Saturday, April 12, 2008

IPSEC

Basic FCIP setup:
(14+2 card)
interface GigabitEthernet9/2
no shutdown
ip address 10.10.10.2 255.255.255.0
fcip profile 1
ip address 10.10.10.2
interface fcip1
no shutdown
no channel-group auto
use-profile 1
peer-info ipaddr 10.10.10.1

On 9216i:
interface fcip1
no shutdown
use-profile 1
peer-info ipaddr 10.10.10.2
fcip profile 1
ip address 10.10.10.1
interface GigabitEthernet1/16 (1/2 in newer code)
ip address 10.10.10.1 255.255.255.0
no shutdown

Zone merge failed

Looked at the active zoneset on vsan 1 in 9509A:
MDS9509-B1# show zoneset active v 1
zoneset name zs1 vsan 1
zone name zone1 vsan 1
attribute qos priority high
pwwn 10:10:10:10:10:10:10:10

zone name test2 vsan 1
interface fc1/3 swwn 20:00:00:05:30:00:24:1e

zone name chip vsan 1
interface fc1/2 swwn 20:00:00:05:30:00:24:1e
interface fc1/5 swwn 20:00:00:05:30:00:24:1e

So the zone1 attribute "qos priority high" was the mismatch: I enabled QoS on the 9216i, did a shut/no shut on fcip1, and the zones merged fine.

---------

Step II: security (IPsec on the FCIP link):

9509B:
MDS9509-B1(config)# crypto ike enable
MDS9509-B1(config)# crypto ike domain ipsec
MDS9509-B1(config-ike-ipsec)# initiator version 1 address 10.0.0.1
MDS9509-B1(config-ike-ipsec)# key cisco address 10.0.0.1
MDS9509-B1(config)# crypto ike domain ipsec
MDS9509-B1(config)# crypto ipsec enable
MDS9509-B1(config)# ip access-list acl1 permit ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
MDS9509-B1(config)# crypto transform-set domain ipsec aes-xcbc esp-aes 128 esp-aes-xcbc-mac
MDS9509-B1(config)# crypto transform-set domain ipsec 3des-md5 esp-3des esp-md5-hmac
MDS9509-B1(config)# crypto map domain ipsec cm1 1
MDS9509-B1(config-(crypto-map-ip))# set peer 10.10.10.1
MDS9509-B1(config-(crypto-map-ip))# match address acl1
MDS9509-B1(config-(crypto-map-ip))# set transform-set aes-xcbc 3des-md5
MDS9509-B1(config-(crypto-map-ip))# exit
MDS9509-B1(config)# interface gigabitethernet 9/2
MDS9509-B1(config-if)# crypto map domain ipsec cm1


Did the same on the 9216i, except with peer 10.10.10.2, and applied the crypto map to interface gig 1/16 (newer SAN-OS code treats the same interface as gige 1/2).
-------------------------------

show commands:
MDS9216i# show crypto sad domain ipsec
interface: GigabitEthernet1/16
Crypto map tag: cm1, local addr. 10.10.10.1
protected network:
local ident (addr/mask): (10.10.10.0/255.255.255.0)
remote ident (addr/mask): (10.10.10.0/255.255.255.0)
current_peer: 10.10.10.2
local crypto endpt.: 10.10.10.1, remote crypto endpt.: 10.10.10.2
mode: tunnel, crypto algo: esp-aes-128-cbc, auth algo: esp-aes-xcbc-mac
current outbound spi: 0x4827c082 (1210564738), index: 16
lifetimes in seconds:: 3600
lifetimes in bytes:: 4718592000
current inbound spi: 0x90c7011 (151810065), index: 16
lifetimes in seconds:: 3600
lifetimes in bytes:: 4718592000

MDS9509-B1# show crypto sad domain ipsec interface gigabitethernet 9/2
interface: GigabitEthernet9/2
Crypto map tag: cm1, local addr. 10.10.10.2
protected network:
local ident (addr/mask): (10.10.10.0/255.255.255.0)
remote ident (addr/mask): (10.10.10.0/255.255.255.0)
current_peer: 10.10.10.1
local crypto endpt.: 10.10.10.2, remote crypto endpt.: 10.10.10.1
mode: tunnel, crypto algo: esp-aes 128, auth algo: esp-aes-xcbc-mac
current outbound spi: 0x90c7011 (151810065), index: 128
lifetimes in seconds:: 3600
lifetimes in bytes:: 4718592000
current inbound spi: 0x4827c082 (1210564738), index: 129
lifetimes in seconds:: 3600
lifetimes in bytes:: 4718592000
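A quick way to confirm that the two "show crypto sad domain ipsec" captures above describe one and the same tunnel is to pair them programmatically: each side's outbound SPI must be the other side's inbound SPI, the endpoints must mirror each other, and the negotiated algorithms must agree. The following is an added example, not from the original notes; the two captures are constructed from the page's output, and parse_sad(), normalize_algo() and check_sa_pair() are hypothetical helpers written for this example. It also handles the one wrinkle visible above: the two code versions print the same cipher as "esp-aes-128-cbc" and "esp-aes 128".

```python
"""Pair the two IPsec SAs from 'show crypto sad domain ipsec' on both FCIP ends.

Added example, not from the original notes. The captures are constructed
from the output on the page; the helpers are hypothetical."""
import re

# Constructed from the page: the 9216i end of the tunnel.
SAD_9216I = """\
interface: GigabitEthernet1/16
Crypto map tag: cm1, local addr. 10.10.10.1
protected network:
local ident (addr/mask): (10.10.10.0/255.255.255.0)
remote ident (addr/mask): (10.10.10.0/255.255.255.0)
current_peer: 10.10.10.2
local crypto endpt.: 10.10.10.1, remote crypto endpt.: 10.10.10.2
mode: tunnel, crypto algo: esp-aes-128-cbc, auth algo: esp-aes-xcbc-mac
current outbound spi: 0x4827c082 (1210564738), index: 16
lifetimes in seconds:: 3600
lifetimes in bytes:: 4718592000
current inbound spi: 0x90c7011 (151810065), index: 16
lifetimes in seconds:: 3600
lifetimes in bytes:: 4718592000
"""

# Constructed from the page: the 9509 end (this code version spells the
# same cipher "esp-aes 128").
SAD_9509 = """\
interface: GigabitEthernet9/2
Crypto map tag: cm1, local addr. 10.10.10.2
protected network:
local ident (addr/mask): (10.10.10.0/255.255.255.0)
remote ident (addr/mask): (10.10.10.0/255.255.255.0)
current_peer: 10.10.10.1
local crypto endpt.: 10.10.10.2, remote crypto endpt.: 10.10.10.1
mode: tunnel, crypto algo: esp-aes 128, auth algo: esp-aes-xcbc-mac
current outbound spi: 0x90c7011 (151810065), index: 128
lifetimes in seconds:: 3600
lifetimes in bytes:: 4718592000
current inbound spi: 0x4827c082 (1210564738), index: 129
lifetimes in seconds:: 3600
lifetimes in bytes:: 4718592000
"""


def _grab(pattern, text):
    """Return the groups of the first match, or fail loudly if the field is missing."""
    m = re.search(pattern, text)
    if not m:
        raise ValueError("field not found: " + pattern)
    return m.groups()


def parse_sad(text):
    """Pull endpoints, algorithms, SPIs and lifetimes out of one capture."""
    local, remote = _grab(r"local crypto endpt\.: ([\d.]+), remote crypto endpt\.: ([\d.]+)", text)
    crypto, auth = _grab(r"crypto algo: (.+?), auth algo: (\S+)", text)
    (out_spi,) = _grab(r"current outbound spi: (0x[0-9a-fA-F]+)", text)
    (in_spi,) = _grab(r"current inbound spi: (0x[0-9a-fA-F]+)", text)
    lifetimes = re.findall(r"lifetimes in seconds:: (\d+)", text)
    return {
        "local": local,
        "remote": remote,
        "crypto": crypto.strip(),
        "auth": auth,
        "out_spi": int(out_spi, 16),
        "in_spi": int(in_spi, 16),
        "lifetimes": [int(x) for x in lifetimes],
    }


def normalize_algo(name):
    """Fold 'esp-aes-128-cbc' and 'esp-aes 128' (two spellings of one cipher) together."""
    name = name.lower().replace(" ", "-")
    if name.endswith("-cbc"):
        name = name[:-4]
    return name


def check_sa_pair(a, b):
    """Return finding tags for a pair of SAs; an empty list means the two ends agree."""
    findings = []
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        findings.append("endpoints-not-mirrored")
    # The SPI one side sends with must be the SPI the peer expects inbound.
    if a["out_spi"] != b["in_spi"] or a["in_spi"] != b["out_spi"]:
        findings.append("spi-not-paired")
    if normalize_algo(a["crypto"]) != normalize_algo(b["crypto"]) or a["auth"] != b["auth"]:
        findings.append("algorithms-differ")
    if set(a["lifetimes"]) != set(b["lifetimes"]):
        findings.append("lifetimes-differ")
    return findings


if __name__ == "__main__":
    print(check_sa_pair(parse_sad(SAD_9216I), parse_sad(SAD_9509)) or "SA pair consistent")
```

Run it on fresh captures from both switches after a rekey or an interface flap: an SPI that is outbound on one side and missing inbound on the other means the two switches are no longer holding the same SA, which is exactly the state a stale crypto map or a half-applied reconfiguration leaves behind.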
---------
MDS9216i(config-ike-ipsec)# key cisco address ?
Peer IP address

MDS9216i(config-ike-ipsec)# key cisco address 10.10.10.2
MDS9216i(config-ike-ipsec)# policy 10
MDS9216i(config-ike-ipsec-policy)# exit
-------
MDS9509-B1(config)# crypto ike domain ipsec
MDS9509-B1(config-ike-ipsec)# key cisco address 10.10.10.1
MDS9509-B1(config-ike-ipsec)# policy 10
MDS9509-B1(config-ike-ipsec-policy)# exit
MDS9216i# show crypto ike domain ipsec initiator
initiator address 10.10.10.2 mode 0
MDS9509-B1# show crypto ike domain ipsec initiator
initiator version 1 address 10.0.0.1
initiator version 1 address 10.10.10.1
MDS9216i# show crypto ike domain ipsec sa
Tunn Local Addr Remote Addr Encr Hash Auth Method Lifetime
-------------------------------------------------------------------------------
41 10.10.10.1[500] 10.10.10.2[500] 3des sha preshared key 3600
Tunn Local Addr Remote Addr Encr Hash Auth Method Lifetime
-------------------------------------------------------------------------------
9 10.10.10.2[500] 10.10.10.1[500] 3des sha1 preshared key 3600
MDS9509-B1#
MDS9509-B1# crypto ike domain ipsec rekey sa 9
CMI request failed (Rekeying not supported for an IKEv1 tunnel)

MDS9216i# crypto ike domain ipsec rekey sa 41
CMI request failed (not supported)
----------

Compression / write acceleration (WA) / tape acceleration (TA)
MDS9509-B1(config)# interface fcip 1
MDS9509-B1(config-if)# write-accelerator
MDS9509-B1(config-if)# write-accelerator tape-accelerator
MDS9509-B1(config-if)# ip-compression ?
mode1 Fast compression for high bandwidth links
mode2 Moderate compression for medium bandwidth links
mode3 High compression for low bandwidth links
MDS9509-B1(config-if)# ip-compression mode1
MDS9509-B1(config-if)# shut
MDS9509-B1(config-if)# no shut
MDS9509-B1(config-if)# exit
MDS9509-B1# show int fcip1
fcip1 is down (Link failure or not-connected)
Write acceleration mode is on
Tape acceleration mode is on
Tape Accelerator flow control buffer size is automatic
IP Compression is enabled and set for mode1

And on the other switch:
show interface fcip1
fcip1 is down (Link failure or not-connected)
Hardware is GigabitEthernet
Port WWN is 20:14:00:0d:ec:0c:a9:00
Admin port mode is auto, trunk mode is on
-----------

So I disabled write acceleration, tape acceleration and IP compression:

MDS9509-B1# show interface fcip1
fcip1 is trunking
Hardware is GigabitEthernet
Port WWN is 22:15:00:05:30:00:24:5e
Peer port WWN is 20:14:00:0d:ec:0c:a9:00
Admin port mode is auto, trunk mode is on
Port mode is TE
vsan is 1
Trunk vsans (allowed active) (1,20,100-102,105,200,500)
Trunk vsans (operational) (1)
Trunk vsans (up) ()
Trunk vsans (isolated) (20,100-102,105,200,500)
Trunk vsans (initializing) (1)
Using Profile id 1 (interface GigabitEthernet9/2)
Peer Information
Peer Internet address is 10.10.10.1 and port is 3225
FCIP tunnel is protected by IPSec
----------------
On the 9216i:
vsan is 1
Using Profile id 1 (interface GigabitEthernet1/16)
Peer Information
Peer Internet address is 10.10.10.2 and port is 3225
Write acceleration mode is on
Tape acceleration mode is on
Tape Accelerator flow control buffer is 256 KBytes
IP Compression is enabled and set for higher through put
IP Compression is enabled and set for higher compression ratio
The 9216i, on an older version of code, does not have mode1/mode2:
MDS9216i(config-if)# ip-compression ?
high-comp-ratio Higher ratio slower compression
high-throughput Lower ratio faster compression
------
Upgrading both switches to the same version.
--

After the upgrade the 9216i gige interface became GigabitEthernet 1/2 instead of gig 1/16. Even though 10.10.10.1 was not in the running config, when I tried to give gig 1/2 the address 10.10.10.1 it failed, saying that the config was already given.

So I did a write erase and recopied the config to the running config, then copy r s.

Then I applied the crypto map and the IP address to gig 1/2.

------
interface GigabitEthernet1/2
no shutdown
ip address 10.10.10.1 255.255.255.0
crypto map domain ipsec cm1

-----


MDS9216i# show int fcip 1
fcip1 is trunking
Hardware is GigabitEthernet
Port WWN is 20:14:00:0d:ec:0c:a9:00
Peer port WWN is 22:15:00:05:30:00:24:5e
Admin port mode is auto, trunk mode is on
Port mode is TE
vsan is 1
Trunk vsans (allowed active) (1)
Trunk vsans (operational) (1)
Trunk vsans (up) (1)
Trunk vsans (isolated) ()
Trunk vsans (initializing) ()
Using Profile id 1 (interface GigabitEthernet1/2)
Peer Information
Peer Internet address is 10.10.10.2 and port is 3225
FCIP tunnel is protected by IPSec
Write acceleration mode is off
Tape acceleration mode is off
Tape Accelerator flow control buffer size is automatic
IP Compression is disabled
Special Frame is disabled
Maximum number of TCP connections is 2
kickstart: version 2.0(1) [build 2.0(0.200)]
system: version 2.0(1) [build 2.0(0.200)]
----

MDS9509-B1# show int fcip 1
fcip1 is trunking
Hardware is GigabitEthernet
Port WWN is 22:15:00:05:30:00:24:5e
Peer port WWN is 20:14:00:0d:ec:0c:a9:00
Admin port mode is auto, trunk mode is on
Port mode is TE
vsan is 1
Trunk vsans (allowed active) (1,20,100-102,105,200,500)
Trunk vsans (operational) (1)
Trunk vsans (up) (1)
Trunk vsans (isolated) (20,100-102,105,200,500)
Trunk vsans (initializing) ()
Using Profile id 1 (interface GigabitEthernet9/2)
Peer Information
Peer Internet address is 10.10.10.1 and port is 3225
FCIP tunnel is protected by IPSec
Write acceleration mode is off
Tape acceleration mode is off
Tape Accelerator flow control buffer size is automatic
IP Compression is disabled
Special Frame is disabled
Maximum number of TCP connections is 2
------------

Note the line "FCIP tunnel is protected by IPSec" on both ends.

-----

MDS9509-B1(config)# interface fcip 1
MDS9509-B1(config-if)# ip-compression mode1
MDS9216i# show int fcip 1
fcip1 is trunking
Hardware is GigabitEthernet
Port WWN is 20:14:00:0d:ec:0c:a9:00
Peer port WWN is 22:15:00:05:30:00:24:5e
Admin port mode is auto, trunk mode is on
Port mode is TE
vsan is 1
Trunk vsans (allowed active) (1)
Trunk vsans (operational) (1)
Trunk vsans (up) ()
Trunk vsans (isolated) ()
Trunk vsans (initializing) (1)
Using Profile id 1 (interface GigabitEthernet1/2)
Peer Information
Peer Internet address is 10.10.10.2 and port is 3225
FCIP tunnel is protected by IPSec
Write acceleration mode is off
Tape acceleration mode is off
Tape Accelerator flow control buffer size is automatic
IP Compression is enabled and set for mode1
MDS9509-B1# show interface fcip 1
fcip1 is trunking
Hardware is GigabitEthernet
Port WWN is 22:15:00:05:30:00:24:5e
Peer port WWN is 20:14:00:0d:ec:0c:a9:00
Admin port mode is auto, trunk mode is on
Port mode is TE
vsan is 1
Trunk vsans (allowed active) (1,20,100-102,105,200,500)
Trunk vsans (operational) (1)
Trunk vsans (up) (1)
Trunk vsans (isolated) (20,100-102,105,200,500)
Trunk vsans (initializing) ()
Using Profile id 1 (interface GigabitEthernet9/2)
Peer Information
Peer Internet address is 10.10.10.1 and port is 3225
FCIP tunnel is protected by IPSec
Write acceleration mode is off
Tape acceleration mode is off
Tape Accelerator flow control buffer size is automatic
IP Compression is enabled and set for mode1
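The two "show int fcip 1" captures above are the state you want: trunking, protected by IPsec, and the same compression, WA and TA settings on both ends. Earlier in these notes the tunnel was down while one side had mode1 and the other the older "higher through put" setting, so a mismatch check is worth automating. The following is an added example, not from the original notes; the captures are constructed from the page's output, and parse_fcip() and compare_ends() are hypothetical helpers for this example.

```python
"""Compare both ends of an FCIP tunnel from 'show interface fcip' output.

Added example, not from the original notes. The captures are constructed
from the page; the helpers are hypothetical."""
import re

# Constructed from the page: 9216i after ip-compression mode1 on both sides.
FCIP_9216I = """\
fcip1 is trunking
Hardware is GigabitEthernet
Port WWN is 20:14:00:0d:ec:0c:a9:00
Peer port WWN is 22:15:00:05:30:00:24:5e
Admin port mode is auto, trunk mode is on
Port mode is TE
vsan is 1
Trunk vsans (allowed active) (1)
Trunk vsans (operational) (1)
Trunk vsans (up) ()
Trunk vsans (isolated) ()
Trunk vsans (initializing) (1)
Using Profile id 1 (interface GigabitEthernet1/2)
Peer Information
Peer Internet address is 10.10.10.2 and port is 3225
FCIP tunnel is protected by IPSec
Write acceleration mode is off
Tape acceleration mode is off
Tape Accelerator flow control buffer size is automatic
IP Compression is enabled and set for mode1
"""

# Constructed from the page: the 9509 end of the same tunnel.
FCIP_9509 = """\
fcip1 is trunking
Hardware is GigabitEthernet
Port WWN is 22:15:00:05:30:00:24:5e
Peer port WWN is 20:14:00:0d:ec:0c:a9:00
Admin port mode is auto, trunk mode is on
Port mode is TE
vsan is 1
Trunk vsans (allowed active) (1,20,100-102,105,200,500)
Trunk vsans (operational) (1)
Trunk vsans (up) (1)
Trunk vsans (isolated) (20,100-102,105,200,500)
Trunk vsans (initializing) ()
Using Profile id 1 (interface GigabitEthernet9/2)
Peer Information
Peer Internet address is 10.10.10.1 and port is 3225
FCIP tunnel is protected by IPSec
Write acceleration mode is off
Tape acceleration mode is off
Tape Accelerator flow control buffer size is automatic
IP Compression is enabled and set for mode1
"""


def _first(pattern, text):
    """First capture group of a multi-line search, or None when the line is absent."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None


def parse_fcip(text):
    """Extract tunnel state, IPsec protection and the WA/TA/compression settings."""
    first = text.splitlines()[0]
    on_off = lambda label: _first(label + r" is (on|off)$", text)
    comp = re.search(r"^IP Compression is (disabled|enabled and set for (.+))$", text, re.M)
    return {
        "trunking": first.endswith(" is trunking"),
        "ipsec": "FCIP tunnel is protected by IPSec" in text,
        "wwn": _first(r"^Port WWN is (\S+)$", text),
        "peer_wwn": _first(r"^Peer port WWN is (\S+)$", text),
        "write_accel": on_off("Write acceleration mode"),
        "tape_accel": on_off("Tape acceleration mode"),
        # None when disabled or absent; otherwise the mode string as printed.
        "compression": None if comp is None or comp.group(2) is None else comp.group(2).strip(),
        "isolated_vsans": _first(r"^Trunk vsans \(isolated\) \(([^)]*)\)$", text) or "",
    }


def compare_ends(a, b):
    """Return human-readable findings; an empty list means both ends agree."""
    findings = []
    for name, end in (("A", a), ("B", b)):
        if not end["trunking"]:
            findings.append(f"{name}: tunnel is not trunking")
        if not end["ipsec"]:
            findings.append(f"{name}: FCIP tunnel is not protected by IPsec")
    if a["wwn"] != b["peer_wwn"] or b["wwn"] != a["peer_wwn"]:
        findings.append("peer WWNs do not mirror each other")
    for key in ("write_accel", "tape_accel", "compression"):
        if a[key] != b[key]:
            findings.append(f"{key} mismatch: {a[key]!r} vs {b[key]!r}")
    return findings


if __name__ == "__main__":
    print(compare_ends(parse_fcip(FCIP_9216I), parse_fcip(FCIP_9509)) or "both ends agree")
```

The isolated VSAN list is parsed but not compared, since on this page it legitimately differs (the 9509 allows VSANs the 9216i does not carry); it is there so a report can show why only VSAN 1 is up.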

----------------------

Final config, FCIP with IPsec and compression on:
9216i:
ip access-list acl1 permit ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
fcip enable
crypto ike enable
crypto ike domain ipsec
policy 10
key cisco address 10.10.10.2
fcip profile 1
ip address 10.10.10.1

crypto ipsec enable
crypto transform-set domain ipsec 3des-md5 esp-3des esp-md5-hmac
crypto transform-set domain ipsec aes-xcbc esp-aes 128 esp-aes-xcbc-mac

crypto map domain ipsec cm1 1
set peer 10.10.10.2
match address acl1
set transform-set aes-xcbc 3des-md5

interface fcip1
no shutdown
use-profile 1
peer-info ipaddr 10.10.10.2
ip-compression 1
interface GigabitEthernet1/2
no shutdown
ip address 10.10.10.1 255.255.255.0
crypto map domain ipsec cm1

------------

9509A:
ip access-list acl1 permit ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
fcip enable
crypto ike enable
crypto ike domain ipsec
policy 1
policy 10
key cisco address 10.0.0.1
key cisco address 10.10.10.1
initiator version 1 address 10.0.0.1
initiator version 1 address 10.10.10.1
fcip profile 1
ip address 10.10.10.2

crypto ipsec enable
crypto transform-set domain ipsec 3des-md5 esp-3des esp-md5-hmac
crypto transform-set domain ipsec aes-xcbc esp-aes 128 esp-aes-xcbc-mac

crypto map domain ipsec cm1 1
set peer 10.10.10.1
match address acl1
set transform-set aes-xcbc 3des-md5

interface fcip1
no shutdown
no channel-group auto
use-profile 1
peer-info ipaddr 10.10.10.1
ip-compression 1


interface GigabitEthernet9/2
no shutdown
ip address 10.10.10.2 255.255.255.0
crypto map domain ipsec cm1
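The 9509A config above still carries the key and initiator entries for 10.0.0.1 from the first attempt, and the crypto map offers the 3des-md5 transform set alongside aes-xcbc. Both are easy to miss by eye, so here is an audit pass over the running config. This is an added example, not from the original notes; CONFIG_9509A is the page's 9509A config, audit_config() and the WEAK_TOKENS list are this example's own, and the 16-character pre-shared key floor is an assumed policy value.

```python
"""Audit an MDS FCIP/IPsec config for stale IKE peers and weak transform sets.

Added example, not from the original notes. CONFIG_9509A is the page's own
9509A config; the audit helper, the weak-token list and the key-length floor
are this example's assumptions."""
import re

CONFIG_9509A = """\
ip access-list acl1 permit ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
fcip enable
crypto ike enable
crypto ike domain ipsec
policy 1
policy 10
key cisco address 10.0.0.1
key cisco address 10.10.10.1
initiator version 1 address 10.0.0.1
initiator version 1 address 10.10.10.1
fcip profile 1
ip address 10.10.10.2

crypto ipsec enable
crypto transform-set domain ipsec 3des-md5 esp-3des esp-md5-hmac
crypto transform-set domain ipsec aes-xcbc esp-aes 128 esp-aes-xcbc-mac

crypto map domain ipsec cm1 1
set peer 10.10.10.1
match address acl1
set transform-set aes-xcbc 3des-md5

interface fcip1
no shutdown
no channel-group auto
use-profile 1
peer-info ipaddr 10.10.10.1
ip-compression 1

interface GigabitEthernet9/2
no shutdown
ip address 10.10.10.2 255.255.255.0
crypto map domain ipsec cm1
"""

WEAK_TOKENS = {"des", "3des", "md5"}   # assumed: algorithm tokens not to offer
MIN_KEY_LEN = 16                        # assumed policy floor for pre-shared keys


def audit_config(text):
    """Return a list of (kind, detail) findings for one switch's config."""
    findings = []
    transform_sets = {
        name: algos.strip()
        for name, algos in re.findall(r"^crypto transform-set domain ipsec (\S+) (.+)$", text, re.M)
    }
    peers = set(re.findall(r"^set peer ([\d.]+)$", text, re.M))

    # Every transform set the crypto map offers is one the peer may select,
    # so a weak set in the list weakens the tunnel even if it is listed last.
    for offered in re.findall(r"^set transform-set (.+)$", text, re.M):
        for name in offered.split():
            algos = transform_sets.get(name, "")
            tokens = set(re.split(r"[\s-]+", algos.lower()))
            if tokens & WEAK_TOKENS:
                findings.append(("weak-transform-set", f"{name}: {algos}"))

    # IKE keys or initiator entries for addresses that are not a crypto-map
    # peer are leftovers (here, the earlier attempt with 10.0.0.1).
    for _key, addr in re.findall(r"^key (\S+) address ([\d.]+)$", text, re.M):
        if addr not in peers:
            findings.append(("stale-ike-peer", f"key configured for {addr}"))
    for addr in re.findall(r"^initiator version \d+ address ([\d.]+)$", text, re.M):
        if addr not in peers:
            findings.append(("stale-ike-peer", f"initiator configured for {addr}"))

    for key in set(re.findall(r"^key (\S+) address", text, re.M)):
        if len(key) < MIN_KEY_LEN:
            findings.append(("short-psk", f"{key!r} is {len(key)} chars, floor is {MIN_KEY_LEN}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_config(CONFIG_9509A):
        print(f"{kind}: {detail}")
```

Run it against "show running-config" from each switch after a change like the write erase / recopy described above, which is exactly when old IKE entries tend to survive unnoticed.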


==================================