About this guide This guide provides information about: • Installing and configuring Fabric OS 6.1.x • Managing user accounts • Using licensed features Supported Fabric OS 6.1.x HP StorageWorks hardware Table 1 lists Brocade and HP StorageWorks product models supported by Fabric OS 6.1.x. Table 1 Switch model naming matrix Brocade product name...
Intended audience This guide is intended for system administrators with knowledge of: • Storage area networks • HP StorageWorks Fibre Channel SAN switches Related documentation The following documents provide related information: • HP StorageWorks Fabric OS 6.1.x release notes • Web Tools administrator’s guide You can find these documents from the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals...
NOTE: Provides additional information. TIP: Provides helpful hints and shortcuts. Rack stability Rack stability protects personnel and equipment. WARNING! To reduce the risk of personal injury or damage to equipment: • Extend leveling jacks to the floor. • Ensure that the full weight of the rack rests on the leveling jacks. •...
Subscription service HP recommends that you register your product at the Subscriber's Choice for Business website: http://www.hp.com/go/e-updates. After registering, you will receive e-mail notification of product enhancements, new driver versions, firmware updates, and other product resources. HP websites For additional product information, see the following HP websites: •...
Standard features This chapter describes how to configure your HP StorageWorks SAN using the Fabric OS Command Line Interface (CLI). Before you can configure a Storage Area Network (SAN), you must power-up the Director or switch and blades, and then set the IP addresses of those devices. Although this chapter focuses on configuring a SAN using the CLI, you can also use the following methods to configure a SAN: •...
The following commands display help for specific topics related to configuring your SAN:
• diagHelp: Diagnostic help information
• ficonHelp: FICON help information
• fwHelp: Fabric Watch help information
• iscsiHelp: iSCSI help information
• licenseHelp: License help information
• perfHelp: Performance Monitoring help information
• routeHelp: Routing help information
• trackChangesHelp: Track Changes help information...
Verify that the login was successful. The prompt displays the switch name and user ID to which you are connected. login: admin password: xxxxxxx switch:admin> Using a console session on the serial port Note the following behaviors for serial connections: •...
Every logical switch (domain) has a set of default accounts. The root and factory default accounts are reserved for development and manufacturing. The user account is primarily used for system monitoring. For more information on default accounts, see ”About the default accounts”...
Changing password for user Enter new password: ******** Password changed. Saving password to stable storage. Password saved to stable storage successfully. switch:admin> Configuring the Ethernet interface You can use Dynamic Host Configuration Protocol (DHCP) for the Ethernet network interface configuration. The Ethernet (network) interface provides management access, including direct access to the Fabric OS CLI, and allows other tools, such as Web Tools, to interact with the switch.
Setting static Ethernet addresses Use static Ethernet network interface addresses on HP StorageWorks 2/128, 4/256 SAN Director, DC Director models, and in environments where DHCP service is not available. To use static addresses for the Ethernet interface, you must first disable DHCP. You may enter static Ethernet information and disable DHCP at the same time.
Activating DHCP By default, some HP switches have DHCP enabled; check the latest Fabric OS 6.x release notes for a complete list of switches. The 4/256 SAN Director and DC SAN Backbone Director (short name, DC Director) do not support DHCP. The Fabric OS DHCP client supports the following parameters: •...
When you are prompted for DHCP[On], disable it by entering off.
switch:admin> ipaddrset
Ethernet IP Address [192.168.74.102]:
Ethernet Subnetmask [255.255.255.0]:
Fibre Channel IP Address [220.220.220.2]:
Fibre Channel Subnetmask [255.255.0.0]:
Gateway IP Address [192.168.74.1]:
DHCP [On]:off
Setting the date and time
Switches maintain the current date and time inside a battery-backed real-time clock (RTC) circuit.
IMPORTANT: If you are downgrading to a Fabric OS version earlier than 6.x, or retaining the offset format, see prior versions of the Fabric OS Administrator’s Guide for detailed information about setting time zones using the offset format. See ”About the firmware download process”...
The following procedure describes how to set the current time zone using interactive mode to Pacific Standard Time. To set the time zone interactively: Type the tsTimeZone command as follows: switch:admin> tstimezone --interactive You are prompted to select a general location. Please identify a location so that time zone rules can be set correctly.
The following example shows how to set up more than one NTP server using a DNS name: switch:admin> tsclockserver "10.32.170.1;10.32.170.2;ntp.localdomain.net" Updating Clock Server configuration...done. Updated with the NTP servers Changes to the clock server value on the principal or primary FCS switch are propagated to all switches in the fabric.
The Fabric has 4 switches The fields in the fabricShow display are: Switch ID — The switch Domain_ID and embedded port D_ID Worldwide Name — The switch WWN Enet IP Addr — The switch Ethernet IP address for IPv4 and IPv6 configured switches. For IPv6 switches, only the static IP address displays FC IP Addr —The switch FC IP address Name —The switch symbolic name.
35 to activate. If you do not have a license key, launch an Internet browser and go to: http://webkey.external.hp.com/welcome.asp The Hewlett-Packard Authorization Center website main menu displays. Click Generate a license key. The HP StorageWorks Software License Key instruction page opens. Enter the information in the required fields.
Verify that the license was added by entering the licenseShow command. The licensed features currently installed on the switch display. If the feature is not listed, enter the licenseAdd command again. Some features may require additional configuration, or you may need to disable and reenable the switch to make them operational;...
Features and required licenses Table 4 lists the licenses that should be installed on the local switch and any connecting switches for a particular feature. Table 4 License requirements Feature License Where license should be installed Administrative No license required. Domains Configuration No license required.
Table 4 License requirements Feature License Where license should be installed Adaptive Networking Local switch and attached switches. RADIUS No license required. RBAC No license required. Routing traffic No license required. This includes port-based or exchanged-based routing, static routes, frame-order deliver, and dynamic routes. Security No license required.
• When you remove the 8Gb license, the ports which are online and already running at 8Gb would not be disturbed until the port goes offline or the switch is rebooted. The behavior would return to its pre-license state maximum speed of 4Gb. Time-based licenses A time-based license applies a try-before-you-buy approach to certain features so that you can experience the feature and its capabilities prior to buying the license.
Each POD license activates the next group of eight ports in numerical order. For example, the 4/8 SAN Switch or 4/16 SAN Switch activates the first eight with four port increments. Before installing a license key, you must insert transceivers in the ports to be activated. Remember to insert the transceivers in the lowest group of inactive port numbers first.
After a port is assigned to the POD set, the port is licensed until it is manually removed from the POD port set using the licensePort release command. When a port is released from its POD port set (Base, Single, or Double), it creates a vacancy in that port set. Displaying the port license assignment Use the licensePort show command to display the available licenses, the current port assignment of...
8 ports are assigned to the base switch license 0 ports are assigned to the full POD license Ports assigned to the base switch license: 1, 2, 5, 6, 8*, 21, 22, 23 Ports assigned to the full POD license: None Ports not assigned to a license: 0, 3, 4, 7, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20...
Dynamic POD method is in use 24 port assignments are provisioned for use in this switch: 12 port assignments are provisioned by the base switch license 12 port assignments are provisioned by a full POD license 10 ports are assigned to installed licenses: 10 ports are assigned to the base switch license 0 ports are assigned to the full POD license Ports assigned to the base switch license:...
10 ports are assigned to installed licenses: 10 ports are assigned to the base switch license 0 ports are assigned to the full POD license Ports assigned to the base switch license: 1*, 2*, 3*, 4*, 5*, 6*, 8*, 21, 22, 23 Ports assigned to the full POD license: None Ports not assigned to a license:...
switch:admin> portenable portnumber where portnumber is the port number of the port you want to enable. For 4/256 SAN Director and DC Director: Enter the following command: switch:admin> portenable slotnumber/portnumber where slotnumber and portnumber are the slot and port numbers of the port you want to enable. (Slots are numbered 1 through 4 and 7 through 10, counting from left to right.) If the port is connected to another switch, the fabric may be reconfigured.
Any number of E_Ports in a fabric can be configured for gateway links, provided the following rules are followed: • All switches in the fabric must be upgraded to Fabric OS 5.2.0 or later. • All switches in the fabric are using the core PID format. •...
Use the switchStatusShow command to further check the status of the switch. High Availability (HA) features NOTE: HA features provide maximum reliability and nondisruptive replacement of key hardware and software modules. To verify HA features (Directors only): Connect to the switch using an account with admin role Enter the chassisShow command to verify the field replaceable units (FRUs).
Show switches in Access Gateway mode To show switches in Access Gateway mode: Connect to the switch and log in using an account assigned to the admin role. Enter the agShow command. switch:admin> agshow Worldwide Name Ports Enet IP Addr Firmware Local/Remote Name -------------------------------------------------------------- 10:00:00:05:1e:02:1d:b0...
To view the switch status policy threshold values: Connect to the switch and log in using an account assigned to the admin role. Enter the switchStatusPolicyShow command. Whenever there is a switch change, an error message is logged and an SNMP connUnitStatusChange trap is sent.
Verify the threshold settings you have configured for each parameter. Enter the switchStatusPolicyShow command to view your current switch status policy configuration. HP StorageWorks 4/8 SAN Switch and 4/16 SAN Switch, 8/8 SAN Switch, 8/24 SAN Switch, 8/40 SAN Switch, 8/80 SAN Switch, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 400 Multi-protocol Router: switch:admin>...
be easily distinguished from other system message log events that occur in the network. Then, at some regular interval of your choosing, you can review the audit events to look for unexpected changes. Before you configure audit event logging, familiarize yourself with the following audit event log behaviors and limitations: •...
NOTE: Only the active CP can generate audit messages because event classes being audited occur only on the active CP. Audit messages cannot originate from other blades in a Director. Audit events have the following message format: AUDIT, <Timestamp>, [<Event ID>], <Severity>, <Event Class>, <User ID>/<Role>/<IP address>/<Interface>,<Admin Domain>/<Switch name>,<Reserved>,<Event-specific information>...
Jun 5 08:15:32 [10.32.248.73.2.2] raslogd: AUDIT, 2006/06/05-13:38:17, [SEC-1000], WARNING, SECURITY, JaneDoe/root/192.168.132.19/telnet, Domain A/DoeSwitch, , Incorrect password during login attempt.
Shutting down switches and Directors
To avoid corrupting your file system, HP recommends that you perform graceful shutdowns of switches and Directors.
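The audit message format and sample line above can be parsed for periodic review as follows. This is an added example, not code from the HP guide or Fabric OS; the function names, the DEMO-0001 event ID and class, and every sample line after the first are constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Event IDs appear in square brackets, e.g. [SEC-1000] in the guide's sample.
_EVENT_ID = re.compile(r"^\[([A-Z0-9]+-\d+)\]$")


@dataclass(frozen=True)
class AuditEvent:
    timestamp: datetime
    event_id: str
    severity: str
    event_class: str
    user: str
    role: str
    ip: str
    interface: str
    admin_domain: str
    switch: str
    info: str


def parse_audit(line):
    """Return an AuditEvent, or None if the line is not a complete audit message."""
    start = line.find("AUDIT,")  # skip the syslog prefix in front of the message
    if start < 0:
        return None
    # Only the first 8 commas separate fields; the event-specific
    # information is free text and may itself contain commas.
    parts = [p.strip() for p in line[start:].split(",", 8)]
    if len(parts) != 9:
        return None
    _, ts, raw_id, severity, event_class, origin, location, _reserved, info = parts
    match = _EVENT_ID.match(raw_id)
    who = [w.strip() for w in origin.split("/", 3)]  # user/role/IP/interface
    admin_domain, sep, switch = location.rpartition("/")
    if not match or len(who) != 4 or not sep:
        return None
    try:
        when = datetime.strptime(ts, "%Y/%m/%d-%H:%M:%S")
    except ValueError:
        return None
    return AuditEvent(when, match.group(1), severity, event_class, *who,
                      admin_domain.strip(), switch.strip(), info)


def review(lines):
    """Parse a batch of syslog lines; return (events, number of skipped lines)."""
    events = [e for e in map(parse_audit, lines) if e is not None]
    return events, len(lines) - len(events)


def count_by_source(events, event_id):
    """Count events with the given ID per (source IP, interface)."""
    return Counter((e.ip, e.interface) for e in events if e.event_id == event_id)


PREFIX = "[10.32.248.73.2.2] raslogd: "
ORIGIN = "JaneDoe/root/192.168.132.19/telnet, Domain A/DoeSwitch, , "
SAMPLE_LINES = [
    # Sample line from the guide.
    "Jun 5 08:15:32 " + PREFIX + "AUDIT, 2006/06/05-13:38:17, [SEC-1000], WARNING, "
    "SECURITY, " + ORIGIN + "Incorrect password during login attempt.",
    # Constructed: a second failed login from the same source.
    "Jun 5 08:15:40 " + PREFIX + "AUDIT, 2006/06/05-13:38:25, [SEC-1000], WARNING, "
    "SECURITY, " + ORIGIN + "Incorrect password during login attempt.",
    # Constructed: placeholder event whose free text contains commas.
    "Jun 5 08:16:02 " + PREFIX + "AUDIT, 2006/06/05-13:38:47, [DEMO-0001], INFO, "
    "DEMO, " + ORIGIN + "Constructed event text, with commas, kept intact.",
    # Constructed: a syslog line that is not an audit message.
    "Jun 5 08:16:05 " + PREFIX + "constructed non-audit message",
    # Constructed: an audit message cut off in transit.
    "Jun 5 08:16:09 " + PREFIX + "AUDIT, 2006/06/05-13:38:55, [SEC-1000], WARNING",
]

if __name__ == "__main__":
    events, skipped = review(SAMPLE_LINES)
    print(f"{len(events)} audit events parsed, {skipped} lines skipped")
    for (ip, iface), n in count_by_source(events, "SEC-1000").items():
        print(f"SEC-1000 x{n} from {ip} via {iface}")
```
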
Schedule downtime and reboot the switch at your convenience. Table 6 lists the daemons that are considered non-critical and are automatically restarted on failure. Table 6 Daemons that are automatically restarted Daemon Description Asynchronous Response Router (used to send management data to hosts when the switch is accessed Arrd through the APIs (FA API or SMI-S).
Managing user accounts This chapter provides information and procedures on managing authentication and user accounts for the switch management channel. Overview In addition to the default accounts—root, factory, admin, and user—Fabric OS supports up to 252 additional user-defined accounts in each logical switch (domain). These accounts expand your ability to track account access and audit administrative activities.
Using Role-Based Access Control (RBAC) Role-Based Access Control (RBAC) defines the capabilities that a user account has based on the role the account has been assigned. For each role, there is a set of pre-defined permissions on the jobs and tasks that can be performed on a fabric and its associated fabric elements.
Role permissions Table 9 describes the types of permissions that are assigned to roles. Table 9 Permission types Abbreviation Definition Description Observe The user can run commands using options that display information only, such as running userConfig --show -a to show all users on a switch.
Table 10 RBAC permissions matrix (continued) Category Role permission User Operator Switch Zone Fabric Basic Admin Security admin admin admin switch admin admin HA (High Availability) iSCSI License LDAP Local User Environment Logging Management Access Configuration Management Server Name Server Nx_Port Management Physical Computer System Port Mirroring...
Managing the local database user accounts User add, change, and delete operations are subject to the subset rule: an admin with ADlist 0-10 cannot perform operations on an admin, user, or any role with an ADlist 11-25. The user account being changed must have an ADlist that is a subset of the account that is making the change.
To create an account: Connect to the switch and log in using an admin account. Enter the following command: userConfig --add <username> -r <rolename> [-h <admindomain_ID>] [-a <admindomain_ID_list>] [-d <description>] [-x] username Specifies the account name, which must begin with an alphabetic character.
To change account parameters: When changing account parameters, if you change the ADlist for the user account, all of the currently active sessions for that account will be logged out. Connect to the switch and log in using an admin account. Enter the following command: userconfig --change username [-r rolename] [-h admindomain_ID] [-a admindomain_ID_list] [-d description] [-e yes | no] -u -x...
Recovering accounts The following conditions apply to recovering user accounts: • The attributes in the backup database replace the attributes in the current account database. • An event is stored in the system message log, indicating that accounts have been recovered. To recover an account: Connect to the switch and log in using an admin account.
Configuring the local user database This section covers the following topics: • ”Distributing the local user database” on page 63 • ”Protecting the local user database from distributions” on page 63 • ”Configuring password policies” on page 64 Distributing the local user database Distributing the local switch user database and passwords to other switches in the fabric causes the distributed database to replace (overwrite) the database on the target switch.
Configuring password policies The password policies described in this section apply to the local switch user database only. Configured password policies (and all user account attribute and password state information) are synchronized across CPs and remain unchanged after an HA failover. Password policies can also be manually distributed across the fabric (see ”Distributing the local user database”...
• Sequence Specifies the length of sequential character sequences that will be disallowed. A sequential character sequence is defined as a character sequence in which the ASCII value of each contiguous character differs by one. The ASCII value for the characters in the sequence must all be increasing or decreasing. For example, if the “sequence”...
Upgrade and downgrade considerations If you are upgrading from a 5.3.x environment to 6.x, the existing password databases do not contain the state information that implements password expiration. So, when the password expiration policy is first set after an upgrade to 6.x, any user who has not changed their password will have their password expiration period set to the maximum password expiration period.
Log in to the switch using an admin or securityAdmin account. Type userConfig --change <account_name> -u, where <account_name> is the name of the user account that is locked out. To disable the admin lockout policy: Log in to the switch using an admin or securityAdmin account. Type passwdCfg --disableadminlockout.
Consider the following effects of the use of RADIUS or LDAP service on other Fabric OS features: When RADIUS or LDAP service is enabled, all account passwords must be managed on the RADIUS or • LDAP server. The Fabric OS mechanisms for changing switch passwords remain functional; however, such changes affect only the involved switches locally.
Table 12 Authentication configuration options (continued) aaaConfig options Description Equivalent setting in Fabric OS 5.1.0 and earlier radius switchdb Authenticates management connections --authspec “ldap” against any LDAP database(s) only. If LDAP service is not available or the credentials do not match, the login fails. Authenticates management connections --authspec “ldap;...
Table 13 Syntax for VSA-based account roles (continued) Item Value Description Vendor type 1 octet, Brocade-Auth-Role; valid attributes for the Brocade-Auth-Role are: SwitchAdmin ZoneAdmin FabricAdmin BasicSwitchAdmin Operator User Admin Optional: Specifies the Admin Domain member list. For more information, see ”RADIUS configuration and Admin Domains”...
Linux FreeRadius server For the configuration on a Linux FreeRadius server, define the following in a vendor dictionary file called dictionary.brocade. Include the values outlined in Table Table 14 dictionary.brocade file entries Include Value VENDOR Brocade 1588 ATTRIBUTE Brocade-Auth-Role 1 string Brocade AdminDomain After you have completed the dictionary file, define the role for the user in a configuration file.
Configuring the RADIUS server You must know the switch IP address, in either IPv4 or IPv6 notation, or name to connect to switches. Use the ipAddrShow command to display a switch IP address. For Directors (chassis-based systems), the switch IP addresses are aliases of the physical Ethernet interfaces on the CP blades.
To create the user: Open the $PREFIX/etc/raddb/user file in a text editor and add user names and roles for users who will • be accessing the switch and authenticating RADIUS. The user will log in using the role specified with Brocade-Auth-Role. The valid roles include Root, Admin, SwitchAdmin, ZoneAdmin, SecurityAdmin, BasicSwitchAdmin, FabricAdmin, Operator and User.
Each user group should be associated with a specific switch login role. For example, you should configure a user group for root, admin, factory, switchadmin, and user, and then add any users whose logins you want to associate to the appropriate group. •...
Setting up the RSA RADIUS server For more information on how to install and configure the RSA Authentication Manager and the RSA RADIUS server, refer to your documentation or visit www.rsa.com. Create user records in the RSA Authentication Manager. Configure the RSA Authentication Manager. Add an agent host in RSA Authentication Manager.
#######################################################################
# dictiona.dcm
#######################################################################
# Generic Radius
@radius.dct
# Specific Implementations (vendor specific)
@3comsw.dct
@aat.dct
@acc.dct
@accessbd.dct
@agere.dct
@agns.dct
@airespace.dct
@alcatel.dct
@altiga.dct
@annex.dct
@aptis.dct
@ascend.dct
@ascndvsa.dct
@axc.dct
@brocade.dct
@bandwagn.dct
@brocade.dct <-------
Figure 2 Example of the dictiona.dcm file
c. When selecting items from the Add Return List Attribute, select Brocade-Auth-Role and type the string Admin.
To set up LDAP: Install a Certificate Authority (CA) certificate on the Windows Active Directory server for LDAP. Follow Microsoft’s instructions for generating and installing CA certificates on a Windows server. Create a user in Microsoft Active Directory server. For instructions on how to create a user, refer to Microsoft documentation to create a user in your Active Directory.
NOTE: You can perform batch operations using the Ldifde.exe utility. For more information on importing and exporting schemas, refer to your Microsoft documentation or visit www.microsoft.com. Configuring authentication servers on the switch RADIUS and LDAP configuration of the switch is controlled by the aaaConfig command. At least one RADIUS or LDAP server must be configured before you can enable RADIUS or LDAP service.
To add a RADIUS server to the switch configuration: Connect to the switch and log in using an admin account. Enter this command: switch:admin> aaaConfig --add <server> [-p port] [-s secret] [-t timeout] [-a pap | chap | peap-mschapv2] server Enter either a server name or IPv4 or IPv6 address.
NOTE: When the RADIUS authentication mode is set to radius;local, you cannot downgrade the Fabric OS to any version earlier than 5.2.0. Previous versions do not support the radius;local mode. When the LDAP authentication mode is set to ldap;local, you cannot downgrade the Fabric OS to any version earlier than 6.x.
To change an LDAP server configuration: Connect to the switch and log in using an admin account. Enter this command: switch:admin> aaaConfig --change server [-p port] [-t timeout] [-d domain_name] Enter either a server name or IPv4 address. Microsoft’s Active Directory server does not support IPv6 addresses.
Setting the boot PROM password with a recovery string To set the boot PROM password with a recovery string, refer to the section that applies to your switch model. NOTE: Setting the boot PROM password requires accessing the boot prompt, which stops traffic flow through the switch until the switch is rebooted.
4/256 SAN Director and DC SAN Backbone Director (short name, DC Director) The boot PROM and recovery passwords must be set for each CP blade on the 4/256 SAN Director or DC Director. To set the boot PROM password for a Director with a recovery string: Connect to the serial port interface on the standby CP blade.
Setting the boot PROM password without a recovery string Although you can set the boot PROM password without also setting the recovery string, it is strongly recommended that you set both the password and the string as described in ”Setting the boot PROM password with a recovery string”...
The following options are available: Option Description Start system. Continues the system boot process. Recovery password. Lets you set the recovery string and the boot PROM password. Enter command shell. Provides access to boot parameters. Enter 3. Enter the passwd command at the shell prompt. NOTE: The passwd command only applies to the boot PROM password when it is entered from the boot interface.
Configuring standard security features This chapter provides information and procedures for configuring standard Fabric OS security features such as protocol and certificate management. IMPORTANT: Secure Fabric OS is no longer supported in Fabric OS 6.x. However, all features of Secure Fabric OS are included in the base Fabric OS 6.x.
For details on Brocade MIB files, naming conventions, loading instructions, and information about using Brocade's SNMP agent, see the Fabric OS MIB Reference. Table 16 describes additional software or certificates that you must obtain to deploy secure protocols. Table 16 Items needed to deploy secure protocols Protocol Host side...
Commands that require a secure login channel must originate from an SSH session. If you start an SSH session, and then use the login command to start a nested SSH session, commands that require a secure channel will be rejected. Fabric OS 6.1.x and later supports SSH protocol version 2.0 (ssh2).
Generating a key pair for host-to-switch authentication (incoming) Log in to your host as admin. Verify that SSH v2 is installed and working. Refer to your host’s documentation. Type the following command: ssh-keygen -t dsa Example of RSA/DSA key pair generation alloweduser@mymachine: ssh-keygen -t dsa Generating public/private dsa key pair.
Example of adding the public key to the switch
switch:alloweduser> sshutil importpubkey
Enter IP address:192.168.38.244
Enter remote directory:~auser/.ssh
Enter public key name(must have .pub suffix):id_dsa.pub
Enter login name:auser
Password:
Public key is imported successfully.
Exporting the public key for switch-to-host authentication (outgoing)
Log in to the switch as the allowed-user.
Configuring the Telnet protocol Telnet is enabled by default. To prevent users from passing clear text passwords over the network when they connect to the switch, you can block the Telnet protocol using an IP Filter policy. NOTE: Before blocking Telnet, make sure you have an alternate method of establishing a connection with the switch.
Configuring for the SSL protocol The Secure Sockets Layer (SSL) protocol provides secure access to a fabric through Web-based management tools like Web Tools. SSL support is a standard Fabric OS feature. Switches configured for SSL grant access to management tools through hypertext transfer protocol-secure links (which begin with https://) instead of standard links (which begin with http://).
Table 18 SSL certificate files (continued) Certificate file Description nameRoot.crt The root certificate. Typically, this certificate is already installed in the browser, but if not, you must install it. nameCA.crt The CA certificate. It needs to be installed in the browser to verify the validity of the server certificate or server validation fails.
Your CA may require specific codes for Country, State or Province, Locality, Organization, and Organizational Unit names. Make sure that your spelling is correct and matches the CA requirements. If the CA requires that the Common Name be specified as an FQDN, make sure that the fully qualified domain name is set on the domain name server.
Activating a switch certificate Enter the configure command When the ssl attributes comes up, type y Respond to the prompts that apply to SSL certificates: SSL attributes Enter y or yes. Certificate File Enter the name of the switch certificate file: for example, 192.1.2.3.crt.
Browse to the certificate location and select the certificate. (For example, select nameRoot.crt.) Click Open and follow the instructions to import the certificate. Installing a root certificate to the Java plug-in For information on Java requirements, see ”For more details on levels of browser and Java support, see the Web Tools Administrator’s Guide.”...
Configuring for SNMP You can configure for the automatic transmission of SNMP information to management stations. SNMPv3 and SNMPv1 are supported. The configuration process involves configuring the SNMP agent and configuring SNMP traps. The following commands are used in the process: •...
webtools attributes (yes, y, no, n): [no] System (yes, y, no, n): [no] No changes. Using the snmpConfig command Use the snmpConfig set command to change either the SNMPv3 or SNMPv1 configuration. You can also change access control, MIB capability, and system group. Sample SNMPv3 configuration switch:admin>...
Sample SNMPv1 configuration
switch:admin> snmpconfig --set snmpv1
SNMP community and trap recipient configuration:
Community (rw): [Secret C0de] admin
Trap Recipient's IP address in dot notation: [0.0.0.0] 10.32.225.1
Trap recipient Severity level : (0..5) [0] 1
Community (rw): [OrigEquipMfr]
Trap Recipient's IP address in dot notation: [10.32.225.2]
Trap recipient Severity level : (0..5) [1]
Community (rw): [private]
Trap Recipient's IP address in dot notation: [10.32.225.3]...
Listener applications Brocade switches block Linux subsystem listener applications that are not used to implement supported features and capabilities. Table 20 lists the listener applications that Brocade switches either block or do not start. Table 20 Blocked listener applications Listener 4/256 SAN Director and DC HP StorageWorks 4/8 or 4/16, 8/8 application...
Port configuration Table 22 provides information on ports that the switch uses. When configuring the switch for various policies, take into consideration firewalls and other devices that may sit between switches in the fabric and your network or between the managers and the switch. Table 22 Port information Port...
Configuring advanced security features This chapter provides information and procedures for configuring advanced Fabric OS security features such as Access Control List (ACL) policies, authentication policies, and IP Filtering for HP’s Fibre Channel switches. NOTE: Run all commands, with the suggested role, in this chapter by logging in to Administrative Domain (AD) 255 or, if Administrative Domains have not been implemented, log in to AD 0.
and active sets but they have different values, then the policy has been modified but the changes have not been activated. Admin Domain considerations: ACL management can be done on AD255 and in AD0 only if there are no other user-defined Admin Domains. Both AD0 (when no other user-defined Admin Domains exist) and AD255 provide an unfiltered view of the fabric.
• ”Adding a member to an existing policy” on page 115 Add one or more members to a policy. The aspect of the fabric covered by each policy is closed to access by all devices and switches that are not listed in that policy. •...
the changes have been saved or activated; they can be aborted later if you have set your fabric to distribute the changes manually. Table 25 FCS policy states Policy state Characteristics No active policy Any switch can perform fabric wide configuration changes. Active policy with one entry A primary FCS switch is designated (local switch), but there are no backup FCS switches.
Table 26 Switch operations Allowed on FCS switches Allowed on all switches secPolicyRemove (Allowed on all switches for secPolicyActivate SCC/DCC policies as long as it is not fabric-wide) fddcfg --fabwideset secPolicySave Any fabric-wide commands secPolicyAbort All zoning commands except the show commands SNMP commands All AD commands configupload...
This displays the WWNs of the current primary FCS switch and backup FCS switches. Type secPolicyFCSMove; then provide the current position of the switch in the list and the desired position at the prompts. Alternatively, enter secPolicyFCSMove “From, To”. From is the current position in the list of the FCS switch and To is the desired position in the list for this switch.
NOTE: The FCS policy can be distributed from a switch in the FCS list. However, if none of the FCS switches in the existing FCS list are reachable, receiving switches will accept distribution from any switch in the fabric. Local switch configuration parameters are needed to control whether a switch accepts or rejects distributions of FCS policy and whether the switch is allowed to initiate distribution of an FCS policy.
Table 28 DCC policy states (continued) Policy state Characteristics Policy with no entries Any device can connect to any switch port in the fabric. An empty policy is the same as no policy. Policy with entries If a device WWN is specified in a DCC policy, that device is only allowed access to the switch if connected by a switch port listed in the same policy.
deviceportWWN    The WWN of the device port.
switch           The switch WWN, Domain ID, or switch name. The port can be specified by port or area number. Designating ports automatically includes the devices currently attached to those ports. The ports can be specified using any of the following syntax methods: (*) Selects all ports on the switch.
Creating an SCC policy The switch connection control (SCC) policy is used to restrict which switches can join the fabric. Switches are checked against the policy each time an E_Port-to-E_Port connection is made. The policy is named SCC_POLICY and accepts members listed as WWNs, Domain IDs, or switch names. Only one SCC policy can be created.
Activating changes to ACL policies

To activate changes:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Type the secPolicyActivate command:

   switch:admin> secpolicyactivate
   About to overwrite the current Active data.
   ARE YOU SURE (yes, y, no, n): [no] y

Adding a member to an existing policy

Add members to the ACL policies by using the secPolicyAdd command.
Aborting all uncommitted changes Use the secPolicyAbort command to abort all ACL policy changes that have not yet been saved. To abort all unsaved changes: Connect to the switch and log in using an account assigned to the admin role. Type the secPolicyAbort command: switch:admin>...
Key database on switch Key database on switch Local secret B Local secret A Peer secret A Peer secret B Switch A Switch B Figure 3 DH-CHAP authentication If you use DH-CHAP authentication, then a secret key pair must be installed only in connected fabric elements.
port if it is connected to a switch which does not support authentication. Regardless of the policy, the E_Port is disabled if the switches fail to authenticate each other using the DH-CHAP or FCAP protocol. ACTIVE: In this state the switch is more tolerant and can connect to a switch with any type of policy. During switch initialization, authentication begins on all E_Ports, but the port is not disabled if the connecting switch does not support authentication or the AUTH policy is turned to the OFF state.
Since the F_Port authentication requires DH-CHAP protocol, selecting the PASSIVE mode will be blocked if only FCAP protocol is selected as the authentication protocol. Similarly de-selecting the DH-CHAP protocol from the authentication protocol list will be blocked if the device authentication is set to PASSIVE. Auth policy restrictions Fabric OS 5.1.0 implementation of DH-CHAP/FCAP does not support integration with RADIUS.
On a switch running Fabric OS 4.x or 5.x, type authUtil --set -a dhchap; on a switch running Fabric OS 3.x, type authUtil "--set -a dhchap". Output similar to the following is displayed: Authentication is set to dhchap. When using DH-CHAP, make sure that you configure the switches at both ends of a link. NOTE: If you set the authentication protocol to DH-CHAP, have not yet configured shared secrets, and authentication is checked (for example, you enable the switch), switch authentication fails.
This section illustrates using the secAuthSecret command to display the list of switches in the current switch’s shared secret database and to set the secret key pair for the current switch and a connected switch. See the for more details on the secAuthSecret command. NOTE: When setting a secret key pair, note that you are entering the shared secrets in plain text.
The command enters interactive mode. The command returns a description of itself and needed input; then it loops through a sequence of switch specification, peer secret entry, and local secret entry. To exit the loop, press Enter for the switch name; then type y. switchA:admin>...
IP Filter policy The IP Filter policy is a set of rules applied to the IP management interfaces as a packet filtering firewall. The firewall permits or denies traffic through the IP management interfaces according to the policy rules.
Displaying an IP Filter policy You can display the IP Filter policy content for the specified policy name, or for all IP Filter policies if no policy name is specified. For each IP Filter policy, the policy name, type, persistent state and policy rules are displayed. The policy rules are listed by the rule number in ascending order.
Deleting an IP Filter policy You can delete a specified IP Filter policy. Deleting an IP Filter policy removes it from the temporary buffer. To permanently delete the policy from the persistent database, run ipfilter save. An active IP Filter policy cannot be deleted. To delete an IP Filter policy: Log in to the switch using an account assigned to the admin role.
Table 30 Supported services (continued) Service name Port number telnet TCP and UDP protocols are valid selections. Fabric OS 5.3.0 and later does not support configuration to filter other protocols. Implicitly, ICMP type 0 and type 8 packets are always allowed to support ICMP echo request and reply on commands like ping and traceroute.
If none of the rules in the policy matches the incoming packet, the two implicit rules will be matched to the incoming packet. If the rules still do not match the packet, the default action, which is to deny, will be taken.
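The evaluation order described above, modelled as an added example (not code from this guide or from Fabric OS). It assumes rules are checked in ascending rule number with the first match deciding, and it assumes values for the two implicit rules, which this page does not reproduce; the sample policy is constructed. The second function flags rules that can never fire because an earlier rule already covers them, the usual way a deny ends up ineffective.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    number: int              # position in the policy; lower numbers are checked first
    source: str              # "any" or an address/prefix such as "10.1.2.0/24"
    ports: Tuple[int, int]   # inclusive destination port range
    proto: str               # "tcp" or "udp", the only protocols a rule can filter
    action: str              # "permit" or "deny"

    def matches(self, src: str, dport: int, proto: str) -> bool:
        if proto != self.proto or not self.ports[0] <= dport <= self.ports[1]:
            return False
        if self.source == "any":
            return True
        net = ipaddress.ip_network(self.source, strict=False)
        addr = ipaddress.ip_address(src)
        return addr.version == net.version and addr in net


# ASSUMPTION: the two implicit rules are not shown on this page. They are
# modelled here as permits for TCP and UDP ports 600-1023 from any source;
# confirm the values against the documentation for your release.
IMPLICIT_RULES = [
    Rule(0, "any", (600, 1023), "tcp", "permit"),
    Rule(0, "any", (600, 1023), "udp", "permit"),
]

# Constructed sample policy, not taken from a real switch.
SAMPLE_POLICY = [
    Rule(1, "any", (22, 22), "tcp", "permit"),
    Rule(2, "any", (443, 443), "tcp", "permit"),
    Rule(3, "192.168.50.0/24", (443, 443), "tcp", "deny"),   # never reached
    Rule(4, "any", (23, 23), "tcp", "deny"),
    Rule(5, "10.1.2.0/24", (161, 161), "udp", "permit"),
]


def evaluate(policy: List[Rule], src: str, dport: int, proto: str,
             icmp_type: int = None) -> Tuple[str, str]:
    """Return (action, reason) for one packet arriving at the management interface."""
    # ICMP echo request (type 8) and echo reply (type 0) are always allowed.
    if proto == "icmp" and icmp_type in (0, 8):
        return ("permit", "icmp-echo")
    # Explicit rules, in ascending rule number; the first match decides.
    for rule in sorted(policy, key=lambda r: r.number):
        if rule.matches(src, dport, proto):
            return (rule.action, f"rule {rule.number}")
    # Then the implicit rules.
    for rule in IMPLICIT_RULES:
        if rule.matches(src, dport, proto):
            return (rule.action, "implicit")
    # Nothing matched: the default action is deny.
    return ("deny", "default")


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet matching `later` also matches `earlier`."""
    if earlier.proto != later.proto:
        return False
    if not (earlier.ports[0] <= later.ports[0] and later.ports[1] <= earlier.ports[1]):
        return False
    if earlier.source == "any":
        return True
    if later.source == "any":
        return False
    a = ipaddress.ip_network(earlier.source, strict=False)
    b = ipaddress.ip_network(later.source, strict=False)
    return a.version == b.version and b.subnet_of(a)


def shadowed_rules(policy: List[Rule]) -> List[Tuple[int, int]]:
    """List (shadowed rule number, shadowing rule number) pairs."""
    ordered = sorted(policy, key=lambda r: r.number)
    found = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if covers(earlier, later):
                found.append((later.number, earlier.number))
                break
    return found


if __name__ == "__main__":
    for pkt in [("192.168.50.7", 443, "tcp"), ("10.9.9.9", 23, "tcp"),
                ("10.9.9.9", 161, "udp"), ("10.9.9.9", 897, "tcp")]:
        print(pkt, "->", evaluate(SAMPLE_POLICY, *pkt))
    print("shadowed:", shadowed_rules(SAMPLE_POLICY))
```

In the sample policy, the deny for 192.168.50.0/24 sits after a permit for any source on the same port, so it has no effect until it is moved ahead of that permit.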
Aborting a switch session transaction To abort a transaction associated with IP Filter: Log in to the switch using an account assigned to the admin role. Type in the following command: ipfilter --transabort IP Filter policy distributions The IP Filter policy is manually distributed, using the distribute -p "IPFILTER" command. The distribution includes both active and defined IP Filter policies.
Table 33 explains how the local database distribution settings and the fabric-wide consistency policy affect the local database when the switch is the target of a distribution command. Table 33 Interaction between fabric-wide consistency policy and distribution settings Distribution Fabric-wide consistency policy setting Absent (default) Tolerant...
Enter the following command: switch:admin> fddcfg --showall Local Switch Configuration for all Databases:- DATABASE Accept/Reject --------------------------------- accept accept accept accept AUTH accept IPFILTER accept Fabric Wide Consistency Policy:- "" To enable local switch protection: Connect to the switch and log in using an account assigned to the admin role. Enter the following command: fddCfg --localreject <database_ID>...
Table 35 describes how the target switch database distribution settings affect the distribution. Table 35 ACL policy database distribution behavior Target switch Distribution Results Fabric OS Database version setting 5.1.0 or Fails An error is returned. The entire transaction is aborted and earlier no databases are updated.
Table 36 Fabric-wide consistency policy settings Setting Value When a policy is activated Absent null Database is not automatically distributed to other switches in the fabric. Tolerant database_id All updated and new policies of the type specified (SCC, DCC, or both) are distributed to all Fabric 5.2.0 and later switches in the fabric.
Notes on joining a switch to the fabric When a switch is joined to a fabric with a tolerant SCC or DCC fabric-wide consistency policy, the joining switch must have a matching tolerant SCC or DCC fabric-wide consistency policy. If the tolerant SCC or DCC fabric-wide consistency policies do not match, the switch can join the fabric, but an error message flags the mismatch.
Table 37 Merging fabrics with matching fabric-wide consistency policies (continued) Fabric-wide Fabric A Fabric B Merge Database copied consistency policy ACL policies ACL policies results Tolerant None None Succeeds No ACL policies copied. None SCC/DCC Succeeds ACL policies are copied from B to A.
Table 39 Fabric merges with tolerant/absent combinations Fabric-wide consistency policy setting Expected behavior Fabric A Fabric B Tolerant/Absent SCC;DCC Error message logged. Run fddCfg --fabwideset “<policy_ID>” from any switch with the desired configuration to fix SCC;DCC the conflict. The secPolicyActivate command is blocked until conflict is resolved.
Table 41 FIPS mode restrictions Features FIPS mode Non-FIPS mode RPC/secure RPC Secure RPC only RPC and secure RPC access Secure RPC protocols TLS - AES128 cipher suite SSL and TLS – all cipher suites SNMP Read-only operations Read and write operations DH-CHAP/FCAP SHA-1 MD5 and SHA-1...
Example of setting up LDAP for FIPS mode

switch:admin> aaaconfig --add GEOFF5.ADLDAP.LOCAL -conf ldap -d adldap.local -p 389 -t 3
switch:admin> aaaconfig --authspec "ldap;local"
switch:admin> aaaconfig --show
RADIUS CONFIGURATIONS
=====================
RADIUS configuration does not exist.
LDAP CONFIGURATIONS
===================
Position Server : GEOFF5.ADLDAP.LOCAL Port : 389...
Additional Microsoft Active Directory settings a. Set the following SCHANNEL settings listed in Table 43 to allow. To support FIPS compliant TLS cipher suites on Microsoft’s Active Directory server, allow the SCHANNEL settings listed in Table 43. Refer to the Microsoft website for instructions on how to allow the SCHANNEL settings for the ciphers, hashes, key exchange and the TLS protocol.
Exporting an LDAP switch certificate This option exports the LDAP CA certificate from the switch to the remote host. Connect to the switch and log in as admin. Enter the secCertUtil export -ldapcacert command. Example of exporting an LDAP CA certificate switch:admin>...
Overview of steps Optional: Configure RADIUS server Optional: Configure authentication protocols For LDAP only: Install SSL certificate on Microsoft Active Directory server and CA certificate on the switch for using LDAP authentication. Block Telnet, HTTP, and RPC Disable BootProm access Configure the switch for signed firmware Disable root access Enable FIPS...
Example switch:admin> configure Not all options will be available on an enabled switch. To disable the switch, use the "switchDisable" command. Configure... System services (yes, y, no, n): [no] … cfgload attributes (yes, y, no, n): [no] yes Enforce secure config Upload/Download (yes, y, no, n): [no] Enforce firmware signature validation (yes, y, no, n): [no] yes Type the following command to block access to root: userconfig --change root -e no...
Maintaining the switch configuration file This chapter provides procedures for basic switch configuration maintenance. Maintaining consistent configuration settings It is important to maintain consistent configuration settings on all switches in the same fabric because inconsistent parameters (such as inconsistent PID formats) can cause fabric segmentation. As part of standard configuration maintenance procedures, it is recommended that you back up all important configuration data for every switch on a host computer server for emergency reference.
Respond to the prompts as follows:
Protocol (scp or ftp)        If your site requires the use of Secure Copy, specify scp. Otherwise, specify FTP.
Server Name or IP Address    Enter the name or IP address of the server where the file is to be stored; for example, 192.1.2.3.
Restoring a configuration Restoring a configuration involves overwriting the configuration on the switch by downloading a previously saved backup configuration file. Make sure that the configuration file you are downloading is compatible with your switch model, because configuration files from other model switches might cause your switch to fail.
To restore a configuration: Verify that the FTP service is running on the server where the backup configuration file is located. Connect to the switch and log in as admin. If there are any changed parameters in the configuration file that do not belong to SNMP, Fabric Watch, or ACL, disable the switch by entering the switchDisable command.
The following example shows configDownload run on a switch with Admin Domains: switch:AD5:admin>configdownload Protocol (scp or ftp) [ftp]: Server Name or IP Address [host]: 10.1.2.3 User Name [user]: JohnDoe File Name [config.txt]: /pub/configurations/config.txt *** CAUTION *** This command is used to download a backed-up configuration for a specific switch.
Table 45 Backup and restore in a FICON CUP environment ASM bit Command Description on or off All the files saved in the file access facility are uploaded to the configUpload management workstation. A section in the uploaded configuration file labeled FICON_CUP is in an encoded format. Files saved on the switch that are also present in the configDownload FICON_CUP section of the configuration file are overwritten.
Configuration form Use Table 46 as a hard copy reference for your configuration information. In the hardware reference manuals for the 4/256 SAN Director and DC SAN Backbone Director (short name, DC Director) there is a guide for FC port setting tables. The tables can be used to record configuration information for the various blades.
Managing administrative domains This chapter provides procedures for using administrative domains (Admin Domain or AD). An Admin Domain is a logical grouping of fabric elements that defines what switches, ports, and devices you can view and modify. An Admin Domain is a filtered administrative view of the fabric. NOTE: If you do not implement Admin Domains, the feature has no impact on users and you can skip this chapter.
Figure 4 Fabric with two Admin Domains Figure 5 shows how users get a filtered view of this fabric, depending on which Admin Domain they are in. As shown in Figure 6, users can see all switches and E_Ports in the fabric, regardless of their Admin Domain;...
Admin Domain features Admin Domains allow you to: • Define the scope of an Admin Domain to encompass ports and devices within a switch or a fabric. • Share resources across multiple Admin Domains. For example, you can share array ports and tape drives between multiple departments.
Table 47 lists each Admin Domain user type and describes its administrative access and capabilities. Table 47 AD user types User type Description Physical Fabric User account with Admin role and with access to all Admin Domains (AD0 through Administrators AD255).
AD0 is useful when you create Admin Domains because you can see which devices, switch ports, and switches have not yet been assigned to any Admin Domains. AD0 owns the root zone database (legacy zone database). During zone merge or zone update, only the root zone database is exchanged with AD-unaware switches.
• The Admin Domain list for the default admin account is 0–255, which gives this account automatic access to any Admin Domain as soon as the domain is created, and makes this account a physical fabric administrator. • The Admin Domain list for the default user account is AD0 only. •...
NOTE: If the switch domain ID changes, the domain,index members are invalid (they are not automatically changed). You must then reconfigure the Admin Domain with the current domain,index members. Switch members Switch members are defined by the switch WWN or Domain ID. A switch member: •...
WWN = 10:00:00:00:c7:2b:fd:a3 WWN = 10:00:00:00:c2:37:2b:a3 Domain ID = 1 Domain ID = 2 WWN = 10:00:00:05:1f:05:23:6f WWN = 10:00:00:05:2e:06:34:6e WWN = 10:00:00:00:c8:3a:fe:a2 Figure 7 Fabric showing switch and device WWNs Figure 8 shows the filtered view of the fabric as seen from AD3 and AD4. The switch WWNs are converted to the NAA=5 syntax;...
Compatibility Admin Domains can be implemented in fabrics with a mix of AD-capable switches and AD-uncapable switches. The following considerations apply: • In mixed-fabric configurations, the legacy switches allow unfiltered access to the fabric and its devices; hence, these legacy switches should be managed by the physical fabric administrator. •...
How you end the transaction determines the disposition of the Admin Domain configuration in the transaction buffer. The following commands end the Admin Domain transaction:
save    Saves the changes in the transaction buffer to the defined configuration in persistent storage and propagates the defined configuration to all switches in the fabric.
If you specify AD name = “AD15” and the lowest available AD number is 6, then AD name is “AD15” and AD number is 15. Because the specified name is in the format “ADn”, the AD number is assigned to be n and not the lowest available AD number. The Admin Domain name cannot exceed 63 characters and can contain alphabetic and numeric characters.
• Adding an Admin Domain list, home Admin Domain, and role to a user configuration is backward compatible with pre-Fabric OS 5.2.0 firmware. When you downgrade to pre-Fabric OS 5.2.0 firmware, the userConfig command records are interpreted using legacy logic. To create a new user account for managing Admin Domains: Connect to the switch and log in as admin.
Enter the ad activate option. The activate option prompts for confirmation. By default, after the Admin Domain is activated, the devices specified under that AD are not able to see each other until they are zoned together. To end the transaction now, enter ad save to save the Admin Domain definition or enter ad apply to save the Admin Domain definition and directly apply the definitions to the fabric.
The following example adds two switch ports, designated by domain,port, to Admin Domain AD1. sw5:AD255:admin> ad --add AD1 -d "100,5; 4,1" To remove members from an Admin Domain: Connect to the switch and log in as admin. Switch to the AD255 context, if you are not already in that context. ad --select 255 Enter the ad remove command using the -d option to specify device and switch port members and...
Switch to the AD255 context. ad --select 255 Enter the ad delete command. ad --delete ad_id The ad delete command prompts you for confirmation before triggering the deletion. The command will succeed, whether the Admin Domain is in an activated or deactivated state. Enter the ad apply command to save the Admin Domain definition and directly apply the definition to the fabric.
The Admin Domain validation process is not applicable for AD0, as AD0 implicitly contains all unassigned and AD-unaware online switches and their devices. To list the switches and devices in an AD member list: Connect to the switch and log in as admin. Switch to the AD255 context, if you are not already in that context.
Table 48 Ports and devices in CLI output Condition The port is specified in the domain,port member list of the Admin Domain. domain,port One or more WWNs specified in the AD member list is attached to the domain,port. The device WWN is specified in the AD WWN member list. Device WWN The device WWN is attached to one of the domain,port specified in the AD member list.
The following example displays membership information about AD1. sw5:AD1:admin> ad --show Current AD Number: 1 AD Name: TheSwitches Effective configuration: ------------------------ AD Number: 1 AD Name: TheSwitches State: Active Switch WWN members: 50:06:06:99:00:2a:e9:01; 50:00:51:e0:23:36:f9:01; 50:06:06:98:05:be:99:01; Switching to a different Admin Domain context The ad select option is used to switch between different Admin Domain contexts.
Table 49 lists some of the Fabric OS features and considerations that apply when using Admin Domains. Table 49 Admin Domain interaction with Fabric OS features Fabric OS feature Admin Domain interaction ACLs If no user-defined Admin Domains exist, you can run ACL configuration commands in only AD0 and AD255.
Admin Domains, zones, and zone databases Each Admin Domain has its own zone database, with both defined and effective zone configurations and all related zone objects (zones, zone aliases, and zone members). Within an Admin Domain, you can configure zoning only with the devices that are present in that Admin Domain. With a hierarchical zoning model, the name space for each Admin Domain and the root zones are separate;...
The auto-converted LSAN zone names might collide with LSAN zone names in AD0 (for example, in the above example, if AD0 contains lsan_for_linux_farm_AD005, this would cause a name collision). Fabric OS does not detect or report such a name clash. LSAN zone names greater than 57 characters are not converted or sent to the FCR phantom domain. ”Using the FC-FC routing service”...
See ”Maintaining the switch configuration file” on page 143 for additional information about uploading and downloading configurations.
Installing and maintaining firmware This chapter provides procedures for installing and maintaining firmware. Fabric OS 6.1.x provides nondisruptive firmware installation. This chapter refers to the following specific types of blades inserted into either Director platform: • Port blades contain only Fibre Channel ports: •...
The command supports both non-interactive and interactive modes. If the firmwareDownload command is issued without any operands, or if there is any syntax error in the parameters, the command enters an interactive mode, in which you are prompted for input. TIP: For each switch in your fabric, complete all firmware download changes on the current switch before issuing the firmwareDownload command on the next switch.
Preparing for firmware downloads Before executing a firmware download, it is recommended that you perform the tasks listed in this section. In the unlikely event of a failure or time-out, the preparation tasks that are described in this section will enable you to provide HP the information required to perform advanced troubleshooting.
Checking connected switches When checking connected switches, ensure that any older versions are supported. See the recommended version (shown in Table 52) before upgrading firmware on the switch. Go to http://www.hp.com to view end-of-life policies. Table 52 Recommended firmware Switch model Earliest compatible version Recommended version for interoperating with Fabric OS 6.1.x...
Table 52 Recommended firmware (continued) Switch model Earliest compatible version Recommended version for interoperating with Fabric OS 6.1.x http://www.hp.com 6.0.0b 6.1.x (see for latest HP StorageWorks SAN Director 48 Port version released by HP) 8Gb FC blade (FC8-48) http://www.hp.com 6.0.0b 6.1.x (see for latest HP StorageWorks SAN Director 6 Port...
Performing firmwareDownload on switches HP StorageWorks 4/8 SAN Switch, 4/16 SAN Switch, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 8/8 SAN Switch, 8/24 SAN Switch, 8/40 SAN Switch, 8/80 SAN Switch, and 400 MP Router switches also maintain primary and secondary partitions for firmware.
Connect to the switch and log in as admin. Issue the firmwareShow command to check the current firmware version on connected switches. Upgrade their firmware if necessary before proceeding with upgrading this switch. See ”Checking connected switches” on page 176 for details. Enter the firmwareDownload command.
problem persists, review ”Troubleshooting firmwareDownload” on page 183. If the troubleshooting information fails to help resolve the issue, contact HP. During the upgrade process, the Director fails over to its standby CP blade and the IP addresses for the logical switches move to that CP blade's Ethernet port. This may cause informational ARP address reassignment messages to appear on other switches in the fabric.
Use the firmwareShow command to check the current firmware version on connected switches. Upgrade the firmware, if necessary, before proceeding with upgrading this switch. See ”Checking connected switches” on page 176. Enter the haShow command to confirm that the two CP blades are synchronized. In the following example, the active CP blade is CP0 and the standby CP blade is CP1: switch:admin>...
Autoleveling takes place in parallel with the firmware download being performed on the CPs, but does not impact performance. Fibre Channel traffic is not disrupted during autoleveling, but GbE traffic on AP blades may be affected. sw77:admin> firmwaredownload Type of Firmware (FOS, SAS, or any application) [FOS]: Server Name or IP Address: 192.168.32.10 Network Protocol (1-auto-select, 2-FTP, 3-SCP) [1]: User Name: userfoo...
v6.0.1\ 381MB 2007 Oct 19 10:39 config\ 2007 Sep 28 15:33 support\ 2007 Sep 28 15:33 firmwarekey\ 2007 Sep 28 15:33 Available space on usbstorage 79% Downloading the 6.1.0 image using the relative path To download the 6.1.0 image using the relative path: Log in to the switch as admin.
The switch manufacturer generates one private and public key pair. These key pairs are stored in the privatekey.pem and pubkey.pem files, respectively. The private key file is used to sign the firmware files. The public key file is packaged in an RPM-package as part of the firmware, and will be downloaded to the switch.
The firmwareDownload command As mentioned previously, the public key file will need to be packaged, installed, and run on your switch before downloading a signed firmware. When firmwareDownload installs a firmware file, it needs to validate the signature of the file. Different scenarios are handled as follows: a.
Testing and restoring firmware on switches Typically, users downgrade firmware after briefly evaluating a newer (or older) version and then restore the original version of the firmware. Testing a new version of firmware in this manner ensures that you do not replace existing firmware because the evaluated version occupies only one partition on the switch.
IMPORTANT: Stop! If you have completed step 8, then you have committed the firmware on the switch and you have completed the firmware download procedure. To restore the original firmware, refer to step 9 (should be performed after step Restore the firmware. a.
IMPORTANT: If the CPs do not achieve synchronization, stop here; log in to the standby CP, and enter the firmwareRestore command to restore the original firmware. c. Enter the firmwareShow command to confirm that the primary partition of the standby CP contains the new firmware.
IMPORTANT: Stop! If you have completed step 11, then you have committed the firmware on both CPs and you have completed the firmware download procedure. The following step 12 through step 14 describe how to restore the original firmware, and should be performed after step Restore the firmware on the standby CP.
maintain the same firmware level on both partitions of each CP within the Director. The command firmwareShow -v will display the firmware version on the Co-CPs. BrcdDCXBB:admin> firmwareshow -v Slot Name Appl Primary/Secondary Versions Status ------------------------------------------------------------------------ v6.1.0 ACTIVE * v6.1.0 Co-FOS v6.1.0 v6.1.0...
Administering Advanced Zoning About zoning Zoning enables you to partition your SAN into logical groups of devices that can access each other. A device can communicate only with other devices connected to the fabric within its specified zone. For example, you can partition your SAN into two zones, winzone and unixzone, so that your Windows servers and storage do not interact with your UNIX servers and storage.
Zone types Table 53 summarizes the types of zoning available. Table 53 Types of zoning Zone type Description Storage-based Storage units typically implement LUN-based zoning, also called LUN masking. LUN-based zoning limits access to the LUNs on the storage port to the specific WWN of the server HBA.
Table 54 Approaches to fabric-based zoning (continued) Zoning Description approach Alternative approaches Application Zoning by application typically requires zoning multiple, perhaps incompatible, operating systems into the same zones. This method of zoning creates the possibility that a minor server in the application suite could disrupt a major server (such as a Web server disrupting a data warehouse server).
When a zone object is the port WWN name, only the single port is in the zone. The types of zone objects used to define a zone can be mixed. For example, a zone defined with the zone objects 2,12; 2,14; 10:00:00:80:33:3f:aa:11 contains the devices connected to domain 2, ports 12 and 14, and a device with the WWN (either node name or port name) 10:00:00:80:33:3f:aa:11 that is connected on the fabric.
• Disabled Configuration—The effective configuration is removed from flash memory. When you disable the effective configuration, the Advanced Zoning feature is disabled on the fabric, and all devices within the fabric can communicate with all other devices (unless you previously set up a default zone, as described in ”Activating default zones”...
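How mixed zone objects decide which devices can talk to each other, as an added example (not code from this guide). It uses the member list and alias name that appear in this chapter; the device WWNs and attachment points are constructed, and default zones are not modelled. It shows that a domain,port member follows the port (whatever is plugged in gains access) while a WWN member follows the device.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Device:
    name: str
    port_wwn: str
    node_wwn: str
    domain: int   # domain ID of the switch the device is attached to
    port: int     # switch port it is attached to


def parse_members(spec: str, aliases: Dict[str, str]) -> Set[str]:
    """Turn '2,12; 2,14; 10:00:...' (or alias names) into normalised members."""
    members: Set[str] = set()
    for item in (s.strip() for s in spec.split(";")):
        if not item:
            continue
        if item in aliases:
            # An alias is a named group of ports or WWNs; expand it one level.
            members |= parse_members(aliases[item], {})
        elif ":" in item:
            octets = item.lower().split(":")
            if len(octets) != 8 or any(len(o) != 2 for o in octets):
                raise ValueError(f"not a WWN: {item!r}")
            int("".join(octets), 16)          # raises ValueError on non-hex
            members.add(":".join(octets))
        else:
            domain, port = (int(x) for x in item.split(","))
            members.add(f"{domain},{port}")
    return members


def in_zone(dev: Device, members: Set[str]) -> bool:
    """A device is in a zone by attachment point, port WWN, or node WWN."""
    return (f"{dev.domain},{dev.port}" in members
            or dev.port_wwn.lower() in members
            or dev.node_wwn.lower() in members)


def zones_of(dev: Device, effective: Dict[str, Set[str]]) -> List[str]:
    return sorted(z for z, m in effective.items() if in_zone(dev, m))


def can_communicate(a: Device, b: Device,
                    effective: Optional[Dict[str, Set[str]]]) -> bool:
    """True if both devices share at least one zone of the effective configuration.

    effective=None models a disabled configuration: zoning is off and every
    device can reach every other (assuming no default zone restricts access).
    """
    if effective is None:
        return True
    return any(in_zone(a, m) and in_zone(b, m) for m in effective.values())


def moved_to(dev: Device, domain: int, port: int) -> Device:
    """The same device re-cabled to another switch port."""
    return replace(dev, domain=domain, port=port)


# Constructed sample data. The alias name and member list follow this
# chapter's examples; the hosts and their WWNs are made up.
ALIASES = {"array1": "10:00:00:80:33:3f:aa:11"}
EFFECTIVE = {
    "winzone": parse_members("2,12; 2,14; array1", ALIASES),
    "unixzone": parse_members("3,1; 3,2", ALIASES),
}
ARRAY = Device("array", "10:00:00:80:33:3f:aa:11", "20:00:00:80:33:3f:aa:11", 5, 3)
HOST_A = Device("host_a", "10:00:00:00:c9:00:00:0a", "20:00:00:00:c9:00:00:0a", 2, 12)
HOST_B = Device("host_b", "10:00:00:00:c9:00:00:0b", "20:00:00:00:c9:00:00:0b", 2, 13)

if __name__ == "__main__":
    print("host_a -> array:", can_communicate(HOST_A, ARRAY, EFFECTIVE))   # zoned by port
    print("host_b -> array:", can_communicate(HOST_B, ARRAY, EFFECTIVE))   # port 13 not zoned
    recabled = moved_to(HOST_B, 2, 14)
    print("host_b on 2,14 -> array:", can_communicate(recabled, ARRAY, EFFECTIVE))
    print("array on another port still in:", zones_of(moved_to(ARRAY, 7, 9), EFFECTIVE))
    print("zoning disabled:", can_communicate(HOST_B, ARRAY, None))
```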
• Is available on 1, 2, 4, 8 and 10 Gbps platforms. • Ensures that the name server does not return any information to an unauthorized initiator in response to a name server query. • Is exclusively enforced through selective information presented to end nodes through the fabric Simple Name Server (SNS).
Table 55 Enforcing hardware zoning (continued) Fabric type Methodology Best practice HP StorageWorks Enable hardware-enforced zoning on Use either WWN or 4/8 SAN Switch, domain,port zones, and WWN zones. domain,port identifiers. 4/16 SAN Switch, Overlap of similar zone types does not result in Brocade 4Gb the loss of hardware enforcement.
WWN_Zone1 Port_Zone1 Core Port_Zone2 WWN_Zone2 Switch Zone Boundaries 22.3b(13.3) Figure 12 Hardware-enforced overlapping zones Any zone using a mixed zoning scheme on the Fabric OS 2-Gbps platform relies on name server authentication as well as hardware-assisted (ASIC) authentication. Hardware-assisted authentication ensures that any PLOGI, ADISC, PDISC, or ACC from an unauthorized device is rejected if that device is attempting to access a device that is not in the same zone.
Considerations for zoning architecture Table 56 lists considerations for zoning architecture. Table 56 Considerations for zoning architecture Item Description Type of zoning: If security is a priority, hard zoning is recommended. hard or soft (session-based) Use of aliases The use of aliases is optional with zoning. Using aliases requires structure when defining zones.
Best practices for zoning The following are recommendations for using zoning: • Always zone using the highest Fabric OS-level switch. Switches with earlier Fabric OS versions do not have the capability to view all the functionality that a newer Fabric OS provides, as functionality is backwards compatible but not forwards compatible. •...
Broadcast zones and FC-FC routing If you create broadcast zones in a metaSAN consisting of multiple fabrics connected through an FC router, the broadcast zone must include the IP device that exists in the edge or backbone fabric as well as the proxy device in the remote fabric.
Creating and managing zone aliases A zone alias is a logical group of ports or WWNs. You can simplify the process of creating zones by first specifying aliases, which eliminates the need for long lists of individual zone member names. If you are creating a new alias using aliCreate w, “1,1”, and a user in another Telnet session executes cfgEnable (or cfgDisable, or cfgSave), the other user’s transaction will abort your transaction and you will receive an error message.
You are about to save the Defined zoning configuration. This action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled. Do you want to save Defined zoning configuration only? (yes, y, no, n): [no] y To remove members from an alias: Connect to the switch and log in as admin.
Enter the cfgSave command to save the change to the defined configuration. switch:admin> alidelete "array1" switch:admin> cfgsave You are about to save the Defined zoning configuration. This action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled.
The values represent the following:
zonename: The name of the zone to be created.
member: A member or list of members to be added to the zone. A zone member can be specified by one or more of the following methods: •...
To remove devices (members) from a zone: Connect to the switch and log in as admin. Enter the zoneRemove command, using the following syntax: zoneremove "zonename", "member[; member...]"
The values represent the following:
zonename: The name of the zone to be created.
member: A member or list of members to be removed from the zone.
The values represent the following:
pattern: A POSIX-style regular expression used to match zone names.
mode: Specify 0 to display the contents of the transaction buffer (the contents of the current transaction), or specify 1 to display the contents of the nonvolatile memory.
Merging zones Table 57 presents zoning database size limitations for various Fabric OS release versions. The maximum size of a zone database is the upper limit for the defined configuration, and it is determined by the amount of flash memory available for storing the defined configuration. Table 57 Zoning database limitations Fabric OS version...
Table 58 Resulting database size: 0 to 96K (continued) Receiver Fabric Fabric Fabric OS Fabric Fabric OS Fabric Fibre XPath 7.3 OS 3.1 OS 3.2 4.0/ OS 4.4.0 5.0.0/ Channel 4.1/ 5.0.1/ 5.2.0 or Router Initiator 5.1.0 later Fabric OS 4.0/ Join Join Join...
Table 60 Resulting database size: 128K to 256K (continued) Receiver Fabric OS Fabric Fabric OS Fabric Fabric OS Fabric OS Fibre XPath 7.3 OS 3.2 4.0/ OS 4.4.0 5.0.0/ 5.2.0 or Channel 4.1/ 5.0.1/ later Router Initiator 5.1.0 FC router Segment Join Segment...
Creating and modifying zoning configurations You can store a number of zones in a zoning configuration database. The maximum number of items that can be stored in the zoning configuration database depends on the following criteria: • Number of switches in the fabric. •...
The values represent the following:
cfgname: The name of the zone configuration.
member: The zone name or list of zone names to be added to the configuration.
Enter the cfgSave command to save the change to the defined configuration. switch:admin> cfgadd "newcfg", "bluezone" switch:admin>...
Do you want to save Defined zoning configuration only? (yes, y, no, n): [no] y To clear changes to a configuration: Enter the cfgTransAbort command. When this command is executed, all changes since the last save operation (performed with the cfgSave command) are cleared.
For example, to display all zone configurations that start with “Test”: switch:admin> cfgshow "Test*" cfg: Test1 Blue_zone cfg: Test_cfg Red_zone; Blue_zone To view a configuration in the effective zone database: Connect to the switch and log in as admin. Enter the cfgActvShow command. switch:admin>...
Enter the cfgShow command to verify the new zone object is present. switch:admin> cfgshow "Test*" cfg: Test1 Blue_zone cfg: Test_cfg Red_zone; Blue_zone switch:admin> cfgShow "US_Test1" cfg: Test1 Blue_zone cfg: Test_cfg Red_zone; Blue_zone If you want the change preserved when the switch reboots, enter the cfgSave command to save it to nonvolatile (flash) memory.
To rename a zone object: Connect to the switch and log in as admin. Enter the cfgShow command to view the zone configuration objects you want to rename. switch:admin> cfgShow Defined configuration: cfg: USA_cfg Red_zone; White_zone; Blue_zone zone: Blue_zone 1,1; array1; 1,2; array2 zone: Red_zone 1,0;...
To validate all zones in the zone database in the defined configuration: switch:admin> sw5:root> zone --validate -m 1 Defined configuration: cfg: cfg1 zone1 cfg: cfg2 zone1; zone2 zone: zone1 1,1; ali1 zone: zone2 1,1; ali2 alias: ali1 10:00:00:05:1e:35:81:7f*; 10:00:00:05:1e:35:81:7d* alias: ali2 10:00:00:05:1e:35:81:09*;...
Before the new fabric can merge successfully, it must pass the following criteria: Before merging zones • To facilitate merging, check the following before merging switches or fabrics: • Zoning licenses: All switches running Fabric OS v6.0.x or earlier must have a Zoning license enabled.
A merge is not possible if any of the following conditions exist: • Configuration mismatch: Zoning is enabled in both fabrics and the zone configurations that are enabled are different in each fabric. • Type mismatch: The name of a zone object in one fabric is used for a different type of zone object in the other fabric.
followed by a portDisable or portEnable command on one of the ISL ports that connects the fabrics. This will cause a merge, making the fabric consistent with the correct configuration. IMPORTANT: Be careful using the cfgClear command because it deletes the defined configuration.
Configuring Directors This chapter contains procedures that are specific to the: • HP StorageWorks 4/256 SAN Director • HP StorageWorks DC SAN Backbone Director For detailed information see the HP StorageWorks SAN Director hardware reference manual or the HP StorageWorks DC SAN Backbone Director hardware reference manual. Identifying ports Because Directors contain interchangeable port blades, their procedures differ from those for fixed-port switches.
Director port numbering schemes Table 62 lists the port numbering schemes for the 4/256 Director and DC Director.
Table 62 Port numbering schemes for the 4/256 Director and DC Director
Port blades | Numbering scheme
FC2-16, FC4-16, FC8-16 | Ports are numbered from 0 through 15 from bottom to top.
FC4-32...
A number of fabric-wide databases supported by Fabric OS (including ZoneDB, the ACL DDC, and Admin Domain) allow a port to be designated by the use of a “D,P” (domain,port) notation. While the “P” component appears to be the port number, in up to 255 ports it is actually the area assigned to that port. If the PID format is changed from Extended-edge to Core, the “P”...
Powering port blades off and on All blades are powered on by default when the switch chassis is powered on. Blades cannot be powered off when POST or AP initialization is in progress. NOTE: In the DC Director, the core blades in slots 5 and 8 cannot be powered off with the CLI interface. You must manually power off the blades by unseating the blade from its mounting or removing the power from chassis.
If a previously configured FR4-18i blade is removed and another or the same FR4-18i blade is inserted into the same slot, then the ports use the previous configuration and come up enabled. If a previously-configured FR4-18i blade is removed and an FC4-48, FC4-32, FC4-16, FC8-48, FC8-32, FC8-16, or FC10-6 blade is plugged in, then—other than the port’s EX_Port configuration—all the remaining port configurations previously applied to the FR4-18i FC_Ports can be used.
Blade terminology and compatibility Before configuring a chassis, familiarize yourself with the Director CP blade and port blade nomenclature, as well as the port blade compatibilities. Often in procedures, only the abbreviated names for CP and port blades are used (for example, the FC4-16 blade). Table 64 includes CP and port blade abbreviations and descriptions.
type of CP blade installed and that each CP (primary and secondary partition) maintains the same firmware version. Core blades The DC Director supports two CR8 core blades. This blade is used for intra-chassis switching as well as ICL connectivity to another DC Director chassis. The 4/256 Director does not support core blades.
Table 67 lists chassis configuration options and resulting slot configurations. Table 67 Chassis configuration options Option Result One 128-port switch (Blade IDs 4, 17 on slots 1–4, 7–10. Blade ID 5 and 16 on slots 5, 6) One 384-port switch (Blade IDs 4, 17, 18, 31, and 36 on slots 1–4, 7–10. Blade ID 16 on slots 5, 6) See Table 64 for details about the different blades, including their corresponding IDs.
Inter Chassis Link behavior between two HP StorageWorks DC Directors Inter chassis links (ICL) is a licensed feature used to interconnect two DC Directors; there are two ICL connector ports ICL0 and ICL1 on each core blade, each aggregating a set of 16 ports. Thus each core blade provides 32 ICL ports and there are 64 ICL ports available for the entire DC Director chassis.
Routing traffic This chapter provides information on routing policies. Data routing and routing policies Data moves through a fabric from switch to switch and from storage to server along one or more paths that make up a route. Routing policies determine the path for each frame of data. IMPORTANT: For most configurations, the default routing policy is optimal, and provides the best performance.
Whatever routing policy a switch is using applies to the VE_Ports as well. See ”Configuring and monitoring FCIP extension services” on page 375 for details about VE_Ports. To display the current routing policy and specify a different routing policy, use the aptPolicy command. The aptPolicy command detects the switch’s configuration options and provides the appropriate policies for you to select from.
In a stable fabric, frames are always delivered in order, even when the traffic between switches is shared among multiple paths. However, when topology changes occur in the fabric (for example, if a link goes down), traffic is rerouted around the failure, and some frames could be delivered out of order. Most destination devices tolerate out-of-order delivery, but some do not.
Enter the dlsSet command to enable DLS or enter the dlsReset command to disable it. switch:admin> dlsshow DLS is not set switch:admin> dlsset switch:admin> dlsshow DLS is set switch:admin> dlsreset switch:admin> dlsshow DLS is not set Viewing routing path information The topologyShow and uRouteShow commands provide information about the routing path.
Use the uRouteShow command to display unicast routing information. Use the following syntax for the 4/8 SAN Switch, 4/16 SAN Switch, 8/8 SAN Switch 8/24 SAN Switch Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, , and SAN Switch 4/32 4/64 SAN Switch, SAN Switch 4/32...
Viewing routing information along a path You can display detailed routing information from a source port (or area) on the local switch to a destination port (or area) on another switch. This routing information describes the full path that a data stream travels between these ports, including all intermediate switches.
The information that pathInfo provides is:
Hops: The number of switch-to-switch links (ISLs) traversed. The local switch is hop 0.
In Port: The port that the frames come in from on this path. For hop 0, the source port.
Domain ID: The domain ID of the switch.
The name of the switch.
Implementing an interoperable fabric For information on HP supported interop configurations, refer to the HP StorageWorks Fabric interoperability: merging fabrics based on C-Series and B-Series Fibre Channel switches on the following HP website: http://h18000.www1.hp.com/products/storageworks/san/documentation.html
Configuring the Distributed Management Server This chapter provides information on enabling and disabling the platform services, configuring and controlling access to the Management Server database, and using the topology discovery feature. Overview The Fabric OS Distributed Management Server allows a SAN management application to retrieve information and administer interconnected switches, servers, and storage devices.
Enabling platform services Connect to the switch and log in as admin. Enter the msplMgmtActivate command. switch:admin> msplmgmtactivate Request to activate MS Platform Service in progress..*Completed activating MS Platform Service in the fabric! switch:admin> Disabling platform services Connect to the switch and log in as admin. Enter the msplMgmtDeactivate command.
Display the access list Add member based on its Port/Node WWN Delete member based on its Port/Node WWN select : (0..3) [1] 0 done ... switch:admin> Adding a member to the ACL Connect to the switch and log in as admin. Enter the msConfigure command.
Display the access list Add member based on its Port/Node WWN Delete member based on its Port/Node WWN select : (0..3) [1] 0 done ... Update the FLASH? (yes, y, no, n): [yes] y *Successfully saved the MS ACL to the flash. switch:admin>...
Display the access list Add member based on its Port/Node WWN Delete member based on its Port/Node WWN select : (0..3) [1] 0 done ... Update the FLASH? (yes, y, no, n): [yes] y *Successfully saved the MS ACL to the flash. switch:admin>...
switch:admin> mstdreadconfig *MS Topology Discovery is Enabled. To enable topology discovery: Connect to the switch and log in as admin. Enter the mstdEnable command to enable the discovery feature locally. Enter the mstdEnable all command to enable the discovery feature on the entire fabric. switch:admin>...
iSCSI Gateway services Overview of iSCSI gateway service The FC4-16IP iSCSI gateway service is an intermediate device in the network, allowing iSCSI initiators in an IP SAN to access and utilize storage in a Fibre Channel (FC) SAN as shown in the figure below. FC4-16IP FC target 1 iSCSI gateway...
To represent all iSCSI initiators and sessions, each iSCSI portal has one iSCSI virtual initiator (VI) to the FC fabric that appears as an N_Port device with a special WWN format. Regardless of the number of iSCSI initiators or iSCSI sessions sharing the portal, Fabric OS uses one iSCSI VI per iSCSI portal. The following figure shows the interaction of different layers from the iSCSI initiator stack to the FC target stack, including the iSCSI gateway service used during protocol translation.
Advanced LUN mapping SCSI VTs can be mapped to more than one physical FC target, and the LUNs can be mapped to different virtual LUNs. The following figure shows an advanced mapping scenario. FC target 1 iSCSI virtual target 1 FC target 2 iSCSI virtual target 2 iSCSI virtual target 3...
The following figure shows an iSCSI gateway that has three iSCSI VTs and two iSCSI initiators. iSCSI initiator A iqn.2003-11.com.microsoft:win2k-sn-192168101 iSCSI virtual targets (VTs) VT 1 iqn.2002-12.com.brocade:10:00:00:05:1e:aa:bb:cc IP Network VT 2...
[Figure 21 Discovery domain set configuration example; diagram labels: DDSet 1, iSCSI initiator A, iSCSI initiator B, IP network, iSCSI gateway service, iSCSI virtual targets (VTs) VT 1, VT 2, VT 3]
Switch-to-iSCSI initiator authentication...
Enabling and disabling connection redirection for load balancing Connect to the switch and log in. Enter the appropriate form of the iscsiSwCfg command for the operation you want to perform: • To enable connection redirection, use the iscsiSwCfg --enableconn command. For 4/256 SAN Directors, the -s <slot number>...
FC4-16IP Blade Configuration This section describes the initial setup required to deploy an iSCSI gateway solution. NOTE: Only the 4/256 SAN Director with an iSCSI-enabled FC4-16IP blade running Fabric OS 5.2.0 or later supports the iSCSI gateway service. You can also configure an FC4-16IP blade through the Web Tools Graphical User Interface as an alternative to the command line interface.
Enabling the iSCSI gateway service The iSCSI gateway service translates and directs SCSI traffic between an iSCSI initiator and an FC target. This section explains how to enable the iSCSI gateway service on the 4/256 SAN Director. Connect and log in to the switch. Enter the fosConfig --show command to show the current Fabric OS configuration.
Take the appropriate action based on the Persistent Disable setting: • If it is set to OFF, proceed to step 4. • If it is set to ON, enter the portCfgPersistentEnable command with the slot number and GbE port number. switch:admin>...
(Optional) Enter the portCfg command to define static routes to reach the destination IP through a preferred gateway. switch:admin> portcfg iproute 3/ge0 create 0.0.0.0 0.0.0.0 30.0.0.1 1 Operation Succeeded The gateway must be on the same subnet as the GbE port. You can specify a maximum of 32 routes per GbE port.
Automatic iSCSI VT creation An iSCSI VT is created using target LUNs from the attached FC network. LUNs are mapped to iSCSI VTs by creating unique iSCSI Qualified Names (IQNs) for each target. You can create iSCSI VTs by using the iscsiCfg easycreate tgt command.
2f:7f:00:06:2b:0d:10:ba iqn.2002-12.com.brocade:2f:7f:00:06:2b:0d:10:ba Operation Succeeded 2f:9f:00:06:2b:0d:10:ba iqn.2002-12.com.brocade:2f:9f:00:06:2b:0d:10:ba Operation Succeeded 2f:bf:00:06:2b:0d:10:ba iqn.2002-12.com.brocade:2f:bf:00:06:2b:0d:10:ba Operation Succeeded 2f:df:00:06:2b:0d:10:ba iqn.2002-12.com.brocade:2f:df:00:06:2b:0d:10:ba Operation Succeeded 2f:ff:00:06:2b:0d:12:9a iqn.2002-12.com.brocade:2f:ff:00:06:2b:0d:12:9a Operation Succeeded Enter the iscsiCfg show tgt command to display the status of the created iSCSI VTs. The following is an example. switch:admin>...
Name: iqn.2002-12.com.brocade:2f:ff:00:06:2b:0d:12:9a State/Status: Online/Defined Generating an iSCSI VT for a specific FC target Connect and log in to the switch. Enter the iscsiCfg easycreate tgt command with the -w <port WWN> option to create an iSCSI VT that contains only the storage attached to the specified WWN. The default value of iqn.2002-12.com.brocade is used for the fixed prefix, and the port WWN is used as the user-defined portion of the IQN.
The following is an example. switch:admin> fclunquery Target Index: 1 Target Node WWN: 20:00:00:04:cf:e7:74:cf Target Port WWN: 21:00:00:04:cf:e7:74:cf Target Pid: 120d6 Number of LUNs returned by query: 1 LUN ID: 0x00 Target Index: 2 Target Node WWN: 20:00:00:04:cf:e7:73:7e Target Port WWN: 21:00:00:04:cf:e7:73:7e Target Pid: 120d9 Number of LUNs returned by query: 1 LUN ID: 0x00...
Enter the iscsiCfg --show lun command with the -t <IQN> option to verify that the LUN has been added to the iSCSI VT, where -t is the IQN that identifies the iSCSI VT. The following is an example. switch:admin> iscsicfg --show lun -t iqn.2002-12.com.brocade:example-disk001 Number of targets found: 1 Target: iqn.2006-10.com.example:disk001 Number of LUN Maps: 1...
Displaying the iSCSI virtual target LUN map Connect and log in to the switch. Enter the iscsiCfg show lun command: switch:admin> iscsicfg --show lun Number of targets found: 2 Target: iqn.2006-10.com.example:disk001 Number of LUN Maps: 2 FC WWN Virtual LUN(s) Physical LUN(s) 21:00:00:04:cf:e7:73:7e 2f:ff:00:06:2b:0d:12:99...
Displaying iSCSI initiator IQNs All iSCSI components in a DD must be identified using IQNs. Fabric OS temporarily stores the IQNs and IP addresses of iSCSI initiators that have logged in to the gateway. NOTE: If an iSCSI initiator has more than one IP address, only one of the IP addresses is displayed. Connect and log in to the switch.
iSCSI initiator-to-VT authentication configuration Fabric OS 5.2.0 or later supports both one-way and mutual CHAP authentication for iSCSI initiator-to-iSCSI VT target sessions. The authentication method (CHAP or none) is set on a per-iSCSI VT basis. Setting the user name and shared secret Authentication depends on a user name and shared secret.
Deleting user names from an iSCSI VT binding list User names can be deleted from the list of bound user names. Connect and log in to the switch. Enter the iscsiCfg --deleteusername tgt command with the -t and -u options to delete a user name: switch:admin>...
Resolving conflicts between iSCSI configurations When you merge two fabrics with different iSCSI configurations, a conflict will result. If there is a conflict, the database will not be merged and you must resolve the conflict. The iscsiCfg show fabric command displays the “out of sync” state. The rest of the switches will function normally, however, since there is no segmentation of E_Ports as a result of discovery domain set database conflicts.
• Enter the fcLunQuery command with the -s option to return the node and port WWNs of the switch. The following is an example. switch:admin> fclunquery -s The following WWNs will be used for any lun query from this switch: Node WWN: 10:00:00:60:69:80:04:4a Port WWN: 21:fd:00:60:69:80:04:4a iSCSI FC zoning overview...
iSCSI FC zone creation To create an iSCSI FC zone, you must include the following iSCSI elements in the zone: • The FC targets, used to create the virtual targets (VT). • The iSCSI virtual initiators (VIs): • If there is more than one FC4-16IP blade in the chassis, you must add all virtual initiators to the same zone.
Enter the nsShow command to display the WWN information for the iSCSI virtual initiators: switch:admin> nsshow Type Pid PortName NodeName TTL(sec) 0120d6; 3;21:00:00:04:cf:e7:74:cf;20:00:00:04:cf:e7:74:cf; na FC4s: FCP [SEAGATE ST336607FC 0004] Fabric Port Name: 20:20:00:60:69:e0:01:56 Permanent Port Name: 21:00:00:04:cf:e7:74:cf Port Index: 32 Share Area: No Device Shared in Other AD: No 0120d9;...
FC4s: FCP PortSymb: [23] "iSCSI Virtual Initiator" NodeSymb: [51] "IPAddr: 30.0.127.34 Slot/Port: 3/ge4 Logical pn: 44" Fabric Port Name: 00:00:00:00:00:00:00:00 Permanent Port Name: 50:06:06:9e:00:15:63:20 Port Index: 44 Share Area: No Device Shared in Other AD: No 012d00; 3;50:06:06:9e:00:15:63:28;50:06:06:9e:00:15:63:29; na FC4s: FCP PortSymb: [23] "iSCSI Virtual Initiator"...
Enter the zoneCreate command to create the zone. The following example illustrates the creation of a zone by specifying the aliases for FC targets and iSCSI virtual initiators as members of the named zone. switch:admin> zonecreate iscsi_zone001, "ISCSI_TARGETS; ISCSI_VI_SWITCH1_SLOT3" switch:admin> where: The user-defined name for the created zone.
iSNS client service configuration The internet storage name service (iSNS) server facilitates the automatic discovery and manages access control of iSCSI VTs on a TCP/IP network. iSNS clients initiate transactions with iSNS servers using the iSNS protocol, register available iSCSI VTs, download information about other registered clients (such as iSCSI initiators), and receive notification of events that occur in the DDs.
Enter the fosConfig --show command to verify that the service is enabled: switch:admin> fosconfig --show FC Routing service:disabled iSCSI service:enabled iSNS Client service:enabled Set the IP address of the iSNS server. You can use either the IP address of the GbE port that attaches the FC4-16IP blade, or the server management port IP address.
Clearing the iSNS client configuration The iSNS client configuration can be cleared with a single command. Connect and log in to the switch. Enter the isnscCfg --clear command to clear the iSNS configuration: switch:admin> isnsccfg --clear Cleared iSNS server IP address
Administering NPIV This chapter describes the concepts and procedures for administering N-Port ID Virtualization (NPIV). About NPIV NPIV enables a single Fibre Channel protocol port to appear as multiple, distinct ports, providing separate port identification within the fabric for each operating system image behind the port (as if each operating system image had its own unique physical port).
The following example shows the configuration of these parameters: switch:admin> switchdisable switch:admin> configure Configure... Fabric parameters (yes, y, no, n): [no] Virtual Channel parameters (yes, y, no, n): [no] F-Port login parameters (yes, y, no, n): [no] y Maximum logins per switch: (1..4032) [4032] 2048 Maximum logins per port: (1..255) [255] 126 switch:admin>...
output indicates whether or not a port is an NPIV F_Port, and identifies the number of virtual N_Ports behind it. Following is sample output from the switchShow command: switch: admin> switchshow switchName:swd77 switchType:32.0 switchState: Online switchMode:Native switchRole:Principal switchDomain: 99 switchId:fffc63 switchWwn:10:00:00:05:1e:35:37:40 zoning: switchBeacon:OFF...
Interrupts: Link_failure: 16 Frjt: Unknown: Loss_of_sync: 422 Fbsy: Lli: 294803 Loss_of_sig: Proc_rqrd: Protocol_err: 0 Timed_out: Invalid_word: 0 Rx_flushed: Invalid_crc: Tx_unavail: Delim_err: Free_buffer: Address_err: 1458 Overrun: Lr_in: Suspended: Lr_out: Parity_err: Ols_in: 2_parity_err: Ols_out: CMI_bus_err: Displaying login information Use the portLoginShow command to display the login information for the virtual PIDs of a port. Following is sample output from the portLoginShow command: switch:admin>...
Optimizing fabric behavior This chapter describes the Adaptive Networking features. Introduction to adaptive networking Adaptive Networking is a suite of tools and capabilities that enable you to ensure optimized behavior in the SAN. Even under the worst congestion conditions, the Adaptive Networking features can maximize the fabric behavior and provide necessary bandwidth for high-priority, mission-critical applications and connections.
Figure 25 shows a fabric with a TI zone consisting of N_Ports “1,8” and “4,6” and E_Ports “1,1”, “3,9”, “3,12”, and “4,7”. The dotted line indicates the dedicated path from Domain 1 to Domain 4. Domain 1 Domain 3 = Dedicated Path = Ports in the TI zone Domain 4 Figure 25...
For example, in Figure 26, there is a dedicated path between Domain 1 and Domain 3, and another, non-dedicated, path that passes through Domain 2. Since the non-dedicated path is not the shortest path between Domain 1 and Domain 3, all traffic will use the dedicated path. Domain 1 Domain 3 = Dedicated Path...
• The TI zones appear in the defined zone configuration only and do not appear in the effective zone configuration. A TI zone only provides Traffic Isolation and is not a “regular” zone. • A TI zone must include a set (two or more) of E_Ports forming an end-to-end path. Inclusion of N_Ports is optional.
• FCR does not support Traffic Isolation. • Ports in a TI zone must belong to switches that run Fabric OS v6.0 or later. • Traffic Isolation is not supported in fabrics with switches running firmware versions earlier than Fabric OS 6.0.
To create a TI zone with failover enabled and activate it (default settings), type: zone --create -t ti redzone -p "1,1; 2,4; 1,8; 2,6" To create a deactivated TI zone with failover disabled, type: zone --create -t ti -o dn redzone -p "1,1; 2,4; 1,8; 2,6" Modifying TI zones Using the zone --add and zone --remove commands, you can add and remove ports and change the failover option of existing TI zones.
Enter the zone --add command to add ports or change the failover option for an existing TI zone. Enter the zone --remove command to remove ports from an existing TI zone. zone --add [-o optlist] name -p "portlist" zone --remove name -p "portlist" where: A list of options for controlling failover mode.
Deleting a TI zone Use the zone --delete command to delete a TI zone from the defined configuration. This command deletes the entire zone; to only remove port members from a TI zone, use the zone --remove command, as described in ”Modifying TI zones”...
To limit the traffic, you set the maximum speed at which the traffic can flow through a particular F_Port or FL_Port. For example, if you set the rate limit at 4 Gbps, then traffic from a particular device is limited to a maximum of 4 Gbps.
QoS zones You assign high or low priority (QoS level) using a QoS zone. A QoS zone is a special zone that indicates the priority of the traffic flow between a given host/target pair. The members of a QoS zone are WWNs of the host/target pairs.
QoS on E_Ports In addition to configuring the hosts and targets in a zone, you must also enable QoS on individual E_Ports that might carry traffic between the given host and target pairs. Path selection between the “host,target” pairs is governed by FSPF rules and is not affected by QoS priorities. By default, QoS is enabled on E_Ports in port configuration.
• Traffic prioritization is not supported on mirrored ports. • Trunking considerations: If some ports in a trunk group have QoS enabled and some ports have QoS disabled, then two different trunks are formed, one with QoS enabled and one with QoS disabled.
Using the FC-FC Routing Service Supported platforms FC-FC Routing is supported on the following platforms: • 400 MP Router • 4/256 SAN Director or DC SAN Backbone Director (short name, DC Director) when it is configured with an FR4-18i blade and uses chassis configuration option 5 NOTE: The DC Director only supports chassis configuration option 5.
Figure 31 shows a metaSAN consisting of three edge fabrics connected through a 4/256 SAN Director or DC Director containing an FR4-18i with interfabric links. Host Target Target Edge Edge Edge fabric 1 fabric 2 fabric 3 E_Port E_Port E_Port Fibre...
VE_Port Edge fabric 2 IP cloud Edge fabric 1 Edge fabric 3 E_Port E_Port VEX_Port 400 MP Router EX_Port (2) = LSAN Backbone fabric 26416a Figure 32 A metaSAN with edge-to-edge and backbone fabrics Figure 32 shows a metaSAN with a backbone consisting of one 400 MP Router connecting hosts in Edge Fabrics 1 and 3 with storage in Edge Fabric 2 and the backbone through the use of LSANs.
If an FR4-18i blade is attached to an edge fabric using an EX_Port, it will create translate phantom domains in the fabric corresponding to the imported edge fabrics with active LSANs defined. If you import devices into the backbone fabric, then a translate phantom domain is created in the backbone device in addition to the one in the edge fabric.
Proxy host Host (imported device) Proxy target (imported device) Target Fabric 2 Fabric 1 E_Port E_Port EX_Port 400 MP Router Figure 34 MetaSAN with imported devices Routing types • Edge-to-Edge Occurs when devices in one edge fabric communicate with devices in another edge fabric through one or more Fibre Channel routers.
Fibre Channel fabrics require that all ports be identified by a unique PID. In a single fabric, FC protocol guarantees that Domain IDs are unique, and so a PID formed by a Domain ID and area ID is unique within a fabric.
Performing verification checks Before configuring a fabric to connect to another fabric, you must perform the following verification checks on the switch or director. To perform verification checks: Log in to the switch or director as admin and enter the version command. Verify that Fabric OS 6.0 is installed on the 400 MP Router, 4/256 SAN Director or DC Director with the FR4-18i blade as shown in the following example.
Enter the interopMode command and verify that Brocade switch interoperability with switches from other manufacturers is disabled. switch:admin> interopmode InteropMode: Off Usage: InteropMode 0|1 0: to turn it off 1: to turn it on Enter the msPlatShow command to verify that Management Server Platform database is disabled in the backbone fabric.
To assign backbone fabric IDs: Log in to the switch or director. Enter the fosConfig disable fcr command to disable the FC-FC Routing Service. See the Fabric OS Command Reference or the CLI man pages for more information about the fosConfig command.
fabrics. Secure Fabric OS is an optional licensed product that provides customizable security restrictions through local and remote management channels on an HP fabric. Although Secure Fabric OS is not supported in Fabric OS 6.0, you can still connect a 6.0 switch to an edge switch that participates in a Secure Fabric OS.
When prompted, type y. The DH-CHAP secret is now stored in the secret word database and is ready for use. switch:admin> secauthsecret --set This command is used to set up secret keys for the DH-CHAP authentication. The minimum length of a secret key is 8 characters and maximum 40 characters.
To configure an IFL for both edge and backbone connections: On the 400 MP Router, or 4/256 SAN Director or DC Director with an FR4-18i blade, disable the port that you are configuring as an EX_Port (the one connected to the Brocade switch) by issuing the portDisable command.
portCfgExport options This port can now connect to another switch. The following list describes the options for the portCfgExport command. For more information about the portCfgExport and portCfgVexport commands, see the Fabric OS Command Reference. Sets the EX_Port to enabled (1) or disabled (2). Admin use only. Sets the fabric ID (1 to 128).
Enter the portCfgShow command to view ports that are persistently disabled. switch:admin> portcfgshow 7/10 Area Number: Speed Level: AUTO Trunk Port Long Distance VC Link Init Locked L_Port Locked G_Port Disabled E_Port ISL R_RDY Mode RSCN Suppressed Persistent Disable NPIV capability EX Port Mirror Port FC Fastwrite...
Enter either the portCfgEXPort or portShow command to verify that each port is configured correctly: switch:admin> portcfgexport 7/10 Port 7/10 info Admin: enabled State: NOT OK Pid format: Not Applicable Operate mode: Brocade Native Edge Fabric ID: Preferred Domain ID: Front WWN: 50:06:06:9e:20:38:6e:1e Fabric Parameters:...
Proc_rqrd: Protocol_err: 0 Timed_out: Invalid_word: 0 Rx_flushed: Invalid_crc: Tx_unavail: Delim_err: Free_buffer: Address_err: Overrun: Lr_in: Suspended: Lr_out: Parity_err: Ols_in: 2_parity_err: Ols_out: CMI_bus_err: Port part of other ADs: No Enter the switchShow command to verify the EX_Port (or VEX_Port), edge fabric ID, and name of the edge fabric switch (containing the E_Port or VE_Port).
The FCR router port cost settings are 0, 1000, or 10,000. If the cost is set to 0, the default cost will be used for that IFL. The FC router port cost is persistent and is saved in the existing port configuration file. Router port cost is passed to other routers in the same backbone.
Port cost considerations The router port cost has the following considerations: • Router port sets are defined as follows: • 0-7 and FCIP Tunnel 16-23 • 8-15 and FCIP Tunnel 24-31 More than two router port sets can exist in a 4/256 SAN Director or DC Director with two FR4-18i blades. •...
400 MP Router or 4/256 SAN Director or DC Director with an FR4-18i blade, use the portCfgEXPort command. If you want to change the fabric parameters of a VEX_Port, then use the portCfgVEXPort command. The backbone fabric PID mode and the edge fabric PID mode do not need to match, but the PID mode for the EX_Port or VEX_Port and the edge fabric to which it is attached must match.
Supported configurations and platforms The EX_Port trunking is an FCR software feature and requires that you have a trunking license installed on the FCR switch and on the edge fabric connected to the other side of the trunked EX_Ports. EX_Port trunking is supported only with edge fabrics.
through these ports may be disrupted for a short period of time. In addition to the commands for enabling and disabling trunking, you can also use the following E_Port commands for administering EX_Port Frame Trunking: • Use portCfgSpeed and switchCfgSpeed to set speed for a port or switch. •...
address authority (NAA) field in the WWN to detect an FC router. LSAN zone enforcement in the local fabric occurs only if the administration domain member list contains both of the devices (local and imported device) specified in the LSAN zone. For more information, see ”Managing administrative domains”...
• Target B has WWN 50:05:07:61:00:49:20:b4 (connected to switch2). The following procedure shows how to control device communication with the LSAN. To control device communication with the LSAN: Log in as admin and connect to switch1. Enter the nsShow command to list the WWN of the host (10:00:00:00:c9:2b:c9:0c). NOTE: The nsShow output displays both the port WWN and node WWN;...
Enter the cfgShow command to verify that the zones are correct. switch:admin> cfgshow Defined configuration: zone: lsan_zone_fabric2 10:00:00:00:c9:2b:c9:0c; 50:05:07:61:00:5b:62:ed; 50:05:07:61:00:49:20:b4 Effective configuration: no configuration in effect Enter the cfgAdd and cfgEnable commands to create and enable the LSAN configuration. switch:admin> cfgadd "zone_cfg", "lsan_zone_fabric2" switch:admin>...
LSAN zone binding (optional) By default, the Fibre Channel routers (FCR) in the backbone maintain the entire LSAN zone and device state database. On Fibre Channel routers with Fabric OS 5.3.0 and later, the LSAN zone binding allows you to specify pairs of edge fabrics that share devices, effectively creating an LSAN fabric matrix. The Fibre Channel router uses this information to store only the LSAN zone entries of the remote edge fabrics that can access its local edge fabrics and also to search and do a pair match only against the specified edge fabrics.
cancel Clears the information from the cache and puts it back to the saved value. display Displays the information that is saved in the cache. fabricview Displays the static and default and dynamic binding of the backbone to show which edge fabrics can access each other. verify Verifies if the information in the cache is valid and will not disrupt existing import/export devices.
The fcrlsancount command assumes that all the FCRs in the same LSAN fabric matrix or backbone have the same maximum LSAN count defined, to protect all the FCRs from running into indefinite state. Asymmetric LSAN configurations due to different maximum LSAN counts could lead to different devices being imported on different FCRs.
In the FC router, use the command fcrbcastconfig to prevent interfabric forwarding of broadcast frames of edge or backbone fabrics. Using the fcrbcastconfig command, you can disable or enable the broadcast frame forwarding option per FID (edge fabric or backbone fabric). If you have an FID with a pre-existing IPFC data session that you want to disable then the IPFC traffic across the FCR may not stop even after disabling the broadcasting to some edge fabrics.
Type the following command: fcr:admin> fcrbcastconfig --disable -f <fabric id> where <fabric id> is the specified FID where you want to disable frame forwarding. This command disables the broadcast frame forwarding option for an FID (edge or backbone fabric). Monitoring resources It is possible to exhaust resources, such as proxy PIDs.
The following example shows the use of the fcrResourceShow command to display per physical port (EX_Port) resources. switch:admin> fcrresourceshow Daemon Limits: Max Allowed Currently Used ---------------------------------- LSAN Zones: 3000 28 LSAN Devices: 10000 51 Proxy Device Slots: 10000 20 WWN Pool Size Allocated ---------------------------------- Phantom Node WWN: 8192 5413 Phantom Port WWN: 32768 16121...
To check for Fibre Channel connectivity problems: On the edge Fabric OS switch, make sure that the source and destination devices are properly configured in the LSAN zone before entering the fcPing command. This command performs the following functions: • Checks the zoning configuration for the two ports specified. •...
For the exact RASLog message descriptions, see the following RASLogs: FCR_1055, FCR_1056, and FCR_1073. For further information on these messages, refer to Fabric OS Message Reference. Backward compatibility In a fabric with Secure Fabric OS enabled, the edge fabric must have Fabric OS 3.2, 4.4.0, or later because only DH-CHAP authentication is supported.
The portCfgExport command has additional options to verify the front Domain ID. The portCfgExport -d option is changed to enforce use of the same front Domain ID for the EX_Ports connected to the same edge fabric. The portCfgExport display results remain the same. For more information about the portCfgExport -d option, see ”portCfgExport options”
To display the range of output ports connected to the xlate domains: Log in to the FC router. Enter the lsDbShow command on the edge fabric. The following example shows the range of output ports. linkCnt = 2, flags = 0x0 LinkId = 53, out port = 1, rem port =...
Administering Advanced Performance Monitoring This chapter describes the Advanced Performance Monitoring licensed feature. About Advanced Performance Monitoring Additional performance monitoring features are provided through Web Tools. See the Web Tools Administrator’s Guide for information about monitoring performance using the Web Tools GUI. Based on Brocade Frame Filtering technology and a unique performance counter engine, Advanced Performance Monitoring is a comprehensive tool for monitoring the performance of networked storage resources.
NOTE: The command examples in this chapter use the slot/port syntax required by 4/256 SAN Director and DC Directors. For the 4/8 SAN Switch, 4/16 SAN Switch, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 8/8 SAN Switch, 8/24 SAN Switch, 8/40 SAN Switch, 8/80 SAN Switch and the 400 Multi-protocol Router, use only the port number where needed in the commands.
Figure 35 shows two devices: • Host A is connected to domain 5 (0x05), switch area ID 18 (0x12), AL_PA 0x00 on Switch X. • Dev B is a storage device connected to domain 17 (0x11), switch area ID 30 (0x1e), AL_PA 0xef on Switch Y.
Table 73 lists commands associated with Advanced Performance Monitoring. Advanced Performance Monitor commands are available only to users with the admin or switchAdmin roles. For detailed information on these commands, see the Fabric OS Command Reference. Table 73 Advanced Performance Monitoring commands Command Description Add an end-to-end monitor to a port.
Monitoring AL_PAs You can use the perfShowAlpaCrc command to display the CRC error count for all AL_PA devices or for a single AL_PA on a specific active L_Port. The following example displays the CRC error count for all AL_PA devices on a port: switch:admin>...
Setting a mask for an end-to-end monitor You can specify a mask using the perfSetPortEEMask command in the form dd:aa:pp, where dd is the Domain ID mask, aa is the area ID mask, and pp is the AL_PA mask. The values for dd, aa, and pp are either ff (the field must match) or 00 (the field is ignored).
You cannot add identical filter monitors to the same port. Two filter monitors are considered to be identical when they have the same values for the following items. • Filter monitor type • Owner (telnet, Web Tools, etc.) • Alias The following example adds filter-based monitors to slot 1, port 2 and displays the results: switch:admin>...
You can specify up to four values to compare against each offset. If more than one offset is required to properly define a filter, the bytes found at each offset must match one of the given values for the filter to increment its counter.
ISL monitors are deleted when Top Talker is installed and are restored when Top Talker is deleted. (See ”Top Talker monitors” for information about Top Talker monitors.) You can monitor ISL performance using the perfMonitorShow command, as described in ”Displaying monitor counters”...
To add a Top Talker monitor on an F_Port: Connect to the switch and log in as admin. Enter the perfttmon add command. perfttmon --add [egress | ingress] [slotnumber/]port where: slotnumber For director-class switches only (4/256 SAN Director and DC Director), the slot number.
perfttmon --show 7 5 To display the top flows on slot 2, port 4 on the 4/256 SAN Director or DC Director in PID format: perfttmon --show 2/4 pid switch:admin> perfttmon --show 2/4 pid ======================================== Src_PID Dst_PID MB/sec ======================================== 0xa90800 0xa05200 6.926 0xa90800...
The output is sorted based on the data rate of each flow. If you do not specify the number of flows to display, then the command displays the top 8 flows or the total number of flows, whichever is less. The command can display a maximum of 32 flows.
monitor_class The monitor class, which can be one of EE (end-to-end), FLT (filter-based), or ISL (inter-switch link). The class monitor_class operand is required. slotnumber Specifies the slot number for a 4/256 SAN Director. For all other switches, this operand is not required. The slot number must be followed by a slash ( / ) and the port number, so that each port is represented by both slot number (1 through 4 or 7 through 10) and port number (0 through 15).
0x21300 0x21de0 TELNET 0x00000004d0bab3a5 0x0000000067229e87 0x0000000000000000 0x21300 0x21de1 TELNET 0x00000004d0bac1e4 0x0000000067229e87 0x0000000000000000 0x21300 0x21de2 TELNET 0x00000004d0bad086 0x0000000067229e87 0x0000000000000000 0x11000 0x21fd6 WEB_TOOLS 0x00000004d0bade54 0x0000000067229e87 0x0000000000000000 192.168.169.40 0x11000 0x21fe0 WEB_TOOLS 0x00000004d0baed41 0x0000000067229e98 0x0000000000000000 192.168.169.40 The following example displays a filter-based monitor on a port at 6-second intervals: switch:admin>...
SCSI_WR WEB_TOOLS 0x000000000000033a 192.168.169.40 The following example displays ISL monitor information on a port: switch:admin> perfMonitorShow --class ISL 1/1 Total transmit count for this ISL: 1462326 Number of destination domains monitored: 3 Number of ports in this ISL: 2 Domain 110379 Domain 98: 13965...
where: monitor_class The monitor class, which can be one of EE (end-to-end), FLT (filter-based), or ISL (inter-switch link). The class monitor_class operand is required. slotnumber For bladed systems only, specifies the slot number of the port on which the monitor counter is to be cleared. For all other switches, this operand is not required.
Saving and restoring monitor configurations To save the current end-to-end and filter monitor configuration settings into nonvolatile memory, use the perfCfgSave command: switch:admin> perfcfgsave This will overwrite previously saved Performance Monitoring settings in FLASH. Do you want to continue? (yes, y, no, n): [no] y Please wait ...
Administering Extended Fabrics This chapter provides information on implementing Extended Fabrics software. Extended Fabrics licensing To implement long distance dynamic (LD) and long distance static (LS) distance levels, you must first install the Extended Fabrics license. Use the licenseShow command to verify that the license is present on both switches used on both ends of the extended ISL.
FC switch port Buffer Credit requirements for long distance calculations You can calculate how many ports can be configured for long distance on all switch modules or ASICs except Bloom-based switches. For information on the port, speed and distance for Bloom-based ASICs, see Table 78.
Example: Consider the 8/24 SAN Switch, which has 24 ports and total buffers of 676. The maximum remaining number of buffer credits after each port is reserved is: 676 – (24 * 8) = 484 buffers
Where:
24 = the number of ports in a port group retrieved from Table
8 = the number of reserved buffers
676 = a static number retrieved from...
Enter the portbuffershow command. switch:admin> portbuffershow 1 User Port Max/Resv Buffer Needed Link Remaining Port Type Mode Buffers Usage Buffers Distance Buffers ---- ---- ---- ------- ------ ------- --------- ----- switch:admin>
Table 77 Switch, port speed, and distance with ASIC and buffers Switch blade ASIC Total ports in Total ports in a Reserved model a switch or group buffers for ports blade B-Series 2Gb Bloom 8, 16 or 32 108/4 Switches 4/8 SAN Switch Golden Eye 272/16...
Buffer credit recovery Buffer credit recovery allows links to recover after frames and R_RDYs are lost when the credit recovery logic is enabled. Buffer credit recovery maintains performance; as soon as one credit is lost, it attempts to recover. During link reset, the frame and credit loss counters are reset without performance degradation. This feature is only supported on long distance E_Ports connected between GoldenEye2 and Condor2-based ports.
Configuring an extended ISL Before configuring an extended ISL, ensure that the following conditions are met: • Be sure that the ports on both ends of the ISL are operating at the same port speed, and can be configured at the same distance level without compromising local switch performance. NOTE: A long-distance link also can be configured to be part of a trunk group.
vc_translation_link_in Enables the long-distance link initialization sequence. This extended link initialization sequence is an enhanced link reset protocol, and avoids excessive resetting of ports. By default this option is set to 1 (enabled). It must be set to 1 (enabled) when configuring a trunk over Extended Fabrics.
Administering ISL Trunking This chapter contains procedures for using the ISL Trunking licensed feature, which optimizes the use of bandwidth by allowing a group of interswitch links to merge into a single logical link. About ISL Trunking ISL Trunking reduces or eliminates situations that require static traffic routes and individual ISL management to achieve optimal performance.
• 8 Gbps trunk links where supported. The maximum number of ports per trunk and trunks per switch depends on the HP model. NOTE: Director blade model FC10-6 does not support trunking. Standard trunking criteria Observe the following criteria for standard distance trunking: •...
• The addition of a path that is longer than existing paths may not be useful because the traffic will choose the shorter paths first. • Plan for future bandwidth addition to accommodate increased traffic. For trunking groups over which traffic is likely to increase as business requirements grow, consider leaving one or two ports in the group available for future nondisruptive addition of bandwidth.
Where 4 is a slave port of the F_Port Trunk. If you attempt to install a monitor on a slave port of an F_Port trunk and the same monitor is already installed on the corresponding master, the following message is displayed: switch:admin>...
Enabling and disabling ISL Trunking You can enable or disable ISL Trunking for a single port or for an entire switch. When you execute the commands portCfgTrunkPort or switchCfgTrunk to update the trunking configuration, the ports for which the configuration applies are disabled and re-enabled with the new trunk configuration. As a result, traffic through those ports could be disrupted.
Setting port speeds For long-distance ports, if a port is set to autonegotiate port speed, the maximum speed (which is 8 Gbps) is assumed for reserving buffers for the port. If the port is only running at 2 Gbps this wastes buffers. For long-distance ports, it is best to set the port speed (this applies to the 4/32 SAN Switch, 4/32B SAN Switch and the 4/256 SAN Director only).
portcfgspeed [slotnumber/]portnumber, speed_level slotnumber For bladed systems only, specify the slot number of the port to be configured, followed by a slash (/). This operand is only required for Directors. portnumber Specifies the port number relative to its slot for bladed systems. speedlevel Specifies the speed of the link: •...
The following example sets the speed for all ports on the switch to eight Gbps: switch:admin> switchcfgspeed 8 Committing configuration...done. The following example sets the speed for all ports on the switch to autonegotiate: switch:admin> switchcfgspeed 0 Committing configuration...done. Displaying trunking information The trunkShow command offers an efficient means of listing out all the trunks and members of a trunk.
Trunking over Extended Fabrics In addition to the criteria listed in ”Standard trunking criteria” on page 358, observe the following criteria for trunking over Extended Fabrics: • ISL Trunking over Extended Fabrics is supported on switches running Fabric OS 4.4.0 and later. •...
F_Port trunking prevents reassignments of the Port ID when F_Ports go offline and it increases F_Port bandwidth. This feature supports the HP StorageWorks SAN Switch 4/32, 4/32B, 4/64 SAN Switch, 8/8 SAN Switch, 8/24 SAN Switch, 8/40 SAN Switch, 8/80 SAN Switch, 4/256 SAN Director and the DC Director enterprise-class platforms running Fabric OS 6.1.x.
F_Port trunking considerations Table 82 F_Port masterless trunking considerations Category Description Area assignment You statically assign the area within the trunk group on the edge switch. That group is the F_Port masterless trunk. The static trunk area you assign must fall within the ASIC's trunk group of the switch or blade starting from port 0.
portCfgTrunkPort <port>, 0 The portCfgTrunkPort <port>, 0 command will fail if a Trunk Area is enabled on a port. The port Trunk Area must be disabled first. switchCfgTrunk 0 The switchCfgTrunk 0 command will fail if a port has TA enabled.
DCC Policy DCC policy enforcement for the F_Port trunk is based on the Trunk Area; an FDISC request to a trunk port is accepted only if the WWN of the attached device is part of the DCC policy against the TA.
based on the user port number, with contiguous eight ports as one group, such as 0-7, 8-15, 16-23 and up to the number of ports on the switch. Figure 41 Trunk group configuration for the SAN Switch 8/40 Connect to the switch and log in as admin.
switch:admin> porttrunkarea --show enabled Slot Port Type State Master ------------------------------------------- 125 125 125 126 ------------------------------------------- Enable ports 13 and 14: switch:admin> portenable 10/13 switch:admin> portenable 10/14 Show the TA port configuration after enabling the ports: switch:admin> porttrunkarea --show enabled Slot Port Type State...
Disabling F_Port trunking Connect to the switch and log in as admin. Enter the portTrunkArea --disable command switch:admin> porttrunkarea --disable 36-39 ERROR: port 36 has to be disabled Disable each port prior to removing ports from the TA. Then reissue the command: switch:admin>...
20 Configuring and monitoring FCIP extension services This chapter describes the FCIP concepts, configuration procedures, and tools and procedures for monitoring network performance. Commands described in this chapter require Admin or root user access. See the Fabric OS Command Reference for detailed information on command syntax. FCIP services licensing Most of the FCIP extension services described in this chapter require the High Performance Extension over FCIP/FC license.
Platforms that support SAN extension over IP Fabric OS supports SAN extension between 400 Multi-protocol Routers or between FR4-18i blades installed on 4/256 SAN Directors or DC SAN Backbone Directors. The 400 Multi-protocol Router and FR4-18i blade integrate sixteen physical Fibre Channel ports and two physical GbE ports as illustrated in Figure 42 Figure Figure 42...
FCIP concepts Fibre Channel over IP (FCIP) enables you to connect Fibre Channel SANs over IP-based networks. 400 Multi-protocol Router and FR4-18i blades use FCIP to encapsulate Fibre Channel frames within IP frames that can be sent over an IP network to a partner 400 Multi-protocol Router or FR4-18i blade. When the IP packets are received, the Fibre Channel frames are reconstructed.
Compression Data compression can be enabled or disabled on FCIP tunnels. The default setting is to disable compression. Traffic shaping Traffic can be shaped by establishing a rate limit per tunnel. A committed rate can be assigned to a port that guarantees a fixed amount of bandwidth.
Table 86 shows the default mapping of DSCP priorities to L2CoS priorities per tunnel ID. This may be helpful when consulting with the network administrator. These values may be modified per FCIP tunnel. Table 86 Default Mapping of DSCP priorities to L2CoS Priorities Virtual Circuit DSCP priority/bits L2CoS priority/bits...
IPSec uses some terms that you should be familiar with before beginning your configuration. These are standardized terms, but are included here for your convenience. Table 87 IPSec terminology Term Definition Advanced Encryption Standard. FIPS 197 endorses the Rijndael encryption algorithm as the approved AES for use by US Government organizations and others to protect sensitive information.
• IPSec can only be configured on IPv4 based tunnels. Secure tunnels cannot be created on a 400 Multi-protocol Router or FR4-18i blade if any IPv6 addresses are defined on either ge0 or ge1. • Secure Tunnels cannot be defined with VLAN Tagged connections.
Table 88 Using FCIP fastwrite and tape pipelining (continued) FCIP fastwrite Tape pipelining Class 3 traffic is accelerated with fastwrite. Class 3 traffic is accelerated between host and sequential device. With sequential devices (tape drives), there are 1024 initiator-tape (IT) pairs per GbE port, but 2048 initiator-tape-LUN (ITL) pairs per GbE port.
Figure 45 Multiple tunnels to multiple ports, fastwrite and tape pipelining enabled on a per-tunnel/per-port basis Unsupported configurations The following configurations are not supported with fastwrite and tape pipelining. These configurations use multiple equal-cost paths.
Figure 46 Unsupported configurations with fastwrite and tape pipelining (VE-VE or VEX-VEX)
FICON emulation concepts FICON emulation supports FICON traffic over IP WANs using FCIP as the underlying protocol. FICON emulation can be extended to support performance enhancements for specific applications.
XRC emulation The eXtended Remote Copy (XRC) application is a DASD application that implements disk mirroring, as supported by the disk hardware architecture and a host software component called System Data Mover (SDM). The primary volume and the secondary mirrored volume may be geographically distant across an IP WAN.
FCIP services configuration guidelines There are multiple configuration requirements and options associated with FCIP services. The following general guidelines may be helpful. The steps are presented in an order that minimizes the number of times ports need to be disabled and enabled. In practice, the steps do not have to be taken in this order. Determine if you are implementing IPSec.
Table 89 Command checklist for configuring FCIP links (continued)
Step 3. If a VEX port is to be implemented, configure the appropriate virtual port as a VEX_Port. Command: portcfgvexport
Step 4. Configure the IP interface for both ports of a tunnel. Command: portcfg ipif
5....
IPSec policies are managed using the policy command. You can configure up to 32 IKE and 32 IPSec policies. Policies cannot be modified; they must be deleted and recreated in order to change the parameters. You can delete and recreate any policy as long as the policy is not being used by an active FCIP tunnel.
Managing policies Use the policy command to create, delete, and show IKE and IPSec policies. To create a new policy: Log in to the switch as admin. At the command prompt, type: policy --create type number [-enc encryption_method][-auth authentication_algorithm] [-pfs off|on] [-dh DH_group] [-seclife secs] where: type and number The type of policy being created (IKE or IPSec) and the number for...
The example below shows all of the IKE policies defined; in this example, there are two IKE policies. switch:admin06> policy --show ike all IKE Policy 1 ----------------------------------------- Authentication Algorithm: MD5 Encryption: 3DES Perfect Forward Secrecy: off Diffie-Hellman Group: 1 SA Life (seconds): 0 IKE Policy 32 ----------------------------------------- Authentication Algorithm: SHA-1...
SACK on Min Retransmit Time 100 Keepalive Timeout 80 Max Retransmissions 9 Status : Active Uptime 1 day, 23 hours, 24 minutes, 46 seconds IKE Policy 7 ----------------------------------------- Authentication Algorithm: MD5 Encryption: 3DES Perfect Forward Secrecy: off Diffie-Hellman Group: 1 SA Life (seconds): 200000 IPSec Policy 7 -----------------------------------------...
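The policy listings above can be checked mechanically once the CLI output has been saved to a file. The following Python audit is an added example, not part of the HP guide or of Fabric OS: it parses IKE and IPSec policy blocks in the layout shown above and reports parameters that fall below a reviewer-chosen baseline. The sample text, the second policy's values (AES-128, group 14) and the baseline sets are assumptions made for the example.

```python
import re

# Constructed sample in the layout of the `policy --show ike all` output above.
# Policy 1 repeats the values printed in the guide; policy 2 is constructed,
# and the way Fabric OS prints AES or group 14 is an assumption.
SAMPLE_OUTPUT = """\
IKE Policy 1
-----------------------------------------
Authentication Algorithm: MD5
Encryption: 3DES
Perfect Forward Secrecy: off
Diffie-Hellman Group: 1
SA Life (seconds): 0

IKE Policy 2
-----------------------------------------
Authentication Algorithm: SHA-1
Encryption: AES-128
Perfect Forward Secrecy: on
Diffie-Hellman Group: 14
SA Life (seconds): 28800
"""

# Reviewer baseline (an assumption of this example, not HP guidance).
WEAK_AUTH = {"MD5"}        # MD5-based integrity is deprecated for IKE/IPsec
WEAK_ENC = {"3DES"}        # 64-bit block cipher; AES is preferred
WEAK_DH_GROUPS = {1, 2}    # 768-bit and 1024-bit MODP groups

HEADER = re.compile(r"\b(IKE|IPSec) Policy (\d+)\b")
FIELDS = {
    "auth": re.compile(r"Authentication Algorithm:\s*(\S+)"),
    "enc": re.compile(r"Encryption:\s*(\S+)"),
    "pfs": re.compile(r"Perfect Forward Secrecy:\s*(\S+)"),
    "dh_group": re.compile(r"Diffie-Hellman Group:\s*(\d+)"),
    "sa_life": re.compile(r"SA Life \(seconds\):\s*(\d+)"),
}


def parse_policies(text):
    """Split the text at each policy header and pull the labelled fields.

    Matching on the field labels instead of line positions means the parser
    also accepts output that a terminal capture has flattened onto one line.
    A field that is absent is recorded as None.
    """
    headers = list(HEADER.finditer(text))
    policies = []
    for i, head in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[head.end():end]
        policy = {"type": head.group(1), "number": int(head.group(2))}
        for key, pattern in FIELDS.items():
            match = pattern.search(body)
            policy[key] = match.group(1) if match else None
        policies.append(policy)
    return policies


def audit(policies):
    """Return (type, number, field, value) for every setting below baseline.

    A missing field is reported as "not reported" so that truncated output
    is never mistaken for a clean policy.
    """
    checks = (
        ("auth", lambda v: v.upper() in WEAK_AUTH),
        ("enc", lambda v: v.upper() in WEAK_ENC),
        ("pfs", lambda v: v.lower() != "on"),
        ("dh_group", lambda v: int(v) in WEAK_DH_GROUPS),
    )
    findings = []
    for policy in policies:
        for field, is_weak in checks:
            value = policy[field]
            if value is None:
                findings.append((policy["type"], policy["number"], field, "not reported"))
            elif is_weak(value):
                findings.append((policy["type"], policy["number"], field, value))
    return findings


if __name__ == "__main__":
    for kind, number, field, value in audit(parse_policies(SAMPLE_OUTPUT)):
        print(f"{kind} policy {number}: {field} = {value}")
```

Because policies cannot be modified, a flagged policy has to be deleted and recreated, which is only possible while no active FCIP tunnel uses it.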
The following example configures a port as a VEX_Port for slot number 8 in port number 18, enables admin, and specifies fabric ID 2 and preferred Domain ID 220: switch:admin06> portcfgvexport 8/18 -a 1 -f 2 -d 220 Configuring IP interfaces and IP routes The IP network connection between two 400 Multi-protocol Routers or two FR4-18i blades is configured by defining IP interfaces for origin and destination virtual ports, and then defining one or more IP routes to connect them.
The following example verifies that the two routes have been successfully created: switch:admin06> portshow iproute 8/ge0 Slot: 8 Port: ge0 IP Address Mask Gateway Metric Flags -------------------------------------------------------------- ---- 192.168.100.0 255.255.255.0 192.168.100.40 Interface 192.168.100.0 255.255.255.0 192.168.100.41 Interface 192.168.11.0 255.255.255.0 192.168.100.1 192.168.12.0 255.255.255.0 192.168.100.1 If you are implementing VLAN tagging, create a static ARP entry for the IP interfaces on both ends of...
The following example tests the connection between 192.175.5.100 and 192.175.5.200: switch:admin06> portcmd --ping ge0 -s 192.175.5.100 -d 192.175.5.200 Pinging 192.175.5.200 from ip interface 192.175.5.100 on 0/ge0 with 64 bytes of data Reply from 192.175.5.200: bytes=64 rtt=1ms ttl=64 Reply from 192.175.5.200: bytes=64 rtt=0ms ttl=64 Reply from 192.175.5.200: bytes=64 rtt=0ms ttl=64 Reply from 192.175.5.200: bytes=64 rtt=1ms ttl=64 Ping Statistics for 192.175.5.200:...
Enables FCIP fastwrite. Enables VC QoS mapping. Enables tape pipelining. If tape pipelining is enabled, fastwrite must also be enabled. -n remote_wwn The remote-side FC entity WWN. -k timeout The keep-alive timeout in seconds. The range of valid values is 8 through 7,200 sec and the default is 10.
Where: slot The number of a slot in a 4/256 SAN Director or DC Director chassis that contains an FR4-18i blade. This parameter does not apply to the stand-alone 400 Multi-protocol Router. ge0|ge1 The Ethernet port used by the tunnel (ge0 or ge1). The tunnel number (0 - 7).
Configuring FTRACE FTRACE is a support tool primarily for use by Tech Support personnel. FTRACE includes the ability to freeze traces on certain events, and to retain the trace information for future examination. The syntax for the portcfg ftrace command is as follows: portcfg ftrace [slot/]ge0|ge1 tunnel_Id cfg [-a 1|0] [-b value] [-e 1|0] [-i value] [-p value] [-r value] [-s value] [-t value] [-z value] Where:...
The following example shows an active tunnel with FCIP fastwrite and tape pipelining enabled: switch:admin06> portshow fciptunnel ge0 all ------------------------------------------- Tunnel ID 0 Remote IP Addr 10.0.10.224 Local IP Addr 10.0.10.225 Remote WWN Not Configured Local WWN 10:00:00:05:1e:37:91:dd Compression on Fastwrite on Tape Pipelining on Uncommitted bandwidth, minimum of 1000 Kbps (0.001000 Gbps)
To verify that a VE_Port or VEX_Port is online, use the switchShow command to view and verify that the FCIP tunnel is online. switch:admin06> portenable 8/18 switch:admin06> portenable 8/19 switch:admin06> switchshow switchName:switch switchType:42.2 switchState:Online switchMode:Native switchRole:Subordinate switchDomain:4 switchId:fffc04 switchWwn:10:00:00:60:69:80:0d:bc zoning:ON (LSAN001) switchBeacon:OFF blade3 Beacon: blade4 Beacon:...
Enabling persistently disabled ports Before an FCIP tunnel can be used, the associated ports must be persistently enabled. NOTE: VEX_Port Users: If the fabric is already connected, you must leave the ge0 and ge1 ports disabled until after you have configured the VEX_Port; this will prevent unintentional merging of the two fabrics. To enable a persistently disabled port: Enter the portCfgShow command to view ports that are persistently disabled.
Enter the portCfgShow command to verify the port is persistently enabled as shown below:
switch:admin06> portcfgpersistentenable 8/16
switch:admin06> portcfgpersistentenable 8/17
switch:admin06> portcfgpersistentenable 8/18
switch:admin06> portcfgpersistentenable 8/19
switch:admin06> portcfgshow
Ports of Slot 8 9 10 11 12 13 14 15
-----------------+--+--+--+--+----+--+--+--+----+--+--+--+----+--+--+
Speed AN AN AN AN AN AN AN AN...
Modify and delete command options Command options are available that allow you to modify or delete configured elements. NOTE: Using the Modify option disrupts traffic on the specified FCIP tunnel for a brief period of time. Modifying FCIP tunnels Use the portCfg fcipTunnel command to modify FCIP tunnels (you must specify at least one characteristic to modify).
-p control_L2Cos The layer 2 class of service used for control traffic.
-P data_L2Cos The layer 2 class of service used for data traffic.
The following example shows two FCIP tunnels created on slot 8, port ge0; the first with an uncommitted bandwidth (0), and the second with a committed bandwidth of 10000 b/sec:
switch:admin06>...
The modify option changes the FICON emulation configuration options and parameters. The following options turn features on and off. The associated tunnels must be disabled to modify the option settings. If you attempt to modify them on an enabled tunnel, the operation is not allowed, and you are prompted to disable the...
wrtMaxChains value Defines the maximum amount of data that can be contained in a single CCW chain. If this value is exceeded, emulation is suspended.
oxidBase value Defines the base value of an entry pool of 256 OXIDs supplied to emulation generated exchanges.
NOTE: If you do not specify a destination IP address, the destination address defaults to 0.0.0.0, and all frames are tagged with the associated VLAN tag. FCIP and ipPerf create and maintain entries in the VLAN tag table through their own configuration procedures.
WAN performance analysis tools Introduced in Fabric OS 5.2.0, WAN analysis tools are designed to test connections, trace routes, and estimate the end-to-end IP path performance characteristics between a pair of HP FCIP port endpoints. WAN tools include the following commands and options: •...
WAN tool performance characteristics Table 92 lists the end-to-end IP path performance characteristics that you can display using the portCmd ipPerf command and option. All four of the base ipPerf performance characteristics (bandwidth, loss, RTT, PMTU) are provided in the command output in Fabric OS 5.2.0 or later. Table 92 WAN tool performance characteristics Characteristic...
To start an ipPerf session: Configure the receiver test endpoint using the CP CLI. The syntax for invoking the receiver test endpoint using ipPerf for slot 8, port ge0 on an FR4-18i is as follows:
portcmd --ipperf 8/ge0 -s 192.168.255.10 -d 192.168.255.100 -R
Configure the sender test endpoint using a similar CP CLI.
Where:
slot The number of a slot in a 4/256 SAN Director or DC Director chassis that contains an FR4-18i blade. This parameter does not apply to the stand-alone 400 Multi-protocol Router.
ge0|ge1 The Ethernet port used by the tunnel (ge0 or ge1).
The source IP interface that originates the ping request.
-h max_hops The maximum number of IP router hops allowed for the outbound probe packets. If this value is exceeded, the probe is stopped. The default is 30.
-f first_ttl The initial time to live value for the first outbound probe packet. The default value is 1.
FICON fabrics This chapter provides procedures for managing FICON fabrics. Overview of Fabric OS support for FICON IBM Fibre Connection (FICON®) is an industry-standard, high-speed input/output (I/O) interface for mainframe connections to storage devices. Fabric OS supports intermix mode operations, in which FICON and Fibre Channel technology work together.
Supported switches FICON protocol is supported on the HP StorageWorks 4/256 SAN Director and DC SAN Backbone Director (short name, DC Director). The following port blades can exist in a FICON environment; however, FICON device connection to ports on these blades is not supported: •...
• The FC4-48 and FC8-48 port blades must not be inserted in slot 10 of the chassis in a FICON configuration. (Other blades are supported in slot 10, but the FC8-48 and FC4-48 blades are not.) Port 255 is reserved for CUP. FICON commands Table 93 summarizes the Fabric OS CLI commands that can be used for managing FICON fabrics.
User security considerations To administer FICON, you must have one of the following roles: • Admin • Operator • SwitchAdmin • FabricAdmin The User and BasicSwitchAdmin roles are view-only. The ZoneAdmin and SecurityAdmin roles have no access. In an Admin Domain-aware fabric, if you use the FICON commands (ficonshow, ficonclear, ficoncupshow, and ficoncupset) for any Admin Domain other than AD0 and AD255, the current switch must be a member of that Admin Domain.
Preparing a switch To verify and prepare a switch for use in a FICON environment, complete the following steps: Connect to the switch and log in as admin. Enter the switchShow command to verify that the switch and devices are online. Change the routing policy on the switch from the default exchange-based policy to the required port-based policy for those switches with FICON devices directly attached using the aptPolicy command when working from the command line.
Figure 48 and Figure 49 show two viable cascaded configurations. These configurations require Channel A to be configured for two-byte addressing and require IDID and fabric binding. It is recommended that there are only 2 domains in a path from a FICON Channel interface to a FICON Control Unit interface.
Swapping ports If a port malfunctions, or if you want to connect to different devices without having to re-wire your infrastructure, you can move a port’s traffic to another port (swap ports) without changing the I/O Configuration Data Set (IOCDS) on the mainframe computer. To swap ports: Connect to the switch and log in as admin.
Setup summary To set up FICON CUP, use the following procedure and be sure to perform the steps in the order indicated. For directors with at least 256 ports installed, use the PortDisable command to disable (block) ports 254 and 255. Ports 254 and 255 are not supported in a CUP environment.
• Advanced Zoning, if used, continues to be in force. If there are any differences in restrictions set up with Advanced Zoning and PDCM, the most restrictive rules are automatically applied. • RSCNs are sent to devices if PDCM results in changes to connectivity between a set of ports. Changing fmsmode from enabled to disabled triggers the following events: •...
Displaying mode register bit settings The mode register bits are described in Table 94.
Table 94 FICON CUP mode register bits
POSC Programmed offline state control. When this bit is set on, the host is prevented from taking the switch offline. The default setting is 1 (on).
User alert mode.
Setting mode register bits Use the ficoncupset modereg command to set the FICON CUP mode register bits for the local switch. Consider the following when changing mode register bits: • As required by the CUP protocol, the UAM bit cannot be changed using this command. •...
Port and switch naming standards Fabric OS handles differences in port and switch naming rules between CUP and itself as follows: • CUP employs 8-bit characters in port address names and switch names; Fabric OS employs 7-bit characters. When fmsmode is enabled, all characters greater than 0x40 and not equal to 0xFF (EBCDIC code page 37 [0x25]) are allowed in the name;...
Troubleshooting The following sources provide useful problem-solving information: • The standard support commands (portLogDump, supportSave, supportShow) or the Fabric Manager Event Log. By default, the FICON group in the supportShow output is disabled. To enable the capture of FICON data in the supportShow output, enter the supportshowcfgenable ficon command. After you get confirmation that the configuration has been updated, the following will be collected and appear in the output for the supportShow command: •...
Backing up and restoring FICON configuration files The FICON file access facility is used to store configuration files. This includes IPL and other configuration files. The Fabric OS saves the IPL and all other configuration files on the switch. A maximum of 16 configuration files, including the IPL file, are supported.
Sample IOCP configuration file The channel subsystem controls communication between a configured channel, the control unit, and the device. The I/O Configuration Dataset (IOCDS) defines the channels, control units, and devices to the designated logical partitions (LPARs) within the server; this is defined using the Input/Output Configuration Program (IOCP).
22 Configuring and monitoring FICON Extension Services This chapter describes the FICON extension concepts, configuration procedures, and tools and procedures for monitoring network performance. Commands described in this chapter require Admin or root user access. See the Fabric OS Command Reference for detailed information on command syntax. FICON extension products licensing Several specific licensed features are available for FICON extension.
Platforms that support FICON extension over IP Fabric OS supports SAN extension between 400 MP Router, or between FR4-18i blades. The 400 MP Router and the FR4-18i blade both have 16 physical Fibre Channel ports and 2 physical GbE ports as illustrated in Figure 50 Figure...
FCIP Configuration requirements for FICON extension FICON extension uses FCIP for transport. FCIP interfaces and tunnels used for FICON extension must be defined prior to configuring FICON emulation. Ports should remain persistently disabled until after FICON emulation is configured. Refer to ”Configuring and monitoring FCIP extension services”...
to block (prohibit) specific F_Port to E_Port connections. You can create a determinate data path by blocking all F_Port to E_Port connections except the one you want to use for FICON traffic. Figure 52 shows a portion of the allow/prohibit matrix. The F_Port addresses are in the vertical column to the left, and the E_Port addresses are in a horizontal row at the top.
responses to remote hosts, eliminating distance related delays. A FICON XRC Emulation License is required to enable XRC Emulation. Tape Write Pipelining FICON tape write pipelining improves performance for a variety of applications when writing to tape over extended distances. FICON tape write pipelining locally acknowledges write data records, enabling the host to generate more records while previous records are in transit across the IP WAN.
wrtMaxPipe value Defines a maximum number of channel commands that may be outstanding at a given time during write pipelining. Too small of a value will result in poor performance. The value should be chosen carefully based upon the typical tape channel program that requires optimum performance.
Displaying FICON emulation configuration values You can display the values configured for FICON emulation by using the portShow ficon command. The following example shows FICON emulation configuration values for port ge1.
Sprint108:root> portshow ficon ge1 all
Port: ge1
VE_STATUS
TunnelId vePort vePortStatus veFeatureBitMap veHashEntryCount
DOWN DOWN DOWN...
-t 1|0 Enables or disables TIN/TUR emulation. 1 is enable, 0 is disable. This option should be enabled when one or all of the following features are enabled: • XRC emulation. • tape write pipelining. • tape read pipelining. -l 1|0 Enables or disables device level ACK emulation.
FICON performance statistics You can use the portshow ficon command to view the performance statistics and monitor the behavior of FICON emulation. The syntax is as follows.
portShow ficon [Slot/]ge0|ge1 all|tunnel_id [arguments]
Where:
slot The slot number of a blade in a multi-slot chassis. Does not apply to the MP 400 Router.
Monitoring FICON emulation The -emul argument can be used to monitor FICON Emulation. The following is an example.
Sprint108:root> portshow ficon ge1 0 -emul
XRC and Tape statistics are presented in different output formats. The following elements are common to both tape emulation and XRC emulation outputs: FDCB ptr A pointer to the FICON Device Control Block.
Configuring the PID format Port identifiers (called PIDs) are used by the routing and zoning services in Fibre Channel fabrics to identify ports in the network. All devices in a fabric must use the same PID format, so when you add new equipment to the SAN, you might need to change the PID format on legacy equipment.
Impact of changing the fabric PID format If your fabric contains switches that use Native PID, it is recommended that you change the format to Core PID before you add the new, higher port count switches and directors. Also, it is recommended that you use Core PID when upgrading the Fabric OS version on 1Gb and 2Gb series switches.
Changes to configuration data Table 96 lists various combinations of before-and-after PID formats, and indicates whether the configuration is affected. NOTE: After changing the fabric PID format, if the change invalidates the configuration data (see Table 96 to determine this), do not download old (pre-PID format change) configuration files to any switch on the fabric.
Table 97 shows various combinations of existing fabrics, new switches added to those fabrics, and the recommended PID format for that combination. The criteria for the recommendations are first to eliminate host reboots, and second to minimize the need for a host reboot in the future. Table 97 PID format recommendations for adding new switches Existing Fabric OS versions;...
Collect device, software, hardware, and configuration data. The following is a non-comprehensive list of information to collect: • HBA driver versions • Fabric OS versions • RAID array microcode versions • SCSI bridge code versions • JBOD drive firmware versions •...
If either of the first two options are used, the procedures should again be validated in the test environment. Determine the behavior of multipathing software, including but not limited to: • HBA time-out values • Multipathing software time-out values • Kernel time-out values Planning the update procedure Whether it is best to perform an offline or online update depends on the uptime requirements of the site.
Offline update The following steps are intended to provide SAN administrators a starting point for creating site-specific procedures. Schedule an outage for all devices attached to the fabric. Back up all data and verify backups. Shut down all hosts and storage devices attached to the fabric. Disable all switches in the fabric.
Before changing the PID format, determine if host reboots will be necessary. The section ”Host reboots” on page 446 summarizes the situations that may require a reboot.
switch:admin> switchdisable
switch:admin> configure
Configure...
Fabric parameters (yes, y, no, n): [no] y
Domain: (1..239) [1]
BB credit: (1..27) [16]
R_A_TOV: (4000..120000) [10000]...
Performing PID format changes There are several routine maintenance procedures which might result in a device receiving a new PID. Examples include, but are not limited to: • Changing compatibility mode settings • Changing switch Domain IDs • Merging fabrics •...
Suppress Class F Traffic: (0..1) [0]
SYNC IO mode: (0..1) [0]
Core Switch PID Format: (0..2) [0] 1
Per-frame Route Priority: (0..1) [0]
Long Distance Fabric: (0..1) [0]
BB credit: (1..27) [16]
After all switches are updated to use the new PID format and re-enabled, verify the fabric has fully reconverged.
vgexport -a y /dev/jbod
If you are not using multipathing software, mount all devices again and restart I/O. For example:
mount /mnt/jbod
If you are using multipathing software, reenable the affected path. The preceding steps do not “clean up” the results from ioscan. When viewing the output of ioscan, notice that the original entry is still there, but now has a status of NO_HW.
If you are not using multipathing software, vary the volume groups offline. The command usage is varyoffvg <volume_group_name>. For example: varyoffvg datavg If you are not using multipathing software, unmount the volumes from their mount points using umount. The command usage is umount <mount_point>. For example: umount /mnt/jbod If you are using multipathing software, use that software to remove one fabric’s devices from its configuration.
portdisable slot/port1
portdisable slot/port2
HP StorageWorks 4/8, 4/16, 4/32, 8/8 SAN Switch, 8/24 SAN Switch, 8/40 SAN Switch, 8/80 SAN Switch, and 400 Multi-protocol Router switches: Enter the following command:
portswap port1 port2
4/256 SAN Director and DC SAN Backbone Director (short name, DC Director): Enter the following command:
portswap slot1/port1 slot2/port2
Verify that the port area IDs have been swapped:...
Understanding legacy password behaviour This appendix provides password information for early versions of Fabric OS firmware. Password management information Table 98 describes the password standards and behaviors between various versions of firmware. Table 98 Account/password characteristics matrix Topic 4.0.0 4.1.0 to 4.2.0 4.4.0 and later Number of default accounts 4, chassis-based...
Table 98 Account/password characteristics matrix (continued) Topic 4.0.0 4.1.0 to 4.2.0 4.4.0 and later Can passwd change Yes, but will ask for Yes; if users connect as 4.4.0 to 5.1.0 only: higher-level passwords? For the “old password” admin, they can change Yes, if users connect as example, can admin change of the higher-level...
Password migration during firmware changes Table 100 describes the expected outcome of password settings when upgrading or downgrading firmware for various Fabric OS versions. Table 100 Password migration behavior during firmware upgrade/downgrade Topic 4.4.0 to 5.0.1 5.0.1 and later Passwords used when upgrading to a Default accounts and passwords Default accounts and passwords newer firmware release for the first time.
Interoperating with an M-EOS fabric For information on HP supported interop configurations, refer to the HP StorageWorks Fabric interoperability: merging fabrics based on C-Series and B-Series Fibre Channel switches on the following HP website: http://h18000.www1.hp.com/products/storageworks/san/documentation.html
Migrating from an MP Router to a 400 MP Router This section describes how to upgrade routers in your fabric with the least disruption, while providing better performance and scalability. Improper implementation could lead to a change in the xlate Domain IDs and proxy device PIDs, which may cause disruption in the fabric.
Figure 55 Configuration during the upgrade The switch Domain ID and BB fabric ID of the new FC router can be identical. Once the metaSAN is stable and EX_Ports on the new router are ‘active’, the old router can be taken out of the setup. Redundant configuration The configuration shown in Figure 56...
Figure 57 Dual backbone fabric configuration Devices directly connected to router In the Multi-protocol Router, end devices are allowed to be directly connected, but these devices cannot be imported to other edge fabrics (using LSAN zones). During the upgrade process, these devices will face disruption unless there is redundancy support provided from the device end.
Using Remote Switch This appendix provides information on the Remote Switch feature. About Remote Switch The Remote Switch feature, which aids in ensuring gateway compatibility, was formerly a licensed feature. Its functionality is now available as part of the Fabric OS standard feature set through the use of the portCfgIslMode command, which is described in ”Linking through a gateway”...
You must connect the fabrics through the gateway device, and make sure that the configure parameters are compatible with the gateway device. You may be required to reconfigure the following parameters, depending on the gateway requirements: NOTE: Consult your gateway vendor for supported and qualified configurations. •...
This example shows how to modify the data field size and suppress class F traffic on a switch:
switch:admin> switchdisable
switch:admin> configure
Configure...
Fabric parameters (yes, y, no, n): [no] yes
Domain: (1..239) [3]
R_A_TOV: (4000..120000) [10000]
E_D_TOV: (1000..5000) [2000]
Data field size: (256..2112) [2112] 1000
Sequence Level Switching: (0..1) [0]
Disable Device Probing: (0..1) [0]...
Zone merging scenarios Table 103 provides information on merging zones and the expected results. Table 103 Zone merging scenarios Description Switch A Switch B Expected results Switch A has a defined defined: defined: none Configuration from Switch A to configuration. cfg1: effective: none propagate throughout the fabric...
Table 103 Zone merging scenarios (continued) Description Switch A Switch B Expected results Switch A and Switch B have defined: cfg2 defined: cfg1 Clean merge. The new different defined configurations. zone2: ali3; ali4 zone1: ali1; ali2 configuration will be a Switch B has an enabled effective: none effective: cfg1...
Table 103 Zone merging scenarios (continued) Description Switch A Switch B Expected results Different default zone access defzone: noaccess defzone: allaccess Clean merge — noaccess takes mode settings. precedence and defzone configuration from Switch A propagates to fabric. defzone: noaccess Same default zone access mode defzone: allaccess defzone: allaccess...