HP StorageWorks 4/64 Brocade Fabric OS Administrator's Guide v6.3.0 (53-100133 - Page 190
Management interface security
View all HP StorageWorks 4/64 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 190 highlights
7 Management interface security Table 37 has a matrix of merging fabrics with tolerant and absent policies. TABLE 37 Fabric merges with tolerant/absent combinations Fabric-wide consistency policy setting Expected behavior Fabric A Fabric B Tolerant/Absent SCC;DCC DCC SCC;DCC SCC DCC SCC Error message logged. Run fddCfg --fabwideset "" from any switch with the desired configuration to fix the conflict. The secPolicyActivate command is blocked until conflict is resolved. Management interface security You can secure an Ethernet management interface between two Brocade switches or enterprise-class platforms by implementing IPsec and IKE policies to create a tunnel that protects traffic flows. The tunnel has at each end a Brocade switch or enterprise-class platform. There may be routers, gateways, and firewalls in between the two ends. ATTENTION Enabling secure IPsec tunnels does not provide IPsec protection for traffic flows on the external management interfaces of intelligent blades in a chassis, nor does it support protection of traffic flows on FCIP interfaces. Internet Protocol security (IPsec) is a framework of open standards that ensures private and secure communications over Internet Protocol (IP) networks through the use of cryptographic security services. The goal of IPsec is to provide the following capabilities: • Authentication - Ensures that the sending and receiving end-users and devices are known and trusted by one another. • Data Integrity - Confirms that the data received was in fact the data transmitted. • Data Confidentiality - Protects the user data being transmitted, such as utilizing encryption to avoid sending data in clear text. • Replay Protection - Prevents replay attack, a type of denial of service (DoS) attack where an attacker intercepts a series of packets and resends them to cause the recipient to waste CPU cycles processing them. • Automated Key Management-Automates the process, as well as manages the periodic exchange and generation of new keys. Using the ipsecConfig command, you must configure multiple security policies for traffic flows on the Ethernet management interfaces based on IPv4 or IPv6 addresses, a range of IPv4 or IPv6 addresses, the type of application, port numbers, and port types used (UDP/TCP). You must specify the transforms and processing choices for the traffic flow (drop, protect or bypass). Also, you must select and configure the key management protocol using an automatic or manual key. For more information on IPv4 and IPv6 addressing, refer to Chapter 1, "Performing Basic Configuration Tasks". 148 Fabric OS Administrator's Guide 53-1001336-01