Cluster network settings

Use this page to set or modify IP addresses for the selected IBM® TS7700 Cluster.

You can back up these settings as part of the ts7700_cluster<cluster ID>.xmi file and restore them later, or use them with another cluster.

IP Addresses
Use this tab to set or modify the management interface IP addresses for the selected cluster. Each cluster is associated with two routers or switches. Each router or switch is assigned an IP address and one virtual IP address is shared between routers or switches.
Note: Any modifications to IP addresses on the accessing cluster interrupt access to that cluster for all current users. If accessing cluster IP addresses are modified, current users are redirected to the new virtual address.
Fields on this tab include:
IPv4
Select this radio button if the cluster can be accessed by an IPv4 address. If this option is disabled, all incoming IPv4 traffic is blocked, although loopback traffic is still permitted.
Note: If this option is enabled, you must specify the following addresses:
<Cluster Name> IP Address
An AIX® virtual IPv4 address that receives traffic on both customer networks. This field cannot be blank if IPv4 is enabled.
Primary Address
The IPv4 address for the primary customer network. This field cannot be blank if IPv4 is enabled.
Secondary Address
The IPv4 address for the secondary customer network. This field cannot be blank if IPv4 is enabled.
Subnet Mask
The IPv4 subnet mask used to determine the addresses present on the local network. This field cannot be blank if IPv4 is enabled.
Gateway
The IPv4 address used to access machines outside the local network.
A valid IPv4 address is 32 bits long and consists of four decimal numbers, each ranging from 0 to 255, separated by periods, for example:
98.104.120.12
IPv6
Select this radio button if the cluster can be accessed by an IPv6 address. If this option is disabled, all incoming IPv6 traffic is blocked, although loopback traffic is still permitted. If you enable this option and do not designate any additional IPv6 information, the minimum required local addresses for each customer network interface are automatically enabled and configured using neighbor discovery.
Note: If this option is enabled, you can specify the following addresses:
Primary Address
The IPv6 address for the primary network. This field cannot be blank if IPv6 is enabled.
Secondary Address
The IPv6 address for the secondary network. This field cannot be blank if IPv6 is enabled.
Prefix Length
The IPv6 prefix length used to determine the addresses present on the local network. The value in this field is an integer between 1 and 128. This field cannot be blank if IPv6 is enabled.
Gateway
The IPv6 address used to access machines outside the local network.
A valid IPv6 address is a 128-bit hexadecimal value separated into eight 16-bit fields by colons, for example:
3afa:1910:2535:3:110:e8ef:ef41:91cf
Leading zeros can be omitted in each field, so that :0003: can be written as :3:. A double colon (::) can be used once per address to replace multiple fields of zeros. For example,
3afa:0:0:0:200:2535:e8ef:91cf
can be written as:
3afa::200:2535:e8ef:91cf
DNS Server
The IP addresses of any Domain Name System (DNS) servers, separated by commas. DNS addresses are only needed if you specify a symbolic domain name instead of a numeric IP address for one or more of the following:
  • Primary Server URL on the Add External policy page
  • Encryption key server address
  • SNMP server address
  • Security server address
If this field is left blank, the DNS server address will be populated by DHCP.
The address values can be in IPv4 or IPv6 format. A maximum of two DNS servers can be added. Any spaces entered in this field are removed.
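The address rules stated above (dotted-decimal IPv4 with octets 0 to 255, an IPv4 subnet mask, IPv6 with omitted leading zeros and a single "::", a prefix length of 1 to 128, and the comma-separated DNS Server field with spaces removed and at most two entries) are easy to get subtly wrong in tooling that prepares or audits these settings. The following is an added example, not TS7700 code and not part of the original page: it implements those rules by hand so each check is visible, and it goes slightly beyond the page by rejecting IPv4 octets with leading zeros (which some parsers read as octal) and by verifying that an IPv4 subnet mask is contiguous. The function names and the sample addresses (documentation ranges 192.0.2.0/24 and 2001:db8::/32) are constructed for the example.

```python
"""Added example (not TS7700 code): validate the address formats the page
describes, using the page's own rules rather than a library parser."""
import re

HEX_FIELD = re.compile(r"[0-9A-Fa-f]{1,4}")
# No leading zeros: "010" is read as octal by some parsers, so it is rejected outright.
DEC_OCTET = re.compile(r"0|[1-9][0-9]{0,2}")


def parse_ipv4(text: str):
    """Return the four octets as ints, or None if not dotted decimal with octets 0-255."""
    parts = text.split(".")
    if len(parts) != 4 or not all(DEC_OCTET.fullmatch(p) for p in parts):
        return None
    octets = [int(p) for p in parts]
    return octets if all(o <= 255 for o in octets) else None


def is_contiguous_mask(mask: str) -> bool:
    """An IPv4 subnet mask must be a run of 1 bits followed by a run of 0 bits."""
    octets = parse_ipv4(mask)
    if octets is None:
        return False
    value = int.from_bytes(bytes(octets), "big")
    inverted = ~value & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0  # the inverse of a contiguous mask is 2**k - 1


def expand_ipv6(text: str):
    """Return the eight 16-bit fields as ints, honouring omitted leading zeros and a
    single '::' run, or None if the text is not a valid IPv6 address."""
    if text.count("::") > 1 or ":::" in text:
        return None
    if "::" in text:
        head, tail = text.split("::")
        head_fields = head.split(":") if head else []
        tail_fields = tail.split(":") if tail else []
        missing = 8 - len(head_fields) - len(tail_fields)
        if missing < 1:  # '::' must stand for at least one zero field
            return None
        fields = head_fields + ["0"] * missing + tail_fields
    else:
        fields = text.split(":")
    if len(fields) != 8 or not all(HEX_FIELD.fullmatch(f) for f in fields):
        return None
    return [int(f, 16) for f in fields]


def canonical_ipv6(text: str):
    """Write the address with all eight fields, leading zeros omitted and no '::'."""
    fields = expand_ipv6(text)
    return None if fields is None else ":".join(f"{f:x}" for f in fields)


def is_valid_prefix_length(text: str) -> bool:
    """IPv6 Prefix Length: an integer from 1 to 128."""
    return text.isascii() and text.isdigit() and 1 <= int(text) <= 128


def validate_dns_servers(field: str):
    """DNS Server field: spaces removed, comma separated, at most two IPv4/IPv6 addresses.
    Returns (addresses, errors); a blank field is allowed (DHCP supplies the address)."""
    cleaned = field.replace(" ", "")
    if not cleaned:
        return [], []
    entries = cleaned.split(",")
    errors = []
    if len(entries) > 2:
        errors.append("at most two DNS servers may be listed")
    for entry in entries:
        if parse_ipv4(entry) is None and expand_ipv6(entry) is None:
            errors.append(f"not an IPv4 or IPv6 address: {entry!r}")
    return entries, errors


if __name__ == "__main__":
    # Constructed sample values; the IPv6 ones are the page's own examples.
    print(parse_ipv4("98.104.120.12"), is_contiguous_mask("255.255.255.0"))
    print(canonical_ipv6("3afa::200:2535:e8ef:91cf"))
    print(validate_dns_servers("192.0.2.53, 2001:db8::53"))
```

Because the page says the DNS Server field takes IP addresses, a symbolic name in that field is reported as an error rather than resolved.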
To submit changes click the Submit button. If your changes apply to the accessing cluster, a warning message is displayed indicating current user access will be interrupted. To accept changes to the accessing cluster, click OK. To reject changes to the accessing cluster and return to the IP Addresses tab, click Cancel.
To reject the changes made to the IP Addresses fields and reinstate the last submitted values, select the Reset button. You can also refresh the page to reinstate the last submitted values for each field.
Encrypt Grid Communication
Use this tab to encrypt grid communication between specific clusters.
Important: Enabling grid encryption can affect the performance of the TS7700. System performance can be reduced significantly when grid encryption is enabled.
Note: TCP/IP ports 500 and 8500 must be open when grid communication is encrypted.
Fields on this tab include:
Password
This password is used as an encryption key to protect grid communication. This value has a 255 ASCII character limit and is required.
Cluster communication paths
Check the box next to each cluster communication path to be encrypted.
Note: You can only select a communication path between two clusters if both clusters meet all the following conditions:
  • Are online
  • Operate at microcode level 8.30.0.x or later
  • Operate using IPv6-capable servers (3957-V07/VEB)
To submit changes click the Submit button.
IPSec
IP Security. Use this tab to:
  • Enable or disable IP Security for defined connections
  • Activate or deactivate a defined connection
  • Add, modify, or delete a specific connection subject to IP Security
You can enable IP Security for any customer network or grid connection.
Enable/Disable
Use this toggle button to enable or disable IP Security on the connections defined by the Connections table.
Connections
To activate an existing connection, in the Connections table select the radio button next to the name of the connection you want to activate and select the Activate button. To deactivate an existing connection, select the radio button next to the name of that connection and select the Deactivate button.
Use the Add, Modify, and Delete buttons on the Connections table to make changes to the list of connections subject to IP Security.
The Connections table displays each defined connection that can be made subject to IP Security. Information displayed includes:
Name
A 16-character Unicode value that uniquely identifies the connection. This field cannot be blank.
Active
Whether the connection is active. Possible values are Yes and No.
Local Address
The local address for the connection, used to address each service. This address can be in IPv4 or IPv6 format. This field cannot be blank.
All traffic directed to this address is authenticated and/or encrypted between this address and the remote address.
Remote Address
The remote address for the connection. This address can be in IPv4 or IPv6 format. This field cannot be blank.
Tunnel
This check box controls how the sent data is encrypted. If this box is checked, a host-to-gateway connection is established and the entire packet is encrypted. If this box is not checked, a host-to-host connection is established and only the payload is encrypted. This box is unchecked by default. If this box is checked, the following additional fields are shown:
Remote Network
The address for the remote network that will be accessed by the tunnel connection. This value can be in IPv4 or IPv6 format.
Remote Network Subnet
A subnet mask or range of addresses for the remote network to be accessed by the tunnel connection. This range of addresses is encoded if the remote address is a router.
Key
The encryption key used. This value can be a preshared key or a certificate from the SSL key store. Select the radio button for the key type to be used and complete any additional required fields.
Preshared Key
Select this radio button to use a preshared encryption key. In the adjacent field, enter the key as a hexadecimal or ASCII value with a maximum length not to exceed 256 characters.
Certificate
Select this radio button to use an SSL key store certificate as an encryption key. If this option is selected, the certificate is copied to the AIX key store. You must also select a valid key from the list of key Aliases on this page.
Encryption Algorithm
Used to encrypt traffic. Possible values are:
None
No encryption algorithm is used.
ESP 3 DES (this is the default value)
Encapsulating Security Payload Triple Data Encryption Algorithm
ESP AES 128
Encapsulating Security Payload Advanced Encryption Standard. Symmetric-key encryption with 128-bit block size and a key size of 128 bits.
ESP AES 192
Encapsulating Security Payload Advanced Encryption Standard. Symmetric-key encryption with 128-bit block size and a key size of 192 bits.
ESP AES 256
Encapsulating Security Payload Advanced Encryption Standard. Symmetric-key encryption with 128-bit block size and a key size of 256 bits.
ESP AES 128 GCM 16
Encapsulating Security Payload Advanced Encryption Standard, Galois/Counter Mode. Symmetric-key encryption with 128-bit block size, a key size of 128 bits, and a 16-byte tag.
ESP AES 192 GCM 16
Encapsulating Security Payload Advanced Encryption Standard, Galois/Counter Mode. Symmetric-key encryption with 128-bit block size, a key size of 192 bits, and a 16-byte tag.
ESP AES 256 GCM 16
Encapsulating Security Payload Advanced Encryption Standard, Galois/Counter Mode. Symmetric-key encryption with 128-bit block size, a key size of 256 bits, and a 16-byte tag.
ESP AES 128 GMAC
Encapsulating Security Payload Advanced Encryption Standard, Galois Message Authentication Code. Symmetric-key encryption with 128-bit block size and a key size of 128 bits, where Galois/Counter Mode (GCM) input is restricted to unencrypted data.
ESP AES 192 GMAC
Encapsulating Security Payload Advanced Encryption Standard, Galois Message Authentication Code. Symmetric-key encryption with 128-bit block size and a key size of 192 bits, where GCM input is restricted to unencrypted data.
ESP AES 256 GMAC
Encapsulating Security Payload Advanced Encryption Standard, Galois Message Authentication Code. Symmetric-key encryption with 128-bit block size and a key size of 256 bits, where GCM input is restricted to unencrypted data.
Authentication Algorithm
Used to authenticate traffic. Possible values are:
None
No authentication algorithm is used.
HMAC-SHA
Hash-based Message Authentication Code, Secure Hash Algorithm. This is the default value.
CMAC-SHA
Cipher-based Message Authentication Code, Secure Hash Algorithm.
CMAC-AES-XCB
Cipher-based Message Authentication Code, Advanced Encryption Standard, Extended Codebook.
HMAC-MD5
Hash-based Message Authentication Code, MD5 Message-Digest Algorithm.
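The Connections table fields and the two algorithm lists above leave room for combinations that pass the form but protect less than they appear to: GMAC modes authenticate only, "None" for both algorithms leaves traffic unprotected, and an encryption algorithm with no authentication leaves the ciphertext unauthenticated. The following is an added example, not TS7700 code and not part of the original page: it checks one connection definition against the field rules stated above (name length, address format, tunnel fields, key type and length, allowed algorithm names) and then reports which of confidentiality and integrity the chosen pair actually provides. The dataclass, function names and sample addresses are constructed for the example; the algorithm names are taken verbatim from the lists above, and the RFC 8221 status notes are added context.

```python
"""Added example (not TS7700 code): check an IPSec connection definition against the
field rules on this page and report what the chosen ESP algorithm pair protects."""
import ipaddress
from dataclasses import dataclass

# Values exactly as the Encryption Algorithm and Authentication Algorithm lists name them.
ENCRYPTION_ALGORITHMS = {
    "None", "ESP 3 DES", "ESP AES 128", "ESP AES 192", "ESP AES 256",
    "ESP AES 128 GCM 16", "ESP AES 192 GCM 16", "ESP AES 256 GCM 16",
    "ESP AES 128 GMAC", "ESP AES 192 GMAC", "ESP AES 256 GMAC",
}
AUTHENTICATION_ALGORITHMS = {"None", "HMAC-SHA", "CMAC-SHA", "CMAC-AES-XCB", "HMAC-MD5"}


@dataclass
class Connection:
    """One row of the Connections table; field names follow the page."""
    name: str
    local_address: str
    remote_address: str
    tunnel: bool = False
    remote_network: str = ""          # only used when tunnel is True
    remote_network_subnet: str = ""   # mask such as 255.255.255.0, or a prefix length such as 64
    key_type: str = "Preshared Key"   # or "Certificate"
    preshared_key: str = ""
    certificate_alias: str = ""
    encryption: str = "ESP 3 DES"     # page default
    authentication: str = "HMAC-SHA"  # page default


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def validate(conn: Connection) -> list:
    """Return a list of field errors (empty when the definition is acceptable)."""
    errors = []
    if not 1 <= len(conn.name) <= 16:
        errors.append("Name must be 1 to 16 characters")
    if not _is_ip(conn.local_address):
        errors.append("Local Address is not a valid IPv4 or IPv6 address")
    if not _is_ip(conn.remote_address):
        errors.append("Remote Address is not a valid IPv4 or IPv6 address")
    if conn.tunnel:
        # Host-to-gateway: the remote network plus its mask/prefix must describe a network.
        try:
            ipaddress.ip_network(f"{conn.remote_network}/{conn.remote_network_subnet}", strict=False)
        except ValueError:
            errors.append("Tunnel requires a valid Remote Network and Remote Network Subnet")
    if conn.key_type == "Preshared Key":
        key = conn.preshared_key
        if not key or len(key) > 256 or not key.isascii():
            errors.append("Preshared Key must be 1 to 256 hexadecimal or ASCII characters")
    elif conn.key_type == "Certificate":
        if not conn.certificate_alias:
            errors.append("Certificate requires a key alias from the SSL key store")
    else:
        errors.append("Key must be Preshared Key or Certificate")
    if conn.encryption not in ENCRYPTION_ALGORITHMS:
        errors.append(f"Unknown Encryption Algorithm: {conn.encryption}")
    if conn.authentication not in AUTHENTICATION_ALGORITHMS:
        errors.append(f"Unknown Authentication Algorithm: {conn.authentication}")
    return errors


def protection(conn: Connection) -> dict:
    """Work out what the algorithm pair gives: confidentiality, integrity, and caveats."""
    enc, auth = conn.encryption, conn.authentication
    aead = "GCM" in enc   # GCM modes encrypt and carry their own 16-byte tag
    gmac = "GMAC" in enc  # GMAC authenticates only; the payload is sent unencrypted
    confidentiality = enc != "None" and not gmac
    integrity = auth != "None" or aead or gmac
    warnings = []
    if not confidentiality and not integrity:
        warnings.append("no protection: payload is neither encrypted nor authenticated")
    elif confidentiality and not integrity:
        warnings.append("encryption without integrity: modified ciphertext is not detected")
    if enc == "ESP 3 DES":
        warnings.append("3DES is a legacy cipher (RFC 8221: SHOULD NOT); prefer an AES mode")
    if auth == "HMAC-MD5":
        warnings.append("HMAC-MD5 is deprecated for ESP (RFC 8221: MUST NOT); prefer HMAC-SHA")
    if (aead or gmac) and auth != "None":
        warnings.append("GCM/GMAC already authenticates; the separate authentication algorithm is redundant")
    return {"confidentiality": confidentiality, "integrity": integrity, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample using documentation address ranges.
    conn = Connection(name="grid-to-site-b", local_address="192.0.2.10", remote_address="198.51.100.1",
                      tunnel=True, remote_network="198.51.100.0", remote_network_subnet="255.255.255.0",
                      preshared_key="0f1e2d3c4b5a6978", encryption="ESP AES 256 GCM 16",
                      authentication="None")
    print(validate(conn), protection(conn))
```

Running the page's defaults (ESP 3 DES with HMAC-SHA) through protection() reports both properties present but flags the cipher as legacy, which is the kind of check worth running before the Submit button rather than after.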