53-1001194-01 November 24, 2008 Web Tools Administrator’s Guide Supporting Fabric OS v6.2.
Copyright © 2006-2008 Brocade Communications Systems, Inc. All Rights Reserved. Brocade, Fabric OS, File Lifecycle Manager, MyView, and StorageX are registered trademarks and the Brocade B-wing symbol, DCX, and SAN Health are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. All other brands, products, or service names are or may be trademarks or service marks of, and are used to identify, products or services of their respective owners.
Document History

The following table lists all versions of the Web Tools Administrator’s Guide.

Document Title | Publication Number | Summary of Changes | Publication Date
Web Tools User’s Guide v2.0 | 53-0001536-01 | N/A | September 1999
Web Tools User’s Guide v2.2 | 53-0001558-02 | N/A | May 2000
Web Tools User’s Guide v2.3 | 53-0000067-02 | N/A | December 2000
Web Tools User’s Guide v3.0 | 53-0000130-03 | N/A | July 2001
Web Tools User’s Guide v2.6 | 53-0000197-02 | N/A | December 2001
Advanced Web Tools User’s Guide v3.
Document Title | Publication Number | Summary of Changes | Publication Date
Web Tools Administrator’s Guide | 53-1000049-01 | Updates to support new switch types (4900, 7500) and Fabric OS v5.1.0, including FCR, FCIP, and the FR4-18i port blade. Web Tools EZ information is moved to a separate book. | January 2006
Web Tools Administrator’s Guide | 53-1000049-02 | Updates to the FCIP chapter to clarify how to configure tunnels. | April 2006
Web Tools Administrator’s Guide | 53-1000194-01 | Updates for Fabric OS v5.2.
About This Document

In this chapter
• Supported hardware and software
• What’s new in this document
• Document conventions
• Additional information
• Document feedback
• Chapter 13, “Administering Fabric Watch,” provides information on how to use the Fabric Watch feature to monitor the performance and status of switches and alert you when problems arise.
• Chapter 14, “Administering Extended Fabrics,” provides information on how to configure a port for long distance.
• Chapter 15, “Administering the iSCSI Target Gateway,” provides information on how to configure and manage the iSCSI Target Gateway.
• Brocade 48000 director
• Brocade DCX Enterprise-class platform
• Brocade Encryption Switch
• Brocade DCX-4S Enterprise-class platform

What’s new in this document

The following changes have been made since this document was last released:

• Changes to GUI icon images and operator components to be consistent with DCFM.
• Support for the new DCX-4S Data Center Backbone.
• Support for Virtual Fabrics.
• Auto-configuration of IPv6 addresses.
• IPSec for management interfaces.
Notes, cautions, and warnings

The following notices and statements are used in this manual. They are listed below in order of increasing severity of potential hazards.

NOTE
A note provides a tip, guidance or advice, emphasizes important information, or provides a reference to related information.

ATTENTION
An Attention statement indicates potential damage to hardware or data.
Additional information

This section lists additional Brocade and industry-specific documentation that you might find helpful.

Brocade resources

To get up-to-the-minute information, join Brocade Connect. It’s free! Go to http://www.brocade.com and click Brocade Connect to register at no cost for a user ID and password.

For practical discussions about SAN design, implementation, and maintenance, you can obtain Building SANs with Brocade Fabric Switches through: http://www.amazon.
• supportSave command output
• Detailed description of the problem, including the switch or fabric behavior immediately following the problem, and specific questions
• Description of any troubleshooting steps already performed and the results
• Serial console and Telnet session logs
• syslog message logs

2. Switch Serial Number

The switch serial number and corresponding bar code are provided on the serial number label, as illustrated below.
Chapter 1 Introducing Web Tools

In this chapter
• Web Tools overview
• What’s new in this release
• Web Tools, the EGM license, and DCFM
• Java installation on the workstation
• Java plug-in configuration
Web Tools, the EGM license, and DCFM

Beginning with Fabric OS version 6.1.1, Web Tools functionality is tiered and integrated with DCFM. If you are migrating from a Web Tools release prior to Fabric OS version 6.1.1, this may impact how you use Web Tools. A Web Tools license is not required, and a basic version of Web Tools is available for free. Additional functionality may be added by obtaining the Enhanced Group Management (EGM) license.
TABLE 1 Basic Web Tools features and EGM licensed features

Feature | Basic Web Tools | Web Tools with EGM License
Fabric Events | no | no
Fabric Summary | no | no
Fabric Tree | yes | yes
FCIP Tunnel configuration | no | no
FCIP Tunnel Display | yes | yes
FCR Management | yes | yes
FCR Port Config | yes | yes
FICON CUP Tab | no | yes
FRU Monitoring | yes | yes
High Availability | yes | yes
IP Sec Policies | no | yes
ISL Trunk Management | no | yes
ISL Trunking information | yes | yes
Web Tools functionality moved to DCFM

The functionality that was moved from Web Tools into DCFM is applicable to both DCFM Professional and DCFM Enterprise. The following table details these changes.

TABLE 2 Web Tools functionality moved to DCFM

Function Web Tools 6.1.
TABLE 2 Web Tools functionality moved to DCFM

Function | Web Tools 6.1.0 | DCFM | Comments
Non-local switch ports display in zoning tree | Zone Admin, Admin Domain, Switch Admin > DCC policies, Performance Monitoring | Configure > Zoning | In Web Tools, non-local switch port id/WWN can be added using text box.
Remove Offline or Inaccessible Devices | Zone Admin | Configure > Zoning | Replace/Replace All zone members by selecting the offline devices from the zone tree.
Setting Refresh Frequency for Internet Explorer

Correct operation of Web Tools with Internet Explorer requires specifying the appropriate settings for browser refresh frequency and process model. Browser pages should be refreshed frequently to ensure the correct operation of Web Tools.

1. Click Tools > Internet Options in the browser.
2. Click the General tab and click Settings under “Temporary Internet Files.”
3.
FIGURE 2 Temporary Internet Settings dialog box

3. Click Delete Files to remove the temporary files used by Java applications.
4. Click OK on the confirmation dialog box. You can clear the Trace and Log files check box if you want to keep those files.
5. Click OK.
6. On the Java Control Panel, click View to review the files that are in the Java cache. If you have deleted all the temporary files, the list is empty.
4. Create a symbolic link from this location:
$FIREFOX/plugins/libjavaplugin_oji.so
To this location:
$JRE/plugin/$ARCH/ns600/libjavaplugin_oji.so

Installing patches on Solaris

1. Search for any required patches for your current version of the JRE at the following Web site:
http://sunsolve.sun.com/pub-cgi/show.pl?target=patchpage

NOTE
This URL points to a non-Brocade Web site and is subject to change without notice.

2.
FIGURE 3 Java Control Panel

3. In the section Java Applet Runtime Settings, click View. The Java Applet Runtime Settings dialog box appears.

FIGURE 4 Java Runtime Settings

4. Double-click in the Java Runtime Parameters field and type the following information to set the minimum and maximum heap size:
-Xms256m -Xmx256m
In this example, the minimum and maximum sizes are both 256 MB.
5. Click Apply to apply your settings and close the Java Control Panel.
FIGURE 5 Default Java for browsers option

3. Select Mozilla family and click OK.
4. Click Apply to apply your settings and close the Java Control Panel.

Value line licenses

If your fabric includes a switch with a limited switch license, you open Web Tools using that switch, and the fabric exceeds the switch limit indicated in the license, Web Tools allows a 30-day “grace period” in which you can still monitor the switch through Web Tools.
Opening Web Tools

You can open Web Tools on any workstation with a compatible Web browser installed. For a list of Web browsers compatible with Fabric OS 6.2.0, see Table 3. Web Tools supports both the HTTP and HTTPS protocols.

1. Open the Web browser and type the IP address of the device in the Address field:
http://10.77.77.77
or
https://10.77.77.77
2. Press Enter. A browser window opens to launch Web Tools. A Login dialog box opens. See “Logging in” on page 12 for more information.
FIGURE 6 Web Tools interface

Logging in

When you use Web Tools, you must log in before you can view or modify any switch information. This section describes the login process.

Prior to displaying the login window, Web Tools displays a security banner (if one is configured for your switch), which you must accept before logging in. The security banner displays every time you access the switch.

When you are presented with the login screen you must provide a user name and a password.
FIGURE 7 Signed applet certificate

2. Click OK in the security banner window, if one appears.

FIGURE 8 Login dialog box

3. On the login dialog box, type your user name.
4. Type the password. If your current password has expired, you must also provide a new password and confirm the new password.
FIGURE 9 Virtual Fabric login option

2. Log in to a logical fabric.
- To log in to the home logical fabric, select Home Logical Fabric and click OK.
- To log in to a logical fabric other than the home logical fabric, select User Specified Logical Fabric, type in the fabric ID number, and click OK.

Logging in to an Admin Domain

If you are logging in to a platform that is capable of supporting Admin Domains, the login dialog box provides the option of logging in to an Admin Domain.
FIGURE 10 Login dialog box with Admin Domain options

If the user name or password is incorrect, a dialog box displays indicating an authentication failure. If you entered valid credentials, but specified an invalid Admin Domain, a dialog box displays from which you can choose a valid Admin Domain or click Cancel to log in to your home domain.
Logging out

You can end a Web Tools session either by logging out or by closing the Switch Explorer window. You might be logged out of a session involuntarily, without explicitly clicking the Logout button, under the following conditions:

• A physical fabric administrator changes the contents of your currently selected Admin Domain.
• Your currently selected Admin Domain is removed or invalidated.
• Your currently selected Admin Domain is removed from your Admin Domain list.
Session management

A Web Tools session is the connection between the Web Tools client and its managed switch. A session is established when you log in to a switch through Web Tools. When you close Switch Explorer, Web Tools ends the session.
Requirements for IPv6 support

The following list provides requirements for Web Tools IPv6 support:

• In a pure IPv6 environment, you must configure DNS maps to the IPv6 address of the switch.
• The switch name is required to match the DNS name that is mapped to the IPv6 address.
• If both IPv4 and IPv6 addresses are configured, Web Tools uses the IPv4 address to launch the switch.
• Use a switch with v5.3.
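
The name and address requirements above can be checked before a browser is pointed at the switch. The following Python sketch is an added example, not part of the Brocade guide or of Web Tools; the function names, the constructed DNS data (documentation-range addresses) and the reading of "match" as case-insensitive equality are assumptions.

```python
import ipaddress
import socket

# Constructed sample DNS data (documentation address ranges, not real hosts).
CONSTRUCTED_DNS = {
    "sw-core-01.example.test": ([], ["2001:0db8:0000:0000:0000:0000:0000:0010"]),
    "sw-edge-02.example.test": (["192.0.2.20"], []),
}


def constructed_resolver(name):
    """Offline stand-in for DNS: return (ipv4_list, ipv6_list) for name."""
    return CONSTRUCTED_DNS.get(name.rstrip(".").lower(), ([], []))


def system_resolver(name):
    """Resolve name with the OS resolver; return (ipv4_list, ipv6_list)."""
    v4, v6 = set(), set()
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return [], []
    for family, _type, _proto, _canon, sockaddr in infos:
        if family == socket.AF_INET:
            v4.add(sockaddr[0])
        elif family == socket.AF_INET6:
            v6.add(sockaddr[0].split("%")[0])  # drop any zone identifier
    return sorted(v4), sorted(v6)


def same_ipv6(a, b):
    """Compare two IPv6 strings by value, so compressed and full forms match."""
    try:
        return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)
    except ValueError:
        return False


def check_ipv6_requirements(switch_name, dns_name, switch_ipv6,
                            switch_ipv4=None, resolver=system_resolver):
    """Check the DNS and naming requirements listed in the guide.

    Returns a dict with 'ok', 'problems', 'notes' and 'launch_address'.
    Raises ValueError if a configured address is malformed.
    """
    ipaddress.IPv6Address(switch_ipv6)  # validate the configured address
    problems, notes = [], []

    # Requirement: DNS must map to the IPv6 address of the switch.
    _v4, v6 = resolver(dns_name)
    if not v6:
        problems.append("DNS: %s has no IPv6 mapping" % dns_name)
    elif not any(same_ipv6(addr, switch_ipv6) for addr in v6):
        problems.append("DNS: %s maps to %s, not to %s"
                        % (dns_name, ", ".join(v6), switch_ipv6))

    # Requirement: switch name must match the DNS name (assumed to mean
    # case-insensitive equality, ignoring a trailing dot).
    if switch_name.strip().lower() != dns_name.strip().rstrip(".").lower():
        problems.append("NAME: switch name %r differs from DNS name %r"
                        % (switch_name, dns_name))

    # Stated behaviour: with both families configured, IPv4 is used to launch.
    if switch_ipv4:
        ipaddress.IPv4Address(switch_ipv4)
        launch_address = switch_ipv4
        notes.append("Both address families configured: Web Tools launches over IPv4")
    else:
        launch_address = switch_ipv6

    return {"ok": not problems, "problems": problems,
            "notes": notes, "launch_address": launch_address}


if __name__ == "__main__":
    result = check_ipv6_requirements("sw-core-01.example.test",
                                     "sw-core-01.example.test",
                                     "2001:db8::10",
                                     resolver=constructed_resolver)
    print(result)
```

Pass `resolver=system_resolver` (the default) to run the same check against live DNS from the management workstation.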
Chapter 2 Using the Web Tools Interface

In this chapter
• Viewing Switch Explorer
• Displaying tool tips
• Right-click options
• Refresh rates
• Reporting tasks, such as viewing the status of a switch.
• Monitoring tasks, such as performance monitoring, and viewing the temperature or power status.

NOTE
To perform monitoring tasks such as performance monitoring, the EGM license must be installed on the switch; otherwise, access to this feature is denied and an error message displays.

• Tools tasks, such as opening the Telnet window.
FIGURE 12 Switch Explorer

Use the following table with Figure 12 to identify the areas of Switch Explorer.
Changes for consistency with DCFM

Beginning with Fabric OS version 6.2.0, Web Tools icons are changed to be consistent with DCFM. Table 5 summarizes these changes.
TABLE 5 Icon image changes (Continued) (columns: Image Name, Old Image, New Image)

Switch event - Fatal
Switch event - Informational
Switch event - Warning
Refresh
Enable
Disable
Prohibit
The Search, Copy, and Export buttons are removed from the Web Tools tree and table headers, and are replaced by right-click operations, as shown in Figure 13.

FIGURE 13 Right-click for Copy, Export, and Search (Old and New)

Tasks

The Tasks menu lets you manage, monitor, and perform other tasks.

The Management section provides access to:

• Zone administration
  Zone information is collected from the selected switch.
• iSCSI administration
• Fabric Watch

NOTE
Some of these functions require a license key to activate them.

The Monitor section provides access to:

• Performance monitoring
  You must use Web Tools with the EGM license to perform performance monitoring operations; otherwise, access to this feature is denied and an error message displays.
• Name Server information
  This feature is available with Web Tools and Web Tools with the EGM license.
FIGURE 14 Missing EGM license

If you are logged into Web Tools without the EGM license, you must log in again using a specific AD. The following figure shows the login wizard.

After you log in, all the Admin Domains assigned to you are available in the drop-down menu (see Figure 16). For most administrative tasks, you must be in either AD0 or the physical fabric.
Figure 16 shows the Admin Domain context drop-down menu highlighted for changing the Admin Domain context.

FIGURE 16 Changing the Admin Domain context

The following procedure describes how to change the Admin Domain context. When changing the Admin Domain context, the option for selecting AD from the drop-down is not available if the EGM license is not present.

1. Select an Admin Domain from the Admin Domain menu.
2. Click OK in the confirmation window.
Switch View buttons

The Switch View buttons let you access the following switch information:

• Status - click the button to view the status of the switch.
• Temperature - click the button to view temperature monitors.
• Power - click the button to view power supply information.
• Fan - click the button to view the status of the switch fans.
• Beaconing - click this button to enable or disable beaconing and to view the status of beaconing from the button’s icon.
Blade representations

Blades are graphically represented as shown in the table. They are vertical in the DCX, and horizontal in the DCX-4S.

TABLE 6 (columns: Blade, Graphic)

CR4s-8
CP8
FC8-48
FC8-32
FC8-16
FS8-18
FR4-81i
FA4-18
FC10-6

Port representations

The ports in the Switch View show the port type. Borders around the accessible ports indicate that SFP modules are present.
The port LEDs in the Switch View match the LEDs on the physical switch; however, the blink rate of the LEDs in the Switch View does not necessarily match the blink rate of the LEDs on the physical switch. See “Port LED interpretation” on page 158 for more information. Ethernet ports have two LEDs.

Right-click a port in Switch View to get a menu from which you can open the Port Administration window and view detailed information about the port.
NOTE
Left-click the USB port on the switch to launch the USB Storage Management window.

Switch View refresh rates

The Switch View display is refreshed at 15-second intervals. However, the initial display of Switch Explorer might take from 30 to 60 seconds after the switch is booted. Refresh rates are fabric-size dependent. The larger the fabric, the longer it takes to poll the fabric and refresh the view. F_Port and L_Port connection changes refresh immediately.
Displaying tool tips

When you hover over the Web Tools buttons, the system displays a brief description of the button. If you hover the cursor over most components, the system displays tool tip information about the component. In Fabric Tree you can hover over a switch to view its type, Ethernet IP, Fibre Channel IP, and status of the switch. In Switch View, you can hover over a blade to view the blade ID and its status.
Refresh rates

Different panels of Web Tools refresh at different rates. The refresh, or polling, rates listed in this section and throughout the book indicate the time between the end of one polling and the start of the next, and not how often the screen is refreshed. A refresh rate of 15 seconds does not ensure that a refresh occurs every 15 seconds. It ensures that the time between each refresh activity is no more than 15 seconds. Autorefresh intervals might not be exactly 15 seconds.
1. Open Web Tools as described in “Opening Web Tools” on page 11 and log in to the switch. Switch Explorer is displayed for the switch you logged in to.
2. If the Fabric Tree is not expanded, click the plus sign (+) in the Fabric Tree to view all the switches in the fabric.
3. Click a switch in the Fabric Tree. A separate browser window opens and displays the selected switch. (If the launch switch is running a Fabric OS version earlier than v5.0.
Opening a Telnet or SSH client window

When you open a Telnet or SSH client window, the connection is to the IP interface of the switch. You cannot connect to a CP blade on a director switch through a Telnet or SSH client window opened from Web Tools, even when the blade has an IP address and supports Telnet sessions. See the Fabric OS Command Reference for information about the Telnet commands.

NOTE
Internet Explorer 7.
Chapter 3 Managing Fabrics and Switches

In this chapter
• Fabric and switch management overview
• Configuring IP and netmask information
• Configuring a syslog IP address
• Removing a syslog IP address
• Setting up IP Filtering
FIGURE 20 Switch Administration window, Switch tab

With the exception of switch time, information displayed in the Switch Administration window is not updated automatically by Web Tools. To update the information displayed in the Switch Administration window, see “Refreshing the Switch Administration window” on page 41.

ATTENTION
Most changes you make in the Switch Administration window are buffered, and are not applied to the switch until you save the changes.
Opening the Switch Administration window

Most of the management procedures in this chapter are performed from the Switch Administration window.

1. Select a switch in Fabric Tree. The switch displays in Switch View.
2. Click Switch Admin in the Manage section of the Tasks menu. The Switch Administration window opens in basic mode, as shown in Figure 20 on page 40. The basic mode displays the “basic” tabs and options.
3.
Configuring IP and netmask information

Before proceeding, collect all the information you need to configure the Ethernet IP interface. This includes the subnet mask, gateway IP address, or Fibre Channel IP interface, and subnet mask for your system.

When you configure or change the Ethernet IP, subnet mask, gateway IP, or Fibre Channel IP, and subnet mask from Web Tools, there is a normal loss of network connection to the switch.
Configuring a syslog IP address

The syslog IP represents the IP address of the server that is running the syslog process. The syslog daemon reads and forwards system messages to the appropriate log files or users, depending on the system configuration. When one or more IP addresses are configured, the switch forwards all error log entries to the syslog on the specified servers. Up to six servers are supported.
• The Clone Policy button lets you copy a policy. Use this feature when you want to create similar policies. After you create a clone, you can edit the policy to make the appropriate changes.
• The Activate Policy button lets you make an existing policy active.
• The Distribute Policy button lets you distribute a policy to various switches.
• The Accepts Distribution check box lets you set the policy to accept or reject distributions.
3. Select the Enable Blade check box for each blade you want to enable. Clear the check box to disable the blade. You cannot enable or disable the CP blades.
4. Click Apply.

Setting a slot-level IP address

1. Open the Switch Administration window as described on page 41.
2. Click the Blade tab.
3. Click Set IP address.
4. Select a slot number from the list.
5. Enter the IP address, subnet mask, and Gateway IP address.
6. Select a type from the list.
7.
Switch configuration

Use the Switch tab of the Switch Administration window to perform basic switch configuration. Figure 20 on page 40 shows an example of the Switch tab.

Enabling and disabling a switch

You can identify if a switch is enabled or disabled in the Switch Administration window by looking at the lower-right corner. If you hover the cursor over the icon, the system displays text that indicates the status of the switch.

1.
Viewing and printing a switch report

The switch report includes the following information:

• A list of switches in the fabric
• Switch configuration parameters
• A list of ISLs and ports
• Name Server information
• Zoning information
• SFP serial ID information

Perform the following steps to view or print a report:

1. Open the Switch Administration window as described on page 41.
2. Click the Switch tab.
3. Click View Report.
4.
System configuration parameters

You must disable the switch before you can configure fabric parameters. You can change the following system configuration parameters:

• Switch fabric settings
• Virtual channel settings
• Arbitrated loop parameters
• System services
• Signed firmware

Configuring fabric settings

1. Open the Switch Administration window as described on page 41.
2. Disable the switch as described in “Enabling and disabling a switch” on page 46.
3.
Fabric settings
Configure the following fabric settings on the Fabric subtab of the Configure tab:
BB Credit: The buffer-to-buffer credit is the number of buffers available to attached devices for frame receipt. The default BB Credit is 16. The range is 1–27.
R_A_TOV: Resource allocation timeout value (in milliseconds). This variable works with the E_D_TOV to determine switch actions when presented with an error condition. The default is 10000.
ATTENTION
The default virtual channel settings are already optimized for switch performance. Changing the default values can improve switch performance, but can also degrade performance. Do not change these settings without fully understanding the effects of the changes.

VC Priority specifies the class of frame traffic given priority for a virtual channel.
1. Open the Switch Administration window as described on page 41.
2. Disable the switch as described on page 46.
3.
Configuring system services
You can enable or disable FCP read link status (RLS) probing for F_Ports and FL_Ports. It is disabled by default.
1. Open the Switch Administration window as described on page 41.
2. Disable the switch as described in “Enabling and disabling a switch” on page 46.
3. Click the Configure tab and click the System subtab.
4. Select the Disable RLS Probing check box to disable RLS probing. Clear the check box to enable RLS probing.
5. Click Apply.
6.
FIGURE 24 License tab

Use the links above the table to export data, copy data, or search the table.

Activating a license on a switch
Before you can unlock a licensed feature, you must obtain a license key. You can either use the license key provided in the paperpack document supplied with switch software or see the Fabric OS Administrator’s Guide for instructions on how to obtain a license key at the Brocade Web site (www.brocade.com).
1.
Removing a license from a switch
You can remove a license from a switch in the Switch Administration window.

ATTENTION
Use care when removing licenses. If you remove a license for a feature, that feature will no longer work. Removing the Web Tools license from a switch makes that switch unavailable from Web Tools.

1. Open the Switch Administration window as described on page 41.
2. Click the License tab.
3. Click the license you want to remove.
4. Click Remove.
FIGURE 25 High Availability window, CP tab

Note that the highlight color of the HA Status at the top of the module is the same as the background color of the HA button.
The High Availability window contains two tabs:
• The Service tab displays information about the switch. When the hardware is configured as a dual switch, the Service tab displays information about both switches.
• The CP tab displays information about slot 5 and slot 6.
Synchronizing Services on the CP
A nondisruptive CP failover is only possible when all the services are synchronized between both CPs.
1. Open the High Availability window as described in “Launching the High Availability Window” on page 53.
2. Verify that the HA Summary field displays Non-Disruptive Failover Ready. If the HA Status field displays Non-Disruptive Failover Ready, you are finished. If the HA Status field displays Disruptive Failover Ready, continue with step 3.
3.
Event monitoring
Web Tools displays fabric-wide and switch-wide events.
1. Click the switch from the Fabric Tree. The Switch View appears.
2. Click the Switch Events tab, if necessary.

FIGURE 26 Switch Events tab

You can click the column head to sort the events by a particular column, and drag the column divider to resize a column. You can also right-click a column heading to resize one or all columns, sort the information in ascending or descending order, or choose which columns are displayed.
FIGURE 27 Event Filter dialog box

3. To filter events within a certain time period:
   a. Select the From check box and enter the start time and date in the fields.
   b. Select the To check box and enter the finish time and date in the fields.
4. To filter events beginning at a certain date and time, select the From check box and enter the start time and date.
5. To filter events up until a certain date and time, select the To check box and enter the finish time and date.
6. Click OK.
Filtering events by message ID
1. Open the Switch Events tab as described in “Displaying Switch Events” on page 56.
2. Click Filter. The Event Filter dialog box appears.
3. Select Message ID.
4. Type the message IDs in the associated field. You can enter multiple message IDs as long as you separate them by commas. You can type either the full message ID (moduleID-messageType) or a partial ID (moduleID only). The message ID filtering is case-sensitive.
5. Click OK.
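The time-period and message-ID filters described in the two procedures above, written out as an added example that is not part of this guide or of Web Tools. The event records and message IDs are constructed samples; treating the From and To bounds as inclusive and a partial ID as an exact match on the module ID are assumptions.

```python
from datetime import datetime
from typing import Iterable, List, NamedTuple, Optional


class Event(NamedTuple):
    time: datetime
    message_id: str  # moduleID-messageType, as described in the procedure
    text: str


# Constructed sample events; the IDs and texts are made up for illustration.
SAMPLE_EVENTS = [
    Event(datetime(2008, 11, 24, 9, 0), "SEC-1001", "login failure (constructed)"),
    Event(datetime(2008, 11, 24, 10, 30), "ZONE-1002", "zone change (constructed)"),
    Event(datetime(2008, 11, 24, 11, 15), "SEC-1005", "policy activated (constructed)"),
    Event(datetime(2008, 11, 25, 8, 0), "FW-1003", "threshold crossed (constructed)"),
]


def parse_id_filter(raw: str) -> List[str]:
    """Split the comma-separated Message ID field, dropping empty entries."""
    return [term.strip() for term in raw.split(",") if term.strip()]


def id_matches(message_id: str, terms: List[str]) -> bool:
    """Case-sensitive match against full IDs or module-only partial IDs."""
    module_id = message_id.split("-", 1)[0]
    for term in terms:
        if "-" in term:
            # Full ID (moduleID-messageType): must match exactly.
            if term == message_id:
                return True
        elif term == module_id:
            # Partial ID (moduleID only). Assumption: exact module match.
            return True
    return False


def filter_events(
    events: Iterable[Event],
    start: Optional[datetime] = None,
    end: Optional[datetime] = None,
    message_ids: Optional[str] = None,
) -> List[Event]:
    """Apply the From, To and Message ID filters; an unset filter is ignored.

    start only  -> events from that time onward
    end only    -> events up to that time
    both        -> events within the period (bounds inclusive, an assumption)
    """
    terms = parse_id_filter(message_ids) if message_ids else []
    selected = []
    for event in events:
        if start is not None and event.time < start:
            continue
        if end is not None and event.time > end:
            continue
        if terms and not id_matches(event.message_id, terms):
            continue
        selected.append(event)
    return selected


def ids(events: Iterable[Event]) -> List[str]:
    """Return just the message IDs, for compact comparison and display."""
    return [event.message_id for event in events]


if __name__ == "__main__":
    # A lowercase module ID selects nothing because the filter is case-sensitive.
    print(ids(filter_events(SAMPLE_EVENTS, message_ids="sec")))
    print(ids(filter_events(SAMPLE_EVENTS, message_ids="SEC-1005, FW")))
    print(ids(filter_events(SAMPLE_EVENTS, start=datetime(2008, 11, 24, 11, 0))))
```

When reviewing security events, a filter term typed in the wrong case returns an empty list rather than an error, so an empty result is worth re-checking against the unfiltered view.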
1. Click Name Server in the Monitor section of the Tasks menu. The Name Server window appears.

FIGURE 28 Name Server window

2. To set an autorefresh rate for the Name Server entries, select the Auto Refresh check box in the Name Server window, and type an auto-refresh interval (in seconds). The minimum (and default) interval is 15 seconds.

Printing the Name Server entries
1. Click Name Server in the Monitor section of the Tasks menu.
Displaying zone members for a particular device
1. Click Name Server in the Monitor section of the Tasks menu. The Name Server window appears.
2. Click a device from the Domain column.
3. Click Accessible Devices. The Zone Accessible Devices window displays accessible zone member information specific to that device.

Physically locating a switch using beaconing
Use the Beacon button to physically locate a switch in a fabric.
Virtual Fabrics overview
Virtual Fabrics is an architecture to virtualize hardware boundaries. Traditionally, SAN design and management is done at the granularity of a physical switch. Each switch and all the ports in the switch act as a single fabric element that participates in a single fabric. The Virtual Fabrics feature allows SAN design and management to be done at the granularity of a port.
Selecting a logical switch from the Switch View
You can log in to a specific logical switch, as described in Chapter 1, or you can select a logical switch from the Switch View. If you do not log in to a specific logical switch, you are presented with the default logical switch. Figure 29 is an example.

FIGURE 29 Default logical switch

1. To select a different logical switch, use the Logical Switch selector to select the fabric ID, as shown in Figure 30.
FIGURE 31 Logical switch, fabric ID

2. Under System Information, Base Switch, Default Switch, and Allow XISL Use are specific to Virtual Fabrics:
• Base Switch indicates whether or not the logical switch can act as a base switch. A base switch is a special logical switch that can be used for chassis interconnection. Each chassis may designate only one logical switch as a base switch.
Viewing Logical ports
When base switches are connected through XISLs, a base fabric is formed that includes logical switches in different chassis. A logical link is established in the base fabric to carry frames between the logical switches. Logical ports are created in the respective switches to support the logical link. Logical ports are software constructs, and have no corresponding hardware to represent them on the Switch View.
Chapter 4 Maintaining Configurations and Firmware

In this chapter
• Creating a configuration backup file
• Restoring a configuration
• Admin Domain configuration maintenance
• Uploading and downloading from USB storage
• Performing a firmware download
FIGURE 33 Upload/Download tab

5. If you upload from a network, type the host name or IP address in the Host Name or IP field, the user ID and password required for access to the host in the User Name and Password fields, and choose the Protocol Type used for the upload. The default is FTP. If you choose “Secure Copy Protocol (SCP),” you cannot specify “anonymous” in the User Name field.
An info link is enabled when USB is chosen as the source of the configuration file. If you click on info, the following information message is displayed.
6. Type the configuration file with a fully-qualified path, or select the configuration file name in the Configuration File Name field.
7. Use the Fabric ID selector to select the fabric ID of the logical switch from which the configuration file is to be uploaded.
FIGURE 35 Upload/Download tab

5. Under Function, select Config Download to Switch.
6. If you download from a network, type the host name or IP address in the Host Name or IP field, the user ID and password required for access to the host in the User Name and Password fields, and choose the Protocol Type used for the upload. The default is FTP. If you choose “Secure Copy Protocol (SCP),” you cannot specify “anonymous” in the User Name field.
7.
An info link is enabled when USB is chosen as the source of the configuration file. If you click info, the following information message is displayed.
8. Type the configuration file with a fully-qualified path, or select the configuration file in the Configuration File Name field.
9. Use the Fabric ID selector to select the fabric ID of the logical switch to which the configuration file is to be downloaded.
   • Local zone configuration
   • iSCSI config (if any)
   • All other config information except Admin Domain configuration information
• If you invoke it from AD255 and you are logged in with any role that allows config upload/download, the following will be saved in the configuration file:
   • Configuration information for zones in all Admin Domains
   • iSCSI configuration (if any)
   • All other configuration information, including zoning from all Admin Domains
The filt
FIGURE 37 USB Port Management wizard

Performing a firmware download
During a firmware download, the switch reboots and the browser temporarily loses connection with the switch. When the connection is restored, the version of the software running in the browser is different from the new software version that was installed and activated on the switch. You must close all of the Web Tools windows and log in again to avoid a firmware version mismatch.
FIGURE 38 Firmware Download tab

3. Choose whether you are downloading the firmware or the firmware key.
4. Choose whether the download source is located on the network or a USB device. When you select the USB button, you can specify only a firmware path or directory name. No other fields on the tab are available. The USB button is available if the USB is present on the switch.
5.
About halfway through the download process, after the firmware key is downloaded to the switch, connection to the switch is lost and Web Tools invalidates the current session. (Web Tools invalidates all windows because upfront login is always enabled and cannot be disabled.)
8. Close all Web Tools windows and log in again. If the firmware download is in progress when you log in, you can continue to monitor its progress.
FIGURE 39 Firmware Download tab for bladed switches

Switch configurations for mixed fabrics
You can use Web Tools to configure switches in a mixed fabric. You do this by setting the switch to interoperability mode, which is McDATA Open Fabric mode or McDATA Fabric mode. When you turn on interoperability mode, the Zone DB is cleared. When you turn on McDATA Fabric Mode, which supports M-EOS switches v9.6.
Enabling interoperability
When you configure interoperability, Web Tools verifies that the domain ID of the switch falls within the range for the interoperability mode you choose. The domain ranges are:
• The normal domain ID range is 1-239.
• The McDATA Fabric mode supports a domain ID range of 1-31.
• The Open Fabric mode range is 97-131.
Chapter 5 Managing Your Ports

In this chapter
• Port management overview
• Configuring FC ports
• Assigning a name to a port
• Enabling and disabling a port
FIGURE 41 Port Administration window, FC Ports, Basic Mode

The Port Administration window displays information about the ports on the switch. Click the Show Advanced Mode button in the upper-right corner of the window to see more port management options (see Figure 42).
FIGURE 42 Port Administration window, FC Ports, Advanced Mode

Admin Domain considerations
In fabrics with user-defined Admin Domains, the Port Administration window is filtered to show only ports that are direct or indirect members of the currently selected Admin Domain.
• Direct members are ports that were directly added to the Admin Domain as members.
The GigEPorts tab has the following three subtabs:
- Interfaces - lets you view interfaces
- Routes - lets you view routes
- FCIP tunnel - lets you view tunnels; this tab has two buttons: Go to FCIP port and Show Security Policies
• The Ports Explorer tree on the left side.
• When viewing detailed information about a port, the Advanced Mode provides these additional subtabs:
- General—All ports
   • Enable/Disable Trunking
   • Enable/Disable NPIV
   • Port Swap
   • F_Port Trunking
   • Re-Authenticate
- SFP—Physical ports only (FC and GbE)
   • Advanced information about the port equipment
- Port Statistics
   • Advanced port statistics
   • Error details
- FCIP Tunnels—GbE ports and logical FCIP ports only (not available for the FR4-16IP)

Controllable ports
Al
FIGURE 43 Port Administration window, Table view

Configuring FC ports
With the FC Port Configuration wizard, you can configure allowed port types, port speed, and long distance mode for physical ports. You must use Web Tools with the EGM license enabled on the switch to configure long distance; otherwise, access to this feature is denied and the following error message displays.
The following procedure describes how to open the FC Port Configuration wizard. The wizard is self-explanatory, so the explicit steps are not documented here.
1. Click a port in the Switch View to open the Port Administration window (see Figure 41 on page 80).
2. Click the FC Ports tab.

FIGURE 45 FC Port Configuration Wizard, FC Ports

3. Select the port you want to configure from the tree on the left.
4. Click the General subtab.
Allowed Port Types
For FC ports, the Port Administration window displays the following values relating to port type:
Port Type: This is the actual or current port type. If the port is offline, this value is the allowed types (or U_Port, if no type constraint is specified). If the port is online, this value is the type the port has actually negotiated to.
Allowed Port Type: The allowed or configured port type.
The EGM license is required only for 8 Gbps platforms, such as the Brocade DCX and DCX-4S enterprise-class platforms, the Encryption Switch, the 300, 5300, and 5100 switches. For non-8 Gbps platforms, all functionalities are available without the EGM license.

FC Fastwrite
FC Fastwrite reduces the number of round-trip times required to write data.
5. Click Enable or Disable. If the button is gray (unavailable), the port is already in the enabled or disabled state. For example, if the Enable button is unavailable, the port is already enabled. If you select multiple ports in both enabled and disabled states, both buttons are active. When you click either button, the action is applied to all selected ports.
6. Click Yes in the confirmation window.
6. Click Yes in the confirmation window.

Enabling and disabling NPIV ports
The NPIV license must be installed on a switch before NPIV functionality can be enabled on any port.

NOTE
NPIV enable/disable is not supported on EX_Ports.

NPIV is supported on all ports on the Brocade FS-8-18 Encryption blade and Encryption Switch with a maximum of 255 virtual devices per port for Fabric OS v5.1.0 and higher. For Fabric OS v5.
TABLE 9 Ports Enabled with POD Licenses and DPOD Feature (Continued)
Switch Name | Enabled by Default | Enabled with Ports on Demand License(s) | Enabled with the Dynamic Ports on Demand Feature
Brocade 4018 | 2-11 | 12-17 | Any available ports
Brocade 4020 | 0-7, 15, 16 | 8, 9, 17-19; 10-14 | Any available ports
Brocade 4024 | 1-8, 17-20 | 9-12, 21, 22; 0, 13-16, 23 | Any available ports
Brocade 4900 | 0–31 | 32–47; 48–63 | Not supported

For the Brocade 4016, 4018, 4020, and 4024 switches only, yo
3. From the tree on the left, click the switch or the slot that contains the port.
4. Click the Enable DPOD button to enable the licensing mechanism to be dynamic. If the button says Disable DPOD, the licensing mechanism is already set to dynamic. The existing POD associations and assignments are set as the initial Dynamic POD associations.
Two fields are displayed:
• Available Licenses indicates the number of free licenses. These can be allocated for any port.
You can reserve or release a license on any port with a license allocated. To reserve a license, click Reserve License in the Port Administration window. To release a license, click Release License in the Port Administration window.
FIGURE 47 Port Swapping Index
Chapter 6 Managing Administrative Domains

In this chapter
• Administrative domain overview
• Enabling administrative domains
• Admin Domain window
• Creating and populating domains
User-defined Admin Domains
AD1 through AD254 are user-defined Admin Domains. These user-defined Admin Domains can be created only by a physical fabric administrator in AD255.

System-defined Admin Domains
AD0 and AD255 are special Admin Domains and are present in every AD-capable fabric.
You can use AD255 to:
• Manage other Admin Domains.
• Get an unfiltered view of the fabric.
• Manage ACL and distribution (can be managed in AD0 if no other Admin Domains are present).
• Manage Advanced Performance Monitoring (can be managed in AD0 if no other Admin Domains are present and only if you are using Web Tools with the EGM license).
1. Change the Admin Domain context to AD0. See “Changing the Admin Domain context” on page 26.

NOTE
Changing the Admin Domain context requires using Web Tools with the EGM license; otherwise, access to this feature is denied and an error message displays.

Change the Default Zone mode to No Access. See “Setting the default zoning mode” on page 133.
2. Navigate to AD255 or the physical fabric and begin managing the Admin Domains.
FIGURE 49 Admin Domain window, summary view

The Admin Domain window displays information about the Admin Domains defined in the fabric. If you launch the Admin Domain window from AD255 (physical fabric), the window contains information about the current content of all Admin Domains. If you launch the Admin Domain window from any other Admin Domain, the window displays the current Admin Domain only. To manage Admin Domains, you must be logged in with the role of Admin.
FIGURE 50 Admin Domain window, single Admin Domain detail

NOTE
The tree only displays launched switches and their ports. It also displays all the devices in the fabric. Slot and port information of other switches are not displayed in the tree.

The Admin Domain window has buttons in a task bar at the top of the window:
• New lets you create a new Admin Domain.
• Print lets you print the current or effective configuration.
• Click Copy to copy the contents of the table in tab-delimited text format to a file.
• Click Search to search for a specific text string in the table. The Switch Members box appears, as shown in Figure 51. In the Switch Members box, type the text string and press Enter. This is an incremental search and allows a maximum of 24 characters, including the wildcards question mark (?) and asterisk (*). The first row containing the text string is highlighted.
Refreshing Admin Domain information
Any changes you make in the Admin Domain window are saved to a local buffer; they are not applied to persistent storage until you invoke one of the transactional operations listed in the Actions menu. You can refresh the Admin Domain information at any time to reflect changes that might have been made by other users or to back out of current, unsaved work and start again.
Creating and populating domains
Setting up an Admin Domain involves the following steps:
1. Creating an Admin Domain.
2. Assigning one or more administrators to the Admin Domain.
The Admin account always has access to administer the Admin Domains, even if no other users are assigned (see “Changing user account parameters” on page 220).
When you create an Admin Domain, you can activate the Admin Domain after you finish creating it.
5. In the State area, select the Active check box to activate the Admin Domain when you finish creating it. This is the default setting. Clear the Active check box if you want the Admin Domain deactivated when you finish creating it.
6. Click Next.
7. In the Membership area, assign members to the Admin Domain by selecting them in the Available Members section and clicking Add, Add Ports, or Add Devices.
The wizard displays a summary of the Admin Domain. Read the summary to verify that the Admin Domain setup is correct.

FIGURE 54 Summary view

9. Click Finish to close the wizard.
10. Click Save to save the new Admin Domain configuration to persistent storage.
11. Click Apply to enforce the new Admin Domain configuration as the effective configuration.

Adding ports or switches to the fabric
1. From the Create Admin Domain wizard, click Manual.
Activating or deactivating an Admin Domain
1. Open the Admin Domain window.
2. From the tree on the left, select the Admin Domain you want to activate or deactivate.
3. Click Activate to activate the Admin Domain. Click Deactivate to deactivate the Admin Domain.
4. Click Actions > Save AD Configuration to save the new Admin Domain configuration to persistent storage.
5.
FIGURE 56 Modify Admin Domain wizard

4. Assign members to the Admin Domain by selecting them in the Available Members section and clicking Add, Add Ports, or Add Devices.
• Select a switch, port, or device in the Available Members tree and click Add to add the selected element. Alternatively, you can press the Insert key to add your selections.
• Select a switch or slot and click Add Ports to add all of the ports in the selected switch or slot.
Renaming Admin Domains
You can change the name of an Admin Domain, including an auto-assigned ID name. The Admin Domain name cannot exceed 63 characters and can contain alphabetic and numeric characters. The only special character allowed is an underscore ( _ ).

NOTE
You cannot rename AD0 or AD255.

1. Open the Admin Domain window.
2. From the tree on the left, select the Admin Domain.
3. Click Rename.
4. Enter the new name.
5. Click OK.
6.
Chapter 7 Enabling ISL Trunking

In this chapter
• ISL trunking overview
• Disabling or enabling ISL trunking
• Viewing trunk group information
• F_Port trunk groups
Disabling or enabling ISL trunking
The trunking feature requires using Web Tools with the EGM license. If you attempt to use this feature without the EGM license, the following error message displays.

FIGURE 57 Missing EGM license

When the trunking license is activated, trunks are automatically established on eligible ISLs and trunking capability is enabled by default on all ports.
Viewing trunk group information
Use the Trunking tab of the Switch Admin window to view trunk group information (see Figure 58).

FIGURE 58 Trunking tab

The following trunking attributes can be displayed from the Port Admin view by selecting Show Advanced Mode.
• Trunk port state, either master or slave.
• Trunk master port (does not apply to F_Port trunking).
• Trunk index (applies only to F_Port trunking).
F_Port trunk groups
F_Port trunking provides extra bandwidth and robust connectivity for hosts and targets connected by switches in Access Gateway mode. There are five general criteria for establishing F_Port trunking:
• The F_Port trunking feature requires installing the EGM license; otherwise, if you attempt to use this feature in Web Tools without the license, the following error message displays.
3. Select any port from the port group in which you want to create the trunk group.
4. Select F_Port Trunking. The F_Port Trunking dialog box displays (see Figure 60).

FIGURE 60 F_Port trunking dialog box

5. Select one or more ports in the Ports for trunking pane. A dialog box displays, asking you to select a trunk index.
6. Select the trunk index from the drop-down box populated with the index for all the ports.
Chapter 8 Monitoring Performance

In this chapter
• Performance Monitor overview
• Opening the Performance Monitoring window
• Creating basic performance monitor graphs
• Customizing basic monitoring graphs
• Advanced performance monitoring graphs
The Advanced Monitoring option in the Performance Graphs window displays pre-defined reports and filter-based performance monitoring. You can use this feature to track the following:
• The number of words received and transmitted in Fibre Channel frames with a defined SID/DID pair.
• The number of times a particular filter pattern in a frame is transmitted by a port.
For detailed information on performance monitoring, see the Fabric OS Administrator’s Guide.
TABLE 10 Basic performance graphs
Graph Type | Displays
Port Throughput | The performance of a port, in bytes per second, for frames received and transmitted.
Switch Aggregate Throughput | The aggregate performance of all ports on a switch.
Blade Aggregate Throughput | The aggregate performance of all ports on a port card. This graph is available only for the Brocade 48000 and Brocade DCX and DCX-4S enterprise-class platforms.
Table 12 lists each graph and indicates the supported port types for each. The port selection lists for each graph display the supported ports for that graph.
Figure 61 shows how to access the list of Advanced Performance Monitoring graphs using Web Tools with the EGM license. This example displays the graphs available in the Performance Monitoring window for a Brocade 48000 director with the Advanced Performance Monitoring license installed. Note that the slot number is identified.
FIGURE 62 Canvas of six performance monitoring graphs

Opening the Performance Monitoring window
To perform performance monitoring, you must use Web Tools with the EGM license; otherwise, when you click on the Performance Monitor tab, access to this feature is denied and an error message displays.
Use the following procedure to open the Web Tools Performance Monitoring window.
1. Select a switch from the Fabric Tree and log in when prompted.
2.
Depending on the type of graph you select, you might be prompted to select a slot or port for which to create a graph (see Figure 64).

FIGURE 63 Creating a basic performance monitor graph

3. If prompted, drag the port into the Enter/drag slot,port field, or manually type the slot and port information in the field, in the format slot,port.
The following procedure assumes that you already created one of these customizable graphs.
1. Create or access the graph you want to customize. See “Creating basic performance monitor graphs” on page 123 for instructions on creating a graph.
2. For Brocade 48000 and Brocade DCX and DCX-4S enterprise-class platforms, display detailed port throughput utilization rates for each port in a slot by clicking the arrows next to a slot.
   c. Click Add to move the selected ports to the Selected Ports list.
   d. Optional: Click ADD ALL Ports to add all of the ports in the Port Selection List to the Selected Ports list.
   e. Optional: Click Search to open the Search Port Selection List dialog box, from which you can search for all E_Ports, all F_Ports, or all port names with a defined string. Select the ports you want to add and click Search in the Search Port Selection List dialog box.
   f.
FIGURE 65 Creating an SID/DID performance graph

NOTE
Only the FC ports of the launched switch display in the tree. The All Devices tab lists all the devices in the fabric and lets you select the source and destination. Slot and port information of other switches is not displayed in the tree.

3. Click a port from the Slot/Port or Sid/Did Selection List.
   a. Drag the selected port into the Enter/drag slot, port number field.
   b. Click Retrieve preset EE monitors.
Creating a SCSI vs. IP Traffic Graph
The SCSI vs. IP Traffic graph displays the SCSI versus IP traffic for selected ports. For Brocade 48000 and Brocade DCX and DCX-4S enterprise-class platforms, the slot and port name are identified in the graph. In a trunk group, the SCSI vs. IP Traffic graph displays only the master port and not the slave ports.
1. Open the Performance Monitoring window.
2. Click Performance Graphs > Advanced Monitoring > SCSI vs. IP Traffic.
FIGURE 66 Creating a SCSI command graph
3. Navigate to a switch > slot > port in the Slot/Port Selection List.
4. Click the port from the Slot/Port Selection List and drag it into the Enter/drag slot,port field.
5. Optional: For the LUN per port graphs, type a LUN number, in hexadecimal notation.
Adding graphs to an existing canvas
The following procedure assumes that a canvas is already created. To create a new canvas, you must first create graphs, as described in “Creating basic performance monitor graphs” on page 123 and “Advanced performance monitoring graphs” on page 125, and then save those graphs to a canvas, as described in “Saving graphs to a canvas” on page 128.
1. Click File > Display Canvas Configurations. The Canvas Configuration List displays.
NOTE The Edit button is enabled only for the graphs that are configurable or editable.
5. Make changes in the Edit dialog box, as necessary.
6. Click OK to close the Edit dialog box.
7. Click Save to save the changes and close the Performance Monitor Canvas dialog box.
8. Click Close to close the Canvas Configuration List.
Chapter 9 Administering Zoning
In this chapter
• Zoning overview
• Zoning configurations
• Zoning management
• Zone configuration and zoning database management
• Best practices for zoning
TABLE 13 Zoning features supported in DCFM Professional and Enterprise Edition
Description | DCFM Professional Edition | DCFM Enterprise Edition
LSAN zoning | no | yes
Rolling back an already activated zone DB | no | yes
Importing/Exporting of a zone DB to/from file system in XML format | no | yes

Basic Zones
Basic zoning enables you to partition a storage area network (SAN) into logical groups of devices that can access each other.
QoS zone requirements
A QoS zone is a special zone that assigns a Quality of Service (QoS) level for traffic flow between a given host/target pair. The members of a QoS zone are WWNs of the host/target pairs. QoS zones can contain only WWN members. A QoS zone has a special prefix, to differentiate it from a regular zone.
1. Open the Zone Administration window (see “Opening the Zone Administration window” on page 133).
2. Click Zoning Actions > Set Default Mode, and then select the access mode.

Zoning management
You can monitor and manage basic and traffic isolation zoning through the Web Tools Zone Administration. The information in the Zone Administration window is collected from the selected switch.
ATTENTION Any changes you make in the Zone Administration window are held in a buffered environment and are not updated in the zoning database until you save the changes. If you close the Zone Administration window without saving your changes, your changes are lost.
To save the buffered changes you make in the Zone Administration window to the zoning database on the switch, see “Saving local zoning changes” on page 136.
Refreshing fabric information
This function refreshes the display of fabric elements only (switches, ports, and devices). It does not affect any zoning element changes or update zone information in the Zone Administration window. You can refresh the fabric element information displayed at any time.
1. In the Zone Administration window, click View > Refresh From Live Fabric. This refreshes the status for the fabric, including switches, ports, and devices.
Saving local zoning changes
All information displayed and all changes made in the Zone Administration window are buffered until you save the changes. That means that any other user looking at the zone information for the switch will not see the changes you have made until you save them. Saving the changes propagates any changes made in the Zone Administration window (buffered changes) to the zoning database on the switch.
Creating and populating zone aliases
An alias is a logical group of port index numbers and WWNs. Specifying groups of ports or devices as an alias makes zone configuration easier, by enabling you to configure zones using an alias rather than inputting a long string of individual members. You can specify members of an alias using the following methods:
• Identifying members by switch domain and port index number pair, for example, 2, 20.
6. Click Zoning Actions > Save Config to save the configuration changes. To enable the configuration, see “Enabling zone configurations” on page 145.

Renaming zone aliases
The new alias name cannot exceed 64 characters and can contain alphabetic, numeric, and underscore characters. Use the following procedure to change the name of a zone alias.
1. Open the Zone Administration window as described on page 133.
2.
Creating and populating zones
A zone is a region within the fabric where specified switches and devices can communicate. A device can communicate only with other devices connected to the fabric within its specified zone. Use the following procedure to create a zone.
1. Open the Zone Administration window as described on page 133.
2. Select a format to display zoning members in the Member Selection List as described in “Select a zoning view” on page 137.
3. Click the Zone tab.
4.
5. Click Add Member to add a zone member, or click Remove Member to remove a zone member. The zone is modified in the Zone Admin buffer. At this point you can either save your changes or save and enable your changes.
6. Click Zoning Actions > Save Config to save the configuration changes. To enable the configuration, see “Enabling zone configurations” on page 145.

Renaming zones
Use the following procedure to change the name of a zone.
1.
Deleting zones
Use the following procedure to delete a zone.
1. Open the Zone Administration window as described on page 133.
2. Click the Zone tab.
3. Select the zone you want to delete from the Name menu and click Delete.
4. On the confirmation dialog box, click Yes. The selected zone is deleted from the Zone Admin buffer. At this point you can either save your changes or save and enable your changes.
5. Click Zoning Actions > Save Config to save the configuration changes.
Zone configuration and zoning database management
A zone configuration is a group of zones; zoning is enabled on a fabric by enabling a specific configuration. You can specify members of a configuration using zone names. Figure 68 shows a sample zoning database and the relationship between the zone aliases, zones, and zoning configuration. The database contains one zoning configuration, myconfig, which contains two zones: Zone A and Zone B.
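The rules this chapter states for zoning objects (alias names and member formats, QoS zones limited to WWN members, configurations built from zone names, and every device being able to reach every other device when no configuration is enabled) can be checked offline before a change is saved and enabled. The following Python is an added example, not code from this guide or from Brocade. The dictionary layout, the "qos" flag (standing in for the QoS name prefix), the expansion of aliases inside QoS zones, and the sample data are assumptions made for illustration.

```python
import re

# Alias naming rule from "Renaming zone aliases": at most 64 characters,
# alphabetic, numeric, and underscore characters only.
ALIAS_NAME = re.compile(r"[A-Za-z0-9_]{1,64}")
# A WWN written as eight colon-separated hex bytes.
WWN = re.compile(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){7}")
# A "switch domain, port index" pair such as "2, 20".
DOMAIN_PORT = re.compile(r"\d+\s*,\s*\d+")


def member_kind(member):
    """Classify a member string as 'wwn', 'domain_port', or None."""
    if WWN.fullmatch(member):
        return "wwn"
    if DOMAIN_PORT.fullmatch(member):
        return "domain_port"
    return None


def audit_zoning(db):
    """Return a list of (check, detail) findings for a zoning database dict."""
    findings = []
    aliases, zones, configs = db["aliases"], db["zones"], db["configs"]

    # Aliases: name rule and member format.
    for name, members in aliases.items():
        if not ALIAS_NAME.fullmatch(name):
            findings.append(("alias-name", name))
        for m in members:
            if member_kind(m) is None:
                findings.append(("alias-member", f"{name}: {m}"))

    # Zones: every member must be a known alias or a well-formed member.
    for zname, zone in zones.items():
        resolved = []
        for m in zone["members"]:
            if m in aliases:
                resolved.extend(aliases[m])      # expand alias (assumption)
            elif member_kind(m):
                resolved.append(m)
            else:
                findings.append(("zone-dangling-member", f"{zname}: {m}"))
        # QoS zones can contain only WWN members.
        if zone.get("qos"):
            for m in resolved:
                if member_kind(m) != "wwn":
                    findings.append(("qos-non-wwn", f"{zname}: {m}"))

    # Configurations are groups of zones, referenced by zone name.
    for cname, znames in configs.items():
        for z in znames:
            if z not in zones:
                findings.append(("config-missing-zone", f"{cname}: {z}"))

    # With no enabled configuration, all devices can communicate.
    enabled = db.get("enabled")
    if enabled is None:
        findings.append(("no-enabled-config", "all devices can communicate"))
    elif enabled not in configs:
        findings.append(("enabled-config-missing", enabled))
    return findings


# Constructed sample database; names and WWNs are made up for this example.
SAMPLE_DB = {
    "aliases": {
        "host_a": ["10:00:00:00:00:00:00:01"],
        "array_ports": ["2, 20", "2,21"],
        "bad-alias!": ["10:00:00:00:00:00:00:02"],
    },
    "zones": {
        "Zone_A": {"members": ["host_a", "array_ports"]},
        "Zone_B": {"members": ["host_a", "50:00:00:00:00:00:00:01"]},
        "qos_pair": {"qos": True, "members": ["host_a", "array_ports"]},
        "Zone_C": {"members": ["old_alias"]},
    },
    "configs": {"myconfig": ["Zone_A", "Zone_B", "Zone_D"]},
    "enabled": None,
}

if __name__ == "__main__":
    for check, detail in audit_zoning(SAMPLE_DB):
        print(f"{check:22} {detail}")
```

Run against the buffered definition before Save Config or Enable Config, an empty result means none of these rules is violated; it says nothing about whether the zones express the intended access policy.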
3. Click the Zone Config tab and click New Zone Config.
4. On Create New Config, type a name for the new configuration and click OK. The new configuration appears in the Name list.
5. Expand the Member Selection List to view the nested elements. The choices available in the list depend on the selection made in the View menu.
6. Select an element in the Member Selection List that you want to include in your configuration.
4. On Rename a Config, type a new configuration name and click OK. The configuration is renamed in the configuration database.
5. Click Zoning Actions > Save Config to save the configuration changes.

Cloning zone configurations
You must use Web Tools with the EGM license to perform cloning operations for zone configurations; otherwise, access to this feature is denied and an error message displays.
1. Open the Zone Administration window as described on page 133.
2. Click Zoning Actions > Enable Config.
3. On Enable Config, select the configuration to be enabled from the menu.
4. Click OK to save and enable the selected configuration.

Disabling zone configurations
When you disable the active configuration, the Advanced Zoning feature is disabled on the fabric, and all devices within the fabric can communicate with all other devices.
FIGURE 69 Effective Configuration window

Viewing the enabled zone configuration name without opening the Zone Administration window
• Select a switch from the Fabric Tree. The selected switch appears in the Switch View. The current zone configuration name (if one is enabled) is displayed in the lower portion of the Switch Events and Switch Information. If no zone configuration is enabled, the field displays “No configuration in effect”.
3. Optional: Click Print located in the Print Effective Zone Configuration dialog box to print the enabled zone configuration details. This launches the print dialog box.
NOTE You must use DCFM Professional or Enterprise Edition to print the zone database summary configurations, display zone configuration summaries and create configuration analysis reports.
3. Type the WWN to be replaced in the Replace field.
4. Type the new WWN in the By field and click OK. The Replace WWN dialog box is displayed. It lists all the zoning elements that include the WWN.
5. Click an item in the list to select or unselect, and click Replace to replace the WWN in all the selected zoning elements.
• Clear the entire contents of the current Web Tools Zone Admin buffer.
• Delete the entire persistent contents of the fabric zoning database.
The wizard allows you to define one and only one name for each device port (WWN). Devices with one or more aliases are considered already named and are not displayed.
Chapter 10 Working With Diagnostic Features
In this chapter
• Trace dumps
• Displaying switch information
• Port LED interpretation

Trace dumps
A trace dump is a snapshot of the running behavior within the Brocade switch.
Using the Trace tab of the Switch Administration window, you can view and configure the trace FTP host target and enable or disable automatic trace uploads.
FIGURE 70 Trace tab

How a trace dump is used
The generation of a trace dump causes a CRITICAL message to be logged to the system error log. When a trace dump is detected, issue the supportSave command on the affected switch.
Setting up for automatic transfer of diagnostic files involves the following tasks:
• Specifying a remote server to store the files.
• Enabling the automatic transfer of trace dumps to the server. (Trace dumps overwrite each other by default; sending them to a server preserves information that would otherwise be lost.)

Specifying a remote server
You can perform this task only if the switch belongs to the Admin Domain you are logged into.
1. Open the Switch Administration window.
2.
Displaying switch information
The Fan, Temperature, and Power Status windows have Export, Copy, and Search options at the top of the tables. These options are not available if the table does not have any content. You must accept the Brocade Certificate at the beginning of the login to Web Tools to enable the functionality of Export and Copy.
• Click Export to save the contents of the table to a tab-delimited file.
The Fan No. column indicates either the fan number or the fan FRU number, depending on the switch model. A fan FRU can contain one or more fans.
• For Brocade 4100, 4900, 5000, 5100, 5300, 7600, the 7500 and 7500E Extension switches, and the Brocade Encryption Switch, the Fan No. column indicates the fan FRU number.
• The Brocade 200E, 300, 4012, 4016, 4018, 4020, and 4024 switches do not contain fan FRUs, so for these switch models, the Fan No.
1. Select a switch from the Fabric Tree. The selected switch appears in the Switch View. The icon on the Power button indicates the overall status of the power supply.
2. Click Power on the Switch View. The detailed power supply states are displayed.
FIGURE 74 Power Status window

Checking the physical health of a switch
The Status button displays the operational state of the switch. The icon on the button displays the real-time status of the switch.
Click the Status button to display a detailed, customizable switch status report, shown in Figure 75. Note that this is a static report and not a dynamic view of the switch.
FIGURE 75 Switch Report window
1. Select a switch from the Fabric Tree. The selected switch appears in the Switch View. The icon on the Status button indicates the overall status of the switch.
2. Click Status on the Switch View. The detailed switch health report is displayed, as shown in Figure 75.
• View the style sheet for the report
• View the XML schema for the report
FIGURE 76 Switch Report Action menu

Port LED interpretation
The Switch View displays port graphics with blinking LEDs, simulating the physical appearance of the ports. One of the LEDs indicates port status; the other indicates port speed. For LED information, refer to the hardware documentation for the switch you are viewing.
Port icon colors
The background color of the port icon indicates the port status, as follows:
• Green (healthy)
• Yellow (marginal)
• Red (critical)
• Gray (unmonitored)
• If the entire port icon is blue, the port is buffer-limited.
• If a group of port icons appears dimmed, those ports are not licensed.

LED representations
The port icons are different for different switch models. Figure 77 shows E_Port port icons and associated LEDs from a Brocade 4100 switch.
[Figure: Web Tools Representation and Physical Port Card, with callouts 1 to 4]
1. Port Speed LED for the right port
2. Port Status LED for the right port
3. Port Speed LED for the left port
4.
Chapter 11 Using the FC-FC Routing Service
In this chapter
• Fibre Channel routing overview
• Supported switches for Fibre Channel routing
• Setting up FC-FC routing
• FC-FC routing management
• Viewing EX_Ports
Note the following terminology for Fibre Channel routing:
backbone fabric
An FC Router can connect two edge fabrics; a backbone fabric connects FC Routers. The backbone fabric is the fabric to which the FC Router switch belongs. A backbone fabric consists of at least one FC Router and possibly a number of Fabric OS-based Fibre Channel switches.
3. Configure EX_Ports by clicking the EX Ports tab and then clicking New. Follow the instructions in the wizard. See “Viewing EX_Ports” on page 165.
4. Connect the cables from the EX_Ports on the FC Router to the edge fabrics, if they were not connected before. For a multi-FC Router backbone fabric, make sure that each FC Router is connected to a switch in the backbone fabric.
5. Configure LSAN zones on the fabrics that will share devices. See “Viewing LSAN zones” on page 167.
1. Select a switch from the Fabric Tree. The selected switch appears in the Switch View.
2. Click FCR in the Manage section of the Tasks menu. The FC Routing module displays (as shown in Figure 79). If FC-FC Routing is disabled, a message to that effect displays on all the tabs in the module.
For Brocade switches, this launches Web Tools. For non-Brocade fabrics, this launches the element manager for that switch.
FIGURE 80 FC Routing module with LSAN Fabrics tab selected

Viewing EX_Ports
The EX_Ports tab (see Figure 81 on page 166) displays all of the EX_Ports on the switch, including configuration and status information. The ports are sorted by slot number, and then by row number within each slot. IP address information is displayed in IPv4 and IPv6 formats.
• Enable or disable an EX_Port
• Persistently enable or disable an EX_Port
• Enable or disable trunking
• Configure router port cost
ATTENTION During EX_Port configuration, the port is automatically disabled, and then reenabled when the changes are applied. Be sure that you do not physically connect a port to a remote fabric before configuring it as an EX_Port; otherwise, the two fabrics merge and you lose the benefit of Fibre Channel routing.
4. Follow the instructions in the wizard to configure the EX_Port. You must specify the Fabric ID and, if configuring an FC port, the speed and long distance mode. You can choose any unique fabric ID as long as it is consistent for all EX_Ports that connect to the same edge fabric.

Editing the configuration of an EX_Port
1. Select Tasks > Manage > FCR.
2. Click the EX_Ports tab.
3. Select a port to configure, by clicking in the row.
4.
The LSAN matrix is a mapping of LSAN zones with the edge fabric they are going to communicate with. When an LSAN matrix is created in the backbone fabric, only the LSAN zones mapped in the edge fabrics are displayed in the LSAN Zones tab. Follow the procedure described in “Creating and populating zones” on page 140 to create LSAN zones.
Configuring the backbone fabric ID
The FC-FC Routing Service must be disabled when configuring the backbone fabric ID. Web Tools automatically disables FC-FC Routing before setting the fabric ID, and then reenables it afterwards; however, you must first disable all of the EX_Ports before you invoke this operation. After the fabric ID is changed, you can enable these ports again manually.
Chapter 12 Using the Access Gateway
In this chapter
• Access Gateway overview
• Enabling Access Gateway mode
• Disabling Access Gateway mode
• Viewing the Access Gateway settings
• Port configuration
NOTE You cannot enable Access Gateway mode if Management Server is enabled. To disable Management Server, enter the MsplmgmtDeactivate command.
1. Select a switch.
2. Click Switch Admin in the Manage section under Tasks. The Switch Administration window opens.
3. Save the switch configuration.
4. Click Enable in the Access Gateway Mode section.
5. Click Apply.
6. Click Yes to restart the switch in Access Gateway mode.

Disabling Access Gateway mode
1. Select a switch.
2.
FIGURE 83 Access Gateway Device display

Port configuration
You can configure the port types (N_Port, F_Port) on each individual port on an Access Gateway enabled switch. When you configure ports, you can specify a global configuration policy using the Port Configuration Policy button. By default, Advanced is selected and sets the initial defaults for port types, groups, and the F_Port-to-N_Port mappings.
NOTE If you want to distribute F_Ports among groups, you can leave all ports in the default port group 0, or you can disable N_Port grouping.
1. Click a port in the Switch View to open the Port Administration window.
2. Click Configure N_Port Groups.
FIGURE 84 Port Group Configuration dialog box
3. On Port Group Configuration, select one of the following options to change:
• Disable N_Port grouping
• Add a port group
• Edit a port group
• Delete a port group
4.
FIGURE 85 F-N Port Mapping Configuration dialog box
4. In the Primary Mappings area, select ports and use the Add button to map F_Ports or U_Ports to N_Ports. Use the Remove button to delete an F_Port mapping from an N_Port.
5. Define a Secondary N_Port in the Secondary Failover Mappings area, by selecting the ports using the Add and Remove buttons to set up the secondary mappings.
Path Failover and Failback policies
The Path Failover and Failback policies determine the behavior of the F_Ports if the primary N_Port they are mapped to goes offline or is disabled. The Path Failover and Failback policies are attributes of the N_Port. By default, the Path Failover and Failback policies are enabled for all N_Ports.

Modifying Path Failover and Failback policies
1. Click a port in the Switch View to open the Port Administration window.
2.
3. Click Yes in the confirmation window.
Chapter 13 Administering Fabric Watch
In this chapter
• Fabric Watch overview
• Using Fabric Watch with Web Tools
• Fabric Watch threshold configuration
• Configuring alarms for FRUs
• Fabric Watch alarm information
Using Fabric Watch with Web Tools
You can perform Fabric Watch operations using Web Tools and Web Tools with the EGM license.
NOTE Unless the switch is a member of the current Admin Domain context, Fabric Watch is view-only.
FIGURE 88 The Fabric Watch window
Fabric Watch Explorer, on the left side of the window, displays the available classes. Not all classes are available for all switches.
Opening the Fabric Watch window
1. Select a switch from the Fabric Tree and log in if necessary.
2. Select Tasks > Manage > Fabric Watch. The Fabric Watch window opens, as shown in Figure 88.

Fabric Watch threshold configuration
The Threshold Configuration tab enables you to configure event conditions. From this tab, you configure threshold traits, alarms, and e-mail configurations.
FIGURE 89 Threshold configuration in Fabric Watch
3. Click the Trait Configuration subtab.
4. In Fabric Watch Explorer, click a class.
5. Under Area Selection, choose an area from the list. This sets the units in the Units field. The module displays two columns of trait information, labeled System Default and Custom Defined. You cannot modify the information in the System Default column.
6.
Configuring threshold alarms
After you update the threshold information, use the Alarm Configuration subtab to customize the notification settings for each event setting.
1. Open the Fabric Watch window.
2. Click the Threshold Configuration tab.
3. Click the Alarm Configuration subtab.
4. In Fabric Watch Explorer, click a class.
5. Under Area Selection, choose an area from the drop-down list.
• Click Triggered to receive threshold alarms only when they are triggered by events that you defined.
• Click Continuous to receive threshold alarms at a continuous interval. Select a time interval in which to receive the threshold alarms from the Time Interval menu.
9. Click Apply.
10. Optional: Apply the selections on this panel to multiple elements simultaneously.
a. Click Apply More. The Multiple Selection dialog box displays.
b.
Fabric Watch alarm information
From Fabric Watch, you can view two types of reports:
• Alarm notifications—Displays the alarms that occurred for a selected class/area
• Alarm configuration—Displays threshold and alarm configurations for a selected class/area

Viewing an alarm configuration report
Use the Threshold Configuration tab, Configuration Report subtab to display a report of the configuration for a selected class/area with the following information:
• Threshold
1. Open the Fabric Watch window.
2. In Fabric Watch Explorer, select the class that you want to check for alarms.
3. Click the Alarm Notification tab.
4. In Area Selection, select the area that you want to check for alarms from the list. All alarms for that area display.
For troubleshooting responses to alarms, see the Fabric Watch Administrator’s Guide.

E-mail notification
You can be notified of an alarm condition through an e-mail alert.
NOTE E-mail addresses must not exceed 128 characters.
5. Click Apply.
6. Optional: Click Send Test Email to receive a test e-mail so you can verify the e-mail notification is working correctly. You can send a test e-mail only after you have applied your settings.
Chapter 14 Administering Extended Fabrics
In this chapter
• Extended link buffer allocation overview
• Configuring a port for long distance

Extended link buffer allocation overview
If the link is used over long distances, use the Extended Fabric tab of the Switch Administration window to configure the long-distance setting of a port.
• Actual Distance (km)—The actual distance for the link in kilometers.
• Desired Distance (km)—Required for a port configured in LD or LS mode (see Table 16 on page 189), the desired distance, in kilometers, for the link. For an LD-mode link, the desired distance is used as the upper limit of the link distance to calculate buffer availability for other ports in the same port group.
TABLE 16 Long-distance settings and license requirements
Value | Description | Extended Fabrics License Required?
L0 | No long-distance setting is enabled. The maximum supported link distance is 10 km, 5 km, or 2.5 km for ports at speeds of 1 Gbps, 2 Gbps, and 4 Gbps, respectively. | No
LE | Extended normal setting is enabled, 10 km (6 miles) or less. | No
LD | Dynamic setting is enabled.
• If the port capability is 2 GB, type a number between 10 and 250, inclusive.
• If the port capability is 1 GB, type a number between 10 and 500, inclusive.
This value is the upper limit for calculating buffer availability for other ports in the same port group. If the actual distance is more than the desired distance, the port operates in buffer-limited mode.
c. Press Enter or click another port entry for the value to be accepted.
6. Click Apply.
Chapter 15 Administering the iSCSI Target Gateway
In this chapter
• iSCSI service overview
• Supported platforms for iSCSI
• Setting up iSCSI Target Gateway Services
• Discovery Domain management
• Discovery domain sets (DDSet)
Supported platforms for iSCSI
The iSCSI target gateway service is supported on the Brocade 48000 director with CP blades running Fabric OS v5.2.0 and later releases, and configured with an FC4-16IP blade.

Common iSCSI Target Gateway Admin functions
Export, Copy, and Search links are displayed at the top of each tab.
NOTE You must accept the Brocade Certificate at the beginning of the login to Web Tools to enable the functionality of Export and Copy.
Terminology
iSCSI target gateway services require you to understand some additional terminology. Following are terms that are used in this document to explain how the iSCSI target gateway is implemented.
TABLE 17 iSCSI gateway services terminology
Term | Definition
iSCSI | Internet-SCSI. A transport carrier of the SCSI protocol over IP.
Saving Changes
There are several ways to save changes on the switch and apply them to the fabric (applies to the iSCSI Target Gateway Admin module only):
• Apply—Click Apply and your changes will be transferred from the Web Tools database to the switch's database and distributed throughout the fabric.
• Abort—Click Abort to cancel the changes before saving them. The configuration is restored to the last saved data point.
FIGURE 93 iSCSI Target Gateway Admin with the Targets tab selected
1. Select a switch from the Fabric Tree and log in, if necessary. The selected switch appears in Switch View. Make sure that your Admin Domain Context is either AD0 or AD255. Generally, the default user Admin Domain is AD0. The recommended practice is to perform all iSCSI management from AD0; you can make changes from AD255, but you will not be able to make any zoning changes.
2.
Launching the iSCSI Setup wizard
1. Select a switch from the Fabric Tree and log in, if necessary. The selected switch appears in Switch View. Make sure that your Admin Domain Context is either AD0 or AD255. Generally, the default user Admin Domain is AD0. The recommended practice is to perform all iSCSI management from AD0; you can make changes from AD255, but you will not be able to make any zoning changes.
2.
Configuring the IP interface
This step configures iSCSI ports (GbE Ports) found on the FC4-16IP. You must have at least one iSCSI port configured to log into the iSCSI target. There are two steps in this process:
• Configure the IP interface for iSCSI port.
• Configure the IP route for the iSCSI port.
The iSCSI Port Group tab allows you to configure iSCSI ports, display session details on a port, and show the port statistics.
1. Open iSCSI Target Gateway Admin as described on page 194.
2. Select the iSCSI Port tab.
3. In the left pane, select the GbE port to use.
4. Select the IP Interface subtab and click Add.
5. Enter the IP address and subnet mask.
6. Enter the MTU size or accept the default MTU size, and click Add.

Editing an IP Address
1. Launch the iSCSI Target Gateway Admin module as described on page 194.
2. Select the iSCSI Port tab.
3.
Configuring the IP route (optional)
1. Launch the iSCSI Target Gateway Admin module as described on page 194.
2. Select the iSCSI Port tab.
3. From the left pane, select the GbE port to use.
4. Select the IP Routes tab.
5. Click Add.
FIGURE 96 Add IP Route dialog box
6. Enter the IP address, subnet mask, gateway IP address, and the metric.
7. Click Add.

Editing the IP route
1. Open the iSCSI Target Gateway Admin as described on page 194.
2.
Creating iSCSI virtual targets
iSCSI virtual target creation is done from the first pane in the iSCSI Target Gateway Admin module. The iSCSI Virtual Target wizard provides two ways to create iSCSI targets: Create and Easy Create. Create allows you to double-check your work several times before committing the changes.
1. Open iSCSI Target Gateway Admin as described on page 194.
2. Select the Targets tab.
3. Click Create. The VT Configuration Wizard opens.
Setting up iSCSI Target Gateway Services 15 Using Easy Create to create iSCSI virtual targets Easy Create is an alternative method for creating iSCSI virtual targets. 1. Open iSCSI Target Gateway Admin as described on page 194. 2. Select the Targets tab. 3. Click Easy Create. FIGURE 98 Easy VT Creation Dialog 4. Follow the instructions in the wizard to create a virtual target in iSCSI. The wizard is self-explanatory, so the individual steps are not described in this document.
15 Setting up iSCSI Target Gateway Services 5. Follow the instructions in the wizard to edit an iSCSI virtual target. The wizard is self-explanatory, so the individual steps are not described in this document. NOTE The Remove LUN(s) button is available only for virtual targets that are fully initialized as a target. Searching for a specific Fibre Channel target The creation wizard has a search function to find specific Fibre Channel targets. 1. Click the Search link. 2.
Discovery Domain management 15 Discovery Domain management You configure discovery domains and discovery domain sets for managing iSCSI device access control. The Discovery Domains pane displays all discovery domains and discovery domain sets and allows you to manage them. When you select DDInfo from the tree in the left pane, you can create a discovery domain.
15 Discovery Domain management In the wizard: • You can configure the DD. You specify the DD name, and then you can add or remove initiators and targets. You can also add any offline device(s) by entering the IQN name in the IQN name field and clicking Add Offline Devices under the list on the right. The offline device name will be added to the Selected List. • You can also filter out initiators and targets from the tree in the Selection List by using the Filter button.
Discovery domain sets (DDSet) 15 Editing a discovery domain 1. Open iSCSI Target Gateway Admin as described on page 194. 2. Select the Discovery Domains tab. 3. Select a DD in the left pane and click Edit. 4. Select virtual targets and use the buttons to add or remove them from the DD. 5. Click Next. The opening screen with a list of virtual targets that you added to your DDs is displayed. 6. Click Next. You can verify the virtual targets that you added to your DDs. 7. Click Finish.
15 CHAP Configuration FIGURE 102 Create DDSet wizard 4. Follow the instructions in the wizard to create an iSCSI discovery domain set. The wizard is self-explanatory, so the individual steps are not described in this document. Editing a Discovery Domain Set 1. Launch the iSCSI Target Gateway Admin module as described on page 194. 2. Select the Discovery Domains tab. 3. Select a DDSet in the left pane and click Edit. 4. Select the discovery domains to add to or remove from the DDSet. 5. Click Finish.
CHAP Configuration 15 FIGURE 103 CHAP tab Creating a CHAP user 1. Launch the iSCSI Target Gateway Admin module as described on page 194. 2. Select the CHAP tab. 3. Click Create. 4. Enter the CHAP user name. Optional: To add more than one user at a time, click Add. 5. Enter a CHAP secret and click Apply. Editing a CHAP secret 1. Launch the iSCSI Target Gateway Admin module as described on page 194. 2. Select the CHAP tab. 3. Click Change CHAP Secret.
15 iSCSI Fibre Channel Zone configuration Binding or Removing CHAP users 1. Launch the iSCSI Target Gateway Admin module as described on page 194. 2. Select the CHAP tab. 3. Click Bind/Remove Chap(s). 4. Select a virtual target. 5. Enter a new CHAP user, if necessary. 6. Select the CHAP users and click Add or Remove to move them into the appropriate list (unassociated or associated CHAP users). 7. Click Apply.
iSCSI Fibre Channel Zone configuration 15 Creating an iSCSI Fibre Channel zone with no effective zone configuration 1. Open iSCSI Target Gateway Admin as described on page 194. 2. Click Create iSCSI Zone. The following dialog box is displayed. FIGURE 104 Create an iSCSI FC zone dialog box 3. Click Yes. The Create iSCSI Zone wizard creates a zone called “ISCSI FC ZONE,” which is not placed into a defined configuration or automatically enabled. 4. Add the ISCSI FC ZONE into a configuration.
5. Click OK. The effective configuration is modified and re-enabled.
Managing and Troubleshooting Accessibility
The Web Tools iSCSI accessibility feature helps you do the following:
• Verify that both host and target are online.
• Verify that the effective discovery domain set has both host and target.
• Allow an initiator or target to access the other.
• Deny an initiator or target to access the other.
Chapter 16 Routing Traffic
In this chapter
• Routing overview
• Viewing Fabric Shortest Path First routing
• Configuring dynamic load sharing
• Specifying frame order delivery
• Configuring the link cost for a port
16 Viewing Fabric Shortest Path First routing FIGURE 105 Routing tab Viewing Fabric Shortest Path First routing The Routing tab of the Switch Administration window displays information about routing paths. 1. Open the Switch Administration window as described on page 41. 2. Click the Routing tab. 3. This step is switch-type specific: For the Brocade 48000 and Brocade DCX and DCX-4S enterprise-class platforms, click a slot number under the FSPF Route category in the navigation tree.
Specifying frame order delivery 16 When the port-based policy is in force, you can enable DLS to optimize routing. When DLS is enabled, it shares traffic among multiple equivalent paths between switches. DLS recomputes load sharing either when a switch boots up or each time an E_Port or FX_Port goes online or offline. Enabling this feature allows a path to be discovered automatically by the FSPF path-selection protocol.
16 Configuring the link cost for a port Configuring the link cost for a port This section describes how to set the cost of an interswitch link (ISL). The cost of a link is a dimensionless positive number. The fabric shortest path first (FSPF) protocol compares the cost of various paths between a source switch and a destination switch by adding the costs of all the ISLs along each path. FSPF chooses the path with minimum cost.
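The cost comparison described above, worked through as an added example (not code from this guide or from Fabric OS): it sums ISL costs along each path between two switches and returns every minimum-cost path, which is the set of equivalent paths that DLS can share traffic among. The topology, domain IDs, and cost values are constructed, and each ISL is assumed to cost the same in both directions.

```python
import heapq

# Constructed sample fabric: (domain_a, domain_b, link_cost). Not values from the guide.
SAMPLE_ISLS = [
    (1, 2, 500), (2, 4, 500),   # path 1-2-4
    (1, 3, 500), (3, 4, 500),   # path 1-3-4
    (1, 4, 2000),               # direct ISL with a high configured cost
]


def min_cost_paths(isls, src, dst):
    """Return (cost, paths): the minimum summed ISL cost from src to dst
    and every path that achieves it. Returns (None, []) if dst is unreachable."""
    graph = {}
    for a, b, cost in isls:
        if cost <= 0:
            # The guide defines link cost as a positive number.
            raise ValueError(f"link cost must be positive: {a}-{b} has {cost}")
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))  # assumption: symmetric cost

    dist = {src: 0}      # best known cost to each switch
    preds = {src: []}    # predecessors on minimum-cost paths
    heap = [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue  # stale heap entry
        for nxt, cost in graph.get(node, []):
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                preds[nxt] = [node]
                heapq.heappush(heap, (nd, nxt))
            elif nd == dist[nxt] and node not in preds[nxt]:
                preds[nxt].append(node)  # equal-cost alternative

    if dst not in dist:
        return None, []

    def walk(node):
        # Rebuild every minimum-cost path by following predecessors back to src.
        if node == src:
            return [[src]]
        return [p + [node] for prev in preds[node] for p in walk(prev)]

    return dist[dst], sorted(walk(dst))


def with_cost(isls, a, b, new_cost):
    """Return a copy of isls with the cost of the ISL between a and b replaced."""
    return [(x, y, new_cost if {x, y} == {a, b} else c) for x, y, c in isls]


if __name__ == "__main__":
    print("baseline:", min_cost_paths(SAMPLE_ISLS, 1, 4))
    print("3-4 raised to 1000:", min_cost_paths(with_cost(SAMPLE_ISLS, 3, 4, 1000), 1, 4))
    print("1-4 lowered to 500:", min_cost_paths(with_cost(SAMPLE_ISLS, 1, 4, 500), 1, 4))
```

Raising the cost of one ISL removes its path from the equal-cost set, and lowering the cost of the direct ISL makes it the only selected path.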
Chapter 17 Configuring Standard Security Features
In this chapter
• User-defined accounts
• Access control list policy configuration
• Authentication policy configuration
• SNMP configuration
• RADIUS service management
User-defined accounts
The User tab of the Switch Administration window (see Figure 106 on page 217) displays account information. You can create and manage accounts depending on your role:
TABLE 18 User role and permissions
Role | Permissions
admin | Create and manage all predefined and user-defined accounts
operator | Change your own password and cannot create, modify, or view predefined or user-defined accounts
securityadmin | Create and manage all security roles.
User-defined accounts 17 FIGURE 106 User tab Viewing user account information 1. Open the Switch Administration window as described on page 41. 2. Click the User tab. A list of the default and user-defined accounts appears. If you are logged in using the switchadmin role, only your account information is displayed. Creating user-defined accounts 1. Open the Switch Administration window as described on page 41. 2. Click the User tab. 3. Click Add. The Add User Account dialog box opens.
FIGURE 107 Add User Account dialog box (VF)
FIGURE 108 Add User Account dialog box (AD)
User-defined accounts 17 4. Type the user name, which must begin with an alphabetic character. The name can be up to 40 characters long. It is case-sensitive and can contain alphabetic and numeric characters, the dot (.) and the underscore (_). It must be different from all other account names on the logical switch. 5. Select a role from the drop-down menu. For VF-enabled switches, the selection is done per logical fabric ID. (See “Role-Based Access Control” on page 16 for information about these roles.
17 User-defined accounts 3. Select the account to remove and click Remove. 4. Click Apply to save your changes. You cannot delete the default accounts. An account cannot delete itself. All active command line interface (CLI) sessions for the deleted account are logged out. Changing user account parameters Use the following procedure to change the role, add or change the description, and enable or disable accounts. Note that you cannot change the user name of the account using this procedure.
User-defined accounts 17 If AD0 is deselected in the user’s Admin Domain list and no other Admin Domains are selected, the next available Admin Domain becomes the user’s default home Admin Domain. 10. Click OK and click Apply to apply your changes. Maintaining passwords When you expire a password, the next time that user logs in, Web Tools requires the user to provide a new password. NOTE You have to own the switch in order to modify password rules.
17 User-defined accounts Setting the rules for passwords 1. Open the Switch Administration window as described on page 41. 2. Click the User tab. 3. Click Set Password Rule. The Configure Password Rule dialog box displays, as shown in Figure 109 on page 222. 4. Fill out the dialog box for the password rules you want to enforce.
User-defined accounts 17 Setting a password as expired 1. Open the Switch Administration window as described on page 41. 2. Click the User tab. 3. Select the account. 4. Click Expire Password. If the button is unavailable, this means the password is already expired. 5. Click Apply to save your changes. Unlocking a password 1. Open the Switch Administration window as described on page 41. 2. Click the User tab. 3. Select the account. 4. Click Unlock Password.
17 User-defined accounts The Role Mapping for that user is displayed (Figure 110).
Access control list policy configuration 17 Access control list policy configuration Support for the Access Control List (ACL) policies is currently defined in the Switch Connection Control (SCC) and Device Connection Control (DCC) policies. SCC and DCC policy configuration in base Fabric OS is performed on a switch-local basis. Fabric Configuration Server (FCS) Policy can be created only once. While creating the FCS policy, the local switch WWN is automatically included in the list.
17 Access control list policy configuration Creating an SCC, DCC, or FCS policy You can create the FCS policy only once. 1. Open the Switch Administration window as described on page 41. 2. Click the Security Policies tab. 3. Select a policy by clicking on the appropriate tab (SCC, DCC, or FCS). 4. Click Edit. This launches the ACL Policy Configuration wizard. 5. Select the policy type you want to edit. 6. Click Next and click Create. 7.
Access control list policy configuration 17 Editing an SCC, DCC, or FCS policy 1. Open the Switch Administration window as described on page 41. 2. Make sure the Show Advanced Mode is selected. 3. Click the Security Policies tab. 4. Select a policy by clicking on the appropriate tab. 5. Click Edit. This launches the ACL Policy Configuration wizard. 6. Select the policy type you want to edit. 7. Click Next and click Modify. 8.
17 Access control list policy configuration Distributing an FCS policy You must perform this procedure to distribute an FCS policy. 1. Open the Switch Administration window as described on page 41. 2. Click the Security Policies tab. 3. Select the FCS tab. 4. Click Distribute Policy. 5. Select the switches to be distributed to. 6. Select OK. If the policy distribution fails, an error dialog box is displayed.
Authentication policy configuration 17 Authentication policy configuration You can configure an authentication protocol policy for E_Port and F_Port authentication, and then distribute the authentication policy to other switches in the fabric. You can also set shared secret keys. Configuring authentication policies for E_Ports 1. Open the Switch Administration window as described on page 41. 2. Click the Security Policies tab. 3. Click Authentication on the Security Policies menu. 4.
17 Authentication policy configuration Distributing authentication policies NOTE You cannot distribute authentication policies in AD0 unless it is the only Admin Domain. 1. Open the Switch Administration window as described on page 41. 2. Click the Security Policies tab. 3. Click Authentication on the Security Policies menu. 4. Click Distribute Policy. 5. Select the switches or click the button to distribute to all. 6. Click OK.
Authentication policy configuration 17 FIGURE 113 Add Shared Secret Keys window 6. Enter the Switch WWN, name, or domain ID, or use the Browse button to select a switch. 7. In the Peer Secret and Confirm Peer Secret fields, enter the peer secret value. 8. In the Local Secret and Confirm Local Secret fields, enter the local secret value. 9. Click Add. 10. When you are finished adding secret key pairs for switches, click Apply.
17 SNMP configuration SNMP configuration This section describes how to manage the configuration of the SNMP agent in the switch. The configuration includes SNMPv1 and SNMPv3 configuration, accessControl, and systemGroup configuration parameters. Access is read-only if you do not have admin or security admin authority. For more information, see the snmpConfig command in the Fabric OS Command Reference. Setting SNMP Trap Levels 1. Open the Switch Administration window as described on page 41. 2.
SNMP configuration 17 Changing the systemGroup configuration parameters 1. Open the Switch Administration window as described on page 41. 2. Click the SNMP tab (see Figure 114). 3. Type a contact name, description, and location in the SNMP Information section. 4. Optional: Select the Enable Authentication Trap check box to allow authentication traps to be sent to the reception IP address. 5. Click Apply. Setting SNMPv1 configuration parameters 1.
17 RADIUS service management 4. Select a permission for the host from the Access Control List menu. Options are Read Only and Read Write. 5. Click Apply. NOTE The port number is not included. RADIUS service management Fabric OS supports RADIUS authentication, authorization, and accounting service (AAA). When configured for RADIUS, the switch becomes a Network Access Server (NAS) that acts as a RADIUS client. In this configuration, authentication records are stored in the RADIUS host server database.
RADIUS service management 17 FIGURE 116 AAA Service tab Enabling and Disabling RADIUS Service At least one RADIUS server must be configured before you can enable RADIUS service. 1. Open the Switch Administration window as described on page 41. 2. Click the AAA Service tab. 3. To enable RADIUS service, select RADIUS from the Primary AAA Service drop-down menu. 4. Select None, Switch Database when RADIUS Login Failed, or Switch Database when RADIUS Login Timeout from the Secondary AAA Service menu.
17 RADIUS service management Configuring the RADIUS Service The configuration is chassis-based, so it applies to all logical switches (domains) on the switch and it is replicated on a standby CP, if one is present. It is saved in a configuration upload, and can be applied to other switches in a configuration download. You should configure at least two RADIUS servers so that if one fails, the other will assume service. You can configure the RADIUS service even if it is disabled.
Active Directory service management 17 Modifying the RADIUS Server Order The RADIUS servers are contacted in the order they are listed, starting from the top of the list and moving to the bottom. 1. Open the Switch Administration window as described on page 41. 2. Click the AAA Service tab. 3. Click a RADIUS server from the RADIUS Configuration list. 4. Click the up and down arrows to rearrange the order of the RADIUS servers. 5. Click Apply.
17 Active Directory service management 4. Select None, Switch Database when Active Directory authentication failed, or Switch Database when Active Directory timeout from the Secondary AAA Service menu. To disable Active Directory service, select Switch Database from the Primary AAA Service dropdown menu and select None from the Secondary AAA Service drop-down menu. 5. Click Apply.
IPSec Concepts
Internet Security Protocol (IPSec) is a set of open standards that provide cryptographic security services for IP networks. Several protocols are available for providing authentication and secure transmission of data. From Web Tools, you can establish IPSec policies for FCIP implementations on 7500 extension switches and FR4-18i blades, and you can establish IPSec policies for IP interfaces that provide management access to switches and control processors.
17 IPSec Concepts Transport mode and tunnel mode Transport mode adds an authentication header (AH) before the IP header. Only a single pair of addresses is used (those in the IP header). When transport mode is used, both endpoints implement IPSec. Tunnel mode encapsulates an IP datagram in a new datagram, with a new IP header specifying the addresses of the tunnel end points. IPSec is implemented between tunnel endpoints.
IPSec Concepts 17 IPSec header options IPSec adds headers to an IP datagram to enable authentication and privacy. There are two options: • Authentication Header (AH) • Encapsulating Security Payload (ESP) Authentication Header AH can be used to authenticate a data stream, but does not provide encryption needed for privacy. The AH contains a message authentication code (MAC). The MAC is created by a hash algorithm calculation. The MAC is transmitted in an IP datagram.
17 IPSec Concepts Basic IPSec configurations There are three basic configurations for IPSec use: • Endpoint to Endpoint. • Gateway to Gateway. • Endpoint to Gateway. Endpoint to Endpoint In an endpoint to endpoint configuration, both endpoints implement IPSec. Transport mode is commonly used in endpoint to endpoint configurations, and only a single pair of addresses is used. Typically, this kind of configuration would be used for direct communication between hosts.
IPSec Concepts 17 Internet Key Exchange (IKE) Concepts Key exchange is used to authenticate the end points of an IP connection, and to determine security policies for IP traffic over the connection. The initiating node proposes a policy based on the following: • An encryption algorithm to protect data. • A hash algorithm to check the integrity of the authentication data. • A Pseudo-Random Function (PRF) algorithm that can be used with the hash algorithm for additional cryptographic strength.
17 IPSec Concepts PRF (Pseudo-Random Function) Algorithm The PRF algorithm generates output that appears to be random data, using the HMAC chosen as the hash algorithm as the seed value. PRF is used to strengthen security. Public key certificate-based authentication Industry standard X.500 database servers are available as certificate authority servers to enable certificate-based authentication of computers.
IPSec Concepts 17 Authentication methods The methods used to authenticate the IKE peer are preshared key (psk), DSS digital signature (dss), and RSA digital signature (rsasig). • A Preshared key (PSK) is a shared secret that is shared between two parties over a secure channel before it is used. Typically, the PSK is a password or pass phrase. PSKs are created in the end systems used by the two parties.
IPSec over FCIP
7500 extension switches and FR4-18i blades use the FCIP protocol to carry Fibre Channel traffic over IP networks. IPSec can be used to secure the IP flows over an FCIP tunnel. At a high level, the steps to take are as follows:
• Access the IPSec Policies dialog box.
• Create an IKE policy for authentication.
• Create a security association (SA).
• Create an SA proposal.
• Add an IPSec Transform policy, referencing the IKE policy and the SA proposal.
IPSec over FCIP 17 Establishing an IKE policy for an FCIP tunnel 1. From the IKE tab of the IPSec Policies screen, select Create. An Add Policy dialog box is displayed (Figure 121). FIGURE 121 Add Policy (IKE for FCIP) 2. Policy Type provides a way to toggle between IKE and IPSec Add Policy dialog boxes. Make sure the Policy Type is set to IKE. 3. Assign a policy number. The Policy Number selector allows you to choose a number between 1 and 32. 4. Choose the Encryption Algorithm used in this policy.
Establishing an IPSec policy for an FCIP tunnel
1. Select the IPSec tab. The IPSec Policies window is displayed.
2. Select Create. An Add Policy dialog box is displayed (Figure 122).
FIGURE 122 Add Policy (IPSec over FCIP)
3. Policy Type provides a way to toggle between IKE and IPSec Add Policy dialog boxes. Make sure the Policy Type is set to IPSEC.
4. Assign a policy number. The Policy Number selector allows you to choose a number between 1 and 32.
5.
IPSec over management ports
IPSec can be applied to the management port on a switch or a CP blade to establish a secure connection between a PC or workstation and Web Tools. The connection can be used as a virtual private network (VPN) interface to Web Tools. At a high level, the steps to take are as follows:
• Access the Ethernet IPSec Policies dialog box.
• Enable IPSec.
• Create an IKE policy for authentication.
• Create a security association (SA).
17 IPSec over management ports Enabling IPSec Ethernet IPSec policies can be configured only after enabling IPSec by clicking the Enable button below the Ethernet IPSec policies table (refer to Figure 123). Establishing an IKE policy When you establish an IKE policy, you identify a set of algorithms and authentication rules and parameters to use in a key exchange. 1. Select the IKE tab on the IPSec Policies window for Ethernet IPSec. The Add IKE Policy dialog box is displayed (Figure 124).
5. Type the identifier of the remote peer switch in Peer Identifier. This is normally the IP address in IPv4 or IPv6 format, but it may also be a DNS name.
6. Choose the Encryption Algorithm. The choices are 3des_cbc, null_enc, aes128_cbc, and aes256_cbc.
7. Choose the Hash Algorithm. The choices are hmac_md5 and hmac_sha1.
8. Choose the PRF Algorithm. The choices are hmac_md5 and hmac_sha1.
9. Choose the DH Group Number.
17 IPSec over management ports 4. Type a name for the SA in the SA Name field. 5. Choose the IPSec Protocol. The choices are ah (for authentication header) and esp (for encapsulated security protocol). 6. Choose the Authentication Algorithm. The choices are hmac_md5, hmac_sha1, and AES_xcbc. 7. Choose the Encryption Algorithm. The choices are 3des_cbc, aes_128, and aes_256. 8. Optionally, type an SPI number.
IPSec over management ports 17 3. Type a name in the SA Proposal Name field. 4. Type the SAs in the SA(s) to use field. 5. Optionally, define SA lifetime parameters. The SA lifetime may be defined as a time value in seconds (LifeTime in seconds), as the number of bytes transmitted before the SA is rekeyed (LifeTime in bytes), or both. When both are used, the SA lifetime is determined by which threshold is reached first. 6. Click OK.
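A review check for the IKE policy, SA, and SA lifetime settings described in the preceding steps, as an added example that is not part of this guide or of Web Tools. The option lists are the ones this guide gives for each dialog box; the dictionary keys, the WEAK table (a reviewer's judgement about which offered values to flag), and the sample policies are assumptions made for illustration.

```python
# Choices offered by the Add IKE Policy and Add SA dialog boxes, as listed in this guide.
IKE_CHOICES = {
    "encryption": {"3des_cbc", "null_enc", "aes128_cbc", "aes256_cbc"},
    "hash": {"hmac_md5", "hmac_sha1"},
    "prf": {"hmac_md5", "hmac_sha1"},
}
SA_CHOICES = {
    "protocol": {"ah", "esp"},
    "auth": {"hmac_md5", "hmac_sha1", "AES_xcbc"},
    "encryption": {"3des_cbc", "aes_128", "aes_256"},
}

# Reviewer judgement (an assumption, not stated in the guide): values worth a finding.
WEAK = {
    "null_enc": "no encryption, payload travels in the clear",
    "hmac_md5": "MD5-based, prefer a stronger choice from the same list",
    "3des_cbc": "64-bit block cipher, prefer an AES choice",
}


def _check(settings, choices, skip=()):
    """Return (field, severity, message) tuples for one policy dict."""
    findings = []
    for field, allowed in choices.items():
        if field in skip:
            continue
        value = settings.get(field)
        if value not in allowed:
            findings.append((field, "invalid", f"{value!r} is not an offered choice"))
        elif value in WEAK:
            findings.append((field, "weak", WEAK[value]))
    return findings


def lint_ike(policy):
    """Check the encryption, hash and PRF algorithm of an IKE policy."""
    return _check(policy, IKE_CHOICES)


def lint_sa(sa):
    """Check an SA. For AH the encryption field is skipped, because AH
    authenticates the data stream but does not encrypt it."""
    is_ah = sa.get("protocol") == "ah"
    findings = _check(sa, SA_CHOICES, skip=("encryption",) if is_ah else ())
    if is_ah:
        findings.append(("protocol", "info", "AH provides no encryption for privacy"))
    return findings


def sa_rekey_reason(elapsed_seconds, bytes_sent, lifetime_seconds=None, lifetime_bytes=None):
    """Return 'seconds' or 'bytes' once a configured lifetime is reached, else None.
    With both lifetimes set, whichever threshold is reached first ends the SA,
    so meeting either one is sufficient."""
    if lifetime_seconds is not None and elapsed_seconds >= lifetime_seconds:
        return "seconds"
    if lifetime_bytes is not None and bytes_sent >= lifetime_bytes:
        return "bytes"
    return None


# Constructed sample settings.
WEAK_IKE = {"encryption": "null_enc", "hash": "hmac_md5", "prf": "hmac_sha1"}
STRONG_IKE = {"encryption": "aes256_cbc", "hash": "hmac_sha1", "prf": "hmac_sha1"}
WEAK_SA = {"protocol": "esp", "auth": "hmac_md5", "encryption": "3des_cbc"}
AH_SA = {"protocol": "ah", "auth": "hmac_sha1"}
# aes128_cbc is an IKE choice; the SA dialog spells the AES options aes_128 and aes_256.
MISNAMED_SA = {"protocol": "esp", "auth": "hmac_sha1", "encryption": "aes128_cbc"}

if __name__ == "__main__":
    for name, result in (
        ("WEAK_IKE", lint_ike(WEAK_IKE)),
        ("STRONG_IKE", lint_ike(STRONG_IKE)),
        ("WEAK_SA", lint_sa(WEAK_SA)),
        ("AH_SA", lint_sa(AH_SA)),
        ("MISNAMED_SA", lint_sa(MISNAMED_SA)),
    ):
        print(name, result or "no findings")
    print(sa_rekey_reason(100, 5000, lifetime_seconds=3600, lifetime_bytes=4096))
```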
The Add Transform dialog box is displayed (Figure 128).
FIGURE 128 Add Transform dialog box
3. Type a name in the Transform Name field.
4. Choose the IPSec Mode. The choices are Transport or Tunnel.
5. Select the SA Proposal name.
6. Select the IPSec Protection Type. The choices are discard, bypass, and protect.
   - Discard causes data packets to be rejected if there is an invalid pair of source and destination addresses or invalid port addresses.
7.
IPSec over management ports 17 Adding an IPSec selector Selectors are used to apply transform policies to an IP flow. Flows are uni-directional. Selectors are associated with a specific source IP address, a specific peer IP address, and a specific transform. 1. Select the Selectors tab. The Selectors screen is displayed (Figure 129). FIGURE 129 Selectors tab 2. Select Add.
17 IPSec over management ports The Add Selector dialog box is displayed. FIGURE 130 Add Selector dialog box 3. Type a name in the Selector Name field. 4. Select the Traffic Flow Direction (in or out). IPSec policies are unidirectional, and must be applied separately to inbound and outbound flows. 5. Type the IP address of the sender in the Source IP Address field. 6. Type the IP address of the receiver in the Peer IP Address field. 7. Choose the Transform Name. 8.
Manually creating an SA
You can manually create a security association (SA).
1. Select the SA(Manual) tab.
2. Select Add. The Add Manual-SA dialog box is displayed (Figure 131).
FIGURE 131 Add Manual-SA dialog box
3. Type a security parameter index number in the SPI (Hexadecimal) field. The SPI must be manually applied when manually adding an SA.
4. Enter the IP address of the endpoint that sends the SA in the Source IP Address field.
5.
8. Choose the IPSec Mode. The choices are Transport or Tunnel. Refer to “Transport mode and tunnel mode” if you are unfamiliar with Transport and Tunnel modes.
9. Choose the IPSec Protocol. The choices are ah (for authentication header) and esp (for encapsulated security protocol).
10. Choose the IPSec Protection Type. The choices are discard, bypass, or process.
5. Select the policy or policies you want to delete.
6. Select Delete.
7. The policy is deleted from the SA database (SADB), and is removed from the list.
Establishing authentication policies for HBAs
To establish and enable authentication policies for HBAs as they log in to a fabric, do the following.
1. Open the Switch Administration window.
2. Select Show Advanced Mode.
3. Select the Security Policies tab.
4.
17 Establishing authentication policies for HBAs 10. Click Apply. 11. If your authentication method uses a shared secret, select the Shared Secret Keys tab. The Shared Secret Keys screen is displayed (Figure 133). FIGURE 133 Device authentication Shared Secret Keys tab 12. Select Add. The Add Shared Secret Keys dialog box is displayed. 13. Browse to select the switch WWN or name and domain ID, or type the switch WWN or name and domain ID in the Switch WWN: Name/Domain ID field. 14.
Establishing authentication policies for HBAs 17 15. Enter the shared secret for the peer device (an HBA in this case) in the Peer Shared Secret and Confirm Peer Shared Secret fields. 16. Enter the shared secret for switch in the Local Shared Secret and Confirm Local Shared Secret fields. 17. Click Add. An entry is added in the Switch WWN box. 18. Click OK. 19. Add more shared secrets if needed.
Chapter 18 Administering FICON CUP Fabrics
In this chapter
• FICON CUP fabrics overview
• Enabling port-based routing
• Enabling or disabling FICON Management Server mode
• FMS parameter configuration
• Displaying code page information
18 Enabling port-based routing • Manage port connectivity configuration You do not need to install the FICON CUP license to perform FICON CUP management; you must install the FICON CUP license, however, if your switch is to enforce traffic between the FICON director and the host-based management program. Enabling port-based routing Port-based path selection is a routing policy in which paths are chosen based on ingress port and destination only. This also includes user-configured paths.
Enabling or disabling FICON Management Server mode 18 FIGURE 134 FICON CUP management Enabling or disabling FICON Management Server mode FICON Management Server (FMS) is used to support switch management using CUP. To be able to use the CUP functionality, all switches in the fabric must have FICON Management Server mode (FMS mode) enabled. FMS mode is a per-switch setting. After FMS mode is enabled, you can activate a CUP license without rebooting the director.
18 FMS parameter configuration The FICON CUP tabbed page displays the FICON Management Server page, as shown in Figure 134. All attributes on this tab are disabled until FMS mode is enabled. 5. Click Enable in the FICON Management Server Mode section to enable FMS mode or click Disable to disable FMS mode. 6. Click Apply to save your changes.
TABLE 22 FMS mode parameter descriptions (Continued)
Parameter | Description
Director Clock Alert Mode | Controls behavior for attempts to set the switch timestamp clock through the director console. When it is enabled, the director console (Web Tools, in this case) displays warning indications when the switch timestamp is changed by a user application. When it is disabled, you can activate a function to automatically set the timestamp clock.
18 Viewing the control device state Viewing the control device state The control device is in either a neutral or a switched state. When it is neutral, the control device accepts commands from any channel that has established a logic path with it and accepts commands from alternate managers. When the control device is switched, it establishes a logical path and accepts commands only from that logical path (“device allegiance”). Commands from other paths cause a FICON CUP Busy Error.
CUP port connectivity configuration 18 CUP port connectivity configuration In the Port Connectivity subpanel, you can manage the configuration files and active configuration. All CUP configuration files and the active configuration are listed in a table. The active configuration is listed as “Active Configuration*” and the description in the table is “Current active configuration on switch.” The other special configuration file is the IPL.
18 CUP port connectivity configuration • To create a new configuration, click New. The Create Port CUP Connectivity Configuration dialog box displays all ports and port names on the selected switch (similar to the dialog box shown in Figure 136). The Block column, Prohibit column, and prohibited ports matrix are displayed as empty, for you to configure. • To edit an existing configuration, click the configuration, and then click Edit.
CUP port connectivity configuration 18 FIGURE 136 Port CUP Connectivity Configuration dialog box Activating a CUP Port Connectivity Configuration When you activate a saved CUP port connectivity configuration on the switch, the preceding configuration (currently activated) is overwritten. 1. Open the CUP port connectivity configuration list. 2. Click the saved configuration from the list. 3. Click Activate. The Activate CUP Port Connectivity Configuration confirmation dialog box opens.
18 Displaying Request Node Identification Data (RNID) 3. Click Copy. The Copy CUP Port Connectivity Configuration dialog box displays. 4. In the dialog box, type a name and description for the new configuration and click OK to save the configuration to the target file; click Cancel to cancel copying the configuration. The file name must be in alphanumeric characters and can contain only dashes or underscores as special characters.
RNID information for attached FICON devices and channel paths displays on the Name Server view. To view this information, click Name Server to display the Name Server view. Ports that completed an RNID exchange display FICON in the Capability column.
Chapter 19 Limitations

General Web Tools limitations

Table 23 lists general Web Tools limitations that apply to all browsers and switch platforms.

TABLE 23 Web Tools limitations

Area: Blade Failure
Details: If a blade fails on the switch, the Web Tools interface can still display slot and ports as healthy.

Area: Firmware download
Details: There are multiple phases to firmware download and activation. When Web Tools reports that firmware download completed successfully, this indicates that a basic sanity check, package retrieval, package unloading, and verification were successful. Web Tools forces a full package install. A reboot is required to activate the newly downloaded firmware.

Area: Loss of Connection
Details: Occasionally, you might see the following message when you try to retrieve data from the switch or send a request to the switch:
    Switch Status Checking
    The switch is not currently accessible.
The dialog title may vary, because it indicates which module is having the problem. This is caused by the loss of HTTP connection with the switch, due to a variety of possible problems.

Area: Refresh option in browsers
Details: Web Tools must be restarted when the Ethernet IP address is changed using the NetworkConfig View command. Web Tools appears to hang if it is not restarted after this operation is executed. Workaround: Restart the browser.