Administrator Guide

ManualsBrandsDell ManualsComputer AccessoriesPOWEREDGE M1000E

201

202

203

204

205

206

207

208

209

210

Table Of Contents

Contents
Figures
Tables
About This Document
- In this chapter
- How this document is organized
- Supported hardware and software
- What’s new in this document
- Document conventions
- Notice to the reader
- Additional information
  - Brocade resources
  - Other industry resources
- Getting technical help
- Document feedback
Understanding Fibre Channel Services
- In this chapter
- Fibre Channel services overview
- The Management Server
- Platform services
- Management server database
- Topology discovery
- Device login
- High availability of daemon processes
Performing Basic Configuration Tasks
- In this chapter
- Fabric OS overview
- Fabric OS command line interface
- Password modification
  - Default account passwords
- The Ethernet interface on your switch
- Date and time settings
- Domain IDs
  - Displaying the domain IDs
  - Setting the domain ID
- Switch names
  - Customizing the switch name
- Chassis names
  - Customizing chassis names
- Switch activation and deactivation
  - Disabling a switch
  - Enabling a switch
- Switch and enterprise-class platform shutdown
  - Powering off a Brocade switch
  - Powering off a Brocade enterprise-class platform
- Basic connections
  - Device connection
  - Switch connection
Performing Advanced Configuration Tasks
- In this chapter
- PIDs and PID binding overview
- Ports
- Blade terminology and compatibility
- Enabling and disabling blades
  - Enabling blades
  - Disabling blades
- Blade swapping
  - Swapping blades
  - Swapping blades
- Power management
  - Powering off a port blade
  - Powering on a port blade
- Equipment status
- Track and control switch changes
- Audit log configuration
Routing Traffic
- About this chapter
- Routing overview
- Inter-switch links
  - Buffer credits
  - Virtual Channels
- Gateway links
  - Configuring a link through a gateway
- Inter-chassis links
  - Supported topologies
- Routing policies
- Route selection
  - Dynamic Load Sharing
  - Static route assignment
- Frame order delivery
  - Forcing in-order frame delivery across topology changes
  - Restoring out-of-order frame delivery across topology changes
- Lossless Dynamic Load Sharing on ports
- Frame Redirection
Managing User Accounts
- In this chapter
- User accounts overview
  - Role-Based Access Control (RBAC)
  - The management channel
- Local database user accounts
  - Default accounts
  - Local account passwords
- Local account database distribution
- Password policies
- The boot PROM password
- The authentication model using RADIUS and LDAP
Configuring Protocols
- In this chapter
- Security protocols
- Secure Copy
  - Setting up SCP for configUploads and downloads
- Secure Shell protocol
  - SSH public key authentication
- Secure Sockets Layer protocol
- Simple Network Management Protocol
- Telnet protocol
  - Blocking Telnet
  - Unblocking Telnet
- Listener applications
- Ports and applications used by switches
  - Port configuration
Configuring Security Policies
- In this chapter
- ACL policies overview
  - How the ACL policies are stored
  - Policy members
- ACL policy management
- FCS policies
- DCC policies
- SCC policies
  - Creating an SCC policy
- Authentication policy for fabric elements
- IP Filter policy
- Policy database distribution
- Management interface security
Maintaining the Switch Configuration File
- In this chapter
- Configuration settings
  - Configuration file format
- Configuration file backup
  - Uploading a configuration file in interactive mode
- Configuration file restoration
  - Restrictions
  - Configuration download without disabling a switch
- Configurations across a fabric
  - Downloading a configuration file from one switch to another same model switch
  - Security considerations
- Configuration management for Virtual Fabrics
- Brocade configuration form
Installing and Maintaining Firmware
- In this chapter
- Firmware download process overview
- Preparing for a firmware download
- Firmware download on switches
  - Switch firmware download process overview
- Firmware download on an enterprise-class platform
  - Enterprise-class platform firmware download process overview
- Firmware download from a USB device
- FIPS Support
- Test and restore firmware on switches
  - Testing a different firmware version on a switch
- Test and restore firmware on enterprise-class platforms
  - Testing different firmware versions on enterprise-class platforms
- Validating a firmware download
Managing Virtual Fabrics
- In this chapter
- Virtual Fabrics overview
- Logical switch overview
  - Default logical switch
  - Logical switches and fabric IDs
  - Port assignment in logical switches
  - Logical switches and connected devices
- Logical fabric overview
  - Logical fabric and ISLs
  - Logical fabric and ISL sharing
- Management model for logical switches
- Account management and Virtual Fabrics
- Supported platforms for Virtual Fabrics
  - Supported port configurations in the Brocade 5100, 5300, and VA-40FC
  - Supported port configurations in the Brocade DCX and DCX-4S
  - Virtual Fabrics interaction with other Fabric OS features
- Limitations and restrictions of Virtual Fabrics
  - Restrictions on moving ports
- Enabling Virtual Fabrics mode
- Disabling Virtual Fabrics mode
- Configuring logical switches to use basic configuration values
- Creating a logical switch or base switch
- Executing a command in a different logical fabric context
- Deleting a logical switch
- Adding and removing ports on a logical switch
- Displaying logical switch configuration
- Changing the fabric ID of a logical switch
- Changing a logical switch to a base switch
- Setting up IP addresses for a Virtual Fabric
- Removing an IP address for a Virtual Fabric
- Configuring a logical switch to use XISLs
- Changing the context to a different logical fabric
- Creating a logical fabric using XISLs
Administering Advanced Zoning
- In this chapter
- Special zones
- Zoning overview
- Broadcast zones
- Zone aliases
- Zone creation and maintenance
- Default zoning mode
  - Setting the default zoning mode
  - Viewing the current default zone access mode
- Zoning database size
- Zoning configurations
- Zone object maintenance
- Zoning configuration management
  - New switch or fabric additions
  - Fabric segmentation and zoning
- Security and zoning
- Zone merging scenarios
Traffic Isolation Zoning
- In this chapter
- Traffic Isolation Zoning overview
  - TI zone failover
  - FSPF routing rules and traffic isolation
- Enhanced TI zones
- Traffic Isolation Zoning over FC routers
- General rules for TI zones
- Supported configurations for Traffic Isolation Zoning
  - Additional configuration rules for enhanced TI zones
  - Trunking with TI zones
- Limitations and restrictions of Traffic Isolation Zoning
- Admin Domain considerations for Traffic Isolation Zoning
- Virtual Fabric considerations for Traffic Isolation Zoning
- Traffic Isolation Zoning over FC routers with Virtual Fabrics
- Creating a TI zone
  - Creating a TI zone in a base fabric
- Modifying TI zones
- Changing the state of a TI zone
- Deleting a TI zone
- Displaying TI zones
- Setting up TI over FCR (sample procedure)
Administering NPIV
- In this chapter
- NPIV overview
- Configuring NPIV
- Enabling and disabling NPIV
- Viewing NPIV port configuration information
  - Viewing virtual PID login information
Interoperability for Merged SANs
- In this chapter
- Interoperability overview
- Connectivity solutions
- Domain ID offset modes
  - Configuring the Domain_ID offset
- McDATA Fabric mode configuration restrictions
- McDATA Open Fabric mode configuration restrictions
- Interoperability support for logical switches
- Switch configurations for interoperability
  - Enabling McDATA Open Fabric mode
  - Enabling McDATA Fabric mode
  - Enabling Brocade Native mode
- Zone management in interoperable fabrics
  - Zoning restrictions
  - Zone name restrictions
  - Zoning modes
  - Setting the safe zone mode on a stand-alone switch
  - Setting the safe zone mode fabric-wide
  - Disabling safe zone mode
  - Effective zone configuration
  - Saving the effective zone configuration to the Defined Database
- Frame Redirection in interoperable fabrics
- Traffic Isolation zones in interoperable fabrics
- Brocade SANtegrity implementation in mixed fabric SANS
  - Fabric OS Layer 2 Fabric Binding
- E_Port authentication between Fabric OS and M-EOS switches
  - Switch authentication policy
  - Dumb switch authentication
  - Authentication of EX_Port, VE_Port, and VEX_Port connections
  - Authentication of VE_Port-to-VE_Port connections
  - Authentication of VEX_Port-to-VE_Port connections
  - Authentication of VEX_Port-to-VEX_Port connections
- FCR SANtegrity
  - Fabric Binding behavior in a mixed fabric
  - Translate domains do not have Preferred or Insistent Domain ID behavior.
  - Configuring the preferred domain ID and the insistent domain ID
- FICON implementation in a mixed fabric
- Fabric OS version change restrictions in an interoperable environment
- Coordinated Hot Code Load
  - Bypassing the Coordinated HCL check on firmware download
  - Coordinated HCL on switches firmware downloads
  - Upgrade and downgrade considerations for HCL for interoperability
- McDATA-aware features
- McDATA-unaware features
  - M-EOS feature limitations in mixed fabrics
- Supported hardware in an interoperable environment
- Supported features in an interoperable environment
- Unsupported features in an interoperable environment
Managing Administrative Domains
- In this chapter
- Administrative Domains overview
- Admin Domain management for physical fabric administrators
- SAN management with Admin Domains
Administering Licensing
- In this chapter
- Licensing overview
- The Brocade 7800 Upgrade license
- ICL licensing
  - ICL 16-link license
  - ICL 8-link license
- 8G licensing
- Slot-based licensing
- Time-based licenses
  - Configupload and download considerations
  - Expired licenses
- Universal Time-based licenses
- Viewing installed licenses
- Activating a license
- Adding a licensed feature
- Removing a licensed feature
- Ports on Demand
Monitoring Fabric Performance
- In this chapter
- Advanced Performance Monitoring overview
  - Types of monitors
  - Virtual Fabrics considerations for Advanced Performance Monitoring
- End-to-end performance monitoring
- Frame monitoring
- ISL performance monitoring
- Top Talker monitors
- Trunk monitoring
- Displaying end-to-end and ISL monitor counters
- Clearing end-to-end and ISL monitor counters
- Saving and restoring monitor configurations
- Performance data collection
Optimizing Fabric Behavior
- In this chapter
- Adaptive Networking overview
- Ingress Rate Limiting
  - Limiting traffic from a particular device
  - Disabling ingress rate limiting
- QoS: SID/DID traffic prioritization
  - License requirements for traffic prioritization
- QoS zones
- Setting traffic prioritization
- Setting traffic prioritization over FC routers
- Disabling QoS
- Bottleneck detection
- Enabling bottleneck detection on a switch
- Excluding a port from bottleneck detection
- Displaying bottleneck detection configuration details
- Changing bottleneck alert parameters
- Displaying bottleneck statistics
- Disabling bottleneck detection on a switch
Managing Trunking Connections
- In this chapter
- Trunking overview
  - Criteria for managing trunking connections
- Supported hardware
- Recommendations for trunking groups
- Basic trunk group configuration
- Trunking over long distance fabrics
- F_Port trunking
- F_Port masterless trunking
Managing Long Distance Fabrics
- In this chapter
- Long distance fabrics overview
- Extended Fabrics device limitations
- Long distance link modes
- Configuring an extended ISL
  - Enabling long distance when connecting to TDM devices
- Buffer credit management
- Buffer credit recovery
Using the FC-FC Routing Service
- In this chapter
- FC-FC routing service overview
  - Supported platforms for Fibre Channel routing
  - Supported configurations
- Integrated Routing
- Fibre Channel routing concepts
- Setting up the FC-FC routing service
  - Verifying the setup for FC-FC routing
- Backbone fabric IDs
  - Assigning backbone fabric IDs
- FCIP tunnel configuration
- Inter-fabric link configuration
  - Configuring an IFL for both edge and backbone connections
- FC Router port cost configuration
  - Port cost considerations
  - Setting router port cost for an EX_Port
- EX_Port frame trunking configuration
- LSAN zone configuration
- Proxy PID configuration
- Fabric parameter considerations
- Inter-fabric broadcast frames
- Resource monitoring
- FC-FC Routing and Virtual Fabrics
  - Logical switch configuration for FC routing
  - Backbone-to-edge routing with Virtual Fabrics
- Upgrade and downgrade considerations for FC-FC routing
  - How replacing port blades affects EX_Port configuration
- Displaying the range of output ports connected to xlate domains
M-EOS Migration Path to Fabric OS
- In this appendix
- M-EOS fabrics overview
- McDATA Mi10K interoperability
- Fabric configurations for interconnectivity
Inband Management
- In this appendix
- Inband Management overview
- Internal Ethernet devices
- IP address and routing management
- Examples of supported configurations
  - Configuring a Management Station on the same subnet
  - Configuring a Management Station on different subnets
Port Indexing
- In this appendix
- Port indexing on the Brocade 48000 director
- Port indexing on the Brocade DCX backbone
- Port indexing on the Brocade DCX-4S backbone
FIPS Support
- In this appendix
- FIPS overview
- Zeroization functions
  - Power-up self tests
  - Conditional tests
- FIPS mode configuration
  - LDAP in FIPS mode
  - LDAP certificates for FIPS mode
- Preparing the switch for FIPS
Hexadecimal
- Hexadecimal overview
  - Example conversion of the hexadecimal triplet Ox616000
Index

Fabric OS Administrator’s Guide 167

53-1001763-02

Management interface security

To protect the integrity of the IP datagram, the IPsec protocols use hash message authentication

codes (HMAC). To derive this HMAC, the IPsec protocols use hash algorithms like MD5 and SHA to

calculate a hash based on a secret key and the contents of the IP datagram. This HMAC is then

included in the IPsec protocol header and the receiver of the packet can check the HMAC if it has

access to the secret key.

To protect against denial of service attacks, the IPsec protocols use a sliding window. Each packet

gets assigned a sequence number and is only accepted if the packet's number is within the window

or newer. Older packets are immediately discarded. This protects against replay attacks where the

attacker records the original packets and replays them later.

Security associations

A security association (SA) is the collection of security parameters and authenticated keys that are

negotiated between IPsec peers. For the peers to be able to encapsulate and decapsulate the

IPsec packets, they need a way to store the secret keys, algorithms, and IP addresses involved in

the communication. All these parameters needed for the protection of the IP datagram are stored

in a security association (SA). The security associations are in turn stored in a security association

database (SADB).

An IPsec security association is a construct that specifies security properties that are recognized by

communicating hosts. The properties of the SA are the security protocol (AH or ESP), destination IP

address, and Security Parameter Index (SPI) number. SPI is an arbitrary 32-bit value contained in

IPsec protocol headers (AH or ESP) and an IPsec SA is unidirectional. Because most

communication is peer-to-peer or client-to-server, two SAs must be present to secure traffic in both

directions. An SA specifies the IPsec protocol (AH or ESP), the algorithms used for encryption and

authentication, and the expiration definitions used in security associations of the traffic. IKE uses

these values in negotiations to create IPsec SAs. You must create an SA prior to creating an

SA-proposal. You cannot modify an SA once it is created. Use the ipsecConfig --flush manual-sa

command to remove all SA entries from the kernel SADB and re-create the SA. For more

information on the ipSecConfig command, refer to the Fabric OS Command Reference.

IPsec proposal

The IPsec sa-proposal defines an SA or an SA bundle. An SA is a set of parameters that define how

the traffic is protected using IPsec. These are the IPsec protocols to use for an SA, either AH or ESP,

and the encryption and authentication algorithms to use to protect the traffic. For SA bundles,

[AH, ESP] is the supported combination.

Authentication and encryption algorithms

IPsec uses different protocols to ensure the authentication, integrity, and confidentiality of the

communication. Encapsulating Security Payload (ESP) provides confidentiality, data integrity and

data source authentication of IP packets, and protection against replay attacks. Authentication

Header (AH) provides data integrity, data source authentication, and protection against replay

attacks, but unlike ESP, AH does not provide confidentiality.

In AH and ESP, hmac_md5 and hmac_sha1 are used as authentication algorithms. Only in ESP,

3des_cbc, blowfish_cbc, aes256_cbc and null_enc are used as encryption algorithms. Use

Table 41 on page 168 when configuring the authentication algorithm.