53-1002745-02 25 March 2013 Fabric OS Administrator’s Guide Supporting Fabric OS 7.1.
Copyright © 2013 Brocade Communications Systems, Inc. All Rights Reserved. ADX, AnyIO, Brocade, Brocade Assurance, the B-wing symbol, DCX, Fabric OS, ICX, MLX, MyBrocade, OpenScript, VCS, VDX, and Vyatta are registered trademarks, and HyperEdge, The Effortless Network, and The On-Demand Data Center are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned may be trademarks of their respective owners.
Contents (High Level)
Section I: Standard Features
  Chapter 1  Understanding Fibre Channel Services  43
  Chapter 2  Performing Basic Configuration Tasks  55
  Chapter 3  Performing Advanced Configuration Tasks  79
  Chapter 4  Routing Traffic  111
  Chapter 5  Managing User Accounts
  Appendix A  Port Indexing  611
  Appendix B  FIPS Support  615
  Appendix C  Hexadecimal Conversion

Contents
About This Document
  How this document is organized  33
  Supported hardware and software  34
  What's new in this document  35
  Document conventions  36
  Notice to the reader
Chapter 2  Performing Basic Configuration Tasks
  Fabric OS overview  55
  Fabric OS command line interface  56
    Console sessions using the serial port  56
    Telnet or SSH sessions  57
    Getting help on a command
Chapter 3  Performing Advanced Configuration Tasks
  Port Identifiers (PIDs) and PID binding overview  79
    Core PID addressing mode  80
    Fixed addressing mode  80
    10-bit addressing mode  80
    256-area addressing mode  81
    WWN-based PID assignment
  Audit log configuration  107
    Verifying host syslog prior to configuring the audit log  108
    Configuring an audit log for specific event classes  108
  Duplicate PWWN handling during device login  109
    Setting the behavior for handling duplicate PWWNs  110
Chapter 4  Routing Traffic
  Routing overview
  Local database user accounts  137
    Default accounts  138
    Local account passwords  139
  Local user account database distribution  140
    Distributing the local user database  140
    Accepting distributed user databases on the local switch
  Telnet protocol  190
    Blocking Telnet  190
    Unblocking Telnet  191
  Listener applications  192
  Ports and applications used by switches  192
  Port configuration
  IP Filter policy  217
    Creating an IP Filter policy  218
    Cloning an IP Filter policy  218
    Displaying an IP Filter policy  218
    Saving an IP Filter policy  218
    Activating an IP Filter policy
Chapter 9  Installing and Maintaining Firmware
  Firmware download process overview  255
    Upgrading and downgrading firmware  257
    Considerations for FICON CUP environments  257
    HA sync state  257
  Preparing for a firmware download  258
    Obtaining and decompressing firmware
  Limitations and restrictions of Virtual Fabrics  288
    Restrictions on XISLs  289
    Restrictions on moving ports  289
  Enabling Virtual Fabrics mode  290
  Disabling Virtual Fabrics mode  290
  Configuring logical switches to use basic configuration values
  Zone creation and maintenance  316
    Displaying existing zones  316
    Creating a zone  316
    Adding devices (members) to a zone  317
    Removing devices (members) from a zone  318
    Replacing zone members
  General rules for TI zones  356
    Traffic Isolation Zone violation handling for trunk ports  357
  Supported configurations for Traffic Isolation Zoning  358
    Additional configuration rules for enhanced TI zones  358
    Trunking with TI zones  359
  Limitations and restrictions of Traffic Isolation Zoning
  Changing bottleneck detection parameters  384
    Examples of applying and changing bottleneck detection parameters  385
  Advanced bottleneck detection settings  388
  Excluding a port from bottleneck detection  389
  Displaying bottleneck statistics
Chapter 16  Dynamic Fabric Provisioning: Fabric-Assigned PWWN
  Introduction to Dynamic Fabric Provisioning using FA-PWWN  425
  User- and auto-assigned FA-PWWN behavior  426
    Checking for duplicate FA-PWWNs  426
  Configuring FA-PWWNs  426
    Configuring an FA-PWWN for an HBA connected to an Access Gateway
  SAN management with Admin Domains  454
    CLI commands in an AD context  455
    Executing a command in a different AD context  455
    Displaying an Admin Domain configuration  456
    Switching to a different Admin Domain context  456
    Admin Domain interactions with other Fabric OS features  457
    Admin Domains, zones, and zone databases
  Ports on Demand  483
    Displaying installed licenses  484
    Activating Ports on Demand  485
    Dynamic Ports on Demand  485
    Displaying the port license assignments  486
    Enabling Dynamic Ports on Demand
  Top Talker monitors  510
    Top Talker monitors and FC-FC routing  511
    Limitations of Top Talker monitors  512
    Adding a Top Talker monitor to a port (port mode)  513
    Adding Top Talker monitors on all switches in the fabric (fabric mode)
Chapter 22  Managing Trunking Connections
  Trunking overview  533
    Types of trunking  534
    Masterless trunking  534
    License requirements for trunking  535
    Port groups for trunking
  Buffer credit management  555
    Buffer-to-buffer flow control  555
    Optimal buffer credit allocation  556
    Fibre Channel gigabit values reference definition  557
    Buffer credit allocation based on full-size frames  557
    Allocating buffer credits based on average-size frames
  LSAN zone configuration  590
    Use of Admin Domains with LSAN zones and FC-FC routing  590
    Zone definition and naming  590
    LSAN zones and fabric-to-fabric communications  591
    Controlling device communication with the LSAN  591
    Configuring backbone fabrics for interconnectivity  593
    Setting the maximum LSAN count
Figures
  Figure 1  Well-known addresses  43
  Figure 2  Identifying the blades  98
  Figure 3  Blade swap with Virtual Fabrics during the swap  99
  Figure 4  Blade swap with Virtual Fabrics after the swap
  Figure 36  Illegal ETIZ configuration: two paths from one port to two devices on the same remote domain  351
  Figure 37  Illegal ETIZ configuration: two paths from one port  352
  Figure 38  Traffic Isolation Zoning over FCR  353
  Figure 39  TI zone in an edge fabric
  Figure 77  MetaSAN with imported devices  576
  Figure 78  Sample topology (physical topology)  577
  Figure 79  EX_Port phantom switch topology  578
  Figure 80  Example of setting up Speed LSAN tag  596
  Figure 81  LSAN zone binding
Tables
  Table 1  Daemons that are automatically restarted  53
  Table 2  Terminal port parameters  57
  Table 3  Help topic contents  59
  Table 4  fabricShow fields
  Table 37  Supported services  220
  Table 38  Implicit IP Filter rules  222
  Table 39  Default IP policy rules  222
  Table 40  Interaction between fabric-wide consistency policy and distribution settings
  Table 78  VCs assigned to QoS priority for frame prioritization in CS_CTL auto mode  521
  Table 79  Trunking over long-distance for the Backbones and blades  541
  Table 80  F_Port masterless trunking considerations  546
  Table 81  PWWN format for F_Port and N_Port trunk ports  548
  Table 82  Fibre Channel data frames
About This Document
In this chapter
• How this document is organized
• Supported hardware and software
• What's new in this document
• Document conventions
• Notice to the reader
• Chapter 11, "Administering Advanced Zoning," provides procedures for use of the Brocade Advanced Zoning feature.
• Chapter 12, "Traffic Isolation Zoning," provides concepts and procedures for use of Traffic Isolation Zones within a fabric.
• Chapter 13, "Bottleneck Detection," describes how you can detect and configure alert thresholds for latency and congestion bottlenecks in the fabric.
The following hardware platforms are supported by this release of Fabric OS:
• Fixed-port switches:
  - Brocade 300 switch
  - Brocade 5100 switch
  - Brocade 5300 switch
  - Brocade 5410 embedded switch
  - Brocade 5424 embedded switch
  - Brocade 5430 embedded switch
  - Brocade 5450 embedded switch
  - Brocade 5460 embedded switch
  - Brocade 5470 embedded switch
  - Brocade 5480 embedded switch
  - Brocade 6505 switch
  - Brocade 6510 switch
  - Brocade 6520 switch
  - Brocade 7800 extension switch
  - Brocade 8000 FCoE switch
  - Br
• Updated the Note in "In-flight encryption and compression overview" on page 393.
• In "Encryption and compression restrictions" on page 394, clarified the restriction about the number of ports supported.
• Corrected the "Example of enabling encryption and compression on an E_Port" on page 407 so that you activate authentication after setting up the DH-CHAP secret.
• In "Frame monitoring" on page 505, added information about static offsets.
variable   Variables are printed in italics. In the help pages, values are underlined or enclosed in angled brackets < >.
...        Repeat the previous element, for example "member[;member...]".
value      Fixed values following arguments are printed in plain font. For example, --show WWN
|          Boolean. Elements are exclusive. Example: --show -mode egress | ingress
Notes, cautions, and warnings
The following notices and statements are used in this manual.
Corporation                          Referenced Trademarks and Products
Microsoft Corporation                Windows, Windows NT, Internet Explorer
Mozilla Corporation                  Mozilla, Firefox
Netscape Communications Corporation  Netscape
Red Hat, Inc.                        Red Hat, Red Hat Network, Maximum RPM, Linux Undercover
Sun Microsystems, Inc.               Sun, Solaris
Additional information
This section lists additional Brocade and industry-specific documentation that you might find helpful.
Brocade resources
To get up-to-the-minute information, go to http://my.
1. General Information
• Switch model
• Switch operating system version
• Error numbers and messages received
• supportSave command output
• Detailed description of the problem, including the switch or fabric behavior immediately following the problem, and specific questions
• Description of any troubleshooting steps already performed and the results
• Serial console and Telnet session logs
• syslog message logs
2.
Document feedback Quality is our first concern at Brocade and we have made every effort to ensure the accuracy and completeness of this document. However, if you find an error or an omission, or you think that a topic needs further development, we want to hear from you. Forward your feedback to: documentation@brocade.com Provide the title and version number of the document and as much detail as possible about your comment, including the topic heading and page number and your suggestions for improvement.
Section I: Standard Features
This section describes standard Fabric OS features, and includes the following chapters:
• Chapter 1, "Understanding Fibre Channel Services"
• Chapter 2, "Performing Basic Configuration Tasks"
• Chapter 3, "Performing Advanced Configuration Tasks"
• Chapter 4, "Routing Traffic"
• Chapter 5, "Managing User Accounts"
• Chapter 6, "Configuring Protocols"
• Chapter 7, "Configuring Security Policies"
• Chapter 8, "Maintaining the Switch Configuration File"
• Chapter 9, "Installing
Chapter 1  Understanding Fibre Channel Services
In this chapter
• Fibre Channel services overview
• Management server
• Platform services
• Management server database
• Topology discovery
Management server — The management server provides a single point for managing the fabric. This is the only service that users can configure. See "Management server" below for more details.
Alias server — The alias server keeps a group of nodes registered as one name to handle multicast groups.
Broadcast server — The broadcast server is optional. When frames are transmitted to this address, they are broadcast to all operational N_ and NL_Ports.
Platform services and Virtual Fabrics
Each logical switch has a separate platform database. All platform registrations done to a logical switch are valid only in that particular logical switch's Virtual Fabric. Activating the platform services on a switch activates the platform services on all logical switches in a Virtual Fabric. Similarly, deactivating the platform services deactivates the platform service on all logical switches in a Virtual Fabric.
If the list is empty (the default), the management server is accessible to all systems connected in-band to the fabric. For more access security, you can specify WWNs in the ACL so that access to the management server is restricted to only those WWNs listed. The ACL matches on the WWN a device presents when it logs in to the fabric; it is an allowlist, not an authentication mechanism, so pair it with device authentication (DH-CHAP) where the attached devices support it.
NOTE
The management server is logical switch-capable. All management server features are supported within a logical switch.
Example of adding a member to the management server ACL
switch:admin> msconfigure
0  Done
1  Display the access list
2  Add member based on its Port/Node WWN
3  Delete member based on its Port/Node WWN
select : (0..3) [1] 2
Port/Node WWN (in hex): [00:00:00:00:00:00:00:00] 20:00:00:20:37:65:ce:aa
*WWN is successfully added to the MS ACL.
0  Done
1  Display the access list
2  Add member based on its Port/Node WWN
3  Delete member based on its Port/Node WWN
select : (0..
5. At the "select" prompt, enter 1 to display the access list so you can verify that the WWN you entered was deleted from the ACL.
6. After verifying that the WWN was deleted correctly, enter 0 at the "select" prompt to end the session.
7. At the "Update the FLASH?" prompt, enter y.
8. Press Enter to update the nonvolatile memory and end the session.
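The add and delete procedures above are interactive menu sessions, and a mistyped WWN silently becomes a useless ACL entry while the intended host stays locked out (or, if the list ends up empty, every in-band device regains access). The following Python is an added example, not Brocade code: it validates each WWN offline, diffs the current ACL (assumed to have been copied from the output of option 1) against the desired allowlist, and emits the exact sequence of answers to give at the msconfigure prompts. The menu numbers, the WWN prompt format and the closing "0 / Update the FLASH? y / Enter" sequence are taken from the session shown above; everything else (the function names, the sample WWNs) is assumed for the example.

```python
"""Plan the msconfigure answers needed to bring the management server ACL to an allowlist.

Added example; this is not Brocade code. The menu numbers (0 Done, 1 Display the access
list, 2 Add member, 3 Delete member), the WWN prompt format and the final
"Update the FLASH?" / Enter sequence come from the session shown in the guide. The list
of current ACL members is assumed to have been copied from the output of option 1.
"""
import re

# Eight colon-separated hex octets, as msconfigure displays and accepts them.
WWN_RE = re.compile(r"^(?:[0-9a-f]{2}:){7}[0-9a-f]{2}$")
PROMPT_DEFAULT = "00:00:00:00:00:00:00:00"   # the default shown at the WWN prompt


def normalize_wwn(wwn: str) -> str:
    """Return the WWN as lower-case xx:xx:...:xx, or raise ValueError.

    Also accepts the 16-digit unpunctuated form some HBA tools print, so a value pasted
    from a host inventory is validated before it is typed into the switch.
    """
    s = wwn.strip().lower()
    if re.fullmatch(r"[0-9a-f]{16}", s):
        s = ":".join(s[i:i + 2] for i in range(0, 16, 2))
    if not WWN_RE.match(s):
        raise ValueError(f"not a WWN: {wwn!r}")
    if s == PROMPT_DEFAULT:
        raise ValueError("the all-zero WWN is the prompt default, not a device")
    return s


def plan_acl_changes(current, desired, allow_open=False):
    """Return (to_add, to_delete) as sorted lists of normalized WWNs.

    An empty desired list would leave the ACL empty, which makes the management server
    reachable from every in-band device, so it is refused unless allow_open=True.
    """
    have = {normalize_wwn(w) for w in current}
    want = {normalize_wwn(w) for w in desired}
    if not want and not allow_open:
        raise ValueError("refusing to empty the MS ACL; pass allow_open=True to confirm")
    return sorted(want - have), sorted(have - want)


def msconfigure_answers(current, desired, allow_open=False):
    """Return the answers to give, in order, at the msconfigure prompts.

    Deletions are issued before additions, a display (1) follows so the operator can
    verify the result, then 0 (Done), y at "Update the FLASH?", and Enter.
    """
    to_add, to_delete = plan_acl_changes(current, desired, allow_open)
    answers = []
    for wwn in to_delete:
        answers += ["3", wwn]          # 3 = Delete member based on its Port/Node WWN
    for wwn in to_add:
        answers += ["2", wwn]          # 2 = Add member based on its Port/Node WWN
    answers += ["1", "0", "y", ""]     # display, done, write to flash, Enter
    return answers


if __name__ == "__main__":
    # Constructed sample: one stale entry to remove, one new host (unpunctuated WWN) to add.
    current = ["20:00:00:20:37:65:ce:aa", "10:00:00:60:69:20:15:75"]
    desired = ["20:00:00:20:37:65:ce:aa", "100000051E1234AB"]
    print("\n".join(msconfigure_answers(current, desired)))
```

Type the printed answers one per prompt, and compare the option 1 listing against the desired list before answering y at the flash prompt; the script deliberately refuses to produce a plan that empties the ACL unless told to.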
Number of Associated Node Names: 1
Associated Node Names: 10:00:00:60:69:20:15:75
Clearing the management server database
Use the following procedure to clear the management server database:
NOTE
The command msPlClearDb is allowed only in AD0 and AD255.
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the msPlClearDb command.
3. Enter y to confirm the deletion. The management server platform database is cleared.
*MS Topology Discovery enabled locally.
*MS Topology Discovery Enable Operation Complete!!
Disabling topology discovery
Use the following procedure to disable topology discovery:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the appropriate following command based on how you want to disable discovery:
• For the local switch, enter the mstdDisable command.
• For the entire fabric, enter the mstdDisable all command.
Device login
A device can be storage, a host, or a switch. When new devices are introduced into the fabric, they must be powered on and, if a host or storage device, connected to a switch. Switch-to-switch logins (using the E_Port) are handled differently than storage and host logins. E_Ports exchange different frames than the ones listed below with the Fabric Controller to access the fabric. Once storage and host devices are powered on and connected, the following logins occur:
1.
Fabric login process
A device performs a fabric login (FLOGI) to determine if a fabric is present. If a fabric is detected, the device exchanges service parameters with the fabric controller. A successful FLOGI sends back the 24-bit address for the device in the fabric. The device must issue and successfully complete a FLOGI command before communicating with other devices in the fabric.
Duplicate Port World Wide Name
According to Fibre Channel standards, the Port World Wide Name (PWWN) of a device cannot overlap with that of another device, thus having duplicate PWWNs within the same fabric is an illegal configuration. If a PWWN conflict occurs with two devices attached to the same domain, Fabric OS handles device login in such a way that only one device may be logged in to the fabric at a time.
TABLE 1  Daemons that are automatically restarted (Continued)
Daemon      Description
webd        Webserver daemon used for WebTools (includes httpd as well).
weblinkerd  Weblinker daemon provides an HTTP interface to manageability applications for switch management and fabric discovery.
Chapter 2  Performing Basic Configuration Tasks
In this chapter
• Fabric OS overview
• Fabric OS command line interface
• Password modification
• The switch Ethernet interface
Although many different software and hardware configurations are tested and supported by Brocade Communications Systems, Inc., documenting all possible configurations and scenarios is beyond the scope of this document. In some cases, earlier releases are highlighted to present considerations for interoperating with them. The hardware reference manuals for Brocade products describe how to power up devices and set their IP addresses.
• In a Windows environment enter the following parameters:
TABLE 2  Terminal port parameters
Parameter        Value
Bits per second  9600
Databits         8
Parity           None
Stop bits        1
Flow control     None
• In a UNIX environment, enter the following string at the prompt:
tip /dev/ttyb -9600
If ttyb is already in use, use ttya instead and enter the following string at the prompt:
tip /dev/ttya -9600
Telnet or SSH sessions
You can connect to the Fabric OS through a Telnet or SSH
Connecting to Fabric OS using Telnet
Telnet carries the login credentials and the whole session in cleartext; use SSH wherever the management network allows it, and see "Blocking Telnet" in Chapter 6 to disable the Telnet listener once SSH access is confirmed. Use the following procedure to connect to the Fabric OS using Telnet:
1. Connect to the switch that is appropriate for your fabric:
• If Virtual Fabrics is enabled, log in using an admin account assigned the chassis-role permission.
• If Virtual Fabrics is not enabled, log in using an account assigned to the admin role.
2.
The commands in the following table provide help files for the indicated specific topics.
Example cliHistory command output from admin login
switch:admin> clihistory
CLI history
Date & Time                  Message
Thu Sep 27 10:14:41 2012     admin, 10.70.12.101, clihistory
Thu Sep 27 10:14:48 2012     admin, 10.70.12.101, clihistory --show
switch:admin>
cliHistory --show
Using the "--show" argument displays the same results as entering "cliHistory" without any arguments.
Notes:
• SSH login CLI logs are not recorded in the command line history.
• The CLI command log will be collected as part of any "supportsave" operation. The command log record of such an operation will be the equivalent of running "cliHistory --showall".
• For CLI commands that require a password (examples: firmwaredownload, configupload/download, supportsave, and so on), only the command (no arguments) is stored (see below for an illustration).
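The cliHistory output above is a useful, if small, audit trail: each line records who ran what and from which address. The following Python is an added example, not Brocade code, that parses lines in the layout shown above and flags three things an operator reviewing a switch should notice: commands issued from outside the expected management subnet, commands on a watchlist that change who can reach or administer the switch, and the password-taking commands that, as the notes state, are stored without their arguments (so the target host of a firmwareDownload has to be recovered from another log). The management subnet, the watchlist and the sample lines are assumptions constructed for the example; the line format and the list of password-prompting commands come from the text above.

```python
"""Audit a cliHistory dump for management-plane activity worth a second look.

Added example; this is not Brocade code. The line layout (timestamp, then
"user, source-IP, command") and the rule that password-taking commands are recorded
without their arguments come from the cliHistory description in the guide. The
management subnet and the watchlist of security-relevant commands are assumptions.
"""
import ipaddress
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) +"
    r"(?P<user>[^,]+), (?P<ip>[^,]+), (?P<cmd>.*)$"
)

# Per the guide these prompt for a password and are logged as the bare command.
PASSWORD_COMMANDS = {"firmwaredownload", "configupload", "configdownload", "supportsave"}
# Assumed watchlist: commands that alter who can reach or administer the switch.
SENSITIVE_COMMANDS = {
    "ipaddrset", "ipfilter", "userconfig", "passwd", "passwdcfg",
    "secpolicy", "msconfigure", "firmwaredownload", "configdownload",
}


def parse_clihistory(text):
    """Return one dict per command line; header and prompt lines are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        argv = m["cmd"].split()
        records.append({
            "time": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
            "user": m["user"].strip(),
            "ip": ipaddress.ip_address(m["ip"].strip()),
            "command": argv[0].lower() if argv else "",
            "args": argv[1:],
        })
    return records


def audit(records, mgmt_net="10.70.12.0/24"):
    """Return (kind, user, ip, command) findings.

    kinds: outside-mgmt-net  - issued from an address outside the expected subnet
           sensitive         - command is on the watchlist above
           password-command  - arguments were not recorded by design; correlate with
                               the audit/RASLog to learn the target host
    """
    net = ipaddress.ip_network(mgmt_net)
    findings = []
    for r in records:
        key = (r["user"], str(r["ip"]), r["command"])
        if r["ip"] not in net:
            findings.append(("outside-mgmt-net",) + key)
        if r["command"] in SENSITIVE_COMMANDS:
            findings.append(("sensitive",) + key)
        if r["command"] in PASSWORD_COMMANDS:
            findings.append(("password-command",) + key)
    return findings


# Constructed sample in the layout shown in the guide (not a real switch log).
SAMPLE = """\
CLI history
Date & Time                  Message
Thu Sep 27 10:14:41 2012     admin, 10.70.12.101, clihistory
Thu Sep 27 10:15:02 2012     admin, 10.70.12.101, ipaddrset -ipv4 -add -dhcp OFF
Thu Sep 27 10:16:30 2012     admin, 10.70.12.101, firmwaredownload
Thu Sep 27 11:02:17 2012     admin, 192.0.2.45, userconfig --show
"""

if __name__ == "__main__":
    for finding in audit(parse_clihistory(SAMPLE)):
        print(*finding)
```

Because SSH logins are not recorded in the command history, the source-address check only covers what cliHistory sees; for a complete picture combine it with the audit log (Chapter 3) sent to a remote syslog host.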
Changing the default account passwords at login
Use the following procedure to change the default account passwords:
1. Connect to the switch and log in using the default administrative account.
2. At each of the "Enter new password" prompts, either enter a new password or skip the prompt. To skip a single prompt, press Enter. To skip all of the remaining prompts, press Ctrl-C.
Example output of changing passwords
login: admin
Password:
Please change your passwords now.
NOTE
When you change the Ethernet interface settings, open connections such as SSH or Telnet may be dropped. Reconnect using the new Ethernet IP address information or change the Ethernet settings using a console session through the serial port to maintain your session during the change. You must connect through the serial port to set the Ethernet IP address if the Ethernet network interface is not configured already.
Host Name: ecp1
Gateway IP Address: 10.1.2.3
IPFC address for virtual fabric ID 123: 11.1.2.3/24
IPFC address for virtual fabric ID 45: 13.1.2.4/20
Slot 7 eth0: 11.1.2.4/24 Gateway: 11.1.2.1
Backplane IP address of CP0 : 10.0.0.5
Backplane IP address of CP1 : 10.0.0.
Setting the static addresses for the Ethernet network interface
Use the following procedure to set the Ethernet network interface static addresses:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Perform the appropriate action based on whether you have a switch or Backbone:
• If you are setting the IP address for a switch, enter the ipAddrSet command.
DHCP activation
Some Brocade switches have DHCP enabled by default. Fabric OS support for DHCP functionality is only provided for Brocade fixed-port switches. These are listed in the Preface.
NOTE
The Brocade DCX and Brocade DCX-4S Backbones do not support DHCP.
5. You can confirm that the change has been made using the ipAddrShow command.
Example of enabling DHCP for IPv4 interactively:
switch:admin> ipaddrset
Ethernet IP Address [10.1.2.3]:
Ethernet Subnetmask [255.255.255.0]:
Fibre Channel IP Address [220.220.220.2]:
Fibre Channel Subnetmask [255.255.0.0]:
Gateway IP Address [10.1.2.
DHCP [On]:off
switch:admin>
Example of disabling DHCP for IPv4 using a single command:
switch:admin> ipaddrset -ipv4 -add -dhcp OFF
switch:admin> ipaddrshow
SWITCH
Ethernet IP Address: 10.20.134.219
Ethernet Subnetmask: 255.255.240.0
Gateway IP Address: 10.20.128.1
DHCP: Off
switch:admin>
IPv6 autoconfiguration
IPv6 can assign multiple IP addresses to each network interface.
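The static-addressing and DHCP procedures above end with "confirm the change using ipAddrShow", which on a fleet of switches means reading the same few lines many times. The following Python is an added example, not Brocade code, that parses ipAddrShow output in the "Key: value" layout shown above and checks the two conditions those procedures are meant to establish on a fixed-port switch: DHCP is Off (a management address that a DHCP server can change is not a static address) and the configured gateway actually lies on the Ethernet interface's subnet. The field names are taken from the outputs above; the two sample outputs and the finding names are constructed for the example.

```python
"""Check ipAddrShow output for a static management address: DHCP off and a gateway on
the Ethernet interface's own subnet.

Added example; this is not Brocade code. The "Key: value" line layout, the DHCP: On/Off
field and the address/netmask fields come from the ipAddrShow output in the guide.
The sample outputs below are constructed for the example.
"""
import ipaddress


def parse_ipaddrshow(text):
    """Return {field: value}. Splits each line on its first ':' so IPv6 values survive."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue                      # "SWITCH" banner and blank lines
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def check_static_config(fields):
    """Return a list of (finding, detail) for the fixed-port switch output format."""
    findings = []
    if fields.get("DHCP", "").lower() == "on":
        findings.append(("dhcp-enabled",
                         "management address is leased, not static; disable DHCP with ipaddrset"))
    ip = fields.get("Ethernet IP Address")
    mask = fields.get("Ethernet Subnetmask")
    gw = fields.get("Gateway IP Address")
    if not (ip and mask):
        findings.append(("no-ethernet-address", "Ethernet IP Address/Subnetmask missing"))
        return findings
    iface = ipaddress.ip_interface(f"{ip}/{mask}")   # accepts dotted netmask form
    if iface.ip.is_unspecified:
        findings.append(("no-ethernet-address", "address is 0.0.0.0"))
    if gw and ipaddress.ip_address(gw) not in iface.network:
        findings.append(("gateway-off-subnet", f"{gw} is not in {iface.network}"))
    return findings


# Constructed samples in the layout shown in the guide.
SAMPLE_OK = """\
SWITCH
Ethernet IP Address: 10.20.134.219
Ethernet Subnetmask: 255.255.240.0
Gateway IP Address: 10.20.128.1
DHCP: Off
"""

SAMPLE_BAD = """\
SWITCH
Ethernet IP Address: 10.1.2.3
Ethernet Subnetmask: 255.255.255.0
Gateway IP Address: 10.1.9.1
DHCP: On
"""

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_static_config(parse_ipaddrshow(text)))
```

The parser also copes with the Backbone layout shown earlier ("IPFC address for virtual fabric ID 123: 11.1.2.3/24", "Backplane IP address of CP0 : 10.0.0.5"), but the checks are written for the fixed-port format, which is the only one on which DHCP is supported.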
Date and time settings
Switches maintain the current date and time inside a battery-backed real-time clock (RTC) circuit that receives the date and time from the fabric's principal switch. Date and time are used for logging events. Switch operation does not depend on the date and time; a switch with an incorrect date and time value functions properly. However, because the date and time are used for logging, error detection, and troubleshooting, you must set them correctly.
When you set the time zone for a switch, you can perform the following tasks:
• Display all of the time zones supported in the firmware.
• Set the time zone based on a country and city combination or based on a time zone ID, such as PST.
The time zone setting has the following characteristics:
• Users can view the time zone settings. However, only those with administrative permissions can set the time zones.
• The setting automatically adjusts for Daylight Savings Time.
Setting the time zone interactively
Use the following procedure to set the current time zone to PST using interactive mode:
1. Connect to the switch and log in using an account assigned to the admin role and with the chassis-role permission.
2. Enter the tsTimeZone --interactive command. You are prompted to select a general location.
Please identify a location so that time zone rules can be set correctly.
3. Enter the appropriate number or press Ctrl-D to quit.
4.
Use the following procedure to synchronize the local time with an external source:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the tsClockServer command.
switch:admin> tsclockserver "ntp1;ntp2"
In this syntax, ntp1 is the IP address or DNS name of the first NTP server, which the switch must be able to access. The second variable, ntp2, is the second NTP server and is optional.
Displaying the domain IDs
Use the following procedure to display device domain IDs:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the fabricShow command.
Example output of fabric information, including the domain ID (D_ID)
The principal switch is determined by the arrow ( > ) next to the name of the switch. In this output, the principal switch appears in blue boldface.
Setting the domain ID
Use the following procedure to set the domain ID:
1. Connect to the switch and log in on an account assigned to the admin role.
2. Enter the switchDisable command to disable the switch.
3. Enter the configure command.
4. Enter y after the Fabric Parameters prompt.
Fabric parameters (yes, y, no, n): [no] y
5. Enter a unique domain ID at the Domain prompt. Use a domain ID value from 1 through 239 for normal operating mode (FCSW-compatible).
Domain: (1..239) [1] 3
6.
Chassis names 2 Chassis names Brocade recommends that you customize the chassis name for each platform. Some system logs identify devices by platform names; if you assign meaningful platform names, logs are more useful. All chassis names supported by Fabric OS v7.0.0 allow 31 characters. Chassis names must begin with an alphabetic character and can include alphabetic and numeric characters, and the underscore ( _ ). Customizing chassis names Use the following procedure to customize the chassis name: 1.
2 Switch activation and deactivation High availability considerations for fabric names Fabric names locally configured or obtained from a remote switch are saved in the configuration database, and then synchronized to the standby CP on dual-CP-based systems. Upgrade and downgrade considerations for fabric names Fabric names are lost during a firmware downgrade. No default fabric name is provided. If a fabric name is needed, it must be configured after the upgrade.
Switch and Backbone shutdown 2 Powering off a Brocade switch Use the following procedure to gracefully shut down a Brocade switch. 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the sysShutdown command. 3. Enter y at the prompt. switch:admin> sysshutdown This command will shutdown the operating systems on your switch. You are required to power-cycle the switch in order to restore operation. Are you sure you want to shutdown the switch [y/n]?y 4.
2 Basic connections Basic connections Before connecting a switch to a fabric that contains switches running different firmware versions, you must first set the same port identification (PID) format on all switches. The presence of different PID formats in a fabric causes fabric segmentation. • For information on PID formats and related procedures, refer to Chapter 3, “Performing Advanced Configuration Tasks”.
Chapter 3 Performing Advanced Configuration Tasks
In this chapter
• Port Identifiers (PIDs) and PID binding overview . . . . . 79
• Ports . . . . . 84
• Blade terminology and compatibility . . . . . 93
• Enabling and disabling blades . . . . .

Core PID addressing mode
Core PID is the default PID format for Brocade platforms. It uses the entire 24-bit address space of the domain, area ID, and AL_PA to determine an object’s address within the fabric.

• Shared area limitations are removed on 48-port and 64-port blades.
• Any port on a 48-port or 64-port blade can support up to 256 NPIV devices (in fixed addressing mode, only 128 NPIV devices are supported in non-VF mode and 64 NPIV devices in VF mode on a 48-port blade).
• Any port on a 48-port blade can support loop devices.
• Any port on a 48-port or 64-port blade can support hard port zoning.

WWN-based PID assignment
WWN-based PID assignment is disabled by default. When the feature is enabled, bindings are created dynamically; as new devices log in, they automatically enter the WWN-based PID database. The bindings exist until you explicitly unbind the mappings through the CLI or change to a different addressing mode.

Use the following procedure to enable automatic PID assignment:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the configure command.
3. At the Fabric Parameters prompt, type y.
4. At the WWN Based persistent PID prompt, type y.
5. Press Enter to bypass the remaining prompts without changing them.
Example of activating PID assignments
switch:admin> configure
Configure...

Ports
Ports provide either a physical or virtual network connection point for a device. Brocade devices support a wide variety of ports.
Port Types
The following is a list of port types that may be part of a Brocade device:
• D_Port — A diagnostic port lets an administrator isolate the inter-switch link (ISL) to diagnose link level faults. This port runs only specific diagnostics tests and does not carry any fabric traffic.

The different blades that can be inserted into a chassis are described as follows:
• Control processor blades (CPs) contain communication ports for system management, and are used for low-level, platform-wide tasks.
• Core blades are used for intra-chassis switching as well as interconnecting two Backbones.
• Port blades are used for host, storage, and interswitch connections.

Upgrade and Downgrade considerations
For an upgrade, unless both CP8 external Ethernet ports are upgraded and rebooted, the bonding feature will not be enabled. On a downgrade, the first physical port named eth0 has to be connected for the device to initialize correctly; the bonding feature will not be available.
Supported devices
This feature is available on a CP8 blade when it is installed on a Brocade DCX, Brocade DCX-4S, Brocade DCX 8510-8 or Brocade DCX 8510-4.

Port identification by slot and port number
The port number is a number assigned to an external port to give it a unique identifier in a switch. To select a specific port in the Backbones, you must identify both the slot number and the port number using the format slot number/port number. No spaces are allowed between the slot number, the slash (/), and the port number.

Configuring a device-switch connection
To configure an 8G (and 8G only) connection between a device and a switch, use the portCfgFillWord command. This command provides the following configuration options:
Mode      Link Init/Fill Word
Mode 0    IDLE/IDLE
Mode 1    ARBF/ARBF
Mode 2    IDLE/ARBF
Mode 3    If ARBF/ARBF fails use IDLE/ARBF
ATTENTION
Although this setting only affects devices logged in at 8G, changing the mode is disruptive regardless of the speed at which the port is operating.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the portSwapEnable command to enable the feature.
3. Enter the portDisable command on each of the source and destination ports to be swapped.
switch:admin> portdisable 1
ecp:admin> portdisable 1/2
4. Enter the portSwap command.
switch:admin> portswap 1 2
ecp:admin> portswap 1/1 2/2
5. Enter the portSwapShow command to verify that the port area IDs have been swapped.
Disabling a port
Use the following procedure to disable a port:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the appropriate command based on the current state of the port and on whether it is necessary to specify a slot number:
• To disable a port that is enabled, enter the command portDisable portnumber or portDisable slotnumber/portnumber. You can also use the -x option to enter the value in hexadecimal if you prefer.

• When selecting autonegotiation, you can choose the specific link operating modes that are advertised to the link partner. At least one mode must be advertised in common by both sides of the link.
• When forcing the link operating mode, both sides of the link must be forced to the same mode. A link will not work reliably if one side is set to autonegotiate and the other side is set to a forced mode.
• For dual-CP systems, the ifModeSet command affects only the CP you are currently logged in to.

Example of setting the port mode to 10 Mbps half-duplex operation
To force the link for the eth0 interface from autonegotiation to 10 Mbps half-duplex operation, when entering this command through the serial console port:
switch:admin> ifmodeset eth0
Auto-negotiate (yes, y, no, n): [yes] n
Force 100 Mbps / Full Duplex (yes, y, no, n): [no] n
Force 100 Mbps / Half Duplex (yes, y, no, n): [no] n
Force 10 Mbps / Full Duplex (yes, y, no, n): [no] n
Force 10 Mbps / Half Duplex (yes, y, no, n): [no] y

Setting port speed for a port octet
You can use the portCfgOctetSpeedCombo command to configure the speed for a port octet. Be aware that in a Virtual Fabrics environment, this command applies chassis-wide and not just to the logical switch.
Use the following procedure to set the port speed for a port octet:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the portCfgOctetSpeedCombo command.

TABLE 6 Port blade terminology, numbering, and platform support
Blade | Blade ID (slotshow) | Supported on DCX family | Supported on DCX 8510 family | Ports | Definition
FC8-16¹ | 21 | Yes | No | 16 | 8-Gbps port blade supporting 1, 2, 4, and 8 Gbps port speeds. Ports are numbered from 0 through 15 from bottom to top.
FC8-32¹ | 55 | Yes | No | 32 | 8-Gbps port blade supporting 1, 2, 4, and 8 Gbps port speeds.

TABLE 6 Port blade terminology, numbering, and platform support (Continued)
Blade | Blade ID (slotshow) | Supported on DCX family | Supported on DCX 8510 family | Ports | Definition
FCOE10-24 | 74 | Yes | No | 24 10-GbE DCB ports | An application blade that provides Converged Enhanced Ethernet to bridge a Fibre Channel and Ethernet SAN. Ports are numbered from 0 through 11 from bottom to top on the left set of ports and 12 through 23 from bottom to top on the right set of ports.

Port and application blade compatibility
Table 6 on page 94 identifies which port and application blades are supported for each Brocade Backbone.
NOTE
During power up of a Brocade DCX or DCX-4S Backbone, if an FCOE10-24 is detected first before any other AP blade, all other AP and FC8-64 blades are faulted. If a non-FCOE10-24 blade is detected first, then any subsequently-detected FCOE10-24 blades are faulted. Blades are powered up starting with slot 1.

Enabling blades
Use the following procedure to enable a blade:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the bladeEnable command with the slot number of the port blade you want to enable.
ecp:admin> bladeenable 3
Slot 3 is being enabled
FC8-48, FC8-48E, FC8-64, and FC16-48 port blade enabling exceptions
Because the area IDs are shared with different port IDs, the FC8-48, FC8-48E, FC8-64, and FC16-48 blades support only F_ and E_Ports.

• Blade swapping is not supported when swapping to a different model of blade or a different port count. For example, you cannot swap an FC8-32 blade with an FC8-48 port blade.
How blades are swapped
The bladeSwap command performs the following operations:
1. Blade selection
The selection process includes selecting the switch and the blades to be affected by the swap operation. Figure 2 shows the source and destination blades identified to begin the process.
The preparation process also includes any special handling of ports associated with logical switches. For example, as Figure 3 shows, if the source blade has ports in a logical switch or logical fabric, then the corresponding destination ports must be included in the associated logical switch or logical fabric of the source ports.
FIGURE 3 Blade swap with Virtual Fabrics during the swap
4.
FIGURE 4 Blade swap with Virtual Fabrics after the swap
Swapping blades
Use the following procedure to swap blades:
1. Connect to the Backbone and log in using an account with admin permissions.
2. Enter the bladeSwap command. If no errors are encountered, the blade swap will complete successfully. If errors are encountered, the command is interrupted and the ports are set back to their original configurations.
3.

Using switchCfgPersistentDisable
Entering switchCfgPersistentDisable with no arguments disables the switch immediately.
Example of using switchCfgPersistentDisable command output without arguments
switch:admin> switchCfgPersistentDisable
Switch's persistent state set to 'disabled'
Using switchCfgPersistentDisable --disable
Using the --disable argument disables the switch immediately. This is the same as entering switchCfgPersistentDisable without any arguments.
The power monitor compares the available power with the power required to determine if there will be enough power to operate. If less power is predicted to be available than is required, the power-off list is processed until there is enough power for operation. By default, the processing begins with slot 1 and proceeds to the last slot in the chassis. As power becomes available, slots are powered up in the reverse order.
4. Use the switchStatusShow command to further check the status of the switch.
Verifying High Availability features (Backbones only)
High Availability (HA) features provide maximum reliability and nondisruptive management of key hardware and software modules.
Use the following procedure to verify High Availability features for a Backbone:
1. Connect to the switch and log in using an account with admin permissions.
2.

Verifying device connectivity
Use the following procedure to verify device connectivity:
1. Connect to the switch and log in using an account with admin permissions.
2. Optional: Enter the switchShow command to verify devices, hosts, and storage are connected.
3. Optional: Enter the nsShow command to verify devices, hosts, and storage have successfully registered with the name server.
4.

switch:admin> trackchangesset 1
Committing configuration...done.
3. View the log using the commands errDump |more to display a page at a time or errShow to view one line at a time.
2008/10/10-08:13:36, [TRCK-1001], 5, FID 128, INFO, ras007, Successful login by user admin.
Displaying the status of the track changes feature
Use the following procedure to display the status of the track changes feature:
1.

Flash            0         0
MarginalPorts    0.00%[0]  0.00%[0]
FaultyPorts      0.00%[0]  0.00%[0]
MissingSFPs      0.00%[0]  0.00%[0]
ErrorPorts       0.00%[0]  0.00%[0]
Number of ports: 4
Setting the switch status policy threshold values
Use the following procedure to set the switch status policy threshold values:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the switchStatusPolicySet command. The current switch status policy parameter values are displayed.

Bad Fans contributing to DOWN status: (0..2) [2]
Bad Fans contributing to MARGINAL status: (0..2) [1]
(output truncated)
NOTE
On the Brocade Backbones, the command output includes parameters related to CP blades.
Audit log configuration
When managing SANs you may want to audit certain classes of events to ensure that you can view and generate an audit log for what is happening on a switch, particularly for security-related event changes.

NOTE
Only the active CP can generate audit messages because event classes being audited occur only on the active CP. Audit messages cannot originate from other blades in a Backbone.
Switch names are logged for switch components and Backbone names for Backbone components. For example, a Backbone name may be FWDL or RAS and a switch component name may be zone, name server, or SNMP. Pushed messages contain the administrative domain of the entity that generated the event.

4. Enter the auditCfg --show command to view the filter configuration and confirm that the correct event classes are being audited, and the correct filter state appears (enabled or disabled).
switch:admin> auditcfg --show
Audit filter is enabled.
2-SECURITY
4-FIRMWARE
5. Issue the auditDump -s command to confirm that the audit messages are being generated.
Example of the syslog (system message log) output for audit logging
Oct 10 08:52:06 10.3.220.

TABLE 9 Duplicate PWWN behavior: Second login overrides first login
Input port | First port login is F_Port | First port login is NPIV port
FLOGI received | New login forces an explicit logout of original login on the previous F_Port. The previous F_Port is persistently disabled. | New login forces an explicit logout of original FDISC on the previous NPIV port.
FDISC received | New FDISC forces an explicit logout of original login on the previous F_Port.

Chapter 4 Routing Traffic
In this chapter
• Routing overview
• Inter-switch links
• Gateway links
• Routing policies

Paths and route selection
Paths are possible ways to get from one switch to another. Each inter-switch link (ISL) has a metric cost based on bandwidth. The cumulative cost is based on the sum of all costs of all traversed ISLs. Route selection is the path that is chosen. Paths that are selected from the routing database are chosen based on the minimal cost.

FSPF makes minimal use of the ISL bandwidth, leaving virtually all of it available for traffic. In a stable fabric, a switch transmits 64 bytes every 20 seconds in each direction. FSPF frames have the highest priority in the fabric. This guarantees that a control frame is not delayed by user data and that FSPF routing decisions occur very quickly during convergence. FSPF guarantees a routing loop-free topology at all times.

Inter-switch links
An inter-switch link (ISL) is a link between two switches, E_Port-to-E_Port. The ports of the two switches automatically come online as E_Ports once the login process finishes successfully. For more information on the login process, refer to Chapter 1, “Understanding Fibre Channel Services”.
FIGURE 6 New switch added to existing fabric
You can expand your fabric by connecting new switches to existing switches.

Buffer credits
In order to prevent the dropping of frames in the fabric, a device can never send frames without the receiving device being able to receive them, so an end-to-end flow control is used on the switch. Flow control in Fibre Channel uses buffer-to-buffer credits, which are distributed by the switch. When all buffer-to-buffer credits are utilized, a device waits for a VC_RDY or an R_RDY primitive from the destination switch before resuming I/O.

FIGURE 7 Virtual channels on a QoS-enabled ISL
Fabric OS Administrator’s Guide 53-1002745-02

Gateway links
A gateway merges SANs into a single fabric by establishing point-to-point E_Port connectivity between two Fibre Channel switches that are separated by a network with a protocol such as IP or SONET. Except for link initialization, gateways are transparent to switches; the gateway simply provides E_Port connectivity from one switch to another. Figure 8 shows two separate SANs, A-1 and A-2, merged together using a gateway.
Configuring a link through a gateway
1. Connect to the switch at one end of the gateway and log in using an account assigned to the admin role.
2. Enter the portCfgISLMode command.
3. Repeat steps 1 and 2 for any additional ports that are connected to the gateway.
4. Repeat this procedure on the switch at the other end of the gateway.
Example of enabling a gateway link on slot 2, port 3
ecp:admin> portcfgislmode 2/3, 1
Committing configuration...done.
Displaying the current routing policy
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the aptPolicy command with no parameters. The current policy is displayed, followed by the supported policies for the switch.
Example of the output from the aptPolicy command
In the following example, the current policy is exchange-based routing (3) with the additional AP dedicated link policy.
Device-based routing
Device-based routing optimizes routing path selection and utilization based on the Source ID (SID) and Destination ID (DID) of the path source and destination ports. As a result, every distinct flow in the fabric can take a different path through the fabric. Effectively, device-based routing works the same as exchange-based routing but does not use the OXID field. This helps to ensure that the exchanges between a pair of devices stay in order.
CAUTION
Setting the routing policy is disruptive to the fabric because it requires that you disable the switch where the routing policy is being changed.
Setting the routing policy
Use the following procedure to set the routing policy:
1. Connect to the VF switch and log in as admin.
2. Enter the setcontext command for the correct Fabric ID or switch name.
- The fabricID parameter is the FID of the logical switch you just created.

Route selection
Selection of specific routes can be dynamic, so that the router can constantly adjust to changing network conditions; or it may be static, so that data packets always follow a predetermined path.
Dynamic Load Sharing
The exchange-based routing policy depends on the Fabric OS Dynamic Load Sharing (DLS) feature for dynamic routing path selection. When using the exchange-based routing policy, DLS is enabled by default and cannot be disabled.

Frame order delivery
The order in which frames are delivered is maintained within a switch and determined by the routing policy in effect. The frame delivery behaviors for each routing policy are:
• Port-based routing
All frames received on an incoming port destined for a destination domain are guaranteed to exit the switch in the same order in which they were received.

Using Frame Viewer to understand why frames are dropped
When a frame is unable to reach its destination due to timeout, it is discarded. You can use Frame Viewer to find out which flows contained the dropped frames, which in turn can help you determine which applications might be impacted. Frame Viewer allows you to see the exact time (within one second) that the frames were dropped.
The -txport and -rxport options accept the arguments “-1” (for fixed-port switches) or “-1/-1” (for modular switches). These stand for “any back-end port.” Using this notation you can select specifically those discarded frames that have a back-end port in the TX port or RX port field.
NOTE
Individual back-end ports cannot be specified; only the quality of being a back-end port can be specified.
You can disable or enable IOD when Lossless DLS is enabled. You can also choose between exchange- or port-based policies with Lossless DLS.
Events that cause a rebalance include the following:
• Adding an E_Port
• Adding a slave E_Port
• Removing an E_Port (However, frame loss occurs on traffic flows to this port.)
• Removing an F_Port (However, frame loss occurs on traffic flows to this port.
ICL limitations
If ICL ports are connected during a core blade removal, it is equivalent to removing external E_Ports, which may cause I/O disruption on the ICL ports that have been removed. If ICL ports are connected during a core blade insertion, it is equivalent to adding external E_Ports, which may cause I/O disruption due to reroutes. Lossless DLS, if enabled, takes effect to prevent I/O disruption.
To avoid this behavior, it is recommended to define your logical switches as follows:
• Define logical switches that require Lossless DLS at the blade boundary.
• Define logical switches that require Lossless DLS only using supported blades. For example, do not use blades that support IOD, but do not support Lossless DLS.
For more information on Virtual Fabrics and chassis-level permissions, refer to Chapter 10, “Managing Virtual Fabrics”.

Use the following procedure to enable and disable FEC:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the portCfgFec command, specifying the port or range of ports on which FEC is to be enabled.
portcfgfec --enable slot/port
To enable the FEC feature on a single port and display the configuration, enter the following commands.

Frame Redirection
Frame Redirection provides a means to redirect traffic flow between a host and a target that use virtualization and encryption applications, such as the Brocade SAS blade and Brocade Data Migration Manager (DMM), so that those applications can perform without having to reconfigure the host and target. You can use this feature if the hosts and targets are not directly attached. Frame Redirection depends on the wide distribution of the Defined Zone Database.

Example of creating a frame redirect zone
The following example creates a redirect zone, given a host (10:10:10:10:10:10:10:10), target (20:20:20:20:20:20:20:20), virtual initiator (30:30:30:30:30:30:30:30), and virtual target (40:40:40:40:40:40:40:40):
switch:admin> zone --rdcreate 10:10:10:10:10:10:10:10 20:20:20:20:20:20:20:20 \
30:30:30:30:30:30:30:30 40:40:40:40:40:40:40:40 restartable noFCR
Deleting a frame redirect zone
Use the following procedure to delete a frame redirect zon
Chapter 5 Managing User Accounts
In this chapter
• User accounts overview
• Local database user accounts
• Local user account database distribution
• Password policies
• The boot PROM password

Fabric OS provides four options for authenticating users: remote RADIUS service, remote LDAP service, remote TACACS+ service, and the local-switch user database. All options allow users to be managed centrally by means of the following methods:
• Remote RADIUS service: Users are managed in a remote RADIUS server. All switches in the fabric can be configured to authenticate against the centralized remote database.
• Remote LDAP service: Users are managed in a remote LDAP server.

Admin Domain considerations
Legacy users with no Admin Domain specified and whose current role is admin will have access to AD0 through AD255 (physical fabric admin); otherwise, they will have access to AD0 only. If some Admin Domains have been defined for the user and all of them are inactive, the user will not be allowed to log in to any switch in the fabric. If no Home Domain is specified for a user, the system provides a default home domain.

The management channel
The management channel is the communication established between the management workstation and the switch. Table 14 shows the number of simultaneous login sessions allowed for each role when authenticated locally. The roles are displayed in alphabetic order, which does not reflect their importance. When LDAP, RADIUS, or TACACS+ are used for authentication, the total number of sessions on a switch may not exceed 32.

The assigned permissions can be no higher than the admin role permission assigned to the class. The admin role permission for the Security class is Observe/Modify. Therefore, the Observe permission is valid. The roleConfig --show command is available to view the permissions assigned to a user-defined role.

Default accounts
Table 15 lists the predefined accounts offered by Fabric OS that are available in the local-switch user database. The password for all default accounts should be changed during the initial installation and configuration of each switch.
TABLE 15 Default local user accounts
Account name | Role | Admin Domain | Logical Fabric | Description
admin | Admin | AD0–255, home: 0 | LF1–128, home: 128 | Most commands have Observe/Modify permission.

3. In response to the prompt, enter a password for the account. The password is not displayed when you enter it on the command line.
Deleting an account
This procedure can be performed on local user accounts.
1. Connect to the switch and log in using an account with admin permissions, or an account associated with a user-defined role with permissions for the UserManagement class of commands.
2. Enter the userConfig --delete command. You cannot delete the default accounts.

Changing the password for a different account
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the passwd command specifying the name of the account for which the password is being changed.
3. Enter the requested information at the prompts.
Local user account database distribution
Fabric OS allows you to distribute the user database and passwords to other switches in the fabric.

Rejecting distributed user databases on the local switch
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the fddCfg --localreject PWD command.
Password policies
The password policies described in this section apply to the local-switch user database only. Configured password policies (and all user account attribute and password state information) are synchronized across CPs and remain unchanged after an HA failover.

• Punctuation
Specifies the minimum number of punctuation characters that must appear in the password. All printable, non-alphanumeric punctuation characters except the colon ( : ) are allowed. The default value is zero. The maximum value must be less than or equal to the MinLength value.
• MinLength
Specifies the minimum length of the password. The minimum can be from 8 to 40 characters. New passwords must be between the minimum length specified and 40 characters.

Password expiration policy
The password expiration policy forces the expiration of a password after a configurable period of time. The expiration policy can be enforced across all user accounts or on specified users only. A warning that password expiration is approaching is displayed when the user logs in. When a password expires, the user must change the password to complete the authentication process and open a user session.

A failed login attempt counter is maintained for each user on each switch instance. The counters for all user accounts are reset to zero when the account lockout policy is enabled. The counter for an individual account is reset to zero when the account is unlocked after a lockout duration period expires, or when the account user logs in successfully. The admin account can also have the lockout policy enabled on it.

Denial of service implications
The account lockout mechanism may be used to create a denial of service condition when a user repeatedly attempts to log in to an account by using an incorrect password. Selected privileged accounts are exempted from the account lockout policy to prevent users from being locked out from a denial of service attack. However, these privileged accounts may then become the target of password guessing attacks.
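The lockout counter rules and the denial-of-service trade-off described in the two passages above, modelled as an added Python example; this is illustrative code written for this page, not Fabric OS code, and the threshold, lockout duration, account names and timestamps are constructed assumptions rather than Fabric OS defaults.

```python
"""Per-account lockout counter with privileged-account exemption.

Added example for this page, not Fabric OS code. The threshold, duration,
account names and timestamps below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: Optional[float] = None  # seconds; None means not locked
    lockouts: int = 0                     # how many times this account was locked


@dataclass
class LockoutPolicy:
    threshold: int = 3                    # failures before lockout (assumed value)
    duration: float = 60.0                # lockout duration in seconds (assumed value)
    exempt: FrozenSet[str] = frozenset()  # privileged accounts that are never locked out
    enabled: bool = True
    accounts: Dict[str, AccountState] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def _state(self, user: str) -> AccountState:
        # One counter per user on this switch instance.
        return self.accounts.setdefault(user, AccountState())

    def enable(self) -> None:
        """Turning the policy on resets every account's failure counter."""
        self.enabled = True
        for st in self.accounts.values():
            st.failed_attempts = 0

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state(user)
        if st.locked_until is None:
            return False
        if now >= st.locked_until:
            # Lockout duration expired: unlock and reset the counter.
            st.locked_until = None
            st.failed_attempts = 0
            return False
        return True

    def attempt_login(self, user: str, password_ok: bool, now: float) -> str:
        """Process one login attempt; returns 'ok', 'denied' or 'locked'."""
        st = self._state(user)
        if self.is_locked(user, now):
            # Even a correct password is rejected while locked: this is the
            # denial-of-service window that repeated bad passwords create.
            self.audit.append(f"{now:.0f} {user} rejected (locked)")
            return "locked"
        if password_ok:
            st.failed_attempts = 0  # successful login resets the counter
            return "ok"
        st.failed_attempts += 1
        if (self.enabled and user not in self.exempt
                and st.failed_attempts >= self.threshold):
            st.locked_until = now + self.duration
            st.lockouts += 1
            self.audit.append(f"{now:.0f} {user} locked for {self.duration:.0f}s")
        return "denied"

    def repeatedly_locked(self, min_lockouts: int = 2) -> List[str]:
        """Accounts locked out repeatedly: worth reviewing as a possible lockout DoS."""
        return sorted(u for u, st in self.accounts.items() if st.lockouts >= min_lockouts)

    def guessing_exposed(self) -> List[str]:
        """Exempt accounts cannot be locked out, so they absorb unlimited guesses."""
        return sorted(self.exempt)


def demo() -> dict:
    """Walk through the behaviours described on the page with constructed input."""
    policy = LockoutPolicy(threshold=3, duration=60.0, exempt=frozenset({"root"}))
    out = {}
    # Three wrong passwords for 'admin' trigger a lockout on the third attempt.
    out["admin_failures"] = [policy.attempt_login("admin", False, t) for t in (0, 1, 2)]
    # During the lockout the correct password is still rejected.
    out["admin_locked"] = policy.attempt_login("admin", True, 10)
    # After the duration expires the account unlocks, the counter resets, login works.
    out["admin_after_expiry"] = policy.attempt_login("admin", True, 70)
    out["admin_counter"] = policy.accounts["admin"].failed_attempts
    # The exempt 'root' account never locks, however many failures accumulate.
    for t in range(100, 110):
        policy.attempt_login("root", False, t)
    out["root_still_open"] = policy.attempt_login("root", True, 111)
    out["exposed"] = policy.guessing_exposed()
    # A second lockout of 'admin' makes it show up in the repeated-lockout report.
    for t in (200, 201, 202):
        policy.attempt_login("admin", False, t)
    out["repeated"] = policy.repeatedly_locked()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit list doubles as the log a defender would watch: a burst of lockouts on one account from bad passwords is the denial-of-service pattern, while an exempt account shows only repeated denials and never a lockout.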
4. Enter 2.
• If no password was previously set, the following message is displayed:
Recovery password is NOT set. Please set it now.
• If a password was previously set, the following messages are displayed:
Send the following string to Customer Support for password recovery:
afHTpyLsDo1Pz0Pk5GzhIw==
Enter the supplied recovery password.
Recovery Password:
5. Enter the recovery password (string). The recovery string must be between 8 and 40 alphanumeric characters.
The boot PROM password 5 • If a password was previously set, the following messages are displayed: Send the following string to Customer Support for password recovery: afHTpyLsDo1Pz0Pk5GzhIw== Enter the supplied recovery password. Recovery Password: 6. Enter the recovery password (string). The recovery string must be between 8 and 40 alphanumeric characters. A random string that is 15 characters or longer is recommended for higher security. The firmware only prompts for this password once.
5 The boot PROM password The following options are available: Option Description 1 2 3 Continues the system boot process. Lets you set the recovery string and the boot PROM password. Provides access to boot parameters. Start system. Recovery password. Enter command shell. 4. Enter 3. 5. At the shell prompt, enter the passwd command. The passwd command only applies to the boot PROM password when it is entered from the boot interface. 6.
Remote authentication 5 The passwd command applies only to the boot PROM password when it is entered from the boot interface. 8. Enter the boot PROM password at the prompt, and then re-enter it when prompted. The password must be eight alphanumeric characters (any additional characters are not recorded). Record this password for future use. 9. Enter the saveEnv command to save the new password. 10. Reboot the standby CP blade by entering the reset command. 11.
The supported management access channels that integrate with RADIUS, LDAP, and TACACS+ include serial port, Telnet, SSH, Web Tools, and API. All these access channels require the switch IP address or name to connect. RADIUS, LDAP, and TACACS+ servers accept both IPv4 and IPv6 address formats. For accessing both the active and standby CP, and for the purpose of HA failover, both CP IP addresses of a Backbone should be included in the authentication server configuration.

Supported LDAP options

Table 16 summarizes the various LDAP options and Brocade support for each.

TABLE 16 LDAP options

   Protocol                          Description                                   Channel type   Default port   URL       Brocade supported?
   LDAPv3                            LDAP over TCP                                 Unsecured      389            ldap://   No
   LDAPv3 with TLS extension         LDAPv3 over TLS                               Secured        389            ldap://   Yes
   LDAPv3 with TLS and Certificate   LDAPv3 over TLS channel and authenticated     Secured        389            ldap://   Yes
                                     using a certificate
   LDAPv2 with SSL (1)               LDAPv2 over SSL.

Note that unsecured LDAP over TCP is not supported: the switch always negotiates TLS on port 389 (the StartTLS extension), so bind credentials never cross the network in the clear.

TABLE 17 Authentication configuration options (Continued)

   aaaConfig options                  Description                                                            Equivalent setting in Fabric OS v5.1.0 and earlier
   (row continued from the            (row continued from the previous page)                                 --radius --switchdb1
   previous page)
   --authspec "ldap; local"           Authenticates management connections against any LDAP databases        n/a
                                      first. If LDAP fails for any reason, it then authenticates against
                                      the local user database.
   --authspec "ldap; local" --backup  Authenticates management connections against any LDAP databases
                                      first.
RADIUS, LDAP, and TACACS+ support all the defined RBAC roles described in Table 12 on page 134. Users must enter their assigned RADIUS, LDAP, or TACACS+ account name and password when logging in to a switch that has been configured with remote authentication. After the remote authentication (RADIUS, LDAP, or TACACS+) server authenticates a user, it responds with the assigned switch role in a Brocade Vendor-Specific Attribute (VSA).

Fabric OS users on the RADIUS server

All existing Fabric OS mechanisms for managing local-switch user accounts and passwords remain functional when the switch is configured to use RADIUS. Changes made to the local switch database do not propagate to the RADIUS server, nor do the changes affect any account on the RADIUS server.

   Brocade-AVPairs2 = "LFRoleList=admin:2,4-8,70,80,128;ChassisRole=admin",
   Brocade-Passwd-ExpiryDate = "11/10/2011",
   Brocade-Passwd-WarnPeriod = "30"

RADIUS configuration with Admin Domains or Virtual Fabrics

When configuring users with Admin Domains or Virtual Fabrics, you must also include the Admin Domain or Virtual Fabric member list. This section describes the way that you configure attribute types for this configuration.

For example, on a Linux FreeRADIUS server, the user (user-za) with the following settings takes the "zoneAdmin" permissions, with AD member list 1, 2, 4, 5, 6, 7, 8, 9, 12; the Home Admin Domain will be 1.
Configuring RADIUS service on Linux consists of the following tasks:
   • Adding the Brocade attributes to the server
   • Creating the user
   • Enabling clients

Adding the Brocade attributes to the server

1. Create and save the file $PREFIX/etc/raddb/dictionary.brocade with the following information:

   # dictionary.

   swadmin Auth-Type := System
           Brocade-Auth-Role = "admin",
           Brocade-AVPairs1 = "HomeLF=70",
           Brocade-AVPairs2 = "LFRoleList=admin:2,4-8,70,80,128",
           Brocade-AVPairs3 = "ChassisRole=switchadmin",
           Brocade-Passwd-ExpiryDate = "11/10/2008",
           Brocade-Passwd-WarnPeriod = "30"

When you use network information service (NIS) for authentication, the only way to enable authentication with the password file is to force the Brocade switch to authenticate using password authentication protocol (PAP)

If CHAP authentication is required, then Windows must be configured to store passwords with reversible encryption. Reverse password encryption is not the default behavior; it must be enabled.

NOTE: If a user is configured prior to enabling reverse password encryption, then the user's password is stored in a form that cannot be used for CHAP. To use CHAP, the password must be reentered after reversible encryption is enabled. Reversible encryption makes the cleartext password recoverable by anyone who can read the directory database, so enable it only for the accounts that need CHAP.

e. After returning to the Internet Authentication Service window, add additional policies for all Brocade login types for which you want to use the RADIUS server. After this is done, you can configure the switch.

NOTE: Windows 2008 RADIUS (NPS) support is also available.

RSA RADIUS server

Traditional password-based authentication methods are based on one-factor authentication, where you confirm your identity using a memorized password.
c. Add the Brocade-VSA macro and define the attributes as follows:
   • vid (Vendor-ID): 1588
   • type1 (Vendor-Type): 1
   • len1 (Vendor-Length): >=2

   #######################################################################
   # brocade.dct -- Brocade Dictionary
   #
   # (See readme.dct for more details on the format of this file)
   #######################################################################
   #
   # Use the Radius specification attributes in lieu of the Brocade one:
   # @radius.

   #######################################################################
   # dictiona.dcm
   #######################################################################
   # Generic Radius
   @radius.dct
   #
   # Specific Implementations (vendor specific)
   #
   @3comsw.dct
   @aat.dct
   @acc.dct
   @accessbd.dct
   @agere.dct
   @agns.dct
   @airespace.dct
   @alcatel.dct
   @altiga.dct
   @annex.dct
   @aptis.dct
   @ascend.dct
   @ascndvsa.dct
   @axc.dct
   @bandwagn.dct
   @brocade.dct      <------- line to add

   FIGURE 12 Example of the dictiona.dcm file

d.
• LDAP authentication is used on the local switch only and not for the entire fabric.
• You can use the User-Principal-Name and not the Common-Name for AD LDAP authentication. To provide backward compatibility, authentication based on the Common Name is still supported for Active Directory LDAP 2000 and 2003. Common Name-based authentication is not recommended for new installations.
• A user can belong to multiple groups as long as one of the groups is the primary group.

4. Associate the user with the group by adding the user to the group. For instructions on how to create a user in your Active Directory, refer to www.microsoft.com or the Microsoft documentation.
5. Add the user's Administrative Domains or Virtual Fabrics to the CN_list by either editing the adminDescription value or adding the brcdAdVfData attribute to the existing Active Directory schema. This action maps the Admin Domains or Virtual Fabrics to the user name.

3. Right-click the user object and select Properties. Click the Attribute Editor tab.
4. Double-click the adminDescription attribute. The String Attribute Editor dialog box opens.
5. Perform the appropriate action based on whether you are using Administrative Domains or Virtual Fabrics:
   • If you are using Administrative Domains, enter the value of the Admin Domain separated by an underscore ( _ ) into the Value field.
Two operational modes exist in LDAP authentication: FIPS mode and non-FIPS mode. This section discusses LDAP authentication in non-FIPS mode. For information on LDAP in FIPS mode, refer to Chapter 7, "Configuring Security Policies".

The following restrictions exist when using OpenLDAP in non-FIPS mode:
   • You must use the Common-Name for OpenLDAP authentication. User-Principal-Name is not supported in OpenLDAP.
   • OpenLDAP 2.4.23 is supported.

   include    /usr/local/etc/openldap/schema/cosine.schema
   include    /usr/local/etc/openldap/schema/local.schema
   ###############################################
   TLSCACertificateFile    /root/sachin/ldapcert/cacert.pem
   TLSCertificateFile      /root/sachin/ldapcert/serverCert.pem
   TLSCertificateKeyFile   /root/sachin/ldapcert/serverKey.pem
   TLSVerifyClient never
   pidfile     /usr/local/var/run/slapd.pid
   argsfile    /usr/local/var/run/slapd.

With TLSVerifyClient set to never, slapd does not request a certificate from the switch; only the server side of the TLS channel is authenticated.

Assigning a user to a group

Before you can assign a user to a group, the memberOf overlay must be added to the slapd.conf file. Refer to "Enabling group membership" on page 166 for details.

To create a group and assign a member:
1. In a .ldif file, create a "groupOfNames" objectClass entry with the name of the group, for example, "admin", to create a group.
2.
Example to add a group member

1. Create or edit a .ldif file with an entry similar to the following.

   ##########Adding an attr value
   dn: cn=admin,ou=groups,dc=mybrocade,dc=com
   changetype: modify
   add: member
   member: cn=test1,cn=Users,dc=mybrocade,dc=com

2. Enter the following ldapmodify command, where test1.ldif is the name of the file you edited in step 1.

   > ldapmodify -D cn=admin,dc=mybrocade,dc=com -x -w secret -f test1.ldif

   Passing the bind password with -w leaves it in the shell history and the process list; use -W to be prompted for it instead.

Example to delete a group member

1.

   DESC 'Brocade specific data for LDAP authentication'
   EQUALITY caseIgnoreIA5Match
   SUBSTR caseIgnoreIA5SubstringsMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
   objectclass ( 1.3.6.1.4.1.8412.110 NAME 'user'
   DESC 'Brocade switch specific person'
   SUP top AUXILIARY
   MAY ( brcdAdVfData $ description ) )

2. Include the schema file in the slapd.conf file. The following example slapd.conf line assumes that local.schema contains the attribute definition provided in step 1.

   objectClass: uidObject
   cn: Sachin
   sn: Mishra
   description: First user
   brcdAdVfData: HomeLF=30;LFRoleList=admin:1-128;ChassisRole=admin
   userPassword: pass
   uid: mishras@mybrocade.com

The following command adds the user to the LDAP directory.

   > ldapadd -D cn=Sachin,dc=mybrocade,dc=com -x -w secret -f test4.ldif

TACACS+ service

Fabric OS can authenticate users with a remote server using the Terminal Access Controller Access-Control System Plus (TACACS+) protocol.
Configuring the TACACS+ server on Linux

Fabric OS software supports TACACS+ authentication on a Linux server running the open source TACACS+ Linux package v4.0.4 from Cisco. To install and configure this software, perform the following steps.

1. Download the TACACS+ software from http://www.cisco.com and install it. Refer to the Cisco documentation for installation instructions.
2. Configure the TACACS+ server by editing the tac_plus.cfg file. Refer to "The tac_plus.

Configuring Admin Domain lists

If your network uses Admin Domains, you should create Admin Domain lists for each user to identify the Admin Domains to which the user has access. Assign the following key-value pairs to the brcd-AV-Pair1 and, optionally, brcd-AV-Pair2 attributes to grant the account access to the Admin Domains:
   • HomeAD is the designated home Admin Domain for the account. The valid range of values is from 0 through 255.

Configuring the password expiration date

Fabric OS lets you configure a password expiration date for each user account and a warning period for notifying the user that the account password is about to expire. To configure these values, set the following attributes:
   • brcd-passwd-expiryDate sets the password expiration date in mm/dd/yyyy format.
   • brcd-passwd-warnPeriod sets the warning period as a number of days.
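The same attribute strings appear three times in this chapter: in the FreeRADIUS users entry (Brocade-AVPairs1..3 and Brocade-Passwd-ExpiryDate/WarnPeriod), in the OpenLDAP brcdAdVfData value (HomeLF=30;LFRoleList=admin:1-128;ChassisRole=admin) and in the TACACS+ brcd-AV-Pair and brcd-passwd-* attributes above. The following is an added example, not code from the guide or from any Brocade product, that parses those strings, checks them for the mistakes that silently produce a wrong role (HomeLF outside LFRoleList, an LF given two roles, HomeAD outside 0-255) and carries out the expiry/warn-period arithmetic. Assumptions not on the page: further role:list entries inside LFRoleList are separated by semicolons (so a token without an equals sign continues the preceding LFRoleList), logical fabric IDs run 1..128, and a password is expired once the current day is past the expiry date.

```python
"""Added example (not Fabric OS, FreeRADIUS, OpenLDAP or tac_plus code):
parse and sanity-check the Brocade attribute strings and compute the
password-expiry warning state.

Assumptions not stated on the page: role:list entries inside LFRoleList are
';'-separated, logical fabric IDs are 1..128, and today is given in the same
mm/dd/yyyy form as brcd-passwd-expiryDate.
"""
import datetime as dt
import re

LF_RANGE = range(1, 129)      # assumed valid logical fabric IDs
AD_RANGE = range(0, 256)      # HomeAD range stated in the guide


def expand_list(spec):
    """'2,4-8,70' -> {2, 4, 5, 6, 7, 8, 70}; rejects non-numeric or reversed ranges."""
    ids = set()
    for part in spec.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part.strip())
        if not m:
            raise ValueError("bad list element %r" % part)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError("reversed range %r" % part)
        ids.update(range(lo, hi + 1))
    return ids


def parse_av_pairs(text):
    """Parse 'HomeLF=70;LFRoleList=admin:2,4-8;user:9;ChassisRole=admin'.

    Returns HomeLF/HomeAD as int, ChassisRole as str, LFRoleList as {role: set(ids)}.
    """
    out = {}
    current_roles = None            # set while tokens continue an LFRoleList
    for token in text.split(";"):
        token = token.strip()
        if not token:
            continue
        if "=" in token:
            key, _, value = token.partition("=")
            key = key.strip()
            if key == "LFRoleList":
                current_roles = out[key] = {}
                role, _, ids = value.partition(":")
                current_roles[role.strip()] = expand_list(ids)
            else:
                current_roles = None
                out[key] = int(value) if key in ("HomeLF", "HomeAD") else value.strip()
        elif current_roles is not None and ":" in token:
            role, _, ids = token.partition(":")     # further role:list entry
            current_roles[role.strip()] = expand_list(ids)
        else:
            raise ValueError("unexpected token %r" % token)
    return out


def validate(av):
    """Return a list of problems with a parsed attribute set (empty list = OK)."""
    problems = []
    roles = av.get("LFRoleList", {})
    all_lfs = set().union(*roles.values()) if roles else set()
    for lf in sorted(all_lfs):
        if lf not in LF_RANGE:
            problems.append("logical fabric %d out of range" % lf)
    if "HomeLF" in av:
        if av["HomeLF"] not in LF_RANGE:
            problems.append("HomeLF out of range")
        elif av["HomeLF"] not in all_lfs:
            problems.append("HomeLF %d is not in LFRoleList" % av["HomeLF"])
    if "HomeAD" in av and av["HomeAD"] not in AD_RANGE:
        problems.append("HomeAD out of range")
    seen = {}
    for role, lfs in roles.items():
        for lf in lfs:
            if lf in seen and seen[lf] != role:
                problems.append("LF %d given two roles (%s, %s)" % (lf, seen[lf], role))
            seen[lf] = role
    return problems


def expiry_state(expiry_mmddyyyy, warn_days, today_mmddyyyy):
    """'expired' / 'warn' / 'ok' for an expiryDate and warnPeriod on a given day."""
    expiry = dt.datetime.strptime(expiry_mmddyyyy, "%m/%d/%Y").date()
    today = dt.datetime.strptime(today_mmddyyyy, "%m/%d/%Y").date()
    days_left = (expiry - today).days
    if days_left < 0:
        return "expired"
    if days_left <= int(warn_days):
        return "warn"
    return "ok"
```

Run validate() over every entry in the users file or LDIF before pushing it: a HomeLF that is not in LFRoleList, or an LF that appears under two roles, is accepted by the server but leaves the switch to pick the role, which is not what the operator intended.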
Adding an authentication server to the switch configuration

1. Connect to the switch and log in using an account with admin permissions.
2. Enter the aaaConfig --add command.

At least one authentication server must be configured before you can enable the RADIUS, LDAP, or TACACS+ service. If no RADIUS, LDAP, or TACACS+ configuration exists, turning on the authentication mode triggers an error message.

Displaying the current authentication configuration

1. Connect to the switch and log in using an account with admin permissions.
2. Enter the aaaConfig --show command.

If a configuration exists, its parameters are displayed. If the RADIUS, LDAP, or TACACS+ service is not configured, only the parameter heading line is displayed. Parameters include:

   Position         The order in which servers are contacted to provide service.
   Server
   Port
   Secret
   Timeouts
   Authentication
Chapter 6 Configuring Protocols

In this chapter
   • Security protocols
   • Secure Copy
   • Secure Shell protocol
   • Secure Sockets Layer protocol
TABLE 21 Secure protocol support (Continued)

   Protocol   Description
   SSH        Secure Shell (SSH) is a network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.
   SSL        Fabric OS uses Secure Socket Layer (SSL) to support HTTPS.

Secure Copy

Setting up SCP for configuration uploads and downloads

Use the following procedure to configure SCP for configuration uploads and downloads.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the configure command.
3. Enter y or yes at the cfgload attributes prompt.
4. Enter y or yes at the Enforce secure configUpload/Download prompt.

Secure Shell protocol

SSH public key authentication

OpenSSH public key authentication provides password-less logins, known as SSH authentication, that use public and private key pairs for incoming and outgoing authentication. This feature allows only one allowed-user to be configured to use outgoing OpenSSH public key authentication. Any admin user can perform incoming OpenSSH public key authentication.

   Enter login name:auser
   Password:
   Public key is imported successfully.

4. Test the setup by logging in to the switch from a remote device, or by running a command remotely using SSH.

Configuring outgoing SSH authentication

After the allowed-user is configured, the remaining setup steps must be completed by the allowed-user. Use the following procedure to configure outgoing SSH authentication:
1. Log in to the switch as the default admin.
2.
Deleting public keys on the switch

Use the following procedure to delete public keys from the switch.
1. Connect to the switch and log in using an account with admin permissions.
2. Use the sshUtil delpubkeys command to delete public keys. You will be prompted to enter the name of the user whose public keys you want to delete. Enter all to delete public keys for all users.

For more information on IP filter policies, refer to Chapter 7, "Configuring Security Policies".

Secure Sockets Layer protocol

You should upgrade to the Java 1.6.0 plug-in on your management workstation. To find the Java version that is currently running, open the Java console and look at the first line of the window. For more details on levels of browser and Java support, refer to the Web Tools Administrator's Guide.

SSL configuration overview

You configure SSL access for a switch by obtaining, installing, and activating digital certificates.

1. Connect to the switch and log in using an account with admin permissions.
2. Enter the secCertUtil genkey command to generate a public/private key pair. The system reports that this process will disable secure protocols, delete any existing CSR, and delete any existing certificates.
3. Respond to the prompts to continue and select the key size.
Obtaining certificates

Once you have generated a CSR, you will need to follow the instructions on the website of the certificate issuing authority that you want to use, and then obtain the certificate. Fabric OS and HTTPS support the following types of files from the Certificate Authority (CA):
   • .cer (binary)
   • .crt (binary)
   • .pem (text)
Typically, the CA provides the certificate files listed in Table 24.

1. Connect to the switch and log in using an account with admin permissions.
2. Enter the secCertUtil import command.
3. Select a protocol, enter the IP address of the host on which the switch certificate is saved, and enter your login name and password. Choosing ftp sends the login credentials and the file in cleartext; scp protects both.

Example of installing a switch certificate in interactive mode

   switch:admin> seccertutil import -config swcert -enable https
   Select protocol [ftp or scp]: ftp
   Enter IP address: 192.10.11.

4. Click the Intermediate or Trusted Root tab and scroll the list to see if the root certificate is listed. Take the appropriate action based on whether you find the certificate:
   • If the certificate is listed, you do not need to install it. You can skip the rest of this procedure.
   • If the certificate is not listed, click Import.
5. Follow the instructions in the Certificate Import wizard to import the certificate.
   Issuer: CN=Brocade, OU=Software, O=Brocade Communications, L=San Jose, ST=California, C=US
   Serial number: 0
   Valid from: Thu Jan 15 16:27:03 PST 2007 until: Sat Feb 14 16:27:03 PST 2007
   Certificate fingerprints:
            MD5:  71:E9:27:44:01:30:48:CC:09:4D:11:80:9D:DE:A5:E3
            SHA1: 06:46:C5:A5:C8:6C:93:9C:FE:6A:C0:EC:66:E9:51:C2:DB:E6:4F:A1
   Trust this certificate? [no]: yes
   Certificate was added to keystore

In the example, changeit is the default password and RootCert is an exampl

Before answering yes, compare the displayed fingerprints with the values obtained from the CA out of band; the prompt is the only point at which a substituted root certificate can be caught.

Simple Network Management Protocol

   • SW-EXTTRAP  Includes the swSsn (Software Serial Number) as a part of Brocade SW traps.

For information on Brocade MIBs, refer to the Fabric OS MIB Reference.

SNMP and Virtual Fabrics

When an SNMPv3 request arrives with a particular user name, it executes in the home Virtual Fabric. From the SNMP manager, all SNMPv3 requests must have a home Virtual Fabric that is specified in the contextName field.
SNMP security levels

Use the snmpConfig --set seclevel command to set the security level. For more information about using the Brocade SNMP agent, refer to the Fabric OS MIB Reference.

SNMP configuration

Use the snmpConfig --set command to change either the SNMPv3 or SNMPv1 configuration. You can also change access control, MIB capability, and system group.

Telnet protocol

ATTENTION: The rule number assigned must precede the default rule number for this protocol. For example, in the defined policy, the Telnet rule number is 2. Therefore, to effectively block Telnet, the rule number to assign must be 1. If you choose not to use 1, you must delete the Telnet rule number 2 after adding this rule; rules are evaluated in order and the first match wins, so a permit rule at position 2 is matched before a deny rule placed after it. Refer to "Deleting a rule from an IP Filter policy" on page 223 for more information on deleting IP filter rules.
6.

Refer to "Deleting a rule from an IP Filter policy" on page 223 for more information on deleting IP filter rules.
3. To permanently delete the policy, type the ipfilter --save command.

ATTENTION: If you deleted the rule to permit Telnet, you must add a rule to permit Telnet.

Listener applications

Brocade switches block Linux subsystem listener applications that are not used to implement supported features and capabilities.
Ports and applications used by switches

TABLE 26 Access defaults (Continued)

   Access          Default
   Devices         All devices can access the management server. Any device can connect to any FC port in the fabric.
   Switch access   Any switch can join the fabric. All switches in the fabric can be accessed through a serial port.
   Zoning          No zoning is enabled.

Port configuration

Table 27 provides information on ports that the switch uses.
Chapter 7 Configuring Security Policies

In this chapter
   • ACL policies overview
   • ACL policy management
   • FCS policies
   • Device Connection Control policies
   • SCC Policies
Policies with the same state are grouped together in a Policy Set. Each switch has the following two sets:
   • Active policy set, which contains ACL policies being enforced by the switch.
   • Defined policy set, which contains a copy of all ACL policies on the switch.
When a policy is activated, the defined policy either replaces the policy with the same name in the active set or becomes a new active policy.

ACL policy management

Displaying ACL policies

You can view the active and defined policy sets at any time. Additionally, in a defined policy set, policies created in the same login session also appear, but these policies are automatically deleted if you log out without saving them.
1. Connect to the switch and log in using an account with admin permissions, or an account with O permission for the Security RBAC class of commands.
2. Type the secPolicyShow command.

Example of deleting an ACL policy

   switch:admin> secpolicydelete "DCC_POLICY_010"
   About to delete policy DCC_POLICY_010.
   Are you sure (yes, y, no, n):[no] y
   DCC_POLICY_010 has been deleted.

Adding a member to an existing ACL policy

As soon as a policy has been activated, the aspect of the fabric managed by that policy is enforced.
1. Connect to the switch and log in using an account with admin permissions, or an account with OM permissions for the Security RBAC class of commands.
Example of aborting unsaved changes

   switch:admin> secpolicyabort
   Unsaved data has been aborted.

All changes since the last time the secPolicySave or secPolicyActivate commands were entered are aborted.

FCS policies

Fabric configuration server (FCS) policy in base Fabric OS may be performed on a local switch basis and may be performed on any switch in the fabric. The FCS policy is not present by default, but must be created.

Table 30 shows the commands for switch operations for Primary FCS enforcement.

Creating an FCS policy

1. Connect to the switch and log in using an account with admin permissions, or an account with OM permissions for the Security RBAC class of commands.
2. Enter the secPolicyCreate "FCS_POLICY" command.

Example of creating an FCS policy

The following example creates an FCS policy that allows a switch with domain ID 2 to become a primary FCS and domain ID 4 to become a backup FCS:

   switch:admin> secpolicycreate "FCS_POLICY", "2;4"
   FCS_POLICY has been created

3.

FCS policy distribution

The FCS policy can be automatically distributed using the fddCfg --fabwideset command, or it can be manually distributed to the switches using the distribute -p command. Each switch that receives the FCS policy must be configured to receive the policy. To configure the switch to accept distribution of the FCS policy, refer to "Database distribution settings" on page 225. Database distributions may be initiated only from the Primary FCS switch.
Device Connection Control policies

Multiple Device Connection Control (DCC) policies can be used to restrict which device ports can connect to which switch ports. The devices can be initiators, targets, or intermediate devices such as SCSI routers and loop hubs. By default, all device ports are allowed to connect to all switch ports; no DCC policies exist until they are created.

Creating a DCC policy

DCC policies must follow the naming convention "DCC_POLICY_nnn", where nnn represents a unique string. The maximum length is 30 characters, including the prefix DCC_POLICY_. Device ports must be specified by port WWN. Switch ports can be identified by the switch WWN, domain ID, or switch name followed by the port or area number. To specify an allowed connection, enter the device port WWN, a semicolon, and the switch port identification.
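The following is an added example, not code from the guide or from Fabric OS, that models what the two preceding paragraphs specify: the DCC_POLICY_nnn naming rule with its 30-character limit, members written as a device port WWN, a semicolon and a switch port, and the default of allowing every connection when no policy exists. Two things are assumptions of mine rather than statements on this page: the member syntax "<device WWN>;<domain>(<port list>)" with comma-separated ports and ranges, and the enforcement rule that a device listed in any policy may log in only at the switch ports listed for it while a switch port listed in any policy accepts only the devices listed for it. The WWNs are constructed sample values.

```python
"""Added example (not Fabric OS code): DCC policy naming and enforcement model.

Stated on the page: names are DCC_POLICY_<unique string>, at most 30 chars
including the prefix; devices by port WWN; switch ports by domain plus port;
no policy means everything is allowed.  Assumed here: the member syntax
'<wwn>;<domain>(<ports>)' and the device-bound / port-bound enforcement rule.
"""
import re

WWN_RE = re.compile(r"^([0-9a-f]{2}:){7}[0-9a-f]{2}$")
NAME_PREFIX = "DCC_POLICY_"
NAME_MAX = 30


def valid_policy_name(name):
    """DCC_POLICY_ prefix, a non-empty suffix, and at most 30 characters in total."""
    return (name.startswith(NAME_PREFIX)
            and len(name) > len(NAME_PREFIX)
            and len(name) <= NAME_MAX)


def parse_port_list(spec):
    """'1,3-5' -> {1, 3, 4, 5}."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        ports.update(range(lo, hi + 1))
    return ports


def parse_member(member):
    """'10:00:00:00:c9:2b:c1:67;1(1,3-5)' -> (wwn, {(1,1),(1,3),(1,4),(1,5)})."""
    wwn, sep, ports = member.partition(";")
    wwn = wwn.strip().lower()
    if not sep or not WWN_RE.match(wwn):
        raise ValueError("bad member %r" % member)
    m = re.fullmatch(r"\s*(\d+)\((.*)\)\s*", ports)
    if not m:
        raise ValueError("bad switch port spec %r" % ports)
    domain = int(m.group(1))
    return wwn, {(domain, p) for p in parse_port_list(m.group(2))}


class DCCPolicySet:
    """The active DCC policies of a fabric, flattened for lookup."""

    def __init__(self):
        self.allowed = {}          # device WWN -> set of (domain, port) it may use
        self.bound_ports = {}      # (domain, port) -> set of device WWNs allowed there

    def create(self, name, members):
        if not valid_policy_name(name):
            raise ValueError("policy name %r violates the DCC_POLICY_nnn / 30-char rule" % name)
        for member in members:
            wwn, ports = parse_member(member)
            self.allowed.setdefault(wwn, set()).update(ports)
            for port in ports:
                self.bound_ports.setdefault(port, set()).add(wwn)

    def login_allowed(self, device_wwn, domain, port):
        """Decide whether device_wwn may log in at (domain, port)."""
        device_wwn = device_wwn.lower()
        key = (domain, port)
        if device_wwn in self.allowed:          # device is governed by some policy
            return key in self.allowed[device_wwn]
        if key in self.bound_ports:             # port is reserved for the listed devices
            return False
        return True                             # default: all connections allowed
```

The two dictionaries make the two failure modes visible: a device that is in a policy but plugged into an unlisted port is refused by the first check, and an unlisted device on a reserved port is refused by the second, while an entirely unknown pairing is still allowed because no policy speaks to it.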
Deleting a DCC policy

1. Connect to the switch and log in using an account with admin permissions, or an account with OM permissions for the Security RBAC class of commands.
2. Enter the secPolicyDelete command.

Table 34 shows the behavior of a DCC policy created manually with the physical PWWN of a device. The configurations shown in this table are the recommended configurations when an FA-PWWN is logged into the switch.

TABLE 34 DCC policy behavior when created manually with PWWN

   Configuration                          WWN seen on DCC policy list   Behavior when DCC policy activates   Behavior on portDisable and portEnable
   • FA-PWWN has logged into the switch.

SCC Policies

Creating an SCC policy

1. Connect to the switch and log in using an account with admin permissions, or an account with OM permissions for the Security RBAC class of commands.
2. Enter the secPolicyCreate "SCC_POLICY" command.
3. Save or activate the new policy by entering either the secPolicySave or the secPolicyActivate command. If neither of these commands is entered, the changes are lost when the session is logged out.

Authentication policy for fabric elements
FIGURE 13 Key database on switch: Switch A holds Local secret A and Peer secret B; Switch B holds Local secret B and Peer secret A.

DH-CHAP authentication

If you use DH-CHAP authentication, then a secret key pair must be installed only in connected fabric elements. However, as connections are changed, new secret key pairs must be installed between newly connected elements.

Virtual Fabrics considerations

The switch authentication policy applies to all E_Ports in a logical switch. This includes ISLs and extended ISLs. Authentication of extended ISLs between two base switches is considered peer-chassis authentication. Authentication between two physical entities is required, so the extended ISL that connects the two chassis needs to be authenticated.

Re-authenticating E_Ports

Use the authUtil --authinit command to re-initiate the authentication on selected ports. It provides flexibility to initiate authentication for specified E_Ports, a set of E_Ports, or all E_Ports on the switch. This command does not work on loop, NPIV, and FICON devices, or on ports configured for in-flight encryption. The authUtil command can re-initiate authentication only if the device was previously authenticated.
and CT frames, except the AUTH_NEGOTIATE ELS frame, are blocked by the switch. During this time, the Fibre Channel driver rejects all other ELS frames. The F_Port does not form until the AUTH_NEGOTIATE is completed. It is the HBA's responsibility to send an Authentication Negotiation ELS frame after receiving the FLOGI accept frame with the FC-SP bit set.

Authentication protocols

Use the authUtil command to perform the following tasks:
   • Display the current authentication parameters.
   • Select the authentication protocol used between switches.
   • Select the DH (Diffie-Hellman) group for a switch.
Run the authUtil command on the switch you want to view or change. Below are the different options to specify which DH group you want to use.

Secret key pairs for DH-CHAP

When you configure the switches at both ends of a link to use DH-CHAP for authentication, you must also define a secret key pair, one for each end of the link. Use the secAuthSecret command to perform the following tasks:
   • View the WWN of switches with a secret key pair.
   • Set the secret key pair for switches.
   • Remove the secret key pair for one or more switches.

Setting a secret key pair

1. Log in to the switch using an account with admin permissions, or an account with OM permissions for the Authentication RBAC class of commands.
2. Enter the secAuthSecret --set command. The command enters interactive mode. The command returns a description of itself and needed input; then it loops through a sequence of switch specification, peer secret entry, and local secret entry.
FCAP configuration overview

Beginning with Fabric OS release 7.0.0, you must configure the switch to use third-party certificates for authentication with the peer switch. To perform authentication with the FCAP protocol using certificates issued by a third party, perform the following steps:
1. Choose a certificate authority (CA).
2. Generate a public/private key pair, a passphrase, and a CSR on each switch.
3. Store the CSR from each switch on a file server.
4.

Exporting the CSR for FCAP

You will need to export the CSR file created in the "Generating the key and CSR for FCAP" section and send it to a Certificate Authority (CA). The CA will in turn provide two files, as outlined in "FCAP configuration overview" on page 215.
1. Log in to the switch using an account with admin permissions, or an account associated with the chassis role and having OM permissions for the PKI RBAC class of commands.
2.

Starting FCAP authentication

1. Log in to the switch using an account with admin permissions, or an account with OM permissions for the Authentication RBAC class of commands.
2. Enter the authUtil --authinit command to start the authentication using the newly imported certificates. (This command is not supported in Access Gateway mode.)
3. Enter the authUtil --policy -sw command and select active or on; the default is passive.

IP Filter policy
Virtual Fabrics considerations: Logical switches cannot have their own separate IP Filter policies. IP Filter policies are treated as a chassis-wide configuration and are common to all the logical switches in the chassis.

Creating an IP Filter policy

You can create an IP Filter policy specifying any name and using type IPv4 or IPv6. The policy created is stored in a temporary buffer, and is lost if the current command session logs out.

1. Log in to the switch using an account with admin permissions, or an account associated with the chassis role and having the OM permissions for the IPfilter RBAC class of commands.
2. Enter the ipFilter --save command.

Activating an IP Filter policy

IP Filter policies are not enforced until they are activated. Only one IP Filter policy per IPv4 and IPv6 type can be active.
Source address
For an IPv4 filter policy, the source address must be a 32-bit IPv4 address in dotted-decimal notation. The group prefix must be in CIDR block prefix representation. For example, 208.130.32.0/24 represents a 24-bit IPv4 prefix starting from the most significant bit. The special prefix 0.0.0.0/0 matches any IPv4 address. In addition, the keyword any is supported to represent any IPv4 address.
TABLE 37 Supported services (Continued)
Service name     Port number
bootps           67
bootpc           68
tftp             69
http             80
kerberos         88
hostnames        101
sunrpc           111
sftp             115
ntp              123
snmp             161
snmp trap        162
https            443
ssmtp            465
exec             512
login            513
shell            514
uucp             540
biff             512
who              513
syslog           514
route            520
timed            525
kerberos4        750
rpcd             897
securerpcd       898
Protocol
TCP and UDP protocols are valid protocol selections. Fabric OS v6.2.
Traffic type and destination IP
The traffic type and destination IP elements allow an IP policy rule to specify filter enforcement for IP forwarding. The INPUT traffic type is the default and restricts rules to managing traffic on IP management interfaces. The FORWARD traffic type allows management of bidirectional traffic between the external management interface and the inband management interface; in this case, the destination IP element must also be specified.
IP Filter policy enforcement
An active IP Filter policy is a filter applied to the IP packets arriving through the management interface. IPv4 management traffic passes through the active IPv4 filter policy, and IPv6 management traffic passes through the active IPv6 filter policy. The IP Filter policy applies to incoming (ingress) management traffic only. When a packet arrives, it is compared against each rule, starting from the first rule.
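The ordered, first-match evaluation described here (and the source-address forms from "Source address" above) as an added example, not Brocade code: it models a rule list with the elements this section lists and includes an audit helper that finds rules shadowed by an earlier, broader rule. The no-match default (deny) is an assumption and is an explicit parameter.

```python
"""First-match evaluation of an IP Filter policy, as described on this page.

Added example, not Brocade code. A rule carries the elements the page
lists: source address (IPv4 CIDR prefix or the keyword any), protocol
(tcp or udp), destination port (number or a service name from Table 37)
and a permit/deny action. Rules are checked in order; the first match
decides. The action taken when no rule matches is an ASSUMPTION here
(deny) and is an explicit parameter so it can be set to the real default.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service names and ports taken from Table 37 on this page.
SERVICES = {"tftp": 69, "http": 80, "ntp": 123, "snmp": 161,
            "snmp trap": 162, "https": 443, "syslog": 514}

@dataclass(frozen=True)
class Rule:
    source: str    # "any" or an IPv4 CIDR prefix such as "10.1.2.0/24"
    protocol: str  # "tcp" or "udp"
    dst_port: str  # port number ("443") or service name ("https")
    action: str    # "permit" or "deny"

def port_of(spec: str) -> int:
    """Resolve a service name via Table 37, else parse a numeric port."""
    return SERVICES[spec] if spec in SERVICES else int(spec)

def network_of(spec: str) -> ipaddress.IPv4Network:
    """The keyword any and the special prefix 0.0.0.0/0 both match every
    IPv4 address, so both map to the all-zero network."""
    if spec == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    return ipaddress.IPv4Network(spec, strict=False)

def evaluate(rules: List[Rule], src_ip: str, protocol: str, dst_port: int,
             default: str = "deny") -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule), or (default, None)
    when nothing matched. Evaluation stops at the first matching rule."""
    src = ipaddress.IPv4Address(src_ip)
    for i, r in enumerate(rules):
        if r.protocol == protocol and port_of(r.dst_port) == dst_port \
                and src in network_of(r.source):
            return r.action, i
    return default, None

def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Audit helper: indices of rules that can never fire because an earlier
    rule for the same protocol and port already covers their whole source
    prefix. A permit placed after a deny-any is the classic mistake."""
    shadowed = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.protocol == r.protocol
                    and port_of(earlier.dst_port) == port_of(r.dst_port)
                    and network_of(r.source).subnet_of(network_of(earlier.source))):
                shadowed.append(i)
                break
    return shadowed

# Constructed policy: HTTPS and SNMP only from the management subnet,
# with explicit deny-any rules last so ordering, not luck, enforces it.
MGMT_POLICY = [
    Rule("10.1.2.0/24", "tcp", "https", "permit"),
    Rule("10.1.2.0/24", "udp", "snmp", "permit"),
    Rule("any", "tcp", "https", "deny"),
    Rule("0.0.0.0/0", "udp", "snmp", "deny"),
]

# Constructed mis-ordered policy: the permit can never match.
MISORDERED_POLICY = [
    Rule("any", "tcp", "https", "deny"),
    Rule("10.1.2.0/24", "tcp", "https", "permit"),
]

if __name__ == "__main__":
    for ip, proto, port in [("10.1.2.7", "tcp", 443), ("203.0.113.9", "tcp", 443),
                            ("10.1.2.7", "udp", 123)]:
        print(ip, proto, port, "->", evaluate(MGMT_POLICY, ip, proto, port))
    print("shadowed in MISORDERED_POLICY:", shadowed_rules(MISORDERED_POLICY))
```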
1. Log in to the switch using an account with admin permissions, or an account associated with the chassis role and having the OM permissions for the IPfilter RBAC class of commands. 2. Enter the ipFilter --transabort command.
IP Filter policy distribution
The IP Filter policy is distributed manually by command. The distribution includes both active and defined IP Filter policies.
• Manually distribute an ACL policy database: Run the distribute command to push the local database of the specified policy type to target switches. See "ACL policy distribution to other switches" on page 227.
• Fabric-wide consistency policy: Use this to ensure that switches in the fabric enforce the same policies. Set a strict or tolerant fabric-wide consistency policy for each ACL policy type to automatically distribute that database when a policy change is activated.
TABLE 41 Supported policy databases (Continued)
Database type                Database identifier (ID)
FCS policy database          FCS
IP Filter policy database    IPFILTER
Password database            PWD
SCC policy database          SCC
Use the chassisDistribute command to distribute IP filter policies. To distribute other security policies, use the distribute command.
Displaying the database distribution settings
1.
ACL policy distribution to other switches
This section explains how to manually distribute local ACL policy databases. The distribute command has the following dependencies:
• All target switches must be running Fabric OS v6.2.0 or later.
• All target switches must accept the database distribution (see "Database distribution settings" on page 225).
• The fabric must have a tolerant or no (absent) fabric-wide consistency policy (see "Fabric-wide enforcement" on page 227).
TABLE 42 Fabric-wide consistency policy settings
Setting     Value          When a policy is activated
Absent      null           Database is not automatically distributed to other switches in the fabric.
Tolerant    database_id    All updated and new policies of the type specified (SCC, DCC, FCS, or any combination) are distributed to all Fabric OS v6.2.0 and later switches in the fabric.
Notes on joining a switch to the fabric
When a switch is joined to a fabric with a tolerant SCC, DCC, or FCS fabric-wide consistency policy, the joining switch must have a matching tolerant SCC, DCC, or FCS fabric-wide consistency policy. If the tolerant SCC, DCC, or FCS fabric-wide consistency policies do not match, the switch can join the fabric, but an error message flags the mismatch.
TABLE 43 Merging fabrics with matching fabric-wide consistency policies (Continued)
Fabric-wide consistency policy    Fabric A ACL policies         Fabric B ACL policies         Merge results    Database copied
Strict                            None                          None                          Succeeds         No ACL policies copied.
                                  None                          SCC/DCC                       Succeeds         ACL policies are copied from B to A.
                                  Matching SCC/DCC              Matching SCC/DCC              Succeeds         No ACL policies copied.
                                  Different SCC/DCC policies    Different SCC/DCC policies    Fails            Ports are disabled.
1.
Management interface security
You can secure an Ethernet management interface between two Brocade switches or Backbones by implementing IPsec and IKE policies to create a tunnel that protects traffic flows. While the tunnel must have a Brocade switch or Backbone at each end, there may be routers, gateways, and firewalls between the two ends.
FIGURE 14 Protected endpoints configuration
A possible drawback of end-to-end security is that applications that need to inspect or modify a packet in transit will fail when end-to-end confidentiality is employed. QoS solutions, traffic shaping, and firewalling applications will be unable to determine what type of packet is being transmitted and therefore cannot make the decisions they are supposed to make.
FIGURE 16 Endpoint-to-gateway tunnel configuration
RoadWarrior configuration
In endpoint-to-endpoint security, packets are encrypted and decrypted by the host that produces or consumes the traffic. In the gateway-to-gateway example, a router on the network encrypts and decrypts the packets on behalf of the hosts on a protected network.
these values in negotiations to create IPsec SAs. You must create an SA prior to creating an SA-proposal. You cannot modify an SA once it is created. Use the ipsecConfig --flush manual-sa command to remove all SA entries from the kernel SADB and re-create the SA. For more information on the ipsecConfig command, refer to the Fabric OS Command Reference.
IPsec proposal
The IPsec sa-proposal defines an SA or an SA bundle.
IPsec traffic selector
The traffic selector is a traffic filter that defines and identifies the traffic flow between two systems that have IPsec protection. IP addresses, the direction of traffic flow (inbound, outbound), and the upper-layer protocol are used to define a filter for traffic (IP datagrams) that is protected using IPsec.
The ipsecConfig command does not support manipulating pre-shared keys corresponding to the identity of the IKE peer or group of peers. Use the secCertUtil command to import, delete, or display the pre-shared keys in the local switch database. For more information on this procedure, refer to Chapter 6, "Configuring Protocols".
Security certificates
A certificate is one of the available methods IKE can be configured to use for primary authentication.
Example of creating an IPsec SA policy
This example creates an IPsec SA policy named AH01, which uses AH protection with MD5. Run this command on each switch, on each side of the tunnel, so that both sides have the same IPsec SA policy.
switch:admin> ipsecconfig --add policy ips sa -t AH01 -p ah -auth hmac_md5
5. Create an IPsec proposal on each side of the tunnel using the ipsecConfig --add command.
10. Verify that traffic is protected.
a. Initiate a telnet, SSH, or ping session from the two switches.
b. Verify that IP traffic is encapsulated.
c. Monitor the IPsec SAs created using IKE for the above traffic flow:
• Use the ipsecConfig --show manual-sa -a command with the specified operands to display the outbound and inbound SAs in the kernel SADB.
• Use the ipsecConfig --show policy ips sa -a command with the specified operands to display all IPsec SA policies.
6. Import the pre-shared key file using the secCertUtil command. The file name should have a .psk extension. For more information on importing the pre-shared key file, refer to "Installing a switch certificate" on page 185.
7. Configure an IKE policy for the remote peer.
switch:admin> ipsecconfig --add policy ike -t IKE01 \
-remote 10.33.69.132 -id 10.33.74.13 -remoteid 10.33.69.132 \
-enc 3des_cbc -hash hmac_md5 -prf hmac_md5 -auth psk \
-dh modp1024 -psk ipseckey.
• Use the ipsecConfig --show policy ike -a command with the specified operands to display IKE policies.
• Use the ipsecConfig --flush manual-sa command with the specified operands to flush the created SAs in the kernel SADB.
CAUTION: Flushing SAs requires IPsec to be disabled and re-enabled. This operation is disruptive to traffic using the tunnel.
Notes
• As of Fabric OS 7.0.0, IPsec no longer supports null encryption (null_enc) for IKE policies.
Chapter 8 Maintaining the Switch Configuration File
In this chapter
• Configuration settings
• Configuration file backup
• Configuration file restoration
• Configurations across a fabric
If your user account has chassis account permissions, you can use any of the following options when uploading or downloading a configuration file:
-fid    To upload the specified FID configuration.
-all    To upload all of the system configuration, including the chassis section and all switch sections for all logical switches. NOTE: Use this parameter when obtaining a complete capture of the switch configuration in a switch that has Virtual Fabrics mode disabled.
[Active Security policies]
[cryptoDev]
[FICU SAVED FILES]
[Banner]
[End]
[Switch Configuration End : 0]
date = Tue Mar 1 21:28:52 2011
[Switch Configuration Begin : 1]
SwitchName = switch_2
Fabric ID = 1
[Boot Parameters]
[Configuration]
[Bottleneck Configuration]
[Zoning]
[Defined Security policies]
[Active Security policies]
[cryptoDev]
[FICU SAVED FILES]
[Banner]
[End]
[Switch Configuration End : 1]
Chassis section
There is only one chassis section within a configuration.
• Licenses
• Lservc – Sentinel License configuration
• GE blade mode – GigE Mode configuration
• FWD CHASSIS CFG – Fabric Watch configuration
• FRAME LOG – Frame log configuration (enable/disable)
• DMM_TB – Data migration manager configuration
• MOTD – Message of the day
Switch section
There is always at least one switch section for the default switch or a switch that has Virtual Fabrics mode disabled, and there are additional sections corresponding to each additionally defined
Before you upload a configuration file, verify that you can reach the FTP server from the switch. Using a Telnet connection, save a backup copy of the configuration file from a logical switch to a host computer. Secure File Transfer Protocol (SFTP) is now an option when uploading a configuration file. SFTP is analogous to Secure Copy Protocol (SCP). SFTP can be used for the configUpload/configDownload, supportSave, and auto FFDC/trace upload (supportFtp) commands.
Configuration file restoration
When you restore a configuration file, you overwrite the existing configuration with a previously saved backup configuration file.
CAUTION: Make sure that the configuration file you are downloading is compatible with your switch model. Downloading a configuration file from a different switch model or from a different firmware version could cause your switch to fail.
-all    The number of switches or FIDs defined in the downloaded configuration file must match the number of switches or FIDs currently defined on the switch. The switches must be disabled first. If they are not, the configDownload command downloads the configuration for as many switches as possible until a non-disabled switch is found; at that point the downloading process stops.
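A pre-download check for the -all case above, built on the section layout shown under "Configuration settings" (the [Switch Configuration Begin : N] ... [Switch Configuration End : N] blocks with SwitchName and Fabric ID lines). This is an added example, not Brocade code; the sample file and the chassis FID lists it is checked against are constructed.

```python
"""Parse the switch sections of a configUpload file and pre-check it
against the target chassis before a configDownload -all.

Added example, not Brocade code. It recognises only the markers shown on
this page: "[Switch Configuration Begin : N]" / "[Switch Configuration
End : N]", "SwitchName = ...", "Fabric ID = ...", bracketed sub-section
headings and "[End]". Everything outside a switch section (chassis
section, the "date =" line) is skipped. The sample file is constructed.
"""
import re
from typing import Dict, List

BEGIN = re.compile(r"^\[Switch Configuration Begin : (\d+)\]$")
END = re.compile(r"^\[Switch Configuration End : (\d+)\]$")
KEYVAL = re.compile(r"^([^=\[\]]+?)\s*=\s*(.*)$")
WANTED_KEYS = ("SwitchName", "Fabric ID")

class ConfigFormatError(ValueError):
    """Begin/End markers unbalanced or mismatched: the kind of damage a
    hand-edited file can carry (see the CAUTION about editing files)."""

def parse_switch_sections(text: str) -> List[Dict]:
    """Return one dict per switch section:
    {"index": N, "SwitchName": ..., "Fabric ID": ..., "subsections": [...]}"""
    sections, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = BEGIN.match(line)
        if m:
            if current is not None:
                raise ConfigFormatError(f"line {lineno}: Begin inside an open section")
            current = {"index": int(m.group(1)), "subsections": []}
            continue
        m = END.match(line)
        if m:
            if current is None or int(m.group(1)) != current["index"]:
                raise ConfigFormatError(f"line {lineno}: End without matching Begin")
            sections.append(current)
            current = None
            continue
        if current is None or not line or line == "[End]":
            continue
        if line.startswith("[") and line.endswith("]"):
            current["subsections"].append(line[1:-1])
            continue
        m = KEYVAL.match(line)
        if m and m.group(1) in WANTED_KEYS:
            current[m.group(1)] = m.group(2).strip()
    if current is not None:
        raise ConfigFormatError("file ends inside an open switch section")
    return sections

def check_restorable(text: str, defined_fids: List[int]) -> List[str]:
    """Problems that would make configDownload -all stop early or restore
    the wrong switch: the file must carry exactly one switch section per
    FID currently defined on the chassis, with matching Fabric IDs."""
    sections = parse_switch_sections(text)
    problems = []
    if len(sections) != len(defined_fids):
        problems.append(f"file has {len(sections)} switch section(s), "
                        f"chassis defines {len(defined_fids)} FID(s)")
    file_fids = {int(s["Fabric ID"]) for s in sections if "Fabric ID" in s}
    missing = sorted(set(defined_fids) - file_fids)
    extra = sorted(file_fids - set(defined_fids))
    if missing:
        problems.append(f"FIDs on chassis but not in file: {missing}")
    if extra:
        problems.append(f"FIDs in file but not on chassis: {extra}")
    return problems

# Constructed sample in the layout shown on this page.
SAMPLE = """\
[Switch Configuration Begin : 0]
SwitchName = switch_1
Fabric ID = 128
[Boot Parameters]
[Zoning]
[End]
[Switch Configuration End : 0]
date = Tue Mar 1 21:28:52 2011
[Switch Configuration Begin : 1]
SwitchName = switch_2
Fabric ID = 1
[Boot Parameters]
[Zoning]
[Defined Security policies]
[Active Security policies]
[End]
[Switch Configuration End : 1]
"""

if __name__ == "__main__":
    for s in parse_switch_sections(SAMPLE):
        print(s["index"], s["SwitchName"], "FID", s["Fabric ID"], s["subsections"])
    print("vs chassis with FIDs 128 and 1:", check_restorable(SAMPLE, [128, 1]))
    print("vs chassis with FID 128 only:", check_restorable(SAMPLE, [128]))
```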
CAUTION: Although the switch itself has advanced error checking, the configDownload feature within Fabric OS was not designed for users to edit configuration files, and its checking of edited files is limited. Edited files can become corrupted, and this corruption can lead to switch failures.
Example of configDownload without Admin Domains
switch:admin> configdownload
Protocol (scp, ftp, local) [ftp]:
Server Name or IP Address [host]: 10.1.2.3
User Name [user]: UserFoo
Path/Filename [/config.txt]:
Section (all|chassis|FID# [all]): all
*** CAUTION ***
This command is used to download a backed-up configuration for a specific switch. If using a file from a different switch, this file's configuration settings will override any current switch settings.
Activating configDownload: Switch is disabled
configDownload complete: Only zoning parameters are downloaded to ad5.
Example of a non-interactive download of all configurations (chassis and switches)
configdownload -a -ftp 10.1.2.3,UserFoo,/pub/configurations/config.
Uploading a configuration file from a switch with Virtual Fabrics enabled
The configUpload command with the -vf option uploads the Virtual Fabrics configuration instead of the non-Virtual Fabrics configuration information. You must specify a file name with the configUpload -vf command. It is recommended that you not use config.txt as the file name, because that name can be confused with a normal uploaded configuration file.
Wait for the configuration file to download to the switch. You may need to reconnect to the switch. 4. Enter the configDownload command. 5. Respond to the prompts. Wait for the configuration file to download to the switch. 6. Verify that the LISL ports are set up correctly.
Example of a non-interactive download from a switch with FID = 8 and SFID = 10
configdownload -fid 8 -sfid 10 -ftp 10.1.2.3,UserFoo,config.
Brocade configuration form
Use the form in Table 48 as a hard-copy reference for your configuration information. The hardware reference manuals for the Brocade DCX and DCX-4S Backbones include a guide to FC port settings.
Chapter 9 Installing and Maintaining Firmware
In this chapter
• Firmware download process overview
• Preparing for a firmware download
• Firmware download on switches
• Firmware download on a Backbone
• Firmware download from a USB device
You can download Fabric OS to a Backbone, which is a chassis, and to a non-chassis-based system, also referred to as a fixed-port switch. The difference in the download process is that Backbones have two CPs and fixed-port switches have one CP. Use the firmwareDownload command to download the firmware to the switch from an FTP or SSH server using FTP, SFTP, or SCP, or from a Brocade-branded USB device.
Upgrading and downgrading firmware
Upgrading means installing a newer version of firmware; downgrading means installing an older version. In most cases you will be upgrading, that is, installing a newer firmware version than the one you are currently running. However, some circumstances may require installing an older version, that is, downgrading the firmware.
TABLE 49 Backbone HA sync states
Active CP Fabric OS version    Standby CP Fabric OS version    HA sync state                                       Remedy
v6.2.0                         v6.2.0                          inSync                                              N/A
v6.2.x                         v6.3.0                          inSync                                              N/A
v6.3.0                         v6.2.x                          If Ethernet Switch Service is enabled, no sync.     Run firmwareDownload -s on the standby CP and upgrade it to v6.3.0.
v6.3.0                         v6.3.0                          inSync                                              N/A
v6.3.0                         v6.4.0                          inSync                                              N/A
v6.4.0                         v6.3.0                          inSync                                              Run firmwareDownload -s on the standby CP and upgrade it to v6.4.0.
v6.4.0                         v6.4.
5. Connect to the switch and log in using an account with admin permissions. Enter the supportSave command to retrieve all current core files prior to executing the firmware download. This information helps troubleshoot the firmware download process if a problem is encountered. 6. Optional: Enter the errClear command to erase all existing messages in addition to internal messages.
Firmware download on switches
Brocade fixed-port switches maintain primary and secondary partitions for firmware. The firmwareDownload command defaults to an autocommit option that automatically copies the firmware from one partition to the other.
NOTE: This section applies only when upgrading from Fabric OS v7.0.x to v7.1.0, downgrading from v7.1.0 to v7.0.x, or going from v7.1.x to v7.1.x. If you are upgrading from Fabric OS v6.4.x to v7.1.0 or downgrading from v7.1.
Upgrading firmware for Brocade fixed-port switches
1. Take the appropriate action based on the service you are using:
• If you are using FTP, SFTP, or SCP, verify that the FTP or SSH server is running on the host server and that you have a valid user ID and password on that server.
• If your platform supports a USB memory device, verify that it is connected and running.
2. Obtain the firmware file from the Brocade website at http://www.brocade.
Firmware download on a Backbone
ATTENTION: To successfully download firmware, you must have an active Ethernet connection on each CP.
You can download firmware to a Backbone without disrupting the overall fabric if the two CP blades are installed and fully synchronized. Use the haShow command to verify that the CPs are synchronized before beginning the firmware download process.
Upgrading firmware on Backbones (including blades)
There is only one chassis management IP address for the Brocade Backbones.
NOTE: By default, the firmwareDownload command automatically upgrades both the active and the standby CPs and all co-CPs on the CP blades in the Brocade Backbones. It automatically upgrades all AP blades in the Brocade Backbones using auto-leveling.
1. Verify that the Ethernet interfaces located on CP0 and CP1 are plugged into your network. 2.
If an AP blade is present: At the point of the failover, an autoleveling process is activated. Autoleveling is triggered when the active CP detects a blade that contains a different version of the firmware, regardless of which version is older. Autoleveling downloads firmware to the AP blade, swaps partitions, reboots the blade, and copies the new firmware from the primary partition to the secondary partition.
Slot 7 (CP1, active): Firmware has been downloaded to the secondary partition of the switch.
[5]: Mon Mar 22 04:37:24 2010
Slot 7 (CP1, standby): The firmware commit operation has started. This may take up to 10 minutes.
[6]: Mon Mar 22 04:41:59 2010
Slot 7 (CP1, standby): The commit operation has completed successfully.
[7]: Mon Mar 22 04:41:59 2010
Slot 7 (CP1, standby): Firmwaredownload command has completed successfully.
Downloading from the USB device using the relative path
1. Log in to the switch using an account assigned to the admin role.
2. Enter the firmwareDownload -U command.
ecp:admin> firmwaredownload -U v7.1.0
Downloading from the USB device using the absolute path
1. Log in to the switch using an account assigned to the admin role.
2. Enter the firmwareDownload command with the -U operand.
ecp:admin> firmwaredownload -U /usb/usbstorage/brocade/firmware/v7.1.
NOTE: If FIPS mode is enabled, all logins should be handled through SSH or the direct serial method, and the transfer protocol should be SCP.
Updating the firmware key
1. Log in to the switch as admin. 2. Enter the firmwareKeyUpdate command and respond to the prompts.
The firmwareDownload command
The public key file needs to be packaged, installed, and run on your switch before you download a signed firmware.
Power-on firmware checksum test
FIPS requires the checksums of the executables and libraries on the filesystem to be validated before Fabric OS modules are launched. This ensures that these files have not been changed after they were installed. When firmware RPM packages are installed during firmware download, the MD5 checksums of the firmware files are stored in the RPM database on the filesystem.
User Name: userfoo
File Name: /home/userfoo/v7.0.0
Password:
Do Auto-Commit after Reboot [Y]: n
Reboot system after download [N]: y
Firmware is being downloaded to the switch. This step may take up to 30 minutes.
Checking system settings for firmwaredownload...
The switch performs a reboot and comes up with the new firmware to be tested. Your current switch session automatically disconnects.
Testing and restoring firmware on Backbones
This procedure enables you to perform a firmware download on each CP and verify that the procedure was successful before committing to the new firmware. The old firmware is saved in the secondary partition of each CP until you enter the firmwareCommit command.
8. Verify the failover. a. Connect to the Backbone on the active CP, which is the former standby CP. b. Enter the haShow command to verify that the HA synchronization is complete. It takes a minute or two for the standby CP, which is the old active CP, to reboot and synchronize with the active CP.
ATTENTION: Stop! If you have completed step 11, you have committed the firmware on both CPs and have completed the firmware download procedure.
12. Restore the firmware on the standby CP. In the current Backbone session for the standby CP, enter the firmwareRestore command. The standby CP reboots and the current Backbone session ends. Both partitions have the same Fabric OS after several minutes.
13. Perform haFailover on the active CP. a.
Validating a firmware download
Validate the firmware download by running the following commands: firmwareShow, firmwareDownloadStatus, nsShow, nsAllShow, and fabricShow. All of the connected servers, storage devices, and switches should be present in the output of these commands. If there is a discrepancy, it is possible that a device or switch cannot connect to the fabric and further troubleshooting is necessary.
Chapter 10 Managing Virtual Fabrics
In this chapter
• Virtual Fabrics overview
• Logical switch overview
• Logical fabric overview
• Management model for logical switches
This chapter describes the logical switch and logical fabric features. For information about device sharing with Virtual Fabrics, refer to "FC-FC routing and Virtual Fabrics" on page 606. For information about supported switches and port types, refer to "Supported platforms for Virtual Fabrics" on page 286. Virtual Fabrics and Admin Domains are mutually exclusive and are not supported at the same time on a switch.
After you enable Virtual Fabrics, you can create up to seven additional logical switches, depending on the switch model. Figure 18 shows a Virtual Fabrics-enabled switch before and after it is divided into logical switches. Before you create logical switches, the chassis appears as a single switch (default logical switch). After you create logical switches, the chassis appears as multiple independent logical switches.
FIGURE 19 Fabric IDs assigned to logical switches (diagram: a physical chassis containing Logical switch 1, the default logical switch, FID = 128; Logical switch 2, FID = 1; Logical switch 3, FID = 15; Logical switch 4, FID = 8; and Logical switch 5, FID = 20)
Port assignment in logical switches
Initially, all ports belong to the default logical switch. When you create additional logical switches, they are empty and you must assign ports to those logical switches.
A given port is always in one (and only one) logical switch. The following scenarios refer to the chassis after port assignment in Figure 20:
• If you assign P2 to logical switch 2, you cannot assign P2 to any other logical switch.
• If you want to remove a port from a logical switch, you cannot delete it from the logical switch; you must move it to a different logical switch.
FIGURE 21 Logical switches connected to devices and non-Virtual Fabrics switch (diagram: a physical chassis with Logical switch 1, the default logical switch, Fabric ID 128; Logical switch 2, Fabric ID 1; Logical switch 3, Fabric ID 15; and Logical switch 4, Fabric ID 8; ports P1 through P6; host H1; devices D1 and D2; and an ISL to a non-Virtual Fabrics switch)
Figure 22 shows a logical representation of the physical chassis and devices in Figure 21. As shown in Figure 22, the devices are isolated into separate fabrics.
Management model for logical switches
You can use one common IP address for the hardware that is shared by all of the logical switches in the chassis, and you can set up individual IPv4 addresses for each Virtual Fabric. For a management host to manage a logical switch using the Internet Protocol over Fibre Channel (IPFC) IP address, it must be physically connected to the Virtual Fabric using a host bus adapter (HBA).
Logical fabric and ISLs
Figure 23 shows two physical chassis divided into logical switches. In Figure 23, ISLs are used to connect the logical switches with FID 1 and the logical switches with FID 15. The logical switches with FID 8 are each connected to a non-Virtual Fabrics switch. The two logical switches and the non-Virtual Fabrics switch are all in the same fabric, with FID 8.
Base switch and extended ISLs
Another way to connect logical switches is to use extended ISLs and base switches. When you divide a chassis into logical switches, you can designate one of the switches to be a base switch. A base switch is a special logical switch that is used for interconnecting the physical chassis. A base switch has the following properties:
• ISLs connected through the base switch can be used for communication among the other logical switches.
Think of the logical switches as being connected with logical ISLs, as shown in Figure 26. In this diagram, the logical ISLs are not connected to ports because they are not physical cables. They are a logical representation of the switch connections that are allowed by the XISL.
FIGURE 26 Logical ISLs connecting logical switches
To use the XISL, the logical switches must be configured to allow XISL use.
By default, the physical ISL path is favored over the logical path (over the XISL) because the physical path has a lower cost. This behavior can be changed by configuring the cost of the dedicated physical ISL to match the cost of the logical ISL.
ATTENTION: If you disable a base switch, all of the logical ISLs are broken and the logical switches cannot communicate with each other unless they are connected by a physical ISL.
Account management and Virtual Fabrics
When user accounts are created, they are assigned a list of logical fabrics to which they can log in and a home logical fabric (home FID). When you connect to a physical chassis, the home FID defines the logical switch to which you are logged in by default. You can change to a different logical switch context, as described in "Changing the context to a different logical fabric" on page 299.
Supported port configurations in Brocade Backbones
Some of the ports in the Brocade DCX and DCX 8510 Backbone families are not supported on all types of logical switches. Table 50 lists the blades and ports that are supported on each type of logical switch.
Virtual Fabrics interaction with other Fabric OS features
Table 51 lists some Fabric OS features and considerations that apply when using Virtual Fabrics.
TABLE 51 Virtual Fabrics interaction with Fabric OS features
Fabric OS feature    Virtual Fabrics interaction
Access Gateway       Virtual Fabrics is not supported on a switch if AG mode is enabled.
TABLE 52 Maximum number of logical switches per chassis (Continued)
Platform                   Maximum number of logical switches
Brocade DCX 8510 family    8
Brocade 5300               4
Brocade 5100               3
Brocade 6510               4
Brocade 6520               4
Brocade 7800               4
Brocade VA-40FC            3
Refer to "Supported port configurations in Brocade Backbones" on page 287 for restrictions on the default logical switch.
Enabling Virtual Fabrics mode
A fabric is said to be in Virtual Fabrics mode (VF mode) when the Virtual Fabrics feature is enabled. Before you can use the Virtual Fabrics features, such as logical switch and logical fabric, you must enable VF mode. VF mode is enabled by default.
NOTE: When you enable VF mode, the control processors (CPs) are rebooted and all EX_Ports are disabled after the reboot.
Use the following procedure to enable Virtual Fabrics mode: 1.
Use the following procedure to disable Virtual Fabrics mode:
1. Connect to the physical chassis and log in using an account with the chassis-role permission.
2. Use the fosConfig command to check whether VF mode is disabled: fosconfig --show
3. Move all ports to the default logical switch: lscfg --config 128 -slot slot -port port
4. Delete all of the non-default logical switches: lscfg --delete fabricID
5.
3. Enter n at the prompts to configure system and cfgload attributes. Enter y at the prompt to configure custom attributes.
System (yes, y, no, n): [no] n
cfgload attributes (yes, y, no, n): [no] n
Custom attributes (yes, y, no, n): [no] y
4. Enter the appropriate value at the Config Index prompt. Contact your switch service provider to determine the appropriate value.
Config Index (0 to ignore): (0..
Example
The following example creates a logical switch with FID 4, and then assigns domain ID 14 to it.
sw0:FID128:admin> lscfg --create 4
About to create switch with fid=4. Please wait...
Logical Switch with FID (4) has been successfully created.
Logical Switch has been created with default configurations.
Please configure the Logical Switch with appropriate switch and protocol settings before activating the Logical Switch.
switchMode:      Native
switchRole:      Principal
switchDomain:    14
switchId:        fffc0e
switchWwn:       10:00:00:05:1e:82:3c:2b
zoning:          OFF
switchBeacon:    OFF
FC Router:       OFF
Fabric Name:     Fab4
Allow XISL Use:  ON
LS Attributes:   [FID: 4, Base Switch: No, Default Switch: No, Address Mode 0]

Index Port Address Media Speed State     Proto
==============================================
22    22   0e1600  --    N8    No_Module FC Disabled
23    23   0e1700  --    N8    No_Module FC Disabled

Example 2: Executing the fabricShow comma
Example of deleting the logical switch with FID 7

switch_4:FID4:admin> lscfg --delete 7
All active login sessions for FID 7 have been terminated.
Switch successfully deleted.

Adding and moving ports on a logical switch

This procedure explains how to add and move ports on logical switches. You add ports to a logical switch by moving the ports from one logical switch to another. See “Supported platforms for Virtual Fabrics” on page 286 for port restrictions.
Displaying logical switch configuration

Use the following procedure to display the configuration for a logical switch:
1. Connect to the physical chassis and log in using an account with the chassis-role permission.
2. Enter the lsCfg command to display a list of all logical switches and the ports assigned to them:
   lscfg --show [ -provision ]
   If the -provision option is specified, all ports on all slots are displayed, regardless of the slot status.
Checking and logging message: fid = 5.
Please enable your switch.

sw0:FID128:admin> fosexec --fid 7 -cmd "switchenable"
--------------------------------------------------
"switchenable" on FID 7:

Changing a logical switch to a base switch

Use the following procedure to change a logical switch to a base switch.
1. Connect to the switch and log in using an account with the chassis-role permission.
2.
Configure...

Fabric parameters (yes, y, no, n): [no] y
WWN Based persistent PID (yes, y, no, n): [no]
Allow XISL Use (yes, y, no, n): [yes] n
WARNING!! Disabling this parameter will cause removal of LISLs to other logical switches.
Do you want to continue? (yes, y, no, n): [no] y
System services (yes, y, no, n): [no]

switch_25:FID7:admin> lscfg --change 7 -base
Creation of a base switch requires that the proposed new base switch on this system be disabled.
Configuring a logical switch to use XISLs

When you create a logical switch, it is configured to use XISLs by default. Use the following procedure to allow or disallow the logical switch to use XISLs in the base fabric. XISL use is not supported in some cases. See “Limitations and restrictions of Virtual Fabrics” on page 288 for restrictions on XISL use.

Use the following procedure to configure a logical switch to use XISLs:
1.
Creating a logical fabric using XISLs

This procedure describes how to create a logical fabric using multiple chassis and XISLs and refers to the configuration shown in Figure 28 as an example.

FIGURE 28 Example of logical fabrics in multiple chassis and XISLs

Use the following procedure to create a logical fabric using XISLs:
1. Set up the base switches in each chassis:
   a.
4. Configure the logical switches in each chassis:
   a. Connect to the physical chassis and log in using an account with the chassis-role permission.
   b. Create a logical switch and assign it a fabric ID for the logical fabric. This FID must be different from the FID in the base fabric. See “Creating a logical switch or base switch” on page 292 for instructions.
Chapter 11 Administering Advanced Zoning

In this chapter
• Zone types
• Zoning overview
• Broadcast zones
• Zone aliases
• QoS zones
  Assign high or low priority to designated traffic flows. QoS zones are regular zones with additional QoS attributes specified by adding a QOS prefix to the zone name. See “QoS: SID/DID traffic prioritization” on page 519 for more information.
• Traffic Isolation zones (TI zones)
  Isolate inter-switch traffic to a specific, dedicated path through the fabric. See Chapter 12, “Traffic Isolation Zoning,” for more information.
FIGURE 29 Zoning example (Blue Zone, Red Zone and Green Zone spanning Server 1, Server 2, Server 3, Storage 1, Storage 2, Storage 3 and RAID)

Approaches to zoning

Table 53 lists the various approaches you can take when implementing zoning in a fabric.

TABLE 53 Approaches to fabric-based zoning

Zoning approach   Description
Recommended approach
Single HBA        Zoning by single HBA most closely re-creates the original SCSI bus.
TABLE 53 Approaches to fabric-based zoning (Continued)

Zoning approach   Description
Alternative approaches
Application       Zoning by application typically requires zoning multiple, perhaps incompatible, operating systems into the same zones. This method of zoning creates the possibility that a minor server in the application suite could disrupt a major server (such as a Web server disrupting a data warehouse server).
The types of zone objects used to define a zone can be mixed. For example, a zone defined with the zone objects 2,12; 2,14; 10:00:00:80:33:3f:aa:11 contains the devices connected to domain 2, ports 12 and 14, and a device with the WWN 10:00:00:80:33:3f:aa:11 (either node name or port name) that is connected on the fabric.
The different types of zone configurations are:
• Defined Configuration
  The complete set of all zone objects defined in the fabric.
• Effective Configuration
  A single zone configuration that is currently in effect. The effective configuration is built when you enable a specified zone configuration.
• Saved Configuration
  A copy of the defined configuration plus the name of the effective configuration, which is saved in flash memory.
Identifying the enforced zone type

Use the following procedure to identify zones and zone types:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the portZoneShow command, using the following syntax:
   portzoneshow

Considerations for zoning architecture

Table 54 lists considerations for zoning architecture.
Best practices for zoning

The following are recommendations for using zoning:
• Always zone using the highest Fabric OS-level switch. Switches with earlier Fabric OS versions do not have the capability to view all the functionality that a newer Fabric OS provides, as functionality is backwards compatible but not forwards compatible.
• Zone using the core switch versus an edge switch.
• Zone using a Backbone rather than a switch.
Figure 30 illustrates how broadcast zones work with Admin Domains. Figure 30 shows a fabric with five devices and two Admin Domains, AD1 and AD2. Each Admin Domain has two devices and a broadcast zone.
High availability considerations with broadcast zones

If a switch has broadcast zone-capable firmware on the active CP (Fabric OS v5.3.x or later) and broadcast zone-incapable firmware on the standby CP (Fabric OS version earlier than v5.3.0), then you cannot create a broadcast zone because the zoning behavior would not be the same across an HA failover. If the switch failed over, then the broadcast zone would lose its special significance and would be treated as a regular zone.
Creating an alias

Use the following procedure to create an alias:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the aliCreate command, using the following syntax:
   alicreate "aliasname", "member[; member...]"
3. Enter the cfgSave command to save the change to the defined configuration. The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile memory.
inconsistent. The inconsistency will result in different Effective Zoning configurations for switches in the fabric if a zone merge or HA failover happens.
To avoid inconsistency it is recommended to commit the configurations using the 'cfgenable' command.
Do you still want to proceed with saving the Defined zoning configuration only? (yes, y, no, n): [no] y

Removing members from an alias

Use the following procedure to remove a member from an alias:
1.
The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile memory. If a transaction is open on a different switch in the fabric when this command is run, the transaction on the other switch is automatically aborted. A message displays on the other switches to indicate that the transaction was aborted.
Zone creation and maintenance

Fabric OS allows you to create zones to better manage devices.

Notes
• Broadcast Zone: To create a broadcast zone, use the reserved name “broadcast”. Do not give a regular zone the name of “broadcast”. See “Broadcast zones” on page 310 for additional information about this special type of zone.
• Virtual Fabrics considerations: Zone definitions should not include logical port numbers. Zoning is not enforced on logical ports.
To create a broadcast zone, use the reserved name “broadcast”.
3. Enter the cfgSave command to save the change to the defined configuration. The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile memory. If a transaction is open on a different switch in the fabric when this command is run, the transaction on the other switch is automatically aborted. A message displays on the other switches to indicate that the transaction was aborted.
4.
Example

Adding members to a zone

switch:admin> zoneadd matt, "ze*; bond*; j*"
switch:admin> cfgsave
switch:admin> cfgshow
Defined configuration:
 zone:  matt   30:06:00:07:1e:a2:10:20; 3,2; zeus; bond; jake; jeff; jones
 zone:  sloth  bawn; bolt; bond; brain; 10:00:00:00:01:1e:20:20
 alias: bawn   3,5; 4,8
 alias: bolt   10:00:00:02:1f:02:00:01
 alias: bond   10:00:05:1e:a9:20:00:01; 3,5
 alias: brain  11,4; 22,1; 33,6
 alias: jake   4,7; 8,9; 14,11
 alias: jeff   30:00:00:05:1e:a1:cd:02; 40:00:0
 alias: jeff   30:00:00:05:1e:a1:cd:02; 40:00:00:05:1e:a1:cd:04
 alias: jones  7,3; 4,5
 alias: zeus   4,7; 6,8; 9,2

Effective configuration:
 No Effective configuration: (No Access)

switch:admin> zoneremove matt, "30:06:00:07:1e:a2:10:20; ja*; 3,2"
switch:admin> cfgsave
switch:admin> cfgshow
Defined configuration:
 zone:  matt   zeus; bond; jeff; jones
 zone:  sloth  bawn; bolt; bond; brain; 10:00:00:00:01:1e:20:20
 alias: bawn   3,5; 4,8
 alias: bolt   10:00:00:02:1f:02:00:01
 ali
 alias: jake   4,7; 8,9; 14,11
 alias: jeff   30:00:00:05:1e:a1:cd:02; 40:00:00:05:1e:a1:cd:04
 alias: jones  7,3; 4,5
 alias: zeus   4,7; 6,8; 9,2

Effective configuration:
 No Effective configuration: (No Access)

switch:admin> zoneobjectreplace 11,2 4,8
switch:admin> cfgsave
switch:admin> cfgshow
Defined configuration:
 zone:  matt   zeus; bond; jeff; 4,8
 zone:  sloth  bawn; bolt; bond; brain; 10:00:00:00:01:1e:20:20
 alias: bawn   3,5
 alias: bolt   10:00:00:02:1f:02:00:01
 alias:
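The mixed member types described under “Zoning overview” and the wildcard expansion in the zoneAdd/zoneRemove example above, as an added illustration that is not Brocade's code and not a reproduction of the Fabric OS implementation: a small Python model that classifies zone members (domain,port pairs, WWNs, alias names) and applies zoneAdd and zoneRemove with wildcard patterns expanded against existing alias names. The defined configuration, the sorted expansion order, and the rule that zoneRemove refuses a member that is not already in the zone are constructed assumptions.

```python
"""Model of Fabric OS zone-member handling (added illustration, not Brocade code).

Classifies mixed zone members and applies zoneAdd / zoneRemove, expanding
wildcard patterns such as "ze*; bond*; j*" against alias names the way the
cfgShow example above shows (zeus, bond, jake, jeff, jones).
"""
import fnmatch
import re

# A WWN is 8 colon-separated hex bytes, e.g. 10:00:00:80:33:3f:aa:11
WWN_RE = re.compile(r"^[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){7}$")
# A "domain,port" member, e.g. 2,12 (domain 2, port index 12)
DP_RE = re.compile(r"^\d+,\d+$")
WILDCARD_CHARS = set("*?[")


def split_members(spec):
    """Split "2,12; 2,14; 10:00:..." into its semicolon-separated members."""
    return [m.strip() for m in spec.split(";") if m.strip()]


def classify(member, aliases):
    """Return the zone-object type of one member string."""
    if WWN_RE.match(member):
        return "wwn"
    if DP_RE.match(member):
        return "domain,port"
    if member in aliases:          # alias names are case-sensitive
        return "alias"
    if WILDCARD_CHARS & set(member):
        return "pattern"
    return "unknown"


def classify_spec(spec, aliases):
    return [classify(m, aliases) for m in split_members(spec)]


def expand(spec, aliases):
    """Expand a member spec; wildcard patterns match alias names only.

    Assumption: matches are added in sorted name order, which reproduces the
    order shown in the example (jake; jeff; jones for "j*").
    """
    out = []
    for m in split_members(spec):
        kind = classify(m, aliases)
        if kind == "pattern":
            hits = sorted(a for a in aliases if fnmatch.fnmatchcase(a, m))
            if not hits:
                raise ValueError("pattern %r matches no alias" % m)
            out.extend(hits)
        elif kind == "unknown":
            raise ValueError("unrecognised zone member %r" % m)
        else:
            out.append(m)
    return out


def zoneadd(cfg, zone, spec):
    """zoneAdd: append members (skipping duplicates); returns the new list."""
    members = cfg["zones"].setdefault(zone, [])
    for m in expand(spec, cfg["aliases"]):
        if m not in members:
            members.append(m)
    return list(members)


def zoneremove(cfg, zone, spec):
    """zoneRemove: drop members; assumption: absent members are an error."""
    members = cfg["zones"][zone]
    for m in expand(spec, cfg["aliases"]):
        if m not in members:
            raise ValueError("%r is not a member of zone %s" % (m, zone))
        members.remove(m)
    return list(members)


def sample_config():
    """Constructed defined configuration mirroring the cfgShow example above."""
    return {
        "zones": {
            "matt": ["30:06:00:07:1e:a2:10:20", "3,2"],
            "sloth": ["bawn", "bolt", "bond", "brain",
                      "10:00:00:00:01:1e:20:20"],
        },
        "aliases": {
            "bawn": ["3,5", "4,8"],
            "bolt": ["10:00:00:02:1f:02:00:01"],
            "bond": ["10:00:05:1e:a9:20:00:01", "3,5"],
            "brain": ["11,4", "22,1", "33,6"],
            "jake": ["4,7", "8,9", "14,11"],
            "jeff": ["30:00:00:05:1e:a1:cd:02", "40:00:00:05:1e:a1:cd:04"],
            "jones": ["7,3", "4,5"],
            "zeus": ["4,7", "6,8", "9,2"],
        },
    }


if __name__ == "__main__":
    cfg = sample_config()
    print("zoneadd    ->", zoneadd(cfg, "matt", "ze*; bond*; j*"))
    print("zoneremove ->", zoneremove(cfg, "matt",
                                      "30:06:00:07:1e:a2:10:20; ja*; 3,2"))
```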
The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile memory. If a transaction is open on a different switch in the fabric when this command is run, the transaction on the other switch is automatically aborted. A message displays on the other switches to indicate that the transaction was aborted.
Viewing a zone in the defined configuration

Use the following procedure to view a zone in the configuration:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the zoneShow command, using the following syntax:
   zoneshow [--sort] ["pattern"] [, mode]
   If no parameters are specified, the entire zone database (both the defined and effective configuration) is displayed.
               1,1; 1,2
 alias: array1 21:00:00:20:37:0c:76:8c; 21:00:00:20:37:0c:71:02
 alias: array2 21:00:00:20:37:0c:76:22; 21:00:00:20:37:0c:76:28

Effective configuration:
 cfg:   fabric_cfg
 zone:  Blue_zone  1,1
                   21:00:00:20:37:0c:76:8c
                   21:00:00:20:37:0c:71:02
                   1,2

Example

Adding a new zone ‘red_zone’, deleting “1,1” and adding “6,15” to green_zone

switch:admin> cfgshow --transdiffs
Defined configuration:
 cfg:   fabric_cfg Blue_zone
 zone:  Blue_zone  1,1; array1; 1,2; array2
*zone:  green_zon
 alias: loop1  21:00:00:20:37:0c:76:85; 21:00:00:20:37:0c:71:df

3. Enter the zone --validate command to list all zone members that are not part of the current zone enforcement table. Note that zone configuration names are case-sensitive; blank spaces are ignored.
   switch:admin> zone --validate "White_zone"
4. Enter the following command to validate all zones in the zone database in the defined configuration.
If you enter yes and the cfgSave operation completes successfully, the following RASlog message [ZONE-1062] is posted:
[ZONE-1062], 620/181, FID 128, WARNING, sw0, Defined and Effective zone configurations are inconsistent, ltime:2012/09/03-23:18:30:983609
You can then either re-enable the updated configuration or revert to the older configuration.
Default zoning mode

The default zoning mode controls device access if zoning is not implemented or if there is no effective zone configuration. The default zoning mode has two options:
• All Access—All devices within the fabric can communicate with all other devices.
• No Access—Devices in the fabric cannot access any other device in the fabric.
The default zone mode applies to the entire fabric, regardless of switch model. The default setting is “All Access”.
switch:admin> cfgsave
WARNING!!!
The changes you are attempting to save will render the Effective configuration and the Defined configuration inconsistent. The inconsistency will result in different Effective Zoning configurations for switches in the fabric if a zone merge or HA failover happens.
To avoid inconsistency it is recommended to commit the configurations using the 'cfgenable' command.
Zone configurations

You can store a number of zones in a zone configuration database. The maximum number of items that can be stored in the zone configuration database depends on the following criteria:
• Number of switches in the fabric.
• Number of bytes for each item name. The number of bytes required for an item name depends on the specifics of the fabric, but cannot exceed 64 bytes for each item.
Adding zones (members) to a zone configuration

Use the following procedure to add members to a zone configuration:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the cfgAdd command, using the following syntax:
   cfgadd "cfgname", "member[; member...]"
3. Enter the cfgSave command to save the change to the defined configuration. The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile memory.
Enabling a zone configuration

The following procedure ends and commits the current zoning transaction buffer to nonvolatile memory. If a transaction is open on a different switch in the fabric when this procedure is run, the transaction on the other switch is automatically aborted. A message displays on the other switches to indicate that the transaction was aborted.

Use the following procedure to enable a zone configuration:
1.
Deleting a zone configuration

Use the following procedure to delete a zone configuration:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the cfgDelete command, using the following syntax:
   cfgdelete "cfgname"
3. Enter the cfgSave command to save the change to the defined configuration. The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile memory.
 alias: array1 21:00:00:20:37:0c:76:8c; 21:00:00:20:37:0c:71:02
 alias: array2 21:00:00:20:37:0c:76:22; 21:00:00:20:37:0c:76:28
 alias: loop1  21:00:00:20:37:0c:76:85; 21:00:00:20:37:0c:71:df

Effective configuration:
 cfg:   USA_cfg
 zone:  Blue_zone    1,1
                     21:00:00:20:37:0c:76:8c
                     21:00:00:20:37:0c:71:02
                     1,2
                     21:00:00:20:37:0c:76:22
                     21:00:00:20:37:0c:76:28
 zone:  Purple_zone  1,0
                     21:00:00:20:37:0c:76:85
                     21:00:00:20:37:0c:71:df

Viewing selected zone configuration information

Use the following pr
Clearing all zone configurations

Use the following procedure to clear all zone configurations:
1. Connect to the switch and log in using an account with admin permissions.
2. Use cfgClear to clear all zone information in the transaction buffer.

ATTENTION
Be careful using the cfgClear command because it deletes the defined configuration.

switch:admin> cfgclear
The Clear All action will clear all Aliases, Zones, FA Zones and configurations in the Defined configuration.
4. Enter the cfgShow command to verify the new zone object is present.
   switch:admin> cfgshow "Test*"
   cfg:   Test1     Blue_zone
   cfg:   Test_cfg  Purple_zone; Blue_zone
   switch:admin> cfgShow "US_Test1"
   cfg:   US_Test1  Blue_zone
5. If you want the change preserved when the switch reboots, use cfgSave to save it to nonvolatile (flash) memory.
6. Use cfgEnable for the appropriate zone configuration to make the change effective.
   You are about to expunge one configuration or member.
   This action could result in removing many zoning configurations recursively.
   [Removing the last member of a configuration removes the configuration.]
   Do you want to expunge the member? (yes, y, no, n): [no] yes
4. Enter yes at the prompt.
5. Use cfgShow to verify the deleted zone object is no longer present.
6. If you want the change preserved when the switch reboots, use cfgSave to save it to nonvolatile (flash) memory.
7.
Zone configuration management

You can add, delete, or remove individual elements in an existing zone configuration to create an appropriate configuration for your SAN environment. After the changes have been made, save the configuration to ensure the configuration is permanently saved in the switch and that the configuration is replicated throughout the fabric.
Adding a new fabric that has no zone configuration information to an existing fabric is very similar to adding a new switch. All switches in the new fabric inherit the zone configuration data. If the existing fabric has an effective zone configuration, then the same configuration becomes the effective configuration for the new switches.
• Merging two fabrics
  Both fabrics have identical zones and configurations enabled, including the default zone mode. The two fabrics will join to make one larger fabric with the same zone configuration across the newly created fabric. If the two fabrics have different zone configurations, they will not be merged. If the two fabrics cannot join, the ISL between the switches will segment.
Zone merging scenarios

The following tables provide information on merging zones and the expected results.
TABLE 55 Zone merging scenarios: Defined and effective configurations (Continued)

Description: Switch A and Switch B have different defined configurations. Switch B has an effective configuration.
  Switch A: defined: cfg2, zone2: ali3; ali4; effective: none
  Switch B: defined: cfg1, zone1: ali1; ali2; effective: cfg1
  Expected results: Clean merge. The new configuration will be a composite of the two, with cfg1 as the effective configuration.

Description: Switch A does not have a defined configuration.
TABLE 58 Zone merging scenarios: TI zones

Description: Switch A does not have Traffic Isolation (TI) zones. Switch B has TI zones.
  Switch A: defined: cfg1; effective: cfg1
  Switch B: defined: cfg1, TI_zone1; effective: cfg1
  Expected results: Clean merge. TI zones are not automatically activated after the merge.

Description: Switch A has TI zones. Switch B has identical TI zones.
  Switch A: defined: cfg1, TI_zone1; effective: cfg1
  Switch B: defined: cfg1, TI_zone1; effective: cfg1
  Expected results: Clean merge.
TABLE 60 Zone merging scenarios: Mixed Fabric OS versions

Description: Switch A is running Fabric OS 7.0.0 or later. Switch B is running a Fabric OS version earlier than 7.0.0.
  Switch A: effective: cfg1; defzone = allaccess
  Switch B: No effective configuration; defzone = noaccess
  Expected results: Fabric segments due to zone conflict.

Description: Switch A is running Fabric OS 7.0.0 or later. Switch B is running a Fabric OS version earlier than 7.0.0.
  Switch A: No effective configuration.
u30:FID128:admin> cfgsave
You are about to save the Defined zoning configuration. This action will only save the changes on Defined configuration.
Multiple open transactions are pending in this fabric. Only one transaction can be saved.
Please abort all unwanted transactions using the cfgtransabort command.
Chapter 12 Traffic Isolation Zoning

In this chapter
• Traffic Isolation Zoning overview
• Enhanced TI zones
• Traffic Isolation Zoning over FC routers
• General rules for TI zones
Figure 31 shows a fabric with a TI zone consisting of the following:
• N_Ports: “1,7”, “1,8”, “4,5”, and “4,6”
• E_Ports: “1,1”, “3,9”, “3,12”, and “4,7”
The dotted line indicates the dedicated path between the initiator in Domain 1 to the target in Domain 4.
TABLE 61 Traffic behavior when failover is enabled or disabled in TI zones

Failover enabled:  If the dedicated path is not the shortest path or if the dedicated path is broken, the TI zone traffic will use a non-dedicated path instead.
Failover disabled: If the dedicated path is not the shortest path or if the dedicated path is broken, traffic for that TI zone is halted until the dedicated path is fixed.
• Ensure that there are multiple paths between switches. Disabling failover locks the specified route so that only TI zone traffic can use it. Non-TI zone traffic is excluded from using the dedicated path.
• You should enable failover-enabled TI zones before enabling failover-disabled TI zones, to avoid dropped frames. When you issue the cfgEnable command to enable the zone configuration, if you have failover disabled zones, do the following:
  1.
FSPF routing rules and traffic isolation

All traffic must use the lowest cost path. FSPF routing rules take precedence over the TI zones, as described in the following situations.

If the dedicated ISL is not the lowest cost path ISL, then the following rules apply:
• If failover is enabled, the traffic path for the TI zone is broken, and TI zone traffic uses the lowest cost path instead.
• If failover is disabled, the TI zone traffic is blocked.
FIGURE 34 Dedicated path is not the shortest path (Domains 1 to 4; legend: dedicated path, ports in the TI zone)

NOTE
For information about setting or displaying the FSPF cost of a path, see the linkCost and topologyShow commands in the Fabric OS Command Reference.

Enhanced TI zones

In Fabric OS v6.4.0 and later, ports can be in multiple TI zones at the same time.
Illegal configurations with enhanced TI zones

When you create TI zones, ensure that all traffic from a port to all destinations on a remote domain have the same path. Do not create separate paths from a local port to two or more ports on the same remote domain. If the TI zones are configured with failover disabled, some traffic will be dropped.
In this example traffic from the Target to Domain 2 is routed correctly. Only one TI zone describes a path to Domain 2. However, both TI zones describe different, valid paths from the Target to Domain 1. Only one path will be able to get to (1,1). Traffic from port (3,8) cannot be routed to Domain 1 over both (3,6) and (3,7), so one port will be chosen. If (3,7) is chosen, frames destined for (1,1) will be dropped at Domain 1.
FIGURE 38 Traffic Isolation Zoning over FCR (Edge fabric 1, Backbone fabric, Edge fabric 2; legend: dedicated path set up by the TI zone in edge fabric 1, dedicated path set up by the TI zone in edge fabric 2, dedicated path set up by the TI zone in the backbone fabric)

In addition to setting up TI zones, you must also ensure that the devices are in an LSAN zone so that they can communicate with each other.
TI zones within an edge fabric

A TI zone within an edge fabric is used to route traffic between a real device and a proxy device through a particular EX_Port. For example, in Figure 39, you can set up a TI zone to ensure that traffic between Host 1 and the proxy target is routed through EX_Port 9.
TI zones within a backbone fabric

A TI zone within a backbone fabric is used to route traffic within the backbone fabric through a particular ISL. For example, in Figure 40, a TI zone is set up in the backbone fabric to ensure that traffic between EX_Ports “1,1” and “2,1” is routed through VE_Ports “1,4” and “2,7”.
Limitations of TI zones over FC routers

Be aware of the following when configuring TI zones over FC routers:
• A TI zone defined within the backbone fabric does not guarantee that edge fabric traffic will arrive at a particular EX_Port. You must set up a TI zone in the edge fabric to guarantee this.
• TI zones within the backbone fabric cannot contain more than one destination router port (DRP) per each fabric.
For example, in Figure 41, the TI zone was configured incorrectly and E_Port “3,9” was erroneously omitted from the zone. The domain 3 switch assumes that traffic coming from E_Port 9 is not part of the TI zone and so that traffic is routed to E_Port 11 instead of E_Port 12, if failover is enabled. If failover is disabled, the route is broken and traffic stops.
(Figure: two E_Port trunks. First trunk: member 8 in the TI zone, members 9 and 10 not in the TI zone. Second trunk: member 16 in the TI zone, members 17 and 18 not in the TI zone.)

Supported configurations for Traffic Isolation Zoning

The following configuration rules apply to TI zones:
• Ports in a TI zone must belong to switches that run Fabric OS v6.0.0 or later.
Trunking with TI zones

If you implement trunking and TI zones, you should keep the following points in mind:
• To include a trunk group in a TI zone, you must include all ports of the trunk in the TI zone.
• Trunked ISL ports cannot be members of more than one TI zone.
• To include a trunk group in a TI zone, you must include all ports of the trunk in the TI zone.
• If two N_Ports are online and have the same shared area, and one of them is configured in a TI zone, then they both must be configured in that same TI zone. One of the online shared area N_Ports should not remain outside the TI zone unless it is offline, then it may remain outside the TI zone.
Virtual Fabrics considerations for Traffic Isolation Zoning

This section describes how TI zones work with Virtual Fabrics. See Chapter 10, “Managing Virtual Fabrics,” for information about the Virtual Fabrics feature, including logical switches and logical fabrics.
FIGURE 43 Creating a TI zone in a logical fabric (Host and Target across Domains 3, 5, 8 and 9; legend: dedicated path, ports in the TI zones)

You must also create and activate a TI zone in the base fabric to reserve the XISLs for the dedicated path.
Traffic Isolation Zoning over FC routers with Virtual Fabrics

This section describes how you can set up TI zones over FC routers in logical fabrics. Figure 45 shows two physical chassis configured into logical switches. The initiator in FID 1 communicates with the target in FID 3 over the EX_Ports in the base switches.
Creating a TI zone

You create and modify TI zones using the zone command. Other zoning commands, such as zoneCreate, aliCreate, and cfgCreate, cannot be used to manage TI zones. When you create a TI zone, you can set the state of the zone to activated or deactivated. By default the zone state is set to activated; however, this does not mean that the zone is activated.
Example TI zone creation

The following examples create a TI zone named “bluezone”, which contains E_Ports 1,1 and 2,4 and N_Ports 1,8 and 2,6.
Creating a TI zone in a base fabric

1. Connect to the switch and log in using an account with admin permissions.
2. Create a “dummy” zone configuration in the base fabric. For example:
   zone --create "z1", "1,1"
   cfgcreate "base_config", z1
3. Enter the zone --create command to create the TI zone in the base fabric:
   zone --create -t objtype -o f name -p "portlist"
   The disable failover option is not supported in base fabrics.
4.
Modifying TI zones

Using the zone --add command, you can add ports to an existing TI zone, change the failover option, or both. You can also activate or deactivate the TI zone. Using the zone --remove command, you can remove ports from existing TI zones. If you remove the last member of a TI zone, the TI zone is deleted. After you modify the TI zone, you must enable the current effective configuration to enforce the changes.
Example of modifying a TI zone

To add port members to the existing TI zone bluezone:
switch:admin> zone --add bluezone -p "3,4; 3,6"

To add port members to the existing TI zone in a backbone fabric:
switch:admin> zone --add backbonezone -p "3,4; 3,6; 10:00:00:04:1f:03:16:f2;"

To disable failover on the existing TI zone bluezone:
switch:admin> zone --add -o n bluezone

To enable failover and add ports to TI zone greenzone:
switch:admin> zone --add -o f greenzone -p "3,
Deleting a TI zone

Use the zone --delete command to delete a TI zone from the defined configuration. This command deletes the entire zone; to only remove port members from a TI zone, use the zone --remove command, as described in “Modifying TI zones” on page 367.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the zone --delete command.
Example displaying information about all TI zones in the defined configuration in ascending order

switch:admin> zone --show -ascending
Defined TI zone configuration:
TI Zone Name:       bluezone
Port List:          8,3; 8,5; 9,2; 9,3;
Configured Status:  Deactivated / Failover-Disabled
Enabled Status:     Activated / Failover-Enabled

TI Zone Name:       greenzone
Port List:          2,2; 3,3; 4,11; 5,3;
Configured Status:  Activated / Failover-Enabled
Enabled Status:     Activated / Failover-Ena
Setting up TI over FCR (sample procedure)
The following example shows how to set up TI zones over FCR to provide the dedicated path shown in Figure 47. In this example, three TI zones are created: one in each of the edge fabrics and one in the backbone fabric. The combination of these three TI zones creates a dedicated path for traffic between Host 1 in edge fabric 1 and Targets 1 and 2 in edge fabric 2.
(Figure: the fabric has 3 switches)
b. Enter the following commands to create and display a TI zone:
E1switch:admin> zone --create -t ti TI_Zone1 -p "4,8; 4,5; 1,-1; 6,-1"
E1switch:admin> zone --show
Defined TI zone configuration:
TI Zone Name:   Port List:
TI_Zone1        4,8; 4,5; 1,-1; 6,-1
Status: Activated
Failover: Enabled
c. Enter the following commands to reactivate your current effective configuration and enforce the TI zones.
c. Enter the following commands to reactivate your current effective configuration and enforce the TI zones.
E2switch:admin> cfgactvshow
Effective configuration:
 cfg:   cfg_TI
 zone:  lsan_t_i_TI_Zone1
        10:00:00:00:00:00:02:00:00
        10:00:00:00:00:00:03:00:00
        10:00:00:00:00:00:08:00:00
E2switch:admin> cfgenable cfg_TI
You are about to enable a new zoning configuration.
This action will replace the old zoning configuration with the current configuration selected.
Chapter 13 Bottleneck Detection
In this chapter
• Bottleneck detection overview
• Supported configurations for bottleneck detection
• Credit Loss
• Enabling bottleneck detection on a switch
• Displaying bottleneck detection configuration details
• If the bottleneck detection feature detects ISL congestion, you can use ingress rate limiting to slow down low priority application traffic, if it is contributing to the congestion.
Notes
• Bottleneck detection is configured on a per-switch basis, with optional per-port exclusions.
• Bottleneck detection is disabled by default. Best practice is to enable bottleneck detection on all switches in the fabric, and leave it on to continuously gather statistics.
You can use the bottleneckMon command to specify alerting parameters for the following:
• Whether alerts are to be sent when a bottleneck condition is detected
• The size of the time window to look at when determining whether to alert
• How many affected seconds are needed to generate the alert
• How long to stay quiet after an alert
• Whether an enabled alert is for congestion, for latency, or for both
NOTE
Changing alerting parameters affects RASlog ale
High availability considerations for bottleneck detection
The bottleneck detection configuration is maintained across a failover or reboot; however, the bottleneck statistics collected are lost.
Upgrade and downgrade considerations for bottleneck detection
The bottleneck detection configuration is persistent across firmware upgrades and downgrades.
Credit Loss
Fabric OS v7.1 and later supports back-end credit loss detection on back-end ports and core blades as well as on the Brocade 5300 and 6520 switches, although the support is slightly different on each device. See below for details on these switches, and the Fabric OS Troubleshooting and Diagnostics Guide for more general information.
The following credit loss recovery methods are supported for Brocade 6520 back-end ports:
• For all the credit loss methods described above, a link reset will automatically be performed, assuming that this option was enabled. See “Enabling back-end credit loss detection and recovery” below for details on enabling this feature.
• A manual link reset option using the bottleneckmon command is also available.
3. Repeat step 1 and step 2 on every switch in the fabric.
NOTE
Best practice is to use the default values for the alerting and sub-second latency criterion parameters.
Example of enabling bottleneck detection (Recommended use case)
The following example enables bottleneck detection on the switch with alerts, using the default values for thresholds and time.
Switch-wide sub-second latency bottleneck criterion:
====================================================
Time threshold                 - 0.800
Severity threshold             - 50.000
Switch-wide alerting parameters:
================================
Alerts                         - Yes
Latency threshold for alert    - 0.100
Congestion threshold for alert - 0.
Averaging time for alert       -
Quiet time for alert           -
FIGURE 48 Affected seconds for bottleneck detection
The -time parameter specifies the time window. For this example, -time equals 12 seconds. The -cthresh and -lthresh parameters specify the thresholds on the number of affected seconds that trigger alerts for congestion and latency bottlenecks, respectively. This example uses the default values for these parameters, where -cthresh = 0.8 (80%) and -lthresh = 0.1 (10%).
Setting a congestion alert only
This example enables a congestion alert and shows its values.
Example of setting an alert for congestion
switch:admin> bottleneckmon --enable -alert=congestion
switch:admin> bottleneckmon --status
Bottleneck detection - Enabled
==============================
Switch-wide sub-second latency bottleneck criterion:
====================================================
Time threshold                 - 0.800
Severity threshold             - 50.
NOTE
Entering a --config command changes only those settings specified in the command; all others are left alone. The only exceptions are the -alert switch (restores alerts using recorded values) and the -noalert switch (disables all alerts). This means that if you want alerts, you must specify what you want as the -alert value for every bottleneckmon --config -alert command. See “Notes” on page 388 for information about --config and -alert-related settings.
Switch-wide sub-second latency bottleneck criterion:
====================================================
Time threshold                 - 0.800
Severity threshold             - 50.000
Switch-wide alerting parameters:
================================
Alerts                         - Yes
Latency threshold for alert    - 0.200
Congestion threshold for alert - 0.
Averaging time for alert       -
Quiet time for alert           -
Congestion threshold for alert - 0.700
Averaging time for alert       - 200 seconds
Quiet time for alert           - 150 seconds
Per-port overrides for alert parameters:
========================================
Port  Alerts?  LatencyThresh  CongestionThresh  Time (s)  QTime (s)
=================================================================================
46    N        -              -                 -         -
47    L        0.
Switch-wide alerting parameters:
================================
Alerts                         - Yes
Latency threshold for alert    - 0.200
Congestion threshold for alert - 0.700
Averaging time for alert       - 200 seconds
Quiet time for alert           - 150 seconds
Adjusting the frequency of bottleneck alerts
Depending on the circumstances, a problematic switch or port might be triggering alerts more frequently than desired.
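The following is an added example, not Fabric OS code: a Python model of the alerting rules described above for the -time window, the -cthresh and -lthresh fractions of affected seconds, the quiet time, the "only named settings change" rule of --config, and per-port overrides, run over constructed per-second samples. The 12-second window is taken from the Figure 48 discussion; the quiet-time value, the use of >= at the threshold, and the -alert value "both" are assumptions of the model.

```python
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Optional, Sequence, Tuple

BOTH = frozenset({"latency", "congestion"})


@dataclass(frozen=True)
class AlertParams:
    """Alerting parameters as the text describes them.

    alerts  - enabled alert kinds; an empty set models -noalert
    lthresh - fraction of affected seconds that raises a latency alert (page default 0.1)
    cthresh - fraction of affected seconds that raises a congestion alert (page default 0.8)
    time    - averaging window in seconds (12 = the Figure 48 example, not the switch default)
    qtime   - quiet time after an alert in seconds (assumed value)
    """
    alerts: FrozenSet[str] = BOTH
    lthresh: float = 0.1
    cthresh: float = 0.8
    time: int = 12
    qtime: int = 12


# One constructed sample per second: (latency_affected, congestion_affected).
Sample = Tuple[bool, bool]


def config(current: AlertParams, alert: Optional[str] = None,
           noalert: bool = False, **changes) -> AlertParams:
    """Model of bottleneckmon --config: only the named settings change.

    -noalert clears every alert; -alert=<latency|congestion|both> replaces the whole
    alert set, which is why the wanted kinds must be restated on every --config call.
    """
    if noalert:
        changes["alerts"] = frozenset()
    elif alert is not None:
        changes["alerts"] = BOTH if alert == "both" else frozenset({alert})
    return replace(current, **changes)


def evaluate_port(samples: Sequence[Sample], params: AlertParams) -> List[Tuple[int, str]]:
    """Return (second, kind) for every alert raised over a per-second stream.

    At second t the last `params.time` samples form the window; an alert of a kind is
    raised when the fraction of affected seconds reaches that kind's threshold
    (>= is an assumption) and no alert of that kind was raised within the last qtime seconds.
    """
    raised: List[Tuple[int, str]] = []
    quiet_until = {"latency": 0, "congestion": 0}
    thresholds = {"latency": params.lthresh, "congestion": params.cthresh}
    for t in range(params.time - 1, len(samples)):
        window = samples[t + 1 - params.time: t + 1]
        fractions = {
            "latency": sum(1 for lat, _ in window if lat) / params.time,
            "congestion": sum(1 for _, con in window if con) / params.time,
        }
        for kind in ("latency", "congestion"):
            if kind not in params.alerts or t < quiet_until[kind]:
                continue  # kind disabled, or still inside the quiet time
            if fractions[kind] >= thresholds[kind]:
                raised.append((t, kind))
                quiet_until[kind] = t + params.qtime
    return raised


def evaluate_switch(streams: Dict[int, Sequence[Sample]], switch_params: AlertParams,
                    overrides: Dict[int, AlertParams]) -> Dict[int, List[Tuple[int, str]]]:
    """A per-port override replaces the switch-wide parameters for that port."""
    return {port: evaluate_port(s, overrides.get(port, switch_params))
            for port, s in streams.items()}


def demo() -> Dict[int, List[Tuple[int, str]]]:
    """Constructed 30-second streams for three ports, mirroring the --status output above:
    port 46 has alerts turned off (N) and port 47 raises latency alerts only (L)."""
    switch_params = AlertParams()
    overrides = {46: config(switch_params, noalert=True),
                 47: config(switch_params, alert="latency")}
    always_congested = [(False, True)] * 30
    latency_bursts = [(t in (3, 4, 20, 21), True) for t in range(30)]
    streams = {5: always_congested, 46: always_congested, 47: latency_bursts}
    return evaluate_switch(streams, switch_params, overrides)
```

Port 5 alerts once the window fills at second 11 and again when the quiet time ends at second 23; port 47 alerts on its two-second latency bursts but never on the congestion it also sees.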
• You want greater-than-default (sub-second) latency sensitivity on your fabric, so you set sub-second latency criterion parameters at the time you enable bottleneck detection.
• You want to reduce the number of alerts you are receiving about known latency bottlenecks in the fabric, so you temporarily decrease the sub-second latency sensitivity on these ports.
• You have a latency bottleneck on an ISL that is not at the edge of the fabric.
For trunking, if you exclude a slave port from bottleneck detection, the exclusion has no effect as long as the port is a trunk slave. The exclusion takes effect only if the port becomes a trunk master or leaves the trunk.
Use the following procedure to exclude a port from bottleneck detection:
1. Connect to the switch to which the target port belongs and log in using an account with admin permissions.
2.
Switch-wide sub-second latency bottleneck criterion:
====================================================
Time threshold                 - 0.800
Severity threshold             - 50.000
Switch-wide alerting parameters:
================================
Alerts                         - Yes
Latency threshold for alert    - 0.200
Congestion threshold for alert - 0.
Averaging time for alert       -
Quiet time for alert           -
Disabling bottleneck detection on a switch
When you disable bottleneck detection on a switch, all bottleneck configuration details are discarded, including the list of excluded ports and non-default values of alerting parameters.
Use the following procedure to disable bottleneck detection:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the bottleneckmon --disable command to disable bottleneck detection on the switch.
Chapter 14 In-flight Encryption and Compression
In this chapter
• In-flight encryption and compression overview
• Configuring encryption and compression
• Encryption and compression examples
• Working with EX_Ports
FIGURE 49 Encryption and compression on 16 Gbps ISLs
The encryption and compression features are designed to work only with E_Ports, EX_Ports, and XISL ports (in VF mode). Encryption and compression are also compatible with the following features:
• E_Ports or EX_Ports with trunking, QoS, or long distance features enabled.
Bandwidth limits
Fabric OS supports up to 32 Gbps of data encryption and 32 Gbps of data compression per 16G-capable FC platform. This limits the number of ports that can have these features enabled at any one time. Table 62 shows some examples of how port speed affects the number of supported ports for different implementations.
The port-level authentication security feature must be enabled before encryption can be configured. Pre-shared secret keys should be configured on both ends of the ISL to perform authentication. Once the link has been authenticated, the port (E_Port or EX_Port) uses the IKE protocol to generate and exchange the keys, IV and salt values. At this time, key expiry is not supported.
(Table residue: per-port Yes/No columns for ports 1 through 23; the column headings are not recoverable.)
portCfgCompress
The portCfgCompress command allows you to enable or disable compression on the specified po
portHealth: No Fabric Watch License
Authentication: None
portDisableReason: None
portCFlags: 0x1
portFlags: 0x10000103 PRESENT ACTIVE E_PORT T_PORT T_MASTER G_PORT U_PORT ENCRYPT LOGIN
LocalSwcFlags: 0x0
portType: 24.
Virtual Fabrics considerations
The E_Ports and EX_Ports in the user-created logical switch, base switch, or default switch, and EX_Ports on base switches, can support encryption and compression. You can configure encryption on XISL ports, but not on LISL ports. However, frames from the LISL ports are implicitly encrypted or compressed as they pass through encryption/compression enabled XISL ports.
Notes
• If you need to disable authentication on a port that has encryption or compression configured, you must first disable encryption or compression on the port, and then disable authentication.
• If you want to enable authentication across a FC router and an edge fabric switch, you must first bring all EX_Ports online without using authentication.
Viewing the encryption and compression configuration
To determine which ports are available for encryption or compression on each ASIC on the switch, follow these steps:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the portEncCompShow command.
Example Using the portEncCompShow command
The following example shows the output for two ASICs.
Changing port speed on encryption/compression enabled ports
The port speed values can be displayed through several commands, including portStatsShow, portEncCompShow, and portCfgSpeed. However, the port speed can only be changed using the portCfgSpeed command. If the port speed is configured as AUTO NEG, the speed of the port is taken as 16G for calculation purposes.
• Because encryption adds more payload to the port in addition to compression, the compression ratio calculation is significantly affected on ports configured for both encryption and compression: the compressed length then also includes the encryption header, and this overhead affects the ratio calculation. To obtain accurate compression ratio data, we recommend that you enable ports for compression only.
For additional information about configuring DH-CHAP authentication for E_Ports and EX_Ports, see “Authentication policy for fabric elements” on page 207.
Configuring encryption
NOTE
Before performing this procedure, you must authenticate the port as described in “Configuring and enabling authentication” on page 403. It is also recommended that you check for port availability using the portEncCompShow command.
4. Enable the port with the portEnable command. After enabling the port, the new configuration becomes active.
Disabling encryption
To disable encryption on a port, follow these steps:
1. Connect to the switch and log in using an account with secure admin permissions, or an account with OM permissions for the EncryptionConfiguration RBAC class of commands.
2. Use the portDisable command to disable the port on which you want to disable encryption.
3.
Encryption and compression examples
The following examples show configuring and enabling encryption and compression. In this case, encryption and compression are being applied to the E_Ports at either end of an ISL connecting a port on a blade in an enterprise-class platform named ‘myDCX’ to a port on a Brocade 6510 switch named ‘myswitch’. Table 63 identifies each end of the ISL connection by device name, device WWN, and port number.
Example of enabling encryption and compression on an E_Port
This example configures and enables encryption and compression on a given port. The commands in this example are shown entered on the Brocade 6510 named ‘myswitch’. The same commands must also be entered on the peer switch.
NOTE
Authentication and a secret key must be configured and established before configuring encryption.
Are you done? (yes, y, no, n): [no] y
Saving data to key store... Done.
myswitch:admin> secauthsecret --show
WWN                      DId  Name
-----------------------------------------------
10:00:00:05:1e:e5:cb:00  150  dcx_150
myswitch:admin>
Activate authentication
After you set up the DH-CHAP secrets, you activate DH-CHAP authentication.
Rate Limit          OFF
EX Port             OFF
Mirror Port         OFF
Credit Recovery     ON
F_Port Buffers      OFF
Fault Delay:        0(R_A_TOV)
NPIV PP Limit:      126
CSCTL mode:         OFF
Frame Shooter Port  OFF
D-Port mode:        OFF
Compression:        OFF
Encryption:         ON
FEC:                OFF
myswitch:admin>
Enabling compression
Finally, you enable compression on the same port. The subsequent portCfgShow command shows both encryption and compression to be enabled on the port.
Examples of disabling encryption and compression
This example disables the encryption and compression that were enabled in the previous example.
Working with EX_Ports
An EX_Port is a type of E_Port (expansion port) that connects a Fibre Channel router to an edge fabric. From the point of view of a switch in an edge fabric, an EX_Port appears as a normal E_Port; it follows applicable Fibre Channel standards just like an E_Port. However, a router terminates an EX_Port rather than allowing the two different fabrics to merge, as would happen with an E_Port.
NOTE
If trunking is enabled, be aware that the ports creating the bandwidth limitation will form a trunk group, while the rest of the ports will be segmented.
Example of enabling encryption and compression on an EX_Port
This example configures and enables encryption and compression on an EX_Port. The commands in this example are shown entered on a Brocade 6510 named ‘myswitch’ acting as the Fibre Channel Router (FCR) and on an edge switch named ‘edge’.
This command is used to set up secret keys for the DH-CHAP authentication.
The minimum length of a secret key is 8 characters and maximum 40 characters.
Setting up secret keys does not initiate DH-CHAP authentication. If switch is configured to do DH-CHAP, it is performed whenever a port or a switch is enabled.
Warning: Please use a secure channel for setting secrets. Using an insecure channel is not safe and may compromise secrets.
QOS Port            AE
Port Auto Disable:  OFF
Rate Limit          OFF
EX Port             ON
Mirror Port         OFF
Credit Recovery     ON
F_Port Buffers      OFF
Fault Delay:        0(R_A_TOV)
NPIV PP Limit:      255
CSCTL mode:         OFF
D-Port mode:        OFF
Compression:        OFF
Encryption:         ON
FEC:                ON
myswitch:admin>
Example Enabling compression on port 1 of ‘myswitch’
The subsequent portCfgShow command shows both encryption and compression to be enabled on the port.
FCR:admin> portcfgexport 1
Port 1 info
Admin:                        enabled
State:                        OK
Pid format:                   core(N)
Operate mode:                 Brocade Native
Edge Fabric ID:               20
Front Domain ID:              160
Front WWN:                    50:00:53:31:37:43:ee:14
Principal Switch:             8
Principal WWN:                10:00:00:05:33:13:70:3e
Fabric Parameters:            Auto Negotiate
R_A_TOV:                      10000(N)
E_D_TOV:                      2000(N)
Authentication Type:          None
DH Group:                     N/A
Hash Algorithm:               N/A
Encryption:                   O
Compression:
Forward Error Correction:
Edge fabric's primary wwn:
Edge fabric's version stamp:
characters. Setting up secret keys does not initiate DH-CHAP authentication. If switch is configured to do DH-CHAP, it is performed whenever a port or a switch is enabled.
Warning: Please use a secure channel for setting secrets. Using an insecure channel is not safe and may compromise secrets.
Following inputs should be specified for each entry.
1. WWN for which secret is being set up.
2. Peer secret: The secret of the peer that authenticates to peer.
3.
NPIV PP Limit:  126
CSCTL mode:     OFF
D-Port mode:    OFF
Compression:    OFF
Encryption:     ON
FEC:            ON
Example Enabling compression on the same port.
The portCfgShow command shows that both encryption and compression are now enabled on this port.
EX_Port commands
See the Fabric OS Command Reference for more details on these EX_Port-valid commands.
portCfgExPort
The portCfgExPort command sets a port to be an EX_Port, and also sets and displays EX_Port configuration parameters (including those for encryption and compression).
Chapter 15 NPIV
In this chapter
• NPIV overview
• Configuring NPIV
• Enabling and disabling NPIV
• Viewing NPIV port configuration information
Index Port Address Media Speed State   Proto
==============================================
  0    0   010000   id    N4   Online  FC  F-Port
  1    1   010100   id    N4   Online  FC  F-Port
  2    2   010200   id    N4   Online  FC  F-Port
  3    3   010300   id    N4   Online  FC  F-Port
20:0c:00:05:1e:05:de:e4 0xa06601 1 N Port + 4 NPIV public
1 N Port + 119 NPIV public
1 N Port + 221 NPIV public
On the Brocade DCX and DCX-4S with the FC8-64 blade, the base port is not included in the NPIV device count.
TABLE 64 Number of supported NPIV devices (Continued)
Platform  Virtual Fabrics  Logical switch type  NPIV support
DCX-4S    Enabled          Logical switch       Yes, 255 virtual device limit. (3)
DCX-4S    Enabled          Base switch          No.
1. Maximum limit support takes precedence if user-configured maximum limit is greater. This applies to shared areas on the FC4-48, FC8-48, and FC8-64 port blades.
2.
VC Link Init          OFF
Locked L_Port         OFF
Locked G_Port         OFF
Disabled E_Port       OFF
Locked E_Port         OFF
ISL R_RDY Mode        OFF
RSCN Suppressed       OFF
Persistent Disable    OFF
LOS TOV enable        OFF
NPIV capability       ON
QOS E_Port            AE
Port Auto Disable:    OFF
Rate Limit            OFF
EX Port               OFF
Mirror Port           OFF
Credit Recovery       ON
F_Port Buffers        OFF
Fault Delay:          0(R_A_TOV)
NPIV PP Limit:        128
CSCTL mode:           OFF
Frame Shooter Port    OFF
D-Port mode:          OFF
Compression:          OFF
Encryption:           OFF
FEC:                  ON
Enabling and disabling NPIV
Viewing NPIV port configuration information
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the portCfgShow command to view the switch ports information.
switch:admin> portshow 2
portName: 02
portHealth: HEALTHY
Authentication: None
portDisableReason: None
portCFlags: 0x1
portFlags: 0x24b03 PRESENT ACTIVE F_PORT G_PORT NPIV LOGICAL_ONLINE LOGIN NOELP LED ACCEPT
portType: 10.0
portState: 1 Online
portPhys: 6 In_Sync
portScn: 32 F_Port
port generation number: 148
portId: 630200
portIfId: 43020005
portWwn: 20:02:00:05:1e:35:37:40
portWwn of device(s) connected:
c0:50:76:ff:fb:00:16:fc
c0:50:76:ff:fb:00:16:f8
...
Chapter 16 Dynamic Fabric Provisioning: Fabric-Assigned PWWN
In this chapter
• Introduction to Dynamic Fabric Provisioning using FA-PWWN
• User- and auto-assigned FA-PWWN behavior
• Configuring FA-PWWNs
• Supported switches and configurations for FA-PWWN
• Configuration upload and download considerations for FA-PWWN
NOTE
For the server to use the FA-PWWN feature, it must be using a Brocade HBA or adapter. Refer to the release notes for the HBA or adapter versions that support this feature. Some configuration of the HBA must be performed to use the FA-PWWN.
User- and auto-assigned FA-PWWN behavior
An FA-PWWN can be either user-generated or automatically assigned by the fabric.
This section includes an FA-PWWN configuration procedure for each of the following two topologies:
• An FA-PWWN for an HBA device that is connected to an Access Gateway switch.
• An FA-PWWN for an HBA device that is connected directly to an edge switch.
These topologies are shown in Figure 51.
(Figure 51 labels: Access Gateway Switch running FOS 7.0.0; Edge Switch running FOS 7.0.)
3. Enter the fapwwn --show -ag all command:
You should see output similar to the following sample. (In this example, long lines of output are shown split across two lines, for better readability.)
3. Enter the fapwwn --show -port all command:
You should see output similar to the following sample.
• Access Gateway platforms running Fabric OS v7.0.0 or later:
- Brocade 300
- Brocade 5100
- Brocade 6505
- Brocade 6510
• Brocade HBAs with driver version 3.0.0.0:
- Brocade 415
- Brocade 425
- Brocade 815
- Brocade 825
Configuration upload and download considerations for FA-PWWN
The configuration upload and download utilities can be used to import and export the FA-PWWN configuration.
NOTE
When creating the DCC policy, use the physical device WWN and not the FA-PWWN. If you use DCC, a policy check is done on the physical PWWN on the servers. In the case of an HBA, the FA-PWWN is assigned to the HBA only after the DCC check is successful. Refer to “DCC policy behavior with Fabric-Assigned PWWNs” on page 205 for additional information.
Chapter 17 Managing Administrative Domains
In this chapter
• Administrative Domains overview  433
• Admin Domain management for physical fabric administrators  442
• SAN management with Admin Domains
NOTE
Do not confuse an Admin Domain number with the domain ID of a switch. They are two different identifiers. The Admin Domain number identifies the Admin Domain and has a range from 0 through 255. The domain ID identifies a switch in the fabric and has a range from 1 through 239.
Figure 52 shows a fabric with two Admin Domains: AD1 and AD2.
Admin Domain features
Admin Domains allow you to do the following:
• Define the scope of an Admin Domain to encompass ports and devices within a switch or a fabric.
• Share resources across multiple Admin Domains. For example, you can share array ports and tape drives between multiple departments. In Figure 52 on page 434, one of the storage devices is shared between AD1 and AD2.
• Have a separate zone database for each Admin Domain.
Table 65 lists each Admin Domain user type and describes its administrative access and capabilities.
TABLE 65 AD user types
User type: Physical fabric administrator
Description: User account with admin permissions and with access to all Admin Domains (AD0 through AD255). Creates and manages all Admin Domains. Assigns other administrators or users to each Admin Domain. The default admin account is the first physical fabric administrator.
For example, if DeviceA is not a member of any user-defined Admin Domain, then it is an implicit member of AD0. If you explicitly add DeviceA to AD0, then DeviceA is both an implicit and an explicit member of AD0.
AD0 implicit members   DeviceA
AD0 explicit members   DeviceA
AD2 members            none
If you add DeviceA to AD2, then DeviceA is deleted from the AD0 implicit membership list, but is not deleted from the AD0 explicit membership list.
FIGURE 54 Fabric with AD0 and AD255
Home Admin Domains and login
You are always logged in to an Admin Domain, and you can view and modify only the devices in that Admin Domain. If you have access to more than one Admin Domain, one of them is designated as your home Admin Domain, the one you are automatically logged in to.
• For user-defined accounts, the home Admin Domain defaults to AD0, but an administrator can set the home Admin Domain to any Admin Domain to which the account is given access.
• If you are in any Admin Domain context other than AD0, the Admin Domain number is included in the system prompt displayed during your session.
If a device is a member of an Admin Domain, the switch port to which the device is connected becomes an indirect member of that Admin Domain and the domain,index is removed from the AD0 implicit membership list.
NOTE
If the switch domain ID changes, the domain,index members are invalid (they are not automatically changed). You must then reconfigure the Admin Domain with the current domain,index members.
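The following is an added example, not Fabric OS code: a Python model of the membership bookkeeping described in the DeviceA example and the indirect-port rule above, which also applies the two rules stated later in this chapter (an Admin Domain whose last member is removed is deleted; clearing the configuration deletes every user-defined Admin Domain and empties the AD0 explicit list). The two-switch fabric, the resource names and the method names are constructed for the example; switch membership is modelled as a plain resource and is not assumed to pull in that switch's ports.

```python
from typing import Dict, Set

AD0 = 0


class AdminDomainModel:
    """Membership bookkeeping as the text describes it (constructed model).

    Resources are switches (domain IDs as strings), switch ports ("domain,index")
    and devices (WWN strings); `attached` maps a device to the port it is connected
    to. AD0 keeps an explicit member list; its implicit membership is computed and
    is always every resource not claimed by some user-defined Admin Domain.
    """

    def __init__(self, switches: Set[str], ports: Set[str], attached: Dict[str, str]):
        self.all_resources = set(switches) | set(ports) | set(attached)
        self.attached = dict(attached)
        self.explicit: Dict[int, Set[str]] = {AD0: set()}   # AD number -> explicit members

    def members(self, ad: int) -> Set[str]:
        """Direct members plus, for each device member, its switch port as an indirect member."""
        direct = set(self.explicit.get(ad, set()))
        indirect = {self.attached[d] for d in direct if d in self.attached}
        return direct | indirect

    def ad0_implicit(self) -> Set[str]:
        """Resources that are neither direct nor indirect members of a user-defined AD."""
        claimed: Set[str] = set()
        for ad in self.explicit:
            if ad != AD0:
                claimed |= self.members(ad)
        return self.all_resources - claimed

    def ad_add(self, ad: int, members: Set[str]) -> None:
        """ad --create / ad --add: a missing user-defined AD is created on first add."""
        unknown = members - self.all_resources
        if unknown:
            raise ValueError(f"not fabric resources: {sorted(unknown)}")
        self.explicit.setdefault(ad, set()).update(members)

    def ad_remove(self, ad: int, members: Set[str]) -> None:
        """ad --remove: removing the last member of a user-defined AD deletes that AD."""
        self.explicit[ad] -= members
        if ad != AD0 and not self.explicit[ad]:
            del self.explicit[ad]

    def ad_clear(self) -> None:
        """Clearing the AD configuration: every user-defined AD goes, AD0's explicit list is emptied."""
        self.explicit = {AD0: set()}


def walk_through() -> Dict[str, Set[str]]:
    """The DeviceA sequence from the text, replayed on a constructed two-switch fabric."""
    m = AdminDomainModel(switches={"1", "100"}, ports={"1,5", "100,5", "4,1"},
                         attached={"DeviceA": "1,5", "DeviceB": "100,5"})
    result: Dict[str, Set[str]] = {}
    result["start"] = m.ad0_implicit()
    m.ad_add(AD0, {"DeviceA"})                 # DeviceA is now implicit and explicit in AD0
    result["ad0_explicit_after_add"] = set(m.explicit[AD0])
    result["ad0_implicit_after_add"] = m.ad0_implicit()
    m.ad_add(2, {"DeviceA"})                   # leaves the AD0 implicit list, stays on the explicit one
    result["ad2"] = m.members(2)               # port 1,5 follows DeviceA as an indirect member
    result["ad0_implicit_with_ad2"] = m.ad0_implicit()
    result["ad0_explicit_with_ad2"] = set(m.explicit[AD0])
    m.ad_remove(2, {"DeviceA"})                # AD2 loses its last member and is deleted
    result["ads_after_remove"] = {str(ad) for ad in m.explicit}
    m.ad_add(1, {"100,5", "4,1"})              # the ad --add AD1 -d "100,5; 4,1" example
    result["ad0_implicit_with_ad1"] = m.ad0_implicit()
    m.ad_clear()
    result["after_clear"] = m.ad0_implicit()
    return result
```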
Figure 55 on page 441 shows an unfiltered view of a fabric with two switches, three devices, and two Admin Domains. The devices are labeled with device WWNs and the switches are labeled with domain IDs and switch WWNs.
FIGURE 55 Fabric showing switch and device WWNs
Figure 56 shows the filtered view of the fabric as seen from AD3 and AD4. The switch WWNs are converted to the NAA=5 syntax; the device WWNs and domain IDs remain the same.
Admin Domain compatibility, availability, and merging
Admin Domains maintain continuity of service for Fabric OS features and operate in mixed-release Fabric OS environments. High availability is supported with some backward compatibility. When an E_Port comes online, the adjacent switches merge their AD databases.
Setting the default zoning mode for Admin Domains
To begin implementing an Admin Domain structure within your SAN, you must first set the default zoning mode to No Access. You must be in AD0 to change the default zoning mode.
1. Log in to the switch with the appropriate RBAC role.
2. Ensure you are in the AD0 context by entering the ad --show command to determine the current Admin Domain.
ad --select 255
5. Enter the ad --create command using the -d option to specify device and switch port members and the -s option to specify switch members:
ad --create ad_id -d "dev_list" -s "switch_list"
6. Enter the appropriate command based on whether you want to save or activate the Admin Domain definition:
• To save the Admin Domain definition, enter ad --save.
Creating a new user account for managing Admin Domains
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the userConfig --add command using the -r option to set the role, the -a option to provide access to Admin Domains, and the -h option to specify the home Admin Domain.
Removing an Admin Domain from a user account
When you remove an Admin Domain from an account, all of the currently active sessions for that account are logged out.
1. Connect to the switch and log in using an account with admin permissions.
2.
Deactivating an Admin Domain
If you deactivate an Admin Domain, the members assigned to the Admin Domain can no longer access their hosts or storage unless those members are part of another Admin Domain. You cannot log in to an Admin Domain that has been deactivated. You must activate an Admin Domain before you can log in to it.
1. Connect to the switch and log in using an account with admin permissions.
2.
• To save the Admin Domain definition, enter ad --save.
• To save the Admin Domain definition and directly apply the definition to the fabric, enter ad --apply.
Example of adding two switch ports, designated by domain,index, to AD1
switch:AD255:admin> ad --add AD1 -d "100,5; 4,1"
Removing members from an Admin Domain
If you remove the last member of an Admin Domain, that Admin Domain is automatically deleted.
1.
4. Enter the appropriate command based on whether you want to save or activate the Admin Domain definition:
• To save the Admin Domain definition, enter ad --save.
• To save the Admin Domain definition and directly apply the definition to the fabric, enter ad --apply.
The Admin Domain numbers remain unchanged after the operation.
Deleting all user-defined Admin Domains
When you clear the Admin Domain configuration, all user-defined Admin Domains are deleted, the explicit membership list of AD0 is cleared, and all fabric resources (switches, ports, and devices) are returned to the implicit membership list of AD0. You cannot clear the Admin Domain configuration if zone configurations exist in any of the user-defined Admin Domains.
3. Enter the zone --copy command to copy the zones from all user-defined Admin Domains to AD0.
zone --copy source_AD.source_name dest_name
In this syntax, source_AD is the name of the user-defined AD from which you are copying the zone, source_name is the name of the zone to be copied, and dest_name is the name to give to the zone after it is copied to AD0.
4. Copy the newly added zones in AD0 to the zone configuration.
FIGURE 57 AD0 and two user-defined Admin Domains, AD1 and AD2
At the conclusion of the procedure, all devices and zones are moved to AD0, and the user-defined Admin Domains are deleted, as shown in Figure 58.
10:00:00:00:02:00:00:00; 10:00:00:00:03:00:00:00
Effective configuration:
cfg: AD1_cfg
zone: AD1_BlueZone 10:00:00:00:02:00:00:00
10:00:00:00:03:00:00:00
Zone CFG Info for AD_ID: 2 (AD Name: AD2, State: Active) :
Defined configuration:
cfg: AD2_cfg AD2_GreenZone
zone: AD2_GreenZone 10:00:00:00:04:00:00:00; 10:00:00:00:05:00:00:00
Effective configuration:
cfg: AD2_cfg
zone: AD2_GreenZone 10:00:00:00:04:00:00:00
10:00:00:00:05:00:00:00
sw0:adm
SAN management with Admin Domains
Validating an Admin Domain member list
You can validate the device and switch member list. You can list non-existing or offline Admin Domain members. You can also identify misconfigurations of the Admin Domain. The Admin Domain validation process is not applicable for AD0, because AD0 implicitly contains all unassigned online switches and their devices.
1. Connect to the switch and log in using an account with admin permissions.
2.
CLI commands in an AD context
The CLI command input arguments are validated against the AD member list; they do not work with input arguments that specify resources that are not members of the current Admin Domain. All commands present filtered output, showing only the members of the current Admin Domain. For example, switchShow displays details for the list of AD members present in that switch.
Displaying an Admin Domain configuration
You can display the membership information and zone database information of a specified Admin Domain. Notice the following differences in the information displayed based on the Admin Domain:
• AD255: If you do not specify the AD name or number, all information about all existing Admin Domains is displayed.
• AD0–AD254: The membership of the current Admin Domain is displayed.
You cannot switch to another Admin Domain context from within the shell created by ad --select. You must first exit the shell, and then issue the ad --select command again.
Example of switching to a different Admin Domain context
The following example switches to the AD12 context and back. Note that the prompt changes to display the Admin Domain.
TABLE 67 Admin Domain interaction with Fabric OS features (Continued)
Fabric OS feature | Admin Domain interaction
FDMI | FDMI operations are allowed only in AD0 and AD255.
FICON | Admin Domains support FICON. However, you must perform additional steps because FICON management requires additional physical control of the ports. You must set up the switch as a physical member of the FICON AD.
The AD zone database also has the following characteristics:
- Each zone database has its own name space. For example, you can define a zone name of test_z1 in more than one Admin Domain.
- There is no zone database linked to the physical fabric (AD255) and no support for zone database updates. In the physical fabric context (AD255), you can only view the complete hierarchical zone database, which is all of the zone databases in AD0 through AD254.
LSAN zone names in AD0 are never converted for backward-compatibility reasons. The auto-converted LSAN zone names might collide with LSAN zone names in AD0 (in the example, if AD0 contains lsan_for_linux_farm_AD005, this causes a name collision). Fabric OS does not detect or report such name clashes. LSAN zone names greater than 57 characters are not converted or sent to the FCR phantom domain.
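Because Fabric OS does not report the name clashes described above, an administrator has to find them before the Admin Domains are merged or exported. The following Python script is an added illustration, not part of this guide or of Fabric OS: it models the conversion rule (the suffix is assumed to be "_AD" followed by the three-digit AD number, as in the lsan_for_linux_farm_AD005 example; names over 57 characters are not converted) and flags collisions and unconvertible names across a constructed hierarchical zone database.

```python
# Added example (not Fabric OS code): model of the LSAN zone-name
# auto-conversion described above, plus the collision check that the
# switch itself does not perform.
# Assumption: an LSAN zone defined in AD n is exported as <name>_ADnnn
# (nnn zero-padded to three digits), matching the page's example.

MAX_CONVERTIBLE_NAME_LEN = 57  # longer LSAN names are not converted or sent to the FCR


def exported_lsan_name(name: str, ad_id: int):
    """Return the name the FCR phantom domain would see for an LSAN zone
    defined in Admin Domain ad_id, or None if the zone is not exported.

    AD0 names are never converted; names in AD1-AD254 get the _ADnnn
    suffix unless they exceed MAX_CONVERTIBLE_NAME_LEN characters.
    """
    if ad_id == 0:
        return name
    if len(name) > MAX_CONVERTIBLE_NAME_LEN:
        return None
    return f"{name}_AD{ad_id:03d}"


def lsan_export_report(zones_by_ad: dict) -> dict:
    """Summarise how a hierarchical LSAN zone database would be exported.

    zones_by_ad maps an AD number to the list of LSAN zone names defined
    there. Returns a dict with:
      'exported'   - {exported_name: ad_id} for every name that reaches the FCR
      'skipped'    - [(ad_id, name)] zones too long to be converted
      'collisions' - [(exported_name, first_ad, second_ad)] silent name clashes
    """
    exported, skipped, collisions = {}, [], []
    for ad_id in sorted(zones_by_ad):          # AD0 is processed first, as it is never renamed
        for name in zones_by_ad[ad_id]:
            out = exported_lsan_name(name, ad_id)
            if out is None:
                skipped.append((ad_id, name))
            elif out in exported:
                # Fabric OS neither detects nor reports this case.
                collisions.append((out, exported[out], ad_id))
            else:
                exported[out] = ad_id
    return {"exported": exported, "skipped": skipped, "collisions": collisions}


# Constructed sample database (not taken from a real switch).
SAMPLE_ZONES = {
    0: ["lsan_for_linux_farm_AD005", "lsan_backup"],
    5: ["lsan_for_linux_farm", "lsan_" + "x" * 60],   # second name is too long to convert
    7: ["lsan_for_linux_farm"],                        # same base name as AD5, no clash after suffixing
}

if __name__ == "__main__":
    report = lsan_export_report(SAMPLE_ZONES)
    for clash in report["collisions"]:
        print("name collision at the FCR:", clash)
    for ad_id, name in report["skipped"]:
        print(f"AD{ad_id}: {name[:24]}... exceeds {MAX_CONVERTIBLE_NAME_LEN} characters, not exported")
```

Run the script against the LSAN names collected from each Admin Domain before applying a configuration; a non-empty collisions list means the FCR would see two zones under one name.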
Section II Licensed Features
This section describes optionally licensed Brocade Fabric OS features and includes the following chapters:
• Chapter 18, “Administering Licensing”
• Chapter 19, “Inter-chassis Links”
• Chapter 20, “Monitoring Fabric Performance”
• Chapter 21, “Optimizing Fabric Behavior”
• Chapter 22, “Managing Trunking Connections”
• Chapter 23, “Managing Long-Distance Fabrics”
• Chapter 24, “Using FC-FC Routing to Connect Fabrics”
Fabric OS Administrator’s Guide 53-1002745-02 461
Chapter 18 Administering Licensing
In this chapter
• Licensing overview
• Brocade 7800 Upgrade license
• ICL licensing
• 8G licensing
Licensing overview
Table 69 lists the optionally licensed features that are available in Fabric OS 7.1.
TABLE 69 Available Brocade licenses
License | Description
10 Gigabit FCIP/Fibre Channel (10G license) | • Allows 10 Gbps operation of FC ports on the Brocade 6510 or 6520 switches or the FC ports of FC16-32 or FC16-48 port blades installed on a Brocade DCX 8510 Backbone.
7800 Upgrade |
TABLE 69 Available Brocade licenses (Continued)
License | Description
Advanced FICON Acceleration | • Allows use of specialized data management techniques and automated intelligence to accelerate FICON tape read and write and IBM Global Mirror data replication operations over distance, while maintaining the integrity of command and acknowledgement sequences.
TABLE 69 Available Brocade licenses (Continued)
License | Description
Enterprise ICL | Allows you to connect more than four chassis in a fabric using ICLs. You can connect up to four Brocade DCX 8510 Backbones via ICLs without this license. If the number of interconnected chassis using ICLs exceeds four, then all of the chassis using ICLs require the Enterprise ICL license.
TABLE 69 Available Brocade licenses (Continued)
License | Description
Integrated Routing | • Allows any ports in Brocade 5100, 5300, 6510, 6520, and VA-40FC switches, the Brocade Encryption Switch, or the Brocade DCX, DCX-4S, and DCX 8510 family platforms to be configured as an EX_Port supporting FC-FC routing. • Eliminates the need to use a Brocade 7500 for FC-FC routing purposes.
Server Application Optimization (SAO) |
TABLE 70 License requirements and location name by feature (Continued)
Feature | License | Where license should be installed
FCIP | High Performance Extension over FCIP/FC | Local and attached switches. NOTE: License is needed on both sides of tunnel.
FCIP Trunking | Advanced Extension | Local and attached switches.
Fibre Channel Routing/EX_Ports | Integrated Routing | Local switch.
FICON | No license required. | N/A
FICON-CUP | FICON Management Server | Local switch.
TABLE 70 License requirements and location name by feature (Continued)
Feature | License | Where license should be installed
Logical switch | No license required. | N/A
Long distance | Extended Fabrics | Local and attached switches. NOTE: License is needed on both sides of connection.
NPIV | No license required. | N/A
OpenSSH public key | No license required. | N/A
Performance monitoring | Advanced Performance Monitoring for advanced features. No license required for basic features. |
TABLE 70 License requirements and location name by feature (Continued)
Feature | License | Where license should be installed
Speed | 8 Gbps license needed to support 8 Gbps on the Brocade 300, 5100, 5300, and VA-40FC switches and embedded switches only. | Local switch
NOTE: The 8 Gbps license is installed by default, and you should not remove it.
TABLE 71 Base to Upgrade license comparison (Continued)
Feature | Base model | 7800 Upgrade license
Number of FCIP Tunnels | 2 | 8
Tape Pipelining over FCIP Tunnel | No | Yes
ICL licensing
Brocade ICL links operate between the core blades of the DCX 8510 Backbone family, or between the core blades of the DCX and DCX-4S Backbones. Typically, if both core blades are installed, then they are active on the DCX and DCX-4S (or DCX 8510 family) Backbones.
ICL 8-link license
The ICL 8-link license activates half of the ICL bandwidth for each ICL port on the Brocade DCX platform by enabling only half of the ICL links available. This allows you to purchase half the bandwidth of the Brocade DCX ICL ports initially and upgrade with an additional ICL license to use the full ICL bandwidth later.
Example switchShow output if no Enterprise ICL license is installed
A message such as the following is displayed if a required EICL license is not installed:
440 8 24 -----id 16G Online FC segmented,10:00:00:05:33:0d:52:00 (No EICL License)(Trunk E-Port master)
441 8 25 -----id 16G Online FC segmented,10:00:00:05:33:0d:52:00 (No EICL License)(Trunk E-Port master)
Example switchShow output if maximum number of chassis is reached
A message such as the following is displayed if the maximum
Slot-based licensing
Slot-based licensing is used on the Brocade DCX and DCX 8510 Backbone families to support the FX8-24 blade, and on the Brocade DCX 8510 Backbone family to support the 16 Gbps FC port blades (FC16-24 and FC16-48). License capacity is equal to the number of slots. These licenses allow you to select the slots that the license will enable up to the capacity purchased and to increase the capacity without disrupting slots that already have licensed features running.
Assigning a license to a slot
Use the following procedure to assign a license to a slot:
1. Connect to the switch and log in using an account with admin permissions, or an account with OM permissions in the license class of RBAC commands.
2. Enter the licenseSlotCfg -add command to add the license to the appropriate slot.
Removing a license from a slot
Use the following procedure to remove a slot-based license from a blade slot:
1.
10G licensing
After applying a 10G license to the Brocade 6510 or 6520 chassis or to a 16 Gbps FC blade, you must also configure the port octet (portCfgOctetSpeedCombo command) with the correct port octet speed group and configure each port to operate at 10 Gbps (portCfgSpeed command). It is necessary to configure the port octet because only certain combinations of port speeds are allowed within the port octet. No license is required for the octet group.
aTFPNFXGLmABANMGtT4LfSBJSDLWTYD3EFrr4WGAEMBA
10 Gigabit FCIP/Fibre Channel (FTR_10G) license
Capacity 1
Consumed 1
Configured Blade Slots 1
8510-8switch:admin> licenseslotcfg -remove FTR_10G 1
8510-8switch:admin> licenseslotcfg -add FTR_10G 4
8510-8switch:admin> licenseshow
aTFPNFXGLmABANMGtT4LfSBJSDLWTYD3EFrr4WGAEMBA
10 Gigabit FCIP/Fibre Channel (FTR_10G) license
Capacity 1
Consumed 1
Configured Blade Slots 4
8510-8switch:admin> portcfgoctetspeedcombo 4/2 2
8510-8switch:admin> portcfgsp
aTFPNFXGLmABANMGtT4LfSBJSDLWTYD3EFrr4WGAEMBA
10 Gigabit FCIP/Fibre Channel (FTR_10G) license
Capacity 1
Consumed 1
Configured Blade Slots 1
8510-4switch:admin> licenseslotcfg -remove FTR_10G 1
8510-4switch:admin> licenseslotcfg -add FTR_10G 7
8510-4switch:admin> licenseshow
aTFPNFXGLmABANMGtT4LfSBJSDLWTYD3EFrr4WGAEMBA
10 Gigabit FCIP/Fibre Channel (FTR_10G) license
Capacity 1
Consumed 1
Configured Blade Slots 7
8510-4switch:admin> bladecfggemode --set 10G -slot 7
8510-4switch:admin>
Temporary licenses
• FICON Management Server (CUP) license
• Extended Fabrics license
• High Performance Extension over FCIP/FC license
• Integrated Routing license
• Server Application Optimization license
• ISL Trunking license
Restrictions on upgrading temporary slot-based licenses
If the capacity of the permanent license is equal to or greater than the capacity of the temporary license and you use the same slot assignments, then replacing the temporary license with a permanent license is non-disr
Expired licenses
Once a temporary license has expired, you can view it through the licenseShow command. Expired licenses have an output string of “License has expired”. RASlog warning messages are generated every hour for licenses present in the database which have expired or are going to expire in the next five days. An expired license may become unusable after a reboot, failover, firmware download, or a port or switch disable or enable operation.
Viewing installed licenses
Use the following procedure to view all installed licenses:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the licenseShow command.
Activating a license
The transaction key is case-sensitive; it must be entered exactly as it appears in the paperpack. To lessen the chance of error, copy and paste the transaction key. The quotation marks are optional.
Use the following procedure to activate a license:
1.
Use the following procedure to add a licensed feature:
1. Connect to the switch and log in using an account with admin permissions.
2. Activate the license using the licenseAdd command.
3. Verify the license was added by entering the licenseShow command. The licensed features currently installed on the switch are listed. If the feature is not listed, enter the licenseAdd command again.
4. Enter the licenseShow command to verify the license is disabled.
switch:admin> licenseshow
bQebzbRdScRfc0iK:
Entry Fabric license
Fabric Watch license
SybbzQQ9edTzcc0X:
Fabric license
switch:admin> licenseremove "bQebzbRdScRfc0iK"
removing license key "bQebzbRdScRfc0iK"
Entering the licenseShow command after the licenseRemove command displays the remaining licenses.
Ports on Demand
TABLE 72 List of available ports when implementing PODs
Platform | Available user ports: No POD license | POD1 or POD2 present | Both POD licenses present
Brocade 300 | 0-7 | 0-15 | 0-23
Brocade 5100 | 0-23 | 0-31 | 0-39
Brocade 5300 | 0-47 | 0-63 | 0-79
Brocade 5410 | 0-11 | N/A | N/A
Brocade 5424 | 1-8 and 17-20 | POD1: 0, 9-16, and 21-23 | 0-23
Brocade 5450 | 1-10 and 19-22 | POD1: 0, 11-18, and 23-25 | 0-25
Brocade 5480 | 1-8 and 17-20 | POD1: 9-12 and 21-22; POD2: 0, 13-16, and 23 | 0-23
Brocade 65
First Ports on Demand license - additional 16 port upgrade license
SdSSc9SyRSTeXTdn:
Second Ports on Demand license - additional 16 port upgrade license
SdSSc9SyRSTuXTd3:
Full Ports on Demand license - additional 32 port upgrade license
ATTENTION
If you enable or disable an active port, you will disrupt any traffic and potentially lose data flowing on that port.
For the embedded switch modules, the Dynamic POD feature detects and assigns ports to a POD license only if the server blade is installed with an HBA present. A server blade that does not have a functioning HBA is treated as an inactive link during initial POD port assignment. For the non-server blade switches, the dynamic assignment occurs when an attached Fibre Channel link transitions to the “link active” state.
switch:admin> licenseport --method dynamic
The POD method has been changed to dynamic. Please reboot the switch now for this change to take effect.
3. Enter the reboot command to restart the switch.
switch:admin> reboot
4. Enter the licensePort --show command to verify the switch started the Dynamic POD feature.
Ports assigned to the full POD license: 0, 9, 10, 11, 12, 13, 14, 15, 16, 21, 22, 23
Reserving a port license
You can allocate licenses by reserving and releasing POD assignments to specific ports. Disabled ports are not candidates for automatic license assignment by the Dynamic POD feature. Persistently disable an otherwise viable port to prevent it from coming online, and thereby preserve a license assignment for another port.
After a port is assigned to the POD set, the port is licensed until it is manually removed from the POD port set. When a port is released from its POD port set (Base, Single, or Double), it creates a vacancy in that port set.
Use the following procedure to release a port from a POD set:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the switchDisable command to take the switch offline.
switch:admin> switchdisable
3.
Chapter 19 Inter-chassis Links
In this chapter
• Inter-chassis links
• ICLs for the Brocade DCX 8510 Backbone family
• ICLs for the Brocade DCX Backbone family
• Virtual Fabrics considerations for ICLs
• Supported topologies for ICL connections
NOTE
You cannot interconnect a Brocade DCX Backbone family chassis to a Brocade DCX 8510 Backbone family chassis.
Refer to the specific hardware reference manuals for additional information about LED status meanings and ICL connections, including instructions on how to cable ICLs.
ICLs for the Brocade DCX 8510 Backbone family
Each ICL connects the core blades of two Brocade DCX 8510 chassis and provides up to 64 Gbps of throughput within a single cable.
NOTE
Brocade recommends that you have a maximum of eight ICLs connected to the same neighboring domain, with a maximum of four ICLs from each core blade.
• The ICLs can connect to either core blade in the neighboring chassis. Unlike the copper ICLs, the QSFP ICLs do not need to be cross-connected.
• The 100-meter ICL is supported, beginning in Fabric OS 7.1.0, when using 100-meter-capable QSFPs over OM4 cable only.
FIGURE 60 DCX-4S allowed ICL connections
The following ICL connections are not allowed:
• ICL0 ports to ICL0 ports
• ICL1 ports to ICL1 ports
ICL trunking on the Brocade DCX and DCX-4S
ICL trunks form automatically, but additional licenses may be required for enabling all ICL ports or for larger ICL configurations. For more information about ICL licensing options, refer to Chapter 18, “Administering Licensing”. The ICLs are managed the same as ISL trunks.
Supported topologies for ICL connections
You can connect the Brocade Backbones in a mesh topology and a core-edge topology. A brief description of each follows. (You can also connect two DCX 8510s point-to-point.) The illustrations in this section show sample topologies. Refer to the Brocade SAN Scalability Guidelines for details about maximum topology configurations.
FIGURE 62 Full nine-mesh topology
During an ICL break in the triangular topology, the chassis that has the connections of the other two is the main chassis. Any error messages relating to a break in the topology appear in the RASlog of the main chassis. For the Brocade DCX Backbone family only: If one ICL is broken but there is a regular ISL, the triangular topology holds given that the ISL cost is lower than the total cost through the ICL linear topology.
FIGURE 63 64 Gbps ICL core-edge topology
Chapter 20 Monitoring Fabric Performance
In this chapter
• Advanced Performance Monitoring overview
• End-to-end performance monitoring
• Frame monitoring
• Top Talker monitors
• Trunk monitoring
Restrictions for installing monitors
• Advanced Performance Monitoring is not supported on VE_Ports and EX_Ports. If you issue commands for any Advanced Performance Monitoring on VE_Ports or EX_Ports, you will receive error messages.
• For the Brocade 8000, Advanced Performance Monitoring is supported only on the FC ports and not on the CEE ports.
• All monitor types are allowed only on physical ports.
Access Gateway considerations for Advanced Performance Monitoring
EE monitors and frame monitors are supported on switches in Access Gateway mode. Top Talker monitors are not supported on these switches. EE monitors must be installed on F_Ports. Frame monitors can be installed on F_Ports or N_Ports. Refer to the Access Gateway Administrator’s Guide for additional information.
End-to-end performance monitoring
Virtual Fabrics considerations: If Virtual Fabrics is enabled, the Brocade DCX, DCX-4S, DCX 8510 and 5300 models allow up to 256 end-to-end monitors on one logical switch. The Brocade 5100, 6510, 6520, and VA-40FC allow up to 341 end-to-end monitors on one logical switch.
Supported port configurations for EE monitors
You can configure EE monitors on F_Ports and, depending on the switch model, on E_Ports.
This monitor (Monitor 1) counts the frames that have an SID of 0x011200 and a DID of 0x021e00. For Monitor 1, RX_COUNT is the number of words from Host A to Dev B, and TX_COUNT is the number of words from Dev B to Host A.
The perfSetPortEEMask command sets a mask for the domain ID, area ID, and AL_PA of the SIDs and DIDs for frames transmitted from and received by the port. Figure 65 shows the mask positions in the command. A mask (“ff”) is set on slot 1, port 2 to compare the AL_PA fields on the SID and DID in all frames (transmitted and received) on port 2. The frame SID and DID must match only the AL_PA portion of the specified SID and DID pair. Each port can have only one EE mask.
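The Monitor 1 counts and the EE mask described above combine as follows. The Python model below is an added illustration, not part of this guide or of Fabric OS; it assumes a 24-bit FC address laid out as domain:area:AL_PA (one byte each) and treats a mask byte of “ff” as “compare this field” and “00” as “ignore it”. The frames are constructed for the example.

```python
# Added example (not Fabric OS code): an end-to-end monitor for the
# SID 0x011200 / DID 0x021e00 pair with a perfSetPortEEMask-style mask.
# Assumption: FC address = domain(8 bits) | area(8 bits) | AL_PA(8 bits);
# a mask byte of ff compares that field, 00 ignores it.
from dataclasses import dataclass

DOMAIN, AREA, ALPA = 0xFF0000, 0x00FF00, 0x0000FF


def ee_mask(domain: bool = True, area: bool = True, alpa: bool = True) -> int:
    """Build the 24-bit compare mask; True selects 'ff' for that byte."""
    return (DOMAIN if domain else 0) | (AREA if area else 0) | (ALPA if alpa else 0)


@dataclass
class EEMonitor:
    """Word counters for one SID/DID pair, in both directions (Monitor 1 above)."""
    sid: int                   # Host A address, e.g. 0x011200
    did: int                   # Dev B address, e.g. 0x021e00
    mask: int = 0xFFFFFF       # default: compare every byte of SID and DID
    rx_words: int = 0          # Host A -> Dev B, frames received by the port
    tx_words: int = 0          # Dev B -> Host A, frames transmitted by the port

    def _same(self, a: int, b: int) -> bool:
        return (a & self.mask) == (b & self.mask)

    def observe(self, frame_sid: int, frame_did: int, words: int) -> bool:
        """Apply the mask to the frame's SID/DID; return True if the frame was counted."""
        if self._same(frame_sid, self.sid) and self._same(frame_did, self.did):
            self.rx_words += words
            return True
        if self._same(frame_sid, self.did) and self._same(frame_did, self.sid):
            self.tx_words += words
            return True
        return False


# Constructed frames: (SID, DID, word count)
SAMPLE_FRAMES = [
    (0x011200, 0x021e00, 100),   # Host A -> Dev B
    (0x021e00, 0x011200, 40),    # Dev B -> Host A
    (0x011201, 0x021e00, 10),    # different AL_PA on the host side: never matches Monitor 1
    (0x091200, 0x0a1e00, 7),     # same area/AL_PA as Monitor 1 but different domains
]


def run_monitor(mask: int, frames=SAMPLE_FRAMES):
    """Feed the frames through a Monitor 1 instance and return (rx_words, tx_words)."""
    mon = EEMonitor(sid=0x011200, did=0x021e00, mask=mask)
    for sid, did, words in frames:
        mon.observe(sid, did, words)
    return mon.rx_words, mon.tx_words


if __name__ == "__main__":
    print("full mask        :", run_monitor(ee_mask()))
    print("domain ignored   :", run_monitor(ee_mask(domain=False)))
```

With the full mask only the exact pair is counted; dropping the domain byte from the mask also counts the fourth frame, which is the same flow as seen from another domain. A mask that ignores the area byte as well would make the two directions indistinguishable for this pair, because both addresses carry AL_PA 0x00, so choose the mask with the direction counters in mind.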
perfmonitorshow --class monitor_class [slotnumber/]portnumber [interval]
Example of displaying an end-to-end monitor on a port at 10-second intervals
switch:admin> perfMonitorShow --class EE 4/5 10
Showing EE monitors 4/5 10: Tx/Rx are # of bytes
        0         1         2         3         4
--------- --------- --------- --------- ---------
   Tx Rx     Tx Rx     Tx Rx     Tx Rx     Tx Rx
========= ========= ========= ========= =========
    0  0      0  0      0  0      0  0      0  0
  53m 4.9m  53m 4.9m  53m 4.9m  53m 4.9m  53m  0
  53m 4.4m  53m 4.4m  53m 4.4m  53m 4.4m  53m 4.
Frame monitoring
NOTE
The Advanced Performance Monitoring license is required to use the fmMonitor command. The monitoring functionality also requires the Fabric Watch license. When you configure actions and alerts through the fmMonitor command, Fabric Watch uses these values and generates alerts based on the configuration. If you do not have a Fabric Watch license, these values are ignored. Refer to the Fabric Watch Administrator’s Guide for more information about using Fabric Watch.
The value of the offset must be between 0 and 63, in decimal format. Byte 0 indicates the first byte of the Start of Frame (SOF), byte 4 is the first byte of the frame header, and byte 28 is the first byte of the payload. Thus, only the SOF, frame header, and first 36 bytes of payload can be selected as part of a filter definition. Offset 0 is a special case, which can be used to monitor the first 4 bytes of the frame (SOF).
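The offset rules above can be checked before a frame monitor is defined. The following Python code is an added illustration, not part of this guide or of Fabric OS: it classifies an offset as SOF, header or payload, rejects values outside 0 through 63, and applies an offset, bit mask and pattern to a constructed frame held as raw bytes (SOF at bytes 0 to 3, the 24-byte header at bytes 4 to 27, payload from byte 28). The match semantics (masked bytes at the offset equal the masked pattern) and the sample frame contents are assumptions for the example.

```python
# Added example (not Fabric OS code): offset validation and a byte-pattern
# matcher that follows the frame layout stated above.
# Assumptions: match means (frame[offset:] & bitmask) == (pattern & bitmask);
# at offset 0 the pattern must cover the 4 SOF bytes.
from typing import Optional

SOF_LEN = 4
HEADER_START = 4       # byte 4 is the first byte of the frame header
PAYLOAD_START = 28     # byte 28 is the first byte of the payload
MAX_OFFSET = 63        # offsets 28-63 reach only the first 36 payload bytes


def offset_region(offset: int) -> str:
    """Classify a decimal offset as 'SOF', 'header' or 'payload', or reject it."""
    if not 0 <= offset <= MAX_OFFSET:
        raise ValueError(f"offset must be between 0 and {MAX_OFFSET}, got {offset}")
    if offset < HEADER_START:
        return "SOF"
    if offset < PAYLOAD_START:
        return "header"
    return "payload"


def frame_matches(frame: bytes, offset: int, pattern: bytes,
                  bitmask: Optional[bytes] = None) -> bool:
    """True if the masked bytes of `frame` at `offset` equal the masked `pattern`."""
    offset_region(offset)                      # validates the offset range
    if offset == 0 and len(pattern) != SOF_LEN:
        raise ValueError("offset 0 monitors the 4 SOF bytes; pattern must be 4 bytes")
    if bitmask is None:
        bitmask = b"\xff" * len(pattern)       # compare every bit by default
    if len(bitmask) != len(pattern):
        raise ValueError("bitmask and pattern must have the same length")
    window = frame[offset:offset + len(pattern)]
    if len(window) < len(pattern):
        return False                           # frame too short to contain the field
    return all((w & m) == (p & m) for w, m, p in zip(window, bitmask, pattern))


# Constructed sample frame (values chosen for the example, not captured traffic):
# SOF bytes, then a 24-byte header with R_CTL 0x06, D_ID 0x021e00, CS_CTL 0x00,
# S_ID 0x011200, TYPE 0x08, then 40 bytes of payload.
SAMPLE_SOF = bytes.fromhex("bcb55656")
SAMPLE_HEADER = (
    bytes([0x06]) + (0x021e00).to_bytes(3, "big")     # R_CTL, D_ID
    + bytes([0x00]) + (0x011200).to_bytes(3, "big")   # CS_CTL, S_ID
    + bytes([0x08, 0x29, 0x00, 0x00])                 # TYPE, F_CTL
    + bytes([0x00, 0x00, 0x00, 0x01])                 # SEQ_ID, DF_CTL, SEQ_CNT
    + bytes([0x12, 0x34, 0xff, 0xff])                 # OX_ID, RX_ID
    + bytes(4)                                        # PARAMETER
)
SAMPLE_FRAME = SAMPLE_SOF + SAMPLE_HEADER + bytes(range(40))

if __name__ == "__main__":
    for off in (0, 4, 12, 28, 63):
        print(off, offset_region(off))
    print("TYPE byte is 0x08:", frame_matches(SAMPLE_FRAME, 12, b"\x08"))
```

Absolute offsets follow from the layout: the header's TYPE byte (header byte 8) is frame offset 12, D_ID occupies offsets 5 to 7 and S_ID offsets 9 to 11, which is how the calls in the test below are derived.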
Adding frame monitors to a port
If the switch does not have enough resources to add a frame monitor to a port, then other frame monitors on that port may have to be deleted to free resources.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the fmMonitor --addmonitor command to add a frame monitor to one or more ports.
Example
The following example displays the existing frame types and associated bit patterns on the switch.
Top Talker monitors
Top Talker monitors determine the flows (SID and DID pairs) that are the major users of bandwidth (after initial stabilization). Top Talker monitors measure bandwidth usage data in real time and relative to the port on which the monitor is installed.
NOTE
Initial stabilization is the time taken by a flow to reach the maximum bandwidth. This time varies depending on the number of flows in the fabric and other factors.
How do Top Talker monitors differ from EE monitors?
EE monitors provide counter statistics for traffic flowing between a given SID and DID pair. Top Talker monitors identify all possible SID and DID flow combinations that are possible on a given port and provide a sorted output of the top talking flows.
FIGURE 66 Fabric mode Top Talker monitors on FC router do not monitor any flows
FIGURE 67 Fabric mode Top Talker monitors on FC router monitor flows over the E_Port
Limitations of Top Talker monitors
Be aware of the following when using Top Talker monitors:
• Top Talker monitors cannot detect transient surges in traffic through a given flow.
Adding a Top Talker monitor to a port (port mode)
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the perfTTmon --add command.
perfttmon --add [egress | ingress] [slotnumber/]port
The following example monitors the incoming traffic on port 7.
perfttmon --add ingress 7
The following example monitors the outgoing traffic on slot 2, port 4 on a Backbone.
The output is sorted based on the data rate of each flow. If you do not specify the number of flows to display, then the command displays the top 8 flows or the total number of flows, whichever is less.
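The ranking rule above (sort flows by data rate, show the top 8 or all flows, whichever is less, relative to one port and direction) is small enough to model. The Python code below is an added illustration, not part of this guide or of Fabric OS; the frame records it aggregates are constructed for the example and carry the port crossed, the direction on that port, the SID/DID pair and the byte count for the sampling interval.

```python
# Added example (not Fabric OS code): port-mode Top Talker ranking.
# Assumption: input records are (port, direction, sid, did, byte_count)
# observed during one sampling interval of interval_s seconds.
from collections import defaultdict

DEFAULT_TOP_N = 8   # top 8 flows or the total number of flows, whichever is less


def top_talkers(records, port: int, direction: str = "ingress",
                interval_s: float = 1.0, top_n=None):
    """Return [((sid, did), bytes_per_second), ...] for `port`, highest rate first.

    Only records that crossed `port` in `direction` count, mirroring
    perfttmon --add [egress | ingress] port. Ties are broken by address
    so the output is stable.
    """
    if direction not in ("ingress", "egress"):
        raise ValueError("direction must be 'ingress' or 'egress'")
    if interval_s <= 0:
        raise ValueError("interval_s must be positive")
    totals = defaultdict(int)
    for rec_port, rec_dir, sid, did, nbytes in records:
        if rec_port == port and rec_dir == direction:
            totals[(sid, did)] += nbytes
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    limit = DEFAULT_TOP_N if top_n is None else top_n
    return [(flow, total / interval_s) for flow, total in ranked[:limit]]


def fmt_flow(flow) -> str:
    """Render an (sid, did) pair in the 0xDDAAPP form used by the switch output."""
    sid, did = flow
    return f"0x{sid:06x} -> 0x{did:06x}"


# Constructed sample: ten ingress flows on port 7 with increasing volume, one of
# them split over two records, plus traffic that the port-7 ingress monitor ignores.
SAMPLE_RECORDS = [(7, "ingress", 0x010100 + i, 0x020200, (i + 1) * 1000) for i in range(10)]
SAMPLE_RECORDS += [
    (7, "ingress", 0x010109, 0x020200, 500),   # second sample of the busiest flow
    (7, "egress", 0x020200, 0x010100, 9000),   # other direction on the same port
    (4, "ingress", 0x010100, 0x020200, 99999), # different port
]

if __name__ == "__main__":
    for flow, rate in top_talkers(SAMPLE_RECORDS, port=7, interval_s=10.0):
        print(f"{fmt_flow(flow)}  {rate:10.1f} B/s")
```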
Deleting all fabric mode Top Talker monitors
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the perfTTmon --delete fabricmode command.
perfttmon --delete fabricmode
All Top Talker monitors are deleted.
Trunk monitoring
To monitor E_Port (ISL) and F_Port trunks, you can set monitors only on the master port of the trunk. If the master changes, the monitor automatically moves to the new master port.
Performance data collection
1. Connect to the switch and log in using an account with admin permissions.
2. Enter one of the following commands, depending on the action you want to perform:
• To save the current EE monitor and frame monitor configuration settings into nonvolatile memory, use the perfCfgSave command.
switch:admin> perfcfgsave
This will overwrite previously saved Performance Monitoring settings in FLASH.
Do you want to continue? (yes, y, no, n): [no] y
Please wait ...
Chapter 21 Optimizing Fabric Behavior
In this chapter
• Adaptive Networking overview
• Ingress Rate Limiting
• QoS: SID/DID traffic prioritization
• CS_CTL-based frame prioritization
• QoS zone-based traffic prioritization
• Ingress Rate Limiting
Ingress Rate Limiting restricts the speed of traffic from a particular device to the switch port. Ingress Rate Limiting requires an Adaptive Networking license. See “Ingress Rate Limiting” on page 518 for more information about this feature.
• Quality of Service (QoS) SID/DID Traffic Prioritization
SID/DID traffic prioritization allows you to categorize the traffic flow between a host and target as having a high or low priority.
Virtual Fabrics considerations
If Virtual Fabrics is enabled, the rate limit configuration on a port is on a per-logical switch basis. That is, if a port is configured to have a certain rate limit value, and the port is then moved to a different logical switch, it would have no rate limit applied to it in the new logical switch. If that same port is moved back to the original logical switch, it would have the original rate limit take effect again.
QoS: SID/DID traffic prioritization
Table 76 shows a basic comparison between CS_CTL-based and QoS zone-based prioritization. See “CS_CTL-based frame prioritization” on page 521 and “QoS zone-based traffic prioritization” on page 523 for detailed information about each type of prioritization scheme.
TABLE 76 Comparison between CS_CTL-based and QoS zone-based prioritization
CS_CTL-based frame prioritization | QoS zone-based traffic prioritization
Requires Adaptive Networking license.
CS_CTL-based frame prioritization
CS_CTL-based frame prioritization allows you to prioritize the frames between a host and target as having high, medium, or low priority, depending on the value of the CS_CTL field in the FC frame header. The CS_CTL field in the FC header can be used to assign a priority to a frame.
NOTE
If a switch is running a firmware version earlier than Fabric OS v6.0.0, the outgoing frames from that switch lose their priority.
High-availability considerations for CS_CTL-based frame prioritization
If the standby CP is running a Fabric OS version earlier than 6.3.0 and is synchronized with the active CP, then you cannot enable CS_CTL-based frame prioritization on the active CP.
Set CSCTL QoS Mode to 1 to enable auto mode, establishing the settings shown in Table 78 on page 521. Set CSCTL QoS Mode to 0 to disable auto mode and revert to default settings, shown in Table 77 on page 521.
NOTE
As noted previously, this is a chassis-level configuration. It does not provide options to enable CS_CTL QoS on the ports.
QoS zone-based traffic prioritization
To preserve existing trunk groups, before you install the Adaptive Networking license, manually disable QoS on these ports, as described in “Manually disabling QoS on trunked ports” on page 524.
Manually disabling QoS on trunked ports
NOTE
QoS is disabled by default on long-distance 8-Gbps and 16-Gbps ports. The following procedure does not apply to these ports.
1. Connect to the switch and log in using an account with admin permissions.
2.
switch:admin> portcfgshow
(output truncated)
Ports of Slot 0     16  17  18  19  20  21  22  23  24  25  26  27  28  29  30  31
-----------------+---+---+---+---+-----+---+---+---+-----+---+---+---+-----+---+---+---
Speed             AN  AN  AN  AN  AN  AN  AN  AN  AN  AN  AN  AN  AN  AN  AN  AN
Fill Word          0   0   0   0   0   0   0   0   0   0   0   0   0   0   0   0
AL_PA Offset 13   ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..
Trunk Port        ON  ON  ON  ON  ON  ON  ON  ON  ON  ON  ON  ON  ON  ON  ON  ON
Long Distance     ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..
VC Link Init      ..  ..  ..
QoS zones
The switch automatically sets the priority for the “host,target” pairs specified in the zones according to the priority level (H or L) in the zone name. The flow ID gives you control over the VC assignment and over balancing the flows throughout the fabric. The ID range is 1–5 for high-priority traffic, which corresponds to VCs 10–14. For low-priority traffic, the ID range is 1–2, which corresponds to VCs 8 and 9.
NOTE
By default, QoS is enabled on 8-Gbps ports, except for long-distance 8-Gbps ports. QoS is disabled by default on all 4-Gbps ports and on long-distance 8-Gbps ports.
The following are requirements for establishing QoS over FCRs:
• QoS over FC routers is supported in Brocade native mode only. It is not supported in interopmode 2 or interopmode 3.
• QoS over FC routers is supported for the following configurations:
- Edge-to-edge fabric configuration: supported on all platforms.
- Backbone-to-edge fabric configuration: supported on 16-Gbps-capable platforms only (Brocade 6510, 6520, and Brocade DCX 8510 family), and only if no other platforms are used.
FIGURE 70 Traffic prioritization in a logical fabric (diagram: Domains 1 through 10 across Chassis 1 and Chassis 2, with logical switches LS1 to LS4 in FID1 and FID3, base switches, the high-priority flow H1 to S1, and the E_Ports with QoS enabled)
Supported configurations for QoS zone-based traffic prioritization
The following configuration rules apply to QoS zone-based traffic prioritization:
• All
• Traffic prioritization is enforced on the egress ports only, not on the ingress ports.
• Traffic prioritization is not supported on 10-Gbps ISLs.
• Traffic prioritization is not supported on mirrored ports.
• Traffic prioritization is not supported over LSAN zones. The traffic is always medium priority in the ingress edge fabric, the backbone fabric, and the egress edge fabric.
Setting QoS zone-based traffic prioritization
The portCfgQos command does not affect QoS prioritization. It only enables or disables the link to pass QoS priority traffic.
NOTE
QoS is enabled by default on all ports (except long-distance ports). If you use the portCfgQos command to enable QoS on a specific port, the port is toggled to apply this configuration, even though the port already has QoS enabled.
Setting QoS zone-based traffic prioritization over FC routers
1. Connect to the switch in the edge fabric and log in using an account with admin permissions.
2. Create QoS zones in the edge fabric. The QoS zones must have WWN members only, and not D,I members. See “Setting QoS zone-based traffic prioritization” on page 530 for instructions.
3. Create LSAN zones in the edge fabric.
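As an added example (not code from the guide or from Fabric OS), a small Python checker for the two QoS-zone rules stated in this section and in the “QoS zones” description: the H or L letter and the flow ID in the zone name select the Virtual Channel, and QoS zones that cross FC routers must contain WWN members only, never D,I members. The QOSH_/QOSL_ prefix with the flow-ID digit before the underscore is assumed from the Fabric OS naming convention; the page describes the letter and the ID but does not print the prefix.

```python
"""QoS zone-name and member checks for QoS over FC routers (added example)."""
import re

# Zone-name conventions. The guide says the name carries the priority letter
# (H or L) and an optional flow id; the exact QOSH_/QOSL_ prefix with the id
# digit before the underscore is assumed here (Fabric OS convention), not
# text quoted from the page.
QOS_ZONE_RE = re.compile(r"^QOS([HL])([0-9]?)_(.+)$", re.IGNORECASE)
LSAN_PREFIX = "LSAN_"          # LSAN zones may not be combined with QoS zones

# Flow id ranges and the Virtual Channels they map to (from the guide):
# high-priority ids 1-5 -> VCs 10-14, low-priority ids 1-2 -> VCs 8 and 9.
FLOW_ID_RANGE = {"H": range(1, 6), "L": range(1, 3)}
VC_BASE = {"H": 9, "L": 7}     # VC = base + flow id

# Member syntaxes: a WWN is eight colon-separated hex octets; a D,I member is
# "domain,index". QoS zones used over FC routers must contain WWNs only.
WWN_RE = re.compile(r"^([0-9a-f]{2}:){7}[0-9a-f]{2}$", re.IGNORECASE)
DI_MEMBER_RE = re.compile(r"^\d{1,3},\d{1,3}$")


def parse_qos_zone_name(name):
    """Return (priority, flow_id, vc) for a QoS zone name, or None if it is not one.

    flow_id and vc are None when the name carries no explicit id; in that
    case the switch picks the VC. An id outside the allowed range raises.
    """
    match = QOS_ZONE_RE.match(name)
    if match is None:
        return None
    priority = match.group(1).upper()
    if not match.group(2):
        return priority, None, None
    flow_id = int(match.group(2))
    if flow_id not in FLOW_ID_RANGE[priority]:
        raise ValueError(f"flow id {flow_id} out of range for QOS{priority} zone {name}")
    return priority, flow_id, VC_BASE[priority] + flow_id


def validate_fcr_qos_zone(name, members):
    """Check a zone intended for QoS zone-based prioritization over FC routers.

    Returns a list of problems; an empty list means the zone is acceptable:
    it is a QoS zone, not an LSAN zone, and every member is a WWN rather
    than a D,I pair.
    """
    problems = []
    if name.upper().startswith(LSAN_PREFIX):
        problems.append("LSAN zones may not be combined with QoS zones")
    try:
        qos = parse_qos_zone_name(name)
    except ValueError as exc:
        return [str(exc)]
    if qos is None and not problems:
        problems.append("zone name carries no QoS priority prefix")
    for member in members:
        if DI_MEMBER_RE.match(member):
            problems.append(f"D,I member {member} not allowed in a QoS zone over FC routers")
        elif not WWN_RE.match(member):
            problems.append(f"member {member} is not a WWN")
    return problems


if __name__ == "__main__":
    # Constructed sample zones: the two WWNs are the ones the guide uses in its
    # own LSAN example; the D,I member "1,5" is made up for illustration.
    host = "10:00:00:00:c9:2b:c9:0c"
    target = "50:05:07:61:00:5b:62:ed"
    for zone, members in [
        ("QOSH3_host_target", [host, target]),   # high priority, flow id 3 -> VC 12
        ("QOSL_backup", [host, "1,5"]),          # D,I member is rejected for FCR use
        ("lsan_zone_fabric75", [host, target]),  # LSAN zone, not a QoS zone
    ]:
        print(zone, parse_qos_zone_name(zone), validate_fcr_qos_zone(zone, members))
```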
Chapter 22 Managing Trunking Connections
In this chapter
• Trunking overview
• Supported configurations for trunking
• Supported platforms for trunking
• Requirements for trunk groups
• Recommendations for trunk groups
Trunking overview
Types of trunking
Trunking can be between two switches, between a switch and an Access Gateway module, or between a switch and a Brocade adapter. The types of trunking are as follows:
• ISL trunking, or E_Port trunking, is configured on an inter-switch link (ISL) between two Fabric OS switches and is applicable only to E_Ports.
• ICL trunking is configured on an inter-chassis link (ICL) between two Backbones and is applicable only to ports on the core blades.
License requirements for trunking
All types of trunking require the Trunking license. This license must be installed on each switch that participates in trunking.
ATTENTION
After you add the Trunking license, to enable trunking functionality, you must disable and then re-enable each port to be used in trunking, or disable and re-enable the switch.
Trunks operate best when the cable length of each trunked link is roughly equal to the length of the others in the trunk. For optimal performance, a difference of no more than 30 meters is recommended. Trunks are compatible with both short-wavelength (SWL) and long-wavelength (LWL) fiber-optic cables and transceivers. Trunking is performed according to the Quality of Service (QoS) configuration on the master and the slave ports.
Recommendations for trunk groups
To identify the most useful trunk groups, consider the following recommendations along with the standard guidelines for SAN design:
• Evaluate the traffic patterns within the fabric.
• Place trunking-capable switches adjacent to each other. This maximizes the number of trunk groups that can form.
Configuring trunk groups
After you install the Trunking license, you must re-initialize the ports that are to be used in trunk groups so that they recognize that trunking is enabled. This procedure needs to be performed only once, and is required for all types of trunking. To re-initialize the ports, you can either disable and then re-enable the switch, or disable and then re-enable the affected ports.
1.
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the portCfgTrunkPort command to disable trunking on a port. Enter the switchCfgTrunk command to disable trunking on all ports on the switch. Mode 1 enables and mode 0 disables trunking.
switch:admin> switchcfgtrunk 0
Displaying trunking information
You can use the trunkShow command to view the following information:
• All the trunks and members of a trunk.
  Rx: Bandwidth 16.00Gbps, Throughput 1.67Gbps (12.12%)
  Tx+Rx: Bandwidth 32.00Gbps, Throughput 3.33Gbps (12.12%)
3: 10-> 10 10:00:00:05:1e:81:56:8b 1 deskew 15 MASTER
   11-> 11 10:00:00:05:1e:81:56:8b 1 deskew 15
  Tx: Bandwidth 4.00Gbps, Throughput 1.66Gbps (48.45%)
  Rx: Bandwidth 4.00Gbps, Throughput 1.67Gbps (48.48%)
  Tx+Rx: Bandwidth 8.00Gbps, Throughput 3.33Gbps (48.
For additional information on configuring long distance, see “Configuring an extended ISL” on page 553. Table 79 summarizes support for trunking over long distance for the Backbones and supported blades.
EX_Port trunking
Masterless EX_Port trunking
EX_Port trunking is masterless except for EX_Ports on Backbones. For the Backbones, Virtual Fabrics must be enabled for masterless EX_Port trunking to take effect. For the fixed-port switches, Virtual Fabrics can be enabled or disabled. If masterless EX_Port trunking is not in effect and the master port goes offline, the entire EX_Port-based trunk re-forms and is taken offline for a short period of time.
The following is an example of a master EX_Port and a slave EX_Port displayed in switchShow.
F_Port trunking
FIGURE 72 Switch in Access Gateway mode without F_Port masterless trunking
FIGURE 73 Switch in Access Gateway mode with F_Port masterless trunking
NOTE
You do not need to map the host to the master port manually, because the Access Gateway will perform a cold failover to the master port.
See “Configuring F_Port trunking for an Access Gateway” on page 544 for instructions on configuring F_Port trunking.
Use the following procedure on the edge switch connected to the Access Gateway module to configure F_Port trunking.
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the portCfgShow command to ensure that the ports have trunking enabled. If trunking is not enabled, enter the portCfgTrunkPort port 1 command.
3. Enter the portDisable command for each port to be included in the TA.
4. Enter the portTrunkArea --enable command to enable the trunk area.
c. Enable the trunk on the ports by using the portTrunkArea command.
switch:admin> porttrunkarea --enable 3/40-41 -index 296
Trunk index 296 enabled for ports 3/40 and 3/41.
2. On the host side, enable trunking as described in the Brocade Adapters Administrator’s Guide.
3. On the switch side, enable the ports by using the portEnable command.
TABLE 80 F_Port masterless trunking considerations (Continued)
Category | Description
DCC Policy | DCC policy enforcement for the F_Port trunk is based on the Trunk Area; the FDISC requests to a trunk port are accepted only if the WWN of the attached device is part of the DCC policy against the TA. The PWWN of the FLOGI sent from the AG will be dynamic for the F_Port trunk master.
TABLE 80 F_Port masterless trunking considerations (Continued)
Category | Description
Trunk Master | No more than one trunk master is allowed in a trunk group. The second trunk master will be persistently disabled with the reason "Area has been acquired".
Upgrade | There are no limitations on upgrading to Fabric OS v7.0.0 and later if the F_Port is present on the switch. Upgrading is not disruptive.
Table 81 describes the PWWN format for F_Port and N_Port trunk ports.
• If F_Port trunking is enabled on some ports in the default switch, and you disable Virtual Fabrics, all of the F_Port trunking information is lost.
• All of the ports in an F_Port trunk must belong to a single trunk group of ports on the platform and must also belong to the same logical switch. See Chapter 10, “Managing Virtual Fabrics,” for detailed information about Virtual Fabrics.
switch:admin> portdisable 0-2
switch:admin> porttrunkarea --disable 0-2
Trunk index 2 disabled for ports 0, 1, and 2.
Enabling the DCC policy on a trunk area
After you assign a trunk area, the portTrunkArea command checks whether any active DCC policies exist on the port whose index equals the TA, and then issues a warning to add all the device WWNs to the existing DCC policy that has the TA as its index.
Chapter 23 Managing Long-Distance Fabrics
In this chapter
• Long-distance fabrics overview
• Extended Fabrics device limitations
• Long-distance link modes
• Configuring an extended ISL
• Buffer credit management
• Optimized switch buffering
When Extended Fabrics is installed on gateway switches (with E_Port connectivity from one switch to another), the ISLs (E_Ports) are configured with a large pool of buffer credits. The enhanced switch buffers help ensure that data transfer can occur at near-full bandwidth, so that the connection over the extended links is used efficiently. This efficiency ensures the highest possible performance on ISLs.
• Dynamic Mode (LD) — LD calculates buffer credits based on the distance measured during port initialization. Brocade switches use a proprietary algorithm to estimate distance across an ISL. The estimated distance is used to determine the buffer credits required in LD (dynamic) extended link mode based on a maximum Fibre Channel payload size of 2,112 bytes. You can place an upper limit on the calculation by providing a desired_distance value.
portcfglongdistance [slot/]port [distance_level] [vc_translation_link_init] [-distance desired_distance]
6. Repeat step 4 and step 5 for the remote extended ISL port. Both the local and remote extended ISL ports must be configured to the same distance_level. When the connection is initiated, the fabric will reconfigure.
Example
The following example configures slot 1, port 2 to support a 100-km link in LS mode and to use the extended link initialization sequence.
1. Connect to the switch and log in using an account assigned to the admin role.
2. Disable QoS.
switch:admin> portcfgqos --disable [slot/]port
If you do not disable QoS, ARB fill words are displayed after the second or third Link Reset (LR).
3. Disable buffer credit recovery; buffer credit recovery is not compatible with the IDLE mode. If you do not disable buffer credit recovery, it continues to perform link resets.
switch:admin> portcfgcreditrecovery --disable [slot/]port
4.
Buffer credit management
Buffer-to-buffer flow control is flow control between adjacent ports in the I/O path, for example, transmission control over individual network links. A separate, independent pool of credits is used to manage buffer-to-buffer flow control. A sending port uses its available credit supply and waits to have the credits replenished by the port on the opposite end of the link.
Smaller frame sizes need more buffer credits. Two commands are available to help you determine whether you need to allocate more buffer credits to handle the average frame size. The portBufferShow command calculates the average frame size. The portBufferCalc command uses the average frame size with the speed and link distance to determine the number of buffer credits needed.
TABLE 82 Fibre Channel data frames
Fibre Channel frame fields | Field size
Start of frame | 4 bytes | 32 bits
Standard frame header | 24 bytes | 192 bits
Data (payload) | 0–2,112 bytes | 0–16,896 bits
CRC | 4 bytes | 32 bits
End of frame | 4 bytes | 32 bits
Total (number bits/frame) | 36–2,148 bytes | 288–17,184 bits
Allocating buffer credits based on full-sized frames
You can allocate buffer credits based on distance using the portCfgLongDistance command.
• If QoS is not enabled:
(Reserved Buffer for Distance Y) = (X * LinkSpeed / 2) + 6
where
X = the distance determined in step 1 (in km).
LinkSpeed = the speed of the link determined in step 2.
6 = the number of buffer credits reserved for fabric services, multicast, and broadcast traffic. This number is static.
14 = the number of buffer credits reserved for QoS. This number is static.
With the answers provided in steps 1 and 2, insert the numbers into the appropriate formula.
• 8 — the number of reserved buffer credits already allocated to that port.
The floor of the resulting number is taken because fractions of a port are not allowed.
If you have a distance of 50 km at 1 Gbps, then 484 / (31 – 8) = 21 ports
Allocating buffer credits based on average-size frames
In cases where the frame size is average, for example 1024 bytes, you must allocate twice the buffer credits or configure twice the distance in the long-distance LS configuration mode.
Configuring buffers for a single port directly
To configure the number of buffers directly, use the -buffers option of the portCfgLongDistance command. Fabric OS uses this value to calculate the total number of buffers according to the following formula:
Total Buffers = Configured Buffers + QOS_VC_Credits + Non-data_VC_Credits
Seven Virtual Channels (VCs) are required for each QoS port. Each VC requires two buffers.
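As an added example that is not the guide's own code, the buffer-credit arithmetic from the preceding pages in Python: the full-size-frame reservation for a given distance and link speed, the number of ports in a port group that the unreserved pool can support (the guide's 50 km at 1 Gbps case, 484 / (31 – 8) = 21 ports), and the total derived from a directly configured buffer count. Treating the 14 static QoS credits as an additive term when QoS is enabled, rounding a fractional distance term up, and taking the non-data VC credits as a caller-supplied value are this example's assumptions.

```python
"""Buffer-credit arithmetic for Extended Fabrics links (added example)."""
import math

# Static values stated in the guide's formulas.
FABRIC_SERVICES_CREDITS = 6       # fabric services, multicast and broadcast traffic
QOS_VIRTUAL_CHANNELS = 7          # seven VCs per QoS port
BUFFERS_PER_VC = 2                # each VC requires two buffers
QOS_VC_CREDITS = QOS_VIRTUAL_CHANNELS * BUFFERS_PER_VC  # 14, the static QoS reservation
PORT_BASE_CREDITS = 8             # credits already allocated to every port


def reserved_buffers(distance_km, link_speed_gbps, qos_enabled=False):
    """Buffers to reserve for a long-distance link carrying full-size frames.

    Guide formula with QoS disabled: (X * LinkSpeed / 2) + 6, where X is the
    distance in km. With QoS enabled this example adds the 14 static QoS
    credits the guide lists next to the formula (an additive reading, assumed
    here). A fractional distance term is rounded up: a credit cannot be split.
    """
    if distance_km <= 0 or link_speed_gbps <= 0:
        raise ValueError("distance and link speed must be positive")
    distance_term = math.ceil(distance_km * link_speed_gbps / 2)
    total = distance_term + FABRIC_SERVICES_CREDITS
    if qos_enabled:
        total += QOS_VC_CREDITS
    return total


def ports_supported_in_group(unreserved_group_credits, per_port_reservation):
    """Ports of one port group that can run at a given reservation.

    Each port already owns PORT_BASE_CREDITS, so only the excess is drawn from
    the group's unreserved pool; the result is floored because fractions of a
    port are not allowed. Guide example: 484 / (31 - 8) = 21 ports.
    """
    extra_per_port = per_port_reservation - PORT_BASE_CREDITS
    if extra_per_port <= 0:
        raise ValueError("reservation must exceed the per-port base credits")
    return unreserved_group_credits // extra_per_port


def total_buffers_direct(configured_buffers, qos_enabled, non_data_vc_credits):
    """Total Fabric OS derives from the portCfgLongDistance -buffers value.

    Total Buffers = Configured Buffers + QOS_VC_Credits + Non-data_VC_Credits.
    The non-data VC credit count is not given on these pages, so the caller
    supplies it.
    """
    if configured_buffers < 0 or non_data_vc_credits < 0:
        raise ValueError("buffer counts cannot be negative")
    qos = QOS_VC_CREDITS if qos_enabled else 0
    return configured_buffers + qos + non_data_vc_credits


def plan_long_distance_group(distance_km, link_speed_gbps, unreserved_group_credits,
                             qos_enabled=False):
    """Combine the two steps: per-port reservation, then ports the group can support."""
    per_port = reserved_buffers(distance_km, link_speed_gbps, qos_enabled)
    return per_port, ports_supported_in_group(unreserved_group_credits, per_port)


if __name__ == "__main__":
    # The guide's worked case: 50 km at 1 Gbps with 484 unreserved credits.
    per_port, ports = plan_long_distance_group(50, 1, 484)
    print(f"50 km @ 1 Gbps: {per_port} credits per port, {ports} ports in the group")
    # The same link with QoS enabled needs 14 more credits per port.
    per_port_qos, ports_qos = plan_long_distance_group(50, 1, 484, qos_enabled=True)
    print(f"with QoS: {per_port_qos} credits per port, {ports_qos} ports in the group")
```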
To determine the number of buffers required, perform the following steps:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the portBufferCalc command and provide values for the distance, port speed, and frame size.
Example
The following example calculates the number of buffers required for an 8-Gbps port on a 100-km link with an average frame size of 512 bytes.
switch:admin> portbuffershow 17
User   Port  Lx    Max/Resv  Avg Buffer Usage & FrameSize  Buffer  Needed   Link      Remaining
Port   Type  Mode  Buffers   Tx             Rx             Usage   Buffers  Distance  Buffers
-----  ----  ----  --------  -------------  -------------  ------  -------  --------  ---------
 64                   8      - ( - )        - ( - )         0
 65                   8      - ( - )        - ( - )         0
 66                   8      - ( - )        - ( - )         0
 67                   8      - ( - )        - ( - )         0
 68    E     LS     806      197(2012)      201(2044)       206     206      100km
 69    E             8       1(2016)        1(2020)         26      26       2km
 70    E             8       1(2012)        1(2036)         26      26       2km
 71    E             8       1(2008)        2(
TABLE 83 Total FC ports, ports per port group, and unreserved buffer credits per port group
Switch/blade model | Total FC ports (per switch/blade) | User port group size | Unreserved buffer credits per port group
FC8-32 | 32 | 16 | 1292/508
FC8-32E | 32 | 16 | 5456
FC8-48 | 48 | 24 | 1228/716
FC8-48E | 48 | 24 | 5008
FC8-64 | *** Extended Fabrics is not supported on this blade ***
FC16-32 | 32 | 16 | 5456
FC16-48 | 48 | 24 | 5008
FS8-18 | 16 | 8 | 1604
FX8-24 | 12 | 12 | 1060
For the FC8-x port
TABLE 84 Configurable distances for Extended Fabrics (Continued)
Maximum distances (km) that can be configured (assuming a 2112-byte frame size)
Switch/blade model | 2 Gbps | 4 Gbps | 8 Gbps | 10 Gbps | 16 Gbps
FC8-32 | 1294 | 647 | 323 | N/A | N/A
FC8-32E | 5190 | 2595 | 1297 | 1038 | 648
FC8-48 | 1230 | 615 | 307 | N/A | N/A
FC8-48E | 4486 | 2243 | 1121 | 897 | 560
FC8-64 | *** Extended Fabrics is not supported on this blade ***
FC16-32 | 5190 | 2595 | 1297 | 1038 | 648
FC16-48 | 4486 | 2243 | 1121
Buffer credit recovery
Buffer credit recovery (CR) allows links to recover after buffer credits are lost when the buffer credit recovery logic is enabled. The buffer credit recovery feature also maintains performance. If a credit is lost, a recovery attempt is initiated. During link reset, the frame and credit loss counters are reset without performance degradation. This feature is supported on E_Ports, F_Ports, and EX_Ports.
For an F_Port on a Brocade switch or Access Gateway connected to an adapter, the following conditions must be met:
• The Brocade switch or Access Gateway must run Fabric OS v7.1 or later.
• Fabric OS must support buffer credit recovery at both ends of the link.
• The adapter must be running HBA v3.2 firmware or later.
• The adapter must operate at maximum speed.
• The flow-control mode must be R_RDY.
The following example enables buffer credit recovery on port 1/20.
switch:admin> portcfgcreditrecovery 1/20 -enable
Forward error correction on long-distance links
Forward error correction (FEC) on user ports is supported for LD and LS long-distance modes. Use the portCfgLongDistance command with the -fecEnable or -fecDisable options to enable or disable FEC, respectively, on a user port.
Chapter 24 Using FC-FC Routing to Connect Fabrics
In this chapter
• FC-FC routing overview
• Fibre Channel routing concepts
• Setting up FC-FC routing
• Backbone fabric IDs
FC-FC routing overview
A Fibre Channel router (FC router) is a switch running the FC-FC routing service. A switch running the FC-FC routing service can simultaneously act as an FC router and as a SAN extension over wide area networks (WANs) using FCIP. You can set up QoS traffic prioritization over FC routers. Refer to “QoS: SID/DID traffic prioritization” on page 519 for information about QoS and instructions for setting traffic prioritization over an FC router.
• The Backbones have a limit of 128 EX_Ports for each chassis.
Refer to the Network OS Administrator’s Guide for supported Network OS platforms.
Supported configurations for FC-FC routing
FC-FC routing supports the following configurations:
• FC router connected to a Fabric OS nonsecured edge fabric.
• FC router connected to a Fabric OS secured edge fabric.
• FC router connected to a Brocade Network OS edge fabric (Network OS v2.1.1 or later).
Fibre Channel routing concepts
Fibre Channel routing introduces the following concepts:
• Fibre Channel router (FC router)
A switch running the FC-FC routing service. Refer to “Supported platforms for FC-FC routing” on page 570 for a list of platforms that can be FC routers.
• Logical SANs (LSANs)
An LSAN is defined by zones in two or more edge or backbone fabrics that contain the same devices. You can create LSANs that span fabrics. These LSANs enable Fibre Channel zones to cross physical SAN boundaries without merging the fabrics while maintaining the access controls of zones. An LSAN device can be a physical device, meaning that it physically exists in the fabric, or it can be a proxy device.
• Fabric ID (FID)
Every EX_Port and VEX_Port uses the fabric ID (FID) to identify the fabric at the opposite end of the inter-fabric link. The FID for every edge fabric must be unique from the perspective of each backbone fabric.
- If multiple EX_Ports (or multiple VEX_Ports) are attached to the same edge fabric, they must be configured with the same FID.
FIGURE 76 Edge SANs connected through a backbone fabric (diagram: two FC routers joined by an ISL in the backbone fabric, each with an EX_Port connected over an IFL to an E_Port in Edge SAN 1 and Edge SAN 2; the LSAN spans both edge SANs)
• Phantom domains
A phantom domain is a domain emulated by the Fibre Channel router. The FC router can emulate two types of phantom domains: front phantom domains and translate phantom domains. For detailed information about phantom domains, refer to “Phantom domains” on page 577.
FIGURE 77 MetaSAN with imported devices (diagram: Host and Target in Fabric 1 and Fabric 2, each fabric also showing the other's device as an imported proxy; the fabrics' E_Ports connect over IFLs to EX_Ports on the FC router)
FC-FC routing topologies
The FC-FC routing service provides two types of routing:
• Edge-to-edge
Occurs when devices in one edge fabric communicate with devices in another edge fabric through one or more FC routers.
Phantom domains
A phantom domain is a domain created by the Fibre Channel router. The FC router creates two types of phantom domains: front phantom domains and translate phantom domains.
A front phantom domain, or front domain, is a domain that is projected from the FC router to the edge fabric. There is one front phantom domain from each FC router to an edge fabric, regardless of the number of EX_Ports connected from that router to the edge fabric.
FIGURE 79 EX_Port phantom switch topology (diagram: Host 1 in Fabric 1 sees Front domain 1 (FC router 1) and Front domain 2 (FC router 2), behind which Xlate domain 1 (Fabric 2) and Xlate domain 2 (Fabric 3) present Target 1', Target 2', and Target 3')
All EX_Ports or VEX_Ports connected to an edge fabric use the same xlate domain ID for an imported edge fabric; this value persists across switch reboots and fabric reconfigurations.
Identifying and deleting stale xlate domains
If a remote edge fabric becomes unreachable, the xlate domains created in other edge fabrics for this remote edge fabric are retained and are not removed unless there is a disruption in the local edge fabric. You can use the fcrXlateConfig command to identify and remove these stale xlate domains without disrupting the fabric.
1. Connect to the FC router and log in using an account with admin permissions.
2.
4. Configure IFLs for edge and backbone fabric connection. (Refer to “Inter-fabric link configuration” on page 583.)
5. Modify port cost for EX_Ports, if you want to change from the default settings. (Refer to “FC router port cost configuration” on page 587.)
6. Configure trunking on EX_Ports that are connected to the same edge fabric. (Refer to “EX_Port frame trunking configuration” on page 589.)
7.
RyeSzRScycazfT0G: Integrated Routing license
If you are connecting to a Fabric OS or M-EOS fabric and the Integrated Routing license is not installed, you must install it, as described in Chapter 18, “Administering Licensing”. The Integrated Routing license is not required if you are connecting to a Brocade Network OS fabric.
4. Verify that the Fabric-Wide Consistency Policy is not in “strict” mode by issuing the fddCfg --showall command.
ATTENTION
In a multi-switch backbone fabric, modification of the FID within the backbone fabric will cause disruption to local traffic.
Assigning backbone fabric IDs
1. Log in to the switch or Backbone.
2. Enter the switchDisable command if EX_Ports are online.
3. Enter the fosConfig --disable fcr command to disable the FC-FC routing service. The default state for the FCR is disabled.
4. Enter the fcrConfigure command.
Refer to the Fibre Channel over IP Administrator’s Guide for instructions on how to configure FCIP tunnels.
Inter-fabric link configuration
Before configuring an inter-fabric link (IFL), be aware that you cannot configure both IFLs (EX_Ports, VEX_Ports) and ISLs (E_Ports) from a backbone fabric to the same edge fabric.
Hash Algorithm: N/A
Edge fabric's primary wwn: N/A
Edge fabric's version stamp: N/A
This port can now connect to another switch.
The following example configures an EX_Port for connecting to a Brocade Network OS fabric. The -m 5 option indicates Network OS connectivity.
8. After identifying such ports, enter the portCfgPersistentEnable command to enable the port, and then the portCfgShow command to verify that the port is enabled.
Edge fabric's primary wwn: N/A
Edge fabric's version stamp: N/A
portDisableReason: None
portCFlags: 0x1
portFlags: 0x1 PRESENT U_PORT EX_PORT
portType: 10.
------------------------------------------------------------------------
4        95   10:00:00:05:1e:37:00:45  10.32.156.31  "5300"

FCR WWN: 10:00:00:05:1e:12:e0:00, Dom ID: 100, Info: 10.32.156.50, "fcr_Brocade 5300"
EX_Port  FID  Neighbor Switch Info (WWN, enet IP, name)
------------------------------------------------------------------------
4        95   10:00:00:05:1e:37:00:45  10.32.156.31  "Brocade 5300"
5        95   10:00:00:05:1e:37:00:45  10.32.156.
Port cost considerations
The router port cost has the following considerations:
• Router port sets are defined as follows:
- 0–7 and FCIP Tunnel 16–23
- 8–15 and FCIP Tunnel 24–31
• The router port cost does not help distinguish one IFL (or EX_ and VEX_Port link) from another, if all the IFLs are connected to the same port set.
------------------------
7/3     1000
7/4     1000
7/9     1000
7/10    1000
7/13    1000
10/0    1000
You can also use the fcrRouteShow command to display the router port cost. To display the router port cost for a single EX_Port, enter the fcrRouterPortCost command with a port and slot number.
switch:admin> fcrrouterportcost 7/10
Port    Cost
------------------------
7/10    1000
4.
For information about setting up E_Port trunking on an edge fabric, refer to Chapter 22, “Managing Trunking Connections”.
LSAN zone configuration
An LSAN consists of zones in two or more edge or backbone fabrics that contain the same devices. LSANs provide selective device connectivity between fabrics without forcing you to merge those fabrics.
NOTE
The "LSAN_" prefix must appear at the beginning of the zone name. LSAN zones may not be combined with QoS zones. Refer to “QoS zones” on page 525 for more information about the naming convention for QoS zones.
3. Enter the zoneCreate command to create the LSAN lsan_zone_fabric75, which includes the host.
switch:admin> zonecreate "lsan_zone_fabric75", "10:00:00:00:c9:2b:c9:0c"
4. Enter the zoneAdd command to add Target A to the LSAN.
FID75Domain5:admin> zoneadd "lsan_zone_fabric75", "50:05:07:61:00:5b:62:ed"
5. Enter the cfgAdd or cfgCreate and cfgEnable commands to add and enable the LSAN configuration.
This action will replace the old zoning configuration with the current configuration selected.
Do you want to enable 'zone_cfg' configuration (yes, y, no, n): [no] y
zone config "zone_cfg" is in effect
Updating flash ...
11. Log in as an admin and connect to the FC router.
12. Enter the following commands to display information about the LSANs:
• lsanZoneShow -s shows the LSAN.
Setting the maximum LSAN count
You can set the maximum number of LSAN zones, or LSAN count, that can be configured on the edge fabrics. By default, the maximum LSAN count is set to 3000. You can increase the maximum LSAN count to 5000 without disabling the switch. The maximum number of LSAN devices supported is 10,000 (this includes both physical and proxy devices).
You can specify two types of tags:
• Enforce tag – Specifies which LSANs are to be enforced in an FC router.
• Speed tag – Specifies which LSANs are to be imported or exported faster than other LSANs.
The LSAN tags are persistently saved and support configupload and configdownload.
Enforce tag
The Enforce tag reduces the resources used in an FC router by limiting the number of LSAN zones that will be enforced in that FC router.
lsan_f2_f1 (H1, D1)
lsan_f2_f3 (H1, D2)
The LSAN in the host fabric does not need the tag.
3. In Edge fabric 1, configure the following LSAN:
lsan_super_f1_f2 (H1, D1)
4. In Edge fabric 3, configure the following LSAN:
lsan_super_f3_f2 (H1, D2)
5. Toggle either the host or target to trigger the fast import process.
The “super” tag is needed only in the LSANs of the target fabrics.
• The tag is from 1 through 8 alphanumeric characters.
• You can configure only one Speed tag on an FC router, and up to eight Enforce tags on an FC router. The maximum number of tags (Enforce and Speed) on an FC router is eight.
• Up to 500 Speed LSAN tags are supported.
Configuring an Enforce LSAN tag
1. Log in to the FC router as admin.
2. Enter the following command to disable the FC router:
switchdisable
3.
1. Log in to the FC router as admin.
2. Enter the fcrlsan --remove command to remove an existing LSAN tag. If you remove an Enforce LSAN tag, you must disable the switch first.
With LSAN zone binding, each FC router in the backbone fabric stores only the LSAN zone entries of the remote edge fabrics that can access its local edge fabrics. The LSAN zone limit supported in the backbone fabric is therefore not limited by the capability of a single FC router. In addition, because of the lower LSAN count, the CPU consumption by the FC router is lower.
TABLE 85 LSAN information stored in FC routers, with and without LSAN zone binding
Without LSAN zone binding:
FC router 1 | LSAN 1, LSAN 2, LSAN 3, LSAN 4
FC router 2 | LSAN 1, LSAN 2, LSAN 3, LSAN 4
FC router 3 | LSAN 1, LSAN 2, LSAN 3, LSAN 4
FC router 4 | LSAN 1, LSAN 2, LSAN 3, LSAN 4
With LSAN zone binding (entries across FC router 1 through FC router 4, each router storing only the entries it needs):
LSAN 1, LSAN 2, LSAN 2, LSAN 3, LSAN 4, LSAN 4
LSAN zone binding considerations
• Without LSAN zone binding, the maximum number
FC router matrix definition
Depending on the structure of the backbone fabric, you can specify pairs of FC routers that can access each other.
Setting up LSAN zone binding
1. Log in to the FC router as admin.
2. Enter the following command to add a pair of FC routers that can access each other:
FCR:Admin> fcrlsanmatrix --add -fcr wwn1 wwn2
The variables wwn1 and wwn2 are the WWNs of the FC routers.
3. Enter the following command to add a pair of edge fabrics that can access each other:
FCR:Admin> fcrlsanmatrix --add -lsan fid1 fid2
The variables fid1 and fid2 are the fabric IDs of the edge fabrics.
4.
Proxy PID configuration
When an FC router is first configured, the PIDs for the proxy devices are automatically assigned. Proxy PIDs (as well as phantom domain IDs) persist across reboots. The most common situation in which you would set a proxy PID is when you replace a switch. If you replace the switch and want to continue using the old PID assignments, you can configure it to do so; this value remains in the system even if the blade is replaced.
Inter-fabric broadcast frames
The FC router can receive and forward broadcast frames between edge fabrics and between the backbone fabric and edge fabrics. Many target devices and HBAs cannot handle broadcast frames. In this case, you can set up broadcast zones to control which devices receive broadcast frames. (Refer to "Broadcast zones" on page 310 for information about setting up broadcast zones.)
Resource monitoring
You can monitor FC router resources using the fcrResourceShow command. The fcrResourceShow command shows FCR resource limits and usage and includes the following:
• LSAN zones and LSAN devices — The information shows the maximum versus the currently used zones and device database entries. Each proxy or physical device constitutes an entry. If LSAN zones are defined in two edge fabrics, they are counted as two and not one.
FC-FC routing and Virtual Fabrics
If Virtual Fabrics is not enabled, FC-FC routing behavior is unchanged. If Virtual Fabrics is enabled, then in the FC-FC routing context, a base switch is like a backbone switch and a base fabric is like a backbone fabric. If Virtual Fabrics is enabled, the following rules apply:
• EX_Ports and VEX_Ports can be configured only on the base switch.
• Although the Brocade 6510 and 6520 support up to four logical switches, if you are using FC-FC routing, they can have a maximum of three logical switches.
Logical switch configuration for FC routing
Figure 82 shows an example of two chassis partitioned into logical switches. This configuration allows the device in Fabric 128 to communicate with the device in Fabric 15 without merging the fabrics.
FIGURE 83 Logical representation of EX_Ports in a base switch (edge fabrics Fabric 128 and Fabric 15, backbone fabric Fabric 8, switches SW1 through SW8 connected through E_Ports and EX_Ports)
Backbone-to-edge routing with Virtual Fabrics
Backbone-to-edge routing is not supported in the base switch, unless you use a legacy FC router. A legacy FC router is an FC router configured on a Brocade 7500 switch.
Upgrade and downgrade considerations for FC-FC routing
FIGURE 82 Two physical chassis partitioned into logical switches 1 through 8 (Fabric IDs 128, 1, 15 and base switch Fabric ID 8), connected through ISL, IFL and XISL links; logical switches 2 and 6 (Fabric ID 1) allow XISL use
Displaying the range of output ports connected to xlate domains
1. Log in to a switch in the edge fabric.
2. Enter the lsDbShow command on the edge fabric. In the lsDbShow output, ports in the range from 129 through 255 are the output ports on the front domain. The following example shows the range of output ports.
Appendix A Port Indexing
This appendix shows how to use the switchShow command to determine the mapping among the port index, slot/port numbers, and the 24-bit port ID (PID) on any Brocade Backbone. Enter the switchShow command without parameters to show the port index mapping for the entire platform. Enter the switchShow -slot command for port mapping information for the ports on the blade in a specific slot. Include the --qsfp option to list also the QSFP number, for slots that contain core blades.
[Truncated switchShow --qsfp output: port indexes 740 through 751 on the core blade in slot 3 (ports 20 through 31, QSFP 5 through 7), showing media, speed and state columns (16G No_Module, 16G Online) and trunk master WWN 10:00:00:05:1e:39:e4:5a for ports 748 through 751]
Example of port indexing on an FC8-64 blade on a Brocade DCX-4S Backbone
The Brocade DCX-4S does not need a mapping of ports on port blades because it is a one-to-one mapping. The order is sequential starting at slot 1 port 0 all the way through slot 8 port 255 for the FC8-64 blade. For core blades, the port index mapping for the blade in slot 3 begins with port index 256, and port index mapping for the core blade in slot 6 begins with port index 736.
Example of port indexing on an FS8-18 blade on a DCX 8510-8 Backbone
This example shows the truncated switchShow output for an FS8-18 encryption blade on the Brocade DCX 8510-8 Backbone. The assignment of port index numbers to PIDs will vary depending on blade type, platform type, and slot number.
Appendix B FIPS Support
In this appendix
• FIPS overview
• Zeroization functions
• FIPS mode configuration
• Preparing a switch for FIPS
TABLE 86 Zeroization behavior (Continued)
Keys: FCSP Challenge Handshake Authentication Protocol (CHAP) Secret
Zeroization CLI: secAuthSecret --remove
Description: The secAuthSecret --create command is used to input the keys, and the secAuthSecret --remove command is used to remove and zeroize the keys. All the DHCHAP/FCAP authenticated ports are disabled after zeroization.
Power-on self tests
A power-on self-test (POST) is invoked by powering on the switch in FIPS mode and does not require any operator intervention. If any KATs fail, the switch goes into a FIPS Error state, which reboots the system to start the test again. If the switch continues to fail the FIPS POST, you will need to return your switch to your switch service provider for repair.
TABLE 87 FIPS mode restrictions (Continued)
Feature: IPsec
  FIPS mode: Usage of AES-XCBC, MD5, and DH group 1 is blocked.
  Non-FIPS mode: No restrictions
Feature: LDAP CA
  FIPS mode: CA certificate must be available.
  Non-FIPS mode: CA certificate is optional.
Setting up LDAP for FIPS mode
1. Log in to the switch using an account with admin or securityadmin permissions, or an account with OM permissions for the RADIUS and switch configuration RBAC classes of commands.
2. Enter the dnsConfig command to configure the DNS on the switch.
Example of setting the DNS
switch:admin> dnsconfig
Enter option
1 Display Domain Name Service (DNS) configuration
2 Set DNS configuration
3 Remove DNS configuration
4 Quit
Select an item: (1..
4. Set up LDAP according to the instructions in "LDAP configuration and Microsoft Active Directory" on page 162, and then perform the following additional Microsoft Active Directory settings:
a. To support FIPS-compliant TLS cipher suites on the Microsoft Active Directory server, allow the SCHANNEL settings listed in Table 89.
TABLE 89 Active Directory keys to modify
Key: Ciphers, Sub-key: 3DES
Key: Hashes, Sub-key: SHA1
Key: Key exchange algorithm, Sub-key: PKCS
Key: Protocols, Sub-key: TLSv1
b.
Exporting an LDAP switch certificate
This procedure exports the LDAP CA certificate from the switch to the remote host.
1. Connect to the switch and log in using an account with admin permissions, or an account with OM permissions for the PKI RBAC class of commands.
2. Enter the secCertUtil export -ldapcacert command.
Example of exporting an LDAP CA certificate
switch:admin> seccertutil export -ldapcacert
Select protocol [ftp or scp]: scp
Enter IP address: 192.168.38.
Overview of steps
1. Remove legacy OpenSSH DSA keys.
2. Optional: Configure the RADIUS server or the LDAP server.
3. Optional: Configure any authentication protocols.
4. For LDAP only: Install an SSL certificate on the Microsoft Active Directory server and a CA certificate on the switch for using LDAP authentication.
5. Create separate IP filter policies for IPv4 and IPv6 and block access to Telnet (TCP port 23), HTTP (TCP port 80), or RPC (TCP and UDP ports 897 and 898).
6.
4. Optional: Set the authentication protocols.
a. Enter the authUtil --set -h sha1 command to set the hash type for MD5, which is used in the DH-CHAP and FCAP authentication protocols.
b. Enter the authUtil --set -g n command (where n represents the DH group) to set the DH group to 1, 2, 3, or 4.
5. Install the LDAP CA certificate on the switch and Microsoft Active Directory server. Refer to "LDAP certificates for FIPS mode" on page 620.
6.
• System services: No
• cfgload attributes: Yes
• Enforce secure config Upload/Download: Press Enter to accept the default.
• Enforce firmware signature validation: Yes
Example
switch:admin> configure
Not all options will be available on an enabled switch.
To disable the switch, use the "switchDisable" command.
Configure...
NOTE
Passwords of the default accounts (admin and user) should be changed after every zeroization operation to maintain FIPS 140-2 compliance.
3. Power-cycle the switch.
Displaying FIPS configuration
1. Log in to the switch using an account with admin or securityadmin permissions, or a user account with OM permissions for the FCIPCfg RBAC class of commands.
2. Enter the fipsCfg --showall command.
Appendix C Hexadecimal Conversion
Hexadecimal overview
Hexadecimal, also known as hex, is a numeral system with a base of 16, usually written by means of symbols 0–9 and A–F (or a–f). Its primary purpose is to represent the binary code that computers interpret in a format easier for humans to remember. It acts as a form of shorthand, in which one hexadecimal digit takes the place of four binary bits.
Decimal-to-hexadecimal conversion table
TABLE 90 Decimal-to-hexadecimal conversion table
Decimal: 01 02 03 04 05 06 07 08 09 10
Hex:     01 02 03 04 05 06 07 08 09 0a
Decimal: 11 12 13 14 15 16 17 18 19 20
Hex:     0b 0c 0d 0e 0f 10 11 12 13 14
Decimal: 21 22 23 24 25 26 27 28 29 30
Hex:     15 16 17 18 19 1a 1b 1c 1d 1e
Decimal: 31 32 33 34 35 36 37 38 39 40
Hex:     1f 20 21 22 23 24 25 26 27 28
Decimal: 41
TABLE 90 Decimal-to-hexadecimal conversion table (Continued)
Hex:     ab ac ad ae af b0 b1 b2 b3 b4
Decimal: 181 182 183 184 185 186 187 188 189 190
Hex:     b5 b6 b7 b8 b9 ba bb bc bd be
Decimal: 191 192 193 194 195 196 197 198 199 200
Hex:     bf c0 c1 c2 c3 c4 c5 c6 c7 c8
Decimal: 201 202 203 204 205 206 207 208 209 210
Hex:     c9 ca cb cc cd ce cf d0 d1 d2
Decimal: 211 212 213 214 215 216 217 218 219 220
Hex:     d
Index Numerics 10 Gbps operation on an FC port, enabling, 476 10-bit addressing mode, 80 10G license, 475–478 128-bit encryption, in browser, 182 16-link ICL license, 472 1st POD ICL license, 471 256-area addressing mode, 81 2nd POD ICL license, 471 8G license, 473 8-link ICL license, 472 A AAA service requests, 149 aaaConfig command, 151, 152, 171, 175, 176, 622 accepting distributed user databases locally, 140 access API, 192 browser security support, 182 changing account parameters, 139 creating accoun
policy distribution to other switches, 227 policy management, 196–199 policy members, 196 removing policy member, 198 resolving conflicting ACL policies, 229 activating ACL policy changes, 197 Admin Domains, 446 IP Filter policy, 219 licenses, 481 ports on demand, 483 TI zones, 368 ad command, 442, 446, 447, 448, 449, 450, 451, 454, 455, 456 AD0, ACL management, 196 AD0, and Admin Domains, 436 AD255, ACL management, 196 AD255, and Admin Domains, 437 Adaptive Networking bottleneck detection, 517 Ingress Rate
switch members, 440 switch port members, 439 switch WWN, 440 switching context, 456 system-defined, 436 TACACS+ service, 173 TI zone considerations, 360 transaction model, 442 trunk area, 540 user-defined, 436 using, 454 validating members, 454 VF mode and, 290 Virtual Fabrics permissions, 133 zone database, 458 admin lockout policy, disabling, 144 admin lockout policy, enabling, 144 Administrative Domains. See: Admin Domains.
auto-assigned FA-PWWN behavior, 426 auto-leveling, FR4-18i blade, 264, 270 automatic PID assignment, enabling, 82 B Backbone assigning fabric IDs, 582 blade compatibility, 96 fabric ID, 581–582 fabric, described, 572 port blades, described, 84 port configurations supported, 287 port restrictions, 287 shutdown, 77 upgrading firmware, 263 Backbone fabric, and TI zones, 355 Backbone firmware, 262–265 download, 262 download process overview, 262 version testing, 270 Backbone-to-edge routing, 576, 581 backing u
bottleneckMon command, 376, 380, 381, 382, 385, 390, 391, 392 Broadcast server, described, 44 broadcast zones, 303, 310 name restriction, 316 Brocade 6520, 464, 467 Brocade 7800, upgrade license, 464, 470 Brocade 7800, XISL restriction, 286 Brocade adapters, configuring F_Port trunking for, 545 Brocade adapters, F_Port trunking for, 545 Brocade configuration setup form, 253 Brocade DCX, 466, 491, 494 auto-leveling, 256 ICLs, 493 Brocade DCX 8510, 466, 491 auto-leveling, 256 ICLs, 492 Brocade DCX 8510-4, 466
chassis names, 75 chassis, changing name of, 75 chassisDistribute command, 224, 226 chassisName command, 75 ChassisRole Microsoft Active Directory, 165 OpenLDAP, 170 RADIUS, 155 TACACS+, 170 chassisShow command, 103 CIDR block notation, 64 class 2 and 3 traffic support, 111 classConfig command, 135 classless inter-domain routing. See: CIDR.
frameLog, 124 haDisable, 146 haFailover, 147, 272 haShow, 103, 262, 263, 271 haSyncStart, 263 help, 58 ifModeSet, 91 iodReset, 123 iodSet, 123 iodShow, 123 IP secConfig, 231, 236, 238, 239 ipAddrSet, 65, 66, 67, 223, 298 ipAddrShow, 63, 67 ipFilter, 190, 191, 218, 219, 223, 224, 623 ipSecConfig, 234, 624 islShow, 400, 524, 538 keyTool, 187 killTelnet, 57 ldapAdd, 171 ldapCfg, 152, 163, 164, 166, 168 licenseAdd, 476, 477, 482 licenseIdShow, 39 licensePort, 486, 487, 488, 489 licenseRemove, 482 licenseShow, 4
ssh-keygen, 180 sshUtil, 180, 182, 622 sshutil, 257 supportSave, 39 switchCfgPersistentDisable, 100 switchCfgSpeed, 92 switchCfgTrunk, 538, 539 switchDisable, 76, 110, 121, 489 switchEnable, 76, 110, 301 switchName, 74 switchShow, 87, 102, 104, 299, 301, 400, 419, 423, 486, 489 switchShow, 611 switchStatusPolicySet, 106 switchStatusPolicyShow, 105 switchStatusShow, 103 syslogDIpAdd, 108 sysShutdown, 77 tac_plus, 172 topologyShow, 364 trackChangesSet, 104 trackChangesShow, 105 trunkShow, 539 tsClockServer, 7
access methods, Web Tools, 55 audit log, 107 authentication, 403 authentication policy, 207–217 browser security certificates, 186 compression, 404 date and time, 69 device authentication, 211 device-switch connection, 88 DHCP, 66 encryption, 399–405 Enforce LSAN tag, 597 extended ISLs, 553 F_Port trunking on an Access Gateway, 544 FA-PWWNs, 426–429 FCAP, 215 FibreAlliance MIB, 188 FIPS mode, 617–621 FLOGI-time handling of duplicate PWWNs, 109 HTTPS access, 182 incoming SSH authentication, 180 in-flight enc
D D_Port, described, 84 daemon processes and High Availability, 53 daemon, tac_plus, 172 daemons automatically restarted, 53 date and time, 69 date change license restriction, 479 date command, 69 date settings, 69 daytime listener application, 192 DCC creating policy, 204 deleting policy, 205 policies, 196, 203–206 policy member, 196 policy restrictions, 203 policy, maximum name length, 204 DCC policies for NPIV ports, 205 policy behavior with fabric-assigned PWWNs, 205 Virtual Fabric considerations, 203 d
compression, 405 CS_CTL-based frame prioritization, 522 DHCP, 67 F_Port trunking, 549 failover in TI zones, considerations, 347 in-flight encryption, 405 ingress rate limiting, 519 ISL trunking, 538 local switch protection, 226 NPIV, 422 port, 90 QoS manually on trunked ports, 524 QoS zone-based traffic prioritization, 532 remote authentication, 175 switches, 76, 100 topology discovery, 50 Virtual Fabrics, 290 zone configurations, 330 discard listener application, 192 displaying Admin Domain configuration,
edge-to-edge routing, 581 EE monitors about, 501 adding, 502 clearing statistic counters, 505 defined, 499 deleting, 504 displaying counters, 504 maximum number, 501 setting a mask for, 503 supported port configurations for, 502 effective AD configuration, 442 effective zone configuration, defined, 308 ELP mode, 117 enabling 10 Gbps operation on an FC port, 476 10-GbE ports on an FX8-24 blade, 477 admin lockout policy, 144 authentication, 403 bottleneck detection, 380 compression, 404 CS_CTL-based frame pri
displaying information, 542 masterless, 542 supported configurations and platforms, 542 Exchange Link Parameters mode. See: ELP mode.
command line interface, 56, 56–59 default roles, 134 feature interaction with Virtual Fabrics, 288 interaction with Virtual Fabrics, 288 policies, 196 protocols supported, 178 security protocols supported, 177 user accounts, 152–153 on RADIUS servers, 154–162 user accounts through LDAP, 153 web server, 186 Fabric Shortest Path First. See: FSPF.
See also: FC. Fibre Channel Authentication Protocol. See: FCAP. Fibre Channel Common Transport (FC-CT) protocol service, described, 44 Fibre Channel fabrics, and port ID, 113 Fibre Channel Over IP service. See: FCIP.
port configurations supported, 286 port restrictions, 286 FL_Port, described, 84 FLOGI, 52 defined, 51 FC-SP bit setting, 210 process, 52 rejected, 210 request frame header value, 52 fmMonitor command, 224, 505, 507, 508, 509 Advanced Performance Monitoring license, 506 fmsmode, and XISL, 289 forcing frame delivery order, 123 forward error correction. See: FEC.
TACACS+, 173 home LF Microsoft Active Directory, 165 OpenLDAP, 170 RADIUS, 155 TACACS+, 173 host syslog, verifying, 108 hosts, accessing, 192 HTTPS protocol, 182 described, 177 secure protocol, 178 I IAS configuring, 159 remote access policies, 159 ICL 16-link license, 472 1st POD license, 471 2nd POD license, 471 8-link license, 472 about Inter-Chassis Links, 491 core-edge topology, 496 enterprise license, 472 for DCX 8510 family, 492 for DCX family, 493 license, 491 licensing, 471–472 limitations for los
policy rules, 219 policy rules using service names, 220 saving policy, 218 supported actions, 221 supported protocols, 221 supported services and port numbers, 220 IP interface for chassis management, 65 IP sec algorithms, 234 Authentication Header protocol, 233 configuration on the management interface, 231 Encapsulating Security Payload protocol, 233 flushing security associations, 240 IKE policies, 235 key management, 235 manual key entry, 236 null encryption support for IKE policies, 240 policies, 234–2
in FIPS mode, 618 installing certificates, 620 IPv4 and IPv6 support, 162 non-FIPS mode restrictions, 162 role mapping and OpenLDAP, 168 role mapping, and Microsoft Active Directory, 163 secure service, 150 LDAP server adding, 175 deleting, 175 reordering, 175 LDAP service configuration, displaying, 176 configuring, 162 configuring for OpenLDAP, 165–171 disabling, 175 enabling, 175 group assignment, 168 groups, creating, 164 modifying, 175 overview, 134 role, assigning, 164 users, adding, 164, 167 vendor at
blocked chargen, 192 daytime, 192 discard, 192 echo, 192 ftp, 192 rexec, 192 rlogin, 192 rsh, 192 rstats, 192 rusers, 192 time, 192 blocked list, 192 chargen, 192 daytime, 192 discard, 192 echo, 192 ftp, 192 rexec, 192 rlogin, 192 rsh, 192 rstats, 192 rusers, 192 time, 192 local ACL policies, distributing, 227 local authentication backup, as, 176 overview, 134 local clock, 72 local database user accounts, 137–140 local user account database distributing, 140 local user account database distribution, 140 loc
management server displaying ACL, 46 viewing database, 48 management server database, 45–49 Management server, described, 44 managing Admin Domains, 433–460 IP Filter thresholds, 224 trunking connections, 533–550 user accounts, 133–176 user-defined roles, 136–137 zoning configurations in a fabric, 333 manually distributing ACL policy database, 225 mask for end-to-end monitors, setting, 503 masterless EX_Port trunking, 542 masterless trunking, 534 matching fabric parameters, 579 maximum ISL distances in LO m
null encryption support for IKE policies, 240 O on-demand ports, 483–489 activating, 485 available ports, 484 disabling dynamic, 487 displaying installed licenses, 484 dynamic, 485 enabling dynamic, 486 supported devices, 483 Open LDAP See also: LDAP.
disabling, 45 enabling, 45 Virtual Fabrics, 45 platforms, FC-FC routing supported, 570 PLOGI, 52 defined, 51 POD enabling ports, 89 releasing a port from a set, 488 reserving a port license, 488 See also: ports on demand.
deactivation, 89 decommissioning, 90 deleting Top Talker monitor on, 514 disabling, 90 disabling dynamic POD, 487 disabling on blades, 96 displaying license assignments, 486 displaying the top n bandwidth-using flows, 513 dynamic POD, 485 E_Port compression/encryption example, 407 enabling, 89 enabling compression, 400 enabling dynamic POD, 486 enabling encryption, 400 EX_Port commands, 418 EX_Port compression/encryption example, 412 EX_Port downgrade considerations, 418 EX_Port segmentation, 411 excluding
portDecom command, 90 portDisable command, 90, 538 portEnable command, 89, 485 portEncCompShow command, 396, 399, 401, 402, 404 PortFecCap, 128 portLoginShow command, 424 portName command, 86 ports on demand, 483–489 activating, 485 available ports, 484 disabling dynamic, 487 displaying installed licenses, 484 dynamic, 485 enabling dynamic, 486 license restrictions, 483 supported devices, 483 See also: POD.
QoS zone-based traffic prioritization, 523 disabling, 532 High Availability considerations, 528 limitations and restrictions, 529 setting, 530 setting over FC routers, 532 supported configurations, 529 trunking considerations, 530 Virtual Fabrics considerations, 528 QoS zones, 115, 304 defined, 525 name prefix specified in an LSAN zone, 526 QSFP ports in DCX 8510 chassis, 492 Quality of Service. See: QoS.
upgrading temporary slot-based licenses, 479 Virtual Fabrics, 288 XISLs, 289 rexec listener application, 192 rlogin listener application, 192 Role-Based Access Control. See: RBAC.
length, 213 setting, 214 viewing list of, 213 secure copy protocol. See: SCP. Secure Fabric OS policies, 196 secure LDAP, 150 secure protocol HTTPS, 178 items needed to deploy, 178 SCP, 178 SNMPv1, 178 SNMPv2, 178 SNMPv3, 178 SSHv2, 178 Secure Shell protocol. See: SSH. Secure Sockets Layer protocol. See: SSL.
security levels, 190 SNMPv1 secure protocol, 178 SNMPv2 secure protocol, 178 SNMPv3 secure protocol, 178 switch and chassis context enforcement, 189 v1 support, 188 v3 support, 188 Virtual Fabrics and, 189 snmpConfig command, 188, 190, 623 snmpWalk command, 189 special zones, 303 specification of ACL policy members, 196 Speed LSAN tag, 595 speed, setting for ports, 92 SSH allowed-user, 180 configuring incoming authentication, 180 configuring outgoing authentication, 181 connection, 57 encrypted sessions, 17
switch database distribution setting, 224 unique names for logical, 74 user-defined accounts, 137 viewing status policy threshold values, 105 switch authentication mode, setting, 152 switch authentication policy, 208 See also: AUTH. Switch Connection Control. See: SCC.
setting interactively, 71 time zone settings, 69–71 time, synchronizing local and external, 71 time-based licenses, 478–480 Top Talker monitors adding on all switches in fabric, 513 adding to a port (port mode), 513 and FC-FC routing, 511 defined, 499 deleting all in fabric, 515 deleting on a port, 514 fabric mode, described, 510 limitations, 512 port mode, described, 510 Top Talkers, 510 logical switches and, 295 topologies core-edge, 496 mesh, 495 supported for ICL connections, 495–497 topology database, 1
U V U_Port, described, 84 unblocking telnet access, 191 universal temporary license defined, 478 described, 480 extending, 480 shelf life, 480 unlocking an account, 144 unordered frame delivery, restoring, 123 upgrading firmware, 257 upgrading temporary slot-based licenses, restrictions, 479 uploading AD configuration file, 460 USB device, 265, 265–266 usbStorage command, 265 user account assigning Admin Domains to, 445 creating a physical fabric administrator, 445 for managing Admin Domains, 445 user acc
configDownload restrictions, 252 configUpload restrictions, 252 configuration management, 250 configuring SNMP for, 189–190 considerations for Adv. Perf.
Z zeroization functions for FIPS, 615 zeroizing for FIPS, 624 zone access mode, viewing current, 327 accessing, 192 adding a new switch or fabric, 336 adding members, 317 administering security, 336 alias adding members, 313 deleting, 314 removing members, 314 viewing, 315 Virtual Fabrics considerations, 312 wildcard usage, 316, 317, 318, 319 aliases, 307 all access, 326 broadcast, 303, 310 broadcast (reserved name), 316 concepts, 304 concurrent transactions, 342 configuration management, 336 configurations
zoneRemove command, 318 zoneShow command, 322 zoning advanced, 303–342 advanced commands, 304 defined, 304 enforcement, 308 on logical ports, 316 overview, 304