Brocade Fabric OS Encryption Administrator's Guide Supporting Fabric OS v6.2.0 (53-1001201-04, May 2009)

I/O sync link configuration
Each encryption switch or FS8-18 blade has two GbE ports labeled Ge0 and Ge1. The Ge0 and Ge1
ports connect encryption switches and FS8-18 blades to other encryption switches and FS8-18
blades. These two ports provide link layer redundancy, not IP network
redundancy. The ports are bonded together as a single virtual network interface, and are
collectively referred to as the I/O sync link. Only one IP address is used. All encryption switches or
blades must be interconnected by their I/O sync links through a dedicated LAN. Both ports of each
encryption switch or blade must be connected to the same IP network, and the same subnet. Avoid
VLANs, if possible. To eliminate DNS traffic and potential security risks related to DHCP, DHCP
should not be used. Static IP addresses should be assigned.
The IP address of the I/O sync link must be configured before enabling the encryption engine for
encryption. If the IP address is configured after the encryption engine is enabled for encryption, the
encryption switch needs to be rebooted, and the encryption blade needs to be powered off and
powered on (slotpoweroff/slotpoweron) for the IP address configuration to take effect. The
configured GE ports must be connected to the network when deploying an encryption switch or
blade in an encryption group before performing any Re-Key operations. Failure to do so will result in
Re-Key operations not starting in the encryption group or high availability (HA) cluster.
If the IP address of the I/O sync link ports is modified after the encryption engine is enabled for
encryption, the encryption switch needs to be rebooted, and the encryption blade needs to be
powered off and powered on (slotpoweroff/slotpoweron) for the modified IP address to take effect.
Failure to do so will result in Re-Key operations not starting in the encryption group or high
availability (HA) cluster.
Assigning static IP addresses to Ge0 and Ge1
The Ge0 and Ge1 ports are bonded together as a single virtual network interface that provides link
layer redundancy. Only Ge0 needs to be configured. Always use ipaddrset -eth0 to configure the
address. If an address is assigned to Ge1 (-eth1), it is accepted and stored, but it is ignored. The
Ge0 and Ge1 addresses must be configured before initializing the encryption switch or blade.
1. Log in to the switch as Admin or FabricAdmin.
2. Configure the IP address using the ipaddrset command. Only IPv4 addresses are supported.
Only -eth0 needs to be configured. Always use -eth0. The following example configures a static
IP address and gateway address for the bonded interface.
switch:admin> ipaddrset -eth0 --add 10.32.33.34/23
switch:admin> ipaddrset -gate --add 10.32.1.1
Special consideration for blades
For FS8-18 blades, the slot number must also be included in the ipaddrset command, for example:
switch:admin> ipaddrset -slot 7 -eth0 --add 10.32.33.34/23
switch:admin> ipaddrset -slot 7 -gate --add 10.32.1.1
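The following is an added example, not part of the Brocade guide: a pre-deployment check that a planned set of I/O sync link addresses follows the rules above (IPv4 only, one address per node, every node in the same subnet) and that prints the matching ipaddrset lines, with -slot for blades. The node names, function names, and sample plan are constructed for illustration.

```python
import ipaddress

# Constructed sample plan: (node name, slot or None for an encryption switch, address/prefix)
PLAN = [
    ("enc-sw-1", None, "10.32.33.34/23"),
    ("enc-sw-2", None, "10.32.32.10/23"),
    ("dcx-1", 7, "10.32.33.35/23"),  # FS8-18 blade in slot 7
]

def check_plan(plan):
    """Return a list of problems that violate the I/O sync link addressing rules."""
    problems, seen, networks = [], {}, set()
    for name, _slot, cidr in plan:
        try:
            iface = ipaddress.ip_interface(cidr)
        except ValueError:
            problems.append(f"{name}: {cidr!r} is not a valid address/prefix")
            continue
        if iface.version != 4:
            problems.append(f"{name}: only IPv4 is supported, got {cidr}")
            continue
        if iface.ip in seen:
            problems.append(f"{name}: {iface.ip} duplicates {seen[iface.ip]}")
        seen[iface.ip] = name
        networks.add(iface.network)
    if len(networks) > 1:
        # Differing prefixes also land here, e.g. a /24 mixed into a /23 plan.
        nets = ", ".join(sorted(str(n) for n in networks))
        problems.append(f"nodes span more than one subnet: {nets}")
    return problems

def render_commands(plan, gateway=None):
    """Emit ipaddrset lines in the form shown in the guide; only -eth0 is set."""
    lines = []
    for name, slot, cidr in plan:
        cmd = "ipaddrset " if slot is None else f"ipaddrset -slot {slot} "
        lines.append(f"{name}: {cmd}-eth0 --add {cidr}")
        if gateway:
            lines.append(f"{name}: {cmd}-gate --add {gateway}")
    return lines

if __name__ == "__main__":
    issues = check_plan(PLAN)
    for line in issues or render_commands(PLAN, gateway="10.32.1.1"):
        print(line)
```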