HP StorageWorks Fabric OS 5.3.
Legal and notice information © Copyright 2007 Hewlett-Packard Development Company, L.P. © Copyright 2007 Brocade Communications Systems, Incorporated. Hewlett-Packard Company makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.
Contents (excerpt)
About this Guide (17): Supported HP StorageWorks hardware; Intended audience; Related documentation; Glossary of terms; Document conventions and symbols
Activating ports on demand: How to activate Ports on Demand; Configuring Dynamic Ports on Demand (DPOD); Port assignments and licenses
Changing local account passwords (69): How to change the password for the current login account (69); How to change the password for a different account (70); Configuring the local user database
How to enable telnet (91); Blocking listeners (92); Accessing switches and fabrics (93); Port configuration
Deleting an ACL policy; Aborting all uncommitted changes; Configuring the authentication policy for fabric elements; E_Port authentication
Assigning a user to an admin domain: How to create a new user account for managing Admin Domains; How to assign Admin Domains to an existing user account; How to create a new physical fabric administrator user account; Activating and deactivating admin domains
Configuring Directors (203): Identifying ports; By slot and port number; By port area ID
Matching fabric parameters; EX_Port frame trunking (optional); Supported configurations and platforms; High Availability support
Recording configuration information (281); Sample IOCP configuration file for SAN Switch 2/32, SAN Switch 4/32, SAN Switch 4/32B, SAN Director 2/128, and 4/256 SAN Director switches (283); Sample RMF configuration file for mainframe
Supported hardware; How port mirroring works; Port mirroring considerations; Creating, deleting, and displaying port mirroring
Zone aliases; Zone configurations; Zoning enforcement; Hardware-enforced Zoning
Testing end-to-end IP path performance; Fastwrite and tape pipelining; Enabling fastwrite and tape pipelining; Constraints for Fastwrite and Tape Pipelining
Password recovery options (450); D Using Remote Switch (453); About Remote Switch (453); Remote switch capabilities
About this Guide This guide provides procedures to help you maintain Fabric OS 5.3.0 running in your Storage Area Network (SAN). Supported HP StorageWorks hardware Table 1 lists Brocade and HP StorageWorks product models supported by Fabric OS 5.3.0 at the time of this document’s release.
WARNING! For late breaking, supplemental information, access the latest version of the HP StorageWorks Fabric OS 5.3.x release notes Glossary of terms This guide uses industry standard SAN terminology. However, some terms are intrinsic to Fabric OS 5.3.0. See the Brocade Glossary supporting Fabric OS 5.3.0 for a complete list of terms and definitions. Access from the HP web site using the procedure outlined in ”Related documentation”.
HP technical support Telephone numbers for worldwide technical support are listed on the HP support web site: http://www.hp.com/support/. Collect the following information before calling: • Technical support registration number (if applicable) • Product serial numbers • Product model names and numbers • Applicable error messages • Operating system type and revision level • Detailed, specific questions For continuous quality improvement, calls may be recorded or monitored.
1 Introducing Fabric OS CLI procedures This chapter summarizes procedures for configuring and managing an HP StorageWorks SAN using the Fabric OS Command Line Interface (CLI).
There are several methods that you can use to configure a switch. These are listed with their respective documents: • Command Line Interface (CLI) • A telnet session into logical switches • A telnet session into active and standby CPs for Director class switches • A serial console, including active and standby CPs for Director class switches • An optional modem, which behaves like a serial console port For CLI details, refer to the Fabric OS Command Reference Manual.
Help information Each Fabric OS command provides Help information that explains the command function, its possible operands, its level in the command hierarchy, and additional pertinent information. Displaying command Help 1. Connect to the switch and log in as admin. 2. To display a list of all command help topics for a given login level, enter the help command with no arguments.
2 Performing basic configuration tasks Connecting to the CLI Connect to the CLI either through a telnet or SSH connection or through a console session on the serial port. Using telnet or SSH session Connect to the Fabric OS CLI of a switch that has a configured network interface using a telnet or SSH session. The switch must also be physically connected to the network.
If you have not changed the system passwords from the default, you are prompted to change them. Enter the new system passwords, or press Ctrl-c to skip the password prompts. See ”How to change default passwords at login” on page 28. 5. Verify that the login was successful. The prompt displays the switch name and user ID to which you are connected.
Every logical switch (domain) has a set of default accounts. The root and factory default accounts are reserved for development and manufacturing. The user account is primarily used for system monitoring. For more information on default accounts, see ”About the default accounts” on page 66.
How to change default passwords at login 1. Connect to the switch and log in as admin. The default password for all default accounts is: password 2. At each of the “Enter new password” prompts, either enter a new password or skip the prompt. Press Enter to skip a prompt. Press Ctrl-c to bypass the remaining prompts.
login: admin
Password:
Please change your passwords now.
Use Control-C to exit or press 'Enter' key to proceed.
How to display network interface settings If an IP address has not been assigned to the network interface (Ethernet), you must connect to the Fabric OS CLI using a console session on the serial port, see ”How to connect via the serial port” on page 26. Otherwise, connect using SSH. 1. Connect to the switch and log in as admin. 2. Enter the ipAddrShow command.
FD21:admin> ipaddrshow
SWITCH
Ethernet IP Address: 192.168.78.158
Ethernet Subnetmask: 255.255.255.0
Fibre Channel IP Address: 220.220.220.
How to set static addresses for the Ethernet network interface 1. Connect to the switch and log in as admin. 2. Enter the following command to set the IPv4 address:
switch:admin> ipaddrset
Ethernet IP Address [192.168.74.102]:
Ethernet Subnetmask [255.255.255.0]:
Fibre Channel IP Address [220.220.220.2]:
Fibre Channel Subnetmask [255.255.0.0]:
Gateway IP Address [192.168.74.
DHCP summary Plug DHCP enabled switches in to the network, power on the switch, and the switch automatically obtains the Ethernet IP address, Ethernet subnet mask, and default gateway address from the DHCP server. The DHCP client can only connect to a DHCP server on the same subnet as the switch. Do not enable DHCP, if the DHCP server is not on the same subnet as the switch.
Setting the date and time Switches maintain the current date and time inside a battery-backed real-time clock (RTC) circuit. Date and time are used for logging events. Switch operation does not depend on the date and time; a switch with an incorrect date and time value still functions properly. However, because the date and time are used for logging, error detection, and troubleshooting, you should set them correctly. Authorization access to set or change date and time for a switch is role-based.
You can set the time zone for a switch using the tsTimeZone command. The tsTimeZone command allows you to: • Display all of the time zones supported in the firmware • Set the time zone based on a Country and City combination or based on a time zone ID such as PST See the tsTimeZone command in the Fabric OS Command Reference Manual for more detailed information about the command parameters. The time zone setting has the following characteristics: • Users can view the time zone settings.
How to set the time zone interactively 1. Type the tsTimeZone command as follows: switch:admin> tstimezone --interactive 2. Select a general location:
Please identify a location so that time zone rules can be set correctly.
Please select a continent or ocean.
Africa
Americas
Antarctica
Arctic Ocean
Asia
Atlantic Ocean
Australia
Europe
Indian Ocean
Pacific Ocean
none - I want to specify the time zone using the Posix TZ format.
4. You are finally prompted to specify the time zone region. Please select one of the following time zone regions.
How to synchronize local time with an external source 1. Connect to the switch and log in with an account assigned to the admin role. 2. Enter the tsClockServer command: switch:admin> tsclockserver “ Where ntp1 is the IP address or DNS name of the first NTP server, which the switch must be able to access. The second ntp2 is the second NTP server and is optional.
You need the following items for each chassis to be licensed: • Transaction key in the paperpack document supplied with the switch software. Or, when you purchased a license, HP provides a transaction key to be used for generating a software license key. • License ID. To see a switch license ID, use the licenseIdShow command.
b. Activate the license using the licenseAdd command: switch:admin> licenseadd “key” The license key is case-sensitive and must be entered exactly as given. The quotation marks are optional. For HP StorageWorks Director models, licenses are effective on both CP blades and on all logical switches, but are valid only when the CP blade is inserted into a chassis that has an appropriate license ID stored in the World Wide Name (WWN) card.
After a reboot (or switchDisable and switchEnable) only the remaining licenses appear: switch:admin> licenseshow SybbzQQ9edTzcc0X: Fabric license switch:admin> If there are no license keys, licenseShow displays “No licenses.” Customizing a switch name Switches can be identified by IP address, Domain ID, World Wide Name (WWN), or by customized switch names that are unique and meaningful. Version 4.0.
5. Record the new switch name for future reference. 6. SAN Director 2/128 configured with two domains: Disconnect from the session and repeat the procedure for the second logical switch. switch:admin> switchname “switch62” Committing configuration... Done. switch62:admin> Customizing the chassis name Beginning with Fabric OS 4.4.x, it is recommended that you customize the chassis name for each switch.
How to display domain IDs 1. Connect to a switch and log in as admin. 2. Enter the fabricShow command. Fabric information is displayed, including the domain ID (D_ID):
switch:admin> fabricshow
Switch ID   Worldwide Name            Enet IP Addr   FC IP Addr   Name
-------------------------------------------------------------------------
1: fffc01   10:00:00:60:69:e4:00:3c   10.32.220.80   0.0.0.0      "ras080"
2: fffc02   10:00:00:60:69:e0:01:46   10.32.220.1    0.0.0.0      "ras001"
3: fffc03   10:00:00:60:69:e0:01:47   10.32.220.2    0.0.0.
7. Enter the switchEnable command to re-enable the switch. Activating ports on demand The SAN Switch 2/32 can be purchased with 16 or 32 licensed ports. As your needs increase, you can activate unlicensed ports (up to the maximum of 32 ports) by purchasing and installing the HP Ports on Demand optional, licensed product. The 4/32 SAN Switch can be purchased with 16 or 32 licensed ports.
CAUTION: If you enable or disable an active port you will disrupt any traffic and potentially lose data transmission on that port. If the port is connected to another switch, you will segment the switch from the fabric and all traffic between the disabled port and the fabric will be lost. How to activate Ports on Demand 1. Connect to the switch and log in as admin. 2. Optionally, to verify the current states of the ports, use the portShow command.
Full POD license is installed
Static POD method is in use
24 port assignments are provisioned for use in this switch:
  12 port assignments are provisioned by the base switch license
  12 port assignments are provisioned by a full POD license
24 ports are assigned to installed licenses:
  12 ports are assigned to the base switch license
  12 ports are assigned to the full POD license
Ports assigned to the base switch license: 1, 2, 3, 4, 5, 6, 7, 8, 17, 18, 19, 20
Ports assigned to the full POD license: 0, 9, 10, 1
1. Connect to the switch and log in as admin. 2. Enter the licensePort --method command with the static option to change the license assignment method to static. switch:admin> licenseport --method static The POD method has been changed to static. Please reboot the switch now for this change to take effect. 3. Enter the reboot command to restart the switch. switch:admin> reboot 4. Enter the licensePort --show command to verify the switch started the Static POD feature.
switch:admin> licenseport --reserve 0 4. If all port reservations are assigned, select a port to release its POD license. You must disable the port first by entering the command portdisable . 5. Enter the licensePort --release command to remove the port from the POD license. switch:admin> licenseport --release 0 6. Enter the licensePort --show command to verify there is an available port reservation.
Enter the switchShow command to verify the switch state is now online. Disabling and enabling a switch By default, the switch is enabled after power is applied and diagnostics and switch initialization routines have finished. You can disable and re-enable it as necessary. How to disable a switch 1. Connect to the switch and log in as admin. 2. Enter the switchDisable command at the command line. All Fibre Channel ports on the switch are taken offline.
How to enable a port 1. Connect to the switch and log in as admin. 2. HP StorageWorks 4/16 SAN Switch and 4/8 SAN Switch, SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, SAN Switch 4/32, 4/64 SAN Switch, 4/32B SAN Switch and 400 MP Router: Enter the following command: switch:admin> portenable portnumber where portnumber is the port number of the port you want to enable.
Linking through a gateway A gateway merges SANs into a single fabric by establishing point-to-point E_Port connectivity between two Fibre Channel switches that are separated by a network with a protocol such as IP or SONET. Except for link initialization, gateways are transparent to switches; the gateway simply provides E_Port connectivity from one switch to another. By default, switch ports initialize links using the Exchange Link Parameters (ELP) mode 1.
Checking status You can check the status of switch operation, high availability features, and fabric connectivity. How to verify switch operation 1. Connect to the switch and log in as admin. 2. Enter the switchShow command at the command line. This command displays a switch summary and a port summary. 3. Check that the switch and ports are online. 4. Use the switchStatusShow command to further check the status of the switch.
4. Enter the nsAllShow command at the command line. This command displays 24-bit Fibre Channel addresses of all devices in the fabric.
A message displays, verifying that the track changes feature is on: switch:admin> trackchangesset 1 Committing configuration...done. switch:admin> The output from the track changes feature is dumped to the system message log for the switch. 3. Use the errDump or errShow command to view the log. Items in the system message log created from the track changes feature are labeled TRCK: 2004/08/24-08:45:43, [TRCK-1001], 212,, INFO, ras007, Successful login by user admin.
The output is similar to the following:
switch:admin> switchstatuspolicyshow
The current overall switch status policy parameters:
                 Down   Marginal
---------------------------------
PowerSupplies     3       0
Temperatures      2       1
Fans              2       1
WWN               0       1
CP                0       1
Blade             0       1
Flash             0       1
MarginalPorts     2       1
FaultyPorts       2       1
MissingSFPs       0       0
switch:admin>
The policy parameter determines the number of failed or inoperable units for each contributor that will trigger a status change in the switch.
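As an added illustration (not code from the guide), the following Python script parses the switchStatusPolicyShow output quoted above and evaluates the per-contributor and overall switch status for a given set of failure counts. The thresholds are the guide's sample values; the failure counts and the rule that the overall status is the worst contributor status are this example's assumptions. A threshold of 0 is treated as "never triggers", which is how the sample makes MissingSFPs irrelevant to status.

```python
"""Evaluate a Fabric OS switch status policy against observed failure counts.

Added example; not part of the Fabric OS guide. SAMPLE_POLICY_OUTPUT is the
switchStatusPolicyShow output quoted in the guide; the failure counts used in
evaluate() are constructed for illustration.
"""

SAMPLE_POLICY_OUTPUT = """\
switch:admin> switchstatuspolicyshow
The current overall switch status policy parameters:
                 Down   Marginal
---------------------------------
PowerSupplies     3       0
Temperatures      2       1
Fans              2       1
WWN               0       1
CP                0       1
Blade             0       1
Flash             0       1
MarginalPorts     2       1
FaultyPorts       2       1
MissingSFPs       0       0
switch:admin>
"""

# contributor -> (down_threshold, marginal_threshold); 0 disables that status
DEFAULT_POLICY = {
    "PowerSupplies": (3, 0), "Temperatures": (2, 1), "Fans": (2, 1),
    "WWN": (0, 1), "CP": (0, 1), "Blade": (0, 1), "Flash": (0, 1),
    "MarginalPorts": (2, 1), "FaultyPorts": (2, 1), "MissingSFPs": (0, 0),
}

_RANK = {"HEALTHY": 0, "MARGINAL": 1, "DOWN": 2}


def parse_policy(output):
    """Parse switchStatusPolicyShow text into {contributor: (down, marginal)}.

    Only lines of the form '<name> <int> <int>' are policy rows; the prompt,
    heading and separator lines have a different token count and are skipped.
    """
    policy = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1].isdigit() and parts[2].isdigit():
            policy[parts[0]] = (int(parts[1]), int(parts[2]))
    return policy


def contributor_status(failed, down, marginal):
    """Status of one contributor for `failed` inoperable units.

    Down is checked first so that it wins over Marginal when both thresholds
    are reached; a threshold of 0 means that status is never triggered.
    """
    if down and failed >= down:
        return "DOWN"
    if marginal and failed >= marginal:
        return "MARGINAL"
    return "HEALTHY"


def evaluate(policy, failures):
    """Return (overall_status, {contributor: status}).

    Assumption of this example: the overall switch status is the worst
    status reported by any single contributor.
    """
    per_contributor = {
        name: contributor_status(failures.get(name, 0), down, marginal)
        for name, (down, marginal) in policy.items()
    }
    overall = max(per_contributor.values(), key=_RANK.__getitem__)
    return overall, per_contributor


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY_OUTPUT)
    # constructed failure counts: one fan out, two faulty ports
    print(evaluate(policy, {"Fans": 1, "FaultyPorts": 2}))
```

The parser is deliberately strict about token count so that a changed heading or an extra blank line in a future firmware's output does not silently become a policy row; a contributor missing from the parsed output simply defaults to no failures.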
shows the command as executed on a SAN Switch 2/32 switch.
• By default, all event classes are configured for audit; to create an audit event log for specific events, you must explicitly set a filter via the class operand and then enable it. • Audited events are generated specific to a switch and have no negative impact on performance. • All Secure Fabric OS events are audited. • Events are not persistently stored on the switch but are streamed to a system message log.
Audit events have the following message format: AUDIT, , [], , , ///,/,, Switch names are logged for switch components and chassis names for chassis components. For example, a chassis name might be FWDL or RAS and a switch component name might be zone, name server, or SNMP. Pushed messages contain the administration domain of the entity that generated the event.
The following example shows the SYSLOG (system message log) output for audit logging.
Jun 2 08:33:04 [10.32.220.7.2.2] raslogd: AUDIT, 2006/06/02-15:25:53, [SULB-1003], INFO, FIRMWARE, root/root/NONE/console/CLI, ad_0/ras007_chassis, , Firmwarecommit has started.
Jun 5 06:45:33 [10.32.220.70.2.2] raslogd: AUDIT, 2006/06/05-13:38:17, [CONF-1010], INFO, CONFIGURATION, root/root/NONE/console/CLI, ad_0/ras070, , configDownload failed
Jun 5 08:15:32 [10.32.248.73.2.
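Because audit events are only streamed to syslog and not kept on the switch, the collector is where they have to be parsed and reviewed. The following Python script is an added example (not code from the guide): it splits the syslog lines above into the fields of the audit message format, counts events per class, and flags two conditions a reviewer would want to see: an operation that reports failure, and use of the root or factory accounts, which the guide describes as reserved for development and manufacturing. The two sample lines are the guide's own; the alert rules are this example's choices, not a Fabric OS feature.

```python
"""Parse Fabric OS AUDIT events from a syslog stream and flag ones worth review.

Added example, not code from the Fabric OS guide. SAMPLE_LINES reproduces the
two complete syslog lines quoted in the guide; the alert rules are this
example's own.
"""
import re
from collections import Counter

SAMPLE_LINES = [
    "Jun 2 08:33:04 [10.32.220.7.2.2] raslogd: AUDIT, 2006/06/02-15:25:53, [SULB-1003], "
    "INFO, FIRMWARE, root/root/NONE/console/CLI, ad_0/ras007_chassis, , Firmwarecommit has started.",
    "Jun 5 06:45:33 [10.32.220.70.2.2] raslogd: AUDIT, 2006/06/05-13:38:17, [CONF-1010], "
    "INFO, CONFIGURATION, root/root/NONE/console/CLI, ad_0/ras070, , configDownload failed",
]

# Field order follows the audit message format in the guide:
# AUDIT, timestamp, [message id], severity, event class,
# user/role/admin domain/interface/application, admin domain/entity, reserved, message
AUDIT_RE = re.compile(
    r"^(?P<syslog_ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \[(?P<source>[^\]]+)\] raslogd: AUDIT, "
    r"(?P<timestamp>\S+), \[(?P<msg_id>[^\]]+)\], (?P<severity>\w+), (?P<event_class>\w+), "
    r"(?P<user>[^/]+)/(?P<role>[^/]+)/(?P<user_ad>[^/]+)/(?P<interface>[^/]+)/(?P<app>[^,]+), "
    r"(?P<ad>[^/]+)/(?P<entity>[^,]*), (?P<reserved>[^,]*), (?P<message>.*)$"
)

# The guide states these default accounts are reserved for development and manufacturing.
RESERVED_ACCOUNTS = {"root", "factory"}


def parse_audit_line(line):
    """Return the audit fields as a dict, or None for a line that is not an AUDIT event."""
    match = AUDIT_RE.match(line)
    return match.groupdict() if match else None


def find_alerts(lines):
    """Apply this example's review rules; returns a list of {msg_id, reason} dicts."""
    alerts = []
    for line in lines:
        event = parse_audit_line(line)
        if event is None:
            continue
        if event["user"] in RESERVED_ACCOUNTS:
            alerts.append({"msg_id": event["msg_id"], "reason": "reserved account in use"})
        if "failed" in event["message"].lower():
            alerts.append({"msg_id": event["msg_id"], "reason": "operation failed"})
    return alerts


def events_by_class(lines):
    """Count parsed events per audit event class (FIRMWARE, CONFIGURATION, ...)."""
    return Counter(ev["event_class"] for ev in map(parse_audit_line, lines) if ev)


if __name__ == "__main__":
    print(dict(events_by_class(SAMPLE_LINES)))
    for alert in find_alerts(SAMPLE_LINES):
        print(alert)
```

The regex anchors every field by its separator rather than splitting on commas, so a free-text message that itself contains a comma still ends up whole in the message field.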
High availability of daemon processes Fabric OS 5.3.0 supports automatic restart of non-critical daemons. Starting these non-critical daemons is automatic; you cannot configure the startup process. The following sequence of events occurs when a non-critical daemon fails: 1. When a non-critical daemon fails or dies, a RASlog and AUDIT event message is logged. 2. The daemon is automatically started again. 3.
3 Managing user accounts This chapter provides information and procedures on managing authentication and user accounts. Overview Fabric OS provides two options for authenticating users—remote RADIUS services and/or the local switch user database. Both options allow users to be centrally managed using the following methods: • Local user database: Manually synchronize the local user database using the distribute command to push a copy of the switch’s local user database to all other Fabric OS 5.2.
Table 9 Fabric OS 5.3.0 roles
Role name         Version           Duties                            Description
BasicSwitchAdmin  5.2.x and higher  Restricted switch administration  Mostly monitoring with limited switch (local) commands.
User              All               Monitoring only                   Nonadministrative use, such as monitoring system activity.
Role Permissions Table 10 describes the types of permissions that are assigned to roles.
Table 11 RBAC permissions matrix (continued)
Role permission: O = observe, OM = observe and modify, N = no access
Category                            User  Operator  Switch admin  Zone admin  Fabric admin  Basic switchadmin  Admin  Security admin
Fabric Watch                        O     OM        OM            N           OM            O                  OM     N
FICON                               O     OM        OM            N           OM            O                  OM     N
Firmware Management                 O     OM        OM            O           OM            O                  OM     O
FRU Management                      O     OM        OM            N           OM            O                  OM     N
HA (High Availability)              O     O         OM            N           OM            O                  OM     O
iSCSI                               O     O         O             O           OM            O                  OM     N
Switch Management—IP Configuration  O     OM        OM            N           OM            O                  OM     OM
Local User Environment
Table 11 RBAC permissions matrix (continued)
Role permission: O = observe, OM = observe and modify, N = no access
Category                User  Operator  Switch admin  Zone admin  Fabric admin  Basic switchadmin  Admin  Security admin
Switch Port Management  O     OM        OM            O           OM            OM                 OM     O
Topology                O     O         O             N           OM            O                  OM     N
User Management         N     N         N             N           N             N                  OM     OM
WWN Card                O     OM        OM            N           OM            N                  OM     N
Zoning                  O     O         O             OM          OM            O                  OM     O
Set the authentication model on each switch. Refer to “Configuring the authentication model” on page 65 for more information.
Configuring the authentication model This section explains how to configure authentication of the switch management channel connections. Fabric OS 5.3.0 supports use of both the local user database and RADIUS service at the same time. Use the aaaConfig command to set the authentication model for Fabric OS switch management channel connection authentication model as shown in Table 12.
Table 12 Authentication configuration options
aaaConfig Option  Description
--localonly       Default setting.
About the default accounts Fabric OS provides the following predefined accounts in the switch-local user database. Change the password for all defaults during the initial installation and configuration, see Table 13.
Table 13 Default local user accounts
Account Name  Role   Admin domain      Description
user          User   AD0, home: 0      Most commands have observe-only permission.
admin         Admin  AD0-255, home: 0  Most commands have observe-modify permission.
How to create an account 1. Connect to the switch and log in. 2. Enter the following command: userConfig --add -r [-h ] [-a ] [-d ] [-x] username Specifies the account name, which must begin with an alphabetic character. The name can be from 8 to 40 characters long. It is case-sensitive and can contain alphabetic and numeric characters, the dot (.) and the underscore ( _ ).
How to change account parameters When changing account parameters, if you change the ADlist for the user account, all of the currently active sessions for that account will be logged out. 1. Connect to the switch and log in. 2. Enter the following command: userconfig --change username [-r rolename] [-h admindomain_ID] [-a admindomain_ID_list] [-d description] [-e yes | no] -u -x username Changes the account attribute for username. The account must already exist.
removed from the existing list. If the –h argument is not specified, the home Admin Domain will either remain as it was or will be the lowest Admin Domain ID in the remaining list. Recovering accounts The following conditions apply to recovering user accounts: • The attributes in the backup database replace the attributes in the current account database. • An event is stored in the system message log, indicating that accounts have been recovered.
How to change the password for a different account 1. Connect to the switch and log in. 2. Enter the following command: passwd name where name is the name of the account. 3. Enter the requested information at the prompts.
How to accept the user database 1. Connect to the switch. 2. Enter the following command: fddCfg --localaccept PWD where PWD is one of the three supported database policies. Supported policy databases are SCC, DCC, PWD. How to reject distributed user databases 1. Connect to the switch. 2. Enter the following command: fddCfg --localreject PWD Configuring password policies The password policies described in this section apply to the switch-local user database only.
not allowed because it is incompatible with Web Tools. The default value is zero. The maximum value must be less than or equal to the MinLength value. • MinLength Specifies the minimum length of the password. The minimum can be from 8 to 40 characters. New passwords must be between the minimum length specified and 40 characters. The default value is 8.
password history setting to select a recently-used password. The MinPasswordAge policy is not enforced when an administrator changes the password for another user. • MaxPasswordAge Specifies the maximum number of days that can elapse before a password must be changed, and is also known as the password expiration period. MaxPasswordAge values range from 0 to 999. The default value is zero. Setting this parameter to zero disables password expiration.
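The following Python script is an added example (not the guide's own code) that models how the policy parameters described above interact when a password change is requested: the MinLength window of 8 to 40 characters, the password-history check, MinPasswordAge (skipped when an administrator changes another user's password) and MaxPasswordAge with 0 meaning "never expires". The Account record, the history depth default and the PBKDF2 hashing of remembered passwords are this example's assumptions, not a description of how Fabric OS stores them.

```python
"""Check a proposed password against switch-local password policy parameters.

Added example, not the guide's own code. It models MinLength, password history,
MinPasswordAge and MaxPasswordAge as the guide describes them; the Account
record, the history depth default and the PBKDF2 storage of old passwords are
assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib
import os


@dataclass
class PasswordPolicy:
    min_length: int = 8        # MinLength: 8..40 characters, default 8
    history: int = 1           # recent passwords that may not be reused (depth assumed)
    min_password_age: int = 0  # days before a user may change the password again; 0 disables
    max_password_age: int = 0  # days until expiry, 0..999; 0 disables expiration

    def __post_init__(self):
        if not 8 <= self.min_length <= 40:
            raise ValueError("MinLength must be between 8 and 40")
        if not 0 <= self.max_password_age <= 999:
            raise ValueError("MaxPasswordAge must be between 0 and 999")


def _hash(password, salt):
    # Salted PBKDF2 so the history never holds reusable plaintext (example choice).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    name: str
    last_changed: date
    history: list = field(default_factory=list)  # (salt, hash) pairs, newest last

    def remember(self, password, when):
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.last_changed = when

    def used_recently(self, password, depth):
        if depth <= 0:
            return False
        return any(_hash(password, s) == h for s, h in self.history[-depth:])


def check_new_password(policy, account, candidate, today, by_admin=False):
    """Return the list of policy violations for a proposed password (empty means acceptable)."""
    problems = []
    if not policy.min_length <= len(candidate) <= 40:
        problems.append(f"length must be between MinLength {policy.min_length} and 40")
    if account.used_recently(candidate, policy.history):
        problems.append(f"matches one of the last {policy.history} passwords")
    # MinPasswordAge is not enforced when an administrator changes another user's password.
    if not by_admin and policy.min_password_age:
        age = (today - account.last_changed).days
        if age < policy.min_password_age:
            problems.append(f"changed {age} days ago; MinPasswordAge is {policy.min_password_age}")
    return problems


def is_expired(policy, account, today):
    """True once MaxPasswordAge days have elapsed; MaxPasswordAge 0 disables expiration."""
    if policy.max_password_age == 0:
        return False
    return (today - account.last_changed).days >= policy.max_password_age


if __name__ == "__main__":
    # constructed scenario: a policy stricter than the defaults and one account
    policy = PasswordPolicy(min_length=8, history=3, min_password_age=1, max_password_age=90)
    today = date(2007, 6, 1)
    acct = Account("admin", today - timedelta(days=30))
    acct.remember("OldPass-1", today - timedelta(days=30))
    print(check_new_password(policy, acct, "OldPass-1", today))
    print(is_expired(policy, acct, today + timedelta(days=60)))
```

Note that MinPasswordAge is what stops a user from cycling through the history in one sitting to get back to a favourite password; with history enabled but MinPasswordAge left at 0 the history check alone is easy to defeat.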
Managing Fabric OS users on the RADIUS server All existing Fabric OS mechanisms for managing switch-local user accounts and passwords remain functional when the switch is configured to use RADIUS. Changes made to the switch-local database do not propagate to the RADIUS server, nor do the changes affect any account on the RADIUS server. Switch to RADIUS server interaction When configured to use RADIUS, the switch acts as a Network Access Server (NAS) and RADIUS client.
Table 14 Syntax for VSA-based account roles (continued) Item Value Description Vendor length 2 or higher 1 octet, calculated by server, including vendor-type and vendor-length Attribute-specific data ASCII string multiple octet, maximum 253, indicating the name of assigned role and other supported attribute values such as Admin Domain member list.
RADIUS configuration and admin domains When configuring users with Admin Domains, you must also include the Admin Domain member list. This section describes the way that you configure attribute types for this configuration. The values for the new attribute types use the syntax key=val[;key=val], where key is a text description of attributes, value is the attribute value for the given key, = is the separator between key and value, and ; is an optional separator for multiple key-value pairs.
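To show the key=val[;key=val] syntax above being handled on the receiving side, here is an added Python example (not code from the guide): it parses the attribute data into pairs, expands an Admin Domain member list such as 0,2-4 into individual IDs within the AD0-255 range that Table 13 uses, and checks that the home Admin Domain is a member of that list. The key names HomeAD and ADList in the sample value, and the requirement that the home domain appear in the list, are this example's assumptions about the payload rather than something the guide states.

```python
"""Parse the key=val[;key=val] payload of a RADIUS vendor-specific attribute.

Added example, not the guide's own code. The syntax is the one the guide gives;
the key names in SAMPLE_VALUE (HomeAD, ADList) and the 0..255 Admin Domain
range are assumptions made for this example.
"""

SAMPLE_VALUE = "HomeAD=0; ADList=0,2-4"   # constructed attribute value


def parse_avpairs(value):
    """Split 'key=val;key=val' into a dict, rejecting malformed or duplicate keys."""
    pairs = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:            # the ';' separator is optional, so a trailing one is tolerated
            continue
        key, sep, val = item.partition("=")
        key, val = key.strip(), val.strip()
        if not sep or not key:
            raise ValueError(f"malformed pair: {item!r}")
        if key in pairs:
            raise ValueError(f"duplicate key: {key}")
        pairs[key] = val
    return pairs


def expand_ad_list(spec, lowest=0, highest=255):
    """Expand an Admin Domain list such as '0,2-4' into a sorted list of IDs."""
    ids = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            raise ValueError("empty Admin Domain entry")
        lo, sep, hi = part.partition("-")
        lo_id = int(lo)
        hi_id = int(hi) if sep else lo_id
        if not lowest <= lo_id <= hi_id <= highest:
            raise ValueError(f"Admin Domain range out of bounds: {part!r}")
        ids.update(range(lo_id, hi_id + 1))
    return sorted(ids)


def admin_domains_from_vsa(value):
    """Return (home_ad, member_ids); rejects a home AD that is not in the member list."""
    pairs = parse_avpairs(value)
    if "ADList" not in pairs or "HomeAD" not in pairs:
        raise ValueError("both HomeAD and ADList are required")
    members = expand_ad_list(pairs["ADList"])
    home = int(pairs["HomeAD"])
    if home not in members:
        raise ValueError(f"home Admin Domain {home} is not in the member list")
    return home, members


if __name__ == "__main__":
    print(admin_domains_from_vsa(SAMPLE_VALUE))
```

Validating the payload strictly matters because the RADIUS server, not the switch, is the source of the role and Admin Domain list once RADIUS is enabled; a malformed or out-of-range value should be rejected rather than partially honoured.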
servers do not respond (because of power failure or network problems), the switch uses local authentication. Consider the following effects of the use of RADIUS service on other Fabric OS features: • When RADIUS service is enabled, all account passwords must be managed on the RADIUS server. The Fabric OS mechanisms for changing switch passwords remain functional; however, such changes affect only the involved switches locally.
FreeRADIUS installation places the configuration files in $PREFIX/etc/raddb. By default, the PREFIX is /usr/local. Configuring RADIUS service on Linux consists of the following tasks: • Adding the Brocade attribute to the server • Creating the user • Enabling clients How to add the Brocade attribute to the server 1. Create and save the file $PREFIX/etc/raddb/dictionary.brocade with the following information: # # Brocade FabricOS v5.0.
For example, to configure the switch at IP address 10.32.170.59 as a client: client 10.32.170.59 secret = Secret shortname = Testing Switch nastype = other In this example, shortname is an alias used to easily identify the client. Secret is the shared secret between the client and server. Make sure that the shared secret matches that configured on the switch (see ”To add a RADIUS server to the switch configuration” on page 96). 2. Save the file $PREFIX/etc/raddb/client.
6. Repeat this for every user you want to add. When you have completed adding all users, click OK. 7. In the New Group window, verify that the users you added in step 4 appear in the Members field; then click Create to create this group. The new groups are created for each login type (admin, switchAdmin, user). How to configure the RADIUS server 1. From the Windows Start menu, select Programs > Administrative Tools > Internet Authentication Service to open the Internet Authentication Service window. 2.
Vendor-assigned attribute number—Enter the value 1. Attribute format—Enter String. Attribute value—Enter the login role (Root, Admin, Factory, SwitchAdmin, or User) the user group must use to log in to the switch. 17. In the Multivalued Attribute Information window, click OK. 18. In the Edit Dial-in Profile window, remove all additional parameters (except the one you just added, “Vendor-Specific”) and click OK. 19. In the Add Remote Access Policy window, click Finish. 20.
How to add a RADIUS server to the switch configuration 1. Connect to the switch and log in as admin. 2. Enter this command: switch:admin> aaaConfig --add [-a pap | chap] server [-p port] [-s secret] [-t timeout] server Enter either a server name or IP address. Avoid duplicating server listings (that is, listing the same server once by name and again by IP address). Up to five servers can be added to the configuration. -p port Optionally, enter a server port. The default is port 1812.
How to change a RADIUS server configuration
1. Connect to the switch and log in as admin.
2. Enter this command:
switch:admin> aaaConfig --change server [-p port] [-s secret] [-t timeout] [-a pap | chap]
server   Servers are listed by either name or IP address. Enter either the name or IP address of the server to be changed.
-p port   Optionally, enter a server port.
-s secret   Optionally, enter a shared secret.
Setting the boot PROM password The boot PROM password provides an additional layer of security by protecting the boot PROM from unauthorized use. Setting a recovery string for the boot PROM password enables you to recover a lost boot PROM password by contacting your switch service provider. Without the recovery string, a lost boot PROM password cannot be recovered. You should set the boot PROM password and the recovery string on all switches, as described next.
6. Enter the boot PROM password; then reenter it when prompted. The password must be eight alphanumeric characters (any additional characters are not recorded). Record this password for future use. The new password is automatically saved.
7. Reboot the switch.

SAN Director 2/128 and 4/256 SAN Director
The boot PROM and recovery passwords must be set for each CP blade on SAN Director 2/128 and 4/256 SAN Directors:

How to set the boot PROM password for a Director with a recovery string
1.
9. Connect the serial cable to the serial port on the new standby CP blade (previously the active CP blade).
10. Repeat step 2 through step 7 for the new standby CP blade (each CP blade has a separate boot PROM password).
11. Connect to the active CP blade by serial or telnet and enter the haEnable command to restore high availability.
1. Determine the active CP blade by opening a telnet session to either CP blade, connecting as admin, and entering the haShow command.
2. Connect to the active CP blade by serial or telnet and enter the haDisable command to prevent failover during the remaining steps.
3. Create a serial connection to the standby CP blade as described in "How to connect via the serial port" on page 26.
4.
To recover a lost root or boot PROM password, contact HP. You must have previously set a recovery string to recover the boot PROM password.
4 Configuring standard security features
This chapter provides information and procedures for configuring standard Fabric OS security features such as account and password management. Additional security features are available when secure mode is enabled. For information about licensed security features available in Secure Fabric OS, refer to the Secure Fabric OS administrator’s guide.

Secure protocols
Fabric OS supports the secure protocols shown in Table 16.
The security protocols are designed with the four main usage cases described in Table 18.

Table 18 Main security scenarios
Fabric      Management interfaces   Comments
Nonsecure   Nonsecure               No special setup is needed to use telnet or HTTP. An HP switch certificate must be installed if sectelnet is used.
Nonsecure   Secure                  Secure protocols may be used. An SSL switch certificate must be installed if SSH/HTTPS is used.
Secure      Secure                  Secure protocols are supported on Fabric OS 4.4.0 (and later) switches.
Fabric OS 4.1.0 and later supports SSH protocol v2.0 (ssh2). For more information on SSH, refer to the SSH IETF web site: http://www.ietf.org/ids.by.wg/secsh.html Refer to SSH, The Secure Shell: The Definitive Guide by Daniel J. Barrett, Richard Silverman. Fabric OS 4.4.0 and later comes with the SSH server preinstalled; however, you must select and install the SSH client. For information on installing and configuring the F-Secure SSH client, refer to the web site: http://www.f-secure.
Blocking listeners HP StorageWorks switches block Linux subsystem listener applications that are not used to implement supported features and capabilities. Table 19 lists the listener applications that switches either block or do not start.
Accessing switches and fabrics
If you are using the FC-FC Routing Service, be aware that you cannot execute the secModeEnable command on backbone fabrics (you cannot run this command in secure mode when a backbone fabric is connected to edge fabrics). Refer to "Using the FC-FC routing service" on page 227 for details about the FC-FC Routing Service and its relationship with Secure Fabric OS. Table 20 lists the defaults for accessing hosts, devices, switches, and zones.
Table 21 Port information
Port   Type   Common use   Comment
512    TCP    exec
513    TCP    login
514    TCP    shell
897    TCP                 This port is used by the Platform API. Disable this port using the configure command.

Configuring for the SSL protocol
Fabric OS v4.4.0 and later supports Secure Sockets Layer (SSL) protocol, which provides secure access to a fabric through Web-based management tools like Web Tools.
3. Obtain the certificates from the CA. You can request a certificate from a CA through a Web browser. After you request a certificate, the CA either sends certificate files by email (public) or gives access to them on a remote host (private). Typically, the CA provides the certificate files listed in Table 22.

Table 22 SSL Certificate Files
Certificate File   Description
name.crt           The switch certificate.
nameRoot.crt       The root certificate.
Generating and storing a CSR
After generating a public/private key (see "Generating a public/private key" on page 95), perform this procedure on each switch:
1. Connect to the switch and log in as admin.
2. Enter this command:
switch:admin> seccertutil gencsr
3.
It might take several days to receive the certificates. If the certificates arrive by email, save them to an FTP server. If the CA provides access to the certificates on an FTP server, make note of the path name and make sure you have a login name and password on the server.

Installing a switch certificate
Perform this procedure on each switch:
1. Connect to the switch and log in as admin.
2. Enter this command:
switch:admin> seccertutil import
3.
Configuring the browser
The root certificate might already be installed on your browser, but if not, you must install it. To see whether it is already installed, check the certificate store on your browser. The next procedures are guides for installing root certificates to Internet Explorer and Mozilla browsers. For more detailed instructions, refer to the documentation that came with the certificate.

To check and install root certificates on Internet Explorer
1.
Displaying and deleting certificates Table 23 summarizes the commands for displaying and deleting certificates. For details on the commands, refer to the Fabric OS Command reference manual.
Configuring SNMP
You can configure for the automatic transmission of Simple Network Management Protocol (SNMP) information to management stations. SNMPv3 and SNMPv1 are supported. The configuration process involves configuring the SNMP agent and configuring SNMP traps. The following commands are used in the process:
• Use the configure command to set the security level. You can specify no security, authentication only, or authentication and privacy.
Setting the security level
Use the configure command to set the security level (called "SNMP attributes"). You can specify no security, authentication only, or authentication and privacy. For example, to configure for authentication and privacy:
switch:admin> configure
Not all options will be available on an enabled switch.
To disable the switch, use the “switchDisable” command.
Configure...
Sample SNMPv3 configuration
switch:admin> snmpconfig --set snmpv3
SNMPv3 user configuration:
User (rw): [snmpadmin1] adminuser
Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]:
New Auth Passwd:
Verify Auth Passwd:
Priv Protocol [DES(1)/noPriv[2]): (1..2)
New Priv Passwd:
Verify Priv Passwd:
User (rw): [snmpadmin2] shauser
Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]:
New Auth Passwd:
Verify Auth Passwd:
Priv Protocol [DES(1)/noPriv[2]): (1..
Sample accessControl configuration
switch:admin> snmpconfig --set accessControl
SNMP access list configuration:
Access host subnet area in dot notation: [0.0.0.0] 192.168.0.0
Read/Write? (true, t, false, f): [true]
Access host subnet area in dot notation: [0.0.0.0] 10.32.148.0
Read/Write? (true, t, false, f): [true] f
Access host subnet area in dot notation: [0.0.0.0]
Read/Write? (true, t, false, f): [true]
Access host subnet area in dot notation: [0.0.0.0] 10.33.0.
Using legacy commands for SNMPv1
You should use the snmpConfig command to configure the SNMPv1 agent and traps (refer to "Using the snmpConfig command" on page 101). However, if necessary for backward compatibility, you can choose to use legacy commands.

Sample SNMP agent configuration information
switch:admin> agtcfgshow
Current SNMP Agent Configuration
Customizable MIB-II system variables:
sysDescr = FC Switch
sysLocation = End User Premise
sysContact = Field Support.
Sample modification of the SNMP configuration values
switch:admin> agtcfgset
Customizing MIB-II system variables ...
At each prompt, do one of the followings:
o to accept current value,
o enter the appropriate new value,
o to skip the rest of configuration, or
o to cancel any change.
To correct any input mistake:
erases the previous character,
erases the whole line,
sysDescr: [FC Switch]
sysLocation: [End User Premise]
sysContact: [Field Support.
Sample reset of the SNMP agent configuration to default values
switch:admin> agtcfgdefault
***** This command will reset the agent's configuration back to factory default *****
Current SNMP Agent Configuration
Customizable MIB-II system variables:
sysDescr = Fibre Channel Switch.
sysLocation = End User Premise
sysContact = sweng
authTraps = 0 (OFF)
SNMPv1 community and trap recipient configuration:
Community 1: Secret C0de (rw)
Trap recipient: 192.168.15.
Sample modification of the options for configuring SNMP MIB traps
switch:admin> snmpmibcapset
The SNMP Mib/Trap Capability has been set to support
FE-MIB SW-MIB FA-MIB FA-TRAP
FA-MIB (yes, y, no, n): [yes]
FICON-MIB (yes, y, no, n): [no] y
HA-MIB (yes, y, no, n): [no] y
SW-TRAP (yes, y, no, n): [no] y
swFCPortScn (yes, y, no, n): [no]
swEventTrap (yes, y, no, n): [no]
swFabricWatchTrap (yes, y, no, n): [no]
swTrackChangesTrap (yes, y, no, n): [no]
FA-TRAP (yes, y, no, n): [yes]
connUnitStatusChange (yes, y
Sample view of the SNMP MIB trap setup
switch:admin> snmpmibcapshow
FA-MIB: YES
FICON-MIB: YES
HA-MIB: YES
SW-TRAP: YES
swFCPortScn: YES
swEventTrap: YES
swFabricWatchTrap: YES
swTrackChangesTrap: YES
FA-TRAP: YES
SW-EXTTRAP: YES
HA-TRAP: YES
fruStatusChanged: YES
cpStatusChanged: YES
fruHistoryTrap: YES

Configuring secure file copy
You can use the configure command to specify that secure file copy (scp) be used for configuration uploads and downloads.
5 Maintaining configurations
It is important to maintain consistent configuration settings on all switches in the same fabric, because inconsistent parameters (such as inconsistent PID formats) can cause fabric segmentation. As part of standard configuration maintenance procedures, it is recommended that you back up all important configuration data for every switch on a host computer server for emergency reference.
NOTE: For information about AD-enabled switches using Fabric OS 5.2.
Before beginning, verify that you can reach the FTP server from the switch. Using a telnet connection, save a backup copy of the configuration file from a logical switch to a host computer as follows:

To upload a configuration file
1. Verify that the FTP service is running on the host computer.
2. Connect to the switch and log in as admin.
3. Enter the configUpload command. The command becomes interactive and you are prompted for the required information.
4.
NOTE: The configuration file is printable, but you might want to see how many pages will be printed before you send it to the printer; you might not want to print a lot of pages if it is too long.

Troubleshooting configuration upload
If the configuration upload fails, it may be because:
• The host name is not known to the switch.
• The host IP address cannot be contacted.
• You do not have configuration upload permission on the switch.
Configuration download without disabling a switch Starting in Fabric OS 5.2.x, you can download configuration files to a switch while the switch is enabled, that is, you do not need to disable the switch for changes in SNMP, Fabric Watch, and ACL parameters. When you use the configDownload command, you will be prompted to disable the switch only when necessary. However, if there is any changed parameter that does not belong to SNMP, Fabric Watch, or ACL, then you must disable the switch.
NOTE: Because some configuration parameters require a reboot to take effect, after you download a configuration file you must reboot to be sure that the parameters are enabled. Before the reboot, this type of parameter is listed in the configuration file, but it is not effective until after the reboot. Security considerations Security parameters and the switch's identity cannot be changed by configDownload.
Restoring configurations in a FICON environment
If the switch is operating in a FICON CUP environment, and the ASM (active=saved) bit is set on, then the switch ignores the IPL file downloaded when you restore a configuration. Table 26 describes this behavior in more detail.

Table 26 Backup and restore in a FICON CUP environment
ASM bit     Command        Description
on or off   configupload   All the files saved in file access facility are uploaded to the management workstation.
4/256 SAN Director configuration form Table 27 provides a form to use as a hardcopy reference for your configuration information.
Table 28 FC port configuration setting
FC port configuration (port numbers 0 through 15)
Speed
Trunk Port
Long Distance
VC Link Init
Locked L_Port
Locked G_Port
Disable E_Port
ISL R_RDY Mode
RSCN Suppressed
Persistent disable
NPIV capability
EX Port
Table 29 FC port configuration setting
FC Port Configuration (port numbers 16 through 31)
Speed
Trunk port
Long distance
VC link Init
Locked L_Port
Locked G_Port
Disable E_Port
ISL R_RDY mode
RSCN suppressed
Persistent disable
NPIV capability
EX port
6 Configuring advanced security
This chapter provides information and procedures for configuring the advanced Fabric OS 5.2.x security feature, Access Control List (ACL) policies for FC port and switch binding.
NOTE: Run all commands in this chapter by logging in to Administrative Domain (AD) 255 or, if Administrative Domains have not been implemented, by logging in to AD 0. For information about licensed security features available in Secure Fabric OS, see the Secure Fabric OS Administrator’s Guide.
Identifying policy members Specify the FCS, DCC and SCC policy members by device port WWN, switch WWN, domain IDs, or switch names, depending on the policy. The valid methods for specifying policy members are listed in Table 30.
Displaying ACL policies
Use the secPolicyShow command to display the active and defined policy sets. Additionally, in a defined policy set, policies created in the same login session also appear but these policies are automatically deleted if the user logs out without saving. The following example shows a switch that has no SCC, DCC, and FCS policies.

To display the ACL policies
1. Connect to the switch and log in.
2.
• Distribution to pre-5.3.0 switches using the wild (*) character
When the wild card character is specified, distribution succeeds even if the fabric contains pre-5.3.0 switches. However, the FCS database will be sent only to switches with a Fabric OS of 5.2.0 or later in the fabric and not to pre-5.2.0 switches. Fabric OS 5.2.0 switches receive the distribution and will ignore the FCS database.

FCS policy restrictions
Back-up FCS switches normally cannot modify the policy.
Overview of steps to create and manage the FCS policies
Whether you intend to create new FCS policies or manage your current FCS policies, you must follow certain steps to ensure that the domains throughout your fabric have the same policy.
1. Create the FCS policy using the secPolicyCreate command.
2. Activate the policy using the secPolicyActivate command.
3. Distribute the policies to the intended domains using the distribute command.

To create an FCS policy:
1. Connect to the switch and log in as admin.
Distributing an FCS policy The FCS policy has to be manually distributed to the switches. Each switch that receives the FCS policy must be configured to receive the policy. To configure the switch to accept distribution of the FCS policy, refer to “Configuring the database distribution settings” on page 123. Switches in the fabric are designated as Primary FCS, backup FCS or non-FCS switch. Database distributions may be initiated from only the Primary FCS switch.
Configuring a DCC policy Multiple DCC policies can be used to restrict which device ports can connect to which switch ports. The devices can be initiators, targets, or intermediate devices such as SCSI routers and loop hubs. By default, all device ports are allowed to connect to all switch ports; no DCC policies exist until they are created. Each device port can be bound to one or more switch ports; the same device ports and switch ports may be listed in multiple DCC policies.
Creating a DCC policy DCC policies must follow the naming convention “DCC_POLICY_nnn,” where nnn represents a unique string. To save memory and improve performance, one DCC policy per switch or group of switches is recommended. Device ports must be specified by port WWN. Switch ports can be identified by the switch WWN, domain ID, or switch name followed by the port or area number. To specify an allowed connection, enter the device port WWN, a semicolon, and the switch port identification.
To create the DCC policy "DCC_POLICY_abc" that includes device 33:44:55:66:77:11:22:cc and ports 1 through 6 and port 9 of switch domain 3:
switch:admin> secpolicycreate "DCC_POLICY_abc", "33:44:55:66:77:11:22:cc;3(1-6,9)"
DCC_POLICY_xxx has been created
To create the DCC policy "DCC_POLICY_example" that includes devices 44:55:66:77:22:33:44:dd and 33:44:55:66:77:11:22:cc, ports 1 through 4 of switch domain 4, and all devices currently connected to ports 1 through 4 of switch domain 4:
switch:admin> secpol
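The member syntax used above (device port WWN, semicolon, switch port identification in the form domain(port list)) can be parsed and checked offline before a policy is activated on the fabric. The following Python script is an added example, not Fabric OS code: it parses a DCC policy string with WWN members and domain(ports) members that include ranges, then evaluates whether a given device at a given switch port would be allowed. The enforcement rule it applies (a device or switch port that appears in no DCC policy is unrestricted, the default described above; once either is named in a policy, the connection is allowed only where some policy lists both) and the policy name check are assumptions that model the text; the "*" member, which the switch expands from live fabric state, is deliberately not handled.

```python
"""Parse DCC policy member strings and evaluate device-to-port binding
(added example; not Fabric OS code)."""
import re
from typing import Iterable, Set, Tuple

WWN_RE = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){7}$")
PORTSPEC_RE = re.compile(r"^(\d+)\((.*)\)$")    # domain(ports), e.g. 3(1-6,9)
NAME_RE = re.compile(r"^DCC_POLICY_.+$")       # naming convention from the text

SwitchPort = Tuple[int, int]   # (domain ID, port number)


def expand_ports(domain: int, spec: str) -> Set[SwitchPort]:
    """Expand a port list such as '1-6,9' for one domain into (domain, port) tuples."""
    ports: Set[SwitchPort] = set()
    for part in spec.split(","):
        low, sep, high = part.strip().partition("-")
        first = int(low)
        last = int(high) if sep else first
        if last < first:
            raise ValueError(f"descending port range {part!r}")
        ports.update((domain, p) for p in range(first, last + 1))
    return ports


class DccPolicy:
    """One DCC policy: the device WWNs and switch ports it binds together."""

    def __init__(self, name: str, members: str) -> None:
        if not NAME_RE.match(name):
            raise ValueError(f"policy name must follow DCC_POLICY_nnn, got {name!r}")
        self.name = name
        self.devices: Set[str] = set()
        self.ports: Set[SwitchPort] = set()
        for token in members.split(";"):
            token = token.strip()
            if WWN_RE.match(token):
                self.devices.add(token.lower())
                continue
            match = PORTSPEC_RE.match(token)
            if not match:
                # '*' (all currently connected devices) needs live fabric state
                # and is not handled in this offline example.
                raise ValueError(f"unsupported member {token!r}")
            self.ports |= expand_ports(int(match.group(1)), match.group(2))


def connection_allowed(policies: Iterable[DccPolicy], device_wwn: str,
                       domain: int, port: int) -> bool:
    """ASSUMED enforcement model: a device or switch port named in no DCC policy
    is unrestricted; once either is named in a policy, the connection is allowed
    only if some policy lists both the device and the switch port."""
    policies = list(policies)
    device_wwn = device_wwn.lower()
    switch_port = (domain, port)
    device_bound = any(device_wwn in p.devices for p in policies)
    port_bound = any(switch_port in p.ports for p in policies)
    if not device_bound and not port_bound:
        return True
    return any(device_wwn in p.devices and switch_port in p.ports for p in policies)


# The policy from the first secpolicycreate example above.
POLICY_ABC = DccPolicy("DCC_POLICY_abc", "33:44:55:66:77:11:22:cc;3(1-6,9)")

if __name__ == "__main__":
    print(sorted(POLICY_ABC.ports))
    print(connection_allowed([POLICY_ABC], "33:44:55:66:77:11:22:cc", 3, 7))
```

Running the check for the bound device against port 7 of domain 3 returns False under this model, which is the point of the policy: the device may log in only on the seven ports listed, and those ports accept only devices bound to them.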
Saving changes to ACL policies
You can save changes to ACL policies without activating them by entering the secPolicySave command. This saves the changes to the defined policy set. Until the secPolicySave or secPolicyActivate command is issued, all policy changes are in volatile memory only and are lost if the switch reboots or the current session is logged out.

To save changes without activating the policies
1. Connect to the switch and log in.
2. Type the secPolicySave command.
Removing a member from an ACL policy
To remove a member from an ACL policy
1. Connect to the switch and log in.
2. Type secPolicyRemove "policy_name", "member;...;member".
where policy_name is the name of the ACL policy, and member is the device or switch to be removed from the policy, identified by IP address, switch domain ID, device or switch WWN, or switch name.
3. To implement the change immediately, enter the secPolicyActivate command.
Fabric OS 5.3.0 switch-to-switch authentication implementation is fully backward compatible with v3.2, v4.2, v4.4, v5.0, v5.1, and v5.2. Use secAuthSecret to set a shared secret on the switch. When configured, the secret key pair is used for authentication. Authentication occurs whenever there is a state change for the switch or port. The state change can be due to a switch reboot, a switch or port disable and enable, or the activation of a policy.
E_Port authentication
The authentication (AUTH) policy allows you to configure DH-CHAP authentication on the switch. By default the policy is set to PASSIVE, and you can change the policy using the authutil command. All changes to the AUTH policy take effect immediately. This includes starting authentication on all E_Ports on the local switch if the policy is changed to ON or ACTIVE, and clearing the authentication if the policy is changed to OFF.
Device authentication policy Device authentication policy can also be categorized as an HBA authentication policy. Fabric wide distribution of the device authentication policy is not supported since the device authentication requires manual interaction in setting the HBA shared secrets and switch shared secrets, and most of the HBAs do not support the defined DH groups for use in the DH-CHAP protocol.
Selecting authentication protocols
Use the authUtil command to perform the following tasks:
• Display the current authentication parameters
• Select the authentication protocol used between switches
• Select the Diffie-Hellman (DH) group for a switch
Run the authUtil command on the switch you want to view or change. Below are the different options to specify which DH group you want to use.
To re-authenticate E_Ports:
1. Log in to the switch as admin.
2. On a switch running Fabric OS 5.3.0, type the following command:
$authutil --authinit
$authutil --authinit 2,3,4
$authutil --authinit allE (all E_ports in the switch)
For directors, use the slot/port format for specifying the port number.
To set a secret key pair:
1. Log in to the switch as admin.
2. On a switch running Fabric OS 4.x or 5.x, type secAuthSecret --set; on a switch running Fabric OS v3.x, type secAuthSecret "--set". The command enters interactive mode. The command returns a description of itself and needed input; then it loops through a sequence of switch specification, peer secret entry, and local secret entry. To exit the loop, press Enter for the switch name; then type y.
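The "secret key pair" entered in the loop above is easy to misconfigure, because each switch stores, per peer, a peer secret and a local secret, and the two switches must enter the same two values in opposite roles. The following Python script is an added example, not Fabric OS code and not the FC-SP DH-CHAP wire protocol: it models two switches with secAuthSecret-style tables and a simplified mutual challenge-response (HMAC-SHA256 in place of the DH-CHAP hash and Diffie-Hellman exchange) to show that authentication succeeds only when switch A's local secret equals switch B's peer secret for A, and vice versa. The Switch class, the WWNs and the secrets are constructed for the example.

```python
"""Model of the secAuthSecret secret pair with a simplified mutual
challenge-response (added example; not Fabric OS code and not the FC-SP
DH-CHAP wire protocol)."""
import hashlib
import hmac
import os
from typing import Callable, Dict, Tuple


class Switch:
    """A switch with a secAuthSecret-style table: peer WWN -> (peer secret, local secret).
    The peer secret is what the peer must prove knowledge of to us; the local
    secret is what we prove knowledge of to the peer."""

    def __init__(self, wwn: str) -> None:
        self.wwn = wwn
        self.secrets: Dict[str, Tuple[str, str]] = {}

    def set_secret(self, peer_wwn: str, peer_secret: str, local_secret: str) -> None:
        """Equivalent of one iteration of the secAuthSecret --set loop."""
        self.secrets[peer_wwn] = (peer_secret, local_secret)

    def respond(self, challenger_wwn: str, challenge: bytes) -> bytes:
        """Answer a peer's challenge with OUR local secret for that peer."""
        _, local_secret = self.secrets[challenger_wwn]
        return hmac.new(local_secret.encode(), challenge, hashlib.sha256).digest()

    def verify(self, responder_wwn: str, challenge: bytes, response: bytes) -> bool:
        """Check a peer's response against the PEER secret stored for it."""
        peer_secret, _ = self.secrets[responder_wwn]
        expected = hmac.new(peer_secret.encode(), challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def mutual_authenticate(a: Switch, b: Switch,
                        rng: Callable[[int], bytes] = os.urandom) -> bool:
    """Both directions must succeed, as on an E_Port whose AUTH policy is ON."""
    if b.wwn not in a.secrets or a.wwn not in b.secrets:
        return False               # no secret pair configured for this peer
    challenge_a = rng(16)
    a_accepts_b = a.verify(b.wwn, challenge_a, b.respond(a.wwn, challenge_a))
    challenge_b = rng(16)
    b_accepts_a = b.verify(a.wwn, challenge_b, a.respond(b.wwn, challenge_b))
    return a_accepts_b and b_accepts_a


def build_pair(swap_on_b: bool = False) -> Tuple[Switch, Switch]:
    """Two constructed switches. With swap_on_b=True, switch B enters the pair
    the wrong way round, the classic secAuthSecret mistake."""
    sw_a = Switch("10:00:00:05:1e:00:00:0a")     # constructed WWN
    sw_b = Switch("10:00:00:05:1e:00:00:0b")     # constructed WWN
    secret_a, secret_b = "secret-of-A", "secret-of-B"   # constructed secrets
    sw_a.set_secret(sw_b.wwn, peer_secret=secret_b, local_secret=secret_a)
    if swap_on_b:
        sw_b.set_secret(sw_a.wwn, peer_secret=secret_b, local_secret=secret_a)
    else:
        sw_b.set_secret(sw_a.wwn, peer_secret=secret_a, local_secret=secret_b)
    return sw_a, sw_b


if __name__ == "__main__":
    print("correct pair:", mutual_authenticate(*build_pair()))
    print("swapped on B:", mutual_authenticate(*build_pair(swap_on_b=True)))
```

When a link fails to authenticate after a secAuthSecret change, the swapped case above is the first thing to check: both switches report a mismatch even though each one, viewed alone, holds both secrets.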
IP filter policy The IP Filter policy is a set of rules applied to the IP management interfaces as a packet filtering firewall. The firewall permits or denies the traffic to go through the IP management interfaces according to the policy rules. Fabric OS supports multiple IP Filter policies to be defined at the same time. Each IP Filter policy is identified by a name and has an associated type. Two IP Filter policy types, IPv4 and IPv6, exist to provide separate packet filtering for IPv4 and IPv6.
Displaying an IP Filter policy Displays the IP Filter policy content for the specified policy name, or all IP Filter policies if policy name is not specified. For each IP Filter policy, the policy name, type, persistent state and policy rules are displayed. The policy rules are listed by the rule number in ascending order. There is no pagination stop for multiple screens of information. Pipe the output to the more command to achieve this.
Deleting an IP Filter policy
You can delete a specified IP Filter policy. Deleting an IP Filter policy removes it from the temporary buffer. To permanently delete the policy from the persistent database, run ipfilter --save. An active IP Filter policy cannot be deleted.

To delete an IP Filter policy:
1. Log in to the switch as admin.
2. Type the following command:
ipfilter --delete
where is the name of the policy.
3.
For an IP Filter policy rule, users can only select port numbers in either the well known or the registered port number range, between 0 and 49151, inclusive. This means that customers have the ability to control how to expose the management services hosted on a switch, but not the ability to affect the management traffic that is initiated from a switch. A valid port number range is represented by a dash, for example 7-30. Alternatively, service names can also be used instead of port number.
Table 38 Default IP policy rules (continued)
Rule number   Source address   Destination port   Protocol   Action
11            Any              123                UDP        Permit
12            Any              600-1023           UDP        Permit

IP Filter policy enforcement
An active IP Filter policy is a filter applied to the IP packets through the management interface. IPv4 management traffic will pass through the active IPv4 filter policy, and IPv6 management traffic will pass through the active IPv6 filter policy.
Deleting IP Filter policy rules
Deleting a rule in the specified IP Filter policy causes the rules following the deleted rule to shift up in rule order. The change to the specified IP Filter policy is not saved to persistent configuration until a save or activate sub-command is run.

To delete a rule from an IP Filter policy:
1. Log in to the switch as admin.
2.
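The rule table and the port restrictions described above can be modelled directly, which is useful for reviewing a policy before it is activated on the management interface. The following Python script is an added example, not Fabric OS code: it validates rules against the 0-49151 port limit and the dash range form (for example 7-30), accepts a few service names in place of port numbers, and evaluates a packet against an ordered policy. The constructed sample policy contains the two default rules shown in Table 38 (rules 11 and 12) plus constructed rules that restrict SSH to a management subnet. The service-name table, first-match evaluation in ascending rule number, and denial when no rule matches are assumptions of this example, not statements from the page.

```python
"""Validate and evaluate IP Filter policy rules (added example; not Fabric OS code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_SELECTABLE_PORT = 49151   # well-known plus registered range, inclusive (from the text)
# ASSUMED service-name table for this example; the text says names may replace numbers.
SERVICE_PORTS = {"ssh": 22, "telnet": 23, "http": 80, "https": 443, "ntp": 123, "snmp": 161}


def parse_port_spec(spec: str) -> Tuple[int, int]:
    """Accept a port, a dash range such as 7-30, or a service name; enforce 0-49151."""
    spec = spec.strip().lower()
    if spec in SERVICE_PORTS:
        return SERVICE_PORTS[spec], SERVICE_PORTS[spec]
    low, sep, high = spec.partition("-")
    first = int(low)
    last = int(high) if sep else first
    if not 0 <= first <= last <= MAX_SELECTABLE_PORT:
        raise ValueError(f"port spec {spec!r} is outside 0-{MAX_SELECTABLE_PORT}")
    return first, last


@dataclass(frozen=True)
class Rule:
    number: int
    source: str                   # "any" or an address/prefix
    dst_ports: Tuple[int, int]    # inclusive range
    protocol: str                 # "tcp" or "udp"
    action: str                   # "permit" or "deny"


def make_rule(number: int, source: str, port_spec: str, protocol: str, action: str) -> Rule:
    """Build a rule, rejecting malformed addresses, protocols, actions and ports."""
    src = source.strip().lower()
    if src != "any":
        ipaddress.ip_network(src, strict=False)      # raises ValueError if malformed
    proto, act = protocol.lower(), action.lower()
    if proto not in ("tcp", "udp") or act not in ("permit", "deny"):
        raise ValueError(f"bad protocol or action in rule {number}")
    return Rule(number, src, parse_port_spec(port_spec), proto, act)


def source_matches(rule: Rule, src_addr: str) -> bool:
    """Address match; an IPv6 source never matches an IPv4 prefix and vice versa."""
    if rule.source == "any":
        return True
    return ipaddress.ip_address(src_addr) in ipaddress.ip_network(rule.source, strict=False)


def evaluate(policy: List[Rule], src_addr: str, dst_port: int,
             protocol: str) -> Tuple[str, Optional[int]]:
    """ASSUMED semantics: rules are tried in ascending rule number, the first match
    decides, and a packet matching no rule is denied. Returns (action, rule number)."""
    for rule in sorted(policy, key=lambda r: r.number):
        first, last = rule.dst_ports
        if (rule.protocol == protocol.lower() and first <= dst_port <= last
                and source_matches(rule, src_addr)):
            return rule.action, rule.number
    return "deny", None


# Constructed sample policy: rules 1-3 are made up for this example; rules 11 and 12
# reproduce the two default rules shown in Table 38.
SAMPLE_POLICY = [
    make_rule(1, "10.32.170.0/24", "ssh", "tcp", "permit"),   # SSH only from the management subnet
    make_rule(2, "any", "ssh", "tcp", "deny"),
    make_rule(3, "any", "https", "tcp", "permit"),
    make_rule(11, "any", "123", "udp", "permit"),
    make_rule(12, "any", "600-1023", "udp", "permit"),
]

if __name__ == "__main__":
    for addr, port, proto in [("10.32.170.59", 22, "tcp"), ("192.0.2.7", 22, "tcp")]:
        print(addr, port, proto, "->", evaluate(SAMPLE_POLICY, addr, port, proto))
```

Because deleting a rule shifts the later rules up, a review script like this should be re-run against the renumbered table after every delete, not only after the initial create.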
Distributing the policy database
Fabric OS lets you manage and enforce the ACL policy database on either a per-switch or fabric-wide basis. The local switch distribution setting and the fabric-wide consistency policy affect the switch ACL policy database and related distribution behavior. The ACL policy database is managed as follows:
• Switch database distribution setting—Controls whether or not the switch accepts or rejects databases distributed from other switches in the fabric.
Configuring the database distribution settings The distribution settings control whether a switch accepts or rejects distributions of databases from other switches and whether or not the switch may initiate a distribution. Configure the distribution setting to reject when maintaining the database on a per-switch basis. Table 40 lists the databases supported starting in Fabric OS 5.3.0.
Distributing ACL policies to other switches
This section explains how to manually distribute local ACL policy databases to other Fabric 5.2.0 and later switches. The distribute command has the following dependencies:
• All target switches must be running Fabric OS 5.2.0 or later.
• All target switches must accept the database distribution (see "Configuring the database distribution settings" on page 140).
FC routers cannot join a fabric with a strict fabric-wide consistency policy. FC routers do not support the fabric-wide consistency policies. Table 42 describes the fabric-wide consistency settings.

Table 42 Fabric-wide consistency policy settings
Setting    Value         When a policy is activated
Absent     null          Database is not automatically distributed to other switches in the fabric.
Tolerant   database_id   All updated and new policies of the type specified (SCC, DCC, or both) are distributed to all Fabric 5.2.
Notes on joining a switch to the fabric When a switch is joined to a fabric with a tolerant SCC or DCC fabric-wide consistency policy, the joining switch must have a matching tolerant SCC or DCC fabric-wide consistency policy. If the tolerant SCC or DCC fabric-wide consistency policies do not match, the switch can join the fabric, but an error message flags the mismatch. If the tolerant SCC and DCC fabric-wide consistency policies match, the corresponding SCC and DCC ACL policies are compared.
Table 43 describes the impact of merging fabrics with the same fabric-wide consistency policy that have SCC, DCC, or both policies. Table 43 Merging fabrics with matching fabric-wide consistency policies Fabric-wide consistency policy Fabric A ACL policies Fabric B ACL policies Merge results Database copied None None None Succeeds No ACL policies copied. None SCC/DCC Succeeds No ACL policies copied. None None Succeeds No ACL policies copied.
Table 45 has a matrix of merging fabrics with tolerant and absent policies.

Table 45 Fabric merges with tolerant/absent combinations
Fabric-wide consistency policy setting: Fabric A Tolerant/Absent; Fabric B SCC;DCC, DCC, SCC;DCC, SCC, DCC, SCC
Expected behavior: Error message logged. Run fddCfg --fabwideset "" from any switch with the desired configuration to fix the conflict. The secPolicyActivate command is blocked until conflict is resolved.
7 Managing administrative domains
This chapter describes the concepts and procedures for using the administrative domain feature introduced in Fabric OS 5.2.x.

About administrative domains
An Administrative Domain (Admin Domain or AD) is a logical grouping of fabric elements that defines what switches, ports, and devices you can view and modify. An Admin Domain is a filtered administrative view of the fabric.
Figure 3 Fabric with two admin domains (AD1, AD2)
Figure 4 shows how users get a filtered view of this fabric, depending on which Admin Domain they are in. Users can see all switches and E_Ports in the fabric, regardless of their Admin Domain; however, the switch ports and end devices are filtered based on Admin Domain membership.
• Move devices from one Admin Domain to another without traffic disruption, cable reconnects, or discontinuity in zone enforcement.
• Provide strong fault and event isolation between Admin Domains.
• Have visibility of all physical fabric resources. All switches, E_Ports, and FRUs (including blade information) are visible.
• Implement Admin Domains in a fabric with some switches running AD-unaware firmware versions (that is, firmware versions lower than Fabric OS 5.2.x).
always exist and cannot be deleted or renamed. They are reserved for use in creation and management of Admin Domains.

AD0
AD0 is a system-defined Admin Domain that, in addition to containing members you explicitly added (similar to user-defined Admin Domains), contains all online devices, switch ports, and switches that have not been assigned to any user-defined Admin Domain. Unlike user-defined Admin Domains, AD0 has an implicit and an explicit membership list.
Figure 5 Fabric with AD0 and AD255 (AD0, AD1, AD2, AD255)

Admin domain access levels
Admin Domains offer a hierarchy of administrative access. To manage Admin Domains, you must be a physical fabric administrator. A "physical fabric administrator" is a user with the Admin role and access to all Admin Domains (AD0 through AD255). Other administrative access is determined by your defined RBAC role and AD membership. Your role determines your access level and permission to perform an operation.
Admin domains and login You are always logged in to an Admin Domain, and you can view and modify only the devices in that Admin Domain. If you have access to more than one Admin Domain, one of them will have been specified as your “home Admin Domain,” the one you are automatically logged in to. If your home Admin Domain is deleted or deactivated, then by default you are logged in to the lowest numbered active Admin Domain in your Admin Domain List.
Switch port members
Switch port members are defined by switch (domain, port). A switch port member:
• Grants port control rights and zoning rights for that switch port.
• Grants view access and zoning rights to the device connected to that switch port.
• Allows you to share (domain, port) members across multiple Admin Domains. In each Admin Domain, you can also zone shared devices differently.
• Implicitly includes all devices connected to the specified (domain, port) members in the Admin Domain membership.
Admin Domains and switch WWN Admin Domains are treated as fabrics. Because switches cannot belong to more than one fabric, switch WWNs are converted so that they appear as unique entities in different Admin Domains (fabrics). This WWN conversion is done only in the AD1 through AD254 context. AD0 and AD255 use unconverted switch WWNs.
Figure 7 Filtered fabric views showing converted switch WWNs (fabric visible to AD3 user; fabric visible to AD4 user)

Admin domain compatibility and availability
Admin Domains maintain continuity of service fo
Figure 8 Isolated subfabrics (AD-aware fabric, AD-unaware fabric, AD-aware fabric; these two subfabrics have different AD databases but the same root zone database)

Firmware upgrade and downgrade scenarios
You cannot perform a firmware downgrade to a Fabric OS version earlier than 5.2.x if ADs are configured in the fabric. Following are special scenarios for director class products only:
• If the primary and secondary CPs are running pre-Fabric OS 5.2.
Understanding the AD transaction model

This section summarizes the ad command. This command follows a batched-transaction model, which means that changes to the Admin Domain configuration occur in the transaction buffer. An Admin Domain configuration can exist in several places:
• Effective configuration—The Admin Domain configuration that is currently in effect.
• Defined configuration—The Admin Domain configuration that is saved in flash memory.
Creating an admin domain

To create an Admin Domain, you must specify an Admin Domain name or number or both.
• If you create an Admin Domain using only a number, the Admin Domain name is automatically assigned to be “ADn”, where n is the number you specified. For example, if you specify AD number = 4, then AD name is set to “AD4”.
Assigning a user to an admin domain

After you create an Admin Domain, you can specify one or more user accounts as the valid accounts that can use that Admin Domain. You create these user accounts using the userConfig command. User accounts have the following characteristics with regard to Admin Domains:
• A user account can only have a single role. You can choose from one of the seven types of roles: either the existing user and administrator roles or one of the other RBAC roles.
How to create a new physical fabric administrator user account

1. Connect to the switch and log in as admin.
2. Enter the userconfig --add command using the -r option to set the role to admin and the -a option to provide access to Admin Domains 0 through 255.

   userconfig --add username -r admin -h home_AD -a "0-255"

   where username is the name of the account and home_AD is the home Admin Domain.
Adding and removing admin domain members

Use the following procedures to add or remove members of an Admin Domain.

NOTE: If you remove the last member of an Admin Domain, that Admin Domain is automatically deleted.

How to add members to an existing Admin Domain

1. Connect to an AD-aware switch and log in as admin.
2. Switch to the AD255 context, if you are not already in that context.

   ad --select 255

3.
The rename operation does not take effect if the Admin Domain you want to rename is part of the effective configuration and thus enforced. 4. Optional: To end the transaction now, enter ad --save to save the Admin Domain definition or enter ad --apply to save the Admin Domain definition and directly apply the definitions to the fabric. The Admin Domain numbers remain unchanged after the operation. The following example changes the name of Admin Domain Eng_AD to Eng_AD2.
Validating an Admin Domain member list

The ad --validate option allows you to validate the device and switch member list and flag all resources that are from AD-unaware switches. You can use the validate option to list Admin Domain members from AD-unaware switches and non-existing or offline Admin Domain members. You can use the validate option to identify misconfigurations of the Admin Domain.
A port or device appears in CLI command output or other management tool output if any one of the conditions listed in Table 47 is met.

Table 47 Ports and devices in CLI output

  For             Condition
  (domain, port)  • The port is specified in the (domain, port) member list of the Admin Domain.
                  • One or more WWNs specified in the AD member list is attached to the (domain, port).
  Device WWN      • The device WWN is specified in the AD WWN member list.
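The following is an added example, not code from the Fabric OS guide. It models the two Table 47 conditions for a (domain, port), together with the implicit-membership rule from "Switch port members" (devices attached to a (domain, port) member are members too), as a small visibility filter. The fabric, the AD member lists and the WWNs are constructed sample data.

```python
"""Which ports and devices an Admin Domain user sees (Table 47 model)."""
from dataclasses import dataclass, field


@dataclass
class AdminDomain:
    """Explicit member lists of one Admin Domain (constructed model)."""
    name: str
    ports: set = field(default_factory=set)   # (domain, port) members
    wwns: set = field(default_factory=set)    # device WWN members


# Constructed sample fabric: the device WWN attached to each (domain, port).
ATTACHED = {
    (1, 4): "10:00:00:00:c9:2b:aa:01",
    (1, 5): "10:00:00:00:c9:2b:aa:02",
    (2, 0): "10:00:00:00:c9:2b:aa:03",
    (2, 1): "10:00:00:00:c9:2b:aa:04",
}


def port_visible(ad: AdminDomain, domain: int, port: int) -> bool:
    """Table 47, (domain, port) row: the port is an explicit member, or a
    WWN in the AD member list is attached to that port."""
    if (domain, port) in ad.ports:
        return True
    return ATTACHED.get((domain, port)) in ad.wwns


def device_visible(ad: AdminDomain, wwn: str) -> bool:
    """Table 47, device WWN row: the WWN is an explicit member, or the
    device sits on a (domain, port) member (implicit membership)."""
    if wwn in ad.wwns:
        return True
    return any(ATTACHED.get(dp) == wwn for dp in ad.ports)


def visible_view(ad: AdminDomain):
    """The filtered view an AD user gets: sorted visible ports and WWNs."""
    ports = sorted(dp for dp in set(ATTACHED) | ad.ports
                   if port_visible(ad, *dp))
    wwns = sorted(w for w in ATTACHED.values() if device_visible(ad, w))
    return ports, wwns


if __name__ == "__main__":
    ad3 = AdminDomain("AD3", ports={(1, 4)}, wwns={"10:00:00:00:c9:2b:aa:03"})
    print(visible_view(ad3))
```

Note that (2, 0) becomes visible only because a WWN member is attached to it, and the device on (1, 4) becomes visible only because its port is a member; neither is named explicitly in the other list.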
How to show an Admin Domain

1. Connect to the switch and log in as any user type.
2. Enter the ad --show command. If you are in the AD0 context, you can use the -i option to display the implicit membership list of AD0; otherwise, only the explicit membership list is displayed.
that are not part of the current zone enforcement table. A member might not be part of the zone enforcement table because:
• The device is offline.
• The device is online, but is connected to an AD-unaware switch.
• The device is online but is not part of the current Admin Domain.
For more information about the zone command and its use with Admin Domains, see the Fabric OS Command Reference Manual.
Table 48 Admin Domain interaction with Fabric OS features (continued)

  Fabric OS feature     Admin Domain interaction
  FICON                 Admin Domains support FICON. However, you must perform additional steps because FICON management (CUP) requires additional physical control of the ports. You must set up the switch as a physical member of the FICON AD.
  DCC and SCC policies  Supported only in AD0 and AD255, since ACL configurations are supported only in AD0 and AD255.
Admin Domains introduce two types of zone database nomenclature and behavior:
• Root zone database—If you do not use Admin Domains, you will have only one zone database. This legacy zone database is known as the root zone database. If you create Admin Domains, you will have the root zone database, which is owned by AD0, and other zone databases, one for each user-defined Admin Domain.
• During the zone update process, only the root zone database is sent to AD-unaware switches.
See ”Maintaining configurations” on page 147 for additional information.
8 Installing and maintaining firmware

This chapter contains procedures for installing and maintaining firmware. Fabric OS 5.3.0 provides nondisruptive firmware installation. Additionally, this chapter provides information on the following optional port blades:
• FC blades contain only Fibre Channel ports: FC4-16, FC4-32, FC4-48.
CAUTION: For each switch in your fabric, complete all firmware download changes on the current switch before issuing the firmwareDownload command on the next switch. This process ensures nondisruption of traffic between switches in your fabric. To verify the firmwareDownload process is complete, enter the firmwareDownloadStatus command on the switch, verify the process is complete, then move on to the next switch.
Considerations for FICON CUP environments

To prevent channel errors during nondisruptive firmware installation, the switch CUP port must be taken offline from all host systems.

Preparing for a firmware download

Before executing a firmware download, it is recommended that you perform the tasks mentioned in this section.
NOTE: If you do not know the CP address, use the ipAddrShow command to view a list of all CP IP addresses associated with the switch. 6. (Optional) Enter the supportSave command to capture a snapshot of your configuration and provide baseline information in case there is a need to troubleshoot or seek advanced support. Make sure that you enter this command on the standby CP as well.
Obtaining and decompressing firmware

NOTE: The following steps describe how to download firmware. Web retrieval procedures may be subject to change.

To access the latest Fabric OS 5.2.x firmware, configuration files and MIB files go to the following HP web site:
http://h18006.www1.hp.com/storage/saninfrastructure/index.html
You must decompress the firmware (using the UNIX tar command for .tar files, the gunzip command for all .gz files, or a Windows unzip program for all .
4/16 SAN Switch and 4/8 SAN Switch, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, SAN Switch 4/32, SAN Switch 4/32B, 4/64 SAN Switch and 400 MP Router firmware download procedure

The upgrade process first downloads and then commits the firmware to the switch.
User name
  Enter the user name of your account on the server; for example, “JohnDoe”.
File name
  Fabric OS 5.2.x or higher: Specify the full path name of the firmware directory, for example, /pub/v5.2.x.
  Fabric OS 5.1.x or lower: Specify the full path name of the firmware directory, appended by release.plist; for example, /pub/v5.1.x/release.plist.
  Note: For Fabric OS 5.x switches only, do not attempt to locate the release.plist file in the top level directory; there is a release.
Summary of firmware downloads on Director models

You can download firmware to SAN Director 2/128 and 4/256 SAN Director without disrupting the overall fabric if the two CP blades are installed and fully synchronized. Use the haShow command to confirm synchronization. If only one CP blade is powered on, the switch must reboot to activate firmware, which is disruptive to the overall fabric. If the CPs are not in sync, run the haSyncStart command.
To upgrade the firmware on SAN Director 2/128 and 4/256 SAN Director (including the blades):
1. Verify that the FTP or SSH server is running on the host server and that you have a user ID on that server.
2. Obtain the firmware file from http://www.hp.com and store the file on the FTP or SSH server.
3. Unpack the compressed files preserving directory structures.
4. The firmware is in the form of RPM packages with names defined in a .
10. Respond to the prompts as follows:
    Server Name or IP Address
      Enter the name or IP address of the server where the firmware file is stored: for example, 192.1.2.3. IPv6 and DNS are supported by firmwareDownload in Fabric OS 5.3.0. If DNS is enabled and a server name instead of a server IP address is specified in the command line, firmwareDownload determines whether IPv4 or IPv6 should be used.
    User name
      Enter the user name of your account on the server: for example, JohnDoe.
    File name
      Fabric OS 5.
    This command will cause the active CP to reset and will require that existing telnet or SSH sessions be restarted.
    Do you want to continue [Y]: y
    The firmware is being downloaded to the Standby CP.
    It may take up to 10 minutes
    Do you want to continue [Y]: y
12. Optionally, after the failover, connect to the switch, and log in again as admin. Using a separate session to connect to the switch, enter the firmwareDownloadStatus command to monitor the firmware download status.
13. Enter the firmwareShow command to display the new firmware versions. Following is an example of firmwareShow on the 4/256 SAN Director.

    switch:admin> firmwareshow
    Slot  Name    Appl  Primary/Secondary Versions  Status
    ----------------------------------------------------------
    2     FA4-18  FOS   v5.3.0
                        v5.3.0
                  SAS   v3.0.0
                        v3.0.0
                  DMM   v3.0.0
                        v3.0.0
    5     CP0     FOS   v5.3.0                      Standby *
                        v5.3.0
    6     CP0     FOS   v5.3.0                      Active
                        v5.3.0
    7     FA4-18  FOS   v5.3.0
                        v5.3.0
                  SAS   v3.0.0
                        v3.0.0
                  DMM   v3.0.0
                        v3.0.
6. Enter the firmwareDownload -s command to update the firmware and respond to the prompts as follows:

   switch:admin> firmwareDownload -s
   Type of Firmware (FOS, SAS, or any application) [FOS]:
   Server Name or IP Address: 192.168.32.10
   Network Protocol (1-auto-select, 2-FTP, 3-SCP) [1]:
   User Name: userfoo
   File Name: /home/userfoo/v5.3.0
   Password:
   Do Auto-Commit after Reboot [Y]: n
   Reboot system after download [N]: y
   Firmware is being downloaded to the switch. This step may take up to 30 minutes.
Testing and restoring firmware on Directors

This procedure enables you to perform a firmware download on each CP and verify that the procedure was successful before committing to the new firmware. The old firmware is saved in the secondary partition of each CP until you enter the firmwareCommit command. If you decide to back out of the installation prior to the firmwareCommit, you can enter the firmwareRestore command to restore the former, active Fabric OS firmware image.
NOTE: If the CPs fail to synchronize, you can still proceed because the version being tested is already present on the active CP, and subsequent steps will ensure that the standby CP is updated to the same version as the active CP.

   c. Confirm the evaluation version of firmware is now running on the active CP by entering the firmwareShow command.
9. Update firmware on the standby CP:
   a. Connect to the switch on the standby CP, which is the old active CP.
   b.
b. Enter the firmwareRestore command. The standby CP will reboot and the current switch session will end. Both partitions will have the same Fabric OS after several minutes. c. Wait five minutes and log in to the switch. Enter the firmwareShow command and verify that all partitions have the original firmware. If an AP blade is present: Blade partitions always contain the same version of the firmware on both partitions (it does not keep two copies).
NOTE: You cannot perform a firmware downgrade from Fabric OS 5.2.x or higher if administrative domains are configured in the fabric. See ”Managing administrative domains” on page 157 for details. When the primary and secondary CPs in a 4/256 SAN Director are running pre-Fabric OS 5.2.
For more information on any of the commands in the Recommended Action section, see the Fabric OS Command Reference. NOTE: Some of the messages include error codes (as shown in the example below). These error codes are for internal use only and you can disregard them. Example: Port configuration with EX ports enabled along with trunking for port(s) 63, use the portcfgexport, portcfgvexport, and/or portcfgtrunkport commands to remedy this. Verify blade is ENABLED.
Message: AP Blade type 31 is inserted. Please use slotshow to find out which slot it is in and remove it.
Probable Cause and Recommended Action: The firmware download operation was attempting to downgrade a system to Fabric OS v5.1.0 or earlier with one or more FC4-16IP port blades (blade ID 31) in the system. Brocade FC4-16IP port blades are not supported on firmware v5.1.0 or earlier, so the firmware download operation failed.
Execute the chassisConfig command with a supported option (1, 2, or 5 for SAN Director 2/128 and 1 or 5 for 4/256 SAN Director), and then retry the firmware download operation.
Message: Cannot downgrade due to the presence of broadcast zone(s). Remove or disable them before proceeding.
Probable cause and recommended action: If the switch is running v5.3.0, and a “broadcast zone” is configured, the user will not be allowed to downgrade the switch to v5.2.0 or earlier, as a broadcast zone gets a special meaning in v5.3.0 but it will be treated as a regular zone in v5.2.0 or earlier. Use the zoneRemove command to remove the zone or the zoneDelete command to delete the zone.
Message: Cannot downgrade to v5.2.0 or lower because ge port(s) has IPSec and Fastwrite enabled. Please use portcfg command to disable Fastwrite and try again.
Probable cause and recommended action: If a GE port has IPSec and Fastwrite enabled, the user will not be allowed to downgrade to v5.2.0 or earlier. Use the portcfg command to disable Fastwrite and try again.
Message: Cannot downgrade to v5.2.0 or lower because GE port(s) has DSCP enabled. Please use portcfg command to disable it and try again.
Message: Cannot upgrade directly to 5.3.0. Upgrade your switch to v5.1 or v5.2 first before upgrading to the requested version.
Probable cause and recommended action: If the switch is running v5.0.0 or earlier, you will not be allowed to upgrade directly to v5.3.0 because of the “two-version” rule. Upgrade your switch to Fabric OS version v5.1.0 or v5.2.0 before upgrading to v5.3.0.
Message: Cannot upgrade due to the presence of an existing zone named “broadcast”. Rename this zone before proceeding.
L2  Specify L2 long distance to support a long distance link up to 100 km. A total of 50, 100, or 200 full-size frame buffers are reserved for data traffic for the port at speeds of 1 Gbit/sec, 2 Gbit/sec, or 4 Gbit/sec respectively. For previously released switches (Bloom1-based), the number of frame buffers is limited to 63.
LE  Specify LE mode for E_Ports for distances beyond 5 km and up to 10 km.
Downgrade the system to firmware v4.4.0 or v5.0.0 first, and then downgrade to the desired firmware version.
Message: The command failed due to network timeout.
Probable Cause and Recommended Action: The firmware download operation was attempting to upgrade a system from Fabric OS v4.4.0 or lower directly to firmware v5.2.0. This firmware jump is not supported, so the firmware download operation aborted. Note that the message is from the currently running switch firmware, which may be v4.2.0 or lower.
Message: The command failed due to the presence of an Admin Domain. Use the ad command to remedy this before proceeding.
Probable Cause and Recommended Action: The firmware download operation was attempting to downgrade a system to Fabric OS v5.1.0 or lower with Admin Domain (AD) enabled on the system. Admin Domains are not supported on firmware v5.1.0 or lower, so the firmware download operation failed.
Message: The command failed because IPSec is enabled. Please use the portcfg fciptunnel command to disable it before proceeding.
Probable Cause and Recommended Action: The firmwareDownload operation was attempting to downgrade a system to Fabric OS v5.1.0 or lower and the IPsec feature is enabled. The IPsec feature is not supported on firmware v5.1.0 or lower, so the firmwareDownload operation failed. Disable IPSec using the portCfg fcipTunnel command. Retry the firmware download operation.
• Disable the strict fabric-wide policy using the fddCfg --fabWideSet "" command. The “absent” setting disables the fabric-wide consistency policy. Retry the firmware download operation.
Message: The switch is currently configured with “radiuslocal” mode. Please use the aaaconfig command to remedy it before proceeding.
Probable Cause and Recommended Action: The firmware download operation was attempting to downgrade a system to Fabric OS v5.1.0 or lower and radiuslocal mode is enabled.
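The messages in this section describe the configuration states that make firmwareDownload refuse an upgrade or downgrade. The following is an added example, not HP or Brocade code, that collects those rules into a pre-flight check an administrator could run against an inventory record before a change window: each rule paraphrases one message above (the two-version rule, the broadcast zone and the zone named "broadcast", GE-port IPSec/Fastwrite and DSCP, Admin Domains, FCIP IPSec, radiuslocal mode, FC4-16IP blades). The ordered release list, the SwitchState fields and the sample switch are assumptions made for the example, and the real command performs checks this page does not list.

```python
"""Pre-flight checks modelled on the firmwareDownload messages in this chapter."""
from dataclasses import dataclass

# Assumed release ordering used for the "two-version" rule.
RELEASES = ["v4.4.0", "v5.0.0", "v5.1.0", "v5.2.0", "v5.3.0"]


@dataclass
class SwitchState:
    """Constructed summary of the configuration items the messages name."""
    running: str
    admin_domains: bool = False         # ADs configured (ad command)
    broadcast_zone: bool = False        # a broadcast zone in the v5.3.0 sense
    zone_named_broadcast: bool = False  # legacy zone literally named "broadcast"
    ge_ipsec_fastwrite: bool = False    # GE port with IPSec and Fastwrite
    ge_dscp: bool = False               # GE port with DSCP enabled
    fcip_ipsec: bool = False            # IPSec on an FCIP tunnel
    radiuslocal: bool = False           # aaaconfig "radiuslocal" mode
    fc4_16ip_blades: int = 0            # number of blade ID 31 blades


def _step(version: str) -> int:
    """Position of a release in the assumed ordering."""
    return RELEASES.index(version)


def preflight(state: SwitchState, target: str) -> list:
    """Return the reasons the download would be refused (empty list = proceed)."""
    cur, tgt = _step(state.running), _step(target)
    problems = []
    if abs(tgt - cur) > 2:
        problems.append("two-version rule: move to an intermediate release first")
    if tgt > cur and target == "v5.3.0" and state.zone_named_broadcast:
        problems.append('rename the zone named "broadcast" before upgrading')
    if tgt < cur and tgt <= _step("v5.2.0"):
        if state.broadcast_zone:
            problems.append("remove or disable broadcast zone(s) (zoneRemove/zoneDelete)")
        if state.ge_ipsec_fastwrite:
            problems.append("disable Fastwrite on GE port(s) that have IPSec (portcfg)")
        if state.ge_dscp:
            problems.append("disable DSCP on GE port(s) (portcfg)")
    if tgt < cur and tgt <= _step("v5.1.0"):
        if state.admin_domains:
            problems.append("Admin Domains present: remove them with the ad command")
        if state.fcip_ipsec:
            problems.append("disable IPSec with portcfg fciptunnel")
        if state.radiuslocal:
            problems.append("leave radiuslocal mode with aaaconfig")
        if state.fc4_16ip_blades:
            problems.append("remove FC4-16IP blade(s) (blade ID 31) first")
    return problems


if __name__ == "__main__":
    sample = SwitchState("v5.3.0", admin_domains=True, broadcast_zone=True)
    for tgt in ("v5.2.0", "v5.1.0"):
        print(tgt, preflight(sample, tgt))
```

The same v5.3.0 switch is refused for one reason going to v5.2.0 (the broadcast zone) and for two going to v5.1.0 (the broadcast zone and the Admin Domains), which matches the version thresholds the messages state.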
Remove all DCC policies containing more than 256 ports using the secPolicyDelete and secPolicyActivate commands. Retry the firmware download operation.

Blade troubleshooting tips

Typically, issues that evolve during firmware downloads to the B-Series MP Router blade do not require explicit actions on your part.
9 Configuring Directors

This chapter contains procedures that are specific to the SAN Director 128 and 4/256 SAN Director models. For detailed information about these models, refer to the HP StorageWorks SAN Director installation guide available on http://www.hp.com. Because Directors contain interchangeable port blades, install procedures differ from the SAN Switches, which operate as fixed-port switches.
Table 51 Port numbering schemes for the 4/256 SAN Director (continued)

  Port blades  4/256 SAN Director
  FA4-18       Fibre Channel ports are numbered from 0 through 15 from bottom to top. There are also 2 GbE ports (numbered A0 - A1, from top to bottom) that are for Storage Application manageability purposes; you cannot address these ports using the CLI.
  FR4-18i      Ports are numbered from 0 through 15 from bottom to top. There are also 2 GbE ports (numbered ge0-ge1, from bottom to top).
By index

With the introduction of 48-port blades, the Index was introduced. Unique area IDs are possible up to 255 areas, but beyond that there needed to be some way to ensure uniqueness. A number of fabric-wide databases supported by Fabric OS (including ZoneDB, Secure FOS DCC policies, the ACL DCC, and Admin Domain) allow a port to be designated by the use of a “D,P” (Domain, Port) notation.
Table 52 Default index/area_ID Core PID assignment with no port swap (continued)

  Port on  Slot 1    Slot 2    Slot 3    Slot 4    Slot 7    Slot 8    Slot 9    Slot 10
  blade    Idx/Area  Idx/Area  Idx/Area  Idx/Area  Idx/Area  Idx/Area  Idx/Area  Idx/Area
  30       142/142   158/158   174/174   190/190   206/206   222/222   238/238   254/254
  29       141/141   157/157   173/173   189/189   205/205   221/221   237/237   253/253
  28       140/140   156/156   172/172   188/188   204/204   220/220   236/236   252/252
  27       139/139   155/155   171/171   187/187   203/203   219/219
Table 53 Default index/area extended-edge PID assignment with no port swap

  Port on  Slot 1    Slot 2    Slot 3    Slot 4    Slot 7    Slot 8    Slot 9    Slot 10
  blade    Idx/Area  Idx/Area  Idx/Area  Idx/Area  Idx/Area  Idx/Area  Idx/Area  Idx/Area
  47       271/135   287/151   303/167   319/183   335/199   351/215   367/231   383/247
  46       270/134   286/150   302/166   318/182   334/198   350/214   366/230   382/246
  45       269/133   285/149   301/165   317/181   333/197   349/213   365/229   381/245
  44       268/132   284/148   300/164   316/180   332/196   348/212   364/228
Table 53 Default index/area extended-edge PID assignment with no port swap (continued)

  Port on  Slot 1    Slot 2    Slot 3    Slot 4    Slot 7    Slot 8    Slot 9    Slot 10
  blade    Idx/Area  Idx/Area  Idx/Area  Idx/Area  Idx/Area  Idx/Area  Idx/Area  Idx/Area
  13       13/13     29/29     45/45     61/61     77/77     93/93     109/109   125/125
  12       12/12     28/28     44/44     60/60     76/76     92/92     108/108   124/124
  11       11/11     27/27     43/43     59/59     75/75     91/91     107/107   123/123
  10       10/10     26/26     42/42     58/58     74/74     90/90     106/106   122/122
  9                  25/25     41/41     57/57     73
Disabling and enabling port blades

Port blades are enabled by default. In some cases, you will need to disable a port blade to perform diagnostics. When diagnostics are executed manually (from the Fabric OS command line), many commands require the port blade to be disabled. This ensures that diagnostic activity does not interfere with normal fabric traffic.

To disable a port blade:
1. Connect to the switch and log in as admin.
2.
ports 16–31 with an FC4-48, the FC4-48 faults. To correct this, reinsert the FC4-32 and issue portSwap to restore the original area IDs to ports 16–31.

Conserving power

To conserve power and ensure that more critical components are the least affected by a power fluctuation, you can power off components in a specified order, using the powerOffListSet command. The available power is compared to the power demand to determine if there is enough power to operate.
  Term                            Abbreviation  Blade ID (slotshow)  Definition
  48-port 4-Gbit/sec port blades  FC4-48        36                   A 48-port Director port blade supporting 1, 2, and 4 Gbit/sec port speeds in chassis mode 5 with port and exchange-based routing. This port blade is only compatible with the 4/256 SAN Director CP blades.
Table 56 lists the supported configuration options. Table 57 lists configuration options and resulting slot configurations.

Table 56 Supported configuration options

  Option  Number of  Maximum number of  Supported port blades                          Supported  Notes
          domains    ports per switch                                                  CP blades
  1       1          128                FC2-16, FC4-16                                 CP2 or CP4  Option 1 is the default configuration for SAN Director 2/128.
  2       2          64/64              FC2-16                                         CP2
  5       1          384                FC4-16, FC4-16IP, FC4-32, FR4-18i, FR4-48 (1)  CP4

1.
1. Connect to the switch and log in as user or admin.
2. Enter the slotShow command to display the current status of each slot in the system. The format of the display includes a header and four fields for each slot. The fields and their possible values are:
   Slot        Displays the physical slot number.
   Blade Type  Displays the blade type:
               SW BLADE: The blade is a switch.
               CP BLADE: The blade is a control processor.
               AP BLADE: The blade is the FR4-18i blade.
1. Connect to the switch and log in as admin.
2. Enter the chassisConfig command without options to verify that the switch is configured with one domain. For example:

   switch:admin> chassisconfig
   Current Option: 1

3. Enter the chassisConfig command to configure two domains. Use the -f option to suppress prompting for uploading the configuration. This command reboots the system.

   switch:admin> chassisconfig -f 2
   Current Option changed to 2
   Restoring switch 0 configuration to factory defaults...
NOTE: This procedure restores most configuration parameters to factory defaults. After performing this procedure, you must check the new configuration and reconfigure those parameters that you customized in the old configuration.
Setting the blade beacon mode

When beaconing mode is enabled, the port LEDs will flash amber in a running pattern from port 0 through port 15 and back again. The pattern continues until the user turns it off. This can be used to locate a particular blade.

To set the blade beacon mode on:
1. Connect to the switch and log in as admin.
2.
10 Routing traffic

About data routing and routing policies

Data moves through a fabric from switch to switch and storage to server along one or more paths that make up a route. Routing policies determine the correct path for each frame of data. Whatever routing policy a switch is using applies to the VE_Ports as well. Refer to ”Using the FC-FC routing service” on page 227 for details about VE_Ports.

CAUTION: For most configurations, the default routing policy is optimal, and provides the best performance.
In the following example, the routing policy for a 400 MP Router is changed from exchange-based to port-based:

   switch:admin> aptpolicy
   Current Policy: 3
   3: Default Policy
   1: Port Based Routing Policy
   3: Exchange Based Routing Policy
   switch:admin> switchdisable
   switch:admin> aptpolicy 1
   Policy updated successfully.
NOTE: Certain devices do not tolerate out-of-order exchanges; in such cases, use the port-based routing policy. In a stable fabric, frames are always delivered in order, even when the traffic between switches is shared among multiple paths. However, when topology changes occur in the fabric (for example, if a link goes down), traffic is rerouted around the failure, and some frames could be delivered out of order. Most destination devices tolerate out-of-order delivery, but some do not.
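The difference between the two policies is what fields select the path among equal-cost routes: policy 1 (port-based) uses the source and destination IDs only, so one device pair always uses one path, while policy 3 (exchange-based) adds the OX_ID, so different exchanges of the same pair can be spread over several paths while the frames of any one exchange still share a path. The following added example, which is not Fabric OS code, makes that concrete; Fabric OS does not publish its selection function here, so a plain XOR of the fields is assumed in its place, and the traffic is constructed sample data.

```python
"""Port-based versus exchange-based path selection over equal-cost paths."""
PORT_BASED = 1       # aptpolicy 1
EXCHANGE_BASED = 3   # aptpolicy 3 (default)


def select_path(sid: int, did: int, oxid: int, n_paths: int, policy: int) -> int:
    """Index of the equal-cost path chosen for one frame (assumed hash)."""
    key = sid ^ did
    if policy == EXCHANGE_BASED:
        key ^= oxid          # only the exchange-based policy looks at OX_ID
    return key % n_paths


def paths_used(frames, n_paths: int, policy: int) -> set:
    """Set of path indexes a list of frames is spread across."""
    return {select_path(f["sid"], f["did"], f["oxid"], n_paths, policy)
            for f in frames}


def exchange_in_order(frames, n_paths: int, policy: int) -> bool:
    """True when every frame of one exchange (same S_ID/D_ID/OX_ID) takes the
    same path, so a stable fabric cannot reorder frames inside an exchange."""
    seen = {}
    for f in frames:
        ex = (f["sid"], f["did"], f["oxid"])
        path = select_path(*ex, n_paths, policy)
        if seen.setdefault(ex, path) != path:
            return False
    return True


# Constructed traffic: one host/target pair, 8 exchanges of 4 frames each.
SAMPLE = [{"sid": 0x010400, "did": 0x020100, "oxid": ox, "seq": s}
          for ox in range(8) for s in range(4)]

if __name__ == "__main__":
    for policy in (PORT_BASED, EXCHANGE_BASED):
        print(policy, sorted(paths_used(SAMPLE, 4, policy)),
              exchange_in_order(SAMPLE, 4, policy))
```

With four equal-cost paths the port-based policy puts all 32 frames on one path, the exchange-based policy uses all four, and both keep each exchange on a single path; reordering can only arise when the fabric topology changes and the path set itself changes, which is the case the NOTE above describes.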
Viewing routing path information

The topologyShow and uRouteShow commands provide information about the routing path.
1. Connect to the switch and log in as admin.
2. Enter the topologyShow command to display the fabric topology, as it appears to the local switch.
SAN Director 2/128 and 4/256 SAN Director: Use the following syntax:

   urouteshow [slot/][portnumber][, domainnumber]

The following entries appear:
• Local Domain—Domain number of the local switch.
• In Ports—Port from which a frame is received.
• Domain—Destination domain of the incoming frame.
• Out Port—The port to which the incoming frame will be forwarded in order to reach the destination domain.
• Name—The name of the destination switch.
Viewing routing information along a path

You can display detailed routing information from a source port (or area) on the local switch to a destination port (or area) on another switch. This routing information describes the full path that a data stream travels between these ports, including all intermediate switches.
1. Connect to the switch and log in as admin.
2. Enter the pathInfo command.
The information that pathInfo provides is:
  Hops       The number of switch-to-switch links (ISLs) traversed. The local switch is hop 0.
  In Port    The port that the frames come in from on this path. For hop 0, the source port.
  Domain ID  The domain ID of the switch.
  Name       The name of the switch.
  Out Port   The output port that the frames use to reach the next hop on this path. For the last hop, the destination port.
  BW         The bandwidth of the output ISL, in Gbit/sec. It does not apply to the embedded port.
11 Using the FC-FC routing service

The FC-FC Routing (FCR) Service provides Fibre Channel routing between two or more fabrics without merging those fabrics. The FC-FC Routing Service can be simultaneously used as a Fibre Channel router and for SAN extension over wide area networks (WANs) using FCIP. FCR supports backbone to edge routing, allowing devices in the backbone to talk to devices on the edge fabric. A Fibre Channel router is a switch running the FC-FC routing services.
Fibre Channel routing concepts

Fibre Channel routing introduces the following concepts:
• Logical Storage Area Networks (LSANs)
  An LSAN is defined by zones in two or more edge or backbone fabrics that contain the same device(s). You can create LSANs that can span fabrics. These LSANs enable Fibre Channel zones to cross physical SAN boundaries without merging the fabrics while maintaining the access controls of zones (refer to Figure 9).
Figure 10 shows a metaSAN consisting of three edge fabrics connected through a 4/256 SAN Director containing a B-Series MP Router blade with interfabric links.
• MetaSAN
  A metaSAN is the collection of SANs interconnected with Fibre Channel routers. A simple metaSAN can be constructed using a 400 MP Router, 4/256 SAN Director with a B-Series MP Router blade, or MP Router to connect two or more separate fabrics. Additional 400 MP Routers, 4/256 SAN Director with B-Series MP Router blades, or MP Router can be used to increase the available bandwidth between fabrics, and for redundancy.
Figure 11 shows another metaSAN consisting of a host in Edge SAN 1 connecting to storage in Edge SAN 2 through a backbone fabric connecting two 4/256 SAN Directors, each containing B-Series MP Router blades.
Routing types
• Edge-to-Edge
  Occurs when devices in one edge fabric communicate with devices in another edge fabric through one or more Fibre Channel routers.
• Backbone-to-Edge
  Occurs when Fibre Channel routers connect to a common fabric—known as a backbone fabric—via E_Ports. A backbone fabric can be used as a transport fabric that interconnects edge fabrics.
domains allows routing around path failures, including path failures through the routers. The multiple paths to an xlate domain provide additional bandwidth and redundancy. There are some differences in how the xlate domain is presented in the BB. The BB xlate domains are topologically connected to FC routers and participate in FC-Protocol in BB. Front domains are not needed in the BB.
3. If configuring the 4/256 SAN Director with a B-Series MP Router blade, then enter the chassisConfig command to verify that the director is using configuration option 5.
In addition to ensuring that the backbone fabric IDs are the same within the same backbone, you need to make sure that when two different backbones are connected to the same edge fabric, the backbone fabric IDs are different (but the edge fabric FID should be the same). Configuration of two backbones with the same backbone fabric ID that are connected to the same edge is invalid. In this configuration, a RAS log message is displayed warning about fabric ID overlap.
fabrics. Secure Fabric OS is an optional licensed product that provides customizable security restrictions through local and remote management channels on a Brocade fabric. The FC-FC Routing Service uses only the DH-CHAP shared secrets to provide switch-to-switch authentication when connecting to a Secure Fabric OS fabric. You can set up DH-CHAP on the edge fabric, but it is not a prerequisite for FCR to work.
The following inputs should be specified for each entry:
1. The WWN for which the secret is being set up.
2. Peer secret: the secret of the peer, which the peer uses to authenticate to this switch.
3. Local secret: the local secret, which this switch uses to authenticate to the peer.
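The pairing rule behind these three inputs is that one switch's local secret for a WWN must equal the other switch's peer secret for the first switch's WWN, and the other way round; a mismatch on either side makes switch-to-switch authentication fail, and the link does not come up. The following added example, not Fabric OS code, models only that pairing with a generic HMAC challenge/response; it is not the FC-SP DH-CHAP wire format, and the WWNs and secrets are constructed sample values.

```python
"""Shared-secret switch-to-switch authentication: per-WWN peer/local secrets."""
import hashlib
import hmac
import os


class Switch:
    def __init__(self, wwn: str):
        self.wwn = wwn
        self.secrets = {}  # peer WWN -> {"peer": peer secret, "local": local secret}

    def set_secret(self, peer_wwn: str, peer_secret: str, local_secret: str):
        """One entry, as described in the text: the peer's secret and our own."""
        self.secrets[peer_wwn] = {"peer": peer_secret, "local": local_secret}

    def respond(self, peer_wwn: str, challenge: bytes):
        """Prove our identity to peer_wwn using the local secret held for it."""
        entry = self.secrets.get(peer_wwn)
        if entry is None:
            return None  # no entry for this peer: cannot answer
        return hmac.new(entry["local"].encode(), challenge, hashlib.sha256).digest()

    def verify(self, peer_wwn: str, challenge: bytes, response) -> bool:
        """Check the peer's answer against the peer secret we hold for it."""
        entry = self.secrets.get(peer_wwn)
        if entry is None or response is None:
            return False
        expected = hmac.new(entry["peer"].encode(), challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def mutual_auth(a: Switch, b: Switch, rng=os.urandom) -> bool:
    """Each side challenges the other; the link authenticates only if both pass."""
    challenge_a = rng(16)
    if not a.verify(b.wwn, challenge_a, b.respond(a.wwn, challenge_a)):
        return False
    challenge_b = rng(16)
    return b.verify(a.wwn, challenge_b, a.respond(b.wwn, challenge_b))


def demo(swap: bool = False) -> bool:
    """Pair an FC router with an edge switch; swap=True misconfigures the edge."""
    fcr = Switch("10:00:00:05:1e:00:00:01")   # constructed WWNs
    edge = Switch("10:00:00:05:1e:00:00:02")
    # fcr's local secret must be edge's peer secret for fcr, and vice versa.
    fcr.set_secret(edge.wwn, peer_secret="edgeSecret1", local_secret="fcrSecret1")
    if swap:  # peer and local entered the wrong way round on the edge switch
        edge.set_secret(fcr.wwn, peer_secret="edgeSecret1", local_secret="fcrSecret1")
    else:
        edge.set_secret(fcr.wwn, peer_secret="fcrSecret1", local_secret="edgeSecret1")
    return mutual_auth(fcr, edge)
```

Entering the two secrets in the wrong order on one side is the usual field mistake; the swapped case above fails on the very first challenge, which is the symptom to look for when an EX_Port stays down after DH-CHAP is enabled on the edge fabric.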
   switch:admin> portcfgexport 7/10 -a 1 -f 30
   switch:admin> portcfgexport 7/10
   Port 7/10 info
   Admin:                       enabled
   State:                       NOT OK
   Pid format:                  Not Applicable
   Operate mode:                Brocade Native
   Edge Fabric ID:              30
   Preferred Domain ID:         160
   Front WWN:                   50:06:06:9e:20:38:6e:1e
   Fabric Parameters:           Auto Negotiate
   R_A_TOV:                     Not Applicable
   E_D_TOV:                     Not Applicable
   Authentication Type:         None
   DH Group:                    N/A
   Hash Algorithm:              N/A
   Edge fabric's primary wwn:   N/A
   Edge fabric's version stamp: N/A

portCfgExport options

This port can now connect t
For related FC-FC Routing commands, see fcrxlateconfig, fcrconfigure, and fcrproxyconfig in the Fabric OS Command Reference Manual. A Fibre Channel router can interconnect multiple fabrics. EX_Ports or VEX_Ports attached to more than one edge fabric must configure a different fabric ID for each edge fabric. At this point you have some options to consider before proceeding to the next step. These options include FCR router port cost operations and setting up either ISL or EX_Port trunking.
   Preferred Domain ID:         160
   Front WWN:                   50:06:06:9e:20:38:6e:1e
   Fabric Parameters:           Auto Negotiate
   R_A_TOV:                     Not Applicable
   E_D_TOV:                     Not Applicable
   Authentication Type:         None
   DH Group:                    N/A
   Hash Algorithm:              N/A
   Edge fabric's primary wwn:   N/A
   Edge fabric's version stamp: N/A
   switch:admin_06> portshow 7/10
   portName:
   portHealth: OFFLINE
   Authentication: None
   EX_Port Mode: Enabled
   Fabric ID: 30
   Front Phantom: state = Not OK
   Pref Dom ID: 160
   Fabric params: R_A_TOV: 0 E_D_TOV: 0 PID fmt: auto
   Authentication Type: None
   Has
The fcrFabricShow command displays the static IPv6 addresses for each FC router and each edge fabric switch connected to the EX_Ports.

   fcr:admin> fcrfabricshow
   FCR WWN: 10:00:00:05:1e:13:59:00, Dom ID: 2, Info: 10.32.156.52
                                                      1080::8:800:200C:1234/64, "fcr_mars_9"
   EX_Port  FID  Neighbor Switch Info (WWN, enet IP, name)
   ------------------------------------------------------------------
   7        10   10:00:00:05:1e:34:11:e5  10.32.156.33  "mojo_10"
                                           1080::8:8FF:FE0C:417A/64
   4        116  10:00:00:05:1e:37:00:44  10.32.156.
To set and display the router port cost
1. Disable any port on which you want to set the router port cost.
2. Enable admin for the EX_Port/VEX_Port with the portCfgExport or portCfgVexport command.
3. Enter the fcrRouterPortCost command to display the router port cost per EX_Port.
switch:admin> fcrrouterportcost
Port    Cost
-----------------------
7/3     1000
7/4     1000
7/9     1000
7/10    1000
7/13    1000
10/0    1000
You can also use the fcrRouteShow command to display the router port cost.
4.
higher router cost IFLs (for example ports 8–15). For VEX_Ports, you would use ports in the range of 16-23 or 24-31. You can connect multiple EX_Ports or VEX_Ports to the same edge fabric. The EX_Ports can all be on the same 400 MP Router or 4/256 SAN Director with a B-Series MP Router blade, or they can be on multiple routers. Multiple EX_Ports create multiple paths for frame routing.
The default values for R_A_TOV and E_D_TOV are the recommended values for all but very large fabrics (ones requiring four or more hops) or high-latency fabrics (such as ones using long-distance FCIP links).
Configuring EX_Port frame trunking (optional)
In Fabric OS v5.2.x or later, you can configure EX_Ports to use frame-based trunking just as you do regular E_Ports.
Upgrade and downgrade considerations
Table 58 describes the upgrade and downgrade considerations for EX_Port Frame Trunking.
Table 58 Trunking upgrade and downgrade considerations
Upgrade or downgrade: A firmware downgrade from Fabric OS v5.2.x to Fabric OS v5.1.0
Consideration: If EX_Port trunking is on, prior to the firmware downgrade, the script displays a message requesting that you disable EX_Port trunking.
Upgrade or downgrade: A firmware upgrade from Fabric OS v5.1 to Fabric OS v5.2.
To display EX_Port trunking information
1. Log in as an admin and connect to the switch.
2. Enter the switchShow command to display trunking information for the EX_Ports.
The following is an example of a master EX_Port and a slave EX_Port displayed in switchShow.
fcr_switch:admin_06> switchshow
example, in Figure 11, when the zones for Edge SAN 1 are defined, you do not need to consider the zones in Edge SAN 2, and vice versa. Zones that contain hosts and targets that are shared between the two fabrics need to be explicitly coordinated.
Although an LSAN is managed using the same tools as any other zone on the edge fabric, two behaviors distinguish an LSAN from a conventional zone:
• A required naming convention. The name of an LSAN begins with the prefix “LSAN_”.
The Local Name Server has 1 entry }
3. Enter the zoneCreate command to create the LSAN lsan_zone_fabric75, which includes the host.
switch:admin> zonecreate "lsan_zone_fabric75", "10:00:00:00:c9:2b:c9:0c"
4. Enter the zoneAdd command to add Target A to the LSAN.
FID75Domain5:admin> zoneadd "lsan_zone_fabric75", "50:05:07:61:00:5b:62:ed"
5. Enter the cfgAdd or cfgCreate and cfgEnable commands to add and enable the LSAN configuration.
Fabric ID: 75  Zone Name: lsan_zone_fabric75
    10:00:00:00:c9:2b:c9:0c  EXIST
    50:05:07:61:00:5b:62:ed  Imported
- fcrPhyDevShow shows the physical devices in the LSAN.
switch:admin> fcrphydevshow
  Device     WWN                       Physical
  Exists                                PID
  in Fabric
  ----------------------------------------
     75      10:00:00:00:c9:2b:c9:0c   c70000
      2      50:05:07:61:00:5b:62:ed   0100ef
      2      50:05:07:61:00:5b:62:ed   0100e8
  Total devices displayed: 3
- fcrProxyDevShow shows the proxy devices in the LSAN.
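The LSAN rules above lend themselves to an offline check before an LSAN configuration is enabled. The following Python, added here and not part of Fabric OS or this guide, parses cfgShow-style zone listings from two edge fabrics, reports LSAN members that are not port WWNs (Fabric OS requires port WWN members in an LSAN, since port IDs are not unique across fabrics) and lists the devices both fabrics have placed in LSAN zones; the listings, the second fabric's zone names and the case-insensitive prefix match (consistent with the lower-case lsan_zone_fabric75 in the procedure) are this example's assumptions.

```python
"""Check LSAN zone definitions from two edge fabrics and list the devices they share.

Input is modelled on the "zone:" lines of cfgShow output; both samples are constructed.
"""
import re

LSAN_PREFIX = "lsan_"
# A port WWN as Fabric OS displays it: eight colon-separated hex octets.
WWN_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){7}$", re.IGNORECASE)

HOST = "10:00:00:00:c9:2b:c9:0c"    # the host from the worked procedure
TARGET = "50:05:07:61:00:5b:62:ed"  # Target A from the worked procedure

# Constructed cfgShow excerpt for edge fabric 75.
FABRIC75_CFG = """\
Defined configuration:
 cfg:   lsan_cfg        lsan_zone_fabric75; local_zone
 zone:  lsan_zone_fabric75
                10:00:00:00:c9:2b:c9:0c; 50:05:07:61:00:5b:62:ed
 zone:  local_zone
                10:00:00:00:c9:2b:c9:0c; 2,5
"""

# Constructed cfgShow excerpt for the second edge fabric. LSAN_broken carries a
# domain,port member, which an LSAN zone cannot match across fabrics.
FABRIC2_CFG = """\
Defined configuration:
 cfg:   lsan_cfg        LSAN_storage; LSAN_broken
 zone:  LSAN_storage
                50:05:07:61:00:5b:62:ed; 10:00:00:00:c9:2b:c9:0c
 zone:  LSAN_broken
                50:05:07:61:00:5b:62:ee; 1,4
"""


def parse_zones(text: str) -> dict[str, list[str]]:
    """Return {zone_name: [members]} from cfgShow-style text."""
    zones: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"zone:\s+(\S+)\s*(.*)$", line)
        if m:
            current = m.group(1)
            zones[current] = []
            members = m.group(2)
        elif re.match(r"(cfg|alias):", line) or line.endswith("configuration:"):
            current = None          # a different object type or a section heading
            continue
        elif current is not None:
            members = line          # continuation line of the current zone
        else:
            continue
        zones[current].extend(t.strip() for t in members.split(";") if t.strip())
    return zones


def is_lsan(name: str) -> bool:
    """LSAN zones are recognised by the LSAN_ prefix; the match is case-insensitive."""
    return name.lower().startswith(LSAN_PREFIX)


def invalid_lsan_members(members: list[str]) -> list[str]:
    """Members of an LSAN zone that are not port WWNs (for example domain,port entries)."""
    return [m for m in members if not WWN_RE.match(m)]


def lsan_devices(zones: dict[str, list[str]]) -> set[str]:
    """All port WWNs placed in LSAN zones of one fabric, normalised to lower case."""
    return {m.lower() for name, members in zones.items() if is_lsan(name)
            for m in members if WWN_RE.match(m)}


def shared_devices(zones_a: dict[str, list[str]], zones_b: dict[str, list[str]]) -> set[str]:
    """Devices both fabrics have put in an LSAN, so the FC router may share them."""
    return lsan_devices(zones_a) & lsan_devices(zones_b)


if __name__ == "__main__":
    z75, z2 = parse_zones(FABRIC75_CFG), parse_zones(FABRIC2_CFG)
    for name, members in {**z75, **z2}.items():
        if is_lsan(name) and invalid_lsan_members(members):
            print(f"{name}: non-WWN members {invalid_lsan_members(members)}")
    print("shared:", sorted(shared_devices(z75, z2)))
```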
NOTE: This feature is supported only in a fabric with Fabric OS 5.3.0 and later Fibre Channel routers in the backbone. The fcrlsanmatrix command is local to a Fibre Channel router and its configuration data will be saved locally. The configuration is not distributed automatically to other Fibre Channel routers on the backbone. The fcrlsanmatrix command is used to configure each of the FCRs in the backbone that support this feature.
fcrlsanmatrix --fabricview
The following is an example:
FCR:Admin> fcrlsanmatrix --fabricview
LSAN MATRIX is activated
Fabric ID 1    Fabric ID 2
-------------------------------------
    4              5
    4              7
   10             19
Default LSAN Matrix:
1 2 8
See the Fabric OS Command Reference Manual for additional information on the fcrlsanmatrix command.
Configuring backbone fabrics for interconnectivity
If you want devices in backbone fabrics to communicate with devices in edge fabrics, follow the steps in the section To set up LSAN zone binding, page 253. However, instead of configuring the LSAN in the second edge fabric, configure the LSAN in the backbone fabric.
HA and downgrade considerations:
• The LSAN zone matrix is synchronized to the standby CP.
• On a dual CP switch, both CPs need to have the v5.3.0 code or later to enable the feature.
fcrbcastconfig command to set edge fabrics to receive broadcast frames. On switches with an earlier Fabric OS version than v5.3.0 that do not support broadcast zoning, the fcrbcastconfig command sets up inter-fabric broadcast frame forwarding on the FC router and prevents inter-fabric forwarding of broadcast frames to the switches running older versions of firmware. Between FC routers, the broadcast frame is sent through the FC router protocol frame.
• Displays the maximum pool size for translate phantom node and port WWNs and shows the number of translate node and port WWNs from this pool.
• Phantom Node WWN—The display shows the maximum versus the currently allocated phantom switch node WWNs. The phantom switch requires node WWNs for SFPF and manageability purposes. Phantom node names are allocated from the pool sequentially and are not reused until the pool is exhausted and rolls over. The last allocated phantom node WWN is persistently stored.
Routing ECHO
The FC-FC Routing Service enables you to route the ECHO generated when an fcPing command is issued on a switch, providing fcPing capability between two devices in different fabrics across the 400 MP Router or 4/256 SAN Director with a B-Series MP Router blade.
To check for Fibre Channel connectivity problems
1.
Interoperability with legacy FCR switches
The following interoperability considerations apply when administering legacy FCR switches in the same backbone (BB) fabric as switches supporting Fabric OS v5.2.x:
• When a legacy switch is connected to the fabric, a RAS log message is issued indicating that the capability of the backbone (BB) fabric is lower, because legacy FCR switches (those with XPath OS and Fabric OS v5.1) support lower capability limits.
12 Administering FICON fabrics
Overview of Fabric OS support for FICON
IBM Fibre Connections (FICON®) is an industry-standard, high-speed input/output (I/O) interface for mainframe connections to storage devices. Fabric OS supports intermix mode operations, in which FICON and Fibre Channel technology work together. For specific information about intermix mode and other aspects of FICON, refer to the IBM Redbook, FICON® Implementation Guide (SG24-6497-01).
authenticated using digital certificates and unique private keys provided to the Switch Link Authentication Protocol (SLAP). • Switch binding is a security method for restricting devices that connect to a particular switch. If the device is another switch, this is handled by the SCC policy. If the device is a host or storage device, the Device Connection Control (DCC) policy binds those devices to a particular switch.
Control Unit Port (CUP)
Control Unit Port (CUP) protocol is used by IBM mainframe management programs to provide in-band management for FICON switches. When it is enabled, you can set up Directors in a FICON environment to be managed through IBM mainframe management programs. CUP is an optionally licensed feature available with Fabric OS v4.4.0 or later. CUP functionality is present on the SAN Switch 2/32 and SAN Director 2/128 models running Fabric OS v4.4.0 or later.
FICON commands
Table 61 summarizes the Fabric OS CLI commands that can be used for managing FICON fabrics. For detailed information on these commands, refer to the Fabric OS Command Reference Manual.
Table 61 Fabric OS commands related to FICON and FICON CUP
Command           Description
Standard Fabric OS commands:
configure         Sets the domain ID and the insistent domain ID mode.
portSwap          Swaps ports.
portSwapDisable   Disables the portSwap command.
portSwapEnable    Enables the portSwap command.
NOTE: The Fabric OS CLI supports only a subset of the management features for FICON fabrics. The full set of FICON CUP administrative procedures is available using the Fabric Manager and Web Tools software features. You can also use an SNMP agent and the FICON Management Information Base (MIB).
• Some 1-Gbit/sec storage devices cannot auto-negotiate speed with the 4/256 SAN Director, SAN Switch 4/32 or SAN Switch 4/32B ports. For these types of devices, configure ports that are connected to 1-Gbit/sec storage devices for fixed 1-Gbit/sec speed.
Preparing a switch
To verify and prepare a switch for use in a FICON environment, complete the following steps:
1. Connect to the switch and log in as admin.
2. If not in a cascaded environment, proceed to step 3.
CAUTION: If Security is enabled via the CLI in the FICON environment, then you should use the following syntax for the secModeEnable command: secmodeenable --lockdown=scc --currentpwd --fcs “*” Issuing the secModeEnable command as it appears above enables security and creates an SCC policy with all of the switches that currently reside in the fabric. It will also use the current password as the password for all available accounts on the switch.
7. Respond to the remaining prompts (or press Ctrl-d to accept the other settings and exit).
8. Enter the switchEnable command to re-enable the switch.
switch:admin> configure
Configure...
Fabric parameters (yes, y, no, n): [no] yes
Domain: (1..239) [3] 5
R_A_TOV: (4000..120000) [10000]
E_D_TOV: (1000..5000) [2000]
Data field size: (256..2112) [2112]
Sequence Level Switching: (0..1) [0]
Disable Device Probing: (0..1) [0]
Suppress Class F Traffic: (0..1) [0]
VC Encoded Address Mode: (0..
FRU failures
To display FRU failure information, connect to the switch, log in as admin, and enter one of the following commands:
• For the local switch: ficonshow ilir
• For all switches defined in the fabric: ficonshow ilir fabric
Swapping ports
If a port malfunctions, or if you want to connect to different devices without having to re-wire your infrastructure, you can move a port’s traffic to another port (swap ports) without changing the I/O Configuration Data Set (IOCDS) on the mainframe computer.
Using FICON CUP
Host-based management programs manage switches using CUP protocol by sending commands to an emulated control device in Fabric OS. A switch that supports CUP can be controlled by one or more host-based management programs. A mode register controls the behavior of the switch with respect to CUP itself, and with respect to the behavior of other management interfaces. FICON Management Server mode (fmsmode) must be enabled on the switch to enable CUP management features.
Enabling and disabling FICON management server mode
To enable fmsmode:
1. Connect to the switch and log in as admin.
2. Enter ficoncupset fmsmode enable.
To disable fmsmode:
1. Connect to the switch and log in as admin.
2. Enter ficoncupset fmsmode disable.
The fmsmode setting can be changed whether the switch is offline or online.
Changing fmsmode from enabled to disabled triggers the following events:
1. A device reset is performed on the control device.
2. PDCM is no longer enforced.
3. RSCNs might be generated to some devices if PDCM removal results in changes to connectivity between a set of ports.
4. If a given port was set to “Block” or “Unblock,” that port remains disabled or enabled.
5. Serialized access to switch parameters ceases.
Displaying mode register bit settings
The mode register bits are described in Table 62.
Table 62 FICON CUP mode register bits
POSC  Programmed offline state control. When this bit is set on, the host is prevented from taking the switch offline. The default setting is 1 (on).
UAM   User alert mode. When this bit is set on, a warning is issued when an action is attempted that will write CUP parameters on the switch. The default setting is 0 (off).
ASM   Active=saved mode.
Setting mode register bits
Use the ficoncupset modereg command to set the FICON CUP mode register bits for the local switch. Consider the following when changing mode register bits:
• As required by the CUP protocol, the UAM bit cannot be changed using this command.
• All mode register bits except UAM are saved across power on/off cycles; the UAM bit is reset to 0 following a power-on.
• Mode register bits can be changed when the switch is offline or online.
Port and switch naming standards
Fabric OS handles differences in port and switch naming rules between CUP and itself as follows:
• CUP employs 8-bit characters in port address names and switch names; Fabric OS employs 7-bit characters. When fmsmode is enabled, all characters greater than 0x40 and not equal to 0xFF (EBCDIC code page 37 [0x25]) are allowed in the name; therefore, it is possible for a channel to set a name with nonprintable characters.
Troubleshooting
The following sources provide useful problem-solving information:
• The standard support commands (portLogDump, supportSave, supportShow) or the Fabric Manager Event Log
By default, the FICON group in the supportShow output is disabled. To enable the capture of FICON data in the supportShow output, enter the supportshowcfgenable ficon command.
Backing up FICON files The FICON file access facility is used to store configuration files. This includes IPL and other configuration files. The Fabric OS saves the IPL and all other configuration files on the switch. A maximum of 16 configuration files, including the IPL file, are supported. You can upload the configuration files saved on the switch to a management workstation using the configUpload command.
Table 63 FICON® switch configuration worksheet
FICON® Switch Manufacturer: ___________________  Type: _________  Model: ______  S/N: ________
HCD Defined Switch ID: _________ (Switch ID)
FICON® Switch Domain ID: _________ (Switch @)
Cascaded Directors: No _____  Yes _____
Corresponding Cascaded Switch Domain ID: _____
Fabric Name: ________________________________
FICON® Switch F_Ports / Attached N_Ports / E_Ports (CU, CPC, or ISL)
Slot Number    Port Number    Port Address    Laser Type: LX / SX
Sample IOCP configuration file for SAN Switch 2/32, SAN Switch 4/32, SAN Director 2/128, and 4/256 SAN Director switches
The channel subsystem controls communication between a configured channel, the control unit, and the device. The I/O Configuration Dataset (IOCDS) defines the channels, control units, and devices to the designated logical partitions (LPARs) within the server; this is defined using the Input/Output Configuration Program (IOCP).
In the following sample IOCP configuration file, the UNIT value for FICON CUP definitions is 2032 for any FICON Director regardless of vendor or platform. So all SAN Switch 2/32, SAN Switch 4/32, SAN Switch 4/32B, or SAN Director 2/128 switches require UNIT=2032 for the CUP definition. All Domain IDs are specified in hex values in the IOCP (and not in decimal values); the Domain IDs in the example are for demonstration purposes only.
/*********************************************************************/
/* MONITOR I OPTIONS                                                 */
/*                                                                   */
/* XA ONLY                                                           */
/*                                                                   */
/*********************************************************************/
FCD                  /* FICON Director                                   */
CHAN                 /* COLLECT CHANNEL STATISTICS                       */
CPU                  /* COLLECT CPU STATISTICS                           */
CYCLE(1000)          /* SAMPLE ONCE EVERY SECOND                         */
DEVICE(NOSG)         /* PREVENT SORT OF STORAGE GROUPS                   */
DEVICE(NOCHRDR)      /* CHARACTER READER STATISTICS WILL NOT BE COLLECTED */
DEVICE(COMM)         /* COMMUNICATION EQUIP
13 Configuring the distributed manager server
The Fabric OS Distributed Management Server allows a SAN management application to retrieve information and administer interconnected switches, servers, and storage devices. The management server assists in the autodiscovery of switch-based fabrics and their associated topologies. A client of the management server can find basic information about the switches in the fabric and use this information to construct topology relationships.
To disable platform services
3. Connect to the switch and log in as admin.
4. Enter the msplMgmtDeactivate command.
5. Press y to confirm deactivation.
switch:admin> msplmgmtdeactivate
MS Platform Service is currently enabled.
This will erase MS Platform Service configuration information as well as database in the entire fabric.
Would you like to continue this operation? (yes, y, no, n): [no] y
Request to deactivate MS Platform Service in progress......
To add a member to the ACL
1. Connect to the switch and log in as admin.
2. Enter the msConfigure command. The command becomes interactive.
3. At the select prompt, enter 2 to add a member based on its port/node WWN.
4. Enter the WWN of the host to be added to the ACL.
5. At the prompt, enter 1 to verify the WWN you entered was added to the ACL.
6. After verifying that the WWN was added correctly, enter 0 at the prompt to end the session.
7. At the “Update the FLASH?” prompt, enter y.
8.
16. Press Enter to update the nonvolatile memory and end the session.
switch:admin> msconfigure
0 Done
1 Display the access list
2 Add member based on its Port/Node WWN
3 Delete member based on its Port/Node WWN
select : (0..3) [1] 3
Port/Node WWN (in hex): [00:00:00:00:00:00:00:00] 20:00:00:20:37:65:ce:aa
*WWN is successfully deleted from the MS ACL.
0 Done
1 Display the access list
2 Add member based on its Port/Node WWN
3 Delete member based on its Port/Node WWN
select : (0..
The contents of the management server platform database are displayed.
switch:admin> msplatshow
----------------------------------------------------------
Platform Name: [9] "first obj"
Platform Type: 5 : GATEWAY
Number of Associated M.A.: 1
[35] "http://java.sun.
3. Press y to disable the discovery feature.
4. Enter the mstdDisable all command to disable the discovery feature on the entire fabric.
5. Press y to disable the discovery feature.
NOTE: Disabling management server topology discovery might erase all NID entries.
switch:admin> mstddisable
This may erase all NID entries. Are you sure? (yes, y, no, n): [no] y
Request to disable MS Topology Discovery Service in progress....
*MS Topology Discovery disabled locally.
14 Working with diagnostic features
This chapter provides information on diagnostics and how to display system, port, and specific hardware information. It also describes how to set up system logging mapping (syslogd) and how to set up the offloading of error messages (supportSave).
About Fabric OS diagnostics
The purpose of the diagnostic subsystem is to evaluate the integrity of the system hardware.
The following example shows a typical boot sequence, including POST messages:
The system is coming up, please wait...
Read board ID of 0x80 from addr 0x23
Read extended model ID of 0x16 from addr 0x22
Matched board/model ID to platform index 4
PCI Bus scan at bus 0
:
:
:
Checking system RAM - press any key to stop test
Checking memory address: 00100000
System RAM test using Default POST RAM Test succeeded.
Press escape within 4 seconds to enter boot interface.
Booting "Fabric Operating System" image.
To view the overall status of the switch
1. Connect to the switch and log in as admin.
2. Enter the switchStatusShow command:
switch:admin> switchstatusshow
Switch Health Report
Switch Name: SWFCR
IP address: 10.33.54.
To display the uptime for a switch
1. Connect to the switch and log in as admin.
2. At the command line, enter the uptime command:
switch:admin> uptime
4:43am up 1 day, 12:32, 1 user, load average: 1.29, 1.31, 1.27
switch:admin>
The uptime command displays the length of time the system has been in operation, the total cumulative amount of uptime since the system was first powered-on, the date and time of the last reboot (applies only to FOS v3.x and v2.6.
To display the port statistics 1. Connect to the switch and log in as admin. 2. At the command line, enter the portStatsShow command. Port statistics include information such as number of frames received, number of frames sent, number of encoding errors received, and number of class 2 and class 3 frames received. Refer to the Fabric OS Command Reference Manual for additional portStatsShow command information, such as the syntax for slot or port numbering.
To display a summary of port errors for a switch
1. Connect to the switch and log in as admin.
2. At the command line, enter the portErrShow command. Refer to the Fabric OS Command Reference Manual for additional portErrShow command information.
switch:admin> porterrshow
          frames      enc    crc    too    too    bad    enc   disc   link   loss   loss   frjt   fbsy
       tx     rx      in     err    shrt   long   eof    out    c3    fail   sync   sig
=====================================================================================================
  0:   22     24      0      0      0      0      0    1.5m     0      7      3      0      0      0
  1:   22     24      0      0      0      0      0    1.
Error Type   Description
frjt         Frames rejected with F_RJT
fbsy         Frames busied with F_BSY
Viewing equipment status
You can display status for fans, power supply, and temperature.
NOTE: The number of fans, power supply units, and temperature sensors depends on the switch type. For detailed specifications on these components, refer to the switch install guide.
The specific output from the status commands varies depending on the switch type.
To display the status of the fans
1.
To display temperature status
1. Connect to the switch and log in as admin.
2. At the command line, enter the tempShow command:
switch:admin> tempshow
Index  Status  Centigrade  Fahrenheit
---------------------------------------------------
  1    OK      21          70
  2    OK      22          72
  3    OK      29          84
  4    OK      24          75
  5    OK      25          77
switch:admin>
Information displays for each temperature sensor in the switch. The possible temperature status values are:
OK—Temperature is within acceptable range.
FAIL—Temperature is outside of acceptable range.
Viewing the port log The Fabric OS maintains an internal log of all port activity. The port log stores entries for each port as a circular buffer. Each port has space to store 8000 log entries. When the log is full, the newest log entries overwrite the oldest log entries. Port logs are not persistent and are lost over power-cycles and reboots. If the port log is disabled, an error message displays. NOTE: Port log functionality is completely separate from the system message log.
Because a portLogDump output is long, a truncated example is presented:
switch:admin> portlogdump
time          task   event  port  cmd  args
------------------------------------------------
16:30:41.780  PORT   Rx     9     40   02fffffd,00fffffd,0061ffff,14000000
16:30:41.780  PORT   Tx     9     0    c0fffffd,00fffffd,0061030f
16:30:42.503  PORT   Tx     9     40   02fffffd,00fffffd,0310ffff,14000000
16:30:42.505  PORT   Rx     9     0    c0fffffd,00fffffd,03100062
16:31:00.464  PORT   Rx     9     20   02fffc01,00fffca0,0063ffff,01000000
16:31:00.
In this example, Fabric OS messages map to local7 facility level 7 in the /etc/syslog.conf file:
local7.emerg      /var/adm/swcritical
local7.alert      /var/adm/alert7
local7.crit       /var/adm/crit7
local7.err        /var/adm/swerror
local7.warning    /var/adm/swwarning
local7.notice     /var/adm/notice7
local7.info       /var/adm/swinfo
local7.debug      /var/adm/debug7
If you prefer to map Fabric OS severities to a different UNIX local7 facility level, see ”To set the facility level” on page 303.
Viewing and saving diagnostic information Enter the supportShow command to dump important diagnostic and status information to the session screen, where you can review it or capture its data. To save a set of files that customer support technicians can use to further diagnose the switch condition, enter the supportSave command.
To enable the automatic transfer of trace dumps
1. Connect to the switch and log in as admin.
2. Enter the following command:
switch:admin> traceftp -e
To set up periodic checking of the remote server
1. Connect to the switch and log in as admin.
2. Enter the following command:
switch:admin> supportftp -t interval
The interval is in hours. The minimum interval is 1 hour. Specify 0 hours to disable the checking feature.
To save a comprehensive set of diagnostic files to the server
1.
15 Troubleshooting
This chapter provides information on troubleshooting and the most common procedures used to diagnose and recover from problems. It also includes specific troubleshooting scenarios as examples.
About troubleshooting
Troubleshooting should begin at the center of the SAN — the fabric. Because switches are located between the hosts and storage devices and have visibility into both sides of the storage network, starting with them can help narrow the search path.
Gathering information for technical support If you are troubleshooting a production system, you need to gather data quickly. As soon as a problem is observed, perform the following tasks (if using a dual CP system, run the commands on both CPs): 1. Enter the supportSave command to save RASLOG, TRACE, and supportShow (active CP only) information for the local CP to a remote FTP location. On a dual CP system, only the local CP information is saved and supportShow information is not available on the active CP.
Use the following steps to retrieve as many of the following informational items as possible prior to contacting HP.
1. Switch information:
• Serial number (located on the chassis)
• World Wide Name (obtain using the licenseIdShow or wwn commands)
• Fabric OS version (obtain using the version command)
• Switch configuration settings
• supportSave output
• pdShow and saveCore output
2.
2. Regardless of the device’s zoning, the fcPing command sends the ELS frame to the destination port. A device can take any one of the following actions:
• Send an ELS Accept to the ELS request.
• Send an ELS Reject to the ELS request.
• Ignore the ELS request.
There are some devices that do not support the ELS ECHO request. In these cases, the device will either not respond to the request or send an ELS reject.
To check the Name Server (NS) 1.
To check for zoning problems
1. Enter the cfgActvShow command to determine if zoning is enabled. If zoning is enabled, it is possible that the problem is being caused by zoning enforcement (for example, two devices in different zones cannot see each other).
2. Confirm that the specific edge devices that need to communicate with each other are in the same zone.
• If they are in the same zone, perform the following tasks:
• Enter the portCamShow command on the host port to verify that the target is present.
8. Enter the configure command to edit the fabric parameters for the segmented switch. Refer to the Fabric OS Command Reference Manual for more detailed information. 9. Enable the switch by entering the switchEnable command. Alternatively, you can reconcile fabric parameters by entering the configUpload command for each switch. To download a correct configuration You can restore a segmented fabric by downloading a previously saved correct backup configuration to the switch.
Table 67 summarizes commands that are useful for debugging zoning issues.
Table 67 Commands for debugging zoning
Command     Function
aliCreate   Use to create a zone alias.
aliDelete   Use to delete a zone alias.
cfgCreate   Use to create a zone configuration.
cfgShow     Displays zoning configuration.
defZone     Sets the default zone access mode to No Access, initializes a zoning transaction (if one is not already in progress), and creates the reserved zoning objects.
To edit zone configuration members
1. Log in to one of the switches in a segmented fabric as admin.
2. Enter the cfgShow command.
3. Print the output from the cfgShow command.
4. Start another telnet session and connect to the next fabric as an administrator.
5. Run the cfgShow command.
6. Print the output from the cfgShow command.
7. Compare the two fabric zone configurations line by line and look for an incompatible configuration.
8. Connect to one of the fabrics.
9.
Correcting I2C bus errors I2C bus errors generally indicate defective hardware or poorly seated devices or blades; the specific item is listed in the error message. Refer to the Fabric OS System Error Message Reference Manual for information specific to the error that was received. Some CPT and Environmental Monitor (EM) messages contain I2C-related information. If the I2C message does not indicate the specific hardware that might be failing, begin debugging the hardware, as this is the most likely cause.
Correcting device login issues
To try to pinpoint problems with device logins, use this procedure:
1. Log in to the switch as admin.
2. Enter the switchShow command; then, check for correct logins:
switch:admin> switchshow
switchName: sw094135
switchType: 26.
4. Enter the portErrShow command; then, check for errors that can cause login problems.
5.
6. Enter the portLogDumpPort portid command, where portid is the port number; then, view the device to switch communication.
switch:admin> portlogdumpport 10
time          task  event    port  cmd  args
------------------------------------------------
12:38:21.590  SPEE  sn       10    WS   00000000,00000000,00000000
12:38:21.591  SPEE  sn       10    WS   000000ee,00000000,00000000
12:38:21.611  SPEE  sn       10    WS   00000001,00000000,00000000
12:38:21.871  SPEE  sn       10    NC   00000002,00000000,00000001
12:38:21.872  LOOP  loopscn  10    LIP  8002
12:38:22.
Identifying media-related issues
This section provides procedures that help pinpoint any media-related issues in the fabric. The tests listed in Table 68 are a combination of structural and functional tests that can be used to provide an overview of the hardware components and help identify media-related issues.
• Structural tests perform basic testing of the switch circuit. If a structural test fails, replace the main board or port blade.
To test a switch’s internal components
1. Connect to the switch and log in as admin.
2. Connect the port you want to test to any other switch port with the cable you want to test.
3. Enter the crossporttest -lb_mode 5 command, where 5 is the operand that causes the test to be run on the internal switch components. The following is a partial list of options; refer to the Fabric OS Command Reference Manual for additional command information:
[-nframes count]—Specify the number of frames to send.
Correcting link failures
A link failure occurs when a server or storage is connected to a switch, but the link between the server/storage and the switch does not come up. This prevents the server/storage from communicating through the switch. If the switchShow command or LEDs indicate that the link has not come up properly, use one or more of the following procedures.
To determine if the negotiation was successfully completed
The port negotiates the link speed with the opposite side.
3. Skip point-to-point initialization. The switch changes to point-to-point initialization after the Loop Initialization Soft Assigned (LISA) phase of the loop initialization. This behavior sometimes causes trouble with old HBAs. If this is the case, skip point-to-point initialization by using the portCfgLport command.
To check for a point-to-point initialization failure
1. Enter the switchShow command to confirm that the port is active and has a module that is synchronized.
Correcting marginal links A marginal link involves the connection between the switch and the edge device. Isolating the exact cause of a marginal link involves analyzing and testing many of the components that make up the link (including the switch port, switch SFP, cable, the edge device, and the edge device SFP). To troubleshoot a marginal link: 1. Enter the portErrShow command.
5. You will need an adapter to run the loopback test for the SFP. Otherwise, run the portloopbacktest on the marginal port using the loopback mode lb=5. Refer to the Fabric OS Command Reference Manual for additional information.
Loopback mode   Description
1               Port Loopback (loopback plugs)
2               External (SERDES) loopback
5               Internal (parallel) loopback (indicates no external equipment)
7               Back-end bypass & port loopback
8               Back-end bypass & SERDES loopback
9               Back-end bypass & internal loopback
6.
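Both the port-error summary (portErrShow) in the diagnostics chapter and the marginal-link procedure above come down to reading the same counter table. As an added example (not Fabric OS code), the following Python parses porterrshow output, expands the k/m/g counter suffixes and flags ports whose watched counters exceed a threshold; the sample output and the thresholds are this example's own constructions.

```python
"""Parse Fabric OS porterrshow output and flag ports whose counters suggest a marginal link."""
import re
from decimal import Decimal

# Column order of the porterrshow table, matching its two-line header.
COLUMNS = (
    "frames_tx", "frames_rx", "enc_in", "crc_err", "too_shrt", "too_long",
    "bad_eof", "enc_out", "disc_c3", "link_fail", "loss_sync", "loss_sig",
    "frjt", "fbsy",
)

# porterrshow abbreviates large counters with a suffix (1.5m = 1,500,000).
_SUFFIX = {"": 1, "k": 1_000, "m": 1_000_000, "g": 1_000_000_000}

# Counters the marginal-link procedure examines, with the limit above which a
# port is reported. The limits are this example's own choice, not Fabric OS defaults.
WATCHED = {"enc_in": 0, "crc_err": 0, "enc_out": 1_000,
           "link_fail": 0, "loss_sync": 0, "loss_sig": 0}

# Constructed sample, modelled on the porterrshow example in the diagnostics chapter.
SAMPLE_OUTPUT = """\
switch:admin> porterrshow
          frames      enc    crc    too    too    bad    enc   disc   link   loss   loss   frjt   fbsy
       tx     rx      in     err    shrt   long   eof    out    c3    fail   sync   sig
=====================================================================================================
  0:   22     24      0      0      0      0      0    1.5m     0      7      3      0      0      0
  1:   22     24      0      0      0      0      0      0      0      0      0      0      0      0
  2:  4.2k   3.9k     0     12      0      0      0      0      0      0     15      2      0      0
3/4:    0      0      0      0      0      0      0      0      0      0      0      0      0      0
"""


def parse_counter(token: str) -> int:
    """Convert a porterrshow counter such as '22', '4.2k' or '1.5m' to an integer."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([kmg]?)", token)
    if not m:
        raise ValueError(f"unexpected counter value: {token!r}")
    return int(Decimal(m.group(1)) * _SUFFIX[m.group(2)])


def parse_porterrshow(text: str) -> dict[str, dict[str, int]]:
    """Return {port_label: {column: value}} for every data row in the output.

    Port labels are kept as strings so that director-style slot/port labels
    such as '3/4' are handled the same way as plain port numbers.
    """
    ports: dict[str, dict[str, int]] = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+(?:/\d+)?):\s+(.*\S)", line)
        if not m:
            continue  # prompt, header or separator line
        values = m.group(2).split()
        if len(values) != len(COLUMNS):
            raise ValueError(f"port {m.group(1)}: expected {len(COLUMNS)} counters, got {len(values)}")
        ports[m.group(1)] = dict(zip(COLUMNS, (parse_counter(v) for v in values)))
    return ports


def flag_marginal_ports(ports: dict[str, dict[str, int]]) -> dict[str, list[str]]:
    """Return {port_label: [counter names over their limit]} for ports worth a closer look."""
    flagged: dict[str, list[str]] = {}
    for label, counters in ports.items():
        hits = [name for name, limit in WATCHED.items() if counters[name] > limit]
        if hits:
            flagged[label] = hits
    return flagged


if __name__ == "__main__":
    for label, hits in flag_marginal_ports(parse_porterrshow(SAMPLE_OUTPUT)).items():
        print(f"port {label}: check {', '.join(hits)}")
```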
• VE_Port—Functions somewhat like an E_Port, but terminates at the switch and does not propagate fabric services or routing topology information from one edge fabric to another.
• VEX_Port—A type of VE_Port that connects a Fibre Channel router to an edge fabric. From the point of view of a switch in an edge fabric, a VEX_Port appears as a normal VE_Port. It follows the same Fibre Channel protocol as other VE_Ports.
Supported hardware
Port mirroring is supported on Condor-based ASIC platforms, including:
• SAN Switch 4/32
• SAN Switch 4/32B
• 4/64 SAN Switch
• 400 MP Router
• 4/256 SAN Director with chassis option 5
Port mirroring can be used on the following blades within a chassis:
• FC4-32 32-port blade
• FC4-16 16-port blade
• FC4-48 48-port blade
• FR4-18i routing & FCIP blade
• FC4-16IP iSCSI blade on FC ports only
The FC4-48 implements port pairing, meaning that two ports share the same area.
How port mirroring works Port mirroring reroutes the data frames between two devices to the mirror port. Rerouting introduces latency for the data flow. The latency depends on the location of the mirror port. For a given port, the traffic received from the point of view of the switch can be captured before leaving this ASIC. Each user port is connected to an ASIC port. The user port's ingress traffic is routed to another user port on this chip, uplinks to the core switch, or E_Ports to remote domains.
There are two types of transmit filter installation:
• If the E_Port is on the same chip, port mirroring installs an egress (transmitted information) filter on the source port.
• If the E_Port is on a different chip, port mirroring installs the filter on the C_Ports of the other chip.
To better explain how the transmit filter works on each of these types, the method used for both types is described as follows:
• Traffic is received at the E_Ports destined to a source port.
Creating, deleting, and displaying port mirroring
The following section describes how to use the port mirroring feature in the fabric. The method for adding a port mirror connection between two local switch ports and between a local switch port and a remote switch port is the same.
To add a port mirror connection
1. Log in to the switch as admin.
2.
The switchShow command output shows the mirror port as shown in the following example.
switch:admin> switchshow
switchName:ESS118
switchType: 42.
16 Administering NPIV
N-Port ID Virtualization (NPIV) enables a single Fibre Channel protocol port to appear as multiple, distinct ports, providing separate port identification within the fabric for each operating system image behind the port (as if each operating system image had its own unique physical port). NPIV assigns a different virtual port ID to each Fibre Channel protocol device. NPIV is designed to enable you to allocate virtual addresses without impacting your existing hardware implementation.
The following example shows the configuration of these parameters:
switch:admin> switchdisable
switch:admin> configure
Configure...
Fabric parameters (yes, y, no, n): [no]
Virtual Channel parameters (yes, y, no, n): [no]
F-Port login parameters (yes, y, no, n): [no] y
Maximum logins per switch: (1..4032) [4032] 2048
Maximum logins per port: (1..255) [255] 126
. . .
output indicates whether or not a port is an NPIV F_Port, and identifies the number of virtual N_Ports behind it. Following is sample output from the switchShow command:
switch:admin> switchshow
switchName:swd77
switchType:32.
Use the portShow command to view the NPIV attributes and all the N_Port (physical and virtual) port WWNs under “portWwn of device(s) connected.” Following is sample output for portShow:
switch:admin> portshow 2
portName: 02
portHealth: HEALTHY
Authentication: None
portDisableReason: None
portCFlags: 0x1
portFlags: 0x24b03 PRESENT ACTIVE F_PORT G_PORT NPIV LOGICAL_ONLINE LOGIN NOELP LED ACCEPT
portType: 10.
17 Administering Advanced Performance Monitoring (APM)
Based on Frame Filtering technology and a unique performance counter engine, Advanced Performance Monitoring (APM) is a comprehensive tool for monitoring the performance of networked storage resources. It supports direct-attach, loop, and switched fabric Fibre Channel SAN topologies by:
• Monitoring transaction performance from source to destination.
• Reporting cyclic redundancy check (CRC) error measurement statistics.
Table 72 lists commands associated with Advanced Performance Monitoring. Advanced Performance Monitor commands are available only to users with the admin or switchAdmin roles. For detailed information on these commands, refer to the Fabric OS Command Reference Manual.
Table 72 APM commands
Command | Description
perfAddEEMonitor | Add an end-to-end monitor to a port.
perfAddIPMonitor | Add an IP monitor to a port.
perfAddReadMonitor | Add a SCSI Read monitor to a port.
Displaying and clearing the CRC error count
You can use the perfShowAlpaCrc command to display the CRC error count for all AL_PA devices or for a single AL_PA on a specific active L_Port.
Example: Displaying the CRC error count for all AL_PA devices on a port
switch:admin> perfshowalpacrc 1/1
AL_PA  CRC count
-------------------
0xd9   0
Example: Displaying the CRC error count for a single AL_PA device on a port
switch:admin> perfshowalpacrc 1/1, 0xd9
The CRC count at ALPA 0xd9 on port 1 is 0x000000000.
Adding end-to-end monitors An end-to-end monitor counts the following items for a port: number of words received, number of words transmitted, and number of CRC errors detected in frames. 4/16 SAN Switch and 4/8 SAN Switch, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, and SAN Director 2/128 models allow up to eight end-to-end monitors.
Add Monitor 0 to slot 2, port 2 on Switch x, specifying 0x051200 as the SID and 0x111eef as the DID, as shown in the following example: Monitor 0 counts the frames that have an SID of 0x051200 and a DID of 0x111eef. For monitor 0, RX_COUNT is the number of words from Host A to Dev B, TX_COUNT is the number of words from Dev B to Host A, and CRC_COUNT is the number of frames in both directions with CRC errors.
The mask is applied to all end-to-end monitors on the port. Individual masks for each monitor on the port cannot be specified.
Figure 21 Mask positions for end-to-end monitors
[Figure: the four operands of perfsetporteemask 1/2, “00:00:ff” “00:00:ff” “00:00:ff” “00:00:ff” are, in order, the SID mask and DID mask for frames received by the port, then the SID mask and DID mask for frames transmitted from the port; within each mask the three bytes are the Domain ID mask, the Area ID mask, and the AL_PA mask.]
To display the current end-to-end mask of a port
Enter the perfShowPortEeMask command.
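The counting rules for monitor 0 (RX_COUNT for Host A to Dev B words, TX_COUNT for the reverse direction, CRC_COUNT for both) and the byte-wise SID/DID masks of perfSetPortEeMask are easier to reason about in code. The following is an added example, not code from the guide or from Fabric OS: a software model of one end-to-end monitor, with the 24-bit port ID split as domain:area:AL_PA so that a mask of "00:00:ff" compares only the AL_PA byte. The frames, the Frame/EEMonitor/PortEEMask types, and the helper names are all constructed for this illustration.

```python
# Added example (not from the Fabric OS guide): a software model of how an
# end-to-end (EE) monitor counts traffic under the port-wide perfSetPortEeMask
# masks. Port IDs use the Fibre Channel 24-bit layout domain:area:AL_PA, so a
# mask of "00:00:ff" compares only the AL_PA byte. All frames are constructed.
from dataclasses import dataclass


def parse_addr(text: str) -> int:
    """Parse a 24-bit port ID or mask written as '0x051200' or '05:12:00'."""
    text = text.strip().lower()
    if text.startswith("0x"):
        value = int(text, 16)
    else:
        domain, area, alpa = (int(b, 16) for b in text.split(":"))
        value = (domain << 16) | (area << 8) | alpa
    if not 0 <= value <= 0xFFFFFF:
        raise ValueError(f"not a 24-bit value: {text}")
    return value


@dataclass
class Frame:
    sid: int             # source port ID
    did: int             # destination port ID
    words: int           # frame length in 4-byte words
    crc_error: bool = False


@dataclass
class EEMonitor:
    """One EE monitor: the SID/DID pair it watches plus its three counters."""
    sid: int
    did: int
    rx_count: int = 0    # words flowing SID -> DID (received by the port)
    tx_count: int = 0    # words flowing DID -> SID (transmitted from the port)
    crc_count: int = 0   # frames with CRC errors, both directions


@dataclass
class PortEEMask:
    """Port-wide mask: SID and DID masks for the receive and transmit sides."""
    rx_sid: int = 0xFFFFFF
    rx_did: int = 0xFFFFFF
    tx_sid: int = 0xFFFFFF
    tx_did: int = 0xFFFFFF


def _same(a: int, b: int, mask: int) -> bool:
    return (a & mask) == (b & mask)


def count_frame(mon: EEMonitor, mask: PortEEMask, frame: Frame) -> bool:
    """Apply one frame to the monitor; return True if the frame was counted."""
    if _same(frame.sid, mon.sid, mask.rx_sid) and _same(frame.did, mon.did, mask.rx_did):
        mon.rx_count += frame.words            # Host A -> Dev B direction
    elif _same(frame.sid, mon.did, mask.tx_sid) and _same(frame.did, mon.sid, mask.tx_did):
        mon.tx_count += frame.words            # Dev B -> Host A direction
    else:
        return False
    if frame.crc_error:
        mon.crc_count += 1
    return True


# Constructed traffic: Host A is 0x051200 and Dev B is 0x111eef, the SID/DID
# of the guide's monitor 0. The last frame comes from a different domain but
# shares Host A's AL_PA, so only an AL_PA-only mask lets it match.
SAMPLE_FRAMES = [
    Frame(0x051200, 0x111EEF, 512),
    Frame(0x111EEF, 0x051200, 64),
    Frame(0x111EEF, 0x051200, 128, crc_error=True),
    Frame(0x071200, 0x111EEF, 256),
]


def run_monitor(mask_text: str, frames=SAMPLE_FRAMES) -> EEMonitor:
    """Count the sample frames with the same mask applied at all four positions."""
    m = parse_addr(mask_text)
    mon = EEMonitor(parse_addr("0x051200"), parse_addr("0x111eef"))
    mask = PortEEMask(m, m, m, m)
    for frame in frames:
        count_frame(mon, mask, frame)
    return mon


if __name__ == "__main__":
    for text in ("ff:ff:ff", "00:00:ff"):
        print(text, run_monitor(text))
```

With the full "ff:ff:ff" mask the fourth frame is ignored; with "00:00:ff" it is added to RX_COUNT, which is exactly the kind of over-matching to keep in mind when a loosened mask is applied port-wide to every monitor.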
Monitoring filter-based performance Filter-based performance monitoring counts the number of times a frame with a particular pattern is transmitted by a port. Filter-based monitoring is achieved by configuring a filter for a particular purpose. The filter can be a standard filter (for example, a SCSI read command filter that counts the number of SCSI read commands that have been transmitted by the port) or a user-defined filter customized for your particular use.
Example: Add filter-based monitors to slot 1, port 2 and display the results
switch:admin> perfaddreadmonitor 1/2
SCSI Read filter monitor #0 added
switch:admin> perfaddwritemonitor 1/2
SCSI Write filter monitor #1 added
switch:admin> perfaddrwmonitor 1/2
SCSI Read/Write filter monitor #2 added
switch:admin> perfaddscsimonitor 1/2
SCSI traffic frame monitor #3 added
switch:admin> perfaddipmonitor 1/2
IP traffic frame monitor #4 added
switch:admin> perfmonitorshow --class FLT 1/2
There are 5 filter-based mo
• 4/16 SAN Switch and 4/8 SAN Switch models (Fabric OS v5.0.1)
Up to 7 different offsets per port (6 offsets when FMS is enabled). You can specify up to four values to compare against each offset. If more than one offset is required to properly define a filter, the bytes found at each offset must match one of the given values for the filter to increment its counter. If one or more of the given offsets does not match any of the given values, the counter does not increment.
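The offset/value matching rule above (every offset must match one of its values, otherwise the counter stays put) and the per-port offset budget are shown below in an added example; it is not code from the guide or from Fabric OS. The byte layout of the sample frames (byte 0, byte 8, byte 20) is a constructed stand-in, not the real Fibre Channel header layout, and the FilterMonitor/PortFilters names are this example's own.

```python
# Added example (not from the Fabric OS guide): a model of a user-defined
# filter-based monitor. A filter is a set of frame offsets, each with up to
# four allowed byte values; the counter increments only when the byte at every
# offset matches one of that offset's values. The per-port limits follow the
# guide's 4/16 SAN Switch note (7 offsets per port, 6 when FMS is enabled,
# 4 values per offset). The frame layout used by the sample frames is
# constructed for illustration, not the real Fibre Channel header layout.
MAX_VALUES_PER_OFFSET = 4


class FilterMonitor:
    def __init__(self, name: str, spec: dict[int, list[int]]):
        for offset, values in spec.items():
            if not 0 < len(values) <= MAX_VALUES_PER_OFFSET:
                raise ValueError(f"{name}: offset {offset} needs 1..{MAX_VALUES_PER_OFFSET} values")
        self.name = name
        self.spec = {off: set(vals) for off, vals in spec.items()}
        self.count = 0

    def matches(self, frame: bytes) -> bool:
        """All offsets must match; a frame too short to reach an offset fails."""
        return all(off < len(frame) and frame[off] in vals
                   for off, vals in self.spec.items())

    def observe(self, frame: bytes) -> bool:
        hit = self.matches(frame)
        if hit:
            self.count += 1
        return hit


class PortFilters:
    """Filters on one port, sharing the port's budget of distinct offsets."""

    def __init__(self, fms_enabled: bool = False):
        self.max_offsets = 6 if fms_enabled else 7
        self.monitors: list[FilterMonitor] = []

    def add(self, mon: FilterMonitor) -> FilterMonitor:
        used = {off for m in self.monitors for off in m.spec} | set(mon.spec)
        if len(used) > self.max_offsets:
            raise ValueError(f"port offset budget ({self.max_offsets}) exceeded")
        self.monitors.append(mon)
        return mon

    def observe(self, frame: bytes) -> list[str]:
        """Feed one frame to every monitor; return the names that counted it."""
        return [m.name for m in self.monitors if m.observe(frame)]


# Constructed sample layout: byte 0 = command-class byte, byte 8 = protocol
# byte, byte 20 = SCSI CDB opcode. Positions chosen for the example only.
def make_frame(ctl: int, proto: int, opcode: int) -> bytes:
    frame = bytearray(32)
    frame[0], frame[8], frame[20] = ctl, proto, opcode
    return bytes(frame)


def run_port_filters() -> dict[str, int]:
    """Run constructed frames through a SCSI-read and a SCSI-write filter."""
    port = PortFilters()
    port.add(FilterMonitor("scsi_read", {0: [0x06], 8: [0x08], 20: [0x08, 0x28, 0xA8, 0x88]}))
    port.add(FilterMonitor("scsi_write", {0: [0x06], 8: [0x08], 20: [0x0A, 0x2A, 0xAA, 0x8A]}))
    frames = [
        make_frame(0x06, 0x08, 0x28),   # read: every offset matches
        make_frame(0x06, 0x08, 0x2A),   # write: every offset matches
        make_frame(0x06, 0x05, 0x28),   # protocol byte wrong: no counter moves
        make_frame(0x06, 0x08, 0x12),   # opcode in neither value list
        b"\x06\x08",                    # too short to reach offsets 8 and 20
    ]
    for f in frames:
        port.observe(f)
    return {m.name: m.count for m in port.monitors}
```

Two filters that reuse the same offsets (0 and 8 here) consume that offset budget only once, which is why the add() check unions the offsets already in use rather than summing per filter.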
The following example displays the monitors on slot 1, port 4 using the perfShowFilterMonitor command (the monitor numbers are listed in the KEY column) and deletes monitor number 1 on slot 1, port 4 using the perfDelFilterMonitor command:
switch:admin> perfshowfiltermonitor 1/4
There are 4 filter-based monitors defined on port 4.
Displaying monitor counters Use the perfMonitorShow command to display the monitors on a specified port. For end-to-end counters, you can display either the cumulative count of the traffic detected by the monitors or a snapshot of the traffic at specified intervals.
Example: Displaying EE monitors on a port
switch:admin> perfMonitorShow --class EE 4/5
There are 7 end-to-end monitor(s) defined on port 53.
Clearing monitor counters Before you clear statistics counters, verify the valid monitor numbers on a specific port using the perfMonitorShow command, to make sure the correct monitor counters are cleared. To clear statistics counters for all or a specified monitor, use the perfMonitorClear command. After the command has been executed, the telnet shell confirms that the counters on the monitor have been cleared.
Saving and restoring monitor configurations
To save the current end-to-end and filter monitor configuration settings into nonvolatile memory, use the perfCfgSave command:
switch:admin> perfcfgsave
This will overwrite previously saved Performance Monitoring settings in FLASH.
Do you want to continue? (yes, y, no, n): [no] y
Please wait ...
Performance monitoring configuration saved in FLASH.
To restore a saved monitor configuration, use the perfCfgRestore command.
18 Administering Extended Fabrics
This chapter contains procedures for using the Extended Fabrics licensed feature, which extends the distance that interswitch links (ISLs) can reach over a dark fiber or DWDM connection. The Extended Fabrics feature is not used over FCIP connections over IP WANs. To use extended ISL modes, you must first install the Extended Fabrics license. For details on obtaining and installing licensed features, refer to ”Maintaining licensed software features” on page 36.
See Configuring Directors, page 203 for details about port blade nomenclature. For the following switches, buffer credits are used by all ports on the chip. Buffer-limited port technology allows all ports to remain operational, even when extended links are in use.
Extended ISL modes for switches that integrate the Bloom ASIC Table 75 lists the extended ISL modes for switches that have a Bloom ASIC. You can configure extended ISL modes with the portCfgLongDistance command when the Extended Fabrics license is activated.
Extended ISL modes for 4/8 or 4/16 SAN Switches (Goldeneye ASIC)
Table 76 lists the extended ISL modes for the 4/8 SAN Switch or 4/16 SAN Switch (Goldeneye ASIC).
Table 76 4/8 SAN Switch or 4/16 SAN Switch extended ISL modes (Goldeneye ASIC)
Mode | Buffer allocation at 1 Gbps / 2 Gbps / 4 Gbps | Distance @ 1 Gbps | Distance @ 2 Gbps | Distance @ 4 Gbps | Earliest Fabric OS release | Extended Fabrics license required?
L0 | 3(17)a / 3(17) / 3(17) | 6 km | 3 km | 1.
(rows for modes LE and L0.5 follow)
Extended ISL modes for 4/32B SAN Switch, 400 MP Router, 4/256 SAN Director switches, and FR4-18i blade (Condor ASIC) Table 77 lists the extended ISL modes for switches and blades that have a Condor ASIC.
SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, SAN Director 2/128, and 4/256 SAN Director (FC2-16 port blades)
Table 79 lists the number of ports that can be configured per port group at various distances.
Brocade 4Gb SAN Switch for c-Class BladeSystem
Table 82 lists the number of ports that can be configured at various distances. Note that for the Brocade 4Gb SAN Switch for c-Class BladeSystem, exact distances (rather than set, incremental distances) are used.
Table 82 Brocade 4Gb SAN Switch for c-Class BladeSystem
Speed (Gbps) | Number of ports allowed at distance (km): 1 port | Up to 2 ports | Up to 3 ports | Up to 4 ports | Up to 5 ports | Up to 6 ports | Up to 7 ports | Up to 8 ports
1 | 38 km | 30 km | 27.
4/256 SAN Director (FC4-16 port blades) Table 86 lists the number of ports that can be configured at various distances.
4/256 SAN Director (FR4-18i blades) For the FR4-18i blade, long distance settings are applicable only to the physical FC_Ports (ports 0-15). Long distance settings are not applicable to virtual FC_Ports (ports 16-31). Table 90 lists the number of ports that can be configured at various distances.
Where:
slotnumber  Specify the slot number for SAN Director 2/128 and 4/256 SAN Director. This option is not applicable to fixed-port switches. The slot number must be followed by a slash (/) and the port number.
portnumber  Specify the port number.
distance_level  The value of distance_level can be one of the following (the numerical value representing each distance_level is shown in parentheses):
L0 (0)  Specify L0 to configure the port to be a regular switch port.
desired_distance Specify the desired distance, in kilometers, for the link. desired_distance is a required parameter to configure a port as an LD and LS-mode link. For an LD-mode link, the desired distance is used as the upper limit of the link distance to calculate buffer availability for other ports in the same port group. When the measured distance is more than desired_distance, the desired_distance is used to allocate the buffers.
19 Administering ISL Trunking
This chapter contains procedures for using the ISL Trunking licensed feature, which optimizes the use of bandwidth by allowing a group of interswitch links to merge into a single logical link.
Overview
ISL Trunking reduces or eliminates situations that require static traffic routes and individual ISL management to achieve optimal performance.
Connections between SAN Switch 4/32, SAN Switch 4/32B, 4/64 SAN Switch, and 4/256 SAN Director (using FC4-16 and FC4-32 port blades) models support these advanced features:
• Up to eight ports in one trunk group to create high performance 32-Gbit/sec ISL trunks between switches
• ISL Trunking over longer distances than other models
• Dynamic trunk master reassignment if a trunk master is disabled (on other platforms, all ports on a trunk must be disabled temporarily to reassign a master)
• 4 Gbit/sec trunk
• Each physical ISL uses two ports that could otherwise be used to attach node devices or other switches.
• Trunking groups can be used to resolve ISL oversubscription if the total capability of the trunking group is not exceeded.
• Consider how the addition of a new path will affect existing traffic patterns:
  • A trunking group has the same link cost as the master ISL of the group, regardless of the number of ISLs in the group.
Monitoring traffic To implement ISL Trunking effectively, you must monitor fabric traffic to identify congested paths or to identify frequently dropped links. While monitoring changes in traffic patterns, you can adjust the fabric design accordingly, such as by adding, removing, or reconfiguring ISLs and trunking groups in problem areas.
Enabling and disabling ISL trunking
You can enable or disable ISL Trunking for a single port or for an entire switch. When you execute the portCfgTrunkPort or switchCfgTrunk command to update the trunking configuration, the ports to which the configuration applies are disabled and re-enabled with the new trunk configuration. As a result, traffic through those ports could be disrupted.
To enable or disable ISL Trunking on one port
1. Connect to the switch and log in as admin.
2.
Setting port speeds
For long-distance ports, if a port is set to autonegotiate port speed, the maximum speed (which is 4 Gbit/sec) is assumed when reserving buffers for the port; this wastes buffers if the port is actually running at 2 Gbit/sec. For long-distance ports, it is best to set the port speed explicitly (this applies to SAN Switch 4/32, SAN Switch 4/32B and 4/256 SAN Director only). You can set the port speed for one port or for an entire switch. Trunked ports must be set to the same speed.
To set the speed for all of the ports on the switch
1. Connect to the switch and log in as admin.
2. Enter the switchCfgSpeed command. The format is:
switchcfgspeed speedlevel
speedlevel  Specifies the speed of the link:
• 0—Auto-negotiating mode. The port automatically configures for the highest speed.
• 1—One Gbit/sec mode. Fixes the port at a speed of one Gbit/sec. Changing the speed to one Gbit/sec causes the port to be excluded from the trunk group.
• 2—Two Gbit/sec mode.
This example shows three trunking groups (1, 2, and 3); ports 1, 4, and 14 are masters:
switch:admin> trunkshow
 1:  1->  1 10:00:00:60:69:04:10:83 deskew 16 Master
     0->  0 10:00:00:60:69:04:10:83 deskew 15
 2:  4->  4 10:00:00:60:69:04:01:94 deskew 16 Master
     5->  5 10:00:00:60:69:04:01:94 deskew 15
     7->  7 10:00:00:60:69:04:01:94 deskew 17
     6->  6 10:00:00:60:69:04:01:94 deskew 16
 3: 14-> 14 10:00:00:60:69:04:10:83 deskew 16 Master
    15-> 15 10:00:00:60:69:04:10:83 deskew 15
switch:admin>
Trunking over Extended
Troubleshooting trunking problems
If you have difficulty with trunking, try the solutions in this section.
Listing link characteristics
If a link that is part of an ISL Trunk fails, use the trunkDebug command to troubleshoot the problem, as shown in the following procedure:
1. Connect to the switch and log in as admin.
2. Enter the following command:
trunkDebug port port
port  Specifies the number of a port in an ISL Trunking group.
3. Change LD/L1/L2/L0.5 back to L0 (of non-buffer limited ports). 4. If you are in buffer-limited mode on the LD port, then increase the estimated distance. These changes are implemented only after disabling (portDisable) and enabling (portEnable) the buffer-limited port (or buffer-limited switch).
20 Administering Advanced Zoning
This chapter provides procedures for using the Advanced Zoning feature.
About Zoning
Zoning enables you to partition your SAN into logical groups of devices that can access each other. For example, you can partition your SAN into two zones, winzone and unixzone, so that your Windows servers and storage do not interact with your UNIX servers and storage. Zones can be configured dynamically.
Zone types
Table 88 summarizes the types of Zoning.
Table 88 Types of Zoning
Zone type | Description
Storage-based | Storage units typically implement LUN-based Zoning, also called LUN masking. LUN-based Zoning limits access to the LUNs on the storage port to the specific WWN of the server HBA. It is needed in most SANs. It functions during the probe portion of SCSI initialization. The server probes the storage port for a list of available LUNs and their properties.
Table 89 Approaches to fabric-based Zoning
Zoning approach | Description
Operating system | Zoning by operating system has issues similar to Zoning by application. In a large site, this type of zone can become very large and complex. When zone changes are made, they typically involve applications rather than a particular server type.
Zone aliases also simplify repetitive entry of zone objects such as port numbers or a WWN. For example, you can use the name “Eng” as an alias for “10:00:00:80:33:3f:aa:11”. A useful convention is to name zones for the initiator they contain. For example, if you use the alias SRV_MAILSERVER_SLT5 to designate a mail server in PCI slot 5, then the alias for the associated zone is ZNE_MAILSERVER_SLT5. This clearly identifies the server host bus adapter (HBA) associated with the zone.
• Prevents hosts from discovering unauthorized target devices.
• Ensures that the name server does not return any information to an unauthorized initiator in response to a name server query.
• Is exclusively enforced through selective information presented to end nodes through the fabric Simple Name Server (SNS). When an initiator queries the name server for accessible devices in the fabric, the name server returns only those devices that are in the same zone as the initiator.
Devices that are not part of the zone are not returned as accessible devices. Table 90 shows the various switch models, the hardware Zoning methodology for each, and tips for best usage.
Table 90 Enforcing hardware Zoning
Fabric type | Methodology | Best practice
HP StorageWorks 1 GB | Enables hardware-enforced Zoning only on domain, port zones; WWN or mixed zones are not hardware-enforced.
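The distinction drawn above, soft zoning that only filters what the name server reveals versus hardware-enforced zoning that also rejects frames, is modelled in the following added example. It is not code from the guide or from Fabric OS. The Device type, the helper names, every WWN and the zone and alias definitions are constructed sample data; the alias names "Eng" and "array1" echo the guide's own examples.

```python
# Added example (not from the Fabric OS guide): a model of zone enforcement.
# Soft zoning filters what the Simple Name Server returns to a querying
# initiator; hard zoning additionally rejects frames between devices that do
# not share a zone. Zone members may be "domain,port" pairs, port WWNs, or
# alias names, which are expanded first. All devices, aliases and zones below
# are constructed sample data.
from dataclasses import dataclass
import re

WWN_RE = re.compile(r"^([0-9a-f]{2}:){7}[0-9a-f]{2}$", re.IGNORECASE)
DOMAIN_PORT_RE = re.compile(r"^\d+,\d+$")


@dataclass(frozen=True)
class Device:
    name: str
    wwn: str        # port WWN presented at fabric login
    domain: int
    port: int

    @property
    def domain_port(self) -> str:
        return f"{self.domain},{self.port}"


def expand_aliases(members, aliases):
    """Replace alias names by their members (aliases do not nest here)."""
    out = []
    for m in members:
        out.extend(aliases[m] if m in aliases else [m])
    return out


def member_matches(member: str, dev: Device) -> bool:
    if DOMAIN_PORT_RE.match(member):
        return member == dev.domain_port
    if WWN_RE.match(member):
        return member.lower() == dev.wwn.lower()
    raise ValueError(f"unknown zone member syntax: {member!r}")


def zones_of(dev: Device, zones, aliases) -> set[str]:
    """Names of the zones whose (alias-expanded) member list covers dev."""
    return {name for name, members in zones.items()
            if any(member_matches(m, dev) for m in expand_aliases(members, aliases))}


def sns_query(initiator: Device, devices, zones, aliases) -> list[str]:
    """Soft zoning: names of the devices the name server reveals to initiator."""
    mine = zones_of(initiator, zones, aliases)
    return sorted(d.name for d in devices
                  if d != initiator and zones_of(d, zones, aliases) & mine)


def frame_permitted(src: Device, dst: Device, zones, aliases) -> bool:
    """Hard zoning: a frame passes only if src and dst share a zone."""
    return bool(zones_of(src, zones, aliases) & zones_of(dst, zones, aliases))


# Constructed sample fabric: a WWN-based alias and a domain,port alias.
ALIASES = {"Eng": ["10:00:00:80:33:3f:aa:11"], "array1": ["1,2"]}
ZONES = {"Blue_zone": ["Eng", "array1"], "Bobs_zone": ["4,5", "4,6"]}
DEVICES = [
    Device("eng_host", "10:00:00:80:33:3f:aa:11", 1, 1),
    Device("array_a", "50:06:01:60:3b:a0:1e:41", 1, 2),
    Device("bob_host", "10:00:00:00:c9:2f:11:22", 4, 5),
    Device("bob_tape", "50:01:10:a0:00:12:34:56", 4, 6),
    Device("rogue", "10:00:00:00:c9:ff:ff:ff", 4, 7),
]
BY_NAME = {d.name: d for d in DEVICES}

if __name__ == "__main__":
    for dev in DEVICES:
        print(dev.name, "sees", sns_query(dev, DEVICES, ZONES, ALIASES))
```

The "rogue" device at 4,7 belongs to no zone: sns_query returns nothing to it, and frame_permitted rejects its frames to the array even if it learned the array's address some other way, which is the property the guide's "if security is a priority, use hard Zoning" rule relies on.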
Figure 24 shows a fabric with four non-overlapping hardware-enforced zones.
Figure 24 Hardware-enforced non-overlapping zones
[Figure: zones WWN_Zone1, WWN_Zone2, Port_Zone1, and Port_Zone2 around a core switch, with the zone boundaries marked]
Figure 25 shows the same fabric components zoned in an overlapping fashion.
Figure 25 Hardware-enforced overlapping zones
[Figure: the same zones WWN_Zone1, WWN_Zone2, Port_Zone1, and Port_Zone2 around the core switch, with overlapping zone boundaries]
Any zone using both WWNs and domain, port entries on the 2 Gbit/sec platform relies on Name Server authentication as well as hardware-assisted (ASIC) authentication, which ensures that any PLOGI/ADISC/PDISC/ACC from an unauthorized device attempting to access a device it is not zoned with is rejected.
Rules for configuring zones
Observe the following rules when configuring zones.
• If security is a priority, you should use hard Zoning.
• The use of aliases is optional with Zoning, and using aliases requires structure when defining zones. However, aliases help administrators of a zoned fabric understand the structure and context.
• Evaluate the security requirements of the fabric. If additional security is required, add Secure Fabric OS into the fabric.
Broadcast zones do not function in the same way as other zones. A broadcast zone does not restrict access to its members in any way. If you want to restrict access to any devices in a broadcast zone, you must also include those devices in a regular zone. To restrict broadcast frames reaching broadcast-incapable devices, create a broadcast zone and populate it with the devices that are capable of handling broadcast packets.
• The broadcast zone for AD2 includes member devices “2,1”, “3,1”, and “4,1”. Even though “2,1” is a member of AD1, it is not a member of AD2 and so is not added to the consolidated broadcast zone.
• Device “3,1” is added to the consolidated broadcast zone because of its membership in the AD2 broadcast zone.
In the fabric shown in Figure 28, broadcast packets will be sent to devices “1,1”, “3,1”, and “4,1”. Broadcast frames can go across Admin Domain boundaries.
If the effective configuration has only a broadcast zone, then the configuration appears as a No Access configuration. To change this configuration to All Access, you must put all the available devices in a regular zone. See ”Activating default zones” on page 383 for additional information about default zoning. Creating and managing zone aliases A zone alias is a logical group of ports, WWNs, or AL_PAs.
3. Enter the cfgSave command to save the change to the defined configuration.
switch:admin> aliremove “array1”, “1,2”
switch:admin> aliremove “array2”, “21:00:00:20:37:0c:72:51”
switch:admin> aliremove “loop1”, “4,6”
switch:admin> cfgsave
You are about to save the Defined Zoning configuration. This action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled.
3. Enter the cfgSave command to save the change to the defined configuration.
switch:admin> zonecreate “greenzone”, “2,32; 2,33; 2,34; 4,4”
switch:admin> zonecreate “redzone”, “21:00:00:20:37:0c:66:23; 4,3”
switch:admin> cfgsave
You are about to save the Defined Zoning configuration. This action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled.
The following example shows all zones beginning with A, B, or C:
switch:admin> zoneshow “[A-C]*”
 zone: Blue_zone   1,1; array1; 1,2; array2
 zone: Bobs_zone   4,5; 4,6; 4,7; 4,8; 4,9
If no parameters are specified, the entire zone database (both the defined and effective configuration) is displayed.
Activating default zones
Typically, when you issue the cfgDisable command in a large fabric with thousands of devices, the name server indicates to all hosts that they can communicate with each other.
Merging zones
Table 91 presents Zoning database size limitations for various Fabric OS release versions. The maximum size of a zone database is the upper limit for the defined configuration, and it is determined by the amount of flash memory available for storing the defined configuration.
Table 91 Zoning database limitations
Fabric OS version | Maximum database size (KB)
2.4.0 | 64
2.5.0 | 64
2.6.0 | 96
3.x | 128
3.1.x | 96
3.2.x | 256
4.x, 4.1.x, 4.2.x | 128
4.4.x | 256
5.0.1 | 256
5.0.x | 256
5.1.
Table 92 Resulting database size: 0 to 96K (continued)
Receiver columns: Fabric OS 2.6 | Fabric OS 3.1 | Fabric OS 3.2 | Fabric OS 4.0/4.1/4.2 | Fabric OS 4.3/4.4.0 | Fabric OS 5.0.0/5.0.1/5.1.x | Fibre Channel Router | XPath 7.3
Initiator Fibre Channel Router | Join | Join | Join | Join | Join | Join | Join | Join
Initiator XPath 7.3 | Join | Join | Join | Join | Join | Join | Join | Join
Table 93 Resulting database size: 96K to 128K
Receiver columns: Fabric OS 2.6 | Fabric OS 3.1 | Fabric OS 3.2 | Fabric OS 4.0/4.1/ | Fabric OS 4.3/4.4.
Table 95 Resulting database size: 256K to 1M
Receiver columns (as captured): Fabric OS 4.0/4.1/4.2 | Fabric OS 4.3/4.4.x | Fabric OS 5.0.0/5.0.1 | Fibre Channel Router | XPath 7.3
Initiator [label not captured] | Segment for every receiver
Initiator Fabric OS 3.2 | Segment for every receiver
Initiator Fabric OS 4.0/4.1/4.2 | Segment for every receiver
Initiator Fabric OS 4.3/4.4.0 | Segment for every receiver
Initiator Fabric OS 5.0.0/5.0.
To add zones (members) to a Zoning configuration
1. Connect to the switch and log in as admin.
2. Enter the cfgAdd command.
3. Enter the cfgSave command to save the change to the defined configuration.
switch:admin> cfgadd “newcfg”, “bluezone”
switch:admin> cfgsave
You are about to save the Defined Zoning configuration. This action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled.
2. Enter the cfgShow command with no operands.
Maintaining zone objects While you can use the cfgDelete command to delete a zone configuration, there is a quicker and easier way to perform the same task via the zone object commands (zoneObjectExpunge, zoneObjectCopy, and zoneObjectRename). You can also copy and rename zone objects. When you copy a zone object, the resulting object has the same type as the original. Deleting a zone object also removes the object from any member lists of other objects. You can rename objects for all zone object types.
To delete a zone object
1. Connect to the switch and log in as admin.
2. Enter the cfgShow command to view the zone configuration objects you want to delete.
4. Enter the cfgShow command to verify that the renamed zone object is present.
5. If you want the change preserved when the switch reboots, save it to nonvolatile (also known as “flash”) memory by entering the cfgSave command.
6. For the change to become effective, enable the appropriate zone configuration using the cfgEnable command.
For more details about the zoneObjectCopy, cfgShow, cfgEnable, and cfgSave commands, refer to the Fabric OS Command Reference Manual.
Merging rules
Observe these rules when merging zones:
• Local and adjacent configurations: If the local and adjacent zone database configurations are the same, they remain unchanged after the merge.
• Effective configurations: If there is an effective configuration between two switches, the zone configurations in effect must match.
• Zone object naming: If a Zoning object has the same name in both the local and adjacent defined configurations, the object types and member lists must match.
Splitting a fabric If the connections between two fabrics are no longer available, the fabric will segment into two separate fabrics. Each new fabric will retain the same zone configuration. If the connections between two fabrics are replaced and no changes have been made to the zone configuration in either of the two fabrics, then the two fabrics will merge back into one single fabric. If any changes that cause a conflict have been made to either zone configuration, then the fabrics might segment.
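The merging rules and the split-and-rejoin behaviour above amount to a check an administrator can run before reconnecting two fabrics. The following is an added example, not code from the guide or from Fabric OS: each defined configuration is represented as a dictionary of object name to (type, member list) plus the name of the effective configuration, and the function lists the conflicts that would make the fabrics segment. Comparing member lists in order is this example's conservative assumption, not a statement about how the switch itself compares them; the sample databases reuse the greenzone/redzone/newcfg names from the guide's examples with constructed contents.

```python
# Added example (not from the Fabric OS guide): a pre-merge check that applies
# the merging rules to two defined configurations. Each database is a dict
# mapping an object name to (object type, member list), plus the name of the
# effective configuration (None when none is enabled). The function returns
# the list of conflicts; an empty list means the fabrics join cleanly. Member
# lists are compared in order; treating order as significant is this example's
# conservative assumption, not a statement about the switch's own comparison.
from typing import Optional


def merge_conflicts(local_db, local_effective: Optional[str],
                    adjacent_db, adjacent_effective: Optional[str]) -> list[str]:
    # Rule 1: identical databases stay unchanged after the merge.
    if local_db == adjacent_db and local_effective == adjacent_effective:
        return []
    conflicts = []
    # Rule 2: if both sides have an effective configuration, it must match.
    if local_effective and adjacent_effective and local_effective != adjacent_effective:
        conflicts.append(f"effective configuration differs: "
                         f"{local_effective!r} vs {adjacent_effective!r}")
    # Rule 3: the same name on both sides means the same type and members.
    for name in sorted(local_db.keys() & adjacent_db.keys()):
        ltype, lmembers = local_db[name]
        atype, amembers = adjacent_db[name]
        if ltype != atype:
            conflicts.append(f"{name}: type {ltype} vs {atype}")
        elif lmembers != amembers:
            conflicts.append(f"{name}: member lists differ")
    return conflicts


def merged_view(local_db, adjacent_db):
    """Union of two databases that passed the checks; shared names are equal."""
    return {**adjacent_db, **local_db}


# Constructed sample databases. A fabric that split and was rejoined without
# edits looks like LOCAL vs LOCAL; the adjacent side below has since changed
# redzone's members and enabled a different configuration.
LOCAL = {
    "greenzone": ("zone", ["2,32", "2,33", "2,34", "4,4"]),
    "redzone": ("zone", ["21:00:00:20:37:0c:66:23", "4,3"]),
    "newcfg": ("cfg", ["greenzone", "redzone"]),
}
ADJACENT = {
    "greenzone": ("zone", ["2,32", "2,33", "2,34", "4,4"]),
    "redzone": ("zone", ["21:00:00:20:37:0c:66:23"]),
    "othercfg": ("cfg", ["greenzone", "redzone"]),
}

if __name__ == "__main__":
    for line in merge_conflicts(LOCAL, "newcfg", ADJACENT, "othercfg"):
        print("conflict:", line)
```

Running the check against a snapshot of the remote fabric's cfgShow output before re-cabling an ISL turns a surprise segmentation into a planned zone edit.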
Table 96 Considerations for Zoning architecture
Item | Description
Type of Zoning: hard or soft (session-based) | If security is a priority, hard Zoning is recommended.
Use of aliases | The use of aliases is optional with Zoning. Using aliases requires structure when defining zones. Aliases aid administrators of a zoned fabric in understanding the structure and context.
Security requirements | Evaluate the security requirements of the fabric.
21 Configuring and monitoring FCIP tunneling
The Fibre Channel over IP (FCIP) Tunneling Service is an optional feature that enables you to use Fibre Channel “tunnels” to connect SANs over IP-based networks. An FCIP tunnel transports data between a pair of Fibre Channel switches. You can have more than one TCP connection between the pair of Fibre Channel switches.
FCIP also supports:
• Configuration and management of GbE ports and the virtual ports, IP interfaces, and tunnels enabled by GbE ports
• Compression and decompression of Fibre Channel frames moving through FCIP tunnels
NOTE: off.
NOTE: In Figure 28, because FCIP was configured with VE_Ports, the switches will merge over the IP WAN to become a single fabric. If any of the VE_Ports had been configured as VEX_Ports, that portion of the fabric would remain a separate fabric, but still enable sharing of storage and server devices.
Figure 28 illustrates a portion of a Fibre Channel network using FCIP. The FCIP interswitch link (VE_Ports connected over the IP WAN network) joins the office and data center SANs into a single larger SAN.
Port numbering on the B-Series MP Router blade There are sixteen physical Fibre Channel ports and two physical GbE ports on the B-Series MP Router blade. The two GbE ports (ge0 and ge1) support up to eight FCIP tunnels each (each FCIP tunnel is represented and managed as a VE_Port or VEX_Port). Ports 0-15 correspond to the physical Fibre Channel ports, and ports 16-23 are logical Fibre Channel ports on the physical GbE port, ge0.
Port numbering on the 400 MP Router
You do not need to specify slot numbers for the 400 MP Router. Refer to the GbE ports as ge0 and ge1; the Fibre Channel ports are numbered 0 through 15. Moving from left to right on the front of the chassis are the sixteen Fibre Channel ports, followed by the two GbE ports. You manage the 400 MP Router as if it had 32 Fibre Channel ports (16 standard Fibre Channel ports and 16 virtual Fibre Channel ports) and 2 GbE ports.
FCIP fastwrite and tape pipelining
When the FCIP link is the slowest part of the network and it affects speed, consider using fastwrite and tape write acceleration, called “tape pipelining.” Supported only in Fabric OS 5.2.x and higher, fastwrite and tape pipelining are two features that provide accelerated speeds to FCIP tunnels in some configurations:
• Fastwrite accelerates the SCSI write I/Os over FCIP.
Table 99 Using fastwrite and tape pipelining (continued)
Fastwrite | Tape pipelining
Class 3 traffic is accelerated with fastwrite. | Class 3 traffic is accelerated between host and sequential device.
With sequential devices (tape drives), there are 1024 initiator-tape (IT) pairs per GbE port, but 2048 initiator-tape-LUN (ITL) pairs per GbE port. The ITL pairs are shared among the IT pairs. For example:
• 2 ITL pairs for each IT pair as long as the target has two LUNs.
Figure 32 Multiple tunnels to multiple ports, fastwrite and tape pipelining enabled on a per-tunnel/per-port basis
[Figure; annotation: Connections must all be VEX-VE]
Unsupported configurations The following example configurations are not supported with fastwrite and tape pipelining, because they use multiple equal-cost paths. Figure 33 Unsupported configurations with fastwrite and tape pipelining (VE-VE or VEX-VEX)
FC fastwrite over Fibre Channel ISLs FC Fastwrite operates in Fibre Channel network topologies similar to the basic topology shown in Figure 34. FC Fastwrite provides accelerated speeds for SCSI Write operations over long distance Fibre Channel ISLs. FC Fastwrite is supported in Fabric OS v5.3.x and later.
The processing outlined eliminates the latency inherent in sending Transfer Ready back to the initiator when writing data across ISLs to geographically distant target devices. FC Fastwrite can improve Write performance. Read performance is unaffected. The gains seen from enabling FC Fastwrite depend on several factors, including the following: • The size of I/O vs. Transfer Ready. In general, the more times a target device sends a Transfer Ready, the greater the performance gain.
Where: is the slot in which the FR4-18i blade is installed. A slot number is not required for the 400 MP Router.
Example:
SJ3_6A1_12000_0:root> fastwritecfg --enable 7
!!!! WARNING !!!!
Enabling FC Fastwrite will require powering off and back on the and it may take upto 5 minutes. For non bladed system, the switch will be rebooted. Data traffic will be disrupted.
5. Use the portshow command to verify that FC Fastwrite is enabled.
rack1_6a1:root> portshow 3/3
portName:
portHealth: HEALTHY
Authentication: None
portDisableReason: None
portCFlags: 0x1
portFlags: 0x20b03 PRESENT ACTIVE F_PORT G_PORT U_PORT LOGICAL_ONLINE LOGIN NOELP ACCEPT
portType: 10.
Disabling FC Fastwrite on a port To disable FC Fastwrite on a port, enter the following command:
portcfg fastwrite --disable
Where is the slot in which the FR4-18i is installed. A slot number is not required for the 400 MP Router.
Tunneling and IPSec Internet Protocol security (IPSec) uses cryptographic security to ensure private, secure communications over Internet Protocol networks.
Table 100 IPSec terminology
MAC: Message Authentication Code is a key-dependent, one-way hash function used for generating and verifying authentication data.
HMAC: A stronger MAC because it is a keyed hash inside a keyed hash.
SA: Security association is the collection of security parameters and authenticated keys that are negotiated between IPSec peers.
The following limitations apply to using IPSec: • IPv6, NAT, and AH are not supported.
IPSec parameters Table 101 lists fixed policy parameters that you cannot modify.
Table 101 Fixed policy parameters
IKE negotiation protocol: Main mode
ESP: Tunnel mode
IKE negotiation authentication method: Preshared key
3DES encryption: Key length of 168 bits
AES encryption: Key length of 128 or 256 bits
Table 102 lists policy parameters that you may modify.
DH_Group: The Diffie-Hellman group. Supported groups are Group 1 and Group 14. Group 1 is the default. Group 1 is the 768-bit MODP group and Group 14 the 2048-bit MODP group; because 768-bit Diffie-Hellman is considered weak, prefer Group 14 whenever both IPSec peers support it.
secs: The security association lifetime in seconds. 28800 is the default.
For example, to delete the IPSec policy number 10:
switch:admin06> policy --delete ipsec 10
The policy has been successfully deleted.
Configuring FCIP Tunnels You can create only one FCIP tunnel on a given pair of IP address interfaces (local and remote). You can create multiple FCIP tunnels on a single IP interface if either the local or remote IP interface is unique and does not have any other FCIP tunnel on it.
The following example shows IP interfaces defined for slot 8 on GbE port ge0:
switch:admin06> portshow ipif 8/ge0
Port: 8/ge0
Interface IP Address NetMask MTU
---------------------------------------------------------
0 192.168.100.40 255.255.255.0 1500
1 192.168.100.41 255.255.255.0 1500
switch:admin06> portcfg ipif 8/ge0 create 192.168.100.40 255.255.255.0 1500
switch:admin06> portcfg ipif 8/ge0 create 192.168.100.41 255.255.255.
The delete argument is: delete ipaddr netmask
The gateway address must be on the same IP subnet as one of the port IP addresses. The following example shows two routes being added to an interface:
switch:admin06> portcfg iproute 8/ge0 create 192.168.11.0 255.255.255.0 192.168.100.1 1
switch:admin06> portcfg iproute 8/ge0 create 192.168.12.0 255.255.255.0 192.168.100.
Verifying IP connectivity After you add the IP addresses of the routes, use the portCmd --ping command to ping a destination IP address from one of the source IP interfaces on the GbE port and verify Ethernet IP-to-IP connectivity. This verification also ensures that data packets can be sent to the remote interface. You can ping a connection only if both ports have IP interfaces set.
Configuring FCIP tunnels After you have verified licensing and connectivity between source and destination IP interfaces, you can configure FCIP tunnels. As you plan the tunnel configurations, be aware that uncommitted rate tunnels use a minimum of 1000 Kb/sec, up to a maximum of available uncommitted bandwidth on the GbE port. The total bandwidth available on a GbE port is 1 Gbit/sec. You can configure tunnels as bidirectional entities with different commit rates in both directions.
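The constraints stated above (a route gateway must sit on the subnet of one of the port's IP interfaces, only one tunnel per local/remote IP pair, and 1 Gbit/s per GbE port with uncommitted tunnels consuming at least 1000 Kbps each) are easy to violate when planning several tunnels on one port. The following is an added example, not Fabric OS code or an HP/Brocade tool: a small pre-flight validator written for this page. Its data structures, function names and sample plan are its own; the sample addresses reuse the 192.168.100.x interfaces from the examples above, and the failing entries are constructed.

```python
"""Pre-flight checks for an FCIP tunnel plan on one GbE port.

Added example, not Fabric OS code. It encodes rules stated in the text:
a route's gateway must be on the subnet of one of the port's IP interfaces;
only one FCIP tunnel may exist per (local IP, remote IP) pair; and a GbE
port carries 1 Gbit/s in total, with uncommitted-rate tunnels needing at
least 1000 Kbps each. Input data structures are this example's own.
"""
import ipaddress

GBE_PORT_KBPS = 1_000_000       # 1 Gbit/s per GbE port, from the text
UNCOMMITTED_MIN_KBPS = 1_000    # floor an uncommitted-rate tunnel consumes


def check_routes(ipifs, routes):
    """ipifs: [(ip, netmask)]; routes: [(dest, netmask, gateway)].
    Returns error strings; an empty list means the routes are acceptable."""
    port_nets = [ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
                 for ip, mask in ipifs]
    errors = []
    for dest, mask, gateway in routes:
        gw = ipaddress.IPv4Address(gateway)
        if not any(gw in net for net in port_nets):
            errors.append(f"route {dest}/{mask}: gateway {gateway} is not on "
                          "the subnet of any IP interface on this port")
    return errors


def check_tunnels(tunnels):
    """tunnels: [(local_ip, remote_ip, committed_kbps)], 0 = uncommitted.
    Returns error strings for duplicate endpoint pairs and oversubscription."""
    errors, seen = [], set()
    committed_total, uncommitted_count = 0, 0
    for local, remote, kbps in tunnels:
        if (local, remote) in seen:
            errors.append(f"second tunnel on IP pair {local} -> {remote}; "
                          "only one tunnel is allowed per pair")
        seen.add((local, remote))
        if kbps == 0:
            uncommitted_count += 1
        else:
            committed_total += kbps
    if committed_total > GBE_PORT_KBPS:
        errors.append(f"committed rates total {committed_total} Kbps, above the "
                      f"{GBE_PORT_KBPS} Kbps available on the GbE port")
    elif committed_total + uncommitted_count * UNCOMMITTED_MIN_KBPS > GBE_PORT_KBPS:
        errors.append(f"{uncommitted_count} uncommitted tunnel(s) cannot each get "
                      f"{UNCOMMITTED_MIN_KBPS} Kbps beside {committed_total} Kbps committed")
    return errors


def validate_plan(ipifs, routes, tunnels):
    """All problems with a plan for one GbE port, in a single list."""
    return check_routes(ipifs, routes) + check_tunnels(tunnels)


# Constructed sample based on the addresses used in the examples above.
SAMPLE_IPIFS = [("192.168.100.40", "255.255.255.0"),
                ("192.168.100.41", "255.255.255.0")]
SAMPLE_ROUTES = [("192.168.11.0", "255.255.255.0", "192.168.100.1"),
                 ("192.168.12.0", "255.255.255.0", "10.0.0.1")]   # wrong subnet
SAMPLE_TUNNELS = [("192.168.100.40", "192.168.11.40", 300_000),
                  ("192.168.100.40", "192.168.11.40", 300_000),   # duplicate pair
                  ("192.168.100.41", "192.168.12.41", 0)]         # uncommitted

if __name__ == "__main__":
    for problem in validate_plan(SAMPLE_IPIFS, SAMPLE_ROUTES, SAMPLE_TUNNELS):
        print("PLAN ERROR:", problem)
```

Run against the sample plan it reports the off-subnet gateway and the duplicate endpoint pair; the 600000 Kbps of committed rate plus one uncommitted tunnel fits in the 1 Gbit/s port, so no bandwidth error is raised.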
FCIP Tunnel modify and delete options NOTE: Using the tunnel Modify option disrupts traffic on the specified FCIP tunnel for a brief period of time. Following is the syntax for the portCfg fcipTunnel command to modify FCIP tunnels (you must specify at least one characteristic to modify):
portcfg fciptunnel [slot/][ge]port args [optional_args] modify [-b comm_rate] [-c 0|1] [-f 0|1] [-k timeout] [-m time] [-r retransmissions] [-s 0|1]
where: -b comm_rate
Verifying the FCIP tunnel configuration After you have created local and remote FCIP configurations, use the portEnable [slot/]port command to enable the port. It is recommended that you verify that the tunnel configuration operation succeeded using the portShow fcipTunnel command (be sure to specify the slot/port numbers and number of tunnels). Look at the “Status” field to verify that the tunnel is now “Active.
To verify that a VE_Port or VEX_Port is online 1. Use the switchShow command to view and verify that the FCIP tunnel is online.
switch:admin06> portenable 8/18
switch:admin06> portenable 8/19
switch:admin06> switchshow
switchName:switch
switchType:42.
Checklist for configuring FCIP links Use Table 103 as a checklist for creating FCIP links.
Table 103 Steps for configuring FCIP links
1. Enable persistently disabled ports: portcfgpersistentenable [slot/]port
2. Disable the ports while performing the configuration: portdisable [slot/]port
3. Configure the port type as VE_Port or VEX_Port for both ports of a tunnel: portcfgvexport [slot/][ge]port
4. Configure the IP interface for both ports of a tunnel.
About the Ipperf option The WAN tool ipPerf (referred to simply as “ipPerf” in this chapter) is an option of the Fabric OS portCmd command. This option allows you to specify the slot and port information for displaying performance statistics for a pair of ports. For this basic configuration, you can specify the IP addresses of the endpoints, target bandwidth for the path, and optional parameters such as the length of time to run the test and statistic polling interval.
WAN Tool performance characteristics The following table lists the end-to-end IP path performance characteristics that you can display using the portCmd ipPerf command and option. All four of the base ipPerf performance characteristics (bandwidth, loss, RTT, PMTU) are provided in the command output in Fabric OS 5.2.0 or higher.
Figure 36 WAN Tool performance characteristics
Bandwidth: Indicates the total packets and bytes sent.
To start an ipPerf session 1. Configure the receiver test endpoint using the CP CLI. The syntax for invoking the receiver test endpoint using ipPerf for slot 8, port ge0 on an FR4-18i is as follows:
portcmd --ipperf 8/ge0 -s 192.168.255.10 -d 192.168.255.100 -R
2. Configure the sender test endpoint using a similar CP CLI. The syntax for invoking the sender test endpoint using ipPerf for slot 8, port ge0 on an FR4-18i is as follows:
portcmd --ipperf 8/ge0 -s 192.168.255.100 -d 192.168.255.10 -S
3.
Following is the syntax for portCmd ipPerf to display end-to-end IP path performance statistics: portCmd --ipPerf [slot]/ge# -s -d -S | -R [-r ] [-z ] [-t
To view detailed fcipTunnel statistics, you must specify either the -perf or -params options. The following example shows the portShow fcipTunnel command with the performance option to display characteristics of tunnel 0.
switch:admin06> portshow fciptunnel 8/ge0 all
Slot: 8 Port: ge0
------------------------------------------
Tunnel ID 0
Remote IP Addr 192.175.4.200
Local IP Addr 192.175.4.100
Remote WWN Not Configured
Local WWN 10:00:00:60:69:e2:09:be
Compression on
Fastwrite off
Committed Rate 300000 Kbps (0.
The following example shows the portShow fcipTunnel command with the parameters option to display the parameters of tunnel 0:
switch:admin06> portshow fciptunnel 8/ge0 0
Slot: 8 Port: ge0
------------------------------------------
Tunnel ID 0
Remote IP Addr 192.175.4.200
Local IP Addr 192.175.4.100
Remote WWN Not Configured
Local WWN 10:00:00:60:69:e2:09:be
Compression on
Fastwrite off
Committed Rate 300000 Kbps (0.
The following example shows the portShow fcipTunnel command to display IPSec information for tunnel 3:
switch:admin06> portshow fciptunnel 8/ge0 3 -ipsec
Port: ge0
------------------------------------------
Tunnel ID 3
Remote IP Addr 192.175.5.200
Local IP Addr 192.175.5.100
Remote WWN Not Configured
Local WWN 10:00:00:05:1e:37:00:20
Compression off
Fastwrite on
Tape Pipelining on
Uncommitted bandwidth, minimum of 1000 Kbps (0.
A Configuring the PID format Port identifiers (called PIDs) are used by the routing and zoning services in Fibre Channel fabrics to identify ports in the network. All devices in a fabric must use the same PID format, so when you add new equipment to your SAN, you might need to change the PID format on legacy equipment.
Impact of changing the fabric PID format If your fabric contains switches that use Native PID, it is recommended that you change the format to Core PID before you add the new, higher port count switches and Directors. Also, it is recommended that you use Core PID when upgrading the Fabric OS version on 2000 and 3000 series switches.
CAUTION: After changing the fabric PID format, if the change invalidates the configuration data (see Table 101 to determine this), do not download old (pre-PID format change) configuration files to any switch on the fabric.
Table 102 shows various combinations of existing fabrics, new switches added to those fabrics, and the recommended PID format for that combination. The criteria for the recommendations are first to eliminate host reboots, and second to minimize the need for a host reboot in the future. Table 102 PID format recommendations for adding new switches Existing Fabric OS versions; PID format Switch to be Recommendations (in order of preference) added v2.6.2 and later/v3.1.2 and later; Native PID v2.6.
Evaluating the fabric In addition to this section, refer to the HP StorageWorks SAN Design reference guide for information on evaluating the fabric: http://h18000.www1.hp.com/products/storageworks/san/documentation.
It is also important to understand how multipathing software reacts when one of the two fabrics is taken offline. If the time-outs are set correctly, the failover between fabrics should be transparent to the users. You should use the multipathing software to manually fail a path before starting maintenance on that fabric. 4. Perform empirical testing. Empirical testing might be required for some devices, to determine whether they bind by PID.
7. After the fabric has reconverged, use the cfgEnable command to update zoning. 8. Update the bindings of any devices manually bound by PID. This might involve changing them to the new PIDs, or preferably changing to WWN binding. For any devices automatically bound by PID, two options exist: a. Execute a custom procedure to rebuild its device tree online. Examples are provided in the ”Converting port number to area ID” on page 433 section of this chapter. b. Reboot the device to rebuild the device tree.
The following maps the PID format names to the names used in the management interfaces.
PID format name: native PID; Management interface name: switch PID address mode 0
PID format name: core PID; Management interface name: switch PID address mode 1
PID format name: extended edge PID; Management interface name: switch PID address mode 2
Before changing the PID format, determine if host reboots will be necessary. The section ”Host reboots” on page 424 summarizes the situations that might require a reboot.
Example
switch:admin> switchdisable
switch:admin> configure
Configure...
1. Determine if the current switch firmware versions meet the minimum supported version levels. Table 103 lists the earliest Fabric OS version levels that support Extended Edge PID format. Use this table to determine if you need to upgrade the firmware in the switches in your fabric before you change the PID format. Table 103 Earliest Fabric OS versions for extended edge PID format HP StorageWorks 1 GB switches v2.6.
Example: Configure Command on a Switch Running Fabric OS 3.1.2
Configure...
Fabric parameters (yes, y, no, n): [no] yes
Domain: (1..239) [217]
BB credit: (1..27) [16]
R_A_TOV: (4000..120000) [10000]
E_D_TOV: (1000..5000) [2000]
Data field size: (256..2112) [2112]
Sequence Level Switching: (0..1) [0]
Disable Device Probing: (0..1) [0]
Suppress Class F Traffic: (0..1) [0]
SYNC IO mode: (0..1) [0]
Switch PID Format : (0..2) [0] 2
Per-frame Route Priority: (0..1) [0]
Long Distance Fabric: (0..
Converting port number to area ID Except for the following cases, the area ID is equal to the port number: • when you perform a port swap operation • when you enable Extended Edge (also known as “displaced PID”) PID on the Director If you are using Extended Edge PID format (for example, the 4/256 SAN Director with configuration option 5) and would like to map the port number to the area ID, use the following formula (for ports 0-127):
a = (p + 16) % 128
where a is the area ID, p is the port number, and % is the modulus (remainder) operator.
When the port number is greater than or equal to 128, the area ID and port number are the same. Figure 37 shows a 4/256 SAN Director with Extended Edge PID.
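The mapping above is small enough to get wrong by hand when rebuilding device bindings after a PID format change, so here it is as code. This is an added example written for this page, not a Fabric OS utility: it implements the formula in the text for ports 0-127 and the identity mapping for ports 128 and above, derives the inverse (area back to physical port), and assembles the 24-bit Fibre Channel port identifier from domain, area and AL_PA, each 8 bits (a general Fibre Channel fact, not taken from this page). The function names and constants are this example's own, and Native and Core PID are not modelled.

```python
"""Port number to area ID on a Director running Extended Edge PID.

Added example, not from the guide. It implements the formula in the text
(area = (port + 16) % 128 for ports 0-127; area = port for ports >= 128),
adds the inverse for reading a PID back to a port, and assembles the
24-bit Fibre Channel port identifier, which is Domain ID, Area ID and
AL_PA/port field, 8 bits each (a Fibre Channel fact, not from this page).
Native and Core PID are not modelled here.
"""

OFFSET = 16        # displacement applied by Extended Edge PID
LOW_PORTS = 128    # ports below this are displaced; higher ports are not


def port_to_area(port):
    """Area ID for a physical port under Extended Edge PID."""
    if not 0 <= port <= 255:
        raise ValueError(f"port {port} out of the 8-bit area range")
    if port >= LOW_PORTS:
        return port
    return (port + OFFSET) % LOW_PORTS


def area_to_port(area):
    """Inverse mapping: physical port for an area ID."""
    if not 0 <= area <= 255:
        raise ValueError(f"area {area} out of the 8-bit area range")
    if area >= LOW_PORTS:
        return area
    return (area - OFFSET) % LOW_PORTS


def pid(domain, port, al_pa=0x00):
    """24-bit PID: domain in the top byte, area in the middle, AL_PA low."""
    if not 1 <= domain <= 239:
        raise ValueError("domain ID must be 1..239")
    return (domain << 16) | (port_to_area(port) << 8) | al_pa


if __name__ == "__main__":
    for p in (0, 15, 112, 127, 128, 255):
        print(f"port {p:3d} -> area {port_to_area(p):3d} -> PID 0x{pid(1, p):06x}")
```

Note that port 112 maps to area 0 and port 0 to area 16, so a host that binds by PID sees every low port move when the format is enabled; the inverse function is what you need to translate an old binding table back to physical ports.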
Performing PID format changes There are several routine maintenance procedures which might result in a device receiving a new PID.
Example
switch:admin> switchdisable
switch:admin> configure
Configure...
Fabric parameters (yes, y, no, n): [no] yes
Domain: (1..239) [1]
R_A_TOV: (4000..120000) [10000]
E_D_TOV: (1000..5000) [2000]
Data field size: (256..2112) [2112]
Sequence Level Switching: (0..1) [0]
Disable Device Probing: (0..1) [0]
Suppress Class F Traffic: (0..1) [0]
SYNC IO mode: (0..1) [0]
Core Switch PID Format: (0..2) [0] 1
Per-frame Route Priority: (0..1) [0]
Long Distance Fabric: (0..1) [0]
BB credit: (1..27) [16]
10.
14. Change to /dev and untar the file that was tarred in step 4. For example: tar -xf /tmp/jbod.tar Import the volume groups using vgimport. The proper usage would be vgimport -m . For example: vgimport -m /tmp/jbod_map /dev/jbod /dev/dsk/c64t8d0 /dev/dsk/c64t9d0 15. Activate the volume groups using vgchange. The proper usage would be vgchange -a y . For example: vgchange -a y /dev/jbod 16.
4. If you are not using multipathing software, unmount the volumes from their mount points using umount. The command usage is umount . For example: umount /mnt/jbod 5. If you are using multipathing software, use that software to remove one fabric’s devices from its configuration. 6. Remove the device entries for the fabric you are migrating. For example, if the HBA for that fabric is fcs0, execute the command: rmdev -Rdl fcs0 7. Connect to each switch in the fabric. 8.
5. Verify that the port area IDs have been swapped: portswapshow A table shows the physical port numbers and the logical area IDs for any swapped ports. 6. Disable the port swap feature: portswapdisable
B Configuring McData Open Fabric mode This appendix provides information on setting up a heterogeneous fabric that includes HP StorageWorks switches and switches from other manufacturers. The interoperability mode enables HP StorageWorks switches and others to exchange interoperability parameters, allowing their fabrics to merge into one fabric with one principal switch and unique domain IDs. The interopMode command must be executed on all HP StorageWorks switches in the fabric.
Supported features The following features are supported on HP StorageWorks switches in interoperability mode: • Fabric Watch • Fabric Access API functions Accessible from HP StorageWorks switches only, but switch information for non- HP StorageWorks switches is reported. The object information and zoning actions are configurable from the API.
have a McDATA switch between two HP StorageWorks switches if you are managing zoning from the HP StorageWorks switches. • LC IBM GBICs are not supported if they are connected to a McData ISL. • When a switch gets a new domain ID assigned through a fabric reconfiguration, the new domain ID is written to nonvolatile memory and the old domain ID value is overwritten. When a McDATA switch gets a new domain ID assigned through a fabric reconfiguration, it keeps the original domain ID in nonvolatile memory.
You can use the cfgSize command to check both the maximum available size and the currently saved size. If you believe you are approaching the maximum, you can save a partially completed zoning configuration and use the cfgSize command to determine the remaining space.
Zone name restrictions The name field must contain the ASCII characters that actually specify the name, not including any required fill bytes. Names must follow these rules: • Length must be between 1 and 64 characters.
3. Enter the interopmode 0 command to disable interoperability. This command resets a number of parameters and disables interactive mode. 4. You must reboot the switch after changing the interoperability mode: switch:admin> switchdisable switch:admin> interopmode 0 The switch effective configuration will be lost when the operating mode is changed; do you want to continue? (yes, y, no, n): [no] y done. Interopmode is disabled Note: You must reboot this switch for the new change to take effect.
C Understanding legacy password behaviour The following sections provide password information for early versions of Fabric OS firmware. Password management information Table 104 describes the password standards and behaviors between various versions of firmware. Table 104 Account/password characteristics matrix Topic v4.0.0 v4.1.0 to v4.2.0 v4.4.0 to 5.1.
Table 104 Account/password characteristics matrix (continued)
Topic: Does a user need to know the old passwords when changing passwords using the passwd command?
v4.0.0: Yes, except when the root user changes another user’s password. This is standard UNIX behavior; Fabric OS does not enforce any additional security.
v4.1.0 to v4.2.0: Old password is required only when changing password for the same level user password.
Password prompting behaviors Table 105 describes the expected password prompting behaviors of various Fabric OS versions.
Table 105 Password Prompting Matrix
Topic: Must all password prompts be completed for any change to take effect?
v4.0.0: No. Partial changes of all four passwords are allowed.
v4.1.0 and later: No. Partial changes of all four passwords are allowed.
Password migration during firmware changes Table 106 describes the expected outcome of password settings when upgrading or downgrading firmware for various Fabric OS versions.
Table 106 Password migration behavior during firmware upgrade/downgrade
Topic: Passwords used when upgrading to a newer firmware release for the first time.
v4.4.0 to v5.0.1: Default accounts and passwords are preserved.
v5.0.1 to 5.1.x: Default accounts and passwords are preserved.
Table 107 Password recovery options (continued)
Topic: How to recover boot PROM password?
v4.0.0: n/a
v4.1.0 and later: Contact HP and provide the recovery string. Refer to ”Setting the Boot PROM Password” on page 112 for instructions on setting the password with a recovery string.
Topic: How do I recover a user, admin, or factory password?
Refer to ”Recovering Forgotten Passwords” on page 116.
D Using Remote Switch This appendix describes the concepts and procedures for using the Remote Switch feature and contains the following topics: About Remote Switch The Remote Switch feature, which aids in ensuring gateway compatibility, was formerly a licensed feature. Its functionality is now available as part of the Fabric OS standard feature set through the use of the portCfgIslMode command.
You might be required to reconfigure the following parameters, depending on the gateway requirements: • R_A_TOV: Specify a Resource Allocation Timeout Value compatible with your gateway device. • E_D_TOV: Specify a Error Detect Timeout Value compatible with your gateway device • Data field size: Specify the maximum Fibre Channel data field reported by the fabric. Verify the maximum data field size the network-bridge can handle. Some bridges might not be able to handle a maximum data field size of 2112.
E Zone merging scenarios Table 108 provides information on merging zones and the expected results.
Table 108 Zone merging scenarios
Description: Switch A with a defined configuration
Switch A: defined: cfg1: zone1: ali1; ali2; effective: none
Switch B: defined: none; effective: none
Expected results: Configuration from Switch A propagates throughout the fabric in an inactive state, because the configuration is not enabled.
Table 108 Zone merging scenarios (continued)
Description: cfg content mismatch
Switch A: defined: cfg1 zone1: ali1; ali2; effective: irrelevant
Switch B: defined: cfg1 zone1: ali3; ali4; effective: irrelevant
Expected results: Fabric segments due to: Zone Conflict content mismatch
Switch A: defined: cfg1 zone1: ali1; ali2; effective: irrelevant
Switch B: defined: cfg1 zone1: ali1; ali4; effective: irrelevant
Expected results: Fabric segments due to: Zone Conflict content mismatch
Description: Same content - different effective cfg name
Switch A: defined: cfg1 z
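A segmented fabric after an ISL comes up is usually a zoning conflict, and the rows of Table 108 are the rules to check before joining two switches. The following is an added example written for this page, not Fabric OS code: it models the rows reproduced above (a defined-but-not-enabled configuration propagating to a switch with no zoning, a same-named zone with different members segmenting the fabric with "Zone Conflict content mismatch", and identical databases merging) and returns "not covered" for any other combination rather than guessing. The dictionary layout, function names, sample switches and the decision to compare zone members as unordered sets are this example's own assumptions.

```python
"""Predict the outcome of a zone-database merge between two switches.

Added example, not Fabric OS code. It models the rows of Table 108
reproduced on this page: a defined-but-not-enabled configuration on one
switch propagates, inactive, to a switch with no zoning; a zone carrying
the same name but different members on the two switches segments the
fabric with "Zone Conflict content mismatch"; identical zone databases
merge. Anything else is reported as not covered rather than guessed.
Zone members are compared as sets (order ignored), an assumption here.
"""

SEGMENT_CONTENT_MISMATCH = "Fabric segments due to: Zone Conflict content mismatch"
NOT_COVERED = "Outcome not covered by the Table 108 rows reproduced here"


def _zones(switch):
    """Flatten {cfg: {zone: [members]}} into {(cfg, zone): frozenset(members)}."""
    return {
        (cfg, zone): frozenset(members)
        for cfg, zones in switch["defined"].items()
        for zone, members in zones.items()
    }


def merge_outcome(switch_a, switch_b):
    """Return the expected fabric state when switch_a and switch_b join.

    Each switch is {"defined": {cfg_name: {zone_name: [members]}},
                    "effective": cfg_name or None}.
    """
    a_zones, b_zones = _zones(switch_a), _zones(switch_b)

    # Row 1: one switch has a defined configuration, the other has nothing.
    for name, src, dst in (("A", switch_a, switch_b), ("B", switch_b, switch_a)):
        if src["defined"] and not dst["defined"] and dst["effective"] is None:
            if src["effective"] is None:
                return (f"Configuration from Switch {name} propagates throughout "
                        "the fabric in an inactive state, because the "
                        "configuration is not enabled")
            return NOT_COVERED   # an enabled configuration is not in these rows

    # Content mismatch rows: same (cfg, zone) name with differing members.
    for key in a_zones.keys() & b_zones.keys():
        if a_zones[key] != b_zones[key]:
            return SEGMENT_CONTENT_MISMATCH

    # Identical databases with the same effective configuration merge cleanly.
    if a_zones == b_zones and switch_a["effective"] == switch_b["effective"]:
        return "Identical zone databases; fabric merges"

    return NOT_COVERED


# Constructed sample switches mirroring the table rows.
SWITCH_A = {"defined": {"cfg1": {"zone1": ["ali1", "ali2"]}}, "effective": None}
SWITCH_EMPTY = {"defined": {}, "effective": None}
SWITCH_CONFLICT = {"defined": {"cfg1": {"zone1": ["ali1", "ali4"]}}, "effective": "cfg1"}

if __name__ == "__main__":
    print(merge_outcome(SWITCH_A, SWITCH_EMPTY))
    print(merge_outcome(SWITCH_A, SWITCH_CONFLICT))
    print(merge_outcome(SWITCH_A, SWITCH_A))
```

The "same content, different effective cfg name" row is truncated on this page, so the model deliberately reports it as not covered instead of inventing a result.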