HP A7533A - Brocade 4Gb SAN Switch Base Administrator's Manual

HP StorageWorks Fabric OS 6.1.x administrator guide (5697-0234, November 2009)

HP StorageWorks
Fabric OS 6.1.x administrator guide
Part number: 5697-0234
November 2009


Summary of Contents for HP A7533A - Brocade 4Gb SAN Switch Base

  • Page 1 HP StorageWorks Fabric OS 6.1.x administrator guide Part number: 5697-0234 November 2009...
  • Page 2 © Copyright 2008 Brocade Communications Systems, Incorporated. Hewlett-Packard Company makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
  • Page 3: Table Of Contents

    Contents: About this guide (page 19); Supported Fabric OS 6.1.x HP StorageWorks hardware...
  • Page 4 Disabling and enabling switches (page 44); Disabling and enabling ports...
  • Page 5 3 Configuring standard security features (page 87); Security protocols...
  • Page 6 Deleting an ACL policy (page 115); Aborting all uncommitted changes...
  • Page 7 Downloading configurations across a fabric (page 148); Configuration form...
  • Page 8 Viewing the USB file system (page 183); Downloading the 6.1.0 image using the relative path...
  • Page 9 Disabling and enabling port blades (page 227); FR4-18i blade exceptions...
  • Page 10 Automatic iSCSI VT creation (page 261); Generating iSCSI VTs for every FC target...
  • Page 11 Setting traffic prioritization (page 294); 16 Using the FC-FC Routing Service...
  • Page 12 Filter-based performance monitoring (page 335); Adding standard filter-based monitors...
  • Page 13 Platforms that support SAN extension over IP (page 376); FCIP concepts...
  • Page 14 21 FICON fabrics (page 415); Overview of Fabric OS support for FICON...
  • Page 15 A Configuring the PID format (page 445); About PIDs and PID binding...
  • Page 16 11 Hardware-enforced nonoverlapping zones (page 199); 12 Hardware-enforced overlapping zones...
  • Page 17 Permission types (page 57); 10 RBAC permissions matrix...
  • Page 18 68 LED behavior (page 232); 69 Supported iSCSI initiators...
  • Page 19: About This Guide

    About this guide This guide provides information about: • Installing and configuring Fabric OS 6.1.x • Managing user accounts • Using licensed features Supported Fabric OS 6.1.x HP StorageWorks hardware Table 1 lists Brocade and HP StorageWorks product models supported by Fabric OS 6.1.x. Table 1 Switch model naming matrix Brocade product name...
  • Page 20: Intended Audience

    Intended audience This guide is intended for system administrators with knowledge of: • Storage area networks • HP StorageWorks Fibre Channel SAN switches Related documentation The following documents provide related information: • HP StorageWorks Fabric OS 6.1.x release notes • Web Tools administrator’s guide You can find these documents from the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals...
  • Page 21: Rack Stability

    NOTE: Provides additional information. TIP: Provides helpful hints and shortcuts. Rack stability Rack stability protects personnel and equipment. WARNING! To reduce the risk of personal injury or damage to equipment: • Extend leveling jacks to the floor. • Ensure that the full weight of the rack rests on the leveling jacks. •...
  • Page 22: Subscription Service

    Subscription service HP recommends that you register your product at the Subscriber's Choice for Business website: http://www.hp.com/go/e-updates. After registering, you will receive e-mail notification of product enhancements, new driver versions, firmware updates, and other product resources. HP websites For additional product information, see the following HP websites: •...
  • Page 23: Standard Features

    Standard features This chapter describes how to configure your HP StorageWorks SAN using the Fabric OS Command Line Interface (CLI). Before you can configure a Storage Area Network (SAN), you must power-up the Director or switch and blades, and then set the IP addresses of those devices. Although this chapter focuses on configuring a SAN using the CLI, you can also use the following methods to configure a SAN: •...
  • Page 24: Connecting To The Cli

    The following commands provide help files for specific topics to understand configuring your SAN: diagHelp (Diagnostic help information), ficonHelp (FICON help information), fwHelp (Fabric Watch help information), iscsiHelp (iSCSI help information), licenseHelp (License help information), perfHelp (Performance Monitoring help information), routeHelp (Routing help information), trackChangesHelp (Track Changes help information)...
  • Page 25: Using A Console Session On The Serial Port

    Verify that the login was successful. The prompt displays the switch name and user ID to which you are connected. login: admin password: xxxxxxx switch:admin> Using a console session on the serial port Note the following behaviors for serial connections: •...
  • Page 26: Changing Default Account Passwords At Login

    Every logical switch (domain) has a set of default accounts. The root and factory default accounts are reserved for development and manufacturing. The user account is primarily used for system monitoring. For more information on default accounts, see ”About the default accounts”...
  • Page 27: Configuring The Ethernet Interface

    Changing password for user Enter new password: ******** Password changed. Saving password to stable storage. Password saved to stable storage successfully. switch:admin> Configuring the Ethernet interface You can use Dynamic Host Configuration Protocol (DHCP) for the Ethernet network interface configuration. The Ethernet (network) interface provides management access, including direct access to the Fabric OS CLI, and allows other tools, such as Web Tools, to interact with the switch.
  • Page 28: Setting Static Ethernet Addresses

    Setting static Ethernet addresses Use static Ethernet network interface addresses on HP StorageWorks 2/128, 4/256 SAN Director, DC Director models, and in environments where DHCP service is not available. To use static addresses for the Ethernet interface, you must first disable DHCP. You may enter static Ethernet information and disable DHCP at the same time.
  • Page 29: Activating Dhcp

    Activating DHCP By default, some HP switches have DHCP enabled; check the latest Fabric OS 6.x release notes for a complete list of switches. The 4/256 SAN Director and DC SAN Backbone Director (short name, DC Director) do not support DHCP. The Fabric OS DHCP client supports the following parameters: •...
  • Page 30: Setting The Date And Time

    When you are prompted for DHCP[On], disable it by entering off. switch:admin> ipaddrset Ethernet IP Address [192.168.74.102]: Ethernet Subnetmask [255.255.255.0]: Fibre Channel IP Address [220.220.220.2]: Fibre Channel Subnetmask [255.255.0.0]: Gateway IP Address [192.168.74.1]: DHCP [On]:off Setting the date and time Switches maintain the current date and time inside a battery-backed real-time clock (RTC) circuit.
  • Page 31 IMPORTANT: If you are downgrading to a Fabric OS version earlier than 6.x, or retaining the offset format, see prior versions of the Fabric OS Administrator’s Guide for detailed information about setting time zones using the offset format. See ”About the firmware download process”...
  • Page 32: Synchronizing Local Time Using Ntp

    The following procedure describes how to set the current time zone using interactive mode to Pacific Standard Time. To set the time zone interactively: Type the tsTimeZone command as follows: switch:admin> tstimezone --interactive You are prompted to select a general location. Please identify a location so that time zone rules can be set correctly.
  • Page 33: Customizing Switch Names

    The following example shows how to set up more than one NTP server using a DNS name: switch:admin> tsclockserver "10.32.170.1;10.32.170.2;ntp.localdomain.net" Updating Clock Server configuration...done. Updated with the NTP servers Changes to the clock server value on the principal or primary FCS switch are propagated to all switches in the fabric.
  • Page 34: Licensed Features

    The Fabric has 4 switches The fields in the fabricShow display are: Switch ID: The switch Domain_ID and embedded port D_ID; Worldwide Name: The switch WWN; Enet IP Addr: The switch Ethernet IP address for IPv4 and IPv6 configured switches. For IPv6 switches, only the static IP address displays; FC IP Addr: The switch FC IP address; Name: The switch symbolic name.
  • Page 35: Generating A License Key

    35 to activate. If you do not have a license key, launch an Internet browser and go to: http://webkey.external.hp.com/welcome.asp The Hewlett-Packard Authorization Center website main menu displays. Click Generate a license key. The HP StorageWorks Software License Key instruction page opens: Enter the information in the required fields.
  • Page 36: Removing A Licensed Feature

    Verify that the license was added by entering the licenseShow command. The licensed features currently installed on the switch display. If the feature is not listed, enter the licenseAdd command again. Some features may require additional configuration, or you may need to disable and reenable the switch to make them operational;...
  • Page 37: Features And Required Licenses

    Features and required licenses Table 4 lists the licenses that should be installed on the local switch and any connecting switches for a particular feature. Table 4 License requirements Feature License Where license should be installed Administrative No license required. Domains Configuration No license required.
  • Page 38: Inter-Chassis Link (Icl) Licensing

    Table 4 License requirements Feature License Where license should be installed Adaptive Networking Local switch and attached switches. RADIUS No license required. RBAC No license required. Routing traffic No license required. This includes port-based or exchanged-based routing, static routes, frame-order deliver, and dynamic routes. Security No license required.
  • Page 39: Time-Based Licenses

    • When you remove the 8Gb license, ports that are online and already running at 8Gb are not disturbed until the port goes offline or the switch is rebooted. The behavior then returns to the pre-license maximum speed of 4Gb. Time-based licenses A time-based license applies a try-before-you-buy approach to certain features so that you can experience the feature and its capabilities prior to buying the license.
  • Page 40: Activating Pod

    Each POD license activates the next group of eight ports in numerical order. For example, the 4/8 SAN Switch or 4/16 SAN Switch activates the first eight with four port increments. Before installing a license key, you must insert transceivers in the ports to be activated. Remember to insert the transceivers in the lowest group of inactive port numbers first.
  • Page 41: Displaying The Port License Assignment

    After a port is assigned to the POD set, the port is licensed until it is manually removed from the POD port set using the licensePort release command. When a port is released from its POD port set (Base, Single, or Double), it creates a vacancy in that port set. Displaying the port license assignment Use the licensePort show command to display the available licenses, the current port assignment of...
  • Page 42: Disabling Dynamic Ports On Demand

    8 ports are assigned to the base switch license 0 ports are assigned to the full POD license Ports assigned to the base switch license: 1, 2, 5, 6, 8*, 21, 22, 23 Ports assigned to the full POD license: None Ports not assigned to a license: 0, 3, 4, 7, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20...
  • Page 43: Releasing A Port

    Dynamic POD method is in use 24 port assignments are provisioned for use in this switch: 12 port assignments are provisioned by the base switch license 12 port assignments are provisioned by a full POD license 10 ports are assigned to installed licenses: 10 ports are assigned to the base switch license 0 ports are assigned to the full POD license Ports assigned to the base switch license:...
  • Page 44: Disabling And Enabling Switches

    10 ports are assigned to installed licenses: 10 ports are assigned to the base switch license 0 ports are assigned to the full POD license Ports assigned to the base switch license: 1*, 2*, 3*, 4*, 5*, 6*, 8*, 21, 22, 23 Ports assigned to the full POD license: None Ports not assigned to a license:...
  • Page 45: Making Basic Connections

    switch:admin> portenable portnumber where portnumber is the port number of the port you want to enable. For 4/256 SAN Director and DC Director: Enter the following command: switch:admin> portenable slotnumber/portnumber where slotnumber and portnumber are the slot and port numbers of the port you want to enable. (Slots are numbered 1 through 4 and 7 through 10, counting from left to right.) If the port is connected to another switch, the fabric may be reconfigured.
  • Page 46: Checking Switch Status

    Any number of E_Ports in a fabric can be configured for gateway links, provided the following rules are followed: • All switches in the fabric must be upgraded to Fabric OS 5.2.0 or later. • All switches in the fabric are using the core PID format. •...
  • Page 47: High Availability (Ha) Features

    Use the switchStatusShow command to further check the status of the switch. High Availability (HA) features NOTE: HA features provide maximum reliability and nondisruptive replacement of key hardware and software modules. To verify HA features (Directors only): Connect to the switch using an account with admin role Enter the chassisShow command to verify the field replaceable units (FRUs).
  • Page 48: Show Switches In Access Gateway Mode

    Show switches in Access Gateway mode To show switches in Access Gateway mode: Connect to the switch and log in using an account assigned to the admin role. Enter the agShow command. switch:admin> agshow Worldwide Name Ports Enet IP Addr Firmware Local/Remote Name -------------------------------------------------------------- 10:00:00:05:1e:02:1d:b0...
  • Page 49 To view the switch status policy threshold values: Connect to the switch and log in using an account assigned to the admin role. Enter the switchStatusPolicyShow command. Whenever there is a switch change, an error message is logged and an SNMP connUnitStatusChange trap is sent.
  • Page 50: Configuring The Audit Log

    Verify the threshold settings you have configured for each parameter. Enter the switchStatusPolicyShow command to view your current switch status policy configuration. HP StorageWorks 4/8 SAN Switch and 4/16 SAN Switch, 8/8 SAN Switch, 8/24 SAN Switch, 8/40 SAN Switch, 8/80 SAN Switch, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 400 Multi-protocol Router: switch:admin>...
  • Page 51: Auditable Event Classes

    be easily distinguished from other system message log events that occur in the network. Then, at some regular interval of your choosing, you can review the audit events to look for unexpected changes. Before you configure audit event logging, familiarize yourself with the following audit event log behaviors and limitations: •...
  • Page 52 NOTE: Only the active CP can generate audit messages because event classes being audited occur only on the active CP. Audit messages cannot originate from other blades in a Director. Audit events have the following message format: AUDIT, <Timestamp>, [<Event ID>], <Severity>, <Event Class>, <User ID>/<Role>/<IP address>/<Interface>,<Admin Domain>/<Switch name>,<Reserved>,<Event-specific information>...
  • Page 53: Shutting Down Switches And Directors

    Jun 5 08:15:32 [10.32.248.73.2.2] raslogd: AUDIT, 2006/06/05-13:38:17, [SEC-1000], WARNING, SECURITY, JaneDoe/root/192.168.132.19/ telnet, Domain A/DoeSwitch, , Incorrect password during login attempt. Shutting down switches and Directors To avoid corrupting your file system, HP recommends that you perform graceful shutdowns of switches and Directors.
  • Page 54: Daemons That Are Automatically Restarted

    Schedule downtime and reboot the switch at your convenience. Table 6 lists the daemons that are considered non-critical and are automatically restarted on failure. Table 6 Daemons that are automatically restarted (Daemon: Description): Arrd: Asynchronous Response Router (used to send management data to hosts when the switch is accessed through the APIs (FA API or SMI-S).
  • Page 55: Managing User Accounts

    Managing user accounts This chapter provides information and procedures on managing authentication and user accounts for the switch management channel. Overview In addition to the default accounts—root, factory, admin, and user—Fabric OS supports up to 252 additional user-defined accounts in each logical switch (domain). These accounts expand your ability to track account access and audit administrative activities.
  • Page 56: Using Role-Based Access Control (Rbac)

    Using Role-Based Access Control (RBAC) Role-Based Access Control (RBAC) defines the capabilities that a user account has based on the role the account has been assigned. For each role, there is a set of pre-defined permissions on the jobs and tasks that can be performed on a fabric and its associated fabric elements.
  • Page 57: Role Permissions

    Role permissions Table 9 describes the types of permissions that are assigned to roles. Table 9 Permission types Abbreviation Definition Description Observe The user can run commands using options that display information only, such as running userConfig --show -a to show all users on a switch.
  • Page 58 Table 10 RBAC permissions matrix (continued) Category Role permission User Operator Switch Zone Fabric Basic Admin Security admin admin admin switch admin admin HA (High Availability) iSCSI License LDAP Local User Environment Logging Management Access Configuration Management Server Name Server Nx_Port Management Physical Computer System Port Mirroring...
  • Page 59: Managing The Local Database User Accounts

    Managing the local database user accounts User add, change, and delete operations are subject to the subset rule: an admin with ADlist 0-10 cannot perform operations on an admin, user, or any role with an ADlist 11-25. The user account being changed must have an ADlist that is a subset of the account that is making the change.
  • Page 60 To create an account: Connect to the switch and log in using an admin account. Enter the following command: userConfig --add <username> -r <rolename> [-h <admindomain_ID>] [-a <admindomain_ID_list>] [-d <description>] [-x] username Specifies the account name, which must begin with an alphabetic character.
  • Page 61 To change account parameters: When changing account parameters, if you change the ADlist for the user account, all of the currently active sessions for that account will be logged out. Connect to the switch and log in using an admin account. Enter the following command: userconfig --change username [-r rolename] [-h admindomain_ID] [-a admindomain_ID_list] [-d description] [-e yes | no] -u -x...
  • Page 62: Recovering Accounts

    Recovering accounts The following conditions apply to recovering user accounts: • The attributes in the backup database replace the attributes in the current account database. • An event is stored in the system message log, indicating that accounts have been recovered. To recover an account: Connect to the switch and log in using an admin account.
  • Page 63: Configuring The Local User Database

    Configuring the local user database This section covers the following topics: • ”Distributing the local user database” on page 63 • ”Protecting the local user database from distributions” on page 63 • ”Configuring password policies” on page 64 Distributing the local user database Distributing the local switch user database and passwords to other switches in the fabric causes the distributed database to replace (overwrite) the database on the target switch.
  • Page 64: Configuring Password Policies

    Configuring password policies The password policies described in this section apply to the local switch user database only. Configured password policies (and all user account attribute and password state information) are synchronized across CPs and remain unchanged after an HA failover. Password policies can also be manually distributed across the fabric (see ”Distributing the local user database”...
  • Page 65: Setting The Password History Policy

    • Sequence Specifies the length of sequential character sequences that will be disallowed. A sequential character sequence is defined as a character sequence in which the ASCII value of each contiguous character differs by one. The ASCII value for the characters in the sequence must all be increasing or decreasing. For example, if the “sequence”...
  • Page 66: Upgrade And Downgrade Considerations

    Upgrade and downgrade considerations If you are upgrading from a 5.3.x environment to 6.x, the existing password databases do not contain the state information that implements password expiration. So, when the password expiration policy is first set after an upgrade to 6.x, any user who has not changed their password will have their password expiration period set to the maximum password expiration period.
  • Page 67: Denial Of Service Implications

    Log in to the switch using an admin or securityAdmin account. Type userConfig --change <account_name> -u, where <account_name> is the name of the user account that is locked out. To disable the admin lockout policy: Log in to the switch using an admin or securityAdmin account. Type passwdCfg --disableadminlockout.
  • Page 68: Authentication Configuration Options

    Consider the following effects of the use of RADIUS or LDAP service on other Fabric OS features: • When RADIUS or LDAP service is enabled, all account passwords must be managed on the RADIUS or LDAP server. The Fabric OS mechanisms for changing switch passwords remain functional; however, such changes affect only the involved switches locally.
  • Page 69: Creating Fabric Os User Accounts

    Table 12 Authentication configuration options (continued). Columns: aaaConfig options; Description; Equivalent setting in Fabric OS 5.1.0 and earlier (radius, switchdb). --authspec “ldap”: Authenticates management connections against any LDAP database(s) only. If LDAP service is not available or the credentials do not match, the login fails. Authenticates management connections --authspec “ldap;
  • Page 70: Managing Fabric Os Users On The Radius Server

    Table 13 Syntax for VSA-based account roles (continued) Item Value Description Vendor type 1 octet, Brocade-Auth-Role; valid attributes for the Brocade-Auth-Role are: SwitchAdmin ZoneAdmin FabricAdmin BasicSwitchAdmin Operator User Admin Optional: Specifies the Admin Domain member list. For more information, see ”RADIUS configuration and Admin Domains”...
  • Page 71: Linux Freeradius Server

    Linux FreeRadius server For the configuration on a Linux FreeRadius server, define the following in a vendor dictionary file called dictionary.brocade. Include the values outlined in Table 14. Table 14 dictionary.brocade file entries (Include: Value): VENDOR: Brocade 1588; ATTRIBUTE: Brocade-Auth-Role 1 string Brocade AdminDomain. After you have completed the dictionary file, define the role for the user in a configuration file.
  • Page 72: Configuring The Radius Server

    Configuring the RADIUS server You must know the switch IP address, in either IPv4 or IPv6 notation, or name to connect to switches. Use the ipAddrShow command to display a switch IP address. For Directors (chassis-based systems), the switch IP addresses are aliases of the physical Ethernet interfaces on the CP blades.
  • Page 73: Windows 2000

    To create the user: • Open the $PREFIX/etc/raddb/user file in a text editor and add user names and roles for users who will be accessing the switch and authenticating RADIUS. The user will log in using the role specified with Brocade-Auth-Role. The valid roles include Root, Admin, SwitchAdmin, ZoneAdmin, SecurityAdmin, BasicSwitchAdmin, FabricAdmin, Operator and User.
  • Page 74: Rsa Radius Server

    Each user group should be associated with a specific switch login role. For example, you should configure a user group for root, admin, factory, switchadmin, and user, and then add any users whose logins you want to associate to the appropriate group. •...
  • Page 75: Setting Up The Rsa Radius Server

    Setting up the RSA RADIUS server For more information on how to install and configure the RSA Authentication Manager and the RSA RADIUS server, refer to your documentation or visit www.rsa.com. Create user records in the RSA Authentication Manager. Configure the RSA Authentication Manager. Add an agent host in RSA Authentication Manager.
  • Page 76: Ldap Configuration And Microsoft's Active Directory

    ####################################################################### # dictiona.dcm ####################################################################### # Generic Radius @radius.dct # Specific Implementations (vendor specific) @3comsw.dct @aat.dct @acc.dct @accessbd.dct @agere.dct @agns.dct @airespace.dct @alcatel.dct @altiga.dct @annex.dct @aptis.dct @ascend.dct @ascndvsa.dct @axc.dct @brocade.dct @bandwagn.dct @brocade.dct <------- Figure 2 Example of the dictiona.dcm file c. When selecting items from the Add Return List Attribute, select Brocade-Auth-Role and type the string Admin.
  • Page 77: Adding The Adlist

    To set up LDAP: Install a Certificate Authority (CA) certificate on the Windows Active Directory server for LDAP. Follow Microsoft’s instructions for generating and installing CA certificates on a Windows server. Create a user in Microsoft Active Directory server. For instructions on how to create a user, refer to Microsoft documentation to create a user in your Active Directory.
  • Page 78: Configuring Authentication Servers On The Switch

    NOTE: You can perform batch operations using the Ldifde.exe utility. For more information on importing and exporting schemas, refer to your Microsoft documentation or visit www.microsoft.com. Configuring authentication servers on the switch RADIUS and LDAP configuration of the switch is controlled by the aaaConfig command. At least one RADIUS or LDAP server must be configured before you can enable RADIUS or LDAP service.
  • Page 79 To add a RADIUS server to the switch configuration: Connect to the switch and log in using an admin account. Enter this command: switch:admin> aaaConfig --add <server> [-p port] [-s secret] [-t timeout] [-a pap | chap | peap-mschapv2] server Enter either a server name or IPv4 or IPv6 address.
  • Page 80 NOTE: When the RADIUS authentication mode is set to radius;local, you cannot downgrade the Fabric OS to any version earlier than 5.2.0. Previous versions do not support the radius;local mode. When the LDAP authentication mode is set to ldap;local, you cannot downgrade the Fabric OS to any version earlier than 6.x.
  • Page 81: Enabling And Disabling Local Authentication As Backup

    To change an LDAP server configuration: Connect to the switch and log in using an admin account. Enter this command: switch:admin> aaaConfig --change server [-p port] [-t timeout] [-d domain_name] Enter either a server name or IPv4 address. Microsoft’s Active Directory server does not support IPv6 addresses.
  • Page 82: Setting The Boot Prom Password With A Recovery String

    Setting the boot PROM password with a recovery string To set the boot PROM password with a recovery string, refer to the section that applies to your switch model. NOTE: Setting the boot PROM password requires accessing the boot prompt, which stops traffic flow through the switch until the switch is rebooted.
  • Page 83: 4/256 San Director And Dc San Backbone Director (Short Name, Dc Director)

    4/256 SAN Director and DC SAN Backbone Director (short name, DC Director) The boot PROM and recovery passwords must be set for each CP blade on the 4/256 SAN Director or DC Director. To set the boot PROM password for a Director with a recovery string: Connect to the serial port interface on the standby CP blade.
  • Page 84: Setting The Boot Prom Password Without A Recovery String

    Setting the boot PROM password without a recovery string Although you can set the boot PROM password without also setting the recovery string, it is strongly recommended that you set both the password and the string as described in ”Setting the boot PROM password with a recovery string”...
  • Page 85: Recovering Forgotten Passwords

    The following options are available: Option Description Start system. Continues the system boot process. Recovery password. Lets you set the recovery string and the boot PROM password. Enter command shell. Provides access to boot parameters. Enter 3. Enter the passwd command at the shell prompt. NOTE: The passwd command only applies to the boot PROM password when it is entered from the boot interface.
  • Page 86 Managing user accounts...
  • Page 87: Configuring Standard Security Features

    Configuring standard security features This chapter provides information and procedures for configuring standard Fabric OS security features such as protocol and certificate management. IMPORTANT: Secure Fabric OS is no longer supported in Fabric OS 6.x. However, all features of Secure Fabric OS are included in the base Fabric OS 6.x.
  • Page 88: The Ssh Protocol

    For details on Brocade MIB files, naming conventions, loading instructions, and information about using Brocade's SNMP agent, see the Fabric OS MIB Reference. Table 16 describes additional software or certificates that you must obtain to deploy secure protocols. Table 16 Items needed to deploy secure protocols Protocol Host side...
  • Page 89: Ssh Public Key Authentication

    Commands that require a secure login channel must originate from an SSH session. If you start an SSH session, and then use the login command to start a nested SSH session, commands that require a secure channel will be rejected. Fabric OS 6.1.x and later supports SSH protocol version 2.0 (ssh2).
  • Page 90: Generating A Key Pair For Host-To-Switch Authentication (Incoming)

    Generating a key pair for host-to-switch authentication (incoming) Log in to your host as admin. Verify that SSH v2 is installed and working. Refer to your host’s documentation. Type the following command: ssh-keygen -t dsa Example of RSA/DSA key pair generation alloweduser@mymachine: ssh-keygen -t dsa Generating public/private dsa key pair.
  • Page 91: Exporting The Public Key For Switch-To-Host Authentication (Outgoing)

    Example of adding the public key to the switch switch:alloweduser> sshutil importpubkey Enter IP address:192.168.38.244 Enter remote directory:~auser/.ssh Enter public key name(must have .pub suffix):id_dsa.pub Enter login name:auser Password: Public key is imported successfully. Exporting the public key for switch-to-host authentication (outgoing) Log in to the switch as the allowed-user.
  • Page 92: Configuring The Telnet Protocol

    Configuring the Telnet protocol Telnet is enabled by default. To prevent users from passing clear text passwords over the network when they connect to the switch, you can block the Telnet protocol using an IP Filter policy. NOTE: Before blocking Telnet, make sure you have an alternate method of establishing a connection with the switch.
  • Page 93: Configuring For The Ssl Protocol

    Configuring for the SSL protocol Secure sockets layer (SSL) protocol provides secure access to a fabric through Web-based management tools like Web Tools. SSL support is a standard Fabric OS feature. Switches configured for SSL grant access to management tools through hypertext transfer protocol-secure links (which begin with https://) instead of standard links (which begin with http://).
  • Page 94: Choosing A Ca

    Table 18 SSL certificate files (continued) Certificate file Description nameRoot.crt The root certificate. Typically, this certificate is already installed in the browser, but if not, you must install it. nameCA.crt The CA certificate. It needs to be installed in the browser to verify the validity of the server certificate or server validation fails.
  • Page 95: Obtaining Certificates

    Your CA may require specific codes for Country, State or Province, Locality, Organization, and Organizational Unit names. Make sure that your spelling is correct and matches the CA requirements. If the CA requires that the Common Name be specified as an FQDN, make sure that the fully qualified domain name is set on the domain name server.
  • Page 96: Activating A Switch Certificate

    Activating a switch certificate Enter the configure command. When the ssl attributes prompt comes up, type y. Respond to the prompts that apply to SSL certificates: SSL attributes Enter y or yes. Certificate File Enter the name of the switch certificate file: for example, 192.1.2.3.crt.
  • Page 97: Installing A Root Certificate To The Java Plug-In

    Browse to the certificate location and select the certificate. (For example, select nameRoot.crt.) Click Open and follow the instructions to import the certificate. Installing a root certificate to the Java plug-in For information on Java requirements, see ”For more details on levels of browser and Java support, see the Web Tools Administrator’s Guide.”...
  • Page 98: Configuring For Snmp

    Configuring for SNMP You can configure for the automatic transmission of SNMP information to management stations. SNMPv3 and SNMPv1 are supported. The configuration process involves configuring the SNMP agent and configuring SNMP traps. The following commands are used in the process: •...
  • Page 99: Using The Snmpconfig Command

    webtools attributes (yes, y, no, n): [no] System (yes, y, no, n): [no] No changes. Using the snmpConfig command Use the snmpConfig set command to change either the SNMPv3 or SNMPv1 configuration. You can also change access control, MIB capability, and system group. Sample SNMPv3 configuration switch:admin>...
  • Page 100 Sample SNMPv1 configuration switch:admin> snmpconfig --set snmpv1 SNMP community and trap recipient configuration: Community (rw): [Secret C0de] admin Trap Recipient's IP address in dot notation: [0.0.0.0] 10.32.225.1 Trap recipient Severity level : (0..5) [0] 1 Community (rw): [OrigEquipMfr] Trap Recipient's IP address in dot notation: [10.32.225.2] Trap recipient Severity level : (0..5) [1] Community (rw): [private] Trap Recipient's IP address in dot notation: [10.32.225.3]...
  • Page 101: Secure File Copy

    connUnitStatusChange: YES connUnitEventTrap: YES connUnitSensorStatusChange: YES connUnitPortStatusChange: YES SW-EXTTRAP: NO FICON-TRAP: YES linkRNIDDeviceRegistration: YES linkRNIDDeviceDeRegistration: YES linkLIRRListenerAdded: YES linkLIRRListenerRemoved: YES linkRLIRFailureIncident: YES HA-TRAP: YES fruStatusChanged: YES cpStatusChanged: YES fruHistoryTrap: YES FCIP-TRAP: NO Sample systemGroup configuration (default) switch:admin> snmpconfig --default systemGroup ***** This command will reset the agent's system group configuration back to factory default...
  • Page 102: Listener Applications

    Listener applications Brocade switches block Linux subsystem listener applications that are not used to implement supported features and capabilities. Table 20 lists the listener applications that Brocade switches either block or do not start. Table 20 Blocked listener applications Listener 4/256 SAN Director and DC HP StorageWorks 4/8 or 4/16, 8/8 application...
  • Page 103: Port Configuration

    Port configuration Table 22 provides information on ports that the switch uses. When configuring the switch for various policies, take into consideration firewalls and other devices that may sit between switches in the fabric and your network or between the managers and the switch. Table 22 Port information Port...
  • Page 104 104 Configuring standard security features...
  • Page 105: Configuring Advanced Security Features

    Configuring advanced security features This chapter provides information and procedures for configuring advanced Fabric OS security features such as Access Control List (ACL) policies, authentication policies, and IP Filtering for HP’s Fibre Channel switches. NOTE: Run all commands, with the suggested role, in this chapter by logging in to Administrative Domain (AD) 255 or, if Administrative Domains have not been implemented, log in to AD 0.
  • Page 106: Identifying Policy Members

    and active sets but they have different values, then the policy has been modified but the changes have not been activated. Admin Domain considerations: ACL management can be done on AD255 and in AD0 only if there are no other user-defined Admin Domains. Both AD0 (when no other user-defined Admin Domains exist) and AD255 provide an unfiltered view of the fabric.
  • Page 107: Displaying Acl Policies

    • ”Adding a member to an existing policy” on page 115 Add one or more members to a policy. The aspect of the fabric covered by each policy is closed to access by all devices and switches that are not listed in that policy. •...
  • Page 108: Fcs Policy Restrictions

    the changes have been saved or activated; they can be aborted later if you have set your fabric to distribute the changes manually. Table 25 FCS policy states Policy state Characteristics No active policy Any switch can perform fabric wide configuration changes. Active policy with one entry A primary FCS switch is designated (local switch), but there are no backup FCS switches.
  • Page 109: Overview Of Steps To Create And Manage The Fcs Policies

    Table 26 Switch operations Allowed on FCS switches Allowed on all switches secPolicyRemove (Allowed on all switches for secPolicyActivate SCC/DCC policies as long as it's not fabric-wide) fddcfg --fabwideset secPolicySave Any fabric-wide commands secPolicyAbort All zoning commands except the show commands SNMP commands All AD commands configupload...
  • Page 110: Distributing An Fcs Policy

    This displays the WWNs of the current primary FCS switch and backup FCS switches. Type secPolicyFCSMove; then provide the current position of the switch in the list and the desired position at the prompts. Alternatively, enter secPolicyFCSMove “From, To”. From is the current position in the list of the FCS switch and To is the desired position in the list for this switch.
  • Page 111: Configuring A Dcc Policy

    NOTE: The FCS policy can be distributed from a switch in the FCS list. However, if none of the FCS switches in the existing FCS list are reachable, receiving switches will accept distribution from any switch in the fabric. Local switch configuration parameters are needed to control whether a switch accepts or rejects distributions of FCS policy and whether the switch is allowed to initiate distribution of an FCS policy.
  • Page 112: Dcc Policy Restrictions

    Table 28 DCC policy states (continued) Policy state Characteristics Policy with no entries Any device can connect to any switch port in the fabric. An empty policy is the same as no policy. Policy with entries If a device WWN is specified in a DCC policy, that device is only allowed access to the switch if connected by a switch port listed in the same policy.
  • Page 113: Examples Of Creating Dcc Policies

    deviceportWWN The WWN of the device port. switch The switch WWN, Domain ID, or switch name. The port can be specified by port or area number. Designating ports automatically includes the devices currently attached to those ports. The ports can be specified using any of the following syntax methods: (*) Selects all ports on the switch.
  • Page 114: Creating An Scc Policy

    Creating an SCC policy The switch connection control (SCC) policy is used to restrict which switches can join the fabric. Switches are checked against the policy each time an E_Port-to-E_Port connection is made. The policy is named SCC_POLICY and accepts members listed as WWNs, Domain IDs, or switch names. Only one SCC policy can be created.
  • Page 115: Activating Changes To Acl Policies

    Activating changes to ACL policies To activate changes: Connect to the switch and log in using an account assigned to the admin role. Type the secPolicyActivate command: switch:admin> secpolicyactivate About to overwrite the current Active data. ARE YOU SURE (yes, y, no, n): [no] y Adding a member to an existing policy Add members to the ACL policies by using the secPolicyAdd command.
  • Page 116: Aborting All Uncommitted Changes

    Aborting all uncommitted changes Use the secPolicyAbort command to abort all ACL policy changes that have not yet been saved. To abort all unsaved changes: Connect to the switch and log in using an account assigned to the admin role. Type the secPolicyAbort command: switch:admin>...
  • Page 117: E_Port Authentication

    Figure 3 DH-CHAP authentication (the key databases on Switch A and Switch B, each holding a local secret and a peer secret). If you use DH-CHAP authentication, then a secret key pair must be installed only in connected fabric elements.
  • Page 118: Device Authentication Policy

    port if it is connected to a switch which does not support authentication. Regardless of the policy, the E_Port is disabled if the switches fail to authenticate each other using the DH-CHAP or FCAP protocol. ACTIVE: In this state the switch is more tolerant and can connect to a switch with any type of policy. During switch initialization, authentication begins on all E_Ports, but the port is not disabled if the connecting switch does not support authentication or the AUTH policy is turned to the OFF state.
  • Page 119: Auth Policy Restrictions

    Since the F_Port authentication requires DH-CHAP protocol, selecting the PASSIVE mode will be blocked if only FCAP protocol is selected as the authentication protocol. Similarly de-selecting the DH-CHAP protocol from the authentication protocol list will be blocked if the device authentication is set to PASSIVE. Auth policy restrictions Fabric OS 5.1.0 implementation of DH-CHAP/FCAP does not support integration with RADIUS.
  • Page 120: Re-Authenticating Ports

    On a switch running Fabric OS 4.x or 5.x, type authUtil --set -a dhchap; on a switch running Fabric OS 3.x, type authUtil " set -a dhchap". Output similar to the following is displayed: Authentication is set to dhchap. When using DH-CHAP, make sure that you configure the switches at both ends of a link. NOTE: If you set the authentication protocol to DH-CHAP, have not yet configured shared secrets, and authentication is checked (for example, you enable the switch), switch authentication fails.
  • Page 121 This section illustrates using the secAuthSecret command to display the list of switches in the current switch’s shared secret database and to set the secret key pair for the current switch and a connected switch. See the for more details on the secAuthSecret command. NOTE: When setting a secret key pair, note that you are entering the shared secrets in plain text.
  • Page 122: Fabric Wide Distribution Of The Auth Policy

    The command enters interactive mode. The command returns a description of itself and needed input; then it loops through a sequence of switch specification, peer secret entry, and local secret entry. To exit the loop, press Enter for the switch name; then type y. switchA:admin>...
  • Page 123: Ip Filter Policy

    IP Filter policy The IP Filter policy is a set of rules applied to the IP management interfaces as a packet filtering firewall. The firewall permits or denies the traffic to go through the IP management interfaces according to the policy rules.
  • Page 124: Displaying An Ip Filter Policy

    Displaying an IP Filter policy Displays the IP Filter policy content for the specified policy name, or all IP Filter policies if policy name is not specified. For each IP Filter policy, the policy name, type, persistent state and policy rules are displayed. The policy rules are listed by the rule number in ascending order.
  • Page 125: Deleting An Ip Filter Policy

    Deleting an IP Filter policy You can delete a specified IP Filter policy. Deleting an IP Filter policy will remove it from the temporary buffer. To permanently delete the policy from the persistent database, run ipfilter save. An active IP Filter policy cannot be deleted. To delete an IP Filter policy: Log in to the switch using an account assigned to the admin role.
  • Page 126: Ip Filter Policy Enforcement

    Table 30 Supported services (continued) Service name Port number telnet TCP and UDP protocols are valid selections. Fabric OS 5.3.0 and later does not support configuration to filter other protocols. Implicitly, ICMP type 0 and type 8 packets are always allowed to support ICMP echo request and reply on commands like ping and traceroute.
  • Page 127: Creating Ip Filter Policy Rules

    If none of the rules in the policy matches the incoming packet, the two implicit rules will be matched to the incoming packet. If the rules still do not match the packet, the default action, which is to deny, will be taken.
  • Page 128: Aborting A Switch Session Transaction

    Aborting a switch session transaction To abort a transaction associated with IP Filter: Log in to the switch using an account assigned to the admin role. Type in the following command: ipfilter --transabort IP Filter policy distributions The IP Filter policy is manually distributed, using the distribute --p “IPFILTER” command. The distribution includes both active and defined IP Filter policies.
  • Page 129: Configuring The Database Distribution Settings

    Table 33 explains how the local database distribution settings and the fabric-wide consistency policy affect the local database when the switch is the target of a distribution command. Table 33 Interaction between fabric-wide consistency policy and distribution settings Distribution Fabric-wide consistency policy setting Absent (default) Tolerant...
  • Page 130: Distributing Acl Policies To Other Switches

    Enter the following command: switch:admin> fddcfg --showall Local Switch Configuration for all Databases:- DATABASE Accept/Reject --------------------------------- accept accept accept accept AUTH accept IPFILTER accept Fabric Wide Consistency Policy:- "" To enable local switch protection: Connect to the switch and log in using an account assigned to the admin role. Enter the following command: fddCfg --localreject <database_ID>...
  • Page 131: Setting The Consistency Policy Fabric-Wide

    Table 35 describes how the target switch database distribution settings affect the distribution. Table 35 ACL policy database distribution behavior Target switch Fabric OS version Database setting Distribution Results 5.1.0 or earlier Fails An error is returned. The entire transaction is aborted and no databases are updated.
  • Page 132: Fabric-Wide Consistency Policy Settings

    Table 36 Fabric-wide consistency policy settings Setting Value When a policy is activated Absent null Database is not automatically distributed to other switches in the fabric. Tolerant database_id All updated and new policies of the type specified (SCC, DCC, or both) are distributed to all Fabric 5.2.0 and later switches in the fabric.
  • Page 133: Notes On Joining A Switch To The Fabric

    Notes on joining a switch to the fabric When a switch is joined to a fabric with a tolerant SCC or DCC fabric-wide consistency policy, the joining switch must have a matching tolerant SCC or DCC fabric-wide consistency policy. If the tolerant SCC or DCC fabric-wide consistency policies do not match, the switch can join the fabric, but an error message flags the mismatch.
  • Page 134: Non-Matching Fabric-Wide Consistency Policies

    Table 37 Merging fabrics with matching fabric-wide consistency policies (continued) Fabric-wide consistency policy Fabric A ACL policies Fabric B ACL policies Merge results Database copied Tolerant None None Succeeds No ACL policies copied. None SCC/DCC Succeeds ACL policies are copied from B to A.
  • Page 135: Fips Support

    Table 39 Fabric merges with tolerant/absent combinations Fabric-wide consistency policy setting Expected behavior Fabric A Fabric B Tolerant/Absent SCC;DCC Error message logged. Run fddCfg --fabwideset “<policy_ID>” from any switch with the desired configuration to fix SCC;DCC the conflict. The secPolicyActivate command is blocked until conflict is resolved.
  • Page 136: Power-Up Self Tests

    Table 40 Zeroization behavior Keys Zeroization CLI Description TLS private keys seccertutil delkey The command seccertutil delkey is used to zeroize these keys. TLS pre-master secret No CLI required Automatically zeroized on session termination TLS session key No CLI required Automatically zeroized on session termination TLS authentication key No CLI required...
  • Page 137: Ldap In Fips Mode

    Table 41 FIPS mode restrictions Features FIPS mode Non-FIPS mode RPC/secure RPC access Secure RPC only RPC and secure RPC Secure RPC protocols TLS - AES128 cipher suite SSL and TLS – all cipher suites SNMP Read-only operations Read and write operations DH-CHAP/FCAP SHA-1 MD5 and SHA-1...
  • Page 138 Example of setting up LDAP for FIPS mode switch:admin> aaaconfig --add GEOFF5.ADLDAP.LOCAL -conf ldap -d adldap.local -p 389 -t 3 switch:admin> aaaconfig --authspec "ldap;local" switch:admin> aaaconfig --show RADIUS CONFIGURATIONS ===================== RADIUS configuration does not exist. LDAP CONFIGURATIONS =================== Position Server : GEOFF5.ADLDAP.LOCAL Port : 389...
  • Page 139: Additional Microsoft Active Directory Settings

    Additional Microsoft Active Directory settings a. Set the following SCHANNEL settings listed in Table 43 to allow. To support FIPS compliant TLS cipher suites on Microsoft’s Active Directory server, allow the SCHANNEL settings listed in Table 43. Refer to the Microsoft website for instructions on how to allow the SCHANNEL settings for the ciphers, hashes, key exchange and the TLS protocol.
  • Page 140: Exporting An Ldap Switch Certificate

    Exporting an LDAP switch certificate This option exports the LDAP CA certificate from the switch to the remote host. Connect to the switch and log in as admin. Enter the secCertUtil export -ldapcacert command. Example of exporting an LDAP CA certificate switch:admin>...
  • Page 141: Overview Of Steps

    Overview of steps Optional: Configure RADIUS server Optional: Configure authentication protocols For LDAP only: Install SSL certificate on Microsoft Active Directory server and CA certificate on the switch for using LDAP authentication. Block Telnet, HTTP, and RPC Disable BootProm access Configure the switch for signed firmware Disable root access Enable FIPS...
  • Page 142: Disabling Fips Mode

    Example switch:admin> configure Not all options will be available on an enabled switch. To disable the switch, use the "switchDisable" command. Configure... System services (yes, y, no, n): [no] … cfgload attributes (yes, y, no, n): [no] yes Enforce secure config Upload/Download (yes, y, no, n): [no] Enforce firmware signature validation (yes, y, no, n): [no] yes Type the following command to block access to root: userconfig --change root -e no...
  • Page 143: Maintaining The Switch Configuration File

    Maintaining the switch configuration file This chapter provides procedures for basic switch configuration maintenance. Maintaining consistent configuration settings It is important to maintain consistent configuration settings on all switches in the same fabric because inconsistent parameters (such as inconsistent PID formats) can cause fabric segmentation. As part of standard configuration maintenance procedures, it is recommended that you back up all important configuration data for every switch on a host computer server for emergency reference.
  • Page 144 Respond to the prompts as follows: Protocol (scp or ftp) If your site requires the use of Secure Copy, specify scp. Otherwise, specify FTP. Server Name or IP Address Enter the name or IP address of the server where the file is to be stored; for example, 192.1.2.3.
  • Page 145: Restoring A Configuration

    Restoring a configuration Restoring a configuration involves overwriting the configuration on the switch by downloading a previously saved backup configuration file. Make sure that the configuration file you are downloading is compatible with your switch model, because configuration files from other model switches might cause your switch to fail.
  • Page 146 To restore a configuration: Verify that the FTP service is running on the server where the backup configuration file is located. Connect to the switch and log in as admin. If there are any changed parameters in the configuration file that do not belong to SNMP, Fabric Watch, or ACL, disable the switch by entering the switchDisable command.
  • Page 147: Security Considerations

    The following example shows configDownload run on a switch with Admin Domains: switch:AD5:admin>configdownload Protocol (scp or ftp) [ftp]: Server Name or IP Address [host]: 10.1.2.3 User Name [user]: JohnDoe File Name [config.txt]: /pub/configurations/config.txt *** CAUTION *** This command is used to download a backed-up configuration for a specific switch.
  • Page 148: Downloading Configurations Across A Fabric

    Table 45 Backup and restore in a FICON CUP environment ASM bit Command Description on or off configUpload All the files saved in the file access facility are uploaded to the management workstation. A section in the uploaded configuration file labeled FICON_CUP is in an encoded format. configDownload Files saved on the switch that are also present in the FICON_CUP section of the configuration file are overwritten.
  • Page 149: Configuration Form

    Configuration form Use Table 46 as a hard copy reference for your configuration information. In the hardware reference manuals for the 4/256 SAN Director and DC SAN Backbone Director (short name, DC Director) there is a guide for FC port setting tables. The tables can be used to record configuration information for the various blades.
  • Page 150 150 Maintaining the switch configuration file...
  • Page 151: Managing Administrative Domains

    Managing administrative domains This chapter provides procedures for using administrative domains (Admin Domain or AD). An Admin Domain is a logical grouping of fabric elements that defines what switches, ports, and devices you can view and modify. An Admin Domain is a filtered administrative view of the fabric. NOTE: If you do not implement Admin Domains, the feature has no impact on users and you can skip this chapter.
  • Page 152: Fabric With Two Admin Domains

    Figure 4 Fabric with two Admin Domains Figure 5 shows how users get a filtered view of this fabric, depending on which Admin Domain they are in. As shown in Figure 6, users can see all switches and E_Ports in the fabric, regardless of their Admin Domain;...
  • Page 153: Admin Domain Features

    Admin Domain features Admin Domains allow you to: • Define the scope of an Admin Domain to encompass ports and devices within a switch or a fabric. • Share resources across multiple Admin Domains. For example, you can share array ports and tape drives between multiple departments.
  • Page 154: User-Defined Administrative Domains

    Table 47 lists each Admin Domain user type and describes its administrative access and capabilities. Table 47 AD user types User type Description Physical Fabric Administrators User account with Admin role and with access to all Admin Domains (AD0 through AD255).
  • Page 155: Ad255

    AD0 is useful when you create Admin Domains because you can see which devices, switch ports, and switches have not yet been assigned to any Admin Domains. AD0 owns the root zone database (legacy zone database). During zone merge or zone update, only the root zone database is exchanged with AD-unaware switches.
  • Page 156: Admin Domain Member Types

    • The Admin Domain list for the default admin account is 0–255, which gives this account automatic access to any Admin Domain as soon as the domain is created, and makes this account a physical fabric administrator. • The Admin Domain list for the default user account is AD0 only. •...
  • Page 157: Switch Members

    NOTE: If the switch domain ID changes, the domain,index members are invalid (they are not automatically changed). You must then reconfigure the Admin Domain with the current domain,index members. Switch members Switch members are defined by the switch WWN or Domain ID. A switch member: •...
  • Page 158: Admin Domain Compatibility And Availability

    Figure 7 Fabric showing switch and device WWNs. Figure 8 shows the filtered view of the fabric as seen from AD3 and AD4. The switch WWNs are converted to the NAA=5 syntax;...
  • Page 159: Compatibility

    Compatibility Admin Domains can be implemented in fabrics with a mix of AD-capable switches and AD-uncapable switches. The following considerations apply: • In mixed-fabric configurations, the legacy switches allow unfiltered access to the fabric and its devices; hence, these legacy switches should be managed by the physical fabric administrator. •...
  • Page 160: Setting The Default Zone Mode

    How you end the transaction determines the disposition of the Admin Domain configuration in the transaction buffer. The following commands end the Admin Domain transaction: save Saves the changes in the transaction buffer to the defined configuration in persistent storage and propagates the defined configuration to all switches in the fabric.
  • Page 161: Assigning A User To An Admin Domain

    If you specify AD name = “AD15” and the lowest available AD number is 6, then AD name is “AD15” and AD number is 15. Because the specified name is in the format “ADn”, the AD number is assigned to be n and not the lowest available AD number. The Admin Domain name cannot exceed 63 characters and can contain alphabetic and numeric characters.
  • Page 162: Activating And Deactivating Admin Domains

    • Adding an Admin Domain list, home Admin Domain, and role to a user configuration is backward compatible with pre-Fabric OS 5.2.0 firmware. When you downgrade to pre-Fabric OS 5.2.0 firmware, the userConfig command records are interpreted using legacy logic. To create a new user account for managing Admin Domains: Connect to the switch and log in as admin.
  • Page 163: Adding And Removing Admin Domain Members

    Enter the ad activate option. The activate option prompts for confirmation. By default, after the Admin Domain is activated, the devices specified under that AD are not able to see each other until they are zoned together. To end the transaction now, enter ad save to save the Admin Domain definition or enter ad apply to save the Admin Domain definition and directly apply the definitions to the fabric.
  • Page 164: Renaming An Admin Domain

    The following example adds two switch ports, designated by domain,port, to Admin Domain AD1. sw5:AD255:admin> ad --add AD1 -d "100,5; 4,1" To remove members from an Admin Domain: Connect to the switch and log in as admin. Switch to the AD255 context, if you are not already in that context. ad --select 255 Enter the ad remove command using the -d option to specify device and switch port members and...
  • Page 165: Deleting All User-Defined Admin Domains

    Switch to the AD255 context. ad --select 255 Enter the ad delete command. ad --delete ad_id The ad delete command prompts you for confirmation before triggering the deletion. The command will succeed, whether the Admin Domain is in an activated or deactivated state. Enter the ad apply command to save the Admin Domain definition and directly apply the definition to the fabric.
  • Page 166: San Management With Admin Domains

    The Admin Domain validation process is not applicable for AD0, as AD0 implicitly contains all unassigned and AD-unaware online switches and their devices. To list the switches and devices in an AD member list: Connect to the switch and log in as admin. Switch to the AD255 context, if you are not already in that context.
  • Page 167: Executing A Command In A Different Ad Context

    Table 48 Ports and devices in CLI output Condition domain,port: The port is specified in the domain,port member list of the Admin Domain. One or more WWNs specified in the AD member list is attached to the domain,port. Device WWN: The device WWN is specified in the AD WWN member list. The device WWN is attached to one of the domain,port specified in the AD member list.
  • Page 168: Switching To A Different Admin Domain Context

    The following example displays membership information about AD1. sw5:AD1:admin> ad --show Current AD Number: 1 AD Name: TheSwitches Effective configuration: ------------------------ AD Number: 1 AD Name: TheSwitches State: Active Switch WWN members: 50:06:06:99:00:2a:e9:01; 50:00:51:e0:23:36:f9:01; 50:06:06:98:05:be:99:01; Switching to a different Admin Domain context The ad select option is used to switch between different Admin Domain contexts.
  • Page 169: Admin Domain Interaction With Fabric Os Features

    Table 49 lists some of the Fabric OS features and considerations that apply when using Admin Domains. Table 49 Admin Domain interaction with Fabric OS features Fabric OS feature Admin Domain interaction ACLs If no user-defined Admin Domains exist, you can run ACL configuration commands in only AD0 and AD255.
  • Page 170: Admin Domains, Zones, And Zone Databases

    Admin Domains, zones, and zone databases Each Admin Domain has its own zone database, with both defined and effective zone configurations and all related zone objects (zones, zone aliases, and zone members). Within an Admin Domain, you can configure zoning only with the devices that are present in that Admin Domain. With a hierarchical zoning model, the name space for each Admin Domain and the root zones are separate;...
  • Page 171: Configuration Upload And Download In An Ad Context

    The auto-converted LSAN zone names might collide with LSAN zone names in AD0 (for example, in the above example, if AD0 contains lsan_for_linux_farm_AD005, this would cause a name collision). Fabric OS does not detect or report such a name clash. LSAN zone names greater than 57 characters are not converted or sent to the FCR phantom domain. ”Using the FC-FC routing service”...
  • Page 172 ”Maintaining the switch configuration file” on page 143 for additional information about uploading and downloading configurations. 172 Managing administrative domains...
  • Page 173: Installing And Maintaining Firmware

    Installing and maintaining firmware This chapter provides procedures for installing and maintaining firmware. Fabric OS 6.1.x provides nondisruptive firmware installation. This chapter refers to the following specific types of blades inserted into either Director platform: • Port blades contain only Fibre Channel ports: •...
  • Page 174: Upgrading And Downgrading Firmware

    The command supports both non-interactive and interactive modes. If the firmwareDownload command is issued without any operands, or if there is any syntax error in the parameters, the command enters an interactive mode, in which you are prompted for input. TIP: For each switch in your fabric, complete all firmware download changes on the current switch before issuing the firmwareDownload command on the next switch.
  • Page 175: Preparing For Firmware Downloads

    Preparing for firmware downloads Before executing a firmware download, it is recommended that you perform the tasks listed in this section. In the unlikely event of a failure or time-out, the preparation tasks that are described in this section will enable you to provide HP the information required to perform advanced troubleshooting.
  • Page 176: Checking Connected Switches

    Checking connected switches When checking connected switches, ensure that any older versions are supported. See the recommended version (shown in Table 52) before upgrading firmware on the switch. Go to http://www.hp.com to view end-of-life policies. Table 52 Recommended firmware Switch model Earliest compatible version Recommended version for interoperating with Fabric OS 6.1.x...
  • Page 177: Finding The Firmware Version

    Table 52 Recommended firmware (continued). Columns: Switch model; Earliest compatible version; Recommended version for interoperating with Fabric OS 6.1.x. HP StorageWorks SAN Director 48 Port 8Gb FC blade (FC8-48): 6.0.0b; 6.1.x (see http://www.hp.com for latest version released by HP). HP StorageWorks SAN Director 6 Port...: 6.0.0b; 6.1.x (see http://www.hp.com for latest...
  • Page 178: Performing Firmwaredownload On Switches

    Performing firmwareDownload on switches HP StorageWorks 4/8 SAN Switch, 4/16 SAN Switch, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 8/8 SAN Switch, 8/24 SAN Switch, 8/40 SAN Switch, 8/80 SAN Switch, and 400 MP Router switches also maintain primary and secondary partitions for firmware.
  • Page 179: Downloading Firmware To A Director

    Connect to the switch and log in as admin. Issue the firmwareShow command to check the current firmware version on connected switches. Upgrade their firmware if necessary before proceeding with upgrading this switch. See ”Checking connected switches” on page 176 for details. Enter the firmwareDownload command.
  • Page 180: Overview Of The Firmware Download Process On Directors

    problem persists, review ”Troubleshooting firmwareDownload” on page 183. If the troubleshooting information fails to help resolve the issue, contact HP. During the upgrade process, the Director fails over to its standby CP blade and the IP addresses for the logical switches move to that CP blade's Ethernet port. This may cause informational ARP address reassignment messages to appear on other switches in the fabric.
  • Page 181 Use the firmwareShow command to check the current firmware version on connected switches. Upgrade the firmware, if necessary, before proceeding with upgrading this switch. See ”Checking connected switches” on page 176. Enter the haShow command to confirm that the two CP blades are synchronized. In the following example, the active CP blade is CP0 and the standby CP blade is CP1: switch:admin>...
  • Page 182 Autoleveling takes place in parallel with the firmware download being performed on the CPs, but does not impact performance. Fibre Channel traffic is not disrupted during autoleveling, but GbE traffic on AP blades may be affected. sw77:admin> firmwaredownload Type of Firmware (FOS, SAS, or any application) [FOS]: Server Name or IP Address: 192.168.32.10 Network Protocol (1-auto-select, 2-FTP, 3-SCP) [1]: User Name: userfoo...
  • Page 183: Firmwaredownload From A Usb Device

    [8]: Thu Jul 28 00:37:50 2005 Slot 7 : Firmware commit is started. [9]: Thu Jul 28 00:37:50 2005 Slot 2 : Firmware commit has completed. [10]: Thu Jul 28 00:37:50 2005 Slot 7 : Firmware commit has completed. (Firmwaredownload has completed.) 11.
  • Page 184: Downloading The 6.1.0 Image Using The Relative Path

    v6.0.1\ 381MB 2007 Oct 19 10:39 config\ 2007 Sep 28 15:33 support\ 2007 Sep 28 15:33 firmwarekey\ 2007 Sep 28 15:33 Available space on usbstorage 79% Downloading the 6.1.0 image using the relative path To download the 6.1.0 image using the relative path: Log in to the switch as admin.
  • Page 185: Updating The Firmwarekey

    The switch manufacturer generates one private and public key pair. These key pairs are stored in the privatekey.pem and pubkey.pem files, respectively. The private key file is used to sign the firmware files. The public key file is packaged in an RPM-package as part of the firmware, and will be downloaded to the switch.
  • Page 186: The Firmwaredownload Command

    The firmwareDownload command As mentioned previously, the public key file will need to be packaged, installed, and run on your switch before downloading a signed firmware. When firmwareDownload installs a firmware file, it needs to validate the signature of the file. Different scenarios are handled as follows: a.
  • Page 187: Testing And Restoring Firmware On Switches

    Testing and restoring firmware on switches Typically, users downgrade firmware after briefly evaluating a newer (or older) version and then restore the original version of the firmware. Testing a new version of firmware in this manner ensures that you do not replace existing firmware because the evaluated version occupies only one partition on the switch.
  • Page 188: Testing And Restoring Firmware On Directors

    IMPORTANT: Stop! If you have completed step 8, then you have committed the firmware on the switch and you have completed the firmware download procedure. To restore the original firmware, refer to step 9 (should be performed after step Restore the firmware. a.
  • Page 189 IMPORTANT: If the CPs do not achieve synchronization, stop here; log in to the standby CP, and enter the firmwareRestore command to restore the original firmware. c. Enter the firmwareShow command to confirm that the primary partition of the standby CP contains the new firmware.
  • Page 190: Validating Firmwaredownload

    IMPORTANT: Stop! If you have completed step 11, then you have committed the firmware on both CPs and you have completed the firmware download procedure. The following step 12 through step 14 describe how to restore the original firmware, and should be performed after step Restore the firmware on the standby CP.
  • Page 191 maintain the same firmware level on both partitions of each CP within the Director. The command firmwareShow -v will display the firmware version on the Co-CPs. BrcdDCXBB:admin> firmwareshow -v Slot Name Appl Primary/Secondary Versions Status ------------------------------------------------------------------------ v6.1.0 ACTIVE * v6.1.0 Co-FOS v6.1.0 v6.1.0...
  • Page 193: Administering Advanced Zoning

    Administering Advanced Zoning About zoning Zoning enables you to partition your SAN into logical groups of devices that can access each other. A device can communicate only with other devices connected to the fabric within its specified zone. For example, you can partition your SAN into two zones, winzone and unixzone, so that your Windows servers and storage do not interact with your UNIX servers and storage.
  • Page 194: Zone Types

    Zone types Table 53 summarizes the types of zoning available. Table 53 Types of zoning Zone type Description Storage-based Storage units typically implement LUN-based zoning, also called LUN masking. LUN-based zoning limits access to the LUNs on the storage port to the specific WWN of the server HBA.
  • Page 195: Zone Objects

    Table 54 Approaches to fabric-based zoning (continued) Zoning Description approach Alternative approaches Application Zoning by application typically requires zoning multiple, perhaps incompatible, operating systems into the same zones. This method of zoning creates the possibility that a minor server in the application suite could disrupt a major server (such as a Web server disrupting a data warehouse server).
  • Page 196: Zoning Schemes

    When a zone object is the port WWN name, only the single port is in the zone. The types of zone objects used to define a zone can be mixed. For example, a zone defined with the zone objects 2,12; 2,14; 10:00:00:80:33:3f:aa:11 contains the devices connected to domain 2, ports 12 and 14, and a device with the WWN (either node name or port name) 10:00:00:80:33:3f:aa:11 that is connected on the fabric.
  • Page 197: Zoning Enforcement

    • Disabled Configuration—The effective configuration is removed from flash memory. When you disable the effective configuration, the Advanced Zoning feature is disabled on the fabric, and all devices within the fabric can communicate with all other devices (unless you previously set up a default zone, as described in ”Activating default zones”...
  • Page 198: Enforcing Hardware Zoning

    • Is available on 1, 2, 4, 8 and 10 Gbps platforms. • Ensures that the name server does not return any information to an unauthorized initiator in response to a name server query. • Is exclusively enforced through selective information presented to end nodes through the fabric Simple Name Server (SNS).
  • Page 199: Hardware-Enforced Nonoverlapping Zones

    Table 55 Enforcing hardware zoning (continued) Fabric type Methodology Best practice HP StorageWorks Enable hardware-enforced zoning on Use either WWN or 4/8 SAN Switch, domain,port zones, and WWN zones. domain,port identifiers. 4/16 SAN Switch, Overlap of similar zone types does not result in Brocade 4Gb the loss of hardware enforcement.
  • Page 200: Hardware-Enforced Overlapping Zones

    [Figure 12 Hardware-enforced overlapping zones; diagram labels: WWN_Zone1, Port_Zone1, Core, Port_Zone2, WWN_Zone2, Switch, Zone Boundaries] Any zone using a mixed zoning scheme on the Fabric OS 2-Gbps platform relies on name server authentication as well as hardware-assisted (ASIC) authentication. Hardware-assisted authentication ensures that any PLOGI, ADISC, PDISC, or ACC from an unauthorized device is rejected if that device is attempting to access a device that is not in the same zone.
  • Page 201: Considerations For Zoning Architecture

    Considerations for zoning architecture Table 56 lists considerations for zoning architecture. Table 56 Considerations for zoning architecture Item Description Type of zoning: If security is a priority, hard zoning is recommended. hard or soft (session-based) Use of aliases The use of aliases is optional with zoning. Using aliases requires structure when defining zones.
  • Page 202: Best Practices For Zoning

    Best practices for zoning The following are recommendations for using zoning: • Always zone using the highest Fabric OS-level switch. Switches with earlier Fabric OS versions do not have the capability to view all the functionality that a newer Fabric OS provides, as functionality is backwards compatible but not forwards compatible. •...
  • Page 203: Broadcast Zones And Fc-Fc Routing

    Broadcast zones and FC-FC routing If you create broadcast zones in a metaSAN consisting of multiple fabrics connected through an FC router, the broadcast zone must include the IP device that exists in the edge or backbone fabric as well as the proxy device in the remote fabric.
  • Page 204: Creating And Managing Zone Aliases

    Creating and managing zone aliases A zone alias is a logical group of ports or WWNs. You can simplify the process of creating zones by first specifying aliases, which eliminates the need for long lists of individual zone member names. If you are creating a new alias using aliCreate w, “1,1”, and a user in another Telnet session executes cfgEnable (or cfgDisable, or cfgSave), the other user’s transaction will abort your transaction and you will receive an error message.
  • Page 205 You are about to save the Defined zoning configuration. This action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled. Do you want to save Defined zoning configuration only? (yes, y, no, n): [no] y To remove members from an alias: Connect to the switch and log in as admin.
  • Page 206: Creating And Maintaining Zones

    Enter the cfgSave command to save the change to the defined configuration. switch:admin> alidelete "array1" switch:admin> cfgsave You are about to save the Defined zoning configuration. This action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled.
  • Page 207 The values represent the following: zonename: The name of the zone to be created. member: A member or list of members to be added to the zone. A zone member can be specified by one or more of the following methods: •...
  • Page 208 To remove devices (members) from a zone: Connect to the switch and log in as admin. Enter the zoneRemove command, using the following syntax: zoneremove "zonename", "member[; member...]" The values represent the following: zonename: The name of the zone to be created. member: A member or list of members to be removed from the zone.
  • Page 209: Default Zoning Mode

    The values represent the following: pattern: A POSIX-style regular expression used to match zone names. mode: Specify 0 to display the contents of the transaction buffer (the contents of the current transaction), or specify 1 to display the contents of the nonvolatile memory.
  • Page 210: Merging Zones

    Merging zones Table 57 presents zoning database size limitations for various Fabric OS release versions. The maximum size of a zone database is the upper limit for the defined configuration, and it is determined by the amount of flash memory available for storing the defined configuration. Table 57 Zoning database limitations Fabric OS version...
  • Page 211: Resulting Database Size: 96K To 128K

    Table 58 Resulting database size: 0 to 96K (continued) Receiver Fabric Fabric Fabric OS Fabric Fabric OS Fabric Fibre XPath 7.3 OS 3.1 OS 3.2 4.0/ OS 4.4.0 5.0.0/ Channel 4.1/ 5.0.1/ 5.2.0 or Router Initiator 5.1.0 later Fabric OS 4.0/ Join Join Join...
  • Page 212: Resulting Database Size: 256K To 1M

    Table 60 Resulting database size: 128K to 256K (continued) Receiver Fabric OS Fabric Fabric OS Fabric Fabric OS Fabric OS Fibre XPath 7.3 OS 3.2 4.0/ OS 4.4.0 5.0.0/ 5.2.0 or Channel 4.1/ 5.0.1/ later Router Initiator 5.1.0 FC router Segment Join Segment...
  • Page 213: Creating And Modifying Zoning Configurations

    Creating and modifying zoning configurations You can store a number of zones in a zoning configuration database. The maximum number of items that can be stored in the zoning configuration database depends on the following criteria: • Number of switches in the fabric. •...
  • Page 214 The values represent the following: cfgname: The name of the zone configuration. member: The zone name or list of zone names to be added to the configuration. Enter the cfgSave command to save the change to the defined configuration. switch:admin> cfgadd "newcfg", "bluezone" switch:admin>...
  • Page 215 Do you want to save Defined zoning configuration only? (yes, y, no, n): [no] y To clear changes to a configuration: Enter the cfgTransAbort command. When this command is executed, all changes since the last save operation (performed with the cfgSave command) are cleared.
  • Page 216: Maintaining Zone Objects

    For example, to display all zone configurations that start with “Test”: switch:admin> cfgshow "Test*" cfg: Test1 Blue_zone cfg: Test_cfg Red_zone; Blue_zone To view a configuration in the effective zone database: Connect to the switch and log in as admin. Enter the cfgActvShow command. switch:admin>...
  • Page 217 Enter the cfgShow command to verify the new zone object is present. switch:admin> cfgshow "Test*" cfg: Test1 Blue_zone cfg: Test_cfg Red_zone; Blue_zone switch:admin> cfgShow "US_Test1" cfg: Test1 Blue_zone cfg: Test_cfg Red_zone; Blue_zone If you want the change preserved when the switch reboots, enter the cfgSave command to save it to nonvolatile (flash) memory.
  • Page 218 To rename a zone object: Connect to the switch and log in as admin. Enter the cfgShow command to view the zone configuration objects you want to rename. switch:admin> cfgShow Defined configuration: cfg: USA_cfg Red_zone; White_zone; Blue_zone zone: Blue_zone 1,1; array1; 1,2; array2 zone: Red_zone 1,0;...
  • Page 219: Managing Zoning Configurations In A Fabric

    To validate all zones in the zone database in the defined configuration. switch:admin> sw5:root> zone --validate -m 1 Defined configuration: cfg: cfg1 zone1 cfg: cfg2 zone1; zone2 zone: zone1 1,1; ali1 zone: zone2 1,1; ali2 alias: ali1 10:00:00:05:1e:35:81:7f*; 10:00:00:05:1e:35:81:7d* alias: ali2 10:00:00:05:1e:35:81:09*;...
  • Page 220 Before the new fabric can merge successfully, it must pass the following criteria: Before merging zones • To facilitate merging, check the following before merging switches or fabrics: • Zoning licenses: All switches running Fabric OS v6.0.x or earlier must have a Zoning license enabled.
  • Page 221: Fabric Segmentation

    A merge is not possible if any of the following conditions exist: • Configuration mismatch: Zoning is enabled in both fabrics and the zone configurations that are enabled are different in each fabric. • Type mismatch: The name of a zone object in one fabric is used for a different type of zone object in the other fabric.
  • Page 222 followed by a portDisable or portEnable command on one of the ISL ports that connects the fabrics. This will cause a merge, making the fabric consistent with the correct configuration. IMPORTANT: Be careful using the cfgClear command because it deletes the defined configuration.
  • Page 223: Configuring Directors

    Configuring Directors This chapter contains procedures that are specific to the: • HP StorageWorks 4/256 SAN Director • HP StorageWorks DC SAN Backbone Director For detailed information see the HP StorageWorks SAN Director hardware reference manual or the HP StorageWorks DC SAN Backbone Director hardware reference manual. Identifying ports Because Directors contain interchangeable port blades, their procedures differ from those for fixed-port switches.
  • Page 224: Director Port Numbering Schemes

    Director port numbering schemes Table 62 lists the port numbering schemes for the 4/256 Director and DC Director. Table 62 Port numbering schemes for the 4/256 Director and DC Director Port blades Numbering scheme FC2-16 Ports are numbered from 0 through 15 from bottom to top. FC4-16 FC8-16 FC4-32...
  • Page 225: Default Index/Area_Id Core Pid Assignment With No Port Swap

    A number of fabric-wide databases supported by Fabric OS (including ZoneDB, the ACL DDC, and Admin Domain) allow a port to be designated by the use of a “D,P” (domain,port) notation. While the “P” component appears to be the port number, in up to 255 ports it is actually the area assigned to that port. If the PID format is changed from Extended-edge to Core, the “P”...
  • Page 226: Basic Blade Management

    Table 63 Default index/area_ID core PID assignment with no port swap (continued) Port on Slot Slot Slot Slot Slot Slot Slot Slot blade 1Idx/area 2Idx/area 3Idx/area 4Idx/area 7Idx/area 8Idx/area 9Idx/area 10Idx/area 135/135 151/151 167/167 183/183 199/199 215/215 231/231 247/247 134/134 150/150 166/166 182/182...
  • Page 227: Powering Port Blades Off And On

    Powering port blades off and on All blades are powered on by default when the switch chassis is powered on. Blades cannot be powered off when POST or AP initialization is in progress. NOTE: In the DC Director, the core blades in slots 5 and 8 cannot be powered off with the CLI interface. You must manually power off the blades by unseating the blade from its mounting or removing the power from chassis.
  • Page 228: Fc4-48 And Fc8-48 Blade Exceptions

    If a previously configured FR4-18i blade is removed and another or the same FR4-18i blade is inserted into the same slot, then the ports use the previous configuration and come up enabled. If a previously-configured FR4-18i blade is removed and an FC4-48, FC4-32, FC4-16, FC8-48, FC8-32, FC8-16, or FC10-6 blade is plugged in, then—other than the port’s EX_Port configuration—all the remaining port configurations previously applied to the FR4-18i FC_Ports can be used.
  • Page 229: Blade Terminology And Compatibility

    Blade terminology and compatibility Before configuring a chassis, familiarize yourself with the Director CP blade and port blade nomenclature, as well as the port blade compatibilities. Often in procedures, only the abbreviated names for CP and port blades are used (for example, the FC4-16 blade). Table 64 includes CP and port blade abbreviations and descriptions.
  • Page 230: Core Blades

    type of CP blade installed and that each CP (primary and secondary partition) maintains the same firmware version. Core blades The DC Director supports two CR8 core blades. This blade is used for intra-chassis switching as well as ICL connectivity to another DC Director chassis. The 4/256 Director does not support core blades.
  • Page 231: Displaying Slot Information

    Table 67 lists chassis configuration options and resulting slot configurations. Table 67 Chassis configuration options Option Result One 128-port switch (Blade IDs 4, 17 on slots 1–4, 7–10. Blade ID 5 and 16 on slots 5, 6) One 384-port switch (Blade IDs 4, 17, 18, 31, and 36 on slots 1–4, 7–10. Blade ID 16 on slots 5, 6) See Table 64 for details about the different blades, including their corresponding IDs.
  • Page 232: Inter Chassis Link Behavior Between Two Hp Storageworks Dc Directors

    Inter Chassis Link behavior between two HP StorageWorks DC Directors Inter chassis links (ICL) is a licensed feature used to interconnect two DC Directors; there are two ICL connector ports ICL0 and ICL1 on each core blade, each aggregating a set of 16 ports. Thus each core blade provides 32 ICL ports and there are 64 ICL ports available for the entire DC Director chassis.
  • Page 233: 10Routing Traffic

    Routing traffic This chapter provides information on routing policies. Data routing and routing policies Data moves through a fabric from switch to switch and from storage to server along one or more paths that make up a route. Routing policies determine the path for each frame of data. IMPORTANT: For most configurations, the default routing policy is optimal, and provides the best performance.
  • Page 234: Static Route Assignment

    Whatever routing policy a switch is using applies to the VE_Ports as well. See ”Configuring and monitoring FCIP extension services” on page 375 for details about VE_Ports. To display the current routing policy and specify a different routing policy, use the aptPolicy command. The aptPolicy command detects the switch’s configuration options and provides the appropriate policies for you to select from.
  • Page 235: Forcing In-Order Frame Delivery Across Topology Changes

    In a stable fabric, frames are always delivered in order, even when the traffic between switches is shared among multiple paths. However, when topology changes occur in the fabric (for example, if a link goes down), traffic is rerouted around the failure, and some frames could be delivered out of order. Most destination devices tolerate out-of-order delivery, but some do not.
  • Page 236: Viewing Routing Path Information

    Enter the dlsSet command to enable DLS or enter the dlsReset command to disable it. switch:admin> dlsshow DLS is not set switch:admin> dlsset switch:admin> dlsshow DLS is set switch:admin> dlsreset switch:admin> dlsshow DLS is not set Viewing routing path information The topologyShow and uRouteShow commands provide information about the routing path.
  • Page 237 Use the uRouteShow command to display unicast routing information. Use the following syntax for the 4/8 SAN Switch, 4/16 SAN Switch, 8/8 SAN Switch 8/24 SAN Switch Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, , and SAN Switch 4/32 4/64 SAN Switch, SAN Switch 4/32...
  • Page 238: Viewing Routing Information Along A Path

    Viewing routing information along a path You can display detailed routing information from a source port (or area) on the local switch to a destination port (or area) on another switch. This routing information describes the full path that a data stream travels between these ports, including all intermediate switches.
  • Page 239 The information that pathInfo provides is: Hops: The number of switch-to-switch links (ISLs) traversed. The local switch is hop 0. In Port: The port that the frames come in from on this path. For hop 0, the source port. Domain ID: The domain ID of the switch. The name of the switch.
  • Page 241: 11Implementing An Interoperable Fabric

    Implementing an interoperable fabric For information on HP supported interop configurations, refer to the HP StorageWorks Fabric interoperability: merging fabrics based on C-Series and B-Series Fibre Channel switches on the following HP website: http://h18000.www1.hp.com/products/storageworks/san/documentation.html
  • Page 243: 12Configuring The Distributed Management Server

    Configuring the Distributed Management Server This chapter provides information on enabling and disabling the platform services, configuring and controlling access to the Management Server database, and using the topology discovery feature. Overview The Fabric OS Distributed Management Server allows a SAN management application to retrieve information and administer interconnected switches, servers, and storage devices.
  • Page 244: Enabling Platform Services

    Enabling platform services Connect to the switch and log in as admin. Enter the msplMgmtActivate command. switch:admin> msplmgmtactivate Request to activate MS Platform Service in progress..*Completed activating MS Platform Service in the fabric! switch:admin> Disabling platform services Connect to the switch and log in as admin. Enter the msplMgmtDeactivate command.
  • Page 245: Adding A Member To The Acl

    Display the access list Add member based on its Port/Node WWN Delete member based on its Port/Node WWN select : (0..3) [1] 0 done ... switch:admin> Adding a member to the ACL Connect to the switch and log in as admin. Enter the msConfigure command.
  • Page 246: Deleting A Member From The Acl

    Display the access list Add member based on its Port/Node WWN Delete member based on its Port/Node WWN select : (0..3) [1] 0 done ... Update the FLASH? (yes, y, no, n): [yes] y *Successfully saved the MS ACL to the flash. switch:admin>...
  • Page 247: Viewing The Contents Of The Management Server Database

    Display the access list Add member based on its Port/Node WWN Delete member based on its Port/Node WWN select : (0..3) [1] 0 done ... Update the FLASH? (yes, y, no, n): [yes] y *Successfully saved the MS ACL to the flash. switch:admin>...
  • Page 248 switch:admin> mstdreadconfig *MS Topology Discovery is Enabled. To enable topology discovery: Connect to the switch and log in as admin. Enter the mstdEnable command to enable the discovery feature locally. Enter the mstdEnable all command to enable the discovery feature on the entire fabric. switch:admin>...
  • Page 249: 13Iscsi Gateway Services

    iSCSI Gateway services Overview of iSCSI gateway service The FC4-16IP iSCSI gateway service is an intermediate device in the network, allowing iSCSI initiators in an IP SAN to access and utilize storage in a Fibre Channel (FC) SAN as shown in the figure below. FC4-16IP FC target 1 iSCSI gateway...
  • Page 250: Basic Versus Advanced Lun Mapping

    To represent all iSCSI initiators and sessions, each iSCSI portal has one iSCSI virtual initiator (VI) to the FC fabric that appears as an N_Port device with a special WWN format. Regardless of the number of iSCSI initiators or iSCSI sessions sharing the portal, Fabric OS uses one iSCSI VI per iSCSI portal. The following figure shows the interaction of different layers from the iSCSI initiator stack to the FC target stack, including the iSCSI gateway service used during protocol translation.
  • Page 251: Advanced Lun Mapping

    Advanced LUN mapping SCSI VTs can be mapped to more than one physical FC target, and the LUNs can be mapped to different virtual LUNs. The following figure shows an advanced mapping scenario. FC target 1 iSCSI virtual target 1 FC target 2 iSCSI virtual target 2 iSCSI virtual target 3...
  • Page 252: Changing And Displaying The Iqn Prefix

    The following figure shows an iSCSI gateway that has three iSCSI VTs and two iSCSI initiators. iSCSI initiator A iqn.2003-11.com.microsoft:win2k-sn-192168101 iSCSI virtual targets (VTs) VT1 iqn.2002-12.com.brocade:10:00:00:05:1e:aa:bb:cc IP Network VT2...
  • Page 253: Switch-To-Iscsi Initiator Authentication

    DDSet 1 iSCSI virtual targets (VTs) iSCSI initiator A VT1 IP network VT2 VT3 iSCSI initiator B iSCSI gateway service Figure 21 Discovery domain set configuration example Switch-to-iSCSI initiator authentication...
  • Page 254: Enabling And Disabling Connection Redirection For Load Balancing

    Enabling and disabling connection redirection for load balancing Connect to the switch and log in. Enter the appropriate form of the iscsiSwCfg command for the operation you want to perform: • To enable connection redirection, use the iscsiSwCfg - -enableconn command. For 4/256 SAN Directors, the -s <slot number>...
  • Page 255: Supported Iscsi Initiators

    Supported iSCSI initiators Table 69 Supported iSCSI initiators iSCSI initiator driver versions Windows • MS iSCSI initiator 2.02 • MS iSCSI initiator 2.03 • MS iSCSI initiator 2.04 Linux • RH EL 4 default initiator • 2.6.10 - 4.0.2 iSCSI initiator (SourceForge.Net initiator) •...
  • Page 256 Table 70 iSCSI target gateway configuration steps (continued) Step Command Procedure Create discovery ”Creating discovery domains” iscsiCfg - -create dd -d domains. Where on page 267 <ddname> \ members are iSCSI components identified “<member>,<member>,<member>,.. using IQNs. .” Create discovery ”Creating and enabling a iscsiCfg - -create ddset -n domain set.
  • Page 257: Fc4-16Ip Blade Configuration

    FC4-16IP Blade Configuration This section describes the initial setup required to deploy an iSCSI gateway solution. NOTE: Only the 4/256 SAN Director with an iSCSI-enabled FC4-16IP blade running Fabric OS 5.2.0 or later supports the iSCSI gateway service. You can also configure an FC4-16IP blade through the Web Tools Graphical User Interface as an alternative to the command line interface.
  • Page 258: Enabling The Iscsi Gateway Service

    Enabling the iSCSI gateway service The iSCSI gateway service translates and directs SCSI traffic between an iSCSI initiator and an FC target. This section explains how to enable the iSCSI gateway service on the 4/256 SAN Director. Connect and log in to the switch. Enter the fosConfig --show command to show the current Fabric OS configuration.
  • Page 259: Configuring The Gbe Interface

    Take the appropriate action based on the Persistent Disable setting: • If it is set to OFF, proceed to step 4. • If it is set to ON, enter the portCfgPersistentEnable command with the slot number and GbE port number. switch:admin>...
  • Page 260: Iscsi Virtual Target Configuration

    (Optional) Enter the portCfg command to define static routes to reach the destination IP through a preferred gateway. switch:admin> portcfg iproute 3/ge0 create 0.0.0.0 0.0.0.0 30.0.0.1 1 Operation Succeeded The gateway must be on the same subnet as the GbE port. You can specify a maximum of 32 routes per GbE port.
  • Page 261: Automatic Iscsi Vt Creation

    Automatic iSCSI VT creation An iSCSI VT is created using target LUNs from the attached FC network. LUNs are mapped to iSCSI VTs by creating unique iSCSI Qualified Names (IQNs) for each target. You can create iSCSI VTs by using the iscsiCfg easycreate tgt command.
  • Page 262 2f:7f:00:06:2b:0d:10:ba iqn.2002-12.com.brocade:2f:7f:00:06:2b:0d:10:ba Operation Succeeded 2f:9f:00:06:2b:0d:10:ba iqn.2002-12.com.brocade:2f:9f:00:06:2b:0d:10:ba Operation Succeeded 2f:bf:00:06:2b:0d:10:ba iqn.2002-12.com.brocade:2f:bf:00:06:2b:0d:10:ba Operation Succeeded 2f:df:00:06:2b:0d:10:ba iqn.2002-12.com.brocade:2f:df:00:06:2b:0d:10:ba Operation Succeeded 2f:ff:00:06:2b:0d:12:9a iqn.2002-12.com.brocade:2f:ff:00:06:2b:0d:12:9a Operation Succeeded Enter the iscsiCfg show tgt command to display the status of the created iSCSI VTs. The following is an example. switch:admin>...
  • Page 263: Generating An Iscsi Vt For A Specific Fc Target

    Name: iqn.2002-12.com.brocade:2f:ff:00:06:2b:0d:12:9a State/Status: Online/Defined Generating an iSCSI VT for a specific FC target Connect and log in to the switch. Enter the iscsiCfg easycreate tgt command with the -w <port WWN> option to create an iSCSI VT that contains only the storage attached to the specified WWN. The default value of iqn.2002-12.com.brocade is used for the fixed prefix, and the port WWN is used as the user-defined portion of the IQN.
  • Page 264 The following is an example. switch:admin> fclunquery Target Index: 1 Target Node WWN: 20:00:00:04:cf:e7:74:cf Target Port WWN: 21:00:00:04:cf:e7:74:cf Target Pid: 120d6 Number of LUNs returned by query: 1 LUN ID: 0x00 Target Index: 2 Target Node WWN: 20:00:00:04:cf:e7:73:7e Target Port WWN: 21:00:00:04:cf:e7:73:7e Target Pid: 120d9 Number of LUNs returned by query: 1 LUN ID: 0x00...
  • Page 265: Mapping Luns On A Specific Port To An Iscsi Vt

    Enter the iscsiCfg --show lun command with -t <IQN> options to verify that the LUN has been added to the iSCSI VT, where -t is the IQN that identifies the iSCSI VT. The following is an example. switch:admin> iscsicfg --show lun -t iqn.2002-12.com.brocade:example-disk001 Number of targets found: 1 Target: iqn.2006-10.com.example:disk001 Number of LUN Maps: 1...
  • Page 266: Displaying The Iscsi Virtual Target Lun Map

    Displaying the iSCSI virtual target LUN map Connect and log in to the switch. Enter the iscsiCfg --show lun command: switch:admin> iscsicfg --show lun Number of targets found: 2 Target: iqn.2006-10.com.example:disk001 Number of LUN Maps: 2 FC WWN Virtual LUN(s) Physical LUN(s) 21:00:00:04:cf:e7:73:7e 2f:ff:00:06:2b:0d:12:99...
  • Page 267: Displaying Iscsi Initiator Iqns

    Displaying iSCSI initiator IQNs All iSCSI components in a DD must be identified using IQNs. Fabric OS temporarily stores the IQNs and IP addresses of iSCSI initiators that have logged in to the gateway. NOTE: If an iSCSI initiator has more than one IP address, only one of the IP addresses is displayed. Connect and log in to the switch.
  • Page 268: Iscsi Initiator-To-Vt Authentication Configuration

    iSCSI initiator-to-VT authentication configuration Fabric OS 5.2.0 or later supports both one-way and mutual CHAP authentication for iSCSI initiator-to-iSCSI VT target sessions. The authentication method (CHAP or none) is set on a per-iSCSI VT basis. Setting the user name and shared secret Authentication depends on a user name and shared secret.
  • Page 269: Deleting User Names From An Iscsi Vt Binding List

    Deleting user names from an iSCSI VT binding list User names can be deleted from the list of bound user names. Connect and log in to the switch. Enter the iscsiCfg --deleteusername tgt command with the -t and -u options to delete a user name: switch:admin>...
  • Page 270: Resolving Conflicts Between Iscsi Configurations

    Resolving conflicts between iSCSI configurations When you merge two fabrics with different iSCSI configurations, a conflict will result. If there is a conflict, the database will not be merged and you must resolve the conflict. The iscsiCfg show fabric command displays the “out of sync” state. The rest of the switches will function normally, however, since there is no segmentation of E_Ports as a result of discovery domain set database conflicts.
  • Page 271: Iscsi Fc Zoning Overview

    • Enter the fcLunQuery command with the -s option to return the node and port WWNs of the switch. The following is an example. switch:admin> fclunquery -s The following WWNs will be used for any lun query from this switch: Node WWN: 10:00:00:60:69:80:04:4a Port WWN: 21:fd:00:60:69:80:04:4a iSCSI FC zoning overview...
  • Page 272: Iscsi Fc Zone Creation

    iSCSI FC zone creation To create an iSCSI FC zone, you must include the following iSCSI elements in the zone: • The FC targets, used to create the virtual targets (VT). • The iSCSI virtual initiators (VIs): • If there is more than one FC4-16IP blade in the chassis, you must add all virtual initiators to the same zone.
  • Page 273 Enter the nsShow command to display the WWN information for the iSCSI virtual initiators: switch:admin> nsshow Type Pid PortName NodeName TTL(sec) 0120d6; 3;21:00:00:04:cf:e7:74:cf;20:00:00:04:cf:e7:74:cf; na FC4s: FCP [SEAGATE ST336607FC 0004] Fabric Port Name: 20:20:00:60:69:e0:01:56 Permanent Port Name: 21:00:00:04:cf:e7:74:cf Port Index: 32 Share Area: No Device Shared in Other AD: No 0120d9;...
  • Page 274 FC4s: FCP PortSymb: [23] "iSCSI Virtual Initiator" NodeSymb: [51] "IPAddr: 30.0.127.34 Slot/Port: 3/ge4 Logical pn: 44" Fabric Port Name: 00:00:00:00:00:00:00:00 Permanent Port Name: 50:06:06:9e:00:15:63:20 Port Index: 44 Share Area: No Device Shared in Other AD: No 012d00; 3;50:06:06:9e:00:15:63:28;50:06:06:9e:00:15:63:29; na FC4s: FCP PortSymb: [23] "iSCSI Virtual Initiator"...
  • Page 275: Zoning Configuration Creation

    Enter the zoneCreate command to create the zone. The following example illustrates the creation of a zone by specifying the aliases for FC targets and iSCSI virtual initiators as members of the named zone. switch:admin> zonecreate iscsi_zone001, "ISCSI_TARGETS; ISCSI_VI_SWITCH1_SLOT3" switch:admin> where: The user-defined name for the created zone.
  • Page 276: Isns Client Service Configuration

    iSNS client service configuration The internet storage name service (iSNS) server facilitates the automatic discovery and manages access control of iSCSI VTs on a TCP/IP network. iSNS clients initiate transactions with iSNS servers using the iSNS protocol, register available iSCSI VTs, download information about other registered clients (such as iSCSI initiators), and receive notification of events that occur in the DDs.
  • Page 277: Disabling The Isns Client Service

    Enter the fosConfig --show command to verify that the service is enabled: switch:admin> fosconfig --show FC Routing service:disabled iSCSI service:enabled iSNS Client service:enabled Set the IP address of the iSNS server. You can use either the IP address of the GbE port that attaches the FC4-16IP blade, or the server management port IP address.
  • Page 278: Clearing The Isns Client Configuration

    Clearing the iSNS client configuration The iSNS client configuration can be cleared with a single command. Connect and log in to the switch. Enter the isnscCfg --clear command to clear the iSNS configuration: switch:admin> isnsccfg --clear Cleared iSNS server IP address...
  • Page 279: 14Administering Npiv

    Administering NPIV This chapter describes the concepts and procedures for administering N-Port ID Virtualization (NPIV). About NPIV NPIV enables a single Fibre Channel protocol port to appear as multiple, distinct ports, providing separate port identification within the fabric for each operating system image behind the port (as if each operating system image had its own unique physical port).
  • Page 280: Configuration Scenarios

    The following example shows the configuration of these parameters: switch:admin> switchdisable switch:admin> configure Configure... Fabric parameters (yes, y, no, n): [no] Virtual Channel parameters (yes, y, no, n): [no] F-Port login parameters (yes, y, no, n): [no] y Maximum logins per switch: (1..4032) [4032] 2048 Maximum logins per port: (1..255) [255] 126 switch:admin>...
  • Page 281 output indicates whether or not a port is an NPIV F_Port, and identifies the number of virtual N_Ports behind it. Following is sample output from the switchShow command: switch: admin> switchshow switchName:swd77 switchType:32.0 switchState: Online switchMode:Native switchRole:Principal switchDomain: 99 switchId:fffc63 switchWwn:10:00:00:05:1e:35:37:40 zoning: switchBeacon:OFF...
  • Page 282: Displaying Login Information

    Interrupts: Link_failure: 16 Frjt: Unknown: Loss_of_sync: 422 Fbsy: Lli: 294803 Loss_of_sig: Proc_rqrd: Protocol_err: 0 Timed_out: Invalid_word: 0 Rx_flushed: Invalid_crc: Tx_unavail: Delim_err: Free_buffer: Address_err: 1458 Overrun: Lr_in: Suspended: Lr_out: Parity_err: Ols_in: 2_parity_err: Ols_out: CMI_bus_err: Displaying login information Use the portLoginShow command to display the login information for the virtual PIDs of a port. Following is sample output from the portLoginShow command: switch:admin>...
  • Page 283: 15Optimizing Fabric Behavior

    Optimizing fabric behavior This chapter describes the Adaptive Networking features. Introduction to adaptive networking Adaptive Networking is a suite of tools and capabilities that enable you to ensure optimized behavior in the SAN. Even under the worst congestion conditions, the Adaptive Networking features can maximize the fabric behavior and provide necessary bandwidth for high-priority, mission-critical applications and connections.
  • Page 284: Ti Zone Failover

    Figure 25 shows a fabric with a TI zone consisting of N_Ports “1,8” and “4,6” and E_Ports “1,1”, “3,9”, “3,12”, and “4,7”. The dotted line indicates the dedicated path from Domain 1 to Domain 4. Domain 1 Domain 3 = Dedicated Path = Ports in the TI zone Domain 4 Figure 25...
  • Page 285: General Rules For Ti Zones

    For example, in Figure 26, there is a dedicated path between Domain 1 and Domain 3, and another, non-dedicated, path that passes through Domain 2. Since the non-dedicated path is not the shortest path between Domain 1 and Domain 3, all traffic will use the dedicated path. Domain 1 Domain 3 = Dedicated Path...
  • Page 286: Supported Configurations For Traffic Isolation

    • The TI zones appear in the defined zone configuration only and do not appear in the effective zone configuration. A TI zone only provides Traffic Isolation and is not a “regular” zone. • A TI zone must include a set (two or more) of E_Ports forming an end-to-end path. Inclusion of N_Ports is optional.
  • Page 287: Limitations And Restrictions Of Traffic Isolation

    • FCR does not support Traffic Isolation. • Ports in a TI zone must belong to switches that run Fabric OS v6.0 or later. • Traffic Isolation is not supported in fabrics with switches running firmware versions earlier than Fabric OS 6.0.
  • Page 288: Modifying Ti Zones

    To create a TI zone with failover enabled and activate it (default settings), type: zone --create -t ti redzone -p "1,1; 2,4; 1,8; 2,6" To create a deactivated TI zone with failover disabled, type: zone --create -t ti -o dn redzone -p "1,1; 2,4; 1,8; 2,6" Modifying TI zones Using the zone --add and zone --remove commands, you can add and remove ports and change the failover option of existing TI zones.
  • Page 289: Activating And Deactivating A Ti Zone

    Enter the zone --add command to add ports or change the failover option for an existing TI zone. Enter the zone --remove command to remove ports from an existing TI zone. zone --add [-o optlist] name -p "portlist" zone --remove name -p "portlist" where: A list of options for controlling failover mode.
  • Page 290: Deleting A Ti Zone

    Deleting a TI zone Use the zone --delete command to delete a TI zone from the defined configuration. This command deletes the entire zone; to only remove port members from a TI zone, use the zone --remove command, as described in ”Modifying TI zones”...
  • Page 291: Qos: Sid/Did Traffic Prioritization

    To limit the traffic, you set the maximum speed at which the traffic can flow through a particular F_Port or FL_Port. For example, if you set the rate limit at 4 Gbps, then traffic from a particular device is limited to a maximum of 4 Gbps.
  • Page 292: Qos Zones

    QoS zones You assign high or low priority (QoS level) using a QoS zone. A QoS zone is a special zone that indicates the priority of the traffic flow between a given host/target pair. The members of a QoS zone are WWNs of the host/target pairs.
  • Page 293: Qos On E_Ports

    QoS on E_Ports In addition to configuring the hosts and targets in a zone, you must also enable QoS on individual E_Ports that might carry traffic between the given host and target pairs. Path selection between the “host,target” pairs is governed by FSPF rules and is not affected by QoS priorities. By default, QoS is enabled on E_Ports in port configuration.
  • Page 294: Setting Traffic Prioritization

    • Traffic prioritization is not supported on mirrored ports. • Trunking considerations: If some ports in a trunk group have QoS enabled and some ports have QoS disabled, then two different trunks are formed, one with QoS enabled and one with QoS disabled.
  • Page 295: 16Using The Fc-Fc Routing Service

    Using the FC-FC Routing Service Supported platforms FC-FC Routing is supported on the following platforms: • 400 MP Router • 4/256 SAN Director or DC SAN Backbone Director (short name, DC Director) when it is configured with an FR4-18i blade and uses chassis configuration option 5 NOTE: The DC Director only supports chassis configuration option 5.
  • Page 296: A Metasan With Interfabric Links

    Figure 31 shows a metaSAN consisting of three edge fabrics connected through a 4/256 SAN Director or DC Director containing an FR4-18i with interfabric links. Host Target Target Edge Edge Edge fabric 1 fabric 2 fabric 3 E_Port E_Port E_Port Fibre...
  • Page 297: A Metasan With Edge-To-Edge And Backbone Fabrics

    [Figure 32: A metaSAN with edge-to-edge and backbone fabrics] Figure 32 shows a metaSAN with a backbone consisting of one 400 MP Router connecting hosts in Edge Fabrics 1 and 3 with storage in Edge Fabric 2 and the backbone through the use of LSANs.
  • Page 298: Proxy Devices

    If an FR4-18i blade is attached to an edge fabric using an EX_Port, it will create translate phantom domains in the fabric corresponding to the imported edge fabrics with active LSANs defined. If you import devices into the backbone fabric, then a translate phantom domain is created in the backbone device in addition to the one in the edge fabric.
  • Page 299: Routing Types

    [Figure 34: MetaSAN with imported devices] Routing types • Edge-to-Edge Occurs when devices in one edge fabric communicate with devices in another edge fabric through one or more Fibre Channel routers.
  • Page 300: Setting Up The Fc-Fc Routing Service

    Fibre Channel fabrics require that all ports be identified by a unique PID. In a single fabric, FC protocol guarantees that Domain IDs are unique, and so a PID formed by a Domain ID and area ID is unique within a fabric.
  • Page 301: Performing Verification Checks

    Performing verification checks Before configuring a fabric to connect to another fabric, you must perform the following verification checks on the switch or director. To perform verification checks: Log in to the switch or director as admin and enter the version command. Verify that Fabric OS 6.0 is installed on the 400 MP Router, 4/256 SAN Director or DC Director with the FR4-18i blade as shown in the following example.
  • Page 302: Assigning Backbone Fabric Ids

    Enter the interopMode command and verify that Brocade switch interoperability with switches from other manufacturers is disabled. switch:admin> interopmode InteropMode: Off Usage: InteropMode 0|1 0: to turn it off 1: to turn it on Enter the msPlatShow command to verify that Management Server Platform database is disabled in the backbone fabric.
  • Page 303: Configuring Fcip Tunnels (Optional)

    To assign backbone fabric IDs: Log in to the switch or director. Enter the fosConfig disable fcr command to disable the FC-FC Routing Service. See the Fabric OS Command Reference or the CLI man pages for more information about the fosConfig command.
  • Page 304: Configuring Dh-Chap Secret

    fabrics. Secure Fabric OS is an optional licensed product that provides customizable security restrictions through local and remote management channels on an HP fabric. Although Secure Fabric OS is not supported in Fabric OS 6.0, you can still connect a 6.0 switch to an edge switch that participates in a Secure Fabric OS.
  • Page 305: Configuring An Interfabric Link

    When prompted, type y. The DH-CHAP secret is now stored in the secret word database and is ready for use. switch:admin> secauthsecret --set This command is used to set up secret keys for the DH-CHAP authentication. The minimum length of a secret key is 8 characters and maximum 40 characters.
  • Page 306 To configure an IFL for both edge and backbone connections: On the 400 MP Router, or 4/256 SAN Director or DC Director with an FR4-18i blade, disable the port that you are configuring as an EX_Port (the one connected to the Brocade switch) by issuing the portDisable command.
  • Page 307: Portcfgexport Options

    portCfgExport options This port can now connect to another switch. The following list describes the options for the portCfgExport command. For more information about the portCfgExport and portCfgVexport commands, see the Fabric OS Command Reference. Sets the EX_Port to enabled (1) or disabled (2). Admin use only. Sets the fabric ID (1 to 128).
  • Page 308 Enter the portCfgShow command to view ports that are persistently disabled. switch:admin> portcfgshow 7/10 Area Number: Speed Level: AUTO Trunk Port Long Distance VC Link Init Locked L_Port Locked G_Port Disabled E_Port ISL R_RDY Mode RSCN Suppressed Persistent Disable NPIV capability EX Port Mirror Port FC Fastwrite...
  • Page 309 Enter either the portCfgEXPort or portShow command to verify that each port is configured correctly: switch:admin> portcfgexport 7/10 Port 7/10 info Admin: enabled State: NOT OK Pid format: Not Applicable Operate mode: Brocade Native Edge Fabric ID: Preferred Domain ID: Front WWN: 50:06:06:9e:20:38:6e:1e Fabric Parameters:...
  • Page 310: Configuring The Fc Router Port Cost (Optional)

    Proc_rqrd: Protocol_err: 0 Timed_out: Invalid_word: 0 Rx_flushed: Invalid_crc: Tx_unavail: Delim_err: Free_buffer: Address_err: Overrun: Lr_in: Suspended: Lr_out: Parity_err: Ols_in: 2_parity_err: Ols_out: CMI_bus_err: Port part of other ADs: No Enter the switchShow command to verify the EX_Port (or VEX_Port), edge fabric ID, and name of the edge fabric switch (containing the E_Port or VE_Port).
  • Page 311: Using Router Port Cost

    The FCR router port cost settings are 0, 1000, or 10,000. If the cost is set to 0, the default cost will be used for that IFL. The FC router port cost is persistent and is saved in the existing port configuration file. Router port cost is passed to other routers in the same backbone.
  • Page 312: Port Cost Considerations

    Port cost considerations The router port cost has the following considerations: • Router port sets are defined as follows: • 0-7 and FCIP Tunnel 16-23 • 8-15 and FCIP Tunnel 24-31 More than two router port sets can exist in a 4/256 SAN Director or DC Director with two FR4-18i blades. •...
  • Page 313: Configuring Ex_Port Frame Trunking (Optional)

    400 MP Router or 4/256 SAN Director or DC Director with an FR4-18i blade, use the portCfgEXPort command. If you want to change the fabric parameters of a VEX_Port, then use the portCfgVEXPort command. The PID mode for the backbone fabric PID mode and the edge fabric PID mode do not need to match, but the PID mode for the EX_Port or VEX_Port and the edge fabric to which it is attached must match.
  • Page 314: Supported Configurations And Platforms

    Supported configurations and platforms The EX_Port trunking is an FCR software feature and requires that you have a trunking license installed on the FCR switch and on the edge fabric connected to the other side of the trunked EX_Ports. EX_Port trunking is supported only with edge fabrics.
  • Page 315: Configuring Lsans And Zoning

    through these ports may be disrupted for a short period of time. In addition to the commands for enabling and disabling trunking, you can also use the following E_Port commands for administering EX_Port Frame Trunking: • Use portCfgSpeed and switchCfgSpeed to set speed for a port or switch. •...
  • Page 316: Defining And Naming Zones

    address authority (NAA) field in the WWN to detect an FC router. LSAN zone enforcement in the local fabric occurs only if the administration domain member list contains both of the devices (local and imported device) specified in the LSAN zone. For more information, see ”Managing administrative domains”...
  • Page 317 • Target B has WWN 50:05:07:61:00:49:20:b4 (connected to switch2). The following procedure shows how to control device communication with the LSAN. To control device communication with the LSAN: Log in as admin and connect to switch1. Enter the nsShow command to list the WWN of the host (10:00:00:00:c9:2b:c9:0c). NOTE: The nsShow output displays both the port WWN and node WWN;...
  • Page 318 Enter the cfgShow command to verify that the zones are correct. switch:admin> cfgshow Defined configuration: zone: lsan_zone_fabric2 10:00:00:00:c9:2b:c9:0c; 50:05:07:61:00:5b:62:ed; 50:05:07:61:00:49:20:b4 Effective configuration: no configuration in effect Enter the cfgAdd and cfgEnable commands to create and enable the LSAN configuration. switch:admin> cfgadd "zone_cfg", "lsan_zone_fabric2" switch:admin>...
  • Page 319: Lsan Zone Binding (Optional)

    LSAN zone binding (optional) By default, the Fibre Channel routers (FCR) in the backbone maintain the entire LSAN zone and device state database. On Fibre Channel routers with Fabric OS 5.3.0 and later, the LSAN zone binding allows you to specify pairs of edge fabrics that share devices, effectively creating an LSAN fabric matrix. The Fibre Channel router uses this information to store only the LSAN zone entries of the remote edge fabrics that can access its local edge fabrics and also to search and do a pair match only against the specified edge fabrics.
  • Page 320: Dual Backbone Configuration

    cancel Clears the information from the cache and puts it back to the saved value. display Displays the information that is saved in the cache. fabricview Displays the static and default and dynamic binding of the backbone to show which edge fabrics can access each other. verify Verifies if the information in the cache is valid and will not disrupt existing import/export devices.
  • Page 321: Configuring Backbone Fabrics For Interconnectivity

    The fcrlsancount command assumes that all the FCRs in the same LSAN fabric matrix or backbone have the same maximum LSAN count defined, to protect all the FCRs from running into indefinite state. Asymmetric LSAN configurations due to different maximum LSAN counts could lead to different devices being imported on different FCRs.
  • Page 322: Broadcast Configuration

    In the FC router, use the command fcrbcastconfig to prevent interfabric forwarding of broadcast frames of edge or backbone fabrics. Using the fcrbcastconfig command, you can disable or enable the broadcast frame forwarding option per FID (edge fabric or backbone fabric). If you have an FID with a pre-existing IPFC data session that you want to disable then the IPFC traffic across the FCR may not stop even after disabling the broadcasting to some edge fabrics.
  • Page 323: Monitoring Resources

    Type the following command: fcr:admin> fcrbcastconfig --disable -f <fabric id> where <fabric id> is the specified FID where you want to disable frame forwarding. This command disables the broadcast frame forwarding option for an FID (edge or backbone fabric). Monitoring resources It is possible to exhaust resources, such as proxy PIDs.
  • Page 324: Routing Echo

    The following example shows the use of the fcrResourceShow command to display per-physical-port (EX_Port) resources. switch:admin> fcrresourceshow Daemon Limits: Max Allowed Currently Used ---------------------------------- LSAN Zones: 3000 28 LSAN Devices: 10000 51 Proxy Device Slots: 10000 20 WWN Pool Size Allocated ---------------------------------- Phantom Node WWN: 8192 5413 Phantom Port WWN: 32768 16121...
  • Page 325: Upgrade And Downgrade Considerations

    To check for Fibre Channel connectivity problems: On the edge Fabric OS switch, make sure that the source and destination devices are properly configured in the LSAN zone before entering the fcPing command. This command performs the following functions: • Checks the zoning configuration for the two ports specified. •...
  • Page 326: Backward Compatibility

    For the exact RASLog message descriptions, see the following RASLogs: FCR_1055, FCR_1056, and FCR_1073. For further information on these messages, refer to Fabric OS Message Reference. Backward compatibility In a fabric with Secure Fabric OS enabled, the edge fabric must have Fabric OS 3.2, 4.4.0, or later because only DH-CHAP authentication is supported.
  • Page 327: Range Of Output Ports

    The portCfgExport command has additional options to verify the front Domain ID. The portCfgExport -d option is changed to enforce use of the same front Domain ID for the EX_Ports connected to the same edge fabric. The portCfgExport display results remain the same. For more information about the portCfgExport -d option, see ”portCfgExport options”...
  • Page 328 To display the range of output ports connected to the xlate domains: Log in to the FC router. Enter the lsDbShow command on the edge fabric. The following example shows the range of output ports. linkCnt = 2, flags = 0x0 LinkId = 53, out port = 1, rem port =...
  • Page 329: 17Administering Advanced Performance Monitoring

    Administering Advanced Performance Monitoring This chapter describes the Advanced Performance Monitoring licensed feature. About Advanced Performance Monitoring Additional performance monitoring features are provided through Web Tools. See the Web Tools Administrator’s Guide for information about monitoring performance using the Web Tools GUI. Based on Brocade Frame Filtering technology and a unique performance counter engine, Advanced Performance Monitoring is a comprehensive tool for monitoring the performance of networked storage resources.
  • Page 330: End-To-End Performance Monitoring

    NOTE: The command examples in this chapter use the slot/port syntax required by 4/256 SAN Director and DC Directors. For the 4/8 SAN Switch, 4/16 SAN Switch, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 8/8 SAN Switch, 8/24 SAN Switch, 8/40 SAN Switch, 8/80 SAN Switch and the 400 Multi-protocol Router, use only the port number where needed in the commands.
  • Page 331: Setting A Mask For End-To-End Monitors

    Figure 35 shows two devices: • Host A is connected to domain 5 (0x05), switch area ID 18 (0x12), AL_PA 0x00 on Switch X. • Dev B is a storage device connected to domain 17 (0x11), switch area ID 30 (0x1e), AL_PA 0xef on Switch Y.
  • Page 332: Advanced Performance Monitoring Commands

    Table 73 lists commands associated with Advanced Performance Monitoring. Advanced Performance Monitor commands are available only to users with the admin or switchAdmin roles. For detailed information on these commands, see the Fabric OS Command Reference. Table 73 Advanced Performance Monitoring commands Command Description Add an end-to-end monitor to a port.
  • Page 333: Monitoring Al_Pas

    Monitoring AL_PAs You can use the perfShowAlpaCrc command to display the CRC error count for all AL_PA devices or for a single AL_PA on a specific active L_Port. The following example displays the CRC error count for all AL_PA devices on a port: switch:admin>...
  • Page 334: Setting A Mask For An End-To-End Monitor

    Setting a mask for an end-to-end monitor You can specify a mask using the perfSetPortEEMask command in the form dd:aa:pp, where dd is the Domain ID mask, aa is the area ID mask, and pp is the AL_PA mask. The values for dd, aa, and pp are either ff (the field must match) or 00 (the field is ignored).
  • Page 335: Filter-Based Performance Monitoring

    --------------------------------------------------------------------------- 0x000024 0x000016 WEB_TOOLS 0x0000000000000000 0x0000000000000000 10.106.7.179 0x000022 0x000033 WEB_TOOLS 0x0000000000000000 0x0000000000000000 10.106.7.179 0x000123 0x000789 WEB_TOOLS 0x0000000000000000 0x0000000000000000 10.106.7.179 0x001212 0x003434 WEB_TOOLS 0x0000000000000000 0x0000000000000000 10.106.7.179 switch:admin> perfdeleemonitor 0, 2 End-to-End monitor number 2 deleted switch:admin> Filter-based performance monitoring Filter-based performance monitoring counts the number of times a frame with a particular pattern is transmitted by a port.
  • Page 336: Adding Custom Filter-Based Monitors

    You cannot add identical filter monitors to the same port. Two filter monitors are considered to be identical when they have the same values for the following items. • Filter monitor type • Owner (telnet, Web Tools, etc.) • Alias The following example adds filter-based monitors to slot 1, port 2 and displays the results: switch:admin>...
  • Page 337: Deleting Filter-Based Monitors

    You can specify up to four values to compare against each offset. If more than one offset is required to properly define a filter, the bytes found at each offset must match one of the given values for the filter to increment its counter.
  • Page 338: Top Talker Monitors

    ISL monitors are deleted when Top Talker is installed and are restored when Top Talker is deleted. (See ”Top Talker monitors” for information about Top Talker monitors.) You can monitor ISL performance using the perfMonitorShow command, as described in ”Displaying monitor counters”....
  • Page 339: Deleting A Top Talker Monitor On An F_Port

    To add a Top Talker monitor on an F_Port: Connect to the switch and log in as admin. Enter the perfttmon --add command. perfttmon --add [egress | ingress] [slotnumber/]port where: slotnumber For director-class switches only (4/256 SAN Director and DC Director), the slot number.
  • Page 340: Using Top Talker Monitors In Fabric Mode

    perfttmon --show 7 5 To display the top flows on slot 2, port 4 on the 4/256 SAN Director or DC Director in PID format: perfttmon --show 2/4 pid switch:admin> perfttmon --show 2/4 pid ======================================== Src_PID Dst_PID MB/sec ======================================== 0xa90800 0xa05200 6.926 0xa90800...
  • Page 341: Limitations Of Top Talker Monitors

    The output is sorted based on the data rate of each flow. If you do not specify the number of flows to display, then the command displays the top 8 flows or the total number of flows, whichever is less. The command can display a maximum of 32 flows.
  • Page 342 monitor_class: The monitor class, which can be one of EE (end-to-end), FLT (filter-based), or ISL (inter-switch link). The class monitor_class operand is required. slotnumber: Specifies the slot number for a 4/256 SAN Director. For all other switches, this operand is not required. The slot number must be followed by a slash ( / ) and the port number, so that each port is represented by both slot number (1 through 4 or 7 through 10) and port number (0 through 15).
  • Page 343 0x21300 0x21de0 TELNET 0x00000004d0bab3a5 0x0000000067229e87 0x0000000000000000 0x21300 0x21de1 TELNET 0x00000004d0bac1e4 0x0000000067229e87 0x0000000000000000 0x21300 0x21de2 TELNET 0x00000004d0bad086 0x0000000067229e87 0x0000000000000000 0x11000 0x21fd6 WEB_TOOLS 0x00000004d0bade54 0x0000000067229e87 0x0000000000000000 192.168.169.40 0x11000 0x21fe0 WEB_TOOLS 0x00000004d0baed41 0x0000000067229e98 0x0000000000000000 192.168.169.40 The following example displays a filter-based monitor on a port at 6-second intervals: switch:admin>...
  • Page 344: Clearing Monitor Counters

    SCSI_WR WEB_TOOLS 0x000000000000033a 192.168.169.40 The following example displays ISL monitor information on a port: switch:admin> perfMonitorShow --class ISL 1/1 Total transmit count for this ISL: 1462326 Number of destination domains monitored: 3 Number of ports in this ISL: 2 Domain 110379 Domain 98: 13965...
  • Page 345 where: monitor_class: The monitor class, which can be one of EE (end-to-end), FLT (filter-based), or ISL (inter-switch link). The class monitor_class operand is required. slotnumber: For bladed systems only, specifies the slot number of the port on which the monitor counter is to be cleared. For all other switches, this operand is not required.
  • Page 346: Saving And Restoring Monitor Configurations

    Saving and restoring monitor configurations To save the current end-to-end and filter monitor configuration settings into nonvolatile memory, use the perfCfgSave command: switch:admin> perfcfgsave This will overwrite previously saved Performance Monitoring settings in FLASH. Do you want to continue? (yes, y, no, n): [no] y Please wait ...
  • Page 347: 18Administering Extended Fabrics

    Administering Extended Fabrics This chapter provides information on implementing Extended Fabrics software. Extended Fabrics licensing To implement long distance dynamic (LD) and long distance static (LS) distance levels, you must first install the Extended Fabrics license. Use the licenseShow command to verify that the license is present on both switches used on both ends of the extended ISL.
  • Page 348: Fibre Channel Data Frames

    Table 76 describes Fibre Channel data frames. Table 76 Fibre Channel data frames Start of frame 4 bytes 32 bits Standard frame header 24 bytes 192 bits Data (payload) {0 - 2,112} bytes {0 - 16,896} bits 4 bytes 32 bits End of frame 4 bytes...
  • Page 349: Fc Switch Port Buffer Credit Requirements For Long Distance Calculations

    FC switch port Buffer Credit requirements for long distance calculations You can calculate how many ports can be configured for long distance on all switch modules or ASICs except Bloom-based switches. For information on the port, speed and distance for Bloom-based ASICs, see Table 78.
  • Page 350: Displaying The Remaining Buffers In A Port Group

    Example: Consider the 8/24 SAN Switch, which has 24 ports and total buffers of 676. The maximum remaining number of buffer credits after each port is reserved is:
    676 – (24 * 8) = 484 buffers
    Where:
    24 = the number of ports in a port group retrieved from Table
    8 = the number of reserved buffers
    676 = a static number retrieved from...
  • Page 351 Enter the portbuffershow command. switch:admin> portbuffershow 1 User Port Max/Resv Buffer Needed Link Remaining Port Type Mode Buffers Usage Buffers Distance Buffers ---- ---- ---- ------- ------ ------- --------- ----- switch:admin>
  • Page 352: Switch, Port Speed, And Distance With Asic And Buffers

    Table 77 Switch, port speed, and distance with ASIC and buffers Switch blade ASIC Total ports in Total ports in a Reserved model a switch or group buffers for ports blade B-Series 2Gb Bloom 8, 16 or 32 108/4 Switches 4/8 SAN Switch Golden Eye 272/16...
  • Page 353: Buffer Credit Recovery

    Buffer credit recovery Buffer recovery credit allows links to recover after frames and R_RDYs are lost when the credit recovery logic is enabled. Buffer recovery credit maintains performance; as soon as one credit is lost, it attempts to recover. During link reset, the frame and credit loss counters are reset without performance degradation. This feature is only supported on long distance E_Ports connected between GoldenEye2 and condor2-based ports.
  • Page 354: Configuring An Extended Isl

    Configuring an extended ISL Before configuring an extended ISL, ensure that the following conditions are met: • Be sure that the ports on both ends of the ISL are operating at the same port speed, and can be configured at the same distance level without compromising local switch performance. NOTE: A long-distance link also can be configured to be part of a trunk group.
  • Page 355: Extended Isl Modes: B-Series 2Gb Switches (Bloom And Bloom Ii Asics)

    Enables the long-distance link initialization sequence. This vc_translation_link_in extended link initialization sequence is an enhanced link reset protocol, and avoids excessive resetting of ports. By default this option is set to 1 (enabled). It must be set to 1 (enabled) when configuring a trunk over Extended Fabrics.
  • Page 356 356 Administering Extended Fabrics...
  • Page 357: 19Administering Isl Trunking

    Administering ISL Trunking This chapter contains procedures for using the ISL Trunking licensed feature, which optimizes the use of bandwidth by allowing a group of interswitch links to merge into a single logical link. About ISL Trunking ISL Trunking reduces or eliminates situations that require static traffic routes and individual ISL management to achieve optimal performance.
  • Page 358: Standard Trunking Criteria

    • 8 Gbps trunk links where supported. The maximum number of ports per trunk and trunks per switch depends on the HP model. NOTE: Director blade model FC10-6 does not support trunking. Standard trunking criteria Observe the following criteria for standard distance trunking: •...
  • Page 359: Initializing Trunking On Ports

    • The addition of a path that is longer than existing paths may not be useful because the traffic will choose the shorter paths first. • Plan for future bandwidth addition to accommodate increased traffic. For trunking groups over which traffic is likely to increase as business requirements grow, consider leaving one or two ports in the group available for future nondisruptive addition of bandwidth.
  • Page 360: Displaying Port Throughput Performance

    Where 4 is a slave port of the F_Port Trunk. If you attempt to install a monitor on a slave port of an F_Port trunk and the same monitor is already installed on the corresponding master, the following message is displayed: switch:admin>...
  • Page 361: Enabling And Disabling Isl Trunking

    Enabling and disabling ISL Trunking You can enable or disable ISL Trunking for a single port or for an entire switch. When you execute the commands portCfgTrunkPort or switchCfgTrunk to update the trunking configuration, the ports for which the configuration applies are disabled and re-enabled with the new trunk configuration. As a result, traffic through those ports could be disrupted.
  • Page 362: Setting Port Speeds

    Setting port speeds For long-distance ports, if a port is set to autonegotiate port speed, the maximum speed (which is 8 Gbps) is assumed for reserving buffers for the port. If the port is only running at 2 Gbps this wastes buffers. For long-distance ports, it is best to set the port speed (this applies to the 4/32 SAN Switch, 4/32B SAN Switch and the 4/256 SAN Director only).
  • Page 363: Setting The Same Speed For All Ports On The Switch

    portcfgspeed [slotnumber/]portnumber, speed_level slotnumber For bladed systems only, specify the slot number of the port to be configured, followed by a slash (/). This operand is only required for Directors. portnumber Specifies the port number relative to its slot for bladed systems. speedlevel Specifies the speed of the link: •...
  • Page 364: Displaying Trunking Information

    The following example sets the speed for all ports on the switch to eight Gbps: switch:admin> switchcfgspeed 8 Committing configuration...done. The following example sets the speed for all ports on the switch to autonegotiate: switch:admin> switchcfgspeed 0 Committing configuration...done. Displaying trunking information The trunkShow command offers an efficient means of listing out all the trunks and members of a trunk.
  • Page 365: Trunking Over Extended Fabrics

    Trunking over Extended Fabrics In addition to the criteria listed in "Standard trunking criteria" on page 358, observe the following criteria for trunking over Extended Fabrics: • ISL Trunking over Extended Fabrics is supported on switches running Fabric OS 4.4.0 and later. •...
  • Page 366: Switch In Access Gateway Mode Without F_Port Trunking

    F_Port trunking prevents reassignments of the Port ID when F_Ports go offline and it increases F_Port bandwidth. This feature supports the HP StorageWorks SAN Switch 4/32, 4/32B, 4/64 SAN Switch, 8/8 SAN Switch, 8/24 SAN Switch, 8/40 SAN Switch, 8/80 SAN Switch, 4/256 SAN Director and the DC Director enterprise-class platforms running Fabric OS 6.1.x.
  • Page 367: F_Port Masterless Trunking Considerations

    F_Port trunking considerations Table 82 F_Port masterless trunking considerations Category Description Area assignment You statically assign the area within the trunk group on the edge switch. That group is the F_Port masterless trunk. The static trunk area you assign must fall within the ASIC's trunk group of the switch or blade starting from port 0.
  • Page 368 Table 82 F_Port masterless trunking considerations Category Description portCfgTrunkPort <port>, 0 The portCfgTrunkPort <port>, 0 command will fail if a Trunk Area is enabled on a port. The port Trunk Area must be disabled first. switchCfgTrunk 0 The switchCfgTrunk 0 command will fail if a port has TA enabled.
  • Page 369: Setting Up F_Port Trunking

    Table 82 F_Port masterless trunking considerations Category Description DCC Policy DCC policy enforcement for the F_Port trunk is based on the Trunk Area; the FDISC requests to a trunk port are accepted only if the WWN of the attached device is part of the DCC policy against the TA.
  • Page 370: Assigning A Trunk Area

    based on the user port number, with contiguous eight ports as one group, such as 0-7, 8-15, 16-23 and up to the number of ports on the switch. Figure 41 Trunk group configuration for the SAN Switch 8/40 Connect to the switch and log in as admin.
  • Page 371: Enabling F_Port Trunking

    switch:admin> porttrunkarea --show enabled Slot Port Type State Master ------------------------------------------- 125 125 125 126 ------------------------------------------- Enable ports 13 and 14: switch:admin> portenable 10/13 switch:admin> portenable 10/14 Show the TA port configuration after enabling the ports: switch:admin> porttrunkarea --show enabled Slot Port Type State...
  • Page 372: Enabling The Dcc Policy On Trunk

    No_Module No_Module No_Module No_Module No_Module No_Module No_Module No_Module No_Module No_Module No_Module No_Module No_Light No_Light No_Light No_Light Online F-Port 2 NPIV public (Trunk master) Online F-Port (Trunk port, master is Port 36 ) Online F-Port (Trunk port, master is Port 36 ) Online F-Port (Trunk port, master is Port 36 Display TA enabled port configuration:...
  • Page 373: Disabling F_Port Trunking

    Disabling F_Port trunking Connect to the switch and log in as admin. Enter the portTrunkArea --disable command switch:admin> porttrunkarea --disable 36-39 ERROR: port 36 has to be disabled Disable each port prior to removing ports from the TA. Then reissue the command: switch:admin>...
  • Page 374 374 Administering ISL Trunking...
  • Page 375: 20Configuring And Monitoring Fcip Extension Services

    20 Configuring and monitoring FCIP extension services This chapter describes the FCIP concepts, configuration procedures, and tools and procedures for monitoring network performance. Commands described in this chapter require Admin or root user access. See the Fabric OS Command Reference for detailed information on command syntax. FCIP services licensing Most of the FCIP extension services described in this chapter require the High Performance Extension over FCIP/FC license.
  • Page 376: Platforms That Support San Extension Over Ip

    Platforms that support SAN extension over IP Fabric OS supports SAN extension between 400 Multi-protocol Routers or between FR4-18i blades installed on 4/256 SAN Directors or DC SAN Backbone Directors. The 400 Multi-protocol Router and FR4-18i blade integrate sixteen physical Fibre Channel ports and two physical GbE ports as illustrated in Figure 42 Figure Figure 42...
  • Page 377: Fcip Concepts

    FCIP concepts Fibre Channel over IP (FCIP) enables you to connect Fibre Channel SANs over IP-based networks. 400 Multi-protocol Router and FR4-18i blades use FCIP to encapsulate Fibre Channel frames within IP frames that can be sent over an IP network to a partner 400 Multi-protocol Router or FR4-18i blade. When the IP packets are received, the Fibre Channel frames are reconstructed.
  • Page 378: Compression

    Compression Data compression can be enabled or disabled on FCIP tunnels. The default setting is to disable compression. Traffic shaping Traffic can be shaped by establishing a rate limit per tunnel. A committed rate can be assigned to a port that guarantees a fixed amount of bandwidth.
  • Page 379: When Both Dscp And L2Cos Are Used

    Table 86 shows the default mapping of DSCP priorities to L2Cos priorities per tunnel ID. This may be helpful when consulting with the network administrator. These values may be modified per FCIP tunnel. Table 86 Default Mapping of DSCP priorities to L2Cos Priorities Virtual Circuit DSCP priority/bits L2CoS priority/bits...
  • Page 380: Ipsec Terminology

    IPSec uses some terms that you should be familiar with before beginning your configuration. These are standardized terms, but are included here for your convenience. Table 87 IPSec terminology Term Definition Advanced Encryption Standard. FIPS 197 endorses the Rijndael encryption algorithm as the approved AES for use by US Government organizations and others to protect sensitive information.
  • Page 381: Options For Enhancing Tape Write I/O Performance

    • IPSec can only be configured on IP V4 based tunnels. Secure tunnels cannot be created on a 400 Multi-protocol Router or FR4-18i blade if any IP V6 addresses are defined on either ge0 or ge1. • Secure Tunnels cannot be defined with VLAN Tagged connections.
  • Page 382: Constraints For Fcip Fastwrite And Tape Pipelining

    Table 88 Using FCIP fastwrite and tape pipelining (continued) FCIP fastwrite Tape pipelining Class 3 traffic is accelerated with fastwrite. Class 3 traffic is accelerated between host and sequential device. With sequential devices (tape drives), there are 1024 initiator-tape (IT) pairs per GbE port, but 2048 initiator-tape-LUN (ITL) pairs per GbE port.
  • Page 383: Unsupported Configurations

    Figure 45 Multiple tunnels to multiple ports, fastwrite and tape pipelining enabled on a per-tunnel/per-port basis Unsupported configurations The following configurations are not supported with fastwrite and tape pipelining. These configurations use multiple equal-cost paths.
  • Page 384: Ficon Emulation Concepts

    Figure 46 Unsupported configurations with fastwrite and tape pipelining (VE-VE or VEX-VEX) FICON emulation concepts FICON emulation supports FICON traffic over IP WANs using FCIP as the underlying protocol. FICON emulation can be extended to support performance enhancements for specific applications.
  • Page 385: Xrc Emulation

    XRC emulation The eXtended Remote Copy (XRC) application is a DASD application that implements disk mirroring, as supported by the disk hardware architecture and a host software component called System Data Mover (SDM). The primary volume and the secondary mirrored volume may be geographically distant across an IP WAN.
  • Page 386: Fcip Services Configuration Guidelines

    FCIP services configuration guidelines There are multiple configuration requirements and options associated with FCIP services. The following general guidelines may be helpful. The steps are presented in an order that minimizes the number of times ports need to be disabled and enabled. In practice, the steps do not have to be taken in this order. Determine if you are implementing IPSec.
  • Page 387: Configuring Ipsec

    Table 89 Command checklist for configuring FCIP links (continued) Step Command 3. If a VEX port is to be implemented, portcfgvexport configure the appropriate virtual port as a VEX_Port. 4. Configure the IP interface for both portcfg ipif ports of a tunnel. 5.
  • Page 388: Ipsec Parameters

    IPSec policies are managed using the policy command. You can configure up to 32 IKE and 32 IPSec policies. Policies cannot be modified; they must be deleted and recreated in order to change the parameters. You can delete and recreate any policy as long as the policy is not being used by an active FCIP tunnel.
  • Page 389: Managing Policies

    Managing policies Use the policy command to create, delete, and show IKE and IPSec policies. To create a new policy: Log in to the switch as admin. At the command prompt, type: policy --create type number [-enc encryption_method][-auth authentication_algorithm] [-pfs off|on] [-dh DH_group] [-seclife secs] where: type and number The type of policy being created (IKE or IPSec) and the number for...
  • Page 390 The example below shows all of the IKE policies defined; in this example, there are two IKE policies. switch:admin06> policy --show ike all IKE Policy 1 ----------------------------------------- Authentication Algorithm: MD5 Encryption: 3DES Perfect Forward Secrecy: off Diffie-Hellman Group: 1 SA Life (seconds): 0 IKE Policy 32 ----------------------------------------- Authentication Algorithm: SHA-1...
  • Page 391: Persistently Disabling Ports

    SACK on Min Retransmit Time 100 Keepalive Timeout 80 Max Retransmissions 9 Status : Active Uptime 1 day, 23 hours, 24 minutes, 46 seconds IKE Policy 7 ----------------------------------------- Authentication Algorithm: MD5 Encryption: 3DES Perfect Forward Secrecy: off Diffie-Hellman Group: 1 SA Life (seconds): 200000 IPSec Policy 7 -----------------------------------------...
  • Page 392: Configuring Ip Interfaces And Ip Routes

    The following example configures a port as a VEX_Port for slot number 8 in port number 18, enables admin, and specifies fabric ID 2 and preferred Domain ID 220: switch:admin06> portcfgvexport 8/18 -a 1 -f 2 -d 220 Configuring IP interfaces and IP routes The IP network connection between two 400 Multi-protocol Router or two FR4-18i blades is configured by defining IP interfaces for origin and destination virtual ports, and then defining one or more IP routes to connect them.
  • Page 393 The following example verifies that the two routes have been successfully created: switch:admin06> portshow iproute 8/ge0 Slot: 8 Port: ge0 IP Address Mask Gateway Metric Flags -------------------------------------------------------------- ---- 192.168.100.0 255.255.255.0 192.168.100.40 Interface 192.168.100.0 255.255.255.0 192.168.100.41 Interface 192.168.11.0 255.255.255.0 192.168.100.1 192.168.12.0 255.255.255.0 192.168.100.1 If you are implementing VLAN tagging, create a static ARP entry for the IP interfaces on both ends of...
  • Page 394: Configuring Fcip Tunnels

    The following example tests the connection between 192.175.5.100 and 192.175.5.200: switch:admin06> portcmd --ping ge0 -s 192.175.5.100 -d 192.175.5.200 Pinging 192.175.5.200 from ip interface 192.175.5.100 on 0/ge0 with 64 bytes of data Reply from 192.175.5.200: bytes=64 rtt=1ms ttl=64 Reply from 192.175.5.200: bytes=64 rtt=0ms ttl=64 Reply from 192.175.5.200: bytes=64 rtt=0ms ttl=64 Reply from 192.175.5.200: bytes=64 rtt=1ms ttl=64 Ping Statistics for 192.175.5.200:...
  • Page 395: Configuring Ficon Emulation

    Enables FCIP fastwrite. Enables VC QoS mapping. Enables tape pipelining. If tape pipelining is enabled, fastwrite must also be enabled. -n remote_wwn: The remote-side FC entity WWN. -k timeout: The keep-alive timeout in seconds. The range of valid values is 8 through 7,200 sec and the default is 10.
  • Page 396 Where: slot: The number of a slot in a 4/256 SAN Director or DC Director chassis that contains an FR4-18i blade. This parameter does not apply to the stand-alone 400 Multi-protocol Router. ge0|ge1: The Ethernet port used by the tunnel (ge0 or ge1). The tunnel number (0 - 7).
  • Page 397: Configuring Ftrace

    Configuring FTRACE FTRACE is a support tool primarily for use by Tech Support personnel. FTRACE includes the ability to freeze traces on certain events, and to retain the trace information for future examination. The syntax for the portcfg ftrace command is as follows: portcfg ftrace [slot/]ge0|ge1 tunnel_Id cfg [-a 1|0] [-b value] [-e 1|0] [-i value] [-p value] [-r value] [-s value] [-t value] [-z value] Where:...
  • Page 398 The following example shows an active tunnel with FCIP fastwrite and tape pipelining enabled: switch:admin06> portshow fciptunnel ge0 all ------------------------------------------- Tunnel ID 0 Remote IP Addr 10.0.10.224 Local IP Addr 10.0.10.225 Remote WWN Not Configured Local WWN 10:00:00:05:1e:37:91:dd Compression on Fastwrite on Tape Pipelining on Uncommitted bandwidth, minimum of 1000 Kbps (0.001000 Gbps)
  • Page 399 To verify that a VE_Port or VEX_Port is online, use the switchShow command to view and verify that the FCIP tunnel is online. switch:admin06> portenable 8/18 switch:admin06> portenable 8/19 switch:admin06> switchshow switchName:switch switchType:42.2 switchState:Online switchMode:Native switchRole:Subordinate switchDomain:4 switchId:fffc04 switchWwn:10:00:00:60:69:80:0d:bc zoning:ON (LSAN001) switchBeacon:OFF blade3 Beacon: blade4 Beacon:...
  • Page 400: Enabling Persistently Disabled Ports

    Enabling persistently disabled ports Before an FCIP tunnel can be used, the associated ports must be persistently enabled. NOTE: VEX_Port Users: If the fabric is already connected, you must leave the ge0 and ge1 ports disabled until after you have configured the VEX_Port; this will prevent unintentional merging of the two fabrics. To enable a persistently disabled port: Enter the portCfgShow command to view ports that are persistently disabled.
  • Page 401 Enter the portCfgShow command to verify the port is persistently enabled as shown below: switch:admin06> portcfgpersistentenable 8/16 switch:admin06> portcfgpersistentenable 8/17 switch:admin06> portcfgpersistentenable 8/18 switch:admin06> portcfgpersistentenable 8/19 switch:admin06> portcfgshow Ports of Slot 8 9 10 11 12 13 14 15 -----------------+--+--+--+--+----+--+--+--+----+--+--+--+----+--+--+ Speed AN AN AN AN AN AN AN AN...
  • Page 402: Modify And Delete Command Options

    Modify and delete command options Command options are available that allow you to modify or delete configured elements. NOTE: Using the Modify option disrupts traffic on the specified FCIP tunnel for a brief period of time. Modifying FCIP tunnels Use the portCfg fcipTunnel command to modify FCIP tunnels (you must specify at least one characteristic to modify).
  • Page 403: Modifying/Deleting Qos Settings

    -p control_L2Cos: The layer 2 class of service used for control traffic. -P data_L2Cos: The layer 2 class of service used for data traffic. The following example shows two FCIP tunnels created on slot 8, port ge0; the first with an uncommitted bandwidth (0), and the second with a committed bandwidth of 10000 b/sec: switch:admin06>...
  • Page 404 modify: The modify option changes the FICON emulation configuration options and parameters. The following options turn features on and off. The associated tunnels must be disabled to modify the option settings. If you attempt to do them on an enabled tunnel, the operation is not allowed, and you are prompted to disable the...
  • Page 405: Deleting An Fcip Tunnel

    wrtMaxChains value: Defines the maximum amount of data that can be contained in a single CCW chain. If this value is exceeded, emulation is suspended. oxidBase value: Defines the base value of an entry pool of 256 OXIDs supplied to emulation generated exchanges.
  • Page 406: Troubleshooting Fcip Links

    NOTE: If you do not specify a destination IP address, the destination address defaults to 0.0.0.0, and all frames are tagged with the associated VLAN tag. FCIP and ipPerf create and maintain entries in the VLAN tag table through their own configuration procedures.
  • Page 407: Wan Performance Analysis Tools

    WAN performance analysis tools Introduced in Fabric OS 5.2.0, WAN analysis tools are designed to test connections, trace routes, and estimate the end-to-end IP path performance characteristics between a pair of HP FCIP port endpoints. WAN tools include the following commands and options: •...
  • Page 408: Wan Tool Performance Characteristics

    WAN tool performance characteristics Table 92 lists the end-to-end IP path performance characteristics that you can display using the portCmd ipPerf command and option. All four of the base ipPerf performance characteristics (bandwidth, loss, RTT, PMTU) are provided in the command output in Fabric OS 5.2.0 or later. Table 92 WAN tool performance characteristics Characteristic...
  • Page 409: Wan Tool Ipperf Syntax

    To start an ipPerf session: Configure the receiver test endpoint using the CP CLI. The syntax for invoking the receiver test endpoint using ipPerf for slot 8, port ge0 on an FR4-18i is as follows: portcmd --ipperf 8/ge0 -s 192.168.255.10 -d 192.168.255.100 -R Configure the sender test endpoint using a similar CP CLI.
  • Page 410: Using Portcmd Ping

    • Default size—1MSS Following is the syntax for portCmd ipPerf to display end-to-end IP path performance statistics: portCmd --ipPerf [slot]/ge0|ge1 -s source_ip -d destination_ip -S|-R [-r rate] [-z size] [-t time] [-i interval] [-p port] [-q diffserv] [-v vlan_id] [-c L2_Cos] Where: The source IP address.
  • Page 411: Using Portcmd Traceroute

    Where: slot: The number of a slot in a 4/256 SAN Director or DC Director chassis that contains an FR4-18i blade. This parameter does not apply to the stand-alone 400 Multi-protocol Router. ge0|ge1: The Ethernet port used by the tunnel (ge0 or ge1). The source IP interface that originates the ping request.
  • Page 412: Fcip Tunnel Performance Characteristics

    -h max_hops: The maximum number of IP router hops allowed for the outbound probe packets. If this value is exceeded, the probe is stopped. The default is 30. -f first_ttl: The initial time to live value for the first outbound probe packet. The default value is 1.
  • Page 413 2013762456 compressed Bytes 33208083 Bps 30s avg, 4760667 Bps lifetime avg 7.35 compression ratio FC control traffic TCP connection: Local 192.175.4.100:4139, Remote 192.175.4.200:3225 Performance stats: 849 output packets 0 pkt/s 30s avg, 2 pkt/s lifetime avg 173404 output Bytes 39 Bps 30s avg, 409 Bps lifetime avg 0 packets lost (retransmits) 0.00% loss rate 30s avg 806 input packets...
  • Page 414 Uptime 7 minutes, 3 seconds FC control traffic TCP connection: Local 192.175.4.100:4139, Remote 192.175.4.200:3225 Runtime parameters: Send MSS 1456 Bytes Sender stats: smoothed roundtrip 50 ms, variance 0 peer advertised window 1874944 Bytes negotiated window scale (shift count) 9 congestion window 149649 Bytes slow start threshold 1875000 Bytes operational mode: slow start 2 packets queued: TCP sequence# MIN(2950582519)
  • Page 415: 21Ficon Fabrics

    FICON fabrics This chapter provides procedures for managing FICON fabrics. Overview of Fabric OS support for FICON IBM Fibre Connection (FICON®) is an industry-standard, high-speed input/output (I/O) interface for mainframe connections to storage devices. Fabric OS supports intermix mode operations, in which FICON and Fibre Channel technology work together.
  • Page 416: Supported Switches

    Supported switches FICON protocol is supported on the HP StorageWorks 4/256 SAN Director and DC SAN Backbone Director, short name, DC Director. The following port blades can exist in a FICON environment; however, FICON device connection to ports on these blades is not supported: •...
  • Page 417: Ficon Commands

    • The FC4-48 and FC8-48 port blades must not be inserted in slot 10 of the chassis in a FICON configuration. (Other blades are supported in slot 10, but the FC8-48 and FC4-48 blades are not.) Port 255 is reserved for CUP. FICON commands Table 93 summarizes the Fabric OS CLI commands that can be used for managing FICON fabrics.
  • Page 418: User Security Considerations

    User security considerations To administer FICON, you must have one of the following roles: • Admin • Operator • SwitchAdmin • FabricAdmin The User and BasicSwitchAdmin roles are view-only. The ZoneAdmin and SecurityAdmin roles have no access. In an Admin Domain-aware fabric, if you use the FICON commands (ficonshow, ficonclear, ficoncupshow, and ficoncupset) for any Admin Domain other than AD0 and AD255, the current switch must be a member of that Admin Domain.
  • Page 419: Preparing A Switch

    Preparing a switch To verify and prepare a switch for use in a FICON environment, complete the following steps: Connect to the switch and log in as admin. Enter the switchShow command to verify that the switch and devices are online. Change the routing policy on the switch from the default exchange-based policy to the required port-based policy for those switches with FICON devices directly attached using the aptPolicy command when working from the command line.
  • Page 420: Setting A Unique Domain Id

    Figure 48 and Figure 49 show two viable cascaded configurations. These configurations require Channel A to be configured for two-byte addressing and require IDID and fabric binding. It is recommended that there are only 2 domains in a path from a FICON Channel interface to a FICON Control Unit interface. Control Channel Switch...
  • Page 421: Displaying Information

    Enter the switchEnable command to re-enable the switch. switch:admin> configure Configure... Fabric parameters (yes, y, no, n): [no] yes Domain: (1..239) [3] 5 R_A_TOV: (4000..120000) [10000] E_D_TOV: (1000..5000) [2000] Data field size: (256..2112) [2112] Sequence Level Switching: (0..1) [0] Disable Device Probing: (0..1) [0] Suppress Class F Traffic: (0..1) [0] VC Encoded Address Mode: (0..1) [0] Per-frame Route Priority: (0..1) [0]...
  • Page 422: Swapping Ports

    Swapping ports If a port malfunctions, or if you want to connect to different devices without having to re-wire your infrastructure, you can move a port’s traffic to another port (swap ports) without changing the I/O Configuration Data Set (IOCDS) on the mainframe computer. To swap ports: Connect to the switch and log in as admin.
  • Page 423: Setup Summary

    Setup summary To set up FICON CUP, use the following procedure and be sure to perform the steps in the order indicated. For directors with at least 256 ports installed, use the PortDisable command to disable (block) ports 254 and 255. Ports 254 and 255 are not supported in a CUP environment.
  • Page 424: Setting Up Cup When Ficon Management Server Mode Is Enabled

    • Advanced Zoning, if used, continues to be in force. If there are any differences in restrictions set up with Advanced Zoning and PDCM, the most restrictive rules are automatically applied. • RSCNs are sent to devices if PDCM results in changes to connectivity between a set of ports. Changing fmsmode from enabled to disabled triggers the following events: •...
  • Page 425: Displaying Mode Register Bit Settings

    Displaying mode register bit settings The mode register bits are described in Table Table 94 FICON CUP mode register bits POSC Programmed offline state control. When this bit is set on, the host is prevented from taking the switch offline. The default setting is 1 (on). User alert mode.
  • Page 426: Setting Mode Register Bits

    Setting mode register bits Use the ficoncupset modereg command to set the FICON CUP mode register bits for the local switch. Consider the following when changing mode register bits: • As required by the CUP protocol, the UAM bit cannot be changed using this command. •...
  • Page 427: Port And Switch Naming Standards

    Port and switch naming standards Fabric OS handles differences in port and switch naming rules between CUP and itself as follows: • CUP employs 8-bit characters in port address names and switch names; Fabric OS employs 7-bit characters. When fmsmode is enabled, all characters greater than 0x40 and not equal to 0xFF (EBCDIC code page 37 [0x25]) are allowed in the name;...
  • Page 428: Troubleshooting

    Troubleshooting The following sources provide useful problem-solving information: • The standard support commands (portLogDump, supportSave, supportShow) or the Fabric Manager Event Log. By default, the FICON group in the supportShow output is disabled. To enable the capture of FICON data in the supportShow output, enter the supportshowcfgenable ficon command. After you get confirmation that the configuration has been updated, the following will be collected and appear in the output for the supportShow command: •...
  • Page 429: Backing Up And Restoring Ficon Configuration Files

    Backing up and restoring FICON configuration files The FICON file access facility is used to store configuration files. This includes IPL and other configuration files. The Fabric OS saves the IPL and all other configuration files on the switch. A maximum of 16 configuration files, including the IPL file, are supported.
  • Page 430: Recording Configuration Information

    Recording configuration information You can use the following worksheet for recording FICON configuration information. Table 95 FICON configuration worksheet FICON Switch Configuration Worksheet ® FICON Switch Manufacturer:___________________Type: _________ Model: ______ S/N: ________ ® HCD Defined Switch ID_________(Switch ID) Cascaded Directors No _____Yes _____ FICON Switch Domain ID_________(Switch @) Corresponding Cascaded Switch Domain ID _____...
  • Page 431: Sample Iocp Configuration File

    Sample IOCP configuration file The channel subsystem controls communication between a configured channel, the control unit, and the device. The I/O Configuration Dataset (IOCDS) defines the channels, control units, and devices to the designated logical partitions (LPARs) within the server; this is defined using the Input/Output Configuration Program (IOCP).
  • Page 433: 22Configuring And Monitoring Ficon Extension Services

    22 Configuring and monitoring FICON Extension Services This chapter describes the FICON extension concepts, configuration procedures, and tools and procedures for monitoring network performance. Commands described in this chapter require Admin or root user access. See the Fabric OS Command Reference for detailed information on command syntax. FICON extension products licensing Several specific licensed features are available for FICON extension.
  • Page 434: Platforms That Support Ficon Extension Over Ip

    Platforms that support FICON extension over IP Fabric OS supports SAN extension between 400 MP Router, or between FR4-18i blades. The 400 MP Router and the FR4-18i blade both have 16 physical Fibre Channel ports and 2 physical GbE ports as illustrated in Figure 50 Figure...
  • Page 435: Fcip Configuration Requirements For Ficon Extension

    FCIP Configuration requirements for FICON extension FICON extension uses FCIP for transport. FCIP interfaces and tunnels used for FICON extension must be defined prior to configuring FICON emulation. Ports should remain persistently disabled until after FICON emulation is configured. Refer to ”Configuring and monitoring FCIP extension services”...
  • Page 436: Cross-Coupled Configurations

    to block (prohibit) specific F_Port to E_Port connections. You can create a determinate data path by blocking all F_Port to E_Port connections except the one you want to use for FICON traffic. Figure 52 shows a portion of the allow/prohibit matrix. The F_Port addresses are in the vertical column to the left, and the E_Port addresses are in a horizontal row at the top.
  • Page 437: Tape Write Pipelining

    responses to remote hosts, eliminating distance related delays. A FICON XRC Emulation License is required to enable XRC Emulation. Tape Write Pipelining FICON tape write pipelining improves performance for a variety of applications when writing to tape over extended distances. FICON tape write pipelining locally acknowledges write data records, enabling the host to generate more records while previous records are in transit across the IP WAN.
  • Page 438 wrtMaxPipe value Defines a maximum number of channel commands that may be outstanding at a given time during write pipelining. Too small a value will result in poor performance. The value should be chosen carefully based upon the typical tape channel program that requires optimum performance.
  • Page 439: Displaying Ficon Emulation Configuration Values

    Displaying FICON emulation configuration values You can display the values configured for FICON emulation by using the portShow ficon command. The following example shows FICON emulation configuration values for port ge1. Sprint108:root> portshow ficon ge1 all Port: ge1 VE_STATUS TunnelId vePort vePortStatus veFeatureBitMap veHashEntryCount DOWN DOWN DOWN...
  • Page 440 -t 1|0 Enables or disables TIN/TUR emulation. 1 is enable, 0 is disable. This option should be enabled when one or all of the following features are enabled: • XRC emulation. • tape write pipelining. • tape read pipelining. -l 1|0 Enables or disables device level ACK emulation.
  • Page 441: Ficon Performance Statistics

    FICON performance statistics You can use the portshow ficon command to view the performance statistics and monitor the behavior of FICON emulation. The syntax is as follows. portShow ficon [Slot/]ge0|ge1 all|tunnel_id [arguments] Where: slot The slot number of a blade in a multi-slot chassis. Does not apply to the MP 400 Router.
  • Page 442: Monitoring Ficon Emulation

    Monitoring FICON emulation The -emul argument can be used to monitor FICON Emulation. The following is an example. Sprint108:root> portshow ficon ge1 0 -emul XRC and Tape statistics are presented in different output formats. The following elements are common to both tape emulation and XRC emulation outputs: FDCB ptr A pointer to the FICON Device Control Block.
  • Page 443 Tape output example: TAPE EMULATION STATS +----------+----------------+-+-----+----+----+----+-----------+----------+------+----------+---- | FDCB Ptr | Path |H|State|Emul|Emul|Rtry| Emulated |Emulated |RdAvg |Emulated |WtAvg | (0x) (0x) |Pipe|Q'd | Qd | Tape Ops |Read CCWs | Size |Write CCWs| Size | +----------+----------------+-+-----+----+----+----+-----------+----------+------+----------+---- |0x10018A00|2463016406050000|H| 0x14|0x20|000E|0000| 13212| 125754| 32760| |0x1001E800|2463016406050001|H| 0x14|0x20|001A|0000| 13647| 128776| 32760|...
  • Page 444 XRC output example: XRC EMULATION STATS +----------+----------------+-+-----+----+----+----+----+-----------+---+------+------+ | FDCB Ptr | Path |H|State|Cmds| Cmd|Data|Data| Emulated |Avg| RRS| RRS | (0x) (0x) | Qd | Max| Qd |Max | RRS Ops |RRS| TLF| Read| +----------+----------------+-+-----+----+----+----+----+-----------+---+------+------+ |0x1017DC00|24B100B20E11092B|H| 0x00|0000|000F|0000|0230| 47184|213| 25636| 16063| |0x104B4C00|24B100B20E1109F7|H| 0x00|0000|000F|0000|01E0| 3961|146| 41409| 26313| |0x104B5000|24B100B20E1109F8|H| 0x00|0000|000F|0000|1112| 3855|148| 41613| 27182|...
  • Page 445: A Configuring The Pid Format

    Configuring the PID format Port identifiers (called PIDs) are used by the routing and zoning services in Fibre Channel fabrics to identify ports in the network. All devices in a fabric must use the same PID format, so when you add new equipment to the SAN, you might need to change the PID format on legacy equipment.
  • Page 446: Impact Of Changing The Fabric Pid Format

    Impact of changing the fabric PID format If your fabric contains switches that use Native PID, it is recommended that you change the format to Core PID before you add the new, higher port count switches and directors. Also, it is recommended that you use Core PID when upgrading the Fabric OS version on 1Gb and 2Gb series switches.
  • Page 447: Changes To Configuration Data

    Changes to configuration data Table 96 lists various combinations of before-and-after PID formats, and indicates whether the configuration is affected. NOTE: After changing the fabric PID format, if the change invalidates the configuration data (see Table 96 to determine this), do not download old (pre-PID format change) configuration files to any switch on the fabric.
  • Page 448: Evaluating The Fabric

    Table 97 shows various combinations of existing fabrics, new switches added to those fabrics, and the recommended PID format for that combination. The criteria for the recommendations are first to eliminate host reboots, and second to minimize the need for a host reboot in the future. Table 97 PID format recommendations for adding new switches Existing Fabric OS versions;...
  • Page 449 Collect device, software, hardware, and configuration data. The following is a non-comprehensive list of information to collect: • HBA driver versions • Fabric OS versions • RAID array microcode versions • SCSI bridge code versions • JBOD drive firmware versions •...
  • Page 450: Planning The Update Procedure

    If either of the first two options is used, the procedures should again be validated in the test environment. Determine the behavior of multipathing software, including but not limited to: • HBA time-out values • Multipathing software time-out values • Kernel time-out values Planning the update procedure Whether it is best to perform an offline or online update depends on the uptime requirements of the site.
  • Page 451: Offline Update

    Offline update The following steps are intended to provide SAN administrators a starting point for creating site-specific procedures. Schedule an outage for all devices attached to the fabric. Back up all data and verify backups. Shut down all hosts and storage devices attached to the fabric. Disable all switches in the fabric.
  • Page 452: Converting Port Number To Area Id

    Before changing the PID format, determine if host reboots will be necessary. The section ”Host reboots” on page 446 summarizes the situations that may require a reboot. switch:admin> switchdisable switch:admin> configure Configure... Fabric parameters (yes, y, no, n): [no] y Domain: (1..239) [1] BB credit: (1..27) [16] R_A_TOV: (4000..120000) [10000]...
  • Page 453: Performing Pid Format Changes

    Performing PID format changes There are several routine maintenance procedures which might result in a device receiving a new PID. Examples include, but are not limited to: • Changing compatibility mode settings • Changing switch Domain IDs • Merging fabrics •...
  • Page 454: Hp/Ux Procedure

    Suppress Class F Traffic: (0..1) [0] SYNC IO mode: (0..1) [0] Core Switch PID Format: (0..2) [0] 1 Per-frame Route Priority: (0..1) [0] Long Distance Fabric: (0..1) [0] BB credit: (1..27) [16] After all switches are updated to use the new PID format and re-enabled, verify the fabric has fully reconverged.
  • Page 455: Aix Procedure

    vgexport –a y /dev/jbod If you are not using multipathing software, mount all devices again and restart I/O. For example: mount /mnt/jbod If you are using multipathing software, reenable the affected path. The preceding steps do not “clean up” the results from ioscan. When viewing the output of ioscan, notice that the original entry is still there, but now has a status of NO_HW.
  • Page 456: Swapping Port Area Ids

    If you are not using multipathing software, vary the volume groups offline. The command usage is varyoffvg <volume_group_name>. For example: varyoffvg datavg If you are not using multipathing software, unmount the volumes from their mount points using umount. The command usage is umount <mount_point>. For example: umount /mnt/jbod If you are using multipathing software, use that software to remove one fabric’s devices from its configuration.
  • Page 457 portdisable slot/port1 portdisable slot/port2 HP StorageWorks 4/8, 4/16, 4/32, 8/8 SAN Switch, 8/24 SAN Switch, 8/40 SAN Switch, 8/80 SAN Switch, and 400 Multi-protocol Router switches: Enter the following command: portswap port1 port2 4/256 SAN Director and DC SAN Backbone Director (short name, DC Director): Enter the following command: portswap slot1/port1 slot2/port2 Verify that the port area IDs have been swapped:...
  • Page 459: B Understanding Legacy Password Behaviour

    Understanding legacy password behaviour This appendix provides password information for early versions of Fabric OS firmware. Password management information Table 98 describes the password standards and behaviors between various versions of firmware. Table 98 Account/password characteristics matrix Topic 4.0.0 4.1.0 to 4.2.0 4.4.0 and later Number of default accounts 4, chassis-based...
  • Page 460: Password Prompting Behaviors

    Table 98 Account/password characteristics matrix (continued) Topic 4.0.0 4.1.0 to 4.2.0 4.4.0 and later Can passwd change Yes, but will ask for Yes; if users connect as 4.4.0 to 5.1.0 only: higher-level passwords? For the “old password” admin, they can change Yes, if users connect as example, can admin change of the higher-level...
  • Page 461: Password Migration During Firmware Changes

    Password migration during firmware changes Table 100 describes the expected outcome of password settings when upgrading or downgrading firmware for various Fabric OS versions. Table 100 Password migration behavior during firmware upgrade/downgrade Topic 4.4.0 to 5.0.1 5.0.1 and later Passwords used when upgrading to a Default accounts and passwords Default accounts and passwords newer firmware release for the first time.
  • Page 463: C Interoperating With An M-Eos Fabric

    Interoperating with an M-EOS fabric For information on HP supported interop configurations, refer to the HP StorageWorks Fabric interoperability: merging fabrics based on C-Series and B-Series Fibre Channel switches on the following HP website: http://h18000.www1.hp.com/products/storageworks/san/documentation.html
  • Page 465: D Migrating From An Mp Router To A 400 Mp Router

    Migrating from an MP Router to a 400 MP Router This section describes how to upgrade routers in your fabric with the least disruption, while providing better performance and scalability. Improper implementation could lead to a change in the xlate Domain IDs and proxy device PIDs, which may cause disruption in the fabric.
  • Page 466: Redundant Configuration

    Figure 55 Configuration during the upgrade The switch Domain ID and BB fabric ID of the new FC router can be identical. Once the metaSAN is stable and EX_Ports on the new router are ‘active’, the old router can be taken out of the setup. Redundant configuration The configuration shown in Figure 56...
  • Page 467: Devices Directly Connected To Router

    Figure 57 Dual backbone fabric configuration Devices directly connected to router In the Multi-protocol Router, end devices are allowed to be directly connected, but these devices cannot be imported to other edge fabrics (using LSAN zones). During the upgrade process, these devices will face disruption unless there is redundancy support provided from the device end.
  • Page 469: E Using Remote Switch

    Using Remote Switch This appendix provides information on the Remote Switch feature. About Remote Switch The Remote Switch feature, which aids in ensuring gateway compatibility, was formerly a licensed feature. Its functionality is now available as part of the Fabric OS standard feature set through the use of the portCfgIslMode command, which is described in ”Linking through a gateway”...
  • Page 470 You must connect the fabrics through the gateway device, and make sure that the configure parameters are compatible with the gateway device. You may be required to reconfigure the following parameters, depending on the gateway requirements: NOTE: Consult your gateway vendor for supported and qualified configurations. •...
  • Page 471: Zone Merging Scenarios

    This example shows how to modify the data field size and suppress class F traffic on a switch: switch:admin> switchdisable switch:admin> configure Configure... Fabric parameters (yes, y, no, n): [no] yes Domain: (1..239) [3] R_A_TOV: (4000..120000) [10000] E_D_TOV: (1000..5000) [2000] Data field size: (256..2112) [2112] 1000 Sequence Level Switching: (0..1) [0] Disable Device Probing: (0..1) [0]...
  • Page 473: Zone Merging Scenarios

    Zone merging scenarios Table 103 provides information on merging zones and the expected results. Table 103 Zone merging scenarios Description Switch A Switch B Expected results Switch A has a defined defined: defined: none Configuration from Switch A to configuration. cfg1: effective: none propagate throughout the fabric...
  • Page 474 Table 103 Zone merging scenarios (continued) Description Switch A Switch B Expected results Switch A and Switch B have defined: cfg2 defined: cfg1 Clean merge. The new different defined configurations. zone2: ali3; ali4 zone1: ali1; ali2 configuration will be a Switch B has an enabled effective: none effective: cfg1...
  • Page 475: F Zone Merging Scenarios

    Table 103 Zone merging scenarios (continued) Description Switch A Switch B Expected results Different default zone access defzone: noaccess defzone: allaccess Clean merge — noaccess takes mode settings. precedence and defzone configuration from Switch A propagates to fabric. defzone: noaccess Same default zone access mode defzone: allaccess defzone: allaccess...
  • Page 489 Figures Example of a Brocade DCT file; Example of the dictiona.dcm file...
  • Page 490 57 Dual backbone fabric configuration...
  • Page 491 Tables Switch model naming matrix; Document conventions...
  • Page 492: Trunking Support For 4/256 San Director And Dc Directors With Supported Blades

    57 Zoning database limitations; 58 Resulting database size: 0 to 96K...
