
Cisco MDS 9000 Intelligent Fabric Applications

Cisco Storage Media Encryption Design Guide for Release 3.2(3)

Audience

This guide is for sales engineers and storage administrators who want to understand the Cisco® Storage Media Encryption (SME) service. Basic knowledge of Cisco MDS 9000 family Fibre Channel concepts and storage area networks (SANs), including tape backup environments, is expected. Familiarity with the Fibre Channel redirect (FC-redirect) feature of the Cisco MDS 9000 SAN-OS Software is desirable.
This design guide provides details about Cisco SME data flow, supported topologies, and best practices for Cisco SME deployment in a tape backup environment.

Cisco Storage Media Encryption Overview

Encryption of storage media in the data center has become a critical issue. Numerous high-profile incidents of lost or stolen tape and disk devices have underscored the risk and exposure companies face when sensitive information falls into the wrong hands. Regulatory requirements arising from Sarbanes-Oxley, Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI-DSS), and other laws have made encryption a top priority.
To meet these requirements, Cisco has introduced the Cisco SME solution. Cisco SME is a comprehensive network-integrated encryption service with enterprise-class key management that works transparently with existing and new SANs. Figure 1 shows a high-level view of a SAN with Cisco SME service deployed.

Figure 1. Cisco Storage Media Encryption

Cisco SME is a secure, integrated solution that delivers encryption as a SAN service (Figure 2). It provides intuitive provisioning, support for heterogeneous SAN devices, comprehensive key management, and role-based access control (RBAC). Using the clustering infrastructure, Cisco SME provides scalability, high availability, and load balancing.

Figure 2. Cisco SME: Secure, Integrated Solution

The Cisco SME solution provides numerous advantages over competitive solutions:

• Cisco SME installation and provisioning are simple and nondisruptive. Unlike other solutions, Cisco SME does not require rewiring or SAN reconfiguration.

• Encryption engines are integrated on the Cisco MDS 9000 18/4-Port Multiservice Module (18/4 MSM) and the Cisco MDS 9222i Multiservice Modular Switch, eliminating the need to purchase and manage additional switch ports, cables, and appliances.

• Traffic from any virtual SAN (VSAN) can be encrypted using Cisco SME, enabling flexible, automated load balancing through network traffic management across multiple SANs.

• No additional software is required for provisioning, key management, or user role management; Cisco SME is integrated into Cisco Fabric Manager, which reduces operating expenses.

Cisco SME Terminology

The following Cisco SME terms are used in this document:

• Cisco SME interface: The security engine in the Cisco SME line card or fixed slot of a Cisco MDS 9222i fabric switch; each Cisco SME line card and MDS 9222i switch has one security engine

• Cisco SME cluster: A network of MDS switches that are configured to provide the Cisco SME function; each switch includes one or more Cisco SME line cards, each module includes a security engine, and the switches in the cluster use IP connectivity through the management interface for communication

• Cisco SME cluster node: The MDS switch that is part of a Cisco SME cluster

• Fabric: A physical fabric topology in the SAN as seen by Cisco Fabric Manager; there can be multiple virtual SANs (VSANs; logical fabrics) within the physical fabric

• Tape group: A backup environment in the SAN; it consists of all the tape backup servers and the tape libraries that the servers access

• Tape device: A tape drive that is configured for encryption

• Tape volume: A physical tape cartridge identified by a bar code for a given use

• Tape volume group: A logical grouping of tape volumes that are configured for a specific use: for example, a group of tape volumes used to back up a database

• Cisco Key Management Center (KMC): A component of Cisco Fabric Manager Server (FMS) that stores the encryption keys (for details, refer to the Cisco Storage Encryption Media Key Management white paper)

• Cisco SME key hierarchy: The keys included in the Cisco SME key management system: master key, tape volume group keys, and tape volume keys; every backup tape has an associated tape volume key, tape volume group key, and master key (for more information about Cisco SME keys, refer to the Cisco Storage Encryption Media Configuration Guide)

– Master key: This encryption key is generated when a Cisco SME cluster is created. There is a unique master key for each cluster, and it is shared across all members of the cluster. The master key is used to wrap the tape volume group keys.

– Tape volume group key: This encryption key is used to encrypt and authenticate the tape volume keys: the keys that encrypt all tapes belonging to the same tape volume group. A tape volume group can be created on the basis of a bar code range for a set of backup tapes, or it can be associated with a specific backup application.

– Tape volume key: This key is used to encrypt and authenticate the data on the tapes. In unique key mode, the tape volume keys are unique for each physical tape. In shared key mode, one tape volume key is used to encrypt all volumes in a volume group.

• Smart card: A card (approximately the size of a credit card) with a built-in microprocessor and memory used for authentication; it is used to store the master key recovery shares for Cisco SME recovery officers

• Cisco SME administrator: A network administrator who configures Cisco SME

• Cisco SME recovery officer: A data security officer entrusted with smart cards and the associated personal identification numbers (PINs); each smart card stores a share of the master key of the cluster. Recovery officers must present their cards and PINs to recover the key database of an archived cluster. A quorum of recovery officers is required to execute this operation

• FC-redirect: Capability in Cisco MDS 9000 SAN-OS Software that enables traffic from any switch port to be encrypted without SAN reconfiguration or rewiring

• Cisco SME line card: A module capable of providing Cisco SME services: the Cisco MDS 9000 18/4 MSM module or the integrated supervisor module on the Cisco MDS 9222i switch; for simplicity, this document uses "Cisco SME line card"
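
As an added illustration, not code from this guide or from Cisco, the following Python models the three-tier hierarchy listed above: a per-cluster master key wraps the tape volume group keys, each group key wraps and authenticates the tape volume keys, and a volume key encrypts and authenticates the data on a tape, in either unique or shared key mode. The guide does not name the wrap or cipher algorithms, so `seal`/`open_sealed`, the `SmeKeyHierarchy` class and the group and bar code names are assumptions; the primitive is an encrypt-then-MAC construction from the standard library, used only to make the wrapping relationships concrete. The smart card recovery shares of the master key are not modelled.

```python
import hashlib
import hmac
import os

# ASSUMPTION: the guide does not specify Cisco SME's wrap or cipher algorithm.
# seal()/open_sealed() are a stand-in: HMAC-SHA256 keystream for confidentiality,
# HMAC-SHA256 tag (encrypt-then-MAC) for the "authenticate" part of each tier.


def _subkeys(key):
    """Derive distinct encryption and MAC keys so the two roles never share a key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Encrypt and authenticate plaintext under key; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key, blob):
    """Check the tag first, then decrypt; a wrong key or an altered blob raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified data")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class SmeKeyHierarchy:
    """One cluster's key material; everything below the master key is held only in wrapped form."""

    def __init__(self):
        self.master_key = os.urandom(32)  # generated once, when the cluster is created
        self.wrapped_group_keys = {}      # group name -> group key sealed under the master key
        self.wrapped_volume_keys = {}     # (group, bar code) -> volume key sealed under the group key
        self.key_mode = {}                # group name -> "unique" or "shared"

    def create_volume_group(self, group, mode="unique"):
        if mode not in ("unique", "shared"):
            raise ValueError("mode must be 'unique' or 'shared'")
        group_key = os.urandom(32)
        self.wrapped_group_keys[group] = seal(self.master_key, group_key)
        self.key_mode[group] = mode
        if mode == "shared":
            # shared key mode: a single volume key covers every tape in the group
            self.wrapped_volume_keys[(group, "*")] = seal(group_key, os.urandom(32))

    def volume_key(self, group, bar_code):
        """Unwrap master -> group -> volume to recover the key for one physical tape."""
        group_key = open_sealed(self.master_key, self.wrapped_group_keys[group])
        if self.key_mode[group] == "shared":
            return open_sealed(group_key, self.wrapped_volume_keys[(group, "*")])
        if (group, bar_code) not in self.wrapped_volume_keys:
            # unique key mode: each physical tape gets its own key on first use
            self.wrapped_volume_keys[(group, bar_code)] = seal(group_key, os.urandom(32))
        return open_sealed(group_key, self.wrapped_volume_keys[(group, bar_code)])

    def write_tape(self, group, bar_code, data):
        return seal(self.volume_key(group, bar_code), data)

    def read_tape(self, group, bar_code, blob):
        return open_sealed(self.volume_key(group, bar_code), blob)


def try_read(cluster, group, bar_code, blob):
    """Return the tape data, or None when the tag check fails (wrong key or altered blob)."""
    try:
        return cluster.read_tape(group, bar_code, blob)
    except ValueError:
        return None


def demo():
    """Constructed walk-through: unique vs shared key mode, wrong-key rejection, tamper detection."""
    cluster = SmeKeyHierarchy()
    cluster.create_volume_group("db-backups", "unique")    # constructed group names
    cluster.create_volume_group("file-backups", "shared")
    data = b"constructed backup payload"
    blob = cluster.write_tape("db-backups", "DB0001", data)
    tampered = blob[:16] + bytes([blob[16] ^ 0x01]) + blob[17:]  # flip one ciphertext bit
    return {
        "roundtrip": try_read(cluster, "db-backups", "DB0001", blob) == data,
        "unique_keys_differ": cluster.volume_key("db-backups", "DB0001") != cluster.volume_key("db-backups", "DB0002"),
        "shared_keys_match": cluster.volume_key("file-backups", "FB0001") == cluster.volume_key("file-backups", "FB0002"),
        "wrong_tape_key_rejected": try_read(cluster, "db-backups", "DB0002", blob) is None,
        "tamper_detected": try_read(cluster, "db-backups", "DB0001", tampered) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that losing a tape exposes only ciphertext under that tape's volume key, while losing the wrapped key store without the master key exposes nothing; conversely, shared key mode means one recovered volume key reads every tape in the group, which is the trade-off the two modes represent.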

Cisco SME Requirements

Software Requirements

All Cisco MDS switches in the Cisco SME cluster must be running the current release of Cisco Fabric Manager and Cisco MDS 9000 SAN-OS Software:

• Cisco FMS must be running Cisco Fabric Manager 3.2.3 or higher.

• Cisco MDS 9000 family switches attached to tape devices must be running Cisco MDS 9000 SAN-OS Software Release 3.2.3 or higher.

• All switches that include Cisco MDS 9000 18/4 MSM modules must be running Cisco MDS 9000 SAN-OS Software Release 3.2.3 or higher.

• All FC-redirect-capable switches must be running Cisco MDS 9000 SAN-OS Software Release 3.2.3 or higher.

Hardware Requirements

Security Engine Capabilities

Cisco SME requires at least one encryption service engine in each cluster. The Cisco SME engines provide the transparent encryption and compression services to the hosts and storage devices. The following hardware supports Cisco SME:

• Cisco MDS 9000 18/4-Port Multiservice Module (Cisco MDS 9000 18/4 MSM)

• Integrated supervisor module on the Cisco MDS 9222i Multiservice Modular Switch

FC-Redirect-Capable Switches

Cisco SME requires that each target switch be FC-redirect capable. FC-redirect is supported on the following Cisco switches:

• Cisco MDS 9500 Series

• Cisco MDS 9222i, 9216i and 9216A Multilayer Fabric Switches

• Cisco MDS 9120 20-Port Multilayer Fabric Switch

• Cisco MDS 9140 40-Port Multilayer Fabric Switch

Cisco FMS and Cisco KMC Workstation Requirements

A separate dedicated workstation with the following configuration should be used for Cisco FMS and Cisco KMC for Cisco SME purposes:

• CPU: 2 GHz or more

• Memory: 2 GB or more

• Disk space: 20 GB or more

Smart Card Readers

To employ standard and advanced security levels, Cisco SME requires the following:

• Smart card reader for Cisco SME (DS-SCR-K9)

• Smart card for Cisco SME (DS-SC-K9)

The smart card reader is a USB device that is connected to a management workstation (Microsoft Windows platforms only). The Cisco SME Web client on the management workstation is used to configure the Cisco SME cluster (Figure 3).
The smart card reader requires the smart card drivers that are included on the installation CD. These must be installed on the management workstation where the reader is attached.
The smart card reader is required only for initial configuration (and future recovery scenarios). It is not required for normal Cisco SME operation.

Figure 3. Smart Card Reader

License Requirements

Cisco SME requires a license for each Cisco MDS 9000 18/4 MSM module and MDS 9222i switch with a security engine used for Cisco SME. License packages are summarized in Table 1.

Table 1. Cisco SME License Packages

Part Number  | Description                                          | Applicable Product
M9500SME1MK9 | Cisco SME package for Cisco MDS 9000 18/4 MSM module | Cisco MDS 9500 Series with MSM
M9200SME1MK9 | Cisco SME package for Cisco MDS 9000 18/4 MSM module | Cisco MDS 9200 Series with MSM
M9200SME1FK9 | Cisco SME package for fixed slot                     | Cisco MDS 9222i switch only

Note: A separate license for Cisco FMS is not required if a Cisco SME license is installed.

Topology Requirements

Cisco SME supports a single-fabric topology. In a fabric, one or more (up to a maximum of four) Cisco SME capable switches form a cluster. Each fabric can have only one cluster.
Cisco SME is fully supported in a fabric consisting of Cisco switches only. In future releases, Cisco SME may be supported in some fabrics consisting of both Cisco and other vendors' switches.
A Cisco SME cluster can span multiple VSANs in a fabric. In Figure 4, traffic in multiple VSANs is encrypted by the same Cisco SME cluster.

Figure 4. Cisco SME Cluster Spanning Multiple VSANs

For more guidelines on the topology design, refer to "Network Topologies" later in this document.

Zoning Requirements

Cisco SME supports only port world wide name (pWWN)-based zoning for initiators and targets. This support will be enhanced in a future release.
Internal virtual N-ports are created by Cisco SME in the default zone. The default zone must be set to Deny, and these virtual N-ports must not be zoned with any other host or target.

FC-Redirect Requirements

• The Cisco MDS 9000 family switch with a Cisco SME line card must be running Cisco MDS 9000 SAN-OS Software Release 3.2.3 or higher.

• The target must be connected to a Cisco MDS 9500 Series, 9222i, 9216i, or 9216A switch running Cisco MDS 9000 SAN-OS Software Release 3.2.3.

• FC-redirect supports 32 targets per switch. This support will be enhanced in a future release.

• Each FC-redirected target can be zoned with a maximum of 16 hosts. This support will be enhanced in a future release.

• Cisco Fabric Services must not be disabled on any of the switches required for FC-redirect.

• Servers and tape devices using Cisco SME cannot be part of an inter-VSAN routing (IVR) zone set.

• Cisco SME must not be used in conjunction with SAN device virtualization (SDV), Cisco Data Mobility Manager (DMM), or IVR.

Configuration Requirements

• On a Cisco SME line card, either Internet Small Computer System Interface (iSCSI) or Cisco SME can be configured. iSCSI and Cisco SME cannot both be configured on the same Cisco SME line card.

• IVR cannot be enabled on the Cisco SME enabled switches. Further, hosts and target devices using Cisco SME cannot be part of an IVR zone set.

• Fibre Channel over IP (FCIP) write acceleration and FCIP tape acceleration must not be configured on the Cisco SME data flow (that is, Cisco SME traffic between the host and the target must not pass through FCIP tunnels with FCIP write acceleration or FCIP tape acceleration enabled).

• FCIP and IPsec are not supported on modules running Cisco SME.

Cisco SME Data Flow

Single Cisco SME Switch

Figure 5 shows a single-fabric topology with a Cisco SME line card on one switch. In this case, the data from server H2 is compressed and encrypted by Cisco SME. Data from server H1 is not processed by Cisco SME.

Figure 5. Cisco SME Data Flow: Single Cisco SME Switch

Cisco employs an FC-redirect scheme that automatically redirects the traffic flow for the desired initiator-target nexus (I-T nexus) pair to an appropriate Cisco SME line card in the fabric. There is no appliance inline in the data path, and there is no SAN rewiring or reconfiguration. Encryption and compression services are transparent to the hosts and storage devices. These services are available for devices in any VSAN in a physical fabric and can be used without rezoning.

Cisco SME Clustering

Cluster technology provides scalability, reliability, and availability; automated load balancing; failover capabilities; and a single point of management.
A Cisco SME cluster consists of all Cisco SME enabled switches in a fabric (Figure 6). Scalability can be easily achieved by adding more Cisco SME line cards in the fabric. A Cisco SME cluster can consist of up to four Cisco SME enabled switches. Each Cisco SME enabled switch can have multiple Cisco SME line cards. Each switch can be part of only one cluster (consequently, each Cisco SME interface can be part of only one cluster).
With multiple Cisco SME line cards in a Cisco SME cluster, the traffic is automatically load balanced across these modules. If a Cisco SME line card or a Cisco MDS 9000 family switch fails, the traffic automatically fails over to another Cisco SME line card in the cluster.
The entire Cisco SME cluster can be managed through a single point using Cisco Fabric Manager.

Figure 6. Cisco SME Clustering

Cisco SME cluster infrastructure uses the management interface to communicate with other switches in the cluster. A cluster view is defined as the set of switches that are part of the operational cluster. Only switches that are part of a cluster view participate in the Cisco SME operations. This requires a quorum of switches to be present. Refer to the Cisco Storage Encryption Media Configuration Guide for details.

Cisco SME Data Flow in a Cluster

After a Cisco SME cluster has been created and provisioned, the data is forwarded from the host to the Cisco SME module using FC-redirect. The data is compressed and encrypted and then sent to the target. When the data is read, it follows the reverse path. Only the traffic from configured I-T nexus pairs is redirected to a Cisco SME module. All other traffic is unaffected.
Each I-T nexus is bound to a specific Cisco SME interface. When multiple Cisco SME modules are present in a Cisco SME cluster, Cisco SME uses target-based load balancing. All I-T nexus pairs for a given target are always bound to the same Cisco SME interface. I-T nexus pairs for different targets are load balanced across all available Cisco SME modules in the cluster. These Cisco SME modules can be on any Cisco SME capable switch in the cluster (multiple Cisco SME line cards on one switch are allowed).
In Figure 7, encryption traffic to target T1 (from both hosts H1 and H2) flows through the Cisco SME module on switch SW1, and the encryption traffic to target T2 (from host H2) flows through the Cisco SME module on switch SW2. Nonencrypted data flow from host H1 to target T3 does not go through the Cisco SME modules.

Figure 7. Cisco SME Data Flow in a Cluster

Failure Conditions

If the Cisco SME interface on switch SW2 fails (or if the entire switch SW2 fails), the traffic flow for I-T nexus pairs bound on the corresponding Cisco SME interfaces will be briefly interrupted (for example, traffic from host H2 to target T2) until the affected I-T nexus pairs are reassigned to other available Cisco SME interfaces in the cluster (Figure 8). The failure can cause some backup applications to stop backup jobs, and these may have to be restarted.

Figure 8. Failure Conditions

Cisco SME cluster operations require successful communication among the switches in the Cisco SME cluster using the management interface. Failure of this communication channel can affect the cluster membership of a switch. If a member switch loses communication with other members for more than 20 seconds (and is no longer part of the cluster view), Cisco SME service is stopped on that switch. All the traffic fails over to other switches in the cluster.

Network Topologies

Cisco SME is fully supported in Cisco MDS 9000 family-only fabrics. In future releases, Cisco SME may be supported in some fabrics consisting of both Cisco and other vendors' switches.
Cisco SME supports a single-fabric topology. In a fabric, one or more (up to a maximum of four) Cisco SME capable switches form a cluster. Single-fabric topologies support single-path and multipath configurations.
In a single-path configuration, a cluster configuration includes only one path, represented as an initiator/target path. In a multipath configuration, a cluster configuration includes all paths, represented as multiple initiator/target paths.

Topology Guidelines

When determining the provisioning and configuration requirements for Cisco SME, note the following guidelines related to SAN topology:

• The existing and new tape libraries must be connected to Cisco MDS 9500 and 9200 Series switches.

• Switches connected to tape libraries must be running Cisco MDS 9000 SAN-OS Software Release 3.2.3 or later.

• The Cisco MDS 9000 18/4 MSM module is supported on Cisco MDS 9500 Series switches and on the Cisco MDS 9222i switch. The switch must be running Cisco MDS 9000 SAN-OS Software Release 3.2.3 or later.

• Cisco SME requires a minimum of one Cisco SME line card in a cluster.

• Cisco SME line cards (security engines) should be on the target switch whenever possible.

• The zoning of media servers and tape drives must conform to the FC-redirect limits described in this document.

Core-edge and edge-core-edge topologies are described here. Additional examples for dedicated tape SANs are presented in the appendix.

Core-Edge Topology

In a core-edge topology, media servers are at the edge of the network, and tape libraries are at the core.
If the targets that require Cisco SME services are connected to only one switch in the core (Figure 9), use Cisco SME line cards and provision Cisco SME on this switch only. The number of Cisco SME line cards depends on the throughput requirements (see "Sizing Guidelines" later in this document).

Figure 9. Core-Edge Topology: Targets on a Single Core Switch

If the targets that require Cisco SME services are connected to multiple core switches (Figure 10), connect Cisco SME line cards and provision Cisco SME on these switches. Based on the throughput requirements, derive the total number of Cisco SME line cards and spread them (in proportion to the expected traffic) across the switches where the targets are connected. Additionally, provision the interswitch links (ISLs) between the target-connected switches in the core to account for Cisco SME traffic. Since the encryption service for the targets can be handled by any of the Cisco SME line cards in the core switches, additional traffic will traverse the ISLs between the core switches.

Figure 10. Core-Edge Topology: Targets on Multiple Core Switches

Note: If the Cisco SME line card is on a different switch than the tape library, additional ISL traffic crosses the network.

Edge-Core-Edge Topology

In an edge-core-edge topology, the hosts and the targets are at the two edges of the network connected through core switches.
If the targets that require Cisco SME services are connected to only one switch on the edge (Figure 11), use Cisco SME line cards and provision Cisco SME on this switch only. The number of Cisco SME line cards depends on the throughput requirements (see "Sizing Guidelines" later in this document).

Figure 11. Edge-Core-Edge Topology: Targets on a Single Edge Switch

If the targets that require Cisco SME services are connected to multiple edge switches (Figure 12), connect Cisco SME line cards and provision Cisco SME on these edge switches. Based on the throughput requirements, derive the total number of Cisco SME line cards and spread them (in proportion to the expected traffic) across the switches where the targets are connected. Additionally, provision the ISLs between the target-connected edge switches and the core switches to account for Cisco SME traffic. Since the encryption service for the targets can be handled by any of the Cisco SME line cards in the edge switches, additional traffic will traverse the ISLs between the edge switches and the core switches.

Figure 12. Edge-Core-Edge Topology: Targets on Multiple Edge Switches

Inserting Cisco SME in Existing Cisco SANs

The Cisco SME solution can be added to existing SAN fabrics in either of two ways:

• Upgrade switches connected to the target devices: Upgrade the Cisco MDS 9000 family switches connected to the targets to Cisco MDS 9000 SAN-OS Software Release 3.2.3 or higher and add Cisco SME line cards to these switches. Additionally, consider the configuration and zoning requirements specified in "Cisco SME Requirements" earlier in this document.

• Add new switches to the fabric and move target devices: Add new Cisco MDS 9000 family switches with Cisco SME capabilities (using Cisco SME line cards) to the fabric and move the target devices needing Cisco SME to the new switch. This switch must be running Cisco MDS 9000 SAN-OS Software Release 3.2.3 or higher.

In both these solutions, the host-connected switches should be upgraded to Cisco MDS 9000 SAN-OS Software Release 3.2.3 or higher.

Sizing Guidelines

• Each Cisco SME interface supports up to 450 MBps throughput with compression and encryption enabled.

• Peak throughput to each Linear Tape-Open 3 (LTO-3) drive is 40 to 60 MBps with compression and encryption enabled. For optimal performance, each Cisco SME interface should be connected to six to eight LTO-3 drives.

– The actual throughput depends on the server performance, number of concurrent Cisco SME streams on the Cisco SME interface, and the backup data (compressibility).

– For Canterbury Corpus data, the observed compression ratio using Cisco SME is 4.7:1.

• Up to 32 targets per switch are supported by FC-redirect. This support will be enhanced in a future release.

• Each FC-redirected target can be zoned with a maximum of 16 hosts. This support will be enhanced in a future release.

• A maximum of 1000 FC-redirect entries are available on each line card to which hosts or targets are connected.

– If there are h hosts on a line card zoned to a total of T targets in the SAN, then the number of redirect entries used on the host line card is h * T. This number should be less than 1000.

– If there are t targets on a line card zoned to a total of H hosts in the SAN (note that the maximum value of H is 16), then the number of redirect entries used on the target line card is t * H. This number should be less than 1000.

– On a Cisco SME line card, Cisco SME uses two Fibre Channel entries for each host-target pair that is being encrypted on that module. If the hosts or targets are connected to the Cisco SME line card, then the total of host, target, and Cisco SME redirect entries should be less than 1000.

– If the hosts and the line cards are on different switches, the ISLs connecting these switches use h * t redirect entries. These count toward the total limit of 1000 FC-redirect entries per line card.

• A Cisco MDS 9500 Series switch can accommodate multiple Cisco SME line cards.

– The additional slot on the Cisco MDS 9222i switch can contain a Cisco MDS 9000 18/4 MSM module.

• A physical fabric can have only one Cisco SME cluster. Each cluster can have up to four switches with multiple Cisco SME interfaces provisioned and Cisco SME service enabled.

Table 2 summarizes Cisco SME capabilities.

Table 2. Cisco SME Capabilities

Capability                                                         | Release 3.2(3)
Number of Clusters per Switch                                      | 1
Number of Clusters per Physical Fabric                             | 1
Switches in a Cluster                                              | 4
Fabrics in a Cluster                                               | 1
Modules in a Switch                                                | 11
Cisco SME Interfaces in a Cluster                                  | 32
Initiator-Target Logical Unit Numbers (LUNs), or ITLs, per Cluster | 128
LUNs Behind a Target                                               | 32
Host Ports in a Cluster                                            | 128
Target Ports in a Cluster                                          | 128
Number of Hosts per Target                                         | 16
Tape Groups per Cluster                                            | 2
Tape Volume Groups in a Tape Group                                 | 4
Cisco Key Management Center Number of Keys                         | 32,000

Cisco FMS Guidelines

In small, dedicated tape SAN environments that use Cisco FMS for overall SAN management, Cisco FMS can also be used as the key management server and for the Cisco SME configuration.
However, for larger SAN setups and especially when the Cisco FMS performance manager is being used, a separate server should be used for Cisco SME purposes.

Appendix A: Deployment Examples

This section presents deployment examples and derives the requirements for the number and placement of Cisco SME interfaces. All examples have Cisco SME interfaces on the same switch as the targets, and the targets are connected to the Cisco SME line cards.

Example 1

The backup environment consists of 16 media servers and 30 LTO-3 tape drives. The backup environment is a single-fabric SAN. All the switches are Cisco MDS 9000 family switches running Cisco MDS 9000 SAN-OS Software Release 3.2.3.

1A: One-Switch Configuration

A single Cisco MDS 9500 Series director is used to connect all media servers and the tape drives.

• Each Cisco SME interface can support 6 to 8 LTO-3 tape drives. The total number of Cisco SME interfaces needed is 30/10 = 3 plus 1 additional for failover purposes (during a future upgrade where the Cisco SME security engine on each Cisco SME interface would go through a disruptive upgrade, one module at a time). Thus, a total of 4 Cisco SME interfaces are needed.

• 30 tape drives are evenly distributed across all 4 Cisco SME interfaces (7 or 8 tape drives each).

• 16 media servers are evenly distributed across all 4 modules (4 media servers each).

• There is any-to-any connectivity between the media servers and the tape drives (zoning configuration).

• The number of FC-redirect entries used on each line card is calculated as follows:

– Target-to-host entries: (8 targets per line card) * (16 hosts) = 128

– Host-to-target entries: (4 hosts per line card) * (30 targets) = 120

– Cisco SME entries: (8 targets per line card) * (16 hosts) * 2 = 256 entries

This is an average load when the encryption load for the targets is evenly distributed on multiple Cisco SME interfaces. If one of the modules fails, other modules take over the load and would have a higher number of entries during that period.

– Total of 504 entries (within the limit of 1000)

– There is no ISL.

1B: Multiple Switch SAN with Tapes on One Switch

In this example, all the targets are on a Cisco MDS 9500 Series director, and the media servers are connected to other switches in the SAN. This topology is similar to the topologies in Figures 8 and 10.

• The calculations for Cisco SME interfaces and the placement are the same as case 1A.

• Each Cisco SME interface can support 6 to 8 LTO-3 tape drives. The total number of Cisco SME interfaces needed is 30/10 = 3 plus 1 additional for failover purposes (during a future upgrade where the Cisco SME security engine on each Cisco SME interface would go through a disruptive upgrade, one module at a time). Thus, a total of 4 Cisco SME interfaces are needed.

• 30 tape drives are evenly distributed across all 4 Cisco SME interfaces (7 or 8 tape drives each).

• 16 media servers are connected on various switches in the SAN (they need not be on the Cisco SME line cards). Assume that these hosts are connected to 2 line cards (8 hosts on each line card) on 2 switches.

• There is any-to-any connectivity between the media servers and the tape drives (zoning configuration).

• The number of FC-redirect entries used on each line card is calculated as follows (note that the host entries are not on the line cards on the target switch):

– Target-to-host entries: (8 targets per line card) * (16 hosts) = 128

– Cisco SME entries: (8 targets per line card) * (16 hosts) * 2 = 256 entries

This is an average load when the encryption load for the targets is evenly distributed on multiple Cisco SME interfaces. If one of the modules fails, other modules take over the load and would have a higher number of entries during that period.

– Total of 384 entries on the Cisco SME line card (within the limit of 1000)

– Host-to-target entries: (8 hosts per line card) * (30 targets) = 240 (within the limit of 1000)

– There are no FC-redirect entries on the ISL because all the targets are on the same switch and the host switches are FC-redirect capable.

1C: Multiple Switch SAN with Tapes on Two Switches

In this example, the targets are on two Cisco MDS 9000 family switches, and the media servers are connected to other switches in the SAN. This topology is similar to the topologies in Figures 9 and 11.

• Each target switch has 15 tape drives.

• Each Cisco SME interface can support 6 to 8 LTO-3 tape drives. The total number of Cisco SME interfaces needed on each switch is 15/10 = approximately 2 plus 1 additional for failover purposes (during a future upgrade where the Cisco SME security engine on each Cisco SME interface would go through a disruptive upgrade, one module at a time). Thus, a total of 3 Cisco SME interfaces are needed on each switch.

• On each switch, 15 tape drives are evenly distributed across all 3 Cisco SME interfaces (5 tape drives each).

• 16 media servers are connected on various switches in the SAN. Assume that these hosts are connected to 2 line cards (8 hosts on each line card) on 2 switches.

• There is any-to-any connectivity between the media servers and the tape drives (zoning configuration).

• Note that encryption engines on Cisco SME interfaces on one switch can be used to encrypt tapes connected to the other switch.

• The number of FC-redirect entries used on each line card is calculated as follows (note that the host entries are not on the line cards on the target switch):

– Target-to-host entries: (5 targets per line card) * (16 hosts) = 80

– Cisco SME entries: (5 targets per line card) * (16 hosts) * 2 = 160 entries

This is an average load when the encryption load for the targets is evenly distributed on multiple Cisco SME interfaces. If one of the modules fails, other modules take over the load and would have a higher number of entries during that period.

– Total of 240 entries on the Cisco SME line card (within the limit of 1000)

– The number of ISL entries on the target switch depends on the load distribution. If all the local targets are serviced by the local Cisco SME line card, the number of entries needed is (30 targets on the switch) * (16 hosts in SAN) = 480. However, if the local targets are serviced by the remote switch, the worst-case number for FC-redirect entries on the ISL is (60 targets on the switch) * (16 hosts in SAN) = 960. Hence, the ISL must be provisioned on a line card other than a Cisco SME line card.

– Host-to-target entries (8 hosts per line card) * (30 targets) = 240 (within the limit of 1000)

– ISL entries on host switch: (8 hosts on the switch) * (60 targets) = 480 in the worst case. If the ISL is on the same line card as the hosts, the total number of entries is 720.

Example 2

The backup environment consists of 16 media servers and 60 LTO-3 tape drives. The backup environment is a single-fabric SAN. All the switches are Cisco MDS 9000 family switches running Cisco MDS 9000 SAN-OS Software Release 3.2.3.

Note: It is possible to work around the 32 targets per switch FC-redirect limitation if all the targets are on the same switch.

In this one-switch configuration, a single Cisco MDS 9500 Series director is used to connect all the media servers and the tape drives.

• Each Cisco SME interface can support 6 to 8 LTO-3 tape drives. The total number of Cisco SME interfaces needed is 60/10 = 6, plus 1 additional interface for failover purposes (to cover a future disruptive upgrade in which the Cisco SME security engine on each Cisco SME interface is upgraded one module at a time). Thus, a total of 7 Cisco SME interfaces are needed.

• 60 tape drives are evenly distributed across all 7 Cisco SME interfaces (8 or 9 tape drives each).

• 16 media servers are evenly distributed across all 7 modules (2 or 3 media servers each).

• There is any-to-any connectivity between the media servers and the tape drives (zoning configuration).

• The number of FC-redirect entries used on each line card is calculated as follows:

– Target-to-host entries: (9 targets per line card) * (16 hosts) = 144

– Host-to-target entries: (3 hosts per line card) * (60 targets) = 180

– Cisco SME entries: (9 targets per line card) * (16 hosts) * 2 = 288 entries

– Total of 612 entries (within the limit of 1000)

– There is no ISL.
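A small calculator, added here and not part of the Cisco guide, that applies the entry-counting rules of Examples 1 and 2 to one line card and checks the result against the 1000-entry limit. The LineCard fields and the per-target and per-host zoning counts are my own parametrization of the guide's formulas, not a Cisco data model.

```python
"""FC-redirect entry budget for one Cisco MDS line card in a Cisco SME design.

Added example, not a Cisco tool. It applies the counting rules of the worked
examples above (one entry per local target/host pair, one per local host/target
pair, two per SME-serviced target/host pair, plus every target-host flow that
crosses an ISL on the card) against the 1000-entry per-line-card limit.
"""
from dataclasses import dataclass

FC_REDIRECT_LIMIT = 1000  # per-line-card limit quoted in the guide

@dataclass
class LineCard:
    name: str
    local_targets: int = 0     # tape drives on this card's ports
    local_hosts: int = 0       # media servers on this card's ports
    sme_targets: int = 0       # targets encrypted by this card's SME engines
    isl_pairs: int = 0         # target-host flows crossing an ISL on this card
    hosts_per_target: int = 0  # hosts each local or SME target is zoned to
    targets_per_host: int = 0  # targets each local host is zoned to

def entry_breakdown(card: LineCard) -> dict:
    """Per-rule entry counts, in the order the guide lists them."""
    return {
        "target_to_host": card.local_targets * card.hosts_per_target,
        "host_to_target": card.local_hosts * card.targets_per_host,
        "sme": card.sme_targets * card.hosts_per_target * 2,  # two per pair
        "isl": card.isl_pairs,
    }

def total_entries(card: LineCard) -> int:
    return sum(entry_breakdown(card).values())

def within_limit(card: LineCard) -> bool:
    return total_entries(card) <= FC_REDIRECT_LIMIT

# Example 2: one director, 9 targets and 3 hosts per card, any-to-any zoning.
EXAMPLE_2_CARD = LineCard("ex2", local_targets=9, local_hosts=3, sme_targets=9,
                          hosts_per_target=16, targets_per_host=60)
# Example 1, Cisco SME line card on the target switch: 5 targets, no hosts.
EXAMPLE_1_SME_CARD = LineCard("ex1-sme", local_targets=5, sme_targets=5,
                              hosts_per_target=16)
# Example 1 worst case if the 960-flow ISL were placed on that same SME card.
EXAMPLE_1_SME_PLUS_ISL = LineCard("ex1-sme+isl", local_targets=5, sme_targets=5,
                                  hosts_per_target=16, isl_pairs=60 * 16)

if __name__ == "__main__":
    for card in (EXAMPLE_2_CARD, EXAMPLE_1_SME_CARD, EXAMPLE_1_SME_PLUS_ISL):
        print(f"{card.name}: {entry_breakdown(card)} total={total_entries(card)}"
              f" {'OK' if within_limit(card) else 'OVER LIMIT'}")
```

The third card reproduces the guide's reason for keeping the ISL off the Cisco SME line card: 240 SME-side entries plus 960 ISL entries is 1200, over the limit.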

Example 3

The backup environment consists of 32 media servers and 60 LTO-3 tape drives. The backup environment is a single-fabric SAN. All the switches are Cisco MDS 9000 family switches running Cisco MDS 9000 SAN-OS Software Release 3.2.3.

Since each target can be zoned to at most 16 hosts, the backup environment must be divided into 2 zones. Each zone has 16 media servers and 30 targets. Then Example 1A or 1B can be used to connect each set of 16 media servers and 30 targets. Each set of 30 targets will be on a separate switch.

In future releases, when this restriction of 16 hosts per target is removed, other topologies are possible.

Appendix B: Configuration Checklist

This section provides a Cisco SME configuration checklist. Please verify that the following configuration is used.

1. Software versions

a. Cisco MDS 9000 SAN-OS Software Release 3.2(3) or later

b. Cisco FMS 3.2(3) or later

c. Smart-card drivers

2. Topology

a. The target switch is connected to an FC-redirect-capable switch (Cisco MDS 9500 Series, 9200 Series, 9120, and 9140 switches).

b. The tape-backup environment is listed in the supported matrix.

3. GUI

a. Cisco FMS is installed (Cisco FMS license not required for Cisco SME).

b. For key management, either Cisco KMC or RSA Key Manager (RKM) is selected. For RKM, appropriate certificates have been installed.

c. If Domain Name System (DNS) is not used, UseIP should be set to True in the smeserver.properties file. Cisco FMS must have been restarted after editing the file.

d. You should be able to ping the fully qualified domain name (FQDN) of switches from Cisco FMS.

e. The Cisco Fabric Manager login name and password must be the same as the switch login name and password.

f. The fabric name must be one that will remain constant (the fabric name cannot be changed after Cisco SME is configured).

g. The following ports must be allowed on the firewall server:

i. Ports 9333 to 9339 for TCP and UDP, for Cisco SME cluster communication

ii. Ports 8800 and 8900 for Cisco KMC communication

iii. Ports HTTP (80) and HTTPS (443) for Cisco SME Web-client communication

h. A Microsoft Windows PC is available to open the Cisco Fabric Manager Web client.

4. DNS

a. Domain name is configured on all the switches.

b. Name server is configured on all the switches.

c. The switches can ping each other using their FQDNs.

5. Security

a. Secure Shell (SSH) is enabled on all the switches.

b. If roles are used, the sme-admin role is configured on the switches and on the TACACS and authentication, authorization, and accounting (AAA) server.

6. Configuration

a. Visibility exists for the desired VSANs on the Cisco SME cluster switches.

b. Zones are configured with hosts and targets and the zone set is activated.

c. Zoning is performed using pWWNs for Cisco SME hosts and targets.

d. Default zone policy is set to deny.

e. Fibre Channel Name Server (FCNS) is populated with the FC-4 features for all Cisco SME initiators and targets.

f. The host is able to access the target without Cisco SME.

7. Design questions

a. All the switches that will be in the Cisco SME cluster are in one fabric.

b. The following Cisco SME options have been selected:

i. Compression (Yes or No)

ii. Store Key on Tape (Yes or No)

iii. Tape Volume Policy (Shared Key or Unique Key)

iv. If Unique Key, Tape Key Recycle (Yes or No)

c. If the tape backup application is Tivoli Storage Manager (TSM):

i. Auto Volume Group (Yes or No)

d. Security mode to use:

i. Basic

ii. Standard

iii. Advanced: 2/5 or 3/5

e. If using standard or advanced security mode:

i. The Windows Web client PC has a USB port for the smart card reader.

ii. Smart-card drivers are installed.