Brocade Communications Systems 1606 Administrator's Manual

Fabric OS Administrator's Guide v6.4.0 (53-1001763-01, June 2010)

53-1001763-01
30 March 2010
Fabric OS
Administrator's Guide
Supporting Fabric OS v6.4.0


Summary of Contents for Brocade Communications Systems 1606

  • Page 1 53-1001763-01 ® 30 March 2010 Fabric OS Administrator’s Guide Supporting Fabric OS v6.4.0...
  • Page 2 Copyright © 2005-2010 Brocade Communications Systems, Inc. All Rights Reserved. Brocade, the B-wing symbol, BigIron, DCX, Fabric OS, FastIron, IronPoint, IronShield, IronView, IronWare, JetCore, NetIron, SecureIron, ServerIron, StorageX, and TurboIron are registered trademarks, and DCFM, Extraordinary Networks, and SAN Health are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries.
  • Page 3 Title Publication number Summary of changes Date Fabric OS Administrator’s Guide 53-1000043-02 Removed SilkWorm 4016 and 4020 June 2006 from supported switches; FCIP chapter updates. Fabric OS Administrator’s Guide 53-1000239-01 Revised for Fabric OS v5.2.0 features. September 2006 Added new hardware platforms: Brocade FC4-48 and FC4-16IP.
  • Page 4 Fabric OS Administrator’s Guide 53-1001763-01...
  • Page 5: Table Of Contents

    Contents. About This Document: In this chapter (xxxiii); How this document is organized ...
  • Page 6 Device login (10); Principal switch ...
  • Page 7 Chapter 3, Performing Advanced Configuration Tasks: In this chapter (35); PIDs and PID binding overview ...
  • Page 8 Chapter 4, Routing Traffic: About this chapter (63); Routing overview ...
  • Page 9 Password policies (91); Password strength policy ...
  • Page 10 Chapter 7, Configuring Security Policies: In this chapter (133); ACL policies overview ...
  • Page 11 Policy database distribution (158); Database distribution settings (159); ACL policy distribution to other switches ...
  • Page 12 Firmware download on switches (194); Switch firmware download process overview (194); Firmware download on an enterprise-class platform ...
  • Page 13 Deleting a logical switch (228); Adding and removing ports on a logical switch (229); Displaying logical switch configuration ...
  • Page 14 Zoning configurations (253); Creating a zoning configuration (254); Adding zones (members) to a zoning configuration ...
  • Page 15 Deleting a TI zone (286); Displaying TI zones ...
  • Page 16 E_Port authentication between Fabric OS and M-EOS switches (311); Switch authentication policy (313); Dumb switch authentication ...
  • Page 17 Admin Domain management for physical fabric administrators (344); Setting the default zoning mode for Admin Domains (344); Creating an Admin Domain (345); User assignments to Admin Domains ...
  • Page 18 Viewing installed licenses (375); Activating a license (375); Adding a licensed feature ...
  • Page 19 Performance data collection (399); Chapter 18, Optimizing Fabric Behavior: In this chapter (401); Adaptive Networking overview ...
  • Page 20 Basic trunk group configuration (428); Re-initializing ports for trunking (428); Enabling Trunking on a port ...
  • Page 21 Fibre Channel routing concepts (457); Proxy devices (461); Routing types ...
  • Page 22 M-EOS fabrics overview (497); McDATA Mi10K interoperability (499); Fabric configurations for interconnectivity ...
  • Page 23 Preparing the switch for FIPS (527); Overview of steps (527); Enabling FIPS mode ...
  • Page 25 Figures: Figure 1, Well-known addresses (3); Figure 2, Identifying the blades ...
  • Page 26 Figure 37, Dedicated path is not the shortest path (271); Figure 38, Enhanced TI zones ...
  • Page 27 Figure 79, Inband Management process (506); Figure 80, Management Station on same subnet ...
  • Page 29 Tables: Table 1, Daemons that are automatically restarted (13); Table 2, Default administrative account names and passwords ...
  • Page 30 Table 36, Supported policy databases (159); Table 37, Fabric-wide consistency policy settings ...
  • Page 31 Table 76, Configuration upload and download scenarios in an AD context (362); Table 77, Available Brocade licenses (366); Table 78, License requirements ...
  • Page 33: About This Document

    About This Document In this chapter • How this document is organized (xxxiii) •...
  • Page 34: Supported Hardware And Software

    • Chapter 11, “Administering Advanced Zoning,” provides procedures for use of the Brocade Advanced Zoning feature. • Chapter 12, “Traffic Isolation Zoning,” provides concepts and procedures for use of Traffic Isolation Zones within a fabric. • Chapter 13, “Administering NPIV,” provides procedures for enabling and configuring N-Port ID Virtualization (NPIV).
  • Page 35: What's New In This Document

    • Brocade 5424 embedded switch • Brocade 5460 embedded switch • Brocade 5470 embedded switch • Brocade 5480 embedded switch • Brocade 7500 extension switch • Brocade 7500E extension switch • Brocade 7600 application appliance • Brocade 7800 extension switch •...
  • Page 36: Command Syntax Conventions

    Text formatting The narrative-text formatting conventions that are used are as follows: bold text Identifies command names Identifies the names of user-manipulated GUI elements Identifies keywords and operands Identifies text to enter at the GUI or CLI italic text Provides emphasis Identifies variables Identifies paths and Internet addresses Identifies document titles...
  • Page 37: Notice To The Reader

    CAUTION A Caution statement alerts you to situations that can be potentially hazardous to you or cause damage to hardware, firmware, software, or data. DANGER A Danger statement indicates conditions or situations that can be potentially lethal or extremely hazardous to you. Safety labels are also attached directly to products to warn of these conditions or situations.
  • Page 38: Getting Technical Help

    For practical discussions about SAN design, implementation, and maintenance, you can obtain Building SANs with Brocade Fabric Switches through: http://www.amazon.com For additional Brocade documentation, visit the Brocade SAN Info Center and click the Resource Library location: http://www.brocade.com Release notes are available on the My Brocade web site and are also bundled with the Fabric OS firmware.
  • Page 39: Document Feedback

    • Brocade 5424 — On the bottom of the switch module. • Brocade 4100, 4900, and 7500 — On the switch ID pull-out tab located inside the chassis on the port side on the left. • Brocade 5000 — On the switch ID pull-out tab located on the bottom of the port side of the switch •...
  • Page 41: Standard Features

    Section Standard Features This section describes standard Fabric OS features, and includes the following chapters: • Chapter 1, “Understanding Fibre Channel Services” • Chapter 2, “Performing Basic Configuration Tasks” • Chapter 3, “Performing Advanced Configuration Tasks” • Chapter 4, “Routing Traffic” •...
  • Page 43: Understanding Fibre Channel Services

    Chapter Understanding Fibre Channel Services In this chapter • Fibre Channel services overview (3) •...
  • Page 44: The Management Server

    The Management Server Management Server — The Management Server provides a single point for managing the fabric. The only service that is user-configurable is the Management Server. Alias Server — The Alias Server keeps a group of nodes registered as one name to handle multicast groups.
  • Page 45: Platform Services In A Virtual Fabric

    Management server database Platform services in a Virtual Fabric Each logical switch has a separate Platform Database. All platform registrations done to a logical switch are valid only in that particular logical switch’s Virtual Fabric. Activating the platform services on a switch or enterprise-class platform will activate platform services on all logical switches in a Virtual Fabric.
  • Page 46: Displaying The Management Server Acl

    Management server database NOTE The management server is logical switch-capable. All management server features are supported within a logical switch. Displaying the management server ACL 1. Connect to the switch and log in using an account assigned to the admin role. 2.
  • Page 47: Deleting A Member From The Acl

    Management server database Port/Node WWN (in hex): [00:00:00:00:00:00:00:00] 20:00:00:20:37:65:ce:aa *WWN is successfully added to the MS ACL. Done Display the access list Add member based on its Port/Node WWN Delete member based on its Port/Node WWN select : (0..3) [2] 1 MS Access List consists of (14): { 20:00:00:20:37:65:ce:aa 20:00:00:20:37:65:ce:bb...
  • Page 48: Viewing The Contents Of The Management Server Database

    Management server database Delete member based on its Port/Node WWN select : (0..3) [1] 3 Port/Node WWN (in hex): [00:00:00:00:00:00:00:00] 10:00:00:00:c9:29:b3:84 *WWN is successfully deleted from the MS ACL. Done Display the access list Add member based on its Port/Node WWN Delete member based on its Port/Node WWN select : (0..3) [3] 1 MS Access list is empty...
  • Page 49: Topology Discovery

    Topology discovery Topology discovery The topology discovery feature can be displayed, enabled, and disabled; it is disabled by default. The commands mstdEnable and mstdDisable are allowed only in AD0 and AD255. Displaying topology discovery status 1. Connect to the switch and log in as admin. 2.
  • Page 50: Device Login

    Device login *MS Topology Discovery disabled locally. switch:admin> mstddisable all This may erase all NID entries. Are you sure? (yes, y, no, n): [no] y Request to disable MS Topology Discovery Service in progress..*MS Topology Discovery disabled locally. *MS Topology Discovery Disable Operation Complete!! Device login A device can be a storage device, host, or switch.
  • Page 51: Fabric Login

    Device login parameters do not match, a link will not occur. Once an SW_ACC frame is received from the principal switch, the new switch sends an Exchange Switch Capabilities (ESC) frame. The two switches exchange routing protocols and agree on a common routing protocol. An SW_ACC frame is received from the principal switch and the new switch sends an Exchange Fabric Parameters (EFP) frame to the principal switch, requesting principal switch priority and the domain ID list.
  • Page 52: Rscn Causes

    High availability of daemon processes The Fibre Channel protocol (FCP) auto discovery process enables private storage devices that accept the process login (PRLI) to communicate in a fabric. If device probing is enabled, the embedded performs a PLOGI and attempts a PRLI into the device to retrieve information to enter into the Name Server.
  • Page 53: Table 1 Daemons That Are Automatically Restarted

    High availability of daemon processes Schedule downtime and reboot the switch at your convenience. Table 1 lists the daemons that are considered non-critical and are automatically restarted on failure. TABLE 1 Daemons that are automatically restarted Daemon Description arrd Asynchronous Response Router, which is used to send management data to hosts when the switch is accessed through the APIs (FA API or SMI-S).
  • Page 55: Performing Basic Configuration Tasks

    Chapter Performing Basic Configuration Tasks In this chapter • Fabric OS overview (15) •...
  • Page 56: Fabric Os Command Line Interface

    Fabric OS command line interface Although many different software and hardware configurations are tested and supported by Brocade Communications Systems, Inc., documenting all possible configurations and scenarios is beyond the scope of this document. In some cases, earlier releases are highlighted to present considerations for interoperating with them.
  • Page 57: Telnet Or Ssh Sessions

    Fabric OS command line interface • In a UNIX environment, enter the following string at the prompt: tip /dev/ttyb -9600 If ttyb is already in use, use ttya instead and enter the following string at the prompt: tip /dev/ttya -9600 Telnet or SSH sessions Connect to the Fabric OS through a Telnet or SSH connection or through a console session on the serial port.
  • Page 58: Getting Help On A Command

    Password modification 4. From a management station, open a Telnet connection using the IP address of the switch to which you want to connect. The login prompt is displayed when the Telnet connection finds the switch in the network. 5. Enter the account ID at the login prompt. “Password modification”...
  • Page 59: Default Account Passwords

    Password modification NOTE The default account passwords can be changed from their original value only when prompted immediately following the login; the passwords cannot be changed using the passwd command later in the session. If you skip the prompt, and then later decide to change the passwords, log out and then back in.
  • Page 60: The Ethernet Interface On Your Switch

    The Ethernet interface on your switch The Ethernet interface on your switch The Ethernet (network) interface provides management access, including direct access to the Fabric OS CLI, and allows other tools, such as Web Tools, to interact with the switch. You can use either Dynamic Host Configuration Protocol (DHCP) or static IP addresses for the Ethernet network interface configuration.
  • Page 61: Displaying The Network Interface Settings

    The Ethernet interface on your switch Displaying the network interface settings If an IP address has not been assigned to the network interface (Ethernet), you must connect to the Fabric OS CLI using a console session on the serial port. For more information, see “Console sessions using the serial port”...
  • Page 62: Static Ethernet Addresses

    The Ethernet interface on your switch Static Ethernet addresses Use static Ethernet network interface addresses on Brocade 48000 directors and Brocade DCX and DCX-4S enterprise-class platforms, and in environments where DHCP service is not available. To use static addresses for the Ethernet interface, you must first disable DHCP. You can enter static Ethernet information and disable DHCP at the same time.
  • Page 63: Dhcp Activation

    The Ethernet interface on your switch Setting the static addresses for the chassis IP management interface 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the ipAddrSet -chassis command. Example of setting the chassis IPv4 address switch:admin>...
  • Page 64: Ipv6 Autoconfiguration

    The Ethernet interface on your switch Example of enabling DHCP switch:admin> ipaddrset Ethernet IP Address [10.1.2.3]: Ethernet Subnetmask [255.255.255.0]: Fibre Channel IP Address [220.220.220.2]: Fibre Channel Subnetmask [255.255.0.0]: Gateway IP Address [10.1.2.1]: DHCP [Off]:on Disabling DHCP When you disable DHCP, enter the static Ethernet IP address and subnet mask of the switch and default gateway address.
  • Page 65: Date And Time Settings

    Date and time settings There are two methods of autoconfiguration for IPv6 addresses, stateless and stateful. Stateless allows an IPv6 host to obtain a unique address using the IEEE 802 MAC address; stateful uses a DHCPv6 server which keeps a record of the IP address and other configuration information for the host.
  • Page 66: Time Zone Settings

    Date and time settings date "mmddHHMMyy" The values represent the following: • mm is the month; valid values are 01 through 12. • dd is the date; valid values are 01 through 31. • HH is the hour; valid values are 00 through 23. •...
  • Page 67: Network Time Protocol

    Date and time settings Setting the time zone The following procedure describes how to set the time zone for a switch. You must perform the procedure on all switches for which the time zone must be set. However, you only need to set the time zone once on each switch because the value is written to nonvolatile memory.
  • Page 68: Domain Ids

    Domain IDs In a Virtual Fabric, all the switches in the fabric must have the same NTP clock server configured. This includes any pre-Fabric OS v6.2.0 switches in the fabric. This ensures that time does not go out of sync in the logical fabric. It is not recommended to have LOCL in the server list. When a new switch enters the fabric, the time server daemon of the principal or primary FCS switch sends out the addresses of all existing clock servers and the time to the new switch.
  • Page 69: Displaying The Domain Ids

    Domain IDs If a switch has a domain ID when it is enabled, and that domain ID conflicts with another switch in the fabric, the conflict is automatically resolved if the other switch’s domain ID is not persistently set. The process can take several seconds, during which time traffic is delayed. If both switches have their domain IDs persistently set, one of them will need to have its domain ID changed to a domain ID not used within the fabric.
  • Page 70: Setting The Domain Id

    Switch names Enet IP Addr The switch’s Ethernet IP address for IPv4- and IPv6-configured switches. For IPv6 switches, only the static IP address displays. FC IP Addr The switch’s Fibre Channel IP address. Name The switch’s symbolic or user-created name in quotes. An arrow (>) indicates the principal switch.
  • Page 71: Chassis Names

    Chassis names Chassis names Brocade recommends that you customize the chassis name for each platform. Some system logs identify devices by platform names; if you assign meaningful platform names, logs are more useful. All chassis names have a limit of 15 characters, except for the Brocade 300, 5100, 5300, and VA-40FC switches, and the 5410, 5424, 5450, and 5480 embedded switches, which allow 31 characters.
  • Page 72: Powering Off A Brocade Switch

    Switch and enterprise-class platform shutdown Powering off a Brocade switch The following procedure describes how to gracefully shut down a switch. 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the sysShutdown command. 3.
  • Page 73: Basic Connections

    Basic connections Basic connections Before connecting a switch to a fabric that contains switches running different firmware versions, you must first set the same PID format on all switches. The presence of different PID formats in a fabric causes fabric segmentation. •...
  • Page 75: In This Chapter

    Chapter Performing Advanced Configuration Tasks In this chapter • PIDs and PID binding overview (35) •...
  • Page 76: Core Pid Addressing Mode

    PIDs and PID binding overview Core PID addressing mode Core PID is the default PID format for Brocade platforms. It uses the entire 24-bit address space of the domain, area_ID, and AL_PA to determine an object’s address within the fabric. The Core PID is a 24-bit address built from the following three 8-bit fields: •...
  • Page 77: 256-Area Addressing Mode

    PIDs and PID binding overview • Any port on a 48-port blade can support up to 256 NPIV devices (in fixed addressing mode, only 128 NPIV devices are supported in non-VF mode and 64 NPIV devices in VF mode on a 48-port blade).
  • Page 78 PIDs and PID binding overview Virtual Fabric considerations WWN-based PID assignment is disabled by default and is supported in the default switch on a Brocade DCX and DCX-4S. This feature is not supported on application blades such as the FS8-18 , and the .
  • Page 79: Ports

    Ports Clearing PID binding 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the wwnAddress -unbind command to clear the PID binding for the specified WWN. Showing PID assignments 1. Connect to the switch and log in using an account assigned to the admin role. 2.
  • Page 80: Table 3 Port Numbering Schemes For The Brocade 48000, Brocade Dcx And Dcx-4S Enterprise-Class Platforms

    Ports The Brocade DCX-4S has 8 slots that contain control processor, core, port, and AP blades: • Slot numbers 4 and 5 contain CPs. • Slot numbers 3 and 6 contain core blades. • Slot numbers 1 and 2, and 7 and 8 contain port and AP blades. NOTE The Core blades for the Brocade DCX (CORE8) and the Brocade DCX-4S (CR4S-8) are not interchangeable between the two products.
  • Page 81: Setting Port Names

    Ports Setting port names Perform the following steps to specify a port name. For enterprise-class directors, specify the slot number where the blade is installed. 1. Connect to the switch and log in using an account assigned to the admin role. 2.
  • Page 82: Swapping Port Area Ids

    Ports A number of fabric-wide databases supported by Fabric OS (including ZoneDB, the ACL DDC, and Admin Domain) allow a port to be designated by the use of a “D,P” (domain,port) notation. While the “P” component appears to be the port number, for up to 255 ports it is actually the area assigned to that port.
  • Page 83: Setting Port Speeds

    Ports If ports are persistently disabled and you use the portEnable command to enable a disabled port, the port will revert to being disabled after a power cycle or a switch reboot. To ensure the port remains enabled, use the portCfgPersistentEnable command as instructed below. CAUTION The fabric will be reconfigured if the port you are enabling or disabling is connected to another switch.
  • Page 84: Setting The Same Speed For All Ports On The Switch

    Blade terminology and compatibility Setting the same speed for all ports on the switch 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the switchCfgSpeed command. Example of setting the switch speed The following example sets the speed for all ports on the switch to 8 Gbps: switch:admin>...
  • Page 85 Blade terminology and compatibility TABLE 4 Brocade enterprise-class platform terminology and abbreviations (Continued) Term Abbreviation Blade ID Definition (slotshow) 32-port 4-Gbps port blade FC4-32 A 32-port Brocade platform port blade supporting 1, 2, and 4 Gbps port speeds. This port blade is compatible only with the Brocade 48000 CP blades.
  • Page 86: Cp Blades

    Blade terminology and compatibility CP blades The control processor (CP) blade provides redundancy and acts as the brains of the enterprise-class platform. The Brocade 48000 supports the CP256 blade. The Brocade DCX and DCX-4S support the CP8 blades. The CP blades in the Brocade DCX and DCX-4S are hot-swappable. When the CPs from a Brocade DCX are inserted into a Brocade DCX-4S, the switch type changes.
  • Page 87: Table 6 Blade Compatibility Within A Brocade Dcx And Dcx-4S Backbone

    Blade terminology and compatibility TABLE 5 Port blades supported by each platform (Continued). Columns: Port blades | Brocade 48000 (CP4) | Brocade DCX and DCX-4S. Rows: FS8-18 | Unsupported | Supported; FX8-24 | Unsupported | Supported. During power up when an FCOE10-24 is detected first before any other AP blade in a chassis with Fabric OS v6.3.0 and later, all other AP and FC8-64 blades will be faulted.
  • Page 88: Fx8-24 Compatibility Notes

    Enabling and disabling blades FX8-24 compatibility notes When you have an FR4-18i and an FX8-24 blade in your chassis, the following guidelines need to be followed: • GbE ports cannot be connected to either the FX8-24 or Brocade FR4-18i and Brocade 7500 7800 GbE ports.
  • Page 89 Enabling and disabling blades FA4-18 application blade enabling exceptions The Brocade 48000 director supports up to two FA4-18 blades in a chassis. The Brocade DCX and DCX-4S Backbones support up to four FA4-18 blades in a chassis. FC4-48 and FC8-48 port blade enabling exceptions Because the area IDs are shared with different port IDs, the FC4-48 and FC8-48 blades support only F_ and E_Ports.
  • Page 90: Disabling Blades

    Blade swapping • When an FR4-18i blade is replaced by an FC4-16, FC4-32, FC8-16, FC8-32, FC8-48, or FC8-64 blade, then the EX_Port configuration is removed from any ports that were configured as EX_Ports (equivalent to disabling the EX_Port configuration using the portCfgEXPort command).
  • Page 91: Swapping Blades

    Blade swapping Swapping blades The bladeSwap command performs the following operations: 1. Blade selection The selection process includes selecting the switch and the blades to be affected by the swap operation. Figure 2 shows the source and destination blades are identified to begin the process.
  • Page 92: Swapping Blades

    Blade swapping FIGURE 3 Blade swap with Virtual Fabrics during the swap 4. Port swapping The swap ports action is effectively an iteration of the portSwap command for each port on the source blade to each corresponding port on the destination blade. Figure 4 shows Virtual Fabrics, where the blades can be carved up into different logical switches as long as they are carved the same way.
  • Page 93: Power Management

    Power management 3. Once the command completes successfully, move the cables from the source blade to the destination blade. 4. Enter the bladeEnable command on the destination blade to enable all user ports. Power management All blades are powered on by default when the switch chassis is powered on. Blades cannot be powered off when POST or AP initialization is in progress.
  • Page 94: Equipment Status

    Equipment status Equipment status You can check the status of switch operation, High Availability features, and fabric connectivity. Checking switch operation 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the switchShow command. This command displays a switch summary and a port summary.
  • Page 95: Verifying Fabric Connectivity

    Equipment status The possible fields and their values are outlined below. Field Value Slot Displays the physical slot number. Blade Type Displays the blade type. SW BLADE: The blade is a port blade. CP BLADE: The blade is a control processor. CORE BLADE: The blade is a core blade (Brocade DCX and DCX-4S only).
  • Page 96: Track And Control Switch Changes

    Track and control switch changes 4. Enter the nsAllShow command to display the 24-bit Fibre Channel addresses of all devices in the fabric. switch:admin> nsallshow 010e00 012fe8 012fef 030500 030b04 030b08 030b17 030b18 030b1e 030b1f 040000 050000 050200 050700 050800 050de8 050def 051700 061c00 071a00 073c00 090d00 0a0200 0a07ca 0a07cb 0a07cc 0a07cd 0a07ce 0a07d1 0a07d2 0a07d3 0a07d4 0a07d5 0a07d6 0a07d9 0a07da 0a07dc 0a07e0 0a07e1 0a0f01...
  • Page 97: Displaying The Status Of The Track Changes Feature

    Track and control switch changes Displaying the status of the track changes feature 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the trackChangesShow command. The status of the track changes feature is displayed as either on or off. The display includes whether or not the track changes feature is configured to send SNMP traps.
  • Page 98 Track and control switch changes The current switch status policy parameter values are displayed. You are prompted to enter values for each DOWN and MARGINAL threshold parameter. NOTE By setting the DOWN and MARGINAL values for a parameter to 0,0 that parameter is no longer used in setting the overall status for the switch.
  • Page 99: Audit Log Configuration

    Audit log configuration Out of range Flash contributing to MARGINAL status: (0..1) [1] MarginalPorts contributing to DOWN status: (0..1800) [112] MarginalPorts contributing to MARGINAL status: (0..1800) [44] FaultyPorts contributing to DOWN status: (0..1800) [112] FaultyPorts contributing to MARGINAL status: (0..1800) [44] MissingSFPs contributing to DOWN status: (0..576) [0] MissingSFPs contributing to MARGINAL status: (0..576) [0] No change...
  • Page 100: Auditable Event Classes

    Audit log configuration Auditable event classes Before configuring an audit log, you must select the event classes you want audited. The audit log includes: • SEC-3001 through SEC-3017 • SEC-3024 through SEC-3029 • ZONE-3001 through ZONE-3012 Table 7 identifies auditable event classes and the auditCfg command operands used to enable auditing of a specific class.
  • Page 101: Configuring An Audit Log For Specific Event Classes

    Audit log configuration 1. Set up an external host machine with a system message log daemon running to receive the audit events that will be generated. 2. On the switch where the audit configuration is enabled, enter the syslogdIpAdd command to add the IP address of the host machine so that it can receive the audit events.
  • Page 103: About This Chapter

    Chapter Routing Traffic About this chapter • Routing overview (63) •...
  • Page 104: Path Versus Route Selection

    Routing overview Path versus route selection Paths are possible ways to get from one switch to another. Each Inter-Switch Link (ISL) has a metric cost based on bandwidth. The cumulative cost is based on the sum of all costs of all traversed ISLs. Route selection is the path that is chosen.
  • Page 105: Fibre Channel Nat

    Routing overview FSPF makes minimal use of the ISL bandwidth, leaving virtually all of it available for traffic. In a stable fabric, a switch transmits 64 bytes every 20 seconds in each direction. FSPF frames have the highest priority in the fabric. This guarantees that a control frame is not delayed by user data and that FSPF routing decisions occur very quickly during convergence.
  • Page 106: Inter-Switch Links

    Inter-switch links Inter-switch links An inter-switch link (ISL) is a link between two switches, E_Port-to-E_Port. The ports of the two switches automatically come online as E_Ports, once the login process finishes successfully. For more information on the login process refer to Chapter 1, “Understanding Fibre Channel Services”.
  • Page 107: Buffer Credits

    Inter-switch links There are non-fabric parameters that must match as well, such as zoning. Some fabric services, such as Management Server, must match. If it is enabled in the fabric, then the switch you are introducing into the fabric must also have it enabled. If you experience a segmented fabric, refer to the Fabric OS Troubleshooting and Diagnostics Guide to fix the problem.
  • Page 108: Figure 7 Virtual Channels On A 1/2/4 Gbps Isl

    Inter-switch links FIGURE 7 Virtual Channels on a 1/2/4 Gbps ISL Quality of Service (QoS) is a licensed traffic shaping feature available in Fabric OS. QoS allows the prioritization of data traffic based on the SID/DID of each frame. Through the use of QoS zones, traffic can be divided into three priorities: high, medium, and low.
  • Page 109: Gateway Links

    Gateway links FIGURE 8 Virtual Channels on an 8 Gbps ISL Gateway links A gateway merges SANs into a single fabric by establishing point-to-point E_Port connectivity between two Fibre Channel switches that are separated by a network with a protocol such as IP or SONET.
  • Page 110: Configuring A Link Through A Gateway

    Gateway links FIGURE 9 Gateway link merges SAN By default, switch ports initialize links using the Exchange Link Parameters (ELP) mode 1. However, gateways expect initialization with ELP mode 2, also referred to as ISL R_RDY mode. Therefore, to enable two switches to link through a gateway, the ports on both switches must be set for ELP mode 2.
  • Page 111: Inter-Chassis Links

    Inter-chassis links Example of enabling a gateway link on slot 2, port 3. ecp:admin> portcfgislmode 2/3, 1 Committing configuration...done. ISL R_RDY Mode is enabled for port 3. Please make sure the PID formats are consistent across the entire fabric. Inter-chassis links An Inter-chassis link (ICL) is a licensed feature used to interconnect two Brocade DCX Backbones, two Brocade DCX-4S, or a Brocade DCX and a Brocade DCX-4S Backbone.
  • Page 112: Supported Topologies

    Inter-chassis links The following ICL connections are not allowed: • ICL0 <--> ICL0 • ICL1 <--> ICL1 Refer to the Brocade DCX Data Center Backbone Hardware Reference Manual for detailed ICL connection information. ICL ports can be used only with an ICL license. For more information on how license enforcement occurs, see Chapter 16, “Administering Licensing”.
  • Page 113: Routing Policies

    Routing policies If one ICL is broken but there is a regular ISL, the triangular topology still holds given the ISL cost is lower than the total cost through the ICL linear topology. If a direct ICL link between two switches is broken the triangular topology is considered broken when the ISL path between the two switches is a multiple hop.
  • Page 114: Displaying The Current Routing Policy

    Routing policies Each switch can have its own routing policy and different policies can exist in the same fabric. ATTENTION For most configurations, the default routing policy is optimal and provides the best performance. You should change the routing policy only if there is a performance issue that is of concern, or if a particular fabric configuration or application requires it.
  • Page 115: Ap Route Policy

    Routing policies Using port-based routing, you can assign a static route, in which the path chosen for traffic does not change when a topology change occurs unless the path becomes unavailable. If the static route violates FSPF, it is not used. In contrast, exchange-based routing policies always employ dynamic path selection.
  • Page 116: Route Selection

    Route selection Setting the routing policy 1. Connect to the switch and log in as admin. 2. Enter the switchDisable command to disable the switch. 3. Take the appropriate following action based on the route policy you choose to implement: •...
  • Page 117: Static Route Assignment

    Route selection • ”DLS is set with Lossless enabled.” DLS is enabled with the Lossless feature. Load sharing is recomputed with every change in the fabric, and existing routes can be moved to maintain optimal balance. In Lossless mode, no frames are lost during this operation. •...
  • Page 118: Frame Order Delivery

    Frame order delivery The order of delivery of frames is maintained within a switch and determined by the routing policy in effect. The frame delivery behaviors for each routing policy are: • Port-based routing All frames received on an incoming port destined for a destination domain are guaranteed to exit the switch in the same order in which they were received.
  • Page 119: Lossless Dynamic Load Sharing On Ports

    Lossless Dynamic Load Sharing on ports Lossless Dynamic Load Sharing (DLS) allows you to rebalance port paths without causing input/output (I/O) failures. For devices where In-Order Delivery (IOD) of frames is required, you can set IOD separately.
  • Page 120: Lossless Core

    Lossless Dynamic Load Sharing on ports TABLE 9 Combinations of routing policy and IOD with Lossless DLS enabled (Continued) Policy Rebalance result with Lossless DLS enabled Exchange-based Disabled No frame loss, but out of order frames may occur. Exchange-based Enabled No frame loss and no out of order frames.
  • Page 121: Frame Redirection

    Frame Redirection Example of how DLS affects other logical switches in the fabric On a Brocade DCX platform, logical switch 1 consists of ports 0 through 5 in slot 1. Logical switch 2 consists of ports 6–10 in slot 1. The Lossless DLS feature is enabled on logical switch 1. Because ports 0–10 in slot 1 belong to a logical switch where Lossless DLS is turned on, the traffic in logical switch 2 is affected whenever traffic for logical switch 1 is rebalanced.
  • Page 122: Creating A Frame Redirect Zone

    Frame Redirection FIGURE 12 Single Host and Target Figure 12 demonstrates the flow of frame redirection traffic. A frame starts at the host with a destination to the target. The port where the appliance is attached to the host switch acts as the virtual initiator and the port where the appliance is attached to the target switch is the virtual target.
  • Page 123: Managing User Accounts

    Chapter Managing User Accounts In this chapter • User accounts overview ......... 83 •...
  • Page 124: Role-Based Access Control (Rbac)

    User accounts overview Fabric OS provides three options for authenticating users—remote RADIUS services, remote LDAP service, and the local switch user database. All options allow users to be centrally managed using the following methods: • Remote RADIUS server: Users are managed in a remote RADIUS server. All switches in the fabric can be configured to authenticate against the centralized remote database.
  • Page 125: Table 11 Permission Types

    User accounts overview The default home domain for the predefined account is AD0. For user-defined accounts, the default home domain is the Admin Domain in the user’s Admin Domain list with the lowest ID. Role permissions Table 11 describes the types of permissions that are assigned to roles. TABLE 11 Permission types Abbreviation...
  • Page 126: Table 12 Rbac Permissions Matrix

    User accounts overview TABLE 12 RBAC permissions matrix (Continued) Category Role permission Admin Basic Fabric Operator Security Switch User Zone Switch Admin Admin Admin Admin Admin Encryption Management Ethernet Configuration Fabric Fabric Distribution Fabric Routing Fabric Watch FICON FIPS Bootprom FIPS Configuration Firmware Key Management Firmware Management...
  • Page 127: The Management Channel

    User accounts overview TABLE 12 RBAC permissions matrix (Continued) Category Role permission Admin Basic Fabric Operator Security Switch User Zone Switch Admin Admin Admin Admin Admin SNMP Statistics Statistics—Device Statistics—Port Switch Configuration Switch Management Switch Management—IP Configuration Switch Port Configuration Switch Port Management Topology USB Management...
  • Page 128: Local Database User Accounts

    Local database user accounts User add, change, and delete operations are subject to the subset rule: an admin with ADlist 0-10 or LFlist 1-10 cannot perform operations on an admin, user, or any role with an ADlist 11-25 or LFlist 11-128.
  • Page 129: Local Account Passwords

    Local database user accounts Deleting an account This procedure can be performed on local user accounts. 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the userConfig delete command. NOTE You cannot delete the default accounts. An account cannot delete itself. All active CLI sessions for the deleted account are logged out.
  • Page 130: Local Account Database Distribution

    Local account database distribution Fabric OS allows you to distribute the user database and passwords to other switches in the fabric. When the switch accepts a distributed user database, it replaces the local user database with the user database it receives.
  • Page 131: Password Policies

    Password policies The password policies described in this section apply to the local switch user database only. Configured password policies (and all user account attribute and password state information) are synchronized across CPs and remain unchanged after an HA failover. Password policies can also be manually distributed across the fabric (see “Local account database distribution”...
  • Page 132: Password History Policy

    Password policies • MinLength Specifies the minimum length of the password. The minimum can be from 8 to 40 characters. New passwords must be between the minimum length specified and 40 characters. The default value is 8. The maximum value must be greater than or equal to the MinLength value. •...
  • Page 133: Password Expiration Policy

    Password policies Password expiration policy The password expiration policy forces expiration of a password after a configurable period of time, and is enforced across all user accounts. A warning that password expiration is approaching is displayed when the user logs in. When a user’s password expires, he or she must change the password to complete the authentication process and open a user session.
  • Page 134 Password policies The following commands are used to manage the account lockout policy. • userConfig change account_name -u • passwdCfg disableadminlockout Note that the account-locked state is distinct from the account-disabled state. Use the following attributes to set the account lockout policy: •...
  • Page 135: The Boot Prom Password

    The boot PROM password The boot PROM password provides an additional layer of security by protecting the boot PROM from unauthorized use. Setting a recovery string for the boot PROM password enables you to recover a lost boot PROM password by contacting your switch service provider.
  • Page 136: Setting The Boot Prom Password For A Director With A Recovery String

    The boot PROM password The recovery string must be between 8 and 40 alphanumeric characters. A random string that is 15 characters or longer is recommended for higher security. The firmware prompts for this password only once. It is not necessary to remember the recovery string because it is displayed the next time you enter the command shell.
  • Page 137: Setting The Boot Prom Password For A Switch Without A Recovery

    The boot PROM password The recovery string must be between 8 and 40 alphanumeric characters. A random string that is 15 characters or longer is recommended for higher security. The firmware only prompts for this password once. It is not necessary to remember the recovery string because it is displayed the next time you enter the command shell.
  • Page 138: Setting The Boot Prom Password For A Director Without A Recovery

    The boot PROM password 5. At the shell prompt, enter the passwd command. NOTE The passwd command only applies to the boot PROM password when it is entered from the boot interface. 6. Enter the boot PROM password at the prompt, then re-enter it when prompted. The password must be eight alphanumeric characters (any additional characters are not recorded).
  • Page 139: The Authentication Model Using Radius And Ldap

    The authentication model using RADIUS and LDAP 8. Enter the boot PROM password at the prompt, then re-enter it when prompted. The password must be eight alphanumeric characters (any additional characters are not recorded). Record this password for future use. 9.
  • Page 140: Table 15 Authentication Configuration Options

    The authentication model using RADIUS and LDAP To enable RADIUS or LDAP service, it is strongly recommended that you access the CLI through an SSH connection so that the shared secret is protected. Multiple login sessions can modify the configuration simultaneously, and the last session to apply a change leaves its configuration in effect. After a configuration is applied, it persists after a reboot or an HA failover.
  • Page 141: Setting The Switch Authentication Mode

    The authentication model using RADIUS and LDAP TABLE 15 Authentication configuration options (Continued) aaaConfig options Description Equivalent setting in Fabric OS v5.1.0 and earlier radius switchdb --authspec “radius;local” --backup Authenticates management connections against any RADIUS databases. If RADIUS fails because the service is not available, it then authenticates against the local user database.
  • Page 142: Fabric Os Users On The Radius Server

    The authentication model using RADIUS and LDAP You can set a user password expiration date and add a warning for RADIUS login. The password expiry date must be specified in UTC and in MM/DD/YYYY format. The password warning specifies the number of days prior to the password expiration that a warning of password expiration notifies the user.
  • Page 143: Figure 13 Windows 2000 Vsa Configuration

    The authentication model using RADIUS and LDAP Windows 2000 IAS To configure a Windows 2000 internet authentication service (IAS) server to use VSA to pass the Admin role to the switch in the dial-in profile, the configuration specifies the Vendor code (1588), Vendor-assigned attribute number (1), and attribute value (admin), as shown in Figure FIGURE 13...
  • Page 144 The authentication model using RADIUS and LDAP RADIUS configuration with Admin Domains or Virtual Fabrics When configuring users with Admin Domains or Virtual Fabrics, you must also include the Admin Domain or Virtual Fabric member list. This section describes the way that you configure attribute types for this configuration.
  • Page 145: The Radius Server

    The authentication model using RADIUS and LDAP In the next example, on a Linux FreeRadius Server, the user takes the “zoneAdmin” role, with VFlist 2, 4, 5, 6, 7, 8, 10, 11, 12, 13, 15, 17, 19, 22, 23, 24, 25, 29, 31 and HomeLF 1. user300 Auth-Type := Local, User-Password == "password"...
  • Page 146 The authentication model using RADIUS and LDAP ATTRIBUTE Brocade-Auth-Role string Brocade ATTRIBUTE Brocade-AVPairs1 string Brocade ATTRIBUTE Brocade-AVPairs2 string Brocade ATTRIBUTE Brocade-AVPairs3 string Brocade ATTRIBUTE Brocade-AVPairs4 string Brocade ATTRIBUTE Brocade-Passwd-ExpiryDate string Brocade ATTRIBUTE Brocade-Passwd-WarnPeriod string Brocade This defines the Brocade vendor ID as 1588, the Brocade attribute 1 as Brocade-Auth-Role and 6 as Brocade-Passwd-ExpiryDate, both are string values.
  • Page 147 The authentication model using RADIUS and LDAP Enabling clients Clients are the switches that will use the RADIUS server; each client must be defined. By default, all IP addresses are blocked. The Brocade 48000 director, Brocade DCX and DCX-4S enterprise-class platforms send their RADIUS requests using the IP address of the active CP.
  • Page 148 The authentication model using RADIUS and LDAP IAS is the Microsoft implementation of a RADIUS server and proxy. IAS uses the Windows native user database to verify user login credentials; it does not list specific users, but instead lists user groups. Each user group should be associated with a specific switch login role. For example, you should configure a user group for root, admin, factory, switchAdmin, and user, and then add any users whose logins you want to associate to the appropriate group.
  • Page 149 The authentication model using RADIUS and LDAP Setting up the RSA RADIUS server For more information on how to install and configure the RSA Authentication Manager and the RSA RADIUS server, refer to your documentation or visit www.rsa.com. 1. Create user records in the RSA Authentication Manager. 2.
  • Page 150: Figure 14 Example Of A Brocade Dct File

    The authentication model using RADIUS and LDAP ########################################################################### # brocade.dct -- Brocade Dictionary # (See readme.dct for more details on the format of this file) ########################################################################### # Use the Radius specification attributes in lieu of the Brocade one: @radius.dct MACRO Brocade-VSA(t,s) 26 [vid=1588 type1=%t% len1=+2 data=%s%] ATTRIBUTE Brocade-Auth-Role Brocade-VSA(1,string) r...
  • Page 151: Ldap Configuration And Microsoft Active Directory

    The authentication model using RADIUS and LDAP d. Add the Brocade profile. e. In RSA Authentication Manager, edit the user records that will be authenticating using RSA SecurID. LDAP configuration and Microsoft Active Directory LDAP provides user authentication and authorization using the Microsoft Active Directory service in conjunction with LDAP on the switch.
  • Page 152: Creating A Group

    The authentication model using RADIUS and LDAP 3. Create a group name that uses the switch’s role name so that the Active Directory group’s name is the same as the switch’s role name. Use the ldapCfg --maprole ldap_role_name switch_role command to map an LDAP server role to one of the default roles available on the switch.
  • Page 153 The authentication model using RADIUS and LDAP Adding an Admin Domain or Virtual Fabric list 1. From the Windows Start menu, select Programs> Administrative Tools> ADSI.msc ADSI is a Microsoft Windows Resource Utility. This will need to be installed to proceed with the rest of the setup.
  • Page 154: Authentication Servers On The Switch

    The authentication model using RADIUS and LDAP Authentication servers on the switch At least one RADIUS or LDAP server must be configured before you can enable RADIUS or LDAP service. You can configure the RADIUS or LDAP service even if it is disabled on the switch. You can configure up to five RADIUS or LDAP servers.
  • Page 155: Configuring Local Authentication As Backup

    The authentication model using RADIUS and LDAP Changing a RADIUS or LDAP server configuration 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the aaaConfig change command. Changing the order in which RADIUS or LDAP servers are contacted for service 1.
  • Page 157: In This Chapter

    Chapter Configuring Protocols In this chapter • Security protocols ..........117 •...
  • Page 158: Secure Copy

    Secure Copy TABLE 18 Secure protocol support Protocol Description Secure Shell (SSH) is a network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.
  • Page 159: Setting Up Scp For Configuploads And Downloads

    Secure Shell protocol Setting up SCP for configUploads and downloads 1. Log in to the switch as admin. 2. Type the configure command. 3. Type y or yes at the cfgload attributes prompt. 4. Type y or yes at the Enforce secure configUpload/Download prompt. Example of setting up SCP for configUpload/download switch:admin>...
  • Page 160: Ssh Public Key Authentication

    Secure Shell protocol SSH public key authentication OpenSSH public key authentication provides password-less logins, known as SSH authentication, that uses public and private key pairs for incoming and outgoing authentication. This feature allows only one allowed-user to be configured to utilize OpenSSH public key authentication. Using OpenSSH RSA and DSA, the authentication protocols are based on a pair of specially generated cryptographic keys, called the private key and the public key.
  • Page 161 Secure Shell protocol Example of RSA/DSA key pair generation alloweduser@mymachine: ssh-keygen -t dsa Generating public/private dsa key pair. Enter file in which to save the key (/users/alloweduser/.ssh/id_dsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /users/alloweduser/.ssh/id_dsa. Your public key has been saved in /users/alloweduser/.ssh/id_dsa.pub.
  • Page 162: Secure Sockets Layer Protocol

    Secure Sockets Layer protocol Deleting keys on the switch 1. Log in to the switch as the allowed-user. 2. Use the sshUtil delprivkey command to delete the private key. Use the sshUtil delpubkeys command to delete all public keys. For more information on IP Filter policies, refer to Chapter 7, “Configuring Security Policies”.
  • Page 163: Ssl Configuration Overview

    Secure Sockets Layer protocol SSL configuration overview You configure for SSL by obtaining, installing, and activating digital certificates for SSL support. Certificates are required on all switches that are to be accessed through SSL. Also, you must install a certificate in the Java Plug-in on the management workstation, and you may need to add a certificate to your Web browser.
  • Page 164 Secure Sockets Layer protocol Generating a public and private key Perform this procedure on each switch. 1. Connect to the switch and log in as admin. 2. Enter the secCertUtil genkey command to generate a public/private key pair. The system reports that this process will disable secure protocols, delete any existing CSR, and delete any existing certificates.
  • Page 165: The Browser

    Secure Sockets Layer protocol If you are set up for secure file copy protocol, you can select it; otherwise, select ftp. Enter the IP address of the switch on which you generated the CSR. Enter the remote directory name of the FTP server to which the CSR is to be sent. Enter your account name and password on the server.
  • Page 166: Root Certificates For The Java Plug-In

    Secure Sockets Layer protocol The next procedures are guides for installing root certificates to Internet Explorer and Mozilla Firefox browsers. For more detailed instructions, refer to the documentation that came with the certificate. Checking and installing root certificates on Internet Explorer 1.
  • Page 167: Simple Network Management Protocol

    Simple Network Management Protocol 3. Enter the keytool command and respond to the prompts. Example of installing a root certificate C:\Program Files\Java\j2re1.6.0\bin> keytool -import -alias RootCert -file RootCert.crt -keystore ..\lib\security\RootCerts Enter keystore password: changeit Owner: CN=Brocade, OU=Software, O=Brocade Communications, L=San Jose, ST=California, C=US Issuer: CN=Brocade, OU=Software, O=Brocade Communications, L=San Jose, ST=California, C=US...
  • Page 168: Snmp And Virtual Fabrics

    Simple Network Management Protocol If you use both SW-MIB and FA-MIB, you may receive duplicate information. You can disable the FA-MIB, but not the SW-MIB. You can also use these additional MIBs and their associated traps: • FICON-MIB (for FICON environments) •...
  • Page 169: The Security Level

    Telnet protocol Attributes that are specific to each logical switch belong to the switch category. These attributes are available in the Virtual Fabrics context and not available in the Chassis context. Attributes that are common across the logical switches belong to the chassis level. These attributes are accessible to users having the chassis-role permission.
  • Page 170: Unblocking Telnet

    Telnet protocol ATTENTION The rule number assigned has to precede the default rule number for this protocol. For example, in the defined policy, the Telnet rule number is 2, therefore to effectively block Telnet, the rule number to assign must be 1. If you choose not to use 1, you will need to delete the telnet rule number 2 after adding this rule.
  • Page 171: Listener Applications

    Listener applications 3. To permanently delete the policy, type the ipfilter save command. ATTENTION If you deleted the rule to permit Telnet, you will need to add a rule to permit Telnet. Listener applications Brocade switches block Linux subsystem listener applications that are not used to implement supported features and capabilities.
  • Page 172: Port Configuration

    Ports and applications used by switches TABLE 23 Access defaults (Continued) Access default Devices All devices can access the management server. Any device can connect to any FC port in the fabric. Switch access Any switch can join the fabric. All switches in the fabric can be accessed through a serial port.
  • Page 173: In This Chapter

    Chapter Configuring Security Policies In this chapter • ACL policies overview ......... . 133 •...
  • Page 174: Policy Members

    ACL policy management Policies with the same state are grouped together in a Policy Set. Each switch has the following two sets: • Active policy set, which contains ACL policies being enforced by the switch. • Defined policy set, which contains a copy of all ACL policies on the switch. When a policy is activated, the defined policy either replaces the policy with the same name in the active set or becomes a new active policy.
  • Page 175: Displaying Acl Policies

    ACL policy management Displaying ACL policies You can view the active and defined policy sets at any time. Additionally, in a defined policy set, policies created in the same login session also appear but these policies are automatically deleted if you log out without saving them. 1.
  • Page 176: Adding A Member To An Existing Acl Policy

    ACL policy management Adding a member to an existing ACL policy As soon as a policy has been activated, the aspect of the fabric managed by that policy is enforced. 1. Connect to the switch and log in using an account assigned to the admin role. 2.
  • Page 177: Fcs Policies

    FCS policies Fabric Configuration Server (FCS) policy in base Fabric OS may be performed on a local switch basis and may be performed on any switch in the fabric. The FCS policy is not present by default, but must be created. When the FCS policy is created, the WWN of the local switch is automatically included in the FCS list.
  • Page 178: Ensuring Fabric Domains Share Policies

    FCS policies TABLE 27 FCS switch operations Allowed on FCS switches Allowed on all switches secPolicyAdd (Allowed on all switches for SCC and DCC secPolicyShow policies as long as it is not fabric-wide) secPolicyCreate (Allowed on all switches for SCC and fddCfg localaccept or fddCfg localreject...
  • Page 179: Modifying The Order Of Fcs Switches

    FCS policies NOTE FCS policy must be consistent across the fabric. If the policy is inconsistent in the fabric, then you will not be able to perform any fabric-wide configurations from the primary FCS. Modifying the order of FCS switches 1.
  • Page 180: Dcc Policies

    DCC policies Only the Primary FCS switch is allowed to distribute the database. The FCS policy may need to be manually distributed across the fabric using the distribute -p command. Since this policy is distributed manually, the command fddCfg --fabwideset is used to distribute a fabric-wide consistency policy for FCS policy in an environment consisting of only Fabric OS v6.2.0 and later switches.
  • Page 181: Dcc Policy Restrictions

    DCC policies TABLE 29 DCC policy states Policy state Characteristics No policy Any device can connect to any switch port in the fabric. Policy with no entries Any device can connect to any switch port in the fabric. An empty policy is the same as no policy.
  • Page 182: Deleting A Dcc Policy

    DCC policies DCC_POLICY_nnn is the name of the DCC policy; nnn is a string consisting of up to 19 alphanumeric or underscore characters to differentiate it from any other DCC policies. 3. To save or activate the new policy, enter the appropriate command: •...
  • Page 183: Scc Policies

    SCC policies The switch connection control (SCC) policy is used to restrict which switches can join the fabric. Switches are checked against the policy each time an E_Port-to-E_Port connection is made. The policy is named SCC_POLICY and accepts members listed as WWNs, domain IDs, or switch names. Only one SCC policy can be created.
  • Page 184: Authentication Policy For Fabric Elements

    Authentication policy for fabric elements By default, Fabric OS v6.2.0 and later use DH-CHAP or FCAP protocols for authentication. These protocols use shared secrets and digital certificates, based on switch WWN and public key infrastructure (PKI) technology, to authenticate switches. Authentication automatically defaults to FCAP if both switches are configured to accept FCAP protocol in authentication.
  • Page 185: E_Port Authentication

    Authentication policy for fabric elements The switch authentication (AUTH) policy initiates DH-CHAP/FCAP authentication on all E_Ports. This policy is persistent across reboots, which means authentication will be initiated automatically on ports or switches brought online if the policy is set to activate authentication. The AUTH policy is distributed by command;...
  • Page 186 Authentication policy for fabric elements WARNING: This is a disruptive operation that requires a reboot to take effect. All EX ports will be disabled upon reboot. Would you like to continue [Y/N] y switch:admin> authutil --authinit 2,3,4 CAUTION If data input has not been completed and a failover occurs, the command is terminated without completion and your entire input is lost.
  • Page 187: Device Authentication Policy

    Authentication policy for fabric elements Device authentication policy Device authentication policy can also be categorized as an F_Port, node port, or an HBA authentication policy. Fabric-wide distribution of the device authentication policy is not supported because the device authentication requires manual interaction in setting the HBA shared secrets and switch shared secrets, and most of the HBAs do not support the defined DH groups for use in the DH-CHAP protocol.
  • Page 188: Authentication Protocols

    Authentication policy for fabric elements • FICON channels • Configupload and download will not be supported for the following AUTH attributes: auth type, hash type, group type. Supported HBAs The following HBAs support authentication: • Emulex LP11000 (Tested with Storport Miniport v2.0 Windows driver) •...
  • Page 189: Secret Key Pairs For Dh-Chap

    Authentication policy for fabric elements When using DH-CHAP, make sure that you configure the switches at both ends of a link. NOTE If you set the authentication protocol to DH-CHAP or FCAP, have not configured shared secrets or certificates, and authentication is checked (for example, you enable the switch), then switch authentication fails.
  • Page 190: Fcap Configuration Overview

    Authentication policy for fabric elements Example of setting a secret key pair switchA:admin> secauthsecret --set This command is used to set up secret keys for the DH-CHAP authentication. The minimum length of a secret key is 8 characters and maximum 40 characters.
  • Page 191: Table 31 Fcap Certificate Files

    Authentication policy for fabric elements You can request a certificate from a CA through a Web browser. After you request a certificate, the CA either sends certificate files by e-mail (public) or gives access to them on a remote host (private).
  • Page 192 Authentication policy for fabric elements jdoe@10.1.2.3's password: <hidden text> Success: exported FCAP CA certificate Import CA for FCAP Once you receive the files back from the Certificate Authority, you will need to install or import them onto the local and remote switches. 1.
  • Page 193: Fabric-Wide Distribution Of The Auth Policy

    IP Filter policy Fabric-wide distribution of the Auth policy The AUTH policy can be manually distributed to the fabric by command; there is no support for automatic distribution. To distribute the AUTH policy, see “Distributing the local ACL policies” on page 160 for instructions. Local Switch configuration parameters are needed to control whether a switch accepts or rejects distributions of the AUTH policy using the distribute command and whether the switch may initiate distribution of the policy.
  • Page 194: Cloning An Ip Filter Policy

    IP Filter policy Cloning an IP Filter policy You can create an IP Filter policy as an exact copy of an existing policy. The policy created is stored in a temporary buffer and has the same type and rules as the existing defined or active policy. 1.
  • Page 195: Deleting An Ip Filter Policy

    IP Filter policy Deleting an IP Filter policy You can delete a specified IP Filter policy. Deleting an IP Filter policy removes it from the temporary buffer. To permanently delete the policy from the persistent database, run ipfilter save. An active IP Filter policy cannot be deleted.
  • Page 196: Table 33 Implicit Ip Filter Rules

    IP Filter policy TABLE 32 Supported services (Continued) Service name Port number snmp sunrpc telnet TCP and UDP protocols are valid selections. Fabric OS v6.2.0 and later does not support configuration to filter other protocols. Implicitly, ICMP type 0 and type 8 packets are always allowed to support ICMP echo request and reply on commands like ping and traceroute.
  • Page 197: Ip Filter Policy Enforcement

    IP Filter policy IP Filter policy enforcement An active IP Filter policy is a filter applied to the IP packets through the management interface. IPv4 management traffic passes through the active IPv4 filter policy, and IPv6 management traffic passes through the active IPv6 filter policy. The IP Filter policy applies to the incoming (ingress) management traffic only.
  • Page 198: Ip Filter Policy Distribution

    Policy database distribution IP Filter policy distribution The IP Filter policy is manually distributed by command. The distribution includes both active and defined IP Filter policies. All policies are combined as a single entity to be distributed and cannot be selectively distributed.
  • Page 199: Database Distribution Settings

    Policy database distribution TABLE 35 Interaction between fabric-wide consistency policy and distribution settings Distribution Fabric-wide consistency policy setting Absent (default) Tolerant Strict Reject Database is protected, it Invalid configuration. Invalid configuration. cannot be overwritten. May not match other databases in the fabric. Accept (default) Database is not protected, Database is not protected.
  • Page 200: Acl Policy Distribution To Other Switches

    Policy database distribution DATABASE Accept/Reject --------------------------------- accept accept accept accept AUTH accept IPFILTER accept Fabric Wide Consistency Policy:- "" Enabling local switch protection 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the fddCfg localreject command.
  • Page 201: Table 37 Fabric-Wide Consistency Policy Settings

    Policy database distribution NOTE To completely remove all policies from a fabric, enter the fddCfg fabwideset "" command. When you set the fabric-wide consistency policy using the fddCfg command with the fabwideset <database_id> option, both the fabric-wide consistency policy and specified database are distributed to the fabric. The active policies of the specified databases overwrite the corresponding active and defined policies on the target switches.
  • Page 202: Notes On Joining A Switch To The Fabric

    Policy database distribution switch:admin> fddcfg --showall Local Switch Configuration for all Databases:- DATABASE Accept/Reject --------------------------------- accept accept accept accept AUTH accept IPFILTER accept Fabric Wide Consistency Policy:- "SCC:S;DCC" Notes on joining a switch to the fabric When a switch is joined to a fabric with a tolerant SCC or DCC fabric-wide consistency policy, the joining switch must have a matching tolerant SCC or DCC fabric-wide consistency policy.
  • Page 203: Table 38 Merging Fabrics With Matching Fabric-Wide Consistency Policies

    Policy database distribution Matching fabric-wide consistency policies This section describes the interaction between the databases with active SCC and DCC policies and combinations of fabric-wide consistency policy settings when fabrics are merged. For example: Fabric A with SCC:S;DCC (strict SCC and tolerant DCC) joins Fabric B with SCC:S;DCC (strict SCC and tolerant DCC), the fabrics can merge as long as the SCC policies match, including the order SCC:S;DCC and if both are set to strict.
  • Page 204: Management Interface Security

    Management interface security TABLE 39 Examples of strict fabric merges Fabric-wide consistency policy setting Expected behavior Fabric A Fabric B Strict/Tolerant SCC:S;DCC:S SCC;DCC:S Ports connecting switches are disabled. SCC;DCC:S SCC:S;DCC Strict/Absent SCC:S;DCC:S SCC:S DCC:S Strict/Strict SCC:S DCC:S Table 40 has a matrix of merging fabrics with tolerant and absent policies. TABLE 40 Fabric merges with tolerant/absent combinations Fabric-wide consistency policy setting...
  • Page 205: Configuration Examples

    Management interface security • Replay Protection — Prevents replay attack, a type of denial of service (DoS) attack where an attacker intercepts a series of packets and resends them to cause the recipient to waste CPU cycles processing them. • Automated Key Management—Automates the process, as well as manages the periodic exchange and generation of new keys.
  • Page 206: Ipsec Protocols

    Management interface security Gateway-to-Gateway Tunnel In this scenario, neither endpoint of the IP connection implements IPsec, but the network nodes between them protect traffic for part of the way. Protection is transparent to the endpoints, and depends on ordinary routing to send packets through the tunnel endpoints for processing. Each endpoint would announce the set of addresses behind it, and packets would be sent in tunnel mode where the inner IP header would contain the IP addresses of the actual endpoints.
  • Page 207: Security Associations

    Management interface security To protect the integrity of the IP datagram, the IPsec protocols use hash message authentication codes (HMAC). To derive this HMAC, the IPsec protocols use hash algorithms like MD5 and SHA to calculate a hash based on a secret key and the contents of the IP datagram. This HMAC is then included in the IPsec protocol header and the receiver of the packet can check the HMAC if it has access to the secret key.
  • Page 208: Ipsec Policies

    Management interface security TABLE 41 Algorithms and associated authentication policies Algorithm Encryption Level Policy Description hmac_md5 128-bit AH, ESP A stronger MAC because it is a keyed hash inside a keyed hash. When MD5 or SHA-1 is used in the calculation of an HMAC; the hmac_sha1 160-bit AH, ESP...
  • Page 209: Ike Policies

    Management interface security IKE policies When IKE is used as the key management protocol, IKE policy defines the parameters used in IKE negotiations needed to establish IKE SA and parameters used in negotiations to establish IPsec SAs. These include the authentication and encryption algorithms, and the primary authentication method, such as preshared keys, or a certificate-based method, such as RSA signatures.
  • Page 210: Creating The Tunnel

    Management interface security Static Security Associations Manual Key Entry (MKE) provides the ability to manually add, delete and flush SA entries in the SADB. Manual SA entries may not have an associated IPsec policy in the local policy database. Manual SA entries are persistent across system reboots. Creating the tunnel These instructions do not take the place of creating a tunnel for either a FR4-18i or FX8-24.
  • Page 211 Management interface security Example of creating an IKE policy This example creates an IKE policy for the remote peer. switch:admin> ipsecconfig --add policy ike -t IKE01 -remote 10.33.74.13 \ -id 10.33.69.132 -remoteid 10.33.74.13 -enc 3des_cbc \ -hash hmac_md5 -prf hmac_md5 -auth psk -dh modp1024 \ -psk ipseckey.psk 8.
  • Page 212: Example Of An End-To-End Transport Tunnel Mode

    Management interface security Example of an End-to-End Transport Tunnel mode This example illustrates securing traffic between two systems using AH protection with MD5 and configuring IKE with pre-shared keys. The two systems are a switch, BROCADE300 (IPv4 address 10.33.74.13), and an external host (10.33.69.132). NOTE A backslash ( \ ) is used to skip the return character so you can continue the command on the next line without the return character being interpreted by the shell.
  • Page 213 Management interface security -t SELECTOR-IN -d in -l 10.33.69.132 -r 10.33.74.13 \ -transform TRANSFORM01 10. Verify the IPsec SAs created with IKE using the ipsecConfig --show manual-sa -a command. 11. Perform the equivalent steps on the remote peer to complete the IPsec configuration. Refer to your server administration guide for instructions.
  • Page 215: Maintaining The Switch Configuration File

    Chapter Maintaining the Switch Configuration File In this chapter • Configuration settings ......... . 175 •...
  • Page 216: Configuration File Format

    Configuration settings CAUTION Editing of the uploaded file is unsupported and can result in system errors if an edited file is subsequently downloaded. If you have the chassis role permissions added to your user account, then the following options are available whether you are uploading or downloading a configuration file: -fid Uploads the specified FID configuration.
  • Page 217 Configuration settings [Switch Configuration Begin : 0] SwitchName = Sprint5100 Fabric ID = 128 [Boot Parameters] [Configuration] [Bottleneck Configuration] [Zoning] [Defined Security policies] [Active Security policies] [iSCSI] [cryptoDev] [FICU SAVED FILES] [Banner] [End] [Switch Configuration End : 0] date = Thu Apr 2 21:28:52 2009 [Switch Configuration Begin : 1] SwitchName = switch_2...
  • Page 218: Configuration File Backup

    Configuration file backup Chassis section There is only one chassis section within a configuration. It defines configuration data for chassis components that affects the entire system—not just an individual logical switch. The chassis section is included in non-Virtual Fabric modes only if you use the configUpload all command.
  • Page 219: Uploading A Configuration File In Interactive Mode

    Configuration file backup In non-Virtual Fabric mode, you must use the configUpload all command to include both the switch and the chassis information. In Virtual Fabric mode, the configUpload all command can be selected to upload all logical switches and the chassis configuration. Only administrators with the chassis role permission are allowed to upload other FIDs or the chassis configuration.
  • Page 220: Configuration File Restoration

    Configuration file restoration Configuration file restoration Restoring a configuration involves overwriting the configuration on the switch by downloading a previously saved backup configuration file. CAUTION Make sure that the configuration file you are downloading is compatible with your switch model, because configuration files from other model switches or firmware versions might cause your switch to fail.
  • Page 221: Table 42 Cli Commands To Display Or Modify Switch Configuration Information

    Configuration file restoration -all The number of switches or FIDs defined in the downloaded configuration file must match the number of switches or FIDs currently defined on the switch. The switches must be disabled, if necessary (refer to “Configuration download without disabling a switch”...
  • Page 222: Configuration Download Without Disabling A Switch

    Configuration file restoration CAUTION The switch has limited error checking and edited files may become corrupted and can lead to switch failures. Configuration download without disabling a switch You can download configuration files to a switch while the switch is enabled; that is, you do not need to disable the switch for changes in SNMP, Fabric Watch, or ACL parameters.
  • Page 223 Configuration file restoration Example of configDownload without Admin Domains switch:admin> configdownload Protocol (scp, ftp, local) [ftp]: Server Name or IP Address [host]: 10.1.2.3 User Name [user]: UserFoo Path/Filename [<home dir>/config.txt]: Section (all|chassis|FID# [all]): all *** CAUTION *** This command is used to download a backed-up configuration for a specific switch.
  • Page 224: Configurations Across A Fabric

    Configurations across a fabric Configurations across a fabric To save time when configuring fabric parameters and software features, you can save a configuration file from one switch and download it to other switches of the same model type, as shown in the following procedure. Do not download a configuration file from one switch to another switch that is a different model or firmware version, because it can cause the switch to fail.
  • Page 225: Uploading A Configuration File From A Switch With Virtual Fabrics

    Configuration management for Virtual Fabrics Uploading a configuration file from a switch with Virtual Fabrics enabled The configUpload command with the -vf option specifies that configuration upload will upload the Virtual Fabric configuration instead of the non-Virtual Fabric configuration information. You must specify a filename with the configUpload -vf command.
  • Page 226: Restrictions

    Configuration management for Virtual Fabrics 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the configDownload -vf command. 3. Respond to the prompts. 4. Wait for the configuration file to download onto the switch. You may need to reconnect to the switch.
  • Page 227: Brocade Configuration Form

    Brocade configuration form Brocade configuration form Use the form in Table 43 as a hard copy reference for your configuration information. In the hardware reference manuals for the Brocade 48000 director and the Brocade DCX and DCX-4S enterprise-class platform, there is a guide for FC port setting tables. The tables can be used to record configuration information for the various blades.
  • Page 229: Installing And Maintaining Firmware

    Chapter Installing and Maintaining Firmware In this chapter • Firmware download process overview ......189 •...
  • Page 230: Upgrading And Downgrading Firmware

    Firmware download process overview Or, on the Brocade 300, 5100, 5300, 7800, 8000, and VA-40FC switches, the Brocade 5410, 5424, 5450, 5480 embedded switches, and the Brocade DCX and DCX-4S Backbones you can use a Brocade-branded USB device. The new firmware consists of multiple files in the form of RPM packages listed in a .plist file. The .plist file contains specific firmware information (time stamp, platform code, version, and so forth) and the names of packages of the firmware to be downloaded.
  • Page 231: Considerations For Ficon Cup Environments

    Firmware download process overview In most cases, you will be upgrading firmware; that is, installing a newer firmware version than the one you are currently running. However, some circumstances may require installing an older version; that is, downgrading the firmware. The procedures in this section assume that you are upgrading firmware, but they work for downgrading as well, provided the old and new firmware versions are compatible.
  • Page 232: Preparing For A Firmware Download

    Preparing for a firmware download A nondisruptive firmware download, which is performed by entering the firmwareDownload command without the -s operand, is only supported if you are upgrading from Fabric OS 6.1.x to 6.2.0. If you are downgrading from Fabric OS 6.2.0 to v6.1.x, you must enter the firmwareDownload -s command option as discussed in “Test and restore firmware on switches”...
  • Page 233: Connected Switches

    Preparing for a firmware download Connected switches Before you upgrade the firmware on your switch you will need to check the connected switches to ensure compatibility and that any older versions are supported. Refer to the Fabric OS Compatibility section of the Brocade Fabric OS Release Notes, for the recommended firmware version. NOTE Go to http://www.brocade.com...
  • Page 234: Firmware Download On Switches

    Firmware download on switches Firmware download on switches Brocade 300, 4100, 4900, 5000, 5100, 5300, 5410, 5424, 5450, 5460, 5470, 5480, 7500, 7500E, 7600, 7800, 8000, and VA-40FC switches maintain primary and secondary partitions for firmware. The firmwareDownload command defaults to an autocommit option that automatically copies the firmware from one partition to the other.
  • Page 235 Firmware download on switches Upgrading firmware for Brocade 300, 4100, 4900, 5000, 5100, 5300, 5410, 5424, 5450, 5460, 5470, 5480, 7500, 7500E, 7600, 7800, 8000, and VA-40FC switches. 1. Take the following appropriate action based on what service you are using: •...
  • Page 236: Firmware Download On An Enterprise-Class Platform

    Firmware download on an enterprise-class platform This command will cause a warm/non-disruptive boot on the switch,but will require that existing telnet, secure telnet or SSH sessions be restarted. Do you want to continue [Y]: y Firmware is being downloaded to the switch. This step may take up to 30 minutes.
  • Page 237 Firmware download on an enterprise-class platform 6. The new standby CP blade (the active CP blade before the failover) downloads firmware. 7. The new standby CP blade reboots and comes up with the new Fabric OS. 8. The new active CP blade synchronizes its state with the new standby CP blade. 9.
  • Page 238 Firmware download on an enterprise-class platform ecp:admin> hashow Local CP (Slot 5, CP0): Active, Warm Recovered Remote CP (Slot 6, CP1): Standby, Healthy HA enabled, Heartbeat Up, HA State synchronized CP blades must be synchronized and running Fabric OS v6.0.0 or later to provide a nondisruptive download.
  • Page 239 Firmware download on an enterprise-class platform Do you want to continue [Y]: y The firmware is being downloaded to the Standby CP. It may take up to 10 minutes 10. Optionally, after the failover, connect to the switch, and log in again as admin. Using a separate session to connect to the switch, enter the firmwareDownloadStatus command to monitor the firmware download status.
  • Page 240: Firmware Download From A Usb Device

    Firmware download from a USB device Firmware download from a USB device The Brocade 300, 5100, 5300, 7800, 8000, and VA-40FC switches and the Brocade DCX and DCX-4S Backbones support a firmware download from a Brocade branded USB device attached to the switch or active CP.
  • Page 241: Fips Support

    FIPS Support FIPS Support Federal information processing standards (FIPS) specify the security standards needed to satisfy a cryptographic module utilized within a security system for protecting sensitive information in the computer and telecommunication systems. For more information about FIPS, refer to Chapter 7, “Configuring Security Policies”.
  • Page 242: Power-On Firmware Checksum Test

    FIPS Support When firmwareDownload installs a firmware file, it needs to validate the signature of the file. Different scenarios are handled as follows: • If a firmware file does not have a signature, how it is handled depends on the “signed_firmware”...
  • Page 243: Test And Restore Firmware On Switches

    Test and restore firmware on switches Test and restore firmware on switches NOTE This section does not apply to SAS or storage applications applied to the FA4-18 AP blade. Typically, users downgrade firmware after briefly evaluating a newer (or older) version and then restore the original version of the firmware.
  • Page 244: Test And Restore Firmware On Enterprise-Class Platforms

    Test and restore firmware on enterprise-class platforms ATTENTION Stop! If you want to restore the firmware, stop here and skip ahead to step 9; otherwise, continue to step 8 to commit the firmware on the switch, which completes the firmware download operations.
  • Page 245 Test and restore firmware on enterprise-class platforms Testing different firmware versions on enterprise-class platforms 1. Connect to the Brocade enterprise-class platform IP address. 2. Enter the ipAddrShow command and note the address of CP0 and CP1. 3. Enter the haShow command and note which CP is active and which CP is standby. Verify that both CPs are in sync.
  • Page 246 Test and restore firmware on enterprise-class platforms Confirm the evaluation version of firmware is now running on the active CP by entering the firmwareShow command. 9. Update firmware on the standby CP. a. Connect to the enterprise-class platform on the standby CP, which is the old active CP. b.
  • Page 247: Validating A Firmware Download

    Validating a firmware download a. In the current enterprise-class platform session for the active CP, enter the haShow command to verify that HA synchronization is complete. It will take a minute or two for the standby CP to reboot and synchronize with the active CP. b.
  • Page 248 Validating a firmware download ecp:admin> firmwareshow Slot Name Appl Primary/Secondary Versions Status ------------------------------------------------------------------------ v6.4.0 ACTIVE * v6.4.0 v6.4.0 STANDBY v6.4.0 Local CP firmwareDownloadStatus Displays an event log that records the progress and status of events during Fabric OS, SAS, and SA firmwareDownload. The event log is created by the current firmwareDownload command and is kept until another firmwareDownload command is issued.
  • Page 249: In This Chapter

    Chapter Managing Virtual Fabrics In this chapter • Virtual Fabrics overview ........209 •...
  • Page 250: Logical Switch Overview

    Logical switch overview This chapter describes the logical switch and logical fabric features. For information about device sharing with Virtual Fabrics, see “FC-FC Routing and Virtual Fabrics” on page 492. The following platforms are Virtual Fabrics-capable: • Brocade DCX and DCX-4S •...
  • Page 251: Figure 20 Switch Before And After Enabling Virtual Fabrics

    Logical switch overview [FIGURE 20 Switch before and after enabling Virtual Fabrics. Panels: Before enabling Virtual Fabrics; After enabling Virtual Fabrics.] After you enable Virtual Fabrics, you can create up to eight logical switches, depending on the switch model.
  • Page 252: Logical Switches And Fabric Ids

    Logical switch overview Logical switches and fabric IDs When you create a logical switch, you must assign it a fabric ID (FID). The fabric ID uniquely identifies each logical switch within a chassis and indicates to which fabric the logical switch belongs.
  • Page 253: Logical Switches And Connected Devices

    Logical switch overview [FIGURE 23 Assigning ports to logical switches. Panels: Before port assignment; After port assignment.] A given port is always in one (and only one) logical switch.
  • Page 254: Logical Fabric Overview

    Logical fabric overview You can also connect other switches to logical switches. In Figure 24, P6 is an E_Port that forms an ISL between Logical switch 4 and the non-Virtual Fabrics switch. Logical switch 4 is the only logical switch that can communicate with the non-Virtual Fabrics switch and D2, because the other logical switches are in different fabrics.
  • Page 255: Logical Fabric And Isls

    Logical fabric overview You connect logical switches to other logical switches in two ways: • Using ISLs • Using base switches and shared ISLs Logical fabric and ISLs Figure 26 shows two physical chassis divided into logical switches. In Figure 26, ISLs are used to connect the logical switches with fabric ID 1 and the logical switches with fabric ID 15.
  • Page 256: Logical Fabric And Isl Sharing

    Logical fabric overview NOTE Only logical switches with the same FID can form a fabric. If you connect two logical switches with different FIDs, the link between the switches segments. Logical fabric and ISL sharing Another way to connect logical switches is using extended ISLs and base switches. When you divide a chassis into logical switches, you can designate one of the switches to be a base switch.
  • Page 257: Figure 29 Logical Isls Connecting Logical Switches

    Logical fabric overview Traffic between the logical switches can now flow across this XISL. The traffic can flow only between logical switches with the same fabric ID. For example, traffic can flow between Logical Switch 2 in chassis 1 and Logical switch 6 in chassis 2, because they both have fabric ID 1. Traffic cannot flow between Logical switch 2 and Logical switch 7, because they have different fabric IDs (and are thus in different fabrics).
  • Page 258: Figure 30 Logical Fabric Using Isls And Xisls

    Logical fabric overview Physical chassis 1 Physical chassis 2 Logical switch 5 Logical switch 1 Logical ISL (Default logical switch) (Default logical switch) Fabric ID 128 Fabric ID 128 Logical switch 2 Logical switch 6 Fabric ID 1 Fabric ID 1 Logical ISL Logical ISL Logical switch 3...
  • Page 259: Management Model For Logical Switches

    Management model for logical switches Logical fabric formation Fabric formation is not based on connectivity, but is based on the FIDs of the logical switches. The basic order of fabric formation is as follows: 1. Base fabric forms. 2. Logical fabrics form when the base fabric is stable. 3.
  • Page 260: Account Management And Virtual Fabrics

    Account management and Virtual Fabrics Account management and Virtual Fabrics When user accounts are created, they are assigned a list of logical fabrics to which they can log in and a home logical fabric (home FID). When you connect to a physical chassis, the home FID defines the logical switch to which you are logged in by default.
  • Page 261: Virtual Fabrics Interaction With Other Fabric Os Features

    Supported platforms for Virtual Fabrics Supported port configurations in the Brocade DCX and DCX-4S Some of the ports in the Brocade DCX and DCX-4S are not supported on all types of logical switches. Table 45 on page 221 lists the blades and ports that are supported on each type of logical switch.
  • Page 262: Limitations And Restrictions Of Virtual Fabrics

    Limitations and restrictions of Virtual Fabrics TABLE 46 Virtual Fabrics interaction with Fabric OS features Fabric OS feature Virtual Fabrics interaction Admin Domains Virtual Fabrics and Admin Domains are mutually exclusive and are not supported at the same time on a switch. To use Admin Domains, you must first disable Virtual Fabrics; to use Virtual Fabrics, you must first delete all Admin Domains.
  • Page 263: Restrictions On Moving Ports

    Enabling Virtual Fabrics mode TABLE 47 Maximum number of logical switches per chassis (Continued) Platform Maximum number of logical switches Brocade 5300 Brocade 5100 Brocade VA-40FC Following are restrictions on the default logical switch in the Brocade DCX and DCX-4S: •...
  • Page 264: Disabling Virtual Fabrics Mode

    Disabling Virtual Fabrics mode 1. Connect to the physical chassis and log in using an account assigned to the admin role with the chassis-role permission. 2. Enter the following command to check whether VF mode is enabled: fosconfig --show 3. Delete all Admin Domains, as described in “Deleting all user-defined Admin Domains non-disruptively”...
  • Page 265: Configuring Logical Switches To Use Basic Configuration Values

    Configuring logical switches to use basic configuration values Example The following example checks whether VF mode is enabled or disabled and then disables it. switchA:FID128:admin> fosconfig --show FC Routing service: disabled iSCSI service: Service not supported on this Platform iSNS client service: Service not supported on this Platform Virtual Fabric: enabled...
  • Page 266 Creating a logical switch or base switch You can optionally define the logical switch to be a base switch. Each chassis can have only one base switch. NOTE Domain ID conflicts are detected before fabric ID conflicts. If you have both a domain ID conflict and a fabric ID conflict, only the domain ID conflict is reported.
  • Page 267: Executing A Command In A Different Logical Fabric Context

    Executing a command in a different logical fabric context Domain: (1..239) [1] 14 WWN Based persistent PID (yes, y, no, n): [no] (output truncated) WARNING: The domain ID will be changed. The port level zoning may be affected switch_4:FID4:admin> switchenable Executing a command in a different logical fabric context This procedure describes how to execute a command for a logical switch while you are in the context of a different logical switch.
  • Page 268: Deleting A Logical Switch

    Deleting a logical switch --------------------------------------------------- "fabricshow" on FID 128: Switch ID Worldwide Name Enet IP Addr FC IP Addr Name ------------------------------------------------------------------------- 97: fffc61 10:00:00:05:1e:82:3c:2a 10.32.79.105 0.0.0.0 >"sw0" --------------------------------------------------- "fabricshow" on FID 4: Switch ID Worldwide Name Enet IP Addr FC IP Addr Name ------------------------------------------------------------------------- 14: fffc0e 10:00:00:05:1e:82:3c:2b 10.32.79.105...
  • Page 269: Adding And Removing Ports On A Logical Switch

    Adding and removing ports on a logical switch Adding and removing ports on a logical switch This procedure explains how to add and remove ports on logical switches. All ports in a chassis must be assigned to a logical switch. All ports are initially assigned to the default logical switch.
  • Page 270: Displaying Logical Switch Configuration

    Displaying logical switch configuration Displaying logical switch configuration 1. Connect to the physical chassis and log in using an account assigned to the admin role with the chassis-role permission. 2. Enter the following command to display a list of all logical switches and the ports assigned to them: lscfg --show [ -provision ] If the -provision option is specified, all ports on all slots are displayed, regardless of the slot...
  • Page 271: Changing A Logical Switch To A Base Switch

    Changing a logical switch to a base switch Example sw0:FID128:admin> lscfg --change 5 -newfid 7 Changing of a switch fid requires that the switch be disabled. Would you like to continue [y/n]?: y Disabling switch... All active login sessions for FID 5 have been terminated. Checking and logging message: fid = 5.
  • Page 272: Setting Up Ip Addresses For A Virtual Fabric

    Setting up IP addresses for a Virtual Fabric 1e1300 No_Module 1e1400 No_Module switch_25:FID7:admin> configure Not all options will be available on an enabled switch. To disable the switch, use the "switchDisable" command. Configure... Fabric parameters (yes, y, no, n): [no] y WWN Based persistent PID (yes, y, no, n): [no] Allow XISL Use (yes, y, no, n): [yes] n WARNING!! Disabling this parameter will cause removal of LISLs to...
  • Page 273: Changing The Context To A Different Logical Fabric

    Changing the context to a different logical fabric XISL use is not supported for the following cases: • FICON logical fabrics. • Logical switches in an edge fabric connected to an FC router. If the logical switch is enabled, you cannot allow XISL use. If the logical switch is disabled or has not yet joined the edge fabric, you can allow XISL use;...
  • Page 274: Creating A Logical Fabric Using Xisls

    Creating a logical fabric using XISLs Creating a logical fabric using XISLs This procedure describes how to create a logical fabric using multiple chassis and XISLs and refers to the configuration shown in Figure 31 as an example. Physical chassis 1 Physical chassis 2 Logical switch 5 Logical switch 1...
  • Page 275 Creating a logical fabric using XISLs For the example shown in Figure 31, you would create a logical switch with FID 1 and a logical switch with FID 15. Assign ports to the logical switch, as described in “Adding and removing ports on a logical switch”...
  • Page 277: Administering Advanced Zoning

    Chapter Administering Advanced Zoning In this chapter • Special zones..........237 •...
  • Page 278: Zoning Overview

    Zoning overview • QoS zones Assign high or low priority to designated traffic flows. QoS zones are normal zones with additional QoS attributes specified by adding a QOS prefix to the zone name. See “QoS: SID/DID traffic prioritization” on page 403 for more information. •...
  • Page 279: Zone Types

    Zoning overview JBOD Loop 2 Server2 Blue zone Fibre Channel Fabric RAID Server3 Server1 Loop 1 Red zone Green zone FIGURE 32 Zoning example To list the commands associated with zoning, use the zoneHelp command. For detailed information on the zoning commands used in the procedures, see the Fabric OS Command Reference or the online man page for each command.
  • Page 280: Zone Objects

    Zoning overview TABLE 49 Approaches to fabric-based zoning Zoning approach Description Recommended approach Single HBA Zoning by single HBA most closely re-creates the original SCSI bus. Each zone created has only one HBA (initiator) in the zone; each of the target devices is added to the zone. Typically, a zone is created for the HBA and the disk storage ports are added.
  • Page 281: Zone Aliases

    Zoning overview For example, in enterprise-class platforms, “4,30” specifies port 14 in slot number 2 (domain ID 4, port index 30). On fixed-port models, “3,13” specifies port 13 in switch domain ID 3. Note the following effects on zone membership based on the type of zone object: •...
  • Page 282: Zone Configurations

    Zoning overview Zone configurations A zone configuration is a group of one or more zones. A zone can be included in more than one zone configuration. When a zone configuration is in effect, all zones that are members of that configuration are in effect.
  • Page 283: Considerations For Zoning Architecture

    Zoning overview Session-based hardware enforcement is in effect in the following cases, on a per-zone basis: • A zone does not have either all WWN or all D,I entries. • Overlapping zones (in which zone members appear in two or more zones). Identifying the enforced zone type 1.
  • Page 284: Best Practices For Zoning

    Broadcast zones Best practices for zoning The following are recommendations for using zoning: • Always zone using the highest Fabric OS-level switch. Switches with earlier Fabric OS versions do not have the capability to view all the functionality that a newer Fabric OS provides, as functionality is backwards compatible but not forwards compatible.
  • Page 285: Broadcast Zones And Fc-Fc Routing

    Broadcast zones Figure 33 illustrates how broadcast zones work with Admin Domains. Figure 33 shows a fabric with five devices and two Admin Domains, AD1 and AD2. Each Admin Domain has two devices and a broadcast zone. "3,1" "1,1" "4,1" "2,1"...
  • Page 286: High Availability Considerations With Broadcast Zones

    Zone aliases High availability considerations with broadcast zones If a switch has broadcast zone-capable firmware on the active CP (Fabric OS v5.3.x or later) and broadcast zone-incapable firmware on the standby CP (Fabric OS version earlier than v5.3.0), then you cannot create a broadcast zone because the zoning behavior would not be the same across an HA failover.
  • Page 287: Adding Members To An Alias

    Zone aliases 3. Enter the cfgSave command to save the change to the defined configuration. The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile memory. If a transaction is open on a different switch in the fabric when this command is run, the transaction on the other switch is automatically aborted.
  • Page 288: Deleting An Alias

    Zone aliases Example switch:admin> aliremove "array1", "1,2" switch:admin> aliremove "array2", "21:00:00:20:37:0c:72:51" switch:admin> aliremove "loop1", "4,6" switch:admin> cfgsave You are about to save the Defined zoning configuration. This action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled.
  • Page 289: Zone Creation And Maintenance

    Zone creation and maintenance To create a broadcast zone, use the reserved name “broadcast”. Do not give a regular zone the name of “broadcast”. See “Broadcast zones” on page 244 for additional information about this special type of zone. Virtual Fabric considerations: Zone definitions should not include logical port numbers.
  • Page 290: Removing Devices (Members) From A Zone

    Zone creation and maintenance action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled. Do you want to save Defined zoning configuration only? (yes, y, no, n): [no] y Removing devices (members) from a zone 1.
  • Page 291: Viewing A Zone In The Defined Configuration

    Zone creation and maintenance Viewing a zone in the defined configuration 1. Connect to the switch and log in as admin. 2. Enter the zoneShow command, using the following syntax: zoneshow[--sort] ["pattern"] [, mode] If no parameters are specified, the entire zone database (both the defined and effective configuration) is displayed.
  • Page 292: Default Zoning Mode

    Default zoning mode The mode flag -m can be used to specify the zone database location. Supported mode flag values are: • 0 - zone database from the current transaction buffer • 1 - zone database stored from the persistent storage •...
  • Page 293: Viewing The Current Default Zone Access Mode

    Zoning database size 4. Enter either the cfgSave, cfgEnable, or cfgDisable command to commit the change and distribute it to the fabric. The change will not be committed and distributed across the fabric if you do not enter one of these commands. Example switch:admin>...
  • Page 294: Creating A Zoning Configuration

    Zoning configurations When enabling a new zone configuration, ensure that the size of the defined configuration does not exceed the maximum configuration size supported by all switches in the fabric. This is particularly important if you downgrade to a Fabric OS version that supports a smaller zone database than the current Fabric OS.
  • Page 295: Removing Zones (Members) From A Zone Configuration

    Zoning configurations The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile memory. If a transaction is open on a different switch in the fabric when this command is run, the transaction on the other switch is automatically aborted. A message displays on the other switches to indicate that the transaction was aborted.
  • Page 296: Disabling A Zone Configuration

    Zoning configurations to one or more traffic isolation zones, the update may result in localized disruption to traffic on ports associated with the traffic isolation zone changes. (yes, y, no, n): [no] y Do you want to enable 'USA_cfg' configuration zone config "USA_cfg"...
  • Page 297: Clearing Changes To A Configuration

    Zoning configurations Any changes made on the Effective configuration will not take effect until it is re-enabled. Do you want to save Defined zoning configuration only? (yes, y, no, n): [no] y Clearing changes to a configuration 1. Enter the cfgTransAbort command. When this command is executed, all changes since the last save operation (performed with the cfgSave, cfgEnable, or cfgDisable command) are cleared.
  • Page 298: Viewing Selected Zone Configuration Information

    Zoning configurations Viewing selected zone configuration information 1. Connect to the switch and log in as admin. 2. Enter the cfgShow command and specify a pattern. cfgshow "pattern"[, mode] Example The following example displays all zone configurations that start with “Test”: switch:admin>...
  • Page 299: Zone Object Maintenance

    Zone object maintenance The following procedures describe how to copy, delete, and rename zone objects. Depending on the operation, a zone object can be a zone member, a zone alias, a zone, or a zone configuration. Copying a zone object When you copy a zone object, the resulting object has the same name as the original.
  • Page 300: Renaming A Zone Object

    Zone object maintenance alias: array1 21:00:00:20:37:0c:76:8c; 21:00:00:20:37:0c:71:02 alias: array2 21:00:00:20:37:0c:76:22; 21:00:00:20:37:0c:76:28 alias: loop1 21:00:00:20:37:0c:76:85; 21:00:00:20:37:0c:71:df Effective configuration: cfg: USA_cfg zone: Blue_zone 21:00:00:20:37:0c:76:8c 21:00:00:20:37:0c:71:02 21:00:00:20:37:0c:76:22 21:00:00:20:37:0c:76:28 zone: Purple_zone 21:00:00:20:37:0c:76:85 21:00:00:20:37:0c:71:df 3. Enter the zone expunge command to delete the zone object. Zone configuration names are case-sensitive;...
  • Page 301: Zoning Configuration Management

    Zoning configuration management 4. Enter the cfgShow command to verify the renamed zone object is present. 5. If you want the change preserved when the switch reboots, enter the cfgSave command to save it to nonvolatile (flash) memory. 6. Enter the cfgEnable command for the appropriate zone configuration to make the change effective.
  • Page 302 Zoning configuration management The database is the zone configuration database. (This is the data displayed as the “defined configuration” in the cfgShow command.) It is stored in nonvolatile memory by the cfgSave command. This database is a replicated database, which means that all switches in the fabric will have a copy of this database.
  • Page 303: Fabric Segmentation And Zoning

    Security and zoning A merge is not possible if any of the following conditions exist: Configuration mismatch: Zoning is enabled in both fabrics and the zone configurations that are enabled are different in each fabric. Type mismatch: The name of a zone object in one fabric is used for a different type of zone object in the other fabric.
  • Page 304: Zone Merging Scenarios

    Zone merging scenarios When two secure fabrics join, the traditional zoning merge does not occur. Instead, a zoning database is downloaded from the primary FCS switch of the merged secure fabric. When E_Ports are active between two switches, the name of the FCS server and a zoning policy set version identifier are exchanged between the switches.
  • Page 305 Zone merging scenarios TABLE 51 Zone merging scenarios (Continued) Description Switch A Switch B Expected results Switch A and Switch B have different defined: cfg2 defined: cfg1 Clean merge. The new configuration defined configurations. Switch B has zone2: ali3; ali4 zone1: ali1;...
  • Page 306: Table 51 Zone Merging Scenarios

    Zone merging scenarios TABLE 51 Zone merging scenarios (Continued) Description Switch A Switch B Expected results Different default zone access mode defzone: allaccess defzone: noaccess Clean merge — noaccess takes settings. precedence and defzone configuration from Switch B propagates to fabric. defzone: noaccess Different default zone access mode defzone: noaccess...
  • Page 307: Traffic Isolation Zoning

    Chapter Traffic Isolation Zoning In this chapter • Traffic Isolation Zoning overview ....... . . 267 •...
  • Page 308: Ti Zone Failover

    Traffic Isolation Zoning overview Figure 34 shows a fabric with a TI zone consisting of the following: • N_Ports: “1,7”, “1,8”, “4,5”, and “4,6” • E_Ports: “1,1”, “3,9”, “3,12”, and “4,7” The dotted line indicates the dedicated path from the initiator in Domain 1 to the target in Domain 4.
  • Page 309: Table 52 Comparison Of Traffic Behavior When Failover Is Enabled Or Disabled In Ti Zones

    Traffic Isolation Zoning overview TABLE 52 Comparison of traffic behavior when failover is enabled or disabled in TI zones Failover enabled Failover disabled If the dedicated path is not the shortest path or if the If the dedicated path is not the shortest path or if the dedicated path is broken, the TI zone traffic will use a dedicated path is broken, traffic for that TI zone is non-dedicated path instead.
  • Page 310: Fspf Routing Rules And Traffic Isolation

    Traffic Isolation Zoning overview • For the Brocade 300, 5000, 5100, 5300, 5410, 5424, 5450, 5460, 5470, 5480, 7800, 8000, VA-40FC, DCX, DCX-4S, and Brocade Encryption Switch: Domain controller frames can use any path between switches. Disabling failover does not affect Domain Controller connectivity. For example, in Figure 35, if failover is disabled, Domain 2 can continue to send domain...
  • Page 311: Figure 36 Dedicated Path Is The Only Shortest Path

    Traffic Isolation Zoning overview • If failover is disabled, non-TI zone traffic is blocked because it cannot use the dedicated ISL, which is the lowest cost path. For example, in Figure 36, there is a dedicated path between Domain 1 and Domain 3, and another, non-dedicated, path that passes through Domain 2.
  • Page 312: Enhanced Ti Zones

    Enhanced TI zones Prior to Fabric OS v6.4.0, a port could be in only one TI zone at a time. Starting in Fabric OS v6.4.0, ports can be in multiple TI zones at the same time. Zones with overlapping port members are called enhanced TI zones (ETIZ).
  • Page 313: Traffic Isolation Zoning Over Fc Routers

    Traffic Isolation Zoning over FC routers Domain 1 Domain 3 Target Host 1 Host 2 = ETIZ 1 = ETIZ 2 Domain 2 FIGURE 39 Illegal ETIZ configuration The Fabric OS routing implementation does not support separate routes to separate ports on a destination domain.
  • Page 314: Ti Within An Edge Fabric

    Traffic Isolation Zoning over FC routers Edge fabric 1 Backbone Edge fabric 2 fabric = Dedicated path set up by TI zone in edge fabric 1 = Dedicated path set up by TI zone in edge fabric 2 = Dedicated path set up by TI zone in backbone fabric FIGURE 40 Traffic Isolation Zoning over FCR In addition to setting up TI zones, you must also ensure that the devices are in an LSAN zone so...
  • Page 315: Ti Within A Backbone Fabric

    Traffic Isolation Zoning over FC routers In the TI zone, when you designate E_Ports between the front and xlate phantom switches, you must use -1 in place of the “I” in the D,I notation. Both the front and xlate domains must be included in the TI zone.
  • Page 316: Limitations Of Ti Zones Over Fc Routers

    General rules for TI zones Using D,I and port WWN notation, the members of the TI zone in Figure 42 are: (EX_Port for FC router 1) (VE_Port for FC router 1) (VE_Port for FC router 2) (EX_Port for FC router 2) 10:00:00:00:00:01:00:00 (Port WWN for the host) 10:00:00:00:00:02:00:00...
  • Page 317: Supported Configurations For Traffic Isolation Zoning

    Supported configurations for Traffic Isolation Zoning For example, in Figure 43, the TI zone was configured incorrectly and E_Port “3,9” was erroneously omitted from the zone. The domain 3 switch assumes that traffic coming from E_Port 9 is not part of the TI zone and so that traffic is routed to E_Port 11 instead of E_Port 12, if failover is enabled.
  • Page 318: Additional Configuration Rules For Enhanced Ti Zones

    Limitations and restrictions of Traffic Isolation Zoning TI over FCR is not backward compatible with Fabric OS v6.0.x or earlier. The -1 in the domain,index entries causes issues for legacy switches in a zone merge. Firmware downgrade is prevented if TI over FCR zones exist. Additional configuration rules for enhanced TI zones Enhanced TI zones (ETIZ) have the following additional configuration rules: •...
  • Page 319: Admin Domain Considerations For Traffic Isolation Zoning

    Admin Domain considerations for Traffic Isolation Zoning • Two N_Ports that have the same shared area should not be configured in different TI zones. This limitation does not apply to E_Ports that use the same shared area on the FC4-48 and FC8-48 port blades.
  • Page 320: Figure 44 Dedicated Path With Virtual Fabrics

    Virtual Fabric considerations for Traffic Isolation Zoning Target Host Domain 8 Domain 9 LS3, FID1 LS1, FID1 Domain 7 Domain 3 Domain 5 Chassis 1 Chassis 2 LS4, FID3 LS2, FID3 Domain 4 Domain 6 Base switch Base switch Domain 1 Domain 2 = Dedicated Path = Ports in the TI zones...
  • Page 321: Traffic Isolation Zoning Over Fc Routers With Virtual Fabrics

    Traffic Isolation Zoning over FC routers with Virtual Fabrics Using D,I notation, the port numbers for the TI zones in the logical fabric and base fabric are as follows: Port members for the TI zone in logical fabric Port members for the TI zone in base fabric F_Port E_Port for ISL in logical switch E_Port...
  • Page 322: Creating A Ti Zone

    Creating a TI zone Edge fabric Fabric 1 Edge fabric Fabric 3 Backbone fabric FIGURE 48 Logical representation of TI zones over FC routers in logical fabrics Creating a TI zone You create and modify TI zones using the zone command. Other zoning commands, such as zoneCreate, aliCreate, and cfgCreate, cannot be used to manage TI zones.
  • Page 323 Creating a TI zone Be aware of the ramifications if you create a TI zone with failover mode disabled. See “TI zone failover” on page 268 for information about disabling failover mode. 3. Enter the cfgEnable command to reactivate your current effective configuration and enforce the TI zones.
  • Page 324: Creating A Ti Zone In A Base Fabric

    Modifying TI zones Creating a TI zone in a base fabric 1. Connect to the switch and log in as admin. 2. Create a “dummy” zone configuration in the base fabric. For example: zone --create "z1", "1,1" cfgcreate "base_config", z1 3.
  • Page 325: Changing The State Of A Ti Zone

    Changing the state of a TI zone Be aware of the ramifications if you disable failover mode. See “TI zone failover” on page 268 for information about disabling failover mode. 3. Enter the cfgEnable command to reactivate your current effective configuration and enforce the TI zones.
  • Page 326: Deleting A Ti Zone

    Deleting a TI zone Use the zone delete command to delete a TI zone from the defined configuration. This command deletes the entire zone; to only remove port members from a TI zone, use the zone remove command, as described in “Modifying TI zones”...
  • Page 327: Setting Up Ti Over Fcr (Sample Procedure)

    Setting up TI over FCR (sample procedure) To display information about all TI zones in the defined configuration in ascending order: switch:admin> zone --show -ascending Defined TI zone configuration: TI Zone Name: bluezone: Port List: 8,3; 8,5; 9,2; 9,3; Configured Status: Deactivated / Failover-Disabled Enabled Status: Activated / Failover-Enabled TI Zone Name: greenzone:...
  • Page 328 Setting up TI over FCR (sample procedure) NOTE In the following procedure the three TI zones in the edge and backbone fabrics are all given the same name, TI_Zone1. It is not required that the TI zones have the same name, but this is done to avoid confusion.
  • Page 329 Setting up TI over FCR (sample procedure) 3. Log in to the edge fabric 2 and set up the TI zone. a. Enter the fabricShow command to display the switches in the fabric. From the output, you can determine the front and translate domains. E2switch:admin>...
  • Page 330 Setting up TI over FCR (sample procedure) b. Enter the following commands to reactivate your current effective configuration and enforce the TI zones. BB_DCX_1:admin> cfgactvshow Effective configuration: cfg: cfg_TI zone: lsan_t_i_TI_Zone1 10:00:00:00:00:00:02:00:00 10:00:00:00:00:00:03:00:00 10:00:00:00:00:00:08:00:00 BB_DCX_1:admin> cfgenable cfg_TI You are about to enable a new zoning configuration. This action will replace the old zoning configuration with the current configuration selected.
  • Page 331: Administering Npiv

    Chapter Administering NPIV In this chapter • NPIV overview ..........291 •...
  • Page 332: Upgrade Considerations

    NPIV overview ============================================== 010000 Online FC F-Port 20:0c:00:05:1e:05:de:e4 0xa06601 010100 Online FC F-Port 1 N Port + 4 NPIV public 010200 Online FC F-Port 1 N Port + 119 NPIV public 010300 Online FC F-Port 1 N Port + 221 NPIV public On the Brocade DCX and DCX-4S with the FC8-64 blade, the base port is not included in the NPIV device count.
  • Page 333: Configuring Npiv

    Configuring NPIV TABLE 53 Number of supported NPIV devices (Continued) Platform Virtual Fabric Logical switch type NPIV support DCX-4S Enabled Logical switch Yes, 255 virtual device limit. DCX-4S Enabled Base switch Maximum limit support takes precedence if user-configured maximum limit is greater. This applies to shared areas on the FC4-48, FC8-48, and FC8-64 port blades.
  • Page 334: Enabling And Disabling Npiv

    Enabling and disabling NPIV VC Link Init Locked L_Port Locked G_Port Disabled E_Port Locked E_Port ISL R_RDY Mode RSCN Suppressed Persistent Disable LOS TOV enable NPIV capability QOS E_Port Port Auto Disable: Rate Limit EX Port Mirror Port Credit Recovery F_Port Buffers NPIV PP Limit: CSCTL mode:...
  • Page 335 Viewing NPIV port configuration information Ports of Slot 0 9 10 11 12 13 14 15 -----------------+--+--+--+--+----+--+--+--+----+--+--+--+----+--+--+-- Speed AN AN AN AN AN AN AN AN AN AN AN AN AN AN AN AN Trunk Port ON ON ON ON ON ON ON ON ON ON ON ON ON ON ON ON...
  • Page 336: Viewing Virtual Pid Login Information

    Viewing NPIV port configuration information portState: 1Online portPhys: 6In_Sync portScn: 32F_Port port generation number: portId: 630200 portIfId: 43020005 portWwn: 20:02:00:05:1e:35:37:40 portWwn of device(s) connected: c0:50:76:ff:fb:00:16:fc c0:50:76:ff:fb:00:16:f8 <output truncated> c0:50:76:ff:fb:00:16:80 50:05:07:64:01:a0:73:b8 Distance: normal portSpeed: N2Gbps Interrupts: Link_failure: 16 Frjt: Unknown: Loss_of_sync: 422 Fbsy: Lli: 294803...
  • Page 337: In This Chapter

    Chapter Interoperability for Merged SANs In this chapter • Interoperability overview ........297 •...
  • Page 338: Connectivity Solutions

    Connectivity solutions • InteropMode 2 for McDATA Fabric mode, which supports M-EOS switches running in McDATA Fabric mode. • InteropMode 3 for McDATA Open Fabric mode, which supports M-EOS switches running in Open Fabric mode. McDATA Open Fabric mode is intended specifically for adding Fabric OS-based products to M-EOS fabrics that are already using Open Fabric mode.
  • Page 339: Domain Id Offset Modes

    Domain ID offset modes FIGURE 50 Typical direct E_Port configuration Domain ID offset modes The domain ID offset in interopmode 3 (IM3) allows an M-EOS switch to operate in a fabric that contains domain IDs other than 1-31. In interopmode 2 (IM2) the domain ID offset can only be in the 1-31 range.
  • Page 340: Table 54 Internal Representations Of Id Domain Offsets In Im2

    Domain ID offset modes TABLE 54 Internal representations of ID domain offsets in IM2. Domain Offset Domain ID PID Area affected 0x00 0x01 01XXYY 0x20 0x21 21XXYY 0x40 0x41 41XXYY 0x60 0x01 61XXYY 0x80 0x81 81XXYY 0xA0 0xA1 A1XXYY 0xC0 0xC1 C1XXYY TABLE 55...
  • Page 341: Configuring The Domain_Id Offset

    McDATA Fabric mode configuration restrictions • Domain ID offset mode — In this mode, you can set the Domain ID Offset to any one of the following values: 0x00, 0x20, 0x40, 0x80, 0xA0, or 0xC0. Supported Domain ID ranges are: 1-31, 33-63, 65-95, 129-159, 161-191, 193-223.
  • Page 342: Mcdata Open Fabric Mode Configuration Restrictions

    McDATA Open Fabric mode configuration restrictions • Platform management functions must be deactivated before connecting a Fabric OS switch to an M-EOS switch because M-EOS switches do not understand Brocade proprietary frames used to exchange platform information. • In the default domain ID mode, the domain IDs of all switches in the fabric must fall within the decimal range of 1-31 or 97-127.
  • Page 343: Switch Configurations For Interoperability

    Switch configurations for interoperability In a Virtual Fabric, the logical switch used to communicate among different logical switches is called the base switch and it must be in Brocade Native mode. If you set a logical switch to interopmode 2 or interopmode 3, it cannot use the logical links between two logical switches if they were connected using extended ISLs that were formed as part of the base fabric.
  • Page 344: Enabling Mcdata Fabric Mode

    Switch configurations for interoperability 1. Verify that you have implemented all the Brocade prerequisites necessary to enable interopMode 3 on the fabric (see “McDATA Open Fabric mode configuration restrictions” on page 302). 2. Connect to the switch and log in using an account assigned to the admin role. 3.
  • Page 345: Enabling Brocade Native Mode

    Switch configurations for interoperability The switch effective and defined configuration will be lost if interop Mode is changed. Interop Mode or Domain Offset Will Be Changed and switch will be Enabled Do you want to continue? (yes, y, no, n): [no] y 6.
  • Page 346: Zone Management In Interoperable Fabrics

    Zone management in interoperable fabrics McDATA Fabric and McDATA Open Fabric modes support zone activation using an M-series management tool such as Data Center Fabric Manager (DCFM) or Web Tools. The command line interface (CLI) can also be used as a zone management tool for both IM2 and IM3. CLI commands are very limited in IM3.
  • Page 347: Zone Name Restrictions

    Zone management in interoperable fabrics • Zoning using domain,port notation is allowed. Zone configurations that use either physical port numbers or port IDs are supported. • Zoning using domain,index notation is allowed only in McDATA Fabric mode (IM2), not Open fabric mode (IM3).
  • Page 348: Setting The Safe Zone Mode On A Stand-Alone Switch

    Zone management in interoperable fabrics Safe zoning mode The safe zoning mode is a fabric-wide parameter that ensures that the resulting zone set of two merged fabrics is consistent with the pre-merged zone sets. When you enable the safe zoning mode, the default zoning mode must be disabled and the zoning configuration of neighboring switches must match completely before the zoning can merge.
  • Page 349: Effective Zone Configuration

    Zone management in interoperable fabrics Effective zone configuration An effective zone configuration is a subset of the defined zone configuration, containing only the zone configuration objects that are currently enabled; only one configuration can be effective at a time, but multiple configurations can be defined in the database. The effective zone set or zone configuration must correctly propagate to the other switches in the fabric.
  • Page 350: Frame Redirection In Interoperable Fabrics

    Frame Redirection in interoperable fabrics Frame Redirection provides a means to redirect traffic flow between a host and a target to virtualization and encryption applications so that those applications can perform without having to reconfigure the host and target. Use this feature if the hosts and targets are not directly attached to M-EOS switches.
  • Page 351: Brocade Santegrity Implementation In Mixed Fabric Sans

    Brocade SANtegrity implementation in mixed fabric SANS SANtegrity is required only in legacy M-EOS fabrics running DCFM management software. In mixed fabrics, FICON requires using Fabric Binding to define switches, and to verify the inter-switch link (ISL) restrictions.
  • Page 352: Table 56 Fabric Os Switch Authentication Types

    E_Port authentication between Fabric OS and M-EOS switches Because M-EOS supports only DH-CHAP authentication, not all Fabric OS authentication configurations work when connected to an M-EOS switch. With DH-CHAP authentication, you must configure the shared secrets on both switches. For details on procedures to configure shared secrets, see Chapter 7, “Configuring Security Policies”.
  • Page 353: Switch Authentication Policy

    E_Port authentication between Fabric OS and M-EOS switches Table 59 describes the device authentication mode. TABLE 59 Device authentication mode Fabric OS authentication M-EOS support M-EOS switch explanation mode Not used for E_Port authentication. Passive Not used for E_Port authentication. Switch authentication policy There are differences in the Switch Authentication policies between the Fabric OS switch and the M-EOS switch.
  • Page 354: Table 61 Switch Authentication Policy - Fabric Os Switch With Incorrect Peer Secret For M-Eos

    E_Port authentication between Fabric OS and M-EOS switches Authentication policy when the secrets are not correct Table 61 and Table 62 show the connection status for the cases where the authentication secrets are incorrect. Table 61 shows the E_Port connection status when the Fabric OS switch does not have the correct secret for the M-EOS switch.
  • Page 355: Dumb Switch Authentication

    E_Port authentication between Fabric OS and M-EOS switches TABLE 62 Switch authentication policy-M-EOS switch with the incorrect peer secret for Fabric OS switch Fabric OS Passive Active M-EOS E_Port does not E_Port does not E_Port does not E_Port does not connect connect connect...
  • Page 356: Table 63 Switch Authentication Policy When Connected To An M-Eos Dumb Switch

    E_Port authentication between Fabric OS and M-EOS switches TABLE 63 Switch authentication policy when connected to an M-EOS dumb switch Fabric OS Passive Active M-EOS Disabled Connected without E_Port does not connect E_Port does not connect Connected any authentication (Authentication Rejected). (Authentication Rejected).
  • Page 357: Authentication Of Ve_Port-To-Ve_Port Connections

    E_Port authentication between Fabric OS and M-EOS switches Authentication of VE_Port-to-VE_Port connections Although running authentication for VE_Ports works the same as for E_Ports, for VE_Ports, both sides of the connection are on the Fabric OS switches. Table 64 shows the switch authentication policy for VE_Port-to-VE_Port connections when all the secrets are correct.
  • Page 358 E_Port authentication between Fabric OS and M-EOS switches TABLE 64 VE_Port-to-VE_Port authentication policy with correct switch secret (Continued) Fabric OS Passive Active switch VE_ to VE_Port Yes! Yes! Yes! Connected with two-way Connected with Connected with E_Port does not connect authentication;...
  • Page 359: Table 65 Ve_Port-To-Ve_Port Authentication Policy With Unknown Switch Secret

    E_Port authentication between Fabric OS and M-EOS switches TABLE 65 VE_Port-to-VE_Port authentication policy with unknown switch secret Fabric OS Passive Active switch VE_ to VE_Port Passive Connected without E_Port does not E_Port does not Connected without any any authentication connect connect authentication (Fabric (Fabric builds...
  • Page 360: Authentication Of Vex_Port-To-Ve_Port Connections

    E_Port authentication between Fabric OS and M-EOS switches TABLE 65 VE_Port-to-VE_Port authentication policy with unknown switch secret (Continued) Fabric OS Passive Active switch VE_ to VE_Port E_Port does not E_Port does not E_Port does not E_Port does not connect connect connect connect (Authentication Rejected).
  • Page 361: Authentication Of Vex_Port-To-Vex_Port Connections

    FCR SANtegrity TABLE 66 VEX_Port-to-VE_Port authentication policy with correct secrets Fabric OS switch Passive Active VEX_Port-to-VE_Port Passive Yes! Yes! Connected without Connected with Connected with Connected without any authentication two-way two-way any authentication (Fabric builds authentication; both authentication; both (Fabric builds normally).
  • Page 362: Fabric Binding Behavior In A Mixed Fabric

    FCR SANtegrity FCR implements a simplified version of Fabric Binding that is passive and only checks whether its own Front Port domain ID and WWN pair is present in the Fabric Binding list that is sent from an M-EOS switch. CAUTION In FOS-only McDATA Fabric Mode fabrics that have Fabric Binding activated, fabric disruptions may occur if there are any FOS switches that do not have insistent domain ID enabled.
  • Page 363: Ficon Implementation In A Mixed Fabric

    FICON implementation in a mixed fabric 1. Connect to the switch and log in using an account assigned to the admin role. Ensure that the port is offline to configure the preferred domain ID. 2. Enter the portCfgEXPort command. For McDATA Fabric mode, the valid range of domain IDs is from 1-31. For McDATA Open Fabric mode, the valid range of domain IDs is from 97-127.
  • Page 364: Coordinated Hot Code Load

    Coordinated Hot Code Load Coordinated Hot Code Load Coordinated Hot Code Load (HCL) removes the limitations on the number of E_Ports that can be supported. Fabric OS v6.2.0 and later supports Coordinated HCL on all Fabric OS switches when connected to a mixed fabric with M-EOS switches running in either McDATA Fabric or McDATA Open Fabric mode.
  • Page 365: Coordinated Hcl On Switches Firmware Downloads

    McDATA-aware features If you select yes, the firmwareDownload operation proceeds without making the normal Coordinated HCL checks. The firmwareDownload -o command upgrades both CPs in the switch. Coordinated HCL on switches firmware downloads If the firmwareDownload command is entered with both the –s and –b (auto-reboot) options, a best effort will be made to run Coordinated HCL.
  • Page 366: Mcdata-Unaware Features

    McDATA-unaware features TABLE 68 McDATA-aware features (Continued) Feature Behavior FICON and FICON CUP Fabric Binding is required for FICON support in mixed fabrics. Cascaded CUP and Missing Interrupt Handler Process Timeout (MIHPTO), which should be set to 60, are supported. Cascaded CUP is only supported in McDATA Fabric mode.
  • Page 367: Table 70 Complete Feature Compatibility Matrix

    McDATA-unaware features TABLE 70 Complete feature compatibility matrix (Continued) Feature Support Notes DHCP Environmental monitor Error event management Fabric Device Management Interface (FDMI) Fabric Watch (FW) Fibre Channel over McDATA Fabric mode and McDATA Open Fabric Ethernet (FCoE) mode are not supported on the Brocade 8000. FICON (includes CUP) Supported on the Brocade 4900, 5000, 5100, 5300, and the VA-40FC switches, and the...
  • Page 368: M-Eos Feature Limitations In Mixed Fabrics

    McDATA-unaware features TABLE 70 Complete feature compatibility matrix (Continued) Feature Support Notes Speed negotiation syslog daemon • Trunking Frame-level ISL Trunking from Fabric OS to Fabric OS: Yes; McDATA Fabric mode only • Frame-level ISL Trunking from Fabric OS to M-EOS: No •...
  • Page 369: Supported Hardware In An Interoperable Environment

    Supported hardware in an interoperable environment • Trunking Fabric OS switches support trunking when participating in Brocade Native, McDATA Fabric, or McDATA Open Fabric mode. Trunk ports (bandwidth aggregation) only apply to an ISL between two Fabric OS switches. Note the following: Fabric OS frame-based trunking Fabric OS frame-based trunking is supported for ISLs between two Fabric OS switches.
  • Page 370: Table 71 Fabric Os Interoperability With M-Eos

    Supported hardware in an interoperable environment TABLE 71 Fabric OS interoperability with M-EOS Fabric OS v6.2.0 Fabric OS v6.3.0 Fabric OS v6.4.0 Chassis Type Blade Type McDATA Open Fabric and McDATA Open Fabric and McDATA Open Fabric and Fabric mode Fabric mode Fabric mode Brocade 48000 director...
  • Page 371: Supported Features In An Interoperable Environment

    Supported features in an interoperable environment TABLE 71 Fabric OS interoperability with M-EOS (Continued) Fabric OS v6.2.0 Fabric OS v6.3.0 Fabric OS v6.4.0 Chassis Type Blade Type McDATA Open Fabric and McDATA Open Fabric and McDATA Open Fabric and Fabric mode Fabric mode Fabric mode Brocade VA-40FC...
  • Page 372: Table 72 Supported Fabric Os Features

    Supported features in an interoperable environment TABLE 72 Supported Fabric OS features Fabric OS Features Fabric OS v6.2.0 Fabric OS v6.3.0 and v6.4.0 Interop mode 2 Interop mode 3 Interop mode 2 Interop mode 3 Dynamic Load Sharing (DLS); port based routing Dynamic Path Selection (DPS);...
  • Page 373 Supported features in an interoperable environment TABLE 72 Supported Fabric OS features (Continued) Fabric OS Features Fabric OS v6.2.0 Fabric OS v6.3.0 and v6.4.0 Interop mode 2 Interop mode 3 Interop mode 2 Interop mode 3 Layer 2 Fabric Binding Layer 2 Fabric OS Coordinated Hot Code Load (HCL)
  • Page 374: Unsupported Features In An Interoperable Environment

    Unsupported features in an interoperable environment Unsupported features in an interoperable environment The following optional features are not supported in McDATA Fabric and McDATA Open Fabric modes and cannot be installed on any Fabric OS switch in the fabric: • Administrative Domains •...
  • Page 375: Managing Administrative Domains

    Chapter Managing Administrative Domains In this chapter • Administrative Domains overview ....... . 335 •...
  • Page 376: Figure 51 Fabric With Two Admin Domains

    Administrative Domains overview FIGURE 51 Fabric with two Admin Domains Figure 52 shows how users get a filtered view of this fabric, depending on which Admin Domain they are in. As shown in Figure 52, users can see all switches and E_Ports in the fabric, regardless of their Admin Domain;...
  • Page 377: Admin Domain Features

    Administrative Domains overview Admin Domain features Admin Domains allow you to: • Define the scope of an Admin Domain to encompass ports and devices within a switch or a fabric. • Share resources across multiple Admin Domains. For example, you can share array ports and tape drives between multiple departments.
  • Page 378: Admin Domain Access Levels

    Administrative Domains overview Admin Domain access levels Admin Domains offer a hierarchy of administrative access. To manage Admin Domains, you must be a physical fabric administrator. A physical fabric administrator is a user with the admin role and access to all Admin Domains (AD0 through AD255). Only a physical fabric administrator can perform Admin Domain configuration and management.
  • Page 379 Administrative Domains overview Initially, the AD0 implicit membership list contains all devices, switch ports, and switches in the fabric. When you explicitly create AD1 through AD254, the devices, switch ports, and switches used to create these user-defined Admin Domains disappear from the AD0 implicit membership list.
  • Page 380: Admin Domains And Login

    Administrative Domains overview FIGURE 53 Fabric with AD0 and AD255 Admin Domains and login You are always logged in to an Admin Domain, and you can view and modify only the devices in that Admin Domain. If you have access to more than one Admin Domain, one of them is designated as your home Admin Domain, the one you are automatically logged in to.
  • Page 381: Admin Domain Member Types

    Administrative Domains overview Admin Domain member types You define an Admin Domain by identifying members of that domain. Admin Domain members can be devices, switch ports, or switches. Defining these member types is similar to defining a traditional zone member type. An Admin Domain does not require or have a new domain ID or management IP address linked to it.
  • Page 382: Admin Domains And Switch Wwn

    Administrative Domains overview Switch members Switch members are defined by the switch WWN or domain ID, and have the following properties: • A switch member grants administrative control to the switch. • A switch member grants port control for all ports in that switch. •...
  • Page 383: Figure 54 Fabric Showing Switch And Device Wwns

    Administrative Domains overview FIGURE 54 Fabric showing switch and device WWNs Figure 55 shows the filtered view of the fabric as seen from AD3 and AD4. The switch WWNs are converted to the NAA=5 syntax; the device WWNs and domain IDs remain the same. Fabric Visible to AD3 User WWN = 10:00:00:00:c2:37:2b:a3 WWN = 10:00:00:00:c7:2b:fd:a3...
  • Page 384: Admin Domain Compatibility, Availability, And Merging

    Admin Domain management for physical fabric administrators Admin Domain compatibility, availability, and merging Admin Domains maintain continuity of service for Fabric OS features and operate in mixed-release Fabric OS environments. High availability is supported with some backward compatibility. When an E_Port comes online, the adjacent switches merge their AD databases. The receiving switch accepts an AD database from the neighboring switch only if the local AD database is empty or if the new AD database exactly matches both the defined and effective configurations of the local AD database.
  • Page 385: Creating An Admin Domain

    Admin Domain management for physical fabric administrators 1. Log in to the switch with the appropriate RBAC role. 2. Ensure you are in the AD0 context by entering the ad show command to determine the current Admin Domain. If necessary, switch to the AD0 context by entering the ad select 0 command.
  • Page 386: User Assignments To Admin Domains

    Admin Domain management for physical fabric administrators 5. Enter the ad create command using the -d option to specify device and switch port members and the -s option to specify switch members: ad --create ad_id -d "dev_list" -s "switch_list" 6. Enter the appropriate command based on whether you want to save or activate the Admin Domain definition: •...
  • Page 387 Admin Domain management for physical fabric administrators Creating a new user account for managing Admin Domains 1. Connect to the switch and log in as admin. 2. Enter the userConfig add command using the -r option to set the role, the -a option to provide access to Admin Domains, and the -h option to specify the home Admin Domain.
  • Page 388: Removing An Admin Domain From A User Account

    Admin Domain management for physical fabric administrators Removing an Admin Domain from a user account When you remove an Admin Domain from an account, all of the currently active sessions for that account are logged out. 1. Connect to the switch and log in using an account assigned to the admin role. 2.
  • Page 389: Deactivating An Admin Domain

    Admin Domain management for physical fabric administrators Deactivating an Admin Domain If you deactivate an Admin Domain, the members assigned to the Admin Domain can no longer access their hosts or storage unless those members are part of another Admin Domain. You cannot log in to an Admin Domain that has been deactivated.
  • Page 390: Removing Members From An Admin Domain

    Admin Domain management for physical fabric administrators 4. Enter the appropriate command based on whether you want to save or activate the Admin Domain definition: • To save the Admin Domain definition, enter ad save. • To save the Admin Domain definition and directly apply the definition to the fabric, enter ad apply.
  • Page 391: Deleting An Admin Domain

    Admin Domain management for physical fabric administrators 3. Enter the ad rename command with the present name and the new name. ad --rename present_name new_name 4. Enter the appropriate command based on whether you want to save or activate the Admin Domain definition: •...
  • Page 392: Deleting All User-Defined Admin Domains

    Admin Domain management for physical fabric administrators Deleting all user-defined Admin Domains When you clear the Admin Domain configuration, all user-defined Admin Domains are deleted, the explicit membership list of AD0 is cleared, and all fabric resources (switches, ports, and devices) are returned to the implicit membership list of AD0.
  • Page 393 Admin Domain management for physical fabric administrators where: source_AD Name of the user-defined AD from which you are copying the zone. source_name Name of the zone to be copied. dest_name Name to give the zone after it is copied to AD0. 4.
  • Page 394: Figure 56 Ad0 And Two User-Defined Admin Domains, Ad1 And Ad2

    Admin Domain management for physical fabric administrators FIGURE 56 AD0 and two user-defined Admin Domains, AD1 and AD2 FIGURE 57 AD0 with three zones sw0:admin> ad --exec 255 "cfgshow" Zone CFG Info for AD_ID: 0 (AD Name: AD0, State: Active) : Defined configuration: cfg: AD0_cfg AD0_RedZone...
  • Page 395 Admin Domain management for physical fabric administrators Effective configuration: cfg: AD1_cfg zone: AD1_BlueZone 10:00:00:00:02:00:00:00 10:00:00:00:03:00:00:00 Zone CFG Info for AD_ID: 2 (AD Name: AD2, State: Active) : Defined configuration: cfg: AD2_cfg AD2_GreenZone zone: AD2_GreenZone 10:00:00:00:04:00:00:00; 10:00:00:00:05:00:00:00 Effective configuration: cfg: AD2_cfg zone: AD2_GreenZone 10:00:00:00:04:00:00:00...
  • Page 396: Validating An Admin Domain Member List

    SAN management with Admin Domains Validating an Admin Domain member list You can validate the device and switch member list. You can list non-existing or offline Admin Domain members. You can also identify misconfigurations of the Admin Domain. The Admin Domain validation process is not applicable for AD0, because AD0 implicitly contains all unassigned online switches and their devices.
  • Page 397: Cli Commands In An Ad Context

    SAN management with Admin Domains Each Admin Domain can also have its own zone configurations (defined and effective) with zones and aliases under them. CLI commands in an AD context The CLI command input arguments are validated against the AD member list; they do not work with input arguments that specify resources that are not members of the current Admin Domain.
  • Page 398: Displaying An Admin Domain Configuration

    SAN management with Admin Domains Displaying an Admin Domain configuration You can display the membership information and zone database information of a specified Admin Domain. Note the following differences in the information displayed based on the Admin Domain: • AD255: if you do not specify the AD_name or number, all information about all existing Admin Domains is displayed.
  • Page 399: Admin Domain Interactions With Other Fabric Os Features

    SAN management with Admin Domains 1. Connect to the switch and log in as any user type. 2. Enter the ad select command and the Admin Domain you want to switch to. 3. Leave the new Admin Domain context by exiting from the shell. logout You cannot switch to another Admin Domain context from within the shell created by ad select.
  • Page 400: Admin Domains, Zones, And Zone Databases

    SAN management with Admin Domains TABLE 75 Admin Domain interaction with Fabric OS features (Continued) Fabric OS feature Admin Domain interaction FC-FC Routing Service You can create LSAN zones as a physical fabric administrator or as an individual AD administrator. The LSAN zone can be part of the root zone database or the AD zone database.
  • Page 401 SAN management with Admin Domains Zoning operations ignore any resources not in the Admin Domain, even if they are specified in the zone. The behavior functions similarly to specifying offline devices in a zone. All zones from each AD zone configuration are enforced. The enforcement policy encompasses zones in the effective zone configuration of the root zone database and the effective zone configurations of each AD.
  • Page 402: Admin Domains And Lsan Zones

    SAN management with Admin Domains Admin Domains and LSAN zones LSANs under each Admin Domain are collated into a single name space and sent out to FCR phantom domains using the following format: <original_LSAN_name>_AD<AD_num> For example, a zone with name lsan_for_linux_farm in AD5 is internally converted to lsan_for_linux_farm_AD005.
  • Page 403: Licensed Features

    Section Licensed Features This section describes optionally licensed Brocade Fabric OS features and includes the following chapters: • Chapter 16, “Administering Licensing” • Chapter 17, “Monitoring Fabric Performance” • Chapter 18, “Optimizing Fabric Behavior” • Chapter 19, “Managing Trunking Connections” •...
  • Page 405: In This Chapter

    Chapter Administering Licensing In this chapter • Licensing overview..........365 •...
  • Page 406: Table 77 Available Brocade Licenses

    Licensing overview TABLE 77 Available Brocade licenses License Description 10GbE License This license enables the two 10GbE ports on the FX8-24. With this license, two additional operating modes (in addition to 10 1GbE ports mode) can be selected: • 10 1GbE ports and 1 10GbE port, or •...
  • Page 407 Licensing overview TABLE 77 Available Brocade licenses (Continued) License Description Brocade Fabric Watch Monitors mission-critical switch operations. Fabric Watch includes Port Fencing capabilities. Brocade ISL Trunking Provides the ability to aggregate multiple physical links into one logical link for enhanced network performance and fault tolerance. Also includes Access Gateway ISL Trunking on those products that support Access Gateway deployment.
  • Page 408 Licensing overview TABLE 77 Available Brocade licenses (Continued) License Description Integrated Routing Allows any ports in a Brocade 5100, 5300, and VA-40FC switches, the Brocade Encryption Switch, or the Brocade DCX and DCX-4S platforms to be configured as an EX_Port supporting Fibre Channel Routing. This eliminates the need to add an FR4-18i blade or use the 7500 for FCR purposes, and also provides double the bandwidth for each FCR connection when connected to another 8 Gbps-capable port.
  • Page 409 Licensing overview TABLE 78 License requirements (Continued) Feature License Where license should be installed Fibre Channel Routing Local and attached switches. FICON No license required. FICON-CUP FICON Management Server Local switch. FICON Tape Read and FICON Tape Local and attached switches. Write Emulation over an High-Performance Extension over FCIP/FC FCIP Tunnel...
  • Page 410: Table 78 License Requirements

    Licensing overview TABLE 78 License requirements (Continued) Feature License Where license should be installed Ports Ports on demand licenses. This license applies Local switch. to a select set of switches. Upgrade license for the 7500E and 7800 switches to use all ports. 10 Gigabit Ethernet license to use 10GbE ports on FX8-24 blade.
  • Page 411: The Brocade 7800 Upgrade License

    The Brocade 7800 Upgrade license The Brocade 7800 Upgrade license The Brocade 7800 has four Fibre Channel (FC) ports and two GbE ports active by default. The number of physical ports active on the Brocade 7800 is fixed. There is one upgrade license to activate the rest of the FC and GbE ports for a total of 16 FC ports and six GbE ports.
  • Page 412: 8G Licensing

    8G licensing 8G licensing ATTENTION This license is installed by default and you should not remove it. The 8 Gbps licensing applies to the Brocade 300, 5100, 5300, and VA-40FC switches and the 8 Gbps embedded switches. The Brocade 48000 does not need the 8G license to use any of the FC8- type blades.
  • Page 413: Upgrade/Downgrade Considerations

    Time-based licenses Upgrade/downgrade considerations When a Slot-based license is present on the switch, firmware downgrade to pre-Fabric OS v6.3.0 is allowed, but the Slot-based features that were licensed will not be functional. Adding a license to a slot 1. Connect to the switch and log in using an account assigned to the admin role. 2.
  • Page 414: Configupload And Download Considerations

    Universal Time-based licenses Configupload and download considerations The configDownload and configUpload commands download the legacy, enhanced, consumed capacities, and time-based licenses. Expired licenses Once a Time-based license has expired, you can view it through the licenseShow command. Expired licenses have an output string of ‘License has expired’. RASlog warning messages are generated every hour for licenses present in the database which have expired or which are going to expire in the next five days.
  • Page 415: Extending A License

    Viewing installed licenses Extending a license Extending a Universal Time-based license is done by adding a temporary license with expiry date after the Universal Time-based license expiry date, or by adding a permanent license. Re-applying an existing Universal Time-based license is not allowed. Deleting a license Universal Time-based licenses are always retained in the license database, and cannot be explicitly deleted.
  • Page 416: Adding A Licensed Feature

    Adding a licensed feature An information screen displays the license keys and you will receive an e-mail with the software license keys and installation instructions. Adding a licensed feature To enable a feature, go to the feature’s appropriate section in this manual. Enabling a feature on a switch may be a separate task from adding the license.
  • Page 417: Removing A Licensed Feature

    Removing a licensed feature Removing a licensed feature 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the licenseShow command to display the active licenses. 3. Remove the license key using the licenseRemove command. The license key is case-sensitive and must be entered exactly as given.
  • Page 418: Table 80 List Of Available Ports When Implementing Pods

    Ports on Demand ATTENTION Licenses are not interchangeable between units. For example, if you bought a POD license for a Brocade 300, you cannot use that license on a Brocade 5100 or VA-40FC. The licenses are based on the switch’s WWN and are not interchangeable. Table 80 shows the ports that are enabled by default and the ports that can be enabled after you install the first and second Ports on Demand licenses for each switch type.
  • Page 419: Activating Ports On Demand

    Ports on Demand Activating Ports on Demand 1. Connect to the switch and log in using an account assigned to the admin role. 2. Verify the current states of the ports, using the portShow command. In the portShow output, the Licensed field indicates whether the port is licensed. 3.
  • Page 420: Enabling Dynamic Ports On Demand

    Ports on Demand 12 ports are assigned to the full POD license Ports assigned to the base switch license: 1, 2, 3, 4, 5, 6, 7, 8, 17, 18, 19, 20 Ports assigned to the full POD license: 0, 9, 10, 11, 12, 13, 14, 15, 16, 21, 22, 23 Enabling Dynamic Ports on Demand If the switch is in the Static POD mode, then activating the Dynamic POD will erase any prior port license assignments the next time the switch is rebooted.
  • Page 421: Reserving A Port License

    Ports on Demand 1. Connect to the switch and log in using an account assigned to the admin role. Enter the licensePort method command with the static option to change the license assignment method to static. switch:admin> licenseport --method static The POD method has been changed to static.
  • Page 422: Releasing A Port From A Pod Set

    Ports on Demand 3. Take the following appropriate action based on whether port reservations are available: • If a port reservation is available, then issue the licensePort reserve command to reserve a license for the port. switch:admin> licenseport --reserve 0 •...
  • Page 423: In This Chapter

    Chapter Monitoring Fabric Performance In this chapter • Advanced Performance Monitoring overview ..... . . 383 • End-to-end performance monitoring ......385 •...
  • Page 424: Virtual Fabrics Considerations For Advanced Performance Monitoring

    Advanced Performance Monitoring overview • ISL monitors measure the traffic transmitted through an InterSwitch Link (ISL) to different destination domains. • Top Talkers monitors measure the flows that are major consumers of bandwidth on a switch or port. The type of monitors supported depends on the switch model, as shown in Table TABLE 81 Types of monitors supported on Brocade switch models...
  • Page 425: End-To-End Performance Monitoring

    End-to-end performance monitoring • Top Talker (fabric mode): If fabric mode Top Talkers is enabled on the logical switch, a fabric mode Top Talker monitor is automatically installed on the port after it is moved to the logical switch. • Top Talker (port mode): Any port mode Top Talker monitors on the port are deleted.
  • Page 426: Adding End-To-End Monitors

    End-to-end performance monitoring The monitor count is qualified using either of the following conditions: • For frames received at the port with the end-to-end monitor installed, the frame SID is the same as “SourceID” and the frame DID is the same as “DestID”. The RX_COUNT is updated accordingly.
  • Page 427: Setting A Mask For An End-To-End Monitor

    End-to-end performance monitoring Monitor 1 counts the frames that have an SID of 0x111eef and a DID of 0x051200. For monitor 1, RX_COUNT is the number of words from Dev B to Host A, and TX_COUNT is the number of words from Host A to Dev B.
  • Page 428: Deleting End-To-End Monitors

    End-to-end performance monitoring Figure 60 shows the mask positions in the command. A mask (“ff”) is set on slot 1, port 2 to compare the AL_PA fields on the SID and DID in all frames (transmitted and received) on port 2. The frame SID and DID must match only the AL_PA portion of the specified SID-DID pair.
  • Page 429: Frame Monitoring

    Frame monitoring Frame monitoring Frame monitoring counts the number of times a frame with a particular pattern is transmitted by a port and generates alerts when thresholds are crossed. Frame monitoring is achieved by defining a filter, or frame type, for a particular purpose. The frame type can be a standard type (for example, a SCSI read command filter that counts the number of SCSI read commands that have been transmitted by the port) or a user-defined frame type customized for your particular use.
  • Page 430: Creating Frame Types To Be Monitored

    Frame monitoring For the perfMonitorShow and perfMonitorClear commands, the management of filter monitors is provided through the fmConfig interface. While the legacy commands are still operational in the Fabric OS v6.4.0 release, their use is incompatible with the new fmConfig command. Once you use the fmConfig interface to configure and manage filter-based monitors, you can no longer use the old commands.
  • Page 431: Deleting Frame Types

    Frame monitoring Deleting frame types Deleting a frame type removes the entire configuration, including configured thresholds and associated actions. It also removes any frame monitors of the specified type from all ports. You can delete only user-defined frame types; you cannot delete the pre-defined frame types. 1.
  • Page 432: Displaying Frame Monitors

    Frame monitoring 1. Connect to the switch and log in as admin. 2. Enter the fmConfig save command to save the set of ports on which the frame type is monitored to the persistent configuration. Example In this example, the first command adds a standard SCSI frame type monitor to ports 3 through 12, but does not save the port configuration.
  • Page 433: Isl Performance Monitoring

    ISL performance monitoring Example This example clears the counters for the ABTS monitor from ports 7 through 10. switch:admin> fmconfig --clear ABTS -port 7-10 ISL performance monitoring ISL monitoring is set up on E_Ports automatically. An ISL monitor measures traffic to all reachable destination domains for an ISL, showing which destination domain is consuming the most traffic.
  • Page 434: Adding A Top Talker Monitor On An F_Port

    Top Talker monitors The Top Talker monitor is based on SID/DID and not WWNs. Once Top Talker is installed on a switch or port, it remains installed across power cycles. Top Talkers supports two modes, port mode and fabric mode: •...
  • Page 435: Displaying The Top N Bandwidth-Using Flows On An F_Port

    Top Talker monitors 1. Connect to the switch and log in as admin. 2. Remove any end-to-end monitors in the fabric, as described in “Deleting end-to-end monitors” on page 388. Fabric Mode Top Talker monitors and end-to-end monitors cannot both exist in the fabric.
  • Page 436: Displaying Top Talking Flows For A Given Domain Id (Fabric Mode)

    Top Talker monitors Displaying top talking flows for a given domain ID (fabric mode) 1. Connect to the switch and log in as admin. 2. Enter the perfTTmon show dom command. perfttmon --show dom domainid [n] [wwn | pid] Fabric mode must be enabled for this option. The output is sorted based on the data rate of each flow.
  • Page 437: Limitations Of Top Talker Monitors

    Trunk monitoring Limitations of Top Talker monitors Be aware of the following when using Top Talker monitors: • Top Talker monitors cannot detect transient surges in traffic through a given flow. • You cannot install a Top Talker monitor on a mirrored port. •...
  • Page 438: Clearing End-To-End And Isl Monitor Counters

    Clearing end-to-end and ISL monitor counters 4.9m 4.9m 4.9m 4.9m 4.4m 4.4m 4.4m 4.4m 4.8m 4.8m 4.8m 4.8m 4.6m 4.6m 4.6m 4.6m 5.0m 5.0m 5.0m 5.0m 4.5m 4.5m 4.5m 4.5m Example of displaying EE monitors on a port switch:admin> perfMonitorShow --class EE 4/5 There are 7 end-to-end monitor(s) defined on port 53.
  • Page 439: Saving And Restoring Monitor Configurations

    Saving and restoring monitor configurations Saving and restoring monitor configurations To prevent the switch configuration flash from running out of memory, the number of monitors saved to flash memory is limited as follows: • The total number of EE monitors per port is limited to 16. •...
  • Page 440 Performance data collection Fabric OS Administrator’s Guide 53-1001763-01...
  • Page 441: In This Chapter

    Chapter Optimizing Fabric Behavior In this chapter • Adaptive Networking overview ........401 •...
  • Page 442: Ingress Rate Limiting

    Ingress Rate Limiting • Traffic Isolation Zoning Traffic Isolation Zoning (TI zoning) allows you to control the flow of interswitch traffic by creating a dedicated path for traffic flowing from a specific set of source ports (F_Ports). Traffic Isolation Zoning does not require a license. See “Traffic Isolation Zoning”...
  • Page 443: Limiting Traffic From A Particular Device

    QoS: SID/DID traffic prioritization • Ingress rate limiting is available only on the following platforms: Brocade 300, 5100, 5300, 5410, 5424, 5450, 5460, 5470, 5480, 7800, 8000, VA-40FC, Brocade Encryption Switch, Brocade DCX, or DCX-4S. • QoS traffic prioritization takes precedence over ingress rate limiting. •...
  • Page 444: License Requirements For Traffic Prioritization

    QoS: SID/DID traffic prioritization NOTE If there is a single low priority flow to a destination ID (DID) and several medium priority flows to that same DID, then it is possible that the medium priority flows would have less bandwidth because they have to share the medium priority VCs, whereas the low priority flow would have a separate VC.
  • Page 445 QoS: SID/DID traffic prioritization 3. Identify E_Ports on which QoS should be manually disabled. In the islshow output, these ports have all of the following characteristics: • 8 Gbps ports • Trunking is enabled • QoS is disabled 4. Check whether QoS is enabled on each port identified in step 3 using the following command: portcfgshow...
  • Page 446: Qos Zones

    QoS zones RSCN Suppressed Persistent Disable ON LOS TOV enable NPIV capability NPIV PP Limit 126 126 126 126 126 126 126 126 126 126 126 126 126 126 126 126 QOS E_Port EX Port Mirror Port Rate Limit Credit Recovery Fport Buffers Port Auto Disable CSCTL mode...
  • Page 447: Qos On E_Ports

    QoS zones For example, Figure 61 shows a fabric with two hosts (H1, H2) and three targets (S1, S2, S3). The traffic prioritization is as follows: • Traffic between H1 and S1 is high priority. • Traffic between H1 and S3 and between H2 and S3 is low priority. •...
  • Page 448: Qos Over Fc Routers

    QoS zones Domain 1 Domain 3 = Low priority = Medium priority = High priority = E_Ports with QoS enabled Domain 2 Domain 4 FIGURE 62 QoS with E_Ports enabled You need to enable QoS on the E_Ports on both ISLs between Domain 3 and Domain 4 because either path might be selected to carry the traffic.
  • Page 449: Virtual Fabric Considerations For Traffic Prioritization

    QoS zones • QoS over FC routers is supported only in an edge-to-edge fabric configuration; it is not supported in a backbone-to-edge fabric configuration. You cannot prioritize the flow between a device in an edge fabric and a device in the backbone fabric. •...
  • Page 450: High Availability Considerations For Traffic Prioritization

    QoS zones High availability considerations for traffic prioritization If the standby CP is running a Fabric OS version earlier than 6.3.0 and is synchronized with the active CP, then QoS zones using D,I notation cannot be created. If the standby CP is not synchronized or if no standby CP exists, then the QoS zone creation succeeds.
  • Page 451 QoS zones QoS is disabled by default on 4 Gbps ports and long-distance 8 Gbps ports. In some firmware versions earlier than Fabric OS 6.3.0, QoS is enabled by default on these ports. When you upgrade to Fabric OS 6.3.0, the QoS configuration settings remain the same for all ports (that is, if a port was enabled for QoS before the upgrade, it remains enabled for QoS after the upgrade).
  • Page 452 QoS zones Example In this example, the islshow output displays ports involved in four ISLs: • Ports 2 and 8 QoS is enabled on these ISLs. Check the portcfgshow output to determine whether QoS is disabled on these ports. • Port 19 QoS is enabled on this ISL.
  • Page 453: Limitations And Restrictions For Traffic Prioritization

    QoS zones Trunk Port Long Distance VC Link Init Locked L_Port Locked G_Port Disabled E_Port Locked E_Port ISL R_RDY Mode RSCN Suppressed Persistent Disable ON LOS TOV enable NPIV capability NPIV PP Limit 126 126 126 126 126 126 126 126 126 126 126 126 126 126 126 126 QOS E_Port...
  • Page 454: Setting Traffic Prioritization

    Setting traffic prioritization • If QoS is enabled, an additional 16 buffer credits are allocated per port for 8-Gbps ports in LE mode. See Chapter 20, “Managing Long Distance Fabrics,” for information about buffer credit allocation in extended fabrics. • Trunking considerations: If some ports in a trunk group have QoS enabled and some ports have QoS disabled, then two different trunks are formed, one with QoS enabled and one with QoS disabled.
  • Page 455: Setting Traffic Prioritization Over Fc Routers

    Setting traffic prioritization over FC routers Example
    sw0:admin> zonecreate "QOSH1_zone", "10:00:00:00:10:00:00:00; 10:00:00:00:20:00:00:00"
    sw0:admin> zonecreate "QOSL2_zone", "10:00:00:00:30:00:00:00; 10:00:00:00:40:00:00:00"
    sw0:admin> zoneshow
    sw0:admin> cfgadd "cfg1", "QOSH1_zone"
    sw0:admin> cfgadd "cfg1", "QOSL2_zone"
    sw0:admin> cfgshow
    Defined configuration:
    cfg: cfg1 zone1; QOSH1_zone; QOSL2_zone
    zone: QOSH1_zone 10:00:00:00:10:00:00:00; 10:00:00:00:20:00:00:00
    zone: QOSL2_zone 10:00:00:00:30:00:00:00;...
  • Page 456: Disabling Qos

    Disabling QoS Disabling QoS 1. Connect to the switch and log in as admin. 2. Enter the cfgRemove command to remove the QoS zones from the current zone configuration. 3. Enter the portCfgQos command to disable QoS on the E_Ports. Bottleneck detection Bottleneck detection does not require a license.
  • Page 457: Supported Configurations For Bottleneck Detection

    Bottleneck detection NOTE Bottleneck detection is disabled by default. Best practice is to enable bottleneck detection on all switches in the fabric, and leave it on to continuously gather statistics. Supported configurations for bottleneck detection Note the following configuration rules for bottleneck detection: •...
  • Page 458: Trunking Considerations For Bottleneck Detection

    Bottleneck detection Upgrade and downgrade considerations for bottleneck detection The bottleneck detection configuration is persistent across firmware upgrades and downgrades. If you downgrade to Fabric OS 6.3.x, bottleneck detection is supported; however, the bottleneck configuration is not applied. You must re-apply the bottleneck configuration after the downgrade. Additionally, you must use the 6.3.x version of the bottleneck detection commands.
  • Page 459: Enabling Bottleneck Detection On A Switch

    Enabling bottleneck detection on a switch Enabling bottleneck detection on a switch Bottleneck detection is enabled on a switch basis. It is recommended that you enable bottleneck detection on every switch in the fabric. If you add additional switches, including logical switches, to the fabric, be sure to enable bottleneck detection on those switches as well.
  • Page 460: Displaying Bottleneck Detection Configuration Details

    Displaying bottleneck detection configuration details 1. Connect to the switch to which the target port belongs and log in as admin. 2. Enter the bottleneckmon exclude command to exclude the port from bottleneck detection. To later include the port, enter the bottleneckmon include command.
  • Page 461 Changing bottleneck alert parameters The alert parameters include whether alerts are sent and the threshold, time, and quiet time options. For a trunk, you can change the alert parameters on the master port only. 1. Connect to the switch and log in as admin. 2.
  • Page 462: Displaying Bottleneck Statistics

    Displaying bottleneck statistics
    Switch-wide alerting parameters:
    ============================
    Alerts - Yes
    Latency threshold for alert - 0.970
    Congestion threshold for alert - 0.800
    Averaging time for alert - 5000 seconds
    Quiet time for alert - 300 seconds
    Per-port overrides for alert parameters:
    ========================================
    Slot Port...
  • Page 463: Disabling Bottleneck Detection On A Switch

    Disabling bottleneck detection on a switch Jan 13 18:54:20 Jan 13 18:54:25 Jan 13 18:54:25 Jan 13 18:54:30 Jan 13 18:54:30 Jan 13 18:54:35 Disabling bottleneck detection on a switch When you disable bottleneck detection on a switch, all bottleneck configuration details are discarded, including the list of excluded ports and non-default values of alerting parameters.
  • Page 465: In This Chapter

    Chapter Managing Trunking Connections In this chapter • Trunking overview ..........425 •...
  • Page 466: Criteria For Managing Trunking Connections

    Trunking overview Re-initializing ports for trunking is required after you install the license so that the ports know that trunking is enabled. You can enable or disable trunking for a single port or for an entire switch. For trunking to work, individual ports or the entire switch must be set at the same speed and at the same mode, for example, 2 Gbps, 4 Gbps, 8 Gbps, or autonegotiate.
  • Page 467: Supported Hardware

    Supported hardware Supported hardware Trunking is supported on the FC ports of all Brocade platforms and blades supported in Fabric OS v6.4.0. Recommendations for trunking groups To identify the most useful trunking groups, consider the following recommendations along with the standard guidelines for SAN design: •...
  • Page 468: Basic Trunk Group Configuration

    Basic trunk group configuration Basic trunk group configuration Re-initializing ports for trunking is required after you install the ISL Trunking license. You must re-initialize the ports being used for ISLs so that they recognize that trunking is enabled. This procedure needs to be performed only one time. To re-initialize the ports, you can either disable and then re-enable the switch, or disable and then re-enable the affected ports.
  • Page 469: Displaying Trunking Information

    Basic trunk group configuration Displaying trunking information 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the trunkShow command. This example shows trunking groups 1, 2, and 3; ports 4, 13, and 14 are masters. switch:admin>...
  • Page 470: Trunking Over Long Distance Fabrics

    Trunking over long distance fabrics 4: 12->892 10:00:00:05:1e:46:42:01 3 deskew 15 MASTER 13->893 10:00:00:05:1e:46:42:01 3 deskew 15 Tx: Bandwidth 16.00Gbps, Throughput 1.67Gbps (12.12%) Rx: Bandwidth 16.00Gbps, Throughput 1.66Gbps (12.11%) Tx+Rx: Bandwidth 32.00Gbps, Throughput 3.33Gbps (12.11%) Trunking over long distance fabrics In long-distance fabrics, if a port speed is set to autonegotiate, then the maximum speed, which is 8 Gbps, is assumed for reserving buffers for the port.
  • Page 471: F_Port Trunking

    F_Port trunking TABLE 87 Trunking over distance for the Brocade 48000, DCX Backbone, and the DCX-4S Long distance mode Distance Number of 2 Gbps ports Number of 4 Gbps ports 10 km 48 (six 8-port trunks) 48 (six 8-port trunks) Normal See note below 48 (six 8-port trunks)
  • Page 472: Enabling F_Port Trunking

    F_Port trunking • The edge switch F_Port trunk ports are connected within the ASIC-supported trunk group on the AG switch. • Both switches are running the same Fabric OS versions. • Trunking is enabled on all ports to be included in a Trunk Area (TA) before you attempt to create a Trunk Area •...
  • Page 473: F_Port Trunking Considerations For Virtual Fabrics

    F_Port masterless trunking The DCX-4S supports trunk groups with up to eight ports. The trunking groups are based on the user port number with contiguous eight ports as one group, for example 0-7, 8-15, and 16-23. F_Port trunking considerations for Virtual Fabrics Following are the F_Port trunking considerations for virtual fabrics: •...
  • Page 474: Figure 66 Switch In Access Gateway Mode Without F_Port Trunking

    F_Port masterless trunking TABLE 88 PWWN format for F_Port and N_Port trunk ports NAA = 2 2f:xx:nn:nn:nn:nn:nn:nn Port WWNs for: The valid range of xx is [0 - FF], for maximum of 256. switch’s Fx_Ports. NAA = 2 25:xx:nn:nn:nn:nn:nn:nn Port WWNs for: The valid range of xx is [0 - FF], switch's FX_Ports for maximum of 256.
  • Page 475: F_Port Masterless Trunking Considerations

    F_Port masterless trunking NOTE You do not need to manually map the host to the master port because Access Gateway will perform a cold failover to the master port. To implement F_Port masterless trunking, you must first configure an F_Port trunk group and statically assign an Area_ID within the trunk group.
  • Page 476 F_Port masterless trunking TABLE 89 F_Port masterless trunking considerations (Continued) Category Description D.I. Zoning Creating a Trunk Area may remove the Index ("I") from the switch to be grouped to (D,I) AD the Trunk Area. All ports in a Trunk Area share the same "I". This means that domain,index (D,I), which refer to an "I"...
  • Page 477: Assigning A Trunk Area

    F_Port masterless trunking TABLE 89 F_Port masterless trunking considerations (Continued) Category Description Management Server Registered Node ID (RNID), Link Incident Record Registration (LIRR), and Query Security Attribute (QSA) ELSs are not supported on F_Port trunks. NPIV Supported on F_Port master trunk. PID format F_Port masterless trunking is only supported in the CORE PID format.
  • Page 478: Table 90 Address Identifier

    F_Port masterless trunking Example: How Trunk Area assignment affects the port Domain,Index If you have AD1: 3,7; 3,8; 4,13; 4,14 and AD2: 3,9; 3,10, and then create a TA with Index 8 with ports that have index 7, 8, 9, and 10, then index 7, 9, and 10 are no longer with domain 3. This means that AD2 does not have access to any ports because index 9 and 10 no longer exist on domain 3.
  • Page 479: Enabling The Dcc Policy On A Trunk Area

    F_Port masterless trunking Rx: Bandwidth 16.00Gbps, Throughput 1.62Gbps (11.76%) Tx+Rx: Bandwidth 32.00Gbps, Throughput 3.24Gbps (11.80%) 38->1 8.000G bw: 8.000G deskew 15 Tx: Bandwidth 16.00Gbps, Throughput 1.63Gbps (11.84%) Rx: Bandwidth 16.00Gbps, Throughput 1.62Gbps (11.76%) Tx+Rx: Bandwidth 32.00Gbps, Throughput 3.24Gbps (11.80%) 37->1 8.000G bw: 8.000G deskew 15 Tx: Bandwidth 16.00Gbps, Throughput 1.63Gbps (11.84%)
  • Page 481: Managing Long Distance Fabrics

    Chapter Managing Long Distance Fabrics In this chapter • Long distance fabrics overview ........441 •...
  • Page 482: Extended Fabrics Device Limitations

    Extended Fabrics device limitations Extended Fabrics device limitations Extended Fabrics is normally not implemented on the following devices: • 7600 and the FA4-18 blade - The 7600 and the FA4-18 blade have two Gigabit Ethernet ports and 16 FC ports. The two Gigabit Ethernet ports are for use by storage applications, and generally the FC ports on these devices are used to connect devices used by the storage applications.
  • Page 483: Configuring An Extended Isl

    Configuring an extended ISL Configuring an extended ISL Before configuring an extended ISL, ensure that the following conditions are met: • The ports on both ends of the ISL are operating at the same port speed, and can be configured at the same distance level without compromising local switch performance.
  • Page 484: Enabling Long Distance When Connecting To Tdm Devices

    Configuring an extended ISL Authentication: None portDisableReason: None portCFlags: 0x1 portFlags: 0x1 PRESENT U_PORT portType: 17.0 portState: 2 Offline Protocol: FC portPhys: No_Module portScn: port generation number: portId: 010200 portIfId: 4312003b portWwn: 20:02:00:05:1e:94:0f:00 portWwn of device(s) connected: Distance: static (desired = 100 Km) portSpeed: N8Gbps LE domain: 0 FC Fastwrite: OFF...
  • Page 485: Buffer Credit Management

    Buffer credit management Buffer credit management Buffer-to-buffer credit management affects performance over distances; therefore, allocating a sufficient number of buffer credits for long-distance traffic is essential to performance. To prevent a target device (either host or storage) from being overwhelmed with frames, the Fibre Channel architecture provides flow control mechanisms based on a system of credits.
  • Page 486: Optimal Buffer Credit Allocation

    Buffer credit management Optimal buffer credit allocation The optimal number of buffer credits is determined by the distance (frame delivery time), the processing time at the receiving port, link signaling rate, and the size of the frames being transmitted. As the link speed increases, the frame transmission time is reduced and the number of buffer credits must be increased to obtain full link utilization, even in a short-distance environment.
  • Page 487: Fibre Channel Gigabit Values Reference Definition

    Buffer credit management Fibre Channel gigabit values reference definition Before you can calculate the buffer requirement, note the following Fibre Channel gigabit values reference definition: • 1.0625 for 1 Gbps • 2.125 for 2 Gbps • 4.25 for 4 Gbps •...
  • Page 488 Buffer credit management NOTE The portCfgLongDistance command’s desired_distance parameter is the upper limit of the link distance and is used to calculate buffer availability for other ports in the same port group. When the measured distance exceeds the value of desired_distance, this value is used to allocate the buffers. In this case, the port operates in degraded mode instead of being disabled due to insufficient buffers.
  • Page 489: Allocating Buffer Credits Based On Average-Size Frames

    Buffer credit management 24 = the number of user ports in a port group retrieved from Table 92 on page 451. 8 = the number of reserved credits for each user port. 676 = the number of buffer credits available in the port group. If you allocate the entire 484 + 8 (8 for the reserved buffers already allocated to that user port) = 492 buffers to a single port, you can calculate the maximum single port extended distance supported:...
  • Page 490: Allocating Buffer Credits For F_Ports

    Buffer credit management NOTE This formula does not work with LD mode because LD mode checks the distance and limits the estimated distance to the real value of 100 km. LS mode allows for the necessary desired_distance based on the data size entered, regardless of the distance. If buffer credit recovery is enabled, Fabric OS supports a BB_SC_N range of 1 to 15;...
  • Page 491: Buffer Credits For Each Switch Model

    Buffer credit management Buffer credits for each switch model Table 92 shows the total ports in a switch or blade, number of user ports in a port group, and the unreserved buffer credits available per port group. TABLE 92 SPIK Buffer credits Switch/blade model Total FC ports (per switch/blade) User port group size Unreserved buffers (per port group)
  • Page 492: Maximum Configurable Distances For Extended Fabrics

    Buffer credit management Maximum configurable distances for Extended Fabrics Table 93 shows the maximum supported extended distances (in kilometers) that can be configured for one port on a specific switch or blade at different speeds. TABLE 93 Configurable distances for Extended Fabrics Maximum distances (km) that can be configured assuming 2112 Byte Frame Size Switch/blade model 1 Gbps...
  • Page 493: Buffer Credit Recovery

    Buffer credit recovery NOTE QoS requires an additional 14 buffer credits per active port so maximum supported distances may be lower. To get an estimated maximum equally distributed distance for n number of ports at a particular ("X") speed, divide the 1-port maximum distance of the switch at X speed by n. For example, for three ports running at 2 Gbps on a 300 switch, the maximum equally distributed distance is calculated as 486 / 3 = 164 km.
  • Page 495: In This Chapter

    Chapter Using the FC-FC Routing Service In this chapter • FC-FC routing service overview ........455 •...
  • Page 496: Supported Platforms For Fibre Channel Routing

    FC-FC routing service overview Supported platforms for Fibre Channel routing Fibre Channel routing is supported on the following platforms: • Brocade DCX and DCX-4S (FC8-16, FC8-32, FC8-48, FC8-64, FS8-18, FX8-24, or FR4-18i blade) • Brocade 5100 switch • Brocade 5300 switch •...
  • Page 497: Integrated Routing

    Integrated Routing NOTE In configurations with two backbones connected to the same edge fabric, routing is not supported between edge fabrics that are not directly attached to the same backbone. Routing over multiple backbones is a multi-hop topology and is not allowed. Integrated Routing Integrated Routing is a licensed feature that allows 8-Gbps FC ports to be configured as EX_Ports (or VEX_Ports) supporting Fibre Channel routing.
  • Page 498: Figure 68 A Metasan With Inter-Fabric Links

    Fibre Channel routing concepts • Edge fabric An edge fabric is a Fibre Channel fabric with targets and initiators connected through the supported platforms by using an EX_Port or VEX_Port. • Backbone fabric A backbone fabric is an intermediate network that connects one or more edge fabrics. In a SAN, the backbone fabric consists of at least one FC router and possibly a number of Fabric OS-based Fibre Channel switches (see Figure 70...
  • Page 499: Figure 69 A Metasan With Edge-To-Edge And Backbone Fabrics And Lsan Zones

    Fibre Channel routing concepts VE_Port Edge fabric 2 IP cloud Edge fabric 1 Edge fabric 3 E_Port E_Port VEX_Port FC router EX_Port (2) = LSAN Backbone fabric FIGURE 69 A metaSAN with edge-to-edge and backbone fabrics and LSAN zones • Proxy device A proxy device is a virtual device imported into a fabric by a Fibre Channel router, and represents a real device on another fabric.
  • Page 500: Figure 70 Edge Sans Connected Through A Backbone Fabric

    Fibre Channel routing concepts NOTE Backbone fabrics that share connections to the same edge fabrics must have unique backbone fabric IDs. • MetaSAN A metaSAN is the collection of all SANs interconnected with Fibre Channel routers. A simple metaSAN can be constructed using an FC router to connect two or more separate fabrics.
  • Page 501: Proxy Devices

    Fibre Channel routing concepts Proxy devices An FC router achieves inter-fabric device connectivity by creating proxy devices (hosts and targets) in attached fabrics that represent real devices in other fabrics. For example, a host in Fabric 1 can communicate with a target in Fabric 2 as follows: •...
  • Page 502: Phantom Domains

    Fibre Channel routing concepts To do so, at least one translate phantom domain is created in the backbone fabric. This translate phantom domain represents the entire edge fabric. The shared physical devices in the edge have corresponding proxy devices on the translate phantom domain. Each edge fabric has one and only one xlate domain to the backbone fabric.
  • Page 503: Figure 73 Ex_Port Phantom Switch Topology

    Fibre Channel routing concepts Host Target 1 Target 2 Target 3 Fabric 1 Fabric 2 Fabric 3 Fabric 4 FC router 1 FC router 2 FC router 3 FC router 4 FIGURE 72 Sample topology (physical topology) Figure 73 shows a phantom topology for the physical topology shown in Figure 72.
  • Page 504: Setting Up The Fc-Fc Routing Service

    Setting up the FC-FC routing service All EX_Ports or VEX_Ports connected to an edge fabric use the same xlate domain ID number for an imported edge fabric; this value persists across switch reboots and fabric reconfigurations. If you lose connectivity to the edge fabric because of link failures or the IFL being disabled, xlate domains remain visible.
  • Page 505 Setting up the FC-FC routing service 1. Log in to the switch or director as admin and enter the version command. Verify that Fabric OS v6.4.0 is installed on the FC router as shown in the following example. switch:admin> version Kernel: 2.6.14.2 Fabric OS:...
  • Page 506: Backbone Fabric Ids

    Backbone fabric IDs
    InteropMode: Off
    usage: InteropMode [0|2|3 [-z McDataDefaultZone] [-s McDataSafeZone]]
    0: to turn interopMode off
    2: to turn McDATA Fabric mode on
    Valid McDataDefaultZone: 0 (disabled), 1 (enabled)
    Valid McDataSafeZone: 0 (disabled), 1 (enabled)
    3: to turn McDATA Open Fabric mode on
    If InteropMode is on, FC routing is not supported.
  • Page 507: Assigning Backbone Fabric Ids

    FCIP tunnel configuration Assigning backbone fabric IDs 1. Log in to the switch or director. 2. Enter the switchDisable command if EX_Ports are online. 3. Enter the fosConfig disable fcr command to disable the FC-FC Routing Service. The default state for the FCR is disabled. 4.
  • Page 508: Inter-Fabric Link Configuration

    Inter-fabric link configuration Inter-fabric link configuration Before configuring an IFL, be aware that you cannot configure both IFLs (EX_Ports, VEX_Ports) and ISLs (E_Ports) from a backbone fabric to the same edge fabric. Configuring an inter-fabric link involves disabling ports and cabling them to other fabrics, configuring those ports for their intended use, and then enabling the ports.
  • Page 509 Inter-fabric link configuration This port can now connect to another switch. For related FC-FC Routing commands, see fcrEdgeShow, fcrXlateConfig, fcrConfigure, and fcrProxyConfig in the Fabric OS Command Reference. A Fibre Channel router can interconnect multiple fabrics. EX_Ports or VEX_Ports attached to more than one edge fabric must configure a different fabric ID for each edge fabric.
  • Page 510 Inter-fabric link configuration EX Port Mirror Port FC Fastwrite 9. Enter either the portCfgEXPort or portShow command to verify that each port is configured correctly: switch:admin> portcfgexport 7/10 Port 7/10 info Admin: enabled State: NOT OK Pid format: Not Applicable Operate mode: Brocade Native Edge Fabric ID:...
  • Page 511: Fc Router Port Cost Configuration

    FC Router port cost configuration LE domain: 0 FC Fastwrite: ON Interrupts: Link_failure: 0 Frjt : Unknown: Loss_of_sync: 0 Fbsy : Lli: Loss_of_sig: Proc_rqrd: Protocol_err: 0 Timed_out: Invalid_word: 0 Rx_flushed: Invalid_crc: Tx_unavail: Delim_err: Free_buffer: Address_err: Overrun: Lr_in: Suspended: Lr_out: Parity_err: Ols_in: 2_parity_err: Ols_out:...
  • Page 512: Port Cost Considerations

    FC Router port cost configuration FC routers optimize the usage of the router port links by directing traffic to the link with the smallest router port cost. The FC router port cost is similar to the link cost setting available on E_Ports, which allows you to customize traffic flow.
  • Page 513: Setting Router Port Cost For An Ex_Port

    FC Router port cost configuration EX_Ports and VEX_Ports, when connected, are assigned different router port costs and traffic will flow only through the EX_Ports. Routing failover is automatic, but it can result in frames arriving out of order when frames take different routes. The FC router can force in-order delivery, although frame delivery is delayed immediately after the path failover.
  • Page 514: Ex_Port Frame Trunking Configuration

    EX_Port frame trunking configuration EX_Port frame trunking configuration In Fabric OS v5.2.0 and later, you can configure EX_Ports to use frame-based trunking just as you do regular E_Ports. EX_Port frame trunking support is designed to provide the best utilization and balance of frames transmitted on each link between the FC router and the edge fabric.
  • Page 515: Supported Configurations And Platforms

    EX_Port frame trunking configuration Table 94 lists the platforms that support FC-FC routing, indicates whether masterless EX_Port frame trunking is supported and, if supported, whether Virtual Fabrics must be enabled or disabled. TABLE 94 Supported platforms and VF mode for masterless EX_Port trunking Supported platforms for FCR Masterless EX_Port trunking supported? VF mode required for masterless EX_Port trunking Brocade DCX and DCX-4S:...
  • Page 516: Configuring Ex_Port Frame Trunking

    EX_Port frame trunking configuration High availability support The EX_Port frame trunking feature also is a High Availability (HA) supported feature. The HA protocol for EX_Port trunking is as follows: • If trunking is disabled prior to the HA failover, it remains disabled after the HA failover. •...
  • Page 517: Lsan Zone Configuration

    LSAN zone configuration LSAN zone configuration An LSAN consists of zones in two or more edge or backbone fabrics that contain the same devices. LSANs essentially provide selective device connectivity between fabrics without forcing you to merge those fabrics. FC routers provide multiple mechanisms to manage inter-fabric device connectivity through extensions to existing switch management interfaces.
  • Page 518: Lsan Zones And Fabric-To-Fabric Communications

    LSAN zone configuration LSAN zones and fabric-to-fabric communications Zoning is enforced by all involved fabrics; any communication from one fabric to another must be allowed by the zoning setup on both fabrics. If the SANs are under separate administrative control, then separate administrators maintain access control.
  • Page 519 LSAN zone configuration Do you want to enable 'zone_cfg' configuration (yes, y, no, n): [no] y zone config "zone_cfg" is in effect Updating flash … 6. Log in as admin to fabric2. Enter the nsShow command to list Target A (50:05:07:61:00:5b:62:ed) and Target B (50:05:07:61:00:49:20:b4).
  • Page 520: Setting The Maximum Lsan Count

    LSAN zone configuration • fcrPhyDevShow shows the physical devices in the LSAN. switch:admin> fcrphydevshow Device Physical Exists in Fabric ----------------------------------------- 75 10:00:00:00:c9:2b:c9:0c c70000 50:05:07:61:00:5b:62:ed 0100ef 50:05:07:61:00:5b:62:ed 0100e8 Total devices displayed: 3 • fcrProxyDevShow shows the proxy devices in the LSAN. switch:admin>...
  • Page 521: Configuring Backbone Fabrics For Interconnectivity

    LSAN zone configuration NOTE Since the maximum number of LSANs is configured for each switch, if there is a different maximum LSAN count on the switches throughout the metaSAN, then the device import/export will not be identical on the FC routers. You should enter the same maximum LSAN count for all the FC routers in the same backbone that support this feature.
  • Page 522 LSAN zone configuration Normally the FC router automatically accepts all zones with names that start with “lsan_”. You can specify an Enforce tag to indicate that a particular FC router should only accept zones that start with the prefix “lsan_tag”. For example, if you specify an Enforce tag of “abc”, the FC router accepts only those LSAN zones that start with “lsan_abc”...
  • Page 523: Figure 74 Example Of Setting Up Speed Lsan Tag

    LSAN zone configuration Edge fabric 1 Edge fabric 2 Edge fabric 3 FC router 1 FC router 2 = LSAN FIGURE 74 Example of setting up Speed LSAN tag Rules for LSAN tagging Note the following rules for configuring LSAN tags: •...
  • Page 524 LSAN zone configuration 4. Enter the following command to enable the FC router: switchenable 5. Change the names of the LSAN zones in the edge fabrics to incorporate the tag in the names. Example
    sw0:admin> switchdisable
    sw0:admin> fcrlsan --add -enforce enftag1
    LSAN tag set successfully
    sw0:admin>...
  • Page 525: Lsan Zone Binding

    LSAN zone configuration Example
    sw0:admin> fcrlsan --show -enforce
    Total LSAN tags : 1
    ENFORCE : enftag1
    sw0:admin> fcrlsan --show -speed
    Total SPEED tags : 1
    SPEED : fasttag2
    sw0:admin> fcrlsan --show -all
    Total LSAN tags : 2
    ENFORCE : enftag1
    SPEED : fasttag2
    LSAN zone binding...
  • Page 526: Figure 75 Lsan Zone Binding

    LSAN zone configuration LSAN zone 1 LSAN zone 2 Fabric 1 Fabric 2 Fabric 3 Fabric 7 router 1 router 2 Backbone fabric Fabric 8 router 4 router 3 Fabric 9 Fabric 4 Fabric 5 Fabric 6 LSAN zone 3 LSAN zone 4 FIGURE 75 LSAN zone binding...
  • Page 527 LSAN zone configuration How LSAN zone binding works LSAN zone binding uses an FC router matrix, which specifies pairs of FC routers in the backbone fabric that can access each other, and an LSAN fabric matrix, which specifies pairs of edge fabrics that can access each other.
  • Page 528 LSAN zone configuration LSAN fabric matrix definition With LSAN zone binding, you can specify pairs of fabrics that can access each other. Using the metaSAN shown in Figure 75 as an example, the following edge fabrics can access each other: •...
  • Page 529: Proxy Pid Configuration

    Proxy PID configuration Viewing the LSAN zone binding matrixes 1. Log on to the FC router as admin. 2. Enter the following command to view the FC router matrix: fcrlsanmatrix --fabricview -fcr 3. Enter the following command to view the LSAN fabric matrix: fcrlsanmatrix --fabricview -lsan Example FCR:Admin>...
  • Page 530: Inter-Fabric Broadcast Frames

    Inter-fabric broadcast frames • To change the fabric parameters on a switch in the edge fabric, use the configure command. Note that to access all of the fabric parameters controlled by this command, you must disable the switch using the switchDisable command. If executed on an enabled switch, only a subset of attributes are configurable.
  • Page 531: Enabling Broadcast Frame Forwarding

    Resource monitoring Enabling broadcast frame forwarding 1. Log in to the FC router as admin. 2. Type the following command: fcr:admin> fcrbcastconfig --enable -f fabricID where fabricID is the FID of the edge or backbone fabric on which you want to enable broadcast frame forwarding.
  • Page 532: Fc-Fc Routing And Virtual Fabrics

    FC-FC Routing and Virtual Fabrics LSAN Devices: 10000 Proxy Device Slots: 10000 WWN Pool Size Allocated --------------------------------- Phantom Node WWN: 8192 5413 Phantom Port WWN: 32768 16121 Port Limits: Max proxy devices: 2000 Max NR_Ports: 1000 Currently Used(column 1: proxy, column 2: NR_Ports): 10 | 11 | 12 |...
  • Page 533: Logical Switch Configuration For Fc Routing

    FC-FC Routing and Virtual Fabrics • EX_Ports can connect to a logical switch that is in the same chassis or a different chassis. However, the FID of the EX_Port must be set to a different value than the FID of the logical switch to which it connects.
  • Page 534: Backbone-To-Edge Routing With Virtual Fabrics

    FC-FC Routing and Virtual Fabrics Physical chassis 1 Physical chassis 2 Logical switch 1 Logical switch 5 (Default logical switch) (Default logical switch) Fabric ID 128 Fabric ID 128 Logical ISL Logical switch 2 Logical switch 6 Fabric ID 1 Fabric ID 1 Allows XISL use Allows XISL use...
  • Page 535: Upgrade And Downgrade Considerations For Fc-Fc Routing

    Upgrade and downgrade considerations for FC-FC routing Even though F_Ports are not allowed in the base switch, they are allowed in an FC router in legacy mode (Fabric OS v6.1.x or earlier, or Fabric OS v6.2.0 or later with Virtual Fabrics disabled). If you connect an FC router in legacy mode to the base switch, backbone-to-edge routing is supported on that FC router.
  • Page 536: Displaying The Range Of Output Ports Connected To Xlate Domains

    Displaying the range of output ports connected to xlate domains If you replace an 8-Gbps port blade or FX8-24 blade with an FR4-18i blade, the EX_Port configuration remains the same for all ports on the FR4-18i blade. All ports are persistently disabled.
  • Page 537: M-Eos Migration Path To Fabric Os

    Appendix M-EOS Migration Path to Fabric OS In this appendix • M-EOS fabrics overview......... 497 •...
  • Page 538: Table 96 Fabric Os And M-Eosc Interoperability Compatibility Matrix

    M-EOS fabrics overview TABLE 96 Fabric OS and M-EOSc interoperability compatibility matrix (Continued) Fabric OS Versions of M-EOSc v6.2.0 v7.1.3x v8.0 v9.2.0 v9.6.2 v9.7 v9.8 v9.9 v6.3.0 v6.4.0 Both Open and McDATA Fabric modes are supported. Fabric OS v5.1.0 and M-E/OSc v4.1.1, v5.1.2, 6.2.0 can interoperate through the FC routing capability of the SilkWorm AP7420 only.
  • Page 539: Mcdata Mi10K Interoperability

    McDATA Mi10K interoperability The connectivity limitations of a metaSAN containing Fabric OS and M-EOS fabrics are defined by the scalability of each individual fabric. The latest scalability information can be found at the Brocade Connect Web site at www.brocade.com. Refer to the M-EOS fabric documentation for scalability considerations.
  • Page 540: Configuring The Fc Router

    Fabric configurations for interconnectivity To allow interconnectivity with M-EOS SANs, use the -m option on the portCfgEXPort command to indicate the connectivity mode. Table 98 lists the valid parameters to use with the -m option to set the connectivity mode. TABLE 98 portCfgEXPort -m values Value...
  • Page 541 Fabric configurations for interconnectivity The following example sets port 10/13 to admin-enabled, assigns a Fabric ID of 37, and sets the M-EOS connection to McDATA Fabric Mode. ecp:admin_06> portcfgexport 10/13 -a 1 -f 37 -m 2 6. Enable the port by issuing the portEnable command. ecp:admin_06>...
  • Page 542: Configuring Lsan Zones In The M-Eos Fabric

    Fabric configurations for interconnectivity Configuring LSAN zones in the M-EOS fabric To ensure connectivity with devices in the Fabric OS fabric, you must set up LSAN zones in each edge fabric. An LSAN is defined by a zone in an edge fabric. When zoning an LSAN containing multiple fabrics with switches that are not running Fabric OS, you must use port WWN.
  • Page 543: Completing The Configuration

    Fabric configurations for interconnectivity 6. Connect to the switch and configure the connection to capture console output. 7. Enter the supportShow (or supportSave if available) command, and save the output. 8. If the fabric does not appear: a. Disable the EX_Port on the connected fabric. b.
  • Page 544 Fabric configurations for interconnectivity state owner known v520 0xfffc02 Device list: count 1 Type Pid PortName NodeName 010e00; 3;10:00:00:00:00:01:00:00;10:00:00:00:00:00:01:00; Fabric Port Name: 20:0e:00:60:69:e2:18:b6 Permanent Port Name: 10:00:00:00:00:01:00:00 Port Index: 14 Share Area: No Device Shared in Other AD: No Switch entry for 3 state owner known...
  • Page 545: Inband Management

    Appendix Inband Management In this appendix • Inband Management overview ........505 •...
  • Page 546: Internal Ethernet Devices

    Internal Ethernet devices Internal Ethernet devices During the switch initialization process, a new internal Ethernet device is created. The devices created are inbd0 and inbd1. Ethernet device inbd0 is used to communicate through GE port 1 and inbd1 is used to communicate through GE port 0. These new Ethernet interfaces are internal only and are not accessible from outside the switch.
  • Page 547: Setting The Ip Address For The 7500S

    IP address and routing management specified gateway. If no gateway is specified, it is assumed that the management station is on the same subnet as the external GE IP address, so no route is created on the GE port processor. Only a route on the CP is created with the internal GE port processor inband device address as the gateway.
  • Page 548: Deleting An Inband Management Route

    IP address and routing management Deleting an Inband Management route 1. Connect to the switch and log in as admin. 2. Enter the portCfg inbandmgmt command to delete a route to the Management Station. switch:admin> portcfg inbandmgmt ge0 routedel 192.168.3.0 255.255.255.0 Viewing Inband Management IP addresses and routes The portShow inbandmgmt command displays the addresses that are currently configured for that GE port number and a status of Inband Management (Enabled/Disabled).
  • Page 549: Fips

    Examples of supported configurations CP for 192.168.255.0/24 with gateway 192.168.255.1. Likewise, there is a “Management” route on the GE port processor for 10.1.1.61/32 with gateway 192.168.255.1, and a “Management” route on the CP for 192.168.112.60/32 with gateway 192.168.255.2. In this example, the CP management address is 10.1.1.61, and the “Management Station”...
  • Page 550: Configuring A Management Station On Different Subnets

    Examples of supported configurations b. On the 7500 R1, create an IP address on the GE interface: switch:admin> portcfg ipif ge0 create 192.168.3.20 255.255.255.0 1500 2. Configure the management interfaces on the 7500 L1. a. Configure the internal addresses for the inbd devices for CP and GE port (GE port 0 for this example).
  • Page 551 Examples of supported configurations FIGURE 81 Management Station on a different subnet 1. Configure the IP address for each of the 7500s (L1 and R1): a. On the 7500 L1, create an IP address on the GE interface: switch:admin> portcfg ipif ge0 create 192.168.1.10 255.255.255.0 1500 b.
  • Page 552 Examples of supported configurations switch:admin> portcfg inbandmgmt ge0 routeadd 192.168.3.0 255.255.255.0 192.168.2.250 4. Configure the routes on Router A. a. Configure the route going to the 7500 L1 management address. linux> route add -host 10.1.1.10 gw 192.168.1.10 b. Configure the route going to the Management Station. linux>...
  • Page 553: Port Indexing

    Appendix Port Indexing In this appendix • Port indexing on the Brocade 48000 director..... . . 513 • Port indexing on the Brocade DCX backbone ..... . . 515 •...
  • Page 554: Table 99 Default Index/Area_Id Core Pid Assignment With No Port Swap For The Brocade 48000

    Port indexing on the Brocade 48000 director TABLE 99 Default index/area_ID core PID assignment with no port swap for the Brocade 48000 director (Continued) Port on blade Slot 1 Slot 2 Slot 3 Slot 4 Slot 7 Slot 8 Slot 9 Slot 10 Idx/area Idx/area...
  • Page 555: Port Indexing On The Brocade Dcx Backbone

    Port indexing on the Brocade DCX backbone Port indexing on the Brocade DCX backbone Table 100 shows the index and PID mapping for the Brocade DCX enterprise-class platform. This table provides the index/PID assignment for the maximum number of ports (used by the FC8-64 blade).
  • Page 556 Port indexing on the Brocade DCX backbone TABLE 100 Default index/16-bit PID assignment with no port swap on a Brocade DCX backbone (Continued) Port Slot 1 Slot 2 Slot 3 Slot 4 Slot 9 Slot 10 Slot 11 Slot 12 (DCX) Index/PID Index/PID...
  • Page 557: Port Indexing On The Brocade Dcx-4S Backbone

    Port indexing on the Brocade DCX-4S backbone TABLE 100 Default index/16-bit PID assignment with no port swap on a Brocade DCX backbone (Continued) Port Slot 1 Slot 2 Slot 3 Slot 4 Slot 9 Slot 10 Slot 11 Slot 12 (DCX) Index/PID Index/PID...
  • Page 558 Port indexing on the Brocade DCX-4S backbone TABLE 101 Default index/16-bit PID assignment with no port swap for the Brocade DCX-4S Port on blade Slot 1 Index/PID Slot 2 Index/PID Slot 7 Index/PID Slot 8 Index/PID 63/0x3f00 127/0x7f00 191/0xbf00 255/0xff00 62/0x3e00 126/0x7e00 190/0xbe00...
  • Page 559: Table 101 Default Index/16-Bit Pid Assignment With No Port Swap For The Brocade Dcx-4S

    Port indexing on the Brocade DCX-4S backbone TABLE 101 Default index/16-bit PID assignment with no port swap for the Brocade DCX-4S (Continued) Port on blade Slot 1 Index/PID Slot 2 Index/PID Slot 7 Index/PID Slot 8 Index/PID 28/0x1c00 92/0x5c00 156/0x9c00 220/0xdc00 27/0x1b00 91/0x5b00...
  • Page 561: Fips Support

    Appendix FIPS Support In this appendix • FIPS overview..........521 •...
  • Page 562: Power-Up Self Tests

    Zeroization functions TABLE 102 Zeroization behavior (Continued) Keys: FCSP Challenge Handshake Authentication Protocol (CHAP) Secret. Zeroization CLI: secAuthSecret --remove value | --all. Description: The secAuthSecret remove value is used to remove the specified keys from the database. When the secAuthSecret command is used with --remove --all option then the entire key database is deleted.
  • Page 563: Fips Mode Configuration

    FIPS mode configuration The results of all self-tests, for both power-up and conditional, are recorded in the system log or are output to the local console. This includes logging both passing and failing results. Refer to the Fabric OS Troubleshooting and Diagnostics Guide for instructions on how to recover if your system cannot get out of the conditional test mode.
  • Page 564: Ldap In Fips Mode

    FIPS mode configuration LDAP in FIPS mode You can configure your Microsoft Active Directory server to use LDAP while in FIPS mode. There is no option provided on the switch to configure TLS ciphers for LDAP in FIPS mode. However, the LDAP client checks if FIPS mode is set on the switch and uses the FIPS-compliant TLS ciphers for LDAP.
  • Page 565: Table 105 Active Directory Keys To Modify

    FIPS mode configuration 2. Configure the DNS on the switch by using the dnsConfig command. Example of setting the DNS switch:admin> dnsconfig Enter option 1 Display Domain Name Service (DNS) configuration 2 Set DNS configuration 3 Remove DNS configuration 4 Quit Select an item: (1..4) [4] 2 Enter Domain Name: [] domain.com Enter Name Server IP address in dot notation: [] 123.123.123.123...
  • Page 566: Ldap Certificates For Fips Mode

    FIPS mode configuration LDAP certificates for FIPS mode To utilize the LDAP services for FIPS between the switch and the host, you must generate a CSR on the Active Directory server and import and export the CA certificates. To support server certificate validation, it is essential to have the CA certificate installed on the switch and Active Directory server.
  • Page 567: Preparing The Switch For Fips

    Preparing the switch for FIPS Deleting an LDAP switch certificate This option deletes the LDAP CA certificate from the switch. 1. Connect to the switch and log in as admin. 2. Enter the secCertUtil show -ldapcacert command to determine the name of the LDAP certificate file.
  • Page 568: Enabling Fips Mode

    Preparing the switch for FIPS Enabling FIPS mode 1. Log in to the switch using an account assigned the admin or securityAdmin role. 2. Optional: Select the appropriate method based on your needs: • If the switch is set for RADIUS, modify each server to use only peap-mschapv2 as the authentication protocol using the aaaConfig change or aaaConfig remove command.
  • Page 569: Disabling Fips Mode

    Preparing the switch for FIPS Enforce secure config Upload/Download Press enter to accept default. Enforce firmware signature validation Example switch:admin> configure Not all options will be available on an enabled switch. To disable the switch, use the "switchDisable" command. Configure... System services (yes, y, no, n): [no] …...
  • Page 570: Zeroizing For Fips

    Preparing the switch for FIPS Zeroizing for FIPS 1. Log in to the switch using an account assigned the admin or securityAdmin role. 2. Type the command fipsCfg zeroize. 3. Reboot the switch. Displaying FIPS configuration 1. Log in to the switch using an account assigned the admin or securityAdmin role. 2.
  • Page 571: Hexadecimal

    Appendix Hexadecimal Hexadecimal overview Hexadecimal, or simply hex, is a numeral system with a base of 16, usually written using unique symbols 0–9 and A–F, or a–f. Its primary purpose is to represent the binary code that computers interpret in a format easier for humans to read. It acts as a form of shorthand, in which one hexadecimal digit stands in place of four binary bits.
  • Page 572: Table 106 Decimal To Hexadecimal Conversion Table

    Hexadecimal overview TABLE 106 Decimal to hexadecimal conversion table (table values not recoverable)

This manual is also suitable for:

8/24, 8/40, 8/8, 8/80
