Fabric OS Administrator's Guide, Supporting Fabric OS v6.4. Publication number 53-1001763-01, 30 March 2010.
Copyright © 2005-2010 Brocade Communications Systems, Inc. All Rights Reserved. Brocade, the B-wing symbol, BigIron, DCX, Fabric OS, FastIron, IronPoint, IronShield, IronView, IronWare, JetCore, NetIron, SecureIron, ServerIron, StorageX, and TurboIron are registered trademarks, and DCFM, Extraordinary Networks, and SAN Health are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries.
Document history (title, publication number, summary of changes):
• Fabric OS Administrator's Guide, 53-1000043-02, June 2006: Removed SilkWorm 4016 and 4020 from supported switches; FCIP chapter updates.
• Fabric OS Administrator's Guide, 53-1000239-01: Revised for Fabric OS v5.2.0 features. Added new hardware platforms: Brocade FC4-48 and FC4-16IP.
• Fabric OS Administrator's Guide, 53-1000448-01, 15 June 2007: Added Fabric OS v5.3.0 features. Added support for new hardware platforms: Brocade 7600, FA4-18, and FC10-6.
About This Document
In this chapter
• How this document is organized, page xxxiii
• Supported hardware and software, page xxxiv
• What's new in this document, page xxxv
• Document conventions, page xxxv
• Additional information
• Chapter 11, “Administering Advanced Zoning,” provides procedures for use of the Brocade Advanced Zoning feature.
• Chapter 12, “Traffic Isolation Zoning,” provides concepts and procedures for use of Traffic Isolation Zones within a fabric.
• Chapter 13, “Administering NPIV,” provides procedures for enabling and configuring N-Port ID Virtualization (NPIV).
• Chapter 14, “Interoperability for Merged SANs,” provides information about using Brocade switches with other brands of switches.
• Brocade 5424 embedded switch
• Brocade 5460 embedded switch
• Brocade 5470 embedded switch
• Brocade 5480 embedded switch
• Brocade 7500 extension switch
• Brocade 7500E extension switch
• Brocade 7600 application appliance
• Brocade 7800 extension switch
• Brocade 8000 application appliance
• Brocade 48000 director
• Brocade DCX Backbone data center backbone
• Brocade DCX-4S Backbone data center backbone
• Brocade VA-40FC
What's new in this document
• Information that was added:
- Support for new hardw
Text formatting
The narrative-text formatting conventions that are used are as follows:
bold text: identifies command names; identifies the names of user-manipulated GUI elements; identifies keywords and operands; identifies text to enter at the GUI or CLI.
italic text: provides emphasis; identifies variables; identifies paths and Internet addresses; identifies document titles.
code text: identifies CLI output; identifies command syntax examples.
For readability, command names in the narrative portions of this gui
CAUTION
A Caution statement alerts you to situations that can be potentially hazardous to you or cause damage to hardware, firmware, software, or data.
DANGER
A Danger statement indicates conditions or situations that can be potentially lethal or extremely hazardous to you. Safety labels are also attached directly to products to warn of these conditions or situations.
Key terms
For definitions specific to Brocade and Fibre Channel, see the Brocade Glossary.
For practical discussions about SAN design, implementation, and maintenance, you can obtain Building SANs with Brocade Fabric Switches through:
http://www.amazon.com
For additional Brocade documentation, visit the Brocade SAN Info Center and click the Resource Library location:
http://www.brocade.com
Release notes are available on the My Brocade web site and are also bundled with the Fabric OS firmware.
• Brocade 5424 — On the bottom of the switch module.
• Brocade 4100, 4900, and 7500 — On the switch ID pull-out tab located inside the chassis on the port side on the left.
• Brocade 5000 — On the switch ID pull-out tab located on the bottom of the port side of the switch.
• Brocade 300, 5100, and 5300 — On the switch ID pull-out tab located on the bottom of the port side of the switch.
• Brocade 7600, 7800, and 8000 — On the bottom of the chassis.
Section I Standard Features
This section describes standard Fabric OS features, and includes the following chapters:
• Chapter 1, “Understanding Fibre Channel Services”
• Chapter 2, “Performing Basic Configuration Tasks”
• Chapter 3, “Performing Advanced Configuration Tasks”
• Chapter 4, “Routing Traffic”
• Chapter 5, “Managing User Accounts”
• Chapter 6, “Configuring Protocols”
• Chapter 7, “Configuring Security Policies”
• Chapter 8, “Maintaining the Switch Configuration File”
• Chapter 9, “Installing
Chapter 1 Understanding Fibre Channel Services
In this chapter
• Fibre Channel services overview, page 3
• The Management Server, page 4
• Platform services, page 4
• Management server database
The Management Server
Management Server — The Management Server provides a single point for managing the fabric. The only service that is user-configurable is the Management Server.
Alias Server — The Alias Server keeps a group of nodes registered as one name to handle multicast groups.
Broadcast Server — The Broadcast Server is optional, and when frames are transmitted to this address they are broadcasted to all operational N_ and NL_Ports.
Platform services in a Virtual Fabric
Each logical switch has a separate Platform Database. All platform registrations done to a logical switch are valid only in that particular logical switch's Virtual Fabric. Activating the platform services on a switch or enterprise-class platform will activate platform services on all logical switches in a Virtual Fabric.
NOTE
The management server is logical switch-capable. All management server features are supported within a logical switch.
Displaying the management server ACL
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the msConfigure command. The command becomes interactive.
3. At the “select” prompt, enter 1 to display the access list. A list of WWNs that have access to the management server is displayed.
Port/Node WWN (in hex): [00:00:00:00:00:00:00:00] 20:00:00:20:37:65:ce:aa
*WWN is successfully added to the MS ACL.
0 Done
1 Display the access list
2 Add member based on its Port/Node WWN
3 Delete member based on its Port/Node WWN
select : (0..
3 Delete member based on its Port/Node WWN
select : (0..3) [1] 3
Port/Node WWN (in hex): [00:00:00:00:00:00:00:00] 10:00:00:00:c9:29:b3:84
*WWN is successfully deleted from the MS ACL.
0 Done
1 Display the access list
2 Add member based on its Port/Node WWN
3 Delete member based on its Port/Node WWN
select : (0..3) [3] 1
MS Access list is empty
0 Done
1 Display the access list
2 Add member based on its Port/Node WWN
3 Delete member based on its Port/Node WWN
select : (0..
Topology discovery
The topology discovery feature can be displayed, enabled, and disabled; it is disabled by default. The commands mstdEnable and mstdDisable are allowed only in AD0 and AD255.
Displaying topology discovery status
1. Connect to the switch and log in as admin.
2. Enter the mstdReadConfig command.
switch:admin> mstdreadconfig
*MS Topology Discovery is Enabled.
Enabling topology discovery
1. Connect to the switch and log in as admin.
2.
*MS Topology Discovery disabled locally.
switch:admin> mstddisable all
This may erase all NID entries. Are you sure? (yes, y, no, n): [no] y
Request to disable MS Topology Discovery Service in progress....
*MS Topology Discovery disabled locally.
*MS Topology Discovery Disable Operation Complete!!
Device login
A device can be a storage, host, or switch. When new devices are introduced into the fabric, they must be powered on and, if a host or storage device, connected to a switch.
parameters do not match, a link will not occur. Once an SW_ACC frame is received from the principal switch, the new switch sends an Exchange Switch Capabilities (ESC) frame. The two switches exchange routing protocols and agree on a common routing protocol. An SW_ACC frame is received from the principal switch and the new switch sends an Exchange Fabric Parameters (EFP) frame to the principal switch, requesting principal switch priority and the domain ID list.
The Fibre Channel protocol (FCP) auto discovery process enables private storage devices that accept the process login (PRLI) to communicate in a fabric. If device probing is enabled, the embedded performs a PLOGI and attempts a PRLI into the device to retrieve information to enter into the Name Server. This enables private devices that do not perform a FLOGI, but accept a PRLI, to be entered in the Name Server and receive full fabric access.
Schedule downtime and reboot the switch at your convenience. Table 1 lists the daemons that are considered non-critical and are automatically restarted on failure.
TABLE 1 Daemons that are automatically restarted (daemon: description)
arrd: Asynchronous Response Router, which is used to send management data to hosts when the switch is accessed through the APIs (FA API or SMI-S).
cald: Common Access Layer daemon, which is used by manageability applications.
Chapter 2 Performing Basic Configuration Tasks
In this chapter
• Fabric OS overview
• Fabric OS command line interface
• Password modification
• The Ethernet interface on your switch
• Date and time settings
Although many different software and hardware configurations are tested and supported by Brocade Communications Systems, Inc., documenting all possible configurations and scenarios is beyond the scope of this document. In some cases, earlier releases are highlighted to present considerations for interoperating with them. The hardware reference manuals for Brocade products describe how to power up devices and set their IP addresses.
• In a UNIX environment, enter the following string at the prompt:
tip /dev/ttyb -9600
If ttyb is already in use, use ttya instead and enter the following string at the prompt:
tip /dev/ttya -9600
Telnet or SSH sessions
Connect to the Fabric OS through a Telnet or SSH connection or through a console session on the serial port. The switch must also be physically connected to the network.
4. From a management station, open a Telnet connection using the IP address of the switch to which you want to connect. The login prompt is displayed when the Telnet connection finds the switch in the network.
5. Enter the account ID at the login prompt. See “Password modification” on page 18 for instructions on how to log in for the first time.
6. Enter the password. If you have not changed the system passwords from the default, you are prompted to change them.
NOTE
The default account passwords can be changed from their original value only when prompted immediately following the login; the passwords cannot be changed using the passwd command later in the session. If you skip the prompt, and then later decide to change the passwords, log out and then back in.
The default accounts on the switch are admin, user, root, and factory.
The Ethernet interface on your switch
The Ethernet (network) interface provides management access, including direct access to the Fabric OS CLI, and allows other tools, such as Web Tools, to interact with the switch. You can use either Dynamic Host Configuration Protocol (DHCP) or static IP addresses for the Ethernet network interface configuration.
Displaying the network interface settings
If an IP address has not been assigned to the network interface (Ethernet), you must connect to the Fabric OS CLI using a console session on the serial port. For more information, see “Console sessions using the serial port” on page 16. Otherwise, connect using SSH.
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the ipAddrShow command.
Example output of an enterprise-class platform.
Static Ethernet addresses
Use static Ethernet network interface addresses on Brocade 48000 directors and Brocade DCX and DCX-4S enterprise-class platforms, and in environments where DHCP service is not available. To use static addresses for the Ethernet interface, you must first disable DHCP. You can enter static Ethernet information and disable DHCP at the same time. Refer to “DHCP activation” on page 23 for more information.
Setting the static addresses for the chassis IP management interface
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the ipAddrSet -chassis command.
Example of setting the chassis IPv4 address
switch:admin> ipaddrset -chassis
Ethernet IP Address [192.168.166.148]:
Ethernet Subnetmask [255.255.255.0]:
Committing configuration...Done.
3.
Example of enabling DHCP
switch:admin> ipaddrset
Ethernet IP Address [10.1.2.3]:
Ethernet Subnetmask [255.255.255.0]:
Fibre Channel IP Address [220.220.220.2]:
Fibre Channel Subnetmask [255.255.0.0]:
Gateway IP Address [10.1.2.1]:
DHCP [Off]:on
Disabling DHCP
When you disable DHCP, enter the static Ethernet IP address and subnet mask of the switch and default gateway address.
There are two methods of autoconfiguration for IPv6 addresses, stateless and stateful. Stateless allows an IPv6 host to obtain a unique address using the IEEE 802 MAC address; stateful uses a DHCPv6 server which keeps a record of the IP address and other configuration information for the host. Whether a host engages in autoconfiguration and which method it uses is dictated by the routers serving the local network, not by a configuration of the host.
date "mmddHHMMyy"
The values represent the following:
• mm is the month; valid values are 01 through 12.
• dd is the date; valid values are 01 through 31.
• HH is the hour; valid values are 00 through 23.
• MM is minutes; valid values are 00 through 59.
• yy is the year; valid values are 00-37 and 70-99 (year values from 70-99 are interpreted as 1970-1999, year values from 00-37 are interpreted as 2000-2037).
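As an added example, not taken from the guide or from Fabric OS itself, the following Python validator applies the per-field ranges and the two two-digit-year windows given above to a date operand before it is sent to the switch; the function names are my own, and the sample operand is constructed.

```python
import re
from datetime import datetime

# Format of the Fabric OS "date" operand: mmddHHMMyy (exactly 10 digits).
# Per-field ranges as the guide states them. The two-digit year is handled
# separately because it maps onto two windows: 70-99 -> 1970-1999 and
# 00-37 -> 2000-2037; values 38-69 are not valid at all.
FIELD_RANGES = {
    "mm": (1, 12),   # month
    "dd": (1, 31),   # day of month
    "HH": (0, 23),   # hour
    "MM": (0, 59),   # minute
}


def expand_year(yy: int) -> int:
    """Map the two-digit yy field onto the four-digit year the guide defines."""
    if 0 <= yy <= 37:
        return 2000 + yy
    if 70 <= yy <= 99:
        return 1900 + yy
    raise ValueError(f"yy={yy:02d} is outside the valid windows 00-37 and 70-99")


def parse_fos_date(operand: str) -> datetime:
    """Parse an mmddHHMMyy operand into a datetime, rejecting out-of-range fields.

    Raises ValueError with a message that names the offending field.
    """
    if not re.fullmatch(r"[0-9]{10}", operand):
        raise ValueError("operand must be exactly 10 digits in the form mmddHHMMyy")
    fields = {}
    for pos, name in enumerate(("mm", "dd", "HH", "MM")):
        value = int(operand[2 * pos: 2 * pos + 2])
        lo, hi = FIELD_RANGES[name]
        if not lo <= value <= hi:
            raise ValueError(f"{name}={value:02d} is outside {lo:02d}-{hi:02d}")
        fields[name] = value
    year = expand_year(int(operand[8:10]))
    # datetime() additionally rejects day/month combinations that the flat
    # 01-31 range check accepts, such as 02/30 or 04/31.
    return datetime(year, fields["mm"], fields["dd"], fields["HH"], fields["MM"])


def is_valid_fos_date(operand: str) -> bool:
    """True if the operand would pass every check in parse_fos_date."""
    try:
        parse_fos_date(operand)
        return True
    except ValueError:
        return False


def format_fos_date(when: datetime) -> str:
    """Inverse of parse_fos_date: build the operand for a datetime.

    Only years the two-digit field can express (1970-2037) are allowed.
    """
    if not 1970 <= when.year <= 2037:
        raise ValueError("year must be within 1970-2037 to fit the yy field")
    return when.strftime("%m%d%H%M%y")


if __name__ == "__main__":
    # Constructed sample: 30 March 2010 at 14:30 (the guide's publication date).
    sample = "0330143010"
    print(parse_fos_date(sample))                             # 2010-03-30 14:30:00
    print(format_fos_date(parse_fos_date(sample)) == sample)  # True
```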
Setting the time zone
The following procedure describes how to set the time zone for a switch. You must perform the procedure on all switches for which the time zone must be set. However, you only need to set the time zone once on each switch because the value is written to nonvolatile memory.
1. Connect to the switch and log in using an account assigned to the admin role and with the chassis-role permission.
2. Enter the tsTimeZone command.
In a Virtual Fabric, all the switches in the fabric must have the same NTP clock server configured. This includes any pre-Fabric OS v6.2.0 switches in the fabric. This ensures that time does not go out of sync in the logical fabric. It is not recommended to have LOCL in the server list. When a new switch enters the fabric, the time server daemon of the principal or primary FCS switch sends out the addresses of all existing clock servers and the time to the new switch.
If a switch has a domain ID when it is enabled, and that domain ID conflicts with another switch in the fabric, the conflict is automatically resolved if the other switch's domain ID is not persistently set. The process can take several seconds, during which time traffic is delayed. If both switches have their domain IDs persistently set, one of them will need to have its domain ID changed to a domain ID not used within the fabric. The default domain ID for Brocade switches is 1.
Enet IP Addr: The switch's Ethernet IP address for IPv4- and IPv6-configured switches. For IPv6 switches, only the static IP address displays.
FC IP Addr: The switch's Fibre Channel IP address.
Name: The switch's symbolic or user-created name in quotes. An arrow (>) indicates the principal switch.
Setting the domain ID
1. Connect to the switch and log in on an account assigned to the admin role.
2. Enter the switchDisable command to disable the switch.
3. Enter the configure command.
4.
Chassis names
Brocade recommends that you customize the chassis name for each platform. Some system logs identify devices by platform names; if you assign meaningful platform names, logs are more useful. All chassis names have a limit of 15 characters, except for the Brocade 300, 5100, 5300, and VA-40FC switches, and the 5410, 5424, 5450, and 5480 embedded switches, which allow 31 characters.
Powering off a Brocade switch
The following procedure describes how to gracefully shut down a switch.
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the sysShutdown command.
3. At the prompt, enter y.
switch:admin> sysshutdown
This command will shutdown the operating systems on your switch.
You are required to power-cycle the switch in order to restore operation.
Basic connections
Before connecting a switch to a fabric that contains switches running different firmware versions, you must first set the same PID format on all switches. The presence of different PID formats in a fabric causes fabric segmentation.
• For information on PID formats and related procedures, see Chapter 3, “Performing Advanced Configuration Tasks”.
• For information on configuring the routing of connections, see “Routing Traffic” on page 63.
Chapter 3 Performing Advanced Configuration Tasks
In this chapter
• PIDs and PID binding overview
• Ports
• Blade terminology and compatibility
• Enabling and disabling blades
Core PID addressing mode
Core PID is the default PID format for Brocade platforms. It uses the entire 24-bit address space of the domain, area_ID, and AL_PA to determine an object's address within the fabric.
• Any port on a 48-port blade can support up to 256 NPIV devices (in fixed addressing mode, only 128 NPIV devices are supported in non-VF mode and 64 NPIV devices in VF mode on a 48-port blade).
• Any port on a 48-port blade can support loop devices.
• Any port on a 48-port blade can support hard port zoning.
• Port index is not guaranteed to be equal to the port area_ID.
Virtual Fabric considerations

WWN-based PID assignment is disabled by default and is supported in the default switch on a Brocade DCX and DCX-4S. This feature is not supported on application blades such as the FS8-18, FX8-24, and the FCOE10-24. The total number of ports in the default switch must be 256 or less. When the WWN-based PID assignment feature is enabled and a new blade is plugged into the chassis, the ports for which the area is not available are disabled.
Clearing PID binding

1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the wwnAddress --unbind command to clear the PID binding for the specified WWN.

Showing PID assignments

1. Connect to the switch and log in using an account assigned to the admin role.
2. Based on what you want to display, enter the appropriate command:
   • wwnAddress --show displays the assigned WWN-PID bindings.
Ports

The Brocade DCX-4S has 8 slots that contain control processor, core, port, and AP blades:
• Slot numbers 4 and 5 contain CPs.
• Slot numbers 3 and 6 contain core blades.
• Slot numbers 1 and 2, and 7 and 8 contain port and AP blades.

NOTE
The core blades for the Brocade DCX (CORE8) and the Brocade DCX-4S (CR4S-8) are not interchangeable between the two products.
Setting port names

Perform the following steps to specify a port name. For enterprise-class directors, specify the slot number where the blade is installed.

1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the portName command.

Example of naming port 0 in slot 1:

    ecp:admin> portname 1/0 trunk1

Port identification by slot and port number

The port number is a number assigned to an external port to give it a unique identifier in a switch.
A number of fabric-wide databases supported by Fabric OS (including ZoneDB, the ACL DCC policy, and Admin Domain) allow a port to be designated by the use of a “D,P” (domain,port) notation. While the “P” component appears to be the port number, for up to 255 ports it is actually the area assigned to that port.

ATTENTION
The port area schema does not apply to the Brocade DCX-4S enterprise-class platform.

If two ports are changed using the portSwap command, their respective areas and “P” values are exchanged.
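The address arithmetic behind Core PIDs and the “D,P” notation, as an added Python example (it is not code from this guide or from Fabric OS): it splits a 24-bit PID into domain, area_ID and AL_PA, derives the “D,P” value a ZoneDB or ACL entry would carry, and models how portSwap exchanges two ports' areas. The PID values and the port-to-area table are constructed for the example; on a real switch the area assignment comes from the PID format in use, and on the DCX-4S the area schema does not apply.

```python
"""Core PID and "D,P" helpers (added example, not Fabric OS code).

Core PID format: domain (8 bits) | area_ID (8 bits) | AL_PA (8 bits).
In "D,P" notation, P is the port's *area*, not necessarily its port index.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PID:
    """A Core-format Fibre Channel address."""
    domain: int
    area: int
    alpa: int

    def __post_init__(self) -> None:
        for name, value in (("domain", self.domain), ("area", self.area), ("alpa", self.alpa)):
            if not 0 <= value <= 0xFF:
                raise ValueError(f"{name} must fit in 8 bits, got {value:#x}")

    @classmethod
    def from_int(cls, pid: int) -> "PID":
        """Split a 24-bit PID (e.g. 0x010A00) into its three fields."""
        if not 0 <= pid <= 0xFFFFFF:
            raise ValueError(f"PID must be 24 bits, got {pid:#x}")
        return cls(pid >> 16, (pid >> 8) & 0xFF, pid & 0xFF)

    @classmethod
    def parse(cls, text: str) -> "PID":
        """Parse the six-hex-digit form such as '010a00'."""
        if len(text) != 6:
            raise ValueError(f"expected 6 hex digits, got {text!r}")
        return cls.from_int(int(text, 16))

    def to_int(self) -> int:
        return (self.domain << 16) | (self.area << 8) | self.alpa

    def __str__(self) -> str:
        return f"{self.to_int():06x}"

    def dp(self) -> str:
        """'D,P' designation: domain and area, which is what ZoneDB/ACL entries carry."""
        return f"{self.domain},{self.area}"


def port_swap(port_area: dict, port_a: int, port_b: int) -> dict:
    """Model portSwap: the two ports exchange their areas (and so their 'P' values).

    The caller's table is left untouched; a new port->area mapping is returned.
    """
    if port_a not in port_area or port_b not in port_area:
        raise KeyError("both ports must exist in the area table")
    swapped = dict(port_area)
    swapped[port_a], swapped[port_b] = port_area[port_b], port_area[port_a]
    return swapped


def dp_for_port(domain: int, port_area: dict, port: int) -> str:
    """'D,P' string to put in a zone member for a physical port, after any swaps."""
    return PID(domain, port_area[port], 0).dp()


if __name__ == "__main__":
    # Constructed sample: domain 1, a device on area 0x0a with AL_PA 0
    pid = PID.parse("010a00")
    print(pid, pid.domain, pid.area, pid.alpa, pid.dp())

    # Constructed area table: ports 0..15, area equal to port index before any swap
    areas = {p: p for p in range(16)}
    after = port_swap(areas, 3, 7)
    print(dp_for_port(1, areas, 3), "->", dp_for_port(1, after, 3))
```

The point a practitioner should take from port_swap is that a zone or ACL entry written as “1,3” keeps following area 3, which after the swap is a different physical port; audit zone members after any portSwap.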
If ports are persistently disabled and you use the portEnable command to enable a disabled port, the port will revert to being disabled after a power cycle or a switch reboot. To ensure the port remains enabled, use the portCfgPersistentEnable command as instructed below.

CAUTION
The fabric will be reconfigured if the port you are enabling or disabling is connected to another switch.
Setting the same speed for all ports on the switch

1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the switchCfgSpeed command.

Example of setting the switch speed

The following example sets the speed for all ports on the switch to 8 Gbps:

    switch:admin> switchcfgspeed 8
    Committing configuration...done.
Blade terminology and compatibility

TABLE 4  Brocade enterprise-class platform terminology and abbreviations (Continued)

Term                       Abbreviation  Blade ID (slotshow)  Definition
32-port 4-Gbps port blade  FC4-32        18                   A 32-port Brocade platform port blade supporting 1, 2, and 4 Gbps port speeds. This port blade is compatible only with the Brocade 48000 CP blades.
32-port 8-Gbps port blade  FC8-32        55                   A 32-port Brocade platform port blade supporting 1, 2, 4, and 8 Gbps port speeds.
CP blades

The control processor (CP) blade provides redundancy and acts as the brains of the enterprise-class platform. The Brocade 48000 supports the CP256 blade. The Brocade DCX and DCX-4S support the CP8 blades. The CP blades in the Brocade DCX and DCX-4S are hot-swappable. When the CPs from a Brocade DCX are inserted into a Brocade DCX-4S, the switch type changes. The same is true when inserting a CP blade from a Brocade DCX-4S into a Brocade DCX.
TABLE 5  Port blades supported by each platform (Continued)

Port blades  Brocade 48000 (CP4)  Brocade DCX and DCX-4S
FS8-18       Unsupported          Supported
FX8-24       Unsupported          Supported

1. During power up, when an FCOE10-24 is detected first, before any other AP blade, in a chassis with Fabric OS v6.3.0 and later, all other AP and FC8-64 blades will be faulted. If a non-FCOE10-24 blade is detected first, then any subsequently detected FCOE10-24 blades will be faulted.
Enabling and disabling blades

FX8-24 compatibility notes

When you have an FR4-18i and an FX8-24 blade in your chassis, the following guidelines need to be followed:
• The FR4-18i and Brocade 7500 GbE ports cannot be connected to either the FX8-24 or Brocade 7800 GbE ports. The ports may come online, but they will not communicate with each other. Running physical cables between the FR4-18i and FX8-24 blades is not supported.
FA4-18 application blade enabling exceptions

The Brocade 48000 director supports up to two FA4-18 blades in a chassis. The Brocade DCX and DCX-4S Backbones support up to four FA4-18 blades in a chassis.

FC4-48 and FC8-48 port blade enabling exceptions

Because the area IDs are shared with different port IDs, the FC4-48 and FC8-48 blades support only F_ and E_Ports. They do not support FL_Ports. Port swapping on an FC4-48 or FC8-48 is supported only on ports 0–15.
Blade swapping

• When an FR4-18i blade is replaced by an FC4-16, FC4-32, FC8-16, FC8-32, FC8-48, or FC8-64 blade, the EX_Port configuration is removed from any ports that were configured as EX_Ports (equivalent to disabling the EX_Port configuration using the portCfgEXPort command). All remaining port configurations are retained.

NOTE
This is not true for the 8-Gbps port blades.
Swapping blades

The bladeSwap command performs the following operations:

1. Blade selection
   The selection process includes selecting the switch and the blades to be affected by the swap operation. Figure 2 shows how the source and destination blades are identified to begin the process.

   [FIGURE 2  Identifying the blades]

2. Blade validation
   The validation process includes determining the compatibility between the blades selected for the swap operation:
   • Blade technology.
   [FIGURE 3  Blade swap with Virtual Fabrics during the swap]

4. Port swapping
   The swap ports action is effectively an iteration of the portSwap command for each port on the source blade to each corresponding port on the destination blade. Figure 4 shows Virtual Fabrics, where the blades can be carved up into different logical switches as long as they are carved the same way. If slot 1 and slot 2 ports 0-7 are all in the same logical switch, then blade swapping slot 1 to slot 2 will work.
3. Once the command completes successfully, move the cables from the source blade to the destination blade.
4. Enter the bladeEnable command on the destination blade to enable all user ports.

Power management

All blades are powered on by default when the switch chassis is powered on. Blades cannot be powered off when POST or AP initialization is in progress.
Equipment status

You can check the status of switch operation, High Availability features, and fabric connectivity.

Checking switch operation

1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the switchShow command. This command displays a switch summary and a port summary.
3. Check that the switch and ports are online.
4. Use the switchStatusShow command to further check the status of the switch.
The possible fields and their values are outlined below.

Field       Value
Slot        Displays the physical slot number.
Blade Type  Displays the blade type.
            SW BLADE: The blade is a port blade.
            CP BLADE: The blade is a control processor.
            CORE BLADE: The blade is a core blade (Brocade DCX and DCX-4S only).
            AP BLADE: The blade is the FR4-18i blade.
            UNKNOWN: The blade is not present or its type is not recognized.
ID          Displays the hardware ID of the blade type.
Track and control switch changes

4. Enter the nsAllShow command to display the 24-bit Fibre Channel addresses of all devices in the fabric.
Displaying the status of the track changes feature

1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the trackChangesShow command.
   The status of the track changes feature is displayed as either on or off. The display includes whether or not the track changes feature is configured to send SNMP traps.
The current switch status policy parameter values are displayed. You are prompted to enter values for each DOWN and MARGINAL threshold parameter.

NOTE
By setting the DOWN and MARGINAL values for a parameter to 0,0, that parameter is no longer used in setting the overall status for the switch.

3. Verify the threshold settings you have configured for each parameter. Enter the switchStatusPolicyShow command to view your current switch status policy configuration.
    Out of range
    Flash contributing to MARGINAL status: (0..1) [1]
    MarginalPorts contributing to DOWN status: (0..1800) [112]
    MarginalPorts contributing to MARGINAL status: (0..1800) [44]
    FaultyPorts contributing to DOWN status: (0..1800) [112]
    FaultyPorts contributing to MARGINAL status: (0..1800) [44]
    MissingSFPs contributing to DOWN status: (0..576) [0]
    MissingSFPs contributing to MARGINAL status: (0..
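The threshold rule, including the 0,0 special case from the NOTE above, as an added Python example (not Fabric OS code): it evaluates a set of observed counters against (DOWN, MARGINAL) threshold pairs and reports the overall switch status. The counter values are constructed, the thresholds mirror the defaults shown in the prompt output above, and the assumption that a count at or above a threshold triggers the state is the example's, not a statement from the guide.

```python
"""Switch status policy evaluation (added example, not Fabric OS code).

A parameter whose DOWN and MARGINAL thresholds are both 0 is ignored; a 0 on
one side only disables that side.  Assumption: a count at or above a threshold
triggers the corresponding state.
"""
HEALTHY, MARGINAL, DOWN = "HEALTHY", "MARGINAL", "DOWN"
_SEVERITY = {HEALTHY: 0, MARGINAL: 1, DOWN: 2}


def parameter_status(count: int, down: int, marginal: int) -> str:
    """Status contributed by one parameter given its (down, marginal) thresholds."""
    if down == 0 and marginal == 0:
        return HEALTHY                      # 0,0: parameter no longer used
    if down and count >= down:
        return DOWN
    if marginal and count >= marginal:
        return MARGINAL
    return HEALTHY


def switch_status(counts: dict, policy: dict):
    """Return (overall_status, {parameter: status}).

    policy maps a parameter name to a (down_threshold, marginal_threshold) pair;
    counts maps the same names to observed values (a missing count means 0).
    The overall status is the worst contributed by any parameter.
    """
    per_param = {name: parameter_status(counts.get(name, 0), down, marg)
                 for name, (down, marg) in policy.items()}
    overall = max(per_param.values(), key=_SEVERITY.__getitem__, default=HEALTHY)
    return overall, per_param


# Constructed policy mirroring the prompt defaults above, as (DOWN, MARGINAL) pairs
SAMPLE_POLICY = {
    "MarginalPorts": (112, 44),
    "FaultyPorts": (112, 44),
    "MissingSFPs": (0, 0),       # ignored entirely
    "Flash": (0, 1),             # contributes MARGINAL only
}

if __name__ == "__main__":
    print(switch_status({"FaultyPorts": 3, "MissingSFPs": 40}, SAMPLE_POLICY))
    print(switch_status({"MarginalPorts": 44}, SAMPLE_POLICY))
    print(switch_status({"FaultyPorts": 112, "Flash": 1}, SAMPLE_POLICY))
```

Note that 40 missing SFPs leave the switch HEALTHY under this policy only because the MissingSFPs pair is 0,0; check the policy with switchStatusPolicyShow before relying on the overall status as a health signal.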
Audit log configuration

Auditable event classes

Before configuring an audit log, you must select the event classes you want audited. The audit log includes:
• SEC-3001 through SEC-3017
• SEC-3024 through SEC-3029
• ZONE-3001 through ZONE-3012

Table 7 identifies auditable event classes and the auditCfg command operands used to enable auditing of a specific class.
1. Set up an external host machine with a system message log daemon running to receive the audit events that will be generated.
2. On the switch where the audit configuration is enabled, enter the syslogdIpAdd command to add the IP address of the host machine so that it can receive the audit events. You can use IPv4, IPv6, or DNS names for the syslogdIpAdd command.
3. Ensure the network is configured with a network connection between the switch and the remote host.
4.
Chapter 4

Routing Traffic

About this chapter
• Routing overview
• Inter-switch links
• Gateway links
• Inter-chassis links
Routing overview

Path versus route selection

Paths are possible ways to get from one switch to another. Each Inter-Switch Link (ISL) has a metric cost based on bandwidth. The cumulative cost of a path is the sum of the costs of all traversed ISLs. Route selection is the choice of which path is used: paths are selected from the routing database based on minimal cost.
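To make the cost arithmetic concrete, here is an added Python example (not from the guide and not Brocade's FSPF implementation) that runs a shortest-path search over a constructed four-domain fabric and returns every path with the minimal cumulative cost, which is the set of candidates the routing policy then spreads traffic across. The link costs are assumed values chosen so that a slower direct ISL ties with two faster two-hop paths; they are not Brocade's per-speed cost table.

```python
"""Minimal-cost path selection over ISLs (added example, not FSPF itself).

Dijkstra over a graph of domains; every predecessor that reaches a node at the
same minimal cost is kept, so all equal-cost paths can be enumerated.
"""
import heapq
from collections import defaultdict
from math import inf


def add_isl(graph: dict, a: int, b: int, cost: int) -> None:
    """Add a bidirectional ISL between domains a and b with the given metric cost."""
    if cost <= 0:
        raise ValueError("ISL cost must be positive")
    graph[a].append((b, cost))
    graph[b].append((a, cost))


def min_cost_routes(graph: dict, src: int, dst: int):
    """Return (cost, paths): the minimal cumulative cost and all paths achieving it.

    Returns (None, []) when dst is unreachable from src.
    """
    dist = {src: 0}
    preds = defaultdict(list)          # node -> predecessors on minimal-cost paths
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, inf):       # stale heap entry
            continue
        for v, c in graph.get(u, ()):
            nd = d + c
            if nd < dist.get(v, inf):  # strictly better: replace predecessors
                dist[v] = nd
                preds[v] = [u]
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v] and u not in preds[v]:
                preds[v].append(u)     # equal cost: keep as an alternative
    if dst not in dist:
        return None, []

    def walk(node):
        if node == src:
            return [[src]]
        return [p + [node] for u in preds[node] for p in walk(u)]

    return dist[dst], sorted(walk(dst))


def sample_fabric() -> dict:
    """Constructed fabric: four domains in a square of equal-cost ISLs plus a slower diagonal."""
    g = defaultdict(list)
    add_isl(g, 1, 2, 500)
    add_isl(g, 1, 3, 500)
    add_isl(g, 2, 4, 500)
    add_isl(g, 3, 4, 500)
    add_isl(g, 1, 4, 1000)   # assumed slower direct link; same total as the two-hop paths
    return g


if __name__ == "__main__":
    cost, paths = min_cost_routes(sample_fabric(), 1, 4)
    print(cost, paths)
```

With these costs the direct 1-4 link and both two-hop paths all cost 1000, so all three are legitimate routes; which one a given flow takes is then a matter of the routing policy, not of FSPF.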
FSPF makes minimal use of the ISL bandwidth, leaving virtually all of it available for traffic. In a stable fabric, a switch transmits 64 bytes every 20 seconds in each direction. FSPF frames have the highest priority in the fabric. This guarantees that a control frame is not delayed by user data and that FSPF routing decisions occur very quickly during convergence. FSPF guarantees a loop-free routing topology at all times.
Inter-switch links

An inter-switch link (ISL) is a link between two switches, E_Port-to-E_Port. The ports of the two switches automatically come online as E_Ports once the login process finishes successfully. For more information on the login process, refer to Chapter 1, “Understanding Fibre Channel Services”.

[FIGURE 6  New switch added to existing fabric]

You can connect new switches to existing switches, and this expands your fabric.
There are non-fabric parameters that must match as well, such as zoning. Some fabric services, such as Management Server, must match: if it is enabled in the fabric, then the switch you are introducing into the fabric must also have it enabled. If you experience a segmented fabric, refer to the Fabric OS Troubleshooting and Diagnostics Guide to fix the problem.
[FIGURE 7  Virtual Channels on a 1/2/4 Gbps ISL]

Quality of Service (QoS) is a licensed traffic shaping feature available in Fabric OS. QoS allows the prioritization of data traffic based on the SID/DID of each frame. Through the use of QoS zones, traffic can be divided into three priorities: high, medium, and low. The seven data VC channels, VC8-14, are used to multiplex data frames based upon QoS zones when congestion occurs.
[FIGURE 8  Virtual Channels on an 8 Gbps ISL]

Gateway links

A gateway merges SANs into a single fabric by establishing point-to-point E_Port connectivity between two Fibre Channel switches that are separated by a network with a protocol such as IP or SONET. Except for link initialization, gateways are transparent to switches; the gateway simply provides E_Port connectivity from one switch to another. Figure 9 shows two separate SANs, A-1 and A-2, merged together using a gateway.
[FIGURE 9  Gateway link merges SANs]

By default, switch ports initialize links using Exchange Link Parameters (ELP) mode 1. However, gateways expect initialization with ELP mode 2, also referred to as ISL R_RDY mode. Therefore, to enable two switches to link through a gateway, the ports on both switches must be set for ELP mode 2.
Example of enabling a gateway link on slot 2, port 3:

    ecp:admin> portcfgislmode 2/3, 1
    Committing configuration...done.
    ISL R_RDY Mode is enabled for port 3. Please make sure the PID formats are consistent across the entire fabric.

Inter-chassis links

An inter-chassis link (ICL) is a licensed feature used to interconnect two Brocade DCX Backbones, two Brocade DCX-4S Backbones, or a Brocade DCX and a Brocade DCX-4S Backbone.
The following ICL connections are not allowed:
• ICL0 <--> ICL0
• ICL1 <--> ICL1

Refer to the Brocade DCX Data Center Backbone Hardware Reference Manual for detailed ICL connection information. ICL ports can be used only with an ICL license. For more information on how license enforcement occurs, see Chapter 16, “Administering Licensing”.
If one ICL is broken but there is a regular ISL, the triangular topology still holds, given that the ISL cost is lower than the total cost through the ICL linear topology. If a direct ICL link between two switches is broken, the triangular topology is considered broken when the ISL path between the two switches is a multiple-hop path.
Routing policies

Each switch can have its own routing policy, and different policies can exist in the same fabric.

ATTENTION
For most configurations, the default routing policy is optimal and provides the best performance. You should change the routing policy only if there is a performance issue that is of concern, or if a particular fabric configuration or application requires it.

Displaying the current routing policy

1. Connect to the switch and log in as admin.
2.
Using port-based routing, you can assign a static route, in which the path chosen for traffic does not change when a topology change occurs unless the path becomes unavailable. If the static route violates FSPF, it is not used. In contrast, exchange-based routing policies always employ dynamic path selection.

NOTE
For FC routers only: When an FC router is in port-based routing mode, the backbone traffic is load-balanced based on SID and DID.
Setting the routing policy

1. Connect to the switch and log in as admin.
2. Enter the switchDisable command to disable the switch.
3. Take the appropriate following action based on the route policy you choose to implement:
   • If the exchange-based policy is required, enter the aptPolicy 3 command.
   • If the port-based policy is required, enter the aptPolicy 1 command.

Setting up the AP route policy

1. Connect to the switch and log in as admin.
2.
Route selection

• “DLS is set with Lossless enabled.”
  DLS is enabled with the Lossless feature. Load sharing is recomputed with every change in the fabric, and existing routes can be moved to maintain optimal balance. In Lossless mode, no frames are lost during this operation.
• “DLS is set by default with current routing policy. DLS is set with Lossless enabled.”
  Indicates that the current routing policy (exchange-based) requires DLS to be enabled by default.
Frame order delivery

The order of delivery of frames is maintained within a switch and is determined by the routing policy in effect. The frame delivery behaviors for each routing policy are:
• Port-based routing
  All frames received on an incoming port destined for a destination domain are guaranteed to exit the switch in the same order in which they were received.
Lossless Dynamic Load Sharing on ports

Lossless Dynamic Load Sharing (DLS) allows you to rebalance port paths without causing input/output (I/O) failures. For devices where In-Order Delivery (IOD) of frames is required, you can set IOD separately. You can use this feature with the Brocade 300, 5100, 5300, and VA-40FC switches, and with the FC8-16/32/48/64 port blades and the FS8-18 and FX8-24 application blades in the Brocade DCX and DCX-4S enterprise-class platforms.
TABLE 9  Combinations of routing policy and IOD with Lossless DLS enabled (Continued)

Policy          IOD       Rebalance result with Lossless DLS enabled
Exchange-based  Disabled  No frame loss, but out-of-order frames may occur.
Exchange-based  Enabled   No frame loss and no out-of-order frames. Topology restrictions apply. Intended for FICON environments.
Example of how DLS affects other logical switches in the fabric

On a Brocade DCX platform, logical switch 1 consists of ports 0 through 5 in slot 1. Logical switch 2 consists of ports 6–10 in slot 1. The Lossless DLS feature is enabled on logical switch 1. Because ports 0–10 in slot 1 belong to a logical switch where Lossless DLS is turned on, the traffic in logical switch 2 is affected whenever traffic for logical switch 1 is rebalanced.
Frame Redirection

[FIGURE 12  Single Host and Target]

Figure 12 demonstrates the flow of frame redirection traffic. A frame starts at the host with a destination to the target. The port where the appliance is attached to the host switch acts as the virtual initiator, and the port where the appliance is attached to the target switch is the virtual target.
Chapter 5

Managing User Accounts

In this chapter
• User accounts overview
• Local database user accounts
• Local account database distribution
• Password policies
• The boot PROM password
User accounts overview

Fabric OS provides three options for authenticating users: remote RADIUS services, remote LDAP service, and the local switch user database. All options allow users to be centrally managed using the following methods:
• Remote RADIUS server: Users are managed in a remote RADIUS server. All switches in the fabric can be configured to authenticate against the centralized remote database.
• Remote LDAP server: Users are managed in a remote LDAP server.
The default home domain for the predefined accounts is AD0. For user-defined accounts, the default home domain is the Admin Domain in the user's Admin Domain list with the lowest ID.

Role permissions

Table 11 describes the types of permissions that are assigned to roles.
TABLE 12  RBAC permissions matrix (Continued)

Category                Admin  Basic Switch Admin  Fabric Admin  Operator  Security Admin  Switch Admin  User  Zone Admin
Encryption Management   OM     N                   OM            N         O               N             N     N
Ethernet Configuration  OM     O                   OM            O         N               OM            O     N
Fabric                  OM     O                   OM            O         O               O             O     O
Fabric Distribution     OM     N                   OM            N         OM              N             N     N
Fabric Routing          OM     O                   OM            O         O               O             O     O
Fabric Watch            OM     O                   OM            OM        N               OM            O     N
FICON                   OM     O                   OM            OM        N               OM            O     N
FIPS Bootp
TABLE 12  RBAC permissions matrix (Continued)

Category                            Admin  Basic Switch Admin  Fabric Admin  Operator  Security Admin  Switch Admin  User  Zone Admin
SNMP                                OM     O                   OM            O         OM              OM            O     N
Statistics                          OM     O                   OM            OM        N               OM            O     N
Statistics—Device                   OM     O                   OM            OM        N               OM            O     N
Statistics—Port                     OM     O                   OM            OM        N               OM            O     N
Switch Configuration                OM     O                   OM            OM        OM              OM            O     O
Switch Management                   OM     O                   OM            OM        O               OM            O     O
Switch Management—IP Configuration  OM     O                   OM            OM
Local database user accounts

User add, change, and delete operations are subject to the subset rule: an admin with ADlist 0-10 or LFlist 1-10 cannot perform operations on an admin, user, or any role with an ADlist 11-25 or LFlist 11-128. The user account being changed must have an ADlist or LFlist that is a subset of the account that is making the change.
Deleting an account

This procedure can be performed on local user accounts.

1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the userConfig --delete command.

   NOTE
   You cannot delete the default accounts. An account cannot delete itself. All active CLI sessions for the deleted account are logged out.

3. At the prompt for confirmation, enter y.

Changing account parameters

This procedure can be performed on local user accounts.
Local account database distribution

Fabric OS allows you to distribute the user database and passwords to other switches in the fabric. When the switch accepts a distributed user database, it replaces the local user database with the user database it receives. By default, switches accept the user databases and passwords distributed from other switches. The ‘Locked’ status of a user account is not distributed as part of local user database distribution.
Password policies

The password policies described in this section apply to the local switch user database only. Configured password policies (and all user account attribute and password state information) are synchronized across CPs and remain unchanged after an HA failover. Password policies can also be manually distributed across the fabric (see “Local account database distribution” on page 90).
• MinLength
  Specifies the minimum length of the password. The minimum can be from 8 to 40 characters. New passwords must be between the minimum length specified and 40 characters. The default value is 8. The maximum value must be greater than or equal to the MinLength value.
• Repeat
  Specifies the length of repeated character sequences that will be disallowed.
Password expiration policy

The password expiration policy forces expiration of a password after a configurable period of time, and is enforced across all user accounts. A warning that password expiration is approaching is displayed when the user logs in. When a user's password expires, he or she must change the password to complete the authentication process and open a user session. You can specify the number of days prior to password expiration during which warnings will commence.
The following commands are used to manage the account lockout policy:
• userConfig --change account_name -u
• passwdCfg --disableadminlockout

Note that the account-locked state is distinct from the account-disabled state.

Use the following attributes to set the account lockout policy:
• LockoutThreshold
  Specifies the number of times a user can attempt to log in using an incorrect password before the account is locked.
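The interaction of the MinLength and Repeat checks with the lockout threshold, as an added Python example (not Fabric OS code): it models a local user database that rejects non-compliant passwords, locks an account after LockoutThreshold failed attempts, keeps the locked state separate from the disabled state, and clears the lock the way an administrator's userConfig --change name -u does. Assumptions made for the example, none of which the guide states: Repeat rejects any run of one character at least Repeat long and a value of 1 means the check is off; a LockoutThreshold of 0 means lockout is off; the failed-attempt counter resets on a successful login; passwords are stored as salted PBKDF2-SHA256 hashes, which is the example's choice, not the switch's storage format.

```python
"""Local user database with password policy and lockout (added example).

Not Fabric OS code.  Models MinLength, Repeat and LockoutThreshold as this
section describes them; see the lead-in for the assumptions made.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


def longest_run(text: str) -> int:
    """Length of the longest run of one repeated character ('aaab' -> 3, '' -> 0)."""
    best = run = 0
    prev = None
    for ch in text:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


@dataclass
class PasswordPolicy:
    min_length: int = 8      # MinLength: 8..40, default 8
    max_length: int = 40     # new passwords must not exceed 40 characters
    repeat: int = 1          # Repeat: 1 means no repeat check (assumption)

    def __post_init__(self) -> None:
        if not 8 <= self.min_length <= 40 or self.max_length < self.min_length:
            raise ValueError("MinLength must be 8..40 and not exceed the maximum length")

    def violations(self, password: str) -> list:
        """Return the rules the candidate password breaks (empty list = accepted)."""
        problems = []
        if not self.min_length <= len(password) <= self.max_length:
            problems.append(f"length must be {self.min_length}..{self.max_length}")
        if self.repeat > 1 and longest_run(password) >= self.repeat:
            problems.append(f"a character repeated {self.repeat} or more times in a row")
        return problems


@dataclass
class Account:
    name: str
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False      # set by the lockout policy, cleared by an admin
    disabled: bool = False    # administrative state, independent of lockout


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LocalUserDB:
    def __init__(self, policy: PasswordPolicy, lockout_threshold: int = 0):
        self.policy = policy
        self.lockout_threshold = lockout_threshold   # 0 = lockout off (assumption)
        self.accounts = {}

    def add_user(self, name: str, password: str) -> None:
        problems = self.policy.violations(password)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        salt = os.urandom(16)
        self.accounts[name] = Account(name, salt, _hash(password, salt))

    def authenticate(self, name: str, password: str) -> str:
        """Return 'ok', 'bad-password', 'locked', 'disabled' or 'no-such-user'."""
        acct = self.accounts.get(name)
        if acct is None:
            return "no-such-user"
        if acct.disabled:
            return "disabled"
        if acct.locked:
            return "locked"          # a correct password does not get in either
        if hmac.compare_digest(_hash(password, acct.salt), acct.digest):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if self.lockout_threshold and acct.failed_attempts >= self.lockout_threshold:
            acct.locked = True
        return "bad-password"

    def unlock(self, name: str) -> None:
        """Administrative unlock, the equivalent of userConfig --change name -u."""
        acct = self.accounts[name]
        acct.locked = False
        acct.failed_attempts = 0
```

The locked flag is deliberately not part of what add_user writes, mirroring the section above on database distribution: a locked account pushed to another switch arrives unlocked there.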
The boot PROM password

The boot PROM password provides an additional layer of security by protecting the boot PROM from unauthorized use. Setting a recovery string for the boot PROM password enables you to recover a lost boot PROM password by contacting your switch service provider. Without the recovery string, a lost boot PROM password cannot be recovered.
The recovery string must be between 8 and 40 alphanumeric characters. A random string that is 15 characters or longer is recommended for higher security. The firmware prompts for this password only once. It is not necessary to remember the recovery string because it is displayed the next time you enter the command shell. The following prompt displays:

    New password:

6. Enter the boot PROM password, then re-enter it when prompted.
The recovery string must be between 8 and 40 alphanumeric characters. A random string that is 15 characters or longer is recommended for higher security. The firmware prompts for this password only once. It is not necessary to remember the recovery string because it is displayed the next time you enter the command shell. The following prompt displays:

    New password:

7. Enter the boot PROM password, then re-enter it when prompted.
5. At the shell prompt, enter the passwd command.

   NOTE
   The passwd command only applies to the boot PROM password when it is entered from the boot interface.

6. Enter the boot PROM password at the prompt, then re-enter it when prompted. The password must be eight alphanumeric characters; any characters beyond the eighth are not recorded, so a longer password is silently truncated to its first eight characters. Record this password for future use.
7. Enter the saveEnv command to save the new password.
8. Reboot the switch by entering the reset command.
8. Enter the boot PROM password at the prompt, then re-enter it when prompted. The password must be eight alphanumeric characters; any characters beyond the eighth are not recorded, so a longer password is silently truncated to its first eight characters. Record this password for future use.
9. Enter the saveEnv command to save the new password.
10. Reboot the standby CP blade by entering the reset command.
11.
The authentication model using RADIUS and LDAP

To enable RADIUS or LDAP service, it is strongly recommended that you access the CLI through an SSH connection so that the shared secret is protected. Multiple login sessions can configure the service simultaneously, and the last session to apply a change leaves its configuration in effect. After a configuration is applied, it persists after a reboot or an HA failover. To enable LDAP service, you need to install a certificate on the Microsoft Active Directory server.
TABLE 15  Authentication configuration options (Continued)

aaaConfig options                   Equivalent setting in Fabric OS v5.1.0 and earlier  Description
--authspec “radius;local” --backup  --radius --switchdb1                                Authenticates management connections against any RADIUS databases. If RADIUS fails because the service is not available, it then authenticates against the local user database.
You can set a user password expiration date and add a warning for RADIUS login. The password expiry date must be specified in UTC and in MM/DD/YYYY format. The password warning specifies the number of days prior to the password expiration at which the user starts to be notified of the pending expiration. You must specify either both attributes or neither.
Windows 2000 IAS

To configure a Windows 2000 Internet Authentication Service (IAS) server to use a VSA to pass the Admin role to the switch in the dial-in profile, the configuration specifies the Vendor code (1588), Vendor-assigned attribute number (1), and attribute value (admin), as shown in Figure 13.
RADIUS configuration with Admin Domains or Virtual Fabrics

When configuring users with Admin Domains or Virtual Fabrics, you must also include the Admin Domain or Virtual Fabric member list. This section describes the way that you configure attribute types for this configuration.
In the next example, on a Linux FreeRADIUS server, the user takes the “zoneAdmin” role, with VFlist 2, 4, 5, 6, 7, 8, 10, 11, 12, 13, 15, 17, 19, 22, 23, 24, 25, 29, 31 and HomeLF 1.
    ATTRIBUTE  Brocade-Auth-Role          1  string  Brocade
    ATTRIBUTE  Brocade-AVPairs1           2  string  Brocade
    ATTRIBUTE  Brocade-AVPairs2           3  string  Brocade
    ATTRIBUTE  Brocade-AVPairs3           4  string  Brocade
    ATTRIBUTE  Brocade-AVPairs4           5  string  Brocade
    ATTRIBUTE  Brocade-Passwd-ExpiryDate  6  string  Brocade
    ATTRIBUTE  Brocade-Passwd-WarnPeriod  7  string  Brocade

This defines the Brocade vendor ID as 1588, the Brocade attribute 1 as Brocade-Auth-Role and 6 as Brocade-Passwd-ExpiryDate, both
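What those dictionary entries become on the wire, as an added Python example (not from the guide, from FreeRADIUS or from Fabric OS): it encodes the Brocade vendor-specific attributes (vendor ID 1588, sub-types 1 through 7) into an RFC 2865 Access-Accept, computes the Response Authenticator over the shared secret, and decodes and verifies the packet the way a RADIUS client must before trusting the role it carries. The request authenticator, shared secret and attribute values are constructed; the string placed in Brocade-AVPairs1 is a placeholder, not the syntax Fabric OS expects for a Virtual Fabric list.

```python
"""Brocade RADIUS VSAs on the wire (added example, not Fabric OS or FreeRADIUS code)."""
import hashlib
import hmac
import struct

BROCADE_VENDOR_ID = 1588
VENDOR_SPECIFIC = 26        # RFC 2865 attribute type
ACCESS_ACCEPT = 2
BROCADE_ATTRS = {
    1: "Brocade-Auth-Role",
    2: "Brocade-AVPairs1",
    3: "Brocade-AVPairs2",
    4: "Brocade-AVPairs3",
    5: "Brocade-AVPairs4",
    6: "Brocade-Passwd-ExpiryDate",
    7: "Brocade-Passwd-WarnPeriod",
}
_NAME_TO_TYPE = {name: t for t, name in BROCADE_ATTRS.items()}


def encode_vsa(name: str, value: str) -> bytes:
    """One Vendor-Specific attribute: type 26 | len | vendor-id(4) | vtype | vlen | value."""
    vtype = _NAME_TO_TYPE[name]
    data = value.encode()
    if len(data) > 253 - 6:
        raise ValueError(f"{name} value too long for a single VSA")
    body = struct.pack("!IBB", BROCADE_VENDOR_ID, vtype, len(data) + 2) + data
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes, attrs) -> bytes:
    """Server side: Access-Accept whose Response Authenticator follows RFC 2865 section 3."""
    if len(request_auth) != 16:
        raise ValueError("request authenticator must be 16 bytes")
    attr_bytes = b"".join(encode_vsa(n, v) for n, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attr_bytes))
    resp_auth = hashlib.md5(header + request_auth + attr_bytes + secret).digest()
    return header + resp_auth + attr_bytes


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: reject a response whose authenticator does not match the shared secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, resp_auth, attr_bytes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attr_bytes + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def decode_brocade_attrs(packet: bytes) -> dict:
    """Extract Brocade VSAs by name; standard and other vendors' attributes are skipped."""
    found = {}
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad attribute length")
        data = packet[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(data) < 6:
            continue
        if struct.unpack("!I", data[:4])[0] != BROCADE_VENDOR_ID:
            continue
        p = 4
        while p + 2 <= len(data):
            vtype, vlen = data[p], data[p + 1]
            if vlen < 2 or p + vlen > len(data):
                raise ValueError("bad vendor sub-attribute length")
            name = BROCADE_ATTRS.get(vtype, f"Brocade-Unknown-{vtype}")
            found[name] = data[p + 2:p + vlen].decode()
            p += vlen
    return found


if __name__ == "__main__":
    request_auth = bytes(range(16))          # constructed; a real client sends 16 random bytes
    secret = b"example-shared-secret"        # constructed
    pkt = build_access_accept(7, request_auth, secret, [
        ("Brocade-Auth-Role", "zoneAdmin"),
        ("Brocade-AVPairs1", "HomeLF=1;VFlist=2,4,5"),   # placeholder syntax
        ("Brocade-Passwd-ExpiryDate", "11/10/2010"),     # MM/DD/YYYY, UTC
        ("Brocade-Passwd-WarnPeriod", "30"),
    ])
    print(verify_response(pkt, request_auth, secret), decode_brocade_attrs(pkt))
```

The order of operations in verify_response is the security-relevant part: the role is only as trustworthy as the shared secret that authenticates the response, which is why the section above insists the secret be configured over SSH rather than a cleartext session.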
Enabling clients

Clients are the switches that will use the RADIUS server; each client must be defined. By default, all IP addresses are blocked. The Brocade 48000 director and the Brocade DCX and DCX-4S enterprise-class platforms send their RADIUS requests using the IP address of the active CP. When adding clients, add both the active and standby CP IP addresses so that, in the event of a failover, users can still log in to the switch.

1.
IAS is the Microsoft implementation of a RADIUS server and proxy. IAS uses the Windows native user database to verify user login credentials; it does not list specific users, but instead lists user groups. Each user group should be associated with a specific switch login role. For example, you should configure a user group for root, admin, factory, switchAdmin, and user, and then add any users whose logins you want to associate to the appropriate group.

4.
Setting up the RSA RADIUS server

For more information on how to install and configure the RSA Authentication Manager and the RSA RADIUS server, refer to your documentation or visit www.rsa.com.

1. Create user records in the RSA Authentication Manager.
2. Configure the RSA Authentication Manager by adding an agent host.
3. Configure the RSA RADIUS server.
    ###########################################################################
    # brocade.dct -- Brocade Dictionary
    #
    # (See readme.dct for more details on the format of this file)
    ###########################################################################
    #
    # Use the Radius specification attributes in lieu of the Brocade one:
    #
    @radius.
d. Add the Brocade profile.
e. In RSA Authentication Manager, edit the user records that will be authenticating using RSA SecurID.

LDAP configuration and Microsoft Active Directory

LDAP provides user authentication and authorization using the Microsoft Active Directory service in conjunction with LDAP on the switch. There are two modes of operation in LDAP authentication, FIPS mode and non-FIPS mode.
3. Create a group name that uses the switch's role name, so that the Active Directory group's name is the same as the switch's role name.
   or
   Use the ldapCfg --maprole ldap_role_name switch_role command to map an LDAP server role to one of the default roles available on the switch.
4. Associate the user to the group by adding the user to the group. For instructions on how to create a user, refer to www.microsoft.
The authentication model using RADIUS and LDAP 5 Adding an Admin Domain or Virtual Fabric list 1. From the Windows Start menu, select Programs> Administrative Tools> ADSI.msc ADSI is a Microsoft Windows Resource Utility. This will need to be installed to proceed with the rest of the setup. For Windows 2003, this utility comes with Service Pack 1 or you can download this utility from the Microsoft web site. 2. Go to CN=Users 3. Right click on select Properties. Click the Attribute Editor tab. 4.
5 The authentication model using RADIUS and LDAP Authentication servers on the switch At least one RADIUS or LDAP server must be configured before you can enable RADIUS or LDAP service. You can configure the RADIUS or LDAP service even if it is disabled on the switch. You can configure up to five RADIUS or LDAP servers. You must be logged in as admin or switchAdmin to configure the RADIUS service.
The authentication model using RADIUS and LDAP 5 Changing a RADIUS or LDAP server configuration 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the aaaConfig --change command. Changing the order in which RADIUS or LDAP servers are contacted for service 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the aaaConfig --move command. When the command succeeds, the event log indicates that a server configuration is changed.
Chapter 6 Configuring Protocols

In this chapter
• Security protocols
• Secure Copy
• Secure Shell protocol
• Secure Sockets Layer protocol

TABLE 18 Secure protocol support
Protocol | Description
SSH | Secure Shell (SSH) is a network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.
SSL | Fabric OS uses secure socket layer (SSL) to support HTTPS.

Setting up SCP for configUploads and downloads

1. Log in to the switch as admin.
2. Type the configure command.
3. Type y or yes at the cfgload attributes prompt.
4. Type y or yes at the Enforce secure configUpload/Download prompt.

Example of setting up SCP for configUpload/download

switch:admin> configure
Not all options will be available on an enabled switch.
To disable the switch, use the "switchDisable" command.
Configure...
Secure Shell protocol

SSH public key authentication

OpenSSH public key authentication provides password-less logins, known as SSH authentication, that use public and private key pairs for incoming and outgoing authentication. This feature allows only one allowed-user to be configured to utilize OpenSSH public key authentication. Using OpenSSH RSA and DSA, the authentication protocols are based on a pair of specially generated cryptographic keys, called the private key and the public key.

Example of RSA/DSA key pair generation

alloweduser@mymachine: ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/users/alloweduser/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /users/alloweduser/.ssh/id_dsa.
Your public key has been saved in /users/alloweduser/.ssh/id_dsa.pub.
Deleting keys on the switch

1. Log in to the switch as the allowed-user.
2. Use the sshUtil delprivkey command to delete the private key.
   or
   Use the sshUtil delpubkeys command to delete all public keys.

For more information on IP Filter policies, refer to Chapter 7, "Configuring Security Policies".

Secure Sockets Layer protocol

Secure sockets layer (SSL) protocol provides secure access to a fabric through Web-based management tools like Web Tools.

SSL configuration overview

You configure for SSL by obtaining, installing, and activating digital certificates for SSL support. Certificates are required on all switches that are to be accessed through SSL. Also, you must install a certificate in the Java Plug-in on the management workstation, and you may need to add a certificate to your Web browser. Configuring for SSL involves these main steps, which are shown in detail in the next sections.

1.

Generating a public and private key

Perform this procedure on each switch.

1. Connect to the switch and log in as admin.
2. Enter the secCertUtil genkey command to generate a public/private key pair. The system reports that this process will disable secure protocols, delete any existing CSR, and delete any existing certificates.
3. Respond to the prompts to continue and select the key size.

If you are set up for secure file copy protocol, you can select it; otherwise, select ftp. Enter the IP address of the switch on which you generated the CSR. Enter the remote directory name of the FTP server to which the CSR is to be sent. Enter your account name and password on the server.

Obtaining certificates

Check the instructions on the CA Web site; then, perform this procedure for each switch.

1.

The next procedures are guides for installing root certificates in the Internet Explorer and Mozilla Firefox browsers. For more detailed instructions, refer to the documentation that came with the certificate.

Checking and installing root certificates on Internet Explorer

1. Select Tools > Internet Options.
2. Click the Content tab.
3. Click Certificates.
4. Click the Intermediate or Trusted Root tabs and scroll the list to see if the root certificate is listed.
3. Enter the keytool command and respond to the prompts.

Example of installing a root certificate

C:\Program Files\Java\j2re1.6.0\bin> keytool -import -alias RootCert -file RootCert.crt -keystore ..

Simple Network Management Protocol

If you use both SW-MIB and FA-MIB, you may receive duplicate information. You can disable the FA-MIB, but not the SW-MIB. You can also use these additional MIBs and their associated traps:
• FICON-MIB (for FICON environments)
• SW-EXTTRAP Includes the swSsn (Software Serial Number) as a part of Brocade SW traps.
For information on Brocade MIBs, see the Fabric OS MIB Reference.
Attributes that are specific to each logical switch belong to the switch category. These attributes are available in the Virtual Fabrics context and not available in the Chassis context. Attributes that are common across the logical switches belong to the chassis level. These attributes are accessible to users having the chassis-role permission. When a chassis table is queried, the context is set to the chassis context if the user has the chassis-role permission.

Telnet protocol

ATTENTION
The rule number assigned has to precede the default rule number for this protocol. For example, in the defined policy, the Telnet rule number is 2; therefore, to effectively block Telnet, the rule number to assign must be 1. If you choose not to use 1, you will need to delete the Telnet rule number 2 after adding this rule. Refer to "Deleting a rule to an IP Filter policy" on page 157 for more information on deleting IP filter rules.

6.

3. To permanently delete the policy, type the ipfilter --save command.

ATTENTION
If you deleted the rule to permit Telnet, you will need to add a rule to permit Telnet.

Listener applications

Brocade switches block Linux subsystem listener applications that are not used to implement supported features and capabilities. Table 22 lists the listener applications that Brocade switches either block or do not start.

Ports and applications used by switches

TABLE 23 Access defaults (Continued)
Access | Default
Devices | All devices can access the management server. Any device can connect to any FC port in the fabric.
Switch access | Any switch can join the fabric. All switches in the fabric can be accessed through a serial port.
Zoning | No zoning is enabled.

Port configuration

Table 24 provides information on ports that the switch uses.
Chapter 7 Configuring Security Policies

In this chapter
• ACL policies overview
• ACL policy management
• FCS policies
• DCC policies

ACL policy management

Policies with the same state are grouped together in a Policy Set. Each switch has the following two sets:
• Active policy set, which contains ACL policies being enforced by the switch.
• Defined policy set, which contains a copy of all ACL policies on the switch.
When a policy is activated, the defined policy either replaces the policy with the same name in the active set or becomes a new active policy.

Displaying ACL policies

You can view the active and defined policy sets at any time. Additionally, in a defined policy set, policies created in the same login session also appear, but these policies are automatically deleted if you log out without saving them.

1. Connect to the switch and log in using an account assigned to the admin role.
2. Type the secPolicyShow command.

Adding a member to an existing ACL policy

As soon as a policy has been activated, the aspect of the fabric managed by that policy is enforced.

1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the secPolicyAdd command.
3. To implement the change immediately, enter the secPolicyActivate command.
FCS policies

Fabric Configuration Server (FCS) policy in base Fabric OS may be performed on a local switch basis and may be performed on any switch in the fabric. The FCS policy is not present by default, but must be created. When the FCS policy is created, the WWN of the local switch is automatically included in the FCS list. Additional switches can be included in the FCS list. The first switch in the list becomes the Primary FCS switch.

TABLE 27 FCS switch operations
Allowed on FCS switches | Allowed on all switches
secPolicyAdd (Allowed on all switches for SCC and DCC policies as long as it is not fabric-wide) | secPolicyShow
secPolicyCreate (Allowed on all switches for SCC and DCC policies as long as it is not fabric-wide) | fddCfg --localaccept or fddCfg --localreject
secPolicyDelete (Allowed on all switches for SCC and DCC policies as long as it is not fabric-wide) | userconfig, Passwd, Passwdcfg (Fabric-wide distributi

NOTE
FCS policy must be consistent across the fabric. If the policy is inconsistent in the fabric, then you will not be able to perform any fabric-wide configurations from the primary FCS.

Modifying the order of FCS switches

1. Log in to the Primary FCS switch using an account assigned to the admin role.
2. Type secPolicyShow "Defined", "FCS_POLICY". This displays the WWNs of the current Primary FCS switch and backup FCS switches.
3.
Only the Primary FCS switch is allowed to distribute the database. The FCS policy may need to be manually distributed across the fabric using the distribute -p command. Since this policy is distributed manually, the command fddCfg --fabwideset is used to distribute a fabric-wide consistency policy for FCS policy in an environment consisting of only Fabric OS v6.2.0 and later switches.

DCC policies

TABLE 29 DCC policy states
Policy state | Characteristics
No policy | Any device can connect to any switch port in the fabric.
Policy with no entries | Any device can connect to any switch port in the fabric. An empty policy is the same as no policy.
Policy with entries | If a device WWN is specified in a DCC policy, that device is only allowed access to the switch if connected by a switch port listed in the same policy.

DCC_POLICY_nnn is the name of the DCC policy; nnn is a string consisting of up to 19 alphanumeric or underscore characters to differentiate it from any other DCC policies.

3. To save or activate the new policy, enter the appropriate command:
• To save the policy, enter the secPolicySave command.
• To save and activate the policy, enter the secPolicyActivate command.
If neither of these commands is entered, the changes are lost when the session is logged out.
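The DCC policy states in Table 29 and the DCC_POLICY_nnn naming rule, modelled as an added example (not Fabric OS code). The WWNs and port indexes are constructed; the rule applied to a device that no policy names (it may use only ports that no policy lists) is an assumption of this example and is not stated on this page.

```python
import re

# Policy names: DCC_POLICY_nnn, with nnn up to 19 alphanumeric or underscore characters.
DCC_NAME = re.compile(r"^DCC_POLICY_[A-Za-z0-9_]{1,19}$")


def valid_dcc_policy_name(name):
    return DCC_NAME.match(name) is not None


class DccPolicySet:
    """Defined DCC policies of one switch.

    policies maps a policy name to {"devices": set of device WWNs,
    "ports": set of (switch WWN, port index)} listed in that policy.
    """

    def __init__(self, policies):
        for name in policies:
            if not valid_dcc_policy_name(name):
                raise ValueError(f"invalid DCC policy name: {name}")
        # Table 29: an empty policy is the same as no policy, so drop it.
        self.policies = {n: p for n, p in policies.items()
                         if p["devices"] or p["ports"]}

    def allows(self, device_wwn, switch_port):
        """Return True if device_wwn may log in through switch_port."""
        if not self.policies:
            return True  # no policy: any device can connect to any port
        naming_device = [p for p in self.policies.values()
                         if device_wwn in p["devices"]]
        if naming_device:
            # Device WWN is specified: access only through a port listed
            # in the same policy.
            return any(switch_port in p["ports"] for p in naming_device)
        # Assumption (not on this page): a device named in no policy may use
        # only a port that no policy lists.
        return not any(switch_port in p["ports"]
                       for p in self.policies.values())


# Constructed sample WWNs and ports (not real devices).
SWITCH = "10:00:00:05:1e:00:00:01"
HOST_A = "10:00:00:00:c9:2b:c7:3b"
HOST_B = "10:00:00:00:c9:2b:c7:3c"


def example_policy_set():
    return DccPolicySet({
        "DCC_POLICY_host_a": {"devices": {HOST_A},
                              "ports": {(SWITCH, 3), (SWITCH, 4)}},
        "DCC_POLICY_empty": {"devices": set(), "ports": set()},
    })


if __name__ == "__main__":
    dcc = example_policy_set()
    print(dcc.allows(HOST_A, (SWITCH, 3)))  # True: named device on a listed port
    print(dcc.allows(HOST_A, (SWITCH, 7)))  # False: named device on an unlisted port
    print(dcc.allows(HOST_B, (SWITCH, 7)))  # True (assumed): unnamed device, unlisted port
    print(dcc.allows(HOST_B, (SWITCH, 3)))  # False (assumed): unnamed device, listed port
    print(valid_dcc_policy_name("DCC_POLICY_" + "x" * 20))  # False: nnn too long
```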
SCC policies

The switch connection control (SCC) policy is used to restrict which switches can join the fabric. Switches are checked against the policy each time an E_Port-to-E_Port connection is made. The policy is named SCC_POLICY and accepts members listed as WWNs, domain IDs, or switch names. Only one SCC policy can be created. By default, any switch is allowed to join the fabric; the SCC policy does not exist until it is created.

Authentication policy for fabric elements

By default, Fabric OS v6.2.0 and later use DH-CHAP or FCAP protocols for authentication. These protocols use shared secrets and digital certificates, based on switch WWN and public key infrastructure (PKI) technology, to authenticate switches. Authentication automatically defaults to FCAP if both switches are configured to accept FCAP protocol in authentication.

The switch authentication (AUTH) policy initiates DH-CHAP/FCAP authentication on all E_Ports. This policy is persistent across reboots, which means authentication will be initiated automatically on ports or switches brought online if the policy is set to activate authentication. The AUTH policy is distributed by command; automatic distribution of the AUTH policy is not supported.
WARNING: This is a disruptive operation that requires a reboot to take effect.
All EX ports will be disabled upon reboot.
Would you like to continue [Y/N] y

switch:admin> authutil --authinit 2,3,4

CAUTION
If data input has not been completed and a failover occurs, the command is terminated without completion and your entire input is lost.

Device authentication policy

Device authentication policy can also be categorized as an F_Port, node port, or an HBA authentication policy. Fabric-wide distribution of the device authentication policy is not supported because the device authentication requires manual interaction in setting the HBA shared secrets and switch shared secrets, and most of the HBAs do not support the defined DH groups for use in the DH-CHAP protocol.

• FICON channels
• Configupload and download will not be supported for the following AUTH attributes: auth type, hash type, group type.

Supported HBAs

The following HBAs support authentication:
• Emulex LP11000 (Tested with Storport Miniport v2.0 windows driver)
• Qlogic QLA2300 (Tested with Solaris v5.

When using DH-CHAP, make sure that you configure the switches at both ends of a link.

NOTE
If you set the authentication protocol to DH-CHAP or FCAP, have not configured shared secrets or certificates, and authentication is checked (for example, you enable the switch), then switch authentication fails.
Example of setting a secret key pair

switchA:admin> secauthsecret --set
This command is used to set up secret keys for the DH-CHAP authentication.
The minimum length of a secret key is 8 characters and maximum 40 characters.
Setting up secret keys does not initiate DH-CHAP authentication. If switch is
configured to do DH-CHAP, it is performed whenever a port or a switch is enabled.
Warning: Please use a secure channel for setting secrets.

You can request a certificate from a CA through a Web browser. After you request a certificate, the CA either sends certificate files by e-mail (public) or gives access to them on a remote host (private). Typically, the CA provides the certificate files listed in Table 31.

ATTENTION
Only the .pem file is supported for FCAP authentication.

TABLE 31 FCAP certificate files
Certificate file | Description
nameCA.pem | The CA certificate.

jdoe@10.1.2.3's password:
Success: exported FCAP CA certificate

Import CA for FCAP

Once you receive the files back from the Certificate Authority, you will need to install or import them onto the local and remote switches.

1. Log in to the switch using an account assigned to the admin role.
2. Enter the secCertUtil import -fcapswcert command and verify the CA certificates are consistent on both local and remote switches.
Fabric-wide distribution of the Auth policy

The AUTH policy can be manually distributed to the fabric by command; there is no support for automatic distribution. To distribute the AUTH policy, see "Distributing the local ACL policies" on page 160 for instructions. Local switch configuration parameters are needed to control whether a switch accepts or rejects distributions of the AUTH policy using the distribute command and whether the switch may initiate distribution of the policy.

IP Filter policy

Cloning an IP Filter policy

You can create an IP Filter policy as an exact copy of an existing policy. The policy created is stored in a temporary buffer and has the same type and rules as the existing defined or active policy.

1. Log in to the switch using an account assigned to the admin role.
2. Enter the ipFilter --clone command.

Deleting an IP Filter policy

You can delete a specified IP Filter policy. Deleting an IP Filter policy removes it from the temporary buffer. To permanently delete the policy from the persistent database, run ipfilter --save. An active IP Filter policy cannot be deleted.

1. Log in to the switch using an account assigned to the admin role.
2. Enter the ipFilter --delete command.
3. To permanently delete the policy, enter the ipfilter --save command.

TABLE 32 Supported services (Continued)
Service name | Port number
snmp | 161
ssh | 22
sunrpc | 111
telnet | 23
www | 80

TCP and UDP protocols are valid selections. Fabric OS v6.2.0 and later does not support configuration to filter other protocols. Implicitly, ICMP type 0 and type 8 packets are always allowed to support ICMP echo request and reply on commands like ping and traceroute. For the action, only "permit" and "deny" are valid.

IP Filter policy enforcement

An active IP Filter policy is a filter applied to the IP packets through the management interface. IPv4 management traffic passes through the active IPv4 filter policy, and IPv6 management traffic passes through the active IPv6 filter policy. The IP Filter policy applies to the incoming (ingress) management traffic only. When a packet arrives, it is compared against each rule, starting from the first rule.
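The first-match enforcement just described, together with the service names of Table 32, the TCP/UDP-only and permit/deny-only constraints, the implicit ICMP echo allowance, and the earlier note that a deny rule must precede the default Telnet rule 2 to take effect, as an added example (not Fabric OS code). The policy is constructed for this example and is not the real default policy; treating an unmatched packet as dropped, and inserting rules by position, are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass

# Port numbers for the service names quoted from Table 32.
SERVICES = {"snmp": 161, "ssh": 22, "sunrpc": 111, "telnet": 23, "www": 80}


def port_range(spec):
    """'ssh' -> (22, 22); '23' -> (23, 23); '600-1023' -> (600, 1023)."""
    lo, _, hi = spec.partition("-")
    lo = int(SERVICES.get(lo, lo))
    return lo, (int(hi) if hi else lo)


@dataclass
class Rule:
    number: int      # position in the policy; rule 1 is compared first
    source: str      # "any" or a prefix such as "10.1.2.0/24"
    protocol: str    # only "tcp" and "udp" are valid selections
    dest_port: str   # service name, port number, or range
    action: str      # only "permit" and "deny" are valid

    def matches(self, src_ip, proto, dport):
        if self.protocol != proto:
            return False
        if self.source != "any":
            net = ipaddress.ip_network(self.source, strict=False)
            if ipaddress.ip_address(src_ip) not in net:
                return False
        lo, hi = port_range(self.dest_port)
        return lo <= dport <= hi


class IpFilterPolicy:
    """Ordered rules with first-match semantics for ingress management traffic."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
        self._renumber()

    def _renumber(self):
        for i, r in enumerate(self.rules, start=1):
            r.number = i

    def add_rule(self, rule):
        """Insert at the requested position; later rules move down one
        (assumed semantics, matching the note that a deny rule must precede
        the default Telnet rule to be effective)."""
        idx = max(0, min(rule.number, len(self.rules) + 1) - 1)
        self.rules.insert(idx, rule)
        self._renumber()

    def delete_rule(self, number):
        self.rules = [r for r in self.rules if r.number != number]
        self._renumber()

    def evaluate(self, src_ip, proto, dport=None, icmp_type=None):
        """Return 'permit' or 'deny' for one ingress packet."""
        if proto == "icmp":
            # Echo request (8) and reply (0) are always allowed so ping and
            # traceroute work; other ICMP types are denied (assumption).
            return "permit" if icmp_type in (0, 8) else "deny"
        if proto not in ("tcp", "udp"):
            raise ValueError("only tcp and udp can be filtered")
        for rule in self.rules:          # first match wins
            if rule.matches(src_ip, proto, dport):
                return rule.action
        return "deny"                    # assumption: no match means the packet is dropped


def example_policy():
    """Constructed policy: SSH at rule 1 and Telnet at rule 2, as in the text."""
    return IpFilterPolicy([
        Rule(1, "any", "tcp", "ssh", "permit"),
        Rule(2, "any", "tcp", "telnet", "permit"),
        Rule(3, "any", "tcp", "www", "permit"),
        Rule(4, "any", "udp", "snmp", "permit"),
        Rule(5, "any", "tcp", "sunrpc", "permit"),
    ])


def block_telnet(policy, at_rule):
    """Add a deny-Telnet rule at position at_rule; return the Telnet verdict."""
    policy.add_rule(Rule(at_rule, "any", "tcp", "telnet", "deny"))
    return policy.evaluate("10.1.2.3", "tcp", 23)


if __name__ == "__main__":
    p = example_policy()
    print("telnet before:", p.evaluate("10.1.2.3", "tcp", 23))   # permit
    print("deny placed at rule 3:", block_telnet(p, 3))          # permit: rule 2 still matches first
    p.delete_rule(2)                                             # remove the default Telnet permit
    print("after deleting rule 2:", p.evaluate("10.1.2.3", "tcp", 23))  # deny
    q = example_policy()
    print("deny placed at rule 1:", block_telnet(q, 1))          # deny
    print("ping:", q.evaluate("10.1.2.3", "icmp", icmp_type=8))  # permit
```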
IP Filter policy distribution

The IP Filter policy is manually distributed by command. The distribution includes both active and defined IP Filter policies. All policies are combined as a single entity to be distributed and cannot be selectively distributed. However, you may choose the time at which to implement the policy for optimization purposes. If a distribution includes an active IP Filter policy, the receiving switches activate the same IP Filter policy automatically.

Policy database distribution

TABLE 35 Interaction between fabric-wide consistency policy and distribution settings
Distribution setting | Fabric-wide consistency policy: Absent (default) | Tolerant
Reject | Database is protected, it cannot be overwritten. May not match other databases in the fabric. | Invalid configuration.1
Accept (default) | Database is not protected, the database can be overwritten. |

DATABASE - Accept/Reject
--------------------------------
SCC       accept
DCC       accept
PWD       accept
FCS       accept
AUTH      accept
IPFILTER  accept
Fabric Wide Consistency Policy:- ""

Enabling local switch protection

1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the fddCfg --localreject command.

Disabling local switch protection

1. Connect to the switch and log in using an account assigned to the admin role.
2.

NOTE
To completely remove all policies from a fabric, enter the fddCfg --fabwideset "" command.

When you set the fabric-wide consistency policy using the fddCfg command with the option, both the fabric-wide consistency policy and the specified database are distributed to the fabric. The active policies of the specified databases overwrite the corresponding active and defined policies on the target switches.

switch:admin> fddcfg --showall
Local Switch Configuration for all Databases:
DATABASE - Accept/Reject
--------------------------------
SCC       accept
DCC       accept
PWD       accept
FCS       accept
AUTH      accept
IPFILTER  accept
Fabric Wide Consistency Policy:- "SCC:S;DCC"

Notes on joining a switch to the fabric

When a switch is joined to a fabric with a tolerant SCC or DCC fabric-wide consistency policy, the joining switch must have a matching tolerant SCC or DCC fabric-wide consistency policy.

Matching fabric-wide consistency policies

This section describes the interaction between the databases with active SCC and DCC policies and combinations of fabric-wide consistency policy settings when fabrics are merged. For example: if Fabric A with SCC:S;DCC (strict SCC and tolerant DCC) joins Fabric B with SCC:S;DCC (strict SCC and tolerant DCC), the fabrics can merge as long as the SCC policies match, including the order SCC:S;DCC, and both are set to strict.
TABLE 39 Examples of strict fabric merges
Fabric-wide consistency policy setting | Fabric A | Fabric B | Expected behavior
Strict/Tolerant | SCC:S;DCC:S | SCC;DCC:S | Ports connecting switches are disabled.
Strict/Tolerant | SCC;DCC:S | SCC:S;DCC | Ports connecting switches are disabled.
Strict/Absent | SCC:S;DCC:S | SCC:S | Ports connecting switches are disabled.
Strict/Absent | DCC:S | | Ports connecting switches are disabled.
Strict/Strict | SCC:S | DCC:S | Ports connecting switches are disabled.

Table 40 has a matrix of merging fabrics with tolerant and absent policies.
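The fabric-wide consistency policy string (the "SCC:S;DCC" form shown by fddcfg --showall) and the strict-merge outcomes of the section above and Table 39, as an added example (not Fabric OS code). The switch WWNs are constructed; the page does not show Table 40, so the treatment of tolerant/absent combinations (they merge) is an assumption of this example.

```python
STRICT, TOLERANT, ABSENT = "strict", "tolerant", "absent"
DATABASES = ("SCC", "DCC")   # the databases used in the merge examples on this page


def parse_fabwide(setting):
    """Parse a fabric-wide consistency policy string.

    'SCC:S;DCC' -> {'SCC': 'strict', 'DCC': 'tolerant'}. A database that is
    not named is absent, and "" (fddCfg --fabwideset "") clears everything.
    """
    result = {db: ABSENT for db in DATABASES}
    for item in setting.split(";"):
        if not item:
            continue
        db, _, mode = item.partition(":")
        if db not in DATABASES or mode not in ("", "S"):
            raise ValueError(f"bad fabric-wide policy item: {item!r}")
        result[db] = STRICT if mode == "S" else TOLERANT
    return result


def merge_outcome(setting_a, active_a, setting_b, active_b):
    """Decide whether fabric A and fabric B merge.

    active_* maps a database name to the members of its active policy, in
    order. Returns ('merge', []) or ('ports disabled', [reasons]).
    """
    a, b = parse_fabwide(setting_a), parse_fabwide(setting_b)
    reasons = []
    for db in DATABASES:
        if STRICT not in (a[db], b[db]):
            # Neither side strict: assumed to merge (Table 40 is not on this page).
            continue
        if a[db] != b[db]:
            # Strict against tolerant or absent (Table 39): ports are disabled.
            reasons.append(f"{db}: {a[db]} on fabric A, {b[db]} on fabric B")
        elif active_a.get(db, []) != active_b.get(db, []):
            # Strict on both sides: the policies must match, including order.
            reasons.append(f"{db}: strict policies differ")
    return ("merge", []) if not reasons else ("ports disabled", reasons)


# Constructed switch WWNs used as SCC policy members.
SCC_MEMBERS = ["10:00:00:05:1e:00:00:01", "10:00:00:05:1e:00:00:02"]

if __name__ == "__main__":
    same = {"SCC": SCC_MEMBERS}
    print(merge_outcome("SCC:S;DCC", same, "SCC:S;DCC", same))     # merge
    print(merge_outcome("SCC:S;DCC:S", same, "SCC;DCC:S", same))   # ports disabled: SCC strict vs tolerant
    print(merge_outcome("SCC:S;DCC:S", same, "SCC:S", same))       # ports disabled: DCC strict vs absent
    print(merge_outcome("SCC:S", same, "DCC:S", same))             # ports disabled: both databases
    print(merge_outcome("SCC:S", same, "SCC:S", {"SCC": SCC_MEMBERS[::-1]}))  # ports disabled: order differs
```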
Management interface security

• Replay Protection — Prevents replay attack, a type of denial of service (DoS) attack where an attacker intercepts a series of packets and resends them to cause the recipient to waste CPU cycles processing them.
• Automated Key Management — Automates the process, as well as manages the periodic exchange and generation of new keys.

Gateway-to-Gateway Tunnel

In this scenario, neither endpoint of the IP connection implements IPsec, but the network nodes between them protect traffic for part of the way. Protection is transparent to the endpoints, and depends on ordinary routing to send packets through the tunnel endpoints for processing.

To protect the integrity of the IP datagram, the IPsec protocols use hash message authentication codes (HMAC). To derive this HMAC, the IPsec protocols use hash algorithms like MD5 and SHA to calculate a hash based on a secret key and the contents of the IP datagram. This HMAC is then included in the IPsec protocol header, and the receiver of the packet can check the HMAC if it has access to the secret key.

TABLE 41 Algorithms and associated authentication policies
Algorithm | Encryption Level | Policy | Description
hmac_md5 | 128-bit | AH, ESP |
hmac_sha1 | 160-bit | AH, ESP |
A stronger MAC because it is a keyed hash inside a keyed hash. When MD5 or SHA-1 is used in the calculation of an HMAC, the resulting MAC algorithm is termed HMAC-MD5 or HMAC-SHA-1 accordingly.

IKE policies

When IKE is used as the key management protocol, the IKE policy defines the parameters used in IKE negotiations needed to establish the IKE SA and the parameters used in negotiations to establish IPsec SAs. These include the authentication and encryption algorithms, and the primary authentication method, such as preshared keys, or a certificate-based method, such as RSA signatures.

Static Security Associations

Manual Key Entry (MKE) provides the ability to manually add, delete, and flush SA entries in the SADB. Manual SA entries may not have an associated IPsec policy in the local policy database. Manual SA entries are persistent across system reboots.

Creating the tunnel

These instructions do not take the place of creating a tunnel for either a FR4-18i or FX8-24.

Example of creating an IKE policy

This example creates an IKE policy for the remote peer.

switch:admin> ipsecconfig --add policy ike -t IKE01 -remote 10.33.74.13 \
-id 10.33.69.132 -remoteid 10.33.74.13 -enc 3des_cbc \
-hash hmac_md5 -prf hmac_md5 -auth psk -dh modp1024 \
-psk ipseckey.psk

8. Create an IPsec transform on each switch using the ipSecConfig --add command.

Example of an End-to-End Transport Tunnel mode

This example illustrates securing traffic between two systems using AH protection with MD5 and configuring IKE with pre-shared keys. The two systems are a switch, BROCADE300 (IPv4 address 10.33.74.13), and an external host (10.33.69.132).

NOTE
A backslash ( \ ) is used to skip the return character so you can continue the command on the next line without the return character being interpreted by the shell.

1.

-t SELECTOR-IN -d in -l 10.33.69.132 -r 10.33.74.13 \
-transform TRANSFORM01

10. Verify the IPsec SAs created with IKE using the ipsecConfig --show manual-sa -a command.
11. Perform the equivalent steps on the remote peer to complete the IPsec configuration. Refer to your server administration guide for instructions.
12. Generate IP traffic and verify that it is protected using the defined policies.
a. Initiate a Telnet, SSH, or ping session from BRCD300 to the Remote Host.
b.
Chapter 8 Maintaining the Switch Configuration File

In this chapter
• Configuration settings
• Configuration file backup
• Configuration file restoration
• Configurations across a fabric

Configuration settings

CAUTION
Editing of the uploaded file is unsupported and can result in system errors if an edited file is subsequently downloaded.

If you have the chassis role permissions added to your user account, then the following options are available whether you are uploading or downloading a configuration file:
-fid | Uploads the specified FID configuration.
-all | Uploads all of the system configuration, including the chassis section and all switch sections for all logical switches.

[Switch Configuration Begin : 0]
SwitchName = Sprint5100
Fabric ID = 128
[Boot Parameters]
[Configuration]
[Bottleneck Configuration]
[Zoning]
[Defined Security policies]
[Active Security policies]
[iSCSI]
[cryptoDev]
[FICU SAVED FILES]
[Banner]
[End]
[Switch Configuration End : 0]
date = Thu Apr 2 21:28:52 2009
[Switch Configuration Begin : 1]
SwitchName = switch_2
Fabric ID = 1
[Boot Parameters]
[Configuration]
[Bottleneck Configuration]
[Zoning]
[Defined Security policies]
[Ac

Chassis section

There is only one chassis section within a configuration. It defines configuration data for chassis components that affects the entire system—not just an individual logical switch. The chassis section is included in non-Virtual Fabric modes only if you use the configUpload -all command.

Configuration file backup

In non-Virtual Fabric mode, you must use the configUpload -all command to include both the switch and the chassis information. In Virtual Fabric mode, the configUpload -all command can be selected to upload all logical switches and the chassis configuration. Only administrators with the chassis role permission are allowed to upload other FIDs or the chassis configuration.

Configuration file restoration

Restoring a configuration involves overwriting the configuration on the switch by downloading a previously saved backup configuration file.

CAUTION
Make sure that the configuration file you are downloading is compatible with your switch model, because configuration files from other model switches or firmware versions might cause your switch to fail.

-all | The number of switches or FIDs defined in the downloaded configuration file must match the number of switches or FIDs currently defined on the switch. The switches must be disabled, if necessary (refer to "Configuration download without disabling a switch" on page 182 for more information on non-disruptive configuration downloads).
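A parser for the uploaded configuration file layout shown above (per-switch blocks delimited by [Switch Configuration Begin : n] and [Switch Configuration End : n], with SwitchName, Fabric ID and bracketed section headers), together with the -all precondition that the number of switches or FIDs in the file must match the number defined on the switch, as an added example (not Fabric OS code). The sample file is constructed from the page's excerpt; the [Chassis Configuration Begin]/[Chassis Configuration End] markers are an assumption of this example.

```python
import re

BEGIN = re.compile(r"^\[Switch Configuration Begin : (\d+)\]$")
END = re.compile(r"^\[Switch Configuration End : (\d+)\]$")
SECTION = re.compile(r"^\[(.+)\]$")


def parse_config_upload(text):
    """Parse an uploaded configuration file into its chassis and switch parts.

    Returns {"chassis": bool, "switches": [{"index", "SwitchName",
    "Fabric ID", "sections"}, ...]}; raises ValueError on mismatched markers.
    """
    result = {"chassis": False, "switches": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BEGIN.match(line)
        if m:
            if current is not None:
                raise ValueError("nested switch section")
            current = {"index": int(m.group(1)), "sections": []}
            continue
        m = END.match(line)
        if m:
            if current is None or current["index"] != int(m.group(1)):
                raise ValueError(f"unmatched end marker: {line}")
            result["switches"].append(current)
            current = None
            continue
        if line == "[Chassis Configuration Begin]":   # assumed marker
            result["chassis"] = True
            continue
        if current is None:
            continue          # chassis content and "date =" lines between blocks
        m = SECTION.match(line)
        if m:
            if m.group(1) != "End":
                current["sections"].append(m.group(1))
            continue
        key, sep, value = line.partition("=")
        if sep:
            key, value = key.strip(), value.strip()
            current[key] = int(value) if key == "Fabric ID" else value
    if current is not None:
        raise ValueError("switch section without end marker")
    return result


def file_fids(parsed):
    """FIDs of the logical switches contained in the file, in file order."""
    return [sw["Fabric ID"] for sw in parsed["switches"]]


def fid_count_matches(parsed, current_fids):
    """configDownload -all precondition: the number of switches/FIDs in the
    file must equal the number currently defined on the switch."""
    return len(parsed["switches"]) == len(current_fids)


# Constructed sample modelled on the page's excerpt (chassis markers assumed).
SAMPLE = """\
[Chassis Configuration Begin]
[Chassis Configuration End]
date = Thu Apr 2 21:28:52 2009
[Switch Configuration Begin : 0]
SwitchName = Sprint5100
Fabric ID = 128
[Boot Parameters]
[Configuration]
[Zoning]
[Banner]
[End]
[Switch Configuration End : 0]
date = Thu Apr 2 21:28:52 2009
[Switch Configuration Begin : 1]
SwitchName = switch_2
Fabric ID = 1
[Boot Parameters]
[Zoning]
[End]
[Switch Configuration End : 1]
"""

if __name__ == "__main__":
    parsed = parse_config_upload(SAMPLE)
    print(parsed["chassis"], file_fids(parsed))     # True [128, 1]
    print(fid_count_matches(parsed, [128, 1]))      # True
    print(fid_count_matches(parsed, [128]))         # False: two FIDs in file, one on switch
```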
8 Configuration file restoration CAUTION The switch has limited error checking and edited files may become corrupted and can lead to switch failures. Configuration download without disabling a switch You can download configuration files to a switch while the switch is enabled; that is, you do not need to disable the switch for changes in SNMP, Fabric Watch, or ACL parameters. However, if there is any changed parameter that does not belong to SNMP, Fabric Watch, or ACL, then you must disable the switch.
Configuration file restoration 8 Example of configDownload without Admin Domains switch:admin> configdownload Protocol (scp, ftp, local) [ftp]: Server Name or IP Address [host]: 10.1.2.3 User Name [user]: UserFoo Path/Filename [/config.txt]: Section (all|chassis|FID# [all]): all *** CAUTION *** This command is used to download a backed-up configuration for a specific switch. If using a file from a different switch, this file's configuration settings will override any current switch settings.
8 Configurations across a fabric Configurations across a fabric To save time when configuring fabric parameters and software features, you can save a configuration file from one switch and download it to other switches of the same model type, as shown in the following procedure. Do not download a configuration file from one switch to another switch that is a different model or firmware version, because it can cause the switch to fail.
Configuration management for Virtual Fabrics 8 Uploading a configuration file from a switch with Virtual Fabrics enabled The configUpload command with the -vf option specifies that configuration upload will upload the Virtual Fabric configuration instead of the non-Virtual Fabric configuration information. You must specify a filename with the configUpload -vf command. It is recommended not to use config.txt for a filename as this can easily be confused with a normal uploaded configuration file.
8 Configuration management for Virtual Fabrics 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the configDownload -vf command. 3. Respond to the prompts. 4. Wait for the configuration file to download onto the switch. You may need to reconnect to the switch. 5. Enter the configDownload command. 6. Respond to the prompts. 7. Wait for the configuration file to download to the switch. 8. Verify the LISL ports are set up correctly.
Brocade configuration form

Use the form in Table 43 as a hard copy reference for your configuration information. The hardware reference manuals for the Brocade 48000 director and the Brocade DCX and DCX-4S enterprise-class platforms include FC port setting tables, which can be used to record configuration information for the various blades.
Chapter 9 Installing and Maintaining Firmware

In this chapter
• Firmware download process overview
• Preparing for a firmware download
• Firmware download on switches
• Firmware download on an enterprise-class platform
• Firmware download from a USB device
Or, on the Brocade 300, 5100, 5300, 7800, 8000, and VA-40FC switches, the Brocade 5410, 5424, 5450, 5480 embedded switches, and the Brocade DCX and DCX-4S Backbones, you can use a Brocade-branded USB device. The new firmware consists of multiple files in the form of RPM packages listed in a .plist file. The .plist file contains specific firmware information (time stamp, platform code, version, and so forth) and the names of the firmware packages to be downloaded.
In most cases, you will be upgrading firmware; that is, installing a newer firmware version than the one you are currently running. However, some circumstances may require installing an older version; that is, downgrading the firmware. The procedures in this section assume that you are upgrading firmware, but they work for downgrading as well, provided the old and new firmware versions are compatible.
A nondisruptive firmware download, performed by entering the firmwareDownload command without the -s operand, is supported only when upgrading from Fabric OS v6.1.x to v6.2.0. If you are downgrading from Fabric OS v6.2.0 to v6.1.x, you must use the firmwareDownload -s command option, as discussed in “Test and restore firmware on switches” on page 203 and “Test and restore firmware on enterprise-class platforms” on page 204.
Connected switches

Before you upgrade the firmware on your switch, check the connected switches to ensure compatibility and that any older versions are supported. Refer to the Fabric OS Compatibility section of the Brocade Fabric OS Release Notes for the recommended firmware version.

NOTE
Go to http://www.brocade.com to view end-of-life policies for Brocade products. Navigate to the Support tab, then select Policies and Locations.
Firmware download on switches

Brocade 300, 4100, 4900, 5000, 5100, 5300, 5410, 5424, 5450, 5460, 5470, 5480, 7500, 7500E, 7600, 7800, 8000, and VA-40FC switches maintain primary and secondary partitions for firmware. The firmwareDownload command defaults to an autocommit option that automatically copies the firmware from one partition to the other.

NOTE
This section applies only when upgrading from Fabric OS v6.1.x to v6.2.0, or between different versions of v6.2.
Upgrading firmware for Brocade 300, 4100, 4900, 5000, 5100, 5300, 5410, 5424, 5450, 5460, 5470, 5480, 7500, 7500E, 7600, 7800, 8000, and VA-40FC switches

1. Take the appropriate action based on the service you are using:
   • If you are using FTP or SCP, verify that the FTP or SSH server is running on the host server and that you have a valid user ID and password on that server.
This command will cause a warm/non-disruptive boot on the switch,but will require
that existing telnet, secure telnet or SSH sessions be restarted.
Do you want to continue [Y]: y
Firmware is being downloaded to the switch. This step may take up to 30 minutes.
6. The new standby CP blade (the active CP blade before the failover) downloads firmware.
7. The new standby CP blade reboots and comes up with the new Fabric OS.
8. The new active CP blade synchronizes its state with the new standby CP blade.
9. The firmwareCommit command runs automatically on both CP blades.

CAUTION
After you start the process, do not enter any disruptive commands (such as reboot) that will interrupt the process.
ecp:admin> hashow
Local CP (Slot 5, CP0): Active, Warm Recovered
Remote CP (Slot 6, CP1): Standby, Healthy
HA enabled, Heartbeat Up, HA State synchronized

CP blades must be synchronized and running Fabric OS v6.0.0 or later to provide a nondisruptive download. If the two CP blades are not synchronized, enter the haSyncStart command to synchronize them. If the CPs are still not synchronized, contact your switch service provider.
Do you want to continue [Y]: y
The firmware is being downloaded to the Standby CP. It may take up to 10 minutes

10. Optionally, after the failover, connect to the switch and log in again as admin. Using a separate session to connect to the switch, enter the firmwareDownloadStatus command to monitor the firmware download status.
Firmware download from a USB device

The Brocade 300, 5100, 5300, 7800, 8000, and VA-40FC switches and the Brocade DCX and DCX-4S Backbones support a firmware download from a Brocade-branded USB device attached to the switch or active CP. Before the USB device can be accessed by the firmwareDownload command, it must be enabled and mounted as a file system.
FIPS Support

Federal Information Processing Standards (FIPS) specify the security requirements that a cryptographic module must satisfy when it is used within a security system to protect sensitive information in computer and telecommunication systems. For more information about FIPS, refer to Chapter 7, “Configuring Security Policies”. The v6.4.0 firmware is digitally signed using the OpenSSL utility to provide FIPS support.
When firmwareDownload installs a firmware file, it must validate the signature of the file. The different scenarios are handled as follows:
• If a firmware file does not have a signature, how it is handled depends on the “signed_firmware” parameter on the switch. If the parameter is enabled, firmwareDownload fails. Otherwise, firmwareDownload displays a warning message and proceeds normally. Therefore, when downgrading to non-FIPS-compliant firmware, the “signed_firmware” flag must be disabled.
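The decision described above can be modelled to see how the signed_firmware parameter changes the outcome for an unsigned image. The following is an added example, not Brocade code: it keeps the policy (fail or warn on a missing signature, depending on the flag) but substitutes an HMAC-SHA256 tag under a shared key for the real OpenSSL public-key signature so that it runs offline with the standard library. Treating an invalid signature as a failure regardless of the flag is this example's own assumption, not a statement from the page.

```python
"""Signed-firmware decision for firmwareDownload (added example, not Brocade code).

The stand-in "signature" is an HMAC-SHA256 tag under a shared key; a real
Fabric OS image carries an OpenSSL digital signature instead.
"""
import hashlib
import hmac

OK, WARN, FAIL = "ok", "warn", "fail"


def sign_image(image: bytes, key: bytes) -> bytes:
    """Stand-in signer: HMAC-SHA256 over the whole image (assumption, not the real scheme)."""
    return hmac.new(key, image, hashlib.sha256).digest()


def verify_image(image: bytes, signature: bytes, key: bytes) -> bool:
    """Constant-time comparison so the verifier never reveals how many bytes matched."""
    return hmac.compare_digest(sign_image(image, key), signature)


def firmware_download_decision(image: bytes, signature, signed_firmware_enabled: bool, key: bytes):
    """Return (action, reason) for an image that may or may not carry a signature.

    Missing signature: fail when signed_firmware is enabled, otherwise warn and
    proceed (the case described in the text).  Present but invalid signature:
    fail regardless of the flag (this example's assumption).
    """
    if signature is None:
        if signed_firmware_enabled:
            return FAIL, "unsigned firmware rejected because signed_firmware is enabled"
        return WARN, "unsigned firmware accepted with a warning because signed_firmware is disabled"
    if not verify_image(image, signature, key):
        return FAIL, "firmware signature does not verify"
    return OK, "firmware signature verified"


if __name__ == "__main__":
    # Constructed demo values; a real image and key would come from the build system.
    key = b"constructed demo key"
    image = b"constructed firmware image"
    signature = sign_image(image, key)
    for sig, flag in ((signature, True), (None, True), (None, False), (signature, False)):
        print(f"signature={'present' if sig else 'absent'} signed_firmware={flag}:",
              firmware_download_decision(image, sig, flag, key))
```

The downgrade case in the text corresponds to the third call in the demo: an unsigned (non-FIPS) image is only accepted once signed_firmware is disabled.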
Test and restore firmware on switches

NOTE
This section does not apply to SAS or storage applications applied to the FA4-18 AP blade.

Typically, users downgrade firmware after briefly evaluating a newer (or older) version and then restore the original version of the firmware. Testing a new version of firmware in this manner ensures that you do not replace the existing firmware, because the evaluated version occupies only one partition on the switch.
ATTENTION
Stop! If you want to restore the firmware, stop here and skip ahead to step 9; otherwise, continue to step 8 to commit the firmware on the switch, which completes the firmware download operations.

8. Commit the firmware.
   a. Enter the firmwareCommit command to update the secondary partition with the new firmware. Note that it takes several minutes to complete the commit operation.
   b.
Testing different firmware versions on enterprise-class platforms

1. Connect to the Brocade enterprise-class platform IP address.
2. Enter the ipAddrShow command and note the address of CP0 and CP1.
3. Enter the haShow command and note which CP is active and which CP is standby. Verify that both CPs are in sync.
4. Enter the firmwareShow command and confirm that the current firmware on both partitions on both CPs is listed as expected.
5.
   c. Confirm the evaluation version of firmware is now running on the active CP by entering the firmwareShow command.

9. Update firmware on the standby CP.
   a. Connect to the enterprise-class platform on the standby CP, which is the old active CP.
   b. Enter the firmwareDownload command with the -s -b -n operands. This ensures that the following steps are successful. At this point the firmware should download to the standby CP only and reboot it.
   a. In the current enterprise-class platform session for the active CP, enter the haShow command to verify that HA synchronization is complete. It will take a minute or two for the standby CP to reboot and synchronize with the active CP.
   b. Enter the haFailover command. The active CP will reboot and the current enterprise-class platform session will end. The enterprise-class platform is now running the original firmware.

14. Restore firmware on the “new” standby CP.
   a.
ecp:admin> firmwareshow
Slot Name Appl  Primary/Secondary Versions                  Status
------------------------------------------------------------------------
 6    CP0  FOS   v6.4.0                                      ACTIVE *
                 v6.4.0
 7    CP1  FOS   v6.4.0                                      STANDBY
                 v6.4.0
 * Local CP

firmwareDownloadStatus
Displays an event log that records the progress and status of events during Fabric OS, SAS, and SA firmwareDownload.
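The checks that precede a nondisruptive download on an enterprise-class platform (both CP blades synchronized in haShow, the expected version on both partitions of both CPs in firmwareShow, and Fabric OS v6.0.0 or later) can be scripted against the command output. The following is an added example, not Brocade code; the sample outputs are constructed in the layout shown on this page, and the wording of the unsynchronized hashow line is assumed.

```python
"""Preflight check for a nondisruptive firmware download (added example, not Brocade code).

Parses hashow and firmwareshow output in the layout printed in this chapter
and reports anything that would make the download unsafe.
"""
import re

# Constructed sample: both CPs healthy and synchronized, as on the page.
HASHOW_OK = """\
Local CP (Slot 5, CP0): Active, Warm Recovered
Remote CP (Slot 6, CP1): Standby, Healthy
HA enabled, Heartbeat Up, HA State synchronized
"""

# Constructed sample: standby not yet synchronized (exact wording assumed).
HASHOW_NOT_SYNCED = """\
Local CP (Slot 5, CP0): Active, Warm Recovered
Remote CP (Slot 6, CP1): Standby, Healthy
HA enabled, Heartbeat Up, HA State not in sync
"""

# Constructed sample in the firmwareshow layout shown above.
FIRMWARESHOW = """\
Slot Name Appl  Primary/Secondary Versions                  Status
------------------------------------------------------------------------
 6    CP0  FOS   v6.4.0                                      ACTIVE *
                 v6.4.0
 7    CP1  FOS   v6.4.0                                      STANDBY
                 v6.4.0
 * Local CP
"""

HA_CP = re.compile(r"^(Local|Remote) CP \(Slot (\d+), (CP\d)\): (\w+), (.*)$")
FW_CP = re.compile(r"^\s*(\d+)\s+(CP\d)\s+(\w+)\s+(v[\w.]+)\s+(ACTIVE|STANDBY)\s*(\*?)")
FW_SECONDARY = re.compile(r"^\s+(v[\w.]+)\s*$")


def parse_hashow(text):
    """Return active/standby CP names, per-CP details and the synchronized flag."""
    ha = {"active": None, "standby": None, "cps": {},
          "synchronized": "HA State synchronized" in text}
    for line in text.splitlines():
        m = HA_CP.match(line.strip())
        if m:
            side, slot, name, role, health = m.groups()
            ha["cps"][name] = {"side": side, "slot": int(slot), "role": role, "health": health}
            if role in ("Active", "Standby"):
                ha[role.lower()] = name
    return ha


def parse_firmwareshow(text):
    """Return {cp_name: {slot, appl, primary, secondary, status, local}}.
    The secondary partition version is the indented line under each CP row."""
    cps, current = {}, None
    for line in text.splitlines():
        m = FW_CP.match(line)
        if m:
            slot, name, appl, primary, status, star = m.groups()
            current = {"slot": int(slot), "appl": appl, "primary": primary,
                       "secondary": None, "status": status, "local": star == "*"}
            cps[name] = current
            continue
        m = FW_SECONDARY.match(line)
        if m and current is not None and current["secondary"] is None:
            current["secondary"] = m.group(1)
    return cps


def version_tuple(version):
    """'v6.4.0' -> (6, 4, 0); any trailing patch letter is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def preflight(hashow_text, firmwareshow_text, expected_version):
    """Return a list of problems; an empty list means the download may proceed."""
    problems = []
    ha = parse_hashow(hashow_text)
    if ha["active"] is None or ha["standby"] is None:
        problems.append("hashow does not report one Active and one Standby CP")
    if not ha["synchronized"]:
        problems.append("CP blades are not synchronized: run haSyncStart and re-check; "
                        "if they still do not synchronize, contact your switch service provider")
    fw = parse_firmwareshow(firmwareshow_text)
    if len(fw) != 2:
        problems.append("firmwareshow does not list two CP blades")
    for name, info in sorted(fw.items()):
        if version_tuple(info["primary"]) < (6, 0, 0):
            problems.append(f"{name} runs {info['primary']}; nondisruptive download "
                            "needs Fabric OS v6.0.0 or later")
        for partition in ("primary", "secondary"):
            if info[partition] != expected_version:
                problems.append(f"{name} {partition} partition is {info[partition]}, "
                                f"expected {expected_version}")
    return problems


if __name__ == "__main__":
    for label, text in (("synchronized", HASHOW_OK), ("not synchronized", HASHOW_NOT_SYNCED)):
        print(label + ":", preflight(text, FIRMWARESHOW, "v6.4.0") or "OK to proceed")
```

Run it against captured output from both commands before starting the procedure; any non-empty result is a reason to stop before step 5.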
Chapter 10 Managing Virtual Fabrics

In this chapter
• Virtual Fabrics overview
• Logical switch overview
• Logical fabric overview
• Management model for logical switches
This chapter describes the logical switch and logical fabric features. For information about device sharing with Virtual Fabrics, see “FC-FC Routing and Virtual Fabrics” on page 492.
FIGURE 20 Switch before and after enabling Virtual Fabrics
(Figure: a physical chassis with ports P0 through P9; after Virtual Fabrics is enabled, the same ports belong to the default logical switch.)

After you enable Virtual Fabrics, you can create up to eight logical switches, depending on the switch model. Figure 21 shows a Virtual Fabrics-enabled switch before and after it is divided into logical switches.
Logical switches and fabric IDs

When you create a logical switch, you must assign it a fabric ID (FID). The fabric ID uniquely identifies each logical switch within a chassis and indicates to which fabric the logical switch belongs. You cannot define multiple logical switches with the same fabric ID within the chassis. In Figure 22, logical switches 2, 3, 4, and 5 are assigned FIDs of 1, 15, 8, and 20, respectively.
FIGURE 23 Assigning ports to logical switches
(Figure: before port assignment, ports P0 through P9 are all in Logical switch 1, the default logical switch; after port assignment, the ports are distributed among Logical switch 1 and Logical switches 2, 3, and 4.)

A given port is always in one (and only one) logical switch.
You can also connect other switches to logical switches. In Figure 24, P6 is an E_Port that forms an ISL between Logical switch 4 and the non-Virtual Fabrics switch. Logical switch 4 is the only logical switch that can communicate with the non-Virtual Fabrics switch and D2, because the other logical switches are in different fabrics.
You connect logical switches to other logical switches in two ways:
• Using ISLs
• Using base switches and shared ISLs

Logical fabric and ISLs

Figure 26 shows two physical chassis divided into logical switches. In Figure 26, ISLs are used to connect the logical switches with fabric ID 1 and the logical switches with fabric ID 15. The logical switches with fabric ID 8 are each connected to a non-Virtual Fabrics switch.
NOTE
Only logical switches with the same FID can form a fabric. If you connect two logical switches with different FIDs, the link between the switches segments.

Logical fabric and ISL sharing

Another way to connect logical switches is using extended ISLs and base switches. When you divide a chassis into logical switches, you can designate one of the switches to be a base switch. A base switch is a special logical switch that is used for interconnecting the physical chassis.
Traffic between the logical switches can now flow across this XISL. The traffic can flow only between logical switches with the same fabric ID. For example, traffic can flow between Logical switch 2 in chassis 1 and Logical switch 6 in chassis 2, because they both have fabric ID 1. Traffic cannot flow between Logical switch 2 and Logical switch 7, because they have different fabric IDs (and are thus in different fabrics).
FIGURE 30 Logical fabric using ISLs and XISLs
(Figure: two physical chassis. Chassis 1 contains Logical switch 1 (default logical switch, fabric ID 128), Logical switch 2 (fabric ID 1), Logical switch 3 (fabric ID 15), and a base switch (fabric ID 8). Chassis 2 contains Logical switch 5 (default logical switch, fabric ID 128), Logical switch 6 (fabric ID 1), Logical switch 7 (fabric ID 15), and a base switch (fabric ID 8). An XISL connects the two base switches, and logical ISLs join the same-FID logical switches across the chassis; an ISL connects the two default logical switches.)

By default, the phys
Logical fabric formation

Fabric formation is not based on connectivity; it is based on the FIDs of the logical switches. The basic order of fabric formation is as follows:
1. The base fabric forms.
2. Logical fabrics form when the base fabric is stable.
3. Traffic is initiated between the logical switches.
4. Devices start seeing each other.
Account management and Virtual Fabrics

When user accounts are created, they are assigned a list of logical fabrics to which they can log in and a home logical fabric (home FID). When you connect to a physical chassis, the home FID defines the logical switch to which you are logged in by default. You can change to a different logical switch context, as described in “Changing the context to a different logical fabric” on page 233.
Supported port configurations in the Brocade DCX and DCX-4S

Some of the ports in the Brocade DCX and DCX-4S are not supported on all types of logical switches. Table 45 on page 221 lists the blades and ports that are supported on each type of logical switch.
TABLE 46 Virtual Fabrics interaction with Fabric OS features

Fabric OS feature: Admin Domains
Virtual Fabrics interaction: Virtual Fabrics and Admin Domains are mutually exclusive and are not supported at the same time on a switch. To use Admin Domains, you must first disable Virtual Fabrics; to use Virtual Fabrics, you must first delete all Admin Domains.
TABLE 47 Maximum number of logical switches per chassis (Continued)

Platform          Maximum number of logical switches
Brocade 5300      4
Brocade 5100      3
Brocade VA-40FC   3

Following are restrictions on the default logical switch in the Brocade DCX and DCX-4S:
• The default logical switch cannot use extended ISLs (XISLs).
• The default logical switch cannot be a base switch.

Following are restrictions on XISL use.
1. Connect to the physical chassis and log in using an account assigned to the admin role with the chassis-role permission.
2. Enter the following command to check whether VF mode is enabled:
   fosconfig --show
3. Delete all Admin Domains, as described in “Deleting all user-defined Admin Domains non-disruptively” on page 352.
4. Enter the following command to enable VF mode:
   fosconfig --enable vf
5. Enter y at the prompt.
Example
The following example checks whether VF mode is enabled or disabled and then disables it.

switchA:FID128:admin> fosconfig --show
FC Routing service: disabled
iSCSI service: Service not supported on this Platform
iSNS client service: Service not supported on this Platform
Virtual Fabric: enabled

switch:admin> fosconfig --disable vf
WARNING: This is a disruptive operation that requires a reboot to take effect.
You can optionally define the logical switch to be a base switch. Each chassis can have only one base switch.

NOTE
Domain ID conflicts are detected before fabric ID conflicts. If you have both a domain ID conflict and a fabric ID conflict, only the domain ID conflict is reported.

1. Connect to the physical chassis and log in using an account assigned to the admin role with the chassis-role permission.
2.
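The rules stated in this chapter for logical switches (unique FID per chassis, one base switch per chassis, the default logical switch neither a base switch nor an XISL user, the per-platform limits of Table 47, and traffic flowing only between same-FID logical switches over an ISL or through the base switches over an XISL) can be checked in a small model before a change is made on the chassis. The following is an added example, not Fabric OS code. It assumes FIDs run from 1 to 128 with 128 as the default logical switch (the FID128 prompts above), takes the chapter's "up to eight" ceiling for the DCX and DCX-4S, and infers from Figure 30 (both base switches with FID 8) that the base switches of two chassis must share a FID for the XISL to carry traffic.

```python
"""Model of the Virtual Fabrics rules in this chapter (added example, not Fabric OS code)."""

DEFAULT_FID = 128   # FID of the default logical switch, as in the FID128 prompts above

# Table 47 rows on this page; DCX and DCX-4S use the chapter's "up to eight" ceiling (assumed).
MAX_LOGICAL_SWITCHES = {"DCX": 8, "DCX-4S": 8, "5300": 4, "5100": 3, "VA-40FC": 3}


class LogicalSwitch:
    def __init__(self, fid, base=False, allow_xisl=False):
        if fid == DEFAULT_FID and (base or allow_xisl):
            raise ValueError("the default logical switch cannot be a base switch or use XISLs")
        self.fid, self.base, self.allow_xisl = fid, base, allow_xisl


class Chassis:
    def __init__(self, platform):
        self.platform = platform
        # Enabling Virtual Fabrics leaves every port in the default logical switch.
        self.switches = {DEFAULT_FID: LogicalSwitch(DEFAULT_FID)}

    def create_logical_switch(self, fid, base=False, allow_xisl=False):
        """Apply the creation rules; raise ValueError with the reason on a violation."""
        if not 1 <= fid <= DEFAULT_FID:
            raise ValueError(f"FID {fid} is outside the 1..{DEFAULT_FID} range (assumed range)")
        if fid in self.switches:
            raise ValueError(f"FID {fid} is already used in this chassis")
        limit = MAX_LOGICAL_SWITCHES[self.platform]
        if len(self.switches) >= limit:
            raise ValueError(f"{self.platform} supports at most {limit} logical switches")
        if base and self.base_switch() is not None:
            raise ValueError("each chassis can have only one base switch")
        self.switches[fid] = LogicalSwitch(fid, base, allow_xisl)
        return self.switches[fid]

    def base_switch(self):
        return next((s for s in self.switches.values() if s.base), None)


def isl_segments(a, b):
    """A direct ISL between two logical switches segments unless their FIDs match."""
    return a.fid != b.fid


def xisl_traffic_allowed(chassis1, fid, chassis2):
    """Traffic over the XISL flows only between same-FID logical switches that both
    allow XISL use, and only once the base switches have formed the base fabric."""
    b1, b2 = chassis1.base_switch(), chassis2.base_switch()
    if b1 is None or b2 is None or isl_segments(b1, b2):
        return False   # no base fabric between the two chassis
    s1, s2 = chassis1.switches.get(fid), chassis2.switches.get(fid)
    return bool(s1 and s2 and s1.allow_xisl and s2.allow_xisl)


def figure_30_chassis():
    """Build the two chassis of Figure 30 (FIDs from the figure; platform assumed DCX)."""
    c1, c2 = Chassis("DCX"), Chassis("DCX")
    for c in (c1, c2):
        c.create_logical_switch(1, allow_xisl=True)    # Logical switch 2 / 6
        c.create_logical_switch(15, allow_xisl=True)   # Logical switch 3 / 7
        c.create_logical_switch(8, base=True)          # base switch
    return c1, c2


def rejects(action):
    """True if the action raises ValueError, i.e. the model refuses the configuration."""
    try:
        action()
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    c1, c2 = figure_30_chassis()
    print("FID 1 over XISL:", xisl_traffic_allowed(c1, 1, c2))
    print("LS2 (FID 1) to LS7 (FID 15) segments:", isl_segments(c1.switches[1], c2.switches[15]))
    print("second base switch refused:", rejects(lambda: c1.create_logical_switch(9, base=True)))
```

The model reproduces the text's example: Logical switch 2 and Logical switch 6 (both FID 1) exchange traffic over the XISL, while Logical switch 2 and Logical switch 7 (FID 15) cannot.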
Domain: (1..239) [1] 14
WWN Based persistent PID (yes, y, no, n): [no]
... (output truncated)
WARNING: The domain ID will be changed. The port level zoning may be affected
switch_4:FID4:admin> switchenable

Executing a command in a different logical fabric context

This procedure describes how to execute a command for a logical switch while you are in the context of a different logical switch.
--------------------------------------------------
"fabricshow" on FID 128:
Switch ID   Worldwide Name            Enet IP Addr   FC IP Addr   Name
------------------------------------------------------------------------
97: fffc61  10:00:00:05:1e:82:3c:2a   10.32.79.105   0.0.0.
Adding and removing ports on a logical switch

This procedure explains how to add and remove ports on logical switches. All ports in a chassis must be assigned to a logical switch. All ports are initially assigned to the default logical switch. When you create a logical switch, it has no ports assigned to it. You add ports to a logical switch by moving the ports from one logical switch to another.
Displaying logical switch configuration

1. Connect to the physical chassis and log in using an account assigned to the admin role with the chassis-role permission.
2. Enter the following command to display a list of all logical switches and the ports assigned to them:
   lscfg --show [ -provision ]
   If the -provision option is specified, all ports on all slots are displayed, regardless of the slot status.
Example

sw0:FID128:admin> lscfg --change 5 -newfid 7
Changing of a switch fid requires that the switch be disabled.
Would you like to continue [y/n]?: y
Disabling switch...
All active login sessions for FID 5 have been terminated.
Checking and logging message: fid = 5.
Please enable your switch.
 19  19  1e1300  -N8  No_Module  FC
 20  20  1e1400  -N8  No_Module  FC

switch_25:FID7:admin> configure
Not all options will be available on an enabled switch.
To disable the switch, use the "switchDisable" command.
Configure...
Fabric parameters (yes, y, no, n): [no] y
WWN Based persistent PID (yes, y, no, n): [no]
Allow XISL Use (yes, y, no, n): [yes] n
WARNING!! Disabling this parameter will cause removal of LISLs to other logical switches.
XISL use is not supported for the following cases:
• FICON logical fabrics.
• Logical switches in an edge fabric connected to an FC router.
If the logical switch is enabled, you cannot allow XISL use. If the logical switch is disabled or has not yet joined the edge fabric, you can allow XISL use; however, fabric segmentation occurs when the logical switch is enabled or is connected to an edge fabric.
Creating a logical fabric using XISLs

This procedure describes how to create a logical fabric using multiple chassis and XISLs, and refers to the configuration shown in Figure 31 as an example.
   For the example shown in Figure 31, you would create a logical switch with FID 1 and a logical switch with FID 15.
   c. Assign ports to the logical switch, as described in “Adding and removing ports on a logical switch” on page 229.
   d. Physically connect devices and ISLs to these ports on the logical switch.
   e. (Optional) Configure the logical switch to use XISLs, if it is not already XISL-capable.
Chapter 11 Administering Advanced Zoning

In this chapter
• Special zones
• Zoning overview
• Broadcast zones
• Zone aliases
• QoS zones
  Assign high or low priority to designated traffic flows. QoS zones are normal zones with additional QoS attributes specified by adding a QOS prefix to the zone name. See “QoS: SID/DID traffic prioritization” on page 403 for more information.
• Traffic Isolation zones (TI zones)
  Isolate inter-switch traffic to a specific, dedicated path through the fabric. See “Traffic Isolation Zoning” on page 267 for more information.
FIGURE 32 Zoning example
(Figure: a Fibre Channel fabric with Server1, Server2, Server3, a RAID, a hub, a JBOD, Loop 1, and Loop 2 grouped into a Red zone, a Blue zone, and a Green zone.)

To list the commands associated with zoning, use the zoneHelp command. For detailed information on the zoning commands used in the procedures, see the Fabric OS Command Reference or the online man page for each command.

Zone types

Table 48 summarizes the types of zoning available.
TABLE 49 Approaches to fabric-based zoning

Zoning approach    Description
Recommended approach
Single HBA         Zoning by single HBA most closely re-creates the original SCSI bus. Each zone created has only one HBA (initiator) in the zone; each of the target devices is added to the zone. Typically, a zone is created for the HBA and the disk storage ports are added. If the HBA also accesses tape devices, a second zone is created with the HBA and associated tape devices in it.
For example, in enterprise-class platforms, “4,30” specifies port 14 in slot number 2 (domain ID 4, port index 30). On fixed-port models, “3,13” specifies port 13 in switch domain ID 3.

Note the following effects on zone membership based on the type of zone object:
• When a zone object is the physical port number, all devices connected to that port are in the zone.
Zone configurations

A zone configuration is a group of one or more zones. A zone can be included in more than one zone configuration. When a zone configuration is in effect, all zones that are members of that configuration are in effect. Several zone configurations can reside on a switch at once, and you can quickly alternate between them. For example, you might want to have one configuration enabled during business hours and another enabled overnight.
Session-based hardware enforcement is in effect in the following cases, on a per-zone basis:
• A zone does not have either all WWN or all D,I entries.
• Overlapping zones (in which zone members appear in two or more zones).

Identifying the enforced zone type

1. Connect to the switch and log in as admin.
2. Enter the portZoneShow command, using the following syntax:
   portzoneshow

Considerations for zoning architecture

Table 50 lists considerations for zoning architecture.
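The two conditions above, together with the D,I and WWN member formats described earlier in this section, can be applied to a zone database to see which zones will fall back to session-based hardware enforcement before the configuration is enabled. The following is an added example, not Fabric OS code: it reads cfgshow-style text (members either on the same line separated by ";" or on indented continuation lines, as cfgshow prints the effective configuration), expands aliases, and classifies each zone. The sample zone database is constructed; it reuses WWNs from the cfgshow output on this page, and the domain ID range check (1 to 239) is taken from the configure prompt shown in the Virtual Fabrics chapter.

```python
"""Zone enforcement classifier (added example, not Fabric OS code)."""
import re

WWN_RE = re.compile(r"^([0-9a-f]{2}:){7}[0-9a-f]{2}$", re.IGNORECASE)
DI_RE = re.compile(r"^(\d{1,3}),(\d{1,3})$")      # "domain,index", e.g. "4,30"
KEYWORDS = ("cfg:", "zone:", "alias:")

# Constructed sample zone database in cfgshow's defined-configuration layout.
SAMPLE = """\
Defined configuration:
 cfg:   USA_cfg Blue_zone; Purple_zone; Mixed_zone
 zone:  Blue_zone   array1; array2
 zone:  Purple_zone loop1
 zone:  Mixed_zone  1,0; 21:00:00:20:37:0c:71:df
 alias: array1 21:00:00:20:37:0c:76:8c; 21:00:00:20:37:0c:71:02
 alias: array2 21:00:00:20:37:0c:76:22; 21:00:00:20:37:0c:76:28
 alias: loop1  21:00:00:20:37:0c:76:85; 21:00:00:20:37:0c:71:df
"""


def member_type(member):
    """'WWN' for a colon-separated 8-byte WWN, 'D,I' for a domain,index pair."""
    if WWN_RE.match(member):
        return "WWN"
    m = DI_RE.match(member)
    if m and 1 <= int(m.group(1)) <= 239:      # domain ID range from the configure prompt
        return "D,I"
    raise ValueError(f"unrecognised zone member {member!r}")


def parse_cfgshow(text):
    """Collect cfg, zone and alias objects from cfgshow-style text.
    A later definition of the same name replaces an earlier one."""
    objs = {"cfg": {}, "zone": {}, "alias": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith("configuration:"):
            current = None
            continue
        kw = next((k for k in KEYWORDS if line.startswith(k)), None)
        if kw:
            name, _, rest = line[len(kw):].strip().partition(" ")
            current = objs[kw[:-1]][name] = []
            current.extend(m for m in re.split(r"[;\s]+", rest) if m)
        elif current is not None:               # indented continuation line
            current.extend(m for m in re.split(r"[;\s]+", line) if m)
    return objs


def expand_aliases(members, aliases, seen=()):
    """Replace alias names with their members (recursively, loop-safe)."""
    out = []
    for m in members:
        if m in aliases:
            if m in seen:
                raise ValueError(f"alias loop at {m}")
            out.extend(expand_aliases(aliases[m], aliases, seen + (m,)))
        else:
            out.append(m)
    return out


def classify_enforcement(text):
    """Return {zone: (mode, reason)} with mode 'hardware' or 'session'."""
    objs = parse_cfgshow(text)
    expanded = {z: expand_aliases(ms, objs["alias"]) for z, ms in objs["zone"].items()}
    result = {}
    for zone, members in expanded.items():
        types = {member_type(m) for m in members}
        overlaps = sorted(o for o, ms in expanded.items()
                          if o != zone and set(ms) & set(members))
        if len(types) > 1:
            result[zone] = ("session", "members are not all WWN or all D,I")
        elif overlaps:
            result[zone] = ("session", "overlaps " + ", ".join(overlaps))
        else:
            result[zone] = ("hardware", f"all members are {next(iter(types), 'absent')}")
    return result


if __name__ == "__main__":
    for zone, (mode, reason) in classify_enforcement(SAMPLE).items():
        print(f"{zone:12} {mode:9} {reason}")
```

In the sample, Blue_zone (all WWN, no overlap) keeps full hardware enforcement, Mixed_zone mixes a D,I entry with a WWN, and Purple_zone shares a WWN with Mixed_zone, so both of those become session-based.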
Best practices for zoning

The following are recommendations for using zoning:
• Always zone using the switch with the highest Fabric OS level. Switches with earlier Fabric OS versions cannot view all of the functionality that a newer Fabric OS provides, because functionality is backward compatible but not forward compatible.
• Zone using the core switch rather than an edge switch.
• Zone using an enterprise-class platform rather than a switch.
Figure 33 illustrates how broadcast zones work with Admin Domains. Figure 33 shows a fabric with five devices and two Admin Domains, AD1 and AD2. Each Admin Domain has two devices and a broadcast zone.
High availability considerations with broadcast zones

If a switch has broadcast zone-capable firmware on the active CP (Fabric OS v5.3.x or later) and broadcast zone-incapable firmware on the standby CP (Fabric OS version earlier than v5.3.0), then you cannot create a broadcast zone, because the zoning behavior would not be the same across an HA failover. If the switch failed over, the broadcast zone would lose its special significance and would be treated as a regular zone.
3. Enter the cfgSave command to save the change to the defined configuration.
   The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile memory. If a transaction is open on a different switch in the fabric when this command is run, the transaction on the other switch is automatically aborted. A message displays on the other switches to indicate that the transaction was aborted.
Example

switch:admin> aliremove "array1", "1,2"
switch:admin> aliremove "array2", "21:00:00:20:37:0c:72:51"
switch:admin> aliremove "loop1", "4,6"
switch:admin> cfgsave
You are about to save the Defined zoning configuration. This
action will only save the changes on the Defined configuration.
Any changes made on the Effective configuration will not
take effect until it is re-enabled.
Do you want to save Defined zoning configuration only? (yes, y, no, n): [no] y

Deleting an alias

1.
Zone creation and maintenance

To create a broadcast zone, use the reserved name “broadcast”. Do not give a regular zone the name “broadcast”. See “Broadcast zones” on page 244 for additional information about this special type of zone.

Virtual Fabric considerations: Zone definitions should not include logical port numbers. Zoning is not enforced on logical ports.

Creating a zone

1. Connect to the switch and log in as admin.
2.
action will only save the changes on the Defined configuration.
Any changes made on the Effective configuration will not
take effect until it is re-enabled.
Do you want to save Defined zoning configuration only? (yes, y, no, n): [no] y

Removing devices (members) from a zone

1. Connect to the switch and log in as admin.
2. Enter the zoneRemove command, using the following syntax:
   zoneremove "zonename", "member[; member...]"
3.
Viewing a zone in the defined configuration

1. Connect to the switch and log in as admin.
2. Enter the zoneShow command, using the following syntax:
   zone­show [--sort] ["pattern"] [, mode]
   If no parameters are specified, the entire zone database (both the defined and effective configuration) is displayed.
The mode flag -m can be used to specify the zone database location. Supported mode flag values are:
• 0 - zone database from the current transaction buffer
• 1 - zone database stored in persistent storage
• 2 - currently effective zone database
If no mode option is given, the validated output of all three buffers is shown. If the -f option is specified, all zone members that are not enforceable are expunged from the transaction buffer.
4. Enter either the cfgSave, cfgEnable, or cfgDisable command to commit the change and distribute it to the fabric. The change is not committed and distributed across the fabric unless you enter one of these commands.
When enabling a new zone configuration, ensure that the size of the defined configuration does not exceed the maximum configuration size supported by all switches in the fabric. This is particularly important if you downgrade to a Fabric OS version that supports a smaller zone database than the current Fabric OS. In this scenario, the zone database in the current Fabric OS would have to be reduced to the smaller zone database size before the downgrade.
The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile memory. If a transaction is open on a different switch in the fabric when this command is run, the transaction on the other switch is automatically aborted. A message displays on the other switches to indicate that the transaction was aborted.

Example

switch:admin> cfgadd "newcfg", "bluezone"
switch:admin> cfgsave
You are about to save the Defined zoning configuration.
to one or more traffic isolation zones, the update may result in localized disruption
to traffic on ports associated with the traffic isolation zone changes.
Do you want to enable 'USA_cfg' configuration (yes, y, no, n): [no] y
zone config "USA_cfg" is in effect
Updating flash ...

Disabling a zone configuration

When you disable the current zone configuration, the fabric returns to non-zoning mode.
Any changes made on the Effective configuration will not
take effect until it is re-enabled.
Do you want to save Defined zoning configuration only? (yes, y, no, n): [no] y

Clearing changes to a configuration

1. Enter the cfgTransAbort command. When this command is executed, all changes since the last save operation (performed with the cfgSave, cfgEnable, or cfgDisable command) are cleared.
Viewing selected zone configuration information

1. Connect to the switch and log in as admin.
2. Enter the cfgShow command and specify a pattern.
   cfgshow "pattern"[, mode]

Example
The following example displays all zone configurations that start with “Test”:

switch:admin> cfgshow "Test*"
cfg:   Test1   Blue_zone
cfg:   Test_cfg   Purple_zone; Blue_zone

Viewing the configuration in the effective zone database

1. Connect to the switch and log in as admin.
2.
Zone object maintenance

The following procedures describe how to copy, delete, and rename zone objects. Depending on the operation, a zone object can be a zone member, a zone alias, a zone, or a zone configuration.

Copying a zone object

When you copy a zone object, the resulting object has the same name as the original. The zone object can be a zone configuration, a zone alias, or a zone.
1. Connect to the switch and log in as admin.
2.
 alias: array1  21:00:00:20:37:0c:76:8c; 21:00:00:20:37:0c:71:02
 alias: array2  21:00:00:20:37:0c:76:22; 21:00:00:20:37:0c:76:28
 alias: loop1   21:00:00:20:37:0c:76:85; 21:00:00:20:37:0c:71:df
Effective configuration:
 cfg:   USA_cfg
 zone:  Blue_zone
                1,1
                21:00:00:20:37:0c:76:8c
                21:00:00:20:37:0c:71:02
                1,2
                21:00:00:20:37:0c:76:22
                21:00:00:20:37:0c:76:28
 zone:  Purple_zone
                1,0
                21:00:00:20:37:0c:76:85
                21:00:00:20:37:0c:71:df

3. Enter the zone --expunge command to delete the zone object.
4. Enter the cfgShow command to verify that the renamed zone object is present.
5. If you want the change preserved when the switch reboots, enter the cfgSave command to save it to nonvolatile (flash) memory.
6. Enter the cfgEnable command for the appropriate zone configuration to make the change effective.
The database is the zone configuration database. (This is the data displayed as the “defined configuration” in the cfgShow command.) It is stored in nonvolatile memory by the cfgSave command. This database is a replicated database, which means that all switches in the fabric will have a copy of this database.
A merge is not possible if any of the following conditions exist:
- Configuration mismatch: Zoning is enabled in both fabrics and the zone configurations that are enabled are different in each fabric.
- Type mismatch: The name of a zone object in one fabric is used for a different type of zone object in the other fabric.
- Content mismatch: The definition of a zone object in one fabric is different from the definition of the zone object with the same name in the other fabric.
When two secure fabrics join, the traditional zoning merge does not occur. Instead, a zoning database is downloaded from the primary FCS switch of the merged secure fabric. When E_Ports are active between two switches, the name of the FCS server and a zoning policy set version identifier are exchanged between the switches.
TABLE 51  Zone merging scenarios (Continued)

Description | Switch A | Switch B | Expected results
Switch A and Switch B have different defined configurations. Switch B has an enabled configuration. | defined: cfg2 (zone2: ali3; ali4); effective: none | defined: cfg1 (zone1: ali1; ali2); effective: cfg1 | Clean merge. The new configuration will be a composite of the two, with cfg1 as the effective configuration.
Effective configuration mismatch. | | |
TABLE 51  Zone merging scenarios (Continued)

Description | Switch A | Switch B | Expected results
Different default zone access mode settings. | defzone: allaccess | defzone: noaccess | Clean merge — noaccess takes precedence and defzone configuration from Switch B propagates to fabric.
Different default zone access mode settings. | defzone: noaccess | |
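The three merge-blocking conditions listed above and the Table 51 precedence rules (the enabled configuration wins, noaccess beats allaccess) can be checked before two fabrics are joined. The following Python is an added example, not Fabric OS code: the dict-based `ZoneDb` layout, the `merge_conflicts` and `merge` functions and the sample databases are assumptions, and member order is ignored when comparing content.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# A zone object is its kind ("cfg", "zone" or "alias") plus its member set.
# This layout is an assumption made for the example, not a Fabric OS format.
ZoneObject = Tuple[str, FrozenSet[str]]


@dataclass
class ZoneDb:
    """One fabric's zone database as cfgShow presents it (defined + effective)."""
    defined: Dict[str, ZoneObject] = field(default_factory=dict)
    effective: Optional[str] = None   # enabled cfg name; None = zoning disabled
    defzone: str = "allaccess"        # default zone access mode


def merge_conflicts(a: ZoneDb, b: ZoneDb) -> List[str]:
    """Return the conditions that make a merge impossible (empty = mergeable)."""
    problems = []
    # Configuration mismatch: zoning enabled on both sides with different cfgs.
    if a.effective and b.effective and a.effective != b.effective:
        problems.append(
            f"configuration mismatch: {a.effective} enabled in A, "
            f"{b.effective} enabled in B")
    for name in sorted(set(a.defined) & set(b.defined)):
        kind_a, members_a = a.defined[name]
        kind_b, members_b = b.defined[name]
        if kind_a != kind_b:
            # Type mismatch: the same name used for different object types.
            problems.append(
                f"type mismatch: {name} is a {kind_a} in A but a {kind_b} in B")
        elif members_a != members_b:
            # Content mismatch: same name and type, different definition.
            problems.append(f"content mismatch: {name} is defined differently")
    return problems


def merge(a: ZoneDb, b: ZoneDb) -> ZoneDb:
    """Compute the post-merge database, or raise if the merge would fail."""
    problems = merge_conflicts(a, b)
    if problems:
        raise ValueError("; ".join(problems))
    return ZoneDb(
        # Clean merge: the defined configuration is a composite of the two.
        defined={**a.defined, **b.defined},
        # Whichever side has an enabled configuration supplies it.
        effective=a.effective or b.effective,
        # noaccess takes precedence over allaccess (Table 51).
        defzone="noaccess" if "noaccess" in (a.defzone, b.defzone) else "allaccess",
    )


def table51_scenario() -> ZoneDb:
    """The Table 51 row above: different defined cfgs, only Switch B enabled."""
    switch_a = ZoneDb(
        defined={"cfg2": ("cfg", frozenset({"zone2"})),
                 "zone2": ("zone", frozenset({"ali3", "ali4"}))},
        effective=None, defzone="allaccess")
    switch_b = ZoneDb(
        defined={"cfg1": ("cfg", frozenset({"zone1"})),
                 "zone1": ("zone", frozenset({"ali1", "ali2"}))},
        effective="cfg1", defzone="noaccess")
    return merge(switch_a, switch_b)


def mismatch_scenario() -> List[str]:
    """Constructed failing case: both sides enabled, a name reused, content differs."""
    switch_a = ZoneDb(
        defined={"cfg1": ("cfg", frozenset({"zone1"})),
                 "zone1": ("zone", frozenset({"ali1", "ali2"})),
                 "ali1": ("alias", frozenset({"10:00:00:00:00:01:00:00"}))},
        effective="cfg1")
    switch_b = ZoneDb(
        defined={"cfg2": ("cfg", frozenset({"zone1"})),
                 "zone1": ("zone", frozenset({"ali1", "ali9"})),
                 "ali1": ("zone", frozenset({"1,1"}))},
        effective="cfg2")
    return merge_conflicts(switch_a, switch_b)


if __name__ == "__main__":
    merged = table51_scenario()
    print("effective:", merged.effective, "defzone:", merged.defzone)
    for problem in mismatch_scenario():
        print("merge blocked:", problem)
```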
Chapter 12  Traffic Isolation Zoning

In this chapter
• Traffic Isolation Zoning overview
• Enhanced TI zones
• Traffic Isolation Zoning over FC routers
• General rules for TI zones
Traffic Isolation Zoning overview

Figure 34 shows a fabric with a TI zone consisting of the following:
• N_Ports: “1,7”, “1,8”, “4,5”, and “4,6”
• E_Ports: “1,1”, “3,9”, “3,12”, and “4,7”
The dotted line indicates the dedicated path between the initiator in Domain 1 to the target in Domain 4.
TABLE 52  Comparison of traffic behavior when failover is enabled or disabled in TI zones

Failover enabled | Failover disabled
If the dedicated path is not the shortest path or if the dedicated path is broken, the TI zone traffic will use a non-dedicated path instead. | If the dedicated path is not the shortest path or if the dedicated path is broken, traffic for that TI zone is halted until the dedicated path is fixed.
• For the Brocade 300, 5000, 5100, 5300, 5410, 5424, 5450, 5460, 5470, 5480, 7800, 8000, VA-40FC, DCX, DCX-4S, and Brocade Encryption Switch: Domain controller frames can use any path between switches. Disabling failover does not affect Domain Controller connectivity. For example, in Figure 35, if failover is disabled, Domain 2 can continue to send domain controller frames to Domain 3 and 4, even though the path between Domain 1 and Domain 3 is a dedicated path.
• If failover is disabled, non-TI zone traffic is blocked because it cannot use the dedicated ISL, which is the lowest cost path. For example, in Figure 36, there is a dedicated path between Domain 1 and Domain 3, and another, non-dedicated, path that passes through Domain 2. If failover is enabled, all traffic will use the dedicated path, because the non-dedicated path is not the shortest path.
Enhanced TI zones

Prior to Fabric OS v6.4.0, a port could be in only one TI zone at a time. Starting in Fabric OS v6.4.0, ports can be in multiple TI zones at the same time. Zones with overlapping port members are called enhanced TI zones (ETIZ). Figure 38 shows an example of two TI zones. Because these TI zones have an overlapping port (3,8), they are enhanced TI zones.
FIGURE 39  Illegal ETIZ configuration (labels: Domain 1 with Host 1 and Host 2, Domain 2, Domain 3 with the Target; legend: ETIZ 1, ETIZ 2)

The Fabric OS routing implementation does not support separate routes to separate ports on a destination domain. Configurations such as this should be avoided. See “Additional configuration rules for enhanced TI zones” on page 278 for more information about enhanced TI zones.
Traffic Isolation Zoning over FC routers

FIGURE 40  Traffic Isolation Zoning over FCR (labels: Edge fabric 1, Backbone fabric, Edge fabric 2; legend: dedicated path set up by TI zone in edge fabric 1, dedicated path set up by TI zone in edge fabric 2, dedicated path set up by TI zone in backbone fabric)

In addition to setting up TI zones, you must also ensure that the devices are in an LSAN zone so that they can communicate with each other.
In the TI zone, when you designate E_Ports between the front and xlate phantom switches, you must use -1 in place of the “I” in the D,I notation. Both the front and xlate domains must be included in the TI zone.
Using D,I and port WWN notation, the members of the TI zone in Figure 42 are:
1,1 (EX_Port for FC router 1)
1,4 (VE_Port for FC router 1)
2,7 (VE_Port for FC router 2)
2,1 (EX_Port for FC router 2)
10:00:00:00:00:01:00:00 (Port WWN for the host)
10:00:00:00:00:02:00:00 (Port WWN for target 1)
10:00:00:00:00:03:00:00 (Port WWN for target 2)

Limitations of TI zones over FC routers

Be aware of the following when configuring TI zones over FC routers:
• A TI zone defined within
For example, in Figure 43, the TI zone was configured incorrectly and E_Port “3,9” was erroneously omitted from the zone. The domain 3 switch assumes that traffic coming from E_Port 9 is not part of the TI zone and so that traffic is routed to E_Port 11 instead of E_Port 12, if failover is enabled. If failover is disabled, the route is broken and traffic stops.
TI over FCR is not backward compatible with Fabric OS v6.0.x or earlier. The -1 in the domain,index entries causes issues to legacy switches in a zone merge. Firmware downgrade is prevented if TI over FCR zones exist.
• Two N_Ports that have the same shared area should not be configured in different TI zones. This limitation does not apply to E_Ports that use the same shared area on the FC4-48 and FC8-48 port blades.
• Ports that are in different TI zones cannot communicate with each other if failover is disabled.
• TI zone members that overlap must have the same TI failover policy across all TI zones to which they belong.
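The last rule above (overlapping members must share one failover policy) is easy to check mechanically once the TI zones are parsed, and the same parser has to accept the -1 index form used for FCR front/xlate E_Ports. The following Python is an added example, not Fabric OS code: the `zone --show` text is a constructed sample whose whitespace layout is an assumption (the zone names and port lists are the ones quoted later in this chapter), and `parse_member`, `parse_zone_show` and `failover_conflicts` are names chosen for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

# Constructed sample in the layout of zone --show output; column spacing is an
# assumption for the example, the zone names and port lists come from the page.
SAMPLE_ZONE_SHOW = """\
Defined TI zone configuration:
TI Zone Name:       bluezone:
Port List:          8,3; 8,5; 9,2; 9,3;
Configured Status:  Deactivated / Failover-Disabled
Enabled Status:     Activated / Failover-Enabled
TI Zone Name:       greenzone:
Port List:          2,2; 3,3; 4,11; 5,3;
Configured Status:  Activated / Failover-Enabled
Enabled Status:     Activated / Failover-Enabled
"""

# A TI zone member is either (domain, index) in D,I notation or a port WWN.
Member = Union[Tuple[int, int], str]

WWN_RE = re.compile(r"([0-9a-f]{2}:){7}[0-9a-f]{2}", re.I)
DI_RE = re.compile(r"(\d+),(-1|\d+)")   # index -1: FCR front/xlate E_Port


@dataclass
class TiZone:
    name: str
    members: List[Member] = field(default_factory=list)
    activated: bool = True
    failover: bool = True


def parse_member(text: str) -> Member:
    """Parse one port-list entry; rejects anything that is not D,I or a WWN."""
    text = text.strip()
    if WWN_RE.fullmatch(text):
        return text.lower()
    m = DI_RE.fullmatch(text)
    if m is None:
        raise ValueError(f"not a D,I or port WWN member: {text!r}")
    return int(m.group(1)), int(m.group(2))


def parse_zone_show(output: str) -> List[TiZone]:
    """Build TiZone records from zone --show text (the configured status is used,
    i.e. what the defined configuration will enforce once cfgEnable is run)."""
    zones: List[TiZone] = []
    for line in output.splitlines():
        key, sep, value = line.partition(":")   # WWNs keep their later colons
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "TI Zone Name":
            zones.append(TiZone(name=value.rstrip(":")))
        elif key == "Port List" and zones:
            zones[-1].members = [parse_member(p) for p in value.split(";") if p.strip()]
        elif key == "Configured Status" and zones:
            state, _, policy = value.partition("/")
            zones[-1].activated = state.strip() == "Activated"
            zones[-1].failover = policy.strip() == "Failover-Enabled"
    return zones


def failover_conflicts(zones: List[TiZone]) -> List[Tuple[Member, str, str]]:
    """Members shared by zones with differing failover policy: (member, zone, zone)."""
    first_seen: Dict[Member, Tuple[bool, str]] = {}
    conflicts = []
    for zone in zones:
        for member in zone.members:
            policy, owner = first_seen.setdefault(member, (zone.failover, zone.name))
            if policy != zone.failover:
                conflicts.append((member, owner, zone.name))
    return conflicts


def overlap_example() -> List[Tuple[Member, str, str]]:
    """Constructed ETIZ case: 'redzone' (failover enabled) shares 8,3 with bluezone
    (failover disabled) and also spans an FCR phantom E_Port written as 1,-1."""
    zones = parse_zone_show(SAMPLE_ZONE_SHOW)
    zones.append(TiZone("redzone", [parse_member("8,3"), parse_member("1,-1")],
                        activated=True, failover=True))
    return failover_conflicts(zones)


if __name__ == "__main__":
    for member, first, second in overlap_example():
        print(f"member {member} has different failover policy in {first} and {second}")
```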
FIGURE 44  Dedicated path with Virtual Fabrics (labels: Host, Domain 8; Target, Domain 9; Chassis 1; Chassis 2; LS1, FID1, Domain 5; LS2, FID3, Domain 6; LS3, FID1, Domain 3; LS4, FID3, Domain 4; Domain 7; Base switch Domain 1; Base switch Domain 2; XISLs; legend: dedicated path, ports in the TI zones)

Figure 45 shows a logical representation of FID1 in Figure 44.
Using D,I notation, the port numbers for the TI zones in the logical fabric and base fabric are as follows:

Port members for the TI zone in logical fabric:
8,8   F_Port
8,1   E_Port
3,3   E_Port
3,10  E_Port
5,16  E_Port
5,8   E_Port
9,5   E_Port
9,9   F_Port

Port members for the TI zone in base fabric:
1,3   E_Port for ISL in logical switch
1,10  E_Port for XISL
7,12  E_Port for XISL
7,14  E_Port for XISL
2,16  E_Port for XISL
2,8   E_Port for ISL in logical
FIGURE 48  Logical representation of TI zones over FC routers in logical fabrics (labels: Edge fabric, Fabric 1; Backbone fabric; Edge fabric, Fabric 3; switches SW1, SW2, SW3, SW6)

Creating a TI zone

You create and modify TI zones using the zone command. Other zoning commands, such as zoneCreate, aliCreate, and cfgCreate, cannot be used to manage TI zones. When you create a TI zone, you can set the state of the zone to activated or deactivated.
   Be aware of the ramifications if you create a TI zone with failover mode disabled. See “TI zone failover” on page 268 for information about disabling failover mode.
3. Enter the cfgEnable command to reactivate your current effective configuration and enforce the TI zones.
   cfgenable "current_effective_configuration"

Example of creating a TI zone
The following examples create a TI zone named “bluezone”, which contains E_Ports 1,1 and 2,4 and N_Ports 1,8 and 2,6.
Creating a TI zone in a base fabric

1. Connect to the switch and log in as admin.
2. Create a “dummy” zone configuration in the base fabric. For example:
   zone --create "z1", "1,1"
   cfgcreate "base_config", z1
3. Enter the zone --create command to create the TI zone in the base fabric:
   zone --create -t objtype -o f name -p "portlist"
   The disable failover option is not supported in base fabrics.
4.
   Be aware of the ramifications if you disable failover mode. See “TI zone failover” on page 268 for information about disabling failover mode.
3. Enter the cfgEnable command to reactivate your current effective configuration and enforce the TI zones.
Deleting a TI zone

Use the zone --delete command to delete a TI zone from the defined configuration. This command deletes the entire zone; to only remove port members from a TI zone, use the zone --remove command, as described in “Modifying TI zones” on page 284.

1. Connect to the switch and log in as admin.
2. Enter the zone --delete command.
   zone --delete name
   You can delete multiple zones by separating the zone names with a semicolon and enclosing them in quotation marks.
3.
To display information about all TI zones in the defined configuration in ascending order:
switch:admin> zone --show -ascending
Defined TI zone configuration:
TI Zone Name:       bluezone:
Port List:          8,3; 8,5; 9,2; 9,3;
Configured Status:  Deactivated / Failover-Disabled
Enabled Status:     Activated / Failover-Enabled
TI Zone Name:       greenzone:
Port List:          2,2; 3,3; 4,11; 5,3;
Configured Status:  Activated / Failover-Enabled
Enabled Status:     Activated / Failover-Enabled
T
NOTE
In the following procedure the three TI zones in the edge and backbone fabrics are all given the same name, TI_Zone1. It is not required that the TI zones have the same name, but this is done to avoid confusion. If several dedicated paths are set up across the FC router, the TI zones for each path can have the same name.
1.
3. Log in to the edge fabric 2 and set up the TI zone.
   a. Enter the fabricShow command to display the switches in the fabric. From the output, you can determine the front and translate domains.
E2switch:admin> fabricshow
Switch ID   Worldwide Name            Enet IP Addr   FC IP Addr   Name
------------------------------------------------------------------------
  1: fffc01  50:00:51:e3:95:36:7e:09  0.0.0.0        0.0.0.0      "fcr_fd_1"
  4: fffc04  50:00:51:e3:95:48:9f:a1  0.0.0.0        0.0.0.
   b. Enter the following commands to reactivate your current effective configuration and enforce the TI zones.
BB_DCX_1:admin> cfgactvshow
Effective configuration:
 cfg:   cfg_TI
 zone:  lsan_t_i_TI_Zone1
                10:00:00:00:00:00:02:00:00
                10:00:00:00:00:00:03:00:00
                10:00:00:00:00:00:08:00:00
BB_DCX_1:admin> cfgenable cfg_TI
You are about to enable a new zoning configuration.
This action will replace the old zoning configuration with the current configuration selected.
Chapter 13  Administering NPIV

In this chapter
• NPIV overview
• Configuring NPIV
• Enabling and disabling NPIV
• Viewing NPIV port configuration information
==============================================
  0   0   010000   id    N4   Online   FC  F-Port  20:0c:00:05:1e:05:de:e4 0xa06601
  1   1   010100   id    N4   Online   FC  F-Port  1 N Port + 4 NPIV public
  2   2   010200   id    N4   Online   FC  F-Port  1 N Port + 119 NPIV public
  3   3   010300   id    N4   Online   FC  F-Port  1 N Port + 221 NPIV public

On the Brocade DCX and DCX-4S with the FC8-64 blade, the base port is not included in the NPIV device count. The following example shows only 63 NPIV devices total.
TABLE 53  Number of supported NPIV devices (Continued)

Platform | Virtual Fabric | Logical switch type | NPIV support
DCX-4S | Enabled | Logical switch | Yes, 255 virtual device limit.3
DCX-4S | Enabled | Base switch | No.

1. Maximum limit support takes precedence if user-configured maximum limit is greater. This applies to shared areas on the FC4-48, FC8-48, and FC8-64 port blades.
2.
VC Link Init         OFF
Locked L_Port        OFF
Locked G_Port        OFF
Disabled E_Port      OFF
Locked E_Port        OFF
ISL R_RDY Mode       OFF
RSCN Suppressed      OFF
Persistent Disable   OFF
LOS TOV enable       OFF
NPIV capability      ON
QOS E_Port           OFF
Port Auto Disable:   OFF
Rate Limit           OFF
EX Port              OFF
Mirror Port          OFF
Credit Recovery      ON
F_Port Buffers       OFF
NPIV PP Limit:       176
CSCTL mode:          OFF

Enabling and disabling NPIV

On the Brocade 300, 4100, 4900, 5000, 5100, 5300, and 8000 switches, the Brocade 5410, 5424, 5450, 5460,
Ports of Slot 0      0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
-----------------+--+--+--+--+----+--+--+--+----+--+--+--+----+--+--+--
Speed             AN AN AN AN AN AN AN AN AN AN AN AN AN AN AN AN
Trunk Port        ON ON ON ON ON ON ON ON ON ON ON ON ON ON ON ON
Long Distance     .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..
VC Link Init      .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..
Locked L_Port     .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..
Locked G_Port     .. .. .. .. .. .. .. .. ..
portState: 1Online
portPhys:  6In_Sync
portScn:   32F_Port
port generation number: 148
portId: 630200
portIfId: 43020005
portWwn: 20:02:00:05:1e:35:37:40
portWwn of device(s) connected:
    c0:50:76:ff:fb:00:16:fc
    c0:50:76:ff:fb:00:16:f8
    ...
Chapter 14  Interoperability for Merged SANs

In this chapter
• Interoperability overview
• Connectivity solutions
• Domain ID offset modes
• McDATA Fabric mode configuration restrictions
• InteropMode 2 for McDATA Fabric mode, which supports M-EOS switches running in McDATA Fabric mode.
• InteropMode 3 for McDATA Open Fabric mode, which supports M-EOS switches running in Open Fabric mode. McDATA Open Fabric mode is intended specifically for adding Fabric OS-based products to M-EOS fabrics that are already using Open Fabric mode. Fabrics containing only Fabric OS switches in Open Fabric mode are not supported.
FIGURE 50  Typical direct E_Port configuration

Domain ID offset modes

The domain ID offset in interopmode 3 (IM3) allows an M-EOS switch to operate in a fabric that contains domain IDs other than 1-31. In interopmode 2 (IM2) the domain ID offset can only be in the 1-31 range. In IM3, the domain ID offset only changes the range of domain IDs used; the restriction of 31 switches in a fabric remains.
TABLE 54  Internal representations of ID domain offsets in IM2

Domain Offset | Domain ID | PID Area affected
0x00 | 0x01 | 01XXYY
0x20 | 0x21 | 21XXYY
0x40 | 0x41 | 41XXYY
0x60 | 0x01 | 61XXYY
0x80 | 0x81 | 81XXYY
0xA0 | 0xA1 | A1XXYY
0xC0 | 0xC1 | C1XXYY

TABLE 55  Internal representations of ID domain offsets in IM3
• Domain ID offset mode — In this mode, you can set the Domain ID Offset to any one of the following values: 0x00, 0x20, 0x40, 0x80, 0xA0, or 0xC0. Supported Domain ID ranges are: 1-31, 33-63, 65-95, 129-159, 161-191, 193-223.
  In IM2: once the domain ID offset is set, you only need to enter a decimal number in the 1-31 range when configuring a Domain ID. There is no need to derive the Domain ID by subtracting the offset.
• Platform management functions must be deactivated before connecting a Fabric OS switch to an M-EOS switch because M-EOS switches do not understand the Brocade proprietary frames used to exchange platform information.
• In the default domain ID mode, the domain IDs of all switches in the fabric must fall within the decimal range 1-31 or 97-127.
In a Virtual Fabric, the logical switch used to communicate among different logical switches is called the base switch and it must be in Brocade Native mode. If you set a logical switch to interopmode 2 or interopmode 3, it cannot use the logical links between two logical switches if they were connected using extended ISLs that were formed as part of the base fabric.
1. Verify that you have implemented all the Brocade prerequisites necessary to enable interopMode 3 on the fabric (see “McDATA Open Fabric mode configuration restrictions” on page 302).
2. Connect to the switch and log in using an account assigned to the admin role.
3. Enter the switchDisable command.
   switch:admin> switchdisable
4.
The switch effective and defined configuration will be lost if interop Mode is changed.
Interop Mode or Domain Offset Will Be Changed and switch will be Enabled
Do you want to continue? (yes, y, no, n): [no] y
6. Repeat step 2 through step 5 on each Fabric OS switch in the fabric. For more information on the switch, refer to the switch documentation.
7.
Zone management in interoperable fabrics

McDATA Fabric and McDATA Open Fabric modes support zone activation using an M-series management tool such as Data Center Fabric Manager (DCFM) or Web Tools. The command line interface (CLI) can also be used as a zone management tool for both IM2 and IM3. CLI commands are very limited in IM3; the CLI commands available for IM3 are those for Frame Redirect support. All management tools can be launched at one time.
• Zoning using domain,port notation is allowed. Zone configurations that use either physical port numbers or port IDs are supported.
• Zoning using domain,index notation is allowed only in McDATA Fabric mode (IM2), not in Open Fabric mode (IM3).

Zone name restrictions

The name value must contain the ASCII characters that actually specify the name, not including any required fill bytes.
Safe zoning mode

The safe zoning mode is a fabric-wide parameter that ensures that the resulting zone set of two merged fabrics is consistent with the pre-merged zone sets. When you enable the safe zoning mode, the default zoning mode must be disabled and the zoning configuration of neighboring switches must match completely before the zoning can merge.

ATTENTION
Safe zoning mode is only available in fabrics with their interoperable mode set to 2.
Effective zone configuration

An effective zone configuration is a subset of the defined zone configuration, containing only the zone configuration objects that are currently enabled; only one configuration can be effective at a time, but multiple configurations can be defined in the database. The effective zone set or zone configuration must correctly propagate to the other switches in the fabric.
Frame Redirection in interoperable fabrics

Frame Redirection provides a means to redirect traffic flow between a host and a target to virtualization and encryption applications so that those applications can perform without having to reconfigure the host and target. Use this feature if the hosts and targets are not directly attached to M-EOS switches.
Brocade SANtegrity implementation in mixed fabric SANs

SANtegrity is required only in legacy M-EOS fabrics running DCFM management software. In mixed fabrics, FICON requires using Fabric Binding to define switches, and to verify the inter-switch link (ISL) restrictions.
Because M-EOS only supports DH-CHAP authentication, not all Fabric OS authentication configurations work when connected to an M-EOS switch. With DH-CHAP authentication, you must configure the shared secrets on both switches. For details on procedures to configure shared secrets, see Chapter 7, “Configuring Security Policies”. Table 56 describes the Fabric OS authentication types.
Table 59 describes the device authentication mode.

TABLE 59  Device authentication mode

Fabric OS authentication mode | M-EOS support | M-EOS switch explanation
Off | N/A | Not used for E_Port authentication.
Passive | N/A | Not used for E_Port authentication.

Switch authentication policy

There are differences in the Switch Authentication policies between the Fabric OS switch and the M-EOS switch.
Authentication policy when the secrets are not correct

Table 61 and Table 62 show the connection status for the cases where the authentication secrets are incorrect. Table 61 shows the E_Port connection status when the Fabric OS switch does not have the correct secret for the M-EOS switch.
TABLE 62  Switch authentication policy: M-EOS switch with the incorrect peer secret for Fabric OS switch

Peer policy | Fabric OS switch: Passive | Active | On | Off
On | No. E_Port does not connect (Authentication Rejected). When the Fabric OS switch generates the reject, it disables the Fabric OS port. When the M-EOS switch generates the reject, it goes to an invalid attachment state. | No. E_Port does not connect (Authentication Rejected).
TABLE 63  Switch authentication policy when connected to an M-EOS dumb switch

Fabric OS switch: Passive | Active | On | Off
Yes. Connected without any authentication (Fabric builds normally). | No. E_Port does not connect (Authentication Rejected). When the Fabric OS switch generates the reject, it disables the Fabric OS port. When the M-EOS switch generates the reject, it goes to an invalid attachment state.
Authentication of VE_Port-to-VE_Port connections

Although running authentication for VE_Ports works the same as for E_Ports, for VE_Ports, both sides of the connection are on the Fabric OS switches. Table 64 shows the switch authentication policy for VE_Port-to-VE_Port connections when all the secrets are correct. Note that there is no *Yes in the table indicating one-way authentication.
TABLE 64  VE_Port-to-VE_Port authentication policy with correct switch secret (Continued)

Peer policy | Fabric OS switch VE_Port to VE_Port: Passive | Active | On | Off
On | Yes! Connected with two-way authentication; both sides of the connection perform authentication (Fabric builds normally). | Yes! Connected with two-way authentication; both sides of the connection perform authentication (Fabric builds normally).
TABLE 65  VE_Port-to-VE_Port authentication policy with unknown switch secret

Peer policy | Fabric OS switch VE_Port to VE_Port: Passive | Active | On | Off
Passive | Yes. Connected without any authentication (Fabric builds normally). | No. E_Port does not connect (Authentication Rejected). When the Fabric OS switch generates the reject, it disables the Fabric OS port. When the M-EOS switch generates the reject, it goes to an invalid attachment state.
TABLE 65  VE_Port-to-VE_Port authentication policy with unknown switch secret (Continued)

Peer policy | Fabric OS switch VE_Port to VE_Port: Passive | Active | On | Off
On | No. E_Port does not connect (Authentication Rejected). When the Fabric OS switch generates the reject, it disables the Fabric OS port. When the M-EOS switch generates the reject, it goes to an invalid attachment state. | No. E_Port does not connect (Authentication Rejected).
TABLE 66  VEX_Port-to-VE_Port authentication policy with correct secrets

Peer policy | Fabric OS switch VEX_Port-to-VE_Port: Passive | Active | On | Off
Passive | Yes. Connected without any authentication (Fabric builds normally). | Yes! Connected with two-way authentication; both sides of the connection perform Authentication (Fabric builds normally). | Yes! Connected with two-way authentication; both sides of the connection perform Authentication (Fabric builds normally).
FCR implements a simplified version of Fabric Binding that is passive and only checks whether its own Front Port domain ID and WWN pair is present in the Fabric Binding list that is sent from an M-EOS switch.

CAUTION
In FOS-only McDATA Fabric Mode fabrics that have Fabric Binding activated, fabric disruptions may occur if there are any FOS switches that do not have insistent domain ID enabled. Fabric Binding activation or deactivation is a fabric-wide event.
1. Connect to the switch and log in using an account assigned to the admin role. Ensure that the port is offline to configure the preferred domain ID.
2. Enter the portCfgEXPort command. For McDATA Fabric mode, the valid range of domain IDs is from 1-31. For McDATA Open Fabric mode, the valid range of domain IDs is from 97-127.
   For example, to set preferred domain ID to 5 on port 2 in McDATA Fabric mode:
   switch:admin> portcfgexport 2 -d 5
3. Enable the EX_Port.
Coordinated Hot Code Load

Coordinated Hot Code Load (HCL) removes the limitations on the number of E_Ports that can be supported. Fabric OS v6.2.0 and later supports Coordinated HCL on all Fabric OS switches when connected to a mixed fabric with M-EOS switches running in either McDATA Fabric or McDATA Open Fabric mode.
If you select yes, the firmwareDownload operation proceeds without making the normal Coordinated HCL checks. The firmwareDownload -o command upgrades both CPs in the switch.

Coordinated HCL on switch firmware downloads

If the firmwareDownload command is entered with both the -s and -b (auto-reboot) options, a best effort will be made to run Coordinated HCL. If one or more switches in the fabric do not support Coordinated HCL, the firmware download process will still continue.
TABLE 68  McDATA-aware features (Continued)

Feature | Behavior
FICON and FICON CUP | Fabric Binding is required for FICON support in mixed fabrics. Cascaded CUP and Missing Interrupt Handler Process Timeout (MIHPTO), which should be set to 60, are supported. Cascaded CUP is only supported in McDATA Fabric mode.
Long distance | The configure command displays the number of buffer credits allocated to a port.
TABLE 70  Complete feature compatibility matrix (Continued)

Feature | Support | Notes
DHCP | Yes |
Environmental monitor | Yes |
Error event management | Yes |
Fabric Device Management Interface (FDMI) | Yes |
Fabric Watch (FW) | Yes |
Fibre Channel over Ethernet (FCoE) | No | McDATA Fabric mode and McDATA Open Fabric mode are not supported on the Brocade 8000.
TABLE 70  Complete feature compatibility matrix (Continued)

Feature | Support | Notes
Speed negotiation | Yes |
syslog daemon | Yes |
QoS | No |
Trunking | | • Frame-level ISL Trunking from Fabric OS to Fabric OS: Yes; McDATA Fabric mode only • Frame-level ISL Trunking from Fabric OS to M-EOS: No • Load balancing from Fabric OS to Fabric OS using DLS or DPS: Yes • Load balancing from Fabric OS to M-EOS using DLS or DPS: Yes
Value Line Options (Static POD, DPOD) | Yes |
Virtual fabrics | Y
• Trunking
  Fabric OS switches support trunking when participating in Brocade Native, McDATA Fabric, or McDATA Open Fabric mode. Trunk ports (bandwidth aggregation) only apply to an ISL between two Fabric OS switches. Note the following:
  - Fabric OS frame-based trunking
    Fabric OS frame-based trunking is supported for ISLs between two Fabric OS switches.
TABLE 71  Fabric OS interoperability with M-EOS

Fabric OS v6.2.0 | Fabric OS v6.3.0 | Fabric OS v6.4.
Supported features in an interoperable environment

TABLE 72  Supported Fabric OS features

Fabric OS Features | Fabric OS v6.2.0, Interop mode 2 | Fabric OS v6.2.0, Interop mode 3 | Fabric OS v6.3.0 and v6.4.0, Interop mode 2 | Fabric OS v6.3.0 and v6.4.0, Interop mode 3
Dynamic Load Sharing (DLS); port based routing | Yes | Yes | Yes | Yes
Dynamic Path Selection (DPS); exchange based routing | Yes. Supported outbound from Fabric OS-based switches. M-EOS can provide reciprocal load balancing using OpenTrunking.
Unsupported features in an interoperable environment

The following optional features are not supported in McDATA Fabric and McDATA Open Fabric modes and cannot be installed on any Fabric OS switch in the fabric:
• Administrative Domains
• Quickloop and QuickLoop Zoning
• Timer Server function
• Open E_Port
• Broadcast Zoning
• Management Server service and FDMI
• Alias Server
• Platform services
• Top Talkers
• Advanced Performance Monitoring
Chapter 15  Managing Administrative Domains

In this chapter
• Administrative Domains overview . . . 335
• Admin Domain management for physical fabric administrators . . . 344
• SAN management with Admin Domains
Administrative Domains overview

FIGURE 51  Fabric with two Admin Domains (labels: AD1, AD2)

Figure 52 shows how users get a filtered view of this fabric, depending on which Admin Domain they are in. As shown in Figure 52, users can see all switches and E_Ports in the fabric, regardless of their Admin Domain; however, the switch ports and end devices are filtered based on Admin Domain membership.
Admin Domain features

Admin Domains allow you to:
• Define the scope of an Admin Domain to encompass ports and devices within a switch or a fabric.
• Share resources across multiple Admin Domains. For example, you can share array ports and tape drives between multiple departments. In Figure 51 on page 336, one of the storage devices is shared between AD1 and AD2.
• Have a separate zone database for each Admin Domain.
Admin Domain access levels

Admin Domains offer a hierarchy of administrative access. To manage Admin Domains, you must be a physical fabric administrator. A physical fabric administrator is a user with the admin role and access to all Admin Domains (AD0 through AD255). Only a physical fabric administrator can perform Admin Domain configuration and management. Other administrative access is determined by your defined RBAC role and AD membership.
Initially, the AD0 implicit membership list contains all devices, switch ports, and switches in the fabric. When you explicitly create AD1 through AD254, the devices, switch ports, and switches used to create these user-defined Admin Domains disappear from the AD0 implicit membership list.
FIGURE 53 Fabric with AD0 and AD255

Admin Domains and login

You are always logged in to an Admin Domain, and you can view and modify only the devices in that Admin Domain. If you have access to more than one Admin Domain, one of them is designated as your home Admin Domain, the one you are automatically logged in to.
Admin Domain member types

You define an Admin Domain by identifying members of that domain. Admin Domain members can be devices, switch ports, or switches. Defining these member types is similar to defining a traditional zone member type. An Admin Domain does not require or have a new domain ID or management IP address linked to it.
Switch members

Switch members are defined by the switch WWN or domain ID, and have the following properties:
• A switch member grants administrative control to the switch.
• A switch member grants port control for all ports in that switch.
• A switch member allows switch administrative operations such as disabling and enabling a switch, rebooting, and firmware downloads.
• A switch member does not provide zoning rights for the switch ports or devices.
FIGURE 54 Fabric showing switch and device WWNs

Figure 55 shows the filtered view of the fabric as seen from AD3 and AD4. The switch WWNs are converted to the NAA=5 syntax; the device WWNs and domain IDs remain the same.
Admin Domain compatibility, availability, and merging

Admin Domains maintain continuity of service for Fabric OS features and operate in mixed-release Fabric OS environments. High availability is supported with some backward compatibility. When an E_Port comes online, the adjacent switches merge their AD databases.
1. Log in to the switch with the appropriate RBAC role.
2. Ensure you are in the AD0 context by entering the ad --show command to determine the current Admin Domain. If necessary, switch to the AD0 context by entering the ad --select 0 command.
3. Set the default zoning mode to No Access, as described in “Setting the default zoning mode” on page 252.
5. Enter the ad --create command using the -d option to specify device and switch port members and the -s option to specify switch members:
   ad --create ad_id -d "dev_list" -s "switch_list"
6. Enter the appropriate command based on whether you want to save or activate the Admin Domain definition:
   • To save the Admin Domain definition, enter ad --save.
Creating a new user account for managing Admin Domains

1. Connect to the switch and log in as admin.
2. Enter the userConfig --add command using the -r option to set the role, the -a option to provide access to Admin Domains, and the -h option to specify the home Admin Domain.
Removing an Admin Domain from a user account

When you remove an Admin Domain from an account, all of the currently active sessions for that account are logged out.
1. Connect to the switch and log in using an account assigned to the admin role.
2.
Deactivating an Admin Domain

If you deactivate an Admin Domain, the members assigned to the Admin Domain can no longer access their hosts or storage unless those members are part of another Admin Domain. You cannot log in to an Admin Domain that has been deactivated. You must activate an Admin Domain before you can log in to it.
1. Connect to the switch and log in as admin.
2.
4. Enter the appropriate command based on whether you want to save or activate the Admin Domain definition:
   • To save the Admin Domain definition, enter ad --save.
   • To save the Admin Domain definition and directly apply the definition to the fabric, enter ad --apply.

Example
The following example adds two switch ports, designated by domain,index, to AD1.
3. Enter the ad --rename command with the present name and the new name.
   ad --rename present_name new_name
4. Enter the appropriate command based on whether you want to save or activate the Admin Domain definition:
   • To save the Admin Domain definition, enter ad --save.
   • To save the Admin Domain definition and directly apply the definition to the fabric, enter ad --apply.
The Admin Domain numbers remain unchanged after the operation.
Deleting all user-defined Admin Domains

When you clear the Admin Domain configuration, all user-defined Admin Domains are deleted, the explicit membership list of AD0 is cleared, and all fabric resources (switches, ports, and devices) are returned to the implicit membership list of AD0. You cannot clear the Admin Domain configuration if zone configurations exist in any of the user-defined Admin Domains.
where:
   source_AD     Name of the user-defined AD from which you are copying the zone.
   source_name   Name of the zone to be copied.
   dest_name     Name to give the zone after it is copied to AD0.
4. Copy the newly added zones in AD0 to the zone configuration.
   cfgadd "cfgName", "member[;member]"
5. Enable the configuration to complete the transaction.
   cfgenable cfgName
6. Switch to the AD255 context.
   ad --select 255
7.
FIGURE 56 AD0 and two user-defined Admin Domains, AD1 and AD2

FIGURE 57 AD0 with three zones

   sw0:admin> ad --exec 255 "cfgshow"
   Zone CFG Info for AD_ID: 0 (AD Name: AD0, State: Active) :
   Defined configuration:
    cfg:   AD0_cfg   AD0_RedZone
    zone:  AD0_RedZone   10:00:00:00:01:00:00:00; 10:00:00:00:02:00:00:00
   Effective configuration:
    cfg:   AD0_cfg
    zone:  AD0_RedZone   10:00:00:00:01:00:00:00
                         10:00:00:00:02:00:00:00
   Zone CFG Info for AD_ID: 1 (AD Name
   Effective configuration:
    cfg:   AD1_cfg
    zone:  AD1_BlueZone   10:00:00:00:02:00:00:00
                          10:00:00:00:03:00:00:00
   Zone CFG Info for AD_ID: 2 (AD Name: AD2, State: Active) :
   Defined configuration:
    cfg:   AD2_cfg   AD2_GreenZone
    zone:  AD2_GreenZone   10:00:00:00:04:00:00:00; 10:00:00:00:05:00:00:00
   Effective configuration:
    cfg:   AD2_cfg
    zone:  AD2_GreenZone   10:00:00:00:04:00:00:00
                           10:00:00:00:05:00:00:00
   sw0:admin> zone --copy AD1.
Validating an Admin Domain member list

You can validate the device and switch member list. You can list non-existing or offline Admin Domain members. You can also identify misconfigurations of the Admin Domain. The Admin Domain validation process is not applicable for AD0, because AD0 implicitly contains all unassigned online switches and their devices.
1. Connect to the switch and log in as admin.
2. Switch to the AD255 context, if you are not already in that context.
Each Admin Domain can also have its own zone configurations (defined and effective) with zones and aliases under them.

CLI commands in an AD context

The CLI command input arguments are validated against the AD member list; they do not work with input arguments that specify resources that are not members of the current Admin Domain. All commands present filtered output, showing only the members of the current Admin Domain.
Displaying an Admin Domain configuration

You can display the membership information and zone database information of a specified Admin Domain. Note the following differences in the information displayed based on the Admin Domain:
• AD255: if you do not specify the AD_name or number, all information about all existing Admin Domains is displayed.
• AD0-AD254 contexts: the membership of the current Admin Domain is displayed.
1. Connect to the switch and log in as any user type.
2. Enter the ad --select command and the Admin Domain you want to switch to.
3. Leave the new Admin Domain context by exiting from the shell.
   logout
You cannot switch to another Admin Domain context from within the shell created by ad --select. You must first exit the shell, and then issue the ad --select command again.

Example
The following example switches to the AD12 context and back.
TABLE 75 Admin Domain interaction with Fabric OS features (Continued)

Fabric OS feature | Admin Domain interaction
FC-FC Routing Service | You can create LSAN zones as a physical fabric administrator or as an individual AD administrator. The LSAN zone can be part of the root zone database or the AD zone database. FCR collects the LSAN zones from all ADs. If both edge fabrics have matching LSAN zones and both devices are online, FCR triggers a device import.
Zoning operations ignore any resources not in the Admin Domain, even if they are specified in the zone. The behavior functions similarly to specifying offline devices in a zone. All zones from each AD zone configuration are enforced. The enforcement policy encompasses zones in the effective zone configuration of the root zone database and the effective zone configurations of each AD.
Admin Domains and LSAN zones

LSANs under each Admin Domain are collated into a single name space and sent out to FCR phantom domains using the following format: _AD
For example, a zone with name lsan_for_linux_farm in AD5 is internally converted to lsan_for_linux_farm_AD005. LSAN zone names in AD0 are never converted for backward compatibility reasons.
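The name conversion described above, written out as an added example (this is not Fabric OS code): a zone in ADn is exported with the suffix _AD and the three-digit AD number, AD0 names pass through unchanged, and the collation step reports the one case where the two rules can collide. The zone lists are constructed sample data.

```python
"""LSAN zone name collation across Admin Domains (added illustration).

Per the text, an LSAN zone defined in ADn is exported to the FCR phantom
domains as <name>_AD<nnn> with a three-digit AD number (lsan_for_linux_farm
in AD5 becomes lsan_for_linux_farm_AD005), while AD0 names are exported
unchanged. This is a model of that rule, not Fabric OS code.
"""
import re

MAX_USER_AD = 254  # user-defined Admin Domains are AD1 through AD254
_EXPORTED = re.compile(r"^(?P<name>.+)_AD(?P<ad>\d{3})$")


def export_name(name, ad):
    """Name under which a zone from Admin Domain `ad` appears in the FCR name space."""
    if not 0 <= ad <= MAX_USER_AD:
        raise ValueError(f"AD{ad} cannot own an LSAN zone")
    if ad == 0:
        return name  # AD0 names are never converted (backward compatibility)
    return f"{name}_AD{ad:03d}"


def parse_export(exported):
    """Reverse mapping: (original name, AD number).

    Anything without a valid _ADnnn suffix is treated as an unconverted AD0 name.
    """
    m = _EXPORTED.match(exported)
    if m and 1 <= int(m["ad"]) <= MAX_USER_AD:
        return m["name"], int(m["ad"])
    return exported, 0


def collate(ad_zones):
    """Merge {ad: [zone names]} into one {exported name: (ad, name)} name space.

    Because AD0 names pass through unconverted, an AD0 zone literally named
    like an exported name (for example "x_AD005") would collide with zone "x"
    in AD5; that is reported instead of being silently overwritten.
    """
    namespace = {}
    for ad, names in ad_zones.items():
        for name in names:
            exported = export_name(name, ad)
            if exported in namespace:
                other_ad, other = namespace[exported]
                raise ValueError(
                    f"{exported!r}: AD{ad} zone {name!r} collides with "
                    f"AD{other_ad} zone {other!r}"
                )
            namespace[exported] = (ad, name)
    return namespace


SAMPLE_AD_ZONES = {  # constructed sample data
    0: ["lsan_legacy_backup"],
    5: ["lsan_for_linux_farm"],
    12: ["lsan_for_linux_farm"],  # same name in another AD does not collide
}


if __name__ == "__main__":
    for exported, (ad, name) in sorted(collate(SAMPLE_AD_ZONES).items()):
        print(f"AD{ad:<3} {name:<24} -> {exported}")
```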
Section II Licensed Features

This section describes optionally licensed Brocade Fabric OS features and includes the following chapters:
• Chapter 16, “Administering Licensing”
• Chapter 17, “Monitoring Fabric Performance”
• Chapter 18, “Optimizing Fabric Behavior”
• Chapter 19, “Managing Trunking Connections”
• Chapter 20, “Managing Long Distance Fabrics”
• Chapter 21, “Using the FC-FC Routing Service”
Chapter 16 Administering Licensing

In this chapter
• Licensing overview
• The Brocade 7800 Upgrade license
• ICL licensing
• 8G licensing
TABLE 77 Available Brocade licenses

License | Description
10GbE License | This license enables the two 10GbE ports on the FX8-24. With this license, two additional operating modes (in addition to 10 1GbE ports mode) can be selected: 10 1GbE ports and 1 10GbE port, or 2 10GbE ports. This license is available on the Brocade 7800 switch, and the Brocade DCX and DCX-4S for the FX8-24 on an individual slot basis.
TABLE 77 Available Brocade licenses (Continued)

License | Description
Brocade Fabric Watch | Monitors mission-critical switch operations. Fabric Watch includes Port Fencing capabilities.
Brocade ISL Trunking | Provides the ability to aggregate multiple physical links into one logical link for enhanced network performance and fault tolerance. Also includes Access Gateway ISL Trunking on those products that support Access Gateway deployment.
TABLE 77 Available Brocade licenses (Continued)

License | Description
Integrated Routing | Allows any ports in a Brocade 5100, 5300, and VA-40FC switches, the Brocade Encryption Switch, or the Brocade DCX and DCX-4S platforms to be configured as an EX_Port supporting Fibre Channel Routing. This eliminates the need to add an FR4-18i blade or use the 7500 for FCR purposes, and also provides double the bandwidth for each FCR connection when connected to another 8 Gbps-capable port.
TABLE 78 License requirements (Continued)

Feature | License | Where license should be installed
Fibre Channel Routing | IR | Local and attached switches.
FICON | No license required. | n/a
FICON-CUP | FICON Management Server | Local switch.
FICON Tape Read and Write Emulation over an FCIP Tunnel | FICON Tape High-Performance Extension over FCIP/FC license or Advanced FICON Acceleration on Brocade 7800 | Local and attached switches.
TABLE 78 License requirements (Continued)

Feature | License | Where license should be installed
Ports | Ports on demand licenses. This license applies to a select set of switches. Upgrade license for the 7500E and 7800 switches to use all ports. 10 Gigabit Ethernet license to use 10GbE ports on FX8-24 blade. Brocade 8000: must have license installed to enable the 8 FC ports. A maximum of 8 FC ports are allowed. | Local switch.
The Brocade 7800 Upgrade license

The Brocade 7800 has four Fibre Channel (FC) ports and two GbE ports active by default. The number of physical ports active on the Brocade 7800 is fixed. There is one upgrade license to activate the rest of the FC and GbE ports for a total of 16 FC ports and six GbE ports. The Upgrade license activates FC and GbE ports, and also activates additional features outlined in Table 79.
8G licensing

ATTENTION
This license is installed by default and you should not remove it.

The 8 Gbps licensing applies to the Brocade 300, 5100, 5300, and VA-40FC switches and the 8 Gbps embedded switches. The Brocade 48000 does not need the 8G license to use any of the FC8-type blades. The following list describes the basic rules of using, adding, or removing 8G licenses.
Upgrade/downgrade considerations

When a Slot-based license is present on the switch, firmware downgrade to pre-Fabric OS v6.3.0 is allowed, but the Slot-based features that were licensed will not be functional.

Adding a license to a slot

1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the licenseSlotCfg -add command to add the license to the appropriate slot.
Configupload and download considerations

The configDownload and configUpload commands download the legacy, enhanced, consumed capacities, and time-based licenses.

Expired licenses

Once a Time-based license has expired, you can view it through the licenseShow command. Expired licenses have an output string of ‘License has expired’.
Extending a license

Extending a Universal Time-based license is done by adding a temporary license with expiry date after the Universal Time-based license expiry date, or by adding a permanent license. Re-applying an existing Universal Time-based license is not allowed.

Deleting a license

Universal Time-based licenses are always retained in the license database, and cannot be explicitly deleted.
An information screen displays the license keys and you will receive an e-mail with the software license keys and installation instructions.

Adding a licensed feature

To enable a feature, go to the feature’s appropriate section in this manual. Enabling a feature on a switch may be a separate task from adding the license.
Removing a licensed feature

1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the licenseShow command to display the active licenses.
3. Remove the license key using the licenseRemove command. The license key is case-sensitive and must be entered exactly as given. The quotation marks are optional.
After removing a license key, the licensed feature is disabled when the switch is rebooted or when a switch disable and enable is performed.
ATTENTION
Licenses are not interchangeable between units. For example, if you bought a POD license for a Brocade 300, you cannot use that license on a Brocade 5100 or VA-40FC. The licenses are based on the switch’s WWN and are not interchangeable.

Table 80 shows the ports that are enabled by default and the ports that can be enabled after you install the first and second Ports on Demand licenses for each switch type.
Activating Ports on Demand

1. Connect to the switch and log in using an account assigned to the admin role.
2. Verify the current states of the ports, using the portShow command. In the portShow output, the Licensed field indicates whether the port is licensed.
3. Install the Brocade Ports on Demand license. For instructions on how to install a license, see “Adding a licensed feature” on page 376.
4. Use the portEnable command to enable the ports.
   12 ports are assigned to the full POD license
   Ports assigned to the base switch license:
     0, 1, 2, 3, 4, 5, 6, 7, 8, 17, 18, 19, 20
   Ports assigned to the full POD license:
     9, 10, 11, 12, 13, 14, 15, 16, 21, 22, 23

Enabling Dynamic Ports on Demand

If the switch is in the Static POD mode, then activating the Dynamic POD will erase any prior port license assignments the next time the switch is rebooted. The static POD assignments become the initial Dynamic POD assignments.
1. Connect to the switch and log in using an account assigned to the admin role. Enter the licensePort --method command with the static option to change the license assignment method to static.
   switch:admin> licenseport --method static
   The POD method has been changed to static.
   Please reboot the switch now for this change to take effect.
2. Enter the reboot command to restart the switch.
3. Enter the licensePort --show command to verify the switch started the Static POD feature.
3. Take the following appropriate action based on whether port reservations are available:
   • If a port reservation is available, then issue the licensePort --reserve command to reserve a license for the port.
     switch:admin> licenseport --reserve 0
   • If all port reservations are assigned, select a port to release its POD license. Follow the instructions in “Releasing a port from a POD set” to release a port from its POD assignment. Once the port is released, you can reserve it.
Chapter 17 Monitoring Fabric Performance

In this chapter
• Advanced Performance Monitoring overview
• End-to-end performance monitoring
• Frame monitoring
• ISL performance monitoring
• Top Talker monitors
• ISL monitors measure the traffic transmitted through an InterSwitch Link (ISL) to different destination domains.
• Top Talkers monitors measure the flows that are major consumers of bandwidth on a switch or port.
The type of monitors supported depends on the switch model, as shown in Table 81.
• Top Talker (fabric mode): If fabric mode Top Talkers is enabled on the logical switch, a fabric mode Top Talker monitor is automatically installed on the port after it is moved to the logical switch.
• Top Talker (port mode): Any port mode Top Talker monitors on the port are deleted. To keep the port mode Top Talker monitor, you must manually install it on the port after the move.
The monitor count is qualified using either of the following conditions:
• For frames received at the port with the end-to-end monitor installed, the frame SID is the same as “SourceID” and the frame DID is the same as “DestID”. RX_COUNT is updated accordingly.
• For frames transmitted from the port with the end-to-end monitor installed, the frame DID is the same as “SourceID” and the frame SID is the same as “DestID”. TX_COUNT is updated accordingly.
Monitor 1 counts the frames that have an SID of 0x111eef and a DID of 0x051200. For monitor 1, RX_COUNT is the number of words from Dev B to Host A, and TX_COUNT is the number of words from Host A to Dev B.

Figure 59 shows several switches and the correct ports on which to add performance monitors for a specified SID-DID pair.

FIGURE 59 (Host A, SID 0x051200; DID 0x111eef; “Add monitors here”)
Figure 60 shows the mask positions in the command. A mask (“ff”) is set on slot 1, port 2 to compare the AL_PA fields on the SID and DID in all frames (transmitted and received) on port 2. The frame SID and DID must match only the AL_PA portion of the specified SID-DID pair. Each port can have only one EE mask. The mask is applied to all end-to-end monitors on the port. Individual masks for each monitor on the port cannot be specified.
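The RX_COUNT/TX_COUNT qualification rules and the single per-port EE mask described above, modelled as an added example (this is not Fabric OS code): monitor 1 uses the SourceID/DestID pair from the text, the mask 0x0000ff stands for the “ff” AL_PA mask, and the frames and word counts are constructed sample traffic.

```python
"""Model of end-to-end (EE) performance monitor counting with an EE mask.

Added illustration, not Fabric OS code. It follows the counting rules in the
text: a monitor is a SourceID/DestID pair of 24-bit Fibre Channel addresses;
a received frame whose SID/DID equal the pair adds its words to RX_COUNT, a
transmitted frame whose DID/SID equal the pair (reversed) adds to TX_COUNT.
A port has one EE mask shared by all of its monitors; the "ff" mask compares
only the AL_PA byte (low 8 bits) of each address.
"""
from dataclasses import dataclass, field

FULL_MASK = 0xFFFFFF  # no mask: compare the whole 24-bit address
ALPA_MASK = 0x0000FF  # the "ff" mask from the text: AL_PA byte only


@dataclass
class Frame:
    direction: str  # "rx" = received at the port, "tx" = transmitted from it
    sid: int
    did: int
    words: int      # counters are kept in 4-byte words


@dataclass
class EEMonitor:
    source_id: int
    dest_id: int
    rx_count: int = 0
    tx_count: int = 0


@dataclass
class Port:
    """One port: any number of EE monitors, but a single EE mask."""
    monitors: list = field(default_factory=list)
    ee_mask: int = FULL_MASK

    def add_monitor(self, source_id, dest_id):
        mon = EEMonitor(source_id, dest_id)
        self.monitors.append(mon)
        return mon

    def set_ee_mask(self, mask):
        # Applies to every monitor on the port; per-monitor masks do not exist.
        self.ee_mask = mask & FULL_MASK

    def observe(self, frame):
        m = self.ee_mask
        for mon in self.monitors:
            src, dst = mon.source_id & m, mon.dest_id & m
            if frame.direction == "rx":
                # Received: frame SID == SourceID and frame DID == DestID
                if (frame.sid & m) == src and (frame.did & m) == dst:
                    mon.rx_count += frame.words
            elif frame.direction == "tx":
                # Transmitted: frame DID == SourceID and frame SID == DestID
                if (frame.did & m) == src and (frame.sid & m) == dst:
                    mon.tx_count += frame.words
            else:
                raise ValueError(f"unknown direction {frame.direction!r}")


# Monitor 1 from the text: SourceID 0x111eef (Dev B), DestID 0x051200 (Host A).
DEV_B, HOST_A = 0x111EEF, 0x051200

SAMPLE_FRAMES = [                        # constructed traffic seen at one port
    Frame("rx", DEV_B, HOST_A, 512),     # Dev B -> Host A: counted as RX
    Frame("tx", HOST_A, DEV_B, 64),      # Host A -> Dev B: counted as TX
    Frame("rx", 0x111E01, HOST_A, 9),    # different SID: never counted
    Frame("rx", 0x2222EF, 0x333300, 7),  # only the AL_PA bytes (ef, 00) match
    Frame("tx", 0x444400, 0x5555EF, 3),  # reversed AL_PA bytes: TX if masked
]


def run_sample(mask=FULL_MASK):
    """Return (RX_COUNT, TX_COUNT) of monitor 1 after the sample traffic."""
    port = Port()
    mon = port.add_monitor(DEV_B, HOST_A)
    port.set_ee_mask(mask)
    for fr in SAMPLE_FRAMES:
        port.observe(fr)
    return mon.rx_count, mon.tx_count


if __name__ == "__main__":
    print("no mask  :", run_sample())           # (512, 64)
    print("AL_PA ff :", run_sample(ALPA_MASK))  # (519, 67)
```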
Frame monitoring

Frame monitoring counts the number of times a frame with a particular pattern is transmitted by a port and generates alerts when thresholds are crossed. Frame monitoring is achieved by defining a filter, or frame type, for a particular purpose. The frame type can be a standard type (for example, a SCSI read command filter that counts the number of SCSI read commands that have been transmitted by the port) or a user-defined frame type customized for your particular use.
For the perfMonitorShow and perfMonitorClear commands, the management of filter monitors is provided through the fmConfig interface. While the legacy commands are still operational in the Fabric OS v6.4.0 release, their use is incompatible with the new fmConfig command. Once you use the fmConfig interface to configure and manage filter-based monitors, you can no longer use the old commands.
Deleting frame types

Deleting a frame type removes the entire configuration, including configured thresholds and associated actions. It also removes any frame monitors of the specified type from all ports. You can delete only user-defined frame types; you cannot delete the pre-defined frame types.
1. Connect to the switch and log in as admin.
2. Enter the fmConfig --delete command to delete a specific frame type.
1. Connect to the switch and log in as admin.
2. Enter the fmConfig --save command to save the set of ports on which the frame type is monitored to the persistent configuration.

Example
In this example, the first command adds a standard SCSI frame type monitor to ports 3 through 12, but does not save the port configuration. The second command saves the port configuration persistently.
Example
This example clears the counters for the ABTS monitor from ports 7 through 10.
   switch:admin> fmconfig --clear ABTS -port 7-10

ISL performance monitoring

ISL monitoring is set up on E_Ports automatically. An ISL monitor measures traffic to all reachable destination domains for an ISL, showing which destination domain is consuming the most traffic. If there are more than 16 domains, the monitor samples traffic and extrapolates the measurement.
The Top Talker monitor is based on SID/DID and not WWNs. Once Top Talker is installed on a switch or port, it remains installed across power cycles. Top Talkers supports two modes, port mode and fabric mode:
• Port mode Top Talker: A Top Talker monitor can be installed on an F_Port to measure the traffic originating from the F_Port and flowing to different destinations.
1. Connect to the switch and log in as admin.
2. Remove any end-to-end monitors in the fabric, as described in “Deleting end-to-end monitors” on page 388. Fabric Mode Top Talker monitors and end-to-end monitors cannot both exist in the fabric.
3. Enter the perfTTmon --add fabricmode command.
   perfttmon --add fabricmode
   The system responds:
   Before enabling fabric mode, please remove all EE monitors in the fabric
   continue? (yes, y, no, n):
4. Type y at the prompt to continue.
Displaying top talking flows for a given domain ID (fabric mode)

1. Connect to the switch and log in as admin.
2. Enter the perfTTmon --show dom command.
   perfttmon --show dom domainid [n] [wwn | pid]
   Fabric mode must be enabled for this option. The output is sorted based on the data rate of each flow. If you do not specify the number of flows to display, then the command displays the top 8 flows or the total number of flows, whichever is less.
Limitations of Top Talker monitors

Be aware of the following when using Top Talker monitors:
• Top Talker monitors cannot detect transient surges in traffic through a given flow.
• You cannot install a Top Talker monitor on a mirrored port.
• Top Talker can monitor only 10,000 flows at a time.
• Top Talker is not supported on VE_Ports, EX_Ports, and VEX_Ports.
• The maximum number of F_Port Top Talker monitors on an ASIC is 16.
Example of displaying EE monitors on a port

   switch:admin> perfMonitorShow --class EE 4/5
   There are 7 end-to-end monitor(s) defined on port 53.
Saving and restoring monitor configurations

To prevent the switch configuration flash from running out of memory, the number of monitors saved to flash memory is limited as follows:
• The total number of EE monitors per port is limited to 16.
• The total number of frame monitors per port is limited to 16.
• The total number of monitors per switch is limited to 512.
Chapter 18 Optimizing Fabric Behavior

In this chapter
• Adaptive Networking overview
• Ingress Rate Limiting
• QoS: SID/DID traffic prioritization
• QoS zones
• Traffic Isolation Zoning: Traffic Isolation Zoning (TI zoning) allows you to control the flow of interswitch traffic by creating a dedicated path for traffic flowing from a specific set of source ports (F_Ports). Traffic Isolation Zoning does not require a license. See “Traffic Isolation Zoning” on page 267 for more information about this feature.
• Ingress Rate Limiting: Ingress rate limiting restricts the speed of traffic from a particular device to the switch port.
• Ingress rate limiting is available only on the following platforms: Brocade 300, 5100, 5300, 5410, 5424, 5450, 5460, 5470, 5480, 7800, 8000, VA-40FC, Brocade Encryption Switch, Brocade DCX, or DCX-4S.
• QoS traffic prioritization takes precedence over ingress rate limiting.
• Ingress rate limiting is not enforced on trunked ports.

Virtual Fabrics considerations: If Virtual Fabrics is enabled, the rate limit configuration on a port is on a per-logical switch basis.
NOTE
If there is a single low priority flow to a destination ID (DID) and several medium priority flows to that same DID, then it is possible that the medium priority flows would have less bandwidth because they have to share the medium priority VCs, whereas the low priority flow would have a separate VC.
3. Identify E_Ports on which QoS should be manually disabled. In the islshow output, these ports have all of the following characteristics:
   • 8 Gbps ports
   • Trunking is enabled
   • QoS is disabled
4. Check whether QoS is enabled on each port identified in step 3 using the following command:
   portcfgshow
   In the output, the value of QOS E_Port is AE if QoS is automatically enabled by default, ON if QoS is enabled manually, and OFF or ".." if QoS is disabled.
5.
   RSCN Suppressed     ..   ..   ..   ..   ..   ..   ..   ..
   Persistent Disable  ON   ..   ..   ..   ..   ..   ..   ..
   LOS TOV enable      ..   ..   ..   ..   ..   ..   ..   ..
   NPIV capability     ON   ON   ON   ON   ON   ON   ON   ON
   NPIV PP Limit       126  126  126  126  126  126  126  126
   QOS E_Port          AE   AE   AE   AE   AE   AE   AE   AE
   EX Port             ..   ..   ..   ..   ..   ..   ..   ..
   Mirror Port         ON   ..   ..   ..   ON   ..   ..   ..
   Rate Limit          ..   ..   ..   ..   ..   ..   ..   ..
   Credit Recovery     ON   ON   ON   ON   ON   ON   ON   ON
   Fport Buffers       ..   ..   ..   ..   ..   ..   ..   ..
   Port Auto Disable   ..   ..   ..   ..   ..   ..   ..   ..
   CSCTL mode          ..   ..   ..   ..   ..   ..   ..   .
For example, Figure 61 shows a fabric with two hosts (H1, H2) and three targets (S1, S2, S3). The traffic prioritization is as follows:
• Traffic between H1 and S1 is high priority.
• Traffic between H1 and S3 and between H2 and S3 is low priority.
• All other traffic is medium priority, which is the default.
FIGURE 62 QoS with E_Ports enabled (Domains 1 through 4; hosts H1, H2; targets S1, S2, S3; legend: low priority, medium priority, high priority, E_Ports with QoS enabled)

You need to enable QoS on the E_Ports on both ISLs between Domain 3 and Domain 4 because either path might be selected to carry the traffic.
• QoS over FC routers is supported only in an edge-to-edge fabric configuration; it is not supported in a backbone-to-edge fabric configuration. You cannot prioritize the flow between a device in an edge fabric and a device in the backbone fabric.
• QoS over FC routers is supported only if Virtual Fabrics is disabled in the backbone fabric. QoS over FC routers cannot be enabled if Virtual Fabrics is also enabled in the backbone fabric.
High availability considerations for traffic prioritization

If the standby CP is running a Fabric OS version earlier than 6.3.0 and is synchronized with the active CP, then QoS zones using D,I notation cannot be created. If the standby CP is not synchronized or if no standby CP exists, then the QoS zone creation succeeds.
QoS is disabled by default on 4 Gbps ports and long-distance 8 Gbps ports. In some firmware versions earlier than Fabric OS 6.3.0, QoS is enabled by default on these ports. When you upgrade to Fabric OS 6.3.0, the QoS configuration settings remain the same for all ports (that is, if a port was enabled for QoS before the upgrade, it remains enabled for QoS after the upgrade).
Example
In this example, the islshow output displays ports involved in four ISLs:
• Ports 2 and 8: QoS is enabled on these ISLs. Check the portcfgshow output to determine whether QoS is disabled on these ports.
• Port 19: QoS is enabled on this ISL. Because this is an 8 Gbps port, check the portcfgshow output to determine whether this is a long distance port and whether QoS is disabled on this port.
• Port 24: QoS is disabled on this ISL, so you should not enable QoS on port 24.
Trunk Port          ON    ON    ON    ON
Long Distance       ON    ON    ON    ON
VC Link Init        ..    ..    ..    ..
Locked L_Port       ..    ..    ..    ..
Locked G_Port       ..    ..    ..    ..
Disabled E_Port     ..    ..    ..    ..
Locked E_Port       ..    ..    ..    ..
ISL R_RDY Mode      ..    ..    ..    ..
RSCN Suppressed     ..    ..    ..    ..
Persistent Disable  ON    ..    ..    ..
LOS TOV enable      ..    ..    ..    ..
NPIV capability     ON    ON    ON    ON
NPIV PP Limit       126   126   126   126
QOS E_Port          AE    AE    AE    AE
EX Port             ..    ..    ..    ..
Mirror Port         ON    ..    ..    ..
Rate Limit          ..    ..    ..    ..
Credit Recovery     ON    ON    ON    ON
Fport Buffers       ..    ..    ..    ..
• If QoS is enabled, an additional 16 buffer credits are allocated per port for 8-Gbps ports in LE mode. See Chapter 20, “Managing Long Distance Fabrics,” for information about buffer credit allocation in extended fabrics.
• Trunking considerations: If some ports in a trunk group have QoS enabled and some ports have QoS disabled, two different trunks are formed, one with QoS enabled and one with QoS disabled.

Setting traffic prioritization
1.
Example
sw0:admin> zonecreate "QOSH1_zone", "10:00:00:00:10:00:00:00; 10:00:00:00:20:00:00:00"
sw0:admin> zonecreate "QOSL2_zone", "10:00:00:00:30:00:00:00; 10:00:00:00:40:00:00:00"
sw0:admin> zoneshow
sw0:admin> cfgadd "cfg1", "QOSH1_zone"
sw0:admin> cfgadd "cfg1", "QOSL2_zone"
sw0:admin> cfgshow
Defined configuration:
 cfg:   cfg1    zone1; QOSH1_zone; QOSL2_zone
 zone:  QOSH1_zone   10:00:00:00:10:00:00:00; 10:00:00:00:20:00:00:00
 zone:  QOSL2_zone   10:00:00:00:30:
Disabling QoS
1. Connect to the switch and log in as admin.
2. Enter the cfgRemove command to remove the QoS zones from the current zone configuration.
3. Enter the portCfgQos command to disable QoS on the E_Ports.

Bottleneck detection
Bottleneck detection does not require a license. A bottleneck is a port in the fabric where frames cannot get through as fast as they should. In other words, a bottleneck is a port where the offered load is greater than the achieved egress throughput.
NOTE
Bottleneck detection is disabled by default. Best practice is to enable bottleneck detection on all switches in the fabric and leave it on to continuously gather statistics.

Supported configurations for bottleneck detection
Note the following configuration rules for bottleneck detection:
• Bottleneck detection is supported only on Fibre Channel ports and FCoE F_Ports.
Upgrade and downgrade considerations for bottleneck detection
The bottleneck detection configuration is persistent across firmware upgrades and downgrades. If you downgrade to Fabric OS 6.3.x, bottleneck detection is supported; however, the bottleneck configuration is not applied. You must re-apply the bottleneck configuration after the downgrade. Additionally, you must use the 6.3.x version of the bottleneck detection commands. In v6.3.
Enabling bottleneck detection on a switch
Bottleneck detection is enabled on a switch basis. It is recommended that you enable bottleneck detection on every switch in the fabric. If you add switches, including logical switches, to the fabric, be sure to enable bottleneck detection on those switches as well. When you enable bottleneck detection on a switch, the feature is applied to all eligible ports on that switch.
1. Connect to the switch to which the target port belongs and log in as admin.
2. Enter the bottleneckmon --exclude command to exclude the port from bottleneck detection. To later include the port again, enter the bottleneckmon --include command.
Changing bottleneck alert parameters
The alert parameters include whether alerts are sent and the threshold, time, and quiet time options. For a trunk, you can change the alert parameters only on the master port.
1. Connect to the switch and log in as admin.
2. Enter the bottleneckmon --config command to set the alert option and specify new threshold values. Enter the bottleneckmon --configclear command to remove any port-specific alert parameters and revert to the switch-wide parameters.
Switch-wide alerting parameters:
============================
Alerts                          - Yes
Latency threshold for alert     - 0.970
Congestion threshold for alert  - 0.800
Averaging time for alert        - 5000 seconds
Quiet time for alert            - 300 seconds

Per-port overrides for alert parameters:
========================================
Slot  Port  Alerts?  LatencyThresh  CongestionThresh  Time(s)  QTime(s)
=======================================================================
 0     1    N        -              -                 -        -
 0     2    Y        0.990          0.
Disabling bottleneck detection on a switch
When you disable bottleneck detection on a switch, all bottleneck configuration details are discarded, including the list of excluded ports and non-default values of alerting parameters.
1. Connect to the switch and log in as admin.
2.
Chapter 19 Managing Trunking Connections
In this chapter
• Trunking overview
• Supported hardware
• Recommendations for trunking groups
• Basic trunk group configuration
• Trunking over long distance fabrics
Re-initializing ports for trunking is required after you install the license so that the ports know that trunking is enabled. You can enable or disable trunking for a single port or for an entire switch. For trunking to work, the individual ports or the entire switch must be set to the same speed and the same mode, for example 2 Gbps, 4 Gbps, 8 Gbps, or autonegotiate. For more information on setting port speeds, see “Trunking over long distance fabrics” on page 430.
Supported hardware
Trunking is supported on the FC ports of all Brocade platforms and blades supported in Fabric OS v6.4.0.

Recommendations for trunking groups
To identify the most useful trunking groups, consider the following recommendations along with the standard guidelines for SAN design:
• Evaluate the traffic patterns within the fabric.
• Place trunking-capable switches adjacent to each other. This maximizes the number of trunking groups that can form.
Basic trunk group configuration
Re-initializing ports for trunking is required after you install the ISL Trunking license. You must re-initialize the ports being used for ISLs so that they recognize that trunking is enabled. This procedure needs to be performed only once. To re-initialize the ports, you can either disable and then re-enable the switch, or disable and then re-enable the affected ports.
Displaying trunking information
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the trunkShow command. This example shows trunking groups 1, 2, and 3; ports 4, 13, and 14 are masters.
4: 12->892 10:00:00:05:1e:46:42:01 3 deskew 15 MASTER
   13->893 10:00:00:05:1e:46:42:01 3 deskew 15
   Tx: Bandwidth 16.00Gbps, Throughput 1.67Gbps (12.12%)
   Rx: Bandwidth 16.00Gbps, Throughput 1.66Gbps (12.11%)
   Tx+Rx: Bandwidth 32.00Gbps, Throughput 3.33Gbps (12.11%)

Trunking over long distance fabrics
In long-distance fabrics, if a port speed is set to autonegotiate, the maximum speed, which is 8 Gbps, is assumed for reserving buffers for the port.
TABLE 87 Trunking over distance for the Brocade 48000, DCX Backbone, and the DCX-4S
Long distance mode  Distance  Number of 2 Gbps ports           Number of 4 Gbps ports
LE                  10 km     48 (six 8-port trunks)           48 (six 8-port trunks)
L0                  Normal    See note below                   48 (six 8-port trunks)
LD                  200 km    4 (one 2-port trunk per switch)  0
LD                  250 km    4 (one 2-port trunk per switch)  0
LD                  500 km    0                                0
LS                  Static    See note below
NOTE The L0 mode supports up to 5 km at 2 Gbps, up to 2 km at 4 Gbps, and
• The edge switch F_Port trunk ports are connected within the ASIC-supported trunk group on the AG switch.
• Both switches are running the same Fabric OS version.
• Trunking is enabled on all ports to be included in a Trunk Area (TA) before you attempt to create the Trunk Area.
• Keep in mind that F_Port trunking does not support shared area ports on the FC8-48 and FC4-48 blades in the Brocade 48000.
The DCX-4S supports trunk groups with up to eight ports. The trunking groups are based on the user port number, with eight contiguous ports forming one group, for example 0-7, 8-15, and 16-23.

F_Port trunking considerations for Virtual Fabrics
Following are the F_Port trunking considerations for Virtual Fabrics:
• If a port is enabled for F_Port trunking, you must disable that configuration before you can move the port out of the logical switch.
TABLE 88 PWWN format for F_Port and N_Port trunk ports
NAA = 2   2f:xx:nn:nn:nn:nn:nn:nn (1)   Port WWNs for: switch’s Fx_Ports. The valid range of xx is [0 - FF], for a maximum of 256.
NAA = 2   25:xx:nn:nn:nn:nn:nn:nn (1)   Port WWNs for: switch’s FX_Ports. The valid range of xx is [0 - FF], for a maximum of 256.
NOTE
You do not need to manually map the host to the master port because Access Gateway performs a cold failover to the master port.

To implement F_Port masterless trunking, you must first configure an F_Port trunk group and statically assign an Area_ID within the trunk group. Assigning a Trunk Area (TA) to a port or trunk group enables F_Port masterless trunking on that port or trunk group.
TABLE 89 F_Port masterless trunking considerations (Continued)
Category: D,I Zoning (D,I), AD (D,I), DCC and (PWWN,I) DCC
Description: Creating a Trunk Area may remove the Index ("I") of each port grouped into the Trunk Area from the switch. All ports in a Trunk Area share the same "I". This means that domain,index (D,I) entries that refer to an "I" that has been removed are no longer part of the switch. Note: Be sure to account for AD membership, zoning, and DCC policies when creating a Trunk Area.

Category: Management Server
Description: Registered Node ID (RNID), Link Incident Record Registration (LIRR), and Query Security Attribute (QSA) ELSs are not supported on F_Port trunks.

Category: NPIV
Description: Supported on F_Port master trunk.

Category: PID format
Description: F_Port masterless trunking is only supported in the CORE PID format.
Example: How Trunk Area assignment affects the port Domain,Index
If you have AD1: 3,7; 3,8; 4,13; 4,14 and AD2: 3,9; 3,10, and then create a TA with Index 8 from ports that have index 7, 8, 9, and 10, then indexes 7, 9, and 10 are no longer on domain 3. This means that AD2 does not have access to any ports, because indexes 9 and 10 no longer exist on domain 3. It also means that AD1 no longer has 3,7 in effect, because index 7 no longer exists for domain 3.
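As an added worked example (not Fabric OS code), the following Python function applies the rule above to a planned Trunk Area and reports which domain,index entries in AD membership, D,I zoning or DCC policy would stop matching any port, which is the pre-change check Table 89 asks for. The data layout and function name are assumptions; the sample data is the AD1/AD2 case from the text.

```python
"""Pre-change check for an F_Port Trunk Area (added example, not Fabric OS code).

Rule from the guide: every port grouped into a Trunk Area takes the TA's index,
so the other indexes disappear from the domain, and any domain,index (D,I)
entry in AD membership, zoning or DCC policy that named one of them now refers
to a port that no longer exists.
"""


def dangling_after_trunk_area(domain, ta_index, ta_port_indexes, di_entries):
    """Report (D,I) entries invalidated by creating the Trunk Area.

    domain          -- domain ID of the switch on which the TA is created
    ta_index        -- index assigned to the Trunk Area
    ta_port_indexes -- indexes of the ports being grouped into the TA
    di_entries      -- {entry name: set of (domain, index) members}, e.g. AD
                       membership lists, D,I zone members or DCC policy members

    Returns {entry name: (sorted list of lost (D,I) members, True if the entry
    loses every member it had)}.  Entries that keep all members are omitted.
    """
    # The TA's own index survives; every other grouped index leaves the domain.
    removed = set(ta_port_indexes) - {ta_index}
    report = {}
    for name, members in di_entries.items():
        lost = {(d, i) for (d, i) in members if d == domain and i in removed}
        if lost:
            report[name] = (sorted(lost), len(lost) == len(members))
    return report


# Constructed sample: the AD1/AD2 example from the text, members listed as D,I.
SAMPLE_ENTRIES = {
    "AD1": {(3, 7), (3, 8), (4, 13), (4, 14)},
    "AD2": {(3, 9), (3, 10)},
}

if __name__ == "__main__":
    # TA on domain 3 with Index 8, grouping the ports at indexes 7, 8, 9 and 10.
    report = dangling_after_trunk_area(3, 8, [7, 8, 9, 10], SAMPLE_ENTRIES)
    for name, (lost, emptied) in report.items():
        state = "loses all access" if emptied else "keeps its remaining members"
        print(f"{name}: {lost} no longer exist on domain 3; {state}")
```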
   Rx: Bandwidth 16.00Gbps, Throughput 1.62Gbps (11.76%)
   Tx+Rx: Bandwidth 32.00Gbps, Throughput 3.24Gbps (11.80%)
38->1 sp: 8.000G bw: 8.000G deskew 15
   Tx: Bandwidth 16.00Gbps, Throughput 1.63Gbps (11.84%)
   Rx: Bandwidth 16.00Gbps, Throughput 1.62Gbps (11.76%)
   Tx+Rx: Bandwidth 32.00Gbps, Throughput 3.24Gbps (11.80%)
37->1 sp: 8.000G bw: 8.000G deskew 15
   Tx: Bandwidth 16.00Gbps, Throughput 1.63Gbps (11.84%)
   Rx: Bandwidth 16.00Gbps, Throughput 1.62Gbps (11.76%)
   Tx+Rx: Bandwidth 32.
Chapter 20 Managing Long Distance Fabrics
In this chapter
• Long distance fabrics overview
• Extended Fabrics device limitations
• Long distance link modes
• Configuring an extended ISL
• Buffer credit management
Extended Fabrics device limitations
Extended Fabrics is normally not implemented on the following devices:
• 7600 and the FA4-18 blade - The 7600 and the FA4-18 blade have two Gigabit Ethernet ports and 16 FC ports. The two Gigabit Ethernet ports are for use by storage applications, and generally the FC ports on these devices are used to connect devices used by the storage applications.
Configuring an extended ISL
Before configuring an extended ISL, ensure that the following conditions are met:
• The ports on both ends of the ISL are operating at the same port speed and can be configured at the same distance level without compromising local switch performance.

NOTE
A long-distance link can also be configured to be part of a trunk group.
Authentication: None
portDisableReason: None
portCFlags: 0x1
portFlags: 0x1 PRESENT U_PORT
portType: 17.
Buffer credit management
Buffer-to-buffer credit management affects performance over distance; therefore, allocating a sufficient number of buffer credits for long-distance traffic is essential to performance. To prevent a target device (either host or storage) from being overwhelmed with frames, the Fibre Channel architecture provides flow control mechanisms based on a system of credits. Each of these credits represents the ability of the device to accept additional frames.
Optimal buffer credit allocation
The optimal number of buffer credits is determined by the distance (frame delivery time), the processing time at the receiving port, the link signaling rate, and the size of the frames being transmitted. As the link speed increases, the frame transmission time is reduced and the number of buffer credits must be increased to obtain full link utilization, even in a short-distance environment.
Fibre Channel gigabit values reference definition
Before you can calculate the buffer requirement, note the following Fibre Channel gigabit values reference definition:
• 1.0625 for 1 Gbps
• 2.125 for 2 Gbps
• 4.25 for 4 Gbps
• 8.5 for 8 Gbps

Allocating buffer credits based on full-size frames
Assuming that the frame size is full, one buffer credit allows a device to send one payload of up to 2112 bytes (2148 with headers).
NOTE
The portCfgLongDistance command’s desired_distance parameter is the upper limit of the link distance and is used to calculate buffer availability for other ports in the same port group. When the measured distance exceeds the value of desired_distance, this value is used to allocate the buffers. In this case, the port operates in degraded mode instead of being disabled due to insufficient buffers.
24 = the number of user ports in a port group, retrieved from Table 92 on page 451.
8 = the number of reserved credits for each user port.
676 = the number of buffer credits available in the port group.
NOTE
This formula does not work with LD mode because LD mode checks the distance and limits the estimated distance to the real value of 100 km. LS mode allows for the necessary desired_distance based on the data size entered, regardless of the distance.
Buffer credits for each switch model
Table 92 shows the total ports in a switch or blade, the number of user ports in a port group, and the unreserved buffer credits available per port group.
Maximum configurable distances for Extended Fabrics
Table 93 shows the maximum supported extended distances (in kilometers) that can be configured for one port on a specific switch or blade at different speeds.
NOTE
QoS requires an additional 14 buffer credits per active port, so maximum supported distances may be lower.

To get an estimated maximum equally distributed distance for n ports at a particular ("X") speed, divide the 1-port maximum distance of the switch at X speed by n. For example, for three ports running at 2 Gbps on a 300 switch, the maximum equally distributed distance is calculated as 486 / 3 = 164 km.
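The buffer-credit reasoning above (gigabit values, the 2148-byte full frame, the 24-port/8-reserved/676-credit port-group legend, the QoS reserve and the equally distributed distance rule) as one added worked example in Python; this is not Fabric OS code. The 8b/10b line coding and the 5 µs/km fibre delay are assumptions stated in the comments, and the functions compute what a credit budget allows rather than quoting Table 92 or Table 93.

```python
"""Buffer-credit budgeting for a long-distance ISL (added example, not Fabric OS code).

Values taken from the guide: the Fibre Channel gigabit values (1.0625, 2.125,
4.25, 8.5), the 2148-byte full-size frame, the port-group legend of 24 user
ports, 8 reserved credits per port and 676 credits per group, and the 14
extra credits QoS takes per active port. Line coding and fibre propagation
delay are assumptions, marked below.
"""
import math

GIGABIT_VALUE = {1: 1.0625, 2: 2.125, 4: 4.25, 8: 8.5}  # Gbaud per nominal speed (guide)
FULL_FRAME_BYTES = 2148       # 2112-byte payload plus headers (guide)
LINE_BITS_PER_BYTE = 10       # assumption: 1/2/4/8 Gbps FC carries 8b/10b-coded bytes
FIBER_DELAY_US_PER_KM = 5.0   # assumption: roughly 5 microseconds per km, one way
QOS_CREDITS_PER_PORT = 14     # guide: QoS needs 14 more credits per active port


def frame_time_us(speed_gbps):
    """Microseconds needed to put one full-size frame on the wire."""
    mbaud = GIGABIT_VALUE[speed_gbps] * 1000
    return FULL_FRAME_BYTES * LINE_BITS_PER_BYTE / mbaud


def credits_for_distance(distance_km, speed_gbps):
    """Credits needed to keep a link busy with full-size frames.

    A credit is not returned until the R_RDY comes back, so the sender must be
    able to have a full round trip of frames in flight.
    """
    round_trip_us = 2 * distance_km * FIBER_DELAY_US_PER_KM
    return math.ceil(round_trip_us / frame_time_us(speed_gbps))


def unreserved_credits(group_credits=676, user_ports=24, reserved_per_port=8):
    """Credits left for long distance once every user port holds its reserve."""
    return group_credits - user_ports * reserved_per_port


def max_distance_km(credits, speed_gbps, qos_enabled=False):
    """Largest distance one port can run with full-size frames on `credits`.

    With QoS enabled the port's 14-credit QoS reserve is taken off first, which
    is why the guide warns that supported distances may be lower.
    """
    usable = credits - (QOS_CREDITS_PER_PORT if qos_enabled else 0)
    return usable * frame_time_us(speed_gbps) / (2 * FIBER_DELAY_US_PER_KM)


def equally_distributed_km(one_port_max_km, n_ports):
    """The guide's estimate: divide the one-port maximum distance by the port count."""
    return one_port_max_km / n_ports


if __name__ == "__main__":
    spare = unreserved_credits()
    print(f"unreserved credits in a 24-port group: {spare}")
    for speed in (1, 2, 4, 8):
        print(f"{speed} Gbps: {credits_for_distance(100, speed)} credits for 100 km; "
              f"one port reaches {max_distance_km(spare, speed):.0f} km "
              f"({max_distance_km(spare, speed, qos_enabled=True):.0f} km with QoS)")
```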
Chapter 21 Using the FC-FC Routing Service
In this chapter
• FC-FC routing service overview
• Integrated Routing
• Fibre Channel routing concepts
• Setting up the FC-FC routing service
• Backbone fabric IDs
Supported platforms for Fibre Channel routing
Fibre Channel routing is supported on the following platforms:
• Brocade DCX and DCX-4S (FC8-16, FC8-32, FC8-48, FC8-64, FS8-18, FX8-24, or FR4-18i blade)
• Brocade 5100 switch
• Brocade 5300 switch
• Brocade VA-40FC switch
• Brocade 7500 Extension Switch
• Brocade 7800 Extension Switch
• Brocade 48000 director, using the FR4-18i blade
• Brocade Encryption Switch
For the Brocade 48000 director, EX_Ports are supported only
NOTE
In configurations with two backbones connected to the same edge fabric, routing is not supported between edge fabrics that are not directly attached to the same backbone. Routing over multiple backbones is a multi-hop topology and is not allowed.

Integrated Routing
Integrated Routing is a licensed feature that allows 8-Gbps FC ports to be configured as EX_Ports (or VEX_Ports) supporting Fibre Channel routing.
• Edge fabric
An edge fabric is a Fibre Channel fabric with targets and initiators connected through the supported platforms by using an EX_Port or VEX_Port.
• Backbone fabric
A backbone fabric is an intermediate network that connects one or more edge fabrics. In a SAN, the backbone fabric consists of at least one FC router and possibly a number of Fabric OS-based Fibre Channel switches (see Figure 70 on page 460).
FIGURE 69 A metaSAN with edge-to-edge and backbone fabrics and LSAN zones (figure: Edge fabrics 1, 2 and 3 attached through IFLs to the EX_Port and VEX_Port of an FC router in the backbone fabric, with a VE_Port reaching across an IP cloud; shading marks the LSANs)

• Proxy device
A proxy device is a virtual device imported into a fabric by a Fibre Channel router, and represents a real device on another fabric. It has a name server entry and is assigned a valid port ID.
NOTE
Backbone fabrics that share connections to the same edge fabrics must have unique backbone fabric IDs.

• MetaSAN
A metaSAN is the collection of all SANs interconnected with Fibre Channel routers. A simple metaSAN can be constructed using an FC router to connect two or more separate fabrics. Additional FC routers can be used to increase the available bandwidth between fabrics and to provide redundancy.
Proxy devices
An FC router achieves inter-fabric device connectivity by creating proxy devices (hosts and targets) in attached fabrics that represent real devices in other fabrics. For example, a host in Fabric 1 can communicate with a target in Fabric 2 as follows:
• A proxy target in Fabric 1 represents the real target in Fabric 2.
• Likewise, a proxy host in Fabric 2 represents the real host in Fabric 1.
To do so, at least one translate phantom domain is created in the backbone fabric. This translate phantom domain represents the entire edge fabric. The shared physical devices in the edge fabric have corresponding proxy devices on the translate phantom domain. Each edge fabric has one and only one xlate domain to the backbone fabric. The backbone fabric device communicates with the proxy devices whenever it needs to contact the shared physical devices in the edge fabric.
FIGURE 72 Sample topology (physical topology) (figure: a Host and Targets 1 through 3 spread over Fabrics 1 through 4, joined by FC routers 1 through 4 using E_Ports and EX_Ports)

Figure 73 shows a phantom topology for the physical topology shown in Figure 72. In this figure, the dashed lines and shapes represent the phantom topology from the perspective of Fabric 1.
All EX_Ports or VEX_Ports connected to an edge fabric use the same xlate domain ID number for an imported edge fabric; this value persists across switch reboots and fabric reconfigurations. If you lose connectivity to the edge fabric because of link failures or because the IFL is disabled, xlate domains remain visible. This prevents unnecessary fabric disruptions caused by xlate domains repeatedly going offline and online due to corresponding IFL failures.
1. Log in to the switch or director as admin and enter the version command. Verify that Fabric OS v6.4.0 is installed on the FC router, as shown in the following example.
switch:admin> version
Kernel:     2.6.14.2
Fabric OS:  v6.4.0
Made on:    Fri Jan 22 01:15:34 2010
Flash:      Mon Jan 25 20:53:48 2010
BootProm:   1.0.9
2.
InteropMode: Off
usage: InteropMode [0|2|3 [-z McDataDefaultZone] [-s McDataSafeZone]]
  0: to turn interopMode off
  2: to turn McDATA Fabric mode on
     Valid McDataDefaultZone: 0 (disabled), 1 (enabled)
     Valid McDataSafeZone: 0 (disabled), 1 (enabled)
  3: to turn McDATA Open Fabric mode on
If InteropMode is on, FC routing is not supported. To turn off interoperability mode, disable the switch and enter the interopMode 0 command, as described in “Enabling Brocade Native mode” on page 305.
Assigning backbone fabric IDs
1. Log in to the switch or director.
2. Enter the switchDisable command if EX_Ports are online.
3. Enter the fosConfig --disable fcr command to disable the FC-FC Routing Service. The default state for the FCR is disabled.
4. Enter the fcrConfigure command. At the prompt, enter the fabric ID, or press Enter to keep the current fabric ID, which is displayed in brackets.
5. Verify that the backbone fabric ID is different from that set for the edge fabrics.
Inter-fabric link configuration
Before configuring an IFL, be aware that you cannot configure both IFLs (EX_Ports, VEX_Ports) and ISLs (E_Ports) from a backbone fabric to the same edge fabric. Configuring an inter-fabric link involves disabling ports and cabling them to other fabrics, configuring those ports for their intended use, and then enabling the ports. To configure an 8-Gbps IFL, both the EX_Port and the connecting E_Port must be 8-Gbps ports.
This port can now connect to another switch. For related FC-FC Routing commands, see fcrEdgeShow, fcrXlateConfig, fcrConfigure, and fcrProxyConfig in the Fabric OS Command Reference. A Fibre Channel router can interconnect multiple fabrics. EX_Ports or VEX_Ports attached to more than one edge fabric must be configured with a different fabric ID for each edge fabric.
3. (Optional) Configure the FC router port cost if you want to change the default values.
EX Port         ON
Mirror Port     ON
FC Fastwrite    ON
9.
LE domain: 0
FC Fastwrite: ON
Interrupts:    0   Link_failure:  0   Frjt:  0
Unknown:       0   Loss_of_sync:  0   Fbsy:  0
Lli:           0   Loss_of_sig:   2
Proc_rqrd:     0   Protocol_err:  0
Timed_out:     0   Invalid_word:  0
Rx_flushed:    0   Invalid_crc:   0
Tx_unavail:    0   Delim_err:     0
Free_buffer:   0   Address_err:   0
Overrun:       0   Lr_in:         0
Suspended:     0   Lr_out:        0
Parity_err:    0   Ols_in:        0
2_parity_err:  0   Ols_out:       0
CMI_bus_err:   0

Port part of other ADs: No
10.
FC routers optimize the usage of the router port links by directing traffic to the link with the smallest router port cost. The FC router port cost is similar to the link cost setting available on E_Ports, which allows you to customize traffic flow. The router port link cost values are either 1000 or 10,000. The router module chooses the router port path based on the lowest cost for each FID connection.
EX_Ports and VEX_Ports, when connected, are assigned different router port costs, and traffic flows only through the EX_Ports. Routing failover is automatic, but it can result in frames arriving out of order when frames take different routes. The FC router can force in-order delivery, although frame delivery is delayed immediately after the path failover.
EX_Port frame trunking configuration
In Fabric OS v5.2.0 and later, you can configure EX_Ports to use frame-based trunking just as you do regular E_Ports. EX_Port frame trunking support is designed to provide the best utilization and balance of frames transmitted on each link between the FC router and the edge fabric. You should trunk all ports connected to the same edge fabrics.
Table 94 lists the platforms that support FC-FC routing, indicates whether masterless EX_Port frame trunking is supported and, if supported, whether Virtual Fabrics must be enabled or disabled.
High availability support
The EX_Port frame trunking feature is also a High Availability (HA) supported feature. The HA protocol for EX_Port trunking is as follows:
• If trunking is disabled prior to the HA failover, it remains disabled after the HA failover.
• If trunking is enabled prior to the HA failover, it remains enabled after the HA failover.
LSAN zone configuration
An LSAN consists of zones in two or more edge or backbone fabrics that contain the same devices. LSANs essentially provide selective device connectivity between fabrics without forcing you to merge those fabrics. FC routers provide multiple mechanisms to manage inter-fabric device connectivity through extensions to existing switch management interfaces. You can define and manage LSANs using Brocade Advanced Zoning.
LSAN zones and fabric-to-fabric communications
Zoning is enforced by all involved fabrics; any communication from one fabric to another must be allowed by the zoning setup on both fabrics. If the SANs are under separate administrative control, separate administrators maintain access control.

Controlling device communication with the LSAN
The following procedure illustrates how LSANs control which devices can communicate with each other.
Do you want to enable 'zone_cfg' configuration (yes, y, no, n): [no] y
zone config "zone_cfg" is in effect
Updating flash …
6. Log in as admin to fabric2.
7. Enter the nsShow command to list Target A (50:05:07:61:00:5b:62:ed) and Target B (50:05:07:61:00:49:20:b4).
• fcrPhyDevShow shows the physical devices in the LSAN.
switch:admin> fcrphydevshow
 Device     WWN                       Physical
 Exists                               PID
 in Fabric
 -----------------------------------------
   75       10:00:00:00:c9:2b:c9:0c   c70000
    2       50:05:07:61:00:5b:62:ed   0100ef
    2       50:05:07:61:00:5b:62:ed   0100e8
 Total devices displayed: 3
• fcrProxyDevShow shows the proxy devices in the LSAN.
NOTE
Because the maximum number of LSANs is configured for each switch, if there is a different maximum LSAN count on the switches throughout the metaSAN, the device import/export will not be identical on the FC routers. You should enter the same maximum LSAN count for all the FC routers in the same backbone that support this feature. Verify the configured maximum limit against the LSANs configured using the fcrResourceShow command.
Normally the FC router automatically accepts all zones with names that start with “lsan_”. You can specify an Enforce tag to indicate that a particular FC router should accept only zones that start with the prefix “lsan_tag”. For example, if you specify an Enforce tag of “abc”, the FC router accepts only those LSAN zones that start with “lsan_abc” and does not import or export any other LSAN zones.
FIGURE 74 Example of setting up Speed LSAN tag (figure: H1, D1 and D2 spread over Edge fabrics 1, 2 and 3, joined through FC router 1 and FC router 2; shading marks the LSAN)

Rules for LSAN tagging
Note the following rules for configuring LSAN tags:
• You configure the tags on the FC router, not on the edge switches. If Virtual Fabrics are enabled, you configure the tags on the base switch on which the EX_ and VEX_Ports are located.
4. Enter the following command to enable the FC router:
switchenable
5. Change the names of the LSAN zones in the edge fabrics to incorporate the tag in the names.
Example
sw0:admin> switchdisable
sw0:admin> fcrlsan --add -enforce enftag1
LSAN tag set successfully
sw0:admin> switchenable

Configuring a Speed LSAN tag
1. Log in to the FC router as admin.
2.
Example
sw0:admin> fcrlsan --show -enforce
Total LSAN tags : 1
ENFORCE : enftag1
sw0:admin> fcrlsan --show -speed
Total SPEED tags : 1
SPEED : fasttag2
sw0:admin> fcrlsan --show -all
Total LSAN tags : 2
ENFORCE : enftag1
SPEED : fasttag2

LSAN zone binding
LSAN zone binding is an optional, advanced feature that increases the scalability envelope for very large metaSANs.
NOTE
LSAN zone binding is supported only on FC routers with Fabric OS v5.3.0 and later.
FIGURE 75 LSAN zone binding (figure: Fabrics 1 through 9 attached to FC routers 1 through 4 in the backbone fabric, with LSAN zones 1 through 4 drawn across the fabrics they span)

After you set up LSAN zone binding, each FC router stores information about only those LSAN zones that access its local edge fabrics.
How LSAN zone binding works
LSAN zone binding uses an FC router matrix, which specifies pairs of FC routers in the backbone fabric that can access each other, and an LSAN fabric matrix, which specifies pairs of edge fabrics that can access each other. You set up LSAN zone binding using the fcrLsanMatrix command. This command has two options: -fcr and -lsan.
LSAN fabric matrix definition
With LSAN zone binding, you can specify pairs of fabrics that can access each other.
Viewing the LSAN zone binding matrixes
1. Log on to the FC router as admin.
2. Enter the following command to view the FC router matrix:
fcrlsanmatrix --fabricview -fcr
3.
• To change the fabric parameters on a switch in the edge fabric, use the configure command. Note that to access all of the fabric parameters controlled by this command, you must disable the switch using the switchDisable command. If the command is executed on an enabled switch, only a subset of the attributes is configurable.
• To change the fabric parameters of an EX_Port on the FC router, use the portCfgEXPort command.
Enabling broadcast frame forwarding
1. Log in to the FC router as admin.
2. Type the following command:
fcr:admin> fcrbcastconfig --enable -f fabricID
where fabricID is the FID of the edge or backbone fabric on which you want to enable broadcast frame forwarding. Broadcast frame forwarding is enabled by default.

Disabling broadcast frame forwarding
1. Log in to the FC router as admin.
2.
  LSAN Devices:         10000      51
  Proxy Device Slots:   10000      20

                     WWN Pool Size   Allocated
  --------------------------------------------
  Phantom Node WWN:    8192            5413
  Phantom Port WWN:    32768           16121

Port Limits:
  Max proxy devices:  2000
  Max NR_Ports:       1000

  Currently Used (column 1: proxy, column 2: NR_Ports):
   0 |  0  34
   1 |  3  34
   4 |  0   0
   5 |  0   0
   6 |  0   0
   7 |  0   0
   8 |  6  34
   9 |  6  34
  10 |  6  34
  11 |  6  34
  12 |  6  34
  13 |  6  34
  14 |  6  34
  15 |  6  34
  16 |  8  34
  17 |  8  34
  18 |  8  34
  19 |  8  34
  20 |  8
  21 |
  22 |
  23 |
FC-FC Routing and Virtual Fabrics
• EX_Ports can connect to a logical switch that is in the same chassis or a different chassis. However, the FID of the EX_Port must be set to a different value than the FID of the logical switch to which it connects.
• EX_Ports and VEX_Ports — those in FC routers and those in a base switch — cannot connect to any edge fabric with logical switches configured to use XISLs.
FIGURE 76 (diagram, not reproduced): Physical chassis 1 and physical chassis 2, each holding four logical switches. Chassis 1: logical switch 1 (default logical switch, Fabric ID 128), logical switch 2 (Fabric ID 1, allows XISL use), logical switch 3 (Fabric ID 15) and logical switch 4 (base switch, Fabric ID 8). Chassis 2: logical switch 5 (default logical switch, Fabric ID 128), logical switch 6 (Fabric ID 1, allows XISL use), logical switch 7 (Fabric ID 15) and logical switch 8 (base switch, Fabric ID 8). The diagram labels E_Ports, F_Ports and EX_Ports and shows ISLs, IFLs, a logical ISL and an XISL.
Upgrade and downgrade considerations for FC-FC routing
Even though F_Ports are not allowed in the base switch, they are allowed in an FC router in legacy mode (Fabric OS v6.1.x or earlier, or Fabric OS v6.2.0 or later with Virtual Fabrics disabled). If you connect an FC router in legacy mode to the base switch, backbone-to-edge routing is supported on that FC router. In Figure 76, no devices can be connected to the backbone fabric (Fabric 8) because base switches cannot have F_Ports.
If you replace an 8-Gbps port blade or FX8-24 blade with an FR4-18i blade, the EX_Port configuration remains the same for all ports on the FR4-18i blade. All ports are persistently disabled. If you replace an 8-Gbps port blade with an FX8-24 blade, the EX_Port configuration remains the same for the first 12 FC ports on the FX8-24 blade.
Appendix A  M-EOS Migration Path to Fabric OS
In this appendix
• M-EOS fabrics overview, page 497
• McDATA Mi10K interoperability, page 499
• Fabric configurations for interconnectivity
TABLE 96 Fabric OS and M-EOSc interoperability compatibility matrix (Continued) [footnote 1]
Versions of M-EOSc listed as columns: v6.2.0, v7.1.3x, v8.0, v9.2.0, v9.6.2, v9.7, v9.8, v9.9
Fabric OS v6.3.0: Yes  Yes
Fabric OS v6.4.0: Yes  Yes
1. Both Open and McDATA Fabric modes are supported.
2. Fabric OS v5.1.0 and M-E/OSc v4.1.1, v5.1.2, 6.2.0 can interoperate through the FC routing capability of the SilkWorm AP7420 only. Fabric OS and M-E/OSc v7.1.
The connectivity limitations of a metaSAN containing Fabric OS and M-EOS fabrics are defined by the scalability of each individual fabric. The latest scalability information can be found at the Brocade Connect Web site at www.brocade.com. Refer to the M-EOS fabric documentation for scalability considerations.
Fabric configurations for interconnectivity
To allow interconnectivity with M-EOS SANs, use the -m option on the portCfgEXPort command to indicate the connectivity mode. Table 98 lists the valid parameters to use with the -m option to set the connectivity mode.
TABLE 98 portCfgEXPort -m values
Value | Description        | Use
0     | Brocade Native     | Default mode.
1     | McDATA Open Mode 1 | When the neighboring M-EOS switch is running in open mode.
The following example sets port 10/13 to admin-enabled, assigns a Fabric ID of 37, and sets the M-EOS connection to McDATA Fabric Mode.
ecp:admin_06> portcfgexport 10/13 -a 1 -f 37 -m 2
6. Enable the port by issuing the portEnable command.
ecp:admin_06> portenable 10/13
If the port was persistently disabled, use the following command to enable the port:
ecp:admin_06> portcfgpersistentenable 10/13
7.
Configuring LSAN zones in the M-EOS fabric
To ensure connectivity with devices in the Fabric OS fabric, you must set up LSAN zones in each edge fabric. An LSAN is defined by a zone in an edge fabric. When zoning an LSAN that spans multiple fabrics with switches that are not running Fabric OS, you must identify members by port WWN. Because port IDs are not necessarily unique across fabrics, you cannot use the domain,port method of identification.
6. Connect to the switch and configure the connection to capture console output.
7. Enter the supportShow (or supportSave if available) command, and save the output.
8. If the fabric does not appear:
   a. Disable the EX_Port on the connected fabric.
   b. Enter the portLogClear command for the port.
   c. Enable the port on the FC router.
   d. Enter the portLogDump command for the port, capturing the output.
  state   rev    owner
  known   v520   0xfffc02
Device list: count 1
  Type  Pid      COS  PortName                  NodeName
  N     010e00;  3;   10:00:00:00:00:01:00:00;  10:00:00:00:00:00:01:00;
    Fabric Port Name: 20:0e:00:60:69:e2:18:b6
    Permanent Port Name: 10:00:00:00:00:01:00:00
    Port Index: 14
    Share Area: No
    Device Shared in Other AD: No
Switch entry for 3
  state   rev    owner
  known   v410   0xfffc02
Device list: count 1
  Type  Pid      COS   PortName                  NodeName
  N     03f001;  2,3;  10:00:00:00:c9:44:54:04;  20:00:00:00:c9:44:54:
Appendix B  Inband Management
In this appendix
• Inband Management overview
• Internal Ethernet devices
• IP address and routing management
• Examples of supported configurations
Internal Ethernet devices
During the switch initialization process, two internal Ethernet devices are created: inbd0 and inbd1. Ethernet device inbd0 is used to communicate through GE port 1, and inbd1 is used to communicate through GE port 0. These Ethernet interfaces are internal only and are not accessible from outside the switch. They are used strictly for communicating IP packets between the CP and the GE port processor.
specified gateway. If no gateway is specified, it is assumed that the management station is on the same subnet as the external GE IP address, so no route is created on the GE port processor. Only a route on the CP is created, with the internal GE port processor inband device address as the gateway.
Deleting an Inband Management route
1. Connect to the switch and log in as admin.
2. Enter the portCfg inbandmgmt command to delete a route to the Management Station.
switch:admin> portcfg inbandmgmt ge0 routedel 192.168.3.0 255.255.255.0
Viewing Inband Management IP addresses and routes
The portShow inbandmgmt command displays the addresses that are currently configured for that GE port number and the status of Inband Management (Enabled/Disabled).
CP for 192.168.255.0/24 with gateway 192.168.255.1. Likewise, there is a “Management” route on the GE port processor for 10.1.1.61/32 with gateway 192.168.255.1, and a “Management” route on the CP for 192.168.112.60/32 with gateway 192.168.255.2. In this example, the CP management address is 10.1.1.61, and the “Management Station” is at address 192.168.112.60.
b. On the 7500 R1, create an IP address on the GE interface:
switch:admin> portcfg ipif ge0 create 192.168.3.20 255.255.255.0 1500
2. Configure the management interfaces on the 7500 L1.
a. Configure the internal addresses for the inbd devices for the CP and the GE port (GE port 0 for this example).
switch:admin> portcfg inbandmgmt ge0 ipaddrset cp 192.168.255.1 255.255.255.0
switch:admin> portcfg inbandmgmt ge0 ipaddrset ge 192.168.255.2 255.255.255.0
b.
FIGURE 81 Management Station on a different subnet (diagram not reproduced)
1. Configure the IP address for each of the 7500s (L1 and R1):
a. On the 7500 L1, create an IP address on the GE interface:
switch:admin> portcfg ipif ge0 create 192.168.1.10 255.255.255.0 1500
b. On the 7500 R1, create an IP address on the GE interface:
switch:admin> portcfg ipif ge0 create 192.168.2.20 255.255.255.0 1500
2. Configure the management addresses for the 7500 L1.
a.
switch:admin> portcfg inbandmgmt ge0 routeadd 192.168.3.0 255.255.255.0 192.168.2.250
4. Configure the routes on Router A.
a. Configure the route going to the 7500 L1 management address.
linux> route add -host 10.1.1.10 gw 192.168.1.10
b. Configure the route going to the Management Station.
linux> route add -net 192.168.3.0/24 gw 172.0.1.3
5. Configure the routes on Router B.
a. Configure the route going to the 7500 R1 management address.
Appendix C  Port Indexing
In this appendix
• Port indexing on the Brocade 48000 director, page 513
• Port indexing on the Brocade DCX backbone, page 515
• Port indexing on the Brocade DCX-4S backbone, page 517
Port indexing on the Brocade 48000 director
Table 99 shows the area_ID and index mapping for core PID assignment for the Brocade 48000 director.
TABLE 99 Default index/area_ID core PID assignment with no port swap for the Brocade 48000 director (Continued)
Port on blade | Slot 1 Idx/area | Slot 2 Idx/area | Slot 3 Idx/area | Slot 4 Idx/area | Slot 7 Idx/area | Slot 8 Idx/area | Slot 9 Idx/area | Slot 10 Idx/area
32 | 256/136 | 272/152 | 288/168 | 304/184 | 320/200 | 336/216 | 352/232 | 368/248
31 | 143/143 | 159/159 | 175/175 | 191/191 | 207/207 | 223/223 | 239/239 | 255/255
30 | 142/142 | 158/158 | 174/174 | 190/190 | 206/20
Port indexing on the Brocade DCX backbone
Table 100 shows the index and PID mapping for the Brocade DCX enterprise-class platform. This table provides the index/PID assignment for the maximum number of ports (used by the FC8-64 blade). If your blade does not have the maximum number of ports, use the lower sections of the table to determine the index and PID assignment.
TABLE 100 Default index/16-bit PID assignment with no port swap on a Brocade DCX backbone (Continued)
Port (DCX) | Slot 1 Index/PID | Slot 2 Index/PID | Slot 3 Index/PID | Slot 4 Index/PID | Slot 9 Index/PID | Slot 10 Index/PID | Slot 11 Index/PID | Slot 12 Index/PID
47 | 271/0x87c0 | 287/0x97c0 | 303/0xa7c0 | 319/0xb7c0 | 335/0xc7c0 | 351/0xd7c0 | 367/0xe7c0 | 383/0xf7c0
46 | 270/0x86c0 | 286/0x96c0 | 302/0xa6c0 | 318/0xb6c0 | 334/0xc6c0 | 350/0xd6c0 | 366/0xe6c0 | 382/0xf6c0
45
TABLE 100 Default index/16-bit PID assignment with no port swap on a Brocade DCX backbone (Continued)
Port (DCX) | Slot 1 Index/PID | Slot 2 Index/PID | Slot 3 Index/PID | Slot 4 Index/PID | Slot 9 Index/PID | Slot 10 Index/PID | Slot 11 Index/PID | Slot 12 Index/PID
12 | 12/0x0c40 | 28/0x1c40 | 44/0x2c40 | 60/0x3c40 | 76/0x4c40 | 92/0x5c40 | 108/0x6c40 | 124/0x7c40
11 | 11/0x0b40 | 27/0x1b40 | 43/0x2b40 | 59/0x3b40 | 75/0x4b40 | 91/0x5b40 | 107/0x6b40 | 123/0x7b40
10 | 10/0x0a4
TABLE 101 Default index/16-bit PID assignment with no port swap for the Brocade DCX-4S
Port on blade | Slot 1 Index/PID | Slot 2 Index/PID | Slot 7 Index/PID | Slot 8 Index/PID
63 | 63/0x3f00 | 127/0x7f00 | 191/0xbf00 | 255/0xff00
62 | 62/0x3e00 | 126/0x7e00 | 190/0xbe00 | 254/0xfe00
61 | 61/0x3d00 | 125/0x7d00 | 189/0xbd00 | 253/0xfd00
60 | 60/0x3c00 | 124/0x7c00 | 188/0xbc00 | 252/0xfc00
59 | 59/0x3b00 | 123/0x7b00 | 187/0xbb00 | 251/0xfb00
58 | 58/0x3a00 | 122/0x7a00 | 186
TABLE 101 Default index/16-bit PID assignment with no port swap for the Brocade DCX-4S (Continued)
Port on blade | Slot 1 Index/PID | Slot 2 Index/PID | Slot 7 Index/PID | Slot 8 Index/PID
28 | 28/0x1c00 | 92/0x5c00 | 156/0x9c00 | 220/0xdc00
27 | 27/0x1b00 | 91/0x5b00 | 155/0x9b00 | 219/0xdb00
26 | 26/0x1a00 | 90/0x5a00 | 154/0x9a00 | 218/0xda00
25 | 25/0x1900 | 89/0x5900 | 153/0x9900 | 217/0xd900
24 | 24/0x1800 | 88/0x5800 | 152/0x9800 | 216/0xd800
23 | 23/0x1700 | 87/0x5700 | 151/0
Fabric OS Administrator’s Guide 53-1001763-01
Appendix D  FIPS Support
In this appendix
• FIPS overview
• Zeroization functions
• FIPS mode configuration
• Preparing the switch for FIPS
TABLE 102 Zeroization behavior (Continued)
Keys: FCSP Challenge Handshake Authentication Protocol (CHAP) Secret
Zeroization CLI: secAuthSecret --remove value | --all
Description: The secAuthSecret --remove value command removes the specified keys from the database. When the secAuthSecret command is used with the --remove --all option, the entire key database is deleted.
The results of all self-tests, for both power-up and conditional, are recorded in the system log or are output to the local console. This includes logging both passing and failing results. Refer to the Fabric OS Troubleshooting and Diagnostics Guide for instructions on how to recover if your system cannot get out of the conditional test mode.
FIPS mode configuration
By default, the switch comes up in non-FIPS mode.
LDAP in FIPS mode
You can configure your Microsoft Active Directory server to use LDAP while in FIPS mode. There is no option on the switch to configure TLS ciphers for LDAP in FIPS mode; instead, the LDAP client checks whether FIPS mode is set on the switch and, if so, uses the FIPS-compliant TLS ciphers for LDAP. If FIPS mode is not set on the switch but the Microsoft Active Directory server is configured for FIPS ciphers, FIPS-compliant ciphers are used.
2. Configure the DNS on the switch by using the dnsConfig command.
Example of setting the DNS
switch:admin> dnsconfig
Enter option
1 Display Domain Name Service (DNS) configuration
2 Set DNS configuration
3 Remove DNS configuration
4 Quit
Select an item: (1..4) [4] 2
Enter Domain Name: [] domain.com
Enter Name Server IP address in dot notation: [] 123.123.123.123
Enter Name Server IP address in dot notation: [] 123.123.123.
LDAP certificates for FIPS mode
To use the LDAP services for FIPS between the switch and the host, you must generate a CSR on the Active Directory server and import and export the CA certificates. To support server certificate validation, the CA certificate must be installed on both the switch and the Active Directory server. Use the secCertUtil command to import the CA certificate to the switch.
Deleting an LDAP switch certificate
This option deletes the LDAP CA certificate from the switch.
1. Connect to the switch and log in as admin.
2. Enter the secCertUtil show -ldapcacert command to determine the name of the LDAP certificate file.
3. Enter the secCertUtil delete -ldapcacert command, passing the name of the LDAP certificate file on the switch.
Enabling FIPS mode
1. Log in to the switch using an account assigned the admin or securityAdmin role.
2. Optional: Select the appropriate method based on your needs:
• If the switch is set for RADIUS, modify each server to use only peap-mschapv2 as the authentication protocol using the aaaConfig --change or aaaConfig --remove command.
• If the switch is set for LDAP, refer to the instructions in “Setting up LDAP for FIPS mode” on page 524.
3.
Enforce secure config Upload/Download   Press enter to accept default.
Enforce firmware signature validation   Yes
Example
switch:admin> configure
Not all options will be available on an enabled switch.
To disable the switch, use the "switchDisable" command.
Configure...
Zeroizing for FIPS
1. Log in to the switch using an account assigned the admin or securityAdmin role.
2. Type the command fipsCfg --zeroize.
3. Reboot the switch.
Displaying FIPS configuration
1. Log in to the switch using an account assigned the admin or securityAdmin role.
2. Type the command fipsCfg --showall.
Appendix E  Hexadecimal
Hexadecimal overview
Hexadecimal, or simply hex, is a numeral system with a base of 16, usually written using the symbols 0–9 and A–F (or a–f). Its primary purpose is to represent the binary code that computers interpret in a format that is easier for humans to read. It acts as a form of shorthand, in which one hexadecimal digit stands in place of four binary bits.
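As an added example (not code from this guide), the following Python decodes the hexadecimal port IDs that appear in this document: the 24-bit PIDs printed in device lists (such as 010e00 with Port Index 14) and the index/16-bit PID cells of the port indexing tables in Appendix C. It assumes the core PID layout of one byte each for domain, area and port; the sample rows are copied from Tables 100 and 101, and the area/index check is the one those tables let you make.

```python
from dataclasses import dataclass

HEX_DIGITS = "0123456789abcdef"


@dataclass(frozen=True)
class Pid:
    """Core PID: 8-bit domain ID, 8-bit area ID, 8-bit port (AL_PA) field."""
    domain: int
    area: int
    port: int

    @property
    def hex24(self) -> str:
        """Render in the 6-digit form printed in device lists, e.g. '010e00'."""
        return f"{self.domain:02x}{self.area:02x}{self.port:02x}"


def _clean_hex(text: str, digits: int) -> int:
    """Strip the '0x' prefix and the trailing ';' seen in CLI output; reject junk."""
    s = text.strip().lower().rstrip(";")
    if s.startswith("0x"):
        s = s[2:]
    if len(s) != digits or any(c not in HEX_DIGITS for c in s):
        raise ValueError(f"expected {digits} hex digits, got {text!r}")
    return int(s, 16)


def parse_pid24(text: str) -> Pid:
    """Parse a 24-bit PID such as '010e00' or '03f001;' from a device list."""
    value = _clean_hex(text, 6)
    return Pid(value >> 16, (value >> 8) & 0xFF, value & 0xFF)


def parse_pid16(text: str, domain: int) -> Pid:
    """Parse a 16-bit table PID such as '0x0c40' for a switch with the given domain ID."""
    if not 1 <= domain <= 239:
        raise ValueError("domain ID must be 1-239")
    value = _clean_hex(text, 4)
    return Pid(domain, value >> 8, value & 0xFF)


def parse_table_row(row: str, domain: int) -> list[dict]:
    """Decode one whitespace-separated 'index/PID' row of Table 100 or 101.

    For each cell the result records the port index, the decoded PID and whether
    the area ID equals the index. When it does not, the port has no area of its
    own (compare the 'Share Area' field in device-list output) and the low PID
    byte is what tells two ports on the same area apart.
    """
    out = []
    for cell in row.split():
        idx_text, pid_text = cell.split("/", 1)
        index = int(idx_text)
        pid = parse_pid16(pid_text, domain)
        out.append({"index": index, "pid": pid, "area_is_index": pid.area == index})
    return out


if __name__ == "__main__":
    # Constructed sample rows, copied from the port-indexing tables (domain 1 assumed).
    row_port12 = "12/0x0c40 28/0x1c40 44/0x2c40 60/0x3c40 76/0x4c40 92/0x5c40"
    row_port47 = "271/0x87c0 287/0x97c0 303/0xa7c0 319/0xb7c0"
    for r in (row_port12, row_port47):
        for entry in parse_table_row(r, domain=1):
            print(entry["index"], entry["pid"].hex24, entry["area_is_index"])
    # Device-list PID 010e00 with 'Port Index: 14': area 0x0e is port index 14.
    print(parse_pid24("010e00;"))
```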
TABLE 106 Decimal to hexadecimal conversion table
Decimal  01 02 03 04 05 06 07 08 09 10
Hex      01 02 03 04 05 06 07 08 09 0a
Decimal  11 12 13 14 15 16 17 18 19 20
Hex      0b 0c 0d 0e 0f 10 11 12 13 14
Decimal  21 22 23 24 25 26 27 28 29 30
Hex      15 16 17 18 19 1a 1b 1c 1d 1e
Decimal  31 32 33 34 35 36 37 38 39 40
Hex      1f 20 21 22 23 24 25 26 27 28
Decimal  41 42 43 44 45 46 47 48 49 50
Hex
TABLE 106 Decimal to hexadecimal conversion table (Continued)
Decimal  181 182 183 184 185 186 187 188 189 190
Hex      b5  b6  b7  b8  b9  ba  bb  bc  bd  be
Decimal  191 192 193 194 195 196 197 198 199 200
Hex      bf  c0  c1  c2  c3  c4  c5  c6  c7  c8
Decimal  201 202 203 204 205 206 207 208 209 210
Hex      c9  ca  cb  cc  cd  ce  cf  d0  d1  d2
Decimal  211 212 213 214 215 216 217 218 219 220
Hex      d3  d4  d5  d6  d7  d8  d9  da  db  dc
Decimal