HP A7533A - Brocade 4Gb SAN Switch Base Administrator's Manual

HP StorageWorks Fabric OS 6.2 administrator guide (5697-0016, May 2009).
HP StorageWorks
Part number: 5697-0016
Edition: May 2009


   Summary of Contents for HP A7533A - Brocade 4Gb SAN Switch Base

  • Page 1

    HP StorageWorks Fabric OS 6.2 administrator guide Part number: 5697-0016 Edition: May 2009...

  • Page 2

    © Copyright 2009 Brocade Communications Systems, Incorporated. Hewlett-Packard Company makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

  • Page 3: Table Of Contents

    Contents About this guide ............25 Supported Fabric OS 6.2.x HP StorageWorks hardware.

  • Page 4: Table Of Contents

    Firmware upgrade and downgrade consideration ........46 Configupload and download considerations .

  • Page 5: Table Of Contents

    Changing the password for the current login account ....... . . 74 Changing the password for a different account.

  • Page 6: Table Of Contents

    3 Configuring standard security features ........99 Security Protocols .

  • Page 7: Table Of Contents

    Adding a member to an existing ACL policy........127 Removing a member from an ACL policy .

  • Page 8: Table Of Contents

    AES ..............149 Null encryption.

  • Page 9: Table Of Contents

    Account management and Virtual Fabrics ..........181 Supported platforms for Virtual Fabrics .

  • Page 10: Table Of Contents

    Admin Domains, zones, and zone databases ........210 Admin Domains and LSAN zones .

  • Page 11: Table Of Contents

    Zone aliases ..............243 Creating an alias.

  • Page 12: Table Of Contents

    Inter-Chassis Links ............. . 280 11 Routing traffic .

  • Page 13: Table Of Contents

    HP StorageWorks B-Series iSCSI Director Blade port numbering ......308 Enabling the iSCSI gateway service ..........309 Enabling GbE ports .

  • Page 14: Table Of Contents

    Trunking with TI zones ............347 Limitations and restrictions of Traffic Isolation Routing .

  • Page 15: Table Of Contents

    Setting the maximum LSAN count..........389 Configuring backbone fabrics for interconnectivity .

  • Page 16: Table Of Contents

    Displaying monitor counters ............418 Clearing monitor counters .

  • Page 17: Table Of Contents

    21 Configuring and monitoring FCIP extension services ......457 FCIP concepts..............457 Virtual ports and FCIP tunnels .

  • Page 18: Table Of Contents

    Starting an ipPerf session ........... . 488 WAN tool ipPerf syntax.

  • Page 19: Table Of Contents

    FICON emulation requirement for a determinate path ........514 One Ethernet interface, one IP route and one FCIP tunnel between sites .

  • Page 20: Table Of Contents

    Deleting a route............. 549 Viewing IP addresses and routes .

  • Page 21: Table Of Contents

    45 Dedicated path is not the shortest path ..........342 46 Traffic isolation Routing over FCR.

  • Page 22: Table Of Contents

    Fabric OS roles ............. . 68 Permission types .

  • Page 23: Table Of Contents

    67 Port numbering schemes for the HP StorageWorks 4/256 SAN Director, HP StorageWorks DC SAN Backbone Director and HP StorageWorks DC04 SAN Director Switch enterprise-class platforms 268 68 Default index/area_ID core PID assignment with no port swap ......269 69 Default index/area_ID core PID assignment with no port swap for the HP StorageWorks DC04 SAN Director Switch 271 70 HP StorageWorks enterprise-class platform terminology and abbreviations .

  • Page 25: About This Guide, Supported Fabric Os 6.2.x Hp Storageworks Hardware, Fabric Os 6.2 Administrator Guide

    About this guide This guide provides information about: • Installing and configuring Fabric OS 6.2.x • Managing user accounts • Using licensed features Supported Fabric OS 6.2.x HP StorageWorks hardware Table 1 lists Brocade and HP StorageWorks product models supported by Fabric OS 6.2.x. Table 1 Switch model naming matrix Brocade product name...

  • Page 26: Intended Audience, Related Documentation, Document Conventions And Symbols

    Table 1 Switch model naming matrix Brocade product name Equivalent HP StorageWorks B-Series product name Brocade 5410 HP StorageWorks EVA4400 Embedded Switch Module, 8Gb Brocade Brocade 5480 8Gb SAN Switch for HP BladeSystem c-Class Intended audience This guide is intended for system administrators with knowledge of: •...

  • Page 27: Rack Stability, Hp Technical Support, Customer Self Repair, Product Warranties

    CAUTION: Indicates that failure to follow directions could result in damage to equipment or data. IMPORTANT: Provides clarifying information or specific instructions. NOTE: Provides additional information. TIP: Provides helpful hints and shortcuts. Rack stability Rack stability protects personnel and equipment. WARNING! To reduce the risk of personal injury or damage to equipment: •...

  • Page 28: Subscription Service, Hp Websites, Documentation Feedback

    http://www.hp.com/go/storagewarranty Subscription service HP recommends that you register your product at the Subscriber's Choice for Business website: http://www.hp.com/go/wwalerts. After registering, you will receive e-mail notification of product enhancements, new driver versions, firmware updates, and other product resources. HP websites For additional product information, see the following HP websites: •...

  • Page 29: Fabric Os Overview, Fabric Os Command Line Interface, Getting Help On A Command

    Performing basic configuration tasks Fabric OS overview This chapter describes how to configure your HP SAN using the Fabric OS command line interface (CLI). Before you can configure a storage area network (SAN), you must power-up the enterprise-class platform or switch and blades, and then set the IP addresses of those devices. Although this chapter focuses on configuring a SAN using the CLI, you can also use the following methods to configure a SAN: •...

  • Page 30: Telnet Or Ssh Sessions, Rules For Telnet Connections, Connecting To Fabric Os Using Telnet

    routeHelp: Routing help information. trackChangesHelp: Track Changes help information. zoneHelp: Zoning help information. Telnet or SSH sessions Connect to the Fabric OS through a Telnet or SSH connection or through a console session on the serial port. The switch must also be physically connected to the network. If the switch network interface is not configured or the switch has been disconnected from the network, use a console session on the serial port as described in ”Console sessions using the serial...

  • Page 31: Console Sessions Using The Serial Port, Connecting To Fabric Os Through The Serial Port

    Console sessions using the serial port Note the following behaviors for serial connections: • Some procedures require that you connect through the serial port; for example, setting the IP address or setting the boot PROM password. • For the HP StorageWorks 4/256 SAN Director, HP StorageWorks DC SAN Backbone Director, and HP StorageWorks DC04 SAN Director Switch enterprise-class platforms, you can connect to CP0 or CP1 using either of the two serial ports.

  • Page 32: Changing The Default Account Passwords At Login

    Table 3 describes the default administrative accounts for switches by model number. Table 3 Default administrative account names and passwords Model Administrative Password account HP StorageWorks 4/8 and 4/16 SAN Switch, HP admin password StorageWorks 8/8 and 8/24 SAN Switch, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, HP StorageWorks 4/32 SAN Switch, HP StorageWorks 4/64 SAN Switch, HP StorageWorks 4/32B SAN...

  • Page 33: The Ethernet Interface On Your Switch, Virtual Fabrics And The Ethernet Interface

    To skip a single prompt press Enter. To skip all of the remaining prompts press Ctrl-C. login: admin Password: Please change your passwords now. Use Control-C to exit or press 'Enter' key to proceed. for user - root Changing password for root Enter new password: ******** Password changed.

  • Page 34: Displaying The Network Interface Settings

    Displaying the network interface settings If an IP address has not been assigned to the network interface (Ethernet), you must connect to the Fabric OS CLI using a console session on the serial port. For more information, see ”Console sessions using the serial port”...

  • Page 35: Static Ethernet Addresses, Setting The Static Addresses For The Ethernet Network Interface, Dhcp Activation

    Static Ethernet addresses Use static Ethernet network interface addresses on HP StorageWorks 4/256 SAN Director, HP StorageWorks DC SAN Backbone Director, and HP StorageWorks DC04 SAN Director Switch enterprise-class platforms, and in environments where DHCP service is not available. To use static addresses for the Ethernet interface, you must first disable DHCP.

  • Page 36: Activating Dhcp, Deactivating Dhcp

    The DHCP client uses a DHCP vendor class identifier that allows DHCP servers to determine that the Discovers and Requests are coming from an HP switch. The vendor class identifier is the string “BROCADE” followed by the SWBD model number of the platform. For example, the vendor class identifier for a request from an HP 8/80 Base 48-ports Enabled SAN Switch is “BROCADESWBD64.”...

  • Page 37: Ipv6 Autoconfiguration, Setting Ipv6 Autoconfiguration, Date And Time Settings, Setting The Date And Time

    IPv6 autoconfiguration IPv6 can assign multiple IP addresses to each network interface. Each interface is configured with a link local address in almost all cases, but this address is accessible only from other hosts on the same network. To provide for wider accessibility, interfaces are typically configured with at least one additional global scope IPv6 address.

  • Page 38: Time Zone Settings, Setting The Time Zone

    Enter the date command, using the following syntax: date "mmddHHMMyy" The values represent the following: • mm is the month; valid values are 01 through 12. • dd is the date; valid values are 01 through 31. • HH is the hour; valid values are 00 through 23. •...

  • Page 39: Setting The Time Zone Interactively, Network Time Protocol

    Enter the tsTimeZone command as follows: switch:admin> tstimezone [--interactive]/ [, timezone_fmt] • Use tsTimeZone with no parameters to display the current time zone setting • Use interactive to list all of the time zones supported by the firmware. • Use timeZone_fmt to set the time zone by Country/City or by time zone ID, such as PST. The following example shows how to display the current time zone setup and how to change the time zone to US/Central.

  • Page 40: Synchronizing The Local Time With An External Source, Switch Names, Customizing The Switch Name

    Synchronizing the local time with an external source The tsClockServer command accepts multiple server addresses in either IPv4, IPv6, or DNS name formats. When multiple NTP server addresses are passed, tsClockServer sets the first obtainable address as the active NTP server. The rest are stored as backup servers that can take over if the active NTP server fails.

  • Page 41: Customizing Chassis Names

    Customizing chassis names Connect to the switch and log in as admin. Enter the chassisName command using the following syntax: switch:admin> chassisname newname Where newname is the new name for the enterprise-class platform. It is not necessary to use quotation marks.

  • Page 42: Setting The Domain Id

    Fabric information is displayed, including the domain ID (D_ID). switch:admin> fabricshow Switch ID Worldwide Name Enet IP Addr FC IP Addr Name ------------------------------------------------------------------------- 2: fffc02 10:00:00:60:69:e0:01:46 10.32.220.1 0.0.0.0 "ras001" 3: fffc03 10:00:00:60:69:e0:01:47 10.32.220.2 0.0.0.0 "ras002" 5: fffc05 10:00:00:05:1e:34:01:bd 10.32.220.5 0.0.0.0 "ras005"...

  • Page 43: Domain Ids, Licensed Features

    Enter a unique domain ID at the Domain prompt. Use a domain ID value from 1 through 239 for normal operating mode (FCSW compatible): Domain: (1..239) [1] 3 Respond to the remaining prompts, or press Ctrl-d to accept the other settings and exit. Enter the switchEnable command to re-enable the switch.

  • Page 44

    Table 4 License requirements (continued) Feature License Where license should be installed FICON XRC Sequence FICON XRC Local and attached switches. Emulation over an FCIP High-Performance Extension over FCIP/FC Tunnel FIPS No license required. Firmware download No license required. Firmwaredownload is a command and comes with the OS on the switch.

  • Page 45: Icl Licensing, License Requirements

    Table 4 License requirements (continued) Feature License Where license should be installed Speed 8 Gb/s license needed to support 8 Gb/s Local switch on the HP StorageWorks 8/8 and 8/24 SAN Switch, HP StorageWorks 8/40 SAN Switch, and HP StorageWorks 8/80 SAN Switch only.

  • Page 46: Time-based Licenses, High Availability Considerations, Firmware Upgrade And Downgrade Consideration, Configupload And Download Considerations

    Time-based licenses A time-based license applies a try-before-you-buy approach to certain features so that you can experience the feature and its capabilities prior to buying the license. Once you have installed the license, you are given a time limit to use the feature. The following lists the types of licenses that have this feature: •...

  • Page 47

    The Hewlett-Packard Authorization Center website main menu is displayed. Click Generate a license key. The HP StorageWorks Software License Key instruction page opens: Proxy host Host (imported device) Proxy target (imported device)

  • Page 48: Removing A Licensed Feature

    Some features may require additional configuration, or you may need to disable and re-enable the switch to make them operational; see the feature documentation for details. switch:admin> licenseshow aAYtMJg7tmMZrTZ9JTWBC4SXWLJMY3QfBJYHG: Fabric license Remote Switch license Remote Fabric license Extended Fabric license Entry Fabric license Fabric Watch license Performance Monitor license...

  • Page 49: List Of Available Ports When Implementing Pods

    Ports on Demand The HP StorageWorks 4/8 and 4/16 SAN Switch, HP StorageWorks 8/8 and 8/24 SAN Switch models can be purchased with 8 ports and no E_Port, 8 ports with full fabric access, or 16 ports with full fabric access.

  • Page 50: Activating Ports On Demand

    IMPORTANT: If you enable or disable an active port you will disrupt any traffic and potentially lose data flowing on that port. If the port is connected to another switch, you will segment the switch from the fabric and all traffic flowing between the disabled port and the fabric is lost.

  • Page 51: Ports On Demand

    Example of manually assigned POD licenses: switch:admin> licenseport --show 24 ports are available in this switch Full POD license is installed Static POD method is in use 24 port assignments are provisioned for use in this switch: 12 port assignments are provisioned by the base switch license 12 port assignments are provisioned by a full POD license 24 ports are assigned to installed licenses: 12 ports are assigned to the base switch license...

  • Page 52: Dynamic Ports On Demand, Disabling Dynamic Ports On Demand, Pod License Management

    Disabling Dynamic Ports on Demand Disabling the Dynamic POD feature changes the POD method to static and erases any prior port license associations or assignments the next time the switch is rebooted. Connect to the switch and log in using an account assigned to the admin role. Enter the licensePort method command with the static option to change the license assignment method to static.

  • Page 53: Releasing A Port From A Pod Set

    Enter the licensePort show command to verify that there are port reservations still available. switch:admin> licenseport --show 24 ports are available in this switch Full POD license is installed Dynamic POD method is in use 24 port assignments are provisioned for use in this switch: 12 port assignments are provisioned by the base switch license 12 port assignments are provisioned by a full POD license 10 ports are assigned to installed licenses:...

  • Page 54: Switch Activation And Deactivation, Disabling A Switch, Enabling A Switch, Port Activation And Deactivation

    After a port is assigned to the POD set, the port is licensed until it is manually removed from the POD port set using the licensePort release command. When a port is released from its POD port set (Base, Single, or Double), it creates a vacancy in that port set. Connect to the switch and log in using an account assigned to the admin role.

  • Page 55: Disabling A Port, Enabling A Port, Basic Connections

    IMPORTANT: The fabric will be reconfigured if the port you are enabling or disabling is connected to another switch. The switch whose port has been disabled will be segmented from the fabric and all traffic flowing between it and the fabric will be lost. Disabling a port Connect to the switch and log in using an account assigned to the admin role.

  • Page 56: Device Connection, Switch Connection, Gateway Links, Configuring A Link Through A Gateway

    Before connecting a switch to a fabric that contains switches running different firmware versions, you must first set the same PID format on all switches. The presence of different PID formats in a fabric causes fabric segmentation. • For information on PID formats and related procedures, see ”PID format selection”...

  • Page 57: Equipment Status, Checking Switch Operation, Verifying High Availability Features (directors And Enterprise-class Platforms Only)

    Connect to the switch at one end of the gateway and log in using an account assigned to the admin role. Enter the portCfgIslMode command that is appropriate for your hardware model: HP StorageWorks 4/8 and 4/16 SAN Switch, HP StorageWorks 8/8 and 8/24 SAN Switch, HP StorageWorks SAN Switch 2/8V, HP StorageWorks SAN Switch 2/16V, HP StorageWorks SAN Switch 2/32, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, Brocade 8Gb SAN Switch for HP BladeSystem c-Class, HP StorageWorks 4/32 SAN...

  • Page 58: Verifying Fabric Connectivity

    Enter the slotShow -m command to display the inventory and the current status of each slot in the system. DCX:FID128:root> slotshow -m Slot Blade Type Model Name Status -------------------------------------------------- SW BLADE FC8-32 ENABLED SW BLADE FC8-48 ENABLED SW BLADE FC10-6 ENABLED SW BLADE FC8-48...

  • Page 59: Verifying Device Connectivity

    Enter the fabricShow command. This command displays a summary of all the switches in the fabric. switch:admin> fabricshow Switch ID Worldwide Name Enet IP Addr FC IP Addr Name ------------------------------------------------------------------------- 2: fffc02 10:00:00:60:69:e0:01:46 10.32.220.1 0.0.0.0 "ras001" 3: fffc03 10:00:00:60:69:e0:01:47 10.32.220.2 0.0.0.0 "ras002"...

  • Page 60: Displaying Switches In Access Gateway Mode, Track And Control Switch Changes

    The number of devices listed should reflect the number of devices that are connected. Displaying switches in Access Gateway mode Connect to the switch and log in using an account assigned to the admin role. Enter the agShow command. switch:admin> agshow Worldwide Name Ports Enet IP Addr Firmware Local/Remote Name...

  • Page 61: Viewing The Switch Status Policy Threshold Values, Setting The Switch Status Policy Threshold Values

    The status of the track changes feature is displayed as either on or off. The display includes whether or not the track changes feature is configured to send SNMP traps. switch:admin> trackchangesshow Track changes status: ON Track changes generate SNMP-TRAP: NO switch:admin>...

  • Page 62: Audit Log Configuration

    SAN Switch, HP StorageWorks 8/40 SAN Switch, HP StorageWorks 8/80 SAN Switch, and HP StorageWorks 400 Multi-Protocol Router switch:admin> switchstatuspolicyset To change the overall switch status policy parameters The current overall switch status policy parameters: Down Marginal ---------------------------------- PowerSupplies Temperatures Fans Flash MarginalPorts...

  • Page 63: Auditable Event Classes, Auditcfg Event Class Operands

    Auditable events are generated by the switch and streamed to an external host through a configured system message log daemon (syslog). You specify a filter on the output to select the event classes that are sent through the system message log. The filtered events are streamed chronologically and sent to the system message log on an external host in the specified audit message format.

  • Page 64: Verifying Host Syslog Prior To Configuring The Audit Log

    Audit events have the following message format: AUDIT, <Timestamp>, [<Event ID>], <Severity>, <Event Class>, <User ID>/<Role>/<IP address>/<Interface>,<Admin Domain>/<Switch name>,<Reserved>,<Event-specific information> Switch names are logged for switch components and enterprise-class platform names for enterprise-class platform components. For example, an enterprise-class platform name may be FWDL or RAS and a switch component name may be zone, name server, or SNMP.

  • Page 65: Switch And Enterprise-class Platform Shutdown, Powering Off A Switch, Powering Off An Enterprise-class Platform

    ad_0/ras007/FID 128, , Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: 10.32.220.137. Oct 10 08:52:23 10.32.220.7 raslogd: 2008/10/10-08:20:36, [CONF-1001], 13, WWN 10:00:00:05:1e:34:02:0c | FID 128, INFO, ras007, configUpload completed successfully. All config parameters are uploaded. Oct 10 09:00:04 10.32.220.7 raslogd: AUDIT, 2008/10/10-08:28:16 (GMT), [SEC-3021], INFO, SECURITY, admin/NONE/10.32.220.137/None/CLI, None/ras007/FID 128, , Event: login, Status: failed, Info: Failed login attempt via REMOTE, IP Addr: 10.32.220.137.

  • Page 66: High Availability Of Daemon Processes, Daemons That Are Automatically Restarted

    Wait until you see the following message: DCX:FID128:admin> sysshutdown This command will shutdown the operating systems on your switch. You are required to power-cycle the switch in order to restore operation. Are you sure you want to shutdown the switch [y/n]?y HA is disabled Stopping blade 10 Shutting down the blade..

  • Page 67: Managing User Accounts, User Accounts Overview, Role-based Access Control (rbac)

    Managing user accounts This chapter provides information and procedures on managing authentication and user accounts for the switch management channel. User accounts overview In addition to the default accounts—root, factory, admin, and user—Fabric OS supports up to 252 additional user-defined accounts in each Logical Switch (domain). These accounts expand your ability to track account access and audit administrative activities.

  • Page 68: Fabric Os Roles, Permission Types

    account using the userConfig command to add this permission to a user account. For clarity, this permission has been added to Table 8 which describes the Fabric OS predefined roles. Table 8 Fabric OS roles Role name Fabric OS Duties Description version Admin...

  • Page 69: Rbac Permissions Matrix

    Table 10 shows the permission type for the categories of commands that each role is assigned. The permissions apply to all commands within the specified category. For a complete list of commands and role permissions, see the Fabric OS Command Reference. Table 10 RBAC permissions matrix Category...

  • Page 70: Role Permissions, The Management Channel, Maximum Number Of Simultaneous Sessions

    Table 10 RBAC permissions matrix (continued) Category Role permission Admin Basic Fabric Operator Security Switch User Zone Switch Admin Admin Admin Admin Admin Port Mirroring RADIUS Reboot Routing—Advanced Routing—Basic Security Session Management SNMP Statistics Statistics—Device Statistics—Port Switch Configuration Switch Management Switch Management—IP Configuration Switch Port Configuration...

  • Page 71: Local Database User Accounts, Default Accounts, Displaying Account Information, Creating An Account

    Table 11 Maximum number of simultaneous sessions (continued) Role name Maximum sessions User ZoneAdmin Local database user accounts User add, change, and delete operations are subject to the subset rule: An admin with ADlist 0-10 or LFlist 1-10 cannot perform operations on an admin, user, or any role with an ADlist 11-25 or LFlist 11-128. The user account being changed must have an ADlist or LFlist that is a subset of the account that is making the change.

  • Page 72: Deleting An Account

    where: username: Specifies the account name, which must begin with an alphabetic character. The name can be from 8 to 40 characters long. It is case-sensitive and can contain alphabetic and numeric characters, the period (.) and the underscore ( _ ). It must be different than all other account names on the Logical Switch.

  • Page 73: Changing Account Parameters, Local Account Passwords

    Changing account parameters This procedure can be performed on local user accounts. When changing account parameters, if you change the ADlist for the user account, all of the currently active sessions for that account will be logged out. For more information about changing the Admin Domain on an account, see Chapter 7, ”Managing administrative domains”...

  • Page 74: Changing The Password For The Current Login Account, Changing The Password For A Different Account

    • An admin with ADlist 0-10 or LFlist 1-10 cannot change the password on an admin, user, or any role with an ADlist 11-25 or LFlist 11-128. The user account being changed must have an ADlist that is a subset of the account that is making the change.

  • Page 75: Protection Of The Local User Database From Distributions

    NOTE: If Virtual Fabrics mode is enabled, distributing the password database to switches is not supported. If the distribution command is entered from a pre-Fabric OS 6.2.0, switches running Fabric OS 6.2.0 will reject it. Protection of the local user database from distributions Fabric OS 5.2.0 and later allows you to distribute the user database and passwords to other switches in the fabric.

  • Page 76: Password History Policy, Password Expiration Policy

    • Uppercase Specifies the minimum number of uppercase alphabetic characters that must appear in the password. The default value is zero. The maximum value must be less than or equal to the MinLength value. • Digits Specifies the minimum number of numeric digits that must appear in the password. The default value is zero.

  • Page 77: Upgrade And Downgrade Considerations For Password Management, Account Lockout Policy

    expiration during which warnings will commence. Password expiration does not disable or lock out the account. Use the following attributes to set the password expiration policy: • MinPasswordAge Specifies the minimum number of days that must elapse before a user can change a password. MinPasswordAge values range from 0 to 999.

  • Page 78: Enabling The Admin Lockout Policy, Unlocking An Account, Disabling The Admin Lockout Policy

    The following commands manage the account lock out policy. • userConfig change account_name -u • passwdCfg disableadminlockout Note that the account-locked state is distinct from the account-disabled state. Use the following attributes to set the account lockout policy: • LockoutThreshold Specifies the number of times a user can attempt to log in using an incorrect password before the account is locked.

  • Page 79: With A Recovery String

    You should set the boot PROM password and the recovery string on all switches, as described in ”With a recovery string” on page 79. If your site procedures dictate that you set the boot PROM password without the recovery string, see ”Without a recovery string”...

  • Page 80: The Boot Prom Password

    Setting the boot PROM password for a director with a recovery string This procedure applies to the following enterprise-class platforms: HP StorageWorks 4/256 SAN Director and HP StorageWorks DC SAN Backbone Director and HP StorageWorks DC04 SAN Director. The boot PROM and recovery passwords must be set for each CP blade on HP StorageWorks 4/256 SAN Director, HP StorageWorks DC SAN Backbone Director, and HP StorageWorks DC04 SAN Director Switch enterprise-class platforms.

  • Page 81: With A Recovery String, Without A Recovery String

    Without a recovery string Although you can set the boot PROM password without also setting the recovery string, HP recommends that you set both the password and the string as described in ”With a recovery string” on page 79. If your site procedures dictate that you must set the boot PROM password without the string, follow the procedure that applies to your switch model.

  • Page 82: Recovering Forgotten Passwords

    Create a serial connection to the standby CP blade as described in ”Connecting to Fabric OS through the serial port” on page 31. Reboot the standby CP blade by sliding the On/Off switch on the ejector handle of the standby CP blade to Off, and then back to On.

  • Page 83: The Authentication Model, Effects Of Using Radius Or Ldap Service On Fabric Os Features

    The authentication model Fabric OS 6.0.0 and later versions support the use of both the local user database and the remote authentication dial-in user service (RADIUS) at the same time, and the local user database and lightweight directory access protocol (LDAP) using Microsoft Active Directory in Windows at the same time. When configured to use RADIUS or LDAP, the switch acts as a network access server (NAS) and RADIUS or LDAP client.

  • Page 84: Setting The Switch Authentication Mode, Authentication Configuration Options

    • If you cannot log in because of a RADIUS or LDAP server connection problem, Web Tools displays a message indicating server outage. Table 13 on page 84 describes the aaaConfig command options used to set up the authentication mode. Table 13 Authentication configuration options aaaConfig options...

  • Page 85: Fabric Os User Accounts, Syntax For Vsa-based Account Roles

    Enter the following command: switch:admin> aaaConfig --authspec ["radius" | "ldap" | "radius;local" | "ldap;local" --backup] Fabric OS user accounts RADIUS and LDAP servers allow you to set up user accounts by their true network-wide identity rather than by the account names created on a Fabric OS switch. With each account name, assign the appropriate switch access roles.

  • Page 86: Fabric Os Users On The Radius Server, Windows 2000 Ias, Dictionary.brocade File Entries

    Table 14 Syntax for VSA-based account roles (continued) Item Value Description Vendor length 2 or higher 1 octet, calculated by server, including vendor-type and vendor-length Attribute-specific ASCII Multiple octets, maximum 253, indicating the name of the assigned data string role and other supported attribute values such as Admin Domain member list.

  • Page 87

    After you have completed the dictionary file, define the role for the user in a configuration file. For example, to grant the user jsmith the Admin role, you would add the following statement to the configuration file: swladmin Auth-Type := Local, User-Password == "myPassword" Brocade-Auth-Role = "admin", Brocade-AVPairs1 = "HomeLF=70", Brocade-AVPairs2 =...

  • Page 88: Linux Freeradius Server

    In the next example, on a Linux FreeRadius Server, the user takes the “operator” role, with ADList 1, 2, 4, 5, 6, 7, 8, 9, 12, 20 and HomeAD 2. user-opr Auth-Type := Local, User-Password == "password" Brocade-Auth-Role = "operator", Brocade-AVPairs1 = "ADList=1,2;HomeAD=2", Brocade-AVPairs2 = "ADList=-4-8,20;ADList=7,9,12"...

  • Page 89

    Adding the Brocade attribute to the server Create and save the file $PREFIX/etc/raddb/dictionary.brocade with the following information: # dictionary.brocade VENDOR Brocade 1588 # attributes ATTRIBUTE Brocade-Auth-Role string Brocade ATTRIBUTE Brocade-AVPairs1 string Brocade ATTRIBUTE Brocade-AVPairs2 string Brocade ATTRIBUTE Brocade-AVPairs3 string Brocade ATTRIBUTE Brocade-AVPairs4 string...

  • Page 90: The Radius Server, Enabling Clients

    Clients are the switches that will use the RADIUS server; each client must be defined. By default, all IP addresses are blocked. The HP StorageWorks 4/256 SAN Director, HP StorageWorks DC SAN Backbone Director and HP StorageWorks DC04 SAN Director Switch enterprise-class platforms send their RADIUS requests using the IP address of the active CP.

  • Page 91: Radius Authentication, Rsa Radius Server, Setting Up The Rsa Radius Server

    a. For the Add RADIUS Client window, provide the following: • Client address (IP or DNS)—Enter the IP address of the switch. • Client-Vendor—Select RADIUS Standard. • Shared secret—Provide a password. Shared secret is a password used between the client device and server to prevent IP address spoofing by unwanted clients.

  • Page 92

    Figure 2 shows what the brocade.dct file should look like and Figure 3 shows what needs to be modified in the brocade.dcm file. IMPORTANT: The dictionary files for RSA RADIUS Server must remain in the installation directory. Do not move the files to other locations on your computer. Add Brocade-VSA macro and define the attributes as follows: •...

  • Page 93: Ldap Configuration And Microsoft Active Directory

    ####################################################################### # dictiona.dcm ####################################################################### # Generic Radius @radius.dct # Specific Implementations (vendor specific) @3comsw.dct @aat.dct @acc.dct @accessbd.dct @agere.dct @agns.dct @airespace.dct @alcatel.dct @altiga.dct @annex.dct @aptis.dct @ascend.dct @ascndvsa.dct @axc.dct @brocade.dct @bandwagn.dct @brocade.dct <------- Figure 3 Example of the dictiona.dcm file c. When selecting items from the Add Return List Attribute, select Brocade-Auth-Role and enter the string Admin.

  • Page 94: Creating A User, Creating A Group, Assigning The Group (role) To The User

    Install a Certificate Authority (CA) certificate on the Windows Active Directory server for LDAP. Follow Microsoft instructions for generating and installing CA certificates on a Windows server. Create a user in Microsoft Active Directory server. For instructions on how to create a user, see www.microsoft.com or Microsoft documentation to create a user in your Active Directory.

  • Page 95: Authentication Servers On The Switch, Displaying The Current Radius Configuration

    Example using Administrative Domains: adlist_0_10_200_endAd Home Admin Domain (homeAD) for the user will be the first value in the adlist (Admin Domain list). If a user has no values assigned in the adlist attribute, the homeAD ‘0’ will be the default administrative domain for the user.

  • Page 96: Adding A Radius Server To The Switch Configuration

    Adding a RADIUS server to the switch configuration Connect to the switch and log in using an account assigned to the admin role. Enter the following command: switch:admin> aaaConfig --add server [-p port] [-s secret] [-t timeout] [-a pap | chap | peap-mschapv2] Enter either a server name or IPv4 or IPv6 address.

  • Page 97: Deleting A Radius Or Ldap Server From The Configuration, Changing A Radius Server Configuration

    where you specify the type of server as either RADIUS or LDAP, but not both; local is used for local authentication if the user authentication fails on the RADIUS or LDAP server. Example switch:admin> aaaconfig --authspec "radius;local" --backup Deleting a RADIUS or LDAP server from the configuration Connect to the switch and log in using an account assigned to the admin role.

  • Page 98: Configuring Local Authentication As Backup

    server: Enter either the name or IP address of the server whose position is to be changed. to_position: Enter the position number to which the server is to be moved. When the command succeeds, the event log indicates that a server configuration is changed. Configuring local authentication as backup It is useful to enable local authentication so that the switch can take over authentication locally if the RADIUS or LDAP servers fail to respond because of power outage or network problems.

  • Page 99

    Fabric OS 6.2 administrator guide...

  • Page 100

    100 Managing user accounts...

  • Page 101: Configuring Standard Security Features, Security Protocols, Secure Protocol Support

    Configuring standard security features This chapter provides information and procedures for configuring standard Fabric OS security features such as protocol and certificate management. IMPORTANT: Secure Fabric OS is no longer supported in Fabric OS 6.x. However, all features of Secure Fabric OS are included in the base Fabric OS 6.x.

  • Page 102: Secure File Copy, Setting Up Scp For Configuploads And Downloads

    Table 17 describes additional software or certificates that you must obtain to deploy secure protocols. Table 17 Items needed to deploy secure protocols Protocol Host side Switch side SSHv2 Secure shell client None HTTPS No requirement on host Switch IP certificate for SSL side except a browser that supports HTTPS SSH daemon, scp server...

  • Page 103: Simple Network Management Protocol

    Example: Setting up SCP for configUpload/download: switch:admin> configure Not all options will be available on an enabled switch. To disable the switch, use the "switchDisable" command. Configure... System services (yes, y, no, n): [no] ssl attributes (yes, y, no, n): [no] http attributes (yes, y, no, n): [no] snmp attributes (yes, y, no, n): [no] rpcd attributes (yes, y, no, n): [no]...

  • Page 104: Snmp And Virtual Fabrics, Filtering Ports, Switch And Chassis Context Enforcement, The Security Level

    For information on the specific commands used in these procedures, see online help or the Fabric OS Command Reference. SNMP and Virtual Fabrics When an SNMPv3 request arrives with a particular username, it executes in the home-Virtual Fabric. From the SNMP manager all SNMPv3 requests must have a home-Virtual Fabric that is specified in the contextName field.

  • Page 105: The Snmpconfig Command

    The snmpConfig command Use the snmpConfig set command to change either the SNMPv3 or SNMPv1 configuration. You can also change access control, MIB capability, and system group. Example: SNMPv3 configuration switch:admin> snmpconfig --set snmpv3 SNMPv3 user configuration: User (rw): [snmpadmin1] adminuser Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..3) [3] 1 New Auth Passwd: Verify Auth Passwd:...

  • Page 106

    Example: accessControl configuration switch:admin> snmpconfig --set accessControl SNMP access list configuration: Access host subnet area in dot notation: [0.0.0.0] 192.168.0.0 Read/Write? (true, t, false, f): [true] Access host subnet area in dot notation: [0.0.0.0] 10.32.148.0 Read/Write? (true, t, false, f): [true] f Access host subnet area in dot notation: [0.0.0.0] Read/Write? (true, t, false, f): [true] Access host subnet area in dot notation: [0.0.0.0] 10.33.0.0...

  • Page 107: Secure Shell Protocol, Ssh Public Key Authentication, Allowed-user

    Example: systemGroup configuration (default) switch:admin> snmpconfig --default systemGroup ***** This command will reset the agent's system group configuration back to factory default ***** sysDescr = Fibre Channel Switch sysLocation = End User Premise sysContact = Field Support authTraps = 0 (OFF) ***** Are you sure? (yes, y, no, n): [no] y Secure Shell protocol...

  • Page 108: Configuring Ssh Authentication

    Configuring SSH authentication Incoming authentication is used when the remote host needs to authenticate to the switch. Outgoing authentication is used when the switch needs to authenticate to a server or remote host and is more commonly used for the configUpload command. Both password and public key authentication can coexist on the switch.

  • Page 109: Deleting Keys On The Switch

    switch:alloweduser> sshutil importpubkey Enter IP address: 192.168.38.244 Enter remote directory: ~auser/.ssh Enter public key name(must have .pub suffix): id_dsa.pub Enter login name: auser Password: Public key is imported successfully. Generate a key pair for switch-to-host (outgoing) authentication by logging in to the switch as the allowed user and entering the following command: sshUtil genkey Enter a passphrase for additional security.

  • Page 110: Secure Sockets Layer Protocol, Browser And Java Support, Ssl Configuration Overview, Ssl Certificate Files

    Secure Sockets Layer protocol Secure sockets layer (SSL) protocol provides secure access to a fabric through Web-based management tools like Web Tools. SSL support is a standard Fabric OS feature. Switches configured for SSL grant access to management tools through hypertext transfer protocol over SSL links (which begin with https://) instead of standard links (which begin with http://).

  • Page 111: Certificate Authorities, Generating A Public And Private Key, Generating And Storing A Csr

    Install the certificate on each switch. Once the certificate is loaded on the switch, HTTPS starts automatically. If necessary, install the root certificate to the browser on the management workstation. Add the root certificate to the Java Plug-in keystore on the management workstation. Certificate authorities To ease maintenance and allow secure out-of-band communication between switches, consider using one certificate authority (CA) to sign all management certificates for a fabric.

  • Page 112: Obtaining Certificates, Installing A Switch Certificate, The Browser

    Enter the requested information. You can use either FTP or SCP. Select protocol [ftp or scp]: Enter IP address: 192.1.2.3 Enter remote directory: path_to_remote_directory Enter Login Name: your account Enter Password: your password Success: exported CSR. If you are set up for secure file copy protocol, you can select it; otherwise, select ftp, enter the IP address of the switch on which you generated the CSR, enter the remote directory name of the FTP server to which the CSR is to be sent, and then enter your account name and password on the server.

  • Page 113: Checking And Installing Root Certificates On Internet Explorer

    The next procedures are guides for installing root certificates to Internet Explorer and Mozilla Firefox browsers. For more detailed instructions, see the documentation that came with the certificate. Checking and installing root certificates on Internet Explorer Select Tools > Internet Options. Select the Content tab.

  • Page 114: Summary Of Certificate Commands, Telnet Protocol, Blocking Telnet, Commands For Displaying And Deleting Ssl Certificates

    Enter the keytool command and respond to the prompts (in the following example, changeit is the default password and RootCert is an example root certificate name): C:\Program Files\Java\j2re1.6.0\bin> keytool -import -alias RootCert -file RootCert.crt -keystore ..\lib\security\RootCerts Enter keystore password: changeit Owner: CN=Brocade, OU=Software, O=Brocade Communications, L=San Jose, ST=California, C=US Issuer: CN=Brocade, OU=Software, O=Brocade Communications, L=San Jose,...

  • Page 115: Unblocking Telnet, Listener Applications, Blocked Listener Applications

    where the -sip option can be given as any, dp is the port number for Telnet (23), and -proto is TCP. Example: Adding a rule ipfilter --addrule block_telnet_v4 -rule 2 -sip any -dp 23 -proto tcp -act deny Save the new ipfilter policy by issuing the following command: ipfilter --save policyname where policyname is the name of the policy and is optional.

  • Page 116: Ports And Applications Used By Switches, Access Defaults

    Table 21 Blocked listener applications (continued) Listener application HP StorageWorks 4/256 SAN HP StorageWorks 4/8 and 4/16 SAN Switches, HP Director, HP StorageWorks DC04 StorageWorks 8/8 and 8/24 SAN Switches, Brocade 4Gb SAN SAN Director, and HP StorageWorks Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for DC SAN Backbone Director HP c-Class BladeSystem, Brocade 8Gb SAN Switch for HP enterprise-class platforms...

  • Page 117: Port Configuration, Port Information

    Port configuration Table 23 provides information on ports that the switch uses. When configuring the switch for various policies, take into consideration firewalls and other devices that may sit between switches in the fabric and your network or between the managers and the switch. Table 23 Port information Port...

  • Page 118

    116 Configuring standard security features...

  • Page 119: Configuring Advanced Security Features, Acl Policies Overview, How The Acl Policies Are Stored

    Configuring advanced security features This chapter provides information and procedures for configuring advanced Fabric OS security features such as Access Control List (ACL) policies, authentication policies, and IP Filtering for HP’s Fibre Channel switches. ACL policies overview Each supported Access Control List (ACL) policy listed below is identified by a specific name. Only one policy of each type can exist, except for DCC policies.

  • Page 120: Policy Members, Acl Policy Management, Valid Methods For Specifying Policy Members

    When a policy is activated, the defined policy either replaces the policy with the same name in the active set or becomes a new active policy. If a policy appears in the defined set but not in the active set, the policy was saved but has not been activated.

  • Page 121: Displaying Acl Policies, Fcs Policies, Fcs Policy States

    and switches that are not listed in that policy. You can remove one or more members from a policy. If all members are removed from a policy, that aspect of the fabric becomes closed to all access. • ”Policy database distribution”...

  • Page 122: Fcs Policy Restrictions, Overview Of Fcs Policy Management, Switch Operations

    fabric and not to pre-5.2.0 switches. Fabric OS 5.2.0 switches receive the distribution and will ignore the FCS database. FCS policy restrictions The backup FCS switches normally cannot modify the policy. However, if the Primary FCS switch in the policy list is not reachable, a backup FCS switch is allowed to modify the policy. Once an FCS policy is configured and distributed across the fabric, only the Primary FCS switch can perform certain operations.

  • Page 123: Creating An Fcs Policy, Modifying The Order Of Fcs Switches

    Activate the policy using the secPolicyActivate command. If the command is not entered, the changes are lost when the session is logged out. For more information about this command, see “ACL policy modifications” on page 126. To distribute the policies, enter either the distribute -p policy_list -d switch_list command to send the policies to intended domains, or the distribute -p policy_list -d wild_card (*) command to send the policies to all switches.

  • Page 124: Fcs Policy Distribution

    For example, to move a backup FCS switch from position 2 to position 3 in the FCS list, using interactive mode: primaryfcs:admin> secpolicyfcsmove PosPrimary WWN DIdswName. ================================================= 10:00:00:60:69:10:02:181switch5. 10:00:00:60:69:00:00:5a2switch60. 10:00:00:60:69:00:00:133switch73. Please enter position you’d like to move from : (1..3) [1] 2 Please enter position you’d like to move to : (1..3) [1] 3 ____________________________________________________ DEFINED POLICY SET...

  • Page 125: Dcc Policies, Distribution Policy States, Dcc Policy States

    configuration parameter controls whether the distribution of the policy is accepted or rejected on the local switch. Setting the configuration parameter to accept indicates distribution of the policy will be accepted and distribution may be initiated using the distribute -p command. Setting the configuration parameter to reject indicates the policy distribution is rejected and the switch may not distribute the policy.

  • Page 126: Dcc Policy Restrictions, Creating A Dcc Policy

    stale policies in the current Logical Switch or delete the stale policies after the port movements. Use the secPolicyDelete command to delete stale DCC policies. DCC policy restrictions The following restrictions apply when using DCC policies: • Some older private-loop HBAs do not respond to port login from the switch and are not enforced by the DCC policy.

  • Page 127: Deleting A Dcc Policy, Scc Policies, Scc Policy States

    • To save and activate the policy, enter the secPolicyActivate command. If neither of these commands is entered, the changes are lost when the session is logged out. For more information about these commands, see “ACL policy modifications” on page 126. Examples: Creating DCC policies To create the DCC policy DCC_POLICY_server that includes device 11:22:33:44:55:66:77:aa and port 1 and port 3 of switch domain 1:...

  • Page 128: Creating An Scc Policy, Acl Policy Modifications, Saving Changes Without Activating The Policies

    Virtual Fabric considerations: In a Logical Fabric environment the SCC policy enforcement is not done on the logical ISL. For a logical ISL-based switch, the SCC policy enforcement is considered as the reference and the logical ISL is formed if the SCC enforcement passes on the extended ISL. The following functionality changes: •...

  • Page 129: Member Modification To Existing Policies, Adding A Member To An Existing Acl Policy

    Save and activate the policy deletion by entering the secPolicyActivate command. switch:admin> secpolicydelete "DCC_POLICY_010" About to delete policy Finance_Policy. Are you sure (yes, y, no, n):[no] y Finance_Policy has been deleted. Member modification to existing policies You can add members to and remove members from the ACL policies by using the secPolicyAdd command.

  • Page 130: Dh-chap Authentication

    configured to accept FCAP protocol in authentication. To use FCAP on both switches, PKI certificates have to be installed. NOTE: The fabric authentication feature is available in base Fabric OS. No license is required. You can configure a switch with Fabric OS 5.3.0 or later to use DH-CHAP for device authentication. Use the authUtil command to configure the authentication parameters used by the switch.

  • Page 131: E_port Authentication

    The AUTH policy is designed to accommodate mixed fabric environments that contain Fabric OS 6.0.0 and later along with pre-6.0.0 switches. The policy states PASSIVE and OFF allow connection from Fabric OS 6.0.0 and later switches to pre-6.0.0 switches. These policy states do not allow switches to send the authentication negotiation and therefore continue with the rest of port initialization.

  • Page 132: Device Authentication Policy

    The authentication begins automatically during the E_Port initialization. A switch with this policy can safely connect to pre-6.0.0 switches, since it continues E_Port initialization if the connecting switch does not support authentication. The switches with firmware pre-3.2.0 do not support FCAP or DH-CHAP authentication, so an E_Port initializes without authentication.

  • Page 133: Auth Policy Restrictions, Supported Hbas, Authentication Protocols

    PASSIVE Authentication is optional. If the attached device is capable of doing the authentication, the switch participates in authentication; otherwise it forms an F_Port without authentication. In PASSIVE mode, an F_Port is disabled if the HBA shared secret does not match with the secret installed on the switch.

  • Page 134: Viewing The Current Authentication Parameter Settings For A Switch

    • 00 for the DH Null option • 01 for the 1024 bit key • 02 for the 1280 bit key • 03 for the 1536 bit key • 04 for the 2048 bit key This section illustrates using the authUtil command to display the current authentication parameters and to set the authentication protocol to DH-CHAP.

  • Page 135: Secret Key Pairs, Viewing The List Of Secret Key Pairs In The Current Switch Database

    Example: All E_Ports on the switch switch:admin> authutil --authinit allE Example: Enterprise-class platforms using the slot/port format switch:admin> authutil --authinit 1/1, 1/2 Secret key pairs When you configure the switches at both ends of a link to use DH-CHAP for authentication, you must also define a secret key pair—one for each end of the link.

  • Page 136: Fabric-wide Distribution Of The Auth Policy, Accept Distributions Configuration Parameter

    loops through a sequence of switch specification, peer secret entry, and local secret entry. To exit the loop, press Enter for the switch name; and then enter y. switchA:admin> secauthsecret --set This command is used to set up secret keys for the DH-CHAP authentication. The minimum length of a secret key is 8 characters and maximum 40 characters.

  • Page 137: Ip Filter Policy, Creating An Ip Filter Policy, Cloning An Ip Filter Policy

    IP Filter policy The IP Filter policy is a set of rules applied to the IP management interfaces as a packet filtering firewall. The firewall permits or denies the traffic to go through the IP management interfaces according to the policy rules.

  • Page 138: Saving An Ip Filter Policy, Activating An Ip Filter Policy, Deleting An Ip Filter Policy

    Enter the following command: ipfilter --show [<policyname>] where <policyname> is the name of the policy and is optional. Saving an IP Filter policy You can save one or all IP Filter policies persistently in the defined configuration. The policy name is optional for this subcommand.

  • Page 139: Supported Services, Implicit Ip Filter Rules

    For an IPv4 filter policy, the source address has to be a 32-bit IPv4 address in dot decimal notation. The group prefix has to be a CIDR block prefix representation. For example, 208.130.32.0/24 represents a 24-bit IPv4 prefix starting from the most significant bit. The special prefix 0.0.0.0/0 matches any IPv4 address.

  • Page 140: Ip Filter Policy Enforcement, Adding A Rule To An Ip Filter Policy

    A switch with Fabric OS 5.3.0 or later will have a default IP Filter policy for IPv4 and IPv6. The default IP Filter policy cannot be deleted or changed. When an alternative IP Filter policy is activated, the default IP Filter policy becomes deactivated.

  • Page 141: Deleting A Rule To An Ip Filter Policy, Aborting A Transaction Associated With Ip Filter

    -rule rule number: Specifies a valid rule number between 1 and the current maximum rule number plus 1. -sip source IP: Specifies the source IP address. For IPv4 filter type, the address must be a 32-bit address in dot decimal notation, or a CIDR block IPv4 prefix. For IPv6 filter type, the address must be a 128-bit IPv6 address in any format specified by RFC, or a CIDR block IPv6 prefix.

  • Page 142: Database Distribution Settings, Interaction Between Fabric-wide Consistency Policy And Distribution Settings

    The ACL policy database is managed as follows: • Switch database distribution setting: Controls whether the switch accepts or rejects databases distributed from other switches in the fabric. The distribute command sends the database from one switch to another, overwriting the target switch database with the distributed one. To send or receive a database the setting must be accept.

  • Page 143: Displaying The Database Distribution Settings, Enabling Local Switch Protection, Disabling Local Switch Protection

    Table 35 Supported policy databases Database type Database identifier (ID) Authentication policy database AUTH DCC policy database FCS policy database IP Filter policy database IPFILTER Password database SCC policy database Displaying the database distribution settings Connect to the switch and log in using an account assigned to the admin role. Enter the following command: switch:admin>...

  • Page 144: Acl Policy Distribution To Other Switches, Distributing The Local Acl Policies, Fabric-wide Enforcement

    ACL policy distribution to other switches This section explains how to manually distribute local ACL policy databases. The distribute command has the following dependencies: • All target switches must be running Fabric OS 5.2.0 or later. • All target switches must accept the database distribution (see “Database distribution settings”...

  • Page 145: Displaying The Fabric-wide Consistency Policy, Setting The Fabric-wide Consistency Policy, Fabric-wide Consistency Policy Settings

    NOTE: FC routers cannot join a fabric with a strict fabric-wide consistency policy. FC routers do not support the fabric-wide consistency policies. Table 37 on page 143 describes the fabric-wide consistency settings. Table 37 Fabric-wide consistency policy settings Setting Value When a policy is activated Absent null...

  • Page 146: Notes On Joining A Switch To The Fabric, Matching Fabric-wide Consistency Policies

    The following example shows how to set a strict SCC and tolerant DCC fabric-wide consistency policy. switch:admin> fddcfg --fabwideset "SCC:S;DCC" switch:admin> fddcfg --showall Local Switch Configuration for all Databases:- DATABASE Accept/Reject --------------------------------- accept accept accept accept AUTH accept IPFILTER accept Fabric Wide Consistency Policy:- "SCC:S;DCC"...

  • Page 147: Non-matching Fabric-wide Consistency Policies, Merging Fabrics With Matching Fabric-wide Consistency Policies

    Table 38 describes the impact of merging fabrics with the same fabric-wide consistency policy that have SCC, DCC, or both policies. Table 38 Merging fabrics with matching fabric-wide consistency policies Fabric-wide Fabric A Fabric B Merge Database copied consistency ACL policies ACL policies results policy...

  • Page 148: Securing The Management Interface, Configuration Examples, Endpoint-to-endpoint Transport Or Tunnel, Fabric Merges With Tolerant/absent Combinations

    Table 40 Fabric merges with tolerant/absent combinations Fabric-wide consistency policy setting Expected behavior Policy type Fabric A Fabric B Tolerant/Absent SCC;DCC Error message logged. Run fddCfg --fabwideset "<policy_ID>" from any switch SCC;DCC with the desired configuration to fix the conflict. The secPolicyActivate command is blocked until conflict is resolved.

  • Page 149: Gateway-to-gateway Tunnel, Endpoint-to-gateway Tunnel, Roadwarrior Configuration, Protected Endpoints Configuration, Gateway Tunnel Configuration

    It is possible in this scenario that one or both of the protected endpoints will be behind a network address translation (NAT) node, in which case the tunneled packets will have to be UDP-encapsulated so that port numbers in the UDP headers can be used to identify individual endpoints behind the NAT. Figure 5 Protected endpoints configuration A possible drawback of end-to-end security is that various applications that require the ability to inspect or...

  • Page 150: Nested Configurations, Ipsec Protocols, Security Associations, Ipsec Sa-proposal, Authentication And Encryption Algorithms

    Nested Configurations You can configure other scenarios as nested combinations of the above configurations. IPsec protocols IPsec uses two different protocols, Authentication Header (AH) and Encapsulating Security Payload (ESP), to ensure the authentication, integrity, and confidentiality of the communication. To protect the integrity of the IP datagram, the IPsec protocols use hash message authentication codes (HMAC).

  • Page 151: Block Ciphers, Hmac, Blowfish

    Table 41 Algorithms and associated authentication policies Algorithm Encryption Level Policy 128-bit aes128_cbc 256-bit aes256_cbc null_enc Block ciphers In cryptography, a block cipher is a symmetric key cipher which operates on fixed-length groups of bits, termed blocks, with an unvarying transformation. For example, when encrypting, a block cipher might take a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext.

  • Page 152: Null Encryption, Ipsec Policies, Ipsec Traffic Selector, Ipsec Transform, Ike Policies, Key Management

    operations), not a Feistel network. The cipher is specified in terms of repetitions of processing steps that are applied to make up rounds of keyed transformations between the input plain-text and the final output of cipher-text. A set of reverse rounds is applied to transform cipher-text back into the original plain-text using the same encryption key.

  • Page 153: Pre-shared Keys, Security Certificates, Static Security Associations, Creating The Tunnel

    is used for the creation of the security associations, the switch populates the security association database (SAD) accordingly. Pre-shared keys A pre-shared key is one of the available methods for configuring IKE to use for primary authentication. You can specify the pre-shared keys used in IKE policies. You can also add and delete pre-shared keys (in local database) corresponding to the identity of the IKE peer or group of peers.

  • Page 154

    See Chapter 3, “Configuring standard security features” on page 99 for information on how to set up pre-shared keys and certificates. Configure the IKE policy using the ipSecConfig add policy ike -tag name -remote IP_address[/prefixlength] -id IP_address[/prefixlength] -remoteid IP_address[/prefixlength] -enc algorithm -hash algorithm -prf algorithm -auth psk|dss|rsasig -dh number -psk file command.

  • Page 155: Example Of An End-to-end Transport Tunnel Mode

    Example of an End-to-End Transport Tunnel mode This example illustrates securing traffic between two systems using AH protection with MD5 and configuring IKE with pre-shared keys. The following list defines the switch models and their associated IP addresses. • The two systems are named BRCD300 and BRCD7500. •...

  • Page 156: Fips Support, Zeroization Functions, Zeroization Behavior

    Generate IP traffic and verify that it is protected using defined policies. a. Initiate Telnet or SSH or ping session from BRCD300 to BRCD7500. b. Verify that the IP traffic is encapsulated. c. Monitor IPsec SAs created using IKE for the above traffic flow. •...

  • Page 157: Power-on Self Tests, Conditional Tests, Fips Mode Configuration

    Table 42 Zeroization Behavior (continued) Keys Zeroization CLI Description SSH Session Key No CLI required Generated for each SSH session that is established to and from the host. Automatically zeroizes on session termination. SSH RSA private Key No CLI required Key-based SSH authentication is not used for SSH sessions.

  • Page 158: Ldap In Fips Mode, Fips Mode Restrictions, Fips And Non-fips Modes Of Operation

    Only FIPS-compliant algorithms are run at this stage. Table 43 FIPS mode restrictions Features FIPS mode Non-FIPS mode Root account Disabled Enabled Telnet/SSH access Only SSH Telnet and SSH • HMAC-SHA1 (mac) SSH algorithms No restrictions • 3DES-CBC, AES128-CBC, AES192-CBC, AES256-CBC (cipher suites) HTTP/HTTPS access HTTPS only...

  • Page 159: Setting Up Ldap For Fips Mode

    Setting up LDAP for FIPS mode Set the switch authentication mode and add your LDAP server by using the commands in the example below. Provide the Fully Qualified Domain Name (FQDN) of the Active Directory server for the hostname parameter while configuring LDAP. Example: Setting up LDAP for FIPS mode switch:admin>...

  • Page 160: Ldap Certificates For Fips Mode, Importing An Ldap Switch Certificate, Exporting An Ldap Switch Certificate

    For additional Microsoft Active Directory settings: a. Set the following SCHANNEL settings listed in Table 45 to allow. To support FIPS compliant TLS cipher suites on Microsoft’s Active Directory server, allow the SCHANNEL settings listed in Table 45. See www.microsoft.com for instructions on how to allow the SCHANNEL settings for the ciphers, hashes, key exchange, and the TLS protocol.

  • Page 161: Deleting An Ldap Switch Certificate, Preparing The Switch For Fips, Overview Of Steps

    Example of exporting an LDAP CA certificate switch:admin> seccertutil export -ldapcacert Select protocol [ftp or scp]: scp Enter IP address: 192.168.38.206 Enter remote directory: /users/aUser/certs Enter Login Name: aUser Enter LDAP certificate name (must have ".pem" \ suffix):LDAPTestCa.cer Password: <hidden> Success: exported LDAP certificate Deleting an LDAP switch certificate This option deletes the LDAP CA certificate from the switch.

  • Page 162: Enabling Fips Mode

    Enabling FIPS mode Log in to the switch using an account assigned the admin or securityAdmin role. Optional: Select the appropriate method based on your needs: • If the switch is set for RADIUS, modify each server to use only peap-mschapv2 as the authentication protocol using the aaaConfig change or aaaConfig remove command.

  • Page 163: Disabling Fips Mode, Zeroizing For Fips, Displaying Fips Configuration

    Enter the following command to block access to root: userconfig --change root -e no By disabling the root account, RADIUS and LDAP users with root roles are also blocked in FIPS mode. Verify that your switch is FIPS ready: fipscfg --verify fips Enter the command fipsCfg enable fips.

  • Page 164

    162 Configuring advanced security features...

  • Page 165: Maintaining The Switch Configuration File, Configuration Settings, Configuration File Format

    Maintaining the switch configuration file This chapter provides procedures for basic switch configuration maintenance. Configuration settings It is important to maintain consistent configuration settings on all switches in the same fabric because inconsistent parameters, such as inconsistent PID formats, can cause fabric segmentation. As part of standard configuration maintenance procedures, HP recommends that you back up all important configuration data for every switch on a host computer server for emergency reference.

  • Page 166: Chassis Section

    Example: Configuration file [Configuration upload Information] Configuration Format = 2.0 date = Thu Oct 9 21:22:25 2008 FOS version = v6.2.0.0 Number of LS = 2 [Chassis Configuration Begin] [fcRouting] [Chassis Configuration] [LicensesDB] [DMM_WWN] [Licenses] [Chassis Configuration End] date = Thu Oct 9 21:22:25 2008 [Switch Configuration Begin : 0] SwitchName = n200...

  • Page 167: Switch Section, Configuration File Backup, Uploading A Configuration File In Interactive Mode

    Switch section There is always at least one switch section for the default switch or a switch that has Virtual Fabric mode disabled. There are additional sections corresponding to each additionally defined Logical Switch instance on a switch with Virtual Fabrics mode enabled. These are the switch-specific data that affect only that Logical Switch’s behavior.

  • Page 168: Configuration File Restoration

    Respond to the prompts as follows: Protocol (scp or ftp): If your site requires the use of Secure Copy, specify SCP. Otherwise, specify FTP. If you leave it blank, the default specified in the brackets ( [ ] ) is used. Enter the name or IP address of the server where the file is to be stored;...

  • Page 169: Restrictions

    CAUTION: Make sure that the configuration file you are downloading is compatible with your switch model, because configuration files from other model switches or firmware versions might cause your switch to fail. If your setup supports anonymous users, and you log in as an anonymous user, password is still a required field, even though its value may be ignored by the FTP service.

  • Page 170: Configuration Download Without Disabling A Switch, Restoring A Configuration

    In case something happens to your switch and you need to set it up again, run the commands listed in Table 46 and save the output in a file format. Store the files in a safe place for emergency reference. Table 46 CLI commands to display or modify switch configuration information Command...

  • Page 171

    Respond to the prompts as follows: Protocol (scp or ftp): If your site requires the use of Secure Copy, specify scp. Otherwise, specify ftp. Server Name or IP: Enter the name or IP address of the server where the file is stored; for example, 192.1.2.3.

  • Page 172: Configurations Across A Fabric

    The following example shows configDownload run on a switch with Admin Domains: switch:AD5:admin>configdownload Protocol (scp or ftp) [ftp]: Server Name or IP Address [host]: 10.1.2.3 User Name [user]: JohnDoe File Name [config.txt]: /pub/configurations/config.txt *** CAUTION *** This command is used to download a backed-up configuration for a specific switch.

  • Page 173: Downloading A Configuration File From One Switch To Another Same Model Switch, Security Considerations

    CAUTION: Do not download a configuration file from one switch to another switch that is a different model or firmware version, because it can cause the switch to fail. If you need to reset affected switches, enter the configDefault command. IMPORTANT: Verify that all domain IDs are unique prior to performing the configDownload because the switches will segment if they all have the same domain ID.

  • Page 174: B-series Configuration Form, B-series Configuration And Connection

    If fmsmode is enabled in a configuration file, but is disabled on the switch, the configDownload command fails and displays an error message. This prevents undesirable conditions that could result from enabling fmsmode on a switch that does not require it. B-Series configuration form Use this form (Table...

  • Page 175: Managing Virtual Fabrics, Virtual Fabrics Overview, Logical Switch, Default Logical Switch

    Managing virtual fabrics Virtual Fabrics overview Virtual Fabrics is an architecture used to virtualize hardware boundaries. Traditionally, SAN design and management is done at the granularity of a physical switch. The Virtual Fabrics feature allows SAN design and management to be done at the granularity of a port. Virtual Fabrics is a suite of related features that can be customized based on your needs.

  • Page 176: Logical Switches And Fabric Ids, Switch Before And After Enabling Virtual Fabrics

    Before enabling Virtual Fabrics After enabling Virtual Fabrics Physical chassis Physical chassis Default logical switch Figure 8 Switch before and after enabling Virtual Fabrics After you enable Virtual Fabrics, you can create up to eight Logical Switches, depending on the switch model.

  • Page 177: Port Assignment In Logical Switches, Fabric Ids Assigned To Logical Switches

    already assigned FID 15 in the chassis. Each Logical Switch must have a unique fabric ID within the chassis. The default Logical Switch is initially assigned FID 128. You can change this value later. Physical chassis Logical switch 1 (Default logical switch) (FID = 128) Logical switch 2 (FID = 1)

  • Page 178: Logical Switches And Connected Devices, Logical Switches Connected To Devices And Non-virtual Fabrics Switch

    • If you want to remove a port from a Logical Switch, you must move it to a different Logical Switch. For example, if you want to remove P4 from logical switch 3, you must assign it to a different Logical Switch, either logical switch 2, logical switch 4, or logical switch 1 (the default Logical Switch).

  • Page 179: Logical Fabric, Logical Fabric And Isls

    Switch 1 Fabric 128 Switch 2 Switch 3 Switch 4 Fabric 1 Fabric 15 Fabric 8 Figure 13 Logical Switches in a single chassis belonging to separate fabrics If you want to allow device sharing across fabrics in a Virtual Fabrics environment, see ”FC-FC routing and Virtual Fabrics”...

  • Page 180: Logical Fabric And Isl Sharing, Logical Switches Connected To Form Logical Fabrics

    Fabric 15 Fabric 128 Fabric 8 Fabric 1 Figure 15 Logical Switches connected to form Logical Fabrics The ISLs between the Logical Switches are dedicated ISLs because they carry traffic only for a single Logical Fabric. In Figure 14, Fabric 128 has two switches (the default Logical Switches), but they cannot communicate with each other because they have no ISLs between them and they cannot use the ISLs between the other Logical Switches.

  • Page 181: Base Switches Connected By An Xisl, Logical Isls Connecting Logical Switches

    Physical chassis 1 Physical chassis 2 Logical switch 1 Logical switch 5 (Default logical switch) (Default logical switch) Fabric ID 128 Fabric ID 128 Logical switch 2 Logical switch 6 Fabric ID 1 Fabric ID 1 Logical switch 3 Logical switch 7 Fabric ID 15 Fabric ID 15 XISL...

  • Page 182: Logical Fabric Formation, Management Model For Logical Switches, Logical Fabric Using Isls And Xisls

    Physical chassis 1 Physical chassis 2 Logical switch 1 Logical switch 5 Logical ISL (Default logical switch) (Default logical switch) Fabric ID 128 Fabric ID 128 Logical switch 2 Logical switch 6 Fabric ID 1 Fabric ID 1 Logical ISL Logical ISL Logical switch 3 Logical switch 7...

  • Page 183: Account Management And Virtual Fabrics, Supported Platforms For Virtual Fabrics, Switch

    • Firmware management (one firmware applies to all Logical Switches, firmware upgrade, HA failover) • Logical Switch operations These are operations that are limited to the Logical Switch, such as displaying or changing port states. Logical Switch operations include all operations that are not covered in the chassis management operations.

  • Page 184: Dc04 San Director, Virtual Fabrics Interaction With Other Fabric Os Features

    Supported port configurations in the HP StorageWorks DC SAN Backbone Director and HP StorageWorks DC04 SAN Director Some of the ports in the HP StorageWorks DC SAN Backbone Director and HP StorageWorks DC04 SAN Director are not supported on all types of Logical Switches. The following is a list of which ports are supported on which Logical Switches: •...

  • Page 185: Limitations And Restrictions Of Virtual Fabrics, Maximum Number Of Logical Switches Per Chassis

    Table 49 Virtual Fabrics interaction with Fabric OS features (continued) Fabric OS feature Interaction with Virtual Fabrics Interoperability mode In interoperability modes 2 and 3, you cannot use XISL in the Logical Fabric. The Logical Switches must be connected only with ISLs. Licensing Licenses are required for all Logical Switches in a chassis.

  • Page 186: Enabling Virtual Fabrics, Disabling Virtual Fabrics

    Enabling Virtual Fabrics Virtual Fabrics is disabled by default on switches that you upgrade to Fabric OS 6.2.0 or later. Virtual Fabrics is enabled by default on a new chassis. Before you can use the Virtual Fabrics features, such as Logical Switch and Logical Fabric, you must enable Virtual Fabrics.

  • Page 187: Creating A Logical Switch Or Base Switch

    The following example checks whether Virtual Fabrics is enabled or disabled and then disables it: switchA:FID128:admin> fosconfig --show FC Routing service: disabled iSCSI service: Service not supported on this Platform iSNS client service: Service not supported on this Platform Virtual Fabric: enabled switch:admin>...

  • Page 188: Deleting A Logical Switch, Adding And Removing Ports On A Logical Switch

    Deleting a Logical Switch The following procedure describes how to delete a Logical Switch. You must remove all ports from the Logical Switch before deleting it. You cannot delete the default Logical Switch. Connect to the physical chassis and log in using an account assigned to the admin role. Remove all ports from the Logical Switch, as described in ”Adding and removing ports on a Logical Switch”...

  • Page 189: Displaying Logical Switch Configuration, Changing The Fabric Id Of A Logical Switch

    Displaying Logical Switch configuration Connect to the physical chassis and log in using an account assigned to the admin role with the chassis-role permission. Enter the following command to display a list of all Logical Switches and the ports assigned to them: lscfg --show [ -provision ] If the -provision option is specified, all ports on all slots are displayed, regardless of the slot status.

  • Page 190: Changing The Context To A Different Logical Fabric, Creating A Logical Fabric Using Xisls

    where fabricID is the fabric ID of the Logical Switch you want to switch to and manage. Enter the switchshow command and check the Allow XISL Use parameter to verify whether the switch is configured to use XISLs: switch218:FID128:admin> switchshow switchName: switch218 switchType:...

  • Page 191: Example Of Logical Fabrics In Multiple Chassis And Xisls

    Physical chassis 1 Physical chassis 2 Logical switch 1 Logical switch 5 (Default logical switch) (Default logical switch) Fabric ID 128 Fabric ID 128 Logical switch 2 Logical switch 6 Fabric ID 1 Fabric ID 1 Logical switch 3 Logical switch 7 Fabric ID 15 Fabric ID 15 XISL...

  • Page 192

    Enable all Logical Switches by entering the following command on each Logical Switch that you created in step 4 (the base switches are already enabled): switchenable The Logical Fabric is formed. The fabricShow command displays all Logical Switches configured with the same fabric ID as the local switch and all non-Virtual Fabric switches connected through ISLs to these Logical Switches.

  • Page 193: Managing Administrative Domains, Administrative Domains Overview

    Managing administrative domains Administrative Domains overview An Administrative Domain (Admin Domain or AD) is a logical grouping of fabric elements that defines which switches, ports, and devices you can view and modify. An Admin Domain is a filtered administrative view of the fabric. NOTE: If you do not implement Admin Domains, the feature has no impact on users and you can ignore this chapter.

  • Page 194: Admin Domain Features, Fabric With Two Admin Domains, Filtered Fabric Views When Using Admin Domains

    Figure 20 shows a fabric with two Admin Domains: AD1 and AD2. Figure 20 Fabric with two Admin Domains Figure 21 shows how users get a filtered view of this fabric, depending on which Admin Domain they are in. As shown in Figure 21, users can see all switches and E_Ports in the fabric, regardless of their Admin Domain;...

  • Page 195: Requirements For Admin Domains, Admin Domain Access Levels

    • Have a separate zone database for each Admin Domain. See ”Admin Domains, zones, and zone databases” on page 210 for more information. • Move devices from one Admin Domain to another without traffic disruption, cable reconnects, or discontinuity in zone enforcement. •...

  • Page 196: User-defined Administrative Domains, System-defined Administrative Domains, Ad User Types

    Table 51 lists each Admin Domain user type and describes its administrative access and capabilities. Table 51 AD user types User type Description Physical fabric User account with admin role and with access to all Admin Domains (AD0 through administrator AD255).

  • Page 197: Ad255, Admin Domains And Login, Fabric With Ad0 And Ad255

    When a new device is added to the fabric, it automatically becomes an implicit member of AD0 until it is explicitly added to another Admin Domain. AD0 is useful when you create Admin Domains because you can see which devices, switch ports, and switches are not yet assigned to any Admin Domains.

  • Page 198: Admin Domain Member Types, Device Members, Switch Port Members

    • For default accounts such as admin and user, the home Admin Domain defaults to AD0 and cannot be changed. • The Admin Domain list for the default admin account is 0–255, which gives this account automatic access to any Admin Domain as soon as the domain is created, and makes this account a physical fabric administrator.

  • Page 199: Switch Members, Admin Domains And Switch Wwn

    NOTE: If the switch domain ID changes, the domain,index members are invalid (they are not automatically changed). You must then reconfigure the Admin Domain with the current domain,index members. Switch members Switch members are defined by the switch WWN or domain ID, and have the following properties: •...

  • Page 200: Admin Domain Compatibility, Availability, And Merging, Fabric Showing Switch And Device Wwns

    WWN = 10:00:00:00:c7:2b:fd:a3 WWN = 10:00:00:00:c2:37:2b:a3 Domain ID = 1 Domain ID = 2 WWN = 10:00:00:05:1f:05:23:6f WWN = 10:00:00:05:2e:06:34:6e WWN = 10:00:00:00:c8:3a:fe:a2 Figure 23 Fabric showing switch and device WWNs Figure 24 shows the filtered view of the fabric as seen from AD3 and AD4. The switch WWNs are converted to the NAA=5 syntax;...

  • Page 201: Firmware Upgrade Considerations, Admin Domain Management For Physical Fabric Administrators, Isolated Subfabrics

    • In mixed-fabric configurations, the legacy switches allow unfiltered access to the fabric and its devices; therefore, these legacy switches should be managed by the physical fabric administrator. • You must zone all ports and devices from legacy switches in the AD0 root zone database. •...

  • Page 202: Setting The Default Zone Mode, Creating An Admin Domain

    See the Fabric OS Command Reference for detailed information about CLI syntax and options. Setting the default zone mode To begin implementing an Admin Domain structure within your SAN, you must first set the default zone mode to No Access. You must be in AD0 to change the default zone mode. Log in to an AD-capable switch in the fabric with the appropriate RBAC role.

  • Page 203: Assigning A User To An Admin Domain

    Disable Virtual Fabrics, if necessary, as described in ”Disabling Virtual Fabrics” on page 184. Admin Domains and Virtual Fabrics cannot co-exist. Set the default zone mode to No Access, if you have not already done so. See ”Setting the default zone mode”...

  • Page 204: Creating A New User Account For Managing Admin Domains

    Creating a new user account for managing Admin Domains Connect to the switch and log in as admin. Enter the userConfig add command using the -r option to set the role, the -a option to provide access to Admin Domains, and the -h option to specify the home Admin Domain. userconfig --add username -r role -h home_AD -a "AD_list"...

  • Page 205: Activating An Admin Domain, Deactivating An Admin Domain

    Activating an Admin Domain An Admin Domain can be in either an active or inactive state. When you create an Admin Domain, it is automatically in the active state. Connect to the switch and log in as admin. Switch to the AD255 context, if you are not already in that context. ad --select 255 Enter the ad activate option.

  • Page 206: Adding Members To An Existing Admin Domain, Connect To An Ad-capable Switch And Log In As Admin

    The following example deactivates Admin Domain AD_B4. switch:AD255:admin> ad --deactivate AD_B4 You are about to deactivate an AD. This operation will fail if an effective zone configuration exists in the Do you want to deactivate ’AD_B5’ admin domain (yes, y, no, n): [no] y switch:AD255:admin>...

  • Page 207: Renaming An Admin Domain, Deleting An Admin Domain

    Renaming an Admin Domain Use this procedure if you want to change the name of an Admin Domain. You can also change auto-assigned names (ADn). Connect to the switch and log in as admin. Switch to the AD255 context, if you are not already in that context. ad --select 255 Enter the ad rename command with the present name and the new name.

  • Page 208: Deleting All User-defined Admin Domains, Validating An Admin Domain Member List

    Deleting all user-defined Admin Domains When you clear the Admin Domain configuration, all user-defined Admin Domains are deleted, the explicit membership list of AD0 is cleared, and all fabric resources (switches, ports, and devices) are returned to the implicit membership list of AD0. You cannot clear the Admin Domain configuration if zone configurations exist in any of the user-defined Admin Domains.

  • Page 209: San Management With Admin Domains, Cli Commands In An Ad Context

    The following example validates the member list of Admin Domain 10 in the current transaction buffer. switch:AD255:admin> ad --validate 10 -m 0 Current AD Number: 255 AD Name: AD255 Transaction buffer configuration: --------------------------------- AD Number: AD Name: ad2 State: Active Switch port members: 1,1;...

  • Page 210: Executing A Command In A Different Ad Context, Displaying An Admin Domain Configuration

    Executing a command in a different AD context You can execute a command in an Admin Domain that is different from your current AD context. The Admin Domain must be one that you can access. This option creates a new shell with the current user_id, switches to the specified Admin Domain, performs the specified command, and exits the shell.

  • Page 211: Admin Domain Interactions With Other Fabric Os Features, Admin Domain Interaction With Fabric Os Features

    Connect to the switch and log in as any user type. Enter the ad select command and the Admin Domain you want to switch to. Leave the new Admin Domain context by exiting from the shell. logout You cannot switch to another Admin Domain context from within the shell created by ad select.

  • Page 212: Admin Domains, Zones, And Zone Databases

    Fabric OS feature Admin Domain interaction FICON • Admin Domains support FICON. However, you must perform additional steps because FICON management (CUP) requires additional physical control of the ports. You must set up the switch as a physical member of the FICON AD. •...

  • Page 213: Admin Domains And Lsan Zones

    ”Validating a zone” on page 249 for instructions on using the zone validate command. For more information about the zone command and its use with Admin Domains, see the Fabric OS Command Reference. NOTE: AD zone databases do not have an enforced size limit. The zone database size is calculated by the upper limit of the AD membership definition and the sum of all the zone databases for each AD.

  • Page 214: Configuration Upload And Download In An Ad Context

    Configuration upload and download in an AD context The behavior of the configUpload and configDownload commands varies depending on the AD context and whether the switch is a member of the current Admin Domain. In the AD context, these commands include only the zone configuration of the current Admin Domain. If the switch is a member of the Admin Domain, all switch configuration parameters are saved and the zone database for that Admin Domain is also saved.

  • Page 215: Installing And Maintaining Firmware, Firmware Download Process Overview

    Installing and maintaining firmware Firmware download process overview Fabric OS 6.2.0 provides nondisruptive firmware installation. This chapter refers to the following specific types of blades inserted into either the HP StorageWorks 4/256 SAN Director or HP StorageWorks DC SAN Backbone Director and HP StorageWorks DC04 SAN Director Switch platforms: •...

  • Page 216: Upgrading And Downgrading Firmware, Effects Of Firmware Changes On Accounts And Passwords

    If you are using an HP StorageWorks 4/256 SAN Director, or an HP StorageWorks DC SAN Backbone Director or HP StorageWorks DC04 SAN Director Switch enterprise-class platform, with one or more AP blades: The Fabric OS automatically detects mismatches between the active CP firmware and the blade’s firmware.

  • Page 217: High Available Sync State, Preparing For A Firmware Download, Enterprise-class Platform Ha Sync States

    High Available sync state HA synchronization occurs when two CPs in an enterprise-class platform are synchronized. This state provides redundancy and a non-disruptive firmware download. In order for a firmware download to successfully occur, the two CPs in an enterprise-class platform must be in sync. If the CPs have mixed versions when you enter the firmwareDownload command, the CPs may not be in HA sync.

  • Page 218: Connected Switches, Finding The Switch Firmware Version

    NOTE: IPv6 and DNS are supported by firmwareDownload in 6.0.0 or later. If DNS is enabled and a server name instead of a server IP address is specified in the command line, firmwareDownload determines whether IPv4 or IPv6 should be used. To be able to mention the FTP server by name, you must enter at least one DNS server using the dnsConfig command.

  • Page 219: Obtain And Decompress Firmware, Firmware Download On Switches, Switch Firmware Download Process Overview

    Obtain and decompress firmware Firmware upgrades are available for customers on the HP website http://www.hp.com. You must decompress the firmware before you can use the firmwareDownload command to update the firmware on your equipment. Use the UNIX tar command for .tar files, the gunzip command for all .gz files, or a Windows unzip program for all .zip files. When you unpack the downloaded firmware, it expands into a directory that is named according to the version of Fabric OS it contains.

  • Page 220: Upgrading Firmware For Switch And Router Products

    The upgrade process first downloads and then commits the firmware to the switch. While the upgrade is proceeding, you can start a session on the switch and use the firmwareDownloadStatus command to observe the upgrade progress if you wish. CAUTION: After you start the process, do not enter any disruptive commands (such as reboot) that will interrupt the process.

  • Page 221: Firmware Download On An Enterprise-class Platform

    Network protocol: Specify the file transfer protocol used to download the firmware from the file server. Valid values are FTP and SCP. The values are not case-sensitive. If -p is not specified, firmwareDownload will determine the protocol automatically by checking the config.security parameter on the switch.

  • Page 222: Enterprise-class Platform Firmware Download Process Overview, Upgrading Firmware On Enterprise-class Platforms (including Blades)

    During the upgrade process, the director fails over to its standby CP blade and the IP address for the enterprise-class platform moves to that CP blade's Ethernet port. This may cause informational ARP address reassignment messages to appear on other switches in the fabric. This is normal behavior, because the association between the IP addresses and MAC addresses has changed.

  • Page 223

    Use the firmwareShow command to check the current firmware version on connected switches. Upgrade the firmware, if necessary, before proceeding with upgrading this switch. ”Connected switches” on page 216 Enter the haShow command to confirm that the two CP blades are synchronized. In the following example, the active CP blade is CP0 and the standby CP blade is CP1: switch:admin>...

  • Page 224

    NOTE: HP does not support the FA4-18 product. sw77:admin> firmwaredownload Type of Firmware (FOS, SAS, or any application) [FOS]: Server Name or IP Address: 192.168.32.10 Network Protocol (1-auto-select, 2-FTP, 3-SCP) [1]: User Name: userfoo File Name: /home/userfoo/v6.2.0 Password: Verifying the input parameters …...

  • Page 225

    As an option, after the failover, connect to the switch, and log in again as admin. Using a separate session to connect to the switch, enter the firmwareDownloadStatus command to monitor the firmware download status. sw77:admin> firmwareDownloadstatus [1]: Thu Mar 06 00:30:49 2008 Slot 2 (SAS): Firmware is being downloaded to the blade.

  • Page 226: Firmware Download From A Usb Device, Enabling Usb, Viewing The Usb File System

    NOTE: HP does not support the FA4-18 product. switch:admin> firmwareshow Slot Name Appl Primary/Secondary Versions Status ----------------------------------------------------------- FA4-18 v6.2.0 v6.2.0 v3.3.0 v3.3.0 v3.3.0 v3.3.0 v6.2.0Standby * v6.2.0 v6.2.0Active v6.2.0 7 FA4-18 v6.2.0 v6.2.0 v3.3.0 v3.3.0 v3.3.0 v3.3.0 Local CP Note: If Local CP and Remote CP have different versions of firmware, please retry firmwaredownload command.

  • Page 227: Downloading The 6.2.0 Image Using The Relative Path

    Enter the usbStorage -l command: BrcdDCXBB:admin> usbstorage -l firmware\ 381MB 2008 Sep 28 15:33 v6.2.0\ 381MB 2008 Oct 19 10:39 config\ 2008 Sep 28 15:33 support\ 2008 Sep 28 15:33 firmwarekey\ 2008 Sep 28 15:33 Available space on usbstorage 79% Downloading the 6.2.0 image using the relative path Log in to the switch as admin.

  • Page 228: Updating The Firmwarekey, The Firmwaredownload Command, Configuring The Switch For Signed Firmware

    A different firmware key pair is created for digitally signed firmware releases. The private key file for the digitally signed firmware releases is used to sign released firmware, and the public key file is packaged inside these digitally signed firmware releases. NOTE: If FIPS is enabled, all logins should be done through SSH or direct serial and the transfer protocol should be SCP.

  • Page 229: Power-on Firmware Checksum Test, Test And Restore Firmware On Switches

    cfgload attributes Select Yes. The following questions are displayed: Enforce secure config Upload/Download: Select yes Enforce signed firmware download: Select yes Default is no; press Enter to select default setting. Webtools attributes Default is no; press Enter to select default setting. System Power-on Firmware Checksum Test FIPS requires the checksums of the executables and libraries on the filesystem to be validated before Fabric...

  • Page 230: Test And Restore Firmware On Enterprise-class Platforms, Testing Different Firmware Versions On Enterprise-class Platforms

    The switch will perform a reboot and come up with the new firmware to be tested. Your current switch session will automatically disconnect. Connect to the switch, log in as admin, and enter the firmwareShow command to confirm that the primary partition of the switch contains the new firmware.

  • Page 231

    Exit the session. Update the firmware on the standby CP: a. Connect to the enterprise-class platform and log in as admin to the standby CP. b. Enter the firmwareDownload -s command and respond to the prompts. At this point, the firmware should download to the standby CP only. When it has completed the download to that CP, reboot it.

  • Page 232

    Perform a commit on the standby CP. From the current enterprise-class platform session on the standby CP, enter the firmwareCommit command to update the secondary partition with new firmware. It takes several minutes to complete the commit operation. Do not do anything on the enterprise-class platform while this operation is in process.

  • Page 233: Validating A Firmware Download

    Validating a firmware download Validate the firmware download by running the following commands: firmwareShow, firmwareDownloadStatus, nsShow, nsAllShow, and fabricShow. NOTE: When you prepared for the firmware download earlier, you entered either the supportShow or supportSave command. Although you can enter the command again and compare the output from before and after, it may take up to 30 minutes for the command to execute.


  • Page 235: Administering Advanced Zoning, Zoning Overview, Zoning Example

    Administering advanced zoning Zoning overview Zoning enables you to partition your storage area network (SAN) into logical groups of devices that can access each other. A device can communicate only with other devices connected to the fabric within its specified zone. For example, you can partition your SAN into two zones, winzone and unixzone, so that your Windows servers and storage do not interact with your UNIX servers and storage.

  • Page 236: Zone Types, Types Of Zoning, Approaches To Fabric-based Zoning

    To list the commands associated with zoning, use the zoneHelp command. For detailed information on the zoning commands used in the procedures, see the Fabric OS Command Reference or the online man page for each command. NOTE: The information in this chapter applies to Brocade Native mode only. For information about zoning in InteropMode 2 or 3, see Chapter 12, ”Interoperability for merged SANs”...

  • Page 237: Zone Objects

    Table 58 Approaches to fabric-based zoning. Columns: Zoning approach; Description. Recommended approach. Single HBA: Zoning by single HBA most closely re-creates the original SCSI bus. Each zone created has only one HBA (initiator) in the zone; each of the target devices is added to the zone.

  • Page 238: Zoning Schemes, Zone Aliases, Zone Configurations

    Zone objects identified by port number or index number are specified as a pair of decimal numbers in the form d, index, where d is the domain ID of the switch and index is the index number on that switch in relation to the port you want to specify.

  • Page 239: Zoning Enforcement, Software-enforced Zoning, Hardware-enforced Zoning

    Zone configurations A zone configuration is a group of one or more zones. A zone can be included in more than one zone configuration. When a zone configuration is in effect, all zones that are members of that configuration are in effect.

  • Page 240

    Hardware-enforced zoning Hardware-enforced zoning means that each frame is checked by hardware (the ASIC) before it is delivered to a zone member and is discarded if there is a zone mismatch. When hardware-enforced zoning is active, the Fabric OS switch monitors the communications and blocks any frames that do not comply with the effective zone configuration.

  • Page 241: Hardware-enforced Nonoverlapping Zones, Enforcing Hardware Zoning

    Table 59 Enforcing hardware zoning. Columns: Fabric type; Methodology; Best practice. Fabric type: HP StorageWorks SAN Switch 2/8V, 2/8-EL, 2/16, 2/16-EL, 2/16V, 2/16N, 2/32, HP StorageWorks MSA SAN Switch. Methodology: Enable hardware-enforced zoning on domain,port zones, and WWN zones. Overlap of similar zone types does not result in the loss of hardware enforcement. Best practice: Use either WWN or domain,port identifiers.

  • Page 242: Identifying The Enforced Zone Type, Hardware-enforced Overlapping Zones

    [Figure 28: Hardware-enforced overlapping zones] Any zone using a mixed zoning scheme on the Fabric OS 2-Gb/s platform relies on name server authentication as well as hardware-assisted (ASIC) authentication. Hardware-assisted authentication ensures that any PLOGI, ADISC, PDISC, or ACC from an unauthorized device is rejected if that device is attempting to access a device that is not in the same zone.

  • Page 243: Considerations For Zoning Architecture, Best Practices For Zoning, Broadcast Zones

    Enter the portZoneShow command, using the following syntax: portzoneshow Considerations for zoning architecture Table 60 lists considerations for zoning architecture. Table 60 Considerations for zoning architecture. Columns: Item; Description. Type of zoning: hard or soft (session-based): HP recommends hard zoning if security is a priority. Use of aliases: Optional with zoning.

  • Page 244: Supported Switches For Broadcast Zones, Broadcast Zones And Admin Domains

    control which devices receive broadcast frames, you can create a special zone, called a broadcast zone, which restricts broadcast packets to only those devices that are members of the broadcast zone. If there are no broadcast zones or if a broadcast zone is defined but not enabled, broadcast frames are not forwarded to any F_Ports.

  • Page 245: Broadcast Zones And Fc-fc Routing, Upgrade And Downgrade Considerations For Broadcast Zones

    [Figure 31: Broadcast zones and Admin Domains] The dotted box represents the consolidated broadcast zone, which contains all of the devices that can receive broadcast packets.

  • Page 246: Loop Devices And Broadcast Zones, Backward Compatibility With Pre-5.3.0 Switches, Broadcast Zones And Default Zoning

    Loop devices and broadcast zones Delivery of broadcast packets to individual devices in a loop is not controlled by the switch. Consequently, adding loop devices to a broadcast zone does not have any effect. If a loop device is part of a broadcast zone, all devices in that loop receive broadcast packets.

  • Page 247: Adding Members To An Alias, Removing Members From An Alias

    The values represent the following: aliasname: The name of the zone alias to be created. member: A member or list of members to be added to the alias. An alias member can be specified by one or more of the following methods: •...

  • Page 248: Deleting An Alias

    Enter the aliRemove command, using the following syntax: aliremove "aliasname", "member[; member...]" where: aliasname: The name of the zone alias. member: A member or list of members to be removed from the alias. An alias member can be specified by one or more of the following methods: •...

  • Page 249: Viewing An Alias In The Defined Configuration, Zone Creation And Maintenance, Creating A Zone

    Viewing an alias in the defined configuration Connect to the switch and log in as admin. Enter the aliShow command, using the following syntax: alishow "pattern"[, mode] where: pattern: A POSIX-style regular expression used to match zone alias names. mode: Specify 0 to display the contents of the transaction buffer (the contents of the current transaction), or specify 1 to display the contents of the nonvolatile memory.

  • Page 250: Adding Devices (members) To A Zone, Removing Devices (members) From A Zone

    Enter the cfgSave command to save the change to the defined configuration: switch:admin> zonecreate "greenzone", "2,32; 2,33; 2,34; 4,4" switch:admin> zonecreate "bluezone", "21:00:00:20:37:0c:66:23; 4,3" switch:admin> zonecreate "broadcast", "1,2; 2,33; 2,34" switch:admin> cfgsave You are about to save the Defined zoning configuration. This action will only save the changes on the Defined configuration.

  • Page 251: Deleting A Zone, Viewing A Zone In The Defined Configuration

    where: zonename: The name of the zone to be created. member: A member or list of members to be removed from the zone. A zone member can be specified by one or more of the following methods: • A domain,port pair •...

  • Page 252: Validating A Zone

    where: pattern: A POSIX-style regular expression used to match zone names. mode: Specify 0 to display the contents of the transaction buffer (the contents of the current transaction), or specify 1 to display the contents of the nonvolatile memory. The default value is 0. The following example shows all zones beginning with A, B, or C: switch:admin>...

  • Page 253: Default Zoning Mode, Setting The Default Zoning Mode, Viewing The Current Default Zone Access Mode

    cannot specify a mode option or specify a zone object as an argument with the -f option. This mode flag should be used after the zone has been validated. For more details about the zone, cfgShow, cfgEnable, and cfgSave commands, see the Fabric OS Command Reference.

  • Page 254: Zoning Database Size And Zone Merging, Zoning Database Limitations, Resulting Database Size: 0 To 96k

    Zoning database size and zone merging Table 61 presents zoning database size limitations for various Fabric OS release versions. The maximum size of a zone database is the upper limit for the defined configuration. It is determined by the amount of flash memory available for storing the defined configuration.

  • Page 255: Resulting Database Size: 96k To 128k, Resulting Database Size: 128k To 256k

    Table 62 Resulting database size: 0 to 96K (continued) Initiator Receiver Fabric Fabric Fabric Fabric Fabric Fabric Fibre XPath 7.3 OS 3.1 OS 3.2 OS 4.0/ Channel 4.1/ 4.4.0 5.0.0/ 5.2.0 Router 5.0.1/ or later 5.1.0 Fabric OS 4.0/ Join Join Join Join...

  • Page 256: Zoning Configurations, Resulting Database Size: 256k To 1m

    Table 64 Resulting database size: 128K to 256K (continued) Initiator Receiver Fabric Fabric Fabric Fabric Fabric Fabric OS Fibre XPath 7.3 OS 3.1 OS 3.2 OS 4.0/ 5.2.0 or Channel 4.1/ 4.4.0 5.0.0/ later Router 5.0.1/ 5.1.0 Fabric OS Segment Join Segment Join...

  • Page 257: Creating A Zoning Configuration, Adding Zones (members) To A Zoning Configuration

    NOTE: For Fabric OS 5.3.0 and later, the minimum zoning database size is 4 bytes, even if the zoning database is empty. For important considerations for managing zoning in a fabric, and more details about the maximum zone database size for each version of the Fabric OS, see ”Zoning database size and zone merging”...

  • Page 258: Removing Zones (members) From A Zone Configuration, Enabling A Zone Configuration, Disabling A Zone Configuration

    The cfgSave command ends and commits the current zoning transaction buffer to both volatile and nonvolatile memory. If a transaction is open on a different switch in the fabric when this command is run, the transaction on the other switch is automatically aborted. A message is displayed on the other switches to indicate that the transaction was aborted.

  • Page 259: Deleting A Zone Configuration, Clearing Changes To A Configuration, Viewing All Zone Configuration Information

    NOTE: If the default zoning mode is set to All Access and more than 120 devices are connected to the fabric, you cannot disable the zone configuration. See ”Default zoning mode” on page 250 for information about setting this mode to No Access. The following procedure ends and commits the current zoning transaction buffer to both volatile and nonvolatile memory.

  • Page 260: Viewing Selected Zone Configuration Information, Viewing The Configuration In The Effective Zone Database

    transaction, the newly edited zone configuration that has not yet been saved is displayed. If there are no outstanding transactions, the committed zone configuration is displayed. Connect to the switch and log in as admin. Enter the cfgShow command with no operands: switch:admin>...

  • Page 261: Clearing All Zone Configurations, Zone Object Maintenance, Copying A Zone Object

    21:00:00:20:37:0c:76:85 21:00:00:20:37:0c:71:df Clearing all zone configurations Connect to the switch and log in as admin. Enter the cfgClear command to clear all zone information in the transaction buffer. CAUTION: Be careful using the cfgClear command because it deletes the defined configuration. switch:admin>...

  • Page 262: Deleting A Zone Object

    Enter the cfgShow command to verify that the new zone object is present. switch:admin> cfgshow "Test*" cfg: Test1 Blue_zone cfg: Test_cfg Purple_zone; Blue_zone switch:admin> cfgShow "US_Test1" cfg: US_Test1 Blue_zone If you want the change preserved when the switch reboots, enter the cfgSave command to save it to nonvolatile (flash) memory.

  • Page 263: Renaming A Zone Object, Zoning Configuration Management, New Switch Or Fabric Additions

    Enter yes at the prompt. Enter the cfgShow command to verify that the deleted zone object is no longer present. If you want the change preserved when the switch reboots, enter the cfgSave command to save it to nonvolatile (flash) memory. Enter the cfgEnable command for the appropriate zone configuration to make the change effective.

  • Page 264

    • Before merging zones To facilitate merging, check the following before merging switches or fabrics: • Zoning licenses: All switches running Fabric OS 6.0.x or earlier must have a Zoning license enabled. • Native operating mode: All switches must be in the native operating mode. •...

  • Page 265: Fabric Segmentation And Zoning, Security And Zoning, Resolving Zone Conflicts

    • Type mismatch: The name of a zone object in one fabric is used for a different type of zone object in the other fabric. • Content mismatch: The definition of a zone object in one fabric is different from the definition of zone object with the same name in the other fabric.

  • Page 266: Zone Merging Scenarios

    Entering these commands causes a merge, making the fabric consistent with the correct configuration. Zone merging scenarios Table 66 provides information on merging zones and the expected results. Table 66 Zone merging scenarios Description Switch A Switch B Expected results Switch A has a defined defined: defined: none...

  • Page 267

    Table 66 Zone merging scenarios (continued) Description Switch A Switch B Expected results Same content, different effective cfg defined: cfg1 defined:cfg2 Fabric segments due to: Zone name. zone1: ali1; ali2 zone1: ali1; ali2 Conflict cfg mismatch effective: cfg1 effective: cfg2 zone1: ali1;...


  • Page 269: Configuring Enterprise-class Platforms, Ports

    Configuring Enterprise-class platforms Ports Because enterprise-class platforms contain interchangeable port blades, their procedures differ from those for fixed-port switches. For example, fixed-port models identify ports only by the port number, while enterprise-class platforms identify ports by slot/port notation. NOTE: For detailed information about the HP StorageWorks 4/256 SAN Director, the HP StorageWorks DC SAN Backbone Director, and HP StorageWorks DC04 SAN Director Switch enterprise-class platforms, see the relevant hardware documentation.

  • Page 270: Port Identification By Slot And Port Number

    Table 67 Port numbering schemes for the HP StorageWorks 4/256 SAN Director, HP StorageWorks DC SAN Backbone Director and HP StorageWorks DC04 SAN Director Switch enterprise-class platforms Port blades Numbering scheme • HP StorageWorks SAN Ports are numbered from 0 through 15 from bottom to top. Director 2/128 16-port blade •...

  • Page 271: Port Identification By Port Area Id, Port Identification By Index

    Port Identification by Port Area ID The relationship between the port number and area ID depends upon the PID format used in the fabric. When Core PID format is in effect, the area ID for port 0 is 0, for port 1 is 1, and so forth. For 32-port blades (HP StorageWorks 4/256 SAN Director 16 Port 4Gb blade, HP StorageWorks SAN Director 32 Port 8Gb FC blade), the numbering is contiguous up to port 15;...

  • Page 272

    Table 68 Default index/area_ID core PID assignment with no port swap (continued) Port Slot Slot Slot Slot Slot Slot Slot Slot 1Idx/are 2Idx/are 3Idx/are 4Idx/are 7Idx/are 8Idx/are 9Idx/are 10Idx/area blade 269/133 285/149 301/165 317/181 333/197 349/213 365/229 381/245 268/132 284/148 300/164 316/180 332/196...

  • Page 273

    Table 68 Default index/area_ID core PID assignment with no port swap (continued) Port Slot Slot Slot Slot Slot Slot Slot Slot 1Idx/are 2Idx/are 3Idx/are 4Idx/are 7Idx/are 8Idx/are 9Idx/are 10Idx/area blade 23/23 39/39 55/55 71/71 87/87 103/103 119/119 22/22 38/38 54/54 70/70...

  • Page 274: Power Conservation

    Table 69 Default index/area_ID core PID assignment with no port swap for the HP StorageWorks DC04 SAN Director Switch (continued) Port on Slot Slot Slot Slot blade 1Idx/area 2Idx/area 7Idx/area 8Idx/area 27/27 91/91 155/155 219/219 26/26 90/90 154/154 218/218 25/25 89/89 153/153 217/217...

  • Page 275: Powering Off A Port Blade, Powering On A Port Blade, Disabling And Enabling Port Blades

    NOTE: Some FRUs in the chassis may use significant power, yet cannot be powered off through software. For example, a missing blower FRU may change the power computation enough to affect how many slots can be powered up. Powering off a port blade NOTE: In the HP StorageWorks DC SAN Backbone Director and HP StorageWorks DC04 SAN Director Switch the core blades and CPs cannot be powered off from the CLI interface.

  • Page 276

    • HP StorageWorks 4/256 SAN Director 32 Port 4Gb Blade • HP StorageWorks SAN Director 16 Port 8Gb FC Blade • HP StorageWorks SAN Director 6 Port 10Gb FC Blade • HP StorageWorks B-Series iSCSI Director Blade • FS8-18 NOTE: The HP StorageWorks B-Series iSCSI Director Blade is not supported in either the HP StorageWorks DC SAN Backbone Director or HP StorageWorks DC04 SAN Director Switch...

  • Page 277: Hp Storageworks 4/256 San Director 48 Port 4gb Blade And Hp Storageworks San Director 48 Port 8gb Fc Blade Enabling Exceptions

    NOTE: This is not true for the HP StorageWorks SAN Director 16 Port 8Gb FC Blade. Since FC8 type blades support EX_Ports, they are still retained in the configuration, but they are persistently disabled. HP StorageWorks 4/256 SAN Director 48 Port 4Gb Blade and HP StorageWorks SAN Director 48 Port 8Gb FC Blade enabling exceptions The HP StorageWorks 4/256 SAN Director 48 Port 4Gb Blade is compatible only in the HP StorageWorks 4/256 SAN Director with the HP StorageWorks 4/256 SAN Director 16 Port 4Gb Blade,...

  • Page 278

    Table 70 HP StorageWorks enterprise-class platform terminology and abbreviations (continued) Blade name Abbrev. Blade Definition (slotsh 16-port 2-Gb/s port blade The second generation HP StorageWorks16-port StorageW Blade supporting 1 and 2 Gb/s port speeds. This orks SAN port blade is compatible only with the HP Director StorageWorks 4/256 SAN Director CP Blades.

  • Page 279: Cp Blades

    Table 70 HP StorageWorks enterprise-class platform terminology and abbreviations (continued) Blade name Abbrev. Blade Definition (slotsh 48-port 8-Gb/s Port Blade A 48-port HP StorageWorks Platform Port Blade StorageW supporting 1, 2, 4, and 8 Gb/s port speeds. HP orks SAN StorageWorks SAN Director 48 Port 8Gb FC Director Blade support only F_Ports and E_Ports;...

  • Page 280: Core Blades, Port And Application Blade Compatibility, Port Blades Supported By Each Platform

    Mixed CP blades are not supported on a single chassis, except during specific upgrade procedures detailed in the HP StorageWorks 4/256 SAN Director Hardware Reference Manual. CP4 and CP8 blades cannot be mixed in the same chassis under any circumstances. HP recommends that each platform have only one type of CP blade installed and that each CP (primary and secondary partition) maintains the same firmware version.

  • Page 281: Displaying Slot Information

    Table 71 Port blades supported by each platform (continued) Port blades HP StorageWorks HP StorageWorks 4/256 SAN DC SAN Backbone Director (CP4) Director and HP StorageWorks DC04 SAN Director Switch B-Series Multi-Protocol Supported Supported Router Blade FS8-18 Supported Supported Can coexist only with HP StorageWorks 4/256 SAN Director 16 Port 4Gb Blade.

  • Page 282: Inter-chassis Links

    Table 70 on page 275 for a list of blades and their corresponding IDs. Status (Displays the status of the blade) DIAG RUNNING POST1: The blade is present, powered on, and running the post-initialization power-on self test (POST). DIAG RUNNING POST2: The blade is present, powered on, and running the POST.

  • Page 283: Led Behavior

    ICL1 <--> ICL1 ICL ports can be used only with an ICL license. For more information on license enforcement, see "Licensed features" on page 43. After the addition or removal of a license, the license enforcement is performed on the ICL ports only when you enter the portDisable or portEnable commands on the switch for the ports.


  • Page 285: Routing Traffic, Routing Overview, Path Versus Route Selection, Fspf

    Routing traffic Routing overview Data moves through a fabric from switch to switch and from storage to server along one or more paths that make up a route. Routing policies determine the path for each frame of data. Before the fabric can begin to route a packet, it must discover the route that packet should take to reach the intended destination.

  • Page 286: Routing Policies

    redundancy. If a link goes down, part of the fabric becomes isolated. FSPF ensures that the topology is loop free and that the frame is never forwarded over the same ISL more than once. FSPF calculates paths based on the destination domain ID. The fabric protocol must complete domain ID assignments before routing can begin.

  • Page 287: Displaying The Current Routing Policy, Exchange-based Routing, Port-based Routing

    IMPORTANT: For most configurations, the default routing policy is optimal and provides the best performance. You should change the routing policy only if there is a performance issue that is of concern, or if a particular fabric configuration requires it. Displaying the current routing policy Connect to the switch and log in as admin.

  • Page 288: Ap Route Policy, Routing In Virtual Fabrics, Setting The Routing Policy

    AP route policy On the HP StorageWorks 400 Multi-Protocol Router and B-Series Multi-Protocol Router Blade, there are eight internal physical links used by EX_ and VEX_Port functionality. The links are shared by both ingress and egress traffic on EX_ and VEX_Ports. The AP (appliance) route policy dedicates some links for ingress traffic and some links for egress traffic.

  • Page 289: Dynamic Load Sharing, Setting Dls, Static Route Assignment

    Dynamic load sharing The exchange-based routing policy depends on the Fabric OS Dynamic Load Sharing feature (DLS) for dynamic routing path selection. When using the exchange-based routing policy, DLS is enabled by default and cannot be disabled. In other words, you cannot enable or disable DLS when the exchange-based routing policy is in effect.

  • Page 290: Assigning A Static Route, Removing A Static Route, Frame Order Delivery

    Instead, you can use the traffic isolation feature to create a dedicated path for interswitch traffic. See ”Traffic Isolation Routing” on page 339 for information about this feature. Assigning a static route Connect to the switch and log in as admin. Enter the uRouteConfig command.

  • Page 291

    In a stable fabric, frames are always delivered in order, even when the traffic between switches is shared among multiple paths. However, when topology changes occur in the fabric (for example, if a link goes down), traffic is rerouted around the failure, and some frames could be delivered out of order. Most destination devices tolerate out-of-order delivery, but some do not.


  • Page 293: Interoperability For Merged Sans

    Interoperability for merged SANs For information on HP supported interop configurations, see the HP StorageWorks Fabric interoperability application notes for merging B-Series fabrics with fabrics based on C-Series and M-Series Fibre Channel switches on the following HP website: http://h18000.www1.hp.com/products/storageworks/san/documentation.html


  • Page 295: Configuring The Distributed Management Server, Distributed Management Server Overview, Platform Services

    Configuring the Distributed Management Server Distributed Management Server overview The Fabric OS Distributed Management Server (MS) allows a SAN management application to retrieve information and administer interconnected switches, servers, and storage devices. The management server assists in the autodiscovery of switch-based fabrics and their associated topologies. A client of the management server can find basic information about the switches in the fabric and use this information to construct topology relationships.

  • Page 296: Enabling Platform Services, Disabling Platform Services, Management Server Database, Displaying The Management Server Acl

    Enabling platform services Connect to the switch and log in using an account assigned to the admin role. Enter the msplMgmtActivate command. switch:admin> msplmgmtactivate Request to activate MS Platform Service in progress..*Completed activating MS Platform Service in the fabric! switch:admin>...

  • Page 297: Adding A Member To The Acl

    In the following example, the list is empty: switch:admin> msconfigure Done Display the access list Add member based on its Port/Node WWN Delete member based on its Port/Node WWN select : (0..3) [1] 1 MS Access list is empty. Done Display the access list Add member based on its Port/Node WWN Delete member based on its Port/Node WWN...

  • Page 298: Deleting A Member From The Acl

    Press Enter to update the nonvolatile memory and end the session. switch:admin> msconfigure Done Display the access list Add member based on its Port/Node WWN Delete member based on its Port/Node WWN select : (0..3) [1] 2 Port/Node WWN (in hex): [00:00:00:00:00:00:00:00] 20:00:00:20:37:65:ce:aa *WWN is successfully added to the MS ACL.

  • Page 299: Viewing The Contents Of The Management Server Database

    Press Enter to update the nonvolatile memory and end the session. switch:admin> msconfigure Done Display the access list Add member based on its Port/Node WWN Delete member based on its Port/Node WWN select : (0..3) [1] 2 Port/Node WWN (in hex): [00:00:00:00:00:00:00:00] 10:00:00:00:c9:29:b3:84 *WWN is successfully added to the MS ACL.

  • Page 300: Clearing The Management Server Database, Topology Discovery, Displaying Topology Discovery Status, Enabling Topology Discovery

    The contents of the management server platform database are displayed. switch:admin> msplatshow ----------------------------------------------------------- Platform Name: [9] "first obj" Platform Type: 5 : GATEWAY Number of Associated M.A.: 1 [35] "http://java.sun.com/products/plugin" Number of Associated Node Names: 1 Associated Node Names: 10:00:00:60:69:20:15:71 ----------------------------------------------------------- Platform Name: [10] "second obj"...

  • Page 301: Disabling Topology Discovery

    Disabling topology discovery Connect to the switch and log in as admin. Enter the appropriate following command based on how you want to disable discovery: • For the local switch, enter the mstdDisable command. • For the entire fabric, enter the mstdDisable all command. A warning is displayed, saying that all NID entries might be cleared.


  • Page 303: Iscsi Gateway Service, Iscsi Gateway Service Overview, Iscsi Session Translation, Iscsi Gateway Network

    iSCSI gateway service iSCSI gateway service overview This chapter describes the HP StorageWorks B-Series iSCSI Director Blade gateway service. The iSCSI gateway service is supported only on the HP StorageWorks 4/256 SAN Director running Fabric OS 5.2.0 or later with one or more iSCSI-enabled HP StorageWorks B-Series iSCSI Director Blade. The HP StorageWorks B-Series iSCSI Director Blade gateway service is an intermediate device in the network, allowing iSCSI initiators in an IP SAN to access and utilize storage in a Fibre Channel (FC) SAN as shown in...

  • Page 304: Basic Vs. Advanced Lun Mapping, Basic Lun Mapping, Advanced Lun Mapping, Iscsi-to-fc Translation

    At the iSCSI gateway port, the incoming iSCSI data is converted to FCP (SCSI on FC) by the iSCSI virtual initiator, and then forwarded to the FC target. This allows low-cost servers to leverage an existing FC infrastructure. To represent all iSCSI initiators and sessions, each iSCSI portal has one iSCSI virtual initiator (VI) to the FC fabric that appears as an N_Port device with a special WWN format.

  • Page 305: Iscsi Component Identification, Iqn Prefix, Iscsi Vt Advanced Lun Mapping

    [Figure 36: iSCSI VT advanced LUN mapping, showing FC targets 1 and 2 and iSCSI virtual targets 1, 2, and 3] iSCSI component identification IQN Prefix Unique iSCSI Qualified Names (IQNs) are used to identify each iSCSI VT.

  • Page 306: Changing And Displaying The Iqn Prefix, Access Control With Discovery Domains, Iqn Example

    iSCSI initiator A iqn.2003-11.com.microsoft:win2k-sn-192168101 iSCSI virtual targets (VTs) VT 1 iqn.2002-12.com.brocade:10:00:00:05:1e:aa:bb:cc IP Network VT 2 iqn.2002-12.com.brocade:10:00:00:05:1e:cc:bb:aa VT 3 iqn.2002-12.com.brocade:10:00:00:05:1e:bb:cc:aa...

  • Page 307: Switch-to-iscsi Initiator Authentication, Load Balancing Through Connection Redirection

    [Figure 38: Discovery domain set configuration example, showing DDSet 1, iSCSI initiators A and B, the IP network, the iSCSI gateway service, and iSCSI virtual targets VT 1, VT 2, and VT 3] Switch-to-iSCSI initiator authentication...

  • Page 308: Displaying Connection Redirection Status, Supported Iscsi Initiators, Checklist For Configuring Iscsi

    connection redirection for specific slots, and the all option may be used to disable connection redirection for all slots. The following example disables connection redirection for ports on a blade located in slot 9. switch:admin> iscsiswcfg --disableconn -s 9 The operation completed successfully Displaying connection redirection status Connect to the switch and log in.

  • Page 309: Iscsi Target Gateway Configuration Steps

    service. Table 74 provides a high-level overview of the commands and links to the sections that detail the procedures. See the Fabric OS Command Reference for detailed information on the commands. Table 74 iSCSI target gateway configuration steps Step Command Procedure Activate iSCSI for the HP ”Enabling the iSCSI gateway...

  • Page 310: Hp Storageworks B-series Iscsi Director Blade Configuration, Hp Storageworks B-series Iscsi Director Blade Port Numbering

    Table 74 iSCSI target gateway configuration steps (continued). Columns: Step; Command; Procedure. Step 16, Enable zone configuration: cfgEnable "cfgname"; see "Creating and enabling a zoning configuration" on page 328. Step 17, Optional: Enable connection redirection: iscsiSwCfg --enableconn -s <slot number>|<all>; see "Enabling and disabling connection redirection for...

  • Page 311: Enabling The Iscsi Gateway Service, Hp Storageworks B-series Iscsi Director Blade Ports

    [Figure 39: HP StorageWorks B-Series iSCSI Director Blade ports, showing the GbE ports and FC ports] Enabling the iSCSI gateway service The iSCSI gateway service translates and directs SCSI traffic between an iSCSI initiator and an FC target. This procedure explains how to enable the iSCSI gateway service on the HP StorageWorks 4/256 SAN Director.

  • Page 312: Enabling Gbe Ports

    iSNS Client service:disabled Enabling GbE ports By default, GbE ports are enabled on an HP StorageWorks B-Series iSCSI Director Blade installed in the HP StorageWorks 4/256 SAN Director. However, if you insert the HP StorageWorks B-Series iSCSI Director Blade into a slot that was previously occupied by an FR-18i blade, GbE ports are disabled. Before enabling the physical iSCSI interface, enable the iSCSI gateway service as described in "Enabling the iSCSI gateway...

  • Page 313: Configuring The Gbe Interface

    configuration: IP Address Mac Address ------------------------------ Iproute Configuration: IP Address Mask Gateway Metric ------------------------------------------------------ switch:admin> Configuring the GbE interface NOTE: You can set the TCP/IP parameters of a GbE port even when iSCSI gateway service is disabled. Address resolution protocol (ARP) entries for the IP interfaces are created automatically when you verify the network connectivity using the ping command.

  • Page 314: Iscsi Virtual Target Configuration, Automatic Iscsi Vt Creation, Generating Iscsi Vts For Every Fc Target

    Reply from 30.0.0.1: bytes=64 rtt=0ms ttl=255 Reply from 30.0.0.1: bytes=64 rtt=0ms ttl=255 Reply from 30.0.0.1: bytes=64 rtt=0ms ttl=255 Reply from 30.0.0.1: bytes=64 rtt=0ms ttl=255 Ping Statistics for 30.0.0.1: Packets: Sent = 4, Received = 4, Loss = 0 ( 0 percent loss) RTT = 0ms, Max RTT = 0ms Average = 0ms Optional: Enter the portCfg arp command to configure additional ARP entries.

  • Page 315

    switch:admin> iscsicfg --easycreate tgt This will create iSCSI targets for ALL FC targets. This could be a long-running operation. Continue [N]: y Index FC WWN iSCSI Name Status 2e:1f:00:06:2b:0d:10:ba iqn.2002-12.com.brocade:2e:1f:00:06:2b:0d:10:ba Operation Succeeded 2e:3f:00:06:2b:0d:10:ba iqn.2002-12.com.brocade:2e:3f:00:06:2b:0d:10:ba Operation Succeeded 2e:5f:00:06:2b:0d:10:ba iqn.2002-12.com.brocade:2e:5f:00:06:2b:0d:10:ba Operation Succeeded 2e:7f:00:06:2b:0d:10:ba iqn.2002-12.com.brocade:2e:7f:00:06:2b:0d:10:ba Operation...

  • Page 316

    2f:bf:00:06:2b:0d:10:ba iqn.2002-12.com.brocade:2f:bf:00:06:2b:0d:10:ba Operation Succeeded 2f:df:00:06:2b:0d:10:ba iqn.2002-12.com.brocade:2f:df:00:06:2b:0d:10:ba Operation Succeeded 2f:ff:00:06:2b:0d:12:9a iqn.2002-12.com.brocade:2f:ff:00:06:2b:0d:12:9a Operation Succeeded Enter the iscsiCfg show tgt command to display the status of the created iSCSI VTs. The following is an example: switch:admin> iscsicfg --show tgt Number of records found: 16 Name: iqn.2002-12.com.brocade:2e:1f:00:06:2b:0d:10:ba State/Status:...

  • Page 317: Generating An Iscsi Vt For A Specific Fc Target, Manual Iscsi Vt Creation

    State/Status: Online/Defined Name: iqn.2002-12.com.brocade:2f:df:00:06:2b:0d:10:ba State/Status: Online/Defined Name: iqn.2002-12.com.brocade:2f:ff:00:06:2b:0d:12:9a State/Status: Online/Defined Generating an iSCSI VT for a specific FC target Connect and log in to the switch. Enter the iscsiCfg easycreate tgt command with the -w <port WWN> option to create an iSCSI VT that contains only the storage attached to the specified WWN.

  • Page 318

    The following is an example. switch:admin> iscsicfg --show tgt -t iqn.2002-12.com.brocade:example-disk001 -v Number of records found: 1 Name: iqn.2002-10.com.brocade.example:disk001 State/Status: Offline/Defined Auth. Method: None Enter the fcLunQuery command to display a list of connected FC targets and show the LUN configurations.

  • Page 319: Mapping Luns On A Specific Port To An Iscsi Vt

    Maps the physical FC LUNs to virtual iSCSI LUNs and is specified as a pair: -l <n:n> LUNs:physical LUNs The following is an example: switch:admin> iscsicfg --add lun -t iqn.2002-12.com.brocade:example-disk001 \ -w 21:00:00:04:cf:e7:73:7e -l 0:0 The operation completed successfully. Enter the iscsiCfg show lun command with –t <IQN>...

  • Page 320: Deleting Luns From An Iscsi Vt, Displaying The Iscsi Virtual Target Lun Map

    Deleting LUNs from an iSCSI VT You can delete individual LUNs, a list or range of LUNs, or all LUNs associated with an iSCSI VT. Connect to the switch and log in. Enter the iscsiCfg delete lun command with –t <target_IQN>, –w <port_WWN>, and –l <LUN_list>...

  • Page 321: Discovery Domain And Domain Set Configuration, Displaying Iscsi Initiator Iqns, Creating Discovery Domains

    Number of records found: 2 Name: iqn.2006-10.com.example-disk001 State/Status: Online/Defined Auth. Method: None Name: iqn.2002-10.com.brocade:21:00:00:04:cf:e7:74:cf State/Status: Online/Defined Auth. Method: None Discovery domain and domain set configuration Discovery domains (DDs) and discovery domain sets can be used to configure access control between iSCSI initiators and iSCSI VTs manually.

  • Page 322: Creating And Enabling A Discovery Domain Sets, Iscsi Initiator-to-vt Authentication Configuration

    Name: dd-host001 Status: Defined Num. Members: 2 iqn.1991-05.com.microsoft:host001.brocade.com iqn.2006-10.com.example:disk001 Creating and enabling a discovery domain sets Connect and log in to the switch. Enter the iscsiCfg create ddset command with the -n and -d options to create a new DDSet: switch:admin>...

  • Page 323: Binding User Names To An Iscsi Vt

    To verify that CHAP is enabled for the iSCSI VT, enter the iscsiCfg show tgt command with the -t and -v options: switch:admin> iscsicfg --show tgt -t iqn.2006-10.com.brocade:example-disk001 -v Number of records found: 1 Name: iqn.2006-10.com.brocade:example-disk001 State/Status: Online/Defined Auth. Method: CHAP Binding user names to an iSCSI VT For additional security, you can bind specific user names to an iSCSI VT.

  • Page 324: Committing The Iscsi-related Configuration, Resolving Conflicts Between Iscsi Configurations

    Committing the iSCSI-related configuration After you have defined iSCSI-related configuration parameters, including iSCSI VTs, discovery domains, discovery domain sets, and CHAP authentication, you must save them through a commit process. Each set of changes, additions, and deletions is called a “transaction.” Review the current transaction before committing the changes;...

  • Page 325: Lun Masking Considerations, Iscsi Fc Zoning Overview

    Num. members: 1 Enter the iscsiCfg commit all command with the -f option on the switch that has the database you want to use fabric-wide: switch:admin> iscsicfg --commit all -f This will commit ALL database changes made to all iSCSI switches in fabric.

  • Page 326: Iscsi Gateway Service In An Iscsi Fc Zone

    [Figure: iSCSI gateway service in an iSCSI FC zone]...

  • Page 327: Iscsi Fc Zone Creation, Creating An Iscsi Fc Zone

    iSCSI FC zone creation To create an iSCSI FC zone, you must include the following iSCSI elements in the zone: • The FC targets, used to create the virtual targets (VT). • The iSCSI virtual initiators (VIs): • If there is more than one HP StorageWorks B-Series iSCSI Director Blade in the chassis, you must add all virtual initiators to the same zone.

  • Page 328

    Write down or copy and paste the FC WWN information for each LUN, which you will need during the zone creation process. Enter the nsShow command to display the WWN information for the iSCSI virtual initiators: switch:admin> nsshow Type Pid PortName NodeName TTL(sec)

  • Page 329

    PortSymb: [23] "iSCSI Virtual Initiator" NodeSymb: [51] "IPAddr: 30.0.127.33 Slot/Port: 3/ge3 Logical pn: 43" Fabric Port Name: 00:00:00:00:00:00:00:00 Permanent Port Name: 50:06:06:9e:00:15:63:18 Port Index: 43 Share Area: No Device Shared in Other AD: No 012c00; 3;50:06:06:9e:00:15:63:20;50:06:06:9e:00:15:63:21; na FC4s: FCP PortSymb: [23] "iSCSI Virtual Initiator" NodeSymb: [51] "IPAddr: 30.0.127.34 Slot/Port: 3/ge4 Logical pn: 44"...

  • Page 330: Zoning Configuration Creation, Creating And Enabling A Zoning Configuration

    Enter the cfgSave command to save the change to the defined configuration: switch:admin> cfgsave You are about to save the Defined zoning configuration. This action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled.

  • Page 331: Isns Client Service Configuration, Displaying Isns Client Service Status, Enabling The Isns Client Service

    switch:admin> cfgenable iscsi_cfg001 You are about to enable a new zoning configuration. This action will replace the old zoning configuration with the current configuration selected. Do you want to enable 'iscsi_cfg001' configuration (yes, y, no, n): [no] zone config "iscsi_cfg001" is in effect Updating flash ...

  • Page 332

    NOTE: If DD and DDSets are configured on the fabric, clear the DD and DDSet configurations before enabling iSNS client services. Connect to the switch and log in. Enter the fosConfig --enable isnsc command to enable the iSNS client service: switch:admin>...

  • Page 333: Disabling The Isns Client Service, Clearing The Isns Client Configuration

    Disabling the iSNS client service When the iSNS client service is disabled, the DD and DDSets are kept in the fabric. Connect and log in to the switch. Enter the fosConfig --disable isnsc command to disable the iSNS client service: switch:admin>...

  • Page 335: Administering Npiv, Npiv Overview, Fixed Addressing Mode, Bit Addressing Mode, Enabling And Disabling Npiv

    Administering NPIV NPIV overview N_Port ID Virtualization (NPIV) enables a single Fibre Channel protocol port to appear as multiple, distinct ports, providing separate port identification within the fabric for each operating system image behind the port (as if each operating system image had its own unique physical port). NPIV assigns a different virtual port ID to each Fibre Channel protocol device.

  • Page 336: Configuring Npiv

    NOTE: If the NPIV feature is disabled, the port is toggled if NPIV devices are logged in from that F_Port (a true NPIV port). Otherwise the firmware considers that port as an F_Port even though the NPIV feature was enabled. Configuring NPIV To specify the number of virtual N_Port_IDs per port or per switch, use the configure command with either of the following parameters:...

  • Page 337: Configuration Scenarios, Viewing Npiv Port Configuration Information

    Configuration scenarios The actual number of virtual N_Port_IDs accepted per port and per switch is determined by the limits you set, and also by the limit that is reached first. For example, if you have set switch.login.perPortMax to 25, and switch.login.perSwitchMax to 100, the first 4 ports will accept up to 25 virtual N_Port_IDs each.

  • Page 338: Viewing Virtual Pid Login Information

    Online F-Port 50:05:07:64:01:20:73:b8 Online F-Port 50:05:07:64:01:60:73:b8 Online F-Port 65 NPIV public Online F-Port 50:05:07:64:01:e0:73:b8 Online F-Port 50:05:07:64:01:20:73:b5 <output truncated> Use the portShow command to view the NPIV attributes and all the N_Port (physical and virtual) port WWNs that are listed under portWwn of device(s) connected. The following is sample output for the portShow command: switch:admin>...

  • Page 339

    Type World Wide Name credit df_sz cos ===================================================== 630240 c0:50:76:ff:fb:00:16:fc 2048 scr=3 63023f c0:50:76:ff:fb:00:16:f8 2048 scr=3 63023e c0:50:76:ff:fb:00:17:ec 2048 scr=3 <output truncated> 630202 c0:50:76:ff:fb:00:17:70 2048 d_id=FFFFFC 630201 c0:50:76:ff:fb:00:16:80 2048 d_id=FFFFFC...

  • Page 341: Optimizing Fabric Behavior, Adaptive Networking Overview, Traffic Isolation Routing

    Optimizing fabric behavior Adaptive Networking overview Adaptive Networking is a suite of tools and capabilities that enable you to ensure optimized behavior in the SAN. Even under the worst congestion conditions, the Adaptive Networking features can maximize the fabric behavior and provide necessary bandwidth for high-priority, mission-critical applications and connections.

  • Page 342: Ti Zone Failover, Traffic Isolation Zone Creating A Dedicated Path Through The Fabric

    [Figure 42: Traffic Isolation zone creating a dedicated path through the fabric] In Figure 42, all traffic entering Domain 1 from N_Ports 7 and 8 is routed through E_Port 1. Similarly, traffic entering Domain 3 from E_Port 9 is routed to E_Port 12, and traffic entering Domain 4 from E_Port 7 is routed to the devices through N_Ports 5 and 6.

  • Page 343: Additional Considerations When Disabling Failover, Fspf Routing Rules And Traffic Isolation

    • If failover is enabled for the TI zone, non-TI zone traffic is routed from Domain 1 to Domain 3 through the dedicated ISL. • If failover is disabled for the TI zone, non-TI zone traffic is halted until the non-dedicated ISL between Domain 1 and Domain 3 is back online.

  • Page 344: Traffic Isolation Routing Over Fc Routers, Dedicated Path Is The Shortest Path

    • If failover is disabled, non-TI zone traffic is blocked because it cannot use the dedicated ISL, which is the lowest cost path. For example, in Figure 44, there is a dedicated path between Domain 1 and Domain 3, and another, non-dedicated, path that passes through Domain 2.

  • Page 345: Ti Within An Edge Fabric, Traffic Isolation Routing Over Fcr

    • Set up a TI zone in an edge fabric to guarantee that traffic from a specific device in that edge fabric is routed through a particular EX_Port or VEX_Port. • Set up a TI zone in the backbone fabric to guarantee that traffic between two devices in different fabrics is routed through a particular ISL (VE_Ports or E_Ports) in the backbone.

  • Page 346: Ti Within A Backbone Fabric, Ti Zone In An Edge Fabric

    [Figure 47: TI zone in an edge fabric] In the TI zone, when you designate E_Ports between the front and xlate phantom switches, you must use -1 in place of the “I”...

  • Page 347: Limitations Of Ti Zones Over Fc Routers, Ti Zone In A Backbone Fabric

    [Figure 48: TI zone in a backbone fabric] TI zones within the backbone fabric use the port WWN instead of D,I notation for devices that are to communicate across fabrics.

  • Page 348: General Rules For Ti Zones, Supported Configurations For Traffic Isolation Routing, Misconfigured Ti Zone

    General rules for TI zones Note the following general rules for TI zones: • A TI zone must include E_Ports and N_Ports that form a complete, end-to-end route from initiator to target. • A given port (N_Port or E_Port) used in a TI zone should not be a member of more than one TI zone. If multiple E_Ports are configured on the lowest cost route to a domain, the various source ports for that zone are load-balanced across the specified E_Ports.

  • Page 349: Trunking With Ti Zones, Limitations And Restrictions Of Traffic Isolation Routing

    • HP StorageWorks DC SAN Backbone Directors, . • Ports in a TI zone must belong to switches that run Fabric OS 6.0.0 or later. For TI over FCR zones, ports must belong to switches that run Fabric OS 6.1.0 or later. •...

  • Page 350: Virtual Fabric Considerations For Traffic Isolation Routing, Dedicated Path With Virtual Fabrics

    • Use care if defining TI zones with ports that are shared across Admin Domains because of the limitation that a given port can appear in only one TI zone. Best practice: Do not use ports that are shared across Admin Domains in a TI zone. Virtual Fabric considerations for Traffic Isolation Routing This section describes how TI zones work with Virtual Fabrics.

  • Page 351: Traffic Isolation Routing Over Fc Routers With Virtual Fabrics

    You must also create and activate a TI zone in the base fabric to reserve the XISLs for the dedicated path. In Figure 50, the XISLs highlighted (by a dotted line) in the base fabric can be reserved for FID1 by defining and activating a base fabric TI zone that consists of ports 10, 12, 14, and 16.

  • Page 352: Creating A Ti Zone, Example Configuration For Ti Zones Over Fc Routers In Logical Fabrics

    [Figure 53: Example configuration for TI zones over FC routers in Logical Fabrics] Figure 54 shows a logical representation of the configuration in Figure 53.

  • Page 353: Examples Of Creating A Ti Zone

    When you create a TI zone, you can enable or disable failover mode. By default, failover mode is enabled. If you want to change the failover mode after you create the zone, see ”Modifying TI zones” on page 353. If you are creating a TI zone with failover disabled, note the following: •...

  • Page 354: Creating A Ti Zone In A Base Fabric

    To create a TI zone and set the state to deactivated (failover is enabled by default): switch:admin> zone --create -t ti -o d bluezone -p "1,1; 2,4; 1,8; 2,6" To create a TI zone with failover disabled and the state set to deactivated: switch:admin>...

  • Page 355: Modifying Ti Zones, Examples Of Modifying A Ti Zone

    Enter the cfgEnable command to reactivate your current effective configuration and enforce the TI zones. cfgenable "base_config" For example, to create TI zones in the base fabric shown in Figure 52 on page 349: BS_D1> zonecreate "z1", "1,1" BS_D1> cfgcreate "base_cfg", z1 BS_D1>...

  • Page 356: Changing The State Of A Ti Zone

    To add port members to the existing TI zone in a backbone fabric: switch:admin> zone --add backbonezone -p "3,4; 3,6; 10:00:00:04:1f:03:16:f2;" To disable failover on the existing TI zone bluezone: switch:admin> zone --add -o n bluezone To enable failover and add ports to TI zone greenzone: switch:admin>...

  • Page 357: Example Of Deleting A Ti Zone, Displaying Ti Zones

    Enter the zone delete command. zone --delete name where name is the name of the zone to be deleted. You can delete multiple zones by separating the zone names with a semicolon and enclosing them in quotation marks. Enter the cfgEnable command to reactivate your current effective configuration and enforce the TI zones.

  • Page 358: Setting Up Ti Over Fcr (sample Procedure), Ti Over Fcr Example

    To display information about all TI zones in the defined configuration: switch:admin> zone --show Defined TI zone configuration: TI Zone Name: greenzone: Port List: 2,2; 3,3; 5,3; 4,11; Configured Status: Activated / Failover-Enabled Enabled Status: Activated / Failover-Enabled TI Zone Name: purplezone: Port List: 1,2;...

  • Page 359

    NOTE: In the following procedure the three TI zones in the edge and backbone fabrics are all given the same name, TI_Zone1. It is not required that the TI zones have the same name; this is done to avoid confusion. If several dedicated paths are set up across the FC router, the TI zones for each path can have the same name.

  • Page 360

    Log in to edge fabric 2 and set up the TI zone. a. Enter the fabricShow command to display the switches in the fabric. From the output, you can determine the front and translate domains. E2switch:admin> fabricshow Switch ID Worldwide Name Enet IP Addr FC IP Addr Name...

  • Page 361: Qos: Ingress Rate Limiting

    Log in to the backbone fabric and set up the TI zone. a. Enter the following commands to create and display a TI zone: BB_DCX_1:admin> zone --create -t ti TI_Zone1 -p "1,9; 1,1; 2,4; 2,7; 10:00:00:00:00:08:00:00; 10:00:00:00:00:02:00:00; 10:00:00:00:00:03:00:00" BB_DCX_1:admin> zone --show Defined TI zone configuration: TI Zone Name: TI_Zone1...

  • Page 362: Limiting Traffic From A Particular Device

    NOTE: Ingress rate limiting is applicable only to F_Ports and FL_Ports and is available only on the following platforms: • HP StorageWorks 8/8 and 8/24 SAN Switches • HP StorageWorks 8/40 SAN Switch • HP StorageWorks 8/80 SAN Switch • HP StorageWorks DC SAN Backbone Director •...

  • Page 363: Disabling Ingress Rate Limiting, Qos: Sid/did Traffic Prioritization, Qos Zones

    Disabling ingress rate limiting Connect to the switch and log in as admin. Enter the portCfgQos resetratelimit command. portcfgqos --resetratelimit slot/port where slot/port is the slot and port number of the F_Port or FL_Port for which you want to disable ingress rate limiting. For example, to disable ingress rate limiting on slot 3, port 9, enter the following command: portcfgqos --resetratelimit 3/9 QoS: SID/DID traffic prioritization...

  • Page 364: Qos On E_ports, Qos Traffic Prioritization

    The switch automatically sets the priority for the host,target pairs specified in the zones based on the priority level in the zone name. NOTE: QoS can be used for device pairs that exist within the same fabric only. QoS priority information is not passed over EX_ or VEX_Ports and should not be used for devices in separate fabrics.

  • Page 365: Virtual Fabric Considerations For Traffic Prioritization, Qos With E_ports Enabled

    [Figure 57: QoS with E_Ports enabled] You need to enable QoS on the E_Ports on both ISLs between Domain 3 and Domain 4 because either path might be selected to carry the traffic.

  • Page 366: Supported Configurations For Traffic Prioritization, Traffic Prioritization In A Logical Fabric

    [Figure 58: Traffic prioritization in a Logical Fabric] Supported configurations for traffic prioritization...

  • Page 367: Limitations And Restrictions For Traffic Prioritization, Setting Traffic Prioritization

    Limitations and restrictions for traffic prioritization Note the following configuration rules for traffic prioritization: • If a host and target are included in two or more QoS zones with different priorities, the zone with the lowest priority takes precedence. For example, if an effective zone configuration has QOSH_z1 (H,T) and QOSL_z2 (H,T), the traffic flow between H and T will be of low QoS priority.

  • Page 368

    Enter the portCfgQos command to enable QoS on the E_Ports, using the following syntax: portcfgqos --enable [slot/]port where slot/port is the slot and port number of the E_Port on which you want to enable QoS. The slot number is required for the HP StorageWorks 4/256 SAN Director and HP StorageWorks DC SAN Backbone Director platforms.

  • Page 369: Using The Fc-fc Routing Service, Fc-fc Routing Service Overview, Supported Platforms For Fibre Channel Routing

    Using the FC-FC routing service FC-FC routing service overview The FC-FC routing service provides Fibre Channel routing (FCR) between two or more fabrics without merging those fabrics. A Fibre Channel router (FC router) is a switch running the FC-FC routing service. The FC-FC routing service can be simultaneously used as an FC router and as a SAN extension over wide area networks (WANs) using FCIP.

  • Page 370: Integrated Routing, Fibre Channel Routing Concepts

    • FC router connected to a B-Series secured edge fabric • FC router connected to a McDATA Open Mode 1 edge fabric • FC router connected to a McDATA Fabric Mode edge fabric • FC router connected to B-Series secured and nonsecured fabrics with EX_Port trunking enabled •...

  • Page 371: A Metasan With Interfabric Links

    Figure 59 shows a metaSAN consisting of three edge fabrics connected through an HP StorageWorks DC SAN Backbone Director with interfabric links. [Figure 59: A metaSAN with interfabric links]...

  • Page 372: A Metasan With Edge-to-edge And Backbone Fabrics And Lsan Zones

    [Figure 60: A metaSAN with edge-to-edge and backbone fabrics and LSAN zones] • Proxy device A proxy device is a virtual device imported into a fabric by a Fibre Channel router, to represent a real device on another fabric.

  • Page 373: Proxy Devices, Edge Sans Connected Through A Backbone Fabric

    A simple metaSAN can be constructed using an FC router to connect two or more separate fabrics. Additional FC routers can be used to increase the available bandwidth between fabrics and to provide redundancy. Figure 61 shows a metaSAN consisting of a host in Edge SAN 1 connected to storage in Edge SAN 2 through a backbone fabric connecting two FC routers.

  • Page 374: Routing Types, Phantom Domains, Metasan With Imported Devices

    [Figure 62: MetaSAN with imported devices] Routing types The FC-FC routing service provides two types of routing: •...

  • Page 375: Sample Topology (physical Topology)

    connected from that router to the edge fabric. Another FC router connected to the same edge fabric projects a different front phantom domain. The second level of phantom domains is known as a translate phantom domain, also referred to as translate domain or xlate domain.

  • Page 376: Fibre Channel Network Address Translation, Ex_port Phantom Switch Topology

    [Figure 64: EX_Port phantom switch topology] All EX_Ports or VEX_Ports connected to an edge fabric use the same xlate domain ID number for an imported edge fabric;...

  • Page 377: Setting Up The Fc–fc Routing Service, Verifying The Setup For Fc–fc Routing

    translation (FC-NAT). Using FC-NAT, the proxy devices in a fabric can have different PIDs than the real devices that they represent, allowing the proxy devices to have appropriate PIDs for the address space of their corresponding fabric. Setting up the FC–FC routing service To set up the FC–FC Routing Service, perform the following tasks in the order listed: •...

  • Page 378

    • If you are not configuring an HP StorageWorks 4/256 SAN Director, HP StorageWorks DC SAN Backbone Director, or HP StorageWorks DC04 SAN Director Switch platform, skip to step switch:admin> slotshow -m Slot Blade Type Model Name Status -------------------------------------------------- AP BLADE FA4-18 ENABLED AP BLADE...

  • Page 379: Backbone Fids

    Enter the interopMode command and verify that Fabric OS switch interoperability with switches from other manufacturers is disabled. switch:admin> interopmode InteropMode: Off usage: InteropMode [0|2|3 [-z McDataDefaultZone] [-s McDataSafeZone]] 0: to turn interopMode off 2: to turn McDATA Fabric mode on Valid McDataDefaultZone: 0 (disabled), 1 (enabled) Valid McDataSafeZone: 0 (disabled), 1 (enabled) 3: to turn McDATA Open Fabric mode on...

  • Page 380: Assigning Backbone Fids, Fcip Tunnel Configuration, Interfabric Link Configuration

    IMPORTANT: In a multi-switch backbone fabric, modification of FID within the backbone fabric will cause disruption to local traffic. Assigning backbone FIDs Log in to the switch or director. Enter the switchDisable command. Enter the fosConfig disable fcr command to disable the FC-FC Routing Service. See the Fabric OS Command Reference or the CLI man pages for more information about the fosConfig command.

  • Page 381: Configuring An Ifl For Both Edge And Backbone Connections

    NOTE: To ensure that fabrics remain isolated, disable the port prior to inserting the cable. If you are configuring an EX_Port, disable the port prior to making the connection. Configuring an IFL for both edge and backbone connections On the FC router, disable the port that you are configuring as an EX_Port (the one connected to the Fabric OS switch) by issuing the portDisable command.

  • Page 382

    Determine whether to set up FC Router port cost operations and/or ISL or EX_Port trunking. These options include FC Router port cost operations and setting up either ISL or EX_Port trunking. For information about using FCR Router Port Cost operations, see ”FC Router port cost configuration”...

  • Page 383

    Port 7/10 info Admin: enabled State: NOT OK Pid format: Not Applicable Operate mode: Brocade Native Edge Fabric ID: Preferred Domain ID: Front WWN: 50:06:06:9e:20:38:6e:1e Fabric Parameters: Auto Negotiate R_A_TOV: Not Applicable E_D_TOV: Not Applicable Authentication Type: None DH Group: N/A Hash Algorithm: N/A Edge fabric's primary wwn: N/A Edge fabric's version stamp: N/A...

  • Page 384

    LE domain: 0 FC Fastwrite: ON Interrupts: Link_failure: 0 Frjt : Unknown: Loss_of_sync: 0 Fbsy : Lli: Loss_of_sig: Proc_rqrd: Protocol_err: 0 Timed_out: Invalid_word: 0 Rx_flushed: Invalid_crc: Tx_unavail: Delim_err: Free_buffer: Address_err: Overrun: Lr_in: Suspended: Lr_out: Parity_err: Ols_in: 2_parity_err: Ols_out: CMI_bus_err: Port part of other ADs: No Enter the switchShow command to verify that the EX_Port (or VEX_Port), edge FID, and name of the edge fabric switch (containing the E_Port or VE_Port) are correct.

  • Page 385: Fc Router Port Cost Configuration, Port Cost Considerations

    FC Router port cost configuration The router port cost is set automatically. This section provides information about the router port cost and describes how you can modify the cost for a port if you want to change the default value. FC routers optimize the usage of the router port links by directing traffic to the link with the smallest router port cost.

  • Page 386: Upgrade, Downgrade, And Ha Considerations For Router Port Cost

    Upgrade, downgrade, and HA considerations for router port cost For HA, the router port cost is synchronized to the standby CP. Legacy routers in the backbone fabric program all the router ports without considering router port cost. Fabric OS 5.2.0 or later considers legacy router port cost as 1000 for both EX or VEX_Ports. Setting router port cost for an EX_Port The router port cost value for an EX_Port is set automatically when the EX_Port is created.

  • Page 387: Supported Configurations And Platforms, High Availability Support, Backward Compatibility Support, Configuring Ex_port Frame Trunking

    The FC router front domain has a higher node WWN—derived from the FC router—than that of the edge fabric. Therefore, the FC router front domain initiates the trunking protocol on the EX_Port. After initiation, the first port from the trunk group that comes online is designated as the master port. The other ports that come online on the trunk group are considered the slave ports.

  • Page 388: Displaying Ex_port Trunking Information, Lsan Zone Configuration

    Displaying EX_Port trunking information Log in as an admin and connect to the switch. Enter the switchShow command to display trunking information for the EX_Ports. fcr_switch:admin_06> switchshow The following is an example of a master EX_Port and a slave EX_Port displayed in switchShow: Index Slot Port Address Media Speed State ============================================== ee1000...

  • Page 389: Lsan Zones And Fabric-to-fabric Communications, Controlling Device Communication With The Lsan (sample Procedure)

    To enable device sharing across multiple fabrics, you must create LSAN zones on the edge fabrics (and, as an option on the backbone fabric as well), using normal zoning operations to create zones with names that begin with the prefix LSAN_, and adding host and target port WWNs from both local and remote fabrics to each local zone as desired.

  • Page 390

    Enter the zoneAdd command to add Target A to the LSAN. FID75Domain5:admin> zoneadd "lsan_zone_fabric75", "50:05:07:61:00:5b:62:ed" Enter the cfgAdd or cfgCreate and cfgEnable commands to add and enable the LSAN configuration. switch:admin> cfgadd "zone_cfg", "lsan_zone_fabric75" switch:admin> cfgenable "zone_cfg" You are about to enable a new zoning configuration. This action will replace the old zoning configuration with the current configuration selected.

  • Page 391: Setting The Maximum Lsan Count

    Enter the following commands to display information about the LSANs. • lsanZoneShow -s shows the LSAN switch:admin> lsanzoneshow -s Fabric ID: 2 Zone Name: lsan_zone_fabric2 10:00:00:00:c9:2b:c9:0c Imported 50:05:07:61:00:5b:62:ed EXIST 50:05:07:61:00:49:20:b4 EXIST Fabric ID: 75 Zone Name: lsan_zone_fabric75 10:00:00:00:c9:2b:c9:0c EXIST 50:05:07:61:00:5b:62:ed Imported •...

  • Page 392: Configuring Backbone Fabrics For Interconnectivity, Ha And Downgrade Considerations For Lsan Zones

    For information on how to display the maximum allowed and currently used LSAN zones and devices, see “Resource monitoring” on page 399. NOTE: Since the maximum number of LSANs is configured for each switch, if there is a different maximum LSAN count on the switches throughout the metaSAN, the device import/export will not be identical on the FC routers.

  • Page 393: Speed Tag

    lsan_abc lsan_xyz lsan_fab1 In this example, the following LSAN zones would all be accepted: lsan_abc Lsan_xyz123456 LSAN_FAB1_abc You can specify up to eight Enforce tags on an FC router. Speed tag During target discovery, the FC router process of presenting proxy devices and setting up paths to the proxy devices might cause some sensitive hosts to time out or fail.

  • Page 394: Rules For Lsan Tagging, Configuring An Enforce Lsan Tag

    Figure 65 Example of setting up Speed LSAN tag [diagram labels: Edge fabric 1, Edge fabric 2, Edge fabric 3, FC router 1, FC router 2; legend: LSAN]. Rules for LSAN tagging Note the following rules for configuring LSAN tags: • Configure the tags on the FC router, and not on the edge switches. If Virtual Fabrics are enabled, configure the tags on the base switch on which the EX_ and VEX_Ports are located.

  • Page 395: Configuring A Speed Lsan Tag, Removing An Lsan Tag, Displaying The Lsan Tag Configuration

    Configuring a Speed LSAN tag Log in to the FC router as admin. Enter the following command to create a Speed LSAN tag: fcrlsan --add -speed tagname where tagname is the name of the LSAN tag you want to create. Change the names of the LSAN zones in the edge fabrics to incorporate the tag in the names.

  • Page 396: Lsan Zone Binding

    LSAN zone binding LSAN zone binding is an optional, advanced feature that increases the scalability envelope for very large metaSANs. NOTE: LSAN zone binding is supported only on FC routers with Fabric OS 5.3.0 and later. The FC router matrix feature is supported only on FC routers with Fabric OS 6.1.0 and later. Without LSAN zone binding, every FC router in the backbone fabric maintains the entire LSAN zone and device state database.

  • Page 397: How Lsan Zone Binding Works

    Table 77 LSAN information stored in each FC router with and without LSAN zone binding Without LSAN zone binding With LSAN zone binding router 1 router 2 router 3 router 4 router 1 router 2 router 3 router 4 LSAN 1 LSAN 1 LSAN 1 LSAN 1...

  • Page 398: Fc Router Matrix Definition, Lsan Fabric Matrix Definition

    FC router matrix definition Depending on how the backbone fabric is structured, you can specify pairs of FC routers that can access each other. For the metaSAN shown in Figure 66 on page 394, the following FC routers can access each other: •...

  • Page 399: Setting Up Lsan Zone Binding, Viewing The Lsan Zone Binding Matrixes, Proxy Pid Configuration

    Setting up LSAN zone binding Log in to the FC router as admin. Enter the following command to add a pair of FC routers that can access each other: FCR:Admin > fcrlsanmatrix --add -fcr wwn1 wwn2 where wwn1 and wwn2 are the WWNs of the FC routers. Enter the following command to add a pair of edge fabrics that can access each other: FCR:Admin >...

  • Page 400: Fabric Parameter Considerations, Inter-fabric Broadcast Frames

    used to determine the Area_ID field of the PID) and the Port_ID field. Like the PIDs in a fabric, a proxy PID must be unique. If the slot argument results in a duplicate PID, it will be ignored. Proxy PIDs are automatically assigned to devices imported into a fabric, starting at f001.

  • Page 401: Displaying The Current Broadcast Configuration, Enabling Broadcast Frame Forwarding, Disabling Broadcast Frame Forwarding, Resource Monitoring

    Figure 67 Inter-fabric broadcast frames [diagram labels: Backbone fabric, FC router 1, FC router 2, Edge fabric 1, Edge fabric 2, Edge fabric 3; legend: Fabric OS v5.3.0 or later, Fabric OS earlier than v5.3.0]. Displaying the current broadcast configuration Log in to the FC router as admin. Enter the following command: fcr:admin>...

  • Page 402

    In Fabric OS 5.3.0 and later, you can have 3000 LSAN zones configurable up to a maximum of 5000. On a dual-CP switch, both CPs must have 5.3.0 code or later to select 5000. If the active CP is running Fabric OS 5.3.0 or later with a maximum count of 5000 LSANs and the standby CP is running an earlier firmware version, HA synchronization will fail.

  • Page 403: Fc-fc Routing And Virtual Fabrics, Logical Switch Configuration For Fc Routing

    See the Fabric OS Command Reference for details about the fcrResourceShow command. FC-FC routing and Virtual Fabrics If Virtual Fabrics is not enabled, FC-FC routing behavior is unchanged. If Virtual Fabrics is enabled, in the FC-FC routing context, a base switch is like a backbone switch and a base fabric is like a backbone fabric. If Virtual Fabrics is enabled, the following rules apply: •...

  • Page 404: Backbone-to-edge Routing With Virtual Fabrics, Ex_ports In A Base Switch

    [Figure: Physical chassis 1 and Physical chassis 2 joined by a logical ISL. Logical switch 1 and Logical switch 5 (default logical switches), Fabric ID 128; Logical switch 2 and Logical switch 6, Fabric ID 1, allow XISL use; Logical switch 3 and Logical switch 7...]

  • Page 405: Upgrade And Downgrade Considerations For Fc-fc Routing, How Replacing Port Blades Affects Ex_port Configuration

    [Figure: Physical chassis 1 and Physical chassis 2 with an edge fabric, FID 20. Logical switch 1 and Logical switch 5 (default logical switches), Fabric ID 128; Logical switch 2 and Logical switch 6, Fabric ID 1, allow XISL use; Logical switch 3...]

  • Page 406: Range Of Output Ports, Displaying The Range Of Output Ports Connected To The Xlate Domains

    Range of output ports The edge fabric detects only one front domain from an FC router connected through multiple output ports. The output port of the front domain is not fixed to 0; the values can be in a range of 129–255. The range of the output ports connected to the xlate domain is also 129–255.

  • Page 407

    Fabric OS 6.2 administrator guide 405...

  • Page 408

    406 Using the FC-FC routing service...

  • Page 409: Administering Advanced Performance Monitoring, Advanced Performance Monitoring Overview, End-to-end Monitors

    Administering advanced performance monitoring Advanced Performance Monitoring overview This chapter describes the Advanced Performance Monitoring licensed feature. Additional performance monitoring features are provided through Web Tools and DCFM. See the Web Tools Administrator’s Guide and DCFM User’s Manual for information about monitoring performance using a graphical interface. Based on Frame Filtering technology and a unique performance counter engine, Advanced Performance Monitoring is a comprehensive tool for monitoring the performance of networked storage resources.

  • Page 410: End-to-end Performance Monitoring, Number Of Logical Switches That Support Performance Monitors

    Table 79 Number of Logical Switches that support performance monitors Platform Maximum number of Logical Maximum number of Logical Switches supported Switches on which monitors are supported HP StorageWorks DC SAN Backbone Director HP StorageWorks DC04 SAN Director Switch HP StorageWorks 8/40 SAN Switch HP StorageWorks 8/80 SAN Switch...

  • Page 411: Adding End-to-end Monitors

    You can monitor end-to-end performance using the perfMonitorShow command, as described in “Displaying monitor counters” on page 418. You can clear end-to-end counters using the perfMonitorClear command, as described in “Clearing monitor counters” on page 420. End-to-end monitors The maximum number of end-to-end monitors supported varies depending on the switch model: •...

  • Page 412: Monitoring The Traffic From Host A To Dev B

    where: slotnumber For bladed systems only, specifies the slot number of the port on which the monitor is to be added. For all other switches, this operand is not required. portnumber Specifies the port number. sourceID Specifies the 3-byte SID (source ID) of the originator device. destID Specifies the 3-byte DID (destination ID) of the destination device...

  • Page 413: Setting A Mask For An End-to-end Monitor

    Setting a mask for an end-to-end monitor End-to-end monitors count the number of words in Fibre Channel frames that match a specific SID/DID pair. If you want to match only part of the SID or DID, you can set a mask on the port to compare only certain parts of the SID or DID.

  • Page 414: Deleting End-to-end Monitors, Filter-based Performance Monitoring, Mask Positions For End-to-end Monitors

    must match only the AL_PA portion of the specified SID-DID pair. Each port can have only one EE mask. The mask is applied to all end-to-end monitors on the port. Individual masks for each monitor on the port cannot be specified. Received by port Transmitted from port SID mask...

  • Page 415: Adding Standard Filter-based Monitors

    • HP StorageWorks 8/40 SAN Switch • HP StorageWorks 400 Multi-Protocol Router • HP StorageWorks DC SAN Backbone Director • HP StorageWorks DC04 SAN Director Switch For the HP StorageWorks 4/256 SAN Directors, the maximum number of filters is 12 per port in any combination of standard filters and user-defined filters, except for the HP StorageWorks SAN Director 48 Port 4Gb FC blade.

  • Page 416: Custom Filter-based Monitors

    The following example adds filter-based monitors to slot 1, port 2 and displays the results: switch:admin> perfaddreadmonitor 1/2 SCSI Read filter monitor #0 added switch:admin> perfaddwritemonitor 1/2 SCSI Write filter monitor #1 added switch:admin> perfaddrwmonitor 1/2 SCSI Read/Write filter monitor #2 added switch:admin>...

  • Page 417: Adding Custom Filter-based Monitors, Deleting Filter-based Monitors, Isl Performance Monitoring, Predefined Values At Offset 0

    part of a filter definition. Offset 0 is a special case, which can be used to monitor the first 4 bytes of the frame (SOF). When the offset is set to 0, the values 0–7 that are checked against that offset are predefined as shown in Table 80...

  • Page 418: Top Talker Monitors

    An ISL monitor measures traffic to all reachable destination domains for an ISL, showing which destination domain is consuming the most traffic. If there are more than 16 domains, the monitor samples traffic and extrapolates the measurement. EE monitors on E_Ports are deleted when they become part of an ISL. ISL monitors are deleted when Top Talker is installed and are restored when Top Talker is deleted.

  • Page 419: Adding A Top Talker Monitor On An F_port

    combinations that are possible on a given port and provides a sorted output of the top talking flows. Also, if the number of flows exceeds the hardware resources, existing end-to-end monitors fail to get real time data for all of them; however, Top Talker monitors can monitor all flows for a given E_Port or F_Port (up to 10,000 flows).

  • Page 420: Adding Top Talker Monitors On All Switches In The Fabric (fabric Mode)

    where: slotnumber For enterprise-class platforms only (HP StorageWorks 4/256 SAN Director, HP StorageWorks DC SAN Backbone Director, and HP StorageWorks DC04 SAN Director Switch), the slot number. port The port number. The number of top talking flows to display, between 1 and 32. The maximum number of flows that are actually displayed depends on the platform: For HP StorageWorks 8/8 and 8/24 SAN Switches, HP StorageWorks 8/40 SAN Switch, HP StorageWorks 8/80 SAN Switch, and FC8-xx port...

  • Page 421: Deleting The Fabric Mode Top Talker Monitors

    If end-to-end monitors are present on remote switches running Fabric OS 6.1.0 or later, the command succeeds; however, on the remote switches, fabric mode fails and a raslog message is displayed on those switches. If end-to-end monitors are present on remote switches running Fabric OS 6.0.x, the command succeeds. If a new switch joins the fabric, you must run the perfTTmon --add fabricmode command on the new switch.

  • Page 422: Trunk Monitoring, Displaying Monitor Counters

    Trunk monitoring To monitor E_Port (ISL) and F_Port trunks, you can set monitors only on the master port of the trunk. If the master changes, the monitor automatically moves to the new master port. If a monitor is installed on a port that later becomes a slave port when a trunk comes up, the monitor automatically moves to the master port of the trunk.

  • Page 423

    The following example displays an end-to-end monitor on a port at 10-second intervals: switch:admin> perfMonitorShow --class EE 4/5 10 Showing EE monitors 4/5 10: Tx/Rx are # of bytes --------- --------- --------- --------- --------- ========= ========= ========= ========= ========= 4.9m 4.9m 4.9m 4.9m...

  • Page 424: Clearing Monitor Counters

    The following example displays filter monitor information on a port: switch:admin> perfMonitorShow --class FLT 2/5 There are 7 filter-based monitors defined on port 21. ALIAS OWNER_APP FRAME_COUNT OWNER_IP_ADDR ----------------------------------------------------------------- SCSI_Frame TELNET 0x00000000002c2229 SCSI_WR TELNET 0x000000000000464a SCSI_RW TELNET 0x000000000000fd8c SCSI_RW WEB_TOOLS 0x0000000000007ba3 192.168.169.40 SCSI_RW...

  • Page 425: Saving And Restoring Monitor Configurations

    The following example clears statistics counters for a filter-based monitor: switch:admin> perfMonitorClear --class FLT 1/2 4 Filter-based monitor number 4 counters are cleared switch:admin> perfMonitorClear --class FLT 1/2 This will clear ALL filter-based monitors' counters on port 2, continue? (yes, y, no, y): [no] y The following example clears statistics counters for an ISL monitor: switch:admin>...

  • Page 426: Performance Data Collection

    Performance data collection Data collected through Advanced Performance Monitoring is deleted when the switch is rebooted. Using the Data Center Fabric Manager (DCFM) Enterprise Edition, you can store performance data persistently. For details on this feature, see the DCFM Enterprise User Manual.

  • Page 427: Administering Extended Fabrics, Licensing For Extended Fabrics, Extended Fibre Channel Over Distance

    Administering extended fabrics Licensing for Extended Fabrics An Extended Fabrics license is required before you can implement long distance dynamic (LD) and long distance static (LS) distance levels. The LD and LS settings are necessary to achieve maximum performance results over Inter-Switch Links (ISLs) that are greater than 10 km. Use the Time-Based Temporary Licensing that can be generated with the expiration date embedded in the license key to activate the Extended Fabrics feature.

  • Page 428: Fibre Channel Data Frames

    The following table describes Fibre Channel data frames. Table 81 Fibre Channel data frames Fibre Channel Frame fields Field size Start of frame 4 bytes 32 bits Standard frame header 24 bytes 192 bits Data (payload) 0–2112 bytes 0–16,896 bits 4 bytes 32 bits End of frame...

  • Page 429: Fc Switch Port Buffer Credit Requirements For Long-distance Calculations

    FC switch port buffer credit requirements for long-distance calculations You can calculate how many ports can be configured for long distance on all Fabric OS 6.x capable switch modules. Following are the considerations for the calculation: • Each port is part of a port group that includes a pool of buffer credits that can be utilized. This is not the same as the port groups used for ISL Trunking.

  • Page 430: Displaying The Remaining Buffers In A Port Group

    Determine the desired distance in kilometers between the switch-to-switch connection. This example uses 50 km. Determine the speed that you will use for the long-distance connection. This example uses 2 Gb/s. Use the following formula to calculate the reserved buffers for distance: (Reserved Buffer for Distance Y) = (X * LinkSpeed / 2) + 6 Where: X = the distance determined in step 1 (in kilometers).

  • Page 431: Supported Distances

    Connect to the switch and log in as admin. Enter the portBufferShow command. switch:admin> portbuffershow 1 User Port Max/Resv Buffer Needed Link Remaining Port Type Mode Buffers Usage Buffers Distance Buffers ---- ---- ---- ------- ------ ------- --------- ----- - 484 Table 82 describes buffer credits and step 2...

  • Page 432

    Table 82 Buffer Credits (continued) Switch/blade model Total FC ports User port group size Unreserved (per buffers switch/blade) (per port group) HP StorageWorks 4/256 SAN Director 16 Port 4Gb Blade HP StorageWorks B-Series iSCSI Director Blade HP StorageWorks 4/256 SAN Director 32 Port 4Gb Blade HP StorageWorks 4/256 SAN Director 48 Port 4Gb...

  • Page 433: Buffer Credit Recovery

    Table 83 Supported Distances (continued) Maximum supported distances with 2112 Byte Frame Size (1-port allocated all unreserved buffer credits) in km @ Switch/blade model 1 Gb/s 2 Gb/s 4 Gb/s 8 Gb/s HP StorageWorks 400 Multi-Protocol Router HP StorageWorks 4/256 SAN Director 16 Port 4Gb Blade HP StorageWorks B-Series iSCSI Director Blade...

  • Page 434: Fabric Considerations For Buffer Credit Management, Configuring F_port Buffer Credits

    Virtual E_Ports and Virtual EX_Ports do not support long distance. The buffer credit recovery feature is enabled for the following flow control modes: Normal, Virtual Channel (VC), and Extended VC modes. An FC_Port that supports BB_Credit recovery maintains the following BB_Credit recovery values: •...

  • Page 435: Enabling Long Distance When Connecting To Time-division Multiplexing Devices

    (vc_translation_link_init) parameter of the portCfgLongDistance command is enabled for long-distance links. On switches running Fabric OS 6.2.0 or later, during port configuration, you can specify fill words used on long-distance links to be either ARBs or IDLEs in the VC_RDY flow control mode. The vc_translation_link_init parameter specifies the fill words used on long-distance links.

  • Page 436: Extended Fabrics Device Limitations, Configuring An Extended Isl, Administering Isl Trunking

    Disable the credit recovery; credit recovery is not compatible with the IDLE mode. If you do not disable the credit recovery, it continues to perform a link reset. switch:admin> portcfgcreditrecovery --disable <slot/port> Configure the port to support long-distance links. switch:admin>...

  • Page 437

    distance_level One of the following (the numerical value representing each distance_level is shown in parentheses): • L0 (0) Specify L0 to configure the port to be a regular (default) switch port. • LE (3) Specify LE mode for distances up to 10 km. •...

  • Page 438


  • Page 439: Isl Trunking Overview, Distribution Of Traffic Over Isl Trunking Groups

    20 Administering ISL trunking ISL Trunking overview This chapter contains procedures for using the B-Series Inter-Switch Link (ISL) Trunking licensed feature, which optimizes the use of bandwidth by allowing a group of inter-switch links to merge into a single logical link. ISL Trunking reduces or eliminates situations that require static traffic routes and individual ISL management to achieve optimal performance.

  • Page 440: Standard Trunking Criteria, Fabric Considerations For Isl Trunking

    B-Series Multi-Protocol Router Blade, and the HP StorageWorks DC04 SAN Director Switch using HP StorageWorks SAN Director 16 Port 8Gb FC blade, HP StorageWorks SAN Director 32 Port 8Gb FC blade, HP StorageWorks SAN Director 48 Port 8Gb FC blade, and the B-Series Multi-Protocol Router Blade support these advanced features: •...

  • Page 441: Initializing Trunking On Ports, Disabling And Re-enabling Ports, Lossless Dynamic Load Sharing On Trunk Ports

    • Trunking groups can be used to resolve ISL oversubscription if the total capability of the trunking group is not exceeded. • Consider how the addition of a new path will affect existing traffic patterns: • A trunking group has the same link cost as the master ISL of the group, regardless of the number of ISLs in the group.

  • Page 442: Configuring Lossless Dynamic Load Sharing On Trunk Ports, Lossless Dynamic Load Sharing In Virtual Fabrics

    • Change the existing path to a more optimal path. • Wait for sufficient time for frames already received to be transmitted. This is needed to maintain IOD. • Resume traffic. Configuring lossless dynamic load sharing on trunk ports Configure load sharing on trunk ports by using the iodSet command to specify that no frames are dropped while rebalancing or rerouting traffic: Connect to the switch and log in using an account assigned to the admin role.

  • Page 443: Adding A Monitor To An F_port Master Port

    Adding a monitor to an F_Port master port Connect to the switch and log in using an account assigned to the admin role. Enter the perfAddEEMonitor command. switch:admin> perfaddeemonitor 4 0x010400 0x020800 Adding monitor to the master port <port no.> of the F-Port Trunk. where 4 is a slave port of the F_Port Trunk.

  • Page 444: Enabling Or Disabling Isl Trunking On A Port

    The following example shows traffic flowing through a trunking group (ports 5, 6, and 7). After port 6 fails, traffic is redistributed over the remaining two links in the group, ports 5 and 7: switch:admin> portperfshow 4 5 6 7 Total -------------------------------------------------------------------- 0 145m 144m 145m 0 144m 143m 144m 431 0 162m 0 162m 0 186m 0 186m 372...

  • Page 445: Long-distance Mode Definitions

    On the HP StorageWorks 4/8 and 4/16 SAN Switches, HP StorageWorks 8/8 and 8/24 SAN Switches, HP StorageWorks SAN Switch 4/32, HP StorageWorks 4/256 SAN Director, HP StorageWorks 4/64 SAN Switch, HP StorageWorks 8/40 SAN Switch, and HP StorageWorks 8/80 SAN Switch, for long-distance ports, you should specify the port speed instead of setting it to autonegotiate.

  • Page 446: Setting The Same Speed For All Ports On The Switch

    Enter the portCfgSpeed command. The format is: portcfgspeed [slotnumber/]portnumber, speed_level where: slotnumber For bladed systems only, specify the slot number of the port to be configured, followed by a slash (/). This operand is required only for directors and enterprise-class platforms. portnumber Specifies the port number relative to its slot for bladed systems.

  • Page 447: Displaying Trunking Information, Trunking Over Extended Fabrics, Trunking Distances

    The following example sets the speed for all ports on the switch to 8 Gb/s: switch:admin> switchcfgspeed 8 Committing configuration...done. The following example sets the speed for all ports on the switch to autonegotiate: switch:admin> switchcfgspeed 0 Committing configuration...done. Displaying trunking information You can display all the trunks and members of a trunk, and whether the trunking port connection is the master port connection for the trunking group.

  • Page 448: F_port Masterless Trunking

    Table 85 Trunking support for HP StorageWorks SAN Switch 4/32 and HP StorageWorks 4/64 SAN Switch (Condor ASIC) Mode Distance Number of 2 Gb/s ports Number of 4 Gb/s ports 10 km 32 (four 8-port trunks) 32 (four 8-port trunks) 200 km 3 (one 3-port trunk) 250 km...

  • Page 449: F_port Trunking Considerations, Switch In Access Gateway Mode Without F_port Trunking

    • HP StorageWorks 4/256 SAN Director and the HP StorageWorks DC SAN Backbone Director platforms running Fabric OS 6.2.0. F_Port masterless trunking interoperates between Access Gateway (AG), 2 Gb/s, 4 Gb/s, and 8 Gb/s-based platforms. This feature does not work on M-EOS or third party switches. Figure 75 shows a switch in AG mode without F_Port masterless trunking.

  • Page 450: F_port Masterless Trunking Considerations

    Table 87 F_Port masterless trunking considerations Category Description Area assignment Statically assign the area within the trunk group on the edge switch. That group is the F_Port masterless trunk. The static trunk area you assign must fall within the ASIC's trunk group of the switch or blade starting from port 0 and must be one of the port’s default areas of the trunk group.

  • Page 451

    Table 87 F_Port masterless trunking considerations (continued) Category Description portCfgTrunkPort <port>, 0: The portCfgTrunkPort <port>, 0 command will fail if a Trunk Area is enabled on a port. The port Trunk Area must be disabled first. switchCfgTrunk 0: The switchCfgTrunk 0 command will fail if a port has TA enabled.

  • Page 452: Setting Up F_port Trunking, Pwwn Format For F_port And N_port Trunk Ports

    Table 87 F_Port masterless trunking considerations (continued) Category Description DCC policy DCC policy enforcement for the F_Port trunk is based on the Trunk Area; the FDISC requests to a trunk port are accepted only if the WWN of the attached device is part of the DCC policy against the TA.

  • Page 453: Assigning A Trunk Area, Trunk Group Configuration For The Hp Storageworks 8/40 San Switch

    trunking groups are based on the user port number, with contiguous eight ports as one group, such as 0–7, 8–15, 16–23 and up to the number of ports on the switch (see Figure 77). Figure 77 Trunk group configuration for the HP StorageWorks 8/40 SAN Switch Connect to the switch and log in using an account assigned to the admin role.

  • Page 454: Enabling F_port Trunking

    Show the TA port configuration (ports still disabled): switch:admin> porttrunkarea --show enabled Slot Port Type State Master ------------------------------------------- 125 125 125 126 ------------------------------------------- Enable ports 13 and 14: switch:admin> portenable 10/13 switch:admin> portenable 10/14 Show the TA port configuration: switch:admin> porttrunkarea --show enabled Slot Port Type...

  • Page 455

    Show switch and port information: switch:admin> switchshow switchName: SPIRIT_B4_01 switchType: 66.1 switchState: Online switchMode: Native switchRole: Principal switchDomain: switchId: fffc02 switchWwn: 10:00:00:05:1e:41:22:80 zoning: switchBeacon: FC Router: FC Router BB Fabric ID: 100 Area Port Media Speed State Proto ===================================== No_Module No_Module No_Module No_Module...

  • Page 456: Enabling The Dcc Policy On A Trunk Area, Disabling F_port Trunking, F_port Trunking Monitoring

    Online F-Port 2 NPIV public (Trunk master) Online F-Port (Trunk port, master is Port 36 ) Online F-Port (Trunk port, master is Port 36 ) Online F-Port (Trunk port, master is Port 36 ) Display TA-enabled port configuration: switch:admin> porttrunkarea --show enabled Port Type State...

  • Page 457: Configuration Management For Trunk Areas, Example: How Trunk Area Assignment Affect The Port Domain,index

    old master and install the monitor on the new master port. If you attempt to add a monitor to a slave port, it is automatically added to the master port instead. Configuration management for trunk areas Ports from different ADs are not allowed to join the same Trunk Area group. The portTrunkArea command prevents the different ADs from joining the TA group.

  • Page 458: F_port Authentication, Configuring E_port Authentication In Virtual Fabrics

    The following are considerations for F_Port trunking when you enable a Virtual Fabric: • If a port is enabled for F_Port trunking, you must disable the configuration before you can move a port from the Logical Switch. • If the user bound area for a port is configured using the portAddress command, the port cannot be configured as an F_Port trunk port.

  • Page 459

    Connect to the switch and log in using an account assigned to the admin role. switch:admin> fosconfig -enable vf WARNING: This is a disruptive operation that requires a reboot to take effect. All EX ports will be disabled upon reboot. Would you like to continue [Y/N] Specify the E_Ports to authenticate, for example 2, 3, and 4.

  • Page 460


  • Page 461: Configuring And Monitoring Fcip Extension Services, Fcip Concepts, Virtual Ports And Fcip Tunnels

    Configuring and monitoring FCIP extension services FCIP concepts Fibre Channel over IP (FCIP) enables you to connect Fibre Channel SANs over IP-based networks. The HP StorageWorks 400 Multi-Protocol Router and B-Series Multi-Protocol Router Blade use FCIP to encapsulate Fibre Channel frames within IP frames that can be sent over an IP network to a partner HP StorageWorks 400 Multi-Protocol Router or B-Series Multi-Protocol Router Blade.

  • Page 462: Compression On Fcip Tunnels, Traffic Shaping, Fcip Services License

    [Figure: FCIP network diagram; labels: Fibre Channel initiator, Data Center FC SAN, Office FC SAN, IP WAN Network, VE_Port, Brocade 7500, Brocade 48000 with FR4-18i Blade...]

  • Page 463: Qos Implementation Over Fcip, Dscp Quality Of Service, L2cos Quality Of Service

    enterprise-class platforms. The HP StorageWorks 400 Multi-Protocol Router and the B-Series Multi-Protocol Router Blade both have 16 physical Fibre Channel ports and 2 physical GbE ports. NOTE: The FCIP Tunneling Service for the HP StorageWorks 400 Multi-Protocol Router and B-Series Multi-Protocol Router Blade is not compatible with the XPath FCIP service, nor is it compatible with any other vendor’s implementation.

  • Page 464: Ipsec Implementation Over Fcip, Ipsec Terminology

    Table 91 Default Mapping of DSCP priorities to L2CoS Priorities (continued) Virtual Circuit (VC) DSCP priority/bits L2CoS priority/bits Assigned to: 15 / 001111 3 / 011 Medium QoS 19 / 010011 3 / 011 Medium QoS 23 / 010111 3 / 011...

  • Page 465: Ipsec Configuration, Ipsec Parameters

    Table 92 IPsec terminology (continued) Term Definition Encapsulating Security Payload is the IPsec protocol that provides confidentiality, data integrity and data source authentication of IP packets, and protection against replay attacks. Internet Key Exchange is defined in RFC 2407, RFC 2408 and RFC 2409. IKEv2 is defined in RFC 4306.

  • Page 466: Creating An Ike And Ipsec Policy, Fixed Policy Parameters, Modifiable Policy Parameters

    The first step to configuring IPsec is to create a policy for IKE and a policy for IPsec. Once the policies have been created, you assign the policies when creating the FCIP tunnel. IKE negotiates SA parameters and authenticates the peer using the preshared key authentication method. Once the two phases of the negotiation are completed successfully, the actual encrypted data transfer can begin.

  • Page 467: Displaying Ike And Ipsec Policy Settings

    where: type and number The type of policy being created (IKE or IPsec) and the number for this type of policy. To easily determine how many policies have been created, consider using sequential numbering. The range of valid values is any whole number from 1 through 32. encryption_method The supported type of encryption.

  • Page 468: Deleting An Ike And Ipsec Policy, Viewing Ipsec Information For An Fcip Tunnel

    The example below shows all of the IKE policies defined; in this example, there are two IKE policies. switch:admin> policy --show ike all IKE Policy 1 ----------------------------------------- Authentication Algorithm: MD5 Encryption: 3DES Perfect Forward Secrecy: off Diffie-Hellman Group: 1 SA Life (seconds): 0 IKE Policy 32 ----------------------------------------- Authentication Algorithm: SHA-1...

  • Page 469: Virtual Fabrics And Fcip, Tcp Byte Streaming

    The following example shows the portShow fcipTunnel command used to display IPsec information for tunnel 3: switch:admin> portshow fciptunnel 8/ge0 3 -ipsec Port: ge0 ------------------------------------------- Tunnel ID 3 Remote IP Addr 192.175.5.200 Local IP Addr 192.175.5.100 Remote WWN Not Configured Local WWN 10:00:00:05:1e:37:00:20 Compression off Fastwrite on...

  • Page 470: Supported Third Party Wan Optimizer Hardware, Options For Enhancing Tape I/o Performance

    The TCP Byte Streaming feature supports an FCIP frame that has been split into a maximum of eight separate TCP segments. If the frame is split into more than eight segments, it results in prematurely sending a frame to the FCIP layer with an incorrect size and the FCIP tunnel bounces. Only one tunnel is allowed to be configured for a GigE port that has TCP Byte Streaming configured.

  • Page 471: Constraints For Fcip Fastwrite And Tape Pipelining, Fcip Fastwrite And Tape Pipelining Configurations

    Constraints for FCIP Fastwrite and Tape Pipelining Consider the constraints described in Table 95 when configuring tunnels to use either of these features. Table 95 Using FCIP Fastwrite and Tape Pipelining FCIP Fastwrite Tape pipelining Each GbE port supports up to 2048 simultaneous Each GbE port supports up to 2048 simultaneous accelerated exchanges, which means a total of accelerated exchanges, which means a total of...

  • Page 472: Unsupported Configurations For Fastwrite And Tape Pipelining

    Figure 80 Multiple tunnels to multiple ports, Fastwrite and Tape Pipelining enabled on a per-tunnel/per-port basis Unsupported configurations for Fastwrite and Tape Pipelining The configurations shown in Figure 81 are not supported with Fastwrite and Tape Pipelining. These configurations use multiple equal-cost paths.

  • Page 473: Fc Fastwrite Concepts, Unsupported Configurations With Fastwrite And Tape Pipelining

    [Figure 81: Unsupported configurations with Fastwrite and Tape Pipelining (VE-VE or VEX-VEX)] FC Fastwrite concepts FC Fastwrite operates in Fibre Channel network topologies similar to the basic topology shown in Figure 82. FC Fastwrite provides accelerated speeds for SCSI Write operations over long distance Fibre...

  • Page 474: Platforms And Os Requirements For Fc Fastwrite, Constraints For Fc Fastwrite, How Fc Fastwrite Works

    Channel ISLs implemented through the FC-FC Routing Service rather than FCIP. FC Fastwrite is supported in Fabric OS 5.3.x and later. Figure 82 Typical network topology for FC Fastwrite Platforms and OS requirements for FC Fastwrite Fabric OS supports FC Fastwrite between two HP StorageWorks 400 Multi-Protocol Routers or two HP StorageWorks 4/256 SAN Directors with B-Series Multi-Protocol Router Blade connected by a Fibre Channel network.

  • Page 475: Fc Fastwrite Flow Configuration Requirements, Hardware Considerations For Fc Fastwrite, Configuring And Enabling Fc Fastwrite

    The PI continues to stage data received from the initiator, respond locally to a Transfer Ready, and send the data to the target device until the target device sends a Response (FCP_RSP). Figure 83 How FC Fastwrite works FC Fastwrite can improve write performance. Read performance is unaffected. The gains seen from enabling FC Fastwrite depend on several factors, including the following: •...

  • Page 476: Example: Enabling Fastwrite On A Switch

    Take the following steps to configure and enable FC Fastwrite. Create a zone configuration to filter FC Fastwrite flows. FC Fastwrite flows are configured by creating a zone name with an fcacc token as a prefix. For LSAN configuration, use lsan_fcacc as a prefix, as shown in the following example.

  • Page 477: Disabling Fc Fastwrite On A Blade Or Switch

    Use the portShow command to verify that FC Fastwrite is enabled. switch:admin> k portName: portHealth: HEALTHY Authentication: None portDisableReason: None portCFlags: 0x1 portFlags: 0x20b03 PRESENT ACTIVE F_PORT G_PORT U_PORT LOGICAL_ONLINE LOGIN NOELP ACCEPT portType: 10.0 portState: 1 Online portPhys: In_Sync portScn: F_Port port generation number:...

  • Page 478: Example: Disabling Fc Fastwrite On A Switch, Disabling Fc Fastwrite On A Port

    Example: Disabling FC Fastwrite on a switch switch:admin> fastwritecfg --disable 7 !!!! WARNING !!!! Disabling FC Fastwrite will require powering off and back on the and it may take up to 5 minutes. For non bladed system, the switch will be rebooted. Data traffic will be disrupted.

  • Page 479: Setting Persistently Disabled Ports, Configuring Vex_ports

    11. If you are implementing FICON emulation, configure FICON emulation using the portCfg ficon command. See Chapter 23, “Configuring and monitoring FICON Extension Services” on page 513 for specific instructions. If you are implementing FTRACE, configure FTRACE using the portCfg ftrace command. See the Fabric OS Troubleshooting and Diagnostics Guide.

  • Page 480: Creating Ip Interfaces And Routes

    Creating IP interfaces and routes The IP network connection between two HP StorageWorks 400 Multi-Protocol Routers or two FR4-18i blades or one HP StorageWorks 400 Multi-Protocol Router and one FR4-18i blade is configured by defining IP interfaces for origin and destination virtual ports, and then defining one or more IP routes to connect them.

  • Page 481

    The following example shows two routes being added to an interface: switch:admin06> portcfg iproute 8/ge0 create 192.168.11.0 255.255.255.0 192.168.100.1 1 switch:admin06> portcfg iproute 8/ge0 create 192.168.12.0 255.255.255.0 192.168.100.1 1 The following example verifies that the two routes have been successfully created: switch:admin06>...

  • Page 482: Creating An Fcip Tunnel

    -z size The size in bytes of the ping packet to use. The total size cannot be greater than the configured MTU size (see step 1). The default size is 64 bytes. The following example tests the connection between 192.175.5.100 and 192.175.5.200, switch:admin06>...

  • Page 483: Example: Creating An Fcip Tunnel

    Disables selective acknowledgement code (SACK) on the specified tunnel. Enables FCIP Fastwrite. Enables VC QoS mapping. Enables Read and Write Tape Pipelining on the specified tunnel. If Read and Write Tape Pipelining is enabled, Fastwrite must also be enabled. -n remote_wwn The remote-side FC entity WWN.

  • Page 484: Example: Creating An Fcip Tunnel With Fastwrite And Tape Pipelining Enabled

    Example: Creating an FCIP tunnel with FastWrite and Tape Pipelining enabled switch:admin> portcfg fciptunnel ge1 create 1 192.168.1.2 192.168.1.201 0 -f -t !!!! WARNING !!!! The fastwrite and tape pipelining features are incompatible with multiple equal cost paths. Please ensure that there are no multiple equal cost paths in your fabric before continuing.

  • Page 485

    is configured, and can be displayed by entering the portShow fciptunnel <ge_port> all command: switch0:admin> portshow fciptunnel ge0 all Port: ge0 ------------------------------------------- Tunnel ID 0 Tunnel Description Not Configured Remote IP Addr 10.10.12.100 Local IP Addr 10.62.0.100 Remote WWN Not Configured Local WWN 10:00:00:05:1e:38:58:61 Compression on Fastwrite on...

  • Page 486: Enabling Persistently Disabled Ports

    To verify that the VE_Port or VEX_Port is online, use the switchShow command to view and verify that the FCIP tunnel is online. switch:admin06> portenable 8/18 switch:admin06> portenable 8/19 switch:admin06> switchshow switchName:switch switchType:42.2 switchState:Online switchMode:Native switchRole:Subordinate switchDomain:4 switchId:fffc04 switchWwn:10:00:00:60:69:80:0d:bc zoning:ON (LSAN001) switchBeacon:OFF blade3 Beacon: blade4 Beacon:...

  • Page 487: Managing Fcip Tunnels

    Enter the portCfgShow command to verify that the port is persistently enabled as shown below: switch:admin06> portcfgpersistentenable 8/16 switch:admin06> portcfgpersistentenable 8/17 switch:admin06> portcfgpersistentenable 8/18 switch:admin06> portcfgpersistentenable 8/19 switch:admin06> portcfgshow Ports of Slot 8 9 10 11 12 13 14 15 -----------------+--+--+--+--+----+--+--+--+----+--+--+--+----+--+--+-- Speed AN AN AN AN...

  • Page 488

    Enter the portCfg fcipTunnel command to modify FCIP tunnels. You must specify at least one characteristic to modify. The command syntax is as follows: portCfg fciptunnel [slot/]ge[port] modify tunnel_id [-b comm_rate] [-c 0|1] [-s 0|1] [-f 0|1] [-k timeout] [-m time] [-q control_dscp] [-Q data_dscp] [-p control_L2Cos] [-P data_L2Cos] [-r retransmissions] [-t 0|1] [-bstr 0|1 TCP Byte Streaming] where:...

  • Page 489: Modifying And Deleting Qos Settings

    -P data_L2Cos The PL2 Class of Service/Priority, as defined by IEEE 802.1p, for the FCIP data connection. Range is 0-7. Default is 0. -bstr 0|1 Enables (1)/Disables (0) TCP Byte Streaming. The following example shows two FCIP tunnels created on slot 8, port ge0; the first with an uncommitted bandwidth (0), and the second with a committed bandwidth of 10000 bps: switch:admin>...

  • Page 490: Deleting An Fcip Tunnel, Deleting An Ip Interface (ipif), Deleting An Iproute

    Deleting an FCIP tunnel Connect to the switch and log in using an account assigned to the admin role. Enter the portCfg fciptunnel command to delete FCIP tunnels. The command syntax is as follows. portcfg fciptunnel [slot/]ge0|ge1 delete tunnel_id The following example shows two tunnels deleted on slot 8, port ge0: switch:admin>...

  • Page 491: Wan Performance Analysis Tools, Ipperf Option, Wan Tool Sessions With An Fcip Tunnel Online

    The following example adds an entry that tags all frames from IP address 192.168.10.1 destined for IP address 192.168.20.1 with a VLAN ID of 100, and a L2 CoS value of 3. switch:admin> portcfg vlantag 8/ge0 add 192.168.10.1 100 3 7 192.168.20.1 WAN performance analysis tools Introduced in Fabric OS 5.2.0, WAN analysis tools are designed to test connections, trace routes, and estimate the end-to-end IP path performance characteristics between a pair of B-Series FCIP port endpoints.

  • Page 492: Wan Tool Performance Characteristics, Wan Tool Analysis, Wan Tool Ipperf Syntax

    WAN tool performance characteristics Table 96 lists the end-to-end IP path performance characteristics that you can display using the portCmd ipPerf command and option. All four of the base ipPerf performance characteristics (bandwidth, loss, RTT, PMTU) are provided in the command output in Fabric OS 5.2.0 or later. Table 96 WAN tool performance characteristics Characteristic...

  • Page 493: Wan Tool Ipperf Syntax

    The following example shows the results of the performance analysis for slot 8, port ge0: ipperf to 192.41.70.43 from IP interface 192.41.70.42 on 0/1:3227 Sampling frequency(30s) Total time(30s) BW:112.73MBps WBW:55.57MBps Loss(%):0.00 Delay(ms):23 PMTU:1500 Sampling frequency(30s) Total time(60s) BW:112.77MBps WBW:83.61MBps Loss(%):0.00 Delay(ms):23 PMTU:1500 Sampling frequency(30s) Total time(90s) BW:112.43MBps WBW:97.46MBps Loss(%):0.00 Delay(ms):22 PMTU:1500...

  • Page 494: Testing A Connection

    Operates the WAN tool FCIP port-embedded client in the sender mode. The test endpoint will generate a traffic stream and report the end-to-end IP path characteristics from this endpoint toward the receiver endpoint. This option cannot be used with the -R option. Operates the WAN tool FCIP-port embedded client in the receiver mode.

  • Page 495: Tracing A Route

    -v vlan_id The VLAN ID. Values must be in the range of 1 - 4094. There is no default value. Note that a VLAN tag entry must exist on the local and remote sides prior to issuing the -v option. A VLAN Tag table entry will be dynamically maintained by the ipperf application. See the portCfg help page for details on creating a VLAN tag table.

  • Page 496: Fcip Tunnel Performance Characteristics

    FCIP tunnel performance characteristics You can use the portShow fcipTunnel command to view the performance statistics and monitor the behavior of an online FCIP tunnel. To view detailed fcipTunnel statistics, you must specify either the -perf or -params options. The command syntax is as follows. portShow fciptunnel [Slot]/ge0|ge1 all|tunnel ID -perf -params The following example shows the portCmd fcipTunnel with the -perf option to display performance characteristics of tunnel 0.

  • Page 497

    The following example shows the portCmd fcipTunnel with the parameters options to display the parameters of tunnel 0: switch:admin06> portshow fciptunnel 8/ge0 0 -params Slot: 8 Port: ge0 ------------------------------------------- Tunnel ID 0 Remote IP Addr 192.175.4.200 Local IP Addr 192.175.4.100 Remote WWN Not Configured Local WWN 10:00:00:60:69:e2:09:be Compression on...

  • Page 498

    556200 Bps 30s avg, 491394 Bps lifetime avg

  • Page 499: Ficon Fabrics, Fabric Os Support For Ficon

    22 FICON fabrics Fabric OS support for FICON IBM Fibre Connection (FICON®) is an industry-standard, high-speed input/output (I/O) interface for mainframe connections to storage devices. Fabric OS supports intermix mode operations, in which FICON and Fibre Channel technology work together. For specific information about intermix mode and other aspects of FICON, see the IBM Redbook, FICON®...

  • Page 500: Platforms Supporting Ficon, Types Of Ficon Configurations

    • Port binding is a security method for restricting host or storage devices that connect to particular switch ports. The DCC policy also binds device ports to switch ports. Policies range from completely restrictive to reasonably flexible, based on customer needs. SCC ACL with strict fabric-wide consistency is necessary for FICON switch binding.

  • Page 501: Control Unit Port (cup), Ficon And Ficon Cup In Virtual Fabrics, Example: The Configure Command

    predefined list of switches (domains) to exist in the fabric and prevents other switches from joining the fabric. This type of configuration is described in ”Configuring a high-integrity fabric” on page 500. Control Unit Port (CUP) Control Unit Port (CUP) protocol is used by IBM mainframe management programs to provide in-band management for FICON switches.

  • Page 502: Cup Limitations, Ficon Commands, Fabric Os Commands Related To Ficon And Ficon Cup

    will result in a port that appears as: Index Slot Port Address ======================== 3e0200 Port addresses that have not been assigned to a Logical Switch will appear as “uninstalled” in the PIB’s Port Descriptor. NOTE: The CUP port address will always be xxFExx. Port Addresses xxFExx and xxFFxx are unavailable to assign to physical ports.

  • Page 503: User Security Considerations, Switch Configuration

    Table 97 Fabric OS commands related to FICON and FICON CUP (continued) Command Description ficoncupshow fmsmode Displays the FICON Management Server mode setting for the switch. ficoncupshow modereg Displays the mode register bit settings for the switch. NOTE: The Fabric OS CLI supports only a subset of the management features for FICON fabrics. The full set of FICON CUP administrative procedures is available using the Data Center Fabric Manager and Web Tools software features.

  • Page 504: Preparing A Switch For Ficon, Single Switch Configuration, Configuring A High-integrity Fabric, Link Incidents

    Preparing a switch for FICON To verify and prepare a switch for use in a FICON environment, complete the following steps. Connect to the switch and log in using an account assigned to the admin role. Enter the switchShow command to verify that the switch and devices are online. Change the routing policy on the switch from the default exchange-based policy to the required port-based policy for those switches with FICON devices directly attached using the aptPolicy command when working from the command line.

  • Page 505: Setting Unique Domain Ids, Cascaded Configuration, Two Switches, Cascaded Configuration, Three Switches

    [Figure 84: Cascaded configuration, two switches (Domain ID = 21, Domain ID = 22)] [Figure 85: Cascaded configuration, three switches (Domain ID = 21, Domain ID = 22, Domain ID = 23)] Setting unique domain IDs In a cascaded configuration, each switch must have a unique domain ID, and insistent domain ID (IDID)

  • Page 506: Ficon Information, Registered Listeners, Node Identification Data, Fru Failures

    Enter the switchEnable command to re-enable the switch. switch:admin> configure Configure... Fabric parameters (yes, y, no, n): [no] yes Domain: (1..239) [3] 5 R_A_TOV: (4000..120000) [10000] E_D_TOV: (1000..5000) [2000] Data field size: (256..2112) [2112] Sequence Level Switching: (0..1) [0] Disable Device Probing: (0..1) [0] Suppress Class F Traffic: (0..1) [0] VC Encoded Address Mode: (0..1) [0] Per-frame Route Priority: (0..1) [0]...

  • Page 507: Port Swapping, Example: Port Swapping, Clearing The Ficon Management Database, Ficon Cup

    • For all switches defined in the fabric: ficonShow ilir fabric Port swapping If a port malfunctions, or if you want to connect to different devices without having to re-wire your infrastructure, you can move a port’s traffic to another port (swap ports) without changing the I/O Configuration Data Set (IOCDS) on the mainframe computer.

  • Page 508: Setting Up Ficon Cup, Ficon Management Server Mode, Enabling Fmsmode

    If Advanced Zoning is in use, see ”Zoning and PDCM considerations” on page 508. Setting up FICON CUP To set up FICON CUP, use the following procedure and be sure to perform the steps in the order indicated. Take the appropriate action based on whether you have both B- and M-series switches in your fabric: •...

  • Page 509: Disabling Fmsmode, Fmsmode And Ficon Cup, Setting Up Ficon Cup If Fmsmode Is Already Enabled

    • PDCM values are read from the IPL; the default is “Allow All.” • Advanced Zoning, if used, continues to be in force. If there are any differences in restrictions set up with Advanced Zoning and PDCM, the most restrictive rules are automatically applied. •...

  • Page 510: Mode Register Bit Settings, Setting The Mode Register Bits, Ficon Cup Mode Register Bits

    change it and notify the channel of the change. The channel will ask what the MIHPTO is set to during the time where it is bringing that link to the CUP online. The MIHPTO setting will persist across reboots, POR, and failovers. Setting this value to the upper end of the time range will allow the CUP to process more requests, such as at peak usage times, without timing out the channels.

  • Page 511: Persistently Enabling And Disabling Ports, Port And Switch Naming Standards

    To display the mode register bit HCP for the switch: switch:admin> ficoncupshow modereg HCP Setting the mode register bits Use the ficonCupSet modereg command to set the FICON CUP mode register bits for the local switch. Consider the following when changing mode register bits: •...

  • Page 512: Ficon Cup License Considerations, Zoning And Pdcm Considerations, Zoning And Link Incident Reporting

    • CUP employs 8-bit characters in port address names and switch names; Fabric OS employs 7-bit characters. When fmsmode is enabled, all characters greater than 0x40 and not equal to 0xFF (EBCDIC code page 37 [0x25]) are allowed in the name; therefore, it is possible for a channel to set a name with nonprintable characters.

  • Page 513: Uploading The Configuration Files, Downloading Configuration Files With Active=saved Mode Enabled

    Uploading the configuration files See Chapter 5, ”Maintaining the switch configuration file” on page 163 for more information on the configUpload command. When you execute the configUpload command, all the files saved in the file access facility are uploaded to a management workstation (there is a section in the uploaded configuration file labeled “FICON_CUP”...

  • Page 514: Sample Iocp Configuration File

    Table 99 FICON configuration worksheet (continued) FICON® Switch Configuration Worksheet FICON® Switch Manufacturer:___________________Type: _________ Model: ______ S/N: ________ HCD Defined Switch ID_________(Switch ID) Cascaded Directors No _____Yes _____ FICON® Switch Domain ID_________(Switch @) Corresponding Cascaded Switch Domain ID _____ Fabric Name ________________________________...

  • Page 515

    For more information on switch numbering, see the IBM publication FICON® Implementation Guide (SG24-6497-00). In the following sample IOCP configuration file, the UNIT value for FICON CUP definitions is 2032 for any FICON director regardless of vendor or platform. All B-Series switches require UNIT=2032 for the CUP definition.

  • Page 516


  • Page 517: Configuring And Monitoring Ficon Extension Services, Ficon Extension Products Licensing

    23 Configuring and monitoring FICON Extension Services This chapter describes the FICON extension concepts, configuration procedures, and tools and procedures for monitoring network performance. Commands described in this chapter require Admin or root user access. See the Fabric OS Command Reference for detailed information on command syntax. FICON extension products licensing Several specific licensed features are available for FICON extension.

  • Page 518: One Ethernet Interface, One Ip Route And One Fcip Tunnel Between Sites, Traffic Isolation Zoning

    FICON emulation requirement for a determinate path FICON emulation processing creates FICON commands and responses on extended FICON Channel Path IDs (CHPIDs), and must know exactly what exchanges are occurring between a Channel and a control unit (CU) on a CHPID to function correctly. For FICON Emulation processing to function correctly, the responses to Host I/O (channel I/O) must be carried on the same ISL as the commands.

  • Page 519: Ficon Emulation Configuration

    XRC emulation The eXtended Remote Copy (XRC) application is a DASD application that implements disk mirroring, as supported by the disk hardware architecture and a host software component called System Data Mover (SDM). The primary volume and the secondary mirrored volume may be geographically distant across an IP WAN.

  • Page 520

    • tape read pipelining. • -b 1|0 enables or disables FICON read block ID. 1 is enable, 0 is disable. • wrtMaxPipe value defines a maximum number of channel commands that may be outstanding at a given time during write pipelining. Too small of a value will result in poor performance. The value should be chosen carefully based upon the typical tape channel program that requires optimum performance.

  • Page 521: Ficon Emulation Configuration Values, Ficon Emulation Modification

    FICON emulation configuration values You can display the values configured for FICON emulation by issuing the portShow ficon command. The following example shows FICON emulation configuration values for port ge1: Sprint108:root> portshow ficon ge1 all Port: ge1 VE_STATUS TunnelId vePort vePortStatus veFeatureBitMap veHashEntryCount DOWN DOWN DOWN...

  • Page 522: Ficon Performance Statistics

    • -r 1|0 enables or disables tape read pipelining. 1 is enable, 0 is disable. • -t 1|0 enables or disables TIN/TUR emulation. 1 is enable, 0 is disable. This option should be enabled when one or all of the following features are enabled: •...

  • Page 523: Ficon Emulation Monitoring

    • -globals are general FICON Controls/Statistics. • -images are discovered Images (FCUB). • -emul represents emulated FDCBs. • -active represents active FDCBs. • -epcb is the emulation Control Block (port specific). • -fhpb is the FICON Host Path Block. • -fdpb adrs is the FICON Device Path Block.

  • Page 524

    Tape output example: TAPE EMULATION STATS +----------+----------------+-+-----+----+----+----+-----------+----------+------+----------+----+ | FDCB Ptr | Path |H|State|Emul|Emul|Rtry| Emulated |Emulated |RdAvg |Emulated |WtAvg | (0x) (0x) |Pipe|Q'd | Qd | Tape Ops |Read CCWs | Size |Write CCWs| Size | +----------+----------------+-+-----+----+----+----+-----------+----------+------+----------+----+ |0x10018A00|2463016406050000|H| 0x14|0x20|000E|0000| 13212| 125754| 32760| |0x1001E800|2463016406050001|H| 0x14|0x20|001A|0000| 13647| 128776| 32760|...

  • Page 525

    XRC output example: XRC EMULATION STATS +----------+----------------+-+-----+----+----+----+----+-----------+---+------+------+ | FDCB Ptr | Path |H|State|Cmds| Cmd|Data|Data| Emulated |Avg| RRS| RRS | (0x) (0x) | Qd | Max| Qd |Max | RRS Ops |RRS| TLF| Read| +----------+----------------+-+-----+----+----+----+----+-----------+---+------+------+ |0x1017DC00|24B100B20E11092B|H| 0x00|0000|000F|0000|0230| 47184|213| 25636| 16063| |0x104B4C00|24B100B20E1109F7|H| 0x00|0000|000F|0000|01E0| 3961|146| 41409| 26313| |0x104B5000|24B100B20E1109F8|H| 0x00|0000|000F|0000|1112| 3855|148| 41613| 27182|...

  • Page 526


  • Page 527: A Configuring The Pid Format, Pids And Pid Binding Overview, Fixed Addressing Mode

    Configuring the PID format PIDs and PID binding overview Port identifiers (called PIDs) are used by the routing and zoning services in Fibre Channel fabrics to identify ports in the network. All devices in a fabric must use the same PID format, so when you add new equipment to the SAN, you might need to change the PID format on legacy equipment.

  • Page 528: Impact Of Changing The Fabric Pid Format, Host Reboots

    PID formats HP StorageWorks switches employ the following types of PID formats: • VC encoded is the format defined by the HP Fibre Channel Switch 8 and 16. Connections to these switches are not supported in Fabric OS 4.0.0 and later. •...

  • Page 529: Static Pid Mapping Errors, Changes To Configuration Data, Pid Format Selection

    which is capable of addressing higher port counts. Changing from Native PID format to Core PID format changes the PID, which requires hosts that use port binding to be rebooted. Static PID mapping errors If you can avoid using drivers that employ static PID binding, you should do so. With the WWN or dynamic PID binding most typically used with drivers, changing the device’s PID does not affect the PID mapping.

  • Page 530: Evaluating The Fabric, Pid Format Recommendations For Adding New Switches

    NOTE: Switches that are queried using outside calls should be configured using PID 1 (core PID) to ensure that the correct port numbering is used in other management applications. Table 101 shows various combinations of existing fabrics, new switches added to those fabrics, and the recommended PID format for that combination.

  • Page 531: Changing The Pid Format

    • JBOD drive firmware versions • Multipathing software versions • HBA time-out values • Multipathing software timeout values • Kernel timeout values • Configuration of switch Make a list of manually configurable PID drivers. Some device drivers do not automatically bind by PID, but allow the operator to manually create a PID binding.

  • Page 532: Changing The Pid Format Online, Changing The Pid Format Offline, Pid Format Changes

    Changing the PID format Whether it is best to perform an offline or online update depends on the uptime requirements of the site. Following are some aspects of offline and online changes: • An offline update must have all devices attached to the fabric be offline. •...

  • Page 533: Hybrid Update, Changing To Core Pid Format

    Reenable the switches in the updated fabric one at a time. In a core/edge network, enable the core switches first. After the fabric has reconverged, use the cfgEnable command to update zoning. Bring the devices online in the order appropriate to the SAN. This usually involves starting up the storage arrays first, and the hosts last.

  • Page 534: Port Number To Area Id Conversion

    Before changing the PID format, determine if host reboots will be necessary. The section ”Host reboots” on page 524 summarizes the situations that may require a reboot. switch:admin> switchdisable switch:admin> configure Configure... Fabric parameters (yes, y, no, n): [no] y Domain: (1..239) [1] BB credit: (1..27) [16] R_A_TOV: (4000..120000) [10000]...

  • Page 535: Basic Procedure For Changing The Pid Format

    The following sections contain a basic procedure that summarizes the steps necessary to perform PID format changes without disrupting the fabric, and special procedures for HP/UX and AIX. Basic procedure for changing the PID format This process should be executed as part of the overall online or offline update process. However, it can be implemented in a stand-alone manner on a non-production fabric, or a switch that has not yet joined a fabric.

  • Page 536: Hp-ux Procedure For Changing The Pid Format

    At this point, all switches in the fabric are operating in the new addressing mode. HP-UX procedure for changing the PID format This procedure is not intended to be comprehensive. It provides a starting point from which a SAN administrator could develop a site-specific procedure for a device that binds automatically by PID, and cannot be rebooted due to uptime requirements.

  • Page 537: Aix Procedure For Changing The Pid Format

    # ioscan -funC disk Class H/W Path Driver S/W State H/W Type Description ------------------------------------------------------------------------------------- disk 0/0/1/1.2.0 adisk CLAIMED DEVICE SEAGATE ST39204LC /dev/dsk/clt2d0 /dev/rdsk/c1t2d0 disk 0/0/2/1.2.0 adisk CLAIMED DEVICE DVD-ROM 304 /dev/dsk/c3t2d0 /dev/rdsk/c3t2d0 disk 319 0/4/0/0.1.2.255.14.8.0 adisk CLAIMED DEVICE SEAGATE ST336605FC /dev/dsk/c64t8d0 /dev/rdsk/c64t8d0 disk 320 0/4/0/0.1.18.255.14.8.0 adisk NO_HW...

  • Page 538: Swapping Port Area Ids

    Rebuild the device entries for the affected fabric using the cfgMgr command. For example: cfgmgr -v This command might take several minutes to complete. 11. Perform the appropriate actions based on whether you are using or not using multipathing software: •...

  • Page 539: Physical Port Numbers And Logical Area Ids For Swapped Ports

    Disable the port swap feature: portswapdisable Table 102 Physical port numbers and logical area IDs for swapped ports Slot Slotport Swport Area

  • Page 540


  • Page 541: B Understanding Legacy Password Behavior, Password Management Information, Account/password Characteristics Matrix

    Understanding legacy password behavior This appendix provides password information for early versions of Fabric OS firmware. Password management information Table 103 describes the password standards and behaviors between various versions of firmware. Table 103 Account/password characteristics matrix Topic 4.0.0 4.1.0 to 4.2.0 4.4.0 and later Number of default accounts 4, chassis-based...

  • Page 542: Password Prompting Behaviors, Password Prompting Matrix

    Table 103 Account/password characteristics matrix (continued) Topic 4.0.0 4.1.0 to 4.2.0 4.4.0 and later Can passwd change Yes, but will ask for Yes; if users connect as 4.4.0 to 5.1.0 only: higher-level passwords? For the old password of admin, they can change Yes, if users connect as example, can admin change the higher-level...

  • Page 543: Password Migration During Firmware Changes, Password Recovery Options, Password Migration Behavior During Firmware Upgrade/downgrade

    Password migration during firmware changes Table 105 describes the expected outcome of password settings when upgrading or downgrading firmware for various Fabric OS versions. Table 105 Password migration behavior during firmware upgrade/downgrade Topic 4.4.0 to 5.0.1 5.0.1 and later Passwords used when upgrading to a Default accounts and passwords Default accounts and passwords newer firmware release for the first time.

  • Page 544

    540 Understanding legacy password behavior...

  • Page 545: C Mixed Fabric Configurations For Non-merge Sans

    Mixed fabric configurations for non-merge SANs For information on HP supported interop configurations, refer to the HP StorageWorks Fabric interoperability: merging fabrics based on M-Series and B-Series Fibre Channel switches on the following HP website: http://h18000.www1.hp.com/products/storageworks/san/documentation.html.

  • Page 546

    542 Mixed fabric configurations for non-merge SANs...

  • Page 547: D Migrating From An Mp Router To A 400 Mp Router

    Migrating from an MP Router to a 400 MP Router Introduction to MP Router upgrades This appendix describes how to upgrade routers in your fabric with the least disruption, while providing better performance and scalability. Improper implementation could lead to a change in the xlate Domain IDs and proxy device PIDs, which may cause disruption in the fabric.

  • Page 548: Dual Backbone Fabric Configuration

    Redundant configuration Figure 89 shows an example of a simple redundant configuration. The configuration shown in Figure shows that old routers can be removed one by one. For example, FC router 2 can be replaced with the new FC router. You are expected to maintain the connections to the edge fabrics and the other router, the same as with the old router.

  • Page 549: Configuring A New Fc Router

    In the Multi-Protocol Router, end devices are allowed to be directly connected, but these devices cannot be imported to other edge fabrics (using LSAN zones). During the upgrade process, these devices will face disruption unless there is redundancy support provided from the device end. 400 MP Router allows the end devices to be imported to edge fabrics.

  • Page 550

    546 Migrating from an MP Router to a 400 MP Router...

  • Page 551: E Inband Management, Inband Management Overview, Internal Ethernet Devices

    Inband Management Inband Management overview Inband Management on the HP StorageWorks 400 Multi-Protocol Router allows a management station to communicate to the CP through the GE ports for tasks such as downloading firmware, SNMP polling, SNMP traps, troubleshooting, and configuration. To facilitate this communication, the HP StorageWorks 400 Multi-Protocol Router uses IP forwarding and IP routing to forward IP traffic through the switch to the management station.

  • Page 552: Ip Address And Routing Management, Inband Management Process

    Figure 91 Inband Management process The NAT IP table is loaded and automatically configured on bootup. The source address NAT is configured on the inband management interfaces to use the address of the CP management interface (eth0). The switch automatically uses the IP address of the CP management interface to source address NAT the new inband management interfaces, so no additional configuration will be required.

  • Page 553: Setting The Ip Address For The Cp Inband Management Interface

    routeadd destination netmask [gateway]: Adds a route to the management station for an existing CP or GbE port (CP or GbE designation is made automatically). You must specify the destination IP address and the subnet mask when adding a management route. You must create the IP addresses for the CP and the GbE port interfaces before you can add a route to the routing table.

  • Page 554: Viewing Ip Addresses And Routes, Displaying Ip Routes

    is specified, it is assumed that the management station is on the same subnet as the external GE IP address, so no route is created on the GE port processor. Only a route on the CP is created with the internal GE port processor inband device address as the gateway.

  • Page 555: Fips, Examples Of Supported Configurations, Configuring A Management Station On The Same Subnet

    FIPS To maintain security while in FIPS mode, these devices will not function if FIPS mode is enabled. If these devices are configured and you try to enter FIPS mode, an error will occur. You must delete the configuration of these devices prior to entering FIPS mode. Examples of supported configurations The examples below demonstrate how to set up your HP StorageWorks 400 Multi-Protocol Routers using two different network scenarios.

  • Page 556: Configuring A Management Station On Different Subnets, Management Station On A Different Subnet

    b. Add the route on the Management Station that is going to the 7500 linux> route ge0 -host 10.1.2.20 gw 192.186.3.20 Configuring a Management Station on different subnets For a configuration with multiple subnets, the routes must be added to all intermediate hops in the network. To minimize the impact on IP traffic and limit the possibility that unnecessary access will be given, a host-specific route can be used on all routes specified for the HP StorageWorks 400 Multi-Protocol Routers.

  • Page 557

    Configure the routes on Router A. a. Configure the route going to the management address. 7500 L1 linux> route add -host 10.1.1.10 gw 192.168.1.10 b. Configure the route on the router going to the Management Station. linux> route add -net 192.168.3.0/24 gw 172.0.1.3 Configure the routes on Router B.

  • Page 558

    554 Inband Management...

  • Page 559: F Using Remote Switch, About Remote Switch, Remote Switch Capabilities

    Using Remote Switch This appendix provides information on the Remote Switch feature. About Remote Switch The Remote Switch feature, which aids in ensuring gateway compatibility, was formerly a licensed feature. Its functionality is now available as part of the Fabric OS standard feature set through the use of the portCfgIslMode command, which is described in “Gateway links”...

  • Page 560

    NOTE: Consult your gateway vendor for supported and qualified configurations. • R_A_TOV: Specify a Resource Allocation Timeout Value compatible with your gateway device. • E_D_TOV: Specify an Error Detect Timeout Value compatible with your gateway device. • Data field size: Specify the maximum Fibre Channel data field reported by the fabric. Verify the maximum data field size the network-bridge can handle.

  • Page 561: Index

    Index zone members address resolution protocol AAA service requests adding additional entries access automatic creation active ports creating entries browser support ADList changing account parameters Admin Domains CP blade about creating accounts access levels deleting accounts activating full fabric IP address changes AD255 log in fails adding members...

  • Page 562

    audience switch Auth policy changing authenticating users an account password authentication FID of logical switch configuring logical switch to base switch defining iSCSI VT to iSCSI initiator RADIUS configuration local RADIUS servers auto-leveling, FR4-18i blade CHAP iSCSI authentication required clearing performance monitor counters backbone fabric ID clearing zone configurations backbone-to-edge routing...

  • Page 563

    Speed LSAN tag zone mode defined switch AD configuration switch, RADIUS client zone configuration switch, single deleting Windows RADIUS client accounts zone Admin Domains zone, rules for alias connecting end-to-end monitors multiple EX_Ports to an edge fabric filter-based monitors connecting to devices logical switches connection RADIUS configuration...

  • Page 564

    related documentation FC device, adding to iSCSI virtual target domain ID, insistent FC Fastwrite domain, phantom FC router FC routing concepts supported platforms edge-to-edge routing FC routing types effective AD configuration FC targets effective zone configuration for iSCSI zone creation enabling listing discovery domain sets...

  • Page 565

    configuration, high-integrity fabric gateway disabling IDID mode gateway, remote switch disabling the management server mode GbE, see gigabit Ethernet displaying information gigabit Ethernet dynamic load sharing configuring enabling IDID mode enabling the management server mode fmsmode setting, displaying HA failover FRU failure monitoring hard zoning FRU failures...

  • Page 566

    assigning gigabit Ethernet, enabling port initiators IP Filter IQNs supported services IQNs, changing prefix IP routes IQNs, default prefix adding static IQNs, prefix IP-NAT LUN mapping to iSCSI VTs IPsec LUN mapping, advanced 3DES LUN mapping, basic network algorithms physical interface, enabling Authentication Header protocol port, enabling block cipher...

  • Page 567

    mapped via IQNs mapping Java support, SSL virtual target creation Java version ISL Trunking support for legacy FCR switches license MAC address, port advanced zoning making basic connections license ID managing licensed features accounts licenses zoning configurations in a fabric Extended Fabrics mask for end-to-end monitors license ID...

  • Page 568

    PROM port recovery activating recovery string activating POD rules enabling set PROM password expiration policy GbE, enabling password management information licenses password migration during firmware changes LUN mapping password policies numbering password prompting behaviors primary FCS password recovery options private key password strength policy PROM permissions and roles...

  • Page 569

    filter-based monitors PROM password licensed feature security level LSAN tags switch date and time members from a zone configuration the IP address ports from logical switches time zone zone configurations time zones zone members traffic prioritization renaming Admin Domains setting chassis configurations requirements setting port speeds Admin Domains...

  • Page 570

    switch firmware version, finding authenticating switch names using security certificates switch WWN in Admin Domains SWL, ISL Trunking support for symbols in text validating Admin Domain members system-defined Admin Domains VE_Ports verification check verify tags for LSAN zones device connectivity Tape Pipelining high availability (HA) Tape pipelining...

  • Page 571

    working with domain IDs resolving conflicts saved zone configuration displaying FC target information schemes displaying iSCSI virtual initiator information soft-zoning virtual target creation splitting a fabric WWNs storage-based switch WWNs in Admin Domains troubleshooting types viewing viewing configurations XISL, about zone configuration xlate domains clearing...

  • Page 573: Example Of A Brocade Dct File, Example Of The Dictiona.dcm File

    Figures: Windows 2000 VSA configuration (page 86); Example of a Brocade DCT file

  • Page 574

    59 A metaSAN with interfabric links (page 369); 60 A metaSAN with edge-to-edge and backbone fabrics and LSAN zones

  • Page 575: Switch Model Naming Matrix, Document Conventions, Default Administrative Account Names And Passwords

    Tables: Switch model naming matrix (page 25); Document conventions

  • Page 576

    59 Enforcing hardware zoning (page 238); 60 Considerations for zoning architecture
