The Fabric IPsec Gateway feature introduces a Virtual Machine (VM) that supports aggregation of Fabric Extend Tunnels with fragmentation, reassembly, and Internet Protocol Security (IPsec) encryption functions.
The minimum configuration requirements for the Fabric IPsec Gateway VM are as follows:
4 GB Random Access Memory (RAM)
One Virtualization Technology for Directed I/O (VT-d) vport (eth0)
Minimum 10 GB SSD
Note
To use this feature on the applicable models of 5720 Series, you must install an SSD module in the switch
To configure IPsec on a switch through the Fabric IPsec Gateway VM, see Fabric IPsec Gateway Configuration using CLI.
Fabric IPsec Gateway supports the following services through the VM:
IPsec with fragmentation and reassembly - for the VXLAN traffic that needs IPsec, the network routes the packets through the Fabric IPsec Gateway VM that provides IPsec encryption and decryption for VXLAN packets. The system also supports fragmentation and reassembly for IPsec tunnels that you configure on the VM, and a minimum of 1300 bytes of Maximum Transmission Unit (MTU) value. You can configure fragmentation to occur before the packets are encrypted.
Fragmentation and reassembly - the Fabric IPsec Gateway VM performs fragmentation and reassembly for VXLAN and IPsec tunnels, for which the network routes the packets through the VM. The system supports a minimum of 750 bytes of Maximum Transmission Unit (MTU) value.
A device is in IPsec decoupled mode when IPsec and Fabric Extend (FE) termination takes place on two different IP addresses. A device is in IPsec coupled mode when IPsec and Fabric Extend (FE) termination takes place on the same IP address.
5720 Series, 7520 Series, and 7720 Series, which use Fabric IPsec Gateway for Fabric Extend over IPsec, support IPsec in decoupled mode only. You must configure the IPsec tunnel in decoupled mode to enable IPsec termination in the Fabric IPsec Gateway VM. For more information about how to configure IPsec tunnels on the VM, see Configure IPsec Tunnels on Fabric IPsec Gateway VM.