Use this page to set or modify IP addresses for the selected IBM® TS7700 Cluster.
You can back up these settings as part of the ts7700_cluster<cluster ID>.xmi file and restore them for later use or use with another cluster.
- IP Addresses
- Use this tab to set or modify the management interface IP addresses for the selected cluster.
Each cluster is associated with two routers or switches. Each router or switch is assigned an IP
address and one virtual IP address is shared between routers or switches.
Note: Any modifications to
IP addresses on the accessing cluster interrupt access to that cluster for all current users. If
accessing cluster IP addresses are modified, current users are redirected to the new virtual
address.
Fields on this tab include:
- IPv4
- Select this radio button if the cluster can be accessed by an IPv4 address. If this option is
disabled, all incoming IPv4 traffic is blocked, although loopback traffic is still
permitted.
Note: If this option is enabled, you must specify the following addresses:
- <Cluster Name> IP Address
- An AIX® virtual IPv4 address that receives traffic on both
customer networks. This field cannot be blank if IPv4 is enabled.
- Primary Address
- The IPv4 address for the primary customer network. This field cannot be blank if IPv4 is
enabled.
- Secondary Address
- The IPv4 address for the secondary customer network. This field cannot be blank if IPv4 is
enabled.
- Subnet Mask
- The IPv4 subnet mask used to determine the addresses present on the local network. This field
cannot be blank if IPv4 is enabled.
- Gateway
- The IPv4 address used to access machines outside the local network.
- A valid IPv4 address is 32 bits long, consists of four decimal numbers, each ranging from 0 to
255, separated by periods, like:
98.104.120.12
- IPv6
- Select this radio button if the cluster can be accessed by an IPv6 address. If this option is
disabled, all incoming IPv6 traffic is blocked, although loopback traffic is still permitted. If
you enable this option and do not designate any additional IPv6 information, the minimum required
local addresses for each customer network interface will automatically be enabled and configured
using neighbor discovery.
Note: If this option is enabled, you can specify the following addresses:
- Primary Address
- The IPv6 address for the primary network. This field cannot be blank if IPv6 is enabled.
- Secondary Address
- The IPv6 address for the secondary network. This field cannot be blank if IPv6 is enabled.
- Prefix Length
- The IPv6 prefix length used to determine the addresses present on the local network. The value
in this field is an integer between 1 and 128. This field cannot be blank if IPv6 is enabled.
- Gateway
- The IPv6 address used to access machines outside the local network.
- A valid IPv6 address is a 128-bit long hexadecimal value separated into 16-bit fields by
colons, like:
3afa:1910:2535:3:110:e8ef:ef41:91cf
Leading zeros can be omitted in each field, so that :0003: can be written as :3:. A double
colon (::) can be used once per address to replace multiple fields of zeros. For
example, 3afa:0:0:0:200:2535:e8ef:91cf can be written as:
3afa::200:2535:e8ef:91cf
- DNS Server
- The IP addresses of any Domain Name System (DNS) server, separated by commas. DNS addresses are
only needed if you specify a symbolic domain name instead of a numeric IP address for one or more of
the following:
- Primary Server URL on the Add External policy page
- Encryption key server address
- SNMP server address
- Security server address
If this field is left blank, the DNS server address will be
populated by DHCP.
- The address values can be in IPv4 or IPv6 format. A maximum of two DNS
servers can be added. Any spaces entered in this field are removed.
- To submit changes, click the Submit button. If your changes apply to the
accessing cluster, a warning message is displayed indicating current user access will be
interrupted. To accept changes to the accessing cluster, click OK. To reject
changes to the accessing cluster and return to the IP Addresses tab, click
Cancel.
- To reject the changes made to the IP Addresses fields and reinstate the
last submitted values, select the Reset button. You can also refresh the page
to reinstate the last submitted values for each field.
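The field rules on the IP Addresses tab can be checked before values are submitted. The following Python sketch is an added example, not IBM code; the dictionary keys and function names are hypothetical, and the contiguous-mask check is an added assumption beyond what the page states.

```python
import ipaddress

def valid_mask(mask):
    """True if mask is a contiguous IPv4 subnet mask such as 255.255.255.0."""
    try:
        inverted = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    except ValueError:
        return False
    # A contiguous mask inverts to 0...01...1, so adding 1 clears every set bit.
    return inverted & (inverted + 1) == 0

def check_ipv4(form):
    """Return problems for the IPv4 fields (dict keys are hypothetical names)."""
    problems = []
    # Gateway is not in this list: the page does not mark it as required.
    for field in ("cluster_ip", "primary", "secondary", "subnet_mask"):
        value = form.get(field, "").strip()
        if not value:
            problems.append(f"{field}: cannot be blank when IPv4 is enabled")
        elif field == "subnet_mask":
            if not valid_mask(value):
                problems.append(f"{field}: not a contiguous subnet mask")
        else:
            try:
                ipaddress.IPv4Address(value)
            except ValueError:
                problems.append(f"{field}: not a valid IPv4 address")
    return problems

def check_ipv6(address, prefix_length):
    """Return the compressed form of address; reject a prefix outside 1-128."""
    if not 1 <= int(prefix_length) <= 128:
        raise ValueError("prefix length must be an integer between 1 and 128")
    return ipaddress.IPv6Address(address).compressed

def parse_dns_field(raw):
    """Spaces are removed, entries are comma separated, at most two, IPv4 or IPv6."""
    entries = [e for e in raw.replace(" ", "").split(",") if e]
    if len(entries) > 2:
        raise ValueError("a maximum of two DNS servers can be added")
    # A blank field yields an empty list (the address is then populated by DHCP).
    return [str(ipaddress.ip_address(e)) for e in entries]
```
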
- Encrypt Grid Communication
- Use this tab to encrypt grid communication between specific clusters.
Important: Enabling grid encryption can affect the performance of the TS7700. System performance can be
reduced significantly when grid encryption is enabled.
Note: TCP/IP ports 500 and 8500 must be open when grid communication is encrypted.
Fields on this tab include:
- Password
- This password is used as an encryption key to protect grid communication. This value has a 255
ASCII character limit and is required.
- Cluster communication paths
- Check the box next to each cluster communication path to be encrypted.
Note: You can only select
a communication path between two clusters if both clusters meet all the following conditions:
- Are online
- Operate at microcode level 8.30.0.x or later
- Operate using IPv6-capable servers (3957-V07/VEB)
- To submit changes, click the Submit button.
- IPSec
- IP Security. Use this tab to:
- Enable or disable IP Security for defined connections
- Activate or deactivate a defined connection
- Add, modify, or delete a specific connection subject to IP Security
You can enable IP Security for any customer network or grid connection.
- Enable/Disable
- Use this toggle button to enable or disable IP Security on the connections defined by the
Connections table.
- Connections
- To activate an existing connection, in the Connections table select the radio button next
to the name of the connection you want to activate and select the Activate button. To
deactivate an existing connection, select the radio button next to the name of that connection and
select the Deactivate button.
- Use the Add, Modify, and Delete buttons on the Connections table to
make changes to the list of connections subject to IP Security.
- The Connections table displays each defined connection that can be made subject to IP
Security. Information displayed includes:
- Name
- A 16-character Unicode value that uniquely identifies the connection. This field cannot be
blank.
- Active
- Whether the connection is active. Possible values are Yes and No.
- Local Address
- The local address for the connection, used to address each service. This address can be in IPv4
or IPv6 format. This field cannot be blank.
- All traffic directed to this address is authenticated and/or encrypted between this address and
the remote address.
- Remote Address
- The remote address for the connection. This address can be in IPv4 or IPv6 format. This field
cannot be blank.
- Tunnel
- This check box toggles the encryption of data sent. If this box is checked, a host-to-gateway
connection is established and the entire packet is encrypted. If this box is not checked, a
host-to-host connection is established and only the payload is encrypted. This box is unchecked by
default. If this box is checked, the following additional fields are shown:
- Remote Network
- The address for the remote network that will be accessed by the tunnel connection. This value
can be in IPv4 or IPv6 format.
- Remote Network Subnet
- A subnet mask or range of addresses for the remote network to be accessed by the tunnel
connection. This range of addresses is encoded if the remote address is a router.
- Key
- The encryption key used. This value can be a preshared key or a certificate from the SSL key
store. Select the radio button for the key type to be used and complete any additional required
fields.
- Preshared Key
- Select this radio button to use a preshared encryption key. In the adjacent field, enter the key
as a hexadecimal or ASCII value with a maximum length not to exceed 256 characters.
- Certificate
- Select this radio button to use an SSL key store certificate as an encryption key. If this option
is selected, the certificate is copied to the AIX key store.
You must also select a valid key from the list of key Aliases on this page.
- Encryption Algorithm
- Used to encrypt traffic. Possible values are:
- None
- No encryption algorithm is used.
- ESP 3 DES (this is the default value)
- Encapsulating Security Payload Triple Data Encryption Algorithm
- ESP AES 128
- Encapsulating Security Payload Advanced Encryption Standard. Symmetric-key encryption with
128-bit block size and a key size of 128 bits.
- ESP AES 192
- Encapsulating Security Payload Advanced Encryption Standard. Symmetric-key encryption with
128-bit block size and a key size of 192 bits.
- ESP AES 256
- Encapsulating Security Payload Advanced Encryption Standard. Symmetric-key encryption with
128-bit block size and a key size of 256 bits.
- ESP AES 128 GCM 16
- Encapsulating Security Payload Advanced Encryption Standard, Galois/Counter Mode. Symmetric-key
encryption with 128-bit block size, a key size of 128 bits, and a 16-byte tag.
- ESP AES 192 GCM 16
- Encapsulating Security Payload Advanced Encryption Standard, Galois/Counter Mode. Symmetric-key
encryption with 128-bit block size, a key size of 192 bits, and a 16-byte tag.
- ESP AES 256 GCM 16
- Encapsulating Security Payload Advanced Encryption Standard, Galois/Counter Mode. Symmetric-key
encryption with 128-bit block size, a key size of 256 bits, and a 16-byte tag.
- ESP AES 128 GMAC
- Encapsulating Security Payload Advanced Encryption Standard, Galois Message Authentication Code.
Symmetric-key encryption with 128-bit block size and a key size of 128 bits, where Galois/Counter
Mode (GCM) input is restricted to unencrypted data.
- ESP AES 192 GMAC
- Encapsulating Security Payload Advanced Encryption Standard, Galois Message Authentication Code.
Symmetric-key encryption with 128-bit block size and a key size of 192 bits, where GCM input is
restricted to unencrypted data.
- ESP AES 256 GMAC
- Encapsulating Security Payload Advanced Encryption Standard, Galois Message Authentication Code.
Symmetric-key encryption with 128-bit block size and a key size of 256 bits, where GCM input is
restricted to unencrypted data.
- Authentication Algorithm
- Used to authenticate traffic. Possible values are:
- None
- No authentication algorithm is used.
- HMAC-SHA
- Hash-based Message Authentication Code, Secure Hash Algorithm. This is the default value.
- CMAC-SHA
- Cipher-based Message Authentication Code, Secure Hash Algorithm.
- CMAC-AES-XCB
- Cipher-based Message Authentication Code, Advanced Encryption Standard, Extended Codebook.
- HMAC-MD5
- Hash-based Message Authentication Code, MD5 Message-Digest Algorithm.
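The algorithm values listed for the IPSec tab differ in what they protect, so a review of defined connections is worth automating. The following Python sketch is an added example, not IBM code: it takes connection settings as dictionaries with hypothetical key names, uses the value labels from this page, and flags the default ESP 3 DES setting because 3DES is a deprecated cipher.

```python
def review_connection(conn):
    """Return findings for one IPSec connection (dict keys are hypothetical names)."""
    findings = []
    enc, auth = conn["encryption"], conn["authentication"]
    if enc == "None":
        findings.append("encryption None: traffic is not encrypted")
    elif enc == "ESP 3 DES":
        findings.append("ESP 3 DES is the default: 3DES is deprecated, select an ESP AES value")
    elif enc.endswith("GMAC"):
        findings.append(f"{enc}: authentication only, payload stays unencrypted")
    # GCM and GMAC carry their own authentication tag; the other values do not.
    has_tag = "GCM" in enc or "GMAC" in enc
    if auth == "None" and not has_tag:
        findings.append("authentication None: traffic is not authenticated")
    elif auth == "HMAC-MD5":
        findings.append("HMAC-MD5: MD5-based MAC, a legacy choice")
    psk = conn.get("preshared_key")
    if psk is not None and len(psk) > 256:
        findings.append("preshared key exceeds the 256-character field limit")
    return findings

def audit(connections):
    """Map connection name -> findings, keeping only connections with findings."""
    report = {}
    for conn in connections:
        findings = review_connection(conn)
        if findings:
            report[conn["name"]] = findings
    return report

# Constructed sample connections, not taken from a real system.
SAMPLE = [
    {"name": "defaults", "encryption": "ESP 3 DES", "authentication": "HMAC-SHA"},
    {"name": "gmac-only", "encryption": "ESP AES 256 GMAC", "authentication": "None"},
    {"name": "cleartext", "encryption": "None", "authentication": "None"},
    {"name": "gcm", "encryption": "ESP AES 256 GCM 16", "authentication": "None"},
    {"name": "md5", "encryption": "ESP AES 128", "authentication": "HMAC-MD5"},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings)
```
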