Virtual fabrics considerations, Recommendation for compression, Configuring encryption and compression – Dell POWEREDGE M1000E User Manual

Fabric OS Administrator’s Guide

399

53-1002745-02

Configuring encryption and compression

14

Virtual Fabrics considerations

The E_Ports and EX_Ports in the user-created logical switch, base switch, or default switch; and
EX_Ports on base switches can support encryption and compression. You can configure encryption
on XISL ports, but not on LISL ports. However, frames from the LISL ports are implicitly encrypted or
compressed as they pass through encryption/compression enabled XISL ports.

If an encryption or compression enabled port needs to be moved from one logical switch to another
logical switch, the movement of the port is blocked. You must disable the encryption and
compression configurations before moving the port, and then enable encryption and compression
after the port has moved.

Recommendation for compression

When configuring compression on long distance ports, it is recommended to configure the long
distance ports with double the number of buffers. This can be done by configuring the port to use
the long distance LS mode and specifying the number of buffers to allocate to the port. You can see
what the average compression ratio and the average frame size values are and adjust the
allocated credit accordingly using the portEncCompShow and portBufferShow commands. You can
then use the portBufferCalc command to estimate the assigned credit value to optimize
performance. See the Fabric OS Command Reference for details on using these commands.

Configuring encryption and compression

On a given ISL between two 16 Gbps E_Ports or EX_Ports, you can configure each port for encryption,
compression, or both. Your encryption and compression settings must match at either end of the ISL.
Port segmentation will occur during port initialization if these configurations do not match.

Before configuring a port for encryption, you must configure the port for authentication using the
authUtil and secAuthSecret commands:

•

Use the authUtil command to enable switch authentication, enable the DH-CHAP
authentication protocol for ports that support encryption, and select the appropriate
DH (Diffie-Hellman) group (4 or “*”).
To enable switch authentication, use the authUtil

--

policy command with the -sw option to

select either the on mode or the active mode.

To enable the DH-CHAP authentication protocol, use the authUtil

--

set command with the -a

option and select either dhchap or all. dhchap explicitly specifies the DH-CHAP protocol.
Although all enables both FCAP and DH-CHAP, the active protocol defaults to DH-CHAP for all
ports configured for in-flight encryption.

To select the appropriate DH group, use the authUtil

--

set command with the -g option and

choose either group 4 or “*”. If “*” is entered, then group 4 is selected from a list.

•

Use the secAuthSecret command to configure a pre-shared secret on both sides of the ISL for
all ports configured for in-flight encryption. A secret of at least 32 characters is recommended.
The maximum length for a secret is 40 characters.

ATTENTION

Port segmentation will occur during port initialization if authentication fails.