Brocade Fabric OS Encryption Administrator's Guide Supporting HP Secure Key Manager (SKM) and HP Enterprise Secure Key Manager (ESKM) Environments (Supporting Fabric OS v7.2.0)
Fabric OS Encryption Administrator's Guide (SKM/ESKM)
53-1002923-01
• To enable host MPIO, LUNs must also be available through a second target port, hosted on a second encryption switch, the same encryption switch, or the same encryption engine. The second encryption switch can be in the same fabric or in a different fabric.
• Hosts should be able to access LUNs through multiple ports for redundancy.
• For high availability and failover within the fabric, implement an HA cluster of two encryption switches, and host the target port as a virtual target on one of the switches.
• Do not change the WWN of any node after it has been deployed in an encryption group.
• To minimize host I/O disruption or time-outs during CryptoTarget container failover, it is recommended that the devices (hosts, target ports) be connected to an edge switch in the fabric, and not directly to encryption switch or blade ports.
• Always use the following process when configuring a LUN for encryption, unless the LUN was previously encrypted.
  1. Add the LUN as cleartext to the CryptoTarget container.
  2. When the LUN comes online and host I/O starts flowing through the LUN as cleartext, modify the LUN from cleartext to encrypted using the -encrypt and -enable_encexistingdata options to convert the LUN to encryption.
  An exception to this LUN configuration process: if the LUN was previously encrypted by the encryption switch or FS8-18 blade, the LUN can be added to the CryptoTarget container directly with the -encrypt and -lunstate encrypted options.
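The two paths in the LUN procedure above (cleartext first, then convert; or direct add when the LUN was previously encrypted) as an added dry-run helper that is not part of the Brocade guide. The cryptocfg argument order (container name, LUN number, initiator PWWN, initiator NWWN) follows the cryptocfg command reference as I recall it and should be checked against the reference for your Fabric OS release; the container name and WWNs are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the Brocade guide): print, but do not run, the
# cryptocfg sequence for bringing a LUN under encryption.
#   previously_encrypted=no  -> add as cleartext, commit, wait for host I/O,
#                               then modify with -encrypt -enable_encexistingdata
#   previously_encrypted=yes -> add directly with -encrypt -lunstate encrypted
# Argument order for --add/--modify -LUN is assumed from the cryptocfg
# reference; verify it for your release before pasting into a switch session.

# lun_encrypt_plan CTC LUN PWWN NWWN yes|no   (one command per output line)
lun_encrypt_plan() {
  ctc=$1; lun=$2; pwwn=$3; nwwn=$4; prev=$5
  case $prev in
    yes)
      echo "cryptocfg --add -LUN $ctc $lun $pwwn $nwwn -encrypt -lunstate encrypted"
      echo "cryptocfg --commit"
      ;;
    no)
      # Step 1: cleartext add, committed so the LUN can come online.
      echo "cryptocfg --add -LUN $ctc $lun $pwwn $nwwn"
      echo "cryptocfg --commit"
      # Step 2 only after the LUN is online and host I/O is flowing.
      echo "# wait: confirm LUN online and host I/O flowing as cleartext"
      echo "cryptocfg --modify -LUN $ctc $lun $pwwn $nwwn -encrypt -enable_encexistingdata"
      echo "cryptocfg --commit"
      ;;
    *)
      echo "usage: lun_encrypt_plan CTC LUN PWWN NWWN yes|no" >&2
      return 2
      ;;
  esac
}

# Constructed sample values; the WWNs do not belong to any real deployment.
lun_encrypt_plan sample_ctc 0 10:00:00:00:c9:2b:c9:3a 20:00:00:00:c9:2b:c9:3a no
```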
Redirection zones
Redirection zones should not be deleted. If a redirection zone is accidentally deleted, I/O traffic cannot be redirected to encryption devices, and encryption is disrupted. To recover, re-enable the existing device configuration by invoking the cryptocfg --commit command on the group leader. If no changes have taken place since the last commit, use the cryptocfg --commit -force command instead. This recreates the redirection zones related to the device configuration in the zone database and restores frame redirection, which makes it possible to restore encryption.
To remove access between a given initiator and target, remove both the active zoning information between the initiator and target and the associated CryptoTarget Containers (CTCs). This removes the associated frame redirection zone information.
Deployment with Admin Domains (AD)
Virtual devices created by the encryption device do not support the AD feature in this release. All virtual devices are part of AD0 and AD255. Targets for which virtual targets are created and hosts for which virtual initiators are created must also be in AD0 and AD255. If they are not, access from the hosts and targets to the virtual targets and virtual initiators is denied, leading to denial of encryption services.
Do not use DHCP for IP interfaces
Do not use DHCP for either the GbE management interface or the Ge0 and Ge1 interfaces. Assign static IP addresses.