Title                              Publication number   Summary of changes                                                                                       Date
Fabric OS Administrator’s Guide    53-1000043-02        Removed SilkWorm 4016 and 4020 from supported switches; FCIP chapter updates.                           June 2006
Fabric OS Administrator’s Guide    53-1000239-01        Revised for Fabric OS v5.2.0 features. Added new hardware platforms: Brocade FC4-48 and FC4-16IP.       September 2006
Fabric OS Administrator’s Guide 53-1001336-01...
Chapter 8 Maintaining the Switch Configuration File In this chapter ......... .159 Configuration settings.
FIPS Support ......... . .186 Public and Private Key Management .
Changing the context to a different logical fabric ....219 Creating a logical fabric using XISLs ......219 Chapter 11 Administering Advanced Zoning In this chapter .
Zoning configurations ........238 Creating a zoning configuration ......238 Adding zones (members) to a zoning configuration .
iSCSI initiator-to-VT authentication configuration ....273 Setting the user name and shared secret ....273 Binding user names to an iSCSI VT .
Zone management in interoperable fabrics ....299 Zoning restrictions ........299 Zone name restrictions .
Chapter 15 Managing Administrative Domains In this chapter ......... .329 Administrative Domains overview .
Slot-based licensing ........366 Upgrade/downgrade considerations ....366 Adding a license to a slot .
Top Talker monitors ........386 Adding a Top Talker monitor on an F_Port.
QoS: Ingress Rate Limiting ....... .415 Limiting traffic from a particular device ....415 Disabling ingress rate limiting.
F_Port masterless trunking .......437 F_Port masterless trunking considerations ....439 Assigning a Trunk Area .
Internal Ethernet devices ....... . .512 IP address and routing management ..... . .512 Setting the IP address for the CP inband management interface .
Figures Figure 1 Identify the blades ..........35 Figure 2 Blade Swap with Virtual Fabrics during the swap .
Figure 37 iSCSI network with iSNS server and clients ......282 Figure 38 Typical direct E_Port configuration .
Figure 79 Logical representation of EX_Ports in a base switch ..... 498 Figure 80 Backbone-to-edge routing across base switch using FC router in legacy mode 499 Figure 81 Inband Management process .
Tables Table 1 Default administrative account names and passwords ....5 Table 2 Port numbering schemes for the Brocade 48000, Brocade DCX and DCX-4S enterprise-class platforms .
Table 36 Examples of strict fabric merges ........147 Table 37 Fabric merges with tolerant/absent combinations .
Table 77 Types of monitors supported on Brocade switch models ....378 Table 78 Number of logical switches that support performance monitors ... 378 Table 79 Predefined values at offset 0.
• Chapter 11, “Administering Advanced Zoning,” provides procedures for use of the Brocade Advanced Zoning licensed feature. • Chapter 12, “Managing iSCSI Gateway Service,” provides concepts and procedures for allowing initiators in an IP SAN to access and utilize storage in a Fibre Channel SAN. •...
• Showing blade status information • QoS D,I zones • Port information for virtual devices • TrunkShow command information • Information that was changed: • Information that was deleted: “Configuring and Monitoring FCIP Extension Services,” which provides procedures for creating and maintaining FCIP tunnels was removed from this manual and can be found in the Fibre Channel over IP Administrator’s Guide.
Command syntax conventions Command syntax in this manual follows these conventions: command Commands are printed in bold. option, option Command options are printed in bold. argument, arg Arguments. Optional element. variable Variables are printed in italics. In the help pages, values are underlined or enclosed in angled brackets <...
Notice to the reader This document may contain references to the trademarks of the following corporations. These trademarks are the properties of their respective companies and corporations. These references are made for informational purposes only. Corporation Referenced Trademarks and Products Microsoft Corporation Windows, Windows NT, Internet Explorer Mozilla Corporation...
Getting technical help Contact your switch support supplier for hardware, firmware, and software support, including product repairs and part ordering. To expedite your call, have the following information available: 1. General Information • Switch model • Switch operating system version •...
Document feedback Quality is our first concern at Brocade and we have made every effort to ensure the accuracy and completeness of this document. However, if you find an error or an omission, or you think that a topic needs further development, we want to hear from you. Forward your feedback to: documentation@brocade.com Provide the title and version number of the document and as much detail as possible about your comment, including the topic heading and page number and your suggestions for improvement.
Section Standard Features This section describes standard Fabric OS features, and includes the following chapters: • Chapter 1, “Performing Basic Configuration Tasks” • Chapter 2, “Performing Advanced Configuration Tasks” • Chapter 3, “Understanding Fibre Channel Services” • Chapter 4, “Routing Traffic” •...
Fabric OS command line interface Although many different software and hardware configurations are tested and supported by Brocade Communications Systems, Inc., documenting all possible configurations and scenarios is beyond the scope of this document. In some cases, earlier releases are highlighted to present considerations for interoperating with them.
Fabric OS command line interface Parameter Value Stop bits Flow control None • In a UNIX environment, enter the following string at the prompt: tip /dev/ttyb -9600 If ttyb is already in use, use ttya instead and enter the following string at the prompt: tip /dev/ttya -9600 Telnet or SSH sessions Connect to the Fabric OS through a Telnet or SSH connection or through a console session on the...
Fabric OS command line interface 2. Verify the switch’s network interface is configured and that it is connected to the IP network through the RJ-45 Ethernet port. Switches in the fabric that are not connected through the Ethernet can be managed through switches that are using IP over Fibre Channel.
Password modification The switch automatically prompts you to change the default account passwords after logging in for the first time. If you do not change the passwords, the switch prompts you after each subsequent login until all the default passwords have been changed. NOTE The default account passwords can be changed from their original value only when prompted immediately following the login;...
The Ethernet interface on your switch Use Control-C to exit or press 'Enter' key to proceed. for user - root Changing password for root Enter new password: <hidden> Password changed. Saving password to stable storage. Password saved to stable storage successfully. (output truncated) The Ethernet interface on your switch You can use DHCP (Dynamic Host Configuration Protocol) for the Ethernet network interface...
The Ethernet interface on your switch Ethernet IP Address: 10.1.2.3 Ethernet Subnetmask: 255.255.240.0 Host Name: ecp0 Gateway IP Address: 10.1.2.1 Ethernet IP Address: 10.1.2.4 Ethernet Subnetmask: 255.255.240.0 Host Name: ecp1 Gateway IP Address: 10.1.2.3 IPFC address for virtual fabric ID 123: 11.1.2.3/24 IPFC address for virtual fabric ID 45: 13.1.2.4/20 Slot 7 eth0: 11.1.2.4/24...
The Ethernet interface on your switch On an AP blade, configure the two external Ethernet interfaces to two different subnets, or if two subnets are not present, configure one of the interfaces and leave the other unconfigured. Otherwise the following message will display and also blade status may go into a faulty state after a reboot.
The Ethernet interface on your switch NOTE The client conforms to the latest IETF Draft Standard RFCs for IPv4, IPv6, and DHCP. Activating DHCP Connect the DHCP-enabled switch to the network, power on the switch, and the switch automatically obtains the Ethernet IP address, Ethernet subnet mask, and default gateway address from the DHCP server.
The Ethernet interface on your switch Fibre Channel Subnetmask [255.255.0.0]: Gateway IP Address [10.1.2.1]: DHCP [On]:off IPv6 autoconfiguration IPv6 can assign multiple IP addresses to each network interface. Each interface is configured with a link local address in almost all cases, but this address is only accessible from other hosts on the same network.
Date and time settings Switches maintain the current date and time inside a battery-backed real-time clock (RTC) circuit that receives the date and time from the fabric’s principal switch. Date and time are used for logging events. Switch operation does not depend on the date and time; a switch with an incorrect date and time value still functions properly.
Date and time settings The time zone setting has the following characteristics: • Users can view the time zone settings. However, only those with administrative permissions can set the time zones. • It automatically adjusts for Daylight Savings Time. • Changing the time zone on a switch updates the local time zone setup and is reflected in local time calculations.
Date and time settings 4. At the prompt, select a country location. 5. At the prompt, enter the appropriate number to specify the time zone region or Ctrl-D to quit. Network time protocol You can synchronize the local time of the principal or primary fabric configuration server (FCS) switch to a maximum of eight external network time protocol (NTP) servers.
Domain IDs Example of displaying the NTP server switch:admin> tsclockserver 10.1.2.3 Example of setting up more than one NTP server using a DNS name switch:admin> tsclockserver "10.1.2.4;10.1.2.5;ntp.localdomain.net" Updating Clock Server configuration...done. Updated with the NTP servers Changes to the clock server value on the principal or primary FCS switch are propagated to all switches in the fabric.
Chassis names Switch names can be from 1 to 30 characters long. For the Brocade DCX and DCX-4S Backbone, the name can be from 1 to 15 characters in length. All switch names must begin with a letter, and can contain letters, numbers, or the underscore character. It is not necessary to use quotation marks.
Switch and enterprise-class platform shutdown Enabling a switch 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the switchEnable command. All Fibre Channel ports that passed the POST test are enabled. If the switch has interswitch links (ISLs) to a fabric, it joins the fabric.
Basic connections 3. Wait until you see the following message: DCX:FID128:admin> sysshutdown This command will shutdown the operating systems on your switch. You are required to power-cycle the switch in order to restore operation. Are you sure you want to shutdown the switch [y/n]?y HA is disabled Stopping blade 10 Shutting down the blade..
PIDs and PID binding overview Core PID addressing mode Core PID is the default PID format for Brocade platforms. It uses the entire 24-bit address space of the domain, area_ID, and ALPA to determine an object’s address within the fabric. The Core PID is a 24-bit address built from the following three 8-bit fields: •...
PIDs and PID binding overview • Any port on a 48-port blade can support up to 256 NPIV devices (In fixed addressing mode only 128 NPIV devices are supported in non-VF mode and 64 NPIV devices in VF mode on a 48-port blade).
PIDs and PID binding overview If the NPIV device has Dynamic Persistent PID set, then the same ALPA value in the PID is used. This guarantees NPIV devices get the same PID across reboots and ALPAs assigned for the device do not depend on the order in which the devices come up.
Ports Because enterprise-class platforms contain interchangeable port blades, their procedures differ from those for fixed-port switches. For example, fixed-port models identify ports only by the port number, while enterprise-class platforms identify ports by slot/port notation. NOTE For detailed information about the Brocade 48000 director, and the Brocade DCX and DCX-4S enterprise-class platforms, see the Brocade 48000 Hardware Reference Manual, the Brocade DCX Data Center Backbone Hardware Reference Manual, and the Brocade DCX-4S Data Center Backbone Hardware Reference Manual, respectively.
Ports TABLE 2 Port numbering schemes for the Brocade 48000, Brocade DCX and DCX-4S enterprise-class platforms Port blades Numbering scheme FC2-16 Ports are numbered from 0 through 15 from bottom to top. FC4-16 FC8-16 FC4-32 Ports are numbered from 0 through 15 from bottom to top on the left set of ports and 16 through 31 from bottom to top on the right set of ports.
Ports To select a specific port in the Brocade 48000, Brocade DCX and DCX-4S enterprise-class platforms, you must identify both the slot number and the port number using the format slot number/port number. No spaces are allowed between the slot number, the slash (/), and the port number.
Ports Swapping port area IDs If a device that uses port binding is connected to a port that fails, you can use port swapping to make another physical port use the same PID as the failed port. The device can then be plugged into the new port without the need to reboot the device.
Ports • To enable a port that is disabled, enter the command portEnable portnumber or portEnable slotnumber/portnumber. • To enable a port that is persistently disabled, enter the command portCfgPersistentEnable portnumber or portCfgPersistentEnable slotnumber/portnumber. If you change port configurations during a switch failover, the ports may become disabled. To bring the ports online, re-issue the portEnable command after the failover is complete.
Blade terminology and compatibility Before configuring a chassis, familiarize yourself with the platform CP blade and port blade nomenclature, as well as the port blade compatibilities. Often in procedures, only the abbreviated names for CP and port blades are used (for example, the FC4-16 blade). Table 3 includes CP and port blade abbreviations and descriptions.
Blade terminology and compatibility TABLE 3 Brocade enterprise-class platform terminology and abbreviations (Continued) Term Abbreviation Blade ID Definition (slotshow) 48-port 8-Gbps port blade FC8-48 A 48-port Brocade platform port blade supporting 1, 2, 4, and 8 Gbps port speeds. The Brocade DCX and DCX-4S support loop devices on 48-port blades in Virtual Fabrics-enabled environment.
Blade terminology and compatibility Mixed CP blades are not supported on a single chassis, except during specific upgrade procedures detailed in the Brocade 48000 Hardware Reference Manual. CP4 and CP8 blades cannot be mixed in the same chassis under any circumstances. Brocade recommends that each Brocade platform have only one type of CP blade installed and that each CP (primary and secondary partition) maintains the same firmware version.
Enabling and disabling blades Port blades are enabled by default. In some cases, you will need to disable a port blade to perform diagnostics. When diagnostics are executed manually (from the Fabric OS command line), many commands require the port blade to be disabled.
Blade swapping If a previously-configured FR4-18i blade is removed and an FC4-48, FC8-16, FC8-32, FC8-48, or FC10-6 blade is plugged in, then—other than the port’s EX_Port configuration—all the remaining port configurations previously applied to the FR4-18i ports can be used. The EX_Port configuration on those ports is disabled before the FC4 or FC8 port blade becomes operational.
Blade swapping unforeseen error does occur during the bladeSwap command, an entry will be made into the RASlog and all ports that have been swapped as part of the blade swap operation will be swapped back. On successful completion of the command, the source and destination blades are left in a disabled state allowing you to complete the cable move.
Blade swapping • Blade technology. Both blades must be of compatible technology types (i.e. Fibre Channel to Fibre Channel, Ethernet to Ethernet, application to application, etc). • Port Count. Both blades must support the same number of front ports. For example, 16-ports to 16-ports, 32-ports to 32-ports, 48-ports to 48-ports, and so on.
Power conservation FIGURE 3 Blade Swap with Virtual Fabrics after swap Swapping blades 1. Connect to the director and log in using an account assigned to the admin role. 2. Enter the bladeSwap command. If no errors are encountered, the blade swap will complete successfully. If errors are encountered, the command is interrupted and the ports are set back to their original configuration.
Inter-chassis links NOTE In the Brocade DCX and DCX-4S the core blades and CPs cannot be powered off from the CLI interface. You must manually power off the blades by unseating the blade from its mounting, the slider, or removing power from the chassis. Powering off a port blade 1.
Inter-chassis links For additional information on ICLs, see the Brocade DCX Data Center Backbone Hardware Reference Manual. ICL ports can be used only with an ICL license. For more information on how license enforcement occurs, see Chapter 16, “Administering Licensing”. After the addition or removal of a license, the license enforcement is performed on the ICL ports only when you issue the portDisable or portEnable commands on the switch for the ports.
Gateway links Chassis 1 Chassis 3 ICL 3 ICL 1 ICL 2 Chassis 2 FIGURE 4 ICL triangular topology Virtual Fabrics considerations: In Virtual Fabrics, the ICL ports can be split across the logical switch, base switch and default switch. The triangular topology requirement still needs to be met for each fabric individually.
Equipment status Configuring a link through a gateway 1. Connect to the switch at one end of the gateway and log in using an account assigned to the admin role. 2. Enter the portCfgIslMode command. 3. Repeat steps 1 through 2 for any additional ports that will be connected to the gateway. 4.
Equipment status Example of the slot information displayed for a DCX chassis. DCX:FID128:admin> slotshow -m Slot Blade Type Model Name Status -------------------------------------------------- SW BLADE FC8-32 ENABLED SW BLADE FC8-48 ENABLED SW BLADE FC10-6 ENABLED SW BLADE FC8-48 ENABLED CORE BLADE CORE8 ENABLED CP BLADE...
Track and control switch changes Verifying fabric connectivity 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the fabricShow command. This command displays a summary of all the switches in the fabric.
Track and control switch changes An SNMP-TRAP mode can also be enabled (see the trackChangesHelp command in the Fabric OS Command Reference). Enabling the track changes feature 1. Connect to the switch and log in using an account assigned to the admin role. 2.
Track and control switch changes The output is similar to the following: switch:admin> switchstatuspolicyshow The current overall switch status policy parameters: Down Marginal ---------------------------------- PowerSupplies Temperatures Fans Blade Flash MarginalPorts FaultyPorts MissingSFPs Setting the switch status policy threshold values 1. Connect to the switch and log in using an account assigned to the admin role. 2.
Audit log configuration Bad PowerSupplies contributing to DOWN status: (0..2) [2] 0 Bad PowerSupplies contributing to MARGINAL status: (0..2) [1] 0 Bad Temperatures contributing to DOWN status: (0..6) [2] 0 Bad Temperatures contributing to MARGINAL status: (0..6) [1] 0 Bad Fans contributing to DOWN status: (0..3) [2] 0 Bad Fans contributing to MARGINAL status: (0..3) [1] 0 Out of range Flash contributing to DOWN status: (0..1) [0] 0 Out of range Flash contributing to MARGINAL status: (0..1) [1] 0...
Audit log configuration • If too many events are generated by the switch, the system message log becomes a bottleneck and audit events are dropped by the Fabric OS. • If the user name, IP address, or user interface is not transported, an audit message is logged by adding the message None to each of the respective fields.
Audit log configuration Pushed messages contain the administrative domain of the entity that generated the event. See the Fabric OS Message Reference for details on message formats. For more information on setting up the system error log daemon, refer to the Fabric OS Troubleshooting and Diagnostics Guide. Verifying host syslog prior to configuring the audit log Audit logging assumes that your syslog is operational and running.
The Management Server Broadcast server — This service is optional, and when frames are transmitted to this address they are broadcast to all operational N_ and NL_Ports. When registration and query frames are sent to a well-known address a different protocol service, Fibre Channel Common Transport (FC-CT), is used.
Management server database Activating the platform services on a switch or enterprise-class platform will activate platform services on all logical switches in a Virtual Fabric. Similarly, deactivating the platform services will deactivate the platform service on all logical switches in a Virtual Fabric. The msPlatShow command displays all platforms registered in a Virtual Fabric.
Management server database Displaying the management server ACL 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the msConfigure command. The command becomes interactive. 3. At the “select” prompt, enter 1 to display the access list. A list of WWNs that have access to the management server is displayed.
Management server database select : (0..3) [2] 1 MS Access List consists of (14): { 20:00:00:20:37:65:ce:aa 20:00:00:20:37:65:ce:bb 20:00:00:20:37:65:ce:ff 20:00:00:20:37:65:ce:11 20:00:00:20:37:65:ce:22 20:00:00:20:37:65:ce:33 20:00:00:20:37:65:ce:44 10:00:00:60:69:04:11:24 10:00:00:60:69:04:11:23 21:00:00:e0:8b:04:70:3b 10:00:00:60:69:04:11:33 20:00:00:20:37:65:ce:55 20:00:00:20:37:65:ce:66 00:00:00:00:00:00:00:00 Done Display the access list Add member based on its Port/Node WWN Delete member based on its Port/Node WWN select : (0..3) [1] 0 done ...
Management server database Done Display the access list Add member based on its Port/Node WWN Delete member based on its Port/Node WWN select : (0..3) [2] 1 MS Access List consists of (1): { 10:00:00:00:c9:29:b3:84 Done Display the access list Add member based on its Port/Node WWN Delete member based on its Port/Node WWN select : (0..3) [1] 3...
Topology discovery Clearing the management server database The command msPlClearDB is allowed only in AD0 and AD255. 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the msplClearDb command. 3. Enter y to confirm the deletion. The management server platform database is cleared.
Topology discovery A warning displays that all NID entries might be cleared. 3. Enter y to disable the discovery feature. NOTE Disabling discovery of management server topology might erase all NID entries. Example of disabling discovery switch:admin> mstddisable This may erase all NID entries. Are you sure? (yes, y, no, n): [no] y Request to disable MS Topology Discovery Service in progress..
Routing overview FSPF Fabric Shortest Path First (FSPF) is a link state path selection protocol that directs traffic along the shortest path between the source and destination based upon the link cost. FSPF detects link failures, determines the shortest route for traffic, updates the routing table, provides fixed routing paths within a fabric, and maintains correct ordering of frames.
Routing policies Fibre Channel fabrics require that all ports be identified by a unique PID. In a single fabric, FC protocol guarantees that domain IDs are unique, and so a PID formed by a domain ID and area ID is unique within a fabric. However, the domain IDs and PIDs in one fabric may be duplicated within another fabric, just as IP addresses that are unique to one private network are likely to be duplicated within another private network.
Routing policies 3: Exchange Based Routing Policy 0: AP Shared Link Policy 1: AP Dedicated Link Policy Exchange-based routing The choice of routing path is based on the Source ID (SID), Destination ID (DID), and Fibre Channel originator exchange ID (OXID), optimizing path utilization for the best performance. Thus, every exchange can take a different path through the fabric.
Routing policies It is recommended that the default AP Shared Link Policy be used for most environments. Also, it is recommended that you design a SAN that will localize Host to Target traffic by reducing the amount of traffic through the router. The two additional AP policies supported under exchange-based routing are: •...
Route selection Selection of specific routes can be dynamic, so that the router can constantly adjust to changing network conditions; or it may be static, so that data packets always follow a predetermined path. Dynamic load sharing The exchange-based routing policy depends on the Fabric OS Dynamic Load Sharing feature (DLS) for dynamic routing path selection.
Frame order delivery Static routes are not supported on the Brocade 300, 4900, 5410, 5424, 5450, 5460, 5470, 5480, 5100, 5300, 5424, 7500, 7500E, 7600, 7800 and 8000 switches, and the Brocade 48000 or Brocade DCX or DCX-4S enterprise-class platforms. Instead, use the traffic isolation feature to create a dedicated path for interswitch traffic.
Lossless Dynamic Load Sharing on ports By default, out-of-order frame-based delivery is allowed to minimize the number of frames dropped. Enabling in-order delivery (IOD) guarantees that frames are either delivered in order or dropped. You should only force in-order frame delivery across topology changes if the fabric contains destination devices that cannot tolerate occasional out-of-order frame delivery.
Frame Redirection Example of how DLS affects other logical switches in the fabric On a Brocade DCX platform, logical switch 1 consists of ports 0 through 5 in slot 1. Logical switch 2 consists of ports 6–10 in slot 1. The lossless DLS feature is turned ON on logical switch 1. Because ports 0–10 in slot 1 belong to a logical switch where lossless DLS is turned on, the traffic in logical switch 2 is affected whenever traffic for logical switch 1 is rebalanced.
Frame Redirection Creating a frame redirect zone The first time this command is run the following zone objects are created by default: • The base zone object, "red_______base". • The RD zone configuration, "r_e_d_i_r_c__fg". 1. Connect to the switch and log in using an account assigned to the admin role. 2.
User accounts overview Fabric OS provides three options for authenticating users—remote RADIUS services, remote LDAP service, and the local switch user database. All options allow users to be centrally managed using the following methods: • Remote RADIUS server: Users are managed in a remote RADIUS server. All switches in the fabric can be configured to authenticate against the centralized remote database.
User accounts overview If some Admin Domains have been defined for the user and all of them are inactive, the user will not be allowed to log in to any switch in the fabric. If no Home Domain is specified for a user, the system provides a default home domain.
User accounts overview TABLE 10 RBAC permissions matrix (Continued) Category Role permission Admin Basic Fabric Operator Security Switch User Zone Switch Admin Admin Admin Admin Admin Debug Diagnostics Encryption Configuration Encryption Management Ethernet Configuration Fabric Fabric Distribution Fabric Routing Fabric Watch FICON FIPS Bootprom FIPS Configuration...
Local database user accounts TABLE 11 Maximum number of simultaneous sessions (Continued) Role name Maximum sessions User ZoneAdmin Local database user accounts User add, change, and delete operations are subject to the subset rule: an admin with ADlist 0-10 or LFlist 1-10 cannot perform operations on an admin, user, or any role with an ADlist 11-25 or LFlist 11-128.
Local database user accounts • userConfig showlf -l logicalFabric_ID for each LF in an LF_ID_list, displays a list of users that include that LF in their LF permissions. Creating an account 1. Connect to the switch and log in using an account assigned to the admin role. 2.
Local account database distribution Changing the password for the current login account 1. Connect to the switch and log in. 2. Enter the passwd command. 3. Enter the requested information at the prompts. Changing the password for a different account 1.
Password policies Rejecting distributed user databases on the local switch 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the fddCfg localreject PWD command. Password policies The password policies described in this section apply to the local switch user database only. Configured password policies (and all user account attribute and password state information) are synchronized across CPs and remain unchanged after an HA failover.
Password policies • Punctuation Specifies the minimum number of punctuation characters that must appear in the password. All printable, non-alphanumeric punctuation characters except the colon ( : ) are allowed. The default value is zero. The maximum value must be less than or equal to the MinLength value. •...
Password policies Password expiration policy The password expiration policy forces expiration of a password after a configurable period of time, and is enforced across all user accounts. A warning that password expiration is approaching is displayed when the user logs in. When a user’s password expires, he or she must change the password to complete the authentication process and open a user session.
Password policies • userConfig change account_name -u • passwdCfg disableadminlockout Note that the account-locked state is distinct from the account-disabled state. Use the following attributes to set the account lockout policy: • LockoutThreshold Specifies the number of times a user can attempt to log in using an incorrect password before the account is locked.
The boot PROM password The boot PROM password provides an additional layer of security by protecting the boot PROM from unauthorized use. Setting a recovery string for the boot PROM password enables you to recover a lost boot PROM password by contacting your switch service provider. Without the recovery string, a lost boot PROM password cannot be recovered.
The boot PROM password The recovery string must be between 8 and 40 alphanumeric characters. A random string that is 15 characters or longer is recommended for higher security. The firmware prompts for this password only once. It is not necessary to remember the recovery string because it is displayed the next time you enter the command shell.
The boot PROM password 5. At the shell prompt, enter the passwd command. NOTE The passwd command only applies to the boot PROM password when it is entered from the boot interface. 6. Enter the boot PROM password at the prompt, then re-enter it when prompted. The password must be eight alphanumeric characters (any additional characters are not recorded).
The authentication model using RADIUS and LDAP 8. Enter the boot PROM password at the prompt, then re-enter it when prompted. The password must be eight alphanumeric characters (any additional characters are not recorded). Record this password for future use. 9.
Page 128
The authentication model using RADIUS and LDAP

To enable RADIUS or LDAP service, it is strongly recommended that you access the CLI through an SSH connection so that the shared secret is protected. Multiple login sessions can configure simultaneously, and the last session to apply a change leaves its configuration in effect. After a configuration is applied, it persists after a reboot or an HA failover.

TABLE 13 Authentication configuration options (Continued)
aaaConfig option: radius --backup
Description: Authenticates management connections against any RADIUS databases. If RADIUS fails because the service is not available, it then authenticates against the local user database.
Equivalent setting in Fabric OS v5.1.0 and earlier: switchdb --authspec “radius;local”

You can set a user password expiration date and add a warning for RADIUS login. The password expiry date must be specified in UTC and in MM/DD/YYYY format. The password warning period specifies the number of days before the expiration date on which the user starts being warned that the password is about to expire.
Windows 2000 IAS

For example, to configure a Windows 2000 Internet Authentication Service (IAS) server to use a VSA to pass the Admin role to the switch in the dial-in profile, the configuration specifies the Vendor code (1588), Vendor-assigned attribute number (1), and attribute value (admin), as shown in Figure 7 on page 89.

Brocade-Passwd-ExpiryDate = "11/10/2008",
Brocade-Passwd-WarnPeriod = "30"

RADIUS configuration with Admin Domains or Virtual Fabrics

When configuring users with Admin Domains or Virtual Fabrics, you must also include the Admin Domain or Virtual Fabric member list. This section describes how you configure attribute types for this configuration.

Brocade-Auth-Role = "operator",
Brocade-AVPairs1 = "ADList=1,2;HomeAD=2",
Brocade-AVPairs2 = "ADList=-4-8,20;ADList=7,9,12"

In the next example, on a Linux FreeRADIUS server, the user takes the “zoneAdmin” role, with VFlist 2, 4, 5, 6, 7, 8, 10, 11, 12, 13, 15, 17, 19, 22, 23, 24, 25, 29, 31 and HomeLF 1.

user300 Auth-Type := Local, User-Password == "password"...

VENDOR Brocade 1588
# attributes
ATTRIBUTE Brocade-Auth-Role string Brocade
ATTRIBUTE Brocade-AVPairs1 string Brocade
ATTRIBUTE Brocade-AVPairs2 string Brocade
ATTRIBUTE Brocade-AVPairs3 string Brocade
ATTRIBUTE Brocade-AVPairs4 string Brocade
ATTRIBUTE Brocade-Passwd-ExpiryDate string Brocade
ATTRIBUTE Brocade-Passwd-WarnPeriod string Brocade

This defines the Brocade vendor ID as 1588, Brocade attribute 1 as Brocade-Auth-Role and attribute 6 as Brocade-Passwd-ExpiryDate; both are string values.
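An added example (not code from the guide or from Brocade) that encodes and decodes the Brocade VSAs above in the Vendor-Specific layout the dictionary macro implies (attribute 26, vendor id 1588, vendor type, vendor length = data + 2), expands AVPairs lists such as ADList=4-8,20 and merges them across attributes, and evaluates a Brocade-Passwd-ExpiryDate/WarnPeriod pair against a date. The vendor numbers for AVPairs1-4 and WarnPeriod, the exact RFC 2865 byte layout, the AVPairs grammar and the default-deny on malformed input are assumptions; only attribute numbers 1 and 6 and the sample strings come from the page.

```python
"""Brocade RADIUS VSA helpers. Added example; not code from the Fabric OS guide.

Assumptions (labelled): RFC 2865 Vendor-Specific layout as implied by the
page's dictionary macro (attribute 26, vid=1588, type1, len1 = data+2); the
AVPairs syntax "Key=v1,v2-v5;Key=v6" shown in the page's examples; expiry
date in MM/DD/YYYY (UTC) and warn period in days.
"""
import struct
from datetime import date, datetime

BROCADE_VENDOR_ID = 1588   # "VENDOR Brocade 1588" in the page's dictionary
VENDOR_SPECIFIC = 26       # RADIUS attribute number for Vendor-Specific

# Vendor attribute numbers: 1 (Auth-Role) and 6 (Passwd-ExpiryDate) are stated
# on the page; the others follow the dictionary order and are an assumption.
VSA_TYPES = {
    "Brocade-Auth-Role": 1,
    "Brocade-AVPairs1": 2,
    "Brocade-AVPairs2": 3,
    "Brocade-AVPairs3": 4,
    "Brocade-AVPairs4": 5,
    "Brocade-Passwd-ExpiryDate": 6,
    "Brocade-Passwd-WarnPeriod": 7,
}
VSA_NAMES = {number: name for name, number in VSA_TYPES.items()}


def encode_vsa(name: str, value: str) -> bytes:
    """Build one Vendor-Specific attribute: type 26, total length, vendor id,
    vendor type, vendor length (data + 2), data."""
    data = value.encode("ascii")
    if len(data) > 247:  # 255 max attr length - 2 hdr - 4 vid - 2 vendor hdr
        raise ValueError("VSA data too long for a single attribute")
    vendor_part = struct.pack("!IBB", BROCADE_VENDOR_ID, VSA_TYPES[name],
                              len(data) + 2) + data
    return struct.pack("!BB", VENDOR_SPECIFIC, len(vendor_part) + 2) + vendor_part


def decode_vsa(raw: bytes) -> tuple:
    """Parse one Vendor-Specific attribute back into (name, value), rejecting
    anything whose lengths or vendor id do not match the Brocade layout."""
    if len(raw) < 8 or raw[0] != VENDOR_SPECIFIC or raw[1] != len(raw):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id, vendor_type, vendor_len = struct.unpack("!IBB", raw[2:8])
    data = raw[8:]
    if vendor_id != BROCADE_VENDOR_ID or vendor_len != len(data) + 2:
        raise ValueError("vendor id or vendor length mismatch")
    if vendor_type not in VSA_NAMES:
        raise ValueError(f"unknown Brocade vendor type {vendor_type}")
    return VSA_NAMES[vendor_type], data.decode("ascii")


def parse_avpairs(*avpairs: str) -> dict:
    """Merge one or more AVPairs strings such as "ADList=1,2;HomeAD=2".
    List-valued keys (ADList, VFlist) accept ranges like 4-8 and are unioned
    across attributes; scalar keys (HomeAD, HomeLF) take the last value."""
    result: dict = {}
    for text in avpairs:
        for pair in filter(None, text.split(";")):
            key, sep, value = pair.partition("=")
            if not sep or not value:
                raise ValueError(f"malformed AV pair {pair!r}")
            if key.lower().endswith("list"):
                members = result.setdefault(key, set())
                for item in value.split(","):
                    low, _, high = item.partition("-")
                    lo, hi = int(low), int(high) if high else int(low)
                    if hi < lo:
                        raise ValueError(f"inverted range {item!r}")
                    members.update(range(lo, hi + 1))
            else:
                result[key] = int(value)
    return result


def password_status(expiry_date: str, warn_period: str, today: date) -> str:
    """Classify a password as ok, warning (inside the warn period) or expired,
    from the MM/DD/YYYY UTC expiry date and warn period (days) in the VSAs."""
    expires = datetime.strptime(expiry_date, "%m/%d/%Y").date()
    remaining = (expires - today).days
    if remaining < 0:
        return "expired"
    if remaining <= int(warn_period):
        return f"warning: expires in {remaining} days"
    return "ok"


if __name__ == "__main__":
    attr = encode_vsa("Brocade-Auth-Role", "admin")
    print(attr.hex(), decode_vsa(attr))
    print(parse_avpairs("ADList=1,2;HomeAD=2", "ADList=4-8,20;ADList=7,9,12"))
    print(password_status("11/10/2008", "30", date(2008, 10, 20)))
```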
When you use Network Information Service (NIS) for authentication, the only way to enable authentication with the password file is to force the Brocade switch to authenticate using the Password Authentication Protocol (PAP); this requires the -a pap option with the aaaConfig command.

NOTE
If a user is configured before reverse password encryption is enabled, the user’s password is stored in a form that cannot be used for CHAP. To use CHAP, the password must be re-entered after encryption is enabled. If the password is not re-entered, CHAP authentication will not work and the user will be unable to authenticate from the switch.

RSA RADIUS server

Traditional password-based authentication methods are based on one-factor authentication, where you confirm your identity using a memorized password. Two-factor authentication increases security by using a second factor to corroborate identification. The first factor is either a PIN or password and the second factor is the RSA SecurID token.

###########################################################################
# brocade.dct -- Brocade Dictionary
# (See readme.dct for more details on the format of this file)
###########################################################################
# Use the Radius specification attributes in lieu of the Brocade one:
@radius.dct
MACRO Brocade-VSA(t,s) 26 [vid=1588 type1=%t% len1=+2 data=%s%]
ATTRIBUTE Brocade-Auth-Role Brocade-VSA(1,string) r...

When selecting items from the Add Return List Attribute, select Brocade-Auth-Role and type the string Admin. The string will equal the role on the switch.
d. Add the Brocade profile.
e. In RSA Authentication Manager, edit the user records that will be authenticating using RSA SecurID.

Use the ldapCfg --maprole ldap_role_name switch_role command to map an LDAP server role to one of the default roles available on the switch.
4. Associate the user with the group by adding the user to the group. For instructions on creating a user in your Active Directory, refer to www.microsoft.com or the Microsoft documentation.
Adding an Admin Domain or Virtual Fabric list

1. From the Windows Start menu, select Programs > Administrative Tools > ADSI.msc. ADSI is a Microsoft Windows Resource Utility and must be installed to proceed with the rest of the setup.

Authentication servers on the switch

At least one RADIUS or LDAP server must be configured before you can enable RADIUS or LDAP service. You can configure the RADIUS or LDAP service even if it is disabled on the switch. You can configure up to five RADIUS or LDAP servers.

When the command succeeds, the event log indicates that the server is removed.

Changing a RADIUS or LDAP server configuration

1. Connect to the switch and log in using an account assigned to the admin role.
2.
TABLE 16 Secure protocol support
Protocol: Secure Shell (SSH)
Description: SSH is a network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and, if necessary, to allow the remote computer to authenticate the user.

Secure Copy

Setting up SCP for configUploads and downloads

1. Log in to the switch as admin.
2. Type the configure command.
3. Type y or yes at the cfgload attributes prompt.
4. Type y or yes at the Enforce secure configUpload/Download prompt.

Example of setting up SCP for configUpload/download

switch:admin>...

Secure Shell protocol

SSH public key authentication

OpenSSH public key authentication provides password-less logins (known as SSH authentication) that use public and private key pairs for incoming and outgoing authentication. This feature allows only one allowed user to be configured to use OpenSSH public key authentication. With OpenSSH RSA and DSA, the authentication protocols are based on a pair of specially generated cryptographic keys, called the private key and the public key.
Example of RSA/DSA key pair generation

alloweduser@mymachine: ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/users/alloweduser/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /users/alloweduser/.ssh/id_dsa.
Your public key has been saved in /users/alloweduser/.ssh/id_dsa.pub.

Use the sshUtil delpubkeys command to delete all public keys. For more information on IP Filter policies, refer to Chapter 7, “Configuring Advanced Security Features”.

Secure Sockets Layer protocol

The Secure Sockets Layer (SSL) protocol provides secure access to a fabric through Web-based management tools like Web Tools.

a. A public and private key, by using the secCertUtil genkey command.
b. A certificate signing request (CSR), by using the secCertUtil gencsr command.
3. Store the CSR on a file server by using the secCertUtil export command.
4.
Generating new rsa public/private key pair
Done.

Because CA support for the 2048-bit key size is limited, you should select 1024 in most cases.

Generating and storing a CSR

After generating a public/private key, perform this procedure on each switch.

1.

4. Enter the secCertUtil showcsr command. The contents of the CSR are displayed.
5. Locate the section that begins with “BEGIN CERTIFICATE REQUEST” and ends with “END CERTIFICATE REQUEST”.
6. Copy and paste this section (including the BEGIN and END lines) into the area provided in the request form;...

5. Follow the instructions in the Certificate Import wizard to import the certificate.

Checking and installing root certificates on Mozilla Firefox

1. Select Tools > Options.
2. Click Advanced.
3. Click the Encryption tab.
4. Click View Certificates > Authorities tab and scroll the list to see if the root certificate is listed. For example, its name may have the form nameRoot.crt.
In the example, changeit is the default password and RootCert is an example root certificate name.

Simple Network Management Protocol

The Simple Network Management Protocol (SNMP) is a standard method for monitoring and managing network devices. Using SNMP components, you can program tools to view, browse, and manipulate Brocade switch variables and set up enterprise-level management processes.

SNMP and Virtual Fabrics

When an SNMPv3 request arrives with a particular username, it executes in the home Virtual Fabric. From the SNMP manager, all SNMPv3 requests must have a home Virtual Fabric that is specified in the contextName field. Whenever the home Virtual Fabric is specified, it is converted to the corresponding switch ID and the home Virtual Fabric is set.

The snmpConfig command

Use the snmpConfig set command to change either the SNMPv3 or SNMPv1 configuration. You can also change access control, MIB capability, and system group. For details on Brocade MIB files, naming conventions, loading instructions, and information about using the Brocade SNMP agent, see the Fabric OS MIB Reference.
Telnet protocol

switch:admin> ipfilter --activate BlockTelnet

9. Verify that the new policy is active (the default_ipv4 policy should be displayed as defined).

switch:admin> ipfilter --show
Name: BlockTelnet, Type: ipv4, State: defined
Rule | Source IP | Protocol | Dest Port | Action
deny permit permit permit permit permit...

Listener applications

Brocade switches block Linux subsystem listener applications that are not used to implement supported features and capabilities. Table 20 lists the listener applications that Brocade switches either block or do not start.

TABLE 20 Blocked listener applications
Listener application | Brocade 48000 director and Brocade DCX | Brocade 300, 4100, 4900, 5000, 5410, 5424,...

Ports and applications used by switches

Port configuration

Table 22 provides information on ports that the switch uses. When configuring the switch for various policies, take into consideration firewalls and other devices that may sit between switches in the fabric and your network or between the managers and the switch.

TABLE 22 Port information
Port...
ACL policy management

Policies with the same state are grouped together in a Policy Set. Each switch has the following two sets:
• Active policy set, which contains ACL policies being enforced by the switch.
• Defined policy set, which contains a copy of all ACL policies on the switch.
When a policy is activated, the defined policy either replaces the policy with the same name in the active set or becomes a new active policy.

Displaying ACL policies

You can view the active and defined policy sets at any time. Additionally, in a defined policy set, policies created in the same login session also appear, but these policies are automatically deleted if you log out without saving them.

1.

Adding a member to an existing ACL policy

As soon as a policy has been activated, the aspect of the fabric managed by that policy is enforced.

1. Connect to the switch and log in using an account assigned to the admin role.
2.
FCS policies

In base Fabric OS, Fabric Configuration Server (FCS) policy may be managed on a local switch basis, and this may be done on any switch in the fabric. The FCS policy is not present by default, but must be created. When the FCS policy is created, the WWN of the local switch is automatically included in the FCS list.

Table 25 shows the commands for switch operations for Primary FCS enforcement.

TABLE 25 FCS switch operations
Allowed on FCS switches:
• secPolicyAdd (allowed on all switches for SCC and DCC policies as long as it is not fabric-wide)
• secPolicyCreate (allowed on all switches for SCC and ...
Allowed on all switches:
• secPolicyShow
• fddCfg localaccept or fddCfg...

3. To save or activate the new policy, enter either the secPolicySave or the secPolicyActivate command. Once the policy has been activated, you can distribute the policy.

NOTE
FCS policy must be consistent across the fabric. If the policy is inconsistent in the fabric, you will not be able to perform any fabric-wide configurations from the primary FCS.
Only the Primary FCS switch is allowed to distribute the database. The FCS policy may need to be manually distributed across the fabric using the distribute -p command. Because this policy is distributed manually, the fddCfg --fabwideset command is used to distribute a fabric-wide consistency policy for FCS policy in an environment consisting of only Fabric OS v6.1.0 and later switches.

DCC policies

Table 27 shows the possible DCC policy states.

TABLE 27 DCC policy states
Policy state | Characteristics
No policy | Any device can connect to any switch port in the fabric.
Policy with no entries | Any device can connect to any switch port in the fabric. An empty policy is the same as no policy.

1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the secPolicyCreate “DCC_POLICY_nnn” command. DCC_POLICY_nnn is the name of the DCC policy; nnn is a string consisting of up to 19 alphanumeric or underscore characters to differentiate it from any other DCC policies.
SCC policies

The switch connection control (SCC) policy is used to restrict which switches can join the fabric. Switches are checked against the policy each time an E_Port-to-E_Port connection is made. The policy is named SCC_POLICY and accepts members listed as WWNs, domain IDs, or switch names. Only one SCC policy can be created.
Authentication policy for fabric elements

By default, Fabric OS v6.1.0 and later use the DH-CHAP or FCAP protocols for authentication. These protocols use shared secrets and digital certificates, based on switch WWN and public key infrastructure (PKI) technology, to authenticate switches. Authentication automatically defaults to FCAP if both switches are configured to accept the FCAP protocol in authentication.

The DH group is used in the DH-CHAP protocol only. The FCAP protocol exchanges the DH group information, but does not use it.

Virtual Fabric considerations: If a Virtual Fabric is enabled, all AUTH module parameters, such as shared secrets and shared switch and device policies, are logical switch-wide.

CAUTION
If data input has not been completed and a failover occurs, the command is terminated without completion and your entire input is lost. If data input has completed and the Enter key has been pressed when a failover occurs, data may or may not be replicated to the other CP, depending on the timing of the failover.

Example of setting the Device policy to passive mode:

switch:admin> authutil --policy -dev passive
Warning: Activating the authentication policy requires DH-CHAP secrets on both switch and device.
Otherwise, the F-port will be disabled during next F-port bring-up.
Viewing the current authentication parameter settings for a switch

1. Log in to the switch using an account assigned to the admin role.
2. Enter the authUtil --show command.

Example of output from the authUtil --show command

AUTH TYPE | HASH TYPE | GROUP TYPE...

Example for enterprise-class platforms using the slot/port format

switch:admin> authutil --authinit 1/1, 1/2

Secret key pairs

When you configure the switches at both ends of a link to use DH-CHAP for authentication, you must also define a secret key pair—one for each end of the link. Use the secAuthSecret command to perform the following tasks:
•...

This command is used to set up secret keys for DH-CHAP authentication. The minimum length of a secret key is 8 characters and the maximum is 40 characters. Setting up secret keys does not initiate DH-CHAP authentication.
IP Filter policy

The IP Filter policy is a set of rules applied to the IP management interfaces as a packet filtering firewall. The firewall permits or denies traffic through the IP management interfaces according to the policy rules.

For each IP Filter policy, the policy name, type, persistent state and policy rules are displayed. The policy rules are listed by rule number in ascending order. There is no pagination stop for multiple screens of information; pipe the output to the more command (| more) to page through it. If a temporary buffer exists for an IP Filter policy, the show subcommand displays the content of the temporary buffer, with the persistent state set to no.
Each rule contains the following elements:
• Source Address: A source IP address or a group prefix.
• Destination Port: The destination port number or name, such as Telnet, SSH, HTTP, HTTPS.
• Protocol: The protocol type. Supported types are TCP or UDP.
•...

For every IP Filter policy, the two rules listed in Table 30 are always assumed to be appended implicitly to the end of the policy. This ensures that TCP and UDP traffic to dynamic port ranges is allowed, so that management IP traffic initiated from a switch, such as syslog, RADIUS and FTP, is not affected.

NOTE
If a switch is part of a LAN behind a Network Address Translation (NAT) server, depending on the NAT server configuration, the source address in an IP Filter rule may have to be the NAT server address.
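An added example, not code from the guide or from Brocade, that models the rule evaluation described above: rules checked in ascending rule number with the first match deciding, the two implicit rules appended after the policy, and a check for rules that can never fire because an earlier rule already covers them. The contents of the implicit rules (TCP and UDP to 1024-65535), the default deny for a packet matching nothing, and the BlockTelnet policy contents are assumptions made for the example.

```python
"""Model of Fabric OS IP Filter rule evaluation. Added example; not code from
the Fabric OS guide.

Assumptions (labelled): first match in ascending rule order wins; the two
implicit trailing rules (the page's Table 30 is not reproduced here) permit
TCP and UDP to the dynamic port range 1024-65535; a packet matching no rule is
denied. BLOCK_TELNET is a constructed policy modelled on the page's
ipfilter --show output, not the switch's real default policy.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    source: str     # "any" or an address / group prefix such as "10.1.2.0/24"
    dest_port: str  # single port "23" or range "1024-65535"
    protocol: str   # "tcp" or "udp"
    action: str     # "permit" or "deny"

    def __post_init__(self):
        # Reject malformed rules at construction time rather than at match time.
        if self.protocol not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {self.protocol!r}")
        if self.action not in ("permit", "deny"):
            raise ValueError(f"unsupported action {self.action!r}")
        lo, hi = self.port_range()
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec {self.dest_port!r}")
        if self.source != "any":
            ip_network(self.source, strict=False)  # raises on a bad prefix

    def port_range(self):
        low, _, high = self.dest_port.partition("-")
        return int(low), int(high) if high else int(low)

    def matches(self, src, port, proto):
        lo, hi = self.port_range()
        return (self.protocol == proto and lo <= port <= hi
                and (self.source == "any"
                     or ip_address(src) in ip_network(self.source, strict=False)))


# Assumed implicit rules appended after every policy (see module docstring).
IMPLICIT_RULES = (
    Rule("any", "1024-65535", "tcp", "permit"),
    Rule("any", "1024-65535", "udp", "permit"),
)

# Constructed policy: deny Telnet, keep SSH, HTTP/HTTPS and SNMP reachable.
BLOCK_TELNET = [
    Rule("any", "23", "tcp", "deny"),
    Rule("any", "22", "tcp", "permit"),
    Rule("any", "80", "tcp", "permit"),
    Rule("any", "443", "tcp", "permit"),
    Rule("any", "161", "udp", "permit"),
]


def evaluate(policy, src, port, proto):
    """Return (action, rule_number) for a packet. rule_number 0 means no rule,
    explicit or implicit, matched and the packet was denied by default."""
    for number, rule in enumerate([*policy, *IMPLICIT_RULES], start=1):
        if rule.matches(src, port, proto):
            return rule.action, number
    return "deny", 0


def shadowed_rules(policy):
    """Rule numbers that can never fire because an earlier rule with the same
    protocol already covers their source and their entire port range.
    (Only source 'any' or an identical source string is treated as covering;
    nested prefixes are not analysed.)"""
    shadowed = []
    for i, later in enumerate(policy):
        lo, hi = later.port_range()
        for earlier in policy[:i]:
            elo, ehi = earlier.port_range()
            if (earlier.protocol == later.protocol and elo <= lo and hi <= ehi
                    and earlier.source in ("any", later.source)):
                shadowed.append(i + 1)
                break
    return shadowed


if __name__ == "__main__":
    for port, proto in ((23, "tcp"), (22, "tcp"), (5000, "tcp"), (514, "udp")):
        print(port, proto, evaluate(BLOCK_TELNET, "10.1.2.3", port, proto))
    print("shadowed:", shadowed_rules(BLOCK_TELNET))
```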
Policy database distribution

Fabric OS lets you manage and enforce the ACL policy database on either a per-switch or fabric-wide basis. The local switch distribution setting and the fabric-wide consistency policy affect the switch ACL policy database and related distribution behavior. The ACL policy database is managed as follows:
•...

An error is returned indicating that the distribution setting must be set to accept before you can set the fabric-wide consistency policy.

Database distribution settings

The distribution settings control whether a switch accepts or rejects distributions of databases from other switches and whether or not the switch may initiate a distribution. Configure the distribution setting to reject when maintaining the database on a per-switch basis.

Disabling local switch protection

1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the fddCfg localaccept command.

ACL policy distribution to other switches

This section explains how to manually distribute local ACL policy databases. The distribute command has the following dependencies:
•...
TABLE 34 Fabric-wide consistency policy settings
Setting | Value | When a policy is activated
Absent | null | Database is not automatically distributed to other switches in the fabric.
Tolerant | database_id | All updated and new policies of the type specified (SCC, DCC, or both) are distributed to all Fabric OS v6.1.0 and later switches in the fabric.

Notes on joining a switch to the fabric

When a switch is joined to a fabric with a tolerant SCC or DCC fabric-wide consistency policy, the joining switch must have a matching tolerant SCC or DCC fabric-wide consistency policy. If the tolerant SCC or DCC fabric-wide consistency policies do not match, the switch can join the fabric, but an error message flags the mismatch.
Table 35 describes the impact of merging fabrics with the same fabric-wide consistency policy that have SCC, DCC, or both policies.

TABLE 35 Merging fabrics with matching fabric-wide consistency policies
Fabric-wide consistency policy | Fabric A ACL policies | Fabric B ACL policies | Merge | Database copied...

Table 37 has a matrix of merging fabrics with tolerant and absent policies.

TABLE 37 Fabric merges with tolerant/absent combinations
Fabric-wide consistency policy setting (Fabric A | Fabric B) | Expected behavior
Tolerant/Absent | SCC;DCC | Error message logged. Run fddCfg --fabwideset “<policy_ID>”...
Management interface security

Configuration examples

Below are several examples of various configurations you can use to implement an IPsec tunnel between two devices. You can configure other scenarios as nested combinations of these configurations.

Endpoint-to-Endpoint Transport or Tunnel

In this scenario, both endpoints of the IP connection implement IPsec, as required of hosts in RFC 4301.

Endpoint-to-Gateway Tunnel

In this scenario, a protected endpoint (typically a portable computer) connects back to its corporate network through an IPsec-protected tunnel. It might use this tunnel only to access information on the corporate network, or it might tunnel all of its traffic back through the corporate network in order to take advantage of the protection a corporate firewall provides against Internet-based attacks.

Security associations

A security association (SA) is the collection of security parameters and authenticated keys that are negotiated between IPsec peers. For the peers to be able to encapsulate and decapsulate the IPsec packets, they need a way to store the secret keys, algorithms, and IP addresses involved in the communication.

TABLE 38 Algorithms and associated authentication policies
Algorithm | Encryption Level | Policy Description
3des_cbc | 168-bit | Triple DES is a more secure variant of DES. It uses three different 56-bit keys to encrypt blocks of 64-bit plain text. The algorithm is FIPS-approved for use by Federal agencies.

Key management

IPsec key management supports Internet Key Exchange or manual key/SA entry. The Internet Key Exchange (IKE) protocol handles key management automatically. SAs require keying material for authentication and encryption. The management of the keying material that SAs require is called key management.

Creating the tunnel

Each side of the tunnel must be configured in order for the tunnel to come up. Once you are logged in to the switch, do not log off, as each step requires that you are logged in to the switch. IPsec configuration changes take effect upon execution and are persistent across reboots.

Example of creating an IPsec transform

This example creates an IPsec transform TRANSFORM01 that uses transport mode to protect traffic identified for IPsec protection and uses IKE01 as the key management policy.

switch:admin> ipsecconfig --add policy ips transform -t TRANSFORM01 \
-mode transport -sa-proposal IPSEC-AH \
-action protect -ike IKE01

9.
1. On the system console, log in to the switch as Admin.
2. Enable IPsec.
   a. Connect to the switch and log in using an account assigned to the admin role.
   b. Enter the ipsecConfig enable command to enable IPsec on the switch.
3.
a. Initiate a Telnet, SSH or ping session from BRCD300 to Remote Host.
b. Verify that the IP traffic is encapsulated.

Monitor IPsec SAs created using IKE for the above traffic flow.
• Use the ipsecConfig --show manual-sa -a command with the operands specified to display the outbound and inbound SAs in the kernel SADB.
Configuration settings

If you have the chassis role permissions added to your user account, then the following options are available whether you are uploading or downloading a configuration file:
-fid   Uploads the specified FID’s configuration.
-all   Uploads all of the system’s configuration, including the chassis section and all switch sections for all logical switches.

Configuration file backup

• chassis configuration
• FCoE chassis configuration
• licensesDB
• bottleneck configuration
• DMM_WWN
• licenses
• GE blade mode
• Fabric Watch chassis configuration

Switch section

There is always at least one switch section for the default switch or a switch that has Virtual Fabric mode disabled, and there are additional sections corresponding to each additionally defined logical switch instance on a switch with Virtual Fabrics mode enabled.

Uploading a configuration file in interactive mode

1. Verify that the FTP or SCP service is running on the host computer.
2. Connect to the switch and log in as admin.
3. Enter the configUpload command. The command becomes interactive and you are prompted for the required information.

Configuration file restoration

If a configDownload command is issued on a non-FCR platform, for example, the configuration file from a Brocade 7500 downloads to a Brocade 7600, any FCR-like parameters may be viewed in the downloaded data. This is harmless to the switch and can be ignored. Configuration management supports configDownload with 6.1.x or 6.2.0 configuration files.

In case something happens to your switch and you need to set it up again, run the commands listed in Table 39 and save the output in a file format. Store the files in a safe place for emergency reference.
Restoring a configuration

CAUTION
Using the SFID parameter erases all configuration information on the logical switch. Use this parameter only when the logical switch has no configuration information you want to save.

1. Verify that the FTP service is running on the server where the backup configuration file is located.

Do you want to continue [y/n]: y
Password: <hidden>
configDownload complete.

Example of a configDownload with Admin Domains

The following example shows configDownload run on a switch with Admin Domains:

switch:AD5:admin>configdownload
Protocol (scp or ftp) [ftp]:
Server Name or IP Address [host]: 10.1.2.3
User Name [user]: UserFoo
Path/Filename [<home dir>/config.txt]: /pub/configurations/config.txt
*** CAUTION ***...

Configurations across a fabric

TABLE 40 Backup and restore in a FICON CUP environment
ASM bit | Command | Description
on or off | configUpload | All the files saved in the file access facility are uploaded to the management workstation. A section in the uploaded configuration file labeled FICON_CUP is in an encoded format.

Configuration Management for Virtual Fabrics

3. Run configDefault on each of the target switches, and then use the configDownload command to download the configuration file to each of the target switches. See “Configuration file restoration” on page 163 for more information.

Security considerations

Security parameters and the switch's identity cannot be changed by the configDownload command.

Do you want to continue [y/n]: y
(output truncated)

Restrictions
• The -vf option is incompatible with the -fid, -sfid, or -all options. Any attempt to combine it with any of the other three will fail the configupload/download operation.
•...
Brocade configuration form

TABLE 41 Brocade configuration and connection (Continued)
Brocade configuration settings
Total number of devices in fabric (nsAllShow)
Total number of switches in the fabric (fabricShow)
Firmware download process overview

You can download Fabric OS to a director, which is a chassis, and to a nonchassis-based system, also referred to as a switch. The difference in the download process is that directors have two CPs and nonchassis-based systems have one CP. Use the firmwareDownload command to download the firmware to the switch from either an FTP or SSH server, using the FTP or SCP protocol respectively.

In most cases, you will be upgrading firmware; that is, installing a newer firmware version than the one you are currently running. However, some circumstances may require installing an older version; that is, downgrading the firmware. The procedures in this section assume that you are upgrading firmware, but they work for downgrading as well, provided the old and new firmware versions are compatible.

Preparing for a firmware download

A nondisruptive firmware download, which is performed by entering the firmwareDownload command without the -s operand, is only supported if you are upgrading from Fabric OS 6.1.x to 6.2.0. If you are downgrading from Fabric OS 6.2.0 to v6.1.x, you must enter the firmwareDownload -s command option as discussed in “Test and restore firmware on switches”...

Connected switches

Before you upgrade the firmware on your switch, you will need to check the connected switches to ensure compatibility and that any older versions are supported. Refer to the Fabric OS Compatibility section of the Brocade Fabric OS Release Notes for the recommended firmware version.

Firmware download on switches

Brocade 300, 4100, 4900, 5000, 5410, 5424, 5450, 5460, 5470, 5480, 5100, 5300, 5424, 7500, 7500E, 7600, 7800 and 8000 switches maintain primary and secondary partitions for firmware. The firmwareDownload command defaults to an autocommit option that automatically copies the firmware from one partition to the other.
Upgrading firmware for Brocade 300, 4100, 4900, 5000, 5410, 5424, 5450, 5460, 5470, 5480, 5100, 5300, 5424, 7500, 7500E, 7600, 7800 and 8000 switches

1. Take the appropriate action based on what service you are using:
•...

This command will cause a warm/non-disruptive boot on the switch, but will require that existing telnet, secure telnet or SSH sessions be restarted.
Do you want to continue [Y]: y
Firmware is being downloaded to the switch. This step may take up to 30 minutes.
Firmware download on an enterprise-class platform

6. The new standby CP blade (the active CP blade before the failover) downloads firmware.
7. The new standby CP blade reboots and comes up with the new Fabric OS.
8. The new active CP blade synchronizes its state with the new standby CP blade.
9.
Firmware download on an enterprise-class platform HA enabled, Heartbeat Up, HA State synchronized CP blades must be synchronized and running Fabric OS v6.0.0 or later to provide a nondisruptive download. If the two CP blades are not synchronized, enter the haSyncStart command to synchronize them.
Firmware download on an enterprise-class platform The firmware is being downloaded to the Standby CP. It may take up to 10 minutes Do you want to continue [Y]: y 9. Optionally, after the failover, connect to the switch, and log in again as admin. Using a separate session to connect to the switch, enter the firmwareDownloadStatus command to monitor the firmware download status.
Firmware download from a USB device The Brocade 300, 5100, 5300, 7800, and 8000 switches and the Brocade DCX and DCX-4S Backbones support a firmware download from a Brocade branded USB device attached to the switch or active CP.
SAS and SA applications The firmwareDownload command supports downloading application images such as storage application service (SAS) and Data Migration Manager (DMM) to the FA4-18 blade and the Brocade 7600. By default, the FA4-18 blade and the Brocade 7600 ship with the latest versions of SAS and Fabric OS.
FIPS Support Example of a SAS firmwareDownload The following example shows the download of a SAS image to slots 1 and 3 on a Brocade 48000 director in interactive mode. switch:admin> firmwareDownload Type of Firmware (FOS, SAS, or any application) [FOS]:SAS Target Slots (all, or slot numbers) [all]: 1,3 Server Name or IP Address: 10.1.2.3 Network Protocol (1-auto-select, 2-FTP, 3-SCP) [1]:...
FIPS Support NOTE If FIPS is enabled, all logins should be done through SSH or direct serial and the transfer protocol should be SCP. Updating the firmware key 1. Log in to the switch as admin. 2. Type the firmwareKeyUpdate command and respond to the prompts. The firmwareDownload Command As mentioned previously, the public key file will need to be packaged, installed, and run on your switch before downloading a signed firmware.
Test and restore firmware on switches Power-on Firmware Checksum Test FIPS requires the checksums of the executables and libraries on the filesystem to be validated before Fabric OS modules are launched. This is to make sure these files have not been changed after they are installed.
Test and restore firmware on switches User Name: userfoo File Name: /home/userfoo/v6.3.0 Password: <hidden> Do Auto-Commit after Reboot [Y]: n Reboot system after download [N]: y Firmware is being downloaded to the switch. This step may take up to 30 minutes.
Test and restore firmware on enterprise-class platforms This procedure enables you to perform a firmware download on each CP and verify that the procedure was successful before committing to the new firmware. The old firmware is saved in the secondary partition of each CP until you enter the firmwareCommit command.
Test and restore firmware on enterprise-class platforms d. Enter the haFailover command. The active CP will reboot and the current enterprise-class platform session will be disconnected. If an AP blade is present: At the point of the failover an autoleveling process is activated. See “Enterprise-class platform firmware download process overview”...
Test and restore firmware on enterprise-class platforms a. From the current enterprise-class platform session on the active CP, enter the firmwareShow command and confirm that only the active CP secondary partition contains the old firmware. b. Enter the firmwareCommit command to update the secondary partition with the new firmware.
Validating a firmware download Validate the firmware download by running the following commands: firmwareShow, firmwareDownloadStatus, nsShow, nsAllShow, and fabricShow. NOTE When you prepared for the firmware download earlier, you issued either the supportShow or supportSave command. Although you can issue the command again and compare the output from before and after, it may take up to 30 minutes for the command to execute.
Validating a firmware download nsShow Displays all devices directly connected to the switch that have logged into the name server. Make sure the number of attached devices after the firmware download is exactly the same as the number of attached devices prior to the firmware download. nsAllShow Displays all devices connected to a fabric.
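The nsShow comparison described above, as an added example that is not part of the Fabric OS guide: it parses two nsShow captures (constructed sample data modelled on the guide's listing) and diffs them per device, because an unchanged device count can hide one device that never logged back in while another appeared.

```python
"""Check a firmware download by diffing nsShow output captured before and after.

Added example, not part of the Fabric OS guide. The two captures are constructed
sample data modelled on the guide's nsShow listing; the device-count check the
guide asks for is extended to a per-device comparison keyed on port WWN.
"""
import re

# Constructed sample: nsShow on the switch before the firmware download.
NSSHOW_BEFORE = """\
 Type Pid    COS     PortName                NodeName                 TTL(sec)
 N    0120d6;      3;21:00:00:04:cf:e7:74:cf;20:00:00:04:cf:e7:74:cf; na
    FC4s: FCP [SEAGATE ST336607FC 0004]
    Fabric Port Name: 20:20:00:60:69:e0:01:56
    Permanent Port Name: 21:00:00:04:cf:e7:74:cf
    Port Index: 32
    Share Area: No
    Device Shared in Other AD: No
 N    0120d9;      3;21:00:00:04:cf:e7:73:7e;20:00:00:04:cf:e7:73:7e; na
    FC4s: FCP [SEAGATE ST336607FC 0004]
    Port Index: 33
The Local Name Server has 2 entries }
"""

# Constructed sample: after the download one disk has not logged back in and
# an iSCSI virtual initiator appears, so the raw count is unchanged (2 == 2).
NSSHOW_AFTER = """\
 Type Pid    COS     PortName                NodeName                 TTL(sec)
 N    0120d6;      3;21:00:00:04:cf:e7:74:cf;20:00:00:04:cf:e7:74:cf; na
    FC4s: FCP [SEAGATE ST336607FC 0004]
    Port Index: 32
 N    012c00;      3;50:06:06:9e:00:15:63:20;50:06:06:9e:00:15:63:21; na
    FC4s: FCP
    PortSymb: [23] "iSCSI Virtual Initiator"
    Port Index: 44
The Local Name Server has 2 entries }
"""

WWN = r"(?:[0-9a-f]{2}:){7}[0-9a-f]{2}"
# One name-server entry line: Type Pid; COS; PortName; NodeName; TTL
ENTRY_RE = re.compile(
    r"^\s*(?P<type>[NL]{1,2})\s+(?P<pid>[0-9a-f]{6});\s*(?P<cos>\d+);"
    rf"(?P<pwwn>{WWN});(?P<nwwn>{WWN});\s*(?P<ttl>\S+)",
    re.IGNORECASE,
)


def parse_nsshow(text):
    """Return {port_wwn: {"pid", "node_wwn", "port_index"}} for each entry.

    Port WWN is the key because a device keeps it across the download even
    if it logs back in with a different PID (i.e. on a different port).
    """
    devices, current = {}, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {"pid": m["pid"].lower(), "node_wwn": m["nwwn"].lower(),
                       "port_index": None}
            devices[m["pwwn"].lower()] = current
        elif current is not None and line.strip().startswith("Port Index:"):
            current["port_index"] = int(line.split(":", 1)[1])
    return devices


def compare_nsshow(before_text, after_text):
    """Diff two captures: counts, missing/new devices, devices that moved PID."""
    before, after = parse_nsshow(before_text), parse_nsshow(after_text)
    missing = sorted(set(before) - set(after))
    new = sorted(set(after) - set(before))
    moved = sorted(w for w in set(before) & set(after)
                   if before[w]["pid"] != after[w]["pid"])
    return {
        "count_before": len(before),
        "count_after": len(after),
        "missing": missing,
        "new": new,
        "moved": moved,
        # Pass only when the same devices are attached, not merely the same number.
        "ok": not missing and not new,
    }


if __name__ == "__main__":
    result = compare_nsshow(NSSHOW_BEFORE, NSSHOW_AFTER)
    print(f"attached devices before/after: {result['count_before']}/{result['count_after']}")
    for wwn in result["missing"]:
        print("missing after download:", wwn)
    for wwn in result["new"]:
        print("new after download:", wwn)
    for wwn in result["moved"]:
        print("logged in with a different PID:", wwn)
    print("validation", "PASSED" if result["ok"] else "FAILED")
```

Run it against the real captures by saving nsShow output to files before and after the download and passing their contents to compare_nsshow.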
Logical switch overview This chapter describes the logical switch and logical fabric features. For information about device sharing with Virtual Fabrics, see “FC-FC Routing and Virtual Fabrics” on page 496. The following platforms are Virtual Fabrics-capable: • Brocade DCX and DCX-4S •...
Logical switch overview [FIGURE 14 Switch before and after enabling Virtual Fabrics: the physical chassis before enabling Virtual Fabrics, and the physical chassis containing the default logical switch after enabling Virtual Fabrics] After you enable Virtual Fabrics, you can create up to eight logical switches, depending on the switch model.
Logical switch overview Logical switches and fabric IDs When you create a logical switch, you must assign it a fabric ID (FID). The fabric ID uniquely identifies each logical switch within a chassis and indicates to which fabric the logical switch belongs.
Logical switch overview [FIGURE 17 Assigning ports to logical switches: Logical switch 1 (Default logical switch), Logical switch 2, Logical switch 3 and Logical switch 4, shown before and after port assignment] A given port is always in one (and only one) logical switch.
Logical fabric overview You can also connect other switches to logical switches. In Figure 18, P6 is an E_Port that forms an ISL between Logical switch 4 and the non-Virtual Fabrics switch. Logical switch 4 is the only logical switch that can communicate with the non-Virtual Fabrics switch and D2, because the other logical switches are in different fabrics.
Logical fabric overview You connect logical switches to other logical switches in two ways: • Using ISLs • Using base switches and shared ISLs Logical fabric and ISLs Figure 20 shows two physical chassis divided into logical switches. In Figure 20, ISLs are used to connect the logical switches with fabric ID 1 and the logical switches with fabric ID 15.
Logical fabric overview NOTE Only logical switches with the same FID can form a fabric. If you connect two logical switches with different FIDs, the link between the switches segments. Logical fabric and ISL sharing Another way to connect logical switches is using extended ISLs and base switches. When you divide a chassis into logical switches, you can designate one of the switches to be a base switch.
Logical fabric overview Traffic between the logical switches can now flow across this XISL. The traffic can flow only between logical switches with the same fabric ID. For example, traffic can flow between Logical Switch 2 in chassis 1 and Logical switch 6 in chassis 2, because they both have fabric ID 1. Traffic cannot flow between Logical switch 2 and Logical switch 7, because they have different fabric IDs (and are thus in different fabrics).
Management model for logical switches Logical fabric formation Fabric formation is not based on connectivity, but is based on the FIDs of the logical switches. The basic order of fabric formation is as follows: 1. Base fabric forms. 2. Logical fabrics form when the base fabric is stable. 3.
Account management and Virtual Fabrics When user accounts are created, they are assigned a list of logical fabrics to which they can log in and a home logical fabric (home FID). When you connect to a physical chassis, the home FID defines the logical switch to which you are logged in by default.
Limitations and restrictions of Virtual Fabrics TABLE 44 Virtual Fabrics interaction with Fabric OS features (Continued) Fabric OS feature Virtual Fabrics interaction FC-FC Routing Service All EX_Ports must reside in a base switch. You cannot attach EX_Ports to a logical switch that has XISL use enabled. You must use ISLs to connect the logical switches in an edge fabric.
Enabling Virtual Fabrics Following are restrictions on XISL use. To allow or disallow XISL use for a logical switch, see “Configuring a logical switch to use XISLs” on page 218. XISL use is not permitted in any of the following scenarios: •...
Disabling Virtual Fabrics Example The following example checks whether Virtual Fabrics is enabled or disabled and then enables it. switch:admin> fosconfig --show FC Routing service: disabled iSCSI service: Service not supported on this Platform iSNS client service: Service not supported on this Platform Virtual Fabric: disabled Ethernet Switch Service:...
Configuring logical switches to use basic configuration values All switches in the fabric are configured to use the same basic configuration values. When you create logical switches, the logical switches might have different configuration values than the default logical switch.
Creating a logical switch or base switch Specify the -base option if the logical switch is to be a base switch. Specify the -force option to execute the command without any user prompts or confirmation. 3. Set the context to the new logical switch. setcontext fabricID where fabricID is the fabric ID of the logical switch you just created.
Executing a command in a different logical fabric context This procedure describes how to execute a command for a logical switch while you are in the context of a different logical switch. You can also execute a command for all the logical switches in a chassis.
Deleting a logical switch
"fabricshow" on FID 4:
Switch ID   Worldwide Name            Enet IP Addr    FC IP Addr   Name
-------------------------------------------------------------------------
 14: fffc0e 10:00:00:05:1e:82:3c:2b   10.32.79.105    0.0.0.0     >"switch_4"
---------------------------------------------------
"fabricshow" on FID 5:
Switch ID   Worldwide Name            Enet IP Addr    FC IP Addr   Name
-------------------------------------------------------------------------
 30: fffc1e 10:00:00:05:1e:82:3c:2c   10.32.79.105...
Displaying logical switch configuration When you move a port from one logical switch to another, the port is automatically disabled. Any performance monitors that were installed on the port are deleted. If monitors are required in the new logical switch, you must manually reinstall them on the port after the move. If the logical switch to which the port is moved has fabric mode Top Talkers enabled, then if the port is an E_Port, fabric mode Top Talker monitors are automatically installed on that port.
Changing a logical switch to a base switch 1. Connect to the switch and log in using an account assigned to the admin role with the chassis-role permission. 2. Set the context to the logical switch you want to change, if you are not already in that context. setcontext fabricID where fabricID is the fabric ID of the logical switch you want to change to a base switch.
Configuring a logical switch to use XISLs switch_25:FID7:admin> lscfg --change 7 -base Creation of a base switch requires that the proposed new base switch on this system be disabled. Would you like to continue [y/n]?: y Disabling the proposed new base switch... Disabling switch fid 7 Please enable your switches when ready.
Changing the context to a different logical fabric You can change the context to a different logical fabric. Your user account must have permission to access the logical fabric. 1. Connect to the physical chassis and log in using an account assigned to the admin role. 2.
Creating a logical fabric using XISLs Create a base switch and assign it a fabric ID that will become the FID of the base fabric. See “Creating a logical switch or base switch” on page 211 for instructions on creating a base switch.
Zoning overview • QoS zones Assign high or low priority to designated traffic flows. QoS zones are normal zones with additional QoS attributes specified by adding a QOS prefix to the zone name. See “QoS: SID/DID traffic prioritization” on page 416 for more information. •...
Zoning overview [FIGURE 26 Zoning example: Server1, Server2, Server3, a RAID array, a JBOD, Loop 1 and Loop 2 attached to a Fibre Channel fabric and grouped into a Red zone, a Green zone and a Blue zone] To list the commands associated with zoning, use the zoneHelp command. For detailed information on the zoning commands used in the procedures, see the Fabric OS Command Reference or the online man page for each command.
Zoning overview TABLE 47 Approaches to fabric-based zoning Zoning approach Description Recommended approach Single HBA Zoning by single HBA most closely re-creates the original SCSI bus. Each zone created has only one HBA (initiator) in the zone; each of the target devices is added to the zone. Typically, a zone is created for the HBA and the disk storage ports are added.
Zoning overview For example, in enterprise-class platforms, “4,30” specifies port 14 in slot number 2 (domain ID 4, port index 30). On fixed-port models, “3,13” specifies port 13 in switch domain ID 3. Note the following effects on zone membership based on the type of zone object: •...
Zoning overview Zone configuration naming is flexible. One configuration should be named PROD_fabricname, where fabricname is the name that the fabric has been assigned. The purpose of the PROD configuration is to easily identify the configuration that can be implemented and provide the most generic services.
Zoning overview Hardware-enforced zoning means that each frame is checked by hardware (the ASIC) before it is delivered to a zone member and is discarded if there is a zone mismatch. When hardware-enforced zoning is active, the Fabric OS switch monitors the communications and blocks any frames that do not comply with the effective zone configuration.
Broadcast zones TABLE 48 Considerations for zoning architecture (Continued) Item Description Testing Before implementing a new zone, you should run the Zone Analyzer from Web Tools to isolate any possible problems. This is especially useful as fabrics increase in size. Confirming operation After changing or enabling a zone configuration, you should confirm that the nodes and storage can identify and access one another.
Broadcast zones Devices that are not members of the broadcast zone can send broadcast packets, even though they cannot receive them. A broadcast zone can have domain,port, WWN, and alias members. Broadcast zones do not function in the same way as other zones. A broadcast zone does not allow access within its members in any way.
Broadcast zones The dotted box represents the consolidated broadcast zone, which contains all of the devices that can receive broadcast packets. The actual delivery of broadcast packets is also controlled by the Admin Domain and zone enforcement logic. The consolidated broadcast zone is not an actual zone, but is just an abstraction used for explaining the behavior.
Zone aliases If a broadcast zone is active, even if it is the only zone in the effective configuration, the default zone setting is not in effect. If the effective configuration has only a broadcast zone, then the configuration appears as a No Access configuration.
Zone aliases 3. Enter the cfgSave command to save the change to the defined configuration. The cfgSave command ends and commits the current zoning transaction buffer to both volatile and nonvolatile memory. If a transaction is open on a different switch in the fabric when this command is run, the transaction on the other switch is automatically aborted.
Zone creation and maintenance The cfgSave command ends and commits the current zoning transaction buffer to both volatile and nonvolatile memory. If a transaction is open on a different switch in the fabric when this command is run, the transaction on the other switch is automatically aborted. A message displays on the other switches to indicate that the transaction was aborted.
Zone creation and maintenance Example switch:admin> zoneremove "greenzone", "1,2" switch:admin> zoneremove "bluezone", "21:00:00:20:37:0c:72:51" switch:admin> zoneremove "broadcast", "2,34" switch:admin> cfgsave You are about to save the Defined zoning configuration. This action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled.
Default zoning mode switch:admin> cfgShow
Defined configuration:
 cfg:   USA_cfg      Purple_zone; White_zone; Blue_zone
 zone:  Blue_zone    1,1; array1; 1,2; array2
 zone:  Purple_zone  1,0; loop1
 zone:  White_zone   1,3; 1,4
 alias: array1       21:00:00:20:37:0c:76:8c; 21:00:00:20:37:0c:71:02
 alias: array2       21:00:00:20:37:0c:76:22; 21:00:00:20:37:0c:76:28
 alias: loop1        21:00:00:20:37:0c:76:85; 21:00:00:20:37:0c:71:df
3. Enter the zone validate command to list all zone members that are not part of the current zone enforcement table.
Default zoning mode Typically, when you disable the zoning configuration in a large fabric with thousands of devices, the name server indicates to all hosts that they can communicate with each other. In fact, each host can receive an enormous list of PIDs, and ultimately cause other hosts to run out of memory or crash.
Zoning database size The maximum size of a zone database is the upper limit for the defined configuration, and it is determined by the amount of flash memory available for storing the defined configuration. Use the cfgSize command to display the zoning database size. The supported maximum zoning database size is 1 MB.
Zoning configurations Example switch:admin> cfgcreate "NEW_cfg", "purplezone; bluezone; greenzone" switch:admin> cfgsave You are about to save the Defined zoning configuration. This action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled.
Zoning configurations Enabling a zone configuration The following procedure ends and commits the current zoning transaction buffer to both volatile and nonvolatile memory. If a transaction is open on a different switch in the fabric when this procedure is run, the transaction on the other switch is automatically aborted. A message displays on the other switches to indicate that the transaction was aborted.
Zoning configurations Deleting a zone configuration 1. Connect to the switch and log in as admin. 2. Enter the cfgDelete command, using the following syntax: cfgdelete "cfgname" 3. Enter the cfgSave command to save the change to the defined configuration. The cfgSave command ends and commits the current zoning transaction buffer to both volatile and nonvolatile memory.
Zone object maintenance Clearing all zone configurations 1. Connect to the switch and log in as admin. 2. Enter the cfgClear command to clear all zone information in the transaction buffer. ATTENTION Be careful using the cfgClear command because it deletes the defined configuration. switch:admin>...
Zone object maintenance 5. If you want the change preserved when the switch reboots, enter the cfgSave command to save it to nonvolatile (flash) memory. 6. Enter the cfgEnable command for the appropriate zone configuration to make the change effective. Deleting a zone object The following procedure removes all references to a zone object and then deletes the zone object.
Zoning configuration management Renaming a zone object 1. Connect to the switch and log in as admin. 2. Enter the cfgShow command to view the zone configuration objects you want to rename. switch:admin> cfgShow Defined configuration: cfg: USA_cfg Purple_zone; White_zone; Blue_zone zone: Blue_zone 1,1;...
Zoning configuration management Adding a new fabric that has no zone configuration information to an existing fabric is very similar to adding a new switch. All switches in the new fabric inherit the zoning configuration data. If a zone configuration is in effect, then the same configuration becomes the enabled configuration. Before the new fabric can merge successfully, it must pass the following criteria: •...
Security and zoning • Merge conflicts When a merge conflict is present, a merge will not take place and the ISL will segment. Use the switchShow or errDump commands to obtain additional information about possible merge conflicts, because many non-zone related configuration parameters can cause conflicts. See the Fabric OS Command Reference for detailed information about these commands.
Zone merging scenarios You must perform zone management operations from the primary FCS switch using a zone management interface, such as Telnet or Advanced Web Tools. You can alter a zoning database, provided you are connected to the primary FCS switch. When two secure fabrics join, the traditional zoning merge does not occur.
Zone merging scenarios TABLE 49 Zone merging scenarios (Continued)
Description: Switch A and Switch B have different defined configurations. Neither have
Switch A: defined: cfg2; zone2: ali3; ali4
Switch B: defined: cfg1; zone1: ali1; ali2
Expected results: Clean merge. The new configuration will be a composite of the two.
Zone merging scenarios TABLE 49 Zone merging scenarios (Continued)
Description: Different default zone access mode settings.
Switch A: defzone: noaccess
Switch B: defzone: allaccess
Expected results: Clean merge — noaccess takes precedence and defzone configuration from Switch A propagates to fabric.
defzone: noaccess Same default zone access mode defzone: allaccess...
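The cfgShow database format shown under "Default zoning mode" and the merge rules in Table 49, worked through as an added example that is not code from the Fabric OS guide. The sample databases are constructed from the guide's cfgShow example; the rule that a same-named object with different members is a merge conflict is an assumption, not stated on this page.

```python
"""Fabric OS zoning: parse cfgShow output, merge two defined configurations
the way Table 49 describes, and check what hardware-enforced zoning permits.

Added example, not code from the Fabric OS guide. Sample databases are
constructed from the guide's cfgShow example. Rules implemented: the merge of
two different defined configurations is a composite of both; defzone noaccess
takes precedence over allaccess; and (assumption, not stated on the page) an
object present on both switches with different members is a merge conflict
that would segment the ISL.
"""
import re

# Constructed from the guide's cfgShow example (Switch A).
SWITCH_A = """\
Defined configuration:
 cfg:   USA_cfg Purple_zone; White_zone; Blue_zone
 zone:  Blue_zone 1,1; array1; 1,2; array2
 zone:  Purple_zone 1,0; loop1
 zone:  White_zone 1,3; 1,4
 alias: array1 21:00:00:20:37:0c:76:8c; 21:00:00:20:37:0c:71:02
 alias: array2 21:00:00:20:37:0c:76:22; 21:00:00:20:37:0c:76:28
 alias: loop1 21:00:00:20:37:0c:76:85; 21:00:00:20:37:0c:71:df
"""

# Constructed Switch B with a different defined configuration (cfg2 / zone2).
SWITCH_B = """\
Defined configuration:
 cfg:   cfg2 zone2
 zone:  zone2 ali3; ali4
 alias: ali3 21:00:00:20:37:0c:aa:01
 alias: ali4 2,5
"""

# "kind: name members..." up to the next object keyword; works whether the
# members follow on the same line or on indented continuation lines.
OBJ_RE = re.compile(r"(cfg|zone|alias):\s*(\S+)\s*(.*?)(?=\s+(?:cfg|zone|alias):|\Z)",
                    re.S)


def parse_cfgshow(text):
    """Return {"cfg": {name: [zones]}, "zone": {name: [members]}, "alias": {...}}."""
    defined = text.split("Effective configuration:")[0]   # defined section only
    db = {"cfg": {}, "zone": {}, "alias": {}}
    for kind, name, body in OBJ_RE.findall(defined):
        db[kind][name] = [m.strip() for m in body.split(";") if m.strip()]
    return db


class MergeConflict(Exception):
    """Raised where the switches would refuse to merge and segment the ISL."""


def merge(db_a, db_b, defzone_a="allaccess", defzone_b="allaccess"):
    """Composite of two defined configurations, or MergeConflict."""
    merged = {}
    for kind in ("cfg", "zone", "alias"):
        merged[kind] = {n: list(m) for n, m in db_a[kind].items()}
        for name, members in db_b[kind].items():
            # Assumption: same name on both sides with different members
            # is a conflict (member order is ignored here).
            if name in merged[kind] and set(merged[kind][name]) != set(members):
                raise MergeConflict(
                    f"{kind} {name}: {merged[kind][name]} vs {members}")
            merged[kind][name] = list(members)
    # Table 49: noaccess takes precedence and propagates to the fabric.
    merged["defzone"] = ("noaccess" if "noaccess" in (defzone_a, defzone_b)
                         else "allaccess")
    return merged


def resolve(db, member):
    """Expand an alias (possibly nested) into domain,port and WWN members."""
    if member not in db["alias"]:
        return [member]
    out = []
    for m in db["alias"][member]:
        out.extend(resolve(db, m))
    return out


def permitted(db, cfg_name, dev1, dev2):
    """True when dev1 and dev2 (domain,port or port WWN strings) share at
    least one zone of cfg_name, which is what the ASIC checks per frame."""
    for zone_name in db["cfg"][cfg_name]:
        members = set()
        for m in db["zone"][zone_name]:
            members.update(resolve(db, m))
        if dev1 in members and dev2 in members:
            return True
    return False


if __name__ == "__main__":
    a, b = parse_cfgshow(SWITCH_A), parse_cfgshow(SWITCH_B)
    fabric = merge(a, b, defzone_a="noaccess", defzone_b="allaccess")
    print("merged cfgs:", sorted(fabric["cfg"]), "defzone:", fabric["defzone"])
    print("1,1 <-> array1 member:", permitted(a, "USA_cfg", "1,1", "21:00:00:20:37:0c:76:8c"))
    print("1,1 <-> 1,3:", permitted(a, "USA_cfg", "1,1", "1,3"))
    try:
        merge(a, parse_cfgshow("Defined configuration:\n zone: Blue_zone 1,1; 1,9\n"))
    except MergeConflict as err:
        print("segment:", err)
```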
iSCSI gateway service overview • Manages iSCSI initiator access control using discovery domains and a discovery domain set • Session management, such as session tracking and performance monitoring • Session authentication using CHAP NOTE The FC4-16IP iSCSI gateway service is not compatible with other iSCSI gateway platforms, including Brocade iSCSI Gateway or the Brocade Multiprotocol Router.
iSCSI gateway service overview [Figure: iSCSI gateway protocol stack. iSCSI initiator side: Storage Application (device server), SCSI, iSCSI, TCP/IP. FC target side: SCSI, FCP (FC-4), FC (FC-2/FC-3). The gateway carries iSCSI over TCP/IP on one side and FCP on the other]...
iSCSI gateway service overview [FIGURE 32 iSCSI VT advanced LUN mapping: FC target 1 and FC target 2 mapped to iSCSI virtual target 1, iSCSI virtual target 2 and iSCSI virtual target 3] iSCSI component identification of the IQN prefix Unique IQNs are used to identify each iSCSI VT.
iSCSI gateway service overview [Figure: iSCSI initiator A (iqn.2003-11.com.microsoft:win2k-sn-192168101) connected over an IP network to iSCSI virtual targets (VTs): VT 1 (iqn.2002-12.com.brocade:10:00:00:05:1e:aa:bb:cc) and VT 2 (iqn.2002-12.com.brocade:10:00:00:05:1e:cc:bb:aa)]...
iSCSI gateway service overview [FIGURE 34 Discovery domain set configuration example: DDSet 1 containing iSCSI initiator A, iSCSI initiator B and the iSCSI virtual targets (VTs) VT 1, VT 2 and VT 3, connected across an IP network through the iSCSI gateway service]...
iSCSI gateway service overview Enabling and disabling connection redirection for load balancing 1. Connect to the switch and log in. 2. Enter the appropriate form of the iscsiSwCfg command for the operation you want to perform: To enable connection redirection, use the iscsiSwCfg enableconn command.
iSCSI gateway service overview Supported iSCSI initiators The following table lists iSCSI initiators supported by the iSCSI gateway service. TABLE 50 Supported iSCSI initiators iSCSI initiator driver versions Windows • MS iSCSI initiator 2.02. • MS iSCSI initiator 2.03. • MS iSCSI initiator 2.04.
FC4-16IP blade configuration This section describes the initial setup required to deploy an iSCSI gateway solution. Install and configure the FC4-16IP blade in a Brocade 48000 as described in the Brocade FC4-16IP Hardware Reference Manual before performing these procedures. NOTE Only the Brocade 48000 with an iSCSI-enabled FC4-16IP blade running Fabric OS v6.1.0 or later supports the iSCSI gateway service.
FC4-16IP blade configuration [FIGURE 35 FC4-16IP ports: the GbE ports and FC ports on the FC4-16IP blade] Enabling the iSCSI gateway service The iSCSI gateway service translates and directs SCSI traffic between an iSCSI initiator and an FC target.
FC4-16IP blade configuration iSCSI service is enabled 4. Verify that the iSCSI gateway service is enabled. switch:admin> fosconfig --show FC Routing service:disabled iSCSI service:enabled iSNS Client service:disabled Enabling GbE ports By default, GbE ports are enabled on an FC4-16IP blade installed in the Brocade 48000. However, if you insert the FC4-16IP blade into a slot that was previously occupied by an FR-18i blade, GbE ports are disabled.
FC4-16IP blade configuration In the following sample output, the Persistent Disable setting is set to OFF.
switch:admin> portcfgshow 10/ge0
Mode: ISCSI
Persistent Disable:
Ipif configuration:
Interface IP Address   NetMask
----------------------------------------------------------
30.0.130.100           255.255.0.0   1500
configuration:
IP Address   Mac Address
------------------------------
Iproute Configuration:
IP Address   Mask   Gateway...
iSCSI virtual target configuration 4. (Optional) Enter the portCfg command to define static routes to reach the destination IP through a preferred gateway. switch:admin> portcfg iproute 3/ge0 create 0.0.0.0 0.0.0.0 30.0.0.1 1 Operation Succeeded The gateway must be on the same subnet as the GbE port. You can specify a maximum of 32 routes per GbE port.
iSCSI virtual target configuration You create iSCSI VTs using the LUN values of FC targets. The FC target must be accessible from the iSCSI gateway. iSCSI VTs can be automatically generated or manually created. After mapping iSCSI targets, do not move the targets out of Administrative Domain 0 (AD0), unless you then explicitly add them back to AD0.
iSCSI virtual target configuration
Name: iqn.2002-12.com.brocade:2f:1f:00:06:2b:0d:10:ba   State/Status: Online/Defined
Name: iqn.2002-12.com.brocade:2f:3f:00:06:2b:0d:10:ba   State/Status: Online/Defined
Name: iqn.2002-12.com.brocade:2f:5f:00:06:2b:0d:10:ba   State/Status: Online/Defined
Name: iqn.2002-12.com.brocade:2f:7f:00:06:2b:0d:10:ba   State/Status: Online/Defined
Name: iqn.2002-12.com.brocade:2f:9f:00:06:2b:0d:10:ba   State/Status: Online/Defined
Name: iqn.2002-12.com.brocade:2f:bf:00:06:2b:0d:10:ba   State/Status: Online/Defined
Name: iqn.2002-12.com.brocade:2f:df:00:06:2b:0d:10:ba   State/Status: Online/Defined
Name: iqn.2002-12.com.brocade:2f:ff:00:06:2b:0d:12:9a   State/Status: Online/Defined
Generating an iSCSI VT for a specific FC target 1.
iSCSI virtual target configuration 1. Connect and log in to the switch. 2. Enter the iscsiCfg create tgt command with the -t IQN option to create an undefined iSCSI VT, that is, an iSCSI VT that contains no LUNs. The IQN value is an iSCSI Qualified Name entered in the form user_defined.
iSCSI virtual target configuration The following example maps two LUNs attached to port 2f:ff:00:06:2b:0d:12:99 to an iSCSI VT named iqn.2002-12.com.brocade:example-disk001. switch:admin> iscsicfg --add lun -t iqn.2002-12.com.brocade:example-disk001 \ -w 2f:ff:00:06:2b:0d:12:99 -l 1-2:0-1 The operation completed successfully. switch:admin> iscsicfg --show lun -t iqn.2002-12.com.brocade:example-disk001 Number of targets found: 1 Target: iqn.2002-12.com.brocade:example-disk001 Number of LUN Maps: 2...
Discovery domain and domain set configuration 2f:ff:00:06:2b:0d:12:99 Target: iqn.2002-10.com.brocade:21:00:00:04:cf:e7:74:cf Number of LUN Maps: 1 FC WWN Virtual LUN(s) Physical LUN(s) 21:00:00:04:cf:e7:74:cf 0x0000000000000000 Displaying iSCSI VT state and status The following information can be displayed for each iSCSI VT: • Name — IQN for the iSCSI VT. •...
Discovery domain and domain set configuration Displaying iSCSI initiator IQNs All iSCSI components in a DD must be identified using IQNs. Fabric OS temporarily stores the IQNs and IP addresses of iSCSI initiators that have logged in to the gateway. NOTE If an iSCSI initiator has more than one IP address, only one of the IP addresses is displayed.
iSCSI initiator-to-VT authentication configuration 4. Enter the iscsiCfg enable ddset command with the -n option to enable the DDSet: switch:admin> iscsicfg --enable ddset -n ddset-engineering This will enable the DDSet specified. Continue (yes, y, no, n) [n]: y The operation completed successfully. iSCSI initiator-to-VT authentication configuration Fabric OS v6.1.0 or later supports both one-way and mutual CHAP authentication for iSCSI initiator-to-iSCSI VT target sessions.
Committing the iSCSI-related configuration switch:admin> iscsicfg --addusername tgt -t iqn.2002-10.com.brocade:tgt -u "isisctgt1;hello123" This operation completed successfully 3. Enter the iscsiCfg commit all command. 4. Enter the iscsiCfg show tgt command with the -t and -v options to verify that a user name has been bound to the iSCSI VT: switch:admin>...
Resolving conflicts between iSCSI configurations ATTENTION Make all necessary changes to the database—VT creation, LUN additions, DD creation, DDSet creation, and so on—before issuing the iscsiCfg commit all command. 1. Connect and log in to the switch. 2. Enter the iscsiCfg show transaction command to display the pending transactions: switch:admin>...
LUN masking considerations switch:admin> iscsicfg --commit all -f This will commit ALL database changes made to all iSCSI switches in fabric. This could be a long-running operation. Continue (yes, y, no, n) [n]: y The operation completed successfully. 5. Enter the iscsiCfg show fabric command to verify that the conflict has been resolved: switch:admin>...
iSCSI FC zoning overview [Figure: iSCSI initiator A reaching, across an IP network, the iSCSI GbE portal group and its iSCSI virtual initiator portal; the iSCSI virtual initiator maps VT 1 of the iSCSI virtual targets (VTs) to the LUNs of Target 1]...
iSCSI FC zoning overview • The iSCSI virtual initiators (VIs): If there is more than one FC4-16IP blade in the chassis, you must add all virtual initiators to the same zone. If there is more than one FC4-16IP blade in the fabric, you must add all virtual initiators from all switches to the same zone.
iSCSI FC zoning overview switch:admin> nsshow
Type Pid    PortName                 NodeName                 TTL(sec)
0120d6;   3;21:00:00:04:cf:e7:74:cf;20:00:00:04:cf:e7:74:cf; na
    FC4s: FCP [SEAGATE ST336607FC 0004]
    Fabric Port Name: 20:20:00:60:69:e0:01:56
    Permanent Port Name: 21:00:00:04:cf:e7:74:cf
    Port Index: 32
    Share Area: No
    Device Shared in Other AD: No
0120d9;   3;21:00:00:04:cf:e7:73:7e;20:00:00:04:cf:e7:73:7e;...
iSCSI FC zoning overview
    Share Area: No
    Device Shared in Other AD: No
012c00;   3;50:06:06:9e:00:15:63:20;50:06:06:9e:00:15:63:21; na
    FC4s: FCP
    PortSymb: [23] "iSCSI Virtual Initiator"
    NodeSymb: [51] "IPAddr: 30.0.127.34 Slot/Port: 3/ge4 Logical pn: 44"
    Fabric Port Name: 00:00:00:00:00:00:00:00
    Permanent Port Name: 50:06:06:9e:00:15:63:20
    Port Index: 44
    Share Area: No
    Device Shared in Other AD: No...
Zoning configuration creation switch:admin> cfgsave You are about to save the Defined zoning configuration. This action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled. Do you want to save Defined zoning configuration only? (yes, y, no, n): [no] y 8.
iSNS client service configuration switch:admin> cfgsave You are about to save the Defined zoning configuration. This action will only save the changes on Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled. Do you want to save Defined zoning configuration only? (yes, y, no, n): [no] y Updating flash ...
iSNS client service configuration Displaying iSNS client service status 1. Connect and log in to the switch. 2. Enter the fosConfig command to show the current Fabric OS configuration. switch:admin> fosconfig --show FC Routing service:disabled iSCSI service:enabled iSNS Client service:disabled Enabling the iSNS client service This section explains how to enable the iSNS client service and configure the iSNS server IP address.
iSNS client service configuration Enter the isnsccfg set command with the -m and -s options to set the IP address of the iSNS server management port rather than the GbE port: switch:admin> isnsccfg --set -m -s IP_address where IP_address is the iSNS server management port IP address. The following is an example.
Enabling and disabling NPIV On the Brocade 300, 4100, 4900, 5000, 5100, and 5300 switches, the Brocade 5410, 5424, 5450, 5480 embedded switches, the Brocade 48000 director, the Brocade DCX and DCX-4S enterprise-class platforms, and the FA4-18 blade, NPIV is enabled for every port. NOTE The FC10-6 port blade and the CEE ports on the Brocade 8000 do not support NPIV.
Viewing NPIV port configuration information • Maximum logins per switch Use this parameter to set the number of virtual N_Port_IDs per switch to a value between 0 and 126 multiplied by the number of ports you specify when setting this parameter. The default setting is 16 multiplied by the number of ports specified.
Viewing NPIV port configuration information The following example shows whether or not a port is configured for NPIV: switch:admin> portcfgshow Ports of Slot 0 9 10 11 12 13 14 15 -----------------+--+--+--+--+----+--+--+--+----+--+--+--+----+--+--+-- Speed AN AN AN AN AN AN AN AN AN AN AN AN AN AN AN AN Trunk Port...
Connectivity solutions • InteropMode 2 for McDATA Fabric mode, which supports M-EOS switches running in McDATA Fabric mode. • InteropMode 3 for McDATA Open Fabric mode, which supports M-EOS switches running in Open Fabric mode. McDATA Open Fabric mode is intended specifically for adding Fabric OS-based products to M-EOS fabrics that are already using Open Fabric mode.
Domain ID offset modes FIGURE 38 Typical direct E_Port configuration Domain ID offset modes The domain ID offset in interopmode 3 (IM3) allows an M-EOS switch to operate in a fabric that contains domain IDs other than 1-31. In interopmode 2 (IM2) the domain ID offset can only be in the 1-31 range.
McDATA Fabric mode configuration restrictions Following are the configurable domain ID offset modes: • Domain ID default mode (McDATA Legacy domain ID mode) — In this mode, a default offset of 0x60 (96) is used. The default mode is used when you enable IM2 or IM3 without specifying a Domain ID offset.
McDATA Open Fabric mode configuration restrictions • Domain IDs must be in the 1 to 31 or domain ID offset value range, on Fabric OS switches for successful connections to M-EOS switches. The firmware automatically assigns a valid domain NOTE If insistent domain ID (IDID) is not enabled and a switch attempts to join the fabric with a duplicate DID, the principal switch will assign the incoming switch a different domain ID.
Interoperability support for logical switches Interoperability for logical switches is supported on the Brocade 5100 and 5300 switches, and the Brocade DCX and DCX-4S platforms. You can configure logical switches individually to operate in any of the interoperable modes. This means that McDATA Fabric mode, McDATA Open Fabric mode, and Brocade Native mode are supported in the same chassis.
Switch configurations for interoperability Enabling McDATA Open Fabric mode When configuring McDATA Open Fabric mode, avoid domain ID conflicts before fabric reconfiguration. When configuring multiple switches, you should wait for a fabric reconfiguration after adding or removing each switch. Every switch in the fabric must have a unique domain ID. 1.
Switch configurations for interoperability switch:admin> configure Configure... Fabric Parameters (yes, y, no, n): [no] y Domain (1...31): [1] 5 5. Enter the interopMode 2 command to enable interoperability. This command resets a number of parameters and enables fabric mode. switch:admin> interopmode 2 McDATA Fabric mode is enabled The switch effective and defined configuration will be lost if interop mode is changed.
Zone management in interoperable fabrics McDATA Fabric and McDATA Open Fabric modes support zone activation using an M-series management tool such as Data Center Fabric Manager (DCFM) or Web Tools. You can only launch one zoning management tool at a time.
Zone management in interoperable fabrics • Zoning using domain,index notation is allowed only in McDATA Fabric mode (IM2), not in McDATA Open Fabric mode (IM3). Zone name restrictions The name value must contain the ASCII characters that actually specify the name, not including any required fill bytes.
Zone management in interoperable fabrics ATTENTION Safe zoning mode is only available in fabrics with their interoperable mode set to 2. With safe zoning enabled, the effective configurations must match exactly. Also, it does not allow the default zone to be enabled. To allow a Fabric OS switch into an M-EOS native fabric, safe zoning mode must be disabled.
Frame Redirection in interoperable fabrics In McDATA Fabric mode, you can set the effective zone configuration to the Defined Database. If the Defined Database contains a configuration with the same name, it is replaced. Any non-duplicate zone sets or zones remain unchanged. Before moving the effective zone configuration to the Defined Database, you should view the zoning configuration.
Traffic Isolation zones in interoperable fabrics The Defined Zone Database in McDATA Open Fabric mode supports the special Frame Redirect zones. Frame Redirection supports the following: • Allows you to create Frame Redirection zones and send redirection zone updates to switches running M-EOS in McDATA Open Fabric mode (interopmode 3) and McDATA Fabric mode (Interopmode 2).
E_Port authentication between Fabric OS and M-EOS switches Fabric OS Layer 2 Fabric Binding The Fabric OS SANtegrity binding feature locks the fabric into its intended configuration and ensures protection against WWN spoofing for E_Ports and N_Ports. Switches must exchange and validate their Fabric Binding Membership list when bringing up an ISL.
E_Port authentication between Fabric OS and M-EOS switches Fabric OS authentication types M-EOS support M-EOS switch explanation FCAP M-EOS switch does not support FCAP protocol. DH-CHAP DH-CHAP supported. Table 53 describes the Fabric OS mode descriptions. TABLE 53 Fabric OS mode descriptions Fabric OS authentication modes M-EOS support M-EOS switch explanation...
E_Port authentication between Fabric OS and M-EOS switches Table 55 describes the device authentication mode. TABLE 55 Device authentication mode Fabric OS authentication M-EOS support M-EOS switch explanation mode Not used for E_Port authentication. Passive Not used for E_Port authentication. Switch authentication policy There are differences in the Switch Authentication policies between the Fabric OS switch and the M-EOS switch.
E_Port authentication between Fabric OS and M-EOS switches TABLE 56 Switch authentication policy when all secrets are correct Fabric OS Passive Active M-EOS Yes! Yes! Yes! Connected with Connected with Connected with E_Port does not two-way two-way two-way connect authentication; both authentication;...
E_Port authentication between Fabric OS and M-EOS switches TABLE 57 Switch authentication policy-Fabric OS switch with incorrect M-EOS secrets Fabric OS Passive Active M-EOS E_Port does not E_Port does not E_Port does not E_Port does connect connect connect not connect (Authentication (Authentication (Authentication...
E_Port authentication between Fabric OS and M-EOS switches TABLE 58 Switch authentication policy-M-EOS switch with the incorrect Fabric OS switch secrets Fabric OS Passive Active M-EOS E_Port does not E_Port does not E_Port does not E_Port does not connect connect connect connect (Authentication...
E_Port authentication between Fabric OS and M-EOS switches TABLE 59 Switch authentication policy when connected to an M-EOS dumb switch Fabric OS Passive Active M-EOS Disabled Connected without E_Port does not E_Port does not Connected any authentication connect connect without any (Fabric builds (Authentication (Authentication...
E_Port authentication between Fabric OS and M-EOS switches Authentication of VE_Port-to-VE_Port connections Although running authentication for VE_Ports works the same as for E_Ports, for VE_Ports, both sides of the connection are on the Fabric OS switches. Table 60 shows the switch authentication policy for VE_Port-to-VE_Port connections when all the secrets are correct.
E_Port authentication between Fabric OS and M-EOS switches TABLE 60 VE_Port-to-VE_Port authentication policy with correct switch secret (Continued) Fabric OS Passive Active switch VE_ to VE_Port Yes! Yes! Yes! Connected with two-way Connected with Connected with E_Port does not authentication; both sides two-way two-way connect...
E_Port authentication between Fabric OS and M-EOS switches TABLE 61 VE_Port-to-VE_Port authentication policy with unknown switch secret Fabric OS Passive Active switch VE_ to VE_Port Passive Connected without E_Port does not E_Port does not Connected without any any authentication connect connect authentication (Fabric (Fabric builds...
E_Port authentication between Fabric OS and M-EOS switches TABLE 61 VE_Port-to-VE_Port authentication policy with unknown switch secret (Continued) Fabric OS Passive Active switch VE_ to VE_Port E_Port does not E_Port does not E_Port does not E_Port does not connect connect connect connect (Authentication Rejected).
FCR SANtegrity TABLE 62 VEX_Port-to-VE_Port authentication policy with correct secrets Fabric OS switch Passive Active VEX_Port-to-VE_Port Passive Yes! Yes! Connected without Connected with Connected with Connected without any authentication two-way two-way any authentication (Fabric builds authentication; authentication; (Fabric builds normally). both sides of the both sides of the normally).
FCR SANtegrity NOTE After a Fabric Binding check failure between a McDATA E_Port and an EX_Port, the current M-EOS implementation requires you to disable the M-EOS port and then re-enable it before the link can come up again. Enabling just the EX_Port does not always allow the link to come up again. FCR implements a simplified version of Fabric Binding that is passive and only checks whether its own Front Port domain ID and WWN pair is present in the Fabric Binding list that is sent from an M-EOS switch.
FICON implementation in a mixed fabric 1. Connect to the switch and log in using an account assigned to the admin role. Ensure that the port is offline to configure the preferred domain ID. 2. Enter the portCfgEXPort command. For McDATA Fabric mode, the valid range of domain IDs is from 1-32. For McDATA Open Fabric mode, the valid range of domain IDs is from 97-127.
Coordinated Hot Code Load Coordinated Hot Code Load (HCL) removes the limitations on the number of E_Ports that can be supported. Fabric OS v6.1.0 supports Coordinated HCL on all Fabric OS switches when connected to a mixed fabric with M-EOS switches running in either McDATA Fabric or McDATA Open Fabric mode.
McDATA-aware features If you select yes, the firmwareDownload operation proceeds without making the normal Coordinated HCL checks. The firmwareDownload -o command upgrades both CPs in the switch. Coordinated HCL on switches firmware downloads If the firmwareDownload command is entered with both the –s and –b (auto-reboot) options, a best effort will be made to run Coordinated HCL.
McDATA-unaware features TABLE 64 McDATA-aware features (Continued) Feature Behavior FICON and FICON CUP Fabric Binding is required for FICON support in mixed fabrics. Cascaded CUP and Missing Interrupt Handler Process Timeout (MIHPTO), which should be set to 60, are supported. Cascaded CUP is only supported in McDATA Fabric mode.
McDATA-unaware features TABLE 66 Complete feature compatibility matrix (Continued) Feature Support Notes Configuration download/upload DHCP Environmental monitor Error event management Fabric Device Management Interface (FDMI) Fabric Watch (FW) Fibre Channel over McDATA Fabric mode and McDATA Ethernet (FCoE) Open Fabric mode are not supported on the Brocade 8000.
McDATA-unaware features TABLE 66 Complete feature compatibility matrix (Continued) Feature Support Notes Open E_Port Autonegotiates the R_RDY mode by default. Use portCfgIsMode to configure the port statically. Port mirroring Fabric OS v6.2.0 and later supports 8 Gbps port mirroring. SNMP Speed negotiation syslog daemon •...
Supported hardware in an interoperable environment • NPIV NPIV management on the Fabric OS switch is the same as in the standard Fabric OS SAN that is not merged. There are no limitations for NPIV support in an M-EOS Fabric 1.0 mode fabric. •...
Supported hardware in an interoperable environment TABLE 67 Fabric OS interoperability with M-EOS Fabric OS v6.1.0 Fabric OS v6.2.0 Fabric OS v6.3.0 Chassis Type Blade Type McDATA Open Fabric McDATA Open Fabric and McDATA Open Fabric and and Fabric mode Fabric mode Fabric mode Brocade 48000 director...
Supported hardware in an interoperable environment TABLE 67 Fabric OS interoperability with M-EOS (Continued) Fabric OS v6.1.0 Fabric OS v6.2.0 Fabric OS v6.3.0 Chassis Type Blade Type McDATA Open Fabric McDATA Open Fabric and McDATA Open Fabric and and Fabric mode Fabric mode Fabric mode Brocade Encryption...
Supported features in an interoperable environment Table 68 shows the interoperability features supported in Fabric OS v6.3.0, Fabric OS v6.2.0, and Fabric OS v6.1.0. TABLE 68 Supported Fabric OS features Fabric OS Features Fabric OS v6.1.0 Fabric OS v6.2.0 Fabric OS v6.3.0 Interop mode 2...
Supported features in an interoperable environment TABLE 68 Supported Fabric OS features (Continued) Fabric OS Features Fabric OS v6.1.0 Fabric OS v6.2.0 Fabric OS v6.3.0 Interop mode 2 Interop mode 3 Interop mode 2 Interop mode 3 Interop mode 2 Interop mode 3 Dynamic Path Selection (DPS);...
Unsupported features in an interoperable environment TABLE 68 Supported Fabric OS features (Continued) Fabric OS Features Fabric OS v6.1.0 Fabric OS v6.2.0 Fabric OS v6.3.0 Interop mode 2 Interop mode 3 Interop mode 2 Interop mode 3 Interop mode 2 Interop mode 3 M-EOS AL_PA 0x13 configuration...
Chapter Managing Administrative Domains In this chapter • Administrative Domains overview ....... . 329 •...
Administrative Domains overview FIGURE 39 Fabric with two Admin Domains Figure 40 shows how users get a filtered view of this fabric, depending on which Admin Domain they are in. As shown in Figure 40, users can see all switches and E_Ports in the fabric, regardless of their Admin Domain;...
Administrative Domains overview Admin Domain features Admin Domains allow you to: • Define the scope of an Admin Domain to encompass ports and devices within a switch or a fabric. • Share resources across multiple Admin Domains. For example, you can share array ports and tape drives between multiple departments.
Administrative Domains overview Admin Domain access levels Admin Domains offer a hierarchy of administrative access. To manage Admin Domains, you must be a physical fabric administrator. A physical fabric administrator is a user with the admin role and access to all Admin Domains (AD0 through AD255). Only a physical fabric administrator can perform Admin Domain configuration and management.
Administrative Domains overview Initially, the AD0 implicit membership list contains all devices, switch ports, and switches in the fabric. When you explicitly create AD1 through AD254, the devices, switch ports, and switches used to create these user-defined Admin Domains disappear from the AD0 implicit membership list.
Administrative Domains overview AD255 FIGURE 41 Fabric with AD0 and AD255 Admin Domains and login You are always logged in to an Admin Domain, and you can view and modify only the devices in that Admin Domain. If you have access to more than one Admin Domain, one of them is designated as your home Admin Domain, the one you are automatically logged in to.
Administrative Domains overview • If you are in any Admin Domain context other than AD0, the Admin Domain number is included in the system prompt displayed during your session. The following are example prompts for when you are in the AD0, AD1, and AD255 contexts, respectively: switch:admin>...
Administrative Domains overview If a device is a member of an Admin Domain, the switch port to which the device is connected becomes an indirect member of that Admin Domain and the domain,index is removed from the AD0 implicit membership list. NOTE If the switch domain ID changes, the domain,index members are invalid (they are not automatically changed).
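The membership rules stated in the last few paragraphs (AD0's implicit list starts out holding everything; creating AD1 through AD254 removes their members from it; a member device makes the port it is attached to an indirect member; domain,index members go stale when a switch's domain ID changes) are easy to get wrong when planning Admin Domains by hand. The model below is an added example, not Fabric OS code, that encodes those rules so you can check what a proposed AD layout leaves in AD0. The two switch WWNs follow the figure that follows; the device WWNs, port indexes and AD definitions are constructed.

```python
"""Model of Admin Domain membership: explicit members, indirect switch-port
members, and the AD0 implicit list that shrinks as AD1-AD254 are created.

Added example, not Fabric OS code. Device WWNs, port indexes and the AD
definitions in demo_fabric() are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Fabric:
    switches: dict                          # domain id -> switch WWN
    ports: set                              # every (domain, index) in the fabric
    devices: dict                           # device WWN -> (domain, index) it is attached to
    admin_domains: dict = field(default_factory=dict)   # ad_id -> explicit member sets

    def create_ad(self, ad_id, devices=(), ports=(), switches=()):
        """Define a user AD (AD1..AD254) with explicit members."""
        if not 1 <= ad_id <= 254:
            raise ValueError("user-defined Admin Domains are AD1 through AD254")
        unknown = ((set(devices) - set(self.devices))
                   | (set(ports) - self.ports)
                   | (set(switches) - set(self.switches.values())))
        if unknown:
            raise ValueError(f"not in fabric: {sorted(map(str, unknown))}")
        self.admin_domains[ad_id] = {"devices": set(devices),
                                     "ports": set(ports),
                                     "switches": set(switches)}

    def members(self, ad_id):
        """Explicit members plus indirect ones: the port a member device is
        attached to becomes an indirect member of the same AD."""
        ad = self.admin_domains[ad_id]
        indirect_ports = {self.devices[wwn] for wwn in ad["devices"]}
        return {"devices": set(ad["devices"]),
                "ports": ad["ports"] | indirect_ports,
                "switches": set(ad["switches"])}

    def ad0_implicit(self):
        """Everything not claimed, directly or indirectly, by a user AD."""
        used = {"devices": set(), "ports": set(), "switches": set()}
        for ad_id in self.admin_domains:
            for kind, members in self.members(ad_id).items():
                used[kind] |= members
        return {"devices": set(self.devices) - used["devices"],
                "ports": self.ports - used["ports"],
                "switches": set(self.switches.values()) - used["switches"]}

    def stale_port_members(self, ad_id):
        """domain,index members whose domain ID no longer exists; the guide
        notes these are not updated automatically when a domain ID changes."""
        return {p for p in self.admin_domains[ad_id]["ports"]
                if p[0] not in self.switches}


def demo_fabric():
    """Two switches, four ports each, three devices, two user ADs (constructed)."""
    switches = {1: "10:00:00:00:c7:2b:fd:a3", 2: "10:00:00:00:c2:37:2b:a3"}
    ports = {(d, i) for d in switches for i in range(4)}
    devices = {"21:00:00:aa:00:00:00:01": (1, 2),
               "21:00:00:aa:00:00:00:02": (2, 0),
               "21:00:00:aa:00:00:00:03": (2, 3)}
    f = Fabric(switches, ports, devices)
    f.create_ad(1, devices=["21:00:00:aa:00:00:00:01"])            # port 1,2 becomes indirect
    f.create_ad(2, devices=["21:00:00:aa:00:00:00:02"], ports=[(2, 1)])
    return f


if __name__ == "__main__":
    f = demo_fabric()
    print("AD1 members:", f.members(1))
    print("AD0 implicit:", f.ad0_implicit())
```

Running `ad0_implicit()` before committing a set of `ad --create` commands tells you which resources will remain reachable only from AD0, and `stale_port_members()` is the check to run after any planned domain ID change.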
Administrative Domains overview Figure 42 shows an unfiltered view of a fabric with two switches, three devices, and two Admin Domains. The devices are labeled with device WWNs and the switches are labeled with domain ID and switch WWNs. WWN = 10:00:00:00:c7:2b:fd:a3 WWN = 10:00:00:00:c2:37:2b:a3 Domain ID = 1 Domain ID = 2...
Admin Domain management for physical fabric administrators Admin Domain compatibility, availability, and merging Admin Domains maintain continuity of service for Fabric OS features and operate in mixed-release Fabric OS environments. High availability is supported with some backward compatibility. When an E_Port comes online, the adjacent switches merge their AD databases. The receiving switch accepts an AD database from the neighboring switch only if the local AD database is empty or if the new AD database exactly matches both the defined and effective configurations of the local AD database.
Admin Domain management for physical fabric administrators 1. Log in to the switch with the appropriate RBAC role. 2. Ensure you are in the AD0 context by entering the ad show command to determine the current Admin Domain. If necessary, switch to the AD0 context by entering the ad select 0 command.
Admin Domain management for physical fabric administrators 5. Enter the ad create command using the -d option to specify device and switch port members and the -s option to specify switch members: ad --create ad_id -d "dev_list" -s "switch_list" 6. Enter the appropriate command based on whether you want to save or activate the Admin Domain definition: •...
Admin Domain management for physical fabric administrators Creating a new user account for managing Admin Domains 1. Connect to the switch and log in as admin. 2. Enter the userConfig add command using the -r option to set the role, the -a option to provide access to Admin Domains, and the -h option to specify the home Admin Domain.
Admin Domain management for physical fabric administrators Removing an Admin Domain from a user account When you remove an Admin Domain from an account, all of the currently active sessions for that account are logged out. 1. Connect to the switch and log in using an account assigned to the admin role. 2.
Admin Domain management for physical fabric administrators Deactivating an Admin Domain If you deactivate an Admin Domain, the members assigned to the Admin Domain can no longer access their hosts or storage unless those members are part of another Admin Domain. You cannot log in to an Admin Domain that has been deactivated.
Admin Domain management for physical fabric administrators 4. Enter the appropriate command based on whether you want to save or activate the Admin Domain definition: • To save the Admin Domain definition, enter ad save. • To save the Admin Domain definition and directly apply the definition to the fabric, enter apply.
Admin Domain management for physical fabric administrators ad --select 255 3. Enter the ad rename command with the present name and the new name. ad --rename present_name new_name 4. Enter the appropriate command based on whether you want to save or activate the Admin Domain definition: •...
Admin Domain management for physical fabric administrators Deleting all user-defined Admin Domains When you clear the Admin Domain configuration, all user-defined Admin Domains are deleted, the explicit membership list of AD0 is cleared, and all fabric resources (switches, ports, and devices) are returned to the implicit membership list of AD0.
Admin Domain management for physical fabric administrators where: source_AD Name of the user-defined AD from which you are copying the zone. source_name Name of the zone to be copied. dest_name Name to give the zone after it is copied to AD0. 4.
Admin Domain management for physical fabric administrators AD0_RedZone AD1_BlueZone AD2_GreenZone WWN2 WWN2 WWN5 WWN1 WWN3 WWN4 FIGURE 44 AD0 and two user-defined Admin Domains, AD1 and AD2 AD1_BlueZone AD2_GreenZone WWN2 WWN3 AD0_RedZone WWN4 WWN5 WWN1 FIGURE 45 AD0 with three zones sw0:admin>...
SAN management with Admin Domains 1. Connect to the switch and log in as admin. 2. Switch to the AD255 context, if you are not already in that context. ad --select 255 3. Enter the ad validate command. ad --validate ad_id -m mode If you do not specify any parameters, the entire AD database (transaction buffer, defined configuration, and effective configuration) is displayed.
SAN management with Admin Domains CLI commands in an AD context The CLI command input arguments are validated against the AD member list; they do not work with input arguments that specify resources that are not members of the current Admin Domain. All commands present filtered output, showing only the members of the current Admin Domain.
SAN management with Admin Domains • AD0-AD254 contexts: the membership of the current Admin Domain is displayed. • AD0: the device and switch list members are categorized into implicit and explicit member lists. 1. Connect to the switch and log in as any user type. 2.
SAN management with Admin Domains Example The following example switches to the AD12 context and back. Note that the prompt changes to display the Admin Domain. switch:admin> ad --select 12 switch:AD12:admin> logout switch:admin> Admin Domain interactions with other Fabric OS features The administrative domain feature provides interaction with other Fabric OS features and across third-party applications.
SAN management with Admin Domains TABLE 71 Admin Domain interaction with Fabric OS features (Continued) Fabric OS feature Admin Domain interaction FICON Admin Domains support FICON. However, you must perform additional steps because FICON management (CUP) requires additional physical control of the ports. You must set up the switch as a physical member of the FICON AD.
SAN management with Admin Domains “Validating a zone” on page 235 for instructions on using the zone validate command. For more information about the zone command and its use with Admin Domains, see the Fabric OS Command Reference. NOTE AD zone databases do not have an enforced size limit. The zone database size is calculated by the upper limit of the AD membership definition and the sum of all the zone databases for each AD.
SAN management with Admin Domains The auto-converted LSAN zone names might collide with LSAN zone names in AD0 (for example, in the above example, if AD0 contains lsan_for_linux_farm_AD005, this causes a name collision). Fabric OS does not detect or report such name clashes. LSAN zone names greater than 57 characters are not converted or sent to the FCR phantom domain.
Chapter Administering Licensing In this chapter • Licensing overview ..........359 •...
Licensing overview TABLE 73 Available Brocade licenses License Description 10GbE License This license enables the two 10GbE ports on the FX8-24. With this license, two additional operating modes (in addition to 10 1GbE ports mode) can be selected: • 10 1GbE ports and 1 10GbE port, or •...
Licensing overview TABLE 73 Available Brocade licenses License Description Brocade Extended Fabrics Provides greater than 10km of switched fabric connectivity at full bandwidth over long distances (depending on the platform this can be up to 3000km). Brocade Fabric Watch Monitors mission-critical switch operations. Fabric Watch includes Port Fencing capabilities.
Licensing overview TABLE 73 Available Brocade licenses License Description ICL 8-Link License Activates all eight links on ICL ports on a Brocade DCX-4S chassis or half of the ICL bandwidth for each ICL port on the Brocade DCX platform by enabling only eight links out of the sixteen links available.
Licensing overview TABLE 74 License requirements Feature License Where license should be installed FCIP FC-IP Services or Local and attached switches. License is needed on both sides of High Performance Extension over FCIP/FC tunnel. FCIP Trunking Advanced Extension Local and attached switches. Fibre Channel Routing Local and attached switches.
Licensing overview TABLE 74 License requirements Feature License Where license should be installed Port fencing Fabric Watch Local switch. Ports Ports on demand licenses. This license applies Local switch. to a select set of switches. Upgrade license for the 7500E and 7800 switches to use all ports.
The Brocade 7800 Upgrade License The Brocade 7800 has four Fibre Channel (FC) ports and two GbE ports active by default. The number of physical ports active on the Brocade 7800 is fixed. There is one upgrade license to activate the rest of the FC and GbE ports for a total of 16 FC ports and six GbE ports.
8G licensing ATTENTION This license is installed by default and you should not remove it. The 8 Gbps licensing applies to the Brocade 300, 5100, and 5300 switches and the 8 Gbps embedded switches. The following list describes the basic rules of using, adding, or removing 8G licenses.
Time-based licenses Removing a license from a slot To remove a Slot-based license from a blade slot and move the license to another slot, the following steps must be performed: 1. Connect to the switch and log in using an account assigned to the admin role. 2.
Universal Time-based licenses Configupload and download considerations The configDownload and configUpload commands download the legacy, enhanced, consumed capacities, and time-based licenses. Expired licenses Once a Time-based license has expired, you can view it through the licenseShow command. Expired licenses have an output string of ‘License has expired’. RASlog warning messages are generated every hour for licenses present in the database which have expired or which are going to expire in the next five days.
Viewing installed licenses Extending a license Extending a Universal Time-based license is done by adding a temporary license with expiry date after the Universal Time-based license expiry date, or by adding a permanent license. Re-applying an existing Universal Time-based license is not allowed. Deleting a license Universal Time-based licenses are always retained in the license database, and cannot be explicitly deleted.
Adding a licensed feature An information screen displays the license keys and you will receive an e-mail with the software license keys and installation instructions. Adding a licensed feature To enable a feature, go to the feature’s appropriate section in this manual. Enabling a feature on a switch may be a separate task from adding the license.
Removing a licensed feature Removing a licensed feature 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the licenseShow command to display the active licenses. 3. Remove the license key using the licenseRemove command. The license key is case-sensitive and must be entered exactly as given.
Ports on Demand TABLE 76 List of available ports when implementing PODs Platform Available user ports No POD license POD1 or POD2 present Both POD license present Brocade 300 0-15 0-23 Brocade 4100 0-15 0-23 0-31 Brocade 4900 0-31 0-47 0-63 Brocade 5000 0-15...
Ports on Demand 3. Install the Brocade Ports on Demand license. For instructions on how to install a license, see “Adding a licensed feature” on page 370. 4. Use the portEnable command to enable the ports. Alternatively, you can disable and re-enable the switch to activate ports. 5.
Ports on Demand Enabling Dynamic Ports on Demand If the switch is in the Static POD mode, then activating the Dynamic POD will erase any prior port license assignments the next time the switch is rebooted. The static POD assignments become the initial Dynamic POD assignments.
Ports on Demand switch:admin> licenseport --show 24 ports are available in this switch Full POD license is installed Static POD method is in use 24 port assignments are provisioned for use in this switch: 12 port assignments are provisioned by the base switch license 12 port assignments are provisioned by a full POD license 24 ports are assigned to installed licenses: 12 ports are assigned to the base switch license...
Ports on Demand Releasing a port from a POD set Releasing a port removes it from the POD set; the port appears as unassigned until it comes back online. Persistently disabling the port ensures that the port cannot come back online and be automatically assigned to a POD assignment.
End-to-end performance monitoring • ISL monitors measure the traffic transmitted through an InterSwitch Link (ISL) to different destination domains. • Top Talkers monitors measure the flows that are major consumers of bandwidth on a switch or port. The type of monitors supported depends on the switch model, as shown in Table 77. TABLE 77 Types of monitors supported on Brocade switch models...
End-to-end performance monitoring To enable end-to-end performance monitoring, you must configure an end-to-end monitor on a port, specifying the SID-DID pair (in hexadecimal). The monitor counts only those frames with matching SID and DID. Each SID or DID has the following three fields: •...
End-to-end performance monitoring Adding end-to-end monitors 1. Connect to the switch and log in as admin. 2. Enter the following command: perfaddeemonitor [slotnumber/]portnumber sourceID destID Figure 46 shows two devices: • Host A is connected to domain 5 (0x05), switch area ID 18 (0x12), AL_PA 0x00 on Switch X. •...
End-to-end performance monitoring Setting a mask for an end-to-end monitor End-to-end monitors count the number of words in Fibre Channel frames that match a specific SID/DID pair. If you want to match only part of the SID or DID, you can set a mask on the port to compare only certain parts of the SID or DID.
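The matching rule for an end-to-end monitor (count only frames whose SID and DID equal the configured pair, or, with a mask, whose selected fields equal it) is shown below in working form. This is an added example, not Fabric OS code: the 24-bit PID is split into its domain, area and AL_PA bytes, a monitor compares the masked SID and DID, and word counts are summed over matching frames. Host A's address (domain 5, area 0x12, AL_PA 0x00) is taken from the figure above; the target address, the frames and their word counts are constructed, and the per-field on/off mask representation is this example's own.

```python
"""End-to-end monitor matching: count the words of frames whose SID/DID
match a monitor, with an optional per-field mask (domain, area, AL_PA) so
that only part of the SID or DID is compared.

Added example, not Fabric OS code. HOST_A comes from the guide's figure;
TARGET_B, SAMPLE_FRAMES and the word counts are constructed.
"""
from dataclasses import dataclass

DOMAIN, AREA, ALPA = 0xFF0000, 0x00FF00, 0x0000FF   # the three 8-bit fields of a 24-bit PID


def pid(domain, area, alpa):
    """Assemble a 24-bit port ID from its domain, area and AL_PA fields."""
    if not all(0 <= v <= 0xFF for v in (domain, area, alpa)):
        raise ValueError("each PID field is one byte")
    return (domain << 16) | (area << 8) | alpa


def field_mask(domain=True, area=True, alpa=True):
    """Mask that compares only the selected fields (True = compare)."""
    return (DOMAIN if domain else 0) | (AREA if area else 0) | (ALPA if alpa else 0)


@dataclass(frozen=True)
class Frame:
    sid: int
    did: int
    words: int          # frame length in 4-byte words


@dataclass
class EEMonitor:
    sid: int
    did: int
    sid_mask: int = 0xFFFFFF
    did_mask: int = 0xFFFFFF

    def matches(self, f):
        """True when the masked SID and DID of the frame equal the monitor's."""
        return ((f.sid & self.sid_mask) == (self.sid & self.sid_mask)
                and (f.did & self.did_mask) == (self.did & self.did_mask))

    def count_words(self, frames, both_directions=False):
        """Sum the words of matching frames; optionally also count the reply
        direction (DID -> SID) of the same pair."""
        reverse = EEMonitor(self.did, self.sid, self.did_mask, self.sid_mask)
        return sum(f.words for f in frames
                   if self.matches(f) or (both_directions and reverse.matches(f)))


HOST_A = pid(0x05, 0x12, 0x00)      # from the guide's figure: domain 5, area 0x12, AL_PA 0
TARGET_B = pid(0x07, 0x08, 0x00)    # constructed

SAMPLE_FRAMES = [                   # constructed traffic seen on the monitored port
    Frame(HOST_A, TARGET_B, 100),
    Frame(TARGET_B, HOST_A, 40),
    Frame(pid(0x05, 0x12, 0x01), TARGET_B, 25),   # another AL_PA behind Host A's port
    Frame(HOST_A, pid(0x07, 0x08, 0x01), 10),     # another AL_PA behind the target's port
    Frame(pid(0x0A, 0x1F, 0x00), TARGET_B, 500),  # an unrelated host
]


def exact_count():
    """Full 24-bit SID and DID must match."""
    return EEMonitor(HOST_A, TARGET_B).count_words(SAMPLE_FRAMES)


def masked_count():
    """Ignore the AL_PA byte on both sides: whole port to whole port."""
    m = field_mask(alpa=False)
    return EEMonitor(HOST_A, TARGET_B, sid_mask=m, did_mask=m).count_words(SAMPLE_FRAMES)


if __name__ == "__main__":
    print(f"exact pair: {exact_count()} words, AL_PA ignored: {masked_count()} words")
```

The masked variant is the one to reach for when several logins (for example NPIV virtual N_Ports) sit behind one physical port and you want the port-to-port total rather than one login's share.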
Filter-based performance monitoring Deleting end-to-end monitors 1. Connect to the switch and log in as admin. 2. Enter the perfMonitorShow command to list the valid end-to-end monitor numbers for a port. 3. Enter the perfDelEEMonitor command to delete a specific monitor. If you do not specify which monitor number to delete, you are asked if you want to delete all entries.
Filter-based performance monitoring Virtual Fabrics considerations: Filter-based monitors are not supported on logical ISLs (LISLs), but are supported on ISLs and extended ISLs (XISLs). You can monitor filter-based performance using the perfMonitorShow command, as described in “Displaying monitor counters” on page 390. You can clear filter-based counters using the perfMonitorClear command, as described in “Clearing monitor counters”...
Filter-based performance monitoring To define a custom filter, you must specify a series of offsets, masks, and values. For all transmitted frames, the switch performs these tasks: • Locates the byte found in the frame at the specified offset. • Applies the mask to the byte found in the frame.
ISL performance monitoring Example switch:admin> perfaddusermonitor 4/2, "12, 0xff, 0x05, 0x08; 9, 0xff, 0x02" "FCP/IP" User monitor #5 added switch:admin> perfaddusermonitor 1/2, "0, 0xff, 6" User Monitor #6 added In this example, two filter-based monitors are added. The first monitor (#5) counts all FCP and IP frames transmitted from domain 0x02 for slot 4, port 2.
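To make the frame-matching rules of the end-to-end monitors (SID/DID pair with an optional mask) and the filter-based monitors (offset, mask, value) concrete, the following Python model is added here; it is example code, not from the Fabric OS guide or from Brocade. It assumes that filter offsets count the 4-byte SOF delimiter ahead of the 24-byte frame header, which is what places TYPE at offset 12 and the S_ID domain byte at offset 9 in the guide's example, and it reads ";" as AND between rules and a comma-separated list of values within one rule as OR. The names build_frame, EEMonitor, UserMonitor and run_demo are chosen here, and the sample frames are constructed.

```python
# Added example: a model of the frame matching done by Fabric OS end-to-end (SID/DID)
# and filter-based (offset/mask/value) performance monitors. Not Brocade code.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumption: filter offsets count from the first wire byte, so the 4-byte SOF
# delimiter precedes the 24-byte FC frame header. That puts TYPE at offset 12 and
# the S_ID domain byte at offset 9, matching the guide's example
# "12, 0xff, 0x05, 0x08; 9, 0xff, 0x02" (FCP and IP frames sent from domain 0x02).
SOF_LEN = 4

def build_frame(sid: int, did: int, fc_type: int, payload: bytes = b"") -> bytes:
    """Construct a minimal FC frame: SOF placeholder + 24-byte header + payload."""
    sof = b"\x00" * SOF_LEN                              # placeholder SOF bytes
    header = bytes([0x06]) + did.to_bytes(3, "big")      # R_CTL, D_ID
    header += b"\x00" + sid.to_bytes(3, "big")           # CS_CTL, S_ID
    header += bytes([fc_type]) + b"\x00\x00\x00"         # TYPE, F_CTL
    header += b"\x00" * 12                               # SEQ_ID .. PARAMETER
    return sof + header + payload

def sid_did(frame: bytes) -> Tuple[int, int]:
    """Return the 24-bit (S_ID, D_ID) pair from the frame header."""
    hdr = frame[SOF_LEN:SOF_LEN + 24]
    return int.from_bytes(hdr[5:8], "big"), int.from_bytes(hdr[1:4], "big")

def fc_words(frame: bytes) -> int:
    """4-byte words after the SOF; EE monitors report words, not frames."""
    return (len(frame) - SOF_LEN) // 4

@dataclass
class EEMonitor:
    """End-to-end monitor: SID/DID pair plus masks choosing which of the
    domain/area/AL_PA bytes are compared (0xFFFFFF compares all three)."""
    sid: int
    did: int
    sid_mask: int = 0xFFFFFF
    did_mask: int = 0xFFFFFF
    frames: int = 0
    words: int = 0

    def observe(self, frame: bytes) -> bool:
        sid, did = sid_did(frame)
        hit = ((sid & self.sid_mask) == (self.sid & self.sid_mask)
               and (did & self.did_mask) == (self.did & self.did_mask))
        if hit:
            self.frames += 1
            self.words += fc_words(frame)
        return hit

@dataclass
class UserMonitor:
    """Filter-based monitor: (offset, mask, values) rules. Every rule must hold
    (';' is AND); any value listed in a rule may match (',' is OR). That reading
    of the separators is inferred from the guide's example, not a documented grammar."""
    rules: List[Tuple[int, int, List[int]]] = field(default_factory=list)
    frames: int = 0

    @classmethod
    def from_spec(cls, spec: str) -> "UserMonitor":
        rules = []
        for part in spec.split(";"):
            fields = [int(x.strip(), 0) for x in part.split(",") if x.strip()]
            if len(fields) < 3:
                raise ValueError(f"rule needs offset, mask and a value: {part!r}")
            rules.append((fields[0], fields[1], fields[2:]))
        return cls(rules)

    def observe(self, frame: bytes) -> bool:
        for offset, mask, values in self.rules:
            if offset >= len(frame):
                return False                  # short frame: byte absent, no match
            if (frame[offset] & mask) not in {v & mask for v in values}:
                return False
        self.frames += 1
        return True

def run_demo() -> Dict[str, int]:
    """Run constructed frames through three monitors and return their counters."""
    frames = [
        build_frame(0x021200, 0x051200, 0x08, b"\x00" * 8),  # FCP, domain 2 -> domain 5
        build_frame(0x021300, 0x051200, 0x05),               # IP, domain 2, other area
        build_frame(0x031200, 0x051200, 0x08),               # FCP from domain 3
        build_frame(0x021200, 0x051200, 0x20),               # FC-CT from domain 2
    ]
    exact = EEMonitor(sid=0x021200, did=0x051200)
    by_domain = EEMonitor(sid=0x021200, did=0x051200, sid_mask=0xFF0000)  # domain-only SID mask
    fcp_ip = UserMonitor.from_spec("12, 0xff, 0x05, 0x08; 9, 0xff, 0x02")
    for f in frames:
        exact.observe(f)
        by_domain.observe(f)
        fcp_ip.observe(f)
    return {"ee_exact_frames": exact.frames, "ee_exact_words": exact.words,
            "ee_domain_frames": by_domain.frames, "ee_domain_words": by_domain.words,
            "user_fcp_ip_from_dom2": fcp_ip.frames}
```

Running run_demo() shows the effect of the SID mask: the exact monitor counts two of the four frames (14 words), the domain-only monitor also picks up the frame from a different area of domain 2 (three frames, 20 words), and the filter monitor built from the guide's spec counts exactly the FCP and IP frames from domain 0x02.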
Top Talker monitors Top Talker monitors Top Talker monitors determine the flows (SID/DID pairs) that are the major users of bandwidth (after initial stabilization). Top Talker monitors measure bandwidth usage data in real-time and relative to the port on which the monitor is installed. NOTE Initial stabilization is the time taken by a flow to reach the maximum bandwidth.
Top Talker monitors Adding a Top Talker monitor on an F_Port 1. Connect to the switch and log in as admin. 2. Enter the perfTTmon add command. perfttmon --add [egress | ingress] [slotnumber/]port For example, to monitor the incoming traffic on port 7: perfttmon --add ingress 7 To monitor the outgoing traffic on slot 2, port 4 on the Brocade 48000, Brocade DCX, or DCX-4S:...
Top Talker monitors Adding Top Talker monitors on all switches in the fabric (fabric mode) When fabric mode is enabled, you can no longer install Top Talker monitors on an F_Port unless you delete fabric mode. 1. Connect to the switch and log in as admin. 2.
Trunk monitoring The output is sorted based on the data rate of each flow. If you do not specify the number of flows to display, the command displays the top 8 flows or the total number of flows, whichever is less. The command can display a maximum of 32 flows. For example, to display the top 5 flows for domain 1 in WWN (default) format: perfttmon --show dom 1 5 To display the top flows on domain 2 in PID format:...
Displaying monitor counters Displaying monitor counters You can display the end-to-end, filter-based, or ISL monitors on a specified port. For end-to-end counters, you can display either the cumulative count of the traffic detected by the monitors or a snapshot of the traffic at specified intervals. 1.
Clearing monitor counters Example of displaying filter monitor information on a port
switch:admin> perfMonitorShow --class FLT 2/5
There are 7 filter-based monitors defined on port 21.
ALIAS        OWNER_APP   FRAME_COUNT          OWNER_IP_ADDR
-----------------------------------------------------------------
SCSI_Frame   TELNET      0x00000000002c2229
SCSI_WR      TELNET      0x000000000000464a
SCSI_RW      TELNET      0x000000000000fd8c
SCSI_RW      WEB_TOOLS   0x0000000000007ba3
...
Saving and restoring monitor configurations Saving and restoring monitor configurations To prevent the switch configuration flash from running out of memory, the number of monitors saved to flash memory is limited as follows: • The total number of EE monitors per port is limited to 16. •...
Top Talkers Top Talkers The Top Talkers feature provides real-time information about the top “n” bandwidth-consuming flows from a set of a large number of flows passing through a specific port in the network. You can use Top Talkers to identify the SID/DID pairs that consume the most bandwidth and can then configure them with certain QoS attributes so they get proper priority.
Traffic Isolation Routing Figure 49, all traffic entering Domain 1 from N_Ports 7 and 8 is routed through E_Port 1. Similarly, traffic entering Domain 3 from E_Port 9 is routed to E_Port 12, and traffic entering Domain 4 from E_Port 7 is routed to the devices through N_Ports 5 and 6. Traffic coming from other ports in Domain 1 would not use E_Port 1, but would use E_Port 2 instead.
Traffic Isolation Routing Additional considerations when disabling failover If failover is disabled, be aware of the following considerations: • This feature is intended for use in simple linear fabric configurations, such as that shown in Figure 49 on page 394. •...
Traffic Isolation Routing If the dedicated ISL is not the lowest cost path ISL, then the following rules apply: • If failover is enabled, the traffic path for the TI zone is broken, and TI zone traffic uses the lowest cost path instead. •...
Traffic Isolation Routing over FC routers [FIGURE 52 Dedicated path is not the shortest path: Domains 1, 2, 3 and 4; legend: Dedicated Path, Ports in the TI zone] NOTE For information about setting or displaying the FSPF cost of a path, see the linkCost and topologyShow commands in the Fabric OS Command Reference.
Traffic Isolation Routing over FC routers [FIGURE 53 Traffic isolation Routing over FCR: Edge fabric 1, Backbone fabric, Edge fabric 2; legend: Dedicated path set up by TI zone in edge fabric 1, Dedicated path set up by TI zone in edge fabric 2, Dedicated path set up by TI zone in backbone fabric] In addition to setting up TI zones, you must also ensure that the devices are in an LSAN zone so...
Traffic Isolation Routing over FC routers In the TI zone, when you designate E_Ports between the front and xlate phantom switches, you must use -1 in place of the “I” in the D,I notation. Both the front and xlate domains must be included in the TI zone.
General rules for TI zones Using D,I and port WWN notation, the members of the TI zone in Figure 55 are: (EX_Port for FC router 1) (VE_Port for FC router 1) (VE_Port for FC router 2) (EX_Port for FC router 2) 10:00:00:00:00:01:00:00 (Port WWN for the host) 10:00:00:00:00:02:00:00...
Supported configurations for Traffic Isolation Routing For example, in Figure 56, the TI zone was configured incorrectly and E_Port “3,9” was erroneously omitted from the zone. The domain 3 switch assumes that traffic coming from E_Port 9 is not part of the TI zone and so that traffic is routed to E_Port 11 instead of E_Port 12, if failover is enabled.
Limitations and restrictions of Traffic Isolation Routing TI over FCR is not backward compatible with Fabric OS v6.0.x or earlier. The -1 in the domain,index entries causes issues to legacy switches in a zone merge. Firmware downgrade is prevented if TI over FCR zones exist. Trunking with TI zones Note the following if you implement trunking and TI zones: •...
Virtual Fabric considerations for Traffic Isolation Routing TI zones can be created in a logical fabric like in regular fabrics, with the following exceptions: • The disable failover option is not supported in logical fabrics that use XISLs. • To create a TI zone for a logical fabric that uses XISLs, you must create two TI zones: one in the logical fabric and one in the base fabric.
Traffic Isolation Routing over FC routers with Virtual Fabrics You must also create and activate a TI zone in the base fabric to reserve the XISLs for the dedicated path. In Figure 57, the XISLs highlighted (by a dotted line) in the base fabric can be reserved for FID1 by defining and activating a base fabric TI zone that consists of ports 10, 12, 14, and 16.
Creating a TI zone [FIGURE 60 Example configuration for TI zones over FC routers in logical fabrics: LS2 (FID3), LS3 (FID1), Domains 1, 2, 3 and 6, two Base switches; legend: Dedicated Path, Ports in the TI zones] Figure 61 shows a logical representation of the configuration in Figure...
Creating a TI zone When you create a TI zone, you can set the state of the zone to activated or deactivated. By default the zone state is set to activated; however, this does not mean that the zone is activated. After you create the TI zone, you must enable the current effective configuration to enforce the new TI zone, which is either activated or deactivated.
Creating a TI zone To create a TI zone in the edge fabric with failover enabled and the state set to activated (default settings): switch:admin> zone --create -t ti bluezone -p "1,1; 1,8; 2,-1; 3,-1" To create a TI zone in the backbone fabric with failover enabled and the state set to activated (default settings): switch:admin>...
Modifying TI zones Modifying TI zones Using the zone add command, you can add ports to an existing TI zone, change the failover option, or both. Using the zone remove command, you can remove ports from existing TI zones. If you remove the last member of a TI zone, the TI zone is deleted.
Changing the state of a TI zone Changing the state of a TI zone You can change the state of a TI zone to activated or deactivated. Changing the state does not activate or deactivate the zone. After you change the state of the TI zone, you must enable the current effective configuration to enforce the change.
Displaying TI zones Displaying TI zones Use the zone show command to display information about TI zones. This command displays the following information for each zone: • zone name • E_Port members • N_Port members • configured status (the latest status, which may or may not have been activated by cfgEnable) •...
Setting up TI over FCR (sample procedure) Setting up TI over FCR (sample procedure) The following example shows how to set up TI zones over FCR to provide a dedicated path shown in Figure 62. In this example, three TI zones are created: one in each of the edge fabrics and one in the backbone fabric.
Setting up TI over FCR (sample procedure) b. Enter the following commands to create and display a TI zone: E1switch:admin> zone --create -t ti TI_Zone1 -p "4,8; 4,5, 1,-1; 6,-1" E1switch:admin> zone --show Defined TI zone configuration: TI Zone Name: TI_Zone1 Port List: 4,8;...
Setting up TI over FCR (sample procedure) Enter the following commands to reactivate your current effective configuration and enforce the TI zones. E2switch:admin> cfgactvshow Effective configuration: cfg: cfg_TI zone: lsan_t_i_TI_Zone1 10:00:00:00:00:00:02:00:00 10:00:00:00:00:00:03:00:00 10:00:00:00:00:00:08:00:00 E2switch:admin> cfgenable cfg_TI You are about to enable a new zoning configuration. This action will replace the old zoning configuration with the current configuration selected.
QoS: Ingress Rate Limiting QoS: Ingress Rate Limiting Ingress rate limiting is a licensed feature that requires the Adaptive Networking license. Ingress rate limiting restricts the speed of traffic from a particular device to the switch port. Use ingress rate limiting for the following situations: •...
QoS: SID/DID traffic prioritization QoS: SID/DID traffic prioritization SID/DID traffic prioritization is a licensed feature that allows you to categorize the traffic flow between a given host and target as having a high or low priority. For example, you could assign online transaction processing (OLTP) to high priority and backup traffic to low priority.
QoS: SID/DID traffic prioritization The flow id allows you to have control over the VC assignment and control over balancing the flows throughout the fabric. The id is from 1–5 for high priority traffic, which corresponds to VCs 10–14. For low priority traffic, the id is from 1–2, which corresponds to VCs 8 and 9. The id is optional; if it is not specified, the virtual channels are allocated using a round-robin scheme.
QoS: SID/DID traffic prioritization [FIGURE 64 QoS with E_Ports enabled: Domains 1, 2, 3 and 4; legend: Low priority, Medium priority, High priority, E_Ports with QoS enabled] You need to enable QoS on the E_Ports on both ISLs between Domain 3 and Domain 4 because either path might be selected to carry the traffic.
QoS: SID/DID traffic prioritization • QoS over FC routers is supported only in an edge-to-edge fabric configuration; it is not supported in a backbone-to-edge fabric configuration. You cannot prioritize the flow between a device in an edge fabric and a device in the backbone fabric. •...
QoS: SID/DID traffic prioritization High availability considerations for traffic prioritization If the standby CP is running a Fabric OS version earlier than 6.3.0 and is synchronized with the active CP, then QoS zones using D,I notation cannot be created. If the standby CP is not synchronized or if no standby CP exists, then the QoS zone creation succeeds.
QoS: SID/DID traffic prioritization • Traffic prioritization is not supported on 10 Gbps ISLs. • Traffic prioritization is not supported on mirrored ports. • Traffic prioritization is not supported over LSAN zones. The traffic is always medium priority in the ingress edge fabric, the backbone fabric, and the egress edge fabric. •...
QoS: SID/DID traffic prioritization NOTE For the Brocade 300, 5100, 5300, 5410, 5424, 5450, 5480, Brocade Encryption Switch, and the Brocade DCX and DCX-4S enterprise-class platform, QoS is enabled by default on all ports. If you use the portCfgQos command to enable QoS on a specific port, the port is toggled to apply this configuration, even though the port already has QoS enabled.
Bottleneck detection Setting traffic prioritization over FC routers 1. Connect to the switch in the edge fabric and log in as admin. 2. Create QoS zones in the edge fabric. The QoS zones must have WWN members only, and not D,I members. See “Setting traffic prioritization”...
Bottleneck detection NOTE Best practice is to turn bottleneck detection on for targets, and leave it on. Supported configurations for bottleneck detection Note the following configuration rules for bottleneck detection: • Bottleneck detection is supported only on Fibre Channel ports. •...
Bottleneck detection High availability considerations for bottleneck detection The bottleneck detection configuration (ports where enabled and thresholds) is maintained across a failover or reboot; however, bottleneck statistics collected are lost. Upgrade and downgrade considerations for bottleneck detection The configuration files for bottleneck detection are persistent across firmware upgrades and downgrades.
Bottleneck detection Example of enabling bottleneck detection (Preferred use case) The following example enables bottleneck detection on all F_ and FL_Ports in the switch with RASlog alerts using default values for threshold and time. switch:admin> bottleneckmon --enable -alert * The following example enables bottleneck detection on ports 3–7 using default values for threshold and time.
Bottleneck detection Changing bottleneck settings on a port Using the following procedure, you can change whether RASlog alerts are sent and the threshold, time, and quiet time options. You must first disable bottleneck detection on the port before you can change the settings.
Trunking overview Re-initializing ports for trunking is required after you install the license so that the ports know that trunking is enabled. You can enable or disable trunking for a single port or for an entire switch. For trunking to work, individual ports or the entire switch must be set at the same speed and at the same mode, for example, 2 Gbps, 4 Gbps, 8 Gbps, or autonegotiate.
Supported hardware Supported hardware Trunking is supported on the FC ports of all Brocade platforms and blades supported in Fabric OS v6.3.0. Recommendations for trunking groups To identify the most useful trunking groups, consider the following recommendations along with the standard guidelines for SAN design: •...
Basic trunk group configuration Basic trunk group configuration Re-initializing ports for trunking is required after you unlock the ISL Trunking license. You must re-initialize the ports being used for ISLs so that they recognize that trunking is enabled. This procedure only needs to be performed one time. To re-initialize the ports, you can either disable and then re-enable the switch, or disable and then re-enable the affected ports.
Basic trunk group configuration Displaying trunking information 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the trunkShow command. This example shows trunking groups 1, 2, and 3; ports 4, 13, and 14 are masters. switch:admin>...
Trunking over long distance fabrics Trunking over long distance fabrics In long-distance fabrics, if a port speed is set to autonegotiate, then the maximum speed, which is 8 Gbps, is assumed for reserving buffers for the port. If the port is only running at 2 Gbps, this wastes buffers.
F_Port trunking [TABLE 83 Trunking over distance for the Brocade 48000, DCX Backbone, and the DCX-4S; columns: Long distance mode, Distance, Number of 2 Gbps ports, Number of 4 Gbps ports; only fragments of the rows survived extraction (a 500 km entry and a Static distance entry marked "See note below")] NOTE The L0 mode supports up to 5 km at 2 Gbps, up to 2 km at 4 Gbps, and up to 1 km at 8 Gbps. The distance for the LS mode is static.
F_Port trunking • Keep in mind that F_Port trunking does not support shared area ports on the FC8-48 and FC4-48 blades in the Brocade 48000. F_Port trunking is supported in the shared area ports on the FC8-48 in the Brocade DCX and DCX-4S. Enabling F_Port trunking 1.
F_Port masterless trunking F_Port trunking considerations for Virtual Fabrics Following are the F_Port trunking considerations for virtual fabrics: • If a port is enabled for F_Port trunking, then you must disable the configuration before you can move a port from the logical switch. •...
F_Port masterless trunking F_Port trunking prevents reassignments of the Port ID (also referred to as the Address Identifier as described in Table 86 on page 442) when F_Ports go offline and it increases F_Port bandwidth. F_Port masterless trunking interoperates between AG 2 Gbps, 4 Gbps, and 8 Gbps-based platforms.
F_Port masterless trunking F_Port masterless trunking considerations Table 85 describes the F_Port trunking considerations. TABLE 85 F_Port masterless trunking considerations Category Description Area assignment You statically assign the area within the trunk group on the edge switch. That group is the F_Port masterless trunk. The static trunk area you assign must fall within the ASIC's trunk group of the switch or blade starting from port 0.
F_Port masterless trunking TABLE 85 F_Port masterless trunking considerations (Continued) Category Description portCfgTrunkPort port, 0 The portCfgTrunkPort port, 0 command will fail if a Trunk Area is enabled on a port. The port Trunk Area must be disabled first. switchCfgTrunk 0 The switchCfgTrunk 0 command will fail if a port has TA enabled.
F_Port masterless trunking TABLE 85 F_Port masterless trunking considerations (Continued) Category Description Routing Routing will route against the F_Port trunk master. Port and exchange-based routing is supported on the F_Port trunk masters. Bandwidth information will be modified accordingly as the F_Port trunk forms. NPIV Supported on F_Port master trunk.
F_Port masterless trunking [TABLE 86 Address identifier: the 24-bit Address Identifier is made up of the Domain ID (bits 23–16), the Area_ID (bits 15–8) and the Port ID (bits 7–0)] 1. Connect to the switch and log in using an account assigned to the admin role. 2.
F_Port masterless trunking Trunk ports should be turned on after issuing the secPolicyActivate command to prevent the ports from becoming disabled in the case where there is a DCC security policy violation. You can configure authentication on all three Brocade trunking configurations. For more information on authentication, see Chapter 7, “Configuring Advanced Security Features”.
Extended Fabrics device limitations Extended Fabrics device limitations Extended Fabrics is normally not implemented on the following devices: • 7600 and the FA4-18 blade - The 7600 and the FA4-18 blade have two Gigabit Ethernet ports and 16 FC ports. The two Gigabit Ethernet ports are for use by storage applications, and generally the FC ports on these devices are used to connect devices used by the storage applications.
Configuring an extended ISL Configuring an extended ISL Before configuring an extended ISL, ensure that the following conditions are met: • The ports on both ends of the ISL are operating at the same port speed, and can be configured at the same distance level without compromising local switch performance.
Buffer credit management Buffer credit management Buffer-to-buffer credit management affects performance over distances; therefore, allocating a sufficient number of buffer credits for long-distance traffic is essential to performance. To prevent a target device (either host or storage) from being overwhelmed with frames, the Fibre Channel architecture provides flow control mechanisms based on a system of credits.
Buffer credit management Optimal buffer credit allocation The optimal number of buffer credits is determined by the distance (frame delivery time), the processing time at the receiving port, link signaling rate, and the size of the frames being transmitted. As the link speed increases, the frame transmission time is reduced and the number of buffer credits must be increased to obtain full link utilization, even in a short-distance environment.
Buffer credit management Fibre Channel gigabit values reference definition Before you can calculate the buffer requirement, note the following Fibre Channel gigabit values reference definition: • 1.0625 for 1 Gbps • 2.125 for 2 Gbps • 4.25 for 4 Gbps •...
Buffer credit management NOTE The portCfgLongDistance command’s desired_distance parameter is the upper limit of the link distance and is used to calculate buffer availability for other ports in the same port group. When the measured distance exceeds the value of desired_distance, this value is used to allocate the buffers. In this case, the port operates in degraded mode instead of being disabled due to insufficient buffers.
Buffer credit management 24 = the number of user ports in a port group retrieved from Table 88 on page 455. 8 = the number of reserved credits for each user port. 676 = the number of buffer credits available in the port group. If you allocate the entire 484 + 8 (8 for the reserved buffers already allocated to that user port) = 492 buffers to a single port, you can calculate the maximum single port extended distance supported:...
Buffer credit management NOTE This formula does not work with LD mode because LD mode checks the distance and limits the estimated distance to the real value of 100 km. LS mode allows for the necessary desired_distance based on the data size entered, regardless of the distance. If buffer credit recovery is enabled, Fabric OS supports a BB_SC_N range of 1 to 15;...
Buffer credit management - 484 Buffer credits for each switch model Table 88 shows the total ports in a switch or blade, number of user ports in a port group, and the unreserved buffer credits available per port group. [TABLE 88 Buffer credits; columns: Switch/blade model, Total FC ports (per switch/blade), User port group size (per port group), Unreserved buffers]...
Buffer credit management [TABLE 88 Buffer credits (Continued); columns: Switch/blade model, Total FC ports (per switch/blade), User port group size (per port group), Unreserved buffers; rows only partly recovered: FS8-18 ... 1604; FX8-24 ... 1060] For the FC8-x blades, the first number in the Unreserved buffers column designates the number of unreserved buffers per port group in Brocade DCX and DCX-4S platforms;...
Integrated Routing Integrated Routing Integrated Routing is a licensed feature that allows 8-Gbps FC ports to be configured as EX_Ports supporting Fibre Channel routing. This license eliminates the need to add an FR4-18i blade to the Brocade DCX and DCX-4S, or to use the Brocade 7500 for FC-FC routing purposes. Using 8-Gbps ports for Fibre Channel routing provides double the bandwidth for each FCR connection (when connected to another 8-Gbps-capable port).
Fibre Channel routing concepts • Interfabric link (IFL) The link between an E_Port and EX_Port, or VE_Port and VEX_Port, is called an interfabric link (IFL). You can configure multiple IFLs from an FC router to an edge fabric. Figure 70 shows a metaSAN consisting of three edge fabrics connected through a Brocade DCX with interfabric links.
Fibre Channel routing concepts [FIGURE 71 A metaSAN with edge-to-edge and backbone fabrics and LSAN zones; figure labels: Edge fabric 1, Edge fabric 2, Edge fabric 3, Backbone fabric, IP cloud, FC router, E_Port, EX_Port, VE_Port, VEX_Port, LSAN] • Proxy device A proxy device is a virtual device imported into a fabric by a Fibre Channel router, and represents a real device on another fabric.
Fibre Channel routing concepts NOTE Backbone fabrics that share connections to the same edge fabrics must have unique backbone fabric IDs. • MetaSAN A metaSAN is the collection of all SANs interconnected with Fibre Channel routers. A simple metaSAN can be constructed using an FC router to connect two or more separate fabrics.
Fibre Channel routing concepts Proxy devices An FC router achieves interfabric device connectivity by creating proxy devices (hosts and targets) in attached fabrics that represent real devices in other fabrics. For example, a host in Fabric 1 can communicate with a target in Fabric 2 as follows: •...
Fibre Channel routing concepts To do so, at least one translate phantom domain is created in the backbone fabric. This translate phantom domain represents the entire edge fabric. The shared physical devices in the edge have corresponding proxy devices on the translate phantom domain. Each edge fabric has one and only one xlate domain to the backbone fabric.
Fibre Channel routing concepts [FIGURE 74 Sample topology (physical topology): Host, Target 1, Target 2, Target 3, Fabrics 1 through 4, FC routers 1 through 4] Figure 75 shows a phantom topology for the physical topology shown in Figure 74.
Setting up the FC-FC routing service All EX_Ports or VEX_Ports connected to an edge fabric use the same xlate domain ID number for an imported edge fabric; this value persists across switch reboots and fabric reconfigurations. If you lose connectivity to the edge fabric because of link failures or the IFL being disabled, xlate domains remain visible.
Setting up the FC-FC routing service 1. Log in to the switch or director as admin and enter the version command. Verify that Fabric OS v6.3.0 is installed on the FC router as shown in the following example. switch:admin> version Kernel: 2.6.14.2 Fabric OS:...
Backbone fabric IDs InteropMode: Off usage: InteropMode [0|2|3 [-z McDataDefaultZone] [-s McDataSafeZone]] 0: to turn interopMode off 2: to turn McDATA Fabric mode on Valid McDataDefaultZone: 0 (disabled), 1 (enabled) Valid McDataSafeZone: 0 (disabled), 1 (enabled) 3: to turn McDATA Open Fabric mode on If InteropMode is on, FC routing is not supported.
FCIP tunnel configuration In addition to ensuring that the backbone fabric IDs are the same within the same backbone, you must make sure that when two different backbones are connected to the same edge fabric, the backbone fabric IDs are different, but the edge fabric ID should be the same. Configuration of two backbones with the same backbone fabric ID that are connected to the same edge is invalid.
Interfabric link configuration If using FCIP in your FC-FC Routing configuration, you must first configure FCIP tunnels. Once a tunnel is created, it defaults to a disabled state. Then configure the VE_Port or VEX_Port. After the appropriate ports are configured, enable the tunnel. NOTE This section is applicable only to Fabric OS fabrics and does not apply to M-EOS fabrics.
Interfabric link configuration The following example configures the EX_Port (or VEX_Port) and assigns a Fabric ID of 30 to port 7. switch:admin> portcfgexport 7/10 -a 1 -f 30 switch:admin> portcfgexport 7/10 Port 7/10 info Admin: enabled State: NOT OK Pid format: Not Applicable Operate mode: Brocade Native...
Interfabric link configuration EX Port Mirror Port FC Fastwrite 8. After identifying such ports, enter the portCfgPersistentEnable command to enable the port, and then the portCfgShow command to verify the port is enabled. switch:admin> portcfgpersistentenable 7/10 switch:admin> portcfgshow 7/10 Area Number: Speed Level: AUTO Trunk Port...
FC Router port cost configuration • The router port cost does not help distinguish one IFL (or EX_ and VEX_Port link) from another, if all the IFLs are connected to the same port set. Therefore, if you connect IFL1 and IFL2 to the same edge fabric in port set 0–7 and then configure them to different router port costs, traffic is still balanced across all the IFLs in the same port set.
EX_Port frame trunking configuration 4. Enter the fcrRouterPortCost command with a port and slot number, to display the router port cost for a single EX_Port. switch:admin> fcrrouterportcost 7/10 Port Cost ------------------------ 7/10 1000 5. Enter the appropriate form of the fcrRouterPortCost command based on the task you want to perform: •...
EX_Port frame trunking configuration Masterless EX_Port trunking is supported only on EX_Ports in the following platforms: • Brocade DCX and DCX-4S (FC8-16, FC8-32, FC8-48, or FX8-24) • Brocade 5100 switch • Brocade 5300 switch For the Brocade DCX and DCX-4S, Virtual Fabrics must be enabled for masterless EX_Port trunking to take effect.
EX_Port frame trunking configuration Masterless EX_Port trunking has additional configuration requirements. See “Masterless EX_Port trunking” on page 478 for these additional requirements. NOTE QoS and EX_Port trunking can co-exist; however, if some ports in the trunk group have QoS enabled and some have QoS disabled, then two trunk groups will form: one with QoS enabled and one with QoS disabled.
LSAN zone configuration
ee1400 Online EX_Port (Trunk port, master is Slot 2 Port
ee1500 Online EX_Port (Trunk port, master is Slot 2 Port
ee1600 Online EX_Port (Trunk port, master is Slot 2 Port
ee1700 Online EX_Port 10:00:00:60:69:80:1d:bc "MtOlympus_72" (fabric id = 2 )(Trunk master)
LSAN zone configuration An LSAN consists of zones in two or more edge or backbone fabrics that contain the same devices.
LSAN zone configuration To enable device sharing across multiple fabrics, you must create LSAN zones on the edge fabrics (and optionally on the backbone fabric, as well), using normal zoning operations to create zones with names that begin with the special prefix “LSAN_”, and adding host and target port WWNs from both local and remote fabrics to each local zone as desired.
LSAN zone configuration 5. Enter the cfgAdd or cfgCreate and cfgEnable commands to add and enable the LSAN configuration. switch:admin> cfgadd "zone_cfg", "lsan_zone_fabric75" switch:admin> cfgenable "zone_cfg" You are about to enable a new zoning configuration. This action will replace the old zoning configuration with the current configuration selected.
LSAN zone configuration 2. Enter the fcrlsancount command and specify the new LSAN zone limit. switch:admin> fcrlsancount 5000 LSAN Zone Limit 5000 For information on how to display the maximum allowed and currently used LSAN zones and devices, see “Resource monitoring” on page 495.
LSAN zone configuration Use the Enforce tag to achieve better scalability in the FC router. This is useful when multiple FC routers are connected to the same edge fabric. Without the Enforce tag, all FC routers import all LSAN zones, even those that are not needed. Normally the FC router automatically accepts all zones with names that start with “lsan_”.
LSAN zone configuration The target proxies D1 and D2 are always present in the host fabric (edge fabric 2), even if the host is brought down. A target proxy is removed from the host fabric when the target device is offline. [Figure labels: Edge fabric 1, Edge fabric 2, Edge fabric 3]...
LSAN zone configuration 3. Enter the following command to create an Enforce LSAN tag: fcrlsan --add -enforce tagname where tagname is the name of the LSAN tag you want to create. 4. Enter the following command to enable the FC router: switchenable 5.
LSAN zone configuration Displaying the LSAN tag configuration 1. Log in to the FC router as admin. 2. Enter the fcrlsan show command. Example sw0:admin> fcrlsan --show -enforce Total LSAN tags : 1 ENFORCE : enftag1 sw0:admin> fcrlsan --show -speed Total SPEED tags : 1 SPEED : fasttag2 sw0:admin>...
FIGURE 77 LSAN zone binding
[Figure: LSAN zone 1 through LSAN zone 4 spanning Fabric 1 through Fabric 9, with router 1 through router 4 and the Backbone fabric]
How LSAN zone binding works
LSAN zone binding uses an FC router matrix, which specifies pairs of FC routers in the backbone fabric that can access each other, and an LSAN fabric matrix, which specifies pairs of edge fabrics that can access each other.
Now edge fabrics 1, 2, 3, 7, and 8 can access each other, and edge fabrics 4, 5, 6, and 9 can access each other; however, edge fabrics in one group cannot access edge fabrics in the other group.

   FCR:Admin> fcrlsanmatrix --add -lsan 10 19
   FCR:Admin> fcrlsanmatrix --apply -all

Viewing the LSAN zone binding matrixes
1. Log on to the FC router as admin.
2. Enter the following command to view the FC router matrix:

   fcrlsanmatrix --fabricview -fcr
3.
Fabric parameter considerations
By default, EX_Ports and VEX_Ports detect, autonegotiate, and configure the fabric parameters without user intervention. You can optionally configure these parameters manually. To change the fabric parameters on a switch in the edge fabric, execute the configure command. To change the fabric parameters of an EX_Port on the FC router, use the portCfgEXPort command.
Enabling broadcast frame forwarding
1. Log in to the FC router as admin.
2. Type the following command:

   fcr:admin> fcrbcastconfig --enable -f fabricID

   where fabricID is the FID of the edge or backbone fabric on which you want to enable broadcast frame forwarding.
FC-FC Routing and Virtual Fabrics
• EX_Ports can connect to a logical switch that is in the same chassis or a different chassis. However, the FID of the EX_Port must be set to a different value than the FID of the logical switch to which it connects.
[Figure: Physical chassis 1 and Physical chassis 2. Each holds a default logical switch (Logical switch 1 and Logical switch 5, Fabric ID 128) and a logical switch that allows XISL use (Logical switch 2 and Logical switch 6, Fabric ID 1); the two chassis are joined by a Logical ISL]
Backbone-to-edge routing with Virtual Fabrics
Since the base switch does not allow F_Ports, you cannot have devices connected to the base switch. Even though F_Ports are not allowed in the base switch, they are allowed in an FC router in legacy mode (Fabric OS v6.1.x or earlier, or Fabric OS v6.2.0 or later with Virtual Fabrics disabled).
How replacing port blades affects EX_Port configuration
If you replace an FR4-18i blade with an 8-Gbps port blade or FX8-24 blade, the EX_Port configuration remains the same for the first 16 ports on the 8-Gbps port blade (and for the first 12 FC ports on the FX8-24 blade).
Appendix Mixed Fabric Configurations for Non-merged SANs
In this appendix
• M-EOS fabrics overview ......... 501
• ...
M-EOS fabrics overview Fabric OS v5.1.0 and M-E/OSc v4.1.1, v5.1.2, 6.2.0 can interoperate through the FC routing capability of the SilkWorm AP7420 only. Fabric OS and M-E/OSc v7.1.3 can interoperate through the FC routing capability of the SilkWorm AP7420, Brocade 7500, or FR4-18i blade. Fabric OS and M-E/OSc v8.0.0 and v9.2.0 can interoperate through the FC routing capability of the Brocade 7500, or FR4-18i blade.
McDATA Mi10K interoperability
When an EX_Port is connected to an M-EOS edge fabric, the front domain ID must be within a range the edge M-Series switch can understand. Valid values are:
• McDATA Native mode: 1 – 31
• ...
You can display the current operational mode of the EX_Port by issuing the portCfgExPort command with the port number as the only parameter. The following command sequence is an example to connect port 5 to an M-EOS fabric in McDATA Fabric Mode:

   switch:admin> ...

   FC Router BB Fabric ID: 1
   Index Slot Port Address Media Speed State Proto
   ===================================================
   037000 No_Light Disabled (Persistent)
   037100 No_Light Disabled (Persistent)
   037200 No_Light Disabled (Persistent)
   037300 No_Light Disabled (Persistent)
   037400 No_Light Disabled (Persistent)
   037500 No_Light Disabled (Persistent)
   037600 ...

   switchId: fffc03
   switchWwn: 10:00:00:60:69:e4:00:86
   zoning: ON (test)
   switchBeacon:
   blade3 Beacon:
   blade8 Beacon:
   blade10 Beacon:
   FC Router:
   FC Router BB Fabric ID:
   Index Slot Port Address Media Speed State Proto
   ===================================================
   037000 No_Light Disabled (Persistent)
   037100 No_Light Disabled (Persistent)
   037200 No_Light ...
   67: fffc43 10:00:00:60:69:10:60:1f 192.168.64.187 0.0.0.0 "sw187"
   The Fabric has 4 switches

You can use DCFM to gather similar information for the M-EOS fabric. See the EFC Manager Software User Manual for information on using DCFM. When you have configured the FC router to connect to a fabric, you must create LSAN zones for the SAN.
   switch:admin> fcrproxydevshow
   Proxy Proxy Device Physical State Created Exists in Fabric in Fabric
   ----------------------------------------------------------------------------
   20:00:00:01:73:00:59:dd 05f001 610902 Imported
   21:00:00:e0:8b:04:80:76 02f002 340713 Imported
   50:06:01:68:40:04:d3:95 02f001 660713 Imported
   10:00:00:00:c9:2d:3d:5c 020001 011500 Imported

6. Connect to the switch and configure the connection to capture console output.
7.

6. Log in to the Fabric OS edge fabric switch and enter the nsAllShow or the nsCamShow command.

   edgeswitch:admin> nsallshow
   010e00 020000 03f001 04f002
   4 Nx_Ports in the Fabric }
   edgeswitch:admin> nscamshow
   nscam show for remote switches:
   Switch entry for 1
   state owner ...
   50:06:01:60:38:e0:0b:a4
   10:00:00:00:c9:44:54:04

7. Log in to the FC router and run the lsanZoneShow -s command to verify FIDs and devices to be shared among LSANs.
Internal Ethernet devices
During the switch initialization process, a new internal Ethernet device is created. The devices created are inbd0 and inbd1. Ethernet device inbd0 is used to communicate through GE port 1 and inbd1 is used to communicate through GE port 0. These new Ethernet interfaces are internal only and are not accessible from outside the switch.
IP address and routing management
... specified gateway. If no gateway is specified, it is assumed that the management station is on the same subnet as the external GE IP address, so no route is created on the GE port processor. Only a route on the CP is created with the internal GE port processor inband device address as the gateway.
Viewing inband management IP addresses and routes
The portShow inbandmgmt command displays the addresses that are currently configured for that GE port number and a status of Inband Management (Enabled/Disabled). To display the routing table, use the existing portShow iproute command. There is a status flag for the IP routes to signify if a route is used for the management interfaces.
Examples of supported configurations
FIPS
To maintain security while in FIPS mode, these devices will not function if FIPS mode is enabled. If these devices are configured and you try to enter FIPS mode, an error will occur. You must delete the configuration of these devices prior to entering FIPS mode.
3. Configure the routes on the Management Station.
   a. Add the route on the Management Station that is going to the 7500 L1.

      linux> route add -host 10.1.1.10 gw 192.168.3.10

   b. Add the route on the Management Station that is going to the 7500 R1.

      linux> ...

   a. Configure the internal addresses for the inbd devices for CP and GE port (GE port 0 for this example):

      switch:admin> portcfg inbandmgmt ge0 ipaddrset cp 192.168.255.1 255.255.255.0
      switch:admin> portcfg inbandmgmt ge0 ipaddrset ge 192.168.255.2 255.255.255.0

   b.
Appendix Port Indexing In this appendix Table 95 shows the area ID and index mapping for core PID assignment for the Brocade 48000 and the Brocade DCX enterprise-class platform. There are up to 255 areas and the area_ID mapping to the index is one-to-one. Beyond this, the index is similar but not exact, and in some instances, the area ID is shared among multiple ports.
TABLE 95 Default index/area_ID core PID assignment with no port swap (Continued)
[Table columns: Port on blade; Idx/area for Slot 1, Slot 2, Slot 3, Slot 4, Slot 7, Slot 8, Slot 9, Slot 10 (48K). Row values not recovered.]
This table provides the area_ID/index assignment for the maximum number of ports (used by the FC4-48 and FC8-48 blades). If your blade does not have the maximum number of ports, use the lower sections of the table to determine the area_ID and index.

TABLE 96 Default index/area_ID core PID assignment with no port swap for the Brocade DCX-4S (Continued)

   Slot 1     Slot 2     Slot 7     Slot 8
   Idx/area   Idx/area   Idx/area   Idx/area
   14/14      78/78      142/142    206/206
   13/13      77/77      141/141    205/205
   12/12      76/76      140/140    204/204
   11/11      ...

   (The "Port on blade" column was not recovered from the page.)
Zeroization functions

TABLE 97 Zeroization Behavior

   Keys               Zeroization CLI    Description
   FCAP Private Key   pkiremove          The pkiCreate command creates the keys, and pkiremove removes/zeroizes the keys.
   SSH Session Key    No CLI required    This is generated for each SSH session that is established to and from the host.
FIPS mode configuration
By default, the switch comes up in non-FIPS mode. You can run the fipsCfg enable fips command to enable FIPS mode, but you need to configure the switch first. Self-tests mode must be enabled before FIPS mode can be enabled.
LDAP in FIPS mode
You can configure your Microsoft Active Directory server to use LDAP while in FIPS mode. There is no option provided on the switch to configure TLS ciphers for LDAP in FIPS mode. However, the LDAP client checks if FIPS mode is set on the switch and uses the FIPS-compliant TLS ciphers for LDAP.
2. Configure the DNS on the switch by using the dnsConfig command.

Example of setting the DNS

   switch:admin> dnsconfig
   Enter option
   1 Display Domain Name Service (DNS) configuration
   2 Set DNS configuration
   3 Remove DNS configuration
   4 Quit
   Select an item: (1..4) [4] 2
   Enter Domain Name: [] domain.com
   Enter Name Server IP address in dot notation: [] 123.123.123.123
   ...
LDAP certificates for FIPS mode
To utilize the LDAP services for FIPS between the switch and the host, you must generate a CSR on the Active Directory server and import and export the CA certificates. To support server certificate validation, it is essential to have the CA certificate installed on the switch and Active Directory server.
Preparing the switch for FIPS
1. Connect to the switch and log in as admin.
2. Enter the secCertUtil delete -ldapcacert <file_name> command, where <file_name> is the name of the LDAP certificate on the switch.

Example of deleting an LDAP CA certificate

   switch:admin> ...
   • If the switch is set for LDAP, refer to the instructions in “Setting up LDAP for FIPS mode” on page 526.
3. Optional: Set the authentication protocols.
   a. Type the following command to set the hash type used by the authentication protocols DHCHAP and FCAP, which otherwise use MD5:

      authutil --set -h sha1

   b.
   Configure...
   System services (yes, y, no, n): [no]
   …
   cfgload attributes (yes, y, no, n): [no] yes
   Enforce secure config Upload/Download (yes, y, no, n): [no]
   Enforce firmware signature validation (yes, y, no, n): [no] yes
8.
Displaying FIPS configuration
1. Log in to the switch using an account assigned the admin or securityAdmin role.
2. Type the command fipsCfg showall.
Appendix Hexadecimal
In this appendix
• Hexadecimal overview ......... 533

Hexadecimal overview
Hexadecimal, or simply hex, is a numeral system with a base of 16, usually written using unique symbols 0–9 and A–F, or a–f.
   00 = Port (ALPA) = 0 (not used in this instance, but is used in loop, NPIV, and Access Gateway devices)

Result: hexadecimal triplet 610600 = decimal triplet 97,06,00

TABLE 101 Decimal to Hexadecimal conversion table
[Table: decimal values with their hexadecimal equivalents; values not recovered from the page.]
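As an added example (not code from the Fabric OS guide), the conversion described above carried out in code: a 24-bit port ID such as 610600 is split into its domain, area and ALPA bytes, and the PIDs printed by nsallshow earlier on this page are decoded the same way. The nsallshow text embedded below is a constructed sample copied from that listing.

```python
# Added example: decode Fibre Channel 24-bit port IDs (PIDs) into the
# domain / area / ALPA bytes the hex appendix walks through by hand.
from dataclasses import dataclass
import re

_PID_RE = re.compile(r"^[0-9a-fA-F]{6}$")


@dataclass(frozen=True)
class PortId:
    domain: int  # high byte: switch domain ID
    area: int    # middle byte: area ID (port on the switch)
    alpa: int    # low byte: ALPA, 0 for an N_Port; non-zero for loop/NPIV/AG

    def as_decimal_triplet(self) -> str:
        """Render like the guide's worked case: 610600 -> 97,06,00."""
        return f"{self.domain:02d},{self.area:02d},{self.alpa:02d}"

    def as_hex(self) -> str:
        return f"{self.domain:02x}{self.area:02x}{self.alpa:02x}"


def decode_pid(pid_hex: str) -> PortId:
    """Split a six-hex-digit PID into its three bytes; reject anything else."""
    if not _PID_RE.match(pid_hex):
        raise ValueError(f"not a 24-bit hex PID: {pid_hex!r}")
    value = int(pid_hex, 16)
    return PortId(domain=value >> 16, area=(value >> 8) & 0xFF, alpa=value & 0xFF)


def parse_nsallshow(output: str) -> list[PortId]:
    """Extract every PID from nsallshow output; braces and the summary line are skipped."""
    pids = []
    for line in output.splitlines():
        if "Nx_Ports" in line:
            continue
        for token in line.replace("{", " ").replace("}", " ").split():
            pids.append(decode_pid(token))
    return pids


def domains_in_fabric(pids: list[PortId]) -> set[int]:
    """Domain IDs seen in the listing, e.g. to compare against a front-domain range."""
    return {p.domain for p in pids}


# Constructed sample: the nsallshow listing quoted on this page.
SAMPLE_NSALLSHOW = """{
 010e00 020000 03f001 04f002
4 Nx_Ports in the Fabric }"""

if __name__ == "__main__":
    print(decode_pid("610600").as_decimal_triplet())  # 97,06,00
    for p in parse_nsallshow(SAMPLE_NSALLSHOW):
        print(p.as_hex(), "->", p)
```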