53-1001336-02 23 November 2009 Fabric OS Administrator’s Guide Supporting Fabric OS v6.3.
Copyright © 2007-2009 Brocade Communications Systems, Inc. All Rights Reserved. Brocade, the B-wing symbol, BigIron, DCX, Fabric OS, FastIron, IronPoint, IronShield, IronView, IronWare, JetCore, NetIron, SecureIron, ServerIron, StorageX, and TurboIron are registered trademarks, and DCFM, Extraordinary Networks, and SAN Health are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries.
Title / Publication number / Summary of changes
Fabric OS Administrator’s Guide, 53-1000043-02, June 2006: Removed SilkWorm 4016 and 4020 from supported switches; FCIP chapter updates.
Fabric OS Administrator’s Guide, 53-1000239-01: Revised for Fabric OS v5.2.0 features. Added new hardware platforms: Brocade FC4-48 and FC4-16IP.
Fabric OS Administrator’s Guide, 53-1000448-01, 15 June 2007: Added Fabric OS v5.3.0 features. Added support for new hardware platforms: Brocade 7600, FA4-18, and FC10-6.
Contents
Figures
Tables
About This Document
In this chapter, p. xxxiii
How this document is organized, p. xxxiii
Supported hardware and software, p. xxxiv
What’s new in this document, p. xxxv
Document conventions

Domain IDs, p. 15
Displaying the domain IDs, p. 15
Setting the domain ID, p. 16
Switch names, p. 16
Customizing the switch name, p. 17
Chassis names

Inter-chassis links, p. 38
Supported topologies, p. 39
Gateway links, p. 40
Configuring a link through a gateway, p. 41
Equipment status, p. 41
Checking switch operation

Routing policies, p. 61
Displaying the current routing policy, p. 61
Exchange-based routing, p. 62
Port-based routing, p. 62
AP route policy, p. 62
Routing in Virtual Fabrics

The boot PROM password, p. 85
Setting the boot PROM password for a switch with a recovery string, p. 85
Setting the boot PROM password for a director with a recovery string, p. 86
Setting the boot PROM password for a switch without a recovery string

ACL policies overview, p. 123
How the ACL policies are stored, p. 123
Policy members, p. 124
ACL policy management, p. 124
Displaying ACL policies, p. 125
Saving changes without activating the policies

Management interface security, p. 152
Configuration examples, p. 153
IPsec protocols, p. 154
Security associations, p. 155
Authentication and encryption algorithms, p. 155
IPsec policies

Firmware download from a USB device, p. 188
Enabling USB, p. 188
Viewing the USB file system, p. 188
Downloading from USB using the relative path, p. 188
Downloading from USB using the absolute path, p. 188
SAS and SA applications

Deleting a logical switch, p. 218
Adding and removing ports on a logical switch, p. 218
Displaying logical switch configuration, p. 219
Changing the fabric ID of a logical switch, p. 220
Changing a logical switch to a base switch, p. 221
Setting up IP addresses for a Virtual Fabric

Zoning configurations, p. 244
Creating a zoning configuration, p. 244
Adding zones (members) to a zoning configuration, p. 245
Removing zones (members) from a zone configuration, p. 245
Enabling a zone configuration, p. 245
Disabling a zone configuration, p. 246
Deleting a zone configuration

iSCSI initiator-to-VT authentication configuration, p. 279
Setting the user name and shared secret, p. 279
Binding user names to an iSCSI VT, p. 279
Deleting user names from an iSCSI VT binding list, p. 280
Displaying CHAP configurations, p. 280
Committing the iSCSI-related configuration

Zone management in interoperable fabrics, p. 306
Zoning restrictions, p. 306
Zone name restrictions, p. 307
Zoning modes, p. 307
Setting the safe zone mode on a stand-alone switch, p. 308
Setting the safe zone mode fabric-wide

Administrative Domains overview, p. 337
Admin Domain features, p. 339
Requirements for Admin Domains, p. 339
Admin Domain access levels, p. 340
User-defined Administrative Domains, p. 340
System-defined Administrative Domains, p. 340
Admin Domains and login

Time-based licenses, p. 375
High availability considerations, p. 375
Configupload and download considerations, p. 376
Expired licenses, p. 376
Universal Time-based licenses, p. 376
Universal Time-based license expiration date

Top Talker monitors, p. 394
Adding a Top Talker monitor on an F_Port, p. 395
Deleting a Top Talker monitor on an F_Port, p. 395
Displaying the top n bandwidth-using flows on an F_Port, p. 395
Adding Top Talker monitors on all switches in the fabric (fabric mode)

QoS: Ingress Rate Limiting, p. 423
Limiting traffic from a particular device, p. 423
Disabling ingress rate limiting, p. 423
QoS: SID/DID traffic prioritization, p. 424
License requirements for traffic prioritization, p. 424
QoS zones

F_Port trunking, p. 447
Prerequisites for F_Port Trunking, p. 447
Enabling F_Port trunking, p. 448
Disabling F_Port trunking, p. 448
F_Port Trunking in Virtual Fabrics, p. 448
F_Port trunking considerations for Virtual Fabrics

Inter-fabric link configuration, p. 482
Configuring an IFL for both edge and backbone connections, p. 482
FC Router port cost configuration, p. 486
Port cost considerations, p. 486
Setting router port cost for an EX_Port

Fabric configurations for interconnectivity, p. 513
Connectivity modes, p. 513
Configuring the FC router, p. 514
Configuring LSAN zones in the M-EOS fabric, p. 517
Correcting errors if LSAN devices appear in only one of the fabrics

Appendix E Hexadecimal
Hexadecimal overview

Figures
Figure 1 Identify the blades, p. 35
Figure 2 Blade Swap with Virtual Fabrics during the swap, p. 36
Figure 3 Blade Swap with Virtual Fabrics after swap, p. 37
Figure 4 ICL triangular topology

Figure 37 iSCSI gateway service in an iSCSI FC zone, p. 283
Figure 38 iSCSI network with iSNS server and clients, p. 288
Figure 39 Typical direct E_Port configuration, p. 299
Figure 40 Fabric with two Admin Domains

Figure 79 EX_Ports in a base switch, p. 508
Figure 80 Logical representation of EX_Ports in a base switch, p. 508
Figure 81 Backbone-to-edge routing across base switch using FC router in legacy mode, p. 509
Figure 82 Inband Management process, p. 522
Figure 83 Management station on same subnet
Tables
Table 1 Default administrative account names and passwords, p. 5
Table 2 Port numbering schemes for the Brocade 48000, Brocade DCX and DCX-4S enterprise-class platforms, p. 26
Table 3 Brocade enterprise-class platform terminology and abbreviations, p. 30
Table 4 Port blades supported by each platform

Table 36 Examples of strict fabric merges, p. 151
Table 37 Fabric merges with tolerant/absent combinations, p. 152
Table 38 Algorithms and associated authentication policies, p. 155
Table 39 CLI commands to display or modify switch configuration information, p. 169
Table 40 Backup and restore in a FICON CUP environment

Table 76 License requirements, p. 370
Table 77 Base to Upgrade License Comparison, p. 373
Table 78 List of available ports when implementing PODs, p. 380
Table 79 Types of monitors supported on Brocade switch models
About This Document
In this chapter
• How this document is organized, p. xxxiii
• Supported hardware and software, p. xxxiv
• What’s new in this document, p. xxxv
• Document conventions, p. xxxvi
• Additional information
• Chapter 11, “Administering Advanced Zoning,” provides procedures for use of the Brocade Advanced Zoning licensed feature.
• Chapter 12, “Managing iSCSI Gateway Service,” provides concepts and procedures for allowing initiators in an IP SAN to access and utilize storage in a Fibre Channel SAN.
• Chapter 13, “Administering NPIV,” provides procedures for enabling and configuring N-Port ID Virtualization (NPIV).
• Brocade 5424 embedded switch
• Brocade 5460 embedded switch
• Brocade 5470 embedded switch
• Brocade 5480 embedded switch
• Brocade 7500 extension switch
• Brocade 7500E extension switch
• Brocade 7600 application appliance
• Brocade 7800 extension switch
• Brocade 8000 application appliance
• Brocade 48000 director
• Brocade DCX Backbone data center backbone
• Brocade DCX-4S Backbone data center backbone
What’s new in this document
• Information that was added:
- Support for new hardware platforms
• Bro
• Showing blade status information
• QoS D,I zones
• Port information for virtual devices
• TrunkShow command information
• Information that was changed:
• Information that was deleted:
- “Configuring and Monitoring FCIP Extension Services,” which provides procedures for creating and maintaining FCIP tunnels, was removed from this manual and can be found in the Fibre Channel over IP Administrator’s Guide.
Command syntax conventions
Command syntax in this manual follows these conventions:
command: Commands are printed in bold.
--option, option: Command options are printed in bold.
-argument, arg: Arguments.
[ ]: Optional element.
variable: Variables are printed in italics. In the help pages, values are underlined or enclosed in angled brackets < >.
...: Repeat the previous element, for example “member[;member...]”.
value: Fixed values following arguments are printed in plain font.

http://www.snia.org/education/dictionary
Notice to the reader
This document may contain references to the trademarks of the following corporations. These trademarks are the properties of their respective companies and corporations. These references are made for informational purposes only.
Corporation / Referenced Trademarks and Products
Microsoft Corporation: Windows, Windows NT, Internet Explorer
Mozilla Corporation: Mozilla, Firefox
Netscape Communications Corporation: Netscape
Red Hat, Inc.
For information about the Fibre Channel industry, visit the Fibre Channel Industry Association Web site: http://www.fibrechannel.org Getting technical help Contact your switch support supplier for hardware, firmware, and software support, including product repairs and part ordering. To expedite your call, have the following information available: 1.
If you cannot use the wwn command because the switch is inoperable, you can get the WWN from the same place as the serial number, except for the Brocade DCX enterprise-class platform. For the Brocade DCX enterprise-class platform, access the numbers on the WWN cards by removing the Brocade logo plate at the top of the nonport side of the chassis. For the Brocade 5424 embedded switch: Provide the license ID. Use the licenseIdShow command to display the WWN.
Section Standard Features
This section describes standard Fabric OS features, and includes the following chapters:
• Chapter 1, “Performing Basic Configuration Tasks”
• Chapter 2, “Performing Advanced Configuration Tasks”
• Chapter 3, “Understanding Fibre Channel Services”
• Chapter 4, “Routing Traffic”
• Chapter 5, “Managing User Accounts”
• Chapter 6, “Configuring Standard Security Features”
• Chapter 7, “Configuring Advanced Security Features”
• Chapter 8, “Maintaining the Switch Configuration File”
•

Chapter 1 Performing Basic Configuration Tasks
In this chapter
• Fabric OS overview, p. 1
• Fabric OS command line interface, p. 2
• Password modification, p. 5
• The Ethernet interface on your switch
Although many different software and hardware configurations are tested and supported by Brocade Communications Systems, Inc., documenting all possible configurations and scenarios is beyond the scope of this document. In some cases, earlier releases are highlighted to present considerations for interoperating with them. The hardware reference manuals for Brocade products describe how to power up devices and set their IP addresses.

Parameter / Value
Stop bits: 1
Flow control: None
• In a UNIX environment, enter the following string at the prompt:
tip /dev/ttyb -9600
If ttyb is already in use, use ttya instead and enter the following string at the prompt:
tip /dev/ttya -9600
Telnet or SSH sessions
Connect to the Fabric OS through a Telnet or SSH connection or through a console session on the serial port. The switch must also be physically connected to the network.

2. Verify the switch’s network interface is configured and that it is connected to the IP network through the RJ-45 Ethernet port. Switches in the fabric that are not connected through the Ethernet can be managed through switches that are using IP over Fibre Channel. The embedded port must have an assigned IP address.
3. Log off the switch.
4. From a management station, open a Telnet connection using the IP address of the switch to which you want to connect.
Password modification
The switch automatically prompts you to change the default account passwords after logging in for the first time. If you do not change the passwords, the switch prompts you after each subsequent login until all the default passwords have been changed.
NOTE
The default account passwords can be changed from their original value only when prompted immediately following the login; the passwords cannot be changed using the passwd command later in the session.

Use Control-C to exit or press 'Enter' key to proceed.
for user - root
Changing password for root
Enter new password:
Password changed.
Saving password to stable storage.
Password saved to stable storage successfully.
(output truncated)

The Ethernet interface on your switch
The Ethernet (network) interface provides management access, including direct access to the Fabric OS CLI, and allows other tools, such as Web Tools, to interact with the switch.
IPv4 addresses assigned to individual Virtual Fabrics are assigned to IP-over-FC network interfaces. Because in Virtual Fabric environments a single chassis can be assigned to multiple fabrics, each of which is logically distinct and separate from the others, each IP-over-FC point of connection to a given chassis needs a separate IPv4 address and prefix in order to be accessible to a management host.
cp 1 fe80:60:69bc:70::3
If the Ethernet IP address, subnet mask, and gateway address are displayed, then the network interface is configured. Verify the information on your switch is correct. If DHCP is enabled, the network interface information was acquired from the DHCP server.
NOTE
You can use either IPv4 or IPv6 with a classless inter-domain routing (CIDR) block notation (also known as a network prefix length) to set up your IP addresses.
3. Enter the network information in dotted-decimal notation for the Ethernet IPv4 address and in semicolon-separated notation for IPv6.
4. Enter the Ethernet Subnetmask at the prompt.
5. Skip Fibre Channel prompts by pressing Enter. The Fibre Channel IP address is used for management.
6. Enter the Gateway Address at the prompt.
7. Disable DHCP by entering off.
Setting the static addresses for the chassis IP management interface
1.

Enabling DHCP after the Ethernet information has been configured releases the current Ethernet network interface settings, including Ethernet IP, Ethernet Subnetmask, and Gateway. The Fibre Channel (FC) IP address and subnet mask are static and are not affected by DHCP; see “Static Ethernet addresses” on page 8 for instructions on setting the FC IP address.
1. Connect to the switch and log in using an account assigned to the admin role.
2.

IPv6 autoconfiguration
IPv6 can assign multiple IP addresses to each network interface. Each interface is configured with a link local address in almost all cases, but this address is only accessible from other hosts on the same network. To provide for wider accessibility, interfaces are typically configured with at least one additional global scope IPv6 address.
Date and time settings
Switches maintain the current date and time inside a battery-backed real-time clock (RTC) circuit that receives the date and time from the fabric’s principal switch. Date and time are used for logging events. Switch operation does not depend on the date and time; a switch with an incorrect date and time value still functions properly. However, because the date and time are used for logging, error detection, and troubleshooting, you should set them correctly.

The time zone setting has the following characteristics:
• Users can view the time zone settings. However, only those with administrative permissions can set the time zones.
• It automatically adjusts for Daylight Savings Time.
• Changing the time zone on a switch updates the local time zone setup and is reflected in local time calculations.
• By default, all switches are in the GMT time zone (0,0).

4. At the prompt, select a country location.
5. At the prompt, enter the appropriate number to specify the time zone region or Ctrl-D to quit.
Network time protocol
You can synchronize the local time of the principal or primary fabric configuration server (FCS) switch to a maximum of eight external network time protocol (NTP) servers.

Example of displaying the NTP server
switch:admin> tsclockserver
10.1.2.3
Example of setting up more than one NTP server using a DNS name
switch:admin> tsclockserver "10.1.2.4;10.1.2.5;ntp.localdomain.net"
Updating Clock Server configuration...done.
Updated with the NTP servers
Changes to the clock server value on the principal or primary FCS switch are propagated to all switches in the fabric.
Switch names can be from 1 to 30 characters long. For the Brocade DCX and DCX-4S Backbone, the name can be from 1 to 15 characters in length. All switch names must begin with a letter, and can contain letters, numbers, or the underscore character. It is not necessary to use quotation marks.
NOTE
Changing the switch name causes a domain address format RSCN (registered state change notification) to be issued and may be disruptive to the fabric.
Customizing the switch name
1.

Enabling a switch
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the switchEnable command. All Fibre Channel ports that passed the POST test are enabled. If the switch has interswitch links (ISLs) to a fabric, it joins the fabric.

3. Wait until you see the following message:
DCX:FID128:admin> sysshutdown
This command will shutdown the operating systems on your switch.
You are required to power-cycle the switch in order to restore operation.
Are you sure you want to shutdown the switch [y/n]?y
HA is disabled
Stopping blade 10
Shutting down the blade....
Stopping blade 12
Shutting down the blade....
Broadcast message from root (pts/0) Fri Oct 10 08:36:48 2008...
The system is going down for system halt NOW !!
4.
Chapter 2 Performing Advanced Configuration Tasks
In this chapter
• PIDs and PID binding overview
• Ports
• Blade terminology and compatibility
• Enabling and disabling blades
Core PID addressing mode
Core PID is the default PID format for Brocade platforms. It uses the entire 24-bit address space of the domain, area_ID, and ALPA to determine an object’s address within the fabric.

• Any port on a 48-port blade can support up to 256 NPIV devices (in fixed addressing mode only 128 NPIV devices are supported in non-VF mode and 64 NPIV devices in VF mode on a 48-port blade).
• Any port on a 48-port blade can support loop devices.
• Any port on a 48-port blade can support hard port zoning.
• Port index is not guaranteed to be equal to the port area ID.

If the NPIV device has Dynamic Persistent PID set, then the same ALPA value in the PID is used. This guarantees that NPIV devices get the same PID across reboots and that the ALPAs assigned for the device do not depend on the order in which the devices come up.
Enabling automatic PID assignment
NOTE
To activate the WWN-based PID assignment, you do not need to disable the switch.
1. Connect to the switch and log in using an account assigned to the admin role.
2.
Ports
Because enterprise-class platforms contain interchangeable port blades, their procedures differ from those for fixed-port switches. For example, fixed-port models identify ports only by the port number, while enterprise-class platforms identify ports by slot/port notation.

TABLE 2 Port numbering schemes for the Brocade 48000, Brocade DCX and DCX-4S enterprise-class platforms
Port blades / Numbering scheme
FC2-16, FC4-16, FC8-16: Ports are numbered from 0 through 15 from bottom to top.
FC4-32, FC8-32: Ports are numbered from 0 through 15 from bottom to top on the left set of ports and 16 through 31 from bottom to top on the right set of ports.

To select a specific port in the Brocade 48000, Brocade DCX and DCX-4S enterprise-class platforms, you must identify both the slot number and the port number using the format slot number/port number. No spaces are allowed between the slot number, the slash (/), and the port number.
Example of enabling port 4 on a blade in slot 2.
ecp:admin> portenable 2/4
Port identification by port area ID
The relationship between the port number and area ID depends upon the PID format used in the fabric.
Swapping port area IDs
If a device that uses port binding is connected to a port that fails, you can use port swapping to make another physical port use the same PID as the failed port. The device can then be plugged into the new port without the need to reboot the device. Use the following procedure to swap the port area IDs of two physical switch ports. In order to swap port area IDs, the port swap feature must be enabled, and both switch ports must be disabled.

• To enable a port that is disabled, enter the command portEnable portnumber or portEnable slotnumber/portnumber.
• To enable a port that is persistently disabled, enter the command portCfgPersistentEnable portnumber or portCfgPersistentEnable slotnumber/portnumber.
If you change port configurations during a switch failover, the ports may become disabled. To bring the ports online, re-issue the portEnable command after the failover is complete.
Disabling a port
1.

Blade terminology and compatibility
Before configuring a chassis, familiarize yourself with the platform CP blade and port blade nomenclature, as well as the port blade compatibilities. Often in procedures, only the abbreviated names for CP and port blades are used (for example, the FC4-16 blade). Table 3 includes CP and port blade abbreviations and descriptions.

TABLE 3 Brocade enterprise-class platform terminology and abbreviations (Continued)
Term / Abbreviation / Blade ID (slotshow) / Definition
48-port 8-Gbps port blade / FC8-48 / 51 / A 48-port Brocade platform port blade supporting 1, 2, 4, and 8 Gbps port speeds. The Brocade DCX and DCX-4S support loop devices on 48-port blades in a Virtual Fabrics-enabled environment.
Mixed CP blades are not supported on a single chassis, except during specific upgrade procedures detailed in the Brocade 48000 Hardware Reference Manual. CP4 and CP8 blades cannot be mixed in the same chassis under any circumstances. Brocade recommends that each Brocade platform have only one type of CP blade installed and that each CP (primary and secondary partition) maintain the same firmware version.

Enabling and disabling blades
Port blades are enabled by default. In some cases, you will need to disable a port blade to perform diagnostics. When diagnostics are executed manually (from the Fabric OS command line), many commands require the port blade to be disabled. This ensures that diagnostic activity does not interfere with normal fabric traffic.

If a previously-configured FR4-18i blade is removed and an FC4-48, FC8-16, FC8-32, FC8-48, or FC10-6 blade is plugged in, then—other than the port’s EX_Port configuration—all the remaining port configurations previously applied to the FR4-18i ports can be used. The EX_Port configuration on those ports is disabled before the FC4 or FC8 port blade becomes operational.
Blade swapping 2 unforeseen error does occur during the bladeSwap command, an entry will be made into the RASlog and all ports that have been swapped as part of the blade swap operation will be swapped back. On successful completion of the command, the source and destination blades are left in a disabled state allowing you to complete the cable move. Blade swapping is based on port swapping and has the same restrictions: • Shared area ports cannot be swapped.
2 Blade swapping • Blade technology. Both blades must be of compatible technology types (i.e. Fibre Channel to Fibre Channel, Ethernet to Ethernet, application to application, etc). • Port Count. Both blades must support the same number of front ports. For example, 16-ports to 16-ports, 32-ports to 32-ports, 48-ports to 48-ports, and so on. • Availability. The ports on the destination blade must be available for the swap operation and not attached to any other devices. 3.
Power conservation 2 FIGURE 3 Blade Swap with Virtual Fabrics after swap. Swapping blades 1. Connect to the director and log in using an account assigned to the admin role. 2. Enter the bladeSwap command. If no errors are encountered, the blade swap will complete successfully. If errors are encountered, the command is interrupted and the ports are set back to their original configuration. 3. Once the command completes successfully, move the cables from the source blade to the destination blade. 4.
2 Inter-chassis links NOTE In the Brocade DCX and DCX-4S the core blades and CPs cannot be powered off from the CLI interface. You must manually power off the blades by unseating the blade from its mounting, the slider, or removing power from the chassis. Powering off a port blade 1. Connect to the switch and log in as admin. 2. Enter the slotPowerOff command with the slot number of the port blade you want to power off. ecp:admin> slotpoweroff 3 Slot 3 is being powered off Powering on a port blade 1.
Inter-chassis links 2 For additional information on ICLs, see the Brocade DCX Data Center Backbone Hardware Reference Manual. ICL ports can be used only with an ICL license. For more information on how license enforcement occurs, see Chapter 16, “Administering Licensing”. After the addition or removal of a license, the license enforcement is performed on the ICL ports only when you issue the portDisable or portEnable commands on the switch for the ports.
2 Gateway links FIGURE 4 ICL triangular topology (Chassis 1, Chassis 2 and Chassis 3 connected by ICL 1, ICL 2 and ICL 3). Virtual Fabrics considerations: In Virtual Fabrics, the ICL ports can be split across the logical switch, base switch and default switch. The triangular topology requirement still needs to be met for each fabric individually. The present restriction on ICL being part of only logical switches with “Allow XISL Use” attribute off still applies.
Equipment status 2 Configuring a link through a gateway 1. Connect to the switch at one end of the gateway and log in using an account assigned to the admin role. 2. Enter the portCfgIslMode command. 3. Repeat steps 1 through 2 for any additional ports that will be connected to the gateway. 4. Repeat this procedure on the switch at the other end of the gateway. Example of enabling a gateway link on slot 2, port 3. ecp:admin> portcfgislmode 2/3, 1 Committing configuration...done.
2 Equipment status
Slot  Blade Type  ID  Model Name  Status
-------------------------------------------------
1     SW BLADE    55  FC8-32      ENABLED
2     SW BLADE    51  FC8-48      ENABLED
3     SW BLADE    39  FC10-6      ENABLED
4     SW BLADE    51  FC8-48      ENABLED
5     CORE BLADE  52  CORE8       ENABLED
6     CP BLADE    50  CP8         ENABLED
7     CP BLADE    50  CP8         ENABLED
8     CORE BLADE  52  CORE8       ENABLED
9     SW BLADE    37  FC8-16      ENABLED
10    AP BLADE    43  FS8-18      ENABLED
11    SW BLADE    55  FC8-32      ENABLED
12    AP BLADE    24  FR4-18i     ENABLED
The possible fields and their values are outlined below.
Track and control switch changes 2 The output of the fabricShow command is discussed in “Domain IDs” on page 15. Verifying device connectivity 1. Connect to the switch and log in using an account assigned to the admin role. 2. Optional: Enter the switchShow command to verify that devices, hosts, and storage are connected. 3. Optional: Enter the nsShow command to verify that devices, hosts, and storage have successfully registered with the name server. 4.
2 Track and control switch changes Enabling the track changes feature 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the trackChangesSet 1 command to enable the track changes feature. A message displays, verifying that the track changes feature is on: switch:admin> trackchangesset 1 Committing configuration...done. 3. View the log using the commands errDump |more to display a page at a time or errShow to view one line at a time.
Track and control switch changes CP Blade Flash MarginalPorts FaultyPorts MissingSFPs 0 0 0 2 2 0 2 1 1 1 1 1 0 Setting the switch status policy threshold values 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the switchStatusPolicySet command. The current switch status policy parameter values are displayed. You are prompted to enter values for each DOWN and MARGINAL threshold parameter.
2 Audit log configuration MarginalPorts contributing to MARGINAL status: (0..32) [1] 0 FaultyPorts contributing to DOWN status: (0..32) [2] 0 FaultyPorts contributing to MARGINAL status: (0..32) [1] 0 MissingSFPs contributing to DOWN status: (0..32) [0] 0 MissingSFPs contributing to MARGINAL status: (0..32) [0] 0 Policy parameter set has been changed On the Brocade 48000, and Brocade DCX and DCX-4S enterprise-class platforms, the command output includes parameters related to CP blades.
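The following Python is an added example, not Fabric OS code or anything from the guide: it parses switchStatusPolicySet prompt/response lines of the form shown above and derives an overall switch status from the resulting thresholds. The evaluation rule is an assumption made for the example (a count at or above the DOWN threshold yields DOWN, at or above the MARGINAL threshold yields MARGINAL, and a threshold of 0 takes that parameter out of the calculation); the second session is constructed to show what accepting the bracketed defaults gives.

```python
import re

# Added example, not Fabric OS code. Parses switchStatusPolicySet-style
# prompt/response lines and evaluates an overall switch status.
# Assumption: a count at or above the DOWN threshold yields DOWN, at or
# above the MARGINAL threshold yields MARGINAL, and a threshold of 0
# means the parameter does not contribute.

PROMPT_RE = re.compile(
    r"(?P<param>\w+) contributing to (?P<level>DOWN|MARGINAL) status: "
    r"\(\d+\.\.\d+\) \[(?P<default>\d+)\] ?(?P<entered>\d*)"
)


def parse_policy_prompts(text):
    """Return {param: {"DOWN": n, "MARGINAL": n}} from the prompt text.
    An empty response keeps the bracketed default, as the CLI does."""
    policy = {}
    for m in PROMPT_RE.finditer(text):
        value = int(m["entered"]) if m["entered"] else int(m["default"])
        policy.setdefault(m["param"], {})[m["level"]] = value
    return policy


def evaluate_status(counts, policy):
    """Return (status, [parameters that drove it]) for the given counts."""
    down, marginal = [], []
    for param, levels in policy.items():
        count = counts.get(param, 0)
        down_thr = levels.get("DOWN", 0)
        marg_thr = levels.get("MARGINAL", 0)
        if down_thr and count >= down_thr:
            down.append(param)
        elif marg_thr and count >= marg_thr:
            marginal.append(param)
    if down:
        return "DOWN", down
    if marginal:
        return "MARGINAL", marginal
    return "HEALTHY", []


# The responses shown in the guide: every threshold set to 0.
PAGE_SESSION = """\
MarginalPorts contributing to MARGINAL status: (0..32) [1] 0
FaultyPorts contributing to DOWN status: (0..32) [2] 0
FaultyPorts contributing to MARGINAL status: (0..32) [1] 0
MissingSFPs contributing to DOWN status: (0..32) [0] 0
MissingSFPs contributing to MARGINAL status: (0..32) [0] 0
"""

# Constructed session that presses Enter at each prompt, keeping the
# bracketed defaults.
DEFAULT_SESSION = """\
MarginalPorts contributing to MARGINAL status: (0..32) [1]
FaultyPorts contributing to DOWN status: (0..32) [2]
FaultyPorts contributing to MARGINAL status: (0..32) [1]
MissingSFPs contributing to DOWN status: (0..32) [0]
MissingSFPs contributing to MARGINAL status: (0..32) [0]
"""

if __name__ == "__main__":
    zeroed = parse_policy_prompts(PAGE_SESSION)
    # Everything zeroed: nothing contributes, so the switch stays HEALTHY.
    print(evaluate_status({"FaultyPorts": 5}, zeroed))
    defaults = parse_policy_prompts(DEFAULT_SESSION)
    print(evaluate_status({"FaultyPorts": 1}, defaults))
    print(evaluate_status({"FaultyPorts": 2}, defaults))
```

The point the example makes explicit is that answering 0 to every prompt, as in the session above, silences the parameter entirely, so a switch with several faulty ports still reports HEALTHY.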
Audit log configuration 2 Auditable event classes Before configuring an audit log, you must select the event classes you want audited. The audit log includes: • SEC-3001 through SEC-3017 • SEC-3024 through SEC-3029 • ZONE-3001 through ZONE-3012 Table 6 identifies auditable event classes and the auditCfg command operands used to enable auditing of a specific class.
2 Audit log configuration 1. Set up an external host machine with a system message log daemon running to receive the audit events that will be generated. 2. On the switch where the audit configuration is enabled, enter the syslogdIpAdd command to add the IP address of the host machine so that it can receive the audit events. You can use IPv4, IPv6, or DNS names for the syslogdIpAdd command. 3. Ensure the network is configured with a network connection between the switch and the remote host. 4.
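On the receiving host, the audit events arrive as ordinary syslog lines mixed with everything else the switch forwards. The Python below is an added example (not Fabric OS code) of the filtering a collector would do: it picks out messages whose bracketed id falls in the auditable classes listed in this section (SEC-3001 through SEC-3017, SEC-3024 through SEC-3029, ZONE-3001 through ZONE-3012) and counts them per class. The sample lines are constructed for the example; only the ids are taken from the guide.

```python
import re

# Added example, not Fabric OS code. Filters syslog-forwarded messages
# down to the auditable event classes listed in this section.
AUDITABLE_RANGES = (
    ("SEC", 3001, 3017),
    ("SEC", 3024, 3029),
    ("ZONE", 3001, 3012),
)

# Matches the bracketed message id, e.g. [SEC-3001].
EVENT_ID_RE = re.compile(r"\[(?P<cls>[A-Z]+)-(?P<num>\d+)\]")


def is_auditable(cls, num):
    """True when CLASS-num falls in one of the auditable ranges."""
    return any(cls == c and lo <= num <= hi for c, lo, hi in AUDITABLE_RANGES)


def parse_event_id(line):
    """Return (class, number) for a line carrying a [CLASS-nnnn] id, else None."""
    m = EVENT_ID_RE.search(line)
    return (m["cls"], int(m["num"])) if m else None


def filter_audit_events(lines):
    """Keep only messages whose id is in an auditable range."""
    kept = []
    for line in lines:
        ev = parse_event_id(line)
        if ev and is_auditable(*ev):
            kept.append((ev[0], ev[1], line))
    return kept


def count_by_class(events):
    """Tally kept events per message class."""
    counts = {}
    for cls, _num, _line in events:
        counts[cls] = counts.get(cls, 0) + 1
    return counts


# Constructed sample of lines as a syslog daemon might store them; the
# message bodies are made up and only the ids matter here.
SAMPLE_SYSLOG = [
    "Nov 23 10:15:22 switch1 raslogd: AUDIT, 2009/11/23-10:15:22, [SEC-3001], INFO, SECURITY, admin/admin/192.0.2.10/ssh/CLI, constructed security event",
    "Nov 23 10:15:40 switch1 raslogd: AUDIT, 2009/11/23-10:15:40, [SEC-3020], INFO, SECURITY, admin/admin/192.0.2.10/ssh/CLI, id outside the audited ranges",
    "Nov 23 10:16:02 switch1 raslogd: AUDIT, 2009/11/23-10:16:02, [SEC-3025], INFO, SECURITY, admin/admin/192.0.2.10/ssh/CLI, constructed security event",
    "Nov 23 10:16:30 switch1 raslogd: AUDIT, 2009/11/23-10:16:30, [ZONE-3012], INFO, ZONE, admin/admin/192.0.2.10/ssh/CLI, constructed zoning event",
    "Nov 23 10:16:45 switch1 raslogd: AUDIT, 2009/11/23-10:16:45, [ZONE-3013], INFO, ZONE, admin/admin/192.0.2.10/ssh/CLI, id outside the audited ranges",
    "Nov 23 10:17:00 switch1 raslogd: 2009/11/23-10:17:00, [FW-1003], WARNING, FW, constructed non-audit class",
    "Nov 23 10:17:10 switch1 sshd: line with no event id at all",
]

if __name__ == "__main__":
    events = filter_audit_events(SAMPLE_SYSLOG)
    for cls, num, line in events:
        print(f"{cls}-{num}: {line}")
    print(count_by_class(events))
```

A collector that drops lines outside these ranges before indexing keeps the audit trail small without losing any of the classes the switch was configured to audit; the two "outside the audited ranges" samples show the boundary behaviour.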
High availability of daemon processes 2 High availability of daemon processes Fabric OS v6.1.0 and later supports automatic restart of non-critical daemons. Starting these non-critical daemons is automatic; you cannot configure the startup process. The following sequence of events occurs when a non-critical daemon fails: 1. A RASlog and AUDIT event message is logged. 2. The daemon is automatically started again. 3.
Chapter 3 Understanding Fibre Channel Services
In this chapter
• Fibre Channel services overview
• The Management Server
• Platform services
• Management server database
• Topology discovery
3 The Management Server Broadcast server — This service is optional, and when frames are transmitted to this address they are broadcasted to all operational N_ and NL_Ports. When registration and query frames are sent to a well-known address a different protocol service, Fibre Channel Common Transport (FC-CT), is used. This protocol provides a simple, consistent format and behavior when a service provider is accessed for registration and query purposes.
Management server database 3 Activating the platform services on a switch or enterprise-class platform will activate platform services on all logical switches in a Virtual Fabric. Similarly, deactivating the platform services will deactivate the platform service on all logical switches in a Virtual Fabric. The msPlatShow command displays all platforms registered in a Virtual Fabric.
3 Management server database Displaying the management server ACL 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the msConfigure command. The command becomes interactive. 3. At the “select” prompt, enter 1 to display the access list. A list of WWNs that have access to the management server is displayed.
Management server database 3 select : (0..
3 Management server database
0 Done
1 Display the access list
2 Add member based on its Port/Node WWN
3 Delete member based on its Port/Node WWN
select : (0..3) [2] 1
MS Access List consists of (1):
{
 10:00:00:00:c9:29:b3:84
}
0 Done
1 Display the access list
2 Add member based on its Port/Node WWN
3 Delete member based on its Port/Node WWN
select : (0..3) [1] 3
Port/Node WWN (in hex): [00:00:00:00:00:00:00:00] 10:00:00:00:c9:29:b3:84
*WWN is successfully deleted from the MS ACL.
Topology discovery 3 Clearing the management server database The command msPlClearDB is allowed only in AD0 and AD255. 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the msplClearDb command. 3. Enter y to confirm the deletion. The management server platform database is cleared. Topology discovery The topology discovery feature can be displayed, enabled, and disabled; it is disabled by default.
3 Topology discovery A warning displays that all NID entries might be cleared. 3. Enter y to disable the discovery feature. NOTE Disabling discovery of management server topology might erase all NID entries. Example of disabling discovery switch:admin> mstddisable This may erase all NID entries. Are you sure? (yes, y, no, n): [no] y Request to disable MS Topology Discovery Service in progress.... *MS Topology Discovery disabled locally. switch:admin> mstddisable all This may erase all NID entries.
Chapter 4 Routing Traffic
About this chapter
• Routing overview
• Routing policies
• Route selection
• Frame order delivery
4 Routing overview Route selection is the path that is chosen. Paths that are selected from the routing database are chosen based on the minimal cost. FSPF Fabric Shortest Path First (FSPF) is a link state path selection protocol that directs traffic along the shortest path between the source and destination based upon the link cost.
Routing policies 4 Fibre Channel NAT Within an edge fabric or across a backbone fabric, the standard Fibre Channel fabric shortest path first (FSPF) protocol determines how frames are routed from the source Fibre Channel device to the destination FC device. The source or destination device can be a proxy device. Fibre Channel fabrics require that all ports be identified by a unique PID.
4 Routing policies Example of the output from the aptPolicy command. In the following example, the current policy is exchange-based routing (3) with the additional AP dedicated link policy.
Routing policies 4 AP route policy On the Brocade 7500 switch and FR4-18i blade, there are eight internal physical links used by EX_ and VEX_Port functionality. The links are shared by both ingress and egress traffic on EX_ and VEX_Ports. The AP (appliance) route policy dedicates some links for ingress traffic and some links for egress traffic.
4 Route selection Setting up the AP route policy 1. Connect to the switch and log in as admin. 2. Enter the switchDisable command to disable the switch. 3. Take the appropriate following action based on the route policy you choose to implement: • If AP Shared Link policy (default) is required, enter the aptPolicy -ap 0 command. • If AP Dedicated Link policy is required, enter the aptPolicy -ap 1 command.
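The Python below is an added example, not Fabric OS or Brocade code, that models the two ideas of this chapter together: FSPF selecting minimum-cost paths by link cost while retaining every equal-cost path, and the routing policy deciding which of those paths a given frame follows. The topology and link costs are constructed, and the selection keys (ingress port and destination for port-based routing, SID/DID/OXID for exchange-based routing, the policy numbers 1 and 3 from the aptPolicy output above) together with the hash used to spread traffic are assumptions for illustration; the guide does not describe the switch's internal selection mechanism.

```python
import heapq

# Added example, not Fabric OS code. Constructed fabric: domain ID ->
# {neighbour domain: link cost}. Costs are illustrative, not defaults.
FABRIC = {
    1: {2: 500, 3: 500},
    2: {1: 500, 4: 500},
    3: {1: 500, 4: 500},
    4: {2: 500, 3: 500, 5: 1000},
    5: {4: 1000},
}


def fspf_paths(topology, src):
    """Dijkstra over link costs. Returns (cost, predecessors) where
    predecessors[d] lists every neighbour on a minimum-cost path to d,
    so equal-cost paths are kept rather than discarded."""
    cost = {src: 0}
    preds = {src: []}
    heap = [(0, src)]
    while heap:
        c, u = heapq.heappop(heap)
        if c > cost[u]:
            continue  # stale heap entry
        for v, w in topology[u].items():
            nc = c + w
            if nc < cost.get(v, float("inf")):
                cost[v] = nc
                preds[v] = [u]
                heapq.heappush(heap, (nc, v))
            elif nc == cost[v]:
                preds[v].append(u)  # another equal-cost way in
    return cost, preds


def enumerate_paths(preds, src, dst):
    """Expand the predecessor lists into every equal-cost path src->dst."""
    if dst == src:
        return [[src]]
    paths = []
    for p in preds[dst]:
        for path in enumerate_paths(preds, src, p):
            paths.append(path + [dst])
    return sorted(paths)


def _mix(*values):
    """Deterministic FNV-style mix (Python's hash() is randomised per process)."""
    h = 0x811C9DC5
    for v in values:
        h = ((h ^ (v & 0xFFFFFFFF)) * 0x01000193) & 0xFFFFFFFF
    return h


def select_path(paths, policy, ingress_port, sid, did, oxid=0):
    """Pick one equal-cost path. Assumed model: policy 1 (port-based) keys
    on ingress port and destination only, so a port always uses the same
    path; policy 3 (exchange-based) also keys on the exchange id OXID."""
    if policy == 1:
        idx = _mix(ingress_port, did)
    elif policy == 3:
        idx = _mix(sid, did, oxid)
    else:
        raise ValueError("unsupported routing policy")
    return paths[idx % len(paths)]


if __name__ == "__main__":
    cost, preds = fspf_paths(FABRIC, 1)
    paths = enumerate_paths(preds, 1, 5)
    print("cost to domain 5:", cost[5], "equal-cost paths:", paths)
    sid, did = 0x010100, 0x050100
    for oxid in range(4):
        print("exchange", oxid, "port-based:", select_path(paths, 1, 7, sid, did, oxid),
              "exchange-based:", select_path(paths, 3, 7, sid, did, oxid))
```

Running it shows why the guide warns that exchange-based routing can reorder exchanges for intolerant devices: with two equal-cost paths, exchange-based selection alternates between them from one exchange to the next, while port-based selection pins every frame from the same ingress port to one path.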
Frame order delivery 4 DLS is set switch:admin> dlsreset switch:admin> dlsshow DLS is not set Static route assignment A static route can be assigned only when the active routing policy is port-based routing. When exchange-based routing is active, you cannot assign static routes. Static routes are supported only on the Brocade 4100 and 5000 platforms.
4 Lossless Dynamic Load Sharing on ports NOTE Some devices do not tolerate out-of-order exchanges; in such cases, use the port-based routing policy. In a stable fabric, frames are always delivered in order, even when the traffic between switches is shared among multiple paths. However, when topology changes occur in the fabric (for example, if a link goes down), traffic is rerouted around the failure, and some frames could be delivered out of order.
Frame Redirection 4 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the appropriate iodSet command to enable or disable dynamic load sharing. switch:admin>iodset --enable lossLessDLS switch:admin>iodset --disable lossLessDLS Lossless dynamic load sharing in Virtual Fabrics Enabling load sharing is optional on logical switches in a Virtual Fabric.
4 Frame Redirection FIGURE 6 Single Host and Target Figure 6 demonstrates the flow of frame redirection traffic. A frame starts at the host with a destination to the target. The port where the appliance is attached to the host switch acts as the virtual initiator and the port where the appliance is attached to the target switch is the virtual target.
Multi-service Frame Redirect 4 Multi-service Frame Redirect MSFR uses the same approach as Frame Redirection, only the number of host-to-targets is expanded to support up to seven redirected devices. MSFR zone objects are stored in the Defined Configuration. The Name Server enforces MSFR devices that are defined through MSFR zoning. MSFR implementations can co-exist with Frame Redirection in the fabric.
4 Multi-service Frame Redirect ordered so that it will be the first redirected device. This option does not guarantee that this appliance will always be first. If yet another MSFR zone is created afterwards and requests to be ordered first, then this latest addition will become the first redirected device, displacing the former to be the second redirected device in the series.
Multi-service Frame Redirect 4 • A Virtual Initiator can represent one, and only one, end-point initiator. • A Virtual Target can represent one, and only one, end-point target. • At the port level, there cannot exist more than one MSFR Service Configuration between a given end-point target and any of its initiators (physical or virtual). • A VI/VT pair cannot represent more than one policy. • A given H/T pair can belong to one, and only one, MSFR Service Configuration.
Chapter 5 Managing User Accounts
In this chapter
• User accounts overview
• Local database user accounts
• Local account database distribution
• Password policies
• The boot PROM password
5 User accounts overview Fabric OS provides three options for authenticating users—remote RADIUS services, remote LDAP service, and the local switch user database. All options allow users to be centrally managed using the following methods: • Remote RADIUS server: Users are managed in a remote RADIUS server. All switches in the fabric can be configured to authenticate against the centralized remote database. • Remote LDAP server: Users are managed in a remote LDAP server.
5 User accounts overview If some Admin Domains have been defined for the user and all of them are inactive, the user will not be allowed to log in to any switch in the fabric. If no Home Domain is specified for a user, the system provides a default home domain. The default home domain for the predefined account is AD0. For user-defined accounts, the default home domain is the Admin Domain in the user’s Admin Domain list with the lowest ID.
5 User accounts overview TABLE 10 RBAC permissions matrix (Continued)
Category                  Admin  Basic Switch Admin  Fabric Admin  Operator  Security Admin  Switch Admin  User  Zone Admin
Debug                     N      N                   N             N         N               N             N     N
Diagnostics               OM     O                   OM            OM        N               OM            O     N
Encryption Configuration  OM     N                   O             N         OM              N             N     N
Encryption Management     OM     N                   OM            N         O               N             N     N
Ethernet Configuration    OM     O                   OM            O         N               OM            O     N
Fabric                    OM     O                   OM            O         O               O             O     O
Fabric Distribution       OM     N                   OM            N         OM              N             N     N
Fabri
5 User accounts overview TABLE 10 RBAC permissions matrix (Continued)
Category            Admin  Basic Switch Admin  Fabric Admin  Operator  Security Admin  Switch Admin  User  Zone Admin
Routing—Basic       OM     O                   OM            OM        N               OM            O     O
Security            OM     O                   OM            N         OM              O             O     N
Session Management  OM     OM                  OM            OM        OM              OM            O     N
SNMP                OM     O                   OM            O         OM              OM            O     N
Statistics          OM     O                   OM            OM        N               OM            O     N
Statistics—Device   OM     O                   OM            OM        N               OM            O     N
Statistics—Port     OM     O                   OM            OM        N               OM            O     N
Switch Configuratio
5 Local database user accounts TABLE 11 Maximum number of simultaneous sessions (Continued) Role name Maximum sessions User 4 ZoneAdmin 4 Local database user accounts User add, change, and delete operations are subject to the subset rule: an admin with ADlist 0-10 or LFlist 1-10 cannot perform operations on an admin, user, or any role with an ADlist 11-25 or LFlist 11-128. The user account being changed must have an ADlist or LFlist that is a subset of the account that is making the change.
Local database user accounts 5 • userConfig --showlf -l logicalFabric_ID for each LF in an LF_ID_list, displays a list of users that include that LF in their LF permissions. Creating an account 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the userConfig --add command. 3. In response to the prompt, enter a password for the account. The password is not displayed when you enter it on the command line.
5 Local account database distribution Changing the password for the current login account 1. Connect to the switch and log in. 2. Enter the passwd command. 3. Enter the requested information at the prompts. Changing the password for a different account 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the passwd command specifying the name of the account for which the password is being changed. 3. Enter the requested information at the prompts.
Password policies 5 Rejecting distributed user databases on the local switch 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the fddCfg --localreject PWD command. Password policies The password policies described in this section apply to the local switch user database only. Configured password policies (and all user account attribute and password state information) are synchronized across CPs and remain unchanged after an HA failover.
5 Password policies • Punctuation Specifies the minimum number of punctuation characters that must appear in the password. All printable, non-alphanumeric punctuation characters except the colon ( : ) are allowed. The default value is zero. The maximum value must be less than or equal to the MinLength value. • MinLength Specifies the minimum length of the password. The minimum can be from 8 to 40 characters. New passwords must be between the minimum length specified and 40 characters.
Password policies 5 Password expiration policy The password expiration policy forces expiration of a password after a configurable period of time, and is enforced across all user accounts. A warning that password expiration is approaching is displayed when the user logs in. When a user’s password expires, he or she must change the password to complete the authentication process and open a user session. You can specify the number of days prior to password expiration during which warnings will commence.
5 Password policies • userConfig --change account_name -u • passwdCfg --disableadminlockout Note that the account-locked state is distinct from the account-disabled state. Use the following attributes to set the account lockout policy: • LockoutThreshold Specifies the number of times a user can attempt to log in using an incorrect password before the account is locked. The number of failed login attempts is counted from the last successful login.
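As an added example (not Fabric OS code), the Python below implements the checks the password attributes above describe: MinLength between 8 and 40 with new passwords no longer than 40, a Punctuation minimum that counts printable non-alphanumeric characters other than the colon and must not exceed MinLength, and a LockoutThreshold counted from the last successful login. Treating a threshold of 0 as "never lock" and rejecting a colon outright are assumptions made for the example.

```python
import string
from dataclasses import dataclass

# Added example, not Fabric OS code. Models the MinLength, Punctuation and
# LockoutThreshold attributes described in the password policies section.

# Punctuation the policy counts: printable non-alphanumeric characters
# except the colon, which the guide excludes.
ALLOWED_PUNCTUATION = frozenset(string.punctuation) - {":"}
MAX_LENGTH = 40


@dataclass
class PasswordPolicy:
    min_length: int = 8          # MinLength, 8..40
    punctuation: int = 0         # minimum punctuation characters, <= MinLength
    lockout_threshold: int = 0   # failed attempts before lockout; 0 = never lock (assumption)

    def validate(self):
        """Reject attribute combinations the guide rules out."""
        if not 8 <= self.min_length <= MAX_LENGTH:
            raise ValueError("MinLength must be between 8 and 40")
        if not 0 <= self.punctuation <= self.min_length:
            raise ValueError("Punctuation must not exceed MinLength")
        return self


def policy_is_valid(policy):
    """Convenience wrapper returning True/False instead of raising."""
    try:
        policy.validate()
        return True
    except ValueError:
        return False


def check_password(password, policy):
    """Return the list of violations (empty when the password is acceptable)."""
    problems = []
    if not policy.min_length <= len(password) <= MAX_LENGTH:
        problems.append(f"length must be {policy.min_length}..{MAX_LENGTH}")
    if ":" in password:
        problems.append("colon is not an allowed character")
    punct = sum(1 for ch in password if ch in ALLOWED_PUNCTUATION)
    if punct < policy.punctuation:
        problems.append(f"needs at least {policy.punctuation} punctuation characters")
    return problems


class LockoutTracker:
    """Counts failed logins since the last successful login, per account."""

    def __init__(self, policy):
        self.policy = policy
        self.failures = {}
        self.locked = set()

    def record_failure(self, account):
        """Register a failed attempt; returns True once the account is locked."""
        self.failures[account] = self.failures.get(account, 0) + 1
        threshold = self.policy.lockout_threshold
        if threshold and self.failures[account] >= threshold:
            self.locked.add(account)
        return account in self.locked

    def record_success(self, account):
        """A successful login resets the counter; locked accounts cannot log in."""
        if account in self.locked:
            return False
        self.failures[account] = 0
        return True

    def unlock(self, account):
        """Administrative unlock (the userConfig --change -u step above)."""
        self.locked.discard(account)
        self.failures[account] = 0


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=8, punctuation=1, lockout_threshold=3).validate()
    for candidate in ("Tr0ub4dor&", "short!", "abcdefgh:x"):
        print(candidate, check_password(candidate, policy) or "ok")
    tracker = LockoutTracker(policy)
    print([tracker.record_failure("admin") for _ in range(3)])  # third failure locks
```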
The boot PROM password 5 The boot PROM password The boot PROM password provides an additional layer of security by protecting the boot PROM from unauthorized use. Setting a recovery string for the boot PROM password enables you to recover a lost boot PROM password by contacting your switch service provider. Without the recovery string, a lost boot PROM password cannot be recovered.
5 The boot PROM password The recovery string must be between 8 and 40 alphanumeric characters. A random string that is 15 characters or longer is recommended for higher security. The firmware prompts for this password only once. It is not necessary to remember the recovery string because it is displayed the next time you enter the command shell. The following prompt displays: New password: 6. Enter the boot PROM password, then re-enter it when prompted.
The boot PROM password 5 The recovery string must be between 8 and 40 alphanumeric characters. A random string that is 15 characters or longer is recommended for higher security. The firmware only prompts for this password once. It is not necessary to remember the recovery string because it is displayed the next time you enter the command shell. The following prompt displays: New password: 7. Enter the boot PROM password, then re-enter it when prompted.
5 The boot PROM password 5. At the shell prompt, enter the passwd command. NOTE The passwd command only applies to the boot PROM password when it is entered from the boot interface. 6. Enter the boot PROM password at the prompt, then re-enter it when prompted. The password must be eight alphanumeric characters (any additional characters are not recorded). Record this password for future use. 7. Enter the saveEnv command to save the new password. 8. Reboot the switch by entering the reset command.
The authentication model using RADIUS and LDAP 5 8. Enter the boot PROM password at the prompt, then re-enter it when prompted. The password must be eight alphanumeric characters (any additional characters are not recorded). Record this password for future use. 9. Enter the saveEnv command to save the new password. 10. Reboot the standby CP blade by entering the reset command. 11.
5 The authentication model using RADIUS and LDAP To enable RADIUS or LDAP service, it is strongly recommended that you access the CLI through an SSH connection so that the shared secret is protected. Multiple login sessions can make configuration changes at the same time; the last session to apply a change leaves its configuration in effect. After a configuration is applied, it persists after a reboot or an HA failover. To enable LDAP service, you need to install a certificate on the Microsoft Active Directory server.
5 The authentication model using RADIUS and LDAP TABLE 13 Authentication configuration options (Continued) aaaConfig options Description Equivalent setting in Fabric OS v5.1.0 and earlier --radius --switchdb1 --authspec “radius;local” --backup Authenticates management connections against any RADIUS databases. If RADIUS fails because the service is not available, it then authenticates against the local user database.
5 The authentication model using RADIUS and LDAP You can set a user password expiration date and add a warning for RADIUS login. The password expiry date must be specified in UTC and in MM/DD/YYYY format. The password warning specifies the number of days prior to the password expiration that a warning of password expiration notifies the user. You either specify both attributes or none.
The authentication model using RADIUS and LDAP 5 Windows 2000 IAS For example, to configure a Windows 2000 internet authentication service (IAS) server to use VSA to pass the Admin role to the switch in the dial-in profile, the configuration specifies the Vendor code (1588), Vendor-assigned attribute number (1), and attribute value (admin), as shown in Figure 8 on page 93.
5 The authentication model using RADIUS and LDAP Brocade-Passwd-ExpiryDate = "11/10/2008", Brocade-Passwd-WarnPeriod = "30" RADIUS configuration with Admin Domains or Virtual Fabrics When configuring users with Admin Domains or Virtual Fabrics, you must also include the Admin Domain or Virtual Fabric member list. This section describes the way that you configure attribute types for this configuration.
The authentication model using RADIUS and LDAP 5 Brocade-Auth-Role = "operator", Brocade-AVPairs1 = "ADList=1,2;HomeAD=2", Brocade-AVPairs2 = "ADList=-4-8,20;ADList=7,9,12" In the next example, on a Linux FreeRadius Server, the user takes the “zoneAdmin” role, with VFlist 2, 4, 5, 6, 7, 8, 10, 11, 12, 13, 15, 17, 19, 22, 23, 24, 25, 29, 31 and HomeLF 1.
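The Python below is an added example, not Fabric OS or Brocade code, serving two passages at once: it parses Brocade-AVPairs strings of the form shown above (ADList/HomeAD and VFList/HomeLF, with repeated list keys unioned across attributes) into a profile, and then applies the subset rule from "Local database user accounts": an account may only be changed by an account whose ADlist or LFlist contains every entry of the target's. The operator value is the one from this section; the admin profiles with ADList 0-10 and 11-25 are constructed to match the subset-rule example in that section.

```python
# Added example, not Fabric OS or Brocade code. Parses Brocade-AVPairs
# strings such as "ADList=1,2;HomeAD=2" and applies the subset rule.

LIST_KEYS = {"ADList", "VFList"}   # membership lists (Admin Domains / logical fabrics)
HOME_KEYS = {"HomeAD", "HomeLF"}   # single home id


def parse_id_list(spec):
    """'1,2,4-8,20' -> {1, 2, 4, 5, 6, 7, 8, 20}."""
    ids = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            ids.update(range(int(lo), int(hi) + 1))
        else:
            ids.add(int(part))
    return ids


def parse_avpairs(values):
    """Merge one or more Brocade-AVPairsN attribute values into one profile.
    A list key repeated across attributes (or within one) is unioned."""
    profile = {}
    for value in values:
        for pair in value.split(";"):
            if "=" not in pair:
                continue
            key, val = (s.strip() for s in pair.split("=", 1))
            if key in LIST_KEYS:
                profile.setdefault(key, set()).update(parse_id_list(val))
            elif key in HOME_KEYS:
                profile[key] = int(val)
            else:
                profile[key] = val
    return profile


def can_manage(actor, target, key="ADList"):
    """Subset rule: every entry in the target's list must be in the actor's."""
    return target.get(key, set()) <= actor.get(key, set())


# The operator profile from this section, plus constructed admin profiles
# matching the ADList 0-10 / 11-25 example of the subset rule.
PAGE_OPERATOR = parse_avpairs(["ADList=1,2;HomeAD=2"])
ADMIN_0_10 = parse_avpairs(["ADList=0-10;HomeAD=0"])
ADMIN_11_25 = parse_avpairs(["ADList=11-25;HomeAD=11"])

if __name__ == "__main__":
    print("operator:", PAGE_OPERATOR)
    print("admin 0-10 may change operator:", can_manage(ADMIN_0_10, PAGE_OPERATOR))
    print("admin 0-10 may change admin 11-25:", can_manage(ADMIN_0_10, ADMIN_11_25))
```

The same parser handles the VFList/HomeLF form used for Virtual Fabrics; pass key="VFList" to can_manage to apply the LFlist variant of the rule.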
5 The authentication model using RADIUS and LDAP
#
# attributes
#
ATTRIBUTE Brocade-Auth-Role          1 string Brocade
ATTRIBUTE Brocade-AVPairs1           2 string Brocade
ATTRIBUTE Brocade-AVPairs2           3 string Brocade
ATTRIBUTE Brocade-AVPairs3           4 string Brocade
ATTRIBUTE Brocade-AVPairs4           5 string Brocade
ATTRIBUTE Brocade-Passwd-ExpiryDate  6 string Brocade
ATTRIBUTE Brocade-Passwd-WarnPeriod  7 string Brocade
This defines the Brocade vendor ID as 1588, the Brocade attribute 1 as Brocade-Auth-Role and 6 as Brocade-Passwd
The authentication model using RADIUS and LDAP 5 When you use network information service (NIS) for authentication, the only way to enable authentication with the password file is to force the Brocade switch to authenticate using password authentication protocol (PAP); this requires the -a pap option with the aaaConfig command. Enabling clients Clients are the switches that will use the RADIUS server; each client must be defined. By default, all IP addresses are blocked.
5 The authentication model using RADIUS and LDAP NOTE If a user is configured prior to enabling reverse password encryption, then the user’s password is stored and cannot utilize CHAP. To use CHAP, the password must be re-entered after encryption is enabled. If the password is not re-entered, then CHAP authentication will not work and the user will be unable to authenticate from the switch. 3. Configuring a user IAS is the Microsoft implementation of a RADIUS server and proxy.
The authentication model using RADIUS and LDAP 5 RSA RADIUS server Traditional password-based authentication methods are based on one-factor authentication, where you confirm your identity using a memorized password. Two-factor authentication increases the security by using a second factor to corroborate identification. The first factor is either a PIN or password and the second factor is the RSA SecurID token. RSA SecurID with an RSA RADIUS server is used for user authentication.
5 The authentication model using RADIUS and LDAP ########################################################################### # brocade.dct -- Brocade Dictionary # # (See readme.dct for more details on the format of this file) ########################################################################### # # Use the Radius specification attributes in lieu of the Brocade one: # @radius.
The authentication model using RADIUS and LDAP 5 c. When selecting items from the Add Return List Attribute, select Brocade-Auth-Role and type the string Admin. The string will equal the role on the switch. d. Add the Brocade profile. e. In RSA Authentication Manager, edit the user records that will be authenticating using RSA SecurID.
5 The authentication model using RADIUS and LDAP or Use the ldapCfg --maprole ldap_role_name switch_role command to map an LDAP server role to one of the default roles available on the switch. 4. Associate the user to the group by adding the user to the group. For instructions on creating a user in your Active Directory, refer to www.microsoft.com or the Microsoft documentation. 5.
The authentication model using RADIUS and LDAP 5 Adding an Admin Domain or Virtual Fabric list 1. From the Windows Start menu, select Programs> Administrative Tools> ADSI.msc ADSI is a Microsoft Windows Resource Utility. This will need to be installed to proceed with the rest of the setup. For Windows 2003, this utility comes with Service Pack 1 or you can download this utility from the Microsoft web site. 2. Go to CN=Users 3. Right click on select Properties. Click the Attribute Editor tab. 4.
5 The authentication model using RADIUS and LDAP Authentication servers on the switch At least one RADIUS or LDAP server must be configured before you can enable RADIUS or LDAP service. You can configure the RADIUS or LDAP service even if it is disabled on the switch. You can configure up to five RADIUS or LDAP servers. You must be logged in as admin or switchAdmin to configure the RADIUS service.
The authentication model using RADIUS and LDAP 5 When the command succeeds, the event log indicates that the server is removed. Changing a RADIUS or LDAP server configuration 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the aaaConfig --change command. Changing the order in which RADIUS or LDAP servers are contacted for service 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the aaaConfig --move command.
Chapter 6 Configuring Standard Security Features
In this chapter
• Security protocols
• Secure Copy
• Secure Shell protocol
• Secure Sockets Layer protocol
6 Secure Copy TABLE 16 Secure protocol support Protocol Description SSH Secure Shell (SSH) is a network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary. SSL Fabric OS uses secure socket layer (SSL) to support HTTPS.
Secure Shell protocol 6 Setting up SCP for configUploads and downloads 1. Log in to the switch as admin. 2. Type the configure command. 3. Type y or yes at the cfgload attributes prompt. 4. Type y or yes at the Enforce secure configUpload/Download prompt. Example of setting up SCP for configUpload/download switch:admin> configure Not all options will be available on an enabled switch. To disable the switch, use the "switchDisable" command. Configure...
6 Secure Shell protocol SSH public key authentication OpenSSH public key authentication provides password-less logins that use public and private key pairs for incoming and outgoing authentication. This feature allows only one allowed-user to be configured to utilize OpenSSH public key authentication. Using OpenSSH RSA and DSA, the authentication protocols are based on a pair of specially generated cryptographic keys, called the private key and the public key.
Example of RSA/DSA key pair generation
alloweduser@mymachine: ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/users/alloweduser/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /users/alloweduser/.ssh/id_dsa.
Your public key has been saved in /users/alloweduser/.ssh/id_dsa.pub.
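Before the public key file generated above is imported for the allowed-user, it is worth confirming that the one-line key really is the key type it claims to be and recording its fingerprint so it can be compared out of band. The following is an added example, not Fabric OS or OpenSSH code: it parses an OpenSSH public key line (RFC 4251/4253 encoding), checks the declared type against the blob, reads the key size and computes the SHA256 fingerprint that ssh-keygen -l prints. The sample key lines at the bottom are constructed for the example and are not real key material; the acceptance policy in acceptable() is this example's own assumption.

```python
import base64
import hashlib
import struct

# Added example (not Fabric OS or OpenSSH code): parse the one-line public key
# that ssh-keygen writes to id_rsa.pub or id_dsa.pub, check that the base64 blob
# really contains a key of the declared type, and compute the SHA256 fingerprint
# that ssh-keygen -l prints, so the key can be confirmed out of band before it
# is imported for the allowed-user. The sample keys at the bottom are
# constructed for this example and are not real key material.

def _ssh_string(data: bytes) -> bytes:
    """SSH 'string' encoding (RFC 4251): uint32 big-endian length, then bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    """SSH 'mpint' encoding (RFC 4251) for a non-negative integer."""
    if n == 0:
        return _ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:              # a set top bit would read as negative
        raw = b"\x00" + raw
    return _ssh_string(raw)

def _read_string(blob: bytes, pos: int):
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    pos += 4
    if pos + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos:pos + length], pos + length

def parse_public_key(line: str) -> dict:
    """Parse '<type> <base64> [comment]' and return type, size, fingerprint, comment."""
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    inner_type, pos = _read_string(blob, 0)
    if inner_type != key_type.encode():
        raise ValueError("declared type %s does not match blob type %r" % (key_type, inner_type))
    if key_type == "ssh-rsa":          # RFC 4253: string "ssh-rsa", mpint e, mpint n
        _e, pos = _read_string(blob, pos)
        n, pos = _read_string(blob, pos)
        bits = int.from_bytes(n, "big").bit_length()
    elif key_type == "ssh-dss":        # RFC 4253: string "ssh-dss", mpint p, q, g, y
        p, pos = _read_string(blob, pos)
        for _ in range(3):
            _, pos = _read_string(blob, pos)
        bits = int.from_bytes(p, "big").bit_length()
    else:
        raise ValueError("unsupported key type " + key_type)
    if pos != len(blob):
        raise ValueError("trailing bytes after key data")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": key_type, "bits": bits, "fingerprint": "SHA256:" + digest,
            "comment": fields[2] if len(fields) > 2 else ""}

def acceptable(line: str, min_rsa_bits: int = 2048) -> bool:
    """Import policy used by this example (an assumption, not a Fabric OS rule):
    accept only ssh-rsa of at least min_rsa_bits. ssh-dss is fixed at 1024 bits
    and disabled by default in OpenSSH 7.0 and later."""
    info = parse_public_key(line)
    return info["type"] == "ssh-rsa" and info["bits"] >= min_rsa_bits

def make_rsa_line(n: int, e: int = 65537, comment: str = "") -> str:
    """Build a public key line with the given modulus (constructed test data)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + (" " + comment if comment else "")

def make_dss_line(p: int, q: int, g: int, y: int, comment: str = "") -> str:
    """Build an ssh-dss line (constructed test data)."""
    blob = _ssh_string(b"ssh-dss") + b"".join(_ssh_mpint(v) for v in (p, q, g, y))
    return "ssh-dss " + base64.b64encode(blob).decode() + (" " + comment if comment else "")

# Constructed sample lines: the integers only have the right bit lengths, they are not keys.
SAMPLE_RSA_2048 = make_rsa_line((1 << 2047) | 1, comment="alloweduser@mymachine")
SAMPLE_RSA_1024 = make_rsa_line((1 << 1023) | 1, comment="alloweduser@mymachine")
SAMPLE_DSS_1024 = make_dss_line((1 << 1023) | 1, (1 << 159) | 1, 2, 3, comment="alloweduser@mymachine")
```

Run parse_public_key() on the contents of id_rsa.pub and compare the fingerprint it returns with what ssh-keygen -l -f id_rsa.pub prints on the workstation; the two must agree before the key is transferred to the switch.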
Use the sshUtil delpubkeys command to delete all public keys.

For more information on IP Filter policies, refer to Chapter 7, "Configuring Advanced Security Features".

Secure Sockets Layer protocol
Secure sockets layer (SSL) protocol provides secure access to a fabric through Web-based management tools like Web Tools. SSL support is a standard Fabric OS feature.
   a. A public and private key by using the secCertUtil genkey command.
   b. A certificate signing request (CSR) by using the secCertUtil gencsr command.
3. Store the CSR on a file server by using the secCertUtil export command.
4. Obtain the certificates from the CA. You can request a certificate from a CA through a Web browser. After you request a certificate, the CA either sends certificate files by e-mail (public) or gives access to them on a remote host (private).
Generating new rsa public/private key pair
Done.
The guide recommends selecting 1024 because CA support for the 2048-bit key size was limited when it was written. That is no longer the case: public CAs and current browsers reject RSA keys shorter than 2048 bits, so select 2048 whenever your CA can sign it.

Generating and storing a CSR
After generating a public/private key, perform this procedure on each switch.
1. Connect to the switch and log in as admin.
2. Enter the secCertUtil gencsr command.
3. Enter the requested information.
4. Enter the secCertUtil showcsr command. The contents of the CSR are displayed.
5. Locate the section that begins with "BEGIN CERTIFICATE REQUEST" and ends with "END CERTIFICATE REQUEST".
6. Copy and paste this section (including the BEGIN and END lines) into the area provided in the request form; then, follow the instructions to complete and send the request. It may take several days to receive the certificates.
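The copy-and-paste step above is where a truncated block or an undersized key goes unnoticed until the CA rejects the request days later. The following is an added example, not Fabric OS code: it pulls the PEM block out of captured secCertUtil showcsr output, decodes it, and walks the PKCS#10 DER structure (using a minimal hand-written DER encoder and decoder) far enough to read the RSA modulus size, so a 1024-bit key is caught before the CSR is sent. The sample CSR is constructed inside the example, the subject and key values are placeholders, and its signature bytes are zeros, so it is structurally valid but not a signed request.

```python
import base64
import re

# Added example (not Fabric OS code): extract the PEM block from captured
# "secCertUtil showcsr" output, decode it, and read the RSA modulus size from
# the PKCS#10 structure. The DER helpers are a minimal hand-written
# encoder/decoder; the sample CSR is constructed here and carries a zero
# signature, so it is structurally valid but not a signed request.

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE REQUEST-----\s*(.*?)\s*-----END CERTIFICATE REQUEST-----", re.S)

def extract_csr_pem(text: str) -> str:
    """Return the complete PEM block, BEGIN and END lines included, or raise."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no CERTIFICATE REQUEST block found in output")
    return m.group(0)

def pem_to_der(pem: str) -> bytes:
    body = PEM_RE.search(pem).group(1)
    return base64.b64decode("".join(body.split()), validate=True)

# --- minimal DER (X.690) encode/decode --------------------------------------
def der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_int(n: int) -> bytes:
    raw = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:                 # positive INTEGER needs a leading 0x00
        raw = b"\x00" + raw
    return der(0x02, raw)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def children(body: bytes) -> list:
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def csr_rsa_modulus_bits(der_bytes: bytes) -> int:
    """CertificationRequest ::= SEQ { certificationRequestInfo, sigAlg, sig }
    certificationRequestInfo ::= SEQ { version, subject, subjectPKInfo, attributes }
    subjectPKInfo ::= SEQ { algorithm, BIT STRING { RSAPublicKey SEQ { n, e } } }"""
    top_tag, top, _ = read_tlv(der_bytes, 0)
    if top_tag != 0x30:
        raise ValueError("CSR must start with a SEQUENCE")
    cri = children(top)[0][1]
    spki = children(cri)[2][1]
    bit_string = children(spki)[1][1]
    rsa_pub = children(bit_string[1:])[0][1]      # skip the unused-bits octet
    modulus = children(rsa_pub)[0][1]
    return int.from_bytes(modulus, "big").bit_length()

def csr_ok(showcsr_output: str, min_bits: int = 2048) -> bool:
    """True if the CSR in the captured output carries an RSA key of at least min_bits."""
    return csr_rsa_modulus_bits(pem_to_der(extract_csr_pem(showcsr_output))) >= min_bits

# --- constructed sample ------------------------------------------------------
RSA_OID = bytes.fromhex("06092a864886f70d010101")          # rsaEncryption
SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")   # sha256WithRSAEncryption
CN_OID = bytes.fromhex("0603550403")                        # commonName

def build_csr(modulus_bits: int) -> str:
    """PEM CSR whose RSA modulus has the given bit length (constructed, unsigned)."""
    n = (1 << (modulus_bits - 1)) | 1                       # placeholder, not a real modulus
    rsa_pub = der(0x30, der_int(n) + der_int(65537))
    spki = der(0x30, der(0x30, RSA_OID + b"\x05\x00") + der(0x03, b"\x00" + rsa_pub))
    subject = der(0x30, der(0x31, der(0x30, CN_OID + der(0x13, b"switch"))))
    cri = der(0x30, der_int(0) + subject + spki + der(0xA0, b""))
    csr = der(0x30, cri + der(0x30, SHA256_RSA_OID + b"\x05\x00") + der(0x03, b"\x00" + bytes(256)))
    b64 = base64.b64encode(csr).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE REQUEST-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE REQUEST-----"

# Constructed captures of what a showcsr session looks like around the block.
SAMPLE_OUTPUT_2048 = "switch:admin> seccertutil showcsr\n" + build_csr(2048) + "\nswitch:admin> "
SAMPLE_OUTPUT_1024 = "switch:admin> seccertutil showcsr\n" + build_csr(1024) + "\nswitch:admin> "
```

Paste the exact string that extract_csr_pem() returns into the CA's request form; anything the regular expression does not match (a missing END line, a line wrapped by the terminal) is what the CA would also reject.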
5. Follow the instructions in the Certificate Import wizard to import the certificate.

Checking and installing root certificates on Mozilla Firefox
1. Select Tools > Options.
2. Click Advanced.
3. Click the Encryption tab.
4. Click View Certificates > Authorities tab and scroll the list to see if the root certificate is listed. For example, its name may have the form nameRoot.crt.
In the example, changeit is the default password and RootCert is an example root certificate name.

Simple Network Management Protocol
The Simple Network Management Protocol (SNMP) is a standard method for monitoring and managing network devices. Using SNMP components, you can program tools to view, browse, and manipulate Brocade switch variables and set up enterprise-level management processes.
SNMP and Virtual Fabrics
When an SNMPv3 request arrives with a particular username, it executes in that user's home Virtual Fabric. Every SNMPv3 request sent from the SNMP manager must specify the home Virtual Fabric in the contextName field. Whenever the home Virtual Fabric is specified, it is converted to the corresponding switch ID and the home Virtual Fabric is set.
The snmpConfig command
Use the snmpConfig --set command to change either the SNMPv3 or SNMPv1 configuration. You can also change access control, MIB capability, and system group. SNMPv1 sends its community strings and all data in cleartext; where the management station supports it, use SNMPv3 with authentication and privacy. For details on Brocade MIB files, naming conventions, loading instructions, and information about using the Brocade SNMP agent, see the Fabric OS MIB Reference.

Telnet protocol
Telnet is enabled by default. Telnet sends credentials and session data in cleartext; use SSH for management access and, if Telnet is not needed, block TCP port 23 with an IP Filter policy.
switch:admin> ipfilter --activate BlockTelnet
9. Verify the new policy is active (the default_ipv4 policy should be displayed as defined).
Listener applications
Brocade switches block Linux subsystem listener applications that are not used to implement supported features and capabilities. Table 20 lists the listener applications that Brocade switches either block or do not start.
Port configuration
Table 22 provides information on ports that the switch uses. When configuring the switch for various policies, take into consideration firewalls and other devices that may sit between switches in the fabric and your network or between the managers and the switch.

TABLE 22 Port information
Port  Type  Common use  Comment
22    TCP   SSH, SCP
23    TCP   Telnet      Use the ipfilter command to block the port.
Chapter 7 Configuring Advanced Security Features

In this chapter
• ACL policies overview
• ACL policy management
• FCS policies
• DCC policies
Policies with the same state are grouped together in a Policy Set. Each switch has the following two sets:
• Active policy set, which contains ACL policies being enforced by the switch.
• Defined policy set, which contains a copy of all ACL policies on the switch.
When a policy is activated, the defined policy either replaces the policy with the same name in the active set or becomes a new active policy.
Displaying ACL policies
You can view the active and defined policy sets at any time. Additionally, in a defined policy set, policies created in the same login session also appear, but these policies are automatically deleted if you log out without saving them.
1. Connect to the switch and log in using an account assigned to the admin role.
2. Type the secPolicyShow command.
Adding a member to an existing ACL policy
As soon as a policy has been activated, the aspect of the fabric managed by that policy is enforced.
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the secPolicyAdd command.
3. To implement the change immediately, enter the secPolicyActivate command.
FCS policies
In base Fabric OS, the Fabric Configuration Server (FCS) policy is configured on a local switch basis and may be configured on any switch in the fabric. The FCS policy is not present by default, but must be created. When the FCS policy is created, the WWN of the local switch is automatically included in the FCS list. Additional switches can be included in the FCS list. The first switch in the list becomes the Primary FCS switch.
Table 25 shows the commands for switch operations for Primary FCS enforcement.
3. To save or activate the new policy, enter either the secPolicySave or the secPolicyActivate command. Once the policy has been activated you can distribute the policy.

NOTE
FCS policy must be consistent across the fabric. If the policy is inconsistent in the fabric, then you will not be able to perform any fabric-wide configurations from the primary FCS.

Modifying the order of FCS switches
1. Log in to the Primary FCS switch using an account assigned to the admin role.
2.
Only the Primary FCS switch is allowed to distribute the database. The FCS policy may need to be manually distributed across the fabric using the distribute -p command. Since this policy is distributed manually, the fddCfg --fabwideset command is used to distribute a fabric-wide consistency policy for the FCS policy in an environment consisting of only Fabric OS v6.1.0 and later switches.
Table 27 shows the possible DCC policy states.

TABLE 27 DCC policy states
Policy state            Characteristics
No policy               Any device can connect to any switch port in the fabric.
Policy with no entries  Any device can connect to any switch port in the fabric. An empty policy is the same as no policy.
Policy with entries     If a device WWN is specified in a DCC policy, that device is only allowed access to the switch if connected by a switch port listed in the same policy.
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the secPolicyCreate "DCC_POLICY_nnn" command. DCC_POLICY_nnn is the name of the DCC policy; nnn is a string consisting of up to 19 alphanumeric or underscore characters to differentiate it from any other DCC policies.
3. To save or activate the new policy, enter the appropriate command:
   • To save the policy, enter the secPolicySave command.
SCC policies
The switch connection control (SCC) policy is used to restrict which switches can join the fabric. Switches are checked against the policy each time an E_Port-to-E_Port connection is made. The policy is named SCC_POLICY and accepts members listed as WWNs, domain IDs, or switch names. Only one SCC policy can be created. By default, any switch is allowed to join the fabric; the SCC policy does not exist until it is created.
Authentication policy for fabric elements
By default, Fabric OS v6.1.0 and later use DH-CHAP or FCAP protocols for authentication. These protocols use shared secrets and digital certificates, based on switch WWN and public key infrastructure (PKI) technology, to authenticate switches. Authentication automatically defaults to FCAP if both switches are configured to accept FCAP protocol in authentication.
The DH group is used in the DH-CHAP protocol only. The FCAP protocol exchanges the DH group information, but does not use it.

Virtual Fabric considerations: If a Virtual Fabric is enabled, all AUTH module parameters such as shared secrets, and shared switch and device policies, are logical switch-wide.
CAUTION
If data input has not been completed and a failover occurs, the command is terminated without completion and your entire input is lost. If data input has completed, the enter key pressed, and a failover occurs, data may or may not be replicated to the other CP depending on the timing of the failover. Log in to the other CP after the failover is complete and verify the data was saved. If data was not saved, run the command again.
Warning: Activating the authentication policy requires DH-CHAP secrets on both switch and device.
Otherwise, the F-port will be disabled during next F-port bring-up.
ARE YOU SURE (yes, y, no, n): [no] y
Device authentication is set to PASSIVE

AUTH policy restrictions
All fabric element authentication configurations are performed on a local switch basis.
Viewing the current authentication parameter settings for a switch
1. Log in to the switch using an account assigned to the admin role.
2. Enter the authUtil --show command.

Example of output from the authUtil --show command
AUTH TYPE     HASH TYPE   GROUP TYPE
-------------------------------------
fcap,dhchap   sha1,md5    0, 1, 2, 3, 4
Switch Authentication Policy: PASSIVE
Device Authentication Policy: OFF

Setting the authentication protocol used by the switch to DH-CHAP
1.
Example for enterprise-class platforms using the slot/port format
switch:admin> authutil --authinit 1/1, 1/2

Secret key pairs
When you configure the switches at both ends of a link to use DH-CHAP for authentication, you must also define a secret key pair, one for each end of the link. Use the secAuthSecret command to perform the following tasks:
• View the WWN of switches with a secret key pair.
• Set the secret key pair for switches.
This command is used to set up secret keys for DH-CHAP authentication. The minimum length of a secret key is 8 characters and the maximum is 40 characters. Setting up secret keys does not initiate DH-CHAP authentication. If the switch is configured to do DH-CHAP, it is performed whenever a port or a switch is enabled. Where both ends support it, select sha1 rather than md5 as the hash type.
Warning: Please use a secure channel for setting secrets. Using an insecure channel is not safe and may compromise secrets.
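What the "secret key pair" above means in practice is easiest to see in an exchange. The following is an added example, not Fabric OS code and not the FC-SP DH-CHAP wire format: it models two switches that each store, per peer, the peer's secret (used to check the peer's response) and their own local secret (which the peer must hold to check theirs), runs a mutual challenge-response with the hash types that authUtil --show lists, and applies the 8-to-40-character limit of secAuthSecret. DH group 0 is the null group and reduces the exchange to plain CHAP; the "group 1" here uses a small constructed prime only to show where the Diffie-Hellman value enters the hash, and is not an FC-SP group. WWNs and secrets are invented.

```python
import hashlib
import os

# Added example (not Fabric OS code and not the FC-SP DH-CHAP wire format): a
# model of the secret key pair that secAuthSecret configures. Each switch stores,
# per peer, (peer secret, local secret). DH group 0 is the null group (plain
# CHAP); group 1 uses a small constructed prime, not an FC-SP group, purely to
# show where the DH value enters the hash. WWNs and secrets are invented.

MIN_SECRET, MAX_SECRET = 8, 40                    # secAuthSecret limits from the text
GROUPS = {0: None, 1: (0xFFFFFFFB, 2)}            # group -> (prime, generator); toy values

def check_secret(secret: str) -> str:
    if not MIN_SECRET <= len(secret) <= MAX_SECRET:
        raise ValueError("secret must be %d to %d characters" % (MIN_SECRET, MAX_SECRET))
    return secret

class Switch:
    def __init__(self, wwn: str, hash_name: str = "sha1", group: int = 0):
        self.wwn, self.hash_name, self.group = wwn, hash_name, group
        self.secrets = {}        # peer WWN -> (peer secret, local secret)

    def set_secret_pair(self, peer_wwn: str, peer_secret: str, local_secret: str):
        self.secrets[peer_wwn] = (check_secret(peer_secret), check_secret(local_secret))

    def response(self, secret: str, challenge: bytes, dh_shared: bytes) -> bytes:
        """CHAP-style answer: hash over the secret, the challenge and the DH value."""
        h = hashlib.new(self.hash_name)
        h.update(secret.encode() + challenge + dh_shared)
        return h.digest()

def dh_shared_values(group: int):
    """Shared DH value as computed by each side (empty for the null group)."""
    if GROUPS[group] is None:
        return b"", b""
    p, g = GROUPS[group]
    x = int.from_bytes(os.urandom(8), "big") % (p - 2) + 1
    y = int.from_bytes(os.urandom(8), "big") % (p - 2) + 1
    shared_a = pow(pow(g, y, p), x, p).to_bytes(4, "big")   # a uses b's public value
    shared_b = pow(pow(g, x, p), y, p).to_bytes(4, "big")   # b uses a's public value
    return shared_a, shared_b

def authenticate(a: Switch, b: Switch) -> bool:
    """Mutual authentication: a challenges b, then b challenges a."""
    if a.hash_name != b.hash_name or a.group != b.group:
        return False
    if b.wwn not in a.secrets or a.wwn not in b.secrets:
        return False                        # no secret pair configured for this peer
    shared_a, shared_b = dh_shared_values(a.group)
    b_secret_as_a_knows_it, a_local = a.secrets[b.wwn]
    a_secret_as_b_knows_it, b_local = b.secrets[a.wwn]
    challenge_1 = os.urandom(16)            # a -> b
    if b.response(b_local, challenge_1, shared_b) != a.response(b_secret_as_a_knows_it, challenge_1, shared_a):
        return False
    challenge_2 = os.urandom(16)            # b -> a
    return a.response(a_local, challenge_2, shared_a) == b.response(a_secret_as_b_knows_it, challenge_2, shared_b)

def demo() -> tuple:
    """(matching pair, peer with a wrong local secret, matching pair with DH group 1)."""
    a = Switch("10:00:00:05:1e:00:00:01")
    b = Switch("10:00:00:05:1e:00:00:02")
    a.set_secret_pair(b.wwn, peer_secret="secretOfB01", local_secret="secretOfA01")
    b.set_secret_pair(a.wwn, peer_secret="secretOfA01", local_secret="secretOfB01")
    wrong = Switch(b.wwn)
    wrong.set_secret_pair(a.wwn, peer_secret="secretOfA01", local_secret="notTheRealB")
    a1, b1 = Switch(a.wwn, group=1), Switch(b.wwn, group=1)
    a1.secrets, b1.secrets = a.secrets, b.secrets
    return authenticate(a, b), authenticate(a, wrong), authenticate(a1, b1)
```

The second case in demo() is the one the Warning text above is about: a peer holding the wrong local secret fails the first half of the exchange, and with DH-CHAP active on an enabled port that failure disables the port.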
IP Filter policy
The IP Filter policy is a set of rules applied to the IP management interfaces as a packet filtering firewall. The firewall permits or denies the traffic to go through the IP management interfaces according to the policy rules. Fabric OS supports multiple IP Filter policies to be defined at the same time. Each IP Filter policy is identified by a name and has an associated type.
For each IP Filter policy, the policy name, type, persistent state and policy rules are displayed. The policy rules are listed by the rule number in ascending order. There is no pagination stop for multiple screens of information; pipe the output to the |more command to achieve this. If a temporary buffer exists for an IP Filter policy, the --show subcommand displays the content in the temporary buffer, with the persistent state set to no.
1.
Each rule contains the following elements:
• Source Address: A source IP address or a group prefix.
• Destination Port: The destination port number or name, such as: Telnet, SSH, HTTP, HTTPS.
• Protocol: The protocol type. Supported types are TCP or UDP.
• Action: The filtering action taken by this rule, either Permit or Deny.
For an IPv4 filter policy, the source address has to be a 32-bit IPv4 address in dot decimal notation.
For every IP Filter policy, the two rules listed in Table 30 are always assumed to be appended implicitly to the end of the policy. This ensures that TCP and UDP traffic to dynamic port ranges is allowed, so that management IP traffic initiated from a switch, such as syslog, radius and ftp, is not affected.

TABLE 30 Implicit IP Filter rules
Source address  Destination port  Protocol  Action
Any             1024-65535        TCP       Permit
Any             1024-65535        UDP       Permit

A switch with Fabric OS v6.1.
NOTE
If a switch is part of a LAN behind a Network Address Translation (NAT) server, depending on the NAT server configuration, the source address in an IP Filter rule may have to be the NAT server address.

Adding a rule to an IP Filter policy
There can be a maximum of 256 rules created for an IP Filter policy. The change to the specified IP Filter policy is not saved to the persistent configuration until a save or activate subcommand is run.
1.
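The rule elements, the implicit trailing rules and the 256-rule limit above fully describe how a policy is evaluated, which makes it possible to check a rule set for management lockout before activating it (the BlockTelnet activation earlier in this chapter is the typical case). The following is an added example, not Fabric OS code: a model of IP Filter policy evaluation with two assumptions the guide does not state, namely that rules are tried in ascending rule-number order with the first match winning, and that traffic matching no rule (implicit rules included) is denied. The policies, addresses and management hosts at the bottom are constructed for the example.

```python
import ipaddress

# Added example (not Fabric OS code): a model of how an IP Filter policy is
# applied, so a rule set can be checked for lockout before it is activated on
# the management interface. Assumptions not stated by the guide: rules are tried
# in ascending rule-number order and the first match wins; traffic that matches
# no rule (implicit rules included) is denied. Policies below are constructed.

MAX_RULES = 256                    # limit stated in the guide
PORT_NAMES = {"ssh": 22, "telnet": 23, "http": 80, "https": 443}
IMPLICIT_RULES = [                 # Table 30: always appended to every policy
    {"sip": None, "dp": (1024, 65535), "proto": "tcp", "act": "permit"},
    {"sip": None, "dp": (1024, 65535), "proto": "udp", "act": "permit"},
]

def parse_port(spec) -> tuple:
    """'23', 'telnet' or '600-1023' -> (low, high)."""
    spec = str(spec).lower()
    if spec in PORT_NAMES:
        return (PORT_NAMES[spec], PORT_NAMES[spec])
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi) if hi else int(lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError("bad port range " + spec)
    return (lo, hi)

def parse_source(spec, version: int):
    """'any', a single address or a prefix; must match the policy's IP version."""
    if spec == "any":
        return None
    net = ipaddress.ip_network(spec, strict=False)
    if net.version != version:
        raise ValueError("source %s is not IPv%d" % (spec, version))
    return net

class IpFilterPolicy:
    def __init__(self, name: str, version: int = 4):
        self.name, self.version, self.rules = name, version, {}

    def add_rule(self, number: int, sip, dp, proto: str, act: str):
        if number in self.rules:
            raise ValueError("rule %d already exists" % number)
        if len(self.rules) >= MAX_RULES:
            raise ValueError("policy already has %d rules" % MAX_RULES)
        if proto not in ("tcp", "udp") or act not in ("permit", "deny"):
            raise ValueError("protocol must be tcp/udp and action permit/deny")
        self.rules[number] = {"sip": parse_source(sip, self.version),
                              "dp": parse_port(dp), "proto": proto, "act": act}

    def evaluate(self, src_ip: str, dst_port: int, proto: str) -> str:
        """Return 'permit' or 'deny' for one inbound management packet."""
        src = ipaddress.ip_address(src_ip)
        ordered = [self.rules[n] for n in sorted(self.rules)] + IMPLICIT_RULES
        for rule in ordered:
            if rule["proto"] != proto:
                continue
            if rule["sip"] is not None and src not in rule["sip"]:
                continue
            lo, hi = rule["dp"]
            if lo <= dst_port <= hi:
                return rule["act"]
        return "deny"                          # assumption: default deny

def locked_out(policy: IpFilterPolicy, mgmt_hosts) -> list:
    """Management hosts that would lose SSH once the policy is activated."""
    return [h for h in mgmt_hosts if policy.evaluate(h, 22, "tcp") != "permit"]

def block_telnet_policy() -> IpFilterPolicy:
    """Constructed BlockTelnet policy: keep SSH and HTTPS open, deny Telnet."""
    p = IpFilterPolicy("BlockTelnet")
    p.add_rule(1, "any", "ssh", "tcp", "permit")
    p.add_rule(2, "any", "telnet", "tcp", "deny")
    p.add_rule(3, "any", "https", "tcp", "permit")
    return p

def admin_only_policy() -> IpFilterPolicy:
    """Constructed policy that restricts SSH to one management prefix."""
    p = IpFilterPolicy("AdminOnly")
    p.add_rule(1, "10.1.0.0/16", "ssh", "tcp", "permit")
    p.add_rule(2, "any", "ssh", "tcp", "deny")
    p.add_rule(3, "any", "https", "tcp", "permit")
    return p
```

Run locked_out() with the addresses of every jump host and management station before the activate subcommand; a non-empty list means the policy would cut off an administrator, and the only way back in is the serial console.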
Policy database distribution
Fabric OS lets you manage and enforce the ACL policy database on either a per-switch or fabric-wide basis. The local switch distribution setting and the fabric-wide consistency policy affect the switch ACL policy database and related distribution behavior.
1. An error is returned indicating that the distribution setting must be accept before you can set the fabric-wide consistency policy.

Database distribution settings
The distribution settings control whether a switch accepts or rejects distributions of databases from other switches and whether or not the switch may initiate a distribution. Configure the distribution setting to reject when maintaining the database on a per-switch basis.
Disabling local switch protection
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the fddCfg --localaccept command.

ACL policy distribution to other switches
This section explains how to manually distribute local ACL policy databases. The distribute command has the following dependencies:
• All target switches must be running Fabric OS v6.1.0 or later.
TABLE 34 Fabric-wide consistency policy settings
Setting   Value        When a policy is activated
Absent    null         Database is not automatically distributed to other switches in the fabric.
Tolerant  database_id  All updated and new policies of the type specified (SCC, DCC, or both) are distributed to all Fabric OS v6.1.0 and later switches in the fabric.
Notes on joining a switch to the fabric
When a switch is joined to a fabric with a tolerant SCC or DCC fabric-wide consistency policy, the joining switch must have a matching tolerant SCC or DCC fabric-wide consistency policy. If the tolerant SCC or DCC fabric-wide consistency policies do not match, the switch can join the fabric, but an error message flags the mismatch.
Table 35 describes the impact of merging fabrics with the same fabric-wide consistency policy that have SCC, DCC, or both policies.

TABLE 35 Merging fabrics with matching fabric-wide consistency policies
Fabric-wide consistency policy  Fabric A ACL policies  Fabric B ACL policies  Merge results  Database copied
None                            None                   None                   Succeeds       No ACL policies copied.
None                            None                   SCC/DCC                Succeeds       No ACL policies copied.
None                            None                   None                   Succeeds       No ACL policies copied.
TABLE 37 Fabric merges with tolerant/absent combinations
Fabric-wide consistency policy setting (Tolerant/Absent)   Expected behavior
Fabric A   Fabric B
SCC;DCC    DCC      Error message logged. Run fddCfg --fabwideset "" from any switch with the desired configuration to fix the conflict. The secPolicyActivate command is blocked until the conflict is resolved.
SCC;DCC    SCC      Same as above.
DCC        SCC      Same as above.
Configuration examples
Below are several examples of various configurations you can use to implement an IPsec tunnel between two devices. You can configure other scenarios as nested combinations of these configurations.

Endpoint-to-Endpoint Transport or Tunnel
In this scenario, both endpoints of the IP connection implement IPsec, as required of hosts in RFC 4301. Transport mode is commonly used here because no inner IP header is needed.
Endpoint-to-Gateway Tunnel
In this scenario, a protected endpoint (typically a portable computer) connects back to its corporate network through an IPsec-protected tunnel. It might use this tunnel only to access information on the corporate network, or it might tunnel all of its traffic back through the corporate network in order to take advantage of protection provided by a corporate firewall against Internet-based attacks.
Security associations
A security association (SA) is the collection of security parameters and authenticated keys that are negotiated between IPsec peers. For the peers to be able to encapsulate and decapsulate the IPsec packets, they need a way to store the secret keys, algorithms, and IP addresses involved in the communication. All these parameters needed for the protection of the IP datagram are stored in the SA.
TABLE 38 Algorithms and associated authentication policies
Algorithm     Encryption level  Policy  Description
3des_cbc      168-bit           ESP     Triple DES is a more secure variant of DES. It uses three different 56-bit keys to encrypt blocks of 64-bit plain text. The algorithm is FIPS-approved for use by Federal agencies.
blowfish_cbc  64-bit            ESP     Blowfish is a 32-bit to 448-bit keyed, symmetric block cipher.

Both 3DES and Blowfish encrypt 64-bit blocks, which limits how much data can safely be sent under one key; prefer an AES transform whenever both peers support one.
Key management
The IPsec key management supports Internet Key Exchange or manual key/SA entry. The Internet Key Exchange (IKE) protocol handles key management automatically. SAs require keying material for authentication and encryption. The managing of keying material that SAs require is called key management. The IKE protocol solves the most prominent problem in the setup of secure communication: the authentication of the peers and the exchange of the symmetric keys.
Creating the tunnel
Each side of the tunnel must be configured in order for the tunnel to come up. Once you are logged into the switch, do not log off as each step requires that you are logged in to the switch. IPsec configuration changes take effect upon execution and are persistent across reboots.
Example of creating an IPsec transform
This example creates an IPsec transform TRANSFORM01 to use the transport mode to protect traffic identified for IPsec protection and use IKE01 as key management policy.
switch:admin> ipsecconfig --add policy ips transform -t TRANSFORM01 \
  -mode transport -sa-proposal IPSEC-AH \
  -action protect -ike IKE01
9. Create a traffic selector on each switch using the ipSecConfig --add command.
1. On the system console, log in to the switch as Admin.
2. Enable IPsec.
   a. Connect to the switch and log in using an account assigned to the admin role.
   b. Enter the ipsecConfig --enable command to enable IPsec on the switch.
3. Create an IPsec SA policy named AH01, which uses AH protection with MD5.
switch:admin> ipsecconfig --add policy ips sa -t AH01 \
  -p ah -auth hmac_md5
4. Create an IPsec proposal IPSEC-AH to use AH01 as SA.
   a. Initiate a Telnet, SSH or ping session from BRCD300 to the remote host.
   b. Verify that the IP traffic is encapsulated.
   c. Monitor the IPsec SAs created using IKE for the above traffic flow.
• Use the ipsecConfig --show manual-sa -a command with the operands specified to display the outbound and inbound SAs in the kernel SADB.
• Use the ipsecConfig --show policy ips sa -a command with the specified operands to display all IPsec SA policies.
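The AH01 policy created in step 3 above protects integrity only, and AH covers the outer IP header, which is why the NAT note earlier in this chapter matters for IPsec as well: a translated source address fails the check. The following is an added example, not Fabric OS code: it computes and verifies the AH integrity check value for an IPv4 packet the way an hmac_md5 SA does (mutable header fields zeroed per RFC 4302, HMAC-MD5 truncated to 96 bits per RFC 2403) and shows that a TTL decrement in transit is tolerated while a NAT rewrite or a payload change is not. The packet, key, addresses, SPI and payload are constructed for the example.

```python
import hashlib
import hmac
import socket
import struct

# Added example (not Fabric OS code): the integrity check that an AH SA created
# with "-p ah -auth hmac_md5" performs. Per RFC 4302 the ICV is computed over
# the IP header with the mutable fields (TOS, flags/fragment offset, TTL, header
# checksum) zeroed, the AH header with its ICV field zeroed, and the payload;
# HMAC-MD5-96 (RFC 2403) keeps the first 96 bits. Everything below is constructed.

IPV4_FMT = "!BBHHHBBH4s4s"     # ver/IHL, TOS, total len, id, flags/frag, TTL, proto, csum, src, dst
AH_FIXED_FMT = "!BBHII"        # next header, payload len, reserved, SPI, sequence
AH_ICV_LEN = 12                # 96-bit truncated ICV
IPPROTO_AH = 51

def ipv4_header(src: str, dst: str, ttl: int, total_len: int, proto: int = IPPROTO_AH) -> bytes:
    """IPv4 header with the checksum left at zero (it is a mutable field anyway)."""
    return struct.pack(IPV4_FMT, 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(ip_hdr: bytes) -> bytes:
    f = list(struct.unpack(IPV4_FMT, ip_hdr[:20]))
    f[1] = f[4] = f[5] = f[7] = 0          # TOS, flags/fragment offset, TTL, checksum
    return struct.pack(IPV4_FMT, *f)

def ah_fixed(next_header: int, spi: int, seq: int) -> bytes:
    """AH header without the ICV; payload len is AH length in 32-bit words minus 2."""
    words = (struct.calcsize(AH_FIXED_FMT) + AH_ICV_LEN) // 4
    return struct.pack(AH_FIXED_FMT, next_header, words - 2, 0, spi, seq)

def ah_icv(key: bytes, ip_hdr: bytes, ah_no_icv: bytes, payload: bytes) -> bytes:
    data = zero_mutable(ip_hdr) + ah_no_icv + bytes(AH_ICV_LEN) + payload
    return hmac.new(key, data, hashlib.md5).digest()[:AH_ICV_LEN]

def build_ah_packet(key: bytes, src: str, dst: str, ttl: int, payload: bytes,
                    spi: int = 0x1000, seq: int = 1, inner_proto: int = 6) -> bytes:
    total = 20 + struct.calcsize(AH_FIXED_FMT) + AH_ICV_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, ttl, total)
    ah_no_icv = ah_fixed(inner_proto, spi, seq)
    return ip_hdr + ah_no_icv + ah_icv(key, ip_hdr, ah_no_icv, payload) + payload

def verify_ah_packet(key: bytes, packet: bytes) -> bool:
    """Receiver side: recompute the ICV from the packet as it arrived."""
    ip_hdr, ah_no_icv = packet[:20], packet[20:32]
    icv, payload = packet[32:32 + AH_ICV_LEN], packet[32 + AH_ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_no_icv, payload))

def rewrite_header(packet: bytes, ttl=None, src=None) -> bytes:
    """What a router (TTL decrement) or a NAT device (source rewrite) does in transit."""
    f = list(struct.unpack(IPV4_FMT, packet[:20]))
    if ttl is not None:
        f[5] = ttl
    if src is not None:
        f[8] = socket.inet_aton(src)
    return struct.pack(IPV4_FMT, *f) + packet[20:]

KEY = b"constructed-hmac-md5-key"       # constructed example key, not a real SA key

def demo() -> tuple:
    """(valid as sent, valid after TTL decrement, valid after NAT, valid after payload change)."""
    pkt = build_ah_packet(KEY, "10.1.2.3", "10.1.2.4", 64, b"hello from BRCD300")
    routed = rewrite_header(pkt, ttl=63)
    natted = rewrite_header(pkt, src="192.0.2.1")
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 1])
    return (verify_ah_packet(KEY, pkt), verify_ah_packet(KEY, routed),
            verify_ah_packet(KEY, natted), verify_ah_packet(KEY, tampered))
```

The third result in demo() is the practical consequence: if a NAT device sits between the two management interfaces, an AH-based SA will never verify, and ESP (which does not cover the outer header) is the transform to choose.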
Chapter 8 Maintaining the Switch Configuration File

In this chapter
• Configuration settings
• Configuration file backup
• Configuration file restoration
• Configurations across a fabric
If you have the chassis role permissions added to your user account, then the following options are available whether you are uploading or downloading a configuration file:
-fid   Uploads the specified FID's configuration.
-all   Uploads all of the system's configuration, including the chassis section and all switch sections for all logical switches.
[Bottleneck Configuration]
[Zoning]
[Defined Security policies]
[Active Security policies]
[iSCSI]
[cryptoDev]
[FICU SAVED FILES]
[Banner]
[End]
[Switch Configuration End : 0]
date = Thu Apr 2 21:28:52 2009
[Switch Configuration Begin : 1]
SwitchName = switch_2
Fabric ID = 1
[Boot Parameters]
[Configuration]
[Bottleneck Configuration]
[Zoning]
[Defined Security policies]
[Active Security policies]
[iSCSI]
[cryptoDev]
[FICU SAVED FILES]
[Banner]
[End]
[Switch Configuration End : 1
• FCoE chassis configuration
• licensesDB
• bottleneck configuration
• DMM_WWN
• licenses
• GE blade mode
• Fabric Watch chassis configuration

Switch section
There is always at least one switch section for the default switch or a switch that has Virtual Fabric mode disabled, and there are additional sections corresponding to each additionally defined logical switch instance on a switch with Virtual Fabrics mode enabled.
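The section layout shown above (chassis sections, then one "[Switch Configuration Begin : n]" to "[Switch Configuration End : n]" block per logical switch, each containing its own [Defined Security policies] and [Active Security policies] sections) is regular enough to parse, which makes a stored backup useful for more than restoration: it can be compared against a fresh upload to show configuration drift. The following is an added example, not Fabric OS code: it parses that layout and lists every changed entry in the two security-policy sections of each logical switch. The two uploads and the key/value lines inside their sections are constructed for the example; the WWNs are invented.

```python
import re

# Added example (not Fabric OS code): parse the section layout of a configUpload
# file and compare the Defined and Active Security policies sections of two
# uploads per logical switch, so drift against a stored backup is visible.
# The two files and the key/value lines in them are constructed for this example.

SWITCH_BEGIN = re.compile(r"^\[Switch Configuration Begin : (\d+)\]$")
SWITCH_END = re.compile(r"^\[Switch Configuration End : (\d+)\]$")
SECTION = re.compile(r"^\[(.+)\]$")
SECURITY_SECTIONS = ("Defined Security policies", "Active Security policies")

def parse_config(text: str) -> dict:
    """Return {"chassis": {section: {key: value}}, "switches": {index: {section: {key: value}}}}.
    Lines outside any [section] (SwitchName, Fabric ID, date) are kept under "_header"."""
    result = {"chassis": {}, "switches": {}}
    current, section = result["chassis"], "_header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SWITCH_BEGIN.match(line)
        if m:
            current = result["switches"].setdefault(int(m.group(1)), {})
            section = "_header"
            continue
        if SWITCH_END.match(line):
            current, section = result["chassis"], "_header"
            continue
        m = SECTION.match(line)
        if m:
            section = "_header" if m.group(1) == "End" else m.group(1)
            current.setdefault(section, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            current.setdefault(section, {})[key.strip()] = value.strip()
    return result

def diff_security_policies(old_text: str, new_text: str) -> list:
    """(switch index, section, key, old value, new value) for every changed policy entry."""
    old, new = parse_config(old_text), parse_config(new_text)
    changes = []
    for idx in sorted(set(old["switches"]) | set(new["switches"])):
        for sec in SECURITY_SECTIONS:
            o = old["switches"].get(idx, {}).get(sec, {})
            n = new["switches"].get(idx, {}).get(sec, {})
            for key in sorted(set(o) | set(n)):
                if o.get(key) != n.get(key):
                    changes.append((idx, sec, key, o.get(key), n.get(key)))
    return changes

# Constructed uploads following the layout shown above; WWNs and keys are invented.
BACKUP_UPLOAD = """\
[Boot Parameters]
boot.ipa = 10.1.2.3
[Switch Configuration Begin : 0]
SwitchName = switch_1
Fabric ID = 128
[Boot Parameters]
[Zoning]
[Defined Security policies]
S01_POLICY = 10:00:00:05:1e:00:00:01;10:00:00:05:1e:00:00:02
[Active Security policies]
S01_POLICY = 10:00:00:05:1e:00:00:01;10:00:00:05:1e:00:00:02
[End]
[Switch Configuration End : 0]
date = Thu Apr 2 21:28:52 2009
"""
CURRENT_UPLOAD = BACKUP_UPLOAD.replace(
    "[Active Security policies]\nS01_POLICY = 10:00:00:05:1e:00:00:01;10:00:00:05:1e:00:00:02",
    "[Active Security policies]\nS01_POLICY = 10:00:00:05:1e:00:00:01;10:00:00:05:1e:00:00:02;"
    "10:00:00:05:1e:00:00:99")
```

A non-empty result from diff_security_policies() on a scheduled upload against the last approved backup is a cheap detector for an SCC or DCC policy that was activated but never reviewed.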
Uploading a configuration file in interactive mode
1. Verify that the FTP or SCP service is running on the host computer.
2. Connect to the switch and log in as admin.
3. Enter the configUpload command. The command becomes interactive and you are prompted for the required information.
4. Store a soft copy of the switch configuration information in a safe place for future reference.
If a configDownload command is issued on a non-FCR platform, for example, the configuration file from a Brocade 7500 downloads to a Brocade 7600, any FCR-like parameters may be viewed in the downloaded data. This is harmless to the switch and can be ignored. Configuration management supports configDownload with 6.1.x or 6.2.0 configuration files. Configuration files from a system running Fabric OS v6.2.
In case something happens to your switch and you need to set it up again, run the commands listed in Table 39 and save the output in a file format. Store the files in a safe place for emergency reference.

TABLE 39 CLI commands to display or modify switch configuration information
Command     Displays
configShow  System configuration parameters and settings, and license information.
fcLunQuery  A list of LUN IDs and LUNs for all accessible targets.
Restoring a configuration

CAUTION
Using the SFID parameter erases all configuration information on the logical switch. Use this parameter only when the logical switch has no configuration information you want to save.

1. Verify that the FTP service is running on the server where the backup configuration file is located.
2. Connect to the switch and log in using an account assigned to the admin role, and if necessary with the chassis-role permission.
3.
Do you want to continue [y/n]: y
Password:
configDownload complete.

Example of a configDownload with Admin Domains
The following example shows configDownload run on a switch with Admin Domains:
switch:AD5:admin> configdownload
Protocol (scp or ftp) [ftp]:
Server Name or IP Address [host]: 10.1.2.3
User Name [user]: UserFoo
Path/Filename [/config.txt]: /pub/configurations/config.
TABLE 40 Backup and restore in a FICON CUP environment
ASM bit    Command         Description
on or off  configUpload    All the files saved in the file access facility are uploaded to the management workstation. A section in the uploaded configuration file labeled FICON_CUP is in an encoded format.
on         configDownload  Files saved on the switch that are also present in the FICON_CUP section of the configuration file are overwritten.
3. Run configDefault on each of the target switches, and then use the configDownload command to download the configuration file to each of the target switches. See "Configuration file restoration" on page 167 for more information.

Security considerations
Security parameters and the switch's identity cannot be changed by the configDownload command.
configUpload complete: VF config parameters are uploaded
2009/07/20-09:13:40, [LOG-1000], 225, SLOT 7 | CHASSIS, INFO, BrocadeDCX, Previous message repeated 7 time(s)
2009/07/20-10:27:14, [CONF-1001], 226, SLOT 7 | FID 128, INFO, DCX_80, configUpload completed successfully for VF config parameters.
Do you want to continue [y/n]: y
(output truncated)

Restrictions
• The -vf option is incompatible with the -fid, -sfid, or -all options. Any attempt to combine it with any of the other three will fail the configupload/download operation.
• You are not allowed to modify the Virtual Fabric configuration file after it has been uploaded. Only minimal verification is done by configdownload to ensure it is compatible, much like the normal configdownload file.
TABLE 41 Brocade configuration and connection (Continued)
Brocade configuration settings
Total number of devices in fabric (nsAllShow)
Total number of switches in the fabric (fabricShow)
Chapter 9 Installing and Maintaining Firmware

In this chapter
• Firmware download process overview
• Preparing for a firmware download
• Firmware download on switches
• Firmware download on an enterprise-class platform
• Firmware download from a USB device
You can download Fabric OS to a director, which is a chassis; and to a nonchassis-based system, also referred to as a switch. The difference in the download process is that directors have two CPs and nonchassis-based systems have one CP. Use the firmwareDownload command to download the firmware from either an FTP or SSH server by using either the FTP or SCP protocol to the switch.
In most cases, you will be upgrading firmware; that is, installing a newer firmware version than the one you are currently running. However, some circumstances may require installing an older version; that is, downgrading the firmware. The procedures in this section assume that you are upgrading firmware, but they work for downgrading as well, provided the old and new firmware versions are compatible.
A nondisruptive firmware download, which is performed by entering the firmwareDownload command without the -s operand, is only supported if you are upgrading from Fabric OS 6.1.x to 6.2.0. If you are downgrading from Fabric OS 6.2.0 to v6.1.x, you must enter the firmwareDownload -s command option as discussed in "Test and restore firmware on switches" on page 192 and "Test and restore firmware on enterprise-class platforms" on page 194.
Connected switches
Before you upgrade the firmware on your switch you will need to check the connected switches to ensure compatibility and that any older versions are supported. Refer to the Fabric OS Compatibility section of the Brocade Fabric OS Release Notes for the recommended firmware version.

NOTE
Go to http://www.brocade.com to view end-of-life policies for Brocade products. Navigate to the Support tab, then select Policies and Locations.
Firmware download on switches
Brocade 300, 4100, 4900, 5000, 5100, 5300, 5410, 5424, 5450, 5460, 5470, 5480, 7500, 7500E, 7600, 7800 and 8000 switches maintain primary and secondary partitions for firmware. The firmwareDownload command defaults to an autocommit option that automatically copies the firmware from one partition to the other.

NOTE
This section only applies when upgrading from Fabric OS v6.1.x to v6.2.0, or from different versions of v6.2.
Upgrading firmware for Brocade 300, 4100, 4900, 5000, 5100, 5300, 5410, 5424, 5450, 5460, 5470, 5480, 7500, 7500E, 7600, 7800 and 8000 switches
1. Take the following appropriate action based on what service you are using:
   • If you are using FTP or SCP, verify that the FTP or SSH server is running on the host server and that you have a valid user ID and password on that server.
   • If your platform supports a USB memory device, verify that it is connected and running.
This command will cause a warm/non-disruptive boot on the switch, but will require that existing telnet, secure telnet or SSH sessions be restarted.
Do you want to continue [Y]: y
Firmware is being downloaded to the switch. This step may take up to 30 minutes.
7. The new standby CP blade reboots and comes up with the new Fabric OS.
8. The new active CP blade synchronizes its state with the new standby CP blade.
9. The firmwareCommit command runs automatically on both CP blades.

CAUTION
After you start the process, do not enter any disruptive commands (such as reboot) that will interrupt the process. The entire firmware download and commit process takes approximately 15 minutes.
HA enabled, Heartbeat Up, HA State synchronized
CP blades must be synchronized and running Fabric OS v6.0.0 or later to provide a nondisruptive download. If the two CP blades are not synchronized, enter the haSyncStart command to synchronize them. If the CPs still are not synchronized, contact your switch service provider.
8. Enter the firmwareDownload command and respond to the interactive prompts.
9.
The firmware is being downloaded to the Standby CP. It may take up to 10 minutes
Do you want to continue [Y]: y
10. Optionally, after the failover, connect to the switch and log in again as admin. Using a separate session, enter the firmwareDownloadStatus command to monitor the firmware download status.
Firmware download from a USB device
The Brocade 300, 5100, 5300, 7800, and 8000 switches and the Brocade DCX and DCX-4S Backbones support a firmware download from a Brocade-branded USB device attached to the switch or active CP. Before the USB device can be accessed by the firmwareDownload command, it must be enabled and mounted as a file system.
SAS and SA applications
The firmwareDownload command supports downloading application images such as storage application service (SAS) and Data Migration Manager (DMM) to the FA4-18 blade and the Brocade 7600. By default, the FA4-18 blade and the Brocade 7600 ship with the latest versions of SAS and Fabric OS.
Example of a SAS firmwareDownload
The following example shows the download of a SAS image to slots 1 and 3 on a Brocade 48000 director in interactive mode.
switch:admin> firmwareDownload
Type of Firmware (FOS, SAS, or any application) [FOS]: SAS
Target Slots (all, or slot numbers) [all]: 1,3
Server Name or IP Address: 10.1.2.3
Network Protocol (1-auto-select, 2-FTP, 3-SCP) [1]:
User Name: userfoo
File Name: /userfoo/dist/v3.3.0
Password:
Downloading Applications...
FIPS Support
NOTE: If FIPS is enabled, all logins should be done through SSH or the direct serial console, and the transfer protocol should be SCP.
Updating the firmware key
1. Log in to the switch as admin.
2. Enter the firmwareKeyUpdate command and respond to the prompts.
The firmwareDownload command
As mentioned previously, the public key used to verify firmware signatures must be installed on the switch (with firmwareKeyUpdate) before a signed firmware image is downloaded, so that firmwareDownload can check the image signature against it.
Power-on Firmware Checksum Test
FIPS requires the checksums of the executables and libraries on the filesystem to be validated before Fabric OS modules are launched, to make sure these files have not been changed after they were installed. When firmware RPM packages are installed during firmwareDownload, the MD5 checksums of the firmware files are stored in the RPM database on the filesystem. At power-on, the checksum test walks every file recorded in the RPM database, recomputes its checksum, and compares it with the stored value; a mismatch means the file was altered after installation. The test is only as trustworthy as the RPM database it reads: it detects modified files, not an attacker who can rewrite both a file and its recorded checksum, which is why it complements rather than replaces signed firmware.
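The following is an added example, not Brocade code and not from this guide: a small model of the power-on checksum test described above. At "install" time it records a manifest of per-file digests (the role the RPM database plays on the switch); at "boot" time it re-hashes every recorded file and reports anything modified or missing. The file names, the manifest layout and the tamper scenario are constructed for illustration, and SHA-256 stands in for the MD5 checksums the RPM database stores.

```python
"""Added example, not Brocade code: a minimal power-on firmware checksum test.
Install time records a manifest of file digests; boot time re-verifies them.
File names and manifest layout are assumptions; SHA-256 replaces the RPM
database's MD5 for illustration."""
import hashlib
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large firmware binaries do not load into RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, algo="sha256"):
    """Install time: record the digest of every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = file_digest(full, algo)
    return manifest


def verify_manifest(root, manifest, algo="sha256"):
    """Boot time: return (ok, problems); problems is a list of (reason, path)."""
    problems = []
    for rel, expected in sorted(manifest.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            problems.append(("missing", rel))
        elif file_digest(full, algo) != expected:
            problems.append(("modified", rel))
    return (not problems, problems)


def demo():
    """Constructed scenario: install two files, verify, then append to one
    and delete the other before verifying again."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        daemon = os.path.join(root, "fabos")
        library = os.path.join(root, "lib", "libzone.so")
        with open(daemon, "wb") as f:
            f.write(b"\x7fELF constructed daemon image\n")
        with open(library, "wb") as f:
            f.write(b"\x7fELF constructed shared library\n")
        manifest = build_manifest(root)
        clean_ok, _ = verify_manifest(root, manifest)
        with open(library, "ab") as f:          # tamper with the library
            f.write(b"injected code\n")
        os.remove(daemon)                        # and remove the daemon
        tampered_ok, problems = verify_manifest(root, manifest)
        return clean_ok, tampered_ok, problems


if __name__ == "__main__":
    print(demo())
```

The manifest itself is the trust anchor here, exactly as the RPM database is on the switch: keep it where whoever can alter the firmware files cannot also alter it, or protect it with a signature, otherwise the check reports a clean system after a consistent rewrite of both.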
Test and restore firmware on switches
User Name: userfoo
File Name: /home/userfoo/v6.3.0
Password:
Do Auto-Commit after Reboot [Y]: n
Reboot system after download [N]: y
Firmware is being downloaded to the switch. This step may take up to 30 minutes.
Checking system settings for firmwaredownload...
The switch will perform a reboot and come up with the new firmware to be tested. Your current switch session will automatically disconnect.
7.
Test and restore firmware on enterprise-class platforms
This procedure enables you to perform a firmware download on each CP and verify that the procedure was successful before committing to the new firmware. The old firmware is saved in the secondary partition of each CP until you enter the firmwareCommit command.
d. Enter the haFailover command. The active CP will reboot and the current enterprise-class platform session will be disconnected.
If an AP blade is present: at the point of the failover an autoleveling process is activated. See “Enterprise-class platform firmware download process overview” on page 184 for details about autoleveling.
8. Verify the failover.
a.
a. From the current enterprise-class platform session on the active CP, enter the firmwareShow command and confirm that only the active CP secondary partition contains the old firmware.
b. Enter the firmwareCommit command to update the secondary partition with the new firmware. It takes several minutes to complete the commit operation. Do not do anything on the enterprise-class platform while this operation is in process.
c.
Validating a firmware download
Validate the firmware download by running the following commands: firmwareShow, firmwareDownloadStatus, nsShow, nsAllShow, and fabricShow.
NOTE: When you prepared for the firmware download earlier, you issued either the supportShow or supportSave command. You can issue the command again and compare the output from before and after, but it may take up to 30 minutes to execute.
nsShow
Displays all devices directly connected to the switch that have logged into the name server. Make sure the number of attached devices after the firmware download is exactly the same as the number of attached devices prior to the firmware download.
nsAllShow
Displays all devices connected to the fabric. Make sure the number of attached devices after the firmware download is exactly the same as the number of attached devices prior to the firmware download.
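Comparing counts by eye is error-prone on a switch with many attached devices, and a matching count can still hide one device that dropped while another appeared. The following added example (not Brocade code, not from this guide) parses two nsShow captures taken before and after the download and reports exactly which port WWNs are missing, new, or came back with a different PID. The two captures are constructed samples laid out like nsShow output (Type, PID, COS, PortName, NodeName); the WWNs and PIDs are made up.

```python
"""Added example, not Brocade code: diff nsShow captures before and after a
firmware download. The captures below are constructed samples in the nsShow
layout; WWNs and PIDs are invented."""
import re

# Constructed "before" capture: two N_Port devices and one NL_Port device.
NSSHOW_BEFORE = """\
{
 Type Pid    COS     PortName                NodeName                 TTL(sec)
 N    010200;      3;10:00:00:00:c9:2b:aa:01;20:00:00:00:c9:2b:aa:01; na
    FC4s: FCP
    Fabric Port Name: 20:02:00:05:1e:35:bb:cc
 N    010300;      3;10:00:00:00:c9:2b:aa:02;20:00:00:00:c9:2b:aa:02; na
    FC4s: FCP
 NL   0104e8;      3;21:00:00:20:37:0c:71:02;20:00:00:20:37:0c:71:02; na
    FC4s: FCP [SEAGATE ST336704FC      0005]
The Local Name Server has 3 entries }
"""

# Constructed "after" capture: the NL_Port device did not log back in.
NSSHOW_AFTER = """\
{
 Type Pid    COS     PortName                NodeName                 TTL(sec)
 N    010200;      3;10:00:00:00:c9:2b:aa:01;20:00:00:00:c9:2b:aa:01; na
    FC4s: FCP
 N    010300;      3;10:00:00:00:c9:2b:aa:02;20:00:00:00:c9:2b:aa:02; na
    FC4s: FCP
The Local Name Server has 2 entries }
"""

WWN = r"(?:[0-9a-f]{2}:){7}[0-9a-f]{2}"
ENTRY = re.compile(
    rf"^\s*(?P<type>NL?)\s+(?P<pid>[0-9a-f]{{6}});\s*(?P<cos>\d+);"
    rf"(?P<port>{WWN});(?P<node>{WWN});",
    re.IGNORECASE | re.MULTILINE,
)
COUNT = re.compile(r"Name Server has (\d+) entr(?:y|ies)")


def parse_nsshow(text):
    """Map port WWN -> (type, PID, node WWN) for every name-server entry and
    cross-check the parsed count against the trailer line when present."""
    entries = {m["port"].lower(): (m["type"].upper(), m["pid"].lower(), m["node"].lower())
               for m in ENTRY.finditer(text)}
    m = COUNT.search(text)
    if m and int(m.group(1)) != len(entries):
        raise ValueError(f"parsed {len(entries)} entries but trailer says {m.group(1)}")
    return entries


def compare_nsshow(before_text, after_text):
    """Return (same, missing_wwns, new_wwns, pid_changes)."""
    before = parse_nsshow(before_text)
    after = parse_nsshow(after_text)
    missing = sorted(set(before) - set(after))
    new = sorted(set(after) - set(before))
    # A device that is present but logged in under a different PID moved or
    # was re-addressed; it still deserves a look even though the count matches.
    pid_changes = sorted(w for w in set(before) & set(after)
                         if before[w][1] != after[w][1])
    same = not (missing or new or pid_changes)
    return same, missing, new, pid_changes


if __name__ == "__main__":
    print(compare_nsshow(NSSHOW_BEFORE, NSSHOW_AFTER))
```

Run the same comparison on nsAllShow captures to cover the whole fabric rather than the local switch; the entry format is the same.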
Chapter 10 Managing Virtual Fabrics
In this chapter
• Virtual Fabrics overview
• Logical switch overview
• Logical fabric overview
• Management model for logical switches
This chapter describes the logical switch and logical fabric features. For information about device sharing with Virtual Fabrics, see “FC-FC Routing and Virtual Fabrics” on page 506. The following platforms are Virtual Fabrics-capable:
• Brocade DCX and DCX-4S
• Brocade 5300
• Brocade 5100
For additional information about supported switches and port types, see “Supported platforms for Virtual Fabrics” on page 210.
Logical switch overview
FIGURE 15 Switch before and after enabling Virtual Fabrics (before: ports P0 through P9 belong to the physical chassis; after: the same ports belong to the default logical switch)
After you enable Virtual Fabrics, you can create up to eight logical switches, depending on the switch model. Figure 16 shows a Virtual Fabrics-enabled switch before and after it is divided into logical switches.
Logical switches and fabric IDs
When you create a logical switch, you must assign it a fabric ID (FID). The fabric ID uniquely identifies each logical switch within a chassis and indicates to which fabric the logical switch belongs. You cannot define multiple logical switches with the same fabric ID within the chassis. In Figure 17, logical switches 2, 3, 4, and 5 are assigned FIDs of 1, 15, 8, and 20, respectively.
FIGURE 18 Assigning ports to logical switches (before port assignment, ports P0 through P9 are all in Logical switch 1, the default logical switch; after assignment they are distributed among Logical switch 1 and Logical switches 2, 3, and 4)
A given port is always in one (and only one) logical switch.
You can also connect other switches to logical switches. In Figure 19, P6 is an E_Port that forms an ISL between Logical switch 4 and the non-Virtual Fabrics switch. Logical switch 4 is the only logical switch that can communicate with the non-Virtual Fabrics switch and D2, because the other logical switches are in different fabrics.
Logical fabric overview
You connect logical switches to other logical switches in two ways:
• Using ISLs
• Using base switches and shared ISLs
Logical fabric and ISLs
Figure 21 shows two physical chassis divided into logical switches. In Figure 21, ISLs are used to connect the logical switches with fabric ID 1 and the logical switches with fabric ID 15. The logical switches with fabric ID 8 are each connected to a non-Virtual Fabrics switch.
NOTE: Only logical switches with the same FID can form a fabric. If you connect two logical switches with different FIDs, the link between the switches segments.
Logical fabric and ISL sharing
Another way to connect logical switches is using extended ISLs (XISLs) and base switches. When you divide a chassis into logical switches, you can designate one of the switches to be a base switch. A base switch is a special logical switch that is used for interconnecting the physical chassis.
Traffic between the logical switches can now flow across this XISL. The traffic can flow only between logical switches with the same fabric ID. For example, traffic can flow between Logical switch 2 in chassis 1 and Logical switch 6 in chassis 2, because they both have fabric ID 1. Traffic cannot flow between Logical switch 2 and Logical switch 7, because they have different fabric IDs (and are thus in different fabrics).
FIGURE 25 Logical fabric using ISLs and XISLs (Physical chassis 1 and 2 each contain a default logical switch with fabric ID 128, logical switches with fabric IDs 1 and 15, and a base switch with fabric ID 8; an ISL joins the two chassis directly, an XISL joins the two base switches, and logical ISLs carried over the XISL join the logical switches that share a fabric ID)
By default, the phys
Logical fabric formation
Fabric formation is not based on connectivity, but on the FIDs of the logical switches. The basic order of fabric formation is as follows:
1. The base fabric forms.
2. Logical fabrics form when the base fabric is stable.
3. Traffic is initiated between the logical switches.
4. Devices start seeing each other.
Account management and Virtual Fabrics
When user accounts are created, they are assigned a list of logical fabrics to which they can log in and a home logical fabric (home FID). When you connect to a physical chassis, the home FID defines the logical switch to which you are logged in by default. You can change to a different logical switch context, as described in “Changing the context to a different logical fabric” on page 223.
Supported platforms for Virtual Fabrics
TABLE 43 Blade and port types supported on logical switches
Blade type               Default logical switch   User-defined logical switch   Base switch
FC8-16, FC8-32, FC8-48   Yes (F, E)               Yes (F, E)                    Yes (E, EX)
FA4-18                   Yes (F, E, VE)           No                            No
FC10-6                   Yes (F, E)               No                            No
FS8-18                   Yes (F, E)               No                            No
FCOE10-24                Yes (F, E)               No                            No
FX8-24 FC ports          Yes (F, E, VE)           Yes (F, E, VE)                Yes (E, EX, VEX, VE)
FX8-24 GE ports          Yes (VE)                 Yes (VE)                      Yes (VE)
FR4-18i FC ports         Yes (F, E, [row truncated in source]
FR4-18i GE ports         [row truncated in source]
Limitations and restrictions of Virtual Fabrics
TABLE 44 Virtual Fabrics interaction with Fabric OS features (Continued)
Fabric OS feature: FC-FC Routing Service
Virtual Fabrics interaction: All EX_Ports must reside in a base switch. You cannot attach EX_Ports to a logical switch that has XISL use enabled. You must use ISLs to connect the logical switches in an edge fabric. Only 8-Gbps ports are allowed to be used as FC router EX_Ports, with the exception of VEX_Ports on the FR4-18i blade.
Following are restrictions on XISL use. To allow or disallow XISL use for a logical switch, see “Configuring a logical switch to use XISLs” on page 222. XISL use is not permitted in any of the following scenarios:
• The logical switch is FICON CUP enabled.
• The logical switch is operating in interoperability mode 2 or 3.
• The logical switch has ICL ports.
• The logical switch is an edge switch for an FC router.
• The logical switch is using GbE ports (VE_Ports).
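The fabric-formation rules in this chapter (same FID required, different FIDs segment, base fabric first, XISL use only where permitted) are easy to state and easy to get wrong when planning a multi-chassis layout. The following added example, not Brocade code and not from this guide, models them: given the logical switches of several chassis, the ISLs between them and the XISLs between base switches, it computes which logical switches end up in one fabric and which links segment. The chassis and switch names are constructed after Figure 25; the XISL restriction flags mirror the list above.

```python
"""Added example, not Brocade code: model logical fabric formation from FIDs,
ISLs and XISLs per the rules in this chapter. Switch and chassis names are
constructed after Figure 25; nothing here is Fabric OS output."""
from dataclasses import dataclass


@dataclass
class LogicalSwitch:
    name: str
    chassis: str
    fid: int
    base: bool = False
    allow_xisl: bool = True      # the switch's "Allow XISL Use" parameter
    ficon_cup: bool = False      # restrictions listed above that forbid XISL use
    interop_mode: int = 0        # 2 or 3 forbids XISL use
    icl_ports: bool = False
    fcr_edge: bool = False
    ve_ports: bool = False

    def xisl_permitted(self):
        """XISL use is allowed only when none of the listed restrictions holds."""
        return (self.allow_xisl and not self.base and not self.ficon_cup
                and self.interop_mode not in (2, 3) and not self.icl_ports
                and not self.fcr_edge and not self.ve_ports)


class DisjointSet:
    def __init__(self, items):
        self.parent = {i: i for i in items}

    def find(self, x):
        while self.parent[x] != x:
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def form_fabrics(switches, isls, xisls):
    """isls: (switch, switch) pairs; xisls: (chassis, chassis) pairs between base
    switches. Returns (fabrics, segmented): fabrics maps each FID to the groups of
    switches forming one fabric; segmented lists links whose FIDs did not match."""
    by_name = {s.name: s for s in switches}
    base_of = {s.chassis: s for s in switches if s.base}
    ds, segmented = DisjointSet(by_name), []
    # 1. The base fabric forms first: XISLs join base switches that share a FID.
    for c1, c2 in xisls:
        b1, b2 = base_of.get(c1), base_of.get(c2)
        if b1 and b2 and b1.fid == b2.fid:
            ds.union(b1.name, b2.name)
        else:
            segmented.append(("xisl", c1, c2))
    # 2. Logical ISLs: same-FID switches whose chassis sit in one base fabric,
    #    provided both switches may use the XISL.
    names = sorted(by_name)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            sa, sb = by_name[a], by_name[b]
            if (sa.chassis != sb.chassis and sa.fid == sb.fid
                    and sa.xisl_permitted() and sb.xisl_permitted()
                    and sa.chassis in base_of and sb.chassis in base_of
                    and ds.find(base_of[sa.chassis].name)
                    == ds.find(base_of[sb.chassis].name)):
                ds.union(a, b)
    # 3. Direct ISLs join equal FIDs; a link between different FIDs segments.
    for a, b in isls:
        if by_name[a].fid == by_name[b].fid:
            ds.union(a, b)
        else:
            segmented.append(("isl", a, b))
    groups = {}
    for n in names:
        groups.setdefault((by_name[n].fid, ds.find(n)), []).append(n)
    fabrics = {}
    for (fid, _root), members in sorted(groups.items()):
        fabrics.setdefault(fid, []).append(members)
    return fabrics, segmented


def figure_25(ls7_ve_ports=False, stray_isl=False):
    """Two chassis laid out as in Figure 25. Options put VE_Ports on Logical
    switch 7 (so it may not use the XISL) and add a stray ISL between FIDs 1 and 15."""
    switches = [
        LogicalSwitch("LS1", "chassis1", 128), LogicalSwitch("LS2", "chassis1", 1),
        LogicalSwitch("LS3", "chassis1", 15), LogicalSwitch("Base1", "chassis1", 8, base=True),
        LogicalSwitch("LS5", "chassis2", 128), LogicalSwitch("LS6", "chassis2", 1),
        LogicalSwitch("LS7", "chassis2", 15, ve_ports=ls7_ve_ports),
        LogicalSwitch("Base2", "chassis2", 8, base=True),
    ]
    isls = [("LS1", "LS5")] + ([("LS2", "LS7")] if stray_isl else [])
    return form_fabrics(switches, isls, [("chassis1", "chassis2")])


if __name__ == "__main__":
    print(figure_25())
    print(figure_25(ls7_ve_ports=True, stray_isl=True))
```

In the second run Logical switch 7 stays alone in fabric ID 15 because its VE_Ports rule out the XISL, and the stray ISL is reported as segmented rather than silently bridging two fabrics; that isolation is the property Virtual Fabrics is relied on for, so any model or change-review check should flag both outcomes explicitly.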
Example
The following example checks whether Virtual Fabrics is enabled or disabled and then enables it.
Configuring logical switches to use basic configuration values
All switches in the fabric are configured to use the same basic configuration values. When you create logical switches, the logical switches might have different configuration values than the default logical switch. Use the following procedure to ensure that newly created logical switches have the same basic configuration values as the default logical switch.
Creating a logical switch or base switch
Specify the -base option if the logical switch is to be a base switch. Specify the -force option to execute the command without any user prompts or confirmation.
3. Set the context to the new logical switch.
   setcontext fabricID
   where fabricID is the fabric ID of the logical switch you just created.
4. Disable the logical switch.
   switchdisable
5. Configure the switch attributes, including assigning a unique domain ID.
   configure
6.
Executing a command in a different logical fabric context
This procedure describes how to execute a command for a logical switch while you are in the context of a different logical switch. You can also execute a command for all the logical switches in a chassis. The command is not executed on those logical switches for which you do not have permission.
1. Connect to the physical chassis and log in using an account assigned to the admin role.
2.
"fabricshow" on FID 4:
Switch ID   Worldwide Name            Enet IP Addr    FC IP Addr   Name
-------------------------------------------------------------------------
14: fffc0e  10:00:00:05:1e:82:3c:2b   10.32.79.105    0.0.0.0      >"switch_4"
--------------------------------------------------
"fabricshow" on FID 5:
Switch ID   Worldwide Name            Enet IP Addr    FC IP Addr   Name
-------------------------------------------------------------------------
30: fffc1e  10:00:00:05:1e:82:3c:2c   10.32.79.105    0.0.0.
When you move a port from one logical switch to another, the port is automatically disabled. Any performance monitors that were installed on the port are deleted. If monitors are required in the new logical switch, you must manually reinstall them on the port after the move. If the logical switch to which the port is moved has fabric mode Top Talkers enabled and the port is an E_Port, fabric mode Top Talker monitors are automatically installed on that port.
Changing the fabric ID of a logical switch
FID   128 | 128 | 128 | 128 | 128 | 128 | 128 | 128 | 128 | 128 |
Port   10    11    12    13    14    15    16    17    18    19
-------------------------------------------------------------------
FID   128 | 128 | 128 | 128 | 128 | 128 | 128 | 128 |   5 |   5 |
Port   20    21    22    23    24    25    26    27    28    29
-------------------------------------------------------------------
FID     5 | 128 |   4 |   4 | 128 | 128 | 128 | 128 | 128 | 128 |
Port   30    31    32    33    34    35    36    37    38    39
-------------------------------------------
Changing a logical switch to a base switch
1. Connect to the switch and log in using an account assigned to the admin role with the chassis-role permission.
2. Set the context to the logical switch you want to change, if you are not already in that context.
   setcontext fabricID
   where fabricID is the fabric ID of the logical switch you want to change to a base switch.
3.
switch_25:FID7:admin> lscfg --change 7 -base
Creation of a base switch requires that the proposed new base switch on this system be disabled.
Would you like to continue [y/n]?: y
Disabling the proposed new base switch...
Disabling switch fid 7
Please enable your switches when ready.
switch_25:FID7:admin> switchenable
Setting up IP addresses for a Virtual Fabric
NOTE: IPv6 is not supported when setting the IPFC interface for Virtual Fabrics.
1.
setcontext fabricID
where fabricID is the fabric ID of the logical switch you want to switch to and manage.
3. Enter the switchShow command and check the value of the Allow XISL Use parameter.
4. Disable the logical switch.
   switchdisable
5. Enter the following command:
   configure
6. Enter y after the Fabric Parameters prompt:
   Fabric parameters (yes, y, no, n): [no] y
7.
Creating a logical fabric using XISLs
FIGURE 26 Example of logical fabrics in multiple chassis and XISLs (Physical chassis 1 and 2 each contain a default logical switch with fabric ID 128, logical switches with fabric IDs 1 and 15, and a base switch with fabric ID 8; the base switches are joined by an XISL, an ISL joins the two chassis directly, and devices D1 and D2 and hosts H1 and H2 attach to the logical switches)
1.
d. Physically connect devices and ISLs to these ports on the logical switch.
e. (Optional) Configure the logical switch to use XISLs, if it is not already XISL-capable. See “Configuring a logical switch to use XISLs” on page 222 for instructions. By default, newly created logical switches are configured to allow XISL use.
f.
Chapter 11 Administering Advanced Zoning
In this chapter
• Special zones
• Zoning overview
• Broadcast zones
• Zone aliases
Zoning overview
• QoS zones: Assign high or low priority to designated traffic flows. QoS zones are normal zones with additional QoS attributes specified by adding a QOS prefix to the zone name. See “QoS: SID/DID traffic prioritization” on page 424 for more information.
• Traffic Isolation zones (TI zones): Isolate inter-switch traffic to a specific, dedicated path through the fabric. See “Traffic Isolation Routing” on page 402 for more information.
FIGURE 27 Zoning example (a Fibre Channel fabric with Red, Blue and Green zones containing Server1, Server2, Server3, a RAID, a JBOD on Loop 2, and a hub on Loop 1)
To list the commands associated with zoning, use the zoneHelp command. For detailed information on the zoning commands used in the procedures, see the Fabric OS Command Reference or the online man page for each command.
Zone types
Table 46 summarizes the types of zoning available.
TABLE 47 Approaches to fabric-based zoning
Zoning approach: Single HBA (recommended approach)
Description: Zoning by single HBA most closely re-creates the original SCSI bus. Each zone created has only one HBA (initiator) in the zone; each of the target devices is added to the zone. Typically, a zone is created for the HBA and the disk storage ports are added. If the HBA also accesses tape devices, a second zone is created with the HBA and associated tape devices in it.
For example, in enterprise-class platforms, “4,30” specifies port 14 in slot number 2 (domain ID 4, port index 30). On fixed-port models, “3,13” specifies port 13 in switch domain ID 3. Note the following effects on zone membership based on the type of zone object:
• When a zone object is the physical port number, then all devices connected to that port are in the zone.
Zone configurations
A zone configuration is a group of one or more zones. A zone can be included in more than one zone configuration. When a zone configuration is in effect, all zones that are members of that configuration are in effect. Several zone configurations can reside on a switch at once, and you can quickly alternate between them. For example, you might want to have one configuration enabled during business hours and another enabled overnight.
Session-based hardware enforcement is in effect in the following cases, on a per-zone basis:
• A zone does not have either all WWN or all D,I entries.
• Overlapping zones (in which zone members appear in two or more zones).
NOTE: For the Brocade 48000 with an FC4-48 port blade: if ports 16 through 47 on the FC4-48 port blade use domain,index identifiers, then session-based hardware enforcement is in effect on these ports, regardless of the enforcement for the remaining zone members.
The zone configuration is managed on a fabric basis. When a change in the configuration is saved, enabled, or disabled according to the transactional model, it is automatically (by closing the transaction) distributed to all switches in the fabric, preventing a single point of failure for zone information.
NOTE: Zoning commands make changes that affect the entire fabric.
Broadcast zones
You create a broadcast zone the same way you create any other zone except that a broadcast zone must have the name “broadcast” (case-sensitive). You can set up and manage broadcast zones using the standard zoning commands, which are described in “Zone creation and maintenance” on page 239.
Broadcast zones and Admin Domains
Each Admin Domain can have only one broadcast zone.
When a switch receives a broadcast packet it forwards the packet only to those devices that are zoned with the sender and are also part of the consolidated broadcast zone. You can check whether a broadcast zone has any invalid members that cannot be enforced in the current AD context. Refer to “Validating a zone” on page 241 for complete instructions.
Zone aliases
If you are creating a new alias using aliCreate "w", "1,1", and a user in another Telnet session executes cfgEnable (or cfgDisable, or cfgSave), the other user’s transaction will abort your transaction and you will receive an error message. Creating a new alias while a zone merge is taking place might also abort your transaction. For more details about zone merging and zone merge conflicts, see “New switch or fabric additions” on page 251.
take effect until it is re-enabled.
Do you want to save Defined zoning configuration only? (yes, y, no, n): [no] y
Removing members from an alias
1. Connect to the switch and log in as admin.
2. Enter the aliRemove command, using the following syntax:
   aliremove "aliasname", "member[; member...]"
3. Enter the cfgSave command to save the change to the defined configuration. The cfgSave command ends and commits the current zoning transaction buffer to both volatile and nonvolatile memory.
Viewing an alias in the defined configuration
1. Connect to the switch and log in as admin.
2. Enter the aliShow command, using the following syntax:
   alishow "pattern"[, mode]
   If no parameters are specified, the entire zone database (both the defined and effective configuration) is displayed.
Example
The following example shows all zone a
liases beginning with “arr”.
Zone creation and maintenance
Adding devices (members) to a zone
1. Connect to the switch and log in as admin.
2. Enter the zoneAdd command, using the following syntax:
   zoneadd "zonename", "member[; member...]"
3. Enter the cfgSave command to save the change to the defined configuration. The cfgSave command ends and commits the current zoning transaction buffer to both volatile and nonvolatile memory.
3. Enter the cfgSave command to save the change to the defined configuration. The cfgSave command ends and commits the current zoning transaction buffer to both volatile and nonvolatile memory. If a transaction is open on a different switch in the fabric when this command is run, the transaction on the other switch is automatically aborted. A message displays on the other switches to indicate that the transaction was aborted.
4. Enter the following command to validate all zones in the zone database in the defined configuration.
Setting the default zoning mode
1. Connect to the switch and log in as admin.
2. Enter the cfgActvShow command to view the current zone configuration.
3. Enter the defZone command with one of the following options:
   defzone --noaccess
   defzone --allaccess
   This command initiates a transaction (if one is not already in progress).
4. Enter either the cfgSave, cfgEnable, or cfgDisable command to commit the change and distribute it to the fabric.
From a security standpoint, --noaccess is the mode to keep: with --allaccess, every device in the fabric can reach every other device whenever no zone configuration is in effect, for example after a cfgDisable.
Zoning configurations
You can store a number of zones in a zoning configuration database. The maximum number of items that can be stored in the zoning configuration database depends on the following criteria:
• Number of switches in the fabric.
• Whether or not interoperability mode is enabled.
• Number of bytes for each item name. The number of bytes required for an item name depends on the specifics of the fabric, but cannot exceed 64 bytes for each item.
Adding zones (members) to a zoning configuration
1. Connect to the switch and log in as admin.
2. Enter the cfgAdd command, using the following syntax:
   cfgadd "cfgname", "member[; member...]"
3. Enter the cfgSave command to save the change to the defined configuration. The cfgSave command ends and commits the current zoning transaction buffer to both volatile and nonvolatile memory.
cfgenable "cfgname"
3. Enter y at the prompt.
Example
switch:admin> cfgenable "USA_cfg"
You are about to enable a new zoning configuration.
This action will replace the old zoning configuration with the current configuration selected.
If the update includes changes to one or more traffic isolation zones, the update may result in localized disruption to traffic on ports associated with the traffic isolation zone changes.
The cfgSave command ends and commits the current zoning transaction buffer to both volatile and nonvolatile memory. If a transaction is open on a different switch in the fabric when this command is run, the transaction on the other switch is automatically aborted. A message displays on the other switches to indicate that the transaction was aborted.
Example
switch:admin> cfgdelete "testcfg"
switch:admin> cfgsave
You are about to save the Defined zoning configuration.
                21:00:00:20:37:0c:71:02
                1,2
                21:00:00:20:37:0c:76:22
                21:00:00:20:37:0c:76:28
 zone:  Purple_zone
                1,0
                21:00:00:20:37:0c:76:85
                21:00:00:20:37:0c:71:df
Viewing selected zone configuration information
1. Connect to the switch and log in as admin.
2. Enter the cfgShow command and specify a pattern.
Zone object maintenance
The Clear All action will clear all Aliases, Zones, FA Zones and configurations in the Defined configuration. cfgSave may be run to close the transaction or cfgTransAbort may be run to cancel the transaction.
Do you really want to clear all configurations? (yes, y, no, n): [no]
3. Enter one of the following commands, depending on whether an effective zoning configuration exists:
• If no effective zoning configuration exists, enter the cfgSave command.
Deleting a zone object
The following procedure removes all references to a zone object and then deletes the zone object. The zone object can be a zone member, a zone alias, or a zone.
1. Connect to the switch and log in as admin.
2. Enter the cfgShow command to view the zone configuration objects you want to delete.
switch:admin> cfgShow
Defined configuration:
 cfg:   USA_cfg Purple_zone; White_zone; Blue_zone
 zone:  Blue_zone
                1,1; array1; 1,2; array2
 zone:  Purple_zone
                1,0; loop1
 zone:  White_zone
                1,3; 1,4
 alias: array1   21:00:00:20:37:0c:76:8c; 21:00:00:20:37:0c:71:02
 alias: array2   21:00:00:20:37:0c:76:22; 21:00:00:20:37:0c:76:28
 alias: loop1    21:00:00:20:37:0c:76:85; 21:00:00:20:37:0c:71:df
3. Enter the zoneObjectRename command to rename zone configuration objects.
Zoning configuration management
Before the new fabric can merge successfully, it must pass the following criteria:
• Before merging zones: to facilitate merging, check the following before merging switches or fabrics:
  - Zoning licenses: All switches running Fabric OS v6.0.x or earlier must have a Zoning license enabled.
  - Native operating mode: All switches must be in the native operating mode.
• Merge conflicts: When a merge conflict is present, a merge will not take place and the ISL will segment. Use the switchShow or errDump commands to obtain additional information about possible merge conflicts, because many non-zone related configuration parameters can cause conflicts. See the Fabric OS Command Reference for detailed information about these commands.
Security and zoning
You must perform zone management operations from the primary FCS switch using a zone management interface, such as Telnet or Advanced Web Tools. You can alter the zoning database only while connected to the primary FCS switch. When two secure fabrics join, the traditional zoning merge does not occur. Instead, the zoning database is downloaded from the primary FCS switch of the merged secure fabric.
Zone merging scenarios
TABLE 49 Zone merging scenarios (Continued)
Description: Switch A and Switch B have different defined configurations. Neither has an enabled zone configuration.
  Switch A: defined: cfg2; zone2: ali3; ali4; effective: none
  Switch B: defined: cfg1; zone1: ali1; ali2; effective: none
  Expected results: Clean merge. The new configuration will be a composite of the two.
Description: Different default zone access mode settings.
  Switch A: defzone: noaccess
  Switch B: defzone: allaccess
  Expected results: Clean merge; noaccess takes precedence and the defzone configuration from Switch A propagates to the fabric (defzone: noaccess).
Description: Same default zone access mode settings.
  Switch A: defzone: allaccess
  Switch B: defzone: allaccess
  Expected results: Clean merge; the defzone configuration is allaccess in the fabric.
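Before joining a new switch to a production fabric, it is worth predicting the merge from saved cfgShow captures instead of discovering a segmented ISL afterwards. The following added example, not Brocade code and not from this guide, parses the Defined and Effective blocks of two cfgShow captures into zone databases and evaluates the merge with the rules given here: a composite when nothing conflicts, a conflict (and therefore a segmented ISL) when an alias, zone or configuration exists on both sides under the same name with different members, and noaccess taking precedence for the default zone. The two captures are constructed in the cfgShow layout shown earlier in this chapter; member order is ignored when comparing, and treating two different effective configurations as a conflict is an assumption about Table 49 rows not reproduced on this page.

```python
"""Added example, not Brocade code: parse cfgShow captures into zone databases
and predict a zone merge using the rules of Table 49. The captures are
constructed; comparing members order-insensitively and flagging differing
effective configurations as a conflict are assumptions."""
import re

OBJECT = re.compile(r"^\s*(cfg|zone|alias):\s*(\S+)\s*(.*)$")


def _members(text):
    return [m.strip() for m in text.split(";") if m.strip()]


def parse_cfgshow(text):
    """Return {"cfg": {...}, "zone": {...}, "alias": {...}, "effective": name}.
    An object's members may continue on the indented lines that follow it."""
    db = {"cfg": {}, "zone": {}, "alias": {}, "effective": None}
    section, current = None, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Defined configuration:"):
            section, current = "defined", None
        elif stripped.startswith("Effective configuration:"):
            section, current = "effective", None
        elif (m := OBJECT.match(line)):
            kind, name, rest = m.groups()
            if section == "effective":
                if kind == "cfg":
                    db["effective"] = name      # only the name matters for the merge
                current = None
            else:
                current = db[kind].setdefault(name, [])
                current.extend(_members(rest))
        elif current is not None and stripped:
            current.extend(_members(stripped))
    return db


def merge(a, b, defzone_a="noaccess", defzone_b="noaccess"):
    """Predict the merge of switch A's and switch B's zone databases."""
    conflicts, merged = [], {"cfg": {}, "zone": {}, "alias": {}}
    for kind in ("alias", "zone", "cfg"):
        for name in sorted(set(a[kind]) | set(b[kind])):
            ma, mb = a[kind].get(name), b[kind].get(name)
            if ma is not None and mb is not None and sorted(ma) != sorted(mb):
                conflicts.append(f"{kind} {name}: {ma} vs {mb}")
            merged[kind][name] = ma if ma is not None else mb
    if a["effective"] and b["effective"] and a["effective"] != b["effective"]:
        conflicts.append(f"effective: {a['effective']} vs {b['effective']}")
    return {
        "segmented": bool(conflicts),
        "conflicts": conflicts,
        "defined": None if conflicts else merged,
        "effective": a["effective"] or b["effective"],
        # noaccess wins: a device stays isolated until an explicit zone allows it.
        "defzone": "noaccess" if "noaccess" in (defzone_a, defzone_b) else "allaccess",
    }


# Constructed captures in the cfgShow layout; no configuration in effect.
SWITCH_A = """\
Defined configuration:
 cfg:   cfg2    zone2
 zone:  zone2
                ali3; ali4
 alias: ali3    21:00:00:20:37:0c:76:8c
 alias: ali4    21:00:00:20:37:0c:71:02
Effective configuration:
 no configuration in effect
"""
SWITCH_B = """\
Defined configuration:
 cfg:   cfg1    zone1
 zone:  zone1
                ali1; ali2
 alias: ali1    21:00:00:20:37:0c:76:22
 alias: ali2    21:00:00:20:37:0c:76:28
Effective configuration:
 no configuration in effect
"""
# A variant of switch A that also defines zone1, with a different member list.
SWITCH_A_CONFLICT = SWITCH_B.replace("ali1; ali2", "ali1; 1,3")


def demo():
    """Returns (clean merge result, conflicting merge result)."""
    clean = merge(parse_cfgshow(SWITCH_A), parse_cfgshow(SWITCH_B), "noaccess", "allaccess")
    conflict = merge(parse_cfgshow(SWITCH_A_CONFLICT), parse_cfgshow(SWITCH_B))
    return clean, conflict


if __name__ == "__main__":
    for result in demo():
        print(result["segmented"], result["conflicts"], result["defzone"])
```

Note what the clean case means in practice: the composite fabric now carries both cfg1 and cfg2 with none in effect, so the defzone mode (noaccess here) is what actually governs access until someone runs cfgEnable.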
Chapter 12 Managing iSCSI Gateway Service
In this chapter
• iSCSI gateway service overview
• FC4-16IP blade configuration
• iSCSI virtual target configuration
• Discovery domain and domain set configuration
• iSCSI initiator-to-VT authentication configuration
iSCSI gateway service overview
• Manages iSCSI initiator access control using discovery domains and a discovery domain set
• Session management, such as session tracking and performance monitoring
• Session authentication using CHAP
NOTE: The FC4-16IP iSCSI gateway service is not compatible with other iSCSI gateway platforms, including the Brocade iSCSI Gateway or the Brocade Multiprotocol Router.
[Figure: iSCSI gateway service protocol stack. iSCSI initiator side: Application, SCSI, iSCSI, TCP/IP. iSCSI gateway service: iSCSI virtual target (VT) facing the initiator and iSCSI virtual initiator (VI) facing the fabric. FC target (storage device server) side: SCSI, FCP (FC-4), FC (FC-2/FC-3).]
FIGURE 33 iSCSI VT advanced LUN mapping (LUNs 0 through 5 of FC target 1 and LUNs 20 through 25 of FC target 2 are mapped onto iSCSI virtual targets 1, 2, and 3 with renumbered LUNs)
iSCSI component identification of the IQN prefix
Unique IQNs are used to identify each iSCSI VT. The format for the IQN is type.date.naming-authority:unique-string. The type.date.naming-authority portion is a fixed prefix. The default prefix is iqn.
[Figure: iSCSI initiators and virtual targets across the IP network. iSCSI initiator A (iqn.2003-11.com.microsoft:win2k-sn-192168101) and iSCSI initiator B (iqn.2003-11.com., truncated in source) connect through the IP network to VT 1 (iqn.2002-12.com.brocade:10:00:00:05:1e:aa:bb:cc), VT 2 (iqn.2002-12.com.brocade:10:00:00:05:1e:cc:bb:aa), and VT 3 (iqn.2002-12.com.brocade:10:00:00:05:1e:bb:cc:aa).]
[FIGURE 35 Discovery domain set configuration example: DDSet 1 contains DD1 (iSCSI initiator A) and DD2 (iSCSI initiator B); each discovery domain grants its initiator access to a subset of the iSCSI virtual targets VT 1, VT 2 and VT 3 across the IP network through the iSCSI gateway service.]

Switch-to-iSCSI initiator authentication
iSCSI sessions are authenticated using CHAP (Challenge Handshake Authentication Protocol).
Enabling and disabling connection redirection for load balancing
1. Connect to the switch and log in.
2. Enter the appropriate form of the iscsiSwCfg command for the operation you want to perform:
   - To enable connection redirection, use the iscsiSwCfg --enableconn command. For Brocade 48000 directors, the -s option can be used to enable connection redirection for specific slots, and the all option may be used to enable connection redirection for all slots.
Supported iSCSI initiators
The following table lists iSCSI initiators supported by the iSCSI gateway service.

TABLE 50 Supported iSCSI initiators
iSCSI initiator   Driver versions
Windows           • MS iSCSI initiator 2.02
                  • MS iSCSI initiator 2.03
                  • MS iSCSI initiator 2.04
Linux             • RHEL 4 default initiator
                  • 2.6.10 - 4.0.2 iSCSI initiator (SourceForge.Net initiator)
                  • 2.4.20 - 3.6.2 iSCSI initiator (SourceForge.Net initiator)
                  • SUSE 9
                  • SUSE 10
TABLE 51 iSCSI target gateway configuration steps (Continued)
Step   Procedure                                                        Command
5      (Advanced) Create iSCSI virtual target.                          iscsiCfg --create tgt -t targetname
       See "Manual iSCSI VT creation" on page 273.
6      Add LUNs to the virtual target.                                  iscsiCfg --add lun -t targetname -w fcwwn -l LUN_map
7      Create discovery domains, where members are iSCSI components     iscsiCfg --create dd -d ddname -m "member, member, member,..."
       identified using IQNs.
FC4-16IP blade configuration
This section describes the initial setup required to deploy an iSCSI gateway solution. Install and configure the FC4-16IP blade in a Brocade 48000 as described in the Brocade FC4-16IP Hardware Reference Manual before performing these procedures.

NOTE
Only the Brocade 48000 with an iSCSI-enabled FC4-16IP blade running Fabric OS v6.1.0 or later supports the iSCSI gateway service.
[FIGURE 36 FC4-16IP ports: GbE ports ge0 through ge7 and FC ports 0 through 7 on the blade faceplate.]

Enabling the iSCSI gateway service
The iSCSI gateway service translates and directs SCSI traffic between an iSCSI initiator and an FC target. This section explains how to enable the iSCSI gateway service on the Brocade 48000.
1. Connect and log in to the switch.
2.
   iSCSI service is enabled
4. Verify that the iSCSI gateway service is enabled.
   switch:admin> fosconfig --show
   FC Routing service:    disabled
   iSCSI service:         enabled
   iSNS Client service:   disabled

Enabling GbE ports
By default, GbE ports are enabled on an FC4-16IP blade installed in the Brocade 48000. However, if you insert the FC4-16IP blade into a slot that was previously occupied by an FR-18i blade, GbE ports are disabled.
switch:admin> portcfgshow 10/ge0
Mode: ISCSI
Persistent Disable: OFF
Ipif configuration:
Interface   IP Address      NetMask        MTU
----------------------------------------------
0           30.0.130.100    255.255.0.
The gateway must be on the same subnet as the GbE port. You can specify a maximum of 32 routes per GbE port.
5. (Optional) Verify the route as follows:
   switch:admin> portshow iproute 3/ge0
   Slot: 3 Port: ge0
   IP Address    Mask           Gateway        Metric   Flags
   ------------------------------------------------------------
   0.0.0.0       0.0.0.0        30.0.0.1       1
   30.0.0.0      255.255.0.0    30.0.127.30    0        Interface
6.
Automatic iSCSI VT creation
An iSCSI VT is created using target LUNs from the attached FC network. LUNs are mapped to iSCSI VTs by creating unique iSCSI Qualified Names (IQNs) for each target. You can create iSCSI VTs by using the iscsiCfg --easycreate tgt command. There are two options.
• An iSCSI VT may be created for every FC target. IQNs are created automatically, using the port WWNs as the user defined portion of the IQN.
17   2f:1f:00:06:2b:0d:10:ba   iqn.2002-12.com.brocade:2f:1f:00:06:2b:0d:10:ba   Operation Succeeded
18   2f:3f:00:06:2b:0d:10:ba   iqn.2002-12.com.brocade:2f:3f:00:06:2b:0d:10:ba   Operation Succeeded
19   2f:5f:00:06:2b:0d:10:ba   iqn.2002-12.com.brocade:2f:5f:00:06:2b:0d:10:ba   Operation Succeeded
20   2f:7f:00:06:2b:0d:10:ba   iqn.2002-12.com.brocade:2f:7f:00:06:2b:0d:10:ba   Operation Succeeded
21   2f:9f:00:06:2b:0d:10:ba   iqn.2002-12.com.
Name: iqn.2002-12.com.brocade:2f:5f:00:06:2b:0d:10:ba   State/Status: Online/Defined
Name: iqn.2002-12.com.brocade:2f:7f:00:06:2b:0d:10:ba   State/Status: Online/Defined
Name: iqn.2002-12.com.brocade:2f:9f:00:06:2b:0d:10:ba   State/Status: Online/Defined
Name: iqn.2002-12.com.brocade:2f:bf:00:06:2b:0d:10:ba   State/Status: Online/Defined
Name: iqn.2002-12.com.brocade:2f:df:00:06:2b:0d:10:ba   State/Status: Online/Defined
Name: iqn.2002-12.com.
Type  Date     Auth         User defined
+--++------++----------++-----------------------+
iqn.2002-12.com.brocade:10:00:00:05:1e:aa:bb:cc

Every iSCSI initiator and iSCSI VT on the same IP network and SAN must have a unique IQN. The default for the type.date.naming authority: prefix portion may be changed using the iscsiSwCfg --modifygw -t tgtname command. Your organization may suggest or require a specific format for the prefix portion of the IQN.
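The IQN layout just described, worked through as an added example (this is not code from the Fabric OS guide or from Brocade): a small Python parser that splits an IQN into its type, date, naming authority and user-defined fields, rebuilds the automatically generated VT name from a port WWN the way the easy-create option does (fixed prefix followed by the WWN), and flags IQNs that collide after case folding, since every initiator and VT on one IP network and SAN needs a unique name. The sample names are the ones shown on this page; the regular expression, the function names and the assumption that the type is always "iqn" with a yyyy-mm date are mine.

```python
import re
from typing import Iterable, NamedTuple, Set

# Assumption (mine, matching every IQN on this page): the type is literally
# "iqn", the date is yyyy-mm, the naming authority is reverse-DNS style,
# and everything after the first colon is the user-defined portion.
_IQN_RE = re.compile(
    r"^(?P<type>iqn)\.(?P<date>\d{4}-\d{2})\.(?P<auth>[a-z0-9][a-z0-9.-]*):(?P<user>\S+)$",
    re.IGNORECASE,
)


class Iqn(NamedTuple):
    iqn_type: str
    date: str
    naming_authority: str
    user_defined: str

    @property
    def prefix(self) -> str:
        """The fixed 'type.date.naming authority:' portion of the name."""
        return f"{self.iqn_type}.{self.date}.{self.naming_authority}:"

    @property
    def full(self) -> str:
        return self.prefix + self.user_defined


def parse_iqn(name: str) -> Iqn:
    """Split an IQN into its four fields, raising ValueError on a bad name."""
    m = _IQN_RE.match(name)
    if m is None:
        raise ValueError(f"not a well-formed IQN: {name!r}")
    month = int(m.group("date")[5:])
    if not 1 <= month <= 12:
        raise ValueError(f"IQN date has an invalid month: {name!r}")
    # RFC 3722 (the iSCSI string profile) folds names to lower case, so two
    # names that differ only in case are the same name; normalize here.
    return Iqn(m.group("type").lower(), m.group("date"),
               m.group("auth").lower(), m.group("user").lower())


def vt_iqn_for_port_wwn(prefix: str, port_wwn: str) -> str:
    """Name a VT the way automatic creation does: prefix + FC port WWN.

    The WWN becomes the user-defined portion, e.g.
    iqn.2002-12.com.brocade:2f:1f:00:06:2b:0d:10:ba."""
    if not re.fullmatch(r"(?:[0-9a-f]{2}:){7}[0-9a-f]{2}", port_wwn, re.IGNORECASE):
        raise ValueError(f"not an 8-byte colon-separated WWN: {port_wwn!r}")
    return parse_iqn(prefix + port_wwn).full


def find_duplicate_iqns(names: Iterable[str]) -> Set[str]:
    """Return every normalized IQN that occurs more than once in `names`."""
    seen: Set[str] = set()
    dupes: Set[str] = set()
    for n in names:
        key = parse_iqn(n).full
        if key in seen:
            dupes.add(key)
        seen.add(key)
    return dupes


if __name__ == "__main__":
    # Names taken from this page: two VTs and one Microsoft initiator, plus a
    # constructed duplicate that differs only in case.
    sample = [
        "iqn.2002-12.com.brocade:10:00:00:05:1e:aa:bb:cc",
        "iqn.2002-12.com.brocade:10:00:00:05:1e:cc:bb:aa",
        "iqn.1991-05.com.microsoft:host001.brocade.com",
        "IQN.2002-12.COM.BROCADE:10:00:00:05:1E:AA:BB:CC",  # constructed clash
    ]
    for n in sample:
        print(parse_iqn(n))
    print("duplicates:", find_duplicate_iqns(sample))
```

The duplicate check is the part worth keeping around: run it over the combined list of initiator IQNs (iscsiCfg --show initiator) and VT IQNs (iscsiCfg --show tgt) before committing a configuration, since a clash is not something the switch output above makes obvious.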
LUN ID: 0x08
LUN ID: 0x09
LUN ID: 0x0a
LUN ID: 0x0b
LUN ID: 0x0c
LUN ID: 0x0d
LUN ID: 0x0e
LUN ID: 0x0f
5. Enter the iscsiCfg --add lun command with the -t IQN, -w port_WWN, and -l n:n options to add an FC device to an existing iSCSI VT, where:
   -t IQN   Specifies the unique IQN name for the iSCSI VT in the format: iqn.2002-12.com.brocade:.
Number of targets found: 1
Target: iqn.2002-12.com.brocade:example-disk001
Number of LUN Maps: 2
FC WWN                    Virtual LUN(s)   Physical LUN(s)
21:00:00:04:cf:e7:73:7e   0                0
2f:ff:00:06:2b:0d:12:99   1-2              0-1

Deleting LUNs from an iSCSI VT
You can delete individual LUNs, a list or range of LUNs, or all LUNs associated with an iSCSI VT.
1. Connect to the switch and log in.
2.
Displaying iSCSI VT state and status
The following information can be displayed for each iSCSI VT:
• Name — IQN for the iSCSI VT.
• State — Whether the FC target is online or offline.
• Status — Whether the iSCSI VT has been defined (configuration completed but not committed) or is committed (active and available to iSCSI initiators).
• Authentication method — Indicates CHAP if authentication is enabled for the iSCSI VT.
1.
NOTE
If an iSCSI initiator has more than one IP address, only one of the IP addresses is displayed.
1. Connect and log in to the switch.
2. Enter the iscsiCfg --show initiator command to display iSCSI initiator IQNs.
   switch:admin> iscsicfg --show initiator
   Number of records found: 1
   Name                                              IP Address
   iqn.1991-05.com.microsoft:host001.brocade.com     30.0.30.11

Creating discovery domains
1. Connect and log in to the switch.
2.
The operation completed successfully.

iSCSI initiator-to-VT authentication configuration
Fabric OS v6.1.0 or later supports both one-way and mutual CHAP authentication for iSCSI initiator-to-iSCSI VT target sessions. The authentication method (CHAP or none) is set on a per-iSCSI VT basis.

Setting the user name and shared secret
Authentication depends on a user name and shared secret.
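Both CHAP variants named above, as an added illustration that is not code from the Fabric OS guide or from Brocade: a simulation of the challenge/response exchange between an iSCSI initiator and a VT, using the MD5 form of CHAP from RFC 1994 that iSCSI negotiates as CHAP_A=5. With one-way CHAP only the VT challenges the initiator; with mutual CHAP the initiator then challenges the VT with a second identifier and challenge, so each side needs a user name and shared secret the other side holds. The user names, secrets, class and function names are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample credentials (not from the page). Each side that must
# prove itself has a user name and a shared secret that the peer also holds.
INITIATOR_NAME, INITIATOR_SECRET = "iscsihost001", b"initiator-secret-example"
TARGET_NAME, TARGET_SECRET = "iscsitgt1", b"target-secret-example!!"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994, iSCSI CHAP_A=5): MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Verifier:
    """The side that issues a challenge and checks the peer's response."""

    def __init__(self, users: dict):
        self.users = users  # user name -> shared secret bound to this side

    def challenge(self) -> tuple:
        # CHAP_I is a one-byte identifier, CHAP_C an unpredictable challenge.
        return os.urandom(1)[0], os.urandom(16)

    def check(self, identifier: int, challenge: bytes, name: str, response: bytes) -> bool:
        secret = self.users.get(name)
        if secret is None:
            return False  # unknown user name: reject without revealing why
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def iscsi_login(mutual: bool,
                initiator_secret: bytes = INITIATOR_SECRET,
                target_secret: bytes = TARGET_SECRET) -> dict:
    """Simulate the CHAP portion of an iSCSI login and report who accepted whom.

    The secrets passed in are what each side *presents*; the verifiers keep the
    secrets they *expect*, so passing a wrong value models a misconfiguration."""
    vt = Verifier({INITIATOR_NAME: INITIATOR_SECRET})   # names bound to the VT
    host = Verifier({TARGET_NAME: TARGET_SECRET})       # target credentials on the host
    result = {"target_accepted_initiator": False, "initiator_accepted_target": None}

    # Step 1: VT -> initiator: CHAP_A=5, CHAP_I, CHAP_C
    chap_i, chap_c = vt.challenge()
    # Step 2: initiator -> VT: CHAP_N (its user name), CHAP_R (its response)
    chap_r = chap_response(chap_i, initiator_secret, chap_c)
    result["target_accepted_initiator"] = vt.check(chap_i, chap_c, INITIATOR_NAME, chap_r)
    if not result["target_accepted_initiator"] or not mutual:
        return result  # one-way CHAP stops here; a rejected initiator gets no further

    # Step 3 (mutual only): initiator -> VT: its own CHAP_I, CHAP_C
    h_i, h_c = host.challenge()
    # Step 4: VT -> initiator: CHAP_N (target user name), CHAP_R with the target secret
    t_r = chap_response(h_i, target_secret, h_c)
    result["initiator_accepted_target"] = host.check(h_i, h_c, TARGET_NAME, t_r)
    return result


if __name__ == "__main__":
    print("one-way:", iscsi_login(mutual=False))
    print("mutual: ", iscsi_login(mutual=True))
    print("mutual, wrong target secret:", iscsi_login(mutual=True, target_secret=b"wrong"))
```

The asymmetry is the point of the second half: with one-way CHAP the initiator never learns whether it is talking to the intended VT, which is why the guide offers the mutual option; the target secret must then also be present on every initiator that will log in.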
4. Enter the iscsiCfg --show tgt command with the -t and -v options to verify that a user name has been bound to the iSCSI VT:
   switch:admin> iscsicfg --show tgt -t iqn.2002-10.com.brocade:tgt -v
   Number of records found: 1
   Name: iqn.2002-10.com.brocade:tgt1
   CHAP Users        CHAP Status
   1. iscsitgt1      Online/Committed
   2. hello123       Invalid

Deleting user names from an iSCSI VT binding list
User names can be deleted from the list of bound user names.
1.
Resolving conflicts between iSCSI configurations
1. Connect and log in to the switch.
2. Enter the iscsiCfg --show transaction command to display the pending transactions:
   switch:admin> iscsicfg --show transaction
   Active transaction ID is: 10490 and the owner is: CLI.
   The following groups have been modified:
   1. Auth. group.
   2. Target/LUN group.
   3. DD/DDSet group.
3.
5. Enter the iscsiCfg --show fabric command to verify that the conflict has been resolved:
   switch:admin> iscsicfg --show fabric
   Switch ID   Switch WWN                 Switch State   iSNSC
   220         10:00:00:05:1e:36:0d:f8    In Sync        Disabled
   * 1         10:00:00:60:69:e0:01:56    --             Disabled
   Aggregated iSCSI database state for fabric: In Sync

LUN masking considerations
The node WWN and port WWN of the local switch are used to query LUNs on the physical target.
iSCSI FC zoning overview

[FIGURE 37 iSCSI zone: on the IP SAN side, iSCSI initiators A and B in discovery domains DD1 and DD2 reach VT 1, VT 2 and VT 3 in the iSCSI GbE portal group, each IP portal backed by an iSCSI virtual initiator; on the FC side, the virtual initiators and FC targets 1, 2 and 3 with their LUNs are members of the iSCSI zone, joined through the iSCSI gateway service.]
• The iSCSI virtual initiators (VIs):
  - If there is more than one FC4-16IP blade in the chassis, you must add all virtual initiators to the same zone.
  - If there is more than one FC4-16IP blade in the fabric, you must add all virtual initiators from all switches to the same zone.
  - If connection redirection is not used, only the VI correlating to the iSCSI target portal used by the host(s) needs to be used.
switch:admin> nsshow
{
 Type Pid    COS     PortName                NodeName                 TTL(sec)
 NL   0120d6;   3;21:00:00:04:cf:e7:74:cf;20:00:00:04:cf:e7:74:cf; na
    FC4s: FCP [SEAGATE ST336607FC      0004]
    Fabric Port Name: 20:20:00:60:69:e0:01:56
    Permanent Port Name: 21:00:00:04:cf:e7:74:cf
    Port Index: 32
    Share Area: No
    Device Shared in Other AD: No
 NL   0120d9;   3;21:00:00:04:cf:e7:73:7e;20:00:00:04:cf:e7:73:7e; na
    FC4s: FCP [SEAGATE ST336607FC      0004]
    Fabric Port Name: 20:20:00:60:69:e0:01:56
    Permanent Port Name: 21:00:0
    Share Area: No
    Device Shared in Other AD: No
 N    012c00;   3;50:06:06:9e:00:15:63:20;50:06:06:9e:00:15:63:21; na
    FC4s: FCP
    PortSymb: [23] "iSCSI Virtual Initiator"
    NodeSymb: [51] "IPAddr: 30.0.127.
Zoning configuration creation
   switch:admin> cfgsave
   You are about to save the Defined zoning configuration. This
   action will only save the changes on the Defined configuration.
   Any changes made on the Effective configuration will not
   take effect until it is re-enabled.
   Do you want to save Defined zoning configuration only? (yes, y, no, n): [no] y
8. Enter the zoneCreate command.
   switch:admin> cfgsave
   You are about to save the Defined zoning configuration. This
   action will only save the changes on Defined configuration.
   Any changes made on the Effective configuration will not
   take effect until it is re-enabled.
   Do you want to save Defined zoning configuration only? (yes, y, no, n): [no] y
   Updating flash ...
4. Enter the cfgEnable command.
   switch:admin> cfgenable iscsi_cfg001
   You are about to enable a new zoning configuration.
iSNS client service configuration

Displaying iSNS client service status
1. Connect and log in to the switch.
2. Enter the fosConfig command to show the current Fabric OS configuration.
   switch:admin> fosconfig --show
   FC Routing service:    disabled
   iSCSI service:         enabled
   iSNS Client service:   disabled

Enabling the iSNS client service
This section explains how to enable the iSNS client service and configure the iSNS server IP address. Fabric OS supports one iSNS server connection.
   Enter the isnsccfg --set command with the -m and -s options to set the IP address of the iSNS server management port rather than the GbE port:
   switch:admin> isnsccfg --set -m -s IP_address
   where IP_address is the iSNS server management port IP address. The following is an example.
   switch:admin> isnsccfg --set -m -s 10.33.56.105
   iSNS client configuration updated: peering with iSNS server 10.33.56.105 on the management port.
5.
Chapter 13 Administering NPIV

In this chapter
• NPIV overview
• Enabling and disabling NPIV
• Configuring NPIV
• Viewing NPIV port configuration information
Enabling and disabling NPIV
On the Brocade 300, 4100, 4900, 5000, 5100, and 5300 switches, the Brocade 5410, 5424, 5450, 5480 embedded switches, the Brocade 48000 director, the Brocade DCX and DCX-4S enterprise-class platforms, and the FA4-18 blade, NPIV is enabled for every port.

NOTE
The FC10-6 port blade and the CEE ports on the Brocade 8000 do not support NPIV.
1. Connect to the switch and log in using an account assigned to the admin role.
2.
Use this parameter to set the number of virtual N_Port_IDs per switch to a value between 0 and 126 multiplied by the number of ports you specify when setting this parameter. The default setting is 16 multiplied by the number of ports specified. If no ports are specified then all ports on the switch are used.

ATTENTION
The switchDisable command disables the switch and stops all traffic flowing to and from the switch.
Viewing NPIV port configuration information
Speed               AN   AN   AN   AN   AN   AN   AN   AN   AN
Trunk Port          ON   ON   ON   ON   ON   ON   ON   ON   ON
Long Distance       ..   ..   ..   ..   ..   ..   ..   ..   ..
VC Link Init        ..   ..   ..   ..   ..   ..   ..   ..   ..
Locked L_Port       ..   ..   ..   ..   ..   ..   ..   ..   ..
Locked G_Port       ..   ..   ..   ..   ..   ..   ..   ..   ..
Disabled E_Port     ..   ..   ..   ..   ..   ..   ..   ..   ..
ISL R_RDY Mode      ..   ..   ..   ..   ..   ..   ..   ..   ..
RSCN Suppressed     ..   ..   ..   ..   ..   ..   ..   ..   ..
Persistent Disable  ..   ..   ..   ..   ..   ..   ..   ..   ..
NPIV capability     ON   ON   ON   ON   ON   ON   ON   ON
portScn: 32 F_Port
port generation number: 148
portId: 630200
portIfId: 43020005
portWwn: 20:02:00:05:1e:35:37:40
portWwn of device(s) connected:
   c0:50:76:ff:fb:00:16:fc
   c0:50:76:ff:fb:00:16:f8
   ...
Chapter 14 Interoperability for Merged SANs

In this chapter
• Interoperability overview
• Connectivity solutions
• Domain ID offset modes
• McDATA Fabric mode configuration restrictions
Connectivity solutions
• InteropMode 2 for McDATA Fabric mode, which supports M-EOS switches running in McDATA Fabric mode.
• InteropMode 3 for McDATA Open Fabric mode, which supports M-EOS switches running in Open Fabric mode. McDATA Open Fabric mode is intended specifically for adding Fabric OS-based products to M-EOS fabrics that are already using Open Fabric mode. Fabrics containing only Fabric OS switches in Open Fabric mode are not supported.
[FIGURE 39 Typical direct E_Port configuration]

Domain ID offset modes
The domain ID offset in interopmode 3 (IM3) allows an M-EOS switch to operate in a fabric that contains domain IDs other than 1-31. In interopmode 2 (IM2) the domain ID offset can only be in the 1-31 range. In IM3, the domain ID offset only changes the range of domain IDs used; the restriction of 31 switches in a fabric remains.
domain controller offset. In IM3 the device offset is always the same as the domain controller offset. The offset is used to define the minimum and maximum of the domain ID range. Refer to Table 17 and Table 18 for the internal representation of domain ID offset values in IM2 and IM3 respectively.

TABLE 52 Internal representations of domain ID offsets in IM2
In IM3: The Domain ID is always in the range of 97-127, or 1-31 plus the default Domain ID Offset of 0x60 (96). For example, the Domain ID of 5 would be configured as 101 (101 - 96 = 5).
• Domain ID offset mode — In this mode, you can set the Domain ID Offset to any one of the following values: 0x00, 0x20, 0x40, 0x80, 0xA0, or 0xC0. Supported Domain ID ranges are: 1-31, 33-63, 65-95, 129-159, 161-191, 193-223.
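The offset arithmetic in this section, as an added example that is not from the guide or from Brocade: Python helpers that map between the 1-31 domain ID an M-EOS switch works with and the configured value (5 at the IM3 default offset 0x60 gives 101, and 101 - 96 recovers 5), derive the supported range for each offset mode value listed above, and identify which offset a configured ID falls under so that a value outside every range is caught before it is typed into configure. The function names are mine; the offset values, the ranges and the 31-switch limit are the ones stated in the text.

```python
from typing import Optional, Sequence, Tuple

# Values stated in the text: the IM3 default offset and the offset mode values.
DEFAULT_IM3_OFFSET = 0x60            # 96 decimal; configured IDs 97-127
OFFSET_MODE_VALUES = (0x00, 0x20, 0x40, 0x80, 0xA0, 0xC0)
MAX_SWITCHES = 31                    # the 31-switch limit still applies in IM3
ALL_OFFSETS = OFFSET_MODE_VALUES + (DEFAULT_IM3_OFFSET,)


def domain_id_range(offset: int) -> Tuple[int, int]:
    """Configured domain IDs reachable with a given offset: offset+1 .. offset+31."""
    if offset < 0 or offset % 0x20 != 0:
        raise ValueError(f"offset must be a non-negative multiple of 0x20, got {offset:#x}")
    return offset + 1, offset + MAX_SWITCHES


def to_configured_domain_id(logical_id: int, offset: int = DEFAULT_IM3_OFFSET) -> int:
    """Map a 1-31 domain ID to the value entered on the Fabric OS switch."""
    if not 1 <= logical_id <= MAX_SWITCHES:
        raise ValueError(f"domain ID {logical_id} is outside 1-{MAX_SWITCHES}")
    return logical_id + offset


def to_logical_domain_id(configured_id: int, offset: int = DEFAULT_IM3_OFFSET) -> int:
    """Inverse of to_configured_domain_id; rejects IDs outside the offset's range."""
    lo, hi = domain_id_range(offset)
    if not lo <= configured_id <= hi:
        raise ValueError(f"domain ID {configured_id} is outside {lo}-{hi} for offset {offset:#x}")
    return configured_id - offset


def offset_for_domain_id(configured_id: int,
                         offsets: Sequence[int] = ALL_OFFSETS) -> Optional[int]:
    """Return the offset whose range contains configured_id, or None if no
    supported range does (for example 32, 64 or 128, which sit between ranges)."""
    for off in offsets:
        lo, hi = domain_id_range(off)
        if lo <= configured_id <= hi:
            return off
    return None


if __name__ == "__main__":
    print("domain 5 at IM3 default ->", to_configured_domain_id(5))        # 101
    print("configured 101 ->", to_logical_domain_id(101))                  # 5
    for off in OFFSET_MODE_VALUES:
        print(f"offset {off:#04x}: range {domain_id_range(off)}")
    print("offset for 150:", hex(offset_for_domain_id(150)))
    print("offset for 64:", offset_for_domain_id(64))
```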
NOTE
If insistent domain ID (IDID) is not enabled and a switch attempts to join the fabric with a duplicate DID, the principal switch will assign the incoming switch a different domain ID. If the principal switch cannot assign a different domain ID to the incoming switch, it will segment from the fabric.
• The DCC policy or port based security is not supported in McDATA Fabric mode.
Interoperability support for logical switches
Interoperability for logical switches is supported on the Brocade 5100 and 5300 switches, and the Brocade DCX and DCX-4S platforms. You can configure logical switches individually to operate in any of the interoperable modes. This means that McDATA Fabric mode, McDATA Open Fabric mode, and Brocade Native mode are supported in the same chassis.
Switch configurations for interoperability

Enabling McDATA Open Fabric mode
When configuring McDATA Open Fabric mode, avoid domain ID conflicts before fabric reconfiguration. When configuring multiple switches, you should wait for a fabric reconfiguration after adding or removing each switch. Every switch in the fabric must have a unique domain ID.
1.
   Configure...
   Fabric Parameters (yes, y, no, n): [no] y
      Domain (1...31): [1] 5
5. Enter the interopMode 2 command to enable interoperability. This command resets a number of parameters and enables fabric mode.
   switch:admin> interopmode 2
   McDATA Fabric mode is enabled
   The switch effective and defined configuration will be lost if interop mode is changed.
   Interop mode or Domain Offset will be changed and switch will be enabled.
Zone management in interoperable fabrics
McDATA Fabric and McDATA Open Fabric modes support zone activation using an M-series management tool such as Data Center Fabric Manager (DCFM) or Web Tools. You can only launch one zoning management tool at a time. The Defined Database is where special zones, such as Frame Redirection and Traffic Isolation zones, reside on Fabric OS switches.
• Zoning using domain,index notation is allowed only in McDATA Fabric mode (IM2), not in McDATA Open Fabric mode (IM3).

Zone name restrictions
The name value must contain the ASCII characters that actually specify the name, not including any required fill bytes. Names must follow these rules:
• Length must be between 1 and 64 characters.
• All characters must be 7-bit ASCII.
ATTENTION
Safe zoning mode is only available in fabrics with their interoperable mode set to 2. With safe zoning enabled, the effective configurations must match exactly. Also, it does not allow the default zone to be enabled. To allow a Fabric OS switch into an M-EOS native fabric, safe zoning mode must be disabled. This allows the Fabric OS switch to join the fabric although the zone sets do not match.
In McDATA Fabric mode, you can set the effective zone configuration to the Defined Database. If the Defined Database contains a configuration with the same name, it is replaced. Any non-duplicate zone sets or zones remain unchanged. Before moving the effective zone configuration to the Defined Database, you should view the zoning configuration. In Fabric OS v6.3.
The Defined Zone Database in McDATA Open Fabric mode supports the special Frame Redirect zones. Frame Redirection supports the following:
• Allows you to create Frame Redirection zones and send redirection zone updates to switches running M-EOS in McDATA Open Fabric mode (interopmode 3) and McDATA Fabric mode (interopmode 2).
• Allows redirection of data traffic for hosts and targets attached to switches running M-EOS.
Fabric OS Layer 2 Fabric Binding
The Fabric OS SANtegrity binding feature locks the fabric into its intended configuration and ensures protection against WWN spoofing for E_Ports and N_Ports. Switches must exchange and validate their Fabric Binding Membership list when bringing up an ISL. Enabling Fabric Binding using DCFM automatically enables Insistent Domain ID on all Fabric OS and M-EOS switches in the fabric.
E_Port authentication between Fabric OS and M-EOS switches

TABLE 54 Fabric OS switch authentication types
Fabric OS authentication type   M-EOS support   M-EOS switch explanation
FCAP                            No              M-EOS switch does not support the FCAP protocol.
DH-CHAP                         Yes             DH-CHAP supported.

Table 55 describes the Fabric OS authentication modes.
Table 57 describes the device authentication mode.

TABLE 57 Device authentication mode
Fabric OS authentication mode   M-EOS support   M-EOS switch explanation
Off                             N/A             Not used for E_Port authentication.
Passive                         N/A             Not used for E_Port authentication.

Switch authentication policy
There are differences in the Switch Authentication policies between the Fabric OS switch and the M-EOS switch.
TABLE 58 Fabric OS switch authentication policy when all secrets are correct
Columns: Fabric OS switch policy (Passive, Active, On, Off). Rows: M-EOS switch policy.
On / Passive: Yes! Connected with two-way authentication; both sides of the connection perform authentication (Fabric builds normally).
On / Active: Yes! Connected with two-way authentication; both sides of the connection perform authentication (Fabric builds normally).

TABLE 59 Fabric OS switch authentication policy - Fabric OS switch with incorrect peer secret for M-EOS switch
Columns: Fabric OS switch policy (Passive, Active, On, Off). Rows: M-EOS switch policy.
On / Passive: No. E_Port does not connect (Authentication Rejected). When the Fabric OS switch generates the reject, it will disable the Fabric OS port. When the M-EOS switch generates the reject, it will go to an invalid attachment state.
On / Active: No. E_Port does not connect (Authentication Rejected).

TABLE 60 Fabric OS switch authentication policy - M-EOS switch with the incorrect peer secret for Fabric OS switch
Columns: Fabric OS switch policy (Passive, Active, On, Off). Rows: M-EOS switch policy.
On / Passive: No. E_Port does not connect (Authentication Rejected). When the Fabric OS switch generates the reject, it disables the Fabric OS port. When the M-EOS switch generates the reject, it goes to an invalid attachment state.
On / Active: No. E_Port does not connect (Authentication Rejected).

TABLE 61 Fabric OS switch authentication policy when connected to an M-EOS dumb switch
Columns: Fabric OS switch policy (Passive, Active, On, Off).
Passive: Yes. Connected without any authentication (Fabric builds normally).
Active: No. E_Port does not connect (Authentication Rejected). When the Fabric OS switch generates the reject, it disables the Fabric OS port. When the M-EOS switch generates the reject, it goes to an invalid attachment state.
Authentication of VE_Port-to-VE_Port connections
Although running authentication for VE_Ports works the same as for E_Ports, for VE_Ports both sides of the connection are on Fabric OS switches. Table 62 shows the switch authentication policy for VE_Port-to-VE_Port connections when all the secrets are correct. Note that there is no *Yes in the table indicating one-way authentication.
TABLE 62 VE_Port-to-VE_Port authentication policy with correct switch secret (Continued)
Columns: Fabric OS switch VE_Port-to-VE_Port policy (Passive, Active, On, Off). Rows: peer VE_Port policy.
On / Passive: Yes! Connected with two-way authentication; both sides of the connection perform authentication (Fabric builds normally).
On / Active: Yes! Connected with two-way authentication; both sides of the connection perform authentication (Fabric builds normally).

TABLE 63 VE_Port-to-VE_Port authentication policy with unknown switch secret
Columns: Fabric OS switch VE_Port-to-VE_Port policy (Passive, Active, On, Off). Rows: peer VE_Port policy.
Passive / Passive: Yes. Connected without any authentication (Fabric builds normally).
Passive / Active: No. E_Port does not connect (Authentication Rejected). When the Fabric OS switch generates the reject, it disables the Fabric OS port. When the M-EOS switch generates the reject, it goes to an invalid attachment state.

TABLE 63 VE_Port-to-VE_Port authentication policy with unknown switch secret (Continued)
On / Passive: No. E_Port does not connect (Authentication Rejected). When the Fabric OS switch generates the reject, it disables the Fabric OS port. When the M-EOS switch generates the reject, it goes to an invalid attachment state.
On / Active: No. E_Port does not connect (Authentication Rejected).
FCR SANtegrity

TABLE 64 VEX_Port-to-VE_Port authentication policy with correct secrets
Columns: Fabric OS switch VEX_Port-to-VE_Port policy (Passive, Active, On, Off). Rows: peer VE_Port policy.
Passive / Passive: Yes. Connected without any authentication (Fabric builds normally).
Passive / Active: Yes! Connected with two-way authentication; both sides of the connection perform authentication (Fabric builds normally).
Passive / On: Yes! Connected with two-way authentication; both sides of the connection perform authentication (Fabric builds normally).
NOTE
After a Fabric Binding check failure between a McDATA E_Port and an EX_Port, the current M-EOS implementation requires you to disable the M-EOS port and then re-enable it before the link can come up again. Enabling just the EX_Port does not always allow the link to come up again.
1. Connect to the switch and log in using an account assigned to the admin role. Ensure that the port is offline to configure the preferred domain ID.
2. Enter the portCfgEXPort command. For McDATA Fabric mode, the valid range of domain IDs is from 1-32. For McDATA Open Fabric mode, the valid range of domain IDs is from 97-127. For example, to set preferred domain ID to 5 on port 2 in McDATA Fabric mode:
   switch:admin> portcfgexport 2 -d 5
3. Enable the EX_Port.
Coordinated Hot Code Load
Coordinated Hot Code Load (HCL) removes the limitations on the number of E_Ports that can be supported. Fabric OS v6.1.0 supports Coordinated HCL on all Fabric OS switches when connected to a mixed fabric with M-EOS switches running in either McDATA Fabric or McDATA Open Fabric mode.
If you select yes, the firmwareDownload operation proceeds without making the normal Coordinated HCL checks. The firmwareDownload -o command upgrades both CPs in the switch.

Coordinated HCL on switches firmware downloads
If the firmwareDownload command is entered with both the -s and -b (auto-reboot) options, a best effort will be made to run Coordinated HCL. If one or more switches in the fabric do not support Coordinated HCL, the firmware download process will still continue.
TABLE 66 McDATA-aware features (Continued)
Feature               Behavior
FICON and FICON CUP   Fabric Binding is required for FICON support in mixed fabrics. Cascaded CUP and Missing Interrupt Handler Process Timeout (MIHPTO), which should be set to 60, are supported. Cascaded CUP is only supported in McDATA Fabric mode.
Long distance         The configure command displays the number of buffer credits allocated to a port.
TABLE 68 Complete feature compatibility matrix (Continued)
Feature                                     Support   Notes
DHCP                                        Yes
Environmental monitor                       Yes
Error event management                      Yes
Fabric Device Management Interface (FDMI)   Yes
Fabric Watch (FW)                           Yes
Fibre Channel over Ethernet (FCoE)          No        McDATA Fabric mode and McDATA Open Fabric mode are not supported on the Brocade 8000.
TABLE 68 Complete feature compatibility matrix (Continued)
Feature          Support   Notes
Open E_Port      Yes       Autonegotiates the R_RDY mode by default. Use portCfgIsMode to configure the port statically.
Port mirroring   Yes       Fabric OS v6.2.0 and later supports 8 Gbps port mirroring.
  NPIV management on the Fabric OS switch is the same as in the standard Fabric OS SAN that is not merged. There are no limitations for NPIV support in an M-EOS Fabric 1.0 mode fabric.
• Trunking
  Fabric OS switches support trunking when participating in Brocade Native, McDATA Fabric, or McDATA Open Fabric mode. Trunk ports (bandwidth aggregation) only apply to an ISL between two Fabric OS switches.
Supported hardware in an interoperable environment

TABLE 69 Fabric OS interoperability with M-EOS
Columns: Fabric OS v6.1.0, Fabric OS v6.2.0, Fabric OS v6.3.0
Supported features in an interoperable environment

TABLE 70 Supported Fabric OS features
Columns: Fabric OS Features; Fabric OS v6.1.0; Fabric OS v6.2.0; Fabric OS v6.3.0
TABLE 70 Supported Fabric OS features (Continued)
Columns: Fabric OS Features; Fabric OS v6.1.0 (Interop mode 2, Interop mode 3); Fabric OS v6.2.0 (Interop mode 2, Interop mode 3); Fabric OS v6.3.0 (Interop mode 2, Interop mode 3)
Dynamic Path Selection (DPS); exchange based routing
   v6.1.0, Interop mode 2: Yes. Supported outbound from Fabric OS-based switches. M-EOS can provide reciprocal load balancing using OpenTrunking.
   v6.1.0, Interop mode 3: Yes. Supported outbound from Fabric OS-based switches.
Unsupported features in an interoperable environment
Chapter 15 Managing Administrative Domains

In this chapter
• Administrative Domains overview . . . . . 337
• Admin Domain management for physical fabric administrators . . . . . 346
• SAN management with Admin Domains
Administrative Domains overview

[FIGURE 40 Fabric with two Admin Domains (AD1 and AD2)]

Figure 41 shows how users get a filtered view of this fabric, depending on which Admin Domain they are in. As shown in Figure 41, users can see all switches and E_Ports in the fabric, regardless of their Admin Domain; however, the switch ports and end devices are filtered based on Admin Domain membership.
Admin Domain features
Admin Domains allow you to:
• Define the scope of an Admin Domain to encompass ports and devices within a switch or a fabric.
• Share resources across multiple Admin Domains. For example, you can share array ports and tape drives between multiple departments. In Figure 40 on page 338, one of the storage devices is shared between AD1 and AD2.
• Have a separate zone database for each Admin Domain.
Admin Domain access levels

Admin Domains offer a hierarchy of administrative access. To manage Admin Domains, you must be a physical fabric administrator. A physical fabric administrator is a user with the admin role and access to all Admin Domains (AD0 through AD255). Only a physical fabric administrator can perform Admin Domain configuration and management. Other administrative access is determined by your defined RBAC role and AD membership.
Initially, the AD0 implicit membership list contains all devices, switch ports, and switches in the fabric. When you explicitly create AD1 through AD254, the devices, switch ports, and switches used to create these user-defined Admin Domains disappear from the AD0 implicit membership list.
FIGURE 42 Fabric with AD0 and AD255

Admin Domains and login

You are always logged in to an Admin Domain, and you can view and modify only the devices in that Admin Domain. If you have access to more than one Admin Domain, one of them is designated as your home Admin Domain, the one you are automatically logged in to.
• If you are in any Admin Domain context other than AD0, the Admin Domain number is included in the system prompt displayed during your session. The following are example prompts for when you are in the AD0, AD1, and AD255 contexts, respectively:
   switch:admin>
   switch:AD1:admin>
   switch:AD255:admin>

Admin Domain member types

You define an Admin Domain by identifying members of that domain. Admin Domain members can be devices, switch ports, or switches.
If a device is a member of an Admin Domain, the switch port to which the device is connected becomes an indirect member of that Admin Domain and the domain,index is removed from the AD0 implicit membership list.

NOTE
If the switch domain ID changes, the domain,index members are invalid (they are not automatically changed). You must then reconfigure the Admin Domain with the current domain,index members.
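The membership rules above (three member types, the shrinking AD0 implicit list, indirect port membership created by a device member, and domain,index members going stale after a domain ID change) are easy to get wrong when auditing who can see what. The following model is an added example written for this guide; it is not Fabric OS code and does not talk to a switch. The two-switch fabric, the WWNs, the AD1/AD2 definitions and the renumber_domain helper that stands in for a domain ID change are all constructed for the example. The stale_port_members check is the one a physical fabric administrator would run before reconfiguring an Admin Domain after such a change.

```python
"""Admin Domain membership model (added example, not Fabric OS code).

Models the three member types (device WWN, switch port as domain,index,
switch WWN), AD0's implicit list shrinking as user-defined ADs claim
resources, the indirect port membership created by a device member, and
a check for domain,index members left stale by a domain ID change.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set, Tuple

Port = Tuple[int, int]  # (domain ID, port index): the D,I notation


@dataclass
class Fabric:
    switches: Dict[str, int]        # switch WWN -> domain ID (constructed)
    device_ports: Dict[str, Port]   # device WWN -> port it is attached to

    def ports(self) -> Set[Port]:
        return set(self.device_ports.values())

    def renumber_domain(self, old: int, new: int) -> None:
        """Hypothetical domain ID change: the fabric re-addresses, the AD database does not."""
        for wwn, dom in list(self.switches.items()):
            if dom == old:
                self.switches[wwn] = new
        for wwn, (dom, idx) in list(self.device_ports.items()):
            if dom == old:
                self.device_ports[wwn] = (new, idx)


@dataclass
class AdminDomain:
    name: str
    devices: Set[str] = field(default_factory=set)
    ports: Set[Port] = field(default_factory=set)           # explicit D,I members
    switches: Set[str] = field(default_factory=set)
    indirect_ports: Set[Port] = field(default_factory=set)  # ports of device members

    def all_ports(self) -> Set[Port]:
        return self.ports | self.indirect_ports


class AdDatabase:
    def __init__(self, fabric: Fabric):
        self.fabric = fabric
        self.ads: Dict[str, AdminDomain] = {}

    def create(self, name: str, devices: Iterable[str] = (), ports: Iterable[Port] = (),
               switches: Iterable[str] = ()) -> AdminDomain:
        """Like ad --create: a device member makes its switch port an indirect member."""
        ad = AdminDomain(name, set(devices), set(ports), set(switches))
        for wwn in ad.devices:
            if wwn not in self.fabric.device_ports:
                raise ValueError(f"unknown device {wwn}")
            ad.indirect_ports.add(self.fabric.device_ports[wwn])
        self.ads[name] = ad
        return ad

    def ad0_implicit(self) -> Dict[str, set]:
        """Resources no user-defined AD has claimed, explicitly or indirectly."""
        ads = list(self.ads.values())
        return {
            "devices": set(self.fabric.device_ports) - set().union(*(a.devices for a in ads)),
            "ports": self.fabric.ports() - set().union(*(a.all_ports() for a in ads)),
            "switches": set(self.fabric.switches) - set().union(*(a.switches for a in ads)),
        }

    def visible_devices(self, name: str) -> Set[str]:
        """The filtered device list a session in this AD context sees."""
        if name == "AD0":
            return self.ad0_implicit()["devices"]
        ad = self.ads[name]
        on_member_ports = {w for w, p in self.fabric.device_ports.items() if p in ad.ports}
        return ad.devices | on_member_ports

    def stale_port_members(self) -> Dict[str, Set[Port]]:
        """D,I members naming a domain ID that no longer exists in the fabric."""
        live = set(self.fabric.switches.values())
        stale = {n: {p for p in ad.all_ports() if p[0] not in live} for n, ad in self.ads.items()}
        return {n: s for n, s in stale.items() if s}


def demo() -> AdDatabase:
    """Constructed two-switch fabric: hosts in AD1/AD2, one shared array port, a tape left in AD0."""
    fabric = Fabric(
        switches={"10:00:00:05:1e:aa:00:01": 1, "10:00:00:05:1e:bb:00:02": 2},
        device_ports={
            "21:00:00:e0:8b:00:00:01": (1, 4),  # host for AD1
            "21:00:00:e0:8b:00:00:02": (2, 7),  # host for AD2
            "50:06:01:60:00:00:00:aa": (2, 1),  # array port shared by AD1 and AD2
            "50:01:04:f0:00:00:00:bb": (1, 9),  # tape drive, stays in AD0
        },
    )
    db = AdDatabase(fabric)
    db.create("AD1", devices={"21:00:00:e0:8b:00:00:01", "50:06:01:60:00:00:00:aa"})
    db.create("AD2", devices={"21:00:00:e0:8b:00:00:02"}, ports={(2, 1)})
    return db
```

In the demo, AD0's implicit list shrinks to the tape drive and port 1,9; a session in AD2 sees its host plus the array port it shares with AD1 through the explicit port member 2,1; and after domain 2 is renumbered to 3, every stored 2,index member in AD1 and AD2 is reported stale even though the devices themselves are still attached.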
Figure 43 shows an unfiltered view of a fabric with two switches, three devices, and two Admin Domains. The devices are labeled with device WWNs and the switches are labeled with domain ID and switch WWNs.
Admin Domain management for physical fabric administrators

Admin Domain compatibility, availability, and merging

Admin Domains maintain continuity of service for Fabric OS features and operate in mixed-release Fabric OS environments. High availability is supported with some backward compatibility. When an E_Port comes online, the adjacent switches merge their AD databases.
1. Log in to the switch with the appropriate RBAC role.
2. Ensure you are in the AD0 context by entering the ad --show command to determine the current Admin Domain. If necessary, switch to the AD0 context by entering the ad --select 0 command.
3. Set the default zoning mode to No Access, as described in “Setting the default zoning mode” on page 243.
5. Enter the ad --create command using the -d option to specify device and switch port members and the -s option to specify switch members:
   ad --create ad_id -d "dev_list" -s "switch_list"
6. Enter the appropriate command based on whether you want to save or activate the Admin Domain definition:
• To save the Admin Domain definition, enter ad --save.
Creating a new user account for managing Admin Domains

1. Connect to the switch and log in as admin.
2. Enter the userConfig --add command using the -r option to set the role, the -a option to provide access to Admin Domains, and the -h option to specify the home Admin Domain.
Removing an Admin Domain from a user account

When you remove an Admin Domain from an account, all of the currently active sessions for that account are logged out.
1. Connect to the switch and log in using an account assigned to the admin role.
2.
Deactivating an Admin Domain

If you deactivate an Admin Domain, the members assigned to the Admin Domain can no longer access their hosts or storage unless those members are part of another Admin Domain. You cannot log in to an Admin Domain that has been deactivated. You must activate an Admin Domain before you can log in to it.
1. Connect to the switch and log in as admin.
2.
• To save the Admin Domain definition, enter ad --save.
• To save the Admin Domain definition and directly apply the definition to the fabric, enter ad --apply.

Example
The following example adds two switch ports, designated by domain,index, to AD1.
switch:AD255:admin> ad --add AD1 -d "100,5; 4,1"

Removing members from an Admin Domain

NOTE
If you remove the last member of an Admin Domain, that Admin Domain is automatically deleted.
1.
3. Enter the ad --rename command with the present name and the new name.
   ad --rename present_name new_name
4. Enter the appropriate command based on whether you want to save or activate the Admin Domain definition:
• To save the Admin Domain definition, enter ad --save.
• To save the Admin Domain definition and directly apply the definition to the fabric, enter ad --apply.
The Admin Domain numbers remain unchanged after the operation.
Deleting all user-defined Admin Domains

When you clear the Admin Domain configuration, all user-defined Admin Domains are deleted, the explicit membership list of AD0 is cleared, and all fabric resources (switches, ports, and devices) are returned to the implicit membership list of AD0. You cannot clear the Admin Domain configuration if zone configurations exist in any of the user-defined Admin Domains.
where:
   source_AD     Name of the user-defined AD from which you are copying the zone.
   source_name   Name of the zone to be copied.
   dest_name     Name to give the zone after it is copied to AD0.
4. Copy the newly added zones in AD0 to the zone configuration.
   cfgadd "cfgName", "member[;member]"
5. Enable the configuration to complete the transaction.
   cfgenable cfgName
6. Switch to the AD255 context.
   ad --select 255
7.
FIGURE 45 AD0 and two user-defined Admin Domains, AD1 and AD2

FIGURE 46 AD0 with three zones

sw0:admin> ad --exec 255 "cfgshow"
Zone CFG Info for AD_ID: 0 (AD Name: AD0, State: Active) :
Defined configuration:
 cfg:   AD0_cfg   AD0_RedZone
 zone:  AD0_RedZone   10:00:00:00:01:00:00:
10:00:00:00:02:00:00:00 10:00:00:00:03:00:00:00
Zone CFG Info for AD_ID: 2 (AD Name: AD2, State: Active) :
Defined configuration:
 cfg:   AD2_cfg   AD2_GreenZone
 zone:  AD2_GreenZone   10:00:00:00:04:00:00:00; 10:00:00:00:05:00:00:00
Effective configuration:
 cfg:   AD2_cfg
 zone:  AD2_GreenZone   10:00:00:00:04:00:00:00
                        10:00:00:00:05:00:00:00
sw0:admin> zone --copy AD1.AD1_BlueZone AD0_BlueZone
sw0:admin> zone --copy AD2.
SAN management with Admin Domains

1. Connect to the switch and log in as admin.
2. Switch to the AD255 context, if you are not already in that context.
   ad --select 255
3. Enter the ad --validate command.
   ad --validate ad_id -m mode
If you do not specify any parameters, the entire AD database (transaction buffer, defined configuration, and effective configuration) is displayed. If you do not specify an Admin Domain, information about all existing Admin Domains is displayed.
CLI commands in an AD context

The CLI command input arguments are validated against the AD member list; they do not work with input arguments that specify resources that are not members of the current Admin Domain. All commands present filtered output, showing only the members of the current Admin Domain. For example, switchShow displays details for the list of AD members present in that switch.
• AD0-AD254 contexts: the membership of the current Admin Domain is displayed.
• AD0: the device and switch list members are categorized into implicit and explicit member lists.
1. Connect to the switch and log in as any user type.
2. Enter the ad --show command.
   ad --show
If you are in the AD0 context, you can use the -i option to display the implicit membership list of AD0; otherwise, only the explicit membership list is displayed.
Example
The following example switches to the AD12 context and back. Note that the prompt changes to display the Admin Domain.
switch:admin> ad --select 12
switch:AD12:admin> logout
switch:admin>

Admin Domain interactions with other Fabric OS features

The administrative domain feature provides interaction with other Fabric OS features and across third-party applications. You can manage Admin Domains with Web Tools as well as the CLI.
TABLE 73 Admin Domain interaction with Fabric OS features (Continued)

FICON: Admin Domains support FICON. However, you must perform additional steps because FICON management (CUP) requires additional physical control of the ports. You must set up the switch as a physical member of the FICON AD.
See “Validating a zone” on page 241 for instructions on using the zone --validate command. For more information about the zone command and its use with Admin Domains, see the Fabric OS Command Reference.

NOTE
AD zone databases do not have an enforced size limit. The zone database size is calculated by the upper limit of the AD membership definition and the sum of all the zone databases for each AD. Admin Domains support the default zone mode of noaccess only.
The auto-converted LSAN zone names might collide with LSAN zone names in AD0 (for example, in the above example, if AD0 contains lsan_for_linux_farm_AD005, this causes a name collision). Fabric OS does not detect or report such name clashes. LSAN zone names longer than 57 characters are not converted or sent to the FCR phantom domain. See Chapter 21, “Using the FC-FC Routing Service,” for information about LSAN zones.
Section II Licensed Features

This section describes optionally licensed Brocade Fabric OS features and includes the following chapters:
• Chapter 16, “Administering Licensing”
• Chapter 17, “Administering Advanced Performance Monitoring”
• Chapter 18, “Optimizing Fabric Behavior”
• Chapter 19, “Managing Trunking Connections”
• Chapter 20, “Managing Long Distance Fabrics”
• Chapter 21, “Using the FC-FC Routing Service”
Chapter 16 Administering Licensing

In this chapter
• Licensing overview
• The Brocade 7800 Upgrade License
• ICL licensing
• 8G licensing
Licensing overview

TABLE 75 Available Brocade licenses

10GbE License: This license enables the two 10GbE ports on the FX8-24. With this license, two additional operating modes (in addition to 10 1GbE ports mode) can be selected:
• 10 1GbE ports and 1 10GbE port, or
• 2 10GbE ports
This license is available on the Brocade 7800 switch, and on the Brocade DCX and DCX-4S for the FX8-24 on an individual slot basis.
TABLE 75 Available Brocade licenses (Continued)

Brocade Extended Fabrics: Provides more than 10 km of switched fabric connectivity at full bandwidth over long distances (depending on the platform this can be up to 3000 km).
Brocade Fabric Watch: Monitors mission-critical switch operations. Fabric Watch includes Port Fencing capabilities.
TABLE 75 Available Brocade licenses (Continued)

ICL 8-Link License: Activates all eight links on ICL ports on a Brocade DCX-4S chassis, or half of the ICL bandwidth for each ICL port on the Brocade DCX platform by enabling only eight of the sixteen links available. This allows you to purchase half the bandwidth of DCX ICL ports initially and upgrade with an additional 8-link license to use the full ICL bandwidth at a later time.
TABLE 76 License requirements

Feature                 License                                                     Where license should be installed
FCIP                    FC-IP Services or High Performance Extension over FCIP/FC   Local and attached switches. License is needed on both sides of the tunnel.
FCIP Trunking           Advanced Extension                                          Local and attached switches.
Fibre Channel Routing   IR                                                          Local and attached switches.
FICON                   No license required.                                        n/a
FICON-CUP               FICON Management Server                                     Local switch.
TABLE 76 License requirements (Continued)

Feature        License                                                                                          Where license should be installed
Port fencing   Fabric Watch                                                                                     Local switch.
Ports          Ports on Demand licenses. This license applies to a select set of switches. Upgrade license for the 7500E and 7800 switches to use all ports. 10 Gigabit Ethernet license to use 10GbE ports on the FX8-24 blade. Brocade 8000: a license must be installed to enable the 8 FC ports. A maximum of 8 FC ports are allowed.   Local switch.
The Brocade 7800 Upgrade License

The Brocade 7800 has four Fibre Channel (FC) ports and two GbE ports active by default. The number of physical ports active on the Brocade 7800 is fixed. There is one upgrade license to activate the rest of the FC and GbE ports for a total of 16 FC ports and six GbE ports. The Upgrade license activates FC and GbE ports, and also activates additional features outlined in Table 77.
8G licensing

ATTENTION
This license is installed by default and you should not remove it.

The 8 Gbps licensing applies to the Brocade 300, 5100, and 5300 switches and the 8 Gbps embedded switches. The following list describes the basic rules of using, adding, or removing 8G licenses.
• Without an 8G license, even if an 8 Gbps SFP is plugged into a port on an applicable platform, the port runs at a maximum speed of 4 Gbps.
Removing a license from a slot

To remove a Slot-based license from a blade slot and move the license to another slot, perform the following steps:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Deconfigure the application that uses the licensed feature on the blade slot.
3. Deconfigure the Slot-based license feature.
4. Enter the licenseSlotCfg -remove command to remove the license from the slot.
Configupload and download considerations

The configDownload and configUpload commands transfer the legacy, enhanced, consumed-capacity, and time-based licenses along with the configuration.

Expired licenses

Once a Time-based license has expired, you can still view it through the licenseShow command. Expired licenses have an output string of ‘License has expired’.
Extending a license

Extending a Universal Time-based license is done by adding a temporary license with an expiry date after the Universal Time-based license expiry date, or by adding a permanent license. Re-applying an existing Universal Time-based license is not allowed.

Deleting a license

Universal Time-based licenses are always retained in the license database, and cannot be explicitly deleted.
An information screen displays the license keys and you will receive an e-mail with the software license keys and installation instructions.

Adding a licensed feature

To enable a feature, go to the feature’s appropriate section in this manual. Enabling a feature on a switch may be a separate task from adding the license.
Removing a licensed feature

1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the licenseShow command to display the active licenses.
3. Remove the license key using the licenseRemove command. The license key is case-sensitive and must be entered exactly as given. The quotation marks are optional.
After removing a license key, the licensed feature is disabled when the switch is rebooted or when a switch disable and enable is performed.
TABLE 78 List of available ports when implementing PODs

Platform       No POD license    POD1 or POD2 present        Both POD licenses present
Brocade 300    0-7               0-15                        0-23
Brocade 4100   0-15              0-23                        0-31
Brocade 4900   0-31              0-47                        0-63
Brocade 5000   0-15              0-23                        0-31
Brocade 5100   0-23              0-31                        0-39
Brocade 5300   0-47              0-63                        0-79
Brocade 5410   0-11              n/a                         0-11
Brocade 5424   1-8 and 17-20     POD1: 0, 9-16, and 21-23    0-23
Brocade 5450   1-10 and 19-22    POD1: 0, 11-18, and 23-25
3. Install the Brocade Ports on Demand license. For instructions on how to install a license, see “Adding a licensed feature” on page 378.
4. Use the portEnable command to enable the ports. Alternatively, you can disable and re-enable the switch to activate ports.
5. Use the portShow command to check the newly activated ports.

Dynamic Ports on Demand

The Brocade 4016, 4018, 4020, and 4024 switch modules are for bladed servers.
Enabling Dynamic Ports on Demand

If the switch is in Static POD mode, activating Dynamic POD erases any prior port license assignments the next time the switch is rebooted. The static POD assignments become the initial Dynamic POD assignments. After the Dynamic POD feature is enabled, you can customize the POD license associations. The Dynamic POD feature is supported on the Brocade 4016, 4018, 4020, and 4024 switch modules only.
1.
switch:admin> licenseport --show
24 ports are available in this switch
Full POD license is installed
Static POD method is in use
24 port assignments are provisioned for use in this switch:
 12 port assignments are provisioned by the base switch license
 12 port assignments are provisioned by a full POD license
24 ports are assigned to installed licenses:
 12 ports are assigned to the base switch license
 12 ports are assigned to the full POD license
Ports assigned to the base switch license
Releasing a port from a POD set

Releasing a port removes it from the POD set; the port appears as unassigned until it comes back online. Persistently disabling the port ensures that the port cannot come back online and be automatically assigned to a POD assignment. Before you can re-assign a license, you must disable the port and release the license. After a port is assigned to the POD set, the port is licensed until it is manually removed from the POD port set.
Chapter 17 Administering Advanced Performance Monitoring

In this chapter
• Advanced Performance Monitoring overview
• End-to-end performance monitoring
• Filter-based performance monitoring
• ISL performance monitoring
• Top Talker monitors
• ISL monitors measure the traffic transmitted through an InterSwitch Link (ISL) to different destination domains.
• Top Talkers monitors measure the flows that are major consumers of bandwidth on a switch or port.
The type of monitors supported depends on the switch model, as shown in Table 79.
To enable end-to-end performance monitoring, you must configure an end-to-end monitor on a port, specifying the SID-DID pair (in hexadecimal). The monitor counts only those frames with matching SID and DID. Each SID or DID has the following three fields:
• Domain ID (DD)
• Area ID (AA)
• AL_PA (PP)
For example, the SID 0x118a0f denotes DD 0x11, AA 0x8a, and AL_PA 0x0f.
Adding end-to-end monitors

1. Connect to the switch and log in as admin.
2. Enter the following command:
   perfaddeemonitor [slotnumber/]portnumber sourceID destID

Figure 47 shows two devices:
• Host A is connected to domain 5 (0x05), switch area ID 18 (0x12), AL_PA 0x00 on Switch X.
• Dev B is a storage device connected to domain 17 (0x11), switch area ID 30 (0x1e), AL_PA 0xef on Switch Y.

FIGURE 47 (labels: SID 0x051200, Switch X, Host A ...)
Setting a mask for an end-to-end monitor

End-to-end monitors count the number of words in Fibre Channel frames that match a specific SID/DID pair. If you want to match only part of the SID or DID, you can set a mask on the port to compare only certain parts of the SID or DID. By default, the frame must match the entire SID and DID to trigger the monitor.
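The SID/DID addressing, the perfaddeemonitor arguments for the Figure 47 devices, and the effect of a field mask described above can be worked through in a few lines. The following is an added example written for this guide, not Fabric OS code: the Host A and Dev B addresses (0x051200 and 0x111eef) come from the text, while the port designation 2/4, the list of sample frames with their word counts, and the mask model (each of DD, AA and PP compared or ignored independently) are constructed for the example.

```python
"""End-to-end (EE) monitor model for 24-bit FC addresses (added example,
not Fabric OS code).  An address is DD:AA:PP = domain, area, AL_PA.
A monitor counts payload words of frames whose SID and DID match; a mask
restricts the comparison to selected fields, as described in the text.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

FIELD_MASK = {"dd": 0xFF0000, "aa": 0x00FF00, "pp": 0x0000FF}


def split_fcid(fcid: int) -> Tuple[int, int, int]:
    """24-bit FC address -> (domain ID, area ID, AL_PA)."""
    if not 0 <= fcid <= 0xFFFFFF:
        raise ValueError(f"not a 24-bit FC address: {fcid:#x}")
    return (fcid >> 16) & 0xFF, (fcid >> 8) & 0xFF, fcid & 0xFF


def join_fcid(domain: int, area: int, alpa: int) -> int:
    """(domain ID, area ID, AL_PA) -> 24-bit FC address."""
    for name, v in (("domain", domain), ("area", area), ("AL_PA", alpa)):
        if not 0 <= v <= 0xFF:
            raise ValueError(f"{name} {v:#x} does not fit in one byte")
    return (domain << 16) | (area << 8) | alpa


def field_mask(fields: Iterable[str]) -> int:
    """Mask that compares only the named fields ('dd', 'aa', 'pp')."""
    return sum(FIELD_MASK[f] for f in set(fields))


@dataclass
class EEMonitor:
    port: str                      # [slot/]port the monitor is installed on
    sid: int
    did: int
    sid_mask: int = 0xFFFFFF       # default: the whole SID must match
    did_mask: int = 0xFFFFFF       # default: the whole DID must match
    words: int = 0                 # running count of matched payload words

    def command(self) -> str:
        """The CLI line from the text: perfaddeemonitor [slot/]port sourceID destID."""
        return f"perfaddeemonitor {self.port} {self.sid:#08x} {self.did:#08x}"

    def matches(self, frame_sid: int, frame_did: int) -> bool:
        """Compare only the bits the masks keep; XOR is zero where fields agree."""
        return ((frame_sid ^ self.sid) & self.sid_mask) == 0 and \
               ((frame_did ^ self.did) & self.did_mask) == 0

    def count(self, frames: Iterable[Tuple[int, int, int]]) -> int:
        """Feed (sid, did, payload words) triples; return the words counted so far."""
        for sid, did, words in frames:
            if self.matches(sid, did):
                self.words += words
        return self.words


# Figure 47 addresses from the text.
HOST_A = join_fcid(0x05, 0x12, 0x00)   # 0x051200 on Switch X
DEV_B = join_fcid(0x11, 0x1E, 0xEF)    # 0x111eef on Switch Y

# Constructed sample traffic: (SID, DID, payload words).
SAMPLE_FRAMES: List[Tuple[int, int, int]] = [
    (HOST_A, DEV_B, 528),                          # Host A -> Dev B, full frame
    (HOST_A, DEV_B, 16),                           # Host A -> Dev B, short frame
    (join_fcid(0x05, 0x12, 0x01), DEV_B, 528),     # another AL_PA behind the same port
    (join_fcid(0x05, 0x13, 0x00), DEV_B, 528),     # a different port (area) on Switch X
    (HOST_A, join_fcid(0x11, 0x1E, 0xE8), 16),     # Host A -> a different target on Switch Y
]


def exact_count() -> int:
    """Default monitor: whole SID and whole DID must match."""
    return EEMonitor("2/4", HOST_A, DEV_B).count(SAMPLE_FRAMES)


def domain_area_count() -> int:
    """SID mask limited to DD and AA: any AL_PA behind Host A's port also counts."""
    monitor = EEMonitor("2/4", HOST_A, DEV_B, sid_mask=field_mask(["dd", "aa"]))
    return monitor.count(SAMPLE_FRAMES)
```

With the default mask only the first two frames are counted (544 words); masking the AL_PA out of the SID adds the third frame (1072 words) but still excludes the frame from area 0x13 and the one to the other target.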
Deleting end-to-end monitors

1. Connect to the switch and log in as admin.
2. Enter the perfMonitorShow command to list the valid end-to-end monitor numbers for a port.
3. Enter the perfDelEEMonitor command to delete a specific monitor. If you do not specify which monitor number to delete, you are asked if you want to delete all entries.
Filter-based performance monitoring

Virtual Fabrics considerations: Filter-based monitors are not supported on logical ISLs (LISLs), but are supported on ISLs and extended ISLs (XISLs).

You can monitor filter-based performance using the perfMonitorShow command, as described in “Displaying monitor counters” on page 398. You can clear filter-based counters using the perfMonitorClear command, as described in “Clearing monitor counters” on page 399.
To define a custom filter, you must specify a series of offsets, masks, and values. For all transmitted frames, the switch performs these tasks:
• Locates the byte found in the frame at the specified offset.
• Applies the mask to the byte found in the frame.
• Compares the value with the given values in the perfAddUserMonitor command.
• Increments the filter counter if a match is found.
Example
switch:admin> perfaddusermonitor 4/2, "12, 0xff, 0x05, 0x08; 9, 0xff, 0x02" "FCP/IP"
User monitor #5 added
switch:admin> perfaddusermonitor 1/2, "0, 0xff, 6"
User Monitor #6 added

In this example, two filter-based monitors are added. The first monitor (#5) counts all FCP and IP frames transmitted from domain 0x02 for slot 4, port 2. The FCP and IP protocols are selected by monitoring offset 12, mask 0xff and matching values of 0x05 or 0x08.
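The offset/mask/value semantics described above, applied to the filter strings from the example, as an added example written for this guide (not Fabric OS code): each semicolon-separated term names a byte offset, a mask and one or more accepted values; the masked byte must equal one of the values, and every term must hold for the frame to be counted. The sample frames are constructed with offsets counted from the start of the frame including a 4-byte SOF, which is what makes offset 12 the TYPE field and offset 9 the domain byte of S_ID in the "FCP/IP from domain 0x02" example; that byte layout, the SOF marker bytes and the dummy payload are assumptions of this example.

```python
"""Parser and matcher for perfAddUserMonitor filter strings (added example,
not Fabric OS code).  Filter grammar: "offset, mask, value[, value...]"
terms separated by ';'.  Frame byte layout assumed below: 4-byte SOF,
then the 24-byte FC header (R_CTL, D_ID, CS_CTL, S_ID, TYPE, ...).
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

FC_TYPE_ELS, FC_TYPE_IP, FC_TYPE_FCP = 0x01, 0x05, 0x08


@dataclass(frozen=True)
class FilterTerm:
    offset: int
    mask: int
    values: Tuple[int, ...]


def parse_filter(spec: str) -> List[FilterTerm]:
    """Turn '12, 0xff, 0x05, 0x08; 9, 0xff, 0x02' into FilterTerm objects."""
    terms: List[FilterTerm] = []
    for clause in spec.split(";"):
        fields = [f.strip() for f in clause.split(",") if f.strip()]
        if len(fields) < 3:
            raise ValueError(f"term needs offset, mask and at least one value: {clause!r}")
        offset, mask, *values = (int(f, 0) for f in fields)   # int(x, 0) accepts 0x.. or decimal
        if offset < 0 or not 0 <= mask <= 0xFF or any(not 0 <= v <= 0xFF for v in values):
            raise ValueError(f"byte-sized mask and values expected: {clause!r}")
        terms.append(FilterTerm(offset, mask, tuple(values)))
    return terms


def frame_matches(frame: bytes, terms: Iterable[FilterTerm]) -> bool:
    """All terms must match; a frame too short for an offset never matches."""
    for t in terms:
        if t.offset >= len(frame) or (frame[t.offset] & t.mask) not in t.values:
            return False
    return True


def count_matches(frames: Iterable[bytes], spec: str) -> int:
    """What the filter counter would hold after these frames were transmitted."""
    terms = parse_filter(spec)
    return sum(1 for f in frames if frame_matches(f, terms))


def build_frame(src_domain: int, src_area: int, src_alpa: int, fc_type: int,
                dst: Tuple[int, int, int] = (0x11, 0x1E, 0xEF)) -> bytes:
    """Constructed frame: 4-byte SOF + 24-byte FC header + 8 bytes of dummy payload."""
    sof = bytes([0xBC, 0xB5, 0x56, 0x56])                 # SOF marker (assumed value)
    hdr = bytearray(24)
    hdr[0] = 0x06                                        # R_CTL: unsolicited data
    hdr[1:4] = bytes(dst)                                # D_ID     (frame bytes 5-7)
    hdr[4] = 0x00                                        # CS_CTL   (frame byte 8)
    hdr[5:8] = bytes([src_domain, src_area, src_alpa])   # S_ID     (frame bytes 9-11)
    hdr[8] = fc_type                                     # TYPE     (frame byte 12)
    return sof + bytes(hdr) + b"\x00" * 8


# Constructed sample traffic leaving slot 4, port 2.
SAMPLE_FRAMES = [
    build_frame(0x02, 0x10, 0x00, FC_TYPE_FCP),   # FCP from domain 2: counted
    build_frame(0x02, 0x11, 0x00, FC_TYPE_IP),    # IP from domain 2: counted
    build_frame(0x03, 0x10, 0x00, FC_TYPE_FCP),   # FCP, but from domain 3: not counted
    build_frame(0x02, 0x10, 0x00, FC_TYPE_ELS),   # ELS from domain 2: wrong TYPE, not counted
]

FCP_IP_FROM_DOMAIN_2 = "12, 0xff, 0x05, 0x08; 9, 0xff, 0x02"   # monitor #5 in the text


def fcp_ip_count() -> int:
    return count_matches(SAMPLE_FRAMES, FCP_IP_FROM_DOMAIN_2)
```

Only the first two constructed frames satisfy both terms, so the counter reads 2; the second filter from the text, "0, 0xff, 6", matches nothing here because byte 0 of every sample frame is the SOF marker, which is the sort of offset mistake the parser cannot catch but the count makes visible.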
Top Talker monitors

Top Talker monitors determine the flows (SID/DID pairs) that are the major users of bandwidth (after initial stabilization). Top Talker monitors measure bandwidth usage data in real time and relative to the port on which the monitor is installed.

NOTE
Initial stabilization is the time taken by a flow to reach its maximum bandwidth. This time varies depending on the number of flows in the fabric and other factors.
Adding a Top Talker monitor on an F_Port

1. Connect to the switch and log in as admin.
2. Enter the perfTTmon --add command.
   perfttmon --add [egress | ingress] [slotnumber/]port
For example, to monitor the incoming traffic on port 7:
   perfttmon --add ingress 7
To monitor the outgoing traffic on slot 2, port 4 on the Brocade 48000, Brocade DCX, or DCX-4S:
   perfttmon --add egress 2/4

Deleting a Top Talker monitor on an F_Port

1. Connect to the switch and log in as admin.
2.
Adding Top Talker monitors on all switches in the fabric (fabric mode)

When fabric mode is enabled, you can no longer install Top Talker monitors on an F_Port unless you delete fabric mode.
1. Connect to the switch and log in as admin.
2. Remove any end-to-end monitors in the fabric, as described in “Deleting end-to-end monitors” on page 390. Fabric mode Top Talker monitors and end-to-end monitors cannot both exist in the fabric.
3. Enter the perfTTmon --add fabricmode command.
The output is sorted based on the data rate of each flow. If you do not specify the number of flows to display, the command displays the top 8 flows or the total number of flows, whichever is less. The command can display a maximum of 32 flows.
Displaying monitor counters

You can display the end-to-end, filter-based, or ISL monitors on a specified port. For end-to-end counters, you can display either the cumulative count of the traffic detected by the monitors or a snapshot of the traffic at specified intervals.
1. Connect to the switch and log in as admin.
2. Enter the perfmonitorshow command.
Example of displaying filter monitor information on a port
switch:admin> perfMonitorShow --class FLT 2/5
There are 7 filter-based monitors defined on port 21.
KEY  ALIAS       OWNER_APP   FRAME_COUNT         OWNER_IP_ADDR
-----------------------------------------------------------------
0    SCSI_Frame  TELNET      0x00000000002c2229  N/A
1    SCSI_WR     TELNET      0x000000000000464a  N/A
2    SCSI_RW     TELNET      0x000000000000fd8c  N/A
3    SCSI_RW     WEB_TOOLS   0x0000000000007ba3  192.168.169.
Saving and restoring monitor configurations

To prevent the switch configuration flash from running out of memory, the number of monitors saved to flash memory is limited as follows:
• The total number of EE monitors per port is limited to 16.
• The total number of filter monitors per port is limited to 16.
• The total number of monitors per switch is limited to 512.
Chapter 18 Optimizing Fabric Behavior

In this chapter
• Adaptive Networking overview
• Top Talkers
• Traffic Isolation Routing
• Traffic Isolation Routing over FC routers
• General rules for TI zones
Top Talkers

The Top Talkers feature provides real-time information about the top “n” bandwidth-consuming flows from a large set of flows passing through a specific port in the network. You can use Top Talkers to identify the SID/DID pairs that consume the most bandwidth and can then configure them with certain QoS attributes so they get proper priority. The Top Talkers feature is part of the licensed Advanced Performance Monitoring feature.
In Figure 50, all traffic entering Domain 1 from N_Ports 7 and 8 is routed through E_Port 1. Similarly, traffic entering Domain 3 from E_Port 9 is routed to E_Port 12, and traffic entering Domain 4 from E_Port 7 is routed to the devices through N_Ports 5 and 6. Traffic coming from other ports in Domain 1 would not use E_Port 1, but would use E_Port 2 instead. Use the zone command to create and manage TI zones.
Additional considerations when disabling failover

If failover is disabled, be aware of the following considerations:
• This feature is intended for use in simple linear fabric configurations, such as that shown in Figure 50 on page 402.
• Ensure that there are non-dedicated paths through the fabric for all devices that are not in a TI zone.
• If you create a TI zone with just E_Ports, failover must be enabled.
If the dedicated ISL is not the lowest cost path ISL, then the following rules apply:
• If failover is enabled, the traffic path for the TI zone is broken, and TI zone traffic uses the lowest cost path instead.
• If failover is disabled, the TI zone traffic is blocked.
If the dedicated ISL is the only lowest cost path ISL, then the following rules apply:
• If failover is enabled, non-TI zone traffic as well as TI zone traffic uses the dedicated ISL.
FIGURE 53 Dedicated path is not the shortest path

NOTE
For information about setting or displaying the FSPF cost of a path, see the linkCost and topologyShow commands in the Fabric OS Command Reference.

Traffic Isolation Routing over FC routers

This section describes how TI zones work with Fibre Channel routing (TI over FCR).
FIGURE 54 Traffic Isolation Routing over FCR

In addition to setting up TI zones, you must also ensure that the devices are in an LSAN zone so that they can communicate with each other.
In the TI zone, when you designate E_Ports between the front and xlate phantom switches, you must use -1 in place of the “I” in the D,I notation. Both the front and xlate domains must be included in the TI zone.
Using D,I and port WWN notation, the members of the TI zone in Figure 56 are:
• 1,1 (EX_Port for FC router 1)
• 1,4 (VE_Port for FC router 1)
• 2,7 (VE_Port for FC router 2)
• 2,1 (EX_Port for FC router 2)
• 10:00:00:00:00:01:00:00 (Port WWN for the host)
• 10:00:00:00:00:02:00:00 (Port WWN for target 1)
• 10:00:00:00:00:03:00:00 (Port WWN for target 2)

Limitations of TI zones over FC routers

Be aware of the following when configuring TI zones over FC routers:
• A TI zone defined within
• Each TI zone is interpreted by each switch and each switch considers only the routing required for its local ports. No consideration is given to the overall topology and to whether the TI zones accurately provide dedicated paths through the whole fabric. For example, in Figure 57, the TI zone was configured incorrectly and E_Port “3,9” was erroneously omitted from the zone.
Limitations and restrictions of Traffic Isolation Routing

• Traffic Isolation Routing is not supported in fabrics with switches running firmware versions earlier than Fabric OS v6.0.0. However, the existence of a TI zone in such a fabric is backward-compatible and does not disrupt fabric operation in switches running earlier firmware versions. TI over FCR is not backward compatible with Fabric OS v6.0.x or earlier: the -1 in the domain,index entries causes problems for legacy switches during a zone merge.
Virtual Fabric considerations for Traffic Isolation Routing

This section describes how TI zones work with Virtual Fabrics. See Chapter 10, “Managing Virtual Fabrics,” for information about the Virtual Fabrics feature, including logical switches and logical fabrics.
FIGURE 59 Creating a TI zone in a logical fabric

You must also create and activate a TI zone in the base fabric to reserve the XISLs for the dedicated path.
FIGURE 61 Example configuration for TI zones over FC routers in logical fabrics

Figure 62 shows a logical representation of the configuration in Figure 61.
When you create a TI zone, you can set the state of the zone to activated or deactivated. By default the zone state is set to activated; however, this does not mean that the zone is activated. After you create the TI zone, you must enable the current effective configuration to enforce the new TI zone, whether its state is activated or deactivated.

Virtual Fabric considerations: Because base fabrics do not contain end devices, they normally do not have an effective zone configuration.
To create a TI zone in the edge fabric with failover enabled and the state set to activated (default settings):

switch:admin> zone --create -t ti bluezone -p "1,1; 1,8; 2,-1; 3,-1"

To create a TI zone in the backbone fabric with failover enabled and the state set to activated (default settings):

switch:admin> zone --create -t ti backbonezone -p "10:00:00:04:1f:03:16:f2; 1,1; 1,4; 2,7; 2,1; 10:00:00:04:1f:03:18:f1; 10:00:00:04:1f:04:06:e2"

To create TI zones in a logical fabric, suc
Modifying TI zones

Using the zone --add command, you can add ports to an existing TI zone, change the failover option, or both. Using the zone --remove command, you can remove ports from existing TI zones. If you remove the last member of a TI zone, the TI zone is deleted. After you modify the TI zone, you must enable the current effective configuration to enforce the changes.

ATTENTION
If failover is disabled, do not allocate all ISLs in TI zones.
Changing the state of a TI zone

You can change the state of a TI zone to activated or deactivated. Changing the state does not by itself activate or deactivate the zone: after you change the state of the TI zone, you must enable the current effective configuration to enforce the change. The TI zone must exist before you can change its state.

1. Connect to the switch and log in as admin.
2.
Displaying TI zones

Use the zone --show command to display information about TI zones.
Setting up TI over FCR (sample procedure)

The following example shows how to set up TI zones over FCR to provide the dedicated path shown in Figure 63. In this example, three TI zones are created: one in each of the edge fabrics and one in the backbone fabric. The combination of these three TI zones creates a dedicated path for traffic between Host 1 in edge fabric 1 and Targets 1 and 2 in edge fabric 2.
b. Enter the following commands to create and display a TI zone:

E1switch:admin> zone --create -t ti TI_Zone1 -p "4,8; 4,5; 1,-1; 6,-1"
E1switch:admin> zone --show
Defined TI zone configuration:
TI Zone Name:   Port List:
TI_Zone1        4,8; 4,5; 1,-1; 6,-1
Status: Activated   Failover: Enabled

c. Enter the following commands to reactivate your current effective configuration and enforce the TI zones.
c. Enter the following commands to reactivate your current effective configuration and enforce the TI zones.

E2switch:admin> cfgactvshow
Effective configuration:
 cfg:   cfg_TI
 zone:  lsan_t_i_TI_Zone1
                10:00:00:00:00:00:02:00:00
                10:00:00:00:00:00:03:00:00
                10:00:00:00:00:00:08:00:00
E2switch:admin> cfgenable cfg_TI
You are about to enable a new zoning configuration.
This action will replace the old zoning configuration with the current configuration selected.
QoS: Ingress Rate Limiting

Ingress rate limiting is a licensed feature that requires the Adaptive Networking license. Ingress rate limiting restricts the speed of traffic from a particular device to the switch port. Use ingress rate limiting in the following situations:
• To reduce existing congestion in the network or to proactively avoid congestion.
• To offer flexible bandwidth-limit services based on requirements.
Example of disabling ingress rate limiting on slot 3, port 9:

portcfgqos --resetratelimit 3/9

QoS: SID/DID traffic prioritization

SID/DID traffic prioritization allows you to categorize the traffic flow between a host and target as having a high or low priority. For example, you could assign online transaction processing (OLTP) to high priority and backup traffic to low priority. All flows without QoS prioritization are considered medium priority.
If 8 Gbps ports are part of an active trunk group before the Adaptive Networking license is added, ISLs are formed without QoS. When you install the Adaptive Networking license, QoS is automatically enabled on all 8 Gbps ports for which you have not manually disabled QoS, so the 8 Gbps ports in the trunk group are set to QoS enabled by default. Adding the license does not immediately affect the trunk groups.
In the portcfgshow output, the value of QOS_E_Port is AE for port 19 and ".." for port 24. This means that QoS is enabled by default on port 19 and disabled on port 24. You need to disable QoS on port 19.

switch:admin> islshow
1:  2->300 10:00:00:05:1e:43:00:00 100 DCX    sp: 8.000G bw: 32.
2:  8->  3 10:00:00:05:1e:41:8a:d5  30 B5300  sp: 4.000G bw:
3: 19-> 10 10:00:00:05:1e:41:43:ac  50 B300   sp: 8.000G bw:
4: 24-> 12 10:00:00:05:1e:41:42:ad  30 B5300  sp: 8.000G bw:
where id is a flow identifier that designates a specific virtual channel for the traffic flow and xxxxx is the user-defined portion of the name. For example, the following are valid QoS zone names:

QOSH3_HighPriorityTraffic
QOSL1_LowPriorityZone

The switch automatically sets the priority for the “host,target” pairs specified in the zones based on the priority level (H or L) in the zone name.
QoS on E_Ports

In addition to configuring the hosts and targets in a zone, you must also enable QoS on the individual E_Ports that might carry traffic between the host and target pairs. Path selection between the “host,target” pairs is governed by FSPF rules and is not affected by QoS priorities. For example, in Figure 65, QoS should be enabled on the encircled E_Ports.

NOTE
By default, QoS is enabled on 8 Gbps ports, except for long-distance 8 Gbps ports.
• Define LSAN zones in each edge fabric.
• Enable QoS on the E_Ports (or VE_Ports) in each edge fabric.
• Enable QoS on the EX_Ports (or VEX_Ports) in the backbone fabric.

See “Setting traffic prioritization over FC routers” on page 435 for detailed instructions.

Following are requirements for establishing QoS over FCR:
• QoS over FC routers is supported in Brocade native mode only. It is not supported in interopmode 2 or interopmode 3.
[FIGURE 66 Traffic prioritization in a logical fabric: diagram not reproduced; it shows host H1 and storage S1, Domains 1 through 10 spread over Chassis 1 and Chassis 2 with logical switches LS1 (FID 1, Domain 5), LS2 (FID 3, Domain 6), LS3 (FID 1, Domain 7), LS4 (FID 3, Domain 8) and base switches Domain 9 and Domain 10, the high-priority flow, and the E_Ports with QoS enabled]

High availability considerations for traffic prioritization

If the standby CP is running a Fabric OS version earlier than 6.3.
• Brocade 5450
• Brocade 5480
• FC8-16, FC8-32, or FC8-48 port blade in the Brocade DCX or DCX-4S platform.
- To preserve the priority level across ISLs, the switches must be running Fabric OS v6.0.0 or later and must be one of the following platforms: Brocade 300, 4100, 4900, 5000, 5100, 5300, 5410, 5424, 5450, 5480, 7500, 7500E, 7600, 7800, 8000, 48000, Brocade DCX, or DCX-4S.
• QoS is enabled by default on 8 Gbps ports.
In the output, the value of QOS E_Port is AE if QoS is automatically enabled by default and ON if QoS is enabled manually.
5. For 8 Gbps ports, check whether they are long-distance ports (in the portcfgshow output, Long Distance is ON).
6. Manually enable QoS on all of the ports identified in step 3 for which QoS is automatically enabled (in the portcfgshow output, QOS E_Port is AE).
[portcfgshow output: only the column names Mirror Port, Rate Limit, Credit Recovery, Fport Buffers, and Port Auto Disable and their ON/.. flags survive; the per-port table is not reproduced]
• You must be running Fabric OS v6.3.0 or later to create QoS zones using D,I notation.
• QoS zones using D,I notation are not supported for QoS over FCR.
• QoS zones using D,I notation should not be used for loop or NPIV ports.
• If QoS is enabled, an additional 16 buffer credits are allocated per port for 8-Gbps ports in LE mode. See Chapter 20, “Managing Long Distance Fabrics,” for information about buffer credit allocation in extended fabrics.
Example

sw0:admin> zonecreate "QOSH1_zone", "10:00:00:00:10:00:00:00; 10:00:00:00:20:00:00:00"
sw0:admin> zonecreate "QOSL2_zone", "10:00:00:00:30:00:00:00; 10:00:00:00:40:00:00:00"
sw0:admin> zoneshow
sw0:admin> cfgadd "cfg1", "QOSH1_zone"
sw0:admin> cfgadd "cfg1", "QOSL2_zone"
sw0:admin> cfgshow
Defined configuration:
 cfg:   cfg1    zone1; QOSH1_zone; QOSL2_zone
 zone:  QOSH1_zone
                10:00:00:00:10:00:00:00; 10:00:00:00:20:00:00:00
 zone:  QOSL2_zone
                10:00:00:00:30:00:00:00; 1
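As an added example (not Brocade code and not part of this guide), the following Python parses the two textual conventions used in the zoning commands above and in the TI zone procedures earlier in this chapter: the "D,I" / port-WWN member list passed to zone --create -p (where an index of -1 stands for all ports of a domain, as in the TI-over-FCR zones) and the QOS<H|L><id>_<name> zone-name convention that assigns SID/DID priority. The domain range check (1 to 239) is an assumption taken from the Fibre Channel addressing model, not something stated on this page; a zone whose name does not follow the QOS convention is reported as medium priority, as the text says for flows without QoS prioritization.

```python
"""Parse Fabric OS zone member lists and classify QoS zones by name.

Added example, not Brocade code. It models two textual formats used in this
chapter: the "D,I" / port-WWN member list given to zone --create -p "...",
and the QOS<H|L><id>_<name> zone-name convention for SID/DID priority.
The domain range (1-239) is an assumption from FC addressing, not the page.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

WWN_RE = re.compile(r"^([0-9a-f]{2}:){7}[0-9a-f]{2}$", re.IGNORECASE)
QOS_NAME_RE = re.compile(r"^QOS([HL])(\d+)_(.+)$")


@dataclass(frozen=True)
class DIMember:
    domain: int
    index: int  # -1 means "all ports on this domain" (used by TI zones over FCR)


@dataclass(frozen=True)
class WWNMember:
    wwn: str


Member = Union[DIMember, WWNMember]


def parse_member(token: str) -> Member:
    """Parse one member token: either 'D,I' or a colon-separated port WWN."""
    token = token.strip()
    if WWN_RE.match(token):
        return WWNMember(token.lower())
    parts = token.split(",")
    if len(parts) != 2:
        raise ValueError(f"not a D,I pair or WWN: {token!r}")
    domain, index = int(parts[0]), int(parts[1])
    if not 1 <= domain <= 239:  # assumption: standard FC domain ID range
        raise ValueError(f"domain out of range: {domain}")
    if index < -1:
        raise ValueError(f"index out of range: {index}")
    return DIMember(domain, index)


def parse_members(member_list: str) -> List[Member]:
    """Split a zone member list on ';', the separator used by zone --create -p."""
    tokens = [t for t in member_list.split(";") if t.strip()]
    return [parse_member(t) for t in tokens]


def qos_priority(zone_name: str) -> Tuple[str, Optional[int]]:
    """Return (priority, flow id) implied by a zone name.
    Names not of the form QOSH<id>_... or QOSL<id>_... are medium priority."""
    m = QOS_NAME_RE.match(zone_name)
    if not m:
        return ("medium", None)
    letter, flow_id = m.group(1), int(m.group(2))
    return ("high" if letter == "H" else "low", flow_id)


def describe_zone(zone_name: str, member_list: str) -> dict:
    """Summarise a zone definition: priority, member kinds, and wildcard use."""
    members = parse_members(member_list)
    priority, flow_id = qos_priority(zone_name)
    return {
        "name": zone_name,
        "priority": priority,
        "flow_id": flow_id,
        "di_members": [m for m in members if isinstance(m, DIMember)],
        "wwn_members": [m for m in members if isinstance(m, WWNMember)],
        "uses_domain_wildcard": any(
            isinstance(m, DIMember) and m.index == -1 for m in members
        ),
    }


if __name__ == "__main__":
    # Member lists taken from the examples in this chapter.
    print(describe_zone("TI_Zone1", "4,8; 4,5; 1,-1; 6,-1"))
    print(describe_zone("QOSH1_zone",
                        "10:00:00:00:10:00:00:00; 10:00:00:00:20:00:00:00"))
```

Because the parser splits members only on semicolons, a list such as "4,5, 1,-1" (comma in place of the semicolon) is rejected instead of being silently read as a three-part entry, which is the kind of slip a zone review should catch before cfgenable.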
Bottleneck detection

A bottleneck is a port in the fabric where frames cannot get through as fast as they should. In other words, a bottleneck is a port where the offered load is greater than the achieved egress throughput. Bottleneck detection does not require a license.

Bottlenecks can cause undesirable degradation in throughput on various links. When a bottleneck occurs at one place, other points in the fabric can experience bottlenecks as the traffic backs up.
• Bottleneck detection is supported whether Virtual Fabrics is enabled or disabled. See “Virtual Fabrics considerations for bottleneck detection” on page 438 for additional information on using bottleneck detection when Virtual Fabrics is enabled.

How bottlenecks are reported

Bottlenecks are reported through RASlog alerts. You can set alert thresholds for the severity and duration of the bottleneck.
Virtual Fabrics considerations for bottleneck detection

If a port on which bottleneck detection is enabled is moved out of a logical switch, the bottleneck detection configuration is retained by the logical switch. If the port is returned to the logical switch, bottleneck detection is automatically enabled for the port with the same settings as before.
The following example enables bottleneck detection on port 5. Alerts are sent when the port is bottlenecked 50% of the time over any period of 300 seconds (the default value), with a minimum of 30 seconds between alerts.

switch:admin> bottleneckmon --enable -alert -thresh 0.5 -qtime 30 5

Displaying list of ports on which bottleneck detection is enabled

1. Connect to the switch to which the target ports belong and log in as admin.
2.
switch:admin> bottleneckmon --disable 4
switch:admin> bottleneckmon --enable -thresh 0.6 -time 420 4
switch:admin> bottleneckmon --status
Port   Alerts?   Threshold   Time (s)   Quiet Time (s)
=======================================================================
4      Y         0.600       420        300

Displaying history of bottlenecks on a port

You can use the following procedure to display a history of bottleneck conditions, for up to three hours, on a port.
1.
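To make the alert semantics above concrete (a threshold fraction over a sliding window of -time seconds, with -qtime seconds of quiet between alerts), here is an added Python model of that logic run over a constructed per-second trace. It is an illustration written for this page, not Brocade's implementation: the switch measures bottlenecked seconds internally, whereas this code takes a list of booleans as input, and the exact window alignment the firmware uses is an assumption (here the window is the last `time` seconds ending at the current second).

```python
"""Model of bottleneck alerting: threshold over a sliding window plus quiet time.

Added example, not Brocade code. Input is a constructed trace with one flag
per second (True = port was bottlenecked that second). The window alignment
(last `time` seconds, inclusive of the current one) is an assumption.
"""
from collections import deque
from typing import Iterable, List


def bottleneck_alerts(samples: Iterable[bool], thresh: float, time: int,
                      qtime: int) -> List[int]:
    """Return the second indices at which an alert would be raised.

    thresh: fraction (0..1) of the window that must be bottlenecked to alert
    time:   averaging window in seconds (default on the switch: 300)
    qtime:  minimum number of seconds between two alerts
    """
    if not 0 < thresh <= 1 or time <= 0 or qtime < 0:
        raise ValueError("invalid bottleneck parameters")
    window: deque = deque()
    busy = 0           # bottlenecked seconds currently inside the window
    alerts: List[int] = []
    last_alert = None
    for t, flag in enumerate(samples):
        window.append(bool(flag))
        busy += window[-1]
        if len(window) > time:
            busy -= window.popleft()
        if len(window) < time:
            continue   # not enough history for a full window yet
        fraction = busy / time
        quiet_ok = last_alert is None or t - last_alert >= qtime
        if fraction >= thresh and quiet_ok:
            alerts.append(t)
            last_alert = t
    return alerts


def bottleneck_history(samples: Iterable[bool], bucket_seconds: int) -> List[float]:
    """Fraction of each consecutive bucket during which the port was bottlenecked,
    the shape of information a per-port history display gives."""
    samples = list(samples)
    return [
        sum(samples[i:i + bucket_seconds]) / len(samples[i:i + bucket_seconds])
        for i in range(0, len(samples), bucket_seconds)
    ]


# Constructed trace: 2 minutes idle, then 200 seconds bottlenecked, then 100 idle.
CONSTRUCTED_TRACE = [False] * 120 + [True] * 200 + [False] * 100


if __name__ == "__main__":
    # Same parameters as the "port 5" example: 50% over 300 s, 30 s quiet time.
    print(bottleneck_alerts(CONSTRUCTED_TRACE, thresh=0.5, time=300, qtime=30))
    print(bottleneck_history(CONSTRUCTED_TRACE, 60))
```

With the switch defaults (thresh 0.5, time 300, qtime 30) the constructed trace first crosses the threshold at second 299 and then re-alerts every 30 seconds while the window stays above 50% busy, which is why a short quiet time on a persistently congested port produces a steady stream of RASlog entries.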
Chapter 19 Managing Trunking Connections

In this chapter
• Trunking overview
• Supported hardware
• Recommendations for trunking groups
• Basic trunk group configuration
• Trunking over long distance fabrics
Re-initializing ports for trunking is required after you install the license so that the ports know that trunking is enabled. You can enable or disable trunking for a single port or for an entire switch. For trunking to work, the individual ports or the entire switch must be set to the same speed and the same mode, for example 2 Gbps, 4 Gbps, 8 Gbps, or autonegotiate. For more information on setting port speeds, see “Trunking over long distance fabrics” on page 446.
Supported hardware

Trunking is supported on the FC ports of all Brocade platforms and blades supported in Fabric OS v6.3.0.

Recommendations for trunking groups

To identify the most useful trunking groups, consider the following recommendations along with the standard guidelines for SAN design:
• Evaluate the traffic patterns within the fabric.
• Place trunking-capable switches adjacent to each other. This maximizes the number of trunking groups that can form.
Basic trunk group configuration

Re-initializing ports for trunking is required after you unlock the ISL Trunking license. You must re-initialize the ports being used for ISLs so that they recognize that trunking is enabled. This procedure only needs to be performed once. To re-initialize the ports, you can either disable and then re-enable the switch, or disable and then re-enable the affected ports.
Displaying trunking information

1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the trunkShow command.

This example shows trunking groups 1, 2, and 3; ports 4, 13, and 14 are masters.
Trunking over long distance fabrics

In long-distance fabrics, if a port speed is set to autonegotiate, the maximum speed, which is 8 Gbps, is assumed when reserving buffers for the port. If the port is only running at 2 Gbps, this wastes buffers. On the Brocade 300, 4100, 4900, 5100, 5300, 5410, 5424, 5450, 5480, 7800, 8000, and 48000 platforms, for long-distance ports you should specify the port speed instead of setting it to autonegotiate.
TABLE 85 Trunking over distance for the Brocade 48000, DCX Backbone, and the DCX-4S

Long distance mode   Distance   Number of 2 Gbps ports   Number of 4 Gbps ports
LD                   500 km     0                        0
LS                   Static     See note below

NOTE
The L0 mode supports up to 5 km at 2 Gbps, up to 2 km at 4 Gbps, and up to 1 km at 8 Gbps. The distance for the LS mode is static. You can specify any distance greater than 10 km.
• Keep in mind that F_Port trunking does not support shared area ports on the FC8-48 and FC4-48 blades in the Brocade 48000. F_Port trunking is supported on the shared area ports of the FC8-48 in the Brocade DCX and DCX-4S.

Enabling F_Port trunking

1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the portTrunkArea --enable command.

switch:admin> porttrunkarea --enable 36-39
ERROR: port 36 has to be disabled

Disabling F_Port trunking

1.
• If a port is enabled for F_Port trunking, you must disable that configuration before you can move the port out of the logical switch.
• If the user-bound area for a port is configured using the portAddress command, the port cannot be configured as an F_Port trunk port. You must explicitly remove the user-bound area before enabling F_Port trunking.
• If you swap a port using the portSwap command, you must undo the port swap before enabling F_Port trunking.
FIGURE 69 Switch in Access Gateway mode without F_Port trunking

FIGURE 70 Switch in Access Gateway mode with F_Port masterless trunking

NOTE
You do not need to manually map the host to the master port because Access Gateway performs a cold failover to the master port.

To implement F_Port masterless trunking, you must first configure an F_Port trunk group and statically assign an Area_ID within the trunk group.
TABLE 87 F_Port masterless trunking considerations

Category          Description
Area assignment   You statically assign the area within the trunk group on the edge switch. That group is the F_Port masterless trunk. The static trunk area you assign must fall within the ASIC's trunk group of the switch or blade starting from port 0. The static trunk area you assign must be one of the port’s default areas of the trunk group.
TABLE 87 F_Port masterless trunking considerations (Continued)

Category          Description
Port Swap         When you assign a Trunk Area to a trunk group, the Trunk Area cannot be port swapped; if a port is swapped, you cannot assign a Trunk Area to that port.
Trunk Master      No more than one trunk master in a trunk group. A second trunk master is persistently disabled with the reason "Area has been acquired".
TABLE 87 F_Port masterless trunking considerations (Continued)

Category          Description
QoS               Not currently supported.
D,I Zoning        Creating a Trunk Area may remove the Index ("I") from the switch to be grouped to the Trunk Area. All ports in a Trunk Area share the same "I". This means that domain,index (D,I) entries that refer to an "I" that might have been removed will no longer be part of the switch.
AD                (D,I) [remainder of this row not recoverable from the extracted text]
DCC               (D,I) DCC and (PWWN,I) DCC [remainder of this row not recoverable from the extracted text]
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the portDisable command for each port to be included in the TA.
3. Enter the portTrunkArea --enable command to enable the Trunk Area for ports 36-39 with index number 37.

switch:admin> porttrunkarea --enable 36-39 -index 37
Trunk index 37 enabled for ports 36, 37, 38 and 39.

When you assign a trunk area on a port, trunking is enabled on the F_Ports automatically.
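The preconditions scattered across the bullets, Table 87, and the procedure above (ports disabled first, no port swap, no user-bound area, the range inside one ASIC trunk group counted from port 0, the index being a default area of that group) can be checked before typing the command. The following Python pre-flight check is an added example for this page, not Brocade code; its assumptions, not stated on the page, are that a trunk group is 8 consecutive ports and that a port's default area equals its port number (which holds for fixed-port switches but not for blades with shared areas). Function names such as validate_trunk_area are hypothetical.

```python
"""Pre-flight checks for portTrunkArea --enable <ports> -index <n>.

Added example, not Brocade code. Encodes the constraints this section lists.
Assumptions (not from the page): trunk groups are 8 consecutive ports
counted from port 0, and a port's default area equals its port number.
"""
from typing import Iterable, List, Set

TRUNK_GROUP_SIZE = 8  # assumption: ports per ASIC trunk group


def parse_port_range(spec: str) -> List[int]:
    """Expand the CLI port argument ('36-39' or '36') into a list of ports."""
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        if hi < lo:
            raise ValueError(f"bad port range: {spec!r}")
        return list(range(lo, hi + 1))
    return [int(spec)]


def trunk_group(port: int) -> int:
    """Index of the trunk group a port belongs to, counting groups from port 0."""
    return port // TRUNK_GROUP_SIZE


def validate_trunk_area(ports: Iterable[int], index: int,
                        disabled_ports: Set[int],
                        swapped_ports: Set[int] = frozenset(),
                        user_bound_ports: Set[int] = frozenset()) -> List[str]:
    """Return the list of problems; an empty list means the assignment is allowed."""
    ports = sorted(set(ports))
    if not ports:
        return ["no ports given"]
    problems: List[str] = []

    # The whole range must stay inside one ASIC trunk group.
    groups = sorted({trunk_group(p) for p in ports})
    if len(groups) != 1:
        problems.append(f"ports {ports} span trunk groups {groups}; "
                        "a trunk area must stay within one ASIC trunk group")

    # The index must be one of the default areas of ports in that group.
    first = groups[0] * TRUNK_GROUP_SIZE
    last = first + TRUNK_GROUP_SIZE - 1
    if not first <= index <= last:
        problems.append(f"index {index} is not a default area of trunk group "
                        f"{groups[0]} (ports {first}-{last})")

    # Per-port preconditions from this section.
    for p in ports:
        if p not in disabled_ports:
            problems.append(f"port {p} has to be disabled")
        if p in swapped_ports:
            problems.append(f"port {p} is port-swapped; undo the swap with "
                            "portSwap before enabling F_Port trunking")
        if p in user_bound_ports:
            problems.append(f"port {p} has a user-bound area; remove it "
                            "before enabling F_Port trunking")
    return problems


if __name__ == "__main__":
    ports = parse_port_range("36-39")
    # Mirrors the error shown earlier in this section when port 36 is still enabled.
    print(validate_trunk_area(ports, 37, disabled_ports={37, 38, 39}))
    print(validate_trunk_area(ports, 37, disabled_ports=set(ports)))
```

The first call reproduces the "port 36 has to be disabled" situation shown under "Enabling F_Port trunking"; the second returns an empty list, matching the successful "Trunk index 37 enabled for ports 36, 37, 38 and 39" run.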
Chapter 20 Managing Long Distance Fabrics

In this chapter
• Long distance fabrics overview
• Extended Fabrics device limitations
• Long distance link modes
• Configuring an extended ISL
• Buffer credit management
Extended Fabrics device limitations

Extended Fabrics is normally not implemented on the following devices:
• 7600 and the FA4-18 blade - The 7600 and the FA4-18 blade have two Gigabit Ethernet ports and 16 FC ports. The two Gigabit Ethernet ports are for use by storage applications, and generally the FC ports on these devices are used to connect devices used by the storage applications.
Configuring an extended ISL

Before configuring an extended ISL, ensure that the following conditions are met:
• The ports on both ends of the ISL are operating at the same port speed, and can be configured at the same distance level without compromising local switch performance.

NOTE
A long-distance link can also be configured to be part of a trunk group.
Authentication: None
portDisableReason: None
portCFlags: 0x1
portFlags: 0x1 PRESENT U_PORT
portType: 17.
Buffer credit management

Buffer-to-buffer credit management affects performance over distance; therefore, allocating a sufficient number of buffer credits for long-distance traffic is essential to performance. To prevent a target device (either host or storage) from being overwhelmed with frames, the Fibre Channel architecture provides flow control mechanisms based on a system of credits. Each of these credits represents the ability of the device to accept an additional frame.
Optimal buffer credit allocation

The optimal number of buffer credits is determined by the distance (frame delivery time), the processing time at the receiving port, the link signaling rate, and the size of the frames being transmitted. As the link speed increases, the frame transmission time is reduced and the number of buffer credits must be increased to obtain full link utilization, even in a short-distance environment.
Fibre Channel gigabit values reference definition

Before you can calculate the buffer requirement, note the following Fibre Channel gigabit values reference definition:
• 1.0625 for 1 Gbps
• 2.125 for 2 Gbps
• 4.25 for 4 Gbps
• 8.5 for 8 Gbps

Allocating buffer credits based on full-size frames

Assuming that the frame size is full, one buffer credit allows a device to send one payload of up to 2112 bytes (2148 with headers).
NOTE
The portCfgLongDistance command’s desired_distance parameter is the upper limit of the link distance and is used to calculate buffer availability for other ports in the same port group. When the measured distance exceeds the value of desired_distance, this value is used to allocate the buffers. In this case, the port operates in degraded mode instead of being disabled due to insufficient buffers.
24 = the number of user ports in a port group, retrieved from Table 90 on page 465.
8 = the number of reserved credits for each user port.
676 = the number of buffer credits available in the port group.
NOTE
This formula does not work with LD mode, because LD mode checks the distance and limits the estimated distance to the real value of 100 km. LS mode allows for the necessary desired_distance based on the data size entered, regardless of the distance.
[Table fragment: rows for ports 12 through 23 of a port group; ports marked U are user ports with 8 reserved credits each; the group's unreserved total shown at the bottom of the table is 484]

Buffer credits for each switch model

Table 90 shows the total ports in a switch or blade, the number of user ports in a port group, and the unreserved buffer credits available per port group.
TABLE 90 Buffer credits (Continued)

Switch/blade model   Total FC ports (per switch/blade)   User port group size   Unreserved buffers (per port group)
FS8-18               16                                  8                      1604
FX8-24               12                                  12                     1060

For the FC8-x blades, the first number in the Unreserved buffers column designates the number of unreserved buffers per port group in Brocade DCX and DCX-4S platforms; the second number designates the unreserved buffers in a Brocade 48000 director.
TABLE 91 Configurable distances for Extended Fabrics (Continued)

Maximum distances (km) that can be configured, assuming a 2112-byte frame size
Switch/blade model   1 Gbps        2 Gbps        4 Gbps      8 Gbps
FC8-48               2461 / 3149   1230 / 1574   615 / 787   307 / 393
FR4-18i              500           250           100         N/A
FS8-18               3208          1604          802         401
FX8-24               2125          1062          531         265

NOTE
QoS requires an additional 14 buffer credits per active port, so maximum supported distances may be lower.
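The arithmetic behind this section (the 676 / 24 / 8 unreserved-buffer figures, the gigabit values, the 2148-byte full frame, and the way Table 90's unreserved buffers become Table 91's distances) is worked through in the following added Python example. It is not Brocade code and not the formula printed in this guide: the credits-per-distance part is a first-principles estimate that assumes roughly 5 µs/km one-way propagation in fibre and 8b/10b line coding (10 bits per byte on the wire) on 1/2/4/8 Gbps links, neither of which the page states. The max_distance_km helper instead applies the ratio that relates the two tables for the FS8-18 row (1604 unreserved buffers giving 3208, 1604, 802, and 401 km), and the test shows the physical estimate stays inside that budget.

```python
"""Buffer-credit arithmetic for extended ISLs (added example, not Brocade code).

Made concrete here:
  * unreserved buffers in a port group = total - user ports * reserved per port
    (the 676, 24, 8 and 484 figures in this section);
  * credits a given distance consumes at a given speed and frame size, which
    decides whether a port group can honour a requested desired_distance.
Assumed constants, not from the page: ~5 us/km one-way delay in fibre and
8b/10b coding (10 wire bits per byte) on 1/2/4/8 Gbps Fibre Channel.
"""
import math

# Fibre Channel gigabit values from the text: line rate in Gbit/s per nominal speed.
GIGABIT_VALUE = {1: 1.0625, 2: 2.125, 4: 4.25, 8: 8.5}
FULL_FRAME_BYTES = 2148       # 2112-byte payload plus headers, per the text
ONE_WAY_US_PER_KM = 5.0       # assumption: propagation delay in fibre
BITS_PER_BYTE_ON_WIRE = 10    # assumption: 8b/10b encoding


def unreserved_buffers(total_buffers: int, user_ports: int,
                       reserved_per_port: int) -> int:
    """Credits left in a port group after each user port keeps its reserved share."""
    left = total_buffers - user_ports * reserved_per_port
    if left < 0:
        raise ValueError("reserved credits exceed the port group's buffers")
    return left


def frame_time_us(speed_gbps: int, frame_bytes: int = FULL_FRAME_BYTES) -> float:
    """Serialisation time of one frame, in microseconds, at the nominal speed."""
    line_rate_bps = GIGABIT_VALUE[speed_gbps] * 1e9
    return frame_bytes * BITS_PER_BYTE_ON_WIRE / line_rate_bps * 1e6


def credits_required(distance_km: float, speed_gbps: int,
                     frame_bytes: int = FULL_FRAME_BYTES) -> int:
    """Credits needed to keep the link busy: frames in flight over one round trip.
    Smaller (average) frames need more credits for the same distance."""
    round_trip_us = 2 * ONE_WAY_US_PER_KM * distance_km
    return math.ceil(round_trip_us / frame_time_us(speed_gbps, frame_bytes))


def max_distance_km(unreserved: int, speed_gbps: int) -> int:
    """Distance supported when all unreserved credits go to one long-distance
    port, using the 2 km per credit at 1 Gbps ratio (halving per speed
    doubling) that relates Table 90 to Table 91 for the FS8-18."""
    return unreserved * 2 // speed_gbps


def fits(desired_distance_km: float, speed_gbps: int, unreserved: int,
         qos_enabled: bool = False, qos_credits: int = 14) -> bool:
    """Can the requested desired_distance be served by the group's spare credits?
    QoS takes a further 14 credits per active port, per the note under Table 91."""
    available = unreserved - (qos_credits if qos_enabled else 0)
    return credits_required(desired_distance_km, speed_gbps) <= available


if __name__ == "__main__":
    spare = unreserved_buffers(676, 24, 8)          # the section's own figures
    print("unreserved credits in the group:", spare)
    for speed in (1, 2, 4, 8):
        print(f"100 km at {speed} Gbps needs {credits_required(100, speed)} credits")
    print("FS8-18 distances by speed:",
          [max_distance_km(1604, s) for s in (1, 2, 4, 8)])
```

Two practical points fall out of the model: doubling the link speed doubles the credits a fixed distance consumes, and a link carrying small frames (backup or database traffic with average frames far below 2112 bytes) needs proportionally more credits than the full-frame figure, which is why LS mode lets you enter the data size rather than assuming full frames.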
Chapter 21 Using the FC-FC Routing Service

In this chapter
• FC-FC routing service overview
• Integrated Routing
• Fibre Channel routing concepts
• Setting up the FC-FC routing service
• Backbone fabric IDs
Supported platforms for Fibre Channel routing

Fibre Channel routing is supported on the following platforms:
• Brocade DCX and DCX-4S (FC8-16, FC8-32, FC8-48, FX8-24, or FR4-18i blade)
• Brocade 5100 switch
• Brocade 5300 switch
• Brocade 7500 Extension Switch
• Brocade 7800 Extension Switch
• Brocade 48000 director, using the FR4-18i blade

For the Brocade 48000 director, EX_Ports are supported only on the FR4-18i blade and are not supported on 8-Gbps port blades.
Integrated Routing

Integrated Routing is a licensed feature that allows 8-Gbps FC ports to be configured as EX_Ports supporting Fibre Channel routing. This license eliminates the need to add an FR4-18i blade to the Brocade DCX and DCX-4S, or to use the Brocade 7500, for FC-FC routing purposes. Using 8-Gbps ports for Fibre Channel routing provides double the bandwidth for each FCR connection (when connected to another 8-Gbps-capable port).
• Inter-fabric link (IFL)
The link between an E_Port and EX_Port, or VE_Port and VEX_Port, is called an inter-fabric link (IFL). You can configure multiple IFLs from an FC router to an edge fabric. Figure 71 shows a metaSAN consisting of three edge fabrics connected through a Brocade DCX with inter-fabric links.
[FIGURE 72 A metaSAN with edge-to-edge and backbone fabrics and LSAN zones: diagram not reproduced; it shows Edge fabrics 1, 2, and 3, an IP cloud, the FC router's E_Port, EX_Port, VE_Port, and VEX_Port connections over IFLs, the backbone fabric, and the LSAN]

• Proxy device
A proxy device is a virtual device imported into a fabric by a Fibre Channel router, and represents a real device on another fabric. It has a name server entry and is assigned a valid port ID.
NOTE
Backbone fabrics that share connections to the same edge fabrics must have unique backbone fabric IDs.

• MetaSAN
A metaSAN is the collection of all SANs interconnected with Fibre Channel routers. A simple metaSAN can be constructed using an FC router to connect two or more separate fabrics. Additional FC routers can be used to increase the available bandwidth between fabrics and to provide redundancy.
Proxy devices

An FC router achieves inter-fabric device connectivity by creating proxy devices (hosts and targets) in attached fabrics that represent real devices in other fabrics. For example, a host in Fabric 1 can communicate with a target in Fabric 2 as follows:
• A proxy target in Fabric 1 represents the real target in Fabric 2.
• Likewise, a proxy host in Fabric 2 represents the real host in Fabric 1.
To do so, at least one translate phantom domain is created in the backbone fabric. This translate phantom domain represents the entire edge fabric. The shared physical devices in the edge fabric have corresponding proxy devices on the translate phantom domain. Each edge fabric has one and only one xlate domain to the backbone fabric. The backbone fabric device communicates with the proxy devices whenever it needs to contact the shared physical devices in the edge fabric.
[FIGURE 75 Sample topology (physical topology): diagram not reproduced; it shows a Host and Targets 1, 2, and 3 across Fabrics 1 through 4, connected through FC routers 1 through 4 over E_Port and EX_Port links]

Figure 76 shows a phantom topology for the physical topology shown in Figure 75. In this figure, the dashed lines and shapes represent the phantom topology from the perspective of Fabric 1.
All EX_Ports or VEX_Ports connected to an edge fabric use the same xlate domain ID number for an imported edge fabric; this value persists across switch reboots and fabric reconfigurations. If you lose connectivity to the edge fabric because of link failures or because the IFL is disabled, xlate domains remain visible. This prevents unnecessary fabric disruptions caused by xlate domains repeatedly going offline and online due to corresponding IFL failures.
1. Log in to the switch or director as admin and enter the version command. Verify that Fabric OS v6.3.0 is installed on the FC router, as shown in the following example.

switch:admin> version
Kernel:     2.6.14.2
Fabric OS:  v6.3.0
Made on:    Thu Jul 16 01:15:34 2009
Flash:      Mon Jul 20 20:53:48 2009
BootProm:   1.0.9

2.
InteropMode: Off
usage: InteropMode [0|2|3 [-z McDataDefaultZone] [-s McDataSafeZone]]
  0: to turn interopMode off
  2: to turn McDATA Fabric mode on
     Valid McDataDefaultZone: 0 (disabled), 1 (enabled)
     Valid McDataSafeZone: 0 (disabled), 1 (enabled)
  3: to turn McDATA Open Fabric mode on

If InteropMode is on, FC routing is not supported. To turn off interoperability mode, enter the interopMode 0 command.
5.
In addition to ensuring that the backbone fabric IDs are the same within the same backbone, you must make sure that when two different backbones are connected to the same edge fabric, the backbone fabric IDs are different, while the edge fabric ID is the same. A configuration of two backbones with the same backbone fabric ID connected to the same edge fabric is invalid. In this configuration, a RASLog message displays a warning about fabric ID overlap.
If you are using FCIP in your FC-FC Routing configuration, you must first configure FCIP tunnels. Once a tunnel is created, it defaults to a disabled state. Then configure the VE_Port or VEX_Port. After the appropriate ports are configured, enable the tunnel.

NOTE
This section is applicable only to Fabric OS fabrics and does not apply to M-EOS fabrics. See the Fibre Channel over IP Administrator’s Guide for instructions on how to configure FCIP tunnels.
Edge Fabric ID: 30
Preferred Domain ID: 160
Front WWN: 50:06:06:9e:20:38:6e:1e
Fabric Parameters: Auto Negotiate
R_A_TOV: Not Applicable
E_D_TOV: Not Applicable
Authentication Type: None
DH Group: N/A
Hash Algorithm: N/A
Edge fabric's primary wwn: N/A
Edge fabric's version stamp: N/A

This port can now connect to another switch.

For related FC-FC Routing commands, see fcrEdgeShow, fcrXlateConfig, fcrConfigure, and fcrProxyConfig in the Fabric OS Command Reference.
Area Number:          74
Speed Level:          AUTO
Trunk Port            OFF
Long Distance         OFF
VC Link Init          OFF
Locked L_Port         OFF
Locked G_Port         OFF
Disabled E_Port       OFF
ISL R_RDY Mode        OFF
RSCN Suppressed       OFF
Persistent Disable    OFF
NPIV capability       ON
EX Port               ON
Mirror Port           ON
FC Fastwrite          ON

9.
portType: 10.
4   95   10:00:00:05:1e:37:00:45   10.32.156.31   "Brocade 7500"
5   95   10:00:00:05:1e:37:00:45   10.32.156.31   "Brocade 7500"
6   95   10:00:00:05:1e:37:00:45   10.32.156.31   "Brocade 7500"

FC Router port cost configuration

The router port cost is set automatically. This section provides information about the router port cost and describes how you can modify the cost for a port if you want to change the default value.
You can connect multiple EX_Ports or VEX_Ports to the same edge fabric. The EX_Ports can all be on the same FC router, or they can be on multiple routers. Multiple EX_Ports create multiple paths for frame routing. Multiple paths can be used in two different, but compatible, ways:
• Failing over from one path to another.
• Using multiple paths in parallel to increase effective data transmission rates.
switch:admin> fcrrouterportcost 7/10 10000

• To set the cost of the EX_Port back to the default, enter a cost value of 0:

switch:admin> fcrrouterportcost 7/10 0

6. Enter the portEnable command to enable the ports that you disabled in step 1.

switch:admin> portenable 7/10

EX_Port frame trunking configuration

In Fabric OS v5.2.0 and later, you can configure EX_Ports to use frame-based trunking just as you do regular E_Ports.
For EX_Ports on the Brocade 7500 or the FR4-18i blade, or for EX_Ports on the Brocade DCX or DCX-4S with Virtual Fabrics mode disabled, masterless EX_Port trunking is not in effect. In this situation, if the master port goes offline, the entire EX_Port-based trunk re-forms and is taken offline for a short period of time. If there are no other links to the edge fabric from the backbone, the master port going offline may cause a traffic disruption in the backbone.
High availability support

The EX_Port frame trunking feature is also a High Availability (HA) supported feature. The HA protocol for EX_Port trunking is as follows:
• If trunking is disabled prior to the HA failover, it remains disabled after the HA failover.
• If trunking is enabled prior to the HA failover, it remains enabled after the HA failover.
LSAN zone configuration

An LSAN consists of zones in two or more edge or backbone fabrics that contain the same devices. LSANs essentially provide selective device connectivity between fabrics without forcing you to merge those fabrics. FC routers provide multiple mechanisms to manage inter-fabric device connectivity through extensions to existing switch management interfaces. You can define and manage LSANs using Brocade Advanced Zoning.
LSAN zones and fabric-to-fabric communications

Zoning is enforced by all involved fabrics; any communication from one fabric to another must be allowed by the zoning setup on both fabrics. If the SANs are under separate administrative control, then separate administrators maintain access control.

Controlling device communication with the LSAN

The following procedure illustrates how LSANs control which devices can communicate with each other.
   Do you want to enable 'zone_cfg' configuration (yes, y, no, n): [no] y
   zone config "zone_cfg" is in effect
   Updating flash ...
6. Log in as admin to fabric2.
7. Enter the nsShow command to list Target A (50:05:07:61:00:5b:62:ed) and Target B (50:05:07:61:00:49:20:b4).
• fcrPhyDevShow shows the physical devices in the LSAN.
   switch:admin> fcrphydevshow
     Device      WWN                       Physical
     Exists                                PID
     in Fabric
   -----------------------------------------
      75        10:00:00:00:c9:2b:c9:0c   c70000
       2        50:05:07:61:00:5b:62:ed   0100ef
       2        50:05:07:61:00:5b:62:ed   0100e8
   Total devices displayed: 3
• fcrProxyDevShow shows the proxy devices in the LSAN.
NOTE
Since the maximum number of LSANs is configured on each switch, if the maximum LSAN count differs between switches in the metaSAN, device import/export will not be identical on the FC routers. You should enter the same maximum LSAN count on all the FC routers in the same backbone that support this feature. Verify the configured maximum limit against the LSANs configured using the fcrResourceShow command.
Normally the FC router automatically accepts all zones with names that start with “lsan_”. You can specify an Enforce tag to indicate that a particular FC router should only accept zones that start with the prefix “lsan_tag”. For example, if you specify an Enforce tag of “abc”, the FC router accepts only those LSAN zones that start with “lsan_abc” and does not import or export any other LSAN zones.
FIGURE 77 Example of setting up Speed LSAN tag (figure: host H1 and devices D1 and D2 in edge fabrics 1, 2 and 3, connected through FC router 1 and FC router 2; the legend marks the LSAN)

Rules for LSAN tagging

Note the following rules for configuring LSAN tags:
• You configure the tags on the FC router, and not on the edge switches. If Virtual Fabrics are enabled, you configure the tags on the base switch on which the EX_ and VEX_Ports are located.
4. Enter the following command to enable the FC router:
   switchenable
5. Change the names of the LSAN zones in the edge fabrics to incorporate the tag in the names.
Example
   sw0:admin> switchdisable
   sw0:admin> fcrlsan --add -enforce enftag1
   LSAN tag set successfully
   sw0:admin> switchenable

Configuring a Speed LSAN tag
1. Log in to the FC router as admin.
2.
Example
   sw0:admin> fcrlsan --show -enforce
   Total LSAN tags : 1
   ENFORCE : enftag1
   sw0:admin> fcrlsan --show -speed
   Total SPEED tags : 1
   SPEED : fasttag2
   sw0:admin> fcrlsan --show -all
   Total LSAN tags : 2
   ENFORCE : enftag1
   SPEED : fasttag2

LSAN zone binding

LSAN zone binding is an optional, advanced feature that increases the scalability envelope for very large metaSANs.

NOTE
LSAN zone binding is supported only on FC routers with Fabric OS v5.3.0 and later.
FIGURE 78 LSAN zone binding (figure: FC routers 1 through 4 in a backbone fabric connecting edge fabrics 1 through 9, with LSAN zones 1 through 4 each spanning a subset of those fabrics)

After you set up LSAN zone binding, each FC router stores information about only those LSAN zones that access its local edge fabrics.
How LSAN zone binding works

LSAN zone binding uses an FC router matrix, which specifies pairs of FC routers in the backbone fabric that can access each other, and an LSAN fabric matrix, which specifies pairs of edge fabrics that can access each other. You set up LSAN zone binding using the fcrLsanMatrix command. This command has two options: -fcr and -lsan.
Now edge fabrics 1, 2, 3, 7, and 8 can access each other, and edge fabrics 4, 5, 6, and 9 can access each other; however, edge fabrics in one group cannot access edge fabrics in the other group.

LSAN fabric matrix definition

With LSAN zone binding, you can specify pairs of fabrics that can access each other.
   FCR:Admin> fcrlsanmatrix --add -lsan 10 19
   FCR:Admin> fcrlsanmatrix --apply -all

Viewing the LSAN zone binding matrixes
1. Log on to the FC router as admin.
2. Enter the following command to view the FC router matrix:
   fcrlsanmatrix --fabricview -fcr
3.
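The two acceptance rules described above, the "lsan_" prefix with an Enforce or Speed tag and the LSAN fabric matrix of fabric pairs, as an added model in Python (not Brocade's code). The transcript, the function names and the assumptions noted in the comments are constructed for this example.

```python
# Added example (not Brocade's code): models the LSAN zone-name tag rule and
# the LSAN fabric matrix (pairs of edge fabrics allowed to access each other).
# The CLI transcript below is constructed in the syntax shown on this page.
import re

LSAN_PREFIX = "lsan_"
MATRIX_ADD = re.compile(r"fcrlsanmatrix\s+--add\s+-lsan\s+(\d+)\s+(\d+)")


def lsan_zone_accepted(zone_name, tag=None):
    """True if an FC router treats zone_name as an LSAN zone.

    With no tag, any name starting with "lsan_" qualifies. With an Enforce
    tag, only names starting with "lsan_<tag>" are imported/exported; the
    same test with a Speed tag selects the zones that get the faster import.
    Assumption: the prefix comparison is case-insensitive.
    """
    required = LSAN_PREFIX + (tag.lower() if tag else "")
    return zone_name.lower().startswith(required)


def parse_matrix_transcript(transcript):
    """Collect fabric pairs from 'fcrlsanmatrix --add -lsan A B' lines.

    Each pair is stored once, unordered, because access in the matrix is
    mutual. Lines such as '--apply -all' contribute nothing.
    """
    pairs = set()
    for line in transcript.splitlines():
        m = MATRIX_ADD.search(line)
        if m:
            a, b = int(m.group(1)), int(m.group(2))
            if a != b:
                pairs.add(frozenset((a, b)))
    return pairs


def fabrics_can_access(pairs, fid_a, fid_b):
    """Assumption: an empty matrix imposes no restriction (every pair is
    allowed); otherwise only explicitly added pairs may access each other."""
    if fid_a == fid_b or not pairs:
        return True
    return frozenset((fid_a, fid_b)) in pairs


def lsan_zone_allowed(zone_name, member_fids, pairs, enforce_tag=None):
    """Return (allowed, reason): the name must pass the tag rule and every
    pair of fabrics that the zone's members live in must be in the matrix."""
    if not lsan_zone_accepted(zone_name, enforce_tag):
        return False, f"{zone_name}: name does not start with lsan_{enforce_tag or ''}"
    fids = sorted(set(member_fids))
    for i, a in enumerate(fids):
        for b in fids[i + 1:]:
            if not fabrics_can_access(pairs, a, b):
                return False, f"{zone_name}: fabrics {a} and {b} are not bound"
    return True, "ok"


# Constructed transcript: two pairs plus the pair shown on this page.
TRANSCRIPT = """\
FCR:Admin> fcrlsanmatrix --add -lsan 1 2
FCR:Admin> fcrlsanmatrix --add -lsan 1 3
FCR:Admin> fcrlsanmatrix --add -lsan 10 19
FCR:Admin> fcrlsanmatrix --apply -all
"""

if __name__ == "__main__":
    matrix = parse_matrix_transcript(TRANSCRIPT)
    print(lsan_zone_allowed("lsan_abc_hosts", [1, 2], matrix, "abc"))
    print(lsan_zone_allowed("lsan_abc_hosts", [1, 19], matrix, "abc"))
    print(lsan_zone_allowed("lsan_xyz", [1, 2], matrix, "abc"))
```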
Fabric parameter considerations

By default, EX_Ports and VEX_Ports detect, autonegotiate, and configure the fabric parameters without user intervention. You can optionally configure these parameters manually. To change the fabric parameters on a switch in the edge fabric, execute the configure command. To change the fabric parameters of an EX_Port on the FC router, use the portCfgEXPort command.
   fcr:admin> fcrbcastconfig --enable -f fabricID
   where fabricID is the FID of the edge or backbone fabric on which you want to enable broadcast frame forwarding.
Broadcast frame forwarding is enabled by default.

Disabling broadcast frame forwarding
1. Log in to the FC router as admin.
2. Type the following command:
   fcr:admin> fcrbcastconfig --disable -f fabricID
   where fabricID is the FID of the edge or backbone fabric on which you want to disable broadcast frame forwarding.
   Phantom Port WWN:        32768   16121
   Port Limits:
       Max proxy devices:   2000
       Max NR_Ports:        1000
       Currently Used (column 1: proxy, column 2: NR_Ports):
         0 |  0  34
         1 |  3  34
         4 |  0   0
         5 |  0   0
         6 |  0   0
         7 |  0   0
         8 |  6  34
         9 |  6  34
        10 |  6  34
        11 |  6  34
        12 |  6  34
        13 |  6  34
        14 |  6  34
        15 |  6  34
        16 |  8  34
        17 |  8  34
        18 |  8  34
        19 |  8  34
        20 |  8  34
        21 |  8  34
        22 |  8  34
        23 |  8  34

FC-FC Routing and Virtual Fabrics

If Virtual Fabrics is not enabled, FC-FC routing behavior is unchanged.
• EX_Ports and VEX_Ports (those in FC routers and those in a base switch) cannot connect to any edge fabric with logical switches configured to use XISLs. If you connect an EX_Port or VEX_Port to an edge fabric, you must ensure that there are no logical switches with XISL use enabled in that edge fabric. If any logical switch in the edge fabric allows XISL use, then the EX_Port or VEX_Port is disabled.
FIGURE 79 (figure: two physical chassis, each with a default logical switch with Fabric ID 128, a logical switch with Fabric ID 1 that allows XISL use, a logical switch with Fabric ID 15, and a base switch with Fabric ID 8; the base switches are joined by an XISL and carry the EX_Ports for the IFLs, while the other logical switches are joined by ISLs and logical ISLs)
Even though F_Ports are not allowed in the base switch, they are allowed in an FC router in legacy mode (Fabric OS v6.1.x or earlier, or Fabric OS v6.2.0 or later with Virtual Fabrics disabled). If you connect an FC router in legacy mode to the base switch, backbone-to-edge routing is supported on that FC router. In Figure 79, no devices can be connected to the backbone fabric (Fabric 8) because base switches cannot have F_Ports.
If you replace an 8-Gbps port blade or FX8-24 blade with an FR4-18i blade, the EX_Port configuration remains the same for all ports on the FR4-18i blade. All ports are persistently disabled. If you replace an 8-Gbps port blade with an FX8-24 blade, the EX_Port configuration remains the same for the first 12 FC ports on the FX8-24 blade.
Appendix A Mixed Fabric Configurations for Non-merged SANs

In this appendix
• M-EOS fabrics overview, 511
• McDATA Mi10K interoperability, 513
• Fabric configurations for interconnectivity
2. Fabric OS v5.1.0 and M-E/OSc v4.1.1, v5.1.2, 6.2.0 can interoperate through the FC routing capability of the SilkWorm AP7420 only. Fabric OS and M-E/OSc v7.1.3 can interoperate through the FC routing capability of the SilkWorm AP7420, Brocade 7500, or FR4-18i blade. Fabric OS and M-E/OSc v8.0.0 and v9.2.0 can interoperate through the FC routing capability of the Brocade 7500 or FR4-18i blade.
McDATA Mi10K interoperability

When an EX_Port is connected to an M-EOS edge fabric, the front domain ID must be within a range the edge M-Series switch can understand. Valid values are:
• McDATA Native mode: 1 – 31
• McDATA Open mode: 239
The default front domain ID assigned to the EX_Port remains at 160 when it is created.
You can display the current operational mode of the EX_Port by issuing the portCfgExPort command with the port number as the only parameter.
   FC Router BB Fabric ID: 1
   Index Slot Port Address Media Speed State     Proto
   ===================================================
    112   10    0  037000   id    N4   No_Light  Disabled (Persistent)
    113   10    1  037100   id    N4   No_Light  Disabled (Persistent)
    114   10    2  037200   id    N4   No_Light  Disabled (Persistent)
    115   10    3  037300   id    N4   No_Light  Disabled (Persistent)
    116   10    4  037400   id    N4   No_Light  Disabled (Persistent)
    117   10    5  037500   id    N4   No_Light  Disabled (Persistent)
    118   10    6  037600   id
   switchId:       fffc03
   switchWwn:      10:00:00:60:69:e4:00:86
   zoning:         ON (test)
   switchBeacon:   OFF
   blade3 Beacon:  OFF
   blade8 Beacon:  OFF
   blade10 Beacon: OFF
   FC Router:      ON
   FC Router BB Fabric ID: 1
   Index Slot Port Address Media Speed State     Proto
   ===================================================
    112   10    0  037000   id    N4   No_Light
    113   10    1  037100   id    N4   No_Light
    114   10    2  037200   id    N4   No_Light
    115   10    3  037300   id    N4   No_Light
    116   10    4  037400   id    N4   No_Light
    117   10    5  037500   id    N4   N
   67: fffc43 10:00:00:60:69:10:60:1f 192.168.64.187 0.0.0.0 "sw187"
   The Fabric has 4 switches
You can use DCFM to gather similar information for the M-EOS fabric. See the EFC Manager Software User Manual for information on using DCFM. When you have configured the FC router to connect to a fabric, you must create LSAN zones for the SAN. After you set up LSAN zoning, issue the cfgShow command to verify that the zoning is correct.
   switch:admin> fcrproxydevshow
   Proxy      WWN                       Proxy    Device     Physical   State
   Created                              PID      Exists     PID
   in Fabric                                     in Fabric
   ---------------------------------------------------------------------------
    10   20:00:00:01:73:00:59:dd   05f001   12   610902   Imported
    10   21:00:00:e0:8b:04:80:76   02f002   11   340713   Imported
    10   50:06:01:68:40:04:d3:95   02f001   11   660713   Imported
    11   10:00:00:00:c9:2d:3d:5c   020001   10   011500   Imported
6. Log in to the Fabric OS edge fabric switch and enter the nsAllShow or the nsCamShow command.
   50:06:01:60:38:e0:0b:a4
   10:00:00:00:c9:44:54:04
7. Log in to the FC router and run the lsanZoneShow -s command to verify the FIDs and devices to be shared among LSANs.
Appendix B Inband Management

In this appendix
• Inband Management overview
• Internal Ethernet devices
• IP address and routing management
• Examples of supported configurations
Internal Ethernet devices

During the switch initialization process, two new internal Ethernet devices are created: inbd0 and inbd1. Ethernet device inbd0 is used to communicate through GE port 1, and inbd1 is used to communicate through GE port 0. These new Ethernet interfaces are internal only and are not accessible from outside the switch. They are used strictly for communicating IP packets between the CP and the GE port processor.
specified gateway. If no gateway is specified, it is assumed that the management station is on the same subnet as the external GE IP address, so no route is created on the GE port processor. Only a route on the CP is created, with the internal GE port processor inband device address as the gateway.
Viewing inband management IP addresses and routes

The portShow inbandmgmt command displays the addresses that are currently configured for that GE port number and the status of Inband Management (Enabled/Disabled). To display the routing table, use the existing portShow iproute command. There is a status flag on the IP routes to signify whether a route is used for the management interfaces.
FIPS

To maintain security while in FIPS mode, these devices will not function if FIPS mode is enabled. If these devices are configured and you try to enter FIPS mode, an error occurs. You must delete the configuration of these devices before entering FIPS mode.

Examples of supported configurations

The examples below demonstrate how to set up your Brocade 7500 Extension Switches using two different network scenarios.
3. Configure the routes on the Management Station.
   a. Add the route on the Management Station that is going to the 7500 L1.
      linux> route add -host 10.1.1.10 gw 192.168.3.10
   b. Add the route on the Management Station that is going to the 7500 R1.
      linux> route add -host 10.1.2.20 gw 192.168.3.20

Configuring a Management Station on different subnets

For a configuration with multiple subnets, the routes must be added to all intermediate hops in the network.
   a. Configure the internal addresses for the inbd devices for the CP and GE port (GE port 0 for this example):
      switch:admin> portcfg inbandmgmt ge0 ipaddrset cp 192.168.255.1 255.255.255.0
      switch:admin> portcfg inbandmgmt ge0 ipaddrset ge 192.168.255.2 255.255.255.0
   b. Add the route on the switch going to the Management Station.
      switch:admin> portcfg inbandmgmt ge0 routeadd 192.168.3.0 255.255.255.0 192.168.2.250
3. Configure the routes on Router A.
   a.
Appendix C Port Indexing

In this appendix

Table 97 shows the area ID and index mapping for core PID assignment for the Brocade 48000 and the Brocade DCX enterprise-class platform. There are up to 255 areas, and the area_ID mapping to the index is one-to-one. Beyond this, the index is similar but not exact, and in some instances the area ID is shared among multiple ports. This table provides the area_ID/index assignment for the maximum number of ports (used by the FC4-48 and FC8-48 blades).
TABLE 97 Default index/area_ID core PID assignment with no port swap (Continued)

Port on blade (48K)   Slot 1    Slot 2    Slot 3    Slot 4    Slot 7    Slot 8    Slot 9    Slot 10
Port on blade (DCX)   Slot 1    Slot 2    Slot 3    Slot 4    Slot 9    Slot 10   Slot 11   Slot 12
                      Idx/area  Idx/area  Idx/area  Idx/area  Idx/area  Idx/area  Idx/area  Idx/area
28                    140/140   156/156   172/172   188/188   204/204   220/220   236/236   252/252
27                    139/139   1
This table provides the area_ID/index assignment for the maximum number of ports (used by the FC4-48 and FC8-48 blades). If your blade does not have the maximum number of ports, use the lower sections of the table to determine the area_ID and index.
TABLE 98 Default index/area_ID core PID assignment with no port swap for the Brocade DCX-4S (Continued)

Port on blade   Slot 1 Idx/area   Slot 2 Idx/area   Slot 7 Idx/area   Slot 8 Idx/area
14              14/14             78/78             142/142           206/206
13              13/13             77/77             141/141           205/205
12              12/12             76/76             140/140           204/204
11              11/11             75/75             139/139           203/203
10              10/10             74/74             138/138           202/202
9               9/9               73/73             137/137           201/201
8               8/8               72/72             136/136           200/200
7               7/7               71/71             135/135           199/199
6               6/6               70/70             134/134           1
Appendix D FIPS support

In this appendix
• FIPS overview
• Zeroization functions
• FIPS mode configuration
• Preparing the switch for FIPS
Zeroization functions

TABLE 99 Zeroization Behavior

Keys                  Zeroization CLI    Description
FCAP Private Key      pkiremove          The pkiCreate command creates the keys, and pkiremove removes/zeroizes the keys.
SSH Session Key       No CLI required    This is generated for each SSH session that is established to and from the host. It is automatically zeroized on session termination.
SSH RSA private Key   No CLI required    Key-based SSH authentication is not used for SSH sessions.
FIPS mode configuration

By default, the switch comes up in non-FIPS mode. You can run the fipsCfg --enable fips command to enable FIPS mode, but you need to configure the switch first. Self-tests mode must be enabled before FIPS mode can be enabled. The set of prerequisites listed in the table below must be satisfied for the system to enter FIPS mode. To be FIPS-compliant, the switch must be rebooted; the known answer tests (KATs) are run on the reboot.
LDAP in FIPS mode

You can configure your Microsoft Active Directory server to use LDAP while in FIPS mode. There is no option on the switch to configure TLS ciphers for LDAP in FIPS mode. However, the LDAP client checks whether FIPS mode is set on the switch and uses the FIPS-compliant TLS ciphers for LDAP. If FIPS mode is not set and the Microsoft Active Directory server is configured for FIPS ciphers, it uses FIPS-compliant ciphers.
2. Configure the DNS on the switch by using the dnsConfig command.
Example of setting the DNS
   switch:admin> dnsconfig
   Enter option
   1 Display Domain Name Service (DNS) configuration
   2 Set DNS configuration
   3 Remove DNS configuration
   4 Quit
   Select an item: (1..4) [4] 2
   Enter Domain Name: [] domain.com
   Enter Name Server IP address in dot notation: [] 123.123.123.123
   Enter Name Server IP address in dot notation: [] 123.123.123.
LDAP certificates for FIPS mode

To use the LDAP services for FIPS between the switch and the host, you must generate a CSR on the Active Directory server and import and export the CA certificates. To support server certificate validation, the CA certificate must be installed on both the switch and the Active Directory server. Use the secCertUtil command to import the CA certificate to the switch.
1. Connect to the switch and log in as admin.
2. Enter the secCertUtil delete -ldapcacert <filename> command, where <filename> is the name of the LDAP certificate on the switch.
Example of deleting an LDAP CA certificate
   switch:admin> seccertutil delete -ldapcacert LDAPTestCa.pem
   WARNING!!!
   About to delete certificate: LDAPTestCa.
• If the switch is set for LDAP, refer to the instructions in “Setting up LDAP for FIPS mode” on page 536.
3. Optional: Set the authentication protocols.
   a. Type the following command to set the hash type used by the DHCHAP and FCAP authentication protocols to SHA-1 in place of MD5:
      authutil --set -h sha1
   b. Set the DH group to 1, 2, 3 or 4 using authUtil --set -g <group>, where <group> is the DH group number.
4.
   Configure...
   System services (yes, y, no, n): [no]
   …
   cfgload attributes (yes, y, no, n): [no] yes
   Enforce secure config Upload/Download (yes, y, no, n): [no]
   Enforce firmware signature validation (yes, y, no, n): [no] yes
8. Type the following command to block access to root:
   userconfig --change root -e no
   By disabling the root account, RADIUS and LDAP users with root roles are also blocked in FIPS mode.
9. Verify that your switch is FIPS ready:
   fipscfg --verify fips
10.
Displaying FIPS configuration
1. Log in to the switch using an account assigned the admin or securityAdmin role.
2. Type the command fipsCfg --showall.
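The prerequisites this procedure walks through (self-tests on, SHA-1 hash and DH group 1 to 4 for DHCHAP/FCAP, firmware signature validation enforced, root blocked, and no inband management configuration left from Appendix B), collected into one added pre-flight check in Python. This is not Brocade's code; the state dictionary and its key names are constructed for the example and are not the output format of fipsCfg --showall.

```python
# Added example (not Brocade's code): checks a constructed snapshot of switch
# state against the FIPS prerequisites listed in this procedure. The key names
# are assumed for this example only.

VALID_DH_GROUPS = {1, 2, 3, 4}


def fips_readiness_issues(state):
    """Return the prerequisites that `state` fails, as human-readable strings.

    Expected keys (all assumed names): selftests_enabled, auth_hash, dh_group,
    firmware_signature_validation, root_enabled, inband_mgmt_configured.
    Missing keys are treated as the unsafe default (not configured).
    """
    issues = []
    if not state.get("selftests_enabled", False):
        issues.append("self-tests mode must be enabled before FIPS mode")
    if str(state.get("auth_hash", "")).lower() != "sha1":
        issues.append("DHCHAP/FCAP hash must be sha1 (authutil --set -h sha1)")
    if state.get("dh_group") not in VALID_DH_GROUPS:
        issues.append("DH group must be 1, 2, 3 or 4 (authutil --set -g)")
    if not state.get("firmware_signature_validation", False):
        issues.append("answer yes to 'Enforce firmware signature validation' in configure")
    if state.get("root_enabled", True):
        issues.append("block root access (userconfig --change root -e no)")
    if state.get("inband_mgmt_configured", False):
        issues.append("delete the inband management configuration before entering FIPS mode")
    return issues


def fips_ready(state):
    """True only when every listed prerequisite is satisfied."""
    return not fips_readiness_issues(state)


# Constructed snapshot of a switch that has completed steps 3 through 8.
READY = {
    "selftests_enabled": True,
    "auth_hash": "sha1",
    "dh_group": 2,
    "firmware_signature_validation": True,
    "root_enabled": False,
    "inband_mgmt_configured": False,
}
# The same switch before steps 3 and 8: MD5 still selected, no DH group, root open.
NOT_READY = dict(READY, auth_hash="md5", dh_group=None, root_enabled=True)

if __name__ == "__main__":
    for name, snapshot in (("READY", READY), ("NOT_READY", NOT_READY)):
        print(name, fips_readiness_issues(snapshot) or "ready for fipscfg --enable fips")
```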
Appendix E Hexadecimal

In this appendix
• Hexadecimal overview, 543

Hexadecimal overview

Hexadecimal, or simply hex, is a numeral system with a base of 16, usually written using the unique symbols 0–9 and A–F, or a–f. Its primary purpose is to represent the binary code that computers interpret in a format that is easier for humans to read.
Result: hexadecimal triplet 610600 = decimal triplet 97,06,00

TABLE 103 Decimal to Hexadecimal conversion table

Decimal   01 02 03 04 05 06 07 08 09 10
Hex       01 02 03 04 05 06 07 08 09 0a
Decimal   11 12 13 14 15 16 17 18 19 20
Hex       0b 0c 0d 0e 0f 10 11 12 13 14
Decimal   21 22 23 24 25 26 27 28 29 30
Hex       15 16 17 18 19 1a 1b 1c 1d 1e
Decimal   31 32 33 34 35 36 37 38 39 40
Hex       1f 20 21 22 23 24 25 26
TABLE 103 Decimal to Hexadecimal conversion table (Continued)

Decimal   181 182 183 184 185 186 187 188 189 190
Hex       b5  b6  b7  b8  b9  ba  bb  bc  bd  be
Decimal   191 192 193 194 195 196 197 198 199 200
Hex       bf  c0  c1  c2  c3  c4  c5  c6  c7  c8
Decimal   201 202 203 204 205 206 207 208 209 210
Hex       c9  ca  cb  cc  cd  ce  cf  d0  d1  d2
Decimal   211 212 213 214 215 216 217 218 219 220
Hex       d3  d4  d5  d6  d7  d8  d9  da  db  dc
Decimal   221 222
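The triplet conversion worked above (610600 to 97,06,00) applied to the 24-bit port IDs that appear throughout this guide's nsShow and fcrPhyDevShow output, as an added Python example that is not part of the original appendix. The function names are assumptions made for the example; the sample PIDs are the ones printed on this page.

```python
# Added example (not Brocade's code): converts a 6-digit hex port ID (PID) into
# the guide's decimal triplet and names its three fields. Sample PIDs below are
# taken from the command output shown earlier on this page.
import re

PID_RE = re.compile(r"^(?:0x)?([0-9a-fA-F]{6})$")


def hex_triplet_to_decimal(pid_hex):
    """'610600' -> (97, 6, 0). Accepts an optional 0x prefix; any other length
    or a non-hex character is rejected rather than silently truncated."""
    m = PID_RE.match(pid_hex.strip())
    if not m:
        raise ValueError(f"not a 24-bit hex PID: {pid_hex!r}")
    digits = m.group(1)
    return tuple(int(digits[i:i + 2], 16) for i in (0, 2, 4))


def format_decimal_triplet(pid_hex):
    """Render in the form the guide uses, '97,06,00', two digits per field."""
    return ",".join(f"{value:02d}" for value in hex_triplet_to_decimal(pid_hex))


def decode_pid(pid_hex):
    """Name the fields of a Fibre Channel PID: the first byte is the domain ID
    of the switch, the second the port's area_ID on that switch, and the last
    byte is 0 for a single N_Port or distinguishes several devices behind the
    same port (for example loop AL_PAs)."""
    domain, area, port = hex_triplet_to_decimal(pid_hex)
    return {"domain": domain, "area": area, "port": port}


if __name__ == "__main__":
    for pid in ("610600", "0100ef", "c70000", "037000"):
        print(pid, format_decimal_triplet(pid), decode_pid(pid))
```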