Recommendation for connectivity, Usage limitations – Brocade Fabric OS Encryption Administrator’s Guide Supporting Key Management Interoperability Protocol (KMIP) Key-Compliant Environments (Supporting Fabric OS v7.1.0) User Manual


Fabric OS Encryption Administrator’s Guide (KMIP)

53-1002747-02


Recommendation for connectivity

In order to achieve high performance and throughput, the encryption engines perform what is
referred to as “cut-through” encryption. In simple terms, this is achieved by encrypting the data in
data frames on a per-frame basis. This enables the encryption engine to buffer only one frame,
encrypt it, and send out the frame to the target on write I/Os. For read I/Os, the reverse is done.

This puts some constraints on the topology and the container configurations to support acceptable
performance for encrypted and decrypted I/O to and from LUNs, and to support acceptable levels
of scale in terms of the number of LUNs and the number of flows. The topology and container
configuration constraints are stated below:

Care must be taken when connecting the encryption engines to the fabric and configuring
crypto-target containers to be sure that the traffic flow between the host initiator and the physical
storage array LUN through the container flows through only one encryption engine that is hosting
the container. This is to avoid crisscrossing of flows to and from virtual entities; that is, from virtual
targets and virtual initiators on two different encryption engines over the same path.

Although there is considerable flexibility in connecting and configuring the containers for
encryption, the following guidelines are the recommended best practices:

- Host and storage array ports that are not involved in any encryption flow can be connected to
  any encryption engines (EEs).

- Recommendations for host and target ports with respect to encryption flows are as follows:

  - For high availability (HA) purposes, only ISLs are connected to the encryption engine to
    connect it to the fabric. No devices (initiators and targets) are connected to it.

  - To maintain HA, we recommend that devices (hosts and targets) and ISLs not be
    connected directly to the encryption blades (FS8-18) in a Brocade DCX Backbone chassis
    in a single-path configuration.

Usage limitations

There are usage limitations to be aware of when planning an encryption implementation:

- Special redirection zones are created to handle data that is redirected to an encryption switch
  or blade. Quality of Service (QoS) cannot be applied to a redirection zone.

- For frame redirection to be applied, regular zones for hosts and targets must be defined in the
  effective configuration. Hosts and targets must be zoned together by worldwide port name
  (WWPN) rather than worldwide node name (WWNN) in configurations where frame redirection
  will be used. If hosts or targets are zoned together using worldwide node name, frame
  redirection will not occur properly.

  NOTE
  The use of alias names in place of WWPNs is not supported.

- On tapes written in DataFort format, the encryption switch or blade cannot read and decrypt
  files with a block size of 1 MB or greater.

- The Top Talker feature is not compatible with redirection zones. The Top Talker feature should
  not be enabled when an encryption switch or blade is present in the fabric.
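The zoning rules above (members must be WWPNs, not WWNNs, and aliases are not supported) are easy to get wrong when a zone set is large. The following is an added audit script, not part of the Brocade guide or of Fabric OS, that checks a zone configuration against those two rules. Because a WWNN and a WWPN cannot be told apart reliably by their text form, the check uses a name-server listing (port WWN to node WWN) as its reference; the name-server table, alias table and zone definitions below are constructed sample data, and the function names are the author's own.

```python
import re

# Constructed sample name-server listing: port WWN (WWPN) -> node WWN (WWNN).
# In practice this would be collected from the fabric; these values are made up.
NAME_SERVER = {
    "10:00:00:05:1e:aa:bb:01": "20:00:00:05:1e:aa:bb:01",  # host HBA port
    "50:06:01:60:3b:a0:12:34": "50:06:01:60:bb:a0:12:34",  # storage array port
}

# Constructed alias table, as a zoning tool might define it.
ALIASES = {"host1_alias": "10:00:00:05:1e:aa:bb:01"}

# Constructed zone definitions: one correct zone and two that violate the rules.
ZONES = {
    "z_host1_array": ["10:00:00:05:1e:aa:bb:01", "50:06:01:60:3b:a0:12:34"],
    "z_bad_wwnn": ["20:00:00:05:1e:aa:bb:01", "50:06:01:60:3b:a0:12:34"],
    "z_bad_alias": ["host1_alias", "50:06:01:60:3b:a0:12:34"],
}

# A WWN is eight colon-separated hex octets; anything else is treated as a name/alias.
WWN_RE = re.compile(r"^([0-9a-f]{2}:){7}[0-9a-f]{2}$", re.IGNORECASE)


def audit_zone(name, members, name_server, aliases):
    """Return a list of findings for one zone (empty list means the zone passes)."""
    findings = []
    port_wwns = {k.lower() for k in name_server}
    node_wwns = {v.lower() for v in name_server.values()}
    for member in members:
        m = member.lower()
        if not WWN_RE.match(m):
            # Not a WWN at all: either a defined alias or an unknown token.
            if member in aliases:
                findings.append(
                    f"{name}: member '{member}' is an alias; aliases are not "
                    "supported for frame redirection, use the WWPN instead")
            else:
                findings.append(f"{name}: member '{member}' is not a WWN")
            continue
        if m in node_wwns and m not in port_wwns:
            # The member matches a node name in the name server: zoned by WWNN.
            findings.append(
                f"{name}: member {member} is a WWNN; zone by WWPN so that "
                "frame redirection works")
        elif m not in port_wwns:
            findings.append(
                f"{name}: member {member} is not a known port in the name server")
    return findings


def audit_zones(zones, name_server, aliases):
    """Audit every zone; returns {zone_name: [findings]}."""
    return {z: audit_zone(z, m, name_server, aliases) for z, m in zones.items()}


if __name__ == "__main__":
    for zone, problems in audit_zones(ZONES, NAME_SERVER, ALIASES).items():
        status = "OK" if not problems else "CHECK"
        print(f"[{status}] {zone}")
        for p in problems:
            print("   ", p)
```

Run the audit before enabling redirection for a container; a zone that reports a WWNN member or an alias member will not redirect correctly and should be rewritten with the port WWNs from the name server.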
