Cisco Nexus 6000 Series Configuration Manual

Cisco Nexus 6000 Series NX-OS SAN Switching Configuration Guide,
Release 6.x
First Published: 2013-01-30
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-27932-01

Summary of Contents for Cisco Nexus 6000 Series

  • Page 1 Cisco Nexus 6000 Series NX-OS SAN Switching Configuration Guide, Release 6.x First Published: 2013-01-30 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Text Part Number: OL-27932-01...
  • Page 2 Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks . Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.
  • Page 3: Table Of Contents

    Enabling Domain Manager Fast Restart Switch Priority Configuring Switch Priority About fcdomain Initiation Disabling or Reenabling fcdomains Configuring Fabric Names Incoming RCFs Rejecting Incoming RCFs Autoreconfiguring Merged Fabrics Enabling Autoreconfiguration Domain IDs...
  • Page 4 Configuring N Port Virtualization Chapter 3 Configuring N Port Virtualization Information About NPV NPV Overview NPV Mode Server Interfaces NP Uplinks FLOGI Operation...
  • Page 5 Verifying FCoE NPV Configuration Configuration Examples for FCoE NPV Configuring VSAN Trunking Chapter 5 Configuring VSAN Trunking Information About VSAN Trunking VSAN Trunking Mismatches...
  • Page 6 Operational State of a VSAN Static VSAN Deletion Deleting Static VSANs About Load Balancing Configuring Load Balancing Interop Mode Displaying the Static VSAN Configuration Default Settings for VSANs...
  • Page 7 Clearing the Zone Server Database Verifying the Zone Configuration Enhanced Zoning Enhanced Zoning Changing from Basic Zoning to Enhanced Zoning Changing from Enhanced Zoning to Basic Zoning Enabling Enhanced Zoning...
  • Page 8 Verifying the Device Alias Configuration Default Settings for Device Alias Services Managing FLOGI, Name Server, FDMI, and RSCN Databases Chapter 9...
  • Page 9 Chapter 10 Discovering SCSI Targets Information About SCSI LUN Discovery About Starting SCSI LUN Discovery Starting SCSI LUN Discovery About Initiating Customized Discovery...
  • Page 10 Chapter 12 Configuring Port Security Information About Port Security Port Security Enforcement Auto-Learning Port Security Activation Configuring Port Security Configuring Port Security with Auto-Learning and CFS Distribution...
  • Page 11 Displaying Port Security Configuration Default Settings for Port Security Configuring Fabric Binding Chapter 13 Configuring Fabric Binding Information About Fabric Binding...
  • Page 12 Information About Port Tracking Default Settings for Port Tracking Configuring Port Tracking Enabling Port Tracking Configuring Linked Ports Operationally Binding a Tracked Port Tracking Multiple Ports Tracking Multiple Ports...
  • Page 13 Monitoring Ports in a VSAN Monitoring Ports in a VSAN Forcefully Shutting down Forcefully Shutting Down a Tracked Port Displaying Port Tracking Information...
  • Page 15: Preface

    Obtaining Documentation and Submitting a Service Request, page xix Audience This publication is for network administrators who configure and maintain Cisco Nexus devices. Document Conventions Note: As part of our constant endeavor to remodel our documents to meet our customers' requirements, we have modified the manner in which we document configuration tasks.
  • Page 16 Note: Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual. Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data...
  • Page 17: Related Documentation For Cisco Nexus 6000 Series Nx-Os Software

    Related Documentation for Cisco Nexus 6000 Series NX-OS Software Related Documentation for Cisco Nexus 6000 Series NX-OS Software The entire Cisco NX-OS 6000 Series documentation set is available at the following URL: http://www.cisco.com/en/US/products/ps12806/tsd_products_support_series_home.html Release Notes The release notes are available at the following URL: http://www.cisco.com/c/en/us/support/switches/nexus-6000-series-switches/products-release-notes-list.html...
  • Page 18: Documentation Feedback

    The Cisco Nexus 6000 Series NX-OS MIB Reference is available at http://www.cisco.com/en/US/docs/switches/ datacenter/nexus6000/sw/mib/reference/NX6000_MIBRef.html. Error and System Messages The Cisco Nexus 6000 Series NX-OS System Message Guide is available at http://www.cisco.com/c/en/us/td/ docs/switches/datacenter/nexus6000/sw/system_messages/reference/sl_nxos_book.html. Troubleshooting Guide The Cisco Nexus 6000 Series NX-OS Troubleshooting Guide is available at http://www.cisco.com/c/en/us/...
  • Page 19: Obtaining Documentation And Submitting A Service Request

    What's New in Cisco Product Documentation. To receive new and revised Cisco technical content directly to your desktop, you can subscribe to the What's New in Cisco Product Documentation RSS feed. RSS feeds are a free service.
  • Page 21: Overview

    • SAN Switching Overview, page 1 SAN Switching Overview This chapter provides an overview of SAN switching for Cisco NX-OS devices. This chapter includes the following sections: Domain Parameters The Fibre Channel domain (fcdomain) feature performs principal switch selection, domain ID distribution, FC ID allocation, and fabric reconfiguration functions as described in the FC-SW-2 standards.
  • Page 22 PortChannels load balance Fibre Channel traffic using a hash of source FC-ID and destination FC-ID, and optionally the exchange ID. Load balancing using PortChannels is performed over both Fibre Channel and FCIP links. Cisco NX-OS software also can be configured to load balance across multiple same-cost FSPF routes.
  • Page 23 The Fibre Channel Security Protocol (FC-SP) provides switch-to-switch and hosts-to-switch authentication to overcome security challenges for enterprise-wide fabrics. The Diffie-Hellman Challenge Handshake Authentication Protocol (DHCHAP) is an FC-SP protocol that provides authentication between Cisco SAN switches and other devices. DHCHAP consists of the CHAP protocol combined with the Diffie-Hellman exchange.
  • Page 24 A management application is usually connected to the FCS on the switch through an N port. Multiple VSANs constitute a fabric, where one instance of the FCS is present per VSAN...
  • Page 25: Configuring Fibre Channel Domain Parameters

    • Fabric reconfiguration—This phase guarantees a resynchronization of all switches in the fabric to ensure they simultaneously restart a new principal switch selection phase...
  • Page 26: Domain Restarts

    IDs are different, the runtime domain ID changes to take on the static domain ID after the next restart, either disruptive or nondisruptive. If a VSAN is in interop mode, you cannot disruptively restart the fcdomain for that VSAN...
  • Page 27: Restarting A Domain

    BF phase, followed by a principal switch selection phase. The fast restart feature can be used in any interoperability mode. Enabling Domain Manager Fast Restart You can enable the domain manager fast restart feature...
  • Page 28: Switch Priority

    Configuring Switch Priority You can configure the priority for the principal switch. Procedure Command or Action Purpose Step 1 configure terminal Enters global configuration mode. Example: switch# configure terminal switch(config)#...
  • Page 29: About Fcdomain Initiation

    Step 3 switch(config)# fcdomain vsan vsan-id Enables the fcdomain configuration in the specified VSAN. Configuring Fabric Names You can set the fabric name value for a disabled fcdomain...
  • Page 30: Incoming Rcfs

    Rejecting Incoming RCFs You can reject incoming RCF request frames. Procedure Command or Action Purpose Step 1 configure terminal Enters global configuration mode. Example: switch# configure terminal switch(config)#...
  • Page 31: Autoreconfiguring Merged Fabrics

    You can enable automatic reconfiguration in a specific VSAN (or range of VSANs). Procedure Command or Action Purpose Step 1 configure terminal Enters global configuration mode. Example: switch# configure terminal switch(config)#...
  • Page 32: Domain Ids

    When a subordinate switch requests a domain, the following process takes place (see the figure below): • The local switch sends a configured domain ID request to the principal switch...
  • Page 33 ◦ If the configured type is preferred, the local switch accepts the domain ID assigned by the principal switch and the assigned domain ID becomes the runtime domain ID...
  • Page 34: Configuring Static Or Preferred Domain Ids

    The domain ID range is 1 to 239. The VSAN ID range is 1 to 4093. Example: switch(config)# fcdomain domain 1 preferred vsan 5...
  • Page 35: Allowed Domain Id Lists

    Reverts to the factory default of allowing domain vsan-id IDs from 1 through 239 in the specified VSAN. Example: switch(config)# no fcdomain allowed 3 vsan 10...
  • Page 36: Cfs Distribution Of Allowed Domain Id Lists

    CFS Distribution of Allowed Domain ID Lists You can enable the distribution of the allowed domain ID list configuration information to all Cisco SAN switches in the fabric using the Cisco Fabric Services (CFS) infrastructure. This feature allows you to synchronize the configuration across the fabric from the console of a single switch.
  • Page 37: Committing Changes

    Enters global configuration mode. configure terminal Example: switch# configure terminal switch(config)# Step 2 fcdomain abort vsan vsan-id Discards the pending domain configuration changes. Example: switch(config)# fcdomain abort vsan 30...
  • Page 38: Clearing A Fabric Lock

    You can display the status of the distribution session by using the show fcdomain session-status vsan command: switch# show fcdomain session-status vsan 1 Last Action: Distribution Enable Result: Success...
  • Page 39: Contiguous Domain Id Assignments

    • An N port logs into a SAN switch. The WWN of the requesting N port and the assigned FC ID are retained and stored in a volatile cache. The contents of this volatile cache are not saved across reboots...
  • Page 40: Persistent Fc Ids

    Step 2 fcdomain fcid persistent vsan vsan-id Activates (default) persistency of FC IDs in the specified VSAN. Example: switch(config)# fcdomain fcid persistent vsan 78...
  • Page 41: Persistent Fc Id Configuration Guidelines

    33:e8:00:05:30:00:16:df Configures a device WWN fcid fcid (33:e8:00:05:30:00:16:df) with the FC ID 0x070128 in the specified VSAN. Example: switch(config-fcid-db)# vsan 26 wwn 33:e8:00:05:30:00:16:df fcid 4...
  • Page 42: Unique Area Fc Ids For Hbas

    FC ID. Cisco SAN switches facilitate this requirement with the FC ID persistence feature. You can use this feature to preassign an FC ID with a different area to either the storage port or the HBA port.
  • Page 43 ------------------------------------------------------------------ INTERFACE VSAN FCID PORT NAME NODE NAME ------------------------------------------------------------------ vfc20 0x6fee00 50:05:08:b2:00:71:c8:c2 50:05:08:b2:00:71:c8:c0 vfc23 0x6f7704 50:06:0e:80:03:29:61:0f 50:06:0e:80:03:29:61:0f Note Both FC IDs now have different area assignments...
  • Page 44: Persistent Fc Id Selective Purging

    If the fcdomain feature is disabled, the runtime fabric name in the display is the same as the configured fabric name. This example shows how to display information about fcdomain configurations: switch# show fcdomain vsan 2...
  • Page 45: Default Settings For Fibre Channel Domains

    FC IDs, and mask refers to a single or entire area of FC IDs. switch# show fcdomain address-allocation cache Default Settings for Fibre Channel Domains The following table lists the default settings for all fcdomain parameters...
  • Page 46 Disabled contiguous-allocation option Disabled Priority Allowed list 1 to 239 Fabric name 20:01:00:05:30:00:28:df rcf-reject Disabled Persistent FC ID Enabled Allowed domain ID list configuration distribution Disabled...
  • Page 47: Chapter 3 Configuring N Port Virtualization

    Information About NPV NPV Overview By default, Cisco Nexus devices operate in fabric mode. In this mode, the switch provides standard Fibre Channel switching capability and features. In fabric mode, each switch that joins a SAN is assigned a domain ID. Each SAN (or VSAN) supports a maximum of 239 domain IDs, so the SAN has a limit of 239 switches.
  • Page 48: Npv Mode

    As the NPIV box has multiple FLOGIs from the NPV box, the disable-feature command is rejected. Note In Cisco Nexus devices, server interfaces can be virtual Fibre Channel interfaces. Related Topics Configuring N Port Virtualization, on page 27...
  • Page 49: Np Uplinks

    NP uplink are forwarded as-is to the core switch. In the switch CLI configuration commands and output displays, NP uplinks are called External Interfaces. Note In Cisco Nexus devices, NP uplink interfaces are virtual Fibre Channel interfaces. Related Topics Fabric Login, on page 119...
  • Page 50: Npv Traffic Management Guidelines

    • Servers can be connected to the switch when in NPV mode. • When initiators and targets are assigned to the same border port (NP or NP-PO), then Cisco Nexus 5000 Series switches in NPIV mode do not support hairpinning.
  • Page 51: Configuring Npv

    • ntp configuration • callhome configuration • snmp-server details • feature fcoe Step 3 switch(config-npv)# no npv Disables NPV mode, which results in a reload of the switch. enable...
  • Page 52: Configuring Npv Interfaces

    Configuring NPV Traffic Maps An NPV traffic map associates one or more NP uplink interfaces with a server interface. The switch associates the server interface with one of these NP uplinks...
  • Page 53: Enabling Disruptive Load Balancing

    Step 3 switch (config)# no npv auto-load-balance Disables disruptive load balancing on the disruptive switch. Verifying NPV To display information about NPV, perform the following task:...
  • Page 54: Verifying Npv Examples

    For additional details (such as IP addresses, switch names, interface names) about the NPV edge switches that you see in the show fcns database output, enter the show fcns database detail command on the core switch: core-switch# show fcns database detail...
  • Page 55: Verifying Npv Traffic Management

    To display the disruptive load-balancing status, enter the show npv status command: switch# show npv status npiv is enabled disruptive load balancing is enabled External Interfaces: ==================== Interface: vfc21, VSAN: 2, FCID: 0x1c0000, State: Up...
  • Page 57: Configuring Fcoe Npv

    Configuration Examples for FCoE NPV, page 51 Information About FCoE NPV FCoE NPV is supported on the Cisco Nexus devices. The FCoE NPV feature is an enhanced form of FIP snooping that provides a secure method to connect FCoE-capable hosts to an FCoE-capable FCoE forwarder (FCF) switch.
  • Page 58: Information About Fcoe Npv

    Interoperability with FCoE-Capable Switches The Cisco Nexus device interoperates with the following FCoE-capable switches: • Cisco MDS 9000 Series Multilayer switches enabled to perform FCF functions (EthNPV and VE) • Cisco Nexus 7000 Series switches enabled to perform FCF functions (EthNPV and VE) •...
  • Page 59: Fcoe Npv Model

    The following figure shows the FCoE NPV bridge connecting hosts and FCFs. From a control plane perspective, FCoE NPV performs proxy functions towards the FCF and the hosts in order to load balance logins from the...
  • Page 60: Mapping Requirements

    VSANs from the hosts must be created and for each VSAN, a dedicated VLAN must also be created and mapped. The mapped VLAN is used to carry FIP and FCoE traffic for the corresponding VSAN. The VLAN-VSAN mapping must be configured consistently in the entire fabric. The Cisco Nexus device supports 32 VSANs.
  • Page 61: Port Requirements

    • FCoE frames received over VNP ports are forwarded only if the L2_DA matches one of the FCoE MAC addresses assigned to hosts on the VF ports; otherwise, they are discarded...
  • Page 62: Vpc Topologies

    • FCoE VLANs must not be configured on the inter-switch vPC interfaces. • VF port binding to a vPC member port is not supported for an inter-switch vPC. Figure 5: VNP Ports in an Inter-Switch vPC Topology...
  • Page 63: Supported And Unsupported Topologies

    FCoE NPV supports the following topologies: Figure 6: Cisco Nexus Device As An FCoE NPV Device Connected to a Cisco Nexus Device Over A Non-vPC Port Channel Figure 7: Cisco Nexus Device As An FCoE NPV Device Connected Over a vPC To Another Cisco Nexus Device...
  • Page 64: Supported And Unsupported Topologies

    Figure 9: Cisco Nexus Device With A 10GB Fabric Extender as an FCoE NPV Device Connected Over a vPC to Another Cisco Nexus Device Figure 10: Cisco Nexus Device As An FCoE NPV Bridge Connecting to a FIP Snooping Bridge...
  • Page 66: Supported And Unsupported Topologies

    Figure 11: 10GB Fabric Extender Connecting To The Same FCoE NPV Bridge Over Multiple VF Ports Figure 12: Cisco Nexus Device As An FCoE NPV Bridge Connecting To A FIP Snooping Bridge Or Another FCoE NPV Bridge Figure 13: VF Port Trunk To Hosts In FCoE NPV Mode...
  • Page 67: Guidelines And Limitations

    FCoE NPV is enabled and if VNP ports are configured. • A warning is displayed if an ISSD is performed to Cisco NX-OS Release 5.0(3)N1(1) or an earlier release when FCoE NPV is enabled but VNP ports are not configured.
  • Page 68: Default Settings

    The following table lists the default settings for FCoE NPV parameters. Table 5: Default FCoE NPV Parameters Parameters Default FCoE NPV Disabled FCoE Disabled Disabled VNP port Disabled FIP Keep Alive (FKA) Disabled...
  • Page 69: Enabling Fcoe And Enabling Npv

    Exits configuration mode. Step 4 switch(config)# copy running-config (Optional) startup-config Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration...
  • Page 70: Configuring Npv Ports For Fcoe Npv

    • FCF or associated enode MAC address • Status • Associated VFC information show interface vfc x Displays information about the specified vFC interface including attributes and status...
  • Page 71: Configuration Examples For Fcoe Npv

    51 switch(config-vlan)# fcoe vsan 51 This example shows a summary of the interface configuration information for trunked NP ports: switch# show interface brief | grep TNP vfc25 trunking...
  • Page 72 Trunk vsans (initializing) (1,20,100,200,300,400) 1 minute input rate 0 bits/sec, 0 bytes/sec, 0 frames/sec 1 minute output rate 0 bits/sec, 0 bytes/sec, 0 frames/sec 15 frames input, 2276 bytes...
  • Page 73 100, State: Up VSAN: 300, State: Up VSAN: 500, State: Up, FCID: 0xa10001 Interface: vfc90, State: Down Interface: vfc100, State: Down Interface: vfc110, State: Down Interface: vfc111, State: Down...
  • Page 74 Please increase the FKA duration to 60 seconds on FCF Active VNP ports with no disable-fka set ---------------------------------------- vfc90 vfc100 vfc110 vfc111 vfc120 vfc130 ISSU downgrade not supported as feature fcoe-npv is enabled switch#...
  • Page 75: Configuring Vsan Trunking

    VSANs in which frames can be received or transmitted. • If a trunking-enabled E port is connected to a third-party switch, the trunking protocol ensures seamless operation as an E port...
  • Page 76: Vsan Trunking Mismatches

    (when the trunking protocol was enabled). Other switches that are directly connected to this switch are similarly affected on the connected interfaces. If you need to merge traffic from different port VSANs across a nontrunking ISL, disable the trunking protocol...
  • Page 77: Configuring Vsan Trunking

    The default trunk mode is on. The trunk mode configurations at the two ends of the link determine the trunking state of the link and the port modes at both ends (see the following table)...
  • Page 78: Configuring Trunk Mode

    Auto No trunking (ISL) E port The preferred configuration on the Cisco SAN switches is that one side of the trunk is set to auto and the other is set to on. Note When connected to a third-party switch, the trunk mode configuration has no effect. The Inter-Switch Link (ISL) is always in a trunking disabled state.
  • Page 79: Trunk-Allowed Vsan Lists

    VSAN list for an interface, and they are called allowed-active VSANs. The trunking protocol uses the list of allowed-active VSANs at the two ends of an ISL to determine the list of operational VSANs in which traffic is allowed...
  • Page 80 • The ISL between switch 2 and switch 3 includes VSAN 1 and VSAN 2. • The ISL between switch 3 and switch 1 includes VSAN 1, 2, and 5...
  • Page 81: Configuring An Allowed-Active List Of Vsans

    4 Step 3 switchport trunk allowed vsan vsan-id - vsan-id Changes the allowed list for the specified VSAN range. Example: switch(config-if)# switchport trunk allowed vsan 35-55...
  • Page 82: Displaying Vsan Trunking Information

    Vsan 1 is up, FCID is 0xef0000 Vsan 2 is up, FCID is 0xef0000 Default Settings for VSAN Trunks The following table lists the default settings for VSAN trunking parameters...
  • Page 83 Default Settings for VSAN Trunks Table 7: Default VSAN Trunk Configuration Parameters Parameters Default Switch port trunk mode Allowed VSAN list 1 to 4093 user-defined VSAN IDs Trunking protocol Enabled...
  • Page 85: Chapter 6 Configuring And Managing Vsans

    • Multiple VSANs can share the same physical topology. • The same Fibre Channel IDs (FC IDs) can be assigned to a host in another VSAN, which increases VSAN scalability...
  • Page 86 The application servers or storage arrays can be connected to the switch using Fibre Channel or virtual Fibre Channel interfaces. A VSAN can include a mixture of Fibre Channel and virtual Fibre Channel interfaces...
  • Page 87 ◦ Different customers in storage provider data centers ◦ Production or test in an enterprise network ◦ Low and high security requirements ◦ Backup traffic on separate VSANs ◦ Replicating data from user traffic...
  • Page 88: Vsan Advantages

    VSAN (the VSAN associated with the F port). zones. VSANs enforce membership at each E port, source port, and destination port. Zones enforce membership only at the source and destination ports...
  • Page 89: Guidelines And Limitations For Vsans

    Once VSANs are created, they may exist in various conditions or states. ◦ The active state of a VSAN indicates that the VSAN is configured and enabled. By enabling a VSAN, you activate the services for that VSAN...
  • Page 90: About Vsan Creation

    You cannot configure any application-specific parameters for a VSAN before creating the VSAN. Procedure Command or Action Purpose Step 1 Enters global configuration mode. configure terminal Example: switch# configure terminal switch(config)#...
  • Page 91: Port Vsan Membership

    VSAN trunking ports have an associated list of VSANs that are part of an allowed list. Related Topics Assigning Static Port VSAN Membership, on page 72 Configuring VSAN Trunking, on page 55...
  • Page 92: Assigning Static Port Vsan Membership

    # show vsan 1 membership vsan 1 interfaces: vfc21 vfc22 vfc23 vfc24 san-port-channel 3 vfc1/1 Note Interface information is not displayed if interfaces are not configured on this VSAN...
  • Page 93: Default Vsans

    Default VSANs The factory settings for Cisco SAN switches have only the default VSAN 1 enabled. We recommend that you do not use VSAN 1 as your production environment VSAN. If no VSANs are configured, all devices in the fabric are considered part of the default VSAN.
  • Page 94: Operational State Of A Vsan

    Any commands for a nonconfigured VSAN are rejected. For example, if VSAN 10 is not configured in the system, a command request to move a port to VSAN 10 is rejected. Related Topics Configuring VSAN Trunking, on page 55...
  • Page 95: Deleting Static Vsans

    You can configure load balancing on an existing VSAN. Load-balancing attributes indicate the use of the source-destination ID (src-dst-id) or the originator exchange OX ID (src-dst-ox-id, the default) for load-balancing path selection. Cisco Nexus 6000 Series NX-OS SAN Switching Configuration Guide, Release 6.x OL-27932-01...
  • Page 96 Negates the suspend command entered in the previous step. Example: switch(config-vsan-db)# no vsan 23 suspend Step 9 Returns you to EXEC mode. Example: switch(config-vsan-db)# end
  • Page 97: Interop Mode

    VSAN 1. State: Active state. Name: Concatenation of VSAN and a four-digit string representing the VSAN ID. For example, VSAN 3 is VSAN0003. Load-balancing attribute: OX ID (src-dst-ox-id).
  • Page 98 Configuring and Managing VSANs Default Settings for VSANs
  • Page 99: Chapter 7 Configuring And Managing Zones

    ◦ A physical fabric can have a maximum of 16,000 members. This includes all VSANs in the fabric. • A zone set consists of one or more zones.
  • Page 100 This membership is also referred to as interface-based zoning. ◦ Interface and domain ID—Specifies the interface of a switch identified by the domain ID. ◦ Domain ID and port number—Specifies the domain ID of a Cisco switch domain and additionally specifies a port belonging to a non-Cisco switch.
  • Page 101: Zoning Example

    S2 in zone 3, and to H1 and S1 in zone 1. Figure 24: Fabric with Three Zones Zone Implementation Cisco SAN switches automatically support the following basic zone features (no additional configuration is required): • Zones are contained in a VSAN.
  • Page 102: Active And Full Zone Sets

    • An FC ID or Nx port that is not part of the active zone set belongs to the default zone and the default zone information is not distributed to other switches.
  • Page 103 Note If one zone set is active and you activate another zone set, the currently active zone set is automatically deactivated. You do not need to explicitly deactivate the currently active zone set before activating a new zone set.
  • Page 104 Configuring and Managing Zones Information About Zoning The following figure shows a zone being added to an activated zone set. Figure 25: Active and Full Zone Sets
  • Page 105: Configuring A Zone

    MyZone vsan 2 pWWN example: switch(config-zone)# member pwwn 10:00:00:23:45:67:89:ab Fabric pWWN example: switch(config-zone)# member fwwn 10:01:10:01:10:ab:cd:ef FC ID example: switch(config-zone)# member fcid 0xce00d1 FC alias example: switch(config-zone)# member fcalias Payroll
  • Page 106: Zone Sets

    In the following figure, two separate sets are created, each with its own membership hierarchy and zone members. Figure 26: Hierarchy of Zone Sets, Zones, and Zone Members
  • Page 107: Activating A Zone Set

    Traffic can either be permitted or denied among members of the default zone. This information is not distributed to all switches; it must be configured in each switch.
  • Page 108: Configuring The Default Zone Access Permission

    • fWWN—The WWN of the fabric port name is in hex format (for example, 10:00:00:23:45:67:89:ab). • FC ID—The N port ID is in 0xhhhhhh format (for example, 0xce00d1).
  • Page 109: Creating Fc Aliases

    Configuring and Managing Zones Zone Sets • Domain ID—The domain ID is an integer from 1 to 239. A mandatory port number of a non-Cisco switch is required to complete this membership configuration. • Interface—Interface-based zoning is similar to port-based zoning because the switch interface is used to configure the zone.
  • Page 110: Creating Zone Sets And Adding Member Zones

    You can create a zone set to include several zones. Procedure Command or Action Purpose Step 1 configure terminal Enters global configuration mode. Example: switch# configure terminal switch(config)#
  • Page 111: Zone Enforcement

    Note Hard zoning enforces zoning restrictions on every frame, and prevents unauthorized access. Cisco SAN switches support both hard and soft zoning.
  • Page 112: Zone Set Distribution

    Enabling Full Zone Set Distribution All Cisco SAN switches distribute active zone sets when new E port links come up or when a new zone set is activated in a VSAN. The zone set distribution takes effect while sending merge requests to the adjacent switch or while activating a zone set.
  • Page 113: Recovering From Link Isolation

    • Import the neighboring switch’s active zone set database and replace the current active zone set (see the figure below). • Export the current database to the neighboring switch.
  • Page 114: Importing And Exporting Zone Sets

    • To the full zone set • To a remote location (using FTP, SCP, SFTP, or TFTP)
  • Page 115: Copying Zone Sets

    Caution in the full zone set database. Copying Zone Sets On Cisco SAN switches, you cannot edit an active zone set. However, you can copy an active zone set to create a new zone set that you can edit. Procedure...
  • Page 116: Cloning Zones, Zone Sets, Fc Aliases, And Zone Attribute Groups

    2 Step 3 zone clone oldname newname vsan number Clones a zone in the specified VSAN. Example: switch(config)# zone clone test myzone3 vsan
  • Page 117: Clearing The Zone Server Database

    Displays zone information for all VSANs. show zone vsan vsan-id Displays zone information for a specific VSAN. show zoneset vsan vsan-id - vsan-id Displays the configured zone sets for a range of VSANs.
  • Page 118: Enhanced Zoning

    The following table lists the advantages of the enhanced zoning feature in all Cisco SAN switches. Table 12: Advantages of Enhanced Zoning...
  • Page 119: Changing From Basic Zoning To Enhanced Zoning

    Set the operation mode to enhanced zoning mode. Changing from Enhanced Zoning to Basic Zoning Cisco SAN switches allow you to change from enhanced zoning to basic zoning to enable you to downgrade and upgrade to other Cisco NX-OS releases.
  • Page 120: Enabling Enhanced Zoning

    Step 3 Set the operation mode to basic zoning mode. Enabling Enhanced Zoning You can enable enhanced zoning in a VSAN. By default, the enhanced zoning feature is disabled in all Cisco SAN switches. Procedure Command or Action Purpose Step 1 configure terminal Enters global configuration mode.
  • Page 121: Releasing Zone Database Locks

    We recommend using the no zone commit vsan command first to release the session lock in the fabric. If that fails, use the clear zone lock vsan command on the remote switches where the session is still locked.
  • Page 122: Merging The Database

    ◦ If the setting is allow, the merge rules are used to perform the merge. Configuring Zone Merge Control Policies You can configure merge control policies.
  • Page 123: Default Zone Policies

    Step 3 no zone default-zone permit vsan vsan-id Denies traffic flow to default zone members and reverts to factory default. Example: switch(config)# no zone default-zone permit vsan 12
  • Page 124: Configuring System Default Zoning Settings

    VSANs on the switch. Only the active zone database is distributed. Example: switch(config)# no system default zone distribute full
  • Page 125: Verifying Enhanced Zone Information

    The following example shows how to display active zoning analysis: switch# show zone analysis active vsan 1 See the command reference for your device for the description of the information displayed in the command output.
  • Page 126: Default Settings For Zones

    Table 14: Default Basic Zone Parameters (parameter: default). Default zone policy: Denied to all members. Full zone set distribute: The full zone set(s) is not distributed. Enhanced zoning: Disabled.
  • Page 127: Chapter 8 Distributing Device Alias Services

    When the port WWN (pWWN) of a device must be specified to configure features (for example, zoning, DPVM, or port security) in a Cisco SAN switch, you must assign the correct device name each time you configure these features. An inaccurate device name may cause unexpected results. You can circumvent this problem if you define a user-friendly name for a pWWN and use this name in all the configuration commands as required.
  • Page 128: Device Alias Requirements

    • Device aliases used to configure zones, IVR zones, or port security features are displayed automatically with their respective pWWNs in the show command output. For additional information, refer to Using Cisco Fabric Services in the System Management Configuration Guide for your device.
  • Page 129: Device Alias Databases

    21:01:00:e0:8b:2e:80:93 Step 4 no device-alias name device-name Removes the device name for the device that is identified by its pWWN. Example: switch(config-device-alias-db)# no device-alias name mydevice
  • Page 130: Device Alias Modes

    • Before changing from enhanced to basic mode, you must first explicitly remove all native device alias-based configurations from both local and remote switches, or replace all device alias-based configuration members with the corresponding pWWN.
  • Page 131: Configuring Device Alias Modes

    This example shows how to display the current device alias mode setting. switch# show device-alias status Fabric Distribution: Enabled Database:- Device Aliases 0 Mode: Basic Locked By:- User "admin" SWWN 20:00:00:0d:ec:30:90:40 Pending Database:- Device Aliases 0 Mode: Basic
  • Page 132: Device Alias Distribution

    • The pending database is distributed to the switches in the fabric and the effective database on those switches is overwritten with the new changes. • The pending database is emptied of its contents. • The fabric lock is released for this feature.
  • Page 133: Discarding Changes

    Command or Action Purpose Step 1 configure terminal Enters global configuration mode. Example: switch# configure terminal switch(config)# Step 2 device-alias abort Discards the currently active session. Example: switch(config)# device-alias abort
  • Page 134: Overriding The Fabric Lock

    Step 2 no device-alias distribute Disables the distribution. Example: switch(config)# no device-alias distribute Step 3 device-alias distribute Enables the distribution (default). Example: switch(config)# device-alias distribute
  • Page 135: Legacy Zone Alias Configuration

    Importing a Zone Alias You can import the zone alias for a specific VSAN.
  • Page 136: Device Alias Database Merge Guidelines

    • Verify that the combined number of device aliases in both databases does not exceed 8K (8191 device aliases) in fabrics running Cisco MDS SAN-OS Release 3.0(x) and earlier, and 20K in fabrics running Cisco MDS SAN-OS Release 3.1(x) and later.
  • Page 137: Default Settings For Device Alias Services

    Enabled. Device alias mode: Basic. Database in use: Effective database. Database to accept changes: Pending database. Device alias fabric lock state: Locked with the first device alias task.
  • Page 138 Distributing Device Alias Services Default Settings for Device Alias Services
  • Page 139: Managing Flogi, Name Server, Fdmi, And Rscn Databases

    0x870000 20:00:00:1b:21:06:58:bc 10:00:00:1b:21:06:58:bc Total number of flogi = 1. This example shows how to verify the storage devices associated with VSAN 1: switch# show flogi database vsan 1
  • Page 140: Name Server Proxy

    By default, any future FLOGI (with a duplicate pWWN) on a different switch in the same VSAN is rejected and the earlier FLOGI is retained, which does not follow FC standards.
  • Page 141: Rejecting Duplicate Pwwns

    In a multiswitch fabric configuration, the name server instances running on each switch share information in a distributed database. One instance of the name server process runs on each switch.
  • Page 142: Displaying Name Server Database Entries

    FDMI Cisco SAN switches provide support for the Fabric-Device Management Interface (FDMI) functionality, as described in the FC-GS-4 standard. FDMI enables management of devices such as Fibre Channel host bus adapters (HBAs) through in-band communications. This addition complements the existing Fibre Channel name server and management server functions.
  • Page 143: Displaying Fdmi

    The SCR table is not configurable. It is populated when hosts send SCR frames with RSCN information. If hosts do not receive RSCN information, then the show rscn scr-table command will not return entries.
  • Page 144: Multi-Pid Option

    GMAL and GIELN commands to the switch that initiated the domain format SW-RSCN to determine what changed. Domain format SW-RSCNs can cause problems with some non-Cisco SAN switches. You can suppress the transmission of these SW-RSCNs over an ISL.
  • Page 145: Clearing Rscn Statistics

    Note Before performing a downgrade, make sure that you revert the RSCN timer value in your network to the default value. Failure to do so will disable the links across your VSANs and other devices. You can configure the RSCN timer.
  • Page 146: Verifying The Rscn Timer Configuration

    SW-RSCNs. RSCN supports two modes, distributed and nondistributed. In distributed mode, RSCN uses Cisco Fabric Services (CFS) to distribute configuration to all switches in the fabric. In nondistributed mode, only the configuration commands on the local switch are affected.
  • Page 147: Enabling Rscn Timer Configuration Distribution

    RSCN timer distribution crashes and restarts or a switchover occurs, it resumes normal functionality from the state prior to the crash or switchover. For additional information, refer to Using Cisco Fabric Services in the System Management Configuration Guide for your device.
  • Page 148: Committing Rscn Timer Configuration Changes

    Example: switch# configure terminal switch(config)# Step 2 rscn abort vsan timeout Discards the RSCN timer changes and clears the pending configuration database. Example: switch(config)# rscn abort vsan 800
  • Page 149: Clearing A Locked Session

    The following table lists the default settings for RSCN. Table 17: Default RSCN Settings (parameter: default). RSCN timer value: 2000 milliseconds for Fibre Channel VSANs. RSCN timer configuration distribution: Disabled.
  • Page 150 Managing FLOGI, Name Server, FDMI, and RSCN Databases Default Settings for RSCN
  • Page 151: Chapter 10 Discovering Scsi Targets

    SCSI LUN discovery is done on demand. Only Nx ports that are present in the name server database and that are registered as FC4 Type = SCSI_FCP are discovered.
  • Page 152: Starting Scsi Lun Discovery

    Adds the specified entry to the custom list. domain domain-id Step 2 switch# discover custom-list delete vsan vsan-id domain domain-id Deletes the specified domain ID from the custom list.
  • Page 153: Displaying Scsi Lun Information

    The following example displays the port WWN that is assigned to each operating system (Windows, AIX, Solaris, Linux, or HPUX): switch# show scsi-target pwwn
  • Page 154 Discovering SCSI Targets Displaying SCSI LUN Information
  • Page 155: Chapter 11 Configuring Fc-Sp And Dhchap

    Diffie-Hellman exchange. Fabric Authentication All Cisco SAN switches enable fabric-wide authentication from one switch to another switch, or from a switch to a host. These switch and host authentications are performed locally or remotely in each fabric. As storage islands are consolidated and migrated to enterprise-wide fabrics, new security challenges arise. The approach of securing storage islands cannot always be guaranteed in enterprise-wide fabrics.
  • Page 156: Configuring Dhchap Authentication

    Configuring FC-SP and DHCHAP Configuring DHCHAP Authentication Cisco SAN switches support authentication features to address physical security (see the following figure). Figure 28: Switch and Host Authentication Note Fibre Channel host bus adapters (HBAs) with appropriate firmware and drivers are required for host-switch authentication.
  • Page 157: Dhchap Compatibility With Fibre Channel Features

    Verify the DHCHAP configuration. DHCHAP Compatibility with Fibre Channel Features When configuring the DHCHAP feature along with existing Cisco NX-OS features, consider these compatibility issues: • SAN port channel interfaces—If DHCHAP is enabled for ports belonging to a SAN port channel, DHCHAP authentication is performed at the physical interface level, not at the port channel level.
  • Page 158: Dhchap Authentication Modes

    Note Whenever DHCHAP port mode is changed to a mode other than the Off mode, reauthentication is performed. The following table identifies switch-to-switch authentication between two Cisco switches in various modes.
  • Page 159: Configuring The Dhchap Mode

    Zero (0) indicates that the port does not perform reauthentication. Note The reauthorization interval configuration is the same as the default behavior. Example: switch(config-if)# fcsp auto-active 0
  • Page 160: Dhchap Hash Algorithm

    (0). DHCHAP Hash Algorithm Cisco SAN switches support a default hash algorithm priority list of MD5 followed by SHA-1 for DHCHAP authentication. If you change the hash algorithm configuration, then change it globally for all switches in the fabric.
  • Page 161: Dhchap Group Settings

    DHCHAP Group Settings All Cisco SAN switches support all DHCHAP groups specified in the standard: 0 (null DH group, which does not perform the Diffie-Hellman exchange), 1, 2, 3, or 4. If you change the DH group configuration, change it globally for all switches in the fabric.
  • Page 162: Configuring Dhchap Passwords For The Local Switch

    We recommend using RADIUS or TACACS+ for fabrics with more than five switches. If you need to use a local password database, you can continue to do so using Configuration 3 and using Cisco MDS 9000 Family Fabric Manager to manage the password database.
  • Page 163: Configuring Dhchap Passwords For Remote Devices

    • The existing RADIUS and TACACS+ timeout values. • The same value must also be configured on all switches in the fabric. Configuring the DHCHAP Timeout Value You can configure the DHCHAP timeout value.
  • Page 164: Configuring Dhchap Aaa Authentication

    The following example shows how to display the DHCHAP local password database: switch# show fcsp dhchap database Use the ASCII representation of the device WWN to configure the switch information on RADIUS and TACACS+ servers.
  • Page 165: Configuration Examples For Fabric Security

    This example shows how to set up authentication: Procedure Step 1 Obtain the device name of the Cisco SAN switch in the fabric. The Cisco SAN switch in the fabric is identified by the switch WWN. Example: switch# show wwn switch...
  • Page 166: Default Settings For Fabric Security

    A priority list of MD5 followed by SHA-1 for DHCHAP authentication. DHCHAP authentication mode: Auto-passive. DHCHAP group default priority exchange order: 0, 4, 1, 2, and 3, respectively. DHCHAP timeout value: 30 seconds.
  • Page 167 Configuring FC-SP and DHCHAP Default Settings for Fabric Security
  • Page 168 Configuring FC-SP and DHCHAP Default Settings for Fabric Security
  • Page 169: Chapter 12 Configuring Port Security

    Configuring Port Security, page 149 Configuring Port Security Cisco SAN switches provide port security features that reject intrusion attempts and report these intrusions to the administrator. Port security is supported on virtual Fibre Channel ports and physical Fibre Channel ports.
  • Page 170: Port Security Enforcement

    By default, the port security feature is not activated. When you activate the port security feature, the following operations occur: • Auto-learning is also automatically enabled, which means the following:
  • Page 171: Configuring Port Security

    This action ensures that the configured database is the same on all switches in the fabric. Step 10 Copy the running configuration to the startup configuration, using the fabric option.
  • Page 172: Configuring Port Security With Auto-Learning Without Cfs

    Disabling Auto-Learning, on page 157 Enabling Port Security, on page 153 Enabling Port Security Distribution, on page 161 Configuring Port Security with Auto-Learning without CFS You can configure port security using auto-learning without Cisco Fabric Services (CFS). Procedure Step 1 Enable port security.
  • Page 173: Enabling Port Security

    Port Security Activation Activating Port Security You can activate port security. Procedure Command or Action Purpose Step 1 configure terminal Enters global configuration mode. Example: switch# configure terminal switch(config)#
  • Page 174: Database Activation Rejection

    Forcing Port Security Activation You can forcefully activate the port security database. Procedure Command or Action Purpose Step 1 configure terminal Enters global configuration mode. Example: switch# configure terminal switch(config)#
  • Page 175: Database Reactivation

    Step 6 port-security activate vsan vsan-id Activates the port security database for the specified VSAN, and automatically enables auto-learning. Example: switch(config)# port-security activate vsan 35
  • Page 176: Auto-Learning

    Enables auto-learning so the switch can learn about any device that is allowed to access VSAN 1. These devices are logged in the port security active database. Example: switch(config)# port-security auto-learn vsan 1
  • Page 177: Disabling Auto-Learning

    Permitted configured any device Configured to log in to Any port on the switch Permitted any switch port Not configured A port configured with Denied some other device
  • Page 178: Authorization Scenario

    S1, F10 Permitted No conflict. S2, F11 Denied P10 is bound to F11. P4, N4, F5 (auto-learning Permitted No conflict. P4, N4, F5 (auto-learning Denied No match. off)
  • Page 179: Port Security Manual Configuration

    The WWN Identification has the following configuration guidelines and limitations: • Identify switch ports by the interface or by the fWWN. • Identify devices by the pWWN or by the nWWN.
  • Page 180: Adding Authorized Port Pairs

    Step 4 switch(config-port-security)# swwn swwn-id interface san-port-channel 5 Configures the specified sWWN to only log in through SAN port channel 5. Example: switch(config-port-security)# swwn 21:00:05:30:23:1a:11:03 interface san-port-channel 5
  • Page 181: Port Security Configuration Distribution

    32 Port Security Configuration Distribution The port security feature uses the Cisco Fabric Services (CFS) infrastructure to enable efficient database management, provide a single point of configuration for the entire fabric in the VSAN, and enforce the port security policies throughout the fabric.
  • Page 182: Locking The Fabric

    Commits the port security changes in the specified VSAN. Example: switch(config)# port-security commit vsan Discarding the Changes You can discard the port security configuration changes for the specified VSAN.
  • Page 183: Activation And Auto-Learning Configuration Distribution

    If the pending database contains more than one activation and auto-learning configuration when you commit the changes, the activation and auto-learning changes are consolidated and the resulting operation may change (see the following table).
  • Page 184 = {A,B} active database = {A,B} and devices C and D are logged out. This is equal to an activation with auto-learning disabled. pending database = empty
  • Page 185: Merging The Port Security Database

    You can overwrite the configuration database with configured database by activating the port security the active database. database. Forcing an activation may violate the entries already configured in the active database.
  • Page 186 The following figure shows various scenarios of the active database and the configuration database status based on port security configurations. Figure 30: Port Security Database Scenarios
  • Page 187: Database Scenarios

    Database Scenarios The following figure illustrates various scenarios showing the active database and the configuration database status based on port security configurations. Figure 31: Port Security Database Scenarios
  • Page 188: Copying The Port Security Database

    Note The clear port-security database auto-learn and clear port-security statistics commands are only relevant to the local switch and do not acquire locks. Also, learned entries are only local to the switch and do not participate in distribution.
  • Page 189: Displaying Port Security Configuration

    Table 24: Default Security Settings (parameter: default). Auto-learn: Enabled if port security is enabled. Port security: Disabled. Distribution: Disabled. Note Enabling distribution enables it on all VSANs in the switch.
  • Page 190 Configuring Port Security Default Settings for Port Security
  • Page 191: Chapter 13 Configuring Fabric Binding

    Port Security Uses a set of sWWNs and a persistent domain ID. Uses pWWNs/nWWNs or fWWNs/sWWNs. Binds the fabric at the switch level. Binds devices at the interface level.
  • Page 192: Fabric Binding Enforcement

    For a Fibre Channel VSAN, the fabric binding feature requires all sWWNs connected to a switch to be part of the fabric binding active database.
  • Page 193: Configuring Fabric Binding

    A user-specified fabric binding list contains a list of switch WWNs (sWWNs) within a fabric. If an sWWN attempts to join the fabric, and that sWWN is not on the list or the sWWN is using a domain ID that differs...
  • Page 194: Configuring Switch Wwn List

    For example, one of the already logged in switches might be denied login by the config database. You can choose to forcefully override these situations.
  • Page 195: Activating Fabric Binding

    Procedure
    Step | Command or Action | Purpose
    Step 1 | configure terminal | Enters global configuration mode.
    Example:
    switch# configure terminal
    switch(config)#
  • Page 196: Copying Fabric Binding Configurations

    Deleting the Fabric Binding Database
    Use the no fabric-binding command in configuration mode to delete the configured database for a specified VSAN:
    switch(config)# no fabric-binding database vsan 10
  • Page 197: Verifying The Fabric Binding Configuration

    This example shows how to display EFMD Statistics for VSAN 4:
    switch# show fabric-binding efmd statistics vsan 4
    Default Settings for Fabric Binding
    The following table lists the default settings for the fabric binding feature.
  • Page 198 Configuring Fabric Binding Default Settings for Fabric Binding

    Table 26: Default Fabric Binding Settings
    Parameters | Default
    Fabric binding | Disabled
  • Page 199: Chapter 14 Configuring Fabric Configuration Servers

    Each object has its own set of attributes and values. A null value may also be defined for some attributes. In the Cisco Nexus device environment, a fabric may consist of multiple VSANs. One instance of the FCS is present per VSAN.
  • Page 200: FCS Characteristics

    When a restart or switchover happens, FCSs retrieve the secondary storage information and rebuild its database.
    • SNMP manager can query FCSs for all IEs, ports, and platforms in the fabric.
  • Page 201: FCS Name Specification

    You can specify if the unique name verification is for the entire fabric (globally) or only for locally (default) registered platforms.
    Note: Set this command globally only if every switch in the fabric belongs to the Cisco MDS 9000 Family or Cisco Nexus devices.
    To enable global checking of the platform name, perform this task:...
  • Page 202 Configuring Fabric Configuration Servers Default FCS Settings

    Table 27: Default FCS Settings
    Parameters | Default
    Global checking of the platform name | Disabled
    Platform node type | Unknown
  • Page 203: Chapter 15 Configuring Port Tracking

    Configuring Port Tracking, page 183
    Configuring Port Tracking
    Cisco SAN switches offer the port tracking feature on physical Fibre Channel interfaces (but not on virtual Fibre Channel interfaces). This feature uses information about the operational state of the link to initiate a failure in the link that connects the edge device.
  • Page 204: Default Settings For Port Tracking

    Related Topics
    About RSCN Information, on page 123
    Fibre Channel Timeout Values
    Default Settings for Port Tracking
    The following table lists the default settings for port tracking parameters.
  • Page 205: Configuring Port Tracking

    Before configuring port tracking, consider the following guidelines:
    • Verify that the tracked ports and the linked ports are on the same Cisco switch.
    • Be aware that the linked port is automatically brought down when the tracked port goes down.
  • Page 206: Configuring Linked Ports

    Even if one tracked port is up, the linked port will stay up.
  • Page 207: Tracking Multiple Ports

    If you configure this feature, the linked port is up only when the VSAN is up on the tracked port. The specified VSAN does not have to be the same as the port VSAN of the linked port.
  • Page 208: Monitoring Ports In A VSAN

    You must explicitly remove the forced shut state (by administratively bringing up this interface) of the linked port once the tracked port is up and stable.
    Forcefully Shutting Down a Tracked Port
    You can forcefully shut down a tracked port.
  • Page 209: Displaying Port Tracking Information

    Hardware is Fibre Channel
    Port WWN is 24:01:00:05:30:00:0d:de
    Admin port mode is auto, trunk mode is on
    Port vsan is 2
    Linked to 1 port(s)
    Port linked to interface vfc21
  • Page 210

    Receive data field Size is 2112
    Beacon is turned off
    Port track mode is force_shut <-- this port remains shut even if the tracked port is back up
