Redirection zones, Deployment with admin domains (ad), Do not use dhcp for ip interfaces – Brocade Fabric OS Encryption Administrator’s Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0) User Manual
Fabric OS Encryption Administrator’s Guide (LKM/SSKM)
53-1002925-01
Redirection zones
Redirection zones should not be deleted. If a redirection zone is accidentally deleted, I/O traffic
cannot be redirected to encryption devices, and encryption is disrupted. To recover, re-enable the
existing device configuration by invoking the cryptocfg --commit command on the group leader. If
no changes have taken place since the last commit, you should use the cryptocfg --commit -force
command. This recreates redirection zones related to the device configuration in the zone
database, and restores frame redirection, which makes it possible to restore encryption.
To remove access between a given initiator and target, remove both the active zoning information
between the initiator and target, and the associated CryptoTarget Containers (CTCs). This will
remove the associated frame redirection zone information.
Deployment with Admin Domains (AD)
Virtual devices created by the encryption device do not support the AD feature in this release. All
virtual devices are part of AD0 and AD255. Targets for which virtual targets are created and hosts
for which virtual initiators are created must also be in AD0 and AD255. If they are not, access from
the hosts and targets to the virtual targets and virtual initiators is denied, leading to denial of
encryption services.
Do not use DHCP for IP interfaces
Do not use DHCP for either the GbE management interface or the Ge0 and Ge1 interfaces. Assign
static IP addresses.
Ensure uniform licensing in HA clusters
Licenses installed on the nodes should allow for identical performance numbers between HA
cluster members.
Tape library media changer considerations
In tape libraries where the media changer unit is addressed by a target port that is separate from
the actual tape SCSI I/O ports, create a CryptoTarget container for the media changer unit and
CryptoTarget containers for the SCSI I/O ports. If a CryptoTarget container is created only for the
media changer unit target port, no encryption is performed on this device.
In tape libraries where the media changer unit is addressed by a separate LUN at the same target
port as the actual tape SCSI I/O LUN, create a CryptoTarget container for the target port, and add
both the media changer unit LUN and one or more tape SCSI I/O LUNs to that CryptoTarget
container. If only a media changer unit LUN is added to the CryptoTarget container, no encryption is
performed on this device.