Configuring SME Tapes
This chapter contains information about managing tapes that are encrypted using SME.
This chapter includes the following topics:
•Information About SME Tape Management
•Configuring SME Tape Management Using the CLI
•Verifying SME Tape Management Configuration
•Monitoring SME Tape Management
•Feature History for SME Tape Management
Information About SME Tape Management
Once provisioned, SME provides transparency to hosts and targets. To manage the paths from a hosts to tape devices, SME uses the following:
•Tape group—A backup environment in the SAN. This consists of all the tape backup servers and the tape libraries that they access.
•Tape device—A tape drive that is configured for encryption.
•Tape volume—A physical tape cartridge identified by a barcode for a given use.
•Tape volume group—A logical set of tape volumes configured for a specific purpose. Using SME, a tape volume group can be configured using a barcode range or a specified regular expression. In an auto-volume group, a tape volume group can be the volume pool name configured at the backup application.
SME provides the capability to export a volume group with an encryption password. This file could later be imported to a volume group. Also, volume group filtering options provide mechanisms to specify what type of information will be included in a specific volume group. For example, you could filter information in a volume group by specifying a barcode range.
Figure 5-1 shows the SME tape backup environment.
Figure 5-1 SME Tape Backup Environment and Configuration
The following concepts are used in tape management procedures:
•Key management settings
•Auto-volume group
•Key-on-Tape
•Compression
•Configuring volume groups
Note If data is written to a partially non-SME encrypted tape, it is left in clear text. When a tape is recycled or relabeled, the tape will be encrypted by SME.
Configuring SME Tape Management Using the CLI
This section includes the following topics:
•Enabling and Disabling Tape Compression
•Enabling and Disabling Key-on-Tape
•Configuring a Tape Volume Group
•Enabling and Disabling Automatic Volume Groups
•Adding a Tape Device to the Tape Group
•Adding Paths to the Tape Device
Enabling and Disabling Tape Compression
Detailed Steps
To enable tape compression, follow these steps:
|
|
|
Step 1 |
switch# config t |
Enters configuration mode. |
Step 2 |
switch(config)# sme cluster clustername1 switch(config-sme-cl)# |
Specifies the cluster and enters SME cluster configuration submode. |
Step 3 |
switch(config-sme-cl)# tape-compression switch(config-sme-cl)# |
Enables tape compression. |
Step 4 |
switch(config-sme-cl)# no tape-compression switch(config-sme-cl)# |
Disables tape compression. |
Enabling and Disabling Key-on-Tape
SME provides the option to store the encrypted security keys on the backup tapes.
Detailed Steps
To enable the key-on-tape feature, follow these steps:
|
|
|
Step 1 |
switch# config t |
Enters configuration mode. |
Step 2 |
switch(config)# sme cluster clustername1 switch(config-sme-cl)# |
Specifies the cluster and enters SME cluster configuration submode. |
Step 3 |
switch(config-sme-cl)# key-ontape switch(config-sme-cl)# |
Enables the key-on-tape feature. |
Step 4 |
switch(config-sme-cl)# no key-ontape switch(config-sme-cl)# |
Disables key-on-tape feature. |
Configuring a Tape Volume Group
A tape volume group is a group of tapes that are categorized usually by function. For example, HR1 could be the designated tape volume group for all Human Resource backup tapes; EM1 could be the designated tape volume group for all e-mail backup tapes.
Adding tape groups allows you to select the VSANs, hosts, storage devices, and paths that SME will use for encrypted data. For example, adding a tape group for HR data sets the mapping for SME to transfer data from the HR hosts to the dedicated HR backup tapes.
Detailed Steps
To configure a tape volume group, follow these steps:
|
|
|
Step 1 |
switch# config t |
Enters configuration mode. |
Step 2 |
switch(config)# sme cluster clustername1 switch(config-sme-cl)# |
Specifies the cluster and enters SME cluster configuration submode. |
Step 3 |
switch(config-sme-cl)# tape-bkgrp groupname1 switch(config-sme-cl-tape-bkgrp)# |
Specifies the tape volume group and enters the SME tape volume group submode. |
Step 4 |
switch(config-sme-cl-tape-bkgrp)# tape-device devicename1 switch(config-sme-cl-tape-bkgrp-tapedevice)# |
Specifies the tape device name and enters the SME tape device submode. |
Step 5 |
switch(config-sme-cl-tape-bkgrp-tapedevice)# tape-device devicename1 D switch(config-sme-cl-tape-bkgrp-tapedevice)# |
Specifies the tape cartridge identifier. |
Step 6 |
switch(config-sme-cl-tape-bkgrp-tapedevice)# host 10:00:00:00:c9:4e:19:ed target 2f:ff:00:06:2b:10:c2:e2 vsan 4093 lun 0 fabric f1 switch(config-sme-cl-tape-bkgrp-tapedevice)# |
Specifies the host and target, the VSAN, LUN and the fabric (f1) for the tape volume group. |
Step 7 |
switch(config-sme-cl-tape-bkgrp-tapedevice)# enable |
Enables the tape device. |
Enabling and Disabling Automatic Volume Groups
When SME recognizes that a tape barcode does not belong to an exiting volume group, then SME creates a new volume group when automatic volume grouping is enabled.
Automatic volume grouping is disabled by default.
Detailed Steps
To enable or disable automatic volume grouping, follow these steps:
|
|
|
Step 1 |
switch# config t |
Enters configuration mode. |
Step 2 |
switch(config)# sme cluster clustername1 switch(config-sme-cl)# |
Specifies the cluster and enters SME cluster configuration submode. |
Step 3 |
switch(config-sme-cl)# auto-volgrp switch(config-sme-cl)# |
Specifies automatic volume grouping. |
Step 4 |
switch(config-sme-cl)# no auto-volgrp switch(config-sme-cl)# |
Specifies no automatic volume grouping. |
Adding a Tape Device to the Tape Group
A tape device is specified as part of a tape group and is identified using a name as an alias.
Detailed Steps
To add a tape device to the tape group, follow these steps:
|
|
|
Step 1 |
switch# config t |
Enters configuration mode. |
Step 2 |
switch(config)# sme cluster clustername1 switch(config-sme-cl)# |
Specifies the cluster and enters SME cluster configuration submode. |
Step 3 |
switch(config-sme-cl)# tape-bkgrp groupname1 switch(config-sme-cl-tape-bkgrp)# |
Specifies the tape volume group and enters the SME tape volume group submode. |
Step 4 |
switch(config-sme-cl-tape-bkgrp)# tape-device devicename1 switch(config-sme-cl-tape-bkgrp-tape device)# |
Specifies the tape device name and enters the SME tape device submode. |
Step 5 |
switch(config-sme-cl-tape-bkgrp-tape device)# tape-device devicename1 D switch(config-sme-cl-tape-bkgrp-tape device)# |
Specifies the tape cartridge identifier. |
Adding Paths to the Tape Device
Caution
All IT-nexuses that host paths between the server and storage must be added to the configuration or else the data integrity is at risk.
A tape device is specified as part of a tape group and is identified using a name as an alias. All the paths to the tape device in the cluster must be specified using the host, target, LUN, VSAN, and fabric.
Detailed Steps
To add a path to a tape device in the cluster, follow these steps:
|
|
|
Step 1 |
switch# config t |
Enters configuration mode. |
Step 2 |
switch(config)# sme cluster clustername1 switch(config-sme-cl)# |
Specifies the cluster and enters SME cluster configuration submode. |
Step 3 |
switch(config-sme-cl)# tape-bkgrp groupname1 switch(config-sme-cl-tape-bkgrp)# |
Specifies the tape volume group and enters the SME tape volume group submode. |
Step 4 |
switch(config-sme-cl-tape-bkgrp)# tape-device devicename1 switch(config-sme-cl-tape-bkgrp-tape device)# |
Specifies the tape device name and enters the SME tape device submode. |
Step 5 |
switch(config-sme-cl-tape-bkgrp-tape device)# tape-device devicename1 D switch(config-sme-cl-tape-bkgrp-tape device)# |
Specifies the tape cartridge identifier. |
Step 6 |
switch(config-sme-cl-tape-bkgrp-tape device)# host 10:00:00:00:c9:4e:19:ed target 2f:ff:00:06:2b:10:c2:e2 vsan 4093 lun 0 fabric f1 switch(config-sme-cl-tape-bkgrp-tape device)# |
Specifies the host and target, the VSAN, LUN and the fabric (f1) for the tape volume group. |
Step 7 |
switch(config-sme-cl-tape-bkgrp-tape device)# no host 10:00:00:00:c9:4e:19:ed target 2f:ff:00:06:2b:10:c2:e2 vsan 4093 lun 0 switch(config-sme-cl-tape-bkgrp-tape device)# |
Removes the specified path from the tape device. |
Note If the IT-nexus specified in the path above is not configured in SME, SME will also trigger a discovery of the IT-nexus along with adding the configured path to the specified tape device. In a scripted environment, when adding paths, it is always advisable to give a delay of one minute to allow the IT-nexus discovery to complete.
Bypassing Tape Encryption
You can enable or disable the bypass feature once you create the tape device.
Note By default, bypass encryption is disabled. Writes fails when a clear text tape is loaded.
Detailed Steps
To enable or disable bypass tape encryption, follow these steps:
|
|
|
Step 1 |
switch# config t |
Enters configuration mode. |
Step 2 |
switch(config)# sme cluster clustername1 switch(config-sme-cl)# |
Specifies the cluster and enters SME cluster configuration submode. |
Step 3 |
switch(config-sme-cl)# tape-bkgrp groupname1 switch(config-sme-cl-tape-bkgrp)# |
Specifies the tape volume group and enters the SME tape volume group submode. |
Step 4 |
switch(config-sme-cl-tape-bkgrp)# tape-device tapename1 switch(config-sme-cl-tape-bkgrp tape-device tapename1)# |
Specifies the tape that has clear text data. |
Step 5 |
switch(config-sme-cl-tape-bkgrp-tape device)# no by pass |
Specifies the bypass policy for the tape device, which rejects writes when a clear text tape is used. |
switch(config-sme-cl-tape-bkgrp-tape device)# by pass |
Specifies the bypass policy for the tape device, which allows data to pass in clear text. |
Caution
All IT-nexuses that host paths between the server and storage must be added to the configuration or else the data integrity is at risk.
Verifying SME Tape Management Configuration
To display SME Tape management configuration information, perform one of the following tasks:
|
|
show sme cluster tape |
Displays summary or detailed information about tapes. |
show sme cluster tape detail |
Displays information about tape cartridges. |
show sme cluster tape-bkgrp |
Displays information about all tape volume groups or about a specific group. |
For detailed information about the fields in the output from these commands, refer to the Cisco MDS 9000 Family NX-OS Command Reference.
Monitoring SME Tape Management
This section includes the following topics:
•Viewing Host Details
•Viewing Tape Device Details
•Viewing SME Tape Information Using the CLI
Viewing Host Details
You can view detailed information about hosts in a SME cluster. Information for a specific host includes the tape group membership, paths from the host to the target, VSAN, fabric, status, and the tape device.
Viewing Tape Device Details
You can view detailed information about tape devices in a SME cluster. Information for a specific tape device includes the tape group membership, device description, serial number, and the host and target PWWN.
Viewing SME Tape Information Using the CLI
Use the show sme cluster tape command to view summary or detailed information about tapes.
switch# show sme cluster clustername1 tape summary
-------------------------------------------------------------------------------
Host WWN Description Crypto-Tape Status
-------------------------------------------------------------------------------
10:00:00:00:c9:4e:19:ed HP Ultrium 2-SCSI HR1 online
Viewing Tape Cartridge Information
Use the show sme cluster tape detail to view information about tape cartridges.
switch# show sme cluster clustername1 tape detail
Serial Number is 2b10c2e22f
Host 10:00:00:00:c9:4e:19:ed Target 2f:ff:00:06:2b:10:c2:e2 LUN 0x0000
Viewing Tape Volume Group Information
Use the show sme cluster tape-bkgrp command to view information about all tape volume groups or about a specific group.
switch# show sme cluster clustername1 tape-bkgrp
-------------------------------------------------------------------------------
Name Tape Devices Volume Groups
-------------------------------------------------------------------------------
switch# show sme cluster clustername1 tape-bkgrp HR1
Number of tape devices is 1
Number of volume groups is 1
Tape device td1 is online
Description is HP Ultrium 2-SCSI
Serial number is 2b10c2e22f
Host 10:00:00:00:c9:4e:19:ed Target 2f:ff:00:06:2b:10:c2:e2 Lun 0x0000 vsan 4093[f1]
Viewing the Status of the Tape Device
Use the show sme internal info cluster <cname> tape-all command to view tape information.
SWitch# show sme internal info cluster tie1 tape-all
Memory Address : 0x10788854
Tape Key Recycle : Enabled
Shared Key Mode : Disabled
Auto Volume Group : Disabled
Memory Address : 0x107ba054
SME (Encryption) : Enabled
Bypass-Policy : BYPASS DISABLED
FSM State : SME_CTAPE_DEVICE_G_ST_STABLE
LUN FSM State : SME_LUN_ST_STABLE
IT :V 3 I 40:00:00:00:00:00:00:01 T 40:00:00:00:00:00:00:02
Use the sh sme internal info cluster tie1 tape-bkgrp tb2 tape-device td0 to view the information about a particular Tape Device in a particular Tape Backup Group.
Switch# sh sme internal info cluster tie1 tape-bkgrp tb2 tape-device td0
Memory Address : 0x107ba054
SME (Encryption) : Enabled
Bypass-Policy : BYPASS DISABLED
FSM State : SME_CTAPE_DEVICE_G_ST_STABLE
LUN FSM State : SME_LUN_ST_STABLE
IT :V 3 I 40:00:00:00:00:00:00:01 T 40:00:00:00:00:00:00:02
Use the Show Interface smex/y to view statistical information about the SME interface configured for Encryption.
----------------------------------------------------------------------------
Host Reads 0 0 0 0.00 B/s
Host Writes 0 0 0 0.00 B/s
Host Total 0 0 0 0.00 B/s
Tgt Writes 0 0 0 0.00 B/s
Clear IOs IO/s Bytes Rate
----------------------------------------------------------------------------
Host Reads 0 0 0 0.00 B/s
Host Writes 0 0 0 0.00 B/s
Host Total 0 0 0 0.00 B/s
Tgt Writes 0 0 0 0.00 B/s
Clear Luns 1, Encrypted Luns 0
0 CTH, 0 Authentication 0 Compression
0 Key Generation, 0 Incorrect Read Size
0 Overlap Commands, 0 Stale Key Accesses
0 Overload Condition, 0 Incompressible
0 XIPC Task Lookup, 0 Invalid CDB
0 Ili, 0 Eom, 0 Filemark, 0 Other
2 FAILED WRITE Count - BYPASS DISABLED by USER ======> If write fails for clear text
tape
last error at Tue Jun 26 13:39:49 2012
Use the module Commands to view LUN specific information.
show sme internal info crypto-node 1 lun all
module-1# sh sme internal info crypto-node 1 lun all
serial no. 0003-0000-00000000:0000000000000000
Bypass_Policy BYPASS DISABLED
wrap guid 0000000000000000-0000000000000000
media guid 0000000000000000-0000000000000000
Feature History for SME Tape Management
Table 5-1 lists the release history for this feature.
Table 5-1 Feature History for SME Tape Configuration
|
|
|
Added a new SME tape command |
5.2(6) |
Added a new SME tape command. |
Software change |
5.2(1) |
In Release 5.2(1), Fabric Manager is changed to DCNM for SAN (DCNM-SAN). |
4.1(1c) |
In Release 4.1(1b) and later, the MDS SAN-OS software is changed to MDS NX-OS software. The earlier releases are unchanged and all refrerences are retained. |