Dell EqualLogic PS6210XS EqualLogic Group Manager Administrator's Guide PS Ser - Page 96
Protect Communication Between Group Members, Protect iSCSI Initiator Connections, Add Members to an
Protect Communication Between Group Members

To enable IPsec security for communication between group members, use the ipsec enable CLI command. No further configuration actions are required.

Protect iSCSI Initiator Connections

IP traffic between the group and iSCSI initiators is not automatically protected after IPsec has been enabled. Configure an IPsec configuration as follows:

NOTE: See the Dell EqualLogic Group Manager CLI Reference Guide for command syntax and examples of the CLI commands.

1. If you are authenticating with certificates rather than pre-shared keys, load local and root-CA certificates using the ipsec certificate load command. (See About IPsec for more information.)

2. Create a security parameter using one of the ipsec security-params create commands, based on the authentication method:
   • If you are using a certificate, use ipsec security-params create certificate.
   • If you are using a pre-shared key, use ipsec security-params create pre-shared-key.

   NOTE: Local and root-CA certificates must be loaded before you can create certificate-based security parameters. This step is not required for security parameters using pre-shared keys.

3. Create a policy that defines a particular set of network traffic and applies a specific action to that traffic, a process that is conceptually similar to creating a firewall rule. You can either drop the traffic, allow it to pass through, or protect it using a security parameter.

   NOTE: If you are creating policies that drop traffic or allow it to pass, you do not have to create the corresponding security parameter.

4. Perform additional host or initiator configuration tasks required to use IPsec. See your operating system or iSCSI initiator documentation for instructions.

5. IPsec must be enabled for the IPsec configuration to take effect. However, you can still create IPsec configurations while IPsec is disabled.
Add Members to an IPsec-Enabled Group

You can add new group members to an existing IPsec-enabled group, provided the new member is a model that supports IPsec. See the documentation for the setup command in the Dell EqualLogic Group Manager CLI Reference Guide for instructions on joining an IPsec-enabled group.

Some older PS Series array models do not support IPsec. See the Dell EqualLogic PS Series Storage Arrays Release Notes for more information.

Remove an IPsec Configuration

IPsec configurations cannot be modified. They must be removed and then recreated using the new configuration.

NOTE: This process might disrupt connections that are covered by the policy being deleted. Dell recommends changing the configuration during a maintenance window.

If you are removing an IPsec configuration, you must delete the components in the reverse order in which they were applied:

1. Delete the policy.
2. Delete the security parameter.
3. Delete the certificate (if certificate-based protection is being used).

This same ordering rule applies when deleting any component used in an IPsec configuration. To delete a security parameter, you must first delete any policies using it. To delete a certificate, you must first delete any security parameters that use it.

96 About Group-Level Security
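The deletion-order rule above, as an added example that is not from the Dell guide: a short Python planner that takes an inventory of policies, security parameters and certificates and lists what must be deleted, and in what order, before a given component can go. The inventory and every object name are constructed for illustration, and the script issues no Group Manager CLI commands.

```python
# Constructed inventory; every name here is hypothetical, not from the guide.
CERTS = {"root-ca", "array-local"}
# Security parameter -> certificates it uses (empty set = pre-shared key).
PARAMS = {"sp-cert": {"root-ca", "array-local"}, "sp-psk": set()}
# Policy -> (action, security parameter); drop/pass policies reference none.
POLICIES = {
    "pol-iscsi-hosts": ("protect", "sp-cert"),
    "pol-backup-host": ("protect", "sp-psk"),
    "pol-legacy-drop": ("drop", None),
}


def removal_plan(kind, name):
    """Ordered (kind, name) deletions needed before `name` can be removed.

    Follows the guide's order: policies, then security parameters,
    then the certificate.
    """
    known = {"policy": POLICIES, "security-param": PARAMS, "certificate": CERTS}
    if kind not in known or name not in known[kind]:
        raise KeyError(f"unknown {kind}: {name}")
    if kind == "policy":
        return [("policy", name)]
    if kind == "security-param":
        params = [name]
    else:  # certificate: every security parameter that uses it goes first
        params = sorted(p for p, certs in PARAMS.items() if name in certs)
    policies = sorted(p for p, (_, sp) in POLICIES.items() if sp in params)
    plan = [("policy", p) for p in policies]
    plan += [("security-param", p) for p in params]
    if kind == "certificate":
        plan.append(("certificate", name))
    return plan


def disrupted_policies(plan):
    """Policies in the plan; their connections may drop when they are deleted."""
    return [name for kind, name in plan if kind == "policy"]


if __name__ == "__main__":
    for step, (kind, name) in enumerate(removal_plan("certificate", "root-ca"), 1):
        print(f"{step}. delete {kind} {name}")
```

Reviewing the output of disrupted_policies before a maintenance window shows which protected connections the change will touch.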