Cisco Nexus 5500 Series NX-OS Configuration Manual Download Page 288 | Manualshive

Page: 288 / 320

background image

Copying the Port Security Database

We recommend that you copy the active database to the config database after disabling auto-learning.
This action ensures that the configuration database is in synchronization with the active database. If
distribution is enabled, this command creates a temporary copy (and a fabric lock) of the configuration
database. If you lock the fabric, you must commit the changes to the configuration databases in all the
switches.

Tip

Use the

port-security database copy vsan

command to copy from the active to the configured database. If

the active database is empty, this command is not accepted.

switch#

port-security database copy vsan 1

Use the

port-security database diff active vsan

command to view the differences between the active database

and the configuration database. This command can be used when resolving conflicts.

switch#

port-security database diff active vsan 1

Use the

port-security database diff config vsan

command to obtain information on the differences between

the configuration database and the active database:

switch#

port-security database diff config vsan 1

Deleting the Port Security Database

If the distribution is enabled, the deletion creates a copy of the database. You must enter the

port-security

commit

command to actually delete the database.

Tip

Use the

no port-security database vsan

command in configuration mode to delete the configured database

for a specified VSAN:

switch(config)#

no port-security database vsan 1

Clearing the Port Security Database

Use the

clear port-security statistics vsan

command to clear all existing statistics from the port security

database for a specified VSAN.

switch#

clear port-security statistics vsan 1

Use the

clear port-security database auto-learn interface

command to clear any learned entries in the active

database for a specified interface within a VSAN:

switch#

clear port-security database auto-learn interface fc2/1 vsan 1

Use the

clear port-security database auto-learn vsan

command to clear any learned entries in the active

database for the entire VSAN:

switch#

clear port-security database auto-learn vsan 1

The

clear port-security database auto-learn

and

clear port-security statistics

commands are only

relevant to the local switch and do not acquire locks. Also, learned entries are only local to the switch and
do not participate in distribution.

Note

Cisco Nexus 5500 Series NX-OS SAN Switching Configuration Guide, Release 7.x

264

OL-30895-01

Configuring Port Security

Database Interaction

«
...
286
287
288
289
290
...
»

Summary of Contents for Nexus 5500 Series NX-OS

Page 1: ...ide Release 7 x First Published January 29 2014 Last Modified May 22 2014 Americas Headquarters Cisco Systems Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 Text Part Number OL 30895 01 ...

Page 2: ... IMPLIED INCLUDING WITHOUT LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE T...

Page 3: ...C H A P T E R 2 Configuring Fibre Channel Interfaces 5 Configuring Fibre Channel Interfaces 5 Information About Fibre Channel Interfaces 5 Licensing Requirements for Fibre Channel 5 QOS Requirements for Fibre Channel 5 Physical Fibre Channel Interfaces 6 Virtual Fibre Channel Interfaces 6 VF Port 6 VE Ports 7 VNP Ports 8 Interface Modes 8 E Port 9 F Port 9 NP Port 9 TE Port 9 TF Port 10 TNP Port 1...

Page 4: ...ata Field Size 20 Understanding Bit Error Thresholds 20 Configuring Buffer to Buffer Credits 21 Configuring Global Attributes for Fibre Channel Interfaces 22 Configuring Switch Port Attribute Default Values 22 Information About N Port Identifier Virtualization 23 Enabling N Port Identifier Virtualization 23 Example Port Channel Configurations 24 Verifying Fibre Channel Interfaces 25 Verifying SFP ...

Page 5: ...D Lists 39 Configuring Allowed Domain ID Lists 39 CFS Distribution of Allowed Domain ID Lists 40 Enabling Distribution 40 Locking the Fabric 40 Committing Changes 41 Discarding Changes 41 Clearing a Fabric Lock 42 Displaying CFS Distribution Status 42 Displaying Pending Changes 42 Displaying Session Status 42 Contiguous Domain ID Assignments 43 Enabling Contiguous Domain ID Assignments 43 FC IDs 4...

Page 6: ...nk Selection 54 Traffic Maps 54 Disruptive Load Balancing 55 NPV Traffic Management Guidelines 55 NPV Guidelines and Limitations 55 Configuring NPV 56 Enabling NPV 56 Configuring NPV Interfaces 57 Configuring an NP Interface 57 Configuring a Server Interface 58 Configuring NPV Traffic Management 58 Configuring NPV Traffic Maps 58 Enabling Disruptive Load Balancing 59 Verifying NPV 59 Verifying NPV...

Page 7: ...Trunking Mismatches 84 VSAN Trunking Protocol 84 Configuring VSAN Trunking 85 Guidelines and Limitations 85 Enabling or Disabling the VSAN Trunking Protocol 85 Trunk Mode 85 Configuring Trunk Mode 86 Trunk Allowed VSAN Lists 87 Configuring an Allowed Active List of VSANs 89 Displaying VSAN Trunking Information 90 Default Settings for VSAN Trunks 90 C H A P T E R 7 Configuring SAN Port Channels 93 ...

Page 8: ...t Channel 105 SAN Port Channel Protocol 106 About Channel Group Creation 106 Autocreation Guidelines 108 Enabling and Configuring Autocreation 109 About Manually Configured Channel Groups 109 Converting to Manually Configured Channel Groups 109 Example Port Channel Configurations 109 Verifying SAN Port Channel Configuration 110 Default Settings for SAN Port Channels 111 C H A P T E R 8 Configuring...

Page 9: ...tion About Zones 127 Information About Zoning 127 Zoning Features 127 Zoning Example 129 Zone Implementation 130 Active and Full Zone Sets 130 Configuring a Zone 133 Configuration Examples 133 Zone Sets 134 Activating a Zone Set 135 Default Zone 135 Configuring the Default Zone Access Permission 136 FC Alias Creation 136 Creating FC Aliases 137 Creating FC Aliases Example 137 Creating Zone Sets an...

Page 10: ...iguring Zone Merge Control Policies 151 Default Zone Policies 152 Configuring System Default Zoning Settings 152 Verifying Enhanced Zone Information 153 Compacting the Zone Database 153 Analyzing the Zone and Zone Set 154 Default Settings for Zones 154 C H A P T E R 1 0 Distributing Device Alias Services 155 Distributing Device Alias Services 155 Information About Device Aliases 155 Device Alias F...

Page 11: ...FSPF 168 FSPF Examples 168 Fault Tolerant Fabric Example 168 Redundant Link Example 169 FSPF Global Configuration 169 SPF Computational Hold Times 170 Link State Records 170 Configuring FSPF on a VSAN 170 Resetting FSPF to the Default Configuration 171 Enabling or Disabling FSPF 171 Clearing FSPF Counters for the VSAN 172 FSPF Interface Configuration 172 FSPF Link Cost 172 Configuring FSPF Link Co...

Page 12: ... 183 Flow Statistics 183 Counting Aggregated Flow Statistics 183 Counting Individual Flow Statistics 184 Clearing FIB Statistics 184 Displaying Flow Statistics 184 Default Settings for FSFP 185 C H A P T E R 1 2 Managing FLOGI Name Server FDMI and RSCN Databases 187 Managing FLOGI Name Server FDMI and RSCN Databases 187 Fabric Login 187 Name Server Proxy 188 About Registering Name Server Proxies 1...

Page 13: ...ion 197 Default Settings for RSCN 197 C H A P T E R 1 3 Discovering SCSI Targets 199 Discovering SCSI Targets 199 Information About SCSI LUN Discovery 199 About Starting SCSI LUN Discovery 199 Starting SCSI LUN Discovery 200 About Initiating Customized Discovery 200 Initiating Customized Discovery 200 Displaying SCSI LUN Information 201 C H A P T E R 1 4 Configuring iSCSI TLV 203 Information about...

Page 14: ...alues 217 World Wide Names 218 Verifying the WWN Configuration 218 Link Initialization WWN Usage 218 Configuring a Secondary MAC Address 219 FC ID Allocation for HBAs 219 Default Company ID List 220 Verifying the Company ID Configuration 220 Switch Interoperability 221 About Interop Mode 221 Configuring Interop Mode 1 224 Verifying Interoperating Status 225 Default Settings for Advanced Fibre Chan...

Page 15: ...bric Security 241 Default Settings for Fabric Security 242 C H A P T E R 1 7 Configuring Port Security 245 Configuring Port Security 245 Information About Port Security 245 Port Security Enforcement 246 Auto Learning 246 Port Security Activation 246 Configuring Port Security 247 Configuring Port Security with Auto Learning and CFS Distribution 247 Configuring Port Security with Auto Learning witho...

Page 16: ...Database Scenarios 263 Copying the Port Security Database 264 Deleting the Port Security Database 264 Clearing the Port Security Database 264 Displaying Port Security Configuration 265 Default Settings for Port Security 265 C H A P T E R 1 8 Configuring Fabric Binding 267 Configuring Fabric Binding 267 Information About Fabric Binding 267 Licensing Requirements for Fabric Binding 267 Port Security...

Page 17: ...isplaying FCS Information 277 Default FCS Settings 277 C H A P T E R 2 0 Configuring Port Tracking 279 Configuring Port Tracking 279 Information About Port Tracking 279 Default Settings for Port Tracking 280 Configuring Port Tracking 281 Enabling Port Tracking 281 Configuring Linked Ports 282 Operationally Binding a Tracked Port 282 Tracking Multiple Ports 282 Tracking Multiple Ports 283 Monitorin...

Page 18: ...Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x xviii OL 30895 01 Contents ...

Page 19: ...model our documents to meet our customers requirements we have modified the manner in which we document configuration tasks As a result of this you may find a deviation in the style used to describe these tasks with the newly included sections of the document following the new format Note Command descriptions use the following conventions Description Convention Bold text indicates the commands and...

Page 20: ...ng conventions Description Convention Terminal sessions and information the switch displays are in screen font screen font Information you must enter is in boldface screen font boldface screen font Arguments for which you supply values are in italic screen font italic screen font Nonprinting characters such as passwords are in angle brackets Default responses to system prompts are in square bracke...

Page 21: ...00 Series NX OS Fundamentals Configuration Guide Cisco Nexus 5500 Series NX OS Interfaces Configuration Guide Cisco Nexus 5500 Series NX OS Layer 2 Switching Configuration Guide Cisco Nexus 5500 Series NX OS Multicast Routing Configuration Guide Cisco Nexus 5500 Series NX OS Quality of Service Configuration Guide Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Cisco Nexus 5500 Seri...

Page 22: ...nt Command Reference Cisco Nexus 5500 Series NX OS TrustSec Command Reference Cisco Nexus 5500 Series NX OS Unicast Routing Command Reference Cisco Nexus 5500 Series NX OS Virtual Port Channel Command Reference Technical References The Cisco Nexus 5500 Series NX OS MIB Reference is available at http www cisco com en US docs switches datacenter nexus5500 sw mib reference NX5500_MIBRef html Error an...

Page 23: ...ormation see What s New in Cisco Product Documentation To receive new and revised Cisco technical content directly to your desktop you can subscribe to the What s New in Cisco Product Documentation RSS feed RSS feeds are a free service Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x OL 30895 01 xxiii Preface Obtaining Documentation and Submitting a Service Request ...

Page 24: ...Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x xxiv OL 30895 01 Preface Obtaining Documentation and Submitting a Service Request ...

Page 25: ...ntifier virtualization NPIV which allows multiple N port fabric logins concurrently on a single physical Fibre Channel link HBAs that support NPIV can help improve SAN security by enabling zoning and port security to be configured independently for each virtual machine OS partition on a host In addition to being useful for server connections NPIV is beneficial for connectivity between core and edg...

Page 26: ...of a specified VSAN are confined within the VSAN s own domain which increases SAN security VSANs can reduce costs by facilitating consolidation of isolated SAN islands into a common infrastructure without compromising availability You can create administrator roles that are limited in scope to certain VSANs For example you can set up a network administrator role to allow configuration of all platf...

Page 27: ...special consideration FSPF automatically calculates the best path between any two switches in a fabric Specifically FSPF is used to perform these functions Dynamically compute routes throughout a fabric by establishing the shortest and quickest path between any two switches Select an alternative path if a failure occurs on a given path FSPF supports multiple paths and automatically computes an alt...

Page 28: ...abled on a switch port all devices connecting to that port must be in the port security database and must be listed in the database as bound to a given port If both of these criteria are not met the port will not achieve an operationally active state and the devices connected to the port will be denied access to the SAN Fabric Binding Fabric binding ensures Inter Switch Links ISLs are enabled only...

Page 29: ...se installed N5010SS or N5020SS before using Fibre Channel interfaces and capabilities You can configure virtual Fibre Channel interfaces without a Storage Protocol Services license but these interfaces will not become operational until the license is activated Note QOS Requirements for Fibre Channel The FCoE QoS must be configured if the following types of interfaces are in use Native FC for FC F...

Page 30: ...Cisco NX OS vFC interfaces are manipulable objects with properties such as configuration and state Native Fibre Channel and vFC interfaces are configured using the same CLI commands vFC interfaces support only F mode and operate in trunk mode only The following capabilities are not supported for virtual Fibre Channel interfaces SAN port channels The SPAN destination cannot be a vFC interface Buffe...

Page 31: ...ning Tree Protocol is disabled on the FCoE VLANs on any interface that a vFC interface is bound to which includes the interfaces that the VE ports are bound to The number of VE port pairs that can be supported between a given FCF and a peer FCF depends on the FCF MAC advertising capability of the peer FCF If a peer FCF advertises the same FCF MAC address over all its interfaces the FCF can connect...

Page 32: ...to Interface Modes Each physical Fibre Channel interface in a switch may operate in one of several port modes E mode TE mode F mode TF mode TNP mode and SD mode A physical Fibre Channel interface can be configured as an E port an F port or an SD port Interfaces may also be configured in Auto mode the port type is determined during interface initialization In NPV mode Fibre Channel interfaces may o...

Page 33: ...e configured as NP ports NP ports operate like N ports that function as proxies for multiple physical N ports Related Topics Configuring N Port Virtualization on page 51 TE Port In trunking E port TE port mode an interface functions as a trunking expansion port It may be connected to another TE port to create an extended ISL EISL between two switches TE ports connect to another Cisco Nexus device ...

Page 34: ...ses though a Fibre Channel interface This monitoring is done using a standard Fibre Channel analyzer or a similar switch probe that is attached to an SD port SD ports do not receive frames instead they transmit a copy of the source traffic The SPAN feature is nonintrusive and does not affect switching of network traffic for any SPAN source ports Auto Mode Interfaces configured in auto mode can ope...

Page 35: ...tate must be up and the interface initialization must be completed Up Interface cannot transmit or receive data traffic Down Interface is operational in TE or TF mode Trunking Reason Codes Reason codes are dependent on the operational state of the interface The following table describes the reason codes for operational states Table 3 Reason Codes for Interface States Reason Code Operational Status...

Page 36: ...rdware is not plugged in SFP not present All The physical layer link is operational and the protocol initialization is in progress Initializing The fabric is currently being reconfigured Reconfigure fabric in progress The switch software waits for the specified R_A_TOV time before retrying initialization Offline The interface VSAN is deleted or is in a suspended state To make the interface operati...

Page 37: ...ion due to ESC failure The Fibre Channel domains fcdomain overlap Isolation due to domain overlap The assigned domain ID is not valid Isolation due to domain ID assignment failure The E port at the other end of the link is isolated Isolation due to the other side of the link E port isolated The port is isolated due to fabric reconfiguration Isolation due to invalid fabric reconfiguration The fcdom...

Page 38: ...rames BB_credits are negotiated on a per hop basis In Cisco Nexus devices the BB_credit mechanism is used on Fibre Channel interfaces but not on virtual Fibre Channel interfaces The receive BB_credit determines the receive buffering capability on the receive side without having to acknowledge the peer This is important for links with large bandwidth delays long links with large latency to be able ...

Page 39: ...lot QSFP module port Note Configuring a Range of Fibre Channel Interfaces To configure a range of Fibre Channel interfaces perform this task Procedure Purpose Command or Action Enters configuration mode switch configuration terminal Step 1 Selects the range of Fibre Channel interfaces and enters interface configuration mode switch config interface fc slot port port fc slot port port vfc vfc id vfc...

Page 40: ...face vfc vfc id Example switch config interface vfc 20 switch config if Step 2 Sets the port mode switch config if switchport mode E NP Step 3 Example switch config if switchport mode E switch config if vFC interfaces support modes F E or NP SD ports cannot be configured automatically They must be administratively configured Note This example shows how to configure VE port 20 and bind it to Ethern...

Page 41: ...talled Cisco N55 M16UP expansion module Cisco Nexus 5672UP Cisco Nexus 56128 with N56 M24UP2Q GEM Cisco Nexus If you re configuring a unified port as Fibre Channel or FCoE confirm that you have enabled the feature fcoe command Procedure Purpose Command or Action Enters global configuration mode switch configure terminal Step 1 Identifies the slot on the switch switch config slot slot number Step 2...

Page 42: ... switch config slot poweroff module 2 switch config slot no poweroff module 2 Configuring the Interface Description Interface descriptions should help you identify the traffic or use for that interface The interface description can be any alphanumeric string To configure a description for an interface perform this task Procedure Purpose Command or Action Enters configuration mode switch configurat...

Page 43: ...ber indicates the speed in megabits per second Mbps You can set the speed to 1000 for 1 Gbps interfaces 2000 for 2 Gbps interfaces 4000 for 4 Gbps interfaces or auto default Reverts to the factory default auto administrative speed of the interface switch config if no switchport speed Step 4 Autosensing Configuring SD Port Frame Encapsulation The switchport encap eisl command only applies to SD por...

Page 44: ...s used by the switch to detect an increased error rate before performance degradation seriously affects traffic The bit errors can occur for the following reasons Faulty or bad cable Faulty or bad GBIC or SFP GBIC or SFP is specified to operate at 1 Gbps but is used at 2 Gbps GBIC or SFP is specified to operate at 2 Gbps but is used at 4 Gbps Short haul cable is used for long haul or long haul cab...

Page 45: ...redits Procedure Purpose Command or Action Enters global configuration mode switch configure terminal Step 1 Selects a Fibre Channel interface and enters interface configuration mode switch config interface fc slot port Step 2 If this is a QSFP GEM the slot port syntax is slot QSFP module port Note Applies the default operational value to the selected interface The operational value depends on the...

Page 46: ... port configurations even if you do not individually specify them at that time To configure switch port attributes perform this task Procedure Purpose Command or Action Enters configuration mode switch configuration terminal Step 1 Configures the default setting for administrative state of an interface as Up The factory default setting is Down switch config no system default switchport shutdown sa...

Page 47: ...g NPIV Figure 1 NPIV Example Enabling N Port Identifier Virtualization You can enable or disable NPIV on the switch Before You Begin You must globally enable NPIV for all VSANs on the switch to allow the NPIV enabled applications to use multiple N port identifiers All of the N port identifiers are allocated in the same VSAN Note Procedure Purpose Command or Action Enters configuration mode configu...

Page 48: ...ber interfaces on the core switch in dedicated mode switch config interface fc1 4 6 switch config if shut switch config if switchport mode F switch config if switchport speed 4000 switch config if switchport rate mode dedicated switch config if switchport trunk mode on switch config if channel group 2 switch config if no shut switch config if exit This example shows how to create the port channel ...

Page 49: ... configured interfaces in the switch You can also specify arguments a range of interfaces or multiple specified interfaces to display interface information You can specify a range of interfaces by entering a command with the following example format interface fc2 1 4 fc3 2 3 The following example shows how to display all interfaces switch show interface fc3 1 is up fc3 3 is up Ethernet1 3 is up mg...

Page 50: ...ce fc3 5 switchport mode E interface fc3 5 channel group 11 force no shutdown The following example shows the interface display when showing the running configuration for a specific interface switch show running configuration fc3 5 interface fc3 5 switchport speed 2000 switchport mode E channel group 11 force no shutdown Verifying BB_Credit Information The following example shows how to display th...

Page 51: ...de Auto Interface speed Shutdown unless changed during initial setup Administrative state On unless changed during initial setup Trunk mode 1 to 4093 Trunk allowed VSANs Default VSAN 1 Interface VSAN Off disabled Beacon mode Disabled EISL encapsulation 2112 bytes Data field size The following table lists the default settings for virtual Fibre Channel interface parameters Table 6 Default Virtual Fi...

Page 52: ...AN 1 Interface VSAN n a EISL encapsulation n a Data field size Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x 28 OL 30895 01 Configuring Fibre Channel Interfaces Default Fibre Channel Interface Settings ...

Page 53: ...liar with switch operations Caution When you change the configuration be sure to save the running configuration The next time you reboot the switch the saved configuration is used If you do not save the configuration the previously saved startup configuration is used Fibre Channel Domains The fcdomain has four phases Principal switch selection This phase guarantees the selection of a unique princi...

Page 54: ...t you must manually assign domain IDs A disruptive restart is required to apply most configuration changes including manually assigned domain IDs Nondisruptive domain restarts are acceptable only when changing a preferred domain ID into a static one and the actual domain ID remains the same A static domain is specifically configured by the user and may be different from the runtime domain If the d...

Page 55: ...ipal link fails the domain manager must select a new principal link By default the domain manager starts a build fabric BF phase followed by a principal switch selection phase Both of these phases involve all the switches in the VSAN and together take at least 15 seconds to complete To reduce the time required for the domain manager to select a new principal link you can enable the domain manager ...

Page 56: ...255 is accepted from other switches but cannot be locally configured Any new switch cannot become the principal switch when it joins a stable fabric During the principal switch selection phase the switch with the highest priority becomes the principal switch If two switches have the same configured priority the switch with the lower world wide name WWN becomes the principal switch The priority con...

Page 57: ... in a switch that switch can no longer participate with other switches in the fabric The fcdomain configuration is applied to runtime through a disruptive restart Disabling or Reenabling fcdomains To disable or reenable fcdomains in a single VSAN or a range of VSANs perform this task Procedure Purpose Command or Action Enters global configuration mode switch configure terminal Step 1 Disables the ...

Page 58: ...fcdomain fabric name 20 1 ac 16 5e 0 21 01 vsan 1 Step 3 Incoming RCFs You can configure the rcf reject option on a per interface per VSAN basis By default the rcf reject option is disabled that is RCF request frames are not automatically rejected The rcf reject option takes effect immediately No fcdomain restart is required You do not need to configure the RCF reject option on virtual Fibre Chann...

Page 59: ...ime You do not need to restart the fcdomain If a domain is currently isolated due to domain overlap and you later enable the autoreconfigure option on both switches the fabric continues to be isolated If you enabled the autoreconfigure option on both switches before connecting the fabric a disruptive reconfiguration RCF will occur A disruptive reconfiguration can affect data traffic You can nondis...

Page 60: ...configured domain ID can be preferred or static By default the configured domain ID is 0 zero and the configured type is preferred The 0 zero value can be configured only if you use the preferred option Note If you do not configure a domain ID the local switch sends a random ID in its request We recommend that you use static domain IDs When a subordinate switch requests a domain the following proc...

Page 61: ... are isolated When the assigned and requested domain IDs are the same the preferred and static options are not relevant and the assigned domain ID becomes the runtime domain ID When the assigned and requested domain IDs are different the following cases apply If the configured type is static the assigned domain ID is discarded all local interfaces are isolated and the local switch assigns itself t...

Page 62: ...accept only a specific value and moves the local interfaces fcdomain domain domain id static vsan vsan id Step 2 in the specified VSAN to an isolated state if the Example switch config fcdomain domain 1 static vsan 3 requested domain ID is not granted The domain ID range is 1 to 239 The VSAN ID range is 1 to 4093 Resets the configured domain ID to factory defaults in the specified VSAN The configu...

Page 63: ...abric we recommend that you configure the same list in all other switches in the fabric to ensure consistency or use CFS to distribute the configuration Configuring Allowed Domain ID Lists You can configure the allowed domain ID list Procedure Purpose Command or Action Enters global configuration mode configure terminal Example switch configure terminal switch config Step 1 Configures the list to ...

Page 64: ...for your device Enabling Distribution You can enable or disable allowed domain ID list configuration distribution CFS distribution of allowed domain ID lists is disabled by default You must enable distribution on all switches to which you want to distribute the allowed domain ID lists Procedure Purpose Command or Action Enters global configuration mode configure terminal Example switch configure t...

Page 65: ...ration mode configure terminal Example switch configure terminal switch config Step 1 Commits the pending domain configuration changes fcdomain commit vsan vsan id Example switch config fcdomain commit vsan 45 Step 2 Discarding Changes You can discard pending domain configuration changes and release the lock At any time you can discard the pending changes to the domain configuration and release th...

Page 66: ... pending configuration changes by using the show fcdomain pending command switch show fcdomain pending vsan 10 Pending Configured Allowed Domains VSAN 10 Assigned or unallowed domain IDs 1 9 24 100 231 239 User configured allowed domain IDs 10 230 You can display the differences between the pending configuration and the current configuration by using the show fcdomain pending diff command switch s...

Page 67: ...al switch config Step 1 Enables the contiguous allocation option in the specified VSAN range fcdomain contiguous allocation vsan vsan id vsan id Step 2 Example switch config fcdomain contiguous allocation vsan 22 30 The contiguous allocation option takes immediate effect at runtime You do not need to restart the fcdomain Note Disables the contiguous allocation option and reverts it to the factory ...

Page 68: ...mic entries that the switch has learned about after a device host or disk is plugged into a port interface If you connect to the switch from an AIX or HP UX host be sure to enable the persistent FC ID feature in the VSAN that connects these hosts Note When persistent FC IDs are enabled FC IDs cannot be changed after a reboot FC IDs are enabled by default but can be disabled for each VSAN Note A pe...

Page 69: ... that the domain part of the FC ID is the same as the runtime domain ID in the required VSAN If the software detects a domain mismatch the command is rejected Verify that the port field of the FC ID is 0 zero when configuring an area Configuring Persistent FC IDs You can configure persistent FC IDs Procedure Purpose Command or Action Enters global configuration mode configure terminal Example swit...

Page 70: ...ifferent area ID than for the storage ports when they are both connected to the same switch For example if the storage port FC ID is 0x6f7704 the area for this port is 77 In this case the HBA port s area can be anything other than 77 The HBA port s FC ID must be manually configured to be different from the storage port s FC ID Cisco SAN switches facilitate this requirement with the FC ID persisten...

Page 71: ...ure in the SAN switch switch configure terminal switch config fcdomain fcid persistent vsan 1 switch config end Step 5 Assign a new FC ID with a different area allocation In this example replace 77 with ee switch configure terminal switch config fcdomain fcid database switch config fcid db vsan 3 wwn 50 05 08 b2 00 71 c8 c2 fcid 0x6fee00 area Step 6 Enable the HBA interface in the SAN switch switc...

Page 72: ...rges all dynamic and unused FC IDs in the specified VSAN purge fcdomain fcid vsan vsan id Example switch purge fcdomain fcid vsan 667 Step 1 Purges dynamic and unused FC IDs in the specified VSAN range purge fcdomain fcid vsan vsan id vsan id Example switch purge fcdomain fcid vsan 50 100 Step 2 Verifying the fcdomain Configuration If the fcdomain feature is disabled the runtime fabric name in the...

Page 73: ...o display all existing persistent FC IDs for a specified VSAN You can also specify the unused option to view only persistent FC IDs that are still not in use switch show fcdomain fcid persistent vsan 1000 The following example shows how to display frame and other fcdomain statistics for a specified VSAN or SAN port channel switch show fcdomain statistics vsan 1 VSAN Statistics Number of Principal ...

Page 74: ...ontiguous allocation option 128 Priority 1 to 239 Allowed list 20 01 00 05 30 00 28 df Fabric name Disabled rcf reject Enabled Persistent FC ID Disabled Allowed domain ID list configuration distribution Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x 50 OL 30895 01 Configuring Fibre Channel Domain Parameters Default Settings for Fibre Channel Domains ...

Page 75: ... so the SAN has a limit of 239 switches In a SAN topology with a large number of edge switches the SAN may need to grow beyond this limit NPV alleviates the domain ID limit by sharing the domain ID of the core switch among multiple edge switches In NPV mode the edge switch relays all traffic from server side ports to the core switch The core switch provides F port functionality such as login and p...

Page 76: ...r the show flogi database and show fcns database commands on the core switch Server Interfaces Server interfaces are F ports on the edge switch that connect to the servers A server interface may support multiple end devices by enabling the N port identifier virtualization NPIV feature NPIV provides a means to assign multiple FC IDs to a single N port which allows the server to assign unique FC IDs...

Page 77: ...on page 187 FLOGI Operation When an NP port becomes operational the switch first logs itself in to the core switch by sending a FLOGI request using the port WWN of the NP port After completing the FLOGI request the switch registers itself with the fabric name server on the core switch using the symbolic port name of the NP port and the IP address of the edge switch The following table identifies p...

Page 78: ...isting load is not redistributed automatically to include the newly available uplink Server interfaces that become operational after the NP uplink can select the new NP uplink Traffic Maps In Release 4 0 1a N2 1 and later software releases NPV supports traffic maps A traffic map allows you to specify the NP uplinks that a server interface can use to connect to the core switches When an NPV traffic...

Page 79: ...t NPV will use automatic traffic management Server interfaces configured to use a set of NP uplink interfaces cannot use any other available NP uplink interfaces even if none of the configured interfaces are available When disruptive load balancing is enabled a server interface may be moved from one NP uplink to another NP uplink Moving between NP uplink interfaces requires NPV to relogin to the c...

Page 80: ...link is operational Servers can be connected to the switch when in NPV mode When initiators and targets are assigned to the same border port NP or NP PO then Cisco Nexus 5000 Series switches in NPIV mode do not support hairpinning Fibre Channel switching is not performed in the edge switch all traffic is switched in the core switch NPV supports NPIV capable servers This capability is called nested...

Page 81: ... boot variable username password details ntp configuration callhome configuration snmp server details feature fcoe Disables NPV mode which results in a reload of the switch switch config npv no npv enable Step 3 Configuring NPV Interfaces After you enable NPV you should configure the NP uplink interfaces and the server interfaces Configuring an NP Interface After you enable NPV you should configur...

Page 82: ...Selects an interface that will be connected to the core NPV switch switch config interface fc slot port Step 2 If this is a QSFP GEM the slot port syntax is slot QSFP module port Note Configures the interface as an F port switch config if switchport mode F Step 3 Brings up the interface switch config if no shutdown Step 4 Configuring NPV Traffic Management Configuring NPV Traffic Maps An NPV traff...

Page 83: ...t Step 3 If this is a QSFP GEM the slot port syntax is slot QSFP module port Note Enabling Disruptive Load Balancing If you configure additional NP uplinks you can enable the disruptive load balancing feature to distribute the server traffic load evenly among all the NP uplinks To enable disruptive load balancing perform this task Procedure Purpose Command or Action Enters configuration mode on th...

Page 84: ... interfaces enter the show npv status command switch show npv status npiv is enabled External Interfaces Interface fc2 1 VSAN 1 FCID 0x1c0000 State Up Interface fc2 2 VSAN 1 FCID 0x040000 State Up Interface fc2 3 VSAN 1 FCID 0x260000 State Up Interface fc2 4 VSAN 1 FCID 0x1a0000 State Up Number of External Interfaces 4 Server Interfaces Interface vfc3 1 VSAN 1 NPIV No State Up Number of Server Int...

Page 85: ... internal traffic details enter the show npv internal info traffic map command To display the disruptive load balancing status enter the show npv status command switch show npv status npiv is enabled disruptive load balancing is enabled External Interfaces Interface fc2 1 VSAN 2 FCID 0x1c0000 State Up Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x OL 30895 01 61 Config...

Page 86: ...Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x 62 OL 30895 01 Configuring N Port Virtualization Verifying NPV ...

Page 87: ... page 75 Configuring NPV Ports for FCoE NPV page 76 Verifying FCoE NPV Configuration page 76 Configuration Examples for FCoE NPV page 77 Information About FCoE NPV FCoE NPV is supported on the Cisco Nexus devices The FCoE NPV feature is an enhanced form of FIP snooping that provides a secure method to connect FCoE capable hosts to an FCoE capable FCoE forwarder FCF switch The FCoE NPV feature prov...

Page 88: ...e Storage Protocols Services Package FC_FEATURES_PKG license Enable FCoE NPV When you enable FCoE NPV using the feature fcoe npv command the mode changes to NPV When you use this method a write erase and reload does not occur This method requires a separate license package FCOE_NPV_PKG This license is also included in the Storage Protocol Services License Reload Write Erase License Method Yes Yes ...

Page 89: ...icense installation see the Cisco NX OS Licensing Guide For information about troubleshooting licensing issues see the Troubleshooting Guide for your device NX OS FCoE NPV Model The following figure shows the FCoE NPV bridge connecting hosts and FCFs From a control plane perspective FCoE NPV performs proxy functions towards the FCF and the hosts in order to load balance logins from the Cisco Nexus...

Page 90: ...he mapped VLAN is used to carry FIP and FCoE traffic for the corresponding VSAN The VLAN VSAN mapping must be configured consistently in the entire fabric The Cisco Nexus device supports 32 VSANs FC Mapping The FC MAP value associated with a SAN fabric must be configured on the FCoE NPV bridge which helps the FCoE NPV bridge isolate misconnections to FCFs in other fabrics Cisco Nexus 5500 Series N...

Page 91: ... Ethernet interface These vFC interfaces must be configured as VNP ports On the VNP port an FCoE NPV bridge emulates an FCoE capable host with multiple enodes each with a unique enode MAC address A VNP port interface binding to MAC address is not supported By default the VNP port is enabled in trunk mode Multiple VSANs can be configured on the VNP port The FCoE VLANs that correspond to the VNP por...

Page 92: ...ed links must be used for FCoE VLANs between the FCoE NPV bridge and the FCF connected over a vPC FCoE VLANs must not be configured on the inter switch vPC interfaces VF port binding to a vPC member port is not supported for an inter switch vPC Figure 6 VNP Ports in an Inter Switch vPC Topology Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x 68 OL 30895 01 Configuring F...

Page 93: ...l Figure 8 Cisco Nexus Device As An FCoE NPV Device Connected Over a vPC To Another Cisco Nexus Device Figure 9 Cisco Nexus Device With A 10GB Fabric Extender As An FCoE NPV Device Connected to a Cisco Nexus Device Over A Non vPC Port Channel Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x OL 30895 01 69 Configuring FCoE NPV Supported and Unsupported Topologies ...

Page 94: ...nected Over a vPC to Another Cisco Nexus Device Figure 11 Cisco Nexus Device As An FCoE NPV Bridge Connecting to a FIP Snooping Bridge Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x 70 OL 30895 01 Configuring FCoE NPV Supported and Unsupported Topologies ...

Page 95: ...Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x OL 30895 01 71 Configuring FCoE NPV Supported and Unsupported Topologies ...

Page 96: ...idge Over Multiple VF Ports Figure 13 Cisco Nexus Device As An FCoE NPV Bridge Connecting To A FIP Snooping Bridge Or Another FCoE NPV Bridge Figure 14 VF Port Trunk To Hosts In FCoE NPV Mode Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x 72 OL 30895 01 Configuring FCoE NPV Supported and Unsupported Topologies ...

Page 97: ...f FCoE NPV is enabled and if VNP ports are configured A warning is displayed if an ISSD is performed to Cisco NX OS Release 5 0 3 N1 1 or an earlier release when FCoE NPV is enabled but VNP ports are not configured Before performing an ISSU on an FCoE NPV bridge use the disable fka command to disable the timeout value check FKA check on the core switch FCoE NPV Configuration Limits The following t...

Page 98: ...ll of its interfaces then the FCoE NPV bridge can connect to it over one VNP Port In this scenario we recommend that one port channel interface be used for redundancy If an FCF advertises multiple FCF MAC addresses then the limits in the previous table apply For additional information see the best practices recommendations for the FCF switch The total number of supported VSANs is 31 excluding the ...

Page 99: ...le FCoE NPV using the feature fcoe npv command We recommend this method in topologies that include all FCoE connections A write erase reload does not occur when you use this method and a storage service license is not required Enabling FCoE NPV using the feature fcoe npv command requires an installed FCOE_NPV_PKG license Before You Begin FCoE NPV has the following prerequisites Ensure that the cor...

Page 100: ... configure terminal switch config feature fcoe switch config feature npv Configuring NPV Ports for FCoE NPV You can configure NVP port for FCoE NPV 1 Create a vFC port switch config t switch config interface vfc 20 switch config if 2 Bind the vFC to an Ethernet port switch config if bind interface ethernet 1 20 switch config if 3 Set the port mode to NP switch config if switchport mode NP switch c...

Page 101: ...abric login FLOGI session show npv flogi table Displays the status of Fibre Channel over Ethernet FCoE configurations show fcoe For detailed information about the fields in the output from these commands refer to the command reference for your device Configuration Examples for FCoE NPV This example shows how to enable FCoE NPV LACP QoS for no drop queuing and VLAN VSAN mapping switch config t swit...

Page 102: ...ow running config fcoe_mgr Time Wed Jan 20 21 59 39 2013 version 6 0 2 N1 1 interface vfc1 bind interface Ethernet1 19 interface vfc2 bind interface Ethernet1 2 interface vfc90 bind interface Ethernet1 9 interface vfc100 bind interface Ethernet1 10 interface vfc110 bind interface port channel110 interface vfc111 bind interface Ethernet1 11 interface vfc120 bind interface port channel120 interface ...

Page 103: ...annel Port WWN is 20 00 00 05 9b 74 bd bf Admin port mode is F trunk mode is on snmp link state traps are enabled Port mode is TF Port vsan is 20 Trunk vsans admin allowed and active 1 20 100 200 300 400 500 Trunk vsans up 20 Trunk vsans isolated Trunk vsans initializing 1 100 200 300 400 500 1 minute input rate 0 bits sec 0 bytes sec 0 frames sec 1 minute output rate 0 bits sec 0 bytes sec 0 fram...

Page 104: ... VSAN 4094 State Down Interface vfc6000 VSAN 4094 State Down Interface vfc7000 VSAN 4094 State Down Interface vfc8090 VSAN 4094 State Down Interface vfc8191 VSAN 4094 State Down Number of Server Interfaces 8 This example shows the running configuration of port channel 130 switch show running config interface port channel 130 Command show running config interface port channel130 Time Wed Jan 30 22 ...

Page 105: ... ISSU downgrade not supported as feature fcoe npv is enabled switch Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x OL 30895 01 81 Configuring FCoE NPV Configuration Examples for FCoE NPV ...

Page 106: ...Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x 82 OL 30895 01 Configuring FCoE NPV Configuration Examples for FCoE NPV ...

Page 107: ...terfaces and virtual Fibre Channel interfaces The VSAN trunking feature includes the following restrictions Trunking configurations are applicable only to E ports If trunk mode is enabled in an E port and that port becomes operational as a trunking E port it is referred to as a TE port The trunk allowed VSANs configured for TE ports are used by the trunking protocol to determine the allowed active...

Page 108: ... Trunking Protocol The trunking protocol is important for E port and TE port operations It supports the following capabilities Dynamic negotiation of operational trunk mode Selection of a common set of trunk allowed VSANs Detection of a VSAN mismatch across an ISL By default the VSAN trunking protocol is enabled If the trunking protocol is disabled on a switch no port on that switch can apply new ...

Page 109: ...figure terminal Example switch configure terminal switch config Step 1 Disables the trunking protocol no trunk protocol enable Example switch config no trunk protocol enable Step 2 Enables trunking protocol default trunk protocol enable Example switch config trunk protocol enable Step 3 Trunk Mode By default trunk mode is enabled in all Fibre Channel interfaces However trunk mode configuration tak...

Page 110: ...nfigure trunk mode Procedure Purpose Command or Action Enters global configuration mode configure terminal Example switch configure terminal switch config Step 1 Selects an interface that will be connected to the core NPV switch switch config interface fc slot port Step 2 If this is a QSFP GEM the slot port syntax is slot QSFP module port Note Configures the specified Fibre Channel or virtual Fibr...

Page 111: ...an is 1 Trunk vsans admin allowed and active 1 6 10 22 Trunk vsans up Trunk vsans isolated Trunk vsans initializing 1 6 10 22 5 minute input rate 0 bits sec 0 bytes sec 0 frames sec 5 minute output rate 0 bits sec 0 bytes sec 0 frames sec 0 frames input 0 bytes 0 discards 0 errors 0 frames output 0 bytes 0 discards 0 errors last clearing of show interface counters never Interface last changed at M...

Page 112: ...access to the VSANs specified in a trunking ISL Using the figure above as an example you can configure the list of allowed VSANs on a per interface basis see the following figure For example if VSANs 2 and 4 are removed from the allowed VSAN list of ISLs connecting to switch 1 the operational allowed list of VSANs for each ISL would be as follows The ISL between switch 1 and switch 2 includes VSAN...

Page 113: ...ample switch configure terminal switch config Step 1 Changes the allowed list for the specified VSAN range switchport trunk allowed vsan vsan id vsan id Example switch config if switchport trunk allowed vsan 35 55 Step 2 Expands the specified VSAN to the new allowed list switchport trunk allowed vsan add vsan id Example switch config if switchport trunk allowed vsan add 40 Step 3 Cisco Nexus 5500 ...

Page 114: ... SN Port WWN is 20 83 00 0d ec 6d 78 40 Peer port WWN is 20 0c 00 0d ec 0d d0 00 Admin port mode is auto trunk mode is on The following example shows how to display the trunk protocol of a Fibre Channel interface switch show trunk protocol Trunk protocol is enabled The following example shows how to display the VSAN information for all trunk interfaces switch show interface trunk vsan 1 1000 fc3 1...

Page 115: ...to 4093 user defined VSAN IDs Allowed VSAN list Enabled Trunking protocol Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x OL 30895 01 91 Configuring VSAN Trunking Default Settings for VSAN Trunks ...

Page 116: ...Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x 92 OL 30895 01 Configuring VSAN Trunking Default Settings for VSAN Trunks ...

Page 117: ...ect to interfaces across switching modules so a failure of a switching module cannot bring down the port channel link Cisco Nexus devices support a maximum of four SAN port channels in FC switch mode which includes E TE port port channels A SAN port channel has the following functionality Provides a point to point connection over ISL E ports or EISL TE ports Multiple links can be combined into a S...

Page 118: ... of a TF port and an F port channel This logical link uses the Cisco PTP and PCP protocols over Cisco EPP ELS Cisco Nexus devices support a maximum of four SAN port channels in FC switch mode which includes F TF port port channels Understanding Port Channels and VSAN Trunking Cisco Nexus devices implement VSAN trunking and port channels as follows A SAN port channel enables several physical links ...

Page 119: ...d Balancing Load balancing functionality can be provided using the following methods Flow based All frames between source and destination follow the same links for a given flow That is whichever link is selected for the first exchange of the flow is used for all subsequent exchanges Exchange based The first frame in an exchange is assigned to a link and then subsequent frames in the exchange follo...

Page 120: ... DID1 utilizes link 2 Figure 22 SID1 DID1 and Flow Based Load Balancing The following figure illustrates how exchange based load balancing works When the first frame in an exchange is received for forwarding on an interface link 1 is chosen by a hash algorithm All remaining frames in that Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x 96 OL 30895 01 Configuring SAN Por...

Page 121: ...use link 2 Figure 23 SID1 DID1 and Exchange Based Load Balancing Configuring SAN Port Channels SAN port channels are created with default values You can change the default configuration just as any other physical interface Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x OL 30895 01 97 Configuring SAN Port Channels Configuring SAN Port Channels ...

Page 122: ...xamples of invalid configurations Assuming that the links are brought up in the 1 2 3 4 sequence links 3 and 4 will be operationally down as the fabric is misconfigured Figure 25 Misconfigured Configurations Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x 98 OL 30895 01 Configuring SAN Port Channels Configuring SAN Port Channels ...

Page 123: ...the show interface command for that interface to verify that the SAN port channel is functioning as required F and TF Port Channel Guidelines The guidelines for F and TF port channels are as follows The ports must be in F mode Automatic creation is not supported ON mode is not supported Only Active Active mode is supported By default the mode is Active on the NPV switches Devices logged in through...

Page 124: ...mode are as follows On default The member ports only operate as part of a SAN port channel or remain inactive In this mode the port channel protocol is not initiated However if a port channel protocol frame is received from a peer port the software indicates its nonnegotiable status Port channels configured in the On mode require you to explicitly enable and disable the port channel member ports a...

Page 125: ...no protocol is exchanged Transitions misconfigured ports to the isolated state to correct the misconfiguration Once you correct the misconfiguration the protocol ensures automatic recovery Transitions misconfigured ports to the suspended state You must explicitly disable shut and enable no shut the member ports at either end You must explicitly configure this mode This is the default mode Configur...

Page 126: ...own You must explicitly enable those ports again If you use the Active mode then the port channel ports automatically recover from the deletion Related Topics Setting the Interface Administrative State on page 15 Deleting SAN Port Channels To delete a SAN port channel perform this task Procedure Purpose Command or Action Enters global configuration mode switch configure terminal Step 1 Deletes the...

Page 127: ...ends Administrative compatibility parameters speed mode port VSAN allowed VSAN and port security Operational parameters speed and remote switch s WWN A port addition procedure fails if the capability and administrative parameters in the remote switch are incompatible with the capability and administrative parameters in the local switch If the compatibility check is successful the interfaces are op...

Page 128: ...g interface type slot port Step 2 If this is a QSFP GEM the slot port syntax is slot QSFP module port Note Adds the Fibre Channel interface to the specified channel group If the channel group does not exist it is created The port is shut down switch config if channel group channel number Step 3 Forcing an Interface Addition You can force the port configuration to be overwritten by the SAN port cha...

Page 129: ... the port channel status is changed to a down state Deleting an interface from a SAN port channel decreases the channel size and bandwidth of the SAN port channel If you use the default On mode to avoid inconsistent states across switches and to maintain consistency across switches then the ports shut down You must explicitly enable those ports again If you use the Active mode then the port channe...

Page 130: ...et of ports are eligible to be part of the same SAN port channel They are only eligible to be part of the same port channel if all the ports have a compatible partner The port channel protocol uses two subprotocols Bringup protocol Automatically detects misconfigurations so you can correct them This protocol synchronizes the SAN port channel at both ends so that all frames for a given flow as iden...

Page 131: ...e in autocreation of channel groups The autocreation feature cannot be configured All ports included in the channel group participate in the SAN port channel No member port becomes isolated or suspended instead the member port is removed from the channel group when the link is found to be incompatible You can form the SAN port channel with a subset of the ports in the channel group Incompatible po...

Page 132: ...tocreated SAN port channel the channel is automatically deleted and the number is released for reuse An autocreated SAN port channel is not persistent through a reboot An autocreated SAN port channel can be manually configured to appear the same as a persistent SAN port channel Once the SAN port channel is made persistent the autocreation feature is disabled in all member ports You can enable or d...

Page 133: ...ver you can convert an autocreated channel group to a manual channel group This task is irreversible The channel group number does not change but the member ports operate according to the properties of the manually configured channel group and channel group autocreation is implicitly disabled for all the member ports If you enable persistence be sure to enable it at both ends of the SAN port chann...

Page 134: ...witch config if channel group 2 switch config if no shut switch config if exit Verifying SAN Port Channel Configuration You can view specific information about existing SAN port channels at any time from EXEC mode The following show commands provide further details on existing SAN port channels The show san port channel summary command displays a summary of SAN port channels within the switch A on...

Page 135: ...ollowing example shows how to display details of the used and unused port channel numbers switch show san port channel usage Totally 3 port channel numbers used Used 77 79 Unused 1 76 80 256 Autocreated SAN port channels are indicated explicitly to help differentiate them from the manually created SAN port channels The following example shows how to display an autocreated port channel switch show ...

Page 136: ...y up Create port channel On Default port channel mode Disabled Autocreation Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x 112 OL 30895 01 Configuring SAN Port Channels Default Settings for SAN Port Channels ...

Page 137: ...age devices primarily to exchange SCSI traffic In SANs you use the physical links to make these interconnections A set of protocols run over the SAN to handle routing naming and zoning You can design multiple SANs with different topologies You can achieve higher security and greater stability in Fibre Channel fabrics by using virtual SANs VSANs VSANs provide isolation among devices that are physic...

Page 138: ...ocation of the switches and the attached devices is independent of their segmentation into logical VSANs No communication between VSANs is possible Within each VSAN all members can talk to one another Figure 27 Logical VSAN Segmentation The application servers or storage arrays can be connected to the switch using Fibre Channel or virtual Fibre Channel interfaces A VSAN can include a mixture of Fi...

Page 139: ...nks for separate SANs By enabling VSANs the same switches and links might be shared by multiple VSANs VSANs allow SANs to be built on port granularity instead of switch granularity The preceding figure illustrates that a VSAN is a group of hosts or storage devices that communicate with each other using a virtual topology defined on the physical SAN The criteria for creating such groups differ base...

Page 140: ...a switch Of these one is a default VSAN VSAN 1 and another is an isolated VSAN VSAN 4094 User specified VSAN IDs range from 2 to 4093 VSANs Versus Zones Zones are always contained within a VSAN You can define multiple zones in a VSAN Because two VSANs are equivalent to two unconnected SANs zone A on VSAN 1 is different and separate from zone A in VSAN 2 The following table lists the differences be...

Page 141: ...N 2 is different and separate from zone A defined in VSAN 7 Figure 29 VSANS with Zoning Guidelines and Limitations for VSANs VSANs have the following configuration guidelines and limitations VSAN ID The VSAN ID identifies the VSAN as the default VSAN VSAN 1 user defined VSANs VSAN 2 to 4093 and the isolated VSAN VSAN 4094 State The administrative state of a VSAN can be configured to an active defa...

Page 142: ...e cannot be configured You can create only 14 VSANs in N5672UP 16G including the default VSAN 1 For an NPV switch which is configured for trunking on any interface or for a regular switch where the f port channel trunk command is issued to enable the Trunking F Port Channels feature follow these configuration guidelines for reserved VSANs and isolated VSAN If the trunk mode is enabled for any of t...

Page 143: ...vsan db no vsan 470 suspend Step 6 Returns you to EXEC mode switch config vsan db end Example switch config vsan db end Step 7 Port VSAN Membership Port VSAN membership on the switch is assigned on a port by port basis By default each port belongs to the default VSAN You can assign VSAN membership to ports using one of two methods Statically Assigning VSANs to ports Dynamically Assigning VSANs bas...

Page 144: ... is slot QSFP module port Note Updates the membership information of the interface to reflect the changed VSAN switch config vsan db vsan vsan id fc slot port vfc vfc id Step 5 To remove the VSAN membership of a FC or vFC interface assign the VSAN membership of that interface to another VSAN Cisco recommends that you assign it to VSAN 1 Note If this is a QSFP GEM the slot port syntax is slot QSFP ...

Page 145: ...default VSAN VSAN 1 cannot be deleted but it can be suspended Up to 256 VSANs can be configured in a switch Of these one is a default VSAN VSAN 1 and another is an isolated VSAN VSAN 4094 User specified VSAN IDs range from 2 to 4093 Note Isolated VSANs VSAN 4094 is an isolated VSAN When a VSAN is deleted all nontrunking ports are transferred to the isolated VSAN to avoid an implicit transfer of po...

Page 146: ... is deleted all the ports in that VSAN are made inactive and the ports are moved to the isolated VSAN If the same VSAN is recreated the ports do not automatically get assigned to that VSAN You must explicitly reconfigure the port VSAN membership see the figure below Figure 30 VSAN Port Membership Details VSAN based runtime name server zoning and configuration static routes information is removed w...

Page 147: ... Example switch config vsan db no vsan 5 Step 4 Places you in EXEC mode switch config vsan db end Example switch config vsan db end Step 5 About Load Balancing Load balancing attributes indicate the use of the source destination ID src dst id or the originator exchange OX ID src dst ox id the default for load balancing path selection Configuring Load Balancing You can configure load balancing on a...

Page 148: ...and reverts to the default values of the load balancing parameters no vsan vsan id loadbalancing src dst id Example switch config vsan db no vsan 15 loadbalancing src dst id Step 5 Changes the path selection setting to use the source ID the destination ID and the OX ID default vsan vsan id loadbalancing src dst ox id Example switch config vsan db vsan 15 loadbalancing src dst ox id Step 6 Suspends...

Page 149: ...4 vsan configured configured vsans 1 4 vsans available for configuration 5 4093 The following example shows how to display all VSANs switch show vsan Default Settings for VSANs The following table lists the default settings for all configured VSANs Table 18 Default VSAN Parameters Default Parameters VSAN 1 Default VSAN Active state State Concatenation of VSAN and a four digit string representing t...

Page 150: ...Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x 126 OL 30895 01 Configuring and Managing VSANs Default Settings for VSANs ...

Page 151: ...he existing basic zoning capabilities or the advanced standards compliant zoning capabilities Information About Zoning Zoning Features Zoning includes the following features A zone consists of multiple zone members Members in a zone can access each other members in different zones cannot access each other If zoning is not activated all devices are members of the default zone If zoning is activated...

Page 152: ...o as port based zoning FC ID Specifies the FC ID of an N port attached to the switch as a member of the zone Interface and switch WWN sWWN Specifies the interface of a switch identified by the sWWN This membership is also referred to as interface based zoning Interface and domain ID Specifies the interface of a switch identified by the domain ID Domain ID and port number Specifies the domain ID of...

Page 153: ...esides in both zones Figure 31 Fabric with Two Zones You can use other ways to partition this fabric into zones The following figure shows another possibility Assume that there is a need to isolate storage system S2 for the purpose of testing new software To achieve this zone 3 is configured which contains only host H2 and storage S2 You can restrict access to only H2 and S2 in zone 3 and to H1 an...

Page 154: ...r VSAN in the basic mode in the same switch without disrupting each other Bring E ports out of isolation Active and Full Zone Sets Before configuring a zone set consider the following guidelines Each VSAN can have multiple zone sets but only one zone set can be active at any given time When you create a zone set that zone set becomes a part of the full zone set When you activate a zone set a copy ...

Page 155: ...e information is not distributed to other switches If one zone set is active and you activate another zone set the currently active zone set is automatically deactivated You do not need to explicitly deactivate the currently active zone set before activating a new zone set Note Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x OL 30895 01 131 Configuring and Managing Zone...

Page 156: ... a zone being added to an activated zone set Figure 33 Active and Full Zone Sets Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x 132 OL 30895 01 Configuring and Managing Zones Information About Zoning ...

Page 157: ...ing Cisco NX OS if there is a Cisco MDS 9020 switch running FabricWare in the same fabric Caution Use a relevant display command for example the show interface or show flogi database commands to obtain the required value in hex format Tip Configuration Examples Use the show wwn switch command to retrieve the sWWN If you do not provide a sWWN the software automatically uses the local sWWN Tip The f...

Page 158: ...e AliasSample vsan 3 pWWN example switch config fcalias member pwwn 10 00 00 23 45 67 89 ab fWWN example switch config fcalias member fwwn 10 01 10 01 10 ab cd ef FC ID example switch config fcalias member fcid 0x222222 Domain ID example switch config fcalias member domain id 2 portnumber 23 Device alias example switch config fcalias member device alias devName Zone Sets In the following figure tw...

Page 159: ... zoneset name vsan vsan id Example switch config no zoneset activate name test vsan 30 Step 3 Default Zone Each member of a fabric in effect a device attached to an Nx port can belong to any zone If a member is not part of any active zone it is considered to be part of the default zone Therefore if no zone set is active in the fabric all devices are considered to be in the default zone Even though...

Page 160: ... deny traffic to members in the default zone perform this task Procedure Purpose Command or Action Enters global configuration mode configure terminal Example switch configure terminal switch config Step 1 Permits traffic flow to default zone members zone default zone permit vsan vsan id Example switch config zone default zone permit vsan 13 Step 2 Denies default traffic flow to default zone membe...

Page 161: ...configure terminal switch config Step 1 Configures an alias name The alias name can be any case sensitive alphanumeric string up to 64 characters fcalias name alias namevsan vsan id Example switch config fcalias name testname vsan 50 Step 2 Configures a member for the specified fcalias based on the type pWWN fabric pWWN FC ID domain ID or interface and value specified member type value Example swi...

Page 162: ...ber fwwn 10 01 10 01 10 ab cd ef FC ID example switch config fcalias member fcid 0x222222 Domain ID example switch config fcalias member domain id 2 portnumber 23 Local sWWN interface example switch config fcalias member interface fc 2 1 Remote sWWN interface example switch config fcalias member interface fc 2 1 swwn 20 00 00 05 30 00 4a de Domain ID interface example switch config fcalias member ...

Page 163: ...running configuration to the startup configuration to explicitly store full zone sets Tip Zone Enforcement Zoning can be enforced in two ways soft and hard Each end device N port discovers other devices in the fabric by querying the name server When a device logs in to the name server the name server returns the list of other devices that can be accessed by the querying device If an N port does no...

Page 164: ... active zone set during activation deactivation or merge process Enabling Full Zone Set Distribution All Cisco SAN switches distribute active zone sets when new E port links come up or when a new zone set is activated in a VSAN The zone set distribution takes effect while sending merge requests to the adjacent switch or while activating a zone set You can enable full zone set and active zone set d...

Page 165: ...nterop 100 mode basic merge control allow session none hard zoning enabled Default zone qos none broadcast disabled ronly disabled Full Zoning Database Zonesets 0 Zones 0 Aliases 0 Active Zoning Database Name nozoneset Zonesets 1 Zones 2 Status Zoneset distribution completed at 04 01 06 Aug 28 2010 Recovering from Link Isolation When two switches in a fabric are merged using a TE or E port these T...

Page 166: ...face fc slot port vsan vsan id Step 1 If this is a QSFP GEM the slot port syntax is slot QSFP module port Note Exports the zone set to the adjacent switch connected through the specified VSAN or range of VSANs zoneset export vsan vsan id Example switch zoneset export vsan 5 Step 2 Zone Set Duplication You can make a copy and then edit it without altering the existing active zone set You can copy a...

Page 167: ...e specified VSAN to the full zone set zone copy active zoneset full zoneset vsan vsan id Example switch zone copy active zoneset full zoneset vsan 301 Step 1 Copies the active zone in the specified VSAN to a remote location using SCP zone copy vsan vsan id active zoneset scp guest myserver tmp active_zoneset txt Example switch zone copy vsan 55 active zoneset scp guest myserver tmp active_zoneset ...

Page 168: ...one attribute group rename test mygroup vsan 12 Step 5 Activates the zone set and updates the new zone name in the active zone set zoneset activate name newname vsan vsan id Example switch config zoneset activate name myzone vsan 50 Step 6 Cloning Zones Zone Sets FC Aliases and Zone Attribute Groups You can clone a zone zone set fcalias or zone attribute group Procedure Purpose Command or Action E...

Page 169: ...Database You can clear all configured information in the zone server database for the specified VSAN To clear the zone server database use the following command switch clear zone database vsan 2 After entering a clear zone database command you must explicitly enter the copy running config startup config to ensure that the running configuration is used when the switch reboots Note Clearing a zone s...

Page 170: ...ribed in this section Enhanced Zoning The zoning feature complies with the FC GS 4 and FC SW 3 standards Both standards support the basic zoning functionalities explained in the previous section and the enhanced zoning functionalities described in this section Broadcast zoning is not supported on the Cisco Nexus 5000 Series switches Note The following table lists the advantages of the enhanced zon...

Page 171: ... switch Distribution of zone sets without activation avoids hardware changes for hard zoning in the switches Implements changes to the zoning database and distributes it without reactivation To distribute the zoning database you must reactivate the same zone set The reactivation may affect hardware changes for hard zoning on the local switch and on remote switches Unique vendor type Provides a ven...

Page 172: ...e Step 2 If such configurations exist delete them before proceeding with this procedure If you do not delete the existing configuration the switch software automatically removes them Step 3 Set the operation mode to basic zoning mode Enabling Enhanced Zoning You can enable enhanced zoning in a VSAN By default the enhanced zoning feature is disabled in all Cisco SAN switches Procedure Purpose Comma...

Page 173: ... you can force the operation and close the session You must have permission role to clear the lock in this switch and perform the operation on the switch from where the session was originally created Procedure Purpose Command or Action Enters global configuration mode configure terminal Example switch configure terminal switch config Step 1 Applies the changes to the enhanced zone database and clo...

Page 174: ... is still locked Note Merging the Database The merge method depends on the fabric wide merge control setting Restrict If the two databases are not identical the ISLs between the switches are isolated Allow The two databases are merged using the merge rules specified in the following table Table 22 Database Zone Merge Status Results of the Merge Merge Status Adjacent Database Local Database ISLs ar...

Page 175: ...e merge rules are used to perform the merge Configuring Zone Merge Control Policies You can configure merge control policies Procedure Purpose Command or Action Enters global configuration mode configure terminal Example switch configure terminal switch config Step 1 Configures a restricted merge control setting for this VSAN zone merge control restrict vsan vsan id Example switch config zone merg...

Page 176: ...ommits the changes made to the specified VSAN zone commit vsan vsan id Example switch config zone commit vsan 340 Step 4 Configuring System Default Zoning Settings You can configure default settings for default zone policies and full zone distribution for new VSANs on the switch Procedure Purpose Command or Action Enters global configuration mode configure terminal Example switch configure termina...

Page 177: ...shows how to display the zone status for a specified VSAN switch show zone status vsan 2 Compacting the Zone Database You can delete excess zones and compact the zone database for the VSAN A merge failure occurs when a switch supports more than 2000 zones per VSAN but its neighbor does not Also zone set activation can fail if the switch has more than 2000 zones per VSAN and not all switches in the...

Page 178: ... vsan 1 The following example shows how to display active zoning analysis switch show zone analysis active vsan 1 See the command reference for your device for the description of the information displayed in the command output Default Settings for Zones The following table lists the default settings for basic zone parameters Table 23 Default Basic Zone Parameters Default Parameters Denied to all m...

Page 179: ... device name may cause unexpected results You can circumvent this problem if you define a user friendly name for a pWWN and use this name in all the configuration commands as required These user friendly names are referred to as device aliases Device Alias Features Device aliases have the following features The device alias information is independent of the VSAN configuration The device alias conf...

Page 180: ...a to z or A to Z 1 to 9 hyphen and _ underscore dollar sign and up caret Zone Aliases Versus Device Aliases The following table compares the configuration differences between zone based alias configuration and device alias configuration Table 24 Comparison Between Zone Aliases and Device Aliases Device Aliases Zone Based Aliases You can define device aliases without specifying the VSAN number You ...

Page 181: ...s resulting from either a commit or merge operation Creating Device Aliases You can create a device alias in the pending database Procedure Purpose Command or Action Enters global configuration mode configure terminal Example switch configure terminal switch config Step 1 Enters the pending database configuration submode device alias database Example switch config device alias database switch conf...

Page 182: ...nges and enforce them accordingly The primary benefit of operating in enhanced mode is that you have a single point of change Whenever you change device alias modes the change is distributed to other switches in the network only if device alias distribution is enabled or on Otherwise the mode change only takes place on the local switch Enhanced mode or native device alias based configurations are ...

Page 183: ... enforcement changes accordingly In this case the zone server automatically enforces zoning based on the new HBA s pWWN Configuring Device Alias Modes You can configure device aliases to operate in enhanced mode Procedure Purpose Command or Action Enters global configuration mode configure terminal Example switch configure terminal switch config Step 1 Assigns the device alias to operate in enhanc...

Page 184: ...bric When you perform any device alias configuration task regardless of which device alias task the fabric is automatically locked for the device alias feature Once you lock the fabric the following situations apply No other user can make any configuration changes to this feature A copy of the effective database is obtained and used as the pending database Subsequent modifications are made to the ...

Page 185: ...ding database the following events occur The effective database contents remain unaffected The pending database is emptied of its contents The fabric lock is released for this feature Procedure Purpose Command or Action Enters global configuration mode configure terminal Example switch configure terminal switch config Step 1 Discards the currently active session device alias abort Example switch c...

Page 186: ...locked device alias session use the clear device alias session command in EXEC mode switch clear device alias session This example shows how to display the status of the clear operation switch show device alias status Fabric Distribution Enabled Database Device Aliases 24 Status of the last CFS operation issued from this switch Operation Clear Session Lock released by administrator Status Success ...

Page 187: ... can import legacy zone alias configurations to use this feature without losing data if they satisfy the following restrictions Each zone alias has only one member The member type is pWWN If any name or definition conflict exists the zone aliases are not imported Ensure that you copy any required zone aliases to the device alias database as required by your configuration When an import operation i...

Page 188: ... entries in both databases exceeds the supported configuration limit then the merge will fail For example if database N has 6000 device aliases and database M has 2192 device aliases and you are running SAN OS Release 3 0 x or earlier then this merge operation will fail Merge operations will also fail if there is a device alias mode mismatch For additional information refer to CFS Merge Support in...

Page 189: ...ngs for device alias parameters Table 25 Default Device Alias Parameters Default Parameters Enabled Device alias distribution Basic Device alias mode Effective database Database in use Pending database Database to accept changes Locked with the first device alias task Device alias fabric lock state Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x OL 30895 01 165 Distribu...

Page 190: ...Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x 166 OL 30895 01 Distributing Device Alias Services Default Settings for Device Alias Services ...

Page 191: ...rnative path in the event of the failure of a given path FSPF supports multiple paths and automatically computes an alternative path around a failed link It provides a preferred route when two equal paths are available Bases path status on a link state protocol Routes hop by hop based only on the domain ID Runs only on E ports or TE ports and provides a loop free topology Runs on a per VSAN basis ...

Page 192: ...Guarantees a fast reconvergence time in case of a topology change Uses the standard Dijkstra algorithm but there is a static dynamic option for a more robust efficient and incremental Dijkstra algorithm The reconvergence time is fast and efficient as the route computation is done on a per VSAN basis The FSPF feature can be used on any topology Note FSPF Examples Fault Tolerant Fabric Example The f...

Page 193: ...ion Figure 37 Fault Tolerant Fabric with Redundant Links For example if all links are of equal speed and no SAN port channels exist the FSPF calculates four equal paths from A to C A1 E C A2 E C A3 D C and A4 D C If SAN port channels exist these paths are reduced to two FSPF Global Configuration By default FSPF is enabled on Cisco SAN switches Some FSPF features can be globally configured in each ...

Page 194: ...s Acknowledgment interval RxmtInterval The time a switch waits before sending an LSR refresh transmission 30 minutes Refresh time LSRefreshTime The time a switch waits before dropping the LSR from the database 60 minutes Maximum age MaxAge The LSR minimum arrival time is the period between receiving LSR updates on this VSAN Any LSR updates that arrive before the LSR minimum arrival time are discar...

Page 195: ...rocessor consumption increases accordingly Note Configures the autonomous region for this VSAN and specifies the region ID region region id Example switch config fspf config region 1 Step 5 Resetting FSPF to the Default Configuration You can return the FSPF VSAN global configuration to its factory default Procedure Purpose Command or Action Enters global configuration mode configure terminal Examp...

Page 196: ...d all counters are cleared clear fspf counters vsan vsan id Example switch clear fspf counters vsan 345 Step 1 FSPF Interface Configuration Several FSPF commands are available on a per interface basis These configuration procedures apply to an interface in a specific VSAN FSPF Link Cost FSPF tracks the state of links on all switches in the fabric associates a cost with each link in its database an...

Page 197: ...e switch config if fspf cost 500 vsan 38 Step 3 Hello Time Intervals You can set the FSPF Hello time interval to specify the interval between the periodic hello messages that are sent to verify the health of the link The integer value can range from 1 to 65 535 seconds This value must be the same in the ports at both ends of the ISL Note Configuring Hello Time Intervals You can configure the FSPF ...

Page 198: ...e integer value can range from 1 to 65 535 seconds This value must be the same in the ports at both ends of the ISL Note An error is reported at the command prompt if the configured dead time interval is less than the hello time interval Caution Configuring Dead Time Intervals You can configure the FSPF dead time interval Procedure Purpose Command or Action Enters global configuration mode configu...

Page 199: ...ntervals You can configure the FSPF retransmit time interval Procedure Purpose Command or Action Enters global configuration mode configure terminal Example switch configure terminal switch config Step 1 Configures the specified interface or if already configured enters configuration mode for the specified interface switch config interface fc slot port Step 2 If this is a QSFP GEM the slot port sy...

Page 200: ...configure terminal Example switch configure terminal switch config Step 1 Configures a specified interface or if already configured enters configuration mode for the specified interface switch config interface fc slot port Step 2 If this is a QSFP GEM the slot port syntax is slot QSFP module port Note Disables FSPF for the specified interface in the specified VSAN fspf passive vsan vsan id Example...

Page 201: ...s a forwarding logic which forwards frames based on its FC ID Using the FC ID for the specified interface and domain you can configure the specified route for example FC ID 111211 and domain ID 3 in the switch with domain ID 1 see the following figure Figure 38 Fibre Channel Routes Configuring Fibre Channel Routes You can configure a Fibre Channel route Procedure Purpose Command or Action Enters g...

Page 202: ... is a QSFP GEM the slot port syntax is slot QSFP module port Note Adds a static route to the RIB If this is an active route and the Forwarding Information Base FIB records are free it is also added to the FIB fcroute fcid interface fc slot port domain domain id metric value remote vsan vsan id Step 5 Example switch config fcroute 0x111211 interface fc 2 1 domain 4 metric 50 remote vsan 10 If the c...

Page 203: ...ring Network Frames When you experience a route change in the network the new selected path might be faster or less congested than the old route See the following figure Figure 39 Route Change Delivery In the figure above the new path from Switch 1 to Switch 4 is faster In this scenario Frame 3 and Frame 4 might be delivered before Frame 1 and Frame 2 If the in order guarantee feature is enabled t...

Page 204: ...g the Drop Latency Time on page 182 About Enabling In Order Delivery You can enable IOD for a specific VSAN or for the entire switch By default IOD is disabled on Cisco SAN switches We recommend that you enable this feature only when devices that cannot handle any out of order frames are present in the switch Load balancing algorithms within the switch ensure that frames are delivered in order dur...

Page 205: ...e You can override this global value by enabling or disabling in order guarantee for the new VSAN Procedure Purpose Command or Action Enters configuration mode configuration terminal Example switch configuration terminal switch config Step 1 Enables in order delivery in the specified VSAN in order guarantee vsan vsan id Example switch config in order guarantee vsan 30 Step 2 Reverts the switch to ...

Page 206: ...h Procedure Purpose Command or Action Enters global configuration mode configure terminal Example switch configure terminal switch config Step 1 Configures network drop latency time for the network The valid range is from 0 to 60000 msec The default is 2000 msec fcdroplatency network value Example switch config fcdroplatency network 1000 Step 2 The network drop latency must be computed as the sum ...

Page 207: ...you can enable a maximum of 1000 entries for aggregate flow and flow statistics Be sure to assign an unused flow index for each new flow The number space for flow index is shared between the aggregate flow statistics and the flow statistics Counting Aggregated Flow Statistics You can count the aggregated flow statistics for a VSAN Procedure Purpose Command or Action Enters global configuration mod...

Page 208: ...e switch config no fcflow stats aggregated index 11 vsan 200 Clearing FIB Statistics Use the clear fcflow stats command to clear the aggregated flow counter switch clear fcflow stats aggregated index 1 The following example shows how to clear the flow counters for source and destination FC IDs switch clear fcflow stats index 1 Displaying Flow Statistics Use the show fcflow stats commands to view f...

Page 209: ... ports and TE ports FSPF Dynamic SPF computation 0 SPF hold time 0 Backbone region 5 seconds Acknowledgment interval RxmtInterval 30 minutes Refresh time LSRefreshTime 60 minutes Maximum age MaxAge 20 seconds Hello interval 80 seconds Dead interval Derived from the principal switch root node Distribution tree information FSPF stores up to 16 equal cost paths to a given destination Routing table Ba...

Page 210: ...s direct Remote destination switch Uses the principal switch to compute the multicast tree Multicast routing Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x 186 OL 30895 01 Configuring Fibre Channel Routing Services and Protocols Default Settings for FSFP ...

Page 211: ...e fabric login FLOGI table switch show flogi database INTERFACE VSAN FCID PORT NAME NODE NAME fc2 3 1 0xb200e2 21 00 00 04 cf 27 25 2c 20 00 00 04 cf 27 25 2c fc2 3 1 0xb200e1 21 00 00 04 cf 4c 18 61 20 00 00 04 cf 4c 18 61 fc2 3 1 0xb200d1 21 00 00 04 cf 4c 18 64 20 00 00 04 cf 4c 18 64 fc2 3 1 0xb200ce 21 00 00 04 cf 4c 16 fb 20 00 00 04 cf 4c 16 fb fc2 3 1 0xb200cd 21 00 00 04 cf 4c 18 f7 20 00...

Page 212: ...n enables WWNs to register specific parameters for another node Registering Name Server Proxies You can register the name server proxy Procedure Purpose Command or Action Enters global configuration mode configure terminal Example switch configure terminal switch config Step 1 Configures a proxy port for the specified VSAN fcns proxy port wwn id vsan vsan id Example switch config fcns proxy port 1...

Page 213: ...duplicate pwwn on different switch will be rejected and earlier FLOGI retained default fcns reject duplicate pwwn vsan vsan id Example switch config fcns reject duplicate pwwn vsan 100 Step 2 Any future flogi with duplicate pwwn on different switch will be allowed to succeed by deleting earlier FCNS entry no fcns reject duplicate pwwn vsan vsan id Example switch config no fcns reject duplicate pww...

Page 214: ...ow to display the name server database details for all VSANs switch show fcns database detail This example shows how to display the name server database statistics for all VSANs switch show fcns statistics FDMI Cisco SAN switches provide support for the Fabric Device Management Interface FDMI functionality as described in the FC GS 4 standard FDMI enables management of devices such as Fibre Channe...

Page 215: ... the name server again to obtain the new information The details of the changed information are not delivered by the switch in the RSCN sent to the nodes Note About RSCN Information A switch RSCN SW RSCN is sent to registered hosts and to all reachable switches in the fabric The switch sends an RSCN to notify registered nodes that a change has occurred It is up to the nodes to query the name serve...

Page 216: ...ulti pid RSCN payloads If so disable the RSCN multi pid option Note Configuring the multi pid Option You can configure the multi pid option Procedure Purpose Command or Action Enters global configuration mode configure terminal Example switch configure terminal switch config Step 1 Sends RSCNs in a multi pid format for the specified VSAN rscn multi pid vsan vsan id Example switch config rscn multi...

Page 217: ...eared counters by entering the show rscn statistics command switch show rscn statistics vsan 1 Configuring the RSCN Timer RSCN maintains a per VSAN event list queue where the RSCN events are queued as they are generated When the first RSCN event is queued a per VSAN timer starts When a timeout occurs all the events are dequeued and coalesced RSCNs are sent to registered users The default timer val...

Page 218: ...ion You verify the RSCN timer configuration using the show rscn event tov vsan command This example shows how to clear the RSCN statistics for VSAN 10 switch show rscn event tov vsan 10 Event TOV 1000 ms RSCN Timer Configuration Distribution Because the timeout value for each switch is configured manually a misconfiguration occurs when different switches time out at different times Different N por...

Page 219: ...tion Procedure Purpose Command or Action Enters global configuration mode configure terminal Example switch configure terminal switch config Step 1 Enables RSCN timer distribution rscn distribute Example switch config rscn distribute Step 2 Disables default RSCN timer distribution no rscn distribute Example switch config no rscn distribute Step 3 Locking the Fabric The first action that modifies t...

Page 220: ...ample switch config rscn commit vsan 500 Step 2 Discarding the RSCN Timer Configuration Changes If you discard abort the changes made to the pending database the configuration database remains unaffected and the lock is released You can discard RSCN timer configuration changes Procedure Purpose Command or Action Enters global configuration mode configure terminal Example switch configure terminal ...

Page 221: ... name rscn Enabled Yes Timeout 5s Merge Capable Yes Scope Logical A merge failure results when the RSCN timer values are different on the merging fabrics Note This example shows how to display the set of configuration commands that would take effect when you commit the configuration The pending database includes both existing and modified configuration Note switch show rscn pending rscn event tov ...

Page 222: ...Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x 198 OL 30895 01 Managing FLOGI Name Server FDMI and RSCN Databases Default Settings for RSCN ...

Page 223: ...device ID information To register the initiator and target features with the name server The SCSI LUN discovery feature uses the local domain controller Fibre Channel address It uses the local domain controller as the source FC ID and performs SCSI INQUIRY REPORT LUNS and READ CAPACITY commands on SCSI devices The SCSI LUN discovery feature is initiated on demand through CLI or SNMP This informati...

Page 224: ...d6 PWWN 00 00 00 00 00 00 00 00 PRLI RSP 0x01 SPARM 0x0012 SCSI TYPE 0 NLUNS 1 Vendor Company 4 Model ST318203FC Rev 0004 Other 00 00 02 32 8b 00 50 0a The following example discovers SCSI targets from the customized list assigned to the Linux OS switch discover scsi target custom list os linux discovery started About Initiating Customized Discovery Customized discovery consists of a list of VSAN ...

Page 225: ...lly if the fabric is large or if several devices are slow to respond Note The following example displays the FCNS database switch show fcns database The following example displays the SCSI target disks switch show scsi target disk The following example displays the discovered LUNs on all operating systems switch show scsi target lun os all The following example displays the port WWN that is assign...

Page 226: ...Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x 202 OL 30895 01 Discovering SCSI Targets Displaying SCSI LUN Information ...

Page 227: ... program CoS markings on each individual server and adapter For flexibility Enhanced Transmission Selection ETS and Priority Flow Control PFC parameters are coded in TLV format However the use of PFC or ETS for lossy and lossless protocol behavior is not a requirement for iSCSI TLV operations the TLV can be leveraged for both traditional TCP or drop behavior iSCSI networks as well as for a complet...

Page 228: ...cos value Step 4 This example shows how to identify iSCSI traffic switch configure terminal switch config class map type qos match all c1 switch config cmap qos match protocol iscsi switch config cmap qos match cos 5 Configuring Type QoS Policies Type qos policies are used for classifying the traffic of a specific system class identified by a unique qos group value A type qos policy can be attache...

Page 229: ...onfiguration mode switch configure terminal Step 1 Creates a named object that represents a class of traffic Class map names can contain alphabetic hyphen or underscore characters are case sensitive and can be up to 40 characters switch config class map type network qos queuing class name Step 2 Configures the traffic class by matching packets based on a list of QoS group values Values can range f...

Page 230: ...a class map with the policy map and enters configuration mode for the specified system class The associated class map must be the same type as the policy map type Note switch config pmap nq class type network qos class name Step 8 Enables the jumbo MTU for the whole switch by setting the MTU to its maximum size 9216 bytes in the policy map for the default system class class default switch config p...

Page 231: ...atch all then the default value of match any is applied to the traffic class Procedure Purpose Command or Action Enters global configuration mode switch configure terminal Step 1 Creates a named object that represents a class of traffic and enters class map mode Class map names can switch config class map type qos class map name Step 2 contain alphabetic hyphen or underscore characters are case se...

Page 232: ...config cmap qos exit switch config class map type queuing class fcoe switch config cmap que match qos group 1 Configuring Type QoS Policies Type qos policies are used for classifying the traffic of a specific system class identified by a unique qos group value A type qos policy can be attached to the system or to individual interfaces including Fabric Extender host interfaces for input traffic onl...

Page 233: ...ration mode and enters policy map mode switch config pmap c qos exit Step 8 Adds a reference to the system default class that does not match any traffic class switch config pmap qos class class default Step 9 This example shows how to define a QOS policy map switch configure terminal switch config policy map type qos c1 switch config pmap qos class c1 switch config pmap c qos set qos group 2 switc...

Page 234: ... Step 7 Creates a named object that represents a set of policies that are to be applied to a set of traffic classes Policy map names can switch config policy map type network qos policy name Step 8 contain alphabetic hyphen or underscore characters are case sensitive and can be up to 40 characters Associates a class map with the policy map and enters configuration mode for the specified system cla...

Page 235: ... class class default with the policy map and enters configuration mode for the specified system class The associated class map must be the same type as the policy map type Note switch config pmap nq class type network qos class name Step 14 Enables the jumbo MTU for the whole switch by setting the MTU to its maximum size 9216 bytes in the policy map for the default system class class default switc...

Page 236: ...erface switch config sys qos service policy type qos input policy map name Step 5 Attaches a policy map of type network qos to an interface switch config sys qos service policy type network qos policy map name Step 6 This example shows how to apply system service policies switch configure terminal switch config system qos switch config sys qos service policy type queuing input fcoe default in poli...

Page 237: ...ct TOV E_D_TOV The valid range is from 1 000 to 10 000 milliseconds The default is 2 000 milliseconds This value is matched with the other end during port initialization Resource allocation TOV R_A_TOV The valid range is from 5 000 to 10 000 milliseconds The default is 10 000 milliseconds This value is matched with the other end during port initialization The fabric stability TOV F_S_TOV constant ...

Page 238: ...Channel You can configure different E_D_TOV R_A_TOV and D_S_TOV values for individual VSANs Active VSANs are suspended and activated when their timer values are changed This configuration must be propagated to all switches in the fabric Be sure to configure the same value in all switches in the fabric Note You can configure per VSAN Fibre Channel timers Procedure Purpose Command or Action Enters g...

Page 239: ...ffective and pending database model to store or commit the commands based on your configuration For additional information refer to Using Cisco Fabric Services in the System Management Configuration Guide for your device Enabling or Disabling fctimer Distribution You can enable or disable fctimer fabric distribution Procedure Purpose Command or Action Enters global configuration mode configure ter...

Page 240: ...e Discarding fctimer Changes After making the configuration changes you can choose to discard the changes by discarding the changes instead of committing them In either case the lock is released Procedure Purpose Command or Action Enters global configuration mode configure terminal Example switch configure terminal switch config Step 1 Discards the fctimer configuration changes in the pending data...

Page 241: ...stribution is enabled The number of pending fctimer configuration operations cannot be more than 15 After 15 operations you must commit or abort the pending configurations before performing any more operations Note For additional information refer to CFS Merge Support in the System Management Configuration Guide for your device Verifying Configured fctimer Values Use the show fctimer command to di...

Page 242: ... commands to display the status of the WWN configuration This example shows how to display the status of all WWNs switch show wwn status Type Configured Available Resvd Alarm State 1 64 48 75 16 NONE 2 5 524288 442368 84 73728 NONE This example shows how to display the information for block ID 51 switch show wwn status block id 51 WWNs in this block 21 00 ac 16 5e 52 00 03 to 21 ff ac 16 5e 52 00 ...

Page 243: ...or HBAs Fibre Channel standards require a unique FC ID to be allocated to an N port attached to an F port in any switch To conserve the number of FC IDs used Cisco SAN switches use a special allocation scheme Some HBAs do not discover targets that have FC IDs with the same domain and area The switch software maintains a list of tested company IDs that do not exhibit this behavior These HBAs are al...

Page 244: ...d to subsequent releases are automatically added to existing company IDs The list of company IDs is saved as part of the running and saved configuration The list of company IDs is used only when the fcinterop FC ID allocation scheme is in auto mode By default the interop FC ID allocation is set to auto unless changed We recommend that you set the fcinterop FC ID allocation scheme to auto and use t...

Page 245: ...er Fibre Channel standards guide vendors towards common external Fibre Channel interfaces Not all vendors follow the standards in the same way which results in the need for interoperability modes This section briefly explains the basic concepts of these modes Each vendor has a regular mode and an equivalent interoperability mode which specifically turns off advanced or proprietary features and pro...

Page 246: ... domain ID Domain IDs All Fibre Channel timers must be the same on all switches as these values are exchanged by E ports when establishing an ISL The timers are F_S_TOV D_S_TOV E_D_TOV and R_A_TOV Timers Verify that the Fabric Stability Time Out Value timers match exactly F_S_TOV Verify that the Distributed Services Time Out Value timers match exactly D_S_TOV Verify that the Error Detect Time Out ...

Page 247: ... be used to connect to non Cisco SAN switches TE ports and SAN port channels can still be used to connect a Cisco switch to other Cisco SAN switches even when in interop mode TE ports and SAN port channels The routing of frames within the fabric is not changed by the introduction of interop mode The switch continues to use src id dst id and ox id to load balance across multiple ISL links FSPF This...

Page 248: ... fabric if the principal switch assigns a different ID If the static option is used the Cisco SAN switches do not join the fabric unless the principal switch agrees and assigns the requested ID When changing the domain ID the FC IDs assigned to N ports also change Note The Cisco SAN switches Brocade and McData FC Error Detect ED_TOV and Resource Allocation RA_TOV timers default to the same values ...

Page 249: ... of the license is available at http www gnu org licenses gpl html Software BIOS version 1 2 0 loader version N A kickstart version 4 0 1a N1 1 system version 4 0 1a N1 1 BIOS compile time 06 19 08 kickstart image file is bootflash n5000 uk9 kickstart 4 0 1a N1 latest bin kickstart compile time 11 25 2008 6 00 00 11 25 2008 14 17 12 system image file is bootflash n5000 uk9 4 0 1a N1 latest bin sys...

Page 250: ...6 1 auto on sfpAbsent fc3 7 1 auto auto sfpAbsent fc3 8 1 auto auto sfpAbsent Step 3 Verify if you are running the desired configuration Example switch show running config Building Configuration interface fc2 1 no shutdown interface fc2 2 no shutdown interface fc2 3 interface fc2 4 snip interface mgmt0 ip address 6 1 1 96 255 255 255 0 switchport encap default no shutdown vsan database vsan 1 inte...

Page 251: ...e interoperability mode yes verify mode loadbalancing src id dst id oxid operational state up Step 5 Verify the domain ID Example switch show fcdomain vsan 1 The local switch is a Subordinated Switch Local switch run time information State Stable Local switch WWN 20 01 00 05 30 00 51 1f Running fabric name 10 00 00 60 69 22 32 91 Running priority 128 Current domain ID 0x64 100 verify domain id Loc...

Page 252: ...n ID WWN 0x61 97 10 00 00 60 69 50 0c fe 0x62 98 20 01 00 05 30 00 47 9f 0x63 99 10 00 00 60 69 c0 0c 1d 0x64 100 20 01 00 05 30 00 51 1f Local 0x65 101 10 00 00 60 69 22 32 91 Principal Step 7 Verify the next hop and destination for the switch Example switch show fspf internal route vsan 1 FSPF Unicast Routes VSAN Number Dest Domain Route Cost Next hops 1 0x61 97 500 fc2 2 1 0x62 98 1000 fc2 1 fc...

Page 253: ...514e4 NL 21 00 00 20 37 a7 c7 e0 Seagate scsi fcp 0x6514e8 NL 21 00 00 20 37 a7 c7 df Seagate scsi fcp 0x651500 N 10 00 00 e0 69 f0 43 9f JNI Total number of entries 12 The Cisco switch name server shows both local and remote entries and does not time out the entries Note Default Settings for Advanced Fibre Channel Features The following table lists the default settings for the features included i...

Page 254: ...on protocol Passive Remote capture connection mode 10 frames Local capture frame limits Auto mode FC ID allocation mode Disabled Loop monitoring Disabled Interop mode Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x 230 OL 30895 01 Advanced Fibre Channel Features Default Settings for Advanced Fibre Channel Features ...

Page 255: ...ches and other devices DHCHAP consists of the CHAP protocol combined with the Diffie Hellman exchange Fabric Authentication All Cisco SAN switches enable fabric wide authentication from one switch to another switch or from a switch to a host These switch and host authentications are performed locally or remotely in each fabric As storage islands are consolidated and migrated to enterprise wide fab...

Page 256: ...ng DHCHAP Authentication You can configure DHCHAP authentication using the local password database Before You Begin You must explicitly enable the DHCHAP feature to access the configuration and verification commands for fabric authentication When you disable this feature all related configurations are automatically discarded Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7...

Page 257: ...urity or fabric binding Fabric binding policies are enforced based on identities authenticated by DHCHAP VSANs DHCHAP authentication is not done on a per VSAN basis By default the DHCHAP feature is disabled in all Cisco SAN switches About Enabling DHCHAP By default the DHCHAP feature is disabled in all Cisco SAN switches You must explicitly enable the DHCHAP feature to access the configuration and...

Page 258: ...ng switch initialization if the connecting device supports DHCHAP authentication the software performs the authentication sequence If the connecting device does not support DHCHAP authentication the software continues with the rest of the initialization sequence Auto Passive default The switch does not initiate DHCHAP authentication but participates in DHCHAP authentication if the connecting devic...

Page 259: ...nterfaces and enters the interface configuration mode switch config interface fc slot port slot port Step 2 If this is a QSFP GEM the slot port syntax is slot QSFP module port Note Sets the DHCHAP mode for the selected interfaces to be in the on state fcsp on Example switch config if fcsp on Step 3 Reverts to the factory default of auto passive for these three interfaces no fcsp on Example switch ...

Page 260: ...ollowed by SHA 1 for DHCHAP authentication If you change the hash algorithm configuration then change it globally for all switches in the fabric RADIUS and TACACS protocols always use MD5 for CHAP authentication Using SHA 1 as the hash algorithm may prevent RADIUS and TACACS usage even if these AAA protocols are enabled for DHCHAP authentication Caution Configuring the DHCHAP Hash Algorithm You ca...

Page 261: ...tizes the use of DH groups in the configured order fcsp dhchap dhgroup 0 1 2 3 4 Example switch config fcsp dhchap dhgroup 0 1 2 3 4 Step 2 Reverts to the DHCHAP factory default order of 0 1 2 3 and 4 no fcsp dhchap dhgroup 0 1 2 3 4 Example switch config no fcsp dhchap dhgroup 0 1 2 3 4 Step 3 DHCHAP Password DHCHAP authentication in each direction requires a shared secret password between the co...

Page 262: ...database you can continue to do so using Configuration 3 and using Cisco MDS 9000 Family Fabric Manager to manage the password database Configuring DHCHAP Passwords for the Local Switch You can configure the DHCHAP password for the local switch Procedure Purpose Command or Action Enters global configuration mode configure terminal Example switch configure terminal switch config Step 1 Configures a...

Page 263: ...chap devicename switch wwn password password Example switch config no fcsp dhchap devicename 21 00 05 30 23 1a 11 03 password mypassword Step 3 DHCHAP Timeout Value During the DHCHAP protocol exchange if the switch does not receive the expected DHCHAP message within a specified time interval authentication failure is assumed The time ranges from 20 no authentication is performed to 1000 seconds Th...

Page 264: ... display the DHCHAP configuration for the specified interface switch show fcsp interface fc2 4 fc2 4 fcsp authentication mode SEC_MODE_ON Status Successfully authenticated The following example shows how to display DHCHAP statistics for the specified interface switch show fcsp interface fc2 4 statistics The following example shows how to display the FC SP WWN of the device connected to the specifi...

Page 265: ... password for this switch This password is used by the connecting device Example switch config fcsp dhchap password rtp9216 Step 4 Configure a password for another switch in the fabric that is identified by the switch WWN device name Example switch config fcsp dhchap devicename 20 00 00 05 30 00 38 5e password rtp9509 Step 5 Enable the DHCHAP mode for the required interface Whenever DHCHAP port mo...

Page 266: ...P Local Password Non device specific password Other Devices Passwords Password for device with WWN 20 00 00 05 30 00 54 de is MDS 9509 show fcsp interface fc2 4 Fc2 4 fcsp authentication mode SEC_MODE_ON Status Successfully authenticated You have now enabled and configured DHCHAP authentication for the sample setup Default Settings for Fabric Security The following table lists the default settings...

Page 267: ...Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x OL 30895 01 243 Configuring FC SP and DHCHAP Default Settings for Fabric Security ...

Page 268: ...Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x 244 OL 30895 01 Configuring FC SP and DHCHAP Default Settings for Fabric Security ...

Page 269: ...d access SAN services based on zone membership Port security features prevent unauthorized access to a switch port using the following methods Login requests from unauthorized Fibre Channel devices N ports and switches xE ports are rejected All intrusion attempts are reported to the SAN administrator through system messages Configuration distribution uses the CFS infrastructure and is limited to t...

Page 270: ...e the port security feature for the first time beacuse it saves tedious manual configuration for each port You must configure auto learning per VSAN basis If enabled devices and switches that are allowed to connect to the switch are automatically learned even if you have not configured any port access When auto learning is enabled learning occurs only for the devices or interfaces that were not al...

Page 271: ... with Auto Learning and CFS Distribution You can configure port security using auto learning and CFS distribution Procedure Step 1 Enable port security Step 2 Enable CFS distribution Step 3 Activate port security on each VSAN This action turns on auto learning by default Step 4 Issue a CFS commit to copy this configuration to all switches in the fabric All switches have port security activated wit...

Page 272: ...he running configuration to the startup configuration which saves the port security configuration database to the startup configuration Step 7 Repeat the above steps for all switches in the fabric Related Topics Activating Port Security on page 249 Copying the Port Security Database on page 264 Disabling Auto Learning on page 253 Enabling Port Security on page 249 Configuring Port Security with Ma...

Page 273: ...terminal switch config Step 1 Enables port security on that switch port security enable Example switch config port security enable Step 2 Disables default port security on that switch no port security enable Example switch config no port security enable Step 3 Port Security Activation Activating Port Security You can activate port security Procedure Purpose Command or Action Enters global configur...

Page 274: ...he following cases Missing or conflicting entries exist in the configuration database but not in the active database The auto learning feature was enabled before the activation To reactivate a database in this state disable auto learning The exact security is not configured for each port channel member The configured database is empty but the active database is not If the database activation is re...

Page 275: ...ort security auto learn vsan 35 Step 2 the switch This command also enforces the database contents based on the devices learned up to this point Exits the configuration mode exit Example switch config exit Step 3 Copies from the active to the configured database port security database copy vsan vsan id Example switch port security database copy vsan 35 Step 4 Reenters configuration mode configure ...

Page 276: ...eature is not activated auto learning is disabled by default If the port security feature is activated auto learning is enabled by default unless you explicitly disabled this option If auto learning is enabled on a VSAN you can only activate the database for that VSAN by using the force option Tip Procedure Purpose Command or Action Enters global configuration mode configure terminal Example switc...

Page 277: ... the authorized connection conditions for device requests Table 34 Authorized Auto Learning Device Requests Authorization Requests Connection to Device pWWN nWWN sWWN Condition Permitted A configured switch port Configured with one or more switch ports 1 Denied Any other switch port 2 Permitted if auto learning enabled A switch port that is not configured Not configured 3 Denied if auto learning d...

Page 278: ...e following table summarizes the port security authorization results for this active database Table 35 Authorization Results for Scenario Reason Condition Authorization Device Connection Request No conflict 1 Permitted P1 N2 F1 No conflict 1 Permitted P2 N2 F1 F1 is bound to P1 P2 2 Denied P3 N2 F1 Wildcard match for N3 6 Permitted P1 N3 F1 Wildcard match for F3 5 Permitted P1 N1 F3 P1 is bound to...

Page 279: ...ning Device Authorization on page 253 Port Security Manual Configuration You can manually configure port security Procedure Step 1 Identify the WWN of the ports that need to be secured Step 2 Secure the fWWN to an authorized nWWN or pWWN Step 3 Activate the port security database Step 4 Verify your configuration WWN Identification Guidelines The WWN Identification has the following configuration g...

Page 280: ...nd you can add those pairs to the port security database Remote switch binding can be specified at the local switch To specify the remote interfaces you can use either the fWWN or sWWN interface combination Tip Procedure Purpose Command or Action Enters global configuration mode configure terminal Example switch configure terminal switch config Step 1 Enters the port security database mode for the...

Page 281: ...any WWN to log in through the specified interface in any switch switch config port security any wwn interface vfc 32 Port Security Configuration Distribution The port security feature uses the Cisco Fabric Services CFS infrastructure to enable efficient database management provide a single point of configuration for the entire fabric in the VSAN and enforce the port security policies throughout th...

Page 282: ...anges for the specified VSAN If you commit the changes made to the configurations the configurations in the pending database are distributed to other switches On a successful commit the configuration change is applied throughout the fabric and the lock is released Procedure Purpose Command or Action Enters global configuration mode configure terminal Example switch configure terminal switch config...

Page 283: ...pending database Learned entries are temporary and do not have any role in determining if a login is authorized or not As such learned entries do not participate in distribution When you disable learning and commit the changes in the pending database the learned entries become static entries in the active database and are distributed to all switches in the fabric After the commit the active databa...

Page 284: ...ng database empty Not applicable 3 You issue a commit configuration database A B active database null pending database A B activation to be enabled configuration database A B active database A B C D 1 You activate the port security database and enable auto learning A and B exist in the configuration database activation is not done and devices C and D are logged in configuration database A B active...

Page 285: ... the differences and interaction between the active and configuration databases Table 37 Active and Configuration Port Security Databases Configuration Database Active Database Read write Read only Saving the configuration saves all the entries in the configuration database Saving the configuration only saves the activated entries Learned entries are not saved Once activated the configuration data...

Page 286: ...ces between the active database and the configuration database Note The following figure shows various scenarios of the active database and the configuration database status based on port security configurations Figure 43 Port Security Database Scenarios Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x 262 OL 30895 01 Configuring Port Security Database Interaction ...

Page 287: ... the active database and the configuration database status based on port security configurations Figure 44 Port Security Database Scenarios Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x OL 30895 01 263 Configuring Port Security Database Interaction ...

Page 288: ...e distribution is enabled the deletion creates a copy of the database You must enter the port security commit command to actually delete the database Tip Use the no port security database vsan command in configuration mode to delete the configured database for a specified VSAN switch config no port security database vsan 1 Clearing the Port Security Database Use the clear port security statistics ...

Page 289: ...ivated database switch show port security database active The following example shows how to display difference between the temporary configuration database and the configuration database switch show port security pending diff vsan 1 The following example shows how to display the configured fWWN port security in VSAN 1 switch show port security database fwwn 20 01 00 05 30 00 95 de vsan 1 20 00 00...

Page 290: ...Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x 266 OL 30895 01 Configuring Port Security Default Settings for Port Security ...

Page 291: ...Membership Data EFMD protocol to ensure that the list of authorized switches is identical in all switches in the fabric Licensing Requirements for Fabric Binding Fabric Binding requires the Storage Protocol Services license Port Security Versus Fabric Binding Port security and fabric binding are two independent features that can be configured to complement each other The following table compares t...

Page 292: ...in uses both port security binding and fabric binding for a given VSAN Binding checks are performed on the port VSAN as follows E port security binding check on the port VSAN TE port security binding check on each allowed VSAN While port security complements fabric binding they are independent features and that you can enable or disable separately Fabric Binding Enforcement You must enable fabric ...

Page 293: ...Save the fabric binding configuration Step 6 Verify the fabric binding configuration Enabling Fabric Binding You can enable fabric binding on any participating switch Procedure Purpose Command or Action Enters global configuration mode configure terminal Example switch configure terminal switch config Step 1 Enables fabric binding on that switch feature fabric binding Example switch config feature...

Page 294: ...tes the sWWN and domain ID of a switch from the configured database list no swwn swwn id domain domain id Example switch config fabric binding no swwn 21 00 05 30 23 1a 11 03 domain 25 Step 5 Fabric Binding Activation and Deactivation Fabric binding maintains a configuration database config database and an active database The config database is a read write database that collects the configuration...

Page 295: ...abric binding activate vsan 25 Step 2 Deactivates the fabric binding database for the specified VSAN no fabric binding activate vsan vsan id Example switch config no fabric binding activate vsan 25 Step 3 Forcing Fabric Binding Activation You can forcefully activate the fabric binding database If the database activation is rejected due to one or more conflicts listed in the previous section you mi...

Page 296: ...e differences between the active database and the config database This command can be used when resolving conflicts switch fabric binding database diff active vsan 1 Use the fabric binding database diff config vsan command to obtain information on the differences between the config database and the active database switch fabric binding database diff config vsan 1 Use the copy running config startu...

Page 297: ... display the active fabric binding information for VSAN 4 switch show fabric binding database active vsan 4 This example shows how to display fabric binding violations switch show fabric binding violations VSAN Switch WWN domain Last Time Repeat count Reason 2 20 00 00 05 30 00 4a 1e 0xeb Nov 25 05 46 14 2003 2 Domain mismatch 3 20 00 00 05 30 00 4a 1e Nov 25 05 44 58 2003 2 sWWN not found 4 20 00...

Page 298: ...abric Binding Settings Default Parameters Disabled Fabric binding Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x 274 OL 30895 01 Configuring Fabric Binding Default Settings for Fabric Binding ...

Page 299: ...stems attached to the fabric Platform objects reside at the edge switches of the fabric Each object has its own set of attributes and values A null value may also be defined for some attributes In the Cisco Nexus device environment a fabric may consist of multiple VSANs One instance of the FCS is present per VSAN FCS supports the discovery of virtual devices The fcs virtual device add command ente...

Page 300: ...P manager can use the FCS management information base MIB to start discovery and obtain information about the fabric topology Support TE ports in addition to the standard F and E ports Can maintain a group of nodes with a logical name and management address when a platform registers with it FCSs maintain a backup of all registrations in secondary storage and update it with every change When a rest...

Page 301: ...nfig no fcs plat check global vsan vsan id Step 3 Displaying FCS Information You can use the show fcs commands to display the status of the WWN configuration The following example shows how to display the FCS local database switch show fcs database The following example shows how to display a list of all interconnect elements for VSAN 1 switch show fcs ie vsan 1 The following example shows how to ...

Page 302: ... Parameters Disabled Global checking of the platform name Unknown Platform node type Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x 278 OL 30895 01 Configuring Fabric Configuration Servers Default FCS Settings ...

Page 303: ...to another redundant link Information About Port Tracking Port tracking allows you to use information about the operational state of the link so that you can initiate a failure in the link that connects the edge device Converting the indirect failure to a direct failure triggers a faster recovery process towards redundant links When enabled port tracking brings down the configured links based on t...

Page 304: ...Gigabit Ethernet port can be tracked Generally ports in E and TE port modes can also be F ports Linked ports A port whose operational state is altered based on the operational state of the tracked ports Only physical Fibre Channel ports can be linked ports Port tracking has the following features The application brings the linked port down when the tracked port goes down When the tracked port reco...

Page 305: ...re is disabled by default When you enable this feature port tracking is globally enabled for the entire switch To configure port tracking enable the port tracking feature and configure the linked ports for the tracked port You can enable port tracking Procedure Purpose Command or Action Enters global configuration mode configure terminal Example switch configure terminal switch config Step 1 Enabl...

Page 306: ...QSFP module port Note Specifies the tracked port When the tracked port goes down the linked port is also brought down switch config if port track interface fc slot port san port channel port Step 3 If this is a QSFP GEM the slot port syntax is slot QSFP module port Note Removes the port tracking configuration that is currently applied to the interface switch config if no port track interface fc sl...

Page 307: ...ught down switch config if port track interface interface fc slot port san port channel port Step 3 If this is a QSFP GEM the slot port syntax is slot QSFP module port Note Monitoring Ports in a VSAN You can optionally configure one VSAN from the set of all operational VSANs on the tracked port with the linked port by specifying the required VSAN This level of flexibility provides higher granulari...

Page 308: ...annel 1 vsan 2 Example switch config if port track interface san port channel 1 vsan 2 Step 4 Forcefully Shutting down If a tracked port flaps frequently tracking ports using the operational binding feature may cause frequent topology changes You might choose to keep the port in the down state until you are able to resolve the reason for these frequent flaps Keeping the flapping port in the down s...

Page 309: ... track force shut Example switch config if no port track force shut Step 4 Displaying Port Tracking Information The show commands display the current port tracking settings for the switch The following example shows how to display tracked port configuration for a specific interface switch show interface vfc21 fc2 1 is down Administratively down Hardware is Fibre Channel FCOT is short wave laser w ...

Page 310: ...nked to interface vfc21 The following example shows how to display the port track mode switch show interface vfc 24 vfc24 is up Hardware is Fibre Channel FCOT is short wave laser Transmit B2B Credit is 64 Receive B2B Credit is 16 Receive data field Size is 2112 Beacon is turned off Port track mode is force_shut this port remains shut even if the tracked port is back up Cisco Nexus 5500 Series NX O...

Page 311: ...ription 20 bit errors 20 reasons 20 Brocade 221 native interop mode 221 buffer to buffer credits 14 21 configuring 21 build fabric frames 30 description 30 C company IDs 219 FC ID allocations 219 configuring 21 58 133 204 205 208 209 buffer to buffer credits 21 no drop policy map 205 no drop policy maps 209 NPV traffic maps 58 Type QoS Policies 204 208 iSCSI 204 iSCSI and FCoE 208 zones example 13...

Page 312: ...us assignments 43 interoperability 221 preferred 36 static 36 domain manager 11 31 fast restart feature 31 isolation 11 drop latency time 182 183 configuring 182 configuring for FSPF in order delivery 182 drop latency time continued displaying information 183 E E port mode 9 classes of service 9 description 9 E ports 11 16 85 141 167 168 267 275 configuring 16 fabric binding checking 267 FCS suppo...

Page 313: ...n 231 enabling 233 enabling on ISLs 240 fcaliases 137 143 144 cloning 144 configuring for zones 137 fcaliases continued creating 137 renaming 143 fcdomains 11 29 31 32 33 34 35 36 40 48 49 autoreconfigured merged fabrics 35 configuring CFS distribution 40 default settings 49 description 29 disabling 33 displaying information 48 displaying statistics 48 domain IDs 36 domain manager fast restart 31 ...

Page 314: ...WNs 136 configuring fcalias members 136 Fx ports 9 116 VSAN membership 116 H hard zoning 139 description 139 HBA ports 46 configuring area FCIDs 46 Hello time intervals 173 configuring for FSPF 173 description 173 I identifying 203 207 iSCSI and FCoE traffic 207 iSCSI traffic 203 in order delivery 179 180 181 182 configuring drop latency time 182 displaying status 182 enabling for VSANs 181 enabli...

Page 315: ...ts 51 NPIV 22 23 description 22 enabling 23 NPV 56 57 58 59 configuring NP interface 57 configuring server interface 58 enabling 56 verifying 59 O operational states 11 15 configuring on Fibre Channel interfaces 15 description 11 P passwords 237 DHCHAP 237 persistent FC IDs 44 46 48 configuring 44 description 44 displaying 48 enabling 44 purging 46 PLOGI 189 name server 189 port channels 11 177 18...

Page 316: ...zone membership 127 R RCFs 30 34 description 30 incoming 34 rejecting incoming 34 reason codes 11 description 11 reconfigure fabric frames 30 redundancy 116 VSANs 116 Registered State Change Notifications 191 retransmitting intervals 175 configuring for FSPF 175 description 175 route costs 172 computing 172 RSCN 191 192 197 default settings 197 description 191 displaying information 191 multiple p...

Page 317: ...bility 221 recovering from link isolations 141 trunking restrictions 84 timeout values 213 TOV 213 214 221 229 configuring across all VSANs 213 configuring for a VSAN 214 default settings 229 interoperability 221 ranges 213 tracked ports 282 binding operationally 282 traffic isolation 116 VSANs 116 trunk mode 22 85 86 90 administrative default 22 configuring 85 86 default settings 90 trunk ports 9...

Page 318: ...ion 113 trunk allowed 84 trunking ports 119 W world wide names 218 WWNs 11 218 219 description 218 displaying information 218 link initialization 218 secondary MAC addresses 219 suspended connections 11 Z zone aliases 163 conversion to device aliases 163 zone attribute groups 144 cloning 144 zone databases 145 150 migrating a non Cisco SAN database 145 release locks 150 zone members 135 displaying...

Page 319: ...mbership using pWWNs 116 merge failures 11 renaming 143 zones continued restoring procedure 143 viewing information 145 zoning 127 129 130 description 127 example 129 implementation 130 Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x OL 30895 01 IN 9 Index ...

Page 320: ...Cisco Nexus 5500 Series NX OS SAN Switching Configuration Guide Release 7 x IN 10 OL 30895 01 Index ...

Reviews:

No comments

Related manuals for Nexus 5500 Series NX-OS

Brand: JCG Pages: 2

Brand: Observint Pages: 11

VigorIPPBX 2820 Series

Brand: Draytek Pages: 29

8677 - BladeCenter Rack-mountable - Power...

Brand: IBM Pages: 126

301160U - 1TB Ethernet Disk RAID Network Attached...

Brand: LaCie Pages: 5

Brand: Paradyne Pages: 1

PG-FlexPlus AMU-912

Brand: ADC Pages: 130

totalstorage 200

Brand: IBM Pages: 180

Wisenet PRN-6400B4

Brand: Hanwha Techwin Pages: 14

Brand: EMCIS Pages: 14

DynaGST/2402G GEP-33224T-1

Brand: UNICOM Pages: 17

Brand: rtd Pages: 28

Brand: Extreme Networks Pages: 51

Brand: Ryobi Pages: 44

Brand: Supermicro Pages: 62

Brand: MAKER MADE Pages: 40

Brand: N-Tron Pages: 2

Brand: METREL Pages: 21

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands