HP StorageWorks Fabric OS 6.1.
Legal and notice information © Copyright 2008 Hewlett-Packard Development Company, L.P. © Copyright 2008 Brocade Communications Systems, Incorporated. Hewlett-Packard Company makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.
Contents
About this guide 19
Supported Fabric OS 6.1.x HP StorageWorks hardware
Intended audience
Related documentation
Document conventions and symbols
Rack stability
Reserving a license
Releasing a port from a POD set
Disabling and enabling switches
Disabling and enabling ports
Setting the boot PROM password without a recovery string 86
4/256 SAN Director and DC SAN Backbone Director (short name, DC Director) 86
Recovering forgotten passwords 87
3 Configuring standard security features 89
Security protocols
E_Port authentication
Device authentication policy
Auth policy restrictions
Supported HBAs
6 Managing administrative domains 153
Admin Domain features
Requirements for Admin Domains
Admin Domain access levels
Director restrictions for downgrading
FIPS Support
Public and private key management
Updating the firmware key
FC4-48 and FC8-48 blade exceptions
Conserving power
Blade terminology and compatibility
CP blades
Generating an iSCSI VT for a specific FC target
Manual iSCSI VT creation
Mapping LUNs on a specific port to an iSCSI VT
Deleting LUNs from an iSCSI VT
QoS: SID/DID traffic prioritization
QoS zones
QoS on E_Ports
Supported configurations for traffic prioritization
End-to-end monitors
Adding end-to-end monitors
Setting a mask for an end-to-end monitor
Deleting end-to-end monitors
F_Port Trunking Monitoring 383
Configuration management for trunk areas 383
Trunking for Access Gateway 384
20 Configuring and monitoring FCIP extension services
21 FICON fabrics 423
Fabric OS support for FICON
Platforms supporting FICON
FICON performance statistics 446
FICON emulation monitoring 447
A Configuring the PID format 451
About PIDs and PID binding
Tables
Zoning example
Hardware-enforced non-overlapping zones
Hardware-enforced overlapping zones
License requirements 37
AuditCfg event class operands 52
Daemons that are automatically restarted
Default index/area_ID core PID assignment with no port swap 227
Director terminology and abbreviations 231
Port blades supported by each Director 233
Supported configuration options
About this guide This guide provides information about: • Installing and configuring Fabric OS 6.1.x • Managing user accounts • Using licensed features Supported Fabric OS 6.1.x HP StorageWorks hardware Table 1 lists Brocade and HP StorageWorks product models supported by Fabric OS 6.1.x.
Intended audience This guide is intended for system administrators with knowledge of: • Storage area networks • HP StorageWorks Fibre Channel SAN switches Related documentation The following documents provide related information: • HP StorageWorks Fabric OS 6.1.x release notes • Web Tools administrator’s guide You can find these documents from the Manuals page of the HP Business Support Center website: http://www.hp.
NOTE: Provides additional information. TIP: Provides helpful hints and shortcuts. Rack stability Rack stability protects personnel and equipment. WARNING! To reduce the risk of personal injury or damage to equipment: • Extend leveling jacks to the floor. • Ensure that the full weight of the rack rests on the leveling jacks. • Install stabilizing feet on the rack. • In multiple-rack installations, secure racks together. • Extend only one rack component at a time.
Subscription service HP recommends that you register your product at the Subscriber's Choice for Business website: http://www.hp.com/go/wwalerts. After registering, you will receive e-mail notification of product enhancements, new driver versions, firmware updates, and other product resources. HP websites For additional product information, see the following HP websites: • http://www.hp.com • http://www.hp.com/go/storage • http://www.hp.com/support/manuals Documentation feedback HP welcomes your feedback.
1 Standard features This chapter describes how to configure your HP StorageWorks SAN using the Fabric OS Command Line Interface (CLI). Before you can configure a Storage Area Network (SAN), you must power-up the Director or switch and blades, and then set the IP addresses of those devices. Although this chapter focuses on configuring a SAN using the CLI, you can also use the following methods to configure a SAN: • Web Tools For Web Tools procedures, see the Web Tools Administrator’s Guide.
The following commands provide help files for specific topics to help you understand how to configure your SAN:
diagHelp - Diagnostic help information
ficonHelp - FICON help information
fwHelp - Fabric Watch help information
iscsiHelp - iSCSI help information
licenseHelp - License help information
perfHelp - Performance Monitoring help information
routeHelp - Routing help information
trackChangesHelp - Track Changes help information
zoneHelp - Zoning help information
Connecting to the CLI Read this section for procedures.
The login prompt is displayed when the Telnet connection finds the switch in the network. 5. Enter the account ID at the login prompt. See ”Changing passwords” on page 25 for instructions on how to log in for the first time. 6. Enter the password. If you have not changed the system passwords from the default, you are prompted to change them. Enter the new system passwords, or press Ctrl-C to skip the password prompts. See ”Changing default account passwords at login” on page 26. 7.
NOTE: The default account passwords can be changed from their original value only when prompted immediately following the login; the passwords cannot be changed using the passwd command later in the session. If you skip the prompt, and then later decide to change the passwords, log out and then back in. The default accounts on the switch are admin, user, root, and factory.
To skip a single prompt press Enter. To skip all of the remaining prompts press Ctrl-c.
login: admin
Password:
Please change your passwords now.
Use Control-C to exit or press 'Enter' key to proceed.
for user - root
Changing password for root
Enter new password: ********
Password changed.
Saving password to stable storage.
Password saved to stable storage successfully.
Please change your passwords now.
for user - factory
Changing password for factory
Enter new password: ********
Password changed.
2. Issue the ipAddrShow command:
200E:admin> ipaddrshow
SWITCH
Ethernet IP Address: 102.108.153.238
Ethernet Subnetmask: 255.255.255.0
Fibre Channel IP Address: none
Fibre Channel Subnetmask: 255.255.0.0
Gateway IP Address: 102.108.153.1
DHCP: Off
IPv6 Autoconfiguration Enabled: No
Local IPv6 Addresses:
static 1080::9:800:400c:416a/64
If the Ethernet IP address, subnet mask, and gateway address are displayed, the network interface is configured. Verify that the information is correct.
3. Enter the network information in dotted-decimal notation for the Ethernet IPv4 address and in semicolon-separated notation for IPv6. Example of setting logical switch (sw0)'s IPv6 address on an enterprise-class platform:
ecp:admin> ipaddrset -ipv6 -sw 0 --add 1080::8:800:200C:417B/64
IP address is being changed...Done.
4. Enter the Ethernet Subnetmask at the prompt. 5. Skip Fibre Channel prompts by pressing Enter. The Fibre Channel IP address is used for management. 6.
4. When you are prompted for DHCP[Off], enable it by entering at the prompt:
switch:admin> ipaddrset
Ethernet IP Address [192.168.74.102]:
Ethernet Subnetmask [255.255.255.0]:
Fibre Channel IP Address [220.220.220.2]:
Fibre Channel Subnetmask [255.255.0.0]:
Gateway IP Address [192.168.74.1]:
DHCP [Off]:on
Disabling DHCP When you disable DHCP, enter the static Ethernet IP address and subnet mask of the switch and default gateway address.
• yy is the year; valid values are 00 through 99 (values greater than 69 are interpreted as 1970 through 1999, and values less than 70 are interpreted as 2000-2069).
switch:admin> date
Fri Sep 29 17:01:48 UTC 2007
switch:admin> date "0927123007"
Thu Sep 27 12:30:00 UTC 2007
switch:admin>
For more information on the tsTimeZone command, see the Fabric OS Command Reference. Setting time zones You can set the time zone for a switch by name.
The following example shows how to display the current time zone setup and how to change the time zone to US/Central.
switch:admin> tstimezone
Time Zone : US/Pacific
switch:admin> tstimezone US/Central
switch:admin> tstimezone
Time Zone : US/Central
The following procedure sets the current time zone to Pacific Standard Time using interactive mode: 1. Connect to the switch and log in using an account assigned to the admin role. 2. Issue the tsTimeZone command:
switch:admin> tstimezone --interactive
3.
optional; by default, this value is LOCL, which uses the local clock of the principal or primary switch as the clock server.
switch:admin> tsclockserver
LOCL
switch:admin> tsclockserver "132.163.135.131"
switch:admin> tsclockserver
132.163.135.131
switch:admin>
The following example shows how to set up more than one NTP server using a DNS name:
switch:admin> tsclockserver "10.32.170.1;10.32.170.2;ntp.localdomain.net"
Updating Clock Server configuration...done.
1. Connect to a switch and log in using an account assigned to the admin role. 2. Issue the fabricShow command. Fabric information is displayed, including the Domain ID (D_ID).
switch:admin> fabricshow
Switch ID   Worldwide Name            Enet IP Addr    FC IP Addr      Name
------------------------------------------------------------------------
64: fffc40  10:00:00:60:69:00:06:56   192.168.64.59   192.168.65.59   "sw5"
65: fffc41  10:00:00:60:69:00:02:0b   192.168.64.180  192.168.65.180  >"sw180"
66: fffc42  10:00:00:60:69:00:05:91   192.
• If a license is associated with a blade type, the licensed feature can be used only with the associated blade; if you want to use the feature on a second blade, you must purchase an additional license. Generating a license key The transaction key is case sensitive; it must be entered exactly as it appears in the paperback. To reduce the chance of error, copy and paste the transaction key. The quotation marks are optional. To generate a license key: 1.
If you move a standby CP from one Director to another, the active CP will propagate its configuration (including license keys). 3. Verify that the license was added by issuing the licenseShow command. The licensed features currently installed on the switch display are listed. If the feature is not listed, issue the licenseAdd command again.
Features and required licenses Table 4 lists the licenses that should be installed on the local switch and any connecting switches for a particular feature.
Table 4 License requirements
Feature | License | Where license should be installed
Administrative Domains | No license required. | n/a
Configuration up/download | No license required. Configupload or configdownload is a command and comes with the OS on the switch. | n/a
Diagnostic tools | No license required.
Table 4 License requirements (continued)
Feature | License | Where license should be installed
QoS | Adaptive Networking | Local switch and attached switches.
RADIUS | No license required. | n/a
RBAC | No license required. | n/a
Routing traffic | No license required. This includes port-based or exchange-based routing, static routes, frame-order delivery, and dynamic routes. | n/a
Security | No license required. Includes the DCC, SCC, FCS, IP Filter, and authentication policies. | n/a
SNMP | No license required.
• When you remove the 8-Gbps license, the ports that are online and already running at 8-Gbps are not disturbed until the port goes offline or the switch is rebooted. The switch’s ports return to their pre-licensed state maximum speed of 4-Gbps. Time-based licenses A time-based license applies a try-before-you-buy approach to certain features so that you can experience the feature and its capabilities prior to buying the license.
need to generate a license key from a transaction key supplied with your purchase, see ”Generating a license key” on page 35. Each POD license activates the next group of eight ports in numerical order. For example, the 4/8 SAN Switch or 4/16 SAN Switch activates the first eight with four port increments. Before installing a license key, you must insert transceivers in the ports to be activated. Remember to insert the transceivers in the lowest group of inactive port numbers first.
Displaying the port license assignment Use the licensePort --show command to display the available licenses. You can also view the current port assignment of those licenses and the POD method state (dynamic or static). To display the port licenses: 1. Connect to the switch and log in on an account assigned to the admin role. 2. Issue the licensePort --show command.
4. Issue the licensePort --show command to verify that the switch started the Dynamic POD feature.
Reserving a license Reserving a license for a port assigns a POD license to that port whether the port is online or offline. That license will not be available to other ports that come online before the specified port. To allocate license to a specific port instead of automatically assigning them as the ports come online, reserve a license for the port. The port receives a POD assignment if any are available. To reserve a port license: 1.
Releasing a port from a POD set Releasing a port removes it from the POD set; the port appears as unassigned until it comes back online. Persistently disabling the port ensures that the port cannot come back online and be automatically assigned to a POD assignment. After a port is assigned to a POD set, the port is licensed until it is manually removed from the POD port set using the licensePort --release command.
Disabling and enabling ports By default, all licensed ports are enabled. You can disable and reenable them as necessary. Ports that you activate with Ports on Demand must be enabled explicitly, as described in ”Activating POD” on page 40. WARNING! The fabric will be reconfigured if the port you are enabling or disabling is connected to another switch. The switch whose port has been disabled will be segmented from the fabric and all traffic flowing between it and the fabric will be lost.
the device. When powering the devices back on, wait for each device to complete the fabric login before powering on the next one. Connecting to other switches See the hardware reference guide for your specific switch for interswitch link (ISL) connection and cable management information. The standard or default ISL mode is L0. ISL Mode L0 is a static mode, with the following maximum ISL distances: • 10 km at 1 Gbps • 5 km at 2 Gbps • 2.5 km at 4 Gbps • 1.
Specify a slot/port number pair. Valid values for slot and port number vary depending on the switch type. The mode operand is required: specify 1 to enable ISL R_RDY mode (gateway link) or specify 0 to disable it. In the following example, slot 2, port 3 is enabled for a gateway link:
switch:admin> portcfgislmode 2/3, 1
Committing configuration...done.
ISL R_RDY Mode is enabled for port 3. Please make sure the PID formats are consistent across the entire fabric.
switch:admin>
4.
Fabric connectivity To verify fabric connectivity: 1. Connect to the switch and log in using an account assigned to the admin role. 2. Issue the fabricShow command. This command displays a summary of all the switches in the fabric.
switch:admin> fabricshow
Switch ID   Worldwide Name            Enet IP Addr    FC IP Addr      Name
------------------------------------------------------------------------
64: fffc40  10:00:00:60:69:00:06:56   192.168.64.59   192.168.65.59   "sw5"
65: fffc41  10:00:00:60:69:00:02:0b   192.168.64.180  192.168.
Tracking and controlling switch changes The track changes feature allows you to keep a record of specific changes that may not be considered switch events, but may provide useful information. The output from the track changes feature is dumped to the system messages log for the switch. Use the errDump or errShow command to view the log. Items in the log created from the Track changes feature are labeled TRCK.
2. Issue the switchStatusPolicyShow command. Whenever there is a switch change, an error message is logged and an SNMP connUnitStatusChange trap is sent.
HP StorageWorks 4/8 SAN Switch and 4/16 SAN Switch, 8/8 SAN Switch, 8/24 SAN Switch, 8/40 SAN Switch, 8/80 SAN Switch, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 400 Multi-protocol Router:
switch:admin> switchstatuspolicyset
To change the overall switch status policy parameters
The current overall switch status policy parameters:
               Down  Marginal
----------------------------------
PowerSupplies  2     1
Temp
system message log on an external host in the specified audit message format. This ensures that they can be easily distinguished from other system message log events that occur in the network. Then, at some regular interval of your choosing, you can review the audit events to look for unexpected changes.
NOTE: Only the active CP can generate audit messages because event classes being audited occur only on the active CP. Audit messages cannot originate from other blades in a Director. Audit events have the following message format: AUDIT, , [], , , ///,/,, Switch names are logged for switch components and Director names for Director components.
5. To verify the audit event log setup, make a change affecting an enabled event class, and confirm that the remote host machine receives the audit event messages. The following example shows the SYSLOG (system message log) output for audit logging.
Jun 2 08:33:04 [10.32.220.7.2.2] raslogd: AUDIT, 2006/06/02-15:25:53, [SULB-1003], INFO, FIRMWARE, root/root/NONE/console/CLI, ad_0/ras007_chassis, , Firmwarecommit has started.
Jun 5 06:45:33 [10.32.220.70.2.
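The guide recommends forwarding audit events to a syslog host and reviewing them at a regular interval. The following parser and reviewer is an added example, not part of the HP/Brocade guide: it splits the forwarded AUDIT record into fields and flags events outside an expected set of event classes. The field names are assumptions read off the sample line above (the guide's format string lists placeholders whose names did not survive extraction), and the second sample line is constructed for illustration.

```python
"""Parser and reviewer for Fabric OS AUDIT messages forwarded to syslog.

Added example, not from the HP/Brocade guide. Field names are assumptions
inferred from the guide's sample line; the second sample line is constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Syslog prefix "Jun 2 08:33:04 [10.32.220.7.2.2] raslogd: " followed by the
# AUDIT record. The bracketed host token is matched as it appears in the guide.
_SYSLOG_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"\[(?P<host>[^\]]+)\]\s+raslogd:\s+(?P<record>AUDIT,.*)$"
)


@dataclass
class AuditEvent:
    syslog_host: str
    timestamp: str        # switch-side timestamp, e.g. 2006/06/02-15:25:53
    msg_id: str           # RASLog message id, e.g. SULB-1003
    severity: str         # INFO, WARNING, ...
    event_class: str      # audited event class, e.g. FIRMWARE (assumed name)
    user: str
    role: str
    admin_domain: str
    interface: str        # console on the sample line (assumed name)
    app: str              # CLI on the sample line (assumed name)
    context: str          # ad_0/ras007_chassis (assumed name)
    message: str


def parse_audit_line(line: str) -> Optional[AuditEvent]:
    """Return an AuditEvent for a forwarded AUDIT line, or None for anything else."""
    m = _SYSLOG_RE.match(line.strip())
    if not m:
        return None
    # The record is comma separated, but the free-text message may itself
    # contain commas, so split only on the first eight separators.
    parts = [p.strip() for p in m.group("record").split(",", 8)]
    if len(parts) != 9 or parts[0] != "AUDIT":
        return None
    _, ts, msg_id, sev, cls, who, ctx, _reserved, text = parts
    who_parts = who.split("/")
    if len(who_parts) != 5:
        return None
    user, role, ad, iface, app = who_parts
    return AuditEvent(m.group("host"), ts, msg_id.strip("[]"), sev, cls,
                      user, role, ad, iface, app, ctx, text)


def review(lines, expected_classes=frozenset({"FIRMWARE"})):
    """Parse all lines; return (events, flagged) where flagged events fall
    outside the event classes the reviewer expects to see in this window."""
    events = [e for e in map(parse_audit_line, lines) if e]
    flagged = [e for e in events if e.event_class not in expected_classes]
    return events, flagged


# Constructed sample log: line 1 is the guide's own example, line 2 is made up
# (message id is a placeholder, not a real RASLog id), line 3 is noise.
SAMPLE_LOG = [
    "Jun 2 08:33:04 [10.32.220.7.2.2] raslogd: AUDIT, 2006/06/02-15:25:53, "
    "[SULB-1003], INFO, FIRMWARE, root/root/NONE/console/CLI, "
    "ad_0/ras007_chassis, , Firmwarecommit has started.",
    "Jun 2 09:10:11 [10.32.220.7.2.2] raslogd: AUDIT, 2006/06/02-16:02:40, "
    "[EXAMPLE-0001], INFO, SECURITY, admin/admin/NONE/telnet/CLI, "
    "ad_0/ras007_chassis, , Password policy changed, example only.",
    "Jun 2 09:11:00 [10.32.220.7.2.2] raslogd: not an audit record",
]

if __name__ == "__main__":
    _, flagged = review(SAMPLE_LOG)
    for e in flagged:
        print(f"{e.timestamp} {e.event_class} {e.msg_id} "
              f"{e.user}/{e.role} via {e.interface}: {e.message}")
```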
High Availability of daemon processes Fabric OS 6.x supports automatic restart of non-critical daemons. Starting these non-critical daemons is automatic; you cannot configure the startup process. The following sequence of events occurs when a non-critical daemon fails: 1. When a non-critical daemon fails or dies, a RASLog and AUDIT event message is logged. 2. The daemon is automatically started again. 3.
2 Managing user accounts This chapter provides information and procedures on managing authentication and user accounts for the switch management channel. Overview In addition to the default accounts—root, factory, admin, and user—Fabric OS supports up to 252 additional user-defined accounts in each logical switch (domain). These accounts expand your ability to track account access and audit administrative activities.
Role-Based Access Control (RBAC) Role-Based Access Control (RBAC) defines the capabilities that a user account has, based on the role the account has been assigned. For each role, there is a set of pre-defined permissions on the jobs and tasks that can be performed on a fabric and its associated fabric elements. Fabric OS 6.1.0 uses RBAC to determine which commands a user can issue. When you log in to a switch, your user account is associated with a pre-defined role.
Role permissions Table 9 describes the types of permissions that are assigned to roles.
Table 9 Permission types
Abbreviation | Definition | Description
O | Observe | The user can run commands using options that display information only, such as running userConfig --show -a to show all users on a switch.
M | Modify | The user can run commands using options that create, change, and delete objects on the system, such as running userconfig --change username -r rolename to change a user's role.
Table 10 RBAC permissions matrix (continued)
Category | User | Operator | Switch admin | Zone admin | Fabric admin | Basic switch admin | Admin | Security admin
HA (High Availability) | O | O | OM | N | OM | O | OM | O
iSCSI | O | O | O | O | OM | O | OM | N
License | O | OM | OM | O | OM | O | OM | O
LDAP | N | N | N | N | N | N | OM | OM
Local User Environment | OM | OM | OM | OM | OM | OM | OM | OM
Logging | O | OM | OM | O | OM | O | OM | OM
Management Access Configuration | O | OM | OM | N | OM | O | OM | N
Management Server | O | OM | OM | O
Managing the local database user accounts User add, change, and delete operations are subject to the subset rule: an admin with ADlist 0-10 cannot perform operations on an admin, user, or any role with an ADlist 11-25. The user account being changed must have an ADlist that is a subset of the account that is making the change. About the default accounts Fabric OS provides the following predefined accounts in the local switch user database.
To create an account: 1. Connect to the switch and log in using an admin account. 2. Issue the following command: userConfig --add -r [-h ] [-a ] [-d ] [-x] where: username Specifies the account name, which must begin with an alphabetic character. The name can be from 8 to 40 characters long. It is case-sensitive and can contain alphabetic and numeric characters, the period (.) and the underscore ( _ ).
To change account parameters: When changing account parameters, if you change the ADlist for the user account, all of the currently active sessions for that account will be logged out. For more information about changing the Admin Domain on an account, see Chapter 6, ”Managing administrative domains” on page 153. 1. Connect to the switch and log in using an admin account. 2.
• Only users with Admin roles can change the password for another account. When changing an Admin account password, you must provide the current password. • An admin with ADlist 0-10 cannot change the password on an admin, user, or any role with an ADlist 11-25. The user account being changed must have an ADlist that is a subset of the account that is making the change. • A new password must have at least one character different from the old password. • You cannot change passwords using SNMP.
where is a semicolon-separated list of switch Domain IDs, switch names, or switch WWN addresses. You can also specify -d "*" to send the local user database only to Fabric OS 5.2.0 or later switches in the fabric. Protecting the local user database from distributions Fabric OS 5.2.0 and later allow you to distribute the user database and passwords to other switches in the fabric.
• Digits Specifies the minimum number of numeric digits that must appear in the password. The default value is zero. The maximum value must be less than or equal to the MinLength value. • Punctuation Specifies the minimum number of punctuation characters that must appear in the password. All printable, non-alphanumeric punctuation characters except the colon ( : ) are allowed. The colon is not allowed because it is incompatible with Web Tools. The default value is zero.
Specifies the minimum number of days that must elapse before a user can change a password. MinPasswordAge values range from 0 to 999. The default value is zero. Setting this parameter to a non-zero value discourages users from rapidly changing a password in order to circumvent the password history setting to select a recently-used password. The MinPasswordAge policy is not enforced when an administrator changes the password for another user.
NOTE: Note that the account-locked state is distinct from the account-disabled state. Use the following attributes to set the account lockout policy: • LockoutThreshold Specifies the number of times a user can attempt to log in using an incorrect password before the account is locked. The number of failed login attempts is counted from the last successful login. LockoutThreshold values range from 0 to 999, and the default value is 0. Setting the value to 0 disables the lockout mechanism.
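The password-strength attributes above (Digits and Punctuation with the colon excluded, the Digits-not-above-MinLength rule, the one-character-difference rule) and the LockoutThreshold rule (failures counted from the last successful login, 0 disabling lockout) can be checked off-switch before a passwdCfg change is rolled out. The following is an added example, not Fabric OS code: it models those stated rules so a candidate policy and candidate passwords can be exercised locally. The MinLength default of 8 is an assumption, since this chapter does not state it.

```python
"""Local model of the Fabric OS passwdCfg strength and lockout rules described
in this chapter. Added example, not Fabric OS code; the switch enforces the
real policy. The MinLength default below is an assumption."""
import string
from dataclasses import dataclass

# Every printable, non-alphanumeric character counts as punctuation except the
# colon, which the guide excludes because it is incompatible with Web Tools.
ALLOWED_PUNCT = set(string.punctuation) - {":"}


@dataclass
class PasswordPolicy:
    min_length: int = 8          # assumption: default not stated in this chapter
    digits: int = 0              # default 0; must be <= min_length
    punctuation: int = 0         # default 0
    min_password_age: int = 0    # days; 0 means no minimum age
    lockout_threshold: int = 0   # 0 disables the lockout mechanism

    def __post_init__(self):
        if self.digits > self.min_length:
            raise ValueError("Digits must be less than or equal to MinLength")
        for v in (self.digits, self.punctuation,
                  self.min_password_age, self.lockout_threshold):
            if not 0 <= v <= 999:
                raise ValueError("policy values range from 0 to 999")

    def violations(self, new_pw: str, old_pw: str = "") -> list:
        """Return the rules new_pw breaks; an empty list means it is acceptable."""
        problems = []
        if len(new_pw) < self.min_length:
            problems.append("shorter than MinLength")
        if sum(c.isdigit() for c in new_pw) < self.digits:
            problems.append("fewer digits than Digits")
        if sum(c in ALLOWED_PUNCT for c in new_pw) < self.punctuation:
            problems.append("fewer punctuation characters than Punctuation")
        if ":" in new_pw:
            problems.append("colon is not allowed")
        if old_pw and new_pw == old_pw:
            problems.append("must differ from the old password in at least one character")
        return problems


@dataclass
class AccountState:
    """Failed-attempt counter for one account; the locked state is separate
    from the disabled state, as the guide notes."""
    failed_since_success: int = 0
    locked: bool = False


def record_login(policy: PasswordPolicy, state: AccountState, success: bool) -> AccountState:
    """Apply the lockout rule to one login attempt. Failures are counted from
    the last successful login; a threshold of 0 never locks the account."""
    if state.locked:
        return state                     # locked accounts stay locked until unlocked
    if success:
        state.failed_since_success = 0   # counter restarts at a successful login
    else:
        state.failed_since_success += 1
        if policy.lockout_threshold and \
                state.failed_since_success >= policy.lockout_threshold:
            state.locked = True
    return state


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=8, digits=2, punctuation=1, lockout_threshold=3)
    for candidate in ("Sw1tch#2024", "Sw1tch:2024", "Switches#"):
        print(candidate, policy.violations(candidate) or "ok")
```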
To enable the admin lockout policy: 1. Log in to the switch using an admin or securityAdmin account. 2. Issue the following command: passwdCfg --enableadminlockout The policy is now enabled. To unlock an account: 1. Log in to the switch using an admin or securityAdmin account. 2. Issue the following command: userConfig --change -u where is the name of the user account that is locked out. To disable the admin lockout policy: 1.
To enable LDAP service, you will need to install a certificate on the Microsoft Active Directory server. The configuration applies to all switches and on a Director the configuration replicates itself on a standby CP blade if one is present. It is saved in a configuration upload and applied in a configuration download. You should configure at least two RADIUS servers so that if one fails, the other will assume service.
Table 12 Authentication configuration options (continued) aaaConfig options Description Equivalent setting in Fabric OS 5.1.0 and earlier --radius --switchdb1 --authspec “radius;local” --backup Replaces --radiuslocalbackup. Authenticates management connections against any RADIUS databases. If RADIUS fails because the service is not available, authenticates against the local user database. On On --authspec “ldap” Authenticates management connections n/a against any LDAP database(s) only.
Table 13 Syntax for VSA-based account roles (continued)
Item | Value | Description
Vendor type | 1 | 1 octet, Brocade-Auth-Role; valid attributes for the Brocade-Auth-Role are: SwitchAdmin, ZoneAdmin, FabricAdmin, BasicSwitchAdmin, Operator, User, Admin
Vendor type | 2 | Optional: Specifies the Admin Domain member list. For more information, see ”RADIUS configuration and Admin Domains” on page 73.
Figure 1 Windows 2000 VSA configuration
Linux FreeRadius server For the configuration on a Linux FreeRadius server, define the following in a vendor dictionary file called dictionary.brocade. Include the values outlined in Table 14.
Table 14 dictionary.brocade file entries
Include | Key | Value
VENDOR | Brocade | 1588
ATTRIBUTE | Brocade-AV-Pairs | 2, 3, 4, 5 STRING Admin Domain member list
After you have completed the dictionary file, define the role for the user in a configuration file.
• ADList is a comma-separated list of Administrative Domain numbers to which this account is a member. Valid numbers range from 0 to 255, inclusive. A dash between two numbers specifies a range. Multiple ADList key-value pairs within the same or across the different Vendor-Type codes are concatenated. Multiple occurrences of the same AD number are ignored. RADIUS authentication requires that the account have a valid role through the attribute type Brocade-Auth-Role.
To add the Brocade attribute to the server:
1. Create and save the file $PREFIX/etc/raddb/dictionary.brocade with the following information:
#
# Brocade FabricOS 5.0.1 dictionary
#
VENDOR Brocade 1588
#
# attribute 1 defined to be Brocade-Auth-Role
# string defined in user configuration
#
ATTRIBUTE Brocade-Auth-Role 1 string Brocade
This defines the Brocade vendor ID as 1588, the Brocade attribute 1 as Brocade-Auth-Role, and it is a string value.
2.
Save the file $PREFIX/etc/raddb/client.config and then start the RADIUS server as follows:
$PREFIX/sbin/radiusd

Configuring RADIUS server support with Windows 2000
The instructions for setting up RADIUS on a Windows 2000 server are listed here for your convenience but are not guaranteed to be accurate for your network environment. Always check with your system administrator before proceeding with setup.
NOTE: All instructions involving Microsoft Windows 2000 can be obtained from www.microsoft.
e. After returning to the Internet Authentication Service window, add additional policies for all login types for which you want to use the RADIUS server. After this is done, you can configure the switch.

RSA RADIUS server
Traditional password-based authentication methods are based on one-factor authentication, where you confirm your identity using a memorized password. Two-factor authentication increases security by using a second factor to corroborate identification.
###########################################################################
# brocade.dct -- Brocade Dictionary
#
# (See readme.dct for more details on the format of this file)
###########################################################################
#
# Use the Radius specification attributes in lieu of the Brocade one:
# @radius.
LDAP in FIPS mode, see "Configuring advanced security features" on page 107.
The following are restrictions when using LDAP:
• In Fabric OS 6.1.x and later there will be no password change through Active Directory.
• There is no automatic migration of newly created users from local switch database to Active Directory. This is a manual process explained later.
• LDAP authentication is used on the local switch only and not for the entire fabric.
Adding the adlist
1. From the Windows Start menu, select Programs > Administrative Tools > ADSI.msc. ADSI is a Microsoft Windows Resource Utility. This will need to be installed to proceed with the rest of the setup. For Windows 2003, this utility comes with Service Pack 1 or you can download this utility from the Microsoft website.
2. Go to CN=Users.
3. Right click on Properties. Click the Attribute Editor tab.
4. Double-click the adminDescription attribute. This opens the String Attribute Editor dialog box.
Secret | The shared secrets.
Timeouts | The length of time servers have to respond before the next server is contacted.
Authentication | The type of authentication being used on servers.
To add a RADIUS server to the switch configuration:
1. Connect to the switch and log in using an admin account.
2. Issue the following command:
switch:admin> aaaConfig --add server [-p port] [-s secret] [-t timeout] [-a pap | chap | peap-mschapv2]
where:
server | Enter either a server name or IPv4 or IPv6 address.
If no RADIUS or LDAP configuration exists, turning on the RADIUS authentication mode triggers an error message. When the command succeeds, the event log indicates that the configuration is enabled or disabled. NOTE: When the RADIUS authentication mode is set to radius;local, you cannot downgrade the Fabric OS to any version earlier than 5.2.0. Previous versions do not support the radius;local mode.
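The radius;local mode deserves a precise reading: the local user database is a backup for an unreachable RADIUS service, not for a RADIUS rejection, so a disabled or locked account on the RADIUS server cannot be rescued by a stale local password. The model below is an added example, not Fabric OS code; it walks the configured servers in order with their timeouts, treats the first answer as final, and consults the local database only when every server has timed out and the ";local" backup is configured. Server names, probes and the local password table are constructed.

```python
"""Model of the aaaConfig --authspec "radius;local" decision order.

Constructed illustration, not Fabric OS code.  It shows the point the guide
makes: the local user database is consulted only when every configured
RADIUS server is unreachable, never when a server answers with a rejection.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# A probe answers "accept", "reject", or None when no reply arrives within
# the timeout.  Real servers are replaced by these constructed callables.
Probe = Callable[[str, str, int], Optional[str]]


@dataclass
class RadiusServer:
    """One entry as added with aaaConfig --add server -p port -s secret -t timeout."""
    name: str
    probe: Probe
    port: int = 1812
    timeout: int = 3


def answers(verdict: Optional[str]) -> Probe:
    """Build a constructed probe that always returns the given verdict."""
    return lambda user, password, timeout: verdict


UNREACHABLE: Probe = answers(None)


def check_local(user: str, password: str, local_db: Dict[str, str]) -> str:
    """Local switch database lookup (constructed plaintext table, for illustration only)."""
    return "accept" if local_db.get(user) == password else "reject"


def authenticate(user: str, password: str, servers: List[RadiusServer],
                 authspec: str, local_db: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, source) where source names the database that decided."""
    primary, _, backup = authspec.partition(";")
    if primary == "local":
        return check_local(user, password, local_db), "local"
    if primary != "radius":
        raise ValueError(f"unsupported authspec: {authspec!r}")
    # Servers are contacted in configured order; the first one that answers
    # decides, and a rejection is final (no fallback to the local database).
    for srv in servers:
        verdict = srv.probe(user, password, srv.timeout)
        if verdict is not None:
            return verdict, srv.name
    # Every server timed out.  Only "radius;local" permits the local fallback.
    if backup == "local":
        return check_local(user, password, local_db), "local"
    return "reject", "none"


def demo() -> Dict[str, Tuple[str, str]]:
    """Three constructed scenarios exercising the decision order."""
    local_db = {"admin": "localpw"}          # constructed
    down = RadiusServer("radius1.example", UNREACHABLE)
    refusing = RadiusServer("radius2.example", answers("reject"))
    return {
        # First server down, second answers reject: no local fallback.
        "reject_is_final": authenticate("admin", "localpw", [down, refusing],
                                        "radius;local", local_db),
        # All servers down with the backup configured: local database decides.
        "fallback_on_outage": authenticate("admin", "localpw", [down, down],
                                           "radius;local", local_db),
        # All servers down without the backup: login is refused.
        "no_backup": authenticate("admin", "localpw", [down, down],
                                  "radius", local_db),
    }
```

Running demo() gives reject from radius2.example in the first case, accept from local in the second, and reject with no deciding database in the third, which is why the guide advises at least two servers: with a single server, every outage becomes a local-password login.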
2. Issue the following command:
switch:admin> aaaConfig --change server [-p port] [-t timeout] [-d domain_name]
where:
server | Enter either a server name or IPv4 address. Microsoft's Active Directory does not support IPv6 addresses. Avoid duplicating server listings (that is, listing the same server once by name and again by IP address). Up to five servers can be added to the configuration.
-p port | Optional: Enter a server port. The default is port 389.
Setting the boot PROM password with a recovery string
To set the boot PROM password with a recovery string, see the section that applies to your switch model.
NOTE: Setting the boot PROM password requires accessing the boot prompt, which stops traffic flow through the switch until the switch is rebooted. You should perform this procedure during a planned down time.
4/256 SAN Director and DC SAN Backbone Director (short name, DC Director)
The boot PROM and recovery passwords must be set for each CP blade on the 4/256 SAN Director or DC Director.
To set the boot PROM password for a Director with a recovery string:
1. Connect to the serial port interface on the standby CP blade.
2. Connect to the active CP blade by serial or Telnet and issue the haDisable command to prevent failover during the remaining steps.
3.
Setting the boot PROM password without a recovery string
Although you can set the boot PROM password without also setting the recovery string, HP recommends that you set both the password and the string as described in "Setting the boot PROM password with a recovery string" on page 84. If your site procedures dictate that you must set the boot PROM password without the string, follow the procedure that applies to your switch model.
The following options are available:
Option | Description
1 | Start system. Continues the system boot process.
2 | Recovery password. Lets you set the recovery string and the boot PROM password.
3 | Enter command shell. Provides access to boot parameters.
6. Enter 3.
7. Issue the passwd command at the shell prompt.
NOTE: The passwd command only applies to the boot PROM password when it is entered from the boot interface.
8. Enter your boot PROM password at the prompt, then re-enter it when prompted.
3 Configuring standard security features
This chapter provides information and procedures for configuring standard Fabric OS security features such as protocol and certificate management.
IMPORTANT: Secure Fabric OS is no longer supported in Fabric OS 6.x. However, all features of Secure Fabric OS are included in the base Fabric OS 6.x.
Security protocols
Security protocols provide endpoint authentication and communications privacy using cryptography.
For details on Brocade MIB files, naming conventions, loading instructions, and information about using Brocade's SNMP agent, see the Fabric OS MIB Reference. Table 16 describes additional software or certificates that you must obtain to deploy secure protocols.
Commands that require a secure login channel must originate from an SSH session. If you start an SSH session, and then use the login command to start a nested SSH session, commands that require a secure channel will be rejected. Fabric OS 6.1.x and later supports SSH protocol version 2.0 (ssh2). For more information on SSH, see the SSH IETF website: http://www.ietf.org/ids.by.wg/secsh.html For more information, see SSH, The Secure Shell: The Definitive Guide by Daniel J.
Sample RSA/DSA key pair generation
alloweduser@mymachine: ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/users/alloweduser/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /users/alloweduser/.ssh/id_dsa.
Your public key has been saved in /users/alloweduser/.ssh/id_dsa.pub.
The key fingerprint is:
32:9f:ae:b6:7f:7e:56:e4:b5:7a:21:f0:95:42:5c:d1 alloweduser@mymachine
5.
Example: exporting a public key from the switch
switch:kghanta> sshutil exportpubkey
Enter IP address:192.168.38.244
Enter remote directory:~auser/.ssh
Enter login name:auser
Password:
public key out_going.pub is exported successfully.
8. Append the public key to a remote host by logging in to the remote host, locating the directory where authorized keys are stored, and appending the public key to the file. You may need to refer to the host's documentation to locate where the authorized keys are stored.
9.
Example:
ipfilter --save block_telnet_v4
5. Activate the new ipfilter policy by issuing the following command:
ipfilter --activate policyname
where policyname is the name of the policy you created in step 2.
Example:
ipfilter --activate block_telnet_v4

Unblocking Telnet
To unblock Telnet:
1. Connect to the switch through a means other than Telnet (for example, SSH) and log in as admin.
2.
Summary of SSL procedures
Configure SSL by obtaining, installing, and activating digital certificates for SSL support. Certificates are required on all switches that are to be accessed through SSL. You must also install a certificate in the Java Plug-in on the management workstation, and you may need to add a certificate to your Web browser.
Configuring for SSL involves these major steps, which are shown in detail in the next sections.
1. Choose a Certificate Authority (CA).
2.
IMPORTANT: CA support for the 2048-bit key size is limited. HP recommends selecting 1024 in most cases.

Generating and storing a CSR
After generating a public/private key, perform this procedure on each switch.
1. Connect to the switch and log in as admin.
2. Issue the following command:
switch:admin> seccertutil gencsr
3.
6. Copy and paste this section (including the BEGIN and END lines) into the area provided in the request form; then, follow the instructions to complete and send the request. It may take several days to receive the certificates. If the certificates arrive by e-mail, save them to an FTP server. If the CA provides access to the certificates on an FTP server, make note of the path name and make sure you have a login name and password on the server.
Configuring the browser The root certificate may already be installed on your browser. If it is not, you must install it. To determine whether it is already installed, check the certificate store on your browser. The following procedures are guides for installing root certificates to Internet Explorer and Mozilla Firefox browsers. For more detailed instructions, see the documentation that came with the certificate. To check and install root certificates on Internet Explorer: 1.
3. Issue the keytool command and respond to the prompts: C:\Program Files\Java\j2re1.5.0_06\bin> keytool -import -alias RootCert -file RootCert.crt -keystore ..
• FibreAlliance MIB trap: Associated with the FibreAlliance MIB (FA-MIB), this MIB manages SAN switches and devices from any company that complies with FibreAlliance specifications. If you use both SW-MIB and FA-MIB, you may receive duplicate information. You can disable the FA-MIB, but not the SW-MIB.
You can also use these additional MIBs and their associated traps:
• FICON-MIB (for FICON environments)
• SW-EXTTRAP: Includes the swSsn (Software Serial Number) as a part of Brocade SW traps.
Sample SNMPv3 configuration
switch:admin> snmpconfig --set snmpv3
SNMPv3 user configuration:
User (rw): [snmpadmin1] adminuser
Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..3) [3] 1
New Auth Passwd:
Verify Auth Passwd:
Priv Protocol [DES(1)/noPriv(2)/3DES(3)/AES128(4)/AES192(5)/AES256(6)]): (1..2) [2] 1
New Priv Passwd:
Verify Priv Passwd:
User (rw): [snmpadmin2] shauser
Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..3) [3] 2
New Auth Passwd:
Verify Auth Passwd:
Priv Protocol [DES(1)/noPriv[2]): (1..
Sample accessControl configuration
switch:admin> snmpconfig --set accessControl
SNMP access list configuration:
Access host subnet area in dot notation: [0.0.0.0] 192.168.0.0
Read/Write? (true, t, false, f): [true]
Access host subnet area in dot notation: [0.0.0.0] 10.32.148.0
Read/Write? (true, t, false, f): [true] f
Access host subnet area in dot notation: [0.0.0.0]
Read/Write? (true, t, false, f): [true]
Access host subnet area in dot notation: [0.0.0.0] 10.33.0.
Sample mibCapability configuration
DCX:admin> snmpconfig --show mibcapability
FE-MIB: YES
SW-MIB: YES
FA-MIB: YES
FICON-MIB: YES
HA-MIB: YES
FCIP-MIB: YES
ISCSI-MIB: NO
SW-TRAP: YES
swFCPortScn: YES
swEventTrap: YES
swFabricWatchTrap: YES
swTrackChangesTrap: YES
FA-TRAP: YES
connUnitStatusChange: YES
connUnitEventTrap: YES
connUnitSensorStatusChange: YES
connUnitPortStatusChange: YES
SW-EXTTRAP: NO
FICON-TRAP: YES
linkRNIDDeviceRegistration: YES
linkRNIDDeviceDeRegistration: YES
linkLIRRlistenerAdded: YES
li
Setting up SCP for configuploads and downloads
1. Log in to the switch as admin.
2. Issue the configure command.
3. Enter y or yes at the cfgload attributes prompt.
4. Enter y or yes at the Enforce secure config Upload/Download prompt.
Example of setting up SCP for config upload/download:
switch:admin> configure
Not all options will be available on an enabled switch.
To disable the switch, use the "switchDisable" command.
Configure...
Ports and applications used by switches
If you are using the FC-FC Routing Service, be aware that the secModeEnable command is not supported in Fabric OS 6.1.0. Table 21 lists the defaults for accessing hosts, devices, switches, and zones.
Table 21 Access defaults
Access | Default
Hosts | Any host can access the fabric by SNMP. Any host can Telnet to any switch in the fabric. Any host can establish an HTTP connection to any switch in the fabric.
4 Configuring advanced security features
This chapter provides information and procedures for configuring advanced Fabric OS security features such as Access Control List (ACL) policies, authentication policies, and IP Filtering for HP's Fibre Channel switches.
ACL policies overview
Each supported Access Control List (ACL) policy listed below is identified by a specific name; only one policy of each type can exist, except for DCC policies.
When a policy is activated, the defined policy either replaces the policy with the same name in the active set or becomes a new active policy. If a policy appears in the defined set but not in the active set, the policy was saved but has not been activated. If a policy with the same name appears in both the defined and active sets but they have different values, the policy has been modified but the changes have not been activated.
• "Activating changes to ACL policies" on page 116: Simultaneously save and implement all the policy changes made since the last time changes were activated. The activated policies are known as the "active policy set."
• "Adding a member to an existing policy" on page 117: Add one or more members to a policy. The aspect of the fabric covered by each policy is closed to access by all devices and switches that are not listed in that policy.
Table 25 FCS policy states (continued)
Policy state | Characteristics
Active policy with one entry | A primary FCS switch is designated (local switch), but there are no backup FCS switches. If the primary FCS switch becomes unavailable for any reason, the fabric is left without an FCS switch.
Active policy with multiple entries | A primary FCS switch and one or more backup FCS switches are designated. If the primary FCS switch becomes unavailable, the next switch in the list becomes the primary FCS switch.
Table 26 Switch operations (continued)
Allowed on FCS switches | Allowed on all switches
Any fabric-wide commands | secPolicyAbort
All zoning commands except the show commands | SNMP commands
All AD commands | configupload
 | Any local-switch commands
 | Any AD command that does not affect fabric-wide configuration
FCS enforcement does not apply to pre-5.3.0 switches; they will be able to initiate all operations.
3. Issue the secPolicyFCSMove command; then provide the current position of the switch in the list and the desired position at the prompts. Alternatively, issue the secPolicyFCSMove "From, To" command, where From is the current position in the list of the FCS switch and To is the desired position in the list for this switch.
For example, to move a backup FCS switch from position 2 to position 3 in the FCS list, using interactive mode:
primaryfcs:admin> secpolicyfcsmove
Pos Primary WWN DId swName.
NOTE: Distribution of the FCS policy is allowed from a switch in the FCS list. However, if none of the FCS switches in the existing FCS list are reachable, receiving switches will accept distribution from any switch in the fabric. Local switch configuration parameters control whether a switch accepts or rejects distributions of the FCS policy and whether the switch is allowed to initiate distribution of an FCS policy.
Table 28 DCC policy states (continued)
Policy state | Characteristics
Policy with no entries | Any device can connect to any switch port in the fabric. An empty policy is the same as no policy.
Policy with entries | If a device WWN is specified in a DCC policy, that device is only allowed access to the switch if connected by a switch port listed in the same policy. If a switch port is specified in a DCC policy, it only permits connections from devices that are listed in the policy.
deviceportWWN | The WWN of the device port.
switch | The switch WWN, Domain ID, or switch name. The port can be specified by port or area number. Designating ports automatically includes the devices currently attached to those ports. The ports can be specified using any of the following syntax methods:
(*) Selects all ports on the switch.
(1-6) Selects ports 1 through 6.
[*] Selects all ports and all devices attached to those ports.
[3, 9] Selects ports 3 and 9 and all devices attached to those ports.
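The difference between the round-bracket and square-bracket forms matters for DCC: the square brackets silently pull whatever device happens to be attached at policy-creation time into the policy. The expander below is an added example, not Fabric OS code, that turns the four forms listed above into explicit port numbers and shows which attached devices a bracket form would capture. The switch port count, the switch WWN and the port-to-device map are constructed inputs (on a real switch you would read them from switchShow).

```python
"""Expander for the DCC policy port-selection syntax listed above.

Constructed illustration, not Fabric OS code.  It turns the four forms the
guide shows, (*), (1-6), [*] and [3, 9], into explicit port numbers and
reports whether devices currently attached to those ports are pulled into
the policy (the square-bracket forms).
"""
import re
from typing import Dict, List, NamedTuple


class PortSelection(NamedTuple):
    ports: List[int]                 # ports named by the spec, in order, no duplicates
    include_attached_devices: bool   # True for the [...] forms


def parse_port_spec(spec: str, port_count: int) -> PortSelection:
    """Parse one port specification such as "(1-6)" or "[3, 9]"."""
    m = re.fullmatch(r"\s*([(\[])\s*(.*?)\s*([)\]])\s*", spec)
    if not m or (m.group(1), m.group(3)) not in (("(", ")"), ("[", "]")):
        raise ValueError(f"malformed port specification: {spec!r}")
    body, include_devices = m.group(2), m.group(1) == "["
    ports: List[int] = []
    if body == "*":
        ports = list(range(port_count))          # all ports on the switch
    else:
        for item in body.split(","):
            item = item.strip()
            r = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
            if not r:
                raise ValueError(f"bad port item in {spec!r}: {item!r}")
            lo = int(r.group(1))
            hi = int(r.group(2)) if r.group(2) else lo
            if not 0 <= lo <= hi < port_count:
                raise ValueError(f"port range {item!r} outside 0-{port_count - 1}")
            for p in range(lo, hi + 1):
                if p not in ports:
                    ports.append(p)
    return PortSelection(ports, include_devices)


def dcc_policy_members(switch_wwn: str, spec: str, port_count: int,
                       attached: Dict[int, str]) -> Dict[str, object]:
    """Members a DCC entry for this switch would cover.

    `attached` maps port number -> WWN of the device currently on that port
    (constructed sample; in practice taken from the switch).  Returns the
    switch ports covered and, for bracket forms, the device WWNs that are
    implicitly added because they are attached to those ports.
    """
    sel = parse_port_spec(spec, port_count)
    devices = ([attached[p] for p in sel.ports if p in attached]
               if sel.include_attached_devices else [])
    return {"switch": switch_wwn, "ports": sel.ports, "devices": devices}


# Constructed sample switch: 16 ports, devices on ports 3, 4 and 9.
SAMPLE_WWN = "10:00:00:05:1e:00:00:01"        # constructed placeholder WWN
SAMPLE_ATTACHED = {
    3: "21:00:00:e0:8b:00:00:03",   # constructed device WWN
    4: "21:00:00:e0:8b:00:00:04",   # constructed device WWN
    9: "21:00:00:e0:8b:00:00:09",   # constructed device WWN
}
```

With the constructed map, "[3, 9]" yields ports 3 and 9 plus the two devices on them, while "(3, 9)" yields the same ports and no devices; reviewing that expansion before secPolicyCreate is the cheap way to avoid locking a spare or test device into a DCC policy by accident.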
Creating an SCC policy The switch connection control (SCC) policy is used to restrict which switches can join the fabric. Switches are checked against the policy each time an E_Port-to-E_Port connection is made. The policy is named SCC_POLICY and accepts members listed as WWNs, Domain IDs, or switch names. Only one SCC policy can be created. By default, any switch is allowed to join the fabric; the SCC policy does not exist until it is created.
2. Issue the secPolicyActivate command:
switch:admin> secpolicyactivate
About to overwrite the current Active data.
ARE YOU SURE (yes, y, no, n): [no] y

Adding a member to an existing policy
Add members to the ACL policies by using the secPolicyAdd command. As soon as a policy has been activated, the aspect of the fabric managed by that policy is enforced.
To add a member to an existing ACL policy:
1. Connect to the switch and log in using an account assigned to the admin role.
2.
2. Issue the secPolicyAbort command:
switch:admin> secpolicyabort
Unsaved data has been aborted.
All changes since the last time the secPolicySave or secPolicyActivate commands were entered are aborted.

Configuring the authentication policy for fabric elements
By default, Fabric OS 6.1.0 and later uses DH-CHAP or FCAP protocols for authentication. These protocols use shared secrets and digital certificates, based on switch WWN and public key infrastructure (PKI) technology, to authenticate switches.
elements. Alternatively, a secret key pair for all possible connections may be initially installed, enabling links to be arbitrarily changed while still maintaining a valid secret key pair for any new connection. The switch authentication (AUTH) policy initiates DH-CHAP/FCAP authentication on all E_Ports. This policy is persistent across reboots, which means authentication will be initiated automatically on ports or switches brought online if the policy is set to activate authentication.
switches can have authentication enabled and this will not impact the pre-5.3.0 switches. By default the pre-5.3.0 switches act as passive switches, since they accept incoming authentication requests. Regardless of the policy, E_Port is disabled if the DH-CHAP or FCAP protocol fails to authenticate the attached E_Port.
OFF: This setting turns off the policy. The switch will not support authentication and rejects any authentication negotiation request from another switch.
Supported HBAs
The following HBAs support authentication:
• Emulex LP11000 (Tested with Storport Miniport 2.0 windows driver)
• Qlogic QLA2300 (Tested with Solaris 5.04 driver)

Authentication protocols
Use the authUtil command to perform the following tasks:
• Display the current authentication parameters
• Select the authentication protocol used between switches
• Select the Diffie-Hellman (DH) group for a switch
Run the authUtil command on the switch you want to view or change.
This command works independently of the authentication policy; this means you can initiate the authentication even if the switch is in PASSIVE mode. This command is used to restart authentication after changing the DH-CHAP group, hash type, and shared secret between a pair of switches.
WARNING! This command may bring down the E_Ports if the DH-CHAP shared secrets are not installed correctly.
To re-authenticate E_Ports:
1. Log in to the switch using an account assigned to the admin role.
2.
The output displays the WWN, Domain ID, and name (if known) of the switches with defined shared secrets:
WWN                        DId       Name
----------------------------------------------
10:00:00:60:69:80:07:52    Unknown
10:00:00:60:69:80:07:5c    1         switchA
To set a secret key pair:
1. Log in to the switch using an account assigned to the admin role.
2. On a switch running Fabric OS 4.x, 5.x, or 6.0.0 or later, enter secAuthSecret --set. On a switch running Fabric OS 3.x, enter secAuthSecret "--set".
Fabric-wide distribution of the Auth policy The AUTH policy can be manually distributed to the fabric using the distribute command; there is no support for automatic distribution. To distribute the AUTH policy, see ”To distribute the local ACL policies:” on page 132.
Displaying an IP Filter policy
You can display the IP Filter policy content for the specified policy name, or all IP Filter policies if no policy name is specified. For each IP Filter policy, the policy name, type, persistent state, and policy rules are displayed. The policy rules are listed by rule number in ascending order. There is no pagination stop for multiple screens of information; pipe the output to the more command to achieve this.
1. Log in to the switch using an account assigned to the admin role.
2. Issue the following command:
ipfilter --delete policyname
where policyname is the name of the policy.
3. To permanently delete the policy, issue the following command:
ipfilter --save

IP Filter policy rules
An IP Filter policy consists of a set of rules. Each rule has an index number identifying the rule. There is a maximum of 256 rules within an IP Filter policy.
For every IP Filter policy, the following two rules are always assumed to be appended implicitly to the end of the policy. This ensures that TCP and UDP traffic to dynamic port ranges is allowed, so that management IP traffic initiated from a switch, such as syslog, RADIUS, and FTP, is not affected.
Table 31 Implicit IP Filter rules
Source address | Destination port | Protocol | Action
Any | 1024-65535 | TCP | Permit
Any | 1024-65535 | UDP | Permit
A switch with Fabric OS 5.3.
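The two implicit rules have a consequence that is easy to miss when reading a policy listing: a trailing explicit deny does not close the dynamic port range, because the permit rules sit after it. The evaluator below is an added example, not Fabric OS code, that applies rules in ascending index order, appends the Table 31 rules, and enforces the 256-rule limit. The sample policy, the management subnet in it, and the source addresses are constructed; the guide does not say what happens to a packet that matches no rule at all, so the default_action parameter (deny) is an assumption.

```python
"""Evaluator for an IP Filter policy with the implicit rules of Table 31.

Constructed illustration, not Fabric OS code.  Rules are tested in ascending
index order and the first match decides.  The two permit rules for the
dynamic port range 1024-65535 are appended after the explicit rules, which is
why switch-initiated management traffic (syslog, RADIUS, FTP) still works
when the explicit rules end in a deny.  The action for a packet that matches
nothing is not stated in the guide; default_action="deny" is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_RULES = 256


@dataclass(frozen=True)
class Rule:
    index: int
    source: str                  # "any" or an address/prefix, e.g. "10.32.148.0/24"
    dest_ports: Tuple[int, int]  # inclusive range; (23, 23) for a single port
    protocol: str                # "tcp" or "udp"
    action: str                  # "permit" or "deny"

    def matches(self, src: str, dport: int, proto: str) -> bool:
        lo, hi = self.dest_ports
        if self.protocol != proto or not lo <= dport <= hi:
            return False
        if self.source == "any":
            return True
        return ipaddress.ip_address(src) in ipaddress.ip_network(self.source, strict=False)


# Index values for the implicit rules are constructed markers chosen to sort
# after any explicit rule (explicit indexes are at most 256).
IMPLICIT_RULES = [
    Rule(10_000, "any", (1024, 65535), "tcp", "permit"),
    Rule(10_001, "any", (1024, 65535), "udp", "permit"),
]


def evaluate(policy: List[Rule], src: str, dport: int, proto: str,
             default_action: str = "deny") -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule, or None when the default applied)."""
    if len(policy) > MAX_RULES:
        raise ValueError("an IP Filter policy holds at most 256 rules")
    for rule in sorted(policy, key=lambda r: r.index) + IMPLICIT_RULES:
        if rule.matches(src, dport, proto):
            return rule.action, rule.index
    return default_action, None


# Constructed policy in the spirit of the block_telnet_v4 example: drop Telnet,
# allow SSH only from one (constructed) management subnet.
BLOCK_TELNET_V4 = [
    Rule(1, "any", (23, 23), "tcp", "deny"),
    Rule(2, "10.32.148.0/24", (22, 22), "tcp", "permit"),
]
```

Against this policy a Telnet connection from anywhere is denied by rule 1, SSH from 10.32.148.7 is permitted by rule 2, SSH from 192.0.2.10 falls through to the assumed default, and a UDP packet to port 2049 from any source is permitted by the implicit UDP rule even though no explicit rule mentions it.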
Creating IP Filter policy rules A maximum of 256 rules can be created for an IP Filter policy. The change to the specified IP Filter policy is not saved to the persistent configuration until a save or activate sub-command is run. To add a rule to an IP Filter policy: 1. Log in to the switch using an account assigned to the admin role. 2.
implement the policy for optimization purposes. If a distribution includes an active IP Filter policy, the receiving switches will activate the same IP Filter policy automatically. When a switch receives IP Filter policies, all uncommitted changes left in its local transaction buffer will be lost, and the transaction is aborted. Switches with Fabric OS 5.3.0 or later have the ability to accept or deny IP Filter policy distribution, through the commands fddCfg --localaccept or fddcfg --localreject.
1. Error is returned indicating that the distribution setting must be accepted before you can set the fabric-wide consistency policy. Configuring the database distribution settings The distribution settings control whether a switch accepts or rejects distributions of databases from other switches and whether or not the switch may initiate a distribution. Configure the distribution setting to reject when maintaining the database on a per-switch basis. Table 34 lists the databases supported in Fabric OS 5.3.
To display the database distribution settings:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Issue the following command:
switch:admin> fddcfg --showall
Local Switch Configuration for all Databases:
DATABASE - Accept/Reject
--------------------------------
SCC accept
DCC accept
PWD accept
FCS accept
AUTH accept
IPFILTER accept
Fabric Wide Consistency Policy:- ""
To enable local switch protection:
1.
Table 35 describes how the target switch database distribution settings affect the distribution.
Table 35 ACL policy database distribution behavior
Target switch Fabric OS version | Database setting | Distribution | Results
5.1.0 or earlier | NA | Fails | An error is returned. The entire transaction is aborted and no databases are updated.
5.2.0 | Reject | Fails | The target switch explicitly refuses the distribution. The entire transaction is aborted and no databases are updated.
Table 36 Fabric-wide consistency policy settings
Setting | Value | When a policy is activated
Absent | null | Database is not automatically distributed to other switches in the fabric.
Tolerant | database_id | All updated and new policies of the type specified (SCC, DCC, or both) are distributed to all Fabric 5.2.0 and later switches in the fabric. Pre-Fabric OS 5.2.0 switches are allowed in the fabric, but no automated means are provided to ensure those switches have consistent databases.
Notes on joining a switch to the fabric When a switch is joined to a fabric with a tolerant SCC or DCC fabric-wide consistency policy, the joining switch must have a matching tolerant SCC or DCC fabric-wide consistency policy. If the tolerant SCC or DCC fabric-wide consistency policies do not match, the switch can join the fabric, but an error message flags the mismatch. If the tolerant SCC and DCC fabric-wide consistency policies match, the corresponding SCC and DCC ACL policies are compared.
Table 37 describes the effect of merging fabrics with the same fabric-wide consistency policy that have SCC, DCC, or both policies.
Table 37 Merging fabrics with matching fabric-wide consistency policies
Fabric-wide consistency policy | Fabric A ACL policies | Fabric B ACL policies | Merge results | Database copied
None | None | None | Succeeds | No ACL policies copied.
None | SCC/DCC | Succeeds | No ACL policies copied.
None | None | Succeeds | No ACL policies copied.
Table 39 Fabric merges with tolerant/absent combinations
Fabric-wide consistency policy setting: Tolerant/Absent
Fabric A | Fabric B
SCC;DCC | DCC
SCC;DCC | SCC
DCC | SCC
Expected behavior: Error message logged. Run fddCfg --fabwideset "" from any switch with the desired configuration to fix the conflict. The secPolicyActivate command is blocked until the conflict is resolved.
Table 40 Zeroization behavior (continued)
Keys | Zeroization CLI | Description
Passwords | passwddefault, fipscfg --zeroize | This will remove user-defined accounts in addition to default passwords for the root, admin, and user default accounts. However, only root has permissions for this command, so the securityadmin and admin roles need to use fipscfg --zeroize, which, in addition to removing user accounts and resetting passwords, also does the complete zeroization of the system.
Table 41 FIPS mode restrictions (continued)
Features | FIPS mode | Non-FIPS mode
SSH algorithms | HMAC-SHA1 (mac); 3DES-CBC, AES128-CBC, AES192-CBC, AES256-CBC (cipher suites) | No restrictions
HTTP/HTTPS access | HTTPS only | HTTP and HTTPS
HTTPS protocol/algorithms | TLS/AES128 cipher suite | TLS/AES128 cipher suite (SSL will no longer be supported)
RPC/secure RPC access | Secure RPC only | RPC and secure RPC
Secure RPC protocols | TLS - AES128 cipher suite | SSL and TLS - all cipher suites
SNMP | Read-only ope
To set up LDAP for FIPS mode:
1. Set the switch authentication mode and add your LDAP server by using the commands in the example below. Provide the Fully Qualified Domain Name (FQDN) of the Active Directory server for the hostname parameter while configuring LDAP.
Example of setting up LDAP for FIPS mode:
switch:admin> aaaconfig --add GEOFF5.ADLDAP.
Additional Microsoft Active Directory settings a. Set the following SCHANNEL settings listed in Table 43 to allow. To support FIPS compliant TLS cipher suites on Microsoft’s Active Directory server, allow the SCHANNEL settings listed in Table 43. See the Microsoft website for instructions that explain how to allow the SCHANNEL settings for the ciphers, hashes, key exchange and the TLS protocol.
Exporting an LDAP switch certificate
This option exports the LDAP CA certificate from the switch to the remote host.
1. Connect to the switch and log in as admin.
2. Issue the secCertUtil export -ldapcacert command.
Example of exporting an LDAP CA certificate:
switch:admin> seccertutil export -ldapcacert
Select protocol [ftp or scp]: scp
Enter IP address: 192.168.38.206
Enter remote directory: /users/aUser/certs
Enter Login Name: aUser
Enter LDAP certificate name (must have ".pem" \
suffix):LDAPTestCa.
Overview of steps
1. Optional: Configure RADIUS server
2. Optional: Configure authentication protocols
3. For LDAP only: Install SSL certificate on Microsoft Active Directory server and CA certificate on the switch for using LDAP authentication.
4. Block Telnet, HTTP, and RPC
5. Disable BootProm access
6. Configure the switch for signed firmware
7. Disable root access
8. Enable FIPS
To enable FIPS mode:
1. Log in to the switch using an account assigned the admin or securityAdmin role.
2.
Enforce secure config Upload/Download | Press Enter to accept default.
Enforce firmware signature validation | Yes
Example:
switch:admin> configure
Not all options will be available on an enabled switch.
To disable the switch, use the "switchDisable" command.
Configure...
System services (yes, y, no, n): [no]
…
cfgload attributes (yes, y, no, n): [no] yes
Enforce secure config Upload/Download (yes, y, no, n): [no]
Enforce firmware signature validation (yes, y, no, n): [no] yes
8.
5 Maintaining the switch configuration file
This chapter provides procedures for basic switch configuration maintenance.
Configuration settings
It is important to maintain consistent configuration settings on all switches in the same fabric because inconsistent parameters (such as inconsistent PID formats) can cause fabric segmentation.
4. Respond to the Protocol (scp or ftp), Server Name or IP Address, User name, File name, and Password prompts as follows:
Protocol (scp or ftp) | If your site requires the use of Secure Copy, specify SCP. Otherwise, specify FTP. If you leave it blank, the default specified in [ ] is used.
Server Name or IP Address | Enter the name or IP address of the server where the file is to be stored; for example, 192.1.2.3. You can enter a server name if DNS is enabled. For details about the dnsConfig command, see the Fabric OS Command Reference.
Restoring a configuration Restoring a configuration involves overwriting the configuration on the switch by downloading a previously saved backup configuration file. WARNING! Make sure that the configuration file you are downloading is compatible with your switch model, because configuration files from other model switches might cause your switch to fail.
Configuration download without disabling a switch is independent of the hardware platform and supported on all hardware platforms running Fabric OS 5.2.0 and later. To restore a configuration: 1. Verify that the FTP service is running on the server where the backup configuration file is located. 2. Connect to the switch and log in as admin. 3.
Protocol (scp or ftp) [ftp]:
Server Name or IP Address [host]: 10.1.2.3
User Name [user]: JohnDoe
File Name [config.txt]: /pub/configurations/config.txt
*** CAUTION ***
This command is used to download a backed-up configuration for a specific switch. If using a file from a different switch, this file's configuration settings will override any current switch settings. Downloading a configuration file, which was uploaded from a different type of switch, may cause this switch to fail.
Table 45 Backup and restore in a FICON CUP environment (continued)
ASM bit: on
Command: configDownload
Description: Files saved on the switch that are also present in the FICON_CUP section of the configuration file are overwritten. Files in the FICON section of the configuration file that are not currently present on the switch are saved. The IPL file is not replaced, because active=saved mode is on. A warning message is displayed in the syslog to warn that the IPL file is not being overwritten.
Configuration form Use Table 46 as a hard copy reference for your configuration information. In the hardware reference manuals for the 4/256 SAN Director and DC SAN Backbone Director (short name, DC Director) there is a guide for FC port setting tables. The tables can be used to record configuration information for the various blades.
6 Managing administrative domains This chapter provides procedures for using administrative domains (Admin Domain or AD). An Admin Domain is a logical grouping of fabric elements that defines what switches, ports, and devices you can view and modify. An Admin Domain is a filtered administrative view of the fabric. NOTE: If you do not implement Admin Domains, the feature has no effect on users and you can skip this chapter. Admin Domains permit access to a configured set of users.
Figure 5 Fabric with two Admin Domains (AD1 and AD2; figure not reproduced here)
Figure 6 shows how users get a filtered view of this fabric, depending on which Admin Domain they are in. As shown in Figure 7, users can see all switches and E_Ports in the fabric, regardless of their Admin Domain; however, the switch ports and end devices are filtered, based on Admin Domain membership.
Admin Domain features Admin Domains allow you to: • Define the scope of an Admin Domain to encompass ports and devices within a switch or a fabric. • Share resources across multiple Admin Domains. For example, you can share array ports and tape drives between multiple departments. In Figure 5, one of the storage devices is shared between AD1 and AD2. • Have a separate zone database for each Admin Domain. See ”Admin Domains, zones, and zone databases” on page 172 for more information.
Table 47 lists each Admin Domain user type and describes its administrative access and capabilities.
Table 47 AD user types
User type: Physical fabric administrator
Description: User account with Admin role and with access to all Admin Domains (AD0 through AD255). Creates and manages all Admin Domains. Assigns other administrators or users to each Admin Domain. Only a physical fabric administrator can create other physical fabric administrators.
AD0 is useful when you create Admin Domains because you can see which devices, switch ports, and switches have not yet been assigned to any Admin Domains. AD0 owns the root zone database (legacy zone database). During zone merge or zone update, only the root zone database is exchanged with AD-unaware switches. AD255 AD255 is used for Admin Domain management. You can use AD255 to get an unfiltered view of the fabric and to view the hierarchical zone databases of AD0 through AD254.
• The Admin Domain list for the default admin account is 0–255, which gives this account automatic access to any Admin Domain as soon as the domain is created, and makes this account a physical fabric administrator. • The Admin Domain list for the default user account is AD0 only. • For user-defined accounts, the home Admin Domain also defaults to AD0 but an administrator can set the home Admin Domain to any Admin Domain to which the account has been given access.
NOTE: If the switch domain ID changes, the domain,index members are invalid (they are not automatically changed). You must then reconfigure the Admin Domain with the current domain,index members. Switch members Switch members are defined by the switch WWN or Domain ID and have the following properties: • A switch member grants administrative control to the switch. • A switch member grants port control for all ports in that switch.
Figure 8 Fabric showing switch and device WWNs (figure not reproduced here; it shows AD3 and AD4, switches with Domain ID 1 and Domain ID 2, and the WWNs 10:00:00:00:c7:2b:fd:a3, 10:00:00:00:c2:37:2b:a3, 10:00:00:05:1f:05:23:6f, 10:00:00:05:2e:06:34:6e, and 10:00:00:00:c8:3a:fe:a2)
Figure 9 shows the filtered view of the fabric as seen from AD3 and AD4. The switch WWNs are converted to the NAA=5 syntax; the device WWNs and Domain IDs remain the same.
Compatibility Admin Domains can be implemented in fabrics with a mix of AD-capable switches and non-AD-capable switches. The following considerations apply: • In mixed-fabric configurations, the legacy switches allow unfiltered access to the fabric and its devices; therefore, these legacy switches should be managed by the physical fabric administrator. • You must zone all ports and devices from legacy switches in the AD0 root zone database.
How you end the transaction determines the disposition of the Admin Domain configuration in the transaction buffer. The following commands end the Admin Domain transaction: ad --save Saves the changes in the transaction buffer to the defined configuration in persistent storage and propagates the defined configuration to all switches in the fabric.
If you specify AD name = AD15 and the lowest available AD number is 6, AD name is AD15 and AD number is 15. Because the specified name is in the format ADn, the AD number is assigned to be n and not the lowest available AD number. The Admin Domain name cannot exceed 63 characters and can contain alphabetic and numeric characters. The only special character allowed is an underscore ( _ ). When you create an Admin Domain, you must specify at least one member (switch, switch port, or device).
• If you do not specify one, the home Admin Domain is the lowest valid Admin Domain in the numerically-sorted AD list. • Users can log in to their Admin Domains and create their own Admin Domain-specific zones and zone configurations. • Adding an Admin Domain list, home Admin Domain, and role to a user configuration is backward compatible with pre-Fabric OS 5.2.0 firmware. When you downgrade to pre-Fabric OS 5.2.0 firmware, the userConfig command records are interpreted using legacy logic.
where username is the account from which the Admin Domain is being removed (the account must already exist), admindomain_ID is the home Admin Domain, and admindomain_ID_list is the Admin Domain list to be removed from the existing list. If the -h argument is not specified, the home Admin Domain either remains as it was or becomes the lowest Admin Domain ID in the remaining list. Activating and deactivating Admin Domains An Admin Domain can be in either an active or inactive state.
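The naming, numbering, and home-Admin-Domain rules in this section are easy to get wrong by hand, so the following Python block models them as an added example for this guide (it is not Fabric OS code). It assigns an AD number the way ad --create does (a name of the form ADn fixes the number to n, any other name takes the lowest free number), validates the name and the at-least-one-member rule, recognises a physical fabric administrator from its AD list, and recomputes an account's home Admin Domain after ADs are removed from its list with or without the -h argument. Assumptions made for the example: only the literal prefix AD followed by digits counts as the ADn form, user-created domains occupy AD1 through AD254 (AD0 and AD255 being the reserved root and management domains), and an account may not be left with an empty AD list.

```python
"""Admin Domain numbering and account AD-list maintenance.

Added example modelling the rules in this chapter; not Fabric OS code.
Assumptions: 'AD' + digits is the ADn form, user-created ADs live in
1..254, and an account must keep at least one Admin Domain.
"""
import re
from typing import Dict, Iterable, List, Optional, Set

AD_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,63}$")   # <=63 chars: letters, digits, underscore
ADN_FORM_RE = re.compile(r"^AD(\d+)$")             # 'ADn' names fix the AD number to n
USER_AD_RANGE = range(1, 255)                        # AD1..AD254 are creatable


def assign_ad_number(name: str, in_use: Set[int], members: Iterable[str]) -> int:
    """Return the AD number a new Admin Domain gets, or raise ValueError."""
    if not AD_NAME_RE.match(name):
        raise ValueError(f"invalid AD name {name!r}: 1-63 letters, digits or underscores")
    if not list(members):
        raise ValueError("an Admin Domain needs at least one switch, port or device member")
    m = ADN_FORM_RE.match(name)
    if m:                                  # ADn: the number is n, not the lowest free one
        n = int(m.group(1))
        if n not in USER_AD_RANGE:
            raise ValueError(f"{name}: AD number {n} is outside AD1..AD254")
        if n in in_use:
            raise ValueError(f"{name}: AD number {n} is already in use")
        return n
    for n in USER_AD_RANGE:                # any other name: lowest available number
        if n not in in_use:
            return n
    raise ValueError("no free AD numbers")


def default_home(ad_list: Iterable[int]) -> int:
    """Home AD defaults to the lowest AD in the numerically sorted list."""
    return min(ad_list)


def is_physical_fabric_admin(account: Dict) -> bool:
    """Admin role plus access to every AD (0..255) makes a physical fabric administrator."""
    return account["role"] == "admin" and set(range(256)) <= set(account["ad_list"])


def remove_ad_access(account: Dict, remove: Iterable[int],
                     new_home: Optional[int] = None) -> Dict:
    """Model removing an AD list from an account, with or without -h.

    Without -h the home AD stays if it survives, otherwise it becomes the
    lowest remaining AD. With -h the requested home must still be accessible.
    """
    drop = set(remove)
    remaining: List[int] = sorted(n for n in account["ad_list"] if n not in drop)
    if not remaining:
        raise ValueError("account would be left with no Admin Domain")   # assumed guard
    if new_home is not None:
        if new_home not in remaining:
            raise ValueError(f"home AD{new_home} is not in the remaining list {remaining}")
        home = new_home
    elif account["home"] in remaining:
        home = account["home"]
    else:
        home = remaining[0]
    return {**account, "ad_list": remaining, "home": home}


if __name__ == "__main__":
    print(assign_ad_number("AD15", {1, 2, 3, 4, 5}, ["1,3"]))      # 15
    print(assign_ad_number("Finance", {1, 2, 3, 4, 5}, ["1,3"]))   # 6
    jdoe = {"name": "jdoe", "role": "user", "ad_list": [1, 3, 7], "home": 3}
    print(remove_ad_access(jdoe, [3]))                              # home falls back to 1
```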
The following example deactivates Admin Domain AD_B4.
switch:AD255:admin> ad --deactivate AD_B4
You are about to deactivate an AD. This operation will fail if an effective zone configuration exists in the AD
Do you want to deactivate 'AD_B4' admin domain (yes, y, no, n): [no] y
switch:AD255:admin>
Adding and removing Admin Domain members
Use the following procedures to add or remove members of an Admin Domain.
NOTE: If you remove the last member of an Admin Domain, that Admin Domain is automatically deleted.
4. Issue the appropriate command, based on whether you want to save or activate the Admin Domain definition:
• To save the Admin Domain definition, issue the ad --save command.
• To save the Admin Domain definition and directly apply the definition to the fabric, issue the ad --apply command.
The following example removes port 5 of domain 100 and port 3 of domain 1 from AD1.
sw5:AD255:admin> ad --remove 1 -d "100,5; 1,3"
The following example removes switch 100 from the membership list of AD4.
6. Issue the ad --apply command to save the Admin Domain definition and directly apply the definition to the fabric. The following example deletes Admin Domain AD_B3. switch:AD255:admin> ad --delete AD_B3 You are about to delete an AD.
3. Issue the following command. ad --validate ad_id -m mode If you do not specify any parameters, the entire AD database (transaction buffer, defined configuration, and effective configuration) is displayed. If you do not specify an Admin Domain, information about all existing Admin Domains is displayed. The -m mode flag can be used as follows: • 0 to display the Admin Domain configuration in the current transaction buffer.
Table 48 Ports and devices in CLI output
domain,port: shown when the port is specified in the domain,port member list of the Admin Domain, or when one or more WWNs specified in the AD member list is attached to that domain,port.
Device WWN: shown when the device WWN is specified in the AD WWN member list, or when the device WWN is attached to one of the domain,port entries specified in the AD member list.
RASLog and syslog output is not filtered based on AD membership.
switch:AD1:admin> ad --show
Current AD Number: 1 AD Name: TheSwitches
Effective configuration:
-----------------------
AD Number: 1 AD Name: TheSwitches State: Active
Switch WWN members: 50:06:06:99:00:2a:e9:01; 50:00:51:e0:23:36:f9:01; 50:06:06:98:05:be:99:01;
Switching to a different Admin Domain context
You can switch between different Admin Domain contexts. This option creates a new shell with a new Admin Domain context. If the corresponding Admin Domain is not yet activated, the operation fails.
Table 49 Admin Domain interaction with Fabric OS features (continued)
Fabric OS feature: FC-FC Routing Service
Admin Domain interaction: You can create LSAN zones as a physical fabric administrator or as an individual AD administrator. The LSAN zone can be part of the root zone database or the AD zone database. FCR collects the LSAN zones from all ADs. If both edge fabrics have matching LSAN zones and both devices are online, FCR triggers a device import.
Using the zone --validate command, you can see all zone members that are not part of the current zone enforcement table, but are part of the zoning database. A member might not be part of the zone enforcement table because: • The device is offline. • The device is online, but is connected to a non-AD-capable switch. • The device is online, but is not part of the current Admin Domain. For more information about the zone command and its use with Admin Domains, see the Fabric OS Command Reference.
See ”Using the FC-FC routing service” on page 311 for additional information about LSAN zones. Configuration upload and download in an AD context The behavior of configUpload and configDownload varies depending on the AD context and whether the switch is a member of the current Admin Domain. In the AD context, these commands include only the zone configuration of the current Admin Domain.
7 Installing and maintaining firmware
This chapter provides procedures for installing and maintaining firmware. Fabric OS 6.1.0 provides nondisruptive firmware installation. This chapter refers to the following specific types of blades inserted into either Director platform:
• Port blades contain only Fibre Channel ports: FC4-16, FC4-32, FC4-48, FC10-6, FC8-16, FC8-32, FC8-48.
• FC blades or port blades contain only Fibre Channel ports.
If the firmware download process is interrupted by an unexpected reboot, the system will automatically repair and recover the secondary partition. You must wait for the recovery to complete before issuing another firmwareDownload command. The command supports both non-interactive and interactive modes. If the firmwareDownload command is issued without any operands, or if there is any syntax error in the parameters, the command enters an interactive mode, and you are prompted for input.
Preparing for a firmware download Before executing a firmware download, HP recommends that you perform the tasks listed in this section. In the unlikely event of a failure or time-out, the preparation tasks that are described in this section will enable you to provide HP the information required to perform advanced troubleshooting. HP recommends that you perform a configUpload to back up the current configuration before you download firmware to a switch.
Checking connected switches
When checking connected switches, ensure that any older versions are supported. See the recommended version (shown in Table 52) before upgrading firmware on the switch. Go to http://www.hp.com for the latest supported versions of firmware for each switch and to view end-of-life policies.
Table 52 Recommended firmware (switch model: earliest compatible version)
HP StorageWorks 1 Gb Switch: Not supported in same fabric with 6.1.x switches.
HP StorageWorks SAN Director 48 Port 8Gb FC blade (FC8-48): 6.0.0b
HP StorageWorks SAN Director 6 Port 10Gb ISL blade (FC10-6): 6.0.0b
HP StorageWorks 48 Port 4Gb Blade (FC4-48), HP StorageWorks B-Series iSCSI Director Blade (FC4-16IP), HP StorageWorks 4/32B SAN Switch: 5.2.1b
HP StorageWorks MP Router: XPath OS 7.4.x
Fabric Manager: 5.2.0a
Data Center Fabric Manager (DCFM): 10.0.
Firmware download on switches HP StorageWorks 4/8 SAN Switch, 4/16 SAN Switch, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 8/8 SAN Switch, 8/24 SAN Switch, 8/40 SAN Switch, 8/80 SAN Switch, and 400 MP Router switches also maintain primary and secondary partitions for firmware.
The firmware is in the form of RPM packages with names defined in a .plist file. The .plist file contains specific firmware information and the names of packages of the firmware to be downloaded. 4. Connect to the switch and log in as admin. 5. Issue the firmwareShow command to check the current firmware version on connected switches. Upgrade their firmware, if necessary, before you upgrade this switch. See ”Checking connected switches” on page 178 for details. 6. Issue the firmwareDownload command. 7.
CPs are not in sync, you can run firmwareDownload -s on each of the CPs to upgrade them. These operations will be disruptive. If the CPs are not in sync, run the haSyncStart command. If the problem persists, review ”The firmwareDownload command” on page 188. If the firmwareDownload information fails to help resolve the issue, contact HP. During the upgrade process, the Director fails over to its standby CP blade and the IP addresses for the logical switches move to that CP blade's Ethernet port.
4. Connect to the switch and log in as admin. 5. Issue the firmwareShow command to check the current firmware version on connected switches. Upgrade the firmware, if necessary, before proceeding with upgrading this switch. See ”Checking connected switches” on page 178. 6. Issue the haShow command to confirm that the two CP blades are synchronized.
Autoleveling takes place in parallel with the firmware download being performed on the CPs, and does not impact performance. Fibre Channel traffic is not disrupted during autoleveling, but GbE traffic on AP blades may be affected.
sw77:admin> firmwaredownload
Type of Firmware (FOS, SAS, or any application) [FOS]:
Server Name or IP Address: 192.168.32.10
Network Protocol (1-auto-select, 2-FTP, 3-SCP) [1]:
User Name: userfoo
File Name: /home/userfoo/v6.1.
[8]: Thu Jul 28 00:37:50 2005 Slot 7 : Firmware commit is started.
[9]: Thu Jul 28 00:37:50 2005 Slot 2 : Firmware commit has completed.
[10]: Thu Jul 28 00:37:50 2005 Slot 7 : Firmware commit has completed.
(Firmwaredownload has completed.)
11. Issue the firmwareShow command to display the new firmware versions. Following is an example of firmwareShow output on the 4/256 SAN Director.
firmware\ 381MB 2007 Sep 28 15:33
v6.0.1\ 381MB 2007 Oct 19 10:39
config\ 0B 2007 Sep 28 15:33
support\ 0B 2007 Sep 28 15:33
firmwarekey\ 0B 2007 Sep 28 15:33
Available space on usbstorage 79%
Downloading the 6.1.1 image using the relative path
To download the 6.1.1 image using the relative path:
1. Log in to the switch as admin.
2. Issue the firmwareDownload command with the -U operand:
admin>firmwaredownload -U v6.1.1
Downloading the 6.1.1 image using the absolute path
To download the 6.1.
The switch manufacturer generates one private/public key pair. The private key is stored in the privatekey.pem file and the public key in the pubkey.pem file. The private key file is used to sign the firmware files. The public key file is packaged in an RPM-package as part of the firmware, and will be downloaded to the switch. After it is downloaded, it can be used to validate the firmware to be downloaded next time. The public key file on the switch contains only one public key.
The firmwareDownload command As mentioned previously, the public key file will need to be packaged, installed, and run on your switch before downloading a signed firmware. When firmwareDownload installs a firmware file, it needs to validate the signature of the file. Different scenarios are handled as follows: a. If a firmware file does not have a signature, how it is handled depends on the signed_firmware parameter on the switch. If it is enabled, firmwareDownload fails.
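The two sections above describe a signature check in prose; the following Python block is an added example for this guide, not Brocade or HP code, that carries the same decision logic end to end: the manufacturer signs the digest of an image with the private key, and the switch-side check accepts the image only when the signature verifies against the public key already installed, refusing a tampered image, a signature made with another key, or an unsigned image while the signed_firmware parameter is enabled. The real firmware uses a production RSA key pair held in privatekey.pem and pubkey.pem; the toy key pair here (two small Mersenne primes, textbook signing with no padding) is an assumption that only lets the example run offline and is not a secure signature scheme. Accepting an unsigned image when signed_firmware is disabled is the behaviour implied, not stated, by case a above and is assumed here.

```python
"""Signed-firmware acceptance check, as firmwareDownload would apply it.

Added example, not Brocade/HP code. The toy RSA key pair below stands in
for the manufacturer's privatekey.pem / pubkey.pem so the example runs
offline; it is NOT a secure signature scheme.
"""
import hashlib
from typing import Optional, Tuple

# Toy key pair (ASSUMED, insecure): manufacturer keeps D, switch holds (E, N).
P = (1 << 31) - 1                     # 2147483647, prime
Q = (1 << 61) - 1                     # 2305843009213693951, prime
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent (needs Python 3.8+)
SWITCH_PUBKEY = (E, N)                # what pubkey.pem on the switch would provide


def _digest_int(image: bytes) -> int:
    """SHA-256 of the image, reduced into the toy modulus."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % N


def sign_image(image: bytes, d: int = D) -> int:
    """Manufacturer side: sign the image digest with the private key."""
    return pow(_digest_int(image), d, N)


def signature_valid(image: bytes, signature: int, pubkey: Tuple[int, int]) -> bool:
    """Switch side: the public key must recover the digest of the image."""
    e, n = pubkey
    return pow(signature, e, n) == _digest_int(image)


def firmware_download_decision(image: bytes, signature: Optional[int],
                               signed_firmware: bool,
                               pubkey: Tuple[int, int] = SWITCH_PUBKEY) -> Tuple[bool, str]:
    """Return (proceed, reason) following the cases listed in the guide.

    - No signature: fails when the signed_firmware parameter is enabled;
      accepting it when disabled is the implied behaviour, assumed here.
    - Signature present: must verify with the public key already on the
      switch; a tampered image or a signature from another key is refused.
    """
    if signature is None:
        if signed_firmware:
            return False, "unsigned firmware rejected: signed_firmware is enabled"
        return True, "unsigned firmware accepted: signed_firmware is disabled"
    if not signature_valid(image, signature, pubkey):
        return False, "signature does not verify with the public key on the switch"
    return True, "signature verified"


if __name__ == "__main__":
    img = b"constructed firmware image v6.1.0"   # stand-in for an RPM package
    sig = sign_image(img)
    print(firmware_download_decision(img, sig, signed_firmware=True))
    print(firmware_download_decision(img + b"x", sig, signed_firmware=True))
    print(firmware_download_decision(img, None, signed_firmware=True))
```

The order of the checks matters: the signed_firmware policy is consulted only for unsigned images, while an image that carries a signature is always verified, so a bad signature can never be waved through by disabling the parameter.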
Testing and restoring firmware on switches Typically, users downgrade firmware after briefly evaluating a newer (or older) version and then restore the original version of the firmware. Testing a new version of firmware in this manner ensures that you do not replace existing firmware because the evaluated version occupies only one partition on the switch.
IMPORTANT: Stop! If you have completed step 8, you have committed the firmware on the switch and you have completed the firmware download procedure. To restore the original firmware, see step 9 (should be performed after step 6). 9. Restore the firmware. a. Issue the firmwareRestore command. The switch reboots and comes up with the original firmware again. A firmwareCommit automatically begins to copy the original firmware from the primary partition to the secondary partition.
IMPORTANT: If the CPs do not achieve synchronization, stop here. Log in to the standby CP, and issue the firmwareRestore command to restore the original firmware. c. Issue the firmwareShow command to confirm that the primary partition of the standby CP contains the new firmware. d. Issue the haFailover command. The active CP reboots and the current switch session is disconnected. If an AP blade is present: At the point of the failover an autoleveling process is activated.
IMPORTANT: Stop! If you have completed step 11, you have committed the firmware on both CPs and you have completed the firmware download procedure. The following step 12 through step 14 describe how to restore the original firmware, and should be performed after step 5. 12. Restore the firmware on the standby CP. In the current switch session for the standby CP, issue the firmwareRestore command. The standby CP will reboot and the current switch session will end.
BrcdDCXBB:admin> firmwareshow -v
Slot Name Appl Primary/Secondary Versions Status
------------------------------------------------------------------------
6 CP0 FOS v6.1.0 v6.1.0 ACTIVE *
 Co-FOS v6.1.0 v6.1.0
7 CP1 FOS v6.1.0 v6.1.0 STANDBY
 Co-FOS v6.1.0 v6.1.0
* Local CP
The firmwareDownloadStatus command displays an event log that records the progress and status of events during firmwaredownload.
8 Administering Advanced Zoning About zoning Zoning enables you to partition your SAN into logical groups of devices that can access each other. A device can communicate only with other devices connected to the fabric within its specified zone. For example, you can partition your SAN into two zones, winzone and unixzone, so that your Windows servers and storage do not interact with your UNIX servers and storage.
Zone types Table 53 summarizes the types of zoning available. Table 53 Types of zoning Zone type Description Storage-based Storage units typically implement LUN-based zoning, also called LUN masking. LUN-based zoning limits access to the LUNs on the storage port to the specific WWN of the server HBA. It is needed in most SANs. It functions during the probe portion of SCSI initialization. The server probes the storage port for a list of available LUNs and their properties.
Table 54 Approaches to fabric-based zoning (continued) Zoning approach Description Alternative approaches Application Zoning by application typically requires zoning multiple, perhaps incompatible, operating systems into the same zones. This method of zoning creates the possibility that a minor server in the application suite could disrupt a major server (such as a Web server disrupting a data warehouse server).
• When a zone object is the node WWN name, only the specified device is in the zone. • When a zone object is the port WWN name, only the single port is in the zone. The types of zone objects used to define a zone can be mixed. For example, a zone defined with the zone objects 2,12; 2,14; 10:00:00:80:33:3f:aa:11 contains the devices connected to domain 2, ports 12 and 14, and a device with the WWN (either node name or port name) 10:00:00:80:33:3f:aa:11 that is connected on the fabric.
defined configuration if you have modified any of the zone definitions and have not saved the configuration. • Disabled Configuration—The effective configuration is removed from flash memory. When you disable the effective configuration, the Advanced Zoning feature is disabled on the fabric, and all devices within the fabric can communicate with all other devices (unless you previously set up a default zone, as described in ”Default zoning mode” on page 212).
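The distinction between the defined and the effective configuration, and the way a device can belong to a zone by domain,port, node WWN, or port WWN, is what decides whether two ports may talk. The following Python block is an added example for this guide, not Fabric OS code: it parses a mixed member list such as 2,12; 2,14; 10:00:00:80:33:3f:aa:11, keeps the defined configuration separate from an effective configuration that is snapshotted at cfgEnable time (so a zoneAdd has no effect on traffic until the configuration is enabled again), and falls back to the default zone mode when no configuration is enabled. The devices, WWNs, and zone names are constructed for the example; the model deliberately ignores fabric-wide distribution and the session-based versus hardware enforcement split.

```python
"""Zone member parsing and effective-configuration enforcement.

Added example, not Fabric OS code. Devices and WWNs are constructed.
"""
import re
from copy import deepcopy
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WWN_RE = re.compile(r"^(?:[0-9a-f]{2}:){7}[0-9a-f]{2}$", re.IGNORECASE)
DOMAIN_PORT_RE = re.compile(r"^(\d+)\s*,\s*(\d+)$")

Member = Tuple[str, object]   # ("dp", (domain, port)) or ("wwn", "xx:xx:...")


def parse_members(spec: str) -> List[Member]:
    """Parse '2,12; 2,14; 10:00:00:80:33:3f:aa:11' into typed members."""
    members: List[Member] = []
    for token in (t.strip() for t in spec.split(";")):
        if not token:
            continue
        m = DOMAIN_PORT_RE.match(token)
        if m:
            members.append(("dp", (int(m.group(1)), int(m.group(2)))))
        elif WWN_RE.match(token):
            members.append(("wwn", token.lower()))
        else:
            raise ValueError(f"unrecognised zone member {token!r}")
    return members


@dataclass(frozen=True)
class Device:
    domain: int
    port: int
    node_wwn: str
    port_wwn: str


def in_zone(dev: Device, members: List[Member]) -> bool:
    """A device is in a zone by its switch port or by either of its WWNs."""
    for kind, value in members:
        if kind == "dp" and value == (dev.domain, dev.port):
            return True
        if kind == "wwn" and value in (dev.node_wwn.lower(), dev.port_wwn.lower()):
            return True
    return False


class ZoneDb:
    def __init__(self, default_zone_all_access: bool = True):
        self.zones: Dict[str, List[Member]] = {}     # defined configuration
        self.cfgs: Dict[str, List[str]] = {}
        self.effective: Optional[Tuple[str, Dict[str, List[Member]]]] = None
        self.default_zone_all_access = default_zone_all_access  # defZone mode

    def zone_create(self, name: str, spec: str) -> None:
        self.zones[name] = parse_members(spec)

    def zone_add(self, name: str, spec: str) -> None:
        self.zones[name].extend(parse_members(spec))   # edits the defined config only

    def cfg_create(self, name: str, zone_names: List[str]) -> None:
        self.cfgs[name] = list(zone_names)

    def cfg_enable(self, name: str) -> None:
        """Snapshot the named configuration as the effective configuration."""
        snapshot = {z: deepcopy(self.zones[z]) for z in self.cfgs[name]}
        self.effective = (name, snapshot)

    def cfg_disable(self) -> None:
        self.effective = None

    def can_communicate(self, a: Device, b: Device) -> bool:
        """No effective configuration: the default zone mode decides.
        Otherwise the two devices must share at least one effective zone."""
        if self.effective is None:
            return self.default_zone_all_access
        return any(in_zone(a, m) and in_zone(b, m) for m in self.effective[1].values())
```

With cfgDisable and the default zone left in all-access mode, every device can reach every other device, which is why a production fabric should set the default zone to no access before zoning is relied on for isolation.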
• Is enforced at the ASIC level. Each ASIC maintains a list of source port IDs that have permission to access any of the ports on that ASIC. • Is available on 1, 2, 4, 8 and 10 Gbps platforms. • Ensures that the name server does not return any information to an unauthorized initiator in response to a name server query. • Is exclusively enforced through selective information presented to end nodes through the fabric Simple Name Server (SNS).
Table 55 Enforcing hardware zoning (continued) Fabric type Methodology Best practice HP StorageWorks 4/8 SAN Switch, 4/16 SAN Switch, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 400 MP Router, 8/8 SAN Switch, 8/24 SAN Switch, 8/40 SAN Switch, and 8/80 SAN Switch, 4/256 SAN Director, and the DC SAN Backbone Director (short name, DC Director) Enable hardware-enforced zoning on domain,port zones,
Figure 13 Hardware-enforced overlapping zones (figure not reproduced here; it shows WWN_Zone1, WWN_Zone2, Port_Zone1, Port_Zone2, and the zone boundaries on the core switch)
Any zone using a mixed zoning scheme on the Fabric OS 2-Gbps platform relies on name server authentication as well as hardware-assisted (ASIC) authentication. Hardware-assisted authentication ensures that any PLOGI, ADISC, PDISC, or ACC from an unauthorized device is rejected if that device is attempting to access a device that is not in the same zone.
Identifying the enforced zone type
1. Connect to the switch and log in as admin.
2. Issue the portZoneShow command.
Considerations for zoning architecture
Table 56 lists considerations for zoning architecture.
Table 56 Considerations for zoning architecture
Type of zoning (hard or soft/session-based): If security is a priority, hard zoning is recommended.
Use of aliases: The use of aliases is optional with zoning. Using aliases requires structure when defining zones.
An enterprise-class platform has more resources to handle zoning changes and implementations. Broadcast zones Fibre Channel allows sending broadcast frames to all Nx_Ports if the frame is sent to a broadcast well-known address (FFFFFF); however, many target devices and HBAs cannot handle broadcast frames. To control which devices receive broadcast frames, you can create a special zone, called a broadcast zone, which restricts broadcast packets to only those devices that are members of the broadcast zone.
"3,1" "1,1" "4,1" "2,1" AD1 AD2 broadcast "2,1; 3,1; 4,1" broadcast "1,1; 3,1; 5,1" "5,1" "1,1" "3,1; 4,1" broadcast "1,1; 3,1; 4,1" Figure 16 Broadcast zones and Admin Domains The dotted box represents the consolidated broadcast zone, which contains all of the device that can receive broadcast packets. the actual delivery of broadcast packets is also controlled by the Admin Domain and zone enforcement logic.
High Availability considerations with broadcast zones If a switch has broadcast zone-capable firmware on the active CP (Fabric OS 5.3.x or later) and broadcast zone-incapable firmware on the standby CP (Fabric OS version earlier than 5.3.0), you cannot create a broadcast zone because the zoning behavior would not be the same across an HA failover. If the switch failed over, the broadcast zone would lose its special significance and would be treated as a regular zone.
where: aliasname member The name of the zone alias to be created. A member or list of members to be added to the alias. An alias member can be specified by one or more of the following methods: • A domain,port pair. • Device node or device port WWN 3. Issue the cfgSave command to save the change to the defined configuration.
where: aliasname member The name of the zone alias. A member or list of members to be removed from the alias. An alias member can be specified by one or more of the following methods: • A domain,port pair. • Device node or device port WWN 3. Issue the cfgSave command to save the change to the defined configuration.
Creating and maintaining zones Reliable Commit Service (RCS) is a fabric-wide capability and is supported only if all switches in the fabric are running Fabric OS 4.1 or later. RCS guarantees that either all or none of the switches receive the new zone configuration. You should use RCS to secure a reliable propagation of the latest zone configuration. If you use non-RCS mode, you must log in to every switch to monitor the status of the zone configuration.
You are about to save the Defined zoning configuration. This action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled. Do you want to save Defined zoning configuration only? (yes, y, no, n): [no] y To remove devices (members) from a zone: 1. Connect to the switch and log in as admin. 2. Issue the zoneRemove command with the following syntax: zoneremove "zonename", "member[; member...
3. Issue the cfgSave command to save the change to the defined configuration. switch:admin> zonedelete "redzone" switch:admin> cfgsave You are about to save the Defined zoning configuration. This action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled. Do you want to save Defined zoning configuration only? (yes, y, no, n): [no] y To view a zone in the defined configuration: 1.
4. Issue either the cfgSave, cfgEnable, or cfgDisable command to commit the change and distribute it to the fabric. The change will not be committed and distributed across the fabric if you do not issue one of these commands. Viewing the current default zone access mode To view the current default zone access mode: 1. Connect to the switch and log in as admin. 2. Issue the defZone --show command.
Symmetrical segmentation occurs when both ends of an ISL are shut down. Subsequently, no frames are exchanged between those two switches. Asymmetrical segmentation not only prevents frames from being exchanged between switches, but also causes routing inconsistencies. The best way to avoid either type of segmentation is to know the zone database size limit of adjacent switches. The following tables provide the expected behavior based on different database sizes after a zone merge is specified.
Table 60 Resulting database size: 128K to 256K
Rows give the firmware on one switch, columns the firmware on the adjacent switch; each cell is the result of the zone merge.
| | Fabric OS 3.1 | Fabric OS 3.2 | Fabric OS 4.0/4.1/4.2 | Fabric OS 4.4.0 | Fabric OS 5.0.0/5.0.1/5.1.0 | Fabric OS 5.2.0 or later | Fibre Channel Router | XPath 7.3 |
| Fabric OS 3.1 | Segment | Segment | Segment | Segment | Segment | Segment | Join | Segment |
| Fabric OS 3.2 | Segment | Join | Segment | Join | Join | Join | Join | Segment |
| Fabric OS 4.0/4.1/4.2 | Segment | Segment | Segment | Segment | Segment | Segment | Segment | Segment |
| Fabric OS 4.4.
Zoning configurations You can store a number of zones in a zoning configuration database. The maximum number of items that can be stored in the zoning configuration database depends on the following criteria: • Number of switches in the fabric. • Whether or not interoperability mode is enabled. • Number of bytes per item. The number of bytes required for an item depends on the specifics of the fabric, but cannot exceed 64 bytes per item.
where: cfgname member The name of the zone configuration. The zone name or list of zone names to be added to the configuration. 3. Issue the cfgSave command to save the change to the defined configuration. switch:admin> cfgadd "newcfg", "bluezone" switch:admin> cfgsave You are about to save the Defined zoning configuration. This action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled.
switch:admin> zoneremove "zone1","3,5" switch:admin> cfgtransabort To view all zone configuration information: If you do not specify an operand when executing the cfgShow command to view zone configurations, all zone configuration information (both defined and effective) displays. If there is an outstanding transaction, the newly edited zone configuration that has not yet been saved is displayed. If there are no outstanding transactions, the committed zone configuration displays. 1.
zone: Blue_zone
 1,1; 21:00:00:20:37:0c:76:8c; 21:00:00:20:37:0c:71:02; 1,2; 21:00:00:20:37:0c:76:22; 21:00:00:20:37:0c:76:28
zone: Red_zone
 1,0; 21:00:00:20:37:0c:76:85; 21:00:00:20:37:0c:71:df
To clear all zone configurations:
1. Connect to the switch and log in as admin.
2. Issue the cfgClear command to clear all zone information in the transaction buffer.
NOTE: Be careful using the cfgClear command; it deletes the defined configuration.
3. Issue the zone --copy command, specifying the zone configuration objects you want to copy, along with the new object name. Note that zone configuration names are case-sensitive; blank spaces are ignored and it works in any Admin Domain other than AD255. switch:admin> zone --copy "Test1", "US_Test1" 4. Issue the cfgShow command to verify the new zone object is present.
To rename a zone object: 1. Connect to the switch and log in as admin. 2. Issue the cfgShow command to view the zone configuration objects you want to rename.
If Secure Fabric OS is enabled on one switch, it must be enabled on all switches in the fabric; however, Secure Fabric OS is not supported in Fabric OS 6.0.0 or later. • Default Zone: The switch being merged into the existing fabric should be configured with the same default zone mode as the existing switches. • Merging and segmentation The fabric is checked for segmentation during power-up or when a switch is disabled or enabled, or when a new switch is added.
NOTE: If the zoneset members on two switches are not listed in the same order, the configuration is considered a mismatch, resulting in the switches being segmented from the fabric. For example: cfg1 = z1; z2 is different from cfg1 = z2; z1, even though members of the configuration are the same. If zoneset members on two switches have the same names defined in the configuration, make sure zoneset members are listed in the same order.
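Because a mismatch segments the switch from the fabric, it pays to compare the two zone databases before connecting the ISL. The following Python block is an added example for this guide, not Fabric OS code: it applies the rules stated in this section, namely that the default zone mode must match and that a configuration present on both switches must list the same zones in the same order (cfg1 = z1; z2 is different from cfg1 = z2; z1), and additionally requires zones of the same name to be identical member for member. Names are compared case-sensitively, as noted for zone objects earlier in this chapter. The two databases SWITCH_A and SWITCH_B are constructed for the example, and the check covers only the rules on this page, not every condition a real merge evaluates.

```python
"""Zone-merge pre-check for a switch about to join a fabric.

Added example, not Fabric OS code. Covers the rules on this page only:
matching default zone mode, order-sensitive cfg membership, and identical
definitions for zones that share a name.
"""
from typing import Dict, List, Tuple

ZoneData = Dict[str, object]   # {"default_zone": str, "cfgs": {...}, "zones": {...}}


def merge_check(local: ZoneData, remote: ZoneData) -> Tuple[bool, List[str]]:
    """Return (would_join, reasons). Any reason means the ISL would segment."""
    reasons: List[str] = []
    if local["default_zone"] != remote["default_zone"]:
        reasons.append(f"default zone mode differs: "
                       f"{local['default_zone']} vs {remote['default_zone']}")
    # Dict keys keep names case-sensitive; list comparison keeps member order.
    for name in sorted(set(local["cfgs"]) & set(remote["cfgs"])):
        if local["cfgs"][name] != remote["cfgs"][name]:
            reasons.append(f"cfg {name}: members differ or are ordered differently: "
                           f"{local['cfgs'][name]} vs {remote['cfgs'][name]}")
    for name in sorted(set(local["zones"]) & set(remote["zones"])):
        if local["zones"][name] != remote["zones"][name]:
            reasons.append(f"zone {name}: definitions differ: "
                           f"{local['zones'][name]} vs {remote['zones'][name]}")
    return (not reasons, reasons)


# Constructed databases for the example: same zones, same cfg name,
# but cfg1 lists its zones in a different order on each switch.
SWITCH_A: ZoneData = {"default_zone": "noaccess",
                      "cfgs": {"cfg1": ["z1", "z2"]},
                      "zones": {"z1": ["1,1", "1,2"], "z2": ["1,3", "1,4"]}}
SWITCH_B: ZoneData = {"default_zone": "noaccess",
                      "cfgs": {"cfg1": ["z2", "z1"]},
                      "zones": {"z1": ["1,1", "1,2"], "z2": ["1,3", "1,4"]}}


if __name__ == "__main__":
    ok, why = merge_check(SWITCH_A, SWITCH_B)
    print("join" if ok else "segment", why)
```

Reorder the configuration members on the joining switch (or recreate cfg1 with the same zone order) until the check returns an empty reason list; only then connect the ISL.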
9 Configuring Directors This chapter contains procedures that are specific to the: • HP StorageWorks 4/256 SAN Director • HP StorageWorks DC SAN Backbone Director For detailed information see the HP StorageWorks SAN Director hardware reference manual or the HP StorageWorks DC SAN Backbone Director hardware reference manual. Identifying ports Because Directors contain interchangeable port blades, their procedures differ from those for fixed-port switches.
Director port numbering schemes
Table 62 lists the port numbering schemes for the 4/256 Director and DC Director.
Table 62 Port numbering schemes for the 4/256 Director and DC Director
Port blades | Numbering scheme
FC2-16, FC4-16, FC8-16 | Ports are numbered from 0 through 15 from bottom to top.
FC4-32, FC8-32 | Ports are numbered from 0 through 15 from bottom to top on the left set of ports and 16 through 31 from bottom to top on the right set of ports.
Port identification by index
With the introduction of 48-port blades, indexing was introduced. Unique area IDs are possible for up to 255 areas; beyond that, some other way of ensuring uniqueness was needed. A number of fabric-wide databases supported by Fabric OS (including ZoneDB, the ACL DDC, and Admin Domain) allow a port to be designated using D,P (domain,port) notation. The P component appears to be the port number, but for up to 255 ports it is actually the area assigned to that port.
Table 63 Default index/area_ID core PID assignment with no port swap (continued)
Port on blade | Slot 1 Idx/area | Slot 2 Idx/area | Slot 3 Idx/area | Slot 4 Idx/area | Slot 7 Idx/area | Slot 8 Idx/area | Slot 9 Idx/area | Slot 10 Idx/area
30 | 142/142 | 158/158 | 174/174 | 190/190 | 206/206 | 222/222 | 238/238 | 254/254
29 | 141/141 | 157/157 | 173/173 | 189/189 | 205/205 | 221/221 | 237/237 | 253/253
28 | 140/140 | 156/156 | 172/172 | 188/188 | 204/204 | 220/220 | 236/236 | 252/252
27 | 139/139 | 155/155 | 171/171 | 187/187 | 203/203 | 219/219 | |
Basic blade management
The following sections provide procedures for naming a switch, powering a port blade off and on, and disabling and enabling a port blade.
Customizing enterprise-class platform names
HP recommends that you customize the enterprise-class platform name for each platform. Some system logs identify devices by platform names; if you assign meaningful platform names, logs are more useful.
To change the platform name:
1.
To enable a port blade:
1. Connect to the switch and log in as admin.
2. Issue the bladeEnable command with the slot number of the port blade you want to enable:
switch:admin> bladeenable 3
Slot 3 is being enabled
FR4-18i blade exceptions
Note the following port blade exceptions:
• You have inserted the FR4-18i blade into a slot that was previously empty or contained an FC4-48, FC4-32, FC8-48, FC8-32, FC4-16, FC10-6, or FC4-16IP.
NOTE: Some FRUs in the chassis may use significant power, yet cannot be powered off through software. For example, a missing blower FRU may change the power computation enough to affect how many slots can be powered up. The powerOffListShow command displays the power off order.
Blade terminology and compatibility
Before configuring a chassis, familiarize yourself with the Director CP blade and port blade nomenclature, as well as the port blade compatibilities.
CP blades
The 4/256 Director supports the CP4 blade. The DC Director supports the CP8 blade. Mixed CP blades are not supported on a single chassis, except during specific upgrade procedures detailed in the HP StorageWorks SAN Director hardware reference manual. CP4 and CP8 blades cannot be mixed in the same chassis under any circumstances. HP recommends that each Director have only one type of CP blade installed and that each CP (primary and secondary partition) maintains the same firmware version.
Table 65 Port blades supported by each Director
Port blade | 4/256 Director (CP4) | DC Director
FC2-16 | Supported (1) | N/A
FC4-16 | Supported | N/A
FC4-32 | Supported | N/A
FC4-48 | Supported | N/A
FC8-16 | Supported | Supported
FC8-32 | Supported | Supported
FC8-48 | Supported | Supported
FC10-6 | Supported | Supported
FC4-16IP | Supported | N/A
FR4-18i | Supported | Supported
1. Can coexist only with FC4-16 blades.
Table 67 Platform configuration options
Option | Result
1 | One 128-port switch (Blade IDs 4, 17 on slots 1–4, 7–10. Blade ID 5 and 16 on slots 5, 6)
5 | One 384-port switch (Blade IDs 4, 17, 18, 31, and 36 on slots 1–4, 7–10. Blade ID 16 on slots 5, 6)
See Table 64 for details about the different blades, including their corresponding IDs.
Displaying slot information
To display the status of all slots in the chassis:
1. Connect to the switch and log in as user or admin.
2.
Inter-chassis Link behavior between two HP StorageWorks DC Directors An Inter-chassis link (ICL) is a licensed feature used to interconnect two DC Directors; there are two ICL connector ports ICL0 and ICL1 on each core blade, each aggregating a set of 16 ports. Thus, each core blade provides 32 ICL ports and there are 64 ICL ports available for the entire DC Director chassis. All of the ICL connector ports must be connected to the same two DC Director chassis. ICL ports can be used only with an ICL license.
10 Routing traffic
This chapter provides information on routing policies.
Data routing and routing policies
Data moves through a fabric from switch to switch and from storage to server along one or more paths that make up a route. Routing policies determine the path for each frame of data.
IMPORTANT: For most configurations, the default routing policy is optimal, and provides the best performance.
switch:admin> aptpolicy
Current Policy: 3 1(ap)
3 0(ap): Default Policy
1: Port Based Routing Policy
3: Exchange Based Routing Policy
0: AP Shared Link Policy
1: AP Dedicated Link Policy
See the Fabric OS Command Reference for more details on the aptPolicy command.
Static route assignment
A static route can be assigned only when the active routing policy is port-based routing. When exchange-based routing is active, you cannot assign static routes.
Frame order delivery
The order of delivery of frames is maintained within a switch and determined by the routing policy in effect. The frame delivery behaviors for each routing policy are:
• Port-based routing: All frames received on an incoming port destined for a destination domain are guaranteed to exit the switch in the same order in which they were received.
• A device goes offline
Setting DLS
1. Connect to the switch and log in as admin.
2. Issue the dlsShow command to view the current DLS setting. One of the following messages appears:
• DLS IS SET indicates that dynamic load sharing is turned on.
• DLS is not set indicates that dynamic load sharing is turned off.
• DLS cannot be changed with current routing policy indicates that you are using the exchange-based routing policy and you cannot enable or disable DLS.
Total Bandwidth | The maximum bandwidth of the out port.
Bandwidth Demand | The maximum bandwidth demand of the in ports.
Flags | An indication whether the route is dynamic (D) or static (S). This value is always "D", indicating a dynamic path.
3. Issue the uRouteShow command to display unicast routing information.
Viewing routing information along a path
You can display detailed routing information from a source port (or area) on the local switch to a destination port (or area) on another switch. This routing information describes the full path that a data stream travels between these ports, including all intermediate switches.
1. Connect to the switch and log in as admin.
2. Issue the pathInfo command.
The information that pathInfo provides is:
Hops: The number of switch-to-switch links (ISLs) traversed. The local switch is hop 0.
In Port: The port that the frames come in from on this path. For hop 0, the source port.
Domain ID: The domain ID of the switch.
Name: The name of the switch.
Out Port: The output port that the frames use to reach the next hop on this path. For the last hop, the destination port.
BW: The bandwidth of the output ISL, in Gbps. It does not apply to the embedded port.
11 Implementing an interoperable fabric
For information on HP supported interop configurations, see the HP StorageWorks Fabric interoperability application notes for merging B-Series fabrics with fabrics based on C-Series and M-Series Fibre Channel switches on the following HP website:
http://h18000.www1.hp.com/products/storageworks/san/documentation.html
12 Configuring the Distributed Management Server
This chapter provides information on enabling and disabling the platform services, configuring and controlling access to the Management Server database, and using the topology discovery feature.
Distributed Management Server overview
The Fabric OS Distributed Management Server allows a SAN management application to retrieve information and administer interconnected switches, servers, and storage devices.
Enabling platform services
1. Connect to the switch and log in as admin.
2. Issue the msplMgmtActivate command:
switch:admin> msplmgmtactivate
Request to activate MS Platform Service in progress......
*Completed activating MS Platform Service in the fabric!
switch:admin>
Disabling platform services
1. Connect to the switch and log in as admin.
2. Issue the msplMgmtDeactivate command.
3. Enter y to confirm the deactivation:
switch:admin> msplmgmtdeactivate
MS Platform Service is currently enabled.
switch:admin>
Adding a member to the ACL
1. Connect to the switch and log in as admin.
2. Issue the msConfigure command. The command becomes interactive.
3. At the select prompt, enter 2 to add a member based on its port/node WWN.
4. Enter the WWN of the host to be added to the ACL.
5. At the prompt, enter 1 to display the access list so you can verify that the WWN you entered was added to the ACL.
6. After verifying that the WWN was added correctly, enter 0 at the prompt to end the session.
7.
3. At the select prompt, enter 3 to delete a member based on its port/node WWN.
4. At the prompt, enter the WWN of the member to be deleted from the ACL.
5. At the prompt, enter 1 to display the access list so you can verify that the WWN you entered was deleted from the ACL.
6. After verifying that the WWN was deleted correctly, enter 0 at the prompt to end the session.
7. At the Update the FLASH? prompt, enter y.
8. Press Enter to update the nonvolatile memory and end the session.
The contents of the Management Server platform database are displayed.
switch:admin> msplatshow
-------------------------------------------------
Platform Name: [9] "first obj"
Platform Type: 5 : GATEWAY
Number of Associated M.A.: 1
[35] "http://java.sun.com/products/plugin"
Number of Associated Node Names: 1
Associated Node Names:
10:00:00:60:69:20:15:71
-------------------------------------------------
Platform Name: [10] "second obj"
Platform Type: 7 : HOST_BUS_ADAPTER
Number of Associated M.A.
• For the local switch, issue the mstdDisable command.
• For the entire fabric, issue the mstdDisable all command. A warning displays that all NID entries might be cleared.
3. Enter y to disable the discovery feature.
NOTE: Disabling discovery of Management Server topology might erase all NID entries.
switch:admin> mstddisable
This may erase all NID entries. Are you sure? (yes, y, no, n): [no] y
Request to disable MS Topology Discovery Service in progress....
*MS Topology Discovery disabled locally.
13 iSCSI Gateway services
Overview of iSCSI gateway service
The FC4-16IP iSCSI gateway service is an intermediate device in the network, allowing iSCSI initiators in an IP SAN to access and utilize storage in a Fibre Channel (FC) SAN as shown in Figure 17.
To represent all iSCSI initiators and sessions, each iSCSI portal has one iSCSI virtual initiator (VI) to the FC fabric that appears as an N_Port device with a special WWN format. Regardless of the number of iSCSI initiators or iSCSI sessions sharing the portal, Fabric OS uses one iSCSI VI per iSCSI portal. Figure 19 shows the interaction of different layers from the iSCSI initiator stack to the FC target stack, including the iSCSI gateway service used during protocol translation.
Advanced LUN mapping
iSCSI VTs can be mapped to more than one physical FC target, and the LUNs can be mapped to different virtual LUNs. Figure 21 shows an advanced mapping scenario.
Figure 22 shows an iSCSI gateway that has three iSCSI VTs and two iSCSI initiators.
[Figure 22: iSCSI initiator A (iqn.2003-11.com.microsoft:win2k-sn-192168101) and iSCSI initiator B (IQN truncated in the source) reach, across the IP network, the iSCSI virtual targets VT1 (iqn.2002-12.com.brocade:10:00:00:05:1e:aa:bb:cc), VT2 (iqn.2002-12.com.brocade:10:00:00:05:1e:cc:bb:aa), and VT3 (iqn.2002-12.com.brocade:10:00:00:05:1e:bb:cc:aa).]
[Figure 23 Discovery domain set configuration example: DDSet 1 containing DD1 and DD2; iSCSI initiators A and B reach VT1, VT2, and VT3 across the IP network through the iSCSI gateway service.]
Switch-to-iSCSI initiator authentication
iSCSI sessions are authenticated using CHAP (Challenge Handshake Authentication Protocol). The iSCSI gateway service supports the following three strategies for CHAP authentication:
• One-way: Only the iSCSI VT authenticates the session.
Enabling and disabling connection redirection for load balancing
1. Connect to the switch and log in.
2. Issue the appropriate form of the iscsiSwCfg command for the operation you want to perform:
• To enable connection redirection, use the iscsiSwCfg --enableconn command. For 4/256 SAN Directors, the -s option can be used to enable connection redirection for specific slots, and the all option may be used to enable connection redirection for all slots.
Supported iSCSI initiators
Table 69 lists iSCSI initiators supported by the iSCSI gateway service.
Table 69 Supported iSCSI initiators
iSCSI initiator driver versions
Windows:
• MS iSCSI initiator 2.02
• MS iSCSI initiator 2.03
• MS iSCSI initiator 2.04
Linux:
• RH EL 4 default initiator
• RH 4 Advanced server, Update 4 (default initiator)
• RH 5 Advanced server (default initiator)
• 2.6.10 - 4.0.2 iSCSI initiator (SourceForge.Net initiator)
• 2.4.20 - 3.6.
Table 70 iSCSI target gateway configuration steps (continued)
Step | Command | Procedure
5 (Advanced) | Create iSCSI virtual target. iscsiCfg --create tgt -t | "Manual iSCSI VT creation" on page 268
6 | Add LUNs to the virtual target. iscsiCfg --add lun -t -w -l |
7 | Create discovery domains, where members are iSCSI components identified using IQNs. iscsiCfg --create dd -d -m ",,,..." |
FC4-16IP Blade Configuration
This section describes the initial setup required to deploy an iSCSI gateway solution. Install and configure the FC4-16IP blade in a 4/256 SAN Director as described in the FC4-16IP hardware reference manual before performing these procedures.
NOTE: Only the 4/256 SAN Director with an iSCSI-enabled FC4-16IP blade running Fabric OS 5.2.0 or later supports the iSCSI gateway service.
Enabling the iSCSI gateway service
The iSCSI gateway service translates and directs SCSI traffic between an iSCSI initiator and an FC target. This section explains how to enable the iSCSI gateway service on the 4/256 SAN Director.
1. Connect and log in to the switch.
2. Issue the fosConfig --show command to show the current Fabric OS configuration:
switch:admin> fosconfig --show
FC Routing service: disabled
iSCSI service: disabled
iSNS Client service: disabled
3.
3. Take the appropriate action based on the Persistent Disable setting:
• If it is set to OFF, proceed to step 4.
• If it is set to ON, issue the portCfgPersistentEnable command with the slot number and GbE port number:
switch:admin> portcfgpersistentenable 10/ge0
4. Issue the portCfgShow command with the slot number and GbE port number to verify that the port is persistently enabled. In the following sample output, the Persistent Disable setting is set to OFF.
4. (Optional) Issue the portCfg command to define static routes to reach the destination IP through a preferred gateway:
switch:admin> portcfg iproute 3/ge0 create 0.0.0.0 0.0.0.0 30.0.0.1 1
Operation Succeeded
The gateway must be on the same subnet as the GbE port. You can specify a maximum of 32 routes per GbE port.
5.
Automatic iSCSI VT creation
An iSCSI VT is created using target LUNs from the attached FC network. LUNs are mapped to iSCSI VTs by creating unique iSCSI Qualified Names (IQNs) for each target. You can create iSCSI VTs by issuing the iscsiCfg --easycreate tgt command. There are two options:
• An iSCSI VT may be created for every FC target. IQNs are created automatically, using the port WWNs as the user-defined portion of the IQN.
switch:admin> iscsicfg --easycreate tgt
This will create iSCSI targets for ALL FC targets.
This could be a long-running operation. Continue [N]: y
Index FC WWN iSCSI Name Status
9 2e:1f:00:06:2b:0d:10:ba iqn.2002-12.com.brocade:2e:1f:00:06:2b:0d:10:ba Operation Succeeded
10 2e:3f:00:06:2b:0d:10:ba iqn.2002-12.com.brocade:2e:3f:00:06:2b:0d:10:ba Operation Succeeded
11 2e:5f:00:06:2b:0d:10:ba iqn.2002-12.com.brocade:2e:5f:00:06:2b:0d:10:ba Operation Succeeded
12 2e:7f:00:06:2b:0d:10:ba iqn.2002-12.
For example:
switch:admin> iscsicfg --show tgt
Number of records found: 16
Name: State/Status:
iqn.2002-12.com.brocade:2e:1f:00:06:2b:0d:10:ba Online/Defined
Name: State/Status:
iqn.2002-12.com.brocade:2e:3f:00:06:2b:0d:10:ba Online/Defined
Name: State/Status:
iqn.2002-12.com.brocade:2e:5f:00:06:2b:0d:10:ba Online/Defined
Name: State/Status:
iqn.2002-12.com.brocade:2e:7f:00:06:2b:0d:10:ba Online/Defined
Name: State/Status:
iqn.2002-12.com.
iqn.2002-12.com.brocade, is used for the fixed prefix, and the port WWN is used as the user-defined portion of the IQN. For example:
switch:admin> iscsicfg --easycreate tgt -w 21:00:00:04:cf:e7:74:cf
Index FC WWN iSCSI Name Status
21:00:00:04:cf:e7:74:cf iqn.2002-10.com.brocade:21:00:00:04:cf:e7:74:cf Operation Succeeded
3. Issue the iscsiCfg --show tgt command to display the status of the created iSCSI VTs. For example:
switch:admin> iscsicfg --show tgt
Number of records found: 1
Name: iqn.2002-10.com.
For example:
switch:admin> fclunquery
Target Index: 1
Target Node WWN: 20:00:00:04:cf:e7:74:cf
Target Port WWN: 21:00:00:04:cf:e7:74:cf
Target Pid: 120d6
Number of LUNs returned by query: 1
LUN ID: 0x00
Target Index: 2
Target Node WWN: 20:00:00:04:cf:e7:73:7e
Target Port WWN: 21:00:00:04:cf:e7:73:7e
Target Pid: 120d9
Number of LUNs returned by query: 1
LUN ID: 0x00
Target Index: 3
Target Node WWN: 2f:ff:00:06:2b:0d:12:99
Target Port WWN: 2f:ff:00:06:2b:0d:12:99
Target Pid: 12300
Number of LUNs returned by
6. Issue the iscsiCfg --show lun command with the -t option to verify that the LUN has been added to the iSCSI VT, where -t is the IQN that identifies the iSCSI VT. For example:
switch:admin> iscsicfg --show lun -t iqn.2002-12.com.brocade:example-disk001
Number of targets found: 1
Target: iqn.2006-10.com.example:disk001
Number of LUN Maps: 1
FC WWN Virtual LUN(s) Physical LUN(s)
21:00:00:04:cf:e7:73:7e 0 0
Mapping LUNs on a specific port to an iSCSI VT
1. Connect to the switch and log in.
2.
3. Issue the iscsiCfg --commit all command to commit the changes to the database. If the LUN deletion is one of several configuration changes, you may want to see "Committing the iSCSI-related configuration" on page 274 for extra detail on the commit process.
Displaying the iSCSI virtual target LUN map
1. Connect and log in to the switch.
2. Issue the iscsiCfg --show lun command:
switch:admin> iscsicfg --show lun
Number of targets found: 2
Target: iqn.2006-10.com.
If you do not configure either discovery domains or iSNS for access control, any iSCSI initiator on the IP network can access all iSCSI VTs (and therefore all FC targets) in the fabric.
Displaying iSCSI initiator IQNs
All iSCSI components in a DD must be identified using IQNs. Fabric OS temporarily stores the IQNs and IP addresses of iSCSI initiators that have logged in to the gateway.
NOTE: If an iSCSI initiator has more than one IP address, only one of the IP addresses is displayed.
1.
iSCSI initiator-to-VT authentication configuration
Fabric OS 5.2.0 or later supports both one-way and mutual CHAP authentication for iSCSI initiator-to-iSCSI VT target sessions. The authentication method (CHAP or none) is set on a per-iSCSI VT basis.
Setting the user name and shared secret
Authentication depends on a user name and shared secret. When an iSCSI VT authenticates an iSCSI initiator, it checks the user name and shared secret against all configured CHAP values.
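The one-way and mutual CHAP exchanges that the user name and shared secret settings above feed into, as an added example (not code from the Fabric OS guide or the gateway): each side holds its own credential plus the peer entries it accepts, the VT looks the offered user name up among its bound entries, and mutual CHAP simply runs the same challenge/response in the second direction. All names, secrets, and challenges are constructed.

```python
"""One-way and mutual CHAP for an iSCSI initiator-to-VT session.

Added example; it is not code from the Fabric OS guide or the gateway. It
shows what the user name / shared secret settings feed into: the iSCSI CHAP
response CHAP_R = MD5(CHAP_I || secret || CHAP_C) (RFC 1994), the VT's lookup
of the offered user name among its bound entries, and the second direction
that mutual CHAP adds. All names, secrets and challenges are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Tuple


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP_R for a one-octet identifier, a shared secret and a challenge."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP identifier must fit in one octet")
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapPeer:
    """One side of the session: its own credential plus the peers it accepts."""

    def __init__(self, name: str, secret: bytes, accepted: Dict[str, bytes]):
        self.name = name            # user name this peer offers (CHAP_N)
        self.secret = secret        # secret it proves knowledge of
        self.accepted = accepted    # user name -> secret of peers it authenticates

    def issue_challenge(self) -> Tuple[int, bytes]:
        """Fresh identifier and random challenge; never reused across sessions."""
        return os.urandom(1)[0], os.urandom(16)

    def answer(self, ident: int, challenge: bytes) -> Tuple[str, bytes]:
        """Return (CHAP_N, CHAP_R) for a challenge received from the peer."""
        return self.name, chap_response(ident, self.secret, challenge)

    def verify(self, ident: int, challenge: bytes, name: str, response: bytes) -> bool:
        """Look the offered name up among the bound entries, then check the response."""
        secret = self.accepted.get(name)
        if secret is None:
            return False
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(expected, response)


def authenticate(verifier: ChapPeer, prover: ChapPeer) -> bool:
    """One CHAP direction: verifier challenges, prover answers, verifier checks."""
    ident, challenge = verifier.issue_challenge()
    name, response = prover.answer(ident, challenge)
    return verifier.verify(ident, challenge, name, response)


def one_way_chap(vt: ChapPeer, initiator: ChapPeer) -> bool:
    """Only the iSCSI VT authenticates the initiator."""
    return authenticate(vt, initiator)


def mutual_chap(vt: ChapPeer, initiator: ChapPeer) -> bool:
    """Both sides authenticate; the initiator must also hold the VT's credential."""
    return authenticate(vt, initiator) and authenticate(initiator, vt)


# Constructed credentials (not real, not from any device).
VT_SECRET = b"vt-secret-0123456789ab"
INITIATOR_SECRET = b"host-secret-0123456789"

vt = ChapPeer("vt1-user", VT_SECRET, accepted={"hostA": INITIATOR_SECRET})
initiator_ok = ChapPeer("hostA", INITIATOR_SECRET, accepted={"vt1-user": VT_SECRET})
initiator_wrong_secret = ChapPeer("hostA", b"wrong-secret", accepted={})
initiator_unknown_name = ChapPeer("hostZ", INITIATOR_SECRET, accepted={})
initiator_without_vt_entry = ChapPeer("hostA", INITIATOR_SECRET, accepted={})

if __name__ == "__main__":
    print("one-way, good credentials:", one_way_chap(vt, initiator_ok))
    print("mutual, good credentials: ", mutual_chap(vt, initiator_ok))
    print("one-way, wrong secret:    ", one_way_chap(vt, initiator_wrong_secret))
    print("mutual, VT entry missing: ", mutual_chap(vt, initiator_without_vt_entry))
```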
Deleting user names from an iSCSI VT binding list
User names can be deleted from the list of bound user names.
1. Connect and log in to the switch.
2. Issue the iscsiCfg --deleteusername tgt command with the -t and -u options to delete a user name:
switch:admin> iscsicfg --deleteusername tgt -t iqn.2002-10.com.
Resolving conflicts between iSCSI configurations When you merge two fabrics with different iSCSI configurations, a conflict will result. If there is a conflict, the database will not be merged and you must resolve the conflict. The iscsiCfg --show fabric command displays the out of sync state. The rest of the switches will function normally, however, since there is no segmentation of E_Ports as a result of discovery domain set database conflicts. 1. Connect to the switch and log in. 2.
• Issue the fcLunQuery command with the -s option to return the node and port WWNs of the switch. The following is an example.
switch:admin> fclunquery -s
The following WWNs will be used for any lun query from this switch:
Node WWN: 10:00:00:60:69:80:04:4a
Port WWN: 21:fd:00:60:69:80:04:4a
iSCSI FC zoning overview
After you have finished setting up the iSCSI target gateway, you can create an iSCSI FC zone for discovery domains.
iSCSI FC zone creation
To create an iSCSI FC zone, you must include the following iSCSI elements in the zone:
• The FC targets, used to create the virtual targets (VT).
• The iSCSI virtual initiators (VIs):
• If there is more than one FC4-16IP blade in the chassis, you must add all virtual initiators to the same zone.
• If there is more than one FC4-16IP blade in the fabric, you must add all virtual initiators from all switches to the same zone.
4.
Port Index: 43
Share Area: No
Device Shared in Other AD: No
N 012c00; 3;50:06:06:9e:00:15:63:20;50:06:06:9e:00:15:63:21; na
FC4s: FCP
PortSymb: [23] "iSCSI Virtual Initiator"
NodeSymb: [51] "IPAddr: 30.0.127.
7. Issue the cfgSave command to save the change to the defined configuration:
switch:admin> cfgsave
You are about to save the Defined zoning configuration. This action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled.
Do you want to save Defined zoning configuration only? (yes, y, no, n): [no] y
8. Issue the zoneCreate command to create the zone.
4. Issue the cfgEnable command.
switch:admin> cfgenable iscsi_cfg001
You are about to enable a new zoning configuration. This action will replace the old zoning configuration with the current configuration selected.
Do you want to enable 'iscsi_cfg001' configuration (yes, y, no, n): [no] y
zone config "iscsi_cfg001" is in effect
Updating flash ...
Enabling the iSNS client service
This section explains how to enable the iSNS client service and configure the iSNS server IP address. Fabric OS supports one iSNS server connection.
NOTE: If DD and DDSets are configured on the fabric, clear the DD and DDSet configurations before enabling iSNS client services.
1. Connect to the switch and log in.
2. Issue the fosConfig --enable isnsc command to enable the iSNS client service:
switch:admin> fosconfig --enable isnsc
3.
Disabling the iSNS client service
When the iSNS client service is disabled, the DD and DDSets are kept in the fabric.
1. Connect and log in to the switch.
2. Issue the fosConfig --disable isnsc command to disable the iSNS client service:
switch:admin> fosconfig --disable isnsc
3.
14 Administering NPIV
This chapter describes the concepts and procedures for administering N-Port ID Virtualization (NPIV).
NPIV Overview
N_Port Virtualization (NPIV) enables a single Fibre Channel protocol port to appear as multiple, distinct ports, providing separate port identification within the fabric for each operating system image behind the port (as if each operating system image had its own unique physical port). NPIV assigns a different virtual port ID to each Fibre Channel protocol device.
1. Connect to the switch and log in using an account assigned to the admin role.
2. Issue the switchDisable command.
IMPORTANT: The switchDisable command disables the switch and stops all traffic flowing to and from the switch. Issue this command during a scheduled maintenance.
3. Issue the configure command.
4. Press Enter, accepting the defaults, until you reach F-Port login parameters.
5. Enter yes or y at the prompt.
6. Select the maximum logins per switch and press Enter to keep the parameter.
7.
The following example shows whether or not a port is configured for NPIV:
switch:admin> portcfgshow
Ports of Slot 0    0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
-----------------+--+--+--+--+----+--+--+--+----+--+--+--+----+--+--+-
Speed            AN AN AN AN AN AN AN AN AN AN AN AN AN AN AN AN
Trunk Port       ON ON ON ON ON ON ON ON ON ON ON ON ON ON ON ON
Long Distance    .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..
VC Link Init     .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..
Locked L_Port    .. .. .. .. .. .. .. .. .. .. .. .. ..
Use the portShow command to view the NPIV attributes and all the N_Port (physical and virtual) port WWNs that are listed under portWwn of device(s) connected. Following is sample output for the portShow command:
switch:admin> portshow 2
portName: 02
portHealth: HEALTHY
Authentication: None
portDisableReason: None
portCFlags: 0x1
portFlags: 0x24b03 PRESENT ACTIVE F_PORT G_PORT NPIV LOGICAL_ONLINE LOGIN NOELP LED ACCEPT
portType: 10.
Viewing virtual PID login information
Use the portLoginShow command to display the login information for the virtual PIDs of a port. Following is sample output from the portLoginShow command:
switch:admin> portloginshow 2
Type PID     World Wide Name         credit df_sz cos
=====================================================
fe   630240  c0:50:76:ff:fb:00:16:fc 101    2048  c
fe   63023f  c0:50:76:ff:fb:00:16:f8 101    2048  c
fe   63023e  c0:50:76:ff:fb:00:17:ec 101    2048  c
...
15 Optimizing fabric behavior
This chapter describes the Adaptive Networking features.
Adaptive networking overview
Adaptive Networking is a suite of tools and capabilities that enable you to ensure optimized behavior in the SAN. Even under the worst congestion conditions, the Adaptive Networking features can maximize the fabric behavior and provide necessary bandwidth for high-priority, mission-critical applications and connections.
[Figure 27 Traffic Isolation zone creating a dedicated path through the fabric: Domain 1, Domain 3, and Domain 4, with the dedicated path and the ports in the TI zone marked.]
In Figure 27, all traffic entering Domain 1 from N_Port 8 is routed through E_Port 1. Similarly, traffic entering Domain 3 from E_Port 9 is routed to E_Port 12, and traffic entering Domain 4 from E_Port 7 is routed to the device through N_Port 6.
• If failover is disabled for the TI zone, non-TI zone traffic is halted until the non-dedicated ISL between Domain 1 and Domain 3 is back online.
FSPF routing rules and Traffic Isolation
All traffic must use the lowest cost path. FSPF routing rules take precedence over the TI zones, as described in the following situations.
the TI zone. If failover is disabled, the TI zone traffic stops until the dedicated path is configured to be the shortest path.
[Figure 29 Dedicated path is not the shortest path: Domains 1, 2, 3, and 4, with the dedicated path and the ports in the TI zone marked.]
NOTE: For information about setting or displaying the FSPF cost of a path, see the linkCost and topologyShow commands in the Fabric OS Command Reference.
[Figure 30 Traffic isolation over FCR: edge fabric 1, the backbone fabric, and edge fabric 2, each with a dedicated path set up by the TI zone in that fabric.]
In addition to setting up TI zones, you must also ensure that the devices are in an LSAN zone, so that they may communicate with each other. If failover is enabled and the TI path is not available, an alternate plan is used.
Using D,I notation, the members of the TI zone in Figure 31 are:
• 1,8
• 1,1
• 3,-1 (E_Port for the front phantom domain)
• 4,-1 (E_Port for the xlate phantom domain)
Note that in this configuration the traffic between the front and xlate domains can go through any path between these two domains. The -1 does not identify any specific ISL. To guarantee a specific ISL, you need to set up a zone within the backbone fabric.
Limitations of TI zones over FC routers
Consider the following when configuring TI zones over FC routers:
• A TI zone defined within the backbone fabric does not guarantee that edge fabric traffic will arrive at a particular EX_Port. You must set up a TI zone in the edge fabric to guarantee this.
• TI zones within the backbone fabric cannot contain more than one destination router port (DRP) for each fabric.
• Only one egress VE_Port for each FC router can be defined within TI zones.
• Ports in a TI zone must belong to switches that run Fabric OS 6.0.0 or later. For TI over FCR zones, ports must belong to switches that run Fabric OS 6.1.0 or later.
• Traffic Isolation has limited support for FICON FCIP in McDATA Fabric Mode (interopmode 2), in the following configuration only:
• 400 Multi-protocol Router with E_Port connections to an M-switch and VE_Port connections to another 400 Multi-protocol Router.
• Devices attached to M-switch only.
When you create a TI zone, by default, failover is enabled and the zone is activated. If you want to change the failover mode after you create the zone, see "Modifying TI zones" on page 300. If you are creating a TI zone with failover disabled, consider the following:
• Ensure that the E_Ports of the TI zone correspond to valid paths; otherwise, the route might be missing for ports in that TI zone. Use the topologyShow command to verify the paths.
Your changes are not enforced until you issue the cfgEnable command:
switch:admin> cfgenable "USA_cfg"
You are about to enable a new zoning configuration. This action will replace the old zoning configuration with the current configuration selected.
Do you want to enable 'USA_cfg' configuration (yes, y, no, n): [no] y
zone config "USA_cfg" is in effect
Updating flash ...
Modifying TI zones
Using the zone --add command, you can add ports to an existing TI zone, change the failover option, or both.
Activating and deactivating a TI zone
The TI zone must exist before you can activate it. To activate or deactivate a TI zone:
1. Connect to the switch and log in as admin.
2. Issue the zone --activate command to activate a TI zone, or the zone --deactivate command to deactivate a TI zone:
zone --activate name
zone --deactivate name
where name is the name of the zone to be activated or deactivated.
3. Issue the cfgEnable command to activate your current effective configuration and enforce TI zones.
To display information about TI zones:
1. Connect to the switch and log in as admin.
2. Issue the zone --show command.
zone --show [ name ]
where name is the name of the zone to be displayed. If the name is omitted, the command displays information about all TI zones in the defined configuration.
[Figure 34 TI over FCR example: Host 1, Target 1, and Target 2 connected across edge fabric 1, the backbone fabric, and edge fabric 2 (Domain IDs 1, 2, 4, and 9), with a dedicated path set up by a TI zone in each of the three fabrics.]
In the following procedure the three TI zones in the edge and backbone fabrics are all given the same name, TI_Zone1.
c. Issue the following commands to reactivate your current effective configuration and enforce the TI zones.
E1switch:admin> cfgactvshow
Effective configuration:
cfg: cfg_TI
zone: lsan_t_i_TI_Zone1
10:00:00:00:00:00:02:00:00
10:00:00:00:00:00:03:00:00
10:00:00:00:00:00:08:00:00
E1switch:admin> cfgenable cfg_TI
You are about to enable a new zoning configuration. This action will replace the old zoning configuration with the current configuration selected.
4. Log in to the backbone fabric and set up the TI zone.
a. Issue the following commands to create and display a TI zone:
BB_DCX_1:admin> zone --create -t ti TI_Zone1 -p "1,9; 1,1; 2,4; 2,7; 10:00:00:00:00:08:00:00; 10:00:00:00:00:02:00:00; 10:00:00:00:00:03:00:00"
BB_DCX_1:admin> zone --show
Defined TI zone configuration:
TI Zone Name: TI_Zone1
Port List: 1,9; 1,1; 2,4; 2,7; 10:00:00:00:00:08:00:00; 10:00:00:00:00:02:00:00; 10:00:00:00:00:03:00:00
Status: Activated
Failover: Enabled
b.
2. Issue the portcfgqos --setratelimit command:
portcfgqos --setratelimit [slot/]port ratelimit
where:
• slot/port is the slot and port number of the F_Port or FL_Port on which you want to limit traffic.
• ratelimit is the maximum speed, in megabits per second (Mbps), for traffic coming from the device. The valid values are: 200, 400, 600, 800, 1000, 1500, 2000, 2500, 3000, 3500, 4000, 5000, 6000, 7000, and 8000.
NOTE: QoS can be used for device pairs that exist within the same fabric only. QoS priority information is not passed over EX_ or VEX_Ports and should not be used for devices in separate fabrics. If a QoS zone name prefix is specified in an LSAN zone (a zone beginning with the prefix LSAN_), the QoS tag is ignored. Only the first prefix in a zone name is recognized. For example, a zone with the name LSAN_QOSH_zone1 is recognized as an LSAN zone and not as a QoS zone.
QoS on E_Ports
In addition to configuring the hosts and targets in a zone, you must also enable QoS on the individual E_Ports that might carry traffic between the given host and target pairs. Path selection between the host/target pairs is governed by FSPF rules and is not affected by QoS priorities. By default, QoS is enabled on E_Ports in the port configuration. For example, in Figure 36, QoS should be enabled on the encircled E_Ports.
Limitations and restrictions for traffic prioritization
Note the following configuration rules for traffic prioritization:
• If a host and target are included in two or more QoS zones with different priorities, the zone with the lowest priority takes precedence. For example, if an effective zone configuration has QOSH_z1 (H,T) and QOSL_z2 (H,T), the traffic flow between H and T will be of low QoS priority.
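The two naming rules above (only the first prefix of a zone name counts, and the lowest priority wins when a pair sits in several QoS zones) can be checked against an effective configuration before it is enabled. This is an added example, not code from the guide or from Fabric OS; the zone names, WWNs, the case-insensitive prefix match and the "medium" default for pairs in no QoS zone are assumptions.

```python
"""Added example (not from the Fabric OS guide): resolve the QoS priority a
host/target pair receives from the zone names of an effective configuration.
Rules taken from the text: a name beginning with LSAN_ is an LSAN zone and
any QOS prefix after it is ignored (only the first prefix is recognized);
when a pair is in several QoS zones the lowest priority takes precedence."""

from typing import Dict, Iterable, List

# Lower number = lower priority. Only QOSH_ and QOSL_ are named on the page;
# treating a pair covered by no QoS zone as "medium" is an assumption.
LOW, MEDIUM, HIGH = 0, 1, 2
RANK_NAME = {LOW: "low", MEDIUM: "medium", HIGH: "high"}


def classify_zone(name: str) -> str:
    """Return 'lsan', 'qos_high', 'qos_low' or 'regular' for a zone name.

    Only the first prefix counts, so LSAN_QOSH_zone1 is an LSAN zone.
    Case-insensitive matching is an assumption of this example."""
    upper = name.upper()
    if upper.startswith("LSAN_"):
        return "lsan"
    if upper.startswith("QOSH_"):
        return "qos_high"
    if upper.startswith("QOSL_"):
        return "qos_low"
    return "regular"


def effective_priority(zones: Dict[str, Iterable[str]], host: str, target: str) -> str:
    """Lowest priority among the QoS zones that contain both host and target."""
    ranks: List[int] = []
    for name, members in zones.items():
        member_set = set(members)
        if host not in member_set or target not in member_set:
            continue
        kind = classify_zone(name)
        if kind == "qos_high":
            ranks.append(HIGH)
        elif kind == "qos_low":
            ranks.append(LOW)
        # LSAN and regular zones carry no QoS tag and do not influence the result.
    return RANK_NAME[min(ranks)] if ranks else RANK_NAME[MEDIUM]


# Constructed sample configuration; H and T are placeholder WWNs.
H = "10:00:00:00:c9:2b:c9:0c"
T = "50:05:07:61:00:5b:62:ed"
SAMPLE_ZONES = {
    "QOSH_z1": [H, T],          # high-priority zone containing H and T
    "QOSL_z2": [H, T],          # low-priority zone containing the same pair
    "LSAN_QOSH_zone1": [H, T],  # LSAN zone: its QOSH_ part is ignored
}

if __name__ == "__main__":
    print(classify_zone("LSAN_QOSH_zone1"))        # lsan
    print(effective_priority(SAMPLE_ZONES, H, T))  # low
```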
Optimizing fabric behavior
16 Using the FC-FC routing service
FC-FC routing service overview
The FC-FC routing service provides Fibre Channel routing (FCR) between two or more fabrics without merging those fabrics. A Fibre Channel router (FC router) is a switch running the FC-FC routing service. The FC-FC routing service can be used simultaneously as an FC router and as a SAN extension over wide area networks (WANs) using FCIP.
Supported configurations In an edge fabric that contains a mix of administrative domain (AD)-capable switches and switches that are not aware of AD, the FC router must be connected directly to the AD-capable switch. For more information, see ”Use of administrative domains with LSAN zones and FCR” on page 329. You can use SANtegrity to configure M-Series switches connecting to a B-Series router. For more information, see ”Implementing an interoperable fabric” on page 245.
[Figure 37 A metaSAN with interfabric links: a host and targets in Edge fabric 1, Edge fabric 2 and Edge fabric 3 are attached through the E_Ports of their Fibre Channel switches by IFLs (one of them a long distance IFL) to the EX_Ports of a 4/256 SAN Director with FR4-18i blade.]
• Fabric ID (FID)
Every EX_Port and VEX_Port uses the fabric ID (FID) to identify the fabric at the opposite end of the interfabric link (IFL). The FID for every edge fabric must be unique from the perspective of each backbone fabric.
[Figure 38 A metaSAN with edge-to-edge and backbone fabrics: Edge fabrics 1, 2 and 3 attached by IFLs (E_Port to EX_Port, and a VE_Port to VEX_Port link across an IP cloud) to a 400 MP Router in the Backbone fabric; two LSANs are shown.]
Figure 38 shows a metaSAN with a backbone consisting of one 400 MP Router connecting hosts in Edge Fabrics 1 and 3 with storage in Edge Fabric 2 and the backbone through the use of LSANs.
a router virtual domain that represents an entire fabric. Device connectivity can be achieved from one fabric to another—over the backbone or edge fabric through this virtual domain—without merging the two fabrics. Translate phantom domains are sometimes referred to as translate domains or xlate domains. If an FC router is attached to an edge fabric using an EX_Port, it will create translate phantom domains in the fabric corresponding to the imported edge fabrics with active LSANs defined.
[Figure 40 MetaSAN with imported devices: a Host in Fabric 1 and a Target in Fabric 2, each fabric attached by an IFL from an E_Port to an EX_Port of a 400 MP Router; a proxy host and a proxy target (imported devices) represent each device in the other fabric.]
Routing types
The FC-FC routing service provides two types of routing:
• Edge-to-Edge: Occurs when devices in one edge fabric communicate with devices in another edge fabric through one or more Fibre Channel routers.
Fibre Channel fabrics require that all ports be identified by a unique PID. In a single fabric, the FC protocol guarantees that Domain IDs are unique, so a PID formed by a Domain ID and area ID is unique within that fabric. However, the Domain IDs and PIDs in one fabric may be duplicated within another fabric, just as IP addresses that are unique within one private network are likely to be duplicated within another private network.
1. Log in to the switch or director as admin and issue the version command. Verify that Fabric OS 6.1 is installed on the FC router as shown in the following example.
switch:admin> version
Kernel: 2.6.14.2
Fabric OS: v6.1.0
Made on: Wed Mar 12 01:15:34 2008
Flash: Fri Mar 14 20:53:48 2008
BootProm: 4.6.6
2.
5. Issue the interopMode command and verify that Fabric OS switch interoperability with switches from other manufacturers is disabled.
IMPORTANT: In a multi-switch backbone fabric, modification of FID within the backbone fabric causes disruption to local traffic.
To assign backbone fabric IDs:
1. Log in to the switch or director.
2. Issue the switchDisable command.
3. Issue the fosConfig --disable fcr command to disable the FC-FC Routing Service. See the Fabric OS Command Reference or the CLI man pages for more information about the fosConfig command. The default state for the FCR is disabled.
4. Issue the fcrConfigure command.
NOTE: To ensure that fabrics remain isolated, disable the port prior to inserting the cable. If you are configuring an EX_Port, disable the port prior to making the connection.
To configure an IFL for both edge and backbone connections:
1. On the FC Router, disable the port that you are configuring as an EX_Port (the one connected to the Fabric OS switch) by issuing the portDisable command.
3. Issue the portEnable command to enable the ports that you disabled in step 2. You can now physically attach ISLs from the Fibre Channel Router to the edge fabric.
switch:admin> portenable 7/10
4. Issue the portCfgShow command to view ports that are persistently disabled.
6.
Proc_rqrd: 0
Timed_out: 0
Rx_flushed: 0
Tx_unavail: 0
Free_buffer: 0
Overrun: 0
Suspended: 0
Parity_err: 0
2_parity_err: 0
CMI_bus_err: 0
Protocol_err: 0
Invalid_word: 0
Invalid_crc: 0
Delim_err: 0
Address_err: 0
Lr_in: 0
Lr_out: 0
Ols_in: 0
Ols_out: 0
Port part of other ADs: No
7. Issue the switchShow command to verify the EX_Port (or VEX_Port), edge fabric ID, and name of the edge fabric switch (containing the E_Port or VE_Port).
8.
Every IFL has a default cost. The default router port cost values are:
• 1000 for legacy (v5.1 or XPath FCR) IFL
• 1000 for EX_Port IFL
• 10,000 for VEX_Port IFL
The FCR router port cost settings are 0, 1000, or 10,000. If the cost is set to 0, the default cost will be used for that IFL. The FC router port cost is persistent and is saved in the existing port configuration file. Router port cost is passed to other routers in the same backbone.
Legacy routers in the backbone fabric program all the router ports without considering router port cost. Fabric OS 5.2.0 or later considers the legacy router port cost as 1000 for both EX_Ports and VEX_Ports.
Port cost considerations
The router port cost has the following considerations:
• Router port sets are defined as follows:
• 0-7 and FCIP Tunnel 16-23
• 8-15 and FCIP Tunnel 24-31
More than two router port sets can exist in a 4/256 SAN Director or DC Director with two FR4-18i blades.
As an option, you can configure these parameters manually. To change the fabric parameters on a switch in the edge fabric, execute the configure command. To change the fabric parameters of an EX_Port on the 400 MP Router or 4/256 SAN Director or DC Director with an FR4-18i blade, use the portCfgEXPort command. If you want to change the fabric parameters of a VEX_Port, use the portCfgVEXPort command.
Supported configurations and platforms
EX_Port trunking is an FCR software feature and requires that you have a trunking license installed on the FCR switch and on the edge fabric connected to the other side of the trunked EX_Ports. EX_Port trunking is supported only with edge fabrics. You can use EX_Port frame trunking in the following configurations and cases:
• Ports with speeds of 2 Gbps up to a maximum speed of 4 Gbps and trunking over long distance.
Configuring LSANs and zoning An LSAN consists of zones in two or more edge or backbone fabrics that contain the same devices. LSANs essentially provide selective device connectivity between fabrics without forcing you to merge those fabrics. FC routers provide multiple mechanisms to manage interfabric device connectivity through extensions to existing switch management interfaces. You can define and manage LSANs using Advanced Zoning or Fabric Manager.
NOTE: If you are managing other switches in a fabric, HP recommends that you run the defZone --show command on your Fabric OS 5.1.0 and later switches as a precaution. Default zoning behavior in Fabric OS 5.1.0 and later operates differently compared to earlier versions of Fabric OS (2.x, 3.x, 4.x and 5.0.1). For example, if you issue the defZone --noaccess command on a Fabric OS 5.1.0 or later switch, default zoning configurations are created on each switch in the fabric (2.x, 3.x, 4.x or 5.0.1 switches).
5. Issue the cfgAdd or cfgCreate and cfgEnable commands to add and enable the LSAN configuration:
switch:admin> cfgadd "zone_cfg", "lsan_zone_fabric75"
switch:admin> cfgenable "zone_cfg"
You are about to enable a new zoning configuration.
This action will replace the old zoning configuration with the current configuration selected.
Do you want to enable 'zone_cfg' configuration (yes, y, no, n): [no] y
zone config "zone_cfg" is in effect
Updating flash ...
6. Log in as admin to fabric2.
7.
• lsanZoneShow -s shows the LSAN.
switch:admin> lsanzoneshow -s
Fabric ID: 2 Zone Name: lsan_zone_fabric2
10:00:00:00:c9:2b:c9:0c Imported
50:05:07:61:00:5b:62:ed EXIST
50:05:07:61:00:49:20:b4 EXIST
Fabric ID: 75 Zone Name: lsan_zone_fabric75
10:00:00:00:c9:2b:c9:0c EXIST
50:05:07:61:00:5b:62:ed Imported
• fcrPhyDevShow shows the physical devices in the LSAN.
[Figure 41 LSAN zone binding: a backbone fabric with FC router 1, FC router 2, FC router 3 and FC router 4 attached to edge fabrics 1 through 9; LSAN zones 1, 2, 3 and 4 each span a subset of those edge fabrics.]
After you set up LSAN zone binding, each FC router stores information about only those LSAN zones that access its local edge fabrics. Table 71 shows what LSAN information is stored in each FC router before and after LSAN zone binding is in effect.
creating and updating the LSAN fabric matrix. See the Fabric OS Command Reference for a complete description of this command. Best practice: Use this feature in a backbone fabric in which all FC routers are running Fabric OS 6.1.0 or later. When you set up LSAN zone binding on the local FC router (running Fabric OS 6.1.0 or later), the resultant matrix database is automatically distributed to all of the 6.1.0 or later FC routers in the backbone fabric.
The command fcrLsanMatrix --add -lsan 0 0 erases the entire LSAN fabric matrix settings in the cache. The FC router matrix and the LSAN fabric matrix are used together to determine which fabrics can access each other, with the LSAN fabric matrix providing more specific binding.
Upgrade, downgrade, and HA considerations for LSAN zone binding
When a CP is upgraded from Fabric OS 6.0.x or 5.3.x to 6.1.0, the LSAN zone binding and handling remains the same.
For example:
FCR:Admin > fcrlsanmatrix --fabricview -lsan
LSAN MATRIX is activated
Fabric ID 1 Fabric ID 2
-------------------------------------
4 5
4 7
10 19
Default LSAN Matrix: 1 2 8
Dual backbone configuration
When dual backbones share edge fabrics, one of the backbones is selected to be the owner of the edge fabric, which sends device state updates to the other backbone through the shared edge fabric.
HA and downgrade considerations for LSAN zones
LSAN zones affect high availability and firmware downgrades as follows:
• The LSAN zone matrix is synchronized to the standby CP.
• On a dual CP switch, both CPs need to have Fabric OS 5.3.0 or later to enable the feature.
• If the feature is enabled on the active CP, introducing a CP with an earlier version of Fabric OS as a standby will cause the HA synchronization to fail.
To display the current broadcast configuration:
1. Log in to the FC router as admin.
2. Issue the following command:
fcr:admin> fcrbcastconfig --show
This command displays only the FIDs that have the broadcast frame option disabled. The FIDs that are not listed have the broadcast frame option enabled.
To enable broadcast frame forwarding:
1. Log in to the FC router as admin.
2.
The following example shows the use of the fcrResourceShow command display per physical port (EX_Port) resources.
If you replace an 8-Gbps port blade with another 8-Gbps port blade, the EX_Port configuration remains the same.
Interoperability with legacy FCR switches
A legacy FCR switch is a switch running Fabric OS 5.1 or earlier or XPath OS. The following interoperability considerations apply when administering legacy FCR switches in the same backbone fabric as switches supporting Fabric OS 5.2.
The following example illustrates the use of the portcfgexport command.
1. Log in to an FC router that is connected to an edge fabric switch through multiple EX_Ports from the same router.
2. Issue the portCfgShow command and confirm the ports are enabled.
3. Issue the portCfgExport command and confirm that the EX_Ports share the same front domain ID (DID) and node WWN.
NOTE: Abnormal operation for front domain consolidation exists when the ports do not come online or EX_Ports do not share the same front domain consolidation PID and node WWN.
17 Administering advanced performance monitoring
This chapter describes the Advanced Performance Monitoring licensed feature.
About Advanced Performance Monitoring
Additional performance monitoring features are provided through Web Tools. See the Web Tools Administrator's Guide for information about monitoring performance using the Web Tools GUI.
NOTE: The command examples in this chapter use the slot/port syntax required by 4/256 SAN Director and DC Directors. For the 4/8 SAN Switch, 4/16 SAN Switch, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 8/8 SAN Switch, 8/24 SAN Switch, 8/40 SAN Switch, 8/80 SAN Switch and the 400 Multi-protocol Router, use only the port number where needed in the commands.
Adding end-to-end monitors
Figure 43 shows two devices:
• Host A is connected to domain 5 (0x05), switch area ID 18 (0x12), AL_PA 0x00 on Switch X.
• Dev B is a storage device connected to domain 17 (0x11), switch area ID 30 (0x1e), AL_PA 0xef on Switch Y.
[Figure 43: Host A on Switch X with SID 0x051200 (domain 0x05, switch area ID 0x12, AL_PA 0x00), Monitor 0, and Dev B on Switch Y with DID 0x111eef.]
monitor. By setting a mask, you can choose to have the frame match only one or two of the three fields (Domain ID, Area ID, and AL_PA) to trigger the monitor. You specify the masks in the form dd:aa:pp, where dd is the domain ID mask, aa is the area ID mask, and pp is the AL_PA mask. The values for dd, aa, and pp are either ff (the field must match) or 00 (the field is ignored). The default EE mask value is ff:ff:ff. Only one mask per port can be set.
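The PID arithmetic behind Figure 43 and the dd:aa:pp mask rule can be exercised offline to see which SID/DID pairs a monitor would count under a given mask. This is an added example, not code from the guide or from Fabric OS; the monitor and frame values are constructed, and applying one mask to both the SID and the DID is an assumption drawn from "only one mask per port can be set".

```python
"""Added example (not from the Fabric OS guide): build 24-bit Fibre Channel
port IDs from domain, area and AL_PA as in Figure 43, and apply an
end-to-end (EE) monitor mask in dd:aa:pp form to decide whether a frame's
SID/DID pair would trigger the monitor."""

from typing import Tuple


def make_pid(domain: int, area: int, alpa: int) -> int:
    """PID = domain (8 bits) | area (8 bits) | AL_PA (8 bits)."""
    for value in (domain, area, alpa):
        if not 0 <= value <= 0xFF:
            raise ValueError("each PID field is one byte")
    return (domain << 16) | (area << 8) | alpa


def parse_ee_mask(mask: str) -> int:
    """Turn 'dd:aa:pp' (each field ff or 00) into a 24-bit AND mask."""
    parts = mask.lower().split(":")
    if len(parts) != 3 or any(p not in ("ff", "00") for p in parts):
        raise ValueError("mask must be dd:aa:pp with each field ff or 00")
    return make_pid(*(int(p, 16) for p in parts))


def ee_monitor_matches(monitor: Tuple[int, int], frame: Tuple[int, int],
                       mask: str = "ff:ff:ff") -> bool:
    """True if the frame's (SID, DID) matches the monitor under the mask.

    The page states one mask per port, so the same mask is applied to both
    the SID and the DID (assumption of this example). The default ff:ff:ff
    requires all three fields of both IDs to match."""
    bits = parse_ee_mask(mask)
    mon_sid, mon_did = monitor
    sid, did = frame
    return (sid & bits) == (mon_sid & bits) and (did & bits) == (mon_did & bits)


# Figure 43 values: Host A on domain 0x05, area 0x12, AL_PA 0x00;
# Dev B on domain 0x11, area 0x1e, AL_PA 0xef.
HOST_A = make_pid(0x05, 0x12, 0x00)  # 0x051200
DEV_B = make_pid(0x11, 0x1E, 0xEF)   # 0x111eef
MONITOR_0 = (HOST_A, DEV_B)

if __name__ == "__main__":
    print(hex(HOST_A), hex(DEV_B))
    # Constructed frame to another AL_PA on Dev B's loop: no match with the
    # default mask, but it matches once the AL_PA field is ignored.
    other_alpa = (HOST_A, make_pid(0x11, 0x1E, 0xE8))
    print(ee_monitor_matches(MONITOR_0, other_alpa))               # False
    print(ee_monitor_matches(MONITOR_0, other_alpa, "ff:ff:00"))   # True
```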
2 0x000123 0x000789 WEB_TOOLS 0x0000000000000000 0x0000000000000000 10.106.7.179
3 0x001212 0x003434 WEB_TOOLS 0x0000000000000000 0x0000000000000000 10.106.7.179
switch:admin> perfdeleemonitor 0, 2
End-to-End monitor number 2 deleted
switch:admin>
Filter-based performance monitoring
Filter-based performance monitoring counts the number of times a frame with a particular pattern is transmitted by a port. Filter-based monitoring is achieved by configuring a filter for a particular purpose.
The following example adds filter-based monitors to slot 1, port 2 and displays the results:
switch:admin> perfaddreadmonitor 1/2
SCSI Read filter monitor #0 added
switch:admin> perfaddwritemonitor 1/2
SCSI Write filter monitor #1 added
switch:admin> perfaddrwmonitor 1/2
SCSI Read/Write filter monitor #2 added
switch:admin> perfaddscsimonitor 1/2
SCSI traffic frame monitor #3 added
switch:admin> perfaddipmonitor 1/2
IP traffic frame monitor #4 added
switch:admin> perfmonitorshow --class FLT 1/2
There are 5
frame (SOF). When the offset is set to 0, the values 0-7 that are checked against that offset are predefined as shown in Table 74.
Table 74 Predefined values at offset 0
Value SOF
0 SOFf
1 SOFc1
2 SOFi1
3 SOFn1
4 SOFi2
5 SOFn2
6 SOFi3
7 SOFn3
If the switch does not have enough resources to create a given filter, other filters might have to be deleted to free resources.
Top Talker monitors
Top Talker monitors determine the flows (SID/DID pairs) that are the major users of bandwidth (after initial stabilization). Top Talker monitors measure bandwidth usage data in real time and relative to the port on which the monitor is installed.
NOTE: Initial stabilization is the time taken by a flow to reach the maximum bandwidth. This time varies depending on the number of flows in the fabric and other factors.
• port is the port number.
For example, to monitor the incoming traffic on port 7:
perfttmon --add ingress 7
To monitor the outgoing traffic on slot 2, port 4 on the 4/256 SAN Director or DC Director:
perfttmon --add egress 2/4
Deleting a Top Talker monitor on an F_Port
To delete a Top Talker monitor on an F_Port:
1. Connect to the switch and log in as admin.
2.
Use the perfttmon command to add, delete, and display Top Talker monitors.
Adding Top Talker monitors on all switches in the fabric
To add Top Talker monitors on all switches in the fabric:
1. Connect to the switch and log in as admin.
2. Remove any end-to-end monitors in the fabric, as described in "Deleting end-to-end monitors" on page 346. Fabric Mode Top Talker monitors and end-to-end monitors cannot both exist in the fabric.
3.
To display the top flows on domain 2 in PID format:
perfttmon --show dom 2 pid
switch:admin> perfttmon --show dom 2 pid
========================================
Src_PID Dst_PID MB/sec
========================================
0xa908ef 0xa05200 6.926
0xa05200 0xa908ef 6.872
0xa905ef 0xa05200 6.830
0xa909d5 0xa05200 6.772
Limitations of Top Talker monitors
Note the following when using Top Talker monitors:
• Top Talker monitors cannot detect transient surges in traffic through a given flow.
The Directors have a total of 10 slots. Slot numbers 5 and 6 are control processor blades; slots 1 through 4 and 7 through 10 are port blades. For 16-port blades, there are 16 ports, counted from the bottom, numbered 0 to 15. For 32-port blades, there are 32 ports numbered 0 to 31.
• portnumber specifies a port number. Valid values for port number vary, depending on the switch type. This operand is required.
• interval specifies an interval in seconds.
The following example displays EE monitors on a port:
switch:admin> perfMonitorShow --class EE 4/5
There are 7 end-to-end monitor(s) defined on port 53.
The following example displays ISL monitor information on a port:
switch:admin> perfMonitorShow --class ISL 1/1
Total transmit count for this ISL: 1462326
Number of destination domains monitored: 3
Number of ports in this ISL: 2
Domain 97: 110379
Domain 98: 1337982
Domain 99: 13965
Clearing monitor counters
To clear monitor counters:
1. Connect to the switch and log in as admin.
2.
The following example clears statistics counters for an end-to-end monitor:
switch:admin> perfMonitorClear --class EE 1/2 5
End-to-End monitor number 5 counters are cleared
switch:admin> perfMonitorClear --class EE 1/2
This will clear ALL EE monitors' counters on port 2, continue? (yes, y, no, n): [no] y
The following example clears statistics counters for a filter-based monitor:
switch:admin> perfMonitorClear --class FLT 1/2 4
Filter-based monitor number 4 counters are cleared
switch:admin> perfMonitorCle
• To clear the previously saved performance monitoring configuration settings from nonvolatile memory, use the perfCfgClear command:
switch:admin> perfcfgclear
This will clear Performance Monitoring settings in FLASH. The RAM settings won't change.
Do you want to continue? (yes, y, no, n): [no] y
Please wait...
Committing configuration...done.
Performance Monitoring configuration cleared from FLASH.
18 Administering extended fabrics
This chapter provides information on implementing Extended Fabrics software.
Extended Fabrics licensing
To implement long distance dynamic (LD) and long distance static (LS) distance levels, you must first install the Extended Fabrics license. Use the licenseShow command to verify that the license is present on the switches at both ends of the extended ISL. For details on obtaining and installing licensed features, see "Licensed features" on page 34.
Table 75 describes Fibre Channel data frames.
Table 75 Fibre Channel data frames
Field | Bytes | Bits
Start of frame | 4 bytes | 32 bits
Standard frame header | 24 bytes | 192 bits
Data (payload) | 0 - 2,112 bytes | 0 - 16,896 bits
CRC | 4 bytes | 32 bits
End of frame | 4 bytes | 32 bits
Total (Nbr bits/frame) | 36 - 2,148 bytes | 288 - 17,184 bits
The term byte used in Table 75 means 8 bits. The maximum Fibre Channel frame is 2,148 bytes.
FC switch port buffer credit requirements for long distance calculations
You can calculate how many ports can be configured for long distance on all switch modules or ASICs except Bloom-based switches. For information on the port, speed, and distance for Bloom-based ASICs, see Table 77. The following are the considerations for the calculation:
• Each user port reserves eight buffers when it is not online.
• Remaining buffers can be reserved by any port in the port group.
676 = a static number retrieved from Table 76. If you allocate the entire 484 + 8 reserved buffers = 492 buffers to a single port, that port can support 486 km at 2 Gbps, which is the reserved buffer for distance.
How many 50 km ports can you configure? If you have a distance of 50 km at 8 Gbps, then 484 / (206 - 8) = 2 ports. If you have a distance of 50 km at 1 Gbps, then 484 / (31 - 8) = 21 ports.
NOTE: The 10 Gbps FC10-6 blade has two port groups of three ports each.
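The arithmetic above (484 free buffers in a 676-buffer, 24-port group; 2 ports at 50 km and 8 Gbps; 21 ports at 1 Gbps; 486 km from 492 buffers at 2 Gbps) can be reproduced for other distances and speeds. This is an added example, not code from the guide or from Fabric OS; the per-link formula buffers = distance_km * speed_gbps / 2 + 6 is an assumption of the example that reproduces the page's 206 and 31 buffer figures, and the 676/24/8 values are taken from Table 76.

```python
"""Added example (not from the Fabric OS guide): long-distance buffer credit
sizing per port group. The per-link formula is assumed, chosen because it
reproduces the worked figures on the page (206 buffers for 50 km at 8 Gbps,
31 buffers for 50 km at 1 Gbps, 486 km from 492 buffers at 2 Gbps)."""

import math

RESERVED_PER_PORT = 8  # buffers each user port reserves while offline (from the text)


def buffers_for_link(distance_km: float, speed_gbps: float) -> int:
    """Buffers one long-distance port needs (assumed formula, see above)."""
    return math.ceil(distance_km * speed_gbps / 2) + 6


def available_buffers(total_buffers: int, ports_in_group: int,
                      reserved_per_port: int = RESERVED_PER_PORT) -> int:
    """Pool left once every port in the group holds its reservation.

    For the 8/24 SAN Switch group in Table 76: 676 - 24 * 8 = 484."""
    return total_buffers - ports_in_group * reserved_per_port


def long_distance_ports(available: int, distance_km: float, speed_gbps: float,
                        reserved_per_port: int = RESERVED_PER_PORT) -> int:
    """Ports at this distance and speed the shared pool can support.

    A long-distance port keeps its own reservation, so only the buffers
    beyond reserved_per_port are drawn from the pool: 484 // (206 - 8)."""
    extra = buffers_for_link(distance_km, speed_gbps) - reserved_per_port
    if extra <= 0:
        raise ValueError("the per-port reservation already covers this link")
    return available // extra


def max_distance_km(buffers: int, speed_gbps: float) -> int:
    """Inverse of buffers_for_link: the distance one port can reach when
    given this many buffers, e.g. 492 buffers at 2 Gbps -> 486 km."""
    return math.floor((buffers - 6) * 2 / speed_gbps)


if __name__ == "__main__":
    pool = available_buffers(676, 24)                   # 484
    print(pool)
    print(long_distance_ports(pool, 50, 8))             # 2
    print(long_distance_ports(pool, 50, 1))             # 21
    print(max_distance_km(pool + RESERVED_PER_PORT, 2))  # 486
```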
Table 76 Switch, port speed, and distance with ASIC and buffers
Switch blade model | ASIC | Total ports in a switch or blade | Total buffers / ports in a group | Reserved buffers for ports
B-Series 2Gb Switches | Bloom | 8, 16 or 32 | 108/4 | 0
4/8 SAN Switch or 4/16 SAN Switch | Golden Eye | 16 | 272/16 | 8
8/8 SAN Switch, 8/24 SAN Switch | Golden Eye2 | 24 | 676/24 | 8
SAN Switch 4/32 and SAN Switch 4/32B | Condor | 32 | 1000/32 | 8
4/64 SAN Switch | Condor | 64 | 712/16 | 8
8/40 SAN Switch | Condor2 | 40 | 2012/40 | 8
8/80 SAN Switc
NOTE: Additional buffers are available with 4 Gbps chassis for 8 Gbps blades because of fewer buffers allocated for back-end port connections.
Buffer credit recovery
Buffer credit recovery allows links to recover after frames and R_RDYs are lost when the credit recovery logic is enabled. Buffer credit recovery maintains performance; as soon as one credit is lost, it attempts to recover. During link reset, the frame and credit loss counters are reset without performance degradation.
Configuring an extended ISL
Before configuring an extended ISL, ensure that the following conditions are met:
• Be sure that the ports on both ends of the ISL are operating at the same port speed, and can be configured at the same distance level without compromising local switch performance.
NOTE: A long-distance link also can be configured to be part of a trunk group.
• desired_distance is, for an LD-mode link, a threshold limit for link distance to ensure buffer availability for other ports in the same port group. If the measured distance exceeds desired_distance, desired_distance is used. For an LS-mode link, desired_distance is used to calculate the buffers required for the port. 5. Repeat step 4 for the remote extended ISL port. Both the local and remote extended ISL ports must be configured to the same distance level.
19 Administering ISL trunking
This chapter contains procedures for using the ISL Trunking licensed feature, which optimizes the use of bandwidth by allowing a group of interswitch links to merge into a single logical link.
About ISL Trunking
ISL Trunking reduces or eliminates situations that require static traffic routes and individual ISL management to achieve optimal performance.
• Dynamic trunk master reassignment if a trunk master is disabled (on other platforms, all ports on a trunk must be disabled temporarily to reassign a master). • 4 Gbps trunk links. • 8 Gbps trunk links where supported. The maximum number of ports per trunk and trunks per switch depends on the HP model. NOTE: Director blade model FC10-6 does not support trunking.
• A trunking group has the same link cost as the master ISL of the group, regardless of the number of ISLs in the group. This allows slave ISLs to be added or removed without causing data to be rerouted, because the link cost remains constant. • The addition of a path that is shorter than existing paths causes traffic to be rerouted through that path. • The addition of a path that is longer than existing paths may not be useful because the traffic will choose the shorter paths first.
Adding a monitor to an F_Port master port
1. Connect to the switch and log in as admin.
2. Issue the perfAddEEMonitor command:
switch:admin> perfaddeemonitor 4 0x010400 0x020800
Adding monitor to the master port of the F-Port Trunk.
where 4 is a slave port of the F_Port Trunk.
The following example shows traffic flowing through a trunking group (ports 5, 6, and 7). After port 6 fails, traffic is redistributed over the remaining two links in the group, ports 5 and 7:
switch:admin> portperfshow
 0  1  2  3  4  5     6     7     Total
-------------------------------------------------------------------
 0  0  0  0  0  145m  144m  145m  434
 0  0  0  0  0  144m  143m  144m  431
 0  0  0  0  0  162m  0     162m  324
Enabling and disabling ISL Trunking
You can enable or disable ISL Trunking for a single port or for an entire switch.
Setting port speeds For long-distance ports, if a port is set to autonegotiate port speed, the maximum speed (8 Gbps) is assumed for reserving buffers for the port. If the port is running at only 2 Gbps, this wastes buffers. For long-distance ports, it is best to set the port speed (this applies to the 4/32 SAN Switch, 4/32B SAN Switch and the 4/256 SAN Director only).
• 4—four Gbps mode. Fixes the port at a speed of four Gbps. (HP StorageWorks 4/8 SAN Switch, 4/16 SAN Switch, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 400 Multi-protocol Router and 4/256 SAN Director only) • 8—eight Gbps mode. Fixes the port at a speed of eight Gbps.
Use the trunkShow command to display the following information about ISL Trunking groups:
Trunking Group Number: Displays each trunking group on a switch. All the ports that are part of this trunking group are displayed.
Port-to-port connections: Displays the port-to-port trunking connections.
WWN: Displays the WWN of the connected port.
Domain: Displays the domain IDs of the switches directly connected to the physical ports.
Enhanced trunking support for the FC4-48 port blade in the 4/256 SAN Director is summarized in Table 80.
Table 80 Trunking support for 4/256 SAN Director and DC Directors with supported blades (Condor and Condor2 ASIC)
Mode | Distance | Number of 2 Gbps ports | Number of 4 or 8 Gbps ports
LE | 10 km | 48 (six 8-port trunks) | 48 (six 8-port trunks)
L0 | Normal | See note below. |
work on M-EOS or third party switches. Figure 47 shows a switch in AG mode without F_Port masterless trunking. Figure 48 shows a switch in AG mode with F_Port masterless trunking. Figure 47 Switch in Access Gateway mode without F_Port trunking Figure 48 Switch in Access Gateway mode with F_Port masterless trunking NOTE: You do not need to map the host to the master port manually because Access Gateway performs a cold failover to the master port.
F_Port trunking considerations
Table 81 F_Port masterless trunking considerations
Category | Description
Area assignment | You statically assign the area within the trunk group on the edge switch. That group is the F_Port masterless trunk. The static trunk area you assign must fall within the ASIC's trunk group of the switch or blade starting from port 0. The static trunk area you assign must be one of the port's default areas of the trunk group.
Table 81 F_Port masterless trunking considerations (continued)
Category | Description
portCfgTrunkPort , 0 | The portCfgTrunkPort , 0 command fails if a Trunk Area is enabled on a port. The port Trunk Area must be disabled first.
switchCfgTrunk 0 | The switchCfgTrunk 0 command will fail if a port has TA enabled. All ports on a switch must be TA disabled first.
Table 81 F_Port masterless trunking considerations (continued)
Category | Description
DCC Policy | DCC policy enforcement for the F_Port trunk is based on the Trunk Area; FDISC requests to a trunk port are accepted only if the WWN of the attached device is part of the DCC policy against the TA. The PWWN of the FLOGI sent from the AG will be dynamic for the F_Port trunk master.
user port number, with contiguous eight ports as one group, such as 0-7, 8-15, 16-23 and up to the number of ports on the switch.
Figure 49 Trunk group configuration for the SAN Switch 8/40
To set up F_Port trunking:
1. Connect to the switch and log in as admin.
2. Ensure that both modules (edge switch and the switch running in AG mode) have the trunking licenses enabled.
3. Ensure that the ports have trunking enabled by issuing the portCfgShow command.
3. Issue the TA for ports 13 and 14 on slot 10 with a port index of 125:
switch:admin> porttrunkarea --enable 10/13-14 -index 125
Trunk index 125 enabled for ports 10/13 and 10/14.
4. Show the TA port configuration (ports still disabled):
switch:admin> porttrunkarea --show enabled
Slot Port Type State Master TI  DI
-------------------------------------------
10   13   -    -     -      125 125
10   14   -    -     -      125 126
-------------------------------------------
5.
4. Show switch/port information:
switch:admin> switchshow
switchName: SPIRIT_B4_01
switchType: 66.
5. Display TA enabled port configuration:
switch:admin> porttrunkarea --show enabled
Port Type   State  Master TA DA
------------------------------------
36   F-port Master 36     37 36
37   F-port Slave  36     37 37
38   F-port Slave  36     37 38
39   F-port Slave  36     37 39
6. Display the trunking information. For example, to display trunk details for a user assigned TA 37 that includes ports 36-39:
switch:admin> porttrunkarea --show trunk
Trunk Area 37:
36->23 sp: 4.000G bw: 16.000G deskew 16 MASTER
39->22 sp: 4.000G bw: 4.
Example: How Trunk Area assignment affects the port Domain,Index
If you have AD1: 3,7; 3,8; 4,13; 4,14 and AD2: 3,9; 3,10, and then create a TA with Index 8 with ports that have index 7, 8, 9, and 10, indexes 7, 9, and 10 are no longer with domain 3. This means that AD2 does not have access to any ports because indexes 9 and 10 no longer exist on domain 3. This also means that AD1 no longer has 3,7 in effect because Index 7 no longer exists for domain 3.
20 Configuring and monitoring FCIP extension services
This chapter describes the FCIP concepts, configuration procedures, and tools and procedures for monitoring network performance. Commands described in this chapter require Admin or root user access. See the Fabric OS Command Reference for detailed information on command syntax.
FCIP concepts
Fibre Channel over IP (FCIP) enables you to connect Fibre Channel SANs over IP-based networks.
• A VEX_Port enables FC-FC Routing Service functionality over an FCIP tunnel. VEX_Ports enable interfabric links (IFLs). If a VEX_Port is on one end of an FCIP tunnel, the fabrics connected by the tunnel are not merged. The other end of the tunnel must be defined as a VE_Port. VEX_Ports are not used in pairs.
Figure 50 illustrates a portion of a Fibre Channel network that uses FCIP ISLs, which are VE_Ports connected over the IP WAN network, to join the office and data center SANs into a single larger SAN.
FCIP services license
Most of the FCIP extension services described in this chapter require the High Performance Extension over FCIP/FC license. Use the licenseShow command to verify the license is present on the hardware used on both ends of the FCIP tunnel. For details on obtaining and installing licensed features, see "Licensed features" on page 34.
When both DSCP and L2CoS are used
If an FCIP tunnel is not VLAN tagged, only DSCP is relevant. If the FCIP tunnel is VLAN tagged, both DSCP and L2CoS are relevant, unless the VLAN is end-to-end, with no intermediate hops in the IP network. Table 85 shows the default mapping of DSCP priorities to L2CoS priorities per tunnel ID. This may be helpful when consulting with the network administrator. These values may be modified per FCIP tunnel.
IPSec uses some terms that you should be familiar with before beginning your configuration. These are standardized terms, but are included here for your convenience.
Table 86 IPSec terminology
Term: AES
Definition: Advanced Encryption Standard. FIPS 197 endorses the Rijndael encryption algorithm as the approved AES for use by US Government organizations and others to protect sensitive information. It replaces DES as the encryption standard.
Term: AES-XCBC
Definition: Cipher Block Chaining.
• IPSec can be configured only on IPv4-based tunnels. Secure tunnels cannot be created on a 400 Multi-protocol Router or FR4-18i blade if any IPv6 addresses are defined on either ge0 or ge1.
• Secure tunnels cannot be defined with VLAN tagged connections.
Configuring IPSec
IPSec requires predefined configurations for IKE and IPSec. You can enable IPSec only when these configurations are well-defined and properly created in advance.
The parameters listed in Table 88 can be modified:
Table 88 Modifiable policy parameters
Parameter: Encryption Algorithm
Description: 3DES (168-bit key); AES-128 (128-bit key, default); AES-256 (256-bit key)
Parameter: Authentication Algorithm
Description: SHA-1 (Secure Hash Algorithm, default); MD5 (Message Digest 5); AES-XCBC (used only for IPSec)
Parameter: Security Association lifetime in seconds
Description: The lifetime in seconds of the security association. A new key is renegotiated before seconds expires. Seconds must be between 28800 and 250000000, or 0.
The following example shows how to create IKE policy number 10 using 3DES encryption, MD5 authentication, and Diffie-Hellman Group 1:
switch:admin06> policy --create ike 10 -enc 3des -auth md5 -dh 1
The following policy has been set:
IKE Policy 10
----------------------------------------
Authentication Algorithm: MD5
Encryption: 3DES
Perfect Forward Secrecy: on
Diffie-Hellman Group: 1
SA Life (seconds): 28800
Operation Succeeded
For a complete description of the policy command, see the Fabric OS Command Refe
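As an added Python example (not code from the guide or from Fabric OS), the following parses a policy --create command line of the form shown above and checks the resulting policy against the Table 88 ranges before it is applied: unsupported algorithms, AES-XCBC on a non-IPSec policy, and an SA lifetime outside 28800..250000000 (or 0) are reported as errors, and the legacy choices 3DES and MD5 are reported as warnings. The only option tokens the guide shows are 3des and md5; the other spellings (aes-128, aes-256, sha-1, aes-xcbc) are assumed to be the Table 88 names lower-cased.

```python
# Added example, not from the guide or Fabric OS: parses a "policy --create" command
# line and checks the resulting policy against Table 88.
# Assumption (labelled): tokens other than the guide's own 3des and md5 are the
# Table 88 names lower-cased (aes-128, aes-256, sha-1, aes-xcbc).
import shlex

ENCRYPTION_KEY_BITS = {"3des": 168, "aes-128": 128, "aes-256": 256}
AUTHENTICATION = {"sha-1", "md5", "aes-xcbc"}
DEFAULTS = {"enc": "aes-128", "auth": "sha-1", "seconds": 28800}   # Table 88 defaults
LIFETIME_MIN, LIFETIME_MAX = 28800, 250000000                       # or exactly 0


def parse_policy_create(cmdline: str) -> dict:
    """Parse 'policy --create <ike|ipsec> <number> [-enc X] [-auth Y] [-dh N]'."""
    tokens = shlex.split(cmdline)
    if len(tokens) < 4 or tokens[:2] != ["policy", "--create"]:
        raise ValueError("expected: policy --create <ike|ipsec> <number> [options]")
    ptype = tokens[2].lower()
    if ptype not in ("ike", "ipsec"):
        raise ValueError("policy type must be ike or ipsec")
    policy = {"type": ptype, "number": int(tokens[3]), **DEFAULTS}
    opts = tokens[4:]
    if len(opts) % 2:
        raise ValueError("every option needs a value")
    for flag, value in zip(opts[::2], opts[1::2]):
        if flag == "-enc":
            policy["enc"] = value.lower()
        elif flag == "-auth":
            policy["auth"] = value.lower()
        elif flag == "-dh":
            policy["dh"] = int(value)
        else:
            raise ValueError(f"unknown option {flag}")
    return policy


def check_policy(policy: dict) -> list:
    """Return (severity, message) findings; 'error' violates Table 88, 'warn' is a legacy choice."""
    findings = []
    enc, auth, secs = policy["enc"], policy["auth"], policy["seconds"]
    if enc not in ENCRYPTION_KEY_BITS:
        findings.append(("error", f"unsupported encryption algorithm {enc}"))
    elif enc == "3des":
        findings.append(("warn", "3DES selected; AES-128 is the default and AES-256 is available"))
    if auth not in AUTHENTICATION:
        findings.append(("error", f"unsupported authentication algorithm {auth}"))
    elif auth == "aes-xcbc" and policy["type"] != "ipsec":
        findings.append(("error", "AES-XCBC is used only for IPSec policies"))
    elif auth == "md5":
        findings.append(("warn", "MD5 selected; SHA-1 is the default"))
    if secs != 0 and not LIFETIME_MIN <= secs <= LIFETIME_MAX:
        findings.append(("error", f"SA lifetime {secs} s must be {LIFETIME_MIN}..{LIFETIME_MAX} or 0"))
    return findings


if __name__ == "__main__":
    # The guide's own example command produces two warnings and no errors.
    p = parse_policy_create("policy --create ike 10 -enc 3des -auth md5 -dh 1")
    for severity, msg in check_policy(p):
        print(f"IKE policy {p['number']}: {severity}: {msg}")
```

The lifetime is not an option on the command line shown in the guide, so the checker takes it from the parsed policy dictionary, where it defaults to the 28800 seconds shown in the guide's output and can be overridden by the caller.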
where type is the policy type and number is the number assigned. For example, to delete the IPSec policy number 10:
switch:admin06> policy --delete ipsec 10
The policy has been successfully deleted.
To view IPSec information for an FCIP tunnel:
1. Log in to the switch as admin.
2. Issue the portShow fcipTunnel command:
switch:admin06> portshow fciptunnel 8/ge0 3 -ipsec
Port: ge0
-------------------------------------------
Tunnel ID 3
Remote IP Addr 192.175.5.200
Local IP Addr 192.175.5.
fastwrite flows may be passed through the FCIP tunnel, but only if the FCIP fastwrite option is disabled on the tunnel.
FCIP fastwrite and tape pipelining
When the FCIP link is the slowest part of the network, consider using FCIP fastwrite and tape pipelining. Supported only in Fabric OS 5.2.x and later, FCIP fastwrite and tape pipelining are two features that provide accelerated speeds for write I/O over FCIP tunnels in some configurations:
• FCIP fastwrite accelerates the SCSI write I/Os over FCIP.
FCIP fastwrite/tape pipelining configurations
To help understand the supported configurations, consider the configurations shown in Figure 51 and Figure 52. In both cases, there are no multiple equal-cost paths. In Figure 51, there is a single tunnel with fastwrite and tape pipelining enabled. In Figure 52, there are multiple tunnels, but none of them create a multiple equal-cost path.
VE-VE or VEX-VEX
Figure 53 Unsupported configurations with fastwrite and tape pipelining
FC Fastwrite concepts
FC Fastwrite operates in Fibre Channel network topologies similar to the basic topology shown in Figure 54.
Channel ISLs implemented through the FC-FC Routing Service (FRS) rather than FCIP. FC Fastwrite is supported in Fabric OS 5.3.x and later.
Figure 54 Typical network topology for FC Fastwrite
Platforms and OS requirements for FC Fastwrite
Fabric OS supports FC Fastwrite between two 400 Multi-Protocol Routers, two 4/256 SAN Directors with FR4-18i blades, or two DC SAN Backbone Directors with FR4-18i blades, connected by a Fibre Channel network. Fabric OS 5.3.
4. The PI continues to stage data received from the initiator, respond locally to a Transfer Ready, and send the data to the target device until the target device sends a Response (FCP_RSP).
Figure 55 How FC Fastwrite works
FC Fastwrite can improve write performance. Read performance is unaffected. The gains seen from enabling FC Fastwrite depend on several factors, including the following:
• The size of I/O versus Transfer Ready.
Perform the following procedure to configure and enable FC Fastwrite.
1. Create a zone configuration to filter FC Fastwrite flows. FC Fastwrite flows are configured by creating a zone name with an fcacc token as a prefix. For LSAN configuration, use lsan_fcacc as a prefix, as shown in the following example:
#zonecreate fcacc_myzone1, "initiator-wwn; target-wwn"
#zonecreate LSAN_fcacc_myzone2, "initiator-wwn; target1-wwn; target2-wwn"
#cfgcreate mycfg, "fcacc_myzone1; LSAN_fcacc_myzone2"
#cfgenable mycfg
2.
5. Issue the portShow command to verify that FC Fastwrite is enabled:
switch:admin> portshow 3/3
portName:
portHealth: HEALTHY
Authentication: None
portDisableReason: None
portCFlags: 0x1
portFlags: 0x20b03 PRESENT ACTIVE F_PORT G_PORT U_PORT LOGICAL_ONLINE LOGIN NOELP ACCEPT
portType: 10.
Example of disabling FC Fastwrite on a switch:
switch:admin> fastwritecfg --disable 7
!!!! WARNING !!!!
Disabling FC Fastwrite will require powering off and back on the and it may take upto 5 minutes.
For non bladed system, the switch will be rebooted.
Data traffic will be disrupted.
Continue (Y,y,N,n): [ n] y
Slot 7 is being powered off
Disabling FC Fastwrite on a port
1. Connect to the switch and log in using an account assigned to the admin role.
2.
11. If you are implementing FTRACE, configure FTRACE using the portcfg ftrace command. See "FICON fabrics" on page 423 for specific instructions.
12. Check the configuration using the portshow fciptunnel command.
13. Persistently enable the ports using the portpersistentenable command.
14. Create a matching configuration on the 400 Multi-protocol Router or FR4-18i blade at the other end of the tunnel.
15. Test the IP connection using the portcmd --ping command.
where:
slot The number of a slot in a 4/256 SAN Director or DC Director chassis that contains an FR4-18i blade. This parameter does not apply to the stand-alone 400 Multi-protocol Router.
ge0|ge1 The Ethernet port used by the tunnel (ge0 or ge1).
src_ipaddr Specify the source IP address in either IPv6 or IPv4 format:
src_IPv6_addr/[prefix_len] Specifies the source IPv6 address of the virtual port if IPv6 is used. The address must be an IPv6 global, unicast address. As an option, specify the prefix length.
The following example verifies that the two routes have been successfully created:
switch:admin06> portshow iproute 8/ge0
Slot: 8 Port: ge0
IP Address    Mask          Gateway        Metric Flags
-----------------------------------------------------------------
192.168.100.0 255.255.255.0 192.168.100.40 0      Interface
192.168.100.0 255.255.255.0 192.168.100.41 0      Interface
192.168.11.0  255.255.255.0 192.168.100.1  1
192.168.12.0  255.255.255.0 192.168.100.1  1
3.
The following example tests the connection between 192.175.5.100 and 192.175.5.200:
switch:admin06> portcmd --ping ge0 -s 192.175.5.100 -d 192.175.5.200
Pinging 192.175.5.200 from ip interface 192.175.5.100 on 0/ge0 with 64 bytes of data
Reply from 192.175.5.200: bytes=64 rtt=1ms ttl=64
Reply from 192.175.5.200: bytes=64 rtt=0ms ttl=64
Reply from 192.175.5.200: bytes=64 rtt=0ms ttl=64
Reply from 192.175.5.200: bytes=64 rtt=1ms ttl=64
Ping Statistics for 192.175.5.
-k timeout is the keep-alive timeout in seconds. The range of valid values is 8 through 7,200 seconds and the default is 10. If tape pipelining is enabled, both the default and minimum values are 80 seconds.
-r retransmissions is the maximum number of retransmissions on the existing FCIP tunnel. The range of valid values is 1 through 16.
The following example shows an active tunnel with FCIP fastwrite and tape pipelining enabled:
switch:admin06> portshow fciptunnel ge0 all
-------------------------------------------
Tunnel ID 1
Remote IP Addr 192.168.1.2
Local IP Addr 192.168.1.201
Remote WWN Not Configured
Local WWN 10:00:00:05:1e:35:1f:ed
Compression off
Fastwrite on
Tape Pipelining on
Uncommitted bandwidth, minimum of 1000 Kbps (0.
To verify that a VE_Port or VEX_Port is online, use the switchShow command to view and verify that the FCIP tunnel is online.
switch:admin06> portenable 8/18
switch:admin06> portenable 8/19
switch:admin06> switchshow
switchName:switch
switchType:42.
switch:admin06> portcfgpersistentenable 8/18
switch:admin06> portcfgpersistentenable 8/19
switch:admin06> portcfgshow
Ports of Slot 8    0  1  2  3    4  5  6  7    8  9 10 11   12 13 14 15
-----------------+--+--+--+--+----+--+--+--+----+--+--+--+----+--+--+--
Speed             AN AN AN AN   AN AN AN AN   AN AN AN AN   AN AN AN AN
Trunk Port        ON ON ON ON   ON ON ON ON   ON ON ON ON   ON ON ON ON
Long Distance     .. .. .. ..   .. .. .. ..   .. .. .. ..   .. .. .. ..
VC Link Init      .. .. .. ..   .. .. .. ..   .. .. .. ..   .. .. .. ..
Locked L_Port     .. .. .. ..   .. .. ..
2. Issue the portCfg fcipTunnel command to modify FCIP tunnels (you must specify at least one characteristic to modify). The command syntax is as follows:
portcfg fciptunnel [slot/]ge[port] modify tunnel_id [-b comm_rate] [-c 0|1] [-s 0|1] [-f 0|1] [-k timeout] [-m time] [-q control_dscp] [-Q data_dscp] [-p control_L2Cos] [-P data_L2Cos] [-r retransmissions] [-t 0|1]
where:
slot is the number of a slot in a 4/256 SAN Director or DC Director chassis that contains an FR4-18i blade.
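As an added Python example (not code from the guide or from Fabric OS), the following parses a portcfg fciptunnel modify command of the syntax above and checks the -k and -r values against the ranges the guide gives for them, including the rule that an enabled tape pipelining raises the keep-alive minimum to 80 seconds. The guide's syntax line lists the option letters without describing all of them; the example assumes that -t 0|1 is the tape pipelining switch and that -c, -s, -f and -t are the 0|1 options, and it does not validate options the guide gives no range for.

```python
# Added example, not from the guide or Fabric OS: checks the options of a
# "portcfg fciptunnel ... modify" command against the ranges the guide gives for
# -k (keep-alive timeout) and -r (retransmissions) before the change is applied.
# Assumption (labelled): -t 0|1 is the tape pipelining switch; -c, -s, -f, -t are 0|1.
import shlex

BOOL_FLAGS = {"-c", "-s", "-f", "-t"}
VALUE_FLAGS = {"-b", "-k", "-m", "-q", "-Q", "-p", "-P", "-r"}
KEEPALIVE_MIN, KEEPALIVE_MAX, KEEPALIVE_DEFAULT = 8, 7200, 10
KEEPALIVE_MIN_TAPE = 80           # default and minimum when tape pipelining is enabled
RETRANS_MIN, RETRANS_MAX = 1, 16


def parse_modify(cmdline: str) -> dict:
    """Parse 'portcfg fciptunnel [slot/]geN modify <tunnel_id> [options]'."""
    t = shlex.split(cmdline)
    if len(t) < 5 or t[:2] != ["portcfg", "fciptunnel"] or t[3] != "modify":
        raise ValueError("expected: portcfg fciptunnel [slot/]ge<port> modify <tunnel_id> ...")
    rest = t[5:]
    if not rest:
        raise ValueError("at least one characteristic must be specified")
    opts = {}
    i = 0
    while i < len(rest):
        flag = rest[i]
        if flag not in BOOL_FLAGS | VALUE_FLAGS or i + 1 >= len(rest):
            raise ValueError(f"bad or incomplete option: {flag}")
        opts[flag] = int(rest[i + 1])
        i += 2
    return {"port": t[2], "tunnel_id": int(t[4]), "options": opts}


def check_modify(parsed: dict, tape_pipelining_enabled: bool = False) -> list:
    """Return a list of problems; empty means the modify is within the documented ranges.

    tape_pipelining_enabled is the tunnel's current setting; a -t in the command overrides it.
    """
    opts = parsed["options"]
    problems = []
    for flag in sorted(BOOL_FLAGS.intersection(opts)):
        if opts[flag] not in (0, 1):
            problems.append(f"{flag} must be 0 or 1")
    tape = bool(opts.get("-t", tape_pipelining_enabled))
    if "-k" in opts:
        k = opts["-k"]
        lo = KEEPALIVE_MIN_TAPE if tape else KEEPALIVE_MIN
        if not lo <= k <= KEEPALIVE_MAX:
            problems.append(f"-k {k} outside {lo}..{KEEPALIVE_MAX} seconds"
                            + (" (tape pipelining raises the minimum to 80)" if tape else ""))
    if "-r" in opts and not RETRANS_MIN <= opts["-r"] <= RETRANS_MAX:
        problems.append(f"-r {opts['-r']} outside {RETRANS_MIN}..{RETRANS_MAX}")
    return problems
```

Because the minimum keep-alive depends on a setting that may already be in effect on the tunnel, the check takes the tunnel's current tape pipelining state as an argument; a keep-alive of 30 seconds passes on a plain tunnel and fails once tape pipelining is on.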
The following example shows two FCIP tunnels created on slot 8, port ge0; the first with an uncommitted bandwidth (0), and the second with a committed bandwidth of 10000 Kb/sec:
switch:admin06> portcfg fciptunnel 8/ge0 create 2 192.168.100.50 192.168.100.40 0
switch:admin06> portcfg fciptunnel 8/ge0 create 3 192.168.100.51 192.168.100.41 10000
The following example shows an FCIP tunnel created between a remote interface 10.1.1.44, and a local IP interface 192.168.131.124:
switch:admin06> portcfg 192.168.
Deleting an IP interface (IPIF)
The following command deletes an IP interface:
portcfg ipif delete ipaddr
Deleting an IProute
The following command deletes an IP route:
portcfg iproute [slot/]ge0|ge1 delete ipaddr netmask
Managing the VLAN tag tables
The VLAN tag table is used by ingress processing to filter inbound VLAN tagged frames. If a VLAN tagged frame is received from the network and there is no entry in the VLAN tag table for the VLAN ID, the frame is discarded.
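The ingress filtering rule just described, as an added Python model (not code from the guide or from Fabric OS): frames are constructed inline with placeholder MAC addresses, the VLAN ID is read from the 802.1Q tag (TPID 0x8100, low 12 bits of the TCI), and a tagged frame whose VLAN ID has no entry in the table is discarded, with the offending VLAN ID recorded so that unexpected tags can be investigated. The guide says nothing about untagged frames; the example assumes they are not subject to the table.

```python
# Added example, not from the guide or Fabric OS: a model of the VLAN tag table lookup
# the guide describes for ingress processing. Frames are constructed inline with
# placeholder MAC addresses. Assumption (labelled): untagged frames are not subject
# to the table and are accepted.
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
DST_MAC = bytes.fromhex("020000000001")   # constructed, locally administered addresses
SRC_MAC = bytes.fromhex("020000000002")


def build_frame(vlan_id=None, priority=0, payload=b"\x00" * 46) -> bytes:
    """Build a constructed Ethernet frame, optionally carrying an 802.1Q tag."""
    header = DST_MAC + SRC_MAC
    if vlan_id is not None:
        if not 0 <= vlan_id <= 4095 or not 0 <= priority <= 7:
            raise ValueError("VLAN ID must be 0..4095 and priority 0..7")
        tci = (priority << 13) | vlan_id          # PCP in the top 3 bits, VID in the low 12
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ETHERTYPE_IPV4) + payload


def vlan_id_of(frame: bytes):
    """Return the VLAN ID carried in the frame's 802.1Q tag, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF


def ingress_filter(frames, vlan_tag_table):
    """Apply the table: a tagged frame whose VLAN ID has no entry is discarded."""
    accepted, discarded = [], []
    for frame in frames:
        vid = vlan_id_of(frame)
        if vid is None or vid in vlan_tag_table:
            accepted.append(frame)
        else:
            discarded.append(vid)     # record the VLAN ID so unexpected tags can be investigated
    return accepted, discarded
```

The priority bits share the TCI with the VLAN ID, so the lookup masks them off; a frame tagged for VLAN 100 with priority 5 is looked up as VLAN 100.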
• portCmd traceroute traces routes from a local Ethernet port (ge0 or ge1) to a destination IP address.
• portShow fcipTunnel displays performance statistics generated from the WAN analysis.
About the ipperf option
The WAN tool ipPerf is an option of the Fabric OS portCmd command. This option allows you to specify the slot and port information for displaying performance statistics for a pair of ports.
WAN tool performance characteristics
Table 90 lists the end-to-end IP path performance characteristics that you can display using the portCmd ipPerf command and option. All four of the base ipPerf performance characteristics (bandwidth, loss, RTT, PMTU) are provided in the command output in Fabric OS 5.2.0 or later.
Table 90 WAN tool performance characteristics
Characteristic: Bandwidth
Description: Indicates the total packets and bytes sent.
2. Configure the sender test endpoint using a similar CP CLI. The syntax for invoking the sender test endpoint using ipPerf for slot 8, port ge0 on an FR4-18i is as follows:
portcmd --ipperf 8/ge0 -s 192.168.255.100 -d 192.168.255.10 -S
The following example shows the results of the performance analysis for slot 8, port ge0:
ipperf to 192.168.255.10 from IP interface 192.168.255.100 on 8/0:3227
30s: BW:113.03MBps WBW(30s): 55.39MBps Loss(%):0.0 Delay(ms):1 PMTU:1500
60s: BW:108.89MBps WBW(30s): 83.
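As an added Python example (not code from the guide or from Fabric OS), the following parses the per-interval lines that ipperf prints in the format shown above, covering the four base characteristics from Table 90 (bandwidth, loss, delay, PMTU), and flags intervals that fall outside thresholds an administrator sets. The first sample line reproduces the guide's 30s line; the remaining lines are constructed for illustration, and the threshold values are assumptions.

```python
# Added example, not from the guide or Fabric OS: parses the per-interval lines that
# portcmd --ipperf prints and flags intervals outside administrator-chosen thresholds.
# The sample lines are constructed; the first reproduces the guide's own 30s line.
import re

LINE_RE = re.compile(
    r"^(?P<t>\d+)s:\s+BW:(?P<bw>[\d.]+)MBps\s+WBW\((?P<win>\d+)s\):\s*(?P<wbw>[\d.]+)MBps"
    r"\s+Loss\(%\):(?P<loss>[\d.]+)\s+Delay\(ms\):(?P<delay>\d+)\s+PMTU:(?P<pmtu>\d+)\s*$"
)

SAMPLE_OUTPUT = """\
ipperf to 192.168.255.10 from IP interface 192.168.255.100 on 8/0:3227
30s: BW:113.03MBps WBW(30s): 55.39MBps Loss(%):0.0 Delay(ms):1 PMTU:1500
60s: BW:108.89MBps WBW(30s): 83.21MBps Loss(%):0.0 Delay(ms):1 PMTU:1500
90s: BW:71.40MBps WBW(30s): 12.05MBps Loss(%):2.5 Delay(ms):48 PMTU:1400
"""


def parse_ipperf(text: str) -> list:
    """Return one dict per interval line; the banner and unrelated lines are skipped."""
    samples = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            samples.append({
                "t": int(m["t"]), "bw_mbps": float(m["bw"]),
                "wbw_mbps": float(m["wbw"]), "loss_pct": float(m["loss"]),
                "delay_ms": int(m["delay"]), "pmtu": int(m["pmtu"]),
            })
    return samples


def check_path(samples, max_loss_pct=0.0, max_delay_ms=20, expected_pmtu=1500):
    """Return (interval_seconds, reason) for each measurement outside the thresholds.

    The threshold defaults are assumptions for illustration, not values from the guide.
    """
    findings = []
    for s in samples:
        if s["loss_pct"] > max_loss_pct:
            findings.append((s["t"], f"loss {s['loss_pct']}% exceeds {max_loss_pct}%"))
        if s["delay_ms"] > max_delay_ms:
            findings.append((s["t"], f"delay {s['delay_ms']} ms exceeds {max_delay_ms} ms"))
        if s["pmtu"] < expected_pmtu:
            findings.append((s["t"], f"PMTU {s['pmtu']} below expected {expected_pmtu}"))
    return findings


if __name__ == "__main__":
    for interval, reason in check_path(parse_ipperf(SAMPLE_OUTPUT)):
        print(f"{interval}s: {reason}")
```

A drop in PMTU below the value the tunnel was sized for is worth flagging on its own, since it indicates a path change in the IP network between the two endpoints even when loss and delay still look acceptable.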
Following is the syntax for portCmd ipPerf to display end-to-end IP path performance statistics:
portCmd --ipPerf [slot]/ge0|ge1 -s source_ip -d destination_ip -S|-R [-r rate] [-z size] [-t time] [-i interval] [-p port] [-q diffserv] [-v vlan_id] [-c L2_Cos]
where:
-s source_ip The source IP address.
-d destination_ip The destination IP address.
-S Operates the WAN tool FCIP port-embedded client in the sender mode.
where:
slot The number of a slot in a 4/256 SAN Director or DC Director chassis that contains an FR4-18i blade. This parameter does not apply to the stand-alone 400 Multi-protocol Router.
ge0|ge1 The Ethernet port used by the tunnel (ge0 or ge1).
-s source_ip The source IP interface that originates the ping request.
-d destination_ip The destination IP address for the ping request.
-n num-requests Generates a specified number of ping requests. The default is 4.
-q diffserv The DiffServ QoS.
-h max_hops The maximum number of IP router hops allowed for the outbound probe packets. If this value is exceeded, the probe is stopped. The default is 30.
-f first_ttl The initial time to live value for the first outbound probe packet. The default value is 1.
-q diffserv The DiffServ QoS. The default is 0 (zero). The value must be an integer in the range from 0 through 255.
-w wait-time The time to wait for the response of each ping request.
The following example shows the portShow fcipTunnel command with the --perf option to display performance characteristics of tunnel 0.
switch:admin06> portshow fciptunnel 8/ge0 all --perf
Slot: 8 Port: ge0
-------------------------------------------
Tunnel ID 0
Remote IP Addr 192.175.4.200
Local IP Addr 192.175.4.100
Remote WWN Not Configured
Local WWN 10:00:00:60:69:e2:09:be
Compression on
Fastwrite off
Committed Rate 300000 Kbps (0.
The following example shows the portShow fcipTunnel command with the --params option to display the parameters of tunnel 0:
switch:admin06> portshow fciptunnel 8/ge0 0 --params
Slot: 8 Port: ge0
-------------------------------------------
Tunnel ID 0
Remote IP Addr 192.175.4.200
Local IP Addr 192.175.4.100
Remote WWN Not Configured
Local WWN 10:00:00:60:69:e2:09:be
Compression on
Fastwrite off
Committed Rate 300000 Kbps (0.
556200 Bps 30s avg, 491394 Bps lifetime avg
Table 91 Command checklist for configuring FCIP links
Step | Command
1. Configure IPSec policies (optional). | policy --create
2. Persistently disable ports. | portcfgpersistentdisable
3. If a VEX port is to be implemented, configure the appropriate virtual port as a VEX_Port. | portcfgvexport
4. Configure the IP interface for both ports of a tunnel. | portcfg ipif
5. Verify the IP interface for both ports of a tunnel. | portshow ipif
6.
21 FICON fabrics
This chapter provides procedures for managing FICON fabrics.
Fabric OS support for FICON
IBM Fibre Connection (FICON®) is an industry-standard, high-speed input/output (I/O) interface for mainframe connections to storage devices. Fabric OS supports intermix mode operations, in which FICON and Fibre Channel technology work together.
Platforms supporting FICON FICON protocol is supported on the HP StorageWorks 4/256 SAN Director and DC SAN Backbone Director, short name, DC Director. Contact your HP storage representative for FICON support on switches not listed here.
• The FC4-48 and FC8-48 port blades must not be inserted in slot 10 of the chassis in a FICON configuration. (Other blades are supported in slot 10, but the FC8-48 and FC4-48 blades are not.) Port 255 is reserved for CUP.
FICON commands
Table 92 summarizes the Fabric OS CLI commands that can be used for managing FICON fabrics. For detailed information on these commands, see the Fabric OS Command Reference.
User security considerations
To administer FICON, you must have one of the following roles:
• Admin
• Operator
• SwitchAdmin
• FabricAdmin
The User and BasicSwitchAdmin roles are view-only. The ZoneAdmin and SecurityAdmin roles have no access.
In an Admin Domain-aware fabric, if you use the FICON commands (ficonshow, ficonclear, ficoncupshow, and ficoncupset) for any Admin Domain other than AD0 and AD255, the current switch must be a member of that Admin Domain.
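The role and Admin Domain rules above, as an added Python least-privilege check (not code from the guide or from Fabric OS) that can be applied before a FICON command is issued by an automation account. The role names, the four FICON commands and the AD0/AD255 exception are taken from the text; the assumption that ficonshow and ficoncupshow are the view operations available to the view-only roles, while ficonclear and ficoncupset modify state, is the example's own.

```python
# Added example, not from the guide or Fabric OS: a least-privilege check that applies
# the FICON role rules and the Admin Domain membership rule before a command runs.
# Assumption (labelled): ficonshow and ficoncupshow are the view operations available to
# the view-only roles; ficonclear and ficoncupset modify state.
ADMIN_ROLES = {"Admin", "Operator", "SwitchAdmin", "FabricAdmin"}
VIEW_ONLY_ROLES = {"User", "BasicSwitchAdmin"}
NO_ACCESS_ROLES = {"ZoneAdmin", "SecurityAdmin"}
FICON_COMMANDS = {"ficonshow", "ficonclear", "ficoncupshow", "ficoncupset"}
VIEW_COMMANDS = {"ficonshow", "ficoncupshow"}        # assumption, see lead-in
UNRESTRICTED_ADS = {0, 255}                          # AD0 and AD255 need no membership check


def check_ficon_access(role, command, admin_domain=None, switch_ads=frozenset()):
    """Return (allowed, reason).

    command is the full command line; admin_domain is the AD the command targets
    (None when the fabric is not Admin Domain-aware); switch_ads is the set of ADs
    the current switch belongs to.
    """
    cmd = command.split()[0].lower()
    if cmd not in FICON_COMMANDS:
        return False, f"{cmd} is not a FICON command"
    if role in NO_ACCESS_ROLES or role not in ADMIN_ROLES | VIEW_ONLY_ROLES:
        return False, f"role {role} has no FICON access"
    if role in VIEW_ONLY_ROLES and cmd not in VIEW_COMMANDS:
        return False, f"role {role} is view-only; {cmd} modifies state"
    if (admin_domain is not None and admin_domain not in UNRESTRICTED_ADS
            and admin_domain not in switch_ads):
        return False, f"current switch is not a member of AD{admin_domain}"
    return True, "permitted"


if __name__ == "__main__":
    for role, cmd, ad, ads in [
        ("Admin", "ficoncupset fmsmode enable", None, set()),
        ("User", "ficonclear rlir", None, set()),
        ("SecurityAdmin", "ficonshow lirr", None, set()),
        ("Admin", "ficonshow lirr", 5, {1, 2}),
        ("Admin", "ficonshow lirr", 255, set()),
    ]:
        print(role, cmd, check_ficon_access(role, cmd, ad, ads))
```

Unknown roles are denied rather than mapped to the view-only set, so a misspelled role name in an automation configuration fails closed.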
command when working from the command line. For GUI-based procedures, see the Web Tools Administrator's Guide for configuring the routing policy using the FICON tab in Web Tools.
4. Issue the ficonshow rnid command to verify that the FICON devices are registered with the switch.
5. Issue the ficonshow lirr command to verify that the FICON host channels are registered to listen for link incidents.
6. Optionally, see "FICON CUP" on page 431 for details about using FICON CUP.
there are only 2 domains in a path from a FICON Channel interface to a FICON Control Unit interface.
Setting unique Domain IDs
In a cascaded configuration, each switch must have a unique Domain ID, and insistent Domain ID (IDID) mode must be enabled. To set a unique Domain ID and enable IDID mode:
1. Connect to the switch and log in as admin.
2. Verify that the switch has a unique Domain ID. If it does not, set a unique Domain ID. For instructions on displaying and changing the Domain ID, see "Working with Domain IDs" on page 33.
3. Issue the switchDisable command to disable the switch.
4.
Registered listeners
To display registered listeners for link incidents: Connect to the switch, log in as user, and issue one of the following commands:
• For the local switch: ficonshow lirr
• For all switches defined in the fabric: ficonshow lirr fabric
Node identification data
To display node-identification data: Connect to the switch, log in as user, and issue any of the following commands:
• For the local switch: ficonshow switchrnid
• For all switches defined in the fabric: ficonshow switchrnid fabri
See the Fabric OS Command Reference for additional details about the portSwap command.
Clearing the FICON management database
Perform the following steps to clear RLIR and RNID records from the FICON management database.
1. Connect to the switch and log in as admin.
2. To remove all the RLIR records from the local RLIR database, issue the ficonclear rlir command.
3. To remove all the RNID records marked not current from the local RNID database, issue the ficonclear rnid command.
This serialization prevents interference from local switch commands when a host-based management program is being used to administer the switch.
bladeDisable
portDisable
portEnable
portName
portShow
portSwap
bladeEnable
switchCfgPersistentDisable
switchDisable
switchEnable
switchName
switchShow
NOTE: You cannot use the portCfgPersistentEnable and portCfgPersistentDisable commands to persistently enable and disable ports when FICON Management Server mode is on.
To set up FICON CUP if fmsmode is already enabled:
1. Verify that FICON Management Server mode is enabled by issuing the ficoncupshow fmsmode command.
NOTE: If fmsmode is already enabled, disabling it might be disruptive to operation because ports that were previously prevented from communicating will now be able to do so.
2. If FICON Management Server mode is enabled, disable it by issuing the ficoncupset fmsmode disable command.
3.
Displaying mode register bit settings
The mode register bits are described in Table 93.
Table 93 FICON CUP mode register bits
POSC Programmed offline state control. When this bit is set on, the host is prevented from taking the switch offline. The default setting is 1 (on).
UAM User alert mode. When this bit is set on, a warning is issued when an action is attempted that will write CUP parameters on the switch. The default setting is 0 (off).
ASM Active=saved mode.
where:
• bitname is one of the mode register bits described in "FICON CUP mode register bits" on page 434.
• 0 specifies that the bit is off.
• 1 specifies that the bit is on.
The following example sets the mode register bit HCP to off:
switch:admin> ficoncupset modereg HCP 0
Mode register bit HCP has been set to 0.
The following example sets the mode register bit ACP to on:
switch:admin> ficoncupset modereg ACP 1
Mode register bit ACP has been set to 1.
FICON CUP license considerations If fmsmode is enabled when the FICON CUP license is removed, the control device is reset. PDCM enforcement continues. If fmsmode is disabled when the FICON CUP license is removed, no special action is taken. If fmsmode is enabled on a switch that does not have a FICON CUP license and then the license is installed, you must first disable and then reenable fmsmode. If fmsmode is disabled and a FICON CUP license is installed, no special action is required.
The IPL will not be replaced because Active=Saved mode is enabled. A warning message is displayed in the event log to warn users that the IPL will not be overwritten.
Downloading configuration files with Active=Saved mode disabled
See "Maintaining the switch configuration file" on page 145 for more information on the configDownload command. The contents of existing files saved on the switch, which are also present in the FICON_CUP section, are overwritten.
Recording configuration information You can use the worksheet in Table 94 to record FICON configuration information.
Sample IOCP configuration file The channel subsystem controls communication between a configured channel, the control unit, and the device. The I/O Configuration Dataset (IOCDS) defines the channels, control units, and devices to the designated logical partitions (LPARs) within the server; this is defined using the Input/Output Configuration Program (IOCP). The IOCP statements are typically built using the hardware configuration dialog (HCD).
22 Configuring and monitoring FICON Extension Services
This chapter describes the FICON extension concepts, configuration procedures, and tools and procedures for monitoring network performance. Commands described in this chapter require Admin or root user access. See the Fabric OS Command Reference for detailed information on command syntax.
FICON extension products licensing
Several specific licensed features are available for FICON extension. These include the following.
• XRC emulation.
FICON emulation requirement for a determinate path FICON emulation processing creates FICON commands and responses on extended FICON Channel Path IDs (CHPIDs), and must know exactly what exchanges are occurring between a Channel and a control unit (CU) on a CHPID to function correctly. For FICON Emulation processing to function correctly, the responses to Host I/O (channel I/O) must be carried on the same ISL as the commands.
XRC emulation The eXtended Remote Copy (XRC) application is a DASD application that implements disk mirroring, as supported by the disk hardware architecture and a host software component called System Data Mover (SDM). The primary volume and the secondary mirrored volume may be geographically distant across an IP WAN. The latency introduced by greater distance creates delays in anticipated responses to certain commands.
• tape read pipelining.
• -b 1|0 enables or disables FICON read block ID. 1 is enable, 0 is disable.
• wrtMaxPipe value defines the maximum number of channel commands that may be outstanding at a given time during write pipelining. Too small a value will result in poor performance. The value should be chosen carefully based upon the typical tape channel program that requires optimum performance. The default value is 32. The range is 1-100.
FICON emulation configuration values You can display the values configured for FICON emulation by issuing the portShow ficon command.
• -t 1|0 enables or disables TIN/TUR emulation. 1 is enable, 0 is disable. This option should be enabled when one or all of the following features are enabled:
• XRC emulation.
• tape write pipelining.
• tape read pipelining.
• -l 1|0 enables or disables device level ACK emulation. 1 is enable, 0 is disable. This option should be enabled when one or all of the following features are enabled:
• XRC emulation.
• tape write pipelining.
• tape read pipelining.
• -b 1|0 enables or disables FICON read block ID.
• -images are discovered Images (FCUB).
• -emul represents emulated FDCBs.
• -active represents active FDCBs.
• -epcb is the emulation Control Block (port specific).
• -fhpb is the FICON Host Path Block.
• -fdpb adrs is the FICON Device Path Block.
• -fchb is the FICON Channel Control Block.
• -fcub is the FICON Control Unit Control Block.
• -fdcb adrs is the FICON Device Control Block.
• -mem adrs displays 1250 memory in 256 byte increments.
• -pools displays current data buffer pool counts.
|0x10018A00|2463016406050000|H| 0x14|0x20|000E|0000| 13212| 0| 0| 125754| 32760|
|0x1001E800|2463016406050001|H| 0x14|0x20|001A|0000| 13647| 0| 0| 128776| 32760|
|0x1001C400|2463016406050002|H| 0x18|0x20|000A|0000| 13164| 0| 0| 125758| 32760|
|0x1001CC00|2463016406050003|H| 0x14|0x20|0008|0000| 13908| 0| 0| 131716| 32760|
|0x1002BC00|2463016407050000|H| 0x14|0x20|0008|0000| 10094| 0| 0| 97917| 32760|
|0x10027B00|2463016407050001|H| 0x14|0x20|0011|0000| 8915| 0| 0| 85966| 32760|
XRC output example:
XRC EMULATION STATS
+----------+----------------+-+-----+----+----+----+----+-----------+---+------+------+
| FDCB Ptr | Path |H|State|Cmds| Cmd|Data|Data| Emulated |Avg| RRS| RRS |
| (0x) |D| |RRS| TLF| Read| (0x) | | Qd | Max| Qd |Max | RRS Ops
+----------+----------------+-+-----+----+----+----+----+-----------+---+------+------+
|0x1017DC00|24B100B20E11092B|H| 0x00|0000|000F|0000|0230| 47184|213| 25636| 16063|
|0x104B4C00|24B100B20E1109F7|H| 0x00|0000|000F|0000|01E0|
A Configuring the PID format
Port identifiers (called PIDs) are used by the routing and zoning services in Fibre Channel fabrics to identify ports in the network. All devices in a fabric must use the same PID format, so when you add new equipment to the SAN, you might need to change the PID format on legacy equipment.
NOTE: Any switch running Fabric OS 6.1.x uses the Core PID format and cannot be modified.
NOTE: Extended Edge is not supported on any switch with Fabric OS 6.0 or later.
In addition to the PID formats listed here, Interoperability mode supports additional PID formats that are not discussed in this guide.
Impact of changing the fabric PID format
If your fabric contains switches that use Native PID, it is recommended that you change the format to Core PID before you add the new, higher port count switches and directors.
Changes to configuration data
Table 95 lists various combinations of before-and-after PID formats, and indicates whether the configuration is affected.
NOTE: After changing the fabric PID format, if the change invalidates the configuration data (see Table 95 to determine this), do not download old (pre-PID format change) configuration files to any switch on the fabric.
Table 96 shows various combinations of existing fabrics, new switches added to those fabrics, and the recommended PID format for that combination. The criteria for the recommendations are first to eliminate host reboots, and second to minimize the need for a host reboot in the future.
Table 96 PID format recommendations for adding new switches
Existing Fabric OS versions; PID format | Switch to be added | Recommendations (in order of preference)
3.1.2 and later; Core PID | 3.1.2 and later | 1.
1. Collect device, software, hardware, and configuration data. The following is a non-comprehensive list of information to collect:
• HBA driver versions
• Fabric OS versions
• RAID array microcode versions
• SCSI bridge code versions
• JBOD drive firmware versions
• Multipathing software versions
• HBA time-out values
• Multipathing software timeout values
• Kernel timeout values
• Configuration of switch
2. Make a list of manually configurable PID drivers.
If either of the first two options is used, the procedures should again be validated in the test environment. Determine the behavior of multipathing software, including but not limited to:
• HBA time-out values
• Multipathing software time-out values
• Kernel time-out values
Changing the PID format
Whether it is best to perform an offline or online update depends on the uptime requirements of the site.
Changing the PID format offline
The following steps are intended to provide SAN administrators a starting point for creating site-specific procedures.
1. Schedule an outage for all devices attached to the fabric.
2. Back up all data and verify backups.
3. Shut down all hosts and storage devices attached to the fabric.
4. Disable all switches in the fabric.
5. Change the PID format on each switch in the fabric.
6. Reenable the switches in the updated fabric one at a time.
Before changing the PID format, determine whether host reboots will be necessary. The section "Host reboots" on page 452 summarizes the situations that may require a reboot.
switch:admin> switchdisable
switch:admin> configure
Configure...
Fabric parameters (yes, y, no, n): [no] y
Domain: (1..239) [1]
BB credit: (1..27) [16]
R_A_TOV: (4000..120000) [10000]
E_D_TOV: (1000..5000) [2000]
WAN_TOV: (1000..120000) [0]
Data field size: (256..2112) [2112]
Sequence Level Switching: (0..
In some cases, device drivers allow you to specify static PID binding. In these cases, such devices must be identified and their PID binding should be changed to WWN binding. The following sections contain a basic procedure that summarizes the steps necessary to perform PID format changes without disrupting the fabric, and special procedures for HP-UX (11iv2 or earlier only) and AIX.
HP-UX procedure
This procedure is not intended to be comprehensive. It provides a starting point from which a SAN administrator could develop a site-specific procedure for a device that binds automatically by PID, and cannot be rebooted due to uptime requirements.
1. Back up all data and verify the backups.
2. If you are not using multipathing software, stop all I/O going to all volumes connected through the switch and fabric to be updated.
3.
# ioscan -funC disk
Class I   H/W Path                Driver S/W State H/W Type Description
---------------------------------------------------------------------------
disk  0   0/0/1/1.2.0             adisk  CLAIMED   DEVICE   SEAGATE ST39204LC
          /dev/dsk/c1t2d0   /dev/rdsk/c1t2d0
disk  1   0/0/2/1.2.0             adisk  CLAIMED   DEVICE   HP DVD-ROM 304
          /dev/dsk/c3t2d0   /dev/rdsk/c3t2d0
disk  319 0/4/0/0.1.2.255.14.8.0  adisk  CLAIMED   DEVICE   SEAGATE ST336605FC
          /dev/dsk/c64t8d0  /dev/rdsk/c64t8d0
disk  320 0/4/0/0.1.18.255.14.8.
7. Connect to each switch in the fabric.
8. Issue the switchDisable command.
9. Issue the configure command and change the Core Switch PID Format to 1.
10. Issue the configEnable [effective_zone_configuration] command. For example:
configenable my_config
11. Issue the switchEnable command. Enable the core switches first, and then the edges.
12. Rebuild the device entries for the affected fabric using the cfgMgr command. For example:
cfgmgr -v
This command might take several minutes to complete.
13.
5. Verify that the port area IDs have been swapped:
portswapshow
A table shows the physical port numbers and the logical area IDs for any swapped ports.
6. Disable the port swap feature:
portswapdisable
B Understanding legacy password behavior
This appendix provides password information for early versions of Fabric OS firmware.
Password management information
Table 97 describes the password standards and behaviors between various versions of firmware.
Table 97 Account/password characteristics matrix
Columns: Topic | 4.0.0 | 4.1.0 to 4.2.0 | 4.4.0 and later
Number of default accounts on the switch: 4; chassis-based Core Switch 2/64: 8 for the director, 4 per switch; all other switches and directors: 4.
Table 97 Account/password characteristics matrix (continued)
Columns: Topic | 4.0.0 | 4.1.0 to 4.2.0 | 4.4.0 and later
Does a user need to know the old passwords when changing passwords using the passwd command?
4.0.0: Yes, except when the root user changes another user's password. This is standard UNIX behavior; Fabric OS does not enforce any additional security.
4.1.0 and later: The old password is required only when changing the password of a user at the same level. Changing the password of a lower-level user does not require the old password.
Table 98 Password prompting matrix (continued)
Columns: Topic | 4.0.0 | 4.1.
Table 100 Password recovery options
Columns: Topic | 4.0.0 | 4.1.0 and later
If all the passwords are forgotten, what is the password recovery mechanism? Are these procedures non-disruptive recovery procedures?
4.0.0: Contact HP. A non-disruptive procedure is available only on chassis systems.
4.1.0 and later: Contact HP. A non-disruptive procedure is available only on chassis systems.
If a user has only the root password, what is the password recovery mechanism?
Root can change any password by using the passwd command.
C Interoperating with an M-EOS fabric
For information on HP supported interop configurations, see the HP StorageWorks Fabric interoperability application notes for merging B-Series fabrics with fabrics based on C-Series and M-Series Fibre Channel switches on the following HP website:
http://h18000.www1.hp.com/products/storageworks/san/documentation.html
D Migrating from an MP Router to a 400 MP Router
Introduction to MP Router upgrades
This appendix describes how to upgrade routers in your fabric with the least disruption, while providing better performance and scalability. Improper implementation could lead to a change in the xlate Domain IDs and proxy device PIDs, which may cause disruption in the fabric. FC routers are deployed in different configurations in a fabric.
Figure 60 Configuration during the upgrade
The switch Domain ID and backbone fabric ID of the new FC router can be identical. Once the metaSAN is stable and the EX_Ports on the new router are active, the old router can be taken out of the setup.
Redundant configuration
Figure 61 shows an example of a simple redundant configuration. In the configuration shown in Figure 61, the old routers can be removed one by one. For example, FC router 2 can be replaced with the new FC router.
Figure 62 Dual backbone fabric configuration
In the Multi-protocol Router, end devices are allowed to be directly connected, but these devices cannot be imported to other edge fabrics (using LSAN zones). During the upgrade process, these devices will face disruption unless redundancy is provided from the device end. The 400 MP Router allows the end devices to be imported to edge fabrics.
Configuring a new FC router
To configure the new router:
1. Log in to the new router as admin.
2. Enable FCR functionality on the 400 MP Router.
a.
E Using Remote Switch
This appendix provides information on the Remote Switch feature.
About Remote Switch
The Remote Switch feature, which aids in ensuring gateway compatibility, was formerly a licensed feature. Its functionality is now available as part of the Fabric OS standard feature set through the use of the portCfgIslMode command, which is described in "Linking through a gateway" on page 46.
You may be required to reconfigure the following parameters, depending on the gateway requirements:
NOTE: Consult your gateway vendor for supported and qualified configurations.
• R_A_TOV: Specify a Resource Allocation Timeout Value compatible with your gateway device.
• E_D_TOV: Specify an Error Detect Timeout Value compatible with your gateway device.
• Data field size: Specify the maximum Fibre Channel data field reported by the fabric. Verify the maximum data field size the network bridge can handle.
F Zone merging scenarios
Table 101 provides information on merging zones and the expected results.
Table 101 Zone merging scenarios
Columns: Description | Switch A | Switch B | Expected results

Description: Switch A has a defined configuration.
Switch A:
  defined: cfg1 zone1: ali1; ali2
  effective: none
Switch B:
  defined: none
  effective: none
Expected results: The configuration from Switch A propagates throughout the fabric in an inactive state, because the configuration is not enabled.

Description: Effective configuration mismatch.
Switch A:
  defined: cfg1 zone1: ali1; ali2
  effective: cfg1 zone1: ali1; ali2
Switch B:
  defined: cfg2 zone2: ali3; ali4
  effective: cfg2 zone2: ali3; ali4
Expected results: Fabric segments due to: Zone Conflict cfg mismatch

Description: Configuration content mismatch.

Description: Same default zone access mode settings.
Switch A: defzone: allaccess
Switch B: defzone: allaccess
Expected results: Clean merge; the defzone configuration is allaccess in the fabric.

Description: Same default zone access mode settings.
Switch A: defzone: noaccess
Switch B: defzone: noaccess
Expected results: Clean merge; the defzone configuration is noaccess in the fabric.

Effective zone configuration. No effective configuration.
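To check the merge rules of Table 101 before an ISL is brought up, here is an added Python example (not from the HP manual or from Fabric OS) that parses the defined/effective notation used in the Switch A and Switch B columns and predicts the expected result. The outcome of the content-mismatch row, which is truncated on this page, is an assumption, and cases the rows above do not cover raise an error rather than guessing.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

ZoneCfg = Dict[str, List[str]]  # zone name -> member aliases, e.g. {"zone1": ["ali1", "ali2"]}

@dataclass
class ZoneDB:
    """Constructed, simplified model of one switch's zone database (Table 101 columns)."""
    defined: Optional[str]      # name of the defined (saved) configuration, or None
    zones: ZoneCfg              # zones of the defined configuration
    effective: Optional[str]    # name of the enabled configuration, or None
    defzone: str = "allaccess"  # default zone access mode: allaccess or noaccess

_ZONE = re.compile(r"(\w+):\s*([\w ;]+?)(?=\s+\w+:|$)")

def parse_switch(text: str, defzone: str = "allaccess") -> ZoneDB:
    """Parse the 'defined: cfg1 zone1: ali1; ali2 effective: none' notation of Table 101."""
    m = re.match(r"defined:\s*(\S+)\s*(.*?)\s*effective:\s*(\S+).*$", text.strip())
    if not m:
        raise ValueError(f"unrecognized zone description: {text!r}")
    cfg, zone_text, eff = m.groups()
    cfg, eff = cfg.rstrip(":"), eff.rstrip(":")   # tolerate "cfg1:" as on the page
    zones = {z: [a.strip() for a in members.split(";")] for z, members in _ZONE.findall(zone_text)}
    return ZoneDB(None if cfg == "none" else cfg, zones, None if eff == "none" else eff, defzone)

def merge_outcome(a: ZoneDB, b: ZoneDB) -> str:
    """Expected result of joining A and B with an ISL, following the rows of Table 101."""
    if a.defzone != b.defzone:
        # Only matching defzone settings appear in the rows shown on this page.
        raise ValueError("defzone mismatch: not covered by the Table 101 rows shown")
    if a.effective and b.effective:
        if a.effective != b.effective:
            return "segmented: Zone Conflict cfg mismatch"   # effective configuration mismatch
        if a.zones != b.zones:
            # The content-mismatch row is truncated on the page; assumed to segment as well.
            return "segmented: Zone Conflict content mismatch"
        return f"clean merge: {a.effective} effective, defzone {a.defzone}"
    if a.effective or b.effective:
        raise ValueError("one-sided effective configuration: row truncated on this page")
    defined = [s.defined for s in (a, b) if s.defined]
    if defined:
        # A defined-only configuration propagates but stays inactive: nothing is enabled.
        return f"propagate inactive: {' and '.join(defined)} defined, none effective"
    return f"clean merge: no zoning, defzone {a.defzone}"
```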