Description Manages policies in the Security Policy database.
Authority Admin session and an Ipsec Edit session
Syntax ipsec policy
    copy [policy_source] [policy_destination]
    create [policy]
    delete [policy]
    edit [policy]
    list [option]
    rename [policy_old] [policy_new]
Operands copy [policy_source] [policy_destination]
Creates a new policy named [policy_destination] and copies the configuration into it from the policy given by [policy_source]. You must enter the ipsec save command afterwards to save your changes. [policy_destination] must not begin with DynamicSP_, which is reserved for dynamic policies.
create [policy]
Creates a policy with the name given by [policy]. A policy name must begin with a letter and be no longer than 32 characters. Valid characters are alphanumeric, _, $, ^, and -. The Security Policy database supports a maximum of 128 user-defined policies. You must enter the ipsec save command afterwards to save your changes. Table 16 describes the policy parameters:
Table 16 Policy configuration parameters
Description
Description of the policy
SourceAddress
IP address (version 4 or 6) or DNS host name of the host, switch, or gateway from which data originates
SourcePort
Source port number in the range 1-65535
DestinationAddress
IP address (version 4 or 6) or DNS host name of the host, switch, or gateway receiving data. If you specified an IP address for the SourceAddress, the DestinationAddress must use the same IP version format.
DestinationPort
Destination port number in the range 1-65535
Protocol
Protocol or application to which to apply IP security. Enter an operand for one of the following protocols or an integer in the range 0-255:
• Internet Control Message Protocol for IPv4 (ICMP)
• Internet Control Message Protocol for IPv6 (ICMP6)
• Internet Protocol, version 4 (IPv4)
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)
• Any protocol
ICMPv6 (Protocol=ICMP6)
ICMP number (0-255). You are prompted for this parameter only if you specify ICMP6 for the Protocol parameter.
Direction
Direction of the data traffic to which the policy is to be applied:
• In—Data entering the source
• Out—Data leaving the source
Priority
A number from -2147483647 to +214783647 that determines priority for this policy in the security policy database. The higher the number, the higher the priority.
Action
Processing to apply to data traffic:
• Discard—Unconditionally disallow all inbound or outbound data traffic.
• None—Allow all inbound or outbound data traffic without encryption or decryption.
• Ipsec—Apply IP security to inbound and outbound data traffic.
Mode (Action=Ipsec)
IP security connection type. Mode can have one of the following values:
• Transport—Encrypts the transport layer payload
• Tunnel—Encrypts the IP header and the transport layer payload. See the TunnelSource and TunnelDestination parameters.
TunnelSource (Mode=Tunnel)
IP address (version 4 or 6) of the tunnel source.
TunnelDestination (Mode=Tunnel)
IP address (version 4 or 6) of the tunnel destination. TunnelSource and TunnelDestination must use the same IP version address format.
ProtectionDesired (Action=Ipsec)
Type of IP security protection to apply:
• AH—Authentication Header. Protects against modifications to the data. See the ahRuleLevel parameter.
• ESP—Encapsulating Security Payload. Protects against viewing the data. See the espRuleLevel parameter.
• Both—Apply both AH and ESP protection. See the ahRuleLevel and espRuleLevel parameters.
ahRuleLevel (ProtectionDesired=AH or Both)
Rule level to apply for AH protection. You are prompted for this parameter only if you specify AH or Both for the ProtectionDesired parameter.
• Default—Use the system wide default for the protocol
• Use—Use a security association if one is available
• Require—A security association is required whenever a packet is sent that is matched with the policy
espRuleLevel (ProtectionDesired=ESP or Both)
Rule level to apply for ESP protection:
• Default—Use the system wide default for the protocol
• Use—Use a security association if one is available
• Require—A security association is required whenever a packet is sent that is matched with the policy
delete [policy]
Deletes the policy given by [policy] from the Security Policy database. You must enter the ipsec save command afterwards to save your changes.
edit [policy]
Opens an edit session in which to change the configuration of an existing policy given by [policy].
list [option]
Displays the configuration for the policies given by [option]. If you omit [option], the command displays the configuration of all active policies. [option] can be one of the following:
[policy]
Displays the configuration for the policy given by [policy].
active
Displays the configuration for all active policies.
configured
Displays the configuration for all user-defined policies.
edited
Displays the configuration for all policies that have been modified, but not saved.
rename [policy_old] [policy_new]
Renames the policy given by [policy_old] to the policy given by [policy_new]. You must enter the ipsec save command afterwards to save your changes. Dynamic policies cannot be renamed.
Examples The following is an example of the ipsec policy create command:
SN6000 FC Switch #> admin start
SN6000 FC Switch (admin) #> ipsec edit
SN6000 FC Switch (admin-ipsec) #> ipsec policy create h2h-sh-sp
A list of attributes with formatting will follow.
Enter a value or simply press the ENTER key to skip specifying a value.
If you wish to terminate this process before reaching the end of the list
press 'q' or 'Q' and the ENTER key to do so.
Required attributes are preceded by an asterisk.
Value (press ENTER to not specify value, 'q' to quit):
Description (string value, 0-127 bytes) : Host-to-host: switch->host
*SourceAddress (IPv4, IPv6 or hostname/[PrefixLength]) : fe80::2c0:ddff:fe03:d4c1
SourcePort (decimal value, 1-65535) :
*DestinationAddress (IPv4, IPv6 or hostname/[PrefixLength]) : fe80::250:daff:feb7:9d02
DestinationPort (decimal value, 1-65535) :
*Protocol (decimal value, or keyword)
Allowed keywords icmp, icmp6, ip4, tcp, udp or any : any
*Direction (1=in, 2=out) : 2
Priority (value, -2147483647 to +214783647) :
*Action (1=discard, 2=none, 3=ipsec) : 3
Mode (1=transport, 2=tunnel) : 2
*TunnelSource (IPv4, or IPv6 Address) fe91::3d1:eecc:bf14:e5d2
*TunnelDestination (IPv4, or IPv6 Address) fe91::361:ebcc:bfc8:0e13
*ProtectionDesired (select one, transport-mode only)
1=ah Authentication Header
2=esp Encapsulating Security Payload
3=both : 2
*espRuleLevel (1=default, 2=use, 3=require) : 3
The security policy has been created.
This configuration must be saved with the 'ipsec save' command before it can take effect, or to discard this configuration use the 'ipsec cancel' command.
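The following Python is an added example, not code from the switch or its vendor: it checks a policy definition against the rules stated for ipsec policy create and in Table 16 (name format, matching IP versions, port and protocol ranges, the ICMPv6 and rule-level prompts, tunnel endpoints) and then picks the policy that wins on Priority when several match the same traffic. The dictionary field names (`source_port`, `protection`, `esp_rule_level`, and so on) are the example's own; only the rules come from the page.

```python
import ipaddress
import re

# Constraints taken from the ipsec policy create description and Table 16 above.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_$^-]{0,31}$")   # letter first, at most 32 chars
PROTOCOL_KEYWORDS = {"icmp", "icmp6", "ip4", "tcp", "udp", "any"}
PRIORITY_MIN, PRIORITY_MAX = -2147483647, 214783647           # range as printed in the manual


def ip_version(addr):
    """4 or 6 for an IP literal, None for a DNS host name or an empty value."""
    try:
        return ipaddress.ip_address(addr).version
    except ValueError:
        return None


def validate_policy(p):
    """Return the documented rules a policy dict violates; an empty list means acceptable."""
    errs = []
    if not NAME_RE.match(p["name"]):
        errs.append("name: must start with a letter, max 32 chars of A-Z a-z 0-9 _ $ ^ -")
    src, dst = ip_version(p["source"]), ip_version(p["destination"])
    if src and dst and src != dst:              # only enforced when both are IP literals
        errs.append("SourceAddress and DestinationAddress must use the same IP version")
    for key in ("source_port", "destination_port"):
        if key in p and not 1 <= p[key] <= 65535:
            errs.append(f"{key}: must be 1-65535")
    proto = p["protocol"]
    if not (proto in PROTOCOL_KEYWORDS or (isinstance(proto, int) and 0 <= proto <= 255)):
        errs.append("protocol: keyword or integer 0-255")
    if proto == "icmp6" and not 0 <= p.get("icmpv6", -1) <= 255:
        errs.append("icmpv6: ICMP number 0-255 is required when protocol is icmp6")
    if not PRIORITY_MIN <= p.get("priority", 0) <= PRIORITY_MAX:
        errs.append("priority: out of range")
    if p["action"] == "ipsec":                  # Mode/ProtectionDesired only apply here
        if p["protection"] in ("ah", "both") and "ah_rule_level" not in p:
            errs.append("ahRuleLevel required when ProtectionDesired is AH or Both")
        if p["protection"] in ("esp", "both") and "esp_rule_level" not in p:
            errs.append("espRuleLevel required when ProtectionDesired is ESP or Both")
        if p.get("mode") == "tunnel":
            ts, td = ip_version(p.get("tunnel_source", "")), ip_version(p.get("tunnel_destination", ""))
            if not (ts and td and ts == td):
                errs.append("TunnelSource/TunnelDestination: IP literals of the same version")
    return errs


def select_policy(policies, direction, src, dst, protocol):
    """Of the policies whose selectors match the traffic, return the highest-Priority one."""
    hits = [p for p in policies if p["direction"] == direction and p["source"] == src
            and p["destination"] == dst and p["protocol"] in ("any", protocol)]
    return max(hits, key=lambda p: p.get("priority", 0), default=None)
```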
See also ipsec, page 184
ipsec association, page 186
key
Description Creates and manages public/private key pairs in the PKI database.
Authority Admin session. The list keyword does not require an Admin session.
Syntax key
    delete [key_name]
    generate [key_name] size [size] force
    import [key_name] [file_name] force
    list [key_name]
Operands delete [key_name]
Deletes a public/private key pair from the PKI database.
generate [key_name] size [size] force
Creates a public/private key pair with the name given by [key_name] of the size in bits given by [size]. The optional keyword force overwrites an existing key pair with the same name. [size] can be one of the following:
512
Creates a public/private key pair of 512 bits
1024
Creates a public/private key of 1,024 bits
2048
Creates a public/private key of 2,048 bits
import [key_name] [file_name] force
Imports the public/private key pair file given by [file_name] into the PKI database with the name given by [key_name]. The optional keyword force overwrites an existing key pair with the same name.
list [key_name]
Displays detailed information about the public/private key pair given by [key_name]. If you omit [key_name], the command lists all key pairs in the PKI database.
Examples The following is an example of the key generate command:
SN6000 FC Switch #> admin start
SN6000 FC Switch (admin) #> key generate key512 size 512
The following is an example of the key list command for key512:
SN6000 FC Switch #> key list key512
Key key512:
private key with:
pubkey: RSA 512 bits
keyid: 49:80:4c:aa:d3:c3:bc:c7:f5:b1:41:34:ce:71:48:1d:b9:b3:d9:f9
subjkey: f4:b6:b9:27:25:7a:5a:69:a0:9e:cf:14:cd:3c:88:e9:d5:b1:aa:4a
The following is an example of the key list command:
SN6000 FC Switch #> key list
Installed Keys:
key512 key2048 key1024
* indicates key has a matching local certificate
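An added example, not part of the manual: it parses the key list output shown above into the key name, algorithm, size, keyid and subjkey fields, and reports RSA key pairs smaller than a review threshold. The sample text is the key512 listing from the page; the 2048-bit threshold is this example's own choice, not a switch setting.

```python
import re

# Constructed sample: the `key list key512` output as printed in the manual.
SAMPLE_KEY_LIST = """\
Key key512:
private key with:
pubkey: RSA 512 bits
keyid: 49:80:4c:aa:d3:c3:bc:c7:f5:b1:41:34:ce:71:48:1d:b9:b3:d9:f9
subjkey: f4:b6:b9:27:25:7a:5a:69:a0:9e:cf:14:cd:3c:88:e9:d5:b1:aa:4a
"""

MIN_RSA_BITS = 2048  # review threshold chosen for this example (assumption)

# keyid/subjkey are printed as 20 colon-separated hex bytes
FINGERPRINT_RE = re.compile(r"(keyid|subjkey): ([0-9a-f]{2}(?::[0-9a-f]{2}){19})$")


def parse_key_list(text):
    """Return one dict per 'Key <name>:' block found in key list output."""
    keys, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Key (\S+):$", line)
        if m:                                   # start of a new key block
            cur = {"name": m.group(1)}
            keys.append(cur)
            continue
        m = re.match(r"pubkey: (\w+) (\d+) bits$", line)
        if m and cur:
            cur["algorithm"], cur["bits"] = m.group(1), int(m.group(2))
            continue
        m = FINGERPRINT_RE.match(line)
        if m and cur:
            cur[m.group(1)] = m.group(2)
    return keys


def weak_keys(keys, min_bits=MIN_RSA_BITS):
    """Names of RSA key pairs whose modulus is below min_bits."""
    return [k["name"] for k in keys
            if k.get("algorithm") == "RSA" and k.get("bits", 0) < min_bits]
```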
lip
Description Reinitializes the specified loop port.
Authority Admin session
Syntax lip [port_number]
Operands [port_number]
The number of the port to be reinitialized. Ports are numbered beginning with 0.
Examples The following is an example of the lip command:
logout
Description Closes the switch connection.
Authority None
Syntax logout
Notes You can also press Control-D to close the switch connection.
See also exit, page 153
passwd
Description Changes a user account’s password.
Authority Admin account name and an Admin session to change another account’s password; you can change your own password without an Admin session.
Syntax passwd [account_name]
Operands [account_name]
The user account name. To change the password for an account name other than your own, you must open an Admin session with the account name admin. If you omit [account_name], you will be prompted to change the password for the current account name.
Examples The following is an example of the passwd command:
SN6000 FC Switch #> admin start
SN6000 FC Switch (admin) #> passwd user2
Press 'q' and the ENTER key to abort this command.
account OLD password : ********
account NEW password (8-20 chars) : ********
please confirm account NEW password: ********
password has been changed.
ping
Description Initiates an attempt to communicate with another switch over an Ethernet network and reports the result.
Authority None
Syntax ping [host_name]
    -ipv4 [host_address]
    -ipv6 [host_address]
Operands [host_name]
DNS host name of the switch you want to query. [host_name] is a character string of 2-125 characters made up of one or more subdomains delimited by periods (.). The following naming rules apply:
• Valid characters are alphanumeric characters, period (.), and hyphen (-).
• Each subdomain must be a minimum of two alphanumeric characters.
• Each subdomain must start and end with an alphanumeric character.
• A host name can end with a period (.).
-ipv4 [host_address]
IP address (version 4) or DNS host name of the switch you want to query. Broadcast IP addresses, such as 255.255.255.255, are not valid.
-ipv6 [host_address]
IP address (version 6) or DNS host name of the switch you want to query.
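An added example, not from the manual: a checker for the [host_name] rules listed above, useful for validating names before they are pushed into scripted switch commands. It reads "a minimum of two alphanumeric characters" as a minimum subdomain length of two (an assumption), and allows the single trailing period the rules permit.

```python
import re

# Rules as listed for the ping [host_name] operand. A subdomain (label) is at
# least two characters, alphanumeric at both ends, with hyphens allowed inside;
# the "minimum of two alphanumeric characters" wording is read as length >= 2.
LABEL_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]*[A-Za-z0-9]")


def valid_ping_host_name(name):
    """True if name satisfies every documented rule for the ping host name."""
    if not 2 <= len(name) <= 125:                       # overall length 2-125
        return False
    if not re.fullmatch(r"[A-Za-z0-9.-]+", name):       # alphanumeric, period, hyphen only
        return False
    body = name[:-1] if name.endswith(".") else name    # one trailing period is permitted
    return all(LABEL_RE.fullmatch(label) for label in body.split("."))
```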
Examples The following is an example of a ping command that successfully communicated with another switch:
SN6000 FC Switch #> ping 10.20.11.57
Ping command issued. Waiting for response...
SN6000 FC Switch #>
Response successfully received from 10.20.11.57.
The following is an example of a ping command for which there was no response from the other switch:
SN6000 FC Switch #> ping 10.20.11.57
Ping command issued. Waiting for response...
No response from 10.20.11.57. Unreachable.