Compression Options; IPsec Implementation over FCIP Tunnels; Limitations in Using IPsec over FCIP Tunnels - Brocade Communications Systems 8 Administrator's Manual

Fabric OS FCIP Administrator's Guide

ipif_addr
The locally defined IP address.
vlan_id
The VLAN tag used for this tag (range 1-4094).
L2CoS
Layer 2 class of service (range 0-7).
dst_IP_addr
The destination IP address. All frames destined for this IP address will be tagged with the specified vlan_id and L2 CoS. If a destination IP address is not specified, all frames not already tagged will be tagged.

The following example adds an entry that tags all frames from IP address 192.168.10.1 destined for IP address 192.168.20.1 with a VLAN ID of 100, and a L2 CoS value of 3.

switch:admin> portcfg vlantag 8/ge0 add 192.168.10.1 100 3 192.168.20.1

Compression options

Hardware-based compression is available on both the 7800 switch and the FX8-24 blade. There are two additional, more aggressive compression options. One is a combination of hardware and software compression that provides more compression than hardware compression alone. This option supports up to 8 Gbps of FC traffic. The third option is software-only compression, which uses a more aggressive algorithm. This option supports up to 2.5 Gbps of FC traffic. Compression is defined on the FCIP tunnel.

IPsec implementation over FCIP tunnels

Internet Protocol security (IPsec) uses cryptographic security to ensure private, secure communications over Internet Protocol networks. IPsec supports network-level data integrity, data confidentiality, data origin authentication, and replay protection. It helps secure your SAN against network-based attacks from untrusted computers.

The following describes the sequence of events that invokes the IPsec protocol.

1. IPsec and Internet Key Exchange (IKE) policies are created and assigned on peer switches or blades on both ends of the FCIP tunnel.
2. Traffic from an IPsec peer with the lower local IP address initiates the IKE negotiation process.
3. IKE negotiates security association (SA) parameters, setting up matching SAs in the peers. Some of the negotiated SA parameters include encryption and authentication algorithms, Diffie-Hellman key exchange, and SA lifetimes.
4. Data is transferred between IPsec peers based on the IPsec parameters and keys stored in the SA database.
5. SA lifetimes terminate through deletion or by timing out. An SA lifetime equates to approximately 2 GB of traffic passed through the SA.

Limitations in using IPsec over FCIP tunnels

The following limitations apply to using IPsec:
- NAT and AH are not supported.
- IPsec-specific statistics are not supported.
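
A pre-deployment check for the IPsec sequence and limitations described above, as an added example that is not part of the Brocade guide. The `Endpoint` record, its field names, and the algorithm values are hypothetical planning data rather than Fabric OS syntax, and the SA lifetime is assumed to be exactly 2 x 10^9 bytes.

```python
import ipaddress
from dataclasses import dataclass

SA_LIFETIME_BYTES = 2 * 10**9  # guide says "approximately 2GB"; exact value is assumed

@dataclass(frozen=True)
class Endpoint:              # hypothetical planning record, not a Fabric OS object
    name: str
    local_ip: str            # address configured on this end of the tunnel
    remote_ip: str           # address this end uses to reach its peer
    protocol: str            # "esp" or "ah"
    encryption: str
    authentication: str
    dh_group: int

def check_tunnel(a: Endpoint, b: Endpoint, tunnel_gbps: float) -> dict:
    """Validate a planned IPsec-over-FCIP endpoint pair against the rules above."""
    problems = []
    for ep in (a, b):        # limitation: AH is not supported
        if ep.protocol.lower() == "ah":
            problems.append(f"{ep.name}: AH is not supported")
    # Limitation: NAT is not supported, so each side must address its peer
    # by the peer's own local IP, with no translated address in between.
    if a.remote_ip != b.local_ip or b.remote_ip != a.local_ip:
        problems.append("address mismatch: NAT or misconfiguration in the path")
    # Step 3: IKE can only set up matching SAs if both policies agree.
    for field in ("protocol", "encryption", "authentication", "dh_group"):
        if getattr(a, field) != getattr(b, field):
            problems.append(f"policy mismatch on {field}")
    # Step 2: the peer with the numerically lower local IP initiates IKE.
    initiator = min((a, b), key=lambda ep: ipaddress.ip_address(ep.local_ip))
    # Step 5: the SA lifetime is a traffic volume, so sustained throughput
    # determines how long a single SA lasts.
    sa_seconds = SA_LIFETIME_BYTES / (tunnel_gbps * 1e9 / 8)
    return {"ok": not problems, "problems": problems,
            "initiator": initiator.name, "sa_lifetime_seconds": round(sa_seconds, 1)}

# Constructed sample values, reusing the addresses from the guide's VLAN example.
site_a = Endpoint("site-a", "192.168.10.1", "192.168.20.1", "esp", "aes-128", "sha1", 2)
site_b = Endpoint("site-b", "192.168.20.1", "192.168.10.1", "esp", "aes-128", "sha1", 2)

if __name__ == "__main__":
    print(check_tunnel(site_a, site_b, tunnel_gbps=1.0))
```

At a sustained 1 Gbps, a 2 GB SA lifetime is consumed in about 16 seconds, which is worth knowing when reading IKE logs on a busy tunnel.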
Fabric OS FCIP Administrator's Guide
53-1001766-01
