IP partnerships

Partnerships can be established over Ethernet links that use the IPv4 and IPv6 addresses associated with Ethernet ports. These IP partnerships can be connections through Ethernet switches, or direct connections between local and partner systems. Partnerships must be created as either an IPv4 or IPv6 partnership.

Secured IP partnerships secure the data as it travels through an untrusted network between production and recovery systems. Although securing IP partnerships is optional, it supports authentication of the production and recovery systems, and verifies the confidentiality and integrity of the replicated data. Secured IP partnerships minimize the risk of hackers manipulating or intercepting data in untrusted networks. Secured IP partnerships use the Internet Protocol Security (IPsec) suite of protocols, which covers important security aspects such as:
  • Enhanced mutual authentication
  • Stronger encryption algorithms
  • Encryption key management mechanisms
In secured IP partnerships, the partner systems authenticate to each other, negotiate the security parameters, exchange encryption keys, and establish secured network tunnels through which encrypted data travels. Partner systems are authenticated by certificates issued by internal root certificate authorities (CAs) or by a trusted third party's root CA or intermediate CA. Secured IP partnerships are created when the necessary certificates and authorities are installed on the partner systems.
Note: Secured IP partnerships are only available on certain Amazon Web Services (AWS) and Microsoft Azure regions. For more information, see Planning secured IP partnerships.

Portsets replace the requirement for creating groups for IP partnerships. Dedicated portsets can be created for remote copy traffic. The dedicated portsets provide a group of IP addresses for IP partnerships. Each node can have one IP address that is assigned to a portset for traffic. If the local system in the IP partnership contains four nodes, a portset can be created that defines four IP addresses, one for each node. Similarly, on a remote system with four nodes, a portset can also have four IP addresses to handle traffic exclusively. During updates of the software, any IP addresses that are assigned to groups with an existing IP partnership are automatically moved to a corresponding portset. For example, if group 1 is defined on the system before the update, the IP addresses from that remote-copy group are mapped to portset 1 after the update. Similarly, IP addresses in group 2 are mapped to portset 2. Before you can configure a new IP partnership, you need to define a portset and assign IP addresses to nodes.

You can configure portsets so that each IP partnership can be mapped to two portsets, one for each WAN link between systems. For network configurations that have a single link between systems in an IP partnership, a single portset can be defined in the Portset Link 1 field on the Create Partnership page in the GUI. You can also use the -link1 attribute in the mkippartnership command for partnerships with a single link. For a partnership with dual links, a second portset must be defined in the Portset Link 2 field. Use the -link2 attribute to specify the second portset for a dual link configuration.

Supported IP partnership configurations

The following general configurations are supported, but the number of I/O groups that are configured for each site can be different.

Configuration 1: In this configuration, only a single WAN intersite link is available. Therefore, only one portset is configured on each node.

Figure 1. One intersite link, one I/O group per system
Only one port from either of the nodes in each system actively participates in the IP partnership. The other port acts as the failover port. If a critical failure is observed on node H1 in Site H, the IP partnership will fail over to node H2 and continue. Remote copy relationships might stop momentarily during the failover.
Note: The system supports two IP partnerships that use the same physical link between systems; however, the single link can have lower throughput than a single IP partnership.

Configuration 2: In this configuration, only one intersite link is available. Each system uses a single portset where each node in the system has an IP address assigned. However, out of all of the available ports, only one port from either of the nodes in each system actively participates in the IP partnership. The other ports act as failover ports.

Figure 2. One intersite link, two I/O groups per system

If a critical failure is observed on node H1 in Site H, the IP partnership fails over to node H2, H3, or H4 and continues. Remote copy relationships might stop momentarily during the failover.

Configuration 3: In this configuration, eight-node systems are available. However, only two I/O groups in a system can have ports that are configured in IP partnerships. Each system uses a single portset where each node in the system has an IP address assigned. In this configuration, each system has a portset with eight IP addresses. However, out of all the available ports, only one port from either node in each system actively participates in IP partnership. The other ports act as failover ports.

Note: Configuration 3 also applies to systems with four I/O groups. In such systems, while only two I/O groups can have ports configured in IP partnerships, all I/O groups in a system can contain remote-copy relationships. Any replication-related operations that are generated by nodes that are not connected directly to the remote system are forwarded to connected nodes for onward transmission to the remote system.
Figure 3. One intersite link, three I/O groups per system

If a critical failure is observed on node H1 in Site 1, the IP partnership fails over to node H2, H3, or H4 and continues. Remote copy relationships might stop momentarily during the failover.

Configuration 4: In this configuration, two intersite links are available; therefore, two portsets are configured. One port from each node in each system actively participates in the IP partnership. If a critical failure is observed on node H1 in Site H, the IP partnership continues over the other port on node H2.

No failure occurs in this scenario; however, the effective bandwidth is reduced to half; only one of the two links is available to facilitate IP partnership traffic. When the failure is corrected, ports will fail back and the IP partnership continues to operate over both links.

Figure 4. Two intersite links, one I/O group per system

Configuration 5: In this multi-node configuration, two intersite links are available. Each link must be assigned to a different portset. Each portset contains one IP address for each node in the system. Out of the four ports, only two ports actively facilitate the IP partnerships. This port and path selection is maintained by an internal algorithm. The other ports act as failover ports.

Figure 5. Two intersite links, two I/O groups per system

If a critical failure occurs on node H1 in Site H, the IP partnership will fail over to node H3 and continue. The link bandwidth is not affected, as the failover happens immediately and completes quickly while IP partnership traffic continues from node H2.

Configuration 6: In this configuration, eight-node systems are available. However, only two I/O groups in a system can have ports that are configured in IP partnerships. In this multi-node configuration, two intersite links are available. Each link must be assigned to a different portset. Each portset contains one IP address for each node in the system. Out of the four ports, only two ports actively facilitate the IP partnerships. This port and path selection is maintained by an internal algorithm. The other ports act as failover ports.

Note: Configuration 6 also applies to systems with four I/O groups. In such systems, while only two I/O groups can have ports that are configured in IP partnerships, all I/O groups in a system can contain remote-copy relationships. Any replication-related operations that are generated by nodes that are not connected directly to the remote system are forwarded to connected nodes for onward transmission to the remote system.
Figure 6. Two intersite links, three I/O groups per system

If a critical failure is observed on node H1 in Site H, the IP partnership will fail over to node H3 and continue. The link bandwidth is not affected because the failover happens immediately and completes quickly while IP partnership traffic continues from node H2.
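
An added pre-flight check, not IBM's code or part of the original page: it validates a planned portset layout for one system against the rules stated on this page (one IP address per node per portset, a single address family per partnership, a different portset for each link, and at most two I/O groups with partnership ports). The plan format, the function name and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

def check_plan(portsets, link1, link2=None):
    """Return rule violations for one system's side of an IP partnership.

    portsets: {name: [(node, io_group, ip), ...]} -- hypothetical plan format.
    """
    problems = []
    if link2 is not None and link1 == link2:
        problems.append("link1 and link2 must use different portsets")
    families, io_groups = set(), set()
    # dict.fromkeys de-duplicates while keeping link order; None means single link
    for name in dict.fromkeys(n for n in (link1, link2) if n is not None):
        entries = portsets.get(name)
        if not entries:
            problems.append(f"portset {name!r} is undefined or empty")
            continue
        # Each node can have one IP address assigned to a portset.
        per_node = Counter(node for node, _, _ in entries)
        for node, count in sorted(per_node.items()):
            if count > 1:
                problems.append(f"node {node} has {count} addresses in {name!r}")
        for _, io_group, ip in entries:
            families.add(ipaddress.ip_address(ip).version)
            io_groups.add(io_group)
    # A partnership is created as either IPv4 or IPv6, never both.
    if len(families) > 1:
        problems.append("partnership mixes IPv4 and IPv6 addresses")
    # Only two I/O groups in a system can have ports in IP partnerships.
    if len(io_groups) > 2:
        problems.append(f"{len(io_groups)} I/O groups have partnership ports (max 2)")
    return problems

# Constructed sample plans (documentation address ranges, not real systems).
GOOD = {
    "portset1": [("H1", 0, "192.0.2.11"), ("H2", 0, "192.0.2.12"),
                 ("H3", 1, "192.0.2.13"), ("H4", 1, "192.0.2.14")],
    "portset2": [("H1", 0, "198.51.100.11"), ("H2", 0, "198.51.100.12"),
                 ("H3", 1, "198.51.100.13"), ("H4", 1, "198.51.100.14")],
}
BAD = {
    "portset1": [("H1", 0, "192.0.2.11"), ("H1", 0, "192.0.2.21"),
                 ("H3", 1, "2001:db8::13"), ("H5", 2, "192.0.2.15")],
}

if __name__ == "__main__":
    print(check_plan(GOOD, "portset1", "portset2"))
    for problem in check_plan(BAD, "portset1", "portset1"):
        print("-", problem)
```

Run the check on each system's plan separately, because the local and remote systems each define their own portsets.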