Brocade Communications Systems StoreFabric SN6500B User Manual

Brocade Network Advisor SAN User Manual v12.0.0 (53-1002696-01, March 2013)

53-1002696-01
17 December 2012
Brocade Network Advisor
SAN User Manual
Supporting Network Advisor 12.0.0

Summary of Contents for Brocade Communications Systems StoreFabric SN6500B

  • Page 1 53-1002696-01 17 December 2012 Brocade Network Advisor SAN User Manual Supporting Network Advisor 12.0.0...
  • Page 2 Copyright © 2010-2012 Brocade Communications Systems, Inc. All Rights Reserved. Brocade, Brocade Assurance, the B-wing symbol, DCX, Fabric OS, MLX, SAN Health, VCS, and VDX are registered trademarks, and AnyIO, Brocade One, CloudPlex, Effortless Networking, ICX, NET Health, OpenScript, and The Effortless Network are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries.
  • Page 3: Table Of Contents

    Contents Contents About This Document In this chapter ......... . xxxv How this document is organized .
  • Page 4 Connecting to the database using the ODBC client (Linux systems) ......21 Changing the database user password ....23 Supported open source software products.
  • Page 5 Host discovery ......... . . 59 Discovering Hosts by Network address or host name .
  • Page 6 Flyover settings ......... . 89 Configuring flyovers .
  • Page 7 Accepting changes for all fabrics ..... . .134 Accepting changes for a switch, access gateway, or phantom domain ........135 Chapter 6 User Account Management Users overview .
  • Page 8 User profiles ......... . .161 Viewing your user profile .
  • Page 9 Chapter 8 Dashboard Management Dashboard overview ........189 Dashboard tab overview .
  • Page 10 Chapter 9 View Management In this chapter ......... .237 SAN tab overview .
  • Page 11 Grouping on the topology ....... . .270 Collapsing groups ........270 Expanding groups .
  • Page 12 Restarting all services ....... .292 Changing the database password ..... .292 Ports tab .
  • Page 13 Firmware management........344 Downloading firmware .......344 Displaying the firmware repository .
  • Page 14 Enabling port auto disable on all ports on a device ..383 Disabling port auto disable on individual ports ... .384 Disabling port auto disable on all ports on a device ..385 Unblocking ports .
  • Page 15 Host adapter discovery ........408 VM Manager ......... . .408 Adding a VM Manager .
  • Page 16 FCoE protocols supported ....... .437 Ethernet link layer protocols supported ....437 FCoE protocols .
  • Page 17 802.1x authentication ........470 Enabling 802.1x authentication ......471 Disabling 802.1x authentication .
  • Page 18 Chapter 19 Virtual Fabrics Virtual Fabrics overview ........511 Terminology for Virtual Fabrics .
  • Page 19 Importing the signed KAC certificate ....546 Uploading the CA certificate onto the DPM appliance (and first-time configurations) ....546 Uploading the KAC certificate onto the DPM appliance (manual identity enrollment) .
  • Page 20 Steps for connecting to a KMIP appliance (SafeNet KeySecure). . 574 Setting FIPS compliance ......575 Creating a local CA.
  • Page 21 Enabling and disabling tape LUN write early and read ahead .........662 Tape LUN statistics .
  • Page 22 HA Clusters tab........705 Link Keys tab .
  • Page 23 Exporting an offline zone database .....737 Importing an offline zone database .....738 Rolling back changes to the offline zone database .
  • Page 24 FCIP trunking ......... . .762 Design for redundancy and fault tolerance .
  • Page 25 Disabling FCIP circuits ........793 Enabling FCIP circuits ........793 Deleting FCIP Circuits .
  • Page 26 Unblocking a port........822 Avoiding port fencing inheritance ..... . .822 Editing thresholds .
  • Page 27 Chapter 26 VLAN Management VLAN Manager......... .853 Default VLAN .
  • Page 28 Chapter 28 Fibre Channel Troubleshooting In this chapter ......... .881 FC troubleshooting .
  • Page 29 Inheriting alert parameters from a switch ....926 Copying alert parameters from one switch or port to another ..........926 Displaying bottleneck statistics .
  • Page 30 Viewing a policy monitor report ......969 Exporting a policy monitor report ..... . . 971 Viewing historical reports for all policy monitors .
  • Page 31 Setting pseudo event policies ......1011 Filtering pseudo event traps ......1012 Creating a pseudo event definition by copying an existing definition .
  • Page 32 Viewing the technical support repository ....1046 Saving technical support information to another location . .1047 E-mailing technical support information ....1048 Copying technical support information to an external FTP server .
  • Page 33 Product events........1095 IP Performance monitoring events.
  • Page 34 Appendix H Database Fields Database tables and fields ......1157 Views ..........1360 ADAPTER_PORT_CONFIG_INFO .
  • Page 35 PORT_PROFILE_MAC_INFO ......1394 SFLOW......... . . 1395 SFLOW_MINUTE_L3_VIEW .
  • Page 36 xxxvi Brocade Network Advisor SAN User Manual 53-1002696-01...
  • Page 37: About This Document

    About This Document In this chapter • How this document is organized ....... . . xxxv •...
  • Page 38 • Chapter 14, “Storage Port Mapping,” provides instructions about how to create and assign properties to a storage device. • Chapter 15, “Host Management,” provides information on how to configure an HBA. • Chapter 16, “Fibre Channel over Ethernet,” provides information on how to configure FCoE. •...
  • Page 39: Supported Hardware And Software

    Supported hardware and software In those instances in which procedures or parts of procedures documented here apply to some devices but not to others, this guide identifies exactly which devices are supported and which are not. Although many different software and hardware configurations are tested and supported by Brocade Communications Systems, Inc.
  • Page 40 TABLE 1 Fabric OS-supported hardware Device name Terminology used in documentation Firmware level required Brocade 200E switch 16-port, 4 Gbps FC Switch Brocade 300 switch 24-port, 8 Gbps FC Switch Fabric OS v6.1.0 or later Brocade 4012 switch Embedded 12-port, 4 Gbps FC Switch Brocade 4016 switch Embedded 16-port, 4 Gbps FC Switch Brocade 4018 switch...
  • Page 41 TABLE 1 Fabric OS-supported hardware (Continued) Device name Terminology used in documentation Firmware level required Brocade 1860 Fabric Adapter 16 Gbps FC HBA mode Adapter Software 3.0.0.0 or later 10 Gbps CNA mode 10 Gbps NIC mode Brocade 1867 HBA 16 Gbps Mezzanine HBA Adapter Software 3.0.3.0 or later Brocade 48000 director...
  • Page 42: What's New In This Document

    TABLE 1 Fabric OS-supported hardware (Continued) Device name Terminology used in documentation Firmware level required 1, 2 Brocade DCX 8510-8 16 Gbps 8-slot Backbone Chassis Fabric OS v7.0.0 or later Brocade Encryption Switch 8 Gbps Encryption Switch Fabric OS v6.1.1_enc or later FS8-18 Encryption Blade Encryption Blade FA4-18 Application Platform Blade...
  • Page 43 Port Group Support (VLAN Management) Database tables • MEASURE • PM_COLLECTOR_MEASURE_SETTING • PM_COLLECTOR_TARGET_SETTING • PM_DASHBOARD_WIDGET • PM_DATA_COLLECTOR • PM_WIDGET_MEASURE_TYPE • PM_WIDGET_MONITOR_TYPE • PM_WIDGET_TARGET_ENTRY • PM_WIDGET_TIME_SERIES_ENTRY • PM_WIDGET_TOP_N_COLLECTOR_ENTRY • PM_WIDGET_USER_ENTRY • GRE_TUNNEL_INTERFACE • TIME_SERIES_DATA • TIME_SERIES_DATA_1DAY • TIME_SERIES_DATA_2HOUR • TIME_SERIES_DATA_30MIN • POLICY_RULE...
  • Page 44 VM_DATASTORE_DETAILS • VM_VIRTUAL_MACHINE_DATASTORE_MAP • PM_COLLECTOR_TIME_SERIES_MAPPING • DEVICE_CONNECTION • WIRELESS_PRODUCT_DETAILS • WIRELESS_PRODUCT_RELATION • MAPS_EVENT • MAPS_EVENT_DETAILS • PM_STATS_AGING_POLICY • ENCRYPTION_KMIP_PARAMETERS • PORT_COMMISSION_CIMOM_SERVER • DISK_USAGE • HYPER_V_VIRTUAL_MACHINE • HYPER_V_VM_HBA_PORT_MAP • CNA_ETH_PORT_CONFIG • MAPS_EVENT_CAUSE_ACTION • DEPLOYMENT_REPORT_TEMPLATE • Information that was changed: Dashboard Firmware Management Client and server ports Status bar...
  • Page 45: Document Conventions

    Document conventions This section describes text formatting conventions and important notice formats used in this document. Text formatting The narrative-text formatting conventions that are used are as follows: bold text Identifies command names Identifies the names of user-manipulated GUI elements Identifies keywords and operands Identifies text to enter at the GUI or CLI italic text...
  • Page 46: Notice To The Reader

    Notice to the reader This document may contain references to the trademarks of the following corporations. These trademarks are the properties of their respective companies and corporations. These references are made for informational purposes only. Corporation Referenced trademarks and products Linus Torvalds Linux Microsoft Corporation...
  • Page 47: Other Industry Resources

    Other industry resources For additional resource information, visit the Technical Committee T11 website. This website provides interface standards for high-performance and mass storage applications for Fibre Channel, storage management, and other applications: http://www.t11.org For information about the Fibre Channel industry, visit the Fibre Channel Industry Association website: http://www.fibrechannel.org Getting technical help...
  • Page 48: Document Feedback

    • Brocade 5000—On the switch ID pull-out tab located on the bottom of the port side of the switch • Brocade 7600—On the bottom of the chassis • Brocade 48000—Inside the chassis next to the power supply bays • Brocade DCX and DCX-4S—On the bottom right on the port side of the chassis 4.
  • Page 49: User Interface Components

    Chapter Getting Started In this chapter • User interface components ........1 •...
  • Page 50 User interface components FIGURE 1 Main window 1. Menu bar. Lists commands you can perform on the Management application. The available commands vary depending on which tab (SAN or Dashboard) you select. For a list of available commands, refer to Appendix A, “Application menus”.
  • Page 51: Management Server And Client

    Management server and client Management server and client The Management application has two parts: the Server and the Client. The Server is installed on one machine and stores device-related information; it does not have a user interface. To view information through a user interface, you must log in to the Server through a Client. The Server and Clients may reside on the same machine, or on separate machines.
  • Page 52: Launching A Remote Client

    Management server and client Click OK on the Login Banner dialog box. The Management application displays. NOTE When you launch the Management application or navigate to a new view, the SAN tab displays with a gray screen over the Product List and Topology Map while data is loading. Launching a remote client To launch a remote client, complete the following steps.
  • Page 53: Clearing Previous Versions Of The Remote Client

    Management server and client Clearing previous versions of the remote client The remote client link in the Start menu does not automatically upgrade when you upgrade the Management application. You must clear the previous version from the Java cache. To clear the Java cache, complete the following steps. 1.
  • Page 54 Management server and client 4. Complete the following steps on the FTP/SCP/SFTP Server screen. a. Choose one of the following options: • Select Built-in FTP/SCP/SFTP Server to configure an internal FTP/SCP/SFTP server and select one of the following options: Select Built-in FTP Server to configure an internal FTP server The internal FTP server uses a default account and port 21.
  • Page 55 Management server and client a. Select an address from the Server IP Configuration list. b. Select an address from the Switch - Server IP Configuration Preferred Address list. NOTE If the “hostname” contains invalid characters, the host name does not display in the list. Valid characters include alphanumeric and dash (-) characters.
  • Page 56 Management server and client d. Enter a port number in the Starting Port Number field (default is 24600). NOTE For Professional software, the server requires 15 consecutive free ports beginning with the starting port number. NOTE For Trial and Licensed software, the server requires 18 consecutive free ports beginning with the starting port number.
  • Page 57: Viewing Active Sessions

    Management server and client 11. Enter your user name and password. The defaults are Administrator and password, respectively. NOTE Do not enter Domain\User_Name in the User ID field for LDAP server authentication. 12. Click Login. 13. Click OK on the Login Banner. NOTE When you launch the Management application or navigate to a new view, the SAN tab displays with a gray screen over the Product List and Topology Map while data is loading.
  • Page 58: Disconnecting Users

    Management server and client Disconnecting users To disconnect a user, complete the following steps. 1. Select Server > Active Sessions. The Active Sessions dialog box displays. 2. Select the user you want to disconnect and click Disconnect. 3. Click Yes on the confirmation message. 4.
  • Page 59: Viewing Port Status

    Management server and client TABLE 2 Server Properties Field/Component Description Java VM Vendor The Java Virtual Machine vendor. Java VM Version The Java Virtual Machine version running on the server. Server Name The server’s name. OS Architecture The operating system architecture on the server. OS Name The name of the operating system running on the server.
  • Page 60: Server And Client Ports

    Management server and client FIGURE 6 Port Status dialog box 2. Review the port status details: • Name — The Port name. Options include CIM Indication for Event Handling, CIM Indication for HCM Proxy, FTP, SCP/SFTP, SNMP Trap, Syslog, Web Server (HTTP), and Web Server (HTTPS).
  • Page 61 Management server and client • Communication Path — The “source” to “destination” values. Client and Server refer to the Management application client and server unless stated otherwise. Product refers to the Fabric OS, Network OS, or IronWare devices. • Open in Firewall — Whether the port needs to be open in the firewall. TABLE 3 Port usage and firewall requirements Port Number Ports...
  • Page 62 Management server and client TABLE 3 Port usage and firewall requirements (Continued) Port Number Ports Transport Description Communication Path Open in Firewall LDAP Authentication Server Port LDAP server port for Server–LDAP authentication if you use LDAP Server as an external authentication HTTPS server HTTPS (HTTP over SSL) server Client-Server...
  • Page 63 Management server and client TABLE 3 Port usage and firewall requirements (Continued) Port Number Ports Transport Description Communication Path Open in Firewall Server-Managed Host 6343 sFlow Receives sFlow data from Product-Server products if you are monitoring with sFlow 24600 JNP (Java Naming Protocol) port Use for service location.
  • Page 64: Accessibility Features For The Management Application

    Accessibility features for the Management application TABLE 3 Port usage and firewall requirements (Continued) Port Number Ports Transport Description Communication Path Open in Firewall 34568 HCM Agent discovery port Used for HBA management via Server - Managed JSON Host 55556 Launch in Context (LIC) client hand Client port used to check if a Client...
  • Page 65: Look And Feel Customization

    Accessibility features for the Management application TABLE 4 Keyboard shortcuts Menu Item or Function Keyboard Shortcut Internet Explorer SHIFT + F2 Master Log FireFox SHIFT + F1 Paste CTRL + V Product List Properties Alt-Enter Select All CTRL + A Show Ports Shift-F5 View Utilization...
  • Page 66 Accessibility features for the Management application 2. Select Look and Feel in the Category list. 3. Choose from one of the following options: • Select Default to configure the look and feel back to the Management application defaults. • Select System to configure the Management application to have the look and feel of your system.
  • Page 67: Postgresql Database

    PostgreSQL database PostgreSQL database You can connect to the database using one of the following options: • pgAdmin III • ODBC client • Command line interface Connecting to the database using pgAdmin III To access the PostgreSQL database, complete the following steps. 1.
  • Page 68: Connecting To The Database Using The Odbc Client (Windows Systems)

    PostgreSQL database Connecting to the database using the ODBC client (Windows systems) The Open Database Connectivity (ODBC) driver enables you to configure the data source name (DSN) for the database. To install the ODBC driver and create a new data source, complete the following steps. 1.
  • Page 69: Connecting To The Database Using The Odbc Client (Linux Systems)

    PostgreSQL database 20. Click Save. 21. Click OK on the ODBC Data Source Administrator dialog box. 22. To export data, select Data > Import External Data > New Database Query and complete the steps in the Data Connection Wizard. Connecting to the database using the ODBC client (Linux systems) NOTE The ODBC driver is not supported on 64-bit Linux systems.
  • Page 70 PostgreSQL database Adding the Datasource on Linux systems Before you edit the INI files, make sure the PostgreSQL database is up and running. NOTE For RedHat and Oracle Enterprise systems, the odbc.ini and odbcinst.ini files are located in /etc. For SUSE systems, the odbc.ini and odbcinst.ini files are located in /etc/unixODBC.
  • Page 71: Changing The Database User Password

    PostgreSQL database 5. On the Set up user authentication screen, complete the following steps. a. Enter the database user name in the User name field. b. Select the Password required check box. Click Test Connection to test the connection. The Authentication Password dialog box displays. d.
  • Page 72: Supported Open Source Software Products

    Supported open source software products If the new password and confirm password do not match, the following message displays: New password and confirm password do not match. Please try again. Press any key to continue. 3. Launch the Server Management Console. 4.
  • Page 73 Supported open source software products TABLE 7 Open source software third-party software products Open Source Software License Type ApacheCommonsNet 2.0 Apache License v2.0 ApacheCommonsPool 1.5.4 Apache License v2.0 ApacheCommonsValidator 1.3.1 Apache License v2.0 Apache Extras Companion for Apache log4j 1.1 Apache License v2.0 ApacheFTPServer 1.0.3 Apache License v2.0...
  • Page 74 Supported open source software products TABLE 7 Open source software third-party software products Open Source Software License Type JCalendar 1.3.3 LGPL v2.1 JCommon 1.0.16 LGPL v2.1 JDOM 1.1.1 Apache Style JFreeChart 1.0.13 LGPL v2.1 JGoodiesForms 1.2.1 JGoodiesLooks 2.2.2 JGraph 5.13.0.1 BSD Style JIDE 2.10.1 JIDE Software License...
  • Page 75: San Feature-To-Firmware Requirements

    SAN feature-to-firmware requirements SAN feature-to-firmware requirements Use the following table to determine whether the Management application SAN features are only available with a specific version of the Fabric OS firmware as well as if there are specific licensing requirements. TABLE 8 SAN feature to firmware requirements Feature Fabric OS...
  • Page 76 SAN feature-to-firmware requirements TABLE 8 SAN feature to firmware requirements Feature Fabric OS Port Fencing (Trial and Licensed version Requires Fabric OS 6.2 or later. Only) Requires Fabric OS 6.3 or later for State Change and C3 Discard Frames violation types. Security Management Requires Fabric OS 5.2 and later for SCC Policy.
  • Page 77: Chapter 2 Licenses

    Chapter Licenses In this chapter • Licenses overview ..........29 •...
  • Page 78: Managed San Port Count Calculation

    Entering the license key Managed SAN port count calculation NOTE If you exceed the maximum port count for your version, software functionality is impacted and you must reduce the port count using the Discover Fabrics dialog box or contact your vendor to purchase an additional license for your version.
  • Page 79: Upgrading The Management Application

    Upgrading the Management application • License Key — License keys consist of an asterisk (*) followed by a unique string of alphanumeric characters. License keys verify ownership of the Management application software as well as determine the maximum port count allowed or any additional features that you receive as part of the license.
  • Page 80 Upgrading the Management application TABLE 10 IP upgrade paths Current software release To software release IP Professional IP Base Trial or Licensed version IP Base Trial IP Base Licensed version SAN + IP Enterprise Licensed version IP Base Licensed version (lower count) IP Base Licensed version (higher count) SAN + IP Enterprise Licensed version TABLE 11...
  • Page 81: License Downgrade

    License downgrade License downgrade You can downgrade from a higher Trial configuration to a licensed version with a lower configuration. NOTE You cannot downgrade to Professional Edition. NOTE Downgrading to a Trial version is not supported. NOTE You cannot downgrade during migration (Configuration Wizard). Downgrading the edition The following table lists the available downgrade paths.
  • Page 83: Chapter 3 Patches

    Chapter Patches In this chapter • Installing a patch ..........35 •...
  • Page 84: Uninstalling A Patch

    Uninstalling a patch • Extracts patch files to the Install_Home folder. • Creates a back up (zip) of the original files to be updated and copies the zip file to the Install_Home\patch-backup directory (for example, Install_Home\patch-backup\na_11-3-0a.zip). The first time you apply a patch, the back up patch zip file uses the following naming convention: <Application>_<Major_Version>-<Minor_Version>-<Revision_Number>...
  • Page 85 Uninstalling a patch 6. Copy the artifact from the extracted folder to the source folder in the Install_Home/patch-backup directory. Repeat steps 5 and 6 for all artifacts listed in the restore.xml folder. 8. Go to the Install_Home/conf directory. 9. Open the version.properties file in a text editor. 10.
  • Page 87: Discovery

    Chapter Discovery In this chapter • SAN discovery overview......... . 39 •...
  • Page 88: Fcs Policy And Seed Switches

    SAN discovery overview NOTE Professional Plus edition can discover up to 2,560 ports. NOTE Professional Plus edition can discover, but not manage the Backbone chassis. Use the device’s Element Manager, which can be launched from the Connectivity Map, to manage the device. This device cannot be used as a Seed switch.
  • Page 89: Discovering Fabrics

    SAN discovery overview TABLE 13 Backbone Chassis discovery Device Professional Professional Plus Enterprise 16 Gbps 8-slot Backbone Yes for discovery; Yes for discovery; Chassis as member switch however, it cannot be however, it cannot be managed. managed. 16 Gbps 4-slot Backbone Chassis as seed switch 16 Gbps 4-slot Backbone Chassis as member switch...
  • Page 90 SAN discovery overview FIGURE 8 Add Fabric Discovery dialog box (IP Address tab) 3. Enter a name for the fabric in the Fabric Name field. 4. Enter an IP address (IPv4 or IPv6) for a device in the IP Address field. To configure the preferred IP format for the Management application server to connect with Fabric OS devices, refer to “Configuring the preferred IP format”...
  • Page 91 SAN discovery overview For Admin Domain (AD) discovery, Fabric OS switch must have Physical AD visibility. For Virtual Fabric discovery device requirements, refer to “Virtual Fabrics requirements” page 512. To discover a Virtual Fabric device, you must have the following permissions: •...
  • Page 92 SAN discovery overview Enter the number of times to retry the process in the Retries field. d. Select the SNMP version from the SNMP Version list. • If you selected v1, continue with step e. • If you select v3, the SNMP tab displays the v3 required parameters. Go to step i. To discover a Fabric OS device (not virtual fabric-capable), you must provide the existing SNMPv3 username present in the switch.
  • Page 93: Editing The Password For Multiple Devices

    SAN discovery overview Editing the password for multiple devices You can only edit the password for Fabric OS devices in the same fabric. To edit the password for multiple devices within the same fabric, complete the following steps. 1. Select Discover > Fabrics. The Discover Fabrics dialog box displays.
  • Page 94: Configuring Snmp Credentials

    SAN discovery overview Configuring SNMP credentials 1. Select Discover > Fabrics. The Discover Fabrics dialog box displays. 2. Select an IP address from the Discovered Fabrics table. 3. Click Edit. The Add Fabric Discovery dialog box displays. 4. To revert to the default SNMPv3 settings, click the Automatic option. Go to step 19. 5.
  • Page 95: Reverting To A Default Snmp Community String

    SAN discovery overview 16. Enter the authorization password in the Auth Password field. • If you selected Configure for 256-Port_Director_Name, go to step 19. • If you did not select Configure for 256-Port_Director_Name, continue with step 17. 17. Select the privacy protocol in the Priv Protocol field. 18.
  • Page 96: Removing A Fabric From Active Discovery

    SAN discovery overview Removing a fabric from active discovery If you decide you no longer want the Management application to discover and monitor a specific fabric, you can delete it from active discovery. Deleting a fabric also deletes the fabric data on the server (both system collected and user-defined data) except for user-assigned names for the device port, device node, and device enclosure information.
  • Page 97: Viewing The Fabric Discovery State

    Viewing the fabric discovery state Viewing the fabric discovery state The Management application enables you to view device status through the Discover Setup dialog box. To view the discovery status of a device, complete the following steps. 1. Select Discover > Fabrics. The Discover Fabrics dialog box displays.
  • Page 98: Managed Count Exceeded Troubleshooting

    Troubleshooting fabric discovery Managed count exceeded troubleshooting The following section states possible issues and the recommended solution when you exceed your managed count limits. Problem Resolution If you exceed your managed count limit, the Perform one or more of the following actions to •...
  • Page 99: Virtual Fabric Discovery Troubleshooting

    Troubleshooting fabric discovery Problem Resolution Remove a device from active discovery To remove a fabric from active discovery, complete the following steps. Select Discover > Fabrics. The managed count exceeded message displays. Managed counts that have been exceeded display with a light red background. Managed counts that are within the grace count limit display with a pale yellow background.
  • Page 100: San Fabric Monitoring

    SAN Fabric monitoring Problem Resolution At the time of discovery, SNMP v3 is not configured. Configure the SNMP v3 information for the Virtual Fabric-enabled device. At the time of discovery, SNMP v3 is not configured for all other switches in the fabric. After discovery, a device is upgraded to Fabric OS 6.2 or later and is Virtual Fabric-enabled;...
  • Page 101: Stop Monitoring Of Discovered Fabrics

    SAN Fabric monitoring For Professional and Professional Plus, the default monitoring interval is 120 seconds (minimum interval is 120 seconds). Table 6 details the default and minimum monitoring intervals used to query the monitored switches: TABLE 16 Monitor Intervals SAN Size Default Minimum Small...
  • Page 102: Stop Monitoring Of Discovered Switches

    SAN Fabric monitoring Stop monitoring of discovered switches NOTE You cannot stop monitoring the seed switch. When you stop monitoring a switch, the Management application performs the following actions: • Stops all data collection for the switch. • Unregisters as SNMP trap recipient from the switch. For Virtual Fabric switches, only unregister as SNMP trap recipient when all Virtual Fabric switches of that chassis are unmonitored.
  • Page 103: Resume Monitoring Of Discovered Fabrics

    SAN Fabric monitoring 2. Select one or more switches in the same fabric that you want to stop monitoring from the Discovered Fabrics table. NOTE You cannot select switches in different fabrics. 3. Click Unmonitor. The Unmonitor Status dialog box displays with the following details: •...
  • Page 104: Resume Monitoring Of Discovered Switches

    SAN Seed switch Resume monitoring of discovered switches NOTE Monitoring is not supported on Hosts. NOTE You can only monitor a switch that is reachable and has valid credentials. To monitor a switch, complete the following steps. 1. Select Discovery > Fabrics. The Discover Fabrics dialog box displays.
  • Page 105: Seed Switch Requirements

    SAN Seed switch This operation preserves historical and configuration data, such as performance monitoring and user-customized data for the selected fabric. ATTENTION If the seed switch firmware is downgraded from Fabric OS 5.2.X to an earlier version, then all RBAC-related data is discarded from the Management application. If, during the seed switch change, the fabric is deleted, but the rediscovery operation fails (for example, if the new seed switch becomes unreachable using HTTP), then you must rediscover the fabric again.
  • Page 106 SAN Seed switch • Identifies which switches are Virtual Fabric-enabled switches (Fabric OS only). If there are Virtual Fabric-enabled switches, the Management application only uses these switches as recommended seed switches. If there are no Virtual Fabric-enabled switches, continue with the next check. •...
  • Page 107: Host Discovery

    Host discovery Host discovery The Management application enables you to discover individual hosts, import a group of hosts from a comma-separated values (CSV) file, or import all hosts from discovered fabrics or VM managers. NOTE Host discovery requires HCM Agent 2.0 or later. NOTE SMI and WMI discovery are not supported.
  • Page 108 Host discovery FIGURE 13 Add Host Adapters dialog box 3. (Optional) Enter a discovery request name (such as, Manual 06/12/2009) in the Discovery Request Name field. 4. Select Network Address from the list. 5. Enter the IP address (IPv4 or IPv6 formats) or host name in the Network Address field. 6.
  • Page 109: Importing Hosts From A Csv File

    Host discovery 13. Click OK on the Add Host Adapters dialog box. If an error occurs, a message displays. Click OK to close the error message and fix the problem. A Host Group displays in Discovered Hosts table with pending status. To update the status from pending you must close and reopen the Discover Host Adapters dialog box.
  • Page 110: Importing Hosts From A Fabric

    Host discovery The CSV file must meet the following requirements: • Comma separated IP address or host names • No commas within the values • No escaping supported For example, XX.XX.XXX.XXX, XX.XX.X.XXX, computername.company.com 6. Click Open. The CSV file is imported to the Add Host Adapters dialog box. During import, duplicate values are automatically dropped.
  • Page 111 Host discovery FIGURE 15 Add Host Adapters dialog box 3. Enter a discovery request name (such as, MyFabric) in the Discovery Request Name field. 4. Select Hosts in Fabrics from the list. 5. Select All fabrics or an individual fabric from the list. 6.
  • Page 112: Importing Hosts From A Vm Manager

    Host discovery 12. Click OK on the Add Host Adapters dialog box. If an error occurs, a message displays. Click OK to close the error message and fix the problem. A Host Group displays in Discovered Hosts table with pending status. To update the status from pending you must close and reopen the Discover Host Adapters dialog box.
  • Page 113: Editing Host Adapter Credentials

    Host discovery • To configure CIM server credentials, select the CIM server (ESXi only) option. Continue with step If you do not need to configure Host credentials, skip to step 8. Configure discovery authentication by choosing one of the following options: •...
  • Page 114: Removing A Host From Active Discovery

    Host discovery 4. Configure discovery authentication by choosing one of the following options: • To configure discovery with authentication, select HTTPS from the Protocol list. • To configure discovery without authentication, select HTTP from the Protocol list. 5. Enter the port number in the Port field. The HCM agent default is 34568.
  • Page 115: Deleting A Host Adapter From Discovery

    Host discovery 5. Click Close on the Discover Host Adapters dialog box. Deleting a host adapter from discovery To delete a host permanently from discovery, complete the following steps. 1. Select Discover > Host Adapters. The Discover Host Adapters dialog box displays. 2.
  • Page 116: Troubleshooting Host Discovery

    VM Manager discovery • Brocade HBA Discovery Failed: HCM Agent connection failed • HCM Agent collection failed Troubleshooting host discovery If you encounter discovery problems, complete the following checklist to ensure that discovery was set up correctly. For more complete information about troubleshooting adapters, refer to the Brocade Adapters Troubleshooting Guide.
  • Page 117 VM Manager discovery FIGURE 18 Discover VM Managers dialog box 2. Click Add. The Add VM Manager dialog box displays. FIGURE 19 Add VM Manager dialog box 3. Enter the IP address or host name in the Network Address field. 4.
  • Page 118: Editing A Vm Manager

    VM Manager discovery 8. Select the Forward event to vCenter check box to enable event forwarding from the Management application to vCenter. Clear to disable event forwarding. 9. Click OK on the Add VM Manager dialog box. If an error occurs, a message displays. Click OK to close the error message and fix the problem. A VM manager displays in Discovered VM Managers table with pending status.
  • Page 119: Excluding A Host From Vm Manager Discovery

    VM Manager discovery Excluding a host from VM manager discovery To exclude a host from VM manager discovery, complete the following steps. 1. Select Discover > VM Managers. The Discover VM Managers dialog box displays. 2. Select the Host you want to exclude in the Discovered VM Managers list and click Exclude. 3.
  • Page 120: Deleting A Vm Manager From Discovery

    VM Manager discovery 4. Click OK on the confirmation message. The rediscovered VM manager displays in the Discovered VM Managers table. 5. Click Close on the Discover VM Managers dialog box. Deleting a VM manager from discovery To delete a host permanently from discovery, complete the following steps. 1.
  • Page 121: Troubleshooting Vm Manager Discovery

    VM Manager discovery Troubleshooting VM manager discovery If you encounter discovery problems, complete the following checklist to ensure that discovery was set up correctly. 1. Verify IP connectivity by issuing a ping command to the switch. a. Open the command prompt. b.
  • Page 123: Application Configuration

    Chapter Application Configuration In this chapter • Server Data backup..........77 •...
  • Page 124 Configurable preferences • SAN End Node Display — Use to display (or turn off display of) end nodes on the Connectivity map for newly discovered fabrics. Disabling end node display limits the Connectivity map to switch members only. For more information, refer to “SAN End node display”...
  • Page 125: Server Data Backup

    Server Data backup The Management application helps you to protect your data by backing it up automatically. Backup is a service process that periodically copies and stores application files to an output directory. The output directory is relative to the server and must use a network share format to support backup to the network.
  • Page 126: Configuring Backup

    Server Data backup Back up directory structure overview The Management server backs up data to two alternate folders. For example, if the backup directory location is D:\Backup, the backup service alternates between two backup directories, D:\Backup\Backup and D:\Backup\BackupAlt. The current backup is always D:\Backup and contains a complete backup of the system.
  • Page 127 Server Data backup • Select the Include Technical Support directory check box, if necessary. Only available if the Include FTP Root directory check box is clear. • Select the Include Upload Failure Data Capture directory check box, if necessary. Only available if the Include FTP Root directory check box is clear.
  • Page 128: Enabling Backup

    Server Data backup 9. Back up data to a CD by completing the following steps. NOTE This is not recommended on a permanent basis. CDs have a limited life, and may only last a month. An error message occurs if your Management application can no longer back up to the disc.
  • Page 129: Viewing The Backup Status

    Server Data backup 4. Click Apply or OK. Viewing the backup status The Management application enables you to view the backup status at a glance by providing a backup status icon on the Status Bar. The following table illustrates and describes the icons that indicate the current status of the backup function.
  • Page 130: Starting Immediate Backup

    Server Data backup Starting immediate backup NOTE You must have backup privileges to use the Backup Now function. For more information about privileges, refer to “User Privileges” on page 1097. To start the backup process immediately, complete one of the following procedures: Using the Backup Icon, right-click the Backup icon and select Backup Now.
  • Page 131: Server Data Restore

    Server Data restore NOTE You cannot restore data from a previous version of the Management application. NOTE You cannot restore data from a higher or lower configuration (Trial or Licensed version) of the Management application. NOTE You cannot restore data from a different package of the Management application. NOTE You cannot restore data from a 64-bit server to a 32-bit server.
  • Page 132: Restoring Data To A New Server

    SAN display settings 5. Browse to the backup location. Browse to the location specified in the Output Directory field on the Options dialog box - Backup pane. 6. Click Restore. Upon completion, a message displays the status of the restore operation. Click OK to close the message and the Server Management Console.
  • Page 133: Resetting Your Display

    SAN display settings FIGURE 22 Options dialog box (SAN Display pane) 3. Click Set Up FICON Display. Any table that contains end device descriptions move the following nine columns to the beginning of the table: Attached Port #, FC Address, Serial #, Tag, Device Type, Model, Vendor, Port Type, and WWN.
  • Page 134: San End Node Display

    SAN End node display 1. Select Server > Options. The Options dialog box displays. 2. Select SAN Display in the Category list. 3. Click Reset Display. 4. Click Yes on the reset confirmation message. The display and view settings are immediately reset to the default display settings (as detailed in the Default display Settings table (Table 19)).
  • Page 135: San Ethernet Loss Events

    SAN Ethernet loss events An Ethernet event occurs when the Ethernet link between the Management Server and the managed SAN device is lost. You can configure the application to enable events when the Ethernet connection is lost. Enabling SAN Ethernet loss events The Options dialog box enables you to configure the Management application to generate an Ethernet event after a device is offline for a specific period of time.
  • Page 136: Event Storage Settings

    Event storage settings You can configure the maximum number of historical events saved to the repository, how long the events will be retained, and whether to store historical events to a file before purging them from the repository.
  • Page 137: Storing Historical Events Purged From Repository

    Flyover settings Storing historical events purged from repository To store historical events purged from the repository, complete the following steps. 1. Select Server > Options. The Options dialog box displays. 2. Select Event Storage in the Category list. 3. Select the Yes option. 4.
  • Page 138 Flyover settings FIGURE 26 Options dialog box (Flyovers pane, Product tab) a. Select the protocol type from the Type list, if necessary. b. Select each property you want to display in the product flyover from the Available Properties table. Depending on which protocol you select, some of the following properties may not be available: FC (default) •...
  • Page 139 Flyover settings Add connection properties you want to display on flyover by selecting the Connection tab (Figure 27) and completing the following steps. FIGURE 27 Options dialog box (Flyovers pane, Connection tab) a. Select the protocol type from the Type list, if necessary. Depending on which protocol you select, some properties may not be available for all protocols.
  • Page 140: Turning Flyovers On Or Off

    SAN name settings FCoE • Name • Port# • Node WWN • Port Type • FCoE Index # Click the right arrow to move the selected properties to the Selected Properties table. d. Use the Move Up and Move Down buttons to reorder the properties in the Selected Properties table.
  • Page 141: Setting Names To Be Unique

    SAN name settings Setting names to be unique You can edit duplicate names so that each device has a unique name. Note that the Duplicated Names dialog box only displays when you set names to be unique and there are duplicate names in the system.
  • Page 142: Fixing Duplicate Names

    SAN name settings 2. Select SAN Names in the Category list. 3. Select Set names to be non-unique to allow duplicate names on your system. 4. Click OK on the Options dialog box. Fixing duplicate names To fix duplicated names, complete the following steps. 1.
  • Page 143: Viewing Names

    SAN name settings Operational Status — The operational status of the device. There are four possible values: Up — Operation is normal. Down — The port is down or the route to the remote destination is disabled. Disabled — The connection has been manually disabled. Backup Active —...
  • Page 144: Adding A Name To An Existing Device

    SAN name settings • Scope list — Select a search value (Name or WWN) from the list. • Search text box — Enter the name or WWN of the device for which you are searching. • Search button — Click to search on the value in the Search field. For more information, refer to “Searching for a device by name”...
  • Page 145: Adding A Name To A New Device

    SAN name settings 4. Double-click in the Name column for the selected device or port and enter a name for the device or port. If you set names to be unique on the Options dialog box and the name you entered already exists, the entry is not accepted.
  • Page 146: Removing A Name From A Device

    SAN name settings 5. Click OK on the Configure Names dialog box. Removing a name from a device 1. Select Configure > Names. The Configure Names dialog box displays. 2. In the Display table, select the name you want to remove. 3.
  • Page 147: Importing Names

    SAN name settings 5. Click OK to close the Configure Names dialog box. Importing Names If the name length exceeds the limitations detailed in the following table, you must edit the name (in the CSV file) before import. Names that exceed these limits will not be imported. If you migrated from a previous version, the .properties file is located in the Install_Home\migration\data folder.
  • Page 148: Searching For A Device By Wwn

    SAN name settings 4. Enter the name you want to search for in the Search field. You can search on partial names. NOTE To search for a device, the device must be discovered and display in the topology. 5. Click Search. All devices with the specified name (or partial name) are highlighted in the Display table.
  • Page 149: Miscellaneous Security Settings

    Miscellaneous security settings You can configure the Server Name and login banner, choose whether to allow clients to save passwords, and choose whether to enforce the MD5 checksum during import. When the login banner is enabled, each time a client connects to the server, the login banner displays with a legal notice provided by you.
  • Page 150: Enforcing Md5 File During Import

    Miscellaneous security settings 5. Click Apply or OK to save your work. Enforcing MD5 file during import NOTE The MD5 checksum file is required when you load Fabric OS firmware into the Management application version 12.0 or later. You can configure the Management application to enforce the MD5 checksum file import during the import of the Fabric OS image into the firmware repository.
  • Page 151: Disabling The Login Banner

    Syslog Registration settings 4. Enter the message you want to display every time a user logs into this server in the Banner Message field. This field contains a maximum of 2048 characters. 5. Click Apply or OK to save your work. Disabling the login banner To disable the login banner display, complete the following steps.
  • Page 152: Configuring The Syslog Listing Port Number

    SNMP Trap Registration settings Configuring the Syslog listing port number 1. Select Server > Options. The Options dialog box displays. 2. Select Syslog Registration in the Category pane. The Syslog Registration pane displays (Figure 32). 3. Enter the Syslog listening port number of the Server in the Syslog Listening Port (Server) field, if necessary.
  • Page 153: Snmp Trap Forwarding Credential Settings

    SNMP Trap forwarding credential settings 3. Enter the SNMP listening port number of the Server in the SNMP Listening Port (Server) field, if necessary. The default SNMP listening port number is 162 and is automatically populated. 4. Click Apply or OK to save your work. SNMP Trap forwarding credential settings You can configure SNMP credentials for the traps forwarded by the server.
  • Page 154: Configuring Snmp V3 Credentials

    Software Configuration Configuring SNMP v3 credentials To configure SNMP v1 or v2c credentials, complete the following steps. 1. Select Server > Options. The Options dialog box displays. 2. Select Trap Forwarding Credentials in the Category pane. The Trap Forwarding Credentials pane displays (Figure 34).
  • Page 155: Certificates

    Software Configuration Certificates Certificate management allows you to enable certificate validation between the Management application server and products when HTTPS is enabled and between server and client when SSL is enabled on server. For more information about product communication, refer to “Product communication settings”...
  • Page 156 Software Configuration The Certificates pane contains the following fields and components: • Enable certificate validation check box — Select to enable certificate validation. Clear to disable certificate validation. • Keystore Certificates drop-down list — Select one of the following options: View —...
  • Page 157 Software Configuration FIGURE 36 Details - Certificate Name dialog box The Details - Certificate Name dialog box contains the following fields: • Left-side text box — Name of the Issuer. • Right-side table — Displays the following certificate details: Version — Version of the certificate. ...
  • Page 158 Software Configuration 5. Enter a unique alias for the certificate in the Alias Name field. 6. Click OK. Click Apply or OK to save your work. Deleting a truststore certificate 1. Select Server > Options. The Options dialog box displays. 2.
  • Page 159 Software Configuration Viewing a keystore certificate 1. Select Server > Options. The Options dialog box displays. 2. Select Certificates in the Category list. The Certificates pane displays. 3. Select View from the Keystore Certificate list. The Details - Certificate Name dialog box displays with the following fields: •...
  • Page 160 Software Configuration Replacing a keystore certificate NOTE Changes to this option take effect after an application restart. 1. Select Server > Options. The Options dialog box displays. 2. Select Certificates in the Category list. The Certificates pane displays. 3. Select Replace from the Keystore Certificate list. The Replace Keystore Certificate dialog box displays.
  • Page 161: Client Export Port Settings

    Software Configuration Enabling and disabling certificate validation The Management application server only validates the certifying authority and the date in the certificate. Certificate validation requires HTTPS connections between the server and the switches. To configure product communication to HTTPS, refer to “Product communication settings”...
  • Page 162: Client/Server Ip

    Software Configuration 4. Click Apply or OK to save your work. NOTE Changes to this option take effect after a client restart. 5. Click OK on the “changes take effect after client restart” message. Client/Server IP You can configure connections between the client or switches and the Management application server.
  • Page 163 Software Configuration FIGURE 38 Options dialog box (Client/Server IP option) 3. Choose one of the following options in the Server IP Configuration list. • Select All. Go to step • Select a specific IP address. Continue with step • Select localhost. Continue with step When Server IP Configuration is set to All, you can select any available IP address as the Return Address.
  • Page 164 Software Configuration Configuring an explicit server IP address If you selected a specific IP address from the Server IP Configuration screen during installation and the selected IP address changes, you will not be able to connect to the server. To connect to the new IP address, you must manually update the IP address information.
  • Page 165 Software Configuration 8. Verify the IP address on the Server Configuration Summary screen and click Next. 9. Click Finish on the Start Server screen. 10. Click Yes on the restart server confirmation message. 11. Enter your user name and password. The defaults are Administrator and password, respectively.
  • Page 166: Memory Allocation Settings

    Software Configuration 4. Select the return IP address in the Client - Server IP Configuration Return Address list. When Server IP Configuration is set to All, you can select any available IP address as the Return Address. If you select a specific IP address, the Return Address field shows the same IP address and you cannot change it.
  • Page 167 Software Configuration 4. Enter the memory allocation (MB) for the client in the Client Memory Allocation field. If you enter an invalid value, an error message displays with the minimum value allowed. Click OK and edit the value again. The current configured number of megabytes for client memory allocation displays in the Current Value field.
  • Page 168 Software Configuration • Enterprise Medium : 1500 MB • Enterprise Large : 2048 MB Default values for SAN only Server Server Heap Size For a 32-bit Windows or Linux Server • Small : 768 MB • Medium : 950 MB •...
  • Page 169 Software Configuration 3. Enter how often you want to check for state changes in the Check for state change every field. Valid values are from 1 through 600 seconds. You cannot enter a value lower than the default minimum value. Default minimum values are as follows: •...
  • Page 170: Product Communication Settings

    Software Configuration Viewing the network size status The Management application enables you to view the network size status at a glance by providing a status icon on the Status Bar. Double-click the icon to launch the Memory Allocation pane of the Options dialog box.
  • Page 171 Software Configuration FIGURE 40 Options dialog box (Product Communication pane) 3. To connect using HTTP, complete the following steps. a. Select the Connect using HTTP option. b. Enter the connection port number in the Port # field. Go to step The default HTTP port number is 80.
  • Page 172: Ftp/Scp/Sftp Server Settings

    Software Configuration FTP/SCP/SFTP server settings NOTE For FIPS-enabled Fabric OS switches, you must configure the FTP/SCP/SFTP server communication to an external SCP server to download firmware and allow technical support. File Transfer Protocol (FTP) is a network protocol used to transfer data from one computer to another over a TCP computer network.
  • Page 173 Software Configuration Configuring an internal FTP server To configure the internal FTP server settings, complete the following steps. 1. Select Server > Options. The Options dialog box displays. 2. Select FTP/SCP/SFTP in the Category list. The FTP/SCP/SFTP pane displays (Figure 41).
  • Page 174 Software Configuration Configuring an internal SCP or SFTP server NOTE SCP is supported on Fabric OS devices running 5.3 and later. NOTE SFTP is supported on Fabric OS devices running 7.0 and later. To configure the internal SCP or SFTP server settings, complete the following steps. 1.
  • Page 175 Software Configuration Configuring an external FTP, SCP, or SFTP server NOTE For FIPS-enabled Fabric OS switches, you must configure the FTP/SCP/SFTP server communication to an external SCP or SFTP server to download firmware and allow technical support. NOTE SCP is supported on Fabric OS devices running 5.3 and later. NOTE SFTP is supported on Fabric OS devices running 7.0 and later.
  • Page 176 Software Configuration 5. To configure an external SCP server, complete the following steps. a. Select the SCP Server check box to configure the external SCP server. All fields are mandatory. b. Enter the IP address for the remote host in the SCP Host IP field. Enter a user name in the SCP Host User Name field.
  • Page 177: Server Port Settings

    Software Configuration • If you are using the external FTP server, select the Use external FTP/SCP/SFTP Server option. For step-by-step instructions about configuring the built-in server, refer to “Configuring an external FTP, SCP, or SFTP server” on page 127. 4. Click Test. An “FTP, SCP, or SFTP Server running successfully”...
  • Page 178: Support Mode Settings

    Software Configuration 5. Enter a port number in the Starting Port # field. The default is 24600. For Professional, the server requires 15 consecutive free ports beginning with the starting port number. For Trial and Licensed versions, the server requires 18 consecutive free ports beginning with the starting port number.
  • Page 179 Software Configuration 5. Click Apply or OK to save your work. NOTE Changes to the server log levels reset to the default (INFO) after a server restart. NOTE Changes to the Log client support data log level is applicable for this client only. client.
  • Page 180: Fips Support

    FIPS Support To manage FIPS-enabled Fabric OS fabrics and switches, make sure you complete the following configuration requirements: • Configure Product Communication to HTTPS (refer to “Configuring SAN communication” on page 122) to allow communication between the server and the Fabric OS switches. •...
  • Page 181: Disabling Fabric Tracking

    Fabric tracking • Device Ports—This table shows a brief summary of the device ports including status (whether the device port will be added or removed from the fabric), device type, port, port WWN, node WWN, and attached port number. •...
  • Page 182: Accepting Changes For All Fabrics

    Fabric tracking • Fabric Name—Displays the name of the selected fabric. • Switches—This table shows a brief summary of the switches including status (whether the device port will be added or removed from the fabric), name, IP address, WWN, and domain ID.
  • Page 183: Accepting Changes For A Switch, Access Gateway, Or Phantom Domain

    Fabric tracking Accepting changes for a switch, access gateway, or phantom domain 1. Accept the changes to a switch, access gateway, or phantom domain by choosing one of the following options: • Select the switch, access gateway, or phantom domain on the Product List or Connectivity Map and select Monitor >...
  • Page 185: User Account Management

    Chapter User Account Management In this chapter • Users overview..........137 •...
  • Page 186: Viewing Configured Users

    Users overview Viewing configured users To view configured users, complete the following steps. 1. Select Server > Users. The Users dialog box displays. 2. Click the Users tab, if necessary. FIGURE 46 Users dialog box - Users tab The Users dialog box contains the following fields and components: •...
  • Page 187 Users overview • Users table — The configured users. User ID — The unique name used to identify a user. Full Name — The user’s full name. Roles — List of roles the user belongs to, separated by commas. ...
  • Page 188 Users overview Default system roles for SAN only environments include: SAN System Administrator, Network Administrator, Security Administrator, Zone Administrator, Operator, Security Officer, Host Administrator. Description — A description of the role. Add button — Click to add a new role (refer to “Creating a new role”...
  • Page 189: User Accounts

    User accounts NOTE You must have User Management Read and Write privileges to add new accounts, set passwords for accounts, and apply roles to the accounts. For a list of privileges, refer to “User Privileges” on page 1097. Management application user accounts contain the identification of the Management application user, as well as privileges, roles, and AORs assigned to the user.
  • Page 190 User accounts 4. Enter a password for the user in the Password and Confirm Password fields. Passwords display as dots (.). For password policy details, refer to “Viewing your password policy” on page 163. 5. Select the Account Status - Enable check box to enable the account of the user. Account Status is enabled by default.
  • Page 191: Editing A User Account

    User accounts Editing a user account To make changes to an existing user account, complete the following steps. 1. Select Server > Users. The Users dialog box displays. 2. Select the user account you want to edit and click Edit under the Users table. The Edit User dialog box displays.
  • Page 192: Copying And Pasting User Preferences

    User accounts Copying and pasting user preferences Enables you to copy user preference settings, such as window and dialog box sizes, table column and sort order, as well as other customizations, and all the user-defined views (including fabrics and hosts) from the selected user account to one or more other user accounts. If the fabric and hosts from the original user account are not included in the other user's AOR, then the copied fabrics and hosts do not display in the other user's views.
  • Page 193: Removing Roles And Areas Of Responsibility From A User Account

    User accounts 4. Click OK to save the user account and close the Edit User dialog box. If you make changes to the user’s role or AOR while the user is logged in, a confirmation message displays. When you click OK on the confirmation message, the user is logged out and must log back in to see the changes.
  • Page 194: Enabling A User Account

    User accounts Enabling a user account To re-activate a user account, complete the following steps. 1. Select Server > Users. The Users dialog box displays. 2. Select the disabled user account you want to enable in the Users table and click Enable. 3.
  • Page 195: Roles

    Roles NOTE You must have User Management Read and Write privileges to view, add, modify, or delete roles. A role is a group of Management application tasks or privileges that can be assigned to several users who have similar functions. When you create a role, it immediately becomes available in the Users dialog box.
  • Page 196: Editing A Role

    Roles 6. Click OK to save the new role and close the Add Role dialog box. The new role displays in the Roles list of the Users dialog box. To add users to this role, follow the instructions in “Assigning roles and areas of responsibility to a user account” on page 144.
  • Page 197: Deleting A Role

    Roles Deleting a role To delete a role, complete the following steps. 1. Select Server > Users. The Users dialog box displays. 2. Select the role you want to delete in the Roles table and click Delete. 3. Click Yes on the confirmation message. 4.
  • Page 198: Removing Privileges From A Role

    Areas of responsibility Removing privileges from a role You remove privileges from the Edit or Duplicate Users dialog boxes. To remove privileges from a role, complete the following steps. 1. Select Server > Users. The Users dialog box displays. 2. Select the role you want to edit in the Roles table and click Edit or Duplicate under the Roles table.
  • Page 199: Creating An Aor

    Areas of responsibility Creating an AOR When creating an AOR, you assign devices or groups to that AOR. After you save the AOR, it can be assigned to one or more user accounts. Users of those accounts can then view the devices or groups in their assigned AOR.
  • Page 200: Editing An Aor

    Areas of responsibility Editing an AOR NOTE You cannot edit system AORs. To make changes to an existing AOR, complete the following steps. 1. Select Server > Users. The Users dialog box displays. 2. Select the AOR you want to edit in the AOR table and click Edit. The Edit AOR dialog box displays.
  • Page 201: Deleting An Aor

    Areas of responsibility Deleting an AOR NOTE You cannot delete system AORs. To delete an AOR, complete the following steps. 1. Select Server > Users. The Users dialog box displays. 2. Select the AOR you want to delete in the AOR table and click Delete. 3.
  • Page 202: Password Policies

    Password policies 3. In the Selected Products table, select the products or groups you want to remove and click the left arrow button. Select multiple products or groups by holding down the CTRL key and clicking more than one item. 4.
  • Page 203 Password policies b. Enter the minimum password length in the Minimum Length field. Only enabled when the Empty Password - Allow check box is clear. Valid values are 4 through 127. The default is 8. Enter the minimum number of uppercase characters required in the Upper Case Characters field.
  • Page 204: Viewing Password Policy Violators

    Password policies Configure the password login policy by completing the following steps. a. Select Concurrent Login or Single Login from the Login Mode list. Single Login allows only one user to log in at a time. If you selected Single Login, continue with step b.
  • Page 205: Ldap Authorization On The Management Server

    LDAP authorization on the Management server LDAP authorization on the Management server NOTE You must have User Management Read and Write privileges to map roles and AORs to Active Directory (AD) groups. NOTE You must configure an LDAP server as the primary authentication server and set LDAP Authorization as the authorization preference (refer to “Configuring LDAP server authentication”...
  • Page 206: Removing Roles And Aors From An Ad Group

    LDAP authorization on the Management server Removing roles and AORs from an AD group To remove roles and AORs from an AD group, complete the following steps. 1. Select Server > Users. The Users dialog box displays. 2. Click the LDAP Authorization tab. 3.
  • Page 207: Deleting An Ad Group

    LDAP authorization on the Management server Deleting an AD group Deleting an AD group deletes the roles and AORs assigned to the group and removes the group from the Active Directory Groups table. To delete an AD group, complete the following steps. 1.
  • Page 208: Defining User Accounts On The External Ldap Server

    LDAP authorization on the Management server Defining user accounts on the external LDAP server If you configure the external LDAP server as the primary authentication server in the server management console, you must define roles and AORs in the external LDAP server to match the Management application roles and AORs.
  • Page 209: User Profiles

    User profiles Configuring authorization details on the external LDAP server Open the ADSI Edit dialog box on the Active Directory installed server. 1. Select Start > Run. 2. Type adsiedit.msc and press Enter. 3. Right-click CN=User_Name in the CN=Users directory and select Properties. Where User_Name is the name of the user you created in “Creating an AD user account”...
  • Page 210: Editing Your User Profile

    User profiles • Full Name — Displays the name if entered while adding a user; otherwise, this field is blank. • Password — Displays your password as dots (.). If the password policy is configured for an empty password, this field is blank. To change your password, refer to “Changing your password”...
  • Page 211: Changing Your Password

    User profiles Click Filter to set up basic event filters. For step-by-step instructions about setting up basic event filters, refer to “Setting up basic event filtering” on page 975. 8. Change your e-mail, text message, or page address in the E-mail Address field. Enter more than one e-mail address, separating each with a semi-colon.
  • Page 212: Resetting Optional Messages

    User profiles • Minimum Length—The minimum length allowed for the password. • Upper Case Characters—The minimum number of uppercase characters required in the password. • Lower Case Characters—The minimum number of lowercase characters required in the password. • Number of Digits—The minimum number of digits required in the password. •...
  • Page 213 User profiles 4. Enter your e-mail, text message, or page address in the E-mail Address field. Enter more than one e-mail address, separating each with a semi-colon. To send a text message or page via e-mail, use the following format number@carrier.com, where number is your phone number and carrier.com is the SMS server.
  • Page 215: Call Home

    Chapter Call Home In this chapter • About Call Home ..........168 •...
  • Page 216: About Call Home

    About Call Home About Call Home NOTE Call Home is supported on Windows systems for all modem and e-mail Call Home centers and is supported on UNIX for the e-mail Call Home centers. Call Home notification allows you to configure the Management application server to automatically send an e-mail alert or dial in to a support center to report system problems on specified devices (Fabric OS switches, routers, and directors).
  • Page 217: System Requirements

    Viewing Call Home configurations Call Home allows you to perform the following tasks: • Assign devices to and remove devices from the Call Home centers. • Define filters from the list of events generated by Fabric OS devices. • Edit and remove filters available in the Call Home Event Filters table. •...
  • Page 218 Viewing Call Home configurations • Products List — Displays all discovered products. The list allows for multiple selections and manual sorting of columns. This list displays the following information: Product Icon — The status of the products’ manageability. Name — The name of the product. ...
  • Page 219 Viewing Call Home configurations • Call Home Centers list — The Call Home centers, products assigned to the Call Home centers, and event filters assigned to the Call Home centers and products. This list displays the following information: Centers — A tree with Call Home centers as the parent node, assigned products as...
  • Page 220: Showing A Call Home Center

    Showing a Call Home center Showing a Call Home center To show a Call Home center, complete the following steps. 1. Select Monitor > Event Notification > Call Home. The Call Home dialog box displays. 2. Click Show/Hide Centers (beneath the Call Home Centers list). The Centers dialog box displays with a predefined list of Call Home centers (Figure 51).
  • Page 221: Editing A Call Home Center

    Editing a Call Home center Editing a Call Home center To edit a Call Home center, select from the following procedures: • Editing the IBM Call Home center ....... . 173 •...
  • Page 222: Editing An E-Mail Call Home Center

    Editing a Call Home center 8. Enter how often you want to retry the heartbeat interval in the Retry Interval field. The default is 10 seconds. 9. Enter the maximum number of retries in the Maximum Retries field. The default is 3. 10.
  • Page 223 Editing a Call Home center FIGURE 53 Configure Call Home Center dialog box (Brocade, IBM, NetApp, or Oracle E-mail option) 4. Make sure the Call Home center type you selected displays in the Call Home Centers list. If the Call Home center type is incorrect, select the correct type from the list. 5.
  • Page 224 Editing a Call Home center 16. Enter an e-mail address in the E-mail Notification Settings - Send To Address field. For Brocade E-mail Call Home centers, enter callhomeemail@brocade.com. 17. Click Send Test to test the mail server. The selected Call Home center must be enabled to test the mail server. A faked event is generated and sent to the selected Call Home center.
  • Page 225 Editing a Call Home center Source — Details about the product. Includes the following data: Firmware Version, Supplier Serial number, Factory Serial number, IP Address, Model number, Type, Product Name, Product WWN, Ethernet IP...
  • Page 226: Editing The Emc Call Home Center

    Editing a Call Home center Editing the EMC Call Home center To edit an EMC Call Home center, complete the following steps. 1. Select Monitor > Event Notification > Call Home. The Call Home dialog box displays. 2. Select the EMC Call Home center you want to edit in the Call Home Centers list. 3.
  • Page 227: Editing The Hp Lan Call Home Center

    Editing a Call Home center 13. Click OK. The Call Home dialog box displays with the Call Home center you edited highlighted in the Call Home Centers list. 14. Click OK to close the Call Home dialog box. Editing the HP LAN Call Home center To edit an HP LAN Call Home center, complete the following steps.
  • Page 228: Enabling A Call Home Center

    Enabling a Call Home center 8. Click Send Test to test the address. The selected Call Home center must be enabled to test the IP address. A faked event is generated and sent to the selected Call Home center. You must contact the Call Home center to verify that the event was received and in the correct format.
  • Page 229: Testing The Call Home Center Connection

    Testing the Call Home center connection Testing the Call Home center connection Once you add and enable a Call Home center, you should verify that Call Home is functional. To verify Call Home center functionality, complete the following steps. 1. Select Monitor > Event Notification > Call Home. 2.
  • Page 230: Viewing Call Home Status

    Viewing Call Home status Viewing Call Home status You can view Call Home status from the main Management application window or from the Call Home Notification dialog box. The Management application enables you to view the Call Home status at a glance by providing a Call Home status icon on the status bar.
  • Page 231: Assigning A Device To The Call Home Center

    Assigning a device to the Call Home center Assigning a device to the Call Home center Discovered devices (switches, routers, and directors) are not assigned to a corresponding Call Home center automatically. You must manually assign each device to a Call Home center before you use Call Home.
  • Page 232: Defining An Event Filter

    Defining an event filter 3. Click the left arrow button. A confirmation message displays. 4. Click OK. All devices assigned to the selected Call Home center display in the Products List. Any assigned filters are also removed. 5. Click OK to close the Call Home dialog box. Defining an event filter To define an event filter, complete the following steps.
  • Page 233: Assigning An Event Filter To A Call Home Center

    Assigning an event filter to a Call Home center Assigning an event filter to a Call Home center Event filters allow Call Home center users to log in to a Management server and assign specific event filters to the devices. This limits the number of unnecessary or “acknowledge” events and improves the performance and effectiveness of the Call Home center.
  • Page 234: Overwriting An Assigned Event Filter

    Overwriting an assigned event filter Overwriting an assigned event filter A device can only have one event filter at a time; therefore, when a new filter is applied to a device that already has a filter, you must confirm the new filter assignment. To overwrite an event filter, complete the following steps.
  • Page 235: Removing An Event Filter From A Device

    Removing an event filter from a device Removing an event filter from a device To remove an event filter from a device, complete the following steps. 1. Select Monitor > Event Notification > Call Home. The Call Home dialog box displays. 2.
  • Page 237: Dashboard Management

    Chapter Dashboard Management In this chapter • Dashboard overview ......... . . 189 •...
  • Page 238 Dashboard overview FIGURE 56 Dashboard tab 1. Menu bar — Lists commands you can perform on the dashboard. For a list of Dashboard tab menu commands, refer to “Dashboard main menus” on page 1061. The dashboard also provides a shortcut menu to reset the dashboard back to the defaults. Reset the dashboard back to the default settings by right-clicking in the white space and selecting Reset to Default.
  • Page 239: Dashboard Toolbar

    Dashboard overview Dashboard toolbar The toolbar (Figure 57) is located beneath the menu bar and provides icons and buttons to perform various functions. FIGURE 57 Toolbar Depending on which dashboard you are using, the toolbar contains the following buttons: 1. Dashboard list — Select one of the following to choose the dashboard you want to view. •...
  • Page 240 Dashboard overview 3. Click the Performance tab (Figure 58). The preconfigured performance monitor widgets display. You can create up to 100 performance monitors; however, you can only display up to 30 performance monitors. For more information about performance monitor widgets, refer to “Performance Dashboard monitors”...
  • Page 241: General Functions

    Dashboard overview General functions The Management application also provides the following general functions which are applicable to all widgets and monitors: • Preference persistence — Any customization you make to the Dashboard tab or Performance Dashboard is persisted in that dashboard. For example, if you customize both dashboards to display the Events widget and set the Range to This Hour in the Dashboard tab and set it to Last 30 Days in the Performance Dashboard, then these preferences persist when you log off and log back in again.
  • Page 242: Printing The Dashboard Display

    Dashboard widgets 4. Click Save. The file is saved to the location you selected. Printing the dashboard display You can print the current dashboard display (all widgets and monitors) or a selected widget or monitor. 1. Select one of the following options from the Print list: •...
  • Page 243: Bottlenecked Ports Widget

    Dashboard widgets Bottlenecked Ports widget The Bottlenecked Ports widget (Figure 59) displays the bottlenecked port violations for the specified fabric and time range in a table. FIGURE 59 Bottlenecked Ports widget The Bottlenecked Ports widget includes the following data: • Severity icon/violation count/widget title —...
  • Page 244: Events Widget

    Dashboard widgets Customizing the Bottlenecked Ports widget You can customize the widget to display data for a specific fabric and duration. • Display data by selecting the fabric you want to monitor from the Show list. Select All Fabrics to include all managed and monitored fabrics in your AOR. The default is All Fabrics.
  • Page 245 Dashboard widgets • Range list — Use to customize this widget to display a specific time range. Options include: This Hour, Last Hour, Today, Yesterday, Last 7 Days, and Last 30 Days. • Show Syslog check box — Select to include Syslog information (default) on the Event Summary. •...
  • Page 246: Host Adapter Inventory Widget

    Dashboard widgets • Include Syslog information (default) on the Event Summary pane by selecting the Show Syslog check box. To exclude Syslog information, clear the Show Syslog check box. Accessing additional data from the Events widget Double-click a bar in the Events widget to navigate to an event custom report (HTML) that displays the events corresponding to the event type selected.
  • Page 247 Dashboard widgets Customizing the Host Adapter Inventory widget You can customize the Host Adapter Inventory widget to display product inventory for a specific grouping. The group type and number of products in the group displays to the left of the associated bar;...
  • Page 248: San Inventory Widget

    Dashboard widgets SAN Inventory widget The SAN Inventory widget (Figure 63) displays the SAN products inventory as stacked bar graphs. FIGURE 63 SAN Inventory widget The SAN Inventory widget includes the following data: • Severity icon/product count/widget title — The color of the worst severity followed by the number of products with that severity displays before the widget title.
  • Page 249: San Status Widget

    Dashboard widgets • Change the grouping by selecting one of the following from the Group By list: Firmware — The product inventory by firmware release. Model — The product inventory by model. Location — The product inventory by physical location. Contact —...
  • Page 250: Viewing Additional San Product Data

    Dashboard widgets • Pie chart — The device status as a percentage of the total number of devices. The pie chart displays the percentage in various colors on each slice. Tooltips showing the number of devices in that state are shown when you pause on the slice. When there is one status category with less than one percent of the total number of devices, the status widget displays the number of devices in each category on each slice.
  • Page 251: Status Widget

    Dashboard widgets Status widget The Status widget (Figure 65) displays the number of products managed and the number of events within the selected event time range. FIGURE 65 Status widget The Status widget displays the following items for each product license: •...
  • Page 252: Performance Dashboard Monitors

    Performance Dashboard monitors Customizing the VM Alarms widget You can customize the VM Alarms widget to display data for a specific fabric and duration. • Display data by fabric by selecting the fabric you want to monitor from the Show list. Select All Fabrics to include all managed and monitored fabrics in your AOR.
  • Page 253: Launching The Performance Dashboard

    Performance Dashboard monitors • Top Port Encode Error Out — Table view of the encode error out measure (All SAN FC port collector) • Top Port Errors — Table view of the errors measure (port error count collector) • Top Port Link Failures — Table view of the top port link failures (All SAN FC port collector) •...
  • Page 254: Top Port C3 Discards Monitor

    Performance Dashboard monitors Top Port C3 Discards monitor The Top Port C3 Discards monitor (Figure 66) displays the top ports with Class 3 frames discarded in a table. FIGURE 66 Top Port C3 Discards monitor The Top Port C3 Discards monitor includes the following data: •...
  • Page 255: Top Port C3 Discards Rx To Monitor

    Performance Dashboard monitors Top Port C3 Discards RX TO monitor The Top Port C3 Discards RX TO monitor (Figure 67) displays the top ports with receive Class 3 frames received at this port and discarded at the transmission port due to timeout in a table. FIGURE 67 Top Port C3 Discards RX TO monitor The Top Port C3 Discards RX TO monitor includes the following data:...
  • Page 256: Top Port Crc Errors Monitor

    Performance Dashboard monitors • Double-click a row to navigate to the SAN Historical Graphs/Tables dialog box. For more information, refer to “Performance Data” on page 895. Top Port CRC Errors monitor The Top Port CRC Errors monitor (Figure 68) displays the top ports with frames that contain cyclic redundancy check (CRC) errors in a table.
  • Page 257: Top Port Encode Error Out Monitor

    Performance Dashboard monitors • Double-click a row to navigate to the SAN Historical Graphs/Tables dialog box. For more information, refer to “Performance Data” on page 895. Top Port Encode Error Out monitor The Top Port Encode Error Out monitor (Figure 69) displays the top ports with encoding errors outside of frames in a table.
  • Page 258: Top Port Errors Monitor

    Performance Dashboard monitors • Double-click a row to navigate to the SAN Historical Graphs/Tables dialog box. For more information, refer to “Performance Data” on page 895. Top Port Errors monitor The Top Port Errors monitor (Figure 70) displays the top ports with receive and transmit errors in a table.
  • Page 259: Top Port Link Failures Monitor

    Performance Dashboard monitors • Double-click a row to navigate to the Historical Graphs/Tables dialog box. For more information, refer to “Performance Data” on page 895. Top Port Link Failures monitor The Top Port Link Failures monitor (Figure 71) displays the top ports with link failures in a table. FIGURE 71 Top Port Link Failures monitor The Top Port Link Failures monitor includes the following data:...
  • Page 260: Top Port Link Resets Monitor

    Performance Dashboard monitors • Double-click a row to navigate to the SAN Historical Graphs/Tables dialog box. For more information, refer to “Performance Data” on page 895. Top Port Link Resets monitor The Top Port Link Resets monitor (Figure 72) displays the top ports with link resets in a table. FIGURE 72 Top Port Link Resets monitor The Top Port Link Resets monitor includes the following data:...
  • Page 261: Top Port Sync Losses Monitor

    Performance Dashboard monitors • Double-click a row to navigate to the SAN Historical Graphs/Tables dialog box. For more information, refer to “Performance Data” on page 895. Top Port Sync Losses monitor The Top Port Sync Losses monitor (Figure 72) displays the top ports with synchronization failures in a table.
  • Page 262: Top Port Traffic Monitor

    Performance Dashboard monitors • Double-click a row to navigate to the SAN Historical Graphs/Tables dialog box. For more information, refer to “Performance Data” on page 895. Top Port Traffic monitor The Top Port Traffic monitor (Figure 74) displays the top ports with receive and transmit traffic in a table.
  • Page 263: Top Port Utilization Percentage Monitor

    Performance Dashboard monitors • Double-click a row to navigate to the Historical Graphs/Tables dialog box. For more information, refer to “Performance Data” on page 895. Top Port Utilization Percentage monitor The Top Port Utilization monitor (Figure 75) displays the top port utilization percentages in a table. FIGURE 75 Top Port Utilization monitor The Top Port Utilization monitor includes the following data:...
  • Page 264: Top Product Cpu Utilization Monitor

    Performance Dashboard monitors Top Product CPU Utilization monitor The Top Product CPU Utilization monitor (Figure 76) displays the top product CPU utilization percentages in a table. FIGURE 76 Top Product CPU Utilization monitor The Top Product CPU Utilization monitor includes the following data: •...
  • Page 265: Top Product Memory Utilization Monitor

    Performance Dashboard monitors Accessing additional data from the Top Product CPU Utilization monitor • Right-click a row in the monitor to access the shortcut menu available for the associated device. For more information about shortcut menus, refer to “Application menus” on page 1061.
  • Page 266: Top Product Response Time Monitor

    Performance Dashboard monitors • Location — The location of the product. • Contact — A contact name for the product. • Refreshed — The refresh time and selected time range for the monitor. To customize the monitor to display data by a selected time frame as well as customize the display options, refer to “Editing a preconfigured performance monitor”...
  • Page 267: Top Product Temperature Monitor

    Performance Dashboard monitors • Status — The product status (for example, Reachable). • Tag — The product tag. • Serial # — The serial number of the product. • Model — The product model. • Port Count — The number of ports on the product. •...
  • Page 268: Editing A Preconfigured Performance Monitor

    Performance Dashboard monitors • Temperature — The top temperatures. • Max — The maximum value of the measure in the specified time range. • Fabric — The fabric to which the device belongs. • Product Type — The type of product (for example, switch). •...
  • Page 269 Performance Dashboard monitors • Last 12 Hours — Displays data for the previous 12 hours beginning when you launch the dashboard. • Last 24 Hours — Displays data for the previous 24 hours beginning when you launch the dashboard. 3. (Top or Bottom performance monitors only) Select the number of products to include in a selected measure by entering a number in the For Top N, Bottom N Monitors, N= field.
  • Page 270: User-Defined Performance Monitors

    User-defined performance monitors User-defined performance monitors The Performance Dashboard makes it easy for you to customize performance monitors specific to your needs. You can define up to 100 performance monitors; however, you can only display up to 30 performance monitors at a time. Top or bottom product performance monitors The top or bottom product performance monitors (Figure...
  • Page 271: Top Or Bottom Port Performance Monitors

    User-defined performance monitors • Port Count — The number of ports on the product. • Firmware — The firmware level running on the product. • Location — The location of the product. • Contact — A contact name for the product. •...
  • Page 272: Distribution Performance Monitors

    User-defined performance monitors • Measure_Type — The percentage bar of the selected measure. Depending on the selected measure, more than one Measure_Type may display. By default, ports display sorted by the Measure_Type value (Top ports sort from highest to lowest and bottom ports sort lowest to highest). Click a column head to sort the columns by that value.
  • Page 273 User-defined performance monitors The distribution performance monitor includes the following data: • Monitor title — The user-defined monitor title. • Number of Products/Ports (y-axis) — The y-axis always displays a numbered range (zero to the maximum number of objects) for the products or ports affected by the selected measure. •...
  • Page 274: Time Series Performance Monitors

    User-defined performance monitors Accessing additional data from the Distribution monitors • Place the cursor on a bar in the graph to display the number of products included in the count for the selected bar. For example, the tooltip “(Data Item 3, 22.6-33.8) = 6” means that there are six products within the third percentage range (displays the temperatures within the percentage range) for the selected measure (product temperature).
  • Page 275: Configuring A User-Defined Product Performance Monitor

    User-defined performance monitors Configuring a user-defined product performance monitor 1. Select Monitor > Performance > Dashboard. The Performance Dashboard displays in a new window. 2. Click the Customize Dashboard icon. The Customize Dashboard dialog box displays. 3. Click the Performance tab. 4.
  • Page 276 User-defined performance monitors • Last 12 Hours — Displays data for the previous 12 hours beginning when you launch the dashboard. • Last 24 Hours — Displays data for the previous 24 hours beginning when you launch the dashboard. 9. (Top N and Bottom N monitors only) Select the number of products to include in a selected measure by entering a number in the For Top N, Bottom N Monitors, N= field.
  • Page 277: Adding Targets To A User-Defined Performance Monitor

    User-defined performance monitors 13. (Time series monitors only) Remove targets from the monitor by selecting one or more targets in the Targets list and clicking Remove. 14. Click OK on the Add Performance Dashboard Monitor dialog box. The Customize Dashboard dialog box displays with the new monitor in the Performance Monitors list.
  • Page 278: Configuring A User-Defined Port Performance Monitor

    User-defined performance monitors 9. Click the SAN tab. 10. Select SAN targets from the Available SAN Sources list. 11. Click the right arrow button to move the targets to the Selected Sources list. 12. Select FCIP targets from the Available list. 13.
  • Page 279 User-defined performance monitors 6. Select the port measure for the monitor in the Measure area: Common: Port Utilization Percentage, Traffic, CRC Errors, Link Resets... FCIP: Compression Ratio, Latency, Dropped Packets, Link Retransmits, Timeout Retransmits...
  • Page 280: Viewing Product Distribution Data Details

    User-defined performance monitors 9. (Top N, Bottom N, and Distribution monitors only) Configure the monitor to show only values greater than or less than a specified value by completing the following steps. a. Select the Show values check box. b. Select greater than or less than from the list. Enter a value in the field.
  • Page 281: Viewing Port Distribution Data Details

    User-defined performance monitors • Measure_Type — This column depends on which measure you select for the monitor. Memory Utilization Percentage — The memory utilization percentage for the product. CPU Utilization Percentage — The CPU utilization percentage for the product. ...
  • Page 282 User-defined performance monitors Signal Losses — The number of signal failures. Sync Losses — The number of synchronization failures. Link Failures — The number of link failures. Sequence Errors — The number of sequence errors. Invalid Transmissions — The number of invalid transmissions. C3 Discards —...
  • Page 283 User-defined performance monitors MAC Errors — The number of MAC errors. Back Packets Received — The number of bad packets received. Tx Errors — The number of transmit errors. • Product — The product affected by this monitor. • Type — The type of port (for example, U-Port). •...
  • Page 285: In This Chapter

    Chapter View Management In this chapter • SAN tab overview..........237 •...
  • Page 286 SAN tab overview FIGURE 84 Main window - SAN tab 1. Menu bar — Lists commands you can perform on the SAN tab. Some menu items display as disabled unless you select the correct object from the product list or topology map. For a list of the many functions available on each menu, refer to “SAN main menus”...
  • Page 287: San Main Toolbar

    SAN tab overview 9. Connectivity Map — Displays the topology, including discovered and monitored devices and connections. For more information, refer to “Connectivity Map” on page 243. 10. Master Log — Displays all events that have occurred on the Management application. For more information, refer to “Master Log”...
  • Page 288: View All List

    SAN tab overview View All list The View All list is located at the top left side of the window and enables you to create, copy, or edit a view, select how to view the Product list (All Levels, Products and Ports, Products Only, or Ports Only) and to select which view you want to display in the main window.
  • Page 289: Port Display Buttons

    SAN tab overview Port Display buttons The Port Display buttons are located at the top right of the Product List and enable you to configure how ports display. You have the option of viewing connected (or occupied) product ports, unoccupied product ports, or attached ports. Not enabled until you discover a fabric or host. NOTE Occupied/connected ports are those that originate from a device, such as a switch.
  • Page 290: Product List

    SAN tab overview Product List The Product List, located on the SAN tab, displays an inventory of all discovered devices and ports. The Product List is a quick way to look up product and port information, including serial numbers and IP addresses. To display the Product List, select View >...
  • Page 291: Connectivity Map

    SAN tab overview • Symbolic Name — Displays the symbolic name for the port. • TAG — Displays the tag number of the product. • Vendor — Displays the name of the product’s vendor. • WWN — Displays the world wide name of the product or port. •...
  • Page 292: Utilization Legend

    SAN tab overview Connectivity Map functions • Two-way selection — When you select an icon on the Topology Map, that device is highlighted in the Product List and vice versa. • Device double-click — Double-click a device to launch Web Tools for the selected device. •...
  • Page 293: Master Log

    SAN tab overview Master Log The Master Log, which displays in the lower left area of the main window, lists the events and alerts that have occurred on the SAN. If you do not see the Master Log, select View > Show Panels > All Panels or press F5.
  • Page 294: Minimap

    SAN tab overview Minimap The Minimap, which displays in the lower right corner of the main window, is useful for getting a bird’s-eye view of the topology, or to quickly jump to a specific place on the topology. To jump to a specific location on the topology, click that area on the Minimap.
  • Page 295: Status Bar

    SAN tab overview Status bar The status bar displays at the bottom of the main window. The status bar provides a variety of information about the SAN and the application. The icons on the status bar change to reflect different information, such as the current status of products, fabrics, and backup. FIGURE 91 Status Bar The icons on your status bar will vary based on the licensed features on your system.
  • Page 296: Icon Legend

    Icon legend 10. Call-Home Status — (Trial and Licensed version only) Displays a call home status icon when one or more products are discovered, which allows you to determine the current call home status. Click to launch the Call Home Notification dialog box. For more information about Call Home status and icons, refer to “Viewing Call Home status”...
  • Page 297: Host Product Icons

    Icon legend Host product icons The following table lists the manageable Host product icons that display on the topology. Fabric OS manageable devices display with blue icons. Unmanageable devices display with gray icons. Some of the icons shown only display when certain features are licensed. TABLE 31 Icon Description...
  • Page 298: Host Group Icons

    Icon legend Host group icons The following table lists the manageable Host product group icons that display on the topology. TABLE 33 Icon Description Icon Description Host Group SAN port icons The following table lists the port icons that display in the Product List. TABLE 34 Icon Description...
  • Page 299: Event Icons

    Icon legend TABLE 35 Icon Status Down/Failed Routed In Routed Out Unknown/Link Down Unreachable Event icons The following table lists the event icons that display on the topology and Master Log. For more information about events, refer to “Fault Management” on page 973.
  • Page 300: Customizing The Main Window

    Customizing the main window Customizing the main window You can customize the main window to display only the data you need by displaying different levels of detail on the Connectivity Map (topology) or Product List. Zooming in and out of the Connectivity Map You can zoom in or out of the Connectivity Map to see products and ports.
  • Page 301: Showing Levels Of Detail On The Connectivity Map

    Customizing the main window Showing levels of detail on the Connectivity Map You can configure different levels of detail on the Connectivity Map, making device management easier. Viewing fabrics To view only fabrics, without seeing groups, products, or ports, select View > Show > Fabrics Only. Viewing groups To view only groups and fabrics, without seeing products or ports, select View >...
  • Page 302 Customizing the main window • Export information from the table • Search for information • Expand the table to view all information • Collapse the table Displaying columns To only display specific columns, complete the following steps. 1. Right-click anywhere in the table and select Customize or Table > Customize. The Customize Columns dialog box displays.
  • Page 303 Customizing the main window Changing the order of columns To change the order in which columns display, choose from one of the following options. Rearrange columns in a table by dragging and dropping the column to a new location. 1. Right-click anywhere in the table and select Customize or Table > Customize. The Customize Columns dialog box displays.
  • Page 304 Customizing the main window Exporting table information You can export the entire table or a specific row to a text file. 1. Choose from one of the following options: • Right-click anywhere in the table and select Table > Export Table. •...
  • Page 305: San Product List Customization

    SAN Product List customization SAN Product List customization You can customize the Product List on the SAN tab to display only the data you need by adding, editing, and deleting property labels. You can also edit property fields to change information. Adding a property label You can add a new column to the Product List.
  • Page 306: Search

    Search Search You can search for objects by text or regular expression. • Text—Enter a text string in the search text box. This search is case sensitive. For example, if you are searching for a device in the Product List, you can enter the first five characters in a device name.
  • Page 307: Restricting A Search By Node

    Search 2. Choose one of the following options: • Select Text from the search list and enter a text string in the search text box. This search is case sensitive. • Select Regular Expression from the search list and enter a Unicode regular expression in the search text box.
  • Page 308: Clearing Search Results

    SAN view management overview 2. Enter your search criteria in the search field. • Text—Enter a text string in the search text box. This search is case sensitive. For example, you can enter the first five characters in a device name. All products in the Product List that contain the search text display highlighted.
  • Page 309 SAN view management overview 1. Select View > Manage View > Create View. The Create View dialog box displays. FIGURE 95 Create View dialog box - Fabrics tab 2. Enter a name (128-character maximum) in the Name field and a description (126-character maximum) in the Description field for the view.
  • Page 310: Editing A Customized View

    SAN view management overview 6. In the Available Hosts table, select the hosts you want to include in the view and click the right arrow button to move your selections to the Selected Fabrics and Hosts table. The Available Hosts table displays the name, IP address, network address of the available hosts and the fabric in which the host is located.
  • Page 311: Deleting A Customized View

    SAN view management overview FIGURE 98 Edit View dialog box - Hosts tab 5. In the Available Hosts table, select the fabrics you want to include in the view and use the right arrow button to move your selections to the Selected Fabrics and Hosts table. The Available Hosts table displays the name, IP address, network address of the available hosts and the fabric in which the host is located.
  • Page 312: Copying A View

    SAN view management overview Copying a view To copy a customized view, use the following procedure. 1. Use one of the following methods to open the Copy View dialog box: • Select View > Manage View > Copy View > View_Name. •...
  • Page 313: San Topology Layout

    SAN topology layout Click OK to save your changes and close the Copy View dialog box. NOTE When you open a new view, the SAN tab displays with a gray screen over the Product List and Topology Map while data is loading. 8.
  • Page 314: Customizing The Layout Of Devices On The Topology

    SAN topology layout • Port Display. Select to configure how ports display. Occupied Product Ports. Select to display the ports of the devices in the fabrics (present in the Connectivity Map) that are connected to other devices. UnOccupied Product Ports. Select to display the ports of the devices (shown in the Connectivity Map) that are not connected to any other device.
  • Page 315: Customizing The Layout Of Connections On The Topology

    SAN topology layout • Square. Select to display the device icons in a square configuration. Default for Host and Storage groups. • Vertical. Select to display the device icons vertically. • Horizontal. Select to display the device icons horizontally. • Most Connected at Center.
  • Page 316: Reverting To The Default Background Color

    SAN topology layout FIGURE 101 Choose a background color dialog box 3. Select a color from the swatches tab and click OK. • To specify a color based on hue, saturation, and value, click the HSV tab. Specify the hue (0 to 359 degrees), saturation (0 to 100%), value (0 to 100%), and transparency (0 to 100%).
  • Page 317: Changing The Product Label

    SAN topology layout Changing the product label To change the product label, complete the following steps. 1. Select a product in the Connectivity Map or Product List. 2. Select View > Product Label, and select one of the following options: •...
  • Page 318: Grouping On The Topology

    Grouping on the topology 2. Repeat step 1 to select more than one port display option. Grouping on the topology To simplify management, devices display in groups. Groups are shown with background shading and are labeled appropriately. You can expand and collapse groups to easily view a large topology. Collapsing groups To collapse a single group on the topology, choose one of the following options: •...
  • Page 319: Configuring Custom Connections

    Grouping on the topology Configuring custom connections NOTE Active zones must be available on the fabric. To create a display of the connected end devices participating in a single zone or group of zones, complete the following steps. 1. Select a fabric on the topology and select View > Connected End Devices > Custom. The Connected End Devices - Custom display for Fabric dialog box displays with a list of devices participating in a single zone or a group of zones in the Zones in Fabric list.
  • Page 321: About Third-Party Tools

    Chapter Third-party tools In this chapter • About third-party tools ......... . 273 •...
  • Page 322: Starting Third-Party Tools From The Application

    Starting third-party tools from the application Starting third-party tools from the application You can open third-party tools from the Tools menu or a device’s shortcut menu. Remember that you cannot open a tool that is not installed on your computer. You must install the tool on your computer and add the tool to the Tools menu or the device’s shortcut menu.
  • Page 323: Launching An Element Manager

    Launching an Element Manager Launching an Element Manager Element Managers are used to manage Fibre Channel switches and directors. You can open a device’s Element Manager directly from the application. To launch a device’s Element Manager, complete the following steps. On the Connectivity Map, double-click the device you want to manage.
  • Page 324: Launching Fcr Configuration

    Launching FCR configuration 1. Select a Fabric OS device. 2. Select Configure > Element Manager > Hardware. Web Tools displays. 1. Select a Fabric OS device. 2. Click the Element Manager icon on the toolbar. Web Tools displays. NOTE When you close the Management application client, any Web Tools instance launched from the clients closes as well.
  • Page 325: Launching Name Server

    Launching Name Server 1. Select a Fabric OS device. 2. Select Configure > Element Manager > Router Admin. The FC Routing module displays. NOTE When you close the Management application client, any Web Tools instance launched from the clients closes as well. Launching Name Server Use Name Server to view entries in the Simple Name Server database.
  • Page 326: Launching Hcm Agent

    Launching HCM Agent Launching HCM Agent Use Fabric OS HCM Agent to enable and manage Fabric OS HBAs. You can open HCM Agent directly from the application. For more information about HCM Agent, refer to the HCM Agent Administrator’s Guide. For more information about Fabric OS HBAs, refer to the documentation for the specific device.
  • Page 327: Adding A Tool

    Adding a tool 1. Select a Fabric OS device. 2. Select Monitor > Fabric Watch > Configure. Fabric Watch displays. Adding a tool You can specify third-party tools so they appear on the Setup Tools dialog box. From there, you can add them to the Tools menu and then open the tools directly from the Management application.
  • Page 328: Entering The Server Ip Address Of A Tool

    Entering the server IP address of a tool Entering the server IP address of a tool If the third-party tool is a web-based application, you must enter the IP address of the application server as a parameter to be able to open the application. To enter the server IP address, complete the following steps.
  • Page 329 Adding an option to the Tools menu FIGURE 103 Setup Tools dialog box (Tools menu tab) 3. Type a label for the option as you want it to appear on the Tools menu in the Menu Text field. 4. Select the application from the Tool list, or click Define if you want to specify a new tool. To specify a new tool, refer to “Adding a tool”...
  • Page 330: Changing An Option On The Tools Menu

    Changing an option on the Tools menu Changing an option on the Tools menu You can edit parameters for third-party tools that display on the Tools menu. To edit an option on the Tools menu, complete the following steps. 1. Select Tools > Setup. The Setup Tools dialog box displays.
  • Page 331: Adding An Option To A Device's Shortcut Menu

    Adding an option to a device’s shortcut menu Adding an option to a device’s shortcut menu You can add an option to a device’s shortcut menu. To add an option to the device’s shortcut menu, complete the following steps. 1. Select Tools > Setup. The Setup Tools dialog box displays.
  • Page 332: Changing An Option On A Device's Shortcut Menu

    Changing an option on a device’s shortcut menu Changing an option on a device’s shortcut menu You can change the parameters for a tool that displays on a device’s shortcut menu. To edit an option on the device’s shortcut menu, complete the following steps. 1.
  • Page 333: Removing An Option From A Device's Shortcut Menu

    Removing an option from a device’s shortcut menu Removing an option from a device’s shortcut menu You can remove a tool that displays on a device’s shortcut menu. To remove an option from the device’s shortcut menu, complete the following steps. 1.
  • Page 334: Registering A Scom Server

    Microsoft System Center Operations Manager (SCOM) plug-in SCOM plug-in requirements • Make sure you import the Management application management pack (Management_Application_Name.FabricView.xml) to the SCOM Server prior to registering the SCOM Plug-in. The management pack is located in the following directory on the DVD scom/OEM_Name.
  • Page 335: Removing A Scom Server

    Microsoft System Center Operations Manager (SCOM) plug-in 3. Edit the domain name in the Domain field. 4. Enter your user ID and password. 5. Click OK. 6. Click Close. Removing a SCOM server To configure the SCOM plug-in, complete the following steps. 1.
  • Page 337: Server Management Console

    Chapter Server Management Console In this chapter • Server Management Console overview ......289 •...
  • Page 338: Launching The Smc On Linux

    Services tab Launching the SMC on Linux NOTE The Server Management Console is a graphical user interface and should be launched from the XConsole on Linux systems. Perform the following steps to launch the Server Management Console on Linux systems. 1.
  • Page 339: Refreshing The Server Status

    Services tab 3. Review the following information for each available service. • Name—The name of the server; for example, FTP Server or Database Server. • Process Name—The name of the process; for example, postgres.exe (Database Server). • Status—The status of the service; for example, started or stopped. •...
  • Page 340: Starting All Services

    Services tab Starting all services NOTE The Start button restarts running services in addition to starting stopped services, which causes a client-server disconnect. To start all services, complete the following steps. 1. Launch the Server Management Console. 2. Click the Services tab. 3.
  • Page 341: Ports Tab

    Ports tab 6. Select the database user name for which you want to change the password in the User Name field. Options include dcmadmin and dcmuser. Changing the dcmadmin password requires all Management application services, except for the database server, to be stopped and then re-started. Changing the dcmuser password requires all ODBC remote client sessions to be restarted.
  • Page 342: Aaa Settings Tab

    AAA Settings tab AAA Settings tab Authentication enables you to configure an authentication server and establish authentication policies. You can configure the Management application to authenticate users against the local database (Management application server), an external server (RADIUS, LDAP, or TACACS+), or a switch.
  • Page 343 AAA Settings tab 1. Select the AAA Settings tab (Figure 105). FIGURE 105 AAA Settings tab 2. Select Radius Server from the Primary Authentication list. 3. Add or edit a Radius server by referring to “Configuring a Radius server” on page 296. 4.
  • Page 344 AAA Settings tab Configuring a Radius server To add or edit a Radius server, complete the following steps. 1. Choose one of the following options from the AAA Settings tab: • Click Add. • Select an existing Radius server and click Edit. The Add or Edit Radius Server dialog box displays (Figure 106).
  • Page 345: Configuring Ldap Server Authentication

    AAA Settings tab Configuring LDAP server authentication NOTE You cannot configure multiple Active Directory groups (domains) for the LDAP server. NOTE You cannot enter Domain\User_Name in the Management application dialog box for LDAP server authentication. If you are using an LDAP server for authentication, make the following preparations first: •...
  • Page 346 AAA Settings tab FIGURE 107 AAA Settings tab - LDAP server If you configure the external LDAP server as the primary authentication server, make the following preparations first: • Make sure that the external LDAP server and its user accounts have been properly configured (refer to “Creating an AD user account”...
  • Page 347 AAA Settings tab Enter your user name and password and click OK. Test attempts to contact the LDAP server by issuing a ping command and verifies the following: • Verifies connections to the LDAP Server • Verifies authentication with the LDAP Server •...
  • Page 348 AAA Settings tab Configuring an LDAP server To add or edit an LDAP server, complete the following steps. 1. Select the AAA Settings tab. 2. Select LDAP Server from the Primary Authentication list. 3. Choose one of the following options: •...
  • Page 349: Configuring Tacacs+ Server Authentication

    AAA Settings tab Configuring TACACS+ server authentication If you are using a TACACS+ server for authentication, make the following preparations first: • Make sure that the server you want to use is on the network that the Management application manages. •...
  • Page 350 AAA Settings tab 9. Set the fall back condition to secondary authentication by selecting one of the following options from the Fail Over Option list: • TACACS+ Server Not Reachable • TACACS+ Server Authentication Failed 10. Set the authorization preference by selecting one of the following options from the Authorization Preference list: •...
  • Page 351: Configuring Switch Authentication

    AAA Settings tab 6. Enter the number of attempts to be made to reach a server before assuming it is unreachable in the Attempts field. Default is 3 attempts. Click OK to return to the AAA Settings tab. The Radius Servers and Sequence table displays the following information: •...
  • Page 352: Configuring Windows Authentication

    AAA Settings tab 11. Click Close to close the Server Management Console. Configuring Windows authentication Windows authentication enables you to authenticate a user account against the Windows user accounts and the Management application server when running on Windows hosts. The following list details the supported Windows authentication types and the associated platforms: •...
  • Page 353: Displaying The Client Authentication Audit Trail

    Restore tab 3. Click Test. The Test Authentication dialog box displays. 4. Enter your user ID and password and click Test. Test verifies your user ID and password for the local database and verifies user privileges on the Management application server. 5.
  • Page 354 Restore tab NOTE You cannot restore data from a higher or lower configuration (Trial or Licensed version) of the Management application. NOTE You cannot restore data from a different package of the Management application. To restore the application data files, complete the following steps. 1.
  • Page 355: Technical Support Information Tab

    Technical Support Information tab Technical Support Information tab The Technical Support Information tab of the SMC allows you to capture technical support information for the Management application as well as the configuration files for all switches in discovered fabrics. This information is saved in a zip file in a location that you specify. Capturing technical support information To capture technical support information, complete the following steps.
  • Page 356: Hcm Upgrade Tab

    HCM Upgrade tab NOTE For Linux systems, you cannot have blank spaces in the output path (target directory). If the output path contains blank spaces, the supportShow files are not complete. 4. Click Capture. A confirmation message displays when the capture is complete. 5.
  • Page 357: Performance Data Aging Tab

    Performance Data Aging tab Performance Data Aging tab Performance data samples are collected at regular intervals. The Performance Data Aging tab enables you to define the performance data collection interval for product and port measures. NOTE Changes to the performance data aging option require a server restart. NOTE You can only restart the server using the Server Management Console (Start >...
  • Page 358: Smi Agent Configuration Tool

    SMI Agent Configuration Tool • Option 2—2 years data with the following samples: raw samples for the last 8 days; 1 day granularity for last 2 years (730 samples). If you change from Option 2 to Option 1, you will lose existing performance data for the 5 minutes granularity for last 8 days (2304 samples) interval.
  • Page 359 SMI Agent Configuration Tool 2. Click Configure SMI Agent on the Server Management Console dialog box. The Log In dialog box displays. FIGURE 115 Log In dialog box 3. Enter your username and password in the appropriate fields. The defaults are Administrator and password, respectively. If you migrated from a previous release, your username and password do not change.
  • Page 360: Launching The Smia Configuration Tool On Unix

    SMI Agent Configuration Tool Launching the SMIA configuration tool on Unix NOTE All Management application services must be running before you can log into the SMIA Configuration Tool. To start the Management application services, click Start on the Server Management Console dialog box. Perform the following steps to launch the Server Management Console on Unix systems.
  • Page 361: Service Location Protocol (Slp) Support

    SMI Agent Configuration Tool Service Location Protocol (SLP) support The Management application SMI Agent uses Service Location Protocol (SLP) to allow applications to discover the existence, location, and configuration of WBEM services in enterprise networks. You do not need a WBEM client to use SLP discovery to find a WBEM Server; that is, SLP discovery might already know about the location and capabilities of the WBEM Server to which it wants to send its requests.
  • Page 362 SMI Agent Configuration Tool This output shows the functionalities of the Management application SMI Agent: • accepts WBEM requests over HTTP using SSL on TCP port 5989 • accepts WBEM requests over HTTP without SSL on TCP port 5988 • slptool findattrs service:wbem:https://IP_Address:Port NOTE Where IP_Address:Port is the IP address and port number that display when you use the...
  • Page 363 SMI Agent Configuration Tool (Classinfo=0,0),(RegisteredProfilesSupported=SNIA:SMI-S,DMTF:Profile Registration,SNIA:FC HBA,DMTF:LaunchInContext,SNIA:Fan,SNIA:Fabric, SNIA:Switch,DMTF:Role Based Authorization,SNIA:Power Supply,SNIA:Sensors, SNIA:Server) SLP on UNIX systems This section describes how to verify the SLP daemon on UNIX systems. SLP file locations on UNIX systems • SLP log—Install_Home/cimom/cfg/slp.log • SLP daemon—Install_Home/cimom/cfg/slp.conf You can reconfigure the SLP daemon by modifying this file.
  • Page 364: Home Tab

    SMI Agent Configuration Tool You can statically register an application that does not dynamically register with SLP using SLP APIs by modifying this file. For more information about these files, read the comments contained in them, or refer to http://www.openslp.org/doc/html/UsersGuide/index.html. Verifying SLP service installation and operation on Windows systems 1.
  • Page 365: Authentication Tab

    SMI Agent Configuration Tool Accessing Management application features To access Management application features such as fabric and host discovery, role-based access control, application configuration and display options, server properties, as well as the application name, build, and copyright, complete the following steps. 1.
  • Page 366 SMI Agent Configuration Tool 1. Click the Authentication tab. FIGURE 117 Authentication tab 2. Select the Enable Client Mutual Authentication check box, as needed. If the check box is checked, CIM client mutual authentication is enabled. If the check box is clear (default), client mutual authentication is disabled.
  • Page 367: Cimom Tab

    SMI Agent Configuration Tool 1. Click the Authentication tab. 2. Choose from one of the following options: • Select No Authentication to allow the CIM client to query the CIMOM server without providing credentials; however, note that the CIMOM server requires the Management application credentials to connect to the Management application server to retrieve the required data.
  • Page 368 SMI Agent Configuration Tool Configuring the SMI Agent port number To configure the SMI Agent port number, complete the following steps. 1. Click the CIMOM tab. FIGURE 118 CIMOM tab 2. Select or clear the Enable SSL check box, to enable or disable SSL for the SMI Agent. NOTE Disabling SSL will disable Indication and Client Mutual Authentication.
  • Page 369 SMI Agent Configuration Tool Configuring the CIMOM Bind Network Address NOTE You must have SAN - SMI Operation Read and Write privileges to view or make changes on the CIMOM tab. For more information about privileges, refer to “User Privileges” on page 1097.
  • Page 370: Certificate Management Tab

    SMI Agent Configuration Tool 3. Click Apply. NOTE Changes on this tab take effect after the next CIMOM server restart. NOTE You can only restart the server using the Server Management Console (Start > Programs > Management_Application_Name 12.X.X > Server Management Console). 4.
  • Page 371 SMI Agent Configuration Tool 2. Select Client or Indication from the Authentication list. The appropriate certificates display in the Certificates list. 3. Enter the full path or browse to the certificate you want to import (for example, on Windows the path is C:\Certificates\cimom-indication-auth2.cer and on Linux the path is opt/Certificates/cimom-indication-auth2.cer).
  • Page 372: Summary Tab

    SMI Agent Configuration Tool 4. Click Export Server Certificate. The Save As dialog box displays. 5. Browse to the directory where you want to export the certificate. 6. Edit the certificate name in the File Name field, if necessary. Click Save. 8.
  • Page 373 SMI Agent Configuration Tool 1. Click the Summary tab. FIGURE 120 Summary tab 2. Review the summary. NOTE When the CIMOM server is stopped, the server configuration information does not display on the Summary tab. The following information is included in the summary. TABLE 37 Field/Component Description...
  • Page 374 SMI Agent Configuration Tool TABLE 37 Field/Component Description Log Level Displays the log level for the Server Configuration and the Current Configuration. Options include the following: • 10000—Off • 1000—Severe • 900—Warning • 800—Info (default) • 700—Config • 500—Fine • 400—Finer •...
  • Page 375: San Device Configuration

    Chapter SAN Device Configuration In this chapter • Configuration repository management ......327 •...
  • Page 376: Saving Switch Configurations On Demand

    Configuration repository management Saving switch configurations on demand NOTE Save switch configuration is only supported on Fabric OS switches. NOTE This feature requires a Trial or Licensed version. NOTE To save switch configuration on more than one switch at a time, you must have the Enhanced Group Management license.
  • Page 377: Restoring A Switch Configuration For A Selected Device

    Configuration repository management 3. Click the right arrow to move the selected switches to the Selected Switches table. 4. Click OK. Configuration files from the selected switches are saved to the repository. 5. (Professional only) Browse to the location where you want to save the switch configuration. 6.
  • Page 378: Scheduling A Switch Configuration Back Up

    Configuration repository management Scheduling a switch configuration back up NOTE This feature requires a Trial or Licensed version. NOTE The Enhanced Group Management (EGM) license must be activated on a switch to perform this procedure and to use the supportSave module. You can schedule a backup of one or more switch configurations.
  • Page 379 Configuration repository management 2. Click the Enable scheduled backup check box. 3. Set the Schedule parameters. These include the following: The desired Frequency for backup operations (daily, weekly, monthly). The Day you want the backup to run. If Frequency is Daily, the Day list is grayed out. If Frequency is Weekly, choices are days of the week (Sunday through Saturday).
  • Page 380: Restoring A Configuration From The Repository

    Configuration repository management Restoring a configuration from the repository If you delete a fabric or switch from discovery, the configuration remains in the repository until you delete it manually. Stored configurations are linked to the switch WWN; therefore, if the IP address or switch name is changed and then rediscovered, the Switch Configuration Repository dialog box displays the new switch name and IP address for the old configuration.
  • Page 381: Viewing Configuration File Content

    Configuration repository management • Discovered — Whether the switch is discovered or not. Yes — The switch is discovered. No — The switch was deleted from discovery. • Comments — Comments regarding the switch. 2. Select the configuration you want to restore, and click Restore. The configuration is downloaded to the device.
  • Page 382: Searching The Configuration File Content

    Configuration repository management FIGURE 125 Configuration file content 3. Click Close to close the dialog box. 4. Click Yes on the message. Searching the configuration file content NOTE This feature requires a Trial or Licensed version. To search the configuration file content, complete the following steps. 1.
  • Page 383: Deleting A Configuration

    Configuration repository management FIGURE 126 Configuration file content 4. Click Close to close the dialog box. 5. Click Yes on the message. Deleting a configuration NOTE This feature requires a Trial or Licensed version. 1. Right-click a device in the Product List or the Connectivity Map, and select Configuration > Configuration Repository.
  • Page 384: Importing A Configuration

    Configuration repository management 4. Click Export. The configuration is automatically named (Device_Name_Date_and_Time) and exported to the location you selected. Importing a configuration NOTE This feature requires a Trial or Licensed version. 1. Right-click a device in the Product List or the Connectivity Map, and select Configuration > Configuration Repository.
  • Page 385 Configuration repository management 3. Source Location, which allows you to select the location of the configuration you wish to replicate. For more information about the fields and components of this step, refer to Table 39 on page 337. 4. Source Configuration, which allows you to select the source switch to replicate. For more information about the fields and components of this step, refer to Table 40 on page 338.
  • Page 386 Configuration repository management TABLE 40 Step 4. Source Configuration Field/Component Description Saved Switch Configuration table Lists the information related to the saved switch, if you selected (Configuration Repository only) Configuration Repository on the Source Location screen. Backup Date/Time (Configuration The date and time the last backup occurred on the switch. Repository only) Fabric Name The name of the fabric that is associated with the selected available...
  • Page 387 Configuration repository management TABLE 40 Step 4. Source Configuration (Continued) Field/Component Description State The port state, for example, online or offline. Status The operational status of the port; for example, unknown or marginal. Symbolic Name The symbolic name for the port. The tag number of the port Vendor The hardware vendor’s name.
  • Page 388: Replicating Security Configurations

    Configuration repository management TABLE 41 Step 5. Destination Switches (Continued) Field/Component Description Status The operational status of the port; for example, unknown or marginal. Symbolic Name The symbolic name for the port. The tag number of the port Vendor The hardware vendor’s name. The world wide name of the source switch to be replicated.
  • Page 389 Configuration repository management 3. Select Source Switch, which allows you to select the source device of the security policy configuration you wish to replicate. For more information about the fields and components of this step, refer to Table 45 on page 341. 4.
  • Page 390 Configuration repository management TABLE 45 Step 3. Select Source Switch (Continued) Field/Component Description Port Count The total number of ports. Firmware The firmware version. Location The customer site location. Contact The primary contact at the customer site. Description A description of the customer site. State The port state, for example, online or offline.
  • Page 391: Enhanced Group Management

    Enhanced group management TABLE 47 Step 5. Validation Field/Component Description Validation Settings table The replication settings that have been configured in previous steps; for example, the configuration type, source configuration, and destination settings. Click Finish to approve the settings. TABLE 48 Step 6.
  • Page 392: Firmware Management

    Firmware management Firmware management A firmware file repository (Windows systems only) is maintained on the server in the following location: C:\Program Files\Install_Directory\data\ftproot\Firmware\Switches\7.0\n.n.n\n.n.n The firmware repository is used by the internal FTP, SCP, or SFTP server that is delivered with the Management application software, and may be used by an external FTP server if it is installed on the same platform as the Management application software.
  • Page 393 Firmware management FIGURE 127 Firmware download 3. Select one or more switches from the Available Switches table. The Available Switches table lists the switches that are available for firmware download. 4. Click the right arrow to move the switches to the Selected Switches table. If you selected any switches that do not support firmware download, a message displays.
  • Page 394 Firmware management • Select the SCP Server option to download from the external SCP server. Continue with step NOTE The Management application only supports WinSSHD as the third-party Windows external SCP server. Firmware upgrade and downgrade through WinSSHD is only supported on devices running Fabric OS 6.0 or later.
  • Page 395: Displaying The Firmware Repository

    Firmware management Displaying the firmware repository The firmware repository is available on the Firmware Management dialog box. The Management application supports .zip and .gz compression file types for firmware files. Initially, the firmware repository is configured to use the built-in FTP, SCP, or SFTP server. To use an external FTP server, refer to “Configuring an external FTP, SCP, or SFTP server”...
  • Page 396: Importing A Firmware File

    Firmware management • Release Notes View button — Click to view the release notes, if imported, which contain information about downloading firmware. • Supported Switch Type Information table — Shows the switch type, capable switch count, and number of installed switches. You can choose one of two switch groups: Show switch types in my resource group.
  • Page 397: Deleting A Firmware File

    Firmware management 6. Enter or browse to the location of the MD5 file (.md5 file type). If the MD5 checksum file is located in the same directory as the firmware file and has the same file name (with the md5 extension), this field is auto-populated. The MD5 checksum file can be obtained from the Fabric OS product download site in the same location as the firmware file.
  • Page 398: Frame Viewer

    Frame viewer Frame viewer NOTE Frame viewer is only supported on Fabric OS devices running 7.1.0 or later. Frame viewer enables you to view a list of devices with discarded frames due to c3 timeout, destination unreachable, and not routable. You can also view a summary of discarded frames for each device and clear the discarded frame log on the device.
  • Page 399 Frame viewer 3. Select a device in the top table to view detailed data about the discarded frames on that device. • Discarded Frame History for the Selected Product table — Summary of the discarded frames for the selected device. Count –...
  • Page 400: Viewing Discarded Frames From A Port

    Frame viewer Viewing discarded frames from a port 1. Select a port on a Fabric OS device running 7.1.0 or later and select Monitor > Discarded Frames. The Discarded Frames dialog box displays. 2. Review the data for the discarded frames from the selected port. •...
  • Page 401: Clearing The Discarded Frame Log

    Properties customization Clearing the discarded frame log 1. Open the Discarded Frames dialog box (refer to “Viewing discarded frames from a device” on page 350 or “Viewing discarded frames from a port” on page 352). 2. Select one of the following options: •...
  • Page 402: Editing A Property Label

    Properties customization Editing a property label You can edit any label that you create on the Properties dialog box. To edit any field you create, complete the following steps. 1. Right-click any product icon and select Properties. The Properties dialog box displays. 2.
  • Page 403: Ports

    Ports Ports You can enable and disable ports, as well as view port details, properties, type, status, and connectivity. Viewing port connectivity The connected switch and switch port information displays for all ports. To view port connectivity, choose one of the following steps: •...
  • Page 404 Ports TABLE 49 Port connectivity properties (Continued) Field Description Blade Number The number of the blade. Blocked Whether the selected port is blocked. Buffer Limited Whether buffers are limited. Buffers Needed/Allocated The ratio of buffers needed relative to the number of buffers allocated.
  • Page 405 Ports TABLE 49 Port connectivity properties (Continued) Field Description Fabric / Switch Name If launched from a fabric, displays the fabric name. If launched from a switch, displays the fabric name and the switch name. FC4 Type The active FC4 type; for example, SCSI. FC Address The Fibre Channel address.
  • Page 406: Refreshing The Port Connectivity View

    Ports TABLE 49 Port connectivity properties (Continued) Field Description Switch in Order Delivery Whether switch in-order delivery is enabled. Switch IP The switch’s IP address. Switch Port Count The number of ports on the switch. Switch Port Type The port type; for example, E-Port, F-Port, U-port, and so on. Switch Role The role of the switch;...
  • Page 407: Filtering Port Connectivity

    Ports Filtering port connectivity To filter results from the port connectivity view, complete the following steps. 1. Click the Filter link from the Port Connectivity View dialog box. The Filter dialog box displays (Figure 132). FIGURE 132 Filter dialog box 2.
  • Page 408: Viewing Port Details

    Ports Resetting the filter Reset immediately clears all existing definitions. You cannot cancel the reset. To reset the Filter dialog box, complete the following steps. 1. Click the Filter link from the Port Connectivity View dialog box. The Filter dialog box displays. 2.
  • Page 409: Viewing Ports

    Ports Viewing ports To view ports on the Connectivity Map, right-click a product icon and select Show Ports. NOTE Show Ports is not applicable when the map display layout is set to Free Form (default). NOTE This feature is only available for connected products. On bridges and CNT products, only utilized Fibre Channel ports display;...
  • Page 410: Viewing Port Connection Properties

    Ports Viewing port connection properties You can view the information about products and ports on both sides of the connection. 1. Right-click the connection between two end devices on the Connectivity Map and select Properties. Double-click the connection between two devices on the Connectivity Map. The Connection Properties dialog box displays.
  • Page 411 Ports TABLE 51 Port connection properties (Continued) Field Description 2-Port Type The port type of the second switch. 2-WWPN The world wide port number of the second switch. 2-MAC Address The MAC address of the second switch. 2-IP Address The IP address of the second switch. 2-Trunk Whether there is a trunk on the second switch.
  • Page 412 Ports TABLE 51 Port connection properties (Continued) Field Description Long Distance Setting Whether the connection is considered to be normal or longer distance. MAC Address The MAC address of the switch. Manufacturer The name of the manufacturer. Manufacturer Plant The name of the manufacturing plant. Name The name of the switch.
  • Page 413: Determining Inactive Iscsi Devices

    Ports TABLE 51 Port connection properties (Continued) Field Description Auto VPWWN The automatically generated VPWWN. User VPWWN The user-defined VPWWN. 3. Click Close to close the dialog box. Determining inactive iSCSI devices For router-discovered iSCSI devices, you can view all of the inactive iSCSI devices in one list. To do this, use the Ports Only view and then sort the devices by FC Address.
  • Page 414 Ports 2. Review the port optics information. • Combined Status — Displays the current status of the port. NOTE Requires a 16 Gbps capable port running Fabric OS 7.0 or later. NOTE The device must have a Fabric Watch license and threshold monitoring configured for the port.
  • Page 415: Port Commissioning Overview

    Port commissioning overview • FC Speed (MB/s) (Fabric OS 6.4 or earlier) — The FC port speed; for example, 400 Mbps. • Distance — The length of the fiber optic cable. • Vendor — The vendor of the SFP. • Vendor OUI —...
  • Page 416: Viewing Existing Cimom Servers

    Port commissioning overview Viewing existing CIMOM servers NOTE Port commissioning is only supported on Fabric OS devices running Fabric OS 7.1 or later. Before you can decommission or recommission an F-Port, you must register the CIMOM servers within the fabric affected by the action. 1.
  • Page 417: Registering A Cimom Server

    Port commissioning overview • Description — User-defined description of the system. • CIMOM Port — The CIMOM port number of the system. • Namespace — The namespace of the CIM_FCPort. • User ID — The user identifier for the system. •...
  • Page 418: Editing Cimom Server Credentials

    Port commissioning overview 5. Enter the namespace of the CIM_FCPort in the Namespace field. The default namespace is root/cimv2. 6. (Optional) Enter a user identifier for the CIMOM server in the Credentials User ID field. The credentials user identifier cannot be over 128 characters. (Optional) Enter a password in the Password field.
  • Page 419: Importing Cimom Servers And Credentials

    Port commissioning overview Importing CIMOM servers and credentials You can import one or more CIMOM servers (system and credentials) using a CSV formatted file. You can import a maximum of 2,000 CIMOM servers. 1. Select Configure > Port Commissioning > Setup. The Port Commissioning Setup dialog box displays (Figure 135).
  • Page 420: Changing Cimom Server Credentials

    Port commissioning overview Changing CIMOM server credentials You can edit the CIMOM server credentials for one or more CIMOM servers at the same time. 1. Select Configure > Port Commissioning > Setup. The Port Commissioning Setup dialog box displays (Figure 135).
  • Page 421: Deleting Cimom Server Credentials

    Port commissioning overview Deleting CIMOM server credentials 1. Select Configure > Port Commissioning > Setup. The Port Commissioning Setup dialog box displays (Figure 135). 2. Select one or more CIMOM servers from the System List table and click the left arrow button. The details for the last selected CIMOM server row display in the Add/Edit System and Credentials area.
  • Page 422: Decommissioning An E-Port

    Port commissioning overview Recommissioning an F-Port NOTE You must configure at least one CIMOM server (refer to “Registering a CIMOM server” on page 369) before you can recommission an F-Port. Select the F-Port, then select Configure > Port Commissioning > Recommission > Port. While recommissioning is in progress, an up arrow icon displays next to the port icon in the Product List.
  • Page 423: Decommissioning All Ports On A Switch Or Blade

    Port commissioning overview Decommissioning all ports on a switch or blade NOTE (Virtual Fabrics only) All ports on the blade must be managed by the Management application. NOTE Fabric tracking must be enabled (refer to “Enabling fabric tracking” on page 132) to maintain the decommissioned port details (such as port type, device port wwn, and so on).
  • Page 424: Recommissioning All Ports On A Switch Or Blade

    Port commissioning overview Recommissioning all ports on a switch or blade NOTE All ports on the switch or blade must be managed by the Management application. Select the switch or logical switch for which you want to recommission all ports, then select Configure >...
  • Page 425: Administrative Domain-Enabled Fabric Support

    Administrative Domain-enabled fabric support Administrative Domain-enabled fabric support The Management application provides limited support for AD-enabled fabrics. An Administrative Domain (Admin Domain or AD) is a logical grouping of fabric elements that defines which switches, ports, and devices you can view and modify. An Admin Domain is a filtered administrative view of the fabric.
  • Page 426: Management Application Support For Ad-Enabled Fabrics

    Administrative Domain-enabled fabric support • If you try to enable Virtual Fabrics on an AD-enabled switch, that operation fails with the following message: “Failed to enable Virtual Fabric feature for Chassis (Remove All ADs before attempting to enable VF).” • Performs performance management (including Advance Performance Monitoring and Top Talkers) data collection and reports in a physical fabric context.
  • Page 427 Administrative Domain-enabled fabric support TABLE 52 Feature support for AD-enabled fabrics (Continued) Feature AD context ADO AD255 Not supported All AD User interface impact Performance Management > Filters AD-enabled fabric from the Fabrics list. Configure Thresholds End-to-End Monitors Clear Counters Port Auto Disable Filters AD-enabled fabric from the dialog box.
  • Page 428: Port Auto Disable

    Port Auto Disable Port Auto Disable The Port Auto Disable dialog box allows you to enable and disable the port auto disable flag on individual FC_ports or on all ports on a selected device, as well as unblock currently blocked ports. Enabling the port auto disable on a port or device configures a port to become blocked when any of the following five events occur: •...
  • Page 429 Port Auto Disable FIGURE 136 Port Auto Disable dialog box 2. Select one of the following from the Show list to determine what ports to display: • All Ports (default) • Disabled PAD Ports • Enabled PAD Ports • Blocked Ports 3.
  • Page 430: Configuring Port Auto Disable Triggers

    Port Auto Disable • Port Type — Displays the port type. • Port Number — Displays the port number. • Port WWN — Displays the port world wide name. • Port Name — Displays the port name. • User Port # — Displays the user port number. •...
  • Page 431: Enabling Port Auto Disable On Individual Ports

    Port Auto Disable 7. Click OK on the Configure Port Auto Disable dialog box. 8. Click OK on the Port Auto Disable dialog box. Enabling port auto disable on individual ports NOTE The device must be running Fabric OS 6.3 or later. To enable port auto disable on individual ports, complete the following steps.
  • Page 432: Disabling Port Auto Disable On Individual Ports

    Port Auto Disable 4. Select the device on which you want to enable PAD on all ports. 5. Click Configure. The Configure Port Auto Disable dialog box displays. 6. Select one or more of the following event types: • Port Auto Disable •...
  • Page 433: Disabling Port Auto Disable On All Ports On A Device

    Port Auto Disable 7. Click OK on the Configure Port Auto Disable dialog box. 8. Click OK on the Port Auto Disable dialog box. Disabling port auto disable on all ports on a device NOTE The device must be running Fabric OS 6.3 or later. To disable port auto disable on all ports on a device, complete the following steps.
  • Page 435: In This Chapter

    Chapter Host Port Mapping In this chapter • Host port mapping overview ........387 •...
  • Page 436: Creating A New Host

    Creating a new Host Creating a new Host To create a new Host, complete the following steps. 1. Right-click an HBA icon in the Fabric topology and select Host Port Mapping. The Host Port Mapping dialog box displays. FIGURE 137 Host Port Mapping dialog box The Host Port Mapping dialog box includes the following details: •...
  • Page 437: Renaming An Hba Host

    Renaming an HBA Host Renaming an HBA Host To rename a Host, complete the following steps. 1. Right-click an HBA icon in the Fabric topology and select Host Port Mapping. The Host Port Mapping dialog box displays. 2. Click the Host you want to rename in the Hosts table, wait a moment, and then click it again. The Host displays in edit mode.
  • Page 438: Associating An Hba With A Host

    Associating an HBA with a Host Associating an HBA with a Host ATTENTION Discovered information overwrites your user settings. To associate an HBA with a Host, complete the following steps. 1. Right-click an HBA icon in the Fabric topology and select Host Port Mapping. The Host Port Mapping dialog box displays.
  • Page 439 Importing HBA-to-Host mapping 4. Click Open on the Import dialog box. The file imports, reads, and applies all changes line-by-line and performs the following: • Checks for correct file structure and well-formed WWNs, and counts number of errors. If more than 5 errors occur, import fails and a ‘maximum error count exceeded’ message displays.
  • Page 440: Removing An Hba From A Host

    Removing an HBA from a Host Removing an HBA from a Host To remove an HBA from a Host, complete the following steps. 1. Right-click an HBA icon in the Fabric topology and select Host Port Mapping. The Host Port Mapping dialog box displays. 2.
  • Page 441 Exporting Host port mapping 4. Browse to the location where you want to save the export file. Depending on your operating system, the default export locations are as follows: • Desktop\My documents (Windows) • \root (Linux) 5. Enter a name for the files and click Save. 6.
  • Page 443: In This Chapter

    Chapter Storage Port Mapping In this chapter • Storage port mapping overview ........395 •...
  • Page 444: Creating A Storage Array

    Creating a storage array Creating a storage array To create a storage array, complete the following steps. 1. Select a storage port icon in the topology view, then select Discover > Storage Port Mapping. The Storage Port Mapping dialog box displays with the following information. •...
  • Page 445: Unassigning A Storage Port From A Storage Array

    Unassigning a storage port from a storage array 4. Click the right arrow. The storage port is added to the Storage Array. 5. Click OK to save your work and close the Storage Port Mapping dialog box. If the storage device is part of more than one fabric, a message displays: The selected Storage_Name/Storage_WWN is part of more than one fabric.
  • Page 446: Editing Storage Array Properties

    Editing storage array properties 6. Click the right arrow button. The storage port moves from the Storage Ports table to the selected storage array. Click OK to save your work and close the Storage Port Mapping dialog box. Editing storage array properties To edit storage array properties, complete the following steps.
  • Page 447: Viewing Storage Array Properties

    Viewing storage array properties 4. Review the properties. 5. Click OK on the Properties dialog box. 6. Click OK on the Storage Port Mapping dialog box. Viewing storage array properties To view storage array properties, complete the following steps. 1. Select a storage port icon in the topology view, then select Discover > Storage Port Mapping. The Storage Port Mapping dialog box displays.
  • Page 448 Importing storage port mapping 4. Click Open on the Import dialog box. The file imports, reads, and applies all changes line-by-line and performs the following: • Checks for correct file structure (first entry must be the storage node name (WWN) and second entry must be the storage array name), well-formed WWNs, and counts number of errors. If more than 5 errors occur, import automatically cancels.
  • Page 449: Exporting Storage Port Mapping

    Exporting storage port mapping Exporting storage port mapping The Storage Port Mapping dialog box enables you to export a storage port array. The export file uses the CSV format. The first row contains the headers (Storage Node Name (WWNN), Storage Array Name) for the file.
  • Page 451: Host Management

    Chapter Host Management In this chapter • Host management..........403 •...
  • Page 452: Brocade Adapters

    Brocade adapters The Management application, in conjunction with HCM, provides end-to-end management capability. For information about configuring, monitoring, and managing individual adapters using the HCM GUI or the Brocade Command Utility (BCU), refer to the Adapters Administrator’s Guide. Brocade adapters The following sections describe the three Brocade adapter types: •...
  • Page 453: Converged Network Adapters

    Brocade adapters Converged Network Adapters Table 56 describes available Brocade Converged Network Adapters (CNAs) for PCIe x 8 host bus interfaces, hereafter referred to as Brocade CNAs. These adapters provide reliable, high-performance host connectivity for mission-critical SAN environments. TABLE 56 Brocade Fibre Channel CNA models Model number Port speed...
  • Page 454: Anyio Tm Technology

    HCM software AnyIO technology Although the Brocade 1860 Fabric Adapter can be shipped in a variety of small form-factor pluggable (SFP) transceiver configurations, you can change port function to the following modes using Brocade AnyIO technology, provided the correct SFP transceiver is installed for the port: •...
  • Page 455: Hcm Features

    HCM software HCM features Common HBA and CNA management software features include the following: • Discovery using the agent software running on the servers attached to the SAN, which enables you to contact the devices in your SAN. • Configuration management, which enables you to configure local and remote systems. With HCM, you can configure the following items: Brocade 4 Gbps and 8 Gbps HBAs HBA ports (including logical ports, base ports, remote ports, and virtual ports) associated...
  • Page 456: Host Adapter Discovery

    Host adapter discovery Host adapter discovery The Management application enables you to discover individual hosts, import a group of hosts from a CSV file, or import host names from discovered fabrics. The maximum number of host discovery requests that can be accepted is 1000. Host discovery requires HCM Agent 2.0 or later. ESXi host adapter discovery requires the Brocade HBA CIM provider to be installed on the ESXi host.
  • Page 457: Editing A Vm Manager

    HCM and Management application support on ESXi systems Click OK. The VMM discovery process begins. When complete, the vCenter server and all ESX and ESXi hosts managed by that vCenter display in the Host product tree. Editing a VM Manager The fields in the Edit VM Manager dialog box are identical to the fields in the Add VM Manager dialog box except for the Network Address field, which you cannot edit.
  • Page 458: Esxi Cim Listener Ports

    HCM and Management application support on ESXi systems ESXi CIM listener ports The Management application server uses two CIM indication listener ports to listen for CIM indications. • HCM Proxy Service CIM Indication Listener Port—This port is used to listen for CIM indications from ESXi hosts managed through HCM instances launched by the Management application.
  • Page 459: Connectivity Map

    Connectivity map 3. Select CIM server (ESXi only) as the Contact option. 4. (Optional) Select HTTP or HTTPS from the Protocol list. HTTPS is the default. 5. Click OK. Connectivity map The Connectivity Map, which displays in the upper right area of the main window, is a grouped map that shows physical and logical connectivity of Fabric OS components, including discovered and monitored devices and connections.
  • Page 460: Adapter Software

    Adapter software If you create a new host and associate HBAs to it, and then you try to discover a host with the same HBAs using Host discovery, the HBAs discovered using host discovery must match the HBAs associated to the host exactly; otherwise, host discovery will fail. Instructions for mapping a host to HBAs are detailed in Chapter 13, “Host Port Mapping”.
  • Page 461: Driver Repository

    Adapter software • Name—The name of the host. The first three digits indicate the host’s operating system; for example, WIN or LIN. • Operating System—The host operating system; for example, Microsoft Windows or Red Hat Linux. • Driver Version—The host’s current driver version. •...
  • Page 462: Boot Image Repository

    Adapter software FIGURE 141 Driver Repository dialog box 2. Click Import on the Driver Repository dialog box. The Import Driver Repository dialog box displays. 3. Locate the driver file using one of the following methods: • Search for the file you want from the Look In list. •...
  • Page 463 Adapter software Importing a boot image into the repository Boot images are required for adapters that are shipped without a boot image or when it is necessary to overwrite images on adapters that contain older or corrupted boot image versions. 1.
  • Page 464 Adapter software 3. From the Boot Image Management dialog box, click the Repository button. The Boot Image Repository dialog box, shown in Figure 143, displays. FIGURE 143 Boot Image Repository dialog box 4. Click Import on the Boot Image Repository dialog box. 5.
  • Page 465 Adapter software Downloading a boot image to a selected host To download boot images to a selected host, perform the following tasks. 1. Select one or more hosts from the Available Hosts list on the Boot Image Management dialog box, and click the right arrow button to move the selected hosts to the Selected Hosts list. You can select up to 50 hosts.
  • Page 466: Bulk Port Configuration

    Bulk port configuration Bulk port configuration Use the Adapter Host Port Configuration dialog box to create and assign port-level configurations to either a single or multiple adapter ports at a time. You can save up to 50 port-level configurations. The Management application supports the following default port configurations, which you can select and assign to one port or multiple ports.
  • Page 467 Bulk port configuration Adding a port configuration The Add Port Configuration dialog box allows you to create a maximum of 50 customized port configurations which you can then select and assign to ports. 1. Click Add on the Configure Host Adapter Ports dialog box. The Add Port Configuration dialog box, shown in Figure 145, displays.
  • Page 468 Bulk port configuration Target Rate Limiting—Enable the Target Rate Limiting feature to minimize congestion at the adapter port. Limiting the data rate to slower targets ensures that there is no buffer-to-buffer credit back-pressure between the switch due to a slow-draining target. NOTE Target Rate Limiting and QoS cannot be enabled at the same time.
  • Page 469 Bulk port configuration • Enter the minimum allowable output bandwidth in the Min Bandwidth (Mbps) box. The minimum bandwidth is 0 Mbps. A zero value of minimum bandwidth (the default) implies that no bandwidth is guaranteed for that vNIC. • BB Credit Recovery—Allows you to enable or disable buffer-to-buffer (BB) credits, which are a flow control mechanism that represents the availability of resources at the receiving port.
  • Page 470: Adapter Port Wwn Virtualization

    Adapter port WWN virtualization Adapter port WWN virtualization Adapter port world wide name (WWN) virtualization enables the adapter port to use a switch-assigned WWN rather than the physical port WWN for communication, allowing you to preprovision the server with the following configuration tasks: •...
  • Page 471 Adapter port WWN virtualization Enabling the FAWWN feature on a switch or AG ports 1. Select Configure > Fabric Assigned WWN. Right-click the switch and select Fabric Assigned WWN. The Configure Fabric Assigned WWNs dialog box displays. 2. Select a switch port from the Fabric Assigned WWN - Configuration list. 3.
  • Page 472 Adapter port WWN virtualization Manually assigning a FAWWN to a switch or AG port 1. Select Configure > Fabric Assigned WWN. Right-click the switch and select Fabric Assigned WWN. The Configure Fabric Assigned WWNs dialog box displays. 2. Select a switch port or AG port from the Fabric Assigned WWN - Configuration list. 3.
  • Page 473: Fawwns On Attached Ag Ports

    Adapter port WWN virtualization FAWWNs on attached AG ports The Configure Fabric Assigned WWNs dialog box, shown in Figure 147, enables you to configure the Fabric Assigned WWN feature on a selected attached Access Gateway (AG) port. 1. Select Configure > Fabric Assigned WWN. Right-click the switch and select Fabric Assigned WWN.
  • Page 474 Adapter port WWN virtualization 5. Enter a valid world wide name (WWN), with or without colons, for the Access Gateway node. Optionally, you can select an existing AG Node WWN from the list. The AG Node WWN box includes all discovered AG Node WWNs that are connected to the selected switch. 6.
  • Page 475: Role-Based Access Control

    Role-based access control Role-based access control The Management application enables you to create resource groups and assign users to the selected role within that group. This enables you to assign users to a role within the resource group. The Management application provides one preconfigured resource group (All Fabrics). When you create a resource group, all available roles are automatically assigned to the resource group.
  • Page 476: Host Performance Management

    Host performance management Host performance management Real-time performance enables you to collect data from managed HBA and CNA ports. You can use real-time performance to configure the following options: • Select the polling rate from 20 seconds up to 1 minute. •...
  • Page 477: Host Security Authentication

    Host security authentication TABLE 58 Counters (Continued) FC port measures HBA port measures CNA port measures Transmitted FCoE pause frames Received FCS error frames Transmitted FCS error frames Received alignment error frames Received length error frames Received code error frames Instructions for generating real-time performance data are detailed in “Generating a real-time performance graph”...
  • Page 478 Host security authentication FIGURE 148 Fibre Channel Security Protocol Configuration dialog box 3. Configure the following parameters on the Fibre Channel Security Protocol Configuration dialog box: a. Select the Enable Authentication check box to enable the authentication policy. If authentication is enabled, the port attempts to negotiate with the switch. If the switch does not participate in the authentication process, the port skips the authentication process.
  • Page 479: Supportsave On Adapters

    supportSave on adapters supportSave on adapters Host management features support capturing support information for managed Brocade adapters, which are discovered in the Management application. You can trigger supportSave for multiple adapters at the same time. supportSave cannot be used to collect support information for ESXi hosts managed by a CIM Server.
  • Page 480: Filtering Event Notifications

    Host fault management Filtering event notifications The Management application provides notification of many different types of SAN events. If a user wants to receive notification of certain events, you can filter the events specifically for that user. NOTE The e-mail filter in the Management application is overridden by the firmware e-mail filter. When the firmware determines that certain events do not receive e-mail notification, an e-mail notification is not sent for those events even when the event type is added to the Selected Events table in the Define Filter dialog box.
  • Page 481: Backup Support

    Backup support Backup support The Management application helps you to protect your data by backing it up automatically. The data can then be restored, as necessary. Configuring backup to a hard drive NOTE Configuring backup to a hard drive requires a hard drive. The drive should not be the same physical drive on which your operating system or the Management application is installed.
  • Page 482: Enabling Backup

    Backup support Enabling backup Backup is enabled by default. However, if it has been disabled, complete the following steps to enable the function. 1. Select Server > Options. The Options dialog box displays. 2. Select Server Backup in the Category list. 3.
  • Page 483: In This Chapter

    Chapter Fibre Channel over Ethernet In this chapter • FCoE overview ..........435 •...
  • Page 484: Dcbx Exchange Protocol

    Enhanced Ethernet features DCBX exchange protocol Data Center Bridging Exchange (DCBX) protocol allows enhanced Ethernet devices to convey and configure their DCB capabilities and ensures a consistent configuration across the network. DCBX protocol is used between DCB devices, such as a converged network adapter (CNA) and an FCoE switch, to exchange configuration with directly connected peers.
  • Page 485: Ethernet Jumbo Frames

    FCoE protocols supported Ethernet jumbo frames The basic assumption underlying FCoE is that TCP/IP is not required in a local data center network and the necessary functions can be provided with Enhanced Ethernet. The purpose of an “enhanced” Ethernet is to provide reliable, lossless transport for the encapsulated Fibre Channel traffic.
  • Page 486: Fcoe Licensing

    FCoE licensing FCoE licensing The FCoE license enables Fibre Channel over Ethernet (FCoE) functionality on the following supported DCB switches: • Brocade 10 GbE 24-port 8 GbE 8 FC port switch • Brocade VDX 6710, 6720, and 6730 switches • Brocade VDX 8770-series switches •...
  • Page 487 Save running configurations 3. Highlight the selected switch and click OK to start the configuration. The running configuration is saved to the selected switch, effective on the next system startup. If you restore the DCB switch using the Restore Switch Configuration dialog box, you are prompted to select one of two restoration methods: •...
  • Page 488: Dcb Configuration Management

    DCB configuration management DCB configuration management Depending on the platform, the DCB switch has one of the configurations shown in Table TABLE 59 DCB configurations Device type Configuration possibilities • IBM blade server 14 internal 10-Gbps ports for IBM BladeCenter H (BCH) chassis type •...
  • Page 489: Switch Policies

    Switch policies Switch policies You can configure and enable a number of DCB policies on a switch, port, or link aggregation group (LAG). The following switch policy configurations apply to all ports in a LAG: • DCB map and Traffic Class map •...
  • Page 490: Dcb Configuration

    DCB Configuration DCB Configuration To launch the DCB Configuration dialog box, select Configure > DCB from the menu bar. The DCB Configuration dialog box displays, showing the status of all DCB-related hardware and functions. NOTE The Protocol Down Reason column, shown in Figure 150, displays the values only for the external ports of embedded platforms but not for the internal ports.
  • Page 491 DCB Configuration Creating a DCB map to carry the LAN and SAN traffic To create a DCB map to carry the LAN and SAN traffic, complete the following steps. NOTE This procedure is applicable for Fabric OS versions earlier than Fabric OS 7.0. For Fabric OS versions 7.0 and later, you can only edit the default DCB map....
  • Page 492 DCB Configuration • CoS - Click the CoS cell to launch the Edit CoS dialog box, where you can select and assign one or more priorities (PG ID 15.0 through 15.7). All of the eight CoS values (0-7) must be used in a DCB map. Duplicate CoS values in two or more priority groups are not allowed.
  • Page 493 DCB Configuration FIGURE 152 Edit Switch dialog box - LLDP-DCBX tab 4. Select the Global Configuration LLDP profile in the LLDP Profiles list. 5. Click the left arrow button to edit. 6. Select the FCoE Application and FCoE Logical Link check boxes in the Advertise list to advertise them on the network.
  • Page 494 DCB Configuration 8. Select the DCB map you created in “Creating a DCB map to carry the LAN and SAN traffic” page 443 from the Available DCB Maps list. 9. Click the LLDP-DCBX tab and select the Enable LLDP-DCBX on Te Port Number check box. 10.
  • Page 495: Adding A Lag

    DCB Configuration Creating VLAN classifiers and activating on the DCB interface NOTE You can complete this procedure using the Management application for Fabric OS versions 7.0 and later. For Fabric OS versions earlier than Fabric OS 7.0, you must use the CLI. To create and activate the VLAN classifiers on the DCB interface, complete the following steps.
  • Page 496 DCB Configuration 2. Select the DCB switch or one or more DCB ports from the Products/Ports list to add to a link aggregation group (LAG). 3. Click Add LAG or Edit LAG. The Add LAG or Edit LAG dialog box displays, as shown in Figure 153.
  • Page 497: Editing A Dcb Switch

    DCB Configuration 5. Select at least one available DCB port from the Available Members list and click the right arrow button to move it to the LAG Members list. The DCB ports are now part of the link aggregation group. 6.
  • Page 498 DCB Configuration FIGURE 154 Edit Switch dialog box 4. Configure the policies for the Edit Switch dialog box tabs, which are described in the following sections: • “QoS configuration” on page 455 • “FCoE provisioning” on page 461 • “VLAN classifier configuration” on page 463 •...
  • Page 499: Editing A Dcb Port

    DCB Configuration Editing a DCB port 1. Select Configure > DCB. The DCB Configuration dialog box displays, showing the status of all DCB-related hardware and functions. 2. Select a DCB port from the Products/Ports list. 3. Click Edit. The Edit Port dialog box displays, as shown in Figure 155.
  • Page 500: Editing A Lag

    DCB Configuration 5. When you have finished configuring the policies, apply the settings to the DCB port. NOTE Clicking Cancel when there are pending changes launches a pop-up dialog box. 6. Click OK when you have finished modifying the DCB port parameters. The Deploy to Ports dialog box displays.
  • Page 501 DCB Configuration 4. Configure the following LAG parameters, as required: NOTE Ports with 802.1x authentication or ports that are enabled in L2 mode or L3 mode are not supported in a LAG. • LAG ID - The LAG identifier, which is not an editable field. •...
  • Page 502: Enabling A Dcb Port Or Lag

    DCB Configuration 8. Click Start on the Deployment Status dialog box to save the changes to the selected LAG or LAGs. NOTE If the primary or secondary IP address already exists on another interface, an error message displays in the Status area. 9.
  • Page 503: Qos Configuration

    QoS configuration QoS configuration QoS configuration involves configuring packet classification, mapping the priority and traffic class, controlling congestion, and scheduling. The configuration of these QoS entities consists of DCB Map and Traffic Class Map configuration. In a Data Center Bridging (DCB) configuration, Enhanced Transmission Selection (ETS) and priority-based flow control (PFC) are configured by utilizing a priority table, a priority group table, and a priority traffic table....
  • Page 504 QoS configuration NOTE The 10 Gbps DCB/FC switch module can have only one DCB map. 1. Select Configure > DCB. The DCB Configuration dialog box displays, showing the status of all DCB-related hardware and functions. 2. Select a switch, and click Edit. 3.
  • Page 505: Editing A Dcb Map

    QoS configuration % Bandwidth (optional) - While in the Edit CoS dialog box, enter a bandwidth value for priority group (PG) IDs 15.0 through 15.7. You must map each CoS to at least one of the PG IDs. Note the following points: •...
  • Page 506: Deleting A Dcb Map

    QoS configuration Deleting a DCB map You cannot delete the DCB map of a 10 Gbps DCB/FC switch module. To delete the DCB map of an 8 Gbps DCB switch, complete the following steps. 1. Select Configure > DCB. The DCB Configuration dialog box displays, showing the status of all DCB-related hardware and functions.
  • Page 507: Creating A Traffic Class Map

    QoS configuration 4. Click the Assign a map to <device_name> check box to assign the selected port to a DCB map. If you do not enable this check box, all QoS edit features are disabled. 5. Select DCB Map in the Map Type list. 6.
  • Page 508: Deleting A Traffic Class Map

    QoS configuration 3. Click the QoS tab on the Edit Switch dialog box. The QoS dialog box displays. 4. Select a Traffic Class map from the Traffic Class Maps list and click the left arrow button to load its values to the left pane. The fields are now editable. If the name of the Traffic Class map already exists, an overwrite warning message displays.
  • Page 509: Fcoe Provisioning

    FCoE provisioning 3. Click the QoS tab on the Edit Port or Edit LAG dialog box. The QoS dialog box displays. 4. Click the Assign a map check box. 5. Select Traffic Class in the Map Type list. 6. Select a Traffic Class map in the Traffic Class Map list. When you have finished the configuration, click OK to launch the Deploy to Ports/LAGs dialog box.
  • Page 510: Enabling Or Disabling The Fcoe Map On The Port

    FCoE provisioning 3. Click the FCoE tab on the Edit Switch dialog box. The Edit Switch dialog box, FCoE tab displays the following FCoE map parameters: NOTE The FCoE tab does not display for the Brocade 8000 switch or the FCOE10-24 port blade. •...
  • Page 511: Vlan Classifier Configuration

    VLAN classifier configuration 4. If enabled, click the Enable FCoE check box to disable the port’s membership on the FCoE map. 5. When you have finished the configuration, click OK to launch the Deploy to Ports dialog box. 6. Click OK after changing the attributes of the current deployment. The Deployment Status dialog box launches.
  • Page 512 VLAN classifier configuration FIGURE 158 Edit Switch dialog box, VLAN Classifiers tab 4. Click the Add button under the Available Rules list. The Add Rules dialog box displays, as shown in Figure 159. FIGURE 159 Add Rules dialog box The Rule ID field is pre-populated with the next available rule ID number. 5.
  • Page 513: Editing A Vlan Classifier Rule

    VLAN classifier configuration 9. Click OK to add the rule to the Available Rules list on the VLAN Classifiers tab of the Edit Switch dialog box and close the Add Rules dialog box. NOTE Clicking Apply also adds the rule to the Available Rules list on the VLAN Classifiers tab of the Edit Switch dialog box, and in addition, the Add Rules dialog box remains open and clears all entries for you to define the next rule.
  • Page 514: Creating A Vlan Classifier Group

    VLAN classifier configuration Creating a VLAN classifier group You can assign existing rules to a selected VLAN classifier and form a VLAN classifier group. If no rules are available, you can add rules to a selected switch using the Add Rules dialog box. 1.
  • Page 515: Lldp-Dcbx Configuration

    LLDP-DCBX configuration LLDP-DCBX configuration Link Layer Discovery Protocol (LLDP) provides a solution for the configuration issues caused by increasing numbers and types of network devices in a LAN environment, because, with LLDP, you can statically monitor and configure each device on a network. Data Center Bridging Capability Exchange Protocol (DCBX) enables Enhanced Ethernet devices to discover whether a peer device supports particular features, such as Priority Flow Control or Class of Service (CoS).
  • Page 516: Adding An Lldp Profile

    LLDP-DCBX configuration Adding an LLDP profile NOTE When a TE port is selected to assign to an LLDP profile, a yellow banner displays with the following error message: “LLDP-DCBX is disabled on this switch. The configuration becomes functional when LLDP-DCBX is enabled on the switch.” 1.
  • Page 517: Editing An Lldp Profile

    LLDP-DCBX configuration Editing an LLDP profile 1. Select Configure > DCB. The DCB Configuration dialog box displays, showing the status of all DCB-related hardware and functions. 2. Select a switch, and click Edit. 3. Click the LLDP-DCBX tab on the Edit Switch dialog box. The LLDP-DCBX Profile dialog box displays.
  • Page 518: Assigning An Lldp Profile To A Port Or Ports In A Lag

    802.1x authentication Assigning an LLDP profile to a port or ports in a LAG You create LLDP profiles using the Edit Switch dialog box, which you access from the DCB Configuration dialog box. Global configuration parameters, which is the default selection, are displayed in the Assigned Profile table.
  • Page 519: Enabling 802.1X Authentication

    802.1x authentication Enabling 802.1x authentication 802.1x authentication is enabled or disabled globally on the switch using the Edit Switch dialog box. 1. Select Configure > DCB from the menu bar. The DCB Configuration dialog box displays, showing the status of all DCB-related hardware and functions.
  • Page 520 802.1x authentication FIGURE 161 802.1x dialog box 5. Configure the following 802.1x parameters: • Wait Period - The number of seconds the switch waits before sending an EAP request. The value range is 15 to 65535 seconds. The default value is 30. •...
  • Page 521: Switch, Port, And Lag Deployment

    Switch, port, and LAG deployment Switch, port, and LAG deployment The Deploy to Products, Deploy to Ports, and Deploy to LAGs dialog boxes provide the flexibility to commit DCB configurations either right away or at a scheduled time. These dialog boxes also allow you to commit the switch-level configuration changes to one or more target switches.
  • Page 522 Switch, port, and LAG deployment FIGURE 163 Deploy to Ports dialog box FIGURE 164 Deploy to LAGs dialog box
  • Page 523 Switch, port, and LAG deployment 4. Click one of the following deployment options: • Deploy now • Save and deploy now • Save deployment only • Schedule 5. Click one of the following save configuration options: • Save to running •...
  • Page 524: Source To Target Switch Fabric Os Version Compatibility For Deployment

    Switch, port, and LAG deployment For LAGs: • LAG attributes (Interface Mode, etc.) • QoS, DCB Map / Traffic Class Map • LLDP Profiles 9. Click to move the available targets selected for configuration deployment to the Selected Targets list. 10.
  • Page 525: Dcb Performance

    DCB performance TABLE 61 Source to target switch Fabric OS version compatibility (Continued) Source Fabric OS version and device Target Fabric OS version supported Comments Brocade Converged 10 GbE switch Allows Brocade Converged 10 Gbe Both source and target switches module for IBM BladeCenter with switch module for IBM BladeCenter must support the FCoE map and...
  • Page 526 DCB performance FIGURE 165 Real Time Performance Graphs dialog box - SAN tab For complete information about Real Time Performance Graphs, refer to “SAN real-time performance data” on page 903. Generating a real-time performance graph from the IP tab To generate a real-time performance graph for a NOS DCB switch, complete the following steps. 1.
  • Page 527: Historical Performance Graph

    DCB performance Historical performance graph The Historical Performance Graph dialog box enables you to customize how you want the historical performance information to display. Generating a historical performance graph You can generate a historical performance graph by selecting FOS or NOS DCB devices from the SAN tab or the IP tab.
  • Page 528: Fcoe Login Groups

    FCoE login groups FIGURE 167 Historical Performance Report dialog box For complete information about Historical Performance Graphs, refer to “SAN Historical performance data” on page 907. FCoE login groups The FCoE Configuration dialog box allows you to manage the FCoE login configuration parameters on the DCB switches in all discovered fabrics.
  • Page 529: Adding An Fcoe Login Group

    FCoE login groups FIGURE 168 FCoE Configuration dialog box 2. Perform one of the following tasks: Under Login Group: • Click Add to launch the Add Login Group dialog box, where you can select an existing switch or enter the WWN of a switch on which the FCoE login group will be created. See “Adding an FCoE login group”...
  • Page 530 FCoE login groups FIGURE 169 Add Login Group dialog box 3. Select an existing switch from the Switch list, or enter the WWN of the switch that will be added to the FCoE login group. 4. Select one of the following Login Members options: •...
  • Page 531: Editing An Fcoe Login Group

    FCoE login groups Editing an FCoE login group Complete the following steps to edit the name of a login group. You can manually add ports by entering the world wide name (WWN) or select available managed CNAs from all discovered hosts. Only directly-connected devices are supported.
  • Page 532: Deleting One Or More Fcoe Login Groups

    FCoE login groups Click Start to apply the changes, or click Close to abort the operation. On closing the FCoE Login Group Confirmation and Status dialog box, the FCoE Configuration Dialog refreshes the data and the latest information is displayed. Deleting one or more FCoE login groups 1.
  • Page 533: Virtual Fcoe Port Configuration

    Virtual FCoE port configuration 3. The FCoE Login Group Configuration and Status dialog box displays. 4. Review the changes carefully before you accept them. 5. Click Start to apply the changes, or click Close to abort the operation. The FCoE login management feature is enabled on the selected switch. The value in the FCoE Login Management State column is Enabled after the FCoE Configuration dialog box refresh operation.
  • Page 534: Clearing A Stale Entry

    Virtual FCoE port configuration FIGURE 171 Virtual FCoE Ports dialog box 3. Select one or more virtual ports from the Ports list. 4. Perform one of the following tasks: • Click Enable to enable a selected virtual FCoE port from the Virtual FCoE Ports tab. •...
  • Page 535 Virtual FCoE port configuration 4. Click Start to apply the changes, or click Close to abort the operation. On closing the DCB Confirmation and Status dialog box, the FCoE Configuration Dialog refreshes the data and the latest information about the FCoE ports is displayed.
  • Page 536 Virtual FCoE port configuration
  • Page 537: Chapter 17 Security Management

    Chapter Security Management In this chapter • Layer 2 access control list management ......489 •...
  • Page 538 Layer 2 access control list management Creating a standard Layer 2 ACL configuration (Fabric OS) To create a standard Layer 2 ACL configuration, complete the following steps. 1. Select the device and select Configure > Security > Layer 2 ACL > Product. The Device_Name - Layer 2 ACL Configuration dialog box displays.
  • Page 539 Layer 2 access control list management 11. Click OK on the Device_Name - Layer 2 ACL Configuration dialog box. The Deploy to Products - Layer 2 ACL dialog box displays. To save the configuration, refer to “Saving a security configuration deployment” on page 500. Editing a standard Layer 2 ACL configuration (Fabric OS) To edit a standard Layer 2 ACL configuration on a Fabric OS device, complete the following steps....
  • Page 540 Layer 2 access control list management 4. To edit an existing ACL rule, complete the following steps. a. Select the rule you want to edit in the ACL Entries list and click the left arrow button. b. Complete step 5 through step 9 “Creating a standard Layer 2 ACL configuration (Fabric...
  • Page 541 Layer 2 access control list management 5. Enter a sequence number for the ACL in the Sequence field. 6. Select Permit or Deny from the Action list. In the Source list, select one of the following options: • • Host •...
  • Page 542 Layer 2 access control list management Editing an extended Layer 2 ACL configuration (Fabric OS) To edit an extended Layer 2 ACL configuration on a Fabric OS device, complete the following steps. 1. Select the device and select Configure > Security > Layer 2 ACL > Product. The Device_Name - Layer 2 ACL Configuration dialog box displays.
  • Page 543 Layer 2 access control list management 5. To add a new ACL rule, complete step 4 through step 12 “Creating an extended Layer 2 ACL configuration (Fabric OS)” on page 492. The new ACL entry displays in the ACL Entries list. To add additional ACL entries, repeat step 6.
  • Page 544: Creating A Layer 2 Acl From A Saved Configuration

    Layer 2 access control list management 4. Select the Assign ACL option and choose one of the following options from the first Assign ACL list: • Select ACLs on this Product to assign ACLs deployed on the product to the port. The second list is populated with the ACLs deployed on the switch or associated with a save deployment object.
  • Page 545: Deleting A Layer 2 Acl Configuration From The Application

    Layer 2 access control list management 4. Click OK on the Layer 2 ACL Saved Configurations dialog box. The new ACL displays in the ACLs list. 5. Click OK on the Device_Name - Layer 2 ACL Configuration dialog box. The Deploy to Products - Layer 2 ACL dialog box displays. To save the configuration, refer to “Saving a security configuration deployment”...
  • Page 546: Security Configuration Deployment

    Security configuration deployment Security configuration deployment Figure 175 shows the standard interface used to deploy security configurations. FIGURE 175 Deploy to Product/Ports dialog box Before you can deploy a security configuration, you must create the security configuration. For step-by-step instructions, refer to the following sections: Security Management enables you to configure, persist, and manage a security configuration as a “deployment configuration object”.
  • Page 547: Deploying A Security Configuration On Demand

    Security configuration deployment Deploying a security configuration on demand To deploy a security configuration immediately, complete the following steps. FIGURE 176 Deploy to Product/Ports dialog box 1. Choose one of the following options: • Deploy now — Select to deploy the configuration immediately on the product or port without saving the deployment definition.
  • Page 548: Saving A Security Configuration Deployment

    Security configuration deployment Saving a security configuration deployment To save a security configuration deployment, complete the following steps. FIGURE 177 Deploy to Product/Ports dialog box 1. Select the Save deployment only option to save the deployment definition for future deployment. 2.
  • Page 549: Scheduling A Security Configuration Deployment

    Security configuration deployment Scheduling a security configuration deployment To schedule a security configuration deployment, complete the following steps. FIGURE 178 Deploy to Product/Ports dialog box 1. Select Configure > Security > Layer 2 ACL > Product. The Device_Name - Layer 2 ACL Configuration dialog box displays. 2.
  • Page 550 Security configuration deployment 10. Choose one of the following options to configure the frequency at which deployment runs for the schedule: • To configure deployment to run only once, refer to “Configuring a one-time deployment schedule” on page 502. • To configure hourly deployment, refer to “Configuring an hourly deployment schedule”...
  • Page 551 Security configuration deployment Configuring a daily deployment schedule To configure a daily deployment schedule, complete the following steps. Select Daily from the Frequency list. Select the time of day you want deployment to run from the Time (hh:mm) lists, where the hour value is from 1 through 12, the minute value is from 00 through 59, and the day or night value is AM or PM....
  • Page 552 Security configuration deployment
  • Page 553: Chapter 18 Fc-Fc Routing Service Management

    Chapter FC-FC Routing Service Management In this chapter • Devices that support Fibre Channel routing ......505 •...
  • Page 554: Fibre Channel Routing Overview

    Fibre Channel routing overview • Any of the following blades on a Backbone chassis: 4 Gbps Router, Extension Blade FC 8 GB 16-port Blade FC 8 GB 32-port Blade FC 8 GB 32-port Enhanced Blade (16 Gbps 4-slot or 16 Gbps 4-slot Backbone Chassis only) FC 8 GB 48-port Blade - The shared ports area (ports 16-47) cannot be used as EX_Ports.
  • Page 555: Guidelines For Setting Up Fibre Channel Routing

    Guidelines for setting up Fibre Channel routing Figure 179 on page 507 shows a metaSAN with a backbone fabric and three edge fabrics. The backbone consists of one 4 Gbps Router, Extension Switch connecting hosts in Edge fabrics 1 and 3 with storage in Edge fabric 2 and the backbone fabric.
  • Page 556: Connecting Edge Fabrics To A Backbone Fabric

    Connecting edge fabrics to a backbone fabric Connecting edge fabrics to a backbone fabric The following procedure explains how to set up FC-FC routing on two edge fabrics connected through an FC router using E_Ports and EX_Ports. NOTE To configure an EX_Port, switches running Fabric OS 7.0.0 or earlier must have an FCR license. Switches running Fabric OS 7.0.1 or later configured in Brocade Native mode (IM0) or Brocade NOS mode (IM5) do not require an FCR license.
  • Page 557 Connecting edge fabrics to a backbone fabric FIGURE 180 Router Configuration-Connect Edge Fabric dialog box 3. Select the FC router from the Available Routers list. 4. Click the right arrow button to move the FC router you selected to the Selected Router list. 5.
  • Page 558: Configuring Routing Domain Ids

    Configuring routing domain IDs 9. Configure LSAN zones in each fabric that will share devices. For specific instructions, refer to “Configuring LSAN zoning” on page 739. Configuring routing domain IDs Logical (phantom) domains are automatically created to enable routed fabrics. Two types of logical domains are created: •...
  • Page 559: Virtual Fabrics

    Chapter Virtual Fabrics In this chapter • Virtual Fabrics overview ........511 •...
  • Page 560: Terminology For Virtual Fabrics

    Virtual Fabrics requirements Terminology for Virtual Fabrics Table 62 lists definitions of Virtual Fabrics terms. TABLE 62 Virtual Fabrics terms Term Definition Physical chassis The physical switch or chassis from which you create logical switches and fabrics. Logical switch A collection of ports that act as a single Fibre Channel (FC) switch. When Virtual Fabrics is enabled on the chassis, there is always at least one logical switch: the default logical switch.
  • Page 561 Virtual Fabrics requirements • Discover a Virtual Fabrics-enabled seed physical chassis running Fabric OS 6.2.0 or later with Virtual Fabrics enabled, and at least one logical switch defined on the core switch. The physical chassis displays as a virtual switch. •...
  • Page 562: Configuring Virtual Fabrics

    Configuring Virtual Fabrics TABLE 64 Blade and port types supported on logical switches for backbone chassis (Continued) • Logical switch Extension Blade—GE_Ports and VE_Ports • FC 8 GB Port Blade—E_Ports and F_Ports • FC 16 GB Port Blade—E_Ports and F_Ports •...
  • Page 563: Enabling Virtual Fabrics

    Configuring Virtual Fabrics 3. Set up logical switches in each physical chassis. a. Create logical switches in each physical chassis and assign ports to them. Make sure the logical switches are configured to allow XISL use. Refer to “Creating a logical switch or base switch” on page 516 for instructions.
  • Page 564: Creating A Logical Switch Or Base Switch

    Configuring Virtual Fabrics Creating a logical switch or base switch Before you can create a logical switch, you must enable Virtual Fabrics on at least one physical chassis in your fabric. Optionally, you can define the logical switch to be a base switch. Each chassis can have only one base switch.
  • Page 565 Configuring Virtual Fabrics The New Logical Switch dialog box displays. FIGURE 184 New Logical Switch dialog box 5. Click the Fabric tab and enter fabric-wide parameters. a. Enter a fabric identifier in the Logical Fabric ID field. This assigns the new logical switch to a logical fabric. If the logical fabric does not exist, this creates a new logical fabric as well as assigning the new logical switch.
  • Page 566: Finding The Physical Chassis For A Logical Switch

    Configuring Virtual Fabrics e. (Optional) For Backbone Chassis only, select an option in the 256 Area Limit list to use 256-area addressing mode (zero-based or port-based) or to disable this mode (default). The 256-area addressing mode can be used in FICON environments, which have strict requirements for 8-bit area FC addresses.
  • Page 567: Assigning Ports To A Logical Switch

    Configuring Virtual Fabrics Assigning ports to a logical switch A port can be assigned to only one logical switch. All ports are initially assigned to the default logical switch. When you create a logical switch, it has no ports and you must explicitly assign ports to it. When you assign a port to a logical switch, it is removed from the original logical switch and assigned to the new logical switch.
  • Page 568: Deleting A Logical Switch

    Configuring Virtual Fabrics 5. Click the left arrow button. A message displays indicating that the ports will be moved to the default logical switch. 6. Click OK on the warning message. The selected ports are removed from the logical switch and automatically reassigned to the default logical switch.
  • Page 569: Configuring Fabric-Wide Parameters For A Logical Fabric

    Configuring Virtual Fabrics NOTE Ports are disabled before moving from one logical switch to another. 6. (Optional) Select the Unbind Port Addresses while moving them check box. Click Start to send these changes to the affected chassis. NOTE Most changes to logical switches will disrupt data traffic in the fabric. The status of each change is displayed in the Status column and Status area in the dialog box.
  • Page 570: Applying Logical Fabric Settings To All Associated Logical Switches

    Configuring Virtual Fabrics Leave this check box blank to allow the domain ID to be changed if a duplicate address exists. 8. Click OK on the New Logical Fabric Template dialog box. The new logical fabric template displays under the Discovered Logical Switches node in the Existing Logical Switches list (already highlighted).
  • Page 571: Moving A Logical Switch To A Different Fabric

    Configuring Virtual Fabrics Moving a logical switch to a different fabric You can move a logical switch from one fabric to another by assigning a different fabric ID. 1. Select Configure > Virtual Fabric > Logical Switches. The Logical Switches dialog box displays. 2.
  • Page 572 Configuring Virtual Fabrics 2. Right-click anywhere in the Existing Logical Switches list and select Table > Expand All. 3. Select the logical switch you want to change to a base switch. 4. Click Edit. The Edit Properties dialog box displays. 5.
  • Page 573 Chapter SAN Encryption Configuration In this chapter • Encryption Center features ........526 •...
  • Page 574: Encryption Center Features

    Encryption Center features • Redirection zones ..........682 •...
  • Page 575: Encryption User Privileges

    Encryption user privileges • “Blade processor links” on page 539 describes the steps for interconnecting encryption switches or blades in an encryption group through a dedicated LAN. This must be done before the encryption engines are enabled. Security parameters and certificates cannot be exchanged if these links are not configured and active.
  • Page 576: Smart Card Usage

    Smart card usage TABLE 65 Encryption privileges (Continued) Privilege Read/Write • Storage Encryption Launch the Encryption center dialog box. • View switch, group, or engine properties. Security • View Encryption Group Properties Security tab. • View LUN centric view. • View all rekey sessions.
  • Page 577: Registering Authentication Cards From A Card Reader

    Smart card usage • Establishing a trusted link with the NetApp LKM/SSKM key vault. • Decommissioning a LUN. When a quorum of authentication cards is registered for use, authentication must be provided before you are granted access. Registering authentication cards from a card reader To register an authentication card or a set of authentication cards from a card reader, have the cards physically available.
  • Page 578 Smart card usage 3. Locate the Authentication Card Quorum Size and select the quorum size from the list. The quorum size is the minimum number of cards necessary to enable the card holders to perform the security sensitive operations listed above. The maximum quorum size is five cards. The actual number of authentication cards registered is always more than the quorum size, so if you set the quorum size to five, for example, you will need to register at least six cards in the subsequent steps.
  • Page 579: Registering Authentication Cards From The Database

    Smart card usage Registering authentication cards from the database Smart cards that are already in the Management program’s database can be registered as authentication cards. 1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (Refer to Figure 185 on page 526).
  • Page 580: Deregistering An Authentication Card

    Smart card usage Deregistering an authentication card Authentication cards can be removed from the database and the switch by deregistering them. Complete the following procedure to deregister an authentication card. 1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (Refer to Figure 185 on page 526).
  • Page 581: Using System Cards

    Smart card usage Using system cards System cards are smart cards that can be used to control activation of encryption engines. You can choose whether the use of a system card is required or not. Encryption switches and blades have a card reader that enables the use of a system card.
  • Page 582: Enabling Or Disabling The System Card Requirement

    Smart card usage Enabling or disabling the system card requirement To use a system card to control activation of an encryption engine on a switch, you must enable the system card requirement. If a system card is required, it must be read by the card reader on the switch.
  • Page 583: Deregistering System Cards

    Smart card usage Deregistering system cards System cards can be removed from the database by deregistering them. Use the following procedure to deregister a system card: 1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box.
  • Page 584 Smart card usage • Usage: Usage content varies based on the card type. • For Authentication cards, the Usage column shows the number of groups for which the card is registered. • For System cards, the Usage column shows the number of encryption engines for which the card is registered.
  • Page 585 Smart card usage FIGURE 191 Smart Card asset tracking dialog box 3. Select a smart card from the table, then do one of the following: • Click Delete to remove the smart card from the Management application database. Deleting smart cards from the Management application database keeps the Smart Cards table at a manageable size, but does not invalidate the smart card.
  • Page 586: Editing Smart Cards

    Smart card usage Editing smart cards Smart cards can be used for user authentication, master key storage and backup, and as a system card for authorizing use of encryption operations. 1. From the Encryption Center dialog box, select Smart Card > Edit Smart Card from the menu task bar to display the Edit Smart Card dialog box (Figure 192).
  • Page 587: Network Connections

    Network connections Network connections Before you use the encryption setup wizard for the first time, you must have the following required network connections: • The management ports on all encryption switches and 8-slot Backbone Chassis CPs that have Encryption Blades installed must have a LAN connection to the SAN management program, and must be available for discovery.
  • Page 588: Configuring Blade Processor Links

    Encryption node initialization and certificate generation Configuring blade processor links To configure blade processor links, complete the following steps: 1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 185 on page 526.) 2.
  • Page 589: Setting Encryption Node Initialization

    Key Management Interoperability Protocol Setting encryption node initialization Encryption nodes are initialized by the Configure Switch Encryption wizard when you confirm a configuration. Encryption nodes may also be initialized from the Encryption Center dialog box. 1. Select a switch from the Encryption Center Devices table, then select Switch > Init Node from the menu task bar.
  • Page 590: Supported Encryption Key Manager Appliances

    Supported encryption key manager appliances HA support should be set before you register the key vault. Three settings are supported; however, certain settings are determined by the compliant key vault type that is being used: • Transparent: The client assumes the entire HA is implemented on the key vault. Key archival and retrieval is performed without any additional hardening checks.
  • Page 591 Supported encryption key manager appliances The following key vault types are supported: • RSA Data Protection Manager (DPM): If an encryption group contains mixed firmware nodes, the Encryption Group Properties Key Vault Type name is based on the firmware version of the group leader.
  • Page 592: Steps For Connecting To A Dpm Appliance

    Steps for connecting to a DPM appliance Steps for connecting to a DPM appliance All switches that you plan to include in an encryption group must have a secure connection to the RSA Data Protection Manager (DPM). The following is a suggested order of steps needed to create a secure connection to the DPM.
  • Page 593: Submitting The Csr To A Certificate Authority

    Steps for connecting to a DPM appliance 4. Do one of the following: • If a CSR is present, click Export. • If a CSR is not present, select a switch from the Encryption Center Devices table, then select Switch > Init Node from the menu task bar. This generates switch security parameters and certificates, including the KAC CSR.
  • Page 594: Importing The Signed Kac Certificate

    Steps for connecting to a DPM appliance In the example above, the certificate validity is active until “Dec 4 18:03:14 2010 GMT.” After the KAC certificate has expired, the registration process must be redone. NOTE In the event that the signed KAC certificate must be re-registered, you will need to log in to the key vault web interface and upload the new signed KAC certificate for the corresponding Fabric OS encryption switch Identity.
  • Page 595 Steps for connecting to a DPM appliance Open another web browser window, and start the RSA management user interface. You will need the URL, and have the proper authority level, user name, and password. NOTE The Identity Group name used in the next step might not exist in a freshly installed DPM. To establish an Identity Group name, click the Identity Group tab, and create a name.
  • Page 596: Uploading The Kac Certificate Onto The Dpm Appliance (Manual Identity Enrollment)

    Steps for connecting to a DPM appliance Uploading the KAC certificate onto the DPM appliance (manual identity enrollment) NOTE The Fabric OS encryption switch will not use the Identity Auto Enrollment feature supported with DPM 3.x servers. You must complete the identity enrollment manually to configure the DPM 3.x server with the Fabric OS encryption switch as described in this section.
  • Page 597: Steps For Connecting To An Lkm/Sskm Appliance

    Steps for connecting to an LKM/SSKM appliance FIGURE 195 Encryption Group Properties with Key Vault Certificate 2. Select Load from File and browse to the location on your client PC that contains the downloaded CA certificate in .pem format. Steps for connecting to an LKM/SSKM appliance The NetApp KeySecure Lifetime Key Manager (LKM) and Storage Secure Key Manager (SSKM) reside on a FIPS 140-2 Level 3-compliant network appliance.
  • Page 598: Obtaining And Importing The Lkm/Sskm Certificate

    Steps for connecting to an LKM/SSKM appliance 5. If required, create an LKM/SSKM cluster for high availability. Refer to “LKM/SSKM key vault high availability deployment” on page 552. Additional information for consideration is discussed in the following sections: • “Disk keys and tape pool keys (Brocade native mode support)” on page 553 •...
  • Page 599: Exporting And Registering The Switch Kac Certificates On Lkm/Sskm

    Steps for connecting to an LKM/SSKM appliance 5. If you are using the Management application, the path to the file must be specified in the Select Key Vault dialog box when creating a group leader. If the proper path is entered, the file is imported.
  • Page 600: Establishing The Trusted Link

    Steps for connecting to an LKM/SSKM appliance Establishing the trusted link You must generate the trusted link establishment package (TEP) on all nodes to obtain a trusted acceptance package (TAP) before you can establish a trusted link between each node and the NetApp LKM/SSKM appliance.
  • Page 601: Disk Keys And Tape Pool Keys (Brocade Native Mode Support)

    Steps for connecting to an LKM/SSKM appliance When dual LKM/SSKMs are used with the encryption switch or blade, the dual LKM/SSKMs must be clustered. There is no enforcement done at the encryption switch or blade to verify whether or not the dual LKM/SSKMs are clustered, but key creation operations will fail if you register non-clustered dual LKM/SSKMs with the encryption switch or blade.
  • Page 602: Lkm/Sskm Key Vault Deregistration

    Steps for connecting to an ESKM/SKM appliance LKM/SSKM key vault deregistration Deregistration of either the primary or secondary LKM/SSKM key vault from an encryption switch or blade is allowed independently. • Deregistration of Primary LKM/SSKM: You can deregister the Primary LKM/SSKM from an encryption switch or blade without deregistering the backup or secondary LKM/SSKM for maintenance or replacement purposes.
  • Page 603: Configuring A Brocade Group On Eskm/Skm

    Steps for connecting to an ESKM/SKM appliance 6. Enable an SSL connection. Refer to “Enabling SSL on the Key Management System (KMS) Server” on page 560. 7. Configure a cluster of ESKM/SKM appliances for high availability. Refer to: • “Creating an ESKM/SKM High Availability cluster” on page 560.
  • Page 604: Registering The Eskm/Skm Brocade Group User Name And Password

    Steps for connecting to an ESKM/SKM appliance Registering the ESKM/SKM Brocade group user name and password The Brocade group user name and password you created when configuring a Brocade group on ESKM/SKM must also be registered on each encryption node. NOTE This operation can be performed only after the switch is added to the encryption group.
  • Page 605: Setting Up The Local Certificate Authority (Ca) On Eskm/Skm

    Steps for connecting to an ESKM/SKM appliance • If you change the user name and password, the keys created by the previous user become inaccessible. The Brocade group user name and password must also be changed to the same values on ESKM/SKM to make the keys accessible. •...
  • Page 606: Downloading The Local Ca Certificate From Eskm/Skm

    Steps for connecting to an ESKM/SKM appliance FIGURE 198 Creating an HP ESKM/SKM local CA 5. Under Certificates & CAs, select Trusted CA Lists to display the Trusted Certificate Authority List Profiles. 6. Click on Default under Profile Name. 7. In the Trusted Certificate Authority List, click Edit. 8.
  • Page 607: Creating And Installing The Eskm/Skm Server Certificate

    Steps for connecting to an ESKM/SKM appliance Creating and installing the ESKM/SKM server certificate To create the ESKM/SKM server certificate, complete the following steps: 1. Click the Security tab. 2. Under Certificates and CAs, select Certificates. 3. Enter the required information under Create Certificate Request. Enter a Certificate Name and Common Name.
  • Page 608: Creating An Eskm/Skm High Availability Cluster

    Steps for connecting to an ESKM/SKM appliance 17. Select the server certificate name you just created from the certificate list, and select Properties. The Certificate Request Information window displays. 18. Click Install Certificate. The Certificate Installation window displays. 19. Paste the signed certificate data you copied under Certificate Response, then click Save. The status of the server certificate should change from Request Pending to Active.
  • Page 609: Copying The Local Ca Certificate For A Clustered Eskm/Skm Appliance

    Steps for connecting to an ESKM/SKM appliance 4. For Local Port, use the default value of 9001 unless you are explicitly directed to use a different value for your site. 5. Type the cluster password in the Create Cluster section of the main window to create the new cluster, then click Create.
  • Page 610: Signing The Encryption Node Kac Csr On Eskm/Skm

    Steps for connecting to an ESKM/SKM appliance 9. Click Save. 10. Select the Device tab. 11. In the Device Configuration menu, click Cluster. 12. Click Join Cluster. In the Join Cluster section of the window, leave Local IP and Local Port set to their default settings.
  • Page 611: Importing A Signed Kac Certificate Into A Switch

    Steps for connecting to an ESKM/SKM appliance 12. Paste the file contents that you copied in step 3 in the Certificate Request Copy area. 13. Select Sign Request. 14. Download the signed certificate to your local system as signed_kac_eskm_cert.pem or signed_kac_skm_cert.pem, depending on your key vault type.
  • Page 612 Steps for connecting to an ESKM/SKM appliance Disk keys and tape pool keys support DEK creation, retrieval, and update for disk and tape pool keys are as follows: • DEK creation: The DEK is first archived to the virtual IP address of the ESKM/SKM cluster. The request gets routed to the primary or secondary ESKM/SKM, and is synchronized with other ESKMs or SKMs in the cluster.
  • Page 613: Steps For Connecting To A Teka Appliance

    Steps for connecting to a TEKA appliance Steps for connecting to a TEKA appliance TEKA provides a web user interface for management of clients, keys, admins, and configuration parameters. A Thales officer creates domains, groups, and managers (a type of administrator), assigns groups to domains, and assigns managers to manage groups.
  • Page 614 Steps for connecting to a TEKA appliance 1. Log in to the Thales management program as admin and select the Network tab (Figure 200). FIGURE 200 TEKA Network Settings 2. Enter the management IP address information under Management Interface. 3. Enter the client IP address information under KM Server Interface. 4.
  • Page 615: Creating A Client On Teka

    Steps for connecting to a TEKA appliance Creating a client on TEKA This step assumes the group brocade has been created by an administrator. If the group brocade does not exist, you must log in to TEKA as officer, create the group, and assign the group to a manager.
  • Page 616: Establishing Teka Key Vault Credentials On The Switch

    Steps for connecting to a TEKA appliance 9. Select the group brocade from the group pull-down menu, then click Add Client. A TEKA client user is created and is listed in the table. Establishing TEKA key vault credentials on the switch The credentials established for the TEKA client must be presented to TEKA by the switch.
  • Page 617: Signing The Encryption Node Kac Csr On Teka

    Steps for connecting to a TEKA appliance Signing the encryption node KAC CSR on TEKA The KAC certificate signing request (KAC CSR) generated when the encryption node is initialized must be exported for each encryption node and signed by the local CA on TEKA. The signed certificate must then be imported back into the encryption node.
  • Page 618: Steps For Connecting To A Tklm Appliance

    Steps for connecting to a TKLM appliance Steps for connecting to a TKLM appliance All switches you plan to include in an encryption group must have a secure connection to the Tivoli Key Lifecycle Manager (TKLM). A local LINUX host must be available to transfer certificates. NOTE Ensure that the time zone and clock time setting on the TKLM server and encryption nodes are the same.
  • Page 619: Exporting The Fabric Os Node Self-Signed Kac Certificates

    Steps for connecting to a TKLM appliance Exporting the Fabric OS node self-signed KAC certificates Each Fabric OS node generates a self-signed KAC certificate as part of the node initialization process as described under “Encryption node initialization and certificate generation”. These certificates must be exported from each switch and stored on a local LINUX host to make them available for importing to TKLM.
  • Page 620: Creating A Self-Signed Certificate For Tklm

    Steps for connecting to a TKLM appliance Creating a self-signed certificate for TKLM You must create a self-signed certificate for TKLM that can be downloaded to the Fabric OS encryption engines to verify the authenticity of TKLM. 1. Select Tivoli Key Lifecycle Manager > Configuration. The Configuration page displays.
  • Page 621: Importing The Tklm Certificate Into The Group Leader

    Steps for connecting to a TKLM appliance For Windows: <installed directory>\ibm\tivoli\tiptklmV2\bin\wsadmin.bat -username TKLMAdmin -password <password> -lang jython 2. Check the certificate list using the following command: print AdminTask.tklmCertList('[]') The listing will contain the UUID for all certificates. Use the UUID of the server certificate to export the server certificate from the database to the file system.
  • Page 622: Steps For Connecting To A Kmip Appliance (Safenet Keysecure)

    Steps for connecting to a KMIP appliance (SafeNet KeySecure) Steps for connecting to a KMIP appliance (SafeNet KeySecure) With the introduction of Fabric OS 7.1.0, the Key Management Interoperability Protocol (KMIP) KeySecure Management Console can be used on the Fabric OS encryption switch. Any KMIP-compliant server can be reregistered as a KMIP key vault.
  • Page 623: Setting Fips Compliance

    Steps for connecting to a KMIP appliance (SafeNet KeySecure) Setting FIPS compliance 1. From the KeySecure Management Console, select the Security tab, then select Advanced Security > High Security. The High Security Configuration page displays (Figure 206). FIGURE 206 KeySecure High Security Configuration page 2.
  • Page 624: Creating A Local Ca

    Steps for connecting to a KMIP appliance (SafeNet KeySecure) Creating a local CA 1. From the KeySecure Management Console, select the Security tab, then select CAs & SSL Certificates > Local CAs. The Certificate and CA Configuration page displays (Figure 207).
  • Page 625: Creating A Server Certificate

    Steps for connecting to a KMIP appliance (SafeNet KeySecure) Creating a server certificate 1. From the Security tab, select CAs & SSL Certificates > SSL Certificates. The Certificate and CA Configuration page displays (Figure 209). FIGURE 209 KeySecure Certificate and CA Configuration page 2.
  • Page 626 Steps for connecting to a KMIP appliance (SafeNet KeySecure) FIGURE 210 KeySecure Certificate and CA Configuration - Certificate List 4. Click on the server certificate name you just created (Safenet75ServerCert), which will display the certificate contents (Figure 211). FIGURE 211 KeySecure Certificate and CA Configuration page - Certificate Request Information 5.
  • Page 627 Steps for connecting to a KMIP appliance (SafeNet KeySecure) 6. From the Security tab, select CAs & SSL Certificates > Local CAs. The Certificate and CA Configuration page displays (Figure 212). FIGURE 212 KeySecure Certificate and CA Configuration - Local Certificate Authority List 7. Under Local Certificate Authority List, select the local CA certificate you just created (SafeNetCA), then click Sign Request.
  • Page 628 Steps for connecting to a KMIP appliance (SafeNet KeySecure) 9. Paste the server certificate contents that you copied (refer to step 5) in the Certificate Request text box, then click Sign Request. The Certificate and CA Configuration page refreshes and the certificate information is displayed under Certificate Request Information (Figure 214).
  • Page 629 Steps for connecting to a KMIP appliance (SafeNet KeySecure) 13. Paste the server certificate request contents in the Certificate Installation text box, then click Save (Figure 215). FIGURE 215 KeySecure Certificate and CA Configuration - Certificate Installation After the page refreshes, the new certificate information is displayed in the Certificate List table (Figure 216).
  • Page 630: Creating A Cluster

    Steps for connecting to a KMIP appliance (SafeNet KeySecure) Creating a cluster 1. From the KeySecure Management Console, select the Device tab, then select Device Configuration > Cluster. The Cluster Configuration page displays (Figure 217). FIGURE 217 KeySecure Cluster Configuration page 2.
  • Page 631 Steps for connecting to a KMIP appliance (SafeNet KeySecure) FIGURE 218 KeySecure Cluster Configuration page 4. Under Cluster Settings, click Download Cluster Key (Figure 219). You will be prompted to enter a local file name. FIGURE 219 KeySecure Cluster Configuration - Cluster Settings
  • Page 632: Signing The Encryption Node Kac Csr On Kmip

    Steps for connecting to a KMIP appliance (SafeNet KeySecure) Signing the encryption node KAC CSR on KMIP The KAC certificate signing request generated when the encryption node is initialized must be exported for each encryption node and signed by the Brocade local CA on KMIP. The signed certificate must then be imported back into the encryption node.
  • Page 633: Importing A Signed Kac Certificate Into A Switch

    Steps for connecting to a KMIP appliance (SafeNet KeySecure) FIGURE 220 Certificate and CA Configuration page - Sign Certificate Request 9. Select Sign with Certificate Authority from the drop-down list. (The example is using “SafeNetCA (maximum of 3550 days)”.) 10. Select Client as Certificate Purpose. 11.
  • Page 634: Backing Up The Certificates

    Steps for connecting to a KMIP appliance (SafeNet KeySecure) The Import Signed Certificate dialog box displays (Figure 221). FIGURE 221 Import Signed Certificate dialog box 3. Browse to the location where the signed certificate is stored, then click OK. The signed certificate is stored on the switch. Backing up the certificates 1.
  • Page 635 Steps for connecting to a KMIP appliance (SafeNet KeySecure) FIGURE 223 Backup and Restore - Device items 5. Select the items for backup, then click Continue. The Create Backup dialog box displays (Figure 224), which is used for setting backup details. FIGURE 224 Backup and Restore - Backup details 6.
  • Page 636: Configuring The Kmip Server

    Steps for connecting to a KMIP appliance (SafeNet KeySecure) Configuring the KMIP server 1. From the KeySecure Management Console, select the Device tab, then select Device Configuration > Key Server > Key Server. The Cryptographic Key Server Configuration page displays (Figure 225).
  • Page 637: Adding A Node To The Cluster

    Steps for connecting to a KMIP appliance (SafeNet KeySecure) Adding a node to the cluster Perform the following steps on the secondary KeySecure node when adding it to the cluster. 1. From the KeySecure Management Console, select the Device tab, then select Device Configuration >...
  • Page 638 Steps for connecting to a KMIP appliance (SafeNet KeySecure) FIGURE 227 KeySecure Cluster Configuration - Cluster Members 7. From the Devices tab, select Maintenance > Backup and Restore > Restore Backup. The Backup and Restore page displays (Figure 228). FIGURE 228 KeySecure Backup and Restore page 8.
  • Page 639: Encryption Preparation

    Encryption preparation 9. Enter the Backup Password in the field provided, then click Restore. 10. After the certificate is restored to the secondary node from the previously backed-up primary node, select Maintenance > Services. The Services Configuration page displays (Figure 229).
  • Page 640: Creating A New Encryption Group

    Creating a new encryption group • Switch KAC certificates have been signed by a CA and stored in a known location. • Key management system (key vault) certificates have been obtained and stored in a known location. Creating a new encryption group The following steps describe how to start and run the encryption setup wizard and create a new encryption group.
  • Page 641 Creating a new encryption group 6. Confirm the configuration. 7. Configuration Status. 8. Read Instructions. FIGURE 231 Configure Switch Encryption wizard - welcome screen 4. From the Configure Switch Encryption welcome screen, click Next to begin. The Designate Switch Membership dialog box displays (Figure 232).
  • Page 642 Creating a new encryption group FIGURE 232 Designate Switch Membership dialog box 5. For this procedure, verify that Create a new encryption group containing just this switch is selected, then click Next. NOTE If you are adding a switch to an encryption, refer to “Adding a switch to an encryption group”...
  • Page 643 Creating a new encryption group The dialog box contains the following information: • Encryption Group Name text box: Encryption group names can have up to 15 characters. Letters, digits, and underscores are allowed. The group name is case-sensitive. • Failback mode: Selects whether or not storage targets should be automatically transferred back to an encryption engine that comes online after being unavailable.
  • Page 644 Creating a new encryption group Using this dialog box, you can select a key vault for the encryption group that contains the selected switch. Prior to selecting your Key Vault Type, the selection is shown as None. The dialog box contains the following information: •...
  • Page 645: Configuring Key Vault Settings For Rsa Data Protection Manager (Dpm)

    Creating a new encryption group • Backup Certificate File: (Optional.) If a backup key vault is entered, the backup certificate file must also be entered. Navigate to and select the secondary public key certificate from your desktop, if applicable. • Serial Number: (TKLM only.) Serial number of the switch, which is required for registering the switch on the key vault.
  • Page 646 Creating a new encryption group FIGURE 235 Select Key Vault dialog box for DPM 1. Enter the IP address or host name for the primary key vault. If you are clustering DPM appliances for high availability, IP load balancers are used to direct traffic to the appliances. Use the IP address of the load balancer.
  • Page 647 Creating a new encryption group FIGURE 236 Specify Certificate Signing Request File Name dialog box 5. Enter the filename in which you want to store the certificate information, or browse to the file location. The certificate stored in this file is the switch’s Switch Certificate Signing file. You will need to know this path and file name to install the switch’s Switch Certificate Signing file on the key management appliance.
  • Page 648 Creating a new encryption group FIGURE 237 Specify Master Key File Name dialog box 7. Enter the location of the file in which you want to store backup master key information, or browse to the desired location. 8. Enter the passphrase, which is required for restoring the master key. The passphrase can be between eight and 40 characters, and any character is allowed.
  • Page 649 Creating a new encryption group FIGURE 238 Select Security Settings dialog box 10. Set quorum size and system card requirements. The quorum size is the minimum number of cards necessary to enable the card holders to perform the security sensitive operations listed above. The maximum quorum size is five cards. The actual number of authentication cards registered is always more than the quorum size, so if you set the quorum size to five, for example, you will need to register at least six cards in the subsequent steps.
  • Page 650 Creating a new encryption group FIGURE 239 Confirm Configuration dialog box The Configuration Status dialog box displays (Figure 240). FIGURE 240 Configuration Status dialog box 12. Review the post-configuration instructions, which you can copy to a clipboard or print for later, then click Next.
  • Page 651 Creating a new encryption group FIGURE 241 Next Steps dialog box 13. Review the post-configuration instructions, which you can copy to a clipboard or print for later, then click Finish to exit the wizard.
  • Page 652: Configuring Key Vault Settings For Netapp Link Key Manager (Lkm/Sskm)

    Creating a new encryption group Configuring key vault settings for NetApp Link Key Manager (LKM/SSKM) The following procedure assumes you have already configured the initial steps in the Configure Switch Encryption wizard. If you have not already done so, go to “Creating a new encryption group”...
  • Page 653 Creating a new encryption group FIGURE 243 Specify Public Key Certificate (KAC) File Name dialog box 4. Specify the location of the file in which you want to store the public key certificate that is used to authenticate connections to the key vault. The certificate stored in this file is the switch’s public key certificate.
  • Page 654 Creating a new encryption group FIGURE 244 Select Security Settings dialog box 6. Set quorum size and system card requirements. The quorum size is the minimum number of cards necessary to enable the card holders to perform the security sensitive operations listed above. The maximum quorum size is five cards. The actual number of authentication cards registered is always more than the quorum size, so if you set the quorum size to five, for example, you will need to register at least six cards in the subsequent steps.
  • Page 655 Creating a new encryption group FIGURE 245 Confirm Configuration dialog box The Configuration Status dialog box displays (Figure 246). FIGURE 246 Configuration Status dialog box All configuration items have green check marks if the configuration is successful. A red stop sign indicates a failed step.
  • Page 656 Creating a new encryption group After configuration of the encryption group is completed, the Management application sends API commands to verify the switch configuration. See “Understanding configuration status results” on page 629 for more information. 8. Verify the information is correct, then click Next. The Next Steps dialog box displays (Figure 247).
  • Page 657: Configuring Key Vault Settings For Hp Enterprise Secure Key Manager (Eskm/Skm)

    Creating a new encryption group Configuring key vault settings for HP Enterprise Secure Key Manager (ESKM/SKM) The following procedure assumes you have already configured the initial steps in the Configure Switch Encryption wizard. If you have not already done so, go to “Creating a new encryption group”...
  • Page 658 Creating a new encryption group FIGURE 249 Specify Certificate Signing Request File Name dialog box 6. Enter the location of the file in which you want to store the certificate information, or browse to the desired location, then click Next. The Specify Master Key File Name dialog box displays (Figure 250).
  • Page 659 Creating a new encryption group 8. Re-enter the passphrase for verification, then click Next. The Select Security Settings dialog box displays (Figure 251). FIGURE 251 Select Security Settings dialog box 9. Set quorum size and system card requirements. The quorum size is the minimum number of cards necessary to enable the card holders to perform the security sensitive operations listed above.
  • Page 660 Creating a new encryption group FIGURE 252 Confirm Configuration dialog box The Configuration Status dialog box displays (Figure 253). FIGURE 253 Configuration Status dialog box All configuration items have green check marks if the configuration is successful. A red stop sign indicates a failed step.
  • Page 661: Configuring Key Vault Settings For Thales e-Security

    Creating a new encryption group After configuration of the encryption group is completed, the Management application sends API commands to verify the switch configuration. See “Understanding configuration status results” on page 629 for more information. 11. Review important messages, then click Next. The Next Steps dialog box displays (Figure 254).
  • Page 662 Creating a new encryption group FIGURE 255 Select Key Vault dialog box for TEKA 1. Enter the IP address or host name for the primary key vault. 2. Enter the name of the file that holds the primary key vault’s public key certificate, or browse to the desired location.
  • Page 663 Creating a new encryption group FIGURE 256 Specify Master Key File Name dialog box 6. Enter the name of the file used for backing up the master key or browse to the desired location. Enter the passphrase, which is required for restoring the master key. The passphrase can be between eight and 40 characters, and any character is allowed.
  • Page 664 Creating a new encryption group 9. Set quorum size and system card requirements. The quorum size is the minimum number of cards necessary to enable the card holders to perform the security sensitive operations listed above. The maximum quorum size is five cards. The actual number of authentication cards registered is always more than the quorum size, so if you set the quorum size to five, for example, you will need to register at least six cards in the subsequent steps.
  • Page 665 Creating a new encryption group FIGURE 259 Configuration Status dialog box All configuration items have green check marks if the configuration is successful. A red stop sign indicates a failed step. A message displays below the table, indicating the encryption switch was added to the group you named, and the public key certificate is stored in the location you specified.
  • Page 666 Creating a new encryption group FIGURE 260 Next Steps dialog box 12. Review the post-configuration instructions, which you can copy to a clipboard or print for later. 13. Click Finish to exit the Configure Switch Encryption wizard. 14. Refer to “Understanding configuration status results”...
  • Page 667: Configuring Key Vault Settings For Ibm Tivoli Key Lifetime Manager (Tklm)

    Creating a new encryption group Configuring key vault settings for IBM Tivoli Key Lifetime Manager (TKLM) The following procedure assumes you have already configured the initial steps in the Configure Switch Encryption wizard. If you have not already done so, go to “Creating a new encryption group”...
  • Page 668 Creating a new encryption group FIGURE 262 Specify Public Key Certificate (KAC) File Name dialog box 5. Enter the name of the file in which the switch’s public key certificate is stored, or browse to the desired location, then click Next. The Specify Master Key File Name dialog box displays (Figure 263).
  • Page 669 Creating a new encryption group Enter the passphrase, which is required for restoring the master key. The passphrase can be between eight and 40 characters, and any character is allowed. 8. Re-enter the passphrase for verification, then click Next. The Select Security Settings dialog box displays (Figure 264).
  • Page 670 Creating a new encryption group FIGURE 265 Confirm Configuration dialog box The Configuration Status dialog box displays (Figure 266). FIGURE 266 Configuration Status dialog box All configuration items have green check marks if the configuration is successful. A red stop sign indicates a failed step.
  • Page 671: Configuring Key Vault Settings For Key Management Interoperability Protocol (Kmip)

    Creating a new encryption group After configuration of the encryption group is completed, the Management application sends API commands to verify the switch configuration. 11. Click Next. The Next Steps dialog box displays (Figure 267). Instructions for installing public key certificates for the encryption switch are displayed.
  • Page 672 Creating a new encryption group Figure 268 shows the key vault selection dialog box for KMIP. FIGURE 268 Select Key Vault dialog box for KMIP 1. Select the High Availability mode. Options are: • Opaque: Both the primary and secondary key vaults are registered on the Fabric OS encryption switch.
  • Page 673 Creating a new encryption group 6. Select the Certificate Type. Options are: • CA Signed: The Fabric OS encryption switch KAC certificate is signed by a CA, imported back onto the Fabric OS encryption switch, and registered as a KAC certificate. The CA will be registered as a key vault certificate on the Fabric OS encryption switch.
  • Page 674 Creating a new encryption group FIGURE 270 Specify Master Key File Name dialog box 9. Enter the name of the file used for backing up the master key, or browse to the desired location. 10. Enter the passphrase, which is required for restoring the master key. The passphrase can be between eight and 40 characters, and any character is allowed.
  • Page 675 Creating a new encryption group FIGURE 271 Select Security Settings dialog box 12. Set quorum size and system card requirements. The quorum size is the minimum number of cards necessary to enable the card holders to perform the security sensitive operations listed above. The maximum quorum size is five cards. The actual number of authentication cards registered is always more than the quorum size, so if you set the quorum size to five, for example, you will need to register at least six cards in the subsequent steps.
  • Page 676 Creating a new encryption group FIGURE 272 Confirm Configuration dialog box 14. Confirm the encryption group name and switch public key certificate file name you specified are correct, then click Next. The Configuration Status dialog box displays (Figure 273). FIGURE 273 Configuration Status dialog box
  • Page 677: Understanding Configuration Status Results

    Creating a new encryption group All configuration items have green check marks if the configuration is successful. A red stop sign indicates a failed step. A message displays below the table, indicating the encryption switch was added to the group you named, and the public key certificate is stored in the location you specified.
  • Page 678: Adding A Switch To An Encryption Group

    Adding a switch to an encryption group 3. Register the key vault. The Management application registers the key vault using the cryptocfg reg keyvault command. 4. Enable the encryption engines. The Management application initializes an encryption switch using the cryptocfg initEE [<slotnumber>] and cryptocfg regEE [<slotnumber>] commands.
  • Page 679 Adding a switch to an encryption group FIGURE 275 Configure Switch Encryption wizard - welcome screen 3. Click Next. The Designate Switch Membership dialog box displays (Figure 276). FIGURE 276 Designate Switch Membership dialog box 4. For this procedure, select Add this switch to an existing encryption group, then click Next. The Add Switch to Existing Encryption Group dialog box displays (Figure 277).
  • Page 680 Adding a switch to an encryption group The dialog box contains the following information: • Encryption Groups table: Enables you to select an encryption group in which to add a switch. • Member Switches table: Lists the switches in the selected encryption group. NOTE If you are creating a new encryption group, refer to “Creating a new encryption group”...
  • Page 681 Adding a switch to an encryption group FIGURE 278 Specify Public Key Certificate (KAC) File Name dialog box 6. Enter the location where you want to store the public key certificate that is used to authenticate connections to the key vault, or browse to the desired location, then click Next. The Confirm Configuration dialog box displays (Figure 279).
  • Page 682 Adding a switch to an encryption group FIGURE 280 Configuration Status dialog box All configuration items have green check marks if the configuration is successful. A red stop sign indicates a failed step. A message displays below the table, indicating the encryption switch was added to the group you named, and the public key certificate is stored in the location you specified.
  • Page 683 Adding a switch to an encryption group FIGURE 281 Error Instructions dialog box 8. Review the post-configuration instructions, which you can copy to a clipboard or print for later. 9. Click Finish to exit the Configure Switch Encryption wizard.
  • Page 684: Replacing An Encryption Engine In An Encryption Group

    Replacing an encryption engine in an encryption group Replacing an encryption engine in an encryption group To replace an encryption engine in an encryption group with another encryption engine within the same DEK Cluster, complete the following steps: 1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box.
  • Page 685: High Availability (Ha) Clusters

    High availability (HA) clusters High availability (HA) clusters A high availability (HA) cluster is a group of exactly two encryption engines (EEs). One encryption engine can take over encryption and decryption tasks for the other encryption engine, if that member fails or becomes unreachable. NOTE High Availability clusters between two EEs should not be confused with High Availability opaque mode that is supported in KMIP.
  • Page 686: Removing Engines From An Ha Cluster

    High availability (HA) clusters FIGURE 283 Encryption Group Properties dialog box - HA Clusters tab NOTE If you are creating a new HA cluster, a dialog box displays requesting a name for the new HA cluster. HA Cluster names can have up to 31 characters. Letters, digits, and underscores are allowed. Removing engines from an HA cluster Removing the last engine from an HA cluster also removes the HA cluster.
  • Page 687: Swapping Engines In An Ha Cluster

    High availability (HA) clusters Swapping engines in an HA cluster Swapping engines is useful when replacing hardware. Swapping engines is different from removing an engine and adding another because when you swap engines, the configured targets on the former HA cluster member are moved to the new HA cluster member. 1.
  • Page 688: Configuring Encryption Storage Targets

    Configuring encryption storage targets Configuring encryption storage targets Adding an encryption target maps storage devices and hosts to virtual targets and virtual initiators within the encryption switch. The storage encryption wizard enables you to configure encryption for a storage device (target). NOTE It is recommended that you configure the host and target in the same zone before configuring them for encryption.
  • Page 689 Configuring encryption storage targets FIGURE 284 Encryption Targets dialog box 3. Click Add. The Configure Storage Encryption welcome screen displays (Figure 285). FIGURE 285 Configure Storage Encryption welcome screen 4. Click Next. The Select Encryption Engine dialog box displays (Figure 286).
  • Page 690 Configuring encryption storage targets FIGURE 286 Select Encryption Engine dialog box The dialog box contains the following information: • Encryption engine: The name of the encryption engine. The list of engines depends on the scope being viewed: • If an encryption group was selected, the list includes all engines in the group. •...
  • Page 691 Configuring encryption storage targets FIGURE 287 Select Target dialog box The dialog box contains the following information: • Target Port WWN: The world wide name of the target port in the same fabric as the encryption engine. • Target Port Name: The name of the target port in the same fabric as the encryption engine. •...
  • Page 692 Configuring encryption storage targets FIGURE 288 Select Hosts dialog box The dialog box contains the following information: • Hosts in Fabric table: Lists the available hosts in the fabric. • Selected Hosts table: Lists the hosts that have been selected to access the target. •...
  • Page 693 Configuring encryption storage targets • Right arrow button: Moves a host from the Host in Fabric table to the Selected Hosts table. • Left arrow button: Removes a host from the Selected Hosts table. • Add button: Click to manually add host port world wide names or host node world wide names to the Selected Hosts table.
  • Page 694 Configuring encryption storage targets FIGURE 290 Confirmation dialog box The screen contains the following information: • Encryption Engine: The slot location of the encryption engine. • Container Name: The logical encryption name used to map storage targets and hosts to virtual targets and virtual initiators.
  • Page 695 Configuring encryption storage targets FIGURE 291 Configuration Status screen The screen contains the following information: • Device: The device type (target or host). • Device Port WWN: The port world wide name. • Represented by VI/VT: The virtual target (VT) mapped to the physical target or virtual initiator (VI) representing the host.
  • Page 696: Configuring Hosts For Encryption Targets

    Configuring hosts for encryption targets FIGURE 292 Next Steps screen The screen contains the following information: • Important Instructions: Instructions about post-configuration tasks you must complete after you close the wizard. For example, you must zone the physical hosts and the target together and then you encrypt the LUNs using the Storage Device LUNs dialog box.
  • Page 697 Configuring hosts for encryption targets NOTE You can also select a group, switch, or engine from the Encryption Center Devices table, then click the Targets icon. The Encryption Targets dialog box displays (Figure 293). FIGURE 293 Encryption Targets dialog box 3.
  • Page 698: Adding Target Disk Luns For Encryption

    Adding target disk LUNs for encryption NOTE Both the Host Ports in Fabric table and the Selected Hosts table now contain a Port ID column to display the 24-bit PID of the host port. 4. Select one or more hosts in a fabric using either of the following methods: a.
  • Page 699 Adding target disk LUNs for encryption The Encryption Disk LUN View dialog box displays (Figure 295). FIGURE 295 Encryption Disk LUN View dialog box The dialog box provides a convenient way to view and manage disk LUNs that are provisioned from different hosts, identify conflicts between configuration policies on storage systems, and to provide a launching point for the Add New Path wizard for configuring multiple I/O paths to the LUN.
  • Page 700 Adding target disk LUNs for encryption FIGURE 296 Select Target Port dialog box The dialog box is used to select a target port when configuring multiple I/O paths to a disk LUN. The dialog box contains the following information: • Storage Array The Storage Array selected from the LUN view prior to launching the Add New Path wizard.
  • Page 701 Adding target disk LUNs for encryption The dialog box is used to select an initiator port when configuring multiple I/O paths to a disk LUN. The dialog box contains the following information: • Storage Array: Displays the storage array that was selected from the LUN view prior to launching the wizard.
  • Page 702 Adding target disk LUNs for encryption • LUN table: Available LUNs identified by the following: • Host • LUN Number • LUN Serial Number • Current LUN State: Options are Encrypted, which is automatically selected if the LUN has a key ID; Clear Text, and <select> for LUNs without a key ID. User selection is required.
  • Page 703: Configuring Storage Arrays

    Adding target disk LUNs for encryption FIGURE 299 Correcting an Encryption Mode Mismatch When you correct a policy on a LUN, it is automatically selected for all paths to the selected LUN. When you modify LUN policies, a Modify icon displays to identify the modified LUN entry. 11.
  • Page 704: Remote Replication Luns

    Adding target disk LUNs for encryption Remote replication LUNs The Symmetrix Remote Data Facility (SRDF) transmits data that is being written to both a local Symmetrix array and a remote Symmetrix array. The replicated data facilitates a fast switchover to the remote site for data recovery.
  • Page 705: Metadata Requirements And Remote Replication

    Adding target disk LUNs for encryption FIGURE 300 Basic SRDF configuration with encryption switches Metadata requirements and remote replication When the metadata and key ID are written, the primary metadata on blocks 1–16 is compressed and encrypted. However, there are scenarios whereby these blocks cannot be compressed, and the metadata is not written to the media.
  • Page 706: Adding Target Tape Luns For Encryption

    Adding target tape LUNs for encryption • The New LUN option can be used only if replication is enabled for the encryption group. • If the local LUN contains host data, configuring it with the New LUN option will cause the data on the last three blocks of the LUN to be lost.
  • Page 707 Adding target tape LUNs for encryption FIGURE 302 Encryption Target Tape LUNs dialog box 4. Click Add. The Add Encryption Target Tape LUNs dialog box displays (Figure 303). A table of all LUNs in the storage device that are visible to hosts is displayed. LUNs are identified by the Host world wide name, LUN number, Volume Label Prefix number, and Enable Write Early ACK and Enable Read Ahead status.
  • Page 708 Adding target tape LUNs for encryption When you select a specific host, only the LUNs visible to that host are displayed. If you select All Hosts, LUNs visible to all configured hosts are displayed. If a LUN is visible to multiple hosts, it is listed once for each host.
  • Page 709: Moving Targets

    Moving Targets Moving Targets The Move Targets dialog box is used to redistribute which engine encrypts which targets. It is also useful for transferring all targets to another engine before replacing or removing engine hardware. Moving targets to another engine may be done while traffic is flowing between the host and target. Traffic is interrupted for a short time but resumes before the host applications are affected.
  • Page 710: Tape Lun Write Early And Read Ahead

    Tape LUN write early and read ahead 8. In the Encryption Targets dialog box, select Target Port A, click LUNs, then click Add. Select the LUNs to be encrypted and the encryption policies for the LUNs. 9. In the Encryption Targets dialog box, select Target Port B, click LUNs, then click Add. Select the LUNs to be encrypted and the encryption policies for the LUNs, making sure that the encryption policies match the policies specified in the other path.
  • Page 711 Tape LUN write early and read ahead FIGURE 304 Encryption Targets dialog box 3. Select a target tape storage device from the table, then click LUNs. The Encryption Target Tape LUNs dialog box displays (Figure 305). FIGURE 305 Encryption Target Tape LUNs dialog box - Setting tape LUN read ahead and write early 4.
  • Page 712: Tape Lun Statistics

    Tape LUN statistics NOTE You can also select a group, switch, or engine from the Encryption Center Devices table, then click the Targets icon. Select the appropriate crypto target container, then click Commit. Tape LUN statistics This feature enables you to view and clear statistics for tape LUNs. These statistics include the number of compressed blocks, uncompressed blocks, compressed bytes and uncompressed bytes written to a tape LUN.
  • Page 713: Viewing And Clearing Tape Lun Statistics For Specific Tape Luns

    Tape LUN statistics FIGURE 307 Tape LUN Statistics dialog box The dialog box contains the following information: • LUN #: The number of the logical unit for which statistics are displayed. • Tape Volume/Pool: The tape volume label of the currently-mounted tape, if a tape session is currently in progress.
  • Page 714 Tape LUN statistics 3. Select a tape target storage device, then click LUNs. The Target Tape LUNs dialog box displays (Figure 308). A list of the configured tape LUNs is displayed. FIGURE 308 Target Tape LUNs dialog box 4. Select the LUN or LUNs for which to display or clear statistics, then click Statistics. The Tape LUN Statistics dialog box displays (Figure 309).
  • Page 715: Viewing And Clearing Statistics For Tape Luns In A Container

    Tape LUN statistics • Host Port WWN: The WWN of the host port that is being used for the write operation. • A Refresh button updates the statistics on the display since the last reset. • A Clear button resets all statistics in the display. 5.
  • Page 716: Encryption Engine Rebalancing

    Encryption engine rebalancing FIGURE 311 Tape LUN Statistics dialog box The dialog box contains the following information: • LUN #: The number of the logical unit for which statistics are displayed. • Tape Volume/Pool: The tape volume label of the currently-mounted tape, if a tape session is currently in progress.
  • Page 717: Rebalancing An Encryption Engine

    Master keys During rebalancing operations, be aware of the following: • You might notice a slight disruption in Disk I/O. In some cases, manual intervention may be needed. • Backup jobs to tapes might need to be restarted after rebalancing is completed. To determine if rebalancing is recommended for an encryption engine, check the encryption engine properties.
  • Page 718: Active Master Key

    Master keys The new master key cannot be used (no new data encryption keys can be created, so no new encrypted LUNs can be configured), until you back up the new master key. After you have backed up the new master key, it is strongly recommended that all encrypted disk LUNs be rekeyed. Rekeying causes a new data encryption key to be created and encrypted using the new active master key, thereby removing any dependency on the old master key.
  • Page 719: Saving The Master Key To A File

    Master keys Refer to the following procedures for more information: • “Saving the master key to a file” on page 671 • “Saving a master key to a key vault” on page 672 • “Saving a master key to a smart card set” on page 673 You must back up the master key when the status is Created but not backed up.
  • Page 720: Saving A Master Key To A Key Vault

    Master keys FIGURE 312 Backup Destination (to file) dialog box 4. Select File as the Backup Destination. 5. Enter a file name, or browse to the desired location. 6. Enter the passphrase, which is required for restoring the master key. The passphrase can be between eight and 40 characters, and any character is allowed.
  • Page 721: Saving A Master Key To A Smart Card Set

    Master keys FIGURE 313 Backup Destination (to key vault) dialog box 4. Select Key Vault as the Backup Destination. 5. Enter the passphrase, which is required for restoring the master key. The passphrase can be between eight and 40 characters, and any character is allowed. 6.
  • Page 722 Master keys FIGURE 314 Backup Destination (to smart cards) dialog box 4. Select A Recovery Set of Smart Cards as the Backup Destination. 5. Enter the recovery card set size. 6. Insert the first blank card and wait for the card serial number to appear. Run the additional cards needed for the set through the reader.
  • Page 723: Restoring A Master Key From A File

    Master keys Saving a master key to a smart card set - Overview A card reader must be attached to the SAN Management application PC to save a master key to a recovery card. Recovery cards can only be written once to back up a single master key. Each master key backup operation requires a new set of previously unused smart cards.
  • Page 724: Restoring A Master Key From A Key Vault

    Master keys FIGURE 315 Select a Master Key to Restore (from file) dialog box 4. Choose the active or alternate master key for restoration, as appropriate. 5. Select File as the Restore From location. 6. Enter a file name, or browse to the desired location. Enter the passphrase.
  • Page 725: Restoring A Master Key From A Smart Card Set

    Master keys FIGURE 316 Select a Master Key to Restore (from key vault) dialog box 4. Choose the active or alternate master key for restoration, as appropriate. 5. Select Key Vault as the Restore From location. 6. Enter the key ID of the master key that was backed up to the key vault. Enter the passphrase.
  • Page 726: Creating A New Master Key

    Master keys FIGURE 317 Select a Master Key to Restore (from a recovery set of smart cards) dialog box 4. Choose the active or alternate master key for restoration, as appropriate. 5. Select A Recovery Set of Smart Cards as the Restore From location. 6.
  • Page 727: Security Settings

    Security Settings Security Settings Security settings help you identify if system cards are required to initialize an encryption engine and also determine the number of authentication cards needed for a quorum. 1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (Refer to Figure 185 on page 526).
  • Page 728: Setting Zeroization

    Zeroizing an encryption engine NOTE Zeroizing an engine affects the I/Os, but all target and LUN configuration remain intact. Encryption target configuration data is not deleted. You can zeroize an encryption engine only if it is enabled (running), or disabled but ready to be enabled.
  • Page 729: Using The Encryption Targets Dialog Box

    Using the Encryption Targets dialog box Using the Encryption Targets dialog box The Encryption Targets dialog box enables you to send outbound data that you want to store as ciphertext to an encryption device. The encryption target acts as a virtual target when receiving data from a host, and as a virtual initiator when writing the encrypted data to storage.
  • Page 730: Redirection Zones

    Redirection zones Redirection zones It is recommended that you configure the host and target in the same zone before you configure them for encryption. Doing so creates a redirection zone to redirect the host/target traffic through the encryption engine; however, a redirection zone can only be created if the host and target are in the same zone.
  • Page 731: Decommissioning Disk Luns

    Disk device decommissioning Provided that the crypto configuration is not left uncommitted because of any crypto configuration changes or a failed device decommission operation issued on an encryption group leader node, this error message will not be seen for any device decommission operation issued serially on an encryption group member node.
  • Page 732: Displaying And Deleting Decommissioned Key Ids

    Disk device decommissioning Displaying and deleting decommissioned key IDs With the introduction of Fabric OS 7.1.0, the ability to decommission disk LUNs is supported on all key vault platforms. Earlier releases restricted this functionality to DPM (formerly RKM) and LKM/SSKM key vaults only. When disk LUNs are decommissioned, the process includes the disabling of the key record in the key vault and indication that the key has been decommissioned.
  • Page 733: Displaying Universal Ids

    Rekeying all disk LUNs manually 3. Click Delete All to delete the decommissioned keys from the switch. As a precaution, copy the keys to a secure location before deleting them from the switch. Right-click on an entry in the table to individually select a key ID. You may also copy or export a single row within the table or the entire table.
  • Page 734: Setting Disk Lun Re-Key All

    Rekeying all disk LUNs manually • The encryption group must be in the converged state. • The target container that hosts the LUN must be online. In addition to providing the ability to launch manual rekey operations, the management application also enables you to monitor their progress.
  • Page 735: Viewing Disk Lun Rekeying Details

    Rekeying all disk LUNs manually FIGURE 322 Pending manual rekey operations Viewing disk LUN rekeying details You can view details related to the rekeying of a selected target disk LUN from the LUN Re-keying Details dialog box. 1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (Refer to Figure 185 on page 526).
  • Page 736 Rekeying all disk LUNs manually FIGURE 323 Encryption Target Disk LUNs dialog box 4. Click Add. The Add Disk LUNs dialog box displays. This dialog box includes a table of all LUNs in the storage device that are visible to the hosts. 5.
  • Page 737: Viewing The Progress Of Manual Rekey Operations

    Rekeying all disk LUNs manually Viewing the progress of manual rekey operations To monitor the progress of manual rekey operations, complete these steps: 1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box (Refer to Figure 185 on page 526).
  • Page 738: Thin Provision Luns

    Thin provision LUNs • Current LBA: The Logical Block Address (LBA) of the block that is currently being written. • Number of Blocks: The number of blocks written. • Thin Provision LUN: Identifies if the new LUN is a thin provisioned LUN. Options are: •...
  • Page 739: Viewing Time Left For Auto Rekey

    Viewing time left for auto rekey Viewing time left for auto rekey You can view the time remaining until auto rekey is no longer active for a disk LUN. The information is expressed as the difference between the next rekey date and the current date and time, and is measured in days, hours, and minutes.
  • Page 740: Viewing And Editing Switch Encryption Properties

    Viewing and editing switch encryption properties Viewing and editing switch encryption properties To view switch encryption properties, complete the following steps: 1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 185 on page 526.) 2.
  • Page 741 Viewing and editing switch encryption properties • Switch Status: The health status of the switch. Options are: • Healthy • Marginal • Down • Unknown • Unmonitored • Unreachable • Switch Membership Status: The alert or informational message description, which details the health status of the switch.
  • Page 742 Viewing and editing switch encryption properties • Thales e-Security keyAuthority (TEKA): If an encryption group contains mixed firmware nodes, the Encryption Group Properties Key Vault Type name is based on the firmware version of the group leader. For example, if a switch is running Fabric OS 7.1.0 or later, the Key Vault Type is displayed as “Thales e-Security keyAuthority (TEKA).” If a switch is running a Fabric OS version prior to v7.1.0, the Key Vault Type is displayed as “Thales Key Manager (TEMS)”.
  • Page 743: Exporting The Public Key Certificate Signing Request (Csr) From Properties

    Viewing and editing switch encryption properties • need master/link key • Online • Set State To: Identifies if the state is enabled or disabled. You can click the line item in the table to change the value, then click OK to apply the change. •...
  • Page 744: Enabling And Disabling The Encryption Engine State From Properties

    Viewing and editing encryption group properties FIGURE 327 Import Signed Certificate dialog box 4. Enter or browse to the file containing the signed certificate, then click OK. The file is imported onto the switch. Enabling and disabling the encryption engine state from properties To enable the encryption engine, complete the following steps: 1.
  • Page 745 Viewing and editing encryption group properties The Encryption Group Properties dialog box includes several tabs that are used to configure the various functions for encryption groups. All tabs are visible for all key vault types with one exception; the Link Keys tab is visible only if the key vault type is NetApp LKM/SSKM. Unless otherwise specified, the Encryption Group Properties dialog box opens with the General tab displayed.
  • Page 746: General Tab

    Viewing and editing encryption group properties General tab The General tab (Figure 329) is viewed from the Encryption Group Properties dialog box. To access the General tab, select a group from the Encryption Center Devices table, then select Group > Properties from the menu task bar.
  • Page 747 Viewing and editing encryption group properties When the first encryption engine comes back online, the encryption group’s failback setting determines whether the first encryption engine automatically resumes encrypting and decrypting traffic to its encryption targets. In manual mode, the second encryption engine continues handling the traffic until you manually invoke failback using the CLI, or until the second encryption engine fails.
  • Page 748 Viewing and editing encryption group properties • Backup Key Vault Connection Status: The status of the backup key vault link. Options are: • Connected • Unknown/Busy • Not configured • Not responding • Failed authentication • High Availability Mode: (For KMIP key vault only.) Options are: •...
  • Page 749: Members Tab

    Viewing and editing encryption group properties Members tab The Members tab lists group switches, their role, and their connection status with the group leader. The table columns are not editable. The tab displays the configured membership for the group and includes the following: •...
  • Page 750: Consequences Of Removing An Encryption Switch

    Viewing and editing encryption group properties FIGURE 330 Encryption Group Properties dialog box - Members tab Members tab Remove button You can click the Remove button to remove a selected switch or group from the encryption group table. • You cannot remove the group leader unless it is the only switch in the group. If you remove the group leader, the Management application also removes the HA cluster, the target container, and the tape pool (if configured) that are associated with the switch.
  • Page 751: Security Tab

    Viewing and editing encryption group properties The consequences of removing the last switch in a group (which will be the group leader) are all switch removal consequences noted above, plus the following: • The encryption group is deleted. • All configured tape pools are deleted. Table 67 explains the impact of removing switches.
  • Page 752 Viewing and editing encryption group properties FIGURE 331 Encryption Group Properties dialog box - Security tab The dialog box contains the following information: • Master Key Status: Displays the status of the master key. Possible values are: • Not used: Displays when LKM/SSKM is the key vault. •...
  • Page 753: Ha Clusters Tab

    Viewing and editing encryption group properties • Registered Authentication Cards table: Lists the registered authentication cards by Group Card number, Card ID, the name of the person to which the card is assigned, and optional notes. • Register from Card Reader button: Launches the Add Authentication Card dialog box. •...
  • Page 754 Viewing and editing encryption group properties • Right- and Left-arrow buttons: You can select an encryption engine in the Non-HA Encryption Engines table and click the Right-arrow button to add the encryption engine to the High-Availability Clusters. (If you are creating a new HA cluster, a dialog box displays requesting a name for the new HA cluster.) Similarly, you can select an encryption engine in the High-Availability Clusters table and click the Left-arrow button to remove it from a cluster.
  • Page 755: Link Keys Tab

    Viewing and editing encryption group properties Link Keys tab NOTE The Link Keys tab displays only if the key vault type is NetApp LKM/SSKM. Connections between a switch and a NetApp LKM/SSKM key vault require a shared link key. Link keys are used only with LKM/SSKM key vaults.
  • Page 756: Tape Pools Tab

    Viewing and editing encryption group properties FIGURE 333 Encryption Group Properties dialog box - Link Keys tab Tape Pools tab Tape pools are managed from the Tape Pools tab. From the Tape Pools tab, you can add, modify, and remove tape pools. •...
  • Page 757 Viewing and editing encryption group properties FIGURE 334 Encryption Group Properties dialog box - Tape Pools tab Tape pools overview Tape cartridges and volumes can be organized into a tape pool (a collection of tape media). The same data encryption keys are used for all cartridges and volumes in the pool. Tape pools are used by backup application programs to group all tape volumes used in a single backup or in a backup plan.
  • Page 758 Viewing and editing encryption group properties NOTE If groups are not visible in the Encryption Center Devices table, select View > Groups from the menu task bar. 3. Click Add. The Add Tape Pool dialog box displays (Figure 335). The Name tape pool label type is the default;...
  • Page 759: Engine Operations Tab

    Viewing and editing encryption group properties 6. Enter the number of days to use a key before obtaining a new one, if you choose to enforce a key lifespan. The default is Infinite (a blank field or a value of 0), which is the recommended setting.
  • Page 760: Encryption-Related Acronyms In Log Messages

    Encryption-related acronyms in log messages NOTE You cannot replace an encryption engine if it is part of an HA Cluster. Encryption-related acronyms in log messages Fabric OS log messages related to encryption components and features may have acronyms embedded that require interpretation. Table 68 lists some of those acronyms.
  • Page 761: Zoning

    Chapter Zoning In this chapter • Zoning overview ..........713 •...
  • Page 762: Types Of Zones

    Zoning overview FIGURE 338 Zoning (diagram labels: Blue Zone, Red Zone, Green Zone, Server 1 to Server 3, Storage 1 to Storage 3, RAID) NOTE Zone objects based on physical port number or port ID (D,I ports) are not supported in Network OS fabrics.
  • Page 763: Online Zoning

    Zoning overview • QoS zones Assign high or low priority to designated traffic flows. Quality of Service (QoS) zones are standard zones with additional QoS attributes that you select when you create the zone. • Traffic Isolation zones (TI zones) Isolate inter-switch traffic to a specific, dedicated path through the fabric.
  • Page 764: Zone Naming Conventions

    Zone database size Zone naming conventions The naming rules for zone names, zone aliases, and zone configuration names vary with the type of fabric. The following conventions apply: • Names must start with an alphabetic character and may contain alphanumeric characters and the underscore ( _ ) character.
  • Page 765: Zoning Configuration

    Zoning configuration At a minimum, zoning configuration entails creating zones and zone members. However, you can also create zone aliases, zone configurations, and zone databases. You can define multiple zone configurations, deactivating and activating individual configurations as your needs change. Zoning configuration can also involve enabling or disabling the default zone.
  • Page 766: Viewing Zone Properties

    Zoning configuration 2. Click the Zone DB tab if that tab is not automatically displayed. 3. Select a fabric from the Zoning Scope list. This identifies the target entity for all subsequent zoning actions and displays the zoning database for the selected entity. 4.
  • Page 767: Adding Members To A Zone

    Zoning configuration Adding members to a zone Use this procedure to add a member to a zone when the member is listed in the Potential Members list of the Zone DB tab. Enterprise and Professional Plus editions: For instructions to add a member to a zone when the member is not listed in the Potential Members list, refer to the procedure “Creating a member in a zone”...
  • Page 768: Creating A Member In A Zone

    Zoning configuration 9. Click OK or Apply to save your changes. Any zones or zone configurations you have changed are saved in the zone database. Creating a member in a zone Use this procedure to add a member to a zone when the member is not listed in the Potential Members list of the Zone DB tab.
  • Page 769: Removing A Member From A Zone

    Zoning configuration Removing a member from a zone Use the following procedure to remove one or more members from a zone or zones. Note that the member is not deleted; it is only removed from the zone. 1. Select Configure > Zoning > Fabric. The Zoning dialog box displays.
  • Page 770: Deleting A Zone

    Zoning configuration Any zones or zone configurations you have changed are saved in the zone database. Deleting a zone 1. Select Configure > Zoning > Fabric. The Zoning dialog box displays. 2. Click the Zone DB tab if that tab is not automatically displayed. 3.
  • Page 771: Customizing The Zone Member Display

    Zoning configuration 5. (Optional) Type a new name for the zone and press Enter to save the name. Depending on the characters included in the name you enter, a message may display informing you the name contains characters that are not accepted by some switch vendors. Click OK and enter a different name or accept the default name assigned to the zone.
  • Page 772: Creating A Zone Alias

    Zoning configuration 6. Make sure the appropriate fabric is named on the Zoning Policies dialog box. Perform one of the following actions based on the task you want to complete: • To enable the default zone, click Enable, and then click OK. •...
  • Page 773: Editing A Zone Alias

    Zoning configuration Editing a zone alias 1. Select Configure > Zoning > Fabric. The Zoning dialog box displays. 2. Click the Zone DB tab if that tab is not automatically displayed. 3. Select a fabric from the Zoning Scope list. 4.
  • Page 774: Exporting Zone Aliases

    Zoning configuration 6. Select one or more objects that you want to remove from the alias in the Alias list. (Press SHIFT or CTRL and click each member to select more than one member.) You can select objects from different zone aliases. Right-click one of the selected objects and select Remove.
  • Page 775: Duplicating A Zone Alias

    Zoning configuration 3. Select a fabric from the Zoning Scope list. 4. Select Alias from the Type list. 5. Right-click the zone alias you want to delete and select Delete. 6. Click Yes on the confirmation message. The selected zone alias is deleted from the Alias list. Click OK or Apply on the Zoning dialog box to save your changes.
  • Page 776: Viewing Zone Configuration Properties

    Zoning configuration Add zones to the zone configuration. For step-by-step instructions, refer to “Adding zones to a zone configuration” on page 728. 8. Click OK or Apply to save your changes. Any zones or zone configurations you have changed are saved in the zone database. Viewing zone configuration properties 1.
  • Page 777: Removing A Zone From A Zone Configuration

    Zoning configuration Removing a zone from a zone configuration Use the following procedure to remove a zone from a zone configuration. Note that the zone is not deleted; it is only removed from the zone configuration. 1. Select Configure > Zoning > Fabric. The Zoning dialog box displays.
  • Page 778: Deactivating A Zone Configuration

    Zoning configuration 3. Select a fabric from the Zoning Scope list. This identifies the target entity for all subsequent zoning actions and displays the zoning database for the selected entity. 4. (Optional) Select a zone database from the Zone DB list (Enterprise and Professional Plus editions only).
  • Page 779: Renaming A Zone Configuration

    Zoning configuration • The selected fabric is not supported by the Management application. • The selected fabric is no longer discovered. 1. Select Configure > Zoning > Fabric. The Zoning dialog box displays. 2. Click the Active Zone Configuration tab. 3.
  • Page 780: Duplicating A Zone Configuration

    Zoning configuration 3. Select a fabric from the Zoning Scope list. This identifies the target entity for all subsequent zoning actions and displays the zoning database for the selected entity. 4. Select one or more zone configurations in the Zone Configurations list that you want to delete, then right-click and select Delete.
  • Page 781: Creating An Offline Zone Database

    Zoning configuration 6. Click OK or Apply to save your changes. Any zones or zone configurations you have changed are saved in the zone database. Creating an offline zone database Offline zone databases are supported only in Enterprise and Professional Plus editions. Use this procedure to create a zone database and save it offline.
  • Page 782: Refreshing A Zone Database

    Zoning configuration 2. Select a fabric from the Zoning Scope list. This identifies the target entity for all subsequent zoning actions and displays the zoning databases for the selected entity. 3. Select the offline zone database you want to delete in the Zone DB list. NOTE Only offline databases can be deleted.
  • Page 783: Merging Two Zone Databases

    Zoning configuration Ensure that the active configurations are the same. a. Load the newly created offline zone database. b. Add the active zones to the zone configuration that is the active configuration on the other fabric. Rename the inactive configuration. Merging two zone databases If a zone or zone configuration is merged, the resulting zone or zone configuration includes all members that were marked for addition or removal as well as all members not otherwise marked.
  • Page 784: Creating A Common Active Zone Configuration In Two Fabrics

    Zoning configuration 5. (Optional) Merge elements (zone configurations, zones, or aliases) by completing the following steps: a. Select one or more of the same element type from the Reference Zone DB area. You can select zone configurations, zones, or aliases, but do not mix element types. b.
  • Page 785: Saving A Zone Database To A Switch

    Zoning configuration 2. Select Compare from the Zone DB Operation list. The Compare/Merge Zone DBs dialog box displays, as shown in Figure 339. 3. Select the database for the first fabric from the Reference Zone DB list. 4. Select the database for the second fabric from the Editable Zone DB list. 5.
  • Page 786: Importing An Offline Zone Database

    LSAN zones 5. Click Export Zone DB. 6. Click OK to save your work and close the Zoning dialog box. Importing an offline zone database NOTE You cannot import an online zone database. You cannot import a zone database that contains zones with duplicate members.
  • Page 787: Configuring Lsan Zoning

    LSAN zones LSAN zones are supported between the following types of fabrics: • Fabric OS and Fabric OS NOTE LSAN zoning is supported only in Enterprise and Professional Plus editions. Configuring LSAN zoning The following procedure provides an overview of the steps you must perform to configure LSAN zoning.
  • Page 788: Creating An Lsan Zone

    LSAN zones Creating an LSAN zone 1. Select a backbone fabric from the Connectivity Map or Product List. 2. Select Configure > Zoning > LSAN Zoning (Device Sharing). The Zoning dialog box displays. 3. Click the Zone DB tab if that tab is not automatically displayed. 4.
  • Page 789: Creating A New Member In An Lsan Zone

    LSAN zones 6. Select an option from the Type list. By default, the first time you launch the LSAN Zoning dialog box for a zoning scope, the Potential Members list displays valid members using the following rules: • If you select the WWN type, the valid members display by the Attached Ports. •...
  • Page 790: Activating Lsan Zones

    Traffic Isolation zones 6. Click OK to save your changes and close the Add Zone Member dialog box. Click Apply to save your changes and keep the Add Zone Member dialog box open so you can add more new members. Repeat step 3 through step 5...
  • Page 791: Failover Options

    Traffic Isolation zones NOTE TI zones are not supported with Network OS. Failover options A TI zone can have failover enabled or disabled. Disable failover if you want to guarantee that TI zone traffic uses only the dedicated path, and that no other traffic can use the dedicated path.
  • Page 792: Configuring Traffic Isolation Zoning

    Traffic Isolation zones If the fabric contains a switch running an earlier version of Fabric OS, you cannot create an enhanced TI zone. The failover mode must be the same for each enhanced TI zone to which a port belongs. You cannot merge a down-level switch into a fabric containing enhanced TI zones, and you cannot merge a switch with enhanced TI zones defined into a fabric containing switches that do not support ETIZ.
  • Page 793: Adding Members To A Traffic Isolation Zone

    Traffic Isolation zones 3. Select a fabric from the Zoning Scope list. This identifies the target entity for all subsequent zoning actions and displays the zoning database for the selected entity. 4. Select Domain, Port Index from the Type list. 5.
  • Page 794: Enabling A Traffic Isolation Zone

    Traffic Isolation zones 8. Click the right arrow between the Potential Members list and the Zones list to add the selected ports to the zone. 9. Click OK or Apply to save your changes. The TI zone is saved, but is not activated. Traffic Isolation zones are activated when you activate a zone configuration in the same zone database.
  • Page 795: Enabling Failover On A Traffic Isolation Zone

    Traffic Isolation zones 5. Click OK or Apply to save your changes. The Traffic Isolation zone is not disabled until you activate a zone configuration in the same zone database. Enabling failover on a Traffic Isolation zone NOTE Traffic Isolation zones are configurable only on a Fabric OS device. 1.
  • Page 796: Boot Lun Zones

    Boot LUN zones This identifies the target entity for all subsequent zoning actions and displays the zoning database for the selected entity. 4. Right-click the Traffic Isolation zone upon which you want to disable failover in the Zones list and clear the Configured Failover check box. 5.
  • Page 797: Modifying A Boot Lun Zone

    Zoning administration The Boot LUN zone is saved to the Active Zone DB. To activate the Boot LUN zone, you must move it to a zone configuration and activate the configuration. Modifying a Boot LUN zone Only one Boot LUN zone can exist for a host port. If you want to change the target port or LUN number, you must create a new Boot LUN zone and overwrite the existing zone.
  • Page 798: Comparing Zone Databases

    Zoning administration Comparing zone databases You can compare zone databases against one another to identify any and all differences between their memberships prior to sending them to the switch. Once the two databases have been compared, icons display to show the differences between the two databases. These icons are illustrated and described in Table TABLE 69...
  • Page 799: Managing Zone Configuration Comparison Alerts

    Zoning administration 4. Select a database from the Editable Zone DB list. The Reference Zone DB and Editable Zone DB areas display all available element types (zone configurations, zones, and aliases) for the two selected zone databases. In the Editable Zone DB area, each element type and element display with an icon indicator (Table 69) to show the...
  • Page 800: Setting Change Limits On Zoning Activation

    Zoning administration Setting change limits on zoning activation Use this procedure to set a limit on the number of changes a user can make to the zone database before activating a zone configuration. If the user exceeds the limit, zone configuration activation is not allowed.
  • Page 801: Removing All User Names From A Zone Database

    Zoning administration 2. Select a fabric from the Zoning Scope list. This identifies the target entity for all subsequent zoning actions and displays the zoning databases for the selected entity. 3. Select the Fabric Zone DB from the Zone DB list. 4.
  • Page 802: Finding A Zone Member In The Potential Member List

    Zoning administration 6. Click Find > between the Potential Members list and the Zones list. If the member is found, all instances of the zone member found are highlighted in the Zones list. Finding a zone member in the potential member list Use this procedure to locate a zone member in the Potential Members list on the Zone DB tab.
  • Page 803: Listing Zone Members

    Zoning administration 3. Select a fabric from the Zoning Scope list. This identifies the target entity for all subsequent zoning actions and displays the zoning database for the selected entity. 4. Select the zone configuration member (for example, the zone) in the Zone Configurations list that you want to find in the Zones list.
  • Page 804: Removing An Offline Device

    Zoning administration 5. Click Close to exit the Un-Zone Members dialog box. Removing an offline device The Management application enables you to remove an offline device from all zones and zone aliases in the selected zone DB. 1. Select Configure > Zoning > Fabric. The Zoning dialog box displays.
  • Page 805: Replacing An Offline Device By Wwn

    Zoning administration 6. Enter the WWN, name, domain and port index numbers, or alias—whichever is appropriate for the method you chose in step When you choose the WWN method, you may define a name for the replacement zone member. Click OK. The new zone member replaces the old zone member in the Zones list and the Replace Zone Member dialog box closes.
  • Page 806 Zoning administration 1. Select Configure > Zoning > Fabric. The Zoning dialog box displays. 2. Select a fabric from the Zoning Scope list. This identifies the target entity for all subsequent zoning actions and displays the zoning database for the selected entity. 3.
  • Page 807 Chapter Fibre Channel over IP In this chapter • FCIP services licensing ......... 760 •...
  • Page 808: Fcip Services Licensing

    FCIP services licensing Most of the FCIP extension services described in this chapter require the High Performance . FICON emulation features require additional licenses. Extension over FCIP/FC license The following features and licensing apply to the 8 Gbps Extension platforms. •...
  • Page 809: Fcip Platforms And Supported Features

    FCIP platforms and supported features The following Fabric OS platforms support FCIP: • The 8 Gbps extension switch. • The 8 Gbps Extension blade (8-slot Backbone Chassis, 4-slot Backbone Chassis). • The 4 Gbps Extension blade (8-slot Backbone Chassis, 4-slot Backbone Chassis, Director Chassis).
  • Page 810: Fcip Trunking

    FCIP trunking The way FCIP tunnels and virtual ports map to the physical GbE ports depends on the switch or blade model. The 8 Gbps Extension Switch and 8 Gbps Extension Blade tunnels are not tied to a specific GbE port, and may be assigned to any virtual port within the allowed range. The 4 Gbps Extension Blade requires tunnels to be mapped to specific GbE ports and specific virtual ports.
  • Page 811: Design For Redundancy And Fault Tolerance

    FCIP trunking FIGURE 341 FCIP tunnel and FCIP circuits (diagram labels: IP Router, FCIP Circuits, FCIP Tunnel) Design for redundancy and fault tolerance Multiple FCIP tunnels can be defined between pairs of 8 Gbps extension switches and 8 Gbps extension Blades, but doing so defeats the concept of a multiple circuit FCIP tunnel.
  • Page 812: Fcip Circuit Failover Capabilities

    FCIP trunking • In a scenario where an FCIP tunnel has multiple circuits of different metrics, the data will flow over the lower metric circuits unless a failover condition occurs, as described in “FCIP circuit failover capabilities”. • The maximum bandwidth for a single circuit is 1 Gbps. However, a maximum of 10 Gbps per circuit is allowed between 10 GbE ports on 8 Gbps Extension Blades when both blades are running Fabric OS 7.0 or greater.
  • Page 813: Bandwidth Calculation During Failover

    Adaptive Rate Limiting Bandwidth calculation during failover The bandwidth of higher metric circuits is not calculated as available bandwidth on an FCIP tunnel until all lowest metric circuits have failed. For example, assume the following: • Circuits 0 and 1 are created with a metric of 0. Circuit 0 is created with a maximum transmission rate of 1 Gbps, and Circuit 1 is created with a maximum transmission rate of 500 Mbps.
  • Page 814: Qos Sid/Did Priorities Over An Fcip Trunk

    QoS SID/DID priorities over an FCIP trunk QoS SID/DID traffic prioritization is a capability of the Fabric OS Adaptive Networking licensed feature. This feature allows you to prioritize FC traffic flows between hosts and targets. Four internal TCP connections provide internal circuits for managing QoS SID/DID priorities over an FCIP tunnel, as illustrated in Figure...
  • Page 815: Configuring Qos Priorities

    QoS SID/DID priorities over an FCIP trunk [Figure: External User Perspective and Internal Architecture panels; a VE Port tunnel with High Priority, Med. Priority, Low Priority, and F-Class virtual tunnels, virtual circuits, and connections]...
  • Page 816: Ipsec And Ike Implementation Over Fcip

    IPsec and IKE implementation over FCIP The Advanced Settings dialog box is displayed. This dialog box has a Transmission tab, Security tab, and FICON Emulation tab. Configure QoS percentages on the Transmission tab (Figure 345). FIGURE 345 Advanced Settings Transmission Tab 5.
  • Page 817: Ipsec For The 4 Gbps Platforms

    IPsec and IKE implementation over FCIP IPsec for the 4 Gbps platforms IPsec uses some terms that you should be familiar with before beginning your configuration. These are standard terms, but are included here for your convenience. Term Definition Advanced Encryption Standard. FIPS 197 endorses the Rijndael encryption algorithm as the approved AES for use by US Government organizations and others to protect sensitive information.
  • Page 818: Ipsec For The 8 Gbps Platforms

    QOS, DSCP, and VLANs IPSec for the 8 Gbps platforms The 8 Gbps platforms use AES-GCM-ESP as a single, pre-defined mode of operation for protecting all TCP traffic over an FCIP tunnel. AES-GCM-ESP is described in RFC-4106. Key features are listed below: •...
  • Page 819: Vlans And Layer Two Quality Of Service

    QOS, DSCP, and VLANs DSCP settings are useful only if IP routers are configured to enforce QoS policies uniformly within the network. IP routers use the DSCP value as an index into a Per Hop Behavior (PHB) table. Control connections and data connections may be configured with different DSCP values. Before configuring DSCP settings, determine if the IP network you are using implements PHB, and consult with your WAN administrator to determine the appropriate DSCP values.
  • Page 820: Open Systems Tape Pipelining

    Open systems tape pipelining TABLE 72 Default Mapping of DSCP priorities to L2CoS Priorities (Continued)
    DSCP priority/bits | L2CoS priority/bits | Assigned to:
    59 / 111011 | 4 / 100 | High QoS
    63 / 111111 | 0 / 000 |
    Open systems tape pipelining Open Systems Tape Pipelining (OSTP) can be used to enhance open systems SCSI tape write I/O performance.
  • Page 821: Ficon Emulation Features

    FICON emulation features TABLE 73 OSTP constraints FCIP Fastwrite Tape Acceleration Class 3 traffic is accelerated with Fastwrite. Class 3 traffic is accelerated between host and sequential device. With sequential devices (tape drives), there are 1024 initiator-tape (IT) pairs per GbE port, but 2048 initiator-tape-LUN (ITL) pairs per GbE port.
  • Page 822: Tape Write Pipelining

    FCIP configuration guidelines Tape write pipelining FICON tape write pipelining improves performance for a variety of applications when writing to tape over extended distances. FICON tape write pipelining locally acknowledges write data records, enabling the host to generate more records while previous records are in transit across the IP WAN. If exception status is received from the device, the writing of data and emulation is terminated.
  • Page 823: Virtual Port Types

    FCIP configuration guidelines • The Management application must be able to discover the fabrics that contain the extension switches. • The extension switches should be physically connected to the IP network they will be using to pass data, and the connection should be active and working. •...
  • Page 824: Configuring An Fcip Tunnel

    Configuring an FCIP tunnel When you configure an FCIP extension connection, you create FCIP tunnels and FCIP circuits between two extension switches. 1. Select Configure > FCIP Tunnels. The FCIP Tunnels dialog box is displayed (Figure 346).
  • Page 825 Configuring an FCIP tunnel FIGURE 347 Add FCIP Tunnel dialog box Click Select Switch Two under Switch Two Settings on the Add FCIP Tunnels dialog box to display discovered extension switches in the Select Switch dialog box. The switch name and fabric are displayed in the Switch and Fabric fields. d.
  • Page 826: Adding An Fcip Circuit

    Adding an FCIP circuit A Circuits properties table displays at the bottom of the dialog box. For 8 Gbps platforms, this may contain columns for multiple circuits. Actual, as well as cached circuits display. You can add, edit, delete, enable, and disable circuits using the function buttons to the right of the table.
  • Page 827 Adding an FCIP circuit 1. Select the GiGE Port used for the Ethernet connection on each switch. The choices available depend on the extension switch or blade model. 2. Select Use as failover to configure the 10 GbE port on an 8 Gbps Blade platform as a 10 Gbps lossless failover circuit.
  • Page 828 Adding an FCIP circuit 9. Select values for bandwidth settings. An uncommitted bandwidth is not allowed on an FCIP circuit. You must select Committed bandwidth. If you want to use ARL, set Minimum and Maximum bandwidth values. Bandwidth grows towards the maximum and reduces towards the minimum based on traffic conditions.
  • Page 829: Circuit Configuration Failure

    Configuring FCIP tunnel advanced settings Use the Max. Retransmits option to override the default value of 8. As shown, the range is 1 to 8. Select L2CoS and DSCP priorities. Refer to “QOS, DSCP, and VLANs” on page 770 for more information.
  • Page 830 Configuring FCIP tunnel advanced settings 3. Click OK to commit your selection. For the 8 Gbps Extension Switch and 8 Gbps Extension Blade: 1. Select Advanced Settings on the Add FCIP Tunnel or Edit FCIP Tunnel dialog box to display the Advanced Settings dialog box.
  • Page 831: Enabling Open Systems Tape Pipelining (Ostp)

    Configuring FCIP tunnel advanced settings Enabling Open Systems Tape Pipelining (OSTP) Latency introduced by a long distance IP connection can negatively impact tape I/O performance. OSTP may be used to improve performance on SCSI write I/Os to sequential devices (such as tape drives).
  • Page 832: Configuring Ipsec And Ike Policies

    Configuring FCIP tunnel advanced settings Configuring IPSec and IKE policies IPSec and IKE policies are configured from the Security tab. The screens and procedures are platform-dependent. Figure 351 on page 784 shows the screen for the 8 Gbps Extension Switch and 8 Gbps Extension Blade.
  • Page 833: Configuring Ficon Emulation

    Configuring FCIP tunnel advanced settings • For the 4 Gbps Extension Switch and Blade and the 8 Gbps Extension Blade, the key value must be between 12 and 32 alphanumeric characters. The length depends on the chosen IKE policy. • For the 8 Gbps Extension Switch, the key value must be a minimum of 32 alphanumeric characters.
  • Page 834 Configuring FCIP tunnel advanced settings 3. Select the check boxes for the FICON emulation features you want to implement. The primary FICON emulation features are FICON XRC Emulation (IBM z/OS Global Mirror emulation), tape write pipelining, tape read pipelining, TIN/TUR emulation and device level ACK emulation provide support for the primary features.
  • Page 835: Viewing Fcip Connection Properties

    Viewing FCIP connection properties Viewing FCIP connection properties The FCIP connection properties show properties of the blades or switches on both sides of a connection. To view FCIP connection properties, right-click the connection between two extension blades or switches (Figure 353).
  • Page 836: Viewing General Fcip Properties

    Viewing General FCIP properties Viewing General FCIP properties Use the following steps to view general FCIP properties for a switch or blade. 1. Right click an extension blade or switch from the Fabric Tree structure or on the Connectivity Map, and select Properties. 2.
  • Page 837: Viewing Fcip Fc Port Properties

    Viewing FCIP FC port properties FIGURE 355 General FCIP properties tab (blade chassis) Viewing FCIP FC port properties Take the following steps to view FCIP FC port properties. 1. Right click an extension blade or switch from the Fabric Tree structure or on the Connectivity Map, and select Properties.
  • Page 838: Viewing Fcip Ethernet Port Properties

    Viewing FCIP Ethernet port properties FIGURE 356 FC ports properties Viewing FCIP Ethernet port properties Take the following steps to view Ethernet port properties. 1. Right click an extension blade or switch from the Fabric Tree structure or on the Connectivity Map, and select Properties.
  • Page 839: Editing Fcip Circuits

    Editing FCIP circuits FIGURE 357 GigE ports properties Editing FCIP circuits FCIP circuit settings may be edited from the Edit FCIP Circuit dialog box. The procedure for launching this dialog box for the 4 Gbps Extension Switch and Blade is different than the procedure for the 8 Gbps Extension Switch and the 8 Gbps Extension Blade.
  • Page 840: Disabling Fcip Tunnels

    Disabling FCIP tunnels 3. Select Edit to the right of the Circuits properties table at the bottom of the dialog box. The Edit FCIP Circuit dialog box displays. For the 8 Gbps Extension Switch and the 8 Gbps Extension Blade: 1.
  • Page 841: Enabling Fcip Tunnels

    Enabling FCIP tunnels Enabling FCIP tunnels 1. From the FCIP Tunnels dialog box, select the tunnel you want to enable. 2. Select Enable. 3. Click OK to enable the tunnel. Deleting FCIP tunnels 1. From the FCIP Tunnels dialog box, select the tunnel you want to delete. 2.
  • Page 842: Deleting Fcip Circuits

    Deleting FCIP Circuits Deleting FCIP Circuits 1. From the FCIP Tunnels dialog box, select the tunnel that contains the circuit. 2. Select Edit. The Edit FCIP Tunnel dialog box displays. 3. Select the circuit that you want to delete from the Circuit properties table at the bottom of the dialog box.
  • Page 843: Displaying Tunnel Properties From The Fcip Tunnels Dialog Box

    Displaying tunnel properties from the FCIP tunnels dialog box Displaying tunnel properties from the FCIP tunnels dialog box Tunnel properties can be displayed from the FCIP Tunnels dialog box. 1. Select a tunnel from the FCIP tunnels dialog box. 2. Select the Tunnel tab. Tunnel properties are displayed.
  • Page 844: Displaying Fcip Circuit Properties From The Fcip Tunnels Dialog Box

    Displaying FCIP circuit properties from the FCIP tunnels dialog box Displaying FCIP circuit properties from the FCIP tunnels dialog box Tunnel properties can be displayed from the FCIP Tunnels dialog box using the following procedure. 1. Select a tunnel from the FCIP tunnels dialog box. 2.
  • Page 845: Displaying Switch Properties From The Fcip Tunnels Dialog Box

    Displaying switch properties from the FCIP Tunnels dialog box Displaying switch properties from the FCIP Tunnels dialog box Switch properties are displayed on the FCIP Tunnels dialog box when you select a switch (Figure 361). FIGURE 361 Switch properties on the FCIP Tunnels dialog box
  • Page 846: Displaying Fabric Properties From The Fcip Tunnels Dialog Box

    Displaying fabric properties from the FCIP Tunnels dialog box Displaying fabric properties from the FCIP Tunnels dialog box Fabric properties are displayed on the FCIP Tunnels dialog box when you select a fabric (Figure 362). FIGURE 362 Fabric properties on the FCIP Tunnels dialog box Troubleshooting FCIP Ethernet connections 1.
  • Page 847: Fabric Binding

    Chapter Fabric Binding In this chapter • Fabric Binding overview......... . 799 •...
  • Page 848 Fabric Binding overview FIGURE 363 Fabric Binding dialog box 2. Review the fabric binding membership details. • Fabric List table — Lists the fabrics in your network. Fabric Name — The name of the fabric. Fabric WWN — The world wide name of the fabric. ...
  • Page 849: Enabling Fabric Binding

    Fabric Binding overview • Membership List of Fabric_Name table — The current Fabric Membership List (FML) of the highlighted fabric, including the following details: Name — The name of the switch fabric. Node WWN — The node WWN of an available or member switch. ...
  • Page 850: Disabling Fabric Binding

    Fabric Binding overview 2. In the Fabric List table, click the Enable/Disable check box for fabrics for which you want to configure fabric binding. For instructions on adding and removing switches from the membership list, refer to “Adding switches to the fabric binding membership list” on page 803 and “Removing switches from fabric binding membership”...
  • Page 851: Adding Switches To The Fabric Binding Membership List

    Fabric Binding overview Adding switches to the fabric binding membership list Once you have enabled Fabric Binding (refer to “Enabling fabric binding” on page 801), you can add switches to the fabric binding membership list. NOTE Fabric Binding is only supported on Fabric OS 5.2 or later. To add a switch to the fabric, complete the following steps.
  • Page 852: Removing Switches From Fabric Binding Membership

    High integrity fabrics overview Removing switches from fabric binding membership Once you have enabled Fabric Binding (refer to “Enabling fabric binding” on page 801), you can remove switches that are not part of the fabric from the membership list. NOTE Fabric Binding is only supported on Fabric OS 5.2 or later.
  • Page 853: Activating High Integrity Fabrics

    High integrity fabrics overview • A policy must be set that limits connectivity to only the switches within the same fabric. Fabric binding is a security method for restricting switches that may join a fabric. For Fabric OS switches, fabric binding is implemented by defining a switch connection control (SCC) policy that prevents unauthorized switches from joining a fabric.
  • Page 854: Deactivating High Integrity Fabrics

    High integrity fabrics overview Deactivating high integrity fabrics NOTE Deactivating high integrity fabrics is not supported in a pure Fabric OS environment. To deactivate a HIF, complete the following steps. 1. Select Configure > High Integrity Fabric. The High Integrity Fabric dialog box displays (Figure 364).
  • Page 855: Port Fencing

    Chapter Port Fencing In this chapter • About port fencing ..........807 •...
  • Page 856: Viewing Port Fencing Configurations

    About port fencing Viewing port fencing configurations NOTE This feature is only available for Fabric OS devices. NOTE This feature requires a Trial or Licensed version. Port Fencing allows you to protect your SAN from repeated operational or security problems experienced by ports.
  • Page 857 About port fencing • Thresholds table — List of configured thresholds based on the threshold type selected in the Violation Type list. Limit (Fabric OS) — The number of events allowed for the assigned threshold. If the object has no fencing support or no fencing changes, this field displays two hyphens separated by a space (- -).
  • Page 858: Thresholds

    Thresholds Operational State — The operational state of the port. Blocked Configuration — The current configuration of the port (Blocked or Unblocked). Port WWN — The port world wide name of the port. Connected Product — The device label of the connected object. ...
  • Page 859: C3 Discard Frames Threshold

    Thresholds C3 Discard Frames threshold NOTE This threshold is only available for Fabric OS devices running 6.3 or later. Use this type of threshold to block a port when a C3 Discard Frames violation meets the Fabric OS switch threshold. This threshold is only supported on directors, switches, and blades with a 4 Gbps, 8 Gbps, or 16 Gbps ASIC.
  • Page 860: Invalid Crcs Threshold

    Thresholds Invalid CRCs threshold NOTE This threshold is only available for Fabric OS devices. Use this type of threshold to block a port when an Invalid CRCs violation meets the Fabric OS switch threshold. Invalid words threshold NOTE This threshold is only available for Fabric OS devices. Use this type of threshold to block a port when an Invalid Words violation meets the Fabric OS switch threshold.
  • Page 861: Adding Thresholds

    Adding thresholds Adding thresholds NOTE This feature requires a Trial or Licensed version. The Management application allows you to create Invalid CRCs, Invalid words, Link, Link Reset, Protocol Error, Security, and Sync Loss thresholds. Adding a C3 Discard Frames threshold NOTE This threshold is only available for Fabric OS devices running 6.3 or later.
  • Page 862 Adding thresholds FIGURE 367 Add C3 Discard Frames Threshold dialog box 4. Enter a name for the threshold in the Name field. 5. Select one of the following options: • Default — Uses device defaults. Go to step • Custom — Uses your selections. Continue with step 6.
  • Page 863: Adding An Invalid Crcs Threshold

    Adding thresholds Adding an Invalid CRCs threshold NOTE This threshold is only available for Fabric OS devices. NOTE This feature requires a Trial or Licensed version. Use to block a port when an Invalid CRC violation type meets the Fabric OS switch threshold. For default threshold values for Fabric OS devices, refer to Chapter 7 of the Fabric Watch Administrator's Guide.
  • Page 864: Adding An Invalid Words Threshold

    Adding thresholds 8. Click OK to add the Invalid CRCs threshold to the table and close the Add Invalid CRCs Threshold dialog box. To assign this threshold to fabrics, switches, or switch ports, refer to “Assigning thresholds” on page 821. 9. Click OK on the Port Fencing dialog box. Adding an Invalid Words threshold NOTE This threshold is only available for Fabric OS devices.
  • Page 865: Adding A Link Reset Threshold

    Adding thresholds • Minute — the port is blocked as soon as the specified number of invalid words allowed is reached within a minute. • Hour — the port is blocked as soon as the specified number of invalid words allowed is reached within an hour.
  • Page 866: Adding A Protocol Error Threshold

    Adding thresholds Select the time period for the threshold from the errors per list. The following choices are available: • None — the port is blocked as soon as the specified number of link resets allowed is met. • Second — the port is blocked as soon as the specified number of link resets allowed is reached within a second.
  • Page 867 Adding thresholds FIGURE 371 Add Protocol Error Threshold dialog box 4. Enter a name for the threshold in the Name field. 5. Select the Fabric OS check box. a. Select one of the following options: • Default — Uses device defaults. Go to step •...
  • Page 868: Adding A State Change Threshold

    Adding thresholds Adding a State Change threshold NOTE This threshold is only available for Fabric OS devices running 6.3 or later. NOTE This feature requires a Trial or Licensed version. Use to block a port when a state change violation type meets the Fabric OS switch threshold. For 4 Gbps Router, Extension Switches and Blades only, when you apply this threshold on an E Port, the threshold is also applied to the VE Ports (internally by Fabric OS).
  • Page 869: Assigning Thresholds

    Adding thresholds • Hour — the port is blocked as soon as the specified number of state changes allowed is reached within an hour. • Day — the port is blocked as soon as the specified number of state changes allowed is reached within a day.
  • Page 870: Unblocking A Port

    Adding thresholds Unblocking a port The Management application allows you to unblock a port (only if it was blocked by Port Fencing) once the problem that triggered the threshold is fixed. When a port is blocked, an Attention icon displays next to the port node.
  • Page 871: Editing Thresholds

    Editing thresholds Editing thresholds The Management application allows you to edit the name, number of events needed, and time period of ISL Protocol, Link, and Security thresholds. Editing a C3 Discard Frames threshold NOTE This threshold is only available for Fabric OS devices. NOTE This feature requires a Trial or Licensed version.
  • Page 872: Editing An Invalid Words Threshold

    Editing thresholds 3. Select the threshold you want to change and click Edit. The Edit Invalid CRCs Threshold dialog box displays. 4. Complete step 4 through step 7 of “Adding an Invalid CRCs threshold” on page 815. 5. Click OK on the Edit Invalid CRCs Threshold dialog box. If the threshold has already been assigned to ports, an “Are you sure you want to make the requested changes to this threshold on “X”...
  • Page 873: Editing A Link Reset Threshold

    Editing thresholds Editing a Link Reset threshold NOTE This threshold is only available for Fabric OS devices. NOTE This feature requires a Trial or Licensed version. Use to block a port when the Link Reset violation type meets the Fabric OS switch threshold. To edit a Link Reset threshold, complete the following steps.
  • Page 874: Editing A State Change Threshold

    Editing thresholds 3. Select the threshold you want to change and click Edit. The Edit Protocol Error Threshold dialog box displays. 4. Complete step 4 through step 5 of “Adding a Protocol Error threshold” on page 818. 5. Click OK on the Edit Protocol Error Threshold dialog box. If the threshold has already been assigned to ports, an “Are you sure you want to make the requested changes to this threshold on “X”...
  • Page 875: Finding Assigned Thresholds

    Editing thresholds Finding assigned thresholds The Management application allows you to find all ports with a specific threshold applied. NOTE This search is performed on the threshold name. Since Fabric OS devices do not retain the threshold name, the ability to search for a threshold on a Fabric OS device is not available in most cases. To find assigned thresholds, complete the following steps.
  • Page 876: Removing Thresholds

    Removing thresholds 4. Review the Thresholds table. • # (Number) — The line number for each threshold in the table. • Status — The threshold status. • Directly Assigned Indicator — Whether or not the threshold was directly assigned. • Name —...
  • Page 877: Removing Thresholds From The Thresholds Table

    Removing thresholds A directly assigned icon displays next to each object with an assigned threshold which does not inherit a threshold from higher in the tree. NOTE If you remove a threshold from All Fabrics, it removes the threshold from individual Fabrics, switches, and switch ports in all Fabrics except for a Chassis group.
  • Page 879: Ficon Configurations

    Chapter FICON Environments In this chapter • FICON Configurations ......... . 831 •...
  • Page 880: Configuring Ficon Display

    Configuring FICON display FIGURE 374 Cascaded configuration, three domains, but only two in a path Configuring FICON display You can configure the FICON display so that, in any table that contains end device descriptions, the following eight columns are moved to be the first columns: FC Address, Serial #, Tag, Device Type, Model, Vendor, Port Type, and WWN.
  • Page 881 Configuring an Allow/Prohibit Matrix • Double-click a configuration file. • Select a configuration file and click the right arrow. A matrix displays. The switch ports are displayed on both the vertical axis and horizontal axis. A green circle icon indicates communication is allowed between the ports. FIGURE 375 Active Configuration 4.
  • Page 882: Configuring An Allow/Prohibit Matrix Manually

    Configuring an Allow/Prohibit Matrix manually Configuring an Allow/Prohibit Matrix manually NOTE If you receive a 'FICON not supported on switch' error, refer to FICON troubleshooting for a list of possible causes. To configure to allow or prohibit communication between specific ports manually, complete the following steps.
  • Page 883: Saving Or Copying Allow/Prohibit Matrix Configurations To Another Device

    Saving or Copying Allow/Prohibit Matrix configurations to another device 8. Click Add. The information displays in the Selected Ports for Modification table. To delete any of these manual configurations, select the configuration you want to delete in the Selected Ports for Modification table and click Remove. The table displays the following information: •...
  • Page 884: Copying An Allow/Prohibit Matrix Configuration

    Saving or Copying Allow/Prohibit Matrix configurations to another device Copying an Allow/Prohibit Matrix configuration NOTE If you receive a 'FICON not supported on switch' error, refer to FICON troubleshooting for a list of possible causes. To duplicate an existing Allow/Prohibit Matrix configuration, complete the following steps. 1.
  • Page 885: Another Device

    Saving or Copying Allow/Prohibit Matrix configurations to another device Saving an Allow/Prohibit Matrix configuration to another device NOTE If you receive a 'FICON not supported on switch' error, refer to FICON troubleshooting for a list of possible causes. To save an existing Allow/Prohibit Matrix configuration to another device, complete the following steps.
  • Page 886: Activating An Allow/Prohibit Matrix Configuration

    Activating an Allow/Prohibit Matrix configuration Activating an Allow/Prohibit Matrix configuration NOTE If you receive a 'FICON not supported on switch' error, refer to FICON troubleshooting for a list of possible causes. You must have an active zone configuration before you can activate an Allow/Prohibit Matrix configuration.
  • Page 887: Deleting An Allow/Prohibit Matrix Configuration

    Deleting an Allow/Prohibit Matrix configuration Deleting an Allow/Prohibit Matrix configuration NOTE If you receive a 'FICON not supported on switch' error, refer to FICON troubleshooting for a list of possible causes. You cannot delete the active configuration, the IPL configuration, or a configuration that is marked as having uncommitted changes.
  • Page 888: Clearing Port Names

    Cascaded FICON fabric Clearing port names Select the Clear Port Names option below the matrix display to clear all port names from the selected matrix. Perform the following steps to change the display to the desired format. 1. Select Clear Port Names. A warning displays asking you to confirm the operation.
  • Page 889: Configuring A Cascaded Ficon Fabric

    Cascaded FICON fabric Configuring a cascaded FICON fabric NOTE If you receive a 'FICON not supported on switch' error, refer to FICON troubleshooting for a list of possible causes. The FICON wizard automatically creates high integrity fabric configuration settings that support a cascaded FICON fabric.
  • Page 890 Cascaded FICON fabric 5. Select to enable port-based, exchange-based, or device-based routing on switches. Selecting Port-Based Routing enables port-based routing on 4 Gbps platform switches. Selecting Exchange-Based Routing enables exchange-based routing for the fabric if all switches are 8 Gbps or greater platforms running Fabric OS 6.4 or later.
  • Page 891: Cascaded Ficon Fabric Merge

    Cascaded FICON fabric merge Cascaded FICON fabric merge The Management application provides a wizard to help you merge two fabrics for cascaded FICON. Note that merging two cascaded FICON fabrics may be disruptive to current I/O operations in both fabrics, as it needs to disable and enable the switches in both fabrics. The merge process will not make any configuration changes on the primary (production) fabric that are disruptive.
  • Page 892 Cascaded FICON fabric merge • (Optional) Turns on FICON Management Server (FMS) mode on all switches. If some switches already have FMS mode enabled, it is re-enabled. If switches are running Fabric OS 7.0 and later, FMS will not be enabled on switches that do not have an active CUP license.
  • Page 893: Merging Two Cascaded Ficon Fabrics

    Cascaded FICON fabric merge Merging two cascaded FICON fabrics NOTE If you receive a 'FICON not supported on switch' error, refer to FICON troubleshooting for a list of possible causes. If you want to join two cascaded FICON fabrics, they must be merged. If the distance between fabrics is 10 km or more, an Extended Fabrics license is required, and an extra step is required to configure the connection as a long distance connection.
  • Page 894 Cascaded FICON fabric merge 8. Click Next. The Check merge screen displays. A Status details table shows progress through merge check points. A rotating arrow under Status indicates a Merge check step is in progress. A blue check mark indicates successful completion of that Merge check.
  • Page 895: Resolving Merge Conflicts

    Cascaded FICON fabric merge Resolving merge conflicts You can resolve the following types of switch configuration conflicts: • Domain ID • • Buffer To Buffer Credit • Disable Device Probe NOTE This test will be skipped if all primary and secondary fabric switches are found to be Fabric OS v7.0 and above.
  • Page 896: Port Groups

    Port Groups 5. Perform step 11 through step 14 of the procedure “Merging two cascaded FICON fabrics” on page 845 to finish resolving a merge conflict. Port Groups A port group is a group of FC ports from one or more switches within the same fabric. Port groups are user-specific; you can only view and manage port groups that you create.
  • Page 897 Port Groups FIGURE 381 Port Groups dialog box 2. Click New. 3. Enter a name for the port group in the Name field. 4. Enter a description for the port group in the Description field. 5. Select one or more ports to add to the group in the Group Type - FC Ports table. A port group must have at least one port in the Membership List.
  • Page 898: Viewing Port Groups

    Port Groups Viewing port groups Port groups are user-specific; you can only view and manage port groups that you create. To view port groups, complete the following steps. 1. Select Configure > Port Groups. The Port Groups dialog box only displays port groups defined by you. If a fabric becomes un-monitored, any port groups associated with that fabric do not display in the Port Groups table.
  • Page 899: Deleting A Port Group

    Swapping blades Select one or more ports to remove from the group in the Membership List table. 8. Click the left arrow button. The selected ports are removed from the Membership List. 9. Click Update. 10. Click OK. Deleting a port group To delete a port group, complete the following steps.
  • Page 900 Swapping blades 1. Select a chassis that contains at least two of the same type of blades. 2. Select Configure > Switch > Swap Blades. The Swap Blades dialog box displays. 3. Select the blade you want to replace from the first Swap Blades list. Once you select a blade, the second list automatically filters out the selected blade and any blade types that do not match the selected blade.
  • Page 901: Chapter 26 Vlan Management

    Chapter VLAN Management In this chapter • VLAN Manager ..........853 •...
  • Page 902: Configuration Requirements For Vlan Manager

    VLAN Manager Configuration requirements for VLAN Manager Before you can manage VLANs with VLAN Manager, you must complete the following tasks: • Make sure that the discovery process has been run. Discovery captures configuration information from Brocade products and places that information in the Management application database.
  • Page 903: Vlan Management In A Vcs Environment

    VLAN Manager VLAN management in a VCS environment Table 74 lists the VLAN management features that are supported in VCS mode (Fabric mode) and standalone mode. TABLE 74 VLAN management features supported for VCS mode Feature VCS (FC mode) Standalone mode VLAN topology Yes (shown at the fabric level) STP topology...
  • Page 904: Displaying Vlans In The Vlan View

    VLAN Manager Displaying VLANs in the VLAN view The VLAN View tab displays all the VLANs discovered on the network and lists them by VLAN IDs (Figure 382). FIGURE 382 VLAN Manager dialog box - VLAN View tab To view the VLANs or products in the VLAN View tab, complete the following steps. 1.
  • Page 905: Displaying Vlans By Products

    VLAN Manager 3. Select a VLAN to expand the list of products listed under that VLAN. Use the Search tool to find VLANs, products, or ports quickly. A VLAN may be listed several times. For example, the first three VLAN1s have only one product. Each product in each VLAN is in its own broadcast domain and either does not have connectivity with other products or FDP or LLDP is not enabled on that product.
  • Page 906: Port Vlans

    Port VLANs FIGURE 383 VLAN Manager dialog box - Product View tab 2. Expand a product to display the port VLANs that have been configured on that product. 3. Click a VLAN in the list to display the interfaces on that product that belong to the VLAN. Port VLANs VLAN Manager facilitates the creation, modification, and deletion of port VLANs on products that are known to the Management application.
  • Page 907 Port VLANs FIGURE 384 Add VLAN dialog box - Ports tab 3. Enter a VLAN ID in the Configure VLAN field. You can enter more than one ID, separating individual IDs with a comma (for example, 10, 45, 79, 30). For DCB products, the VLAN ID range is from 1 through 3583. 4.
  • Page 908 Port VLANs 10. Complete one of the following tasks: • If you want to assign the interface to the VLAN as an untagged port, click Untag. • If you want to assign the interface to the VLAN as a tagged port, click Tag. •...
  • Page 909: Adding Or Modifying Dual Mode Ports

    Port VLANs Adding or modifying dual mode ports You can configure an interface in a VLAN as a dual mode port by assigning it as a tagged port to one VLAN and as an untagged port to another VLAN. You can add a dual mode port to any VLAN except the default VLAN, VLAN 1.
  • Page 910: Adding Vlan Properties

    Port VLANs Adding VLAN properties The Add VLAN dialog box has two tabs: Ports and Properties. The VLAN properties vary for different products, for example: • When an IOS VLAN is selected, the Name, QoS, Spanning Tree and Router Interface fields and Transparent Flooding enable check box display.
  • Page 911 Port VLANs 4. Enter the following information: For IOS VLAN Properties: Name—Displays the name of the VLAN, which is editable. QoS—Select a QoS level from the list. • Select Low (None or 0) through High (7) for NetIron CES products. Select None for NetIron CER and NetIron CES products if the product does not have VLAN priority configured.
  • Page 912: Modifying Port Vlan Properties

    Port VLANs Modifying port VLAN properties Complete the following steps to modify port VLANs using the VLAN View tab or the Product View tab on the Edit VLAN dialog box. 1. On the VLAN Manager dialog box, click the VLAN View or Product View tab. 2.
  • Page 913: Deploying Vlan Configurations

    Spanning Tree Protocol configuration Deploying VLAN configurations The Deploy VLANs dialog box allows you to deploy a VLAN configuration to target products. Duplicate action is not supported. 1. Select a deployment option: • Click the Deploy now option if you want to deploy the VLAN definition. •...
  • Page 914: Configuring Stp Or Rstp On A Port Vlan

    Spanning Tree Protocol configuration • MSTP—Multiple Spanning Tree Protocol (IEEE 802.1s Internet standard) allows several VLANs to be mapped to a reduced number of spanning tree instances. This is possible because most networks do not need more than a few logical topologies. Each instance handles multiple VLANs that have the same Layer 2 topology.
  • Page 915 Spanning Tree Protocol configuration FIGURE 387 STP Configuration dialog box 3. Select the target switch, VLAN, or port from the Target Context list. Target contexts and spanning tree options at the product, VLAN, or port level are listed in Table TABLE 76 Spanning tree configuration matrix Target context...
  • Page 916: Deploying An Stp Configuration On A Port Vlan

    Spanning Tree Protocol configuration 10. The Force Version list is available only if you selected RSTP. This parameter forces the bridge to send BPDUs in a specific format. You can enter one of the following values: • 0: The bridge has been forced to operate in STP default mode. •...
  • Page 917: Configuring Mstp On A Product

    Spanning Tree Protocol configuration Click Start on the Deployment Status dialog box to save the changes to the selected products. 8. After the deployment has successfully completed, click Close to close the Deployment Status dialog box. Configuring MSTP on a product You can configure MSTP attributes from the VLAN View tab or the Product View tab on the VLAN Manager dialog box.
  • Page 918 Spanning Tree Protocol configuration Enter the number of seconds a bridge waits (the listen and learn period) before it begins to forward data packets in the Forward Delay field. The values range from 4 through 30 seconds. The default is 15 seconds. 8.
  • Page 919: Vlan Routing

    VLAN routing Adding an MSTP instance 1. Click the STP button on the VLAN Manager dialog box to display the STP Configuration dialog box. 2. Select a VLAN node (in this example, a FOS node) in the Selected VLANs list, and click the left arrow button.
  • Page 920: Managing Ip Addresses On An Svi

    VLAN routing Managing IP addresses on an SVI Switch Virtual Interfaces (SVIs) can be added to port VLANs when you create or modify VLAN definitions. SVIs can only be created in Layer 3 products. Once VLAN definitions are deployed to products, you can add an IP address to the SVI by completing the following steps.
  • Page 921 VLAN routing 4. Enter the following information: Primary or Secondary options (DCB products only)—Indicates whether the IP address is the primary or secondary IP address of the VLAN. Type—Select the type of IP address you want to assign to the VLAN. Choose CIDR or IP/Subnet.
  • Page 923: Introduction To The Deployment Manager

    Chapter Deployment Manager In this chapter • Introduction to the Deployment Manager ......875 • Editing a deployment configuration .
  • Page 924: Editing A Deployment Configuration

    Editing a deployment configuration Editing a deployment configuration 1. Select Configure > Deployment. The Deployment dialog box displays, as shown in Figure 391. FIGURE 391 Deployment dialog box 2. Select a deployment configuration in the Saved or Scheduled tab. Policy-based routing configurations cannot be edited. 3.
  • Page 925: Duplicating A Deployment Configuration

    Duplicating a deployment configuration Duplicating a deployment configuration 1. Select Configure > Deployment. The Deployment dialog box displays. 2. Select a deployment configuration in the Saved or Scheduled tab. NOTE VLAN configurations and policy-based routing configurations cannot be duplicated. 3. Click Duplicate. A dialog box specific to the type of deployment displays.
  • Page 926: Viewing Deployment Logs

    Viewing deployment logs Viewing deployment logs 1. Select Configure > Deployment. The Deployment dialog box displays. 2. Click the Log tab. A list of deployment configurations that are executed and the status of each displays. Generating a deployment report 1. Select Configure > Deployment. The Deployment dialog box displays.
  • Page 927: Searching The Configuration Snapshots

    Searching the configuration snapshots Searching the configuration snapshots 1. Select Configure > Deployment. The Deployment dialog box displays. 2. Select a deployment in the Saved, Scheduled, or Log tab. 3. Click Snapshot. The Configuration Snapshot Search dialog box displays. 4. Identify the targets you want to search. Select a target in the Available Targets list and click the right arrow to move the target to the Selected Targets list.
  • Page 928 Comparing configuration snapshots FIGURE 392 Compare dialog box The Compare dialog box displays the following information: • Product — The IP address of the device. • Date — Displays the date the device configuration was taken. • Change Navigator buttons/legend — Enabled when there is at least one change between the two compared files.
  • Page 929: Fibre Channel Troubleshooting

    Chapter Fibre Channel Troubleshooting In this chapter • FC troubleshooting...
  • Page 930: Tracing Fc Routes

    FC troubleshooting Tracing FC routes The Management application enables you to select a source port and a destination port and displays the detailed routing information from the source port or area on the local switch to the destination port or area on another switch. NOTE Trace route cannot be performed on offline devices.
  • Page 931: Troubleshooting Device Connectivity

    FC troubleshooting • Trace Route Summary — This table shows a brief summary of the trace including the following: Port WWN • Port Name • FC Address • Switch Name • (Fabric OS only) Whether ping was successful (Fabric OS only) • ...
  • Page 932 FC troubleshooting Click Search and Add. • Select the source and destination ports from a list by selecting the Select two device ports option and completing the following steps. a. Right-click a fabric in the Available Device Ports table and select Expand All. b.
  • Page 933: Confirming Fabric Device Sharing

    FC troubleshooting Confirming Fabric Device Sharing NOTE Fabric device sharing is only available with Trial or Licensed version. NOTE Fabric device sharing is only available on pure Fabric OS fabrics. To confirm that two or more fabrics have been configured to share devices, complete the following steps.
  • Page 934 FC troubleshooting ATTENTION If you run more than one test per slot, the result may go wrong or the test may fail. TABLE 77 D-Port test support matrix D-Ports Tests Fabric OS 7.0 Fabric OS 7.1 HBA driver 3.2 E-Port E-Port F-Port AG N-Port...
  • Page 935 FC troubleshooting • Link traffic • Latency measurement • Measure link distance TABLE 78 Supported link distance measurements SFP speed Accuracy Precision 10 Gbps 124 meters + or - 50 meters 16 Gbps 5 meters + or - 5 meters If any of the tests fail, the Management application does not roll back already executed operations.
  • Page 936 FC troubleshooting TABLE 79 Status Detail messages Operation/Test Possible message Failed to enable the port slot_number/port_number of the switch switch_IP_address. Reason: CAL_error_message Disable the diagnostic mode on Disabled diagnostic mode on port slot_number/port_number of the source or destination D ports switch switch_IP_address.
  • Page 937: Configuring Link Traffic Test Parameters

    FC troubleshooting TABLE 79 Status Detail messages Operation/Test Possible message If any test fails, that test displays Sample failure report : as failed and a Failure report Errors detected (local): CRC, Bad_EOF, Enc_out displays. Errors detected (remote): CRC, Bad_EO Run portstatsshow and porterrshow for more detail on the errors. HBA Electrical test successful Successfully completed Electrical Loopback Test on port HBA_port_number of the HBA HBA_node...
  • Page 938: Fcip Troubleshooting

    FCIP troubleshooting Click OK on the Link Traffic Test Configuration dialog box. The Diagnostic Port Test dialog box displays. Return to step 5 “Troubleshooting port diagnostics” on page 885. FCIP troubleshooting NOTE FCIP troubleshooting is only available for Fabric OS devices. You can perform the following operations using FCIP troubleshooting: •...
  • Page 939 FCIP troubleshooting TABLE 80 FCIP IP Ping Response Details Field or Component Description Status Always displays ‘Completed’. If there is a failure, an error message displays instead of the IP Ping Result dialog box. Packets Sent Always displays ‘4’. This is not configurable. Packets Received The number of received responses.
  • Page 940: Tracing Ip Routes

    FCIP troubleshooting Tracing IP routes The Management application enables you to select a source and a target and displays the detailed routing information from the source port or area on the local switch to the destination port or area on another switch. Trace route cannot be performed on offline devices or virtual devices.
  • Page 941: Viewing Fcip Tunnel Performance

    FCIP troubleshooting Click Close on the IP Traceroute Result dialog box. 8. Click Cancel on the IP Traceroute dialog box. Viewing FCIP tunnel performance NOTE IP Performance is only supported on the 4 Gbps Router, Extension Switch and Encryption Blade running Fabric OS 5.2 or later.
  • Page 942 FCIP troubleshooting Field/Component Description DELAY The average round trip time to send a packet of data and receive the acknowledgement. PMTU The largest packet size that can be transmitted over the end path without fragmentation. This value is measured in bytes and includes the IP header and (Path Maximum payload.
  • Page 943 Chapter Performance Data In this chapter • SAN performance overview...
  • Page 944: San Performance Overview

    SAN performance overview SAN performance overview Performance monitoring provides details about the quantity of traffic and errors that a specific port or device generates on the fabric over a specific time. You can also use performance to indicate the devices that create the most traffic and to identify the ports that are most congested. Performance allows you to monitor your SAN using the following methods (requires a Licensed version): •...
  • Page 945: San Performance Measures

    SAN performance overview SAN Performance measures Performance measures enable you to select one or more measures to define the graph or report. The measures available to you depend on the object type from which you want to gather performance data. NOTE Devices with 10GE ports must be running Fabric OS 6.4.1ltd or later to obtain the correct TE port statistics (TX/RX).
  • Page 946: San Performance Management Requirements

    SAN performance overview • Compression Ratio — available for FCIP tunnels only. • Latency — available for FCIP tunnels only. • Link Retransmits — available for FCIP tunnels only. • Timeout Retransmits — available for FCIP tunnels only. • Fast Retransmits — available for FCIP tunnels only. •...
  • Page 947 SAN performance overview Example of Management application Server IP included in access control list FCRRouter:admin> snmpconfig --show accesscontrol SNMP access list configuration: Entry 0: Access host subnet area 172.26.1.86 (rw) Entry 1: No access host configured yet Entry 2: No access host configured yet Entry 3: No access host configured yet Entry 4:...
  • Page 948 SAN performance overview Community (rw): [OrigEquipMfr] Trap Recipient's IP address : [172.26.24.26] Trap recipient Severity level : (0..5) [4] Trap recipient Port : (0..65535) [162] Community (rw): [custom] Trap Recipient's IP address : [172.26.1.158] Trap recipient Severity level : (0..5) [4] Trap recipient Port : (0..65535) [162] Community (ro): [custom] Trap Recipient's IP address : [0.0.0.0]...
  • Page 949 SAN performance overview Priv Protocol [DES(1)/noPriv(2)/3DES(3)/AES128(4)/AES2(5)/AES256(6)]): (2..2) [2] User (ro): [snmpuser1] Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..3) [3] Priv Protocol [DES(1)/noPriv(2)/3DES(3)/AES128(4)/AES2(5)/AES256(6)]): (2..2) [2] User (ro): [snmpuser2] Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..3) [3] Priv Protocol [DES(1)/noPriv(2)/3DES(3)/AES128(4)/AES2(5)/AES256(6)]): (2..2) [2] User (ro): [snmpuser3] Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..3) [3] Priv Protocol [DES(1)/noPriv(2)/3DES(3)/AES128(4)/AES2(5)/AES256(6)]): (2..2) [2] SNMPv3 trap recipient configuration:...
  • Page 950 SAN performance overview SNMP SET Security Level: No security To set the SNMP security level, use the snmpconfig --set secLevel command. Example of checking SNMP security level snmpconfig --set secLevel 0 Select SNMP GET Security Level (0 = No security, 1 = Authentication only, 2 = Authentication and Privacy, 3 = No Access): (0..3) [0] •...
  • Page 951: San Real-Time Performance Data

    SAN real-time performance data Example for FCIP tunnels Sprint-65:root> portshow fciptunnel ge0 1 -perf SAN real-time performance data Real-time performance enables you to collect data from managed devices in your SAN. Real-time performance is only supported on the following managed objects: FC (E_ and F_ports), GE_ports, E port trunks, 10GE_ports, Managed HBA Ports, Managed CNA Ports, and FCIP tunnels.
  • Page 952 SAN real-time performance data FIGURE 393 Realtime Port Selector dialog box NOTE You can set columns on the right side of the dialog box for FICON display using Server > Options > SAN Display. The first eight columns will display FC Address, Serial #, Tag, Product Type, Model, Vendor, Port Name, Port Type, and Port WWN.
  • Page 953: Filtering Real-Time Performance Data

    SAN real-time performance data Filtering real-time performance data To filter real-time performance data from the Real Time Performance Graphs dialog box, complete the following steps. 1. Open the Real Time Performance Graphs dialog box. For step-by-step instructions, refer to “Generating a real-time performance graph” on page 903.
  • Page 954: Exporting Real-Time Performance Data

    SAN real-time performance data • Port Type - Type of port being monitored. • Graph - Graph of data over time. • Destination - The destination device. • Destination Port - The port through which the selected device is connected to the destination device.
  • Page 955: San Historical Performance Data

    SAN Historical performance data SAN Historical performance data Performance should be enabled constantly to receive the necessary historical data required for a meaningful report. The following options and features are available for obtaining historical performance data: • Collect historical performance data from the entire SAN or from a selected fabric. NOTE Virtual Fabric logical ISL ports are not included in performance collection.
  • Page 956: Enabling Historical Performance Collection San Wide

    SAN Historical performance data Enabling historical performance collection SAN wide To enable historical performance collection, select Monitor > Performance > Historical Data Collection. The Fabric Selector dialog box displays with Enable SAN Wide enabled by default. This enables historical performance data collection for all fabrics in the SAN. NOTE After enabling historical data collection, information for switches, ports, and FCIP tunnels also displays in the IP Historical Graph/Tables dialog box.
  • Page 957: Disabling Historical Performance Collection

    SAN Historical performance data 5. Select the Include newly discovered fabrics check box to automatically add all newly discovered fabrics to the Selected table. 6. Click OK. Historical performance data collection is enabled for all selected fabrics. NOTE After enabling historical data collection, information for switches, ports, and FCIP tunnels also displays in the IP Historical Graph/Tables dialog box.
  • Page 958 SAN Historical performance data FIGURE 395 Historical Performance Graphs dialog box 3. Select a default or custom-saved (port and time) from the Favorites list or filter the historical data by completing the following steps. a. Select the number of results to display from the Display list. b.
  • Page 959 SAN Historical performance data • Raw samples for last 1 day • 30 minutes granularity for last 3 days • 2 hour granularity for last 30 days • 1 day granularity for last 2 years Option 2—2 years data with the following samples: •...
  • Page 960 SAN Historical performance data Configuring the graph display To configure the historical performance graph display, right-click in the graph and select the following options: • Select Zoom In to zoom in on the graph. • Select Zoom Out to zoom out on the graph. •...
  • Page 961 SAN Historical performance data FIGURE 396 Custom Port Selector dialog box 3. Right-click a device in the Available table and select Expand All. 4. Select the ports (press Ctrl or Shift and then click to select multiple ports) from which you want to gather performance data from the Available table and click the right arrow button.
  • Page 962: Exporting Historical Performance Data

    SAN Historical performance data FIGURE 397 Custom Port Selector dialog box 3. Click OK. Exporting historical performance data To export historical performance data, complete the following steps. 1. Generate a performance graph. To generate a performance graph, refer to “Generating and saving a historical performance graph”...
  • Page 963: San End-To-End Monitoring

    SAN End-to-end monitoring SAN End-to-end monitoring NOTE End-to-end monitoring requires a Fabric OS device. NOTE An end-to-end monitor and a Top Talker monitor cannot be configured on the same external F-port ASIC (application-specific integrated circuit). You must delete the Top Talker monitor before you configure the end-to-end monitor.
  • Page 964 SAN End-to-end monitoring FIGURE 398 Set End-to-End Monitors dialog box 2. Select the fabric for which you want to configure end-to-end monitoring from the Fabric list. 3. Select an initiator port from the Select an initiator port table. 4. Select a target port from the Select a target port table. 5.
  • Page 965: Displaying End-To-End Monitor Pairs In A Real-Time Graph

    SAN End-to-end monitoring Displaying end-to-end monitor pairs in a real-time graph To display an end-to-end monitor pair in a graph, complete the following steps. 1. Select Monitor > Performance > End-to-End Monitors. The Set End-to-End Monitor dialog box displays. 2. Select one or more end-to-end monitor pairs you want to view from the Monitored Pairs table. You can select up to 100 monitored pairs.
  • Page 966: San Top Talker Monitoring

    SAN Top Talker monitoring 2. Select the end-to-end monitor pair you want to delete from the Monitored Pairs table. 3. Click Delete Monitor. 4. Click OK. SAN Top Talker monitoring Here are some important notes for using this feature: • Top Talkers requires the Advanced Performance Monitoring (APM) license on the device.
  • Page 967: Configuring A Fabric Mode Top Talker Monitor

    SAN Top Talker monitoring Configuring a fabric mode Top Talker monitor NOTE A fabric mode Top Talker and an end-to-end monitor cannot be configured on the same fabric. You must delete the end-to-end monitor before you configure the fabric mode Top Talker. NOTE A fabric mode Top Talker and an F_Port mode Top Talker cannot be configured on the same fabric.
  • Page 968: Configuring An F_Port Mode Top Talker Monitor

    SAN Top Talker monitoring Click Apply. The top 20 conversations display in the Current Top Talkers table. The Top Talkers Summary table displays all Top Talkers that occurred since the Top Talkers dialog box was opened (displays a maximum of 360). When the maximum is reached, the oldest Top Talker drops as a new one occurs.
  • Page 969: Deleting A Top Talker Monitor

    SAN Top Talker monitoring 6. Select how often you want the Top Talker to refresh (10, 20, 30, 40, or 50 seconds, or 1 minute) from the Refresh Interval list. Select whether you want to monitor the receive (Rx) flow or the transmit (Tx) flow for the port from the Flow list.
  • Page 970: Bottleneck Detection

    Bottleneck detection Bottleneck detection A bottleneck is a port in the fabric where frames cannot get through as fast as they should. In other words, a bottleneck is a port where the offered load is greater than the achieved egress throughput.
  • Page 971: How Bottlenecks Are Reported

    Bottleneck detection • Bottleneck detection is supported whether Virtual Fabrics is enabled or disabled. In VF mode, bottleneck detection is supported on all fabrics, including the base fabric. How bottlenecks are reported Bottlenecks are reported through alerts in the Master Log. A bottleneck cleared alert is sent when the bottleneck is cleared.
  • Page 972: Alert Parameters

    Bottleneck detection Enabling bottleneck alerts and configuring alert parameters Bottleneck detection is enabled on a switch or fabric basis. It enables both latency and congestion detection. • If you enable bottleneck detection on a fabric, the feature is applied to all eligible switches in the fabric and all eligible ports on the switches.
  • Page 973 Bottleneck detection FIGURE 401 Bottlenecks dialog box 2. Select Enable if it is not already selected. 3. Select the Congestion Alerts check box to enable alerts for congestion bottlenecks. Clear this check box to disable alerts. If you enabled alerts, enter threshold values (1-100%), or use the default value for triggering a congestion alert.
  • Page 974: Inheriting Alert Parameters From A Switch

    Bottleneck detection Select one or more fabrics, switches, or ports from the Products/Ports list. You can select fabrics or switches or ports, but you cannot select a mix of fabrics, switches, and ports. 8. Click the right arrow to apply the settings in the Bottleneck Detection pane to the selected elements in the Products/Ports list.
  • Page 975: Displaying Bottleneck Statistics

    Bottleneck detection 5. Click the right arrow. The bottleneck parameters are applied to the selected items. 6. Click OK or Apply to save your changes. Displaying bottleneck statistics You can display a graph of bottleneck statistics for up to 32 ports at one time. You can display a graph showing the history of bottleneck conditions, for up to the last 150 minutes.
  • Page 976: Displaying Devices That Could Be Affected By An F_ Or Fl_Port Bottleneck

    Bottleneck detection Displaying devices that could be affected by an F_ or FL_Port bottleneck The following procedure displays hosts and targets that could be affected because of a bottlenecked F_ or FL_Port. These devices are determined based on zoning information and are not based on actual traffic flow.
  • Page 977: Thresholds And Event Notification

    Thresholds and event notification Thresholds and event notification Performance allows you to apply thresholds and event notification to real-time performance data. A performance monitor process (thread) monitors the performance data against the threshold setting for each port and issues an appropriate alert to notify you when the threshold is exceeded. For information about configuring event notification, refer to Event Notification.
  • Page 978 Thresholds and event notification FIGURE 403 Set Threshold Policies dialog box 2. To edit a current policy, select a policy from the available threshold policies. The Edit Threshold Policy dialog box displays. FIGURE 404 Edit Threshold Policy dialog box 3. To add a new policy, perform the following steps: a.
  • Page 979 Thresholds and event notification FIGURE 405 New Threshold Policy dialog box b. Enter a name for the policy (100 characters maximum) in the Name field. 4. Select a policy type from the Policy Type list. You can only define policies for E and F/FL ports. 5.
  • Page 980: Duplicating A Threshold Policy

    Thresholds and event notification FIGURE 406 Confirm Threshold Changes dialog box 14. Make the threshold changes by selecting one of the following options: • To only add new thresholds, select the Keep currently set thresholds and only add new thresholds check box. •...
  • Page 981: Deleting A Threshold Policy

    Thresholds and event notification 2. Select one or more threshold policies you want to assign to a fabric or device in the Available Threshold Policies table. Press Ctrl or Shift and then click to select multiple policies. 3. Select one or more fabrics or devices to which you want to assign the policy in the Available Threshold Policies table.
  • Page 982: San Connection Utilization

    SAN Connection utilization 6. Make the threshold changes by selecting one of the following options: • To only add new thresholds, select the Keep currently set thresholds and only add new thresholds check box. • To overwrite all existing thresholds on all fabrics and devices, select the Overwrite all thresholds currently set on all switches check box.
  • Page 983: Enabling Connection Utilization

    SAN Connection utilization Line Color Utilization Defaults Blue line 1% to 40% utilization Gray line 0% to 1% utilization Black line Utilization disabled Enabling connection utilization NOTE Fabrics where performance data collection is not enabled display connections as thin black lines. To display the connection utilization, complete the following steps.
  • Page 984: Changing Connection Utilization

    SAN Connection utilization Changing connection utilization You can change the utilization percentages. To change the utilization percentages, complete the following steps. 1. Click the change link in the utilization legend. FIGURE 408 Utilization Legend in edit mode 2. Enter or select the end percentage you want for the blue line. When you make a change to the end percentage of a utilization line, you also change the start percentage for the utilization line immediately above the one you changed when you click apply.
  • Page 985 SAN Connection utilization • Select the Use Logarithmic Axis check box to present data on a logarithmic or non-logarithmic axis. • Select the Show Values check box to annotate data point values in the graph. • Select the Enable Auto Scrolling check box to automatically jump to display the new data when new data is collected while the graph is in view.
  • Page 986 SAN Connection utilization 3. Click Options to launch the Graph Options dialog box. Refer to “Configuring graph options” on page 938 for instructions on using this dialog box. 4. Select the Graph or Table option to display data in graphical or tabular format. 5.
  • Page 987 SAN Connection utilization FIGURE 409 Graph Options dialog box (Historical Graphs/Tables dialog box) NOTE Figure 409 illustrates the Graph Options dialog box available from the Historical Graphs/Tables dialog box. The Graph Options dialog box available from the Real Time Graphs/Tables dialog box is similar, but has fewer control options. 2.
  • Page 988 SAN Connection utilization • (Historical graphs and monitors only) Plot Min/Max - Plots minimum and maximum values along with the average data. The range between the minimum and maximum values will be represented by the width of a color band surrounding the data points as shown in the following illustration.
  • Page 989 SAN Connection utilization a. (Historical graphs and monitors only) Select the granularity of the data points to display on the graph from the Granularity list. Options are Minimum interval, 30 minutes, 2 hours, or 1 day. The granularity varies depending on the configuration on the Server Management Console, Performance Data Aging tab.
  • Page 991: Frame Monitor

    Chapter Frame Monitor In this chapter • Frame Monitor...
  • Page 992 Frame Monitor Pre-defined frame types Pre-defined frame types include the following: • ABTS (Abort Sequence Basic Link Service command) • BA_ACC (Abort Accept) • • SCSI • SCSI Read • SCSI Write • SCSI RW • SCSI-2 Reserve • SCSI-3 Reserve Custom frame types In addition to the standard frame types, you can create custom frame types to gather statistics that fit your needs.
  • Page 993: Frame Monitoring Requirements

    Creating a custom frame monitor Frame Monitoring requirements To configure Frame Monitoring, the following requirements must be met: • The switch must be running Fabric OS 7.0.0 or later. • Frame Monitoring requires the Advanced Performance Monitoring license and the Fabric Watch license.
  • Page 994 Creating a custom frame monitor 2. Select the Switch option. The Products / Monitors list displays the switches that support Frame Monitoring. 3. Enter the monitor data in the Configure Monitor area. 4. Select one or more switches in the Products / Monitors list, and click the right arrow button to assign the frame monitor to those switches.
  • Page 995: Editing A Frame Monitor

    Editing a frame monitor 11. Click Start. The frame monitor configuration is applied to the switches. 12. Click Close after configuration is complete (indicated by “Completed” in the Progress column). Editing a frame monitor 1. Select Monitor > Fabric Watch > Frame Monitor. The Frame Monitor dialog box displays.
  • Page 996: Finding Frame Monitor Assignments

    Finding frame monitor assignments 6. Click the right arrow button to move the frame monitor to the selected ports. The Monitor Details list displays the monitors that are assigned to a selected port. If no monitors are assigned, or if more than one port is selected, the Monitor Details list does not display.
  • Page 997: Removing A Frame Monitor From A Switch

    Removing a frame monitor from a switch 8. Click Start. The frame monitor configuration is applied to the ports. 9. Click Close after configuration is complete (indicated by “Completed” in the Progress column). Removing a frame monitor from a switch When you remove a frame monitor from a switch, the frame monitor is automatically removed from all assigned ports in the switch.
  • Page 999: Policy Monitor Overview

    Chapter Policy Monitor In this chapter • Policy monitor overview...
  • Page 1000: Fabric Policy Monitors

    Policy monitor overview Fabric policy monitors Fabric policy monitors enable you to set the following policy monitors on SAN (refer to “Adding a policy monitor” on page 959): • Check zoning status — This fabric policy monitor enables you to determine if zoning is enabled or disabled on the fabric.

This manual is also suitable for:

Brocade network advisor 12.0.0
