HP StorageWorks Fabric OS 6.
Legal and notice information © Copyright 2009 Hewlett-Packard Development Company, L.P. © Copyright 2009 Brocade Communications Systems, Incorporated. Hewlett-Packard Company makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.
Contents
About this guide
  Supported Fabric OS 6.2.x HP StorageWorks hardware
  Intended audience
  Related documentation
  Document conventions and symbols
  Rack stability
  Firmware upgrade and downgrade consideration
  Configupload and download considerations
  Expired licenses
  Viewing installed licenses
  Changing the password for the current login account
  Changing the password for a different account
  Local account database distribution
  Distributing the local user database
3 Configuring standard security features
  Security Protocols
  Secure file copy
  Setting up SCP for configUploads and downloads
  Adding a member to an existing ACL policy
  Removing a member from an ACL policy
  Aborting all unsaved changes
  Authentication policy for fabric elements
  AES
  Null encryption
  IPsec policies
  IPsec traffic selector
  Account management and Virtual Fabrics
  Supported platforms for Virtual Fabrics
  Supported port configurations in the HP StorageWorks 8/40 SAN Switch and HP StorageWorks 8/80 SAN Switch
  Admin Domains, zones, and zone databases
  Admin Domains and LSAN zones
  Configuration upload and download in an AD context
8 Installing and maintaining firmware
  Zone aliases
  Creating an alias
  Adding members to an alias
  Removing members from an alias
  Inter-Chassis Links
11 Routing traffic
  Routing overview
  Path versus route selection
  HP StorageWorks B-Series iSCSI Director Blade port numbering
  Enabling the iSCSI gateway service
  Enabling GbE ports
  Configuring the GbE interface
  Trunking with TI zones
  Limitations and restrictions of Traffic Isolation Routing
  Admin Domain considerations for Traffic Isolation Routing
  Virtual Fabric considerations for Traffic Isolation Routing
  Setting the maximum LSAN count
  Configuring backbone fabrics for interconnectivity
  HA and downgrade considerations for LSAN zones
  LSAN zone policies using LSAN tagging
  Enforce tag
  Displaying monitor counters
  Clearing monitor counters
  Saving and restoring monitor configurations
  Performance data collection
21 Configuring and monitoring FCIP extension services
  FCIP concepts
  Virtual ports and FCIP tunnels
  Virtual Port Types
  Starting an ipPerf session
  WAN tool ipPerf syntax
  Testing a connection
  Tracing a route
  FICON emulation requirement for a determinate path
  One Ethernet interface, one IP route and one FCIP tunnel between sites
  Traffic isolation zoning
  Allow/Prohibit for M-series directors
  Deleting a route
  Viewing IP addresses and routes
  Displaying IP routes
  FIPS
  Examples of supported configurations
Figures
  Dedicated path is not the shortest path
  Traffic isolation Routing over FCR
  TI zone in an edge fabric
Tables
  Fabric OS roles
  Permission types
  RBAC permissions matrix
  Port numbering schemes for the HP StorageWorks 4/256 SAN Director, HP StorageWorks DC SAN Backbone Director and HP StorageWorks DC04 SAN Director Switch enterprise-class platforms
  Default index/area_ID core PID assignment with no port swap
  Default index/area_ID core PID assignment with no port swap for the HP StorageWorks DC04 SAN Director Switch
  HP StorageWorks enterprise-class platform terminology and abbreviations
About this guide
This guide provides information about:
• Installing and configuring Fabric OS 6.2.x
• Managing user accounts
• Using licensed features
Supported Fabric OS 6.2.x HP StorageWorks hardware
Table 1 lists Brocade and HP StorageWorks product models supported by Fabric OS 6.2.x.
Table 1 Switch model naming matrix
Brocade product name | Equivalent HP StorageWorks B-Series product name
Brocade 5410 | HP StorageWorks EVA4400 Embedded Switch Module, 8Gb
Brocade 5480 | Brocade 8Gb SAN Switch for HP BladeSystem c-Class
Intended audience
This guide is intended for system administrators with knowledge of:
• Storage area networks
• HP StorageWorks Fibre Channel SAN switches
Related documentation
The following documents provide related information:
• HP StorageWorks Fabric OS 6.1.
CAUTION: Indicates that failure to follow directions could result in damage to equipment or data.
IMPORTANT: Provides clarifying information or specific instructions.
NOTE: Provides additional information.
TIP: Provides helpful hints and shortcuts.
Rack stability
Rack stability protects personnel and equipment.
WARNING! To reduce the risk of personal injury or damage to equipment:
• Extend leveling jacks to the floor.
• Ensure that the full weight of the rack rests on the leveling jacks.
http://www.hp.com/go/storagewarranty Subscription service HP recommends that you register your product at the Subscriber's Choice for Business website: http://www.hp.com/go/wwalerts. After registering, you will receive e-mail notification of product enhancements, new driver versions, firmware updates, and other product resources. HP websites For additional product information, see the following HP websites: • http://www.hp.com • http://www.hp.com/go/storage • http://www.hp.
1 Performing basic configuration tasks
Fabric OS overview
This chapter describes how to configure your HP SAN using the Fabric OS command line interface (CLI). Before you can configure a storage area network (SAN), you must power up the enterprise-class platform or switch and blades, and then set the IP addresses of those devices.
routeHelp          Routing help information
trackChangesHelp   Track Changes help information
zoneHelp           Zoning help information
Telnet or SSH sessions
Connect to the Fabric OS through a Telnet or SSH connection or through a console session on the serial port. The switch must also be physically connected to the network. Telnet carries credentials and session data in cleartext; prefer SSH for any management connection that crosses a network you do not fully control.
Console sessions using the serial port
Note the following behaviors for serial connections:
• Some procedures require that you connect through the serial port; for example, setting the IP address or setting the boot PROM password.
• For the HP StorageWorks 4/256 SAN Director, HP StorageWorks DC SAN Backbone Director, and HP StorageWorks DC04 SAN Director Switch enterprise-class platforms, you can connect to CP0 or CP1 using either of the two serial ports.
Connecting to Fabric OS through the serial port
1.
Table 3 describes the default administrative accounts for switches by model number.
To skip a single prompt press Enter. To skip all of the remaining prompts press Ctrl-C.
login: admin
Password:
Please change your passwords now.
Use Control-C to exit or press 'Enter' key to proceed.
for user - root
Changing password for root
Enter new password: ********
Password changed.
Saving password to stable storage.
Password saved to stable storage successfully.
Please change your passwords now.
for user - factory
Changing password for factory
Enter new password: ********
Password changed.
Displaying the network interface settings
If an IP address has not been assigned to the network interface (Ethernet), you must connect to the Fabric OS CLI using a console session on the serial port. For more information, see ”Console sessions using the serial port” on page 31. Otherwise, connect using SSH.
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the ipAddrShow command.
ecp:admin> ipaddrshow
SWITCH
Ethernet IP Address: 10.1.2.3
Ethernet Subnetmask: 255.255.
Static Ethernet addresses Use static Ethernet network interface addresses on HP StorageWorks 4/256 SAN Director, HP StorageWorks DC SAN Backbone Director, and HP StorageWorks DC04 SAN Director Switch enterprise-class platforms, and in environments where DHCP service is not available. To use static addresses for the Ethernet interface, you must first disable DHCP. You may enter static Ethernet information and disable DHCP at the same time. See ”DHCP activation” on page 35 for more information.
The DHCP client uses a DHCP vendor class identifier that allows DHCP servers to determine that the Discovers and Requests are coming from an HP switch. The vendor class identifier is the string “BROCADE” followed by the SWBD model number of the platform. For example, the vendor class identifier for a request from an HP 8/80 Base 48-ports Enabled SAN Switch is “BROCADESWBD64.” The client conforms to the latest IETF Draft Standard RFCs for IPv4, IPv6, and DHCP.
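The vendor class identifier described above is what a DHCP server (or a network monitor watching for unexpected switches appearing on a management VLAN) keys on to recognise a Fabric OS switch. The following Python is an added example, not code from this guide or from Brocade: it builds a minimal DHCPDISCOVER with option 60, then parses the options back out and matches the BROCADESWBD<model> string. The MAC address, transaction ID and the packet itself are constructed sample values; the function names are this example's own.

```python
"""Recognise a Fabric OS switch from the DHCP vendor class identifier
(option 60) it sends in its Discover/Request messages.

Added example; this is not code from the HP/Brocade guide. The packet is
constructed here from a hand-built BOOTP header plus options, and the MAC
address, transaction ID and model number 64 are made-up sample values.
"""
import re
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie that starts the options field
OPT_PAD, OPT_MSG_TYPE, OPT_VENDOR_CLASS, OPT_END = 0, 53, 60, 255
DHCPDISCOVER = 1

# "BROCADE" followed by the SWBD model number, as the guide describes.
FABRIC_OS_VENDOR_CLASS = re.compile(r"^BROCADESWBD(\d+)$")


def build_discover(vendor_class: bytes, xid: int = 0x1234ABCD) -> bytes:
    """Build a minimal DHCPDISCOVER: 236-byte BOOTP header, cookie, options."""
    chaddr = bytes.fromhex("00051e000001") + b"\x00" * 10   # constructed MAC, padded to 16
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                      # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,                  # xid, secs, flags (broadcast bit set)
        b"\x00" * 4, b"\x00" * 4, b"\x00" * 4, b"\x00" * 4,   # ciaddr yiaddr siaddr giaddr
        chaddr, b"\x00" * 64, b"\x00" * 128)                 # chaddr, sname, file
    options = (bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
               + bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class
               + bytes([OPT_END]))
    return header + DHCP_MAGIC + options


def parse_options(packet: bytes) -> dict:
    """Return {option_code: value_bytes} for a DHCP packet.

    Rejects packets without the magic cookie and any option whose length
    byte runs past the end of the buffer, so a malformed or truncated
    message cannot yield a bogus vendor class.
    """
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet: magic cookie missing")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header at offset %d" % i)
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d length %d overruns the packet" % (code, length))
        options[code] = value
        i += 2 + length
    return options


def is_wellformed(packet: bytes) -> bool:
    """True if parse_options accepts the packet."""
    try:
        parse_options(packet)
        return True
    except ValueError:
        return False


def fabric_os_model(packet: bytes):
    """Return the SWBD model number as an int when option 60 is the Fabric OS
    vendor class, otherwise None (including for non-DHCP input)."""
    if not is_wellformed(packet):
        return None
    vendor = parse_options(packet).get(OPT_VENDOR_CLASS)
    if vendor is None:
        return None
    match = FABRIC_OS_VENDOR_CLASS.match(vendor.decode("ascii", "replace"))
    return int(match.group(1)) if match else None


if __name__ == "__main__":
    # 64 is the SWBD number the guide gives for the HP 8/80 SAN Switch
    print(fabric_os_model(build_discover(b"BROCADESWBD64")))   # 64
```

The parser deliberately refuses an option whose length byte points past the end of the buffer rather than silently returning a short value; that is the case a hand-crafted packet on the management network would exercise.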
IPv6 autoconfiguration IPv6 can assign multiple IP addresses to each network interface. Each interface is configured with a link local address in almost all cases, but this address is accessible only from other hosts on the same network. To provide for wider accessibility, interfaces are typically configured with at least one additional global scope IPv6 address.
2. Enter the date command, using the following syntax: date "mmddHHMMyy" The values represent the following: • mm is the month; valid values are 01 through 12. • dd is the date; valid values are 01 through 31. • HH is the hour; valid values are 00 through 23. • MM is minutes; valid values are 00 through 59. • yy is the year, valid values are 00-37 and 70-99 (year values from 70-99 are interpreted as 1970-1999, year values from 00-37 are interpreted as 2000-2037).
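A switch whose clock is wrong produces audit and RASLOG timestamps that cannot be correlated with the rest of the estate, so it is worth validating the date string before it is typed in. The Python below is an added example, not code from the guide: it applies the field ranges and the two-digit year windows stated above, and additionally rejects impossible calendar dates (31 April), which the text does not discuss. The function names are this example's own.

```python
"""Validate and convert the "mmddHHMMyy" argument the Fabric OS date command
takes, applying the two-digit year windows the guide states.

Added example, not from the guide. Calendar validity (no 31 April) is
enforced here too, which the text does not mention.
"""
from datetime import datetime


def parse_switch_date(s: str) -> datetime:
    """Convert mmddHHMMyy to a datetime or raise ValueError with the reason."""
    if len(s) != 10 or not s.isdigit():
        raise ValueError('expected ten digits in the form "mmddHHMMyy"')
    mm, dd, hh, mi, yy = (int(s[i:i + 2]) for i in range(0, 10, 2))
    if 0 <= yy <= 37:
        year = 2000 + yy          # 00-37 is interpreted as 2000-2037
    elif 70 <= yy <= 99:
        year = 1900 + yy          # 70-99 is interpreted as 1970-1999
    else:
        raise ValueError("yy must be 00-37 or 70-99; 38-69 is not representable")
    if not 1 <= mm <= 12:
        raise ValueError("mm must be 01-12")
    if not 1 <= dd <= 31:
        raise ValueError("dd must be 01-31")
    if not 0 <= hh <= 23:
        raise ValueError("HH must be 00-23")
    if not 0 <= mi <= 59:
        raise ValueError("MM must be 00-59")
    try:
        return datetime(year, mm, dd, hh, mi)   # rejects e.g. 31 April
    except ValueError as exc:
        raise ValueError("not a real calendar date: %s" % exc) from None


def is_valid_switch_date(s: str) -> bool:
    """Convenience wrapper: True if the string would be accepted."""
    try:
        parse_switch_date(s)
        return True
    except ValueError:
        return False


def format_switch_date(dt: datetime) -> str:
    """Inverse of parse_switch_date for a datetime the switch can represent."""
    if not 1970 <= dt.year <= 2037:
        raise ValueError("year %d is outside the 1970-2037 window" % dt.year)
    return dt.strftime("%m%d%H%M%y")
```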
2. Enter the tsTimeZone command as follows:
switch:admin> tstimezone [--interactive] | [timezone_fmt]
• Use tsTimeZone with no parameters to display the current time zone setting.
• Use --interactive to list all of the time zones supported by the firmware.
• Use timezone_fmt to set the time zone by Country/City or by time zone ID, such as PST.
The following example shows how to display the current time zone setup and how to change the time zone to US/Central.
Synchronizing the local time with an external source The tsClockServer command accepts multiple server addresses in either IPv4, IPv6, or DNS name formats. When multiple NTP server addresses are passed, tsClockServer sets the first obtainable address as the active NTP server. The rest are stored as backup servers that can take over if the active NTP server fails. The principal or primary FCS switch synchronizes its time with the NTP server every 64 seconds. 1.
Customizing chassis names 1. Connect to the switch and log in as admin. 2. Enter the chassisName command using the following syntax: switch:admin> chassisname newname Where newname is the new name for the enterprise-class platform. It is not necessary to use quotation marks. 3. Record the new chassis name for future reference.
Fabric information is displayed, including the domain ID (D_ID).
switch:admin> fabricshow
Switch ID   Worldwide Name            Enet IP Addr   FC IP Addr   Name
-------------------------------------------------------------------------
  2: fffc02 10:00:00:60:69:e0:01:46   10.32.220.1    0.0.0.0      "ras001"
  3: fffc03 10:00:00:60:69:e0:01:47   10.32.220.2    0.0.0.0      "ras002"
  5: fffc05 10:00:00:05:1e:34:01:bd   10.32.220.5    0.0.0.0      "ras005"
             fec0:60:69bc:63:205:1eff:fe34:1bd
  6: fffc06 10:00:00:05:1e:34:02:3e   10.32.220.6    0.0.0.
5. Enter a unique domain ID at the Domain prompt. Use a domain ID value from 1 through 239 for normal operating mode (FCSW compatible): Domain: (1..239) [1] 3 6. Respond to the remaining prompts, or press Ctrl-d to accept the other settings and exit. 7. Enter the switchEnable command to re-enable the switch.
Table 4 License requirements (continued)
Feature | License | Where license should be installed
FICON XRC Sequence Emulation over an FCIP Tunnel | FICON XRC High-Performance Extension over FCIP/FC | Local and attached switches.
FIPS | No license required. | n/a
Firmware download | No license required. Firmwaredownload is a command and comes with the OS on the switch. | n/a
Full fabric | Full Fabric | Local switch. May be required on attached switches.
Speed | 8 Gb/s license needed to support 8 Gb/s on the HP StorageWorks 8/8 and 8/24 SAN Switch, HP StorageWorks 8/40 SAN Switch, and HP StorageWorks 8/80 SAN Switch only. This license is installed by default and you should not remove it. | Local switch
SSH public key | No license required. | n/a
Top Talkers | Advanced Performance Monitoring | Local switch and attached switches.
Traffic isolation | No license required. |
Time-based licenses A time-based license applies a try-before-you-buy approach to certain features so that you can experience the feature and its capabilities prior to buying the license. Once you have installed the license, you are given a time limit to use the feature.
http://webkey.external.hp.com/welcome.asp
The Hewlett-Packard Authorization Center website main menu is displayed.
2. Click Generate a license key. The HP StorageWorks Software License Key instruction page opens.
[Figure: FC router topology showing a Brocade 7500 with E_Port and EX_Port IFLs between Fabric 1 and Fabric 2, with a proxy host and proxy target as imported devices.]
3. Enter the information in the required fields.
4. Follow the onscreen instructions to generate multiple license keys if applicable.
5. Click Next.
Some features may require additional configuration, or you may need to disable and re-enable the switch to make them operational; see the feature documentation for details.
switch:admin> licenseshow
aAYtMJg7tmMZrTZ9JTWBC4SXWLJMY3QfBJYHG:
    Fabric license
    Remote Switch license
    Remote Fabric license
    Extended Fabric license
    Entry Fabric license
    Fabric Watch license
    Performance Monitor license
    Trunking license
    Security license (not supported as of FOS 6.
Ports on Demand The HP StorageWorks 4/8 and 4/16 SAN Switch, HP StorageWorks 8/8 and 8/24 SAN Switch models can be purchased with 8 ports and no E_Port, 8 ports with full fabric access, or 16 ports with full fabric access. If you purchase the HP 4/x SAN Switch or HP Enabled SAN Switch with 8 ports enabled, you can activate unlicensed ports in 4-port increments up to 16 ports by purchasing and installing the Ports on Demand optional licensed product.
IMPORTANT: If you enable or disable an active port you will disrupt any traffic and potentially lose data flowing on that port. If the port is connected to another switch, you will segment the switch from the fabric and all traffic flowing between the disabled port and the fabric is lost.
Activating Ports on Demand
1. Connect to the switch and log in using an account assigned to the admin role.
2. Optional: To verify the current states of the ports, use the portShow command.
Example of manually assigned POD licenses:
switch:admin> licenseport --show
 24 ports are available in this switch
 Full POD license is installed
 Static POD method is in use
 24 port assignments are provisioned for use in this switch:
   12 port assignments are provisioned by the base switch license
   12 port assignments are provisioned by a full POD license
 24 ports are assigned to installed licenses:
   12 ports are assigned to the base switch license
   12 ports are assigned to the full POD license
 Ports assigned to t
Disabling Dynamic Ports on Demand
Disabling the Dynamic POD feature changes the POD method to static and erases any prior port license associations or assignments the next time the switch is rebooted.
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the licensePort --method command with the static option to change the license assignment method to static.
switch:admin> licenseport --method static
The POD method has been changed to static.
2. Enter the licensePort --show command to verify that there are port reservations still available.
After a port is assigned to the POD set, the port is licensed until it is manually removed from the POD port set using the licensePort --release command. When a port is released from its POD port set (Base, Single, or Double), it creates a vacancy in that port set. 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the switchDisable command to take the switch offline. switch:admin> switchdisable 3.
IMPORTANT: The fabric will be reconfigured if the port you are enabling or disabling is connected to another switch. The switch whose port has been disabled will be segmented from the fabric and all traffic flowing between it and the fabric will be lost. Disabling a port 1. Connect to the switch and log in using an account assigned to the admin role. 2.
Before connecting a switch to a fabric that contains switches running different firmware versions, you must first set the same PID format on all switches. The presence of different PID formats in a fabric causes fabric segmentation. • For information on PID formats and related procedures, see ”PID format selection” on page 525. • For information on configuring the routing of connections, see Chapter 11, ”Routing traffic” on page 283.
2. Connect to the switch at one end of the gateway and log in using an account assigned to the admin role. 3.
4. Enter the slotShow -m command to display the inventory and the current status of each slot in the system.
2. Enter the fabricShow command. This command displays a summary of all the switches in the fabric.
switch:admin> fabricshow
Switch ID   Worldwide Name            Enet IP Addr   FC IP Addr   Name
-------------------------------------------------------------------------
  2: fffc02 10:00:00:60:69:e0:01:46   10.32.220.1    0.0.0.0      "ras001"
  3: fffc03 10:00:00:60:69:e0:01:47   10.32.220.2    0.0.0.0      "ras002"
  5: fffc05 10:00:00:05:1e:34:01:bd   10.32.220.5    0.0.0.0      "ras005"
             fec0:60:69bc:63:205:1eff:fe34:1bd
  6: fffc06 10:00:00:05:1e:34:02:3e   10.
The number of devices listed should reflect the number of devices that are connected.
Displaying switches in Access Gateway mode
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the agShow command.
switch:admin> agshow
Worldwide Name            Ports  Enet IP Addr   Firmware  Local/Remote  Name
--------------------------------------------------------------
10:00:00:05:1e:02:1d:b0   16     10.32.53.4     v6.1.0    local         ag_01
10:00:00:05:1e:03:4b:e7   24     10.32.60.95    v6.1.
The status of the track changes feature is displayed as either on or off. The display includes whether or not the track changes feature is configured to send SNMP traps.
switch:admin> trackchangesshow
Track changes status: ON
Track changes generate SNMP-TRAP: NO
switch:admin>
Viewing the switch status policy threshold values
The policy parameter determines the number of failed or inoperable units for each contributor that triggers a status change in the switch.
SAN Switch, HP StorageWorks 8/40 SAN Switch, HP StorageWorks 8/80 SAN Switch, and HP StorageWorks 400 Multi-Protocol Router
switch:admin> switchstatuspolicyset
To change the overall switch status policy parameters
The current overall switch status policy parameters:
                    Down    Marginal
----------------------------------
PowerSupplies        2        1
Temperatures         2        1
Fans                 2        1
Flash                0        1
MarginalPorts        2        1
FaultyPorts          2        1
MissingSFPs          0        0
Note that the value, 0, for a parameter, means that it is NOT used in the calculation.
Auditable events are generated by the switch and streamed to an external host through a configured system message log daemon (syslog). You specify a filter on the output to select the event classes that are sent through the system message log. The filtered events are streamed chronologically and sent to the system message log on an external host in the specified audit message format. This ensures that they can be easily distinguished from other system message log events that occur in the network.
Audit events have the following message format (field names as shown by the sample messages below):
AUDIT, <timestamp>, [<event ID>], <severity>, <event class>, <user ID>/<role>/<IP address>/<interface>/<application name>, <admin domain>/<switch name>/<FID>, <reserved field>, <event-specific information>
Switch names are logged for switch components and enterprise-class platform names for enterprise-class platform components. For example, an enterprise-class platform name may be FWDL or RAS and a switch component name may be zone, name server, or SNMP.
ad_0/ras007/FID 128, , Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: 10.32.220.137.
Oct 10 08:52:23 10.32.220.7 raslogd: 2008/10/10-08:20:36, [CONF-1001], 13, WWN 10:00:00:05:1e:34:02:0c | FID 128, INFO, ras007, configUpload completed successfully. All config parameters are uploaded.
Oct 10 09:00:04 10.32.220.7 raslogd: AUDIT, 2008/10/10-08:28:16 (GMT), [SEC-3021], INFO, SECURITY, admin/NONE/10.32.220.
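Once AUDIT messages reach the syslog host they are only useful if something reads them. The Python below is an added example, not code from the guide or from Brocade: it parses AUDIT lines in the layout shown above, ignores ordinary RASLOG lines, and counts failed logins per source address, which is the signature a password-guessing attempt leaves even when it rotates accounts to stay under the per-account lockout threshold. The sample log is constructed; the switch name, addresses, the SEC-3022 event ID and the "Status: failed" wording for a failed login are assumed for illustration.

```python
"""Parse Fabric OS AUDIT messages at the syslog host and flag sources with
repeated failed logins.

Added example, not code from the guide. The sample lines are constructed
in the AUDIT layout the guide shows (plus one ordinary RASLOG line that must
be ignored); SEC-3022 and "Status: failed" are assumed for illustration.
"""
import re
from collections import Counter

AUDIT_RE = re.compile(
    r"^(?P<syslog_ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<relay>\S+) raslogd: "
    r"AUDIT, (?P<ts>\S+) \((?P<tz>[^)]*)\), \[(?P<event_id>[^\]]+)\], "
    r"(?P<severity>\w+), (?P<cls>\w+), "
    r"(?P<user>[^/]*)/(?P<role>[^/]*)/(?P<ip>[^/]*)/(?P<iface>[^/]*)/(?P<app>[^,]*),"
    r"(?P<ad>[^/]*)/(?P<switch>[^/]*)/(?P<fid>[^,]*), (?P<reserved>[^,]*), (?P<info>.*)$"
)

# Constructed sample: one success, one non-AUDIT RASLOG line, four failures.
SAMPLE_LOG = """\
Oct 10 09:00:04 10.32.220.7 raslogd: AUDIT, 2008/10/10-08:28:16 (GMT), [SEC-3021], INFO, SECURITY, admin/NONE/10.32.220.137/telnet/CLI,ad_0/ras007/FID 128, , Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: 10.32.220.137.
Oct 10 08:52:23 10.32.220.7 raslogd: 2008/10/10-08:20:36, [CONF-1001], 13, WWN 10:00:00:05:1e:34:02:0c | FID 128, INFO, ras007, configUpload completed successfully. All config parameters are uploaded.
Oct 10 09:01:10 10.32.220.7 raslogd: AUDIT, 2008/10/10-08:29:22 (GMT), [SEC-3022], INFO, SECURITY, admin/NONE/10.32.220.200/ssh/CLI,ad_0/ras007/FID 128, , Event: login, Status: failed, Info: Failed login attempt via REMOTE, IP Addr: 10.32.220.200.
Oct 10 09:01:14 10.32.220.7 raslogd: AUDIT, 2008/10/10-08:29:26 (GMT), [SEC-3022], INFO, SECURITY, admin/NONE/10.32.220.200/ssh/CLI,ad_0/ras007/FID 128, , Event: login, Status: failed, Info: Failed login attempt via REMOTE, IP Addr: 10.32.220.200.
Oct 10 09:01:19 10.32.220.7 raslogd: AUDIT, 2008/10/10-08:29:31 (GMT), [SEC-3022], INFO, SECURITY, root/NONE/10.32.220.200/ssh/CLI,ad_0/ras007/FID 128, , Event: login, Status: failed, Info: Failed login attempt via REMOTE, IP Addr: 10.32.220.200.
Oct 10 09:02:01 10.32.220.7 raslogd: AUDIT, 2008/10/10-08:30:13 (GMT), [SEC-3022], INFO, SECURITY, admin/NONE/10.32.220.137/telnet/CLI,ad_0/ras007/FID 128, , Event: login, Status: failed, Info: Failed login attempt via REMOTE, IP Addr: 10.32.220.137.
"""


def info_fields(info: str) -> dict:
    """Split 'Event: login, Status: success, Info: ...' into a dict."""
    out = {}
    for part in info.split(", "):
        key, sep, value = part.partition(": ")
        if sep:
            out[key] = value.rstrip(".")
    return out


def parse_audit(line: str):
    """Return the AUDIT fields as a dict, or None for any other syslog line."""
    m = AUDIT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["details"] = info_fields(rec["info"])
    return rec


def failed_logins_by_source(lines, threshold: int = 3) -> dict:
    """Count failed logins per source IP across all accounts and return the
    sources at or above threshold."""
    failures = Counter()
    for line in lines:
        rec = parse_audit(line)
        if rec is None or rec["cls"] != "SECURITY":
            continue
        d = rec["details"]
        if d.get("Event") == "login" and d.get("Status") == "failed":
            failures[rec["ip"]] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    print(failed_logins_by_source(SAMPLE_LOG.splitlines()))   # {'10.32.220.200': 3}
```

Counting by source rather than by account is the point: three failures spread over admin and root from one address never trip a per-account lockout, but they are one event from the defender's side.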
3. Wait until you see the following message:
DCX:FID128:admin> sysshutdown
This command will shutdown the operating systems on your switch.
You are required to power-cycle the switch in order to restore operation.
Are you sure you want to shutdown the switch [y/n]?y
HA is disabled
Stopping blade 10
Shutting down the blade....
Stopping blade 12
Shutting down the blade....
Broadcast message from root (pts/0) Fri Oct 10 08:36:48 2008...
The system is going down for system halt NOW !!
4. Power off the switch.
2 Managing user accounts This chapter provides information and procedures on managing authentication and user accounts for the switch management channel. User accounts overview In addition to the default accounts—root, factory, admin, and user—Fabric OS supports up to 252 additional user-defined accounts in each Logical Switch (domain). These accounts expand your ability to track account access and audit administrative activities.
account using the userConfig command to add this permission to a user account. For clarity, this permission has been added to Table 8 which describes the Fabric OS predefined roles.
Table 8 Fabric OS roles
Role name | Fabric OS version | Duties | Description
Admin | All | All administration | All administrative commands excluding chassis-specific commands
BasicSwitchAdmin | 5.2.0 and later | Restricted switch administration | Mostly monitoring with limited switch (local) commands
Chassis-role permission | 6.2.
Table 10 shows the permission type for the categories of commands that each role is assigned. The permissions apply to all commands within the specified category. For a complete list of commands and role permissions, see the Fabric OS Command Reference.
Table 10 RBAC permissions matrix (continued)
Category           | Admin | Basic Switch Admin | Fabric Admin | Operator | Security Admin | Switch Admin | User | Zone Admin
Port Mirroring     | OM | N  | N  | N  | N  | N  | N | N
QOS                | OM | OM | OM | OM | O  | OM | O | O
RADIUS             | OM | N  | N  | N  | OM | N  | N | N
Reboot             | OM | O  | OM | OM | OM | OM | O | OM
Routing—Advanced   | OM | O  | OM | O  | N  | O  | O | N
Routing—Basic      | OM | O  | OM | OM | N  | OM | O | O
Security           | OM | O  | OM | N  | OM | O  | O | N
Session Management | OM | OM | OM | OM | OM | OM | O | N
SNMP               | OM | O  | OM | O
Table 11 Maximum number of simultaneous sessions (continued)
Role name | Maximum sessions
User | 4
ZoneAdmin | 4
Local database user accounts
User add, change, and delete operations are subject to the subset rule: An admin with ADlist 0-10 or LFlist 1-10 cannot perform operations on an admin, user, or any role with an ADlist 11-25 or LFlist 11-128. The user account being changed must have an ADlist or LFlist that is a subset of the account that is making the change.
where:
username
-r rolename
-h logicalFabric_ID or adminDomain_ID
-l logicalFabric_ID_list
-a adminDomain_ID_list
-d description
-c chassis_role
-x
username: Specifies the account name, which must begin with an alphabetic character. The name can be from 8 to 40 characters long. It is case-sensitive and can contain alphabetic and numeric characters, the period (.) and the underscore (_). It must be different from all other account names on the Logical Switch.
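The subset rule stated under "Local database user accounts" is easy to get wrong when lists are written as ranges, so it is worth checking a planned userConfig --add or --change before it is issued. The Python below is an added example, not code from the guide: it expands the -a (ADlist) and -l (LFlist) range syntax into sets and refuses any change where the target account would hold an ID the acting account does not. The ID bounds used (Admin Domains 0-255, logical fabric IDs 1-128) and the function names are assumptions made for this example.

```python
"""Check the local-database subset rule before running userConfig: an
account may add, change or delete another account only if the target's
Admin Domain list (-a) and logical fabric list (-l) are subsets of its own.

Added example, not code from the guide. The ID bounds are assumptions.
"""
AD_IDS = range(0, 256)    # Admin Domain IDs (assumed bound)
LF_IDS = range(1, 129)    # logical fabric (FID) values (assumed bound)


def parse_id_list(spec: str, valid: range) -> frozenset:
    """Expand "0-10,12,20-25" into the set of IDs, rejecting anything outside valid."""
    ids = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo_s, _, hi_s = part.partition("-")
        lo = int(lo_s)
        hi = int(hi_s) if hi_s else lo
        if lo > hi:
            raise ValueError("descending range %r" % part)
        if lo not in valid or hi not in valid:
            raise ValueError("%r is outside %d-%d" % (part, valid.start, valid[-1]))
        ids.update(range(lo, hi + 1))
    return frozenset(ids)


def may_modify(actor_spec: str, target_spec: str, valid: range) -> bool:
    """Subset rule for one list kind: every ID the target holds must be in the actor's list."""
    return parse_id_list(target_spec, valid) <= parse_id_list(actor_spec, valid)


def check_account_change(actor_ad: str, actor_lf: str,
                         target_ad: str, target_lf: str) -> list:
    """Return the reasons the switch would refuse the operation; empty means allowed."""
    reasons = []
    extra_ad = parse_id_list(target_ad, AD_IDS) - parse_id_list(actor_ad, AD_IDS)
    if extra_ad:
        reasons.append("target ADlist holds Admin Domains the actor lacks: %s" % sorted(extra_ad))
    extra_lf = parse_id_list(target_lf, LF_IDS) - parse_id_list(actor_lf, LF_IDS)
    if extra_lf:
        reasons.append("target LFlist holds logical fabrics the actor lacks: %s" % sorted(extra_lf))
    return reasons


if __name__ == "__main__":
    # The guide's own illustration: ADlist 0-10 may not touch an account with ADlist 11-25.
    print(check_account_change("0-10", "1-10", "11-25", "11-128"))
```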
Changing account parameters This procedure can be performed on local user accounts. When changing account parameters, if you change the ADlist for the user account, all of the currently active sessions for that account will be logged out. For more information about changing the Admin Domain on an account, see Chapter 7, ”Managing administrative domains” on page 191. 1. Connect to the switch and log in using an account assigned to the admin role. 2.
• An admin with ADlist 0-10 or LFlist 1-10 cannot change the password on an admin, user, or any role with an ADlist 11-25 or LFlist 11-128. The user account being changed must have an ADlist that is a subset of the account that is making the change. • A new password must have at least one character different from the old password. • You cannot change passwords using SNMP. NOTE: Starting with Fabric OS 5.1.0, password policies apply. Starting with Fabric OS 4.4.
NOTE: If Virtual Fabrics mode is enabled, distributing the password database to switches is not supported. If the distribution command is entered from a switch running a Fabric OS version earlier than 6.2.0, switches running Fabric OS 6.2.0 will reject it.
Protection of the local user database from distributions
Fabric OS 5.2.0 and later allows you to distribute the user database and passwords to other switches in the fabric.
• Uppercase Specifies the minimum number of uppercase alphabetic characters that must appear in the password. The default value is zero. The maximum value must be less than or equal to the MinLength value. • Digits Specifies the minimum number of numeric digits that must appear in the password. The default value is zero. The maximum value must be less than or equal to the MinLength value. • Punctuation Specifies the minimum number of punctuation characters that must appear in the password.
expiration during which warnings will commence. Password expiration does not disable or lock out the account. Use the following attributes to set the password expiration policy: • MinPasswordAge Specifies the minimum number of days that must elapse before a user can change a password. MinPasswordAge values range from 0 to 999. The default value is zero.
The following commands manage the account lock out policy. • userConfig --change account_name -u • passwdCfg --disableadminlockout Note that the account-locked state is distinct from the account-disabled state. Use the following attributes to set the account lockout policy: • LockoutThreshold Specifies the number of times a user can attempt to log in using an incorrect password before the account is locked. The number of failed login attempts is counted from the last successful login.
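To make the password-policy and lockout attributes above concrete, here is an added Python model (not Fabric OS code) that validates a proposed password against MinLength, Uppercase, Digits, Punctuation and MinPasswordAge, enforces the page's constraint that each per-class minimum cannot exceed MinLength, and applies LockoutThreshold with the failure counter reset on a successful login. The data structures and function names are assumptions for illustration; the rules are the page's.

```python
"""Password policy and account-lockout checks modeled on the passwdCfg
attributes described on this page (added example; not Fabric OS code).
Attribute names follow the page; the classes and functions are assumed."""
from __future__ import annotations

import string
from dataclasses import dataclass
from typing import Optional

PUNCTUATION = frozenset(string.punctuation)


@dataclass
class PasswordPolicy:
    min_length: int = 8          # MinLength
    uppercase: int = 0           # minimum uppercase characters
    digits: int = 0              # minimum numeric digits
    punctuation: int = 0         # minimum punctuation characters
    min_password_age: int = 0    # MinPasswordAge in days, 0..999
    lockout_threshold: int = 0   # LockoutThreshold; 0 disables lockout

    def __post_init__(self) -> None:
        # The page: each per-class minimum must be <= MinLength, and
        # MinPasswordAge is limited to 0..999.
        for name in ("uppercase", "digits", "punctuation"):
            if getattr(self, name) > self.min_length:
                raise ValueError(f"{name} minimum exceeds MinLength")
        if not 0 <= self.min_password_age <= 999:
            raise ValueError("MinPasswordAge must be between 0 and 999")

    def violations(self, new_pw: str, old_pw: Optional[str] = None,
                   days_since_change: Optional[int] = None) -> list[str]:
        """List every rule the proposed password breaks (empty = accepted)."""
        problems = []
        if len(new_pw) < self.min_length:
            problems.append("shorter than MinLength")
        if sum(c.isupper() for c in new_pw) < self.uppercase:
            problems.append("too few uppercase characters")
        if sum(c.isdigit() for c in new_pw) < self.digits:
            problems.append("too few digits")
        if sum(c in PUNCTUATION for c in new_pw) < self.punctuation:
            problems.append("too few punctuation characters")
        if old_pw is not None and new_pw == old_pw:
            problems.append("must differ from the old password in at least one character")
        if days_since_change is not None and days_since_change < self.min_password_age:
            problems.append("changed too recently (MinPasswordAge)")
        return problems


@dataclass
class AccountState:
    failed_logins: int = 0   # failures counted since the last successful login
    locked: bool = False     # set by the lockout policy
    disabled: bool = False   # administrative state, distinct from locked


def record_login(policy: PasswordPolicy, state: AccountState, password_ok: bool) -> bool:
    """Apply one login attempt and return whether it succeeds.

    Failures are counted from the last successful login; reaching
    LockoutThreshold locks the account. A locked or disabled account
    rejects every attempt until an administrator clears that state."""
    if state.disabled or state.locked:
        return False
    if password_ok:
        state.failed_logins = 0
        return True
    state.failed_logins += 1
    if policy.lockout_threshold and state.failed_logins >= policy.lockout_threshold:
        state.locked = True
    return False
```

Because the counter resets only on success, two failures followed by a correct password leave the account clean, while three consecutive failures lock it even if the correct password is then supplied.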
You should set the boot PROM password and the recovery string on all switches, as described in ”With a recovery string” on page 79. If your site procedures dictate that you set the boot PROM password without the recovery string, see ”Without a recovery string” on page 81. With a recovery string To set the boot PROM password with a recovery string, see the section that applies to your switch model.
Setting the boot PROM password for a director with a recovery string This procedure applies to the following enterprise-class platforms: HP StorageWorks 4/256 SAN Director and HP StorageWorks DC SAN Backbone Director and HP StorageWorks DC04 SAN Director. The boot PROM and recovery passwords must be set for each CP blade on HP StorageWorks 4/256 SAN Director, HP StorageWorks DC SAN Backbone Director, and HP StorageWorks DC04 SAN Director Switch enterprise-class platforms. 1.
Without a recovery string Although you can set the boot PROM password without also setting the recovery string, HP recommends that you set both the password and the string as described in ”With a recovery string” on page 79. If your site procedures dictate that you must set the boot PROM password without the string, follow the procedure that applies to your switch model.
3. Create a serial connection to the standby CP blade as described in ”Connecting to Fabric OS through the serial port” on page 31. 4. Reboot the standby CP blade by sliding the On/Off switch on the ejector handle of the standby CP blade to Off, and then back to On. This causes the blade to reset. 5. Press ESC within 4 seconds after the message Press escape within 4 seconds... is displayed. The following options are available: Option Description 1 2 3 Continues the system boot process.
The authentication model Fabric OS 6.0.0 and later versions support the use of the local user database together with either the remote authentication dial-in user service (RADIUS) or the lightweight directory access protocol (LDAP) with Microsoft Active Directory in Windows, at the same time. When configured to use RADIUS or LDAP, the switch acts as a network access server (NAS) and RADIUS or LDAP client.
• If you cannot log in because of a RADIUS or LDAP server connection problem, Web Tools displays a message indicating server outage. Table 13 on page 84 describes the aaaConfig command options used to set up the authentication mode. Table 13 Authentication configuration options aaaConfig options Description Equivalent setting in Fabric OS 5.1.0 and earlier --radius --switchdb1 --authspec “local” Default setting. Authenticates management connections against the local database only.
2. Enter the following command: switch:admin> aaaConfig --authspec "radius" | "ldap" | "radius;local" | "ldap;local" [--backup] Fabric OS user accounts RADIUS and LDAP servers allow you to set up user accounts by their true network-wide identity rather than by the account names created on a Fabric OS switch. With each account name, assign the appropriate switch access roles.
Table 14 Syntax for VSA-based account roles (continued) Item Value Description Vendor length 2 or higher 1 octet, calculated by server, including vendor-type and vendor-length Attribute-specific data ASCII string Multiple octets, maximum 253, indicating the name of the assigned role and other supported attribute values such as Admin Domain member list.
After you have completed the dictionary file, define the role for the user in a configuration file.
In the next example, on a Linux FreeRADIUS server, the user takes the "operator" role, with ADList 1, 2, 4, 5, 6, 7, 8, 9, 12, 20 and HomeAD 2.
user-opr Auth-Type := Local, User-Password == "password"
        Brocade-Auth-Role = "operator",
        Brocade-AVPairs1 = "ADList=1,2;HomeAD=2",
        Brocade-AVPairs2 = "ADList=4-8,20;ADList=7,9,12"
In the next example, on a Linux FreeRADIUS server, the user takes the "zoneAdmin" role, with VFlist 2, 4, 5, 6, 7, 8, 10, 11, 12, 13, 15, 17, 19, 22, 23, 24, 25, 29, 31 and HomeContext 1.
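Table 14 and the FreeRADIUS example above describe the wire form of the Brocade vendor-specific attribute and the "key=value;key=value" strings carried in Brocade-AVPairs. The following Python is an added example, not Brocade or FreeRADIUS code, that encodes and decodes that attribute and merges the AVPairs strings the way the example's result list implies. Vendor-ID 1588 and Vendor-Type 1 for Brocade-Auth-Role come from this page; the Vendor-Types 2..5 for Brocade-AVPairs1..4 are an assumption (take them from your server's dictionary.brocade).

```python
"""Encode and decode the Brocade RADIUS vendor-specific attribute and merge
Brocade-AVPairs strings (added example; not Brocade or FreeRADIUS code).
From the page: Vendor-ID 1588, Vendor-Type 1 for Brocade-Auth-Role,
vendor-length of at least 2, ASCII data. Vendor-Types 2..5 for
Brocade-AVPairs1..4 are ASSUMED; check your dictionary.brocade."""
from __future__ import annotations

import struct

RADIUS_VENDOR_SPECIFIC = 26       # RFC 2865 attribute type
BROCADE_VENDOR_ID = 1588          # from the page
VSA_TYPES = {                     # vendor-type numbers; 1 is from the page, 2..5 assumed
    "Brocade-Auth-Role": 1,
    "Brocade-AVPairs1": 2,
    "Brocade-AVPairs2": 3,
    "Brocade-AVPairs3": 4,
    "Brocade-AVPairs4": 5,
}
VSA_NAMES = {num: name for name, num in VSA_TYPES.items()}
HEADER = struct.Struct("!BBIBB")  # type, length, vendor-id, vendor-type, vendor-length


def encode_vsa(name: str, value: str) -> bytes:
    """Build one Vendor-Specific attribute carrying an ASCII string."""
    data = value.encode("ascii")
    vendor_len = 2 + len(data)           # vendor-type + vendor-length + data
    total_len = 6 + vendor_len           # plus type, length and the 4-octet vendor-id
    if not data or total_len > 255:      # the RFC 2865 length octet caps the whole attribute
        raise ValueError("attribute data must be 1..247 octets")
    return HEADER.pack(RADIUS_VENDOR_SPECIFIC, total_len, BROCADE_VENDOR_ID,
                       VSA_TYPES[name], vendor_len) + data


def decode_vsa(blob: bytes) -> tuple[str, str]:
    """Parse one attribute back into (name, value); reject malformed input."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated attribute")
    atype, alen, vendor, vtype, vlen = HEADER.unpack_from(blob)
    if atype != RADIUS_VENDOR_SPECIFIC or vendor != BROCADE_VENDOR_ID:
        raise ValueError("not a Brocade Vendor-Specific attribute")
    if alen != len(blob) or vlen < 2 or 6 + vlen != alen:
        raise ValueError("inconsistent length fields")
    return VSA_NAMES.get(vtype, f"Brocade-Unknown-{vtype}"), blob[8:].decode("ascii")


def expand_ids(spec: str) -> set[int]:
    """Expand "4-8,20" into {4, 5, 6, 7, 8, 20}."""
    ids: set[int] = set()
    for part in spec.split(","):
        lo, sep, hi = part.partition("-")
        if sep:
            ids.update(range(int(lo), int(hi) + 1))
        elif part:
            ids.add(int(part))
    return ids


def parse_avpairs(*strings: str) -> dict:
    """Merge "key=value;key=value" strings from AVPairs1..4.

    Repeated ADList/VFList keys are unioned, which is how the page's
    example arrives at ADList 1,2,4-9,12,20 from two attributes."""
    out: dict = {}
    for s in strings:
        for pair in s.split(";"):
            if not pair:
                continue
            key, _, value = pair.partition("=")
            if key in ("ADList", "VFList"):
                out.setdefault(key, set()).update(expand_ids(value))
            elif key in ("HomeAD", "HomeContext"):
                out[key] = int(value)
            else:
                out[key] = value
    return out
```

The length checks in decode_vsa are the part worth keeping: a RADIUS client that trusts the inner vendor-length without comparing it to the outer attribute length will read past the attribute on a malformed reply.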
Adding the Brocade attribute to the server 1. Create and save the file $PREFIX/etc/raddb/dictionary.brocade with the following information: # # dictionary.
Clients are the switches that will use the RADIUS server; each client must be defined. By default, all IP addresses are blocked. The HP StorageWorks 4/256 SAN Director, HP StorageWorks DC SAN Backbone Director and HP StorageWorks DC04 SAN Director Switch enterprise-class platforms send their RADIUS requests using the IP address of the active CP. When adding clients, add both the active and standby CP IP addresses so that, in the event of a failover, users can still log in to the switch. Enabling clients 1.
a. For the Add RADIUS Client window, provide the following: • Client address (IP or DNS)—Enter the IP address of the switch. • Client-Vendor—Select RADIUS Standard. • Shared secret—Provide a password. Shared secret is a password used between the client device and server to prevent IP address spoofing by unwanted clients. Keep your shared secret password in a safe place. You will need to enter this password in the switch configuration.
Figure 2 shows what the brocade.dct file should look like and Figure 3 shows what needs to be modified in the brocade.dcm file. IMPORTANT: The dictionary files for RSA RADIUS Server must remain in the installation directory. Do not move the files to other locations on your computer. Add Brocade-VSA macro and define the attributes as follows: • vid (Vendor-ID): 1588 • type1 (Vendor-Type): 1 • len1 (Vendor-Length): >=2 ########################################################################### # brocade.
####################################################################### # dictiona.dcm ####################################################################### # Generic Radius @radius.dct # # Specific Implementations (vendor specific) # @3comsw.dct @aat.dct @acc.dct @accessbd.dct @agere.dct @agns.dct @airespace.dct @alcatel.dct @altiga.dct @annex.dct @aptis.dct @ascend.dct @ascndvsa.dct @axc.dct @brocade.dct @bandwagn.dct @brocade.dct <------- Figure 3 Example of the dictiona.dcm file c.
1. Install a Certificate Authority (CA) certificate on the Windows Active Directory server for LDAP. Follow Microsoft instructions for generating and installing CA certificates on a Windows server. 2. Create a user in Microsoft Active Directory server. For instructions on how to create a user, see www.microsoft.com or Microsoft documentation to create a user in your Active Directory. 3.
Example using Administrative Domains: adlist_0_10_200_endAd Home Admin Domain (homeAD) for the user will be the first value in the adlist (Admin Domain list). If a user has no values assigned in the adlist attribute, the homeAD ‘0’ will be the default administrative domain for the user. • If you are using Virtual Fabrics, enter the value of the Logical Fabric separated by a semi-colon ( ; ) into the Value field.
Adding a RADIUS server to the switch configuration 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the following command: switch:admin> aaaConfig --add server [-p port] [-s secret] [-t timeout] [-a pap | chap | peap-mschapv2] Enter either a server name or IPv4 or IPv6 address. Avoid duplicating server listings (that is, listing the same server once by name and again by IP address). Up to five servers can be added to the configuration.
where you specify the type of server as either RADIUS or LDAP, but not both; local is used for local authentication if the user authentication fails on the RADIUS or LDAP server. Example switch:admin> aaaconfig --authspec "radius;local" --backup Deleting a RADIUS or LDAP server from the configuration 1. Connect to the switch and log in using an account assigned to the admin role. 2.
server to_position Enter either the name or IP address of the server whose position is to be changed. Enter the position number to which the server is to be moved. When the command succeeds, the event log indicates that a server configuration is changed. Configuring local authentication as backup It is useful to enable local authentication so that the switch can take over authentication locally if the RADIUS or LDAP servers fail to respond because of power outage or network problems.
3 Configuring standard security features This chapter provides information and procedures for configuring standard Fabric OS security features such as protocol and certificate management. IMPORTANT: Secure Fabric OS is no longer supported in Fabric OS 6.x. However, all features of Secure Fabric OS are included in the base Fabric OS 6.x. Security Protocols Security protocols provide endpoint authentication and communications privacy using cryptography.
Table 17 describes additional software or certificates that you must obtain to deploy secure protocols.
Table 17 Items needed to deploy secure protocols
Protocol | Host side | Switch side
SSHv2 | Secure shell client | None
HTTPS | No requirement on host side except a browser that supports HTTPS | Switch IP certificate for SSL
SCP | SSH daemon, scp server | None
SNMPv1, SNMPv2, SNMPv3 | None | None
The security protocols are designed with the four main use cases described in Table 18.
Example: Setting up SCP for configUpload/download: switch:admin> configure Not all options will be available on an enabled switch. To disable the switch, use the "switchDisable" command. Configure...
For information on the specific commands used in these procedures, see online help or the Fabric OS Command Reference. SNMP and Virtual Fabrics When an SNMPv3 request arrives with a particular username, it executes in the home-Virtual Fabric. From the SNMP manager all SNMPv3 requests must have a home-Virtual Fabric that is specified in the contextName field. Whenever the home Virtual Fabric is specified, it will be converted to the corresponding switch ID and the home-Virtual Fabric will be set.
The snmpConfig command Use the snmpConfig --set command to change either the SNMPv3 or SNMPv1 configuration. You can also change access control, MIB capability, and system group. Where your management stations support it, select SHA (2) for authentication and AES128 (4) or stronger for privacy rather than MD5 and DES.
Example: SNMPv3 configuration
switch:admin> snmpconfig --set snmpv3
SNMPv3 user configuration:
User (rw): [snmpadmin1] adminuser
Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..3) [3] 1
New Auth Passwd:
Verify Auth Passwd:
Priv Protocol [DES(1)/noPriv(2)/3DES(3)/AES128(4)/AES192(5)/AES256(6)]): (1..
Example: accessControl configuration
switch:admin> snmpconfig --set accessControl
SNMP access list configuration:
Access host subnet area in dot notation: [0.0.0.0] 192.168.0.0
Read/Write? (true, t, false, f): [true]
Access host subnet area in dot notation: [0.0.0.0] 10.32.148.0
Read/Write? (true, t, false, f): [true] f
Access host subnet area in dot notation: [0.0.0.0]
Read/Write? (true, t, false, f): [true]
Access host subnet area in dot notation: [0.0.0.0] 10.33.0.
Example: systemGroup configuration (default)
switch:admin> snmpconfig --default systemGroup
***** This command will reset the agent's system group configuration back to factory default *****
sysDescr = Fibre Channel Switch
sysLocation = End User Premise
sysContact = Field Support
authTraps = 0 (OFF)
***** Are you sure? (yes, y, no, n): [no] y
Secure Shell protocol To ensure security, Fabric OS supports secure shell (SSH) encrypted sessions.
Configuring SSH authentication Incoming authentication is used when the remote host needs to authenticate to the switch. Outgoing authentication is used when the switch needs to authenticate to a server or remote host and is more commonly used for the configUpload command. Both password and public key authentication can coexist on the switch. After the allowed-user is configured, the remaining setup steps must be completed by the allowed-user. 1. Log in to the switch as the default admin. 2.
switch:alloweduser> sshutil importpubkey
Enter IP address:192.168.38.244
Enter remote directory:~auser/.ssh
Enter public key name(must have .pub suffix):id_dsa.pub
Enter login name:auser
Password:
Public key is imported successfully.
6. Generate a key pair for switch-to-host (outgoing) authentication by logging in to the switch as the allowed user and entering the following command: sshUtil genkey Enter a passphrase for additional security.
Secure Sockets Layer protocol Secure sockets layer (SSL) protocol provides secure access to a fabric through Web-based management tools like Web Tools. SSL support is a standard Fabric OS feature. Switches configured for SSL grant access to management tools through hypertext transfer protocol over SSL links (which begin with https://) instead of standard links (which begin with http://). SSL uses public key infrastructure (PKI) encryption to protect data transferred over SSL connections.
5. Install the certificate on each switch. Once the certificate is loaded on the switch, HTTPS starts automatically. 6. If necessary, install the root certificate to the browser on the management workstation. 7. Add the root certificate to the Java Plug-in keystore on the management workstation. Certificate authorities To ease maintenance and allow secure out-of-band communication between switches, consider using one certificate authority (CA) to sign all management certificates for a fabric.
5. Enter the requested information. You can use either FTP or SCP; prefer SCP, because with FTP the login password is sent in clear text.
Select protocol [ftp or scp]: ftp
Enter IP address: 192.1.2.3
Enter remote directory: path_to_remote_directory
Enter Login Name: your account
Enter Password: your password
Success: exported CSR.
The next procedures are guides for installing root certificates to Internet Explorer and Mozilla Firefox browsers. For more detailed instructions, see the documentation that came with the certificate. Checking and installing root certificates on Internet Explorer 1. Select Tools > Internet Options. 2. Select the Content tab. 3. Select Certificates. 4. Select the Intermediate or Trusted Root tabs and scroll the list to see if the root certificate is listed.
3. Enter the keytool command and respond to the prompts (in the following example, changeit is the default password and RootCert is an example root certificate name): C:\Program Files\Java\j2re1.6.0\bin> keytool -import -alias RootCert.crt -keystore ..
where the -sip option can be given as any, -dp is the port number for Telnet (23), and -proto is TCP.
Example: Adding a rule
ipfilter --addrule block_telnet_v4 -rule 2 -sip any -dp 23 -proto tcp -act deny
4. Save the new ipfilter policy by issuing the following command: ipfilter --save policyname where policyname is the name of the policy and is optional.
Example: Saving a policy
ipfilter --save block_telnet_v4
5.
Table 21 Blocked listener applications (continued) Listener application HP StorageWorks 4/256 SAN Director, HP StorageWorks DC04 SAN Director, and HP StorageWorks DC SAN Backbone Director enterprise-class platforms HP StorageWorks 4/8 and 4/16 SAN Switches, HP StorageWorks 8/8 and 8/24 SAN Switches, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, Brocade 8Gb SAN Switch for HP BladeSystem c-Class, HP StorageWorks EVA4400 embedded switch module, 8Gb Bro
Port configuration Table 23 provides information on ports that the switch uses. When configuring the switch for various policies, take into consideration firewalls and other devices that may sit between switches in the fabric and your network or between the managers and the switch.
Table 23 Port information
Port | Type | Common use | Comment
22 | TCP | SSH | n/a
23 | TCP | Telnet | Use the ipfilter command to block the port.
80 | TCP | HTTP | Use the ipfilter command to block the port.
4 Configuring advanced security features This chapter provides information and procedures for configuring advanced Fabric OS security features such as Access Control List (ACL) policies, authentication policies, and IP Filtering for HP’s Fibre Channel switches. ACL policies overview Each supported Access Control List (ACL) policy listed below is identified by a specific name. Only one policy of each type can exist, except for DCC policies.
When a policy is activated, the defined policy either replaces the policy with the same name in the active set or becomes a new active policy. If a policy appears in the defined set but not in the active set, the policy was saved but has not been activated. If a policy with the same name appears in both the defined and active sets but the two versions have different values, the policy has been modified but the changes have not been activated.
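The defined/active distinction above is the source of most "I changed the policy but nothing happened" incidents. As an added example (not Fabric OS code), the following Python models the three stores the page describes: an unsaved per-session edit buffer that is discarded at logout, the defined set written by secPolicySave, and the active set written by secPolicyActivate, and reports the status of a policy the way an operator would have to infer it from secPolicyShow output. The class, its method names and the session buffer are assumptions; the single-instance rule for SCC and FCS versus multiple DCC policies is the page's.

```python
"""Model of the defined and active ACL policy sets (added example; not
Fabric OS code). Shows how unsaved, saved-but-not-activated and
modified-but-not-activated policies differ. The per-session edit buffer
is assumed from the page's remark that unsaved changes are lost at logout."""
from __future__ import annotations

import copy

SINGLE_INSTANCE = ("SCC_POLICY", "FCS_POLICY")   # only one of each may exist


class PolicyDb:
    def __init__(self) -> None:
        self.session: dict[str, set[str]] = {}   # edits made in this login session
        self.defined: dict[str, set[str]] = {}   # written by secPolicySave
        self.active: dict[str, set[str]] = {}    # written by secPolicyActivate

    @staticmethod
    def _check_name(name: str) -> None:
        # SCC and FCS are single-instance; DCC policies are DCC_POLICY_<suffix> and may be many.
        if not (name in SINGLE_INSTANCE or name.startswith("DCC_POLICY_")):
            raise ValueError(f"unknown policy name {name!r}")

    def create(self, name: str, members: set[str]) -> None:   # secPolicyCreate
        self._check_name(name)
        self.session[name] = set(members)

    def add_members(self, name: str, members: set[str]) -> None:   # secPolicyAdd
        self._check_name(name)
        base = self.session.get(name, self.defined.get(name, set()))
        self.session[name] = set(base) | set(members)

    def save(self) -> None:          # secPolicySave: session edits become the defined set
        self.defined.update(copy.deepcopy(self.session))
        self.session.clear()

    def activate(self) -> None:      # secPolicyActivate: save, then defined becomes active
        self.save()
        self.active = copy.deepcopy(self.defined)

    def logout(self) -> None:        # unsaved session edits are discarded
        self.session.clear()

    def status(self, name: str) -> str:
        """Classify a policy the way the page describes the defined/active sets."""
        if name in self.session:
            return "unsaved"
        if name not in self.defined:
            return "absent"
        if name not in self.active:
            return "defined, not activated"
        if self.defined[name] != self.active[name]:
            return "modified, not activated"
        return "active"
```

The "modified, not activated" state is the one to watch during a change window: the defined set already shows the new member, but enforcement still uses the old one until secPolicyActivate is run.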
and switches that are not listed in that policy. You can remove one or more members from a policy. If all members are removed from a policy, that aspect of the fabric becomes closed to all access. • ”Policy database distribution” on page 139 discusses the configuration of a switch to accept or reject the distribution of polices. • ”ACL policy distribution to other switches” on page 142 discusses the configuration of the distribution of policies to switches within the fabric. Displaying ACL policies 1.
fabric and not to pre-5.2.0 switches. Fabric OS 5.2.0 switches receive the distribution and will ignore the FCS database. FCS policy restrictions The backup FCS switches normally cannot modify the policy. However, if the Primary FCS switch in the policy list is not reachable, a backup FCS switch is allowed to modify the policy. Once an FCS policy is configured and distributed across the fabric, only the Primary FCS switch can perform certain operations.
3. Activate the policy using the secPolicyActivate command. If the command is not entered, the changes are lost when the session is logged out. For more information about this command, see ”ACL policy modifications” on page 126. 4. To distribute the policies, enter either the distribute -p policy_list -d switch_list command to either send the policies to intended domains, or the distribute -p policy_list -d wild_card (*) command to send the policies to all switches. Creating an FCS policy 1.
For example, to move a backup FCS switch from position 2 to position 3 in the FCS list, using interactive mode:
primaryfcs:admin> secpolicyfcsmove
Pos Primary WWN                     DId swName
=================================================
1   Yes     10:00:00:60:69:10:02:18 1   switch5
2   No      10:00:00:60:69:00:00:5a 2   switch60
3   No      10:00:00:60:69:00:00:13 3   switch73
Please enter position you'd like to move from : (1..3) [1] 2
Please enter position you'd like to move to : (1..
configuration parameter controls whether the distribution of the policy is accepted or rejected on the local switch. Setting the configuration parameter to accept indicates distribution of the policy will be accepted and distribution may be initiated using the distribute -p command. Setting the configuration parameter to reject indicates the policy distribution is rejected and the switch may not distribute the policy.
stale policies in the current Logical Switch or delete the stale policies after the port movements. Use the secPolicyDelete command to delete stale DCC policies. DCC policy restrictions The following restrictions apply when using DCC policies: • Some older private-loop HBAs do not respond to port login from the switch and are not enforced by the DCC policy. This does not create a security problem because these HBAs cannot contact any device outside of their immediate loop.
• To save and activate the policy, enter the secPolicyActivate command. If neither of these commands is entered, the changes are lost when the session is logged out. For more information about these commands, see ”ACL policy modifications” on page 126.
Virtual Fabric considerations: In a Logical Fabric environment the SCC policy enforcement is not done on the logical ISL. For a logical ISL-based switch, the SCC policy enforcement is considered as the reference and the logical ISL is formed if the SCC enforcement passes on the extended ISL. The following functionality changes: • A Logical Switch supports an SCC policy. You can configure and distribute an SCC policy on a Logical Switch.
3. Save and activate the policy deletion by entering the secPolicyActivate command.
switch:admin> secpolicydelete "DCC_POLICY_010"
About to delete policy DCC_POLICY_010.
Are you sure (yes, y, no, n):[no] y
DCC_POLICY_010 has been deleted.
Member modification to existing policies You can add members to and remove members from the ACL policies by using the secPolicyAdd and secPolicyRemove commands. As soon as a policy has been activated, it is enforced in the aspect of the fabric managed by that policy.
configured to accept FCAP protocol in authentication. To use FCAP on both switches, PKI certificates have to be installed. NOTE: The fabric authentication feature is available in base Fabric OS. No license is required. You can configure a switch with Fabric OS 5.3.0 or later to use DH-CHAP for device authentication. Use the authUtil command to configure the authentication parameters used by the switch.
The AUTH policy is designed to accommodate mixed fabric environments that contain Fabric OS 6.0.0 and later along with pre-6.0.0 switches. The policy states PASSIVE and OFF allow connection from Fabric OS 6.0.0 and later switches to pre-6.0.0 switches. These policy states do not allow switches to send the authentication negotiation and therefore continue with the rest of port initialization.
The authentication begins automatically during the E_Port initialization. A switch with this policy can safely connect to pre-6.0.0 switches, since it continues E_Port initialization if the connecting switch does not support authentication. The switches with firmware pre-3.2.0 do not support FCAP or DH-CHAP authentication, so an E_Port initializes without authentication. The switches with firmware version 3.2.0 and later respond to authentication negotiation and participate in FCAP and DH-CHAP handshaking.
PASSIVE Authentication is optional. If the attached device is capable of doing the authentication, the switch participates in authentication; otherwise it forms an F_Port without authentication. In PASSIVE mode, an F_Port is disabled if the HBA shared secret does not match with the secret installed on the switch. If the secret provided by the switch does not match the secrets installed on the HBA, the HBA disables the port on its side.
• 00 for the DH Null option
• 01 for the 1024-bit key
• 02 for the 1280-bit key
• 03 for the 1536-bit key
• 04 for the 2048-bit key
This section illustrates using the authUtil command to display the current authentication parameters and to set the authentication protocol to DH-CHAP. Viewing the current authentication parameter settings for a switch 1. Log in to the switch using an account assigned to the admin role. 2. On a switch running Fabric OS 6.0.0 or later, enter authUtil --show.
Example: All E_Ports on the switch switch:admin> authutil --authinit allE Example: Enterprise-class platforms using the slot/port format switch:admin> authutil --authinit 1/1, 1/2 Secret key pairs When you configure the switches at both ends of a link to use DH-CHAP for authentication, you must also define a secret key pair—one for each end of the link. Use the secAuthSecret command to perform the following tasks: • View the WWN of switches with a secret key pair.
loops through a sequence of switch specification, peer secret entry, and local secret entry. To exit the loop, press Enter for the switch name; and then enter y. switchA:admin> secauthsecret --set This command is used to set up secret keys for the DH-CHAP authentication. The minimum length of a secret key is 8 characters and maximum 40 characters. Setting up secret keys does not initiate DH-CHAP authentication. If switch is configured to do DH-CHAP, it is performed whenever a port or a switch is enabled.
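Why each end needs both a local secret and the peer's secret, and what the policy states above do when the other end does not authenticate, is clearer in code. The following Python is an added example, not Fabric OS or FC-SP code: it models only the CHAP core of DH-CHAP with the DH Null group (response = H(identifier || secret || challenge)); the real FC-SP exchange also carries Diffie-Hellman values and is specified in INCITS FC-SP. The 8-to-40-character secret limit and the ON/ACTIVE/PASSIVE/OFF behaviour follow the page; the hash choice, WWNs and secrets are constructed.

```python
"""Simplified model of DH-CHAP with the DH Null group (option 00) and the
secret key pairs set with secAuthSecret (added example; not Fabric OS or
FC-SP code). Only the CHAP core is modeled. The hash algorithm, the WWNs
and the secret values are constructed for illustration."""
from __future__ import annotations

import hashlib
import hmac
import os

SECRET_MIN, SECRET_MAX = 8, 40      # secAuthSecret limits from the page


def _check_secret(secret: str) -> str:
    if not SECRET_MIN <= len(secret) <= SECRET_MAX:
        raise ValueError("secret key must be 8 to 40 characters")
    return secret


class Switch:
    def __init__(self, wwn: str, local_secret: str, peer_secrets: dict[str, str],
                 policy: str = "ON", hash_name: str = "sha1") -> None:
        self.wwn = wwn
        self.local_secret = _check_secret(local_secret)   # what this switch proves it knows
        self.peer_secrets = {w: _check_secret(s) for w, s in peer_secrets.items()}
        self.policy = policy                              # ON, ACTIVE, PASSIVE or OFF
        self.hash_name = hash_name                        # md5 or sha1 (choice assumed)

    def _digest(self, ident: int, secret: str, challenge: bytes) -> bytes:
        h = hashlib.new(self.hash_name)
        h.update(bytes([ident]) + secret.encode() + challenge)
        return h.digest()

    def respond(self, ident: int, challenge: bytes) -> bytes:
        """Answer a peer's challenge with this switch's LOCAL secret."""
        return self._digest(ident, self.local_secret, challenge)

    def verify(self, peer_wwn: str, ident: int, challenge: bytes, response: bytes) -> bool:
        """Check a peer's response against the PEER secret stored for its WWN."""
        secret = self.peer_secrets.get(peer_wwn)
        if secret is None:
            return False
        return hmac.compare_digest(self._digest(ident, secret, challenge), response)


def bring_up_e_port(a: Switch, b: Switch, rng=os.urandom) -> str:
    """Return 'online', 'online-unauthenticated' or 'disabled' for the link a<->b."""
    if not any(s.policy in ("ON", "ACTIVE") for s in (a, b)):
        return "online-unauthenticated"      # PASSIVE/OFF never start the negotiation
    for side, other in ((a, b), (b, a)):
        if side.policy == "OFF":              # OFF does not take part at all
            return "disabled" if other.policy == "ON" else "online-unauthenticated"
    # Mutual challenge/response: each side proves knowledge of its local secret.
    for challenger, prover, ident in ((a, b, 1), (b, a, 2)):
        challenge = rng(16)
        response = prover.respond(ident, challenge)
        if not challenger.verify(prover.wwn, ident, challenge, response):
            return "disabled"                 # secret pair mismatch: port stays disabled
    return "online"
```

The mismatch case is the one that bites in practice: switch A's local secret must equal the peer secret that switch B stored for A's WWN, and vice versa; swapping the two values on one side produces a disabled E_Port with no obvious error.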
IP Filter policy The IP Filter policy is a set of rules applied to the IP management interfaces as a packet filtering firewall. The firewall permits or denies the traffic to go through the IP management interfaces according to the policy rules. Fabric OS supports multiple IP Filter policies, which are defined at the same time. Each IP Filter policy is identified by a name and has an associated type. Two IP Filter policy types, IPv4 and IPv6, exist to provide separate packet filtering for IPv4 and IPv6.
2. Enter the following command: ipfilter --show [policyname] where policyname is the name of the policy and is optional. Saving an IP Filter policy You can save one or all IP Filter policies persistently in the defined configuration. The policy name is optional for this subcommand. If the policy name is given, the IP Filter policy in the temporary buffer is saved; if the policy name is not given, all IP Filter policies in the temporary buffer are saved.
For an IPv4 filter policy, the source address has to be a 32-bit IPv4 address in dot decimal notation. The group prefix has to be a CIDR block prefix representation. For example, 208.130.32.0/24 represents a 24-bit IPv4 prefix starting from the most significant bit. The special prefix 0.0.0.0/0 matches any IPv4 address. In addition, the keyword any is supported to represent any IPv4 address. For an IPv6 filter policy, the source address has to be a 128-bit IPv6 address, in a format acceptable in RFC 3513.
A switch with Fabric OS 5.3.0 or later will have a default IP Filter policy for IPv4 and IPv6. The default IP Filter policy cannot be deleted or changed. When an alternative IP Filter policy is activated, the default IP Filter policy becomes deactivated. Table 33 lists the rules of the default IP Filter policy.
-rule rule number -sip source IP -dp destination port -proto protocol -act Specifies a valid rule number between 1 and the current maximum rule number plus 1. Specifies the source IP address. For IPv4 filter type, the address must be a 32-bit address in dot decimal notation, or a CIDR block IPv4 prefix. For IPv6 filter type, the address must be a 128-bit IPv6 address in any format specified by RFC, or a CIDR block IPv6 prefix.
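The --addrule operands above, and the block_telnet_v4 example earlier in this chapter, describe a rule set without saying how a packet is matched against it. The following Python is an added example, not Fabric OS code, that models a policy with those operands for IPv4 and IPv6 and evaluates inbound management packets against it. Three behaviours are assumptions not stated on this page and should be checked against the Fabric OS Command Reference: rules are tried in ascending rule-number order and the first match decides; a packet matching no rule is denied; adding a rule at an existing number inserts it there and renumbers the rest. Rule 2 is the page's; the other rules and addresses are constructed.

```python
"""Model of IP Filter policy evaluation with the --addrule operands
(added example; not Fabric OS code). ASSUMED: first match wins in rule
order, no match means deny, and --addrule at an existing number inserts."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    sip: str      # "any", a host address, or a CIDR prefix (dotted IPv4 or RFC 3513 IPv6)
    dport: int    # destination port
    proto: str    # "tcp" or "udp"
    act: str      # "permit" or "deny"


class IpFilterPolicy:
    def __init__(self, name: str, family: int) -> None:
        self.name, self.family = name, family     # family 4 or 6, like the ipv4/ipv6 policy type
        self._rules: list[Rule] = []

    def add_rule(self, number: int, sip: str, dport: int, proto: str, act: str) -> None:
        """--addrule: the rule number must be 1 .. current maximum + 1."""
        if not 1 <= number <= len(self._rules) + 1:
            raise ValueError(f"rule number must be 1..{len(self._rules) + 1}")
        if sip != "any" and ipaddress.ip_network(sip, strict=False).version != self.family:
            raise ValueError(f"{sip} is not an IPv{self.family} address or prefix")
        if proto not in ("tcp", "udp") or act not in ("permit", "deny"):
            raise ValueError("proto must be tcp|udp and act must be permit|deny")
        if not 0 <= dport <= 65535:
            raise ValueError("bad destination port")
        self._rules.insert(number - 1, Rule(sip, dport, proto, act))

    def rules(self) -> list[tuple[int, Rule]]:
        """Rules with their current numbers, as ipfilter --show would list them."""
        return list(enumerate(self._rules, start=1))

    def evaluate(self, src: str, dport: int, proto: str) -> str:
        """Return "permit" or "deny" for one inbound management-interface packet."""
        src_ip = ipaddress.ip_address(src)
        if src_ip.version != self.family:
            raise ValueError("address family does not match the policy type")
        for rule in self._rules:
            if rule.proto != proto or rule.dport != dport:
                continue
            if rule.sip != "any" and src_ip not in ipaddress.ip_network(rule.sip, strict=False):
                continue
            return rule.act
        return "deny"


def block_telnet_v4() -> IpFilterPolicy:
    """The page's rule 2 (deny Telnet from anywhere) with constructed rules around it."""
    p = IpFilterPolicy("block_telnet_v4", 4)
    p.add_rule(1, "10.32.148.0/24", 23, "tcp", "permit")   # constructed: management subnet
    p.add_rule(2, "any", 23, "tcp", "deny")                # from the page
    p.add_rule(3, "any", 22, "tcp", "permit")              # constructed: SSH from anywhere
    return p
```

Rule order matters: the management-subnet permit must sit above the blanket deny, and inserting a new rule at number 1 pushes every existing rule down by one, which is why the page recommends reviewing the policy with ipfilter --show before saving and activating it.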
The ACL policy database is managed as follows: • Switch database distribution setting: Controls whether or not the switch accepts or rejects databases distributed from other switches in the fabric. The distribute command sends the database from one switch to another, overwriting the target switch database with the distributed one. To send or receive a database the setting must be accept. For configuration instructions, see ”Database distribution settings” on page 140.
Table 35 Supported policy databases
Database type | Database identifier (ID)
Authentication policy database | AUTH
DCC policy database | DCC
FCS policy database | FCS
IP Filter policy database | IPFILTER
Password database | PWD
SCC policy database | SCC
Displaying the database distribution settings 1. Connect to the switch and log in using an account assigned to the admin role. 2.
ACL policy distribution to other switches This section explains how to manually distribute local ACL policy databases. The distribute command has the following dependencies: • All target switches must be running Fabric OS 5.2.0 or later. • All target switches must accept the database distribution (see ”Database distribution settings” on page 140). • The fabric must have a tolerant or no (absent) fabric-wide consistency policy (see ”Fabric-wide enforcement” on page 142).
NOTE: FC routers cannot join a fabric with a strict fabric-wide consistency policy. FC routers do not support the fabric-wide consistency policies. Table 37 on page 143 describes the fabric-wide consistency settings. Table 37 Fabric-wide consistency policy settings Setting Value When a policy is activated Absent null Database is not automatically distributed to other switches in the fabric.
The following example shows how to set a strict SCC and tolerant DCC fabric-wide consistency policy.
Table 38 describes the impact of merging fabrics with the same fabric-wide consistency policy that have SCC, DCC, or both policies. Table 38 Merging fabrics with matching fabric-wide consistency policies Fabric-wide consistency policy Fabric A ACL policies Fabric B ACL policies Merge results Database copied None None None Succeeds No ACL policies copied None SCC/DCC Succeeds No ACL policies copied None None Succeeds No ACL policies copied.
Table 40 Fabric merges with tolerant/absent combinations Fabric-wide consistency policy setting Policy type Fabric A Tolerant/Absent SCC;DCC Expected behavior Fabric B DCC SCC;DCC SCC DCC SCC Error message logged. Run fddCfg --fabwideset “” from any switch with the desired configuration to fix the conflict. The secPolicyActivate command is blocked until conflict is resolved.
It is possible in this scenario that one or both of the protected endpoints will be behind a network address translation (NAT) node, in which case the tunneled packets will have to be UDP-encapsulated so that port numbers in the UDP headers can be used to identify individual endpoints behind the NAT.
Nested Configurations You can configure other scenarios as nested combinations of the above configurations. IPsec protocols IPsec uses two different protocols, Authentication Header (AH) and Encapsulating Security Payload (ESP), to ensure the authentication, integrity, and confidentiality of the communication. To protect the integrity of the IP datagram, the IPsec protocols use hash message authentication codes (HMAC).
Table 41 Algorithms and associated authentication policies
Algorithm | Encryption level | Policy
aes128_cbc | 128-bit | ESP
aes256_cbc | 256-bit | ESP
null_enc | n/a | ESP
Block ciphers In cryptography, a block cipher is a symmetric key cipher which operates on fixed-length groups of bits, termed blocks, with an unvarying transformation. For example, when encrypting, a block cipher might take a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext.
operations), not a Feistel network. The cipher is specified in terms of repetitions of processing steps that are applied to make up rounds of keyed transformations between the input plain-text and the final output of cipher-text. A set of reverse rounds is applied to transform cipher-text back into the original plain-text using the same encryption key.
is used for the creation of the security associations, the switch populates the security association database (SAD) accordingly. Pre-shared keys A pre-shared key is one of the available methods for configuring IKE to use for primary authentication. You can specify the pre-shared keys used in IKE policies. You can also add and delete pre-shared keys (in local database) corresponding to the identity of the IKE peer or group of peers.
See Chapter 3, ”Configuring standard security features” on page 99 for information on how to set up pre-shared keys and certificates. 7. Configure the IKE policy using the ipSecConfig --add policy ike -tag name -remote IP_address[/prefixlength] -id IP_address[/prefixlength] -remoteid IP_address[/prefixlength] -enc algorithm -hash algorithm -prf algorithm -auth psk|dss|rsasig -dh number -psk file command. The following example creates an IKE policy for the remote peer.
Example of an End-to-End Transport Tunnel mode

This example illustrates securing traffic between two systems using AH protection with MD5 and configuring IKE with pre-shared keys. The following list defines the switch models and their associated IP addresses.
• The two systems are named BRCD300 and BRCD7500.
• The BRCD300 has IPv4 address 10.33.74.13; the BRCD7500 has IPv4 address 10.33.69.132.
1. Connect to the switch and log in using an account assigned to the admin role.
2.
10. Generate IP traffic and verify that it is protected using defined policies.
a. Initiate Telnet or SSH or ping session from BRCD300 to BRCD7500.
b. Verify that the IP traffic is encapsulated.
c. Monitor IPsec SAs created using IKE for the above traffic flow.
• Use the ipsecConfig --show manual-sa -a command with the operands specified to display the outbound and inbound SAs in the kernel SADB.
Table 42 Zeroization Behavior (continued)

Keys                  Zeroization CLI     Description
SSH Session Key       No CLI required     Generated for each SSH session that is established to and from the host. Automatically zeroizes on session termination.
SSH RSA private Key   No CLI required     Key-based SSH authentication is not used for SSH sessions.
RNG Seed Key          No CLI required     /dev/urandom is used as the initial source of seed for RNG. RNG seed key is zeroized on every random number generation.
Only FIPS-compliant algorithms are run at this stage.
Setting up LDAP for FIPS mode

1. Set the switch authentication mode and add your LDAP server by using the commands in the example below. Provide the Fully Qualified Domain Name (FQDN) of the Active Directory server for the hostname parameter while configuring LDAP.

Example: Setting up LDAP for FIPS mode
switch:admin> aaaconfig --add GEOFF5.ADLDAP.LOCAL -conf ldap -d adldap.
For additional Microsoft Active Directory settings:
a. Set the SCHANNEL settings listed in Table 45 to allow. These settings are required to support FIPS-compliant TLS cipher suites on Microsoft’s Active Directory server. See www.microsoft.com for instructions on how to allow the SCHANNEL settings for the ciphers, hashes, key exchange, and the TLS protocol.
Example of exporting an LDAP CA certificate
switch:admin> seccertutil export -ldapcacert
Select protocol [ftp or scp]: scp
Enter IP address: 192.168.38.206
Enter remote directory: /users/aUser/certs
Enter Login Name: aUser
Enter LDAP certificate name (must have ".pem" \
suffix):LDAPTestCa.cer
Password:
Success: exported LDAP certificate

Deleting an LDAP switch certificate

This option deletes the LDAP CA certificate from the switch.
1. Connect to the switch and log in as admin.
2.
Enabling FIPS mode

1. Log in to the switch using an account assigned the admin or securityAdmin role.
2. Optional: Select the appropriate method based on your needs:
• If the switch is set for RADIUS, modify each server to use only peap-mschapv2 as the authentication protocol using the aaaConfig --change or aaaConfig --remove command.
• If the switch is set for LDAP, see the instructions in ”Setting up LDAP for FIPS mode” on page 157.
3. Optional: Set the authentication protocols.
a.
8. Enter the following command to block access to root:
userconfig --change root -e no
By disabling the root account, RADIUS and LDAP users with root roles are also blocked in FIPS mode.
9. Verify that your switch is FIPS ready:
fipscfg --verify fips
10. Enter the command fipsCfg --enable fips.
11. Reboot the switch.

Disabling FIPS mode

1. Log in to the switch using an account assigned the admin or securityAdmin role.
2. Enter the command fipsCfg --disable fips.
3. Reboot the switch.
4.
5 Maintaining the switch configuration file This chapter provides procedures for basic switch configuration maintenance. Configuration settings It is important to maintain consistent configuration settings on all switches in the same fabric because inconsistent parameters, such as inconsistent PID formats, can cause fabric segmentation.
Example: Configuration file
[Configuration upload Information]
Configuration Format = 2.0
date = Thu Oct 9 21:22:25 2008
FOS version = v6.2.0.
Switch section There is always at least one switch section for the default switch or a switch that has Virtual Fabric mode disabled. There are additional sections corresponding to each additionally defined Logical Switch instance on a switch with Virtual Fabrics mode enabled. These are the switch-specific data that affect only that Logical Switch’s behavior.
4. Respond to the prompts as follows:
Protocol (scp or ftp)        If your site requires the use of Secure Copy, specify SCP. Otherwise, specify FTP. If you leave it blank, the default specified in the brackets ( [ ] ) is used.
Server Name or IP Address    Enter the name or IP address of the server where the file is to be stored; for example, 192.1.2.3. You can enter a server name if DNS is enabled. For details about the dnsConfig command, see the Fabric OS Command Reference.
User name
File name
Section
Password
CAUTION: Make sure that the configuration file you are downloading is compatible with your switch model, because configuration files from other model switches or firmware versions might cause your switch to fail. If your setup supports anonymous users, and you log in as an anonymous user, password is still a required field, even though its value may be ignored by the FTP service. Configuration management supports configDownload with 6.1.x or 6.2.0 configuration files.
In case something happens to your switch and you need to set it up again, run the commands listed in Table 46 and save the output in a file format. Store the files in a safe place for emergency reference.
5. Respond to the prompts as follows:
Protocol (scp or ftp)        If your site requires the use of Secure Copy, specify scp. Otherwise, specify ftp.
Server Name or IP Address    Enter the name or IP address of the server where the file is stored; for example, 192.1.2.3. You can enter a server name if DNS is enabled.
User name                    Enter the user name of your account on the server; for example, JohnDoe.
File name                    Specify the full path name of the backup file; for example, /pub/configurations/config.
Section
Password
The following example shows configDownload run on a switch with Admin Domains:
switch:AD5:admin>configdownload
Protocol (scp or ftp) [ftp]:
Server Name or IP Address [host]: 10.1.2.3
User Name [user]: JohnDoe
File Name [config.txt]: /pub/configurations/config.txt
*** CAUTION ***
This command is used to download a backed-up configuration for a specific switch. If using a file from a different switch, this file's configuration settings will override any current switch settings.
CAUTION: Do not download a configuration file from one switch to another switch that is a different model or firmware version, because it can cause the switch to fail. If you need to reset affected switches, enter the configDefault command. IMPORTANT: Verify that all domain IDs are unique prior to performing the configDownload because the switches will segment if they all have the same domain ID.
If fmsmode is enabled in a configuration file, but is disabled on the switch, the configDownload command fails and displays an error message. This prevents undesirable conditions that could result from enabling fmsmode on a switch that does not require it. B-Series configuration form Use this form (Table 46) as a hard copy reference for your configuration information.
6 Managing virtual fabrics

Virtual Fabrics overview

Virtual Fabrics is an architecture used to virtualize hardware boundaries. Traditionally, SAN design and management are done at the granularity of a physical switch. The Virtual Fabrics feature allows SAN design and management to be done at the granularity of a port. Virtual Fabrics is a suite of related features that can be customized based on your needs.
Figure 8 Switch before and after enabling Virtual Fabrics (panels: ”Before enabling Virtual Fabrics” shows the physical chassis with ports P0 through P9; ”After enabling Virtual Fabrics” shows the same ports in the default logical switch)

After you enable Virtual Fabrics, you can create up to eight Logical Switches, depending on the switch model. Figure 9 shows a Virtual Fabrics-enabled switch before and after it is divided into Logical Switches.
already assigned FID 15 in the chassis. Each Logical Switch must have a unique fabric ID within the chassis. The default Logical Switch is initially assigned FID 128. You can change this value later.
• If you want to remove a port from a Logical Switch, you must move it to a different Logical Switch. For example, if you want to remove P4 from logical switch 3, you must assign it to a different Logical Switch, either logical switch 2, logical switch 4, or logical switch 1 (the default Logical Switch).
• If you assign a port to a Logical Switch, it is automatically removed from the Logical Switch it is currently assigned to.
Figure 13 Logical Switches in a single chassis belonging to separate fabrics (labels: Switch 1 through Switch 4; Fabric 128, Fabric 1, Fabric 15, Fabric 8; devices D1 and D2, host H1)

If you want to allow device sharing across fabrics in a Virtual Fabrics environment, see ”FC-FC routing and Virtual Fabrics” on page 401.

Logical Fabric

A Logical Fabric is a fabric that contains at least one Logical Switch.
Figure 15 Logical Switches connected to form Logical Fabrics (labels: SW1 through SW8; Fabric 128, Fabric 1, Fabric 15, Fabric 8)

The ISLs between the Logical Switches are dedicated ISLs because they carry traffic only for a single Logical Fabric. In Figure 14, Fabric 128 has two switches (the default Logical Switches), but they cannot communicate with each other because they have no ISLs between them and they cannot use the ISLs between the other Logical Switches.
Figure 16 Base switches connected by an XISL (physical chassis 1: logical switch 1 (default logical switch, fabric ID 128), logical switch 2 (fabric ID 1), logical switch 3 (fabric ID 15), base switch (fabric ID 8); physical chassis 2: logical switch 5 (default logical switch, fabric ID 128), logical switch 6 (fabric ID 1), logical switch 7 (fabric ID 15), base switch (fabric ID 8); the XISL connects the two base switches)

Traffic between the Logical Switches can now flow across this XISL.
Figure 18 Logical Fabric using ISLs and XISLs (physical chassis 1: logical switch 1 (default logical switch, fabric ID 128), logical switch 2 (fabric ID 1), logical switch 3 (fabric ID 15), base switch (fabric ID 8); physical chassis 2: logical switch 5 (default logical switch, fabric ID 128), logical switch 6 (fabric ID 1), logical switch 7 (fabric ID 15), base switch (fabric ID 8); a physical ISL joins the two default logical switches, logical ISLs join the other Logical Switch pairs, and an XISL joins the base switches)

By default, the physical ISL path is favored over the
• Firmware management (one firmware applies to all Logical Switches, firmware upgrade, HA failover)
• Logical Switch operations
These are operations that are limited to the Logical Switch, such as displaying or changing port states. Logical Switch operations include all operations that are not covered in the chassis management operations.
When a user logs in, the user is assigned an active context, or active Logical Switch.
Supported port configurations in the HP StorageWorks DC SAN Backbone Director and HP StorageWorks DC04 SAN Director Some of the ports in the HP StorageWorks DC SAN Backbone Director and HP StorageWorks DC04 SAN Director are not supported on all types of Logical Switches.
Table 49 Virtual Fabrics interaction with Fabric OS features (continued)

Fabric OS feature        Interaction with Virtual Fabrics
Interoperability mode    In interoperability modes 2 and 3, you cannot use XISL in the Logical Fabric. The Logical Switches must be connected only with ISLs.
Licensing                Licenses are required for all Logical Switches in a chassis.
Performance monitoring   Performance monitors are supported in a limited number of Logical Switches, depending on the platform type.
Enabling Virtual Fabrics Virtual Fabrics is disabled by default on switches that you upgrade to Fabric OS 6.2.0 or later. Virtual Fabrics is enabled by default on a new chassis. Before you can use the Virtual Fabrics features, such as Logical Switch and Logical Fabric, you must enable Virtual Fabrics. NOTE: When you enable Virtual Fabrics, the CPs are rebooted and all EX_Ports are disabled after the reboot. 1.
The following example checks whether Virtual Fabrics is enabled or disabled and then disables it:
switchA:FID128:admin> fosconfig --show
FC Routing service: disabled
iSCSI service: Service not supported on this Platform
iSNS client service: Service not supported on this Platform
Virtual Fabric: enabled
switch:admin> fosconfig --disable vf
WARNING: This is a disruptive operation that requires a reboot to take effect.
Deleting a Logical Switch The following procedure describes how to delete a Logical Switch. You must remove all ports from the Logical Switch before deleting it. You cannot delete the default Logical Switch. 1. Connect to the physical chassis and log in using an account assigned to the admin role. 2. Remove all ports from the Logical Switch, as described in ”Adding and removing ports on a Logical Switch” on page 186. 3.
Displaying Logical Switch configuration 1. Connect to the physical chassis and log in using an account assigned to the admin role with the chassis-role permission. 2. Enter the following command to display a list of all Logical Switches and the ports assigned to them: lscfg --show [ -provision ] If the -provision option is specified, all ports on all slots are displayed, regardless of the slot status. For more information on the lscfg command, see the Fabric OS Command Reference.
where fabricID is the fabric ID of the Logical Switch you want to switch to and manage.
3. Enter the switchshow command and check the Allow XISL Use parameter to verify whether the switch is configured to use XISLs:
switch218:FID128:admin> switchshow
switchName: switch218
switchType: 62.
Figure 19 Example of Logical Fabrics in multiple chassis and XISLs (physical chassis 1: logical switch 1 (default logical switch, fabric ID 128), logical switch 2 (fabric ID 1), logical switch 3 (fabric ID 15), base switch (fabric ID 8); physical chassis 2: logical switch 5 (default logical switch, fabric ID 128), logical switch 6 (fabric ID 1), logical switch 7 (fabric ID 15), base switch (fabric ID 8); devices D1 and D2, hosts H1 and H2; the XISL connects the two base switches)

1. Set up the base switches in each chassis:
a.
5. Enable all Logical Switches by entering the following command on each Logical Switch that you created in step 4 (the base switches are already enabled): switchenable The Logical Fabric is formed. The fabricShow command displays all Logical Switches configured with the same fabric ID as the local switch and all non-Virtual Fabric switches connected through ISLs to these Logical Switches.
7 Managing administrative domains Administrative Domains overview An Administrative Domain (Admin Domain or AD) is a logical grouping of fabric elements that defines which switches, ports, and devices you can view and modify. An Admin Domain is a filtered administrative view of the fabric. NOTE: If you do not implement Admin Domains, the feature has no impact on users and you can ignore this chapter. Admin Domains permit access to a configured set of users.
Figure 20 shows a fabric with two Admin Domains: AD1 and AD2.

Figure 20 Fabric with two Admin Domains (labels: AD1, AD2)

Figure 21 shows how users get a filtered view of this fabric, depending on which Admin Domain they are in. As shown in Figure 21, users can see all switches and E_Ports in the fabric, regardless of their Admin Domain; however, the switch ports and end devices are filtered based on Admin Domain membership.
• Have a separate zone database for each Admin Domain. See ”Admin Domains, zones, and zone databases” on page 210 for more information.
• Move devices from one Admin Domain to another without traffic disruption, cable reconnects, or discontinuity in zone enforcement.
• Provide strong fault and event isolation between Admin Domains.
• Have visibility of all physical fabric resources. All switches, E_Ports, and FRUs (including blade information) are visible.
Table 51 lists each Admin Domain user type and describes its administrative access and capabilities.

Table 51 AD user types

User type                        Description
Physical fabric administrator    User account with admin role and with access to all Admin Domains (AD0 through AD255). Creates and manages all Admin Domains. Assigns other administrators or users to each Admin Domain. Only a physical fabric administrator can create other physical fabric administrators.
When a new device is added to the fabric, it automatically becomes an implicit member of AD0 until it is explicitly added to another Admin Domain. AD0 is useful when you create Admin Domains because you can see which devices, switch ports, and switches are not yet assigned to any Admin Domains. AD0 owns the root zone database (legacy zone database). During zone merge or zone update, only the root zone database is exchanged with non-AD-capable switches. AD255 AD255 is used for Admin Domain management.
• For default accounts such as admin and user, the home Admin Domain defaults to AD0 and cannot be changed.
• The Admin Domain list for the default admin account is 0–255, which gives this account automatic access to any Admin Domain as soon as the domain is created, and makes this account a physical fabric administrator.
• For user-defined accounts, the home Admin Domain also defaults to AD0 but an administrator can set the home Admin Domain to any Admin Domain to which the account has been given access.
NOTE: If the switch domain ID changes, the domain,index members are invalid (they are not automatically changed). You must then reconfigure the Admin Domain with the current domain,index members.
Figure 23 Fabric showing switch and device WWNs (labels: AD3, AD4, Domain ID = 1, Domain ID = 2, and the switch and device WWNs)

Figure 24 shows the filtered view of the fabric as seen from AD3 and AD4. The switch WWNs are converted to the NAA=5 syntax; the device WWNs and domain IDs remain the same.
• In mixed-fabric configurations, the legacy switches allow unfiltered access to the fabric and its devices; therefore, these legacy switches should be managed by the physical fabric administrator.
• You must zone all ports and devices from legacy switches in the AD0 root zone database.
See the Fabric OS Command Reference for detailed information about CLI syntax and options. Setting the default zone mode To begin implementing an Admin Domain structure within your SAN, you must first set the default zone mode to No Access. You must be in AD0 to change the default zone mode. 1. Log in to an AD-capable switch in the fabric with the appropriate RBAC role. 2. Ensure you are in the AD0 context by entering the ad --show command to determine the current Admin Domain.
2. Disable Virtual Fabrics, if necessary, as described in ”Disabling Virtual Fabrics” on page 184. Admin Domains and Virtual Fabrics cannot co-exist. 3. Set the default zone mode to No Access, if you have not already done so. See ”Setting the default zone mode” on page 200 for instructions. 4. Switch to the AD255 context, if you are not already in that context: ad --select 255 5.
Creating a new user account for managing Admin Domains 1. Connect to the switch and log in as admin. 2. Enter the userConfig --add command using the -r option to set the role, the -a option to provide access to Admin Domains, and the -h option to specify the home Admin Domain.
Activating an Admin Domain

An Admin Domain can be in either an active or inactive state. When you create an Admin Domain, it is automatically in the active state.
1. Connect to the switch and log in as admin.
2. Switch to the AD255 context, if you are not already in that context.
ad --select 255
3. Enter the ad --activate option.
ad --activate ad_id
The activate option prompts for confirmation.
The following example deactivates Admin Domain AD_B4.
switch:AD255:admin> ad --deactivate AD_B4
You are about to deactivate an AD.
This operation will fail if an effective zone configuration exists in the AD
Do you want to deactivate ’AD_B5’ admin domain (yes, y, no, n): [no] y
switch:AD255:admin>

Adding members to an existing Admin Domain

Connect to an AD-capable switch and log in as admin.
1. Switch to the AD255 context, if you are not already in that context.
ad --select 255
2.
Renaming an Admin Domain Use this procedure if you want to change the name of an Admin Domain. You can also change auto-assigned names (ADn). 1. Connect to the switch and log in as admin. 2. Switch to the AD255 context, if you are not already in that context. ad --select 255 3. Enter the ad --rename command with the present name and the new name.
Deleting all user-defined Admin Domains When you clear the Admin Domain configuration, all user-defined Admin Domains are deleted, the explicit membership list of AD0 is cleared, and all fabric resources (switches, ports, and devices) are returned to the implicit membership list of AD0. You cannot clear the Admin Domain configuration if zone configurations exist in any of the user-defined Admin Domains. 1.
The following example validates the member list of Admin Domain 10 in the current transaction buffer.
Executing a command in a different AD context You can execute a command in an Admin Domain that is different from your current AD context. The Admin Domain must be one that you can access. This option creates a new shell with the current user_id, switches to the specified Admin Domain, performs the specified command, and exits the shell. 1. Connect to the switch and log in. 2. Enter the ad --exec command, specifying the Admin Domain and the command you want to execute.
1. Connect to the switch and log in as any user type.
2. Enter the ad --select command and the Admin Domain you want to switch to.
3. Leave the new Admin Domain context by exiting from the shell.
logout
You cannot switch to another Admin Domain context from within the shell created by ad --select. You must first exit the shell, and then enter the ad --select command again.
The following example switches to the AD12 context and back. Note that the prompt changes to display the Admin Domain.
Fabric OS feature                     Admin Domain interaction
FICON                                 • Admin Domains support FICON. However, you must perform additional steps because FICON management (CUP) requires additional physical control of the ports.
                                      • You must set up the switch as a physical member of the FICON AD.
DCC and SCC policies                  Device Connection Control (DCC) and Switch Connection Control (SCC) policies are supported only in AD0 and AD255, because ACL configurations are supported only in AD0 and AD255.
iSCSI                                 iSCSI operations are supported only in AD0.
See ”Validating a zone” on page 249 for instructions on using the zone --validate command. For more information about the zone command and its use with Admin Domains, see the Fabric OS Command Reference. NOTE: AD zone databases do not have an enforced size limit. The zone database size is calculated by the upper limit of the AD membership definition and the sum of all the zone databases for each AD. Admin Domains support the default zone mode of noaccess only.
Configuration upload and download in an AD context The behavior of the configUpload and configDownload commands varies depending on the AD context and whether the switch is a member of the current Admin Domain. In the AD context, these commands include only the zone configuration of the current Admin Domain. If the switch is a member of the Admin Domain, all switch configuration parameters are saved and the zone database for that Admin Domain is also saved.
8 Installing and maintaining firmware Firmware download process overview Fabric OS 6.2.0 provides nondisruptive firmware installation.
If you are using an HP StorageWorks 4/256 SAN Director, or an HP StorageWorks DC SAN Backbone Director or HP StorageWorks DC04 SAN Director Switch enterprise-class platform, with one or more AP blades: The Fabric OS automatically detects mismatches between the active CP firmware and the blade’s firmware. The auto-leveling process will automatically update the blade firmware to match the active CP. At the end of the auto-leveling process, the active CP and the blade will run the same version of the firmware.
High Availability sync state

HA synchronization occurs when two CPs in an enterprise-class platform are synchronized. This state provides redundancy and a non-disruptive firmware download. In order for a firmware download to successfully occur, the two CPs in an enterprise-class platform must be in sync. If the CPs have mixed versions when you enter the firmwareDownload command, the CPs may not be in HA sync.
NOTE: IPv6 and DNS are supported by firmwareDownload in 6.0.0 or later. If DNS is enabled and a server name instead of a server IP address is specified in the command line, firmwareDownload determines whether IPv4 or IPv6 should be used. To specify the FTP server by name, you must enter at least one DNS server using the dnsConfig command.
3. Perform a configUpload prior to the firmwareDownload. Save the config file on your FTP or SSH server or USB memory device on supported platforms.
4.
Obtain and decompress firmware

Firmware upgrades are available for customers on the HP website http://www.hp.com. You must decompress the firmware before you can use the firmwareDownload command to update the firmware on your equipment. Use the UNIX tar command for .tar files, the gunzip command for all .gz files, or a Windows unzip program for all .zip files. When you unpack the downloaded firmware, it expands into a directory that is named according to the version of Fabric OS it contains.
The upgrade process first downloads and then commits the firmware to the switch. While the upgrade is proceeding, you can start a session on the switch and use the firmwareDownloadStatus command to observe the upgrade progress if you wish. CAUTION: After you start the process, do not enter any disruptive commands (such as reboot) that will interrupt the process. The entire firmware download and commit process takes approximately 17 minutes.
Network protocol    Specify the file transfer protocol used to download the firmware from the file server. Valid values are FTP and SCP. The values are not case-sensitive. If -p is not specified, firmwareDownload will determine the protocol automatically by checking the config.security parameter on the switch.
Password            Enter the password for the server. This operand can be omitted if firmware is accessible through a local directory, or if no password is required by the FTP or SCP server.
During the upgrade process, the director fails over to its standby CP blade and the IP address for the enterprise-class platform moves to that CP blade's Ethernet port. This may cause informational ARP address reassignment messages to appear on other switches in the fabric. This is normal behavior, because the association between the IP addresses and MAC addresses has changed. IMPORTANT: the CPs.
5. Use the firmwareShow command to check the current firmware version on connected switches. Upgrade the firmware, if necessary, before proceeding with upgrading this switch. See ”Connected switches” on page 216.
6. Enter the haShow command to confirm that the two CP blades are synchronized.
NOTE: HP does not support the FA4-18 product.
sw77:admin> firmwaredownload
Type of Firmware (FOS, SAS, or any application) [FOS]:
Server Name or IP Address: 192.168.32.10
Network Protocol (1-auto-select, 2-FTP, 3-SCP) [1]:
User Name: userfoo
File Name: /home/userfoo/v6.2.0
Password:
Verifying the input parameters …
Verifying the system parameters for firmwaredownload….
The following AP blades are installed in the system.
10. As an option, after the failover, connect to the switch, and log in again as admin. Using a separate session to connect to the switch, enter the firmwareDownloadStatus command to monitor the firmware download status.
sw77:admin> firmwareDownloadstatus
[1]: Thu Mar 06 00:30:49 2008
Slot 2 (SAS): Firmware is being downloaded to the blade. It may take up to 30 minutes.
[2]: Thu Mar 06 00:30:49 2008
Slot 7 (SAS): Firmware is being downloaded to the blade. It may take up to 30 minutes.
NOTE: HP does not support the FA4-18 product.
switch:admin> firmwareshow
Slot  Name    Appl  Primary/Secondary Versions  Status
----------------------------------------------------------
2     FA4-18  FOS   v6.2.0  v6.2.0
              SAS   v3.3.0  v3.3.0
              DMM   v3.3.0  v3.3.0
5     CP0     FOS   v6.2.0  v6.2.0                Standby *
6     CP0     FOS   v6.2.0  v6.2.0                Active
7     FA4-18  FOS   v6.2.0  v6.2.0
              SAS   v3.3.0  v3.3.0
              DMM   v3.3.0  v3.3.0
* Local CP
Note: If Local CP and Remote CP have different versions of firmware, please retry firmwaredownload command.
2. Enter the usbStorage -l command:
BrcdDCXBB:admin> usbstorage -l
firmware\      381MB  2008 Sep 28 15:33
v6.2.0\        381MB  2008 Oct 19 10:39
config\          0B   2008 Sep 28 15:33
support\         0B   2008 Sep 28 15:33
firmwarekey\     0B   2008 Sep 28 15:33
Available space on usbstorage 79%

Downloading the 6.2.0 image using the relative path

1. Log in to the switch as admin.
2. Enter the firmwareDownload command with the -U operand:
admin>firmwaredownload -U v6.2.0

Downloading the 6.2.0 image using the absolute path

1.
A different firmware key pair is created for digitally signed firmware releases. The private key file for the digitally signed firmware releases is used to sign released firmware, and the public key file is packaged inside these digitally signed firmware releases. NOTE: If FIPS is enabled, all logins should be done through SSH or direct serial and the transfer protocol should be SCP. Updating the firmwarekey 1. Log in to the switch as admin. 2. Enter the firmwareKeyUpdate command. 3.
cfgload attributes     Select Yes. The following questions are displayed:
                       Enforce secure config Upload/Download: Select yes
                       Enforce signed firmware download: Select yes
Webtools attributes    Default is no; press Enter to select default setting.
System attributes      Default is no; press Enter to select default setting.

Power-on Firmware Checksum Test

FIPS requires the checksums of the executables and libraries on the filesystem to be validated before Fabric OS modules are launched.
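The two integrity controls described above (the vendor-signed firmware release whose public key the switch holds and replaces with firmwareKeyUpdate, and the power-on checksum test over installed executables and libraries) modelled in Go as an added example; this is not Fabric OS code. The key pair, file contents and manifest layout are constructed for the illustration; the real release package format is not described on this page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Image is a constructed stand-in for a firmware release: its files, a manifest of
// their SHA-256 checksums, and a signature over that manifest by the release key.
type Image struct {
	Files     map[string][]byte // path -> contents
	Manifest  []byte            // "path sha256hex\n" lines
	Signature []byte            // PKCS#1 v1.5 signature over SHA-256(Manifest)
}

func buildManifest(files map[string][]byte) []byte {
	var b strings.Builder
	for p, data := range files {
		sum := sha256.Sum256(data)
		fmt.Fprintf(&b, "%s %s\n", p, hex.EncodeToString(sum[:]))
	}
	return []byte(b.String())
}

// SignImage is the release side: the private key signs the manifest hash.
func SignImage(priv *rsa.PrivateKey, files map[string][]byte) (*Image, error) {
	m := buildManifest(files)
	h := sha256.Sum256(m)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return nil, err
	}
	return &Image{Files: files, Manifest: m, Signature: sig}, nil
}

// VerifyImage is the switch side. pinned is the public key already installed on the
// switch. The image is accepted only if the manifest signature verifies under that
// key and every file matches its manifest checksum (the power-on checksum test).
func VerifyImage(pinned *rsa.PublicKey, img *Image) error {
	h := sha256.Sum256(img.Manifest)
	if err := rsa.VerifyPKCS1v15(pinned, crypto.SHA256, h[:], img.Signature); err != nil {
		return fmt.Errorf("manifest signature rejected: %w", err)
	}
	lines := strings.Split(strings.TrimSpace(string(img.Manifest)), "\n")
	if len(lines) != len(img.Files) {
		return fmt.Errorf("manifest lists %d files, image has %d", len(lines), len(img.Files))
	}
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) != 2 {
			return fmt.Errorf("malformed manifest line %q", line)
		}
		data, ok := img.Files[f[0]]
		sum := sha256.Sum256(data)
		if !ok || hex.EncodeToString(sum[:]) != f[1] {
			return fmt.Errorf("checksum mismatch for %s", f[0])
		}
	}
	return nil
}

// Scenario reports whether each of three images is accepted: a genuine image, one with
// a file altered after signing, and one signed with a key the switch does not have
// pinned. Keys are generated on the spot; they are not Fabric OS release keys.
func Scenario() (genuineOK, tamperedOK, wrongKeyOK bool, err error) {
	releaseKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	otherKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	files := map[string][]byte{ // constructed sample contents, not real firmware
		"bin/fos":       []byte("kernel and fos image v6.2.0 (sample)"),
		"lib/libcrypto": []byte("fips crypto library (sample)"),
	}
	img, err := SignImage(releaseKey, files)
	if err != nil {
		return
	}
	genuineOK = VerifyImage(&releaseKey.PublicKey, img) == nil
	// A file altered after signing: the signature still verifies, so only the
	// per-file checksum check catches the change.
	tampered := &Image{Manifest: img.Manifest, Signature: img.Signature, Files: map[string][]byte{
		"bin/fos": files["bin/fos"], "lib/libcrypto": []byte("patched library")}}
	tamperedOK = VerifyImage(&releaseKey.PublicKey, tampered) == nil
	// The same files signed with a key other than the one pinned on the switch.
	rogue, err := SignImage(otherKey, files)
	if err != nil {
		return
	}
	wrongKeyOK = VerifyImage(&releaseKey.PublicKey, rogue) == nil
	return
}
```

Scenario returns true only for the genuine image; the altered file and the foreign signing key are both rejected.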
The switch will perform a reboot and come up with the new firmware to be tested. Your current switch session will automatically disconnect. 7. Connect to the switch, log in as admin, and enter the firmwareShow command to confirm that the primary partition of the switch contains the new firmware. You are now ready to evaluate the new version of firmware.
5. Exit the session. 6. Update the firmware on the standby CP: a. Connect to the enterprise-class platform and log in as admin to the standby CP. b. Enter the firmwareDownload -s command and respond to the prompts. At this point, the firmware should download to the standby CP only. When it has completed the download to that CP, reboot it. The current enterprise-class platform session will be disconnected. 7. Fail over to the standby CP. a. Connect to the enterprise-class platform on the active CP. b.
10. Perform a commit on the standby CP. From the current enterprise-class platform session on the standby CP, enter the firmwareCommit command to update the secondary partition with new firmware. It takes several minutes to complete the commit operation. Do not do anything on the enterprise-class platform while this operation is in process. 11. Perform a commit on the active CP: a.
Validating a firmware download Validate the firmware download by running the following commands: firmwareShow, firmwareDownloadStatus, nsShow, nsAllShow, and fabricShow. NOTE: When you prepared for the firmware download earlier, you entered either the supportShow or supportSave command. Although you can enter the command again and compare the output from before and after, it may take up to 30 minutes for the command to execute.
232 Installing and maintaining firmware
9 Administering advanced zoning
Zoning overview
Zoning enables you to partition your storage area network (SAN) into logical groups of devices that can access each other. A device can communicate only with other devices connected to the fabric within its specified zone. For example, you can partition your SAN into two zones, winzone and unixzone, so that your Windows servers and storage do not interact with your UNIX servers and storage.
To list the commands associated with zoning, use the zoneHelp command. For detailed information on the zoning commands used in the procedures, see the Fabric OS Command Reference or the online man page for each command.
NOTE: The information in this chapter applies to Brocade Native mode only. For information about zoning in InteropMode 2 or 3, see Chapter 12, ”Interoperability for merged SANs” on page 291.
Zone types
Table 57 summarizes the types of zoning available.
Table 58 Approaches to fabric-based zoning
Zoning approach   Description   Recommended approach
Single HBA        Zoning by single HBA most closely re-creates the original SCSI bus. Each zone created has only one HBA (initiator) in the zone; each of the target devices is added to the zone. Typically, a zone is created for the HBA and the disk storage ports are added. If the HBA also accesses tape devices, a second zone is created with the HBA and associated tape devices in it.
Zone objects identified by port number or index number are specified as a pair of decimal numbers in the form d, index, where d is the domain ID of the switch and index is the index number on that switch in relation to the port you want to specify. For example, in enterprise-class platforms, 4,30 specifies port 14 in slot number 2 (domain ID 4, port index 30). On fixed-port models, 3,13 specifies port 13 in switch domain ID 3.
Zone configurations
A zone configuration is a group of one or more zones. A zone can be included in more than one zone configuration. When a zone configuration is in effect, all zones that are members of that configuration are in effect. Several zone configurations can reside on a switch at once, and you can quickly alternate between them. For example, you might want to have one configuration enabled during the business hours and another enabled overnight.
Hardware-enforced zoning
Hardware-enforced zoning means that each frame is checked by hardware (the ASIC) before it is delivered to a zone member and is discarded if there is a zone mismatch. When hardware-enforced zoning is active, the Fabric OS switch monitors the communications and blocks any frames that do not comply with the effective zone configuration. The switch performs this blocking at the transmit side of the port on which the destination device is located.
Table 59 Enforcing hardware zoning
Fabric type   Methodology   Best practice
HP StorageWorks SAN Switch 2/8V, 2/8-EL, 2/16, 2/16-EL, 2/16V, 2/16N, 2/32, HP StorageWorks MSA SAN Switch 2/8, HP StorageWorks 4/8 and 4/16 SAN Switches, HP StorageWorks 8/8 and 8/24 SAN Switches, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, HP StorageWorks SAN Switch 4/32, HP StorageWorks 4/64 SAN Switch, HP StorageWorks SAN Switch 4/32B, HP StorageWorks 8/40 SAN Switch, H
[Figure 28 Hardware-enforced overlapping zones: WWN_Zone1, Port_Zone1, Port_Zone2 and WWN_Zone2 around a core switch, with the zone boundaries marked]
Any zone using a mixed zoning scheme on the Fabric OS 2-Gb/s platform relies on name server authentication as well as hardware-assisted (ASIC) authentication. Hardware-assisted authentication ensures that any PLOGI, ADISC, PDISC, or ACC from an unauthorized device is rejected if that device is attempting to access a device that is not in the same zone.
2. Enter the portZoneShow command, using the following syntax:
   portzoneshow
Considerations for zoning architecture
Table 60 lists considerations for zoning architecture.
Table 60 Considerations for zoning architecture
Item                                           Description
Type of zoning: hard or soft (session-based)   HP recommends hard zoning if security is a priority.
Use of aliases                                 Optional with zoning. Using aliases requires structure when defining zones.
control which devices receive broadcast frames, you can create a special zone, called a broadcast zone, which restricts broadcast packets to only those devices that are members of the broadcast zone. If there are no broadcast zones or if a broadcast zone is defined but not enabled, broadcast frames are not forwarded to any F_Ports.
"3,1" "1,1" "4,1" "2,1" AD1 AD2 broadcast "2,1; 3,1; 4,1" broadcast "1,1; 3,1; 5,1" "5,1" "1,1" "3,1; 4,1" broadcast "1,1; 3,1; 4,1" Figure 31 Broadcast zones and Admin Domains The dotted box represents the consolidated broadcast zone, which contains all of the devices that can receive broadcast packets. The actual delivery of broadcast packets is also controlled by the Admin Domain and zone enforcement logic.
Loop devices and broadcast zones
Delivery of broadcast packets to individual devices in a loop is not controlled by the switch. Consequently, adding loop devices to a broadcast zone does not have any effect. If a loop device is part of a broadcast zone, all devices in that loop receive broadcast packets.
Best practice: All devices in a single loop should have uniform broadcast capability. If all the devices in the loop can handle broadcast frames, add the FL_Port to the broadcast zone.
The values represent the following:
   aliasname   The name of the zone alias to be created.
   member      A member or list of members to be added to the alias. An alias member can be specified by one or more of the following methods:
               • A domain,port pair
               • Device node or device port WWN
3. Enter the cfgSave command to save the change to the defined configuration.
2. Enter the aliRemove command, using the following syntax:
   aliremove "aliasname", "member[; member...]"
   where:
   aliasname   The name of the zone alias
   member      A member or list of members to be removed from the alias. An alias member can be specified by one or more of the following methods:
               • A domain,port pair
               • A device node or device port WWN
3. Enter the cfgSave command to save the change to the defined configuration.
Viewing an alias in the defined configuration
1. Connect to the switch and log in as admin.
2. Enter the aliShow command, using the following syntax:
   alishow "pattern"[, mode]
   where:
   pattern   A POSIX-style regular expression used to match zone alias names.
   mode      Specify 0 to display the contents of the transaction buffer (the contents of the current transaction), or specify 1 to display the contents of the nonvolatile memory. The default value is 0.
3. Enter the cfgSave command to save the change to the defined configuration:
   switch:admin> zonecreate "greenzone", "2,32; 2,33; 2,34; 4,4"
   switch:admin> zonecreate "bluezone", "21:00:00:20:37:0c:66:23; 4,3"
   switch:admin> zonecreate "broadcast", "1,2; 2,33; 2,34"
   switch:admin> cfgsave
   You are about to save the Defined zoning configuration. This action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled.
where:
   zonename   The name of the zone to be created.
   member     A member or list of members to be removed from the zone. A zone member can be specified by one or more of the following methods:
              • A domain,port pair
              • A device node or device port WWN
              • A zone alias name
3.
where:
   pattern   A POSIX-style regular expression used to match zone names
   mode      Specify 0 to display the contents of the transaction buffer (the contents of the current transaction), or specify 1 to display the contents of the nonvolatile memory. The default value is 0.
cannot specify a mode option or specify a zone object as an argument with the -f option. This mode flag should be used after the zone has been validated. For more details about the zone, cfgShow, cfgEnable, and cfgSave commands, see the Fabric OS Command Reference.
Default zoning mode
The default zoning mode controls device access if zoning is not implemented or if there is no effective zone configuration. The default zoning mode has two options:
• All Access.
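The access decision that the zoning overview and the default zoning mode describe, written out as an added Python example (this is not Fabric OS code or output from this guide): it classifies zone members in the three forms the alicreate and zonecreate syntax accepts (a domain,port pair, a device WWN, or a zone alias name), expands aliases, and answers whether a unicast frame between two devices is permitted under the effective configuration, falling back to the default zoning mode when no configuration is enabled. The zone and alias definitions are constructed after the zonecreate example above; treating the special zone named broadcast as governing broadcast delivery only, and not unicast access, is an assumption of this example.

```python
import re

WWN_RE = re.compile(r"^([0-9A-Fa-f]{2}:){7}[0-9A-Fa-f]{2}$")
DOMAIN_PORT_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*$")
ALIAS_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def classify_member(member):
    """Classify one zone member string: ('port', (domain, index)),
    ('wwn', lower-case wwn) or ('alias', name)."""
    m = member.strip()
    dp = DOMAIN_PORT_RE.match(m)
    if dp:
        return ("port", (int(dp.group(1)), int(dp.group(2))))
    if WWN_RE.match(m):
        return ("wwn", m.lower())
    if ALIAS_RE.match(m):
        return ("alias", m)
    raise ValueError(f"unrecognised zone member: {member!r}")


def parse_members(spec):
    """Split a 'm1; m2; m3' member list as used by zonecreate / alicreate."""
    return [classify_member(x) for x in spec.split(";") if x.strip()]


def resolve(members, aliases, _seen=frozenset()):
    """Expand alias names (recursively) into the set of concrete devices."""
    devices = set()
    for kind, value in members:
        if kind != "alias":
            devices.add((kind, value))
            continue
        if value in _seen:
            raise ValueError(f"alias cycle at {value}")
        if value not in aliases:
            raise KeyError(f"undefined alias {value}")
        devices |= resolve(aliases[value], aliases, _seen | {value})
    return devices


def effective_zones(zones, cfgs, effective):
    """{zone_name: members} for the zones of the effective configuration."""
    if effective is None:
        return {}
    return {z: zones[z] for z in cfgs[effective]}


def may_communicate(src, dst, zones, cfgs, effective, aliases=None,
                    default_mode="No Access"):
    """Unicast access decision: permitted only if src and dst share a zone in
    the effective configuration. With no effective configuration the default
    zoning mode decides (All Access permits, No Access denies)."""
    if effective is None:
        return default_mode == "All Access"
    s, d = classify_member(src), classify_member(dst)
    for name, members in effective_zones(zones, cfgs, effective).items():
        if name == "broadcast":
            continue  # assumption: the broadcast zone governs broadcast delivery only
        devs = resolve(members, aliases or {})
        if s in devs and d in devs:
            return True
    return False


def broadcast_recipients(zones, cfgs, effective, aliases=None):
    """Devices that receive broadcast frames: the members of the enabled zone
    named 'broadcast'; none when no broadcast zone is defined and enabled."""
    ez = effective_zones(zones, cfgs, effective)
    if "broadcast" not in ez:
        return set()
    return resolve(ez["broadcast"], aliases or {})


# Constructed sample, modelled on the zonecreate example in this chapter.
ALIASES = {"array1": parse_members("4,3")}
ZONES = {
    "greenzone": parse_members("2,32; 2,33; 2,34; 4,4"),
    "bluezone": parse_members("21:00:00:20:37:0c:66:23; array1"),
    "broadcast": parse_members("1,2; 2,33; 2,34"),
}
CFGS = {"cfg1": ["greenzone", "bluezone", "broadcast"]}
```

Devices "1,2" and "2,33" share only the broadcast zone, so under this model they receive each other's broadcasts but cannot exchange unicast frames; enabling no configuration at all hands the decision to the default zoning mode, which is why this chapter recommends No Access when zoning is not yet configured.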
Zoning database size and zone merging
Table 61 presents zoning database size limitations for various Fabric OS release versions. The maximum size of a zone database is the upper limit for the defined configuration. It is determined by the amount of flash memory available for storing the defined configuration.
Table 61 Zoning database limitations
Fabric OS version     Maximum database size (KB)
2.4.0                 64
2.5.0                 64
2.6.0                 96
3.0.0                 128
3.1.0                 96
3.2.0                 256
4.0.0, 4.1.0, 4.2.0   128
4.4.0                 256
5.0.
Table 62 Resulting database size: 0 to 96K (continued)
                              Receiver
Initiator                     Fabric OS 3.1   Fabric OS 3.2   Fabric OS 4.0/4.1/4.2   Fabric OS 4.4.0   Fabric OS 5.0.0/5.0.1/5.1.0   Fabric OS 5.2.0 or later   Fibre Channel Router   XPath 7.3
Fabric OS 4.0/4.1/4.2         Join            Join            Join                    Join              Join                          Join                       Join                   Join
Fabric OS 4.4.0               Join            Join            Join                    Join              Join                          Join                       Join                   Join
Fabric OS 5.0.0/5.0.1/5.1.0   Join            Join            Join                    Join              Join                          Join                       Join                   Join
Fabric OS 5.2.
Table 64 Resulting database size: 128K to 256K (continued)
                              Receiver
Initiator                     Fabric OS 3.1   Fabric OS 3.2   Fabric OS 4.0/4.1/4.2   Fabric OS 4.4.0   Fabric OS 5.0.0/5.0.1/5.1.0   Fabric OS 5.2.0 or later   Fibre Channel Router   XPath 7.3
Fabric OS 5.0.0/5.0.1         Segment         Join            Segment                 Join              Join                          Join                       Join                   Segment
Fabric OS 5.2.0 or later      Segment         Join            Join                    Join              Join                          Join                       Join                   Join
FC router                     Segment         Join            Segment                 Join              Join                          Join                       Join                   Segment
XPath 7.
NOTE: For Fabric OS 5.3.0 and later, the minimum zoning database size is 4 bytes, even if the zoning database is empty.
For important considerations for managing zoning in a fabric, and more details about the maximum zone database size for each version of the Fabric OS, see ”Zoning database size and zone merging” on page 251. If you create or make changes to a zone configuration, you must enable the configuration for the changes to take effect.
Creating a zoning configuration
1.
The cfgSave command ends and commits the current zoning transaction buffer to both volatile and nonvolatile memory. If a transaction is open on a different switch in the fabric when this command is run, the transaction on the other switch is automatically aborted. A message is displayed on the other switches to indicate that the transaction was aborted.
Removing zones (members) from a zone configuration
1. Connect to the switch and log in as admin.
2.
NOTE: If the default zoning mode is set to All Access and more than 120 devices are connected to the fabric, you cannot disable the zone configuration. See ”Default zoning mode” on page 250 for information about setting this mode to No Access. The following procedure ends and commits the current zoning transaction buffer to both volatile and nonvolatile memory.
transaction, the newly edited zone configuration that has not yet been saved is displayed. If there are no outstanding transactions, the committed zone configuration is displayed.
1. Connect to the switch and log in as admin.
2.
   21:00:00:20:37:0c:76:85
   21:00:00:20:37:0c:71:df
Clearing all zone configurations
1. Connect to the switch and log in as admin.
2. Enter the cfgClear command to clear all zone information in the transaction buffer.
CAUTION: Be careful using the cfgClear command because it deletes the defined configuration.
   switch:admin> cfgclear
   The Clear All action will clear all Aliases, Zones, FA Zones and configurations in the Defined configuration.
4. Enter the cfgShow command to verify that the new zone object is present.
   switch:admin> cfgshow "Test*"
   cfg:   Test1      Blue_zone
   cfg:   Test_cfg   Purple_zone; Blue_zone
   switch:admin> cfgShow "US_Test1"
   cfg:   US_Test1   Blue_zone
5. If you want the change preserved when the switch reboots, enter the cfgSave command to save it to nonvolatile (flash) memory.
6. Enter the cfgEnable command for the appropriate zone configuration to make the change effective.
4. Enter yes at the prompt.
5. Enter the cfgShow command to verify that the deleted zone object is no longer present.
6. If you want the change preserved when the switch reboots, enter the cfgSave command to save it to nonvolatile (flash) memory.
7. Enter the cfgEnable command for the appropriate zone configuration to make the change effective.
Renaming a zone object
1. Connect to the switch and log in as admin.
2.
Before merging zones
To facilitate merging, check the following before merging switches or fabrics:
• Zoning licenses: All switches running Fabric OS 6.0.x or earlier must have a Zoning license enabled.
• Native operating mode: All switches must be in the native operating mode.
• Secure Fabric OS: The switch being merged into the existing fabric must not have Brocade Secure Fabric OS enabled.
• Type mismatch: The name of a zone object in one fabric is used for a different type of zone object in the other fabric.
• Content mismatch: The definition of a zone object in one fabric is different from the definition of the zone object with the same name in the other fabric.
• Zone Database Size: The zone database size exceeds the maximum limit of another switch.
Entering these commands causes a merge, making the fabric consistent with the correct configuration.
Zone merging scenarios
Table 66 provides information on merging zones and the expected results.
Table 66 Zone merging scenarios
Description   Switch A   Switch B   Expected results
Switch A has a defined configuration. Switch B does not have a defined configuration.
Table 66 Zone merging scenarios (continued)
Description                                   Switch A                            Switch B                            Expected results
Same content, different effective cfg name.   defined: cfg1 zone1: ali1; ali2     defined: cfg2 zone1: ali1; ali2     Fabric segments due to: Zone Conflict cfg mismatch
                                              effective: cfg1 zone1: ali1; ali2   effective: cfg2 zone1: ali1; ali2
Same content, different zone name.
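The merge checks listed above (type mismatch, content mismatch, differing effective configuration names, and the zone database size limit), as an added Python example rather than the switch's own merge logic. The database model (one dictionary per switch holding aliases, zones, cfgs, the effective configuration name and database size figures), the treatment of member order as insignificant when comparing definitions, and the two sample switches modelled on the Table 66 row are assumptions of this example.

```python
# Object kinds in a zoning database, with the singular name used in messages.
KINDS = (("aliases", "alias"), ("zones", "zone"), ("cfgs", "cfg"))


def normalise(members):
    """Turn 'ali1; ali2' into a comparable tuple. Assumption of this example:
    member order is not significant when comparing two definitions."""
    return tuple(sorted(m.strip().lower() for m in members.split(";") if m.strip()))


def object_types(db):
    """Map every object name in a zoning database to (dict key, kind)."""
    types = {}
    for key, kind in KINDS:
        for name in db.get(key, {}):
            types[name] = (key, kind)
    return types


def merge_conflicts(a, b):
    """Reasons switch A and switch B would segment instead of merging their
    zoning databases; an empty list means the merge can proceed."""
    conflicts = []
    ta, tb = object_types(a), object_types(b)
    # Names present on both sides must be the same kind of object with the
    # same definition (type mismatch / content mismatch).
    for name in sorted(ta.keys() & tb.keys()):
        (key_a, kind_a), (key_b, kind_b) = ta[name], tb[name]
        if kind_a != kind_b:
            conflicts.append(f"type mismatch: {name} is {kind_a} on A, {kind_b} on B")
        elif normalise(a[key_a][name]) != normalise(b[key_b][name]):
            conflicts.append(f"content mismatch: {name} is defined differently on A and B")
    # Both sides enabled, but under different configuration names.
    ea, eb = a.get("effective"), b.get("effective")
    if ea and eb and ea != eb:
        conflicts.append(f"cfg mismatch: effective configuration {ea} on A, {eb} on B")
    # Each side's database has to fit within the other side's maximum.
    for src, dst, label in ((a, b, "A"), (b, a, "B")):
        if src.get("db_size_kb", 0) > dst.get("max_db_kb", float("inf")):
            conflicts.append(f"zone database size: switch {label} exceeds the peer's maximum")
    return conflicts


# Constructed sample switches after the "same content, different effective
# cfg name" row of Table 66 (the size figures are made up for the example).
SWITCH_A = {"aliases": {"ali1": "1,1", "ali2": "2,1"},
            "zones": {"zone1": "ali1; ali2"},
            "cfgs": {"cfg1": "zone1"}, "effective": "cfg1",
            "db_size_kb": 8, "max_db_kb": 256}
SWITCH_B = {"aliases": {"ali1": "1,1", "ali2": "2,1"},
            "zones": {"zone1": "ali1; ali2"},
            "cfgs": {"cfg2": "zone1"}, "effective": "cfg2",
            "db_size_kb": 8, "max_db_kb": 256}
```

Running merge_conflicts on the two sample switches reproduces the table row: identical zone content still segments the fabric because the effective configurations carry different names, which is the case to rule out before connecting an ISL between two previously separate fabrics.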
10 Configuring Enterprise-class platforms
Ports
Because enterprise-class platforms contain interchangeable port blades, their procedures differ from those for fixed-port switches. For example, fixed-port models identify ports only by the port number, while enterprise-class platforms identify ports by slot/port notation.
Table 67 Port numbering schemes for the HP StorageWorks 4/256 SAN Director, HP StorageWorks DC SAN Backbone Director and HP StorageWorks DC04 SAN Director Switch enterprise-class platforms
Port blades                                          Numbering scheme
• HP StorageWorks SAN Director 2/128 16-port blade   Ports are numbered from 0 through 15 from bottom to top.
Port Identification by Port Area ID
The relationship between the port number and area ID depends upon the PID format used in the fabric. When Core PID format is in effect, the area ID for port 0 is 0, for port 1 is 1, and so forth. For 32-port blades (HP StorageWorks 4/256 SAN Director 16 Port 4Gb blade, HP StorageWorks SAN Director 32 Port 8Gb FC blade), the numbering is contiguous up to port 15; from port 16, the numbering is still contiguous, but starts with 128.
Table 68 Default index/area_ID core PID assignment with no port swap (continued)
Port on blade   Slot 1 Idx/area   Slot 2 Idx/area   Slot 3 Idx/area   Slot 4 Idx/area   Slot 7 Idx/area   Slot 8 Idx/area   Slot 9 Idx/area   Slot 10 Idx/area
45              269/133           285/149           301/165           317/181           333/197           349/213           365/229           381/245
44              268/132           284/148           300/164           316/180           332/196           348/212           364/228           380/244
43              267/131           283/147           299/163           315/179           331/195           347/211           363/227           379/243
42              266/130           282/146           298/162           314/178           330/194           34
Table 68 Default index/area_ID core PID assignment with no port swap (continued)
Port on blade   Slot 1 Idx/area   Slot 2 Idx/area   Slot 3 Idx/area   Slot 4 Idx/area   Slot 7 Idx/area   Slot 8 Idx/area   Slot 9 Idx/area   Slot 10 Idx/area
7               7/7               23/23             39/39             55/55             71/71             87/87             103/103           119/119
6               6/6               22/22             38/38             54/54             70/70             86/86             102/102           118/118
5               5/5               21/21             37/37             53/53             69/69             85/85             101/101           117/117
4               4/4               20/20             36/36             52/52             68/68             84/84             100/100           116/116
3               3/3               19/19             35/35             51/51             67/67
Table 69 Default index/area_ID core PID assignment with no port swap for the HP StorageWorks DC04 SAN Director Switch (continued)
Port on blade   Slot 1 Idx/area   Slot 2 Idx/area   Slot 7 Idx/area   Slot 8 Idx/area
27              27/27             91/91             155/155           219/219
26              26/26             90/90             154/154           218/218
25              25/25             89/89             153/153           217/217
24              24/24             88/88             152/152           216/216
23              23/23             87/87             151/151           215/215
22              22/22             86/86             150/150           214/214
21              21/21             85/85             149/149           213/213
20              20/20             84/84             148/148           212/212
19              19/19             83/8
NOTE: Some FRUs in the chassis may use significant power, yet cannot be powered off through software. For example, a missing blower FRU may change the power computation enough to affect how many slots can be powered up.
Powering off a port blade
NOTE: In the HP StorageWorks DC SAN Backbone Director and HP StorageWorks DC04 SAN Director Switch the core blades and CPs cannot be powered off from the CLI interface.
• HP StorageWorks 4/256 SAN Director 32 Port 4Gb Blade
• HP StorageWorks SAN Director 16 Port 8Gb FC Blade
• HP StorageWorks SAN Director 6 Port 10Gb FC Blade
• HP StorageWorks B-Series iSCSI Director Blade
• FS8-18
NOTE: The HP StorageWorks B-Series iSCSI Director Blade is not supported in either the HP StorageWorks DC SAN Backbone Director or HP StorageWorks DC04 SAN Director Switch enterprise-class platform.
NOTE: This is not true for the HP StorageWorks SAN Director 16 Port 8Gb FC Blade. Since FC8 type blades support EX_Ports, they are still retained in the configuration, but they are persistently disabled.
Table 70 HP StorageWorks enterprise-class platform terminology and abbreviations (continued)
Blade name                  Abbrev.                                            Blade ID (slotshow)   Definition
16-port 2-Gb/s port blade   HP StorageWorks SAN Director 2/128 16-port Blade   4                     The second generation HP StorageWorks 16-port Blade supporting 1 and 2 Gb/s port speeds. This port blade is compatible only with the HP StorageWorks 4/256 SAN Director CP Blades.
Table 70 HP StorageWorks enterprise-class platform terminology and abbreviations (continued)
Blade name                  Abbrev.                                            Blade ID (slotshow)   Definition
48-port 8-Gb/s Port Blade   HP StorageWorks SAN Director 48 Port 8Gb FC Blade  51                    A 48-port HP StorageWorks Platform Port Blade supporting 1, 2, 4, and 8 Gb/s port speeds. The HP StorageWorks SAN Director 48 Port 8Gb FC Blade supports only F_Ports and E_Ports; FL_Ports are not supported.
Mixed CP blades are not supported on a single chassis, except during specific upgrade procedures detailed in the HP StorageWorks 4/256 SAN Director Hardware Reference Manual. CP4 and CP8 blades cannot be mixed in the same chassis under any circumstances. HP recommends that each platform have only one type of CP blade installed and that each CP (primary and secondary partition) maintains the same firmware version.
Table 71 Port blades supported by each platform (continued)
Port blades                            HP StorageWorks 4/256 SAN Director (CP4)   HP StorageWorks DC SAN Backbone Director and HP StorageWorks DC04 SAN Director Switch
B-Series Multi-Protocol Router Blade   Supported                                  Supported
FS8-18                                 Supported                                  Supported
1. Can coexist only with HP StorageWorks 4/256 SAN Director 16 Port 4Gb Blade.
Displaying slot information
1. Connect to the switch and log in as admin.
2.
See Table 70 on page 275 for a list of blades and their corresponding IDs.
Status (Displays the status of the blade)
   DIAG RUNNING POST1: The blade is present, powered on, and running the post-initialization power-on self test (POST).
   DIAG RUNNING POST2: The blade is present, powered on, and running the POST.
   ENABLED: The blade is on and enabled.
   ENABLED (User Ports Disabled): The blade is on, but external ports have been disabled with the bladeDisable command.
   DISABLED: The blade is powered on but disabled.
ICL1 <--> ICL1
ICL ports can be used only with an ICL license. For more information about license enforcement, see ”Licensed features” on page 43. After the addition or removal of a license, the license enforcement is performed on the ICL ports only when you enter the portDisable or portEnable commands on the switch for the ports. All ICL ports must be disabled, and then re-enabled for the license to take effect. An ICL license must be installed on both platforms forming the ICL connection.
11 Routing traffic
Routing overview
Data moves through a fabric from switch to switch and from storage to server along one or more paths that make up a route. Routing policies determine the path for each frame of data. Before the fabric can begin to route a packet, it must discover the route that packet should take to reach the intended destination. Route tables are lists that indicate the next hop to which packets are directed to reach a destination.
redundancy. If a link goes down, part of the fabric becomes isolated. FSPF ensures that the topology is loop free and that the frame is never forwarded over the same ISL more than once. FSPF calculates paths based on the destination domain ID. The fabric protocol must complete domain ID assignments before routing can begin. ISLs provide the physical pathway when the Source ID (SID) address has a frame destined to a port on a remote switch Destination ID (DID).
IMPORTANT: For most configurations, the default routing policy is optimal and provides the best performance. You should change the routing policy only if there is a performance issue that is of concern, or if a particular fabric configuration requires it.
Displaying the current routing policy
1. Connect to the switch and log in as admin.
2. Enter the aptPolicy command with no parameters.
   aptpolicy
The current policy is displayed, followed by the supported policies for the switch.
AP route policy
On the HP StorageWorks 400 Multi-Protocol Router and B-Series Multi-Protocol Router Blade, there are eight internal physical links used by EX_ and VEX_Port functionality. The links are shared by both ingress and egress traffic on EX_ and VEX_Ports. The AP (appliance) route policy dedicates some links for ingress traffic and some links for egress traffic.
Dynamic load sharing
The exchange-based routing policy depends on the Fabric OS Dynamic Load Sharing feature (DLS) for dynamic routing path selection. When using the exchange-based routing policy, DLS is enabled by default and cannot be disabled. In other words, you cannot enable or disable DLS when the exchange-based routing policy is in effect. When the port-based policy is in force, you can enable DLS to optimize routing.
Instead, you can use the traffic isolation feature to create a dedicated path for interswitch traffic. See ”Traffic Isolation Routing” on page 339 for information about this feature.
Assigning a static route
1. Connect to the switch and log in as admin.
2. Enter the uRouteConfig command.
   urouteconfig in_area domain out_area
   where:
   in_area    The input port to be statically routed, either an F_Port or an E_Port.
   domain     The destination domain.
   out_area   The output port to which traffic is forwarded.
In a stable fabric, frames are always delivered in order, even when the traffic between switches is shared among multiple paths. However, when topology changes occur in the fabric (for example, if a link goes down), traffic is rerouted around the failure, and some frames could be delivered out of order. Most destination devices tolerate out-of-order delivery, but some do not.
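The route-table computation that FSPF performs, as this chapter describes it (shortest path keyed by destination domain ID, equal-cost ISLs kept as alternatives, loop-free by construction, and rerouting around a failed link), together with a static route override of the uRouteConfig kind and the port-based versus exchange-based choice among equal-cost ports, as an added Python example that is not Fabric OS code. The topology, the link costs and the simple sum used to spread traffic across equal-cost ports are constructed for this example; the real policies hash SID/DID (port-based) or SID/DID/OXID (exchange-based) in hardware.

```python
import heapq

# Constructed sample fabric (not from the guide): one ISL per tuple as
# (domain_a, port_a, domain_b, port_b, FSPF link cost).
SAMPLE_ISLS = [
    (1, 0, 2, 0, 1000),
    (1, 2, 2, 2, 1000),   # second ISL to domain 2 with equal cost
    (1, 1, 3, 0, 500),
    (2, 1, 4, 0, 500),
    (3, 1, 4, 1, 500),
]


def adjacency(isls):
    """Undirected adjacency list: domain -> [(neighbour, egress port, cost)]."""
    adj = {}
    for da, pa, db, pb, cost in isls:
        if cost <= 0:
            raise ValueError("link cost must be positive")
        adj.setdefault(da, []).append((db, pa, cost))
        adj.setdefault(db, []).append((da, pb, cost))
    return adj


def build_route_table(isls, local_domain):
    """Shortest paths from local_domain, keyed by destination domain ID.
    Returns {dest_domain: [local egress ports lying on equal-cost shortest paths]}."""
    adj = adjacency(isls)
    dist = {local_domain: 0}
    first_hops = {}          # dest -> set of local egress ports
    heap = [(0, local_domain)]
    settled = set()
    while heap:
        d, u = heapq.heappop(heap)
        if u in settled:
            continue
        settled.add(u)
        for v, out_port, cost in adj.get(u, []):
            nd = d + cost
            # The first hop of a path through u is u's own first hop,
            # unless u is the local switch, where it is the egress port.
            hops = {out_port} if u == local_domain else first_hops[u]
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                first_hops[v] = set(hops)
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v] and v not in settled:
                first_hops[v] |= hops   # equal-cost alternative
    return {dest: sorted(ports) for dest, ports in first_hops.items()}


def fail_link(isls, domain, port):
    """Topology after the ISL attached to (domain, port) goes down."""
    return [l for l in isls
            if (l[0], l[1]) != (domain, port) and (l[2], l[3]) != (domain, port)]


def select_out_port(table, static_routes, in_port, dest, sid, did, oxid=None):
    """Egress port for one frame. A static route (in_area, domain -> out_area)
    wins; otherwise one of the equal-cost ports is chosen from SID/DID
    (port-based policy) or SID/DID/OXID (exchange-based policy).
    Returns None when there is no route to the destination domain."""
    if (in_port, dest) in static_routes:
        return static_routes[(in_port, dest)]
    ports = table.get(dest)
    if not ports:
        return None
    key = sid + did + (oxid if oxid is not None else 0)   # stand-in for the hardware hash
    return ports[key % len(ports)]
```

With the sample topology, domain 1 reaches domain 4 through domain 3 (cost 1000) rather than through domain 2 (cost 1500); after the ISL on domain 1 port 1 fails, both domain 3 and domain 4 are reached through the two equal-cost ISLs to domain 2, which is the rerouting during which the chapter warns that frames can arrive out of order.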
12 Interoperability for merged SANs
For information on HP supported interop configurations, see the HP StorageWorks Fabric interoperability application notes for merging B-Series fabrics with fabrics based on C-Series and M-Series Fibre Channel switches on the following HP website:
http://h18000.www1.hp.com/products/storageworks/san/documentation.html
Fabric OS 6.
13 Configuring the Distributed Management Server
Distributed Management Server overview
The Fabric OS Distributed Management Server (MS) allows a SAN management application to retrieve information and administer interconnected switches, servers, and storage devices. The management server assists in the autodiscovery of switch-based fabrics and their associated topologies.
Enabling platform services
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the msplMgmtActivate command.
   switch:admin> msplmgmtactivate
   Request to activate MS Platform Service in progress......
   *Completed activating MS Platform Service in the fabric!
   switch:admin>
Disabling platform services
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the msplMgmtDeactivate command.
3. Enter y to confirm the deactivation.
In the following example, the list is empty:
   switch:admin> msconfigure
   0  Done
   1  Display the access list
   2  Add member based on its Port/Node WWN
   3  Delete member based on its Port/Node WWN
   select : (0..3) [1] 1
   MS Access list is empty.
   0  Done
   1  Display the access list
   2  Add member based on its Port/Node WWN
   3  Delete member based on its Port/Node WWN
   select : (0..3) [1] 0
   done ...
   switch:admin>
Adding a member to the ACL
1. Connect to the switch and log in using an account assigned to the admin role.
2.
8. Press Enter to update the nonvolatile memory and end the session.
   switch:admin> msconfigure
   0  Done
   1  Display the access list
   2  Add member based on its Port/Node WWN
   3  Delete member based on its Port/Node WWN
   select : (0..3) [1] 2
   Port/Node WWN (in hex): [00:00:00:00:00:00:00:00] 20:00:00:20:37:65:ce:aa
   *WWN is successfully added to the MS ACL.
   0  Done
   1  Display the access list
   2  Add member based on its Port/Node WWN
   3  Delete member based on its Port/Node WWN
   select : (0..
8. Press Enter to update the nonvolatile memory and end the session.
   switch:admin> msconfigure
   0  Done
   1  Display the access list
   2  Add member based on its Port/Node WWN
   3  Delete member based on its Port/Node WWN
   select : (0..3) [1] 2
   Port/Node WWN (in hex): [00:00:00:00:00:00:00:00] 10:00:00:00:c9:29:b3:84
   *WWN is successfully added to the MS ACL.
   0  Done
   1  Display the access list
   2  Add member based on its Port/Node WWN
   3  Delete member based on its Port/Node WWN
   select : (0..
The contents of the management server platform database are displayed.
   switch:admin> msplatshow
   ----------------------------------------------------------
   Platform Name: [9] "first obj"
   Platform Type: 5 : GATEWAY
   Number of Associated M.A.: 1
   [35] "http://java.sun.
Disabling topology discovery
1. Connect to the switch and log in as admin.
2. Enter the appropriate following command based on how you want to disable discovery:
   • For the local switch, enter the mstdDisable command.
   • For the entire fabric, enter the mstdDisable all command. A warning is displayed, saying that all NID entries might be cleared.
3. Enter y to disable the discovery feature.
NOTE: Disabling discovery of management server topology might erase all NID entries.
14 iSCSI gateway service
iSCSI gateway service overview
This chapter describes the HP StorageWorks B-Series iSCSI Director Blade gateway service. The iSCSI gateway service is supported only on the HP StorageWorks 4/256 SAN Director running Fabric OS 5.2.0 or later with one or more iSCSI-enabled HP StorageWorks B-Series iSCSI Director Blade.
At the iSCSI gateway port, the incoming iSCSI data is converted to FCP (SCSI on FC) by the iSCSI virtual initiator, and then forwarded to the FC target. This allows low-cost servers to leverage an existing FC infrastructure. To represent all iSCSI initiators and sessions, each iSCSI portal has one iSCSI virtual initiator (VI) to the FC fabric that appears as an N_Port device with a special WWN format.
[Figure 36 iSCSI VT advanced LUN mapping: LUNs of FC target 1 and FC target 2 mapped onto iSCSI virtual targets 1, 2 and 3]
iSCSI component identification
IQN Prefix
Unique iSCSI Qualified Names (IQNs) are used to identify each iSCSI VT. The format for the IQN is type.date.naming authority:. The type.date.naming authority portion is a fixed prefix. The default prefix is iqn.2002-12.com.brocade.
[Figure: iSCSI initiator A (iqn.2003-11.com.microsoft:win2k-sn-192168101) and iSCSI initiator B (iqn.2003-11.com.) reaching the iSCSI virtual targets (VTs) across an IP network: VT 1 iqn.2002-12.com.brocade:10:00:00:05:1e:aa:bb:cc, VT 2 iqn.2002-12.com.brocade:10:00:00:05:1e:cc:bb:aa, VT 3 iqn.2002-12.com.brocade:10:00:00:05:1e:bb:cc:aa]
[Figure 38 Discovery domain set configuration example: DDSet 1 with discovery domains DD1 and DD2, iSCSI initiators A and B, iSCSI virtual targets VT 1, VT 2 and VT 3, the IP network and the iSCSI gateway service]
Switch-to-iSCSI initiator authentication
iSCSI sessions are authenticated using CHAP (Challenge Handshake Authentication Protocol). The iSCSI gateway service supports the following three strategies for CHAP authentication:
• One-way: Only the iSCSI VT authenticates the session.
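The one-way CHAP exchange just described, as an added Python example that is not the gateway's implementation: the iSCSI VT acts as the authenticator (RFC 1994 MD5-CHAP, which iSCSI negotiates as CHAP_A=5), the initiator answers with MD5(ID || secret || challenge), and the VT compares the answer in constant time and discards the challenge so it cannot be reused. The initiator name, the secret and the sample challenge are constructed values; the message key names follow the iSCSI CHAP login keys (CHAP_A, CHAP_I, CHAP_C, CHAP_N, CHAP_R) and the 0x hex encoding iSCSI uses for binary values.

```python
import hashlib
import hmac
import os
import secrets

CHAP_A_MD5 = 5   # CHAP algorithm number for MD5 (RFC 1994), as negotiated in iSCSI login


def chap_response(identifier, secret, challenge):
    """RFC 1994 MD5-CHAP: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def encode_hex(value):
    """iSCSI text keys carry binary CHAP values as 0x-prefixed hex."""
    return "0x" + value.hex()


def decode_hex(text):
    if not text.lower().startswith("0x"):
        raise ValueError("expected a 0x-prefixed hex value")
    return bytes.fromhex(text[2:])


class VirtualTarget:
    """Authenticator side of one-way CHAP: the iSCSI VT challenges the initiator."""

    def __init__(self, accounts):
        self.accounts = accounts      # initiator IQN -> CHAP secret (bytes)
        self.pending = {}             # session id -> (identifier, challenge)

    def challenge(self, session_id, challenge=None):
        ident = secrets.randbelow(256)
        chal = challenge if challenge is not None else os.urandom(16)
        self.pending[session_id] = (ident, chal)
        return {"CHAP_A": str(CHAP_A_MD5), "CHAP_I": str(ident), "CHAP_C": encode_hex(chal)}

    def verify(self, session_id, reply):
        state = self.pending.pop(session_id, None)   # one challenge, one answer
        if state is None:
            return False
        ident, chal = state
        secret = self.accounts.get(reply.get("CHAP_N"))
        if secret is None:
            return False                              # unknown initiator name
        try:
            response = decode_hex(reply["CHAP_R"])
        except (KeyError, ValueError):
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)


class Initiator:
    """Peer side: proves knowledge of the secret without sending it."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, msg):
        if msg["CHAP_A"] != str(CHAP_A_MD5):
            raise ValueError("unsupported CHAP algorithm")
        r = chap_response(int(msg["CHAP_I"]), self.secret, decode_hex(msg["CHAP_C"]))
        return {"CHAP_N": self.name, "CHAP_R": encode_hex(r)}


def one_way_chap(target, initiator, session_id="sess-1", challenge=None):
    """Run the exchange: VT challenge -> initiator response -> VT verdict."""
    msg = target.challenge(session_id, challenge)
    reply = initiator.respond(msg)
    return target.verify(session_id, reply)


# Constructed sample account (not from the guide).
SAMPLE_ACCOUNTS = {"iqn.2003-11.com.example:host-a": b"constructed-secret-12345"}
```

A wrong secret, an unknown initiator name and a reply for a session that was never challenged all fail the same way, so the VT leaks nothing about which part was wrong; because the challenge is random and consumed on use, a captured CHAP_R cannot be replayed against a later login.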
connection redirection for specific slots, and the all option may be used to disable connection redirection for all slots. The following example disables connection redirection for ports on a blade located in slot 9.
   switch:admin> iscsiswcfg --disableconn -s 9
   The operation completed successfully
Displaying connection redirection status
1. Connect to the switch and log in.
2. Enter the iscsiSwCfg --showconn command with the -s all option to display the current status of connection redirection.
service. Table 74 provides a high-level overview of the commands and links to the sections that detail the procedures. See the Fabric OS Command Reference for detailed information on the commands.
Table 74 iSCSI target gateway configuration steps
Step   Command                                                                                          Procedure
1      Activate iSCSI for the HP StorageWorks B-Series iSCSI Director Blade: fosConfig --enable iscsi   ”Enabling the iSCSI gateway service” on page 309
2      Configure the IP address for GbE ports.
Table 74 iSCSI target gateway configuration steps (continued)
Step   Command                                                                                   Procedure
16     Enable zone configuration: cfgEnable “cfgname”                                             ”Creating and enabling a zoning configuration” on page 328
17     Optional: Enable connection redirection for load balancing: iscsiSwCfg --enableconn -s |   ”Enabling and disabling connection redirection for load balancing” on page 305
18     Optional: Configure iSNS client.
[Figure 39 HP StorageWorks B-Series iSCSI Director Blade ports: GbE ports ge0 through ge7 and FC ports 0 through 7]
Enabling the iSCSI gateway service
The iSCSI gateway service translates and directs SCSI traffic between an iSCSI initiator and an FC target. This procedure explains how to enable the iSCSI gateway service on the HP StorageWorks 4/256 SAN Director.
1.
   iSNS Client service:disabled
Enabling GbE ports
By default, GbE ports are enabled on an HP StorageWorks B-Series iSCSI Director Blade installed in the HP StorageWorks 4/256 SAN Director. However, if you insert the HP StorageWorks B-Series iSCSI Director Blade into a slot that was previously occupied by an FR-18i blade, GbE ports are disabled. Before enabling the physical iSCSI interface, enable the iSCSI gateway service as described in ”Enabling the iSCSI gateway service” on page 309.
   Arp configuration:
   IP Address      Mac Address
   ------------------------------
   Iproute Configuration:
   IP Address      Mask      Gateway      Metric
   ------------------------------------------------------
   switch:admin>
Configuring the GbE interface
NOTE: You can set the TCP/IP parameters of a GbE port even when the iSCSI gateway service is disabled. Address resolution protocol (ARP) entries for the IP interfaces are created automatically when you verify network connectivity using the ping command.
   Reply from 30.0.0.1: bytes=64 rtt=0ms ttl=255
   Reply from 30.0.0.1: bytes=64 rtt=0ms ttl=255
   Reply from 30.0.0.1: bytes=64 rtt=0ms ttl=255
   Reply from 30.0.0.1: bytes=64 rtt=0ms ttl=255
   Ping Statistics for 30.0.0.1:
   Packets: Sent = 4, Received = 4, Loss = 0 ( 0 percent loss)
   Min RTT = 0ms, Max RTT = 0ms Average = 0ms
7. Optional: Enter the portCfg arp command to configure additional ARP entries.
   switch:admin> portcfg arp 3/ge0 add 30.0.30.11 00:0F:1F:69:99:88
   Operation Succeeded
8.
switch:admin> iscsicfg --easycreate tgt
This will create iSCSI targets for ALL FC targets.
This could be a long-running operation.
Continue [N]: y
Index  FC WWN                   iSCSI Name                                        Status
9      2e:1f:00:06:2b:0d:10:ba  iqn.2002-12.com.brocade:2e:1f:00:06:2b:0d:10:ba  Operation Succeeded
10     2e:3f:00:06:2b:0d:10:ba  iqn.2002-12.com.brocade:2e:3f:00:06:2b:0d:10:ba  Operation Succeeded
11     2e:5f:00:06:2b:0d:10:ba  iqn.2002-12.com.brocade:2e:5f:00:06:2b:0d:10:ba  Operation Succeeded
12     2e:7f:00:06:2b:0d:10:ba  iqn.2002-12.
22     2f:bf:00:06:2b:0d:10:ba  iqn.2002-12.com.brocade:2f:bf:00:06:2b:0d:10:ba  Operation Succeeded
23     2f:df:00:06:2b:0d:10:ba  iqn.2002-12.com.brocade:2f:df:00:06:2b:0d:10:ba  Operation Succeeded
24     2f:ff:00:06:2b:0d:12:9a  iqn.2002-12.com.brocade:2f:ff:00:06:2b:0d:12:9a  Operation Succeeded

4. Enter the iscsiCfg --show tgt command to display the status of the created iSCSI VTs. The following is an example:
switch:admin> iscsicfg --show tgt
Number of records found: 16
Name:          iqn.2002-12.com.
State/Status:  Online/Defined
Name:          iqn.2002-12.com.brocade:2f:df:00:06:2b:0d:10:ba
State/Status:  Online/Defined
Name:          iqn.2002-12.com.brocade:2f:ff:00:06:2b:0d:12:9a
State/Status:  Online/Defined

Generating an iSCSI VT for a specific FC target

1. Connect and log in to the switch.
2. Enter the iscsiCfg --easycreate tgt command with the -w option to create an iSCSI VT that contains only the storage attached to the specified WWN. The default value of iqn.2002-12.com.
The following is an example.
switch:admin> iscsicfg --show tgt -t iqn.2002-12.com.brocade:example-disk001 -v
Number of records found: 1
Name:          iqn.2002-10.com.brocade.example:disk001
State/Status:  Offline/Defined
Auth. Method:  None

4. Enter the fcLunQuery command to display a list of connected FC targets and show the LUN configurations. The following is an example.
-l Maps the physical FC LUNs to virtual iSCSI LUNs; specified as a pair in the form virtual_LUN:physical_LUN.
The following is an example:
switch:admin> iscsicfg --add lun -t iqn.2002-12.com.brocade:example-disk001 \
   -w 21:00:00:04:cf:e7:73:7e -l 0:0
The operation completed successfully.

6. Enter the iscsiCfg --show lun command with the -t option to verify that the LUN has been added to the iSCSI VT, where -t is the IQN that identifies the iSCSI VT. The following is an example.
Deleting LUNs from an iSCSI VT

You can delete individual LUNs, a list or range of LUNs, or all LUNs associated with an iSCSI VT.
1. Connect to the switch and log in.
2. Enter the iscsiCfg --delete lun command with the -t, -w, and -l options to delete LUNs, where:
-t Specifies the IQN name for the iSCSI VT in the format iqn.2002-12.com.brocade:user_defined_name, where user_defined_name may be any unique string up to 12 alphanumeric characters long.
Number of records found: 2
Name:          iqn.2006-10.com.example-disk001
State/Status:  Online/Defined
Auth. Method:  None
Name:          iqn.2002-10.com.brocade:21:00:00:04:cf:e7:74:cf
State/Status:  Online/Defined
Auth. Method:  None

Discovery domain and domain set configuration

Discovery domains (DDs) and discovery domain sets can be used to configure access control between iSCSI initiators and iSCSI VTs manually. A DD controls iSCSI initiator access to iSCSI VTs.
Name:          dd-host001
Status:        Defined
Num. Members:  2
   iqn.1991-05.com.microsoft:host001.brocade.com
   iqn.2006-10.com.example:disk001

Creating and enabling a discovery domain set

1. Connect and log in to the switch.
2. Enter the iscsiCfg --create ddset command with the -n and -d options to create a new DDSet:
switch:admin> iscsicfg --create ddset -n ddset-engineering -d dd-host001
The operation completed successfully.
3. Enter the iscsiCfg --show ddset command with the -v option to verify that the DDSet was created.
4. To verify that CHAP is enabled for the iSCSI VT, enter the iscsiCfg --show tgt command with the -t and -v options:
switch:admin> iscsicfg --show tgt -t iqn.2006-10.com.brocade:example-disk001 -v
Number of records found: 1
Name:          iqn.2006-10.com.brocade:example-disk001
State/Status:  Online/Defined
Auth. Method:  CHAP

Binding user names to an iSCSI VT

For additional security, you can bind specific user names to an iSCSI VT.
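The iscsiCfg --show tgt -v listing is where you confirm that no VT has been left with Auth. Method: None, which is the state a VT is in after iscsicfg --easycreate until CHAP is configured. The following added example (not Fabric OS code and not part of this guide) parses a captured copy of that listing offline and reports the VTs that still accept unauthenticated logins. The sample capture is constructed for the example; the field names follow the listing format shown above, and the record count in the header is checked so that a truncated capture is rejected rather than audited.

```python
"""Audit a captured `iscsicfg --show tgt -v` listing for iSCSI virtual
targets (VTs) that accept initiator logins without CHAP.

Added example, not Fabric OS code. SAMPLE_OUTPUT is constructed in the
record layout the guide shows (Name, State/Status, Auth. Method).
"""
import re
from typing import Dict, List

# Constructed sample capture: one CHAP-protected VT, one online VT with no
# authentication, one offline VT with no authentication.
SAMPLE_OUTPUT = """\
Number of records found: 3
Name:           iqn.2006-10.com.brocade:example-disk001
State/Status:   Online/Defined
Auth. Method:   CHAP
Name:           iqn.2002-10.com.brocade:21:00:00:04:cf:e7:74:cf
State/Status:   Online/Defined
Auth. Method:   None
Name:           iqn.2006-10.com.example:disk002
State/Status:   Offline/Defined
Auth. Method:   None
"""

COUNT_RE = re.compile(r"^\s*Number of records found:\s*(\d+)\s*$")
FIELD_RE = re.compile(r"^\s*(Name|State/Status|Auth\. Method):\s*(.*?)\s*$")


def parse_targets(text: str) -> List[Dict[str, str]]:
    """Return one dict per VT with keys name, state, status, auth.

    A record starts at each 'Name:' line; the field lines that follow attach
    to it. If the header count does not match the number of records parsed,
    the capture is treated as truncated and rejected.
    """
    expected = None
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = COUNT_RE.match(line)
        if m:
            expected = int(m.group(1))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Name":
            records.append({"name": value, "state": "", "status": "", "auth": "None"})
        elif records and key == "State/Status":
            state, _, status = value.partition("/")
            records[-1]["state"], records[-1]["status"] = state, status
        elif records:
            records[-1]["auth"] = value
    if expected is not None and expected != len(records):
        raise ValueError(f"expected {expected} records, parsed {len(records)}")
    return records


def unauthenticated_targets(text: str, online_only: bool = False) -> List[str]:
    """IQNs whose Auth. Method is not CHAP. With online_only, report only the
    VTs an initiator on the IP network could log in to right now."""
    return [
        r["name"]
        for r in parse_targets(text)
        if r["auth"].upper() != "CHAP" and (not online_only or r["state"] == "Online")
    ]


if __name__ == "__main__":
    for iqn in unauthenticated_targets(SAMPLE_OUTPUT, online_only=True):
        print(f"online VT without CHAP: {iqn}")
```

Run it against the output of iscsicfg --show tgt -v saved from an SSH session; an offline VT without CHAP is worth fixing too, since it becomes reachable as soon as its FC target comes online.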
Committing the iSCSI-related configuration

After you have defined iSCSI-related configuration parameters, including iSCSI VTs, discovery domains, discovery domain sets, and CHAP authentication, you must save them through a commit process. Each set of changes, additions, and deletions is called a "transaction." Review the current transaction before committing the changes; once the changes are committed, they are enforced fabric-wide.
Num. members: 1
4. Enter the iscsiCfg --commit all command with the -f option on the switch that has the database you want to use fabric-wide:
switch:admin> iscsicfg --commit all -f
This will commit ALL database changes made to all iSCSI switches in fabric.
This could be a long-running operation.
Continue (yes, y, no, n) [n]: y
The operation completed successfully.
5.
[Figure 40 iSCSI gateway service. The diagram shows iSCSI initiators A and B on the IP network, discovery domains DD1 and DD2, iSCSI virtual targets VT 1, VT 2 and VT 3 with their LUNs, the iSCSI GbE portal group with its IP portals and iSCSI virtual initiators, the iSCSI gateway service, FC Targets 1 through 4 and the iSCSI zone on the FC side; drawing residue omitted.]
iSCSI FC zone creation To create an iSCSI FC zone, you must include the following iSCSI elements in the zone: • The FC targets, used to create the virtual targets (VT). • The iSCSI virtual initiators (VIs): • If there is more than one HP StorageWorks B-Series iSCSI Director Blade in the chassis, you must add all virtual initiators to the same zone. • If there is more than one HP StorageWorks B-Series iSCSI Director Blade in the fabric, you must add all virtual initiators from all switches to the same zone.
3. Write down or copy and paste the FC WWN information for each LUN, which you will need during the zone creation process. 4.
    PortSymb: [23] "iSCSI Virtual Initiator"
    NodeSymb: [51] "IPAddr: 30.0.127.33 Slot/Port: 3/ge3 Logical pn: 43"
    Fabric Port Name: 00:00:00:00:00:00:00:00
    Permanent Port Name: 50:06:06:9e:00:15:63:18
    Port Index: 43
    Share Area: No
    Device Shared in Other AD: No
 N    012c00;    3;50:06:06:9e:00:15:63:20;50:06:06:9e:00:15:63:21; na
    FC4s: FCP
    PortSymb: [23] "iSCSI Virtual Initiator"
    NodeSymb: [51] "IPAddr: 30.0.127.
7. Enter the cfgSave command to save the change to the defined configuration: switch:admin> cfgsave You are about to save the Defined zoning configuration. This action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled. Do you want to save Defined zoning configuration only? (yes, y, no, n): [no] y 8. Enter the zoneCreate command to create the zone.
switch:admin> cfgenable iscsi_cfg001
You are about to enable a new zoning configuration.
This action will replace the old zoning configuration with the
current configuration selected.
Do you want to enable 'iscsi_cfg001' configuration (yes, y, no, n): [no] y
zone config "iscsi_cfg001" is in effect
Updating flash ...
switch:admin>

iSNS client service configuration

The internet storage name service (iSNS) server facilitates the automatic discovery and manages access control of iSCSI VTs on a TCP/IP network.
NOTE: If DD and DDSets are configured on the fabric, clear the DD and DDSet configurations before enabling iSNS client services.
1. Connect to the switch and log in.
2. Enter the fosConfig --enable isnsc command to enable the iSNS client service:
switch:admin> fosconfig --enable isnsc
3. Enter the fosConfig --show command to verify that the service is enabled:
switch:admin> fosconfig --show
FC Routing service:   disabled
iSCSI service:        enabled
iSNS Client service:  enabled
4.
Disabling the iSNS client service When the iSNS client service is disabled, the DD and DDSets are kept in the fabric. 1. Connect and log in to the switch. 2. Enter the fosConfig --disable isnsc command to disable the iSNS client service: switch:admin> fosconfig --disable isnsc 3.
15 Administering NPIV NPIV overview N_Port ID Virtualization (NPIV) enables a single Fibre Channel protocol port to appear as multiple, distinct ports, providing separate port identification within the fabric for each operating system image behind the port (as if each operating system image had its own unique physical port). NPIV assigns a different virtual port ID to each Fibre Channel protocol device.
NOTE: If the NPIV feature is disabled, the port is toggled if NPIV devices are logged in from that F_Port (a true NPIV port). Otherwise the firmware considers that port as an F_Port even though the NPIV feature was enabled. Configuring NPIV To specify the number of virtual N_Port_IDs per port or per switch, use the configure command with either of the following parameters: • switch.login.perPortMax Use this parameter to set the number of virtual N_Port_IDs per port to a value between 0 and 255.
Configuration scenarios The actual number of virtual N_Port_IDs accepted per port and per switch is determined by the limits you set, and also by the limit that is reached first. For example, if you have set switch.login.perPortMax to 25, and switch.login.perSwitchMax to 100, the first 4 ports will accept up to 25 virtual N_Port_IDs each. However, the fifth port will reject any more virtual N_Port_IDs because the switch.login.perSwitchMax parameter (100) has been reached. If you set switch.login.
Type  PID     World Wide Name          credit  df_sz  cos
=========================================================
 fe   630240  c0:50:76:ff:fb:00:16:fc  101     2048   c
 fe   63023f  c0:50:76:ff:fb:00:16:f8  101     2048   c
 fe   63023e  c0:50:76:ff:fb:00:17:ec  101     2048   c
...
16 Optimizing fabric behavior Adaptive Networking overview Adaptive Networking is a suite of tools and capabilities that enable you to ensure optimized behavior in the SAN. Even under the worst congestion conditions, the Adaptive Networking features can maximize the fabric behavior and provide necessary bandwidth for high-priority, mission-critical applications and connections.
[Figure 42 Traffic Isolation zone creating a dedicated path through the fabric. The diagram shows Domains 1, 3 and 4 with the dedicated path and the ports in the TI zone marked; drawing residue omitted.]

In Figure 42, all traffic entering Domain 1 from N_Ports 7 and 8 is routed through E_Port 1. Similarly, traffic entering Domain 3 from E_Port 9 is routed to E_Port 12, and traffic entering Domain 4 from E_Port 7 is routed to the devices through N_Ports 5 and 6.
• If failover is enabled for the TI zone, non-TI zone traffic is routed from Domain 1 to Domain 3 through the dedicated ISL. • If failover is disabled for the TI zone, non-TI zone traffic is halted until the non-dedicated ISL between Domain 1 and Domain 3 is back online. Additional considerations when disabling failover If failover is disabled, be aware of the following considerations: • This feature is intended for use in simple linear fabric configurations, such as that shown in Figure 42 on page 340.
• If failover is disabled, non-TI zone traffic is blocked because it cannot use the dedicated ISL, which is the lowest cost path. For example, in Figure 44, there is a dedicated path between Domain 1 and Domain 3, and another, non-dedicated, path that passes through Domain 2. If failover is enabled, all traffic will use the dedicated path, because the non-dedicated path is not the shortest path.
• Set up a TI zone in an edge fabric to guarantee that traffic from a specific device in that edge fabric is routed through a particular EX_Port or VEX_Port. • Set up a TI zone in the backbone fabric to guarantee that traffic between two devices in different fabrics is routed through a particular ISL (VE_Ports or E_Ports) in the backbone.
[Figure 47 TI zone in an edge fabric. The diagram shows Host 1 and Host 2 on Domain 1, E_Ports to the front domain (Domain 3), EX_Ports designated -1, and the xlate domain (Domain 4) leading to the proxy target, with the dedicated path and the ports in the TI zone marked; drawing residue omitted.]

In the TI zone, when you designate E_Ports between the front and xlate phantom switches, you must use -1 in place of the "I" in the D,I notation. Both the front and xlate domains must be included in the TI zone.
[Figure 48 TI zone in a backbone fabric. The diagram shows a host in Edge fabric 1, Targets 1, 2 and 3 in Edge fabrics 2 and 3, and FC router 1 and FC router 2 connected through VE_Ports in the backbone fabric, with the dedicated path and the ports in the TI zone marked; drawing residue omitted.]

TI zones within the backbone fabric use the port WWN instead of D,I notation for devices that are to communicate across fabrics. (You can use the portShow command to obtain the port WWN.
General rules for TI zones Note the following general rules for TI zones: • A TI zone must include E_Ports and N_Ports that form a complete, end-to-end route from initiator to target. • A given port (N_Port or E_Port) used in a TI zone should not be a member of more than one TI zone. If multiple E_Ports are configured on the lowest cost route to a domain, the various source ports for that zone are load-balanced across the specified E_Ports.
• HP StorageWorks DC SAN Backbone Directors.
• Ports in a TI zone must belong to switches that run Fabric OS 6.0.0 or later. For TI over FCR zones, ports must belong to switches that run Fabric OS 6.1.0 or later.
• Use care if defining TI zones with ports that are shared across Admin Domains because of the limitation that a given port can appear in only one TI zone. Best practice: Do not use ports that are shared across Admin Domains in a TI zone. Virtual Fabric considerations for Traffic Isolation Routing This section describes how TI zones work with Virtual Fabrics.
You must also create and activate a TI zone in the base fabric to reserve the XISLs for the dedicated path. In Figure 50, the XISLs highlighted (by a dotted line) in the base fabric can be reserved for FID1 by defining and activating a base fabric TI zone that consists of ports 10, 12, 14, and 16. You must also include ports 3 and 8, because they belong to Logical Switches participating in the Logical Fabric. For the TI zone, it is as though ports 3 and 8 belong to Domains 1 and 2 respectively.
[Figure 53 Example configuration for TI zones over FC routers in Logical Fabrics. The diagram shows Logical Switches LS2 (FID3, Domain 6) and LS3 (FID1, Domain 3) on base switches Domain 1 and Domain 2, with F_, E_ and EX_Ports numbered 1 through 16; the dedicated path and the ports in the TI zones are marked; drawing residue omitted.]

Figure 54 shows a logical representation of the configuration in Figure 53.
When you create a TI zone, you can enable or disable failover mode. By default, failover mode is enabled. If you want to change the failover mode after you create the zone, see ”Modifying TI zones” on page 353. If you are creating a TI zone with failover disabled, note the following: • Ensure that the E_Ports of the TI zone correspond to valid paths; otherwise, the route might be missing for ports in that TI zone. You can use the topologyShow command to verify the paths.
To create a TI zone and set the state to deactivated (failover is enabled by default):
switch:admin> zone --create -t ti -o d bluezone -p "1,1; 2,4; 1,8; 2,6"
To create a TI zone with failover disabled and the state set to deactivated:
switch:admin> zone --create -t ti -o dn bluezone -p "1,1; 2,4; 1,8; 2,6"
To create a TI zone in the edge fabric with failover enabled and the state set to activated (default settings):
switch:admin> zone --create -t ti bluezone -p "1,1; 1,8; 2,-1; 3,-1"
To create a TI zone in
4. Enter the cfgEnable command to reactivate your current effective configuration and enforce the TI zones.
To add port members to the existing TI zone in a backbone fabric:
switch:admin> zone --add backbonezone -p "3,4; 3,6; 10:00:00:04:1f:03:16:f2;"
To disable failover on the existing TI zone bluezone:
switch:admin> zone --add -o n bluezone
To enable failover and add ports to TI zone greenzone:
switch:admin> zone --add -o f greenzone -p "3,4"
To remove ports from the TI zone bluezone:
switch:admin> zone --remove bluezone -p "3,4; 3,6"
IMPORTANT: Your changes are not enforced until you enter the cfgEnable comm
2. Enter the zone --delete command. zone --delete name where: The name of the zone to be deleted. name You can delete multiple zones by separating the zone names with a semicolon and enclosing them in quotation marks. 3. Enter the cfgEnable command to reactivate your current effective configuration and enforce the TI zones.
To display information about all TI zones in the defined configuration:
switch:admin> zone --show
Defined TI zone configuration:

TI Zone Name:      greenzone:
Port List:         2,2; 3,3; 5,3; 4,11;
Configured Status: Activated / Failover-Enabled
Enabled Status:    Activated / Failover-Enabled

TI Zone Name:      purplezone:
Port List:         1,2; 1,3; 3,3; 4,5;
Configured Status: Activated / Failover-Enabled
Enabled Status:    Deactivated / Failover-Enabled

TI Zone Name:      bluezone:
Port List:         9,2; 9,3; 8,3; 8,5;
Configured Status: D
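The zone --show listing is the starting point for a fabric-wide review of TI zones. The following added example (not Fabric OS code and not part of this guide) parses a captured copy of that listing offline and checks it against three points made in this chapter: a port should be a member of only one TI zone, a zone whose Enabled Status differs from its Configured Status has changes that are not in force until cfgEnable is run, and a zone with failover disabled needs its E_Port paths verified with topologyShow. The sample listing is constructed in the layout shown above and deliberately puts port 3,3 in two zones, as the example output above also does. It reads only the two-line Configured/Enabled status layout, not the single-line Status/Failover layout some other listings use.

```python
"""Check a captured `zone --show` TI zone listing against the rules in
this chapter. Added example, not Fabric OS code; SAMPLE_ZONE_SHOW is
constructed in the listing layout shown in the guide.
"""
import re
from collections import defaultdict
from typing import Any, Dict, List

SAMPLE_ZONE_SHOW = """\
Defined TI zone configuration:

TI Zone Name:      greenzone:
Port List:         2,2; 3,3; 5,3; 4,11;
Configured Status: Activated / Failover-Enabled
Enabled Status:    Activated / Failover-Enabled

TI Zone Name:      purplezone:
Port List:         1,2; 1,3; 3,3; 4,5;
Configured Status: Activated / Failover-Enabled
Enabled Status:    Deactivated / Failover-Enabled

TI Zone Name:      bluezone:
Port List:         9,2; 9,3; 8,3; 8,5;
Configured Status: Deactivated / Failover-Disabled
Enabled Status:    Deactivated / Failover-Disabled
"""

# The zone name is printed with a trailing colon in this layout; accept both.
NAME_RE = re.compile(r"^\s*TI Zone Name:\s*(\S+?):?\s*$")
PORTS_RE = re.compile(r"^\s*Port List:\s*(.*)$")
STATUS_RE = re.compile(r"^\s*(Configured|Enabled) Status:\s*(\S+)\s*/\s*(\S+)\s*$")

Zone = Dict[str, Any]


def parse_ti_zones(text: str) -> List[Zone]:
    """One dict per TI zone: name, ports (D,I or WWN strings as written),
    and (activation, failover) tuples under 'configured' and 'enabled'."""
    zones: List[Zone] = []
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            zones.append({"name": m.group(1), "ports": []})
            continue
        if not zones:
            continue  # header lines before the first zone
        m = PORTS_RE.match(line)
        if m:
            # Members are ';'-separated; the trailing ';' leaves an empty field.
            zones[-1]["ports"] = [p.strip() for p in m.group(1).split(";") if p.strip()]
            continue
        m = STATUS_RE.match(line)
        if m:
            zones[-1][m.group(1).lower()] = (m.group(2), m.group(3))
    return zones


def ports_in_multiple_zones(zones: List[Zone]) -> Dict[str, List[str]]:
    """Ports that break the one-TI-zone-per-port rule, mapped to their zones."""
    owners: Dict[str, List[str]] = defaultdict(list)
    for z in zones:
        for p in z["ports"]:
            owners[p].append(z["name"])
    return {p: names for p, names in owners.items() if len(names) > 1}


def zones_pending_cfgenable(zones: List[Zone]) -> List[str]:
    """Zones whose defined state differs from what the fabric enforces."""
    return [z["name"] for z in zones if z.get("configured") != z.get("enabled")]


def zones_without_failover(zones: List[Zone]) -> List[str]:
    """Zones configured with failover disabled; verify their paths exist."""
    return [z["name"] for z in zones
            if str(z.get("configured", ("", ""))[1]).lower() == "failover-disabled"]


if __name__ == "__main__":
    zones = parse_ti_zones(SAMPLE_ZONE_SHOW)
    for port, names in ports_in_multiple_zones(zones).items():
        print(f"port {port} is in more than one TI zone: {', '.join(names)}")
    print("not yet enforced (run cfgEnable):", zones_pending_cfgenable(zones))
    print("failover disabled, verify paths:", zones_without_failover(zones))
```

A port reported by ports_in_multiple_zones is the case the general rules above warn about; a zone reported by zones_pending_cfgenable means the listing and the fabric disagree, which is what you would expect right after zone --add or zone --remove and before cfgEnable.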
NOTE: In the following procedure the three TI zones in the edge and backbone fabrics are all given the same name, TI_Zone1. It is not required that the TI zones have the same name; this is done to avoid confusion. If several dedicated paths are set up across the FC router, the TI zones for each path can have the same name. 1. In each edge fabric, set up an LSAN zone that includes Host 1, Target 1, and Target 2, so these devices can communicate with each other.
3. Log in to edge fabric 2 and set up the TI zone.
a. Enter the fabricShow command to display the switches in the fabric. From the output, you can determine the front and translate domains.
E2switch:admin> fabricshow
Switch ID   Worldwide Name           Enet IP Addr   FC IP Addr   Name
-------------------------------------------------------------------------
 1: fffc01  50:00:51:e3:95:36:7e:09  0.0.0.0        0.0.0.0      "fcr_fd_1"
 4: fffc04  50:00:51:e3:95:48:9f:a1  0.0.0.0        0.0.0.0      "fcr_xd_6_9"
 9: fffc09  10:00:00:05:1e:40:f0:7d  10.32.72.
4. Log in to the backbone fabric and set up the TI zone.
a. Enter the following commands to create and display a TI zone:
BB_DCX_1:admin> zone --create -t ti TI_Zone1 -p "1,9; 1,1; 2,4; 2,7; 10:00:00:00:00:08:00:00; 10:00:00:00:00:02:00:00; 10:00:00:00:00:03:00:00"
BB_DCX_1:admin> zone --show
Defined TI zone configuration:
TI Zone Name:  TI_Zone1
Port List:     1,9; 1,1; 2,4; 2,7; 10:00:00:00:00:08:00:00; 10:00:00:00:00:02:00:00; 10:00:00:00:00:03:00:00
Status:        Activated
Failover:      Enabled
b.
NOTE: Ingress rate limiting is applicable only to F_Ports and FL_Ports and is available only on the following platforms: • HP StorageWorks 8/8 and 8/24 SAN Switches • HP StorageWorks 8/40 SAN Switch • HP StorageWorks 8/80 SAN Switch • HP StorageWorks DC SAN Backbone Director • HP StorageWorks DC04 SAN Director Switch. Virtual Fabrics considerations: If Virtual Fabrics is enabled, the rate limit configuration on a port is on a per-Logical-Switch basis.
Disabling ingress rate limiting 1. Connect to the switch and log in as admin. 2. Enter the portCfgQos --resetratelimit command. portcfgqos --resetratelimit slot/port where: slot/port The slot and port number of the F_Port or FL_Port for which you want to disable ingress rate limiting.
The switch automatically sets the priority for the host,target pairs specified in the zones based on the priority level in the zone name. NOTE: QoS can be used for device pairs that exist within the same fabric only. QoS priority information is not passed over EX_ or VEX_Ports and should not be used for devices in separate fabrics. If a QoS zone name prefix is specified in an LSAN zone (a zone beginning with prefix LSAN_), the QoS tag is ignored. Only the first prefix in a zone name is recognized.
[Figure 57 QoS with E_Ports enabled. The diagram shows hosts H1 and H2 on Domain 1, targets S1, S2 and S3 on Domains 3 and 4, and Domain 2, with low-, medium- and high-priority flows and the E_Ports with QoS enabled marked; drawing residue omitted.]

You need to enable QoS on the E_Ports on both ISLs between Domain 3 and Domain 4 because either path might be selected to carry the traffic.
[Figure 58 Traffic prioritization in a Logical Fabric. The diagram shows host H1 and target S1 in Logical Switches LS1 (FID1, Domain 5), LS2 (FID3, Domain 6), LS3 (FID1, Domain 7) and LS4 (FID3, Domain 8) across Chassis 1 and Chassis 2, with base switches Domain 9 and Domain 10; the high-priority flow and the E_Ports with QoS enabled are marked; drawing residue omitted.]

Supported configurations for traffic prioritization

Note the following configuration rules for traffic prioritization:
• All switches in the fabric must be running Fabric OS
Limitations and restrictions for traffic prioritization Note the following configuration rules for traffic prioritization: • If a host and target are included in two or more QoS zones with different priorities, the zone with the lowest priority takes precedence. For example, if an effective zone configuration has QOSH_z1 (H,T) and QOSL_z2 (H,T), the traffic flow between H and T will be of low QoS priority.
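The prefix and precedence rules above are easy to get wrong when zone names mix QOS and LSAN prefixes. The following added example (not Fabric OS code and not part of this guide) resolves the priority a switch would apply to each host/target pair from the zone names of an effective configuration. It assumes case-insensitive prefix matching and that a pair in no QoS zone gets the default priority, taken here to be medium; neither assumption is stated on this page. Zone members are labelled H and T1 through T4 for readability; in a real configuration they are port WWNs.

```python
"""Resolve the QoS priority applied to each host/target pair from the zone
names of an effective configuration, following the rules in this section:
the QOSH_/QOSM_/QOSL_ prefix sets the priority, only the first prefix counts
(QOSH_LSAN_x is a QoS zone, LSAN_QOSH_x is an LSAN zone whose QoS tag is
ignored), and when a pair is in several QoS zones the lowest priority wins.

Added example, not Fabric OS code. Assumptions: prefix matching is
case-insensitive, and a pair in no QoS zone gets DEFAULT_PRIORITY.
"""
import itertools
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

PREFIX_PRIORITY = {"QOSH_": "high", "QOSM_": "medium", "QOSL_": "low"}
RANK = {"low": 0, "medium": 1, "high": 2}
DEFAULT_PRIORITY = "medium"  # assumption, see module docstring

# Constructed effective configuration: members are labels standing in for WWNs.
SAMPLE_EFFECTIVE_CFG: Dict[str, List[str]] = {
    "QOSH_z1": ["H", "T1"],        # high ...
    "QOSL_z2": ["H", "T1"],        # ... and low for the same pair: low wins
    "LSAN_QOSH_z3": ["H", "T2"],   # LSAN zone: the QOSH tag is ignored
    "QOSH_LSAN_z4": ["H", "T3"],   # QoS zone: first prefix is QOSH_
    "backup_z5": ["H", "T4"],      # ordinary zone, no QoS tag
}


def zone_priority(zone_name: str) -> Optional[str]:
    """Priority encoded by a zone name, or None when the zone carries no
    effective QoS tag."""
    upper = zone_name.upper()
    if upper.startswith("LSAN_"):
        return None
    for prefix, prio in PREFIX_PRIORITY.items():
        if upper.startswith(prefix):
            return prio
    return None


def effective_priorities(zones: Dict[str, List[str]]) -> Dict[Tuple[str, str], str]:
    """Map every member pair found in the configuration to the priority the
    fabric will apply to traffic between them."""
    votes: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    pairs = set()
    for name, members in zones.items():
        prio = zone_priority(name)
        for pair in itertools.combinations(sorted(set(members)), 2):
            pairs.add(pair)
            if prio is not None:
                votes[pair].append(prio)
    return {
        pair: min(votes[pair], key=RANK.__getitem__) if pair in votes else DEFAULT_PRIORITY
        for pair in sorted(pairs)
    }


if __name__ == "__main__":
    for (a, b), prio in effective_priorities(SAMPLE_EFFECTIVE_CFG).items():
        print(f"{a} <-> {b}: {prio}")
```

The pair H/T1 comes out low even though it is also in a QOSH_ zone, which is the precedence rule stated above; renaming or removing QOSL_z2 is the only way to raise it.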
6. Enter the portCfgQos command to enable QoS on the E_Ports, using the following syntax:
portcfgqos --enable [slot/]port
where:
slot/port The slot and port number of the E_Port on which you want to enable QoS. The slot number is required for the HP StorageWorks 4/256 SAN Director and HP StorageWorks DC SAN Backbone Director platforms.
17 Using the FC-FC routing service FC-FC routing service overview The FC-FC routing service provides Fibre Channel routing (FCR) between two or more fabrics without merging those fabrics. A Fibre Channel router (FC router) is a switch running the FC-FC routing service. The FC-FC routing service can be simultaneously used as an FC router and as a SAN extension over wide area networks (WANs) using FCIP.
• FC router connected to a B-Series secured edge fabric • FC router connected to a McDATA Open Mode 1 edge fabric • FC router connected to a McDATA Fabric Mode edge fabric • FC router connected to B-Series secured and nonsecured fabrics with EX_Port trunking enabled • FC router interoperating with older FC routers (XPath 7.4.x and Fabric OS 5.1) McDATA Enterprise OS switches cannot exist in the backbone fabric.
Figure 59 shows a metaSAN consisting of three edge fabrics connected through an HP StorageWorks DC SAN Backbone Director with interfabric links.

[Figure 59 A metaSAN with interfabric links. The diagram shows Edge fabrics 1, 2 and 3, each with a Fibre Channel switch, a host and targets, connected by IFLs (one of them long distance) from E_Ports to the EX_Ports of the FC router; drawing residue omitted.]

• Logical SANs (LSANs)
An LSAN is defined by zones in two or more edge or backbone fabrics that contain the same devices.
[Figure 60 A metaSAN with edge-to-edge and backbone fabrics and LSAN zones. The diagram shows Edge fabrics 1, 2 and 3 connected to the FC router in the backbone fabric by IFLs from E_Ports to EX_Ports, a VE_Port and VEX_Port across an IP cloud, and two LSANs; drawing residue omitted.]

• Proxy device
A proxy device is a virtual device imported into a fabric by a Fibre Channel router, to represent a real device on another fabric. It has a name server entry and is assigned a valid port ID.
A simple metaSAN can be constructed using an FC router to connect two or more separate fabrics. Additional FC routers can be used to increase the available bandwidth between fabrics and to provide redundancy. Figure 61 shows a metaSAN consisting of a host in Edge SAN 1 connected to storage in Edge SAN 2 through a backbone fabric connecting two FC routers.
[Figure 62 MetaSAN with imported devices. The diagram shows a host in Fabric 1 and a target in Fabric 2, each imported into the other fabric as a proxy device, with IFLs from the E_Ports of each fabric to the EX_Ports of a Brocade 7500; drawing residue omitted.]

Routing types

The FC-FC routing service provides two types of routing:
• Edge-to-Edge
Occurs when devices in one edge fabric communicate with devices in another edge fabric through one or more FC routers.
• Backbone-to-Edge
Occurs when FC routers connect to a common fabric—known as a backbone fabric—through E_Ports.
connected from that router to the edge fabric. Another FC router connected to the same edge fabric projects a different front phantom domain. The second level of phantom domains is known as a translate phantom domain, also referred to as translate domain or xlate domain. The translate phantom domain is a router virtual domain that represents an entire fabric.
[Figure 64 EX_Port phantom switch topology. The diagram shows Host 1 in Fabric 1, front domain 1 (FC router 1) and front domain 2 (FC router 2), xlate domain 1 (Fabric 2) and xlate domain 2 (Fabric 3), and the proxy targets Target 1', Target 2' and Target 3'; drawing residue omitted.]

All EX_Ports or VEX_Ports connected to an edge fabric use the same xlate domain ID number for an imported edge fabric; this value persists across switch reboots and fabric reconfigurations.
translation (FC-NAT). Using FC-NAT, the proxy devices in a fabric can have different PIDs than the real devices that they represent, allowing the proxy devices to have appropriate PIDs for the address space of their corresponding fabric. Setting up the FC–FC routing service To set up the FC–FC Routing Service, perform the following tasks in the order listed: • Verify that you have the proper setup for FC–FC routing. (See ”Verifying the setup for FC–FC routing”.) • Assign backbone FIDs.
• If you are not configuring an HP StorageWorks 4/256 SAN Director, HP StorageWorks DC SAN Backbone Director, or HP StorageWorks DC04 SAN Director Switch platform, skip to step 5.
5. Enter the interopMode command and verify that Fabric OS switch interoperability with switches from other manufacturers is disabled.
IMPORTANT: In a multi-switch backbone fabric, modification of FID within the backbone fabric will cause disruption to local traffic. Assigning backbone FIDs 1. Log in to the switch or director. 2. Enter the switchDisable command. 3. Enter the fosConfig --disable fcr command to disable the FC-FC Routing Service. See the Fabric OS Command Reference or the CLI man pages for more information about the fosConfig command. The default state for the FCR is disabled. 4.
NOTE: To ensure that fabrics remain isolated, disable the port prior to inserting the cable. If you are configuring an EX_Port, disable the port prior to making the connection. Configuring an IFL for both edge and backbone connections 1. On the FC router, disable the port that you are configuring as an EX_Port (the one connected to the Fabric OS switch) by issuing the portDisable command.
3. Determine whether to set up FC Router port cost operations, ISL trunking, or EX_Port trunking. For information about FC Router port cost operations, see "FC Router port cost configuration" on page 383; for information on trunking setup, see "Configuring EX_Port frame trunking" on page 385.
4. Enter the portEnable command to enable the ports that you disabled in step 1.
Port 7/10 info
Admin:                       enabled
State:                       NOT OK
Pid format:                  Not Applicable
Operate mode:                Brocade Native
Edge Fabric ID:              30
Preferred Domain ID:         160
Front WWN:                   50:06:06:9e:20:38:6e:1e
Fabric Parameters:           Auto Negotiate
R_A_TOV:                     Not Applicable
E_D_TOV:                     Not Applicable
Authentication Type:         None
DH Group:                    N/A
Hash Algorithm:              N/A
Edge fabric's primary wwn:   N/A
Edge fabric's version stamp: N/A
switch:admin_06> portshow 7/10
portName:
portHealth: OFFLINE
Authentication: None
EX_Port Mode: Enabled
Fabric ID: 30
Front Ph
LE domain: 0
FC Fastwrite: ON
Interrupts:     0    Link_failure:  0    Frjt:  0
Unknown:        0    Loss_of_sync:  0    Fbsy:  0
Lli:            0    Loss_of_sig:   2
Proc_rqrd:      0    Protocol_err:  0
Timed_out:      0    Invalid_word:  0
Rx_flushed:     0    Invalid_crc:   0
Tx_unavail:     0    Delim_err:     0
Free_buffer:    0    Address_err:   0
Overrun:        0    Lr_in:         0
Suspended:      0    Lr_out:        0
Parity_err:     0    Ols_in:        0
2_parity_err:   0    Ols_out:       0
CMI_bus_err:    0

Port part of other ADs: No
8.
FC Router port cost configuration The router port cost is set automatically. This section provides information about the router port cost and describes how you can modify the cost for a port if you want to change the default value. FC routers optimize the usage of the router port links by directing traffic to the link with the smallest router port cost. The FC router port cost is similar to the link cost setting available on E_Ports, which allows you to customize traffic flow.
Upgrade, downgrade, and HA considerations for router port cost For HA, the router port cost is synchronized to the standby CP. Legacy routers in the backbone fabric program all the router ports without considering router port cost. Fabric OS 5.2.0 or later considers legacy router port cost as 1000 for both EX or VEX_Ports. Setting router port cost for an EX_Port The router port cost value for an EX_Port is set automatically when the EX_Port is created. However, you can modify the cost for that port.
The FC router front domain has a higher node WWN—derived from the FC router—than that of the edge fabric. Therefore, the FC router front domain initiates the trunking protocol on the EX_Port. After initiation, the first port from the trunk group that comes online is designated as the master port. The other ports that come online on the trunk group are considered the slave ports. Adding or removing a slave port does not cause frame drop.
Displaying EX_Port trunking information 1. Log in as an admin and connect to the switch. 2. Enter the switchShow command to display trunking information for the EX_Ports.
To enable device sharing across multiple fabrics, you must create LSAN zones on the edge fabrics (and, as an option on the backbone fabric as well), using normal zoning operations to create zones with names that begin with the prefix LSAN_, and adding host and target port WWNs from both local and remote fabrics to each local zone as desired.
4. Enter the zoneAdd command to add Target A to the LSAN. FID75Domain5:admin> zoneadd "lsan_zone_fabric75", "50:05:07:61:00:5b:62:ed" 5. Enter the cfgAdd or cfgCreate and cfgEnable commands to add and enable the LSAN configuration. switch:admin> cfgadd "zone_cfg", "lsan_zone_fabric75" switch:admin> cfgenable "zone_cfg" You are about to enable a new zoning configuration. This action will replace the old zoning configuration with the current configuration selected.
12. Enter the following commands to display information about the LSANs.
• lsanZoneShow -s shows the LSAN:
switch:admin> lsanzoneshow -s
Fabric ID: 2 Zone Name: lsan_zone_fabric2
        10:00:00:00:c9:2b:c9:0c Imported
        50:05:07:61:00:5b:62:ed EXIST
        50:05:07:61:00:49:20:b4 EXIST
Fabric ID: 75 Zone Name: lsan_zone_fabric75
        10:00:00:00:c9:2b:c9:0c EXIST
        50:05:07:61:00:5b:62:ed Imported
• fcrPhyDevShow shows the physical devices in the LSAN.
For information on how to display the maximum allowed and currently used LSAN zones and devices, see ”Resource monitoring” on page 399. NOTE: Since the maximum number of LSANs is configured for each switch, if there is a different maximum LSAN count on the switches throughout the metaSAN, the device import/export will not be identical on the FC routers. You should enter the same maximum LSAN count for all the FC routers in the same backbone that support this feature.
lsan_abc lsan_xyz lsan_fab1 In this example, the following LSAN zones would all be accepted: lsan_abc Lsan_xyz123456 LSAN_FAB1_abc You can specify up to eight Enforce tags on an FC router. Speed tag During target discovery, the FC router process of presenting proxy devices and setting up paths to the proxy devices might cause some sensitive hosts to time out or fail.
[Figure 65 Example of setting up Speed LSAN tag. The diagram shows host H1 in Edge fabric 1 and devices D1 and D2 in Edge fabrics 2 and 3, reached through FC router 1 and FC router 2, with the LSAN marked; drawing residue omitted.]

Rules for LSAN tagging

Note the following rules for configuring LSAN tags:
• Configure the tags on the FC router, and not on the edge switches. If Virtual Fabrics are enabled, configure the tags on the base switch on which the EX_ and VEX_Ports are located. You then have to ensure that the LSAN zones in the edge fabrics incorporate the tags correctly.
Configuring a Speed LSAN tag 1. Log in to the FC router as admin. 2. Enter the following command to create a Speed LSAN tag: fcrlsan --add -speed tagname where tagname is the name of the LSAN tag you want to create. 3. Change the names of the LSAN zones in the edge fabrics to incorporate the tag in the names. 4. Toggle the host or target port to trigger the fast import process. Removing an LSAN tag Use the following procedure to remove an LSAN tag.
LSAN zone binding
LSAN zone binding is an optional, advanced feature that increases the scalability envelope for very large metaSANs.
NOTE: LSAN zone binding is supported only on FC routers with Fabric OS 5.3.0 and later. The FC router matrix feature is supported only on FC routers with Fabric OS 6.1.0 and later.
Without LSAN zone binding, every FC router in the backbone fabric maintains the entire LSAN zone and device state database.
Table 77 LSAN information stored in each FC router with and without LSAN zone binding
Without LSAN zone binding:
FC router 1 | LSAN 1, LSAN 2, LSAN 3, LSAN 4
FC router 2 | LSAN 1, LSAN 2, LSAN 3, LSAN 4
FC router 3 | LSAN 1, LSAN 2, LSAN 3, LSAN 4
FC router 4 | LSAN 1, LSAN 2, LSAN 3, LSAN 4
With LSAN zone binding:
FC routers 1 through 4 each hold only a subset of the LSAN zones (the original table distributes the entries LSAN 1, LSAN 2, LSAN 2, LSAN 3, LSAN 4, LSAN 4 across the four FC routers).
To summarize:
• Without LSAN zone binding, the maximum number of LSAN devices is 10,000.
FC router matrix definition Depending on how the backbone fabric is structured, you can specify pairs of FC routers that can access each other.
Setting up LSAN zone binding
1. Log in to the FC router as admin.
2. Enter the following command to add a pair of FC routers that can access each other:
FCR:Admin > fcrlsanmatrix --add -fcr wwn1 wwn2
where wwn1 and wwn2 are the WWNs of the FC routers.
3. Enter the following command to add a pair of edge fabrics that can access each other:
FCR:Admin > fcrlsanmatrix --add -lsan fid1 fid2
where fid1 and fid2 are the FIDs of the edge fabrics.
4.
used to determine the Area_ID field of the PID) and the Port_ID field. Like the PIDs in a fabric, a proxy PID must be unique. If the slot argument results in a duplicate PID, it will be ignored. Proxy PIDs are automatically assigned to devices imported into a fabric, starting at f001. For Proxy IDs projected to an M-EOS edge fabric in McDATA fabric mode, use valid ALPAs (lower 8 bits). See the fcrProxyConfig command in the Fabric OS Command Reference for more details.
Figure 67 Inter-fabric broadcast frames (figure: a backbone fabric with FC router 1 and FC router 2 joining edge fabrics 1, 2, and 3, some running Fabric OS v5.3.0 or later and some running earlier releases)
Displaying the current broadcast configuration
1. Log in to the FC router as admin.
2. Enter the following command:
fcr:admin> fcrbcastconfig --show
This command displays only the FIDs that have the broadcast frame option disabled. The FIDs that are not listed have the broadcast frame option enabled.
In Fabric OS 5.3.0 and later, the default maximum of 3000 LSAN zones can be raised to a maximum of 5000. On a dual-CP switch, both CPs must be running 5.3.0 code or later to select 5000. If the active CP is running Fabric OS 5.3.0 or later with a maximum count of 5000 LSANs and the standby CP is running an earlier firmware version, HA synchronization will fail. If 5000 is selected before downgrading to an earlier version of Fabric OS, you are prompted to go back to the default maximum LSAN count of 3000.
See the Fabric OS Command Reference for details about the fcrResourceShow command. FC-FC routing and Virtual Fabrics If Virtual Fabrics is not enabled, FC-FC routing behavior is unchanged. If Virtual Fabrics is enabled, in the FC-FC routing context, a base switch is like a backbone switch and a base fabric is like a backbone fabric. If Virtual Fabrics is enabled, the following rules apply: • EX_Ports and VEX_Ports can be configured only on the base switch.
Figure 68 EX_Ports in a base switch (figure: two physical chassis, each with a default logical switch at Fabric ID 128, logical switches at Fabric IDs 1 and 15 that allow XISL use, and a base switch at Fabric ID 8 that carries the EX_Ports, IFLs, and the XISL between chassis)
Figure 69 (figure: the same two-chassis layout with an edge fabric, FID 20, and an FC router attached to the base switches through IFLs)
Range of output ports
The edge fabric detects only one front domain from an FC router connected through multiple output ports. The output port of the front domain is not fixed to 0; the values can be in a range of 129–255. The range of the output ports connected to the xlate domain is also 129–255. This range enables the front domain to connect to 127 remote xlate domains.
Displaying the range of output ports connected to the xlate domains
1. Log in to a switch in the edge fabric.
2.
18 Administering advanced performance monitoring
Advanced Performance Monitoring overview
This chapter describes the Advanced Performance Monitoring licensed feature. Additional performance monitoring features are provided through Web Tools and DCFM. See the Web Tools Administrator’s Guide and DCFM User’s Manual for information about monitoring performance using a graphical interface.
Table 79 Number of Logical Switches that support performance monitors
Platform | Maximum number of Logical Switches supported | Maximum number of Logical Switches on which monitors are supported
HP StorageWorks DC SAN Backbone Director | 8 | 4
HP StorageWorks DC04 SAN Director Switch | 8 | 4
HP StorageWorks 8/40 SAN Switch | 3 | 3
HP StorageWorks 8/80 SAN Switch | 4 | 3
Advanced Performance Monitor commands are available only to users with the admin or switchAdmin roles.
You can monitor end-to-end performance using the perfMonitorShow command, as described in ”Displaying monitor counters” on page 418. You can clear end-to-end counters using the perfMonitorClear command, as described in ”Clearing monitor counters” on page 420.
where:
slotnumber  For bladed systems only, specifies the slot number of the port on which the monitor is to be added. For all other switches, this operand is not required.
portnumber  Specifies the port number.
sourceID  Specifies the 3-byte SID (source ID) of the originator device.
destID  Specifies the 3-byte DID (destination ID) of the destination device.
Figure 71 shows two devices:
• Host A is connected to domain 5 (0x05), switch area ID 18 (0x12), AL_PA 0x00 on Switch X.
Setting a mask for an end-to-end monitor End-to-end monitors count the number of words in Fibre Channel frames that match a specific SID/DID pair. If you want to match only part of the SID or DID, you can set a mask on the port to compare only certain parts of the SID or DID. By default, the frame must match the entire SID and DID to trigger the monitor. By setting a mask, you can choose to have the frame match only one or two of the three fields (Domain ID, Area ID, and AL_PA) to trigger the monitor.
must match only the AL_PA portion of the specified SID-DID pair.
Each port can have only one EE mask. The mask is applied to all end-to-end monitors on the port. Individual masks for each monitor on the port cannot be specified.
perfsetporteemask 1/2, "00:ff:ff" "00:ff:ff" "00:ff:ff" "00:ff:ff"
Figure 73 Mask positions for end-to-end monitors (figure: the four masks are the SID mask and DID mask for frames received by the port and the SID mask and DID mask for frames transmitted from the port; within each mask the bytes are labelled Domain ID mask, Area ID mask, and AL_PA mask)
Deleting end-to-end monitors
1.
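The following Python is an added example, not code from the Fabric OS guide, showing how an end-to-end monitor's SID/DID comparison changes once a port mask is applied. It assumes a mask such as "00:ff:ff" is written in PID byte order (Domain ID : Area ID : AL_PA) with 00 meaning "ignore this field" and ff meaning "must match"; the frames and the target PID are constructed, and Host A's PID is the one given for Figure 71.

```python
# Added example, not from the Fabric OS guide: end-to-end (EE) monitor matching
# with and without a port mask. Assumptions (this example's own): mask bytes are
# in PID order Domain ID : Area ID : AL_PA; 0x00 = ignore field, 0xff = compare.


def parse_mask(mask):
    """Convert a mask like "00:ff:ff" into a 24-bit integer (0x00ffff)."""
    parts = mask.split(":")
    if len(parts) != 3:
        raise ValueError(f"mask needs three bytes: {mask!r}")
    value = 0
    for part in parts:
        byte = int(part, 16)
        if byte not in (0x00, 0xFF):
            raise ValueError(f"each mask byte must be 00 or ff: {mask!r}")
        value = (value << 8) | byte
    return value


def pid_fields(pid):
    """Split a 3-byte Fibre Channel port ID into (Domain ID, Area ID, AL_PA)."""
    return (pid >> 16) & 0xFF, (pid >> 8) & 0xFF, pid & 0xFF


def ee_match(frame_sid, frame_did, mon_sid, mon_did, sid_mask, did_mask):
    """True if the frame's SID/DID matches the monitor's pair under the mask.

    XOR exposes the differing bits; AND with the mask keeps only the fields
    that must agree, so a zero result means the frame is counted.
    """
    return (((frame_sid ^ mon_sid) & sid_mask) == 0
            and ((frame_did ^ mon_did) & did_mask) == 0)


def count_monitored_words(frames, mon_sid, mon_did,
                          sid_mask="ff:ff:ff", did_mask="ff:ff:ff"):
    """Sum the words of every frame the monitor would count.

    frames is a list of (sid, did, words). The default masks reproduce the
    guide's default behaviour: the whole SID and DID must match.
    """
    smask, dmask = parse_mask(sid_mask), parse_mask(did_mask)
    return sum(words for sid, did, words in frames
               if ee_match(sid, did, mon_sid, mon_did, smask, dmask))


# Host A from Figure 71: domain 5, area 0x12, AL_PA 0x00.
HOST_A = 0x051200
# Constructed target PID: domain 10, area 0x03, AL_PA 0x00.
TARGET = 0x0A0300
# Constructed sample frames: (SID, DID, words).
SAMPLE_FRAMES = [
    (0x051200, 0x0A0300, 528),  # exactly the monitored pair
    (0x051201, 0x0A0300, 528),  # same area, different AL_PA
    (0x071200, 0x0A0300, 16),   # same area and AL_PA, different domain
    (0x051300, 0x0A0300, 16),   # different area
    (0x051200, 0x0A0301, 16),   # different DID AL_PA
]

if __name__ == "__main__":
    print("Host A fields (domain, area, AL_PA):", pid_fields(HOST_A))
    for sid_mask, did_mask in (("ff:ff:ff", "ff:ff:ff"),   # default: full match
                               ("00:ff:ff", "00:ff:ff"),   # ignore Domain ID
                               ("00:00:ff", "00:00:ff")):  # AL_PA only
        total = count_monitored_words(SAMPLE_FRAMES, HOST_A, TARGET,
                                      sid_mask, did_mask)
        print(f"SID mask {sid_mask} / DID mask {did_mask}: {total} words counted")
```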
• HP StorageWorks 8/40 SAN Switch
• HP StorageWorks 400 Multi-Protocol Router
• HP StorageWorks DC SAN Backbone Director
• HP StorageWorks DC04 SAN Director Switch
For the HP StorageWorks 4/256 SAN Directors, the maximum number of filters is 12 per port in any combination of standard filters and user-defined filters, except for the HP StorageWorks SAN Director 48 Port 4Gb FC blade.
The following example adds filter-based monitors to slot 1, port 2 and displays the results:
switch:admin> perfaddreadmonitor 1/2
SCSI Read filter monitor #0 added
switch:admin> perfaddwritemonitor 1/2
SCSI Write filter monitor #1 added
switch:admin> perfaddrwmonitor 1/2
SCSI Read/Write filter monitor #2 added
switch:admin> perfaddscsimonitor 1/2
SCSI traffic frame monitor #3 added
switch:admin> perfaddipmonitor 1/2
IP traffic frame monitor #4 added
switch:admin> perfmonitorshow --class FLT 1/2
There are 5
part of a filter definition. Offset 0 is a special case, which can be used to monitor the first 4 bytes of the frame (SOF). When the offset is set to 0, the values 0–7 that are checked against that offset are predefined as shown in Table 80.
An ISL monitor measures traffic to all reachable destination domains for an ISL, showing which destination domain is consuming the most traffic. If there are more than 16 domains, the monitor samples traffic and extrapolates the measurement. EE monitors on E_Ports are deleted when they become part of an ISL. ISL monitors are deleted when Top Talker is installed and are restored when Top Talker is deleted. (See ”Top Talker monitors” for information about Top Talker monitors.)
combinations that are possible on a given port and provides a sorted output of the top talking flows. Also, if the number of flows exceeds the hardware resources, existing end-to-end monitors fail to get real time data for all of them; however, Top Talker monitors can monitor all flows for a given E_Port or F_Port (up to 10,000 flows). Virtual Fabric considerations: All Logical Switches in the same chassis can use either fabric mode Top Talker monitors or port mode Top Talker and end-to-end monitors.
where:
slotnumber  For enterprise-class platforms only (HP StorageWorks 4/256 SAN Director, HP StorageWorks DC SAN Backbone Director, and HP StorageWorks DC04 SAN Director Switch), the slot number.
port  The port number.
n  The number of top talking flows to display, between 1 and 32.
If end-to-end monitors are present on remote switches running Fabric OS 6.1.0 or later, the command succeeds; however, on the remote switches, fabric mode fails and a raslog message is displayed on those switches. If end-to-end monitors are present on remote switches running Fabric OS 6.0.x, the command succeeds. If a new switch joins the fabric, you must run the perfTTmon --add fabricmode command on the new switch. The Top Talker configuration information is not automatically propagated to the new switch.
Trunk monitoring
To monitor E_Port (ISL) and F_Port trunks, you can set monitors only on the master port of the trunk. If the master changes, the monitor automatically moves to the new master port. If a monitor is installed on a port that later becomes a slave port when a trunk comes up, the monitor automatically moves to the master port of the trunk. Note the following:
• For Fabric OS 3.x switches, monitoring can be set on slave ISLs.
• End-to-end monitors are not supported for ISLs.
The following example displays an end-to-end monitor on a port at 10-second intervals:
switch:admin> perfMonitorShow --class EE 4/5 10
Showing EE monitors 4/5 10: Tx/Rx are # of bytes
    0           1           2           3           4
--------- --------- --------- --------- ---------
Tx   Rx    Tx   Rx    Tx   Rx    Tx   Rx    Tx   Rx
========= ========= ========= ========= =========
0    0     0    0     0    0     0    0     0    0
53m  4.9m  53m  4.9m  53m  4.9m  53m  4.9m  53m  0
53m  4.4m  53m  4.4m  53m  4.4m  53m  4.4m  53m  0
53m  4.8m  53m  4.8m  53m  4.8m  53m  4.8m  53m  0
53m  4.6m  53m  4.6m  53m  4.6m  53m  4.6m  53m  4.
The following example displays filter monitor information on a port:
switch:admin> perfMonitorShow --class FLT 2/5
There are 7 filter-based monitors defined on port 21.
KEY  ALIAS       OWNER_APP  FRAME_COUNT         OWNER_IP_ADDR
----------------------------------------------------------------
0    SCSI_Frame  TELNET     0x00000000002c2229  N/A
1    SCSI_WR     TELNET     0x000000000000464a  N/A
2    SCSI_RW     TELNET     0x000000000000fd8c  N/A
3    SCSI_RW     WEB_TOOLS  0x0000000000007ba3  192.168.169.40
4    SCSI_RW     WEB_TOOLS  0x0000000000004f0e  192.168.169.
The following example clears statistics counters for a filter-based monitor:
switch:admin> perfMonitorClear --class FLT 1/2 4
Filter-based monitor number 4 counters are cleared
switch:admin> perfMonitorClear --class FLT 1/2
This will clear ALL filter-based monitors' counters on port 2, continue? (yes, y, no, y): [no] y
The following example clears statistics counters for an ISL monitor:
switch:admin> perfMonitorClear --class ISL 1
This will clear ISL monitor on port 1, continue? (yes, y, no, n): [no] y
Sav
Performance data collection Data collected through Advanced Performance Monitoring is deleted when the switch is rebooted. Using the Data Center Fabric Manager (DCFM) Enterprise Edition, you can store performance data persistently. For details on this feature, see the DCFM Enterprise User Manual.
19 Administering extended fabrics
Licensing for Extended Fabrics
An Extended Fabrics license is required before you can implement long distance dynamic (LD) and long distance static (LS) distance levels. The LD and LS settings are necessary to achieve maximum performance results over Inter-Switch Links (ISLs) that are greater than 10 km. Use the Time-Based Temporary Licensing that can be generated with the expiration date embedded in the license key to activate the Extended Fabrics feature.
The following table describes Fibre Channel data frames.
Table 81 Fibre Channel data frames
Fibre Channel Frame fields | Field size
Start of frame | 4 bytes (32 bits)
Standard frame header | 24 bytes (192 bits)
Data (payload) | 0–2112 bytes (0–16,896 bits)
CRC | 4 bytes (32 bits)
End of frame | 4 bytes (32 bits)
Total (number of bits/frame) | 36–2148 bytes (288–17,184 bits)
NOTE: The term byte used in Table 81 equals 8 bits. The maximum Fibre Channel frame is 2148 bytes.
FC switch port buffer credit requirements for long-distance calculations
You can calculate how many ports can be configured for long distance on all Fabric OS 6.x capable switch modules. Following are the considerations for the calculation:
• Each port is part of a port group that includes a pool of buffer credits that can be utilized. This is not the same as the port groups used for ISL Trunking.
• Each user port reserves eight buffer credits when online or offline.
1. Determine the desired distance in kilometers between the switch-to-switch connection. This example uses 50 km.
2. Determine the speed that you will use for the long-distance connection. This example uses 2 Gb/s.
3. Use the following formula to calculate the reserved buffers for distance:
(Reserved Buffer for Distance Y) = (X * LinkSpeed / 2) + 6
Where:
X = the distance determined in step 1 (in kilometers).
LinkSpeed = the speed of the link determined in step 2.
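As an added example (not code from the Fabric OS guide), the Python below carries the step 3 formula through the worked values (50 km at 2 Gb/s) and then checks the result against a port group's unreserved buffer pool using the per-port-group figures from Table 82. Rounding a fractional result up, and the assumption that every long-distance port in a group draws its reserved-for-distance buffers from that shared pool, are this example's own, not statements the excerpt makes.

```python
import math

# Added example, not from the Fabric OS guide. Pool sizes are the "Unreserved
# buffers (per port group)" column of Table 82; the pool-sharing assumption and
# the rounding rule below are this example's own.
UNRESERVED_POOL = {
    "HP StorageWorks 4/256 SAN Director 16 Port 4Gb Blade": 584,
    "HP StorageWorks B-Series iSCSI Director Blade": 616,
    "HP StorageWorks 4/256 SAN Director 32 Port 4Gb Blade": 624,
    "HP StorageWorks 4/256 SAN Director 48 Port 4Gb Blade": 560,
}


def reserved_buffers_for_distance(distance_km, link_speed_gbps):
    """(Reserved Buffer for Distance Y) = (X * LinkSpeed / 2) + 6.

    Buffer credits are whole units, so a fractional product is rounded up
    (assumption; the guide's worked values divide evenly).
    """
    if distance_km <= 0 or link_speed_gbps <= 0:
        raise ValueError("distance and link speed must be positive")
    return math.ceil(distance_km * link_speed_gbps / 2) + 6


def long_distance_ports_supported(model, distance_km, link_speed_gbps):
    """Ports of one port group that can run at this distance and speed before
    the group's unreserved pool is exhausted (assumes each such port takes Y
    buffers from the shared pool)."""
    pool = UNRESERVED_POOL[model]
    per_port = reserved_buffers_for_distance(distance_km, link_speed_gbps)
    return pool // per_port


if __name__ == "__main__":
    y = reserved_buffers_for_distance(50, 2)
    print(f"50 km at 2 Gb/s reserves {y} buffers per port")  # 56
    for model in UNRESERVED_POOL:
        n = long_distance_ports_supported(model, 50, 2)
        print(f"{model}: {n} such ports per port group")
```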
1. Connect to the switch and log in as admin. 2. Enter the portBufferShow command.
Table 82 Buffer Credits (continued)
Switch/blade model | Total FC ports (per switch/blade) | User port group size | Unreserved buffers (per port group)
HP StorageWorks 4/256 SAN Director 16 Port 4Gb Blade | 16 | 16 | 584
HP StorageWorks B-Series iSCSI Director Blade | 8 | 8 | 616
HP StorageWorks 4/256 SAN Director 32 Port 4Gb Blade | 32 | 16 | 624
HP StorageWorks 4/256 SAN Director 48 Port 4Gb Blade | 48 | 24 | 560
HP StorageWorks SAN Director 16 Port 8Gb FC Blade | 16 | 16 | 1292 / 1338
HP StorageWorks SAN Director
Table 83 Supported Distances (continued)
Maximum supported distances with 2112 Byte Frame Size (1-port allocated all unreserved buffer credits) in km @
Switch/blade model | 1 Gb/s | 2 Gb/s | 4 Gb/s | 8 Gb/s
HP StorageWorks 400 Multi-Protocol Router | 500 | 250 | 100 | N/A
HP StorageWorks 4/256 SAN Director 16 Port 4Gb Blade | 500 | 250 | 100 | N/A
HP StorageWorks B-Series iSCSI Director Blade | 500 | 250 | 100 | N/A
HP StorageWorks 4/256 SAN Director 32 Port 4Gb Blade | 500 | 250 | 100 | N/A
HP StorageWorks 4/256 SAN Di
Virtual E_Ports and Virtual EX_Ports do not support long distance. The buffer credit recovery feature is enabled for the following flow control modes: Normal, Virtual Channel (VC), and Extended VC modes.
(vc_translation_link_init) parameter of the portCfgLongDistance command is enabled for long-distance links. On switches running Fabric OS 6.2.0 or later, during port configuration, you can specify fill words used on long-distance links to be either ARBs or IDLEs in the VC_RDY flow control mode. The vc_translation_link_init parameter specifies the fill words used on long-distance links. When set to 1, the link uses ARB fill words (default). When set to 0, the link uses IDLE fill words.
3. Disable credit recovery; credit recovery is not compatible with the IDLE mode. If you do not disable credit recovery, it continues to perform a link reset.
switch:admin> portcfgcreditrecovery --disable
4. Configure the port to support long-distance links.
distance_level  One of the following (the numerical value representing each distance_level is shown in parentheses):
• L0 (0)  Specify L0 to configure the port to be a regular (default) switch port.
• LE (3)  Specify LE mode for distances up to 10 km.
• LD (5)  Specify LD for automatic long-distance configuration. The buffer credits for the given E_Port are automatically configured, based on the actual link distance measured during E_Port initialization versus the user-desired distance.
20 Administering ISL trunking
ISL Trunking overview
This chapter contains procedures for using the B-Series Inter-Switch Link (ISL) Trunking licensed feature, which optimizes the use of bandwidth by allowing a group of inter-switch links to merge into a single logical link. ISL Trunking reduces or eliminates situations that require static traffic routes and individual ISL management to achieve optimal performance.
B-Series Multi-Protocol Router Blade, and the HP StorageWorks DC04 SAN Director Switch using HP StorageWorks SAN Director 16 Port 8Gb FC blade, HP StorageWorks SAN Director 32 Port 8Gb FC blade, HP StorageWorks SAN Director 48 Port 8Gb FC blade, and the B-Series Multi-Protocol Router Blade support these advanced features:
• Up to eight ports in one trunk group, creating high-performance 32 Gb/s ISL trunks between switches, or up to 64 Gb/s where eight 8 Gb/s ISLs are used on platforms that support 8 Gb/s.
• Trunking groups can be used to resolve ISL oversubscription if the total capability of the trunking group is not exceeded.
• Consider how the addition of a new path will affect existing traffic patterns:
• A trunking group has the same link cost as the master ISL of the group, regardless of the number of ISLs in the group. This allows slave ISLs to be added or removed without causing data to be rerouted, because the link cost remains constant.
• Change the existing path to a more optimal path.
• Wait for sufficient time for frames already received to be transmitted. This is needed to maintain IOD.
• Resume traffic.
Configuring lossless dynamic load sharing on trunk ports
Configure load sharing on trunk ports by using the iodSet command to specify that no frames are dropped while rebalancing or rerouting traffic:
1. Connect to the switch and log in using an account assigned to the admin role.
2.
Adding a monitor to an F_Port master port
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the perfAddEEMonitor command.
switch:admin> perfaddeemonitor 4 0x010400 0x020800
Adding monitor to the master port of the F-Port Trunk.
where 4 is a slave port of the F_Port Trunk.
If you attempt to install a monitor on a slave port of an F_Port trunk and the same monitor is already installed on the corresponding master, the following message is displayed.
The following example shows traffic flowing through a trunking group (ports 5, 6, and 7).
On the HP StorageWorks 4/8 and 4/16 SAN Switches, HP StorageWorks 8/8 and 8/24 SAN Switches, HP StorageWorks SAN Switch 4/32, HP StorageWorks 4/256 SAN Director, HP StorageWorks 4/64 SAN Switch, HP StorageWorks 8/40 SAN Switch, and HP StorageWorks 8/80 SAN Switch, for long-distance ports, you should specify the port speed instead of setting it to autonegotiate.
2. Enter the portCfgSpeed command. The format is:
portcfgspeed [slotnumber/]portnumber, speed_level
where:
slotnumber  For bladed systems only, specify the slot number of the port to be configured, followed by a slash (/). This operand is required only for directors and enterprise-class platforms.
portnumber  Specifies the port number relative to its slot for bladed systems.
speed_level  Specifies the speed of the link:
0—Autonegotiating mode. The port automatically configures for the highest speed.
The following example sets the speed for all ports on the switch to 8 Gb/s:
switch:admin> switchcfgspeed 8
Committing configuration...done.
The following example sets the speed for all ports on the switch to autonegotiate:
switch:admin> switchcfgspeed 0
Committing configuration...done.
Displaying trunking information
You can display all the trunks and members of a trunk, and whether the trunking port connection is the master port connection for the trunking group.
Table 85 Trunking support for HP StorageWorks SAN Switch 4/32 and HP StorageWorks 4/64 SAN Switch (Condor ASIC)
Mode | Distance | Number of 2 Gb/s ports | Number of 4 Gb/s ports
LE | 10 km | 32 (four 8-port trunks) | 32 (four 8-port trunks)
LD | 200 km | 3 (one 3-port trunk) | 0
LD | 250 km | 3 (one 3-port trunk) | 0
LD | 500 km | 0 | 0
Enhanced trunking support for the HP StorageWorks SAN Director 48 Port 4Gb FC blade in the HP StorageWorks 4/256 SAN Director is summarized in Table 86.
• HP StorageWorks 4/256 SAN Director and the HP StorageWorks DC SAN Backbone Director platforms running Fabric OS 6.2.0. F_Port masterless trunking interoperates between Access Gateway (AG), 2 Gb/s, 4 Gb/s, and 8 Gb/s-based platforms. This feature does not work on M-EOS or third party switches. Figure 75 shows a switch in AG mode without F_Port masterless trunking. Figure 76 on page 445 shows a switch in AG mode with F_Port masterless trunking.
Table 87 F_Port masterless trunking considerations
Category | Description
Area assignment | Statically assign the area within the trunk group on the edge switch. That group is the F_Port masterless trunk. The static trunk area you assign must fall within the ASIC's trunk group of the switch or blade starting from port 0 and must be one of the port’s default areas of the trunk group.
portCfgTrunkPort , 0 | The portCfgTrunkPort , 0 command will fail if a Trunk Area is enabled on a port. The port Trunk Area must be disabled first.
switchCfgTrunk 0 | The switchCfgTrunk 0 command will fail if a port has TA enabled. All ports on a switch must be TA-disabled first.
DCC policy | DCC policy enforcement for the F_Port trunk is based on the Trunk Area; the FDISC requests to a trunk port are accepted only if the WWN of the attached device is part of the DCC policy against the TA. The PWWN of the FLOGI sent from the AG will be dynamic for the F_Port trunk master.
trunking groups are based on the user port number, with contiguous eight ports as one group, such as 0–7, 8–15, 16–23 and up to the number of ports on the switch (see Figure 77).
Figure 77 Trunk group configuration for the HP StorageWorks 8/40 SAN Switch
1. Connect to the switch and log in using an account assigned to the admin role.
2. Ensure that both modules (edge switch and the switch running in AG mode) have the trunking licenses enabled.
3.
4. Show the TA port configuration (ports still disabled):
switch:admin> porttrunkarea --show enabled
Slot  Port  Type  State  Master  TI   DI
------------------------------------------
10    13    ---                  125  125
10    14    ---                  125  126
------------------------------------------
5. Enable ports 13 and 14:
switch:admin> portenable 10/13
switch:admin> portenable 10/14
6.
4. Show switch and port information:
switch:admin> switchshow
switchName: SPIRIT_B4_01
switchType: 66.
36  36  id  N4  Online  F-Port  2 NPIV public (Trunk master)
37  37  id  N4  Online  F-Port  (Trunk port, master is Port 36 )
38  38  id  N4  Online  F-Port  (Trunk port, master is Port 36 )
39  39  id  N4  Online  F-Port  (Trunk port, master is Port 36 )
5. Display TA-enabled port configuration:
switch:admin> porttrunkarea --show enabled
Port  Type    State   Master  TA  DA
------------------------------------
36    F-port  Master  36      37  36
37    F-port  Slave   36      37  37
38    F-port  Slave   36      37  38
39    F-port  Slave   36      37  39
6.
old master and install the monitor on the new master port. If you attempt to add a monitor to a slave port, it is automatically added to the master port instead. Configuration management for trunk areas Ports from different ADs are not allowed to join the same Trunk Area group. The portTrunkArea command prevents the different ADs from joining the TA group. When you assign a TA, the ports within the TA group have the same Index. The Index that was assigned to the ports is no longer part of the switch.
The following are considerations for F_Port trunking when you enable a Virtual Fabric:
• If a port is enabled for F_Port trunking, you must disable the configuration before you can move a port from the Logical Switch.
• If the user bound area for a port is configured using the portAddress command, the port cannot be configured as an F_Port trunk port. You must explicitly remove the user bound area before enabling F_Port trunking.
1. Connect to the switch and log in using an account assigned to the admin role.
switch:admin> fosconfig -enable vf
WARNING: This is a disruptive operation that requires a reboot to take effect.
All EX ports will be disabled upon reboot.
Would you like to continue [Y/N]
2. Specify the E_Ports to authenticate, for example 2, 3, and 4.
switch:admin> authutil --authinit 2,3,4
21 Configuring and monitoring FCIP extension services
FCIP concepts
Fibre Channel over IP (FCIP) enables you to connect Fibre Channel SANs over IP-based networks. The HP StorageWorks 400 Multi-Protocol Router and B-Series Multi-Protocol Router Blade use FCIP to encapsulate Fibre Channel frames within IP frames that can be sent over an IP network to a partner HP StorageWorks 400 Multi-Protocol Router or B-Series Multi-Protocol Router Blade.
Figure 78 Network using FCIP (figure: office FC SANs with Fibre Channel initiators and a data center FC SAN with Fibre Channel targets, joined across an IP WAN through VE_Ports on Brocade 7500 routers and Brocade 48000 directors with FR4-18i blades)
Compression on FCIP tunnels
Data compression can be enabled or disabled on FCIP tunnels. The default setting is to disable compression.
enterprise-class platforms. The HP StorageWorks 400 Multi-Protocol Router and the B-Series Multi-Protocol Router Blade both have 16 physical Fibre Channel ports and 2 physical GbE ports. NOTE: The FCIP Tunneling Service for the HP StorageWorks 400 Multi-Protocol Router and B-Series Multi-Protocol Router Blade is not compatible with the XPath FCIP service, nor is it compatible with any other vendor’s implementation.
Table 91 Default Mapping of DSCP priorities to L2CoS Priorities (continued)
Virtual Circuit (VC) | DSCP priority/bits | L2CoS priority/bits | Assigned to:
3 | 15 / 001111 | 3 / 011 | Medium QoS
4 | 19 / 010011 | 3 / 011 | Medium QoS
5 | 23 / 010111 | 3 / 011 | Medium QoS
6 | 27 / 011011 | 0 / 000 | Class 3 Multicast
7 | 31 / 011111 | 0 / 000 | Broadcast/Multicast
8 | 35 / 100011 | 0 / 000 | Low QoS
9 | 39 / 100111 | 0 / 000 | Low QoS
10 | 43 / 101011 | 4 / 100 | High QoS
11 | 47 / 101111 | 4 / 100 | High QoS
12 | 51 / 110011
Table 92 IPsec terminology (continued)
Term | Definition
ESP | Encapsulating Security Payload is the IPsec protocol that provides confidentiality, data integrity and data source authentication of IP packets, and protection against replay attacks.
IKE | Internet Key Exchange is defined in RFC 2407, RFC 2408 and RFC 2409. IKEv2 is defined in RFC 4306.
The first step to configuring IPsec is to create a policy for IKE and a policy for IPsec. Once the policies have been created, you assign the policies when creating the FCIP tunnel. IKE negotiates SA parameters and authenticates the peer using the preshared key authentication method. Once the two phases of the negotiation are completed successfully, the actual encrypted data transfer can begin. IPsec policies are managed using the policy command. You can configure up to 32 IKE and 32 IPsec policies.
where:
type and number  The type of policy being created (IKE or IPsec) and the number for this type of policy. To easily determine how many policies have been created, consider using sequential numbering. The range of valid values is any whole number from 1 through 32.
encryption_method  The supported type of encryption. Valid options are 3DES, AES-128, and AES-256. AES-128 is the default.
authentication_algorithm  The authentication algorithm. Valid options are SHA-1, MD5, and AES-XCBC (IPsec only).
The example below shows all of the IKE policies defined; in this example, there are two IKE policies.
The following example shows the portShow fcipTunnel command used to display IPsec information for tunnel 3:
switch:admin> portshow fciptunnel 8/ge0 3 -ipsec
Port: ge0
------------------------------------------
Tunnel ID 3
Remote IP Addr 192.175.5.200
Local IP Addr 192.175.5.100
Remote WWN Not Configured
Local WWN 10:00:00:05:1e:37:00:20
Compression off
Fastwrite on
Tape Pipelining on
Uncommitted bandwidth, minimum of 1000 Kbps (0.
The TCP Byte Streaming feature supports an FCIP frame that has been split into a maximum of eight separate TCP segments. If the frame is split into more than eight segments, it results in prematurely sending a frame to the FCIP layer with an incorrect size and the FCIP tunnel bounces. Only one tunnel is allowed to be configured for a GigE port that has TCP Byte Streaming configured.
Constraints for FCIP Fastwrite and Tape Pipelining
Consider the constraints described in Table 95 when configuring tunnels to use either of these features.
Table 95 Using FCIP Fastwrite and Tape Pipelining
FCIP Fastwrite | Tape pipelining
Each GbE port supports up to 2048 simultaneous accelerated exchanges, which means a total of 2048 simultaneous exchanges combined for Fastwrite and Tape Pipelining.
Figure 80 Multiple tunnels to multiple ports, Fastwrite and Tape Pipelining enabled on a per-tunnel/per-port basis Unsupported configurations for Fastwrite and Tape Pipelining The configurations shown in Figure 81 are not supported with Fastwrite and Tape Pipelining. These configurations use multiple equal-cost paths.
Figure 81 Unsupported configurations with Fastwrite and Tape Pipelining (figure: VE-VE or VEX-VEX tunnels over multiple equal-cost paths)
FC Fastwrite concepts
FC Fastwrite operates in Fibre Channel network topologies similar to the basic topology shown in Figure 82. FC Fastwrite provides accelerated speeds for SCSI Write operations over long distance Fibre Channel ISLs implemented through the FC-FC Routing Service rather than FCIP. FC Fastwrite is supported in Fabric OS 5.3.x and later.
Figure 82 Typical network topology for FC Fastwrite
Platforms and OS requirements for FC Fastwrite
Fabric OS supports FC Fastwrite between two HP StorageWorks 400 Multi-Protocol Routers or two HP StorageWorks 4/256 SAN Directors with B-Series Multi-Protocol Router Blade connected by a Fibre Channel network. Fabric OS 5.3.
4. The PI continues to stage data received from the initiator, respond locally to a Transfer Ready, and send the data to the target device until the target device sends a Response (FCP_RSP).
Figure 83 How FC Fastwrite works
FC Fastwrite can improve write performance. Read performance is unaffected. The gains seen from enabling FC Fastwrite depend on several factors, including the following:
• The size of I/O versus Transfer Ready (Tx_RDY).
Take the following steps to configure and enable FC Fastwrite. 1. Create a zone configuration to filter FC Fastwrite flows. FC Fastwrite flows are configured by creating a zone name with an fcacc token as a prefix. For LSAN configuration, use lsan_fcacc as a prefix, as shown in the following example.
5. Use the portShow command to verify that FC Fastwrite is enabled.
switch:admin> k
portName:
portHealth: HEALTHY
Authentication: None
portDisableReason: None
portCFlags: 0x1
portFlags: 0x20b03 PRESENT ACTIVE F_PORT G_PORT U_PORT LOGICAL_ONLINE LOGIN NOELP ACCEPT
portType: 10.
Example: Disabling FC Fastwrite on a switch
switch:admin> fastwritecfg --disable 7
!!!! WARNING !!!!
Disabling FC Fastwrite will require powering off and back on the and it may take up to 5 minutes. For non bladed system, the switch will be rebooted. Data traffic will be disrupted.
Continue (Y,y,N,n): [ n] y
Slot 7 is being powered off
Disabling FC Fastwrite on a port
1. Connect to the switch and log in using an account assigned to the admin role.
2.
11. If you are implementing FICON emulation, configure FICON emulation using the portCfg ficon command. See Chapter 23, ”Configuring and monitoring FICON Extension Services” on page 513 for specific instructions.
12. If you are implementing FTRACE, configure FTRACE using the portCfg ftrace command. See the Fabric OS Troubleshooting and Diagnostics Guide for specific instructions.
13. Check the configuration to ensure that the parameters are correct using the portShow fciptunnel command.
14.
Creating IP interfaces and routes The IP network connection between two HP StorageWorks 400 Multi-Protocol Routers or two FR4-18i blades or one HP StorageWorks 400 Multi-Protocol Router and one FR4-18i blade is configured by defining IP interfaces for origin and destination virtual ports, and then defining one or more IP routes to connect them. 1. Define the IP interface of each virtual port, using the portCfg command. You can define up to eight IP interfaces per GbE port. The command syntax is as follows.
The following example shows two routes being added to an interface:
switch:admin06> portcfg iproute 8/ge0 create 192.168.11.0 255.255.255.0 192.168.100.1 1
switch:admin06> portcfg iproute 8/ge0 create 192.168.12.0 255.255.255.0 192.168.100.1 1
The following example verifies that the two routes have been successfully created:
switch:admin06> portshow iproute 8/ge0
Slot: 8 Port: ge0
IP Address Mask Gateway Metric Flags
-----------------------------------------------------------------
192.168.100.0 255.255.
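As an added example (not code from the manual or from HP/Brocade), the following Python parses a route table in the layout printed by portshow iproute and resolves next hops by longest-prefix match. The sample table is constructed: the manual's own output is truncated after the first row, so the interface-subnet row (metric 0 is taken to mean a directly connected subnet) and the flag strings are assumptions. The check in unreachable_gateways is the example's own: a route whose gateway is not on a subnet the port is connected to can never forward traffic, which is the first thing to verify when the far tunnel endpoint on another subnet does not answer portCmd --ping.

```python
"""Parse a "portshow iproute" style table and resolve next hops.

Added example, not from the Fabric OS manual. Sample table constructed;
the metric-0 "connected subnet" convention and flag strings are assumptions.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the layout of "portshow iproute 8/ge0" (assumed rows).
SAMPLE_IPROUTE_OUTPUT = """\
Slot: 8 Port: ge0
IP Address       Mask             Gateway          Metric Flags
-----------------------------------------------------------------
192.168.100.0    255.255.255.0    192.168.100.40   0      U
192.168.11.0     255.255.255.0    192.168.100.1    1      U G
192.168.12.0     255.255.255.0    192.168.100.1    1      U G
"""

_IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
_ROW = re.compile(rf"^{_IPV4}\s+{_IPV4}\s+{_IPV4}\s+(\d+)\s*(.*)$")


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    metric: int  # assumption: 0 marks the interface's own (connected) subnet
    flags: str


def parse_iproute(text: str) -> list[Route]:
    """Return one Route per table row; the Slot, header and separator lines are skipped."""
    routes: list[Route] = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        net, mask, gw, metric, flags = m.groups()
        routes.append(Route(
            network=ipaddress.IPv4Network(f"{net}/{mask}", strict=True),
            gateway=ipaddress.IPv4Address(gw),
            metric=int(metric),
            flags=flags.strip(),
        ))
    return routes


def lookup(routes: list[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; ties are broken by the lowest metric."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def unreachable_gateways(routes: list[Route]) -> list[Route]:
    """Routes whose gateway lies in no connected (metric 0) subnet of this port."""
    connected = [r.network for r in routes if r.metric == 0]
    return [r for r in routes
            if r.metric != 0 and not any(r.gateway in n for n in connected)]


if __name__ == "__main__":
    table = parse_iproute(SAMPLE_IPROUTE_OUTPUT)
    for target in ("192.168.11.7", "192.168.100.9", "10.1.1.1"):
        best = lookup(table, target)
        print(target, "->", best.gateway if best else "no route")
    print("routes with unreachable gateways:", unreachable_gateways(table))
```

Feed the block the real output of portshow iproute for a port and it reports which configured routes could never be used from that interface.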
-z size The size in bytes of the ping packet to use. The total size cannot be greater than the configured MTU size (see step 1). The default size is 64 bytes.
The following example tests the connection between 192.175.5.100 and 192.175.5.200:
switch:admin06> portcmd --ping ge0 -s 192.175.5.100 -d 192.175.5.200
Pinging 192.175.5.200 from ip interface 192.175.5.100 on 0/ge0 with 64 bytes of data
Reply from 192.175.5.200: bytes=64 rtt=1ms ttl=64
Reply from 192.175.5.
-s Disables selective acknowledgement code (SACK) on the specified tunnel. -f Enables FCIP Fastwrite. -M Enables VC QoS mapping. -t Enables Read and Write Tape Pipelining on the specified tunnel. If Read and Write Tape Pipelining is enabled, Fastwrite must also be enabled. -n remote_wwn The remote-side FC entity WWN. -k timeout The keep-alive timeout in seconds. The range of valid values is 8 through 7,200 sec and the default is 10.
Example: Creating an FCIP tunnel with FastWrite and Tape Pipelining enabled switch:admin> portcfg fciptunnel ge1 create 1 192.168.1.2 192.168.1.201 0 -f -t !!!! WARNING !!!! The fastwrite and tape pipelining features are incompatible with multiple equal cost paths. Please ensure that there are no multiple equal cost paths in your fabric before continuing.
is configured, and can be displayed by entering the portShow fciptunnel all command: switch0:admin> portshow fciptunnel ge0 all Port: ge0 ------------------------------------------Tunnel ID 0 Tunnel Description Not Configured Remote IP Addr 10.10.12.100 Local IP Addr 10.62.0.100 Remote WWN Not Configured Local WWN 10:00:00:05:1e:38:58:61 Compression on Fastwrite on Tape Pipelining on Committed Rate 1000000 Kbps (1.
3. Verify that the VE_Port or VEX_Port is online, and use the switchShow command to verify that the FCIP tunnel is online.
switch:admin06> portenable 8/18
switch:admin06> portenable 8/19
switch:admin06> switchshow
switchName:switch
switchType:42.
4.
2. Enter the portCfg fcipTunnel command to modify FCIP tunnels. You must specify at least one characteristic to modify.
-P data_L2Cos The L2 Class of Service/Priority, as defined by IEEE 802.1p, for the FCIP data connection. Range is 0-7. Default is 0.
-bstr 0|1 Enables (1)/Disables (0) TCP Byte Streaming.
The following example shows two FCIP tunnels created on slot 8, port ge0; the first with an uncommitted bandwidth (0), and the second with a committed bandwidth of 10000 Kbps:
switch:admin> portcfg fciptunnel 8/ge0 create 2 192.168.100.50 192.168.100.40 0
switch:admin06> portcfg fciptunnel 8/ge0 create 3 192.168.100.
Deleting an FCIP tunnel 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the portCfg fciptunnel command to delete FCIP tunnels. The command syntax is as follows. portcfg fciptunnel [slot/]ge0|ge1 delete tunnel_id The following example shows two tunnels deleted on slot 8, port ge0: switch:admin> portcfg fciptunnel 8/ge0 delete 6 switch:admin> portcfg fciptunnel 8/ge0 delete 7 Deleting an IP interface (IPIF) The following command deletes an IP interface.
The following example adds an entry that tags all frames from IP address 192.168.10.1 destined for IP address 192.168.20.1 with a VLAN ID of 100 and an L2 CoS value of 3.
switch:admin> portcfg vlantag 8/ge0 add 192.168.10.1 100 3 7 192.168.20.1
WAN performance analysis tools
Introduced in Fabric OS 5.2.0, WAN analysis tools are designed to test connections, trace routes, and estimate the end-to-end IP path performance characteristics between a pair of B-Series FCIP port endpoints.
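To show at the frame level what a vlantag entry with VLAN ID 100 and L2 CoS 3 does, here is an added example (not from the manual or from HP/Brocade) that builds and decodes the IEEE 802.1Q tag: the L2 CoS is the 3-bit 802.1p priority (PCP) and the VLAN ID the 12-bit VID of the tag's TCI field, and the ranges enforced (VLAN 1-4094, CoS 0-7) are the standard ones. The sample Ethernet frame is constructed.

```python
"""Build and decode the IEEE 802.1Q tag a vlantag entry applies to a frame.

Added example, not from the Fabric OS manual. SAMPLE_FRAME is constructed.
"""
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

# Constructed untagged frame: dst MAC, src MAC, EtherType 0x0800 (IPv4), padding.
SAMPLE_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                + b"\x08\x00" + b"\x00" * 46)


def build_tci(vlan_id: int, l2cos: int, dei: int = 0) -> int:
    """Pack PCP (3 bits, the L2 CoS), DEI (1 bit) and VID (12 bits) into the 16-bit TCI."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094 (0 and 4095 are reserved)")
    if not 0 <= l2cos <= 7:
        raise ValueError("L2 CoS (802.1p priority) must be 0-7")
    if dei not in (0, 1):
        raise ValueError("DEI must be 0 or 1")
    return (l2cos << 13) | (dei << 12) | vlan_id


def parse_tag(frame: bytes):
    """Return {'vid', 'pcp', 'dei'} for a tagged frame, or None if it is untagged."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return {"vid": tci & 0x0FFF, "pcp": tci >> 13, "dei": (tci >> 12) & 1}


def tag_frame(frame: bytes, vlan_id: int, l2cos: int) -> bytes:
    """Insert the 4-byte tag between the MAC addresses and the original EtherType."""
    if len(frame) < 14:
        raise ValueError("too short to be an Ethernet frame")
    if parse_tag(frame) is not None:
        raise ValueError("frame already carries an 802.1Q tag")
    tag = struct.pack("!HH", TPID_8021Q, build_tci(vlan_id, l2cos))
    return frame[:12] + tag + frame[12:]


def untag_frame(frame: bytes) -> bytes:
    """Strip the tag and restore the original frame; untagged input is returned unchanged."""
    if parse_tag(frame) is None:
        return frame
    return frame[:12] + frame[16:]


if __name__ == "__main__":
    tagged = tag_frame(SAMPLE_FRAME, vlan_id=100, l2cos=3)
    print("TCI = 0x%04x" % build_tci(100, 3), parse_tag(tagged))
```

Decoding a captured frame with parse_tag is a quick way to confirm that the switch port really emits the VLAN and priority you configured, since a mismatch with the upstream switch's trunk configuration silently drops the tunnel traffic.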
WAN tool performance characteristics
Table 96 lists the end-to-end IP path performance characteristics that you can display using the portCmd ipPerf command and option. All four of the base ipPerf performance characteristics (bandwidth, loss, RTT, PMTU) are provided in the command output in Fabric OS 5.2.0 or later.
Table 96 WAN tool performance characteristics
Characteristic | Description
Bandwidth | Indicates the total packets and bytes sent.
The following example shows the results of the performance analysis for slot 8, port ge0:
ipperf to 192.41.70.43 from IP interface 192.41.70.42 on 0/1:3227
Sampling frequency(30s) Total time(30s) BW:112.73MBps WBW:55.57MBps Loss(%):0.00 Delay(ms):23 PMTU:1500
Sampling frequency(30s) Total time(60s) BW:112.77MBps WBW:83.61MBps Loss(%):0.00 Delay(ms):23 PMTU:1500
Sampling frequency(30s) Total time(90s) BW:112.43MBps WBW:97.46MBps Loss(%):0.
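As an added example (not from the manual or from HP/Brocade), the following Python parses ipPerf sample lines in the format shown above and flags samples that fall outside a baseline. The first two sample lines repeat the manual's figures; the third is constructed to show a path whose loss, delay and PMTU have degraded. The thresholds are illustrative assumptions, not values the manual recommends; set them from your own measured baseline.

```python
"""Parse portCmd ipPerf sample lines and flag samples outside a baseline.

Added example, not from the Fabric OS manual. Sample output partly constructed;
the thresholds in assess() are assumptions for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_IPPERF_OUTPUT = """\
ipperf to 192.41.70.43 from IP interface 192.41.70.42 on 0/1:3227
Sampling frequency(30s) Total time(30s) BW:112.73MBps WBW:55.57MBps Loss(%):0.00 Delay(ms):23 PMTU:1500
Sampling frequency(30s) Total time(60s) BW:112.77MBps WBW:83.61MBps Loss(%):0.00 Delay(ms):23 PMTU:1500
Sampling frequency(30s) Total time(90s) BW:98.10MBps WBW:90.02MBps Loss(%):0.35 Delay(ms):41 PMTU:1400
"""

_LINE = re.compile(
    r"Sampling frequency\((\d+)s\)\s+Total time\((\d+)s\)\s+"
    r"BW:([\d.]+)MBps\s+WBW:([\d.]+)MBps\s+Loss\(%\):([\d.]+)\s+"
    r"Delay\(ms\):(\d+)\s+PMTU:(\d+)"
)


@dataclass(frozen=True)
class IpperfSample:
    sampling_s: int
    total_s: int
    bw_mbps: float    # BW column as printed (MBps)
    wbw_mbps: float   # WBW column as printed (MBps)
    loss_pct: float
    delay_ms: int
    pmtu: int


def parse_ipperf(text: str) -> list[IpperfSample]:
    """Return one sample per 'Sampling frequency' line; other lines are ignored."""
    samples = []
    for line in text.splitlines():
        m = _LINE.search(line)
        if not m:
            continue
        s, t, bw, wbw, loss, delay, pmtu = m.groups()
        samples.append(IpperfSample(int(s), int(t), float(bw), float(wbw),
                                    float(loss), int(delay), int(pmtu)))
    return samples


def assess(samples, max_loss_pct=0.1, max_delay_ms=30, min_pmtu=1500):
    """Return (total_s, metric) pairs for every sample outside the baseline.

    A PMTU below the interface MTU means packets are fragmented or dropped
    on the path, which hurts tunnel throughput as much as outright loss.
    """
    findings = []
    for s in samples:
        if s.loss_pct > max_loss_pct:
            findings.append((s.total_s, "loss"))
        if s.delay_ms > max_delay_ms:
            findings.append((s.total_s, "delay"))
        if s.pmtu < min_pmtu:
            findings.append((s.total_s, "pmtu"))
    return findings


if __name__ == "__main__":
    for total_s, metric in assess(parse_ipperf(SAMPLE_IPPERF_OUTPUT)):
        print(f"t={total_s}s: {metric} outside baseline")
```

Run over the saved output of a longer ipPerf session, the assess function gives a simple before/after comparison when a WAN provider changes the path.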
-S Operates the WAN tool FCIP port-embedded client in the sender mode. The test endpoint will generate a traffic stream and report the end-to-end IP path characteristics from this endpoint toward the receiver endpoint. This option cannot be used with the -R option.
-R Operates the WAN tool FCIP port-embedded client in the receiver mode. The test endpoint will accept a connection and traffic stream from the sender. This option cannot be used with the -S option.
-v vlan_id The VLAN ID. Values must be in the range of 1 - 4094. There is no default value. Note that a VLAN tag entry must exist on the local and remote sides prior to issuing the -v option. A VLAN Tag table entry will be dynamically maintained by the ipperf application. See the portCfg help page for details on creating a VLAN tag table.
-w wait_time The time to wait for the response of each ping request. This parameter is specified in milliseconds and the default value is 5000 milliseconds (5 sec).
FCIP tunnel performance characteristics
You can use the portShow fcipTunnel command to view the performance statistics and monitor the behavior of an online FCIP tunnel. To view detailed fcipTunnel statistics, you must specify either the -perf or -params option. The command syntax is as follows.
portShow fciptunnel [Slot]/ge0|ge1 all|tunnel ID -perf -params
The following example shows the portShow fcipTunnel command with the -perf option to display the performance characteristics of tunnel 0.
The following example shows the portShow fcipTunnel command with the -params option to display the parameters of tunnel 0:
switch:admin06> portshow fciptunnel 8/ge0 0 -params
Slot: 8 Port: ge0
------------------------------------------
Tunnel ID 0
Remote IP Addr 192.175.4.200
Local IP Addr 192.175.4.100
Remote WWN Not Configured
Local WWN 10:00:00:60:69:e2:09:be
Compression on
Fastwrite off
Committed Rate 300000 Kbps (0.
556200 Bps 30s avg, 491394 Bps lifetime avg
22 FICON fabrics
Fabric OS support for FICON
IBM Fibre Connection (FICON®) is an industry-standard, high-speed input/output (I/O) interface for mainframe connections to storage devices. Fabric OS supports intermix mode operations, in which FICON and Fibre Channel technology work together.
• Port binding is a security method for restricting host or storage devices that connect to particular switch ports. The DCC policy also binds device ports to switch ports. Policies range from completely restrictive to reasonably flexible, based on customer needs. SCC ACL with strict fabric-wide consistency is necessary for FICON switch binding.
predefined list of switches (domains) to exist in the fabric and prevents other switches from joining the fabric. This type of configuration is described in ”Configuring a high-integrity fabric” on page 500. Control Unit Port (CUP) Control Unit Port (CUP) protocol is used by IBM mainframe management programs to provide in-band management for FICON switches. When it is enabled, you can set up directors in a FICON environment to be managed through IBM mainframe management programs.
will result in a port that appears as:
Index Slot Port Address
========================
252 12 28 3e0200
Port addresses that have not been assigned to a Logical Switch will appear as “uninstalled” in the PIB’s Port Descriptor.
NOTE: The CUP port address will always be xxFExx. Port Addresses xxFExx and xxFFxx are unavailable to assign to physical ports.
CUP Limitations
You can configure up to two CUP switches as Logical Switches in a Virtual Fabric-enabled platform for FICON FMS mode.
Table 97 Fabric OS commands related to FICON and FICON CUP (continued) Command Description ficoncupshow fmsmode Displays the FICON Management Server mode setting for the switch. ficoncupshow modereg Displays the mode register bit settings for the switch. NOTE: The Fabric OS CLI supports only a subset of the management features for FICON fabrics. The full set of FICON CUP administrative procedures is available using the Data Center Fabric Manager and Web Tools software features.
Preparing a switch for FICON To verify and prepare a switch for use in a FICON environment, complete the following steps. 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the switchShow command to verify that the switch and devices are online. 3.
Figure 84 Cascaded configuration, two switches (Channel A; Switch Domain ID = 21; Switch Domain ID = 22; Control Unit B)
Figure 85 Cascaded configuration, three switches (Channel A; Switch Domain ID = 21; Switch Domain ID = 22; Switch Domain ID = 23; Control Unit C; Control Unit D)
Setting unique domain IDs
In a cascaded configuration, each switch must have a unique domain ID, and insistent domain ID (IDID) mode must be enabled.
1.
8. Enter the switchEnable command to re-enable the switch.
switch:admin> configure
Configure...
Fabric parameters (yes, y, no, n): [no] yes
Domain: (1..239) [3] 5
R_A_TOV: (4000..120000) [10000]
E_D_TOV: (1000..5000) [2000]
Data field size: (256..2112) [2112]
Sequence Level Switching: (0..1) [0]
Disable Device Probing: (0..1) [0]
Suppress Class F Traffic: (0..1) [0]
VC Encoded Address Mode: (0..1) [0]
Per-frame Route Priority: (0..1) [0]
Long Distance Fabric: (0..1) [0]
BB credit: (1..
• For all switches defined in the fabric: ficonShow ilir fabric
Port swapping
If a port malfunctions, or if you want to connect to different devices without having to re-wire your infrastructure, you can move a port’s traffic to another port (swap ports) without changing the I/O Configuration Data Set (IOCDS) on the mainframe computer.
IMPORTANT: Ports that have been swapped cannot be moved to another Logical Switch.
1. Connect to the switch and log in using an account assigned to the admin role.
2.
If Advanced Zoning is in use, see ”Zoning and PDCM considerations” on page 508.
Setting up FICON CUP
To set up FICON CUP, use the following procedure and be sure to perform the steps in the order indicated.
1. Take the appropriate action based on whether you have both B- and M-series switches in your fabric:
• If you have both series, verify that the Fabric Mode is set to 2 on the supported platforms.
• If you do not have both series, proceed to step 2.
2.
• PDCM values are read from the IPL; the default is “Allow All.” • Advanced Zoning, if used, continues to be in force. If there are any differences in restrictions set up with Advanced Zoning and PDCM, the most restrictive rules are automatically applied. • RSCNs are sent to devices if PDCM results in changes to connectivity between a set of ports. Changing fmsmode from enabled to disabled triggers the following events: • A device reset is performed on the control device. • PDCM is no longer enforced.
change it and notify the channel of the change. The channel will ask what the MIHPTO is set to during the time where it is bringing that link to the CUP online. The MIHPTO setting will persist across reboots, POR, and failovers. Setting this value to the upper end of the time range will allow the CUP to process more requests, such as at peak usage times, without timing out the channels. HP recommends that the value should be set to 180 seconds in a SAN with B- and M-Series switches.
To display the mode register bit HCP for the switch:
switch:admin> ficoncupshow modereg HCP
HCP
0
Setting the mode register bits
Use the ficonCupSet modereg command to set the FICON CUP mode register bits for the local switch. Consider the following when changing mode register bits:
• As required by the CUP protocol, the UAM bit cannot be changed using this command.
• All mode register bits except UAM are saved across power on/off cycles; the UAM bit is reset to 0 following a power-on.
• CUP employs 8-bit characters in port address names and switch names; Fabric OS employs 7-bit characters. When fmsmode is enabled, all characters greater than 0x40 and not equal to 0xFF (EBCDIC code page 37 [0x25]) are allowed in the name; therefore, it is possible for a channel to set a name with nonprintable characters. If a name contains nonprintable characters, they are displayed as dots (...).
Uploading the configuration files See Chapter 5, ”Maintaining the switch configuration file” on page 163 for more information on the configUpload command. When you execute the configUpload command, all the files saved in the file access facility are uploaded to a management workstation (there is a section in the uploaded configuration file labeled “FICON_CUP” that exists in an encoded format).
Table 99 FICON configuration worksheet (continued)
FICON® Switch Configuration Worksheet
FICON® Switch Manufacturer: ___________________ Type: _________ Model: ______ S/N: ________
HCD Defined Switch ID _________ (Switch ID)
FICON® Switch Domain ID _________ (Switch @)
Cascaded Directors No _____ Yes _____
Corresponding Cascaded Switch Domain ID _____
Fabric Name ________________________________
FICON® Switch F_Ports | Attached N_Ports / E_Ports (CU, CPC, or ISL)
Slot Number | Port Number | Port Address
For more information on switch numbering, see the IBM publication FICON® Implementation Guide (SG24-6497-00). In the following sample IOCP configuration file, the UNIT value for FICON CUP definitions is 2032 for any FICON director regardless of vendor or platform. All B-Series switches require UNIT=2032 for the CUP definition. All Domain IDs are specified in hex values in the IOCP (and not in decimal values); the Domain IDs in the example are for demonstration purposes only.
23 Configuring and monitoring FICON Extension Services
This chapter describes the FICON extension concepts, configuration procedures, and tools and procedures for monitoring network performance. Commands described in this chapter require Admin or root user access. See the Fabric OS Command Reference for detailed information on command syntax.
FICON extension products licensing
Several specific licensed features are available for FICON extension. These include the following.
• XRC emulation.
FICON emulation requirement for a determinate path FICON emulation processing creates FICON commands and responses on extended FICON Channel Path IDs (CHPIDs), and must know exactly what exchanges are occurring between a Channel and a control unit (CU) on a CHPID to function correctly. For FICON Emulation processing to function correctly, the responses to Host I/O (channel I/O) must be carried on the same ISL as the commands.
XRC emulation The eXtended Remote Copy (XRC) application is a DASD application that implements disk mirroring, as supported by the disk hardware architecture and a host software component called System Data Mover (SDM). The primary volume and the secondary mirrored volume may be geographically distant across an IP WAN. The latency introduced by greater distance creates delays in anticipated responses to certain commands.
• tape read pipelining.
• -b 1|0 enables or disables FICON read block ID. 1 is enable, 0 is disable.
• wrtMaxPipe value defines a maximum number of channel commands that may be outstanding at a given time during write pipelining. Too small a value will result in poor performance. The value should be chosen carefully based upon the typical tape channel program that requires optimum performance. The default value is 32. The range is 1-100.
FICON emulation configuration values You can display the values configured for FICON emulation by issuing the portShow ficon command.
• -r 1|0 enables or disables tape read pipelining. 1 is enable, 0 is disable.
• -t 1|0 enables or disables TIN/TUR emulation. 1 is enable, 0 is disable. This option should be enabled when one or all of the following features are enabled:
• XRC emulation.
• tape write pipelining.
• tape read pipelining.
• -l 1|0 enables or disables device level ACK emulation. 1 is enable, 0 is disable. This option should be enabled when one or all of the following features are enabled:
• XRC emulation.
• -globals are general FICON Controls/Statistics. • -images are discovered Images (FCUB). • -emul represents emulated FDCBs. • -active represents active FDCBs. • -epcb is the emulation Control Block (port specific). • -fhpb is the FICON Host Path Block. • -fdpb adrs is the FICON Device Path Block. • -fchb is the FICON Channel Control Block. • -fcub is the FICON Control Unit Control Block. • -fdcb adrs is the FICON Device Control Block. • -mem adrs displays 1250 memory in 256 byte increments.
Tape output example: TAPE EMULATION STATS +----------+----------------+-+-----+----+----+----+-----------+----------+------+----------+----+ | FDCB Ptr | Path |H|State|Emul|Emul|Rtry| Emulated |Emulated | (0x) |D| |Read CCWs | Size |Write CCWs| Size | (0x) | |Pipe|Q'd | Qd | Tape Ops |RdAvg |Emulated |WtAvg | +----------+----------------+-+-----+----+----+----+-----------+----------+------+----------+----+ |0x10018A00|2463016406050000|H| 0x14|0x20|000E|0000| 13212| 0| 0| 125754| 32760| |0x
XRC output example: XRC EMULATION STATS +----------+----------------+-+-----+----+----+----+----+-----------+---+------+------+ | FDCB Ptr | Path |H|State|Cmds| Cmd|Data|Data| Emulated |Avg| RRS| RRS | | (0x) |D| |RRS| TLF| Read| (0x) | | Qd | Max| Qd |Max | RRS Ops +----------+----------------+-+-----+----+----+----+----+-----------+---+------+------+ |0x1017DC00|24B100B20E11092B|H| 0x00|0000|000F|0000|0230| 47184|213| 25636| 16063| |0x104B4C00|24B100B20E1109F7|H| 0x00|0000|000F|0000|01E0|
A Configuring the PID format
PIDs and PID binding overview
Port identifiers (called PIDs) are used by the routing and zoning services in Fibre Channel fabrics to identify ports in the network. All devices in a fabric must use the same PID format, so when you add new equipment to the SAN, you might need to change the PID format on legacy equipment.
NOTE: Any switch running Fabric OS 6.1.0 or later uses the Core PID format, which cannot be modified.
PID formats
HP StorageWorks switches employ the following types of PID formats:
• VC encoded is the format defined by the HP Fibre Channel Switch 8 and 16. Connections to these switches are not supported in Fabric OS 4.0.0 and later.
• Native was introduced with the HP StorageWorks SAN Switch 8 and 16, and HP StorageWorks SAN Switch 8-EL and 16-EL. This format supports up to 16 ports per switch.
which is capable of addressing higher port counts. Changing from Native PID format to Core PID format changes the PID, which requires hosts that use port binding to be rebooted. Static PID mapping errors If you can avoid using drivers that employ static PID binding, you should do so. With the WWN or dynamic PID binding most typically used with drivers, changing the device’s PID does not affect the PID mapping.
NOTE: Switches that are queried using outside calls should be configured using PID 1 (core PID) to ensure that the correct port numbering is used in other management applications. Table 101 shows various combinations of existing fabrics, new switches added to those fabrics, and the recommended PID format for that combination. The criteria for the recommendations are first to eliminate host reboots, and second to minimize the need for a host reboot in the future.
• JBOD drive firmware versions
• Multipathing software versions
• HBA time-out values
• Multipathing software timeout values
• Kernel timeout values
• Configuration of switch
2. Make a list of manually configurable PID drivers. Some device drivers do not automatically bind by PID, but allow the operator to manually create a PID binding. For example, persistent binding of PIDs to logical drives might be done in many HBA drivers. Make a list of all devices that are configured this way.
Changing the PID format Whether it is best to perform an offline or online update depends on the uptime requirements of the site. Following are some aspects of offline and online changes: • An offline update must have all devices attached to the fabric be offline. • With careful planning, it should be safe to update the core PID format parameter in a live, production environment. This requires dual fabrics with multipathing software.
6. Reenable the switches in the updated fabric one at a time. In a core/edge network, enable the core switches first. 7. After the fabric has reconverged, use the cfgEnable command to update zoning. 8. Bring the devices online in the order appropriate to the SAN. This usually involves starting up the storage arrays first, and the hosts last. 9. For any devices manually bound by PID, bring the device back online, but do not start applications. Update their bindings and reboot again if necessary.
Before changing the PID format, determine if host reboots will be necessary. The section ”Host reboots” on page 524 summarizes the situations that may require a reboot.
switch:admin> switchdisable
switch:admin> configure
Configure...
Fabric parameters (yes, y, no, n): [no] y
Domain: (1..239) [1]
BB credit: (1..27) [16]
R_A_TOV: (4000..120000) [10000]
E_D_TOV: (1000..5000) [2000]
WAN_TOV: (1000..120000) [0]
Data field size: (256..2112) [2112]
Sequence Level Switching: (0..1) [0]
Disable Device Probing: (0..
The following sections contain a basic procedure that summarizes the steps necessary to perform PID format changes without disrupting the fabric, and special procedures for HP-UX and AIX.
Basic procedure for changing the PID format
This process should be executed as part of the overall online or offline update process. However, it can be implemented in a stand-alone manner on a non-production fabric, or on a switch that has not yet joined a fabric.
1.
At this point, all switches in the fabric are operating in the new addressing mode. HP-UX procedure for changing the PID format This procedure is not intended to be comprehensive. It provides a starting point from which a SAN administrator could develop a site-specific procedure for a device that binds automatically by PID, and cannot be rebooted due to uptime requirements. 1. Back up all data. Verify backups. 2.
# ioscan -funC disk
Class I H/W Path Driver S/W State H/W Type Description
-------------------------------------------------------------------------------------
disk 0 0/0/1/1.2.0 sdisk CLAIMED DEVICE SEAGATE ST39204LC
/dev/dsk/c1t2d0 /dev/rdsk/c1t2d0
disk 1 0/0/2/1.2.0 sdisk CLAIMED DEVICE HP DVD-ROM 304
/dev/dsk/c3t2d0 /dev/rdsk/c3t2d0
disk 319 0/4/0/0.1.2.255.14.8.0 sdisk CLAIMED DEVICE SEAGATE ST336605FC
/dev/dsk/c64t8d0 /dev/rdsk/c64t8d0
disk 320 0/4/0/0.1.18.255.14.8.
10. Rebuild the device entries for the affected fabric using the cfgMgr command. For example:
cfgmgr -v
This command might take several minutes to complete.
11. Perform the appropriate actions based on whether you are using multipathing software:
• If you are not using multipathing software, vary the disk volume groups online. The proper usage is varyonvg followed by the volume group name. For example:
varyonvg datavg
• If you are not using multipathing software, mount all devices again and restart I/O.
6. Disable the port swap feature:
portswapdisable
Table 102 Physical port numbers and logical area IDs for swapped ports
Slot | Slotport | Swport | Area
2 | 2 | 18 | 19
2 | 3 | 19 | 18
B Understanding legacy password behavior
This appendix provides password information for early versions of Fabric OS firmware.
Password management information
Table 103 describes the password standards and behaviors between various versions of firmware.
Table 103 Account/password characteristics matrix
Topic | 4.0.0 | 4.1.0 to 4.2.0 | 4.4.0 and later
Number of default accounts on the switch | 4, chassis-based Core Switch 2/64 8 for the director, 4 per switch. All other switches and directors - 4.
Table 103 Account/password characteristics matrix (continued) Topic 4.0.0 4.1.0 to 4.2.0 4.4.0 and later Can passwd change higher-level passwords? For example, can admin change root password? Yes, but will ask for the old password of the higher-level account (example root). Yes; if users connect as admin, they can change the root, factory, and admin passwords. However, if you connect as user, you can change only the user password. 4.4.0 to 5.1.
Password migration during firmware changes
Table 105 describes the expected outcome of password settings when upgrading or downgrading firmware for various Fabric OS versions.
Table 105 Password migration behavior during firmware upgrade/downgrade
Topic | 4.4.0 to 5.0.1 | 5.0.1 and later
Passwords used when upgrading to a newer firmware release for the first time. | Default accounts and passwords are preserved. | Default accounts and passwords are preserved.
C Mixed fabric configurations for non-merge SANs
For information on HP supported interop configurations, refer to the HP StorageWorks Fabric interoperability: merging fabrics based on M-Series and B-Series Fibre Channel switches on the following HP website: http://h18000.www1.hp.com/products/storageworks/san/documentation.html.
D Migrating from an MP Router to a 400 MP Router
Introduction to MP Router upgrades
This appendix describes how to upgrade routers in your fabric with the least disruption, while providing better performance and scalability. Improper implementation could lead to a change in the xlate Domain IDs and proxy device PIDs, which may cause disruption in the fabric. FC routers are deployed in different configurations in a fabric.
Redundant configuration
Figure 89 shows an example of a simple redundant configuration, in which the old routers can be removed one by one. For example, FC router 2 can be replaced with the new FC router. You are expected to maintain the connections to the edge fabrics and the other router, the same as with the old router.
In the Multi-Protocol Router, end devices are allowed to be directly connected, but these devices cannot be imported to other edge fabrics (using LSAN zones). During the upgrade process, these devices will face disruption unless redundancy is provided at the device end. The 400 MP Router allows the end devices to be imported to edge fabrics.
Configuring a new FC router
To configure the new router:
1. Log in to the new router as admin.
2. Enable FCR functionality on the 400 MP Router.
a.
E Inband Management
Inband Management overview
Inband Management on the HP StorageWorks 400 Multi-Protocol Router allows a management station to communicate with the CP through the GE ports for tasks such as downloading firmware, SNMP polling, SNMP traps, troubleshooting, and configuration. To facilitate this communication, the HP StorageWorks 400 Multi-Protocol Router uses IP forwarding and IP routing to forward IP traffic through the switch to the management station.
Figure 91 Inband Management process
The NAT IP table is loaded and automatically configured on bootup. The source address NAT is configured on the inband management interfaces to use the address of the CP management interface (eth0). The switch automatically uses the IP address of the CP management interface to source address NAT the new inband management interfaces, so no additional configuration is required.
routeadd destination netmask [gateway] Adds a route to the management station for an existing CP or GbE port (CP or GbE designation is made automatically). You must specify the destination IP address and the subnet mask when adding a management route. You must create the IP addresses for the CP and the GbE port interfaces before you can add a route to the routing table. routedel destination netmask Deletes a management route from an internal CP or a GbE port interface.
is specified, it is assumed that the management station is on the same subnet as the external GE IP address, so no route is created on the GE port processor. Only a route on the CP is created, with the internal GE port processor inband device address as the gateway. The routes configured using the portCfg inbandmgmt command behave differently from the normal routes configured using the portCfg iproute command, but they still use entries in the routing table.
FIPS
To maintain security while in FIPS mode, these devices will not function if FIPS mode is enabled. If these devices are configured and you try to enter FIPS mode, an error will occur. You must delete the configuration of these devices prior to entering FIPS mode.
Examples of supported configurations
The examples below demonstrate how to set up your HP StorageWorks 400 Multi-Protocol Routers using two different network scenarios.
b. Add the route on the Management Station that is going to the 7500 R1.
linux> route add -host 10.1.2.20 gw 192.186.3.20
Configuring a Management Station on different subnets
For a configuration with multiple subnets, the routes must be added to all intermediate hops in the network. To minimize the impact on IP traffic and limit the possibility that unnecessary access will be given, a host-specific route can be used on all routes specified for the HP StorageWorks 400 Multi-Protocol Routers.
3. Configure the routes on Router A.
a. Configure the route going to the 7500 L1 management address.
linux> route add -host 10.1.1.10 gw 192.168.1.10
b. Configure the route on the router going to the Management Station.
linux> route add -net 192.168.3.0/24 gw 172.0.1.3
4. Configure the routes on Router B.
a. Configure the route going to the 7500 R1 management address.
linux> route add -host 10.1.2.20 gw 192.168.2.20
b. Configure the route going to the Management Station.
linux> route add -net 192.168.3.
F Using Remote Switch
This appendix provides information on the Remote Switch feature.

About Remote Switch
The Remote Switch feature, which aids in ensuring gateway compatibility, was formerly a licensed feature. Its functionality is now available as part of the Fabric OS standard feature set through the use of the portCfgIslMode command, which is described in "Gateway links" on page 56.
NOTE: Consult your gateway vendor for supported and qualified configurations.
• R_A_TOV: Specify a Resource Allocation Timeout Value compatible with your gateway device.
• E_D_TOV: Specify an Error Detect Timeout Value compatible with your gateway device.
• Data field size: Specify the maximum Fibre Channel data field reported by the fabric. Verify the maximum data field size the network bridge can handle. Some bridges may not be able to handle a maximum data field size of 2112.
Index A AAA service requests 83 access active ports 49 browser support 108 changing account parameters 73 CP blade 88 creating accounts 71 deleting accounts 72 full fabric 49 IP address changes 30 log in fails 30 NTP 40 password, changing 32 remote access policies 91 secure, HTTPS 108 secure, SSL 108 SNMP ACL 101 accessing switches and fabrics 114 account ID 30 account lockout policy 77 duration 78 threshold 78 accounts changing parameters 73 creating 71 deleting 72 displaying information 71 managing passwo
audience 25 Auth policy 127 authenticating users 67 authentication configuring 83, 320 defining iSCSI VT to iSCSI initiator 312 local 98 auto-leveling, FR4-18i blade 221, 229 B backbone fabric ID 377 backbone-to-edge routing 372, 377 backing up a configuration 165 base switches about 178 creating 185 basic connections 55 binding user names 321 blades compatibility 275, 278 disabling and enabling 273 displaying slot information 279 enabling exceptions for the FC4- and FC8-48 275 enabling exceptions for the
Speed LSAN tag 393 SSL 108 switch 95 switch, RADIUS client 90 switch, single 500 Windows RADIUS client 90 zone 328 zone, rules for 240 connecting multiple EX_Ports to an edge fabric 375 connecting to devices 56 connection network 311 restrictions 70 serial 30 telnet 30 connection redirection disabling 305 displaying status 306 enabling 305 load balancing 305 conventions document 26 text symbols 26 core/edge topology and ISL trunking 436 CP blade 47 access 88 creating accounts 71 address resolution protocol
related documentation 26 domain ID, insistent 495 domain, phantom 374 E edge-to-edge routing 377 effective AD configuration 199 effective zone configuration 236 enabling discovery domain sets 320 port 55 Virtual Fabrics 184 zone configuration 328 zone configurations 255 enabling and disabling ISL trunking 440 encryption 108 end-to-end monitors adding 407 deleting 410 restoring configuration 421 saving configuration 421 setting a mask 409 end-to-end performance monitoring 406 enforce LSAN tag 390 equipment
configuration, high-integrity fabric 500 CUP 503 disabling IDID mode 498 disabling the management server mode 504 displaying information 502 dynamic load sharing 499 enabling IDID mode 498 enabling the management server mode 504 fmsmode setting, displaying 505 FRU failure monitoring 498 FRU failures 502 IDID 495 intermix mode 495 link incidents, displaying 498, 502 mode register bit settings, displaying 506 node identification data 502 persistently enabling/disabling ports 507 port and switch naming standard
assigning 311 port 312 IP Filter supported services 137 IP routes adding static 311 IP-NAT 374 IPsec 3DES 149 AES 149 algorithms 148 Authentication Header protocol 148 block cipher 149 Blowfish 149 configuration on the management interface 146 Encapsulating Security Payload protocol 148 FCIP 460 FCIP changeable parameters 462 FCIP configuration 461 FCIP fixed parameters 462 flushing SAs 154 HMAC 149 IKE policies 150 key management 150 manual key entry 151 policies 149, 150 pre-shared key 151 sa-proposal 148
J Java support, SSL 108 Java version 108 L legacy FCR switches 403 license advanced zoning 325 license ID 46 licensed features 43 licenses Extended Fabrics 423 license ID 46 overview 43 remove feature 48 limiting traffic from a device 360 linking through a gateway 56 Linux, configuring RADIUS on 88 LISL 179 listing FC targets 316 load balancing, See connection redirection local authentication overview 98 local clock 40 LOCL 40 logging timestamp 37 logical fabrics about 177 changing context 188 logical ISLs
PROM 78 recovery 81 recovery string 79 rules 73 set PROM 79, 80 password expiration policy 76 password management information 537 password migration during firmware changes 539 password policies 75 password prompting behaviors 538 password recovery options 539 password strength policy 75 permissions and roles 68 phantom domains 371, 372 physical fabric administrator 193 physical FC targets 302 PID 10-bit addressing mode 523 256-area addressing mode 523 AIX procedure 533 basic procedure 531 binding 523 chang
filter-based monitors 413 licensed feature 48 LSAN tags 393 members from a zone configuration 255 ports from logical switches 186 zone configurations 255 zone members 247 renaming Admin Domains 205 requirements Admin Domains 193 resolving zone conflicts 262 restoring monitor configuration 421 Role-Based Action Control. See RBAC.
switch firmware version, finding 216 switch names 40 switch WWN in Admin Domains 197 SWL, ISL Trunking support for 435 symbols in text 26 system-defined Admin Domains 194 T tags for LSAN zones 390 Tape Pipelining 466 Tape pipelining 514 tape read and write acceleration 466 tape write acceleration 514 technical support, HP 27 telnet connection 30 text symbols 26 TI zones 339 activating 354 changing state 354 creating 350 creating in a base fabric 352 deactivating 354 deleting 354 displaying 355 modifying 35
working with domain IDs 41 WWN 47, 326 displaying FC target information 325 displaying iSCSI virtual initiator information 326 virtual target creation 315 WWNs switch WWNs in Admin Domains 197 X XISL, about 178 xlate domains 373 Z zone adding a new switch or fabric 260 adding members 247 administering security 262 alias, adding members 244 alias, deleting 245 alias, removing members 245 alias, viewing 246 aliases 236 aliases, creating and managing 243 all access 250 all access in iSCSI 324 configuration,
Figures
Windows 2000 VSA configuration . . . 86
Example of a Brocade DCT file . . . 92
Example of the dictiona.dcm file . . .
A metaSAN with interfabric links . . . 369
A metaSAN with edge-to-edge and backbone fabrics and LSAN zones . . . 370
Edge SANs connected through a backbone fabric . . . 371
MetaSAN with imported devices . . .
Tables
Switch model naming matrix . . . 25
Document conventions . . . 26
Default administrative account names and passwords . . .
Enforcing hardware zoning . . . 238
Considerations for zoning architecture . . . 240
Zoning database limitations . . . 251
Resulting database size: 0 to 96K . . .