Redirection zones – Brocade Fabric OS Encryption Administrator’s Guide Supporting Key Management Interoperability Protocol (KMIP) Key-Compliant Environments (Supporting Fabric OS v7.1.0) User Manual

236

Fabric OS Encryption Administrator’s Guide (KMIP)

53-1002747-02

Redirection zones

5

•

Before committing CryptoTarget container or LUN configurations or modifications on an
encryption switch or FS8-18 blade, make sure that there are no outstanding zoning
transactions in the switch or fabric. If there is an outstanding zoning transaction, the commit
operation will fail and result in disabling the LUN. You can check for outstanding zoning
transactions by issuing the cfgtransshow command.

•

LUNs are uniquely identified by the encryption switch or FS8-18 blade using the LUN serial
number. The LUN serial number must be unique for LUNs exposed from the same target port.
The LUN serial number must be unique for LUNs belonging to different target ports in
non-multipathing configurations. Failure to ensure that the serial numbers are unique will
result in undefined behavior and may result in faulting the encryption switch or FS8-18 blade.

•

To enable host MPIO, LUNs must also be available through a second target port, hosted on a
second encryption switch, the same encryption switch or encryption engine. The second
encryption switch could be in the same fabric, or a different fabric.

•

Hosts should be able to access LUNs through multiple ports for redundancy.

•

For high availability and failover within the fabric, implement an HA cluster of two encryption
switches, and host the target port as a virtual target on one of the switches.

•

Don't change the WWN of any node after it has been deployed in an encryption group.

•

To minimize host IO disruption or time-outs during CryptoTarget container failover, it is
recommended that the devices (hosts, target ports) are connected to an edge switch in a
fabric, and not directly to Encryption switch/blade ports.

•

Always use the following process when configuring the LUN for encryption, unless the LUN was
previously encrypted.

1. Add the LUN as cleartext to the CryptoTarget container.

2. When the LUN comes online and Host I/O starts flowing through the LUN as cleartext, then

modify the LUN from cleartext to encrypt and enable_encexistingdata options to convert
the LUN to encryption.

An exception to this LUN configuration process is that if the LUN was previously encrypted by
the encryption switch or FS8-18 blade, then the LUN can be added to the CryptoTarget
Container with the

–

encrypt and

–

lunstate encrypted options.

Redirection zones

Redirection zones should not be deleted. If a redirection zone is accidentally deleted, I/O traffic
cannot be redirected to encryption devices, and encryption is disrupted. To recover, re-enable the
existing device configuration by invoking the cryptocfg

--

commit command on the group leader. If

no changes have taken place since the last commit, you should use the cryptocfg

--

commit

-

force command. This recreates redirection zones related to the device configuration in the zone

database, and restores frame redirection, which makes it possible to restore encryption.

To remove access between a given initiator and target, remove both the active zoning information
between the initiator and target, and the associated CryptoTarget Containers (CTCs). This will
remove the associated frame redirection zone information.