Home » Dell Manuals » Hubs & Switches » Dell Brocade 6520 » Manual Viewer

Dell Brocade 6520 Web Tools Administrator's Guide Supporting Fabric OS v7.1.0 - Page 223

Establishing an IKE policy, Creating a security association, The Ethernet

Add to My Manuals
Save this manual to your list of manuals

Page 223 highlights

IPsec over management ports 15 1. Open the Switch Administration window. 2. Select Show Advanced Mode. 3. Select the Security Policies tab. 4. Under Security Policies, select Ethernet IPsec. The Ethernet IPsec Policies screen displays. 5. Ethernet IPsec policies can be configured only after enabling IPsec by clicking the Enable button below the Ethernet IPsec policies table. Establishing an IKE policy When you establish an IKE policy, you identify a set of algorithms and authentication rules and parameters to use in a key exchange. Refer to the Fabric OS Administrator's Guide for details on IKE functionality. To establish an IKE policy, perform the following steps. 1. Select the IKE tab on the IPsec Policies window for Ethernet IPsec. The Add IKE Policy dialog box displays. 2. Enter an IKE Policy Name. 3. Enter the IP address of the authentication partner in the Peer IP Address field. 4. Enter the switch's local identifier in the Local Identifier field. This is normally the IP address in IPv4 or IPv6 format, but it may also be a DNS name. 5. Enter the identifier of the remote peer switch in Peer Identifier. This is normally the IP address in IPv4 or IPv6 format, but it may also be a DNS name. 6. Select the Encryption Algorithm option. 7. Select the Hash Algorithm option. 8. Select the PRF Algorithm option. 9. Select the DH Group Number option. 10. Select the Authentication Method option. 11. If PSK is chosen as the authentication method, enter the name of the file that holds the pre-shared key in the Pre-Shared Key filename field. 12. If you are using an X.509 certificate for authentication, enter the appropriate file names in the Public Key filename, Private Key filename, and Peer Public Key filename fields in PEM format. 13. Use the PFS selector to turn Perfect Forward Secrecy (PFS) on or off. PFS provides additional security by means of a Diffie-Hellman shared secret value. With PFS, if one key is compromised, previous and subsequent keys are secure because they are not derived from previous keys. Creating a security association A security association (SA) describes a set of parameters for providing secure communications between two endpoints. Web Tools Administrator's Guide 195 53-1002756-01

Section	Page
Contents	5
Figures	17
Tables	19
About This Document	21
In this chapter	21
How this document is organized	21
Supported hardware and software	22
What’s new in this document	23
Document conventions	24
Text formatting	24
Notes, cautions, and warnings	25
Key terms	25
Notice to the reader	25
Additional information	26
Brocade resources	26
Other industry resources	26
Getting technical help	26
Document feedback	27
Introducing Web Tools	29
In this chapter	29
Web Tools overview	29
Web Tools, the EGM license, and Brocade Network Advisor	29
Web Tools features enabled by the EGM license	30
Web Tools functionality moved to Brocade Network Advisor	31
System requirements	32
Setting refresh frequency for Internet Explorer	33
Deleting temporary internet files used by Java applications	34
Java installation on the workstation	35
Installing the JRE on your Solaris or Linux client workstation	35
Installing patches on Solaris	35
Installing the Java plug-in on Windows	36
Java plug-in configuration	36
Configuring the Java plug-in for Windows	36
Configuring the Java Plug-in for Mozilla family browsers	36
Value line licenses	37
Opening Web Tools	38
Logging in	39
Logging out	41
Role-Based Access Control	41
Session management	42
Ending a Web Tools session	42
Web Tools system logs	43
Technical SupportSave logs	43
Requirements for IPv6 support	44
Using the Web Tools Interface	45
In this chapter	45
Viewing Switch Explorer	45
Persisting GUI preferences	47
Tabs	48
Fabric Tree	48
Switch View buttons	49
Switch View	49
Switch Events and Switch Information	51
Free Professional Management tool	52
Displaying tool tips	52
Right-click options	53
Refresh rates	53
Displaying switches in the fabric	54
Working with Web Tools: recommendations	54
Opening a Telnet or SSH client window	55
Collecting logs for troubleshooting	56
Managing Fabrics and Switches	57
In this chapter	57
Fabric and switch management overview	57
Opening the Switch Administration window	59
Configuring IP and subnet mask information	59
Configuring Netstat Auto Refresh	60
Configuring a syslog IP address	60
Removing a syslog IP address	60
Configuring IP Filtering	61
Blade management	61
Enabling or disabling a blade	62
Setting a slot-level IP address	62
Viewing IP addresses	63
Switch configuration	63
Enabling and disabling a switch	63
Enabling and disabling switch persistent	64
Changing the switch name	64
Changing the switch domain ID	65
Viewing and printing a switch report	65
Setting a principal switch	65
Switch restart	66
Performing a fast boot	66
Performing a reboot	67
System configuration parameters	67
WWN-based Persistent PID assignment	67
Configuring fabric settings	68
Enabling insistent domain ID mode	69
Configuring virtual channel settings	69
Configuring arbitrated loop parameters	70
Configuring system services	70
Configuring signed firmware	71
Licensed feature management	71
Activating a license on a switch	71
Assigning slots for a license key	72
Removing a license from a switch	72
Universal time-based licensing	73
High Availability overview	73
Launching the High Availability window	73
Synchronizing services on the CP	74
Initiating a CP failover	75
Event monitoring	75
Displaying Switch Events	77
Filtering Switch Events	77
Filtering events by event severity levels	77
Filtering events by message ID	78
Filtering events by service component	78
Displaying the Name Server entries	78
Printing the Name Server entries	79
Displaying Name Server information for a particular device	79
Displaying zone members for a particular device	79
Physically locating a switch using beaconing	80
Locating logical switches using chassis beaconing	80
Virtual Fabrics overview	80
Selecting a logical switch from the Switch View	81
Viewing logical ports	81
Maintaining Configurations and Firmware	83
In this chapter	83
Creating a configuration backup file	83
Restoring a configuration	84
Uploading and downloading from USB storage	85
Performing a firmware download	85
Managing Ports	87
In this chapter	87
Port management overview	87
Opening the Port Admin tab	88
Port Admin tab components	88
Controllable ports	91
Configuring FC ports	92
Allowed port types	93
Long distance mode	93
Ingress rate limit	94
Assigning a name to a port	95
Port beaconing	96
Enabling and disabling a port	96
Considerations for enabling or disabling a port	97
Persistent enabling and disabling ports	97
Configuring NPIV ports	98
Port activation	99
Enabling Ports on Demand	100
Enabling Dynamic Ports on Demand	100
Disabling Dynamic Ports on Demand	101
Diagnostic ports	101
Reserving and releasing licenses on a port basis	102
Port swapping index	102
Port swapping	103
Determining if a port index was swapped with another switch port	103
Configuring BB credits on an F_Port	104
Configuring ALPA	105
Configuring port octet speed combination	106
Configuring CSCTL	108
Configuring compression and encryption	109
Enabling/disabling encryption	109
Enabling/disabling compression	109
Displaying compression ratio	110
Forward Error Correction	110
Inband Management	110
GigE port modes	112
Enabling ISL Trunking	113
In this chapter	113
ISL Trunking overview	113
Disabling or enabling ISL Trunking	113
Viewing trunk group information	114
F_Port trunk groups	115
Creating and maintaining F_Port trunk groups	115
Monitoring Performance	117
In this chapter	117
Performance Monitor overview	117
Basic monitoring	117
Advanced monitoring	118
Performance graphs	118
Predefined performance graphs	118
User-defined graphs	121
Canvas configurations	121
Opening the Performance Monitor window	122
Creating basic performance monitor graphs	122
Customizing basic monitoring graphs	123
Advanced performance monitoring graphs	125
Creating SID-DID Performance graphs	125
Creating the SCSI vs. IP Traffic graph	126
Creating SCSI command graphs	126
Tunnel and TCP performance monitoring graphs	127
Tunnel and TCP graph chart properties	128
Saving graphs to a canvas	128
Adding graphs to an existing canvas	129
Printing graphs	129
Modifying graphs	129
Administering Zoning	131
In this chapter	131
Zoning overview	131
Basic zones	131
Traffic Isolation zones	131
LSAN zone requirements	132
QoS zone requirements	132
Zoning configurations	132
Opening the Zone Admin window	132
Setting the default zoning mode	133
Zoning management	133
Refreshing fabric information	135
Refreshing Zone Administration window information	136
Saving local zoning changes	136
Selecting a zoning view	137
Creating and populating zone aliases	137
Adding and removing members of a zone alias	138
Renaming zone aliases	139
Deleting zone aliases	139
Creating and populating zones	139
Adding and removing members of a zone	140
Renaming zones	141
Cloning zones	141
Deleting zones	142
Creating and populating enhanced traffic isolation zones	142
Zone configuration and zoning database management	143
Creating zone configurations	144
Adding or removing zone configuration members	144
Renaming zone configurations	145
Cloning zone configurations	145
Deleting zone configurations	145
Enabling zone configurations	146
Disabling zone configurations	146
Displaying enabled zone configurations	147
Viewing the enabled zone configuration name without opening the Zone Administration window	147
Viewing detailed information about the enabled zone configuration	147
Adding a WWN to multiple aliases and zones	148
Removing a WWN from multiple aliases and zones	148
Replacing a WWN in multiple aliases and zones	149
Searching for zone members	149
Clearing the zoning database	150
Zone configuration analysis	150
Best practices for zoning	150
Working with Diagnostic Features	151
In this chapter	151
Trace dumps	151
How a trace dump is used	152
Setting up automatic trace dump transfers	152
Specifying a remote server	152
Enabling automatic transfer of trace dumps	152
Disabling automatic trace uploads	153
Displaying switch information	153
Viewing detailed fan hardware status	154
Viewing the temperature status	154
Viewing the power supply status	155
Checking the physical health of a switch	155
Defining Switch Policy	156
Port LED interpretation	158
Port icon colors	158
Using the FC-FC Routing Service	159
In this chapter	159
Fibre Channel Routing overview	159
Supported switches for Fibre Channel Routing	160
Setting up FC-FC routing	160
FC-FC routing management	161
Opening the FC Routing module	161
Viewing and managing LSAN fabrics	162
Viewing EX-Ports	162
Configuring an EX-Port	163
Editing the configuration of an EX-Port	163
Configuring FCR router port cost	164
Viewing LSAN zones	164
Viewing LSAN devices	164
Configuring the backbone fabric ID	165
Using the Access Gateway	167
In this chapter	167
Access Gateway overview	167
Viewing Switch Explorer for Access Gateway mode	167
Access Gateway mode	168
Restricted access in the Port Admin tab	169
Enabling Access Gateway mode	169
Disabling Access Gateway mode	170
Viewing the Access Gateway settings	170
Port configuration	170
Creating port groups	171
Editing or viewing port groups	171
Deleting port groups	172
Defining custom primary F-N port mapping	172
Defining custom static F-N port mapping	173
Defining custom WWN-N port mappings	173
Access Gateway policy modification	174
Path Failover and Failback policies	174
Modifying Path Failover and Failback policies	174
Enabling the Automatic Port Configuration policy	174
Access Gateway limitations on the Brocade 8000	176
Administering Fabric Watch	177
In this chapter	177
Fabric Watch overview	177
Administering Extended Fabrics	179
In this chapter	179
Extended link buffer allocation overview	179
Configuring a port for long distance	182
Routing Traffic	185
In this chapter	185
Routing overview	185
Viewing fabric shortest path first routing	186
Configuring dynamic load sharing	187
Lossless dynamic load sharing	187
Specifying frame order delivery	188
Configuring the link cost for a port	188
Configuring Standard Security Features	191
In this chapter	191
User-defined accounts	191
Virtual Fabrics considerations	192
Viewing user account information	193
Creating user-defined accounts	193
Deleting user-defined accounts	195
Changing user account parameters	195
Maintaining passwords	196
User-defined roles	198
Guidelines and restrictions	198
Creating a user-defined role	199
Editing a user-defined role	200
Access control list policy configuration	201
Virtual Fabrics considerations	202
Creating an SCC, DCC, or FCS policy	202
Editing an SCC, DCC, or FCS policy	202
Deleting all SCC, DCC, or FCS policies	203
Activating all SCC, DCC, or FCS policies	203
Distributing an SCC, DCC, or FCS policy	203
Moving an FCS policy switch position	204
Configuring Advanced Device Security policy	204
Fabric-Wide Consistency Policy configuration	205
Authentication policy configuration	206
Configuring authentication policies for E_Ports	206
Configuring authentication policies for F_Ports	206
Distributing authentication policies	207
Re-authenticating policies	207
Setting a shared secret key pair	207
Modifying a shared secret key pair	208
Setting the Switch Policy Authentication mode	208
SNMP configuration	208
Setting SNMP trap levels	208
Changing the systemGroup configuration parameters	209
Setting SNMPv1 configuration parameters	209
Setting SNMPv3 configuration parameters	209
Changing the access control configuration	210
RADIUS management	210
Enabling and disabling RADIUS	211
Configuring RADIUS	211
Modifying the RADIUS server	212
Modifying the RADIUS server order	213
Removing a RADIUS server	213
Active Directory service management	213
Enabling Active Directory service	213
Modifying Active Directory service	214
Removing Active Directory service	214
TACACS+ management	215
Enabling and disabling TACACS+	215
Configuring TACACS+	215
Modifying TACACS+	215
Removing TACACS+	216
IPsec concepts	216
Transport mode and tunnel mode	217
IPsec header options	218
Basic IPsec configurations	219
Internet Key Exchange concepts	220
IPsec over management ports	222
Enabling the Ethernet IPsec policies	222
Establishing an IKE policy	223
Creating a security association	223
Creating an SA proposal	224
Adding an IPsec transform policy	225
Adding an IPsec selector	225
Manually creating an SA	226
Editing an IKE or IPsec policy	227
Deleting an IKE or IPsec policy	227
Establishing authentication policies for HBAs	228
Administering FICON CUP Fabrics	229
In this chapter	229
FICON CUP fabrics overview	229
Enabling port-based routing	230
Enabling or disabling FICON Management Server mode	231
FMS parameter configuration	231
Configuring FMS mode parameters	232
Displaying code page information	233
Viewing the control device state	233
Allow / Prohibit Matrix configuration	234
Viewing Allow / Prohibit Matrix configurations	235
Modifying Allow / Prohibit Matrix configurations	235
Activating an Allow / Prohibit Matrix configuration	237
Copying an Allow / Prohibit Matrix configuration	237
Deleting an Allow / Prohibit Matrix configuration	238
CUP logical path configuration	238
Viewing CUP logical path configurations	238
Configuring CUP logical paths	238
Link Incident Registered Recipient configuration	239
Viewing Link Incident Registered Recipient configurations	239
Configuring LIRRs	239
Displaying Request Node Identification Data	240
Configuring FCoE with Web Tools	241
In this chapter	241
Web Tools and FCoE overview	241
Web Tools, the EGM license, and Brocade Network Advisor	242
Port information that is unique to FCoE	242
Switch administration and FCoE	243
FC0E configuration tasks	243
Quality of Service configuration	243
Editing the DCB map	244
Adding a traffic class map	244
LLDP-DCBX configuration	245
Configuring global LLDP characteristics	245
Adding an LLDP profile	247
Configuring DCB interfaces	248
Configuring a link aggregation group	249
Configuring VLANs	250
Configuring FCoE login groups	251
Displaying FCoE port information	251
Displaying LAG information	252
Displaying VLAN information	253
Displaying FCoE login groups	253
Displaying QoS information	253
Displaying LLDP-DCBX information	253
Displaying DCB interface statistics	253
Configuring a DCB interface from the Switch View	254
Configuring a DCB interface from the Port Admin panel	254
Enabling and disabling a LAG	254
Enabling and disabling LLDP	255
Enabling and disabling QoS priority-based flow control	255
Enabling and disabling FCoE ports	255
Limitations	257
In this chapter	257
General Web Tools limitations	257

Match case Limit results 1 per page

Web Tools Administrator’s Guide

195

53-1002756-01

IPsec over management ports

Open the

Switch Administration

window.

Select

Show Advanced Mode

Select the

Security Policies

tab.

Under

Security Policies

, select

Ethernet IPsec

The Ethernet

IPsec Policies

screen displays.

Ethernet IPsec policies can be configured only after enabling IPsec by clicking the

Enable

button below the Ethernet

IPsec policies

table.

Establishing an IKE policy

When you establish an IKE policy, you identify a set of algorithms and authentication rules and

parameters to use in a key exchange. Refer to the

Fabric OS Administrator’s Guide

for details on

IKE functionality.

To establish an IKE policy, perform the following steps.

Select the

IKE

tab on the

IPsec Policies

window for Ethernet IPsec.

The

Add IKE Policy

dialog box displays.

Enter an

IKE Policy Name

Enter the IP address of the authentication partner in the

Peer IP Address

field.

Enter the switch’s local identifier in the

Local Identifier

field.

This is normally the IP address in IPv4 or IPv6 format, but it may also be a DNS name.

Enter the identifier of the remote peer switch in

Peer Identifier

This is normally the IP address in IPv4 or IPv6 format, but it may also be a DNS name.

Select the

Encryption Algorithm

option.

Select the

Hash Algorithm

option.

Select the

PRF Algorithm

option.

Select the

DH Group Number

option.

10.

Select the

Authentication Method

option.

11.

If PSK is chosen as the authentication method, enter the name of the file that holds the

pre-shared key in the

Pre-Shared Key filename

field.

12.

If you are using an X.509 certificate for authentication, enter the appropriate file names in the

Public Key filename

Private Key filename

, and

Peer Public Key filename

fields in PEM format.

13.

Use the

PFS

selector to turn Perfect Forward Secrecy (PFS) on or off.

PFS provides additional security by means of a Diffie-Hellman shared secret value. With PFS, if

one key is compromised, previous and subsequent keys are secure because they are not

derived from previous keys.

Creating a security association

A security association (SA) describes a set of parameters for providing secure communications

between two endpoints.