Deployment with fcip extension switches – Brocade Fabric OS Encryption Administrator’s Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0) User Manual

Fabric OS Encryption Administrator’s Guide (LKM/SSKM)

53-1002925-01

The following is a summary of steps for creating and enabling the frame redirection features in the
FCR configuration (edge to edge):

The encryption device creates the frame redirection zone automatically, consisting of host,
target, virtual target, and virtual initiator, when the target and host are configured on the
encryption device. In Figure 94, the encryption device is connected to the host edge fabric.

Create the frame redirection zone consisting of host, target, virtual target, and virtual initiator in
the target edge fabric. The CLI command is zone --rdcreate [host wwn] [target wwn] [VI wwn]
[VT wwn] [nonrestartable] [noFCR]. Always specify nonrestartable as the policy when creating
redirection zones for the encryption device. The VI and VT port WWNs can be obtained
by running the cryptocfg --show -container -cfg command on the encryption switch or blade.
After the redirection zones are created, commit the configuration with the cfgsave command.

Create the LSAN zone consisting of host, target, virtual target, and virtual initiator in both the
backbone fabric and the target edge fabrics. Refer to the Fabric OS Administrator’s Guide for
information about LSANs, LSAN zoning, and Fibre Channel routing (FCR) configurations.

Deployment with FCIP extension switches

Encryption switches may be deployed in configurations that use extension switches or extension
blades within a DCX Backbone chassis to enable long distance connections. Figure 95 shows an
encryption switch deployment in a Fibre Channel over IP (FCIP) configuration. Refer to the Fabric
OS Administrator’s Guide for information about creating FCIP configurations.

NOTE

We recommend disabling data compression on FCIP links that might carry encrypted traffic to avoid
potential performance issues, because compression of encrypted data might not yield the desired
compression ratio. We also recommend disabling tape pipelining and fastwrite on the FCIP link
if it is transporting encrypted traffic.

When an encryption switch is deployed with an extension switch or blade in the same chassis or
fabric, the encryption switch can use the FCIP functionality provided by the extension switch.

In Figure 95, the host is using the remote target for remote data mirroring or backup across the
FCIP link. If the encryption services are enabled for the host and the remote target, the encryption
switch can take clear text from the host and send cipher text over the FCIP link. For FCIP on the
extension switch, this traffic is the same as the rest of the FCIP traffic between any two FCIP end
points. The traffic is encrypted. FCIP provides a data compression option. Data compression should
not be enabled on the FCIP link. If compression is enabled on the FCIP link, the encrypted traffic
going through FCIP compression may not provide the best compression ratio.
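
The compression behavior described in the NOTE and in the paragraph above can be measured directly. The following is an added example, not part of the Brocade guide: it compresses a constructed, repetitive sample before and after encryption. The cipher is a SHA-256 counter-mode keystream used as a dependency-free stand-in (an assumption, not the algorithm the encryption switch uses), and zlib stands in for the FCIP compression option.

```python
import hashlib
import zlib


def keystream_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter-mode keystream.

    Assumption: a stand-in that yields ciphertext-like bytes without a
    crypto library; it is not the cipher used by the encryption switch.
    Applying it twice with the same key returns the original data.
    """
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        pad = hashlib.sha256(key + block_no.to_bytes(8, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ p for b, p in zip(chunk, pad))
    return bytes(out)


def compression_ratio(payload: bytes, level: int = 6) -> float:
    """original_size / compressed_size; a value near 1.0 means no gain."""
    return len(payload) / len(zlib.compress(payload, level))


def compare(plaintext: bytes, key: bytes) -> dict:
    """Compress the same data in clear text and after encryption."""
    ciphertext = keystream_encrypt(key, plaintext)
    return {
        "plaintext_ratio": compression_ratio(plaintext),
        "ciphertext_ratio": compression_ratio(ciphertext),
        "ciphertext_len": len(ciphertext),
    }


# Constructed sample: repetitive, backup-like records (not real traffic).
SAMPLE = b"".join(
    b"record=%06d;status=OK;payload=AAAAAAAAAAAAAAAA\n" % i for i in range(1400)
)
KEY = b"constructed-demo-key"  # constructed value for the demonstration

if __name__ == "__main__":
    result = compare(SAMPLE, KEY)
    print("clear text  ratio: %.2f" % result["plaintext_ratio"])
    print("cipher text ratio: %.2f" % result["ciphertext_ratio"])
```

The clear text compresses several times over, while the cipher text stays at a ratio of about 1.0, so compression on the link only costs processing time for encrypted traffic.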