53-1003130-01 27 June 2014 Fabric OS Administrators Guide Supporting Fabric OS 7.3.
© 2014, Brocade Communications Systems, Inc. All Rights Reserved. Brocade, the B-wing symbol, Brocade Assurance, ADX, AnyIO, DCX, Fabric OS, FastIron, HyperEdge, ICX, MLX, MyBrocade, NetIron, OpenScript, VCS, VDX, and Vyatta are registered trademarks, and The Effortless Network and the On-Demand Data Center are trademarks of Brocade Communications Systems, Inc., in the United States and in other countries. Other brands and product names mentioned may be trademarks of others.
Contents (excerpt)

Preface (p. 19)
  Document conventions (p. 19)
  Text formatting conventions (p. 19)
  Command syntax conventions (p. 19)
  Notes, cautions, and warnings

Password modification (p. 45)
  Default account passwords (p. 45)
The switch Ethernet interface (p. 46)
  Brocade Backbones (p. 46)
  Brocade switches

Port decommissioning (p. 74)
Setting network interface modes (p. 75)
Setting port speeds (p. 76)
  Setting all ports on a switch to the same speed (p. 76)
  Setting port speed for a port octet (p. 77)
  Setting maximum auto-negotiated port speed

Dynamic Load Sharing (p. 108)
Frame order delivery (p. 109)
  Forcing in-order frame delivery across topology changes (p. 109)
  Restoring out-of-order frame delivery across topology changes (p. 109)
  Enabling Frame Viewer (p. 110)
  Using Frame Viewer to understand why frames are dropped

Password policies (p. 140)
  Password strength policy (p. 141)
  Password history policy (p. 142)
  Password expiration policy (p. 142)
  Account lockout policy

Unblocking Telnet (p. 205)
Listener applications (p. 205)
Ports and applications used by switches (p. 206)
  Port configuration (p. 207)
Configuring Security Policies

ACL policy distribution to other switches (p. 240)
  Fabric-wide enforcement (p. 241)
  Notes on joining a switch to the fabric (p. 242)
Management interface security (p. 244)
  Configuration examples (p. 245)
  IPsec protocols

Executing a command in a different logical switch context (p. 288)
Deleting a logical switch (p. 289)
Adding and moving ports on a logical switch (p. 290)
Displaying logical switch configuration (p. 291)
Changing the fabric ID of a logical switch

Zone object maintenance (p. 326)
  Copying a zone object (p. 326)
  Deleting a zone object (p. 327)
  Renaming a zone object (p. 328)
Zone configuration management (p. 328)
Security and zoning

High availability considerations for CS_CTL-based frame prioritization (p. 379)
Enabling CS_CTL-based frame prioritization on ports (p. 379)
Disabling CS_CTL-based frame prioritization on ports (p. 380)
Using CS_CTL auto mode at the chassis level (p. 380)
Considerations for using CS_CTL-based frame prioritization (p. 380)
QoS zone-based traffic prioritization

Availability considerations for encryption and compression (p. 411)
Virtual Fabrics considerations for encryption and compression (p. 412)
In-flight compression on long-distance ports (p. 412)
Compression ratios for compression-enabled ports (p. 412)
Configuring in-flight encryption and compression on an EX_Port (p. 413)
Configuring in-flight encryption and compression on an E_Port

Fabric-Assigned PWWN (p. 449)
  Fabric-Assigned PWWN overview (p. 449)
  User- and auto-assigned FA-PWWN behavior (p. 450)
  Configuring an FA-PWWN for an HBA connected to an Access Gateway (p. 451)
  Configuring an FA-PWWN for an HBA connected to an edge switch (p. 452)
  Supported switches and configurations for FA-PWWN

Supported topologies for ICL connections (p. 487)
  Mesh topology (p. 487)
  Core-edge topology (p. 489)
Monitoring Fabric Performance (p. 491)
  Advanced Performance Monitoring overview

Configuring trunk groups (p. 513)
Enabling trunking (p. 513)
Disabling trunking (p. 514)
Displaying trunking information (p. 514)
Trunk Area and Admin Domains

EX_Port frame trunking configuration (p. 558)
LSAN zone configuration (p. 559)
  Use of Admin Domains with LSAN zones and FC-FC routing (p. 559)
  Zone definition and naming (p. 559)
  LSAN zones and fabric-to-fabric communications (p. 560)
  Controlling device communication with the LSAN
Preface
  Document conventions (p. 19)
  Brocade resources (p. 21)
  Contacting Brocade Technical Support (p. 21)
  Document feedback
Command syntax conventions (continued)

value     In Fibre Channel products, a fixed value provided as input to a command option is printed in plain text, for example, --show WWN.
[ ]       Syntax components displayed within square brackets are optional. Default responses to system prompts are enclosed in square brackets.
{x|y|z}   A choice of required parameters is enclosed in curly brackets separated by vertical bars. You must select one of the options.
Brocade resources

Visit the Brocade website to locate related documentation for your product and additional Brocade resources. You can download additional publications supporting your product at www.brocade.com. Select the Brocade Products tab to locate your product, then click the Brocade product name or image to open the individual product page. The user manuals are available in the resources module at the bottom of the page under the Documentation category.
Contacting Brocade Technical Support (continued)

• Brocade Supplemental Support augments your existing OEM support contract, providing direct access to Brocade expertise. For more information, contact Brocade or your OEM.
• For questions regarding service levels and response times, contact your OEM/Solution Provider.

Document feedback

To send feedback and report errors in the documentation, use the feedback form posted with the document or e-mail the documentation team.
About This Document
  Supported hardware and software (p. 23)
  What's new in this document (p. 24)

Supported hardware and software

Where procedures, or parts of procedures, documented here apply to some switches but not to others, this list identifies exactly which switches are supported and which are not.
TABLE 2 Brocade DCX Backbone family

Gen 4 platform (8-Gbps)   Gen 5 platform (16-Gbps)
Brocade DCX               Brocade DCX 8510-4
Brocade DCX-4S            Brocade DCX 8510-8

What's new in this document

This document includes new and modified information for the Fabric OS 7.3.0 release. The following content has been removed from this book and moved to other books:
• Removed the chapter "Installing and Maintaining Firmware". The information in this chapter is now in the Fabric OS Upgrade Guide.
Understanding Fibre Channel Services
  Fibre Channel services overview (p. 25)
  Management server (p. 26)
  Platform services (p. 26)
  Management server database
Broadcast server -- The broadcast server is optional. When frames are transmitted to this address, they are broadcast to all operational N_Ports and NL_Ports. When registration and query frames are sent to a well-known address, a different protocol service, Fibre Channel Common Transport (FC-CT), is used. This protocol provides a simple, consistent format and behavior when a service provider is accessed for registration and query purposes.
logical switches in a Virtual Fabric. The msPlatShow command displays all platforms registered in a Virtual Fabric.

Enabling platform services

When FCS policy is enabled, the msplMgmtActivate command can be issued only from the primary FCS switch. The execution of the msplMgmtActivate command is subject to any Admin Domain restrictions that are in place.
1. Connect to the switch and log in using an account assigned to the admin role.
2.
Displaying the management server ACL

Use the following procedure to display the management server ACL:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the msConfigure command. The command becomes interactive.
3. At the "select" prompt, enter 1 to display the access list. A list of WWNs that have access to the management server is displayed.
Deleting a member from the ACL (continued)

    2 Add member based on its Port/Node WWN
    3 Delete member based on its Port/Node WWN
    select : (0..3) [3] 1
    MS Access list is empty
    0 Done
    1 Display the access list
    2 Add member based on its Port/Node WWN
    3 Delete member based on its Port/Node WWN
    select : (0..3) [1] 0

Viewing the contents of the management server database

Use the following procedure to view the contents of the management server database:
1.
Displaying topology discovery status

Use the following procedure to display the status of topology discovery:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the mstdReadConfig command.

    switch:admin> mstdreadconfig
    *MS Topology Discovery is Enabled.

Enabling topology discovery

Use the following procedure to enable topology discovery:
1. Connect to the switch and log in using an account with admin permissions.
2.
Example of disabling discovery

    switch:admin> mstddisable
    This may erase all NID entries. Are you sure? (yes, y, no, n): [no] y
    Request to disable MS Topology Discovery Service in progress....
    *MS Topology Discovery disabled locally.

    switch:admin> mstddisable all
    This may erase all NID entries. Are you sure? (yes, y, no, n): [no] y
    Request to disable MS Topology Discovery Service in progress....
    *MS Topology Discovery disabled locally.
credits, RA_TOV, and ED_TOV. This is not a negotiation: if either port's link parameters do not match, the link is not established. Once an SW_ACC frame is received from the neighboring switch, the new switch sends an Exchange Switch Capabilities (ESC) frame. The two switches exchange their supported routing protocols and agree on a common one.
NOTE Fabric reconfigurations with no domain change do not cause an RSCN.

Duplicate Port World Wide Name

According to Fibre Channel standards, the Port World Wide Name (PWWN) of a device cannot overlap with that of another device; duplicate PWWNs within the same fabric are therefore an illegal configuration.
TABLE 3 Daemons that are automatically restarted (continued)

rpcd     Remote Procedure Call daemon, used by the API (Fabric Access API and SMI-S).
snmpd    Simple Network Management Protocol daemon.
npd      Flow Vision daemon.
traced   Trace daemon. Provides trace entry date and time translation to the Trace Device at startup and when the date/time is changed by command; maintains the trace dump trigger parameters in the Trace Device.
Performing Basic Configuration Tasks
  Fabric OS overview (p. 37)
  Fabric OS command line interface (p. 38)
  Password modification (p. 45)
  The switch Ethernet interface
For additional information about the commands used in the procedures, refer to the Fabric OS Command Reference.

Fabric OS command line interface

Fabric OS uses Role-Based Access Control (RBAC) to control access to all Fabric OS operations. Each feature is associated with an RBAC role, and you need to know which role is allowed to run a command, make modifications to the switch, or view the output of the command.
TABLE 4 Terminal port parameters (continued)

Flow control   None

• In a UNIX environment, enter the following string at the prompt:
      tip /dev/ttyb -9600
  If ttyb is already in use, use ttya instead and enter the following string at the prompt:
      tip /dev/ttya -9600

Telnet or SSH sessions

You can connect to the Fabric OS through a Telnet or SSH connection or by using a console session on the serial port. The switch must also be physically connected to the network. Telnet carries the login credentials and the entire session in cleartext; use SSH unless the management network is fully trusted.
Switches in the fabric that are not connected through the Ethernet port can be managed through switches that are using IP over Fibre Channel. The embedded port must have an assigned IP address.
3. Log off the switch's serial port.
4. From a management station, open a Telnet connection using the IP address of the switch to which you want to connect. The login prompt is displayed when the Telnet connection finds the switch in the network.
5. Enter the account ID at the login prompt.
TABLE 5 Help topic contents (continued)

routeHelp          Routing help information
trackChangesHelp   Track Changes help information
zoneHelp           Zoning help information

Viewing a history of command line entries

The CLI command history log file saves the last 512 commands from all users on a FIFO basis, and this log is persistent across reboots and firmware downloads. The command is also supported on standby CPs.
cliHistory --showuser username

The --showuser argument displays the command line history of the named user. This argument is available only to the Root, Admin, Factory, and SecurityAdmin RBAC roles.

Example of cliHistory command output showing username

    switch:root> clihistory --showuser admin
    CLI history
    Date & Time                 Message
    Thu Sep 27 10:14:41 2012    admin, 10.70.12.101, clihistory
    Thu Sep 27 10:14:48 2012    admin, 10.70.12.
    Thu Sep 27 10:15:00 2012
    (output truncated)
    Date & Time                 Message
    Wed May 23 03:39:37 2012    root, console, firmwaredownload

Using fosexec to run commands on remote switches or domains

The fosexec command allows you to run Fabric OS commands on remote switches or domains across the fabric. Both the local and remote switches must be configured to send and receive remote command execution. You do not need to log in to the remote switch locally.
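The CLI history above is the audit trail for who ran what on the switch, from where. The following is an added example (not Brocade code and not from this guide) that parses records in the layout the page shows, "<Date & Time>  <user>, <source>, <command>", where the source is a management IP address or "console", and flags the commands an auditor normally reviews first. The SENSITIVE review list and the SAMPLE lines are constructed for illustration; only the record layout comes from the page.

```python
"""Audit records from the Fabric OS CLI history (clihistory --showuser).

Added example for this page, not Brocade code. The record layout follows
the output shown on this page; SENSITIVE and SAMPLE are constructed.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample, following the output layout shown on this page.
SAMPLE = """\
CLI history
Date & Time                 Message
Thu Sep 27 10:14:41 2012    admin, 10.70.12.101, clihistory
Thu Sep 27 10:14:48 2012    admin, 10.70.12.101, ipaddrshow
Thu Sep 27 10:15:00 2012    admin, 10.70.12.101, ipaddrset -ipv4 -add -dhcp OFF
Wed May 23 03:39:37 2012    root, console, firmwaredownload
Wed May 23 03:41:02 2012    root, console, passwd admin
"""

# Commands that change credentials, firmware, configuration or reachability
# (assumed review list for this example; adjust to local policy).
SENSITIVE = {"firmwaredownload", "passwd", "ipaddrset", "configdownload",
             "userconfig", "secpolicyactivate", "switchdisable"}

RECORD_RE = re.compile(
    r"^(?P<when>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+"
    r"(?P<user>[^,]+),\s*(?P<source>[^,]+),\s*(?P<command>.+)$"
)


@dataclass(frozen=True)
class HistoryEntry:
    when: datetime
    user: str
    source: str      # management IP address, or "console"
    command: str     # full command line as typed

    @property
    def verb(self) -> str:
        """Command name, lower-cased (Fabric OS command names are case-insensitive)."""
        return self.command.split()[0].lower()

    @property
    def from_console(self) -> bool:
        return self.source == "console"


def parse_history(text: str) -> list[HistoryEntry]:
    """Parse clihistory output; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(" ".join(m["when"].split()),
                                 "%a %b %d %H:%M:%S %Y")
        entries.append(HistoryEntry(when, m["user"].strip(),
                                    m["source"].strip(), m["command"].strip()))
    return entries


def flag_sensitive(entries: list[HistoryEntry]) -> list[HistoryEntry]:
    """Entries whose command is on the review list, in log order."""
    return [e for e in entries if e.verb in SENSITIVE]


def sources_by_user(entries: list[HistoryEntry]) -> dict[str, Counter]:
    """Where each account logged in from. A new source for a privileged
    account is the kind of change worth a second look."""
    out: dict[str, Counter] = {}
    for e in entries:
        out.setdefault(e.user, Counter())[e.source] += 1
    return out


if __name__ == "__main__":
    for e in flag_sensitive(parse_history(SAMPLE)):
        print(f"{e.when:%Y-%m-%d %H:%M:%S}  {e.user:<8} {e.source:<14} {e.command}")
```

Because the history is a 512-entry FIFO shared by all users, pull it into a collector regularly; once it wraps, the record of a firmwaredownload or passwd run from the console is gone.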
Performing Basic Configuration Tasks • Commands that take longer time to execute are not supported. The timeout period is 15 seconds. • Returns only a maximum of 64 kilobytes of data from the remote switch. Any extra data gets truncated. • Not supported on FIPS and Access Gateway modes. • When you run supportSave through fosexec, wait for the execution to complete. To know whether the execution is completed, refer to the RASLOG [SS-1000] on all or the specific domain where fosexec is being run.
Password modification

The switch automatically prompts you to change the default account passwords after you log in for the first time. If you do not change the passwords, the switch prompts you after each subsequent login until all the default passwords have been changed.

NOTE The default account passwords can be changed from their original values only when prompted immediately following the login; the passwords cannot be changed using the passwd command later in the session.
The switch Ethernet interface

The Ethernet (network) interface provides management access, including direct access to the Fabric OS CLI, and allows other tools, such as Web Tools, to interact with the switch. You can use either Dynamic Host Configuration Protocol (DHCP) or static IP addresses for the Ethernet network interface configuration.
Management Ethernet port bonding

The two external Ethernet ports of a CP8 blade can be bonded together as a single logical network interface. This configuration uses an active-standby failover model to provide automatic failover support for the primary Ethernet port on the blade. If the primary Ethernet port fails (due to something other than power loss), the second Ethernet port immediately takes over to ensure that link layer communication is retained.
Displaying the network interface settings

If an IP address has not been assigned to the network interface (Ethernet), you must connect to the Fabric OS CLI using a console session on the serial port. For more information, see Console sessions using the serial port on page 38. Otherwise, connect using SSH.
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the ipAddrShow command.
Setting the static addresses for the Ethernet network interface

If you choose to use neither DHCP nor a static IP address for the switch Ethernet interface, enter "none" or "0.0.0.0" in the Ethernet IP address field. On an application blade, configure the two external Ethernet interfaces on two different subnets. If two subnets are not available, configure one of the interfaces and leave the other unconfigured.
3. Enter the network information in dotted-decimal notation for the Ethernet IPv4 address, or in colon-separated hexadecimal notation for IPv6.
4. Enter the Ethernet subnet mask at the prompt.

DHCP activation

Some Brocade switches have DHCP enabled by default. Fabric OS support for DHCP functionality is provided only for Brocade fixed-port switches. These are listed in Supported hardware and software.

NOTE The Brocade DCX and Brocade DCX-4S Backbones do not support DHCP.
3. If already set up, you can skip the Ethernet IP address, Ethernet subnet mask, Fibre Channel IP address, and Fibre Channel subnet mask prompts by pressing Enter. Otherwise, enter the network information in dotted-decimal notation for the IPv4 address.
4. Enable DHCP by entering on.
5. You can confirm that the change has been made using the ipAddrShow command.

Example of enabling DHCP for IPv4 interactively:

    switch:admin> ipaddrset
    Ethernet IP Address [10.1.2.
    DHCP [On]:off

Example of disabling DHCP for IPv4 using a single command:

    switch:admin> ipaddrset -ipv4 -add -dhcp OFF
    switch:admin> ipaddrshow
    SWITCH
    Ethernet IP Address: 10.20.134.219
    Ethernet Subnetmask: 255.255.240.0
    Gateway IP Address: 10.20.128.1
    DHCP: Off

IPv6 autoconfiguration

IPv6 can assign multiple IP addresses to each network interface.
Date and time settings

Switches maintain the current date and time inside a battery-backed real-time clock (RTC) circuit that receives the date and time from the fabric's principal switch. Date and time are used for logging events. Switch operation does not depend on the date and time; a switch with an incorrect date and time value functions properly. However, because the date and time are used for logging, error detection, and troubleshooting, you must set them correctly: log and CLI history entries from different switches can be correlated only if their clocks agree.
• Display all of the time zones supported in the firmware.
• Set the time zone based on a country and city combination or based on a time zone ID, such as PST.

The time zone setting has the following characteristics:
• Users can view the time zone settings. However, only those with administrative permissions can set the time zone.
• The setting automatically adjusts for Daylight Saving Time.
4. Select a country location at the prompt.
5. Enter the appropriate number at the prompt to specify the time zone region, or press Ctrl-D to quit.

Network time protocol

To keep the time in your SAN current, synchronize the local time of the principal or primary FCS switch with at least one external Network Time Protocol (NTP) server. The principal or primary FCS switch connects to the NTP server and broadcasts time service updates to all switches in the fabric.
Example of displaying the NTP server

    switch:admin> tsclockserver
    10.1.2.3

Example of setting up more than one NTP server using a DNS name

    switch:admin> tsclockserver "10.1.2.4;10.1.2.5;ntp.localdomain.net"
    Updating Clock Server configuration...done.
    Updated with the NTP servers

Changes to the clock server value on the principal or primary FCS switch are propagated to all switches in the fabric.
      6: fffc06 10:00:00:05:1e:34:02:3e 10.3.220.6   0.0.0.0   >"ras006"
      7: fffc07 10:00:00:05:1e:34:02:0c 10.3.220.7   0.0.0.0    "ras007"
    (output truncated)
    The Fabric has 26 switches

The following table describes the fabricShow fields.

TABLE 6 fabricShow fields

Switch ID   The switch domain_ID and embedded port D_ID.
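The fabricShow listing above is the first thing to check when a switch joins a fabric unexpectedly or a domain ID conflict is suspected. The following is an added example (not Brocade code and not from this guide) that parses rows in the layout shown above, "<domain>: <embedded port D_ID> <WWN> <Enet IP> <FC IP> <name>", and runs the consistency checks an operator wants before trusting the listing: the embedded port D_ID must be fffc followed by the domain ID, domain IDs must lie in the Fibre Channel range 1 to 239 and be unique, switch WWNs must be unique, and exactly one switch must be principal. It relies on the fabricShow convention that the principal switch's name is prefixed with ">" (visible in the sample above, though the page does not spell it out). The column header line and the SAMPLE rows are constructed for illustration.

```python
"""Parse fabricShow output and sanity-check fabric membership.

Added example for this page, not Brocade code. Row layout follows the
fabricShow output shown on this page; header and SAMPLE rows are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE = """\
Switch ID   Worldwide Name           Enet IP Addr    FC IP Addr      Name
-------------------------------------------------------------------------
  1: fffc01 10:00:00:05:1e:34:02:aa 10.3.220.1      0.0.0.0         "ras001"
  6: fffc06 10:00:00:05:1e:34:02:3e 10.3.220.6      0.0.0.0        >"ras006"
  7: fffc07 10:00:00:05:1e:34:02:0c 10.3.220.7      0.0.0.0         "ras007"

The Fabric has 3 switches
"""

ROW_RE = re.compile(
    r'^\s*(?P<domain>\d{1,3}):\s+(?P<did>[0-9a-fA-F]{6})\s+'
    r'(?P<wwn>(?:[0-9a-fA-F]{2}:){7}[0-9a-fA-F]{2})\s+'
    r'(?P<enet>\S+)\s+(?P<fcip>\S+)\s+(?P<principal>>?)"(?P<name>[^"]*)"'
)
COUNT_RE = re.compile(r"The Fabric has (\d+) switches")


@dataclass(frozen=True)
class FabricSwitch:
    domain: int
    embedded_did: int   # D_ID of the embedded port: fffcXX, XX = domain ID
    wwn: str
    enet_ip: str
    fc_ip: str
    name: str
    principal: bool     # ">" before the name marks the principal switch


def parse_fabricshow(text: str) -> list[FabricSwitch]:
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(FabricSwitch(int(m["domain"]), int(m["did"], 16),
                                     m["wwn"].lower(), m["enet"], m["fcip"],
                                     m["name"], m["principal"] == ">"))
    return rows


def principal_switch(switches: list[FabricSwitch]) -> FabricSwitch | None:
    found = [s for s in switches if s.principal]
    return found[0] if len(found) == 1 else None


def check_fabric(text: str) -> list[str]:
    """Consistency findings; an empty list means the listing is self-consistent."""
    switches = parse_fabricshow(text)
    findings = []
    for s in switches:
        if s.embedded_did != (0xFFFC00 | s.domain):
            findings.append(f"domain {s.domain}: embedded port D_ID "
                            f"{s.embedded_did:06x} does not match fffc{s.domain:02x}")
        if not 1 <= s.domain <= 239:
            findings.append(f"domain {s.domain}: outside the valid domain ID range 1-239")
    seen_wwn: dict[str, int] = {}
    for s in switches:
        if s.wwn in seen_wwn:
            findings.append(f"WWN {s.wwn} listed for domains {seen_wwn[s.wwn]} and {s.domain}")
        seen_wwn.setdefault(s.wwn, s.domain)
    domains = [s.domain for s in switches]
    if len(set(domains)) != len(domains):
        findings.append("duplicate domain IDs in listing")
    principals = sum(s.principal for s in switches)
    if principals != 1:
        findings.append(f"expected exactly one principal switch, found {principals}")
    m = COUNT_RE.search(text)
    if m and int(m.group(1)) != len(switches):
        findings.append(f"summary says {m.group(1)} switches but {len(switches)} rows parsed")
    return findings


if __name__ == "__main__":
    for s in parse_fabricshow(SAMPLE):
        print(f"{'*' if s.principal else ' '} {s.domain:3d} {s.wwn} {s.name}")
    print(check_fabric(SAMPLE) or "fabric listing is consistent")
```

A row-count mismatch between the summary line and the parsed rows usually means the output was truncated; rerun fabricShow with a larger terminal buffer before drawing conclusions.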
• Switch names can be from 1 through 30 characters long.
• All switch names must begin with a letter, and can contain letters, numbers, or the underscore character.
• Switch names must be unique across logical switches.
• Changing the switch name causes a domain address format RSCN to be issued and may be disruptive to the fabric.

Customizing the switch name

1. Connect to the switch and log in using an account assigned to the admin role.
2.
• Each name must be unique for each logical switch within a chassis; duplicate fabric names are not allowed.
• A fabric name can be from 1 through 128 alphanumeric characters.
• All switches in a logical fabric must be running Fabric OS v7.2.0. Switches running earlier versions of the firmware can co-exist in the fabric, but do not show the fabric name details.
• You must have admin permissions to configure the fabric name.
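Because a switch name change issues an RSCN and can disrupt the fabric, it is worth rejecting an invalid name before it is pushed to the switch rather than after. The following is an added example (not Brocade code and not from this guide) that encodes the switch-name and fabric-name rules listed above, plus the uniqueness rules across the logical switches of a chassis, as checks a provisioning script can run first. The function names and the sample chassis layout (a dict of FID to names) are assumptions for this example.

```python
"""Validate switch and fabric names against the rules on this page.

Added example for this page, not Brocade code. Sample names and the
FID-to-names mapping are constructed.
"""
from __future__ import annotations

import re

SWITCH_NAME_CHARS = re.compile(r"[A-Za-z0-9_]*")   # letters, digits, underscore
FABRIC_NAME_CHARS = re.compile(r"[A-Za-z0-9]*")    # alphanumeric only


def switch_name_problems(name: str) -> list[str]:
    """Switch name: 1-30 characters, begins with a letter, [A-Za-z0-9_] only."""
    problems = []
    if not 1 <= len(name) <= 30:
        problems.append(f"{name!r}: length {len(name)} is not within 1 to 30 characters")
    if name and not re.match(r"[A-Za-z]", name[0]):
        problems.append(f"{name!r}: must begin with a letter")
    if name and not SWITCH_NAME_CHARS.fullmatch(name):
        problems.append(f"{name!r}: only letters, digits and underscore are allowed")
    return problems


def fabric_name_problems(name: str) -> list[str]:
    """Fabric name: 1-128 alphanumeric characters."""
    problems = []
    if not 1 <= len(name) <= 128:
        problems.append(f"{name!r}: length {len(name)} is not within 1 to 128 characters")
    if name and not FABRIC_NAME_CHARS.fullmatch(name):
        problems.append(f"{name!r}: only letters and digits are allowed in a fabric name")
    return problems


def check_chassis_names(logical_switches: dict[int, tuple[str, str]]) -> list[str]:
    """logical_switches maps FID -> (switch name, fabric name).

    Every name must be valid, switch names must be unique across logical
    switches, and fabric names must be unique per logical switch in the chassis.
    """
    problems: list[str] = []
    seen_switch: dict[str, int] = {}
    seen_fabric: dict[str, int] = {}
    for fid, (sw_name, fab_name) in logical_switches.items():
        problems += switch_name_problems(sw_name)
        problems += fabric_name_problems(fab_name)
        if sw_name in seen_switch:
            problems.append(f"switch name {sw_name!r} used by FID {seen_switch[sw_name]} and FID {fid}")
        if fab_name in seen_fabric:
            problems.append(f"fabric name {fab_name!r} used by FID {seen_fabric[fab_name]} and FID {fid}")
        seen_switch.setdefault(sw_name, fid)
        seen_fabric.setdefault(fab_name, fid)
    return problems


if __name__ == "__main__":
    # Constructed chassis layout: default switch FID 128 plus one logical switch.
    planned = {128: ("core_sw01", "ProdFabricA"), 10: ("edge-sw01", "ProdFabricA")}
    for p in check_chassis_names(planned) or ["all names valid and unique"]:
        print(p)
```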
TABLE 7 Ports affected when you enable or disable a switch in VF or non-VF mode (continued)

Operation         Virtual Fabrics enabled                   Virtual Fabrics not enabled
Enable chassis    Enables all ports on physical chassis     Not allowed
Disable switch    Disables all ports on logical switch      Disables all ports on physical chassis
Disable chassis   Disables all ports on physical chassis    Not allowed

Disabling a switch

You must disable a switch before making configuration changes or before running offl
All Fibre Channel ports on all logical switches are taken offline. If the logical switches are in fabrics, the fabrics are reconfigured.

NOTE After a chassisDisable, if you want to do an haFailover, wait at least 30 seconds.

Enabling a chassis

Enabling a chassis enables all Fibre Channel ports on all logical switches in the chassis. The chassis is enabled by default after it is powered on and the switch initialization routines have finished.
Powering off a Brocade Backbone

Use the following procedure to power off a Brocade Backbone device:
1. From the active CP in a dual-CP platform, enter the sysShutdown command.
   NOTE When the sysShutdown command is issued on the active CP, the active CP, the standby CP, and any application blades are all shut down.
2. Enter y at the prompt.
3.
• 10 km at 1 Gbps
• 5 km at 2 Gbps
• 2.5 km at 4 Gbps
• 1 km at 8 Gbps
• 1 km at 10 Gbps
• 1 km at 16 Gbps

For more information on extended ISL modes, which enable long-distance inter-switch links, refer to Managing Long-Distance Fabrics on page 527.
Performing Advanced Configuration Tasks
  Port identifiers (PIDs) and PID binding overview (p. 65)
  Ports (p. 69)
  Blade terminology and compatibility (p. 78)
  Enabling and disabling blades
• 0f is the domain ID.
• 1e is the area ID.
• 00 is the assigned AL_PA.

From this information you can determine, from the domain ID, which switch the device resides on; from the area ID, which port the device is attached to; and from the AL_PA, whether the device is part of a loop.

Fixed addressing mode

With fixed addressing mode, each port has a fixed address assigned by the system based on the port number.
There are two types of area assignment modes with 256-area addressing: zero-based and port-based.

ATTENTION On default logical switches with an address mode other than mode 1, any 48-port and 64-port blades are disabled if FICON Management Server (FMS) is enabled. Refer to the FICON Administrator's Guide for more details if needed.
ATTENTION When WWN-based PID assignment is enabled, the area assignment is dynamic and does not guarantee any order in the presence of static WWN-area binding or when devices are moved around.

PID assignments are supported for a maximum of 4096 devices; this includes both point-to-point and NPIV devices. The number of point-to-point devices supported depends on the areas available.
    System services (yes, y, no, n): [no]
    ssl attributes (yes, y, no, n): [no]
    rpcd attributes (yes, y, no, n): [no]
    cfgload attributes (yes, y, no, n): [no]
    webtools attributes (yes, y, no, n): [no]
    Custom attributes (yes, y, no, n): [no]
    system attributes (yes, y, no, n): [no]

Assigning a static PID

Use the following procedure to assign a static PID.
1. Connect to the switch and log in using an account with admin permissions.
2.
  Fibre Channel standards as other E_Ports. However, the router terminates EX_Ports rather than allowing different fabrics to merge, as would happen on a switch with regular E_Ports. An EX_Port cannot be connected to another EX_Port.
• F_Port -- A fabric port that is assigned to fabric-capable devices, such as SAN storage devices.
• G_Port -- A generic port that acts as a transition port for non-loop fabric-capable devices.
When you have port blades with different port counts in the same Backbone (for example, 16-port blades and 32-port blades, or 16-port blades and 18-port blades with 16 FC ports and 2 GbE ports, or 16-port and 48-port blades), the area IDs no longer match the port numbers. Table 9 on page 78 lists the port numbering schemes for the blades.

Setting port names

Perform the following steps to specify a port name. For Backbones, specify the slot number where the blade is installed.
1.
A number of fabric-wide databases supported by Fabric OS (including ZoneDB, the DCC ACL policy, and Admin Domains) allow a port to be designated using "D,P" (domain,port) notation. Although the "P" component appears to be the port number, for up to 255 ports it is actually the area assigned to that port.

NOTE The port area schema does not apply to the Brocade DCX-4S and DCX 8510-4 Backbones.
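The PID layout described in this chapter (domain, area, AL_PA, one byte each) and the "D,P" designation used by zoning and the DCC policy are easy to get wrong by hand, for instance when an area no longer matches a port number. The following is an added example (not Brocade code and not from this guide) that decodes and encodes 24-bit PIDs, derives the "D,P" string from a PID, checks the domain ID against the Fibre Channel range 1 to 239, and tells whether two PIDs belong to the same area (the same physical port, as is the case for NPIV logins, which differ only in the low byte; that detail is standard Fibre Channel behaviour rather than something this page states). It assumes fixed addressing as described above, where for up to 256 ports the area equals the port number. Sample PIDs are constructed.

```python
"""Decode Fibre Channel PIDs (domain, area, AL_PA) and derive "D,P" notation.

Added example for this page, not Brocade code. Assumes the fixed addressing
layout described in this chapter; sample PIDs are constructed.
"""
from __future__ import annotations


def _to_int(pid: int | str) -> int:
    """Accept an int, a bare hex string such as "0f1e00", or "0x0f1e00"."""
    value = int(pid, 16) if isinstance(pid, str) else int(pid)
    if not 0 <= value <= 0xFFFFFF:
        raise ValueError(f"PID {pid!r} is not a 24-bit value")
    return value


def decode_pid(pid: int | str) -> tuple[int, int, int]:
    """Return (domain, area, al_pa) for a PID; rejects invalid domain IDs."""
    value = _to_int(pid)
    domain, area, al_pa = value >> 16, (value >> 8) & 0xFF, value & 0xFF
    if not 1 <= domain <= 239:          # valid Fibre Channel domain ID range
        raise ValueError(f"domain ID {domain} is outside the valid range 1-239")
    return domain, area, al_pa


def encode_pid(domain: int, area: int, al_pa: int = 0) -> int:
    """Build a PID from its three bytes; AL_PA 0 means a point-to-point N_Port."""
    for label, v in (("area", area), ("AL_PA", al_pa)):
        if not 0 <= v <= 0xFF:
            raise ValueError(f"{label} {v} does not fit in one byte")
    if not 1 <= domain <= 239:
        raise ValueError(f"domain ID {domain} is outside the valid range 1-239")
    return (domain << 16) | (area << 8) | al_pa


def dp_notation(pid: int | str) -> str:
    """The "D,P" designation: domain and area (not necessarily the port number)."""
    domain, area, _ = decode_pid(pid)
    return f"{domain},{area}"


def is_loop_device(pid: int | str) -> bool:
    """Non-zero AL_PA: device is on a loop behind that area (or is an NPIV
    virtual port sharing the area); zero: a point-to-point N_Port."""
    return decode_pid(pid)[2] != 0


def same_area(pid_a: int | str, pid_b: int | str) -> bool:
    """True when both PIDs share domain and area, i.e. the same "D,P"."""
    return decode_pid(pid_a)[:2] == decode_pid(pid_b)[:2]


if __name__ == "__main__":
    for sample in ("0f1e00", "0f1e01", "a10b3f"):
        d, a, p = decode_pid(sample)
        print(f"{sample}: domain {d}, area {a}, AL_PA {p:#04x}, D,P = {dp_notation(sample)}")
```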
• Shared area ports cannot be swapped.
• Ports that are part of a trunk group cannot be swapped.
• GbE ports cannot be swapped.
• Ports on a faulty blade cannot be swapped.
• Swapping ports between different logical switches is not supported. The ports on the source and destination blades must be in the same logical switch.
• The portSwap command is not supported for ports above 256.
• Port swapping is not supported when TI Zoning is in use.
Disabling a port Disabling a port CAUTION If you disable the last E_Port or ISL connecting the switch to the fabric, the fabric reconfigures, the switch segments from the fabric, and all traffic flowing between the switch and the fabric is lost. 1. Connect to the switch and log in using an account with admin permissions. 2.
Setting network interface modes The following restrictions apply to port decommissioning: • The local switch and the remote switch on the other end of the E_Port must both be running Fabric OS 7.0.0 or later. • Port decommissioning is not supported on ports with DWDM, CWDM, or TDM. • Port decommissioning requires that the lossless feature is enabled on both the local switch and the remote switch. Use the portDecom command to begin the decommission process.
Setting port speeds Example of setting the port mode to full autonegotiate The following example sets the mode for eth3 to autonegotiate, and permits both full and half duplex modes to be selected at both 10 and 100 Mbps. Note that the caution shown in this example is not displayed when the command is entered using the serial console port. switch:admin> ifmodeset eth3 Exercise care when using this command.
Setting port speed for a port octet The following example sets the speed for all ports on the switch to 8 Gbps: switch:admin> switchcfgspeed 8 Committing configuration...done. The following example sets the speed for all ports on the switch to autonegotiate: switch:admin> switchcfgspeed 0 Committing configuration...done. Setting port speed for a port octet You can use the portCfgOctetSpeedCombo command to configure the speed for all ports in an octet.
Blade terminology and compatibility

Before configuring a chassis, familiarize yourself with the platform CP blade and port blade nomenclature, as well as the port blade compatibilities.

TABLE 8 Core and CP blade terminology and platform support
Blade | Blade ID (slotshow) | Supported on DCX family | Supported on DCX 8510 family | Definition
CP8 | 50 | Yes | Yes | Brocade DCX and DCX 8510 Backbone family control processor blade.

Performing Advanced Configuration Tasks

TABLE 9 Port blade terminology, numbering, and platform support (Continued)
Blade | Blade ID (slotshow) | Supported on DCX family | Supported on DCX 8510 family | Ports | Definition
FC8-32 | 55 | Yes | No | 32 | 8-Gbps port blade supporting 1, 2, 4, and 8 Gbps port speeds. Ports are numbered from 0 through 15 from bottom to top on the left set of ports and 16 through 31 from bottom to top on the right set of ports.

TABLE 9 Port blade terminology, numbering, and platform support (Continued)
Blade | Blade ID (slotshow) | Supported on DCX family | Supported on DCX 8510 family | Ports | Definition
FC8-64 | 77 | Yes | Yes | 64 | 8-Gbps port blade supporting 2, 4, and 8 Gbps port speeds. The Brocade DCX and Brocade DCX 8510 Backbone families support loop devices on 64-port blades in a Virtual Fabrics-enabled environment.

TABLE 9 Port blade terminology, numbering, and platform support (Continued)
Blade | Blade ID (slotshow) | Supported on DCX family | Supported on DCX 8510 family | Ports | Definition
FS8-18 | 68 | Yes | Yes | 16 FC, 2 1000BaseT Ethernet | Brocade Encryption blade that provides high performance 16-port auto-sensing 8Gbps Fibre Channel connectivity with data cryptographic (encryption and decryption) and data compression capabilities. FC ports are numbered from 0 through 15 from bottom to top.
The CP blades in the Brocade DCX and DCX 8510 Backbone families are hot-swappable. The CP8 blades are fully interchangeable among Brocade DCX, DCX-4S, DCX 8510-4, and DCX 8510-8 Backbones. Brocade recommends that each CP (primary and secondary partition) should maintain the same firmware version.

Core blades

Core blades provide intra-chassis switching and inter-chassis link (ICL) connectivity between DCX/DCX-4S platforms and between DCX 8510 platforms.

detected first, then any subsequently-detected FCOE10-24 blades are faulted. Blades are powered up starting with slot 1. In the Brocade DCX 8510-4, if an FCOE10-24 blade is detected, it is faulted under any circumstance.

FX8-24 compatibility

Follow these guidelines when using an FX8-24 in the Brocade DCX and DCX-4S Backbones:
• Brocade 7500 GbE ports cannot be connected to either the FX8-24 or Brocade 7800 GbE ports.

1. Connect to the switch and log in using an account with admin permissions.
2. Enter the bladeDisable command with the slot number of the port blade you want to disable.

ecp:admin> bladedisable 3
Slot 3 is being disabled

Blade swapping

Blade swapping allows you to swap one blade with another of the same type; in this way, you can replace a FRU with minimal traffic disruption. The entire operation is accomplished when the bladeSwap command runs on the Fabric OS.

FIGURE 2 Identifying the blades

2. Blade validation
The validation process includes determining the compatibility between the blades selected for the swap operation:
• Blade technology. Both blades must be of compatible technology types (for example, Fibre Channel to Fibre Channel, Ethernet to Ethernet, application to application, and so on).
• Port count.

FIGURE 3 Blade swap with Virtual Fabrics during the swap

4. Port swapping
The swap ports action is an iteration of the portSwap command for each port on the source blade to each corresponding port on the destination blade. As shown in the following figure, the blades can be divided into different logical switches as long as they are divided the same way. If slot 1 and slot 2 ports 0 through 7 are all in the same logical switch, then blade swapping slot 1 to slot 2 will work.

If no errors are encountered, the blade swap will complete successfully. If errors are encountered, the command is interrupted and the ports are set back to their original configurations.
3. Once the command completes successfully, move the cables from the source blade to the destination blade.
4. Enter the bladeEnable command on the destination blade to enable all user ports.

Disabling switches

Switches are enabled by default.

1. Connect to the switch and log in using an account with admin permissions.
2. Enter the slotPowerOff command with the slot number of the port blade or core blade you want to power off.

ecp:admin> slotpoweroff 3
Slot 3 is being powered off

Powering on a port blade or core blade

All blades are powered on by default when the switch chassis is powered on.
1. Connect to the switch and log in using an account with admin permissions.
2.
Start Time: 17:55:33 UTC Fri Jan 03 2014
Previous Active Session:
Active Slot = CP1, Expected Recovered
Standby Slot = CP0
Start Time: 17:49:46 UTC Fri Jan 03 2014
End Time: 17:54:10 UTC Fri Jan 03 2014
System Uptime: 17:42:11 UTC Fri Jan 03 2014

5. Enter the fanShow command to display the current status and speed of each fan in the system. Refer to the hardware reference manual of your system to determine the appropriate values.
6.

611600 620800 621026 621036 6210e4 6210e8 6210ef 621400 621500 621700 621a00
75 Nx_Ports in the Fabric }

The number of devices listed should reflect the number of devices that are connected.

The current switch status policy parameter values are displayed. You are prompted to enter values for each DOWN and MARGINAL threshold parameter.

NOTE
By setting the DOWN and MARGINAL values for a parameter to 0, that parameter is no longer used in setting the overall status for the switch.

3. Verify the threshold settings you have configured for each parameter. Enter the switchStatusPolicyShow command to view your current switch status policy configuration.

Auditable events are generated by the switch and streamed to an external host through a configured system message log daemon (syslog). You specify a filter on the output to select the event classes that are sent through the system message log. The filtered events are streamed chronologically and sent to the system message log on an external host in the specified audit message format.

1. Set up an external host machine with a system message log daemon running to receive the audit events that will be generated.
2. On the switch where the audit configuration is enabled, enter the syslogdIpAdd command to add the IP address of the host machine so that it can receive the audit events. You can use IPv4, IPv6, or DNS names for the syslogdIpAdd command.
3.
You can configure how duplicate PWWNs are handled by selecting an option in the Enforce FLOGI/FDISC login prompt of the configure command:
• Setting 0: First login takes precedence over second login (default behavior).
• Setting 1: Second login overrides first login.
• Setting 2: The port type determines whether the first or second login takes precedence.

Setting 0, First login precedence

When setting 0 is selected, the first login takes precedence over the second.

TABLE 13 Duplicate PWWN behavior: Port type determines which login takes precedence
Input port | First port login is NPIV port
FLOGI received | New login forces an explicit logout of original FDISC on the previous NPIV port. If Base Device Logout is enabled on the NPIV port, only the base device is logged out and the remaining NPIV devices stay logged in.
FDISC received | New FDISC forces an explicit logout of original FDISC on the previous NPIV port.

FEC Limitations

The following considerations apply to FEC:
• FEC is supported on E_Ports on 16 Gbps-capable switches.
• FEC is supported on the N_Ports and F_Ports of an Access Gateway using RDY, Normal (R_RDY), or Virtual Channel (VC_RDY) flow control modes.
• FEC is supported on F_Ports on a switch if the device attached supports FEC.
• FEC is enabled by default.
• FEC enables automatically when negotiation with a switch detects FEC capability.
• FEC persists after driver reloads and system reboots.

Enabling FEC on a single port

switch:admin> portcfgfec --enable -FEC 1
Warning : FEC changes will be disruptive to the traffic
FEC has been enabled.
switch:admin> portcfgfec --show 1
Port: 1
FEC Capable: YES
FEC Configured: ON
FEC via TTS Configured: OFF
FEC State: active

Disabling forward error correction

Use the following procedure to disable FEC.

ATTENTION
Disabling FEC is disruptive to traffic.

1.
Routing Traffic

● Routing overview .......... 99
● Inter-switch links .......... 101
● Gateway links .......... 104
● Routing policies ..........

FSPF

Fabric Shortest Path First (FSPF) is a link state path selection protocol that directs traffic along the shortest path between the source and destination based upon the link cost. FSPF is also referred to as Layer 2 routing. FSPF detects link failures, determines the shortest route for traffic, updates the routing table, provides fixed routing paths within a fabric, and maintains correct ordering of frames.

FSPF guarantees a routing loop-free topology at all times. It is essential for a fabric to include many physical loops because, without loops, there would not be multiple paths between switches, and consequently no redundancy. Without redundancy, if a link goes down, part of the fabric is isolated. FSPF ensures both that the topology is loop-free and that a frame is never forwarded over the same ISL more than once. FSPF calculates paths based on the destination domain ID.

FIGURE 6 New switch added to existing fabric

When connecting two switches together, Brocade recommends the best practice that the following parameters are differentiated:
• Domain ID
• Switch name
• Chassis name
You must also verify the following fabric parameters are identical on each switch for a fabric to merge:
• R_A_TOV (Resource Allocation TimeOut Value)
• E_D_TOV (Error Detect TimeOut Value)
• Data Field Size
• Sequence Level Switching
• Disable Device Probing
• Suppress Class F T

destination switch before resuming I/O. The primitive is dependent on whether you have R_RDYs enabled on your switch using the portCfgISLMode command. When a device logs in to a fabric, it typically requests from two to sixteen buffer credits from the switch, depending on the device type, driver version, and configuration. This determines the maximum number of frames the port can transmit before receiving an acknowledgement from the receiving device.

FIGURE 7 Virtual channels on a QoS-enabled ISL

Gateway links

A gateway merges SANs into a single fabric by establishing point-to-point E_Port connectivity between two Fibre Channel switches that are separated by a network with a protocol such as IP or SONET. Except for link initialization, gateways are transparent to switches; the gateway simply provides E_Port connectivity from one switch to another. The following figure shows two separate SANs, A-1 and A-2, merged together using a gateway.

FIGURE 8 Gateway link merging SANs

By default, switch ports initialize links using the Exchange Link Parameters (ELP) mode 1. However, gateways expect initialization with ELP mode 2, also referred to as ISL R_RDY mode. Therefore, to enable two switches to link through a gateway, the ports on both switches must be set for ELP mode 2.
Routing policies

By default, all routing protocols place their routes into a routing table. You can control the routes that a protocol places into each table and the routes from that table that the protocol advertises by defining one or more routing policies and then applying them to the specific routing protocol.

Whatever routing policy a switch is using applies to the VE_Ports as well. For more information on VE_Ports, refer to the Fabric OS FCIP Administrator's Guide.

Exchange-based routing

The choice of routing path is based on the Source ID (SID), Destination ID (DID), and Fibre Channel originator exchange ID (OXID), optimizing path utilization for the best performance. Thus, every exchange can take a different path through the fabric.

Dynamic Load Sharing

The Fabric OS Dynamic Load Sharing (DLS) feature for dynamic routing path selection is required by the exchange-based and device-based routing policies. When using these policies, DLS is enabled by default and cannot be disabled. In other words, you cannot enable or disable DLS when the exchange-based routing policy is in effect. When the port-based policy is in force, you can enable DLS to optimize routing.

Frame order delivery

The order in which frames are delivered is maintained within a switch and determined by the routing policy in effect. The frame delivery behaviors for each routing policy are:
• Port-based routing
  All frames received on an incoming port destined for a destination domain are guaranteed to exit the switch in the same order in which they were received.

1. Connect to the switch and log in using an account with admin permissions.
2. Enter the iodReset command.

Enabling Frame Viewer

The Frame Viewer application allows you to view the contents of discarded frames, which can be recorded at up to 40 frames per second per ASIC. To enable Frame Viewer, complete the following steps.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter frameLog --enable -type type.
• Brocade 6505, 6510, 6520, DCX 8510-4 and DCX 8510-8 switches.
• Brocade CR16-4, CR16-8, FC8-32E, FC8-48E, FC16-32, FC16-48, FC16-64 blades.
If a chassis has any older blades, only the timeout frames will be captured for those blades.
To display information about discarded frames, complete the following steps. This assumes that the framelog application has previously been enabled.
1.

Lossless Dynamic Load Sharing on ports

Lossless Dynamic Load Sharing (DLS) allows you to rebalance port paths without causing input/output (I/O) failures. For devices where in-order delivery (IOD) of frames is required, you can set IOD separately.

3. If IOD is enabled, waits for sufficient time for frames already received to be transmitted. This is needed to maintain IOD.
4. Resumes traffic.
The following table shows the effect on frames when you have a specific routing policy turned on with IOD.

TABLE 14 Combinations of routing policy and IOD with Lossless DLS enabled
Policy | IOD | Rebalance result with Lossless DLS enabled
Port-based | Disabled | No frame loss, but out-of-order frames may occur.

an FX8-24 blade, or vice versa, experiences I/O disruption because the FA4-18 blades do not support this feature.

Configuring Lossless Dynamic Load Sharing

You configure Lossless DLS switch- or chassis-wide by using the dlsSet command to specify that no frames are dropped while rebalancing or rerouting traffic. Use the following procedure to configure Lossless Dynamic Load Sharing.
1. Connect to the switch and log in using an account with admin permissions.
2.

Frame Redirection

Frame Redirection provides a means to redirect traffic flow between a host and a target that use virtualization and encryption applications, such as the Brocade SAS blade and Brocade Data Migration Manager (DMM), so that those applications can perform without having to reconfigure the host and target. You can use this feature if the hosts and targets are not directly attached. Frame Redirection depends on the wide distribution of the Defined Zone Database.

1. Connect to the switch and log in using an account with admin permissions.
2. Enter the zone --rdcreate command.
3. Enter the cfgSave command to save the frame redirect zones to the defined configuration.
Buffer-to-Buffer Credits and Credit Recovery

● Buffer credit management .......... 117
● Buffer credit recovery .......... 129
● Credit loss ..........

be sent by the receiving link port to the sender. The rate of frame transmission is regulated by the receiving port, and is based on the availability of buffers to hold received frames. If Virtual Channel technology is in use, the VC_RDY or EXT_VC control word is used instead of the R_RDY control word to manage buffer credits. For Virtual Channels, the buffer credits are managed for each Virtual Channel, and not for the entire physical link.

Fibre Channel gigabit values reference definition

The following table shows the Fibre Channel gigabit values that you can use to calculate buffer requirements.

TABLE 15 Fibre Channel gigabit values
Gigabit value | Buffer requirements
1 Gbps | 1.0625
2 Gbps | 2.125
4 Gbps | 4.25
8 Gbps | 8.5
10 Gbps | 10.

TABLE 16 Fibre Channel data frames (Continued)
Fibre Channel frame fields | Field size | Final frame size
End of frame | 4 bytes | 32 bits
Total (number bits/frame) | 36-2,148 bytes | 288-7,184 bits

Allocating buffer credits based on full-sized frames

You can allocate buffer credits based on distance using the portCfgLongDistance command.

14 = The number of buffer credits reserved for QoS. This number is static.
Using 50 km as the desired distance of the switch-to-switch connection and 2 Gbps as the speed of the long-distance connection, insert the numbers into the appropriate formula. The formula should read as follows:
(50 km * 2 Gbps / 2) + 6 = 56 buffers, which is the number of buffers reserved for distance.

The average_payload_size in this equation uses 1024 bytes. If the real estimated distance is 100 km, the desired_distance is 207.
desired_distance = roundup [(100 * 2112) / 1024] = 207
When configuring the LS mode with the portCfgLongDistance command, enter a desired_distance value of 207 for an actual 100-km link connected to an 8-Gbps E_Port. This causes Fabric OS to allocate the correct number of buffer credits.
2.

NOTE
You cannot use the -buffers option with the -distance option or the -frameSize option.

switch:admin> portcfglongdistance 2/35 LS 1 -buffers 400
Reserved Buffers = 420

Configuring buffers using frame size

You can configure the number of buffers by using the -frameSize option of the portCfgLongDistance command along with the -distance option.

Note that in the sample commands provided in the following procedure, 12 buffers are configured for an F_Port.
To disable the port buffer configuration and return to the default buffer allocation, use the --disable option.

switch:admin> portcfgfportbuffers --disable 2/44

NOTE
The configured number of buffers for a given port is stored in the configuration database and is persistent across reboots.
TABLE 17 Total FC ports, ports per port group, and unreserved buffer credits per port group
Switch/blade model | Total FC ports (per switch/blade) | User port group size | Unreserved buffer credits per port group
300 | 24 | 24 | 484
5100 | 40 | 40 | 1692
5300 | 80 | 16 | 292
5410 | 12 | 12 | 580
5424 | 24 | 24 | 484
5431 | 16 | 16 | 548
5432 | 24 | 24 | 484
5450 | 26 | 26 | 468
5480 | 24 | 24 | 484
M6505 | 24 | 24 | 7904
6505 | 24 | 24 | 7904
6510 | 48 | 48 | 7712
6520 | 96 | 24 | 4736
6547

TABLE 17 Total FC ports, ports per port group, and unreserved buffer credits per port group (Continued)
Switch/blade model | Total FC ports (per switch/blade) | User port group size | Unreserved buffer credits per port group
FC16-32 | 32 | 16 | 5408
FC16-48 | 48 | 24 | 4960
FC16-64 | 64 | 32 | 4288
FS8-18 | 16 | 8 | 1604
FX8-24 | 12 | 12 | 1060

For the FC8-x port blades, the first number in the "Unreserved buffer credits per port group" column designates the number of

TABLE 18 Configurable distances for Extended Fabrics (Continued)
Maximum distances (km) that can be configured (assuming a 2112-byte frame size)
Switch/blade model | 2 Gbps | 4 Gbps | 8 Gbps | 10 Gbps | 16 Gbps
5480 | 486 | 243 | 121.

Estimated maximum equally distributed distance = 1-port maximum distance / Number of ports
For example, for three ports running at 2 Gbps on a Brocade 300 switch, the maximum equally distributed distance is calculated as 486 / 3 = 164 km.

Downgrade considerations

When Fabric OS firmware is downgraded from version 7.
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the portCfgEPortCredits --enable command to allocate credits to an E_Port. In the following example, 14 credits are allocated to each of the medium Virtual Channels (VCs) for non-QoS ports, and to both the medium and high VCs for QoS ports.

switch:admin> portcfgeportcredits --enable 12/6 14
Success

3.

Buffer credit recovery over an F_Port

Buffer credit recovery for F_Ports is supported for F_Port-to-N_Port links between a Brocade switch and Access Gateway, between a Brocade switch and an adapter, and between an Access Gateway and an adapter. For an F_Port on a Brocade switch connected to an Access Gateway, the following conditions must be met:
• Both devices must run Fabric OS v7.1 or later.
• Fabric OS must support buffer credit recovery at either end of the link.

The following example disables buffer credit recovery on port 1/20.

switch:admin> portcfgcreditrecovery 1/20 -disable

2. To enable buffer credit recovery on a port for which it has been disabled, perform the following steps.
a) Connect to the switch and log in using an account assigned to the admin role.
b) Enter the portCfgCreditRecovery command and include the enable option. The following example enables buffer credit recovery on port 1/20.

• Per-port polling to detect credit loss. If credit loss is detected using this method, the RASlog C3-1012 message is displayed and recorded.
• Per-VC credit loss detection. If single-credit loss is detected using this method, it will be automatically recovered and the RASlog C3-1023 message is displayed and recorded. If multi-credit loss is detected using this method, the RASlog C3-1013 message is displayed and recorded.
Managing User Accounts

● User accounts overview .......... 133
● Local database user accounts .......... 137
● Local user account database distribution .......... 140
● Password policies ..........

• Remote TACACS+ service: Users are managed in a remote TACACS+ server. All switches in the fabric can be configured to authenticate against the centralized remote database.
• Local user database: Users are managed by means of the local user database. The local user database is manually synchronized by means of the distribute command to push a copy of the switch's local user database to all other switches in the fabric running Fabric OS v5.3.

The default home domain for the predefined account is AD0. For user-defined accounts, the default home domain is the Admin Domain in the user's Admin Domain list with the lowest ID.

Role permissions

The following table describes the types of permissions that are assigned to roles.

TABLE 21 Maximum number of simultaneous sessions (Continued)
Role name | Maximum sessions
BasicSwitchAdmin | 4
FabricAdmin | 4
Operator | 4
SecurityAdmin | 4
SwitchAdmin | 4
User | 4
ZoneAdmin | 4

Managing user-defined roles

Fabric OS provides an extensive toolset for managing user-defined roles:
• The roleConfig command is available for defining new roles, deleting created roles, or viewing information about user-defined roles.

The roleConfig --show command is available to view the permissions assigned to a user-defined role. You can also use the classConfig --showroles command to see that the role was indeed added with Observe permission for the security commands.

TABLE 22 Default local user accounts
Account name | Role | Admin Domain | Logical Fabric | Description
admin | Admin | AD0-255 (home: 0) | LF1-128 (home: 128) | Most commands have Observe/Modify permission.
factory | Factory | AD0-255 (home: 0) | LF1-128 (home: 128) | Reserved.
root | Root | AD0-255 (home: 0) | LF1-128 (home: 128) | Reserved.
user | User | AD0 (home: 0) | LF1-128 (home: 128) | Most commands have observe-only permission.

1. Connect to the switch and log in using an account with admin permissions, or an account associated with a user-defined role with permissions for the UserManagement class of commands.
2. Enter the userConfig --delete command. You cannot delete the default accounts. An account cannot delete itself. All active CLI sessions for the deleted account are logged out.
3. At the prompt for confirmation, enter y.
Local user account database distribution

Fabric OS allows you to distribute the user database and passwords to other switches in the fabric. When the switch accepts a distributed user database, it replaces the local user database with the user database it receives. By default, switches accept the user databases and passwords distributed from other switches. The "Locked" status of a user account is not distributed as part of local user database distribution.

All password policies are enforced during logins to the standby CP. However, you may observe that the password enforcement behavior on the standby CP is inconsistent with prior login activity; this is because password state information from the active CP is automatically synchronized with the standby CP, thereby overwriting any password state information that was previously stored there. Also, password changes are not permitted on the standby CP.

allowed values is from 1 through 40. The default value is 1. When set to 1, sequential characters are not enforced.
• Reverse: Activates or deactivates the validation check to determine whether the password is an exact reverse string of the user name. This option is disabled by default.

Specifies the maximum number of days that can elapse before a password must be changed, and is also known as the password expiration period. MaxPasswordAge values range from 0 through 999. The default value is zero. Setting this parameter to zero disables password expiration.
• Warning: Specifies the number of days prior to password expiration that a warning about password expiration is displayed. Warning values range from 0 through 999. The default value is 0 days.

Specifies the time, in minutes, after which a previously locked account is automatically unlocked. LockoutDuration values range from 0 through 99999, and the default value is 30. Setting the value to 0 disables lockout duration, and requires a user to seek administrative action to unlock the account. The lockout duration begins with the first login attempt after the LockoutThreshold has been reached. Subsequent failed login attempts do not extend the lockout period.
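The following Python model, added here as an illustration and not Brocade code, reproduces the lockout semantics described above: the period starts with the first attempt made after LockoutThreshold is reached, later failed attempts do not extend it, and a LockoutDuration of 0 keeps the account locked until an administrator unlocks it. The threshold value, the minute-based clock and the function names are assumptions made for the example.

```python
"""Model of the Fabric OS account lockout policy described in the text.

Added example, not Brocade code. Assumptions: a LockoutThreshold of 3 in
the sample policy (the page gives no default for it), time expressed as
minutes, and the class/method names used here.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    lockout_threshold: int = 3       # assumed sample value
    lockout_duration_min: int = 30   # page default; 0 = manual unlock only


@dataclass
class Account:
    name: str
    failed_attempts: int = 0
    locked: bool = False
    # Set on the first attempt after the threshold was reached (see text).
    lockout_started_at: Optional[float] = None


class LoginGuard:
    """Tracks failed logins per account and applies the lockout policy."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, Account] = {}

    def _account(self, name: str) -> Account:
        return self.accounts.setdefault(name, Account(name))

    def attempt(self, name: str, password_ok: bool, now_min: float) -> str:
        """Process one login attempt at time now_min (minutes).

        Returns "ok", "denied" (wrong password, account not locked) or
        "locked" (attempt refused because the account is locked).
        """
        acct = self._account(name)
        pol = self.policy
        if acct.locked:
            if acct.lockout_started_at is None:
                # The lockout duration begins with the first login attempt
                # after LockoutThreshold has been reached, not at the failure
                # that reached it.
                acct.lockout_started_at = now_min
            elapsed = now_min - acct.lockout_started_at
            if pol.lockout_duration_min > 0 and elapsed >= pol.lockout_duration_min:
                # Automatic unlock after LockoutDuration minutes.
                self.admin_unlock(name)
            else:
                # Duration 0: stays locked until admin_unlock(). Otherwise a
                # further failed attempt does not extend the period.
                return "locked"
        if password_ok:
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= pol.lockout_threshold:
            acct.locked = True
        return "denied"

    def admin_unlock(self, name: str) -> None:
        """Administrative unlock, the only way out when LockoutDuration is 0."""
        acct = self._account(name)
        acct.locked = False
        acct.failed_attempts = 0
        acct.lockout_started_at = None


if __name__ == "__main__":
    guard = LoginGuard(LockoutPolicy(lockout_threshold=3, lockout_duration_min=30))
    for t, ok in ((0, False), (1, False), (2, False), (10, True), (35, False), (40, True)):
        print(t, guard.attempt("alice", ok, t))
```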
CAUTION
Setting the boot PROM password requires accessing the boot prompt, which stops traffic flow through the switch until the switch is rebooted. Perform this procedure during a planned downtime.

Setting the boot PROM password for a switch with a recovery string

This procedure applies to the fixed-port switch models.

3. Reboot the standby CP blade by sliding the On/Off switch on the ejector handle of the standby CP blade to Off, and then back to On.
4. Press Esc within four seconds after the message "Press escape within 4 seconds..." is displayed.
5. When prompted, enter 2 to select the recovery password option.
• If no password was previously set, the following message is displayed:
Recovery password is NOT set. Please set it now.

3. Press Esc within four seconds after the message "Press escape within 4 seconds..." is displayed.
4. When prompted, enter 3 to enter the command shell.
5. At the shell prompt, enter the passwd command. The passwd command only applies to the boot PROM password when it is entered from the boot interface.
6. Enter the boot PROM password at the prompt, and then re-enter it when prompted.

NOTE
To recover lost passwords, refer to the Fabric OS Troubleshooting and Diagnostics Guide.

Remote authentication

Fabric OS supports user authentication through the local user database or one of the following external authentication services:
• Remote authentication dial-in user service (RADIUS)
• Lightweight Directory Access Protocol (LDAP) using Microsoft Active Directory in Windows or OpenLDAP in Linux.
Switch configuration Switch configuration By default, the remote authentication services are disabled, so AAA services default to the switch’s local database. To enable remote authentication, it is strongly recommended that you access the CLI through an SSH connection so that the shared secret is protected. Multiple login sessions can configure simultaneously, and the last session to apply a change leaves its configuration in effect.
Command options
The following table outlines the aaaConfig command options used to set the authentication mode.
TABLE 24 Authentication configuration options
aaaConfig options | Description
--authspec "local" | Default setting. Authenticates management connections against the local database only. If the password does not match or the user is not defined, the login fails.
--authspec "radius" | Authenticates management connections against any RADIUS databases only.
Setting the switch authentication mode TABLE 24 Authentication configuration options (Continued) aaaConfig options Description --authspec "tacacs+; local" --backup Authenticates management connections against any TACACS+ databases first. If TACACS+ fails for any reason, it then authenticates against the local user database. The --backup option states to try the secondary authentication database only if the primary authentication database is not available.
Fabric OS users on the RADIUS server
TABLE 25 Syntax for VSA-based account roles (Continued)
Item | Value | Description
Vendor ID | 1588 | 4 octet, Brocade SMI Private Enterprise Code
Vendor type | 1 | 1 octet, Brocade-Auth-Role; valid attributes for the Brocade-Auth-Role are: Admin, BasicSwitchAdmin, FabricAdmin, Operator, SecurityAdmin, SwitchAdmin, User, ZoneAdmin
Vendor type | 2 | Optional: Specifies the Admin Domain or Virtual Fabric member list.
Linux FreeRADIUS server Windows 2000 VSA configuration Linux FreeRADIUS server For the configuration on a Linux FreeRADIUS server, define the values outlined in Table 26 in a vendor dictionary file called dictionary.brocade. TABLE 26 Entries in dictionary.
RADIUS configuration with Admin Domains or Virtual Fabrics RADIUS configuration with Admin Domains or Virtual Fabrics When configuring users with Admin Domains or Virtual Fabrics, you must also include the Admin Domain or Virtual Fabric member list. This section describes the way that you configure attribute types for this configuration.
Setting up a RADIUS server In the next example, on a Linux FreeRADIUS Server, the user has the "zoneAdmin" permissions, with VFlist 2, 4, 5, 6, 7, 8, 10, 11, 12, 13, 15, 17, 19, 22, 23, 24, 25, 29, 31 and HomeLF 1.
Creating the user
ATTRIBUTE Brocade-AVPairs4 5 string Brocade
ATTRIBUTE Brocade-Passwd-ExpiryDate 6 string Brocade
ATTRIBUTE Brocade-Passwd-WarnPeriod 7 string Brocade
This information defines the Brocade vendor ID as 1588, Brocade attribute 1 as Brocade-Auth-Role, Brocade attribute 6 as Brocade-Passwd-ExpiryDate, and Brocade attribute 7 as Brocade-Passwd-WarnPeriod. 2. Open the file $PREFIX/etc/raddb/dictionary in a text editor and add the line: $INCLUDE dictionary.
Configuring RADIUS server support with Windows 2000
secret = Secret
shortname = Testing Switch
nastype = other
In this example, shortname is an alias used to easily identify the client. Secret is the shared secret between the client and server. Make sure the shared secret matches that configured on the switch (refer to Adding an authentication server to the switch configuration on page 170). 2. Save the file $PREFIX/etc/raddb/client.
RSA RADIUS server secret password in a safe place. You will need to enter this password in the switch configuration.
b) After clicking Finish, add a new client for all switches on which RADIUS authentication will be used.
c) In the Internet Authentication Service window, right-click the Remote Access Policies folder, and then select New Remote Access Policy from the pop-up window.
d)
Managing User Accounts
ignore-ports = no
port-number-usage = per-port-type
help-id = 2000
b) Create a brocade.dct file that must be added into the dictiona.dcm file located in the following path: C:\Program Files\RSA Security\RSA RADIUS\Service
Example of a brocade.dct file
#######################################################################
# brocade.dct -- Brocade Dictionary
#
# (See readme.
LDAP configuration and Microsoft Active Directory
d) When selecting items from the Add Return List Attribute, select Brocade-Auth-Role and type the string Admin. The string you type equals the role on the switch.
e) Add the Brocade profile.
f) In RSA Authentication Manager, edit the user records that will be authenticated using RSA SecurID.
Creating a user 1. If your Windows Active Directory server for LDAP needs to be verified by the LDAP client (that is, the Brocade switch), then you must install a Certificate Authority (CA) certificate on the Windows Active Directory server for LDAP. Follow Microsoft instructions for generating and installing CA certificates on a Windows server. 2. Create a user in Microsoft Active Directory server. For instructions on how to create a user, refer to www.microsoft.
Adding attributes to the Active Directory schema ADSI is a Microsoft Windows Resource Utility. This utility must be installed to proceed with the rest of the setup. For Windows 2003, this utility comes with Service Pack 1 or you can download this utility from the Microsoft website. 2. Go to CN=Users. 3. Select Properties. Click the Attribute Editor tab. 4. Double-click the adminDescription attribute. The String Attribute Editor dialog box displays. NOTE The attribute can be added to user objects only. 5.
OpenLDAP server configuration overview Configuring Security Policies on page 209. When using OpenLDAP in non-FIPS mode, you must use the Common-Name for OpenLDAP authentication. User-Principal-Name is not supported in OpenLDAP. OpenLDAP 2.4.23 is supported. When a user is authenticated, the role of the user is obtained from the memberOf attribute, which determines group membership. This feature is supported in OpenLDAP through the memberOf overlay.
Adding entries to the directory
# Indices to maintain
index objectClass eq
overlay memberof
Adding entries to the directory To add entries in the OpenLDAP directory, perform the following steps. 1. Using a text editor of your choice, create a .ldif file and enter the information for the entry. The following example defines an organizational role for the Directory Manager in a .ldif file for an organization with the domain name mybrocade.com.
Modifying an entry Modifying an entry To modify a directory entry, perform the following steps. 1. Create a .ldif file containing the information to be modified. 2. Enter the ldapmodify command with the -f option specifying the .ldif file you created in step 1. to delete a user attribute Adding an Admin Domain or Virtual Fabric list If your network uses Admin Domains, you can specify a list of Admin Domain numbers to which the user has access.
TACACS+ service
• The HomeLF field specifies the user’s home Logical Fabric.
• The LFRole list field specifies the additional Logical Fabrics to which the user has access and the user’s access permissions for those Logical Fabrics. Logical Fabric numbers are separated by commas ( , ). A hyphen ( - ) indicates a range.
• The ChassisRole field designates the permissions that apply to the ChassisRole subset of commands.
Configuring the TACACS+ server on Linux provide lists of Admin Domains or Virtual Fabrics to which the user should have access. For details, refer to The tac_plus.cfg file on page 167. On the Brocade switch, use the aaaConfig command to configure the switch to use TACACS+ for authentication. The aaaConfig command also allows you to specify up to five TACACS+ servers. When a list of servers is configured, failover from one server to another server happens only if a TACACS+ server fails to respond.
Adding a user and assigning a role Adding a user and assigning a role When adding a user to the tac_plus.cfg file, you should at least provide the brcd-role attribute. The value assigned to this attribute should match a role defined for the switch. When a login is authenticated, the role specified by the brcd-role attribute represents the permissions granted to the account. If no role is specified, or if the specified role does not exist on the switch, the account is granted user role permissions only.
Configuring the password expiration date The following example sets the home Virtual Fabric for the userVF account to 30 and allows the account admin role access to Virtual Fabrics 1, 3, and 4 and securityAdmin access to Virtual Fabrics 5 and 6.
Adding an authentication server to the switch configuration Multiple login sessions can invoke the aaaConfig command simultaneously. The last session that applies the change is the one whose configuration is in effect. This configuration is persistent after an HA failover. The authentication servers are contacted in the order they are listed, starting from the top of the list and moving to the bottom. Adding an authentication server to the switch configuration 1.
Displaying the current authentication configuration When the command succeeds, the event log indicates that a server configuration is changed. Displaying the current authentication configuration 1. Connect to the switch and log in using an account with admin permissions. 2. Enter the aaaConfig --show command. If a configuration exists, its parameters are displayed. If the RADIUS, LDAP, or TACACS+ service is not configured, only the parameter heading line is displayed.
Configuring Protocols ● Security protocols..........................................................................................................173 ● Secure Copy................................................................................................................. 175 ● Secure Shell protocol.................................................................................................... 175 ● Secure Sockets Layer protocol .....................................................................
Configuring Protocols TABLE 28 Secure protocol support (Continued) Protocol Description SSH Secure Shell (SSH) is a network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary. SSL Fabric OS uses Secure Socket Layer (SSL) to support HTTPS.
Secure Copy Secure Copy The Secure Copy protocol (SCP) runs on port 22. It encrypts data during transfer, thereby avoiding packet sniffers that attempt to extract useful information during data transfer. SCP relies on SSH to provide authentication and security. Setting up SCP for configuration uploads and downloads Use the following procedure to configure SCP for configuration uploads and downloads. 1. Connect to the switch and log in using an account with admin permissions. 2.
SSH public key authentication If you set up a message of the day (MOTD), the MOTD displays either before or after the login prompt, depending on the SSH client implementation. Fabric OS does not control when the message displays. SSH public key authentication OpenSSH public key authentication provides password-less logins, known as SSH authentication, that uses public and private key pairs for incoming and outgoing authentication.
Configuring outgoing SSH authentication Enter public key name(must have .pub suffix):id_rsa.pub Enter login name:auser Password: Public key is imported successfully. 4. Test the setup by logging in to the switch from a remote device, or by running a command remotely using SSH. Configuring outgoing SSH authentication After the allowed-user is configured, the remaining setup steps must be completed by the allowed-user. Use the following procedure to configure outgoing SSH authentication: 1.
Deleting private keys on the switch 1. Connect to the switch and log in using an account with admin permissions. 2. Use the sshUtil delpubkeys command to delete public keys. You will be prompted to enter the name of the user whose public keys you want to delete. Enter all to delete public keys for all users. For more information on IP filter policies, refer to Configuring Security Policies on page 209.
SSL configuration overview Enabling TLS 1.2 for the entire Web Tools session requires you to also enable TLS 1.2 in the Java Control Panel. SSL configuration overview You configure SSL access for a switch by obtaining, installing, and activating digital certificates. Certificates are required on all switches that are to be accessed through SSL. Also, you must install a certificate in the Java plug-in on the management workstation, and you may need to add a certificate to your web browser.
Generating and storing a Certificate Signing Request of generating a key Continue (yes, y, no, n): [no] y Select key size [1024 or 2048]: 1024 Generating new rsa public/private key pair Done. Generating and storing a Certificate Signing Request After generating a public/private key pair, you must generate and store a certificate signing request (CSR). 1. Connect to the switch and log in using an account with admin permissions. 2. Enter the secCertUtil gencsr command. 3. Enter the requested information.
Installing a switch certificate
• .cer (binary)
• .crt (binary)
• .pem (text)
Typically, the CA provides the certificate files listed in the following table.
TABLE 31 SSL certificate files
Certificate file | Description
name.pem | The switch certificate.
nameRoot.pem | The root certificate. Typically, this certificate is already installed in the browser, but if not, you must install it.
nameCA.pem | The CA certificate.
The browser For example, certificates that contain lines similar to the following are usually .pem encoded: "----BEGIN REQUEST----" and "----END REQUEST----" (and may include the strings "x509" or "certificate") • For Certificate Authorities that request information regarding the type of web server, Fabric OS uses the Apache web server running on Linux. • If you try to import certificates of different sizes for a given switch, the import fails.
Checking and installing root certificates on Mozilla Firefox 1. Select Tools > Internet Options. 2. Click the Content tab. 3. Click Certificates. 4. Click the Intermediate or Trusted Root tab and scroll the list to see if the root certificate is listed. Take the appropriate following action based on whether you find the certificate: • If the certificate is listed, you do not need to install it. You can skip the rest of this procedure. • If the certificate is not listed, click Import. 5.
Simple Network Management Protocol ST=California, C=US Serial number: 0 Valid from: Thu Jan 15 16:27:03 PST 2007 until: Sat Feb 14 16:27:03 PST 2007 Certificate fingerprints: MD5: 71:E9:27:44:01:30:48:CC:09:4D:11:80:9D:DE:A5:E3 SHA1: 06:46:C5:A5:C8:6C:93:9C:FE:6A:C0:EC:66:E9:51:C2:DB:E6:4F:A1 Trust this certificate? [no]: yes Certificate was added to keystore In the example, changeit is the default password and RootCert is an example root certificate name.
Basic SNMP operation Basic SNMP operation Every Brocade device carries an agent and management information base (MIB). The agent accesses information about a device and makes it available to an SNMP network management station. FIGURE 10 SNMP structure When active, the management station can get information or set information when it queries an agent. SNMP commands, such as get , set , and getnext are sent from the management station, and the agent replies once the value is obtained or modified.
Access to MIB variables The corresponding name is: iso.org.dod.internet.private.enterprise.bcsi.commDev.fibreChannel.fcSwitch.sw The other branches are part of the standard MIBs, and the portions relevant to configuring SNMP on a Brocade switch are referenced in the remainder of this reference. FIGURE 13 Brocade MIB tree location Access to MIB variables Use a MIB browser to access the MIB variables: all MIB browsers perform SNMP queries and load MIBs.
SNMP support You can read this information only through traps. SNMP support In addition to the standard MIBs that Brocade devices support, these devices also support Brocade-specific MIBs. Since different vendors vary the information in their private enterprise MIBs, it is necessary to verify their information. The Fibre Channel MIB standards dictate that certain information be included in all MIBs: it is the vendors' responsibility to follow the standards.
HA traps This trap is generated by Fabric Watch such that only the swUnitsStatusChange is controlled by the switchStatusPolicySet command. • connUnitSensorStatusChange This trap is generated when there are changes in the sensor settings. • connUnitPortStatusChange This trap sends the instance of connUnitPortName as part of the trap; the instance string is NULL if the port name is not defined for the specified port.
FICON traps
• swExtTrap - The trap adds the SSN binding to the traps if it is enabled.
• swStateChangeTrap - This trap is sent when the switch changes its state to online or offline.
• swPortMoveTrap - This trap is sent when the virtual ports are moved from one switch to another.
• swBrcdGenericTrap - This trap is sent for one of the events, such as fabric change, device change, FAPWWN change, and FDMI events. This trap is for Brocade use.
Loading Brocade MIBs Traps to be sent for Monitoring and Alerting Policy Suite (MAPS) threshold events. Loading Brocade MIBs The Brocade MIB is a set of variables that are private extensions to the Internet standard MIB-II. The Brocade agents support many other Internet-standard MIBs. These standard MIBs are defined in RFC publications. To find specific MIB information, examine the Brocade proprietary MIB structure and the standard RFC MIBs supported by Brocade.
MIB loading order
• RFC1158-MIB
• RFC-1212
• RFC1213-MIB
• RFC-1215
• RMON-MIB
• RSTP-MIB
• SNMP-COMMUNITY-MIB
• SNMP-FRAMEWORK-MIB
• SNMPv2-CONF
• SNMPv2-MIB
• SNMPv2-PARTY-MIB
• SNMPv2-SMI-MIB
• SNMPv2-TC
• SNMP-VIEW-BASED-ACM-MIB
• SNMP-USER-BASED-SM-MIB
• SNMP-TARGET-MIB
• T11-FC-ZONE-SERVER-MIB
MIB loading order Many MIBs use definitions that are defined in other MIBs. These definitions are listed in the IMPORTS section near the top of the MIB.
Configuring Protocols
TABLE 32 Brocade SNMP MIB dependencies (Continued)
MIB Name | Dependencies
FA.mib | RFC1155-SMI, RFC1158-MIB, RFC-1212, RFC1213-MIB, RFC-1215, FIBRE-CHANNEL-FE-MIB, SNMPv2-SMI, SNMPv2-TC, SNMP-FRAMEWORK-MIB, SNMPv2-CONF
FCIP-MGMT-MIB | SNMPv2-SMI, SNMPv2-TC, INET-ADDRESS-MIB, FC-MGMT-MIB, IF-MIB, SNMPv2-CONF, SNMP-FRAMEWORK-MIB
ENTITY-MIB | SNMPv2-SMI, SNMPv2-TC, SNMPv2-CONF, SNMP-FRAMEWORK-MIB
SW.mib | SNMPv2-TC, SNMPv2-SMI, Brocade-TC, Brocade-REG-MIB, FCMGMT-MIB
bd.
Access Gateway and Brocade MIBs
TABLE 32 Brocade SNMP MIB dependencies (Continued)
MIB Name | Dependencies
brcdfcip.mib | SNMPv2-SMI, Brocade-REG-MIB, SNMPv2-TC, INET-ADDRESS-MIB, IF-MIB, SNMPv2-CONF
faext.mib | SNMPv2-TC, SNMPv2-SMI, SW-MIB, FCMGMT-MIB
FICON.mib | SNMPv2-SMI, SNMPv2-TC, Brocade-REG-MIB
HA.
Firmware upgrades and enabled traps TABLE 33 Access Gateway MIB support (Continued) MIB name Description SW-MIB Disabled in Access Gateway because the conventions are specific to fabric switches. In Fabric OS v6.4.0, swConnUnitPortExtensionTable is supported in Access Gateway mode. In Fabric OS v7.0.
Support for IPv6 addressing Support for IPv6 addressing IPv6 addressing is supported in Fabric OS v5.3.0 and later releases. Support for Virtual Fabrics Virtual Fabrics is supported in Fabric OS v6.2.0 and later releases. When an SNMPv3 request arrives with a particular user name, it executes in the home Virtual Fabric. From the SNMP manager, all SNMPv3 requests must have a home Virtual Fabric that is specified in the contextName field.
Customized traps Customized traps This is only applicable for OEM customers. FOS v7.0.0 and v7.0.1 releases supported addition of system OID in trap OID to customized trap OID on different platforms. For example, Fabric Watch customized trap OID is 1.3.6.1.4.1.1588.2.1.1.62.0.5 on DCX and 1.3.6.1.4.1.1588.2.1.1.71.0.5 on Brocade 5100. This feature is not supported from FOS 7.1.0 release.
Configuring SNMPv3 user/traps
TABLE 35 Supported protocol options
Protocol | Options
Auth protocols | MD5, SHA, noAuth
Priv protocols | DES, noPriv, AES128, AES256
Configuring SNMPv3 user/traps The following examples list how to configure SNMPv3 users/traps. 1. Create a user on the switch in non-VF Context using CLI userconfig, with the required role.
Configuring Protocols User (ro): [snmpuser2] Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..3) [3] Priv Protocol [DES(1)/noPriv(2)/AES128(3)/AES256(4)]): (2..2) [2] Engine ID: [00:00:00:00:00:00:00:00:00] SNMPv3 trap recipient configuration: SNMPv3 trap recipient configuration: Trap Recipient's IP address : [0.0.0.0] 10.35.52.33 UserIndex: (1..6) [1] Trap recipient Severity level : (0..5) [0] 5 Trap recipient Port : (0..65535) [162] Trap Recipient's IP address : [0.0.0.0] 10.35.52.27 UserIndex: (1..
Configuring Protocols Verify Auth Passwd: Priv Protocol [DES(1)/noPriv(2)/AES128(3)/AES256(4)]): (1..4) [1] New Priv Passwd: Verify Priv Passwd: User (ro): [snmpuser1] Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..3) [3] Priv Protocol [DES(1)/noPriv(2)/AES128(3)/AES256(4)]): (1..4) [2] User (ro): [snmpuser2] Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..3) [3] Priv Protocol [DES(1)/noPriv(2)/AES128(3)/AES256(4)]): (1..4) [2] User (ro): [snmpuser3] Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..
Configuring Protocols | |ip-v6-change-trap | |sw-pmgr-event-trap | |sw-event-trap | |sw-fabric-reconfig-trap | |sw-fabric-segment-trap | |sw-state-change-trap | |sw-zone-config-change-trap | |sw-port-move-trap | |sw-brcd-generic-trap | |sw-device-status-trap 002|FICON-MIB |link-rnid-device-registration | |link-rnid-device-deregistration | |link-lirr-listener-added | |link-lirr-listener-removed | |link-rlir-failure-incident 003|FA-MIB |conn-unit-status-change | |conn-unit-sensor-status-change | |conn-unit-p
Configuring Protocols Example of accessControl configuration: switch:admin> snmpconfig --set accessControl SNMP access list configuration: Access host subnet area in dot notation: [0.0.0.0] 192.168.0.0 Read/Write? (true, t, false, f): [true] Access host subnet area in dot notation: [0.0.0.0] 10.32.148.0 Read/Write? (true, t, false, f): [true] f Access host subnet area in dot notation: [0.0.0.0] Read/Write? (true, t, false, f): [true] Access host subnet area in dot notation: [0.0.0.0] 10.33.0.
Configuring Protocols swStateChangeTrap: NO swPortMoveTrap: NO swBrcdGenericTrap: NO swDeviceStatusTrap: NO swZoneConfigChangeTrap: NO [...] To re-enable all traps under the SW-MIB category after they were disabled: switch:admin> snmpconfig --set mibCapability -mib_name SW-MIB -bitmask 0xFFF Operation succeeded switch:admin> snmpconfig --show mibCapability [...
Configuring Protocols linkLIRRListenerRemoved: YES linkRLIRFailureIncident: YES HA-TRAP: YES fruStatusChanged: YES cpStatusChanged: YES fruHistoryTrap: YES ISCSI-TRAP: YES iscsiTgtLoginFailure: YES iscsiIntrLoginFailure: YES iscsiInstSessionFailure: YES IF-TRAP: YES linkDown: YES linkUp: YES BD-TRAP: YES bdTrap: YES bdClearTrap: YES MAPS-TRAP: YES mapsTrapAM: YES T11-FC-ZONE-SERVER-TRAP: YES t11ZsRequestRejectNotify: YES t11ZsMergeFailureNotify: YES t11ZsMergeSuccessNotify: YES t11ZsDefZoneChangeNotify: YE
Telnet protocol NOTE SNMPv3 supports AES-128, AES-256, and DES protocols. NOTE For resolving AES-256 protocol in the USM MIB walk, the eso Consortium MIB has to be loaded. Telnet protocol Telnet is enabled by default. To prevent passing clear text passwords over the network when connecting to the switch, you can block the Telnet protocol using an IP filter policy. For more information on IP filter policies, refer to IP Filter policy on page 231.
Unblocking Telnet 7. Verify the new policy is correct by typing the ipFilter --show command. 8. Activate the new IP filter policy by typing the ipfilter --activate command. switch:admin> ipfilter --activate BlockTelnet 9. Verify the new policy is active (the default_ipv4 policy should be displayed as defined ).
Ports and applications used by switches
TABLE 36 Blocked listener applications (Continued)
Listener application | Brocade DCX and DCX 8510 Backbone families | Brocade switches
daytime | Disabled | Disabled
discard | Disabled | Disabled
echo | Disabled | Disabled
ftp | Disabled | Disabled
rexec | Block with packet filter | Disabled
rlogin | Block with packet filter | Disabled
rsh | Block with packet filter | Disabled
rstats | Disabled | Disabled
rusers | Disabled | Disabled
time | Block with packet filter | Disabled
P
Port configuration
The following table provides information on ports that the switch uses. When configuring the switch for various policies, take into consideration firewalls and other devices that may sit between switches in the fabric and your network or between the managers and the switch.
TABLE 38 Port information
Port | Type | Common use | Comment
22 | TCP | SSH, SCP |
23 | TCP | Telnet | Use the ipfilter command to block the port.
80 | TCP | HTTP | Use the ipfilter command to block the port.
Configuring Security Policies ● ACL policies overview................................................................................................... 209 ● ACL policy management............................................................................................... 210 ● FCS policies.................................................................................................................. 213 ● Device Connection Control policies...............................................................
Admin Domain considerations for ACL policies When a policy is activated, the defined policy either replaces the policy with the same name in the active set or becomes a new active policy. If a policy appears in the defined set but not in the active set, the policy was saved but has not been activated. If a policy with the same name appears in both the defined and active sets but they have different values, then the policy has been modified but the changes have not been activated.
Displaying ACL policies policy type for SCC or DCC. See Policy database distribution on page 238 for more information on the database settings and fabric-wide consistency policy. Displaying ACL policies You can view the active and defined policy sets at any time. Additionally, in a defined policy set, policies created in the same login session also appear, but these policies are automatically deleted if you log out without saving them. 1.
Adding a member to an existing ACL policy Example of deleting an ACL policy switch:admin> secpolicydelete "DCC_POLICY_010" About to delete policy Finance_Policy. Are you sure (yes, y, no, n):[no] y Finance_Policy has been deleted. Adding a member to an existing ACL policy As soon as a policy has been activated, the aspect of the fabric managed by that policy is enforced. 1.
FCS policies All changes since the last time the secPolicySave or secPolicyActivate commands were entered are aborted. FCS policies Fabric configuration server (FCS) policy in base Fabric OS may be performed on a local switch basis and may be performed on any switch in the fabric. The FCS policy is not present by default, but must be created. When the FCS policy is created, the WWN of the local switch is automatically included in the FCS list. Additional switches can be included in the FCS list.
Ensuring fabric domains share policies
TABLE 41 FCS switch operations
Allowed on FCS switches:
• secPolicyAdd (Allowed on all switches for SCC and DCC policies as long as it is not fabric-wide)
• secPolicyCreate (Allowed on all switches for SCC and DCC policies as long as it is not fabric-wide)
• secPolicyDelete (Allowed on all switches for SCC and DCC policies as long as it is not fabric-wide)
Allowed on all switches:
• secPolicyShow
• fddCfg --localaccept or fddCfg --localreject
• userconfig, Passwd, Passwdcfg (Fab
Creating an FCS policy Creating an FCS policy 1. Connect to the switch and log in using an account with admin permissions, or an account with OM permissions for the Security RBAC class of commands. 2. Enter the secPolicyCreate "FCS_POLICY" command. Example of creating an FCS policy The following example creates an FCS policy that allows a switch with domain ID 2 to become a primary FCS and domain ID 4 to become a backup FCS: switch:admin> secpolicycreate "FCS_POLICY", "2;4" FCS_POLICY has been created 3.
FCS policy distribution FCS policy distribution The FCS policy can be automatically distributed using the fddCfg --fabwideset command or it can be manually distributed to the switches using the distribute -p command. Each switch that receives the FCS policy must be configured to receive the policy. To configure the switch to accept distribution of the FCS policy, refer to Database distribution settings on page 239. Database distributions may be initiated from only the Primary FCS switch.
Virtual Fabrics considerations Each device port can be bound to one or more switch ports; the same device ports and switch ports may be listed in multiple DCC policies. After a switch port is specified in a DCC policy, it permits connections only from designated device ports. Device ports that are not specified in any DCC policies are allowed to connect only to switch ports that are not specified in any DCC policies.
Deleting a DCC policy Device ports must be specified by port WWN. Switch ports can be identified by the switch WWN, domain ID, or switch name followed by the port or area number. To specify an allowed connection, enter the device port WWN, a semicolon, and the switch port identification. The following methods of specifying an allowed connection are possible: • deviceportWWN;switchWWN (port or area number) • deviceportWWN;domainID (port or area number) • deviceportWWN;switchname (port or area number) 1.
DCC policy behavior with Fabric-Assigned PWWNs Example of deleting stale DCC policies switch:admin> secpolicydelete ALL_STALE_DCC_POLICY About to clear all STALE DCC policies ARE YOU SURE (yes, y, no, n): [no] y DCC policy behavior with Fabric-Assigned PWWNs A DCC policy check is always performed for the physical port WWN of a device when the HBA has established that the device is attempting a normal FLOGI and has both a fabric-assigned port WWN (FA-PWWN) and a physical port WWN.
SCC Policies
TABLE 45 DCC policy behavior when created manually with PWWN
Configuration | WWN seen on DCC policy list | Behavior when DCC policy activates | Behavior on portDisable and portEnable
• FA-PWWN has logged into the switch. • DCC policy created manually with the physical PWWN of the device. • DCC policy activated. | PWWN | Traffic will not be disrupted. | Ports will come up without security issues.
• DCC policy created manually with the physical PWWN. FA-PWWN has logged into the switch.
Creating an SCC policy • A logical switch supports an SCC policy. You can configure and distribute an SCC policy on a logical switch. • SCC enforcement is performed on an ISL based on the SCC policy present on the logical switch. For more information on Virtual Fabrics, refer to Managing Virtual Fabrics on page 267. Creating an SCC policy 1. Connect to the switch and log in using an account with admin permissions, or an account with OM permissions for the Security RBAC class of commands. 2.
Virtual Fabrics considerations The peer secret uniquely identifies the entity to which the local switch authenticates. Every switch can share a secret key pair with any other switch or host in a fabric. To use DH-CHAP authentication, a secret key pair has to be configured on both switches. For more information on setting up secret key pairs, refer to Setting a secret key pair on page 228. When configured, the secret key pair is used for authentication.
Virtual Fabrics considerations changes to the AUTH policy take effect during the next authentication request. This includes starting authentication on all E_Ports on the local switch if the policy is changed to ON or ACTIVE, and clearing the authentication if the policy is changed to OFF. The authentication configurations will be effective only on subsequent E_ and F_Port initialization. ATTENTION A secret key pair has to be installed prior to changing the policy.
Re-authenticating E_Ports
either DH-CHAP secrets or PKI certificates depending on the protocol selected. Otherwise, ISLs will be segmented during next E-port bring-up.
ARE YOU SURE (yes, y, no, n): [no] y
Auth Policy is set to ACTIVE
NOTE This authentication-policy change will not affect online EX_Ports.
Re-authenticating E_Ports
Use the authUtil --authinit command to re-initiate the authentication on selected ports.
Virtual Fabrics considerations By default the device policy is in the OFF state, which means the switch clears the security bit in the FLOGI (fabric login). The authUtil command provides an option to change the device policy mode to select PASSIVE policy, which means the switch responds to authentication from any device and does not initiate authentication to devices. When the policy is set to ON, the switch expects a FLOGI with the FC-SP bit set.
Authentication protocols NOTE For information about how to use authentication with Access Gateway, refer to the Access Gateway Administrator's Guide. Authentication protocols Use the authUtil command to perform the following tasks: • Display the current authentication parameters. • Select the authentication protocol used between switches. • Select the DH (Diffie-Hellman) group for a switch. Run the authUtil command on the switch you want to view or change.
Secret key pairs for DH-CHAP all groups. See In-flight Encryption and Compression on page 407 for details about in-flight encryption. Secret key pairs for DH-CHAP When you configure the switches at both ends of a link to use DH-CHAP for authentication, you must also define a secret key pair --one for each end of the link. Use the secAuthSecret command to perform the following tasks: • View the WWN of switches with a secret key pair • Set the secret key pair for switches.
Setting a secret key pair When setting and removing the secret for a switch or device on Access Gateway, only the WWN can be used. Setting a secret key pair 1. Log in to the switch using an account with admin permissions, or an account with OM permissions for the Authentication RBAC class of commands. 2. Enter the secAuthSecret --set command. The command enters interactive mode.
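The pairing rule in the two sections above (one secret for each end of the link, the peer secret being what the local switch expects the other side to prove) is easy to get backwards. The following Python model is an added example written for this page, not Fabric OS code and not the FC-SP DH-CHAP wire format: it omits the Diffie-Hellman exchange and transaction identifiers and keeps only the challenge/response over a shared secret. The switch WWNs and secret values are made up.

```python
import hashlib
import hmac
import secrets

# Added example: simplified model of DH-CHAP secret pairing between two
# switches (no DH exchange, no FC-SP framing). WWNs and secrets are made up.


class Switch:
    """One end of an ISL: its own secret plus the secrets it expects from peers."""

    def __init__(self, wwn: str, local_secret: bytes, peer_secrets: dict):
        self.wwn = wwn
        self.local_secret = local_secret      # used to answer challenges
        self.peer_secrets = peer_secrets      # peer WWN -> secret that peer must prove

    def challenge(self) -> bytes:
        # Fresh random challenge for every authentication attempt.
        return secrets.token_bytes(16)

    def respond(self, challenge: bytes) -> bytes:
        # CHAP-style proof of the local secret: keyed hash over the challenge.
        return hmac.new(self.local_secret, challenge, hashlib.sha1).digest()

    def verify(self, peer_wwn: str, challenge: bytes, response: bytes) -> bool:
        secret = self.peer_secrets.get(peer_wwn)
        if secret is None:
            return False                      # no secret configured for this peer
        expected = hmac.new(secret, challenge, hashlib.sha1).digest()
        return hmac.compare_digest(expected, response)


def authenticate(a: Switch, b: Switch) -> bool:
    """Mutual authentication: each side challenges the other and checks the reply."""
    c1 = a.challenge()
    if not a.verify(b.wwn, c1, b.respond(c1)):
        return False
    c2 = b.challenge()
    return b.verify(a.wwn, c2, a.respond(c2))


WWN_A = "10:00:00:05:1e:00:00:0a"   # hypothetical switch WWNs
WWN_B = "10:00:00:05:1e:00:00:0b"


def correctly_paired() -> bool:
    # A's peer secret for B equals B's local secret, and vice versa.
    a = Switch(WWN_A, b"secret-of-A", {WWN_B: b"secret-of-B"})
    b = Switch(WWN_B, b"secret-of-B", {WWN_A: b"secret-of-A"})
    return authenticate(a, b)


def peer_secret_mismatch() -> bool:
    # B's stored peer secret for A differs from A's local secret: B rejects A,
    # which on a real ISL means the link segments at the next E_Port bring-up.
    a = Switch(WWN_A, b"secret-of-A", {WWN_B: b"secret-of-B"})
    b = Switch(WWN_B, b"secret-of-B", {WWN_A: b"wrong-secret"})
    return authenticate(a, b)


def secrets_swapped() -> bool:
    # Each side entered its own secret in the peer slot: A expects B to prove
    # "secret-of-A", which B does not hold, so the first challenge already fails.
    a = Switch(WWN_A, b"secret-of-A", {WWN_B: b"secret-of-A"})
    b = Switch(WWN_B, b"secret-of-B", {WWN_A: b"secret-of-B"})
    return authenticate(a, b)


if __name__ == "__main__":
    print("paired:", correctly_paired())
    print("peer mismatch:", peer_secret_mismatch())
    print("swapped:", secrets_swapped())
```

Only the correctly paired case authenticates; the two misconfigurations fail at the first verify call, which is the state a segmented ISL reports after an AUTH policy is switched to ON or ACTIVE without matching secrets on both ends.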
Generating the key and CSR for FCAP
ATTENTION Only the .pem file is supported for FCAP authentication.
Certificate File | Description
name CA.pem | The CA certificate. It must be installed on the remote and local switch to verify the validity of the switch certificate or switch validation fails.
name.pem | The switch certificate.
5. On each switch, install the CA certificate before installing the switch certificate.
6.
Importing the FCAP switch certificate
1. Log in to the switch using an account with admin permissions, or an account associated with the chassis role and having OM permissions for the PKI RBAC class of commands.
2. Enter the secCertUtil import -fcapcacert command and verify the CA certificates are consistent on both local and remote switches.
switch:admin> seccertutil import -fcapcacert
Select protocol [ftp or scp]: scp
Enter IP address: 10.1.2.
IP Filter policy Local Switch configuration parameters are needed to control whether a switch accepts or rejects distributions of the AUTH policy using the distribute command and whether the switch may initiate distribution of the policy. To set the local switch configuration parameter, refer to Policy database distribution on page 238. NOTE This is not supported for Access Gateway mode.
Cloning an IP Filter policy Cloning an IP Filter policy You can create an IP Filter policy as an exact copy of an existing policy. The policy created is stored in a temporary buffer and has the same type and rules as the existing defined or active policy. 1. Log in to the switch using an account with admin permissions, or an account associated with the chassis role and having OM permissions for the IPfilter RBAC class of commands. 2. Enter the ipFilter --clone command.
Deleting an IP Filter policy Deleting an IP Filter policy You can delete a specified IP Filter policy. Deleting an IP Filter policy removes it from the temporary buffer. To permanently delete the policy from the persistent database, run ipfilter --save . An active IP Filter policy cannot be deleted. 1. Log in to the switch using an account with admin permissions, or an account associated with the chassis role and having the OM permissions for the IPfilter RBAC class of commands. 2.
Configuring Security Policies
TABLE 47 Supported services
Service name | Port number
echo | 7
discard | 9
systat | 11
daytime | 13
netstat | 15
chargen | 19
ftp data | 20
ftp | 21
fsp | 21
ssh | 22
telnet | 23
smtp | 25
time | 27
name | 42
whois | 43
domain | 53
bootps | 67
bootpc | 68
tftp | 69
http | 80
kerberos | 88
hostnames | 101
sftp | 115
ntp | 123
snmp | 161
snmp trap | 162
Fabric OS Administrators Guide 53-1003130-01
Protocol
TABLE 47 Supported services (Continued)
Service name | Port number
https | 443
ssmtp | 465
exec | 512
login | 513
shell | 514
uucp | 540
biff | 512
who | 513
syslog | 514
route | 520
timed | 525
kerberos4 | 750
Protocol
TCP and UDP protocols are valid protocol selections. Fabric OS v6.2.0 and later do not support configuration to filter other protocols. Implicitly, ICMP type 0 and type 8 packets are always allowed to support ICMP echo request and reply on commands like ping and traceroute.
Default policy rules
TABLE 48 Implicit IP Filter rules
Source address | Destination port | Protocol | Action
Any | 1024-65535 | TCP | Permit
Any | 1024-65535 | UDP | Permit
Default policy rules
Switches have a default IP Filter policy for IPv4 and IPv6. The default IP Filter policy cannot be deleted or changed. When an alternative IP Filter policy is activated, the default IP Filter policy becomes deactivated. Table 49 lists the rules of the default IP Filter policy.
Adding a rule to an IP Filter policy NOTE If a switch is part of a LAN behind a Network Address Translation (NAT) server, depending on the NAT server configuration, the source address in an IP Filter rule may have to be the NAT server address. Adding a rule to an IP Filter policy There can be a maximum of 256 rules created for an IP Filter policy. The change to the specified IP Filter policy is not saved to the persistent configuration until a save or activate subcommand is run. 1.
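To see how the pieces in the preceding sections fit together (filterable protocols, the always-permitted ICMP echo, the implicit high-port rules of Table 48, and the 256-rule limit), here is an added Python model of rule evaluation. It is written for this page and is not Fabric OS code; the relative order in which the implicit rules are consulted, the handling of other ICMP types, and the final deny for unmatched traffic are this example's assumptions, and the admin subnet, poller address and packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example: model of IP Filter policy evaluation. Not Fabric OS code.
MAX_RULES = 256  # per-policy limit stated in the guide


@dataclass(frozen=True)
class Rule:
    source: str               # "any", an IP address, or a CIDR prefix
    dport: Tuple[int, int]    # inclusive destination port range
    proto: str                # "tcp" or "udp" (the only filterable protocols)
    action: str               # "permit" or "deny"

    def matches(self, src: str, dport: int, proto: str) -> bool:
        if proto != self.proto or not (self.dport[0] <= dport <= self.dport[1]):
            return False
        if self.source == "any":
            return True
        return ipaddress.ip_address(src) in ipaddress.ip_network(self.source, strict=False)


# Implicit rules from Table 48. Evaluated after the explicit rules here; the
# guide does not state the relative order, so that ordering is an assumption.
IMPLICIT_RULES = [
    Rule("any", (1024, 65535), "tcp", "permit"),
    Rule("any", (1024, 65535), "udp", "permit"),
]


class IpFilterPolicy:
    def __init__(self, name: str, rules: List[Rule]):
        if len(rules) > MAX_RULES:
            raise ValueError(f"policy {name}: {len(rules)} rules exceeds the {MAX_RULES}-rule limit")
        self.name = name
        self.rules = list(rules)

    def evaluate(self, src: str, proto: str, dport: Optional[int] = None,
                 icmp_type: Optional[int] = None) -> Tuple[str, str]:
        """Return (action, reason) for one inbound packet on the management interface."""
        if proto == "icmp":
            # Echo request (8) and reply (0) are always allowed. Treating every
            # other ICMP type as denied is this example's assumption.
            if icmp_type in (0, 8):
                return "permit", "icmp echo is always permitted"
            return "deny", "icmp type not implicitly permitted"
        if proto not in ("tcp", "udp") or dport is None:
            return "deny", "only tcp and udp with a destination port can be filtered"
        for i, rule in enumerate(self.rules, 1):
            if rule.matches(src, dport, proto):
                return rule.action, f"explicit rule {i}"
        for rule in IMPLICIT_RULES:
            if rule.matches(src, dport, proto):
                return "permit", "implicit high-port rule (Table 48)"
        return "deny", "no matching rule"   # assumption: unmatched traffic is denied


# Constructed sample policy: management access only from a hypothetical admin subnet.
ADMIN_NET = "10.1.0.0/16"
SAMPLE_POLICY = IpFilterPolicy("mgmt_in", [
    Rule(ADMIN_NET, (22, 22), "tcp", "permit"),       # ssh from admins
    Rule(ADMIN_NET, (443, 443), "tcp", "permit"),     # https from admins
    Rule("10.1.2.3", (161, 161), "udp", "permit"),    # snmp from one poller
    Rule("any", (23, 23), "tcp", "deny"),             # never telnet
])


def check(src: str, proto: str, dport: Optional[int] = None,
          icmp_type: Optional[int] = None) -> str:
    return SAMPLE_POLICY.evaluate(src, proto, dport, icmp_type)[0]


def exceeds_limit(n: int) -> bool:
    """True if a policy with n rules is rejected for exceeding MAX_RULES."""
    try:
        IpFilterPolicy("probe", [Rule("any", (1, 1), "tcp", "deny")] * n)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for pkt in [("10.1.5.5", "tcp", 22), ("192.0.2.9", "tcp", 22),
                ("192.0.2.9", "tcp", 8080), ("192.0.2.9", "tcp", 23),
                ("10.1.2.3", "udp", 161), ("192.0.2.9", "icmp", None, 8)]:
        print(pkt, SAMPLE_POLICY.evaluate(*pkt))
```

The case worth noticing is the TCP packet to port 8080 from an address outside the admin subnet: no explicit rule matches it, yet under Table 48 it is permitted by the implicit high-port rule. A policy that is meant to block everything except listed services therefore needs its own explicit deny rules for the port ranges it cares about rather than relying on the absence of a permit.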
Policy database distribution NOTE Any RPC ports that were allowed in Fabric OS versions earlier than 7.2.0 are removed and ignored in Fabric OS 7.2.0 and later. Virtual Fabrics considerations : To distribute the IP Filter policy in a logical fabric, use the chassisDistribute command. Policy database distribution Fabric OS lets you manage and enforce the ACL policy database on either a per-switch or fabric-wide basis.
Database distribution settings TABLE 50 Interaction between fabric-wide consistency policy and distribution settings (Continued) Distribution setting Fabric-wide consistency policy Accept (default) Database is not protected, the database can be overwritten. If the switch initiating a distribute command has a strict or tolerant fabric-wide consistency policy, the fabric-wide policy is also overwritten. Database is not protected. Database is not protected.
Displaying the database distribution settings Displaying the database distribution settings 1. Connect to the switch and log in using an account with admin permissions, or an account with OM permissions for the FabricDistribution RBAC class of commands. 2. Enter the fddCfg --showall command. The following sample output shows the database distribution settings.
Fabric-wide enforcement Fabric-wide enforcement The fabric-wide consistency policy enforcement setting determines the distribution behavior when changes to a policy are activated. Using the tolerant or strict fabric-wide consistency policy ensures that changes to local ACL policy databases are automatically distributed to other switches in the fabric. NOTE To completely remove all fabric-wide policy enforcement from a fabric, enter the fddCfg --fabwideset "" command.
Setting the fabric-wide consistency policy Setting the fabric-wide consistency policy 1. Connect to the switch and log in using an account with admin permissions, or an account with OM permissions for the FabricDistribution RBAC class of commands. 2. Enter the fddCfg --fabwideset command. The following example shows how to set a strict SCC and tolerant DCC fabric-wide consistency policy.
Non-matching fabric-wide consistency policies TABLE 53 Merging fabrics with matching fabric-wide consistency policies Fabric-wide consistency policy Fabric A ACL policies Fabric B ACL policies Merge results Database copied None None None Succeeds No ACL policies copied. None SCC/DCC Succeeds No ACL policies copied. None None Succeeds No ACL policies copied. None SCC/DCC Succeeds ACL policies are copied from B to A.
Management interface security TABLE 54 Examples of strict fabric merges (Continued) Fabric-wide consistency policy setting Expected behavior DCC:S Strict/Strict SCC:S DCC:S Table 55 has a matrix of merging fabrics with tolerant and absent policies. TABLE 55 Fabric merges with tolerant and absent combinations Fabric-wide consistency policy setting Expected behavior Fabric A Tolerant/Absent Fabric B SCC;DCC Error message logged.
Configuration examples Using the ipSecConfig command, you must configure multiple security policies for traffic flows on the Ethernet management interfaces based on IPv4 or IPv6 addresses, a range of IPv4 or IPv6 addresses, the type of application, port numbers, and protocols used (UDP/TCP/ICMP). You must specify the transforms and processing choices for the traffic flow (drop, protect or bypass). Also, you must select and configure the key management protocol using an automatic or manual key.
Endpoint-to-gateway tunnel FIGURE 16 Gateway tunnel configuration Endpoint-to-gateway tunnel In this scenario, a protected endpoint (typically a portable computer) connects back to its corporate network through an IPsec-protected tunnel. It might use this tunnel only to access information on the corporate network, or it might tunnel all of its traffic back through the corporate network in order to take advantage of protection provided by a corporate firewall against Internet-based attacks.
Security associations IPsec protocols use a sliding window to assist in flow control. The IPsec protocols also use this sliding window to provide protection against replay attacks, in which an attacker attempts a denial of service attack by replaying an old sequence of packets. IPsec protocols assign a sequence number to each packet. The recipient accepts each packet only if its sequence number is within the window. It discards older packets.
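The sliding window just described is the standard ESP/AH anti-replay window. The following Python class is an added example written for this page, not Fabric OS code: it keeps a bitmap of the most recent sequence numbers, accepts a packet only if it is inside the window and not yet seen, and advances the window on a new high sequence number. The window size and the packet trace are this example's own choices.

```python
# Added example: ESP-style anti-replay sliding window. Not Fabric OS code.
# Sequence numbers start at 1. Bit 0 of the bitmap tracks the highest
# sequence number accepted (top); bit k tracks the number top - k.


class ReplayWindow:
    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("window size should be at least 32")
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # one bit per sequence number in [top-size+1, top]

    def check_and_update(self, seq: int) -> bool:
        """Accept seq if it is new and inside the window; advance on a new high."""
        if seq <= 0:
            return False                           # 0 is never a valid sequence number
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                    # everything older falls out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                           # too old: left of the window, discard
        if self.bitmap & (1 << diff):
            return False                           # already seen: replay, discard
        self.bitmap |= 1 << diff                   # late but new: accept and mark
        return True


def replay_trace(seqs, size: int = 64):
    """Run a constructed packet trace through one window; True means accepted."""
    w = ReplayWindow(size)
    return [w.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed trace: in-order packets, a reordered pair, a replay of 3,
    # a jump past the window, a late-but-new packet, a now-too-old packet,
    # and a replay of the current top.
    print(replay_trace([1, 2, 3, 5, 4, 3, 70, 10, 3, 71, 71]))
```

In the trace, packet 4 arriving after 5 is accepted (reordering inside the window is fine), the second copy of 3 is rejected as a replay, the jump to 70 slides the window so that 10 is still acceptable but 3 is now too old, and a second 71 is rejected. Only the check is shown; a real receiver marks the bitmap only after the packet's integrity check succeeds, so that a forged packet cannot burn a sequence number.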
IPsec policies
TABLE 56 Algorithms and associated authentication policies (Continued)
Algorithm | Encryption Level | Policy | Description
hmac_sha1 | 160-bit | AH, ESP |
NOTE The MD5 hash algorithm is blocked when FIPS mode is enabled.
3des_cbc | 168-bit | ESP | Triple DES is a more secure variant of DES. It uses three different 56-bit keys to encrypt blocks of 64-bit plain text. The algorithm is FIPS-approved for use by Federal agencies.
Key management Key management The IPsec key management supports Internet Key Exchange or Manual key/SA entry. The Internet Key Exchange (IKE) protocol handles key management automatically. SAs require keying material for authentication and encryption. The managing of keying material that SAs require is called key management . The IKE protocol secures communication by authenticating peers and exchanging keys. It also creates the SAs and stores them in the SADB.
Creating the tunnel Creating the tunnel Each side of the tunnel must be configured in order for the tunnel to come up. Once you are logged into the switch, do not log off as each step requires that you be logged in to the switch. IPsec configuration changes take effect upon execution and are persistent across reboots. Configure the following on each side of the tunnel: 1. Determine the authentication protocol and algorithm to be used on the tunnel.
Example of an end-to-end transport tunnel mode
This example creates a traffic selector to select outbound and inbound traffic that needs to be protected.
switch:admin> ipsecconfig --add policy ips selector -t SELECTOR-OUT -d out -l 10.33.69.132 -r 10.33.74.13 -transform TRANSFORM01
switch:admin> ipsecconfig --add policy ips selector -t SELECTOR-IN -d in -l 10.33.74.13 -r 10.33.69.132 -transform TRANSFORM01
Inbound and outbound selectors use opposite values for local and remote IP addresses.
Configuring Security Policies
For more information on importing the pre-shared key file, refer to Installing a switch certificate on page 181.
7. Configure an IKE policy for the remote peer.
switch:admin> ipsecconfig --add policy ike -t IKE01 -remote 10.33.69.132 -id 10.33.74.13 -remoteid 10.33.69.132 -enc 3des_cbc -hash hmac_md5 -prf hmac_md5 -auth psk -dh modp1024 -psk ipseckey.
Notes
Notes
• As of Fabric OS 7.0.0, IPsec no longer supports null encryption (null_enc) for IKE policies.
• IPv6 policies cannot tunnel ICMP traffic.
Maintaining the Switch Configuration File ● Configuration settings................................................................................................... 255 ● Configuration file backup...............................................................................................257 ● Configuration file restoration......................................................................................... 258 ● Configurations across a fabric..........................................................
Configuration file format
-all
To upload all of the system configuration, including the chassis section and all switch sections for all logical switches.
NOTE Use this parameter when obtaining a complete capture of the switch configuration in a switch that has Virtual Fabrics mode disabled.
-chassis
To upload only the chassis section of the system configuration file.
-switch
To upload the switch configuration only, if Virtual Fabrics mode is disabled.
Configuration file backup
• FCoE software configuration
• Zoning
• Defined security policies
• Active security policies
• iSCSI
• CryptoDev
• FICU saved files
• VS_SW_CONF
• MAPS configuration
• Banner
Configuration file backup
Brocade recommends keeping a backup configuration file. You should keep individual backup files for all switches in the fabric and avoid copying configurations from one switch to another.
Configuration file restoration
Example of configUpload on a switch with Admin Domains
NOTE Administrative domains other than AD255 upload a subset of information. If you want a complete switch configuration, you must use the configUpload command while logged in to AD255.
switch:AD5:admin> ad --select 5
switch:AD5:admin> configUpload
Protocol (scp or ftp) [ftp]:
Server Name or IP Address [host]: 10.1.2.3
User Name [user]: UserFoo
Path/Filename [/config.txt]: /pub/configurations/config.
Maintaining the Switch Configuration File -fid FID The FID must be defined in both the downloaded configuration file and the current system. NOTE Brocade recommends you disable a switch before downloading a configuration file. If you plan to download a configuration file while the switch is enabled, refer to Configuration download without disabling a switch on page 260. -fid FID -sfid FID The FID must be defined on the switch and the source FID must be defined in the downloaded configuration file.
Configuration download without disabling a switch TABLE 57 CLI commands to display or modify switch configuration information (Continued) Command Displays portCfgVEXPort VEX_Port configuration parameters. CAUTION Though the switch itself has advanced error checking, the configdownload feature within Fabric OS was not designed for users to edit, and is limited in its ability. Edited files can become corrupted and this corruption can lead to switch failures.
Configurations across a fabric
NOTE Always perform a reboot after you download a configuration file. On dual-CP platforms, you must reboot both CPs simultaneously.
Example of configDownload without Admin Domains
switch:admin> configdownload
Protocol (scp, ftp, local) [ftp]:
Server Name or IP Address [host]: 10.1.2.3
User Name [user]: UserFoo
Path/Filename [/config.
Downloading a configuration file from one switch to another switch of the same model issue the configDefault command after download is completed but before the switch is enabled. If a switch is enabled with a duplicate domain ID, the switch becomes segmented. Downloading a configuration file from one switch to another switch of the same model 1. Configure one switch. 2. Use the configUpload command to save the configuration information. Refer to Configuration file backup on page 257 for more information.
Restoring a logical switch configuration using configDownload
Example of configUpload on a logical switch configuration
DCX_80:FID128:admin> configupload -vf
Protocol (scp, ftp, sftp, local) [ftp]:
Server Name or IP Address [host]: 10.1.2.3
User Name [user]: anonymous
Path/Filename [/config.txt]: 5100_vf.
Restrictions Restrictions The following restrictions apply when using the configUpload or configDownload commands when Virtual Fabrics mode is enabled: • The -vf option is incompatible with the -fid, -sfid, or -all options. Any attempt to combine it with any of the other three will cause the configuration upload or download operation to fail. • You are not allowed to modify the Virtual Fabrics configuration file after it has been uploaded.
Maintaining the Switch Configuration File
TABLE 58 Brocade configuration and connection form (Continued)
Brocade configuration settings
Total number of local devices (nsShow)
Total number of devices in fabric (nsAllShow)
Total number of switches in the fabric (fabricShow)
Managing Virtual Fabrics ● Virtual Fabrics overview................................................................................................ 267 ● Logical switch overview.................................................................................................268 ● Management model for logical switches....................................................................... 274 ● Logical fabric overview..............................................................................................
Logical switch overview NOTE A note on terminology: Virtual Fabrics is the name of the suite of features. A logical fabric is a type of fabric that you can create using the Virtual Fabrics suite of features. Logical switch overview Traditionally, each switch and all the ports in the switch act as a single Fibre Channel switch (FC switch) that participates in a single fabric. The logical switch feature allows you to divide a physical chassis into multiple fabric elements.
Managing Virtual Fabrics FIGURE 18 Switch before and after enabling Virtual Fabrics After you enable Virtual Fabrics, you can create up to seven additional logical switches, depending on the switch model. The following figure shows a Virtual Fabrics-enabled switch before and after it is divided into logical switches. Before you create logical switches, the chassis appears as a single switch (default logical switch).
Logical switches and fabric IDs FIGURE 19 Switch before and after creating logical switches Logical switches and fabric IDs When you create a logical switch, you must assign it a fabric ID (FID). The fabric ID uniquely identifies each logical switch within a chassis and indicates to which fabric the logical switch belongs. You cannot define multiple logical switches with the same fabric ID within the chassis.
Port assignment in logical switches FIGURE 20 Fabric IDs assigned to logical switches Port assignment in logical switches Initially, all ports belong to the default logical switch. When you create additional logical switches, they are empty and you must assign ports to those logical switches. As you assign ports to a logical switch, the ports are moved from the default logical switch to the newly created logical switch. A given port can be in only one logical switch.
Logical switches and connected devices FIGURE 21 Assigning ports to logical switches A given port is always in one (and only one) logical switch. The following scenarios refer to the chassis after port assignment in Figure 21 : • If you assign P2 to logical switch 2, you cannot assign P2 to any other logical switch. • If you want to remove a port from a logical switch, you cannot delete it from the logical switch, but must move it to a different logical switch.
Managing Virtual Fabrics cannot communicate with each other because they are in different fabrics, even though they are both connected to the same physical chassis. You can also connect other switches to logical switches. In Figure 22 , P6 is an E_Port that forms an inter-switch link (ISL) between logical switch 4 and the non-Virtual Fabrics switch.
Management model for logical switches Management model for logical switches The operations you can perform on a logical switch depend on the context you are in. Some operations affect only a single logical switch, and some operations affect the entire physical chassis.
Managing Virtual Fabrics FID 8 are each connected to a non-Virtual Fabrics switch. The two logical switches and the non-Virtual Fabrics switch are all in the same fabric, with FID 8. FIGURE 24 Logical switches connected to other logical switches through physical ISLs Figure 25 shows a logical representation of the configuration in Figure 24 .
Base switch and extended ISLs Base switch and extended ISLs One way to connect logical switches is to use extended ISLs and base switches. When you divide a chassis into logical switches, you can designate one of the switches to be a base switch. A base switch is a special logical switch that is used for interconnecting the physical chassis. A base switch has the following properties: • ISLs connected through the base switch can be used for communication among the other logical switches.
Managing Virtual Fabrics Think of the logical switches as being connected with logical ISLs, as shown in Figure 27 . In this diagram, the logical ISLs are not connected to ports because they are not physical cables. They are a logical representation of the switch connections that are allowed by the XISL. FIGURE 27 Logical ISLs connecting logical switches To use the XISL, the logical switches must be configured to allow XISL use.
Base fabric FIGURE 28 Logical fabric using ISLs and XISLs By default, the physical ISL path is favored over the logical path (over the XISL) because the physical path has a lower cost. This behavior can be changed by configuring the cost of the dedicated physical ISL to match the cost of the logical ISL. ATTENTION If you disable a base switch, all of the logical ISLs are broken and the logical switches cannot communicate with each other unless they are connected by a physical ISL.
Logical fabric formation The NAA=5 syntax uses the following variables: • nnnnnn is the Brocade Organizationally Unique Identifier (OUI). • zzzzzz is the logical fabric serial number. • xxx is the logical port number, in the range 0 through FFF. Logical fabric formation Fabric formation is not based on connectivity, but on the FIDs of the logical switches. The basic order of fabric formation is as follows: 1. Base fabric forms. 2. Logical fabrics form when the base fabric is stable. 3.
Supported platforms for Virtual Fabrics IPFC addresses are not handled by configupload or configdownload. The IPFC address of the default logical switch or a non-VF switch is stored on the WWN card or compact flash. This address does not display in a configshow. Non-default logical switch IPFC addresses display in a configshow. The ipaddrshow command displays all switch addresses and IPFC addresses configured in the chassis. Use the following procedure to set up IP addresses for a logical switch: 1.
Supported port configurations in the fixed-port switches Some restrictions apply to the ports, depending on the port type and blade type. The following sections explain these restrictions.
Restrictions on Brocade Backbones Restrictions on Brocade Backbones The following restrictions apply to Brocade Backbones: • EX_Ports and VEX_Ports can be in only the base switch. • ICL ports cannot be in a logical switch that is using XISLs. • All of the user ports in an ICL cable must be in the same logical switch. Distributing the user ports within the same cable across multiple logical switches is not supported. • ICL ports that are configured as EX_Ports can be in only the base switch.
Limitations and restrictions of Virtual Fabrics TABLE 60 Virtual Fabrics interaction with Fabric OS features (Continued) Fabric OS feature Virtual Fabrics interaction FICON Up to two logical switches per chassis can run FICON Management Server (CUP), but the FICON logical switch can use both ISLs and XISLs. ISL R_RDY mode ISL R_RDY mode is not supported in a base switch. Licensing Licenses are applicable for all logical switches in a chassis.
Restrictions on XISLs TABLE 61 Maximum number of logical switches per chassis (Continued) Platform Maximum number of logical switches Brocade 6520 4 Brocade 7800 4 Brocade 7840 4 Brocade VA-40FC 3 Refer to Supported port configurations in Brocade Backbones on page 281 for restrictions on the default logical switch.
Enabling Virtual Fabrics mode • VE_Ports on the FX8-24 blade can be moved to any logical switch independent of the location of the physical GE port. • If you move existing EX_Ports or VEX_Ports to any logical switch other than the base switch, these ports are automatically disabled. Enabling Virtual Fabrics mode A fabric is said to be in Virtual Fabrics mode (VF mode) when the Virtual Fabrics feature is enabled.
Configuring logical switches to use basic configuration values
NOTE If you want to use Admin Domains in a fabric, you must first disable VF mode.
1. Connect to the physical chassis and log in using an account with the chassis-role permission.
2. Use the fosConfig command to check whether VF mode is disabled:
fosconfig --show
3. Move all ports to the default logical switch.
lscfg --config 128 -slot slot -port port
4. Delete all of the non-default logical switches.
lscfg --delete fabricID
5.
Creating a logical switch or base switch
1. Connect to the physical chassis and log in using an account with the chassis-role permission.
2. Enter the configureChassis command to ensure that newly created logical switches have the same basic configuration values as the default logical switch:
configurechassis
3. Enter n at the prompts to configure system and cfgload attributes. Enter y at the prompt to configure custom attributes.
Executing a command in a different logical switch context
Example of creating a logical switch
The following example creates a logical switch with FID 4, and then assigns domain ID 14 to it.
sw0:FID128:admin> lscfg --create 4
A Logical switch with FID 4 will be created with default configuration.
Would you like to continue [y/n]?:y
About to create switch with fid=4. Please wait...
Logical Switch with FID (4) has been successfully created.
Logical Switch has been created with default configurations.
Deleting a logical switch
Executing the switchShow command in a different logical switch context
sw0:FID128:admin> fosexec --fid 4 -cmd "switchshow"
--------------------------------------------------
"switchshow" on FID 4:
switchName: switch_4
switchType: 66.
Adding and moving ports on a logical switch
Example of deleting the logical switch with FID 7
switch_4:FID4:admin> lscfg --delete 7
A Logical switch with FID 7 will be deleted.
Would you like to continue [y/n]?:y
All active login sessions for FID 7 have been terminated.
Switch successfully deleted.
Adding and moving ports on a logical switch
You add ports to a logical switch by moving the ports from one logical switch to another.
Displaying logical switch configuration Displaying logical switch configuration Use the following procedure to display the configuration for a logical switch: 1. Connect to the physical chassis and log in using an account with the chassis-role permission. 2. Enter the lsCfg --show -n command to display information about all of the logical switches. 3. Enter the lsCfg --show command to display a list of all logical switches and the ports assigned to them.
Changing a logical switch to a base switch
3. Enter y at the prompt.
4. Enable the logical switch.
fosexec --fid newFID -cmd "switchenable"
Example of changing the fabric ID on the logical switch from 5 to 7
sw0:FID128:admin> lscfg --change 5 -newfid 7
Changing of a switch fid requires that the switch be disabled.
Would you like to continue [y/n]?: y
Disabling switch...
All active login sessions for FID 5 have been terminated.
Checking and logging message: fid = 5.
Please enable your switch.
Configuring a logical switch for XISL use
Example of changing the logical switch with FID 7 to a base switch
sw0:FID128:admin> setcontext 7
switch_25:FID7:admin> switchshow
switchName: switch_25
switchType: 66.
Changing the context to a different logical fabric 6. Enter y at the Allow XISL Use prompt to allow XISL use; enter n at the prompt to disallow XISL use: Allow XISL Use (yes, y, no, n): y 7. Respond to the remaining prompts or press Ctrl-d to accept the other settings and exit. Changing the context to a different logical fabric You can change the context to a different logical fabric. Your user account must have permission to access the logical fabric. 1.
Managing Virtual Fabrics FIGURE 29 Example of logical fabrics in multiple chassis and XISLs Use the following procedure to create a logical fabric using XISLs: 1. Set up the base switches in each chassis: a) b) c) d) e) Connect to the physical chassis and log in using an account with the chassis-role permission. Enable the Virtual Fabrics feature, if it is not already enabled. See Enabling Virtual Fabrics mode on page 285 for instructions.
Managing Virtual Fabrics
e) (Optional) Configure the logical switch to use XISLs, if it is not already XISL-capable. See Configuring a logical switch for XISL use on page 293 for instructions. By default, newly created logical switches are configured to allow XISL use.
f) Repeat step a through step e in all chassis that are to participate in the logical fabric, using the same fabric ID whenever two switches need to be part of a single logical fabric.
5.
Administering Advanced Zoning ● Zone types.................................................................................................................... 297 ● Zoning overview............................................................................................................ 298 ● Broadcast zones........................................................................................................... 303 ● Zone aliases............................................................................
Zoning overview Isolate traffic to a specific, dedicated path through the fabric. Refer to Traffic Isolation Zoning on page 341 for more information. Zoning overview Zoning is a fabric-based service that enables you to partition your storage area network (SAN) into logical groups of devices that can access each other. For example, you can partition your SAN into two zones, "winzone" and "unixzone", so that your Windows servers and storage do not interact with your UNIX servers and storage.
FIGURE 30 Zoning example
Approaches to zoning
Table 62 lists the various approaches you can take when implementing zoning in a fabric.
TABLE 62 Approaches to fabric-based zoning
Zoning approach: Description
Recommended approach
Single HBA: Zoning by single HBA most closely re-creates the original SCSI bus. Each zone created has only one HBA (initiator) in the zone; each of the target devices is added to the zone.
TABLE 62 Approaches to fabric-based zoning (Continued)
Operating system: Zoning by operating system has issues similar to zoning by application. In a large site, this type of zone can become very large and complex. When zone changes are made, they typically involve applications rather than a particular server type.
and 14, and a device with the WWN 10:00:00:80:33:3f:aa:11 (either node name or port name) that is connected on the fabric.
Zoning schemes
You can establish a zone by identifying zone objects using one or more of the following zoning schemes:
• Domain,index (D,I): All members are specified by domain ID, port number, or domain,index number pairs or aliases.
• World Wide Name (WWN): All members are specified only by World Wide Names (WWNs) or aliases of WWNs.
Zoning enforcement Zoning enforcement Zoning enforcement describes a set of predefined rules that the switch uses to determine where to send incoming data. Fabric OS uses hardware-enforced zoning. Hardware-enforced zoning means that each frame is checked by hardware (the ASIC) before it is delivered to a zone member and is discarded if there is a zone mismatch.
TABLE 63 Considerations for zoning architecture (Continued)
Item: Description
Effect of changes in a production fabric: Zone changes in a production fabric can result in a disruption of I/O under conditions when an RSCN is issued because of the zone change and the HBA is unable to process the RSCN fast enough. Although RSCNs are a normal part of a functioning SAN, the pause in I/O might not be acceptable.
those logged-in Nx_Ports that are members of the broadcast zone and are also in the same zone (regular zone) as the sender of the broadcast packet. Devices that are not members of the broadcast zone can send broadcast packets, even though they cannot receive them. A broadcast zone can have domain,port, WWN, and alias members. Broadcast zones do not function in the same way as other zones. A broadcast zone does not allow access within its members in any way.
The dotted box represents the consolidated broadcast zone, which contains all of the devices that can receive broadcast packets. The actual delivery of broadcast packets is also controlled by the Admin Domain and zone enforcement logic. The consolidated broadcast zone is not an actual zone, but is just an abstraction used for explaining the behavior.
If the effective configuration has only a broadcast zone, then the configuration appears as a No Access configuration. To change this configuration to All Access, you must put all the available devices in a regular zone. Refer to Default zoning mode on page 319 for additional information about default zoning.
Zone aliases
A zone alias is a name assigned to a logical group of ports or WWNs.
switch:admin> cfgsave
WARNING!!! The changes you are attempting to save will render the Effective configuration and the Defined configuration inconsistent. The inconsistency will result in different Effective Zoning configurations for switches in the fabric if a zone merge or HA failover happens. To avoid inconsistency it is recommended to commit the configurations using the 'cfgenable' command.
Example
switch:admin> aliremove "array1", "1,2"
switch:admin> aliremove "array2", "21:00:00:20:37:0c:72:51"
switch:admin> aliremove "loop1", "4,6"
switch:admin> cfgsave
WARNING!!! The changes you are attempting to save will render the Effective configuration and the Defined configuration inconsistent. The inconsistency will result in different Effective Zoning configurations for switches in the fabric if a zone merge or HA failover happens.
The following example shows all zone aliases beginning with "arr":
switch:admin> alishow "arr*"
alias: array1 21:00:00:20:37:0c:76:8c
alias: array2 21:00:00:20:37:0c:66:23
The following example shows all zone aliases beginning with "arr", regardless of the case:
switch:admin> alishow --ic "arr*"
alias: array1 20:e0:00:05:33:11:1f:00
alias: array2 2f:11:00:05:33:c1:37:a2
Zone creation and maintenance
Fabric OS allows you to create zones to better manage devices.
Creating a zone
ATTENTION The zoneCreate command will add all zone member aliases that match the "aliasname_pattern" in the zone database to the new zone.
Use the following procedure to create a zone.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the zoneCreate command, using either of the following syntaxes:
zonecreate "zonename", "member[; member...
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the zoneAdd command, using either of the following syntaxes:
zoneadd "zonename", "member [; member...]"
zoneadd "zonename", "aliasname_pattern* [; members]"
NOTE The zoneAdd command supports partial pattern matching ("wildcards") of zone member aliases. This allows you to add multiple aliases that match the "aliasname_pattern" in the command line.
3.
3. Enter the cfgSave command to save the change to the defined configuration. The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile memory. If a transaction is open on a different switch in the fabric when this command is run, the transaction on the other switch is automatically aborted. A message displays on the other switches to indicate that the transaction was aborted.
4. Enter the cfgShow command to view the changes.
replaced. To achieve the effect of replacement, create a new alias (with the desired new name) containing the same members, and then delete the old alias.
Use the following procedure to replace members in a zone.
1. Connect to the switch and log in using an account with admin permissions.
2.
Deleting a zone
Use the following procedure to delete a zone.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the zoneDelete command, using the following syntax:
zonedelete "zonename"
3. Enter the cfgSave command to save the change to the defined configuration. The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile memory.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the zoneShow command, using the following syntax:
zoneshow [--sort] ["pattern"] [, mode]
If no parameters are specified, the entire zone database (both the defined and effective configuration) is displayed.
shown as "5,-1". A minus sign (-) before a domain ID indicates that this TI zone member has been deleted.
1,0; loop1
zone: White_zone 1,3; 1,4
alias: array1 21:00:00:20:37:0c:76:8c; 21:00:00:20:37:0c:71:02
alias: array2 21:00:00:20:37:0c:76:22; 21:00:00:20:37:0c:76:28
alias: loop1 21:00:00:20:37:0c:76:85; 21:00:00:20:37:0c:71:df
3. Enter the zone --validate command to list all zone members that are not part of the current zone enforcement table. Note that zone configuration names are case-sensitive; blank spaces are ignored.
Example of warning message
switch:admin> cfgsave
WARNING!!! The changes you are attempting to save will render the Effective configuration and the Defined configuration inconsistent. The inconsistency will result in different Effective Zoning configurations for switches in the fabric if a zone merge or HA failover happens. To avoid inconsistency it is recommended to commit the configurations using the 'cfgenable' command.
Default zoning mode
The default zoning mode controls device access if zoning is not implemented or if there is no effective zone configuration. The default zoning mode has two options:
• All Access -- All devices within the fabric can communicate with all other devices.
• No Access -- Devices in the fabric cannot access any other device in the fabric.
The default zone mode applies to the entire fabric, regardless of switch model. The default setting is "All Access", so until a zone configuration is enabled every device in the fabric can reach every other device.
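The zoning model this chapter has built up (aliases, zones and configurations held in a transaction buffer, committed to the defined configuration by cfgSave, made effective by cfgEnable, enforced per frame by the ASIC, and falling back to the default zone mode when nothing is effective) can be exercised offline with the following Python model. It is an added example written for this page, not Fabric OS code; the object names, WWNs and D,I members in it are constructed, and it models only the behaviour the sections above state.

```python
"""Model of the zoning objects described in this chapter (added example,
not Fabric OS code). Names, WWNs and D,I members are constructed."""
from copy import deepcopy


class ZoneDB:
    def __init__(self, defzone="allaccess"):
        # Edits go into the transaction buffer first; cfgsave commits it to the
        # defined configuration, cfgenable additionally makes one cfg effective.
        self.txn = {"aliases": {}, "zones": {}, "cfgs": {}}
        self.defined = deepcopy(self.txn)
        self.effective = None          # (cfgname, {zone: frozenset(members)})
        self.defzone = defzone         # "allaccess" or "noaccess"

    # -- editing the transaction buffer (alicreate / zonecreate / zoneadd / cfgcreate)
    def alicreate(self, name, members):
        self.txn["aliases"][name] = list(members)

    def zonecreate(self, name, members):
        self.txn["zones"][name] = list(members)

    def zoneadd(self, name, members):
        self.txn["zones"][name].extend(members)

    def cfgcreate(self, name, zones):
        self.txn["cfgs"][name] = list(zones)

    # -- committing
    def cfgsave(self):
        """Commit the buffer to the defined configuration.
        Returns True when that leaves defined and effective inconsistent,
        the condition behind the WARNING!!! text shown on this page."""
        self.defined = deepcopy(self.txn)
        if self.effective is None:
            return False
        cfgname, eff_zones = self.effective
        if cfgname not in self.defined["cfgs"]:
            return True
        return self._expand(self.defined, cfgname) != eff_zones

    def cfgenable(self, cfgname):
        """Commit the buffer and make cfgname effective with aliases expanded,
        which is how cfgshow displays the effective configuration."""
        self.defined = deepcopy(self.txn)
        self.effective = (cfgname, self._expand(self.defined, cfgname))

    @staticmethod
    def _expand(db, cfgname):
        expanded = {}
        for zname in db["cfgs"][cfgname]:
            members = set()
            for m in db["zones"][zname]:
                members.update(db["aliases"].get(m, [m]))   # alias -> its members
            expanded[zname] = frozenset(members)
        return expanded

    # -- enforcement
    def permits(self, src, dst):
        """Would the ASIC deliver a frame from src to dst? Members are D,I
        strings or WWNs written exactly as in the zone definitions."""
        if self.effective is None:              # no effective cfg: default zone mode
            return self.defzone == "allaccess"
        # hardware-enforced zoning: deliver only if both ends share a zone
        return any(src in z and dst in z for z in self.effective[1].values())


def demo():
    """Walk through the sequence the procedures above describe."""
    db = ZoneDB()
    db.alicreate("array1", ["21:00:00:20:37:0c:76:8c"])
    db.zonecreate("Blue_zone", ["1,1", "array1"])
    db.zonecreate("Red_zone", ["1,5", "21:00:00:20:37:0c:76:28"])
    db.cfgcreate("USA_cfg", ["Blue_zone"])
    unzoned = db.permits("1,1", "1,5")        # nothing effective yet: All Access
    db.cfgenable("USA_cfg")
    in_zone = db.permits("1,1", "21:00:00:20:37:0c:76:8c")   # same zone
    cross = db.permits("1,1", "1,5")          # Red_zone is not in USA_cfg
    db.zoneadd("Blue_zone", ["1,5"])
    warned = db.cfgsave()                     # defined now differs from effective
    not_yet = db.permits("1,1", "1,5")        # still enforced from the old effective
    return unzoned, in_zone, cross, warned, not_yet


if __name__ == "__main__":
    print(demo())   # (True, True, False, True, False)
```

What the model makes visible is the gap the WARNING!!! text refers to: after zoneAdd and cfgSave the new member is in the defined configuration, but the ASIC still enforces the old effective configuration until cfgEnable is run, and a merge or HA failover in that window can leave switches enforcing different effective configurations.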
[no] y
switch:admin> cfgsave
WARNING!!! The changes you are attempting to save will render the Effective configuration and the Defined configuration inconsistent. The inconsistency will result in different Effective Zoning configurations for switches in the fabric if a zone merge or HA failover happens. To avoid inconsistency it is recommended to commit the configurations using the 'cfgenable' command.
Zone configurations
You can store a number of zones in a zone configuration database. The maximum number of items that can be stored in the zone configuration database depends on the following criteria:
• Number of switches in the fabric.
• Number of bytes for each item name. The number of bytes required for an item name depends on the specifics of the fabric, but cannot exceed 64 bytes for each item.
Adding zones to a zone configuration
Use the following procedure to add members to a zone configuration.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the cfgAdd command, using the following syntax:
cfgadd "cfgname", "member [; member ...]"
3. Enter the cfgSave command to save the change to the defined configuration. The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile memory.
Enabling a zone configuration
The following procedure ends and commits the current zoning transaction buffer to nonvolatile memory. If a transaction is open on a different switch in the fabric when this procedure is run, the transaction on the other switch is automatically aborted. A message displays on the other switches to indicate that the transaction was aborted.
Use the following procedure to enable a zone configuration.
1.
Deleting a zone configuration
Use the following procedure to delete a zone configuration.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the cfgDelete command, using the following syntax:
cfgdelete "cfgname"
3. Enter the cfgSave command to save the change to the defined configuration. The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile memory.
alias: loop1 21:00:00:20:37:0c:76:85; 21:00:00:20:37:0c:71:df
Effective configuration:
cfg: USA_cfg
zone: Blue_zone 1,1
21:00:00:20:37:0c:76:8c
21:00:00:20:37:0c:71:02
1,2
21:00:00:20:37:0c:76:22
21:00:00:20:37:0c:76:28
zone: Purple_zone 1,0
21:00:00:20:37:0c:76:85
21:00:00:20:37:0c:71:df
Viewing selected zone configuration information
Use the following procedure to view the selected zone configuration information.
1.
Clearing all zone configurations
Use the following procedure to clear all zone configurations.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the cfgClear command to clear all zone information in the transaction buffer.
ATTENTION Be careful using the cfgClear command because it deletes the defined configuration.
4. Enter the cfgShow command to verify the new zone object is present.
switch:admin> cfgshow "Test*"
cfg: Test1 Blue_zone
cfg: Test_cfg Purple_zone; Blue_zone
switch:admin> cfgShow "US_Test1"
cfg: US_Test1 Blue_zone
5. If you want the change preserved when the switch reboots, use cfgSave to save it to nonvolatile (flash) memory.
6. Enter cfgEnable for the appropriate zone configuration to make the change effective.
Renaming a zone object
Use the following procedure to rename a zone object.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter cfgShow to view the zone configuration objects you want to rename.
Security and zoning
Zones provide controlled access to fabric segments and establish barriers between operating environments. They isolate systems with different uses, protecting individual systems in a heterogeneous environment; for example, when zoning is in secure mode, no merge operations occur. Brocade Advanced Zoning is configured on the primary fabric configuration server (FCS). The primary FCS switch makes zoning changes and other security-related changes.
configuration, the switch where the changes were made must close its transaction for the changes to be propagated throughout the fabric. If you have implemented default zoning, you must set the switch you are adding into the fabric to the same default zone mode setting as the rest of the fabric to avoid segmentation.
= z1; z2 is different from cfg1 = z2; z1, even though the members of the configuration are the same. If zone set members on two switches have the same names defined in the configuration, make sure the zone set members are listed in the same order.
NOTE In a large fabric, especially one whose zone configuration is 1 MB or more, the zone merge takes some time. During that period a host device may fail to discover a target at the other end of the fabric.
TABLE 64 Zone merging scenarios: Defined and effective configurations (Continued)
Description: Switch A and Switch B have the same defined configuration. Neither has an effective configuration.
Switch A: defined: cfg1 zone1: ali1; ali2; effective: none
Switch B: defined: cfg1 zone1: ali1; ali2; effective: none
Expected results: No change (clean merge).
Description: Switch A and Switch B have the same defined and effective configuration.
TABLE 65 Zone merging scenarios: Different content
Description: Effective configuration mismatch.
Switch A: defined: cfg1 zone1: ali1; ali2; effective: cfg1 zone1: ali1; ali2
Switch B: defined: cfg2 zone2: ali3; ali4; effective: cfg2 zone2: ali3; ali4
Expected results: Fabric segments due to: Zone Conflict cfg mismatch
Description: Configuration content mismatch.
TABLE 67 Zone merging scenarios: TI zones (Continued)
Description: Switch A has a TI zone. Switch B has a different TI zone.
Switch A: defined: cfg1 TI_zone1
Switch B: defined: cfg1 TI_zone2
Expected results: Fabric segments due to: Zone Conflict cfg mismatch. Cannot merge switches with different TI zone configurations.
Description: Switch A has Enhanced TI zones.
Switch A: defined: cfg1
Switch B: defined: none
Expected results: Clean merge. TI zones are not automatically activated after the merge.
TABLE 69 Zone merging scenarios: Default access mode (with Fabric OS 7.3.0 or later on initiator and responder)
Description: Different default zone access mode settings.
Switch A (Initiator with FOS 7.3.0): defzone: allaccess
Switch B (Responder with FOS 7.3.0): defzone: noaccess
Expected results: Fabric segments due to zone conflict.
TABLE 70 Zone merging scenarios: Default access mode (with Fabric OS 7.3.0 or later on initiator and pre-Fabric OS 7.3.0 on responder)
Description: Different default zone access mode settings.
Switch A (Initiator with FOS 7.3.0): defzone: allaccess
Switch B (Responder with pre-FOS 7.3.0): defzone: noaccess
Expected results: Fabric merges; allaccess on Switch A changes to noaccess.
TABLE 71 Zone merging scenarios: Default access mode (with pre-Fabric OS 7.3.0 on initiator and Fabric OS 7.3.0 or later on responder)
Description: Different default zone access mode settings.
Switch A (Initiator with pre-FOS 7.3.0): defzone: allaccess
Switch B (Responder with FOS 7.3.0): defzone: noaccess
Expected results: Fabric segments due to zone conflict.
TABLE 72 Zone merging scenarios: Mixed Fabric OS versions
Description: Switch A is running Fabric OS 7.0.0 or later. Switch B is running a Fabric OS version earlier than 7.0.0.
Switch A: effective: cfg1; defzone = allaccess
Switch B: No effective configuration; defzone = noaccess
Expected results: Fabric segments due to zone conflict.
Description: Switch A is running Fabric OS 7.0.0 or later. Switch B is running a Fabric OS version earlier than 7.0.0.
Switch A: No effective configuration.
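The merge outcomes tabulated above can be collected into a pre-flight check run against two switches' zoning state before an ISL between them is connected. The following Python is an added example for this page, not Fabric OS code: it encodes Tables 64, 65, 67 and 69 through 72 and the member-ordering rule from Fabric segmentation and zoning as read here (in particular, Table 72 is taken to govern whenever one side has an effective configuration and the default zone modes differ), and the switch states it checks are constructed.

```python
"""Pre-merge check for two switches' zoning state (added example, not
Fabric OS code). Encodes the rules in Tables 64-72 and the member-order
rule of this chapter; the switch states in demo() are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SwitchZoning:
    fos: Tuple[int, int, int]                 # Fabric OS version, e.g. (7, 3, 0)
    defined: Dict[str, List[str]] = field(default_factory=dict)  # object -> ordered members
    effective: Optional[str] = None           # name of the effective cfg, if any
    defzone: str = "allaccess"                # default zone mode: allaccess | noaccess


def merge_check(initiator: SwitchZoning, responder: SwitchZoning):
    """Return ("merge", note) or ("segment", reason) for an ISL brought up
    from `initiator` to `responder`."""
    a, b = initiator, responder
    # Same-named objects must match in content AND member order:
    # cfg1 = z1; z2 is a different cfg1 from cfg1 = z2; z1 (also covers
    # Table 67: same cfg holding different TI zones).
    for name in sorted(a.defined.keys() & b.defined.keys()):
        if a.defined[name] != b.defined[name]:
            return ("segment", f"Zone Conflict cfg mismatch: {name} differs in content or order")
    # Table 65: two switches both carrying an effective cfg must carry the same one.
    if a.effective and b.effective and a.effective != b.effective:
        return ("segment", "Zone Conflict cfg mismatch: effective configurations differ")
    if a.defzone != b.defzone:
        # Table 72: an effective cfg on one side plus a different default
        # mode on the other segments, whatever the versions.
        if a.effective or b.effective:
            return ("segment", "zone conflict: effective cfg versus different default zone mode")
        # Table 70: a 7.3.0+ initiator joining a pre-7.3.0 responder adopts its mode.
        if a.fos >= (7, 3, 0) and b.fos < (7, 3, 0):
            return ("merge", f"initiator defzone changes {a.defzone} -> {b.defzone}")
        # Tables 69 and 71: every other mixed default-mode pairing segments.
        return ("segment", "zone conflict: default zone access modes differ")
    return ("merge", "clean merge")          # Table 64


def demo():
    """Outcome for each tabulated scenario, keyed by table."""
    same = {"cfg1": ["z1", "z2"], "z1": ["ali1", "ali2"]}
    flipped = {"cfg1": ["z2", "z1"], "z1": ["ali1", "ali2"]}
    other = {"cfg2": ["z2"], "z2": ["ali3", "ali4"]}
    return {
        "t64": merge_check(SwitchZoning((7, 3, 0), same), SwitchZoning((7, 3, 0), same))[0],
        "order": merge_check(SwitchZoning((7, 3, 0), same), SwitchZoning((7, 3, 0), flipped))[0],
        "t65": merge_check(SwitchZoning((7, 3, 0), same, effective="cfg1"),
                           SwitchZoning((7, 3, 0), other, effective="cfg2"))[0],
        "t69": merge_check(SwitchZoning((7, 3, 0), defzone="allaccess"),
                           SwitchZoning((7, 3, 0), defzone="noaccess"))[0],
        "t70": merge_check(SwitchZoning((7, 3, 0), defzone="allaccess"),
                           SwitchZoning((7, 2, 0), defzone="noaccess"))[0],
        "t71": merge_check(SwitchZoning((7, 2, 0), defzone="allaccess"),
                           SwitchZoning((7, 3, 0), defzone="noaccess"))[0],
        "t72": merge_check(SwitchZoning((7, 3, 0), same, effective="cfg1", defzone="allaccess"),
                           SwitchZoning((6, 4, 0), defzone="noaccess"))[0],
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(scenario, outcome)
```

The ordered-list comparison is deliberate: a set comparison would report cfg1 = z1; z2 and cfg1 = z2; z1 as identical, which is exactly the case the text above says still segments the fabric.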
Do you want to enable 'cfg' configuration (yes, y, no, n): [no]
u30:FID128:admin> cfgsave
You are about to save the Defined zoning configuration. This action will only save the changes on Defined configuration.
Multiple open transactions are pending in this fabric. Only one transaction can be saved. Please abort all unwanted transactions using the cfgtransabort command.
Traffic Isolation Zoning ● Traffic Isolation Zoning overview...................................................................................341 ● TI zone failover .............................................................................................................342 ● Enhanced TI zones....................................................................................................... 346 ● Traffic Isolation Zoning over FC routers................................................................
FIGURE 32 Traffic Isolation zone creating a dedicated path through the fabric
In this illustration, all traffic entering Domain 1 from N_Ports 7 and 8 is routed through E_Port 1. Similarly, traffic entering Domain 3 from E_Port 9 is routed to E_Port 12, and traffic entering Domain 4 from E_Port 7 is routed to the devices through N_Ports 5 and 6. Traffic coming from other ports in Domain 1 would not use E_Port 1, but would use E_Port 2 instead.
TABLE 73 Traffic behavior when failover is enabled or disabled in TI zones
Failover enabled: If the dedicated path is not the shortest path or if the dedicated path is broken, the TI zone traffic will use a non-dedicated path instead.
Failover disabled: If the dedicated path is not the shortest path or if the dedicated path is broken, traffic for that TI zone is halted until the dedicated path is fixed.
Disabling failover locks the specified route so that only TI zone traffic can use it. Non-TI zone traffic is excluded from using the dedicated path.
• You should enable failover-enabled TI zones before enabling failover-disabled TI zones, to avoid dropped frames. When you issue the cfgEnable command to enable the zone configuration, if you have failover-disabled zones, do the following:
1. Temporarily change failover-disabled TI zones to failover-enabled.
• If failover is enabled, non-TI zone traffic as well as TI zone traffic uses the dedicated ISL.
• If failover is disabled, non-TI zone traffic is blocked because it cannot use the dedicated ISL, which is the lowest-cost path.
For example, in Figure 34, there is a dedicated path between Domain 1 and Domain 3, and another, non-dedicated, path that passes through Domain 2.
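The failover rules in Table 73 and the two bullets above can be made concrete with a small FSPF-style route model. This Python is an added example for this page, not Fabric OS code: the three-domain topology (a dedicated ISL between Domain 1 and Domain 3 and a non-dedicated path through Domain 2, as in Figure 34), the ISL names and the link costs are constructed, and the decision rules are only those stated in this section.

```python
"""FSPF-style route choice under TI zone failover rules (added example,
not Fabric OS code). Topology, ISL names and link costs are constructed."""
import heapq

# Domains 1, 2, 3 as in Figure 34: a dedicated ISL 1-3 and a non-dedicated
# path 1-2-3. Each entry: isl name -> ((domain, domain), FSPF link cost).
LINKS = {
    "isl_1_3": ((1, 3), 1),
    "isl_1_2": ((1, 2), 1),
    "isl_2_3": ((2, 3), 1),
}
DEDICATED = {"isl_1_3"}          # ISLs whose E_Ports are in the TI zone


def lowest_cost_path(links, usable, up, src, dst):
    """Dijkstra over the ISLs in `usable` that are currently `up`.
    Returns (cost, [isl names]) or (None, None) if dst is unreachable."""
    best = {src: (0, [])}
    heap = [(0, src)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue                      # stale heap entry
        if node == dst:
            return best[node]
        for name, ((a, b), c) in links.items():
            if name not in usable or name not in up or node not in (a, b):
                continue
            nxt = b if node == a else a
            if nxt not in best or cost + c < best[nxt][0]:
                best[nxt] = (cost + c, best[node][1] + [name])
                heapq.heappush(heap, (cost + c, nxt))
    return (None, None)


def ti_route(links, dedicated, src, dst, ti_flow, failover, up):
    """ISLs a flow src->dst takes, or None if the flow is halted/blocked.
    ti_flow: both endpoints are members of the TI zone.
    failover: the TI zone's failover option.  up: set of ISL names that are up."""
    any_cost, any_path = lowest_cost_path(links, set(links), up, src, dst)
    ded_cost, ded_path = lowest_cost_path(links, dedicated, up, src, dst)
    if ti_flow:
        # The dedicated path is used while it is intact and is a lowest-cost path.
        if ded_path is not None and ded_cost == any_cost:
            return ded_path
        # Table 73: failover-enabled TI traffic moves to a non-dedicated path;
        # failover-disabled TI traffic is halted until the dedicated path is fixed.
        if failover:
            return lowest_cost_path(links, set(links) - dedicated, up, src, dst)[1]
        return None
    # Non-TI traffic: with failover enabled it may share the dedicated ISL;
    # with failover disabled it is excluded from it, and is blocked when the
    # dedicated ISL is the lowest-cost path FSPF would select.
    if failover or any_path is None:
        return any_path
    if any(name in dedicated for name in any_path):
        return None
    return any_path


if __name__ == "__main__":
    up = set(LINKS)
    print(ti_route(LINKS, DEDICATED, 1, 3, True, False, up))    # ['isl_1_3']
    print(ti_route(LINKS, DEDICATED, 1, 3, False, False, up))   # None: non-TI blocked
    print(ti_route(LINKS, DEDICATED, 1, 3, True, True, up - {"isl_1_3"}))  # fallback path
```

The second printed case is the operational trap the bullets above describe: with failover disabled, devices outside the TI zone whose lowest-cost path is the dedicated ISL lose connectivity between Domain 1 and Domain 3 even though the fabric is fully up.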
Enhanced TI zones
In Fabric OS v6.4.0 and later, ports can be in multiple TI zones at the same time. Zones with overlapping port members are called enhanced TI zones (ETIZ). Enhanced TI zones are especially useful in FICON fabrics. The following figure shows an example of two TI zones. Because these TI zones have an overlapping port (3,8), they are enhanced TI zones.
FIGURE 36 Enhanced TI zones
See the FICON Administrator's Guide for example topologies using enhanced TI zones.
Illegal ETIZ configuration: separate paths from a single port to the same domain
The TI zones are enhanced TI zones because they have an overlapping member (3,8). Each zone describes a different path from the Target to Domain 1. Traffic is routed correctly from Host 1 and Host 2 to the Target; however, traffic from the Target to the Hosts might not be. Traffic from (3,8) destined for Domain 1 cannot go through both port 6 and port 7, so only one port is chosen.
FIGURE 38 Illegal ETIZ configuration: two paths from one port
Traffic Isolation Zoning over FC routers
This section describes how TI zones work with Fibre Channel routing (TI over FCR). Refer to Using FC-FC Routing to Connect Fabrics on page 533 for information about FC routers, phantom switches, and the FC-FC Routing Service.
FIGURE 39 Traffic Isolation Zoning over FCR
In addition to setting up TI zones, you must also ensure that the devices are in an LSAN zone so that they can communicate with each other. If failover is enabled and the TI path is not available, an alternate path is used. If failover is disabled and the TI path is not available, then devices are not imported.
FIGURE 40 TI zone in an edge fabric
In the TI zone, when you designate E_Ports between the front and xlate phantom switches, you must use -1 in place of the "I" in the D,I notation. Both the front and xlate domains must be included in the TI zone.
FIGURE 41 TI zone in a backbone fabric
TI zones within the backbone fabric use the port WWN instead of D,I notation for devices that are to communicate across fabrics. (You can use the portShow command to obtain the port WWN.) Port WWNs should be used only in TI zones within a backbone fabric and should not be used in other TI zones.
• For TI over FCR, failover must be enabled in the TI zones in the edge fabrics and in the backbone fabric.
• TI over FCR is not supported with FC Fast Write.
• ETIZ over FCR is not supported.
• For the FC8-16, FC8-32, FC8-48, FC8-64, and FX8-24 blades only: If Virtual Fabrics is disabled, two or more shared area EX_Ports connected to the same edge fabric should not be configured in different TI zones. This configuration is not supported.
FIGURE 42 Fabric-level traffic isolation
In the figure, there are two links between each edge fabric and the backbone fabric, and there are five links between the two FC routers in the backbone. Fabric ID 1 and Fabric ID 4 communicate only with each other. Two backbone ISLs are dedicated to traffic between FID1 and FID4. These dedicated ISLs are indicated in red and blue.
Fabric-Level TI zones
Fabric-Level Traffic Isolation is accomplished through the use of TI zones.
• Create a separate TI zone for each path
• Combine all of the paths in a single TI zone
The option you select affects the failover behavior of the TI zones.
Failover behavior for Fabric-Level TI zones
Fabric-Level Traffic Isolation requires the TI zones in the backbone to have failover enabled. The failover behavior differs depending on how you create the TI zones.
cfg: ...
switch:admin> cfgenable
You are about to enable a new zoning configuration. This action will replace the old zoning configuration with the current configuration selected.
zone config "name" is in effect
Updating flash ...
switch:admin>
switch:admin> zone --show
Defined TI zone configuration:
TI Zone Name: TI_Zone_ALL
Port List: 20,3; 20,4; 20,5; 20,6; 30,7; 30,8; 30,9; 30,10
Configured Status: Activated / Failover-Enabled
Enabled Status: Activated / Failover-Enabled
The enabled status now displays as "Activated".
FIGURE 43 TI zone misconfiguration
Traffic Isolation Zone violation handling for trunk ports
For any trunk group, all the members of the group need to belong to the TI zone to prevent routing issues resulting from changes in the members of the trunk group. This applies to any E_Port or F_Port trunk groups that are included in TI zones using failover disabled mode.
Trunk members in TI zone: 16
Trunk members not in TI zone: 17 18
Supported configurations for Traffic Isolation Zoning
The following configuration rules apply to TI zones:
• Ports in a TI zone must belong to switches that run Fabric OS v6.0.0 or later. For TI over FCR zones, all switches and FC routers in both edge and backbone fabrics must be running Fabric OS v6.1.0 or later.
Trunk members in TI zone: 16 18
Trunk members not in TI zone: 17
F-Port Trunks
Trunk members in TI zone: 4 5
Trunk members not in TI zone: 6
TI Zone Name: loop
E-Port Trunks
Trunk members in TI zone: 0
Trunk members not in TI zone: 1
TI Zone Name: operand
E-Port Trunks
Trunk members in TI zone: 8
Trunk members not in TI zone: 9 10
E-Port Trunks
Trunk members in TI zone: 16
Trunk members not in TI zone: 17 18
Limitations and restrictions of Traffic Isolation Zoning
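The trunk-group rule and the report format shown above can be reproduced with the following Python, an added example for this page rather than Fabric OS code. The TI zone port lists and trunk groups are constructed so that they produce the same split groups as the output above, and the helper that lists the D,I members needed to complete each trunk group is this example's own addition, not a Fabric OS command.

```python
"""TI zone trunk-membership check (added example, not Fabric OS code).
Reproduces the split-trunk report that zone --show prints on this page and
adds a helper listing the D,I members needed to complete each group.
TI zone port lists and trunk groups below are constructed."""
from collections import defaultdict

# Constructed TI zones: name -> set of (domain, index) port members.
TI_ZONES = {
    "fport_zone": {(2, 4), (2, 5)},
    "loop": {(1, 0)},
    "operand": {(1, 8), (1, 16)},
}

# Constructed trunk groups per domain: kind -> list of member index lists.
TRUNKS = {
    1: {"E-Port Trunks": [[0, 1], [8, 9, 10], [16, 17, 18]]},
    2: {"F-Port Trunks": [[4, 5, 6]]},
}


def split_trunks(ti_zones, trunks):
    """For each TI zone, list trunk groups that are only partly in the zone.
    Returns {zone: [(kind, domain, in_zone, not_in_zone), ...]}; groups that
    are wholly inside or wholly outside the zone are not violations."""
    report = defaultdict(list)
    for zname, ports in ti_zones.items():
        for domain, groups in trunks.items():
            for kind, members_list in groups.items():
                for members in members_list:
                    inside = [i for i in members if (domain, i) in ports]
                    outside = [i for i in members if (domain, i) not in ports]
                    if inside and outside:            # the violation
                        report[zname].append((kind, domain, inside, outside))
    return dict(report)


def format_report(report):
    """Render in the style of the zone --show output above."""
    lines = []
    for zname, entries in report.items():
        lines.append(f"TI Zone Name: {zname}")
        for kind, _domain, inside, outside in entries:
            lines.append(kind)
            lines.append("Trunk members in TI zone: " + " ".join(map(str, inside)))
            lines.append("Trunk members not in TI zone: " + " ".join(map(str, outside)))
    return "\n".join(lines)


def members_to_add(report, zname):
    """D,I strings that, added to zname, bring every split trunk group wholly
    into the zone (this helper is the example's addition, not a CLI feature)."""
    return [f"{d},{i}" for _kind, d, _inside, outside in report.get(zname, [])
            for i in outside]


if __name__ == "__main__":
    r = split_trunks(TI_ZONES, TRUNKS)
    print(format_report(r))
    print("operand needs:", members_to_add(r, "operand"))   # ['1,9', '1,10', '1,17', '1,18']
```

The text above scopes the rule to TI zones that run with failover disabled; when running this against a real zone database, filter the zones by that option first, since a partly covered trunk in a failover-enabled zone degrades to a non-dedicated path rather than halting traffic.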
Admin Domain considerations for Traffic Isolation Zoning
If you implement Admin Domains and TI zones, you should keep the following points in mind:
• TI zones are applicable only in AD0, and the E_Ports that are members of a TI zone must be in the AD0 device list. Because TI zones must use D,I notation, the AD0 device list must be declared using D,I notation for ports that are to be used in TI zones.
FIGURE 44 Dedicated path with Virtual Fabrics
Figure 45 shows a logical representation of FID1 in Figure 44. To create the dedicated path, you must create and activate a TI zone in FID1 that includes the circled ports shown in Figure 45.
FIGURE 45 Creating a TI zone in a logical fabric
You must also create and activate a TI zone in the base fabric to reserve the XISLs for the dedicated path.
Using D,I notation, the port numbers for the TI zones in the logical fabric and base fabric are as follows:
Port members for the TI zone in logical fabric:
8,8 F_Port
8,1 E_Port
3,3 E_Port
3,10 E_Port
5,16 E_Port
5,8 E_Port
9,5 E_Port
Port members for the TI zone in base fabric:
1,3 E_Port for ISL in logical switch
1,10 E_Port for XISL
7,12 E_Port for XISL
7,14 E_Port for XISL
2,16 E_Port for XISL
2,8 E_Port for ISL in logical switch
Figure 48 shows a logical representation of the configuration in Figure 47. This SAN is similar to that shown in Figure 39 on page 349 and you would set up the TI zones in the same way as described in Traffic Isolation Zoning over FC routers on page 348.
FIGURE 48 Logical representation of TI zones over FC routers in logical fabrics
Creating a TI zone
You create and modify TI zones using the zone command.
Use the following procedure to create a TI zone. If you are creating a TI zone in a base fabric, use the procedure described in Creating a TI zone in a base fabric on page 365.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the zone --create command:
zone --create -t objtype [-o optlist] name -p "portlist"
Be aware of the ramifications if you create a TI zone with failover mode disabled.
To create a TI zone in the backbone fabric with failover enabled and the state set to activated (default settings):
switch:admin> zone --create -t ti backbonezone -p "10:00:00:04:1f:03:16:f2; 1,1; 1,4; 2,7; 2,1; 10:00:00:04:1f:03:18:f1; 10:00:00:04:1f:04:06:e2"
To create TI zones in a logical fabric, such as the one shown in Figure 44 on page 361:
Log in to the logical switch FID1, Domain 7 and create a TI zone in the logical fabric with FID=1:
LS1> zone --create -t ti
a) Change the failover option to failover enabled. This is a temporary change to avoid frame loss during the transition.
zone --add -o f name
b) Enable the zones.
cfgenable "current_effective_configuration"
c) Reset the failover option to failover disabled. Then continue with step 4.
zone --add -o n name
5. Enter the cfgEnable command to reactivate your current effective configuration and enforce the TI zones.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter one of the following commands, depending on how you want to modify the TI zone.
• Enter the zone --add command to add ports or change the failover option for an existing TI zone. You can also activate or deactivate the zone.
zone --add [-o optlist] name -p "portlist"
zone --add -o optlist name [-p "portlist"]
• Enter the zone --remove command to remove ports from an existing TI zone.
Changing the state of a TI zone
You can change the state of a TI zone to activated or deactivated. Changing the state only updates the zone's configured status; it does not by itself activate or deactivate the zone. After you change the state of the TI zone, you must enable the current effective configuration to enforce the change. The TI zone must exist before you can change its state.
1. Connect to the switch and log in using an account with admin permissions.
2.
To delete the TI zone bluezone, type:
switch:admin> zone --delete bluezone
Remember that your changes are not enforced until you enter the cfgEnable command.
Displaying TI zones
Use the zone --show command to display information about TI zones.
Example displaying members for the zone "TI_zone", regardless of the case
switch:admin> zone --show -ic TI_zone*
Defined TI zone configuration:
TI Zone Name: TI_zone
Port List: 7,8
Configured Status: Activated / Failover-Enabled
Enabled Status: Deactivated
TI Zone Name: ti_zone
Port List: 3,3
Configured Status: Activated / Failover-Enabled
Enabled Status: Deactivated
Troubleshooting TI zone routing problems
Use the following procedure to generate a report of existing
FIGURE 49 TI over FCR example
NOTE In the following procedure the three TI zones in the edge and backbone fabrics are all given the same name, TI_Zone1. It is not required that the TI zones have the same name, but this is done to avoid confusion. If several dedicated paths are set up across the FC router, the TI zones for each path can have the same name.
1.
Effective configuration:
cfg: cfg_TI
zone: lsan_t_i_TI_Zone1
10:00:00:00:00:00:02:00:00
10:00:00:00:00:00:03:00:00
10:00:00:00:00:00:08:00:00
E1switch:admin> cfgenable cfg_TI
You are about to enable a new zoning configuration. This action will replace the old zoning configuration with the current configuration selected.
10:00:00:00:00:02:00:00; 10:00:00:00:00:03:00:00
Status: Activated
Failover: Enabled
b) Enter the following commands to reactivate your current effective configuration and enforce the TI zones.
BB_DCX_1:admin> cfgactvshow
Effective configuration:
cfg: cfg_TI
zone: lsan_t_i_TI_Zone1
10:00:00:00:00:00:02:00:00
10:00:00:00:00:00:03:00:00
10:00:00:00:00:00:08:00:00
BB_DCX_1:admin> cfgenable cfg_TI
You are about to enable a new zoning configuration.
Optimizing Fabric Behavior ● Adaptive Networking overview...................................................................................... 375 ● Ingress Rate Limiting.................................................................................................... 376 ● QoS............................................................................................................................... 377 ● CS_CTL-based frame prioritization................................................................
Ingress Rate Limiting

• You can use Top Talkers to identify the SID/DID pairs that consume the most bandwidth and can then configure them with certain QoS attributes so they get proper priority.
• If the bottleneck detection feature detects a latency bottleneck, you can use TI zones or QoS to isolate latency device traffic from high-priority application traffic.
Disabling Ingress Rate Limiting

1. Connect to the switch and log in using an account with admin permissions.
2. Enter the portCfgQos --resetratelimit command.

   portcfgqos --resetratelimit [slot/]port

Example of disabling Ingress Rate Limiting on slot 3, port 9:

   portcfgqos --resetratelimit 3/9

QoS

Quality of Service (QoS) allows you to categorize the traffic flow between a host and a target as having a high, medium, or low priority.
License requirements for QoS

TABLE 74 Comparison between CS_CTL-based and QoS zone-based prioritization (Continued)

CS_CTL-based frame prioritization          | QoS zone-based traffic prioritization
Setup steps:                               | Setup steps:
• Enable CS_CTL mode on F_Ports or         | • Create QoS zones with host/target members.
  FL_Ports.                                | • Add the QoS zones to the zone configuration.
• Ensure that the CS_CTL mode-enabled      | • Save and then enable the zone configuration.
  host and storage are zoned together.     | • Enable QoS on E_Ports.
Supported configurations for CS_CTL-based frame prioritization

TABLE 75 Mapping of CS_CTL values to QoS priority for frame prioritization in CS_CTL default mode (Continued)

CS_CTL value   Priority
17-24          High

Alternatively, the user can apply CS_CTL auto mode. The CS_CTL auto mode uses only three CS_CTL values, as illustrated in Table 76.
1. Connect to the switch and log in to an account that has admin permissions.
2. Enable CS_CTL mode:

   portcfgqos --enable [slot/]port csctl_mode

3. Enter y at the prompt to override QoS zone-based traffic prioritization.

Disabling CS_CTL-based frame prioritization on ports

When you disable CS_CTL-based frame prioritization, QoS zone-based traffic prioritization is restored if it had been previously enabled.

1.
QoS zone-based traffic prioritization

QoS zone-based traffic prioritization allows you to categorize the traffic flow between a host and a target as having a high, medium, or low priority, depending on the type of zone. High-, medium-, and low-priority flows are allocated to different virtual channels (VCs). High-priority flows receive more fabric resources than medium-priority flows, which receive more resources than low-priority flows.
Optimizing Fabric Behavior

The switch automatically sets the priority for the "host,target" pairs specified in the zones according to the priority level (H, M, or L) in the zone name. For high and low priority traffic, the flow id allows you to have control over the VC assignment and control over balancing the flows throughout the fabric. The id range is as follows:
• 1 through 5 for high-priority traffic, which corresponds to VCs 10 through 14.
QoS on E_Ports

In addition to configuring the hosts and targets in a zone, you must also enable QoS on individual E_Ports that might carry traffic between the host and target pairs. Path selection between the "host,target" pairs is governed by FSPF rules and is not affected by QoS priorities. For example, in the following figure, QoS should be enabled on the encircled E_Ports.

NOTE
By default, QoS is enabled on 8-Gbps or higher ports, except for long-distance 8-Gbps ports.
Virtual Fabrics considerations for QoS zone-based traffic prioritization

• Define QoS zones in each edge fabric.
• Define LSAN zones in each edge fabric.
• Enable QoS on the E_Ports in each edge fabric.
• Enable QoS on the EX_Ports in the backbone fabric.

Refer to Setting QoS zone-based traffic prioritization over FC routers on page 387 for detailed instructions.

The following are requirements for establishing QoS over FC routers:
• QoS over FC routers is supported in Brocade native mode only.
FIGURE 52 Traffic prioritization in a logical fabric

High-availability considerations for QoS zone-based traffic prioritization

If the standby control processor (CP) is running a Fabric OS version earlier than 6.3.0 and is synchronized with the active CP, then QoS zones using D,I notation cannot be created. If the standby CP is not synchronized or if no standby CP exists, then the QoS zone creation succeeds.
Limitations and restrictions for QoS zone-based traffic prioritization

• Enabling and disabling QoS is potentially disruptive to the I/O on the affected port.
Setting QoS zone-based traffic prioritization over FC routers

5. Enter the cfgEnable command for the appropriate zone configuration to make the change effective.

   cfgenable "cfgname"

6. Enter the portCfgQos command to enable QoS on the E_Ports, by using the following syntax:

   portcfgqos --enable [slot/]port

   The portCfgQos command does not affect QoS prioritization. It only enables or disables the link to pass QoS priority traffic.

NOTE
QoS is enabled by default on all ports (except long-distance ports).
Disabling QoS zone-based traffic prioritization

   The QoS zones must have WWN members only, and not D,I members. Refer to Setting QoS zone-based traffic prioritization on page 386 for instructions.
3. Create LSAN zones in the edge fabric. Refer to Controlling device communication with the LSAN on page 560 for instructions.
4. Enter the portCfgQos --enable command to enable QoS on the E_Ports.

   portcfgqos --enable [slot/]port

5.
Bottleneck Detection

● Bottleneck detection overview, page 389
● Supported configurations for bottleneck detection, page 391
● Enabling bottleneck detection on a switch, page 392
● Displaying bottleneck detection configuration details
Types of bottlenecks

The bottleneck detection feature detects two types of bottlenecks:
• Latency bottleneck
• Congestion bottleneck

A latency bottleneck is a port where the offered load exceeds the rate at which the other end of the link can continuously accept traffic, but does not exceed the physical capacity of the link. This condition can be caused by a device attached to the fabric that is slow to process received frames and send back credit returns.
Supported configurations for bottleneck detection

The following configuration rules apply to bottleneck detection:
• Bottleneck detection is supported only on the following Fibre Channel port types:
  ‐ E_Ports
  ‐ EX_Ports
  ‐ F_Ports
  ‐ FL_Ports
  ‐ F_Port and E_Port trunks
  ‐ Long distance E_Ports
• Bottleneck detection is not supported on either SIM ports or FCoE ports.
For masterless trunking, if the master port goes offline, the new master acquires all the configurations and bottleneck history of the old master and continues with bottleneck detection on the trunk.

Virtual Fabrics considerations for bottleneck detection

Bottleneck detection is supported in both VF and non-VF modes.
Displaying bottleneck detection configuration details

Examples

The following example enables bottleneck detection on the switch with alerts using default values for thresholds and time, and is the recommended manner of enabling bottleneck detection:

switch:admin> bottleneckmon --enable -alert

The following example enables bottleneck detection on the switch without alerts. In this case, even though alerts are not delivered, you can still view the bottleneck history using either the CLI or BNA.
Setting bottleneck detection alerts

This example shows that only a congestion alert at the switch level has been set:

switch:admin> bottleneckmon --status
Bottleneck detection - Enabled
==============================
Switch-wide sub-second latency bottleneck criterion:
====================================================
Time threshold - 0.800
Severity threshold - 50.000
Switch-wide alerting parameters:
================================
Alerts - Congestion only
Congestion threshold for alert - 0.
Setting both a congestion alert and a latency alert

which 6 seconds are affected by a congestion bottleneck and 3 seconds are affected by a latency bottleneck.

switch:admin> bottleneckmon -alert -time 12 -cthresh 0.8 -lthresh 0.1

FIGURE 53 Affected seconds for bottleneck detection

For this time window, 50 percent of the seconds (6 out of 12 seconds) are affected by congestion. This is below the threshold of 80 percent, so an alert would not be generated for a congestion bottleneck.
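The window arithmetic described above (affected seconds within the -time averaging window compared against -cthresh and -lthresh) can be modelled offline to sanity-check a planned alert configuration before applying it to a switch. The following Python is an added example, not Brocade code and not switch output. It assumes a per-second history labelled ok/congestion/latency, assumes that an alert fires when the affected fraction is at or above the threshold, mirrors the alert-kind selection shown in the status outputs on this page (all alerts, congestion only, latency only), and interprets the QTime column shown later on this page as a quiet time that suppresses repeat alerts of the same kind; that interpretation and the field names are assumptions.

```python
"""Model of the bottleneck-detection alert rule: a sliding window of -time
seconds, the fraction of those seconds affected by congestion or latency,
and the -cthresh / -lthresh thresholds. Added example; not Brocade code.
Assumptions: an alert fires when the affected fraction is at or above the
threshold, and qtime is a quiet period suppressing repeat alerts of the
same kind."""

from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

OK, CONGESTION, LATENCY = "ok", "congestion", "latency"


@dataclass(frozen=True)
class AlertConfig:
    alerts: str = "both"   # enabled alert kinds: both, congestion, latency, none
    time: int = 300        # -time: averaging window in seconds
    cthresh: float = 0.8   # -cthresh: congestion threshold, fraction of the window
    lthresh: float = 0.1   # -lthresh: latency threshold, fraction of the window
    qtime: int = 300       # assumed quiet time between alerts of one kind, seconds


def evaluate_window(window: Sequence[str], cfg: AlertConfig) -> Dict[str, object]:
    """Classify one averaging window; each element is the state of one second."""
    n = len(window)
    congested = sum(1 for s in window if s == CONGESTION)
    latent = sum(1 for s in window if s == LATENCY)
    cfrac = congested / n if n else 0.0
    lfrac = latent / n if n else 0.0
    want_c = cfg.alerts in ("both", "congestion")
    want_l = cfg.alerts in ("both", "latency")
    return {
        "congestion_fraction": cfrac,
        "latency_fraction": lfrac,
        # assumption: reaching the threshold is enough to alert
        "congestion_alert": want_c and cfrac >= cfg.cthresh,
        "latency_alert": want_l and lfrac >= cfg.lthresh,
    }


def run_detection(history: Sequence[str], cfg: AlertConfig) -> List[Tuple[int, str]]:
    """Slide the window over a per-second history and return (second, kind)
    for every alert that would be raised, honouring the quiet time per kind."""
    raised: List[Tuple[int, str]] = []
    last_alert: Dict[str, int] = {}
    for end in range(cfg.time, len(history) + 1):
        result = evaluate_window(history[end - cfg.time:end], cfg)
        for kind, flag in ((CONGESTION, result["congestion_alert"]),
                           (LATENCY, result["latency_alert"])):
            if not flag:
                continue
            last = last_alert.get(kind)
            if last is None or end - last >= cfg.qtime:
                raised.append((end, kind))
                last_alert[kind] = end
    return raised


# Constructed 12-second window matching the guide's worked example:
# 6 seconds of congestion, 3 seconds of latency, 3 unaffected seconds.
SAMPLE_WINDOW: List[str] = [CONGESTION] * 6 + [LATENCY] * 3 + [OK] * 3
SAMPLE_CFG = AlertConfig(alerts="both", time=12, cthresh=0.8, lthresh=0.1, qtime=12)


if __name__ == "__main__":
    # 6/12 = 0.50 < 0.8: no congestion alert; 3/12 = 0.25 >= 0.1: latency alert
    print(evaluate_window(SAMPLE_WINDOW, SAMPLE_CFG))
    # three repeats of the window: one latency alert per quiet period
    print(run_detection(SAMPLE_WINDOW * 3, SAMPLE_CFG))
```

Running the sample reproduces the guide's reasoning: congestion sits at 50 percent of the window, below the 80 percent threshold, while latency at 25 percent clears the 10 percent threshold. Feeding a longer history shows how the quiet time spaces repeated alerts, which is the lever to turn when a persistently slow-draining device would otherwise flood the log.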
Setting only a congestion alert

The following example enables both alerts and then shows their values.

switch:admin> bottleneckmon --enable -alert
switch:admin> bottleneckmon --status
Bottleneck detection - Enabled
==============================
Switch-wide sub-second latency bottleneck criterion:
====================================================
Time threshold - 0.800
Severity threshold - 50.
Changing bottleneck detection parameters

The following example enables a latency alert and shows its values.

switch:admin> bottleneckmon --enable -alert=latency
switch:admin> bottleneckmon --status
Bottleneck detection - Enabled
==============================
Switch-wide sub-second latency bottleneck criterion:
====================================================
Time threshold - 0.800
Severity threshold - 50.
Examples of applying and changing bottleneck detection parameters

To remove any port-specific alerting and sub-second latency parameters and revert to the switch-wide parameters, enter bottleneckmon --configclear. To remove and erase all bottleneck alerts and their criteria, enter bottleneckmon --disable. Refer to Disabling bottleneck detection on a switch on page 404 for more details. Refer to the Fabric OS Command Reference for more information.
Bottleneck Detection

Bottleneck detection - Enabled
==============================
Switch-wide sub-second latency bottleneck criterion:
====================================================
Time threshold - 0.800
Severity threshold - 50.000
Switch-wide alerting parameters:
================================
Alerts - Yes
Latency threshold for alert - 0.200
Congestion threshold for alert - 0.
Adjusting the frequency of bottleneck alerts

Port  Alerts?  LatencyThresh  CongestionThresh  Time (s)  QTime (s)
=================================================================================
46    N        -              -                 -         -
47    L        0.750          -                 250       150

Example 6: Clearing bottleneck detection override values from ports.

The following example removes any changed bottleneck detection parameter values from ports 46 and 47.
Advanced bottleneck detection settings

3. Enter auditCfg --class 5 to enable the bottleneck detection audit log.
4. Once you have captured the discarded frame information, enter auditCfg --disable to disable audit logging.
5. Enter auditDump -s to enable the bottleneck detection audit log.

An audit log entry for a discarded frame will look similar to the following:

<190>raslogd: AUDIT, 2014/04/11-23:12:04 (GMT), [AN-1014], INFO, FABRIC, NONE/root/ NONE/None/CLI, ad_0/STINGER3/FID 128, 7.3.0gcheung_v7.3.
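Once these AUDIT entries are forwarded to a syslog collector, the discarded-frame events are easy to lose among the other audit classes unless the collector parses the fixed field order. The following Python is an added example, not Brocade code: it parses AUDIT lines in the layout visible in the entry above (syslog PRI, raslogd tag, timestamp and zone, bracketed message ID, severity, class, a slash-separated user context, a slash-separated switch context, a firmware string, then the event text) and filters for the AN-1014 discarded-frame message ID. The names given to the user-context and switch-context fields are assumptions, and the sample lines are constructed; the text after the firmware field in the first sample is a placeholder because the guide's entry is truncated there.

```python
"""Parser and triage helper for Fabric OS RASLog AUDIT lines as raslogd
forwards them to syslog. Added example; not Brocade code. The field order
follows the AN-1014 entry shown in the guide; the names given to the
user-context and switch-context fields are assumptions, and the sample
lines below are constructed."""

import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# <PRI>raslogd: AUDIT, <timestamp> (<tz>), [<msg-id>], <severity>, <class>,
#   <user context>, <switch context>, <firmware>, <event text>
AUDIT_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>raslogd: AUDIT, "
    r"(?P<ts>\d{4}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}) \((?P<tz>[^)]+)\), "
    r"\[(?P<msgid>[A-Z]+-\d+)\], "
    r"(?P<severity>[A-Z]+), "
    r"(?P<cls>[A-Z]+), "
    r"(?P<user_ctx>[^,]+), "
    r"(?P<switch_ctx>[^,]+), "
    r"(?P<firmware>[^,]+)"
    r"(?:, (?P<text>.*))?$"
)


@dataclass(frozen=True)
class AuditEntry:
    facility: int        # decoded from the syslog PRI
    severity_code: int   # decoded from the syslog PRI
    timestamp: str
    tz: str
    msgid: str           # e.g. AN-1014
    severity: str        # Fabric OS severity word, e.g. INFO
    cls: str             # audit class, e.g. FABRIC
    user_ctx: str        # slash-separated; sub-field meaning assumed, kept raw
    switch_ctx: str      # slash-separated; e.g. ad_0/STINGER3/FID 128
    firmware: str
    text: str


def decode_pri(pri: int) -> Tuple[int, int]:
    """Split a syslog PRI value into (facility, severity) per RFC 5424."""
    return divmod(pri, 8)


def parse_audit_line(line: str) -> Optional[AuditEntry]:
    """Return an AuditEntry for a RASLog AUDIT line, or None for anything else."""
    m = AUDIT_RE.match(line.strip())
    if m is None:
        return None
    facility, sev = decode_pri(int(m.group("pri")))
    return AuditEntry(
        facility=facility, severity_code=sev, timestamp=m.group("ts"), tz=m.group("tz"),
        msgid=m.group("msgid"), severity=m.group("severity"), cls=m.group("cls"),
        user_ctx=m.group("user_ctx"), switch_ctx=m.group("switch_ctx"),
        firmware=m.group("firmware"), text=m.group("text") or "",
    )


DISCARDED_FRAME_MSGID = "AN-1014"   # message ID shown in the guide for a discarded frame


def discarded_frame_events(lines: Iterable[str]) -> List[AuditEntry]:
    """Keep only parsed AUDIT entries that report a discarded frame."""
    out: List[AuditEntry] = []
    for line in lines:
        entry = parse_audit_line(line)
        if entry is not None and entry.msgid == DISCARDED_FRAME_MSGID:
            out.append(entry)
    return out


# Constructed sample lines (not real switch output). The first mirrors the
# guide's AN-1014 entry with a placeholder event text; the second is a
# constructed audit event of another class with a placeholder message ID;
# the third is an ordinary syslog line that must be rejected.
SAMPLE_LINES = [
    "<190>raslogd: AUDIT, 2014/04/11-23:12:04 (GMT), [AN-1014], INFO, FABRIC, "
    "NONE/root/NONE/None/CLI, ad_0/STINGER3/FID 128, 7.3.0, "
    "PLACEHOLDER discarded-frame event text",
    "<190>raslogd: AUDIT, 2014/04/11-23:15:30 (GMT), [SEC-0000], INFO, SECURITY, "
    "admin/admin/192.0.2.10/ssh/CLI, ad_0/STINGER3/FID 128, 7.3.0, "
    "PLACEHOLDER constructed security event text",
    "Apr 11 23:16:00 host sshd[4242]: Accepted publickey for admin",
]


if __name__ == "__main__":
    for hit in discarded_frame_events(SAMPLE_LINES):
        print(hit.timestamp, hit.switch_ctx, hit.msgid, hit.text)
```

The PRI decoding matters when the collector routes by syslog facility: a value of 190 is local7 with informational severity, so a filter keyed on severity alone would never surface these entries even though the bottleneck class is enabled on the switch; filtering on the bracketed message ID is the reliable key.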
Excluding a port from bottleneck detection

When you enable bottleneck detection, you can specify switch-wide sub-second latency criterion parameters. After you enable bottleneck detection, you can change the sub-second latency criterion parameters only on a per-port basis. You cannot change them on the entire switch, as you can with alerting parameters, unless you disable and then re-enable bottleneck detection.
Bottleneck Detection

Excluding a single port from bottleneck detection

The following example excludes only port 7 from bottleneck detection. Refer to Disabling bottleneck detection on a switch on page 404 for more information.

NOTE
Excluding the master port excludes the entire trunk, even if individual slave ports are not excluded.
Displaying bottleneck statistics

You can use the bottleneckmon --show command to display a history of bottleneck conditions for up to three hours. This command has several display options:
• Display only latency bottlenecks, only congestion bottlenecks, or both combined.
• Display bottleneck statistics for a single port, bottleneck statistics for all ports on the switch, or a list of ports affected by bottleneck conditions.
Bottleneck Detection

1. Connect to the switch and log in using an account with admin permissions.
2. Enter bottleneckmon --disable. This disables bottleneck detection on the switch.
In-flight Encryption and Compression

● In-flight encryption and compression overview, page 407
● Configuring in-flight encryption and compression on an EX_Port, page 413
● Configuring in-flight encryption and compression on an E_Port, page 413
● Viewing the encryption and compression configuration
FIGURE 54 Encryption and compression on 16 Gbps ISLs

Supported ports for in-flight encryption and compression

The in-flight encryption and compression features are supported only on E_Ports and EX_Ports, and only on the Brocade 6510 and 6520 switches, 16 Gbps embedded switches, and the Brocade DCX 8510 Backbone family. The ports can run at any speed, but must be 16 Gbps-capable.
Bandwidth and port limits for in-flight encryption and compression

• In a configuration with two switches with multiple ISLs connecting them, an encrypted and non-encrypted pair of links between two chassis is not allowed to work concurrently. Also, the transition from non-encrypted to encrypted ISLs between the two switches is disruptive.
• The payload size of a frame is restricted to 2048 bytes.
This table does not show all the possible combinations of different speeds for the encryption and compression ports; other combinations are also supported. The number of supported ports is automatically calculated based on the speeds chosen.

Port speed on encryption- or compression-enabled ports

The port speed determines the maximum number of ports on a device that can support the in-flight encryption and compression features.
Authentication and key generation for encryption and compression

NOTE
If trunking is enabled, be aware that the ports creating the bandwidth limitation will form a trunk group, while the rest of the ports will be segmented.

You can also decommission any port that has in-flight encryption and compression enabled. Refer to Port decommissioning on page 74 for details on decommissioning ports.
Virtual Fabrics considerations for encryption and compression

NOTE
If any port on the ASIC with encryption or compression enabled encounters rare error conditions that require error recovery to be performed on the encryption engine within that ASIC, all encryption or compression-enabled ports on that ASIC go offline.
Configuring in-flight encryption and compression on an EX_Port

When you configure in-flight encryption and compression across an IFL, first configure the EX_Port and then configure the E_Port. The encryption and compression settings must match at either end of the IFL. The following steps summarize how to enable in-flight encryption or compression on an EX_Port. Perform these steps on the FC router.

1.
Viewing the encryption and compression configuration

To configure in-flight encryption and compression across an IFL, first configure encryption and compression on the EX_Port in the FC router. Perform the following steps to configure the E_Port in the switch.

1. Determine which ports are available for encryption or compression. Refer to Viewing the encryption and compression configuration on page 414 for instructions.
2.
Configuring and enabling authentication for in-flight encryption

[Command output listing ports 88, 89, 90, (output truncated), 348, 349, 350, and 351 with Yes/No flags and 4G speeds; the column layout was lost in extraction.]

The output displays the user port number. For bladed switches, use the switchShow command to determine the slot number of a specific user port.
In-flight Encryption and Compression

You can specify either "4" or "*". The "4" option explicitly enables DH group 4. Although "*" enables all DH groups (0 through 4), the DH group defaults to group 4 for all ports configured for in-flight encryption.

4. Configure pre-shared keys or certificates based on the encryption method selected (DH-CHAP or FCAP):
• If DH-CHAP is the configured authentication protocol, use the secAuthSecret --set command to establish a pre-shared secret key at each end of the ISL.
Enabling in-flight encryption

WWN                       DId   Name
-----------------------------------------------
10:00:00:05:1e:e5:cb:00   150   dcx_150
switch:admin> authutil --policy -sw active
Warning: Activating the authentication policy requires either DH-CHAP secrets or PKI certificates depending on the protocol selected.
Otherwise, ISLs will be segmented during next E-port bring-up.
(output truncated)
D-Port mode:         OFF
D-Port over DWDM:    ..
Compression:         OFF
Encryption:          ON

Enabling in-flight compression

Enable in-flight compression to provide better bandwidth use on the ISLs, especially over long distance. Frames are compressed at the egress point of an ISL and then decompressed at the ingress point. Enabling compression is an offline event. Ports must be disabled first, and then re-enabled after.
Disabling in-flight compression

1. Connect to the switch and log in using an account with secure admin permissions, or an account with OM permissions for the EncryptionConfiguration RBAC class of commands.
2. Disable the port using the portDisable command.
3. Disable encryption on the port using the portCfgEncrypt --disable command. The following example disables encryption on port 15 in slot 9 of an enterprise class platform:

   switch:admin> portcfgencrypt --disable 9/15

4.
Diagnostic Port

● Diagnostic Port, page 421
● Supported platforms for D_Port, page 421
● Licensing requirements for D_Port, page 422
● Understanding D_Port
Licensing requirements for D_Port

TABLE 78 Supported platforms for D_Port (Continued)

Product               Fabric OS release and later
Brocade 6505 switch   v7.0.1
Brocade 6510 switch   v7.0.0
Brocade 6520 switch   v7.1.0
Brocade 7840 switch   v7.3.0

D_Port functionality is supported on the following HBAs:
• Brocade 16-Gbps HBA (Brocade Fabric Adapter 1860) ports operating in HBA mode with a 16-Gbps SFP+ on Brocade 16-Gbps switches running Fabric OS version 7.1 or later. Brocade HBA v3.
Advantages of D_Port

1. Disable the ports on both ends of the link.
2. Run the portCfgDport --enable command on both ends of the link.
3. Enable the ports on both ends of the link.

The following figure illustrates an example D_Port connection between a pair of switches through SFP transceivers (port assignments will vary). For all topologies supported, refer to Supported topologies on page 426.
D_Port configuration modes and nature of test

D_Port has three modes:
• static -- explicitly configure the port as a D_Port. The port remains a D_Port until you explicitly remove the D_Port configuration.
• dynamic -- port is automatically set to a D_Port based on an external request from a remote port on the other end of the connection. The port remains a D_Port until all the diagnostic tests are completed and the remote port reverts to normal mode.
General limitations and considerations for D_Port

TABLE 79 D_Port configuration mode and nature of test

D_Port mode/nature of test

Mode       Nature of test                        Description
Static     You need to configure the port        Port remains as D_Port until you remove the
           explicitly.                           configuration.
Dynamic    No user configuration is required.    D_Port mode is initiated by external request from
                                                 the remote port. The remote port can either be a
                                                 static or on-demand D_Port.
On-demand  No user configuration is required.
Supported topologies

  mapped, the port mapping (including static and preferred port mapping) must be removed before the D_Port can be used. (Refer to Saving port mappings on an Access Gateway on page 429.)
• Access Gateway supports D_Port dynamic mode. If the port on the connected HBA is configured as a D_Port, the Access Gateway port automatically changes to D_Port mode.
FIGURE 56 ISLs connecting multiple switches and chassis

Static-static, static-dynamic, and on-demand-dynamic D_Port modes are supported on the ISLs. For configuration details, refer to Using D_Port in static-static mode between switches on page 430.

Topology 2: ICLs

The following figure illustrates inter-chassis links (ICLs) between slots 5 and 8 in corresponding chassis. The letter E represents E_Ports to be configured as D_Ports.
For configuration details, refer to Using D_Port in static-static mode between switches on page 430.

Topology 3: Access Gateways

Figure 58 illustrates a switch configured as a single Access Gateway connected to a fabric switch. The letters N and F represent, respectively, an N_Port and an F_Port to be configured as D_Ports. The Access Gateway must be a Brocade 6505, 6510, or 6520.
FIGURE 60 Access Gateway to HBA

Static-static and static (HBA) - dynamic (AG) D_Port modes are supported.

Saving port mappings on an Access Gateway

Before configuring ports as D_Ports on a switch configured as an Access Gateway, you must remove N_Port-to-F_Port and device (WWN) mappings. Fabric OS commands are available to save N_Port mappings. Once you save them, you can display the saved N_Port mappings to reconfigure them after D_Port is disabled.
FIGURE 61 HBA to switch

For configuration details, refer to Using D_Port between switches and HBAs on page 432.

Using D_Port in static-static mode between switches

You can configure D_Ports in static-static modes between switches (ISLs), chassis (ICLs), Access Gateways, and switch-Access Gateway links.
Disabling D_Port in static mode

3. Repeat steps 1 and 2 for the corresponding port (in this example, Port 2) on Switch B.

   switchB:admin> portdisable 2
   switchB:admin> portcfgdport --enable 2

4. Enable Port 1 on Switch A by using the portEnable command.

   switchA:admin> portenable 1

5. Enable Port 2 on Switch B by using the portEnable command.

   switchB:admin> portenable 2

   The basic test suite starts as soon as both ports are enabled.
6.
3. Repeat steps 1 and 2 for Port 2 on Switch B.

   switchB:admin> portdisable 2
   switchB:admin> portcfgdport --disable 2

4. Enable Port 1 on Switch A by using the portEnable command.

   switchA:admin> portenable 1

5. Enable Port 2 on Switch B by using the portEnable command.

   switchB:admin> portenable 2

Pre-provisioning D_Ports

In a normal scenario, you need to disable a port before enabling static D_Port on the particular port.
Enabling D_Port in static mode between a switch and an HBA

HBAs support testing in static and dynamic D_Port modes. If a D_Port is enabled on the switch, the switch forces the connected adapter port into D_Port mode. As soon as the D_Port is enabled on a switch, the HBA goes to dynamic D_Port mode, and then, the switch initiates tests on the HBA. In dynamic D_Port mode, you can disable the physical port by using the bcu port --disable command, but bcu port --disable will not exit dynamic D_Port mode.
Using D_Port in dynamic mode

• D_Ports on the HBA do not support forward error correction (FEC) and credit recovery (CR). If these features are enabled on the switch side, the HBA ignores them.
• D_Port is not supported on adapter ports configured in CNA mode.
• Toggling the port on either side of the link does not restart the test.
Example test scenarios and output

to internal request to change a port mode to D_Port mode, and run diagnostic tests automatically. For more information on enabling on-demand D_Port mode for all ports in a switch or chassis, refer to D_Port configuration mode and nature of test. When an on-demand D_Port-capable switch or chassis comes online, the switch checks if the other end of the connection supports dynamic D_Port mode.
Diagnostic Port

You can display the complete results from either the responder or the initiator switch. If the initiator switch is running Fabric OS v7.1.x or earlier, the responder displays only the local D_Port results, and you must query the initiator to see the complete results. The following example shows the D_Port results.
Diagnostic Port

switchBeacon:   OFF
FC Router:      OFF
Allow XISL Use: ON
LS Attributes:  [FID: 10, Base Switch: No, Default Switch: No, Address Mode 0]

Index Port Address Media Speed State   Proto
==============================================
  24   24  010000   id    N16  Online  FC  D-Port Loopback->Port 24
  26   26  010200   id    N16  Online  FC  D-Port segmented,(D-Port mode mismatch)
  33   33  010300   id    N8   Online  FC  D-Port 10:00:00:05:33:13:2f:b5

Use the portCfgShow command to see which ports are D_Port-enabled.
NPIV

● NPIV overview, page 439
● Configuring NPIV, page 441
● Enabling and disabling NPIV, page 442
● Base device logout
NOTE
When an Access Gateway is connected to the switch, the Access Gateway is counted as the base device or base login and it is not included in the NPIV device count.

Upgrade considerations

The maximum logins per switch decreased with Fabric OS v6.4.0. When upgrading from a release previous to Fabric OS v6.4.0, the configured maximum is carried forward and may exceed the Fabric OS v6.4.0 limit.
TABLE 81 Number of supported NPIV devices (Continued)

Platform                Virtual Fabrics   Logical switch type   NPIV support
DCX-4S and DCX 8510-4   Enabled           Default switch        Yes, 255 virtual device limit.
DCX-4S and DCX 8510-4   Enabled           Logical switch        Yes, 255 virtual device limit. 19
DCX-4S and DCX 8510-4   Enabled           Base switch           No.

Configuring NPIV

The NPIV feature is enabled by default. You can set the number of virtual N_Port IDs per port to a value from 1 through 255 per port.
NPIV capability          ON
QOS E_Port               AE
Port Auto Disable:       OFF
Rate Limit               OFF
EX Port                  OFF
Mirror Port              OFF
Credit Recovery          ON
F_Port Buffers           OFF
Fault Delay:             0(R_A_TOV)
NPIV PP Limit:           128
CSCTL mode:              OFF
Frame Shooter Port       OFF
D-Port mode:             OFF
D-Port over DWDM         ..
Compression:             OFF
Encryption:              OFF
FEC:                     ON

Enabling and disabling NPIV

NPIV is enabled for every port.

NOTE
NPIV is a requirement for FCoE.

1. Connect to the switch and log in using an account assigned to the admin role.
2.
of the base device logout causing all NPIV devices to log out, the base device logout affects only the base device; the NPIV devices stay logged in.

Difference in the device logout behaviors

A base device is a device on an F_Port that has the base PID. The base device logs in with a FLOGI. An NPIV device is a device on an F_Port which has an NPIV PID. An NPIV device logs in with an FDISC.
Use cases and dependencies

The purpose of this feature is to make it possible for all devices, including the base device and NPIV devices on an NPIV port, to log out and log in without disrupting the remaining logged-on devices. By default, the base device logout option is disabled on all ports.

1. Enable NPIV on the required ports. Ports that do not have NPIV capability cannot have the base device logout option enabled.
2.
NPIV

• Base device logout is not supported on ICL, VE/GE (E/Ex/LG) ports.
• Base device logout must be disabled on all the ports before downgrading from Fabric OS 7.3.0 to an earlier version.
Viewing base device logout setting

The following portCfgShow command output shows ON if the base device logout option is enabled, and a "..
Viewing NPIV port configuration information

The switchshow command displays the number of base devices as "1" and the number of NPIV devices. If the base device is logged out, the output displays only the number of NPIV devices. When base device logout is enabled and the base device has logged out, the portshow command output displays a FLOGI_LOGO with other port flags, and the PWWNs of the NPIV devices.
Viewing virtual PID login information ...
Fabric-Assigned PWWN

● Fabric-Assigned PWWN overview, page 449
● User- and auto-assigned FA-PWWN behavior, page 450
● Configuring an FA-PWWN for an HBA connected to an Access Gateway, page 451
● Configuring an FA-PWWN for an HBA connected to an edge switch, page 452
● Supported switches and configurations for FA-PWWN
• An FA-PWWN for an HBA device that is connected to an Access Gateway switch
• An FA-PWWN for an HBA device that is connected directly to an edge switch

FIGURE 62 Fabric-assigned port World Wide Name provisioning scenarios

User- and auto-assigned FA-PWWN behavior

Each switch port and Access Gateway port can have up to two FA-PWWNs, one assigned automatically and one assigned by the user. FA-PWWNs must be unique, and only one FA-PWWN can be active at any given time.
Configuring an FA-PWWN for an HBA connected to an Access Gateway

To configure an FA-PWWN, assign the FA-PWWN on the Access Gateway switch. The FA-PWWN feature is enabled by default on the HBA. Refer to the Brocade Adapters Administrator’s Guide for a list of supported HBAs.

1. Log in to the edge switch to which the Access Gateway is directly connected.
2. Assign the FA-PWWN.
Configuring an FA-PWWN for an HBA connected to an edge switch

To configure an FA-PWWN, assign the FA-PWWN on the edge switch. The FA-PWWN feature is enabled by default on the HBA. Refer to the Brocade Adapters Administrator’s Guide for a list of supported HBAs.

1. Log in to the edge switch to which the device is connected.
2. Assign the FA-PWWN.
Configuration upload and download considerations for FA-PWWN

  ‐ Brocade DCX, DCX-4S, and DCX 8510 family
  ‐ Brocade 300
  ‐ Brocade 5100
  ‐ Brocade 5300
  ‐ Brocade 6505
  ‐ Brocade 6510
  ‐ Brocade 6520
  ‐ Brocade VA-40FC
• Access Gateway platforms running Fabric OS v7.0.0 or later:
  ‐ Brocade 300
  ‐ Brocade 5100
  ‐ Brocade 6505
  ‐ Brocade 6510

Refer to the release notes for the supported Brocade HBA or adapter versions.
Restrictions of FA-PWWN
If you use DCC, a policy check is done on the physical PWWN on the servers. In the case of an HBA, the FA-PWWN is assigned to the HBA only after the DCC check is successful. Refer to DCC policy behavior with Fabric-Assigned PWWNs on page 219 for additional information.
Restrictions of FA-PWWN
The FA-PWWN feature is not supported with some Fibre Channel fabric features.
Managing Administrative Domains
● Administrative Domains overview................................................................................. 455
● SAN management with Admin Domains....................................................................... 464
● Admin Domain management for physical fabric administrators....................................
Managing Administrative Domains
NOTE
Do not confuse an Admin Domain number with the domain ID of a switch. They are two different identifiers. The Admin Domain number identifies the Admin Domain and has a range from 0 through 255. The domain ID identifies a switch in the fabric and has a range from 1 through 239.
The following figure shows a fabric with two Admin Domains: AD1 and AD2.
Admin Domain features
FIGURE 64 Filtered fabric views when using Admin Domains
Admin Domain features
Admin Domains allow you to do the following:
• Define the scope of an Admin Domain to encompass ports and devices within a switch or a fabric.
• Share resources across multiple Admin Domains. For example, you can share array ports and tape drives between multiple departments. In Figure 63 on page 456, one of the storage devices is shared between AD1 and AD2.
Admin Domain access levels
‐ The LSAN zone names must not end with "_ADn".
‐ The LSAN zone names must not be longer than 57 characters.
Refer to Using FC-FC Routing to Connect Fabrics on page 533 for information about the FC-FC Routing Service and LSAN zones.
Admin Domain access levels
Admin Domains offer a hierarchy of administrative access. To manage Admin Domains, you must be a physical fabric administrator.
AD0
AD0 is a system-defined Admin Domain. Unlike user-defined Admin Domains, AD0 has an implicit and an explicit membership list. User-defined Admin Domains have only an explicit membership list.
• The implicit membership list contains all devices, switch ports, and switches that have not been assigned to any other Admin Domain. Initially, the AD0 implicit membership list contains all devices, switch ports, and switches in the fabric.
Home Admin Domains and login
The following figure shows the same fabric from Figure 63 on page 456, but with AD0 and AD255 shown. AD0 contains the two devices that are not in any of the user-defined Admin Domains (AD1 and AD2). AD255 always encompasses the entire physical fabric.
FIGURE 65 Fabric with AD0 and AD255
Home Admin Domains and login
You are always logged in to an Admin Domain, and you can view and modify only the devices in that Admin Domain.
Admin Domain member types
You define an Admin Domain by identifying members of that domain. Admin Domain members can be devices, switch ports, or switches. Defining these member types is similar to defining a traditional zone member type. An Admin Domain does not require or have a new domain ID or management IP address linked to it.
Admin Domains and switch WWNs
• A switch member grants administrative control to the switch.
• A switch member grants port control for all ports in that switch.
• A switch member allows switch administrative operations such as disabling and enabling a switch, rebooting, and firmware downloads.
• A switch member does not provide zoning rights for the switch ports or devices. To allow devices to be zoned within Admin Domains, you must specify the port members using domain,index or device WWN members.
Managing Administrative Domains
FIGURE 66 Fabric showing switch and device WWNs
Figure 67 shows the filtered view of the fabric as seen from AD3 and AD4. The switch WWNs are converted to the NAA=5 syntax; the device WWNs and domain IDs remain the same.
Admin Domain compatibility, availability, and merging
FIGURE 67 Filtered fabric views showing converted switch WWNs
Admin Domain compatibility, availability, and merging
Admin Domains maintain continuity of service for Fabric OS features and operate in mixed-release Fabric OS environments. High availability is supported with some backward compatibility. When an E_Port comes online, the adjacent switches merge their AD databases.
CLI commands in an AD context
Each Admin Domain can also have its own zone configurations (defined and effective) with zones and aliases under them.
CLI commands in an AD context
The CLI command input arguments are validated against the AD member list; they do not work with input arguments that specify resources that are not members of the current Admin Domain. All commands present filtered output, showing only the members of the current Admin Domain.
Switching to a different Admin Domain context
• AD255: If you do not specify the AD name or number, all information about all existing Admin Domains is displayed.
• AD0-AD254: The membership of the current Admin Domain is displayed.
• AD0: The device and switch list members are categorized into implicit and explicit member lists.
1. Connect to the switch and log in as any user type.
2. Enter the ad --show command.
Admin Domain interactions with other Fabric OS features
The Admin Domain feature provides interaction with other Fabric OS features and across third-party applications. You can manage Admin Domains with Web Tools as well as the CLI. If the current Admin Domain owns the switch, you can perform Fabric Watch operations. Admin Domain interactions do not extend to user session tunneling across switches.
Admin Domains, zones, and zone databases
TABLE 85 Admin Domain interaction with Fabric OS features (Continued)
Fabric OS feature: Admin Domain interaction
iSCSI: iSCSI operations are supported only in AD0.
LSAN zoning: Refer to Admin Domains and LSAN zones on page 469 for details.
Management applications: Management interfaces that access the fabric without a user’s credentials continue to get the physical fabric view.
Admin Domains and LSAN zones
• There is no zone database linked to the physical fabric (AD255) and no support for zone database updates. In the physical fabric context (AD255), you can only view the complete hierarchical zone database, which is all of the zone databases in AD0 through AD254.
• You can concurrently edit the separate zone databases.
• With AD support, zoning updates are supported selectively at each AD level.
Configuration upload and download in an AD context
LSAN zones defined within an Admin Domain must contain devices that are applicable to that Admin Domain only. A device must not be included in more than one LSAN zone across multiple Admin Domains. Device discovery problems might occur if LSAN zones in one Admin Domain contain devices that belong to another Admin Domain. Refer to Using FC-FC Routing to Connect Fabrics on page 533 for information about LSAN zones.
Admin Domain management for physical fabric administrators
NOTE
This section is for physical fabric administrators who are managing Admin Domains.
The ad command follows a batched-transaction model, which means that changes to the Admin Domain configuration occur in the transaction buffer. An Admin Domain configuration can exist in several places:
• Effective configuration -- The Admin Domain configuration that is currently in effect.
Creating an Admin Domain
To create an Admin Domain, you must specify an Admin Domain name, number, or both:
• If you create an Admin Domain using only a number, the Admin Domain name is automatically assigned to be "ADn", where n is the number you specified. For example, if you specify AD number = 4, then AD name is set to "AD4".
User assignments to Admin Domains
The following example creates Admin Domain AD1, consisting of two switches, which are designated by domain ID and switch WWN.
switch:AD255:admin> ad --create AD1 -s "97; 10:00:00:60:69:80:59:13"
The following example creates Admin Domain "blue_ad," consisting of two switch ports (designated by domain,index), one device (designated by device WWN), and two switches (designated by domain ID and switch WWN).
Assigning Admin Domains to an existing user account
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the userConfig --addad command using the -a option to provide access to Admin Domains and the -h option to specify the home Admin Domain.
userconfig --addad username -h home_AD -a "AD_list"
The following example assigns Admin Domain green_ad2 to the existing user account ad1admin.
Deactivating an Admin Domain
3. Enter the ad --activate command.
ad --activate ad_id
You are prompted for confirmation. By default, after the Admin Domain is activated, the devices specified under that AD are not able to see each other until they are zoned together.
4. Enter the appropriate command based on whether you want to save or activate the Admin Domain definition:
• To save the Admin Domain definition, enter ad --save.
Adding members to an existing Admin Domain
1. Connect to the switch and log in using an account with admin permissions.
2. Switch to the AD255 context, if you are not already in that context.
ad --select 255
3. Enter the ad --add command using the -d option to specify device and switch port members and the -s option to specify switch members.
Renaming an Admin Domain
Use this procedure if you want to change the name of an Admin Domain. You can also change autoassigned names (ADn). The rename operation does not take effect if the Admin Domain you want to rename is part of the effective configuration.
1. Connect to the switch and log in using an account with admin permissions.
2. Switch to the AD255 context, if you are not already in that context.
ad --select 255
3.
Deleting all user-defined Admin Domains
This operation will fail if zone configuration exists in the AD
Do you want to delete ’AD_B3’ admin domain (yes, y, no, n): [no] y
switch:AD255:admin>
Deleting all user-defined Admin Domains
When you clear the Admin Domain configuration, all user-defined Admin Domains are deleted, the explicit membership list of AD0 is cleared, and all fabric resources (switches, ports, and devices) are returned to the implicit membership list of AD0.
Managing Administrative Domains
In this syntax, source_AD is the name of the user-defined AD from which you are copying the zone, source_name is the name of the zone to be copied, and dest_name is the name to give to the zone after it is copied to AD0.
4. Copy the newly added zones in AD0 to the zone configuration.
cfgadd "cfgName", "member[;member]"
5. Enable the configuration to complete the transaction.
cfgenable cfgName
6. Switch to the AD255 context.
ad --select 255
7.
Managing Administrative Domains
FIGURE 69 AD0 with three zones
sw0:admin> ad --exec 255 "cfgshow"
Zone CFG Info for AD_ID: 0 (AD Name: AD0, State: Active) :
Defined configuration:
 cfg:   AD0_cfg    AD0_RedZone
 zone:  AD0_RedZone
                10:00:00:00:01:00:00:00; 10:00:00:00:02:00:00:00
Effective configuration:
 cfg:   AD0_cfg
 zone:  AD0_RedZone
                10:00:00:00:01:00:00:00
                10:00:00:00:02:00:00:00
Zone CFG Info for AD_ID: 1 (AD Name: AD1, State: Active) :
Defined configuration:
 cfg:   AD1_cfg    AD1_BlueZone
 zone:  AD1_BlueZone
                10:00:0
Validating an Admin Domain member list
no auto recovery will be done in case of failure in the middle.
Do you want to clear all admin domains (yes, y, no, n): [no] y
sw0:AD255:admin> ad --apply
You are about to enforce the saved AD configuration.
This action will trigger AD apply to all switches in the fabric
Do you want to apply all admin domains (yes, y, no, n): [no] y
Validating an Admin Domain member list
You can validate the device and switch member list.
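The member-list syntax used by the ad --create example earlier in this chapter (switch members given as a domain ID or a switch WWN, switch ports as domain,index, devices as a device WWN), together with the Admin Domain number range 0 through 255 and the domain ID range 1 through 239 stated in the chapter note, and the member-list validation step this page introduces, as an added Python example. This is not Brocade code and not part of the guide: the Member class, the parse functions and validate_ad_definition are this example's own assumptions about how to model the lists, the duplicate-member check is a constructed rule, and the sample lists are the guide's AD1 example plus constructed values.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Ranges the guide states: Admin Domain numbers 0-255, switch domain IDs 1-239.
AD_MIN, AD_MAX = 0, 255
DOMAIN_MIN, DOMAIN_MAX = 1, 239
# A WWN written the way the guide shows it: eight colon-separated hex bytes.
WWN_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){7}[0-9A-Fa-f]{2}$")


@dataclass(frozen=True)
class Member:
    kind: str    # "switch_domain", "switch_wwn", "port" or "device_wwn" (assumed names)
    value: str   # normalised text of the member


def default_ad_name(number: int) -> str:
    """Name the guide auto-assigns when an AD is created by number only: 'ADn'."""
    if not AD_MIN <= number <= AD_MAX:
        raise ValueError(f"Admin Domain number {number} outside {AD_MIN}-{AD_MAX}")
    return f"AD{number}"


def _tokens(member_list: str) -> List[str]:
    # Members are separated by semicolons, e.g. "97; 10:00:00:60:69:80:59:13".
    return [t.strip() for t in member_list.split(";") if t.strip()]


def _valid_domain(text: str) -> bool:
    return text.isdigit() and DOMAIN_MIN <= int(text) <= DOMAIN_MAX


def parse_switch_list(switch_list: str) -> Tuple[List[Member], List[str]]:
    """Parse the -s list: each switch member is a domain ID or a switch WWN."""
    members, errors = [], []
    for tok in _tokens(switch_list):
        if WWN_RE.match(tok):
            members.append(Member("switch_wwn", tok.lower()))
        elif _valid_domain(tok):
            members.append(Member("switch_domain", str(int(tok))))
        else:
            errors.append(f"-s member {tok!r}: expected a domain ID "
                          f"{DOMAIN_MIN}-{DOMAIN_MAX} or a switch WWN")
    return members, errors


def parse_device_list(device_list: str) -> Tuple[List[Member], List[str]]:
    """Parse the -d list: switch ports as 'domain,index', devices as a device WWN."""
    members, errors = [], []
    for tok in _tokens(device_list):
        if WWN_RE.match(tok):
            members.append(Member("device_wwn", tok.lower()))
            continue
        parts = [p.strip() for p in tok.split(",")]
        if len(parts) == 2 and _valid_domain(parts[0]) and parts[1].isdigit():
            members.append(Member("port", f"{int(parts[0])},{int(parts[1])}"))
        else:
            errors.append(f"-d member {tok!r}: expected 'domain,index' or a device WWN")
    return members, errors


def validate_ad_definition(number: int, device_list: str = "", switch_list: str = "") -> dict:
    """Check an ad --create style definition; returns parsed members and any problems."""
    problems: List[str] = []
    try:
        name = default_ad_name(number)
    except ValueError as exc:
        name, problems = None, [str(exc)]
    devices, d_errors = parse_device_list(device_list)
    switches, s_errors = parse_switch_list(switch_list)
    problems += d_errors + s_errors
    members = devices + switches
    seen = set()
    for m in members:               # constructed rule: a member listed twice is flagged
        if m in seen:
            problems.append(f"duplicate member {m.value}")
        seen.add(m)
    return {"name": name, "members": members, "problems": problems}


if __name__ == "__main__":
    # The guide's own AD1 example: one switch by domain ID, one by switch WWN.
    result = validate_ad_definition(1, switch_list="97; 10:00:00:60:69:80:59:13")
    print(result["name"], [m.kind for m in result["members"]], result["problems"])
```

Running the definition through validate_ad_definition before issuing ad --create or ad --add catches the mistakes the switch would otherwise reject one at a time: a domain ID outside 1 through 239, a malformed WWN, or a port written without its domain.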
Validating an Admin Domain member list 482 Fabric OS Administrators Guide 53-1003130-01
Inter-chassis Links
● Inter-chassis links .........................................................................................................483
● ICLs for the Brocade DCX 8510 Backbone family........................................................ 484
● ICLs for the Brocade DCX Backbone family................................................................. 486
● Virtual Fabrics considerations for ICLs.........................................................................
License requirements for ICLs
ICL ports can be used only with an ICL license. An ICL license must be installed on both platforms forming the ICL connection. All ICL ports must be disabled and then re-enabled for the license to take effect.
ICL trunking on the Brocade DCX 8510-8 and DCX 8510-4
FIGURE 70 Minimum configuration for 64 Gbps ICLs
• The maximum number of ICLs between two Brocade DCX 8510-4 chassis or between a Brocade DCX 8510-8 and a Brocade DCX 8510-4 is 16. The maximum number of ICLs between two Brocade DCX 8510-8 chassis is 32. Because the FSPF routing logic uses only the first 16 paths to come online, only 16 ICLs are utilized.
ICLs for the Brocade DCX Backbone family
Refer to the specific hardware reference manuals for information about port numbering and connecting the ICL cables.
ICLs for the Brocade DCX Backbone family
The Brocade DCX has two ICL connectors at ports ICL0 and ICL1 on each core blade, each aggregating a set of 16 ports. Thus, each core blade provides 32 ICL ports and there are 64 ICL ports available for the entire Brocade DCX chassis.
ICL trunking on the Brocade DCX and DCX-4S
ICL trunks form automatically but additional licenses may be required for enabling all ICL ports or for larger ICL configurations. For more information about ICL licensing options, refer to the Fabric OS Software Licensing Guide. The ICLs are managed the same as ISL trunks.
• On the Brocade DCX, each ICL is managed as two 8-port ISL trunks.
• On the Brocade DCX-4S, each ICL is managed as one 8-port ISL trunk.
Inter-chassis Links
FIGURE 72 ICL triangular topology with Brocade DCX 8510-8 chassis
During an ICL break in the triangular topology, the chassis that has the connections of the other two is the main chassis. Any error messages relating to a break in the topology appear in the RASlog of the main chassis.
Core-edge topology
FIGURE 73 Full nine-mesh topology
Core-edge topology
You can also connect the Brocade DCX 8510 Backbones in a core-edge topology. For example, Figure 74 shows six chassis connected in a core-edge topology (four edges and two cores). Although Figure 74 shows only the Brocade DCX 8510-8, each chassis can be either a Brocade DCX 8510-4 or a DCX 8510-8. You can have up to eight edges with DCX 8510-8 cores or up to four edges with DCX 8510-4 cores.
Inter-chassis Links
FIGURE 74 64 Gbps ICL core-edge topology
Monitoring Fabric Performance
● Advanced Performance Monitoring overview................................................................491
● End-to-end performance monitoring............................................................................. 493
● Frame monitoring.......................................................................................................... 497
● Top Talker monitors......................................................................................................
Restrictions for installing monitors
• Advanced Performance Monitoring is not supported on VE_Ports and EX_Ports. If you issue commands for Advanced Performance Monitoring on VE_Ports or EX_Ports, you will receive error messages.
• All monitor types are allowed only on physical ports.
• Top Talker monitors and EE monitors on E_Ports should be installed only in the ingress direction.
Access Gateway considerations for Advanced Performance Monitoring
EE monitors and frame monitors are supported on switches in Access Gateway mode. Top Talker monitors are not supported on these switches. EE monitors must be installed on F_Ports. Frame monitors can be installed on F_Ports or N_Ports. Refer to the Access Gateway Administrator's Guide for additional information.
Supported port configurations for EE monitors
You can configure EE monitors on F_Ports and, depending on the switch model, on E_Ports. The following platforms support EE monitors on E_Ports:
• Brocade 6505
• Brocade 6510
• Brocade 6520
• Brocade M6505
• Brocade 6547
• Brocade DCX 8510 family
Identical EE monitors cannot be added to the same port.
Setting a mask for an EE monitor
On Domain 2, add a monitor to the F_Port as follows:
switch:admin> perfaddeemonitor 2/14 "0x021e00" "0x011200"
This monitor (Monitor 4) counts the frames that have an SID of 0x021e00 and a DID of 0x011200. For Monitor 4, RX_COUNT is the number of words from Dev B to Host A, and TX_COUNT is the number of words from Host A to Dev B. The E_Port monitors are configured similar to the F_Port monitors, but the ingress and egress directions are reversed.
Deleting EE monitors
The following figure shows the mask positions in the command. A mask ("ff") is set on slot 1, port 2 to compare the AL_PA fields on the SID and DID in all frames (transmitted and received) on port 2. The frame SID and DID must match only the AL_PA portion of the specified SID and DID pair. Each port can have only one EE mask. The mask is applied to all end-to-end monitors on the port. Individual masks for each monitor on the port cannot be specified.
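How an end-to-end monitor accumulates its two counters, as the Monitor 4 description above states it (RX_COUNT for frames received with the monitor's SID and DID, TX_COUNT for frames transmitted with the pair reversed) and how a port-wide AL_PA mask widens the match, as an added Python model that is not Brocade code and not part of the guide. The Frame and EEMonitor classes, the word counts, the "rx"/"tx" direction labels and the representation of the mask as a 24-bit value (0x0000ff for the AL_PA byte of a domain/area/AL_PA address identifier) are this example's own assumptions; all frames are constructed.

```python
from dataclasses import dataclass
from typing import List

# A Fibre Channel address identifier is 24 bits: domain (8) | area (8) | AL_PA (8).
ALPA_MASK = 0x0000FF    # models the "ff" mask from the guide: compare only the AL_PA byte
FULL_MASK = 0xFFFFFF    # no mask set: compare the whole SID and DID


@dataclass(frozen=True)
class Frame:
    sid: int        # S_ID carried by the frame
    did: int        # D_ID carried by the frame
    words: int      # 4-byte words in the frame (constructed sizes below)
    direction: str  # "rx" = received by the monitored port, "tx" = transmitted by it


class EEMonitor:
    """Model of one end-to-end monitor on an F_Port, keyed on a SID/DID pair.

    RX_COUNT grows with frames received on the port that carry the monitor's
    SID and DID; TX_COUNT grows with frames the port transmits in the reverse
    direction (SID and DID swapped), which is what the guide says Monitor 4 counts.
    """

    def __init__(self, sid: int, did: int, mask: int = FULL_MASK):
        self.sid, self.did, self.mask = sid, did, mask
        self.rx_count = 0
        self.tx_count = 0

    def _same(self, a: int, b: int) -> bool:
        # With the AL_PA mask only the low byte of each address takes part in the compare.
        return (a & self.mask) == (b & self.mask)

    def observe(self, frame: Frame) -> bool:
        """Apply one frame to the counters; returns True when the frame matched."""
        if frame.direction == "rx" and self._same(frame.sid, self.sid) \
                and self._same(frame.did, self.did):
            self.rx_count += frame.words
            return True
        if frame.direction == "tx" and self._same(frame.sid, self.did) \
                and self._same(frame.did, self.sid):
            self.tx_count += frame.words
            return True
        return False


def run_monitor(monitor: EEMonitor, frames: List[Frame]) -> dict:
    """Feed a frame list through a monitor and report both counters."""
    matched = sum(monitor.observe(f) for f in frames)
    return {"rx": monitor.rx_count, "tx": monitor.tx_count, "matched": matched}


# Constructed traffic for the guide's Monitor 4: Dev B = 0x021e00, Host A = 0x011200.
DEV_B, HOST_A, OTHER = 0x021E00, 0x011200, 0x031F01
SAMPLE_FRAMES = [
    Frame(DEV_B, HOST_A, 528, "rx"),   # Dev B -> Host A, received on Dev B's F_Port
    Frame(HOST_A, DEV_B, 16, "tx"),    # Host A -> Dev B, transmitted out of that port
    Frame(OTHER, HOST_A, 528, "rx"),   # another initiator: not this monitor's pair
    Frame(OTHER, DEV_B, 16, "tx"),     # reply to that initiator: not counted either
]

if __name__ == "__main__":
    print(run_monitor(EEMonitor(DEV_B, HOST_A), SAMPLE_FRAMES))
    print(run_monitor(EEMonitor(DEV_B, HOST_A, ALPA_MASK),
                      [Frame(0x051E00, 0x071200, 100, "rx")]))
```

The second run shows why the mask is a port-wide decision: with the AL_PA mask in place a frame between 0x051e00 and 0x071200 is counted by the monitor for 0x021e00/0x011200, because both pairs share AL_PA 0x00, and every monitor on that port is widened the same way.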
Clearing EE monitor counters
Example of displaying an end-to-end monitor on a port at 10-second intervals
switch:admin> perfMonitorShow --class EE 4/5 10
Showing EE monitors 4/5 10: Tx/Rx are # of bytes
    0            1            2            3            4
--------- --------- --------- --------- ---------
Tx   Rx     Tx   Rx     Tx   Rx     Tx   Rx     Tx   Rx
========= ========= ========= ========= =========
0    0      0    0      0    0      0    0      0    0
53m  4.9m   53m  4.9m   53m  4.9m   53m  4.9m   53m  0
53m  4.4m   53m  4.4m   53m  4.4m   53m  4.4m   53m  0
53m  4.8m   53m  4.8m   53m  4.8m   53m  4.8m   53m  0
53m  4.6m   53m  4.6m   53m  4.6m   53m  4.6m   53m  4.
License requirements for frame monitoring
TABLE 88 Maximum number of frame monitors and offsets per port
Platform / Maximum number of frame monitors per port / Maximum number of offsets per port
Brocade 300, 5300, 5410, 5424, 5450, 5460, 5470, 5480, and 7800: 8 13 23
Brocade 5100, 6505, 6510, 6520, M6505, 6547, VA-40FC, DCX, DCX-4S, DCX 8510, and Brocade Encryption Switch: 12 25 24
The actual number of frame monitors that can be configured on a port depends on the complexity of the frame types.
Creating a frame monitor
The value of the offset must be between 0 and 63, in decimal format. Byte 0 indicates the first byte of the Start of Frame (SOF), byte 4 is the first byte of the frame header, and byte 28 is the first byte of the payload. Thus, only the SOF, frame header, and first 36 bytes of payload can be selected as part of a filter definition. Offset 0 is a special case, which can be used to monitor the first 4 bytes of the frame (SOF).
Adding frame monitors to a port
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the fmMonitor --delete command to delete a specific frame type.
switch:admin> fmmonitor --delete myframemonitor
Adding frame monitors to a port
If the switch does not have enough resources to add a frame monitor to a port, then other frame monitors on that port may have to be deleted to free resources.
1. Connect to the switch and log in using an account with admin permissions.
2.
Displaying frame monitors
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the fmMonitor --show command.
The following example displays the existing frame types and associated bit patterns on the switch.
Monitoring Fabric Performance
NOTE
Initial stabilization is the time taken by a flow to reach the maximum bandwidth. This time varies depending on the number of flows in the fabric and other factors. This time can be up to 14 seconds in the Backbones, and up to 82 seconds in the fixed-port switches.
Applications can use Top Talker monitors data to do the following:
• Re-route the traffic through different ports that are less busy, so as not to overload a given port.
Top Talker monitors and FC-FC routing
Top Talker monitors are not supported on the embedded platforms: Brocade 5410, 5424, 5450, 5460, 5470, and 5480.
Top Talker monitors and FC-FC routing
You can enable Top Talker monitors on a platform that is configured to be an FC router.
Monitoring Fabric Performance
FIGURE 77 Fabric mode Top Talker monitors on FC router do not monitor any flows
FIGURE 78 Fabric mode Top Talker monitors on FC router monitor flows over the E_Port
Limitations of Top Talker monitors
Be aware of the following when using Top Talker monitors:
• Top Talker monitors cannot detect transient surges in traffic through a given flow.
• You cannot install a Top Talker monitor on a mirrored port.
• Top Talker monitors can monitor only 10,000 flows at a time.
• Top Talker monitors are not supported on VE_Ports, EX_Ports, and VEX_Ports.
• The maximum number of all port mode Top Talker monitors on an ASIC is 16.
Displaying the top bandwidth-using flows on a port (port mode)
If a new switch joins the fabric, you must run the perfTTmon --add fabricmode command on that switch. The Top Talker monitor configuration information is not automatically propagated to the new switch.
Displaying the top bandwidth-using flows on a port (port mode)
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the perfTTmon --show command.
Deleting all fabric mode Top Talker monitors
The following example deletes the monitor on port 7:
perfttmon --delete 7
The following example deletes the monitor on slot 2, port 4 on a Backbone:
perfttmon --delete 2/4
Deleting all fabric mode Top Talker monitors
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the perfTTmon --delete fabricmode command.
perfttmon --delete fabricmode
All Top Talker monitors are deleted.
Performance data collection
• The EE monitors for each port (from 0 to MAX_PORT)
• The frame monitors for each port
EE monitors are given preference when saving to flash memory if the total number of monitors in a switch exceeds 512. If the total number of monitors per port or switch exceeds the limit, then you will receive an error message indicating the count has been exceeded and that some monitors have been discarded.
1. Connect to the switch and log in using an account with admin permissions.
2.
Managing Trunking Connections
● Trunking overview......................................................................................................... 509
● Supported platforms for trunking...................................................................................511
● Supported configurations for trunking........................................................................... 511
● Requirements for trunk groups..................................................................................
Masterless trunking
Refer to Inter-chassis Links on page 483 for detailed information about ICL trunking.
• EX_Port trunking is configured on an inter-fabric link (IFL) between an FC router (EX_Port) and an edge fabric (E_Port). The trunk ports are EX_Ports connected to E_Ports. Refer to EX_Port trunking on page 516 for additional information about EX_Port trunking.
• F_Port trunking is configured on a link between a switch and either an Access Gateway module or a Brocade adapter.
Port groups for trunking
For trunk groups to form, several conditions must be met. One of the conditions is that all of the ports in a trunk group must belong to the same port group. A port group is a group of eight ports, based on the user port number, such as 0-7, 8-15, 16-23, and up to the number of ports on the switch. The maximum number of port groups is platform-specific. Figure 79 shows the port groups for the Brocade 5100.
High Availability support for trunking
Trunking is a High Availability (HA) supported feature. The HA protocol for trunking is as follows:
• If trunking is disabled prior to the HA failover, it remains disabled after the HA failover.
• If trunking is enabled prior to the HA failover, it remains enabled after the HA failover.
Configuring trunk groups
‐ A trunk group has the same link cost as the master ISL of the group, regardless of the number of ISLs in the group. This allows slave ISLs to be added or removed without causing data to be rerouted, because the link cost remains constant.
‐ The addition of a path that is shorter than existing paths causes traffic to be rerouted through that path.
Disabling trunking
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the portCfgTrunkPort command to enable trunking on a port. Enter the switchCfgTrunk command to enable trunking on all ports on the switch.
portcfgtrunkport [slot/]port mode
switchcfgtrunk mode
Mode 1 enables trunking. In the following example, trunking is being enabled on slot 1, port 3.
Trunk Area and Admin Domains
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the trunkShow command.
The following example shows trunking groups 1, 2, and 3; ports 4, 13, and 14 are masters.
ISL trunking over long-distance fabrics
In long-distance fabrics, if a port speed is set to autonegotiate, then the maximum speed, which is 16 Gbps, is assumed for reserving buffers for the port. If the port is running at only 2 Gbps, this wastes buffers. For long-distance ports, you should specify the port speed instead of setting it to autonegotiate.
Masterless EX_Port trunking
The FC router front domain has a higher node WWN (derived from the FC router) than that of the edge fabric. Therefore, the FC router front domain initiates the trunking protocol on the EX_Port. After initiation, the first port from the trunk group that comes online is designated as the master port. The other ports that come online on the trunk group are considered to be the slave ports.
Backward compatibility support
NOTE
QoS and EX_Port trunking can coexist. However, if some ports in the trunk group have QoS enabled and some have QoS disabled, then two trunk groups will form: one with QoS enabled and one with QoS disabled.
Backward compatibility support
For backward compatibility, an FC router that supports EX_Port trunking can continue to interoperate with older FC routers and all previously supported Brocade switches in the backbone fabric or Brocade edge fabric.
F_Port trunking for Access Gateway
port immediately acquires the default area as its PID. F_Port trunking prevents reassignments of the Port ID (also referred to as the Address Identifier) when F_Ports go offline, and it increases F_Port bandwidth. Refer to the Access Gateway Administrator's Guide and the Brocade Adapters Administrator’s Guide for information about configuring the corresponding N_Port trunking on the Access Gateway and the Brocade adapter.
Requirements for F_Port trunking on an Access Gateway
FIGURE 81 Switch in Access Gateway mode with F_Port masterless trunking
NOTE
You do not need to map the host to the master port manually because the Access Gateway will perform a cold failover to the master port.
Refer to Configuring F_Port trunking for an Access Gateway on page 520 for instructions on configuring F_Port trunking.
F_Port trunking for Brocade adapters
For example, the following command creates a TA for ports 36-39 with index number 37.
switch:admin> porttrunkarea --enable 36-39 -index 37
Trunk index 37 enabled for ports 36, 37, 38 and 39.
When you assign a trunk area on a port, trunking is automatically enabled on the F_Ports.
Managing Trunking Connections
TABLE 91 F_Port masterless trunking considerations
Category: Description
AD: You cannot create a Trunk Area on ports with different Admin Domains. You cannot create a Trunk Area in AD255.
Area assignment: You statically assign the area within the trunk group on the edge switch. That group is the F_Port trunk.
Default Area: Port X is a port that has its Default Area the same as its Trunk Area. The only time you can remove port X from the trunk group is when the entire trunk group has the Trunk Area disabled.
Downgrade: You can have trunking on, but you must disable the trunk ports before performing a firmware downgrade.
Trunk Master: No more than one trunk master is allowed in a trunk group. The second trunk master will be persistently disabled with the reason "Area has been acquired".
Upgrade: There are no limitations on upgrading to Fabric OS v7.0.0 and later if the F_Port is present on the switch. Upgrading is not disruptive.
F_Port trunking in Virtual Fabrics
Table 92 describes the PWWN format for F_Port and N_Port trunk ports.
Displaying F_Port trunking information
• F_Port trunks are not allowed on the base switch because you cannot have F_Ports on the base switch.
• If F_Port trunking is enabled on some ports in the default switch, and you disable Virtual Fabrics, all of the F_Port trunking information is lost.
• All of the ports in an F_Port trunk must belong to a single trunk group of ports on the platform and must also belong to the same logical switch.
Enabling the DCC policy on a trunk area
After you assign a trunk area, the portTrunkArea command checks whether there are any active DCC policies on the port with the index TA, and then issues a warning to add all the device WWNs to the existing DCC policy with index as TA. All DCC policies that refer to an index that no longer exists will not be in effect.
1. Add the WWN of all the devices to the DCC policy against the TA.
2.
Managing Long-Distance Fabrics
● Long-distance fabrics overview.....................................................................................527
● Extended Fabrics device limitations..............................................................................528
● Long-distance link modes............................................................................................. 528
● Configuring an extended ISL........................................................................................
Extended Fabrics device limitations
Brocade recommends that you do not use the FC8-64 and FC16-64 port blades for long distance because of their limited buffers. These blades do not support long-wavelength (LWL) fiber optics and only support limited distance. However, you can use the portCfgLongDistance command to reserve frame buffers for the ports intended to be used in long-distance mode through DWDM.
Configuring an extended ISL
Before configuring an extended ISL, ensure that the following conditions are met:
• The ports on both ends of the ISL are operating at the same port speed, and can be configured for the same distance_level without compromising local switch performance.
NOTE
A long-distance link also can be configured to be part of a trunk group.
Enabling long distance when connecting to TDM devices
Reserved Buffers = 406
Warning: port may be reserving more credits
switch:admin> portshow 1/2
portName:
portHealth: OFFLINE
Authentication: None
portDisableReason: None
portCFlags: 0x1
portFlags: 0x1 PRESENT U_PORT
portType: 17.
For additional details about FEC, refer to Forward error correction on page 95.

Enabling FEC on a long-distance link
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the portCfgLongDistance command and include the -fecEnable option, or issue the portCfgFec command with the --enable option.
3. Enter the portCfgFec --show command to verify the configuration.
Disabling FEC on a long-distance link
Using FC-FC Routing to Connect Fabrics
● FC-FC routing overview ..... 533
● Fibre Channel routing concepts ..... 535
● Setting up FC-FC routing ..... 544
● Backbone fabric IDs
NOTE
FC-FC routing is not supported on a Brocade 7800 that has been enabled for logical switches.

License requirements for FC-FC routing
A software license might be required for FC-FC routing, depending on the types of fabrics that are connected. The Integrated Routing license is required for FC-FC routing between Fabric OS fabrics and between Fabric OS and M-EOS fabrics.
For the Brocade Backbone families, the backbones have a limit of 128 EX_Ports for each chassis. Refer to the Network OS Administration Guide for supported Network OS platforms.

Supported configurations for FC-FC routing
FC-FC routing supports the following configurations:
• FC router connected to a Fabric OS nonsecured edge fabric.
• FC router connected to a Fabric OS secured edge fabric.
• Backbone fabric
A backbone fabric is an intermediate network that connects one or more edge fabrics. In a SAN, the backbone fabric consists of at least one FC router and possibly a number of Fabric OS-based Fibre Channel switches (refer to Figure 84).
• Inter-fabric link (IFL)
The link between an E_Port and EX_Port, or VE_Port and VEX_Port, is called an inter-fabric link (IFL). You can configure multiple IFLs from an FC router to an edge fabric.
FIGURE 83 A metaSAN with edge-to-edge and backbone fabrics and LSAN zones
• Proxy device
A proxy device is a virtual device imported into a fabric by a Fibre Channel router, and represents a real device on another fabric. It has a name server entry and is assigned a valid port ID. When a proxy device is created in a fabric, the real Fibre Channel device is considered to be imported into this fabric.
If two different backbone fabrics are connected to the same edge fabric, the backbone fabric IDs must be different, but the edge fabric IDs must be the same. If you configure the same fabric ID for two backbone fabrics that are connected to the same edge fabric, a RASLog message displays a warning about fabric ID overlap. You can optionally assign an alias name to the FID.
• MetaSAN
A metaSAN is the collection of all SANs interconnected with Fibre Channel routers.
A phantom domain is a domain emulated by the Fibre Channel router. The FC router can emulate two types of phantom domains: front phantom domains and translate phantom domains. For detailed information about phantom domains, refer to Phantom domains on page 540.

Proxy devices
An FC router achieves inter-fabric device connectivity by creating proxy devices (hosts and targets) in attached fabrics that represent real devices in other fabrics.
FC-FC routing topologies
The FC-FC routing service provides two types of routing:
• Edge-to-edge
Occurs when devices in one edge fabric communicate with devices in another edge fabric through one or more FC routers.
• Backbone-to-edge
Occurs when FC routers connect to a common fabric, known as a backbone fabric, through E_Ports. A backbone fabric can be used as a transport fabric that interconnects edge fabrics.
FIGURE 86 Sample topology (physical topology)
Figure 87 shows a phantom topology for the physical topology shown in Figure 86. In this figure, the dashed lines and shapes represent the phantom topology from the perspective of Fabric 1. Fabrics 2 and 3 also see phantom topologies, but they are not shown in this example. In this figure, note the following:
• Front domain 1 and Front domain 2 are front domains for EX_Ports connecting to Fabric 1.
FIGURE 87 EX_Port phantom switch topology
All EX_Ports or VEX_Ports connected to an edge fabric use the same xlate domain ID for an imported edge fabric; this value persists across switch reboots and fabric reconfigurations. If you lose connectivity to the edge fabric because of link failures or the IFL being disabled, xlate domains remain visible.
The combination of front domains and xlate domains allows routing around path failures, including path failures through the routers. The multiple paths to an xlate domain provide additional bandwidth and redundancy. There are some differences in how the xlate domain is presented in the backbone fabric. The backbone xlate domains are topologically connected to FC routers and participate in the FC-FC routing protocol in the backbone fabric.
Setting up FC-FC routing
To set up FC-FC routing, perform the following tasks in the order listed.
1. Verify that you have the proper setup for FC-FC routing. (Refer to Verifying the setup for FC-FC routing on page 544.)
2. Assign backbone fabric IDs. (Refer to Backbone fabric IDs on page 545.)
3. Configure FCIP tunnels if you are connecting Fibre Channel SANs over IP-based networks. (Refer to FCIP tunnel configuration on page 547.)
4.
3. Enter the licenseShow command to verify that the Integrated Routing license is installed.
switch:admin> licenseshow
S9bddb9SQbTAceeC:
    Fabric license
bzbzRcbcSc0c0SY:
    Remote Fabric license
RyeSzRScycazfT0G:
    Integrated Routing license
If you are connecting to a Fabric OS or M-EOS fabric and the Integrated Routing license is not installed, you must install it, as described in the Fabric OS Software Licensing Guide.
Assigning backbone fabric IDs
In addition to ensuring that the backbone fabric IDs are the same within one backbone, make sure that when two different backbones are connected to the same edge fabric, the backbone fabric IDs are different while the edge fabric ID is the same. A configuration in which two backbones with the same backbone fabric ID are connected to the same edge fabric is invalid; in this configuration, a RASLog message displays a warning about fabric ID overlap.
1. Log in to the switch or backbone.
2. Set the FID alias using the fcrconfigure --add command.
fcrconfigure --add -alias alias_name -fid fid
3. Verify the configured alias names using the fcrconfigure --show -alias command.
fcrconfigure --show -alias
The following example configures alias names for three fabrics, and then configures an EX_Port using the FID alias name.
Inter-fabric link configuration
Configuring an inter-fabric link (IFL) involves disabling ports and cabling them to other fabrics, configuring those ports for their intended uses, and then enabling the ports. Before configuring an inter-fabric link, be aware that you cannot configure both IFLs (EX_Ports, VEX_Ports) and ISLs (E_Ports) from a backbone fabric to the same edge fabric.
For related FC-FC routing commands, refer to fcrEdgeShow, fcrXlateConfig, fcrConfigure, and fcrProxyConfig in the Fabric OS Command Reference.
A Fibre Channel router can interconnect multiple fabrics. EX_Ports or VEX_Ports attached to different edge fabrics must be configured with a different fabric ID for each edge fabric.
3. (Optional) Configure FC router port cost if you want to change the default values.
Authentication Type: None
DH Group: N/A
Hash Algorithm: N/A
Edge fabric's primary wwn: N/A
Edge fabric's version stamp: N/A
switch:admin_06> portshow 7/10
portName:
portHealth: OFFLINE
Authentication: None
EX_Port Mode: Enabled
Fabric ID: 30
Front Phantom: state = Not OK
Pref Dom ID: 160
Fabric params: R_A_TOV: 0 E_D_TOV: 0 PID fmt: auto
Authentication Type: None
Hash Algorithm: N/A
DH Group: N/A
Edge fabric's primary wwn: N/A
Edge fabric's version stamp: N/A
portDisa
EX_Port  FID  Neighbor Switch Info (WWN, enet IP, name)
-----------------------------------------------------------------------
4        95   10:00:00:05:1e:37:00:45  10.32.156.31  "Brocade 5300"
5        95   10:00:00:05:1e:37:00:45  10.32.156.31  "Brocade 5300"
6        95   10:00:00:05:1e:37:00:45  10.32.156.31  "Brocade 5300"
12. Enter the iflShow command to display the FC router details and ensure the fabric is functioning correctly.
The following example configures an EX_Port on one of the QSFP ports.
switch:admin> portcfgexport 6/20 -a 1 -f 45
2013/04/25-21:21:54, [FCR-1071], 29805, SLOT ..., changed from non FCR port to FCR port.
2013/04/25-21:21:54, [FCR-1071], 29806, SLOT ..., changed from non FCR port to FCR port.
2013/04/25-21:21:55, [FCR-1071], 29807, SLOT ..., changed from non FCR port to FCR port.
2013/04/25-21:21:55, [FCR-1071], 29808, SLOT ..., changed from non FCR port to FCR port.
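A practitioner who collects fcrFabricShow from every FC router in the backbone will want the fabric-ID rules above checked mechanically rather than by eye. The following Python script is an added example, not Brocade code: it parses a constructed fcrfabricshow transcript that imitates both column orders the guide prints (WWN first, or IP address first) and flags two misconfigurations, an edge switch reported under two different FIDs and an EX_Port whose FID equals the backbone FID. The router and neighbor WWNs, the addresses and the backbone FID of 100 are assumptions for illustration.

```python
"""Check EX_Port fabric-ID consistency from fcrFabricShow output.

Added example for this guide, not Brocade code. SAMPLE is a constructed
transcript that imitates both column orders the guide prints; the WWNs,
addresses and BACKBONE_FID are illustrative assumptions.
"""
import re
from collections import defaultdict

BACKBONE_FID = 100  # assumed backbone fabric ID (the value set with fcrconfigure)

WWN_RE = re.compile(r"^([0-9a-fA-F]{2}:){7}[0-9a-fA-F]{2}$")
ROUTER_RE = re.compile(r"FC Router WWN:\s*(\S+),\s*Dom ID:\s*(\d+)")

SAMPLE = """\
switch:admin> fcrfabricshow
FC Router WWN: 10:00:00:05:1e:58:bd:69, Dom ID: 40, Info: 10.17.33.52, "DID_40"
   EX_Port  FID   Neighbor Switch Info (enet IP, WWN, name)
-----------------------------------------------------------------------
     34      1    10.17.33.68   10:00:00:05:1e:61:28:22   "DID_4_1"
     35      1    10.17.33.68   10:00:00:05:1e:61:28:22   "DID_4_1"
FC Router WWN: 10:00:00:05:1e:58:be:69, Dom ID: 20, Info: 10.17.33.60, "DID_20"
   EX_Port  FID   Neighbor Switch Info (WWN, enet IP, name)
-----------------------------------------------------------------------
      2      2    10:00:00:05:1e:37:00:45   10.32.156.31   "Brocade 5300"
      4      1    10:00:00:05:1e:61:28:22   10.17.33.68    "DID_4_1"
      6      3    10:00:00:05:1e:61:28:22   10.17.33.68    "DID_4_1"
"""


def parse_fcrfabricshow(text):
    """Return rows (router_wwn, router_domain, ex_port, fid, neighbor_wwn, neighbor_name).

    A data row is any line whose first two tokens are integers (EX_Port, FID);
    the neighbor WWN is located by its shape, so either column order is accepted.
    """
    rows = []
    router = None
    for line in text.splitlines():
        m = ROUTER_RE.search(line)
        if m:
            router = (m.group(1).lower(), int(m.group(2)))
            continue
        parts = line.split()
        if router is None or len(parts) < 4:
            continue
        if not (parts[0].isdigit() and parts[1].isdigit()):
            continue
        wwn = next((p for p in parts[2:] if WWN_RE.match(p)), None)
        if wwn is None:
            continue
        name = line.split('"')[1] if line.count('"') >= 2 else ""
        rows.append((router[0], router[1], int(parts[0]), int(parts[1]), wwn.lower(), name))
    return rows


def check_fids(rows, backbone_fid=BACKBONE_FID):
    """Return findings that break the guide's fabric-ID rules.

    - An edge switch belongs to exactly one edge fabric, so every EX_Port that
      reports the same neighbor WWN must carry the same FID, on every router.
    - An edge fabric ID must differ from the backbone fabric ID.
    """
    findings = []
    fids_by_neighbor = defaultdict(set)
    for r_wwn, _dom, ex_port, fid, n_wwn, _name in rows:
        fids_by_neighbor[n_wwn].add(fid)
        if fid == backbone_fid:
            findings.append(("edge-fid-equals-backbone", r_wwn, ex_port, fid))
    for n_wwn, fids in sorted(fids_by_neighbor.items()):
        if len(fids) > 1:
            findings.append(("neighbor-fid-conflict", n_wwn, tuple(sorted(fids))))
    return findings


if __name__ == "__main__":
    for finding in check_fids(parse_fcrfabricshow(SAMPLE)):
        print(finding)
```

Feed it the concatenated fcrfabricshow output of every router in the backbone; the neighbor-WWN check is what catches an EX_Port configured with the wrong FID for the edge fabric it is cabled to, and the backbone check catches an EX_Port that would collide with the backbone's own FID.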
FC router port cost configuration
FC routers optimize the usage of the router port links by directing traffic to the link with the smallest router port cost. The FC router port cost is similar to the link cost setting available on E_Ports, which allows you to customize traffic flow. The router port link cost values are either 0, 1,000, or 10,000. The router module chooses the router port path based on the lowest cost for each FID connection.
Source EX_Ports can balance loads across multiple destination EX_Ports attached to the same edge fabric, using the exchange IDs of the routed frames as keys to distribute the traffic.

Setting router port cost for an EX_Port
The router port cost value for an EX_Port is set automatically when the EX_Port is created. You can modify the cost for that port to force a path to have a higher or lower cost.
fabric. This feature is useful when an FC router has multiple connections to the source edge fabric, and the backbone fabric has multiple FC routers connected through FCIP links (VE_Ports) and FC links (E_Ports). The selection of a low cost path depends on the individual ISL link cost settings in the backbone fabric. Traffic originating from a domain in an edge fabric can choose any equal cost path in order to reach the destination edge fabric.
FIGURE 88 Shortest IFL solution

Configuring shortest IFL cost
1. Enter the fcrFabricShow command to view the FC routers on the backbone fabric.
switch:admin> fcrfabricshow
FC Router WWN: 10:00:00:05:1e:58:bd:69, Dom ID: Info: 10.17.33.
EX_Port  FID  Neighbor Switch Info (enet IP, WWN, name)
-----------------------------------------------------------------------
34       1    10.17.33.68  10:00:00:05:1e:61:28:22  "DID_4_1"
switch:admin> fcrfabricshow
FC Router WWN: 10:00:00:05:1e:58:be:69, Dom ID: 20, Info: 10.17.33.60, "DID_20"
EX_Port  FID  Neighbor Switch Info (enet IP, WWN, name)
-----------------------------------------------------------------------
2        2    10.17.33.
5. Enter the linkCost command to set low cost values, ensuring that the cumulative ISL cost for the selected path is lower than that of all other paths. A low cost path should have a cumulative ISL cost of less than 10,000.
• In the following example, the ISL link cost of path 2 from FC router Domain ID 40 to FC router Domain ID 30 is modified.
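As an added example (not the guide's own linkCost transcript), the following Python model computes which egress EX_Port an FC router module prefers under the rule described in this section: the cumulative ISL cost of reaching a candidate router across the backbone plus that EX_Port's router port cost (0, 1,000 or 10,000), lowest total wins, and a path whose cumulative ISL cost stays below 10,000 is reported as a low-cost path. The domain IDs 40, 10, 20, 30 and 50, the ISL costs and the EX_Port numbers are constructed; with_link_cost() stands in for the effect of linkCost on a single ISL. The model deliberately ignores everything else FSPF does in the backbone and only shows how the two cost components combine.

```python
"""Model of FC router egress selection by cumulative cost.

Added example for this guide, not Brocade code. Domain IDs, ISL costs and
EX_Port numbers below are constructed; the selection rule follows the text:
the router module prefers the lowest cumulative cost, where the cost of a
candidate EX_Port is the sum of the backbone ISL link costs on the way to
its router plus that EX_Port's router port cost.
"""
import heapq
from collections import defaultdict

VALID_ROUTER_PORT_COSTS = (0, 1000, 10000)
LOW_COST_LIMIT = 10000  # a low-cost path keeps its cumulative ISL cost below this

# Backbone ISLs as (domain_a, domain_b, link_cost). Domain 40 is the ingress FC
# router holding the source edge fabric, 10 and 20 are backbone switches, and
# 30 and 50 are FC routers with EX_Ports into the destination edge fabric.
ISLS = [(40, 10, 500), (10, 30, 500), (40, 20, 500), (20, 50, 1000)]

# Candidate EX_Ports as (router_domain, port, fid, router_port_cost).
EX_PORTS = [(30, "8/1", 2, 1000), (50, "2/7", 2, 1000)]


def shortest_paths(isls, src):
    """Dijkstra over the backbone: cumulative ISL cost and predecessor per domain."""
    adj = defaultdict(list)
    for a, b, cost in isls:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    dist, prev = {src: 0}, {}
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, c in adj[u]:
            if d + c < dist.get(v, float("inf")):
                dist[v], prev[v] = d + c, u
                heapq.heappush(heap, (d + c, v))
    return dist, prev


def backbone_path(prev, src, dst):
    """Rebuild the domain sequence from src to dst out of the predecessor map."""
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def select_egress(isls, ex_ports, ingress_domain, dest_fid):
    """Pick the EX_Port toward dest_fid with the lowest cumulative cost.

    Returns a dict describing the winner, or None when no EX_Port serves the FID.
    """
    for _dom, port, _fid, rpc in ex_ports:
        if rpc not in VALID_ROUTER_PORT_COSTS:
            raise ValueError(f"EX_Port {port}: router port cost {rpc} is not 0, 1000 or 10000")
    dist, prev = shortest_paths(isls, ingress_domain)
    candidates = [
        (dist[dom] + rpc, dist[dom], dom, port)
        for dom, port, fid, rpc in ex_ports
        if fid == dest_fid and dom in dist
    ]
    if not candidates:
        return None
    total, isl_cost, dom, port = min(candidates)
    return {
        "total_cost": total,
        "isl_cost": isl_cost,
        "egress_domain": dom,
        "ex_port": port,
        "path": backbone_path(prev, ingress_domain, dom),
        "low_cost": isl_cost < LOW_COST_LIMIT,
    }


def with_link_cost(isls, a, b, cost):
    """Copy of the ISL list with one link's cost changed (what linkCost does on a switch)."""
    return [(x, y, cost if {x, y} == {a, b} else c) for x, y, c in isls]


if __name__ == "__main__":
    print(select_egress(ISLS, EX_PORTS, 40, 2))
    # Lowering the 20-50 link cost moves the FID 2 traffic to router 50's EX_Port.
    print(select_egress(with_link_cost(ISLS, 20, 50, 100), EX_PORTS, 40, 2))
```

Run as-is, the first call prefers router 30 (ISL cost 1,000 plus port cost 1,000); after the 20-50 link cost is lowered to 100 the total through router 50 drops to 1,600 and it wins, which is exactly the lever step 5 describes. Raising an EX_Port's router port cost to 10,000 has the same steering effect from the other side.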
LSAN zone configuration
An LSAN consists of zones in two or more edge or backbone fabrics that contain the same devices. LSANs provide selective device connectivity between fabrics without forcing you to merge those fabrics. FC routers provide multiple mechanisms to manage inter-fabric device connectivity through extensions to existing switch management interfaces. You can define and manage LSANs using Brocade Advanced Zoning.
remote fabrics to each local zone as desired. Zones on the backbone and on multiple edge fabrics that share a common set of devices will be recognized as constituting a single multi-fabric LSAN zone, and the devices that they have in common will be able to communicate with each other across fabric boundaries.
zone config "zone_cfg" is in effect
Updating flash ...
6. Log in as admin to fabric2.
7. Enter the nsShow command to list Target A (50:05:07:61:00:5b:62:ed) and Target B (50:05:07:61:00:49:20:b4).
2  50:05:07:61:00:5b:62:ed  0100e8
Total devices displayed: 3
• fcrProxyDevShow shows the proxy devices in the LSAN.
FC routers in the same backbone that support this feature. Verify the configured maximum limit against the LSANs configured using the fcrResourceShow command.

HA and downgrade considerations for LSAN zones
Be aware of how LSAN zones impact high availability and firmware downgrades:
• The LSAN zone matrix is synchronized to the standby CP.
• On a dual CP switch, both CPs must have Fabric OS v5.3.0 or later.
FIGURE 89 Example of setting up Enforce LSAN tag
FC router 1 does not need to know about the LSAN between edge fabrics 2 and 3. Likewise, FC router 3 does not need to know about the LSAN between edge fabrics 1 and 2. In this scenario, you could set up two Enforce tags, one for each LSAN. On FC router 2, both Enforce tags would be needed, since FC router 2 uses both LSANs. FC router 1 and FC router 3 each need only one tag, for their respective LSANs.
You can specify up to eight Enforce tags on an FC router. For example, in the figure above, you could configure the following Enforce tags on the FC routers:
• For FC router 1, configure one Enforce tag, "21". FC router 1 would accept all LSAN zones starting with "LSAN_21", and so would accept LSAN_21_fab, but not LSAN_23fabrics.
• For FC router 2, configure two Enforce tags, "21" and "23".
FIGURE 90 Example of setting up Speed LSAN tag

Rules for LSAN tagging
Note the following rules for configuring LSAN tags:
• You configure the tags on the FC router, and not on the edge switches. If Virtual Fabrics is enabled, you configure the tags on the base switch on which the EX_Ports and VEX_Ports are located. You then must ensure that the LSAN zones in the edge fabrics incorporate the tags correctly.
• The LSAN tags are configured per FC router, not per fabric.
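The Enforce-tag matching rule above (a tag "21" makes the router accept zone names beginning with "LSAN_21") and the limit of eight tags per FC router can be written down directly, which is useful when checking a zone database before it is pushed to an edge fabric. The following Python code is an added example, not Brocade code; the zone names other than LSAN_21_fab and LSAN_23fabrics are constructed, and comparing the tag text exactly as configured (while the LSAN_ prefix itself is matched case-insensitively, as Fabric OS does) is an assumption.

```python
"""LSAN Enforce-tag filtering as this section describes it.

Added example for this guide, not Brocade code. Tag values and the two zone
names LSAN_21_fab / LSAN_23fabrics come from the Enforce-tag scenario above;
the other zone names are constructed.
"""

MAX_ENFORCE_TAGS = 8          # the guide's limit per FC router
LSAN_PREFIX = "lsan_"         # Fabric OS matches the LSAN_ prefix case-insensitively


def validate_enforce_tags(tags):
    """Reject a tag set the router would not accept: too many, empty or duplicated tags."""
    tags = list(tags)
    if len(tags) > MAX_ENFORCE_TAGS:
        raise ValueError(f"at most {MAX_ENFORCE_TAGS} Enforce tags per FC router, got {len(tags)}")
    if any(not t for t in tags) or len(set(tags)) != len(tags):
        raise ValueError("Enforce tags must be non-empty and unique")
    return tags


def is_lsan_zone(zone_name):
    """Only zones whose name starts with LSAN_ take part in FC-FC routing at all."""
    return zone_name[:len(LSAN_PREFIX)].lower() == LSAN_PREFIX


def lsan_accepted(zone_name, enforce_tags):
    """True if an FC router configured with these Enforce tags imports this zone.

    - With no Enforce tags, every LSAN zone is accepted.
    - With Enforce tags, the name must start with LSAN_<tag> for one of the
      tags (tag text compared exactly as configured; an assumption here):
      "21" accepts LSAN_21_fab but not LSAN_23fabrics, as in the text.
    """
    if not is_lsan_zone(zone_name):
        return False
    tags = validate_enforce_tags(enforce_tags)
    if not tags:
        return True
    rest = zone_name[len(LSAN_PREFIX):]
    return any(rest.startswith(tag) for tag in tags)


def partition_zones(zone_names, enforce_tags):
    """Split a fabric's zone list into (imported, ignored) for one FC router."""
    imported = [z for z in zone_names if lsan_accepted(z, enforce_tags)]
    ignored = [z for z in zone_names if z not in imported]
    return imported, ignored


if __name__ == "__main__":
    zones = ["LSAN_21_fab", "LSAN_23fabrics", "lsan_untagged", "zone_local"]
    for router, tags in (("FC router 1", ["21"]), ("FC router 2", ["21", "23"]),
                         ("FC router 3", ["23"])):
        print(router, partition_zones(zones, tags))
```

Note the side effect the rules list implies: once any Enforce tag is set on a router, an LSAN zone that carries no tag at all (lsan_untagged above) is no longer imported by that router, so renaming the edge-fabric zones (step 5 of the procedure) is not optional.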
4. Enter the following command to enable the FC router:
switchenable
5. Change the names of the LSAN zones in the edge fabrics to incorporate the tag in the names.
sw0:admin> switchdisable
sw0:admin> fcrlsan --add -enforce enftag1
LSAN tag set successfully
sw0:admin> switchenable

Configuring a Speed LSAN tag
1. Log in to the FC router as admin.
2.
ENFORCE : enftag1
sw0:admin> fcrlsan --show -speed
Total SPEED tags : 1
SPEED : fasttag2
sw0:admin> fcrlsan --show -all
Total LSAN tags : 2
ENFORCE : enftag1
SPEED : fasttag2

LSAN zone binding
LSAN zone binding is an optional, advanced feature that increases the scalability envelope for very large metaSANs. Without LSAN zone binding, every FC router in the backbone fabric maintains the entire LSAN zone and device state database.
FIGURE 91 LSAN zone binding
After you set up LSAN zone binding, each FC router stores information about only those LSAN zones that access its local edge fabrics. The following table shows what LSAN information is stored in each FC router before and after LSAN zone binding is in effect.
TABLE 94 LSAN information stored in FC routers, with and without LSAN zone binding (Continued): columns Without LSAN zone binding | With LSAN zone binding, listing per FC router the entries LSAN 1 through LSAN 4 it stores

LSAN zone binding considerations
• Without LSAN zone binding, the maximum number of LSAN devices is 10,000.
FC router matrix definition
Depending on the structure of the backbone fabric, you can specify pairs of FC routers that can access each other.
3. Enter the following command to add a pair of edge fabrics that can access each other:
FCR:Admin> fcrlsanmatrix --add -lsan fid1 fid2
The variables fid1 and fid2 are the fabric IDs of the edge fabrics.
4.
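To see what LSAN zone binding actually removes from each router's database, the following Python model (an added example, not Brocade code) recomputes the kind of per-router table that Table 94 shows. The routers, their local edge FIDs and the four LSANs are constructed. The model follows the text for storage (without binding every FC router keeps every LSAN; with binding a router keeps only LSANs that touch one of its local edge fabrics) and treats the FID pairs added with fcrlsanmatrix --add -lsan as the set of edge-fabric pairs allowed to form an LSAN, which is an interpretation of that command rather than a statement from the guide.

```python
"""What LSAN zone binding changes in each FC router's LSAN database.

Added example for this guide, not Brocade code. Routers, edge fabric IDs,
LSAN membership and the matrix pairs are constructed. Treating matrix pairs
as the only fabric pairs allowed to form an LSAN is an interpretation of
fcrlsanmatrix --add -lsan, not a statement taken from the guide.
"""

# FC router -> set of edge FIDs it attaches through its EX_Ports (constructed).
ROUTERS = {"FCR1": {1}, "FCR2": {2, 3}, "FCR3": {4}}
# LSAN zone -> the two edge FIDs it joins (constructed).
LSANS = {"LSAN_1": (1, 2), "LSAN_2": (2, 3), "LSAN_3": (3, 4), "LSAN_4": (1, 4)}
# Pairs added with fcrlsanmatrix --add -lsan fid1 fid2 (constructed; (1, 4) is absent).
MATRIX = {(1, 2), (2, 3), (3, 4)}


def pair(a, b):
    """Normalise a fabric pair so (4, 1) and (1, 4) are the same matrix entry."""
    return (a, b) if a <= b else (b, a)


def lsan_allowed(lsan_fids, matrix):
    """An empty matrix allows everything; otherwise the FID pair must be listed."""
    return not matrix or pair(*lsan_fids) in matrix


def lsan_tables(routers, lsans, matrix, binding):
    """Return {router: sorted names of the LSANs that router stores}."""
    tables = {}
    for router, local_fids in routers.items():
        kept = []
        for name, fids in sorted(lsans.items()):
            if binding and not lsan_allowed(fids, matrix):
                continue          # pair not in the matrix: LSAN is not established
            if binding and not (local_fids & set(fids)):
                continue          # touches no local edge fabric: not stored here
            kept.append(name)
        tables[router] = kept
    return tables


def entries_stored(tables):
    """Total LSAN entries across all routers, the quantity binding is meant to shrink."""
    return sum(len(v) for v in tables.values())


if __name__ == "__main__":
    for binding in (False, True):
        t = lsan_tables(ROUTERS, LSANS, MATRIX, binding)
        print("binding" if binding else "no binding", entries_stored(t), t)
```

With three routers and four LSANs the database shrinks from 12 entries to 5; on a metaSAN approaching the 10,000-device limit quoted in the considerations above, that reduction is the whole point of the feature.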
Fabric parameter considerations
By default, EX_Ports and VEX_Ports detect, autonegotiate, and configure the fabric parameters without user intervention. You can optionally configure these parameters manually.
• To change the fabric parameters on a switch in the edge fabric, use the configure command. Note that to access all of the fabric parameters controlled by this command, you must disable the switch using the switchDisable command.
Enabling broadcast frame forwarding
1. Log in to the FC router as admin.
2. Enter the following command:
fcr:admin> fcrbcastconfig --enable -f fabricID
The fabricID variable is the FID of the edge or backbone fabric on which you want to enable broadcast frame forwarding. Broadcast frame forwarding is enabled by default.

Disabling broadcast frame forwarding
1. Log in to the FC router as admin.
2.
Phantom Node WWN:     8192     5413
Phantom Port WWN:     32768    16121
Port Limits:
Max proxy devices:    2000
Max NR_Ports:         1000
Currently Used(column 1: proxy, column 2: NR_Ports):
  0 | 0   34
  1 | 3   34
  4 | 0   0
  5 | 0   0
  6 | 0   0
  7 | 0   0
  8 | 6   34
  9 | 6   34
 10 | 6   34
 11 | 6   34
 12 | 6   34
 13 | 6   34
 14 | 6   34
 15 | 6   34
 16 | 8   34
 17 | 8   34
 18 | 8   34
 19 | 8   34
 20 | 8   34
 21 | 8   34
 22 | 8   34
 23 | 8   34

FC-FC routing and Virtual Fabrics
If Virtual Fabrics is not enabled, FC-FC routing behavior is un
Because XISL use is disallowed, dedicated links must be configured to route traffic across switches in the same logical fabric, as shown in FCIP tunnel configuration on page 547.
ATTENTION
If you connect an EX_Port or VEX_Port from an FC router running Fabric OS v6.1.x or earlier to a logical switch that allows XISL use, the EX_Port or VEX_Port is not disabled; however, this configuration is not supported.
Figure 93 shows a logical representation of the physical chassis and devices in Figure 92. As shown in Figure 93, Fabric 128 and Fabric 15 are edge fabrics connected to a backbone fabric. Fabric 1 is not connected to the backbone, so the device in Fabric 1 cannot communicate with any of the devices in the other fabrics.
FIGURE 94 Backbone-to-edge routing across base switch using FC router in legacy mode
If a backbone fabric has both a Virtual Fabrics-enabled FC router and a Virtual Fabrics-disabled FC router, EX_Ports are not allowed from the base switch of the Virtual Fabrics-enabled FC router to the same edge fabric that is performing backbone-to-edge routing with the Virtual Fabrics-disabled FC router.
Displaying the range of output ports connected to xlate domains
The edge fabric detects only one front domain from an FC router connected through multiple output ports. The output port of the front domain is not fixed to 0; the values can be in a range from 129 through 255. The range of the output ports connected to the xlate domain is from 1 through 128. This range enables the front domain to connect to 127 remote xlate domains.
1.
Port Indexing This appendix shows how to use the switchShow command to determine the mapping among the port index, slot/port numbers, and the 24-bit port ID (PID) on any Brocade Backbone. Enter the switchShow command without parameters to show the port index mapping for the entire platform. Enter the switchShow -slot command for port mapping information for the ports on the blade in a specific slot. Include the --qsfp option to list also the QSFP number, for slots that contain core blades.
Example of port index mapping on an FC16-32 blade of a Brocade DCX 8510-8 Backbone
This example shows the truncated output of the switchShow command for an FC16-32 port blade in slot 1 of a Brocade DCX 8510-8 Backbone. The Address column shows the PID.
This example shows the truncated switchShow output for an FX8-24 application blade on the Brocade DCX 8510-8 Backbone. The assignment of port index numbers to PIDs will vary depending on blade type, platform type, and slot number.
Hexadecimal Conversion
● Hexadecimal overview ..... 585

Hexadecimal overview
Hexadecimal, also known as hex, is a numeral system with a base of 16, usually written by means of the symbols 0-9 and A-F (or a-f). Its primary purpose is to represent the binary code that computers interpret in a format that is easier for humans to read and remember.
Decimal-to-hexadecimal conversion table
TABLE 95 Decimal-to-hexadecimal conversion table
Decimal  Hex    Decimal  Hex    Decimal  Hex    Decimal  Hex
01       01     11       0b     21       15     31       1f
02       02     12       0c     22       16     32       20
03       03     13       0d     23       17     33       21
04       04     14       0e     24       18     34       22
05       05     15       0f     25       19     35       23
06       06     16       10     26       1a     36       24
07       07     17       11     27       1b     37       25
08       08     18       12     28       1c     38       26
09       09     19       13     29       1d     39       27
10       0a     20       14     30       1e     40       28
TABLE 95 Decimal-to-hexadecimal conversion table (Continued)
Decimal  Hex    Decimal  Hex    Decimal  Hex    Decimal  Hex    Decimal  Hex
121      79     131      83     141      8d     151      97     161      a1
122      7a     132      84     142      8e     152      98     162      a2
123      7b     133      85     143      8f     153      99
124      7c     134      86     144      90     154      9a
125      7d     135      87     145      91     155      9b
126      7e     136      88     146      92     156      9c
127      7f     137      89     147      93     157      9d
128      80     138      8a     148      94     158      9e
129      81     139      8b     149      95     159      9f
130      82     140      8c     150      96     160      a0
Index 10-bit addressing mode 66 128-bit encryption, in browser 178 256-area addressing mode 66 A devices 206 hosts 206 switches and fabrics 206 zones 206 account ID 39 account management for Virtual Fabrics 279 accounts changing parameters 139 creating 138 deleting 138 displaying information 138 local database of users 137, 139 lockout policy 143 lockout policy, duration 143 lockout policy, threshold 143 lockouts and denial of service implications 144 managing passwords 139 password policies 140, 144 aa
ACL policy changes 211 Admin Domains 474 IP Filter policy 232 TI zones 368 AD0, ACL management 210 AD0, and Admin Domains 459 AD255, ACL management 210 AD255, and Admin Domains 459 Adaptive Networking bottleneck detection 375 Ingress Rate Limiting 375 overview 375 Quality of Service 375 Top Talkers 375 Traffic Isolation Zoning 375 ad command 465, 466, 471, 474–478, 481 adding Admin Domain members 476 a Top Talker monitor to a port (port mode) 505 frame monitors to a port 500 public key to switch 176 rules
Microsoft Active Directory 161 OpenLDAP 165 RADIUS 154 TACACS+ 168 implementing 471 interaction with Fabric OS features 467 LDAP server 161, 165 logging in to 460 LSAN zones 469 managing 455, 470 member types 461 Microsoft Active Directory service 161 numbering 455 OpenLDAP server 165 physical fabric administrator 458 RADIUS configuration 154 RADIUS server configuration 154 recommended maximum number 455 removing from user accounts 474 removing members 476 renaming 477 requirements 457 role considerations 1
adding 170 data 148 deleting 170 reordering 170 authentication service configuring 148 disabling 170, 171 enabling 170 local 171 Microsoft Active Directory and LDAP 160 modifying 170 OpenLDAP 162, 165 RADIUS 152 remote 148, 171 AUTH module, Virtual Fabric considerations 222 authorization, fabric-wide distribution of policy 230 AUTH policy distributing fabric-wide 230 authUtil command 223–226, 230, 415 auto-assigned FA-PWWN behavior 450 automatic PID assignment, enabling 68 B Backbone assigning fabric ID
advanced settings 401 alert status 393 configuration retention 391 configurations 391 considerations access gateway 392 high availability 391 trunking 391 upgrades and downgrades 391 virtual fabrics 392 disabling 404 displaying status 393 enabling 392 history 390 history retention time 390 licensing 389 limitations 391 parameters 397 slave ports 402 bottleneckMon command 390, 392–394, 397, 398, 402, 404 Broadcast server, described 25 broadcast zones name restriction 309 Brocade adapters, configuring F_Por
authentication server configuration 170 authentication server contact order 170 chassis name 58 logical switch to base switch 292 passwords 45 CHAP alternatives 157 password encryption requirement 157 See also\ DH-CHAP.
restrictions 258 configShow 255 configUpload 255, 257, 262, 328 configure 95, 175, 284, 293 configureChassis 286, 380 date 53 defZone 319, 320 distribute 133, 216, 240, 242 dlsReset 108 dlsSet 108, 114 dlsShow 108 fabricName 59 fabricShow 56, 89 fanShow 88 fcrConfigure 545, 546, 556 fcrXlateConfig 540, 543 fddCfg 216, 237, 240–242, 544 fmMonitor 497, 499–501 for advanced zoning 298 fosConfig 285, 546 fosExec 288 frameLog 110, 111 getting help on 40 haDisable 145 haFailover 145 haShow 88 help 40 ifModeSet 75
configDownload command 258 configuration management for Virtual Fabrics 262 FA-PWWN upload and download considerations 453 format of configuration file 256 in fabrics 261 modifying for switches 258 restoring 260 security considerations 262 setup form 264 supported for FA-PWWN 452 without disabling a switch 260 zones 328 configuration file backing up 257 backup 257 chassis section 256 configDownload command, in Admin Domain context 470 display settings 255 downloading 470 format 256 information not saved 25
CP.
ACL policy 211 Admin Domains 477, 478 all fabric mode Top Talker monitors 507 a Top Talker monitor on a port 506 DCC policy 218 end-to-end monitors 496 frame monitors 500 frame redirect zones 116 IP Filter policy 233 logical switches 289 private key from switch 178 public key from switch 177 rule from an IP Filter policy 237 TI zones 368 zone configurations zone configurations 324 delivery order, forcing for frames 109 deploying secure protocols 173 device accessing 206 configuring authentication 225 conn
authorization policy fabric-wide 230 FCS policies 216 IP Filter policy 237 local ACL policies 240 local user account database 140 distribution policy states 216 DLS computation trigger 108 effect on other logical switches 114 overview 108 rebalancing triggers 112 See also\ Dynamic Load Sharing.
deleting 496 restoring configuration 507 end-to-end performance monitoring 493 end-to-end transport tunnel mode, example 251 enforce LSAN tag 563 enforcement of zones 302 ensuring fabric domains share policies 214 equipment status 88 errShow command 187 ESP, described 247 eth0 port on CP8 blade 47 eth3 port on CP8 blade 47 ethernet address, static 48 about 527 buffer credit management 117 buffer credit recovery 129 buffer requirement calculation 119 buffer-to-buffer credits 117 extended ISLs 529 F_Port buf
PID. 65 authentication availability 221 authentication license 221 authentication policies 221, 230 changing name 59 configurations in 261 connectivity 89 deleting all Top Talker monitors 507 domain policy sharing 214 element authentication 221 fabric-assigned PWWN 449 fabric-assigned PWWNs and DCC policy behavior 219 fabric login. See\ FLOGI.
and FC-FC routing 547 tunnel configuration 547 tunnel hop support 282 FC-NAT, defined 101 FCoE, NPIV required 442 FCR and traffic isolation 348 authentication 543 Brocade 7800 logical switches 533 fcrConfigure command 545, 546, 556 concepts 535 conceptsphantom domains 543 See also\ FCR and FC-FC routing.
creating frame redirect zones 115 deleting frame redirect zones 116 discovering why dropped 110 forcing delivery order 109 restoring unordered delivery order 109 viewing frame redirect zones 116 frame timeout, logging 400 frame types creating to be monitored 498 deleting 499 daemon processes 34 failover and passwords 140 failover on RADIUS server 155 QoS zone-based traffic prioritization considerations 385 support for trunking 512 verifying features 88 history of CLI commands 41 home Admin Domain Microso
IKE policies, null encryption support 253 policies and IPsec 248 implementing Admin Domains 471 indexing ports 581 in-flight compression and port decommissioning 410 in-flight encryption configuring 417 disabling 418 license 407 port decommissioning 410 restrictions 408 in-flight encryption and compression overview 407 ingress rate limiting disabling 377 Virtual Fabrics considerations 376 in-order frame delivery, forcing 109 installing certificates on switch 181 root certificate to Java plugin 183 Inte
autoconfiguration 52 DHCP and stateful IPv6 addresses 50 filter policy address 233 IPv6 policies tunneling IMCP traffic 253 ISL best practices 101 configuring extended 529 fabric parameters 101 logical fabrics and 274 maximum distances in LO mode 62 ISLISL 62 ISL R_RDY mode 104 islShow command 413, 513 ISL trunking disabling 514 enabling 513 over long distance fabrics 516 J L L_Port, described 69 latency bottleneck type 390 Layer 2 routing. See also\ FSPF.
compression 407 encryption 407 Extended Fabrics 527 fabric authentication 221 ICL 484 in-flight encryption 407 Integrated Routing 534 requirements for SID/DID prioritization 378 requirements for trunking 510 licenseShow command 544 limiting traffic from a device 376 link, configuring through a gateway 105 link operating mode 75 link state, in routing 99 link state database 100 Linux FreeRADIUS and Fabric OS user setup 153 LDAP authentication 162, 165 RADIUS server support 155 TACACS+ authentication on 167
ICL limitations 113 traffic flow limitations 113 Microsoft Active Directory service configuring for LDAP 160 groups, creating 161 role, assigning 161 users, adding 161 vendor attributes, adding to schema 162 lossless DLS configuring 114 in Virtual Fabrics 114 lossless dynamic load sharing. See\ lossless DLS.
10-bit addressing mode 440 configuring 441 disabling 442 enabling 442 F_Ports 442 FCoE requirement 442 fixed addressing mode 440 overview 439 PIDs 68 upgrade considerations 440 viewing PID login information 448 viewing port configuration information 447 changing 45, 139 changing defaults 45 CHAP encryption requirement 157 default for accounts 45 limits 45 recovery string 145 recovery string, boot PROM password 144 Password Authentication Protocol (PAP) 157 password database, distribution restrictions 140 p
10-bit addressing mode 66 assigning static 69 automatic assignment 68 binding overview 65 clearing binding 69 core addressing mode 65 maximum number of assignments 67 showing assignments 69 static and NPIV 68 swapping port area IDs 72 WWN-based assignment 67 WWN-based Virtual Fabrics assignment 68 PKI generating DSA or RSA key pairs 176 generating key pairs 177 private key generation 179 public key generation 179 used with SSLpublic key public key infrastructure and encryption 178 platform database 26 pla
policies
  ACL deleting 211
  ACL distribution 240
  activating IP Filter 232
  adding rule to an IP Filter policy 237
  authentication restrictions 225
  cloning an IP Filter 232
  creating DCC 217
  creating FCS 215
  creating for IP Filter 231
  creating SCC 221
  DCC deleting 218
  DCC restrictions 217
  default IP Filter policy rules 236
  deleting IP Filter 233
  deleting rule from an IP Filter policy 237
  device authentication 224
  device authentication and Virtual Fabrics considerations 225
  displaying IP Filter 232
  enforcing IP Filter 236
by index 71
by port area ID 71
by slot and port number 71
logical and zoning 309
logical in ISL 278
lossless dynamic load sharing 112, 114
moving 271
naming 71
port login command 32
port login process 33
ports and applications used by switches 206
port types 69
re-authenticating an E_Port 224
removing frame monitors from 500
restrictions on Backbones 282
restrictions on moving 284
serial connection 38
setting mode 75
setting speed for a port octet 77
slave port bottleneck detection 402
SNMP filtering 195
sp
protocols
  Fibre Channel Common Transport (FC-CT), described 25
  HTTPS, described 173
  IPsec, described 173
  LDAPS, described 173
  SCP, described 173
  secure
    HTTPS 173
    SCP 173
    SNMPv1 173
    SNMPv3 173
    SSHv2 173
  SNMP, described 173
  SSH, described 173
  SSL 178
  SSL, described 173
  telnet 204
QoS
  buffer credit requirement 126
  described 103
  enabled by default 386
  on E_Ports 383
  over FC routers 383
  SID/DID traffic prioritization 377
  traffic prioritization 383
QoS CS_CTL-based frame prioritization 378, 380
QoS port buffer configuration
RADIUS
  ADList 154
  configuration, displaying 171
  configuring 155
  ContextRoleList 154, 168
  disabling 170, 171
  enabling 170
  homeAD 154
  Linux server-based 155
  modifying 170
  overview 133, 152
  user, adding 156
  Virtual Fabrics HomeContext 154
  Windows 2008 support 157
  Windows server-based 157
RASLOG message
  FSPF-1009 359
  ZONE-1062 317
RBAC
  Admin Domain considerations 134
  and Fabric OS 38
  role permissions 135
recommendations for trunk groups 512
recovering a device 34
redirecting frames 115
Registered State Change Notifi
VE_Ports 106
RSA key pair generation 176
RSA RADIUS server 158
RSA RADIUS server, setup 158
RSA SecurID 158
RSCN 57
RSCN. See Registered State Change Notification.
setting
  changing passwords 45
  chassis configurations 78
  chassis management IP interface 49
  date 53
  default zone mode 471
  fabric-wide consistency policy 242
  mask for end-to-end monitors 495
  port speeds 76
  QoS zone-based traffic prioritization 386
  QoS zone-based traffic prioritization over FC routers 387
  static ethernet IP address 49
  time 53
  time zone 54
  time zone interactively 54
settings, configuration 255, 264
SFTP 173
support 175
protocol, described 173
public key authentication 176
SSHv2 protocol 173
s
switch
  access 206
  access methods, Web Tools 37
  ACL policy distribution 240
  activation and deactivation 59
  adding public key 176
  applications used 206
  buffer credits by model 124
  certificates, installing 181
  changing name 58
  configuring without disabling 260
  connecting 62
  connecting to a device 72
  connecting with different firmware 62
  default access 206
  deleting private key 178
  deleting public key 177
  disabling 60, 87
  disabling local switch protection 240
  disabling port 74
  displaying name server contents 33
  enablin
telnet
  blocking access 204
  connection 39
  protocol 204
  unblocking access 205
Terminal Access Controller Access-Control System Plus protocol. See TACACS+.
trunking
  configuring F_Port for Brocade adapters 521
  disabling 514
  disabling F_Port trunking 525
  disabling ISL 514
  displaying F_Port information 525
  displaying information 514
  enabling 513
  enabling ISL 513
  EX_Port 516, 518
  F_Port 518, 526
  F_Port considerations 521
  F_Port for access gateways 519
  F_Port for Brocade adapters 521
  F_Ports and Virtual Fabrics 524
  High Availability support 512
  ICL on DCX and DCX-4S 487
  ISL over long distance fabrics 516
  license requirements 510
  managing 509
  masterless 510
  overview 509
  port
viewing logical fabrics
  ACL policies 211
  alias 308
  authentication parameter settings 226
  compression configuration 414
  current default zone access mode 320
  encryption configuration 414
  fabric-wide consistency policy 241
  frame redirect zones 116
  list of secret key pairs 227
  NPIV port configuration information 447
  policy database distribution settings 240
  port information 430
  virtual PID login information 448
Virtual Fabrics
  context change 294
  logical ISL (LISL) 276
  logical switch
    creating 287
    default 268
    deleting 289
    di
WWN
  format for logical ports 278
  switch WWNs in Admin Domains 462
wwnAddress command 69
WWN-based PID assignment considerations for Virtual Fabrics 68
X
XISL
  default logical switch restriction 282
  ICL port restriction 282
  on FX8-24 282
  See also: extended ISL 274
xlate domain ID 540
xlate domains 540
Z
zone
  accessing 206
  access mode, viewing current 320
  adding a new switch or fabric 329
  adding members
    zone members 310
  administering security 329
  alias
    adding members
      alias members 307
    deleting alias 308
  r
for all 324
for selected zones 325
in effective zone database 325
zone configuration, defined 301
zone object 300
zone types 297
zoneAdd command 310
zone command 115, 116, 327, 357, 363, 366, 368–370
zone configuration database, maximum items 321
zone configurations
  clearing 326
  creating 321
  deleting 324
  disabling 323
  enabling 323
  removing members 322
zoneCreate command 310, 386
zone database, maximum size 320
zone database and Admin Domains 468
zoneDelete command 314
zoneHelp command 298
zone object copy