HP A7533A - Brocade 4Gb SAN Switch Base Administrator's Manual

HP StorageWorks Fabric OS 6.1.1 administrator guide (5697-0235, December 2009)


HP StorageWorks
Fabric OS 6.1.1 administrator guide
Part number: 5697-0235
edition: November 2009



  Summary of Contents for HP A7533A - Brocade 4Gb SAN Switch Base

  • Page 1 HP StorageWorks Fabric OS 6.1.1 administrator guide Part number: 5697-0235 edition: November 2009...
  • Page 2 © Copyright 2008 Brocade Communications Systems, Incorporated. Hewlett-Packard Company makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
  • Page 3: Table Of Contents

    Contents About this guide ............19 Supported Fabric OS 6.1.x HP StorageWorks hardware.
  • Page 4 Reserving a license ............43 Releasing a port from a POD set .
  • Page 5 Setting the boot PROM password without a recovery string ....... . 86 4/256 SAN Director and DC SAN Backbone Director (short name, DC Director) .
  • Page 6 E_Port authentication ............119 Device authentication policy .
  • Page 7 6 Managing administrative domains ........153 Admin Domain features .
  • Page 8 Director restrictions for downgrading ..........186 FIPS Support .
  • Page 9 FC4-48 and FC8-48 blade exceptions ......... . . 230 Conserving power .
  • Page 10 Generating an iSCSI VT for a specific FC target ........267 Manual iSCSI VT creation.
  • Page 11 QoS: SID/DID traffic prioritization ..........306 QoS zones .
  • Page 12 End-to-end monitors ............344 Adding end-to-end monitors .
  • Page 13 F_Port Trunking Monitoring ........... . . 383 Configuration management for trunk areas .
  • Page 14 ............... . 421 21FICON fabrics .
  • Page 15 FICON performance statistics............446 FICON emulation monitoring .
  • Page 16 11 Zoning example ............195 12 Hardware-enforced non-overlapping zones .
  • Page 17 License requirements ............37 AuditCfg event class operands .
  • Page 18 63 Default index/area_ID core PID assignment with no port swap ......227 64 Director terminology and abbreviations ..........231 65 Port blades supported by each Director .
  • Page 19: About This Guide

    About this guide This guide provides information about: • Installing and configuring Fabric OS 6.1.x • Managing user accounts • Using licensed features Supported Fabric OS 6.1.x HP StorageWorks hardware Table 1 lists Brocade and HP StorageWorks product models supported by Fabric OS 6.1.x. Table 1 Switch model naming matrix Brocade product name...
  • Page 20: Intended Audience

    Intended audience This guide is intended for system administrators with knowledge of: • Storage area networks • HP StorageWorks Fibre Channel SAN switches Related documentation The following documents provide related information: • HP StorageWorks Fabric OS 6.1.x release notes • Web Tools administrator’s guide You can find these documents from the Manuals page of the HP Business Support Center website:
  • Page 21: Rack Stability

    NOTE: Provides additional information. TIP: Provides helpful hints and shortcuts. Rack stability Rack stability protects personnel and equipment. WARNING! To reduce the risk of personal injury or damage to equipment: • Extend leveling jacks to the floor. • Ensure that the full weight of the rack rests on the leveling jacks. •...
  • Page 22: Subscription Service

    Subscription service HP recommends that you register your product at the Subscriber's Choice for Business website: After registering, you will receive e-mail notification of product enhancements, new driver versions, firmware updates, and other product resources. HP websites For additional product information, see the following HP websites: •...
  • Page 23: Standard Features

    Standard features This chapter describes how to configure your HP StorageWorks SAN using the Fabric OS Command Line Interface (CLI). Before you can configure a Storage Area Network (SAN), you must power-up the Director or switch and blades, and then set the IP addresses of those devices. Although this chapter focuses on configuring a SAN using the CLI, you can also use the following methods to configure a SAN: •...
  • Page 24: Connecting To The Cli

    The following commands provide help files for specific topics to understand configuring your SAN:
    diagHelp: Diagnostic help information
    ficonHelp: FICON help information
    fwHelp: Fabric Watch help information
    iscsiHelp: iSCSI help information
    licenseHelp: License help information
    perfHelp: Performance Monitoring help information
    routeHelp: Routing help information
    trackChangesHelp: Track Changes help information...
  • Page 25: Using A Console Session On The Serial Port

    The login prompt is displayed when the Telnet connection finds the switch in the network. Enter the account ID at the login prompt. See ”Changing passwords” on page 25 for instructions on how to log in for the first time. Enter the password. If you have not changed the system passwords from the default, you are prompted to change them.
  • Page 26: Changing Default Account Passwords At Login

    NOTE: The default account passwords can be changed from their original value only when prompted immediately following the login; the passwords cannot be changed using the passwd command later in the session. If you skip the prompt, and then later decide to change the passwords, log out and then back in. The default accounts on the switch are admin, user, root, and factory.
  • Page 27: Configuring The Ethernet Interface

    To skip a single prompt press Enter. To skip all of the remaining prompts press Ctrl-c. login: admin Password: Please change your passwords now. Use Control-C to exit or press 'Enter' key to proceed. for user - root Changing password for root Enter new password: ******** Password changed.
  • Page 28: Setting Static Ethernet Addresses

    Issue the ipAddrShow command: 200E:admin> ipaddrshow SWITCH Ethernet IP Address: Ethernet Subnetmask: Fibre Channel IP Address: none Fibre Channel Subnetmask: Gateway IP Address: DHCP: Off IPv6 Autoconfiguration Enabled: No Local IPv6 Addresses: static 1080::9:800:400c:416a/64 If the Ethernet IP address, subnet mask, and gateway address are displayed, the network interface is configured.
  • Page 29: Activating Dhcp

    Enter the network information in dotted-decimal notation for the Ethernet IPv4 address and in semicolon-separated notation for IPv6. Example of setting logical switch (sw0)'s IPv6 address on an enterprise-class platform: ecp:admin> ipaddrset -ipv6 -sw 0 --add 1080::8:800:200C:417B/64 IP address is being changed...Done. Enter the Ethernet Subnetmask at the prompt.
  • Page 30: Disabling Dhcp

    When you are prompted for DHCP[Off], enable it by entering on at the prompt: switch:admin> ipaddrset Ethernet IP Address []: Ethernet Subnetmask []: Fibre Channel IP Address []: Fibre Channel Subnetmask []: Gateway IP Address []: DHCP [Off]:on Disabling DHCP When you disable DHCP, enter the static Ethernet IP address and subnet mask of the switch and default gateway address.
  • Page 31: Setting Time Zones

    • yy is the year; valid values are 00 through 99 (values greater than 69 are interpreted as 1970 through 1999, and values less than 70 are interpreted as 2000-2069). switch:admin> date Fri Sep 29 17:01:48 UTC 2007 switch:admin> date "0927123007" Thu Sep 27 12:30:00 UTC 2007 switch:admin>...
  • Page 32: Synchronizing Local Time Using Ntp

    The following example shows how to display the current time zone setup and how to change the time zone to US/Central. switch:admin> tstimezone Time Zone : US/Pacific switch:admin> tstimezone US/Central switch:admin> tstimezone Time Zone : US/Central The following procedure sets the current time zone to Pacific Standard Time using interactive mode: Connect to the switch and log in using an account assigned to the admin role.
  • Page 33: Customizing Switch Names

    optional; by default, this value is LOCL, which uses the local clock of the principal or primary switch as the clock server. switch:admin> tsclockserver LOCL switch:admin> tsclockserver "" switch:admin> tsclockserver switch:admin> The following example shows how to set up more than one NTP server using a DNS name: switch:admin>...
  • Page 34: Licensed Features

    Connect to a switch and log in using an account assigned to the admin role. Issue the fabricShow command. Fabric information is displayed, including the Domain ID (D_ID) switch:admin> fabricshow Switch ID Worldwide Name Enet IP Addr FC IP Addr Name ------------------------------------------------------------------------- 64: fffc40 10:00:00:60:69:00:06:56...
  • Page 35: Generating A License Key

    35 to activate. If you do not have a license key, launch an Internet browser and go to: The Hewlett-Packard Authorization Center website main menu displays. Click Generate a license key. The HP StorageWorks Software License Key instruction page opens: Enter the information in the required fields.
  • Page 36: Removing A Licensed Feature

    If you move a standby CP from one Director to another, the active CP will propagate its configuration (including license keys). Verify that the license was added by issuing the licenseShow command. The licensed features currently installed on the switch are listed. If the feature is not listed, issue the licenseAdd command again.
  • Page 37: Features And Required Licenses

    Features and required licenses Table 4 lists the licenses that should be installed on the local switch and any connecting switches for a particular feature. Table 4 License requirements Feature License Where license should be installed Administrative No license required. Domains Configuration No license required.
  • Page 38: Inter-Chassis Link (Icl) Licensing

    Table 4 License requirements Feature License Where license should be installed Adaptive Networking Local switch and attached switches. RADIUS No license required. RBAC No license required. Routing traffic No license required. This includes port-based or exchange-based routing, static routes, frame-order delivery, and dynamic routes. Security No license required.
  • Page 39: Time-Based Licenses

    • When you remove the 8-Gbps license, the ports that are online and already running at 8-Gbps are not disturbed until the port goes offline or the switch is rebooted. The switch’s ports return to their pre-licensed state maximum speed of 4-Gbps. Time-based licenses A time-based license applies a try-before-you-buy approach to certain features so that you can experience the feature and its capabilities prior to buying the license.
  • Page 40: Activating Pod

    need to generate a license key from a transaction key supplied with your purchase, see ”Generating a license key” on page 35. Each POD license activates the next group of eight ports in numerical order. For example, the 4/8 SAN Switch or 4/16 SAN Switch activates the first eight with four port increments.
  • Page 41: Displaying The Port License Assignment

    Displaying the port license assignment Use the licensePort --show command to display the available licenses. You can also view the current port assignment of those licenses and the POD method state (dynamic or static). To display the port licenses: Connect to the switch and log in on an account assigned to the admin role. Issue the licensePort --show command.
  • Page 42: Disabling Dynamic Ports On Demand

    Issue the licensePort --show command to verify that the switch started the Dynamic POD feature. switch:admin> licenseport --show 24 ports are available in this switch Full POD license is installed Dynamic POD method is in use 24 port assignments are provisioned for use in this switch: 12 port assignments are provisioned by the base switch license 12 port assignments are provisioned by a full POD license 8 ports are assigned to installed licenses:...
  • Page 43: Reserving A License

    Reserving a license Reserving a license for a port assigns a POD license to that port whether the port is online or offline. That license will not be available to other ports that come online before the specified port. To allocate a license to a specific port instead of automatically assigning licenses as the ports come online, reserve a license for the port.
  • Page 44: Releasing A Port From A Pod Set

    Releasing a port from a POD set Releasing a port removes it from the POD set; the port appears as unassigned until it comes back online. Persistently disabling the port ensures that the port cannot come back online and be automatically assigned to a POD assignment.
  • Page 45: Disabling And Enabling Ports

    Disabling and enabling ports By default, all licensed ports are enabled. You can disable and reenable them as necessary. Ports that you activate with Ports on Demand must be enabled explicitly, as described in ”Activating POD” on page 40. WARNING! The fabric will be reconfigured if the port you are enabling or disabling is connected to another switch.
  • Page 46: Connecting To Other Switches

    the device. When powering the devices back on, wait for each device to complete the fabric login before powering on the next one. Connecting to other switches See the hardware reference guide for your specific switch for interswitch link (ISL) connection and cable management information.
  • Page 47: Checking Switch Status

    Specify a slot/port number pair. Valid values for slot and port number vary depending on the switch type. The mode operand is required: specify 1 to enable ISL R_RDY mode (gateway link) or specify 0 to disable it. In the following example, slot 2, port 3 is enabled for a gateway link: switch:admin>...
  • Page 48: Fabric Connectivity

    Fabric connectivity To verify fabric connectivity: Connect to the switch and log in using an account assigned to the admin role. Issue the fabricShow command. This command displays a summary of all the switches in the fabric. switch:admin> fabricshow Switch ID Worldwide Name Enet IP Addr FC IP Addr...
  • Page 49: Tracking And Controlling Switch Changes

    Tracking and controlling switch changes The track changes feature allows you to keep a record of specific changes that may not be considered switch events, but may provide useful information. The output from the track changes feature is dumped to the system messages log for the switch.
  • Page 50 Issue the switchStatusPolicyShow command. Whenever there is a switch change, an error message is logged and an SNMP connUnitStatusChange trap is sent. The output is similar to the following: switch:admin> switchstatuspolicyshow The current overall switch status policy parameters: Down Marginal ---------------------------------- PowerSupplies Temperatures...
  • Page 51: Configuring The Audit Log

    HP StorageWorks 4/8 SAN Switch and 4/16 SAN Switch, 8/8 SAN Switch, 8/24 SAN Switch, 8/40 SAN Switch, 8/80 SAN Switch, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 400 Multi-protocol Router: switch:admin>...
  • Page 52: Auditable Event Classes

    system message log on an external host in the specified audit message format. This ensures that they can be easily distinguished from other system message log events that occur in the network. Then, at some regular interval of your choosing, you can review the audit events to look for unexpected changes. Before you configure audit event logging, familiarize yourself with the following audit event log behaviors and limitations: •...
  • Page 53 NOTE: Only the active CP can generate audit messages because event classes being audited occur only on the active CP. Audit messages cannot originate from other blades in a Director. Audit events have the following message format: AUDIT, <Timestamp>, [<Event ID>], <Severity>, <Event Class>, <User ID>/<Role>/<IP address>/<Interface>,<Admin Domain>/<Switch name>,<Reserved>,<Event-specific information>...
  • Page 54: Switch And Platform-Class Platform Shutdown

    To verify the audit event log setup, make a change affecting an enabled event class, and confirm that the remote host machine receives the audit event messages. The following example shows the SYSLOG (system message log) output for audit logging. 2 08:33:04 [] raslogd: AUDIT, 2006/06/02-15:25:53, [SULB-1003], INFO, FIRMWARE, root/root/NONE/console/CLI, ad_0/ras007_chassis, , Firmwarecommit has started.
  • Page 55: High Availability Of Daemon Processes

    High Availability of daemon processes Fabric OS 6.x supports automatic restart of non-critical daemons. Starting these non-critical daemons is automatic; you cannot configure the startup process. The following sequence of events occurs when a non-critical daemon fails: When a non-critical daemon fails or dies, a RASLog and AUDIT event message is logged. The daemon is automatically started again.
  • Page 56 Standard features...
  • Page 57: Managing User Accounts

    Managing user accounts This chapter provides information and procedures on managing authentication and user accounts for the switch management channel. Overview In addition to the default accounts—root, factory, admin, and user—Fabric OS supports up to 252 additional user-defined accounts in each logical switch (domain). These accounts expand your ability to track account access and audit administrative activities.
  • Page 58: Role-Based Access Control (Rbac)

    Role-Based Access Control (RBAC) Role-Based Access Control (RBAC) defines the capabilities that a user account has, based on the role the account has been assigned. For each role, there is a set of pre-defined permissions on the jobs and tasks that can be performed on a fabric and its associated fabric elements.
  • Page 59: Role Permissions

    Role permissions Table 9 describes the types of permissions that are assigned to roles. Table 9 Permission types Abbreviation Definition Description Observe The user can run commands using options that display information only, such as running userConfig --show -a to show all users on a switch.
  • Page 60 Table 10 RBAC permissions matrix (continued) Category Role permission User Operator Switch Zone Fabric Basic Admin Security admin admin admin switch admin admin HA (High Availability) iSCSI License LDAP Local User Environment Logging Management Access Configuration Management Server Name Server Nx_Port Management Physical Computer System Port Mirroring...
  • Page 61: Managing The Local Database User Accounts

    Managing the local database user accounts User add, change, and delete operations are subject to the subset rule: an admin with ADlist 0-10 cannot perform operations on an admin, user, or any role with an ADlist 11-25. The user account being changed must have an ADlist that is a subset of the account that is making the change.
  • Page 62 To create an account: Connect to the switch and log in using an admin account. Issue the following command: userConfig --add <username> -r <rolename> [-h <admindomain_ID>] [-a <admindomain_ID_list>] [-d <description>] [-x] where: username Specifies the account name, which must begin with an alphabetic character.
  • Page 63: Recovering Accounts

    To change account parameters: When changing account parameters, if you change the ADlist for the user account, all of the currently active sessions for that account will be logged out. For more information about changing the Admin Domain on an account, see Chapter 6, ”Managing administrative domains”...
  • Page 64: Configuring The Local User Database

    • Only users with Admin roles can change the password for another account. When changing an Admin account password, you must provide the current password. • An admin with ADlist 0-10 cannot change the password on an admin, user, or any role with an ADlist 11-25.
  • Page 65: Protecting The Local User Database From Distributions

    where <switch_list> is a semicolon-separated list of switch Domain IDs, switch names, or switch WWN addresses. You can also specify -d "*" to send the local user database only to Fabric OS 5.2.0 or later switches in the fabric. Protecting the local user database from distributions Fabric OS 5.2.0 and later allow you to distribute the user database and passwords to other switches in the fabric.
  • Page 66: Setting The Password History Policy

    • Digits Specifies the minimum number of numeric digits that must appear in the password. The default value is zero. The maximum value must be less than or equal to the MinLength value. • Punctuation Specifies the minimum number of punctuation characters that must appear in the password. All printable, non-alphanumeric punctuation characters except the colon ( : ) are allowed.
  • Page 67: Upgrade And Downgrade Considerations For Password Management

    Specifies the minimum number of days that must elapse before a user can change a password. MinPasswordAge values range from 0 to 999. The default value is zero. Setting this parameter to a non-zero value discourages users from rapidly changing a password in order to circumvent the password history setting to select a recently-used password.
  • Page 68 NOTE: Note that the account-locked state is distinct from the account-disabled state. Use the following attributes to set the account lockout policy: • LockoutThreshold Specifies the number of times a user can attempt to log in using an incorrect password before the account is locked.
  • Page 69: Denial Of Service Implications

    To enable the admin lockout policy: Log in to the switch using an admin or securityAdmin account. Issue the following command: passwdCfg --enableadminlockout The policy is now enabled. To unlock an account: Log in to the switch using an admin or securityAdmin account. Issue the following command: userConfig --change <account_name>...
  • Page 70: Authentication Configuration Options

    To enable LDAP service, you will need to install a certificate on the Microsoft Active Directory server. The configuration applies to all switches and on a Director the configuration replicates itself on a standby CP blade if one is present. It is saved in a configuration upload and applied in a configuration download. You should configure at least two RADIUS servers so that if one fails, the other will assume service.
  • Page 71: Creating Fabric Os User Accounts

    Table 12 Authentication configuration options (continued) aaaConfig options Description Equivalent setting in Fabric OS 5.1.0 and earlier radius switchdb Replaces --radiuslocalbackup. --authspec “radius;local” Authenticates management connections --backup against any RADIUS databases. If RADIUS fails because the service is not available, authenticates against the local user database.
  • Page 72: Managing Fabric Os Users On The Radius Server

    Table 13 Syntax for VSA-based account roles (continued) Item Value Description Vendor type 1 octet, Brocade-Auth-Role; valid attributes for the Brocade-Auth-Role are: SwitchAdmin ZoneAdmin FabricAdmin BasicSwitchAdmin Operator User Admin Optional: Specifies the Admin Domain member list. For more information, see ”RADIUS configuration and Admin Domains”...
  • Page 73: Linux Freeradius Server

    Figure 1 Windows 2000 VSA configuration Linux FreeRadius server For the configuration on a Linux FreeRadius server, define the following in a vendor dictionary file called dictionary.brocade. Include the values outlined in Table Table 14 dictionary.brocade file entries Include Value VENDOR Brocade 1588...
  • Page 74: Configuring The Radius Server

    • ADList is a comma-separated list of Administrative Domain numbers to which this account is a member. Valid numbers range from 0 to 255, inclusive. A dash between two numbers specifies a range. Multiple ADList key-value pairs within the same or across the different Vendor-Type codes are concatenated. Multiple occurrences of the same AD number are ignored.
  • Page 75 To add the Brocade attribute to the server: Create and save the file $PREFIX/etc/raddb/dictionary.brocade with the following information: # Brocade FabricOS 5.0.1 dictionary VENDOR Brocade 1588 # attribute 1 defined to be Brocade-Auth-Role # string defined in user configuration ATTRIBUTE Brocade-Auth-Role 1 string Brocade This defines the Brocade vendor ID as 1588, the Brocade attribute 1 as Brocade-Auth-Role, and it is a...
  • Page 76: Configuring Radius Server Support With Windows 2000

    Save the file $PREFIX/etc/raddb/client.config and then start the RADIUS server as follows: $PREFIX/sbin/radiusd Configuring RADIUS server support with Windows 2000 The instructions for setting up RADIUS on a Windows 2000 server are listed here for your convenience but are not guaranteed to be accurate for your network environment. Always check with your system administrator before proceeding with setup.
  • Page 77: Rsa Radius Server

    e. After returning to the Internet Authentication Service window, add additional policies for all login types for which you want to use the RADIUS server. After this is done, you can configure the switch. RSA RADIUS server Traditional password-based authentication methods are based on one-factor authentication, where you confirm your identity using a memorized password.
  • Page 78: Ldap Configuration And Microsoft's Active Directory

    ########################################################################### # brocade.dct -- Brocade Dictionary # (See readme.dct for more details on the format of this file) ########################################################################### # Use the Radius specification attributes in lieu of the Brocade one: @radius.dct MACRO Brocade-VSA(t,s) 26 [vid=1588 type1=%t% len1=+2 data=%s%] ATTRIBUTE Brocade-Auth-Role Brocade-VSA(1,string) r ###########################################################################...
  • Page 79 LDAP in FIPS mode, see ”Configuring advanced security features” on page 107. The following are restrictions when using LDAP: • In Fabric OS 6.1.x and later there will be no password change through Active Directory. • There is no automatic migration of newly created users from local switch database to Active Directory. This is a manual process explained later.
  • Page 80: Adding The Adlist

    Adding the adlist From the Windows Start menu, select Programs > Administrative Tools > ADSI.msc ADSI is a Microsoft Windows Resource Utility. This will need to be installed to proceed with the rest of the setup. For Windows 2003, this utility comes with Service Pack 1 or you can download this utility from the Microsoft website.
  • Page 81 Secret The shared secrets. Timeouts The length of time servers have to respond before the next server is contacted. Authentication The type of authentication being used on servers. To add a RADIUS server to the switch configuration: Connect to the switch and log in using an admin account. Issue the following command: switch:admin>...
  • Page 82 If no RADIUS or LDAP configuration exists, turning on the RADIUS authentication mode triggers an error message. When the command succeeds, the event log indicates that the configuration is enabled or disabled. NOTE: When the RADIUS authentication mode is set to radius;local, you cannot downgrade the Fabric OS to any version earlier than 5.2.0.
  • Page 83: Configuring Local Authentication As Backup

    Issue the following command: switch:admin> aaaConfig --change server [-p port] [-t timeout] [-d domain_name] where: Enter either a server name or IPv4 address. Microsoft’s Active Directory server does not support IPv6 addresses. Avoid duplicating server listings (that is, listing the same server once by name and again by IP address). Up to five servers can be added to the configuration.
  • Page 84: Setting The Boot Prom Password With A Recovery String

    Setting the boot PROM password with a recovery string To set the boot PROM password with a recovery string, see the section that applies to your switch model. NOTE: Setting the boot PROM password requires accessing the boot prompt, which stops traffic flow through the switch until the switch is rebooted.
  • Page 85: 4/256 San Director And Dc San Backbone Director (Short Name, Dc Director)

    4/256 SAN Director and DC SAN Backbone Director (short name, DC Director) The boot PROM and recovery passwords must be set for each CP blade on the 4/256 SAN Director or DC Director. To set the boot PROM password for a Director with a recovery string: Connect to the serial port interface on the standby CP blade.
  • Page 86: Setting The Boot Prom Password Without A Recovery String

    Setting the boot PROM password without a recovery string Although you can set the boot PROM password without also setting the recovery string, HP recommends that you set both the password and the string as described in ”Setting the boot PROM password with a recovery string”...
  • Page 87: Recovering Forgotten Passwords

    The following options are available: Option Description Start system. Continues the system boot process. Recovery password. Lets you set the recovery string and the boot PROM password. Enter command shell. Provides access to boot parameters. Enter 3. Issue the passwd command at the shell prompt. NOTE: The passwd command only applies to the boot PROM password when it is entered from the boot interface.
  • Page 88 Managing user accounts...
  • Page 89: Configuring Standard Security Features

    Configuring standard security features This chapter provides information and procedures for configuring standard Fabric OS security features such as protocol and certificate management. IMPORTANT: Secure Fabric OS is no longer supported in Fabric OS 6.x. However, all features of Secure Fabric OS are included in the base Fabric OS 6.x.
  • Page 90: The Ssh Protocol

    For details on Brocade MIB files, naming conventions, loading instructions, and information about using Brocade's SNMP agent, see the Fabric OS MIB Reference. Table 16 describes additional software or certificates that you must obtain to deploy secure protocols. Table 16 Items needed to deploy secure protocols Protocol Host side...
  • Page 91: Ssh Public Key Authentication

    Commands that require a secure login channel must originate from an SSH session. If you start an SSH session, and then use the login command to start a nested SSH session, commands that require a secure channel will be rejected. Fabric OS 6.1.x and later supports SSH protocol version 2.0 (ssh2).
  • Page 92 Sample RSA/DSA key pair generation alloweduser@mymachine: ssh-keygen -t dsa Generating public/private dsa key pair. Enter file in which to save the key (/users/alloweduser/.ssh/id_dsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /users/alloweduser/.ssh/id_dsa. Your public key has been saved in /users/alloweduser/.ssh/
  • Page 93: Deleting Keys On The Switch

    Example: exporting a public key from the switch switch:kghanta> sshutil exportpubkey Enter IP address: Enter remote directory:~auser/.ssh Enter login name:auser Password: public key is exported successfully. Append the public key to a remote host by logging in to the remote host, locating the directory where authorized keys are stored, and appending the public key to the file.
  • Page 94: Unblocking Telnet

    Example: ipfilter --save block_telnet_v4 Activate the new ipfilter policy by issuing the following command: ipfilter --activate <policyname> where policyname is the name of the policy you created in step Example: ipfilter --activate block_telnet_v4 Unblocking Telnet To unblock Telnet: Connect to the switch through a means other than Telnet (for example, SSH) and log in as admin. Issue the following command: ipfilter --delete <telnet_policyname>...
  • Page 95: Summary Of Ssl Procedures

    Summary of SSL procedures Configure SSL by obtaining, installing, and activating digital certificates for SSL support. Certificates are required on all switches that are to be accessed through SSL. You must also install a certificate in the Java Plug-in on the management workstation, and you may need to add a certificate to your Web browser.
  • Page 96: Generating And Storing A CSR

    IMPORTANT: HP recommends selecting 1024 in most cases. CA support for the 2048-bit key size is limited. Generating and storing a CSR After generating a public/private key, perform this procedure on each switch. Connect to the switch and log in as admin. Issue the following command: switch:admin>...
  • Page 97: Installing A Switch Certificate

    Copy and paste this section (including the BEGIN and END lines) into the area provided in the request form; then, follow the instructions to complete and send the request. It may take several days to receive the certificates. If the certificates arrive by e-mail, save them to an FTP server.
  • Page 98: Configuring The Browser

    Configuring the browser The root certificate may already be installed on your browser. If it is not, you must install it. To determine whether it is already installed, check the certificate store on your browser. The following procedures are guides for installing root certificates to Internet Explorer and Mozilla Firefox browsers.
  • Page 99: Summary Of Certificate Commands

    Issue the keytool command and respond to the prompts: C:\Program Files\Java\j2re1.5.0_06\bin> keytool -import -alias RootCert -file RootCert.crt -keystore ..\lib\security\RootCerts Enter keystore password: changeit Owner: CN=Brocade, OU=Software, O=Brocade Communications, L=San Jose, ST=California, C=US Issuer: CN=Brocade, OU=Software, O=Brocade Communications, L=San Jose, ST=California, C=US Serial number: 0 Valid from: Thu Jan 15 16:27:03 PST 2007 until: Sat Feb 14 16:27:03 PST 2007 Certificate fingerprints:...
  • Page 100: Setting The Security Level

    • FibreAlliance MIB trap Associated with the FibreAlliance MIB (FA-MIB), this MIB manages SAN switches and devices from any company that complies with FibreAlliance specifications. If you use both SW-MIB and FA-MIB, you may receive duplicate information. You can disable the FA-MIB, but not the SW-MIB.
  • Page 101 Sample SNMPv3 configuration switch:admin> snmpconfig --set snmpv3 SNMPv3 user configuration: User (rw): [snmpadmin1] adminuser Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..3) [3] 1 New Auth Passwd: Verify Auth Passwd: Priv Protocol [DES(1)/noPriv(2)/3DES(3)/AES128(4)/AES192(5)/AES256(6)]): (1..2) [2] 1 New Priv Passwd: Verify Priv Passwd: User (rw): [snmpadmin2] shauser Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..3) [3] 2 New Auth Passwd: Verify Auth Passwd:...
  • Page 102 Sample accessControl configuration switch:admin> snmpconfig --set accessControl SNMP access list configuration: Access host subnet area in dot notation: [] Read/Write? (true, t, false, f): [true] Access host subnet area in dot notation: [] Read/Write? (true, t, false, f): [true] f Access host subnet area in dot notation: [] Read/Write? (true, t, false, f): [true] Access host subnet area in dot notation: []
  • Page 103: Secure File Copy

    Sample mibCapability configuration DCX:admin> snmpconfig --show mibcapability FE-MIB:YES SW-MIB: YES FA-MIB: YES FICON-MIB: YES HA-MIB: YES FCIP-MIB: YES ISCSI-MIB: NO SW-TRAP: YES swFCPortScn: YES swEventTrap: YES swFabricWatchTrap: YES swTrackChangesTrap: YES FA-TRAP: YES connUnitStatusChange: YES connUnitEventTrap: YES connUnitSensorStatusChange: YES connUnitPortStatusChange: YES SW-EXTTRAP: NO FICON-TRAP: YES linkRNIDDeviceRegistration: YES...
  • Page 104: Setting Up SCP For Configuploads And Downloads

    Setting up SCP for configuploads and downloads Log in to the switch as admin. Issue the configure command. Enter y or yes at the cfgload attributes prompt. Enter y or yes at the Enforce secure config Upload/Download prompt. Example of setting up SCP for config upload/download: switch:admin>...
  • Page 105: Ports And Applications Used By Switches

    Ports and applications used by switches If you are using the FC-FC Routing Service, be aware that the secModeEnable command is not supported in Fabric OS 6.1.0. Table 21 lists the defaults for accessing hosts, devices, switches, and zones. Table 21 Access defaults Access default Hosts...
  • Page 106 Configuring standard security features...
  • Page 107: Configuring Advanced Security Features

    Configuring advanced security features This chapter provides information and procedures for configuring advanced Fabric OS security features such as Access Control List (ACL) policies, authentication policies, and IP Filtering for HP’s Fibre Channel switches. ACL policies overview Each supported Access Control List (ACL) policy listed below is identified by a specific name; only one policy of each type can exist, except for DCC policies.
  • Page 108: Identifying Policy Members

    When a policy is activated, the defined policy either replaces the policy with the same name in the active set or becomes a new active policy. If a policy appears in the defined set but not in the active set, the policy was saved but has not been activated.
  • Page 109: Displaying ACL Policies

    • “Activating changes to ACL policies” on page 116 Simultaneously save and implement all the policy changes made since the last time changes were activated. The activated policies are known as the “active policy set.” • “Adding a member to an existing policy”...
  • Page 110: FCS Policy Restrictions

    Table 25 FCS policy states (continued) Policy state Characteristics Active policy with one entry A primary FCS switch is designated (local switch), but there are no backup FCS switches. If the primary FCS switch becomes unavailable for any reason, the fabric is left without an FCS switch. Active policy with multiple A primary FCS switch and one or more backup FCS switches are entries...
  • Page 111: Overview Of FCS Policy Management

    Table 26 Switch operations (continued) Allowed on FCS switches Allowed on all switches Any fabric-wide commands secPolicyAbort All zoning commands except the show commands SNMP commands All AD commands configupload Any local-switch commands Any AD command that does not affect fabric-wide configuration FCS enforcement does not apply to pre-5.3.0 switches;...
  • Page 112: Distributing An FCS Policy

    Issue the secPolicyFCSMove command; then provide the current position of the switch in the list and the desired position at the prompts. Alternatively, issue the secPolicyFCSMove “From, To” command, where From is the current position in the list of the FCS switch and To is the desired position in the list for this switch. For example, to move a backup FCS switch from position 2 to position 3 in the FCS list, using interactive mode: primaryfcs:admin>...
  • Page 113: Configuring A DCC Policy

    NOTE: An FCS policy can be distributed from a switch in the FCS list. However, if none of the FCS switches in the existing FCS list are reachable, receiving switches will accept distribution from any switch in the fabric. Local switch configuration parameters are needed to control whether a switch accepts or rejects distributions of FCS policy and whether the switch is allowed to initiate distribution of an FCS policy.
  • Page 114: DCC Policy Restrictions

    Table 28 DCC policy states (continued) Policy state Characteristics Policy with no entries Any device can connect to any switch port in the fabric. An empty policy is the same as no policy. Policy with entries If a device WWN is specified in a DCC policy, that device is only allowed access to the switch if connected by a switch port listed in the same policy.
  • Page 115: Examples Of Creating DCC Policies

    deviceportWWN: The WWN of the device port. switch: The switch WWN, Domain ID, or switch name. The port can be specified by port or area number. Designating ports automatically includes the devices currently attached to those ports. The ports can be specified using any of the following syntax methods: (*) Selects all ports on the switch.
  • Page 116: Creating An SCC Policy

    Creating an SCC policy The switch connection control (SCC) policy is used to restrict which switches can join the fabric. Switches are checked against the policy each time an E_Port-to-E_Port connection is made. The policy is named SCC_POLICY and accepts members listed as WWNs, Domain IDs, or switch names. Only one SCC policy can be created.
  • Page 117: Adding A Member To An Existing Policy

    Issue the secPolicyActivate command: switch:admin> secpolicyactivate About to overwrite the current Active data. ARE YOU SURE (yes, y, no, n): [no] y Adding a member to an existing policy Add members to the ACL policies by using the secPolicyAdd command. As soon as a policy has been activated, the aspect of the fabric managed by that policy is enforced.
  • Page 118: Configuring The Authentication Policy For Fabric Elements

    Issue the secPolicyAbort command: switch:admin> secpolicyabort Unsaved data has been aborted. All changes since the last time the secPolicySave or secPolicyActivate commands were entered are aborted. Configuring the authentication policy for fabric elements By default, Fabric OS 6.1.0 and later uses DH-CHAP or FCAP protocols for authentication. These protocols use shared secrets and digital certificates, based on switch WWN and public key infrastructure (PKI) technology, to authenticate switches.
  • Page 119: E_Port Authentication

    elements. Alternatively, a secret key pair for all possible connections may be initially installed, enabling links to be arbitrarily changed while still maintaining a valid secret key pair for any new connection. The switch authentication (AUTH) policy initiates DH-CHAP/FCAP authentication on all E_Ports. This policy is persistent across reboots, which means authentication will be initiated automatically on ports or switches brought online if the policy is set to activate authentication.
  • Page 120: Device Authentication Policy

    switches can have authentication enabled and this will not impact the pre-5.3.0 switches. By default the pre-5.3.0 switches act as passive switches, since they accept incoming authentication requests. Regardless of the policy, E_Port is disabled if the DH-CHAP or FCAP protocol fails to authenticate the attached E_Port. OFF: This setting turns off the policy.
  • Page 121: Supported Hbas

    Supported HBAs The following HBAs support authentication: • Emulex LP11000 (Tested with Storport Miniport 2.0 Windows driver) • Qlogic QLA2300 (Tested with Solaris 5.04 driver) Authentication protocols Use the authUtil command to perform the following tasks: • Display the current authentication parameters •...
  • Page 122: Secret Key Pairs

    This command works independently of the authentication policy; this means you can initiate the authentication even if the switch is in PASSIVE mode. This command is used to restart authentication after changing the DH-CHAP group, hash type, and shared secret between a pair of switches. WARNING! This command may bring down the E_Ports if the DH-CHAP shared secrets are not installed correctly.
  • Page 123 The output displays the WWN, Domain ID, and name (if known) of the switches with defined shared secrets: Name ----------------------------------------------- 10:00:00:60:69:80:07:52 Unknown 10:00:00:60:69:80:07:5c switchA To set a secret key pair: Log in to the switch using an account assigned to the admin role. On a switch running Fabric OS 4.x, 5.x, or 6.0.0 or later, enter secAuthSecret --set.
  • Page 124: Fabric-Wide Distribution Of The Auth Policy

    Fabric-wide distribution of the Auth policy The AUTH policy can be manually distributed to the fabric using the distribute command; there is no support for automatic distribution. To distribute the AUTH policy, see “To distribute the local ACL policies:” on page 132. Accept distributions configuration parameter Local Switch configuration parameters are needed to control whether a switch accepts or rejects distributions of the AUTH policy using the distribute command and whether the switch may initiate...
  • Page 125: Displaying An IP Filter Policy

    Displaying an IP Filter policy You can display the IP Filter policy content for the specified policy name, or all IP Filter policies if no policy name is specified. For each IP Filter policy, the policy name, type, persistent state and policy rules are displayed. The policy rules are listed by the rule number in ascending order.
  • Page 126: IP Filter Policy Rules

    Log in to the switch using an account assigned to the admin role. Issue the following command: ipfilter --delete <policyname> where <policyname> is the name of the policy. To permanently delete the policy, issue the following command: ipfilter --save IP Filter policy rules An IP Filter policy consists of a set of rules.
  • Page 127: IP Filter Policy Enforcement

    For every IP Filter policy, the following two rules are always assumed to be appended implicitly to the end of the policy. This ensures that TCP and UDP traffic to dynamic port ranges is allowed, so that management IP traffic initiated from a switch, such as syslog, RADIUS, and FTP, is not affected. Table 31 Implicit IP Filter rules Source address...
  • Page 128: Creating IP Filter Policy Rules

    Creating IP Filter policy rules A maximum of 256 rules can be created for an IP Filter policy. The change to the specified IP Filter policy is not saved to the persistent configuration until a save or activate sub-command is run. To add a rule to an IP Filter policy: Log in to the switch using an account assigned to the admin role.
  • Page 129: IP Filter Policy Restrictions

    implement the policy for optimization purposes. If a distribution includes an active IP Filter policy, the receiving switches will activate the same IP Filter policy automatically. When a switch receives IP Filter policies, all uncommitted changes left in its local transaction buffer will be lost, and the transaction is aborted.
  • Page 130: Configuring The Database Distribution Settings

    Error is returned indicating that the distribution setting must be accepted before you can set the fabric-wide consistency policy. Configuring the database distribution settings The distribution settings control whether a switch accepts or rejects distributions of databases from other switches and whether or not the switch may initiate a distribution. Configure the distribution setting to reject when maintaining the database on a per-switch basis.
  • Page 131: Distributing ACL Policies To Other Switches

    To display the database distribution settings: Connect to the switch and log in using an account assigned to the admin role. Issue the following command: switch:admin> fddcfg --showall Local Switch Configuration for all Databases:- DATABASE Accept/Reject --------------------------------- accept accept accept accept AUTH accept...
  • Page 132: Setting The Consistency Policy Fabric-Wide

    Table 35 describes how the target switch database distribution settings affect the distribution. Table 35 ACL policy database distribution behavior Target switch Distribution Results Fabric OS Database version setting 5.1.0 or Fails An error is returned. The entire transaction is aborted and earlier no databases are updated.
  • Page 133: Fabric-Wide Consistency Policy Settings

    Table 36 Fabric-wide consistency policy settings Setting Value When a policy is activated Absent null Database is not automatically distributed to other switches in the fabric. Tolerant database_id All updated and new policies of the type specified (SCC, DCC, or both) are distributed to all Fabric 5.2.0 and later switches in the fabric.
  • Page 134: Notes On Joining A Switch To The Fabric

    Notes on joining a switch to the fabric When a switch is joined to a fabric with a tolerant SCC or DCC fabric-wide consistency policy, the joining switch must have a matching tolerant SCC or DCC fabric-wide consistency policy. If the tolerant SCC or DCC fabric-wide consistency policies do not match, the switch can join the fabric, but an error message flags the mismatch.
  • Page 135: Non-Matching Fabric-Wide Consistency Policies

    Table 37 describes the effect of merging fabrics with the same fabric-wide consistency policy that have SCC, DCC, or both policies. Table 37 Merging fabrics with matching fabric-wide consistency policies Fabric-wide Fabric A Fabric B Merge Database copied consistency policy ACL policies ACL policies results...
  • Page 136: FIPS Support

    Table 39 Fabric merges with tolerant/absent combinations Fabric-wide consistency policy setting Expected behavior Fabric A Fabric B Tolerant/Absent SCC;DCC Error message logged. Run fddCfg --fabwideset “<policy_ID>” from any switch with the desired configuration to fix SCC;DCC the conflict. The secPolicyActivate command is blocked until conflict is resolved.
  • Page 137: Power-Up Self Tests

    Table 40 Zeroization behavior (continued) Keys Zeroization CLI Description Passwords passwddefault This will remove user defined accounts in addition to default passwords for the root, admin, and user fipscfg --zeroize default accounts. However only root has permissions for this command. So securityadmin and admin roles need to use fipscfg --zeroize, which, in addition to removing user accounts and resetting passwords, also does the...
  • Page 138: LDAP In FIPS Mode

    Table 41 FIPS mode restrictions (continued) Features FIPS mode Non-FIPS mode SSH algorithms HMAC-SHA1 (mac) No restrictions 3DES-CBC, AES128-CBC, AES192-CBC, AES256-CBC (cipher suites) HTTP/HTTPS access HTTPS only HTTP and HTTPS HTTPS TLS/AES128 cipher suite TLS/AES128 cipher suite protocol/algorithms (SSL will no longer be supported) RPC/secure RPC Secure RPC only RPC and secure RPC...
  • Page 139 To set up LDAP for FIPS mode: Set the switch authentication mode and add your LDAP server by using the commands in the example below. Provide the Fully Qualified Domain Name (FQDN) of the Active Directory server for the hostname parameter while configuring LDAP. Example of setting up LDAP for FIPS mode: switch:admin>...
  • Page 140: Additional Microsoft Active Directory Settings

    Additional Microsoft Active Directory settings a. Set the following SCHANNEL settings listed in Table 43 to allow. To support FIPS compliant TLS cipher suites on Microsoft’s Active Directory server, allow the SCHANNEL settings listed in Table 43. See the Microsoft website for instructions that explain how to allow the SCHANNEL settings for the ciphers, hashes, key exchange and the TLS protocol.
  • Page 141: Exporting An LDAP Switch Certificate

    Exporting an LDAP switch certificate This option exports the LDAP CA certificate from the switch to the remote host. Connect to the switch and log in as admin. Issue the secCertUtil export -ldapcacert command. Example of exporting an LDAP CA certificate: switch:admin>...
  • Page 142: Overview Of Steps

    Overview of steps Optional: Configure RADIUS server Optional: Configure authentication protocols For LDAP only: Install SSL certificate on Microsoft Active Directory server and CA certificate on the switch for using LDAP authentication. Block Telnet, HTTP, and RPC Disable BootProm access Configure the switch for signed firmware Disable root access Enable FIPS...
  • Page 143: Disabling FIPS Mode

    Enforce secure config Upload/Download Press Enter to accept default. Enforce firmware signature validation Example: switch:admin> configure Not all options will be available on an enabled switch. To disable the switch, use the "switchDisable" command. Configure... System services (yes, y, no, n): [no] …...
  • Page 144 Configuring advanced security features...
  • Page 145: Maintaining The Switch Configuration File

    Maintaining the switch configuration file This chapter provides procedures for basic switch configuration maintenance. Configuration settings It is important to maintain consistent configuration settings on all switches in the same fabric because inconsistent parameters (such as inconsistent PID formats) can cause fabric segmentation. As part of standard configuration maintenance procedures, it is recommended that you back up all important configuration data for every switch on a host computer server for emergency reference.
  • Page 146 Respond to the prompts as follows: Protocol (scp or ftp): If your site requires the use of Secure Copy, specify SCP. Otherwise, specify FTP. If you leave it blank, the default specified in [ ] is used. Server Name or IP Address: Enter the name or IP address of the server where the file is to be stored; for example,
  • Page 147: Restoring A Configuration

    Restoring a configuration Restoring a configuration involves overwriting the configuration on the switch by downloading a previously saved backup configuration file. WARNING! Make sure that the configuration file you are downloading is compatible with your switch model, because configuration files from other model switches might cause your switch to fail. If your setup supports anonymous users and you log in as an anonymous user, password is still a required field, even though its value may be ignored by the FTP service.
  • Page 148 Configuration download without disabling a switch is independent of the hardware platform and supported on all hardware platforms running Fabric OS 5.2.0 and later. To restore a configuration: Verify that the FTP service is running on the server where the backup configuration file is located. Connect to the switch and log in as admin.
  • Page 149: Security Considerations

    Protocol (scp or ftp) [ftp]: Server Name or IP Address [host]: User Name [user]: JohnDoe File Name [config.txt]: /pub/configurations/config.txt *** CAUTION *** This command is used to download a backed-up configuration for a specific switch. If using a file from a different switch, this file's configuration...
  • Page 150: Downloading Configurations Across A Fabric

    Table 45 Backup and restore in a FICON CUP environment (continued) ASM bit Command Description Files saved on the switch that are also present in the configDownload FICON_CUP section of the configuration file are overwritten. Files in the FICON section of the configuration file that are not currently present on the switch are saved.
  • Page 151: Configuration Form

    Configuration form Use Table 46 as a hard copy reference for your configuration information. In the hardware reference manuals for the 4/256 SAN Director and DC SAN Backbone Director (short name, DC Director) there is a guide for FC port setting tables. The tables can be used to record configuration information for the various blades.
  • Page 152 Maintaining the switch configuration file...
  • Page 153: Managing Administrative Domains

    Managing administrative domains This chapter provides procedures for using administrative domains (Admin Domain or AD). An Admin Domain is a logical grouping of fabric elements that defines what switches, ports, and devices you can view and modify. An Admin Domain is a filtered administrative view of the fabric. NOTE: If you do not implement Admin Domains, the feature has no effect on users and you can skip this chapter.
  • Page 154: Fabric With Two Admin Domains

    Figure 5 Fabric with two Admin Domains Figure 6 shows how users get a filtered view of this fabric, depending on which Admin Domain they are in. As shown in Figure 7, users can see all switches and E_Ports in the fabric, regardless of their Admin Domain;...
  • Page 155: Admin Domain Features

    Admin Domain features Admin Domains allow you to: • Define the scope of an Admin Domain to encompass ports and devices within a switch or a fabric. • Share resources across multiple Admin Domains. For example, you can share array ports and tape drives between multiple departments.
  • Page 156: User-Defined Administrative Domains

    Table 47 lists each Admin Domain user type and describes its administrative access and capabilities. Table 47 AD user types User type Description Physical fabric User account with Admin role and with access to all Admin Domains (AD0 through administrator AD255).
  • Page 157: AD255

    AD0 is useful when you create Admin Domains because you can see which devices, switch ports, and switches have not yet been assigned to any Admin Domains. AD0 owns the root zone database (legacy zone database). During zone merge or zone update, only the root zone database is exchanged with AD-unaware switches.
  • Page 158: Admin Domain Member Types

    • The Admin Domain list for the default admin account is 0–255, which gives this account automatic access to any Admin Domain as soon as the domain is created, and makes this account a physical fabric administrator. • The Admin Domain list for the default user account is AD0 only. •...
  • Page 159: Switch Members

    NOTE: If the switch domain ID changes, the domain,index members are invalid (they are not automatically changed). You must then reconfigure the Admin Domain with the current domain,index members. Switch members Switch members are defined by the switch WWN or Domain ID and have the following properties: •...
  • Page 160: Admin Domain Compatibility And Availability

    Figure 8 Fabric showing switch and device WWNs Figure 9 shows the filtered view of the fabric as seen from AD3 and AD4. The switch WWNs are converted to the NAA=5 syntax;...
  • Page 161: Compatibility

    Compatibility Admin Domains can be implemented in fabrics with a mix of AD-capable switches and non-AD-capable switches. The following considerations apply: • In mixed-fabric configurations, the legacy switches allow unfiltered access to the fabric and its devices; therefore, these legacy switches should be managed by the physical fabric administrator. •...
  • Page 162: Setting The Default Zone Mode

    How you end the transaction determines the disposition of the Admin Domain configuration in the transaction buffer. The following commands end the Admin Domain transaction: save: Saves the changes in the transaction buffer to the defined configuration in persistent storage and propagates the defined configuration to all switches in the fabric.
  • Page 163: Assigning A User To An Admin Domain

    If you specify AD name = AD15 and the lowest available AD number is 6, AD name is AD15 and AD number is 15. Because the specified name is in the format ADn, the AD number is assigned to be n and not the lowest available AD number.
  • Page 164: Removing An Admin Domain From A User Account

    • If you do not specify one, the home Admin Domain is the lowest valid Admin Domain in the numerically-sorted AD list. • Users can log in to their Admin Domains and create their own Admin Domain-specific zones and zone configurations.
  • Page 165: Activating And Deactivating Admin Domains

    where username is the account from which the Admin Domain is being removed (the account must already exist), admindomain_ID is the home Admin Domain, and admindomain_ID_list is the Admin Domain list to be removed from the existing list. If the -h argument is not specified, the home Admin Domain either remains as it was or becomes the lowest Admin Domain ID in the remaining list.
  • Page 166: Adding And Removing Admin Domain Members

    The following example deactivates Admin Domain AD_B4. switch:AD255:admin> ad --deactivate AD_B4 You are about to deactivate an AD. This operation will fail if an effective zone configuration exists in the AD Do you want to deactivate ’AD_B5’ admin domain (yes, y, no, n): [no] y sw5:AD255:admin>...
  • Page 167: Renaming An Admin Domain

    Issue the appropriate command, based on whether you want to save or activate the Admin Domain definition: • To save the Admin Domain definition, issue the ad --save command. • To save the Admin Domain definition and directly apply the definition to the fabric, issue the ad --apply command.
  • Page 168: Deleting All User-Defined Admin Domains

    Issue the ad --apply command to save the Admin Domain definition and directly apply the definition to the fabric. The following example deletes Admin Domain AD_B3. switch:AD255:admin> ad --delete AD_B3 You are about to delete an AD. This operation will fail if zone configuration exists in the AD Do you want to delete ’AD_B3’...
  • Page 169: SAN Management With Admin Domains

    Issue the following command. ad --validate ad_id -m mode If you do not specify any parameters, the entire AD database (transaction buffer, defined configuration, and effective configuration) is displayed. If you do not specify an Admin Domain, information about all existing Admin Domains is displayed. The -m mode flag can be used as follows: •...
  • Page 170: Executing A Command In A Different AD Context

    Table 48 Ports and devices in CLI output Condition domain,port The port is specified in the domain,port member list of the Admin Domain. One or more WWNs specified in the AD member list is attached to the domain,port. Device WWN The device WWN is specified in the AD WWN member list.
  • Page 171: Switching To A Different Admin Domain Context

    switch:AD1:admin> ad --show Current AD Number: 1 AD Name: TheSwitches Effective configuration: ------------------------ AD Number: 1 AD Name: TheSwitches State: Active Switch WWN members: 50:06:06:99:00:2a:e9:01; 50:00:51:e0:23:36:f9:01; 50:06:06:98:05:be:99:01; Switching to a different Admin Domain context You can switch between different Admin Domain contexts. This option creates a new shell with a new Admin Domain context.
  • Page 172: Admin Domains, Zones, And Zone Databases

    Table 49 Admin Domain interaction with Fabric OS features (continued) Fabric OS feature Admin Domain interaction FC-FC Routing Service You can create LSAN zones as a physical fabric administrator or as an individual AD administrator. The LSAN zone can be part of the root zone database or the AD zone database.
  • Page 173: Admin Domains And LSAN Zones

    Using the zone --validate command, you can see all zone members that are not part of the current zone enforcement table, but are part of the zoning database. A member might not be part of the zone enforcement table because: •...
  • Page 174: Configuration Upload And Download In An AD Context

    “Using the FC-FC routing service” on page 311 for additional information about LSAN zones. Configuration upload and download in an AD context The behavior of configUpload and configDownload varies depending on the AD context and whether the switch is a member of the current Admin Domain. In the AD context, these commands include only the zone configuration of the current Admin Domain.
  • Page 175: Installing And Maintaining Firmware

    Installing and maintaining firmware This chapter provides procedures for installing and maintaining firmware. Fabric OS 6.1.0 provides nondisruptive firmware installation. This chapter refers to the following specific types of blades inserted into either Director platform: • Port blades contain only Fibre Channel ports: •...
  • Page 176: Upgrading And Downgrading Firmware

    If the firmware download process is interrupted by an unexpected reboot, the system will automatically repair and recover the secondary partition. You must wait for the recovery to complete before issuing another firmwareDownload command. The command supports both non-interactive and interactive modes. If the firmwareDownload command is issued without any operands, or if there is any syntax error in the parameters, the command enters an interactive mode, and you are prompted for input.
  • Page 177: Preparing For A Firmware Download

    Preparing for a firmware download Before executing a firmware download, HP recommends that you perform the tasks listed in this section. In the unlikely event of a failure or time-out, the preparation tasks that are described in this section will enable you to provide HP the information required to perform advanced troubleshooting.
  • Page 178: Checking Connected Switches

    Checking connected switches When checking connected switches, ensure that any older versions are supported. See the recommended version (shown in Table 52) before upgrading firmware on the switch. Go to for the latest supported versions of firmware for each switch and to view end-of-life policies. Table 52 Recommended firmware Switch model...
  • Page 179: Finding The Firmware Version

    Table 52 Recommended firmware (continued) Switch model Earliest compatible version 6.0.0b HP StorageWorks SAN Director 48 Port 8Gb FC blade (FC8-48) 6.0.0b HP StorageWorks SAN Director 6 Port 10Gb ISL blade (FC10-6) HP StorageWorks 48 Port 4Gb Blade 5.2.1b (FC4-48) HP StorageWorks B-Series iSCSI Director Blade (FC4-16IP), HP StorageWorks 4/32B SAN Switch...
  • Page 180: Firmware Download On Switches

    Firmware download on switches HP StorageWorks 4/8 SAN Switch, 4/16 SAN Switch, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 8/8 SAN Switch, 8/24 SAN Switch, 8/40 SAN Switch, 8/80 SAN Switch, and 400 MP Router switches also maintain primary and secondary partitions for firmware.
  • Page 181: Downloading Firmware To A Director

    The firmware is in the form of RPM packages with names defined in a .plist file. The .plist file contains specific firmware information and the names of packages of the firmware to be downloaded. Connect to the switch and log in as admin. Issue the firmwareShow command to check the current firmware version on connected switches.
  • Page 182: Overview Of The Firmware Download Process On Directors

    CPs are not in sync, you can run firmwareDownload –s on each of the CPs to upgrade them. These operations will be disruptive. If the CPs are not in sync, run the haSyncStart command. If the problem persists, review ”The firmwareDownload command”...
  • Page 183 Connect to the switch and log in as admin. Issue the firmwareShow command to check the current firmware version on connected switches. Upgrade the firmware, if necessary, before proceeding with upgrading this switch. ”Checking connected switches” on page 178 Issue the haShow command to confirm that the two CP blades are synchronized. In the following example, the active CP blade is CP0 and the standby CP blade is CP1: switch:admin>...
  • Page 184 Autoleveling takes place in parallel with the firmware download being performed on the CPs, and does not impact performance. Fibre Channel traffic is not disrupted during autoleveling, but GbE traffic on AP blades may be affected. sw77:admin> firmwaredownload Type of Firmware (FOS, SAS, or any application) [FOS]: Server Name or IP Address: Network Protocol (1-auto-select, 2-FTP, 3-SCP) [1]: User Name: userfoo...
  • Page 185: Firmwaredownload From A Usb Device

    [8]: Thu Jul 28 00:37:50 2005 Slot 7 : Firmware commit is started. [9]: Thu Jul 28 00:37:50 2005 Slot 2 : Firmware commit has completed. [10]: Thu Jul 28 00:37:50 2005 Slot 7 : Firmware commit has completed. (Firmwaredownload has completed.) 11.
  • Page 186: Downloading The 6.1.1 Image Using The Relative Path

    firmware\ 381MB 2007 Sep 28 15:33 v6.0.1\ 381MB 2007 Oct 19 10:39 config\ 2007 Sep 28 15:33 support\ 2007 Sep 28 15:33 firmwarekey\ 2007 Sep 28 15:33 Available space on usbstorage 79% Downloading the 6.1.1 image using the relative path To download the 6.1.1 image using the relative path: Log in to the switch as admin.
  • Page 187: Updating The Firmwarekey

    The switch manufacturer generates one private and public key pair. These key pairs are stored in the privatekey.pem and pubkey.pem files, respectively. The private key file is used to sign the firmware files. The public key file is packaged in an RPM-package as part of the firmware, and will be downloaded to the switch.
  • Page 188: The Firmwaredownload Command

    The firmwareDownload command As mentioned previously, the public key file will need to be packaged, installed, and run on your switch before downloading a signed firmware. When firmwareDownload installs a firmware file, it needs to validate the signature of the file. Different scenarios are handled as follows: a.
  • Page 189: Testing And Restoring Firmware On Switches

    Testing and restoring firmware on switches Typically, users downgrade firmware after briefly evaluating a newer (or older) version and then restore the original version of the firmware. Testing a new version of firmware in this manner ensures that you do not replace existing firmware because the evaluated version occupies only one partition on the switch.
  • Page 190: Testing And Restoring Firmware On Directors

    IMPORTANT: Stop! If you have completed step 8, you have committed the firmware on the switch and you have completed the firmware download procedure. To restore the original firmware, see step 9 (should be performed after step Restore the firmware. a.
  • Page 191 IMPORTANT: If the CPs do not achieve synchronization, stop here. Log in to the standby CP, and issue the firmwareRestore command to restore the original firmware. c. Issue the firmwareShow command to confirm that the primary partition of the standby CP contains the new firmware.
  • Page 192: Validating Firmwaredownload

    IMPORTANT: Stop! If you have completed step 11, you have committed the firmware on both CPs and you have completed the firmware download procedure. The following step 12 through step 14 describe how to restore the original firmware, and should be performed after step Restore the firmware on the standby CP.
  • Page 193 BrcdDCXBB:admin> firmwareshow -v Slot Name Appl Primary/Secondary Versions Status ------------------------------------------------------------------------ v6.1.0 ACTIVE * v6.1.0 Co-FOS v6.1.0 v6.1.0 v6.1.0 STANDBY v6.1.0 Co-FOS v6.1.0 v6.1.0 * Local CP The firmwareDownloadStatus command displays an event log that records the progress and status of events during firmwaredownload.
  • Page 195: Administering Advanced Zoning

    Administering Advanced Zoning About zoning Zoning enables you to partition your SAN into logical groups of devices that can access each other. A device can communicate only with other devices connected to the fabric within its specified zone. For example, you can partition your SAN into two zones, winzone and unixzone, so that your Windows servers and storage do not interact with your UNIX servers and storage.
  • Page 196: Zone Types

    Zone types Table 53 summarizes the types of zoning available. Table 53 Types of zoning Zone type Description Storage-based Storage units typically implement LUN-based zoning, also called LUN masking. LUN-based zoning limits access to the LUNs on the storage port to the specific WWN of the server HBA.
  • Page 197: Zone Objects

    Table 54 Approaches to fabric-based zoning (continued) Zoning Description approach Alternative approaches Application Zoning by application typically requires zoning multiple, perhaps incompatible, operating systems into the same zones. This method of zoning creates the possibility that a minor server in the application suite could disrupt a major server (such as a Web server disrupting a data warehouse server).
  • Page 198: Zoning Schemes

    • When a zone object is the node WWN name, only the specified device is in the zone. • When a zone object is the port WWN name, only the single port is in the zone. The types of zone objects used to define a zone can be mixed. For example, a zone defined with the zone objects 2,12;...
  • Page 199: Zoning Enforcement

    defined configuration if you have modified any of the zone definitions and have not saved the configuration. • Disabled Configuration—The effective configuration is removed from flash memory. When you disable the effective configuration, the Advanced Zoning feature is disabled on the fabric, and all devices within the fabric can communicate with all other devices (unless you previously set up a default zone, as described in ”Default zoning...
  • Page 200: Enforcing Hardware Zoning

    • Is enforced at the ASIC level. Each ASIC maintains a list of source port IDs that have permission to access any of the ports on that ASIC. • Is available on 1, 2, 4, 8 and 10 Gbps platforms. •...
  • Page 201: Hardware-Enforced Non-Overlapping Zones

    Table 55 Enforcing hardware zoning (continued) Fabric type Methodology Best practice HP StorageWorks Enable hardware-enforced zoning on Use either WWN or 4/8 SAN Switch, domain,port zones, and WWN zones. domain,port identifiers. 4/16 SAN Switch, Overlap of similar zone types does not result in Brocade 4Gb the loss of hardware enforcement.
  • Page 202: Hardware-Enforced Overlapping Zones

    [Figure 13 Hardware-enforced overlapping zones. Labels: WWN_Zone1, Port_Zone1, Core, Port_Zone2, WWN_Zone2, Switch, Zone Boundaries] Any zone using a mixed zoning scheme on the Fabric OS 2-Gbps platform relies on name server authentication as well as hardware-assisted (ASIC) authentication. Hardware-assisted authentication ensures that any PLOGI, ADISC, PDISC, or ACC from an unauthorized device is rejected if that device is attempting to access a device that is not in the same zone.
  • Page 203: Identifying The Enforced Zone Type

    Identifying the enforced zone type Connect to the switch and log in as admin. Issue the portZoneShow command. Considerations for zoning architecture Table 56 lists considerations for zoning architecture. Table 56 Considerations for zoning architecture Item Description Type of zoning: If security is a priority, hard zoning is recommended.
  • Page 204: Broadcast Zones

    An enterprise-class platform has more resources to handle zoning changes and implementations. Broadcast zones Fibre Channel allows sending broadcast frames to all Nx_Ports if the frame is sent to a broadcast well-known address (FFFFFF); however, many target devices and HBAs cannot handle broadcast frames. To control which devices receive broadcast frames, you can create a special zone, called a broadcast zone, which restricts broadcast packets to only those devices that are members of the broadcast zone.
  • Page 205: Broadcast Zones And Fc-Fc Routing

    [Figure 16 Broadcast zones and Admin Domains] The dotted box represents the consolidated broadcast zone, which contains all of the devices that can receive broadcast packets.
  • Page 206: High Availability Considerations With Broadcast Zones

    High Availability considerations with broadcast zones If a switch has broadcast zone-capable firmware on the active CP (Fabric OS 5.3.x or later) and broadcast zone-incapable firmware on the standby CP (Fabric OS version earlier than 5.3.0), you cannot create a broadcast zone because the zoning behavior would not be the same across an HA failover.
  • Page 207 where: aliasname The name of the zone alias to be created. member A member or list of members to be added to the alias. An alias member can be specified by one or more of the following methods: • A domain,port pair. •...
  • Page 208 where: aliasname The name of the zone alias. member A member or list of members to be removed from the alias. An alias member can be specified by one or more of the following methods: • A domain,port pair. • Device node or device port WWN Issue the cfgSave command to save the change to the defined configuration.
  • Page 209: Creating And Maintaining Zones

    Creating and maintaining zones Reliable Commit Service (RCS) is a fabric-wide capability and is supported only if all switches in the fabric are running Fabric OS 4.1 and later. RCS guarantees that either all or none of the switches receive the new zone configuration.
  • Page 210 You are about to save the Defined zoning configuration. This action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled. Do you want to save Defined zoning configuration only? (yes, y, no, n): [no] y To remove devices (members) from a zone: Connect to the switch and log in as admin.
  • Page 211 Issue the cfgSave command to save the change to the defined configuration. switch:admin> zonedelete "redzone" switch:admin> cfgsave You are about to save the Defined zoning configuration. This action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled.
  • Page 212: Default Zoning Mode

    Issue the following command to validate all zones in the zone database in the defined configuration: switch:admin> sw5:root> zone --validate -m 1 Defined configuration: cfg: cfg1 zone1 cfg: cfg2 zone1; zone2 zone: zone1 1,1; ali1 zone: zone2 1,1; ali2 alias: ali1 10:00;00;05:1e:35:81:7f*;...
  • Page 213: Viewing The Current Default Zone Access Mode

    Issue either the cfgSave, cfgEnable, or cfgDisable command to commit the change and distribute it to the fabric. The change will not be committed and distributed across the fabric if you do not issue one of these commands. Viewing the current default zone access mode To view the current default zone access mode: Connect to the switch and log in as admin.
  • Page 214: Resulting Database Size: 0 To 96K

    Symmetrical segmentation occurs when both ends of an ISL are shut down. Subsequently, no frames are exchanged between those two switches. Asymmetrical segmentation not only prevents frames from being exchanged between switches, but also causes routing inconsistencies. The best way to avoid either type of segmentation is to know the zone database size limit of adjacent switches.
  • Page 215: Resulting Database Size: 128K To 256K

    Table 60 Resulting database size: 128K to 256K Receiver Fabric OS Fabric Fabric OS Fabric Fabric OS Fabric OS Fibre XPath 7.3 OS 3.2 4.0/ OS 4.4.0 5.0.0/ 5.2.0 or Channel 4.1/ 5.0.1/ later Router Initiator 5.1.0 Fabric OS 3.1 Segment Segment Segment...
  • Page 216: Zoning Configurations

    Zoning configurations You can store a number of zones in a zoning configuration database. The maximum number of items that can be stored in the zoning configuration database depends on the following criteria: • Number of switches in the fabric. •...
  • Page 217 where: cfgname The name of the zone configuration. member The zone name or list of zone names to be added to the configuration. Issue the cfgSave command to save the change to the defined configuration. switch:admin> cfgadd "newcfg", "bluezone" switch:admin> cfgsave You are about to save the Defined zoning configuration.
  • Page 218 switch:admin> zoneremove "zone1","3,5" switch:admin> cfgtransabort To view all zone configuration information: If you do not specify an operand when executing the cfgShow command to view zone configurations, all zone configuration information (both defined and effective) displays. If there is an outstanding transaction, the newly edited zone configuration that has not yet been saved is displayed.
  • Page 219: Maintaining Zone Objects

    zone: Blue_zone 21:00:00:20:37:0c:76:8c 21:00:00:20:37:0c:71:02 21:00:00:20:37:0c:76:22 21:00:00:20:37:0c:76:28 zone: Red_zone 21:00:00:20:37:0c:76:85 21:00:00:20:37:0c:71:df To clear all zone configurations: Connect to the switch and log in as admin. Issue the cfgClear command to clear all zone information in the transaction buffer. NOTE: Be careful using the cfgClear command; it deletes the defined configuration. switch:admin>...
  • Page 220 Issue the zone copy command, specifying the zone configuration objects you want to copy, along with the new object name. Note that zone configuration names are case-sensitive; blank spaces are ignored and it works in any Admin Domain other than AD255. switch:admin>...
  • Page 221: Zoning Configuration Management

    To rename a zone object: Connect to the switch and log in as admin. Issue the cfgShow command to view the zone configuration objects you want to rename. switch:admin> cfgShow Defined configuration: cfg: USA_cfg Red_zone; White_zone; Blue_zone zone: Blue_zone 1,1; array1; 1,2; array2 zone: Red_zone 1,0;...
  • Page 222 If Secure Fabric OS is enabled on one switch, it must be enabled on all switches in the fabric; however, Secure Fabric OS is not supported in Fabric OS 6.0.0 or later. • Default Zone: The switch being merged into the existing fabric should be configured with the same default zone mode as the existing switches.
  • Page 223: Fabric Segmentation And Zoning

    NOTE: If the zoneset members on two switches are not listed in the same order, the configuration is considered a mismatch, resulting in the switches being segmented from the fabric. For example: cfg1 = is different from even though members of the configuration are the same. If z1;...
  • Page 225: Configuring Directors

    Configuring Directors This chapter contains procedures that are specific to the: • HP StorageWorks 4/256 SAN Director • HP StorageWorks DC SAN Backbone Director For detailed information see the HP StorageWorks SAN Director hardware reference manual or the HP StorageWorks DC SAN Backbone Director hardware reference manual. Identifying ports Because Directors contain interchangeable port blades, their procedures differ from those for fixed-port switches.
  • Page 226: Director Port Numbering Schemes

    Director port numbering schemes Table 62 lists the port numbering schemes for the 4/256 Director and DC Director. Table 62 Port numbering schemes for the 4/256 Director and DC Director Port blades Numbering scheme FC2-16 Ports are numbered from 0 through 15 from bottom to top. FC4-16 FC8-16 FC4-32...
  • Page 227: Port Identification By Index

    Port identification by index With the introduction of 48-port blades, indexing was introduced. Unique area IDs are possible up to 255 areas, but beyond that there needed to be some way to ensure uniqueness. A number of fabric-wide databases supported by Fabric OS (including ZoneDB, the ACL DDC, and Admin Domain) allow a port to be designated by the use of a D,P (domain,port) notation.
  • Page 228 Table 63 Default index/area_ID core PID assignment with no port swap (continued) Port on Slot Slot Slot Slot Slot Slot Slot Slot blade 1Idx/area 2Idx/area 3Idx/area 4Idx/area 7Idx/area 8Idx/area 9Idx/area 10Idx/area 142/142 158/158 174/174 190/190 206/206 222/222 238/238 254/254 141/141 157/157 173/173 189/189...
  • Page 229: Basic Blade Management

    Basic blade management The following sections provide procedures for naming a switch, powering a port blade off and on, and disabling and enabling a port blade. Customizing enterprise-class platform names HP recommends that you customize the enterprise-class platform name for each platform. Some system logs identify devices by platform names;...
  • Page 230: Fr4-18I Blade Exceptions

    To enable a port blade: Connect to the switch and log in as admin. Issue the bladeEnable command with the slot number of the port blade you want to enable: switch:admin> bladeenable 3 Slot 3 is being enabled FR4-18i blade exceptions Note the following port blade exceptions: •...
  • Page 231: Blade Terminology And Compatibility

    NOTE: Some FRUs in the chassis may use significant power, yet cannot be powered off through software. For example, a missing blower FRU may change the power computation enough to affect how many slots can be powered up. The powerOffListShow command displays the power off order. Blade terminology and compatibility Before configuring a chassis, familiarize yourself with the Director CP blade and port blade nomenclature, as well as the port blade compatibilities.
  • Page 232: Cp Blades

    CP blades The 4/256 Director supports the CP4 blade. The DC Director supports the CP8 blade. Mixed CP blades are not supported on a single chassis, except during specific upgrade procedures detailed in the HP StorageWorks SAN Director hardware reference manual. CP4 and CP8 blades cannot be mixed in the same chassis under any circumstances.
  • Page 233: Setting Chassis Configuration Options For The 4/256 Director

    Table 65 Port blades supported by each Director Director Port blades 4/256 Director DC Director (CP4) FC2-16 Supported FC4-16 Supported FC4-32 Supported FC4-48 Supported FC8-16 Supported Supported FC8-32 Supported Supported FC8-48 Supported Supported FC10-6 Supported Supported FC4-16IP...
  • Page 234: Displaying Slot Information

    Table 67 Platform configuration options Option Result One 128-port switch (Blade IDs 4, 17 on slots 1–4, 7–10. Blade ID 5 and 16 on slots 5, 6) One 384-port switch (Blade IDs 4, 17, 18, 31, and 36 on slots 1–4, 7–10. Blade ID 16 on slots 5, 6) Table 64 for details about the different blades, including their corresponding IDs.
  • Page 235: Inter-Chassis Link Behavior Between Two Hp Storageworks Dc Directors

    Inter-chassis Link behavior between two HP StorageWorks DC Directors An Inter-chassis link (ICL) is a licensed feature used to interconnect two DC Directors; there are two ICL connector ports ICL0 and ICL1 on each core blade, each aggregating a set of 16 ports. Thus, each core blade provides 32 ICL ports and there are 64 ICL ports available for the entire DC Director chassis.
  • Page 237: 10 Routing Traffic

    Routing traffic This chapter provides information on routing policies. Data routing and routing policies Data moves through a fabric from switch to switch and from storage to server along one or more paths that make up a route. Routing policies determine the path for each frame of data. IMPORTANT: For most configurations, the default routing policy is optimal, and provides the best performance.
  • Page 238: Static Route Assignment

    switch:admin> aptpolicy Current Policy: 3 1(ap) 3 0(ap): Default Policy 1: Port Based Routing Policy 3: Exchange Based Routing Policy 0: AP Shared Link Policy 1: AP Dedicated Link Policy See the Fabric OS Command Reference for more details on the aptPolicy command. Static route assignment A static route can be assigned only when the active routing policy is port-based routing.
  • Page 239: Frame Order Delivery

    Frame order delivery The order of delivery of frames is maintained within a switch and determined by the routing policy in effect. The frame delivery behaviors for each routing policy are: • Port-based routing All frames received on an incoming port destined for a destination domain are guaranteed to exit the switch in the same order in which they were received.
  • Page 240: Setting Dls

    • A device goes offline Setting DLS Connect to the switch and log in as admin. Issue the dlsShow command to view the current DLS setting. One of the following messages appears: • DLS IS SET indicates that dynamic load sharing is turned on. •...
  • Page 241 Total Bandwidth The maximum bandwidth of the out port. Bandwidth Demand The maximum bandwidth demand of the in ports. Flags An indication whether the route is dynamic (D) or static (S). This value is always “D”, indicating a dynamic path. Issue the uRouteShow command to display unicast routing information.
  • Page 242: Viewing Routing Information Along A Path

    Viewing routing information along a path You can display detailed routing information from a source port (or area) on the local switch to a destination port (or area) on another switch. This routing information describes the full path that a data stream travels between these ports, including all intermediate switches.
  • Page 243 The information that pathInfo provides is: Hops The number of switch-to-switch links (ISLs) traversed. The local switch is hop 0. In Port The port that the frames come in from on this path. For hop 0, the source port. Domain ID The domain ID of the switch.
  • Page 245: 11 Implementing An Interoperable Fabric

    Implementing an interoperable fabric For information on HP supported interop configurations, see the HP StorageWorks Fabric interoperability application notes for merging B-Series fabrics with fabrics based on C-Series and M-Series Fibre Channel switches on the following HP website:
  • Page 247: 12 Configuring The Distributed Management Server

    Configuring the Distributed Management Server This chapter provides information on enabling and disabling the platform services, configuring and controlling access to the Management Server database, and using the topology discovery feature. Distributed Management Server overview The Fabric OS Distributed Management Server allows a SAN management application to retrieve information and administer interconnected switches, servers, and storage devices.
  • Page 248: Enabling Platform Services

    Enabling platform services Connect to the switch and log in as admin. Issue the msplMgmtActivate command: switch:admin> msplmgmtactivate Request to activate MS Platform Service in progress..*Completed activating MS Platform Service in the fabric! switch:admin> Disabling platform services Connect to the switch and log in as admin. Issue the msplMgmtDeactivate command.
  • Page 249: Adding A Member To The Acl

    switch:admin> Adding a member to the ACL Connect to the switch and log in as admin. Issue the msConfigure command. The command becomes interactive. At the select prompt, enter 2 to add a member based on its port/node WWN. Enter the WWN of the host to be added to the ACL. At the prompt, enter 1 to display the access list so you can verify that the WWN you entered was added to the ACL.
  • Page 250: Viewing The Contents Of The Management Server Database

    At the select prompt, enter 3 to delete a member based on its port/node WWN. At the prompt, enter the WWN of the member to be deleted from the ACL. At the prompt, enter 1 to display the access list so you can verify that the WWN you entered was deleted from the ACL.
  • Page 251: Clearing The Management Server Database

    The contents of the Management Server platform database are displayed. switch:admin> msplatshow -------------------------------------------------- Platform Name: [9] "first obj" Platform Type: 5 : GATEWAY Number of Associated M.A.: 1 [35] "" Number of Associated Node Names: 1 Associated Node Names: 10:00:00:60:69:20:15:71 -------------------------------------------------- Platform Name: [10] "second obj"...
  • Page 252 • For the local switch, issue the mstdDisable command. • For the entire fabric, issue the mstdDisable all command. A warning displays that all NID entries might be cleared. Enter y to disable the discovery feature. NOTE: Disabling discovery of Management Server topology might erase all NID entries. switch:admin>...
  • Page 253: 13 Iscsi Gateway Services

    iSCSI Gateway services Overview of iSCSI gateway service The FC4-16IP iSCSI gateway service is an intermediate device in the network, allowing iSCSI initiators in an IP SAN to access and utilize storage in a Fibre Channel (FC) SAN as shown in Figure [figure labels: FC4-16IP, FC target 1...]
  • Page 254: Basic Versus Advanced Lun Mapping

    To represent all iSCSI initiators and sessions, each iSCSI portal has one iSCSI virtual initiator (VI) to the FC fabric that appears as an N_Port device with a special WWN format. Regardless of the number of iSCSI initiators or iSCSI sessions sharing the portal, Fabric OS uses one iSCSI VI per iSCSI portal. Figure 19 shows the interaction of different layers from the iSCSI initiator stack to the FC target stack, including the iSCSI gateway service used during protocol translation.
  • Page 255: Advanced Lun Mapping

    Advanced LUN mapping SCSI VTs can be mapped to more than one physical FC target, and the LUNs can be mapped to different virtual LUNs. Figure 21 shows an advanced mapping scenario. [Figure 21 labels: FC target 1, iSCSI virtual target 1, FC target 2, iSCSI virtual target 2, iSCSI virtual target 3...]
  • Page 256: Changing And Displaying The Iqn Prefix

    Figure 22 shows an iSCSI gateway that has three iSCSI VTs and two iSCSI initiators. [Figure 22 labels: iSCSI initiator A, iqn.2003-11.com.microsoft:win2k-sn-192168101; iSCSI virtual targets (VTs); VT 1, iqn.2002-12.com.brocade:10:00:00:05:1e:aa:bb:cc; IP Network; VT 2...]
  • Page 257: Switch-To-Iscsi Initiator Authentication

    [Figure 23 Discovery domain set configuration example. Labels: DDSet 1, iSCSI virtual targets (VTs), iSCSI initiator A, VT 1, IP network, VT 2, VT 3, iSCSI initiator B, iSCSI gateway service] Switch-to-iSCSI initiator authentication...
  • Page 258: Enabling And Disabling Connection Redirection For Load Balancing

    Enabling and disabling connection redirection for load balancing Connect to the switch and log in. Issue the appropriate form of the iscsiSwCfg command for the operation you want to perform: • To enable connection redirection, use the iscsiSwCfg --enableconn command. For 4/256 SAN Directors, the -s <slot number>...
  • Page 259: Supported Iscsi Initiators

    Supported iSCSI initiators Table 69 lists iSCSI initiators supported by the iSCSI gateway service. Table 69 Supported iSCSI initiators iSCSI initiator driver versions Windows • MS iSCSI initiator 2.02 • MS iSCSI initiator 2.03 • MS iSCSI initiator 2.04 Linux •...
  • Page 260 Table 70 iSCSI target gateway configuration steps (continued) Step Command Procedure (Advanced) Create ”Manual iSCSI VT creation” iscsiCfg --create tgt –t iSCSI virtual target. on page 268 <targetname> Add LUNs to the virtual iscsiCfg --add lun -t target. <targetname> \ -w <fcwwn>...
  • Page 261: Fc4-16Ip Blade Configuration

    FC4-16IP Blade Configuration This section describes the initial setup required to deploy an iSCSI gateway solution. Install and configure the FC4-16IP blade in a 4/256 SAN Director as described in the FC4-16IP hardware reference manual before performing these procedures.
  • Page 262: Enabling The Iscsi Gateway Service

    Enabling the iSCSI gateway service The iSCSI gateway service translates and directs SCSI traffic between an iSCSI initiator and an FC target. This section explains how to enable the iSCSI gateway service on the 4/256 SAN Director. Connect and log in to the switch. Issue the fosConfig --show command to show the current Fabric OS configuration: switch:admin>...
  • Page 263: Configuring The Gbe Interface

    Take the appropriate action based on the Persistent Disable setting: • If it is set to OFF, proceed to step • If it is set to ON, issue the portCfgPersistentEnable command with the slot number and GbE port number: switch:admin> portcfgpersistentenable 10/ge0 Issue the portCfgShow command with the slot number and GbE port number to verify that the port is persistently enabled.
  • Page 264: Iscsi Virtual Target Configuration

    (Optional) Issue the portCfg command to define static routes to reach the destination IP through a preferred gateway: switch:admin> portcfg iproute 3/ge0 create 1 Operation Succeeded The gateway must be on the same subnet as the GbE port. You can specify a maximum of 32 routes per GbE port.
  • Page 265: Automatic Iscsi Vt Creation

    Automatic iSCSI VT creation An iSCSI VT is created using target LUNs from the attached FC network. LUNs are mapped to iSCSI VTs by creating unique iSCSI Qualified Names (IQNs) for each target. You can create iSCSI VTs by issuing the iscsiCfg --easycreate tgt command. There are two options.
  • Page 266 switch:admin> iscsicfg --easycreate tgt This will create iSCSI targets for ALL FC targets. This could be a long-running operation. Continue [N]: y Index FC WWN iSCSI Name Status 2e:1f:00:06:2b:0d:10:ba Operation Succeeded 2e:3f:00:06:2b:0d:10:ba Operation Succeeded 2e:5f:00:06:2b:0d:10:ba Operation Succeeded 2e:7f:00:06:2b:0d:10:ba Operation Succeeded...
  • Page 267: Generating An Iscsi Vt For A Specific Fc Target

    For example: switch:admin> iscsicfg --show tgt Number of records found: 16 Name: State/Status: Online/Defined Name: State/Status: Online/Defined Name: State/Status: Online/Defined Name: State/Status: Online/Defined Name: State/Status: Online/Defined Name: State/Status: Online/Defined Name: State/Status: Online/Defined Name: State/Status: Online/Defined...
  • Page 268: Manual Iscsi Vt Creation, is used for the fixed prefix, and the port WWN is used as the user-defined portion of the IQN. For example: switch:admin> iscsicfg --easycreate tgt -w 21:00:00:04:cf:e7:74:cf IndexFC WWN iSCSIName Status 21:00:00:04:cf:e7:74:cf Operation Succeeded Issue the iscsiCfg --show tgt command to display the status of the created iSCSI VTs: For example: switch:admin>...
  • Page 269 For example: switch:admin> fclunquery Target Index: 1 Target Node WWN: 20:00:00:04:cf:e7:74:cf Target Port WWN: 21:00:00:04:cf:e7:74:cf Target Pid: 120d6 Number of LUNs returned by query: 1 LUN ID: 0x00 Target Index: 2 Target Node WWN: 20:00:00:04:cf:e7:73:7e Target Port WWN: 21:00:00:04:cf:e7:73:7e Target Pid: 120d9 Number of LUNs returned by query: 1 LUN ID: 0x00 Target Index: 3...
  • Page 270: Mapping Luns On A Specific Port To An Iscsi Vt

    Issue the iscsiCfg --show lun command with the -t <IQN> option to verify that the LUN has been added to the iSCSI VT, where -t specifies the IQN that identifies the iSCSI VT. For example: switch:admin> iscsicfg --show lun -t Number of targets found: 1 Target: Number of LUN Maps: 1...
  • Page 271: Displaying The Iscsi Virtual Target Lun Map

    Issue the iscsiCfg --commit all command to commit the changes to the database. If the LUN deletion is one of several configuration changes, you may want to see ”Committing the iSCSI-related configuration” on page 274 for extra detail on the commit process. Displaying the iSCSI virtual target LUN map Connect and log in to the switch.
  • Page 272: Displaying Iscsi Initiator Iqns

    If you do not configure either discovery domains or iSNS for access control, any iSCSI initiator on the IP network can access all iSCSI VTs (and therefore all FC targets) in the fabric. Displaying iSCSI initiator IQNs All iSCSI components in a DD must be identified using IQNs. Fabric OS temporarily stores the IQNs and IP addresses of iSCSI initiators that have logged in to the gateway.
  • Page 273: Iscsi Initiator-To-Vt Authentication Configuration

    iSCSI initiator-to-VT authentication configuration Fabric OS 5.2.0 or later supports both one-way and mutual CHAP authentication for iSCSI initiator-to-iSCSI VT target sessions. The authentication method (CHAP or none) is set on a per-iSCSI VT basis. Setting the user name and shared secret Authentication depends on a user name and shared secret.
  • Page 274: Deleting User Names From An Iscsi Vt Binding List

    Deleting user names from an iSCSI VT binding list User names can be deleted from the list of bound user names. Connect and log in to the switch. Issue the iscsiCfg --deleteusername tgt command with the -t and -u options to delete a user name: switch:admin>...
  • Page 275: Resolving Conflicts Between Iscsi Configurations

    Resolving conflicts between iSCSI configurations When you merge two fabrics with different iSCSI configurations, a conflict will result. If there is a conflict, the database will not be merged and you must resolve the conflict. The iscsiCfg --show fabric command displays the out-of-sync state. The rest of the switches will function normally, however, since there is no segmentation of E_Ports as a result of discovery domain set database conflicts.
  • Page 276: Iscsi Fc Zoning Overview

    • Issue the fcLunQuery command with the -s option to return the node and port WWNs of the switch. The following is an example. switch:admin> fclunquery -s The following WWNs will be used for any lun query from this switch: Node WWN: 10:00:00:60:69:80:04:4a Port WWN: 21:fd:00:60:69:80:04:4a iSCSI FC zoning overview...
  • Page 277: Iscsi Fc Zone Creation

    iSCSI FC zone creation To create an iSCSI FC zone, you must include the following iSCSI elements in the zone: • The FC targets, used to create the virtual targets (VT). • The iSCSI virtual initiators (VIs): • If there is more than one FC4-16IP blade in the chassis, you must add all virtual initiators to the same zone.
  • Page 278 Issue the nsShow command to display the WWN information for the iSCSI virtual initiators: switch:admin> nsshow Type Pid PortName NodeName TTL(sec) 0120d6; 3;21:00:00:04:cf:e7:74:cf;20:00:00:04:cf:e7:74:cf; na FC4s: FCP [SEAGATE ST336607FC 0004] Fabric Port Name: 20:20:00:60:69:e0:01:56 Permanent Port Name: 21:00:00:04:cf:e7:74:cf Port Index: 32 Share Area: No Device Shared in Other AD: No 0120d9;...
  • Page 279 Port Index: 43 Share Area: No Device Shared in Other AD: No 012c00; 3;50:06:06:9e:00:15:63:20;50:06:06:9e:00:15:63:21; na FC4s: FCP PortSymb: [23] "iSCSI Virtual Initiator" NodeSymb: [51] "IPAddr: Slot/Port: 3/ge4 Logical pn: 44" Fabric Port Name: 00:00:00:00:00:00:00:00 Permanent Port Name: 50:06:06:9e:00:15:63:20 Port Index: 44 Share Area: No Device Shared in Other AD: No 012d00;...
  • Page 280: Zoning Configuration Creation

    Issue the cfgSave command to save the change to the defined configuration: switch:admin> cfgsave You are about to save the Defined zoning configuration. This action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled.
  • Page 281: Isns Client Service Configuration

    Issue the cfgEnable command. switch:admin> cfgenable iscsi_cfg001 You are about to enable a new zoning configuration. This action will replace the old zoning configuration with the current configuration selected. Do you want to enable 'iscsi_cfg001' configuration (yes, y, no, n): [no] y zone config "iscsi_cfg001"...
  • Page 282: Enabling The Isns Client Service

    Enabling the iSNS client service This section explains how to enable the iSNS client service and configure the iSNS server IP address. Fabric OS supports one iSNS server connection. NOTE: If DD and DDSets are configured on the fabric, clear the DD and DDSet configurations before enabling iSNS client services.
  • Page 283: Disabling The Isns Client Service

    Disabling the iSNS client service When the iSNS client service is disabled, the DD and DDSets are kept in the fabric. Connect and log in to the switch. Issue the fosConfig --disable isnsc command to disable the iSNS client service: switch:admin>...
  • Page 284 284 iSCSI Gateway services...
  • Page 285: 14Administering Npiv

    Administering NPIV This chapter describes the concepts and procedures for administering N-Port ID Virtualization (NPIV). NPIV Overview N_Port Virtualization (NPIV) enables a single Fibre Channel protocol port to appear as multiple, distinct ports, providing separate port identification within the fabric for each operating system image behind the port (as if each operating system image had its own unique physical port).
  • Page 286: Configuration Scenarios

    Connect to the switch and log in using an account assigned to the admin role. Issue the switchDisable command. IMPORTANT: The switchDisable command disables the switch and stops all traffic flowing to and from the switch. Issue this command during a scheduled maintenance. Issue the configure command.
  • Page 287 The following example shows whether or not a port is configured for NPIV: switch:admin> portcfgshow Ports of Slot 0 9 10 11 12 13 14 15 -----------------+--+--+--+--+----+--+--+--+----+--+--+--+----+--+--+-- Speed AN AN AN AN AN AN AN AN AN AN AN AN AN AN AN AN Trunk Port ON ON ON ON...
  • Page 288 Use the portShow command to view the NPIV attributes and all the N_Port (physical and virtual) port WWNs that are listed under portWwn of device(s) connected. Following is sample output for the portShow command: switch:admin> portshow 2 portName: 02 portHealth: HEALTHY Authentication: None portDisableReason: None portCFlags: 0x1...
  • Page 289: Viewing Virtual Pid Login Information

    Viewing virtual PID login information Use the portLoginShow command to display the login information for the virtual PIDs of a port. Following is sample output from the portLoginShow command: switch:admin> portloginshow 2 Type World Wide Name credit df_sz cos ===================================================== 630240 c0:50:76:ff:fb:00:16:fc 2048...
  • Page 290 290 Administering NPIV...
  • Page 291: 15Optimizing Fabric Behavior

    Optimizing fabric behavior This chapter describes the Adaptive Networking features. Adaptive networking overview Adaptive Networking is a suite of tools and capabilities that enable you to ensure optimized behavior in the SAN. Even under the worst congestion conditions, the Adaptive Networking features can maximize the fabric behavior and provide necessary bandwidth for high-priority, mission-critical applications and connections.
  • Page 292: Ti Zone Failover

    Figure 27: Traffic Isolation zone creating a dedicated path through the fabric (labels: Domain 1, Domain 3, Domain 4; legend: dedicated path, ports in the TI zone). In Figure 27, all traffic entering Domain 1 from N_Port 8 is routed through E_Port 1. Similarly, traffic entering Domain 3 from E_Port 9 is routed to E_Port 12, and traffic entering Domain 4 from E_Port 7 is routed to the device through N_Port 6.
  • Page 293: Fspf Routing Rules And Traffic Isolation

    • If failover is disabled for the TI zone, non-TI zone traffic is halted until the non-dedicated ISL between Domain 1 and Domain 3 is back online. FSPF routing rules and Traffic Isolation All traffic must use the lowest cost path. FSPF routing rules take precedence over the TI zones, as described in the following situations.
  • Page 294: Traffic Isolation Over Fc Routers

    the TI zone. If failover is disabled, the TI zone traffic stops until the dedicated path is configured to be the shortest path. Figure 29: Dedicated path is not the shortest path (labels: Domain 1, Domain 2, Domain 3, Domain 4; legend: dedicated path, ports in the TI zone). NOTE:...
  • Page 295: Ti Within An Edge Fabric

    Figure 30: Traffic isolation over FCR (labels: edge fabric 1, backbone fabric, edge fabric 2; legend: dedicated paths set up by the TI zones in edge fabric 1, edge fabric 2, and the backbone fabric). In addition to setting up TI zones, you must also ensure that the devices are in an LSAN zone, so that they...
  • Page 296: Ti Within A Backbone Fabric

    Using D,I notation, the members of the TI zone in Figure 31 are: • • • 3,-1 (E_Port for the front phantom domain) • 4,-1 (E_Port for the xlate phantom domain) Note that in this configuration the traffic between the front and xlate domains can go through any path between these two domains.
  • Page 297: Limitations Of Ti Zones Over Fc Routers

    Limitations of TI zones over FC routers Consider the following when configuring TI zones over FC routers: • A TI zone defined within the backbone fabric does not guarantee that edge fabric traffic will arrive at a particular EX_Port. You must set up a TI zone in the edge fabric to guarantee this. •...
  • Page 298: Trunking With Ti Zones

    • Ports in a TI zone must belong to switches that run Fabric OS 6.0.0 or later. For TI over FCR zones, ports must belong to switches that run Fabric OS 6.1.0 or later. • Traffic Isolation has limited support for FICON FCIP in McDATA Fabric Mode (interopmode 2), in the following configuration only: •...
  • Page 299 When you create a TI zone, by default, failover is enabled and the zone is activated. If you want to change the failover mode after you create the zone, see ”Modifying TI zones” on page 300. If you are creating a TI zone with failover disabled, consider the following: •...
  • Page 300: Modifying Ti Zones

    Your changes are not enforced until you issue the cfgEnable command: switch:admin> cfgenable “USA_cfg” You are about to enable a new zoning configuration. This action will replace the old zoning configuration with the current configuration selected. Do you want to enable ‘USA_cfg’ configuration (yes, y, no, n): [no] y zone config “USA_cfg”...
  • Page 301: Activating And Deactivating A Ti Zone

    Activating and deactivating a TI zone The TI zone must exist before you can activate it. To activate or deactivate a TI zone: Connect to the switch and log in as admin. Issue the zone --activate command to activate a TI zone. Issue the zone --deactivate command to deactivate a TI zone.
  • Page 302: Setting Up Ti Over Fcr (Sample Procedure)

    To display information about TI zones: Connect to the switch and log in as admin. Issue the zone --show command. zone --show [ name ] where: name is the name of the zone to be displayed. If the name is omitted, the command displays information about all TI zones in the defined configuration.
  • Page 303: Ti Over Fcr Example

    Figure 34 (labels: Host 1, Target 1, Target 2; edge fabric 1, edge fabric 2, backbone fabric; Domain IDs 1, 2, 9, and 4; legend: dedicated paths set up by the TI zones in edge fabric 1, edge fabric 2, and the backbone fabric)...
  • Page 304 c. Issue the following commands to reactivate your current effective configuration and enforce the TI zones. E1switch:admin> cfgactvshow Effective configuration: cfg: cfg_TI zone: lsan_t_i_TI_Zone1 10:00:00:00:00:00:02:00:00 10:00:00:00:00:00:03:00:00 10:00:00:00:00:00:08:00:00 E1switch:admin> cfgenable cfg_TI You are about to enable a new zoning configuration. This action will replace the old zoning configuration with the current configuration selected.
  • Page 305: Qos: Ingress Rate Limiting

    Log in to the backbone fabric and set up the TI zone. a. Issue the following commands to create and display a TI zone: BB_DCX_1:admin> zone --create -t ti TI_Zone1 -p "1,9; 1,1; 2,4; 2,7; 10:00:00:00:00:08:00:00; 10:00:00:00:00:02:00:00; 10:00:00:00:00:03:00:00" BB_DCX_1:admin> zone --show Defined TI zone configuration: TI Zone Name: TI_Zone1...
  • Page 306: Qos: Sid/Did Traffic Prioritization

    Issue the portcfgqos --setratelimit command. portcfgqos --setratelimit [slot/]port ratelimit where: • slot/port is the slot and port number of the F_Port or FL_Port on which you want to limit traffic. • ratelimit is the maximum speed, in megabits per second (Mbps), for traffic coming from the device.
  • Page 307: Qos Traffic Prioritization

    NOTE: QoS can be used for device pairs that exist within the same fabric only. QoS priority information is not passed over EX_ or VEX_Ports and should not be used for devices in separate fabrics. If a QoS zone name prefix is specified in an LSAN zone (a zone beginning with prefix LSAN_), the QoS tag is ignored.
  • Page 308: Qos On E_Ports

    QoS on E_Ports In addition to configuring the hosts and targets in a zone, you must also enable QoS on individual E_Ports that might carry traffic between the given host and target pairs. Path selection between the host and target pairs is governed by FSPF rules and is not affected by QoS priorities. By default, QoS is enabled on E_Ports in port configuration.
  • Page 309: Limitations And Restrictions For Traffic Prioritization

    Limitations and restrictions for traffic prioritization Note the following configuration rules for traffic prioritization: • If a host and target are included in two or more QoS zones with different priorities, the zone with the lowest priority takes precedence. For example, if an effective zone configuration has QOSH_z1 (H,T) and QOSL_z2 (H,T), the traffic flow between H and T will be of low QoS priority.
  • Page 310 310 Optimizing fabric behavior...
  • Page 311: 16Using The Fc-Fc Routing Service

    Using the FC-FC routing service FC-FC routing service overview The FC-FC routing service provides Fibre Channel routing (FCR) between two or more fabrics without merging those fabrics. A Fibre Channel router (FC router) is a switch running the FC-FC routing service. The FC-FC routing service can be used simultaneously as an FC router and as a SAN extension over wide area networks (WANs) using FCIP.
  • Page 312: Supported Configurations

    Supported configurations In an edge fabric that contains a mix of administrative domain (AD)-capable switches and switches that are not aware of AD, the FC router must be connected directly to the AD-capable switch. For more information, see ”Use of administrative domains with LSAN zones and FCR”...
  • Page 313: A Metasan With Interfabric Links

    Figure 37: A metaSAN with interfabric links (labels: host, targets, edge fabrics 1, 2, and 3, E_Ports, Fibre Channel switches, long distance IFL, EX_Ports, 4/256 SAN Director with FR4-18i blade). Fabric ID (FID) •...
  • Page 314: A Metasan With Edge-To-Edge And Backbone Fabrics

    Figure 38: A metaSAN with edge-to-edge and backbone fabrics (labels: edge fabrics 1, 2, and 3, IP cloud, VE_Port, E_Ports, VEX_Port, EX_Port (2), 400 MP Router, LSAN, backbone fabric). Figure 38 shows a metaSAN with a backbone consisting of one 400 MP Router connecting hosts in Edge Fabrics 1 and 3 with storage in Edge Fabric 2 and the backbone through the use of LSANs.
  • Page 315: Proxy Devices

    a router virtual domain that represents an entire fabric. Device connectivity can be achieved from one fabric to another—over the backbone or edge fabric through this virtual domain—without merging the two fabrics. Translate phantom domains are sometimes referred to as translate domains or xlate domains.
  • Page 316: Routing Types

    Figure 40: MetaSAN with imported devices (labels: host, target, proxy host (imported device), proxy target (imported device), Fabric 1, Fabric 2, E_Ports, EX_Port, 400 MP Router). Routing types The FC-FC routing service provides two types of routing: • Edge-to-Edge: Occurs when devices in one edge fabric communicate with devices in another edge fabric through one or more Fibre Channel routers.
  • Page 317: Setting Up The Fc-Fc Routing Service

    Fibre Channel fabrics require that all ports be identified by a unique PID. In a single fabric, FC protocol guarantees that Domain IDs are unique, and so a PID formed by a Domain ID and area ID is unique within a fabric.
  • Page 318 Log in to the switch or director as admin and issue the version command. Verify that Fabric OS 6.1 is installed on the FC router as shown in the following example. switch:admin> version Kernel: Fabric OS: v6.1.0 Made on: Wed Mar 12 01:15:34 2008 Flash: Fri Mar 14 20:53:48 2008...
  • Page 319: Assigning Backbone Fabric Ids

    Issue the interopMode command and verify that Fabric OS switch interoperability with switches from other manufacturers is disabled. switch:admin> interopmode InteropMode: Off usage: InteropMode [0|2|3 [-z McDataDefaultZone] [-s McDataSafeZone]] 0: to turn interopMode off 2: to turn McDATA Fabric mode on Valid McDataDefaultZone: 0 (disabled), 1 (enabled) Valid McDataSafeZone: 0 (disabled), 1 (enabled) 3: to turn McDATA Open Fabric mode on...
  • Page 320: Configuring Fcip Tunnels

    IMPORTANT: In a multi-switch backbone fabric, modification of FID within the backbone fabric causes disruption to local traffic. To assign backbone fabric IDs: Log in to the switch or director. Issue the switchDisable command. Issue the fosConfig --disable fcr command to disable the FC-FC Routing Service. See the Fabric OS Command Reference or the CLI man pages for more information about the fosConfig command.
  • Page 321 NOTE: To ensure that fabrics remain isolated, disable the port prior to inserting the cable. If you are configuring an EX_Port, disable the port prior to making the connection. To configure an IFL for both edge and backbone connections: On the FC Router, disable the port that you are configuring as an EX_Port (the one connected to the Fabric OS switch) by issuing the portDisable command.
  • Page 322 Issue the portEnable command to enable the ports that you disabled in step 2. You can now physically attach ISLs from the Fibre Channel Router to the edge fabric. switch:admin> portenable 7/10 Issue the portCfgShow command to view ports that are persistently disabled. switch:admin>...
  • Page 323 Issue either the portCfgEXPort or portShow command to verify that each port is configured correctly: switch:admin> portcfgexport 7/10 Port 7/10 info Admin: enabled State: NOT OK Pid format: Not Applicable Operate mode: Brocade Native Edge Fabric ID: Preferred Domain ID: Front WWN: 50:06:06:9e:20:38:6e:1e Fabric Parameters:...
  • Page 324: Configuring The Fc Router Port Cost

    Proc_rqrd: Protocol_err: 0 Timed_out: Invalid_word: 0 Rx_flushed: Invalid_crc: Tx_unavail: Delim_err: Free_buffer: Address_err: Overrun: Lr_in: Suspended: Lr_out: Parity_err: Ols_in: 2_parity_err: Ols_out: CMI_bus_err: Port part of other ADs: No Issue the switchShow command to verify the EX_Port (or VEX_Port), edge fabric ID, and name of the edge fabric switch (containing the E_Port or VE_Port).
  • Page 325: Setting The Router Port Cost For An Ex_Port

    Every IFL has a default cost. The default router port cost values are: • 1000 for legacy (v5.1 or XPath FCR) IFL • 1000 for EX_Port IFL • 10,000 for VEX_Port IFL The FCR router port cost settings are 0, 1000, or 10,000. If the cost is set to 0, the default cost will be used for that IFL.
  • Page 326: Port Cost Considerations

    Legacy routers in the backbone fabric program all the router ports without considering router port cost. Fabric OS 5.2.0 or later considers the legacy router port cost as 1000 for both EX or VEX_Ports. Port cost considerations The router port cost has the following considerations: •...
  • Page 327: Configuring Ex_Port Frame Trunking (Optional)

    As an option, you can configure these parameters manually. To change the fabric parameters on a switch in the edge fabric, execute the configure command. To change the fabric parameters of an EX_Port on the 400 MP Router or 4/256 SAN Director or DC Director with an FR4-18i blade, use the portCfgEXPort command.
  • Page 328: Supported Configurations And Platforms

    Supported configurations and platforms The EX_Port trunking is an FCR software feature and requires that you have a trunking license installed on the FCR switch and on the edge fabric connected to the other side of the trunked EX_Ports. EX_Port trunking is supported only with edge fabrics.
  • Page 329: Configuring Lsans And Zoning

    Configuring LSANs and zoning An LSAN consists of zones in two or more edge or backbone fabrics that contain the same devices. LSANs essentially provide selective device connectivity between fabrics without forcing you to merge those fabrics. FC routers provide multiple mechanisms to manage interfabric device connectivity through extensions to existing switch management interfaces.
  • Page 330: Controlling Device Communication With Lsan (Sample Procedure)

    NOTE: If you are managing other switches in a fabric, HP recommends that you run the defZone --show command on your Fabric OS 5.1.0 and later switches as a precaution. Default zoning behavior in Fabric OS 5.1.0 and later operates differently compared to earlier versions of Fabric OS (2.x, 3.x, v4.x, and 5.0.1).
  • Page 331 Issue the cfgAdd or cfgCreate and cfgEnable commands to add and enable the LSAN configuration: switch:admin> cfgadd "zone_cfg", "lsan_zone_fabric75" switch:admin> cfgenable "zone_cfg" You are about to enable a new zoning configuration. This action will replace the old zoning configuration with the current configuration selected.
  • Page 332: Lsan Zone Binding

    • lsanZoneShow -s shows the LSAN. switch:admin> lsanzoneshow -s Fabric ID: 2 Zone Name: lsan_zone_fabric2 10:00:00:00:c9:2b:c9:0c Imported 50:05:07:61:00:5b:62:ed EXIST 50:05:07:61:00:49:20:b4 EXIST Fabric ID: 75 Zone Name: lsan_zone_fabric75 10:00:00:00:c9:2b:c9:0c EXIST 50:05:07:61:00:5b:62:ed Imported • fcrPhyDevShow shows the physical devices in the LSAN. switch:admin>...
  • Page 333: How Lsan Zone Binding Works

    Figure 41: LSAN zone binding (labels: LSAN zones 1 through 4, Fabrics 1 through 9, FC routers 1 through 4, backbone fabric)...
  • Page 334: Fc Router Matrix Definition

    creating and updating the LSAN fabric matrix. See the Fabric OS Command Reference for a complete description of this command. Best practice: Use this feature in a backbone fabric in which all FC routers are running Fabric OS 6.1.0 or later.
  • Page 335: Upgrade, Downgrade, And Ha Considerations For Lsan Zone Binding

    The command fcrLsanMatrix add -lsan 0 0 erases the entire LSAN fabric matrix settings in the cache. The FC router matrix and the LSAN fabric matrix are used together to determine which fabrics can access each other, with the LSAN fabric matrix providing more specific binding. Upgrade, downgrade, and HA considerations for LSAN zone binding When a CP is upgraded from Fabric OS 6.0.x or 5.3.x to 6.1.0, the LSAN zone binding and handling remains the same.
  • Page 336: Dual Backbone Configuration

    For example: FCR:Admin > fcrlsanmatrix --fabricview -lsan LSAN MATRIX is activated Fabric ID 1 Fabric ID 2 -------------------------------------- Default LSAN Matrix: 1 2 8 Dual backbone configuration When dual backbones share edge fabrics, one of the backbones is selected to be the owner of the edge fabric which sends device state updates to the other backbone through the shared edge fabric.
  • Page 337: Ha And Downgrade Considerations For Lsan Zones

    HA and downgrade considerations for LSAN zones LSAN zones affect high availability and firmware downgrades as follows: • The LSAN zone matrix is synchronized to the standby CP. • On a dual CP switch, both CPs need to have Fabric OS 5.3.0 or later to enable the feature. •...
  • Page 338: Monitoring Resources

    To display the current broadcast configuration: Log in to the FC router as admin. Issue the following command: fcr:admin> fcrbcastconfig --show This command displays only the FIDs that have the broadcast frame option disabled. The FIDs that are not listed have the broadcast frame option enabled. To enable broadcast frame forwarding: Log in to the FC router as admin.
  • Page 339: Upgrade And Downgrade Considerations

    The following example shows the use of the fcrResourceShow command display per physical port (EX_Port) resources. switch:admin> fcrresourceshow Daemon Limits: Max Allowed Currently Used ---------------------------------- LSAN Zones: 3000 28 LSAN Devices: 10000 51 Proxy Device Slots: 10000 20 WWN Pool Size Allocated ---------------------------------- Phantom Node WWN: 8192 5413 Phantom Port WWN: 32768 16121...
  • Page 340: Interoperability With Legacy Fcr Switches

    If you replace an 8-Gbps port blade with another 8-Gbps port blade, the EX_Port configuration remains the same. Interoperability with legacy FCR switches A legacy FCR switch is a switch running Fabric OS 5.1 or earlier or XPath OS. The following interoperability considerations apply when administering legacy FCR switches in the same backbone fabric as switches supporting Fabric OS 5.2.0 or later: •...
  • Page 341: Range Of Output Ports

    The following example illustrates the use of the portcfgexport command. switch:admin_06> portcfgexport 2/0 Port 2/0 info Admin: enabled State: OK Pid format: core(N) Operate mode: Brocade Native Edge Fabric ID: 16 Front Domain ID: 160 Front WWN: 50:06:06:9e:20:9f:ce:10 Principal Switch: 7 principal WWN: 10:00:00:60:69:c0:05:8a Fabric Parameters: Auto Negotiate R_A_TOV: 9000(N)
  • Page 342 Log in to an FC router that is connected to an edge fabric switch through multiple EX_Ports from the same router. Issue the portCfgShow command and confirm the ports are enabled. Issue the portCfgExport command and confirm that the EX_Ports share the same front domain ID (DID) and node WWN.
  • Page 343: 17Administering Advanced Performance Monitoring

    Administering advanced performance monitoring This chapter describes the Advanced Performance Monitoring licensed feature. About Advanced Performance Monitoring Additional performance monitoring features are provided through Web Tools. See the Web Tools Administrator’s Guide for information about monitoring performance using the Web Tools GUI. Based on Brocade Frame Filtering technology and a unique performance counter engine, Advanced Performance Monitoring is a comprehensive tool for monitoring the performance of networked storage resources.
  • Page 344: End-To-End Performance Monitoring

    NOTE: The command examples in this chapter use the slot/port syntax required by 4/256 SAN Director and DC Directors. For the 4/8 SAN Switch, 4/16 SAN Switch, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 8/8 SAN Switch, 8/24 SAN Switch, 8/40 SAN Switch, 8/80 SAN Switch and the 400 Multi-protocol Router, use only the port number where needed in the commands.
  • Page 345: Adding End-To-End Monitors

    Adding end-to-end monitors Figure 43 shows two devices: • Host A is connected to domain 5 (0x05), switch area ID 18 (0x12), AL_PA 0x00 on Switch X. • Dev B is a storage device connected to domain 17 (0x11), switch area ID 30 (0x1e), AL_PA 0xef on Switch Y.
  • Page 346: Deleting End-To-End Monitors

    monitor. By setting a mask, you can choose to have the frame match only one or two of the three fields (Domain ID, Area ID, and AL_PA) to trigger the monitor. You specify the masks in the form dd:aa:pp, where dd is the domain ID mask, aa is the area ID mask, and pp is the AL_PA mask.
  • Page 347: Filter-Based Performance Monitoring

    0x000123 0x000789 WEB_TOOLS 0x0000000000000000 0x0000000000000000 0x001212 0x003434 WEB_TOOLS 0x0000000000000000 0x0000000000000000 switch:admin> perfdeleemonitor 0, 2 End-to-End monitor number 2 deleted switch:admin> Filter-based performance monitoring Filter-based performance monitoring counts the number of times a frame with a particular pattern is transmitted by a port.
  • Page 348: Custom Filter-Based Monitors

    The following example adds filter-based monitors to slot 1, port 2 and displays the results: switch:admin> perfaddreadmonitor 1/2 SCSI Read filter monitor #0 added switch:admin> perfaddwritemonitor 1/2 SCSI Write filter monitor #1 added switch:admin> perfaddrwmonitor 1/2 SCSI Read/Write filter monitor #2 added switch:admin>...
  • Page 349: Deleting Filter-Based Monitors

    frame (SOF). When the offset is set to 0, the values 0–7 that are checked against that offset are predefined as shown in Table Table 74 Predefined values at offset 0 Value Value SOFf SOFi2 SOFc1 SOFn2 SOFi1 SOFi3 SOFn1 SOFn3 If the switch does not have enough resources to create a given filter, other filters might have to be deleted to free resources.
  • Page 350: Top Talker Monitors

    Top Talker monitors Top Talker monitors determine the flows (SID/DID pairs) that are the major users of bandwidth (after initial stabilization). Top Talker monitors measure bandwidth usage data in real-time and relative to the port on which the monitor is installed. NOTE: Initial stabilization is the time taken by a flow to reach the maximum bandwidth.
  • Page 351: Deleting A Top Talker Monitor On An F_Port

    • port is the port number For example, to monitor the incoming traffic on port 7: perfttmon --add ingress 7 To monitor the outgoing traffic on slot 2, port 4 on the 4/256 SAN Director or DC Director: perfttmon --add egress 2/4 Deleting a Top Talker monitor on an F_Port To delete a Top Talker monitor on an F_Port: Connect to the switch and log in as admin.
  • Page 352: Adding Top Talker Monitors On All Switches In The Fabric

    Use the perfttmon command to add, delete, and display Top Talker monitors. Adding Top Talker monitors on all switches in the fabric To add Top Talker monitors on all switches in the fabric: Connect to the switch and log in as admin. Remove any end-to-end monitors in the fabric, as described in ”Deleting end-to-end monitors”...
  • Page 353: Limitations Of Top Talker Monitors

    To display the top flows on domain 2 in PID format: perfttmon --show dom 2 pid switch:admin> perfttmon --show dom 2 pid ======================================== Src_PID Dst_PID MB/sec ======================================== 0xa908ef 0xa05200 6.926 0xa05200 0xa908ef 6.872 0xa905ef 0xa05200 6.830 0xa909d5 0xa05200 6.772 Limitations of Top Talker monitors Note the following when using Top Talker monitors: •...
  • Page 354 The Directors have a total of 10 slots. Slot numbers 5 and 6 are control processor blades; slots 1 through 4 and 7 through 10 are port blades. For 16-port blades, there are 16 ports, counted from the bottom, numbered 0 to 15. For 32-port blades, there are 32 ports numbered 0 to 31. •...
  • Page 355 The following example displays EE monitors on a port: switch:admin> perfMonitorShow --class EE 4/5 There are 7 end-to-end monitor(s) defined on port 53. OWNER_APP TX_COUNT RX_COUNT CRC_COUNT OWNER_IP_ADDR -------------------------------------------------------------------------------------------------------- 0x58e0f 0x1182ef TELNET 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x21300 0x21dda TELNET 0x00000004d0ba9915 0x0000000067229e65 0x0000000000000000 0x21300 0x21ddc TELNET...
  • Page 356: Clearing Monitor Counters

    The following example displays ISL monitor information on a port: switch:admin> perfMonitorShow --class ISL 1/1 Total transmit count for this ISL: 1462326 Number of destination domains monitored: 3 Number of ports in this ISL: 2 Domain 110379 Domain 98: 13965 Domain 1337982 Clearing monitor counters...
  • Page 357: Saving And Restoring Monitor Configurations

    The following example clears statistics counters for an end-to-end monitor: switch:admin> perfMonitorClear --class EE 1/2 5 End-to-End monitor number 5 counters are cleared switch:admin> perfMonitorClear --class EE 1/2 This will clear ALL EE monitors' counters on port 2, continue? (yes, y, no, n): [no] y The following example clears statistics counters for a filter-based monitor: switch:admin>...
  • Page 358 • To clear the previously saved performance monitoring configuration settings from nonvolatile memory, use the perfCfgClear command: switch:admin> perfcfgclear This will clear Performance Monitoring settings in FLASH. The RAM settings won’t change. Do you want to continue? (yes, y, no, n): [no] y Please wait...
  • Page 359: 18Administering Extended Fabrics

    Administering extended fabrics This chapter provides information on implementing Extended Fabrics software. Extended Fabrics licensing To implement long distance dynamic (LD) and long distance static (LS) distance levels, you must first install the Extended Fabrics license. Use the licenseShow command to verify that the license is present on both switches used on both ends of the extended ISL.
  • Page 360: Fibre Channel Data Frames

    Table 75 describes Fibre Channel data frames Table 75 Fibre Channel data frames Start of frame 4 bytes 32 bits Standard frame 24 bytes 192 bits header Data (payload) {0 - 2,1 12} bytes {0 - 16,896} bits 4 bytes 32 bits End of frame 4 bytes...
  • Page 361: Fc Switch Port Buffer Credit Requirements For Long Distance Calculations

    FC switch port Buffer Credit requirements for long distance calculations You can calculate how many ports can be configured for long distance on all switch modules or ASICs except Bloom-based switches. For information on the port, speed, and distance for Bloom-based ASICs, see Table 77.
  • Page 362: Displaying The Remaining Buffers In A Port Group

    676 = a static number retrieved from Table If you allocate the entire 484 + 8 reserved buffers = 492 buffers to a single port, that port can support 486 km at 2 G, which is the reserved buffer for distance. How many 50 km ports can you configure? If you have a distance of 50 km at 8 Gbps then 484 / (206 –...
  • Page 363: Switch, Port Speed, And Distance With Asic And Buffers

    Table 76 Switch, port speed, and distance with ASIC and buffers Switch blade ASIC Total ports in Total ports in a Reserved model a switch or group buffers for ports blade B-Series 2Gb Bloom 8, 16 or 32 108/4 Switches 4/8 SAN Switch Golden Eye 272/16...
  • Page 364: Buffer Credit Recovery

    NOTE: Additional buffers are available with 4 Gbps chassis for 8 Gbps blades because of fewer buffers allocated for back-end port connections. Buffer credit recovery Buffer credit recovery allows links to recover after frames and R_RDYs are lost when the credit recovery logic is enabled.
  • Page 365: Configuring An Extended Isl

    Configuring an extended ISL Before configuring an extended ISL, ensure that the following conditions are met: • Be sure that the ports on both ends of the ISL are operating at the same port speed, and can be configured at the same distance level without compromising local switch performance. NOTE: A long-distance link also can be configured to be part of a trunk group.
  • Page 366: Extended Isl Modes: B-Series 2Gb Switches (Bloom And Bloom Ii Asics)

    • desired_distance is, for an LD-mode link, a threshold limit for link distance to ensure buffer availability for other ports in the same port group. If the measured distance exceeds desired_distance, desired_distance is used. For an LS-mode link, desired_distance is used to calculate the buffers required for the port. Repeat step 4 for the remote extended ISL port.
  • Page 367: 19Administering Isl Trunking

    Administering ISL trunking This chapter contains procedures for using the ISL Trunking licensed feature, which optimizes the use of bandwidth by allowing a group of interswitch links to merge into a single logical link. About ISL Trunking ISL Trunking reduces or eliminates situations that require static traffic routes and individual ISL management to achieve optimal performance.
  • Page 368: Standard Trunking Criteria

    • Dynamic trunk master reassignment if a trunk master is disabled (on other platforms, all ports on a trunk must be disabled temporarily to reassign a master). • 4 Gbps trunk links. • 8 Gbps trunk links where supported. The maximum number of ports per trunk and trunks per switch depends on the HP model. NOTE: Director blade model FC10-6 does not support trunking.
  • Page 369: Initializing Trunking On Ports

    • A trunking group has the same link cost as the master ISL of the group, regardless of the number of ISLs in the group. This allows slave ISLs to be added or removed without causing data to be rerouted, because the link cost remains constant. •...
  • Page 370: Adding A Monitor To An F_Port Master Port

    Adding a monitor to an F_Port master port Connect to the switch and log in as admin. Issue the perfAddEEMonitor command: switch:admin> perfaddeemonitor 4 0x010400 0x020800 Adding monitor to the master port <port no.> of the F-Port Trunk. where 4 is a slave port of the F_Port Trunk. If you attempt to install a monitor on a slave port of an F_Port trunk and the same monitor is already installed on the corresponding master, the following message is displayed: switch:admin>...
  • Page 371: Enabling And Disabling Isl Trunking

    The following example shows traffic flowing through a trunking group (ports 5, 6, and 7). After port 6 fails, traffic is redistributed over the remaining two links in the group, ports 5 and 7: switch:admin> portperfshow 4567 Total -------------------------------------------------------------------- 0145m144m145m 0144m143m144m 431 0162m0162m Enabling and disabling ISL Trunking...
  • Page 372: Setting Port Speeds

    Setting port speeds For long-distance ports, if a port is set to autonegotiate port speed, the maximum speed (8 Gbps) is assumed for reserving buffers for the port. If the port is running at only 2 Gbps, this wastes buffers. For long-distance ports, it is best to set the port speed (this applies to the 4/32 SAN Switch, 4/32B SAN Switch and the 4/256 SAN Director only).
  • Page 373: Setting The Same Speed For All Ports On The Switch

    • 4—four Gbps mode. Fixes the port at a speed of four Gbps. (HP StorageWorks 4/8 SAN Switch, 4/16 SAN Switch, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 400 Multi-protocol Router and 4/256 SAN Director only) •...
  • Page 374: Trunking Over Extended Fabrics

    Use the trunkShow command to display the following information about ISL Trunking groups: Trunking Group Number Displays each trunking group on a switch. All the ports that are part of this trunking group are displayed. Port-to-port connections, Displays the port-to-port trunking connections. Displays the WWN of the connected port.
  • Page 375: F_Port Masterless Trunking

    Enhanced trunking support for the FC4-48 port blade in the 4/256 SAN Director is summarized in Table 80. Table 80 Trunking support for 4/256 SAN Director and DC Directors with supported blades (Condor and Condor2 ASIC) Mode Distance Number of 2 Gbps ports Number of 4 or 8 Gbps ports 10 km 48 (six 8-port trunks)
  • Page 376: Switch In Access Gateway Mode Without F_Port Trunking

    work on M-EOS or third party switches. Figure 47 shows a switch in AG mode without F_Port masterless trunking. Figure 48 shows a switch in AG mode with F_Port masterless trunking. Figure 47 Switch in Access Gateway mode without F_Port trunking Figure 48 Switch in Access Gateway mode with F_Port masterless trunking NOTE:...
  • Page 377: F_Port Trunking Considerations

    F_Port trunking considerations Table 81 F_Port masterless trunking considerations Category Description Area assignment You statically assign the area within the trunk group on the edge switch. That group is the F_Port masterless trunk. The static trunk area you assign must fall within the ASIC's trunk group of the switch or blade starting from port 0.
  • Page 378 Table 81 F_Port masterless trunking considerations (continued) Category Description portCfgTrunkPort <port>, 0 The portCfgTrunkPort <port>, 0 command fails if a Trunk Area is enabled on a port. The port Trunk Area must be disabled first. switchCfgTrunk 0 The switchCfgTrunk 0 command will fail if a port has TA enabled.
  • Page 379: Setting Up F_Port Trunking

    Table 81 F_Port masterless trunking considerations (continued) Category Description DCC Policy DCC policy enforcement for the F_Port trunk is based on the Trunk Area; FDISC requests to a trunk port are accepted only if the WWN of the attached device is part of the DCC policy against the TA.
  • Page 380: Assigning A Trunk Area

    user port number, with contiguous eight ports as one group, such as 0-7, 8-15, 16-23 and up to the number of ports on the switch. Figure 49 Trunk group configuration for the SAN Switch 8/40 To set up F_Port trunking: Connect to the switch and log in as admin.
  • Page 381: Enabling F_Port Trunking

    Issue the TA for ports 13 and 14 on slot 10 with a port index of 125: switch:admin> porttrunkarea --enable 10/13-14 -index 125 Trunk index 125 enabled for ports 10/13 and 10/14. Show the TA port configuration (ports still disabled): switch:admin>...
  • Page 382 Show switch/port information: switch:admin> switchshow switchName: SPIRIT_B4_01 switchType: 66.1 switchState: Online switchMode: Native switchRole: Principal switchDomain: switchId: fffc02 switchWwn: 10:00:00:05:1e:41:22:80 zoning: switchBeacon: FC Router: FC Router BB Fabric ID: 100 Area Port Media Speed State Proto ===================================== No_Module No_Module No_Module No_Module No_Module No_Module...
  • Page 383: Enabling The Dcc Policy On Trunk

    Display TA enabled port configuration: switch:admin> porttrunkarea --show enabled Port Type State Master ------------------------------------- F-port Master F-port Slave F-port Slave F-port Slave Display the trunking information. For example, to display trunk details for a user assigned TA 37 that includes ports 36-39: switch:admin>...
  • Page 384: Trunking For Access Gateway

    Example: How Trunk Area assignment affects the port Domain,Index If you have AD1: 3,7; 3,8; 4,13; 4,14 and AD2: 3,9; 3,10, and then create a TA with Index 8 with ports that have index 7, 8, 9, and 10, index 7, 9, and 10 are no longer with domain 3. This means that AD2 does not have access to any ports because index 9 and 10 no longer exist on domain 3.
  • Page 385: 20Configuring And Monitoring Fcip Extension Services

    Configuring and monitoring FCIP extension services This chapter describes the FCIP concepts, configuration procedures, and tools and procedures for monitoring network performance. Commands described in this chapter require Admin or root user access. See the Fabric OS Command Reference for detailed information on command syntax. FCIP concepts Fibre Channel over IP (FCIP) enables you to connect Fibre Channel SANs over IP-based networks.
  • Page 386: Compression On Fcip Tunnels

    • A VEX_Port enables FC-FC Routing Service functionality over an FCIP tunnel. VEX_Ports enable interfabric links (IFLs). If a VEX_Port is on one end of an FCIP tunnel, the fabrics connected by the tunnel are not merged. The other end of the tunnel must be defined as a VE_Port. VEX_Ports are not used in pairs.
  • Page 387: Platforms That Support San Extension Over Ip

    FCIP services license Most of the FCIP extension services described in this chapter require the High Performance Extension over FCIP/FC license. Use the licenseShow command to verify the license is present on the hardware used on both ends of the FCIP tunnel. For details on obtaining and installing licensed features, see ”Licensed features”...
  • Page 388: Ipsec Implementation Over Fcip

    When both DSCP and L2CoS are used If an FCIP tunnel is not VLAN tagged, only DSCP is relevant. If the FCIP tunnel is VLAN tagged, both DSCP and L2CoS are relevant, unless the VLAN is end-to-end, with no intermediate hops in the IP network. Table 85 shows the default mapping of DSCP priorities to L2CoS priorities per tunnel ID.
  • Page 389: Ipsec Terminology

    IPSec uses some terms that you should be familiar with before beginning your configuration. These are standardized terms, but are included here for your convenience. Table 86 IPSec terminology Term Definition Advanced Encryption Standard. FIPS 197 endorses the Rijndael encryption algorithm as the approved AES for use by US Government organizations and others to protect sensitive information.
  • Page 390: Configuring Ipsec

    • IPSec can be configured only on IPv4-based tunnels. Secure tunnels cannot be created on a 400 Multi-protocol Router or FR4-18i blade if any IPv6 addresses are defined on either ge0 or ge1. • Secure Tunnels cannot be defined with VLAN Tagged connections. Configuring IPSec IPSec requires predefined configurations for IKE and IPSec.
  • Page 391: Managing Policies

    The parameters listed in Table 88 can be modified: Table 88 Modifiable policy parameters Parameter Description Encryption Algorithm 3DES—168-bit key AES-128—128-bit key (default) AES-256—256-bit key Authentication Algorithm SHA-1—Secure Hash Algorithm (default) MD5—Message Digest 5 AES-XCBC—Used only for IPSec Security Association lifetime in The lifetime in seconds of the security association.
  • Page 392 The following example shows how to create IKE policy number 10 using 3DES encryption, MD5 authentication, and Diffie-Hellman Group 1: switch:admin06> policy --create ike 10 -enc 3des -auth md5 -dh 1 The following policy has been set: IKE Policy 10 ----------------------------------------- Authentication Algorithm: MD5 Encryption: 3DES...
  • Page 393: Options For Enhancing Tape Write I/O Performance

    where type is the policy type and number is the number assigned. For example, to delete the IPSec policy number 10: switch:admin06> policy --delete ipsec 10 The policy has been successfully deleted. To view IPSec information for an FCIP tunnel: Log in to the switch as admin.
  • Page 394: Fcip Fastwrite And Tape Pipelining

    fastwrite flows may be passed through the FCIP tunnel, but only if the FCIP fastwrite option is disabled on the tunnel. FCIP fastwrite and tape pipelining When the FCIP link is the slowest part of the network, consider using FCIP fastwrite and tape pipelining. Supported only in Fabric OS 5.2.x and later, FCIP fastwrite and tape pipelining are two features that provide accelerated speeds for write I/O over FCIP tunnels in some configurations: •...
  • Page 395: Fcip Fastwrite/Tape Pipelining Configurations

    FCIP fastwrite/tape pipelining configurations To help understand the supported configurations, consider the configurations shown in Figure 51 and Figure 52. In both cases, there are no multiple equal-cost paths. In Figure 51, there is a single tunnel with fastwrite and tape pipelining enabled. In Figure 52, there are multiple tunnels, but none of them create a multiple equal-cost path.
  • Page 396: Fc Fastwrite Concepts

    VE-VE or VEX-VEX Figure 53 Unsupported configurations with fastwrite and tape pipelining FC Fastwrite concepts FC Fastwrite operates in Fibre Channel network topologies similar to the basic topology shown in Figure 54. FC Fastwrite provides accelerated speeds for SCSI Write operations over long distance Fibre
  • Page 397: Platforms And Os Requirements For Fc Fastwrite

    Channel ISLs implemented through the FC-FC Routing Service (FRS) rather than FCIP. FC Fastwrite is supported in Fabric OS 5.3.x and later. Figure 54 Typical network topology for FC Fastwrite Platforms and OS requirements for FC Fastwrite Fabric OS supports FC Fastwrite between two 400 Multi-Protocol Routers, two 4/256 SAN Directors with FR4-18i blades, or two DC SAN Backbone Directors with FR4-18i blades, connected by a Fibre Channel network.
  • Page 398: Fc Fastwrite Flow Configuration Requirements

    The PI continues to stage data received from the initiator, respond locally to a Transfer Ready, and send the data to the target device until the target device sends a Response (FCP_RSP). Figure 55 How FC Fastwrite works FC Fastwrite can improve write performance. Read performance is unaffected. The gains seen from enabling FC Fastwrite depend on several factors, including the following: •...
  • Page 399 Perform the following procedure to configure and enable FC Fastwrite. Create a zone configuration to filter FC Fastwrite flows. FC Fastwrite flows are configured by creating a zone name with an fcacc token as a prefix. For LSAN configuration, use lsan_fcacc as a prefix, as shown in the following example: #zonecreate fcacc_myzone1, "initiator-wwn;...
  • Page 400: Disabling Fc Fastwrite On A Blade Or Switch

    Issue the portShow command to verify that FC Fastwrite is enabled: switch:admin> portshow 3/3 portName: portHealth: HEALTHY Authentication: None portDisableReason: None portCFlags: 0x1 portFlags: 0x20b03 PRESENT ACTIVE F_PORT G_PORT U_PORT LOGICAL_ONLINE LOGIN NOELP ACCEPT portType: 10.0 portState: 1 Online portPhys: In_Sync portScn: F_Port...
  • Page 401: Disabling Fc Fastwrite On A Port

    Example of disabling FC Fastwrite on a switch: switch:admin> fastwritecfg --disable 7 !!!! WARNING !!!! Disabling FC Fastwrite will require powering off and back on the and it may take upto 5 minutes. For non bladed system, the switch will be rebooted.
  • Page 402: Setting Persistently Disabled Ports

    11. If you are implementing FTRACE, configure FTRACE using the portcfg ftrace command. See ”FICON fabrics” on page 423 for specific instructions. Check the configuration using the portshow fciptunnel command. Persistently enable the ports using the portpersistentenable command. Create a matching configuration on the 400 Multi-protocol Router or FR4-18i blade at the other end of the tunnel.
  • Page 403 where: slot The number of a slot in a 4/256 SAN Director or DC Director chassis that contains an FR4-18i blade. This parameter does not apply to the stand-alone 400 Multi-protocol Router. ge0|ge1 The Ethernet port used by the tunnel (ge0 or ge1). src_ipaddr Specify source IP address in either IPv6 or IPv4 format: src_IPv6_addr/[prefix_len]...
  • Page 404 The following example verifies that the two routes have been successfully created: switch:admin06> portshow iproute 8/ge0 Slot: 8 Port: ge0 IP Address Mask Gateway Metric Flags ------------------------------------------------------------------ Interface Interface If you are implementing VLAN tagging, create a static ARP entry for the IP interfaces on both ends of the tunnel using the portcfg arp command with the add option:...
  • Page 405: Creating An Fcip Tunnels

    The following example tests the connection between and, switch:admin06> portcmd --ping ge0 -s -d Pinging from ip interface on 0/ge0 with 64 bytes of data Reply from bytes=64 rtt=1ms ttl=64 Reply from bytes=64 rtt=0ms ttl=64 Reply from bytes=64 rtt=0ms ttl=64 Reply from bytes=64 rtt=1ms ttl=64 Ping Statistics for
  • Page 406: Verifying The Fcip Tunnel Configuration

    -k timeout is the keep-alive timeout in seconds. The range of valid values is 8 through 7,200 seconds and the default is 10. If tape pipelining is enabled both the default and minimum values are 80 seconds. -r retransmissions is the maximum number of retransmissions on the existing FCIP tunnel. The range of valid values is 1 through 16.
  • Page 407 The following example shows an active tunnel with FCIP fastwrite and tape pipelining enabled: switch:admin06> portshow fciptunnel ge0 all ------------------------------------------- Tunnel ID 1 Remote IP Addr Local IP Addr Remote WWN Not Configured Local WWN 10:00:00:05:1e:35:1f:ed Compression off Fastwrite on Tape Pipelining on Uncommitted bandwidth, minimum of 1000 Kbps (0.001000 Gbps)
  • Page 408: Enabling Persistently Disabled Ports

    To verify that a VE_Port or VEX_Port is online, use the switchShow command to view and verify that the FCIP tunnel is online. switch:admin06> portenable 8/18 switch:admin06> portenable 8/19 switch:admin06> switchshow switchName:switch switchType:42.2 switchState:Online switchMode:Native switchRole:Subordinate switchDomain:4 switchId:fffc04 switchWwn:10:00:00:60:69:80:0d:bc zoning:ON (LSAN001) switchBeacon:OFF blade3 Beacon: blade4 Beacon:...
  • Page 409: Managing Fcip Tunnels

    switch:admin06> portcfgpersistentenable 8/18 switch:admin06> portcfgpersistentenable 8/19 switch:admin06> portcfgshow Ports of Slot 8 9 10 11 12 13 14 15 -----------------+--+--+--+--+----+--+--+--+----+--+--+--+----+--+--+-- Speed AN AN AN AN AN AN AN AN AN AN AN AN AN AN AN AN Trunk Port ON ON ON ON ON ON ON ON ON ON ON ON ON ON ON ON...
  • Page 410 Issue the portCfg fcipTunnel command to modify FCIP tunnels (you must specify at least one characteristic to modify). The command syntax is as follows: portcfg fciptunnel [slot/]ge[port] modify tunnel_id [-b comm_rate] [-c 0|1] [-s 0|1] [-f 0|1] [-k timeout] [-m time] [-q control_dscp] [-Q data_dscp] [-p control_L2Cos] [-P data_L2Cos] [-r retransmissions] [-t 0|1] where:...
  • Page 411: Modifying And Deleting Qos Settings

    The following example shows two FCIP tunnels created on slot 8, port ge0; the first with an uncommitted bandwidth (0), and the second with a committed bandwidth of 10000 b/sec: switch:admin06> portcfg fciptunnel 8/ge0 create 2 0 switch:admin06> portcfg fciptunnel 8/ge0 create 3 10000 The following example shows an FCIP tunnel created between a remote interface, and a local IP interface
  • Page 412: Deleting An Ip Interface (Ipif)

    Deleting an IP interface (IPIF) The following command deletes an IP interface: portcfg ipif delete ipaddr Deleting an IProute The following command deletes an IP route: portcfg iproute [slot/]ge0|ge1 delete ipaddr netmask Managing the VLAN tag tables The VLAN tag table is used by ingress processing to filter inbound VLAN tagged frames. If a VLAN tagged frame is received from the network and there is no entry in the VLAN tag table for the VLAN ID, the frame is discarded.
  • Page 413: About The Ipperf Option

    • portCmd traceroute traces routes from a local Ethernet port (ge0 or ge1) to a destination IP address. • portShow fcipTunnel displays performance statistics generated from the WAN analysis. About the ipperf option The WAN tool ipPerf is an option of the Fabric OS portCmd command. This option allows you to specify the slot and port information for displaying performance statistics for a pair of ports.
  • Page 414: Wan Tool Performance Characteristics

    WAN tool performance characteristics Table 90 lists the end-to-end IP path performance characteristics that you can display using the portCmd ipPerf command and option. All four of the base ipPerf performance characteristics (bandwidth, loss, RTT, PMTU) are provided in the command output in Fabric OS 5.2.0 or later. Table 90 WAN tool performance characteristics Characteristic...
  • Page 415: Wan Tool Ipperf Syntax

    Configure the sender test endpoint using a similar CP CLI. The syntax for invoking the sender test endpoint using ipPerf for slot 8, port ge0 on an FR4-18i is as follows: portcmd --ipperf 8/ge0 -s -d -S The following example shows the results of the performance analysis for slot 8, port ge0: ipperf to from IP interface on 8/0:3227 30s: BW:113.03MBps WBW(30s): 55.39MBps...
  • Page 416: Using Portcmd Ping

    Following is the syntax for portCmd ipPerf to display end-to-end IP path performance statistics: portCmd --ipPerf [slot]/ge0|ge1 -s source_ip -d destination_ip -S|-R [-r rate] [-z size] [-t time] [-i interval] [-p port] [-q diffserv] [-v vlan_id] [-c L2_Cos] where: -s source_ip The source IP address.
  • Page 417: Using Portcmd Traceroute

    where: slot The number of a slot in a 4/256 SAN Director or DC Director chassis that contains an FR4-18i blade. This parameter does not apply to the stand-alone 400 Multi-protocol Router. ge0|ge1 The Ethernet port used by the tunnel (ge0 or ge1) -s source_ip The source IP interface that originates the ping request.
  • Page 418: Fcip Tunnel Performance Characteristics

    -h max_hops The maximum number of IP router hops allowed for the outbound probe packets. If this value is exceeded, the probe is stopped. The default is 30. -f first_ttl The initial time to live value for the first outbound probe packet. The default value is 1.
  • Page 419 The following example shows the portCmd fcipTunnel with the -perf option to display performance characteristics of tunnel 0. switch:admin06> portshow fciptunnel 8/ge0 all -perf Slot: 8 Port: ge0 ------------------------------------------- Tunnel ID 0 Remote IP Addr Local IP Addr Remote WWN Not Configured Local WWN 10:00:00:60:69:e2:09:be Compression on...
  • Page 420 The following example shows the portCmd fcipTunnel with the parameters options to display the parameters of tunnel 0: switch:admin06> portshow fciptunnel 8/ge0 0 -params Slot: 8 Port: ge0 ------------------------------------------- Tunnel ID 0 Remote IP Addr Local IP Addr Remote WWN Not Configured Local WWN 10:00:00:60:69:e2:09:be Compression on...
  • Page 421: Command Checklist For Configuring Fcip Links

    556200 Bps 30s avg, 491394 Bps lifetime avg Table 91 Command checklist for configuring FCIP links Step Command 1. Configure IPSec policies (optional). policy --create 2. Persistently disable ports. portcfgpersistentdisable 3. If a VEX port is to be implemented, portcfgvexport configure the appropriate virtual port as a VEX_Port.
  • Page 423: 21Ficon Fabrics

    FICON fabrics This chapter provides procedures for managing FICON fabrics. Fabric OS support for FICON IBM Fibre Connection (FICON®) is an industry-standard, high-speed input/output (I/O) interface for mainframe connections to storage devices. Fabric OS supports intermix mode operations, in which FICON and Fibre Channel technology work together.
  • Page 424: Platforms Supporting Ficon

    Platforms supporting FICON FICON protocol is supported on the HP StorageWorks 4/256 SAN Director and DC SAN Backbone Director, short name, DC Director. Contact your HP storage representative for FICON support on switches not listed here. The following port blades can exist in a FICON environment; however, FICON device connection to ports on these blades is not supported: •...
  • Page 425: Ficon Commands

    • The FC4-48 and FC8-48 port blades must not be inserted in slot 10 of the chassis in a FICON configuration. (Other blades are supported in slot 10, but the FC8-48 and FC4-48 blades are not.) Port 255 is reserved for CUP. FICON commands Table 92 summarizes the Fabric OS CLI commands that can be used for managing FICON fabrics.
  • Page 426: User Security Considerations

    User security considerations To administer FICON, you must have one of the following roles: • Admin • Operator • SwitchAdmin • FabricAdmin The User and BasicSwitchAdmin roles are view-only. The ZoneAdmin and SecurityAdmin roles have no access. In an Admin Domain-aware fabric, if you use the FICON commands (ficonshow, ficonclear, ficoncupshow, and ficoncupset) for any Admin Domain other than AD0 and AD255, the current switch must be a member of that Admin Domain.
  • Page 427: Configuring A Single Switch

    command when working from the command line. For GUI-based procedures, see the Web Tools Administrator’s Guide for configuring the routing policy using the FICON tab in Web Tools. Issue the ficonshow rnid command to verify that the FICON devices are registered with the switch. Issue the ficonshow lirr command to verify that the FICON host channels are registered to listen for link incidents.
  • Page 428: Cascaded Configuration, Two Switches

    there are only 2 domains in a path from a FICON Channel interface to a FICON Control Unit interface. Control Switch Switch Channel Unit Domain ID = 21 Domain ID = 22 Figure 56 Cascaded configuration, two switches Control Switch Switch Channel Unit...
  • Page 429: Setting Unique Domain Ids

    Setting unique Domain IDs In a cascaded configuration, each switch must have a unique Domain ID, and insistent Domain ID (IDID) mode must be enabled. To set a unique Domain ID and enable IDID mode: Connect to the switch and log in as admin. Verify that the switch has a unique Domain ID.
  • Page 430: Registered Listeners

    Registered listeners To display registered listeners for link incidents: Connect to the switch, log in as user, and issue one of the following commands: • For the local switch: ficonshow lirr • For all switches defined in the fabric: ficonshow lirr fabric Node identification data To display node-identification data: Connect to the switch, log in as user, and issue any of the following commands:...
  • Page 431: Clearing The Ficon Management Database

    See the Fabric OS Command Reference for additional details about the portSwap command. Clearing the FICON management database Perform the following steps to clear RLIR and RNID records from the FICON management database. Connect to the switch and log in as admin. To remove all the RLIR records from the local RLIR database, issue the ficonclear rlir command.
  • Page 432: Fmsmode And Ficon Cup

    This serialization prevents interference from local switch commands when a host-based management program is being used to administer the switch. bladeDisable bladeEnable portDisable switchCfgPersistentDisable portEnable switchDisable portName switchEnable portShow switchName portSwap switchShow NOTE: You cannot use the portCfgPersistentEnable and portCfgPersistentDisable commands to persistently enable and disable ports when FICON Management Server mode is on.
  • Page 433: Displaying The Fmsmode Setting

    To set up FICON CUP if fmsmode is already enabled: Verify that FICON Management Server mode is enabled by issuing the ficoncupshow fmsmode command. NOTE: If fmsmode is already enabled, disabling it might be disruptive to operation because ports that were previously prevented from communicating will now be able to do so.
  • Page 434: Displaying Mode Register Bit Settings

    Displaying mode register bit settings The mode register bits are described in Table 93. Table 93 FICON CUP mode register bits POSC: Programmed offline state control. When this bit is set on, the host is prevented from taking the switch offline. The default setting is 1 (on). User alert mode.
  • Page 435: Persistently Enabling And Disabling Ports

    where: • bitname is one of the mode register bits described in “FICON CUP mode register bits” on page 434. • 0 specifies that the bit is off. • 1 specifies that the bit is on. The following example sets the mode register bit HCP to off: switch:admin>...
  • Page 436: Ficon Cup License Considerations

    FICON CUP license considerations If fmsmode is enabled when the FICON CUP license is removed, the control device is reset. PDCM enforcement continues. If fmsmode is disabled when the FICON CUP license is removed, no special action is taken. If fmsmode is enabled on a switch that does not have a FICON CUP license and then the license is installed, you must first disable and then reenable fmsmode.
  • Page 437: Downloading Configuration Files With Active=Saved Mode Disabled

    The IPL will not be replaced because Active=Saved mode is enabled. A warning message is displayed in the event log to warn users that the IPL will not be overwritten. Downloading configuration files with Active=Saved mode disabled “Maintaining the switch configuration file”...
  • Page 438: Recording Configuration Information

    Recording configuration information You can use the worksheet in Table 94 to record FICON configuration information. Table 94 FICON configuration worksheet FICON Switch Configuration Worksheet FICON Switch Manufacturer:___________________Type: _________ Model: ______ S/N: ________ HCD Defined Switch ID_________(Switch ID) Cascaded Directors No _____Yes _____ FICON Switch Domain ID_________(Switch @)
  • Page 439: Sample Iocp Configuration File

    Sample IOCP configuration file The channel subsystem controls communication between a configured channel, the control unit, and the device. The I/O Configuration Dataset (IOCDS) defines the channels, control units, and devices to the designated logical partitions (LPARs) within the server; this is defined using the Input/Output Configuration Program (IOCP).
  • Page 441: 22 Configuring And Monitoring Ficon Extension Services

    Configuring and monitoring FICON Extension Services This chapter describes the FICON extension concepts, configuration procedures, and tools and procedures for monitoring network performance. Commands described in this chapter require Admin or root user access. See the Fabric OS Command Reference for detailed information on command syntax. FICON extension products licensing Several specific licensed features are available for FICON extension.
  • Page 442: Ficon Emulation Requirement For A Determinate Path

    FICON emulation requirement for a determinate path FICON emulation processing creates FICON commands and responses on extended FICON Channel Path IDs (CHPIDs), and must know exactly what exchanges are occurring between a Channel and a control unit (CU) on a CHPID to function correctly. For FICON Emulation processing to function correctly, the responses to Host I/O (channel I/O) must be carried on the same ISL as the commands.
  • Page 443: Xrc Emulation

    XRC emulation The eXtended Remote Copy (XRC) application is a DASD application that implements disk mirroring, as supported by the disk hardware architecture and a host software component called System Data Mover (SDM). The primary volume and the secondary mirrored volume may be geographically distant across an IP WAN.
  • Page 444 • tape read pipelining. • -b 1|0 enables or disables FICON read block ID. 1 is enable, 0 is disable. • wrtMaxPipe value defines a maximum number of channel commands that may be outstanding at a given time during write pipelining. Too small a value will result in poor performance. The value should be chosen carefully based upon the typical tape channel program that requires optimum performance.
  • Page 445: Ficon Emulation Configuration Values

    FICON emulation configuration values You can display the values configured for FICON emulation by issuing the portShow ficon command. The following example shows FICON emulation configuration values for port ge1: Sprint108:root> portshow ficon ge1 all Port: ge1 VE_STATUS TunnelId vePort vePortStatus veFeatureBitMap veHashEntryCount DOWN DOWN DOWN...
  • Page 446: Ficon Performance Statistics

    • -t 1|0 enables or disables TIN/TUR emulation. 1 is enable, 0 is disable. This option should be enabled when one or all of the following features are enabled: • XRC emulation. • tape write pipelining. • tape read pipelining. • -l 1|0 enables or disables device level ACK emulation.
  • Page 447: Ficon Emulation Monitoring

    • -images are discovered Images (FCUB). • -emul represents emulated FDCBs. • -active represents active FDCBs. • -epcb is the emulation Control Block (port specific). • -fhpb is the FICON Host Path Block. • -fdpb adrs is the FICON Device Path Block. •...
  • Page 448

    |0x10018A00|2463016406050000|H| 0x14|0x20|000E|0000| 13212| 125754| 32760|
    |0x1001E800|2463016406050001|H| 0x14|0x20|001A|0000| 13647| 128776| 32760|
    |0x1001C400|2463016406050002|H| 0x18|0x20|000A|0000| 13164| 125758| 32760|
    |0x1001CC00|2463016406050003|H| 0x14|0x20|0008|0000| 13908| 131716| 32760|
    |0x1002BC00|2463016407050000|H| 0x14|0x20|0008|0000| 10094| 97917| 32760|
    |0x10027B00|2463016407050001|H| 0x14|0x20|0011|0000| 8915| 85966| 32760|
    |0x1002C400|2463016407050002|H| 0x14|0x20|0007|0000| 10365| 99742| 32760|
    |0x1002B000|2463016407050003|H| 0x14|0x20|0008|0000| 9993| 96088| 32760|
    |0x1003F000|2463046401050100|H| 0x00| N/A|0000|0000| 19392| 183111| 32760|...
  • Page 449 XRC output example:

    XRC EMULATION STATS
    +----------+----------------+-+-----+----+----+----+----+-----------+---+------+------+
    | FDCB Ptr | Path |H|State|Cmds| Cmd|Data|Data| Emulated |Avg| RRS| RRS |
    | (0x) (0x) | Qd | Max| Qd |Max | RRS Ops |RRS| TLF| Read|
    +----------+----------------+-+-----+----+----+----+----+-----------+---+------+------+
    |0x1017DC00|24B100B20E11092B|H| 0x00|0000|000F|0000|0230| 47184|213| 25636| 16063|
    |0x104B4C00|24B100B20E1109F7|H| 0x00|0000|000F|0000|01E0| 3961|146| 41409| 26313|
    |0x104B5000|24B100B20E1109F8|H| 0x00|0000|000F|0000|1112| 3855|148| 41613| 27182|...
  • Page 451: A Configuring The Pid Format

    Configuring the PID format Port identifiers (called PIDs) are used by the routing and zoning services in Fibre Channel fabrics to identify ports in the network. All devices in a fabric must use the same PID format, so when you add new equipment to the SAN, you might need to change the PID format on legacy equipment.
  • Page 452: Impact Of Changing The Fabric Pid Format

    NOTE: Extended Edge is not supported on any switch with Fabric OS 6.0 or later. In addition to the PID formats listed here, Interoperability mode supports additional PID formats that are not discussed in this guide. Impact of changing the fabric PID format If your fabric contains switches that use Native PID, it is recommended that you change the format to Core PID before you add the new, higher port count switches and directors.
  • Page 453: Changes To Configuration Data

    Changes to configuration data Table 95 lists various combinations of before-and-after PID formats, and indicates whether the configuration is affected. NOTE: After changing the fabric PID format, if the change invalidates the configuration data (see Table 95 to determine this), do not download old (pre-PID format change) configuration files to any switch on the fabric.
  • Page 454: Evaluating The Fabric

    Table 96 shows various combinations of existing fabrics, new switches added to those fabrics, and the recommended PID format for that combination. The criteria for the recommendations are first to eliminate host reboots, and second to minimize the need for a host reboot in the future. Table 96 PID format recommendations for adding new switches Existing Fabric OS versions;...
  • Page 455 Collect device, software, hardware, and configuration data. The following is a non-comprehensive list of information to collect: • HBA driver versions • Fabric OS versions • RAID array microcode versions • SCSI bridge code versions • JBOD drive firmware versions •...
  • Page 456: Changing The Pid Format

    If either of the first two options is used, the procedures should again be validated in the test environment. Determine the behavior of multipathing software, including but not limited to: • HBA time-out values • Multipathing software time-out values • Kernel time-out values Changing the PID format Whether it is best to perform an offline or online update depends on the uptime requirements of the site.
  • Page 457: Changing The Pid Format Offline

    Changing the PID format offline The following steps are intended to provide SAN administrators a starting point for creating site-specific procedures. Schedule an outage for all devices attached to the fabric. Back up all data and verify backups. Shut down all hosts and storage devices attached to the fabric. Disable all switches in the fabric.
  • Page 458: Converting Port Number To Area Id

    Before changing the PID format, determine whether host reboots will be necessary. The section “Host reboots” on page 452 summarizes the situations that may require a reboot. switch:admin> switchdisable switch:admin> configure Configure... Fabric parameters (yes, y, no, n): [no] y Domain: (1..239) [1] BB credit: (1..27) [16] R_A_TOV: (4000..120000) [10000]...
  • Page 459: Basic Procedure For Changing The Pid Format

    In some cases, device drivers allow you to specify static PID binding. In these cases, such devices must be identified and their PID binding should be changed to WWN binding. The following sections contain a basic procedure that summarizes the steps necessary to perform PID format changes without disrupting the fabric, and special procedures for HP-UX (11iv2 or earlier only) and AIX.
  • Page 460: Hp-Ux Procedure

    HP-UX procedure This procedure is not intended to be comprehensive. It provides a starting point from which a SAN administrator could develop a site-specific procedure for a device that binds automatically by PID, and cannot be rebooted due to uptime requirements. Back up all data and verify the backups.
  • Page 461: Aix Procedure For Changing The Pid Format

    # ioscan -funC disk Class H/W Path Driver S/W State H/W Type Description --------------------------------------------------------------------------- disk 0/0/1/1.2.0 adisk CLAIMED DEVICE SEAGATE ST39204LC /dev/dsk/clt2d0 /dev/rdsk/c1t2d0 disk 0/0/2/1.2.0 adisk CLAIMED DEVICE HP DVD-ROM 304 /dev/dsk/c3t2d0 /dev/rdsk/c3t2d0 disk 319 0/4/0/ adisk CLAIMED DEVICE SEAGATE ST336605FC /dev/dsk/c64t8d0 /dev/rdsk/c64t8d0 disk 320 0/4/0/ NO_HW...
  • Page 462: Swapping Port Area Ids

    Connect to each switch in the fabric. Issue the switchDisable command. Issue the configure command and change the Core Switch PID Format to 1. Issue the configEnable [effective_zone_configuration] command. For example: configenable my_config 11. Issue the switchEnable command. Enable the core switches first, and then the edges. Rebuild the device entries for the affected fabric using the cfgMgr command.
  • Page 463 Verify that the port area IDs have been swapped: portswapshow A table shows the physical port numbers and the logical area IDs for any swapped ports. Disable the port swap feature: portswapdisable
  • Page 465: B Understanding Legacy Password Behavior

    Understanding legacy password behavior This appendix provides password information for early versions of Fabric OS firmware. Password management information Table 97 describes the password standards and behaviors between various versions of firmware. Table 97 Account/password characteristics matrix Topic 4.0.0 4.1.0 to 4.2.0 4.4.0 and later Core Switch 2/64 - Core Switch 2/64 - 8...
  • Page 466: Password Prompting Behaviors

    Table 97 Account/password characteristics matrix (continued) Topic 4.0.0 4.1.0 to 4.2.0 4.4.0 and later Does a user need to know the Yes, except when Old password is 4.4.0 to 5.1.0 only: old passwords when the root user required only when Old password is changing passwords using changes another...
  • Page 467: Password Migration During Firmware Changes

    Table 98 Password prompting matrix (continued) Topic 4.0.0 4.1.0 and later Is password prompting disabled when security mode is enabled? Is the passwd command disabled until the user has answered password prompting? Does password prompting reappear when passwords are changed back to the default using the passwd command? Does password prompting reappear when passwords are changed back to the...
  • Page 468 Table 100 Password recovery options Topic 4.0.0 4.1.0 and later If all the passwords are forgotten, Contact HP. A non-disruptive Contact HP. A non-disruptive what is the password recovery procedure is available only on procedure is available only on mechanism? Are these procedures chassis systems.
  • Page 469: C Interoperating With An M-Eos Fabric

    Interoperating with an M-EOS fabric For information on HP supported interop configurations, see the HP StorageWorks Fabric interoperability application notes for merging B-Series fabrics with fabrics based on C-Series and M-Series Fibre Channel switches on the following HP website:
  • Page 471: D Migrating From An Mp Router To A 400 Mp Router

    Migrating from an MP Router to a 400 MP Router Introduction to MP Router upgrades This appendix describes how to upgrade routers in your fabric with the least disruption, while providing better performance and scalability. Improper implementation could lead to a change in the xlate Domain IDs and proxy device PIDs, which may cause disruption in the fabric.
  • Page 472: Redundant Configuration

    Figure 60 Configuration during the upgrade The switch Domain ID and backbone fabric ID of the new FC router can be identical. Once the metaSAN is stable and EX_Ports on the new router are active, the old router can be taken out of the setup. Redundant configuration Figure 61 shows an example of a simple redundant configuration.
  • Page 473: Dual Backbone Fabric Configuration

    Figure 62 Dual backbone fabric configuration
  • Page 474: Configuring A New Fc Router

    In the Multi-protocol Router, end devices are allowed to be directly connected, but these devices cannot be imported to other edge fabrics (using LSAN zones). During the upgrade process, these devices will face disruption unless there is redundancy support provided from the device end. 400 MP Router allows the end devices to be imported to edge fabrics.
  • Page 475: E Using Remote Switch

    Using Remote Switch This appendix provides information on the Remote Switch feature. About Remote Switch The Remote Switch feature, which aids in ensuring gateway compatibility, was formerly a licensed feature. Its functionality is now available as part of the Fabric OS standard feature set through the use of the portCfgIslMode command, which is described in “Linking through a gateway”...
  • Page 476 You may be required to reconfigure the following parameters, depending on the gateway requirements: NOTE: Consult your gateway vendor for supported and qualified configurations. • R_A_TOV: Specify a Resource Allocation Timeout Value compatible with your gateway device. • E_D_TOV: Specify an Error Detect Timeout Value compatible with your gateway device. •...
  • Page 477: F Zone Merging Scenarios

    Zone merging scenarios Table 101 provides information on merging zones and the expected results. Table 101 Zone merging scenarios Description Switch A Switch B Expected results Switch A has a defined defined: defined: none Configuration from Switch A to configuration. cfg1: effective: none propagate throughout the fabric...
  • Page 478 Table 101 Zone merging scenarios (continued) Description Switch A Switch B Expected results Effective configuration mismatch. defined: cfg1 defined: cfg2 Fabric segments due to: Zone zone1: ali1; ali2 zone2: ali3; ali4 Conflict cfg mismatch effective: cfg1 effective: cfg2 zone1: ali1; ali2 zone2: ali3;...
  • Page 479 Table 101 Zone merging scenarios (continued) Description Switch A Switch B Expected results Same default zone access mode defzone: allaccess defzone: allaccess Clean merge — defzone settings. configuration is allaccess in the fabric. Same default zone access mode defzone: noaccess defzone: noaccess Clean merge —...
  • Page 481: Index

  • Page 493: Multiple Tunnels To Multiple Ports, Fastwrite And Tape Pipelining Enabled On A Per-Tunnel/Per-Port Basis

    Figures Windows 2000 VSA configuration (page 73) Example of a Brocade DCT file
  • Page 494 57 Cascaded configuration, three switches (page 428) 58 Allow/Prohibit example
  • Page 495 Tables Switch model naming matrix (page 19) Document conventions
  • Page 496: Trunking Support For 4/256 San Director And Dc Directors With Supported Blades (Condor And Condor2 Asic)375

    53 Types of zoning (page 196) 54 Approaches to fabric-based zoning