Brocade Fabric OS Administrator's Guide Supporting Fabric OS v6.3.0 (53-1001336-02, November 2009)

ManualsBrandsHP ManualsStorageBrocade 8/24c SAN Switch for BladeSystem c-Class

191

192

193

194

195

196

197

198

199

200

152 Fabric OS Administrator’s Guide

53-1001336-02

Management interface security

You can secure an Ethernet management interface between two Brocade switches or

enterprise-class platforms by implementing IPsec and IKE policies to create a tunnel that protects

traffic flows. The tunnel has at each end a Brocade switch or enterprise-class platform. There may

be routers, gateways, and firewalls in between the two ends.

ATTENTION

Enabling secure IPsec tunnels does not provide IPsec protection for traffic flows on the external

management interfaces of intelligent blades in a chassis, nor does it support protection of traffic

flows on FCIP interfaces.

Internet Protocol security (IPsec) is a framework of open standards that ensures private and secure

communications over Internet Protocol (IP) networks through the use of cryptographic security

services. The goal of IPsec is to provide the following capabilities:

• Authentication — Ensures that the sending and receiving end-users and devices are known and

trusted by one another.

• Data Integrity — Confirms that the data received was in fact the data transmitted.

• Data Confidentiality — Protects the user data being transmitted, such as utilizing encryption to

avoid sending data in clear text.

• Replay Protection — Prevents replay attack, a type of denial of service (DoS) attack where an

attacker intercepts a series of packets and resends them to cause the recipient to waste CPU

cycles processing them.

• Automated Key Management—Automates the process, as well as manages the periodic

exchange and generation of new keys.

Using the ipsecConfig command, you must configure multiple security policies for traffic flows on

the Ethernet management interfaces based on IPv4 or IPv6 addresses, a range of IPv4 or IPv6

addresses, the type of application, port numbers, and port types used (UDP/TCP). You must specify

the transforms and processing choices for the traffic flow (drop, protect or bypass). Also, you must

select and configure the key management protocol using an automatic or manual key.

For more information on IPv4 and IPv6 addressing, refer to Chapter 1, “Performing Basic

Configuration Tasks”.

TABLE 37 Fabric merges with tolerant/absent combinations

Fabric-wide consistency policy setting Expected behavior

Fabric A Fabric B

Tolerant/Absent SCC;DCC Error message logged.

Run fddCfg --fabwideset

“<policy_ID>” from any switch with

the desired configuration to fix the

conflict. The secPolicyActivate

command is blocked until conflict is

resolved.

DCC

SCC;DCC SCC

DCC SCC