HP AE370A - Brocade 4Gb SAN Switch 4/12 Administrator's Manual

HP StorageWorks Fabric OS 5.2.x administrator guide (5697-0014, May 2009)

HP StorageWorks
Fabric OS 5.2.x administrator guide
Part number: 5697-0014
Fifth edition: May 2009


Summary of Contents for HP AE370A - Brocade 4Gb SAN Switch 4/12

  • Page 1 HP StorageWorks Fabric OS 5.2.x administrator guide Part number: 5697-0014 Fifth edition: May 2009...
  • Page 2 © Copyright 2007 Brocade Communications Systems, Incorporated. Hewlett-Packard Company makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
  • Page 3: Table Of Contents

    Contents: About this Guide (page 15); Supported HP StorageWorks hardware.
  • Page 4 How Dynamic Ports on Demand works (page 40); Displaying the Port license assignment.
  • Page 5 Distributing the local user database (page 63); How to distribute the local user database.
  • Page 6 Browser and Java support (page 87); Summary of SSL procedures.
  • Page 7 7 Managing administrative domains (page 127); About administrative domains.
  • Page 8 Troubleshooting firmware download (page 165); Downgrading firmware from Fabric OS 5.2.x.
  • Page 9 Configuring backbone fabrics for Interconnectivity (page 219); Optional configuration procedures.
  • Page 10 Adding and removing FICON CUP licenses (page 253); Zoning and PDCM considerations.
  • Page 11 To check for a loop initialization failure (page 297); To check for a point-to-point initialization failure.
  • Page 12 Listing link characteristics (page 341); Recognizing buffer underallocation.
  • Page 13 Configure FCIP tunnels (page 375); Verify the FCIP tunnel configuration.
  • Page 14 Fabric showing switch and device WWNs (page 130); Filtered fabric views showing converted switch WWNs.
  • Page 15: About This Guide

    About this Guide This guide provides procedures to help you maintain Fabric OS 5.2.x running in your Storage Area Network (SAN). NOTE: At the time of printing, IBM Fibre Connections (FICON®) is not supported on HP B-Series Fibre Channel switches.
  • Page 16: Intended Audience

    Intended audience This guide is intended for: • System administrators responsible for setting up HP StorageWorks Fibre Channel SAN switches • Technicians responsible for maintaining the Fabric Operating System (OS) Related documentation Documentation, including white papers and best practices documents, is available on the HP web site: http://www.hp.com/support/manuals Scroll to the storage section of the web page.
  • Page 17: Hp Technical Support

    CAUTION: Indicates that failure to follow directions could result in damage to equipment or data. IMPORTANT: Provides clarifying information or specific instructions. NOTE: Provides additional information. TIP: Provides helpful hints and shortcuts. HP technical support Telephone numbers for worldwide technical support are listed on the HP support web site: http://www.hp.com/support/.
  • Page 19: Introducing Fabric Os Cli Procedures

    Introducing Fabric OS CLI procedures This chapter summarizes procedures for configuring and managing an HP StorageWorks SAN using the Fabric OS Command Line Interface (CLI). The guide applies to the following product models: • HP StorageWorks switches: 4/16 SAN Switch and 4/8 SAN Switch, SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, SAN Switch 4/32, 4/64 SAN Switch, and 400 MP Router These models contain a fixed number of ports (they are fixed-port switches).
  • Page 20: About The Cli

    There are several methods that you can use to configure a switch. These are listed with their respective documents: • Command Line Interface (CLI) • A telnet session into logical switches • A telnet session into active and standby CPs for Director class switches •...
  • Page 21: Help Information

    Help information Each Fabric OS command provides Help information that explains the command function, its possible operands, its level in the command hierarchy, and additional pertinent information. Displaying command Help Connect to the switch and log in as admin. To display a list of all command help topics for a given login level, enter the help command with no user arguments.
  • Page 22 Table 3 Help file commands (continued): trackChangesHelp: Track Changes help information; zoneHelp: Zoning help information.
  • Page 23: Performing Basic Configuration Tasks

    Performing basic configuration tasks This chapter contains procedures for performing basic switch configuration tasks using the Fabric OS Command Line Interface (CLI). Ideally, you should perform the initial configuration of a switch prior to introducing the switch into the fabric, or during a scheduled maintenance window to minimize fabric disruption. Connecting to the CLI Connect to the CLI either through a telnet or SSH connection or through a console session on the serial port.
  • Page 24: Using A Console Session On The Serial Port

    Enter the password. The default password is: password If you have not changed the system passwords from the default, you are prompted to change them. Enter the new system passwords, or press Ctrl-c to skip the password prompts. See “How to change default passwords at login”...
  • Page 25: Changing Default Passwords Summary

    Every logical switch (domain) has a set of default accounts. The root and factory default accounts are reserved for development and manufacturing. The user account is primarily used for system monitoring. For more information on default accounts, see “About the default accounts”...
  • Page 26: How To Change Default Passwords At Login

    How to change default passwords at login Connect to the switch and log in as admin. The default password for all default accounts is: password At each of the “Enter new password” prompts, either enter a new password or skip the prompt. Press Enter to skip a prompt.
  • Page 27: How To Display Network Interface Settings

    How to display network interface settings If an IP address has not been assigned to the network interface (Ethernet), you must connect to the Fabric OS CLI using a console session on the serial port; see “How to connect via the serial port”...
  • Page 28: Configuring Dhcp

    Configuring DHCP By default, some HP switches have DHCP enabled. SAN Director 2/128 and 4/256 SAN Director models do not support DHCP. The Fabric OS DHCP client supports the following parameters: • External Ethernet port IP addresses and subnet masks •...
  • Page 29: Setting The Date And Time

    Enter the network information in dotted quad format for Ethernet IP address, Ethernet Subnetmask, and Gateway Address at the prompts. If a static Ethernet address is not available when you disable DHCP, enter 0.0.0.0 at the Ethernet IP address prompt. Skip Fibre Channel prompts by pressing enter. Disable DHCP by entering Off.
  • Page 30: How To Set The Time Zone

    You can set the time zone for a switch using the tsTimeZone command. The tsTimeZone command allows you to: • Display all of the time zones supported in the firmware • Set the time zone based on a Country and City combination or based on a time zone ID such as PST See the tsTimeZone command in the Fabric OS Command Reference Manual for more detailed information about the command parameters.
  • Page 31: How To Set The Time Zone Interactively

    How to set the time zone interactively Type the tsTimeZone command as follows: switch:admin> tstimezone --interactive Select a general location: Please identify a location so that time zone rules can be set correctly. Please select a continent or ocean. Africa Americas Antarctica Arctic Ocean...
  • Page 32: Synchronizing Local Time

    You are finally prompted to specify the time zone region. Please select one of the following time zone regions. 1) Eastern Time 2) Eastern Time - Michigan - most locations 3) Eastern Time - Kentucky - Louisville area 4) Eastern Time - Kentucky - Wayne County 5) Eastern Time - Indiana - most locations 6) Eastern Time - Indiana - Crawford County 7) Eastern Time - Indiana - Starke County...
  • Page 33: Maintaining Licensed Software Features

    Maintaining licensed software features If you purchased an HP StorageWorks Power Pack switch model, optional software licenses are included with the licensed Power Pack supplied with switch software. If you did not purchase an HP StorageWorks Power Pack switch model, you can purchase licenses separately from HP.
  • Page 34: How To Generate Or Activate A License Key

    How to generate or activate a license key If you already have a license key, go to step 6 to activate. If you do not have a license key, launch an Internet browser and go to: http://webkey.external.hp.com/welcome.asp. The HP StorageWorks Software License Key instruction page opens: Figure 1 HP StorageWorks license key screen Enter the requested information in the required fields.
  • Page 35: How To Remove A Licensed Feature

    The licensed features currently installed on the switch are listed. If the feature is not listed, reissue the licenseAdd command. d. Some features may require additional configuration, or you might need to disable and re-enable the switch to make them operational; refer to the feature documentation for details. switch:admin>...
  • Page 36: Customizing A Switch Name

    Customizing a switch name Switches can be identified by IP address, Domain ID, World Wide Name (WWN), or by customized switch names that are unique and meaningful. For Fabric OS 4.x (and later) switch names can be from 1 to 15 characters long, must begin with a letter, and can contain letters, numbers, or the underscore character.
  • Page 37: Customizing The Chassis Name

    Customizing the chassis name Beginning with Fabric OS 4.4.x, it is recommended that you customize the chassis name for each switch. Some system logs identify switches by chassis names, so if you assign meaningful chassis names in addition to meaningful switch names, logs will be more useful. How to change the chassis name Connect to the switch and log in as admin.
  • Page 38: How To Display Domain Ids

    How to display domain IDs Connect to a switch and log in as admin. Enter the fabricShow command. Fabric information is displayed, including the domain ID (D_ID): switch:admin> fabricshow Switch ID Worldwide Name Enet IP Addr FC IP Addr Name ------------------------------------------------------------------------- 1: fffc01 10:00:00:60:69:e4:00:3c 10.32.220.80...
  • Page 39: Ports On Demand License Summary For Applicable Switches

    Ports on Demand license summary for applicable switches HP StorageWorks SAN Switch models integrate the following port licenses: • 4/8 Base SAN Switch — Ships standard with eight ports, no E_Port and an HP Full-Fabric Upgrade License. The sixteen available ports (eight active) are expandable to twelve or sixteen ports by purchasing the HP StorageWorks 4-Port Upgrade License.
  • Page 40: Configuring Dynamic Ports On Demand

    For instructions, see “Maintaining licensed software features” on page 33. Use the portenable command to enable the ports. Optionally, use the portShow command to verify the newly activated ports. If you remove a Ports on Demand license, the licensed ports will become disabled after the next platform reboot or the next port deactivation.
  • Page 41: Activating Dynamic Ports On Demand

    The example above shows output from a switch that has manually assigned POD licenses. Activating Dynamic Ports on Demand If the switch is in the Static POD mode, then activating the Dynamic POD will erase any prior port license assignments the next time the switch is rebooted. The static POD assignments become the initial Dynamic POD assignments.
  • Page 42: Managing Licenses

    switch:admin> licenseport --method static The POD method has been changed to static. Please reboot the switch now for this change to take effect. Enter the reboot command to restart the switch. switch:admin> reboot Enter the licensePort --show command to verify that the switch started the Static POD feature. switch:admin>...
  • Page 43: Releasing A Port

    If port reservations are available, then enter the licensePort --reserve command to reserve a license for the port. switch:admin> licenseport --reserve 0 If all port reservations are assigned, then select a port to release its POD license. You must disable the port first by entering portdisable <port num>.
  • Page 44: Disabling And Enabling A Switch

    Enter the licensePort --show command to verify that the port is no longer assigned to a POD set. switch:admin> licenseport --show 24 ports are available in this switch Full POD license is installed Dynamic POD method is in use 24 port assignments are provisioned for use in this switch: 12 port assignments are provisioned by the base switch license 12 port assignments are provisioned by a full POD license 10 ports are assigned to installed licenses:...
  • Page 45: How To Enable A Port

    HP StorageWorks SAN Director 2/128 and 4/256 SAN Director: Enter the following command: switch:admin> portdisable slotnumber/portnumber where slotnumber and portnumber are the slot and port numbers of the port you want to disable. How to enable a port Connect to the switch and log in as admin. HP StorageWorks 4/16 SAN Switch and 4/8 SAN Switch, SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, SAN Switch 4/32, 4/64 SAN Switch, and 400 MP Router: Enter the following command:...
  • Page 46: Linking Through A Gateway

    ISL mode L0 is available on all Fabric OS releases. When you upgrade from Fabric OS 4.0.0 to Fabric OS 4.1.0 or later, all extended ISL ports are set automatically to L0 mode. For information on extended ISL modes, which enable longer distance interswitch links, refer to “Administering Extended Fabrics”...
  • Page 47: Checking Status

    Refer to the Fabric OS Command Reference Manual for more information about the portCfgIslMode command. Checking status You can check the status of switch operation, high availability features, and fabric connectivity. How to verify switch operation Connect to the switch and log in as admin. Enter the switchShow command at the command line.
  • Page 48: Tracking And Controlling Switch Changes

    Enter the nsAllShow command at the command line. This command displays 24-bit Fibre Channel addresses of all devices in the fabric. switch:admin> nsallshow 010e00 012fe8 012fef 030500 030b04 030b08 030b17 030b18 030b1e 030b1f 040000 050000 050200 050700 050800 050de8 050def 051700 061c00 071a00 073c00 090d00 0a0200 0a07ca 0a07cb 0a07cc 0a07cd 0a07ce 0a07d1 0a07d2 0a07d3 0a07d4 0a07d5 0a07d6 0a07d9 0a07da 0a07dc 0a07e0 0a07e1 0a0f01 0a0f02 0a0f0f 0a0f10 0a0f1b 0a0f1d 0b2700 0b2e00 0b2fe8...
  • Page 49: How To Display The Status Of The Track Changes Feature

    How to display the status of the track changes feature Connect to the switch and log in as admin. Enter the trackChangesShow command. The status of the track changes feature is displayed as either on or off. The display includes whether the track changes feature is configured to send SNMP traps: switch:admin>...
  • Page 50: How To Set The Switch Status Policy Threshold Values

    parameter is set to 3, the status of the switch will change if 3 ports fail. Only one policy parameter needs to pass the MARGINAL or DOWN threshold to change the overall status of the switch. For more information about setting policy parameters, refer to the Fabric Watch Administrator’s Guide. How to set the switch status policy threshold values Connect to the switch and log in as admin.
  • Page 51: Configuring The Audit Log

    Configuring the audit log When managing SANs, you may wish to filter, or audit, certain classes of events to ensure that you can view and generate a paper trail, or “audit log,” for what is happening on a switch, particularly for security-related event changes.
  • Page 52: How To Verify Host Syslog Prior To Configuring The Audit Log

    Table 6 identifies auditable event classes and auditCfg operands used to enable auditing of a specific class. Table 6 AuditCfg Event Class Operands Operand Event class Description Zone Audit zone event configuration changes, but not the actual values that were changed. For example, a message might state, “Zone configuration has changed,”...
  • Page 53: How To Configure An Audit Log For Specific Event Classes

    How to configure an audit log for specific event classes Connect to the switch from which you wish to generate an audit log and log in as admin. Enter the auditCfg --class command, which defines the specific event classes to be filtered. switch:admin>...
  • Page 54: To Power Off A Switch Gracefully (5.1.0 And Later)

    To power off a switch gracefully (5.1.0 and later) Connect to the switch and log in as admin. Enter the sysShutdown command. At the prompt, type y. switch:admin> sysshutdown This command will shutdown the operating systems on your switch. You are required to power-cycle the switch in order to restore operation. Are you sure you want to shutdown the switch [y/n]?y Wait until the following message displays: Broadcast message from root (ttyS0) Wed Jan 25 16:12:09 2006...
  • Page 55: Managing User Accounts

    Managing user accounts This chapter provides information and procedures on managing authentication and user accounts. Overview Fabric OS provides two options for authenticating users—remote RADIUS services and/or the local switch user database. Both options allow users to be centrally managed using the following methods: •...
  • Page 56: Role Permissions

    Role Permissions Table 10 describes the types of permissions that are assigned to roles. Table 10 Permission types Abbreviation Definition Description Observe The user can run commands using options that display information only, such as running userConfig --show -a to show all users on a switch. Modify The user can run commands using options that create, change, and delete objects on the system, such as running userconfig --change...
  • Page 57 Table 11 RBAC permissions matrix (continued) Category Role permission User Operator Switch Zone Fabric Basic Admin admin admin admin switchadmin Switch Management—IP Configuration Local User Environment Logging License Management Access Configuration Management Server Name Server Nx_Port Management O Physical Computer System Port Mirroring RADIUS...
  • Page 58: Configuring The Authentication Model

    Configuring the authentication model This section explains how to configure authentication of the switch management channel connections. Fabric OS 5.2.x and higher supports use of both the local user database and RADIUS service at the same time. Use the aaaConfig command to set the authentication model for Fabric OS switch management channel connections as shown in Table NOTE:...
  • Page 59: About The Default Accounts

    About the default accounts Fabric OS provides the following predefined accounts in the switch-local user database. Change the password for all defaults during the initial installation and configuration, see Table Table 13 Default Local User Accounts Account Name Role Admin Description domain user...
  • Page 60: How To Create An Account

    How to create an account Connect to the switch and log in. Enter the following command: userConfig --add <username> -r <rolename> [-h <admindomain_ID>] [-a <admindomain_ID list>] [-d <description>] [-x] username: Specifies the account name, which must begin with an alphabetic character.
  • Page 61: How To Change Account Parameters

    How to change account parameters When changing account parameters, if you change the ADlist for the user account, all of the currently active sessions for that account will be logged out. Connect to the switch and log in. Enter the following command: userconfig --change username [-r rolename] [-h admindomain_ID]...
  • Page 62: Recovering Accounts

    removed from the existing list. If the -h argument is not specified, the home Admin Domain will either remain as it was or will be the lowest Admin Domain ID in the remaining list. Recovering accounts The following conditions apply to recovering user accounts: •...
  • Page 63: How To Change The Password For A Different Account

    How to change the password for a different account Connect to the switch and log in. Enter the following command: passwd name where name is the name of the account. Enter the requested information at the prompts. Configuring the local user database This section covers the following topics: •...
  • Page 64: How To Accept The User Database

    How to accept the user database Connect to the switch. Enter the following command: fddCfg --localaccept PWD where PWD is one of the three supported database policies. Supported policy databases are SCC, DCC, PWD. How to reject distributed user databases Connect to the switch.
  • Page 65: How To Set The Password History Policy

    not allowed because it is incompatible with Web Tools. The default value is zero. The maximum value must be less than or equal to the MinLength value. • MinLength Specifies the minimum length of the password. The minimum can be from 8 to 40 characters. New passwords must be between the minimum length specified and 40 characters.
  • Page 66: Upgrade And Downgrade Considerations

    Upgrade and downgrade considerations If you are upgrading from a 5.0.x environment to 5.2.x, the existing password databases do not contain the state information that implements password expiration. So, when the password expiration policy is first set after an upgrade to 5.2.x, any user who has not changed their password will have their password expiration period set to the maximum password expiration period.
  • Page 67: Creating Fabric Os User Accounts

    Creating Fabric OS user accounts With RADIUS servers, set up user accounts by their true network wide identity rather than by the account names created on a Fabric OS switch. Along with each account name, assign appropriate switch access roles. RADIUS supports all the defined RBAC roles described in Table 9 on page 55.
  • Page 68: Windows 2000 Ias

    Windows 2000 IAS For example, to configure a Windows 2000 IAS server to use VSA to pass the “Admin” role to the switch in the dial-in profile, the configuration specifies the Vendor code (1588), Vendor-assigned attribute number (1), and attribute value (admin), as shown in the following: Linux FreeRadius server For the configuration on a Linux FreeRadius server, define the following in a vendor dictionary file called dictionary.brocade.
  • Page 69: Radius Configuration And Admin Domains

    RADIUS configuration and admin domains When configuring users with Admin Domains, you must also include the Admin Domain member list. This section describes the way that you configure attribute types for this configuration. The values for the new attribute types use the syntax key=val[;key=val], where key is a text description of value...
  • Page 70: Configuring The Radius Server

    servers do not respond (because of power failure or network problems), the switch uses local authentication. Consider the following effects of the use of RADIUS service on other Fabric OS features: • When RADIUS service is enabled, all account passwords must be managed on the RADIUS server. The Fabric OS mechanisms for changing switch passwords remain functional;...
  • Page 71: Linux

    Linux The following procedures work for FreeRADIUS on Solaris and Red Hat Linux. FreeRADIUS is a freeware RADIUS server that you can find at: www.freeradius.org Follow the installation instructions at the web site. FreeRADIUS runs on Linux (all versions), FreeBSD, NetBSD, and Solaris.
  • Page 72: How To Enable Clients

    Clients are the switches that will be using the RADIUS server; each client must be defined. By default, all IP addresses are blocked. On dual-CP switches (SAN Director 2/128 and 4/256 Director), the switch sends its RADIUS request using the IP address of the active CP. When adding clients, add both the active and standby CP IP addresses so that users can still log in in the event of a failover.
  • Page 73: How To Configure Radius Users

    How to configure RADIUS users From the Windows Start menu, select Programs > Administrative Tools > Computer Management to open the Computer Management window. In the Computer Management window, expand the Local Users and Groups folder and select the Groups folder. Right-click the Groups folder and select New Group from the pop-up menu.
  • Page 74: Configuring Radius Servers On The Switch

    In the Edit Dial-in Profile window, click the Authentication tab and check only the Encrypted Authentication (CHAP) and Unencrypted Authentication (PAP, SPAP) checkboxes; then click the Advanced tab and click Add. In the Add Attributes window, select Vendor-Specific and click Add. In the Multivalued Attribute Information window, click Add.
  • Page 75: How To Display The Current Radius Configuration

    How to display the current RADIUS configuration Connect to the switch and log in as admin. Enter this command: switch:admin> aaaConfig --show If a configuration exists, its parameters are displayed. If RADIUS service is not configured, only the parameter heading line is displayed. Parameters include: Position: The order in which servers are contacted to provide service. The server names or IP addresses...
  • Page 76: How To Enable And Disable A Radius Server

    How to enable and disable a RADIUS server Connect to the switch and log in as admin. Enter this command to enable RADIUS + local: switch:admin> aaaconfig --radiuslocal Local is used if the user authentication fails on the RADIUS server. Or to enable RADIUS + localbackup: switch:admin>...
  • Page 77: Enabling And Disabling Local Authentication As Backup

    Enabling and disabling local authentication as backup It is useful to enable local authentication so that the switch can take over authentication locally if the RADIUS servers fail to respond because of power outage or network problems. To enable or disable local authentication, enter the appropriate command: switch:admin>...
  • Page 78: San Director 2/128 And 4/256 San Director

    If a password was previously set, the following messages display: Send the following string to Customer Support for password recovery: afHTpyLsDo1Pz0Pk5GzhIw== Enter the supplied recovery password. Recovery Password: Enter the recovery password (string). The recovery string must be between 8 and 40 alphanumeric characters. A random string that is 15 characters or longer is recommended for higher security.
  • Page 79: How To Set The Boot Prom Password For A Director Without A Recovery String

    The recovery string must be between 8 and 40 alphanumeric characters. A random string that is 15 characters or longer is recommended for higher security. The firmware only prompts for this password once. It is not necessary to remember the recovery string because it is displayed the next time you enter the command shell.
  • Page 80: How To Set The Boot Prom Password For A Director Without A Recovery String

    NOTE: The passwd command only applies to the boot PROM password when it is entered from the boot interface. Enter the boot PROM password at the prompt, then reenter it when prompted. The password must be eight alphanumeric characters (any additional characters are not recorded). Record this password for future use.
  • Page 81: Recovering Forgotten Passwords

    Connect to the active CP blade by serial or telnet and enter the haEnable command to restore high availability. Recovering user, admin, and factory passwords If you know the root password, you can use this procedure to recover the user, admin, and factory passwords.
  • Page 82 Managing user accounts...
  • Page 83: Configuring Standard Security Features

    Configuring standard security features This chapter provides information and procedures for configuring standard Fabric OS security features such as account and password management. Additional security features are available by purchasing the optional Secure Fabric OS feature. For information about licensed security features available in Secure Fabric OS, refer to the Secure Fabric OS Administrator’s Guide.
  • Page 84: Ensuring Network Security

    The security protocols are designed with the four main usage cases described in Table Table 18 Main security scenarios Fabric Management Comments interfaces Nonsecure Nonsecure No special setup is needed to use telnet or HTTP. An HP switch certificate must be installed if sectelnet is used.
  • Page 85: Configuring The Telnet Interface

    Fabric OS 4.1.0 and later supports SSH protocol v2.0 (ssh2). For more information on SSH, refer to the SSH IETF web site: http://www.ietf.org/ids.by.wg/secsh.html Refer to SSH, The Secure Shell: The Definitive Guide by Daniel J. Barrett, Richard Silverman. Fabric OS 4.4.0 and later comes with the SSH server preinstalled; however, you must select and install the SSH client.
  • Page 86: Blocking Listeners

    Blocking listeners HP StorageWorks switches block Linux subsystem listener applications that are not used to implement supported features and capabilities. Table 19 lists the listener applications that switches either block or do not start. Table 19 Blocked Listener Applications Listener SAN Director 2/128 and 4/8 SAN Switch and 4/16 SAN Switch, application...
  • Page 87: Configuring For The Ssl Protocol

    Port Configuration lists the ports used. This table provides the information to make it clearer when configuring the switch, taking into consideration firewalls and other devices that may sit between switches in the fabric or between the managers and the switch. Table 21 Port information Port...
  • Page 88: Browser And Java Support

    Browser and Java support Fabric OS supports the following Web browsers for SSL connections: • Internet Explorer (Microsoft Windows) • Mozilla (Solaris and Red Hat Linux) In countries that allow the use of 128-bit encryption, you should use the latest version of your browser. For example, Internet Explorer 6.0 and later supports 128-bit encryption by default.
  • Page 89: Generating A Public/Private Key

    Each CA (for example, Verisign or GeoTrust) has slightly different requirements; for example, some generate certificates based on IP address, while others require an FQDN, and most require a 1024-bit public/private key while some might accept a 2048-bit key. Consider your fabric configuration, check CA Web sites for requirements, and gather all the information that the CA requires.
  • Page 90: Obtaining Certificates

    If you are set up for secure file copy protocol, you can select it; otherwise, select ftp. Enter the IP address of the switch on which you generated the CSR. Enter the remote Directory name of the FTP server to which the CSR is to be sent.
  • Page 91: Configuring The Browser

    Activating a switch certificate Enter the configure command and respond to the prompts that apply to SSL certificates: SSL attributes: Type yes. Certificate File: Enter the name of the switch certificate file: for example, 192.1.2.3.crt. CA Certificate File: If you want the CA name to be displayed in the browser window, enter the name of the CA certificate file;...
  • Page 92: Installing A Root Certificate To The Java Plug-In

    name Browse to the certificate location and select the certificate. (For example, select Root.crt.) Click Open and follow the instructions to import the certificate. Installing a root certificate to the Java Plug-in For information on Java requirements, refer to “Browser and Java support”...
  • Page 93: Troubleshooting Certificates

    Troubleshooting certificates If you receive messages in the browser or in a pop-up window when logging in to the target switch using HTTPS, refer to Table Table 24 SSL Messages and Actions Message Action The page cannot be displayed The SSL certificate is not installed correctly or HTTPS is not enabled correctly.
  • Page 94: Setting The Security Level

    You can also use these additional MIBs and their associated traps: • FICON-MIB (for FICON environments) • HA-MIB (for SAN Director 2/128 models) • SW-EXTTRAP Includes the swSsn (Software Serial Number) as a part of SW traps. It is also used in conjunction with the legacy 6400 integrated fabrics product to provide detailed group information for a particular trap.
  • Page 95 Sample SNMPv3 configuration
    switch:admin> snmpconfig --set snmpv3
    SNMPv3 user configuration:
    User (rw): [snmpadmin1] adminuser
    Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..3) [3] 1
    New Auth Passwd:
    Verify Auth Passwd:
    Priv Protocol [DES(1)/noPriv[2]): (1..2) [2] 1
    New Priv Passwd:
    Verify Priv Passwd:
    User (rw): [snmpadmin2] shauser
    Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..3) [3] 2
    New Auth Passwd:
    Verify Auth Passwd:...
  • Page 96 Sample accessControl configuration
    switch:admin> snmpconfig --set accessControl
    SNMP access list configuration:
    Access host subnet area in dot notation: [0.0.0.0] 192.168.0.0
    Read/Write? (true, t, false, f): [true]
    Access host subnet area in dot notation: [0.0.0.0] 10.32.148.0
    Read/Write? (true, t, false, f): [true] f
    Access host subnet area in dot notation: [0.0.0.0]
    Read/Write? (true, t, false, f): [true]
    Access host subnet area in dot notation: [0.0.0.0] 10.33.0.0...
  • Page 97: Using Legacy Commands For Snmpv1

    Using legacy commands for SNMPv1 You should use the snmpConfig command to configure the SNMPv1 agent and traps (refer to ”Using the snmpConfig command” on page 94). However, if necessary for backward compatibility, you can choose to use legacy commands. Sample SNMP agent configuration information switch:admin>...
  • Page 98 Sample modification of the SNMP configuration values switch:admin> agtcfgset Customizing MIB-II system variables ... At each prompt, do one of the followings: o <Return> to accept current value, o enter the appropriate new value, o <Control-D> to skip the rest of configuration, or o <Control-C>...
  • Page 99 Sample reset of the SNMP agent configuration to default values switch:admin> agtcfgdefault ***** This command will reset the agent's configuration back to factory default ***** Current SNMP Agent Configuration Customizable MIB-II system variables: sysDescr = Fibre Channel Switch. sysLocation = End User Premise sysContact = sweng authTraps = 0 (OFF) SNMPv1 community and trap recipient configuration:...
  • Page 100 Sample modification of the options for configuring SNMP MIB traps switch:admin> snmpmibcapset The SNMP Mib/Trap Capability has been set to support FE-MIB SW-MIB FA-MIB FA-TRAP FA-MIB (yes, y, no, n): [yes] FICON-MIB (yes, y, no, n): [no] y HA-MIB (yes, y, no, n): [no] y SW-TRAP (yes, y, no, n): [no] y swFCPortScn (yes, y, no, n): [no] swEventTrap (yes, y, no, n): [no]...
  • Page 101: Configuring Secure File Copy

    Sample view of the SNMP MIB trap setup switch:admin> snmpmibcapshow FA-MIB: YES FICON-MIB: YES HA-MIB: YES SW-TRAP: YES swFCPortScn: YES swEventTrap: YES swFabricWatchTrap: YES swTrackChangesTrap: YES FA-TRAP: YES SW-EXTTRAP: YES HA-TRAP: YES fruStatusChanged: YES cpStatusChanged: YES fruHistoryTrap: YES Configuring secure file copy You can use the configure command to specify that secure file copy (scp) be used for configuration uploads and downloads.
  • Page 103: Configuring Advanced Security

    Configuring advanced security This chapter provides information and procedures for configuring the advanced Fabric OS 5.2.x security feature, Access Control Lists (ACL) policies for FC port and switch binding. NOTE: Run all commands in this chapter by logging in to Administrative Domain (AD) 255 or, if Administrative Domains have not been implemented, by logging in to AD 0.
  • Page 104: Configuring Acl Policies

    Configuring ACL policies All policy modifications are saved in volatile memory until those changes are saved or activated. You can create multiple sessions to the switch from one or more hosts. However, Fabric OS allows only one ACL transaction at a time. If a second ACL transaction is started, it fails. The Secure Fabric OS and Fabric OS SCC and DCC policies are not interchangeable.
  • Page 105: Displaying Acl Policies

    Displaying ACL policies Use the secPolicyShow command to display the Active and Defined policy sets. The following example shows a switch that has no SCC and DCC policies. secPolicyShow displays the following information: • Active Policy Set—The policies that are being enforced. •...
  • Page 106: Dcc Policy Restrictions

    Table 25 DCC policy states Policy state Characteristics Policy with no entries Any device can connect to any switch port in the fabric. An empty policy is the same as no policy. Policy with entries If a device WWN is specified in a DCC policy, that device is only allowed access to the switch if connected by a switch port listed in the same policy.
  • Page 107: Examples Of Creating Dcc Policies

    The member contains device or switch port information: deviceportWWN;switch(port) where: WWN of the device port. deviceportWWN Either the switch WWN, domain ID, or switch name. The switch port can be specified by port or area number. Designating ports automatically includes the devices currently attached to those ports.
  • Page 108: Saving Changes To Acl Policies

    Fabric OS is disabled; policies created in Fabric OS are deleted when Secure Fabric OS is enabled. Back up SCC policies before enabling or disabling Secure Fabric OS. The SCC policy is used to restrict which switches can join the fabric. Switches are checked against the policy each time an E_Port-to-E_Port connection is made.
  • Page 109: Adding A Member To An Existing Policy

    To activate changes Connect to the switch and log in. Type the secPolicyActivate command: switch:admin> secpolicyactivate About to overwrite the current Active data. ARE YOU SURE (yes, y, no, n): [no] y Adding a member to an existing policy Add members to the ACL policies by using the secPolicyAdd command. As soon as a policy has been activated, the aspect of the fabric managed by that policy is enforced.
  • Page 110: Aborting All Uncommitted Changes

    Aborting all uncommitted changes Use the secPolicyAbort command to abort all ACL policy changes that have not yet been saved. To abort all unsaved changes Connect to the switch and log in. Type the secPolicyAbort command: switch:admin> secpolicyabort Unsaved data has been aborted. All changes since the last time the secPolicySave or secPolicyActivate commands were entered are aborted.
  • Page 111: Configuring The Database Distribution Settings

    Error returned indicating that the distribution setting must be accept before you can set the fabric-wide consistency policy. Configuring the database distribution settings The distribution settings control whether a switch accepts or rejects distributions of databases from other switches and whether or not the switch may initiate a distribution. Configure the distribution setting to reject when maintaining the database on a per-switch basis.
  • Page 112: Distributing Acl Policies To Other Switches

    Enter the following command: fddCfg --localaccept <database_ID> where localaccept is the default setting: it allows the local database to be overwritten with databases received from other switches, and allows the local database to be manually or automatically distributed to other switches; database_id is a semicolon-separated list of the local databases to be distributed, either SCC and/or DCC.
  • Page 113: Setting The Consistency Policy Fabric-Wide

    Enter the following command: distribute -p <database_id> -d <switch_list> where database_id is a semicolon-separated list of the local databases to be distributed: SCC and/or DCC; switch_list is a semicolon-separated list of switch Domain IDs, switch names, or switch WWN addresses of the target switches that will receive the distribution.
  • Page 114: Notes On Joining A Switch To The Fabric

    The following example shows a not defined fabric-wide consistency policy. switch:admin> fddcfg --showall Local Switch Configuration for all Databases:- DATABASE - Accept/Reject ------------------------- - accept - accept - accept Fabric Wide Consistency Policy:- "" To set the fabric-wide consistency policy Connect to the switch and log in.
  • Page 115: Matching Fabric-Wide Consistency Policies

    disabled. If the strict SCC and DCC fabric-wide consistency policies match, the corresponding SCC and DCC ACL policies are compared. The enforcement of fabric-wide consistency policy involves comparison of only the Active policy set. If the ACL policies match, the switch joins the fabric successfully. If the ACL policies are absent either on the switch or on the fabric, the switch joins the fabric successfully, and the ACL policies are copied automatically from where they are present to where they are absent.
  • Page 116: Non-Matching Fabric-Wide Consistency Policies

    Non-matching fabric-wide consistency policies You may encounter one of the following two scenarios: • Merging a fabric with a strict policy to a fabric with an absent, tolerant, or non-matching strict policy. The merge fails and the ports are disabled. Table 32 shows merges that are not supported: Table 32...
  • Page 117: Maintaining Configurations

    Maintaining configurations It is important to maintain consistent configuration settings on all switches in the same fabric, because inconsistent parameters (such as inconsistent PID formats) can cause fabric segmentation. As part of standard configuration maintenance procedures, it is recommended that you back up all important configuration data for every switch on a host computer server for emergency reference.
  • Page 118: To Upload A Configuration File

    Before beginning, verify that you can reach the FTP server from the switch. Using a telnet connection, save a backup copy of the configuration file from a logical switch to a host computer as follows: To upload a configuration file Verify that the FTP service is running on the host computer.
  • Page 119: Troubleshooting Configuration Upload

    NOTE: The configuration file is printable, but you might want to see how many pages will be printed before you send it to the printer; you might not want to print a lot of pages if it is too long. Troubleshooting configuration upload If the configuration upload fails, it may be because: •...
  • Page 120: Configuration Download Without Disabling A Switch

    Configuration download without disabling a switch Starting in Fabric OS 5.2.x, you can download configuration files to a switch while the switch is enabled, that is, you do not need to disable the switch for changes in SNMP, Fabric Watch, and ACL parameters. When you use the configDownload command, you will be prompted to disable the switch only when necessary...
  • Page 121: Security Considerations

    NOTE: Because some configuration parameters require a reboot to take effect, after you download a configuration file you must reboot to be sure that the parameters are enabled. Before the reboot, this type of parameter is listed in the configuration file, but it is not effective until after the reboot. Security considerations Security parameters and the switch's identity cannot be changed by configDownload.
  • Page 122: Restoring Configurations In A Ficon Environment

    Restoring configurations in a FICON environment If the switch is operating in a FICON CUP environment, and the ASM (active=saved) bit is set on, then the switch ignores the IPL file downloaded when you restore a configuration. Table 35 describes this behavior in more detail.
  • Page 123: 4/256 San Director Configuration Form

    4/256 SAN Director configuration form Table 36 provides a form to use as a hardcopy reference for your configuration information. Table 36 Configuration and connection Configuration settings IP address Gateway address Chassis configuration option Management connections Serial cable tag Ethernet cable tag Configuration information Domain ID Switch name...
  • Page 124 Table 37 FC port configuration setting FC port Port numbers configuration Speed Trunk Port Long Distance VC Link Init Locked L_Port Locked G_Port Disable E_Port ISL R_RDY Mode RSCN Suppressed Persistent disable NPIV capability EX Port
  • Page 125 Table 38 FC port configuration setting FC Port Port Numbers Configuration Speed Trunk port Long distance VC link Init Locked L_Port Locked G_Port Disable E_Port ISL R_RDY mode RSCN suppressed Persistent disable NPIV capability EX port
  • Page 127: Managing Administrative Domains

    Managing administrative domains This chapter describes the concepts and procedures for using the administrative domain feature introduced in Fabric OS 5.2.x and contains the following topics: About administrative domains Administrative Domain (Admin Domain or AD) is a logical grouping of fabric elements that defines what switches, ports, and devices you can view and modify.
  • Page 128: Admin Domain Features

    Figure 2 Fabric with two admin domains Figure 3 shows how users get a filtered view of this fabric, depending on which Admin Domain they are in. Users can see all switches and E_Ports in the fabric, regardless of their Admin Domain; however, the switch ports and end devices are filtered based on Admin Domain membership.
  • Page 129: Requirements For Admin Domains

    • Move devices from one Admin Domain to another without traffic disruption, cable reconnects, or discontinuity in zone enforcement. • Provide strong fault and event isolation between Admin Domains. • Have visibility of all physical fabric resources. All switches, E_Ports, and FRUs (including blade information) are visible.
  • Page 130: System-Defined Administrative Domains

    System-defined administrative domains When you install Fabric OS 5.2.x firmware, the switch enters AD-capable mode with domains AD0 and AD255 automatically created. AD0 and AD255 are special Admin Domains. AD0 and AD255 always exist and cannot be deleted or renamed. They are reserved for use in creation and management of Admin Domains.
  • Page 131: Admin Domain Access Levels

    AD255 Figure 4 Fabric with AD0 and AD255 Admin domain access levels Admin Domains offer a hierarchy of administrative access. To manage Admin Domains, you must be a physical fabric administrator. A “physical fabric administrator” is a user with the Admin role and access to all Admin Domains (AD0 through AD255). Other administrative access is determined by your defined RBAC role and AD membership.
  • Page 132: Admin Domains And Login

    Admin domains and login You are always logged in to an Admin Domain, and you can view and modify only the devices in that Admin Domain. If you have access to more than one Admin Domain, one of them will have been specified as your “home Admin Domain,”...
  • Page 133: Switch Port Members

    Switch port members Switch port members are defined by switch (domain, port). A switch port member: • Grants port control rights and zoning rights for that switch port. • Grants view access and zoning rights to the device connected to that switch port. •...
  • Page 134: Fabric Showing Switch And Device Wwns

    Figure 5 shows an unfiltered view of a fabric with two switches, three devices, and two Admin Domains. The devices are labeled with device WWN and the switches are labeled with domain ID and switch WWN. WWN = 10:00:00:00:c7:2b:fd:a3 WWN = 10:00:00:00:c2:37:2b:a3 Domain ID = 1 Domain ID = 2 WWN = 10:00:00:05:1f:05:23:6f...
  • Page 135: Admin Domain Compatibility And Availability

    Admin domain compatibility and availability Admin Domains maintain continuity of service for Fabric OS 5.2.x features and operate in mixed-release fabric environments. High availability is supported along with some backward compatibility. The following sections describe the continuity features of Admin Domain usage. Admin domains and merging When an E_Port comes online, the adjacent switches merge their AD databases.
  • Page 136: Managing Admin Domains

    Managing admin domains This section is for physical fabric administrators who are managing Admin Domains. You must be a physical fabric administrator to perform the tasks in this section. • ”Implementing admin domains” on page 137 • ”Creating an admin domain”...
  • Page 137: Implementing Admin Domains

    Implementing admin domains To begin implementing an Admin Domain structure within your SAN, you must first set the default zone mode to No Access. You must be in AD0 to change the default zone mode. You can use the defZone --show command to see the current default zone mode setting.
  • Page 138: Assigning A User To An Admin Domain

    Optional: To end the transaction now, enter ad --save to save the Admin Domain definition or enter ad --apply to save the Admin Domain definition and directly apply the definitions to the fabric. The following example creates Admin Domain AD1, consisting of two switches, which are designated by domain ID and switch WWN.
  • Page 139: Activating And Deactivating Admin Domains

    To assign Admin Domains to an existing user account Connect to the switch and log in as admin. Enter the userConfig --addad command using the -a option to provide access to Admin Domains and the -h option to specify the home Admin Domain. username home_AD AD_list...
  • Page 140: Adding And Removing Admin Domain Members

    To deactivate an Admin Domain Connect to the switch and log in as admin. Disable the zone configuration under the Admin Domain you want to deactivate. Switch to the AD255 context, if you are not already in that context. ad --select 255 Enter the ad --deactivate option.
  • Page 141: Renaming An Admin Domain

    Optional: To end the transaction now, enter ad --save to save the Admin Domain definition or enter ad --apply to save the Admin Domain definition and directly apply the definitions to the fabric. The following example removes port 5 of domain 100 and port 3 of domain 1 from AD1. sw5:AD255:admin>...
  • Page 142: Deleting All User-Defined Admin Domains

    Deleting all user-defined Admin Domains When you clear the Admin Domain configuration, all user-defined Admin Domains are deleted, the explicit membership list of AD0 is cleared, and all fabric resources (switches, ports, and devices) are returned to the implicit membership list of AD0. You cannot clear the Admin Domain configuration if zone configurations exist in any of the user-defined Admin Domains.
  • Page 143: Using Admin Domains

    Using Admin Domains This section is for users and administrators and describes how you use Admin Domains. If you are a physical fabric administrator and you want to create, modify, or otherwise manage Admin Domains, see ”Managing admin domains” on page 136. The Admin Domain looks like a virtual switch or fabric to a user.
  • Page 144: Displaying An Admin Domain Configuration

    Displaying an Admin Domain configuration The ad --show option displays the membership information and zone database information of the specified Admin Domain. When you perform the show option in: • AD255, if you do not specify the AD_name or number, all information about all existing Admin Domains is displayed.
  • Page 145: Performing Zone Validation

    The following example switches to the AD12 context. Note that the prompt changes to display the Admin Domain. sw5:admin> ad --select 12 sw5:AD12:admin> Performing zone validation If you are working with zones, you should be aware that there is an Admin Domain impact. Zone objects can be part of an Admin Domain.
  • Page 146: Admin Domains, Zones, And Zone Databases

    Table 41 Admin Domain interaction with Fabric OS features (continued) Fabric OS feature Admin Domain interaction You can create LSAN zones as a physical fabric administrator or as an individual AD administrator. The LSAN zone can be part of the root zone database or the AD zone database.
  • Page 147: Admin Domains And Lsan Zones

    Zoning operations ignore any resources not in the Admin Domain, even if they are specified in the zone. The behavior functions similarly to specifying offline devices in a zone. All zones from each Admin Domain zoneset are enforced. The enforcement policy encompasses zones in the effective zoneset of the root zone database and the effective zonesets of each AD.
  • Page 148: Configuration Upload And Download In An Ad Context

    Configuration upload and download in an AD context The behavior of configUpload and configDownload varies depending on the AD context and whether the switch is a member of the current Admin Domain. In the AD context, these commands include only the zone configuration of the current Admin Domain. If the switch is a member of the Admin Domain, all switch configuration parameters are saved and the zone database for that Admin Domain is also saved.
  • Page 149: Installing And Maintaining Firmware

    Installing and maintaining firmware In this chapter, you will see references to optional port blades installable in the SAN Director 4/256: • Port blades contain Fibre Channel ports. • FC blades contain only Fibre Channel ports: FC4-16, FC4-32, FC4-48. •...
  • Page 150: Effects Of Firmware Changes On Accounts And Passwords

    Effects of firmware changes on accounts and passwords The following table describes what happens to accounts and passwords when you replace the switch firmware with a different version. Table 43 Effects of firmware changes on accounts and passwords Change First time Subsequent times (after upgrade, then downgrade, then upgrade)
  • Page 151: Preparing For A Firmware Download

    (or in some cases 4.4.x or lower) and the check finds that one of these exception cases is true, firmware download will fail and an error message will be displayed. It is recommended that you perform a configUpload to back up the current configuration before you download firmware to a switch.
  • Page 152: Checking Connected Switches

    Verify that the compact flash usage is not above 90%. If the compact flash usage is above 90%, contact HP. NOTE: If running Fabric OS 4.2.x or earlier, enter the supportShow command and verify the above compact flash information by searching the output of the supportShow command. (Optional) Enter the errClear command to erase all existing messages in addition to internal messages.
  • Page 153: Performing Firmware Download On Switches

    firmware. The firmwareDownload command defaults to an autocommit option that automatically copies the firmware from one partition to the other. You should not override autocommit under normal circumstances; use the default. Refer to Testing and restoring firmware-on Directors, page 161 for details about overriding the autocommit option. Summary of the firmware download process The following summary describes the default behavior after you enter the firmwareDownload command (without options) on 4/16 SAN Switch and 4/8 SAN Switch, SAN Switch 2/8V, SAN Switch 2/16V, SAN...
  • Page 154 Respond to the prompts as follows: Server Name Enter the name or IP address of the FTP server where the firmware file is or IP Address stored; for example, 192.1.2.3. You can enter a server name if DNS is enabled. User name Enter the user name of your account on the server;...
  • Page 155: Summary Of Firmware Downloads On Director Models

    Summary of firmware downloads on Director models You can download firmware to SAN Director 2/128 and 4/256 SAN Director without disrupting the overall fabric if the two CP blades are installed and fully synchronized. Use the haShow command to confirm synchronization. If only one CP blade is powered on, the switch must reboot to activate firmware, which is disruptive to the overall fabric.
  • Page 156: San Director 2/128 And 4/256 San Director Firmware Download Procedure

    SAN Director 2/128 and 4/256 SAN Director firmware download procedure There is one logical switch address for a 4/256 SAN Director, and up to two logical switch addresses for the SAN Director 2/128, but either can be used on the SAN Director 2/128 to effect a firmwaredownload (either logical switch).
  • Page 157 Respond to the prompts as follows: Server Name Enter the name or IP address of the server where the firmware file is stored: or IP Address for example, 192.1.2.3. You can enter a server name if DNS is enabled. User name Enter the user name of your account on the server: for example, JohnDoe.
  • Page 158 IMPORTANT: At the time of this document’s release, HP does not support the FC4-16IP blade. Consult http://www.hp.com for the latest, updated information. switch:admin> firmwaredownload Server Name or IP Address: 10.1.2.3 FTP User Name: JaneDoe File Name: /pub/v5.2.x FTP Password: xxxx Verifying the input parameters ...
  • Page 159 Optionally, after the failover, connect to the switch, log in again as admin. Using a separate telnet session, enter the firmwareDownloadStatus command to monitor the firmware download status. switch:admin> firmwaredownloadstatus [1]: Fri Sep 22 09:45:15 2006 Slot 5 (CP0, active): Firmware is being downloaded to standby CP. This step may take up to 30 minutes.
  • Page 160: Testing And Restoring Firmware On Switches

    Enter the firmwareShow command to display the new firmware versions.: switch:admin> firmwareshow Slot Name Primary/Secondary Versions Status -------------------------------------------------------------- FC4-16IP v5.2.x v5.2.x FR4-18i v5.2.x v5.2.x v5.2.x ACTIVE * v5.2.x v5.2.x STANDBY v5.2.x FR4-18i v5.2.x v5.2.x switch:admin> Testing and restoring firmware on switches Typically, users downgrade firmware after briefly “test driving”...
  • Page 161: Testing And Restoring Firmware-On Directors

    3. Commit the firmware a. Enter the firmwareCommit command to update the secondary partition with new firmware. Note that it takes several minutes to complete the commit operation. b. Enter the firmwareShow command to confirm both partitions on the switch contain the new firmware.
  • Page 162 2. Update firmware on standby CP a. Start a telnet session, log in as admin to the standby CP. b. Enter the firmwareDownload -s command and respond to the prompts as follows: switch:admin> firmwaredownload -s Server Name or IP Address: 10.1.2.3 FTP User Name: JaneDoe File Name: /pub/v5.2.x FTP Password:...
  • Page 163 5. Update firmware on standby CP a. Start a telnet session on the standby CP (which is the old active CP). b. Enter the firmwareDownload -s command and respond to the prompts as follows: switch:admin> firmwaredownload -s Server Name or IP Address: 10.1.2.3 FTP User Name: JaneDoe File Name: /pub/v5.2.x FTP Password:...
  • Page 164: Validating The Firmware Download

    10. Restore firmware on the “new” standby CP a. Wait one minute and start a telnet session on the new standby CP, which is the old active CP. b. Enter the firmwareRestore command. The standby CP will reboot and the telnet session will end.
  • Page 165: Troubleshooting Firmware Download

    NOTE: You cannot perform a firmware downgrade from Fabric OS 5.2.x or higher if administrative domains are configured in the fabric. See ”Managing administrative domains” on page 157 for details. When the primary and secondary CPs in a 4/256 SAN Director are running pre-Fabric OS 5.2.x and are in HA-Sync, if firmware is downloaded to upgrade only one CP (using the firmwareDownload –s option), that CP will run in an AD-unaware mode (AD creation operations will fail and the local switch will appear as an AD-unaware switch in the fabric).
  • Page 166: Pre-Installation Messages

    For more information on any of the commands in the Recommended Action section, see the Fabric OS Command Reference. NOTE: Some of the messages include error codes (as shown in the example below). These error codes are for internal use only and you can disregard them. Example: Port configuration with EX ports enabled along with trunking for port(s) 63, use the portcfgexport, portcfgvexport, and/or portcfgtrunkport commands to remedy this.
  • Page 167 Message Only platform options 1, 2, 5 are supported by version 5.1. Use chassisconfig to reset the option before downloading the firmware. Probable Cause and Recommended Action The firmware download operation was attempting to upgrade a system to Fabric OS v5.1.0. The chassisConfig option was set to 3 or 4, which is not supported in v5.1.0, so the firmware download operation was aborted.
  • Page 168 Message Cannot download to 5.1 because Device Based routing policy is not supported by 5.1. Use aptPolicy change the routing policy before proceeding. Probable Cause and Recommended Action The firmware download operation was attempting to upgrade a system to Fabric OS v5.1.0 with device-based routing policy selected.
  • Page 169 Message The command failed due to presence of long-distance ports in LS mode. Please remove these settings before proceeding. Probable Cause and Recommended Action The firmware download operation was attempting to downgrade a system to Fabric OS v5.0.0 or lower with long-distance ports in LS mode.
  • Page 170 Message The command failed due to one or more ports having both long-distance and ISL R_RDY Modes enabled. Use portcfglongdistance and portcfgislmode to disable it before proceeding. Probable Cause and Recommended Action The firmwareDownload operation was attempting to downgrade a system to Fabric OS v.0.0 or lower with both long-distance and ISL R_RDY modes enabled.
  • Page 171 Message Cannot downgrade due to presence of port mirror connections. Use portmirror --delete to remove these mirror connections before proceeding. Probable Cause and Recommended Action The firmware download operation was attempting to downgrade a system to Fabric OS v5.1.0 or lower with Port Mirroring enabled.
  • Page 172 Message The command failed due to the presence of an Admin Domain. Use the command to remedy this before proceeding. Probable Cause and Recommended Action The firmware download operation was attempting to downgrade a system to Fabric OS v5.1.0 or lower with Admin Domain (AD) enabled on the system.
  • Page 173 Message The command failed because IPSec is enabled. Please use the portcfg fciptunnel command to disable it before proceeding. Probable Cause and Recommended Action The firmwareDownload operation was attempting to downgrade a system to Fabric OS v5.1.0 or lower and the IPsec feature is enabled. The IPsec feature is not supported on firmware v5.1.0 or lower, so the firmwareDownload operation failed.
  • Page 174 • Disable the strict fabric-wide policy using the fddCfg --fabWideSet "" command. The “absent” setting disables the fabric-wide consistency policy. Retry the firmware download operation. Message The switch is currently configured with “radiuslocal” mode. Please use the aaaconfig command to remedy it before proceeding.
  • Page 175: Blade Troubleshooting Tips

    Remove all DCC policies containing more than 256 ports using the secPolicyDelete and secPolicyActivate commands. Retry the firmware download operation. Blade troubleshooting tips Typically, issues that evolve during firmware downloads to the B-Series MP Router blade do not require explicit actions on your part. However, if any of the following events occur, perform the suggested action to correct: •...
  • Page 176 • Ensure that the decompress process created multiple SWBDxx folders (where xx is a number) in the main folder. If the files are unpacked without folder creation, then the firmwareDownload command will be unable to locate the .plist file.
  • Page 177: Configuring Directors

    Configuring Directors This chapter contains procedures that are specific to the SAN Director 128 and 4/256 SAN Director models. Because Directors contain interchangeable port blades, install procedures differ from the SAN Switches, domain, port which operate as fixed-port switches. For example, fixed-port models identify ports by number slot/port number.
  • Page 178: By Slot And Port Number

    The following sections tell how to identify ports on SAN Director 2/128 and 4/256 SAN Director, and how to identify ports for zoning commands. By slot and port number The port number is a number assigned to an external port to give it a unique identifier in a switch. To select a specific port in the SAN Director 2/128, and 4/256 SAN Director models, you must identify slot number port number...
  • Page 179 values of the first 128 ports, and using portswap on a pair of ports will exchange those ports’ area_ID and index values. Portswap is not supported for ports above 256. Table 44 and Table 45 show the area ID and index mapping for core and extended-edge PID assignment. Note that up to 255 areas, the area_ID mapping to the index is one-to-one.
  • Page 180 Table 44 Default index/area_ID Core PID assignment with no port swap (continued). Columns: Port on blade | Slot 1 Idx/Area | Slot 2 Idx/Area | Slot 3 Idx/Area | Slot 4 Idx/Area | Slot 7 Idx/Area | Slot 8 Idx/Area | Slot 9 Idx/Area | Slot 10 Idx/Area. Values: 131/131 147/147 163/163 179/179 195/195 211/211 227/227 243/243 130/130 146/146...
  • Page 181 Table 45 Default index/area extended-edge PID assignment with no port swap (continued). Columns: Port on blade | Slot 1 Idx/Area | Slot 2 Idx/Area | Slot 3 Idx/Area | Slot 4 Idx/Area | Slot 7 Idx/Area | Slot 8 Idx/Area | Slot 9 Idx/Area | Slot 10 Idx/Area. Values: 260/140 276/156 292/172 308/188 324/204 340/220 356/236 372/252 259/139 275/155 291/171 307/187...
  • Page 182: Basic Blade Management

    Table 45 Default index/area extended-edge PID assignment with no port swap (continued). Columns: Port on blade | Slot 1 Idx/Area | Slot 2 Idx/Area | Slot 3 Idx/Area | Slot 4 Idx/Area | Slot 7 Idx/Area | Slot 8 Idx/Area | Slot 9 Idx/Area | Slot 10 Idx/Area. Values: 18/18 34/34 50/50 66/66 82/82 98/98 114/114 17/17 33/33 49/49...
  • Page 183: 400 Mp Router Exceptions

    400 MP Router exceptions The first time the 400 MP Router is powered on, ports are persistently disabled. Ports will remain disabled until they are configured otherwise. B-Series MP Router blade (FR4-18i) exceptions You may wish to persistently disable B-Series MP Router blade ports that are not configured so they cannot join the fabric when the following scenarios apply: •...
  • Page 184: Blade Terminology And Compatibility

    NOTE: Some FRUs in the chassis may use significant power, yet cannot be powered off through software. For example, a missing blower FRU may change the power computation enough to affect how many slots can be powered up. The powerOffListShow command displays the power off order. Blade terminology and compatibility Before configuring a chassis, familiarize yourself with the Director CP blade and port blade nomenclature, as well as the port blade compatibilities.
  • Page 185: Cp Blades

    CP blades CP blades determine the Director type: • If CP2 blades are installed, the Director is a SAN Director 2/128. • If CP4 blades are installed, the Director is a 4/256 SAN Director. Mixed CP blades are not supported on a single chassis, except during specific upgrade procedures detailed in the SAN Director installation guide.
  • Page 186 Table 48 lists the supported configuration options for Fabric OS 5.2.x. Table 49 lists configuration options and resulting slot configurations. NOTE: At the time of this document’s release, HP does not support the FC4-16IP blade. Consult http://www.hp.com for the latest, updated information. Table 48 Supported configuration options Option...
  • Page 187: Obtaining Slot Information

    Obtaining slot information For a SAN Director 2/128 configured as two logical switches, the chassis-wide commands display or control both logical switches. In the default configuration, SAN Director 2/128 Directors are configured as one logical switch, so the chassis-wide commands display and control the single logical switch. To display the status of all slots in the chassis Connect to the switch and log in as user or admin.
  • Page 188: Configuring A New San Director 2/128 With Two Domains

    Configuring a new SAN Director 2/128 with two domains By default, the SAN Director 2/128 is configured as one 128-port switch (one domain). The procedure assumes that the new Director: • Has been installed and connected to power, but is not yet attached to the fabric. •...
  • Page 189: Converting An Installed San Director 2/128 To Support Two Domains

    Converting an installed SAN Director 2/128 to support two domains Fabric OS versions earlier than v4.4.0 supported only one domain for SAN Director 2/128 models (one 128-port logical switch). When you upgrade a SAN Director 2/128 director to Fabric OS v4.4.0 or later, you can use the chassisConfig command to specify two domains for the Director (two 64-port logical switches, sw0 and sw1).
  • Page 190: Setting The Blade Beacon Mode

    11. Enter the fabricShow command to verify that sw0 and sw1 have been merged with the fabric. Enter the configShow command to verify that zoning parameters were propagated. Setting the blade beacon mode When beaconing mode is enabled, the port LEDs will flash amber in a running pattern from port 0 through port 15 and back again.
  • Page 191: 10 Routing Traffic

    Routing traffic About data routing and routing policies Data moves through a fabric from switch to switch and storage to server along one or more paths that make up a route. Routing policies determine the correct path for each frame of data. Whatever routing policy a switch is using applies to the VE_Ports as well.
  • Page 192: Assigning A Static Route

    In the following example, the routing policy for a 400 MP Router is changed from exchange-based to port-based: switch:admin> aptpolicy Current Policy: 3 3: Default Policy 1: Port Based Routing Policy 3: Exchange Based Routing Policy switch:admin> switchdisable switch:admin> aptpolicy 1 Policy updated successfully.
  • Page 193: Using Dynamic Load Sharing

    In a stable fabric, frames are always delivered in order, even when the traffic between switches is shared among multiple paths. However, when topology changes occur in the fabric (for example, if a link goes down), traffic is rerouted around the failure, and some frames could be delivered out of order. Most destination devices tolerate out-of-order delivery, but some do not.
  • Page 194: Viewing Routing Path Information

    Viewing routing path information The topologyShow and uRouteShow commands provide information about the routing path. Connect to the switch and log in as admin. Enter the topologyShow command to display the fabric topology, as it appears to the local switch. The following entries appear: switch:admin>...
  • Page 195 SAN Director 2/128 and 4/256 SAN Director: Use the following syntax: slot portnumber domainnumber urouteshow [ The following entries appear: • Local Domain—Domain number of the local switch. • In Ports—Port from which a frame is received. • Domain—Destination domain of the incoming frame. •...
  • Page 196: Viewing Routing Information Along A Path

    Viewing routing information along a path You can display detailed routing information from a source port (or area) on the local switch to a destination port (or area) on another switch. This routing information describes the full path that a data stream travels between these ports, including all intermediate switches.
  • Page 197 The information that pathInfo provides is: Hops: The number of switch-to-switch links (ISLs) traversed. The local switch is hop 0. In Port: The port that the frames come in from on this path. For hop 0, the source port. Domain ID: The domain ID of the switch.
  • Page 199: 11 Using The Fc-Fc Routing Service

    Using the FC-FC routing service The FC-FC (Fibre Channel) Routing Service provides Fibre Channel routing between two or more fabrics without merging those fabrics. The FC-FC Routing Service can be simultaneously used as a Fibre Channel router and for SAN extension over wide area networks (WANs) using FCIP. The Fibre Channel Routing also supports interoperability with McDATA E/OS v7.x and 8.x.
  • Page 200 Special types of ports, called an EX_Port and a VEX_Port, function somewhat like an E_Port, but terminate at the switch and do not propagate fabric services or routing topology information from one edge fabric to another. The link between an E_Port and EX_Port, or VE_Port and VEX_Port, is called an interfabric link (IFL).
  • Page 201: A Metasan With Interfabric Links

    fabric to another—over the backbone or edge fabric through this virtual domain—without merging the two fabrics. Translate phantom domains are sometimes referred to as “translate domains,” or “xlate domains.” If a B-Series MP Router blade is attached to an edge fabric using an EX_Port, it will create translate phantom domains in the fabric corresponding to the imported edge fabrics with active LSANs defined.
  • Page 202: Front Domain Consolidation

    Figure 10 shows another metaSAN consisting of a host in Edge SAN 1 connecting to storage in Edge SAN 2 through a backbone fabric connecting two 4/256 SAN Directors, each containing B-Series MP Router blades. Figure 10 Edge SANs connected through a backbone fabric 4/256 SAN Director 4/256 SAN Director with B-Series...
  • Page 203: Upgrade And Downgrade Considerations

    Upgrade and downgrade considerations The following considerations apply when upgrading to or downgrading from Fabric OS 5.2.x with front domain consolidation: • During an upgrade to Fabric OS v5.2 from Fabric OS v5.1: • The router switch is changed from one front domain per EX_Port to a shared front domain for the EX_Ports that are connected to the same edge fabric.
  • Page 204: Range Of Output Ports

    For more information about the fabricShow command, see the Fabric OS Command Reference Manual. Range of output ports The edge fabric detects only one front domain from an FC router connected through multiple output ports. The output port of the front domain is not fixed to 0; the values can be in a range of 129–255. The range of the output ports connected to the xlate domain is also 129–255.
  • Page 205: Routing Types

    The target responds by sending frames to the proxy host. Hosts and targets are exported from the edge SAN to which they are attached and, correspondingly, imported into the edge SAN reached through Fibre Channel routing. Figure 11 illustrates this concept. Proxy host Host (imported device)
  • Page 206: Fibre Channel Nat And Phantom Domains

    Fibre Channel NAT and phantom domains Within an edge fabric or across a backbone fabric, the standard Fibre Channel FSPF protocol determines how frames are routed from the source Fibre Channel (FC) device to the destination FC device. The source or destination device can be a proxy device.
  • Page 207: Performing Verification Checks

    Performing verification checks Before configuring a fabric to connect to another fabric, you must perform the following verification checks on the switch or director. To perform verification checks Log in to the switch or director as admin and enter the version command. Verify that Fabric OS v5.2.x is installed on the 400 MP Router or B-Series MP Router blade, as shown in the following example.
  • Page 208: Assigning Backbone Fabric Ids

    Enter the secModeShow command to verify that security is disabled. switch:admin_06> secmodeshow Secure Mode: DISABLED. Enter the msPlatShow command to verify that Management Server Platform database is disabled in the backbone fabric. switch:admin_06> msplatshow *MS Platform Management Service is NOT enabled. If any of the items listed in the prior steps are enabled, you can see the Fabric OS Command Reference Manual for information on how to disable the option.
  • Page 209: Configuring Fcip Tunnels (Optional)

    Then enter the fosConfig --enable fcr command. switch:admin_06> fosconfig --disable fcr FC Router service is disabled switch:admin_06> fcrconfigure FC Router parameter set. <cr> to skip a parameter Backbone fabric ID: (1-128)[1] switch:admin_06> fosconfig --enable fcr FC Router service is enabled Configuring FCIP tunnels (optional) The optional Fibre Channel over IP (FCIP) Tunneling Service enables you to use “tunnels”...
  • Page 210 it is connected. For example, on the 4/256 SAN Director with a B-Series MP Router blade, specify the WWN of the Secure Fabric OS switch and the secrets. On the Secure Fabric OS switch, specify the WWN of the front domain (EX_Port or VEX_Port) and the secrets. To view the front domain WWN, issue the portCfgEXPort command on the Fibre Channel router side.
  • Page 211: Configuring An Interfabric Link

    To view a DH-CHAP secret word database Log in as admin to the 400 MP Router or 4/256 SAN Director with a B-Series MP Router blade. At the telnet prompt, enter the secAuthSecret command as shown: switch:admin_06> secauthsecret --show Name ------------------------------------------------------------ 10:00:00:60:69:80:05:14 switch...
  • Page 212: Portcfgexport Options

    The following example enables the EX_Port (or VEX_Port) and assigns a Fabric ID of 30 to port 7. switch:admin_06> portcfgexport 7 -a 1 -f 30 switch:admin_06> portcfgexport 7/10 Port 7/10 info Admin: enabled State: NOT OK Pid format: Not Applicable Operate mode: Brocade Native Edge Fabric ID:...
  • Page 213 Preferred domain ID (1-239). This command enforces the use of the same preferred domain ID for all the ports connected to the same edge fabric. When this option is specified, the preferred domain ID is compared against the online ports. If the domain ID are different, an error message is issued and the command fails.
  • Page 214 After identifying such ports, enter the portCfgPersistentEnable command to enable the port, and then the portCfgShow command to verify the port is enabled. switch:admin_06> portcfgpersistentenable 7/10 switch:admin_06> portcfgshow 7/10 Area Number: Speed Level: AUTO Trunk Port Long Distance VC Link Init Locked L_Port Locked G_Port Disabled E_Port...
  • Page 215 switch:admin_06> portshow 7/10 portName: portHealth: OFFLINE Authentication: None EX_Port Mode: Enabled Fabric ID: Front Phantom: state = Not OK Pref Dom ID: 160 Fabric params: R_A_TOV: 0 E_D_TOV: 0 PID fmt: au Authentication Type: None Hash Algorithm: N/A DH Group: N/A Edge fabric's primary wwn: N/A Edge fabric's version stamp: N/A portDisableReason: None...
  • Page 216: Configuring Lsans And Zoning

    Configuring LSANs and zoning An LSAN consists of zones in two or more edge or backbone fabrics that contain the same device(s). LSANs essentially provide selective device connectivity between fabrics without forcing you to merge those fabrics. FC routers provide multiple mechanisms to manage interfabric device connectivity through extensions to existing switch management interfaces.
  • Page 217 • Switch2 is connected to the 4/256 SAN Director with a B-Series MP Router blade using another EX_Port or VEX_Port • Host has WWN 10:00:00:00:c9:2b:c9:0c (connected to switch1) • Target A has WWN 50:05:07:61:00:5b:62:ed (connected to switch2) • Target B has WWN 50:05:07:61:00:49:20:b4 (connected to switch2) The following procedure shows how to control device communication with LSAN.
  • Page 218 Enter the zoneCreate command to create the LSAN lsan_zone_fabric2, which includes the host (10:00:00:00:c9:2b:6a:2c), Target A, and Target B. switch:admin_06> zonecreate "lsan_zone_fabric2", "10:00:00:00:c9:2b:c9:0c;50:05:07:61:00:5b:62:ed;50:05:07:61:00:49:20:b4" Enter the cfgShow command to verify that the zones are correct. switch:admin_06> cfgshow Defined configuration: zone: lsan_zone_fabric2 10:00:00:00:c9:2b:c9:0c;...
  • Page 219: Configuring Backbone Fabrics For Interconnectivity

    On the 4/256 SAN Director with a B-Series MP Router blade, the host and fabric75 are imported, because both are defined by lsan_zone_fabric2 and lsan_zone_fabric75. However, target B defined by lsan_zone_fabric75 is not imported because lsan_zone_fabric2 does not allow it. When a PLOGI, PDISC, or ADISC arrives at the 4/256 SAN Director with a B-Series MP Router blade, the SID and DID of the frame are checked.
  • Page 220: Upgrade, Downgrade, And Ha Considerations

    To set and display the router port cost Disable any port on which you want to set the router port cost. Enable admin for the EX_Port/VEX_Port with portCfgExport or portCfgVexport. Enter the fcrRouterPortCost command to display the router port cost per EX_Port. switch:admin_06>...
  • Page 221: Setting A Proxy Pid

    router cost IFLs to another port group (for example ports 8–15). For VEX_Ports, you would use ports in the range of 16-23 or 24-31. You can connect multiple EX_Ports or VEX_Ports to the same edge fabric. The EX_Ports can all be on the same 400 MP Router or 4/256 SAN Director with a B-Series MP Router blade, or they can be on multiple routers.
  • Page 222: Ex_Port Frame Trunking (Optional)

    The default values for R_A_TOV and E_D_TOV are the recommended values for all but very large fabrics (ones requiring four or more hops) or high-latency fabrics (such as ones using long-distance FCIP links). EX_Port frame trunking (optional) In Fabric OS v5.2.x, you can configure EX_Ports to use frame based trunking just as you do regular E_Ports.
  • Page 223: Using Ex_Port Frame Trunking

    Upgrade and Downgrade Considerations Table 50 describes the upgrade and downgrade considerations for EX_Port Frame Trunking. Table 50 Trunking upgrade and downgrade considerations Upgrade or downgrade Consideration A firmware downgrade from Fabric OS If EX_Port trunking is on, prior to the firmware downgrade, the v5.2.x to Fabric OS v5.1.0 script displays a message requesting that you disable EX_Port trunking.
  • Page 224: Monitoring Resources

    To display EX_Port trunking information Log in as an admin and connect to the switch. Enter the switchShow command to display trunking information for the EX_Ports. fcr_switch:admin_06> switchshow The following is an example of a master EX_Port and a slave EX_Port displayed in switchShow. Index Slot Port Address Media Speed State ============================================== ee1000...
  • Page 225 • Phantom Node WWN—The display shows the maximum versus the currently allocated phantom switch node WWNs. The phantom switch requires node WWNs for FSPF and manageability purposes. Phantom node names are allocated from the pool sequentially and are not reused until the pool is exhausted and rolls over.
  • Page 226: Routing Echo

    Routing ECHO The FC-FC Routing Service enables you to route the ECHO generated when an fcPing command is issued on a switch, providing fcPing capability between two devices in different fabrics across the 400 MP Router or 4/256 SAN Director with a B-Series MP Router blade. To check for Fibre Channel connectivity problems On the edge Fabric OS switch, make sure that the source and destination devices are properly...
  • Page 227: Interoperability With Legacy Fcr Switches

    Interoperability with legacy FCR switches The following interoperability considerations apply when administering legacy FCR switches in the same backbone (BB) fabric as switches supporting Fabric OS v5.2.x: • When a legacy switch is connected to the fabric, a RAS log message is issued indicating that the capability of the backbone (BB) fabric is lower as legacy FCR switches (those with XPath OS and Fabric OS v5.1) support lower capability limits.
  • Page 228: Connecting To Hp M-Series Or Mcdata Sans

    Connecting to HP M-Series or McDATA SANs Fabric OS 5.2.x lets you connect an HP StorageWorks B-Series fabric to an HP M-Series or McDATA fabric. Because of the high degree of connectivity, the devices across the remote fabrics can be shared. Fabric OS 5.2.x furnishes the FC router with the ability to connect to HP M-Series fabrics in Open mode and McDATA Fabric mode.
  • Page 229: Connectivity Modes

    NOTE: Trunking is not supported on EX_Ports connected to the McDATA fabric. Connectivity modes You can connect to M-Series fabrics in either McDATA Open mode or McDATA Fabric mode. If the mode is not configured correctly, the port is disabled for incompatibility. NOTE: HP M-Series and McDATA fabrics are supported in Open mode.
  • Page 230: Configuring Interoperability

    The following example sets port 10/12 to admin-enabled, assigns a Fabric ID of 41 and sets the port to Core PID and to Brocade mode. For complete information about any Fabric OS command, see ”Configuring interoperability mode” on page 399. switch:admin_06>...
  • Page 231 McDATA connection mode to McDATA fabric. switch:admin_06> portcfgexport 10/13 -a 1 -f 37 -m 2 Enable the port by issuing the portEnable command. switch>:admin_06 portenable 10/13 • Connect IFL 1 and verify EX_PORT connectivity. Repeat for all HP fabric IFLs. •...
  • Page 232: Configuring M-Series Or Mcdata For Interconnection

    For information about edge fabric setup on E_ports and interswitch linking, see ”Administering ISL Trunking” on page 333. For information on EX_Port Frame trunking setup on the FCR switch, see ”Using EX_Port Frame trunking” on page 223. 11. Capture a SAN profile of the McDATA and HP SANs, identifying the number of devices in each SAN. By projecting the total number of devices and switches expected in each fabric when the LSANs are active, you can quickly determine the status of the SAN by issuing the commands nsAllShow and fabricShow on the HP fabric.
  • Page 233: San Pilot And Efcm Zone Screens

    To prepare the McDATA fabric Log in to SAN Pilot or basic EFC Manager depending upon the firmware release. From the SAN Pilot left navigation menu, select Configure. Select the Zoning tab, then select the Zones tab. (select Configure > Zoning on EFCM). Figure 13 SAN Pilot and EFCM zone screens NOTE:...
  • Page 234: Pending Zone Set List In San Pilot And Efcm Zone Screens

    In SAN Pilot, click the Add button to add the specified Zone. As shown in the following illustration, when you add the new zone name, the name is displayed in the Pending Zone Set list. Figure 14 Pending Zone Set list in SAN Pilot and EFCM zone screens To add devices that are connected to the HP fabric, select Edit button in the Pending Zone set.
  • Page 235: Lsan Zoning With Mcdata

    In EFCM, return to the main window and select Configure, then select Activate Zone Set to launch the zone set activation window. Highlight the zone set to be activated and click Next. Click Next again, then Start to activate the zone set. Figure 15 Adding a zone set name in SAN Pilot Regardless of the method used, you should now verify that the new zone set containing your LSAN has...
  • Page 236: Completing The Configuration

    Move back to the 400 MP Router and B-Series MP Router (FR4-18i) blade and issue the fcrProxyDevShow command on to verify that the devices are configured and exported. switch:admin_06> fcrproxydevshow Proxy Proxy Device Physical State Created Exists in Fabric in Fabric ---------------------------------------------------------------------------- 20:00:00:01:73:00:59:dd...
  • Page 237 Log in to the switch and issue the nsAllShow or the nsCamShow command. edgeswitch:admin_06> nsallshow 010e00 020000 03f001 04f002 4 Nx_Ports in the Fabric } edgeswitch:admin_06> nscamshow nscam show for remote switches: Switch entry for 1 state owner known v520 0xfffc02 Device list: count 1 Type Pid...
  • Page 239: Administering Ficon Fabrics

    Administering FICON fabrics Overview of Fabric OS support for FICON IBM Fibre Connections (FICON®) is an industry-standard, high-speed input/output (I/O) interface for mainframe connections to storage devices. Fabric OS supports intermix mode operations, in which FICON and Fibre Channel technology work together. For specific information about intermix mode and other aspects of FICON, refer to the IBM Redbook, FICON®...
  • Page 240: Supported Switches

    authenticated using digital certificates and unique private keys provided to the Switch Link Authentication Protocol (SLAP). • Switch binding is a security method for restricting devices that connect to a particular switch. If the device is another switch, this is handled by the SCC policy. If the device is a host or storage device, the Device Connection Control (DCC) policy binds those devices to a particular switch.
  • Page 241: Types Of Ficon Configurations

    Types of FICON configurations There are two types of FICON configurations: • A single-switch configuration (called switched point-to-point) requires that the channel be configured to use single-byte addressing. If the channel is set up for two-byte addressing, then the cascaded configuration setup applies.
  • Page 242: Ficon Commands

    FICON commands Table 53 summarizes the Fabric OS CLI commands that can be used for managing FICON fabrics. For detailed information on these commands, refer to the Fabric OS Command Reference Manual. Table 53 Fabric OS commands related to FICON and FICON CUP Command Description Standard Fabric OS commands:...
  • Page 243: Configuring Switches

    NOTE: The Fabric OS CLI supports only a subset of the management features for FICON fabrics. The full set of FICON CUP administrative procedures is available using the Fabric Manager and Web Tools software features. You can also use an SNMP agent and the FICON Management Information Base (MIB). For information on these tools, refer to: •...
  • Page 244: Preparing A Switch

    • Some 1-Gbit/sec storage devices cannot auto-negotiate speed with the 4/256 SAN Director or SAN Switch 4/32 ports. For these types of devices, configure ports that are connected to 1-Gbit/sec storage devices for fixed 1-Gbit/sec speed. Preparing a switch To verify and prepare a switch for use in a FICON environment, complete the following steps: Connect to the switch and log in as admin.
  • Page 245: Setting A Unique Domain Id

    CAUTION: If Security is enabled via the CLI in the FICON environment, then you should use the following syntax for the secModeEnable command: secmodeenable --lockdown=scc --currentpwd --fcs “*” Issuing the secModeEnable command as it appears above enables security and creates an SCC policy with all of the switches that currently reside in the fabric.
  • Page 246: Displaying Information

    Respond to the remaining prompts (or press Ctrl-d to accept the other settings and exit). Enter the switchEnable command to re-enable the switch. switch:admin> configure Configure... Fabric parameters (yes, y, no, n): [no] yes Domain: (1..239) [3] 5 R_A_TOV: (4000..120000) [10000] E_D_TOV: (1000..5000) [2000] Data field size: (256..2112) [2112] Sequence Level Switching: (0..1) [0]...
  • Page 247: Fru Failures

    FRU failures To display FRU failure information, connect to the switch, log in as admin, and enter one of the following commands: • For the local switch: ficonshow ilir • For all switches defined in the fabric: ficonshow ilir fabric Swapping ports If a port malfunctions, or if you want to connect to different devices without having to re-wire your swap ports...
  • Page 248: Using Ficon Cup

    Using FICON CUP Host-based management programs manage switches using CUP protocol by sending commands to an emulated control device in Fabric OS. A switch that supports CUP can be controlled by one or more host-based management programs. mode register controls the behavior of the switch with respect to CUP itself, and with respect to the behavior of other management interfaces.
  • Page 249: Enabling And Disabling Ficon Management Server Mode

    Enabling and disabling FICON management server mode To enable fmsmode: Connect to the switch and log in as admin. Enter ficoncupset fmsmode enable. To disable fmsmode: Connect to the switch and log in as admin. Enter ficoncupset fmsmode disable. The fmsmode setting can be changed whether the switch is offline or online. If fmsmode is changed while the switch is online, a device reset is performed for the control device and an RSCN is generated with PID 0xDDFE00 (where 0xDD is the domain ID of the switch).
  • Page 250: Setting Up Cup When Ficon Management Server Mode Is Enabled

    Changing fmsmode from enabled to disabled triggers the following events: A device reset is performed on the control device. PDCM is no longer enforced. RSCNs might be generated to some devices if PDCM removal results in changes to connectivity between a set of ports. If a given port was set to “Block”...
  • Page 251: Displaying Mode Register Bit Settings

    Displaying mode register bit settings The mode register bits are described in Table 54 Table 54 FICON CUP mode register bits POSC Programmed offline state control. When this bit is set on, the host is prevented from taking the switch offline. The default setting is 1 (on). User alert mode.
  • Page 252: Setting Mode Register Bits

    Setting mode register bits Use the ficoncupset modereg command to set the FICON CUP mode register bits for the local switch. Consider the following when changing mode register bits: • As required by the CUP protocol, the UAM bit cannot be changed using this command. •...
  • Page 253: Port And Switch Naming Standards

    Port and switch naming standards Fabric OS handles differences in port and switch naming rules between CUP and itself as follows: • CUP employs 8-bit characters in port address names and switch names; Fabric OS employs 7-bit characters. When fmsmode is enabled, all characters greater than 0x40 and not equal to 0xFF (EBCDIC code page 37 [0x25]) are allowed in the name;...
  • Page 254: Troubleshooting

    Troubleshooting The following sources provide useful problem-solving information: • The standard support commands (portLogDump, supportSave, supportShow) or the Fabric Manager Event Log By default, the FICON group in the supportShow output is disabled. To enable the capture of FICON data in the supportShow output, enter the supportshowcfgenable ficon command. After you get confirmation that the configuration has been updated, the following will be collected and appear in the output for the supportShow command: •...
  • Page 255: Backing Up Ficon Files

    Backing up FICON files The FICON file access facility is used to store configuration files. This includes IPL and other configuration files. The Fabric OS saves the IPL and all other configuration files on the switch. A maximum of 16 configuration files, including the IPL file, are supported.
  • Page 256 Table 55 FICON switch configuration worksheet ® ® FICON Switch Manufacturer:___________________Type: _________ Model: ______ S/N: ________ HCD Defined Switch ID_________(Switch ID) Cascaded Directors No _____Yes _____ ® FICON Switch Domain ID_________(Switch @) Corresponding Cascaded Switch Domain ID _____ Fabric Name ________________________________ ®...
  • Page 257: San Director Switches

    Sample IOCP configuration file for SAN Switch 2/32, SAN Switch 4/32, SAN Director 2/128, and 4/256 SAN Director switches The channel subsystem controls communication between a configured channel, the control unit, and the device. The I/O Configuration Dataset (IOCDS) defines the channels, control units, and devices to the designated logical partitions (LPARs) within the server;...
  • Page 258: Sample Rmf Configuration File For Mainframe

    In the following sample IOCP configuration file, the UNIT value for FICON CUP definitions is 2032 for any FICON Director regardless of vendor or platform. So all SAN Switch 2/32, SAN Switch 4/32, or SAN Director 2/128 switches require UNIT=2032 for the CUP definition. All Domain IDs are specified in hex values in the IOCP (and not in decimal values);...
  • Page 259 /****************************************************************** ***/ /* MONITOR I OPTIONS O N L Y /****************************************************************** ***/ /* FICON Director CHAN /* COLLECT CHANNEL STATISTICS /* COLLECT CPU STATISTICS CYCLE(1000) /* SAMPLE ONCE EVERY SECOND DEVICE(NOSG) /* PREVENT SORT OF STORAGE GROUPS*/ DEVICE(NOCHRDR) /* CHARACTER READER STATISTICS WILL NOT BE COLLECTED DEVICE(COMM) /* COMMUNICATION EQUIPMENT STATS.
  • Page 261: Configuring The Distributed Manager Server

    Configuring the distributed manager server The Fabric OS Distributed Management Server allows a SAN management application to retrieve information and administer interconnected switches, servers, and storage devices. The management server assists in the autodiscovery of switch-based fabrics and their associated topologies. A client of the management server can find basic information about the switches in the fabric and use this information to construct topology relationships.
  • Page 262: Controlling Access

    To disable platform services Connect to the switch and log in as admin. Enter the msplMgmtDeactivate command. Press y to confirm deactivation. switch:admin> msplmgmtdeactivate MS Platform Service is currently enabled. This will erase MS Platform Service configuration information as well as database in the entire fabric. Would you like to continue this operation? (yes, y, no, n): [no] y Request to deactivate MS Platform Service in progress..
  • Page 263 To add a member to the ACL Connect to the switch and log in as admin. Enter the msConfigure command. The command becomes interactive. At the select prompt, enter 2 to add a member based on its port/node WWN. Enter the WWN of the host to be added to the ACL. At the prompt, enter 1 to verify the WWN you entered was added to the ACL.
  • Page 264: Configuring The Server Database

    Press Enter to update the nonvolatile memory and end the session. switch:admin> msconfigure Done Display the access list Add member based on its Port/Node WWN Delete member based on its Port/Node WWN select : (0..3) [1] 3 Port/Node WWN (in hex): [00:00:00:00:00:00:00:00] 20:00:00:20:37:65:ce:aa *WWN is successfully deleted from the MS ACL.
  • Page 265: Controlling Topology Discovery

    The contents of the management server platform database are displayed. switch:admin> msplatshow ----------------------------------------------------------- Platform Name: [9] "first obj" Platform Type: 5 : GATEWAY Number of Associated M.A.: 1 [35] "http://java.sun.com/products/plugin" Number of Associated Node Names: 1 Associated Node Names: 10:00:00:60:69:20:15:71 ----------------------------------------------------------- Platform Name: [10] "second obj"...
  • Page 266 Press y to disable the discovery feature. Enter the mstdDisable all command to disable the discovery feature on the entire fabric. Press y to disable the discovery feature. NOTE: Disabling management server topology discovery might erase all NID entries. switch:admin> mstddisable This may erase all NID entries.
  • Page 267: Working With Diagnostic Features

    Working with diagnostic features This chapter provides information on diagnostics and how to display system, port, and specific hardware information. It also describes how to set up system logging mapping (syslogd) and how to set up the offloading of error messages (supportSave). About Fabric OS diagnostics The purpose of the diagnostic subsystem is to evaluate the integrity of the system hardware.
  • Page 268: Viewing Switch Status

    The following example shows a typical boot sequence, including POST messages: The system is coming up, please wait... Read board ID of 0x80 from addr 0x23 Read extended model ID of 0x16 from addr 0x22 Matched board/model ID to platform index 4 PCI Bus scan at bus 0 Checking system RAM - press any key to stop test Checking memory address: 00100000...
  • Page 269 To view the overall status of the switch Connect to the switch and log in as admin. Enter the switchStatusShow command: switch:admin> switchstatusshow Switch Health Report Report time: 03/21/2005 03:50:36 PM Switch Name: SWFCR IP address: 10.33.54.176 SwitchState: MARGINAL Duration: 863:23 Power supplies monitor MARGINAL...
  • Page 270: Viewing Port Information

    To display the uptime for a switch Connect to the switch and log in as admin. At the command line, enter the uptime command: switch:admin> uptime 4:43am up 1 day, 12:32, 1 user, load average: 1.29, 1.31, 1.27 switch:admin> The uptime command displays the length of time the system has been in operation, the total cumulative amount of uptime since the system was first powered-on, the date and time of the last reboot (applies only to FOS v3.x and v2.6.x systems), the reason for the last reboot (applies only to FOS v3.x and v2.6.x systems), and the load average over the past one minute (1.29 in the preceding example), five minutes...
  • Page 271 To display the port statistics Connect to the switch and log in as admin. At the command line, enter the portStatsShow command. Port statistics include information such as number of frames received, number of frames sent, number of encoding errors received, and number of class 2 and class 3 frames received. Refer to the Fabric OS Command Reference Manual for additional portStatsShow command information, such as the syntax for slot or port numbering.
  • Page 272 To display a summary of port errors for a switch Connect to the switch and log in as admin. At the command line, enter the portErrShow command. Refer to the Fabric OS Command Reference Manual for additional portErrShow command information. switch:admin>...
  • Page 273: Viewing Equipment Status

    Error Type Description frjt Frames rejected with F_RJT fbsy Frames busied with F_BSY Viewing equipment status You can display status for fans, power supply, and temperature. NOTE: The number of fans, power supply units, and temperature sensors depends on the switch type. For detailed specifications on these components, refer to the switch install guide.
  • Page 274: Viewing The System Message Log

    To display temperature status Connect to the switch and log in as admin. At the command line, enter the tempShow command: switch:admin> tempshow Index Status Centigrade Fahrenheit ---------------------------------------------------- switch:admin> Information displays for each temperature sensor in the switch. The possible temperature status values are: OK—Temperature is within acceptable range.
  • Page 275: Viewing The Port Log

    Viewing the port log The Fabric OS maintains an internal log of all port activity. The port log stores entries for each port as a circular buffer. Each port has space to store 8000 log entries. When the log is full, the newest log entries overwrite the oldest log entries.
  • Page 276: Configuring For Syslogd

    Because a portLogDump output is long, a truncated example is presented: switch:admin> portlogdump task event port cmd args ------------------------------------------------- 16:30:41.780 PORT Rx 9 40 02fffffd,00fffffd,0061ffff,14000000 16:30:41.780 PORT Tx 9 0 c0fffffd,00fffffd,0061030f 16:30:42.503 PORT Tx 9 40 02fffffd,00fffffd,0310ffff,14000000 16:30:42.505 PORT Rx 9 0 c0fffffd,00fffffd,03100062 16:31:00.464 PORT Rx 9 20 02fffc01,00fffca0,0063ffff,01000000 16:31:00.464 PORT Tx 9 0 c0fffca0,00fffc01,00630311 16:31:00.465 nsd ctin 9 fc 000104a0,0000007f...
  • Page 277: Configuring The Switch

    In this example, Fabric OS messages map to local7 facility level 7 in the /etc/syslog.conf file: local7.emerg /var/adm/swcritical local7.alert /var/adm/alert7 local7.crit /var/adm/crit7 local7.err /var/adm/swerror local7.warning /var/adm/swwarning local7.notice /var/adm/notice7 local7.info /var/adm/swinfo local7.debug /var/adm/debug7 If you prefer to map Fabric OS severities to a different UNIX local7 facility level, see “To set the facility level”...
  • Page 278: Viewing And Saving Diagnostic Information

    Viewing and saving diagnostic information Enter the supportShow command to dump important diagnostic and status information to the session screen, where you can review it or capture its data. To save a set of files that customer support technicians can use to further diagnose the switch condition, enter the supportSave command.
  • Page 279 To enable the automatic transfer of trace dumps Connect to the switch and log in as admin. Enter the following command: switch:admin> traceftp -e To set up periodic checking of the remote server Connect to the switch and log in as admin. Enter the following command: interval switch:admin>...
  • Page 281: Most Common Problem Areas

    Troubleshooting This chapter provides information on troubleshooting and the most common procedures used to diagnose and recover from problems. It also includes specific troubleshooting scenarios as examples. Troubleshooting should begin at the center of the SAN — the fabric. Because switches are located between the hosts and storage devices and have visibility into both sides of the storage network, starting with them can help narrow the search path.
  • Page 282: Gathering Information For Technical Support

    Gathering information for technical support If you are troubleshooting a production system, you need to gather data quickly. As soon as a problem is observed, perform the following tasks (if using a dual CP system, run the commands on both CPs): Enter the supportSave command to save RASLOG, TRACE, and supportShow (active CP only) information for the local CP to a remote FTP location.
  • Page 283: Analyzing Connection Problems

    Use the following steps to retrieve as much of the following informational items as possible prior to contacting HP. Switch information: • Serial number (located on the chassis) • World Wide Name (obtain using licenseIdShow or wwn commands) • Fabric OS version (obtain using the version command) •...
  • Page 284 Regardless of the device’s zoning, the fcPing command sends the ELS frame to the destination port. A device can take any one of the following actions: • Send an ELS Accept to the ELS request. • Send an ELS Reject to the ELS request. •...
  • Page 285 To check the Name Server (NS) Enter the nsShow command on the switch to which the device is attached: The Local Name Server has 9 entries { Type Pid PortName NodeName TTL(sec) 021a00; 2,3;20:00:00:e0:69:f0:07:c6;10:00:00:e0:69:f0:07:c6; 895 Fabric Port Name: 20:0a:00:60:69:10:8d:fd 051edc; 3;21:00:00:20:37:d9:77:96;20:00:00:20:37:d9:77:96;...
  • Page 286: To Check For Zoning Problems

    To check for zoning problems Enter the cfgActvShow command to determine if zoning is enabled. If zoning is enabled, it is possible that the problem is being caused by zoning enforcement (for example, two devices in different zones cannot see each other). Confirm that the specific edge devices that need to communicate with each other are in the same zone.
  • Page 287: To Download A Correct Configuration

    Enter the configure command to edit the fabric parameters for the segmented switch. Refer to the Fabric OS Command Reference Manual for more detailed information. Enable the switch by entering the switchEnable command. Alternatively, you can reconcile fabric parameters by entering the configUpload command for each switch.
  • Page 288: To Correct A Fabric Merge Problem Quickly

    Table 59 summarizes commands that are useful for debugging zoning issues. Table 59 Commands for debugging zoning (command: function) aliCreate: Use to create a zone alias. aliDelete: Use to delete a zone alias. cfgCreate: Use to create a zone configuration. Displays zoning configuration....
  • Page 289: To Edit Zone Configuration Members

    To edit zone configuration members Log in to one of the switches in a segmented fabric as admin. Enter the cfgShow command. Print the output from the cfgShow command. Start another telnet session and connect to the next fabric as an administrator. Run the cfgShow command.
  • Page 290: To Check Fan Components

    Correcting I²C bus errors I²C bus errors generally indicate defective hardware or poorly seated devices or blades; the specific item is listed in the error message. Refer to the Fabric OS System Error Message Reference Manual for information specific to the error that was received. Some CPT and Environmental Monitor (EM) messages contain I²C-related information.
  • Page 291: Correcting Device Login Issues

    Correcting device login issues To try to pinpoint problems with device logins, use this procedure: Log in to the switch as admin. Enter the switchShow command; then, check for correct logins: switch:admin> switchshow switchName: sw094135 switchType: 26.1 switchState: Online switchMode: Native switchRole: Principal...
  • Page 292 Enter the portErrShow command; then, check for errors that can cause login problems. switch:admin> porterrshow frames enc disc link loss loss frjt fbsy err shrt long c3 fail sync ===================================================================== 58k 111k 3.5g 3.5g 2.0k • A high number of errors relative to the frames transmitted and frames received can indicate a marginal link (refer to “Correcting marginal links”...
  • Page 293 Enter the portFlagsShow command; then, check to see how a port has logged in and where a login failed (if a failure occurred): switch:admin> portflagsshow Slot Port SNMP Physical Flags ------------------------------------ 0 Offline No_Module PRESENT U_PORT LED 1 Offline No_Module PRESENT U_PORT LED 2 Offline No_Module...
  • Page 294 Enter the portLogDumpPort portid command where the port ID is the port number; then, view the device to switch communication. switch:admin> portlogdumpport 10 time task event port cmd args ------------------------------------------------- 12:38:21.590 SPEE 00000000,00000000,00000000 12:38:21.591 SPEE 000000ee,00000000,00000000 12:38:21.611 SPEE 00000001,00000000,00000000 12:38:21.871 SPEE 00000002,00000000,00000001 12:38:21.872...
  • Page 295: Identifying Media-Related Issues

    Identifying media-related issues This section provides procedures that help pinpoint any media-related issues in the fabric. The tests listed in Table 60 are a combination of structural and functional tests that can be used to provide an overview of the hardware components and help identify media-related issues. •...
  • Page 296: To Test A Switch's Internal Components

    To test a switch’s internal components Connect to the switch and log in as admin. Connect the port you want to test to any other switch port with the cable you want to test. Enter the crossporttest -lb_mode 5 command where 5 is the operand that causes the test to be run on the internal switch components (this is a partial list—refer to the Fabric OS Command Reference Manual for additional command information): [-nframes count]—Specify the number of frames to send.
  • Page 297: Correcting Link Failures

    Correcting link failures A link failure occurs when a server or storage is connected to a switch, but the link between the server/storage and the switch does not come up. This prevents the server/storage from communicating through the switch. If the switchShow command or LEDs indicate that the link has not come up properly, use one or more of the following procedures.
  • Page 298: To Check For A Point-To-Point Initialization Failure

    Skip point-to-point initialization. The switch changes to point-to-point initialization after the Loop Initialization Soft Assigned (LISA) phase of the loop initialization. This behavior sometimes causes trouble with old HBAs. If this is the case, then: Skip point-to-point initialization by using the portCfgLport command. To check for a point-to-point initialization failure Enter the switchShow command to confirm that the port is active and has a module that is synchronized.
  • Page 299: Correcting Marginal Links

    Correcting marginal links A marginal link involves the connection between the switch and the edge device. Isolating the exact cause of a marginal link involves analyzing and testing many of the components that make up the link (including the switch port, switch SFP, cable, the edge device, and the edge device SFP). To troubleshoot a marginal link: Enter the portErrShow command.
  • Page 300: Inaccurate Information In The System Message Log

    You will need an adapter to run the loopback test for the SFP. Otherwise, run the portloopbacktest on the marginal port using the loopback mode lb=5. Refer to the Fabric OS Command Reference Manual for additional information. Loopback mode Description Port Loopback (loopback plugs) External (SERDES) loopback Internal (parallel) loopback (indicates no external...
  • Page 301: Port Mirroring

    • VE_Port—Functions somewhat like an E_Port, but terminates at the switch and does not propagate fabric services or routing topology information from one edge fabric to another. • VEX_Port—A type of VE_Port that connects a Fibre Channel router to an edge fabric. From the point of view of a switch in an edge fabric, a VEX_Port appears as a normal VE_Port.
  • Page 302: Supported Hardware

    Supported hardware Port mirroring is supported on Condor-based ASIC platforms, including: • SAN Switch 4/32 • 4/64 SAN Switch • 400 MP Router • 4/256 SAN Director with chassis option 5 Port mirroring can be used on the following blades within a chassis: •...
  • Page 303: How Port Mirroring Works

    How port mirroring works Port mirroring reroutes the data frames between two devices to the mirror port. Rerouting introduces latency for the data flow. The latency depends on the location of the mirror port. For a given port, the traffic received from the point of view of the switch can be captured before leaving this ASIC.
  • Page 304: Port Mirroring Considerations

    There are two types of transmit filter installation: • If the E_Port is on the same chip, port mirroring installs an egress (transmitted information) filter on the source port. • If the E_Port is on a different chip, port mirroring installs the filter on the C_Ports of the other chip. To better explain how the transmit filter works on each of these types, the method used for both types is described as follows: •...
  • Page 305: Creating, Deleting, And Displaying Port Mirroring

    Creating, deleting, and displaying port mirroring The following section describes how to use the port mirroring feature in the fabric. The method for adding a port mirror connection between two local switch ports and between a local switch port and a remote switch port is the same. To add a port mirror connection Log in to the switch as admin.
  • Page 306 The switchShow command output shows the mirror port as shown in the following example. switch:admin> switchshow switchName:ESS118 switchType: 42.2 switchState: Online switchMode: Native switchRole:Subordinate switchDomain: 121 switchId:fffc79 switchWwn:10:00:00:60:69:e4:00:a0 zoning:ON (c) switchBeacon: OFF blade2 Beacon: Area Slot Port Media Speed State ===================================== --N4 No_Module...
  • Page 307: Administering Npiv

    Administering NPIV N-Port ID Virtualization (NPIV) enables a single Fibre Channel protocol port to appear as multiple, distinct ports, providing separate port identification within the fabric for each operating system image behind the port (as if each operating system image had its own unique physical port). NPIV assigns a different virtual port ID to each Fibre Channel protocol device.
  • Page 308: Configuration Scenarios

    The following example shows the configuration of these parameters: switch:admin> switchdisable switch:admin> configure Configure... Fabric parameters (yes, y, no, n): [no] Virtual Channel parameters (yes, y, no, n): [no] F-Port login parameters (yes, y, no, n): [no] y Maximum logins per switch: (1..4032) [4032] 2048 Maximum logins per port: (1..255) [255] 126 switch:admin>...
  • Page 309 output indicates whether or not a port is an NPIV F_Port, and identifies the number of virtual N_Ports behind it. Following is sample output from the switchShow command: switch: admin> switchshow switchName:swd77 switchType:32.0 switchState: Online switchMode:Native switchRole:Principal switchDomain: 99 switchId:fffc63 switchWwn:10:00:00:05:1e:35:37:40 zoning: switchBeacon:OFF...
  • Page 310: Displaying Login Information

    Use the portShow command to view the NPIV attributes and all the N_Port (physical and virtual) port WWNs under “portWwn of device(s) connected.” Following is sample output for portShow: switch:admin> portshow 2 portName: 02 portHealth: HEALTHY Authentication: None portDisableReason: None portCFlags: 0x1 portFlags: 0x24b03 PRESENT ACTIVE F_PORT G_PORT NPIV LOGICAL_ONLINE LOGIN NOELP LED ACCEPT...
  • Page 311: Administering Advanced Performance Monitoring (Apm)

    Administering Advanced Performance Monitoring (APM) Based on Frame Filtering technology and a unique performance counter engine, Advanced Performance Monitoring (APM) is a comprehensive tool for monitoring the performance of networked storage resources. It supports direct-attach, loop, and switched fabric Fibre Channel SAN topologies by: •...
  • Page 312 Table 64 lists commands associated with Advanced Performance Monitoring. Advanced Performance Monitor commands are available only to users with the admin or switchAdmin roles. For detailed information on these commands, refer to the Fabric OS Command Reference Manual. Table 64 APM commands Command Description...
  • Page 313: Displaying And Clearing The Crc Error Count

    Displaying and clearing the CRC error count You can use the perfShowAlpaCrc command to display the CRC error count for all AL_PA devices or for a single AL_PA on a specific active L_Port. Example: Displaying the CRC error count for all AL_PA devices on a port switch:admin>...
  • Page 314: Adding End-To-End Monitors

    Adding end-to-end monitors An end-to-end monitor counts the following items for a port: number of words received, number of words transmitted, and number of CRC errors detected in frames. 4/16 SAN Switch and 4/8 SAN Switch, SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, and SAN Director 2/128 models allow up to eight end-to-end monitors.
  • Page 315: Setting A Mask For End-To-End Monitors

    Add Monitor 0 to slot 2, port 2 on Switch x, specifying 0x051200 as the SID and 0x111eef as the DID, as shown in the following example: Monitor 0 counts the frames that have an SID of 0x051200 and a DID of 0x111eef. For monitor 0, RX_COUNT is the number of words from Host A to Dev B, TX_COUNT is the number of words from Dev B to Host A, and CRC_COUNT is the number of frames in both directions with CRC errors.
  • Page 316: Deleting End-To-End Monitors

    The mask is applied to all end-to-end monitors on the port. Individual masks for each monitor on the port cannot be specified. Figure 20 Mask positions for end-to-end monitors Received by port Transmitted from port SID mask DID mask SID mask DID mask perfsetporteemask 1/2, “00:00:ff”...
  • Page 317: Monitoring Filter-Based Performance

    Monitoring filter-based performance Filter-based performance monitoring counts the number of times a frame with a particular pattern is transmitted by a port. Filter-based monitoring is achieved by configuring a filter for a particular purpose. The filter can be a standard filter (for example, a SCSI read command filter that counts the number of SCSI read commands that have been transmitted by the port) or a user-defined filter customized for your particular use.
  • Page 318: Adding Custom Filter-Ased Monitors

    Example: Add filter-based monitors to slot 1, port 2 and displays the results switch:admin> perfaddreadmonitor 1/2 SCSI Read filter monitor #0 added switch:admin> perfaddwritemonitor 1/2 SCSI Write filter monitor #1 added switch:admin> perfaddrwmonitor 1/2 SCSI Read/Write filter monitor #2 added switch:admin>...
  • Page 319: Deleting Filter-Based Monitors

    • 4/16 SAN Switch and 4/8 SAN Switch models (Fabric OS v5.0.1) Up to 7 different offsets per port (6 offsets when FMS is enabled). You can specify up to four values to compare against each offset. If more than one offset is required to properly define a filter, the bytes found at each offset must match one of the given values for the filter to increment its counter.
  • Page 320: Monitoring Isl Performance

    The following example displays the monitors on slot 1, port 4 using the perfShowFilterMonitor command (the monitor numbers are listed in the KEY column) and deletes monitor number 1 on slot 1, port 4 using the perfDelFilterMonitor command: switch:admin> perfshowfiltermonitor 1/4 There are 4 filter-based monitors defined on port 4.
  • Page 321: Displaying Monitor Counters

    Displaying monitor counters Use the perfMonitorShow command to display the monitors on a specified port. For end-to-end counters, you can display either the cumulative count of the traffic detected by the monitors or a snapshot of the traffic at specified intervals. NOTE: 4/16 SAN Switch and 4/8 SAN Switch, SAN Switch 4/32, 4/64 SAN Switch, 400 MP Router, and 4/256 SAN Director outputs do not include CRC counts.
  • Page 322 Example: Displaying EE monitors on a port switch:admin> perfMonitorShow --class EE 4/5 There are 7 end-to-end monitor(s) defined on port 53. OWNER_APP OWNER_IP_ADDR TX_COUNT RX_COUNT CRC_COUNT ------------------------------------------------------------------------------------------------------------ 0x58e0f 0x1182ef TELNET 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x21300 0x21dda TELNET 0x00000004d0ba9915 0x0000000067229e65 0x0000000000000000 0x21300 0x21ddc TELNET 0x00000004d0baa754...
  • Page 323: Clearing Monitor Counters

    Clearing monitor counters Before you clear statistics counters, verify the valid monitor numbers on a specific port using the perfMonitorShow command, to make sure the correct monitor counters are cleared. To clear statistics counters for all or a specified monitor, use the perfMonitorClear command. After the command has been executed, the telnet shell confirms that the counters on the monitor have been cleared.
  • Page 324: Saving And Restoring Monitor Configurations

    Saving and restoring monitor configurations To save the current end-to-end and filter monitor configuration settings into nonvolatile memory, use the perfCfgSave command: switch:admin> perfcfgsave This will overwrite previously saved Performance Monitoring settings in FLASH. Do you want to continue? (yes, y, no, n): [no] y Please wait ...
  • Page 325: Administering Extended Fabrics

    Administering Extended Fabrics This chapter contains procedures for using the Extended Fabrics licensed feature, which extends the distance that interswitch links (ISLs) can reach over a dark fiber or DWM connection. The Extended Fabrics feature is not used over FCIP connections over IP WANs. To use extended ISL modes, you must first install the Extended Fabrics license.
  • Page 326: Choosing An Extended Isl Mode

    versions earlier than v4.0.2 and v3.0.2c, make sure that VC translation link initialization is disabled because these versions do not support it. Choosing an Extended ISL mode Table 67 lists the extended ISL modes for switches that have a Bloom ASIC. You can configure extended ISL modes with the portCfgLongDistance command when the Extended Fabrics license is activated.
  • Page 327 Table 68 lists the extended ISL modes for the 4/16 SAN Switch and 4/8 SAN Switch. Table 68 4/16 SAN Switch and 4/8 SAN Switch extended ISL modes (Goldeneye ASIC) Mode Buffer allocation Distance @ Distance Distance Earliest Fabric Extended 1 Gbit/sec OS release Fabrics...
  • Page 328: Configuring External Ports

    For dynamic long distance links, you can approximate the number of buffer credits using the following formula: Buffer credits = [(distance in km) * (data rate) * 1000] / 2112 The data rate is 1.0625 for 1 Gbit/sec, 2.125 for 2 Gbit/sec, and 4.25 for 4 Gbit/sec and Fibre Channel. Configuring external ports The number of ports that can be configured per port group for each switch depends on both port speed and distance.
  • Page 329 Table 72 SAN Switch 4/32 Speed Number of ports allowed at distance (km) (continued) (Gbit/sec) 10 km 25 km 50 km 100 km 250 km 500 km 32 ports 32 ports up to 15 up to 7 up to 3 ports ports ports...
  • Page 330: Configuring An Extended Isl

    4/256 SAN Director (FC4-32 port blades) The number of ports that can be configured at various distances is summarized in Table Table 76 4/256 SAN Director (FC4-32 blades) Speed Number of Ports Allowed at Distance (km) (Gbit/sec) 10 km 25 km 50 km 100 km 250 km...
  • Page 331 To configure an extended ISL Connect to the switch and log in as admin. If the fabric contains HP StorageWorks 1 GB extended ISLs, use the switchDisable command to disable the switch and then use the configure command to set the fabric-wide configuration parameter fabric.ops.mode.longDistance to 1 on all switches in the fabric.
  • Page 333: Administering Isl Trunking

    Administering ISL Trunking This chapter contains procedures for using the ISL Trunking licensed feature, which optimizes the use of bandwidth by allowing a group of interswitch links to merge into a single logical link. Overview ISL Trunking reduces or eliminates situations that require static traffic routes and individual ISL management to achieve optimal performance.
  • Page 334: Standard Trunking Criteria

    Connections between SAN Switch 4/32, 4/64 SAN Switch, and 4/256 SAN Director (using FC4-16 and FC4-32 port blades) models support these advanced features: • Up to eight ports in one trunk group to create high performance 32-Gbit/sec ISL trunks between switches •...
  • Page 335: Initializing Trunking On Ports

    • Each physical ISL uses two ports that could otherwise be used to attach node devices or other switches. • Trunking groups can be used to resolve ISL oversubscription if the total capability of the trunking group is not exceeded. •...
  • Page 336: Monitoring Traffic

    Monitoring traffic To implement ISL Trunking effectively, you must monitor fabric traffic to identify congested paths or to identify frequently dropped links. While monitoring changes in traffic patterns, you can adjust the fabric design accordingly, such as by adding, removing, or reconfiguring ISLs and trunking groups in problem areas.
  • Page 337: Enabling And Disabling Isl Trunking

    Enabling and disabling ISL trunking You can enable or disable ISL Trunking for a single port or for an entire switch. When you execute the commands portCfgTrunkPort or switchCfgTrunk to update the trunking configuration, the ports for which the configuration applies are disabled and re-enabled with the new trunk configuration. As a result, traffic through those ports could be disrupted.
  • Page 338: Setting Port Speeds

    Setting port speeds For long-distance ports, if a port is set to autonegotiate port speed, the maximum speed (which is 4 Gbit/sec) is assumed for reserving buffers for the port–this wastes buffers if the port is actually running at 2 Gbit/sec.
  • Page 339: Displaying Trunking Information

    To set the speed for all of the ports on the switch Connect to the switch and log in as admin. Enter the switchCfgSpeed command. The format is: switchcfgspeed speedlevel, where speedlevel specifies the speed of the link: • 0—Auto-negotiating mode. The port automatically configures for the highest speed.
  • Page 340: Trunking Over Extended Fabrics

    This example shows three trunking groups (1, 2, and 3); ports 1, 4, and 14 are masters: switch:admin> trunkshow 1: 1 -> 10:00:00:60:69:04:10:83 deskew 16 Master 0 -> 10:00:00:60:69:04:10:83 deskew 15 2: 4 -> 10:00:00:60:69:04:01:94 deskew 16 Master 5 -> 10:00:00:60:69:04:01:94 deskew 15 7 ->...
  • Page 341: Troubleshooting Trunking Problems

    Troubleshooting trunking problems If you have difficulty with trunking, try the solutions in this section. Listing link characteristics If a link that is part of an ISL Trunk fails, use the trunkDebug command to troubleshoot the problem, as shown in the following procedure: Connect to the switch and log in as admin.
  • Page 342 Change LD/L1/L2/L0.5 back to L0 (of non-buffer limited ports). If you are in buffer-limited mode on the LD port, then increase the estimated distance. These changes are implemented only after disabling (portDisable) and enabling (portEnable) the buffer-limited port (or buffer-limited switch). Reconfiguring a port to LD from another mode can result in the port being disabled for lack of buffers–this does not apply to the SAN Switch 4/32 and 4/256 SAN Director (using FC4-16 and FC4-32 port blades).
  • Page 343: Administering Advanced Zoning

    20 Administering Advanced Zoning This chapter provides procedures for using the Advanced Zoning feature. About Zoning Zoning enables you to partition your SAN into logical groups of devices that can access each other. For example, you can partition your SAN into two zones, winzone and unixzone, so that your Windows servers and storage do not interact with your UNIX servers and storage.
  • Page 344: Zone Types

    Zone types Table 80 summarizes the types of Zoning. Table 80 Types of Zoning Zone type Description Storage-based Storage units typically implement LUN-based Zoning, also called masking. LUN-based Zoning limits access to the LUNs on the storage port to the specific WWN of the server HBA.
  • Page 345: Zone Objects

    Table 81 Approaches to fabric-based Zoning. Columns: Zoning approach, Description. Operating system: Zoning by operating system has issues similar to Zoning by application. In a large site, this type of zone can become very large and complex. When zone changes are made, they typically involve applications rather than a particular server type.
  • Page 346: Zone Objects

    Zone aliases also simplify repetitive entry of zone objects such as port numbers or a WWN. For example, you can use the name “Eng” as an alias for “10:00:00:80:33:3f:aa:11”. A useful convention is to name zones for the initiator they contain. For example, if you use the alias SRV_MAILSERVER_SLT5 to designate a mail server in PCI slot 5, then the alias for the associated zone is ZNE_MAILSERVER_SLT5.
  • Page 347: Hardware-Enforced Zoning

    • Prevents hosts from discovering unauthorized target devices. • Ensures that the name server does not return any information to an unauthorized initiator in response to a name server query. • Is exclusively enforced through selective information presented to end nodes through the fabric Simple Name Server (SNS).
  • Page 348 name server returns only those devices that are in the same zone as the initiator. Devices that are not part of the zone are not returned as accessible devices. Table 82 shows the various switch models, the hardware Zoning methodology for each, and tips for best usage.
  • Page 349: Hardware-Enforced Non-Overlapping Zones

    Figure 23 shows a fabric with four non-overlapping hardware-enforced zones. [Figure 23: Hardware-enforced non-overlapping zones. Labels: WWN_Zone1, Port_Zone1, WWN_Zone2, Port_Zone2, Core Switch, Zone Boundaries.] Figure 24 shows the same fabric components zoned in an overlapping fashion.
  • Page 350: Hardware-Enforced Overlapping Zones

    [Figure 24: Hardware-enforced overlapping zones. Labels: WWN_Zone1, Port_Zone1, Port_Zone2, WWN_Zone2, Core Switch, Zone Boundaries.] Any zone using both WWNs and domain, port entries on the 2 Gbit/sec platform relies on Name Server authentication as well as hardware-assisted (ASIC) authentication, which ensures that any PLOGI/ADISC/PDISC/ACC from an unauthorized device attempting to access a device it is not zoned with is rejected.
  • Page 351: Rules For Configuring Zones

    Rules for configuring zones Observe the following rules when configuring zones. • If security is a priority, you should use hard Zoning. • The use of aliases is optional with Zoning, and using aliases requires structure when defining zones. However, aliases help administrators of a zoned fabric understand the structure and context. •...
  • Page 352: To Create An Alias

    To create an alias Connect to the switch and log in as admin. Enter the aliCreate command. Enter the cfgSave command to save the change to the defined configuration. switch:admin> alicreate "array1", "2,32; 2,33; 2,34; 4,4" switch:admin> alicreate "array2", "21:00:00:20:37:0c:66:23; 4,3" switch:admin>...
  • Page 353: To Delete An Alias

    To delete an alias Connect to the switch and log in as admin. Enter the aliDelete command. Enter the cfgSave command to save the change to the defined configuration. switch:admin> alidelete "array1" switch:admin> cfgsave You are about to save the Defined Zoning configuration. This action will only save the changes on the Defined configuration.
  • Page 354: To Add Devices (Members) To A Zone

    To add devices (members) to a zone Connect to the switch and log in as admin. Enter the zoneAdd command. Enter the cfgSave command to save the change to the defined configuration. switch:admin> zoneadd "greenzone", "1,2" switch:admin> zoneadd "redzone", "21:00:00:20:37:0c:72:51" switch:admin>...
  • Page 355: Activating Default Zones

    Activating default zones Typically, when you issue the cfgDisable command in a large fabric with thousands of devices, the name server indicates to all hosts that they can communicate with each other. In fact, each host can receive an enormous list of PIDs, and ultimately cause other hosts to run out of memory or crash. To ensure that all devices in a fabric do not see each other during a cfgDisable operation, you can activate a default zone.
  • Page 356 Table 83 Zoning database limitations (continued) Fabric OS version Maximum database size (KB) 3.1.x 3.2.x 4.x, 4.1.x, 4.2.x 4.4.x 5.0.1 5.0.x 5.1.x 5.2.x 1024 Before linking two switches together, it is important that you know the zone database limit of adjacent switches.
  • Page 357 Table 85 Resulting database size: 96K to 128K Receiver Fabric Fabric Fabric Fabric OS Fabric OS Fabric OS Fibre XPath OS 2.6 OS 3.1 OS 3.2 4.0/4.1/ 4.3/4.4.0 5.0.0/5.0.1/ Channel 5.1.x Router Initiator Fabric OS 2.6/3.1 Segment Segment Segment Segment Segment Segment Join...
  • Page 358: Creating And Modifying Zoning Configurations

    Table 87 Resulting database size: 256K to 1M Receiver Fabric Fabric Fabric Fabric OS Fabric Fabric Fibre XPath OS 2.6 OS 3.1 OS 3.2 4.0/4.1/4.2 Channel Initiator 4.3/4.4.x 5.0.0/ Router 5.0.1 Fabric OS Segment Segment Segment Segment Segment Segment Segment Segment 4.3/4.4.0 Fabric OS...
  • Page 359: To Remove Zones (Members) From A Zone Configuration

    Enter the cfgSave command to save the change to the defined configuration. switch:admin> cfgadd "newcfg", "bluezone" switch:admin> cfgsave You are about to save the Defined Zoning configuration. This action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled.
  • Page 360: To View Selected Zone Configuration Information

    Enter the cfgShow command with no operands. switch:admin> cfgshow Defined configuration: cfg: USA1 Blue_zone cfg: USA_cfg Red_zone; Blue_zone zone: Blue_zone 1,1; array1; 1,2; array2 zone: Red_zone 1,0; loop1 alias: array1 21:00:00:20:37:0c:76:8c; 21:00:00:20:37:0c:71:02 alias: array2 21:00:00:20:37:0c:76:22; 21:00:00:20:37:0c:76:28 alias: loop1 21:00:00:20:37:0c:76:85; 21:00:00:20:37:0c:71:df Effective configuration: cfg: USA_cfg...
  • Page 361: Maintaining Zone Objects

    Maintaining zone objects While you can use the cfgDelete command to delete a zone configuration, there is a quicker and easier way to perform the same task via the zone object commands (zoneObjectExpunge, zoneObjectCopy, and zoneObjectRename). You can also copy and rename zone objects. When you copy a zone object, the resulting object has the same type as the original.
  • Page 362: To Delete A Zone Object

    To delete a zone object Connect to the switch and log in as admin. Enter the cfgShow command to view the zone configuration objects you want to delete. switch:admin> cfgShow Defined configuration: cfg: USA_cfg Red_zone; White_zone; Blue_zone zone: Blue_zone 1,1; array1; 1,2; array2 zone: Red_zone 1,0;...
  • Page 363: Managing Zoning Configurations In A Fabric

    Enter the cfgShow command to verify the renamed zone object is present. If you want the change preserved when the switch reboots, save it to nonvolatile (also known as “flash”) memory by entering the cfgSave command. For the change to become effective, enable the appropriate zone configuration using the cfgEnable command.
  • Page 364 • Merging rules Observe these rules when merging zones: Local and adjacent configurations If the local and adjacent zone database configurations are the same, they will remain unchanged after the merge. Effective configurations If there is an effective configuration between two switches, the zone configuration in effect match.
  • Page 365: Splitting A Fabric

    Splitting a fabric If the connections between two fabrics are no longer available, the fabric will segment into two separate fabrics. Each new fabric will retain the same zone configuration. If the connections between two fabrics are replaced and no changes have been made to the zone configuration in either of the two fabrics, then the two fabrics will merge back into one single fabric.
  • Page 366 Table 88 Considerations for Zoning architecture. Columns: Item, Description. Type of Zoning, hard or soft (session-based): If security is a priority, hard Zoning is recommended. Use of aliases: The use of aliases is optional with Zoning. Using aliases requires structure when defining zones. Aliases will aid administrators of zoned fabric in understanding the structure and context.
  • Page 367: Configuring And Monitoring Fcip Tunneling

    Configuring and monitoring FCIP tunneling The Fibre Channel over IP (FCIP) Tunneling Service is an optional feature that enables you to use Fibre Channel “tunnels” to connect SANs over IP-based networks. An FCIP tunnel transports data between a pair of Fibre Channel switches. You can have more than one TCP connection between the pair of Fibre Channel switches.
  • Page 368: Fcip Licensing

    FCIP also supports: • Configuration and management of GbE ports and the virtual ports, IP interfaces, and tunnels enabled by GbE ports • Compression and decompression of Fibre Channel frames moving through FCIP tunnels NOTE: By default, the compression mode of Fibre Channel frames moving through FCIP tunnels is off.
  • Page 369: Network Using Fcip

    NOTE: In Figure 27, because FCIP was configured with VE_Ports, the switches will merge over the IP WAN to become a single fabric. If any of the VE_Ports had been configured as VEX_Ports, that portion of the fabric would remain a separate fabric, but still enable sharing of storage and server devices. Figure 27 illustrates a portion of a Fibre Channel network using FCIP.
  • Page 370: Port Numbering On The B-Series Mp Router Blade

    Port numbering on the B-Series MP Router blade There are sixteen physical Fibre Channel ports and two physical GbE ports on the B-Series MP Router blade. The two GbE ports (ge0 and ge1) support up to eight FCIP tunnels each (each FCIP tunnel is represented and managed as a VE_Port or VEX_Port).
  • Page 371: Port Numbering On The 400 Mp Router

    Port Numbering on the 400 MP Router You do not need to specify slot numbers for the 400 MP Router. Refer to the GbE ports as ge0 and ge1; the Fibre Channel ports are numbered 0 through 15. Moving from left to right on the front of the chassis, the sixteen Fibre Channel ports come first, followed by the 2 GbE ports.
  • Page 372: Configuring Ipsec

    Table 90 IPSec terminology Term Definition 3DES Triple DES is a more secure variant of DES; it uses 3 different 56-bit keys to encrypt blocks of 64-bit plain text. The algorithm is FIPS-approved for use by Federal agencies. Encapsulating Security Payload is the IPSec protocol that provides confidentiality, data integrity and data source authentication of IP packets, and protection against replay attacks.
  • Page 373: Ipsec Parameters

    IKE negotiates SA parameters and authenticates the peer using the preshared key authentication method. Once the 2 phases of the negotiation are completed successfully, the actual encrypted data transfer can begin. IPSec policies are managed using the policy command. You can configure up to 32 IKE and 32 IPSec policies. Policies cannot be modified; they must be deleted and recreated in order to change the parameters.
  • Page 374: Managing Policies

    Managing policies Use the policy command to create, delete, and show IKE and IPSec policies. To create a new policy Log in to the switch as admin. At the command prompt, type: policy --create type number [-enc encryption_method][-auth authentication_algorithm] [-pfs off|on] [-dh DH_group] [-seclife secs] where: type and number: The type of policy being created (IKE or IPSec) and the number for this type of...
  • Page 375 The example below shows all of the IKE policies defined; in this example, there are two IKE policies. switch:admin06> policy --show ike all IKE Policy 1 ----------------------------------------- Authentication Algorithm: MD5 Encryption: UNKNOWN Perfect Forward Secrecy: off Diffie-Hellman Group: 1 SA Life (seconds): 0 IKE Policy 32 ----------------------------------------- Authentication Algorithm: SHA-1...
  • Page 376: Configuring Fcip Tunnels

    Configuring FCIP Tunnels You can create only one FCIP tunnel on a given pair of IP address interfaces (local and remote). You can create multiple FCIP tunnels on a single IP interface if either the local or remote IP interface is unique and does not have any other FCIP tunnel on it.
  • Page 377: Defining The Ip Interface Of Each Virtual Port

    Enter the portCfgShow command to verify the port is persistently enabled as shown below: switch:admin06> portcfgpersistentenable 8/16 switch:admin06> portcfgpersistentenable 8/17 switch:admin06> portcfgpersistentenable 8/18 switch:admin06> portcfgpersistentenable 8/19 switch:admin06> portcfgshow Ports of Slot 8 9 10 11 12 13 14 15 -----------------+--+--+--+--+----+--+--+--+----+--+--+--+----+--+--+-- Speed AN AN AN AN AN AN AN AN...
  • Page 378: Configuring The Gbe Ports

    The following example shows IP interfaces defined for slot 8 on GbE port ge0: switch:admin06> portshow ipif 8/ge0 Port: 8/ge0 Interface IP Address NetMask ---------------------------------------------------------- 192.168.100.40 255.255.255.0 1500 192.168.100.41 255.255.255.0 1500 switch:admin06> portcfg ipif 8/ge0 create 192.168.100.40 255.255.255.0 1500 switch:admin06> portcfg ipif 8/ge0 create 192.168.100.41 255.255.255.0 1500 Then verify the newly-created IP interface using the portShow command: switch:admin06>...
  • Page 379 The following example shows two routes being added to an interface: switch:admin06> portcfg iproute 8/ge0 create 192.168.11.0 255.255.255.0 192.168.100.1 switch:admin06> portcfg iproute 8/ge0 create 192.168.12.0 255.255.255.0 192.168.100.1 The syntax to delete IP routes is: portcfg iproute [slot/][ge]port args delete ipaddr netmask The gateway address must be on the same IP subnet as one of the port IP addresses.
  • Page 380: Verifying Ip Connectivity

    Verifying IP connectivity After you add the IP addresses of the routes, enter the portCmd ping command to ping a destination IP address from one of the source IP interfaces on the GbE port and verify the Ethernet IP to IP connectivity. This verification also ensures that data packets can be sent to the remote interface.
  • Page 381 Fastwrite and tape pipelining When the FCIP link is the slowest part of the network and it affects speed, consider using fastwrite and tape write acceleration, called “tape pipelining.” Supported only in Fabric OS 5.2.x and higher, fastwrite and tape pipelining are two features that provide accelerated speeds to FCIP tunnels in some configurations: •...
  • Page 382 Table 91 Using fastwrite and tape pipelining (continued) Fastwrite Tape pipelining Class 3 traffic is accelerated with fastwrite. Class 3 traffic is accelerated between host and sequential device. With sequential devices (tape drives), there are 1024 initiator-tape (IT) pairs per GbE port, but 2048 initiator-tape-LUN (ITL) pairs per GbE port.
  • Page 383: Supported Configurations

    Supported configurations To help understand the supported configurations, consider the configurations shown in the two figures below. In both cases, there are no multiple equal-cost paths. In Figure 32, there is a single tunnel with fastwrite and tape pipelining enabled. In Figure 33, there are multiple tunnels, but none of them create a multiple equal-cost path.
  • Page 384: Unsupported Configurations

    Unsupported configurations The following example configurations are not supported with fastwrite and tape pipelining. These configurations use multiple equal-cost paths. [Figure 34: Unsupported configurations with fastwrite and tape pipelining. Label: VE-VE or VEX-VEX.]
  • Page 385 Configuring FCIP tunnels After you have verified licensing and connectivity between source and destination IP interfaces, you can configure FCIP tunnels. As you plan the tunnel configurations, be aware that uncommitted rate tunnels use a minimum of 1000 Kb/sec, up to a maximum of available uncommitted bandwidth on the GbE port. The total bandwidth available on a GbE port is 1 Gbit/sec.
  • Page 386: Fcip Tunnel Modify And Delete Options

    FCIP Tunnel modify and delete options NOTE: Using the tunnel Modify option disrupts traffic on the specified FCIP tunnel for a brief period of time. Following is the syntax for the portCfg fcipTunnel command to modify FCIP tunnels (you must specify at least one characteristic to modify): portcfg fciptunnel [slot/][ge]port args [optional_args] modify <tunnel_num>...
  • Page 387: Verifying The Fcip Tunnel Configuration

    Verifying the FCIP tunnel configuration After you have created local and remote FCIP configurations, use the portEnable [slot/]port command to enable the port. It is recommended that you verify that the tunnel configuration operation succeeded using the portShow fcipTunnel command (be sure to specify the slot/port numbers and number of tunnels). Look at the “Status”...
  • Page 388 To verify that a VE_Port or VEX_Port is online Use the switchShow command to view and verify that the FCIP tunnel is online. switch:admin06> portenable 8/18 switch:admin06> portenable 8/19 switch:admin06> switchshow switchName:switch switchType:42.2 switchState:Online switchMode:Native switchRole:Subordinate switchDomain:4 switchId:fffc04 switchWwn:10:00:00:60:69:80:0d:bc zoning:ON (LSAN001) switchBeacon:OFF blade3 Beacon: blade4 Beacon:...
  • Page 389: Checklist For Configuring Fcip Links

    Checklist for configuring FCIP links Use Table 92 as a checklist for creating FCIP links. Table 92 Steps for configuring FCIP links Step Command 1. Enable persistently disabled ports. portcfgpersistentenable [slot/]port 2. Disable the ports while performing portdisable [slot/]port the configuration. 3.
  • Page 390: About The Ipperf Option

    About the Ipperf option The WAN tool ipPerf (referred to simply as “ipPerf” in this chapter) is an option of the Fabric OS portCmd command. This option allows you to specify the slot and port information for displaying performance statistics for a pair of ports. For this basic configuration, you can specify the IP addresses of the endpoints, target bandwidth for the path, and optional parameters such as the length of time to run the test and statistic polling interval.
  • Page 391: Wan Tool Performance Characteristics

    WAN Tool performance characteristics The following table lists the end-to-end IP path performance characteristics that you can display using the portCmd ipPerf command and option. All four of the base ipPerf performance characteristics (bandwidth, loss, RTT, PMTU) are provided in the command output in Fabric OS 5.2.0 or higher. Figure 35 WAN Tool performance characteristics Characteristic...
  • Page 392: Wan Tool Ipperf Syntax

    To start an ipPerf session Configure the receiver test endpoint using the CP CLI. The syntax for invoking the receiver test endpoint using ipPerf for slot 8, port ge0 on an FR4-18i is as follows: portcmd --ipperf 8/ge0 -s 192.168.255.10 -d 192.168.255.100 -R Configure the sender test endpoint using a similar CP CLI.
  • Page 393 Following is the syntax for portCmd ipPerf to display end-to-end IP path performance statistics: portCmd --ipPerf [slot]/ge# -s <source_ip> -d <destination_ip> -S | -R [-r <rate>] [-z <size>] [-t <time>] [-i <interval>] [-p <port>] where: -s <source_ip> Source IP address. Destination IP address....
  • Page 394 To view detailed fcipTunnel statistics, you must specify either the -perf or -params options. The following example shows the portCmd fcipTunnel with the performance option to display characteristics of tunnel 0. switch:admin06> portshow fciptunnel 8/ge0 all Slot: 8 Port: ge0 ------------------------------------------- Tunnel ID 0 Remote IP Addr 192.175.4.200...
  • Page 395 The following example shows the portCmd fcipTunnel with the parameters options to display the parameters of tunnel 0: switch:admin06> portshow fciptunnel 8/ge0 0 Slot: 8 Port: ge0 ------------------------------------------- Tunnel ID 0 Remote IP Addr 192.175.4.200 Local IP Addr 192.175.4.100 Remote WWN Not Configured Local WWN 10:00:00:60:69:e2:09:be Compression on Fastwrite off...
  • Page 396 The following example shows the portShow fcipTunnel command to display IPSec information for tunnel 0: switch:admin06> portshow fciptunnel 8/ge0 3 -ipsec Port: ge0 ------------------------------------------- Tunnel ID 3 Remote IP Addr 192.175.5.200 Local IP Addr 192.175.5.100 Remote WWN Not Configured Local WWN 10:00:00:05:1e:37:00:20 Compression off Fastwrite on Tape Pipelining on...
  • Page 397: A Configuring The Pid Format

    Configuring the PID format Port identifiers (called PIDs) are used by the routing and zoning services in Fibre Channel fabrics to identify ports in the network. All devices in a fabric must use the same PID format, so when you add new equipment to your SAN, you might need to change the PID format on legacy equipment.
  • Page 398: Impact Of Changing The Fabric Pid Format

    Impact of changing the fabric PID format If your fabric contains switches that use Native PID, it is recommended that you change the format to Core PID before you add the new, higher port count switches and Directors. Also, it is recommended that you use Core PID when upgrading the Fabric OS version on 2000 and 3000 series switches.
  • Page 399: Selecting A Pid Format

    CAUTION: After changing the fabric PID format, if the change invalidates the configuration data (see Table 91 to determine this), do not download old (pre-PID format change) configuration files to any switch on the fabric. Table 91 Effects of PID format changes on configurations PID format PID format after Configuration effect...
  • Page 400 Table 92 shows various combinations of existing fabrics, new switches added to those fabrics, and the recommended PID format for that combination. The criteria for the recommendations are first to eliminate host reboots, and second to minimize the need for a host reboot in the future. Table 92 PID format recommendations for adding new switches Existing Fabric OS...
  • Page 401: Evaluating The Fabric

    Evaluating the fabric In addition to this section, refer to the HP StorageWorks SAN Design reference guide for information on evaluating the fabric: http://h18000.www1.hp.com/products/storageworks/san/documentation.html If there is the possibility that your fabric contains host devices with static PID bindings, you should evaluate the fabric to: •...
  • Page 402: Planning The Update Procedure

    It is also important to understand how multipathing software reacts when one of the two fabrics is taken offline. If the time-outs are set correctly, the failover between fabrics should be transparent to the users. You should use the multipathing software to manually fail a path before starting maintenance on that fabric.
  • Page 403: Offline Update

    After the fabric has reconverged, use the cfgEnable command to update zoning. Update their bindings for any devices manually bound by PID. This might involve changing them to the new PIDs, or preferably changing to WWN binding. For any devices automatically bound by PID, two options exist: a.
  • Page 404: Changing To Extended Edge Pid Format

    The following maps the PID format names to the names used in the management interfaces (PID format name: management interface name). Native PID: switch PID address mode 0. Core PID: switch PID address mode 1. Extended edge PID: switch PID address mode 2. Before changing the PID format, determine if host reboots will be necessary.
  • Page 405 Determine if the current switch firmware versions meet the minimum supported version levels. Table 93 lists the earliest Fabric OS version levels that support Extended Edge PID format. Use this table to determine if you need to upgrade the firmware in the switches in your fabric before you change the PID format.
  • Page 406 Example: Configure Command on a Switch Running Fabric OS 3.1.2 Configure... Fabric parameters (yes, y, no, n): [no] yes Domain: (1..239) [217] BB credit: (1..27) [16] R_A_TOV: (4000..120000) [10000] E_D_TOV: (1000..5000) [2000] Data field size: (256..2112) [2112] Sequence Level Switching: (0..1) [0] Disable Device Probing: (0..1) [0] Suppress Class F Traffic: (0..1) [0] SYNC IO mode: (0..10 [0]...
  • Page 407: Converting Port Number To Area Id

    Converting port number to area ID Except for the following cases, the area ID is equal to the port number: • when you perform a port swap operation • when you enable Extended Edge (also known as “displaced PID”) PID on the Director If you are using Extended Edge PID format (for example, the 4/256 SAN Director with configuration option 5) and would like to map the output of the port number to the area ID, use the following formula (for ports 0-127):...
  • Page 408: San Director With Extended Edge Pid

    When the port number is greater than or equal to 128, the area ID and port number are the same. Figure 29 shows a 4/256 SAN Director with Extended Edge PID. Figure 29 4/256 SAN Director with Extended Edge PID
  • Page 409: Performing Pid Format Changes

    Performing PID format changes There are several routine maintenance procedures which might result in a device receiving a new PID. Examples include, but are not limited to: • Changing compatibility mode settings • Changing switch domain IDs • Merging fabrics •...
  • Page 410: Hp/Ux Procedure

    Example switch:admin> switchdisable switch:admin> configure Configure... Fabric parameters (yes, y, no, n): [no] yes Domain: (1..239) [1] R_A_TOV: (4000..120000) [10000] E_D_TOV: (1000..5000) [2000] Data field size: (256..2112) [2112] Sequence Level Switching: (0..1) [0] Disable Device Probing: (0..1) [0] Suppress Class F Traffic: (0..1) [0] SYNC IO mode: (0..1) [0] Core Switch PID Format: (0..2) [0] 1 Per-frame Route Priority: (0..1) [0]...
  • Page 411: Aix Procedure

    Change to /dev and untar the file that was tarred in step 4. For example: tar -xf /tmp/jbod.tar Import the volume groups using vgimport. The proper usage would be vgimport -m <mapfile> <path_to_volume_group> <physical_volume_path>. For example: vgimport -m /tmp/jbod_map /dev/jbod /dev/dsk/c64t8d0 /dev/dsk/c64t9d0 Activate the volume groups using vgchange.
  • Page 412: Swapping Port Area Ids

    If you are not using multipathing software, unmount the volumes from their mount points using umount. The command usage is umount <mount_point>. For example: umount /mnt/jbod If you are using multipathing software, use that software to remove one fabric’s devices from its configuration.
  • Page 413 Verify that the port area IDs have been swapped: portswapshow A table shows the physical port numbers and the logical area IDs for any swapped ports. Disable the port swap feature: portswapdisable
  • Page 415: B Configuring Interoperability Mode

    Configuring interoperability mode This appendix provides information on setting up a heterogeneous fabric that includes HP StorageWorks switches and switches from other manufacturers. The interoperability mode enables HP StorageWorks switches and others to exchange interoperability parameters, allowing their fabrics to merge into one fabric with one principal switch and unique domain IDs.
  • Page 416: Supported Features

    Supported features The following features are supported on HP StorageWorks switches in interoperability mode: • Fabric Watch • Fabric Access API functions Accessible from HP StorageWorks switches only, but switch information for non-HP StorageWorks switches is reported. The object information and zoning actions are configurable from the API. •...
  • Page 417: Zoning Restrictions

    have a McDATA switch between two HP StorageWorks switches if you are managing zoning from the HP StorageWorks switches. • LC IBM GBICs are not supported if they are connected to a McData ISL. • When a switch gets a new domain ID assigned through a fabric reconfiguration, the new domain ID is written to nonvolatile memory and the old domain ID value is overwritten.
  • Page 418: Zone Name Restrictions

    You can use the cfgSize command to check both the maximum available size and the currently saved size. If you believe you are approaching the maximum, you can save a partially completed zoning configuration and use the cfgSize command to determine the remaining space. Zone name restrictions The name field must contain the ASCII characters that actually specify the name, not including any required fill bytes.
  • Page 419 Enter the interopmode 0 command to disable interoperability. This command resets a number of parameters and disables interactive mode. You must reboot the switch after changing the interoperability mode: switch:admin> switchdisable switch:admin> interopmode 0 The switch effective configuration will be lost when the operating mode is changed; do you want to continue? (yes, y, no, n): [no] y done.
  • Page 421: C Understanding Legacy Password Behaviour

    Understanding legacy password behaviour The following sections provide password information for early versions of Fabric OS firmware. Password management information Table 94 describes the password standards and behaviors between various versions of firmware. Table 94 Account/password characteristics matrix Topic v4.0.0 v4.1.0 to v4.2.0 v4.4.0 to 5.1.x Number of default...
  • Page 422 Table 94 Account/password characteristics matrix (continued) Topic v4.0.0 v4.1.0 to v4.2.0 v4.4.0 to 5.1.x Does a user need to know Yes, except when Old password is Old password is the old passwords when the root user required only when required only when changing passwords using changes another changing password...
  • Page 423: Password Prompting Behaviors

    Password prompting behaviors Table 95 describes the expected password prompting behaviors of various Fabric OS versions. Table 95 Password Prompting Matrix Topic v4.0.0 v4.1.0 and later Must all password prompts No. Partial changes of all No. Partial changes of all be completed for any change four passwords are four passwords are...
  • Page 424: Password Migration During Firmware Changes

    Password migration during firmware changes Table 96 describes the expected outcome of password settings when upgrading or downgrading firmware for various Fabric OS versions. Table 96 Password migration behavior during firmware upgrade/downgrade Topic v4.4.0 to v5.0.1 v5.0.1 to 5.1.x Passwords used when upgrading Default accounts and Default accounts and to a newer firmware release for the...
  • Page 425 Table 97 Password recovery options (continued) Topic v4.0.0 v4.1.0 and later How to recover boot PROM password? Contact HP and provide the recovery string. Refer to “Setting the Boot PROM Password” on page 112 for instructions on setting the password with a recovery string.
  • Page 426 410 Understanding legacy password behaviour...
  • Page 427: D Using Remote Switch

    Using Remote Switch This appendix describes the concepts and procedures for using the Remote Switch feature and contains the following topics: About Remote Switch The Remote Switch feature, which aids in ensuring gateway compatibility, was formerly a licensed feature. Its functionality is now available as part of the Fabric OS standard feature set through the use of the portCfgIslMode command.
  • Page 428 You might be required to reconfigure the following parameters, depending on the gateway requirements: • R_A_TOV: Specify a Resource Allocation Timeout Value compatible with your gateway device. • E_D_TOV: Specify an Error Detect Timeout Value compatible with your gateway device. •...
  • Page 429: E Zone Merging Scenarios

    Zone merging scenarios Table 98 provides information on merging zones and the expected results. Table 98 Zone merging scenarios Description Switch A Switch B Expected results Switch A with a defined defined: defined: none Configuration from Switch A to configuration cfg1: effective: none propagate throughout the fabric in...
  • Page 430 Table 98 Zone merging scenarios (continued) Description Switch A Switch B Expected results cfg content mismatch defined: cfg1 defined: cfg1 Fabric segments due to: Zone zone1: ali1; ali2 zone1: ali3; ali4 Conflict content mismatch effective: irrelevant effective: irrelevant defined: cfg1 defined: cfg1 Fabric segments due to: Zone zone1: ali1;...
  • Page 431: Index

    Index a new switch or fabric Admin Domain members AAA service requests alias members aaaConfig command and removing FICON CUP licenses access custom filter-based monitors active ports end-to-end monitors browser support filter-based monitors changing account parameters members to a zone configuration control port mirror connection CP blade...
  • Page 432 authentication SNMP MIB trap values configuring SNMP values local switch names authorized reseller, HP to core PID format auto-leveling, FR4-18i blade to extended edge PID format CHAP account policies enabling backbone fabric ID chassis backbone-to-edge routing name backing up chassisshow command a configuration checking and restoring configurations, FICON...
  • Page 433: Correcting I2C Bus Errors

    configUpload security features defZone security levels fcrConfigure server database fosConfig SNMP interopMode SNMP traps lsanZoneShow SSH client nsAllShow nsCamShow SSL protocol passwdCfg switch portCfgEXPort switch for RADIUS portLog switch, FICON environment secPolicyAbort switch, RADIUS client secPolicyActivate switch, single secPolicyAdd syslogd secPolicyDelete telnet interface secPolicyRemove...
  • Page 434 correcting marginal links devices correcting zoning setup issues connecting CP blade devices, proxy access DH-CHAP CP switch DHCHAP RADIUS configuration DH-CHAP secret CRC errors, displaying disabled zone configuration creating disabling accounts port Admin Domains RADIUS configuration DCC policy switch policy disabling and enabling a port SCC policy disabling and enabling a switch...
  • Page 435 enabling and disabling interoperability mode Fibre Channel NAT enabling and disabling ISL trunking Fibre Channel over IP enabling and disabling local authentication Fibre Channel routing enabling and disabling the platform services FICON enabling interoperability mode FICON environment encryption cascaded configuration end-to-end monitoring changing domain id end-to-end monitors...
  • Page 436 HomeAD Java version host configuring host reboots legacy FCR switches host-based zoning license key activating authorized reseller licenseadd command storage web site licensed features Subscriber’s choice web site licenseremove command technical support licenses HP/UX procedure remove feature HTTP licenseshow command HTTPS link incidents certificates, security...
  • Page 437 monitoring end-to-end performance password migration during firmware changes monitoring filter-based performance password policies monitoring ISL performance password prompting behaviors monitoring resources password recovery options monitoring traffic password strength policy monitoring trunks passwords monitors recovering forgotten passwords clearing counters perfaddeemonitor command most common problem areas perfaddIPmonitor command Mozilla...
  • Page 438 port swapping nodes, identifying in FICON accounts environments recovering forgotten passwords port-based routing recovery password portCfgExPort command recovery string portLog command recovery string, boot PROM password ports registered listeners activating POD related documentation remote access policies identifying remote switch identifying by port area ID remove feature identifying by slot and port number removing...
  • Page 439 secure sockets layer SNMP secure telnet SNMP default values certificates setup summary security activating certificates SLAP Brocade MIB slotShow command browsers slotshow command certificates SNMP certificates, deleting certificates, displaying agent configuring standard features and password change enabling CHAP configuring encryption support overview FibreAlliance MIB SNMP attributes...
  • Page 440 supportShow command tracking and controlling switch changes swapping port area IDs traffic patterns swapping ports planning for SW-EXTTRAP traps switch access methods, cli SNMP access methods, Fabric Manager SNMP MIB traps access methods, Web Tools troubleshooting certificates, installing certificates configuring corrupt certificate configuring single invalid certificate...
  • Page 441 viewing and saving diagnostic information viewing equipment status viewing port information viewing power-on self test viewing routing information along a path viewing routing path information viewing switch status viewing the port log viewing the system message log viewing zone database configurations viewing zones web sites HP storage...
  • Page 443 Figures HP StorageWorks license key screen ..........34 Fabric with two admin domains .
  • Page 445 Switch model naming matrix 15 Document conventions 16 Help file commands 21 Default administrative account names and passwords 25 AuditCfg Event Class Operands 48 List of daemons that are automatically restarted 50 Maximum number of simultaneous sessions 51 Fabric OS 5.2.x roles 51 Permission types 52 RBAC permissions matrix 52 Authentication configuration options 54...
  • Page 446 Hardware and firmware compatibility for nonsecure fabrics 221 portCfgExPort -m values 223 Fabric OS commands related to FICON and FICON CUP 236 FICON CUP mode register bits 245 FICON® switch configuration worksheet 250 Fabric OS to UNIX message severities 270 Common troubleshooting problems and tools 275 Types of zone discrepancies 281 Commands for debugging zoning 282...
