
Design and Implementation of Storage Media Encryption

BRKSAN-2893

BRKSAN-2893 14734_05_2008_X1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public


© 2006, Cisco Systems, Inc. All rights reserved. 14734_05_2008_X1.scr


Agenda
FC-Redirect
SME in the Fabric
Key Management Center
Configuration/Display using Fabric Manager Server
Network Design Examples

Overview
What is Storage Media Encryption?
Encryption of data stored on tapes
Key creation
Comprehensive key management

Why is it required?
Loss of backup tapes
Regulatory compliance: Sarbanes-Oxley, Gramm-Leach-Bliley Act, Visa PCI, HIPAA, etc.


FC-Redirect


Before FC-Redirect

[Figure: host and tape target attached to two MDS switches across a WAN; the service module sits in the direct FC path.]

The most direct route available was always taken from Host to Target, so Service Modules had to sit in the direct path.
Any single Service Module failure resulted in a loss of connectivity.
Services could not be enabled or disabled on demand.
HA was not available with Service Modules.
Software upgrades to Service Modules were disruptive.

With FC-Redirect

[Figure: the same fabric with SME on two MSMs; traffic is redirected to an MSM that is not in the direct Host-to-Target path.]

Services are inserted and removed in a non-disruptive manner.
The Multiservice Module (MSM-18/4, or the fixed slot of the 9222i) is unaware of being in the service cascade and need not be in the direct path.
The user can pick which MSM services which Host/Storage traffic.
When an MSM hardware or software failure occurs, FC-Redirect acts according to the application configuration: it either removes the MSM from the flow automatically, or, if the application is HA capable, it prevents the Host from accessing the storage until another MSM becomes ready to service the traffic, which for encryption is what keeps clear-text traffic off the tape.

FC-Redirect Requirements
Targets must be attached to an MDS running SAN-OS 3.2(2c) or later.
That MDS must be re-write capable, e.g. 95XX or 92XX; the 9124/9134 models are not re-write capable.
Attaching hosts to a re-write capable MDS is optional, but recommended for increased performance.
The MSM creates a Virtual Target (VT) and a Virtual Initiator (VI) for each serviced Host and Target as required.
All VTs and VIs are created in the same VSAN as the Target.
The VT and VI are placed in the default zone, with the default-zone policy set to deny.
No Host/Target should be zoned with the FC-Redirect VT/VI; doing so creates possible routing issues.
Cisco Fabric Services (CFS) should be enabled on all FC-Redirect switches.
FC-Redirect is a Supervisor process.

Packet Flow Host to Disk (Host on a non FC-Redirect aware Switch)

[Figure, reconstructed from its labels: the Host sends H>T frames; the target (re-write capable) switch rewrites them to H>VT and forwards them over the trunk link to the MSM switch; the DPP on the MSM processes each frame and emits it as VI>T, which the target switch forwards to the Target.]

Packet Flow Disk to Host (Host on a non FC-Redirect aware Switch)

[Figure, reconstructed from its labels: the Target returns T>H frames on its disk interface; the target switch rewrites them to T>VI and forwards them to the MSM; the DPP processes each frame and emits it as VT>H, which is forwarded to the Host.]


Packet Flow Host to Disk (Host on a FC-Redirect aware Switch)

[Figure, reconstructed from its labels: the H>T to H>VT rewrite happens at the Host ingress port on the host switch; the frame crosses the trunk link to the service module's switch, the DPP processes it and emits VI>T to the Target.]


Displays (Cont.)
SME IT-nexus display:
rtp9-cae-9513-3a# show sme cluster c1 it-nexus
-------------------------------------------------------------------------------
Host WWN,                 VSAN  Status  Switch             Interface
Target WWN
-------------------------------------------------------------------------------
10:00:00:00:c9:5e:9c:96,  99    online  rtp9-cae-9513-3a   sme9/1
20:01:00:60:45:17:35:57

FCNS display before SME configuration:
rtp9-cae-9513-3a# show fcns database vsan 99
VSAN 99:
--------------------------------------------------------------------------
FCID      TYPE  PWWN                     (VENDOR)  FC4-TYPE:FEATURE
--------------------------------------------------------------------------
0x090100  N     10:00:00:00:c9:5e:9c:96  (Emulex)  scsi-fcp:init
0x0902ef  NL    20:01:00:60:45:17:35:57  (ADIC)    scsi-fcp:target


Displays (Cont.)
FCNS display after SME configuration:
rtp9-cae-9513-3a# show fcns database vsan 99
VSAN 99:
--------------------------------------------------------------------------
FCID      TYPE  PWWN                     (VENDOR)  FC4-TYPE:FEATURE
--------------------------------------------------------------------------
0x090100  N     10:00:00:00:c9:5e:9c:96  (Emulex)  scsi-fcp:init
0x090101  N     2e:10:00:05:30:01:97:44  (Cisco)   scsi-fcp:target
0x090102  N     2e:0f:00:05:30:01:97:44  (Cisco)   scsi-fcp:init
0x0902ef  NL    20:01:00:60:45:17:35:57  (ADIC)    scsi-fcp:target

FC-Redirect display:
rtp9-cae-9513-3a# show fc-redirect internal wwn-database all
Type codes: Virtual Target = 16, Host = 2, Virtual Initiator = 8, Target = 1
Entry  WWN                      Type
1      2e:10:00:05:30:01:97:44  Virtual Target
2      10:00:00:00:c9:5e:9c:96  Host
3      2e:0f:00:05:30:01:97:44  Virtual Initiator
4      20:01:00:60:45:17:35:57  Target

The two (Cisco) entries, 0x090101 and 0x090102, are the Virtual Target and Virtual Initiator created by FC-Redirect (shown in green on the original slide): the VT advertises the target feature toward the host, the VI the initiator feature toward the tape drive.

FC-Redirect Configuration
There are no CLI configuration commands for FC-Redirect, only show and tech-support commands.
A clear command is present to recover from error cases:
rtp9-cae-9513-3a# clear fc-redirect config vt 2e:10:00:05:30:01:97:44

The FC-Redirect process is a permanent service as of today.

All configuration is done by the MSM and sent to the Supervisor's FC-Redirect process, which broadcasts it to all capable MDS switches in the fabric using CFS. Configurations are saved in non-volatile Persistent Storage Service (PSS) if the specific VSAN is configured locally.

FC-Redirect Configuration (Cont.)
When a new VSAN is added, the local FC-Redirect process downloads the configuration for that VSAN from neighboring MDS switches.
When a specific Host/Target attaches locally (e.g. sends a Fabric Log In, FLOGI), the configuration kicks in and all the required Access Control Lists (ACLs) are programmed.
When a specific switch or Supervisor is replaced, take precautions: allow the FC-Redirect entries to be updated before enabling the affected local Host/Target ports. Until the ACLs are in place, frames between a host and its target would follow the direct route and bypass the MSM.


FC-Redirect Configuration (Cont.)
FC-Redirect works in a multi-version SAN-OS fabric: not all switches in the fabric are required to run SAN-OS 3.2(2c) or higher, although it is recommended that all switches in a fabric run the same SAN-OS where possible.
If a specific host switch is upgraded to an FC-Redirect capable SAN-OS, the appropriate ACL entries are programmed to control the flow after the configuration download.
SME Target/Host ports should not have IVR enabled for them on the local switch.
If a specific Target is IVR enabled, IVR should not be enabled on the Target switch itself: trunk the Target VSAN to an adjacent switch and configure IVR on that switch.


SME in the Fabric


Features
Transparent fabric service
Intuitive provisioning
Clustering for load-balancing and redundancy
Comprehensive Key Management
Role Based Access Control (RBAC)
Heterogeneous storage arrays, tape libraries and virtual tape libraries
Federal Information Processing Standard (FIPS) Level-3 System Architecture

[Figure: server, MSM, Fabric Manager Server with the Key Management Center, and tape libraries; a clear-text record (Name: XYZ, SSN: 1234567890, Amount: $123,456) leaves the server and reaches the tape as ciphertext.]

Transparent Fabric Service
Ability to deploy MSMs anywhere in the fabric.
No appliances in-line in the data path. No SAN re-wiring or reconfiguration.
Traffic flow is automatically redirected to the MSM for encryption, achieved using FC-Redirect.

[Figure: application servers, an MSM and a tape library in one fabric.]

Clustering
Single point of cluster management.
Automatic load-balancing: the traffic load for encryption is distributed among the MSMs.
Redundancy: if an MSM should fail, traffic is automatically redirected to another MSM in the fabric.

[Figure: application servers, two MSMs and tape libraries.]

Clustering …
Dual-fabric support: MSMs across the fabrics are configured in a single cluster; MSM cluster communication is over the management IP network.
Multi-path aware: discovery and encryption of disks in the backend storage arrays take multi-pathing into account.
Secure inter-node communication using Secure Sockets Layer (SSL).

[Figure: two MSMs in separate fabrics joined by an SSL cluster link, with application servers and a tape library.]

Cluster Services
Separate SAN-OS service; will support other applications in future releases.

Provides the following services to applications:
Membership and Leader Election
Database Synchronization
Secure Reliable Group Communication (RGC)
Configuration and Operation Management

An operational cluster requires a quorum of [N/2 + 1] nodes.
[N/2] nodes can form a quorum if the lowest Node id is still present (for even N, this tie-break keeps two halves of a partitioned cluster from both staying active).


Node Join Process
The user configures the cluster to add a new switch (node).
The Cluster Membership component probes for the switch, brings up TCP connections and enrolls the switch into the cluster view.
Cluster and SME configuration and runtime databases are automatically synchronized on the new switch.
The Reliable Group Communication layer keeps any further configuration and state changes in sync across all switches.

Reliable Group Communication
The RGC layer provides total-order atomic message delivery guarantees to SME (all-or-none model: all messages in the same order on all switches).
An application request is sent from the receiving member to the coordinator, who serializes the requests.
The coordinator implements a 2-phase commit protocol for each message: Precommit to the members, Ack from each member, then Commit.
SME processes the message only after the commit phase.

[Figure: SME msg -> Coordinator -> Precommit -> Ack -> Commit -> SME processes msg.]
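The quorum rule from the Cluster Services slide and the coordinator's two-phase commit from this one, as an added example in Go (not Cisco code, and not how the SAN-OS cluster service is implemented): HasQuorum applies the [N/2 + 1] rule with the lowest-node-id tie-break, and Coordinator.Deliver runs Precommit/Ack/Commit over a simulated cluster view, so that a member that fails to ack leaves no node with the message applied, and a view without quorum refuses requests. Node, Coordinator, Down and FailNext are names invented for the example; the cluster-wide TCP transport is replaced by in-process calls.

```go
package main

import (
	"errors"
	"fmt"
)

// HasQuorum is the rule from the Cluster Services slide: N/2+1 of the N
// configured nodes, or, for even N, exactly N/2 when the lowest node id is
// among them (the tie-break that stops two halves from both going active).
func HasQuorum(configured, alive []int) bool {
	n := len(configured)
	if n == 0 {
		return false
	}
	present := make(map[int]bool, len(alive))
	for _, id := range alive {
		present[id] = true
	}
	lowest, count := configured[0], 0
	for _, id := range configured {
		if id < lowest {
			lowest = id
		}
		if present[id] {
			count++
		}
	}
	return count >= n/2+1 || (n%2 == 0 && count == n/2 && present[lowest])
}

// Node is one switch's copy of the replicated SME database. Log holds the
// messages SME has processed, in commit order; it must match on every node.
type Node struct {
	ID       int
	Down     bool // unreachable, so not part of the current cluster view
	FailNext bool // simulates a member that crashes before acking a precommit
	Log      []string
	pending  map[int]string // precommitted but uncommitted, by sequence number
}

func NewNode(id int) *Node { return &Node{ID: id, pending: map[int]string{}} }

func (n *Node) precommit(seq int, msg string) error {
	if n.FailNext {
		n.FailNext = false
		return fmt.Errorf("node %d did not ack seq %d", n.ID, seq)
	}
	n.pending[seq] = msg
	return nil
}

func (n *Node) abort(seq int)  { delete(n.pending, seq) }
func (n *Node) commit(seq int) { n.Log = append(n.Log, n.pending[seq]); delete(n.pending, seq) }

// Coordinator serializes the requests that arrive at any member and runs one
// two-phase commit per message; SME on a node processes the message only
// after the commit phase, so every node applies the same total order.
type Coordinator struct {
	Members []*Node
	seq     int
}

var ErrNoQuorum = errors.New("cluster has no quorum; request refused")

func (c *Coordinator) view() (all, alive []int, up []*Node) {
	for _, n := range c.Members {
		all = append(all, n.ID)
		if !n.Down {
			alive, up = append(alive, n.ID), append(up, n)
		}
	}
	return
}

// Deliver returns nil once every node in the view has committed msg; on any
// failure in phase 1 it aborts everywhere and nothing is applied anywhere.
func (c *Coordinator) Deliver(msg string) error {
	all, alive, up := c.view()
	if !HasQuorum(all, alive) {
		return ErrNoQuorum
	}
	c.seq++
	for _, n := range up { // phase 1: precommit, wait for every ack
		if err := n.precommit(c.seq, msg); err != nil {
			for _, m := range up {
				m.abort(c.seq)
			}
			return fmt.Errorf("seq %d aborted: %w", c.seq, err)
		}
	}
	for _, n := range up { // phase 2: commit; SME processes the message now
		n.commit(c.seq)
	}
	return nil
}
```

With four nodes, two of them Down and node 1 still present, Deliver succeeds on the two survivors; once node 1 is also Down, the lone remaining node is refused with ErrNoQuorum. A node that comes back from Down would need the database synchronization the Node Join slide describes; this model does not replay the log it missed.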


Key Hierarchy
Master Key: resides in smart cards. A quorum of smart cards is required to recover the Master Key (2 of 3, 2 of 5, 3 of 5), using Recovery Shares produced by secret sharing.
Tape Volume Group Key: wrapped by the Master Key.
Tape Key: a unique key per tape. Keys reside in clear text only inside the crypto boundary. Tape Keys are wrapped under the Master Key hierarchy (the Master Key wraps the Tape Volume Group Key, which wraps the Tape Keys; see the rekey slides) and archived at the Key Management Center, with the option to store Tape Keys on the tape media.

[Figure: Master Key -> Tape Volume Group Key -> Tape Keys, with the Key Management Center holding the wrapped keys.]


Cisco Key Management Center
Centralized key lifecycle management: archive, shred, recover and distribute media keys.
Integrated into FM Server.
Secure transport of keys: end-to-end using HTTPS/SSL/SSH.
Access controls and accounting using existing AAA mechanisms (TACACS+ in the figure).

[Figure: Fabric Manager Server hosting the Cisco Key Management Center, talking TACACS+ to AAA and SSL to the MSMs; app servers and the tape library hang off the fabric.]

Master Key Management
Three modes, from highest security to greatest simplicity:
Advanced: smart cards with Recovery Shares for each Master Key, where M of N Recovery Officers are required to recover a Master Key.
Standard: a single smart card holding the Master Key, no Recovery Shares.
Basic: Master Key stored in a file, the file encrypted with a password.
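The quorum-of-smart-cards recovery from the Key Hierarchy slide and from the Advanced mode here, as an added Go example (not Cisco's implementation; the slides say only "secret sharing"): Shamir's threshold scheme over a prime field, where each smart card holds one share, any M of N shares reconstruct the master key, and M-1 shares yield nothing about it. Split, Recover and interpolate are names chosen for the example; the field 2^521-1 and the 32-byte master key are assumptions.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// Field for the shares: the Mersenne prime 2^521 - 1, large enough that a
// 256-bit master key is always a valid field element.
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 521), big.NewInt(1))

// Share is what one recovery officer's smart card holds: the polynomial's
// value at that card's index. X = 0 is never issued, since f(0) is the secret.
type Share struct {
	X int
	Y *big.Int
}

// Split issues n shares of a master key, any m of which recover it (2 of 3,
// 2 of 5 and 3 of 5 are the quorums the slides allow).
func Split(master []byte, m, n int) ([]Share, error) {
	if m < 2 || m > n {
		return nil, errors.New("quorum must satisfy 2 <= m <= n")
	}
	secret := new(big.Int).SetBytes(master)
	if secret.Cmp(prime) >= 0 {
		return nil, errors.New("master key does not fit the field")
	}
	// f(x) = secret + a1*x + ... + a(m-1)*x^(m-1) with random coefficients.
	coef := []*big.Int{secret}
	for i := 1; i < m; i++ {
		a, err := rand.Int(rand.Reader, prime)
		if err != nil {
			return nil, err
		}
		coef = append(coef, a)
	}
	shares := make([]Share, n)
	for i := range shares {
		x, y := big.NewInt(int64(i+1)), new(big.Int)
		for j := len(coef) - 1; j >= 0; j-- { // Horner's rule
			y.Mul(y, x).Add(y, coef[j]).Mod(y, prime)
		}
		shares[i] = Share{X: i + 1, Y: y}
	}
	return shares, nil
}

// interpolate evaluates the Lagrange form at x = 0 over whatever shares it is
// given. With fewer than m distinct shares the result is a value unrelated to
// the secret: the mathematics enforces the quorum, not only the policy check.
func interpolate(shares []Share) *big.Int {
	sum := new(big.Int)
	for i, si := range shares {
		num, den := big.NewInt(1), big.NewInt(1)
		for j, sj := range shares {
			if i == j {
				continue
			}
			num.Mul(num, big.NewInt(int64(-sj.X))).Mod(num, prime)
			den.Mul(den, big.NewInt(int64(si.X-sj.X))).Mod(den, prime)
		}
		li := num.Mul(num, new(big.Int).ModInverse(den, prime)).Mod(num, prime)
		sum.Add(sum, li.Mul(li, si.Y)).Mod(sum, prime)
	}
	return sum
}

// Recover enforces the configured quorum m, rejects a card presented twice,
// and returns the keyLen-byte master key.
func Recover(shares []Share, m, keyLen int) ([]byte, error) {
	if len(shares) < m {
		return nil, fmt.Errorf("quorum is %d recovery officers, only %d present", m, len(shares))
	}
	seen := map[int]bool{}
	for _, s := range shares[:m] {
		if seen[s.X] || s.X < 1 {
			return nil, fmt.Errorf("share index %d duplicated or invalid", s.X)
		}
		seen[s.X] = true
	}
	secret := interpolate(shares[:m])
	if secret.BitLen() > 8*keyLen { // mixed share versions interpolate to a random field element
		return nil, errors.New("shares do not belong to the same master key version")
	}
	return secret.FillBytes(make([]byte, keyLen)), nil
}

func main() {
	master := make([]byte, 32) // AES-256 master key, random for the example
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	cards, _ := Split(master, 2, 3) // "2 of 3": three cards issued, any two recover
	got, err := Recover([]Share{cards[2], cards[0]}, 2, 32)
	fmt.Println(bytes.Equal(got, master), err) // true <nil>
	_, err = Recover(cards[:1], 2, 32)
	fmt.Println(err) // one officer alone is refused by policy ...
	fmt.Println(interpolate(cards[:1]).Cmp(new(big.Int).SetBytes(master)) != 0) // ... and the math would not give the key anyway
}
```

The version check in Recover matters after a master key rekey: shares from the old and the new card set interpolate to a random 521-bit value, which the length check rejects instead of handing back a wrong key.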

Media Key Management
Two modes, from highest security to greatest simplicity:
Advanced: a unique key per media. A flexible and secure solution for data management; requires an enterprise-wide key management system.
Basic: a single key for all media. Easy to deploy, very basic key management. Not a good practice for security: compromise of one medium compromises all media.

[Figure: tape libraries, all media under the same key.]

Intuitive Provisioning - Tapes
The configuration identifies a backup environment: the master server, the media server(s) and the associated tape devices.

Configuration steps:
Select the master/media servers in their backup environment, identified by host alias in FM.
Discover the backend tape libraries: the MSM(s) in the fabric perform discovery on behalf of the specified servers.
Enable encryption.

[Figure: master server and media servers, MSM, tape library.]


FC Session Sequence
SME installs a VI/VT pair for every I_T nexus bound to an SME interface.
A LOGO is issued to an existing session to flush any pending exchanges in transit.
Discovery of the backend target, using the identity of the host, is done during PLOGI/PRLI session establishment. Discovery includes REPORT_LUNS and INQUIRY.

Sequence, reconstructed from the figure (participants: Host, VT, VI, Target):
Host <-> VT: LOGO (existing session flushed)
Host -> VT: PLOGI
VI -> Target: PLOGI
Target -> VI: PLOGI_ACC
VI -> Target: PRLI
Target -> VI: PRLI_ACC (the figure shows this PRLI/PRLI_ACC exchange twice before discovery)
VI -> Target: DISCOVERY (REPORT_LUNS, INQUIRY)
Target -> VI: DISCOVERY_RSP
VT -> Host: PLOGI_ACC
Host -> VT: PRLI
VT -> Host: PRLI_ACC
FC session fully up


Tape Format and Tape Header
A Cisco tape header captures per-tape global information: the Tape Key ID or the encrypted Tape Key itself, the algorithms used, etc.
Tape logical blocks are compressed, then encrypted and authenticated.
Per-block header information: a random IV (generated by Hifn), whether compression is enabled, length, etc.
Per-block trailer information: the Integrity Check Value, etc.
Specific cluster information is recorded as well.
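A worked version of the per-block format this slide describes, added here as a Go example; it is not Cisco's on-tape format, which is not public. It compresses with DEFLATE, then encrypts with AES-256-GCM under a fresh random IV per block, passes the header to GCM as associated data so it is authenticated, and uses the GCM tag as the trailer's Integrity Check Value. The field layout, the "SME1" marker and the function names are assumptions, and crypto/rand stands in for the Hifn random source.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"io"
)

// Assumed layout of one logical tape block (the real SME header is not
// published; this mirrors only the fields the slide lists):
//   header : "SME1" | key ID (16) | alg (1) | comp (1) | clear length (4) | IV (12)
//   body   : AES-256-GCM ciphertext of the (DEFLATE-compressed) block
//   trailer: 16-byte GCM tag, the Integrity Check Value
// The header is GCM associated data: tamper-evident, yet readable without the
// key, so a restore tool can look the key ID up before it holds the key.
const (
	magic     = "SME1"
	algGCM    = 1
	compFlate = 1 // 0 = stored uncompressed
	hdrLen    = 4 + 16 + 1 + 1 + 4 + 12
)

// Header fields are all fixed-size, so encoding/binary serializes the struct.
type Header struct {
	KeyID     [16]byte
	Alg, Comp byte
	ClearLen  uint32
	IV        [12]byte
}

func (h Header) encode() []byte {
	b := bytes.NewBufferString(magic)
	binary.Write(b, binary.BigEndian, h)
	return b.Bytes()
}

func gcm(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// WriteBlock: compress, then encrypt and authenticate, in that order.
func WriteBlock(tapeKey []byte, keyID [16]byte, clear []byte) ([]byte, error) {
	aead, err := gcm(tapeKey)
	if err != nil {
		return nil, err
	}
	h := Header{KeyID: keyID, Alg: algGCM, ClearLen: uint32(len(clear))}
	if _, err := rand.Read(h.IV[:]); err != nil { // fresh IV per block: GCM must never reuse one under a key
		return nil, err
	}
	body := clear
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression)
	w.Write(clear)
	w.Close()
	if buf.Len() < len(clear) { // incompressible data stays as-is; Comp records which
		body, h.Comp = buf.Bytes(), compFlate
	}
	hdr := h.encode()
	return aead.Seal(hdr, h.IV[:], body, hdr), nil // Seal appends ciphertext, then the tag (trailer)
}

// ReadBlock is the read path of the MSM or of the offline restore tool: find
// the key by ID, verify the ICV, decrypt, decompress, check the clear length.
func ReadBlock(lookup func([16]byte) ([]byte, bool), block []byte) ([]byte, error) {
	var h Header
	if len(block) < hdrLen || string(block[:4]) != magic ||
		binary.Read(bytes.NewReader(block[4:hdrLen]), binary.BigEndian, &h) != nil {
		return nil, errors.New("not an SME-formatted block")
	}
	key, ok := lookup(h.KeyID)
	if !ok || h.Alg != algGCM {
		return nil, errors.New("no usable key for this block's key ID and algorithm")
	}
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	body, err := aead.Open(nil, h.IV[:], block[hdrLen:], block[:hdrLen])
	if err != nil {
		return nil, errors.New("integrity check value mismatch: wrong key or altered block")
	}
	if h.Comp == compFlate {
		if body, err = io.ReadAll(flate.NewReader(bytes.NewReader(body))); err != nil {
			return nil, err
		}
	}
	if uint32(len(body)) != h.ClearLen {
		return nil, errors.New("header clear length does not match payload")
	}
	return body, nil
}
```

ReadBlock refuses a block whose header or trailer has been altered, one written under a different key, and one whose key ID the lookup does not know, which is the situation the Offline Data Restore Tool slide describes when the exported key file lacks the right key. The Comp flag lets incompressible data be stored as-is, since DEFLATE would otherwise grow it.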


SME Roles and Identities
SME Administrator
Responsible for SME provisioning and management. Per-VSAN role-based access control: the scope of management can be limited to certain VSANs. The SAN administrator may assume this role.

SME Recovery Officer
Responsible for any critical recovery functionality that requires the Master Key. Split knowledge: a quorum of Recovery Officers is required to perform any recovery procedure; the quorum is defined at cluster create time as 2 of 3, 2 of 5, or 3 of 5. The security organization may assume this role.


FIPS 140-2 Level 3 System Architecture
(Federal Information Processing Standard)

Cryptographic processing and compression are done in the Cavium Octeon.
Strong AES-256 modes of encryption: AES-GCM for tapes, with authentication to preserve integrity; DEFLATE compression for tapes. GCM's integrity guarantee depends on never reusing an IV under the same key, which is why each tape block carries a fresh random IV.

The hardware and software architecture is designed to meet FIPS 140-2 Level 3 certification requirements:
Tamper-resistant, tamper-responding enclosure: any attempt to open or tamper with the module zeroizes the sensitive data it holds.
Critical Security Parameters never leave the module unencrypted.


DS-9304-K9 (18+4) Block Diagram

[Figure, reconstructed from its labels: 18 FC ports (12 + 6) and 4 x 1G Ethernet ports feed the MAC layers; an SPI4.2 interface connects through the arbiter to the crossbar fabric; the Octeon chip handles encryption and compression (DEFLATE), giving roughly 4 Gbps of application throughput; FCIP and iSCSI functionality and IPsec encryption run at 4 x 1 Gbps.]

Supported Backup Applications
Chapter 4 of Interop Matrix

http://cco/en/US/docs/storage/san_switches/mds9000/interoperability/matrix/Matrix.pdf


SME Capabilities
Capability                                   Rel 3.2(3)
Number of clusters per switch                1
Number of clusters per fabric                1
Switches in a cluster                        4
Fabrics in a cluster                         1
Modules in a switch                          11
Cisco MSM-18/4 modules in a cluster          32
Initiator-Target-LUNs (ITLs)                 128
LUNs behind a target                         32
Host ports in a cluster                      128
Target ports in a cluster                    128
Number of hosts per target                   16
Tape backup groups per cluster               2
Volume groups in a tape backup group         4
Cisco Key Management Center (# of keys)      32K


Licensing
M9200EXT1AK9: SAN Extension license for one DS-9304-K9 in an MDS 92xx switch
M9500EXT1AK9: SAN Extension license for one DS-9304-K9 in an MDS 95xx switch
M9200SME1MK9: Storage Media Encryption license for one DS-9304-K9 in an MDS 92xx switch
M9500SME1MK9: Storage Media Encryption license for one DS-9304-K9 in an MDS 95xx switch
M9200SME1FK9: Storage Media Encryption license for the fixed slot in an MDS 92xx switch

KMC Access


Cisco SME – Integrated Management
Encryption management is integrated into Cisco Fabric Manager, leveraging its knowledge of the storage fabric.
Uses a PostgreSQL database. No additional software required.

[Figure: active keys (Key 1 ... Key n) in the fabric, managed from Cisco Fabric Manager.]


Clusters Using SSL Certificates
Certificates are created on each MDS that will be using Trustpoints (ca_cert).
The Trust Certificate and Server Certificate are defined on the FMS.
The Cluster is defined to use Trustpoints, and each MDS registers with the FMS.
The Key Management Center can then be accessed.
Certificate directory on the Fabric Manager Server: C:\Program Files\Cisco Systems\MDS 9000\conf\cert
The server certificate's private key lives in that directory, so restrict file-system access to it to the account the FMS runs under.

[Figure: Fabric Manager Server (Trust Certificate, Server Certificate) and three MSMs each holding ca_cert, with the Cisco Key Management Center, application servers and tape library.]

Configuring KMC SSL
Cisco Key Manager Settings selection: the KMC SSL settings for the Trust and Server Certificates are selected from the certificates that have been filed on the Fabric Manager Server in the following directory:
C:\Program Files\Cisco Systems\MDS 9000\conf\cert

Configuring RSA Key Manager
RSA Key Manager Settings selection: define the Key Manager server and port number. The Trust and Client Certificates and the password are provided by the customer's security team.

Cisco SME – Integrated Management
Encryption management is integrated into Cisco Fabric Manager, leveraging its knowledge of the storage fabric. No additional software required.
Integrates with RSA Key Manager for comprehensive encryption key lifecycle management.

[Figure: active keys (Key 1 ... Key n) in the fabric, the Cisco Fabric Manager API, and RSA Key Manager.]

SME Configuration/ Management Using FM


Configuration/Display using FMS
The preferred mode of provisioning for SME is the FM web client.
FM Server is installed on a standalone server to manage the MDS fabric(s).
The Key Management Center (KMC) is co-located on the FM server.


Accessing FMS to Configure/Display SME
Point your web browser to the FMS server's IP address.
Log in with the user name and password defined at FMS install.

Displaying SME Cluster
Select the cluster name to display.
Note the nodes and interfaces.
Note the individual settings for this cluster.

Displaying Cluster Members
Select the Members selection.
Note the master node and its IP address.
Note the interface id for each node.

Displaying Cluster Hosts
Select the specific host to be displayed.
Note the VSAN membership.
Note the tape device to LUN relationship.
Verify that the tape device is in Online status.


Displaying Cluster Tape Devices
Select the specific tape device to be displayed.
Note the VSAN membership.
Note the LUN defined for the Initiator, Target, LUN (ITL) relationship.
Note the node and SME interface being used for this ITL.


Displaying Cluster Volume Groups
Select the specific Volume Group to be displayed.
You can create specific Volume Groups using different filter methods.
The Active tab displays volumes backed up using this cluster, if you have selected Unique Key per Media and are not storing the key on tape.
The Archived tab displays volumes imported to this cluster.


Volume Group Key Recovery

[Figure: production site and disaster recovery site, each with server, FMS, MSM, KMC and tape libraries; the clear-text record (Name: XYZ, SSN: 1234567890, Amount: $123,456) on the servers, ciphertext on the tapes at both sites.]

Tape Volume Group Keys can be exported and imported to a different site.
It is recommended that the Tape Volume Group Keys be exported regularly.
Once imported, the volumes can no longer be written to, only read from.

Tape Volume Group Rekey
Tape volume groups can be rekeyed periodically for better security, and also when the key's security has been compromised.
In unique key mode, the rekey operation generates a new tape volume group wrap key. The current tape volume group wrap key is archived (it is still needed to unwrap the keys of tapes already written). The current media keys remain unchanged, and new media keys are wrapped with the new tape volume group wrap key.
In shared key mode, the rekey operation generates a new tape volume group wrap key and a new tape volume group shared key. The current tape volume group wrap key is archived, while the current tape volume group shared key remains unchanged (in active state).
Note what a rekey does not do: it replaces the wrap key, not the media keys or the data already on tape, so a tape whose own media key is compromised stays readable with that key until it is rewritten or destroyed.


Master Key Rekey
In advanced mode, a smart card replacement triggers a master key rekey: a new version of the master key is generated for the cluster, and the new set of master key shares is stored in the smart cards.
All the volume group keys are then synchronized with the new master key: the tape volume group keys are rekeyed, new tape volume group keys are wrapped by the new master key, and the existing tape volume group keys are cloned and wrapped by the new master key.
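The hierarchy from the Key Hierarchy slide together with both rekey operations from these two slides, as an added Go example (not Cisco's key store): the master key wraps every version of the tape volume group wrap key, each media key is wrapped under the wrap-key version that was current when its tape was written, Rekey appends a new wrap key and keeps the old one archived (unique-key mode only; shared-key mode is not modelled), and RekeyMaster re-wraps every wrap-key version under a new master key. AES-256-GCM as the wrapping primitive and all type and function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Wrapped is a key encrypted under its parent key. AES-256-GCM is used here
// as the wrapping primitive (an assumption; the slides say only "wrapped").
type Wrapped struct{ Nonce, Blob []byte }

func newKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func aead(key []byte) cipher.AEAD {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(blk)
	return g
}

func wrap(kek, key []byte) Wrapped {
	n := make([]byte, 12)
	rand.Read(n)
	return Wrapped{Nonce: n, Blob: aead(kek).Seal(nil, n, key, nil)}
}

func unwrap(kek []byte, w Wrapped) ([]byte, error) {
	k, err := aead(kek).Open(nil, w.Nonce, w.Blob, nil)
	if err != nil {
		return nil, errors.New("wrong parent key (or altered key record)")
	}
	return k, nil
}

// VolumeGroup keeps every version of its wrap key (the last one is current,
// the others are the archived ones) and one key record per tape, which
// remembers which wrap-key version it was wrapped under.
type VolumeGroup struct {
	WrapKeys []Wrapped              // each wrapped under the cluster master key
	Media    map[string]mediaRecord // by tape barcode
}

type mediaRecord struct {
	Key Wrapped // the per-tape key, wrapped under WrapKeys[Ver]
	Ver int
}

func NewVolumeGroup(master []byte) *VolumeGroup {
	return &VolumeGroup{WrapKeys: []Wrapped{wrap(master, newKey())}, Media: map[string]mediaRecord{}}
}

// NewMediaKey generates a unique key for a tape and wraps it under the
// current wrap key. The clear key is returned for the write and never stored.
func (vg *VolumeGroup) NewMediaKey(master []byte, barcode string) ([]byte, error) {
	cur := len(vg.WrapKeys) - 1
	wk, err := unwrap(master, vg.WrapKeys[cur])
	if err != nil {
		return nil, err
	}
	k := newKey()
	vg.Media[barcode] = mediaRecord{Key: wrap(wk, k), Ver: cur}
	return k, nil
}

// MediaKey walks the hierarchy: master -> wrap key (the right version) -> tape key.
func (vg *VolumeGroup) MediaKey(master []byte, barcode string) ([]byte, error) {
	rec, ok := vg.Media[barcode]
	if !ok {
		return nil, fmt.Errorf("no key archived for tape %s", barcode)
	}
	wk, err := unwrap(master, vg.WrapKeys[rec.Ver])
	if err != nil {
		return nil, err
	}
	return unwrap(wk, rec.Key)
}

// Rekey (unique-key mode): a new wrap key becomes current and the old one is
// kept as archived; existing media keys are unchanged and still restore.
func (vg *VolumeGroup) Rekey(master []byte) {
	vg.WrapKeys = append(vg.WrapKeys, wrap(master, newKey()))
}

// RekeyMaster: every wrap-key version is unwrapped with the old master key and
// wrapped again under the new one, so a smart-card replacement strands no tape.
func (vg *VolumeGroup) RekeyMaster(oldMaster, newMaster []byte) error {
	rewrapped := make([]Wrapped, len(vg.WrapKeys))
	for i, w := range vg.WrapKeys {
		wk, err := unwrap(oldMaster, w)
		if err != nil {
			return fmt.Errorf("wrap key version %d: %w", i, err)
		}
		rewrapped[i] = wrap(newMaster, wk)
	}
	vg.WrapKeys = rewrapped // swap only after every version re-wrapped cleanly
	return nil
}
```

After Rekey, a tape written earlier still restores because its record points at the archived wrap-key version; after RekeyMaster the old master key opens nothing, which is the point of replacing the smart cards. Neither operation touches the media key or the data on the tape, so a compromised media key still reads every tape written under it.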


Offline Data Restore Tool
A stand-alone utility that can be used to decrypt tapes written by SME in an environment where no MDS switches are present. The user points the tool at a tape drive where the tape is loaded and provides the key file exported from the KMC that holds the corresponding key for this tape.
Two phases:
Tape-to-disk phase: data is read from the tape and stored on disk as temporary file(s).
Disk-to-tape phase: the data is decrypted, decompressed and written back to tape.
The exported key file and the restored tape are both clear-text secrets: protect the key file on the restore host, and treat the output tape as unencrypted media.

Supported only on the RHEL 5.1 Linux platform at this time.


SME Virtual Interface Counters
The display has information for encrypted traffic and clear-text traffic. Compression ratio and traffic percentages are also provided, along with error statistics.

Smartcard Reader
For increased operational security, smart cards are offered to protect Master Keys, facilitate Master Key escrow, and help prevent unauthorized cryptographic cluster formation and key recovery.
Smart Card Reader p/n: SMEDS-SCR-K9=
Smart Card p/n: SMEDS-SC-K9=


Displays (Cont.)
Debugging information:
show tech-support sme
show tech-support cluster


SME Network Designs


Core-Edge Topology
In a core-edge topology, the media servers are at the edge of the network and the tape libraries at the core.

[Figure: media servers on edge switches, tape libraries on core switches carrying the MSMs.]

If the targets that require SME services are connected to only one switch in the core, use SME line cards and provision SME on this switch only. The number of SME line cards depends on the throughput requirements.
If the targets that require SME services are connected to multiple core switches, install SME line cards and provision SME on these switches. Based on the throughput requirements, derive the total number of SME line cards and spread them (in proportion to the expected traffic) across the switches where the targets are connected. Additionally, provision the ISLs between the target-connected switches in the core to account for SME traffic.

Edge-Core-Edge Topology
In an edge-core-edge topology, the hosts and the targets are at the two edges of the network, connected via core switches.

[Figure: media servers on one edge, tape libraries on the other edge attached to the switches carrying the MSMs, core switches in between.]

If the targets that require SME services are connected to only one switch on the edge, use SME line cards and provision SME on this switch only. The number of SME line cards depends on the throughput requirements.
If the targets that require SME services are connected to multiple edge switches, install SME line cards and provision SME on these switches. Based on the throughput requirements, derive the total number of SME line cards and spread them (in proportion to the expected traffic) across the switches where the targets are connected. Additionally, provision the ISLs between the target-connected edge switches, through the core, to account for SME traffic.


Single Switch Fabric
Backup environment: 16 media servers and 30 LTO3 tape drives.
4 MSM modules installed in one MDS 9509 (3 for the expected traffic and 1 for failover).

[Figure: a single MDS 9509 chassis with dual WS-X9530 supervisors and the four SME line cards.]

The 30 tape drives are evenly distributed across all 4 SME line cards (7 or 8 tape drives each).
The 16 media servers are evenly distributed across all 4 modules (4 media servers each).
There is any-to-any connectivity between the media servers and the tape drives (zoning configuration).
The number of FC-Redirect entries used on each line card is calculated as follows:
Target-to-host entries: (8 targets/line card) * (16 hosts) = 128
Host-to-target entries: (4 hosts/line card) * (30 targets) = 120
SME entries: (8 targets/line card) * (16 hosts) * 2 = 256
Total: 504 entries (within the limit of 1000).
This is the average load when the encryption load for the targets is evenly distributed over multiple SME line cards. If one of the modules fails, the other modules take over its load and carry a higher number of entries during that period.

Dual Switch Fabric
Backup environment: 16 media servers and 30 LTO3 tape drives.
3 MSM modules installed in MDS 9509a and 3 MSM modules in MDS 9509b (in each, 2 for the expected traffic and 1 for failover).

30 tape drives: 15 attached to each MDS, distributed evenly across its 3 MSM modules.
16 media servers: 8 accessing each MDS, on a single line card, from other switches in the fabric.
There is any-to-any connectivity between the media servers and the tape drives (zoning configuration).
Note that the encryption engines on each MSM can encrypt tapes connected to the other MDS.
The number of FC-Redirect entries used on each SME line card is calculated as follows:
Target-to-host entries: (5 targets/line card) * (16 hosts) = 80
SME entries: (5 targets/line card) * (16 hosts) * 2 = 160
Total: 240 entries on each MSM module (within the limit of 1000).
This is the average load when the encryption load for the targets is evenly distributed over multiple SME line cards. If one of the modules fails, the other modules take over its load and carry a higher number of entries during that period.
ISL entries on the target switch depend on the load distribution. If all the local targets are serviced by the local SME line cards, the number of entries needed is (30 targets on the switch) * (16 hosts in the SAN) = 480. However, if the local targets are serviced by the remote switch, the worst-case number of FC-Redirect entries on the ISL is (60 targets on the switch) * (16 hosts in the SAN) = 960. Hence, the ISL must be provisioned on a non-SME line card.
Host-to-target entries on the host line card: (8 hosts/line card) * (30 targets) = 240 (within the limit of 1000).
ISL entries on the host switch: (8 hosts on the switch) * (60 targets) = 480 in the worst case. If the ISL is on the same line card as the hosts, the total is 720 entries.
Target Centralized Dual Switch Fabric
Backup environment consists of 16 media servers and 30 LTO3 tape drives.
4 MSM Modules installed in the 9509 MDS (3 for expected traffic and 1 for failover).

Figure: MDS 9509 chassis with two WS-X9530 SFI supervisor modules (CONSOLE, MGMT 10/100 and COM 1 ports shown).

The 30 tape drives are evenly distributed across all 4 SME line cards (7 or 8 tape drives each).
The 16 media servers are connected to other switches in the Fabric.
There is any-to-any connectivity between the media servers and the tape drives (zoning configuration).

The number of FC-Redirect entries used on each line card is calculated below (note that the host entries are not on the line cards of the target switch):
Target to host entries: (8 targets/line card) * (16 hosts) = 128
SME entries: (8 targets/line card) * (16 hosts) * 2 = 256 entries
Total: 384 entries on each SME line card (within the limit of 1000)

This is an average load when the encryption load for the targets is evenly distributed across multiple SME line cards. If one of the modules fails, the other modules take over its load and carry a higher number of entries during that period.

Host to target entries: (8 hosts/line card) * (30 targets) = 240 (within the limit of 1000)
There are no FC-Redirect entries on the ISL because all the targets are on the same switch and the host switches are FC-Redirect capable.

Single Switch Fabric
Backup environment consists of 16 media servers and 60 LTO3 tape drives.
7 MSM Modules installed in the 9509 MDS (6 for expected traffic and 1 for failover).

Figure: MDS 9509 chassis with two WS-X9530 SFI supervisor modules (CONSOLE, MGMT 10/100 and COM 1 ports shown).

The 60 tape drives are evenly distributed across all 7 SME line cards (8 or 9 tape drives each).
The 16 media servers are evenly distributed across all 7 modules (2 or 3 media servers each).
There is any-to-any connectivity between the media servers and the tape drives (zoning configuration).

The number of FC-Redirect entries used on each line card is calculated below:
Target to host entries: (9 targets/line card) * (16 hosts) = 144
Host to target entries: (3 hosts/line card) * (60 targets) = 180
SME entries: (9 targets/line card) * (16 hosts) * 2 = 288 entries
Total: 612 entries (within the limit of 1000)

This is an average load when the encryption load for the targets is evenly distributed across multiple SME line cards. If one of the modules fails, the other modules take over its load and carry a higher number of entries during that period.

Single Switch Fabric
Backup environment consists of 32 media servers and 60 LTO3 tape drives.
7 MSM Modules installed in the 9509 MDS (6 for expected traffic and 1 for failover).

Figure: MDS 9509 chassis with two WS-X9530 SFI supervisor modules (CONSOLE, MGMT 10/100 and COM 1 ports shown).

The 60 tape drives are evenly distributed across all 7 SME line cards (8 or 9 tape drives each).
The 32 media servers are evenly distributed across all 7 modules (4 or 5 media servers each).
Since each target can only be zoned to a maximum of 16 hosts, the backup environment must be divided into 2 zones. Each zone has 16 Media Servers and 30 Targets.
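The entry budgets worked through in the single switch, dual switch and target centralized examples above, reduced to a small calculator. This is an added Python example and not code from the Cisco deck or from the MDS software: the function names, the ceil-based "evenly distributed" share, and the treatment of a failed module (its encryption share moves to the surviving modules while attached hosts and targets are unchanged) are assumptions made here. The 1000-entry per line card limit and the 16-hosts-per-target zoning limit are the ones quoted on the slides.

```python
"""FC-Redirect entry budgeting for SME designs (added example, not Cisco's code).

Reproduces the per-line-card arithmetic the design slides walk through and
checks the two limits the slides state: 1000 FC-Redirect entries per line
card and 16 hosts zoned to one target.
"""
from dataclasses import dataclass
from math import ceil

ENTRY_LIMIT_PER_LINECARD = 1000   # limit quoted on the slides
MAX_HOSTS_PER_TARGET = 16         # zoning limit quoted on the slides


def per_card(count: int, cards: int) -> int:
    """Largest share one card gets when `count` devices are spread evenly over `cards`."""
    if cards < 1:
        raise ValueError("need at least one card to carry the load")
    return ceil(count / cards)


@dataclass(frozen=True)
class LinecardEntries:
    """FC-Redirect entries consumed on one line card, broken out by origin."""
    target_to_host: int = 0   # one per (target on this card, zoned host)
    host_to_target: int = 0   # one per (host on this card, zoned target)
    sme: int = 0              # two per (target encrypted by this card, zoned host)
    isl: int = 0              # entries an ISL on this card carries for remote traffic

    @property
    def total(self) -> int:
        return self.target_to_host + self.host_to_target + self.sme + self.isl

    @property
    def within_limit(self) -> bool:
        return self.total <= ENTRY_LIMIT_PER_LINECARD


def sme_linecard(targets_on_card: int, hosts_on_card: int,
                 total_targets: int, total_hosts: int) -> LinecardEntries:
    """Entries on an SME line card that fronts/encrypts `targets_on_card` targets
    and fronts `hosts_on_card` hosts, with any-to-any zoning."""
    return LinecardEntries(
        target_to_host=targets_on_card * total_hosts,
        host_to_target=hosts_on_card * total_targets,
        sme=targets_on_card * total_hosts * 2,
    )


def host_linecard(hosts_on_card: int, total_targets: int,
                  isl_targets: int = 0) -> LinecardEntries:
    """Entries on a non-SME line card that fronts hosts. `isl_targets` is the
    number of targets an ISL on the same card must hold entries for (0 when
    the ISL sits on another card); the dual switch slide uses 60 as the worst case."""
    return LinecardEntries(
        host_to_target=hosts_on_card * total_targets,
        isl=hosts_on_card * isl_targets,
    )


def isl_entries(targets_behind_isl: int, total_hosts: int) -> int:
    """Entries an ISL on the target switch needs for targets zoned to all hosts."""
    return targets_behind_isl * total_hosts


def zones_needed(total_hosts: int) -> int:
    """Zones required so that no target is zoned to more than MAX_HOSTS_PER_TARGET hosts."""
    return ceil(total_hosts / MAX_HOSTS_PER_TARGET)


def single_switch_design(targets: int, hosts: int, sme_cards: int) -> dict:
    """Steady-state load on one SME card in a single switch fabric, plus the
    load after one card fails (assumption: only the SME encryption share is
    redistributed over the survivors; fronted hosts and targets stay put)."""
    t_share = per_card(targets, sme_cards)
    h_share = per_card(hosts, sme_cards)
    steady = sme_linecard(t_share, h_share, targets, hosts)
    failed = LinecardEntries(
        target_to_host=steady.target_to_host,
        host_to_target=steady.host_to_target,
        sme=per_card(targets, sme_cards - 1) * hosts * 2,
    )
    return {"steady": steady, "one_card_failed": failed, "zones": zones_needed(hosts)}


if __name__ == "__main__":
    for t, h, c in ((30, 16, 4), (60, 16, 7), (60, 32, 7)):
        d = single_switch_design(t, h, c)
        print(f"{t} targets / {h} hosts / {c} MSM: steady {d['steady'].total}, "
              f"one failed {d['one_card_failed'].total}, zones {d['zones']}, "
              f"ok={d['steady'].within_limit}")
    print("dual switch SME card:", sme_linecard(5, 0, 30, 16).total,
          "host card with ISL:", host_linecard(8, 30, isl_targets=60).total,
          "target-switch ISL worst case:", isl_entries(60, 16))
```

Run the module directly to print the three single switch cases and the dual switch figures; each number matches the corresponding slide. The `within_limit` check is the one worth automating when a design is changed, since the 1000-entry ceiling is reached quickly once an ISL shares a line card with hosts.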
Q and A
Recommended Reading
Continue your Cisco Live learning experience with further reading from Cisco Press.
Check the Recommended Reading flyer for suggested books.
Available onsite at the Cisco Company Store.
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily. Receive 20 Passport points for each session evaluation you complete. Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008. Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.