
58 Fabric OS FCIP Administrator’s Guide
53-1002474-01
L2CoS Quality of Service
Refer to “VLANs and Layer 2 Quality of Service” on page 24 for a definition of Layer 2 Class of
Service (L2CoS).
A VLAN is a virtual LAN network. A VLAN may reside within a single physical network, or it can span
several physical networks. Related devices and applications that are separated by physical LAN
boundaries can reside in the same VLAN. Also, a large physical network can be broken down into
smaller VLANs. VLAN traffic is routed using 802.1Q-compliant tags within an Ethernet frame. The
tag includes a unique VLAN ID, and Class of Service (CoS) priority bits. The CoS priority scheme
(also called Layer 2 Class of Service or L2CoS) uses only the upper 3 bits of the TOS field, allowing
eight priorities.
When both DSCP and L2CoS are used
If an FCIP tunnel is not VLAN tagged, only DSCP is relevant. If the FCIP tunnel is VLAN tagged, both
DSCP and L2CoS are relevant, unless the VLAN is end-to-end, with no intermediate hops in the IP
network. Table 4 on page 25 shows the default mapping of DSCP priorities to L2CoS priorities per
tunnel ID. This may be helpful when consulting with the network administrator. These values may
be modified per FCIP tunnel.
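The two markings described above live in different headers: L2CoS is the 3-bit priority field of the 802.1Q tag, and DSCP is the upper 6 bits of the IPv4 TOS byte. The following parser, an added example that is not part of the guide, pulls both out of a raw Ethernet frame and then applies the relevance rule from the preceding paragraph. The sample frames are constructed; the treatment of an end-to-end VLAN (L2CoS only) is an assumption, since the guide only says that DSCP is then not relevant. The default DSCP-to-L2CoS mapping (Table 4) is not reproduced here.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def parse_frame_qos(frame: bytes) -> dict:
    """Return VLAN ID, L2CoS (802.1Q PCP) and DSCP found in a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    result = {"vlan_tagged": False, "vlan_id": None, "l2cos": None, "dscp": None}
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("frame too short for an 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        result["vlan_tagged"] = True
        result["l2cos"] = tci >> 13        # PCP: upper 3 bits of the TCI, eight priorities
        result["vlan_id"] = tci & 0x0FFF   # VID: lower 12 bits of the TCI
        offset = 18
    if ethertype == ETHERTYPE_IPV4:
        if len(frame) < offset + 20:
            raise ValueError("frame too short for an IPv4 header")
        tos = frame[offset + 1]            # second byte of the IPv4 header is the TOS byte
        result["dscp"] = tos >> 2          # DSCP: upper 6 bits of TOS (low 2 bits are ECN)
    return result


def relevant_qos_markings(parsed: dict, end_to_end_vlan: bool = False) -> list:
    """Which markings matter for a tunnel, per the guide's rule.

    Untagged tunnel: only DSCP.  Tagged tunnel: DSCP and L2CoS, unless the VLAN is
    end-to-end with no intermediate IP hops (assumed here to leave only L2CoS)."""
    if not parsed["vlan_tagged"]:
        return ["DSCP"]
    return ["L2CoS"] if end_to_end_vlan else ["DSCP", "L2CoS"]


# Constructed sample frames (dummy MACs; IPv4 header zeroed apart from version/IHL and TOS).
_MACS = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
SAMPLE_TAGGED = (_MACS + struct.pack("!HHH", ETHERTYPE_8021Q, (5 << 13) | 100, ETHERTYPE_IPV4)
                 + bytes([0x45, 46 << 2]) + bytes(18))        # VID 100, PCP 5, DSCP 46 (EF)
SAMPLE_UNTAGGED = (_MACS + struct.pack("!H", ETHERTYPE_IPV4)
                   + bytes([0x45, 10 << 2]) + bytes(18))      # no tag, DSCP 10 (AF11)

if __name__ == "__main__":
    for name, frame in (("tagged", SAMPLE_TAGGED), ("untagged", SAMPLE_UNTAGGED)):
        p = parse_frame_qos(frame)
        print(name, p, "relevant:", relevant_qos_markings(p))
```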
IPsec implementation over FCIP
Refer to “IPsec implementation over FCIP tunnels” on page 28 for a definition of Internet Protocol
security (IPsec).
IPsec provides greater security for tunneling on an FR4-18i blade and does not require you to
configure separate security for each application that uses TCP/IP. IPsec works on FCIP tunnels
with or without IP compression (IPComp), FCIP Fastwrite, and OSTP.
IPsec requires the High-Performance Extension over FCIP/FC license.
IPsec uses some terms that you should be familiar with before beginning your configuration
(Table 10). These are standard terms, but are included here for your convenience.
TABLE 10 IPsec terminology
AES: Advanced Encryption Standard. FIPS 197 endorses the Rijndael encryption algorithm as the approved AES for use by US Government organizations and others to protect sensitive information. It replaces DES as the encryption standard.
AES-XCBC: Cipher Block Chaining. A key-dependent one-way hash function (MAC) used with AES in conjunction with the Cipher-Block-Chaining mode of operation, suitable for securing messages of varying lengths, such as IP datagrams.
AH: Authentication Header. Like ESP, AH provides data integrity, data source authentication, and protection against replay attacks but does not provide confidentiality.
DES: Data Encryption Standard is the older encryption algorithm that uses a 56-bit key to encrypt blocks of 64-bit plain text. Because of the relatively shorter key length, it is not a secure algorithm and is no longer approved for Federal use.
3DES: Triple DES is a more secure variant of DES. It uses three different 56-bit keys to encrypt blocks of 64-bit plain text. The algorithm is FIPS-approved for use by Federal agencies.