Home » HP Manuals » Storage Devices » HP StorageWorks 8/20q » Manual Viewer

HP StorageWorks 8/20q HP StorageWorks 8/20q Fibre Channel Switch Command Line - Page 29

Managing IP security, IP security concepts, Uses of security policies - 8 base san switch

View all HP StorageWorks 8/20q manuals

Add to My Manuals
Save this manual to your list of manuals

Page 29 highlights

Managing IP security To modify IP security, you must open an Admin session with the admin start command, then open an Ipsec Edit session with the ipsec edit command. The Admin session prevents other accounts from making changes at the same time through Telnet, Simple SAN Connection Manager, or any other management application. The Ipsec Edit session provides access to the ipsec, ipsec association and ipsec policy commands with which you make modifications to the IP security configuration, as shown in the following example: 8/20q FC Switch #> admin start 8/20q FC Switch (admin) #> ipsec edit 8/20q FC Switch (admin-ipsec)#> ipsec . . . 8/20q FC Switch (admin-ipsec)#> ipsec policy . . . 8/20q FC Switch (admin-ipsec)#> ipsec association. . . The ipsec save command saves the changes you made during the Ipsec Edit session. Changes take effect immediately. 8/20q FC Switch (admin-ipsec)#> ipsec save To close the Ipsec Edit session without saving changes, enter the ipsec cancel command. 8/20q FC Switch (admin-ipsec)#> ipsec cancel The admin end command releases the Admin session for other administrators when you are finished making changes to the switch. To remove all IP security policies and associations, enter the reset ipsec command. 8/20q FC Switch (admin) #> reset ipsec The following subsections describe IP security concepts and IP security management tasks: • IP security concepts, page 29 • Displaying IP security information, page 30 • Managing the security policy database, page 31 • Managing the security association database, page 34 • Resetting the IP security configuration, page 37 IP security concepts IP security provides encryption-based security for IPv4 and IPv6 communications through the use of security policies and associations. Security policies are located in the security policy database and define the following parameters: • Connection source and destination • Data traffic direction: inbound or outbound • Protocols for which to protect data traffic • Security protocols; Authentication Header (AH) or Encapsulating Security Payload (ESP) • Level of protection: IP Security, discard, or none Security associations are located in the security association database and define the encryption algorithm and encryption key to apply when called by a security policy. A security policy may call several associations at different times, but each association is related to only one policy. Uses of security policies Policies can define security for host-to-host, host-to-gateway, and gateway-to-gateway connections; providing one policy for each direction. For example, to secure the connection between two hosts, you need two policies: one for outbound traffic from the source to the destination, and another for inbound traffic to the source from the destination. You can specify sources and destinations by IP addresses (version 4 or 6) or DNS host names. If a host name resolves to more than one IP address, the switch creates the necessary policies and associations. You can recognize these dynamic policies and associations because their names begin with DynamicSP_ and DynamicSA_ respectively. 8/20q Fibre Channel Switch Command Line Interface Guide 29

Section	Page
Contents	3
About this guide	11
Intended audience	11
Related documentation	11
Document conventions and symbols	12
Table 1 Document conventions	12
HP technical support	13
Product warranties	13
Subscription service	13
HP web sites	13
Documentation feedback	13
Command line interface usage	15
Logging in to the switch through Telnet	15
Opening and closing an admin session	16
Entering commands	16
Table 2 Command-line completion	16
Getting help	17
Setting page breaks	17
Creating a support file	17
Downloading and uploading files	19
User account configuration	21
Table 3 Factory user accounts	21
Displaying user account information	21
Creating user accounts	22
Modifying user accounts and passwords	22
Network configuration	25
Displaying the network configuration	25
Configuring the Ethernet port	26
IPv4 configuration	26
IPv6 configuration	27
DNS server configuration	28
Verifying a switch in the network	28
Managing IP security	29
IP security concepts	29
Uses of security policies	29
Applying IP security	30
Displaying IP security information	30
Policy and association information	30
IP security configuration history	31
IP security configuration limits	31
Managing the security policy database	31
Creating a policy	32
Deleting a policy	32
Modifying a user-defined policy	33
Renaming a user-defined policy	34
Copying a policy	34
Managing the security association database	34
Creating an association	35
Deleting an association	35
Modifying a user-defined association	36
Renaming a user-defined association	37
Copying an association	37
Resetting the IP security configuration	37
Switch configuration	39
Displaying switch information	39
Name server information	40
Switch operational information	41
System process information	42
Elapsed time between resets	42
Configuration information	42
Switch configuration parameters	43
Zoning configuration parameters	43
Security configuration parameters	44
Hardware information	45
Table 4 Heartbeat LED activity	45
Firmware information	45
Managing switch services	46
Managing switch configurations	48
Displaying a list of switch configurations	48
Activating a switch configuration	48
Copying a switch configuration	48
Deleting a switch configuration	48
Modifying a switch configuration	49
Backing up and restoring a switch configuration	50
Creating the backup file	50
Downloading the configuration file	50
Restoring the configuration file	50
Paging a switch	51
Managing the date and time	51
Displaying the date and time	51
Setting the date and time explicitly	52
Setting the time through an NTP server	53
Resetting a switch	53
Table 5 Switch reset methods	53
Installing firmware	54
Non-disruptive activation	54
One-step firmware installation	55
Custom firmware installation	56
Testing a switch	56
Online tests for switches	57
Offline tests for switches	57
Connectivity tests for switches	57
Displaying switch test status	58
Canceling a switch test	58
Verifying and tracing Fibre Channel connections	59
Managing switch feature upgrades	59
Displaying feature licenses	59
Installing a feature license key	59
Managing idle session timers	60
Port configuration	61
Displaying port information	61
Port configuration parameters	61
Port operational information	62
Port threshold alarm configuration parameters	63
Port performance	64
Transceiver information	64
Modifying port operating characteristics	65
Configuring transparent routing	66
Port binding	68
Resetting a port	69
Configuring port threshold alarms	69
Testing a port	71
Online tests for ports	71
Offline tests for ports	72
Displaying port test results	72
Canceling a port test	72
Zoning configuration	73
Displaying zoning database information	73
Configured zone set information	74
Active zone set information	75
Merged zone set information	76
Edited zone set information	76
Zone set membership information	76
Zone membership information	77
Orphan zone information	77
Alias and alias membership information	78
Zoning modification history	78
Zoning database limits	79
Configuring the zoning database	79
Modifying the zoning database	81
Saving the active and merged zone sets	81
Resetting the zoning database	82
Deleting inactive zone sets, zones, and aliases	82
Managing zone sets	82
Creating a zone set	82
Deleting a zone set	82
Renaming a zone set	83
Copying a zone set	83
Adding zones to a zone set	83
Removing zones from a zone set	83
Activating a zone set	83
Deactivating a zone set	83
Managing zones	83
Creating a zone	84
Deleting a zone	84
Renaming a zone	84
Copying a zone	84
Adding members to a zone	84
Removing members from a zone	84
Managing aliases	85
Creating an alias	85
Deleting an alias	85
Renaming an alias	85
Copying an alias	85
Adding members to an alias	85
Removing members from an alias	86
Connection security configuration	87
Managing SSL and SSH services	87
Displaying SSL and SSH services	88
Creating an SSL security certificate	89
Device security configuration	91
Displaying security database information	91
Configured security set information	91
Active security set information	92
Security set membership information	93
Group membership information	93
Security database modification history	94
Security database limits	94
Configuring the security database	95
Modifying the security database	96
Resetting the security database	96
Managing security sets	96
Creating a security set	96
Deleting a security set	97
Renaming a security set	97
Copying a security set	97
Adding groups to a security set	97
Removing groups from a security set	97
Activating a security set	97
Deactivating a security set	97
Managing groups	97
Creating a group	98
Deleting a group	98
Renaming a group	98
Copying a group	98
Adding members to a group	98
Modifying a group member	99
Removing members from a group	99
RADIUS server configuration	101
Displaying RADIUS server information	101
Configuring a RADIUS server on the switch	102
Event log configuration	105
Starting and stopping event logging	105
Displaying the event log	106
Table 6 Event log message format	106
Filtering the event log display	107
Controlling messages in the output stream	107
Managing the event log configuration	107
Configuring the event log	107
Displaying the event log configuration	108
Restoring the event log configuration	108
Clearing the event log	108
Logging to a remote host	108
Creating and downloading a log file	109
Call Home configuration	111
Call Home concepts	111
Call Home requirements	111
Call Home messages	112
Technical support interface	113
Configuring the Call Home service	114
Managing the Call Home database	115
Displaying Call Home database information	116
Creating a profile	118
Deleting a profile	118
Modifying a profile	119
Renaming a profile	119
Copying a profile	119
Adding a data capture configuration	120
Modifying a data capture configuration	120
Deleting a data capture configuration	121
Testing a Call Home profile	121
Changing Simple Mail Transfer Protocol servers	121
Clearing the Call Home message queue	121
Resetting the Call Home database	122
Simple Network Management Protocol configuration	123
Managing the SNMP service	123
Displaying SNMP information	124
Modifying the SNMP configuration	125
Resetting the SNMP configuration	126
Managing the SNMP version 3 configuration	127
Creating an SNMP version 3 user account	128
Displaying SNMP version 3 user accounts	128
Modifying an SNMP version 3 user account	129
Command reference	131
Access authority	131
Syntax and operands	131
Notes and examples	131
admin	132
alias	133
callhome	135
Table 7 Call Home queue statistics parameters	136
capture	138
Table 8 Data capture configuration parameters	138
clone config port	141
config	142
create	145
date	147
exit	148
fcping	149
fctrace	150
feature	151
firmware install	152
group	154
Table 9 ISL group member attributes	154
Table 10 Port group member attributes	155
Table 11 MS group member attributes	155
Table 12 Group type parameters	156
Table 13 Group member attributes	156
hardreset	160
help	161
history	162
hotreset	163
image	164
ipsec	166
ipsec association	168
Table 14 Association configuration parameters	168
ipsec list	171
ipsec policy	174
Table 15 Policy configuration parameters	174
lip	177
logout	178
passwd	179
ping	180
profile	181
Table 16 Profile configuration parameters	181
ps	184
quit	185
reset	186
Table 17 Call Home service configuration defaults	188
Table 18 Switch configuration defaults	189
Table 19 Port configuration defaults	189
Table 20 Port threshold alarm configuration defaults	190
Table 21 Zoning configuration defaults	190
Table 22 SNMP configuration defaults	190
Table 23 RADIUS configuration defaults	191
Table 24 Switch services configuration defaults	191
Table 25 DNS host name configuration defaults	192
Table 26 IPv4 Ethernet configuration defaults	192
Table 27 IPv6 Ethernet configuration defaults	192
Table 28 Event logging configuration defaults	192
Table 29 NTP server configuration defaults	193
Table 30 Timer configuration defaults	193
Table 31 Security configuration defaults	193
security	194
securityset	197
set alarm	199
Table 32 Output stream alarm parameters	199
set beacon	200
Table 33 Beacon state parameters	200
set config port	201
Table 34 Port configuration parameters	201
set config security	204
Table 35 Security configuration parameters	204
set config security portbinding	205
Table 36 Port binding configuration parameters	205
set config switch	206
Table 37 Switch configuration parameters	206
set config threshold	208
Table 38 Port alarm threshold parameters	208
set config zoning	210
Table 39 Zoning configuration parameters	210
set log	211
Table 40 Component event monitoring filter parameters	211
Table 41 Event display filter parameters	212
Table 42 Severity level monitoring parameters	212
Table 43 Port monitoring parameters	212
set pagebreak	214
Table 44 Pagebreak state parameters	214
set port	215
Table 45 Transmission speed parameters	215
Table 46 Port administrative state parameters	215
set setup callhome	216
Table 47 Call Home service configuration attributes	216
set setup radius	218
Table 48 Common RADIUS server configuration attributes	218
Table 49 Server-specific RADIUS server configuration attributes	218
set setup services	221
Table 50 Switch services settings	221
set setup snmp	224
Table 51 Common SNMP configuration parameters	224
Table 52 SNMP trap configuration parameters	225
set setup system	227
Table 53 DNS host name configuration parameters	227
Table 54 IPv4 Ethernet configuration parameters	228
Table 55 IPv6 Ethernet configuration parameters	228
Table 56 Event logging configuration parameters	229
Table 57 NTP server configuration parameters	229
Table 58 Timer configuration parameters	230
set switch state	234
Table 59 Switch administrative state parameters	234
set timezone	235
show about	236
Table 60 Show about display entries	236
show alarm	238
show broadcast	239
show chassis	240
show config port	241
show config security	242
show config security portbinding	243
show config switch	244
show config threshold	245
show config zoning	246
show domains	247
show donor	248
show env	249
show fabric	250
show fdmi	251
show interface	252
show log	253
Table 61 Log monitoring components	253
Table 62 Event log display filter parameters	254
show lsdb	256
show media	257
Table 63 Transceiver information	258
show mem	260
show ns	261
Table 64 Name server display parameters	261
show pagebreak	262
show perf	263
show port	265
Table 65 Show port display entries	265
show postlog	269
show setup callhome	270
show setup mfg	271
show setup radius	272
show setup services	273
show setup snmp	274
show setup system	275
show steering	277
show switch	278
Table 66 Switch operational parameters	278
show system	280
show temp	281
show testlog	282
show timezone	283
show topology	284
show users	285
show version	286
Table 67 Show version display entries	286
show voltage	288
shutdown	289
snmpv3user	290
Table 68 SNMP version 3 user account parameters	290
test cancel	293
test port	294
Table 69 Offline port loopback types	294
Table 70 Port test parameters	294
test status	296
test switch	298
Table 71 Connectivity loopback types	298
Table 72 Offline loopback types	298
Table 73 Switch test parameters	298
uptime	300
user	301
whoami	303
zone	304
zoneset	307
zoning active	309
zoning cancel	310
zoning clear	311
zoning configured	312
zoning delete orphans	313
zoning edit	314
Table 74 Zoning database parameters	314
zoning edited	315
zoning history	316
zoning limits	317
Table 75 Zoning database limits	317
zoning list	318
zoning merged	319
zoning restore	320
zoning save	321

Match case Limit results 1 per page

8/20q Fibre Channel Switch Command Line Interface Guide

Managing IP security

To modify IP security, you must open an Admin session with the

admin start

command, then open an

Ipsec Edit session with the

ipsec edit

command. The Admin session prevents other accounts from

making changes at the same time through Telnet, Simple SAN Connection Manager, or any other

management application. The Ipsec Edit session provides access to the

ipsec

ipsec association

and

ipsec policy

commands with which you make modifications to the IP security configuration, as

shown in the following example:

8/20q FC Switch #> admin start

8/20q FC Switch (admin) #> ipsec edit

8/20q FC Switch (admin-ipsec)#> ipsec . . .

8/20q FC Switch (admin-ipsec)#> ipsec policy . . .

8/20q FC Switch (admin-ipsec)#> ipsec association. . .

The

ipsec save

command saves the changes you made during the Ipsec Edit session. Changes take

effect immediately.

8/20q FC Switch (admin-ipsec)#> ipsec save

To close the Ipsec Edit session without saving changes, enter the

ipsec cancel

command.

8/20q FC Switch (admin-ipsec)#> ipsec cancel

The

admin end

command releases the Admin session for other administrators when you are finished

making changes to the switch.

To remove all IP security policies and associations, enter the

reset ipsec

command.

8/20q FC Switch (admin) #> reset ipsec

The following subsections describe IP security concepts and IP security management tasks:

•

IP security concepts

, page 29

•

Displaying IP security information

, page 30

•

Managing the security policy database

, page 31

•

Managing the security association database

, page 34

•

Resetting the IP security configuration

, page 37

IP security concepts

IP security provides encryption-based security for IPv4 and IPv6 communications through the use of security

policies and associations. Security policies are located in the security policy database and define the

following parameters:

•

Connection source and destination

•

Data traffic direction: inbound or outbound

•

Protocols for which to protect data traffic

•

Security protocols; Authentication Header (AH) or Encapsulating Security Payload (ESP)

•

Level of protection: IP Security, discard, or none

Security associations are located in the security association database and define the encryption algorithm

and encryption key to apply when called by a security policy. A security policy may call several

associations at different times, but each association is related to only one policy.

Uses of security policies

Policies can define security for host-to-host, host-to-gateway, and gateway-to-gateway connections;

providing one policy for each direction. For example, to secure the connection between two hosts, you

need two policies: one for outbound traffic from the source to the destination, and another for inbound

traffic to the source from the destination. You can specify sources and destinations by IP addresses (version

4 or 6) or DNS host names. If a host name resolves to more than one IP address, the switch creates the

necessary policies and associations. You can recognize these dynamic policies and associations because

their names begin with

DynamicSP_

and

DynamicSA_

respectively.