Document History

The following table lists all versions of the Access Gateway Administrator’s Guide.

Document Title | Publication Number | Summary of Changes | Publication Date
Access Gateway Administrator’s Guide | 53-1000430-01 | First version | January 2007
Access Gateway Administrator’s Guide | 53-1000633-01 | Added support for the 200E | June 2007
Access Gateway Administrator’s Guide | 53-1000605-01...
Tables
Table 1 Fabric OS components supported on Access Gateway
Table 2 Port configurations
Table 3 Port state description
All Fabric OS switches must be running v6.1.0 or later; all M-EOS switches must be running M-EOSc 9.1 or later, M-EOSn must be running 9.6.2 or later, and Cisco switches with SAN OS must be running 3.0 (1) and 3.1 (1) or later. Access Gateway supports 4 and 8 Gbit bladed servers and blades.
Document conventions
This section describes text formatting conventions and important notice formats.

Text formatting
The narrative-text formatting conventions that are used in this document are as follows:
bold text
  Identifies command names
  Identifies the names of user-manipulated GUI elements
  Identifies keywords and operands
  Identifies text to enter at the GUI or CLI
italic text
  Provides emphasis...
ATTENTION An Attention statement indicates potential damage to hardware or data. CAUTION A Caution statement alerts you to situations that can be potentially hazardous to you or cause damage to hardware, firmware, software, or data. DANGER A Danger statement indicates conditions or situations that can be potentially lethal or extremely hazardous to you.
E_Port An ISL (Interswitch link) port. A switch port that connects switches together to form a fabric. Edge switch A fabric switch that connects host, storage, or other devices, such as Brocade Access Gateway, to the fabric. F_Port A fabric port. A switch port that connects a host, HBA (host bus adaptor), or storage device to the SAN.
• Best practice guides, white papers, data sheets, and other documentation are available through the Brocade Partner Web site.

For additional resource information, visit the Technical Committee T11 Web site. This Web site provides interface standards for high-performance and mass storage applications for Fibre Channel, storage management, and other applications: http://www.t11.org

For information about the Fibre Channel industry, visit the Fibre Channel Industry Association Web...
• Brocade 7600—On the bottom of the chassis
• Brocade 48000—Inside the chassis next to the power supply bays
• Brocade DCX—On the bottom right on the port side of the chassis
• Brocade DCX-4S—On the bottom right on the port side of the chassis, directly above the cable management comb.
Fabric OS features in Access Gateway mode
Table 1 lists Fabric OS components that are supported on a switch when AG mode is enabled. “No” indicates that the feature is not provided in AG mode. “NA” indicates this feature is not applicable in Access Gateway mode of operation.
Access Gateway port types TABLE 1 Fabric OS components supported on Access Gateway Feature Support Syslog Daemon Trunking Yes** ValueLineOptions (Static POD, DPOD) Web Tools When a switch is behaving as an AG, RBAC features in Fabric OS are available, but there are some limitations.
Access Gateway limitations
• Direct connections to SAN target devices are not supported.
• Admin Domains is not supported.
• FICON is not supported.
• Extended Fabrics is not supported.
• Management Platform Services is not supported.
• Name Services is not supported.
•...
Chapter Configuring Ports in Access Gateway mode
In this chapter
• Enabling and disabling Access Gateway mode
•...
Enabling and disabling Access Gateway mode The ag mapshow command shows all the N_Ports (with the portcfgnport value of 1) even if those N_Ports are not connected. switch:admin> ag --mapshow N_Port Configured_F_Ports Current_F_Ports Failover Failback PG_ID PG_Name ----------------------------------------------------------------------------- 4;5;6 4;5;6 SecondFabric 7;8;9 7;8;9...
8. Enter the switchDisable command to disable the switch.
switch:admin> switchdisable
9. Enter the ag command with the modedisable operand to disable AG mode.
switch:admin> ag --modedisable
10. Enter the ag modeshow command to verify that AG mode is disabled.
switch:admin>...
Access Gateway mapping
Access Gateway uses mapping—that is, pre-provisioned routes—to direct traffic from the hosts to the fabric. When you first enable a switch to AG mode, by default, the F_Ports are mapped to a set of predefined N_Ports. For the default F_Port-to-N_Port mapping, see Table 4.
Default port mapping
Table 5 shows the default F_Port-to-N_Port mapping. By default, Failover and Failback policy are enabled on all N_ports.
NOTE All POD licenses must be present to use Access Gateway on the Brocade 5100, 300, and 200E.
Changing the default F_Port-to N_Port mapping
TABLE 5 Access Gateway default F_Port-to-N_Port mapping...
Access Gateway mapping TABLE 5 Access Gateway default F_Port-to-N_Port mapping Brocade Total Ports F_Ports N_Ports Default F_ to N_Port Mapping Model 4024 1–16 0, 17–23 1, 2 mapped to 17 9, 10 mapped to 18 3, 4 mapped to 19 11, 12 mapped to 20 5, 6 mapped to 21 13, 14 mapped to 22...
3. Enter the ag mapshow command and specify the port number to display the list of mapped F_Ports. Verify that the added F_Ports appear in the list.
switch:admin> ag --mapshow 13
N_Port : 13
Failover(1=enabled/0=disabled) : 1
Failback(1=enabled/0=disabled) : 1
Current F_Ports : None...
N_Port configurations
You must have the role of securityadmin, admin, or user to configure ports in Access Gateway (AG) mode. The AG port connected to the Enterprise fabric must be configured as an N_Port. By default, on embedded switches, only the internal ports of Access Gateway are configured as F_Ports.
Displaying N_Port configurations
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the portcfgnport command.
switch:admin> portcfgnport
Ports 9 10 11 12 13 14 15
--------------------+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--
Locked N_Port ....ON ON ON ON ON ON

Unlocking N_Ports
By default, on embedded switches all external ports are configured in N_Port lock mode when you enable Access Gateway.
Advanced Device Security policy Access Gateway policy enforcement matrix The following table shows which combinations of policies can co-exist with each other. TABLE 6 Policy enforcement matrix Policies Auto Port Configuration Port Grouping N_Port Trunking ADS Policy Auto Port Configuration Cannot co-exist Can co-exist Can co-exist...
Advanced Device Security policy Enabling and disabling the Advanced Device Security policy By default, the ADS policy is disabled. When you manually disable the ADS policy, all of the allow lists (global and per-port) are cleared. Before disabling the ADS policy, you should save the configuration using the configupload command in case you need this configuration again.
Setting the list of devices not allowed to log in
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the ag --adsset command with the appropriate operands to set the list of devices not allowed to log into specific ports.
Displaying the list of allowed devices on the switch
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the ag --adsshow command.
switch:admin> ag --adsshow
F_Port WWNs Allowed
--------------------------------------------------------------------------
ALL ACCESS 20:03:08:00:88:35:a0:12...
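As an added example (not part of the guide), the following Python sketch audits a saved ag --adsshow listing for F_Ports left at ALL ACCESS, malformed WWNs, and drift from a host inventory. The sample listing is constructed; its column layout, the NO ACCESS marker, and the inventory structure are assumptions.

```python
import re

# Constructed sample of `ag --adsshow` output (not captured from a switch).
# Assumed layout: F_Port number, then one WWN per line, with continuation
# lines indented; "ALL ACCESS" / "NO ACCESS" stand in for the WWN list.
SAMPLE = """\
switch:admin> ag --adsshow
F_Port  WWNs Allowed
--------------------------------------------------------------------------
1       ALL ACCESS
3       20:03:08:00:88:35:a0:12
        21:03:08:00:88:35:a0:12
9       NO ACCESS
10      20:03:08:00:88:35:a0:1
"""

WWN_RE = re.compile(r"^(?:[0-9a-f]{2}:){7}[0-9a-f]{2}$")
KEYWORDS = ("ALL ACCESS", "NO ACCESS")


def parse_adsshow(text):
    """Map each F_Port to 'ALL ACCESS', 'NO ACCESS' or a list of WWNs."""
    table, port = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        # Skip blank lines, the header, the rule and the echoed prompt.
        if not stripped or stripped.startswith(("F_Port", "---")) or ">" in line:
            continue
        first = re.match(r"^(\d+)\s+(\S.*)$", line.rstrip())
        if first:                      # new F_Port row
            port, value = int(first.group(1)), first.group(2)
        elif port is not None:         # indented continuation of the last row
            value = stripped
        else:
            continue
        if value.upper() in KEYWORDS:
            table[port] = value.upper()
        else:
            if not isinstance(table.get(port), list):
                table[port] = []
            table[port].append(value.lower())
    return table


def audit(table, expected):
    """Return sorted (port, finding) tuples; `expected` maps port -> set of WWNs."""
    findings = []
    for port, entry in table.items():
        if entry == "ALL ACCESS":
            findings.append((port, "unrestricted: any device may log in"))
            continue
        allowed = set() if entry == "NO ACCESS" else set(entry)
        for wwn in sorted(allowed):
            if not WWN_RE.match(wwn):
                findings.append((port, "malformed WWN " + wwn))
        if port in expected:
            want = {w.lower() for w in expected[port]}
            for wwn in sorted(allowed - want):
                findings.append((port, "not in inventory: " + wwn))
            for wwn in sorted(want - allowed):
                findings.append((port, "missing from allow list: " + wwn))
    return sorted(findings)


if __name__ == "__main__":
    # Hypothetical inventory: which host WWNs belong on which F_Port.
    inventory = {3: {"20:03:08:00:88:35:a0:12"}, 9: {"20:03:08:00:88:35:a0:13"}}
    for port, finding in audit(parse_adsshow(SAMPLE), inventory):
        print("F_Port %d: %s" % (port, finding))
```
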
Automatic Port Configuration policy How the APC policy works When the APC policy is enabled, it applies to all ports on the switch. Enabling the APC policy is disruptive and erases all existing F_Port-to-N_Port mappings. Therefore, before enabling the APC policy, you must disable the AG module.
Port Grouping policy

Automatic Port Configuration policy considerations
Following are the considerations for the Automatic Port Configuration policy:
• The APC and the PG policies cannot be enabled at the same time.
• You cannot manually configure F_Port-to-N_Port mapping with this policy enabled.

Upgrade and downgrade considerations for the APC policy
The following are supported:
•...
FIGURE 6 Port grouping behavior (diagram labels: F_Port1 to F_Port8, N_Port1 to N_Port4, Fabric-1, Fabric-2, Storage Array-1, Storage Array-2)

When a dual redundant fabric configuration is used, F_Ports connected to a switch in AG mode can access the same target devices from both of the fabrics.
Deleting an N_Port from a port group
Before an N_Port is deleted from a port group, all F_Ports mapped to that N_Port must be remapped. If an N_Port is deleted from a port group enabled for Login Balancing, the F_Ports mapped to that N_Port stay with the port group as long as there are other N_Ports in the group.
Port Grouping policy Port Grouping policy modes You can modify certain default behavior such as the following within a port group: • Login Balancing (LB) If login balancing mode is enabled for a port group and an F_Port goes offline, logins in the port group are redistributed among the remaining F_Ports.
Rebalancing F_Ports
To minimize disruption that could occur once F_Ports go offline or when additional N_Ports are brought online, you can modify the default behavior of the automatic login balancing feature by disabling or enabling rebalancing of F_Ports when F_Port offline or N_Port online events occur.
1.
Enabling Managed Fabric Name Monitoring mode
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the ag --pgsetmodes command with appropriate operands to enable MFNM mode. In the following example, MFNM mode is enabled for port group 3.
switch:admin>...
Persistent ALPA Policy • If an N_Port is added to a port group or deleted from a port group and login balancing is enabled or disabled for the port group, the N_Port maintains its original failover or failback setting. If an N_Port is deleted from a port group, it automatically gets added to port group 0. •...
• In the “Stringent” mode, if the requested ALPA is not available, the server login will be rejected and the server port will not be able to log in to the fabric.

Enabling Persistent ALPA
By default, Persistent ALPA is disabled. You can enable Persistent ALPA using the persistentalpaenable command with the following syntax and with one of the following value types:
ag -persistentalpaenable 1/0[On/Off] -s/-f[Stringent/Flexible]...
Persistent ALPA Policy Displaying device data You can view the device data and the PWWN mapping with the ALPA of the host related to any ports you delete from the database. 1. Connect to the switch and log in using an account assigned to the admin role. 2.
Failover
Access Gateway Failover ensures maximum uptime for the servers. When a port is configured as an N_Port, failover is enabled by default and is enforced during power-up. Failover allows F_Ports to automatically remap to an online N_Port if the primary N_Port goes offline. If multiple N_Ports are available for failover, failover evenly distributes the F_Ports to available N_Ports belonging to the same N_Port group.
Enabling and disabling Failover for a port group
Failover policy can be enabled on a port group. Use the following steps to enable or disable failover on all the N_Ports belonging to the same port group.
1.
The list of F_Ports must be enclosed in quotation marks. Port numbers must be separated by a semicolon. In the following example, F_Ports 3 and 9 are deleted from preferred secondary N_Port 4.
switch:admin> ag --prefdel "3;9" 4
Preferred N_Port is deleted successfully for the F_Port[s]

Failback
Failback policy provides a means for hosts that have failed over to move back to their intended N_ports when these N_ports come back online.
Trunking in Access Gateway mode

Enabling and disabling Failback for a port group
Use the following steps to enable or disable Failback policy on all the N_ports belonging to the same port group.
1. Connect to the switch and log in using an account assigned to the admin role.
2.
Trunking in Access Gateway mode Trunking on the Edge switch in Access Gateway mode As all AG Trunking configuration is done on the Edge switch, information in this section is applicable to the Edge switch module and not the AG module. On the AG module you only need to ensure that the trunking license is applied and enabled.
Configuration management for trunk areas
Ports from different ADs are not allowed to join the same Trunk Area group. The porttrunkarea command prevents the different ADs from joining the TA group. When you assign a TA, the ports within the TA group will have the same Index. The Index that was assigned to the ports is no longer part of the switch.
Slot Port Type State Master
-------------------------------------------
125 125 125 126
-------------------------------------------
5. Enable ports specified in step 3. Continuing with the example shown in step 3, this would mean enabling ports 13 and 14.
switch:admin> portenable 10/13
switch:admin>...
5. Enter the switchshow command to display the switch or port information:
switch:admin> switchshow
switchName: SPIRIT_B4_01
switchType: 66.1
switchState: Online
switchMode: Native
switchRole: Principal
switchDomain:
switchId: fffc02
switchWwn: 10:00:00:05:1e:41:22:80
zoning:
switchBeacon:
FC Router:
FC Router BB Fabric ID: 100
Area Port Media Speed State Proto
=====================================...
6. Display TA-enabled port configuration:
switch:admin> porttrunkarea --show enabled
Port Type State Master
-------------------------------------

Disabling F_Port trunking
Use the following steps to disable F_Port Trunking.
1. Connect to the switch and log in using an account assigned to the admin role.
2.
TABLE 8 Access Gateway trunking considerations for the Edge switch
Category | Description
Authentication | Authentication occurs only on the F_Port trunk master port and only once per the entire trunk. This behavior is the same as E_Port trunk master authentication.
Trunking in Access Gateway mode TABLE 8 Access Gateway trunking considerations for the Edge switch Category Description Fast Write When you assign a Trunk Area to a trunk group, the trunk group cannot have fast write enabled on those ports; if a port is fast write enabled, the port cannot be assigned a Trunk Area.
TABLE 8 Access Gateway trunking considerations for the Edge switch
Category | Description
DCC Policy | DCC policy enforcement for the F_Port trunk is based on the Trunk Area; the FDISC requests to a trunk port are accepted only if the WWN of the attached device is part of the DCC policy against the TA.
Adaptive Networking on Access Gateway

Trunking considerations for Access Gateway mode
Consider the following for Trunking in Access Gateway mode:
• Access Gateway trunking is not supported on M-EOS or third-party switches.
• Trunk groups cannot span across multiple N_Port groups within an AG module in AG mode. Multiple trunk groups are allowed within the same N_Port group.
Adaptive Networking on Access Gateway QoS: SID/DID traffic prioritization SID/DID traffic prioritization allows you to categorize the traffic flow between a given host and target as having a high or low priority; the default is medium. For example, you can assign online transaction processing (OLTP) to a high priority and the backup traffic to a low priority.
Adaptive Networking on Access Gateway • Disable QoS on an AG port if it connects with a switch running Fabric OS 6.2. Otherwise, the port will automatically disable with an error. To recover, disable QoS on the port, then enable the port.
Fabric and Edge switch configuration

FIGURE 11 Access Gateway cascading (diagram labels: F_Port, N_Port, Edge, Core Fabric)

AG cascading provides higher over-subscription because it allows you to consolidate the number of ports going to the main fabric. There is no license requirement to use this feature. Note the following configuration considerations when cascading Access Gateways:
•...
• Disable long distance mode.
• Allow multiple logins for M-EOS switches. The recommended fabric login setting is the maximum allowed per port and per switch.
• Use only WWN zoning for devices behind AG.
•...
Connectivity to Cisco Fabrics No_Module Online E-Port segmented,(zone conflict)(Trunk master) Online E-Port (Trunk port, master is Port 21 ) Online E-Port (Trunk port, master is Port 21 ) Table 3 on page 9 for a description of the port state. If the switch is in Native mode, you can enable AG mode;...
Enabling NPIV on a Cisco switch
1. Log in as admin on the Cisco MDS switch.
2. Enter the show version command to determine that you are using the correct SAN-OS version and to see if NPIV is enabled on the switch.
3.
Adding or deleting an OUI from the Company ID List
The following example shows how to add or delete an OUI (0x112233) from the Company ID List.
1. Enter the following command:
config t
2. Enter the following command to add the OUI ID 0x112233 to the list:
fcid-allocation area company-id 0x112233
3.
Rejoining Fabric OS switches to a fabric

3. Enter the following commands to enable the Flat FCID mode:
vsan vsan# suspend
no vsan vsan# suspend
4. Press Ctrl-Z to exit.
5. Enter the following command to save the MDS switch configuration:
copy run start
NOTE If there are any device(s) in the VSAN that you suspend, it takes that device offline until you...
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the switchDisable command to disable the switch.
3. Enter the defZone allAccess command to allow the switch to merge with the fabric.
4.
Appendix Troubleshooting
This appendix provides troubleshooting instructions.

TABLE 10 Troubleshooting
Problem: Switch is not in Access Gateway mode
Cause: Switch is in Native switch mode
Solution: Disable switch using the switchDisable command. Enable Access Gateway mode using the ag modeenable command. Answer yes when prompted;...
TABLE 10 Troubleshooting (Continued)
Problem: Failover is not working
Cause: Failover disabled on N_Port.
Solution: Verify that the failover and failback policies are enabled, as follows: Enter the ag failoverShow command with the port_number operand. Enter the ag failbackShow command with the port_number operand.