Fibre Channel (SAN)

Reply
Super Contributor
Posts: 644
Registered: ‎03-01-2007

Access continuity by Hardware Failure.

Hi Expert's

Before i begin, let me say I am not familiar with encryption hardware.

The question is maybe stupid, but what happens with the files in the productive environment by

encrypted hardware failure ?

  • The most important question is:

        What happens with all the file when i decide to complete remove or replace encrypted

hardware/switches with standard SAN Switches?

  • Or, a simple example:

        I have a mixed Fabric contain Standard SAN Switches, additional "ONE" Brocade Encryption

SAN Switch and the encryption SAN Switch Crash/Fail.

        I'll continue to have access to the file when encryption hardware failure?

New Contributor
Posts: 3
Registered: ‎02-22-2010

Re: Access continuity by Hardware Failure.

Hi,

The Brocade encryption switch encrypts block-level data at the LUN on disks or on tape media - i.e. has no knowledge or understanding of content and file-level data. Once you encrypt data on a disk drive using a Brocade encryption switch, you must use a Brocade encryption switch to decrypt the data. If you were to replace the encryption switch with a regular switch then the servers would be reading encrypted data only.

In this case, since you become dependent on the encryption switches to access the data, you would configure these solutions with at least one encryption switch per fabric (in a typical dual fabric configuration) to prevent a loss of availability. For tape implementations where you may only have one fabric, you could use just one encryption switch for this. In the case of a hardware failure in a single fabric configuration, you would need to physicallly replace the failed encryption switch and reconfigure it - which can take time obviously. However, you can optionally implement an HA configuration where you can have two encryption switches in any given fabric configured such that one unit will take over the load of the other in the event of a hardware failure.

By the way, you can use the Brocade encryption switch as a standalone switch with all of the servers and storage devices directly connected to it or, you can simply connect it to an existing fabric using ISLs and the data will be encrypted at the LUN level regardless of where the servers or storage devices are physically connected in the fabric. This is accomplished using the Brocade frame redirection technology introduced back in FOS 5.3.

Roger

New Contributor
Posts: 2
Registered: ‎02-18-2010

Re: Access continuity by Hardware Failure.

Most encryption configurations are typically made of a pair of encryption devices and a pair of key vaults in a Highly-available redundant configuration.

Once you do the initial keying of your data you move to an encrypted world in your SAN where data-at-rest is always encrypted.

If one device fails the failover feature takes over and continues processing.

Careful planning is highly recommended in that you shoulod not deploy encryption in a SAN and then arbitrarily decide to remove it.



Super Contributor
Posts: 644
Registered: ‎03-01-2007

Re: Access continuity by Hardware Failure.

Roger, Jose.

Thanks for the explanation.

Join the Community

Get quick and easy access to valuable resource designed to help you manage your Brocade Network.

vADC is now Pulse Secure
Download FREE NVMe eBook