Brocade Fabric OS Encryption Administrator's Guide v6.3.0 (53-1001341-02, July 2009)
Setting default zoning to no access
Initially, default zoning for all Brocade switches is set to All Access. This is generally the default
zoning setting within a fabric. The All Access setting allows the Brocade Encryption Switch, DCX, or
DCX-4S to join the fabric. (If there is a difference in this setting within the fabric, the fabric will
segment.)
Before committing an encryption configuration in a fabric, default zoning must be set to No Access
within the fabric. When encryption is implemented, frames sent between a host and a target LUN
are redirected to a virtual target within an encryption switch or blade. Redirection zones are
created to route these frames. When redirection zones are in effect, direct access from host to
target should not be allowed, in order to prevent data corruption. The No Access setting ensures that no two
devices on the fabric can communicate with one another without going through a regular zone or a
redirection zone.
1. Check the default zoning setting. Commonly, it will be set to All Access.

    switch:admin> defzone --show
    Default Zone Access Mode
    committed - All Access
    transaction - No Transaction

2. From any configured primary FCS switch, change the default zoning setting to No Access.

    switch:admin> defzone --noaccess
    switch:admin> cfgsave

   The change will be applied within the entire fabric.
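
A pre-commit check for the procedure above, as an added example that is not part of the Brocade guide: it parses captured defzone --show output and passes only when No Access is committed and no zoning change is pending. The function names and the second and third sample captures are constructed, and treating any transaction value other than No Transaction as a pending change is an assumption.

```shell
# Added example, not from the guide. Line layout follows the session above.
# Assumption: a transaction value other than "No Transaction" means a
# default-zone change is staged but not yet saved.
# Print one field (committed | transaction) from output read on stdin.
defzone_field() {
    awk -v key="$1" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)       # tolerate indented CLI output
            sub(/[ \t\r]+$/, "", line)     # tolerate CR from a terminal log
            n = index(line, " - ")         # 0 on header or prompt lines
            if (n > 0 && !found && tolower(substr(line, 1, n - 1)) == key) {
                print substr(line, n + 3)
                found = 1
            }
        }
        END { exit !found }'
}

# Return 0 if No Access is committed and nothing is pending,
# 1 on a policy failure, 2 if the output could not be parsed.
defzone_ready_for_encryption() {
    out=$(cat)
    committed=$(printf '%s\n' "$out" | defzone_field committed) ||
        { echo "UNKNOWN: no committed line found"; return 2; }
    transaction=$(printf '%s\n' "$out" | defzone_field transaction) ||
        { echo "UNKNOWN: no transaction line found"; return 2; }
    if [ "$committed" != "No Access" ]; then
        echo "FAIL: committed default zone is '$committed'"; return 1
    fi
    if [ "$transaction" != "No Transaction" ]; then
        echo "FAIL: unsaved default-zone change pending ('$transaction')"; return 1
    fi
    echo "OK: default zone is No Access"
}

# Sample captures: the first is the step 1 output, the others are constructed.
SAMPLE_FROM_PAGE='Default Zone Access Mode
committed - All Access
transaction - No Transaction'
SAMPLE_NO_ACCESS='Default Zone Access Mode
committed - No Access
transaction - No Transaction'
SAMPLE_PENDING='Default Zone Access Mode
committed - No Access
transaction - All Access'
for s in "$SAMPLE_FROM_PAGE" "$SAMPLE_NO_ACCESS" "$SAMPLE_PENDING"; do
    printf '%s\n' "$s" | defzone_ready_for_encryption || true
done
```

Run the check against output captured from the primary FCS switch before committing the encryption configuration; a non-zero exit status means the fabric is not yet in the required state.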
Management port configuration
Each encryption switch has one GbE management port. In the case of a DCX or DCX-4S with
FS8-18 blades installed, management ports are located on the CP blades. The management port
connects to the key management system and optionally to DCFM. All switches you plan to include
in an encryption group must be connected to the same dedicated LAN management network. All
nodes within an encryption group, the key management system, and DCFM must have like IP
settings (all IPv4 or all IPv6) on their management interfaces. To eliminate DNS traffic and potential
security risks related to DHCP, DHCP should not be used. A static IP address should be assigned.