HP A7533A - Brocade 4Gb SAN Switch Base Administrator's Manual

HP StorageWorks Fabric OS 6.x administrator guide (5697-0015, May 2009)

Summary of Contents for HP A7533A - Brocade 4Gb SAN Switch Base

  • Page 1 HP StorageWorks Fabric OS 6.x administrator guide Part number: 5697-0015 edition: May 2009...
  • Page 2 © Copyright 2008-2009 Brocade Communications Systems, Incorporated. Hewlett-Packard Company makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
  • Page 3: Table Of Contents

    Contents About this guide ............19 Supported Fabric OS 6.x HP StorageWorks hardware .
  • Page 4 Disabling and enabling ports ............44 Making basic connections .
  • Page 5 Ensuring network security............86 Configuring the Telnet protocol.
  • Page 6 Cloning an IP Filter policy ............116 Displaying an IP Filter policy .
  • Page 7 Firmware upgrade and downgrade scenarios ........151 Managing Admin Domains .
  • Page 8 By index ..............194 Basic blade management .
  • Page 9 HA and downgrade considerations..........237 IPFC over FCR .
  • Page 10 Backing up and restoring FICON configuration files ........275 Recording configuration information .
  • Page 11 Traffic isolation..............331 TI zone failover .
  • Page 12 Initializing trunking on ports............375 Monitoring traffic .
  • Page 13 FCIP fastwrite/tape pipelining configurations ........422 Unsupported configurations .
  • Page 14 Host reboots ............. . . 464 Static PID mapping errors .
  • Page 15 C Understanding legacy password behavior ....... . . 495 Password management information..........495 Password prompting behaviors.
  • Page 16 45 4/256 SAN Director with extended edge PID ........471 46 Typical configuration .
  • Page 17 56 Chassis configuration options ........... 201 57 Hardware and firmware compatibility for nonsecure fabrics .
  • Page 18 114 Password recovery options ........... . 497 115 Zone merging scenarios .
  • Page 19: About This Guide

    About this guide This guide provides information about: • Installing and configuring Fabric OS 6.x • Managing user accounts • Using licensed features Supported Fabric OS 6.x HP StorageWorks hardware Table 1 lists Brocade and HP StorageWorks product models supported by Fabric OS 6.x. Table 1 Switch model naming matrix Brocade product name...
  • Page 20: Intended Audience

    Intended audience This guide is intended for system administrators with knowledge of: • Storage area networks • HP StorageWorks Fibre Channel SAN switches Related documentation The following documents provide related information: • HP StorageWorks Fabric OS 6.x release notes • HP StorageWorks DC SAN Backbone Director hardware reference guide You can find these documents from the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals...
  • Page 21: Rack Stability

    NOTE: Provides additional information. TIP: Provides helpful hints and shortcuts. Rack stability Rack stability protects personnel and equipment. WARNING! To reduce the risk of personal injury or damage to equipment: • Extend leveling jacks to the floor. • Ensure that the full weight of the rack rests on the leveling jacks. •...
  • Page 22: Subscription Service

    Subscription service HP recommends that you register your product at the Subscriber's Choice for Business website: http://www.hp.com/go/e-updates. After registering, you will receive e-mail notification of product enhancements, new driver versions, firmware updates, and other product resources. HP websites For additional product information, see the following HP websites: •...
  • Page 23: Standard Features

    Standard features This chapter describes how to configure your HP StorageWorks SAN using the Fabric OS Command Line Interface (CLI). Before you can configure a Storage Area Network (SAN), you must power-up the Director or switch and blades, and then set the IP addresses of those devices. Although this chapter focuses on configuring a SAN using the CLI, you can also use the following methods to configure a SAN: •...
  • Page 24: Connecting To The Cli

    The following commands provide help files for specific topics to understand configuring your SAN: diagHelp (Diagnostic help information), ficonHelp (FICON help information), fwHelp (Fabric Watch help information), iscsiHelp (iSCSI help information), licenseHelp (License help information), perfHelp (Performance Monitoring help information), routeHelp (Routing help information), trackChangesHelp (Track Changes help information)...
  • Page 25: Using A Console Session On The Serial Port

    Verify that the login was successful. The prompt displays the switch name and user ID to which you are connected. login: admin password: xxxxxxx switch:admin> Using a console session on the serial port Note the following behaviors for serial connections: •...
  • Page 26: Changing Default Account Passwords At Login

    Every logical switch (domain) has a set of default accounts. The root and factory default accounts are reserved for development and manufacturing. The user account is primarily used for system monitoring. For more information on default accounts, see ”About the default accounts”...
  • Page 27: Configuring The Ethernet Interface

    Password changed. Saving password to stable storage. Password saved to stable storage successfully. switch:admin> Configuring the Ethernet interface You can use Dynamic Host Configuration Protocol (DHCP) for the Ethernet network interface configuration. The Ethernet (network) interface provides management access, including direct access to the Fabric OS CLI, and allows other tools, such as Web Tools, to interact with the switch.
  • Page 28: Setting Static Ethernet Addresses

    Setting static Ethernet addresses Use static Ethernet network interface addresses on HP StorageWorks 2/128, 4/256 SAN Director, DC Director models, and in environments where DHCP service is not available. To use static addresses for the Ethernet interface, you must first disable DHCP. You may enter static Ethernet information and disable DHCP at the same time.
  • Page 29: Configuring Dhcp

    Configuring DHCP By default, some HP switches have DHCP enabled; check the latest Fabric OS 6.x release notes for a complete list of switches. The 4/256 SAN Director and DC SAN Backbone Director (short name, DC Director) do not support DHCP. The Fabric OS DHCP client supports the following parameters: •...
  • Page 30: Setting The Date And Time

    When you are prompted for DHCP[On], disable it by entering off. switch:admin> ipaddrset Ethernet IP Address [192.168.74.102]: Ethernet Subnetmask [255.255.255.0]: Fibre Channel IP Address [220.220.220.2]: Fibre Channel Subnetmask [255.255.0.0]: Gateway IP Address [192.168.74.1]: DHCP [On]:off Setting the date and time Switches maintain the current date and time inside a battery-backed real-time clock (RTC) circuit.
  • Page 31 IMPORTANT: If you are downgrading to a Fabric OS version earlier than 6.x, or retaining the offset format, see prior versions of the Fabric OS Administrator’s Guide for detailed information about setting time zones using the offset format. See ”About the firmware download process”...
  • Page 32: Synchronizing Local Time Using Ntp

    The following procedure describes how to set the current time zone using interactive mode to Pacific Standard Time. To set the time zone interactively: Type the tsTimeZone command as follows: switch:admin> tstimezone --interactive You are prompted to select a general location. Please identify a location so that time zone rules can be set correctly.
  • Page 33: Customizing Switch Names

    The following example shows how to set up more than one NTP server using a DNS name: switch:admin> tsclockserver "10.32.170.1;10.32.170.2;ntp.localdomain.net" Updating Clock Server configuration...done. Updated with the NTP servers Changes to the clock server value on the principal or primary FCS switch are propagated to all switches in the fabric.
  • Page 34: Licensed Features

    The Fabric has 4 switches The fields in the fabricShow display are: Switch ID — The switch Domain_ID and embedded port D_ID Worldwide Name — The switch WWN Enet IP Addr — The switch Ethernet IP address for IPv4 and IPv6 configured switches. For IPv6 switches, only the static IP address displays FC IP Addr —The switch FC IP address Name —The switch symbolic name.
  • Page 35: Generating A License Key

    35 to activate. If you do not have a license key, launch an Internet browser and go to: http://webkey.external.hp.com/welcome.asp The Hewlett-Packard Authorization Center website main menu displays. Click Generate a license key. The HP StorageWorks Software License Key instruction page opens: Enter the information in the required fields.
  • Page 36: Removing A Licensed Feature

    Verify that the license was added by entering the licenseShow command. The licensed features currently installed on the switch display. If the feature is not listed, enter the licenseAdd command again. Some features may require additional configuration, or you may need to disable and reenable the switch to make them operational;...
  • Page 37: Features And Required Licenses

    Features and required licenses Table 4 lists the licenses that should be installed on the local switch and any connecting switches for a particular feature. Table 4 License requirements Feature License Where license should be installed Administrative No license required. Domains Configuration No license required.
  • Page 38: Inter-Chassis Link (Icl) Licensing

    Table 4 License requirements Feature License Where license should be installed Ports Ports on demand licenses. This license Local switch applies to a select set of switches. Adaptive Networking Local switch and attached switches. RADIUS No license required. RBAC No license required. Routing traffic No license required.
  • Page 39: Time-Based Licenses

    Time-based licenses A time-based license applies a try-before-you-buy approach to certain features so that you can experience the feature and its capabilities prior to buying the license. Once you have installed the license, you are given a time limit to use the feature. The following lists the types of licenses that have this feature: •...
  • Page 40: Activating Pod

    After you install a license key, you must enable the ports to complete their activation. You can do so without disrupting switch operation by issuing the portEnable command on each port. Alternatively, you can disable and reenable the switch to activate ports. NOTE: If you enable or disable an active port you will disrupt any traffic and potentially lose data flowing on that port.
  • Page 41: Displaying The Port License Assignment

    Displaying the port license assignment Use the licensePort show command to display the available licenses, the current port assignment of those licenses, and the POD method state (dynamic or static). To display the port licenses: Connect to the switch and log in using an admin account. Enter the licensePort show command.
  • Page 42: Disabling Dynamic Ports On Demand

    1, 2, 5, 6, 8*, 21, 22, 23 Ports assigned to the full POD license: None Ports not assigned to a license: 0, 3, 4, 7, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20 16 license reservations are still available for use by unassigned ports 1 license assignment is held by an offline port (indicated by *) Disabling Dynamic Ports on Demand Disabling the Dynamic POD feature (changing the POD method to static), erases any prior port license...
  • Page 43: Releasing A Port

    12 port assignments are provisioned by a full POD license 10 ports are assigned to installed licenses: 10 ports are assigned to the base switch license 0 ports are assigned to the full POD license Ports assigned to the base switch license: 1*, 2*, 3*, 4*, 5*, 6*, 8*, 21, 22, 23 Ports assigned to the full POD license: None...
  • Page 44: Disabling And Enabling Switches

    Ports assigned to the base switch license: 1*, 2*, 3*, 4*, 5*, 6*, 8*, 21, 22, 23 Ports assigned to the full POD license: None Ports not assigned to a license: 0, 7, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20 switch:admin>...
  • Page 45: Making Basic Connections

    For 4/256 SAN Director and DC Director: Enter the following command: switch:admin> portenable slotnumber/portnumber where slotnumber and portnumber are the slot and port numbers of the port you want to enable. (Slots are numbered 1 through 4 and 7 through 10, counting from left to right.) If the port is connected to another switch, the fabric may be reconfigured.
  • Page 46: Checking Status

    Any number of E_Ports in a fabric can be configured for gateway links, provided the following rules are followed: • All switches in the fabric must be upgraded to Fabric OS 5.2.0 or later. • All switches in the fabric are using the core PID format. •...
  • Page 47 Enter the haShow command to verify that HA is enabled, the heartbeat is up, and that the HA state is synchronized between the active and standby CP blades. Enter the slotShow command to display the inventory and the current status of each slot in the system. To verify fabric connectivity: Connect to the switch and log in using an account assigned to the admin role.
  • Page 48: Tracking And Controlling Switch Changes

    Tracking and controlling switch changes The track changes feature allows you to keep a record of specific changes that may not be considered switch events, but may provide useful information. The output from the track changes feature is dumped to the system messages log for the switch.
  • Page 49 To view the switch status policy threshold values: Connect to the switch and log in using an account assigned to the admin role. Enter the switchStatusPolicyShow command. Whenever there is a switch change, an error message is logged and an SNMP connUnitStatusChange trap is sent.
  • Page 50: Configuring The Audit Log

    Verify the threshold settings you have configured for each parameter. Enter the switchStatusPolicyShow command to view your current switch status policy configuration. HP StorageWorks 4/8 SAN Switch and 4/16 SAN Switch, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 400 Multi-protocol Router: switch:admin>...
  • Page 51: Auditable Event Classes

    be easily distinguished from other system message log events that occur in the network. Then, at some regular interval of your choosing, you can review the audit events to look for unexpected changes. Before you configure audit event logging, familiarize yourself with the following audit event log behaviors and limitations: •...
  • Page 52 NOTE: Only the active CP can generate audit messages because event classes being audited occur only on the active CP. Audit messages cannot originate from other blades in a Director. Audit events have the following message format: AUDIT, <Timestamp>, [<Event ID>], <Severity>, <Event Class>, <User ID>/<Role>/<IP address>/<Interface>,<Admin Domain>/<Switch name>,<Reserved>,<Event-specific information>...
  • Page 53: Shutting Down Switches And Directors

    Jun 5 08:15:32 [10.32.248.73.2.2] raslogd: AUDIT, 2006/06/05-13:38:17, [SEC-1000], WARNING, SECURITY, JaneDoe/root/192.168.132.19/ telnet, Domain A/DoeSwitch, , Incorrect password during login attempt. Shutting down switches and Directors To avoid corrupting your file system, HP recommends that you perform graceful shutdowns of switches and Directors.
  • Page 54: Daemons That Are Automatically Restarted

    Schedule downtime and reboot the switch at your convenience. Table 6 lists the daemons that are considered non-critical and are automatically restarted on failure. Table 6 Daemons that are automatically restarted Daemon Description Arrd Asynchronous Response Router (used to send management data to hosts when the switch is accessed through the APIs (FA API or SMI-S).
  • Page 55: Managing User Accounts

    Managing user accounts This chapter provides information and procedures on managing authentication and user accounts for the switch management channel. Overview In addition to the default accounts—root, factory, admin, and user—Fabric OS supports up to 252 additional user-defined accounts in each logical switch (domain). These accounts expand your ability to track account access and audit administrative activities.
  • Page 56: Using Role-Based Access Control (Rbac)

    Using Role-Based Access Control (RBAC) Role-Based Access Control (RBAC) defines the capabilities that a user account has based on the role the account has been assigned. For each role, there is a set of pre-defined permissions on the jobs and tasks that can be performed on a fabric and its associated fabric elements.
  • Page 57: Role Permissions

    Role permissions Table 9 describes the types of permissions that are assigned to roles. Table 9 Permission types Abbreviation Definition Description Observe The user can run commands using options that display information only, such as running userConfig --show -a to show all users on a switch.
  • Page 58 Table 10 RBAC permissions matrix (continued) Category Role permission User Operator Switch Zone Fabric Basic Admin Security admin admin admin switch admin admin HA (High Availability) iSCSI License LDAP Local User Environment Logging Management Access Configuration Management Server Name Server Nx_Port Management Physical Computer System Port Mirroring...
  • Page 59: Managing The Local Database User Accounts

    Managing the local database user accounts User add, change, and delete operations are subject to the subset rule: an admin with ADlist 0-10 cannot perform operations on an admin, user, or any role with an ADlist 11-25. The user account being changed must have an ADlist that is a subset of the account that is making the change.
  • Page 60 To create an account: Connect to the switch and log in using an admin account. Enter the following command: userConfig --add <username> -r <rolename> [-h <admindomain_ID>] [-a <admindomain_ID_list>] [-d <description>] [-x] username Specifies the account name, which must begin with an alphabetic character.
  • Page 61 To change account parameters: When changing account parameters, if you change the ADlist for the user account, all of the currently active sessions for that account will be logged out. Connect to the switch and log in using an admin account. Enter the following command: userconfig --change username [-r rolename] [-h admindomain_ID] [-a admindomain_ID_list] [-d description] [-e yes | no] -u -x...
  • Page 62: Recovering Accounts

    Recovering accounts The following conditions apply to recovering user accounts: • The attributes in the backup database replace the attributes in the current account database. • An event is stored in the system message log, indicating that accounts have been recovered. To recover an account: Connect to the switch and log in using an admin account.
  • Page 63: Configuring The Local User Database

    Configuring the local user database This section covers the following topics: • ”Distributing the local user database” on page 63 • ”Protecting the local user database from distributions” on page 63 • ”Configuring password policies” on page 64 Distributing the local user database Distributing the local switch user database and passwords to other switches in the fabric causes the distributed database to replace (overwrite) the database on the target switch.
  • Page 64: Configuring Password Policies

    Configuring password policies The password policies described in this section apply to the local switch user database only. Configured password policies (and all user account attribute and password state information) are synchronized across CPs and remain unchanged after an HA failover. Password policies can also be manually distributed across the fabric (see ”Distributing the local user database”...
  • Page 65: Setting The Password History Policy

    • Sequence Specifies the length of sequential character sequences that will be disallowed. A sequential character sequence is defined as a character sequence in which the ASCII value of each contiguous character differs by one. The ASCII value for the characters in the sequence must all be increasing or decreasing. For example, if the “sequence”...
  • Page 66: Upgrade And Downgrade Considerations

    Upgrade and downgrade considerations If you are upgrading from a 5.3.x environment to 6.x, the existing password databases do not contain the state information that implements password expiration. So, when the password expiration policy is first set after an upgrade to 6.x, any user who has not changed their password will have their password expiration period set to the maximum password expiration period.
  • Page 67: Denial Of Service Implications

    To disable the admin lockout policy: Log in to the switch using an admin or securityAdmin account. Type passwdCfg --disableadminlockout. The policy is now disabled. Denial of service implications The account lockout mechanism may be used to create a denial of service condition by repeatedly attempting to log in to an account using an incorrect password.
  • Page 68: Authentication Configuration Options

    Consider the following effects of the use of RADIUS or LDAP service on other Fabric OS features: • When RADIUS or LDAP service is enabled, all account passwords must be managed on the RADIUS or LDAP server. The Fabric OS mechanisms for changing switch passwords remain functional; however, such changes affect only the involved switches locally.
  • Page 69: Creating Fabric Os User Accounts

    Table 12 Authentication configuration options (continued) aaaConfig options Description Equivalent setting in Fabric OS 5.1.0 and earlier radius switchdb Authenticates management connections --authspec “ldap” against any LDAP database(s) only. If LDAP service is not available or the credentials do not match, the login fails. Authenticates management connections --authspec “ldap;...
  • Page 70: Managing Fabric Os Users On The Radius Server

    Table 13 Syntax for VSA-based account roles (continued) Item Value Description Vendor type 1 octet, Brocade-Auth-Role; valid attributes for the Brocade-Auth-Role are: SwitchAdmin ZoneAdmin FabricAdmin BasicSwitchAdmin Operator User Admin Optional: Specifies the Admin Domain member list. For more information, see ”RADIUS configuration and Admin Domains”...
  • Page 71: Linux Freeradius Server

    Linux FreeRadius server For the configuration on a Linux FreeRadius server, define the following in a vendor dictionary file called dictionary.brocade. Include the values outlined in Table 14. Table 14 dictionary.brocade file entries Include Value VENDOR Brocade 1588 ATTRIBUTE Brocade-Auth-Role 1 string Brocade AdminDomain After you have completed the dictionary file, define the role for the user in a configuration file.
  • Page 72: Configuring The Radius Server

    Configuring the RADIUS server You must know the switch IP address, in either IPv4 or IPv6 notation, or name to connect to switches. Use the ipAddrShow command to display a switch IP address. For Directors (chassis-based systems), the switch IP addresses are aliases of the physical Ethernet interfaces on the CP blades.
  • Page 73: Windows 2000

    To create the user: • Open the $PREFIX/etc/raddb/user file in a text editor and add user names and roles for users who will be accessing the switch and authenticating RADIUS. The user will log in using the role specified with Brocade-Auth-Role. The valid roles include Root, Admin, SwitchAdmin, ZoneAdmin, SecurityAdmin, BasicSwitchAdmin, FabricAdmin, Operator and User.
  • Page 74 Each user group should be associated with a specific switch login role. For example, you should configure a user group for root, admin, factory, switchadmin, and user, and then add any users whose logins you want to associate to the appropriate group. •...
  • Page 75: Ldap Configuration And Microsoft's Active Directory

    In the Add Remote Access Policy window, enter an easily identifiable Policy friendly name that will enable you to see the switch login for which the policy is being created; then click Next. After the Add Remote Access Policy window refreshes, click Add. In the Select Attribute window, select Windows Groups and click Add.
  • Page 76 To set up LDAP: Install a certificate on the Windows Active Directory server for LDAP. Create a user in Microsoft Active Directory server. For instructions on how to create a user, refer to www.microsoft.com or Microsoft documentation to create a user in your Active Directory. Create a group name that uses the switch’s role name so that the Active Directory group’s name is the same as the switch’s role name.
  • Page 77: Configuring Authentication Servers On The Switch

    Configuring authentication servers on the switch RADIUS and LDAP configuration of the switch is controlled by the aaaConfig command. At least one RADIUS or LDAP server must be configured before you can enable RADIUS or LDAP service. You can configure the RADIUS or LDAP service even if it is disabled on the switch. You can configure up to five RADIUS or LDAP servers.
  • Page 78 To add a RADIUS server to the switch configuration: Connect to the switch and log in using an admin account. Enter this command: switch:admin> aaaConfig --add <server> [-p port] [-s secret] [-t timeout] [-a pap | chap | peap-mschapv2] server Enter either a server name or IPv4 or IPv6 address.
  • Page 79 NOTE: When the RADIUS authentication mode is set to radius;local, you cannot downgrade the Fabric OS to any version earlier than 5.2.0. Previous versions do not support the radius;local mode. When the LDAP authentication mode is set to ldap;local, you cannot downgrade the Fabric OS to any version earlier than 6.x.
  • Page 80: Enabling And Disabling Local Authentication As Backup

    To change an LDAP server configuration: Connect to the switch and log in using an admin account. Enter this command: switch:admin> aaaConfig --change server [-p port] [-t timeout] [-d domain_name] Enter either a server name or IPv4 address. Microsoft’s Active Directory server does not support IPv6 addresses.
  • Page 81: Setting The Boot Prom Password With A Recovery String

    Setting the boot PROM password with a recovery string To set the boot PROM password with a recovery string, refer to the section that applies to your switch model. NOTE: Setting the boot PROM password requires accessing the boot prompt, which stops traffic flow through the switch until the switch is rebooted.
  • Page 82: 4/256 San Director And Dc San Backbone Director (Short Name, Dc Director)

    4/256 SAN Director and DC SAN Backbone Director (short name, DC Director) The boot PROM and recovery passwords must be set for each CP blade on the 4/256 SAN Director or DC Director. To set the boot PROM password for a Director with a recovery string: Connect to the serial port interface on the standby CP blade.
  • Page 83: Setting The Boot Prom Password Without A Recovery String

    Setting the boot PROM password without a recovery string Although you can set the boot PROM password without also setting the recovery string, it is strongly recommended that you set both the password and the string as described in ”Setting the boot PROM password with a recovery string”...
  • Page 84: Recovering Forgotten Passwords

    The following options are available: Option Description Start system. Continues the system boot process. Recovery password. Lets you set the recovery string and the boot PROM password. Enter command shell. Provides access to boot parameters. Enter 3. Enter the passwd command at the shell prompt. NOTE: The passwd command only applies to the boot PROM password when it is entered from the boot interface.
  • Page 85: Configuring Standard Security Features

    Configuring standard security features This chapter provides information and procedures for configuring standard Fabric OS security features such as protocol and certificate management. IMPORTANT: Secure Fabric OS is no longer supported in Fabric OS 6.x. Secure protocols Fabric OS supports the secure protocols shown in Table 15. Table 15 Secure protocol support...
  • Page 86: Ensuring Network Security

    The security protocols are designed with the four main usage cases described in Table 17. Table 17 Main security scenarios Fabric Management Comments interfaces Nonsecure Nonsecure No special setup is needed to use Telnet or HTTP. Nonsecure Secure Secure protocols may be used. An SSL switch certificate must be installed if HTTPS is used.
  • Page 87: Configuring The Telnet Protocol

    Configuring the Telnet protocol Telnet is enabled by default. To prevent users from passing clear text passwords over the network when they connect to the switch, you can block the Telnet protocol using an IP Filter policy. NOTE: Before blocking Telnet, make sure you have an alternate method of establishing a connection with the switch.
  • Page 88: Blocking Listeners

    Blocking listeners HP switches block Linux subsystem listener applications that are not used to implement supported features and capabilities. Table 18 lists the listener applications that Brocade switches either block or do not start. Table 18 Blocked listener applications Listener application 4/256 SAN Director and DC SAN HP StorageWorks 4/8 SAN Switch, 4/16 Backbone Director (short name, DC SAN Switch, Brocade 4Gb SAN Switch for...
  • Page 89: Port Configuration

    Port configuration The following Table provides information on ports that the switch uses. When configuring the switch for various policies, take into consideration firewalls and other devices that may sit between switches in the fabric and your network or between the managers and the switch. Port Type Common use...
  • Page 90: Summary Of Ssl Procedures

    Summary of SSL procedures You configure for SSL by obtaining, installing, and activating digital certificates for SSL support. Certificates are required on all switches that are to be accessed through SSL. You also need to install a certificate in the Java Plug-in on the management workstation, and you may need to add a certificate to your Web browser.
  • Page 91: Generating And Storing A Csr

    IMPORTANT: HP recommends selecting 1024 in most cases. CA support for the 2048-bit key size is limited. Generating and storing a CSR After generating a public/private key, perform this procedure on each switch. Connect to the switch and log in as admin. Enter this command: switch:admin> seccertutil gencsr...
  • Page 92: Installing A Switch Certificate

    It may take several days to receive the certificates. If the certificates arrive by e-mail, save them to an FTP server. If the CA provides access to the certificates on an FTP server, make note of the path name and make sure you have a login name and password on the server. Installing a switch certificate Perform this procedure on each switch.
  • Page 93: Configuring The Browser

    Configuring the browser The root certificate may already be installed on your browser, but if not, you must install it. To see whether it is already installed, check the certificate store on your browser. The next procedures are guides for installing root certificates to Internet Explorer and Mozilla browsers. For more detailed instructions, refer to the documentation that came with the certificate.
  • Page 94: Displaying And Deleting Certificates

    Trust this certificate? [no]: Certificate was added to keystore In the example, changeit is the default password and RootCert is an example root certificate name. Displaying and deleting certificates Table 21 summarizes the commands for displaying and deleting certificates. For details on the commands, see the Fabric OS Command Reference.
  • Page 95: Configuring For Snmp

    Configuring for SNMP You can configure for the automatic transmission of SNMP information to management stations. SNMPv3 and SNMPv1 are supported. The configuration process involves configuring the SNMP agent and configuring SNMP traps. The following commands are used in the process: •...
  • Page 96: Using The Snmpconfig Command

    webtools attributes (yes, y, no, n): [no] System (yes, y, no, n): [no] No changes. Using the snmpConfig command Use the snmpConfig set command to change either the SNMPv3 or SNMPv1 configuration. You can also change access control, MIB capability, and system group. Sample SNMPv3 configuration switch:admin>...
  • Page 97 Sample SNMPv1 configuration switch:admin> snmpconfig --set snmpv1 SNMP community and trap recipient configuration: Community (rw): [Secret C0de] admin Trap Recipient's IP address in dot notation: [0.0.0.0] 10.32.225.1 Trap recipient Severity level : (0..5) [0] 1 Community (rw): [OrigEquipMfr] Trap Recipient's IP address in dot notation: [10.32.225.2] Trap recipient Severity level : (0..5) [1] Community (rw): [private] Trap Recipient's IP address in dot notation: [10.32.225.3]...
  • Page 98: Configuring Secure File Copy

    connUnitStatusChange: YES connUnitEventTrap: YES connUnitSensorStatusChange: YES connUnitPortStatusChange: YES SW-EXTTRAP: NO FICON-TRAP: YES linkRNIDDeviceRegistration: YES linkRNIDDeviceDeRegistration: YES linkLIRRListenerAdded: YES linkLIRRListenerRemoved: YES linkRLIRFailureIncident: YES HA-TRAP: YES fruStatusChanged: YES cpStatusChanged: YES fruHistoryTrap: YES FCIP-TRAP: NO Sample systemGroup configuration (default) switch:admin> snmpconfig --default systemGroup ***** This command will reset the agent's system group configuration back to factory default...
  • Page 99: Configuring Advanced Security Features

    Configuring advanced security features This chapter provides information and procedures for configuring advanced Fabric OS security features such as Access Control List (ACL) policies, authentication policies, and IP Filtering for HP’s Fibre Channel switches. NOTE: Run all commands, with the suggested role, in this chapter by logging in to Administrative Domain (AD) 255 or, if Administrative Domains have not been implemented, log in to AD 0.
  • Page 100: Identifying Policy Members

    and active sets but they have different values, then the policy has been modified but the changes have not been activated. Admin Domain considerations: ACL management can be done on AD255 and in AD0 only if there are no other user-defined Admin Domains. Both AD0 (when no other user-defined Admin Domains exist) and AD255 provide an unfiltered view of the fabric.
  • Page 101: Displaying Acl Policies

    • ”Configuring the database distribution settings” on page 122 Configure a switch to accept or reject the distribution of policies. • ”Distributing ACL policies to other switches” on page 123 Configure the distribution of policies to switches within the fabric. Displaying ACL policies Use the secPolicyShow command to display the active and defined policy sets.
  • Page 102: Fcs Policy Restrictions

    distribution, Fabric OS 6.0.0 switches may enforce FCS policy and perform database distribution among 5.3.0 and 6.0.0 switches while still allowing pre-5.3.0 switches to join the fabric. • Distribution to pre-5.3.0 switches with specific Domain IDs When specific Domain IDs are given for the distribution, all domains must be on a switch with Fabric OS 5.3.0 or later.
  • Page 103: Overview Of Steps To Create And Manage The Fcs Policies

    Overview of steps to create and manage the FCS policies Whether your intention is to create new FCS policies or manage your current FCS policies, you must follow certain steps to ensure the domains throughout your fabric have the same policy. The local-switch WWN cannot be deleted from the FCS policy.
  • Page 104: Distributing An Fcs Policy

    For example, to move a backup FCS switch from position 2 to position 3 in the FCS list, using interactive mode: primaryfcs:admin> secpolicyfcsmove Pos Primary WWN DId swName. ================================================= 10:00:00:60:69:10:02:18 1 switch5. 10:00:00:60:69:00:00:5a 2 switch60. 10:00:00:60:69:00:00:13 3 switch73. Please enter position you’d like to move from : (1..3) [1] 2 Please enter position you’d like to move to : (1..3) [1] 3 ____________________________________________________ DEFINED POLICY SET...
  • Page 105: Configuring A Dcc Policy

    switch. Setting the configuration parameter to accept indicates distribution of the policy will be accepted and distribution may be initiated using the distribute -p command. Setting the configuration parameter to reject indicates the policy distribution is rejected and the switch may not distribute the policy. The default value for the distribution configuration parameter is accept, which means the switch accepts all database distributions and is able to initiate a distribute operation for all databases.
  • Page 106: Creating A Dcc Policy

    • You cannot manage proxy devices with DCC policies. Proxy devices are always granted full access, even if the DCC policy has an entry that restricts or limits access of a proxy device. Creating a DCC policy DCC policies must follow the naming convention “DCC_POLICY_nnn,” where nnn represents a unique string.
  • Page 107: Examples Of Creating Dcc Policies

    Examples of creating DCC policies To create the DCC policy “DCC_POLICY_server” that includes device 11:22:33:44:55:66:77:aa and port 1 and port 3 of switch domain 1: switch:admin> secpolicycreate "DCC_POLICY_server", "11:22:33:44:55:66:77:aa;1(1,3)" DCC_POLICY_server has been created To create the DCC policy “DCC_POLICY_storage” that includes device port WWN 22:33:44:55:66:77:11:bb, all ports of switch domain 2, and all currently connected devices of switch domain 2: switch:admin>...
  • Page 108: Saving Changes To Acl Policies

    For example, to create an SCC policy that allows switches that have Domain IDs 2 and 4 to join the fabric: switch:admin> secpolicycreate "SCC_POLICY", "2;4" SCC_POLICY has been created To save or activate the new policy, enter either the secPolicySave or the secPolicyActivate command.
  • Page 109: Removing A Member From An Acl Policy

    Removing a member from an ACL policy To remove a member from an ACL policy: Connect to the switch and log in using an account assigned to the admin role. Type secPolicyRemove “policy_name”, “member;...;member”, where policy_name is the name of the ACL policy and member is the device or switch to be removed from the policy, identified by IP address, switch Domain ID, device or switch WWN, or switch name.
  • Page 110: E_Port Authentication

    authutil --set <fcap|dhchap> to set the authentication protocol which can then be verified using the command authutil --show CLI. NOTE: The standards-compliant DH-CHAP and FCAP authentication protocols are not compatible with the SLAP protocol that was the only protocol supported in earlier Fabric OS releases 4.2, 4.1, 3.1, 2.6.x. Fabric OS 6.0.0 switch-to-switch authentication implementation is fully backward compatible with 3.2, 4.2, 4.4, 5.0, 5.1, 5.2, and 5.3.0.
  • Page 111 WARNING! If data input has not been completed and a failover occurs, the command is terminated without completion and the entire user input is lost. If data input has completed, the enter key pressed, and a failover occurs, data may or may not be replicated to the other CP depending on the timing of the failover.
  • Page 112: Device Authentication Policy

    Device authentication policy Device authentication policy can also be categorized as an HBA authentication policy. Fabric wide distribution of the device authentication policy is not supported since the device authentication requires manual interaction in setting the HBA shared secrets and switch shared secrets, and most of the HBAs do not support the defined DH groups for use in the DH-CHAP protocol.
  • Page 113: Selecting Authentication Protocols

    Selecting authentication protocols Use the authUtil command to perform the following tasks: • Display the current authentication parameters • Select the authentication protocol used between switches • Select the Diffie-Hellman (DH) group for a switch Run the authUtil command on the switch you want to view or change. Options for specifying which DH group you want to use include: •...
  • Page 114: Managing Secret Key Pairs

    WARNING! This command may bring down the E_Port(s) if the DH-CHAP shared secrets are not installed correctly. To re-authenticate E_Ports: Log in to the switch using an account assigned to the admin role. On a switch running Fabric OS 5.3.0 and later, type the following command: $authutil --authinit <slot/port_number(s)|allE>...
  • Page 115: Fabric Wide Distribution Of The Auth Policy

    To set a secret key pair: Log in to the switch using an account assigned to the admin role. On a switch running Fabric OS 4.x, 5.x, or 6.0, type secAuthSecret --set; on a switch running Fabric OS 3.x, type secAuthSecret "--set".
  • Page 116: Accept Distributions Configuration Parameter

    Accept distributions configuration parameter Local Switch configuration parameters are needed to control whether a switch accepts or rejects distributions of the AUTH policy using the distribute command and whether the switch may initiate distribution of the policy. To set the local switch configuration parameter, refer to ”Configuring the database distribution settings”...
  • Page 117: Displaying An Ip Filter Policy

    Displaying an IP Filter policy Displays the IP Filter policy content for the specified policy name, or all IP Filter policies if policy name is not specified. For each IP Filter policy, the policy name, type, persistent state and policy rules are displayed. The policy rules are listed by the rule number in ascending order.
  • Page 118: Deleting An Ip Filter Policy

    Deleting an IP Filter policy You can delete a specified IP Filter policy. Deleting an IP Filter policy will remove it from the temporary buffer. To permanently delete the policy from persistent database, run ipfilter save. An active IP Filter policy cannot be deleted. To delete an IP Filter policy: Log in to the switch using an account assigned to the admin role.
  • Page 119: Ip Filter Policy Enforcement

    Table 30 Supported services (continued) Service name Port number telnet TCP and UDP protocols are valid selections. Fabric OS 5.3.0 and later does not support configuration to filter other protocols. Implicitly, ICMP type 0 and type 8 packets are always allowed to support ICMP echo request and reply on commands like ping and traceroute.
  • Page 120: Creating Ip Filter Policy Rules

    If none of the rules in the policy matches the incoming packet, the two implicit rules will be matched to the incoming packet. If the rules still do not match the packet, the default action, which is to deny, will be taken.
  • Page 121: Ip Filter Policy Distributions

    To abort a transaction associated with IP Filter: Log in to the switch using an account assigned to the admin role. Type in the following command: ipfilter --transabort IP Filter policy distributions The IP Filter policy is manually distributed, using the distribute -p “IPFILTER” command. The distribution includes both active and defined IP Filter policies.
  • Page 122: Configuring The Database Distribution Settings

    Table 33 explains how the local database distribution settings and the fabric-wide consistency policy affect the local database when the switch is the target of a distribution command. Table 33 Interaction between fabric-wide consistency policy and distribution settings Distribution Fabric-wide consistency policy setting Absent (default) Tolerant...
  • Page 123: Distributing Acl Policies To Other Switches

    Enter the following command: switch:admin> fddcfg --showall Local Switch Configuration for all Databases:- DATABASE Accept/Reject --------------------------------- accept accept accept accept AUTH accept IPFILTER accept Fabric Wide Consistency Policy:- "" To enable local switch protection: Connect to the switch and log in using an account assigned to the admin role. Enter the following command: fddCfg --localreject <database_ID>...
  • Page 124: Setting The Consistency Policy Fabric-Wide

    Table 35 describes how the target switch database distribution settings affect the distribution. Table 35 ACL policy database distribution behavior (Target switch Fabric OS version; Target switch Database setting; Distribution; Results). 5.1.0 or earlier: Fails. An error is returned. The entire transaction is aborted and no databases are updated.
  • Page 125: Notes On Joining A Switch To The Fabric

    To display the fabric-wide consistency policy: Connect to the switch and log in using an account assigned to the admin role. Enter the fddCfg --showall command. The following example shows policies for a fabric where no consistency policy is defined. switch:admin>...
  • Page 126: Matching Fabric-Wide Consistency Policies

    Under both conflicting conditions, secPolicyActivate is blocked in the merged fabric. Use the fddcfg --fabwideset command to resolve the fabric-wide consistency policy conflicts. Use the distribute command to explicitly resolve conflicting ACL policies. When a switch is joined to a fabric with a strict SCC or DCC fabric-wide consistency policy, the joining switch must have a matching fabric-wide consistency policy.
  • Page 127: Non-Matching Fabric-Wide Consistency Policies

    Non-matching fabric-wide consistency policies You may encounter one of the following two scenarios: Merging a fabric with a strict policy to a fabric with an absent, tolerant, or non-matching strict policy. The merge fails and the ports are disabled. Table 38 shows merges that are not supported.
  • Page 128: Zeroization Functions

    Zeroization functions Explicit zeroization can be done at the discretion of the security administrator. These functions clear the passwords and the shared secrets. The following table lists the various keys used in the system that will be zeroized in a FIPS compliant FOS module. Table 40 Zeroization behavior Keys...
  • Page 129: Conditional Tests

    Conditional tests These tests are for the random number generators and are executed to verify the randomness of the random number generator. The conditional tests are executed each time prior to using the random number provided by the random number generator. The results of all self-tests, for both power-up and conditional, are recorded in the system log or are output to the local console.
  • Page 130: Fips Mode

    loading kernel kjournald starting. Commit interval 5 seconds EXT3-fs: mounted filesystem with ordered data mode. VFS: Mounted root (ext3 filesystem) readonly. Trying to move old root to /initrd ... okay Freeing unused kernel memory: 108k init INIT: version 2.78 booting sh-2.04# On all platforms, from the shell prompt, enter the following commands: mount -o remount,rw,noatime /...
  • Page 131: Preparing The Switch For Fips

    Table 41 FIPS mode restrictions (Features: FIPS mode; Non-FIPS mode). DH-CHAP/FCAP hashing algorithms: SHA-1; MD5 and SHA-1. Signed firmware: Mandatory firmware signature validation; Optional firmware signature validation. Configupload/download/supportsave/firmwaredownload: SCP only; FTP and SCP. IPsec: Usage of AES-XCBC, MD5 and DH group 1 are blocked; No restrictions. Radius auth protocols...
  • Page 132 b. Add a rule to the IP Filter policy, see ”To add a rule to an IP Filter policy:” on page 120. You can use the following modifications to the rule: ipfilter --addrule <policyname> -rule <rule_number> -sip <source_IP> -dp <dest_port> -proto <protocol> -act <deny> •...
  • Page 133 Optional: Use the configure command to set switch to use non-signed firmware. By keeping the switch set to use signed firmware, all firmware downloaded to the switch will have to be signed with a key. Disable selftests by typing the following command: fipscfg --disable selftests Disable IPFilter policies that were created to enable FIPS.
  • Page 135: Maintaining Configurations

    Maintaining configurations This chapter provides procedures for basic switch configuration maintenance. Maintaining consistent configuration settings It is important to maintain consistent configuration settings on all switches in the same fabric because inconsistent parameters (such as inconsistent PID formats) can cause fabric segmentation. As part of standard configuration maintenance procedures, it is recommended that you back up all important configuration data for every switch on a host computer server for emergency reference.
  • Page 136: Troubleshooting Configuration Upload

    Respond to the prompts as follows: Protocol (scp or ftp): If your site requires the use of Secure Copy, specify scp. Otherwise, specify FTP. Server Name or IP Address: Enter the name or IP address of the server where the file is to be stored; for example, 192.1.2.3.
  • Page 137: Restoring Switch Information

    Restoring switch information Run the commands listed in Table 42 and save the output in a file format. Store the files in a safe place for emergency reference. Table 42 CLI commands to display switch configuration information (Command: Displays). configShow: System configuration parameters and settings, including license information, zoning, and licensing information.
  • Page 138 To restore a configuration: Verify that the FTP service is running on the server where the backup configuration file is located. Connect to the switch and log in as admin. If there are any changed parameters in the configuration file that do not belong to SNMP, Fabric Watch, or ACL, disable the switch by entering the switchDisable command.
  • Page 139: Security Considerations

    The following example shows configDownload run on a switch with Admin Domains: switch:AD5:admin>configdownload Protocol (scp or ftp) [ftp]: Server Name or IP Address [host]: 10.1.2.3 User Name [user]: JohnDoe File Name [config.txt]: /pub/configurations/config.txt *** CAUTION *** This command is used to download a backed-up configuration for a specific switch.
  • Page 140: Messages Captured In The Logs

    There may be some restrictions if you are using Admin Domains. See ”Managing administrative domains” on page 143 for details. Messages captured in the logs Configuration download generates both RASLog and Audit log messages resulting from execution of the configDownload command. The following messages are written to the logs: •...
  • Page 141: Configuration Form

    To download a configuration file from one switch to another switch of the same model: Configure one switch first. Use the configUpload command to save the configuration information. See ”Backing up a configuration” on page 135. Run configDefault on each of the target switches, and then use the configDownload command to download the configuration file to each of the target switches.
  • Page 143: Managing Administrative Domains

    Managing administrative domains This chapter provides procedures for using administrative domains (Admin Domain or AD). An Admin Domain is a logical grouping of fabric elements that defines what switches, ports, and devices you can view and modify. An Admin Domain is a filtered administrative view of the fabric. NOTE: If you do not implement Admin Domains, the feature has no impact on users and you do not need to learn how to use this functionality.
  • Page 144: Fabric With Two Admin Domains

    Figure 2 Fabric with two Admin Domains Figure 3 shows how users get a filtered view of this fabric, depending on which Admin Domain they are in. As shown in Figure 4, users can see all switches and E_Ports in the fabric, regardless of their Admin Domain;...
  • Page 145: Admin Domain Features

    Admin Domain features Admin Domains allow you to: • Define the scope of an Admin Domain to encompass ports and devices within a switch or a fabric. • Share resources across multiple Admin Domains. For example, you can share array ports and tape drives between multiple departments.
  • Page 146: Ad0

    AD0 is a system-defined Admin Domain that, in addition to containing members you explicitly added (similar to user-defined Admin Domains), contains all online devices, switch ports, and switches that have not been assigned to any user-defined Admin Domain. Unlike user-defined Admin Domains, AD0 has an implicit and an explicit membership list. User-defined Admin Domains have only explicit members.
  • Page 147: Admin Domain Access Levels

    AD255 Figure 4 Fabric with AD0 and AD255 Admin Domain access levels Admin Domains offer a hierarchy of administrative access. To manage Admin Domains, you must be a physical fabric administrator. A “physical fabric administrator” is a user with the Admin role and access to all Admin Domains (AD0 through AD255).
  • Page 148: Admin Domains And Login

    Admin Domains and login You are always logged in to an Admin Domain, and you can view and modify only the devices in that Admin Domain. If you have access to more than one Admin Domain, one of them will have been specified as your “home Admin Domain,”...
  • Page 149: Switch Port Members

    Switch port members Switch port members are defined by switch domain,port. A switch port member: • Grants port control rights and zoning rights for that switch port. • Grants view access and zoning rights to the device connected to that switch port. •...
  • Page 150: Admin Domain Compatibility And Availability

    Figure 5 shows an unfiltered view of a fabric with two switches, three devices, and two Admin Domains. The devices are labeled with device WWNs and the switches are labeled with Domain ID and switch WWNs. WWN = 10:00:00:00:c7:2b:fd:a3 WWN = 10:00:00:00:c2:37:2b:a3 Domain ID = 1 Domain ID = 2 WWN = 10:00:00:05:1f:05:23:6f...
  • Page 151: Compatibility

    AD database exactly matches both the defined and effective configurations of the local AD database. If the AD database merge fails, the E_Port is segmented with “AD conflict” error code. Compatibility Admin Domains can be implemented in fabrics with a mix of AD-aware switches and AD-unaware switches.
  • Page 152: Understanding The Ad Transaction Model

    Understanding the AD transaction model You use the ad command to perform most of the tasks in this section. This command follows a batched-transaction model, which means that changes to the Admin Domain configuration occur in the transaction buffer. An Admin Domain configuration can exist in several places: Effective configuration—The Admin Domain configuration that is currently in effect.
  • Page 153: Creating An Admin Domain

    Creating an Admin Domain To create an Admin Domain, you must specify an Admin Domain name, number, or both. • If you create an Admin Domain using only a number, the Admin Domain name is automatically assigned to be “ADn”, where n is the number you specified. For example, if you specify AD number = 4, then AD name is set to “AD4”.
  • Page 154: Assigning A User To An Admin Domain

    Assigning a user to an Admin Domain After you create an Admin Domain, you can specify one or more user accounts as the valid accounts who can use that Admin Domain. You create these user accounts using the userConfig command. User accounts have the following characteristics with regard to Admin Domains: •...
  • Page 155: Activating And Deactivating Admin Domains

    where username is the name of the account and home_AD is the home Admin Domain. The following example creates new user account pf_admin1 with an admin role, access to all Admin Domains (AD0 through AD255), and home Admin Domain set to 255. This user account is now a physical fabric administrator.
  • Page 156: Adding And Removing Admin Domain Members

    Adding and removing Admin Domain members Use the following procedures to add or remove members of an Admin Domain. NOTE: If you remove the last member of an Admin Domain, that Admin Domain is automatically deleted. To add members to an existing Admin Domain: Connect to an AD-aware switch and log in as admin.
  • Page 157: Deleting An Admin Domain

    The rename operation does not take effect if the Admin Domain you want to rename is part of the effective configuration and thus enforced. To end the transaction now, enter ad save to save the Admin Domain definition or enter ad apply to save the Admin Domain definition and directly apply the definitions to the fabric.
  • Page 158: Validating An Admin Domain Member List

    Validating an Admin Domain member list The ad validate option allows you to validate the device and switch member list and flag all resources that are from AD-unaware switches. You can use the validate option to list Admin Domain members from AD-unaware switches and non-existing or offline Admin Domain members. You can use the validate option to identify misconfigurations of the Admin Domain.
  • Page 159: Executing A Command In A Different Ad Context

    Table 46 Ports and devices in CLI output. Condition for domain,port: The port is specified in the domain,port member list of the Admin Domain. One or more WWNs specified in the AD member list is attached to the domain,port. Condition for Device WWN: The device WWN is specified in the AD WWN member list. The device WWN is attached to one of the domain,port specified in the AD member list.
  • Page 160: Switching To A Different Admin Domain Context

    The following example displays membership information about AD1. sw5:AD1:admin> ad --show Current AD Number: 1 AD Name: TheSwitches Effective configuration: ------------------------ AD Number: 1 AD Name: TheSwitches State: Active Switch WWN members: 50:06:06:99:00:2a:e9:01; 50:00:51:e0:23:36:f9:01; 50:06:06:98:05:be:99:01; Switching to a different Admin Domain context The ad select option is used to switch between different Admin Domain contexts.
  • Page 161: Admin Domain Interaction With Fabric Os Features

    Table 47 lists some of the Fabric OS features and considerations that apply when using Admin Domains. Table 47 Admin Domain interaction with Fabric OS features Fabric OS feature Admin Domain interaction ACLs If no user-defined Admin Domains exist, you can run ACL configuration commands in only AD0 and AD255.
  • Page 162: Admin Domains, Zones, And Zone Databases

    Admin Domains, zones, and zone databases Each Admin Domain has its own zone database, with both defined and effective zone configurations and all related zone objects (zones, zone aliases, and zone members). Within an Admin Domain, you can configure zoning only with the devices that are present in that Admin Domain. With a hierarchical zoning model, the name space for each Admin Domain and the root zones are separate;...
  • Page 163: Configuration Upload And Download In An Ad Context

    The auto-converted LSAN zone names might collide with LSAN zone names in AD0 (for example, in the above example, if AD0 contains lsan_for_linux_farm_AD005, this would cause a name collision). Fabric OS does not detect or report such a name clash. LSAN zone names greater than 57 characters are not converted or sent to the FCR phantom domain. Configuration upload and download in an AD context The behavior of configUpload and configDownload varies depending on the AD context and whether the switch is a member of the current Admin Domain.
  • Page 165: Installing And Maintaining Firmware

    Installing and maintaining firmware This chapter provides procedures for installing and maintaining firmware. Fabric OS 6.0 provides nondisruptive firmware installation. This chapter refers to the following specific types of blades inserted into either the 4/256 SAN Director or DC SAN Backbone Director (short name, DC Director): •...
  • Page 166: Upgrading And Downgrading Firmware

    The command supports both non-interactive and interactive modes. If the firmwareDownload command is issued without any operands, or if there is any syntax error in the parameters, the command enters an interactive mode, in which you are prompted for input. TIP: For each switch in your fabric, complete all firmware download changes on the current switch before issuing the firmwareDownload command on the next switch.
  • Page 167: Preparing For Firmware Downloads

    Preparing for firmware downloads Before executing a firmware download, it is recommended that you perform the tasks listed in this section. In the unlikely event of a failure or time-out, the preparation tasks that are described in this section will enable you to provide HP the information required to perform advanced troubleshooting.
  • Page 168: Checking Connected Switches

    Checking connected switches When checking connected switches, ensure that any older versions are supported. See the recommended version (shown in Table 50) before upgrading firmware on the switch. Go to http://www.hp.com to view end-of-life policies. Table 50 Recommended firmware Switch model Earliest compatible version Recommended version for interoperating with Fabric OS 6.x...
  • Page 169: Obtaining And Decompressing Firmware

    Refer to the Fabric OS Compatibility section of the HP StorageWorks Fabric OS 6.x release notes, for the recommended firmware version. If the 4/8 SAN Switch, 4/16 SAN Switch, SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, or 400 MP Router switches are adjacent and you start firmware downloads on them at the same time, there may be traffic disruption.
  • Page 170: San Switch 4/32B, 400 Mp Router, And Firmware Download

    HP StorageWorks 4/8 SAN Switch, 4/16 SAN Switch, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 400 MP Router, and firmware download The upgrade process first downloads and then commits the firmware to the switch. While the upgrade is proceeding, you can start a session on the switch and use the firmwareDownloadStatus command to observe the upgrade progress if you wish.
  • Page 171: Downloading Firmware To A Director

    Network protocol: Specify the file transfer protocol used to download the firmware from the file server. Valid values are FTP and SCP. The values are not case-sensitive. If “-p” is not specified, firmwareDownload will determine the protocol automatically by checking the config.security parameter on the switch. Password: Enter the password for the server.
  • Page 172: Overview Of The Firmware Download Process On Directors

    Overview of the firmware download process on directors The following summary describes the default behavior of the firmwareDownload command (without options) on the 4/256 SAN Director and DC Director. After you enter the firmwareDownload command on the active CP blade the following actions occur: The standby CP blade downloads firmware.
  • Page 173 CP blades must be synchronized and running Fabric OS 4.2.0 or later to provide a nondisruptive download. If the two CP blades are not synchronized, enter the haSyncStart command to synchronize them. If the CPs still are not synchronized, contact HP. Enter the firmwareDownload -s command.
  • Page 174 Autoleveling takes place in parallel with the firmware download being performed on the CPs, but does not impact performance. Fibre Channel traffic is not disrupted during autoleveling, but GbE traffic on AP blades may be affected. sw77:admin> firmwaredownload Type of Firmware (FOS, SAS, or any application) [FOS]: Server Name or IP Address: 192.168.32.10 Network Protocol (1-auto-select, 2-FTP, 3-SCP) [1]: User Name: userfoo...
  • Page 175: Director Restrictions For Downgrading

    [8]: Thu Jul 28 00:37:50 2005 Slot 7 : Firmware commit is started. [9]: Thu Jul 28 00:37:50 2005 Slot 2 : Firmware commit has completed. [10]: Thu Jul 28 00:37:50 2005 Slot 7 : Firmware commit has completed. (Firmwaredownload has completed.) 11.
  • Page 176: Firmwaredownload From A Usb Device

    firmwaredownload from a USB device The DC Director supports a firmware download from the USB device attached to the active CP. NOTE: The USB device ships with the DC Director only. Before the USB device can be accessed by the firmwaredownload command, it must be enabled and mounted as a file system.
  • Page 177: Fips Support

    FIPS Support Federal information processing standards (FIPS) specify the security standards needed to satisfy a cryptographic module utilized within a security system for protecting sensitive information in the computer and telecommunication systems. For more information about FIPS, refer to ”Configuring advanced security features”...
  • Page 178: The Firmwaredownload Command

    Respond to the prompts as follows: Server Name or IP Address: Enter the name or IP address of the FTP server, or SSH server for SCP, where the firmwarekey file is stored; for example, 192.1.2.3. Download from USB: Optional: -U (upper case). Specify this option if you want to download from the USB device attached to the active CP.
  • Page 179: Power-On Firmware Checksum Test

    Power-on firmware checksum test FIPS requires the checksums of the executables and libraries on the filesystem to be validated before Fabric OS modules are launched. This is to make sure these files have not been changed after they are installed. When firmware RPM packages are installed during firmwareDownload, the MD5 checksums of the firmware files are stored in the RPM database on the filesystem.
  • Page 180: Testing And Restoring Firmware On Directors

    IMPORTANT: Stop! If you want to restore the firmware, stop here and skip ahead to step otherwise, continue to step 8 to commit the firmware on the switch, which completes the firmware download operations. Commit the firmware. a. Enter the firmwareCommit command to update the secondary partition with new firmware. Note that it takes several minutes to complete the commit operation.
  • Page 181 Update the firmware on the standby CP: a. Connect to the switch and log in as admin to the standby CP. b. Enter the firmwareDownload -s command and respond to the prompts. At this point, the firmware should download to the standby CP only. When it has completed the download to that CP, reboot it.
  • Page 182 11. Perform a commit on the active CP. a. From the current switch session on the active CP, enter the firmwareShow command and confirm that only the active CP secondary partition contains the old firmware. b. Enter the firmwareCommit command to update the secondary partition with the new firmware. It takes several minutes to complete the commit operation.
  • Page 183: Validating Firmwaredownload

    Validating firmwareDownload Validate the firmware download by running the following commands: firmwareShow, firmwareDownloadStatus, nsShow, nsAllShow, and fabricShow. NOTE: When you prepared for the firmware download earlier, you issued either the supportShow or supportSave command. Although you can issue the command again and compare the output from before and after, it may take up to 30 minutes for the command to execute.
  • Page 184: Troubleshooting Firmwaredownload

    Troubleshooting firmwareDownload Starting in Fabric OS 5.2.0, a network diagnostic script and preinstallation check were added as a part of the firmwareDownload procedure. The script and preinstallation check perform troubleshooting and automatically check for any blocking conditions. However, you should follow these best practices for firmware download before you start the procedure: •...
  • Page 185: Preinstallation Messages

    • If LDAP is configured on the switch, delete the LDAP configuration. Preinstallation messages The messages in this section are displayed if an exception case is encountered during firmware download from Fabric OS 5.2.0. The example earlier shows feature-related messages that you may see if you were downgrading from 5.2.0 to 5.1.0: The following items need to be addressed before downloading the specified firmware:...
  • Page 186 Use the slotShow command to display which slot the FC4-16IP port blade is in. Physically remove the blade(s) from the chassis, or use the micro-switch to turn the blade off. Retry the firmware download operation. Message AP Blade type 33 is inserted. Please use slotshow to find out which slot it is in and remove it.
  • Page 187 Message SW Blade type 51 is inserted. Please use slotshow to find out which slot it is in and remove it. Probable cause and recommended action The firmware download operation was attempting to downgrade a system to Fabric OS 5.3.0 or earlier with one or more FC8-48 port blades (blade ID 51) in the system.
  • Page 188 Disable the switch and change the routing policy selection to one of the following supported selections on firmware 5.1.0 using the aptPolicy command, and then retry the firmware download operation. The supported selections are: policy 1 Port-based routing policy With this policy, the path chosen for an incoming frame is based on: 1.
  • Page 189 Message Cannot downgrade due to LSAN count is set to 3000, please disable it before proceeding. Probable cause and recommended action If a switch is running 5.3.0 or higher and the LSAN count is at 3000, then you will not be allowed to downgrade to 5.2.0 or earlier.
  • Page 190 Message Cannot upgrade directly to 5.3.0. Upgrade your switch to 5.1 or 5.2 first before upgrading to the requested version. Probable cause and recommended action If the switch is running 5.0.0 or earlier, you will not be allowed to upgrade directly to 5.3.0 because of the “two-version”...
  • Page 191: Blade Troubleshooting Tips

    Message The command failed due to the current zone size is not supported by the new firmware. Reduce the size of the configuration before proceeding. Probable cause and recommended action The firmware download operation was attempting to downgrade a system to Fabric OS 5.1.0 or earlier and the current zone size is not supported by the firmware version to be downloaded, so the firmware download operation failed.
  • Page 192 192 Installing and maintaining firmware...
  • Page 193: Configuring Directors

    Configuring Directors This chapter provides procedures specific to HP StorageWorks Director models. Changing a Director’s name HP recommends that you customize the enterprise-class platform name for each platform. Some system logs identify devices by platform names; if you assign meaningful platform names, logs are more useful. To change the platform name: Connect to the switch and log in using an account assigned to the admin role.
  • Page 194: Director Port Numbering Schemes

    Director port numbering schemes Table 51 lists the port numbering schemes for the 4/256 Director and DC Director. Table 51 Port numbering schemes for the 4/256 Director and DC Director Port blades Numbering scheme FC2-16 Ports are numbered from 0 through 15 from bottom to top. FC4-16 FC8-16 FC4-32...
  • Page 195: Default Index/Area_Id Core Pid Assignment With No Port Swap

    A number of fabric-wide databases supported by Fabric OS (including ZoneDB, the ACL DDC, and Admin Domain) allow a port to be designated by the use of a “D,P” (domain,port) notation. While the “P” component appears to be the port number, in up to 255 ports it is actually the area assigned to that port. If the PID format is changed from Extended-edge to Core, the “P”...
  • Page 196: Basic Blade Management

    Table 52 Default index/area_ID core PID assignment with no port swap (continued) Port on Slot Slot Slot Slot Slot Slot Slot Slot blade 1Idx/area 2Idx/area 3Idx/area 4Idx/area 7Idx/area 8Idx/area 9Idx/area 10Idx/area 135/135 151/151 167/167 183/183 199/199 215/215 231/231 247/247 134/134 150/150 166/166 182/182...
  • Page 197: Disabling And Enabling Port Blades

    To power off a port blade: Connect to the switch and log in as admin. Enter the slotPowerOff command with the slot number of the port blade you want to power off. switch:admin> slotpoweroff 3 Slot 3 is being powered off switch:admin>...
  • Page 198: Fc4-48 And Fc8-48 Blade Exceptions

    To summarize: • When an FC4-16, FC4-32, FC8-16, FC8-32, FC10-6, or FC4-16IP blade is replaced by an FR4-18i blade, the FC configuration of the previously configured FC_Ports continues to be used, and all FC_Ports on the FR4-18i blade are persistently disabled.
  • Page 199: Blade Terminology And Compatibility

    Blade terminology and compatibility Before configuring a chassis, familiarize yourself with the Director CP blade and port blade nomenclature, as well as the port blade compatibilities. Often in procedures, only the abbreviated names for CP and port blades are used (for example, the FC4-16 blade). Table 53 includes CP and port blade abbreviations and descriptions.
  • Page 200: Core Blades

    type of CP blade installed and that each CP (primary and secondary partition) maintains the same firmware version. Core blades The DC Director supports two CR8 core blades. This blade is used for intra-chassis switching as well as ICL connectivity to another DC Director chassis. The 4/256 Director does not support core blades.
  • Page 201: Obtaining Slot Information

    Table 56 lists chassis configuration options and resulting slot configurations. Table 56 Chassis configuration options Option Result One 128-port switch (Blade IDs 4, 17 on slots 1–4, 7–10. Blade ID 5 and 16 on slots 5, 6) One 384-port switch (Blade IDs 4, 17, 18, 31, and 36 on slots 1–4, 7–10. Blade ID 16 on slots 5, 6) Table 53 for details about the different blades, including their corresponding IDs.
  • Page 202 202 Configuring Directors...
  • Page 203: Routing Traffic

    Routing traffic This chapter provides information on routing policies. About data routing and routing policies Data moves through a fabric from switch to switch and from storage to server along one or more paths that make up a route. Routing policies determine the correct path for each frame of data. Whatever routing policy a switch is using applies to the VE_Ports as well.
  • Page 204: Assigning A Static Route

    option 1, an error message is returned because you cannot change the routing policy. See the Fabric OS Command Reference for more details on the aptPolicy command. You must disable the switch before changing the routing policy, and re-enable it afterward. Assigning a static route A static route can be assigned only when the active routing policy is port-based and running on an StorageWorks 4/8 SAN Switch, 4/16 SAN Switch,...
  • Page 205: Using Dynamic Load Sharing

    Connect to the switch and log in as admin. Enter the iodReset command at the command line. NOTE: This command can cause a delay in the establishment of a new path when a topology change occurs; use it with care. To confirm the in-order delivery has been disabled, issue the iodShow command.
  • Page 206: Viewing Routing Path Information

    Viewing routing path information The topologyShow and uRouteShow commands provide information about the routing path. Connect to the switch and log in as admin. Enter the topologyShow command to display the fabric topology, as it appears to the local switch: switch:admin>...
  • Page 207 Use the uRouteShow command to display unicast routing information for the following: HP StorageWorks 4/8 SAN Switch and 4/16 SAN Switch, SAN Switch 4/32, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, 4/64 SAN Switch, SAN Switch 4/32B, 400 Multi-protocol Router Use the following syntax: urouteshow [portnumber][, domainnumber]...
  • Page 208: Viewing Routing Information Along A Path

    Viewing routing information along a path You can display detailed routing information from a source port (or area) on the local switch to a destination port (or area) on another switch. This routing information describes the full path that a data stream travels between these ports, including all intermediate switches.
  • Page 209 The information that pathInfo provides is: Hops The number of switch-to-switch links (ISLs) traversed. The local switch is hop 0. In Port The port that the frames come in from on this path. For hop 0, the source port. Domain ID The Domain ID of the switch.
  • Page 210 210 Routing traffic...
  • Page 211: 10 Using The Fc-Fc Routing Service

    Using the FC-FC routing service Supported platforms FC-FC Routing is supported on the following platforms: • 400 MP Router • 4/256 SAN Director or DC SAN Backbone Director (short name, DC Director) when it is configured with an FR4-18i blade and uses chassis configuration option 5 NOTE: The DC Director only supports chassis configuration option 5.
  • Page 212: A Metasan With Interfabric Links

    Figure 8 shows a metaSAN consisting of three edge fabrics connected through a 4/256 SAN Director or DC Director containing an FR4-18i with interfabric links. [Figure 8: A metaSAN with interfabric links]...
  • Page 213: Metasan With Edge-To-Edge And Backbone Fabrics

    [Figure 9: A metaSAN with edge-to-edge and backbone fabrics] Figure 9 shows a metaSAN with a backbone consisting of one 400 MP Router connecting hosts in Edge Fabrics 1 and 3 with storage in Edge Fabric 2 and the backbone through the use of LSANs.
  • Page 214: Proxy Devices

    If an FR4-18i blade is attached to an edge fabric using an EX_Port, it will create translate phantom domains in the fabric corresponding to the imported edge fabrics with active LSANs defined. If you import devices into the backbone fabric, then a translate phantom domain is created in the backbone device in addition to the one in the edge fabric.
  • Page 215: Routing Types

    [Figure 11: MetaSAN with imported devices] Routing types • Edge-to-Edge: Occurs when devices in one edge fabric communicate with devices in another edge fabric through one or more Fibre Channel routers.
  • Page 216: Setting Up The Fc-Fc Routing Service

    Fibre Channel fabrics require that all ports be identified by a unique PID. In a single fabric, FC protocol guarantees that domain IDs are unique, and so a PID formed by a domain ID and area ID is unique within a fabric.
  • Page 217: Performing Verification Checks

    Performing verification checks Before configuring a fabric to connect to another fabric, you must perform the following verification checks on the switch or director. To perform verification checks: Log in to the switch or director as admin and enter the version command. Verify that Fabric OS 6.0 is installed on the 400 MP Router, 4/256 SAN Director or DC Director with the FR4-18i blade as shown in the following example.
  • Page 218: Assigning Backbone Fabric Ids

    Enter the interopMode command and verify that Brocade switch interoperability with switches from other manufacturers is disabled. switch:admin> interopmode InteropMode: Off Usage: InteropMode 0|1 0: to turn it off 1: to turn it on Enter the msPlatShow command to verify that Management Server Platform database is disabled in the backbone fabric.
  • Page 219: Configuring Fcip Tunnels (Optional)

    To assign backbone fabric IDs: Log in to the switch or director. Enter the fosConfig disable fcr command to disable the FC-FC Routing Service. See the Fabric OS Command Reference or the CLI man pages for more information about the fosConfig command.
  • Page 220: Configuring Dh-Chap Secret

    fabrics. Secure Fabric OS is an optional licensed product that provides customizable security restrictions through local and remote management channels on an HP fabric. Although Secure Fabric OS is not supported in Fabric OS 6.0, you can still connect a 6.0 switch to an edge switch that participates in a Secure Fabric OS.
  • Page 221: Configuring An Interfabric Link

    When prompted, type y. The DH-CHAP secret is now stored in the secret word database and is ready for use. switch:admin> secauthsecret --set This command is used to set up secret keys for the DH-CHAP authentication. The minimum length of a secret key is 8 characters and maximum 40 characters.
  • Page 222 To configure an IFL for both edge and backbone connections: On the 400 MP Router, or 4/256 SAN Director or DC Director with an FR4-18i blade, disable the port that you are configuring as an EX_Port (the one connected to the Brocade switch) by issuing the portDisable command.
  • Page 223: Portcfgexport Options

    portCfgExport options This port can now connect to another switch. The following list describes the options for the portCfgExport command. For more information about the portCfgExport and portCfgVexport commands, see the Fabric OS Command Reference. Sets the EX_Port to enabled (1) or disabled (2). Admin use only. Sets the fabric ID (1 to 128).
  • Page 224 Enter the portCfgShow command to view ports that are persistently disabled. switch:admin> portcfgshow 7/10 Area Number: Speed Level: AUTO Trunk Port Long Distance VC Link Init Locked L_Port Locked G_Port Disabled E_Port ISL R_RDY Mode RSCN Suppressed Persistent Disable NPIV capability EX Port Mirror Port FC Fastwrite...
  • Page 225 Enter either the portCfgEXPort or portShow command to verify that each port is configured correctly: switch:admin> portcfgexport 7/10 Port 7/10 info Admin: enabled State: NOT OK Pid format: Not Applicable Operate mode: Brocade Native Edge Fabric ID: Preferred Domain ID: Front WWN: 50:06:06:9e:20:38:6e:1e Fabric Parameters:...
  • Page 226: Configuring The Fc Router Port Cost (Optional)

    Proc_rqrd: Protocol_err: 0 Timed_out: Invalid_word: 0 Rx_flushed: Invalid_crc: Tx_unavail: Delim_err: Free_buffer: Address_err: Overrun: Lr_in: Suspended: Lr_out: Parity_err: Ols_in: 2_parity_err: Ols_out: CMI_bus_err: Port part of other ADs: No Enter the switchShow command to verify the EX_Port (or VEX_Port), edge fabric ID, and name of the edge fabric switch (containing the E_Port or VE_Port).
  • Page 227: Using Router Port Cost

    The FCR router port cost settings are 0, 1000, or 10,000. If the cost is set to 0, the default cost will be used for that IFL. The FC router port cost is persistent and is saved in the existing port configuration file. Router port cost is passed to other routers in the same backbone.
  • Page 228: Port Cost Considerations

    Port cost considerations The router port cost has the following considerations: • Router port sets are defined as follows: • 0-7 and FCIP Tunnel 16-23 • 8-15 and FCIP Tunnel 24-31 More than two router port sets can exist in a 4/256 SAN Director or DC Director with two FR4-18i blades. •...
  • Page 229: Configuring Ex_Port Frame Trunking (Optional)

    400 MP Router or 4/256 SAN Director or DC Director with an FR4-18i blade, use the portCfgEXPort command. If you want to change the fabric parameters of a VEX_Port, then use the portCfgVEXPort command. The backbone fabric PID mode and the edge fabric PID mode do not need to match, but the PID mode for the EX_Port or VEX_Port and the edge fabric to which it is attached must match.
  • Page 230: Supported Configurations And Platforms

    Supported configurations and platforms The EX_Port trunking is an FCR software feature and requires that you have a trunking license installed on the FCR switch and on the edge fabric connected to the other side of the trunked EX_Ports. EX_Port trunking is supported only with edge fabrics.
  • Page 231: Configuring Lsans And Zoning

    through these ports may be disrupted for a short period of time. In addition to the commands for enabling and disabling trunking, you can also use the following E_Port commands for administering EX_Port Frame Trunking: • Use portCfgSpeed and switchCfgSpeed to set speed for a port or switch. •...
  • Page 232: Defining And Naming Zones

    address authority (NAA) field in the WWN to detect an FC Router. LSAN zone enforcement in the local fabric occurs only if the administration domain member list contains both of the devices (local and imported device) specified in the LSAN zone. For more information, see ”Managing administrative domains”...
  • Page 233 • Target B has WWN 50:05:07:61:00:49:20:b4 (connected to switch2). The following procedure shows how to control device communication with the LSAN. To control device communication with the LSAN: Log in as admin and connect to switch1. Enter the nsShow command to list the WWN of the host (10:00:00:00:c9:2b:c9:0c). NOTE: The nsShow output displays both the port WWN and node WWN;...
  • Page 234 Enter the cfgShow command to verify that the zones are correct. switch:admin> cfgshow Defined configuration: zone: lsan_zone_fabric2 10:00:00:00:c9:2b:c9:0c; 50:05:07:61:00:5b:62:ed; 50:05:07:61:00:49:20:b4 Effective configuration: no configuration in effect Enter the cfgAdd and cfgEnable commands to create and enable the LSAN configuration. switch:admin> cfgadd "zone_cfg", "lsan_zone_fabric2" switch:admin>...
  • Page 235: Lsan Zone Binding (Optional)

    LSAN zone binding (optional) By default, the Fibre Channel routers (FCR) in the backbone maintain the entire LSAN zone and device state database. On Fibre Channel routers with Fabric OS 5.3.0 and later, the LSAN zone binding allows you to specify pairs of edge fabrics that share devices, effectively creating an LSAN fabric matrix. The Fibre Channel router uses this information to store only the LSAN zone entries of the remote edge fabrics that can access its local edge fabrics and also to search and do a pair match only against the specified edge fabrics.
  • Page 236: Dual Backbone Configuration

    cancel: Clears the information from the cache and puts it back to the saved value. display: Displays the information that is saved in the cache. fabricview: Displays the static and default and dynamic binding of the backbone to show which edge fabrics can access each other. verify: Verifies if the information in the cache is valid and will not disrupt existing import/export devices....
  • Page 237: Configuring Backbone Fabrics For Interconnectivity

    The fcrlsancount command assumes that all the FCRs in the same LSAN fabric matrix or backbone have the same maximum LSAN count defined, to protect all the FCRs from running into indefinite state. Asymmetric LSAN configurations due to different maximum LSAN counts could lead to different devices being imported on different FCRs.
  • Page 238: Broadcast Configuration

    In the FC router, use the command fcrbcastconfig to prevent interfabric forwarding of broadcast frames of edge or backbone fabrics. Using the fcrbcastconfig command, you can disable or enable the broadcast frame forwarding option per FID (edge fabric or backbone fabric). If you have an FID with a pre-existing IPFC data session that you want to disable then the IPFC traffic across the FCR may not stop even after disabling the broadcasting to some edge fabrics.
  • Page 239: Monitoring Resources

    Type the following command: fcr:admin> fcrbcastconfig --disable -f <fabric id> where <fabric id> is the specified FID where you want to disable frame forwarding. This command disables the broadcast frame forwarding option for an FID (edge or backbone fabric). Monitoring resources It is possible to exhaust resources, such as proxy PIDs.
  • Page 240: Routing Echo

    The following example shows the use of the fcrResourceShow command to display per physical port (EX_Port) resources. switch:admin> fcrresourceshow Daemon Limits: Max Allowed Currently Used ---------------------------------- LSAN Zones: 3000 28 LSAN Devices: 10000 51 Proxy Device Slots: 10000 20 WWN Pool Size Allocated ---------------------------------- Phantom Node WWN: 8192 5413 Phantom Port WWN: 32768 16121...
  • Page 241: Upgrade And Downgrade Considerations

    To check for Fibre Channel connectivity problems: On the edge Fabric OS switch, make sure that the source and destination devices are properly configured in the LSAN zone before entering the fcPing command. This command performs the following functions: • Checks the zoning configuration for the two ports specified. •...
  • Page 242: Backward Compatibility

    For the exact RASLog message descriptions, see the following RASLogs: FCR_1055, FCR_1056, and FCR_1073. For further information on these messages, refer to Fabric OS Message Reference. Backward compatibility In a fabric with Secure Fabric OS enabled, the edge fabric must have Fabric OS 3.2, 4.4.0, or later because only DH-CHAP authentication is supported.
  • Page 243: Range Of Output Ports

    The portCfgExport command has additional options to verify the front domain ID. The portCfgExport –d option is changed to enforce use of the same front domain ID for the EX_Ports connected to the same edge fabric. The portCfgExport display results remain the same. For more information about the portCfgExport -d option, see ”portCfgExport options”...
  • Page 244 To display the range of output ports connected to the xlate domains: Log in to the FC router. Enter the lsDbShow command on the edge fabric. The following example shows the range of output ports. linkCnt = 2, flags = 0x0 LinkId = 53, out port = 1, rem port =...
  • Page 245: Interoperating With An M-Eos Fabric

    Interoperating with an M-EOS fabric IMPORTANT: Interoperating with an M-EOS fabric is not supported at the time of the release of this document. Please check with your sales representative or http://www.hp.com regarding HP support of the interoperability features. This section covers how to set up your B-Series SAN and M-Series SAN to route traffic without merging the two SANs.
  • Page 246: Mcdata Mi10K Interoperability

    The Fibre Channel routing feature for M-EOS interoperability is not a licensed feature. Table 59 Brocade-McDATA M-EOSn interoperability compatibility matrix Fabric OS Versions of M-EOSn (i10k) 9.2.0 9.6.2 v5.3.0 Both Open and McDATA Fabric modes are supported. Connected SANs provide additional functionality not possible with segregated SANs. Some of these functions are as follows: •...
  • Page 247: Configuring The Fabrics For Interconnectivity

    data (RNID) to obtain the information. If the command to get the switch name is successful, the RNID request is not tried and the switch name is obtained. See the following example: switch: admin> switchshow|grep EX 042c00 Online EX-Port 10:00:08:00:88:2c:c2:00 "McDATA:10.32.68.146" (fabric id = 12 ) 042e00 Online EX-Port...
  • Page 248: Connectivity Modes

    Connectivity modes You can connect to M-EOS fabrics in both McDATA Open mode or McDATA Fabric mode. If the mode is not configured correctly, the port is disabled because of incompatibility. To allow interconnectivity with M-EOS SANs, the command line interface (CLI) command portCfgExPort uses the -m option to indicate the connectivity mode.
  • Page 249 On the 400 MP Router and 4/256 SAN Director or DC Director with an FR4-18i blade, use the portDisable command to disable the EX_Port that you will use to connect to the M-Series switch. Ports are persistently disabled by default. Switch:admin_06>...
  • Page 250 Enable the port by issuing the portEnable command. switch>:admin_06> portenable 10/13 If the port was persistently disabled, use the following command to enable the port: switch:admin_06> portcfgpersistentenable 10/13 • Connect IFL1 and verify EX_PORT connectivity. Repeat for all Brocade fabric IFLs. •...
  • Page 251: Configuring M-Eos For Interconnection

    For information about Brocade edge fabric setup on E_Ports and interswitch linking, see ”Administering Trunking” on page 129. For information on EX_Port Frame trunking setup on the FCR switch, see ”Using EX_Port frame trunking” on page 230. Capture a SAN profile of the McDATA and Brocade SANs, identifying the number of devices in each SAN.
  • Page 252: San Pilot And Efcm Zone Screens

    Figure 13 SAN Pilot and EFCM Zone screens NOTE: The screens provided in this section are for illustrative purposes only. Depending on the M-EOS firmware release you are using, the M-EOS web-based management tool may display a user interface different from those shown. Type the desired name in the Zone Name field, using the LSAN_xxxx naming schema.
  • Page 253 To add devices that are connected to the Brocade fabric, click Edit in the Pending Zone set. On the Modify Zone tab, enter the device WWN into the World Wide Name field and click Add. The Pending Zone Membership List is updated with the new Zone members. If you are using EFCM, select Potential Zone Members >...
  • Page 254: Lsan Zoning With M-Eos

    Figure 14 Adding a zone set name in SAN Pilot Regardless of the method used, you should now verify that the new zone set containing your LSAN has been added. Alternately, use the following procedure: Create the LSAN, using the LSAN_xxxx naming schema. Append the newly-created zone set to a currently active zone set.
  • Page 255: Completing The Configuration

    Move back to the 400 MP Router or 4/256 SAN Director or DC Director with an FR4-18i blade and issue the fcrProxyDevShow command to verify that the devices are configured and exported. switch:admin> fcrproxydevshow Proxy Proxy Device Physical State Created...
  • Page 256 Log in to the Brocade edge fabric switch and issue the nsAllShow or the nsCamShow command. edgeswitch:admin> nsallshow 010e00 020000 03f001 04f002 4 Nx_Ports in the Fabric } edgeswitch:admin> nscamshow nscam show for remote switches: Switch entry for 1 state owner known v520...
  • Page 257: Migrating From An Mp Router To A 400 Mp Router

    All of the devices from both LSANs should appear in the output. If the devices do not appear in the output, issue the cfgShow command to verify your zone configuration. Use the cfgactvshow command to display the zone configuration currently in effect. The following example illustrates the use of cfgactvshow.
  • Page 258: Redundant Configuration

    Figure 16 Configuration during the upgrade The switch domain ID and BB fabric ID of the new FC router can be identical. Once the metaSAN is stable and EX_Ports on the new router are ‘active’, the old router can be taken out of the setup. Redundant configuration The configuration shown in Figure 17...
  • Page 259: Devices Directly Connected To Router

    Figure 18 Dual backbone fabric configuration Devices directly connected to router In the Multi-protocol Router, end devices are allowed to be directly connected, but these devices cannot be imported to other edge fabrics (using LSAN zones). During the upgrade process, these devices will face disruption unless there is redundancy support provided from the device end.
  • Page 260 260 Using the FC-FC routing service...
  • Page 261: 11 Administering Ficon Fabrics

    Administering FICON fabrics This chapter provides procedures for managing FICON fabrics. Overview of Fabric OS support for FICON IBM Fibre Connection (FICON®) is an industry-standard, high-speed input/output (I/O) interface for mainframe connections to storage devices. Fabric OS supports intermix mode operations, in which FICON and Fibre Channel technology work together.
  • Page 262: Supported Switches

    Supported switches FICON protocol is supported on the following HP StorageWorks models: DC SAN Backbone Director, short name, DC Director (FC8-16, FC8-32 port blades, FR4-18i FCIP blade and FC10-6 10 Gbit/sec port blade for ISL connections), the 4/256 SAN Director (FC4-16, FC4-32 port blades, FR4-18i FCIP blade and FC10-6 10 Gbit/sec port blade for ISL connections), SAN Switch 4/32, 4/64 SAN Switch and SAN Switch 4/32B switches.
  • Page 263: Ficon Commands

    • The FR4-18i routing blade must not be inserted in slot 10 of the chassis. (Other blades are supported in slot 10, but the FR4-18i blade is not.) FICON channels and control units can be attached only to the FC ports on this blade.
  • Page 264: User Security Considerations

    For information on these tools, see: • Web Tools—Web Tools Administrator’s Guide • Fabric Manager—Fabric Manager Administrator’s Guide • SNMP Agent and FICON Management Information Base (MIB)—Fabric OS MIB Reference User security considerations To administer FICON, you must have one of the following roles: •...
  • Page 265: Preparing A Switch

    Preparing a switch To verify and prepare a switch for use in a FICON environment, complete the following steps: Connect to the switch and log in as admin. Enter the switchShow command to verify that the switch and devices are online. Change the routing policy on the switch from the default exchange-based policy to the required port-based policy for those switches with FICON devices directly attached using the aptPolicy command when working from the command line.
  • Page 266: Setting A Unique Domain Id

    Figure 19 and Figure 20 show two viable cascaded configurations. These configurations require Channel A to be configured for two-byte addressing and require IDID and fabric binding. It is recommended that there are only 2 domains in a path from a FICON Channel interface to a FICON Control Unit interface. Control Switch Switch...
  • Page 267: Displaying Information

    Enter the switchEnable command to re-enable the switch. switch:admin> configure Configure... Fabric parameters (yes, y, no, n): [no] yes Domain: (1..239) [3] 5 R_A_TOV: (4000..120000) [10000] E_D_TOV: (1000..5000) [2000] Data field size: (256..2112) [2112] Sequence Level Switching: (0..1) [0] Disable Device Probing: (0..1) [0] Suppress Class F Traffic: (0..1) [0] VC Encoded Address Mode: (0..1) [0] Per-frame Route Priority: (0..1) [0]...
  • Page 268: Swapping Ports

    Swapping ports If a port malfunctions, or if you want to connect to different devices without having to re-wire your infrastructure, you can move a port’s traffic to another port (swap ports) without changing the I/O Configuration Data Set (IOCDS) on the mainframe computer. To swap ports: Connect to the switch and log in as admin.
  • Page 269: Setup Summary

    Setup summary To set up FICON CUP, use the following procedure and be sure to perform the steps in the order indicated. For directors with at least 256 ports installed, use the PortDisable command to disable (block) ports 254 and 255. Ports 254 and 255 are not supported in a CUP environment.
  • Page 270: Setting Up Cup When Ficon Management Server Mode Is Enabled

    • Advanced Zoning, if used, continues to be in force. If there are any differences in restrictions set up with Advanced Zoning and PDCM, the most restrictive rules are automatically applied. • RSCNs are sent to devices if PDCM results in changes to connectivity between a set of ports. Changing fmsmode from enabled to disabled triggers the following events: •...
  • Page 271: Displaying Mode Register Bit Settings

    Displaying mode register bit settings The mode register bits are described in Table 62. Table 62 FICON CUP mode register bits POSC Programmed offline state control. When this bit is set on, the host is prevented from taking the switch offline. The default setting is 1 (on). User alert mode.
  • Page 272: Setting Mode Register Bits

    Setting mode register bits Use the ficoncupset modereg command to set the FICON CUP mode register bits for the local switch. Consider the following when changing mode register bits: • As required by the CUP protocol, the UAM bit cannot be changed using this command. •...
  • Page 273: Port And Switch Naming Standards

    Port and switch naming standards Fabric OS handles differences in port and switch naming rules between CUP and itself as follows: • CUP employs 8-bit characters in port address names and switch names; Fabric OS employs 7-bit characters. When fmsmode is enabled, all characters greater than 0x40 and not equal to 0xFF (EBCDIC code page 37 [0x25]) are allowed in the name;...
  • Page 274: Troubleshooting

    Troubleshooting The following sources provide useful problem-solving information: • The standard support commands (portLogDump, supportSave, supportShow) or the Fabric Manager Event Log. By default, the FICON group in the supportShow output is disabled. To enable the capture of FICON data in the supportShow output, enter the supportshowcfgenable ficon command. After you get confirmation that the configuration has been updated, the following will be collected and appear in the output for the supportShow command: •...
  • Page 275: Backing Up And Restoring Ficon Configuration Files

    Backing up and restoring FICON configuration files The FICON file access facility is used to store configuration files. This includes IPL and other configuration files. The Fabric OS saves the IPL and all other configuration files on the switch. A maximum of 16 configuration files, including the IPL file, are supported.
  • Page 276: Recording Configuration Information

    Recording configuration information You can use the following worksheet for recording FICON configuration information. Table 63 FICON configuration worksheet FICON Switch Configuration Worksheet ® FICON Switch Manufacturer:___________________Type: _________ Model: ______ S/N: ________ ® HCD Defined Switch ID_________(Switch ID) Cascaded Directors No _____Yes _____ FICON Switch Domain ID_________(Switch @) Corresponding Cascaded Switch Domain ID _____...
  • Page 277: Sample Iocp Configuration File

    Sample IOCP configuration file The channel subsystem controls communication between a configured channel, the control unit, and the device. The I/O Configuration Dataset (IOCDS) defines the channels, control units, and devices to the designated logical partitions (LPARs) within the server; this is defined using the Input/Output Configuration Program (IOCP).
  • Page 279: 12 Configuring The Distributed Management Server

    Configuring the Distributed Management Server This chapter provides information on enabling and disabling the platform services, configuring and controlling access to the management server database, and using the topology discovery feature. Introduction The Fabric OS Distributed Management Server allows a SAN management application to retrieve information and administer interconnected switches, servers, and storage devices.
  • Page 280: Controlling Access

    Enter y to confirm the deactivation. switch:admin> msplmgmtdeactivate MS Platform Service is currently enabled. This will erase MS Platform Service configuration information as well as database in the entire fabric. Would you like to continue this operation? (yes, y, no, n): [no] y Request to deactivate MS Platform Service in progress..
  • Page 281 Enter the WWN of the host to be added to the ACL. At the prompt, enter 1 to display the access list so you can verify that the WWN you entered was added to the ACL. After verifying that the WWN was added correctly, enter 0 at the prompt to end the session. At the “Update the FLASH?”...
  • Page 282 To delete a member from the ACL: Connect to the switch and log in as admin. Enter the msConfigure command. The command becomes interactive. At the select prompt, enter 3 to delete a member based on its port/node WWN. At the prompt, enter the WWN of the member to be deleted from the ACL. At the prompt, enter 1 to display the access list so you can verify that the WWN you entered was deleted from the ACL.
  • Page 283: Configuring The Server Database

    Configuring the server database The management server database can be viewed or cleared. The command msPlClearDB is allowed only in AD0 and AD255. To view the contents of the management server database: Connect to the switch and log in as admin. Enter the msPlatShow command.
  • Page 284 Request to enable MS Topology Discovery Service in progress..*MS Topology Discovery enabled locally. switch:admin> mstdenable ALL Request to enable MS Topology Discovery Service in progress..*MS Topology Discovery enabled locally. *MS Topology Discovery Enable Operation Complete!! To disable topology discovery: Connect to the switch and log in as admin.
  • Page 285: 13 Working With Diagnostic Features

    Working with Diagnostic Features This chapter provides information on diagnostics and how to display system, port, and specific hardware information. It also describes how to set up system logging mapping (syslogd) and how to set up offloading error messages (supportSave). About Fabric OS diagnostics The purpose of the diagnostic subsystem is to evaluate the integrity of the system hardware.
  • Page 286 Press escape within 4 seconds to enter boot interface. Booting "Fabric Operating System" image. Linux/PPC load: BootROM command line: quiet Uncompressing Linux...done. Now booting the kernel Attempting to find a root file system on hda2... modprobe: modprobe: Can't open dependencies file /lib/modules/2.4.19/modules.dep (No such file or directory) INIT: version 2.78 booting INIT: Entering runlevel: 3...
  • Page 287: Viewing Switch Status

    POST2: Running diagshow POST2: Script PASSED with exit status of 0 Thu Mar 31 20:13:12 GMT 2005 took (0:0:17) 2005/03/31-20:13:13, [BL-1000], 221,, INFO, Paulsa45, Initializing Ports... Enabling switch... 2005/03/31-20:13:13, [BL-1001], 222,, INFO, Paulsa45, Port Initialization Completed 2005/03/31-20:13:13, [EM-5012], 0,, INFO, SW4100_P45, EM: sent dumpready to ME., em.c, line: 2152 2005/03/31-20:13:13, [DGD-5002], 0,, INFO, SW4100_P45, Slot 0 has passed the POST tests., main.c, line: 936...
  • Page 288 To display switch information: Connect to the switch and log in as admin. Enter the switchShow command, which displays the following information for a switch: • switchname—The switch name. • switchtype—The switch model and firmware version numbers. • switchstate—The switch state: Online, Offline, Testing, or Faulty. •...
  • Page 289: Viewing Port Information

    Viewing port information Use the following commands to view information about ports. To view the status of a port: Connect to the switch and log in as admin. Enter the portShow command, specifying the number that corresponds to the port you are troubleshooting.
  • Page 290 To display the port statistics: Connect to the switch and log in as admin. At the command line, enter the portStatsShow command. Port statistics include information such as the number of frames received, number of frames sent, number of encoding errors received, and number of class 2 and class 3 frames received. See the Fabric OS Command Reference for additional portStatsShow command information, such as the syntax for slot or port numbering.
  • Page 291 To display a summary of port errors for a switch: Connect to the switch and log in as admin. Enter the portErrShow command. See the Fabric OS Command Reference for additional portErrShow command information. switch:admin> porterrshow frames enc disc link loss loss frjt fbsy err shrt long c3 fail sync sig sig=====================================================================...
  • Page 292: Error Summary Description

    The portErrShow command output provides one output line per port. See Table 64 for a description of the error types. Table 64 Error summary description Error type Description Frames transmitted frames tx Frames received frames rx Encoding errors inside frames enc in Frames with CRC errors crc err...
  • Page 293: Viewing Equipment Status

    Viewing equipment status You can display status for fans, power supply, and temperature. NOTE: The number of fans, power supplies, and temperature sensors depends on the switch type. For detailed specifications on these components, refer to the switch hardware reference manual. The specific output from the status commands varies depending on the switch type.
  • Page 294: Viewing The System Message Log

    Enter the tempShow command: switch:admin> tempshow Index Status Centigrade Fahrenheit ---------------------------------------------------- switch:admin> Information displays for each temperature sensor in the switch. The possible temperature status values are: • OK—Temperature is within acceptable range. • FAIL—Temperature is outside of acceptable range. Damage might occur. Viewing the system message log The system message log feature enables messages to be saved across power cycles and reboots.
  • Page 295: Commands For Port Log Management

    Enter the portLogShow command: switch:admin> portlogshow 12 time task event port cmd args ------------------------------------------------- Thu Apr 14 12:07:09 2005 12:07:09.350 PORT 02fffffd,00fffffd,0608ffff,14000000 12:07:09.350 PORT c0fffffd,00fffffd,060807fc 12:07:10.812 PORT 02fffffd,00fffffd,07feffff,14000000 12:07:10.813 PORT c0fffffd,00fffffd,07fe0627 12:07:19.492 PORT 02fffffd,00fffffd,0800ffff,14000000 12:07:19.492 PORT 02fffffd,00fffffd,0802ffff,14000000 12:07:19.493 PORT c0fffffd,00fffffd,08009287 12:07:19.493 PORT 02fffffd,00fffffd,0804ffff,14000000...
  • Page 296: Configuring For Syslogd

    Because a portLogDump output is long, a truncated example is presented: switch:admin> portlogdump task event port cmd args ------------------------------------------------- 16:30:41.780 PORT Rx 9 40 02fffffd,00fffffd,0061ffff,14000000 16:30:41.780 PORT Tx 9 0 c0fffffd,00fffffd,0061030f 16:30:42.503 PORT Tx 9 40 02fffffd,00fffffd,0310ffff,14000000 16:30:42.505 PORT Rx 9 0 c0fffffd,00fffffd,03100062 16:31:00.464 PORT Rx 9 20 02fffc01,00fffca0,0063ffff,01000000 16:31:00.464 PORT Tx 9 0 c0fffca0,00fffc01,00630311 16:31:00.465 nsd ctin 9 fc 000104a0,0000007f...
  • Page 297: Configuring The Switch

    In this example, Fabric OS messages map to local7 facility level 7 in the /etc/syslog.conf file: local7.emerg /var/adm/swcritical local7.alert /var/adm/alert7 local7.crit /var/adm/crit7 local7.err /var/adm/swerror local7.warning /var/adm/swwarning local7.notice /var/adm/notice7 local7.info /var/adm/swinfo local7.debug /var/adm/debug7 If you prefer to map Fabric OS severities to a different UNIX local7 facility level, see ”To set the facility level:”...
  • Page 298: Viewing And Saving Diagnostic Information

    To remove a syslogd host from the list: Connect to the switch and log in as admin. Enter the syslogDipRemove command: switch:admin> syslogdipremove 10.1.2.1 Verify the IP address was deleted using the syslogDipShow command. Viewing and saving diagnostic information Enter the supportShow command to dump important diagnostic and status information to the session screen, where you can review it or capture its data.
  • Page 299 Respond to the prompts as follows: Host Name: Enter the name or IP address of the server where the file is to be stored; for example, 1080::8:800:200C:417A for a server configured for IPv6. User name: Enter the user name of your account on the server; for example, “JohnDoe”. Enter your account password for the server.
  • Page 301: 14 Troubleshooting

    Troubleshooting This chapter provides information on troubleshooting and the most common procedures to use to diagnose and recover from problems. It also includes specific troubleshooting scenarios as examples. About troubleshooting Troubleshooting should begin at the center of the SAN—the fabric. Because switches are located between the hosts and storage devices and have visibility into both sides of the storage network, starting with them can help narrow the search path.
  • Page 302: Gathering Information For Technical Support

    Table 67 Common troubleshooting problems and tools (continued) Problem area Investigate Tools Hosts • Downlevel HBA firmware • Host operating system diagnostic tools • Incorrect device driver installation • Device driver diagnostic tools • Incorrect device driver • Switch commands (for configuration example, switchShow or nsAllShow) for diagnostics...
  • Page 303 • How large is the fabric? • Is it a secure fabric? • Is the fabric redundant? Run the supportSave command on both CPs if it is a director class product, for example 4/256 SAN Director or DC SAN Backbone Director (short name, DC Director). Document the sequence of events by answering the following questions: •...
  • Page 304: Analyzing Connection Problems

    Analyzing connection problems If a host is unable to detect its target (for example, a storage or tape device), you should begin troubleshooting the problem in the middle of the data path. Determine if the problem is above or below the starting point, then continue to divide the suspected problem path in half until you can pinpoint the problem.
  • Page 305 Round-trip min/avg/max = 1012/1136/1442 usec Pinging 21:00:00:20:37:25:ad:05 [0x211e8] with 12 bytes of data: Request rejected Request rejected Request rejected Request rejected Request rejected 5 frames sent, 0 frames received, 5 frames rejected, 0 frames timeout Round-trip min/avg/max = 0/0/0 usec switch:admin>...
  • Page 306 To check the name server (NS): Enter the nsShow command on the switch to which the device is attached: The Local Name Server has 9 entries { Type Pid PortName NodeName TTL(sec) 021a00; 2,3;20:00:00:e0:69:f0:07:c6;10:00:00:e0:69:f0:07:c6; 895 Fabric Port Name: 20:0a:00:60:69:10:8d:fd 051edc; 3;21:00:00:20:37:d9:77:96;20:00:00:20:37:d9:77:96;...
  • Page 307: Restoring A Segmented Fabric

    • If the device is listed in the NS, the problem is between the storage device and the host. There may be a zoning mismatch or a host/storage issue. Proceed to ”To check for zoning problems:” on page 307. Enter the portLoginShow command to check the port login status. Enter the fcpProbeShow command to display the FCP probing information for the devices attached to the specified F_Port or L_Port.
  • Page 308 There are a number of settings that control the overall behavior and operation of the fabric. Some of these values, such as the domain ID, are assigned automatically by the fabric and can differ from one switch to another in the fabric. Other parameters, such as the BB credit, can be changed for specific applications or operating environments, but must be the same among all switches to allow the formation of a fabric.
  • Page 309: Correcting Zoning Setup Issues

    Compare the fabricShow output from the two fabrics. Note the number of domain ID conflicts; there may be several duplicate domain IDs that must be changed. Determine which switches have domain overlap and change the domain IDs for each of those switches. Choose the fabric on which to change the duplicate domain ID;...
  • Page 310 See ”Administering Advanced Zoning” on page 403 for additional information about setting up zoning. Also, see the Fabric OS Command Reference for details about zoning commands. You can correct zone conflicts by using the cfgClear command to clear the zoning database. IMPORTANT: The cfgClear command is a disruptive procedure.
  • Page 311: Recognizing Mq-Write Errors

    Recognizing MQ-WRITE errors An MQ error is a message queue error. Identify an MQ error message by looking for the two letters M and Q in the error message: 2004/08/24-10:04:42, [MQ-1004], 218,, ERROR, ras007, mqRead, queue = raslog-test-string0123456-raslog, queue ID = 1, type = 2 MQ errors can result in devices dropping from the SNS or can prevent a switch from joining the fabric.
  • Page 312: Correcting I2C Bus Errors

    Correcting I2C bus errors I2C bus errors generally indicate defective hardware or poorly seated devices or blades; the specific item is listed in the error message. See the Fabric OS Command Reference for information specific to the error that was received. Some Chip-Port (CPT) and Environmental Monitor (EM) messages contain I2C-related information.
  • Page 313: Correcting Device Login Issues

    Correcting device login issues Perform the following steps to try to pinpoint problems with device logins. Log in to the switch as admin. Enter the switchShow command; then, check for correct logins: switch:admin> switchshow switchName: Dazzler switchType: 26.1 switchState: Online switchMode: Native switchRole:...
  • Page 314 ISL R_RDY Mode ........ RSCN Suppressed ........ Persistent Disable..
  • Page 315: Identifying Media-Related Issues

    8 Offline No_Light PRESENT U_PORT LED 9 Offline No_Light PRESENT U_PORT LED 10 Offline No_Module PRESENT U_PORT LED 11 Offline No_Module PRESENT U_PORT LED 12 Offline No_Module PRESENT U_PORT LED 13 Offline No_Module PRESENT U_PORT LED 14 Online In_Sync PRESENT ACTIVE F_PORT G_PORT U_PORT LOGICAL_ONLINE LOGIN NOELP LED ACCEPT 15 Online In_Sync...
  • Page 316: Component Test Descriptions

    Table 70 Component test descriptions Test name Operands Checks fporttest [-nframes count] [-ports itemlist] Tests point-to-point path from the [-seed payload_pattern] F_Port to the N_Port and back. Used [-width pattern_width] [-size to test online F_Port devices, N_Port pattern_size] devices, SFPs, and GBICs. loopporttest [-nframes count] Only tests components attached to a...
  • Page 317: Correcting Link Failures

    See Table 71 for a list of additional tests that can be used to determine the switch components that are not functioning properly. See the Fabric OS Command Reference for additional command information. Table 71 Switch component tests Test Function Performs a functional test of port N to N path. portloopbacktest Performs a read and write test of the ASIC SRAMs and registers.
  • Page 318 Correct the negotiation by entering the portCfgSpeed [slotnumber/]portnumber, speed_level command if the fields in step 5 do not appear. switch:admin> portcfgspeed Usage: portCfgSpeed PortNumber Speed_Level Speed_Level: 0 - Auto Negotiate 1 - 1Gbps 2 - 2Gbps 4 - 4Gbps To check for a loop initialization failure: Verify the port is an L_Port.
  • Page 319: Correcting Marginal Links

    Table 72 SwitchShow output and suggested action Output Suggested action Check the output from the switchShow command to determine whether the Disabled switch is disabled. If the port is disabled (for example, due to persistent disable or security reasons), attempt to resolve the issue and then enter the portEnable command.
  • Page 320: Inaccurate Information In The System Message Log

    Table 73 Loopback modes Loopback mode Description Back-end bypass & SERDES loopback Back-end bypass & internal loopback Check the results of the loopback test and proceed as follows: • If the loopback test failed, the port is bad. Replace the port blade. •...
  • Page 321: Configuring Ftrace For A Tunnel

    Table 74 FTRACE configurable parameters Parameter Default Range Syntax Trace Mask 0x8000 0-0xFFFFFFFF Integer Trigger Mask 0x00000003 0-0xFFFFFFFF Integer After information is captured, you can use the portshow command to display FTRACE information on a GE port for a tunnel. You can save trace events for future analysis. Configuring ftrace for a tunnel Use the following syntax to configure a trace: portcfg -ftrace [slot-number] ge port number [tunnel -id] cfg|del] <opt...
  • Page 322: Recognizing Port Initialization And Fcp Auto Discovery Process

    Recognizing port initialization and FCP auto discovery process The steps in the port initialization process represent a protocol used to discover the type of connected device and establish the port type. The possible port types are as follows: • U_Port—Universal FC port. The base Fibre Channel port type and all unidentified, or uninitiated ports are listed as U_Ports.
  • Page 323: Supported Hardware

    Supported hardware Port mirroring is supported on Condor-based ASIC platforms, including: • HP StorageWorks SAN Switch 4/32 and 4/32B • HP StorageWorks 4/64 SAN Switch • HP StorageWorks 400 MP Router • 4/256 SAN Director and DC Director with chassis option 5 Port mirroring can be used on the following blades within a chassis: •...
  • Page 324: Port Mirroring Considerations

    Port mirroring considerations Before creating port mirror connections, consider the following limitations: • A mirror port can be any port on the same switch as the source identifier port. • Only one domain can be mirrored per chip; after a domain is defined, only mirror ports on the defined domain can be used.
  • Page 325 To delete a port mirror connection between two local switch ports or a local and a remote switch port: Log in to the switch as admin. Type portMirror --del SourceID DestID. For example, to delete the port mirror connection on mirror port 2, you might type: portMirror --del 0x011400 0x240400 To display port mirror connections: Log in to the switch as admin.
  • Page 326 No_Module No_Module Online F-Port 21:00:00:e0:8b:12:8a:be Online E-Port segmented,(No Fabric License) 326 Troubleshooting...
  • Page 327: 15 Administering Npiv

    Administering NPIV This chapter describes the concepts and procedures for administering N-Port ID Virtualization (NPIV). About NPIV NPIV enables a single Fibre Channel protocol port to appear as multiple, distinct ports, providing separate port identification within the fabric for each operating system image behind the port (as if each operating system image had its own unique physical port).
  • Page 328: Configuration Scenarios

    The following example shows the configuration of these parameters: switch:admin> switchdisable switch:admin> configure Configure... Fabric parameters (yes, y, no, n): [no] Virtual Channel parameters (yes, y, no, n): [no] F-Port login parameters (yes, y, no, n): [no] y Maximum logins per switch: (1..4032) [4032] 2048 Maximum logins per port: (1..255) [255] 126 switch:admin>...
  • Page 329 command output indicates whether or not a port is an NPIV F_Port, and identifies the number of virtual N_Ports behind it. Following is sample output from the switchShow command: switch: admin> switchshow switchName:swd77 switchType:32.0 switchState: Online switchMode:Native switchRole:Principal switchDomain: 99 switchId:fffc63 switchWwn:10:00:00:05:1e:35:37:40 zoning:...
  • Page 330: Displaying Login Information

    <output truncated> c0:50:76:ff:fb:00:16:80 50:05:07:64:01:a0:73:b8 Distance: normal portSpeed: N2Gbps Interrupts: Link_failure: 16 Frjt: Unknown: Loss_of_sync: 422 Fbsy: Lli: 294803 Loss_of_sig: Proc_rqrd: Protocol_err: 0 Timed_out: Invalid_word: 0 Rx_flushed: Invalid_crc: Tx_unavail: Delim_err: Free_buffer: Address_err: 1458 Overrun: Lr_in: Suspended: Lr_out: Parity_err: Ols_in: 2_parity_err: Ols_out: CMI_bus_err: Displaying login information Use the portLoginShow command to display the login information for the virtual PIDs of a port.
  • Page 331: 16 Optimizing Fabric Behavior

    Optimizing fabric behavior This chapter describes the Adaptive Networking features. Introduction to adaptive networking Adaptive Networking is a suite of tools and capabilities that enable you to ensure optimized behavior in the SAN. Even under the worst congestion conditions, the Adaptive Networking features can maximize the fabric behavior and provide necessary bandwidth for high-priority, mission-critical applications and connections.
  • Page 332: Ti Zone Failover

    In Figure 21, all traffic entering Domain 1 from N_Port 8 is routed through E_Port 1. Similarly, traffic entering Domain 3 from E_Port 9 is routed to E_Port 12, and traffic entering Domain 4 from E_Port 7 is routed to the device through N_Port 6. Traffic coming from other ports in Domain 1 would not use E_Port 1, but would use E_Port 2 instead.
  • Page 333: General Rules For Ti Zones

    In Figure 23, a dedicated path between Domain 1 and Domain 4 exists, but is not the shortest path. In this situation, if failover is enabled, the TI zone traffic uses the shortest path, even though the E_Ports are not in the TI zone.
  • Page 334: Supported Configurations For Traffic Isolation

    Domain 1 Domain 3 = Dedicated path = Ports in the TI zone Domain 4 Figure 24 TI zone misconfiguration Supported configurations for Traffic Isolation Note the following configuration rules for TI zones: • Traffic Isolation is supported only on the HP StorageWorks 4/8 SAN Switch, 4/16 SAN Switch, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, and 400 Multi-protocol Router, 4/256 SAN Director and DC SAN Backbone Director (short name, DC Director), all configured in Brocade Native Mode (interopmode 0).
  • Page 335: Limitations And Restrictions Of Traffic Isolation

    Limitations and restrictions of Traffic Isolation The following are limitations of TI zones: • A maximum of 255 TI zones can be created in one fabric. A fabric merge resulting in greater than 255 TI zones results in merge failure and the fabrics are segmented. •...
  • Page 336: Modifying Ti Zones

    Modifying TI zones Using the zone --add and zone --remove commands, you can add and remove ports and change the failover option of existing TI zones. If you remove the last member of a TI zone, the TI zone is deleted. To modify a TI zone: Connect to the switch and log in as admin.
  • Page 337: Activating And Deactivating A Ti Zone

    Enter the zone --add command to add ports or change the failover option for an existing TI zone. Enter the zone --remove command to remove ports from an existing TI zone. zone --add [-o optlist] name -p "portlist" zone --remove name -p "portlist" where: A list of options for controlling failover mode.
  • Page 338: Deleting A Ti Zone

    Deleting a TI zone Use the zone --delete command to delete a TI zone from the defined configuration. This command deletes the entire zone; to only remove port members from a TI zone, use the zone --remove command, as described in ”Modifying TI zones”...
  • Page 339: Qos: Sid/Did Traffic Prioritization

    To limit the traffic, you set the maximum speed at which the traffic can flow through a particular F_Port or FL_Port. For example, if you set the rate limit at 4 Gbps, then traffic from a particular device is limited to a maximum of 4 Gbps.
  • Page 340: Qos Zones

    QoS zones You assign high or low priority (QoS level) using a QoS zone. A QoS zone is a special zone that indicates the priority of the traffic flow between a given host/target pair. The members of a QoS zone are WWNs of the host/target pairs.
  • Page 341: Qos On E_Ports

    QoS on E_Ports In addition to configuring the hosts and targets in a zone, you must also enable QoS on individual E_Ports that might carry traffic between the given host and target pairs. Path selection between the “host,target” pairs is governed by FSPF rules and is not affected by QoS priorities. By default, QoS is enabled on E_Ports in port configuration.
  • Page 342: Setting Traffic Prioritization

    • Traffic prioritization is not supported on mirrored ports. • Trunking considerations: If some ports in a trunk group have QoS enabled and some ports have QoS disabled, then two different trunks are formed, one with QoS enabled and one with QoS disabled.
  • Page 343: 17 Administering Advanced Performance Monitoring

    Administering Advanced Performance Monitoring This chapter contains information about the Advanced Performance Monitoring licensed feature. About Advanced Performance Monitoring Based on Frame Filtering technology and a unique performance counter engine, Advanced Performance Monitoring is a comprehensive tool for monitoring the performance of networked storage resources. Advanced Performance Monitoring provides the following monitors: •...
  • Page 344: Advanced Performance Monitoring Commands

    Table 77 lists commands associated with Advanced Performance Monitoring. Advanced Performance Monitor commands are available only to users with the admin or switchAdmin roles. For detailed information on these commands, see the Fabric OS Command Reference. Table 77 Advanced performance monitoring commands Command Description Add an end-to-end monitor to a port.
  • Page 345: Monitoring Al_Pas

    Monitoring AL_PAs You can use the perfShowAlpaCrc command to display the CRC error count for all AL_PA devices or for a single AL_PA on a specific active L_Port. The following example displays the CRC error count for all AL_PA devices on a port: switch:admin>...
  • Page 346: Adding End-To-End Monitors

    NOTE: For end-to-end monitors, CRC counters are not displayed on the 4/8 SAN Switch, 4/16 SAN Switch, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 400 Multi-protocol Router, 4/256 SAN Director, and DC Director switches. Adding end-to-end monitors An end-to-end monitor counts the following items for a port: number of words received, number of words transmitted, and number of CRC errors detected in frames.
  • Page 347: Setting A Mask For End-To-End Monitors

    Monitoring the traffic from Host A to Dev B: Add Monitor 0 to slot 2, port 2 on Switch x, specifying 0x051200 as the SID and 0x111eef as the DID, as shown in the following example: switch:admin> perfaddeemonitor 2/2, "0x051200" "0x111eef" End-to-End monitor number 0 added.
  • Page 348: Deleting End-To-End Monitors

    AL_PA of the SIDs and DIDs for frames transmitted from and received by the port. Figure 29 shows the mask positions in the command. A mask (“ff”) is set on slot 1, port 2 to compare the AL_PA fields on the SID and DID in all frames (transmitted and received) on port 2. The frame SID and DID must match only the AL_PA portion of the specified SID-DID pair.
  • Page 349: Monitoring Filter-Based Performance

    Monitoring filter-based performance Filter-based performance monitoring counts the number of times a frame with a particular pattern is transmitted by a port. Filter-based monitoring is achieved by configuring a filter for a particular purpose. The filter can be a standard filter (for example, a SCSI read command filter that counts the number of SCSI read commands that have been transmitted by the port) or a user-defined filter customized for your particular use.
  • Page 350: Adding Custom Filter-Based Monitors

    switch:admin> perfaddscsimonitor 1/2 SCSI traffic frame monitor #3 added switch:admin> perfaddipmonitor 1/2 IP traffic frame monitor #4 added switch:admin> perfmonitorshow --class FLT 1/2 There are 5 filter-based monitors defined on port 2. ALIAS OWNER_APP FRAME_COUNT OWNER_IP_ADDR ---------------------------------------------------------------- SCSI Read TELNET 0x0000000000000000 SCSI Write TELNET 0x0000000000000000...
  • Page 351: Deleting Filter-Based Monitors

    frame (SOF). When the offset is set to 0, the values 0–7 that are checked against that offset are predefined as shown in Table Table 79 Predefined values at offset 0 Value Value SOFf SOFi2 SOFc1 SOFn2 SOFi1 SOFi3 SOFn1 SOFn3 If the switch does not have enough resources to create a given filter, then other filters might have to be deleted to free resources.
  • Page 352: Identifying Top Bandwidth Users (Top Talkers)

    Identifying top bandwidth users (Top Talkers) Top Talker monitors determine the flows (SID/DID pairs) that are the major users of bandwidth (after initial stabilization). Top Talker monitors measure bandwidth usage data in real-time and relative to the port on which the monitor is installed. NOTE: Initial stabilization is the time taken by a flow to reach the maximum bandwidth.
  • Page 353: Using Top Talker Monitors In Port Mode

    Using Top Talker monitors in port mode Use the perfttmon command to add, delete, and display Top Talker monitors. Refer to the Fabric OS Command Reference for details about the perfttmon command. To add a Top Talker monitor on an F_Port: Connect to the switch and log in as admin.
  • Page 354: Using Top Talker Monitors In Fabric Mode

    For example, to display the top 5 flows on port 7 in WWN (default) format: perfttmon --show 7 5 To display the top flows on slot 2, port 4 on the 4/256 SAN Director or DC Director in PID format: perfttmon --show 2/4 pid switch:admin>...
  • Page 355: Limitations Of Top Talker Monitors

    To display the top flows on domain 2 in PID format: perfttmon --show dom 2 pid switch:admin> perfttmon --show dom 2 pid ======================================== Src_PID Dst_PID MB/sec ======================================== 0xa908ef 0xa05200 6.926 0xa05200 0xa908ef 6.872 0xa905ef 0xa05200 6.830 0xa909d5 0xa05200 6.772 Limitations of Top Talker monitors •...
  • Page 356 slotnumber: Specifies the slot number for a 4/256 SAN Director. For all other switches, this operand is not required. The slot number must be followed by a slash ( / ) and the port number, so that each port is represented by both slot number (1 through 4 or 7 through 10) and port number (0 through 15).
  • Page 357 The following example displays an end-to-end monitor on a port at 6-second intervals: switch:admin> perfMonitorShow --class EE 4/5 6 perfmonitorshow 53, 6: Tx/Rx are # of bytes and crc is # of crc errors ------------- ------------- ------------- ------------- ------------- Rx crc Rx crc Rx crc Rx crc...
  • Page 358 The following example displays a filter-based monitor on a port at 6-second intervals: switch:admin> perfMonitorShow --class FLT 2/5 6 perfmonitorshow 21, 6 #Frames #Frames #Frames #Frames #Frames #Frames #Frames --------------------------------------------------------------- The following example displays filter monitor information on a port: switch:admin>...
  • Page 359: Known Display Problem And Workaround

    Known display problem and workaround When two shared ports on an FC4-48 blade are receiving traffic and the primary port goes offline, all the frames that are out for delivery for the primary port are dropped, but the counters show them as dropped on the secondary port that shares the same area.
  • Page 360 where: class monitor_class: The monitor class, which can be one of EE (end-to-end), FLT (filter-based), or ISL (inter-switch link). The monitor_class operand is required. slotnumber: Specifies the slot number for a 4/256 SAN Director. For all other switches, this operand is not required. The slot number must be followed by a slash ( / ) and the port number, so that each port is represented by both slot number (1 through 4 or 7 through 10) and port number (0 through 15).
  • Page 361: Saving And Restoring Monitor Configurations

    Saving and restoring monitor configurations To save the current end-to-end and filter monitor configuration settings into nonvolatile memory, use the perfCfgSave command: switch:admin> perfcfgsave This will overwrite previously saved Performance Monitoring settings in FLASH. Do you want to continue? (yes, y, no, n): [no] y Please wait ...
  • Page 363: 18 Administering Extended Fabrics

    Administering Extended Fabrics This chapter provides information on implementing Extended Fabrics software. Extended Fabrics licensing To implement long distance dynamic (LD) and long distance static (LS) distance levels, you must first install the Extended Fabrics license. Use the licenseShow command to verify that the license is present on both switches used on both ends of the extended ISL.
  • Page 364: Fibre Channel Data Frames

    Table 80 describes Fibre Channel data frames. Table 80 Fibre Channel data frames: Start of frame, 4 bytes, 32 bits; Standard frame header, 24 bytes, 192 bits; Data (payload), {0 - 2,112} bytes, {0 - 16,896} bits; 4 bytes, 32 bits; End of frame, 4 bytes...
  • Page 365: Fc Switch Port Buffer Credit Requirements For Long Distance Calculations

    FC switch port Buffer Credit requirements for long distance calculations You can calculate how many ports can be configured for long distance on all switch modules or ASICs except Bloom-based switches. For information on the port, speed and distance for Bloom-based ASICs, see Table 82.
  • Page 366: Displaying The Remaining Buffers In A Port Group

    Example: Consider the 4/16 SAN Switch, which has 16 ports and total buffers of 272. The maximum remaining number of buffer credits after each port is reserved is: 272 – (16 * 8) = 144 buffers Where: 16 = the number of ports in a port group retrieved from Table 8 = the number of reserved buffers 272 = a static number retrieved from...
  • Page 367 Enter the portbuffershow command. switch:admin> portbuffershow 1 User Port Max/Resv Buffer Needed Link Remaining Port Type Mode Buffers Usage Buffers Distance Buffers ---- ---- ---- ------- ------ ------- --------- ----- switch:admin>...
  • Page 368: Fabric Considerations

    Table 81 Switch, port speed, and distance with ASIC and buffers Switch blade ASIC Total ports in Total ports in a Reserved model a switch or group buffers for ports blade 4/8 SAN Switch Golden Eye 272/16 or 4/16 SAN Switch SAN Switch Condor...
  • Page 369: Long Distance Link Initialization Activation

    Long distance link initialization activation VC translation link initialization (vc_translation_link_init), a parameter of the portCfgLongDistance command, is enabled by default for long-distance links. To avoid inconsistency in the fabric, make sure that this parameter is enabled on both ends of the link by entering the portCfgLongDistance --vc_translation_link_init command.
  • Page 370 Enter the portCfgLongDistance command, using the following syntax: portcfglongdistance [slotnumber/]portnumber [distance_level] [vc_translation_link_init] [desired_distance] slotnumber: For blades, the slot number in which the blade is located. The slot number must be followed by a slash (/) and the port number. This option is not used for fixed-port switches.
  • Page 371: Extended Isl Modes: 3Xxx Switches (Bloom And Bloom Ii Asics)

    Table 82 lists the extended ISL modes for switches with Bloom-based ASICs. You can configure extended ISL modes with the portCfgLongDistance command when the Extended Fabrics license is activated. Table 82 Extended ISL modes: 3xxx switches (Bloom and Bloom II ASICs) Mode Buffer allocation Distance @ 1 Distance @ 2...
  • Page 373: 19 Administering ISL Trunking

    Administering ISL Trunking This chapter contains procedures for using the ISL Trunking licensed feature, which optimizes the use of bandwidth by allowing a group of interswitch links to merge into a single logical link. About ISL Trunking ISL Trunking reduces or eliminates situations that require static traffic routes and individual ISL management to achieve optimal performance.
  • Page 374: Standard Trunking Criteria

    The maximum number of ports per trunk and trunks per switch depends on the HP model. NOTE: Director blade model FC10-6 does not support trunking. For detailed information about trunking commands, see online help or the Fabric OS Command Reference. Standard trunking criteria Observe the following criteria for standard distance trunking: •...
  • Page 375: Initializing Trunking On Ports

    • Determine the optimal number of trunking groups between each set of linked switches, depending on traffic patterns and port availability. The goal is to avoid traffic congestion without unnecessarily using ports that could be used to attach other switches or devices. Consider these points: •...
  • Page 376 There are three methods of monitoring fabric traffic: • Advanced Performance Monitoring monitors traffic flow and allows you to view the impact of different fabric configurations on performance. See ”Administering Advanced Performance Monitoring” on page 361 for additional information. • Fabric Watch allows you to monitor traffic flow through specified ports on the switch and send alerts when the traffic exceeds or drops below configured thresholds.
  • Page 377: Enabling And Disabling Isl Trunking

    Enabling and disabling ISL Trunking You can enable or disable ISL Trunking for a single port or for an entire switch. When you execute the commands portCfgTrunkPort or switchCfgTrunk to update the trunking configuration, the ports for which the configuration applies are disabled and re-enabled with the new trunk configuration. As a result, traffic through those ports could be disrupted.
  • Page 378: Setting Port Speeds

    Setting port speeds For long-distance ports, if a port is set to autonegotiate port speed, the maximum speed (which is 4 Gbps) is assumed for reserving buffers for the port–this wastes buffers if the port is actually running at 2 Gbps. For long-distance ports, it is best to set the port speed (this applies to the 4/32 SAN Switch, 4/32B SAN Switch and the 4/256 SAN Director only).
  • Page 379: Displaying Trunking Information

    speedlevel: Specifies the speed of the link: • 0—Auto-negotiating mode. The port automatically configures for the highest speed. • 1—one Gbps mode. Fixes the port at a speed of one Gbps. Changing the speed to one Gbps causes the port to be excluded from the trunk group. •...
  • Page 380: Trunking Over Extended Fabrics

    Trunking over extended fabrics In addition to the criteria listed in ”Standard trunking criteria” on page 374, observe the following criteria for trunking over extended fabrics: • ISL Trunking over extended fabrics is supported on switches running Fabric OS 4.4.0 and later. •...
  • Page 381: Trunking Distances

    Trunking distances Enhanced trunking support for switches with Condor ASICs is summarized in Table Table 83 Trunking support for SAN Switch 4/32, 4/32B and 4/64 SAN Switch (Condor ASIC) Mode Distance Number of 2 Gbps ports Number of 4 Gbps ports 10 km 32 (four 8-port trunks) 32 (four 8-port trunks)
  • Page 382: Recognizing Buffer Underallocation

    • Port trunking is disabled. • The port is not an E_Port. • The port is not 2 Gbps, 4 Gbps, or 8 Gbps. • The port connects to different switches. • The ports are not the same speed, or they are not set to a valid speed. •...
  • Page 383: 20 Administering Advanced Zoning

    20 Administering Advanced Zoning About zoning Zoning enables you to partition your SAN into logical groups of devices that can access each other. A device can communicate only with other devices connected to the fabric within its specified zone. For example, you can partition your SAN into two zones, winzone and unixzone, so that your Windows servers and storage do not interact with your UNIX servers and storage.
  • Page 384: Zone Types

    Zone types Table 85 summarizes the types of zoning available. Table 85 Types of zoning Zone type Description Storage-based Storage units typically implement LUN-based zoning, also called LUN masking. LUN-based zoning limits access to the LUNs on the storage port to the specific WWN of the server HBA.
  • Page 385: Zone Objects

    Table 86 Approaches to fabric-based zoning (continued) Zoning Description approach Alternative approaches Application Zoning by application typically requires zoning multiple, perhaps incompatible, operating systems into the same zones. This method of zoning creates the possibility that a minor server in the application suite could disrupt a major server (such as a Web server disrupting a data warehouse server).
  • Page 386: Zoning Schemes

    When a zone object is the port WWN name, only the single port is in the zone. The types of zone objects used to define a zone can be mixed. For example, a zone defined with the zone objects 2,12; 2,14; 10:00:00:80:33:3f:aa:11 contains the devices connected to domain 2, ports 12 and 14, and a device with the WWN (either node name or port name) 10:00:00:80:33:3f:aa:11 that is connected on the fabric.
  • Page 387: Zoning Enforcement

    • Disabled Configuration—The effective configuration is removed from flash memory. When you disable the effective configuration, the Advanced Zoning feature is disabled on the fabric, and all devices within the fabric can communicate with all other devices (unless you previously set up a default zone, as described in ”Activating default zones”...
  • Page 388: Enforcing Hardware Zoning

    • Is available on 1, 2, 4, 8 and 10 Gbps platforms. • Ensures that the name server does not return any information to an unauthorized initiator in response to a name server query. • Is exclusively enforced through selective information presented to end nodes through the fabric Simple Name Server (SNS).
  • Page 389: Hardware-Enforced Nonoverlapping Zones

    Figure 32 shows a fabric with four hardware-enforced zones that don’t overlap. [Figure 32: Hardware-enforced nonoverlapping zones] Figure 33 shows the same fabric components, but with overlapping zones...
  • Page 390: Considerations For Zoning Architecture

    [Figure 35: Session-based hard zoning] In Figure 35, only the overlapping ports are software-enforced with hardware assist. Considerations for zoning architecture Table 88 lists considerations for zoning architecture. Table 88 Considerations for zoning architecture Item Description Type of zoning:...
  • Page 391: Best Practices For Zoning

    Table 88 Considerations for zoning architecture (continued) Item Description Effect of changes in Zone changes in a production fabric can result in a disruption of I/O a production fabric under conditions when an RSCN is issued because of the zone change and the HBA is unable to process the RSCN fast enough.
  • Page 392: Supported Switches For Broadcast Zones

    To restrict broadcast frames reaching broadcast-incapable devices, create a broadcast zone and populate it with the devices that are capable of handling broadcast packets. Devices that cannot handle broadcast frames must be kept out of the broadcast zone so that they do not receive any broadcast frames. You create a broadcast zone the same way you create any other zone except that a broadcast zone must have the name “broadcast”...
  • Page 393: Upgrade And Downgrade Considerations

    You can run zone validate on a broadcast zone to check if it has any invalid members that cannot be enforced in the current AD context. Upgrade and downgrade considerations If you upgrade from a Fabric OS version earlier than 5.3.0 to Fabric OS 5.3.0 or later, you must rename any existing zones named “broadcast”...
  • Page 394: Creating And Managing Zone Aliases

    Creating and managing zone aliases A zone alias is a logical group of ports or WWNs. You can simplify the process of creating zones by first specifying aliases, which eliminates the need for long lists of individual zone member names. If you are creating a new alias using aliCreate w, “1,1”, and a user in another Telnet session executes cfgEnable (or cfgDisable, or cfgSave), the other user’s transaction will abort your transaction and you will receive an error message.
  • Page 395 You are about to save the Defined zoning configuration. This action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled. Do you want to save Defined zoning configuration only? (yes, y, no, n): [no] y To remove members from an alias: Connect to the switch and log in as admin.
  • Page 396: Creating And Maintaining Zones

    Enter the cfgSave command to save the change to the defined configuration. switch:admin> alidelete "array1" switch:admin> cfgsave You are about to save the Defined zoning configuration. This action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled.
  • Page 397 The values represent the following: zonename: The name of the zone to be created. member: A member or list of members to be added to the zone. A zone member can be specified by one or more of the following methods: •...
  • Page 398 To remove devices (members) from a zone: Connect to the switch and log in as admin. Enter the zoneRemove command, using the following syntax: zoneremove "zonename", "member[; member...]" The values represent the following: zonename: The name of the zone to be created. member: A member or list of members to be removed from the zone.
  • Page 399: Activating Default Zones

    The values represent the following: pattern: A POSIX-style regular expression used to match zone names. mode: Specify 0 to display the contents of the transaction buffer (the contents of the current transaction), or specify 1 to display the contents of the nonvolatile memory.
  • Page 400: Merging Zones

    NOTE: If you performed a firmware download of an older release, then the current default zone access state will appear as it did prior to the download. For example, if the d_efault_Cfg was in effect before the download, it will remain in effect afterward. See the Fabric OS Command Reference for additional information on the defZone command.
  • Page 401: Resulting Database Size: 0 To 96K

    Table 90 Resulting database size: 0 to 96K Receiver Fabric Fabric Fabric Fabric Fabric Fabric Fabric Fibre XPath OS OS 2.6 OS 3.1 OS 3.2 OS 4.0/ Channel 4.1/ 4.3/ 5.0.0/ 5.2.0/ Router Initiator 4.4.0 5.0.1/ 5.3.0 5.1.0 Fabric OS 2.6/3.1 Join Join Join...
  • Page 402: Resulting Database Size: 128K To 256K

    Table 92 Resulting database size: 128K to 256K Receiver Fabric Fabric Fabric Fabric Fabric Fabric Fabric OS Fibre XPath 7.3 OS 2.6 OS 3.1 OS 3.2 OS 4.0/ OS 4.3/ 5.2.0/ Channel 4.1/ 4.4.0 5.0.0/ 5.3.0 Router Initiator 5.0.1/ 5.1.0 Fabric OS Segment Segment Segmen...
  • Page 403 Table 93 Resulting database size: 256K to 1M (continued) Receiver Fabric Fabric Fabric Fabric OS Fabric Fabric Fabric Fibre XPath OS 2.6 OS 3.1 OS 3.2 4.0/v OS 4.3/ Channel 4.1/ 4.4.0 5.0.0/ 5.2.0/ Router Initiator 5.0.1/ 5.3.0 5.1.0 Fibre Channel Segment Segment Segment Segment Segment...
  • Page 404: Creating And Modifying Zoning Configurations

    Creating and modifying zoning configurations You can store a number of zones in a zoning configuration database. The maximum number of items that can be stored in the zoning configuration database depends on the following criteria: • Number of switches in the fabric. •...
  • Page 405 The values represent the following: cfgname: The name of the zone configuration. member: The zone name or list of zone names to be added to the configuration. Enter the cfgSave command to save the change to the defined configuration. switch:admin> cfgadd "newcfg", "bluezone" switch:admin>...
  • Page 406 Do you want to save Defined zoning configuration only? (yes, y, no, n): [no] y To clear changes to a configuration: Enter the cfgTransAbort command. When this command is executed, all changes since the last save operation (performed with the cfgSave command) are cleared.
  • Page 407: Maintaining Zone Objects

    For example, to display all zone configurations that start with “Test”: switch:admin> cfgshow "Test*" cfg: Test1 Blue_zone cfg: Test_cfg Red_zone; Blue_zone To view a configuration in the effective zone database: Connect to the switch and log in as admin. Enter the cfgActvShow command. switch:admin>...
  • Page 408 Enter the cfgShow command to verify the new zone object is present. switch:admin> cfgshow "Test*" cfg: Test1 Blue_zone cfg: Test_cfg Red_zone; Blue_zone switch:admin> cfgShow "US_Test1" cfg: Test1 Blue_zone cfg: Test_cfg Red_zone; Blue_zone If you want the change preserved when the switch reboots, enter the cfgSave command to save it to nonvolatile (flash) memory.
  • Page 409 To rename a zone object: Connect to the switch and log in as admin. Enter the cfgShow command to view the zone configuration objects you want to rename. switch:admin> cfgShow Defined configuration: cfg: USA_cfg Red_zone; White_zone; Blue_zone zone: Blue_zone 1,1; array1; 1,2; array2 zone: Red_zone 1,0;...
  • Page 410: Managing Zoning Configurations In A Fabric

    To validate all zones in the zone database in the defined configuration. switch:admin> sw5:root> zone --validate -m 1 Defined configuration: cfg: cfg1 zone1 cfg: cfg2 zone1; zone2 zone: zone1 1,1; ali1 zone: zone2 1,1; ali2 alias: ali1 10:00:00:05:1e:35:81:7f*; 10:00:00:05:1e:35:81:7d* alias: ali2 10:00:00:05:1e:35:81:09*;...
  • Page 411 Before the new fabric can merge successfully, it must pass the following criteria: Before merging zones • To facilitate merging, check the following before merging switches or fabrics: • Zoning licenses: All switches must have a Zoning license enabled. • Native operating mode: All switches must be in the native operating mode. •...
  • Page 412: Splitting A Fabric

    A merge is not possible if any of the following conditions exist: • Configuration mismatch: Zoning is enabled in both fabrics and the zone configurations that are enabled are different in each fabric. • Type mismatch: The name of a zone object in one fabric is used for a different type of zone object in the other fabric.
  • Page 413 IMPORTANT: Use caution using the cfgClear command because it deletes the defined configuration...
  • Page 415: 21 Configuring And Monitoring Fcip Extension Services

    Configuring and monitoring FCIP extension services This chapter describes the FCIP concepts, configuration procedures, and tools and procedures for monitoring network performance. Commands described in this chapter require Admin or root user access. See the Fabric OS Command Reference for detailed information on command syntax. FCIP services licensing Most of the FCIP extension services described in this chapter require the High Performance Extension over FCIP/FC license.
  • Page 416: Platforms That Support San Extension Over Ip

    Platforms that support SAN extension over IP Fabric OS supports SAN extension between 400 Multi-protocol Routers or between FR4-18i blades installed on 4/256 SAN Directors or DC SAN Backbone Directors. The 400 Multi-protocol Router and FR4-18i blade integrate sixteen physical Fibre Channel ports and two physical GbE ports as illustrated in Figure 37 Figure Figure 37...
  • Page 417: Fcip Concepts

    FCIP concepts Fibre Channel over IP (FCIP) enables you to connect Fibre Channel SANs over IP-based networks. 400 Multi-protocol Router and FR4-18i blades use FCIP to encapsulate Fibre Channel frames within IP frames that can be sent over an IP network to a partner 400 Multi-protocol Router or FR4-18i blade. When the IP packets are received, the Fibre Channel frames are reconstructed.
  • Page 418: Compression

    [Figure: office and data center FC SANs with Fibre Channel initiators, connected across an IP WAN network through VE_Ports on 400 MP Routers and on 4/256 SAN Directors with FR4-18i blades]...
  • Page 419: Layer Three Diffserv Code Points (Dscp)

    Layer three DiffServ Code Points (DSCP) Layer three class of service DiffServ Code Points (DSCP) refers to a specific implementation for establishing QoS policies as defined by RFC2475. DSCP uses six bits of the Type of Service (TOS) field in the IP header to establish up to 64 different values to associate with data traffic priority.
  • Page 420: Ipsec Concepts And Implementation Over Fcip

    IPSec concepts and implementation over FCIP Internet Protocol security (IPSec) uses cryptographic security to ensure private, secure communications over Internet Protocol networks. IPSec supports network-level data integrity, data confidentiality, data origin authentication, and replay protection. It helps secure your SAN against network-based attacks from untrusted computers, attacks that can result in the denial-of-service of applications, services, or the network, data corruption, and data and user credential theft.
  • Page 421: Options For Enhancing Tape Write I/O Performance

    Table 96 IPSec terminology (continued) Term Definition HMAC A stronger MAC because it is a keyed hash inside a keyed hash. Security Association is the collection of security parameters and authenticated keys that are negotiated between IPSec peers. The following limitations apply to using IPSec: •...
  • Page 422: Constraints For Fcip Fastwrite And Tape Pipelining

    Constraints for FCIP fastwrite and tape pipelining Consider the constraints described in Table 97 when configuring tunnels to use either of these features. Table 97 Using FCIP fastwrite and tape pipelining FCIP fastwrite Tape pipelining Each GbE port supports up to 2048 Each GbE port supports up to 2048 simultaneous accelerated exchanges, which simultaneous accelerated exchanges, which...
  • Page 423: Unsupported Configurations

    Connection can be VE-VE or VEX-VE Figure 40 Single tunnel, fastwrite and tape pipelining enabled Figure 41 Multiple tunnels to multiple ports, fastwrite and tape pipelining enabled on a per-tunnel/per-port basis Unsupported configurations The following configurations are not supported with fastwrite and tape pipelining. These configurations use multiple equal-cost paths.
  • Page 424: Ficon Emulation Concepts

    VE-VE or VEX-VEX. Figure 42 Unsupported configurations with fastwrite and tape pipelining. FICON emulation concepts FICON emulation supports FICON traffic over IP WANs using FCIP as the underlying protocol. FICON emulation can be extended to support performance enhancements for specific applications...
  • Page 425: Xrc Emulation

    XRC emulation The eXtended Remote Copy (XRC) application is a DASD application that implements disk mirroring, as supported by the disk hardware architecture and a host software component called System Data Mover (SDM). The primary volume and the secondary mirrored volume may be geographically distant across an IP WAN.
  • Page 426: Fcip Services Configuration Guidelines

    FCIP services configuration guidelines There are multiple configuration requirements and options associated with FCIP services. The following general guidelines may be helpful. The steps are presented in an order that minimizes the number of times ports need to be disabled and enabled. In practice, the steps do not have to be taken in this order. Determine if you are implementing IPSec.
  • Page 427: Configuring Ipsec

    Table 98 Command checklist for configuring FCIP links (continued) Step Command 3. If a VEX port is to be implemented, portcfgvexport configure the appropriate virtual port as a VEX_Port. 4. Configure the IP interface for both portcfg ipif ports of a tunnel. 5.
  • Page 428: Ipsec Parameters

    IPSec policies are managed using the policy command. You can configure up to 32 IKE and 32 IPSec policies. Policies cannot be modified; they must be deleted and recreated in order to change the parameters. You can delete and recreate any policy as long as the policy is not being used by an active FCIP tunnel.
  • Page 429: Managing Policies

    Managing policies Use the policy command to create, delete, and show IKE and IPSec policies. To create a new policy: Log in to the switch as admin. At the command prompt, type: policy --create type number [-enc encryption_method][-auth authentication_algorithm] [-pfs off|on] [-dh DH_group] [-seclife secs] where: type and number The type of policy being created (IKE or IPSec) and the number for...
  • Page 430 The example below shows all of the IKE policies defined; in this example, there are two IKE policies. switch:admin06> policy --show ike all IKE Policy 1 ----------------------------------------- Authentication Algorithm: MD5 Encryption: 3DES Perfect Forward Secrecy: off Diffie-Hellman Group: 1 SA Life (seconds): 0 IKE Policy 32 ----------------------------------------- Authentication Algorithm: SHA-1...
  • Page 431: Persistently Disabling Ports

    SACK on Min Retransmit Time 100 Keepalive Timeout 80 Max Retransmissions 9 Status : Active Uptime 1 day, 23 hours, 24 minutes, 46 seconds IKE Policy 7 ----------------------------------------- Authentication Algorithm: MD5 Encryption: 3DES Perfect Forward Secrecy: off Diffie-Hellman Group: 1 SA Life (seconds): 200000 IPSec Policy 7 -----------------------------------------...
  • Page 432: Configuring Ip Interfaces And Ip Routes

    The following example configures a port as a VEX_Port for slot number 8 in port number 18, enables admin, and specifies fabric ID 2 and preferred Domain ID 220: switch:admin06> portcfgvexport 8/18 -a 1 -f 2 -d 220 Configuring IP interfaces and IP routes The IP network connection between two 400 Multi-protocol Router or two FR4-18i blades is configured by defining IP interfaces for origin and destination virtual ports, and then defining one or more IP routes to connect them.
  • Page 433 The following example verifies that the two routes have been successfully created: switch:admin06> portshow iproute 8/ge0 Slot: 8 Port: ge0 IP Address Mask Gateway Metric Flags -------------------------------------------------------------- ---- 192.168.100.0 255.255.255.0 192.168.100.40 Interface 192.168.100.0 255.255.255.0 192.168.100.41 Interface 192.168.11.0 255.255.255.0 192.168.100.1 192.168.12.0 255.255.255.0 192.168.100.1 If you are implementing VLAN tagging, create a static ARP entry for the IP interfaces on both ends of...
  • Page 434: Configuring Fcip Tunnels

    The following example tests the connection between 192.175.5.100 and 192.175.5.200, switch:admin06> portcmd --ping ge0 -s 192.175.5.100 -d 192.175.5.200 Pinging 192.175.5.200 from ip interface 192.175.5.100 on 0/ge0 with 64 bytes of data Reply from 192.175.5.200: bytes=64 rtt=1ms ttl=64 Reply from 192.175.5.200: bytes=64 rtt=0ms ttl=64 Reply from 192.175.5.200: bytes=64 rtt=0ms ttl=64 Reply from 192.175.5.200: bytes=64 rtt=1ms ttl=64 Ping Statistics for 192.175.5.200:...
  • Page 435: Configuring Ficon Emulation

    Enables FCIP fastwrite. Enables VC QoS mapping. Enables tape pipelining. If tape pipelining is enabled, fastwrite must also be enabled. -n remote_wwn: The remote-side FC entity WWN. -k timeout: The keep-alive timeout in seconds. The range of valid values is 8 through 7,200 sec and the default is 10.
  • Page 436 Where: slot: The number of a slot in a 4/256 SAN Director or DC Director chassis that contains an FR4-18i blade. This parameter does not apply to the stand-alone 400 Multi-protocol Router. ge0|ge1: The Ethernet port used by the tunnel (ge0 or ge1). The tunnel number (0 - 7).
  • Page 437: Configuring Ftrace

    Configuring FTRACE FTRACE is a support tool primarily for use by Tech Support personnel. FTRACE includes the ability to freeze traces on certain events, and to retain the trace information for future examination. The syntax for the portcfg ftrace command is as follows: portcfg ftrace [slot/]ge0|ge1 tunnel_Id cfg [-a 1|0] [-b value] [-e 1|0] [-i value] [-p value] [-r value] [-s value] [-t value] [-z value] Where:...
  • Page 438 The following example shows an active tunnel with FCIP fastwrite and tape pipelining enabled: switch:admin06> portshow fciptunnel ge0 all ------------------------------------------- Tunnel ID 0 Remote IP Addr 10.0.10.224 Local IP Addr 10.0.10.225 Remote WWN Not Configured Local WWN 10:00:00:05:1e:37:91:dd Compression on Fastwrite on Tape Pipelining on Uncommitted bandwidth, minimum of 1000 Kbps (0.001000 Gbps)
  • Page 439 To verify that a VE_Port or VEX_Port is online, use the switchShow command to view and verify that the FCIP tunnel is online. switch:admin06> portenable 8/18 switch:admin06> portenable 8/19 switch:admin06> switchshow switchName:switch switchType:42.2 switchState:Online switchMode:Native switchRole:Subordinate switchDomain:4 switchId:fffc04 switchWwn:10:00:00:60:69:80:0d:bc zoning:ON (LSAN001) switchBeacon:OFF blade3 Beacon: blade4 Beacon:...
  • Page 440: Enabling Persistently Disabled Ports

    Enabling persistently disabled ports Before an FCIP tunnel can be used, the associated ports must be persistently enabled. NOTE: VEX_Port Users: If the fabric is already connected, you must leave the ge0 and ge1 ports disabled until after you have configured the VEX_Port; this will prevent unintentional merging of the two fabrics. To enable a persistently disabled port: Enter the portCfgShow command to view ports that are persistently disabled.
  • Page 441 Enter the portCfgShow command to verify the port is persistently enabled as shown below: switch:admin06> portcfgpersistentenable 8/16 switch:admin06> portcfgpersistentenable 8/17 switch:admin06> portcfgpersistentenable 8/18 switch:admin06> portcfgpersistentenable 8/19 switch:admin06> portcfgshow Ports of Slot 8 9 10 11 12 13 14 15 -----------------+--+--+--+--+----+--+--+--+----+--+--+--+----+--+--+ Speed AN AN AN AN AN AN AN AN...
  • Page 442: Modify And Delete Command Options

    Modify and delete command options Command options are available that allow you to modify or delete configured elements. NOTE: Using the Modify option disrupts traffic on the specified FCIP tunnel for a brief period of time. Modifying FCIP tunnels Use the portCfg fcipTunnel command to modify FCIP tunnels (you must specify at least one characteristic to modify).
  • Page 443: Modifying/Deleting Qos Settings

    -p control_L2Cos: The layer 2 class of service used for control traffic. -P data_L2Cos: The layer 2 class of service used for data traffic. The following example shows two FCIP tunnels created on slot 8, port ge0; the first with an uncommitted bandwidth (0), and the second with a committed bandwidth of 10000 b/sec: switch:admin06>...
  • Page 444 modify: The modify option changes the FICON emulation configuration options and parameters. The following options turn features on and off. The associated tunnels must be disabled to modify the option settings. If you attempt to do them on an enabled tunnel, the operation is not allowed, and you are prompted to disable the...
  • Page 445: Deleting An Fcip Tunnel

    wrtMaxChains value: Defines the maximum amount of data that can be contained in a single CCW chain. If this value is exceeded, emulation is suspended. oxidBase value: Defines the base value of an entry pool of 256 OXIDs supplied to emulation generated exchanges.
  • Page 446: Troubleshooting Fcip Links

    NOTE: If you do not specify a destination IP address, the destination address defaults to 0.0.0.0, and all frames are tagged with the associated VLAN tag. FCIP and ipPerf create and maintain entries in the VLAN tag table through their own configuration procedures.
  • Page 447: Wan Performance Analysis Tools

    WAN performance analysis tools Introduced in Fabric OS 5.2.0, WAN analysis tools are designed to test connections, trace routes, and estimate the end-to-end IP path performance characteristics between a pair of HP FCIP port endpoints. WAN tools include the following commands and options: •...
  • Page 448: Wan Tool Performance Characteristics

    WAN tool performance characteristics Table 101 lists the end-to-end IP path performance characteristics that you can display using the portCmd ipPerf command and option. All four of the base ipPerf performance characteristics (bandwidth, loss, RTT, PMTU) are provided in the command output in Fabric OS 5.2.0 or later. Table 101 WAN tool performance characteristics Characteristic...
  • Page 449: Wan Tool Ipperf Syntax

    To start an ipPerf session: Configure the receiver test endpoint using the CP CLI. The syntax for invoking the receiver test endpoint using ipPerf for slot 8, port ge0 on an FR4-18i is as follows: portcmd --ipperf 8/ge0 -s 192.168.255.10 -d 192.168.255.100 -R Configure the sender test endpoint using a similar CP CLI.
  • Page 450: Using Portcmd Ping

    • Default size—1MSS Following is the syntax for portCmd ipPerf to display end-to-end IP path performance statistics: portCmd --ipPerf [slot]/ge0|ge1 -s source_ip -d destination_ip -S|-R [-r rate] [-z size] [-t time] [-i interval] [-p port] [-q diffserv] [-v vlan_id] [-c L2_Cos] Where: The source IP address.
  • Page 451: Using Portcmd Traceroute

    Where: slot: The number of a slot in a 4/256 SAN Director or DC Director chassis that contains an FR4-18i blade. This parameter does not apply to the stand-alone 400 Multi-protocol Router. ge0|ge1: The Ethernet port used by the tunnel (ge0 or ge1). The source IP interface that originates the ping request.
  • Page 452: Fcip Tunnel Performance Characteristics

    -h max_hops: The maximum number of IP router hops allowed for the outbound probe packets. If this value is exceeded, the probe is stopped. The default is 30. -f first_ttl: The initial time to live value for the first outbound probe packet. The default value is 1.
  • Page 453 2013762456 compressed Bytes 33208083 Bps 30s avg, 4760667 Bps lifetime avg 7.35 compression ratio FC control traffic TCP connection: Local 192.175.4.100:4139, Remote 192.175.4.200:3225 Performance stats: 849 output packets 0 pkt/s 30s avg, 2 pkt/s lifetime avg 173404 output Bytes 39 Bps 30s avg, 409 Bps lifetime avg 0 packets lost (retransmits) 0.00% loss rate 30s avg 806 input packets...
  • Page 454 Uptime 7 minutes, 3 seconds FC control traffic TCP connection: Local 192.175.4.100:4139, Remote 192.175.4.200:3225 Runtime parameters: Send MSS 1456 Bytes Sender stats: smoothed roundtrip 50 ms, variance 0 peer advertised window 1874944 Bytes negotiated window scale (shift count) 9 congestion window 149649 Bytes slow start threshold 1875000 Bytes operational mode: slow start 2 packets queued: TCP sequence# MIN(2950582519)
  • Page 455: Ficon Performance Statistics

    FICON performance statistics You can use the portShow fcipTunnel command to view the performance statistics and monitor the behavior of an online FCIP tunnel. This additional information is reported in the details of the command output. portshow ficon [Slot/]ge0|ge1 all|tunnel_id [arguments] Where: The slot number of a blade in a multi-slot chassis.
  • Page 456: Ftrace Output Control And Display

    PARAMETERS TunnelId WrtPipe RdPipe WrtDevs RdDevs WrtTimer WrtChain OxidBase DebugFlags 0000 0000000 0x0000 0x00000000 0000 0000000 0x0000 0x00000000 0000 0000000 0x0000 0x00000000 0000 0000000 0x0000 0x00000000 0000 0000000 0x0000 0x00000000 0000 0000000 0x0000 0x00000000 0000 0000000 0x0000 0x00000000 0000 0000000 0x0000 0x00000000 FTRACE output control and display...
  • Page 457: Fc Fastwrite Concepts

    Enable: Enable traces for a tunnel. Filter: Display the active trace filters. Help: Display this menu. Display traces in HEX. INDex xx: Display traces starting at index 'xx'. INOxid 0-FFFF: Set/Reset the inbound FC OXID filter. Lcontrol: Set/Reset the FICON link control frame filter. Display the next trace records.
  • Page 458: Platforms And Os Requirements For Fc Fastwrite

    Channel ISLs implemented through the FC-FC Routing Service (FRS) rather than FCIP. FC fastwrite is supported in Fabric OS 5.3.x and later. Figure 43 Typical network topology for FC fastwrite. Platforms and OS requirements for FC fastwrite Fabric OS supports FC fastwrite between two 400 Multi-protocol Router or two 4/256 SAN Directors with FR4-18i blades connected by a Fibre Channel network.
  • Page 459: Fc Fastwrite Flow Configuration Requirements

    The PI continues to stage data received from the initiator, respond locally to Transfer Ready, and send the data to the target device until the target device sends an FCP_RSP. Figure 44 How FC fastwrite works FC fastwrite can improve Write performance. Read performance is unaffected. The gains seen from enabling FC fastwrite depend on several factors, including the following: •...
  • Page 460: Configuring And Enabling Fc Fastwrite

    Configuring and enabling FC fastwrite The FC-FC (Fibre Channel) Routing Service provides Fibre Channel routing between two or more fabrics without merging those fabrics. The FC-FC Routing Service can be simultaneously used as a Fibre Channel router and for SAN extension over wide area networks (WANs) using FCIP. Take the following steps to configure and enable FC fastwrite.
  • Page 461 Repeat steps 1 through 3 for the blade or switch on the other end of the FC fastwrite path. Use the portshow command to verify that FC fastwrite is enabled. rack1_6a1:root> portshow 3/3 portName: portHealth: HEALTHY Authentication: None portDisableReason: None portCFlags: 0x1 portFlags: 0x20b03 PRESENT ACTIVE F_PORT G_PORT U_PORT...
  • Page 462: Disabling Fc Fastwrite On A Blade Or Switch

    Disabling FC fastwrite on a blade or switch Disable FC fastwrite using the fastwritecfg command. Disabling FC fastwrite with this command disrupts data traffic. For the FR4-18i blade, the command powers the blade off and back on. In the case of the 400 Multi-protocol Router, the switch is rebooted.
  • Page 463: A Configuring The Pid Format

    Configuring the PID format Port identifiers (called PIDs) are used by the routing and zoning services in Fibre Channel fabrics to identify ports in the network. All devices in a fabric must use the same PID format, so when you add new equipment to the SAN, you might need to change the PID format on legacy equipment.
  • Page 464: Impact Of Changing The Fabric Pid Format

    In addition to the PID formats list here, Interoperability mode supports additional PID formats that are not discussed in this guide. Impact of changing the fabric PID format If your fabric contains switches that use Native PID, it is recommended that you change the format to Core PID before you add the new, higher port count switches and directors.
  • Page 465: Changes To Configuration Data

    Changes to configuration data Table 102 lists various combinations of before-and-after PID formats, and indicates whether the configuration is affected. NOTE: After changing the fabric PID format, if the change invalidates the configuration data (see Table 102 to determine this), do not download old (pre-PID format change) configuration files to any switch on the fabric.
  • Page 466: Evaluating The Fabric

    Table 103 shows various combinations of existing fabrics, new switches added to those fabrics, and the recommended PID format for that combination. The criteria for the recommendations are first to eliminate host reboots, and second to minimize the need for a host reboot in the future. Table 103 PID format recommendations for adding new switches Existing Fabric OS versions;...
  • Page 467 Collect device, software, hardware, and configuration data. The following is a non-comprehensive list of information to collect: • HBA driver versions • Fabric OS versions • RAID array microcode versions • SCSI bridge code versions • JBOD drive firmware versions •...
  • Page 468: Planning The Update Procedure

    If either of the first two options are used, the procedures should again be validated in the test environment. Determine the behavior of multipathing software, including but not limited to: • HBA time-out values • Multipathing software time-out values • Kernel time-out values Planning the update procedure Whether it is best to perform an offline or online update depends on the uptime requirements of the site.
  • Page 469: Offline Update

    Offline update The following steps are intended to provide SAN administrators a starting point for creating site-specific procedures. Schedule an outage for all devices attached to the fabric. Back up all data and verify backups. Shut down all hosts and storage devices attached to the fabric. Disable all switches in the fabric.
  • Page 470: Converting Port Number To Area Id

    Before changing the PID format, determine if host reboots will be necessary. The section "Host reboots" on page 464 summarizes the situations that may require a reboot. switch:admin> switchdisable switch:admin> configure Configure... Fabric parameters (yes, y, no, n): [no] y Domain: (1..239) [1] BB credit: (1..27) [16] R_A_TOV: (4000..120000) [10000]...
  • Page 471: San Director With Extended Edge Pid

    Figure 45 4/256 SAN Director with extended edge PID
  • Page 472: Performing Pid Format Changes

    Performing PID format changes There are several routine maintenance procedures which might result in a device receiving a new PID. Examples include, but are not limited to: • Changing compatibility mode settings • Changing switch domain IDs • Merging fabrics •...
  • Page 473: Hp/Ux Procedure

    Enter the switchEnable command to re-enable the switch. For example: switch:admin> switchdisable switch:admin> configure Configure... Fabric parameters (yes, y, no, n): [no] yes Domain: (1..239) [1] R_A_TOV: (4000..120000) [10000] E_D_TOV: (1000..5000) [2000] Data field size: (256..2112) [2112] Sequence Level Switching: (0..1) [0] Disable Device Probing: (0..1) [0] Suppress Class F Traffic: (0..1) [0] SYNC IO mode: (0..1) [0]...
  • Page 474 Change to /dev and untar the file that was tarred in step 4. For example: tar -xf /tmp/jbod.tar Import the volume groups using vgimport. The proper usage would be vgimport -m <mapfile> <path_to_volume_group> <physical_volume_path>. For example: vgimport -m /tmp/jbod_map /dev/jbod /dev/dsk/c64t8d0 /dev/dsk/c64t9d0 Activate the volume groups using vgchange.
  • Page 475: Aix Procedure

    AIX procedure This procedure is not intended to be comprehensive. It provides a starting point from which a SAN administrator can develop a site-specific procedure for a device that binds automatically by PID, and cannot be rebooted due to uptime requirements. Back up all data.
  • Page 476: Swapping Port Area Ids

    Swapping port area IDs If a device that uses port binding is connected to a port that fails, you can use port swapping to make another physical port use the same PID as the failed port. The device can then be plugged into the new port without the need to reboot the device.
  • Page 477: B Implementing An Interoperable Fabric

    Implementing an interoperable fabric This appendix provides information on setting up a heterogeneous fabric that includes Fabric OS switches and McDATA Enterprise OS switches (M-EOS). IMPORTANT: These features are not supported at the time of the release of this document. Please check with your sales representative or http://www.hp.com regarding HP support of the interoperability features.
  • Page 478: Determining Mcdata-Unaware Features

    Table 104 McDATA-aware features (continued) Feature Behavior FCR Fabric OS L2 SANtegrity Supported only in McDATA Fabric mode. Name server Displays the device PID with domain offset. For example, a host attached to a switch with domain value 1 will have a (nsShow, nsCamShow, default PID of 0x61AAPP.
  • Page 479: Supported Connectivity For Fabric 6.0

    Supported Connectivity for Fabric 6.0 Brocade switches can directly connect to the following Brocade M-series (formerly McDATA) directors: Mi10k, M6140, M6064 and switches: 4700, 4400, 4500, 4300, 3232, 3216, 3032, 3016. Other M-EOS 9.6.2 products can reside in the same fabric as a Brocade switch but cannot directly connect to it.
  • Page 480 Table 106 Complete feature compatibility matrix (continued) Config Download/Upload DHCP Environmental Monitor Error Event Management Extended Fabrics Displays the credit number in the configure command. Fabric Device Management Interface (FDMI) Fabric Watch FICON (includes CUP) High Availability HCL (Hot Code Load) in Fabric OS Interoperability •...
  • Page 481: M-Eos 9.6.2 Features Supported In Fabric Os 6.0

    Table 106 Complete feature compatibility matrix (continued) Speed Negotiation Syslog Daemon Trunking • Frame-level ISL Trunking from Brocade to Brocade: Yes - McDATA Fabric Mode only • Frame-level ISL Trunking from Brocade to McDATA: • Load balancing from Brocade to Brocade using DLS or DPS: Yes •...
  • Page 482: Trunking

    Trunking HP switches support trunking when participating in an M-EOS Native fabric. Trunk ports (bandwidth aggregation) only apply to ISL between two HP switches. NOTE: Trunking is allowed between Brocade switches in Native mode only. Trunking is disabled between Brocade switches running in McDATA Open Fabric mode. •...
  • Page 483: Supported Switches

    The following licensed features are not supported with Fabric OS 6.0: Table 108 Unsupported features License Feature Advanced Zoning In Fabric OS 6.0, Advanced Zoning does require a license. Zoning is configured through M-EOS switches. Fabric Manager Enables administration, configuration, and maintenance of fabric switches and SANs with host-based software.
  • Page 484: Supported Features Mcdata Fabric Mode (Interopmode 2)

    Supported features McDATA Fabric mode (interopmode 2) The following features are supported in Fabric OS 6.0: • Zone activation Zoning managed through EFCM • ESA frame support • Coordinated Hot Code Load • FCR E_Port SANtegrity • Fabric OS L2 SANtegrity Support •...
  • Page 485: Mcdata Open Fabric Mode Configuration Restrictions

    McDATA Open Fabric mode configuration restrictions • Maximum 200 devices. • Maximum 4 switch (domain ID) limitation. • Domain IDs must be in the 97 to 127 value range on Fabric OS switches for successful connection to McDATA switches. The firmware automatically assigns a valid domain ID, if necessary. If Fabric OS 6.0 is installed on a Brocade switch, and when McDATA Open Fabric is enabled on the switch, then from a McDATA perspective, 97-127 appear as 1-31.
  • Page 486: Zone Name Restrictions

    • Brocade switches connected to McDATA switches receive the effective configuration when a zone merge occurs. (McDATA only has an effective zone configuration and discards the defined zone configuration when it sends merge information to the Brocade switch.) However, a zone update sends the defined and effective configuration to all switches in the fabric.
  • Page 487: Safe Zone

    Safe zone Safe zoning is a fabric-wide parameter that ensures that the resulting zone set of two merged fabrics is consistent with the pre-merged zone sets. When you enable Safe zone, the Default Zone must be disabled and the zoning configuration of neighboring switches must match completely before the zoning can merge. To allow a Brocade switch into an M-EOS Native fabric, safe zoning must be disabled.
  • Page 488 To view zoning configurations: Enter the cfgShow command to view the zoning configuration. • switch:admin cfgShow Default Zone: OFF Safe Zone: OFF Defined configuration: cfg: switch set switch1; sqitch2; switch3; switch4 zone: switch1 dd:dd:dd:dd:aa:aa:aa:aa; bb:bb:bb:cc:cc:cd:dd:dd zone: switch2 23:34:87:23:50:72:35:07; 12,64 [output truncated] Effective configuration: cfg: switch set...
  • Page 489: Moving To Mcdata Open Fabric Mode From Earlier Fabric Os Versions

    Moving to McDATA Open Fabric mode from earlier Fabric OS versions To move from interopmode 1 under Fabric OS 5.3 to Open Fabric mode: Enter the switchDisable command to disable the switch. switch:admin> switchdisable Enter the interopmode 0 command (native Brocade mode). Upgrade to Fabric OS 6.0.
  • Page 490: Enabling Mcdata Fabric Mode

    Enabling McDATA Fabric mode When McDATA Fabric mode is turned on, the OUI portion of the switch WWN is no longer replaced with a McDATA OUI. All existing zoning configurations will be cleared. To enable McDATA Fabric mode Verify that you have implemented all the Brocade prerequisites necessary to enable interopmode 2 on the fabric (see "McDATA Fabric mode configuration restrictions"...
  • Page 491: Enabling Brocade Native Mode

    Enabling Brocade Native mode When you change the mode from McDATA Fabric or McDATA Open Fabric mode to Brocade Native mode, existing configurations will be erased and the switch must assume the zone configuration from the fabric it joins or a new configuration must be configured. When you change the switch to Brocade Native mode, all configuration parameters return to their default states and can be modified using the configure command.
  • Page 492: Fcr Santegrity (Fabric Binding)

    NOTE: Turning off McDATA Enterprise Fabric mode does NOT turn off any of the features that it turned Enabling Fabric Binding using EFCM will automatically enable Insistent Domain ID on all Fabric OS and McDATA switches in the fabric. Disabling Fabric Binding does not turn off Insistent Domain ID. EFCM automates the Fabric Binding configuration process.
  • Page 493: Support For Coordinated Hot Code Load

    On the FCR, enter the portcfgexport command to configure the preferred domain ID. This preferred domain ID will become Insistent whenever Fabric Binding is enabled. If the port is not already set to McDATA Fabric mode, this command may also be used to set it. Enable the EX_Port configured in the previous step.
  • Page 494: Activating Hot Code Load

    Table 110 Hot Code upgrade considerations Fabric OS Versions Notes Upgrading from any other down-level release • Must upgrade to Brocade Native mode, and then change the interopmode; cannot be in McDATA Open Fabric mode before the upgrade. • The upgrade is disruptive or has the potential to be disruptive.
  • Page 495: C Understanding Legacy Password Behavior

    Understanding legacy password behavior This appendix provides password information for early versions of Fabric OS firmware. Password management information Table 111 describes the password standards and behaviors between various versions of firmware. Table 111 Account/password characteristics matrix Topic 4.0.0 4.1.0 to 4.2.0...
  • Page 496: Password Prompting Behaviors

    Table 111 Account/password characteristics matrix (continued) Topic 4.0.0 4.1.0 to 4.2.0 4.4.0 and later Can passwd change Yes, but will ask for Yes; if users connect as 4.4.0 to 5.1.0 only: higher-level passwords? For the “old password” admin, they can change Yes, if users connect as example, can admin change of the higher-level...
  • Page 497: Password Migration During Firmware Changes

    Password migration during firmware changes Table 113 describes the expected outcome of password settings when upgrading or downgrading firmware for various Fabric OS versions. Table 113 Password migration behavior during firmware upgrade/downgrade Topic 4.4.0 to 5.0.1 5.0.1 and later Passwords used when upgrading to a Default accounts and passwords Default accounts and passwords...
  • Page 499: D Using Remote Switch

    Using Remote Switch This appendix provides information on the Remote Switch feature. About Remote Switch The Remote Switch feature, which aids in ensuring gateway compatibility, was formerly a licensed feature. Its functionality is now available as part of the Fabric OS standard feature set through the use of the portCfgIslMode command, which is described in "Linking through a gateway"...
  • Page 500 You may be required to reconfigure the following parameters, depending on the gateway requirements: NOTE: Consult your gateway vendor for supported and qualified configurations. • R_A_TOV: Specify a Resource Allocation Timeout Value compatible with your gateway device. • E_D_TOV: Specify an Error Detect Timeout Value compatible with your gateway device. •...
  • Page 501: E Zone Merging Scenarios

    Zone merging scenarios Table 115 provides information on merging zones and the expected results. Table 115 Zone merging scenarios Description Switch A Switch B Expected results Switch A has a defined defined: defined: none Configuration from Switch A to configuration...
  • Page 502 Table 115 Zone merging scenarios (continued) Description Switch A Switch B Expected results Effective configuration mismatch. defined: cfg1 defined: cfg2 Fabric segments due to: Zone zone1: ali1; ali2 zone2: ali3; ali4 Conflict cfg mismatch effective: cfg1 effective: cfg2 zone1: ali1; ali2 zone2: ali3;...
  • Page 503 Table 115 Zone merging scenarios (continued) Description Switch A Switch B Expected results Same default zone access mode defzone: allaccess defzone: allaccess Clean merge — defzone settings. configuration is allaccess in the fabric. Same default zone access mode defzone: noaccess defzone: noaccess Clean merge —...
  • Page 505: Index

    Index alias members and removing FICON CUP licenses AAA service requests custom filter-based monitors aaaConfig command end-to-end monitors access filter-based monitors browser support members to a zone configuration changing account parameters port mirror connection control RADIUS configuration CP blade standard filter-based monitors creating accounts switches to a zone deleting accounts...
  • Page 506 auto-leveling, FR4-18i blade chassisshow command checking connected switches status backbone fabric ID choosing backbone-to-edge routing a CA backing up clearing a configuration FICON management database basic monitor counters card management collecting performance data PID procedure command basic connections advanced performance monitoring blocking listeners chassisname boot password...
  • Page 507 secPolicyShow other switches slotshow connecting to devices supportsave connecting to other switches supportShow connecting to the command line interface userConfig connection version restrictions configuration serial FICON environment switched point-to-point telnet FICON environment, cascaded conserving power high-integrity fabric controlling access save to a host controlling topology discovery settings, FICON environment conventions...
  • Page 508 zone configurations enabling and disabling ISL trunking zones enabling and disabling local authentication deleting end-to-end monitors enabling and disabling the platform services deleting filter-based monitors encryption designing fabric for trunking end-to-end monitoring deskew end-to-end monitors deskew values adding displaying deleting devices, connecting restoring configuration devices, proxy...
  • Page 509 fddCfg fddCfg command storage web site feature licenses Subscriber’s choice web site Fibre Channel NAT technical support Fibre Channel over IP HP/UX procedure Fibre Channel routing HTTP FICON HTTPS FICON environment certificates, security cascaded configuration hybrid update configuration settings disabling IDID mode displaying link incidents configuring users...
  • Page 510 setting matching fabric parameters McDATA transaction, for licensed features members keys policy purchasing policy, adding policy, removing merging zones legacy FCR switches license ID mibCapability license key Migrating from an AP7420 to a Brocade 7500 activating modifying licenseadd command zoning configurations licensed features modifying the FCS policy licenseIdShow...
  • Page 511 recovery port-based routing recovery string portDisable rules portEnable set PROM portLog command password expiration policy ports password management information activating POD password migration during firmware changes identifying by port area ID password policies identifying by slot and port number password prompting behaviors status of password recovery options ports, swapping...
  • Page 512 alias members obtaining certificates end-to-end monitors secure protocols, supported filter-based monitors setting levels licensed feature SNMP traps members from a zone configuration SSH, certificate zone members SSL, certificate renaming Admin Domains security and zoning resolving zone conflicts selecting a PID format restoring a configuration Selecting Authentication Protocols restoring a segmented fabric...
  • Page 513 synchronize certificates, security date and time SSL protocol syslogd configuring configuring standard filter-based monitors system-defined Admin Domains standard trunking criteria systemGroup standby CP blade static PID mapping errors tag field, interpreting static route Tape pipelining storage-based zoning tape write acceleration Subscriber’s choice, HP TCP/IP summary of PID formats...
  • Page 514 using aliases, creating and managing certificates configurations using dynamic load sharing configurations, creating and maintaining using FICON CUP configuring rules using legacy commands for SNMPv1 creating using the snmpconfig command creating a configuration using zoning to administer security database size default zone mode defined zone configuration deleting...
  • Page 515: Figures

    Figures DH-CHAP authentication ............110 Fabric with two Admin Domains .
  • Page 517 Tables Switch model naming matrix ........... . . 19 Document conventions .
  • Page 518: Trunking Support For 4/256 San Director And Dc Directors With Supported Blades (Condor And Condor2 Asic)

    59 Brocade-McDATA M-EOSn interoperability compatibility matrix ......246 60 portCfgExPort -m values ............248 61 Fabric OS commands related to FICON and FICON CUP .

This manual is also suitable for:

Ae370a - brocade 4gb san switch 4/12
