
HP A7533A - Brocade 4Gb SAN Switch Base Administrator's Manual

HP StorageWorks Fabric OS 5.3.x administrator guide (5697-0244, November 2009).
HP StorageWorks
Fabric OS 5.3.x administrator guide
Part number: 5697-0244
November 2009

   Summary of Contents for HP A7533A - Brocade 4Gb SAN Switch Base

  • Page 1

    HP StorageWorks Fabric OS 5.3.x administrator guide Part number:5697-0244 November 2009...

  • Page 2

    © Copyright 2007 Brocade Communications Systems, Incorporated. Hewlett-Packard Company makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

  • Page 3: Table Of Contents

    Contents: About this Guide (page 17); Supported HP StorageWorks hardware

  • Page 4: Table Of Contents

    Activating ports on demand (page 42); How to activate Ports on Demand

  • Page 5: Table Of Contents

    Changing local account passwords (page 69); How to change the password for the current login account

  • Page 6: Table Of Contents

    How to enable telnet (page 91); Blocking listeners

  • Page 7: Table Of Contents

    Deleting an ACL policy (page 129); Aborting all uncommitted changes

  • Page 8: Table Of Contents

    Assigning a user to an admin domain (page 161); How to create a new user account for managing Admin Domains

  • Page 9: Table Of Contents

    9 Configuring Directors (page 203); Identifying ports

  • Page 10: Table Of Contents

    Matching fabric parameters (page 247); EX_Port frame trunking (optional)

  • Page 11: Table Of Contents

    Recording configuration information (page 281); Sample IOCP configuration file for SAN Switch 2/32, SAN Switch 4/32, SAN Switch 4/32B, SAN Director 2/128, and 4/256 SAN Director switches

  • Page 12: Table Of Contents

    Supported hardware (page 328); How port mirroring works

  • Page 13: Table Of Contents

    Zone aliases (page 371); Zone configurations

  • Page 14: Table Of Contents

    Testing end-to-end IP path performance (page 406); Fastwrite and tape pipelining

  • Page 15

    Password recovery options (page 450); D Using Remote Switch

  • Page 17: About This Guide, Supported Hp Storageworks Hardware, Intended Audience, Related Documentation

    About this Guide This guide provides procedures to help you maintain Fabric OS 5.3.0 running in your Storage Area Network (SAN). Supported HP StorageWorks hardware Table 1 lists Brocade and HP StorageWorks product models supported by Fabric OS 5.3.0 at the time of this document’s release.

  • Page 18: Glossary Of Terms, Document Conventions And Symbols

    WARNING! For late breaking, supplemental information, access the latest version of the HP StorageWorks Fabric OS 5.3.x release notes. Glossary of terms This guide uses industry standard SAN terminology. However, some terms are intrinsic to Fabric OS 5.3.0. See the Brocade Glossary supporting Fabric OS 5.3.0 for a complete list of terms and definitions. Access from the HP web site using the procedure outlined in “Related documentation”.

  • Page 19: Hp Technical Support, Hp-authorized Reseller, Helpful Web Sites

    HP technical support Telephone numbers for worldwide technical support are listed on the HP support web site: http://www.hp.com/support/. Collect the following information before calling: • Technical support registration number (if applicable) • Product serial numbers • Product model names and numbers •...

  • Page 21: Introducing Fabric Os Cli Procedures, About Procedural Differences, Scope And References

    Introducing Fabric OS CLI procedures This chapter summarizes procedures for configuring and managing an HP StorageWorks SAN using the Fabric OS Command Line Interface (CLI). The guide applies to the following product models: • HP StorageWorks switches: 4/16 SAN Switch and 4/8 SAN Switch, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, SAN Switch 4/32, SAN Switch 4/32B, 4/64 SAN Switch, and 400 MP Router...

  • Page 22: About The Cli

    There are several methods that you can use to configure a switch. These are listed with their respective documents: • Command Line Interface (CLI) • A telnet session into logical switches • A telnet session into active and standby CPs for Director class switches •...

  • Page 23: Help Information, Displaying Command Help, Displaying Additional Help Topics

    Help information Each Fabric OS command provides Help information that explains the command function, its possible operands, its level in the command hierarchy, and additional pertinent information. Displaying command Help Connect to the switch and log in as admin. To display a list of all command help topics for a given login level, enter the help command with no user arguments.

  • Page 24

    Introducing Fabric OS CLI procedures...

  • Page 25: Performing Basic Configuration Tasks, Connecting To The Cli, Using Telnet Or Ssh Session

    Performing basic configuration tasks Connecting to the CLI Connect to the CLI either through a telnet or SSH connection or through a console session on the serial port. Using telnet or SSH session Connect to the Fabric OS CLI of a switch that has a configured network interface using a telnet or SSH session.

  • Page 26: Using A Console Session On The Serial Port, How To Connect Via The Serial Port

    If you have not changed the system passwords from the default, you are prompted to change them. Enter the new system passwords, or press Ctrl-c to skip the password prompts. See “How to change default passwords at login” on page 28. Verify that the login was successful.

  • Page 27: Changing Default Passwords Summary

    Every logical switch (domain) has a set of default accounts. The root and factory default accounts are reserved for development and manufacturing. The user account is primarily used for system monitoring. For more information on default accounts, see “About the default accounts”...

  • Page 28: How To Change Default Passwords At Login, Configuring The Ethernet Interface

    How to change default passwords at login Connect to the switch and log in as admin. The default password for all default accounts is: password At each of the “Enter new password” prompts, either enter a new password or skip the prompt. Press Enter to skip a prompt.

  • Page 29: How To Display Network Interface Settings, Static Ethernet Addressing Summary

    How to display network interface settings If an IP address has not been assigned to the network interface (Ethernet), you must connect to the Fabric OS CLI using a console session on the serial port, see “How to connect via the serial port”...

  • Page 30: How To Set Static Addresses For The Ethernet Network Interface, Configuring Dhcp

    How to set static addresses for the Ethernet network interface Connect to the switch and log in as admin. Enter the following command to set the IPv4 address: switch:admin> ipaddrset Ethernet IP Address [192.168.74.102]: Ethernet Subnetmask [255.255.255.0]: Fibre Channel IP Address [220.220.220.2]: Fibre Channel Subnetmask [255.255.0.0]: Gateway IP Address [192.168.74.1]: DHCP [OFF]: off...

  • Page 31: Dhcp Summary, How To Enable Dhcp, How To Disable Dhcp

    DHCP summary Plug DHCP-enabled switches into the network, power on the switch, and the switch automatically obtains the Ethernet IP address, Ethernet subnet mask, and default gateway address from the DHCP server. The DHCP client can only connect to a DHCP server on the same subnet as the switch. Do not enable DHCP if the DHCP server is not on the same subnet as the switch.

  • Page 32: Setting The Date And Time, Setting Time Zones

    Setting the date and time Switches maintain the current date and time inside a battery-backed real-time clock (RTC) circuit. Date and time are used for logging events. Switch operation does not depend on the date and time; a switch with an incorrect date and time value still functions properly.

  • Page 33: How To Set The Time Zone

    You can set the time zone for a switch using the tsTimeZone command. The tsTimeZone command allows you to: • Display all of the time zones supported in the firmware • Set the time zone based on a Country and City combination or based on a time zone ID such as PST See the tsTimeZone command in the Fabric OS Command Reference Manual for more detailed information about the command parameters.

  • Page 34: How To Set The Time Zone Interactively

    How to set the time zone interactively Type the tsTimeZone command as follows: switch:admin> tstimezone --interactive Select a general location: Please identify a location so that time zone rules can be set correctly. Please select a continent or ocean. Africa Americas Antarctica Arctic Ocean...

  • Page 35: Synchronizing Local Time Using Network Time Protocol (ntp)

    You are finally prompted to specify the time zone region. Please select one of the following time zone regions. 1) Eastern Time 2) Eastern Time - Michigan - most locations 3) Eastern Time - Kentucky - Louisville area 4) Eastern Time - Kentucky - Wayne County 5) Eastern Time - Indiana - most locations 6) Eastern Time - Indiana - Crawford County 7) Eastern Time - Indiana - Starke County...

  • Page 36: Maintaining Licensed Software Features

    How to synchronize local time with an external source Connect to the switch and log in with an account assigned to the admin role. Enter the tsClockServer command: switch:admin> tsclockserver "<ntp1;ntp2>" Where ntp1 is the IP address or DNS name of the first NTP server, which the switch must be able to access.

  • Page 37: How To Generate Or Activate A License Key

    You need the following items for each chassis to be licensed: • Transaction key in the paperpack document supplied with the switch software. Or, when you purchased a license, HP provides a transaction key to be used for generating a software license key. •...

  • Page 38: How To Remove A Licensed Feature

    b. Activate the license using the licenseAdd command: switch:admin> licenseadd "key" The license key is case-sensitive and must be entered exactly as given. The quotation marks are optional. For HP StorageWorks Director models, licenses are effective on both CP blades and on all logical switches, but are valid only when the CP blade is inserted into a chassis that has an appropriate license ID stored in the World Wide Name (WWN) card.

  • Page 39: Customizing A Switch Name, How To Customize The Switch Name

    After a reboot (or switchDisable and switchEnable) only the remaining licenses appear: switch:admin> licenseshow SybbzQQ9edTzcc0X: Fabric license switch:admin> If there are no license keys, licenseShow displays “No licenses.” Customizing a switch name Switches can be identified by IP address, Domain ID, World Wide Name (WWN), or by customized switch names that are unique and meaningful.

  • Page 40: Customizing The Chassis Name, How To Change The Chassis Name, Working With Domain Ids

    Record the new switch name for future reference. SAN Director 2/128 configured with two domains: Disconnect from the session and repeat the procedure for the second logical switch. switch:admin> switchname "switch62" Committing configuration... Done. switch62:admin> Customizing the chassis name Beginning with Fabric OS 4.4.x, it is recommended that you customize the chassis name for each switch. Some system logs identify switches by chassis names, so if you assign meaningful chassis names in addition to meaningful switch names, logs will be more useful.

  • Page 41: How To Display Domain Ids, How To Set The Domain Id

    How to display domain IDs Connect to a switch and log in as admin. Enter the fabricShow command. Fabric information is displayed, including the domain ID (D_ID): switch:admin> fabricshow Switch ID Worldwide Name Enet IP Addr FC IP Addr Name ------------------------------------------------------------------------- 1: fffc01 10:00:00:60:69:e4:00:3c 10.32.220.80...

  • Page 42: Activating Ports On Demand

    Enter the switchEnable command to re-enable the switch. Activating ports on demand The SAN Switch 2/32 can be purchased with 16 or 32 licensed ports. As your needs increase, you can activate unlicensed ports (up to the maximum of 32 ports) by purchasing and installing the HP Ports on Demand optional, licensed product.

  • Page 43: How To Activate Ports On Demand, Configuring Dynamic Ports On Demand (dpod)

    CAUTION: If you enable or disable an active port you will disrupt any traffic and potentially lose data transmission on that port. If the port is connected to another switch, you will segment the switch from the fabric and all traffic between the disabled port and the fabric will be lost.

  • Page 44: Activating Dynamic Ports On Demand, Disabling Dynamic Ports On Demand

    Full POD license is installed Static POD method is in use 24 port assignments are provisioned for use in this switch: 12 port assignments are provisioned by the base switch license 12 port assignments are provisioned by a full POD license 24 ports are assigned to installed licenses: 12 ports are assigned to the base switch license 12 ports are assigned to the full POD license...

  • Page 45: Managing Pod Licenses, Reserving A License

    Connect to the switch and log in as admin. Enter the licensePort method command with the static option to change the license assignment method to static. switch:admin> licenseport --method static The POD method has been changed to static. Please reboot the switch now for this change to take effect. Enter the reboot command to restart the switch.

  • Page 46: Releasing A Port

    switch:admin> licenseport --reserve 0 If all port reservations are assigned, select a port to release its POD license. You must disable the port first by entering the command portdisable <port num>. Enter the licensePort release command to remove the port from the POD license. switch:admin>...

  • Page 47: Disabling And Enabling A Switch, How To Disable A Switch, How To Enable A Switch

    Enter the switchShow command to verify the switch state is now online. Disabling and enabling a switch By default, the switch is enabled after power is applied and diagnostics and switch initialization routines have finished. You can disable and re-enable it as necessary. How to disable a switch Connect to the switch and log in as admin.

  • Page 48: How To Enable A Port, Making Basic Connections, Connecting To Devices, Connecting To Other Switches

    How to enable a port Connect to the switch and log in as admin. HP StorageWorks 4/16 SAN Switch and 4/8 SAN Switch, SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, SAN Switch 4/32, 4/64 SAN Switch, 4/32B SAN Switch and 400 MP Router: Enter the following command: switch:admin>...

  • Page 49: Linking Through A Gateway, How To Configure A Link Through A Gateway

    Linking through a gateway A gateway merges SANs into a single fabric by establishing point-to-point E_Port connectivity between two Fibre Channel switches that are separated by a network with a protocol such as IP or SONET. Except for link initialization, gateways are transparent to switches; the gateway simply provides E_Port connectivity from one switch to another.

  • Page 50: Checking Status, How To Verify Switch Operation, How To Verify High-availability Features

    Checking status You can check the status of switch operation, high availability features, and fabric connectivity. How to verify switch operation Connect to the switch and log in as admin. Enter the switchShow command at the command line. This command displays a switch summary and a port summary.

  • Page 51: How To Show Switches In Access Gateway Mode, Tracking And Controlling Switch Changes

    Enter the nsAllShow command at the command line. This command displays 24-bit Fibre Channel addresses of all devices in the fabric. switch:admin> nsallshow 010e00 012fe8 012fef 030500 030b04 030b08 030b17 030b18 030b1e 030b1f 040000 050000 050200 050700 050800 050de8 050def 051700 061c00 071a00 073c00 090d00 0a0200 0a07ca 0a07cb 0a07cc 0a07cd 0a07ce 0a07d1 0a07d2 0a07d3 0a07d4 0a07d5 0a07d6 0a07d9 0a07da 0a07dc 0a07e0 0a07e1 0a0f01 0a0f02 0a0f0f 0a0f10 0a0f1b 0a0f1d 0b2700 0b2e00 0b2fe8...

  • Page 52: How To Display The Status Of The Track Changes Feature

    A message displays, verifying that the track changes feature is on: switch:admin> trackchangesset 1 Committing configuration...done. switch:admin> The output from the track changes feature is dumped to the system message log for the switch. Use the errDump or errShow command to view the log. Items in the system message log created from the track changes feature are labeled TRCK: 2004/08/24-08:45:43, [TRCK-1001], 212,, INFO, ras007, Successful login by user admin.

  • Page 53: How To Set The Switch Status Policy Threshold Values

    The output is similar to the following: switch:admin> switchstatuspolicyshow The current overall switch status policy parameters: Down Marginal ---------------------------------- PowerSupplies Temperatures Fans Blade Flash MarginalPorts FaultyPorts MissingSFPs switch:admin> The policy parameter determines the number of failed or inoperable units for each contributor that will trigger a status change in the switch.

  • Page 54: Configuring The Audit Log

    shows the command as executed on a SAN Switch 2/32 switch. The output is similar on SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 4/32, 4/64 SAN Switch, and 400 MP Router models: switch:admin> switchstatuspolicyset To change the overall switch status policy parameters The current overall switch status policy parameters: Down Marginal...

  • Page 55: Auditable Event Classes

    • By default, all event classes are configured for audit; to create an audit event log for specific events, you must explicitly set a filter via the class operand and then enable it. • Audited events are generated specific to a switch and have no negative impact on performance. •...

  • Page 56: How To Verify Host Syslog Prior To Configuring The Audit Log

    Audit events have the following message format: AUDIT, <Timestamp>, [<Event ID>], <Severity>, <Event Class>, <User ID>/<Role>/<IP address>/<Interface>,<Admin Domain>/<Switch name>,<Reserved>,<Event-specific information> Switch names are logged for switch components and chassis names for chassis components. For example, a chassis name might be FWDL or RAS and a switch component name might be zone, name server, or SNMP.

  • Page 57: Shutting Down Switches And Directors, To Power Off A Director Gracefully (prior To 5.1.0)

    The following example shows the SYSLOG (system message log) output for audit logging. 2 08:33:04 [10.32.220.7.2.2] raslogd: AUDIT, 2006/06/02-15:25:53, [SULB-1003], INFO, FIRMWARE, root/root/NONE/console/CLI, ad_0/ras007_chassis, , Firmwarecommit has started. Jun 5 06:45:33 [10.32.220.70.2.2] raslogd: AUDIT, 2006/06/05-13:38:17, [CONF-1010], INFO, CONFIGURATION, root/root/NONE/ console/CLI, ad_0/ras070, , configDownload failed Jun 5 08:15:32 [10.32.248.73.2.2] raslogd: AUDIT, 2006/06/05-13:38:17, [SEC-1000], WARNING, SECURITY, JaneDoe/root/192.168.132.19/ telnet, Domain A/DoeSwitch, , Incorrect password during login attempt.

  • Page 58: High Availability Of Daemon Processes

    High availability of daemon processes Fabric OS 5.3.0 supports automatic restart of non-critical daemons. Starting these non-critical daemons is automatic; you cannot configure the startup process. The following sequence of events occurs when a non-critical daemon fails: When a non-critical daemon fails or dies, a RASlog and AUDIT event message is logged. The daemon is automatically started again.

  • Page 59: Managing User Accounts, Overview, Accessing The Management Channel, Using Role-based Access Control (rbac)

    Managing user accounts This chapter provides information and procedures on managing authentication and user accounts. Overview Fabric OS provides two options for authenticating users—remote RADIUS services and/or the local switch user database. Both options allow users to be centrally managed using the following methods: •...

  • Page 60: Role Permissions

    Table 9 Fabric OS 5.3.0 roles Role name Version Duties Description 5.2.x and higher Restricted switch Mostly monitoring with limited BasicSwitchAdm administration switch (local) commands. Monitoring only Nonadministrative use, such as User monitoring system activity. Role Permissions Table 10 describes the types of permissions that are assigned to roles. Table 10 Permission types Abbreviation...

  • Page 61

    Table 11 RBAC permissions matrix (continued) Category Role permission User Operator Switch Zone Fabric Basic Admin Security admin admin admin switchadmin Admin Fabric Watch FICON Firmware Management FRU Management HA (High Availability) O iSCSI Switch Management—IP Configuration Local User Environment Logging License...

  • Page 62: Configuring The Authentication Model

    Table 11 RBAC permissions matrix (continued) Category Role permission User Operator Switch Zone Fabric Basic Admin Security admin admin admin switchadmin Admin Switch Port Management Topology User Management WWN Card Zoning Set the authentication model on each switch. Refer to “Configuring the authentication model”...

  • Page 63: How To Set The Switch Authentication Model, Managing The Local Database User Accounts

    Configuring the authentication model This section explains how to configure authentication of the switch management channel connections. Fabric OS 5.3.0 supports use of both the local user database and RADIUS service at the same time. Use the aaaConfig command to set the authentication model for Fabric OS switch management channel connection authentication model as shown in Table Table 12...

  • Page 64: About The Default Accounts, Defining Local User Accounts, How To Display Account Information

    About the default accounts Fabric OS provides the following predefined accounts in the switch-local user database. Change the password for all defaults during the initial installation and configuration, see Table Table 13 Default local user accounts Account Name Role Admin Description domain user...

  • Page 65: How To Create An Account, How To Delete An Account

    How to create an account Connect to the switch and log in. Enter the following command: userConfig --add <username> -r <rolename> [-h <admindomain_ID>] [-a <admindomain_ID list>] [-d <description>] [-x] username: Specifies the account name, which must begin with an alphabetic character.

  • Page 66: How To Change Account Parameters, How To Add An Administrative Domain To The Account

    How to change account parameters When changing account parameters, if you change the ADlist for the user account, all of the currently active sessions for that account will be logged out. Connect to the switch and log in. Enter the following command: userconfig --change username [-r rolename] [-h admindomain_ID]...

  • Page 67: Recovering Accounts, How To Recover An Account, Changing Local Account Passwords

    removed from the existing list. If the -h argument is not specified, the home Admin Domain will either remain as it was or will be the lowest Admin Domain ID in the remaining list. Recovering accounts The following conditions apply to recovering user accounts: •...

  • Page 68: How To Change The Password For A Different Account, Configuring The Local User Database

    How to change the password for a different account Connect to the switch and log in. Enter the following command: passwd name where name is the name of the account. Enter the requested information at the prompts. Configuring the local user database This section covers the following topics: •...

  • Page 69: How To Accept The User Database, How To Reject Distributed User Databases, Configuring Password Policies

    How to accept the user database Connect to the switch. Enter the following command: fddCfg --localaccept PWD where PWD is one of the three supported database policies. Supported policy databases are SCC, DCC, PWD. How to reject distributed user databases Connect to the switch.

  • Page 70: How To Set The Password History Policy, How To Set The Password Expiration Policy

    not allowed because it is incompatible with Web Tools. The default value is zero. The maximum value must be less than or equal to the MinLength value. • MinLength Specifies the minimum length of the password. The minimum can be from 8 to 40 characters. New passwords must be between the minimum length specified and 40 characters.

  • Page 71: Upgrade And Downgrade Considerations, How To Set The Account Lockout Policy

    password history setting to select a recently-used password. The MinPasswordAge policy is not enforced when an administrator changes the password for another user. • MaxPasswordAge Specifies the maximum number of days that can elapse before a password must be changed, and is also known as the password expiration period.

  • Page 72: Managing Fabric Os Users On The Radius Server, Switch To Radius Server Interaction

    Managing Fabric OS users on the RADIUS server All existing Fabric OS mechanisms for managing switch-local user accounts and passwords remain functional when the switch is configured to use RADIUS. Changes made to the switch-local database do not propagate to the RADIUS server, nor do the changes affect any account on the RADIUS server. Switch to RADIUS server interaction When configured to use RADIUS, the switch acts as a Network Access Server (NAS) and RADIUS client.

  • Page 73: Windows 2000 Ias, Linux Freeradius Server

    Table 14 Syntax for VSA-based account roles (continued) Item Value Description Vendor length 2 or higher 1 octet, calculated by server, including vendor-type and vendor-length Attribute-specific data ASCII string multiple octet, maximum 253, indicating the name of assigned role and other supported attribute values such as Admin Domain member list.

  • Page 74: Radius Configuration And Admin Domains, Setting Up Radius Aaa Service

    RADIUS configuration and admin domains When configuring users with Admin Domains, you must also include the Admin Domain member list. This section describes the way that you configure attribute types for this configuration. The values for the new attribute types use the syntax key=val[;key=val], where is a text description of value...

  • Page 75: Configuring The Radius Server, Linux

    servers do not respond (because of power failure or network problems), the switch uses local authentication. Consider the following effects of the use of RADIUS service on other Fabric OS features: • When RADIUS service is enabled, all account passwords must be managed on the RADIUS server. The Fabric OS mechanisms for changing switch passwords remain functional;...

  • Page 76: How To Add The Brocade Attribute To The Server, How To Create The User

    FreeRADIUS installation places the configuration files in $PREFIX/etc/raddb. By default, the PREFIX is /usr/local. Configuring RADIUS service on Linux consists of the following tasks: • Adding the Brocade attribute to the server • Creating the user • Enabling clients How to add the Brocade attribute to the server Create and save the file $PREFIX/etc/raddb/dictionary.brocade with the following information:...

  • Page 77: How To Enable Chap, How To Configure Radius Users

    For example, to configure the switch at IP address 10.32.170.59 as a client: client 10.32.170.59 secret = Secret shortname = Testing Switch nastype = other In this example, shortname is an alias used to easily identify the client. Secret is the shared secret between the client and server.

  • Page 78: How To Configure The Radius Server

    Repeat this for every user you want to add. When you have completed adding all users, click OK. In the New Group window, verify that the users you added in step 4 appear in the Members field; then click Create to create this group. The new groups are created for each login type (admin, switchAdmin, user).

  • Page 79: Configuring Radius Servers On The Switch, How To Display The Current Radius Configuration

    Vendor-assigned attribute number—Enter the value 1. Attribute format—Enter String. Attribute value—Enter the login role (Root, Admin, Factory, SwitchAdmin, or User) the user group must use to log in to the switch. In the Multivalued Attribute Information window, click OK. In the Edit Dial-in Profile window, remove all additional parameters (except the one you just added, “Vendor-Specific”) and click OK.

  • Page 80: How To Add A Radius Server To The Switch Configuration

    How to add a RADIUS server to the switch configuration Connect to the switch and log in as admin. Enter this command: switch:admin> aaaConfig --add server [-p port] [-s secret] [-t timeout] [-a pap | chap] server: Enter either a server name or IP address. Avoid duplicating server listings (that is, listing the same server once by name and again by IP address).

  • Page 81: How To Change A Radius Server Configuration

    How to change a RADIUS server configuration Connect to the switch and log in as admin. Enter this command: switch:admin> aaaConfig --change server [-p port] [-s secret] [-t timeout] [-a pap | chap] server: Servers are listed by either name or IP address. Enter either the name or IP address of the server to be changed.

  • Page 82: Setting The Boot Prom Password

    Setting the boot PROM password The boot PROM password provides an additional layer of security by protecting the boot PROM from unauthorized use. Setting a recovery string for the boot PROM password enables you to recover a lost boot PROM password by contacting your switch service provider. Without the recovery string, a lost boot PROM password cannot be recovered.

  • Page 83: San Director 2/128 And 4/256 San Director

    Enter the boot PROM password; then reenter it when prompted. The password must be eight alphanumeric characters (any additional characters are not recorded). Record this password for future use. The new password is automatically saved. Reboot the switch. SAN Director 2/128 and 4/256 SAN Director The boot PROM and recovery passwords must be set for each CP blade on SAN Director 2/128 and 4/256 SAN Directors: How to set the boot PROM password for a Director with a recovery string...

  • Page 84: How To Set The Boot Prom Password For A Director Without A Recovery String

    Connect the serial cable to the serial port on the new standby CP blade (previously the active CP blade). Repeat step 2 through step 7 for the new standby CP blade (each CP blade has a separate boot PROM password).

  • Page 85: Recovering User, Admin, And Factory Passwords, How To Recover Passwords

    Determine the active CP blade by opening a telnet session to either CP blade, connecting as admin, and entering the haShow command. Connect to the active CP blade by serial or telnet and enter the haDisable command to prevent failover during the remaining steps. Create a serial connection to the standby CP blade as described in ”How to connect via the serial port”...

  • Page 86

    To recover a lost root or boot PROM password, contact HP. You must have previously set a recovery string to recover the boot PROM password. Managing user accounts...

  • Page 87: Configuring Standard Security Features, Secure Protocols

    Configuring standard security features This chapter provides information and procedures for configuring standard Fabric OS security features such as account and password management. Additional security features are available when secure mode is enabled. For information about licensed security features available in Secure Fabric OS, refer to the Secure Fabric OS administrator’s guide. Secure protocols Fabric OS supports the secure protocols shown in Table...

  • Page 88: Ensuring Network Security

    The security protocols are designed with the four main usage cases described in Table 18. Table 18 Main security scenarios (columns: Fabric; Management interfaces; Comments). Fabric: Nonsecure; Management interfaces: Nonsecure; Comments: No special setup is needed to use telnet or HTTP. An HP switch certificate must be installed if sectelnet is used.

  • Page 89: Configuring The Telnet Interface, How To Disable Telnet, How To Enable Telnet

    Fabric OS 4.1.0 and later supports SSH protocol v2.0 (ssh2). For more information on SSH, refer to the SSH IETF web site: http://www.ietf.org/ids.by.wg/secsh.html Refer to SSH, The Secure Shell: The Definitive Guide by Daniel J. Barrett, Richard Silverman. Fabric OS 4.4.0 and later comes with the SSH server preinstalled; however, you must select and install the SSH client.

  • Page 90: Blocking Listeners

    Blocking listeners HP StorageWorks switches block Linux subsystem listener applications that are not used to implement supported features and capabilities. Table 19 lists the listener applications that switches either block or do not start. Table 19 Blocked listener applications Listener SAN Director 2/128 and 4/8 SAN Switch and 4/16 SAN Switch, application...

  • Page 91: Accessing Switches And Fabrics, Port Configuration

    Accessing switches and fabrics If you are using the FC-FC Routing Service, be aware that you cannot execute the secModeEnable command on backbone fabrics (you cannot run this command in secure mode when a backbone fabric is connected to edge fabrics). Refer to ”Using the FC-FC routing service”...

  • Page 92: Configuring For The Ssl Protocol, Browser And Java Support, Summary Of Ssl Procedures

    Table 21 Port information Port Type Common use Comment exec login shell This port is used by the Platform API. Disable this port using the configure command. Configuring for the SSL protocol Fabric OS v4.4.0 and later supports Secure Sockets Layer (SSL) protocol, which provides secure access to a fabric through Web-based management tools like Web Tools.

  • Page 93: Choosing A Certificate Authority, Generating A Public/private Key

    Obtain the certificates from the CA. You can request a certificate from a CA through a Web browser. After you request a certificate, the CA either sends certificate files by email (public) or gives access to them on a remote host (private). Typically, the CA provides the certificate files listed in Table Table 22...

  • Page 94: Generating And Storing A Csr, Obtaining Certificates

    Generating and storing a CSR After generating a public/private key (see ”Generating a public/private key” on page 95), perform this procedure on each switch: Connect to the switch and log in as admin. Enter this command: switch:admin> seccertutil gencsr Enter the requested information: Country Name (2 letter code, eg, US):US State or Province Name (full name, eg, California):California Locality Name (eg, city name):San Jose...

  • Page 95: Installing A Switch Certificate, Activating A Switch Certificate

    It might take several days to receive the certificates. If the certificates arrive by email, save them to an FTP server. If the CA provides access to the certificates on an FTP server, make note of the path name and make sure you have a login name and password on the server.

  • Page 96: Configuring The Browser, To Check And Install Root Certificates On Internet Explorer

    Configuring the browser The root certificate might already be installed on your browser, but if not, you must install it. To see whether it is already installed, check the certificate store on your browser. The next procedures are guides for installing root certificates to Internet Explorer and Mozilla browsers. For more detailed instructions, refer to the documentation that came with the certificate.

  • Page 97: Displaying And Deleting Certificates, Troubleshooting Certificates

    Displaying and deleting certificates Table 23 summarizes the commands for displaying and deleting certificates. For details on the commands, refer to the Fabric OS Command reference manual. Table 23 Commands for displaying and deleting SSL certificates (Command: Description). secCertUtil show: Displays the state of the SSL key and a list of installed certificates. secCertUtil show...: Displays the contents of a specific certificate.

  • Page 98: Configuring Snmp

    Configuring SNMP You can configure for the automatic transmission of Simple Network Management Protocol (SNMP) information to management stations. SNMPv3 and SNMPv1 are supported. The configuration process involves configuring the SNMP agent and configuring SNMP traps. The following commands are used in the process: •...

  • Page 99: Setting The Security Level, Using The Snmpconfig Command

    Setting the security level Use the configure command to set the security level (called “SNMP attributes”). You can specify no security, authentication only, or authentication and privacy. For example, to configure for authentication and privacy: switch:admin> configure Not all options will be available on an enabled switch. To disable the switch, use the “switchDisable”...

  • Page 100

    Sample SNMPv3 configuration switch:admin> snmpconfig --set snmpv3 SNMPv3 user configuration: User (rw): [snmpadmin1] adminuser Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..3) [3] 1 New Auth Passwd: Verify Auth Passwd: Priv Protocol [DES(1)/noPriv[2]): (1..2) [2] 1 New Priv Passwd: Verify Priv Passwd: User (rw): [snmpadmin2] shauser Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..3) [3] 2 New Auth Passwd: Verify Auth Passwd:...

  • Page 101

    Sample accessControl configuration switch:admin> snmpconfig --set accessControl SNMP access list configuration: Access host subnet area in dot notation: [0.0.0.0] 192.168.0.0 Read/Write? (true, t, false, f): [true] Access host subnet area in dot notation: [0.0.0.0] 10.32.148.0 Read/Write? (true, t, false, f): [true] f Access host subnet area in dot notation: [0.0.0.0] Read/Write? (true, t, false, f): [true] Access host subnet area in dot notation: [0.0.0.0] 10.33.0.0...

  • Page 102: Using Legacy Commands For Snmpv1

    Using legacy commands for SNMPv1 You should use the snmpConfig command to configure the SNMPv1 agent and traps (refer to ”Using the snmpConfig command” on page 101). However, if necessary for backward compatibility, you can choose to use legacy commands. Sample SNMP agent configuration information switch:admin>...

  • Page 103

    Sample modification of the SNMP configuration values switch:admin> agtcfgset Customizing MIB-II system variables ... At each prompt, do one of the followings: o <Return> to accept current value, o enter the appropriate new value, o <Control-D> to skip the rest of configuration, or o <Control-C>...

  • Page 104

    Sample reset of the SNMP agent configuration to default values switch:admin> agtcfgdefault ***** This command will reset the agent's configuration back to factory default ***** Current SNMP Agent Configuration Customizable MIB-II system variables: sysDescr = Fibre Channel Switch. sysLocation = End User Premise sysContact = sweng authTraps = 0 (OFF) SNMPv1 community and trap recipient configuration:...

  • Page 105

    Sample modification of the options for configuring SNMP MIB traps switch:admin> snmpmibcapset The SNMP Mib/Trap Capability has been set to support FE-MIB SW-MIB FA-MIB FA-TRAP FA-MIB (yes, y, no, n): [yes] FICON-MIB (yes, y, no, n): [no] y HA-MIB (yes, y, no, n): [no] y SW-TRAP (yes, y, no, n): [no] y swFCPortScn (yes, y, no, n): [no] swEventTrap (yes, y, no, n): [no]...

  • Page 106: Configuring Secure File Copy

    Sample view of the SNMP MIB trap setup switch:admin> snmpmibcapshow FA-MIB: YES FICON-MIB: YES HA-MIB: YES SW-TRAP: YES swFCPortScn: YES swEventTrap: YES swFabricWatchTrap: YES swTrackChangesTrap: YES FA-TRAP: YES SW-EXTTRAP: YES HA-TRAP: YES fruStatusChanged: YES cpStatusChanged: YES fruHistoryTrap: YES Configuring secure file copy You can use the configure command to specify that secure file copy (scp) be used for configuration uploads and downloads.

  • Page 107: Maintaining Configurations, Displaying Configuration Settings, Backing Up A Configuration

    Maintaining configurations It is important to maintain consistent configuration settings on all switches in the same fabric, because inconsistent parameters (such as inconsistent PID formats) can cause fabric segmentation. As part of standard configuration maintenance procedures, it is recommended that you back up all important configuration data for every switch on a host computer server for emergency reference.

  • Page 108: To Upload A Configuration File

    Before beginning, verify that you can reach the FTP server from the switch. Using a telnet connection, save a backup copy of the configuration file from a logical switch to a host computer as follows: To upload a configuration file Verify that the FTP service is running on the host computer.

  • Page 109: Troubleshooting Configuration Upload, Restoring Switch Information, Restoring A Configuration

    NOTE: The configuration file is printable, but you might want to see how many pages will be printed before you send it to the printer; you might not want to print a lot of pages if it is too long. Troubleshooting configuration upload If the configuration upload fails, it may be because: •...

  • Page 110: Configuration Download Without Disabling A Switch

    Configuration download without disabling a switch Starting in Fabric OS 5.2.x, you can download configuration files to a switch while the switch is enabled, that is, you do not need to disable the switch for changes in SNMP, Fabric Watch, and ACL parameters. When you use the configDownload command, you will be prompted to disable the switch only when necessary...

  • Page 111: Security Considerations, Troubleshooting Configuration Download, Messages Captured In The Logs

    NOTE: Because some configuration parameters require a reboot to take effect, after you download a configuration file you must reboot to be sure that the parameters are enabled. Before the reboot, this type of parameter is listed in the configuration file, but it is not effective until after the reboot. Security considerations Security parameters and the switch's identity cannot be changed by configDownload.

  • Page 112: Restoring Configurations In A Ficon Environment, Downloading Configurations Across A Fabric

    Restoring configurations in a FICON environment If the switch is operating in a FICON CUP environment, and the ASM (active=saved) bit is set on, then the switch ignores the IPL file downloaded when you restore a configuration. Table 26 describes this behavior in more detail.

  • Page 113: San Director Configuration Form

    4/256 SAN Director configuration form Table 27 provides a form to use as a hardcopy reference for your configuration information. Table 27 Configuration and connection Configuration settings IP address Gateway address Chassis configuration option Management connections Serial cable tag Ethernet cable tag Configuration information Domain ID Switch name...

  • Page 114

    Table 28 FC port configuration setting FC port Port numbers configuration Speed Trunk Port Long Distance VC Link Init Locked L_Port Locked G_Port Disable E_Port ISL R_RDY Mode RSCN Suppressed Persistent disable NPIV capability EX Port

  • Page 115

    Table 29 FC port configuration setting FC Port Port Numbers Configuration Speed Trunk port Long distance VC link Init Locked L_Port Locked G_Port Disable E_Port ISL R_RDY mode RSCN suppressed Persistent disable NPIV capability EX port

  • Page 117: Configuring Advanced Security, About Access Control List (acl) Policies, How The Acl Policies Are Stored

    Configuring advanced security This chapter provides information and procedures for configuring the advanced Fabric OS 5.2.x security feature, Access Control List (ACL) policies for FC port and switch binding. NOTE: Run all commands in this chapter by logging in to Administrative Domain (AD) 255 or, if Administrative Domains have not been implemented, log in to AD 0.

  • Page 118: Identifying Policy Members, Configuring Acl Policies, Displaying Acl Policies

    Identifying policy members Specify the FCS, DCC and SCC policy members by device port WWN, switch WWN, domain IDs, or switch names, depending on the policy. The valid methods for specifying policy members are listed in Table Table 30 Valid methods for specifying policy members Policy name Device port Switch...

  • Page 119: Configuring An Fcs Policy

    Displaying ACL policies Use the secPolicyShow command to display the active and defined policy sets. Additionally, in a defined policy set, policies created in the same login session also appear but these policies are automatically deleted if the user logs out without saving. The following example shows a switch that has no SCC, DCC, and FCS policies.

  • Page 120: Fcs Policy Restrictions

    • Distribution to pre-5.3.0 switches using the wild (*) character When the wild card character is specified, distribution succeeds even if the fabric contains pre-5.3.0 switches. However, the FCS database will be sent only to switches with a Fabric OS of 5.2.0 or later in the fabric and not to pre-5.2.0 switches.

  • Page 121: Overview Of Steps To Create And Manage The Fcs Policies, Modifying The Primary Fcs

    Overview of steps to create and manage the FCS policies Whether your intention is to create new FCS policies or manage your current FCS policies, you must follow certain steps to ensure the domains throughout your fabric have the same policy. Create the FCS policy using the secPolicyCreate command. Activate the policy using the secPolicyActivate command. Distribute the policies to the intended domains using the distribute command...

  • Page 122: Distributing An Fcs Policy

    Distributing an FCS policy The FCS policy has to be manually distributed to the switches. Each switch that receives the FCS policy must be configured to receive the policy. To configure the switch to accept distribution of the FCS policy, refer to “Configuring the database distribution settings”...

  • Page 123: Configuring A Dcc Policy, Dcc Policy Restrictions

    Configuring a DCC policy Multiple DCC policies can be used to restrict which device ports can connect to which switch ports. The devices can be initiators, targets, or intermediate devices such as SCSI routers and loop hubs. By default, all device ports are allowed to connect to all switch ports; no DCC policies exist until they are created. Each device port can be bound to one or more switch ports;...

  • Page 124: Creating A Dcc Policy, Examples Of Creating Dcc Policies

    Creating a DCC policy DCC policies must follow the naming convention “DCC_POLICY_nnn,” where nnn represents a unique string. To save memory and improve performance, one DCC policy per switch or group of switches is recommended. Device ports must be specified by port WWN. Switch ports can be identified by the switch WWN, domain ID, or switch name followed by the port or area number.

  • Page 125: Creating An Scc Policy, Saving Changes To Acl Policies, Activating Changes To Acl Policies

    To create the DCC policy “DCC_POLICY_abc” that includes device 33:44:55:66:77:11:22:cc and ports 1 through 6 and port 9 of switch domain 3: switch:admin> secpolicycreate "DCC_POLICY_abc", "33:44:55:66:77:11:22:cc;3(1-6,9)" DCC_POLICY_xxx has been created To create the DCC policy “DCC_POLICY_example” that includes devices 44:55:66:77:22:33:44:dd and 33:44:55:66:77:11:22:cc, ports 1 through 4 of switch domain 4, and all devices currently connected to ports 1 through 4 of switch domain 4: switch:admin>...

  • Page 126: Adding A Member To An Existing Policy

    Saving changes to ACL policies You can save changes to ACL policies without activating them by entering the secPolicySave command. This saves the changes to the defined policy set. Until the secPolicySave or secPolicyActivate command is issued, all policy changes are in volatile memory only and are lost if the switch reboots or the current session is logged out.

  • Page 127: Removing A Member From An Acl Policy, Deleting An Acl Policy, Aborting All Uncommitted Changes

    Removing a member from an ACL policy To remove a member from an ACL policy Connect to the switch and log in. Type secPolicyRemove “policy_name”, “member;...;member”. where policy_name is the name of the ACL policy. member is the device or switch to be removed from the policy, identified by IP address, switch domain ID, device or switch WWN, or switch name.

  • Page 128

    Fabric OS 5.3.0 switch-to-switch authentication implementation is fully backward compatible with v3.2, v4.2, v4.4, v5.0, v5.1, and v5.2. Use secAuthSecret to set a shared secret on the switch. When configured, the secret key pair are used for authentication. Authentication occurs whenever there is a state change for the switch or port. The state change can be due to a switch reboot, a switch or port disable and enable, or the activation of a policy.

  • Page 129: E_port Authentication

    E_Port authentication The authentication (AUTH) policy allows you to configure the DH-CHAP authentication on the switch. By default the policy is set to PASSIVE and you can change the policy using the authutil command. All changes to the AUTH policy are effective. This includes starting authentication on all E_Ports on the local switch if the policy is changed to ON or ACTIVE, and clearing the authentication if the policy is changed to OFF.

  • Page 130: Device Authentication Policy, Auth Policy Restrictions, Supported Configurations

    Device authentication policy Device authentication policy can also be categorized as an HBA authentication policy. Fabric wide distribution of the device authentication policy is not supported since the device authentication requires manual interaction in setting the HBA shared secrets and switch shared secrets, and most of the HBAs do not support the defined DH groups for use in the DH-CHAP protocol.

  • Page 131: Selecting Authentication Protocols, Re-authenticating Ports

    Selecting authentication protocols Use the authUtil command to perform the following tasks: • Display the current authentication parameters • Select the authentication protocol used between switches • Select the Diffie-Hellman (DH) group for a switch Run the authUtil command on the switch you want to view or change. Below are the different options to specify which DH group you want to use.

  • Page 132: Managing Secret Key Pairs

    To re-authenticate E_Ports: Log in to the switch as admin. On a switch running Fabric OS 5.3.0, type the following command: $authutil --authinit <slot/port_number(s)|allE> $authutil --authinit 2,3,4 $authutil --authinit allE (all E_ports in the switch) For directors, use the slot/port format for specifying the port number. $authutil --authinit 1/1, 1/2 Managing secret key pairs...

  • Page 133: Fabric Wide Distribution Of The Auth Policy, Accept Distributions Configuration Parameter

    To set a secret key pair: Log in to the switch as admin. On a switch running Fabric OS 4.x or 5.x, type secAuthSecret --set; on a switch running Fabric OS v3.x, type secAuthSecret "--set". The command enters interactive mode. The command returns a description of itself and needed input; then it loops through a sequence of switch specification, peer secret entry, and local secret entry.

  • Page 134: Creating An Ip Filter Policy, Cloning An Ip Filter Policy

    IP filter policy The IP Filter policy is a set of rules applied to the IP management interfaces as a packet filtering firewall. The firewall permits or denies the traffic to go through the IP management interfaces according to the policy rules.

  • Page 135: Displaying An Ip Filter Policy, Saving An Ip Filter Policy, Activating An Ip Filter Policy

    Displaying an IP Filter policy Displays the IP Filter policy content for the specified policy name, or all IP Filter policies if policy name is not specified. For each IP Filter policy, the policy name, type, persistent state and policy rules are displayed. The policy rules are listed by the rule number in ascending order.

  • Page 136: Deleting An Ip Filter Policy, Ip Filter Policy Rules

    Deleting an IP Filter policy You can delete a specified IP Filter policy. Deleting an IP Filter policy will remove it from the temporary buffer. To permanently delete the policy from persistent database, run ipfilter save. An active IP Filter policy cannot be deleted. To delete an IP Filter policy: Log in to the switch as admin.

  • Page 137

    For an IP Filter policy rule, users can only select port numbers in either the well known or the registered port number range, between 0 and 49151, inclusive. This means that customers have the ability to control how to expose the management services hosted on a switch, but not the ability to affect the management traffic that is initiated from a switch.

  • Page 138: Ip Filter Policy Enforcement, Creating Ip Filter Policy Rules

    Table 38 Default IP policy rules (continued) Rule number Source address Destination port Protocol Action Permit 600-1023 Permit IP Filter policy enforcement An active IP Filter policy is a filter applied to the IP packets through the management interface. IPv4 management traffic will pass through the active IPv4 filter policy, and IPv6 management traffic will pass through the active IPv6 filter policy.

  • Page 139: Deleting Ip Filter Policy Rules, Aborting A Switch Session Transaction, Ip Filter Policy Distributions

    Deleting IP Filter policy rules Deleting a rule in the specified IP Filter policy causes the rules following the deleted rule to shift up in rule order. The change to the specified IP Filter policy is not saved to persistent configuration until a save or activate sub-command is run.

  • Page 140: Distributing The Policy Database

    Distributing the policy database Fabric OS lets you manage and enforce the ACL policy database on either a per-switch or fabric-wide basis. The local switch distribution setting and the fabric-wide consistency policy affect the switch ACL policy database and related distribution behavior. The ACL policy database is managed as follows: • Switch database distribution setting—Controls whether or not the switch accepts or rejects...

  • Page 141: Configuring The Database Distribution Settings

    Configuring the database distribution settings The distribution settings control whether a switch accepts or rejects distributions of databases from other switches and whether or not the switch may initiate a distribution. Configure the distribution setting to reject when maintaining the database on a per-switch basis. Table 40 lists the databases supported starting in Fabric OS 5.3.0.

  • Page 142: Distributing Acl Policies To Other Switches, Setting The Consistency Policy Fabric-wide

    Distributing ACL policies to other switches This section explains how to manually distribute local ACL policy databases to other Fabric OS 5.2.0 and later switches. The distribute command has the following dependencies: • All target switches must be running Fabric OS 5.2.0 or later. •...

  • Page 143

    FC routers cannot join a fabric with a strict fabric-wide consistency policy. FC routers do not support the fabric-wide consistency policies. Table 42 describes the fabric-wide consistency settings. Table 42 Fabric-wide consistency policy settings Setting Value When a policy is activated Absent null Database is not automatically distributed to other switches in the fabric.

  • Page 144: Notes On Joining A Switch To The Fabric, Matching Fabric-wide Consistency Policies

    Notes on joining a switch to the fabric When a switch is joined to a fabric with a tolerant SCC or DCC fabric-wide consistency policy, the joining switch must have a matching tolerant SCC or DCC fabric-wide consistency policy. If the tolerant SCC or DCC fabric-wide consistency policies do not match, the switch can join the fabric, but an error message flags the mismatch.

  • Page 145: Non-matching Fabric-wide Consistency Policies

    Table 43 describes the impact of merging fabrics with the same fabric-wide consistency policy that have SCC, DCC, or both policies. Table 43 Merging fabrics with matching fabric-wide consistency policies Fabric-wide Fabric A Fabric B Merge Database copied consistency ACL policies ACL policies results policy...

  • Page 146

    Table 45 has a matrix of merging fabrics with tolerant and absent policies. Table 45 Fabric merges with tolerant/absent combinations Fabric-wide consistency policy setting Expected behavior Fabric A Fabric B Tolerant/Absent SCC;DCC Error message logged. Run fddCfg --fabwideset “<policy_ID>” from any switch with the desired configuration to fix SCC;DCC the conflict.

  • Page 147: Managing Administrative Domains, About Administrative Domains

    Managing administrative domains This chapter describes the concepts and procedures for using the administrative domain feature introduced in Fabric OS 5.2.x. About administrative domains Administrative Domain (Admin Domain or AD) is a logical grouping of fabric elements that defines what switches, ports, and devices you can view and modify. An Admin Domain is a filtered administrative view of the fabric.

  • Page 148: Admin Domain Features

    Figure 3 Fabric with two admin domains Figure 4 shows how users get a filtered view of this fabric, depending on which Admin Domain they are in. Users can see all switches and E_Ports in the fabric, regardless of their Admin Domain; however, the switch ports and end devices are filtered based on Admin Domain membership.

  • Page 149: Requirements For Admin Domains, User-defined Administrative Domains, System-defined Administrative Domains

    • Move devices from one Admin Domain to another without traffic disruption, cable reconnects, or discontinuity in zone enforcement. • Provide strong fault and event isolation between Admin Domains. • Have visibility of all physical fabric resources. All switches, E_Ports, and FRUs (including blade information) are visible.

  • Page 150

    always exist and cannot be deleted or renamed. They are reserved for use in creation and management of Admin Domains. AD0 is a system-defined Admin Domain that, in addition to containing members you explicitly added (similar to user-defined Admin Domains), contains all online devices, switch ports, and switches that have not been assigned to any user-defined Admin Domain.

  • Page 151: Admin Domain Access Levels

    Figure 5 Fabric with AD0 and AD255 Admin domain access levels Admin Domains offer a hierarchy of administrative access. To manage Admin Domains, you must be a physical fabric administrator. A “physical fabric administrator” is a user with the Admin role and access to all Admin Domains (AD0 through AD255). Other administrative access is determined by your defined RBAC role and AD membership.

  • Page 152: Admin Domains And Login, Admin Domain Member Types, Device Members

    Admin domains and login You are always logged in to an Admin Domain, and you can view and modify only the devices in that Admin Domain. If you have access to more than one Admin Domain, one of them will have been specified as your “home Admin Domain,”...

  • Page 153: Switch Port Members, Switch Members

    Switch port members Switch port members are defined by switch (domain, port). A switch port member: • Grants port control rights and zoning rights for that switch port. • Grants view access and zoning rights to the device connected to that switch port. •...

  • Page 154: Admin Domains And Switch Wwn

    Admin Domains and switch WWN Admin Domains are treated as fabrics. Because switches cannot belong to more than one fabric, switch WWNs are converted so that they appear as unique entities in different Admin Domains (fabrics). This WWN conversion is done only in the AD1 through AD254 context. AD0 and AD255 use unconverted switch WWNs.

  • Page 155: Admin Domain Compatibility And Availability, Admin Domains And Merging, Compatibility

    Fabric Visible to AD3 User WWN = 10:00:00:00:c2:37:2b:a3 WWN = 10:00:00:00:c7:2b:fd:a3 Domain ID = 1 Domain ID = 2 WWN = 50:00:51:f0:52:36:f9:03 WWN = 50:00:52:e0:63:46:e9:03 WWN = 10:00:00:00:c2:37:2b:a3 Fabric Visible to AD4 User Domain ID = 1 Domain ID = 2 WWN = 50:00:51:f0:52:36:f9:04 WWN = 50:00:52:e0:63:46:e9:04 WWN = 10:00:00:00:c8:3a:fe:a2...

  • Page 156: Firmware Upgrade And Downgrade Scenarios

    Figure 8 Isolated subfabrics (labels: AD-aware fabric, AD-unaware fabric, AD-aware fabric). These two subfabrics have different AD databases but the same root zone database. Firmware upgrade and downgrade scenarios You cannot perform a firmware downgrade to a Fabric OS version earlier than 5.2.x, if ADs are configured in the fabric.

  • Page 157: Understanding The Ad Transaction Model, Implementing Admin Domains, How To Set The Default Zone Mode

    Understanding the AD transaction model This section summarizes the ad command. This command follows a batched-transaction model, which means that changes to the Admin Domain configuration occur in the transaction buffer. An Admin Domain configuration can exist in several places: Effective configuration—The Admin Domain configuration that is currently in effect.

  • Page 158: Creating An Admin Domain, How To Create An Admin Domain, Managing Administrative Domains

    Creating an admin domain To create an Admin Domain, you must specify an Admin Domain name or number or both. • If you create an Admin Domain using only a number, the Admin Domain name is automatically assigned to be “ADn”, where n is the number you specified. For example, if you specify AD number = 4, then AD name is set to “AD4”.

  • Page 159: Managing Admin Domains, Assigning A User To An Admin Domain

    Assigning a user to an admin domain After you create an Admin Domain, you can specify one or more user accounts as the valid accounts who can use that Admin Domain. You create these user accounts using the userConfig command. User accounts have the following characteristics with regard to Admin Domains: •...

  • Page 160: How To Create A New Physical Fabric Administrator User Account, Activating And Deactivating Admin Domains

    How to create a new physical fabric administrator user account Connect to the switch and log in as admin. Enter the userconfig --add command using the -r option to set the role to admin and the -a option to provide access to Admin Domains 0 through 255. username home_AD userconfig --add...

  • Page 161: Adding And Removing Admin Domain Members, How To Add Members To An Existing Admin Domain

    Adding and removing admin domain members Use the following procedures to add or remove members of an Admin Domain. NOTE: If you remove the last member of an Admin Domain, that Admin Domain is automatically deleted. How to add members to an existing Admin Domain Connect to an AD-aware switch and log in as admin.

  • Page 162: Deleting An Admin Domain, How To Delete An Admin Domain, Deleting All User-defined Admin Domains

    The rename operation does not take effect if the Admin Domain you want to rename is part of the effective configuration and thus enforced. Optional: To end the transaction now, enter ad --save to save the Admin Domain definition or enter ad --apply to save the Admin Domain definition and directly apply the definitions to the fabric.

  • Page 163: Validating An Admin Domain Member List

    Validating an Admin Domain member list The ad --validate option allows you to validate the device and switch member list and flag all resources that are from AD-unaware switches. You can use the validate option to list Admin Domain members from AD-unaware switches and non-existing or offline Admin Domain members. You can use the validate option to identify misconfigurations of the Admin Domain.

  • Page 164: Executing A Command In A Different Ad Context

    A port or device appears in CLI command output or other management tool outputs if any one of the conditions listed in Table 47 is met. Table 47 Ports and devices in CLI output Condition (domain, port) • The port is specified in the (domain, port) member list of the Admin Domain.

  • Page 165: How To Show An Admin Domain, Switching To A Different Admin Domain Context

    How to show an Admin Domain Connect to the switch and log in as any user type. Enter the ad --show command. If you are in the AD0 context, you can use the -i option to display the implicit membership list of AD0; otherwise, only the explicit membership list is displayed.

  • Page 166: Admin Domain Interactions

    that are not part of the current zone enforcement table. A member might not be part of the zone enforcement table because: • The device is offline. • The device is online, but is connected to an AD-unaware switch. • The device is online but is not part of the current Admin Domain.

  • Page 167: Admin Domains, Zones, And Zone Databases

    Table 48 Admin Domain interaction with Fabric OS features (continued) Fabric OS feature Admin Domain interaction FICON Admin Domains support FICON. However, you must perform additional steps because FICON management (CUP) requires additional physical control of the ports. You must set up the switch as a physical member of the FICON AD. DCC and SCC policies are supported only in AD0 and AD255, since ACL configurations are supported only in AD0 and AD255.

  • Page 168: Admin Domains And Lsan Zones, Configuration Upload And Download In An Ad Context

    Admin Domains introduce two types of zone database nomenclature and behavior: • Root zone database—If you do not use Admin Domains, you will have only one zone database. This legacy zone database is known as the root zone database. If you create Admin Domains, you will have the root zone database, which is owned by AD0, and other zone databases, one for each user-defined Admin Domain.

  • Page 169

    ”Maintaining configurations” on page 147 for additional information. Table 49 Configuration upload and download scenarios in an AD context Configuration file sections AD contexts iSCSI Secure Zone Switch configuration Fabric OS headers and other parameters AD255 With ADs Without ADs With ADs and switch membership With ADs and without...

  • Page 170

    172 Managing administrative domains...

  • Page 171: Installing And Maintaining Firmware, About The Firmware Download Process

    Installing and maintaining firmware This chapter contains procedures for installing and maintaining firmware. Fabric OS 5.3.0 provides nondisruptive firmware installation. Additionally, this chapter provides information on the following optional port blades: • FC blades contain only Fibre Channel ports: FC4-16, FC4-32, FC4-48. •...

  • Page 172: Upgrading And Downgrading Firmware, Effects Of Firmware Changes On Accounts And Passwords

    CAUTION: For each switch in your fabric, complete all firmware download changes on the current switch before issuing the firmwareDownload command on the next switch. This process ensures nondisruption of traffic between switches in your fabric. To verify the firmwareDownload process is complete, enter the firmwareDownloadStatus command on the switch, verify the process is complete, then move on to the next switch.

  • Page 173: Considerations For Ficon Cup Environments, Preparing For A Firmware Download

    Considerations for FICON CUP environments To prevent channel errors during nondisruptive firmware installation, the switch CUP port must be taken offline from all host systems. Preparing for a firmware download Before executing a firmware download, it is recommended that you perform the tasks mentioned in this section.

  • Page 174: Checking Connected Switches

    NOTE: If you do not know the CP address, use the ipAddrShow command to view a list of all CP IP addresses associated with the switch. (Optional) Enter the supportSave command to capture a snapshot of your configuration and provide baseline information in case there is a need to troubleshoot or seek advanced support.

  • Page 175: Obtaining And Decompressing Firmware, Performing Firmware Download On Switches, Summary Of The Firmware Download Process

    Obtaining and decompressing firmware NOTE: The following steps describe how to download firmware. Web retrieval procedures may be subject to change. To access the latest Fabric OS 5.2.x firmware, configuration files and MIB files go to the following HP web site: http://h18006.www1.hp.com/storage/saninfrastructure/index.html You must decompress the firmware (using the UNIX tar command for .tar files, the gunzip command...

  • Page 176

    4/16 SAN Switch and 4/8 SAN Switch, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, SAN Switch 4/32, SAN Switch 4/32B, 4/64 SAN Switch and 400 MP Router firmware download procedure The upgrade process first downloads and then commits the firmware to the switch.

  • Page 177

    User name Enter the user name of your account on the server; for example, “JohnDoe”. File name Fabric OS 5.2.x or higher: Specify the full path name of the firmware directory, for example, /pub/v5.2.x. Fabric OS 5.1.x or lower: Specify the full path name of the firmware directory, appended by release.plist;...

  • Page 178: Summary Of Firmware Downloads On Director Models, Summary Of The Firmware Download Process For Directors

    Summary of firmware downloads on Director models You can download firmware to SAN Director 2/128 and 4/256 SAN Director without disrupting the overall fabric if the two CP blades are installed and fully synchronized. Use the haShow command to confirm synchronization. If only one CP blade is powered on, the switch must reboot to activate firmware, which is disruptive to the overall fabric.

  • Page 179

    To upgrade the firmware on SAN Director 2/128 and 4/256 SAN Director (including the blades): Verify that the FTP or SSH server is running on the host server and that you have a user ID on that server. Obtain the firmware file from http://www.hp.com and store the file on the FTP or SSH server.

  • Page 180

    Respond to the prompts as follows: Server Name or IP Address Enter the name or IP address of the server where the firmware file is stored; for example, 192.1.2.3. IPv6 and DNS are supported by firmwareDownload in Fabric OS 5.3.0. If DNS is enabled and a server name instead of a server IP address is specified in the command line, firmwareDownload determines whether IPv4 or IPv6 should be used.

  • Page 181

    This command will cause the active CP to reset and will require that existing telnet or SSH sessions be restarted. Do you want to continue [Y]: y The firmware is being downloaded to the Standby CP. It may take up to 10 minutes Do you want to continue [Y]: y Optionally, after the failover, connect to the switch, and log in again as admin.

  • Page 182: Testing And Restoring Firmware On Switches

    Enter the firmwareShow command to display the new firmware versions. Following is an example of firmwareShow on the 4/256 SAN Director. switch:admin> firmwareshow Slot Name Appl Primary/Secondary Versions Status ----------------------------------------------------------- FA4-18 v5.3.0 v5.3.0 v3.0.0 v3.0.0 v3.0.0 v3.0.0 v5.3.0 Standby * v5.3.0 v5.3.0 Active...

  • Page 183

    Enter the firmwareDownload -s command to update the firmware and respond to the prompts as follows: switch:admin> firmwareDownload -s Type of Firmware (FOS, SAS, or any application) [FOS]: Server Name or IP Address: 192.168.32.10 Network Protocol (1-auto-select, 2-FTP, 3-SCP) [1]: User Name: userfoo File Name: /home/userfoo/v5.3.0 Password:...

  • Page 184: Testing And Restoring Firmware On Directors

    Testing and restoring firmware on Directors This procedure enables you to perform a firmware download on each CP and verify that the procedure was successful before committing to the new firmware. The old firmware is saved in the secondary partition of each CP until you enter the firmwareCommit command. If you decide to back out of the installation prior to the firmwareCommit, you can enter the firmwareRestore command to restore the former, active Fabric OS firmware image.

  • Page 185

    NOTE: If the CPs fail to synchronize, you can still proceed because the version being tested is already present on the active CP, and subsequent steps will ensure that the standby CP is updated to the same version as the active CP c.

  • Page 186: Validating The Firmware Download

    b. Enter the firmwareRestore command. The standby CP will reboot and the current switch session will end. Both partitions will have the same Fabric OS after several minutes. c. Wait five minutes and log in to the switch. Enter the firmwareShow command and verify that all partitions have the original firmware.

  • Page 187: Troubleshooting Firmware Download, Downgrading Firmware From Fabric Os 5.2.x

    NOTE: You cannot perform a firmware downgrade from Fabric OS 5.2.x or higher if administrative domains are configured in the fabric. See “Managing administrative domains” on page 157 for details. When the primary and secondary CPs in a 4/256 SAN Director are running pre-Fabric OS 5.2.x and are in HA-Sync, if firmware is downloaded to upgrade only one CP (using the firmwareDownload -s option), that CP will run in an AD-unaware mode (AD creation operations will fail and the local switch will appear as an AD-unaware switch in the fabric).

  • Page 188: Pre-installation Messages

    For more information on any of the commands in the Recommended Action section, see the Fabric OS Command Reference. NOTE: Some of the messages include error codes (as shown in the example below). These error codes are for internal use only and you can disregard them. Example: Port configuration with EX ports enabled along with trunking for port(s) 63, use the portcfgexport, portcfgvexport, and/or portcfgtrunkport commands to remedy this.

  • Page 189

    Message AP Blade type 31 is inserted. Please use slotshow to find out which slot it is in and remove it. Probable Cause and Recommended Action The firmware download operation was attempting to downgrade a system to Fabric OS v5.1.0 or earlier with one or more FC4-16IP port blades (blade ID 31) in the system.

  • Page 190

    Execute the chassisConfig command with a supported option (1, 2, or 5 for SAN Director 2/128 and 1 or 5 for 4/256 SAN Director), and then retry the firmware download operation. The supported options are described briefly below: option 1 One 128-port switch with the following configuration: FC2-16 (blade ID 4), FC4-16 (blade ID 17) on slots 1–4 and 7–10;...

  • Page 191

    Message Cannot downgrade due to the presence of broadcast zone(s). Remove or disable them before proceeding. Probable cause and recommended action If the switch is running v5.3.0, and a “broadcast zone” is configured, the user will not be allowed to downgrade the switch to v5.2.0 or earlier, as a broadcast zone gets a special meaning in v5.3.0 but it will be treated as regular zone in v5.2.0 or earlier.

  • Page 192

    Message Cannot downgrade to v5.2.0 or lower because ge port(s) has IPSec and Fastwrite enabled. Please use portcfg command to disable Fastwrite and try again. Probable cause and recommended action If a GE port has IPSec and Fastwrite enabled, the user will not be allowed to downgrade to v5.2.0 or earlier.

  • Page 193

    Message Cannot upgrade directly to 5.3.0. Upgrade your switch to v5.1 or v5.2 first before upgrading to the requested version. Probable cause and recommended action If the switch is running v5.0.0 or earlier, you will not be allowed to upgrade directly to v5.3.0 because of the “two-version”...

  • Page 194

    Specify L2 long distance to support a long distance link up to 100 km. A total of 50, 100, or 200 full-size frame buffers are reserved for data traffic for the port at speeds of 1 Gbit/sec, 2 Gbit/sec, or 4 Gbit/sec respectively. For previously released switches (Bloom1-based), the number of frame buffers is limited to 63.

  • Page 195

    Downgrade the system to firmware v4.4.0 or v5.0.0 first, and then downgrade to the desired firmware version. Message The command failed due to network timeout. Probable Cause and Recommended Action The firmware download operation was attempting to upgrade a system from Fabric OS v4.4.0 or lower directly to firmware v5.2.0.

  • Page 196

    Message The command failed due to the presence of an Admin Domain. Use the command to remedy this before proceeding. Probable Cause and Recommended Action The firmware download operation was attempting to downgrade a system to Fabric OS v5.1.0 or lower with Admin Domain (AD) enabled on the system.

  • Page 197

    Message The command failed because IPSec is enabled. Please use the portcfg fciptunnel command to disable it before proceeding. Probable Cause and Recommended Action The firmwareDownload operation was attempting to downgrade a system to Fabric OS v5.1.0 or lower and the IPsec feature is enabled. The IPsec feature is not supported on firmware v5.1.0 or lower, so the firmwareDownload operation failed.

  • Page 198

    • Disable the strict fabric-wide policy using the fddCfg --fabWideSet "" command. The “absent” setting disables the fabric-wide consistency policy. Retry the firmware download operation. Message The switch is currently configured with “radiuslocal” mode. Please use the aaaconfig command to remedy it before proceeding.

  • Page 199: Blade Troubleshooting Tips, Synchronizing Firmware Versions On Partitions, Ftp Server Recommendations

    Remove all DCC policies containing more than 256 ports using the secPolicyDelete and secPolicyActivate commands. Retry the firmware download operation. Blade troubleshooting tips Typically, issues that evolve during firmware downloads to the B-Series MP Router blade do not require explicit actions on your part. However, if any of the following events occur, perform the suggested action to correct: •...

  • Page 200

    202 Installing and maintaining firmware...

  • Page 201: Configuring Directors, Identifying Ports

    Configuring Directors This chapter contains procedures that are specific to the SAN Director 128 and 4/256 SAN Director models. For detailed information about these models, refer to the HP StorageWorks SAN Director installation guide available on http://www.hp.com. Because Directors contain interchangeable port blades, install procedures differ from the SAN Switches, which operate as fixed-port switches.

  • Page 202: By Slot And Port Number

    Table 51 Port numbering schemes for the 4/256 SAN Director (continued) Port 4/256 SAN Director blades FA4-18 Fibre Channel ports are numbered from 0 through 15 from bottom to top. There are also 2 GbE ports (numbered A0 - A1, from top to bottom) that are for Storage Application manageability purposes;...

  • Page 203: By Index

    By index With the introduction of 48-port blades, the Index was introduced. Unique area IDs are possible up to 255 areas, but beyond that there needed to be some way to ensure uniqueness. A number of fabric-wide databases supported by Fabric OS (including ZoneDB, Secure FOS DCC policies, the ACL DCC, and Admin Domain) allow a port to be designated by the use of a “D,P”...

  • Page 204

    Table 52 Default index/area_ID Core PID assignment with no port swap (continued) Port on Slot Slot Slot Slot Slot Slot Slot Slot blade 1Idx/Area 2Idx/Area 3Idx/Area 4Idx/Area 7Idx/Area 8Idx/Area 9Idx/Area 10Idx/Area 142/142 158/158 174/174 190/190 206/206 222/222 238/238 254/254 141/141 157/157 173/173 189/189...

  • Page 205

    Table 53 Default index/area extended-edge PID assignment with no port swap Port on Slot Slot Slot Slot Slot Slot Slot Slot blade 1Idx/Area 2Idx/Area 3Idx/Area 4Idx/Area 7Idx/Area 8Idx/Area 9Idx/Area 10Idx/Area 271/135 287/151 303/167 319/183 335/199 351/215 367/231 383/247 270/134 286/150 302/166 318/182 334/198...

  • Page 206: Basic Blade Management, Powering Port Blades Off And On

    Table 53 Default index/area extended-edge PID assignment with no port swap (continued) Port on Slot Slot Slot Slot Slot Slot Slot Slot blade 1Idx/Area 2Idx/Area 3Idx/Area 4Idx/Area 7Idx/Area 8Idx/Area 9Idx/Area 10Idx/Area 29/29 45/45 61/61 77/77 93/93 109/109 125/125 13/13 28/28 44/44 60/60 76/76...

  • Page 207: Disabling And Enabling Port Blades, Fc4-48 Blade Exceptions

    Disabling and enabling port blades Port blades are enabled by default. In some cases, you will need to disable a port blade to perform diagnostics. When diagnostics are executed manually (from the Fabric OS command line), many commands require the port blade to be disabled. This ensures that diagnostic activity does not interfere with normal fabric traffic.

  • Page 208: Conserving Power, Blade Terminology And Compatibility, Cp Blades

    ports 16–31 with an FC4-48, the FC4-48 faults. To correct this, reinsert the FC4-32 and issue portSwap to restore the original area IDs to ports 16–31. Conserving power To conserve power and ensure that more critical components are the least affected by a power fluctuation, you can power off components in a specified order, using the powerOffListSet command.

  • Page 209: Port Blade Compatibility, Setting Chassis Configuration Options

    Term / Abbreviation / Blade ID (slotshow) / Definition: 48-port 4-Gbit/sec port blades (FC4-48): A 48 port Director port blade supporting 1, 2, and 4 Gbit/sec port speeds in chassis mode 5 with port and exchange-based routing. This port blade is only compatible with the 4/256 SAN Director CP blades.

  • Page 210: Obtaining Slot Information

    Table 56 lists the supported configuration options. Table 57 lists configuration options and resulting slot configurations. Table 56 Supported configuration options Option Number of Maximum number Supported port Supported Notes domains of ports per switch blades CP blades FC2-16, FC4-16 CP2 or CP4 Option 1 is the default...

  • Page 211: Configuring A New San Director 2/128 With Two Domains

    Connect to the switch and log in as user or admin. Enter the slotShow command to display the current status of each slot in the system. The format of the display includes a header and four fields for each slot. The fields and their possible values are: Slot Displays the physical slot number.

  • Page 212: Converting An Installed San Director 2/128 To Support Two Domains

    Connect to the switch and log in as admin. Enter the chassisConfig command without options to verify that the switch is configured with one domain. For example: switch:admin> chassisconfig Current Option: 1 Enter the chassisConfig command to configure two domains. Use the -f option to suppress prompting for uploading the configuration.

  • Page 213

    NOTE: This procedure restores most configuration parameters to factory defaults. After performing this procedure, you must check the new configuration and reconfigure those parameters that you customized in the old configuration.

  • Page 214: Setting The Blade Beacon Mode

    Setting the blade beacon mode When beaconing mode is enabled, the port LEDs will flash amber in a running pattern from port 0 through port 15 and back again. The pattern continues until the user turns it off. This can be used to locate a particular blade.

  • Page 215: Routing Traffic, About Data Routing And Routing Policies, Specifying The Routing Policy

    Routing traffic About data routing and routing policies Data moves through a fabric from switch to switch and storage to server along one or more paths that make up a route. Routing policies determine the correct path for each frame of data. Whatever routing policy a switch is using applies to the VE_Ports as well.

  • Page 216: Assigning A Static Route, Specifying Frame Order Delivery

    In the following example, the routing policy for a 400 MP Router is changed from exchange-based to port-based: switch:admin> aptpolicy Current Policy: 3 3: Default Policy 1: Port Based Routing Policy 3: Exchange Based Routing Policy switch:admin> switchdisable switch:admin> aptpolicy 1 Policy updated successfully.

  • Page 217: Using Dynamic Load Sharing

    NOTE: Certain devices do not tolerate out-of-order exchanges; in such cases, use the port-based routing policy. In a stable fabric, frames are always delivered in order, even when the traffic between switches is shared among multiple paths. However, when topology changes occur in the fabric (for example, if a link goes down), traffic is rerouted around the failure, and some frames could be delivered out of order.

  • Page 218: Viewing Routing Path Information

    Viewing routing path information The topologyShow and uRouteShow commands provide information about the routing path. Connect to the switch and log in as admin. Enter the topologyShow command to display the fabric topology, as it appears to the local switch. The following entries appear: switch:admin>...

  • Page 219

    SAN Director 2/128 and 4/256 SAN Director: Use the following syntax: slot portnumber domainnumber urouteshow [ The following entries appear: • Local Domain—Domain number of the local switch. • In Ports—Port from which a frame is received. • Domain—Destination domain of the incoming frame. •...

  • Page 220: Viewing Routing Information Along A Path

    Viewing routing information along a path You can display detailed routing information from a source port (or area) on the local switch to a destination port (or area) on another switch. This routing information describes the full path that a data stream travels between these ports, including all intermediate switches.

  • Page 221

    The information that pathInfo provides is: Hops The number of switch-to-switch links (ISLs) traversed. The local switch is hop 0. In Port The port that the frames come in from on this path. For hop 0, the source port. Domain ID The domain ID of the switch.

  • Page 222

    224 Routing traffic...

  • Page 223: Using The Fc-fc Routing Service, Supported Platforms

    Using the FC-FC routing service The FC-FC Routing (FCR) Service provides Fibre Channel routing between two or more fabrics without merging those fabrics. The FC-FC Routing Service can be simultaneously used as a Fibre Channel router and for SAN extension over wide area networks (WANs) using FCIP. FCR supports backbone to edge routing, allowing devices in the backbone to talk to devices on the edge fabric.

  • Page 224: Fibre Channel Routing Concepts

    Fibre Channel routing concepts Fibre Channel routing introduces the following concepts: • Logical Storage Area Networks (LSANs) An LSAN is defined by zones in two or more edge or backbone fabrics that contain the same device(s). You can create LSANs that can span fabrics. These LSANs enable Fibre Channel zones to cross physical SAN boundaries without merging the fabrics while maintaining the access controls of zones (refer to Figure...

  • Page 225

    Figure 10 shows a metaSAN consisting of three edge fabrics connected through a 4/256 SAN Director containing a B-Series MP Router blade with interfabric links. Figure 10 A metaSAN with interfabric links

  • Page 226

    • MetaSAN A metaSAN is the collection of SANs interconnected with Fibre Channel routers. A simple metaSAN can be constructed using a 400 MP Router, 4/256 SAN Director with a B-Series MP Router blade, or MP Router to connect two or more separate fabrics. Additional 400 MP Routers, 4/256 SAN Director with B-Series MP Router blades, or MP Router can be used to increase the available bandwidth between fabrics, and for redundancy.

  • Page 227: Proxy Devices

    Figure 11 shows another metaSAN consisting of a host in Edge SAN 1 connecting to storage in Edge SAN 2 through a backbone fabric connecting two 4/256 SAN Directors, each containing B-Series MP Router blades. Figure 11 Edge SANs connected through a backbone fabric

  • Page 228: Routing Types, Fibre Channel Nat And Phantom Domains

    Routing types • Edge-to-Edge Occurs when devices in one edge fabric communicate with devices in another edge fabric through one or more Fibre Channel routers. • Backbone-to-Edge Occurs when Fibre Channel routers connect to a common fabric—known as a backbone fabric—via E_Ports.

  • Page 229: Performing Verification Checks

    domains allows routing around path failures, including path failures through the routers. The multiple paths to an xlate domain provide additional bandwidth and redundancy. There are some differences in how the xlate domain is presented in the BB. The BB xlate domains are topologically connected to FC routers and participate in FC-Protocol in BB.

  • Page 230: Assigning Backbone Fabric Ids

    If configuring the 4/256 SAN Director with a B-Series MP Router blade, then enter the chassisConfig command to verify that the director is using configuration option 5. switch:admin_06> chassisconfig Current Option: 5 All Supported Options ---------------------------------------------------- Option 1: One 128-port switch Blade ID's 4, 17 in slots 1-4, 7-10 Blade ID's 5, 16 in slots 5-6 Option 5: One 256-port switch...

  • Page 231

    In addition to ensuring that the backbone fabric IDs are the same within the same backbone, you need to make sure that when two different backbones are connected to the same edge fabric, the backbone fabric IDs are different (but the edge fabric FID should be the same). Configuration of two backbones with the same backbone fabric ID that are connected to the same edge is invalid.

  • Page 232

    fabrics. Secure Fabric OS is an optional licensed product that provides customizable security restrictions through local and remote management channels on a Brocade fabric. The FC-FC Routing Service uses only the DH-CHAP shared secrets to provide switch-to-switch authentication when connecting to a Secure Fabric OS fabric. You can set up DH-CHAP on the edge fabric, but it is not a prerequisite for FCR to work.

  • Page 233: Configuring An Interfabric Link

    Following inputs should be specified for each entry. 1. WWN for which secret is being set up. 2. Peer secret: The secret of the peer that authenticates to peer. 3. Local secret: The local secret that authenticates peer. Press enter to start setting up secrets > Enter WWN, Domain, or switch name (Leave blank when done): 10:00:00:60:69:80:05:14 Enter peer secret: Re-enter peer secret:...

  • Page 234: Portcfgexport Options

    switch:admin> portcfgexport 7/10 -a 1 -f 30 switch:admin> portcfgexport 7/10 Port 7/10 info Admin: enabled State: NOT OK Pid format: Not Applicable Operate mode: Brocade Native Edge Fabric ID: Preferred Domain ID: Front WWN: 50:06:06:9e:20:38:6e:1e Fabric Parameters: Auto Negotiate R_A_TOV: Not Applicable E_D_TOV: Not Applicable...

  • Page 235

    For related FC-FC Routing commands, see fcrxlateconfig, fcrconfigure, and fcrproxyconfig in the Fabric OS Command Reference Manual. A Fibre Channel router can interconnect multiple fabrics. EX_Ports or VEX_Ports attached to more than one edge fabric must configure a different fabric ID for each edge fabric. At this point you have some options to consider before proceeding to the next step.

  • Page 236

    Preferred Domain ID: Front WWN: 50:06:06:9e:20:38:6e:1e Fabric Parameters: Auto Negotiate R_A_TOV: Not Applicable E_D_TOV: Not Applicable Authentication Type: None DH Group: N/A Hash Algorithm: N/A Edge fabric's primary wwn: N/A Edge fabric's version stamp: N/A switch:admin_06> portshow 7/10 portName: portHealth: OFFLINE Authentication: None EX_Port Mode: Enabled...

  • Page 237: Using Router Port Cost

    The fcrFabricShow command displays the static IPv6 addresses for each FC router and each edge fabric switch connected to the EX_Ports. fcr:admin> fcrfabricshow FCR WWN: 10:00:00:05:1e:13:59:00, Dom ID: 2, Info: 10.32.156.52 1080::8:800:200C:1234/64, "fcr_mars_9" EX_Port FID Neighbor Switch Info (WWN, enet IP, name) ------------------------------------------------------------------- 10:00:00:05:1e:34:11:e5 10.32.156.33 "mojo_10"...

  • Page 238: Port Cost Considerations

    To set and display the router port cost Disable any port on which you want to set the router port cost. Enable admin for the EX_Port/VEX_Port with portCfgExport or portCfgVexport commands. Enter the fcrRouterPortCost command to display the router port cost per EX_Port. switch:admin>...

  • Page 239: Setting A Proxy Pid, Matching Fabric Parameters

    higher router cost IFLs (for example ports 8–15). For VEX_Ports, you would use ports in the range of 16-23 or 24-31. You can connect multiple EX_Ports or VEX_Ports to the same edge fabric. The EX_Ports can all be on the same 400 MP Router or 4/256 SAN Director with a B-Series MP Router blade, or they can be on multiple routers.

  • Page 240: Supported Configurations And Platforms

    The default values for R_A_TOV and E_D_TOV are the recommended values for all but very large fabrics (ones requiring four or more hops) or high-latency fabrics (such as ones using long-distance FCIP links). Configuring EX_Port frame trunking (optional) In Fabric OS v5.2.x or later, you can configure EX_Ports to use frame based trunking just as you do regular E_Ports.

  • Page 241

    Upgrade and downgrade considerations Table 58 describes the upgrade and downgrade considerations for EX_Port Frame Trunking. Table 58 Trunking upgrade and downgrade considerations Upgrade or downgrade: A firmware downgrade from Fabric OS v5.2.x to Fabric OS v5.1.0. Consideration: If EX_Port trunking is on, prior to the firmware downgrade, the script displays a message requesting that you disable EX_Port trunking.

  • Page 242: Support

    To display EX_Port trunking information Log in as an admin and connect to the switch. Enter the switchShow command to display trunking information for the EX_Ports. fcr_switch:admin_06> switchshow The following is an example of a master EX_Port and a slave EX_Port displayed in switchShow. Index Slot Port Address Media Speed State ============================================== ee1000...

  • Page 243

    example, in Figure 1 1, when the zones for Edge SAN 1 are defined, you do not need to consider the zones in Edge SAN 2, and vice versa. Zones that contain hosts and targets that are shared between the two fabrics need to be explicitly coordinated.

  • Page 244

    The Local Name Server has 1 entry } Enter the zoneCreate command to create the LSAN lsan_zone_fabric75, which includes the host. switch:admin> zonecreate "lsan_zone_fabric75", "10:00:00:00:c9:2b:c9:0c" Enter the zoneAdd command to add Target A to the LSAN. FID75Domain5:admin> zoneadd "lsan_zone_fabric75", "50:05:07:61:00:5b:62:ed" Enter the cfgAdd or cfgCreate and cfgEnable commands to add and enable the LSAN configuration.

  • Page 245: Proxy Devices

    Fabric ID: 75 Zone Name: lsan_zone_fabric75 10:00:00:00:c9:2b:c9:0c EXIST 50:05:07:61:00:5b:62:ed Imported fcrPhyDevShow shows the physical devices in the LSAN. switch:admin> fcrphydevshow Device Physical Exists in Fabric ----------------------------------------- 75 10:00:00:00:c9:2b:c9:0c c70000 50:05:07:61:00:5b:62:ed 0100ef 50:05:07:61:00:5b:62:ed 0100e8 Total devices displayed: 3 fcrProxyDevShow shows the proxy devices in the LSAN. switch:admin>...

  • Page 246

    NOTE: This feature is supported only in a fabric with Fabric OS 5.3.0 and later Fibre Channel routers in the backbone. The fcrlsanmatrix command is local to a Fibre Channel router and its configuration data will be saved locally. The configuration is not distributed automatically to other Fibre Channel routers on the backbone. The fcrlsanmatrix command is used to configure each of the FCRs in the backbone that support this feature.

  • Page 247: Dual Backbone Configuration, Maximum Lsan Count

    fcrlsanmatrix --fabricview The following is an example: FCR:Admin > fcrlsanmatrix --fabricview LSAN MATRIX is activated Fabric ID 1 Fabric ID 2 -------------------------------------- Default LSAN Matrix: 1 2 8 See the Fabric OS Command Reference Manual for additional information on the fcrlsanmatrix command.

  • Page 248: Configuring Backbone Fabrics For Interconnectivity, Ha And Downgrade Considerations, Ipfc Over Fcr, Broadcast Configuration

    Configuring backbone fabrics for interconnectivity If you want devices in backbone fabrics to communicate with devices in edge fabrics, follow the steps in the section To set up LSAN zone binding, page 253. However, instead of configuring the LSAN in the second edge fabric, configure the LSAN in the backbone fabric.

  • Page 249: Monitoring Resources

    fcrbcastconfig command to set edge fabrics to receive broadcast frames. On switches with an earlier Fabric OS version than v5.3.0 that do not support broadcast zoning, the fcrbcastconfig command sets up inter-fabric broadcast frame forwarding on the FC router and prevents inter-fabric forwarding of broadcast frames to the switches running older versions of firmware.

  • Page 250

    • Displays the maximum pool size for translate phantom node and port WWNs and shows the number of translate node and port WWNs from this pool. • Phantom Node WWN—The display shows the maximum versus the currently allocated phantom switch node WWNs.

  • Page 251: Routing Echo

    Routing ECHO The FC-FC Routing Service enables you to route the ECHO generated when an fcPing command is issued on a switch, providing fcPing capability between two devices in different fabrics across the 400 MP Router or 4/256 SAN Director with a B-Series MP Router blade. To check for Fibre Channel connectivity problems On the edge Fabric OS switch, make sure that the source and destination devices are properly...

  • Page 252: Interoperability With Legacy Fcr Switches, Backward Compatibility

    Interoperability with legacy FCR switches The following interoperability considerations apply when administering legacy FCR switches in the same backbone (BB) fabric as switches supporting Fabric OS v5.2.x: • When a legacy switch is connected to the fabric, a RAS log message is issued indicating that the capability of the backbone (BB) fabric is lower as legacy FCR switches (those with XPath OS and Fabric OS v5.1) support lower capability limits.

  • Page 253: Administering Ficon Fabrics, Overview Of Fabric Os Support For Ficon

    Administering FICON fabrics Overview of Fabric OS support for FICON IBM Fibre Connections (FICON®) is an industry-standard, high-speed input/output (I/O) interface for intermix mode mainframe connections to storage devices. Fabric OS supports operations, in which FICON and Fibre Channel technology work together. For specific information about intermix mode and other aspects of FICON, refer to the IBM Redbook, FICON®...

  • Page 254: Supported Switches, Types Of Ficon Configurations

    authenticated using digital certificates and unique private keys provided to the Switch Link Authentication Protocol (SLAP). • Switch binding is a security method for restricting devices that connect to a particular switch. If the device is another switch, this is handled by the SCC policy. If the device is a host or storage device, the Device Connection Control (DCC) policy binds those devices to a particular switch.

  • Page 255

    Control Unit Port (CUP) Control Unit Port (CUP) protocol is used by IBM mainframe management programs to provide in-band management for FICON switches. When it is enabled, you can set up Directors in a FICON environment to be managed through IBM mainframe management programs. CUP is an optionally licensed feature available with Fabric OS v4.4.0 or later.

  • Page 256: Ficon Commands

    FICON commands Table 61 summarizes the Fabric OS CLI commands that can be used for managing FICON fabrics. For detailed information on these commands, refer to the Fabric OS Command Reference Manual. Table 61 Fabric OS commands related to FICON and FICON CUP Command Description Standard Fabric OS commands:...

  • Page 257: Configuring Switches

    NOTE: The Fabric OS CLI supports only a subset of the management features for FICON fabrics. The full set of FICON CUP administrative procedures is available using the Fabric Manager and Web Tools software features. You can also use an SNMP agent and the FICON Management Information Base (MIB). For information on these tools, refer to: •...

  • Page 258: Preparing A Switch, Configuring A Single Switch

    • Some 1-Gbit/sec storage devices cannot auto-negotiate speed with the 4/256 SAN Director, SAN Switch 4/32 or SAN Switch 4/32B ports. For these types of devices, configure ports that are connected to 1-Gbit/sec storage devices for fixed 1-Gbit/sec speed. Preparing a switch To verify and prepare a switch for use in a FICON environment, complete the following steps: Connect to the switch and log in as admin.

  • Page 259: Setting A Unique Domain Id

    CAUTION: If Security is enabled via the CLI in the FICON environment, then you should use the following syntax for the secModeEnable command: secmodeenable --lockdown=scc --currentpwd --fcs "*" Issuing the secModeEnable command as it appears above enables security and creates an SCC policy with all of the switches that currently reside in the fabric.

  • Page 260: Displaying Information, Link Incidents, Registered Listeners, Node Identification Data

    Respond to the remaining prompts (or press Ctrl-d to accept the other settings and exit). Enter the switchEnable command to re-enable the switch. switch:admin> configure Configure... Fabric parameters (yes, y, no, n): [no] yes Domain: (1..239) [3] 5 R_A_TOV: (4000..120000) [10000] E_D_TOV: (1000..5000) [2000] Data field size: (256..2112) [2112] Sequence Level Switching: (0..1) [0]...

  • Page 261: Fru Failures, Swapping Ports, Clearing The Ficon Management Database

    FRU failures To display FRU failure information, connect to the switch, log in as admin, and enter one of the following commands: • For the local switch: ficonshow ilir • For all switches defined in the fabric: ficonshow ilir fabric Swapping ports If a port malfunctions, or if you want to connect to different devices without having to re-wire your swap ports...

  • Page 262: Using Ficon Cup, Setup Summary

    Using FICON CUP Host-based management programs manage switches using CUP protocol by sending commands to an emulated control device in Fabric OS. A switch that supports CUP can be controlled by one or more host-based management programs. A mode register controls the behavior of the switch with respect to CUP itself, and with respect to the behavior of other management interfaces.

  • Page 263: Enabling And Disabling Ficon Management Server Mode

    Enabling and disabling FICON management server mode To enable fmsmode: Connect to the switch and log in as admin. Enter ficoncupset fmsmode enable. To disable fmsmode: Connect to the switch and log in as admin. Enter ficoncupset fmsmode disable. The fmsmode setting can be changed whether the switch is offline or online. If fmsmode is changed while the switch is online, a device reset is performed for the control device and an RSCN is generated with PID 0xDDFE00 (where 0xDD is the domain ID of the switch).

  • Page 264: Displaying The Fmsmode Setting

    Changing fmsmode from enabled to disabled triggers the following events: A device reset is performed on the control device. PDCM is no longer enforced. RSCNs might be generated to some devices if PDCM removal results in changes to connectivity between a set of ports. If a given port was set to “Block”...

  • Page 265: Displaying Mode Register Bit Settings

    Displaying mode register bit settings The mode register bits are described in Table 62 Table 62 FICON CUP mode register bits POSC Programmed offline state control. When this bit is set on, the host is prevented from taking the switch offline. The default setting is 1 (on). User alert mode.

  • Page 266: Setting Mode Register Bits

    Setting mode register bits Use the ficoncupset modereg command to set the FICON CUP mode register bits for the local switch. Consider the following when changing mode register bits: • As required by the CUP protocol, the UAM bit cannot be changed using this command. •...

  • Page 267: Port And Switch Naming Standards, Adding And Removing Ficon Cup Licenses, Zoning And Pdcm Considerations

    Port and switch naming standards Fabric OS handles differences in port and switch naming rules between CUP and itself as follows: • CUP employs 8-bit characters in port address names and switch names; Fabric OS employs 7-bit characters. When fmsmode is enabled, all characters greater than 0x40 and not equal to 0xFF (EBCDIC code page 37 [0x25]) are allowed in the name;...

  • Page 268: Troubleshooting

    Troubleshooting The following sources provide useful problem-solving information: • The standard support commands (portLogDump, supportSave, supportShow) or the Fabric Manager Event Log By default, the FICON group in the supportShow output is disabled. To enable the capture of FICON data in the supportShow output, enter the supportshowcfgenable ficon command. After you get confirmation that the configuration has been updated, the following will be collected and appear in the output for the supportShow command: •...

  • Page 269: Backing Up Ficon Files, Recording Configuration Information

    Backing up FICON files The FICON file access facility is used to store configuration files. This includes IPL and other configuration files. The Fabric OS saves the IPL and all other configuration files on the switch. A maximum of 16 configuration files, including the IPL file, are supported.

  • Page 270

    Table 63 FICON switch configuration worksheet FICON® Switch Manufacturer:___________________Type: _________ Model: ______ S/N: ________ HCD Defined Switch ID_________(Switch ID) Cascaded Directors No _____Yes _____ FICON® Switch Domain ID_________(Switch @) Corresponding Cascaded Switch Domain ID _____ Fabric Name ________________________________ ®...

  • Page 271

    Sample IOCP configuration file for SAN Switch 2/32, SAN Switch 4/32, SAN Director 2/128, and 4/256 SAN Director switches The channel subsystem controls communication between a configured channel, the control unit, and the device. The I/O Configuration Dataset (IOCDS) defines the channels, control units, and devices to the designated logical partitions (LPARs) within the server;...

  • Page 272: Sample Rmf Configuration File For Mainframe

    In the following sample IOCP configuration file, the UNIT value for FICON CUP definitions is 2032 for any FICON Director regardless of vendor or platform. So all SAN Switch 2/32, SAN Switch 4/32, SAN Switch 4/32B, or SAN Director 2/128 switches require UNIT=2032 for the CUP definition. All Domain IDs are specified in hex values in the IOCP (and not in decimal values);...

  • Page 273

    /****************************************************************** ***/ /* MONITOR I OPTIONS O N L Y /****************************************************************** ***/ /* FICON Director CHAN /* COLLECT CHANNEL STATISTICS /* COLLECT CPU STATISTICS CYCLE(1000) /* SAMPLE ONCE EVERY SECOND DEVICE(NOSG) /* PREVENT SORT OF STORAGE GROUPS*/ DEVICE(NOCHRDR) /* CHARACTER READER STATISTICS WILL NOT BE COLLECTED DEVICE(COMM) /* COMMUNICATION EQUIPMENT STATS.

  • Page 274


  • Page 275: Configuring The Distributed Manager Server, Enabling And Disabling The Platform Services

    Configuring the distributed manager server The Fabric OS Distributed Management Server allows a SAN management application to retrieve information and administer interconnected switches, servers, and storage devices. The management server assists in the autodiscovery of switch-based fabrics and their associated topologies. A client of the management server can find basic information about the switches in the fabric and use this information to construct topology relationships.

  • Page 276: Controlling Access

    To disable platform services Connect to the switch and log in as admin. Enter the msplMgmtDeactivate command. Press y to confirm deactivation. switch:admin> msplmgmtdeactivate MS Platform Service is currently enabled. This will erase MS Platform Service configuration information as well as database in the entire fabric. Would you like to continue this operation? (yes, y, no, n): [no] y Request to deactivate MS Platform Service in progress..

  • Page 277

    To add a member to the ACL Connect to the switch and log in as admin. Enter the msConfigure command. The command becomes interactive. At the select prompt, enter 2 to add a member based on its port/node WWN. Enter the WWN of the host to be added to the ACL. At the prompt, enter 1 to verify the WWN you entered was added to the ACL.

  • Page 278: Configuring The Server Database

    Press Enter to update the nonvolatile memory and end the session. switch:admin> msconfigure Done Display the access list Add member based on its Port/Node WWN Delete member based on its Port/Node WWN select : (0..3) [1] 3 Port/Node WWN (in hex): [00:00:00:00:00:00:00:00] 20:00:00:20:37:65:ce:aa *WWN is successfully deleted from the MS ACL.

  • Page 279: Controlling Topology Discovery

    The contents of the management server platform database are displayed. switch:admin> msplatshow ----------------------------------------------------------- Platform Name: [9] "first obj" Platform Type: 5 : GATEWAY Number of Associated M.A.: 1 [35] "http://java.sun.com/products/plugin" Number of Associated Node Names: 1 Associated Node Names: 10:00:00:60:69:20:15:71 ----------------------------------------------------------- Platform Name: [10] "second obj"...

  • Page 280

    Press y to disable the discovery feature. Enter the mstdDisable all command to disable the discovery feature on the entire fabric. Press y to disable the discovery feature. NOTE: Disabling management server topology discovery might erase all NID entries. switch:admin> mstddisable This may erase all NID entries.

  • Page 281: Working With Diagnostic Features, About Fabric Os Diagnostics, Viewing Power-on Self Test

    Working with diagnostic features This chapter provides information on diagnostics and how to display system, port, and specific hardware information. It also describes how to set up system logging mapping (syslogd) and how to set up the offloading of error messages (supportSave). About Fabric OS diagnostics The purpose of the diagnostic subsystem is to evaluate the integrity of the system hardware.

  • Page 282: Viewing Switch Status

    The following example shows a typical boot sequence, including POST messages: The system is coming up, please wait... Read board ID of 0x80 from addr 0x23 Read extended model ID of 0x16 from addr 0x22 Matched board/model ID to platform index 4 PCI Bus scan at bus 0 Checking system RAM - press any key to stop test Checking memory address: 00100000...

  • Page 283

    To view the overall status of the switch Connect to the switch and log in as admin. Enter the switchStatusShow command: switch:admin> switchstatusshow Switch Health Report Report time: 03/21/2005 03:50:36 PM Switch Name: SWFCR IP address: 10.33.54.176 SwitchState: MARGINAL Duration: 863:23 Power supplies monitor MARGINAL...

  • Page 284: Viewing Port Information

    To display the uptime for a switch Connect to the switch and log in as admin. At the command line, enter the uptime command: switch:admin> uptime 4:43am up 1 day, 12:32, 1 user, load average: 1.29, 1.31, 1.27 switch:admin> The uptime command displays the length of time the system has been in operation, the total cumulative amount of uptime since the system was first powered-on, the date and time of the last reboot (applies only to FOS v3.x and v2.6.x systems), the reason for the last reboot (applies only to FOS v3.x and v2.6.x systems), and the load average over the past one minute (1.29 in the preceding example), five minutes...

  • Page 285

    To display the port statistics Connect to the switch and log in as admin. At the command line, enter the portStatsShow command. Port statistics include information such as number of frames received, number of frames sent, number of encoding errors received, and number of class 2 and class 3 frames received. Refer to the Fabric OS Command Reference Manual for additional portStatsShow command information, such as the syntax for slot or port numbering.

  • Page 286

    To display a summary of port errors for a switch Connect to the switch and log in as admin. At the command line, enter the portErrShow command. Refer to the Fabric OS Command Reference Manual for additional portErrShow command information. switch:admin>...

  • Page 287: Viewing Equipment Status

    Error Type Description frjt Frames rejected with F_RJT fbsy Frames busied with F_BSY Viewing equipment status You can display status for fans, power supply, and temperature. NOTE: The number of fans, power supply units, and temperature sensors depends on the switch type. For detailed specifications on these components, refer to the switch install guide.

  • Page 288: Viewing The System Message Log

    To display temperature status Connect to the switch and log in as admin. At the command line, enter the tempShow command: switch:admin> tempshow Index Status Centigrade Fahrenheit ---------------------------------------------------- switch:admin> Information displays for each temperature sensor in the switch. The possible temperature status values are: OK—Temperature is within acceptable range.

  • Page 289: Viewing The Port Log

    Viewing the port log The Fabric OS maintains an internal log of all port activity. The port log stores entries for each port as a circular buffer. Each port has space to store 8000 log entries. When the log is full, the newest log entries overwrite the oldest log entries.

  • Page 290: Configuring For Syslogd, Configuring The Host

    Because a portLogDump output is long, a truncated example is presented: switch:admin> portlogdump task event port cmd args ------------------------------------------------- 16:30:41.780 PORT Rx 9 40 02fffffd,00fffffd,0061ffff,14000000 16:30:41.780 PORT Tx 9 0 c0fffffd,00fffffd,0061030f 16:30:42.503 PORT Tx 9 40 02fffffd,00fffffd,0310ffff,14000000 16:30:42.505 PORT Rx 9 0 c0fffffd,00fffffd,03100062 16:31:00.464 PORT Rx 9 20 02fffc01,00fffca0,0063ffff,01000000 16:31:00.464 PORT Tx 9 0 c0fffca0,00fffc01,00630311 16:31:00.465 nsd ctin 9 fc 000104a0,0000007f...

  • Page 291: Configuring The Switch

    /etc/syslog.conf In this example, Fabric OS messages map to local7 facility level 7 in the file: local7.emerg /var/adm/swcritical local7.alert /var/adm/alert7 local7.crit /var/adm/crit7 local7.err /var/adm/swerror local7.warning /var/adm/swwarning local7.notice /var/adm/notice7 local7.info /var/adm/swinfo local7.debug /var/adm/debug7 If you prefer to map Fabric OS severities to a different UNIX local7 facility level, see ”To set the facility level”...

  • Page 292: Viewing And Saving Diagnostic Information, Setting Up Automatic Trace Dump Transfers

    Viewing and saving diagnostic information Enter the supportShow command to dump important diagnostic and status information to the session screen, where you can review it or capture its data. To save a set of files that customer support technicians can use to further diagnose the switch condition, enter the supportSave command.

  • Page 293

    To enable the automatic transfer of trace dumps Connect to the switch and log in as admin. Enter the following command: switch:admin> traceftp -e To set up periodic checking of the remote server Connect to the switch and log in as admin. Enter the following command: interval switch:admin>...

  • Page 294


  • Page 295: About Troubleshooting, Most Common Problem Areas

    Troubleshooting This chapter provides information on troubleshooting and the most common procedures used to diagnose and recover from problems. It also includes specific troubleshooting scenarios as examples. About troubleshooting Troubleshooting should begin at the center of the SAN — the fabric. Because switches are located between the hosts and storage devices and have visibility into both sides of the storage network, starting with them can help narrow the search path.

  • Page 296: Gathering Information For Technical Support, Troubleshooting Questions

    Gathering information for technical support If you are troubleshooting a production system, you need to gather data quickly. As soon as a problem is observed, perform the following tasks (if using a dual CP system, run the commands on both CPs): Enter the supportSave command to save RASLOG, TRACE, and supportShow (active CP only) information for the local CP to a remote FTP location.

  • Page 297: Analyzing Connection Problems

    Use the following steps to retrieve as much of the following informational items as possible prior to contacting HP. Switch information: • Serial number (located on the chassis) • World Wide Name (obtain using licenseIdShow or wwn commands) • Fabric OS version (obtain using the version command) •...

  • Page 298

    Regardless of the device’s zoning, the fcPing command sends the ELS frame to the destination port. A device can take any one of the following actions: • Send an ELS Accept to the ELS request. • Send an ELS Reject to the ELS request. •...

  • Page 299

    To check the Name Server (NS) Enter the nsShow command on the switch to which the device is attached: The Local Name Server has 9 entries { Type Pid PortName NodeName TTL(sec) 021a00; 2,3;20:00:00:e0:69:f0:07:c6;10:00:00:e0:69:f0:07:c6; 895 Fabric Port Name: 20:0a:00:60:69:10:8d:fd 051edc; 3;21:00:00:20:37:d9:77:96;20:00:00:20:37:d9:77:96;...

  • Page 300: To Check For Zoning Problems, Restoring A Segmented Fabric, To Reconcile Fabric Parameters Individually

    To check for zoning problems Enter the cfgActvShow command to determine if zoning is enabled. If zoning is enabled, it is possible that the problem is being caused by zoning enforcement (for example, two devices in different zones cannot see each other). Confirm that the specific edge devices that need to communicate with each other are in the same zone.

  • Page 301: To Download A Correct Configuration, To Reconcile A Domain Id Conflict, Correcting Zoning Setup Issues

    Enter the configure command to edit the fabric parameters for the segmented switch. Refer to the Fabric OS Command Reference Manual for more detailed information. Enable the switch by entering the switchEnable command. Alternatively, you can reconcile fabric parameters by entering the configUpload command for each switch.

  • Page 302: To Correct A Fabric Merge Problem Quickly, To Verify A Fabric Merge Problem

    Table 67 summarizes commands that are useful for debugging zoning issues. Table 67 Commands for debugging zoning Command Function Use to create a zone alias. aliCreate Use to delete a zone alias. aliDelete Use to create a zone configuration. cfgCreate Displays zoning configuration.

  • Page 303: To Edit Zone Configuration Members, To Reorder The Zone Member List, Recognizing Mq-write Errors

    To edit zone configuration members Log in to one of the switches in a segmented fabric as admin. Enter the cfgShow command. Print the output from the cfgShow command. Start another telnet session and connect to the next fabric as an administrator. Run the cfgShow command.

  • Page 304: To Check Fan Components, To Check The Switch Temperature, To Check The Power Supply

    Correcting I²C bus errors I²C bus errors generally indicate defective hardware or poorly seated devices or blades; the specific item is listed in the error message. Refer to the Fabric OS System Error Message Reference Manual for information specific to the error that was received. Some CPT and Environmental Monitor (EM) messages contain I²C-related information.

  • Page 305: Correcting Device Login Issues

    Correcting device login issues To try to pinpoint problems with device logins, use this procedure: Log in to the switch as admin. Enter the switchShow command; then, check for correct logins: switch:admin> switchshow switchName: sw094135 switchType: 26.1 switchState: Online switchMode: Native switchRole: Principal...

  • Page 306

    Enter the portErrShow command; then, check for errors that can cause login problems. switch:admin> porterrshow frames enc disc link loss loss frjt fbsy err shrt long c3 fail sync ===================================================================== 58k 111k 3.5g 3.5g 2.0k • A high number of errors relative to the frames transmitted and frames received can indicate a marginal link (refer to ”Correcting marginal links”...

  • Page 307

    Enter the portFlagsShow command; then, check to see how a port has logged in and where a login failed (if a failure occurred): switch:admin> portflagsshow Slot Port SNMP Physical Flags ------------------------------------ 0 Offline No_Module PRESENT U_PORT LED 1 Offline No_Module PRESENT U_PORT LED 2 Offline No_Module...

  • Page 308

    Enter the portLogDumpPort portid command where the port ID is the port number; then, view the device to switch communication. switch:admin> portlogdumpport 10 time task event port cmd args ------------------------------------------------- 12:38:21.590 SPEE 00000000,00000000,00000000 12:38:21.591 SPEE 000000ee,00000000,00000000 12:38:21.611 SPEE 00000001,00000000,00000000 12:38:21.871 SPEE 00000002,00000000,00000001 12:38:21.872...

  • Page 309: Identifying Media-related Issues, To Test A Port's External Transmit And Receive Path

    Identifying media-related issues This section provides procedures that help pinpoint any media-related issues in the fabric. The tests listed in Table 68 are a combination of structural and functional tests that can be used to provide an overview of the hardware components and help identify media-related issues. •...

  • Page 310: To Test Components To And From The Hba, To Test A Switch's Internal Components

    To test a switch’s internal components Connect to the switch and log in as admin. Connect the port you want to test to any other switch port with the cable you want to test. Enter the crossporttest -lb_mode 5 command where 5 is the operand that causes the test to be run on the internal switch components (this is a partial list—refer to the Fabric OS Command Reference Manual for additional command information): [-nframes count]—Specify the number of frames to send.

  • Page 311: Correcting Link Failures, To Determine If The Negotiation Was Successfully Completed

    Correcting link failures A link failure occurs when a server or storage is connected to a switch, but the link between the server/storage and the switch does not come up. This prevents the server/storage from communicating through the switch. If the switchShow command or LEDs indicate that the link has not come up properly, use one or more of the following procedures.

  • Page 312: To Correct A Port That Has Come Up In The Wrong Mode

    Skip point-to-point initialization. The switch changes to point-to-point initialization after the Loop Initialization Soft Assigned (LISA) phase of the loop initialization. This behavior sometimes causes trouble with old HBAs. If this is the case, then: Skip point-to-point initialization by using the portCfgLport command. To check for a point-to-point initialization failure Enter the switchShow command to confirm that the port is active and has a module that is synchronized.

  • Page 313: Correcting Marginal Links

    Correcting marginal links A marginal link involves the connection between the switch and the edge device. Isolating the exact cause of a marginal link involves analyzing and testing many of the components that make up the link (including the switch port, switch SFP, cable, the edge device, and the edge device SFP). To troubleshoot a marginal link: Enter the portErrShow command.

  • Page 314: Inaccurate Information In The System Message Log

    You will need an adapter to run the loopback test for the SFP. Otherwise, run the portloopbacktest on the marginal port using the loopback mode lb=5. Refer to the Fabric OS Command Reference Manual for additional information. Loopback mode Description Port Loopback (loopback plugs) External (SERDES) loopback Internal (parallel) loopback (indicates no external...

  • Page 315: Port Mirroring

    • VE_Port—Functions somewhat like an E_Port, but terminates at the switch and does not propagate fabric services or routing topology information from one edge fabric to another. • VEX_Port—A type of VE_Port that connects a Fibre Channel router to an edge fabric. From the point of view of a switch in an edge fabric, a VEX_Port appears as a normal VE_Port.

  • Page 316: Supported Hardware

    Supported hardware Port mirroring is supported on Condor-based ASIC platforms, including: • SAN Switch 4/32 • SAN Switch 4/32B • 4/64 SAN Switch • 400 MP Router • 4/256 SAN Director with chassis option 5 Port mirroring can be used on the following blades within a chassis: •...

  • Page 317: How Port Mirroring Works

    How port mirroring works Port mirroring reroutes the data frames between two devices to the mirror port. Rerouting introduces latency for the data flow. The latency depends on the location of the mirror port. For a given port, the traffic received from the point of view of the switch can be captured before leaving this ASIC.

  • Page 318: Port Mirroring Considerations

    There are two types of transmit filter installation: • If the E_Port is on the same chip, port mirroring installs an egress (transmitted information) filter on the source port. • If the E_Port is on a different chip, port mirroring installs the filter on the C_Ports of the other chip. To better explain how the transmit filter works on each of these types, the method used for both types is described as follows: •...

  • Page 319: Creating, Deleting, And Displaying Port Mirroring

    Creating, deleting, and displaying port mirroring The following section describes how to use the port mirroring feature in the fabric. The method for adding a port mirror connection between two local switch ports and between a local switch port and a remote switch port is the same. To add a port mirror connection Log in to the switch as admin.

  • Page 320

    The switchShow command output shows the mirror port as shown in the following example. switch:admin> switchshow switchName:ESS118 switchType: 42.2 switchState: Online switchMode: Native switchRole:Subordinate switchDomain: 121 switchId:fffc79 switchWwn:10:00:00:60:69:e4:00:a0 zoning:ON (c) switchBeacon: OFF blade2 Beacon: Area Slot Port Media Speed State ===================================== --N4 No_Module...

  • Page 321: Administering Npiv, Enabling And Disabling Npiv, Configuring Npiv

    Administering NPIV N-Port ID Virtualization (NPIV) enables a single Fibre Channel protocol port to appear as multiple, distinct ports, providing separate port identification within the fabric for each operating system image behind the port (as if each operating system image had its own unique physical port). NPIV assigns a different virtual port ID to each Fibre Channel protocol device.

  • Page 322: Configuration Scenarios, Viewing Npiv Port Configuration Information

    The following example shows the configuration of these parameters: switch:admin> switchdisable switch:admin> configure Configure... Fabric parameters (yes, y, no, n): [no] Virtual Channel parameters (yes, y, no, n): [no] F-Port login parameters (yes, y, no, n): [no] y Maximum logins per switch: (1..4032) [4032] 2048 Maximum logins per port: (1..255) [255] 126 switch:admin>...

  • Page 323

    output indicates whether or not a port is an NPIV F_Port, and identifies the number of virtual N_Ports behind it. Following is sample output from the switchShow command: switch: admin> switchshow switchName:swd77 switchType:32.0 switchState: Online switchMode:Native switchRole:Principal switchDomain: 99 switchId:fffc63 switchWwn:10:00:00:05:1e:35:37:40 zoning: switchBeacon:OFF...

  • Page 324: Displaying Login Information

    Use the portShow command to view the NPIV attributes and all the N_Port (physical and virtual) port WWNs under “portWwn of device(s) connected.” Following is sample output for portShow: switch:admin> portshow 2 portName: 02 portHealth: HEALTHY Authentication: None portDisableReason: None portCFlags: 0x1 portFlags: 0x24b03 PRESENT ACTIVE F_PORT G_PORT NPIV LOGICAL_ONLINE LOGIN NOELP LED ACCEPT...

  • Page 325: Administering Advanced Performance Monitoring

    Administering Advanced Performance Monitoring (APM) Based on Frame Filtering technology and a unique performance counter engine, Advanced Performance Monitoring (APM) is a comprehensive tool for monitoring the performance of networked storage resources. It supports direct-attach, loop, and switched fabric Fibre Channel SAN topologies by: •...

  • Page 326

    Table 72 lists commands associated with Advanced Performance Monitoring. Advanced Performance Monitor commands are available only to users with the admin or switchAdmin roles. For detailed information on these commands, refer to the Fabric OS Command Reference Manual. Table 72 APM commands Command Description...

  • Page 327: Displaying And Clearing The Crc Error Count, Monitoring End-to-end Performance

    Displaying and clearing the CRC error count You can use the perfShowAlpaCrc command to display the CRC error count for all AL_PA devices or for a single AL_PA on a specific active L_Port. Example: Displaying the CRC error count for all AL_PA devices on a port switch:admin>...

  • Page 328: Adding End-to-end Monitors

    Adding end-to-end monitors An end-to-end monitor counts the following items for a port: number of words received, number of words transmitted, and number of CRC errors detected in frames. 4/16 SAN Switch and 4/8 SAN Switch, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, and SAN Director 2/128 models allow up to eight end-to-end monitors.

  • Page 329: Setting A Mask For End-to-end Monitors

    Add Monitor 0 to slot 2, port 2 on Switch x, specifying 0x051200 as the SID and 0x111eef as the DID, as shown in the following example: Monitor 0 counts the frames that have an SID of 0x051200 and a DID of 0x111eef. For monitor 0, RX_COUNT is the number of words from Host A to Dev B, TX_COUNT is the number of words from Dev B to Host A, and CRC_COUNT is the number of frames in both directions with CRC errors.

  • Page 330: Deleting End-to-end Monitors

    The mask is applied to all end-to-end monitors on the port. Individual masks for each monitor on the port cannot be specified. Figure 21 Mask positions for end-to-end monitors Received by port Transmitted from port SID mask DID mask SID mask DID mask perfsetporteemask 1/2, “00:00:ff”...

  • Page 331: Monitoring Filter-based Performance, Adding Standard Filter-based Monitors

    Monitoring filter-based performance Filter-based performance monitoring counts the number of times a frame with a particular pattern is transmitted by a port. Filter-based monitoring is achieved by configuring a filter for a particular purpose. The filter can be a standard filter (for example, a SCSI read command filter that counts the number of SCSI read commands that have been transmitted by the port) or a user-defined filter customized for your particular use.

  • Page 332

    Example: Add filter-based monitors to slot 1, port 2 and display the results switch:admin> perfaddreadmonitor 1/2 SCSI Read filter monitor #0 added switch:admin> perfaddwritemonitor 1/2 SCSI Write filter monitor #1 added switch:admin> perfaddrwmonitor 1/2 SCSI Read/Write filter monitor #2 added switch:admin>...

  • Page 333: Deleting Filter-based Monitors

    • 4/16 SAN Switch and 4/8 SAN Switch models (Fabric OS v5.0.1) Up to 7 different offsets per port (6 offsets when FMS is enabled). You can specify up to four values to compare against each offset. If more than one offset is required to properly define a filter, the bytes found at each offset must match one of the given values for the filter to increment its counter.

  • Page 334: Monitoring Isl Performance, Monitoring Trunks

    The following example displays the monitors on slot 1, port 4 using the perfShowFilterMonitor command (the monitor numbers are listed in the KEY column) and deletes monitor number 1 on slot 1, port 4 using the perfDelFilterMonitor command: switch:admin> perfshowfiltermonitor 1/4 There are 4 filter-based monitors defined on port 4.

  • Page 335: Displaying Monitor Counters

    Displaying monitor counters Use the perfMonitorShow command to display the monitors on a specified port. For end-to-end counters, you can display either the cumulative count of the traffic detected by the monitors or a snapshot of the traffic at specified intervals. NOTE: 4/16 SAN Switch and 4/8 SAN Switch, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, SAN Switch 4/32B, 4/64 SAN...

  • Page 336: Administering Advanced Performance Monitoring (apm)

    Example: Displaying EE monitors on a port switch:admin> perfMonitorShow --class EE 4/5 There are 7 end-to-end monitor(s) defined on port 53. OWNER_APP OWNER_IP_ADDR TX_COUNT RX_COUNT CRC_COUNT ------------------------------------------------------------------------------------------------------------ 0x58e0f 0x1182ef TELNET 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x21300 0x21dda TELNET 0x00000004d0ba9915 0x0000000067229e65 0x0000000000000000 0x21300 0x21ddc TELNET 0x00000004d0baa754...

  • Page 337: Clearing Monitor Counters

    Clearing monitor counters Before you clear statistics counters, verify the valid monitor numbers on a specific port using the perfMonitorShow command, to make sure the correct monitor counters are cleared. To clear statistics counters for all or a specified monitor, use the perfMonitorClear command. After the command has been executed, the telnet shell confirms that the counters on the monitor have been cleared.

  • Page 338: Saving And Restoring Monitor Configurations, Collecting Performance Data

    Saving and restoring monitor configurations To save the current end-to-end and filter monitor configuration settings into nonvolatile memory, use the perfCfgSave command: switch:admin> perfcfgsave This will overwrite previously saved Performance Monitoring settings in FLASH. Do you want to continue? (yes, y, no, n): [no] y Please wait ...

  • Page 339: Administering Extended Fabrics, About Extended Link Buffer Allocation

    Administering Extended Fabrics This chapter contains procedures for using the Extended Fabrics licensed feature, which extends the distance that interswitch links (ISLs) can reach over a dark fiber or DWM connection. The Extended Fabrics feature is not used over FCIP connections over IP WANs. To use extended ISL modes, you must first install the Extended Fabrics license.

  • Page 340: Fabric Considerations, Choosing An Extended Isl Mode

    Configuring Directors, page 203 for details about port blade nomenclature. For the following switches, buffer credits are used by all ports on the chip. Buffer-limited port technology allows all ports to remain operational, even when extended links are in use. •...

  • Page 341

    Extended ISL modes for switches that integrate the Bloom ASIC Table 75 lists the extended ISL modes for switches that have a Bloom ASIC. You can configure extended ISL modes with the portCfgLongDistance command when the Extended Fabrics license is activated. Table 75 Extended ISL modes: 3xxx switches (Bloom and Bloom II ASICs) Mode Buffer allocation...

  • Page 342

    Extended ISL modes for 4/8 or 4/16 SAN Switches (Goldeneye ASIC) Table 76 lists the extended ISL modes for the 4/8 SAN Switch or 4/16 SAN Switch (Goldeneye ASIC). Table 76 4/8 SAN Switch or 4/16 SAN Switch extended ISL modes (Goldeneye ASIC) Mode Buffer allocation Distance @ 1...

  • Page 343: Configuring External Ports

    Extended ISL modes for 4/32B SAN Switch, 400 MP Router, 4/256 SAN Director switches, and FR4-18i blade (Condor ASIC) Table 77 lists the extended ISL modes for switches and blades that have a Condor ASIC. Table 77 Extended ISL modes: 4/32B SAN Switch, 400 MP Router, 4/256 SAN Director switches, FR4-18i blades (Condor ASIC) Mode Buffer allocation Distance @ 1...

  • Page 344

    SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, SAN director 2/128, and 4/256 SAN Director (FC2-16 port blades) Table 79 lists the number of ports that can be configured per port group at various distances. Table 79 SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, SAN director 2/128, and 4/256 (FC2-16 port blades) SAN Director...

  • Page 345

    Brocade 4Gb SAN Switch for c-Class BladeSystem Table 82 lists the number of ports that can be configured at various distances. Note that for the Brocade 4Gb SAN Switch for c-Class BladeSystem, exact distances (rather than set, incremental distances) are used. Table 82 Brocade 4Gb SAN Switch for c-Class BladeSystem Speed...

  • Page 346

    4/256 SAN Director (FC4-16 port blades) Table 86 lists the number of ports that can be configured at various distances. Table 86 4/256 SAN Director (FC4-16 blades) Speed Number of ports allowed at distance (km) (Gbps) 10 km 25 km 50 km...

  • Page 347: Configuring An Extended Isl

    4/256 SAN Director (FR4-18i blades) For the FR4-18i blade, long distance settings are applicable only to the physical FC_Ports (ports 0-15). Long distance settings are not applicable to virtual FC_Ports (ports 16-31). Table 90 lists the number of ports that can be configured at various distances.

  • Page 348

    Where: slotnumber Specify the slot number for SAN Director 2/128 and 4/256 SAN Director. This option is not applicable to fixed-port switches. The slot number must be followed by a slash (/) and the port number. portnumber Specify the port number. distance_level The value of distance_level can be one of the following (the numerical value representing each distance_level is shown in...

  • Page 349

    desired_distance Specify the desired distance, in kilometers, for the link. desired_distance is a required parameter to configure a port as an LD and LS-mode link. For an LD-mode link, the desired distance is used as the upper limit of the link distance to calculate buffer availability for other ports in the same port group.

  • Page 350

    362 Administering Extended Fabrics...

  • Page 351: Administering Isl Trunking

    Administering ISL Trunking This chapter contains procedures for using the ISL Trunking licensed feature, which optimizes the use of bandwidth by allowing a group of interswitch links to merge into a single logical link. Overview ISL Trunking reduces or eliminates situations that require static traffic routes and individual ISL management to achieve optimal performance.

  • Page 352: Standard Trunking Criteria

    Connections between SAN Switch 4/32, SAN Switch 4/32B, 4/64 SAN Switch, and 4/256 SAN Director (using FC4-16 and FC4-32 port blades) models support these advanced features: • Up to eight ports in one trunk group to create high performance 32-Gbit/sec ISL trunks between switches •...

  • Page 353: Initializing Trunking On Ports

    • Each physical ISL uses two ports that could otherwise be used to attach node devices or other switches. • Trunking groups can be used to resolve ISL oversubscription if the total capability of the trunking group is not exceeded. •...

  • Page 354: Monitoring Traffic

    Monitoring traffic To implement ISL Trunking effectively, you must monitor fabric traffic to identify congested paths or to identify frequently dropped links. While monitoring changes in traffic patterns, you can adjust the fabric design accordingly, such as by adding, removing, or reconfiguring ISLs and trunking groups in problem areas.

  • Page 355: Enabling And Disabling Isl Trunking

    Enabling and disabling ISL trunking You can enable or disable ISL Trunking for a single port or for an entire switch. When you execute the commands portCfgTrunkPort or switchCfgTrunk to update the trunking configuration, the ports for which the configuration applies are disabled and re-enabled with the new trunk configuration. As a result, traffic through those ports could be disrupted.

  • Page 356: Setting Port Speeds

    Setting port speeds For long-distance ports, if a port is set to autonegotiate port speed, the maximum speed (which is 4 Gbit/sec) is assumed for reserving buffers for the port–this wastes buffers if the port is actually running at 2 Gbit/sec.

  • Page 357: Displaying Trunking Information

    To set the speed for all of the ports on the switch Connect to the switch and log in as admin. Enter the switchCfgSpeed command. The format is: switchcfgspeed speedlevel where speedlevel specifies the speed of the link: • 0—Auto-negotiating mode. The port automatically configures for the highest speed.

  • Page 358: Trunking Over Extended Fabrics, Trunking Distances

    This example shows three trunking groups (1, 2, and 3); ports 1, 4, and 14 are masters: switch:admin> trunkshow 1: 1 -> 10:00:00:60:69:04:10:83 deskew 16 Master 0 -> 10:00:00:60:69:04:10:83 deskew 15 2: 4 -> 10:00:00:60:69:04:01:94 deskew 16 Master 5 -> 10:00:00:60:69:04:01:94 deskew 15 7 ->...

  • Page 359: Troubleshooting Trunking Problems, Listing Link Characteristics, Recognizing Buffer Underallocation

    Troubleshooting trunking problems If you have difficulty with trunking, try the solutions in this section. Listing link characteristics If a link that is part of an ISL Trunk fails, use the trunkDebug command to troubleshoot the problem, as shown in the following procedure: Connect to the switch and log in as admin.

  • Page 360

    Change LD/L1/L2/L0.5 back to L0 (of non-buffer limited ports). If you are in buffer-limited mode on the LD port, then increase the estimated distance. These changes are implemented only after disabling (portDisable) and enabling (portEnable) the buffer-limited port (or buffer-limited switch). Reconfiguring a port to LD from another mode can result in the port being disabled for lack of buffers–this does not apply to the SAN Switch 4/32, SAN Switch 4/32B and 4/256 SAN Director (using FC4-16 and FC4-32 port blades).

  • Page 361: Administering Advanced Zoning, About Zoning

    20 Administering Advanced Zoning This chapter provides procedures for using the Advanced Zoning feature. About Zoning Zoning enables you to partition your SAN into logical groups of devices that can access each other. For example, you can partition your SAN into two zones, winzone and unixzone, so that your Windows servers and storage do not interact with your UNIX servers and storage.

  • Page 362: Zone Types

    Zone types Table 88 summarizes the types of Zoning. Table 88 Types of Zoning Zone type Description Storage-based Storage units typically implement LUN-based Zoning, also called masking . LUN-based Zoning limits access to the LUNs on the storage port to the specific WWN of the server HBA.

  • Page 363: Zone Objects, Zone Aliases

    Table 89 Approaches to fabric-based Zoning Zoning Description approach Operating Zoning by operating system has issues similar to Zoning by application. In a system large site, this type of zone can become very large and complex. When zone changes are made, they typically involve applications rather than a particular server type.

  • Page 364: Zone Configurations, Zoning Enforcement, Hardware-enforced Zoning

    Zone aliases also simplify repetitive entry of zone objects such as port numbers or a WWN. For example, you can use the name “Eng” as an alias for “10:00:00:80:33:3f:aa:11”. A useful convention is to name zones for the initiator they contain. For example, if you use the alias SRV_MAILSERVER_SLT5 to designate a mail server in PCI slot 5, then the alias for the associated zone is ZNE_MAILSERVER_SLT5.

  • Page 365: Software-enforced Zoning

    • Prevents hosts from discovering unauthorized target devices. • Ensures that the name server does not return any information to an unauthorized initiator in response to a name server query. • Is exclusively enforced through selective information presented to end nodes through the fabric Simple Name Server (SNS).

  • Page 366

    name server returns only those devices that are in the same zone as the initiator. Devices that are not part of the zone are not returned as accessible devices. Table 90 shows the various switch models, the hardware Zoning methodology for each, and tips for best usage.

  • Page 367

    Figure 24 shows a fabric with four non-overlapping hardware-enforced zones. Figure 24 Hardware-enforced non-overlapping zones (figure labels: WWN_Zone1, Port_Zone1, WWN_Zone2, Port_Zone2, Core Switch, Zone Boundaries). Figure 25 shows the same fabric components zoned in an overlapping fashion.

  • Page 368

    Figure 25 Hardware-enforced overlapping zones (figure labels: WWN_Zone1, Port_Zone1, Port_Zone2, WWN_Zone2, Core Switch, Zone Boundaries). Any zone using both WWNs and domain, port entries on the 2 Gbit/sec platform relies on Name Server authentication as well as hardware-assisted (ASIC) authentication, which ensures that any PLOGI/ADISC/PDISC/ACC from an unauthorized device attempting to access a device it is not zoned with is rejected.

  • Page 369: Rules For Configuring Zones, Broadcast Zones

    Rules for configuring zones Observe the following rules when configuring zones. • If security is a priority, you should use hard Zoning. • The use of aliases is optional with Zoning, and using aliases requires structure when defining zones. However, aliases aid administrators of a zoned fabric to understand the structure and context. •...

  • Page 370: Supported Switches For Broadcast Zones, Broadcast Zones And Admin Domains

    Broadcast zones do not function in the same way as other zones. A broadcast zone does not restrict access to its members in any way. If you want to restrict access to any devices in a broadcast zone, you must also include those devices in a regular zone.

  • Page 371: High Availability Considerations With Broadcast Zones, Loop Devices And Broadcast Zones

    • The broadcast zone for AD2 includes member devices “2,1”, “3,1”, and “4,1”. Even though “2,1” is a member of AD1, it is not a member of AD2 and so is not added to the consolidated broadcast zone. • Device “3,1” is added to the consolidated broadcast zone because of its membership in the AD2 broadcast zone.

  • Page 372: Creating And Managing Zone Aliases, To Create An Alias, To Add Members To An Alias

    If the effective configuration has only a broadcast zone, then the configuration appears as a No Access configuration. To change this configuration to All Access, you must put all the available devices in a regular zone. See “Activating default zones” on page 383 for additional information about default zoning. Creating and managing zone aliases A zone alias is a logical group of ports, WWNs, or AL_PAs.

  • Page 373: To Delete An Alias, To View An Alias In The Defined Configuration

    Enter the cfgSave command to save the change to the defined configuration. switch:admin> aliremove “array1”, “1,2” switch:admin> aliremove “array2”, “21:00:00:20:37:0c:72:51” switch:admin> aliremove “loop1”, “4,6” switch:admin> cfgsave You are about to save the Defined Zoning configuration. This action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled.

  • Page 374: To Delete A Zone, To View A Zone In The Defined Configuration

    Enter the cfgSave command to save the change to the defined configuration. switch:admin> zonecreate “greenzone”, “2,32; 2,33; 2,34; 4,4” switch:admin> zonecreate “redzone”, “21:00:00:20:37:0c:66:23; 4,3” switch:admin> cfgsave You are about to save the Defined Zoning configuration. This action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled.

  • Page 375: Activating Default Zones, To Activate A Default Zone

    The following example shows all zones beginning with A, B, or C: switch:admin> zoneshow “[A-C]*” zone: Blue_zone 1,1; array1; 1,2; array2 zone: Bobs_zone 4,5; 4,6; 4,7; 4,8; 4,9 If no parameters are specified, the entire zone database (both the defined and effective configuration) is displayed.

  • Page 376: Merging Zones

    Merging zones Table 91 presents Zoning database size limitations for various Fabric OS release versions. The maximum size of a zone database is the upper limit for the defined configuration, and it is determined by the amount of flash memory available for storing the defined configuration. Table 91 Zoning database limitations Fabric OS version...

  • Page 377

    Table 92 Resulting database size: 0 to 96K (continued) Receiver Fabric Fabric Fabric Fabric OS Fabric OS Fabric OS Fibre XPath 7.3 OS 2.6 OS 3.1 OS 3.2 4.0/4.1/4.2 4.3/4.4.0 5.0.0/ Channel 5.0.1/5.1.x Router Initiator Fibre Channel Join Join Join Join Join Join...

  • Page 378: Creating And Modifying Zoning Configurations, To Create A Zoning Configuration

    Table 95 Resulting database size: 256K to 1M Receiver Fabric Fabric Fabric Fabric OS Fabric Fabric Fibre XPath OS 2.6 OS 3.1 OS 3.2 4.0/4.1/4.2 Channel Initiator 4.3/4.4.x 5.0.0/ Router 5.0.1 Fabric OS Segment Segment Segment Segment Segment Segment Segment Segment 2.6/3.1 Fabric OS 3.2 Segment Segment Segment...

  • Page 379: To Delete A Zone Configuration, To Clear Changes To A Configuration

    To add zones (members) to a Zoning configuration Connect to the switch and log in as admin. Enter the cfgAdd command. Enter the cfgSave command to save the change to the defined configuration. switch:admin> cfgadd “newcfg”, “bluezone” switch:admin> cfgsave You are about to save the Defined Zoning configuration. This action will only save the changes on the Defined configuration.

  • Page 380: To View Selected Zone Configuration Information, To View A Configuration In The Effective Zone Database

    Enter the cfgShow command with no operands. switch:admin> cfgshow Defined configuration: cfg: USA1 Blue_zone cfg: USA_cfg Red_zone; Blue_zone zone: Blue_zone 1,1; array1; 1,2; array2 zone: Red_zone 1,0; loop1 alias: array1 21:00:00:20:37:0c:76:8c; 21:00:00:20:37:0c:71:02 alias: array2 21:00:00:20:37:0c:76:22; 21:00:00:20:37:0c:76:28 alias: loop1 21:00:00:20:37:0c:76:85; 21:00:00:20:37:0c:71:df Effective configuration: cfg: USA_cfg...

  • Page 381: Maintaining Zone Objects, To Copy A Zone Object

    Maintaining zone objects While you can use the cfgDelete command to delete a zone configuration, there is a quicker and easier way to perform the same task via the zone object commands (zoneObjectExpunge, zoneObjectCopy, and zoneObjectRename). You can also copy and rename zone objects. When you copy a zone object, the resulting object has the same type as the original.

  • Page 382: To Delete A Zone Object, To Rename A Zone Object

    To delete a zone object Connect to the switch and log in as admin. Enter the cfgShow command to view the zone configuration objects you want to delete. switch:admin> cfgShow Defined configuration: cfg: USA_cfg Red_zone; White_zone; Blue_zone zone: Blue_zone 1,1; array1; 1,2; array2 zone: Red_zone 1,0;...

  • Page 383: Managing Zoning Configurations In A Fabric, Adding A New Switch Or Fabric

    Enter the cfgShow command to verify the renamed zone object is present. If you want the change preserved when the switch reboots, save it to nonvolatile (also known as “flash”) memory by entering the cfgSave command. For the change to become effective, enable the appropriate zone configuration using the cfgEnable command.

  • Page 384

    • Merging rules Observe these rules when merging zones: Local and adjacent configurations If the local and adjacent zone database configurations are the same, they will remain unchanged after the merge. Effective configurations If there is an effective configuration between two switches, the zone configurations in effect must match.

  • Page 385: Splitting A Fabric, Using Zoning To Administer Security, Resolving Zone Conflicts

    Splitting a fabric If the connections between two fabrics are no longer available, the fabric will segment into two separate fabrics. Each new fabric will retain the same zone configuration. If the connections between two fabrics are replaced and no changes have been made to the zone configuration in either of the two fabrics, then the two fabrics will merge back into one single fabric.

  • Page 386

    Table 96 Considerations for Zoning architecture Item Description Type of Zoning: hard or If security is a priority, hard Zoning is recommended. soft (session-based) Use of aliases The use of aliases is optional with Zoning. Using aliases requires structure when defining zones. Aliases will aid administrators of zoned fabric in understanding the structure and context.

  • Page 387: Configuring And Monitoring Fcip Tunneling, About Fcip Tunneling, Supported Platforms For Fcip

    Configuring and monitoring FCIP tunneling The Fibre Channel over IP (FCIP) Tunneling Service is an optional feature that enables you to use Fibre Channel “tunnels” to connect SANs over IP-based networks. An FCIP tunnel transports data between a pair of Fibre Channel switches. You can have more than one TCP connection between the pair of Fibre Channel switches.

  • Page 388: Fcip Licensing, Fcip Tunneling Concepts

    FCIP also supports: • Configuration and management of GbE ports and the virtual ports, IP interfaces, and tunnels enabled by GbE ports • Compression and decompression of Fibre Channel frames moving through FCIP tunnels NOTE: By default, the compression mode of Fibre Channel frames moving through FCIP tunnels is off.

  • Page 389: Port Numbering

    NOTE: In Figure 28, because FCIP was configured with VE_Ports, the switches will merge over the IP WAN to become a single fabric. If any of the VE_Ports had been configured as VEX_Ports, that portion of the fabric would remain a separate fabric, but still enable sharing of storage and server devices. Figure 28 illustrates a portion of a Fibre Channel network using FCIP.

  • Page 390: Port Numbering On The B-series Mp Router Blade

    Port numbering on the B-Series MP Router blade There are sixteen physical Fibre Channel ports and two physical GbE ports on the B-Series MP Router blade. The two GbE ports (ge0 and ge1) support up to eight FCIP tunnels each (each FCIP tunnel is represented and managed as a VE_Port or VEX_Port).

  • Page 391: Port Numbering On The 400 Mp Router

    Port Numbering on the 400 MP Router You do not need to specify slot numbers for the 400 MP Router. Refer to the GbE ports as ge0 and ge1, and the Fibre Channel ports are numbered 0 through 15. Moving from left to right on the front of the chassis are the sixteen Fibre Channel ports, followed by the 2 GbE ports.

  • Page 392: Fcip Fastwrite And Tape Pipelining, Enabling Fastwrite And Tape Pipelining

    FCIP fastwrite and tape pipelining When the FCIP link is the slowest part of the network and it affects speed, consider using fastwrite and tape write acceleration, called “tape pipelining.” Supported only in Fabric OS 5.2.x and higher, fastwrite and tape pipelining are two features that provide accelerated speeds to FCIP tunnels in some configurations: •...

  • Page 393

    Table 99 Using fastwrite and tape pipelining (continued) Fastwrite Tape pipelining Class 3 traffic is accelerated with fastwrite. Class 3 traffic is accelerated between host and sequential device. With sequential devices (tape drives), there are 1024 initiator-tape (IT) pairs per GbE port, but 2048 initiator-tape-LUN (ITL) pairs per GbE port.

  • Page 394

    Figure 32 Multiple tunnels to multiple ports, fastwrite and tape pipelining enabled on a per-tunnel/per-port basis. Connections must all be VEX-VE.

  • Page 395: Unsupported Configurations

    Unsupported configurations The following example configurations are not supported with fastwrite and tape pipelining. These configurations use multiple equal-cost paths. Figure 33 Unsupported configurations with fastwrite and tape pipelining (VE-VE or VEX-VEX).

  • Page 396: Platforms And Os Requirements For Fc Fastwrite, How Fc Fastwrite Works

    FC fastwrite over Fibre Channel ISLs FC Fastwrite operates in Fibre Channel network topologies similar to the basic topology shown in Figure 34. FC Fastwrite provides accelerated speeds for SCSI Write operations over long distance Fibre Channel ISLs. FC Fastwrite is supported in Fabric OS v5.3.x and later. Figure 34 Typical network topology for FC Fastwrite Platforms and OS requirements for FC Fastwrite...

  • Page 397: Constraints For Fc Fastwrite, Hardware Considerations, Configuring And Enabling Fc Fastwrite

    The processing outlined eliminates the latency inherent in sending Transfer Ready back to the initiator when writing data across ISLs to geographically distant target devices. FC Fastwrite can improve Write performance. Read performance is unaffected. The gains seen from enabling FC Fastwrite depend on several factors, including the following: •...

  • Page 398

    Where: <slot#> is the slot in which the FR4-18i blade is installed. A slot number is not required for the 400 MP Router. Example: SJ3_6A1_12000_0:root> fastwritecfg --enable 7 !!!! WARNING !!!! Enabling FC Fastwrite will require powering off and back on the and it may take upto 5 minutes.

  • Page 399

    Use the portshow command to verify that FC Fastwrite is enabled. rack1_6a1:root> portshow 3/3 portName: portHealth: HEALTHY Authentication: None portDisableReason: None portCFlags: 0x1 portFlags: 0x20b03 PRESENT ACTIVE F_PORT G_PORT U_PORT LOGICAL_ONLINE LOGIN NOELP ACCEPT portType: 10.0 portState: 1 Online portPhys: In_Sync portScn: F_Port...

  • Page 400: Disabling Fc Fastwrite On A Port, Tunneling And Ipsec

    Disabling FC Fastwrite on a port To disable FC Fastwrite on a port, enter the following command. #portcfg fastwrite <slot#/port_id> --disable Where <slot#> is the slot in which the FR4-18i is installed. A slot number is not required for the 400 MP Router.

  • Page 401: Configuring Ipsec

    Table 100 IPSec terminology Term Definition Message Authentication Code is a key-dependent, one-way hash function used for generating and verifying authentication data. HMAC A stronger MAC because it is a keyed hash inside a keyed hash. Security association is the collection of security parameters and authenticated keys that are negotiated between IPSec peers.

  • Page 402: Ipsec Parameters, Managing Policies

    IPSec parameters Table 99 lists fixed policy parameters that you cannot modify. Table 101 Fixed policy parameters Parameter Fixed Value IKE negotiation protocol Main mode Tunnel mode IKE negotiation authentication method Preshared key 3DES encryption Key length of 168 bits AES encryption Key length of 128 or 256 Table 100...

  • Page 403

    DH_Group: The Diffie-Hellman group. Supported groups are Group 1 and Group 14. Group 1 is the default. secs: The security association lifetime in seconds. 28800 is the default. The following example shows how to create IKE policy number 10 using 3DES encryption, MD5 authentication, and Diffie-Hellman Group 1: switch:admin06>...

  • Page 404: Configuring Fcip Tunnels, Enabling Persistently Disabled Ports

    For example, to delete the IPSec policy number 10: switch:admin06> policy --delete ipsec 10 The policy has been successfully deleted. Configuring FCIP Tunnels You can create only one FCIP tunnel on a given pair of IP address interfaces (local and remote). You can create multiple FCIP tunnels on a single IP interface if either the local or remote IP interface is unique and does not have any other FCIP tunnel on it.

  • Page 405: Defining The Ip Interface Of Each Virtual Port

    Enter the portCfgShow command to verify the port is persistently enabled as shown below: switch:admin06> portcfgpersistentenable 8/16 switch:admin06> portcfgpersistentenable 8/17 switch:admin06> portcfgpersistentenable 8/18 switch:admin06> portcfgpersistentenable 8/19 switch:admin06> portcfgshow Ports of Slot 8 9 10 11 12 13 14 15 -----------------+--+--+--+--+----+--+--+--+----+--+--+--+----+--+--+-- Speed AN AN AN AN AN AN AN AN...

  • Page 406: Configuring The Gbe Ports

    The following example shows IP interfaces defined for slot 8 on GbE port ge0: switch:admin06> portshow ipif 8/ge0 Port: 8/ge0 Interface IP Address NetMask ---------------------------------------------------------- 192.168.100.40 255.255.255.0 1500 192.168.100.41 255.255.255.0 1500 switch:admin06> portcfg ipif 8/ge0 create 192.168.100.40 255.255.255.0 1500 switch:admin06> portcfg ipif 8/ge0 create 192.168.100.41 255.255.255.0 1500 Then verify the newly-created IP interface using the portShow command: switch:admin06>...

  • Page 407

    The delete argument is: delete ipaddr netmask The gateway address must be on the same IP subnet as one of the port IP addresses. The following example shows two routes being added to an interface: switch:admin06> portcfg iproute 8/ge0 create 192.168.11.0 255.255.255.0 192.168.100.1 switch:admin06>...

  • Page 408: Verifying Ip Connectivity, Testing End-to-end Ip Path Performance

    Verifying IP connectivity After you add the IP addresses of the routes, enter the portCmd ping command to ping a destination IP address from one of the source IP interfaces on the GbE port and verify the Ethernet IP to IP connectivity. This verification also ensures that data packets can be sent to the remote interface.

  • Page 409: Fcip Tunnel Create Option

    Configuring FCIP tunnels After you have verified licensing and connectivity between source and destination IP interfaces, you can configure FCIP tunnels. As you plan the tunnel configurations, be aware that uncommitted rate tunnels use a minimum of 1000 Kb/sec, up to a maximum of available uncommitted bandwidth on the GbE port. The total bandwidth available on a GbE port is 1 Gbit/sec.

  • Page 410: Fcip Tunnel Modify And Delete Options

    FCIP Tunnel modify and delete options NOTE: Using the tunnel Modify option disrupts traffic on the specified FCIP tunnel for a brief period of time. Following is the syntax for the portCfg fcipTunnel command to modify FCIP tunnels (you must specify at least one characteristic to modify): portcfg fciptunnel [slot/][ge]port args [optional_args] modify <tunnel_num>...

  • Page 411: Verifying The Fcip Tunnel Configuration

    Verifying the FCIP tunnel configuration After you have created local and remote FCIP configurations, use the portEnable [slot/]port command to enable the port. It is recommended that you verify that the tunnel configuration operation succeeded using the portShow fcipTunnel command (be sure to specify the slot/port numbers and number of tunnels). Look at the “Status”...

  • Page 412

    To verify that a VE_Port or VEX_Port is online Use the switchShow command to view and verify that the FCIP tunnel is online. switch:admin06> portenable 8/18 switch:admin06> portenable 8/19 switch:admin06> switchshow switchName:switch switchType:42.2 switchState:Online switchMode:Native switchRole:Subordinate switchDomain:4 switchId:fffc04 switchWwn:10:00:00:60:69:80:0d:bc zoning:ON (LSAN001) switchBeacon:OFF blade3 Beacon: blade4 Beacon:...

  • Page 413: Checklist For Configuring Fcip Links, Troubleshooting Fcip Links, Wan Performance Analysis Tools

    Checklist for configuring FCIP links Use Table 100 as a checklist for creating FCIP links. Table 103 Steps for configuring FCIP links Step Command 1. Enable persistently disabled ports. portcfgpersistentenable [slot/]port 2. Disable the ports while performing the configuration. portdisable [slot/]port 3.

  • Page 414: About The Ipperf Option, Fcip Port Bandwidth

    About the Ipperf option The WAN tool ipPerf (referred to simply as “ipPerf” in this chapter) is an option of the Fabric OS portCmd command. This option allows you to specify the slot and port information for displaying performance statistics for a pair of ports. For this basic configuration, you can specify the IP addresses of the endpoints, target bandwidth for the path, and optional parameters such as the length of time to run the test and statistic polling interval.

  • Page 415: Wan Tool Performance Characteristics, Starting Wan Tool Analysis

    WAN Tool performance characteristics The following table lists the end-to-end IP path performance characteristics that you can display using the portCmd ipPerf command and option. All four of the base ipPerf performance characteristics (bandwidth, loss, RTT, PMTU) are provided in the command output in Fabric OS 5.2.0 or higher. Figure 36 WAN Tool performance characteristics Characteristic...

  • Page 416: Wan Tool Ipperf Syntax

    To start an ipPerf session Configure the receiver test endpoint using the CP CLI. The syntax for invoking the receiver test endpoint using ipPerf for slot 8, port ge0 on an FR4-18i is as follows: portcmd --ipperf 8/ge0 -s 192.168.255.10 -d 192.168.255.100 -R Configure the sender test endpoint using a similar CP CLI.

  • Page 417: Fcip Tunnel Performance Characteristics

    Following is the syntax for portCmd ipPerf to display end-to-end IP path performance statistics: portCmd --ipPerf [slot]/ge# -s <source_ip> -d <destination_ip> -S | -R [-r <rate>] [-z <size>] [-t <time>] [-i <interval>] [-p <port>] where: Source IP address. -s <source_ip> Destination IP address.

  • Page 418

    To view detailed fcipTunnel statistics, you must specify either the -perf or -params options. The following example shows the portCmd fcipTunnel with the performance option to display characteristics of tunnel 0. switch:admin06> portshow fciptunnel 8/ge0 all Slot: 8 Port: ge0 ------------------------------------------- Tunnel ID 0 Remote IP Addr 192.175.4.200...

  • Page 419

    The following example shows the portCmd fcipTunnel with the parameters options to display the parameters of tunnel 0: switch:admin06> portshow fciptunnel 8/ge0 0 Slot: 8 Port: ge0 ------------------------------------------- Tunnel ID 0 Remote IP Addr 192.175.4.200 Local IP Addr 192.175.4.100 Remote WWN Not Configured Local WWN 10:00:00:60:69:e2:09:be Compression on Fastwrite off...

  • Page 420

    The following example shows the portShow fcipTunnel command to display IPSec information for tunnel 0: switch:admin06> portshow fciptunnel 8/ge0 3 -ipsec Port: ge0 ------------------------------------------- Tunnel ID 3 Remote IP Addr 192.175.5.200 Local IP Addr 192.175.5.100 Remote WWN Not Configured Local WWN 10:00:00:05:1e:37:00:20 Compression off Fastwrite on Tape Pipelining on...

  • Page 421: A Configuring The Pid Format, About Pids And Pid Binding, Summary Of Pid Formats

    Configuring the PID format Port identifiers (called PIDs) are used by the routing and zoning services in Fibre Channel fabrics to identify ports in the network. All devices in a fabric must use the same PID format, so when you add new equipment to your SAN, you might need to change the PID format on legacy equipment.

  • Page 422: Impact Of Changing The Fabric Pid Format, Host Reboots, Static Pid Mapping Errors

    Impact of changing the fabric PID format If your fabric contains switches that use Native PID, it is recommended that you change the format to Core PID before you add the new, higher port count switches and Directors. Also, it is recommended that you use Core PID when upgrading the Fabric OS version on 2000 and 3000 series switches.

  • Page 423: Selecting A Pid Format

    CAUTION: After changing the fabric PID format, if the change invalidates the configuration data (see Table 101 to determine this), do not download old (pre-PID format change) configuration files to any switch on the fabric. Table 101 Effects of PID format changes on configurations PID format PID format after Configuration effect...

  • Page 424

    Table 102 shows various combinations of existing fabrics, new switches added to those fabrics, and the recommended PID format for that combination. The criteria for the recommendations are first to eliminate host reboots, and second to minimize the need for a host reboot in the future. Table 102 PID format recommendations for adding new switches Existing Fabric OS...

  • Page 425: Evaluating The Fabric

    Evaluating the fabric In addition to this section, refer to the HP StorageWorks SAN Design reference guide for information on evaluating the fabric: http://h18000.www1.hp.com/products/storageworks/san/documentation.html If there is the possibility that your fabric contains host devices with static PID bindings, you should evaluate the fabric to: •...

  • Page 426: Planning The Update Procedure, Online Update

    It is also important to understand how multipathing software reacts when one of the two fabrics is taken offline. If the time-outs are set correctly, the failover between fabrics should be transparent to the users. You should use the multipathing software to manually fail a path before starting maintenance on that fabric.

  • Page 427: Offline Update, Hybrid Update, Changing To Core Pid Format

    After the fabric has reconverged, use the cfgEnable command to update zoning. Update their bindings for any devices manually bound by PID. This might involve changing them to the new PIDs, or preferably changing to WWN binding. For any devices automatically bound by PID, two options exist: a.

  • Page 428: Changing To Extended Edge Pid Format

    The following maps the PID format names to the names used in the management interfaces (PID format name: management interface name). Native PID: switch PID address mode 0. Core PID: switch PID address mode 1. Extended edge PID: switch PID address mode 2. Before changing the PID format, determine if host reboots will be necessary.

  • Page 429

    Determine if the current switch firmware versions meet the minimum supported version levels. Table 103 lists the earliest Fabric OS version levels that support Extended Edge PID format. Use this table to determine if you need to upgrade the firmware in the switches in your fabric before you change the PID format.

  • Page 430

    Example: Configure Command on a Switch Running Fabric OS 3.1.2 Configure... Fabric parameters (yes, y, no, n): [no] yes Domain: (1..239) [217] BB credit: (1..27) [16] R_A_TOV: (4000..120000) [10000] E_D_TOV: (1000..5000) [2000] Data field size: (256..2112) [2112] Sequence Level Switching: (0..1) [0] Disable Device Probing: (0..1) [0] Suppress Class F Traffic: (0..1) [0] SYNC IO mode: (0..10 [0]...

  • Page 431: Converting Port Number To Area Id

    Converting port number to area ID Except for the following cases, the area ID is equal to the port number: • when you perform a port swap operation • when you enable Extended Edge (also known as “displaced PID”) PID on the Director If you are using Extended Edge PID format (for example, the 4/256 SAN Director with configuration option 5) and would like to map the output of the port number to the area ID, use the following formula (for ports 0-127):...

  • Page 432

    When the port number is greater than or equal to 128, the area ID and port number are the same. Figure 37 shows a 4/256 SAN Director with Extended Edge PID. Figure 37 4/256 SAN Director with Extended Edge PID 434 Configuring the PID format...

  • Page 433: Performing Pid Format Changes, Basic Procedure

    Performing PID format changes There are several routine maintenance procedures which might result in a device receiving a new PID. Examples include, but are not limited to: • Changing compatibility mode settings • Changing switch domain IDs • Merging fabrics •...

  • Page 434: Hp/ux Procedure

    Example switch:admin> switchdisable switch:admin> configure Configure... Fabric parameters (yes, y, no, n): [no] yes Domain: (1..239) [1] R_A_TOV: (4000..120000) [10000] E_D_TOV: (1000..5000) [2000] Data field size: (256..2112) [2112] Sequence Level Switching: (0..1) [0] Disable Device Probing: (0..1) [0] Suppress Class F Traffic: (0..1) [0] SYNC IO mode: (0..1) [0] Core Switch PID Format: (0..2) [0] 1 Per-frame Route Priority: (0..1) [0]...

  • Page 435: Aix Procedure

    Change to /dev and untar the file that was tarred in step 4. For example: tar -xf /tmp/jbod.tar Import the volume groups using vgimport. The proper usage would be vgimport -m <mapfile> <path_to_volume_group> <physical_volume_path>. For example: vgimport -m /tmp/jbod_map /dev/jbod /dev/dsk/c64t8d0 /dev/dsk/c64t9d0 Activate the volume groups using vgchange.

  • Page 436: Swapping Port Area Ids

    If you are not using multipathing software, unmount the volumes from their mount points using umount. The command usage is umount <mount_point>. For example: umount /mnt/jbod If you are using multipathing software, use that software to remove one fabric’s devices from its configuration.

  • Page 437

    Verify that the port area IDs have been swapped: portswapshow A table shows the physical port numbers and the logical area IDs for any swapped ports. Disable the port swap feature: portswapdisable

  • Page 438


  • Page 439: Vendor Switch Requirements, Hp Storageworks Switch Requirements

    Configuring McData Open Fabric mode This appendix provides information on setting up a heterogeneous fabric that includes HP StorageWorks switches and switches from other manufacturers. The interoperability mode enables HP StorageWorks switches and others to exchange interoperability parameters, allowing their fabrics to merge into one fabric with one principal switch and unique domain IDs.

  • Page 440: Supported Features, Unsupported Hp Storageworks Features, Configuration Recommendations, Configuration Restrictions

    Supported features The following features are supported on HP StorageWorks switches in interoperability mode: • Fabric Watch • Fabric Access API functions Accessible from HP StorageWorks switches only, but switch information for non-HP StorageWorks switches is reported. The object information and zoning actions are configurable from the API. •...

  • Page 441: Zoning Restrictions

    have a McDATA switch between two HP StorageWorks switches if you are managing zoning from the HP StorageWorks switches. • LC IBM GBICs are not supported if they are connected to a McData ISL. • When a switch gets a new domain ID assigned through a fabric reconfiguration, the new domain ID is written to nonvolatile memory and the old domain ID value is overwritten.

  • Page 442: Zone Name Restrictions, Enabling And Disabling Interoperability Mode, To Enable Interoperability Mode

    You can use the cfgSize command to check both the maximum available size and the currently saved size. If you believe you are approaching the maximum, you can save a partially completed zoning configuration and use the cfgSize command to determine the remaining space. Zone name restrictions The name field must contain the ASCII characters that actually specify the name, not including any required fill bytes.

  • Page 443

    Enter the interopmode 0 command to disable interoperability. This command resets a number of parameters and disables interactive mode. You must reboot the switch after changing the interoperability mode: switch:admin> switchdisable switch:admin> interopmode 0 The switch effective configuration will be lost when the operating mode is changed; do you want to continue? (yes, y, no, n): [no] y done.

  • Page 444


  • Page 445: C Understanding Legacy Password Behaviour, Password Management Information

    Understanding legacy password behaviour The following sections provide password information for early versions of Fabric OS firmware. Password management information Table 104 describes the password standards and behaviors between various versions of firmware. Table 104 Account/password characteristics matrix Topic v4.0.0 v4.1.0 to v4.2.0 v4.4.0 to 5.1.x Number of default...

  • Page 446

    Table 104 Account/password characteristics matrix (continued) Topic v4.0.0 v4.1.0 to v4.2.0 v4.4.0 to 5.1.x Does a user need to know Yes, except when Old password is Old password is the old passwords when the root user required only when required only when changing passwords using changes another changing password...

  • Page 447: Password Prompting Behaviors

    Password prompting behaviors Table 105 describes the expected password prompting behaviors of various Fabric OS versions. Table 105 Password Prompting Matrix Topic v4.0.0 v4.1.0 and later Must all password prompts No. Partial changes of all No. Partial changes of all be completed for any change four passwords are four passwords are...

  • Page 448: Password Migration During Firmware Changes, Password Recovery Options

    Password migration during firmware changes Table 106 describes the expected outcome of password settings when upgrading or downgrading firmware for various Fabric OS versions. Table 106 Password migration behavior during firmware upgrade/downgrade Topic v4.4.0 to v5.0.1 v5.0.1 to 5.1.x Passwords used when upgrading Default accounts and Default accounts and to a newer firmware release for the...

  • Page 449

    Table 107 Password recovery options (continued) Topic v4.0.0 v4.1.0 and later How to recover boot PROM password? Contact HP and provide the recovery string. Refer to “Setting the Boot PROM Password” on page 112 for instructions on setting the password with a recovery string.

  • Page 450


  • Page 451: D Using Remote Switch, About Remote Switch, Remote Switch Capabilities

    Using Remote Switch This appendix describes the concepts and procedures for using the Remote Switch feature and contains the following topics: About Remote Switch The Remote Switch feature, which aids in ensuring gateway compatibility, was formerly a licensed feature. Its functionality is now available as part of the Fabric OS standard feature set through the use of the portCfgIslMode command.

  • Page 452

    You might be required to reconfigure the following parameters, depending on the gateway requirements: • R_A_TOV: Specify a Resource Allocation Timeout Value compatible with your gateway device. • E_D_TOV: Specify an Error Detect Timeout Value compatible with your gateway device. •...

  • Page 453: E Zone Merging Scenarios

    Zone merging scenarios Table 108 provides information on merging zones and the expected results. Table 108 Zone merging scenarios Description Switch A Switch B Expected results Switch A with a defined defined: defined: none Configuration from Switch A to configuration cfg1: effective: none propagate throughout the fabric in...

  • Page 454

    Table 108 Zone merging scenarios (continued) Description Switch A Switch B Expected results cfg content mismatch defined: cfg1 defined: cfg1 Fabric segments due to: Zone zone1: ali1; ali2 zone1: ali3; ali4 Conflict content mismatch effective: irrelevant effective: irrelevant defined: cfg1 defined: cfg1 Fabric segments due to: Zone zone1: ali1;...

  • Page 455

    Index adding a new switch or fabric AAA service requests Admin Domain members aaaConfig command alias members access and removing FICON CUP licenses active ports custom filter-based monitors browser support end-to-end monitors changing account parameters filter-based monitors control members to a zone configuration CP blade port mirror connection creating accounts...

  • Page 456

    assigning users to Admin Domains changing audience an account password Auth policy RADIUS configuration authenticating users RADIUS servers authentication SNMP MIB trap values configuring SNMP values local switch names authorized reseller, HP to core PID format auto-leveling, FR4-18i blade to extended edge PID format CHAP account policies enabling...

  • Page 457

    fosConfig SSL protocol interopMode switch passwdCfg switch for RADIUS portDisable switch, FICON environment portEnable switch, RADIUS client secPolicyAbort switch, single secPolicyActivate syslogd secPolicyAdd telnet interface secPolicyDelete Windows RADIUS client secPolicyFCSMove zone, rules for secPolicyRemove connecting secPolicySave multiple EX_Ports to an edge fabric secPolicyShow other devices slotshow...

  • Page 458

    accounts disabled zone configuration Admin Domains disabling DCC policy port IPSec tunnel RADIUS configuration policy switch SCC policy disabling and enabling a port zone disabling and enabling a switch creating a zone configuration disabling and enabling cards creating an alias disabling interoperability mode creating and maintaining zones displaying...

  • Page 459: Routing Types

    end-to-end monitors changing domain id adding configuration settings deleting disabling IDID mode displaying the mask displaying restoring configuration link incidents saving configuration registered listeners for link incidents setting a mask enabling IDID mode ensuring network security high integrity fabric event identifying port swapping nodes connectivity monitoring FRU failures...

  • Page 460: Matching Fabric Parameters

    host reboots Java version host-based zoning authorized reseller storage web site transaction, for licensed features Subscriber’s choice web site technical support HP/UX procedure legacy FCR switches HTTP license ID HTTPS license key certificates, security activating hybrid update licenseadd command licensed features licenseIdShow licenseremove command configuring users...

  • Page 461: Monitoring Resources

    policy password expiration policy policy, adding password management information policy, removing password migration during firmware changes password policies mibCapability password prompting behaviors modifying the FCS policy password recovery options monitoring end-to-end performance password strength policy monitoring filter-based performance passwords monitoring ISL performance recovering forgotten passwords monitoring resources perfaddeemonitor command...

  • Page 462: Preparing A Switch

    port numbering recovering forgotten passwords port swapping nodes, identifying in FICON recovery password environments recovery string port-based routing recovery string, boot PROM password portDisable registered listeners portEnable related documentation ports remote access policies activating POD remote switch buffer-limited remove feature identifying removing identifying by port area ID...

  • Page 463: Setting A Unique Domain Id

    security SNMP activating certificates SNMP default values and tunneling setup summary Brocade MIB shared secrets browsers managing certificates certificates, deleting SLAP certificates, displaying slotShow command configuring standard features slotshow command enabling CHAP SNMP encryption FibreAlliance MIB agent file copy and password change HTTPS, certificate configuring IAS remote access policies...

  • Page 464: Displaying Information, Swapping Ports, Using Ficon Cup

    supported features time and date Supported Services time zones –??, supportsave command tools swapping port area IDs cli overview swapping ports tracking and controlling switch changes SW-EXTTRAP traffic patterns switch planning for access methods, cli transaction key access methods, Fabric Manager traps access methods, Web Tools certificates, installing...

  • Page 465: Zoning And Pdcm Considerations, Viewing Power-on Self Tests, Viewing Switch Status, Viewing Port Information

    viewing zoning and PDCM considerations fan status zoning concepts port status zoning enforcement power supply status zoning restrictions temperature status zoning schemes viewing an alias zoning terminology alias viewing viewing and saving diagnostic information viewing equipment status viewing port information viewing power-on self test viewing routing information along a path viewing routing path information...
