HP StorageWorks Fabric OS 5.2.
Legal and notice information © Copyright 2007 Hewlett-Packard Development Company, L.P. © Copyright 2007 Brocade Communications Systems, Incorporated. Hewlett-Packard Company makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.
About this Guide This guide provides procedures to help you maintain Fabric OS 5.2.x running in your Storage Area Network (SAN). NOTE: At the time of printing, IBM Fibre Connections (FICON®) is not supported on HP B-Series Fibre Channel switches. Please refer to http://www.hp.com for a list of current supported features. Supported HP StorageWorks hardware Table 1 lists Brocade and HP StorageWorks product models supported by Fabric OS 5.2.x at the time of this document’s release.
Intended audience This guide is intended for: • System administrators responsible for setting up HP StorageWorks Fibre Channel SAN switches • Technicians responsible for maintaining the Fabric Operating System (OS) Related documentation Documentation, including white papers and best practices documents, is available on the HP web site: http://www.hp.com/support/manuals Scroll to the storage section of the web page. Select SAN infrastructure for HP StorageWorks products.
CAUTION: Indicates that failure to follow directions could result in damage to equipment or data.
IMPORTANT: Provides clarifying information or specific instructions.
NOTE: Provides additional information.
TIP: Provides helpful hints and shortcuts.

HP technical support
Telephone numbers for worldwide technical support are listed on the HP support web site: http://www.hp.com/support/.
1 Introducing Fabric OS CLI procedures This chapter summarizes procedures for configuring and managing an HP StorageWorks SAN using the Fabric OS Command Line Interface (CLI). The guide applies to the following product models: • HP StorageWorks switches: 4/16 SAN Switch and 4/8 SAN Switch, SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, SAN Switch 4/32, 4/64 SAN Switch, and 400 MP Router These models contain a fixed number of ports (they are fixed-port switches).
There are several methods that you can use to configure a switch. These are listed with their respective documents: • Command Line Interface (CLI) • A telnet session into logical switches • A telnet session into active and standby CPs for Director class switches • A serial console, including active and standby CPs for Director class switches • An optional modem, which behaves like a serial console port For CLI details, refer to the Fabric OS Command Reference Manual.
Help information Each Fabric OS command provides Help information that explains the command function, its possible operands, its level in the command hierarchy, and additional pertinent information. Displaying command Help 1. Connect to the switch and log in as admin. 2. To display a list of all command help topics for a given login level, enter the help command with no arguments.
Table 3 Help file commands (continued)
trackChangesHelp: Track Changes help information
zoneHelp: Zoning help information
2 Performing basic configuration tasks This chapter contains procedures for performing basic switch configuration tasks using the Fabric OS Command Line Interface (CLI). Ideally, you should perform the initial configuration of a switch prior to introducing the switch into the fabric, or during a scheduled maintenance window to minimize fabric disruption. Connecting to the CLI Connect to the CLI either through a telnet or SSH connection or through a console session on the serial port.
3. Enter the account ID at the login prompt. See ”Setting the default account passwords” on page 24 for instructions on how to log in for the first time. 4. Enter the password. The default password is: password If you have not changed the system passwords from the default, you are prompted to change them. Enter the new system passwords, or press Ctrl-c to skip the password prompts. See ”How to change default passwords at login” on page 26. 5. Verify that the login was successful.
The default accounts on the switch are admin, user, root, and factory. Use the default administrative account as shown in Table 4, to log in to the switch for the first time and to perform the basic configuration tasks described in this chapter. Every logical switch (domain) has a set of default accounts. The root and factory default accounts are reserved for development and manufacturing. The user account is primarily used for system monitoring.
How to change default passwords at login
1. Connect to the switch and log in as admin. The default password for all default accounts is: password
2. At each of the “Enter new password” prompts, either enter a new password or skip the prompt. Press Enter to skip a prompt. Press Ctrl-c to bypass the remaining prompts.
login: admin
Password:
Please change your passwords now.
Use Control-C to exit or press 'Enter' key to proceed.
How to display network interface settings
If an IP address has not been assigned to the network interface (Ethernet), you must connect to the Fabric OS CLI using a console session on the serial port; see ”How to connect via the serial port” on page 24. Otherwise, connect using SSH.
1. Connect to the switch and log in as admin.
2. Enter the ipAddrShow command.
FD21:admin> ipaddrshow
SWITCH
Ethernet IP Address: 192.168.78.158
Ethernet Subnetmask: 255.255.255.0
Fibre Channel IP Address: 220.220.220.
Configuring DHCP By default, some HP switches have DHCP enabled. SAN Director 2/128 and 4/256 SAN Director models do not support DHCP. The Fabric OS DHCP client supports the following parameters: • External Ethernet port IP addresses and subnet masks • Default gateway IP address The DHCP client uses a DHCP vendor class identifier that allows DHCP servers to determine that the Discovers and Requests are coming from an HP switch.
Enter the network information in dotted quad format for Ethernet IP address, Ethernet Subnetmask, and Gateway Address at the prompts. If a static Ethernet address is not available when you disable DHCP, enter 0.0.0.0 at the Ethernet IP address prompt. Skip Fibre Channel prompts by pressing enter. Disable DHCP by entering Off. Setting the date and time Switches maintain the current date and time in flash memory. Date and time are used for logging events.
You can set the time zone for a switch using the tsTimeZone command. The tsTimeZone command allows you to: • Display all of the time zones supported in the firmware • Set the time zone based on a Country and City combination or based on a time zone ID such as PST See the tsTimeZone command in the Fabric OS Command Reference Manual for more detailed information about the command parameters. The time zone setting has the following characteristics: • Users can view the time zone settings.
How to set the time zone interactively 1. Type the tsTimeZone command as follows: switch:admin> tstimezone --interactive 2. Select a general location: Please identify a location so that time zone rules can be set correctly. Please select a continent or ocean. Africa Americas Antarctica Arctic Ocean Asia Atlantic Ocean Australia Europe Indian Ocean Pacific Ocean none - I want to specify the time zone using the Posix TZ format.
4. You are finally prompted to specify the time zone region. Please select one of the following time zone regions.
Maintaining licensed software features
If you purchased an HP StorageWorks Power Pack switch model, optional software licenses are included with the licensed Power Pack supplied with switch software. If you did not purchase an HP StorageWorks Power Pack switch model, you can purchase licenses separately from HP. HP then provides you with keys to unlock the optional software features.
How to generate or activate a license key 1. If you already have a license key, go to step 6 to activate. If you do not have a license key, launch an Internet browser and go to: http://webkey.external.hp.com/welcome.asp. The HP StorageWorks Software License Key instruction page opens: Figure 1 HP StorageWorks license key screen 2. Enter the requested information in the required fields. Also, follow the onscreen instructions to generate multiple license keys. 3. Click Next. A verification screen appears. 4.
The licensed features currently installed on the switch are listed. If the feature is not listed, reissue the licenseAdd command. d. Some features may require additional configuration, or you might need to disable and re-enable the switch to make them operational; refer to the feature documentation for details.
Customizing a switch name Switches can be identified by IP address, Domain ID, World Wide Name (WWN), or by customized switch names that are unique and meaningful. For Fabric OS 4.x (and later) switch names can be from 1 to 15 characters long, must begin with a letter, and can contain letters, numbers, or the underscore character. It is not necessary to use quotation marks.
Customizing the chassis name Beginning with Fabric OS 4.4.x, it is recommended that you customize the chassis name for each switch. Some system logs identify switches by chassis names, so if you assign meaningful chassis names in addition to meaningful switch names, logs will be more useful. How to change the chassis name 1. Connect to the switch and log in as admin. 2.
How to display domain IDs
1. Connect to a switch and log in as admin.
2. Enter the fabricShow command. Fabric information is displayed, including the domain ID (D_ID):
switch:admin> fabricshow
Switch ID   Worldwide Name           Enet IP Addr   FC IP Addr   Name
-------------------------------------------------------------------------
1: fffc01   10:00:00:60:69:e4:00:3c  10.32.220.80   0.0.0.0      "ras080"
2: fffc02   10:00:00:60:69:e0:01:46  10.32.220.1    0.0.0.0      "ras001"
3: fffc03   10:00:00:60:69:e0:01:47  10.32.220.2    0.0.0.
Ports on Demand license summary for applicable switches HP StorageWorks SAN Switch models integrate the following port licenses: • 4/8 Base SAN Switch — Ships standard with eight ports, no E_Port and an HP Full-Fabric Upgrade License. The sixteen available ports (eight active) are expandable to twelve or sixteen ports by purchasing the HP StorageWorks 4-Port Upgrade License. • 4/16 SAN Switch — Ships standard with sixteen active ports and an HP Full-Fabric license.
For instructions, see ”Maintaining licensed software features” on page 33. 4. Use the portenable command to enable the ports. 5. Optionally, use the portShow command to verify the newly activated ports. If you remove a Ports on Demand license, the licensed ports will become disabled after the next platform reboot or the next port deactivation. Configuring Dynamic Ports on Demand IMPORTANT: This feature is supported on the Brocade 4Gb SAN Switch for HP c-Class BladeSystem embedded switch only.
The example above shows output from a switch that has manually assigned POD licenses.
Activating Dynamic Ports on Demand
If the switch is in the Static POD mode, then activating the Dynamic POD will erase any prior port license assignments the next time the switch is rebooted. The static POD assignments become the initial Dynamic POD assignments. After the Dynamic POD feature is enabled, use the licensePort command to customize the POD license associations.
switch:admin> licenseport --method static The POD method has been changed to static. Please reboot the switch now for this change to take effect. 3. Enter the reboot command to restart the switch. switch:admin> reboot 4. Enter the licensePort --show command to verify that switch started the Static POD feature.
3. If port reservations are available, then enter the licensePort --reserve command to reserve a license for the port.
switch:admin> licenseport --reserve 0
4. If all port reservations are assigned, then select a port to release its POD license. You must disable the port first by entering portdisable .
5. Enter the command to remove the port from the POD license.
switch:admin> licenseport --release 0
6. Enter the licensePort --show command to verify that there is an available port reservation.
5. Enter the licensePort --show command to verify that the port is no longer assigned to a POD set.
HP StorageWorks SAN Director 2/128 and 4/256 SAN Director: Enter the following command: switch:admin> portdisable slotnumber/portnumber where slotnumber and portnumber are the slot and port numbers of the port you want to disable. How to enable a port 1. Connect to the switch and log in as admin. 2.
ISL mode L0 is available on all Fabric OS releases. When you upgrade from Fabric OS 4.0.0 to Fabric OS 4.1.0 or later, all extended ISL ports are set automatically to L0 mode. For information on extended ISL modes, which enable longer distance interswitch links, refer to ”Administering Extended Fabrics” on page 325.
Refer to the Fabric OS Command Reference Manual for more information about the portCfgIslMode command. Checking status You can check the status of switch operation, high availability features, and fabric connectivity. How to verify switch operation 1. Connect to the switch and log in as admin. 2. Enter the switchShow command at the command line. This command displays a switch summary and a port summary. 3. Check that the switch and ports are online. 4.
4. Enter the nsAllShow command at the command line. This command displays 24-bit Fibre Channel addresses of all devices in the fabric.
How to display the status of the track changes feature 1. Connect to the switch and log in as admin. 2. Enter the trackChangesShow command. The status of the track changes feature is displayed as either on or off. The display includes whether the track changes feature is configured to send SNMP traps: switch:admin> trackchangesshow Track changes status: ON Track changes generate SNMP-TRAP: NO switch:admin> How to view the switch status policy threshold values 1. Connect to the switch and log in as admin.
parameter is set to 3, the status of the switch will change if 3 ports fail. Only one policy parameter needs to pass the MARGINAL or DOWN threshold to change the overall status of the switch. For more information about setting policy parameters, refer to the Fabric Watch Administrator’s Guide. How to set the switch status policy threshold values 1. Connect to the switch and log in as admin. 2. Enter the switchStatusPolicySet command at the command line.
Configuring the audit log
When managing SANs, you may wish to filter, or audit, certain classes of events to ensure that you can view and generate a paper trail, or “audit log,” for what is happening on a switch, particularly for security-related event changes. These events include login failures, zone configuration changes, firmware downloads, and other configuration changes; in other words, critical changes that have a serious effect on the operation and security of the switch.
Table 6 identifies auditable event classes and auditCfg operands used to enable auditing of a specific class.

Table 6 AuditCfg Event Class Operands
Operand  Event class  Description
1        Zone         Audit zone event configuration changes, but not the actual values that were changed. For example, a message might state, “Zone configuration has changed,” but the syslog does not display the actual values that were changed.
2        Security     Audit any user-initiated security event for all management interfaces.
How to configure an audit log for specific event classes
1. Connect to the switch from which you wish to generate an audit log and log in as admin.
2. Enter the auditCfg --class command, which defines the specific event classes to be filtered.
switch:admin> auditcfg --class 2,4
Audit filter is configured.
The auditCfg event class operands are identified in Table 6.
3. Enter the auditCfg --enable command, which enables audit event logging based on the classes configured in step 2.
To power off a switch gracefully (5.1.0 and later) 1. Connect to the switch and log in as admin. 2. Enter the sysShutdown command. 3. At the prompt, type y. switch:admin> sysshutdown This command will shutdown the operating systems on your switch. You are required to power-cycle the switch in order to restore operation. Are you sure you want to shutdown the switch [y/n]?y 4. Wait until the following message displays: Broadcast message from root (ttyS0) Wed Jan 25 16:12:09 2006...
3 Managing user accounts This chapter provides information and procedures on managing authentication and user accounts. Overview Fabric OS provides two options for authenticating users—remote RADIUS services and/or the local switch user database. Both options allow users to be centrally managed using the following methods: • Local user database: Manually synchronize the local user database using the distribute command to push a copy of the switch’s local user database to all other Fabric OS 5.2.
Role Permissions
Table 10 describes the types of permissions that are assigned to roles.

Table 10 Permission types
Abbreviation  Definition  Description
O             Observe     The user can run commands using options that display information only, such as running userConfig --show -a to show all users on a switch.
M             Modify      The user can run commands using options that create, change, and delete objects on the system, such as running userconfig --change username -r rolename to change a user’s role.
Table 11 RBAC permissions matrix (continued)
Category                             User  Operator  Switch admin  Zone admin  Fabric admin  Basic switchadmin  Admin
Switch Management—IP Configuration   O     OM        OM            N           OM            O                  OM
Local User Environment               OM    OM        OM            OM          OM            OM                 OM
Logging                              O     OM        OM            O           OM            O                  OM
License                              O     OM        OM            O           OM            O                  OM
Management Access Configuration      O     OM        OM            N           OM            O                  OM
Management Server                    O     OM        OM            O           OM            O                  OM
Name Server                          O     O         OM            O           OM            O                  OM
Nx_Port Management                   O     O         OM            O           OM            O                  O
Configuring the authentication model This section explains how to configure authentication of the switch management channel connections. Fabric OS 5.2.x and higher supports use of both the local user database and RADIUS service at the same time. Use the aaaConfig command to set the authentication model for Fabric OS switch management channel connection authentication model as shown in Table 12. NOTE: Set the authentication model on each switch.
About the default accounts
Fabric OS provides the following predefined accounts in the switch-local user database. Change the passwords for all default accounts during the initial installation and configuration; see Table 13.

Table 13 Default Local User Accounts
Account Name  Role   Admin domain       Description
user          User   AD0 home: 0        Most commands have observe-only permission.
admin         Admin  AD0-255 home: 0    Most commands have observe-modify permission.
How to create an account 1. Connect to the switch and log in. 2. Enter the following command: userConfig --add -r [-h ] [-a ] [-d ] [-x] username Specifies the account name, which must begin with an alphabetic character. The name can be from 8 to 40 characters long. It is case-sensitive and can contain alphabetic and numeric characters, the dot (.) and the underscore ( _ ).
How to change account parameters When changing account parameters, if you change the ADlist for the user account, all of the currently active sessions for that account will be logged out. 1. Connect to the switch and log in. 2. Enter the following command: userconfig --change username [-r rolename] [-h admindomain_ID] [-a admindomain_ID_ list] [-d description] [-e yes | no] -u -x username Changes the account attribute for username. The account must already exist.
removed from the existing list. If the -h argument is not specified, the home Admin Domain will either remain as it was or will be the lowest Admin Domain ID in the remaining list.
Recovering accounts
The following conditions apply to recovering user accounts:
• The attributes in the backup database replace the attributes in the current account database.
• An event is stored in the system message log, indicating that accounts have been recovered.
How to change the password for a different account 1. Connect to the switch and log in. 2. Enter the following command: passwd name where name is the name of the account. Enter the requested information at the prompts.
How to accept the user database 1. Connect to the switch. 2. Enter the following command: fddCfg --localaccept PWD where PWD is one of the three supported database policies. Supported policy databases are SCC, DCC, PWD. How to reject distributed user databases 1. Connect to the switch. 2. Enter the following command: fddCfg --localreject PWD Configuring password policies The password policies described in this section apply to the switch-local user database only.
not allowed because it is incompatible with Web Tools. The default value is zero. The maximum value must be less than or equal to the MinLength value.
• MinLength Specifies the minimum length of the password. The minimum can be from 8 to 40 characters. New passwords must be between the minimum length specified and 40 characters. The default value is 8.
Upgrade and downgrade considerations If you are upgrading from a 5.0.x environment to 5.2.x, the existing password databases do not contain the state information that implements password expiration. So, when the password expiration policy is first set after an upgrade to 5.2.x, any user who has not changed their password will have their password expiration period set to the maximum password expiration period.
Creating Fabric OS user accounts With RADIUS servers, set up user accounts by their true network wide identity rather than by the account names created on a Fabric OS switch. Along with each account name, assign appropriate switch access roles. RADIUS supports all the defined RBAC roles described in Table 9 on page 55. Users must enter their assigned RADIUS account name and password when logging in to a switch that has been configured with RADIUS.
Windows 2000 IAS For example, to configure a Windows 2000 IAS server to use VSA to pass the “Admin” role to the switch in the dial-in profile, the configuration specifies the Vendor code (1588), Vendor-assigned attribute number (1), and attribute value (admin), as shown in the following: Linux FreeRadius server For the configuration on a Linux FreeRadius server, define the following in a vendor dictionary file called dictionary.brocade. See Table 15. Table 15 dictionary.
RADIUS configuration and admin domains When configuring users with Admin Domains, you must also include the Admin Domain member list. This section describes the way that you configure attribute types for this configuration. The values for the new attribute types use the syntax key=val[;key=val], where key is a text description of attributes, value is the attribute value for the given key, = is the separator between key and value, and ; is an optional separator for multiple key-value pairs.
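The encoding described above, as an added example that is not part of the HP guide: it builds and decodes the RFC 2865 Vendor-Specific attribute carrying vendor code 1588, attribute number 1 and the value admin, and parses the key=val[;key=val] syntax. The Admin Domain attribute number (2), the key names HomeAD and ADList, the user name and the second vendor ID are assumptions constructed for the sample, not values taken from this page.

```python
import struct

VSA_TYPE = 26        # RFC 2865 Vendor-Specific attribute type
VENDOR_ID = 1588     # vendor code given in this guide
ROLE_ATTR = 1        # vendor-assigned attribute number for the role (this guide)
AD_ATTR = 2          # ASSUMPTION: attribute number carrying the key=val string


def encode_vsa(vendor_id: int, sub_type: int, value: bytes) -> bytes:
    """Build one Vendor-Specific attribute holding a single sub-attribute."""
    if len(value) > 247:  # 255 minus attribute, vendor-id and sub-attribute headers
        raise ValueError("value too long for one VSA")
    sub = bytes([sub_type, len(value) + 2]) + value
    body = struct.pack("!I", vendor_id) + sub
    return bytes([VSA_TYPE, len(body) + 2]) + body


def decode_vsas(attrs: bytes) -> list:
    """Walk a RADIUS attribute list; return (vendor_id, sub_type, value) tuples."""
    found, i = [], 0
    while i < len(attrs):
        if len(attrs) - i < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = attrs[i], attrs[i + 1]
        if a_len < 2 or i + a_len > len(attrs):
            raise ValueError("attribute length out of bounds")
        payload = attrs[i + 2:i + a_len]
        if a_type == VSA_TYPE:
            if len(payload) < 4:
                raise ValueError("VSA too short for a vendor id")
            vendor_id = struct.unpack("!I", payload[:4])[0]
            j = 4
            while j < len(payload):
                if len(payload) - j < 2:
                    raise ValueError("truncated sub-attribute header")
                s_type, s_len = payload[j], payload[j + 1]
                if s_len < 2 or j + s_len > len(payload):
                    raise ValueError("sub-attribute length out of bounds")
                found.append((vendor_id, s_type, payload[j + 2:j + s_len]))
                j += s_len
        i += a_len
    return found


def parse_key_values(text: str) -> dict:
    """Parse the key=val[;key=val] syntax; reject entries without '='."""
    pairs = {}
    for part in text.split(";"):
        if not part.strip():
            continue  # tolerate a trailing separator
        key, sep, val = part.partition("=")
        if not sep or not key.strip():
            raise ValueError("malformed pair: %r" % part)
        pairs[key.strip()] = val.strip()
    return pairs


def login_profile(attrs: bytes) -> dict:
    """Collect the role and Admin Domain pairs carried for vendor 1588."""
    profile = {"role": None, "admin_domains": {}}
    for vendor_id, sub_type, value in decode_vsas(attrs):
        if vendor_id != VENDOR_ID:
            continue  # another vendor's attribute, not relevant here
        text = value.decode("ascii")
        if sub_type == ROLE_ATTR:
            profile["role"] = text
        elif sub_type == AD_ATTR:
            profile["admin_domains"].update(parse_key_values(text))
    return profile


# Constructed sample: the attribute section of a reply for a hypothetical user.
SAMPLE_ATTRS = (
    bytes([1, 8]) + b"jsmith"                              # User-Name (type 1)
    + encode_vsa(VENDOR_ID, ROLE_ATTR, b"admin")
    + encode_vsa(VENDOR_ID, AD_ATTR, b"HomeAD=1;ADList=1,2,3")
    + encode_vsa(32473, 1, b"ignored")                     # unrelated vendor
)

if __name__ == "__main__":
    print(encode_vsa(VENDOR_ID, ROLE_ATTR, b"admin").hex())
    print(login_profile(SAMPLE_ATTRS))
```

Decoding a captured reply this way shows which role a server is actually sending, which helps when a user logs in with a different role than the server profile was meant to grant.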
servers do not respond (because of power failure or network problems), the switch uses local authentication. Consider the following effects of the use of RADIUS service on other Fabric OS features: • When RADIUS service is enabled, all account passwords must be managed on the RADIUS server. The Fabric OS mechanisms for changing switch passwords remain functional; however, such changes affect only the involved switches locally.
Linux The following procedures work for FreeRADIUS on Solaris and Red Hat Linux. FreeRADIUS is a freeware RADIUS server that you can find at: www.freeradius.org Follow the installation instructions at the web site. FreeRADIUS runs on Linux (all versions), FreeBSD, NetBSD, and Solaris. If you make a change to any of the files used in this configuration, you must stop the server and restart it for the changes to take effect. FreeRADIUS installation places the configuration files in $PREFIX/etc/raddb.
Clients are the switches that will be using the RADIUS server; each client must be defined. By default, all IP addresses are blocked. On dual-CP switches (SAN Director 2/128 and 4/256 Director), the switch sends its RADIUS request using the IP address of the active CP. When adding clients, add both the active and standby CP IP addresses so that users can still log in in the event of a failover.
How to enable clients
1. Open the $PREFIX/etc/raddb/client.
How to configure RADIUS users 1. From the Windows Start menu, select Programs > Administrative Tools > Computer Management to open the Computer Management window. 2. In the Computer Management window, expand the Local Users and Groups folder and select the Groups folder. 3. Right-click the Groups folder and select New Group from the pop-up menu. 4. In the New Group window, provide a Name and Description for the group and click Add. 5.
12. In the Edit Dial-in Profile window, click the Authentication tab and check only the Encrypted Authentication (CHAP) and Unencrypted Authentication (PAP, SPAP) checkboxes; then click the Advanced tab and click Add. 13. In the Add Attributes window, select Vendor-Specific and click Add. 14. In the Multivalued Attribute Information window, click Add. 15. In the Vendor-Specific Attribute Information window, click the Enter Vendor Code radio button and enter the value 1588. Click the Yes.
How to display the current RADIUS configuration 1. Connect to the switch and log in as admin. 2. Enter this command: switch:admin> aaaConfig --show If a configuration exists, its parameters are displayed. If RADIUS service is not configured, only the parameter heading line is displayed.
How to enable and disable a RADIUS server
1. Connect to the switch and log in as admin.
2. Enter this command to enable RADIUS + local:
switch:admin> aaaconfig --radiuslocal
Local is used if the user authentication fails on the RADIUS server.
Or to enable RADIUS + localbackup:
switch:admin> aaaconfig --radiuslocalbackup
Local is used if the RADIUS servers are not accessible.
How to delete a RADIUS server from the configuration
1. Connect to the switch and log in as admin.
2.
Enabling and disabling local authentication as backup
It is useful to enable local authentication so that the switch can take over authentication locally if the RADIUS servers fail to respond because of a power outage or network problems. To enable or disable local authentication, enter the appropriate command:
switch:admin> aaaConfig --radiuslocalbackup
For details about this command and how it is different from aaaConfig --radiuslocal, see Table 12 on page 58.
If a password was previously set, the following messages display: Send the following string to Customer Support for password recovery: afHTpyLsDo1Pz0Pk5GzhIw== Enter the supplied recovery password. Recovery Password: 5. Enter the recovery password (string). The recovery string must be between 8 and 40 alphanumeric characters. A random string that is 15 characters or longer is recommended for higher security. The firmware prompts for this password only once.
The recovery string must be between 8 and 40 alphanumeric characters. A random string that is 15 characters or longer is recommended for higher security. The firmware only prompts for this password once. It is not necessary to remember the recovery string because it is displayed the next time you enter the command shell. The following prompt displays: New password: 7. Enter the boot PROM password; then reenter it when prompted.
NOTE: The passwd command only applies to the boot PROM password when it is entered from the boot interface. 6. Enter the boot PROM password at the prompt, then reenter it when prompted. The password must be eight alphanumeric characters (any additional characters are not recorded). Record this password for future use. 7. Enter the saveEnv command to save the new password. 8. Reboot the switch by entering the reset command.
14. Connect to the active CP blade by serial or telnet and enter the haEnable command to restore high availability. Recovering user, admin, and factory passwords If you know the root password, you can use this procedure to recover the user, admin, and factory passwords. How to recover passwords 1. Open a CLI connection (serial or telnet) to the switch. If secure mode is enabled, connect to the primary FCS switch. 2. Log in as root. 3.
Managing user accounts
4 Configuring standard security features This chapter provides information and procedures for configuring standard Fabric OS security features such as account and password management. Additional security features are available by purchasing the optional Secure Fabric OS feature. For information about licensed security features available in Secure Fabric OS, refer to the Secure Fabric OS Administrator’s Guide. Secure protocols Fabric OS supports the secure protocols shown in Table 16.
The security protocols are designed with the four main usage cases described in Table 18.
Table 18 Main security scenarios
Fabric | Management interfaces | Comments
Nonsecure | Nonsecure | No special setup is needed to use telnet or HTTP. An HP switch certificate must be installed if sectelnet is used.
Nonsecure | Secure | Secure protocols may be used. An SSL switch certificate must be installed if SSH/HTTPS is used.
Secure | Secure | Secure protocols are supported on Fabric OS 4.4.0 (and later) switches.
Fabric OS 4.1.0 and later supports SSH protocol v2.0 (ssh2). For more information on SSH, refer to the SSH IETF web site: http://www.ietf.org/ids.by.wg/secsh.html Refer to SSH, The Secure Shell: The Definitive Guide by Daniel J. Barrett, Richard Silverman. Fabric OS 4.4.0 and later comes with the SSH server preinstalled; however, you must select and install the SSH client. For information on installing and configuring the F-Secure SSH client, refer to the web site: http://www.f-secure.
Blocking listeners HP StorageWorks switches block Linux subsystem listener applications that are not used to implement supported features and capabilities. Table 19 lists the listener applications that switches either block or do not start.
Port Configuration lists the ports used. Use this table when configuring the switch to account for firewalls and other devices that may sit between switches in the fabric or between the managers and the switch.
Table 21 Port information
Port | Type | Common use | Comment
22 | TCP | SSH |
23 | TCP | Telnet | Use the configure command to disable the telnet service.
37 | TCP | NTP |
80 | TCP | HTTP | Use the configure command to disable the port.
Browser and Java support Fabric OS supports the following Web browsers for SSL connections: • Internet Explorer (Microsoft Windows) • Mozilla (Solaris and Red Hat Linux) In countries that allow the use of 128-bit encryption, you should use the latest version of your browser. For example, Internet Explorer 6.0 and later supports 128-bit encryption by default. You can display the encryption support (called “cipher strength”) using the Internet Explorer Help:About menu option.
Each CA (for example, Verisign or GeoTrust) has slightly different requirements; for example, some generate certificates based on IP address, while others require an FQDN, and most require a 1024-bit public/private key while some might accept a 2048-bit key. Consider your fabric configuration, check CA Web sites for requirements, and gather all the information that the CA requires. Generating a public/private key Perform this procedure on each switch: 1. Connect to the switch and log in as admin. 2.
If you are set up for secure file copy protocol, you can select it; otherwise, select ftp. Enter the IP address of the switch on which you generated the CSR. Enter the remote Directory name of the FTP server to which the CSR is to be sent. Enter your account name and password on the server. Obtaining certificates Check the instructions on the CA Web site; then, perform this procedure for each switch: 1. Generate and store the CSR as described in ”Generating a public/private key” on page 88. 2.
Activating a switch certificate Enter the configure command and respond to the prompts that apply to SSL certificates: SSL attributes Type yes. Certificate File Enter the name of the switch certificate file: for example, 192.1.2.3.crt. CA Certificate File If you want the CA name to be displayed in the browser window, enter the name of the CA certificate file; otherwise, skip this prompt. Select length of crypto key Enter the encryption key length (40, 56, or 128). HTTP attributes Type yes.
7. Browse to the certificate location and select the certificate. (For example, select nameRoot.crt.) 8. Click Open and follow the instructions to import the certificate. Installing a root certificate to the Java Plug-in For information on Java requirements, refer to ”Browser and Java support” on page 87. This procedure is a guide for installing a root certificate to the Java Plug-in on the management workstation. If the root certificate is not already installed to the plug-in, you should install it.
Troubleshooting certificates If you receive messages in the browser or in a pop-up window when logging in to the target switch using HTTPS, refer to Table 23. Table 24 SSL Messages and Actions Message Action The page cannot be displayed The SSL certificate is not installed correctly or HTTPS is not enabled correctly. Make sure that the certificate has not expired, that HTTPS is enabled, and that certificate file names are configured correctly.
You can also use these additional MIBs and their associated traps: • FICON-MIB (for FICON environments) • HA-MIB (for SAN Director 2/128 models) • SW-EXTTRAP Includes the swSsn (Software Serial Number) as a part of SW traps. It is also used in conjunction with the legacy 6400 integrated fabrics product to provide detailed group information for a particular trap. For information on MIBs, refer to the Fabric OS MIB Reference Manual.
Sample SNMPv3 configuration
switch:admin> snmpconfig --set snmpv3
SNMPv3 user configuration:
User (rw): [snmpadmin1] adminuser
Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]:
New Auth Passwd:
Verify Auth Passwd:
Priv Protocol [DES(1)/noPriv[2]): (1..2)
New Priv Passwd:
Verify Priv Passwd:
User (rw): [snmpadmin2] shauser
Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]:
New Auth Passwd:
Verify Auth Passwd:
Priv Protocol [DES(1)/noPriv[2]): (1..
Sample accessControl configuration
switch:admin> snmpconfig --set accessControl
SNMP access list configuration:
Access host subnet area in dot notation: [0.0.0.0] 192.168.0.0
Read/Write? (true, t, false, f): [true]
Access host subnet area in dot notation: [0.0.0.0] 10.32.148.0
Read/Write? (true, t, false, f): [true] f
Access host subnet area in dot notation: [0.0.0.0]
Read/Write? (true, t, false, f): [true]
Access host subnet area in dot notation: [0.0.0.0] 10.33.0.
Using legacy commands for SNMPv1 You should use the snmpConfig command to configure the SNMPv1 agent and traps (refer to ”Using the snmpConfig command” on page 94). However, if necessary for backward compatibility, you can choose to use legacy commands. Sample SNMP agent configuration information switch:admin> agtcfgshow Current SNMP Agent Configuration Customizable MIB-II system variables: sysDescr = FC Switch sysLocation = End User Premise sysContact = Field Support.
Sample modification of the SNMP configuration values switch:admin> agtcfgset Customizing MIB-II system variables ... At each prompt, do one of the followings: o to accept current value, o enter the appropriate new value, o to skip the rest of configuration, or o to cancel any change. To correct any input mistake: erases the previous character, erases the whole line, sysDescr: [FC Switch] sysLocation: [End User Premise] sysContact: [Field Support.
Sample reset of the SNMP agent configuration to default values switch:admin> agtcfgdefault ***** This command will reset the agent's configuration back to factory default ***** Current SNMP Agent Configuration Customizable MIB-II system variables: sysDescr = Fibre Channel Switch. sysLocation = End User Premise sysContact = sweng authTraps = 0 (OFF) SNMPv1 community and trap recipient configuration: Community 1: Secret C0de (rw) Trap recipient: 192.168.15.
Sample modification of the options for configuring SNMP MIB traps
switch:admin> snmpmibcapset
The SNMP Mib/Trap Capability has been set to support
FE-MIB SW-MIB FA-MIB FA-TRAP
FA-MIB (yes, y, no, n): [yes]
FICON-MIB (yes, y, no, n): [no] y
HA-MIB (yes, y, no, n): [no] y
SW-TRAP (yes, y, no, n): [no] y
swFCPortScn (yes, y, no, n): [no]
swEventTrap (yes, y, no, n): [no]
swFabricWatchTrap (yes, y, no, n): [no]
swTrackChangesTrap (yes, y, no, n): [no]
FA-TRAP (yes, y, no, n): [yes]
connUnitStatusChange (yes, y
Sample view of the SNMP MIB trap setup
switch:admin> snmpmibcapshow
FA-MIB: YES
FICON-MIB: YES
HA-MIB: YES
SW-TRAP: YES
swFCPortScn: YES
swEventTrap: YES
swFabricWatchTrap: YES
swTrackChangesTrap: YES
FA-TRAP: YES
SW-EXTTRAP: YES
HA-TRAP: YES
fruStatusChanged: YES
cpStatusChanged: YES
fruHistoryTrap: YES
Configuring secure file copy
You can use the configure command to specify that secure file copy (scp) be used for configuration uploads and downloads.
5 Configuring advanced security
This chapter provides information and procedures for configuring the advanced Fabric OS 5.2.x security feature, Access Control List (ACL) policies for FC port and switch binding.
NOTE: Run all commands in this chapter by logging in to Administrative Domain (AD) 255 or, if Administrative Domains have not been implemented, by logging in to AD 0.
For information about licensed security features available in Secure Fabric OS, see the Secure Fabric OS Administrator’s Guide.
Configuring ACL policies All policy modifications are saved in volatile memory until those changes are saved or activated. You can create multiple sessions to the switch from one or more hosts. However, Fabric OS allows only one ACL transaction at a time. If a second ACL transaction is started, it fails. The Secure Fabric OS and Fabric OS SCC and DCC policies are not interchangeable. Uploading and saving a copy of the Fabric OS configuration after creating policies is strongly recommended.
Displaying ACL policies Use the secPolicyShow command to display the Active and Defined policy sets. The following example shows a switch that has no SCC and DCC policies. secPolicyShow displays the following information: • Active Policy Set—The policies that are being enforced. • Defined Policy Set—The policies that have been saved. Policies created in the same login session also appear but these policies are automatically deleted if the user logs out without saving. To display the ACL policies 1.
Table 25 DCC policy states
Policy state | Characteristics
Policy with no entries | Any device can connect to any switch port in the fabric. An empty policy is the same as no policy.
Policy with entries | If a device WWN is specified in a DCC policy, that device is only allowed access to the switch if connected by a switch port listed in the same policy. If a switch port is specified in a DCC policy, it only permits connections from devices that are listed in the policy.
The member contains device or switch port information: deviceportWWN;switch(port) where: deviceportWWN WWN of the device port. switch Either the switch WWN, domain ID, or switch name. The port can be specified by port or area number. Designating ports automatically includes the devices currently attached to those ports. The ports can be specified using any of the following syntax methods: (*) Selects all ports on the switch. (1-6) Selects ports 1 through 6.
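The member syntax and the Table 25 policy states can be modelled together to check a planned DCC policy before it is activated. This is an added example, not code from this guide or from Fabric OS: the policy names, switch names, and WWNs are constructed, only the (*) and (1-6) port forms listed in this section are parsed, switch identifiers are compared as plain strings, and allowing a device and port that appear in no policy is an assumption that extends the "no policy" case.

```python
import re
from dataclasses import dataclass, field

ALL_PORTS = "*"
WWN_RE = re.compile(r"^(?:[0-9a-f]{2}:){7}[0-9a-f]{2}$", re.IGNORECASE)
PORT_MEMBER_RE = re.compile(r"^(?P<switch>[^()]+)\((?P<spec>[^()]*)\)$")
RANGE_RE = re.compile(r"^(\d+)-(\d+)$")


@dataclass
class DccPolicy:
    name: str
    devices: set = field(default_factory=set)  # device port WWNs, lower case
    ports: dict = field(default_factory=dict)  # switch id -> set of ports, or ALL_PORTS


def parse_port_spec(spec):
    """Translate the text inside the parentheses: '*' or 'low-high'."""
    spec = spec.strip()
    if spec == "*":
        return ALL_PORTS
    m = RANGE_RE.match(spec)
    if m and int(m.group(1)) <= int(m.group(2)):
        return set(range(int(m.group(1)), int(m.group(2)) + 1))
    # Other port forms are rejected rather than guessed.
    raise ValueError(f"unsupported port specification: ({spec})")


def parse_policy(name, member_list):
    """Parse a semicolon-separated 'deviceportWWN;switch(port)' member list."""
    policy = DccPolicy(name)
    for raw in member_list.split(";"):
        item = raw.strip()
        if not item:
            continue
        if WWN_RE.match(item):  # bare WWN: a device port
            policy.devices.add(item.lower())
            continue
        m = PORT_MEMBER_RE.match(item)  # switch WWN, domain ID or name + (port)
        if not m:
            raise ValueError(f"not a device WWN or switch(port) member: {item!r}")
        switch = m.group("switch").strip()
        ports = parse_port_spec(m.group("spec"))
        current = policy.ports.get(switch, set())
        if ports == ALL_PORTS or current == ALL_PORTS:
            policy.ports[switch] = ALL_PORTS
        else:
            policy.ports[switch] = current | ports
    return policy


def port_listed(policy, switch, port):
    listed = policy.ports.get(switch)
    if listed is None:
        return False
    return listed == ALL_PORTS or port in listed


def login_allowed(policies, device_wwn, switch, port):
    """Apply the Table 25 rules to one device login on one switch port."""
    wwn = device_wwn.strip().lower()
    device_named = any(wwn in p.devices for p in policies)
    port_named = any(port_listed(p, switch, port) for p in policies)
    if not device_named and not port_named:
        # Assumption: neither side is bound by any policy, so the login is
        # treated like the "no policy" case. Empty policies also land here.
        return True
    # A named device needs a port from the same policy, and a named port
    # accepts only devices from the same policy.
    return any(wwn in p.devices and port_listed(p, switch, port) for p in policies)


# Constructed sample policies (names, switches and WWNs are illustrative).
POLICIES = [
    parse_policy("DCC_POLICY_hba", "10:00:00:00:c9:aa:bb:01;sw_core(1-6)"),
    parse_policy("DCC_POLICY_tape", "10:00:00:00:c9:aa:bb:02;sw_edge(*)"),
    parse_policy("DCC_POLICY_empty", ""),
]

if __name__ == "__main__":
    for wwn, sw, port in [
        ("10:00:00:00:C9:AA:BB:01", "sw_core", 3),  # listed device, listed port
        ("10:00:00:00:c9:aa:bb:01", "sw_core", 7),  # listed device, unlisted port
        ("10:00:00:00:c9:aa:bb:99", "sw_core", 3),  # unlisted device, listed port
        ("10:00:00:00:c9:aa:bb:99", "sw_core", 9),  # neither side listed
    ]:
        print(wwn, sw, port, "ALLOW" if login_allowed(POLICIES, wwn, sw, port) else "DENY")
```

Running the model against the port map of a fabric shows which existing device attachments a draft policy would reject once it is enforced.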
Fabric OS is disabled; policies created in Fabric OS are deleted when Secure Fabric OS is enabled. Back up SCC policies before enabling or disabling Secure Fabric OS. The SCC policy is used to restrict which switches can join the fabric. Switches are checked against the policy each time an E_Port-to-E_Port connection is made. The policy is named SCC_POLICY and accepts members listed as WWNs, domain IDs, or switch names. Only one SCC policy can be created.
To activate changes
1. Connect to the switch and log in.
2. Type the secPolicyActivate command:
switch:admin> secpolicyactivate
About to overwrite the current Active data.
ARE YOU SURE (yes, y, no, n): [no] y
Adding a member to an existing policy
Add members to the ACL policies by using the secPolicyAdd command. As soon as a policy has been activated, the aspect of the fabric managed by that policy is enforced.
To add a member to an existing ACL policy
1. Connect to the switch and log in.
2.
Aborting all uncommitted changes Use the secPolicyAbort command to abort all ACL policy changes that have not yet been saved. To abort all unsaved changes 1. Connect to the switch and log in. 2. Type the secPolicyAbort command: switch:admin> secpolicyabort Unsaved data has been aborted. All changes since the last time the secPolicySave or secPolicyActivate commands were entered are aborted.
1. Error returned indicating that the distribution setting must be accept before you can set the fabric-wide consistency policy. Configuring the database distribution settings The distribution settings control whether a switch accepts or rejects distributions of databases from other switches and whether or not the switch may initiate a distribution. Configure the distribution setting to reject when maintaining the database on a per-switch basis.
2. Enter the following command: fddCfg --localaccept localaccept Default setting. Allows local database to be overwritten with databases received from other switches. Allows local database to be manually or automatically distributed to other switches. database_id A semicolon-separated list of the local databases to be distributed, either SCC and/or DCC.
2. Enter the following command: distribute -p -d database_id A semicolon-separated list of the local databases to be distributed: SCC and/or DCC. switch_list A semicolon-separated list of switch Domain IDs, switch names, or switch WWN addresses of the target switches that will receive the distribution. Use an asterisk (*) to distribute the database to all Fabric OS 5.2.x and higher switches in the fabric.
The following example shows a fabric-wide consistency policy that is not defined.
switch:admin> fddcfg --showall
Local Switch Configuration for all Databases:
DATABASE - Accept/Reject
------------------------
SCC - accept
DCC - accept
PWD - accept
Fabric Wide Consistency Policy:- ""
To set the fabric-wide consistency policy
1. Connect to the switch and log in.
2.
disabled. If the strict SCC and DCC fabric-wide consistency policies match, the corresponding SCC and DCC ACL policies are compared. The enforcement of fabric-wide consistency policy involves comparison of only the Active policy set. If the ACL policies match, the switch joins the fabric successfully. If the ACL policies are absent either on the switch or on the fabric, the switch joins the fabric successfully, and the ACL policies are copied automatically from where they are present to where they are absent.
Non-matching fabric-wide consistency policies You may encounter one of the following two scenarios: • Merging a fabric with a strict policy to a fabric with an absent, tolerant, or non-matching strict policy. The merge fails and the ports are disabled.
6 Maintaining configurations It is important to maintain consistent configuration settings on all switches in the same fabric, because inconsistent parameters (such as inconsistent PID formats) can cause fabric segmentation. As part of standard configuration maintenance procedures, it is recommended that you back up all important configuration data for every switch on a host computer server for emergency reference. NOTE: For information about AD-enabled switches using Fabric OS 5.2.
Before beginning, verify that you can reach the FTP server from the switch. Using a telnet connection, save a backup copy of the configuration file from a logical switch to a host computer as follows: To upload a configuration file 1. Verify that the FTP service is running on the host computer. 2. Connect to the switch and log in as admin. 3. Enter the configUpload command. The command becomes interactive and you are prompted for the required information. 4.
NOTE: The configuration file is printable, but check how many pages it will produce before you send it to the printer; you might not want to print it if it is too long.
Troubleshooting configuration upload
If the configuration upload fails, it may be because:
• The host name is not known to the switch.
• The host IP address cannot be contacted.
• You do not have configuration upload permission on the switch.
Configuration download without disabling a switch Starting in Fabric OS 5.2.x, you can download configuration files to a switch while the switch is enabled, that is, you do not need to disable the switch for changes in SNMP, Fabric Watch, and ACL parameters. When you use the configDownload command, you will be prompted to disable the switch only when necessary. However, if there is any changed parameter that does not belong to SNMP, Fabric Watch, or ACL, then you must disable the switch.
NOTE: Because some configuration parameters require a reboot to take effect, after you download a configuration file you must reboot to be sure that the parameters are enabled. Before the reboot, this type of parameter is listed in the configuration file, but it is not effective until after the reboot. Security considerations Security parameters and the switch's identity cannot be changed by configDownload.
Restoring configurations in a FICON environment If the switch is operating in a FICON CUP environment, and the ASM (active=saved) bit is set on, then the switch ignores the IPL file downloaded when you restore a configuration. Table 35 describes this behavior in more detail. Table 35 Backup and restore in a FICON CUP environment ASM bit Command Description on or off configupload All the files saved in file access facility are uploaded to the management workstation.
4/256 SAN Director configuration form Table 36 provides a form to use as a hardcopy reference for your configuration information.
Table 37 FC port configuration setting
FC port configuration | Port numbers 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
Speed |
Trunk Port |
Long Distance |
VC Link Init |
Locked L_Port |
Locked G_Port |
Disable E_Port |
ISL R_RDY Mode |
RSCN Suppressed |
Persistent disable |
NPIV capability |
EX Port |
Table 38 FC port configuration setting
FC Port Configuration | Port Numbers 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
Speed |
Trunk port |
Long distance |
VC link Init |
Locked L_Port |
Locked G_Port |
Disable E_Port |
ISL R_RDY mode |
RSCN suppressed |
Persistent disable |
NPIV capability |
EX port |
7 Managing administrative domains This chapter describes the concepts and procedures for using the administrative domain feature introduced in Fabric OS 5.2.x and contains the following topics: About administrative domains An Administrative Domain (Admin Domain or AD) is a logical grouping of fabric elements that defines what switches, ports, and devices you can view and modify. An Admin Domain is a filtered administrative view of the fabric.
Figure 2 Fabric with two admin domains (AD1 and AD2)
Figure 3 shows how users get a filtered view of this fabric, depending on which Admin Domain they are in. Users can see all switches and E_Ports in the fabric, regardless of their Admin Domain; however, the switch ports and end devices are filtered based on Admin Domain membership.
• Move devices from one Admin Domain to another without traffic disruption, cable reconnects, or discontinuity in zone enforcement. • Provide strong fault and event isolation between Admin Domains. • Have visibility of all physical fabric resources. All switches, E_Ports, and FRUs (including blade information) are visible. • Implement Admin Domains in a fabric with some switches running AD-unaware firmware versions (that is, firmware versions lower than Fabric OS 5.2.x).
System-defined administrative domains When you install Fabric OS 5.2.x firmware, the switch enters AD-capable mode with domains AD0 and AD255 automatically created. AD0 and AD255 are special Admin Domains. AD0 and AD255 always exist and cannot be deleted or renamed. They are reserved for use in creation and management of Admin Domains.
Figure 4 Fabric with AD0 and AD255 (diagram labels: AD0, AD1, AD2, AD255)
Admin domain access levels
Admin Domains offer a hierarchy of administrative access. To manage Admin Domains, you must be a physical fabric administrator. A “physical fabric administrator” is a user with the Admin role and access to all Admin Domains (AD0 through AD255). Other administrative access is determined by your defined RBAC role and AD membership. Your role determines your access level and permission to perform an operation.
Admin domains and login You are always logged in to an Admin Domain, and you can view and modify only the devices in that Admin Domain. If you have access to more than one Admin Domain, one of them will have been specified as your “home Admin Domain,” the one you are automatically logged in to. If your home Admin Domain is deleted or deactivated, then by default you are logged in to the lowest numbered active Admin Domain in your Admin Domain List.
Switch port members Switch port members are defined by switch (domain, port). A switch port member: • Grants port control rights and zoning rights for that switch port. • Grants view access and zoning rights to the device connected to that switch port. • Allows you to share (domain, port) members across multiple Admin Domains. In each Admin Domain, you can also zone shared devices differently. • Implicitly includes all devices connected to the specified (domain, port) members in the Admin Domain membership.
Figure 5 shows an unfiltered view of a fabric with two switches, three devices, and two Admin Domains. The devices are labeled with device WWN and the switches are labeled with domain ID and switch WWN.
Admin domain compatibility and availability Admin Domains maintain continuity of service for Fabric OS 5.2.x features and operate in mixed-release fabric environments. High availability is supported along with some backward compatibility. The following sections describe the continuity features of Admin Domain usage. Admin domains and merging When an E_Port comes online, the adjacent switches merge their AD databases.
Managing admin domains This section is for physical fabric administrators who are managing Admin Domains. You must be a physical fabric administrator to perform the tasks in this section.
Implementing admin domains To begin implementing an Admin Domain structure within your SAN, you must first set the default zone mode to No Access. You must be in AD0 to change the default zone mode. You can use the defZone --show command to see the current default zone mode setting. To set the default zone mode 1. Log in to an AD-aware switch in the fabric with the appropriate RBAC role. 2. Ensure you are in the AD0 context.
4. Optional: To end the transaction now, enter ad --save to save the Admin Domain definition or enter ad --apply to save the Admin Domain definition and directly apply the definitions to the fabric. The following example creates Admin Domain AD1, consisting of two switches, which are designated by domain ID and switch WWN.
To assign Admin Domains to an existing user account 1. Connect to the switch and log in as admin. 2. Enter the userConfig --addad command using the -a option to provide access to Admin Domains and the -h option to specify the home Admin Domain. userconfig --addad username -h home_AD -a "AD_list" where username is the name of the account, home_AD is the home Admin Domain, and AD_list is the list of Admin Domains to which the user account will have access.
To deactivate an Admin Domain 1. Connect to the switch and log in as admin. 2. Disable the zone configuration under the Admin Domain you want to deactivate. 3. Switch to the AD255 context, if you are not already in that context. ad --select 255 4. Enter the ad --deactivate option. The ad --deactivate option prompts for confirmation. 5.
4. Optional: To end the transaction now, enter ad --save to save the Admin Domain definition or enter ad --apply to save the Admin Domain definition and directly apply the definitions to the fabric.
The following example removes port 5 of domain 100 and port 3 of domain 1 from AD1.
sw5:AD255:admin> ad --remove 1 -d "100,5; 1,3"
The following example removes switch 100 from the membership list of AD4.
Deleting all user-defined Admin Domains When you clear the Admin Domain configuration, all user-defined Admin Domains are deleted, the explicit membership list of AD0 is cleared, and all fabric resources (switches, ports, and devices) are returned to the implicit membership list of AD0. You cannot clear the Admin Domain configuration if zone configurations exist in any of the user-defined Admin Domains. To clear all Admin Domain definitions 1.
Using Admin Domains This section is for users and administrators and describes how you use Admin Domains. If you are a physical fabric administrator and you want to create, modify, or otherwise manage Admin Domains, see ”Managing admin domains” on page 136. The Admin Domain looks like a virtual switch or fabric to a user. However, based on the user role and type (User_ID), users are presented with only their relevant AD-based views (see Figure 2 and Figure 3).
Displaying an Admin Domain configuration The ad --show option displays the membership information and zone database information of the specified Admin Domain. When you perform the show option in: • AD255, if you do not specify the AD_name or number, all information about all existing Admin Domains is displayed. • AD0-AD254 contexts, the membership of the current Admin Domain is displayed. • AD0, the device and switch list members are categorized into implicit and explicit member lists.
The following example switches to the AD12 context. Note that the prompt changes to display the Admin Domain. sw5:admin> ad --select 12 sw5:AD12:admin> Performing zone validation If you are working with zones, you should be aware that there is an Admin Domain impact. Zone objects can be part of an Admin Domain. You can use the zone --validate command to list all zone members that are not part of the current zone enforcement table.
Table 41 Admin Domain interaction with Fabric OS features (continued) Fabric OS feature Admin Domain interaction FCR You can create LSAN zones as a physical fabric administrator or as an individual AD administrator. The LSAN zone can be part of the root zone database or the AD zone database. • • FCR collects the LSAN zones from all ADs. If both edge fabrics have matching LSAN zones and both devices are online, FCR triggers a device import.
Zoning operations ignore any resources not in the Admin Domain, even if they are specified in the zone. The behavior functions similarly to specifying offline devices in a zone. All zones from each Admin Domain zoneset are enforced. The enforcement policy encompasses zones in the effective zoneset of the root zone database and the effective zonesets of each AD. NOTE: AD zone databases do not have an enforced size limit.
Configuration upload and download in an AD context The behavior of configUpload and configDownload varies depending on the AD context and whether the switch is a member of the current Admin Domain. In the AD context, these commands include only the zone configuration of the current Admin Domain. If the switch is a member of the Admin Domain, all switch configuration parameters are saved and the zone database for that Admin Domain is also saved.
8 Installing and maintaining firmware In this chapter, you will see references to optional port blades installable in the SAN Director 4/256: • Port blades contain Fibre Channel ports. • FC blades contain only Fibre Channel ports: FC4-16, FC4-32, FC4-48. • AP blades are “intelligent” blades: B-Series Multi-protocol (MP) Router blade and FC4-16IP blade • CP blades have a control processor (CP) used to control the entire switch; they can be inserted only into slots 5 and 6.
Effects of firmware changes on accounts and passwords The following table describes what happens to accounts and passwords when you replace the switch firmware with a different version. Table 43 Effects of firmware changes on accounts and passwords Change First time Subsequent times (after upgrade, then Upgrading Default accounts and their passwords are preserved. User-defined and default accounts and their passwords are preserved. Downgrading User-defined accounts are no longer valid.
(or in some cases 4.4.x or lower) and the check finds that one of these exception cases is true, firmware download will fail and an error message will be displayed. It is recommended that you perform a configUpload to back up the current configuration before you download firmware to a switch. See ”Backing up a configuration” on page 117 for details.
To prepare for a firmware download
1. Read the latest Fabric OS Release Notes to find out if there are any issues related to firmware download.
2.
Verify that the compact flash usage is not above 90%. If the compact flash usage is above 90%, contact HP. NOTE: If running Fabric OS 4.2.x or earlier, enter the supportShow command and verify the above compact flash information by searching the output of the supportShow command. 7. (Optional) Enter the errClear command to erase all existing messages in addition to internal messages. Checking connected switches If the switch to be upgraded is running version 4.1.
firmware. The firmwareDownload command defaults to an autocommit option that automatically copies the firmware from one partition to the other. You should not override autocommit under normal circumstances; use the default. Refer to Testing and restoring firmware-on Directors, page 161 for details about overriding the autocommit option.
8. Respond to the prompts as follows: Server Name or IP Address Enter the name or IP address of the FTP server where the firmware file is stored; for example, 192.1.2.3. You can enter a server name if DNS is enabled. User name Enter the user name of your account on the server; for example, “JohnDoe”. File name Fabric OS 5.2.x or higher: Specify the full path name of the firmware directory, for example, /pub/v5.2.x. Fabric OS 5.1.
Summary of firmware downloads on Director models You can download firmware to SAN Director 2/128 and 4/256 SAN Director without disrupting the overall fabric if the two CP blades are installed and fully synchronized. Use the haShow command to confirm synchronization. If only one CP blade is powered on, the switch must reboot to activate firmware, which is disruptive to the overall fabric.
SAN Director 2/128 and 4/256 SAN Director firmware download procedure There is one logical switch address for a 4/256 SAN Director, and up to two logical switch addresses for the SAN Director 2/128, but either can be used on the SAN Director 2/128 to effect a firmwaredownload (either logical switch). NOTE: By default, the firmwareDownload command automatically upgrades both the active CP blade and the standby CP blade; it automatically upgrades all AP blades in the 4/256 SAN Director.
8. Respond to the prompts as follows: Server Name or IP Address Enter the name or IP address of the server where the firmware file is stored: for example, 192.1.2.3. You can enter a server name if DNS is enabled. User name Enter the user name of your account on the server: for example, JohnDoe. File name Fabric OS 5.2.x or higher: Specify the full path name of the firmware directory, for example, /pub/v5.2.x. Fabric OS 5.1.
IMPORTANT: At the time of this document’s release, HP does not support the FC4-16IP blade. Consult http://www.hp.com for the latest, updated information.
switch:admin> firmwaredownload
Server Name or IP Address: 10.1.2.3
FTP User Name: JaneDoe
File Name: /pub/v5.2.x
FTP Password: xxxx
Verifying the input parameters ...
Checking system settings for firmwaredownload...
The following AP blades are installed in the system.
9. Optionally, after the failover, connect to the switch, log in again as admin. Using a separate telnet session, enter the firmwareDownloadStatus command to monitor the firmware download status.
switch:admin> firmwaredownloadstatus
[1]: Fri Sep 22 09:45:15 2006
Slot 5 (CP0, active): Firmware is being downloaded to standby CP. This step may take up to 30 minutes.
[2]: Fri Sep 22 09:51:21 2006
Slot 5 (CP0, active): Firmware has been downloaded successfully to Standby CP.
10. Enter the firmwareShow command to display the new firmware versions.
switch:admin> firmwareshow
Slot  Name      Primary/Secondary Versions   Status
-------------------------------------------------------------
3     FC4-16IP  v5.2.x
                v5.2.x
4     FR4-18i   v5.2.x
                v5.2.x
5     CP0       v5.2.x                       ACTIVE *
                v5.2.x
6     CP1       v5.2.x                       STANDBY
                v5.2.x
10    FR4-18i   v5.2.x
                v5.2.
3. Commit the firmware a. Enter the firmwareCommit command to update the secondary partition with new firmware. Note that it takes several minutes to complete the commit operation. b. Enter the firmwareShow command to confirm both partitions on the switch contain the new firmware. NOTE: Stop! If you have completed step 3, then you have committed the firmware on the switch and you have completed the firmware download procedure.
2. Update firmware on standby CP
a. Start a telnet session, log in as admin to the standby CP.
b. Enter the firmwareDownload -s command and respond to the prompts as follows:
switch:admin> firmwaredownload -s
Server Name or IP Address: 10.1.2.3
FTP User Name: JaneDoe
File Name: /pub/v5.2.x
FTP Password:
Do Auto-Commit after Reboot [Y]: n
Reboot system after download [N]: y
Firmware is being downloaded to the switch. This step may take up to 30 minutes.
Checking system settings for firmwaredownload...
5. Update firmware on standby CP
a. Start a telnet session on the standby CP (which is the old active CP).
b. Enter the firmwareDownload -s command and respond to the prompts as follows:
switch:admin> firmwaredownload -s
Server Name or IP Address: 10.1.2.3
FTP User Name: JaneDoe
File Name: /pub/v5.2.x
FTP Password:
Do Auto-Commit after Reboot [Y]: n
Reboot system after download [N]: y
Firmware is being downloaded to the switch. This step may take up to 30 minutes.
10. Restore firmware on the “new” standby CP a. Wait one minute and start a telnet session on the new standby CP, which is the old active CP. b. Enter the firmwareRestore command. The standby CP will reboot and the telnet session will end. Both partitions will be made equal after several minutes. c. Wait 5 minutes and log into the switch. Enter the firmwareShow command and verify that all partitions have the original firmware.
NOTE: You cannot perform a firmware downgrade from Fabric OS 5.2.x or higher if administrative domains are configured in the fabric. See ”Managing administrative domains” on page 157 for details. When the primary and secondary CPs in a 4/256 SAN Director are running pre-Fabric OS 5.2.
For more information on any of the commands in the Recommended Action section, see the Fabric OS Command Reference. NOTE: Some of the messages include error codes (as shown in the example below). These error codes are for internal use only and you can disregard them. Example: Port configuration with EX ports enabled along with trunking for port(s) 63, use the portcfgexport, portcfgvexport, and/or portcfgtrunkport commands to remedy this. Verify blade is ENABLED.
Message Only platform options 1, 2, 5 are supported by version 5.1. Use chassisconfig to reset the option before downloading the firmware. Probable Cause and Recommended Action The firmware download operation was attempting to upgrade a system to Fabric OS v5.1.0. The chassisConfig option was set to 3 or 4, which is not supported in v5.1.0, so the firmware download operation was aborted.
Message Cannot download to 5.1 because Device Based routing policy is not supported by 5.1. Use aptPolicy to change the routing policy before proceeding. Probable Cause and Recommended Action The firmware download operation was attempting to upgrade a system to Fabric OS v5.1.0 with device-based routing policy selected. Device-based routing policy is not supported in firmware v5.1.0, so the firmware download operation was aborted.
Message The command failed due to presence of long-distance ports in LS mode. Please remove these settings before proceeding. Probable Cause and Recommended Action The firmware download operation was attempting to downgrade a system to Fabric OS v5.0.0 or lower with long-distance ports in LS mode. Long-distance ports in LS mode is not supported in firmware v5.0.0 or lower, so the firmware download operation failed.
Message The command failed due to one or more ports having both long-distance and ISL R_RDY Modes enabled. Use portcfglongdistance and portcfgislmode to disable it before proceeding. Probable Cause and Recommended Action The firmwareDownload operation was attempting to downgrade a system to Fabric OS v.0.0 or lower with both long-distance and ISL R_RDY modes enabled.
Message Cannot downgrade due to presence of port mirror connections. Use portmirror --delete to remove these mirror connections before proceeding. Probable Cause and Recommended Action The firmware download operation was attempting to downgrade a system to Fabric OS v5.1.0 or lower with Port Mirroring enabled. Port Mirroring is not supported on firmware v5.1.0 or lower, so the firmware download operation failed. Remove the mirror connections using the portMirror --delete command.
Message The command failed due to the presence of an Admin Domain. Use the ad command to remedy this before proceeding. Probable Cause and Recommended Action The firmware download operation was attempting to downgrade a system to Fabric OS v5.1.0 or lower with Admin Domain (AD) enabled on the system. Admin Domains are not supported on firmware v5.1.0 or lower, so the firmware download operation failed.
Message The command failed because IPSec is enabled. Please use the portcfg fciptunnel command to disable it before proceeding. Probable Cause and Recommended Action The firmwareDownload operation was attempting to downgrade a system to Fabric OS v5.1.0 or lower and the IPsec feature is enabled. The IPsec feature is not supported on firmware v5.1.0 or lower, so the firmwareDownload operation failed. Disable IPSec using the portCfg fcipTunnel command. Retry the firmware download operation.
• Disable the strict fabric-wide policy using the fddCfg --fabWideSet "" command. The “absent” setting disables the fabric-wide consistency policy. Retry the firmware download operation. Message The switch is currently configured with “radiuslocal” mode. Please use the aaaconfig command to remedy it before proceeding. Probable Cause and Recommended Action The firmware download operation was attempting to downgrade a system to Fabric OS v5.1.0 or lower and radiuslocal mode is enabled.
Remove all DCC policies containing more than 256 ports using the secPolicyDelete and secPolicyActivate commands. Retry the firmware download operation. Blade troubleshooting tips Typically, issues that evolve during firmware downloads to the B-Series MP Router blade do not require explicit actions on your part.
• Ensure that the decompress process created multiple SWBDxx folders (where xx is a number) in the main folder. If the files are unpacked without folder creation, then the firmwareDownload command will be unable to locate the .plist file.
9 Configuring Directors
This chapter contains procedures that are specific to the SAN Director 2/128 and 4/256 SAN Director models. Because Directors contain interchangeable port blades, install procedures differ from the SAN Switches, which operate as fixed-port switches. For example, fixed-port models identify ports by domain, port number, while Director models identify ports by slot/port number.
The following sections tell how to identify ports on SAN Director 2/128 and 4/256 SAN Director, and how to identify ports for zoning commands. By slot and port number The port number is a number assigned to an external port to give it a unique identifier in a switch. To select a specific port in the SAN Director 2/128, and 4/256 SAN Director models, you must identify both the slot number and the port number using the format slot number/port number.
values of the first 128 ports, and using portswap on a pair of ports will exchange those ports’ area_ID and index values. Portswap is not supported for ports above 256. Table 44 and Table 45 show the area ID and index mapping for core and extended-edge PID assignment. Note that up to 255 areas, the area_ID mapping to the index is one-to-one. Beyond this, the index is similar but not exact, and in some instances the area ID is shared among multiple ports.
Table 44 Default index/area_ID Core PID assignment with no port swap (continued)
Port on   Slot 1    Slot 2    Slot 3    Slot 4    Slot 7    Slot 8    Slot 9    Slot 10
blade     Idx/Area  Idx/Area  Idx/Area  Idx/Area  Idx/Area  Idx/Area  Idx/Area  Idx/Area
19        131/131   147/147   163/163   179/179   195/195   211/211   227/227   243/243
18        130/130   146/146   162/162   178/178   194/194   210/210   226/226   242/242
17        129/129   145/145   161/161   177/177   193/193   209/209   225/225   241/241
16        128/128   144/144   160/160   176/176   192/192   208/208
Table 45 Default index/area extended-edge PID assignment with no port swap (continued)
Port on   Slot 1    Slot 2    Slot 3    Slot 4    Slot 7    Slot 8    Slot 9    Slot 10
blade     Idx/Area  Idx/Area  Idx/Area  Idx/Area  Idx/Area  Idx/Area  Idx/Area  Idx/Area
36        260/140   276/156   292/172   308/188   324/204   340/220   356/236   372/252
35        259/139   275/155   291/171   307/187   323/203   339/219   355/235   371/251
34        258/138   274/154   290/170   306/186   322/202   338/218   354/234   370/250
33        257/137   273/153   289/169   305/185   321/201   337/2
Table 45 Default index/area extended-edge PID assignment with no port swap (continued)
Port on   Slot 1    Slot 2    Slot 3    Slot 4    Slot 7    Slot 8    Slot 9    Slot 10
blade     Idx/Area  Idx/Area  Idx/Area  Idx/Area  Idx/Area  Idx/Area  Idx/Area  Idx/Area
2         18/18     34/34     50/50     66/66     82/82     98/98     114/114   2/2
1         17/17     33/33     49/49     65/65     81/81     97/97     113/113   1/1
0         16/16     32/32     48/48     64/64     80/80     96/96     112/112   0/0
Basic blade management
The following sections provide procedures for powering a port blade off and on and
400 MP Router exceptions The first time the 400 MP Router is powered on ports are persistently disabled. Ports will remain disabled until they are configured otherwise. B-Series MP Router blade (FR4-18i) exceptions You may wish to persistently disable B-Series MP Router blade ports that are not configured so they cannot join the fabric when the following scenarios apply: • You have inserted the blade into a slot that was previously empty or contained an FC4-48, FC4-32, FC4-16, or FC4-16IP.
NOTE: Some FRUs in the chassis may use significant power, yet cannot be powered off through software. For example, a missing blower FRU may change the power computation enough to affect how many slots can be powered up. The powerOffListShow command displays the power off order. Blade terminology and compatibility Before configuring a chassis, familiarize yourself with the Director CP blade and port blade nomenclature, as well as the port blade compatibilities.
CP blades CP blades determine the Director type: • If CP2 blades are installed, the Director is a SAN Director 2/128. • If CP4 blades are installed, the Director is a 4/256 SAN Director. Mixed CP blades are not supported on a single chassis, except during specific upgrade procedures detailed in the SAN Director installation guide. HP recommends that each Director have only one type of CP blade installed and that each CP (primary and secondary partition) maintains the same firmware version.
Table 48 lists the supported configurations options for Fabric OS 5.2.x. Table 49 lists configuration options and resulting slot configurations. NOTE: At the time of this document’s release, HP does not support the FC4-16IP blade. Consult http://www.hp.com for the latest, updated information.
Obtaining slot information For a SAN Director 2/128 configured as two logical switches, the chassis-wide commands display or control both logical switches. In the default configuration, SAN Director 2/128 Directors are configured as one logical switch, so the chassis-wide commands display and control the single logical switch. To display the status of all slots in the chassis 1. Connect to the switch and log in as user or admin. 1.
Configuring a new SAN Director 2/128 with two domains By default, the SAN Director 2/128 is configured as one 128-port switch (one domain). The procedure assumes that the new Director: • Has been installed and connected to power, but is not yet attached to the fabric. • Has been given an IP address, but is otherwise running factory defaults. If this is not the case, back up the current configuration before starting, so that you can restore it later if necessary. • Is running Fabric OS v4.4.0 or later.
Converting an installed SAN Director 2/128 to support two domains Fabric OS versions earlier than v4.4.0 supported only one domain for SAN Director 2/128 models (one 128-port logical switch). When you upgrade a SAN Director 2/128 director to Fabric OS v4.4.0 or later, you can use the chassisConfig command to specify two domains for the Director (two 64-port logical switches, sw0 and sw1). This conversion is for SAN Director 2/128 Directors using configuration option one (one switch, FC2-16 cards installed).
11. Enter the fabricShow command to verify that sw0 and sw1 have been merged with the fabric. 12. Enter the configShow command to verify that zoning parameters were propagated. Setting the blade beacon mode When beaconing mode is enabled, the port LEDs will flash amber in a running pattern from port 0 through port 15 and back again. The pattern continues until the user turns it off. This can be used to locate a particular blade. To set the blade beacon mode on 1. Connect to the switch and log in as admin.
10 Routing traffic About data routing and routing policies Data moves through a fabric from switch to switch and storage to server along one or more paths that make up a route. Routing policies determine the correct path for each frame of data. Whatever routing policy a switch is using applies to the VE_Ports as well. Refer to ”Using the FC-FC routing service” on page 227 for details about VE_Ports. CAUTION: For most configurations, the default routing policy is optimal, and provides the best performance.
In the following example, the routing policy for a 400 MP Router is changed from exchange-based to port-based:
switch:admin> aptpolicy
Current Policy: 3
3: Default Policy
1: Port Based Routing Policy
3: Exchange Based Routing Policy
switch:admin> switchdisable
switch:admin> aptpolicy 1
Policy updated successfully.
In a stable fabric, frames are always delivered in order, even when the traffic between switches is shared among multiple paths. However, when topology changes occur in the fabric (for example, if a link goes down), traffic is rerouted around the failure, and some frames could be delivered out of order. Most destination devices tolerate out-of-order delivery, but some do not.
Viewing routing path information The topologyShow and uRouteShow commands provide information about the routing path. 1. Connect to the switch and log in as admin. 2. Enter the topologyShow command to display the fabric topology, as it appears to the local switch.
SAN Director 2/128 and 4/256 SAN Director: Use the following syntax: urouteshow [slot/][portnumber][, domainnumber] The following entries appear: • Local Domain—Domain number of the local switch. • In Ports—Port from which a frame is received. • Domain—Destination domain of the incoming frame. • Out Port—The port to which the incoming frame will be forwarded in order to reach the destination domain. • Name—The name of the destination switch.
Viewing routing information along a path You can display detailed routing information from a source port (or area) on the local switch to a destination port (or area) on another switch. This routing information describes the full path that a data stream travels between these ports, including all intermediate switches. 1. Connect to the switch and log in as admin. 2. Enter the pathInfo command.
The information that pathInfo provides is:
• Hops: The number of switch-to-switch links (ISLs) traversed. The local switch is hop 0.
• In Port: The port that the frames come in from on this path. For hop 0, the source port.
• Domain ID: The domain ID of the switch.
• Name: The name of the switch.
• Out Port: The output port that the frames use to reach the next hop on this path. For the last hop, the destination port.
• BW: The bandwidth of the output ISL, in Gbit/sec. It does not apply to the embedded port.
11 Using the FC-FC routing service The FC-FC (Fibre Channel) Routing Service provides Fibre Channel routing between two or more fabrics without merging those fabrics. The FC-FC Routing Service can be simultaneously used as a Fibre Channel router and for SAN extension over wide area networks (WANs) using FCIP. The Fibre Channel Routing also supports interoperability with McDATA E/OS v7.x and 8.x.
Special types of ports, called an EX_Port and a VEX_Port, function somewhat like an E_Port, but terminate at the switch and do not propagate fabric services or routing topology information from one edge fabric to another. The link between an E_Port and EX_Port, or VE_Port and VEX_Port is called an interfabric Link (IFL).
fabric to another—over the backbone or edge fabric through this virtual domain—without merging the two fabrics. Translate phantom domains are sometimes referred to as “translate domains,” or “xlate domains.” If a B-Series MP Router blade is attached to an edge fabric using an EX_Port, it will create translate phantom domains in the fabric corresponding to the imported edge fabrics with active LSANs defined.
Figure 10 shows another metaSAN consisting of a host in Edge SAN 1 connecting to storage in Edge SAN 2 through a backbone fabric connecting two 4/256 SAN Directors, each containing B-Series MP Router blades.
Figure 10 Edge SANs connected through a backbone fabric
[Figure labels: two 4/256 SAN Directors with B-Series MP Router blade, ISL, Backbone Fabric, EX_Port, IFL, E_Port, Edge SAN 1, Edge SAN 2, LSAN]
Front domain consolidation
Fabric OS v5.2.
Upgrade and downgrade considerations The following considerations apply when upgrading to or downgrading from Fabric OS 5.2.x with front domain consolidation: • During an upgrade to Fabric OS v5.2 from Fabric OS v5.1: • The router switch is changed from one front domain per EX_Port to a shared front domain for the EX_Ports that are connected to the same edge fabric. • One port per edge fabric remains online and connected to the edge fabric.
For more information about the fabricShow command, see the Fabric OS Command Reference Manual. Range of output ports The edge fabric detects only one front domain from an FC router connected through multiple output ports. The output port of the front domain is not fixed to 0; the values can be in a range of 129–255. The range of the output ports connected to the xlate domain is also 129–255. This range enables the front domain to connect to 127 remote xlate domains.
The target responds by sending frames to the proxy host. Hosts and targets are exported from the edge SAN to which they are attached and, correspondingly, imported into the edge SAN reached through Fibre Channel routing. Figure 11 illustrates this concept.
Fibre Channel NAT and phantom domains Within an edge fabric or across a backbone fabric, the standard Fibre Channel FSPF protocol determines how frames are routed from the source Fibre Channel (FC) device to the destination FC device. The source or destination device can be a proxy device. When frames traverse the fabric through a 400 MP Router or 4/256 SAN Director in the backbone (BB), the frames are routed to another EX_Port or VEX_Port.
Performing verification checks Before configuring a fabric to connect to another fabric, you must perform the following verification checks on the switch or director. To perform verification checks 1. Log in to the switch or director as admin and enter the version command. Verify that Fabric OS v5.2.x is installed on the 400 MP Router or B-Series MP Router blade, as shown in the following example. switch:admin_06> version Kernel: 2.4.19 Fabric OS: v5.2.
5. Enter the secModeShow command to verify that security is disabled. switch:admin_06> secmodeshow Secure Mode: DISABLED. 6. Enter the msPlatShow command to verify that Management Server Platform database is disabled in the backbone fabric. switch:admin_06> msplatshow *MS Platform Management Service is NOT enabled. If any of the items listed in the prior steps are enabled, you can see the Fabric OS Command Reference Manual for information on how to disable the option.
5. Then enter the fosConfig --enable fcr command. switch:admin_06> fosconfig --disable fcr FC Router service is disabled switch:admin_06> fcrconfigure FC Router parameter set.
it is connected. For example, on the 4/256 SAN Director with a B-Series MP Router blade, specify the WWN of the Secure Fabric OS switch and the secrets. On the Secure Fabric OS switch, specify the WWN of the front domain (EX_Port or VEX_Port) and the secrets. To view the front domain WWN, issue the portCfgEXPort command on the Fibre Channel router side.
To view a DH-CHAP secret word database
1. Log in as admin to the 400 MP Router or 4/256 SAN Director with a B-Series MP Router blade.
2. At the telnet prompt, enter the secAuthSecret command as shown:
switch:admin_06> secauthsecret --show
WWN                      DId  Name
-----------------------------------------------------------
10:00:00:60:69:80:05:14  1    switch
For details about the secAuthSecret command, see the Secure Fabric OS Administrator’s Guide.
The following example enables the EX_Port (or VEX_Port) and assigns a Fabric ID of 30 to port 7.
-d Preferred domain ID (1-239). This command enforces the use of the same preferred domain ID for all the ports connected to the same edge fabric. When this option is specified, the preferred domain ID is compared against the online ports. If the domain ID are different, an error message is issued and the command fails. When the -d option is not specified, if there are online ports connected to the same edge fabric, the preferred domain ID is set to the preferred domain ID of those online ports.
5. After identifying such ports, enter the portCfgPersistentEnable command to enable the port, and then the portCfgShow command to verify the port is enabled.
switch:admin_06> portcfgpersistentenable 7/10
switch:admin_06> portcfgshow 7/10
Area Number:        74
Speed Level:        AUTO
Trunk Port          OFF
Long Distance       OFF
VC Link Init        OFF
Locked L_Port       OFF
Locked G_Port       OFF
Disabled E_Port     OFF
ISL R_RDY Mode      OFF
RSCN Suppressed     OFF
Persistent Disable  OFF
NPIV capability     ON
EX Port             ON
Mirror Port         ON
6.
switch:admin_06> portshow 7/10
portName:
portHealth: OFFLINE
Authentication: None
EX_Port Mode: Enabled
Fabric ID: 30
Front Phantom: state = Not OK Pref Dom ID: 160
Fabric params: R_A_TOV: 0 E_D_TOV: 0 PID fmt: auto
Authentication Type: None
Hash Algorithm: N/A
DH Group: N/A
Edge fabric's primary wwn: N/A
Edge fabric's version stamp: N/A
portDisableReason: None
portCFlags: 0x1
portFlags: 0x1 PRESENT U_PORT EX_PORT
portType: 10.
Configuring LSANs and zoning An LSAN consists of zones in two or more edge or backbone fabrics that contain the same device(s). LSANs essentially provide selective device connectivity between fabrics without forcing you to merge those fabrics. FC routers provide multiple mechanisms to manage interfabric device connectivity through extensions to existing switch management interfaces. You can define and manage LSANs using Advanced Zoning or Fabric Manager.
• Switch2 is connected to the 4/256 SAN Director with a B-Series MP Router blade using another EX_Port or VEX_Port
• Host has WWN 10:00:00:00:c9:2b:c9:0c (connected to switch1)
• Target A has WWN 50:05:07:61:00:5b:62:ed (connected to switch2)
• Target B has WWN 50:05:07:61:00:49:20:b4 (connected to switch2)
The following procedure shows how to control device communication with LSAN.
To control device communication with LSAN
1. Log in as admin and connect to switch1.
2.
8. Enter the zoneCreate command to create the LSAN lsan_zone_fabric2, which includes the host (10:00:00:00:c9:2b:6a:2c), Target A, and Target B. switch:admin_06> zonecreate "lsan_zone_fabric2", "10:00:00:00:c9:2b:c9:0c;50:05:07:61:00:5b:62:ed;50:05:07:61:00:49:20:b4" 9. Enter the cfgShow command to verify that the zones are correct.
On the 4/256 SAN Director with a B-Series MP Router blade, the host and fabric75 are imported, because both are defined by lsan_zone_fabric2 and lsan_zone_fabric75. However, target B defined by lsan_zone_fabric75 is not imported because lsan_zone_fabric2 does not allow it. When a PLOGI, PDISC, or ADISC arrives at the 4/256 SAN Director with a B-Series MP Router blade, the SID and DID of the frame are checked. If they are LSAN-zoned at both SID and DID edge fabrics, the frame will be forwarded to the DID.
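The both-sides check described above, as an added example that is not part of the original guide: a device pair is routable only when an LSAN zone in each edge fabric lists both devices, and pairs zoned on one side only are worth reviewing. The WWNs, the zone names and the lsan_zone_fabric2 member list come from this page; the membership of lsan_zone_fabric75, the backup_zone entry, the attachment sets and the case-insensitive handling of the LSAN_ prefix are assumptions made for illustration.

```python
"""Audit which device pairs two edge fabrics agree to share through LSAN zones."""
import re
from itertools import product

WWN_RE = re.compile(r"(?:[0-9a-f]{2}:){7}[0-9a-f]{2}")

# WWNs taken from the page's example.
HOST = "10:00:00:00:c9:2b:c9:0c"
TARGET_A = "50:05:07:61:00:5b:62:ed"
TARGET_B = "50:05:07:61:00:49:20:b4"

# Constructed sample data: each fabric lists the devices attached to it and
# its zones as zoneCreate-style member strings ("wwn;wwn;...").
FABRIC_75 = {
    "attached": {HOST},
    "zones": {
        "lsan_zone_fabric75": f"{HOST};{TARGET_A}",   # assumed membership
        "backup_zone": f"{HOST};{TARGET_B}",          # no LSAN_ prefix: local only
    },
}
FABRIC_2 = {
    "attached": {TARGET_A, TARGET_B},
    "zones": {"lsan_zone_fabric2": f"{HOST};{TARGET_A};{TARGET_B}"},
}


def parse_members(member_string):
    """Split a zoneCreate member list into a set of normalized port WWNs."""
    members = set()
    for raw in member_string.split(";"):
        wwn = raw.strip().lower()
        if not WWN_RE.fullmatch(wwn):
            raise ValueError(f"not a port WWN: {raw!r}")
        members.add(wwn)
    return members


def lsan_zones(zones):
    """Keep only zones that follow the LSAN_xxxx naming schema."""
    return {
        name: parse_members(members)
        for name, members in zones.items()
        if name.lower().startswith("lsan_")
    }


def zoned_together(zones, dev_a, dev_b):
    """True if at least one zone lists both devices."""
    return any(dev_a in m and dev_b in m for m in zones.values())


def classify_pairs(fabric_a, fabric_b):
    """Return (routable, one_sided) sets of (device_in_a, device_in_b) pairs.

    routable:  LSAN-zoned in both fabrics, so the router forwards the frames.
    one_sided: LSAN-zoned in only one fabric; dropped today, but one zoning
               change in the other fabric would open the path.
    """
    zones_a = lsan_zones(fabric_a["zones"])
    zones_b = lsan_zones(fabric_b["zones"])
    routable, one_sided = set(), set()
    for dev_a, dev_b in product(sorted(fabric_a["attached"]),
                                sorted(fabric_b["attached"])):
        in_a = zoned_together(zones_a, dev_a, dev_b)
        in_b = zoned_together(zones_b, dev_a, dev_b)
        if in_a and in_b:
            routable.add((dev_a, dev_b))
        elif in_a or in_b:
            one_sided.add((dev_a, dev_b))
    return routable, one_sided


if __name__ == "__main__":
    routable, one_sided = classify_pairs(FABRIC_75, FABRIC_2)
    for pair in sorted(routable):
        print("routable :", " <-> ".join(pair))
    for pair in sorted(one_sided):
        print("one-sided:", " <-> ".join(pair))
```
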
To set and display the router port cost
1. Disable any port on which you want to set the router port cost.
2. Enable admin for the EX_Port/VEX_Port with portCfgExport or portCfgVexport.
3. Enter the fcrRouterPortCost command to display the router port cost per EX_Port.
switch:admin_06> fcrrouterportcost
Port    Cost
------------------------
7/3     1000
7/4     1000
7/9     1000
7/10    1000
7/13    1000
10/0    1000
You can also use the fcrRouteShow and fcrDbgRoutShow to display the router port cost.
4.
router cost IFLs to another port group (for example ports 8–15). For VEX_Ports, you would use ports in the range of 16-23 or 24-31. You can connect multiple EX_Ports or VEX_Ports to the same edge fabric. The EX_Ports can all be on the same 400 MP Router or 4/256 SAN Director with a B-Series MP Router blade, or they can be on multiple routers. Multiple EX_Ports create multiple paths for frame routing.
The default values for R_A_TOV and E_D_TOV are the recommended values for all but very large fabrics (ones requiring four or more hops) or high-latency fabrics (such as ones using long-distance FCIP links). EX_Port frame trunking (optional) In Fabric OS v5.2.x, you can configure EX_Ports to use frame based trunking just as you do regular E_Ports. EX_Port frame trunking support is designed to provide the best utilization and balance of frames transmitted on each link between the FCR and the edge fabric.
Upgrade and Downgrade Considerations
Table 50 describes the upgrade and downgrade considerations for EX_Port Frame Trunking.
Table 50 Trunking upgrade and downgrade considerations
Upgrade or downgrade: A firmware downgrade from Fabric OS v5.2.x to Fabric OS v5.1.0
Consideration: If EX_Port trunking is on, prior to the firmware downgrade, the script displays a message requesting that you disable EX_Port trunking.
Upgrade or downgrade: A firmware upgrade from Fabric OS v5.1 to Fabric OS v5.2.
To display EX_Port trunking information 1. Log in as an admin and connect to the switch. 2. Enter the switchShow command to display trunking information for the EX_Ports. fcr_switch:admin_06> switchshow The following is an example of a master EX_Port and a slave EX_Port displayed in switchShow.
• Phantom Node WWN—The display shows the maximum versus the currently allocated phantom switch node WWNs. The phantom switch requires node WWNs for FSPF and manageability purposes. Phantom node names are allocated from the pool sequentially and are not reused until the pool is exhausted and rolls over. The last allocated phantom node WWN is persistently stored.
Routing ECHO The FC-FC Routing Service enables you to route the ECHO generated when an fcPing command is issued on a switch, providing fcPing capability between two devices in different fabrics across the 400 MP Router or 4/256 SAN Director with a B-Series MP Router blade. To check for Fibre Channel connectivity problems 1.
Interoperability with legacy FCR switches The following interoperability considerations apply when administering legacy FCR switches in the same backbone (BB) fabric as switches supporting Fabric OS v5.2.x: • When a legacy switch is connected to the fabric, a RAS log message is issued indicating that the capability of the backbone (BB) fabric is lower as legacy FCR switches (those with XPath OS and Fabric OS v5.1) support lower capability limits.
Connecting to HP M-Series or McDATA SANs Fabric OS 5.2.x lets you connect an HP StorageWorks B-Series fabric to an HP M-Series or McDATA fabric. Because of the high degree of connectivity, the devices across the remote fabrics can be shared. Fabric OS 5.2.x furnishes the FC router with the ability to connect to HP M-Series fabrics in Open mode and McDATA Fabric mode. NOTE: HP M-Series and McDATA fabrics are supported in Open mode.
NOTE: Trunking is not supported on EX_Ports connected to the McDATA fabric.
Connectivity modes
You can connect to M-Series fabrics in either McDATA Open mode or McDATA Fabric mode. If the mode is not configured correctly, the port is disabled for incompatibility. NOTE: HP M-Series and McDATA fabrics are supported in Open mode. To allow interconnectivity with McDATA SANs, the CLI command portCfgExPort uses the -m option to indicate the connectivity mode.
The following example sets port 10/12 to admin-enabled, assigns a Fabric ID of 41 and sets the port to Core PID and to Brocade mode. For complete information about any Fabric OS command, see ”Configuring interoperability mode” on page 399. switch:admin_06> portcfgexport 10/12 -a 1 -f 41 -p 1 -m 0 5. Re-enable the port by issuing the portEnable command. Switch:admin_06> portenable 10/12 6.
McDATA connection mode to McDATA fabric.
switch:admin_06> portcfgexport 10/13 -a 1 -f 37 -m 2
8. Enable the port by issuing the portEnable command.
switch:admin_06> portenable 10/13
• Connect IFL 1 and verify EX_PORT connectivity. Repeat for all HP fabric IFLs.
• Connect IFL (n) for the McDATA fabric and verify EX_PORT connectivity. Repeat for all McDATA fabric IFLs.
9. Log in to the FC router and issue the switchShow command to display the McDATA switch that is connected to the FC router EX_Port.
For information about edge fabric setup on E_ports and interswitch linking, see ”Administering ISL Trunking” on page 333. For information on EX_Port Frame trunking setup on the FCR switch, see ”Using EX_Port Frame trunking” on page 223. 11. Capture a SAN profile of the McDATA and HP SANs, identifying the number of devices in each SAN.
To prepare the McDATA fabric 1. Log in to SAN Pilot or basic EFC Manager depending upon the firmware release. 2. From the SAN Pilot left navigation menu, select Configure. 3. Select the Zoning tab, then select the Zones tab. (select Configure > Zoning on EFCM). Figure 13 SAN Pilot and EFCM zone screens NOTE: The screens provided in this section are for illustrative purposes only.
5. In SAN Pilot, click the Add button to add the specified Zone. As shown in the following illustration, when you add the new zone name, the name is displayed in the Pending Zone Set list. Figure 14 Pending Zone Set list in SAN Pilot and EFCM zone screens 6. To add devices that are connected to the HP fabric, select the Edit button in the Pending Zone set. 7. In the Modify Zone tab, enter the device WWN into the World Wide Name field and click the Add button.
In EFCM, return to the main window and select Configure, then select Activate Zone Set to launch the zone set activation window. Highlight the zone set to be activated and click Next. Click Next again, then Start to activate the zone set. Figure 15 Adding a zone set name in SAN Pilot Regardless of the method used, you should now verify that the new zone set containing your LSAN has been added. Alternately, use the following procedure: 1. Create the LSAN, using the LSAN_xxxx naming schema. 2.
5. Move back to the 400 MP Router and B-Series MP Router (FR4-18i) blade and issue the fcrProxyDevShow command to verify that the devices are configured and exported.
6. Log in to the switch and issue the nsAllShow or the nsCamShow command.
12 Administering FICON fabrics Overview of Fabric OS support for FICON IBM Fibre Connections (FICON®) is an industry-standard, high-speed input/output (I/O) interface for mainframe connections to storage devices. Fabric OS supports intermix mode operations, in which FICON and Fibre Channel technology work together. For specific information about intermix mode and other aspects of FICON, refer to the IBM Redbook, FICON® Implementation Guide (SG24-6497-01).
authenticated using digital certificates and unique private keys provided to the Switch Link Authentication Protocol (SLAP). • Switch binding is a security method for restricting devices that connect to a particular switch. If the device is another switch, this is handled by the SCC policy. If the device is a host or storage device, the Device Connection Control (DCC) policy binds those devices to a particular switch.
Types of FICON configurations There are two types of FICON configurations: • A single-switch configuration (called switched point-to-point) requires that the channel be configured to use single-byte addressing. If the channel is set up for two-byte addressing, then the cascaded configuration setup applies. This type of configuration is described in ”Configuring a single switch” on page 244. • A cascaded configuration (known as a high integrity fabric) requires a list of authorized switches.
FICON commands Table 53 summarizes the Fabric OS CLI commands that can be used for managing FICON fabrics. For detailed information on these commands, refer to the Fabric OS Command Reference Manual. Table 53 Fabric OS commands related to FICON and FICON CUP Command Description Standard Fabric OS commands: configure Sets the domain ID and the insistent domain ID mode. portSwap Swaps ports. portSwapDisable Disables the portSwap command. portSwapEnable Enables the portSwap command.
NOTE: The Fabric OS CLI supports only a subset of the management features for FICON fabrics. The full set of FICON CUP administrative procedures is available using the Fabric Manager and Web Tools software features. You can also use an SNMP agent and the FICON Management Information Base (MIB).
• Some 1-Gbit/sec storage devices cannot auto-negotiate speed with the 4/256 SAN Director or SAN Switch 4/32 ports. For these types of devices, configure ports that are connected to 1-Gbit/sec storage devices for fixed 1-Gbit/sec speed. Preparing a switch To verify and prepare a switch for use in a FICON environment, complete the following steps: 1. Connect to the switch and log in as admin. 2. If not in a cascaded environment, proceed to step 3.
CAUTION: If Security is enabled via the CLI in the FICON environment, then you should use the following syntax for the secModeEnable command: secmodeenable --lockdown=scc --currentpwd --fcs “*” Issuing the secModeEnable command as it appears above enables security and creates an SCC policy with all of the switches that currently reside in the fabric. It will also use the current password as the password for all available accounts on the switch.
7. Respond to the remaining prompts (or press Ctrl-d to accept the other settings and exit). 8. Enter the switchEnable command to re-enable the switch. switch:admin> configure Configure... Fabric parameters (yes, y, no, n): [no] yes Domain: (1..239) [3] 5 R_A_TOV: (4000..120000) [10000] E_D_TOV: (1000..5000) [2000] Data field size: (256..2112) [2112] Sequence Level Switching: (0..1) [0] Disable Device Probing: (0..1) [0] Suppress Class F Traffic: (0..1) [0] VC Encoded Address Mode: (0..
FRU failures To display FRU failure information, connect to the switch, log in as admin, and enter one of the following commands: • For the local switch: ficonshow ilir • For all switches defined in the fabric: ficonshow ilir fabric Swapping ports If a port malfunctions, or if you want to connect to different devices without having to re-wire your infrastructure, you can move a port’s traffic to another port (swap ports) without changing the I/O Configuration Data Set (IOCDS) on the mainframe computer.
Using FICON CUP Host-based management programs manage switches using CUP protocol by sending commands to an emulated control device in Fabric OS. A switch that supports CUP can be controlled by one or more host-based management programs. A mode register controls the behavior of the switch with respect to CUP itself, and with respect to the behavior of other management interfaces. FICON Management Server mode (fmsmode) must be enabled on the switch to enable CUP management features.
Enabling and disabling FICON management server mode To enable fmsmode: 1. Connect to the switch and log in as admin. 2. Enter ficoncupset fmsmode enable. To disable fmsmode: 1. Connect to the switch and log in as admin. 2. Enter ficoncupset fmsmode disable. The fmsmode setting can be changed whether the switch is offline or online.
Changing fmsmode from enabled to disabled triggers the following events: 1. A device reset is performed on the control device. 2. PDCM is no longer enforced. 3. RSCNs might be generated to some devices if PDCM removal results in changes to connectivity between a set of ports. 4. If a given port was set to “Block” or “Unblock,” that port remains disabled or enabled. 5. Serialized access to switch parameters ceases.
Displaying mode register bit settings The mode register bits are described in Table 54.
Table 54 FICON CUP mode register bits
POSC Programmed offline state control. When this bit is set on, the host is prevented from taking the switch offline. The default setting is 1 (on).
UAM User alert mode. When this bit is set on, a warning is issued when an action is attempted that will write CUP parameters on the switch. The default setting is 0 (off).
ASM Active=saved mode.
Setting mode register bits Use the ficoncupset modereg command to set the FICON CUP mode register bits for the local switch. Consider the following when changing mode register bits: • As required by the CUP protocol, the UAM bit cannot be changed using this command. • All mode register bits except UAM are saved across power on/off cycles; the UAM bit is reset to 0 following a power-on. • Mode register bits can be changed when the switch is offline or online.
Port and switch naming standards Fabric OS handles differences in port and switch naming rules between CUP and itself as follows: • CUP employs 8-bit characters in port address names and switch names; Fabric OS employs 7-bit characters. When fmsmode is enabled, all characters greater than 0x40 and not equal to 0xFF (EBCDIC code page 37 [0x25]) are allowed in the name; therefore, it is possible for a channel to set a name with nonprintable characters.
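Because a channel can store name bytes that a 7-bit console cannot print, scripts that copy port address names into logs or reports should check and escape them first. The following Python sketch is an added example, not HP or Brocade code: it applies the byte rule stated above (greater than 0x40, not 0xFF, code page 37) and renders every other byte as an escape. The function names and the sample names are constructed for illustration.

```python
"""Check and safely render port address names set through FICON CUP.

Added example. Rule taken from the text above: with fmsmode enabled, a
name byte is allowed when it is greater than 0x40 and not equal to 0xFF,
interpreted in EBCDIC code page 37. All function names are hypothetical.
"""
from __future__ import annotations

CODEC = "cp037"  # Python's built-in codec for EBCDIC code page 37


def disallowed_offsets(raw: bytes) -> list[int]:
    """Offsets of bytes that break the stated rule (<= 0x40 or == 0xFF)."""
    return [i for i, b in enumerate(raw) if b <= 0x40 or b == 0xFF]


def render_ascii(raw: bytes) -> str:
    """Render a name for a 7-bit log or terminal.

    A byte that decodes to a visible 7-bit ASCII character is shown as that
    character. Any other byte, and the backslash itself, is shown as \\xNN
    with the original EBCDIC byte value, so the result is unambiguous and
    never carries control or 8-bit characters into the output.
    """
    out = []
    for b in raw:
        ch = bytes([b]).decode(CODEC)
        if 0x21 <= ord(ch) <= 0x7E and ch != "\\":
            out.append(ch)
        else:
            out.append(f"\\x{b:02x}")
    return "".join(out)


def audit_names(names: dict[str, bytes]) -> list[dict]:
    """Build one report row per port from raw name bytes."""
    report = []
    for port, raw in sorted(names.items()):
        shown = render_ascii(raw)
        report.append({
            "port": port,
            "shown": shown,
            "rule_violations": disallowed_offsets(raw),
            # True when at least one byte had to be escaped for display.
            "needs_escaping": shown != raw.decode(CODEC),
        })
    return report


# Constructed sample names keyed by slot/port (not taken from a real switch).
SAMPLE_NAMES = {
    "1/0": "PORT1".encode(CODEC),
    # 0x41 passes the rule but does not decode to a 7-bit character.
    "1/1": "TAPE".encode(CODEC) + bytes([0x41]),
    # 0x15 is a control code below 0x40, so it breaks the rule.
    "1/2": "DISK".encode(CODEC) + bytes([0x15]),
}

if __name__ == "__main__":
    for row in audit_names(SAMPLE_NAMES):
        print(row)
```
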
Troubleshooting The following sources provide useful problem-solving information: • The standard support commands (portLogDump, supportSave, supportShow) or the Fabric Manager Event Log By default, the FICON group in the supportShow output is disabled. To enable the capture of FICON data in the supportShow output, enter the supportshowcfgenable ficon command.
Backing up FICON files The FICON file access facility is used to store configuration files. This includes IPL and other configuration files. The Fabric OS saves the IPL and all other configuration files on the switch. A maximum of 16 configuration files, including the IPL file, are supported. You can upload the configuration files saved on the switch to a management workstation using the configUpload command.
Table 55 FICON® switch configuration worksheet FICON® Switch Manufacturer:___________________Type: _________ Model: ______ S/N: ________ HCD Defined Switch ID_________(Switch ID) FICON® Switch Domain ID_________(Switch @) Cascaded Directors No _____Yes _____ Corresponding Cascaded Switch Domain ID _____ Fabric Name ________________________________ FICON® Switch F_Ports Attached N_Ports / E_Ports (CU, CPC, or ISL) Slot Port Number Number Port Address Laser Type: LX / SX 256 Administering FICON fa
Sample IOCP configuration file for SAN Switch 2/32, SAN Switch 4/32, SAN Director 2/128, and 4/256 SAN Director switches The channel subsystem controls communication between a configured channel, the control unit, and the device. The I/O Configuration Dataset (IOCDS) defines the channels, control units, and devices to the designated logical partitions (LPARs) within the server; this is defined using the Input/Output Configuration Program (IOCP).
In the following sample IOCP configuration file, the UNIT value for FICON CUP definitions is 2032 for any FICON Director regardless of vendor or platform. So all SAN Switch 2/32, SAN Switch 4/32, or SAN Director 2/128 switches require UNIT=2032 for the CUP definition. All Domain IDs are specified in hex values in the IOCP (and not in decimal values); the Domain IDs in the example are for demonstration purposes only.
/*********************************************************************/
/* MONITOR I OPTIONS */
/* */
/* XA ONLY */
/* */
/*********************************************************************/
FCD              /* FICON Director */
CHAN             /* COLLECT CHANNEL STATISTICS */
CPU              /* COLLECT CPU STATISTICS */
CYCLE(1000)      /* SAMPLE ONCE EVERY SECOND */
DEVICE(NOSG)     /* PREVENT SORT OF STORAGE GROUPS */
DEVICE(NOCHRDR)  /* CHARACTER READER STATISTICS WILL NOT BE COLLECTED */
DEVICE(COMM)     /* COMMUNICATION EQUIP
13 Configuring the distributed manager server The Fabric OS Distributed Management Server allows a SAN management application to retrieve information and administer interconnected switches, servers, and storage devices. The management server assists in the autodiscovery of switch-based fabrics and their associated topologies. A client of the management server can find basic information about the switches in the fabric and use this information to construct topology relationships.
To disable platform services 3. Connect to the switch and log in as admin. 4. Enter the msplMgmtDeactivate command. 5. Press y to confirm deactivation. switch:admin> msplmgmtdeactivate MS Platform Service is currently enabled. This will erase MS Platform Service configuration information as well as database in the entire fabric. Would you like to continue this operation? (yes, y, no, n): [no] y Request to deactivate MS Platform Service in progress......
To add a member to the ACL 1. Connect to the switch and log in as admin. 2. Enter the msConfigure command. The command becomes interactive. 3. At the select prompt, enter 2 to add a member based on its port/node WWN. 4. Enter the WWN of the host to be added to the ACL. 5. At the prompt, enter 1 to verify the WWN you entered was added to the ACL. 6. After verifying that the WWN was added correctly, enter 0 at the prompt to end the session. 7. At the “Update the FLASH?” prompt, enter y. 8.
16. Press Enter to update the nonvolatile memory and end the session. switch:admin> msconfigure 0 Done 1 Display the access list 2 Add member based on its Port/Node WWN 3 Delete member based on its Port/Node WWN select : (0..3) [1] 3 Port/Node WWN (in hex): [00:00:00:00:00:00:00:00] 20:00:00:20:37:65:ce:aa *WWN is successfully deleted from the MS ACL. 0 Done 1 Display the access list 2 Add member based on its Port/Node WWN 3 Delete member based on its Port/Node WWN select : (0..
The contents of the management server platform database are displayed. switch:admin> msplatshow ----------------------------------------------------------Platform Name: [9] "first obj" Platform Type: 5 : GATEWAY Number of Associated M.A.: 1 [35] "http://java.sun.
3. Press y to disable the discovery feature. 4. Enter the mstdDisable all command to disable the discovery feature on the entire fabric. 5. Press y to disable the discovery feature. NOTE: Disabling management server topology discovery might erase all NID entries. switch:admin> mstddisable This may erase all NID entries. Are you sure? (yes, y, no, n): [no] y Request to disable MS Topology Discovery Service in progress.... *MS Topology Discovery disabled locally.
14 Working with diagnostic features This chapter provides information on diagnostics and how to display system, port, and specific hardware information. It also describes how to set up system logging mapping (syslogd) and how to set up the offloading of error messages (supportSave). About Fabric OS diagnostics The purpose of the diagnostic subsystem is to evaluate the integrity of the system hardware.
The following example shows a typical boot sequence, including POST messages: The system is coming up, please wait... Read board ID of 0x80 from addr 0x23 Read extended model ID of 0x16 from addr 0x22 Matched board/model ID to platform index 4 PCI Bus scan at bus 0 : : : : : : Checking system RAM - press any key to stop test Checking memory address: 00100000 System RAM test using Default POST RAM Test succeeded. Press escape within 4 seconds to enter boot interface. Booting "Fabric Operating System" image.
To view the overall status of the switch 1. Connect to the switch and log in as admin. 2. Enter the switchStatusShow command: switch:admin> switchstatusshow Switch Health Report Switch Name: SWFCR IP address: 10.33.54.
To display the uptime for a switch
1. Connect to the switch and log in as admin.
2. At the command line, enter the uptime command:
switch:admin> uptime
4:43am up 1 day, 12:32, 1 user, load average: 1.29, 1.31, 1.27
switch:admin>
The uptime command displays the length of time the system has been in operation, the total cumulative amount of uptime since the system was first powered-on, the date and time of the last reboot (applies only to FOS v3.x and v2.6.
To display the port statistics 1. Connect to the switch and log in as admin. 2. At the command line, enter the portStatsShow command. Port statistics include information such as number of frames received, number of frames sent, number of encoding errors received, and number of class 2 and class 3 frames received. Refer to the Fabric OS Command Reference Manual for additional portStatsShow command information, such as the syntax for slot or port numbering.
To display a summary of port errors for a switch 1. Connect to the switch and log in as admin. 2. At the command line, enter the portErrShow command. Refer to the Fabric OS Command Reference Manual for additional portErrShow command information. switch:admin> porterrshow frames enc crc too too bad enc disc link loss loss frjt fbsy tx rx in err shrt long eof out c3 fail sync sig sig===================================================================== 0: 22 24 0 0 0 0 0 1.5m 0 7 3 0 0 0 1: 22 24 0 0 0 0 0 1.
Error Type Description frjt Frames rejected with F_RJT fbsy Frames busied with F_BSY Viewing equipment status You can display status for fans, power supply, and temperature. NOTE: The number of fans, power supply units, and temperature sensors depends on the switch type. For detailed specifications on these components, refer to the switch install guide. The specific output from the status commands varies depending on the switch type. To display the status of the fans 1.
To display temperature status
1. Connect to the switch and log in as admin.
2. At the command line, enter the tempShow command:
switch:admin> tempshow
Index  Status  Centigrade  Fahrenheit
----------------------------------------------------
1      OK      21          70
2      OK      22          72
3      OK      29          84
4      OK      24          75
5      OK      25          77
switch:admin>
Information displays for each temperature sensor in the switch. The possible temperature status values are:
OK—Temperature is within acceptable range.
FAIL—Temperature is outside of acceptable range.
Viewing the port log The Fabric OS maintains an internal log of all port activity. The port log stores entries for each port as a circular buffer. Each port has space to store 8000 log entries. When the log is full, the newest log entries overwrite the oldest log entries. Port logs are not persistent and are lost over power-cycles and reboots. If the port log is disabled, an error message displays. NOTE: Port log functionality is completely separate from the system message log.
Because a portLogDump output is long, a truncated example is presented:
switch:admin> portlogdump
task event port cmd args
-------------------------------------------------
16:30:41.780 PORT Rx 9 40 02fffffd,00fffffd,0061ffff,14000000
16:30:41.780 PORT Tx 9 0 c0fffffd,00fffffd,0061030f
16:30:42.503 PORT Tx 9 40 02fffffd,00fffffd,0310ffff,14000000
16:30:42.505 PORT Rx 9 0 c0fffffd,00fffffd,03100062
16:31:00.464 PORT Rx 9 20 02fffc01,00fffca0,0063ffff,01000000
16:31:00.
In this example, Fabric OS messages map to local7 facility level 7 in the /etc/syslog.conf file:
local7.emerg    /var/adm/swcritical
local7.alert    /var/adm/alert7
local7.crit     /var/adm/crit7
local7.err      /var/adm/swerror
local7.warning  /var/adm/swwarning
local7.notice   /var/adm/notice7
local7.info     /var/adm/swinfo
local7.debug    /var/adm/debug7
If you prefer to map Fabric OS severities to a different UNIX local7 facility level, see ”To set the facility level” on page 277.
Viewing and saving diagnostic information Enter the supportShow command to dump important diagnostic and status information to the session screen, where you can review it or capture its data. To save a set of files that customer support technicians can use to further diagnose the switch condition, enter the supportSave command.
To enable the automatic transfer of trace dumps 1. Connect to the switch and log in as admin. 2. Enter the following command: switch:admin> traceftp -e To set up periodic checking of the remote server 1. Connect to the switch and log in as admin. 2. Enter the following command: switch:admin> supportftp -t interval The interval is in hours. The minimum interval is 1 hour. Specify 0 hours to disable the checking feature. To save a comprehensive set of diagnostic files to the server 1.
15 Troubleshooting This chapter provides information on troubleshooting and the most common procedures used to diagnose and recover from problems. It also includes specific troubleshooting scenarios as examples. Troubleshooting should begin at the center of the SAN — the fabric. Because switches are located between the hosts and storage devices and have visibility into both sides of the storage network, starting with them can help narrow the search path.
Gathering information for technical support If you are troubleshooting a production system, you need to gather data quickly. As soon as a problem is observed, perform the following tasks (if using a dual CP system, run the commands on both CPs): 1. Enter the supportSave command to save RASLOG, TRACE, and supportShow (active CP only) information for the local CP to a remote FTP location. On a dual CP system, only the local CP information is saved and supportShow information is not available on the active CP.
Retrieve as many of the following items as possible before contacting HP. 1. Switch information: • Serial number (located on the chassis) • World Wide Name (obtain using licenseIdShow or wwn commands) • Fabric OS version (obtain using the version command) • Switch configuration settings • supportSave output • pdShow and saveCore output 2.
2. Regardless of the device’s zoning, the fcPing command sends the ELS frame to the destination port. A device can take any one of the following actions: • Send an ELS Accept to the ELS request. • Send an ELS Reject to the ELS request. • Ignore the ELS request. There are some devices that do not support the ELS ECHO request. In these cases, the device will either not respond to the request or send an ELS reject.
To check the Name Server (NS) 1.
To check for zoning problems 1. Enter the cfgActvShow command to determine if zoning is enabled. If zoning is enabled, it is possible that the problem is being caused by zoning enforcement (for example, two devices in different zones cannot see each other). 2. Confirm that the specific edge devices that need to communicate with each other are in the same zone. • If they are in the same zone, perform the following tasks: • Enter the portCamShow command on the host port to verify that the target is present.
8. Enter the configure command to edit the fabric parameters for the segmented switch. Refer to the Fabric OS Command Reference Manual for more detailed information. 9. Enable the switch by entering the switchEnable command. Alternatively, you can reconcile fabric parameters by entering the configUpload command for each switch. To download a correct configuration You can restore a segmented fabric by downloading a previously saved correct backup configuration to the switch.
Table 59 summarizes commands that are useful for debugging zoning issues. Table 59 Commands for debugging zoning Command Function aliCreate Use to create a zone alias. aliDelete Use to delete a zone alias. cfgCreate Use to create a zone configuration. cfgShow Displays zoning configuration. defZone Sets the default zone access mode to No Access, initializes a zoning transaction (if one is not already in progress), and creates the reserved zoning objects.
To edit zone configuration members 1. Log in to one of the switches in a segmented fabric as admin. 2. Enter the cfgShow command. 3. Print the output from the cfgShow command. 4. Start another telnet session and connect to the next fabric as an administrator. 5. Run the cfgShow command. 6. Print the output from the cfgShow command. 7. Compare the two fabric zone configurations line by line and look for an incompatible configuration. 8. Connect to one of the fabrics. 9.
Correcting I2C bus errors I2C bus errors generally indicate defective hardware or poorly seated devices or blades; the specific item is listed in the error message. Refer to the Fabric OS System Error Message Reference Manual for information specific to the error that was received. Some CPT and Environmental Monitor (EM) messages contain I2C-related information. If the I2C message does not indicate the specific hardware that might be failing, begin debugging the hardware, as this is the most likely cause.
Correcting device login issues To try to pinpoint problems with device logins, use this procedure: 1. Log in to the switch as admin. 2. Enter the switchShow command; then, check for correct logins: switch:admin> switchshow switchName: sw094135 switchType: 26.
4. Enter the portErrShow command; then, check for errors that can cause login problems.
5.
6. Enter the portLogDumpPort portid command where the port ID is the port number; then, view the device to switch communication. switch:admin> portlogdumpport 10 time task event port cmd args ------------------------------------------------12:38:21.590 SPEE sn 10 WS 00000000,00000000,00000000 12:38:21.591 SPEE sn 10 WS 000000ee,00000000,00000000 12:38:21.611 SPEE sn 10 WS 00000001,00000000,00000000 12:38:21.871 SPEE sn 10 NC 00000002,00000000,00000001 12:38:21.872 LOOP loopscn 10 LIP 8002 12:38:22.
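The port log is a per-port circular buffer that is lost on power-cycle or reboot, so it is worth capturing the output during an investigation and checking how far back each port's entries actually reach. The following Python sketch is an added example, not part of the HP guide or of Fabric OS: it parses captured portLogDump or portLogDumpPort text using the column layout shown in this guide (time, task, event, port, cmd, args) and reports entry counts and the covered time span per port. The function names are hypothetical, and it assumes entries appear in chronological order for each port.

```python
"""Parse captured portLogDump output and summarise it per port.

Added example. The column order (time task event port cmd args) is the
header shown in this guide; all function names are hypothetical.
"""
import re
from collections import Counter, defaultdict

ENTRY = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<task>\S+)\s+(?P<event>\S+)"
    r"\s+(?P<port>\d+)\s+(?P<cmd>\S+)(?:\s+(?P<args>.+?))?\s*$"
)
DAY_MS = 24 * 60 * 60 * 1000

# Entry lines copied from the two truncated samples in this guide, plus a
# prompt, a header, a separator and a cut-off entry to show what is skipped.
SAMPLE = """\
switch:admin> portlogdump
time task event port cmd args
-------------------------------------------------
16:30:41.780 PORT Rx 9 40 02fffffd,00fffffd,0061ffff,14000000
16:30:41.780 PORT Tx 9 0 c0fffffd,00fffffd,0061030f
16:30:42.503 PORT Tx 9 40 02fffffd,00fffffd,0310ffff,14000000
16:30:42.505 PORT Rx 9 0 c0fffffd,00fffffd,03100062
16:31:00.464 PORT Rx 9 20 02fffc01,00fffca0,0063ffff,01000000
12:38:21.590 SPEE sn 10 WS 00000000,00000000,00000000
12:38:21.872 LOOP loopscn 10 LIP 8002
16:31:00.
"""


def parse_portlog(text):
    """Return (records, skipped_lines); a record is one log entry as a dict."""
    records, skipped = [], []
    for line in text.splitlines():
        stripped = line.strip()
        match = ENTRY.match(stripped)
        if not match:
            if stripped:              # keep what was ignored for review
                skipped.append(stripped)
            continue
        rec = match.groupdict()
        rec["port"] = int(rec["port"])
        rec["args"] = rec["args"].split(",") if rec["args"] else []
        records.append(rec)
    return records, skipped


def _ms(stamp):
    """Convert HH:MM:SS.mmm to milliseconds since midnight."""
    hms, millis = stamp.split(".")
    hours, minutes, seconds = (int(x) for x in hms.split(":"))
    return ((hours * 60 + minutes) * 60 + seconds) * 1000 + int(millis)


def summarise(records):
    """Per port: entry count, covered span in ms, and (task, event) counts.

    Timestamps carry no date, so a step backwards in time on one port is
    treated as crossing midnight once.
    """
    per_port = defaultdict(
        lambda: {"entries": 0, "span_ms": 0, "events": Counter()}
    )
    last_seen = {}
    for rec in records:
        port, now = rec["port"], _ms(rec["time"])
        info = per_port[port]
        if port in last_seen:
            step = now - last_seen[port]
            if step < 0:
                step += DAY_MS
            info["span_ms"] += step
        last_seen[port] = now
        info["entries"] += 1
        info["events"][(rec["task"], rec["event"])] += 1
    return dict(per_port)


if __name__ == "__main__":
    recs, ignored = parse_portlog(SAMPLE)
    for port, info in sorted(summarise(recs).items()):
        print(port, info["entries"], info["span_ms"], dict(info["events"]))
    print("skipped:", ignored)
```

A short span on a busy port means older entries have already been overwritten, which is a reason to capture the log early when gathering evidence.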
Identifying media-related issues This section provides procedures that help pinpoint any media-related issues in the fabric. The tests listed in Table 60 are a combination of structural and functional tests that can be used to provide an overview of the hardware components and help identify media-related issues. • Structural tests perform basic testing of the switch circuit. If a structural test fails, replace the main board or port blade.
To test a switch’s internal components 1. Connect to the switch and log in as admin. 2. Connect the port you want to test to any other switch port with the cable you want to test. 3. Enter the crossporttest -lb_mode 5 command where 5 is the operand that causes the test to be run on the internal switch components (this is a partial list—refer to the Fabric OS Command Reference Manual for additional command information): [-nframes count]—Specify the number of frames to send.
Correcting link failures A link failure occurs when a server or storage is connected to a switch, but the link between the server/storage and the switch does not come up. This prevents the server/storage from communicating through the switch. If the switchShow command or LEDs indicate that the link has not come up properly, use one or more of the following procedures. To determine if the negotiation was successfully completed The port negotiates the link speed with the opposite side.
3. Skip point-to-point initialization. The switch changes to point-to-point initialization after the Loop Initialization Soft Assigned (LISA) phase of the loop initialization. This behavior sometimes causes trouble with old HBAs. If this is the case, skip point-to-point initialization by using the portCfgLport command. To check for a point-to-point initialization failure 1. Enter the switchShow command to confirm that the port is active and has a module that is synchronized.
Correcting marginal links A marginal link involves the connection between the switch and the edge device. Isolating the exact cause of a marginal link involves analyzing and testing many of the components that make up the link (including the switch port, switch SFP, cable, the edge device, and the edge device SFP). To troubleshoot a marginal link: 1. Enter the portErrShow command.
5. You will need an adapter to run the loopback test for the SFP. Otherwise, run the portloopbacktest on the marginal port using the loopback mode lb=5. Refer to the Fabric OS Command Reference Manual for additional information.
Loopback mode  Description
1  Port Loopback (loopback plugs)
2  External (SERDES) loopback
5  Internal (parallel) loopback (indicates no external equipment)
7  Back-end bypass & port loopback
8  Back-end bypass & SERDES loopback
9  Back-end bypass & internal loopback
6.
• VE_Port—Functions somewhat like an E_Port, but terminates at the switch and does not propagate fabric services or routing topology information from one edge fabric to another. • VEX_Port—A type of VE_Port that connects a Fibre Channel router to an edge fabric. From the point of view of a switch in an edge fabric, a VEX_Port appears as a normal VE_Port. It follows the same Fibre Channel protocol as other VE_Ports.
Supported hardware Port mirroring is supported on Condor-based ASIC platforms, including: • SAN Switch 4/32 • 4/64 SAN Switch • 400 MP Router • 4/256 SAN Director with chassis option 5 Port mirroring can be used on the following blades within a chassis: • FC4-32 32-port blade • FC4-16 16-port blade • FC4-48 48-port blade • FR4-18i routing & FCIP blade • FC4-16IP iSCSI blade on FC ports only At the time of this document’s release, HP does not support the FC4-16IP iSCSI blade. Consult http://www.hp.
How port mirroring works Port mirroring reroutes the data frames between two devices to the mirror port. Rerouting introduces latency for the data flow. The latency depends on the location of the mirror port. For a given port, the traffic received from the point of view of the switch can be captured before leaving this ASIC. Each user port is connected to an ASIC port. The user port's ingress traffic is routed to another user port on this chip, uplinks to the core switch, or E_Ports to remote domains.
There are two types of transmit filter installation: • If the E_Port is on the same chip, port mirroring installs an egress (transmitted information) filter on the source port. • If the E_Port is on a different chip, port mirroring installs the filter on the C_Ports of the other chip. To better explain how the transmit filter works on each of these types, the method used for both types is described as follows: • Traffic is received at the E_Ports destined to a source port.
Creating, deleting, and displaying port mirroring The following section describes how to use the port mirroring feature in the fabric. The method for adding a port mirror connection between two local switch ports and between a local switch port and a remote switch port is the same. To add a port mirror connection 1. Log in to the switch as admin. 2.
The switchShow command output shows the mirror port as shown in the following example. switch:admin> switchshow switchName:ESS118 switchType: 42.
16 Administering NPIV N-Port ID Virtualization (NPIV) enables a single Fibre Channel protocol port to appear as multiple, distinct ports, providing separate port identification within the fabric for each operating system image behind the port (as if each operating system image had its own unique physical port). NPIV assigns a different virtual port ID to each Fibre Channel protocol device. NPIV is designed to enable you to allocate virtual addresses without impacting your existing hardware implementation.
The following example shows the configuration of these parameters: switch:admin> switchdisable switch:admin> configure Configure... Fabric parameters (yes, y, no, n): [no] Virtual Channel parameters (yes, y, no, n): [no] F-Port login parameters (yes, y, no, n): [no] y Maximum logins per switch: (1..4032) [4032] 2048 Maximum logins per port: (1..255) [255] 126 . . .
output indicates whether or not a port is an NPIV F_Port, and identifies the number of virtual N_Ports behind it. Following is sample output from the switchShow command: switch:admin> switchshow switchName:swd77 switchType:32.
Use the portShow command to view the NPIV attributes and all the N_Port (physical and virtual) port WWNs under “portWwn of device(s) connected.” Following is sample output for portShow: switch:admin> portshow 2 portName: 02 portHealth: HEALTHY Authentication: None portDisableReason: None portCFlags: 0x1 portFlags: 0x24b03 PRESENT ACTIVE F_PORT G_PORT NPIV LOGICAL_ONLINE LOGIN NOELP LED ACCEPT portType: 10.
17 Administering Advanced Performance Monitoring (APM) Based on Frame Filtering technology and a unique performance counter engine, Advanced Performance Monitoring (APM) is a comprehensive tool for monitoring the performance of networked storage resources. It supports direct-attach, loop, and switched fabric Fibre Channel SAN topologies by: • Monitoring transaction performance from source to destination. • Reporting cyclic redundancy check (CRC) error measurement statistics.
Table 64 lists commands associated with Advanced Performance Monitoring. Advanced Performance Monitor commands are available only to users with the admin or switchAdmin roles. For detailed information on these commands, refer to the Fabric OS Command Reference Manual. Table 64 APM commands Command Description perfAddEEMonitor Add an end-to-end monitor to a port. perfAddIPMonitor Add an IP monitor to a port. perfAddReadMonitor Add a SCSI Read monitor to a port.
Displaying and clearing the CRC error count

You can use the perfShowAlpaCrc command to display the CRC error count for all AL_PA devices or for a single AL_PA on a specific active L_Port.

Example: Displaying the CRC error count for all AL_PA devices on a port

    switch:admin> perfshowalpacrc 1/1
    AL_PA CRC count
    -------------------
    0xd9 0

Example: Displaying the CRC error count for a single AL_PA device on a port

    switch:admin> perfshowalpacrc 1/1, 0xd9
    The CRC count at ALPA 0xd9 on port 1 is 0x000000000.
Adding end-to-end monitors

An end-to-end monitor counts the following items for a port: number of words received, number of words transmitted, and number of CRC errors detected in frames. 4/16 SAN Switch and 4/8 SAN Switch, SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, and SAN Director 2/128 models allow up to eight end-to-end monitors. The SAN Switch 4/32, 4/64 SAN Switch, 400 MP Router and 4/256 SAN Director models allow up to 256 end-to-end monitors shared by all ports in the same ASIC chip.
Add Monitor 0 to slot 2, port 2 on Switch x, specifying 0x051200 as the SID and 0x111eef as the DID, as shown in the following example: Monitor 0 counts the frames that have an SID of 0x051200 and a DID of 0x111eef. For monitor 0, RX_COUNT is the number of words from Host A to Dev B, TX_COUNT is the number of words from Dev B to Host A, and CRC_COUNT is the number of frames in both directions with CRC errors.
The mask is applied to all end-to-end monitors on the port. Individual masks for each monitor on the port cannot be specified.

Figure 20 Mask positions for end-to-end monitors (figure: the command perfsetporteemask 1/2, "00:00:ff" "00:00:ff" "00:00:ff" "00:00:ff" with the labels Received by port, Transmitted from port, SID mask, DID mask, AL_PA mask, Area ID mask, Domain ID mask)

To display the current end-to-end mask of a port

Enter the perfShowPortEeMask command.
Monitoring filter-based performance

Filter-based performance monitoring counts the number of times a frame with a particular pattern is transmitted by a port. Filter-based monitoring is achieved by configuring a filter for a particular purpose. The filter can be a standard filter (for example, a SCSI read command filter that counts the number of SCSI read commands that have been transmitted by the port) or a user-defined filter customized for your particular use.
Example: Adding filter-based monitors to slot 1, port 2 and displaying the results

    switch:admin> perfaddreadmonitor 1/2
    SCSI Read filter monitor #0 added
    switch:admin> perfaddwritemonitor 1/2
    SCSI Write filter monitor #1 added
    switch:admin> perfaddrwmonitor 1/2
    SCSI Read/Write filter monitor #2 added
    switch:admin> perfaddscsimonitor 1/2
    SCSI traffic frame monitor #3 added
    switch:admin> perfaddipmonitor 1/2
    IP traffic frame monitor #4 added
    switch:admin> perfmonitorshow --class FLT 1/2
    There are 5 filter-based mo
• 4/16 SAN Switch and 4/8 SAN Switch models (Fabric OS v5.0.1) Up to 7 different offsets per port (6 offsets when FMS is enabled). You can specify up to four values to compare against each offset. If more than one offset is required to properly define a filter, the bytes found at each offset must match one of the given values for the filter to increment its counter. If one or more of the given offsets does not match any of the given values, the counter does not increment.
The following example displays the monitors on slot 1, port 4 using the perfShowFilterMonitor command (the monitor numbers are listed in the KEY column) and deletes monitor number 1 on slot 1, port 4 using the perfDelFilterMonitor command:

    switch:admin> perfshowfiltermonitor 1/4
    There are 4 filter-based monitors defined on port 4.
Displaying monitor counters

Use the perfMonitorShow command to display the monitors on a specified port. For end-to-end counters, you can display either the cumulative count of the traffic detected by the monitors or a snapshot of the traffic at specified intervals.

NOTE: 4/16 SAN Switch and 4/8 SAN Switch, SAN Switch 4/32, 4/64 SAN Switch, 400 MP Router, and 4/256 SAN Director outputs do not include CRC counts.
Example: Displaying EE monitors on a port

    switch:admin> perfMonitorShow --class EE 4/5
    There are 7 end-to-end monitor(s) defined on port 53.
Clearing monitor counters

Before you clear statistics counters, verify the valid monitor numbers on a specific port using the perfMonitorShow command, to make sure the correct monitor counters are cleared. To clear statistics counters for all or a specified monitor, use the perfMonitorClear command. After the command has been executed, the telnet shell confirms that the counters on the monitor have been cleared.
Saving and restoring monitor configurations

To save the current end-to-end and filter monitor configuration settings into nonvolatile memory, use the perfCfgSave command:

    switch:admin> perfcfgsave
    This will overwrite previously saved Performance Monitoring settings in FLASH. Do you want to continue? (yes, y, no, n): [no] y
    Please wait ...
    Performance monitoring configuration saved in FLASH.

To restore a saved monitor configuration, use the perfCfgRestore command.
18 Administering Extended Fabrics

This chapter contains procedures for using the Extended Fabrics licensed feature, which extends the distance that interswitch links (ISLs) can reach over a dark fiber or DWM connection. The Extended Fabrics feature is not used over FCIP connections over IP WANs. To use extended ISL modes, you must first install the Extended Fabrics license. For details on obtaining and installing licensed features, refer to “Maintaining licensed software features” on page 33.
versions earlier than v4.0.2 and v3.0.2c, make sure that VC translation link initialization is disabled because these versions do not support it.

Choosing an Extended ISL mode

Table 67 lists the extended ISL modes for switches that have a Bloom ASIC. You can configure extended ISL modes with the portCfgLongDistance command when the Extended Fabrics license is activated.
Table 68 lists the extended ISL modes for the 4/16 SAN Switch and 4/8 SAN Switch.

Table 68 4/16 SAN Switch and 4/8 SAN Switch extended ISL modes (Goldeneye ASIC)

Mode1  Buffer allocation                     Distance                                     Earliest Fabric OS release  Extended Fabrics license required?
       1 Gbit/sec  2 Gbit/sec  4 Gbit/sec    @ 1 Gbit/sec  @ 2 Gbit/sec  @ 4 Gbit/sec
L0     3(17)a      3(17)       3(17)         6 km          3 km          1.5 km           All                         No
LE     11          16          26            10 km         10 km         10 km            v3.x, v4.x                  No
L0.5   18          31          56            25 km         25 km         25 km            5.1.
For dynamic long distance links, you can approximate the number of buffer credits using the following formula:

    Buffer credits = [(distance in km) * (data rate) * 1000] / 2112

The data rate is 1.0625 for 1 Gbit/sec, 2.125 for 2 Gbit/sec, and 4.25 for 4 Gbit/sec and Fibre Channel.

Configuring external ports

The number of ports that can be configured per port group for each switch depends on both port speed and distance.
Table 72 SAN Switch 4/32 (continued)

Speed (Gbit/sec)  Number of ports allowed at distance (km)
                  10 km     25 km           50 km           100 km         250 km         500 km
2                 32 ports  32 ports        up to 15 ports  up to 7 ports  up to 3 ports  n/a
4                 32 ports  up to 15 ports  up to 7 ports   up to 3 ports  n/a            n/a

4/64 SAN Switch

The number of ports that can be configured at various distances is summarized in Table 73.
4/256 SAN Director (FC4-32 port blades)

The number of ports that can be configured at various distances is summarized in Table 76.
To configure an extended ISL
1. Connect to the switch and log in as admin.
2. If the fabric contains HP StorageWorks 1 GB extended ISLs, use the switchDisable command to disable the switch and then use the configure command to set the fabric-wide configuration parameter fabric.ops.mode.longDistance to 1 on all switches in the fabric.
3.
19 Administering ISL Trunking

This chapter contains procedures for using the ISL Trunking licensed feature, which optimizes the use of bandwidth by allowing a group of interswitch links to merge into a single logical link.

Overview

ISL Trunking reduces or eliminates situations that require static traffic routes and individual ISL management to achieve optimal performance.
Connections between SAN Switch 4/32, 4/64 SAN Switch, and 4/256 SAN Director (using FC4-16 and FC4-32 port blades) models support these advanced features:
• Up to eight ports in one trunk group to create high performance 32-Gbit/sec ISL trunks between switches
• ISL Trunking over longer distances than other models
• Dynamic trunk master reassignment if a trunk master is disabled (on other platforms, all ports on a trunk must be disabled temporarily to reassign a master)
• 4 Gbit/sec trunk links
The maximum
• Each physical ISL uses two ports that could otherwise be used to attach node devices or other switches.
• Trunking groups can be used to resolve ISL oversubscription if the total capability of the trunking group is not exceeded.
• Consider how the addition of a new path will affect existing traffic patterns:
  • A trunking group has the same link cost as the master ISL of the group, regardless of the number of ISLs in the group.
Monitoring traffic

To implement ISL Trunking effectively, you must monitor fabric traffic to identify congested paths or to identify frequently dropped links. While monitoring changes in traffic patterns, you can adjust the fabric design accordingly, such as by adding, removing, or reconfiguring ISLs and trunking groups in problem areas.
Enabling and disabling ISL trunking

You can enable or disable ISL Trunking for a single port or for an entire switch. When you execute the commands portCfgTrunkPort or switchCfgTrunk to update the trunking configuration, the ports for which the configuration applies are disabled and re-enabled with the new trunk configuration. As a result, traffic through those ports could be disrupted.

To enable or disable ISL Trunking on one port
1. Connect to the switch and log in as admin.
2.
Setting port speeds

For long-distance ports, if a port is set to autonegotiate port speed, the maximum speed (which is 4 Gbit/sec) is assumed for reserving buffers for the port; this wastes buffers if the port is actually running at 2 Gbit/sec. For long-distance ports, it is best to set the port speed (this applies to SAN Switch 4/32 and 4/256 SAN Director only). You can set the port speed for one port or for an entire switch. Trunked ports must be set to the same speed.

To set the speed for one port
1.
To set the speed for all of the ports on the switch
1. Connect to the switch and log in as admin.
2. Enter the switchCfgSpeed command. The format is:

    switchcfgspeed speedlevel

speedlevel   Specifies the speed of the link:
• 0: Auto-negotiating mode. The port automatically configures for the highest speed.
• 1: one Gbit/sec mode. Fixes the port at a speed of one Gbit/sec. Changing the speed to one Gbit/sec causes the port to be excluded from the trunk group.
• 2: two Gbit/second mode.
This example shows three trunking groups (1, 2, and 3); ports 1, 4, and 14 are masters:

    switch:admin> trunkshow
     1:  1 ->  1 10:00:00:60:69:04:10:83 deskew 16 Master
         0 ->  0 10:00:00:60:69:04:10:83 deskew 15
     2:  4 ->  4 10:00:00:60:69:04:01:94 deskew 16 Master
         5 ->  5 10:00:00:60:69:04:01:94 deskew 15
         7 ->  7 10:00:00:60:69:04:01:94 deskew 17
         6 ->  6 10:00:00:60:69:04:01:94 deskew 16
     3: 14 -> 14 10:00:00:60:69:04:10:83 deskew 16 Master
        15 -> 15 10:00:00:60:69:04:10:83 deskew 15
    switch:admin>

Trunking over Extended
Troubleshooting trunking problems

If you have difficulty with trunking, try the solutions in this section.

Listing link characteristics

If a link that is part of an ISL Trunk fails, use the trunkDebug command to troubleshoot the problem, as shown in the following procedure:
1. Connect to the switch and log in as admin.
2. Enter the following command: trunkDebug port port, port Specifies the number of a port in an ISL Trunking group.
3. Change LD/L1/L2/L0.5 back to L0 (of non-buffer limited ports).
4. If you are in buffer-limited mode on the LD port, then increase the estimated distance.

These changes are implemented only after disabling (portDisable) and enabling (portEnable) the buffer-limited port (or buffer-limited switch). Reconfiguring a port to LD from another mode can result in the port being disabled for lack of buffers; this does not apply to the SAN Switch 4/32 and 4/256 SAN Director (using FC4-16 and FC4-32 port blades).
20 Administering Advanced Zoning

This chapter provides procedures for using the Advanced Zoning feature.

About Zoning

Zoning enables you to partition your SAN into logical groups of devices that can access each other. For example, you can partition your SAN into two zones, winzone and unixzone, so that your Windows servers and storage do not interact with your UNIX servers and storage. Zones can be configured dynamically.
Zone types

Table 80 summarizes the types of Zoning.

Table 80 Types of Zoning

Zone type       Description
Storage-based   Storage units typically implement LUN-based Zoning, also called LUN masking. LUN-based Zoning limits access to the LUNs on the storage port to the specific WWN of the server HBA. It is needed in most SANs. It functions during the probe portion of SCSI initialization. The server probes the storage port for a list of available LUNs and their properties.
Table 81 Approaches to fabric-based Zoning

Zoning approach    Description
Operating system   Zoning by operating system has issues similar to Zoning by application. In a large site, this type of zone can become very large and complex. When zone changes are made, they typically involve applications rather than a particular server type.
Zone aliases also simplify repetitive entry of zone objects such as port numbers or a WWN. For example, you can use the name “Eng” as an alias for “10:00:00:80:33:3f:aa:11”. A useful convention is to name zones for the initiator they contain. For example, if you use the alias SRV_MAILSERVER_SLT5 to designate a mail server in PCI slot 5, then the alias for the associated zone is ZNE_MAILSERVER_SLT5. This clearly identifies the server host bus adapter (HBA) associated with the zone.
• Prevents hosts from discovering unauthorized target devices.
• Ensures that the name server does not return any information to an unauthorized initiator in response to a name server query.
• Is exclusively enforced through selective information presented to end nodes through the fabric Simple Name Server (SNS).
When an initiator queries the name server for accessible devices in the fabric, the name server returns only those devices that are in the same zone as the initiator.
Devices that are not part of the zone are not returned as accessible devices. Table 82 shows the various switch models, the hardware Zoning methodology for each, and tips for best usage.

Table 82 Enforcing hardware Zoning

Fabric Type            Methodology                                                                                                   Best practice
HP StorageWorks 1 GB   Enables hardware-enforced Zoning only on domain, port zones; WWN or mixed zones are not hardware-enforced.
Figure 23 shows a fabric with four non-overlapping hardware-enforced zones.

Figure 23 Hardware-enforced non-overlapping Zones (figure labels: WWN_Zone1, Port_Zone1, Port_Zone2, Core Switch, WWN_Zone2, Zone Boundaries)

Figure 24 shows the same fabric components zoned in an overlapping fashion.
Figure 24 Hardware-enforced overlapping zones (figure labels: WWN_Zone1, Port_Zone1, Port_Zone2, Core Switch, WWN_Zone2, Zone Boundaries)

Any zone using both WWNs and domain, port entries on the 2 Gbit/sec platform relies on Name Server authentication as well as hardware-assisted (ASIC) authentication, which ensures that any PLOGI/ADISC/PDISC/ACC from an unauthorized device attempting to access a device it is not zoned with is rejected.
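Because enforcement depends on whether a zone holds domain, port entries, WWNs, or both, it helps to classify every zone before a configuration is enabled. The following Python sketch is an added example, not code from HP or Brocade: it parses constructed alicreate/zonecreate lines in the member syntax used in this chapter, resolves aliases, labels each zone as port, wwn or mixed, and computes the list a name server would return to an initiator. The zone and alias names are made up, and zonecreate is assumed to take the same name and member-list arguments as the alicreate and zoneadd examples in this chapter.

```python
import re

# Constructed sample input: "domain,port" entries and WWNs separated by
# semicolons, as in the alicreate/zoneadd examples in this chapter.
SAMPLE_CONFIG = '''
alicreate "SRV_MAIL", "10:00:00:80:33:3f:aa:11"
alicreate "array1", "2,32; 2,33"
alicreate "array2", "21:00:00:20:37:0c:66:23; 4,3"
zonecreate "ZNE_MAIL", "SRV_MAIL; array1"
zonecreate "port_zone", "1,2; array1"
zonecreate "wwn_zone", "SRV_MAIL; 21:00:00:20:37:0c:72:51"
'''

CMD_RE = re.compile(r'^(alicreate|zonecreate)\s+"([^"]+)"\s*,\s*"([^"]*)"\s*$')
WWN_RE = re.compile(r'^[0-9a-f]{2}(:[0-9a-f]{2}){7}$', re.I)
PORT_RE = re.compile(r'^\d+\s*,\s*\d+$')


def parse_config(text):
    """Return (aliases, zones): dicts mapping name -> list of raw members."""
    aliases, zones = {}, {}
    for line in text.strip().splitlines():
        # Accept typographic quotes, which often appear in copied manuals.
        line = line.strip().replace('\u201c', '"').replace('\u201d', '"')
        m = CMD_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        cmd, name, members = m.groups()
        items = [x.strip() for x in members.split(';') if x.strip()]
        (aliases if cmd == 'alicreate' else zones)[name] = items
    return aliases, zones


def resolve(members, aliases, _seen=()):
    """Expand alias names into a set of normalised 'domain,port' / WWN strings."""
    out = set()
    for m in members:
        if WWN_RE.match(m):
            out.add(m.lower())
        elif PORT_RE.match(m):
            out.add(','.join(p.strip() for p in m.split(',')))
        elif m in aliases and m not in _seen:
            out |= resolve(aliases[m], aliases, _seen + (m,))
        else:
            raise ValueError(f"undefined or recursive member: {m!r}")
    return out


def classify(members):
    """Return 'port', 'wwn', 'mixed' or 'empty' for a resolved member set."""
    kinds = {'wwn' if WWN_RE.match(m) else 'port' for m in members}
    if not kinds:
        return 'empty'
    return kinds.pop() if len(kinds) == 1 else 'mixed'


def audit(text):
    """Map zone name -> (kind, resolved member set)."""
    aliases, zones = parse_config(text)
    report = {}
    for name, raw in zones.items():
        members = resolve(raw, aliases)
        report[name] = (classify(members), members)
    return report


def name_server_view(initiator, report):
    """Devices returned to `initiator`: the other members of every zone that
    contains it, and nothing else."""
    visible = set()
    for _kind, members in report.values():
        if initiator in members:
            visible |= members - {initiator}
    return visible


if __name__ == '__main__':
    report = audit(SAMPLE_CONFIG)
    for zone, (kind, members) in sorted(report.items()):
        # Per Table 82, 1 GB switches hardware-enforce only domain,port zones.
        flag = '' if kind == 'port' else '  <- not hardware-enforced on 1 GB switches'
        print(f"{zone:10} {kind:6} {sorted(members)}{flag}")
    print(sorted(name_server_view('10:00:00:80:33:3f:aa:11', report)))
```

A zone reported as mixed only because an alias pulls in both member types is a common surprise; resolving aliases first is what exposes it.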
Rules for configuring zones

Observe the following rules when configuring zones.
• If security is a priority, you should use hard Zoning.
• The use of aliases is optional with Zoning, and using aliases requires structure when defining zones. However, aliases help administrators of a zoned fabric understand the structure and context.
• Evaluate the security requirements of the fabric. If additional security is required, add Secure Fabric OS into the fabric.
To create an alias
1. Connect to the switch and log in as admin.
2. Enter the aliCreate command.
3. Enter the cfgSave command to save the change to the defined configuration.

    switch:admin> alicreate "array1", "2,32; 2,33; 2,34; 4,4"
    switch:admin> alicreate "array2", "21:00:00:20:37:0c:66:23; 4,3"
    switch:admin> alicreate "loop1", "4,6"
    switch:admin> cfgsave
    You are about to save the Defined Zoning configuration.
    This action will only save the changes on the Defined configuration.
To delete an alias
1. Connect to the switch and log in as admin.
2. Enter the aliDelete command.
3. Enter the cfgSave command to save the change to the defined configuration.

    switch:admin> alidelete "array1"
    switch:admin> cfgsave
    You are about to save the Defined Zoning configuration.
    This action will only save the changes on the Defined configuration.
    Any changes made on the Effective configuration will not take effect until it is re-enabled.
To add devices (members) to a zone
1. Connect to the switch and log in as admin.
2. Enter the zoneAdd command.
3. Enter the cfgSave command to save the change to the defined configuration.

    switch:admin> zoneadd "greenzone", "1,2"
    switch:admin> zoneadd "redzone", "21:00:00:20:37:0c:72:51"
    switch:admin> zoneadd "bluezone", "4,6; 21:00:00:20:37:0c:66:23"
    switch:admin> cfgsave
    You are about to save the Defined Zoning configuration.
    This action will only save the changes on the Defined configuration.
Activating default zones

Typically, when you issue the cfgDisable command in a large fabric with thousands of devices, the name server indicates to all hosts that they can communicate with each other. In fact, each host can receive an enormous list of PIDs, and ultimately cause other hosts to run out of memory or crash. To ensure that all devices in a fabric do not see each other during a cfgDisable operation, you can activate a default zone.
Table 83 Zoning database limitations (continued)

Fabric OS version   Maximum database size (KB)
3.x                 128
3.1.x               96
3.2.x               256
4.x, 4.1.x, 4.2.x   128
4.4.x               256
5.0.1               256
5.0.x               256
5.1.x               256
5.2.x               1024

Before linking two switches together, it is important that you know the zone database limit of adjacent switches. For example, when switches running Fabric OS v3.2, v4.4.0, or 5.1.
Table 85 Resulting database size: 96K to 128K

Initiator               Receiver
                        Fabric OS 2.6  Fabric OS 3.1  Fabric OS 3.2  Fabric OS 4.0/4.1/4.2  Fabric OS 4.3/4.4.0  Fabric OS 5.0.0/5.0.1/5.1.x  Fibre Channel Router  XPath 7.3
Fabric OS 2.6/3.1       Segment        Segment        Segment        Segment                Segment              Segment                      Join                  Segment
Fabric OS 3.2           Segment        Segment        Join           Join                   Join                 Join                         Join                  Join
Fabric OS 4.0/4.1/4.2   Segment        Segment        Segment        Join                   Join                 Join                         Join                  Join
Fabric OS 4.3/4.4.
Table 87 Resulting database size: 256K to 1M

Initiator               Receiver
                        Fabric OS 2.6  Fabric OS 3.1  Fabric OS 3.2  Fabric OS 4.0/4.1/4.2  Fabric OS 4.3/4.4.x  Fabric OS 5.0.0/5.0.1  Fibre Channel Router  XPath 7.3
Fabric OS 4.3/4.4.0     Segment        Segment        Segment        Segment                Segment              Segment                Segment               Segment
Fabric OS 5.0.0/5.0.1   Segment        Segment        Segment        Asymmetrical Segment   Segment              Join                   Join                  Segment
Fibre Channel Router    Segment        Segment        Segment        Segment                Segment              Join                   Join                  Segment
XPath 7.
3. Enter the cfgSave command to save the change to the defined configuration.

    switch:admin> cfgadd "newcfg", "bluezone"
    switch:admin> cfgsave
    You are about to save the Defined Zoning configuration.
    This action will only save the changes on the Defined configuration.
    Any changes made on the Effective configuration will not take effect until it is re-enabled.
    Do you want to save Defined Zoning configuration only? (yes, y, no, n): [no] y

To remove zones (members) from a zone configuration
1.
2. Enter the cfgShow command with no operands.
Maintaining zone objects

While you can use the cfgDelete command to delete a zone configuration, there is a quicker and easier way to perform the same task via the zone object commands (zoneObjectExpunge, zoneObjectCopy, and zoneObjectRename). You can also copy and rename zone objects. When you copy a zone object, the resulting object has the same type as the original. Deleting a zone object also removes the object from any member lists of other objects. You can rename objects for all zone object types.
To delete a zone object
1. Connect to the switch and log in as admin.
2. Enter the cfgShow command to view the zone configuration objects you want to delete.
4. Enter the cfgShow command to verify the renamed zone object is present.
5. If you want the change preserved when the switch reboots, save it to nonvolatile (also known as “flash”) memory by entering the cfgSave command.
6. For the change to become effective, enable the appropriate zone configuration using the cfgEnable command.

For more details about the zoneObjectCopy, cfgShow, cfgEnable, and cfgSave commands, refer to the Fabric OS Command Reference Manual.
• Merging rules
  Observe these rules when merging zones:
  Local and adjacent configurations: If the local and adjacent zone database configurations are the same, they will remain unchanged after the merge.
  Effective configurations: If there is an effective configuration between two switches, the zone configuration in effect must match.
  Zone object naming: If a Zoning object has the same name in both the local and adjacent defined configurations, the object types and member lists must match.
Splitting a fabric

If the connections between two fabrics are no longer available, the fabric will segment into two separate fabrics. Each new fabric will retain the same zone configuration. If the connections between two fabrics are replaced and no changes have been made to the zone configuration in either of the two fabrics, then the two fabrics will merge back into one single fabric. If any changes that cause a conflict have been made to either zone configuration, then the fabrics might segment.
Table 88 Considerations for Zoning architecture

Item                                           Description
Type of Zoning: hard or soft (session-based)   If security is a priority, hard Zoning is recommended.
Use of aliases                                 The use of aliases is optional with Zoning. Using aliases requires structure when defining zones. Aliases will aid administrators of zoned fabric in understanding the structure and context.
Security requirements                          Evaluate the security requirements of the fabric.
21 Configuring and monitoring FCIP tunneling

The Fibre Channel over IP (FCIP) Tunneling Service is an optional feature that enables you to use Fibre Channel “tunnels” to connect SANs over IP-based networks. An FCIP tunnel transports data between a pair of Fibre Channel switches. You can have more than one TCP connection between the pair of Fibre Channel switches.
FCIP also supports:
• Configuration and management of GbE ports and the virtual ports, IP interfaces, and tunnels enabled by GbE ports
• Compression and decompression of Fibre Channel frames moving through FCIP tunnels
NOTE: off.
NOTE: In Figure 27, because FCIP was configured with VE_Ports, the switches will merge over the IP WAN to become a single fabric. If any of the VE_Ports had been configured as VEX_Ports, that portion of the fabric would remain a separate fabric, but still enable sharing of storage and server devices. Figure 27 illustrates a portion of a Fibre Channel network using FCIP. The FCIP interswitch link (VE_Ports connected over the IP WAN network) joins the office and data center SANs into a single larger SAN.
Port numbering on the B-Series MP Router blade

There are sixteen physical Fibre Channel ports and two physical GbE ports on the B-Series MP Router blade. The two GbE ports (ge0 and ge1) support up to eight FCIP tunnels each (each FCIP tunnel is represented and managed as a VE_Port or VEX_Port). Ports 0-15 correspond to the physical Fibre Channel ports, and ports 16-23 are logical Fibre Channel ports on the physical GbE port, ge0.
Port Numbering on the 400 MP Router

You do not need to specify slot numbers for the 400 MP Router. Refer to the GbE ports as ge0 and ge1, and the Fibre Channel ports are numbered 0 through 15. Moving from left to right on the front of the chassis are the sixteen Fibre Channel ports, followed by the 2 GbE ports. You manage the SilkWorm 7500 as if it had 32 Fibre Channel ports (16 standard Fibre Channel ports, and 16 virtual Fibre Channel Ports) and 2 GbE ports.
Table 90 IPSec terminology

Term   Definition
3DES   Triple DES is a more secure variant of DES; it uses 3 different 56-bit keys to encrypt blocks of 64-bit plain text. The algorithm is FIPS-approved for use by Federal agencies.
ESP    Encapsulating Security Payload is the IPSec protocol that provides confidentiality, data integrity and data source authentication of IP packets, and protection against replay attacks.
IKE negotiates SA parameters and authenticates the peer using the preshared key authentication method. Once the 2 phases of the negotiation are completed successfully, the actual encrypted data transfer can begin. IPSec policies are managed using the policy command. You can configure up to 32 IKE and 32 IPSec policies. Policies cannot be modified; they must be deleted and recreated in order to change the parameters.
Managing policies

Use the policy command to create, delete, and show IKE and IPSec policies.

To create a new policy
1. Log in to the switch as admin.
2. At the command prompt, type:

    policy --create type number [-enc encryption_method][-auth authentication_algorithm] [-pfs off|on] [-dh DH_group] [-seclife secs]

where:
type and number   The type of policy being created (IKE or IPSec) and the number for this type of policy.
The example below shows all of the IKE policies defined; in this example, there are two IKE policies.
Configuring FCIP Tunnels

You can create only one FCIP tunnel on a given pair of IP address interfaces (local and remote). You can create multiple FCIP tunnels on a single IP interface if either the local or remote IP interface is unique and does not have any other FCIP tunnel on it. When the GbE port has a valid SFP and is physically connected to any other GbE port, the status output from the switchShow command is online.
4.
The following example shows IP interfaces defined for slot 8 on GbE port ge0:

    switch:admin06> portshow ipif 8/ge0
    Port: 8/ge0
    Interface  IP Address      NetMask        MTU
    ----------------------------------------------------------
    0          192.168.100.40  255.255.255.0  1500
    1          192.168.100.41  255.255.255.0  1500
    switch:admin06> portcfg ipif 8/ge0 create 192.168.100.40 255.255.255.0 1500
    switch:admin06> portcfg ipif 8/ge0 create 192.168.100.41 255.255.255.
The following example shows two routes being added to an interface:

    switch:admin06> portcfg iproute 8/ge0 create 192.168.11.0 255.255.255.0 192.168.100.1 1
    switch:admin06> portcfg iproute 8/ge0 create 192.168.12.0 255.255.255.0 192.168.100.1 1

The syntax to delete IP routes is:

    portcfg iproute [slot/][ge]port args delete ipaddr netmask

The gateway address must be on the same IP subnet as one of the port IP addresses.
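The gateway rule can be checked offline against a planned command list before anything is typed at the switch. The following Python sketch is an added example, not part of the HP guide: it reads portcfg ipif and portcfg iproute create lines and reports every route whose gateway is not on the subnet of an IP interface on the same GbE port. The field positions (destination, netmask, gateway, then a trailing number that is ignored) are an assumption inferred from the examples above, and the third route in the sample is constructed to fail.

```python
import ipaddress

# Constructed input: the portcfg commands from the examples above, plus one
# deliberately wrong route (gateway 192.168.200.1) to show the failure case.
SAMPLE_COMMANDS = """
portcfg ipif 8/ge0 create 192.168.100.40 255.255.255.0 1500
portcfg ipif 8/ge0 create 192.168.100.41 255.255.255.0 1500
portcfg iproute 8/ge0 create 192.168.11.0 255.255.255.0 192.168.100.1 1
portcfg iproute 8/ge0 create 192.168.12.0 255.255.255.0 192.168.100.1 1
portcfg iproute 8/ge0 create 192.168.13.0 255.255.255.0 192.168.200.1 1
"""


def parse_commands(text):
    """Return (ifaces, routes).

    ifaces maps a port such as '8/ge0' to its list of IPv4Interface objects;
    routes is a list of (port, destination, netmask, gateway) strings.
    Field positions are assumed from the examples in this section.
    """
    ifaces, routes = {}, []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) < 6 or f[0] != "portcfg" or f[3] != "create":
            continue
        kind, port = f[1], f[2]
        if kind == "ipif":
            iface = ipaddress.IPv4Interface(f"{f[4]}/{f[5]}")
            ifaces.setdefault(port, []).append(iface)
        elif kind == "iproute" and len(f) >= 7:
            routes.append((port, f[4], f[5], f[6]))
    return ifaces, routes


def check_routes(text):
    """Return a list of (port, destination, gateway, problem) tuples."""
    ifaces, routes = parse_commands(text)
    problems = []
    for port, dest, mask, gw in routes:
        try:
            net = ipaddress.IPv4Network(f"{dest}/{mask}")
            gateway = ipaddress.IPv4Address(gw)
        except ValueError as exc:
            problems.append((port, dest, gw, f"invalid address: {exc}"))
            continue
        local = ifaces.get(port, [])
        if not local:
            problems.append((port, str(net), gw,
                             "no IP interface defined on this port"))
        elif not any(gateway in i.network for i in local):
            problems.append((port, str(net), gw,
                             "gateway is not on the subnet of any port IP address"))
    return problems


if __name__ == "__main__":
    for problem in check_routes(SAMPLE_COMMANDS):
        print(problem)
```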
Verifying IP connectivity

After you add the IP addresses of the routes, enter the portCmd ping command to ping a destination IP address from one of the source IP interfaces on the GbE port and verify the Ethernet IP to IP connectivity. This verification also ensures that data packets can be sent to the remote interface. You can ping a connection only if both ports have IP interfaces set. Use the portCmd --ping command to ping a destination IP address from one of the source IP interfaces on the GbE port.
Fastwrite and tape pipelining

When the FCIP link is the slowest part of the network and it affects speed, consider using fastwrite and tape write acceleration, called “tape pipelining.” Supported only in Fabric OS 5.2.x and higher, fastwrite and tape pipelining are two features that provide accelerated speeds to FCIP tunnels in some configurations:
• Fastwrite accelerates the SCSI write I/Os over FCIP.
Table 91 Using fastwrite and tape pipelining (continued) Fastwrite Tape pipelining Class 3 traffic is accelerated with fastwrite. Class 3 traffic is accelerated between host and sequential device. With sequential devices (tape drives), there are 1024 initiator-tape (IT) pairs per GbE port, but 2048 initiator-tape-LUN (ITL) pairs per GbE port. The ITL pairs are shared among the IT pairs. For example: • 2 ITL pairs for each IT pair as long as the target has two LUNs.
Supported configurations

To help understand the supported configurations, consider the configurations shown in the two figures below. In both cases, there are no multiple equal-cost paths. In Figure 32, there is a single tunnel with fastwrite and tape pipelining enabled. In Figure 33, there are multiple tunnels, but none of them create a multiple equal-cost path.
Unsupported configurations

The following example configurations are not supported with fastwrite and tape pipelining. These configurations use multiple equal-cost paths.
Configuring FCIP tunnels

After you have verified licensing and connectivity between source and destination IP interfaces, you can configure FCIP tunnels. As you plan the tunnel configurations, be aware that uncommitted rate tunnels use a minimum of 1000 Kb/sec, up to a maximum of available uncommitted bandwidth on the GbE port. The total bandwidth available on a GbE port is 1 Gbit/sec. You can configure tunnels as bidirectional entities with different commit rates in both directions.
FCIP Tunnel modify and delete options

NOTE: Using the tunnel Modify option disrupts traffic on the specified FCIP tunnel for a brief period of time.

Following is the syntax for the portCfg fcipTunnel command to modify FCIP tunnels (you must specify at least one characteristic to modify):

    portcfg fciptunnel [slot/][ge]port args [optional_args] modify [<-b comm._rate>] [<-c 0|1>] [<-f 0|1>] [<-k timeout>] [<-m time>] [<-r retransmissions>] [<-s 0|1>]

where:
-b comm.
Verifying the FCIP tunnel configuration

After you have created local and remote FCIP configurations, use the portEnable [slot/]port command to enable the port. It is recommended that you verify that the tunnel configuration operation succeeded using the portShow fcipTunnel command (be sure to specify the slot/port numbers and number of tunnels). Look at the “Status” field to verify that the tunnel is now “Active.
To verify that a VE_Port or VEX_Port is online
1. Use the switchShow command to view and verify that the FCIP tunnel is online.

    switch:admin06> portenable 8/18
    switch:admin06> portenable 8/19
    switch:admin06> switchshow
    switchName:switch
    switchType:42.
Checklist for configuring FCIP links

Use Table 92 as a checklist for creating FCIP links.

Table 92 Steps for configuring FCIP links

Step                                                                             Command
1. Enable persistently disabled ports.                                           portcfgpersistentenable [slot/]port
2. Disable the ports while performing the configuration.                         portdisable [slot/]port
3. Configure the port type as VE_Port or VEX_Port for both ports for a tunnel.   portcfgvexport [slot/][ge] port
4. Configure the IP interface for both ports of a tunnel.
About the Ipperf option

The WAN tool ipPerf (referred to simply as “ipPerf” in this chapter) is an option of the Fabric OS portCmd command. This option allows you to specify the slot and port information for displaying performance statistics for a pair of ports. For this basic configuration, you can specify the IP addresses of the endpoints, target bandwidth for the path, and optional parameters such as the length of time to run the test and statistic polling interval.
WAN Tool performance characteristics

The following table lists the end-to-end IP path performance characteristics that you can display using the portCmd ipPerf command and option. All four of the base ipPerf performance characteristics (bandwidth, loss, RTT, PMTU) are provided in the command output in Fabric OS 5.2.0 or higher.

Figure 35 WAN Tool performance characteristics

Characteristic   Description
Bandwidth        Indicates the total packets and bytes sent.
To start an ipPerf session

1. Configure the receiver test endpoint using the CP CLI. The syntax for invoking the receiver test endpoint using ipPerf for slot 8, port ge0 on an FR4-18i is as follows:

   portcmd --ipperf 8/ge0 -s 192.168.255.10 -d 192.168.255.100 -R

2. Configure the sender test endpoint using a similar CP CLI. The syntax for invoking the sender test endpoint using ipPerf for slot 8, port ge0 on an FR4-18i is as follows:

   portcmd --ipperf 8/ge0 -s 192.168.255.100 -d 192.168.255.10 -S

3.
Following is the syntax for portCmd ipPerf to display end-to-end IP path performance statistics: portCmd --ipPerf [slot]/ge# -s -d -S | -R [-r ] [-z ] [-t
To view detailed fcipTunnel statistics, you must specify either the -perf or -params options. The following example shows the portCmd fcipTunnel with the performance option to display characteristics of tunnel 0.

   switch:admin06> portshow fciptunnel 8/ge0 all
   Slot: 8 Port: ge0
   ------------------------------------------
   Tunnel ID 0
   Remote IP Addr 192.175.4.200
   Local IP Addr 192.175.4.100
   Remote WWN Not Configured
   Local WWN 10:00:00:60:69:e2:09:be
   Compression on
   Fastwrite off
   Committed Rate 300000 Kbps (0.
The following example shows the portCmd fcipTunnel with the parameters options to display the parameters of tunnel 0:

   switch:admin06> portshow fciptunnel 8/ge0 0
   Slot: 8 Port: ge0
   ------------------------------------------
   Tunnel ID 0
   Remote IP Addr 192.175.4.200
   Local IP Addr 192.175.4.100
   Remote WWN Not Configured
   Local WWN 10:00:00:60:69:e2:09:be
   Compression on
   Fastwrite off
   Committed Rate 300000 Kbps (0.
The following example shows the portShow fcipTunnel command to display IPSec information for tunnel 0:

   switch:admin06> portshow fciptunnel 8/ge0 3 -ipsec
   Port: ge0
   ------------------------------------------
   Tunnel ID 3
   Remote IP Addr 192.175.5.200
   Local IP Addr 192.175.5.100
   Remote WWN Not Configured
   Local WWN 10:00:00:05:1e:37:00:20
   Compression off
   Fastwrite on
   Tape Pipelining on
   Uncommitted bandwidth, minimum of 1000 Kbps (0.
A Configuring the PID format

Port identifiers (called PIDs) are used by the routing and zoning services in Fibre Channel fabrics to identify ports in the network. All devices in a fabric must use the same PID format, so when you add new equipment to your SAN, you might need to change the PID format on legacy equipment.
Impact of changing the fabric PID format

If your fabric contains switches that use Native PID, it is recommended that you change the format to Core PID before you add the new, higher port count switches and Directors. Also, it is recommended that you use Core PID when upgrading the Fabric OS version on 2000 and 3000 series switches.
CAUTION: After changing the fabric PID format, if the change invalidates the configuration data (see Table 91 to determine this), do not download old (pre-PID format change) configuration files to any switch on the fabric.
Table 92 shows various combinations of existing fabrics, new switches added to those fabrics, and the recommended PID format for that combination. The criteria for the recommendations are first to eliminate host reboots, and second to minimize the need for a host reboot in the future.

Table 92 PID format recommendations for adding new switches

Existing Fabric OS versions; PID format          Switch to be added   Recommendations (in order of preference)
v2.6.2 and later/v3.1.2 and later; Native PID    v2.6.
Evaluating the fabric

In addition to this section, refer to the HP StorageWorks SAN Design reference guide for information on evaluating the fabric: http://h18000.www1.hp.com/products/storageworks/san/documentation.
It is also important to understand how multipathing software reacts when one of the two fabrics is taken offline. If the time-outs are set correctly, the failover between fabrics should be transparent to the users. You should use the multipathing software to manually fail a path before starting maintenance on that fabric.

4. Perform empirical testing. Empirical testing might be required for some devices, to determine whether they bind by PID.
7. After the fabric has reconverged, use the cfgEnable command to update zoning.
8. Update the bindings for any devices manually bound by PID. This might involve changing them to the new PIDs, or preferably changing to WWN binding. For any devices automatically bound by PID, two options exist:
   a. Execute a custom procedure to rebuild the device tree online. Examples are provided in the “Converting port number to area ID” on page 391 section of this chapter.
   b. Reboot the device to rebuild the device tree.
The following maps the PID format names to the names used in the management interfaces.

PID format name      Management interface name
native PID           switch PID address mode 0
core PID             switch PID address mode 1
extended edge PID    switch PID address mode 2

Before changing the PID format, determine if host reboots will be necessary. The section “Host reboots” on page 382 summarizes the situations that might require a reboot.

Example

   switch:admin> switchdisable
   switch:admin> configure
   Configure...
1. Determine if the current switch firmware versions meet the minimum supported version levels. Table 93 lists the earliest Fabric OS version levels that support Extended Edge PID format. Use this table to determine if you need to upgrade the firmware in the switches in your fabric before you change the PID format.

Table 93 Earliest Fabric OS versions for extended edge PID format

HP StorageWorks 1 GB switches    v2.6.
Example: Configure Command on a Switch Running Fabric OS 3.1.2

   Configure...
   Fabric parameters (yes, y, no, n): [no] yes
   Domain: (1..239) [217]
   BB credit: (1..27) [16]
   R_A_TOV: (4000..120000) [10000]
   E_D_TOV: (1000..5000) [2000]
   Data field size: (256..2112) [2112]
   Sequence Level Switching: (0..1) [0]
   Disable Device Probing: (0..1) [0]
   Suppress Class F Traffic: (0..1) [0]
   SYNC IO mode: (0..10 [0]
   Switch PID Format : (0..2) [0] 2
   Per-frame Route Priority: (0..1) [0]
   Long Distance Fabric: (0..
Converting port number to area ID

Except for the following cases, the area ID is equal to the port number:
• when you perform a port swap operation
• when you enable Extended Edge (also known as “displaced PID”) PID on the Director

If you are using Extended Edge PID format (for example, the 4/256 SAN Director with configuration option 5) and would like to map the output of the port number to the area ID, use the following formula (for ports 0-127):

   a = (p + 16) % 128

where:
   a   area
   p   port number
   %   modulus (or
When the port number is greater than or equal to 128, the area ID and port number are the same. Figure 29 shows a 4/256 SAN Director with Extended Edge PID.
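The port-to-area conversion above, worked as an added Python example (not part of the original guide): it applies the formula to ports 0-127, leaves ports 128 and above unchanged, and derives the inverse so an area ID can be traced back to a physical port. The 0-255 numbering range and all function names are assumptions of this example, and port-swapped ports are not covered.

```python
"""Port number <-> area ID conversion for Extended Edge PID (added example)."""

EDGE_OFFSET = 16    # displacement in the guide's formula a = (p + 16) % 128
EDGE_SPAN = 128     # the formula applies to ports 0-127
PORT_COUNT = 256    # assumption: ports and area IDs are numbered 0-255


def _validate(value, label):
    """Reject anything that is not an integer in 0..PORT_COUNT-1."""
    if isinstance(value, bool) or not isinstance(value, int):
        raise TypeError(f"{label} must be an integer, got {value!r}")
    if not 0 <= value < PORT_COUNT:
        raise ValueError(f"{label} {value} is outside 0-{PORT_COUNT - 1}")
    return value


def port_to_area(port):
    """Area ID of a physical port number under Extended Edge PID."""
    port = _validate(port, "port")
    if port < EDGE_SPAN:
        return (port + EDGE_OFFSET) % EDGE_SPAN
    return port  # ports 128 and above keep their number as the area ID


def area_to_port(area):
    """Inverse lookup: physical port number that owns an area ID."""
    area = _validate(area, "area")
    if area < EDGE_SPAN:
        # Undo the displacement; Python's % keeps the result in 0-127.
        return (area - EDGE_OFFSET) % EDGE_SPAN
    return area


def area_table():
    """Full port -> area table, checked to be one-to-one."""
    table = {port: port_to_area(port) for port in range(PORT_COUNT)}
    if sorted(table.values()) != list(range(PORT_COUNT)):
        raise RuntimeError("two ports map to the same area ID")
    return table


if __name__ == "__main__":
    table = area_table()
    print("port  area")
    for port in (0, 15, 111, 112, 127, 128, 255):
        print(f"{port:>4}  {table[port]:>4}")
```

The inverse is the direction needed when a device binding or log entry carries an area ID and the physical port has to be located.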
Performing PID format changes

There are several routine maintenance procedures which might result in a device receiving a new PID.
Example

   switch:admin> switchdisable
   switch:admin> configure
   Configure...
   Fabric parameters (yes, y, no, n): [no] yes
   Domain: (1..239) [1]
   R_A_TOV: (4000..120000) [10000]
   E_D_TOV: (1000..5000) [2000]
   Data field size: (256..2112) [2112]
   Sequence Level Switching: (0..1) [0]
   Disable Device Probing: (0..1) [0]
   Suppress Class F Traffic: (0..1) [0]
   SYNC IO mode: (0..1) [0]
   Core Switch PID Format: (0..2) [0] 1
   Per-frame Route Priority: (0..1) [0]
   Long Distance Fabric: (0..1) [0]
   BB credit: (1..27) [16]

10.
14. Change to /dev and untar the file that was tarred in step 4. For example:

    tar -xf /tmp/jbod.tar

    Import the volume groups using vgimport. The proper usage would be vgimport -m . For example:

    vgimport -m /tmp/jbod_map /dev/jbod /dev/dsk/c64t8d0 /dev/dsk/c64t9d0

15. Activate the volume groups using vgchange. The proper usage would be vgchange -a y . For example:

    vgchange -a y /dev/jbod

16.
4. If you are not using multipathing software, unmount the volumes from their mount points using umount. The command usage is umount . For example:

   umount /mnt/jbod

5. If you are using multipathing software, use that software to remove one fabric’s devices from its configuration.
6. Remove the device entries for the fabric you are migrating. For example, if the HBA for that fabric is fcs0, execute the command:

   rmdev -Rdl fcs0

7. Connect to each switch in the fabric.
8.
5. Verify that the port area IDs have been swapped:

   portswapshow

   A table shows the physical port numbers and the logical area IDs for any swapped ports.
6. Disable the port swap feature:

   portswapdisable
B Configuring interoperability mode

This appendix provides information on setting up a heterogeneous fabric that includes HP StorageWorks switches and switches from other manufacturers. The interoperability mode enables HP StorageWorks switches and others to exchange interoperability parameters, allowing their fabrics to merge into one fabric with one principal switch and unique domain IDs. The interopMode command must be executed on all HP StorageWorks switches in the fabric.
Supported features

The following features are supported on HP StorageWorks switches in interoperability mode:
• Fabric Watch
• Fabric Access API functions
  Accessible from HP StorageWorks switches only, but switch information for non-HP StorageWorks switches is reported. The object information and zoning actions are configurable from the API.
have a McDATA switch between two HP StorageWorks switches if you are managing zoning from the HP StorageWorks switches.
• LC IBM GBICs are not supported if they are connected to a McDATA ISL.
• When a switch gets a new domain ID assigned through a fabric reconfiguration, the new domain ID is written to nonvolatile memory and the old domain ID value is overwritten. When a McDATA switch gets a new domain ID assigned through a fabric reconfiguration, it keeps the original domain ID in nonvolatile memory.
You can use the cfgSize command to check both the maximum available size and the currently saved size. If you believe you are approaching the maximum, you can save a partially completed zoning configuration and use the cfgSize command to determine the remaining space.

Zone name restrictions

The name field must contain the ASCII characters that actually specify the name, not including any required fill bytes. Names must follow these rules:
• Length must be between 1 and 64 characters.
3. Enter the interopmode 0 command to disable interoperability. This command resets a number of parameters and disables interactive mode.
4. You must reboot the switch after changing the interoperability mode:

   switch:admin> switchdisable
   switch:admin> interopmode 0
   The switch effective configuration will be lost when the operating mode is changed; do you want to continue? (yes, y, no, n): [no] y
   done.
   Interopmode is disabled
   Note: You must reboot this switch for the new change to take effect.
C Understanding legacy password behaviour

The following sections provide password information for early versions of Fabric OS firmware.

Password management information

Table 94 describes the password standards and behaviors between various versions of firmware.

Table 94 Account/password characteristics matrix

Topic v4.0.0 v4.1.0 to v4.2.0 v4.4.0 to 5.1.
Table 94 Account/password characteristics matrix (continued) Topic v4.0.0 v4.1.0 to v4.2.0 v4.4.0 to 5.1.x Does a user need to know the old passwords when changing passwords using the passwd command? Yes, except when the root user changes another user’s password. This is standard UNIX behavior; Fabric OS does not enforce any additional security. Old password is required only when changing password for the same level user password. Changing password for lower level user does not require old password.
Password prompting behaviors

Table 95 describes the expected password prompting behaviors of various Fabric OS versions.

Table 95 Password Prompting Matrix

Topic: Must all password prompts be completed for any change to take effect?
   v4.0.0: No. Partial changes of all four passwords are allowed.
   v4.1.0 and later: No. Partial changes of all four passwords are allowed.
Password migration during firmware changes

Table 96 describes the expected outcome of password settings when upgrading or downgrading firmware for various Fabric OS versions.

Table 96 Password migration behavior during firmware upgrade/downgrade

Topic: Passwords used when upgrading to a newer firmware release for the first time.
   v4.4.0 to v5.0.1: Default accounts and passwords are preserved.
   v5.0.1 to 5.1.x: Default accounts and passwords are preserved.
Table 97 Password recovery options (continued)

Topic: How to recover boot PROM password?
   v4.0.0: n/a
   v4.1.0 and later: Contact HP and provide the recovery string. Refer to “Setting the Boot PROM Password” on page 112 for instructions on setting the password with a recovery string.

Topic: How do I recover a user, admin, or factory password?
   Refer to “Recovering Forgotten Passwords” on page 116.
D Using Remote Switch

This appendix describes the concepts and procedures for using the Remote Switch feature and contains the following topics:

About Remote Switch

The Remote Switch feature, which aids in ensuring gateway compatibility, was formerly a licensed feature. Its functionality is now available as part of the Fabric OS standard feature set through the use of the portCfgIslMode command.
You might be required to reconfigure the following parameters, depending on the gateway requirements:
• R_A_TOV: Specify a Resource Allocation Timeout Value compatible with your gateway device.
• E_D_TOV: Specify an Error Detect Timeout Value compatible with your gateway device.
• Data field size: Specify the maximum Fibre Channel data field reported by the fabric. Verify the maximum data field size the network-bridge can handle. Some bridges might not be able to handle a maximum data field size of 2112.
E Zone merging scenarios

Table 98 provides information on merging zones and the expected results.

Table 98 Zone merging scenarios

Description: Switch A with a defined configuration
   Switch A: defined: cfg1: zone1: ali1; ali2 effective: none
   Switch B: defined: none effective: none
   Expected results: Configuration from Switch A to propagate throughout the fabric in an inactive state, because the configuration is not enabled.
Table 98 Zone merging scenarios (continued)

Description: cfg content mismatch
   Switch A: defined: cfg1 zone1: ali1; ali2 effective: irrelevant
   Switch B: defined: cfg1 zone1: ali3; ali4 effective: irrelevant
   Expected results: Fabric segments due to: Zone Conflict content mismatch

   Switch A: defined: cfg1 zone1: ali1; ali2 effective: irrelevant
   Switch B: defined: cfg1 zone1: ali1; ali4 effective: irrelevant
   Expected results: Fabric segments due to: Zone Conflict content mismatch

Description: Same content - different effective cfg name
   Switch A: defined: cfg1 zo