manualshive.com logo in svg

HP 9124 - Cisco MDS Fabric Switch, Configuration Manual

The HP 9124 - Cisco MDS Fabric Switch is a high-performance networking device designed for seamless data transmission. Unlock its full potential by accessing the comprehensive Configuration Manual, available for free download from our website. Enhance your user experience and optimize your network setup with this essential manual.

Share
Download
background image

S e n d   d o c u m e n t a t i o n   c o m m e n t s   t o   m d s f e e d b a c k - d o c @ c i s c o . c o m

34-9

Cisco MDS 9000 Family CLI Configuration Guide

OL-16184-01, Cisco MDS SAN-OS Release 3.x

Chapter 34      Configuring Certificate Authorities and Digital Certificates

Configuring CAs and Digital Certificates

To authenticate the certificate of the CA by cutting and pasting the certificate from an e-mail message 
or a website, follow these steps:

Note

For subordinate CA authentication, the full chain of CA certificates ending in a self-signed CA is 
required because the CA chain is needed for certificate verification as well as for PKCS#12 format 
export.

Configuring Certificate Revocation Checking Methods

During security exchanges with a client (for example, an IKE peer or SSH user), the MDS switch 
performs the certificate verification of the peer certificate sent by the client and the verification process 
may involve certificate revocation status checking.

You can use different methods for checking for revoked sender certificates. You can configure the switch 
to check the CRL downloaded from the CA (see the 

“Configuring a CRL” section on page 34-14

), you 

can use OSCP if it is supported in your network, or both. Downloading the CRL and checking locally 
does not generate traffic in your network. However, certificates can be revoked between downloads and 
your switch would not be aware of the revocation. OCSP provides the means to check the current CRL 
on the CA. However, OCSP can generate network traffic that can impact network efficiency. Using both 
local CRL checking and OCSP provides the most secure method for checking for revoked certificates.

Command

Purpose

Step 1

switch# 

config t

switch(config)#

Enters configuration mode. 

Step 2

switch(config)# 

crypto ca authenticate admin-ca

input (cut & paste) CA certificate (chain) in PEM format;

end the input with a line containing only END OF INPUT :

-----BEGIN CERTIFICATE-----

MIIC4jCCAoygAwIBAgIQBWDSiay0GZRPSRIljK0ZejANBgkqhkiG9w0BAQUFADCB

kDEgMB4GCSqGSIb3DQEJARYRYW1hbmRrZUBjaXNjby5jb20xCzAJBgNVBAYTAklO

MRIwEAYDVQQIEwlLYXJuYXRha2ExEjAQBgNVBAcTCUJhbmdhbG9yZTEOMAwGA1UE

ChMFQ2lzY28xEzARBgNVBAsTCm5ldHN0b3JhZ2UxEjAQBgNVBAMTCUFwYXJuYSBD

QTAeFw0wNTA1MDMyMjQ2MzdaFw0wNzA1MDMyMjU1MTdaMIGQMSAwHgYJKoZIhvcN

AQkBFhFhbWFuZGtlQGNpc2NvLmNvbTELMAkGA1UEBhMCSU4xEjAQBgNVBAgTCUth

cm5hdGFrYTESMBAGA1UEBxMJQmFuZ2Fsb3JlMQ4wDAYDVQQKEwVDaXNjbzETMBEG

A1UECxMKbmV0c3RvcmFnZTESMBAGA1UEAxMJQXBhcm5hIENBMFwwDQYJKoZIhvcN

AQEBBQADSwAwSAJBAMW/7b3+DXJPANBsIHHzluNccNM87ypyzwuoSNZXOMpeRXXI

OzyBAgiXT2ASFuUOwQ1iDM8rO/41jf8RxvYKvysCAwEAAaOBvzCBvDALBgNVHQ8E

BAMCAcYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUJyjyRoMbrCNMRU2OyRhQ

GgsWbHEwawYDVR0fBGQwYjAuoCygKoYoaHR0cDovL3NzZS0wOC9DZXJ0RW5yb2xs

L0FwYXJuYSUyMENBLmNybDAwoC6gLIYqZmlsZTovL1xcc3NlLTA4XENlcnRFbnJv

bGxcQXBhcm5hJTIwQ0EuY3JsMBAGCSsGAQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEB

BQUAA08nKaGr0g0NIJaqNgLh0AFcT0rEyuyt/WYGPzksF9Ea

NBG7E0oN66zex0EOEfG1Vs6mXp1//w==

-----END CERTIFICATE-----

 END OF INPUT

Fingerprint(s): MD5 

Fingerprint=65:84:9A:27:D5:71:03:33:9C:12:23:92:38:6F:78:12

Do you accept this certificate? [yes/no]: 

y

Prompts you to cut and paste the 
certificate of the CA. Use the same 
name that you used when declaring the 
CA.

Note

The maximum number of trust 
points you can authenticate to 
a specific CA is 10.

Summary of Contents for 9124 - Cisco MDS Fabric Switch

Page 1: ...cas Headquarters Cisco Systems Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 Cisco MDS 9000 Family CLI Configuration Guide Release 3 x Cisco MDS SAN OS for Release 3 0 1 Through 3 3 1a April 2008 Text Part Number OL 16184 01 ...

Page 2: ...OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES CCDE CCENT Cisco Eos Cisco Lumin Cisco StadiumVision the Cisco logo DCE and Welcome to the Human Network are trademarks Changing the Way We Work Live Play and Learn is a service mark and Access Registrar Aironet AsyncOS Bringing the Meeting To You Catalyst CCDA CCDP CCIE CCIP CCNA CC...

Page 3: ... Command Line Interface 1 lxviii C H A P T E R 1 Product Overview 1 1 Hardware Overview 1 1 Cisco MDS 9500 Series Multilayer Directors 1 2 Cisco MDS 9200 Series Fabric Switches 1 3 Cisco MDS 9216i Multiprotocol Fabric Switch 1 3 Cisco MDS 9222i Cisco MDS 9216A and Cisco MDS 9216 Multilayer Fabric Switches 1 3 Cisco MDS 9100 Series Fixed Configuration Fabric Switches 1 4 Cisco SAN OS Software Confi...

Page 4: ... Using the ping and ping ipv6 Commands 2 15 Using the Extended ping and ping ipv6 Commands 2 15 Using traceroute and traceroute ipv6 Commands 2 16 Configuring Terminal Parameters 2 17 Setting the Terminal Session Timeout 2 17 Displaying Terminal Sessions 2 18 Clearing Terminal Sessions 2 18 Setting the Terminal Timeout 2 18 Setting the Terminal Type 2 19 Setting the Terminal Screen Length 2 19 Set...

Page 5: ...eleting Files 2 31 Displaying File Contents 2 31 Saving Command Output to a File 2 32 Compressing and Uncompressing Files 2 32 Displaying the Last Lines in a File 2 32 Command Scripts 2 33 Executing Commands Specified in a Script 2 33 Using CLI Variables in Scripts 2 34 Setting the Delay Time 2 34 C H A P T E R 3 Obtaining and Installing Licenses 3 1 Licensing Terminology 3 1 Licensing Model 3 2 L...

Page 6: ...Moving Licenses Among Ports 4 12 On Demand Port Activation License Example 4 13 C H A P T E R 5 Initial Configuration 5 1 Starting a Switch in the Cisco MDS 9000 Family 5 2 Initial Setup Routine 5 2 Preparing to Configure the Switch 5 3 Default Login 5 3 Setup Options 5 4 Assigning Setup Information 5 5 Configuring Out of Band Management 5 6 Configuring In Band Management 5 10 Using the setup Comm...

Page 7: ...Verifying Console Port Settings 5 28 Configuring COM1 Port Settings 5 29 Verifying COM1 Port Settings 5 30 Configuring Modem Connections 5 30 Guidelines to Configure Modems 5 31 Enabling Modem Connections 5 32 Configuring the Initialization String 5 32 Configuring the Default Initialization String 5 33 Configuring a User Specified Initialization String 5 34 Initializing a Modem in a Powered On Swi...

Page 8: ... Address for CFS over IP 6 13 Verifying IP Multicast Address Configuration for CFS over IP 6 14 CFS Regions 6 15 About CFS Regions 6 15 Managing CFS Regions 6 16 Creating CFS Regions 6 16 Assigning Applications to CFS Regions 6 16 Moving an Application to a Different CFS Region 6 16 Removing an Application from a Region 6 17 Deleting CFS Regions 6 17 Default Settings 6 17 C H A P T E R 7 Software ...

Page 9: ...26 Upgrading a Loader 7 27 Upgrading the BIOS 7 29 Quick Upgrade 7 31 Downgrading from a Higher Release 7 31 Maintaining Supervisor Modules 7 32 Replacing Supervisor Modules 7 32 Migrating from Supervisor 1 Modules to Supervisor 2 Modules 7 32 Standby Supervisor Module Boot Variable Version 7 40 Standby Supervisor Module Bootflash Memory 7 40 Standby Supervisor Module Boot Alert 7 40 Installing Ge...

Page 10: ...e Copied Boot Variables 9 4 Displaying HA Status Information 9 5 C H A P T E R 10 Managing System Hardware 10 1 Displaying Switch Hardware Inventory 10 1 Running Compact Flash Tests 10 4 Running the CompactFlash CRC Checksum Test On Demand 10 4 Enabling and Disabling the Automatic CompactFlash CRC Checksum Test 10 4 Setting the CompactFlash CRC Checksum Test Interval 10 5 Enabling and Disabling Fa...

Page 11: ...Environment Information 10 20 Default Settings 10 21 C H A P T E R 11 Managing Modules 11 1 About Modules 11 1 Supervisor Modules 11 2 Switching Modules 11 3 Services Modules 11 3 Verifying the Status of a Module 11 4 Checking the State of a Module 11 4 Connecting to a Module 11 5 Reloading Modules 11 6 Reloading a Switch 11 6 Power Cycling Modules 11 7 Reloading Switching Modules 11 7 Preserving ...

Page 12: ...12 1 Fibre Channel Interfaces 12 1 32 Port Switching Module Configuration Guidelines 12 2 About Interface Modes 12 3 E Port 12 4 F Port 12 4 FL Port 12 4 NP Ports 12 4 TL Port 12 5 TE Port 12 5 SD Port 12 5 ST Port 12 6 Fx Port 12 6 B Port 12 6 Auto Mode 12 6 N Port Identifier Virtualization 12 7 About Interface States 12 7 Administrative States 12 7 Operational States 12 7 Reason Codes 12 8 Confi...

Page 13: ...ng Entries into ALPA Cache 12 32 Displaying the ALPA Cache Contents 12 32 Clearing the ALPA Cache 12 32 Buffer Credits 12 32 About Buffer to Buffer Credits 12 32 Configuring Buffer to Buffer Credits 12 33 About Performance Buffers 12 34 Configuring Performance Buffers 12 34 About Extended BB_credits 12 34 Extended BB_credits on Generation 1 Switching Modules 12 35 Extended BB_credits on Generation...

Page 14: ...Switches 14 1 Port Groups 14 2 Port Rate Modes 14 4 Dedicated Mode 14 6 Shared Mode 14 6 Dynamic Bandwidth Management 14 6 Out of Service Interfaces 14 7 Buffer Credit Allocation 14 7 Buffer Pools 14 8 BB_Credit Buffers for Switching Modules 14 9 48 port 4 Gbps Fibre Channel Module BB_Credit Buffers 14 9 24 port 4 Gbps Fibre Channel Module BB_Credit Buffers 14 11 18 Port Fibre Channel 4 Port Gigab...

Page 15: ...on Ratio Restrictions Example 14 29 Enabling Restrictions on Oversubscription Ratios 14 31 Configuring Bandwidth Fairness 14 31 Enabling Bandwidth Fairness 14 32 Disabling Bandwidth Fairness 14 32 Upgrade or Downgrade Scenario 14 32 Taking Interfaces Out of Service 14 33 Releasing Shared Resources in a Port Group 14 34 Enabling the Buffer to Buffer State Change Number 14 34 Disabling ACL Adjacency...

Page 16: ...1 Compatibility Check 16 11 Suspended and Isolated States 16 11 Adding an Interface to a PortChannel 16 11 Forcing an Interface Addition 16 12 About Interface Deletion from a PortChannel 16 13 Deleting an Interface from a PortChannel 16 13 PortChannel Protocol 16 13 About Channel Group Creation 16 14 About Autocreation 16 15 Enabling and Configuring Autocreation 16 16 About Manually Configured Cha...

Page 17: ...Discarding Changes 17 12 Clearing a Fabric Lock 17 12 Displaying CFS Distribution Status 17 13 Displaying Pending Changes 17 13 Displaying Session Status 17 13 About Contiguous Domain ID Assignments 17 14 Enabling Contiguous Domain ID Assignments 17 14 FC IDs 17 14 About Persistent FC IDs 17 15 Enabling the Persistent FC ID Feature 17 15 About Persistent FC ID Configuration 17 16 Configuring Persi...

Page 18: ...cution Logs 18 9 About Execution Logs 18 10 Configuring Execution Logs 18 10 Displaying Execution Log File Contents 18 10 Clearing the Execution Log File Contents 18 10 Default Settings 18 11 C H A P T E R 19 Configuring and Managing VSANs 19 1 About VSANs 19 1 VSANs Topologies 19 1 VSAN Advantages 19 3 VSANs Versus Zones 19 4 VSAN Configuration 19 5 About VSAN Creation 19 6 Creating VSANs Statica...

Page 19: ...and SDV Virtual Target with LUN 20 8 SDV Virtual Initiator and Real Target with LUN 20 8 SDV Virtual Initiator and SDV Virtual Target with LUN 20 9 Resolving Fabric Merge Conflicts 20 9 SDV Requirements and Guidelines 20 9 Discarding Changes 20 10 Clearing SDV Changes 20 11 Guidelines for Downgrading SDV 20 11 Downgrading With Virtual Initiators Configured 20 11 Downgrading with SDV LUN Zoning Con...

Page 20: ...nfigurations 21 10 Sample DPVM Configuration 21 11 Default Settings 21 13 C H A P T E R 22 Configuring Inter VSAN Routing 22 1 Inter VSAN Routing 22 1 About IVR 22 2 IVR Features 22 3 IVR Terminology 22 3 IVR Limits Summary 22 4 Fibre Channel Header Modifications 22 4 IVR NAT 22 5 IVR NAT Requirements and Guidelines 22 5 IVR VSAN Topology 22 6 Autonomous Fabric ID 22 7 IVR Service Groups 22 7 Defa...

Page 21: ...t IVR Without IVR NAT or Auto Topology 22 17 Domain ID Guidelines 22 18 Transit VSAN Guidelines 22 18 Border Switch Guidelines 22 18 Configuring IVR Without NAT 22 19 Manually Configuring the IVR Topology 22 19 Activating a Manually Configured IVR Topology 22 20 Adding an IVR Enabled Switch to an Existing IVR Topology 22 21 Copying the Active IVR Topology 22 22 Clearing the Configured IVR Topology...

Page 22: ...VR Using Read Only Zoning 22 36 System Image Downgrading Considerations 22 36 Database Merge Guidelines 22 36 Resolving Database Merge Failures 22 38 Example Configurations 22 39 Manual Topology Configuration 22 39 Auto Topology Configuration 22 42 Default Settings 22 44 C H A P T E R 23 Configuring and Managing Zones 23 1 About Zoning 23 1 Zoning Example 23 2 Zone Implementation 23 3 Active and F...

Page 23: ...21 Configuring a LUN Based Zone 23 22 Assigning LUNs to Storage Subsystems 23 22 About Read Only Zones 23 23 Configuring Read Only Zones 23 23 Displaying Zone Information 23 24 Enhanced Zoning 23 30 About Enhanced Zoning 23 30 Changing from Basic Zoning to Enhanced Zoning 23 31 Changing from Enhanced Zoning to Basic Zoning 23 32 Enabling Enhanced Zoning 23 32 Modifying the Zone Database 23 33 Rele...

Page 24: ...fault Settings 24 11 C H A P T E R 25 Configuring Fibre Channel Routing Services and Protocols 25 1 About FSPF 25 2 FSPF Examples 25 2 Fault Tolerant Fabric 25 2 Redundant Links 25 3 Fail Over Scenarios for PortChannels and FSPF Links 25 3 FSPF Global Configuration 25 4 About SPF Computational Hold Times 25 4 About Link State Record Defaults 25 4 Configuring FSPF on a VSAN 25 5 Resetting FSPF to t...

Page 25: ...ing In Order Delivery for a VSAN 25 16 Displaying the In Order Delivery Status 25 16 Configuring the Drop Latency Time 25 17 Displaying Latency Information 25 17 Flow Statistics Configuration 25 18 About Flow Statistics 25 18 Counting Aggregated Flow Statistics 25 18 Counting Individual Flow Statistics 25 19 Clearing FIB Statistics 25 19 Displaying Flow Statistics 25 19 Displaying Global FSPF Info...

Page 26: ...mitting the RSCN Timer Configuration Changes 26 13 Discarding the RSCN Timer Configuration Changes 26 13 Clearing a Locked Session 26 13 Displaying RSCN Configuration Distribution Information 26 13 Default Settings 26 14 C H A P T E R 27 Discovering SCSI Targets 27 1 About SCSI LUN Discovery 27 1 About Starting SCSI LUN Discovery 27 1 Starting SCSI LUN Discovery 27 2 About Initiating Customized Di...

Page 27: ... 15 Setting Up a Basic FICON Configuration 28 15 Manually Enabling FICON on a VSAN 28 18 Configuring the code page Option 28 19 Allowing the Host to Move the Switch Offline 28 19 Allowing the Host to Change FICON Port Parameters 28 20 Allowing the Host to Control the Timestamp 28 20 Clearing the Time Stamp 28 21 Configuring SNMP Control of FICON Parameters 28 21 About FICON Device Allegiance 28 22...

Page 28: ...ON Alerts 28 42 Displaying FICON Port Address Information 28 43 Displaying FICON Configuration File Information 28 44 Displaying the Configured FICON State 28 46 Displaying a Port Administrative State 28 46 Displaying Buffer Information 28 47 Displaying FICON Information in the Running Configuration 28 47 Displaying FICON Information in the Startup Configuration 28 48 Displaying FICON Related Log ...

Page 29: ...C H A P T E R 30 Configuring FIPS 30 1 Configuration Guidelines 30 2 Enabling FIPS Mode 30 2 Checking for FIPS Status 30 2 FIPS Self Tests 30 2 C H A P T E R 31 Configuring SNMP 31 1 About SNMP Security 31 1 SNMP Version 1 and Version 2c 31 2 SNMP Version 3 31 2 Assigning SNMP Switch Contact and Location Information 31 2 SNMPv3 CLI User Management and AAA Integration 31 3 CLI and SNMP User Synchro...

Page 30: ...elines 32 4 Server Groups 32 4 AAA Service Configuration Options 32 4 Error Enabled Status 32 5 AAA Server Monitoring 32 5 Authentication and Authorization Process 32 6 Configuring RADIUS 32 8 Setting the RADIUS Server Address 32 8 About the Default RADIUS Server Encryption Type and Preshared Key 32 10 Configuring the Default RADIUS Server Encryption Type and Preshared Key 32 10 Setting the RADIUS...

Page 31: ...2 24 Password Aging Notification through TACACS Server 32 24 About Users Specifying a TACACS Server at Login 32 24 Allowing Users to Specify a TACACS Server at Login 32 25 Defining Custom Attributes for Roles 32 25 Supported TACACS Server Parameters 32 25 Displaying TACACS Server Details 32 26 Configuring Server Groups 32 27 AAA Server Distribution 32 30 Enabling AAA Server Distribution 32 30 Star...

Page 32: ...9 Applying an IP ACL to an Interface 33 9 Verifying Interface IP ACL Configuration 33 11 IP ACL Counter Cleanup 33 12 C H A P T E R 34 Configuring Certificate Authorities and Digital Certificates 34 1 About CAs and Digital Certificates 34 1 Purpose of CAs and Digital Certificates 34 2 Trust Model Trust Points and Identity CAs 34 2 RSA Key Pairs and Identity Certificates 34 2 Multiple Trusted CA Su...

Page 33: ...witch 34 16 Downloading a CA Certificate 34 19 Requesting an Identity Certificate 34 23 Revoking a Certificate 34 29 Generating and Publishing the CRL 34 32 Downloading the CRL 34 33 Importing the CRL 34 35 Maximum Limits 34 37 Default Settings 34 38 C H A P T E R 35 Configuring IPsec Network Security 35 1 About IPsec 35 2 About IKE 35 3 IPsec Prerequisites 35 3 Using IPsec 35 4 IPsec Compatibilit...

Page 34: ...to IPv4 ACLs 35 20 Creating Crypto IPv4 ACLs 35 21 About Transform Sets in IPsec 35 21 Configuring Transform Sets 35 22 About Crypto Map Entries 35 23 SA Establishment Between Peers 35 23 Crypto Map Configuration Guidelines 35 24 Creating Crypto Map Entries 35 24 About SA Lifetime Negotiation 35 25 Setting the SA Lifetime 35 25 About the AutoPeer Option 35 26 Configuring the AutoPeer Option 35 27 ...

Page 35: ...ds for Remote Devices 36 8 About the DHCHAP Timeout Value 36 8 Configuring the DHCHAP Timeout Value 36 8 Configuring DHCHAP AAA Authentication 36 8 Displaying Protocol Security Information 36 9 Sample Configuration 36 10 Default Settings 36 12 C H A P T E R 37 Configuring Port Security 37 1 About Port Security 37 1 Port Security Enforcement 37 2 About Auto Learning 37 2 Port Security Activation 37...

Page 36: ...ibution 37 13 Database Merge Guidelines 37 14 Database Interaction 37 14 Database Scenarios 37 15 Port Security Database Copy 37 16 Port Security Database Deletion 37 17 Port Security Database Cleanup 37 17 Displaying Port Security Configuration 37 18 Default Settings 37 20 C H A P T E R 38 Configuring Fabric Binding 38 1 About Fabric Binding 38 1 Licensing Requirements 38 1 Port Security Versus F...

Page 37: ...guration Distribution 39 6 Clearing Sessions 39 6 Database Merge Guidelines 39 6 Displaying Role Based Information 39 6 Displaying Roles When Distribution is Enabled 39 7 Configuring Common Roles 39 8 Mapping of CLI Operations to SNMP 39 9 Configuring User Accounts 39 10 About Users 39 11 Characteristics of Strong Passwords 39 11 Configuring Users 39 12 Logging Out Users 39 13 Displaying User Acco...

Page 38: ...ating FCIP Profiles 40 9 Displaying FCIP Profile Information 40 9 Creating FCIP Links 40 10 Advanced FCIP Profile Configuration 40 12 Configuring TCP Listener Ports 40 12 Configuring TCP Parameters 40 13 Displaying FCIP Profile Configuration Information 40 17 Displaying FCIP Profile Configuration Information 40 18 Advanced FCIP Interface Configuration 40 18 Configuring Peers 40 18 Peer IP Address ...

Page 39: ...idelines 41 4 Tuner Initialization 41 4 nWWN Configuration 41 4 Virtual N Port Configuration 41 5 SCSI Read Write Assignment 41 5 SCSI Tape Read Write Assignment 41 7 Configuring a Data Pattern 41 8 Verifying the SAN Extension Tuner Configuration 41 9 Default Settings 41 10 C H A P T E R 42 Configuring iSCSI 42 1 About iSCSI 42 1 About iSCSI Configuration Limits 42 4 Configuring iSCSI 42 4 Enablin...

Page 40: ...ying iSCSI Statistics 42 31 Displaying Proxy Initiator Information 42 33 Displaying Global iSCSI Information 42 34 Displaying iSCSI Sessions 42 34 Displaying iSCSI Initiators 42 36 Displaying iSCSI Virtual Targets 42 39 Displaying iSCSI User Information 42 39 Configuring iSLB 42 39 About iSLB Configuration Limits 42 40 iSLB Configuration Prerequisites 42 41 About iSLB Initiators 42 41 Configuring ...

Page 41: ... Displaying Pending iSLB Configuration Changes 42 57 Displaying iSLB CFS Status 42 58 Displaying iSLB CFS Distribution Session Status 42 58 Displaying iSLB CFS Merge Status 42 58 iSCSI High Availability 42 59 Transparent Target Failover 42 59 iSCSI High Availability with Host Running Multi Path Software 42 59 iSCSI HA with Host Not Having Any Multi Path Software 42 60 LUN Trespass for Storage Port...

Page 42: ...loud Discovery Configuration 42 95 Configuring iSNS Cloud Discovery Distribution 42 95 Configuring iSNS Cloud Discovery Message Types 42 95 Verifying Cloud Discovery Status 42 96 Verifying Cloud Discovery Membership 42 96 Displaying Cloud Discovery Statistics 42 96 Default Settings 42 96 C H A P T E R 43 Configuring IP Services 43 1 Traffic Management Services 43 2 Management Interface Configurati...

Page 43: ...erval for Advertisement Packets 43 22 Priority Preemption 43 22 Virtual Router Authentication 43 23 Priority Based on Interface State Tracking 43 24 Displaying IPv4 VRRP Information 43 25 Displaying IPv6 VRRP Information 43 26 Displaying VRRP Statistics 43 27 Clearing VRRP Statistics 43 27 DNS Server Configuration 43 27 Displaying DNS Host Information 43 28 Default Settings 43 29 C H A P T E R 44 ...

Page 44: ...figuring Autonegotiation 45 3 Configuring the MTU Frame Size 45 3 Configuring Promiscuous Mode 45 4 Verifying Gigabit Ethernet Connectivity 45 4 VLANs 45 5 About VLANs for Gigabit Ethernet 45 5 Configuring the VLAN Subinterface 45 6 Interface Subnet Requirements 45 6 Configuring Static IPv4 Routing 45 7 Displaying the IPv4 Route Table 45 7 IPv4 ACLs 45 7 Gigabit Ethernet IPv4 ACL Guidelines 45 7 A...

Page 45: ...46 14 Example Output for the show ipv6 neighbours Command 46 14 Example Output for the show ipv6 traffic Command 46 14 Clearing IPv6 Neighbor Discovery Cache 46 15 Configuring Neighbor Discovery Parameters 46 15 Duplicate Address Detection Attempts 46 15 Reachability Time 46 16 Retransmission Time 46 16 Verifying Neighbor Discovery Parameter Configuration 46 16 Configuring IPv6 Static Routes 46 17...

Page 46: ...e Acceleration 48 1 Fibre Channel Write Acceleration 48 1 About Fibre Channel Write Acceleration 48 1 Enabling Fibre Channel Write Acceleration 48 2 Displaying Fibre Channel Write Acceleration Information 48 2 Default Settings 48 4 C H A P T E R 49 Configuring SANTap 49 1 About SANTap 49 1 Configuring SANTap 49 4 Enabling SANTap 49 4 Configuring DVTs 49 5 Displaying SANTap Information 49 5 Removin...

Page 47: ...o Configure VSANs as a Source 52 4 SPAN Sessions 52 5 Specifying Filters 52 5 Guidelines to Specifying Filters 52 5 SD Port Characteristics 52 5 Guidelines to Configure SPAN 52 6 Configuring SPAN 52 6 Configuring SPAN 52 6 Configuring SPAN for Generation 2 Fabric Switches 52 9 Suspending and Reactivating SPAN Sessions 52 11 Encapsulating Frames 52 11 SPAN Conversion Behavior 52 11 Monitoring Traff...

Page 48: ... SPAN and RSPAN Settings 52 32 C H A P T E R 53 Configuring System Message Logging 53 1 About System Message Logging 53 1 System Message Logging Configuration 53 3 Message Logging Initiation 53 4 Console Severity Level 53 4 Monitor Severity Level 53 4 Module Logging 53 5 Facility Severity Levels 53 5 Log Files 53 6 System Message Logging Servers 53 6 Outgoing System Message Logging Server Faciliti...

Page 49: ...ion 54 13 Fabric Lock Override 54 15 Database Merge Guidelines 54 15 Call Home Communications Test 54 15 Displaying Call Home Information 54 16 Sample Syslog Alert Notification in Full txt Format 54 17 Sample Syslog Alert Notification in XML Format 54 18 Sample RMON Notification in XML Format 54 19 Default Settings 54 20 Event Triggers 54 21 Call Home Message Levels 54 23 Message Contents 54 24 C ...

Page 50: ...6 9 About Service Policy Enforcement 56 9 Applying Service Policies 56 9 About the DWRR Traffic Scheduler Queue 56 10 Changing the Weight in a DWRR Queue 56 10 Displaying Data Traffic Information 56 10 Example Configuration 56 12 Ingress Port Rate Limiting 56 14 Default Settings 56 14 C H A P T E R 57 Configuring Port Tracking 57 1 About Port Tracking 57 1 Port Tracking 57 2 About Port Tracking 57...

Page 51: ...Frames 58 9 Defining Display Filters 58 10 Examples of Display Filters 58 10 Capture Filters 58 13 Permitted Capture Filters 58 13 Loop Monitoring 58 14 About Loop Monitoring 58 14 Enabling Loop Monitoring 58 15 Verifying Loop Monitoring Configuration 58 15 The show tech support Command 58 15 The show tech support brief Command 58 16 The show tech support zone Command 58 18 The show tech support p...

Page 52: ...aying Kernel Core Information 59 11 Online System Health Management 59 12 About Online System Health Management 59 12 System Health Initiation 59 13 Loopback Test Configuration Frequency 59 13 Loopback Test Configuration Frame Length 59 14 Hardware Failure Action 59 14 Test Run Requirements 59 15 Tests for a Specified Module 59 15 Clearing Previous Error Reports 59 16 Performing Internal Loopback ...

Page 53: ...DS 9000 Family Release Notes available at the following Cisco Systems website http www cisco com en US products hw ps4159 ps4358 prod_release_notes_list html Table 1 1 summarizes the new and changed features for the Cisco MDS 9000 Family CLI Configuration Guide Release 3 x and tells you where they are documented The table includes a brief description of each new feature and the release in which th...

Page 54: ...vice Alias Services Configuring Generation 2 Switches and Modules Updated table Bandwidth and Port Groups for Generation 2 FC Modules and Fabric Switches in Port Groups section 3 3 1a Chapter 14 Configuring Generation 2 Switches and Modules Configuring iSCSI Added the enable and disable command for modules in the iSCSI feature 3 2 2b Chapter 42 Configuring iSCSI Obtaining and Installing Licenses R...

Page 55: ...on support of the switches throughout the book 3 1 2 Chapter 4 On Demand Port Activation Licensing Chapter 7 Software Images On Demand Port Activation Licensing Added port naming conventions f and switch behavior of Cisco Fabric Switch for HP c Class BladeSystem and Cisco Fabric Switch for IBM BladeCenter 3 1 2 Chapter 4 On Demand Port Activation Licensing Running the CompactFlash Report Enables u...

Page 56: ...its for IVR zones to 8000 and for IVR zone members to 20 000 3 0 3 Chapter 22 Configuring Inter VSAN Routing RLIR messages Allows you to specify a server to receive Registered Link Incident Report RLIR frames 3 0 3 Chapter 28 Configuring FICON User configuration limit Sets the maximum number of users on a switch to 256 3 0 3 Chapter 39 Configuring Users and Common Roles show tech support command A...

Page 57: ...nded supervisor module management procedures Preparing to remove supervisor modules from Cisco MDS 9500 Series Directors containing both Generation 1 and Generation 2 switching modules Migrating from Supervisor 1 modules to Supervisor 2 modules in the Cisco MDS 9500 Series Directors 3 0 1 Chapter 7 Software Images boot auto copy command enabled by default Changes the default state for the boot aut...

Page 58: ...N Increases the maximum number of zones per VSAN from 2000 to 8000 3 0 1 Chapter 23 Configuring and Managing Zones Zone analysis Provides a means to analyze zone characteristics using the show zone analysis command 3 0 1 Chapter 23 Configuring and Managing Zones Device alias rename Allows existing device aliases to be renamed 3 0 1 Chapter 24 Distributing Device Alias Services In order delivery en...

Page 59: ... interoperating with certificate authorities and using digital certificates for secure communication with peers 3 0 1 Chapter 34 Configuring Certificate Authorities and Digital Certificates IKE digital certificate support Allows IKE to use digital certificates for authentication instead of using preshared keys 3 0 1 Chapter 35 Configuring IPsec Network Security IKE fully qualified domain name FQDN...

Page 60: ...figuring Call Home QoS behavior Provides information about the behavior of QoS with different combinations of Generation 1 and Generation 2 switching modules 3 0 1 Chapter 56 Configuring Fabric Congestion Control and QoS On line system health maintenance OHMS enhancements Includes the following OHMS enhancements Configuring the global frame length for loopback test for all modules on the switch Sp...

Page 61: ...sents an overview of the Cisco MDS 9000 Family of multilayer switches and directors Chapter 2 Before You Begin Describes the command line interface CLI Chapter 3 Obtaining and Installing Licenses Describes license types procedure installation and management for the Cisco MDS SAN OS software Chapter 4 On Demand Port Activation Licensing Describes how to use the on demand port activation licensing f...

Page 62: ...and includes quidelines and requirements for configuring and verifying NPV Chapter 14 Configuring Generation 2 Switches and Modules Explains configuration concepts for Generation 2 module ports and interfaces Chapter 15 Configuring Trunking Explains TE ports and trunking concepts Chapter 16 Configuring PortChannels Explains PortChannels and load balancing concepts and provides details on configuri...

Page 63: ... required to manage storage devices and display registered state change notification RSCN databases Chapter 27 Discovering SCSI Targets Describes how the SCSI LUN discovery feature is started and displayed Chapter 28 Configuring FICON Provides details on the FI bre CON nection FICON interface fabric binding and the Registered Link Incident Report RLIR capabilities in Cisco MDS switches Chapter 29 ...

Page 64: ...access Fibre Channel storage using the iSCSI protocol Chapter 41 Configuring the SAN Extension Tuner Explains the SAN extension tuner SET feature that optimizes FCIP performance Chapter 42 Configuring iSCSI Describes the iSCSI feature that is specific to the IPS module and is available in the Cisco MDS 9200 Switches or Cisco MDS 9500 Directors Chapter 43 Configuring IP Services Provides details on...

Page 65: ...e fabric configuration server FCS feature is configured and displayed Chapter 56 Configuring Fabric Congestion Control and QoS Provides details on the quality of service QoS and Fibre Channel Congestion Control FCC features Chapter 57 Configuring Port Tracking Provides information about a port tracking feature that provides a faster recovery from link failures Chapter 58 Troubleshooting Your Fabri...

Page 66: ...in the manual Caution Means reader be careful In this situation you might do something that could result in equipment damage or loss of data screen font Terminal sessions and information the switch displays are in screen font boldface screen font Information you must enter is in boldface screen font italic screen font Arguments for which you supply values are in italic screen font Nonprinting char...

Page 67: ...S SAN OS Releases Cisco MDS 9000 Family Release Notes for Storage Services Interface Images Cisco MDS 9000 Family Release Notes for Cisco MDS 9000 EPLD Images Compatibility Information Cisco MDS 9000 SAN OS Hardware and Software Compatibility Information Cisco MDS 9000 Family Interoperability Support Matrix Cisco MDS SAN OS Release Compatibility Matrix for IBM SAN Volume Controller Software for Ci...

Page 68: ...mand Reference Cisco MDS 9020 Fabric Switch Configuration Guide and Command Reference Cisco MDS 9000 Family SAN Volume Controller Configuration Guide Intelligent Storage Networking Services Configuration Guides Cisco MDS 9000 Family Data Mobility Manager Configuration Guide Cisco MDS 9000 Family Storage Media Encryption Configuration Guide Cisco MDS 9000 Family Secure Erase Configuration Guide For...

Page 69: ...umentation DVD The Product Documentation DVD is a comprehensive library of technical product documentation on a portable medium The DVD enables you to access multiple versions of installation configuration and command guides for Cisco hardware and software products With the DVD you have access to the same HTML documentation that is found on the Cisco website without being connected to the Internet...

Page 70: ... Cisco products Register to receive security information from Cisco A current list of security advisories security notices and security responses for Cisco products is available at this URL http www cisco com go psirt To see security advisories security notices and security responses as they are updated in real time you can subscribe to the Product Security Incident Response Team Really Simple Syn...

Page 71: ...stance Center TAC engineers provide telephone support If you do not have a valid Cisco service contract contact your reseller Cisco Technical Support Documentation Website The Cisco Technical Support Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies The website is available 24 hours a day at this URL ht...

Page 72: ...ty To ensure that all service requests are reported in a standard format Cisco has established severity definitions Severity 1 S1 An existing network is down or there is a critical impact to your business operations You and Cisco will commit all necessary resources around the clock to resolve the situation Severity 2 S2 Operation of an existing network is severely degraded or significant aspects o...

Page 73: ... latest industry trends technology breakthroughs and Cisco products and solutions as well as network deployment and troubleshooting tips configuration examples customer case studies certification and training information and links to scores of in depth online resources You can access Packet magazine at this URL http www cisco com packet iQ Magazine is the quarterly publication from Cisco Systems d...

Page 74: ...c i s c o c o m lxxiv Cisco MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Preface Related Documentation World class networking training is available from Cisco You can view current offerings at this URL http www cisco com en US learning index html ...

Page 75: ...Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m P A R T 1 Getting Started ...

Page 76: ...Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m ...

Page 77: ...histicated debug analysis tools and unified SAN management This chapter lists the hardware features for the Cisco MDS 9000 Family and describes its software features It includes the following sections Hardware Overview page 1 1 Cisco SAN OS Software Configuration page 1 5 Hardware Overview This section provides an overview of the following Cisco MDS 9000 Family of multilayer directors and fabric s...

Page 78: ... chassis during migration See the Migrating from Supervisor 1 Modules to Supervisor 2 Modules section on page 7 32 The two supervisor modules ensure high availability and traffic load balancing capabilities The standby supervisor module provides redundancy if the active supervisor module fails Supervisor 1 modules provide management access through a 10 100BASE T Ethernet port switch and an RS 232 ...

Page 79: ...s support the following switching and services modules 48 port 4 Gbps Fibre Channel switching module 24 port 4 Gbps Fibre Channel switching module 12 port 4 Gbps Fibre Channel switching module 4 port 10 Gbps Fibre Channel switching module 32 port 2 Gbps Fibre Channel switching module 16 port 2 Gbps Fibre Channel switching module 14 2 port Multiprotocol Services MPS 14 2 module 8 port IP Storage Se...

Page 80: ... supports the following switching and services modules 32 port 2 Gbps Fibre Channel switching module 16 port 2 Gbps Fibre Channel switching module 14 2 port Multiprotocol Services MPS 14 2 module 8 port IP Storage Services IPS 8 module 4 port IP Storage Services IPS 4 module Refer to the Cisco MDS 9200 Series Hardware Installation Guide and the Cisco MDS 9216 Switch Hardware Installation Guide Cis...

Page 81: ...are configuration process with links to the appropriate chapters This section includes the following topics Tools for Software Configuration page 1 5 Software Configuration Overview page 1 6 Tools for Software Configuration You can use one of two configuration management tools to configure your SANs see Figure 1 1 The command line interface CLI can manage Cisco MDS 9000 Family switches using Telne...

Page 82: ...configuration information for a single switch Summary View presents real time performance statistics of all active interfaces and channels on the switch for Fibre Channel and IP connections Fabric Manager Web Services allows operators to monitor MDS events performance and inventory and perform minor configuration tasks from a remote location using a web browser Performance Manager provides detaile...

Page 83: ... Intelligent Storage Services page 1 8 Network and Switch Monitoring page 1 8 Traffic Management page 1 8 Switch Configuration On demand port activation licensing Chapter 4 On Demand Port Activation Licensing N Port virtualization Chapter 13 Configuring N Port Virtualization Generation 2 switching modules Chapter 14 Configuring Generation 2 Switches and Modules High Availability Chapter 9 Configur...

Page 84: ... Fabric Binding IP Services FCIP Chapter 40 Configuring FCIP SAN extension tuner Chapter 41 Configuring the SAN Extension Tuner iSCSI Chapter 42 Configuring iSCSI IP services Chapter 43 Configuring IP Services IP storage Chapter 44 Configuring IP Storage IPv4 Chapter 45 Configuring IPv4 for Gigabit Ethernet Interfaces IPv6 Chapter 46 Configuring IPv6 for Gigabit Ethernet Interfaces Intelligent Sto...

Page 85: ... 2 3 Using the CLI page 2 3 Getting Help page 2 10 Managing the Switch Configuration page 2 11 Displaying Users page 2 14 Sending Messages to Users page 2 14 Using the ping and ping ipv6 Commands page 2 15 Using the Extended ping and ping ipv6 Commands page 2 15 Using traceroute and traceroute ipv6 Commands page 2 16 Configuring Terminal Parameters page 2 17 Configuring the Switch Banner Message p...

Page 86: ...bootup log messages Basic System Configuration Dialog This setup utility will guide you through the basic configuration of the system Use ctrl c to abort configuration dialog at any prompt Basic management setup configures only enough connectivity for management of the system Would you like to enter the basic configuration dialog yes no yes after configuration switch login admin101 Password Cisco ...

Page 87: ...on of the command See Chapter 39 Configuring Users and Common Roles Using the CLI This section includes the following topics CLI Command Modes page 2 3 CLI Command Hierarchy page 2 4 CLI Command Hierarchy page 2 4 CLI Command Navigation page 2 9 Command Completion page 2 9 File System Completion page 2 9 The no and Default Forms of Commands page 2 10 CLI Command Configuration Options page 2 10 CLI...

Page 88: ... grouped under the show command and all commands that allow you to configure the switch are grouped under the config terminal command Figure 2 1 illustrates a portion of the config terminal command hierarchy Figure 2 1 CLI Command Hierarchy Example Table 2 1 Frequently Used Switch Command Modes Mode Description of Use How to Access Prompt EXEC Enables you to temporarily change terminal settings pe...

Page 89: ... EXEC Mode Options When you start a session on the switch you begin in EXEC mode Based on the role or group to which you belong you have access to limited commands or to all commands see the Role Based Authorization section on page 39 1 From EXEC mode you can enter configuration mode Most of the EXEC commands are one time commands such as show commands which display the current configuration statu...

Page 90: ...nfiguration these commands are preserved across switch reboots Once you are in configuration mode you can enter interface configuration submode zone configuration submode and a variety of feature specific submodes Configuration mode is the starting point for all configuration commands When you are in configuration mode the switch expects configuration commands from the user The following example s...

Page 91: ...onfigure IP features ips Various sibyte module related commands ipv6 Configure IPv6 features iscsi Enable Disable iSCSI islb ISCSI server load balancing isns Configure iSNS isns server ISNS server ivr Config commands for IVR kernel Kernel options line Configure a terminal line logging Modify message logging facilities mcast Configure multicast nasb Configure Third Party Copy Functionality no Negat...

Page 92: ...e within the configuration mode When in configuration mode or in any submode enter the do command along with the required EXEC mode command The entered command is executed at the EXEC level and the prompt resumes its current mode level switch config do terminal session timeout 0 switch config In this example terminal session timeout is an EXEC mode command you are issuing an EXEC mode command usin...

Page 93: ...sting command string Command Completion In any command mode you can begin a particular command sequence and immediately press the Tab key to complete the rest of the command switch config ro Tab switch config role Tab switch config role name This form of help is called command completion because it completes a word for you If several options are available for the typed letters all options that mat...

Page 94: ...lete a zone facility called test while residing in it You must first exit the zone configuration submode and return to configuration mode Revert to the default value If you issue the zone merge control restrict vsan command you can undo the results switch config zone zone merge control restrict vsan 10 switch config no zone merge control restrict vsan 10 switch config CLI Command Configuration Opt...

Page 95: ...nfiguration tree from the EXEC prompt issue the show running config command If the running configuration is different from the startup configuration issue the show startup config command to view the ASCII version of the current startup configuration that was used to boot the switch if a copy run start command was not issued after the reboot Use the show startup config command to view the contents ...

Page 96: ...n 1 1 2 kickstart version 2 0 1 build 2 0 0 6 gdb system version 2 0 1 build 2 0 0 6 gdb BIOS compile time 08 07 03 kickstart image file is bootflash m9500 sf1ek9 kickstart mzg 2 0 0 6 bin kickstart compile time 10 25 2010 12 00 00 system image file is bootflash m9500 sf1ek9 mzg 2 0 0 6 bin system compile time 10 25 2020 12 00 00 Hardware RAM 1024584 kB bootflash 1000944 blocks block size 512b slo...

Page 97: ...ion none iscsi enable iscsi import target fc iscsi virtual target name vt pWWN 21 00 00 04 cf 4c 52 c1 all initiator permit 1 20 fcip enable aaa accounting logsize 500 ip default gateway 172 22 91 1 iscsi authentication none iscsi enable iscsi initiator name junk iscsi virtual target name vt pWWN 21 00 00 04 cf 4c 52 c1 all initiator permit Example 2 6 Displays the Configuration for a Specified In...

Page 98: ...ued the switch s startup configuration reverts to factory defaults The running configuration is not affected Caution The write erase command erases the entire startup configuration with the exception of any configuration that affects the loader functionality The write erase boot command only erases the configuration that affects the loader functionality The loader functionality configuration inclu...

Page 99: ...f fe01 a4fa interface gigabitethernet 1 1 PING fe80 205 30ff fe01 a4fa fe80 205 30ff fe01 a4fa from 1 gige1 1 56 data bytes 64 bytes from fe80 205 30ff fe01 a4fa icmp_seq 1 ttl 64 time 0 091 ms 64 bytes from fe80 205 30ff fe01 a4fa icmp_seq 2 ttl 64 time 0 077 ms 64 bytes from fe80 205 30ff fe01 a4fa icmp_seq 3 ttl 64 time 0 080 ms 64 bytes from fe80 205 30ff fe01 a4fa icmp_seq 4 ttl 64 time 0 075...

Page 100: ... 642 0 872 0 120 ms To abnormally terminate a ping session type the Ctrl C escape sequence Using traceroute and traceroute ipv6 Commands Use the traceroute command to print the routes taken to reach a specified host or IP address The IPv4 syntax for this command is traceroute host or traceroute ipv4 address Sweep range of sizes The sizes of the echo packets being sent This option determines the mi...

Page 101: ... for this command is traceroute ipv6 host or traceroute ipv6 ipv6 address switch traceroute ipv6 Target IPv6 address 2001 0DB8 3 64 Datagram size 40 Extended commands n y Maximum time to live 30 Source address Port number 33434 To cancel a traceroute or traceroute ipv6 command before it completes enter Ctrl C Configuring Terminal Parameters This section includes the following topics Setting the Te...

Page 102: ...atabits 8 bits per byte Stopbits 1 bit s Parity none Modem In Disable Modem Init String default ATE0Q1 D2 C1S0 1 015 Hardware Flowcontrol ON Statistics tx 35 rx 0 Register Bits RTS DTR Clearing Terminal Sessions Use the clear line command to clear a specified terminal session switch clear line Aux Setting the Terminal Timeout Use the terminal session timeout command in EXEC mode to configure the a...

Page 103: ...d SSH sessions set the length automatically The syntax for this command is terminal length lines switch terminal length 20 Sets the screen length for the current session to 20 lines for the current terminal session The default is 24 lines Setting the Terminal Screen Width Use the terminal width command in EXEC mode to set the terminal screen width for the current session This command is specific t...

Page 104: ...tring Do not use and as delimiters You can include tokens in the form token in the message text Tokens will be replaced with the corresponding configuration variable For example hostname displays the host name for the switch line displays the vty or tty line or name The following example spans multiple lines and uses tokens to configure the banner message switch config t switch config banner motd ...

Page 105: ...ed CLI Session Variables You can define CLI session variables to persist only for the duration of your CLI session using the cli var name command in EXEC mode CLI session variables are useful for scripts that you execute periodically The following example shows how to create a user defined CLI session variable switch cli var name testinterface fc 1 1 You can reference a variable using the syntax v...

Page 106: ...The following example shows how to create a user defined CLI persistent variable switch config t switch config cli var name mgmtport mgmt 0 switch config exit switch You can reference a variable using the syntax variable The following example shows how to reference a user defined CLI persistent variable switch show interface mgmtport mgmt0 is up Hardware is FastEthernet Address is 000e 38c6 2c6c I...

Page 107: ... a file switch show running config rcfg TIMESTAMP Preparing to copy done switch dir volatile 7231 Oct 03 20 20 42 2005 rcfg 2005 10 03 20 20 42 Usage for volatile sup local 8192 bytes used 20963328 bytes free 20971520 bytes total Using Command Aliases Command alias support has the following characteristics Command aliases are global for all user sessions Command aliases are persist across reboots ...

Page 108: ...he switch using the alias default command alias The following example shows how to display the command aliases defined on the switch switch alias CLI alias commands alias show cli alias gigint interface gigabitethernet shintbr show interface brief shfcintup shintbr include up include fc About Flash Devices Every switch in the Cisco MDS 9000 Family contains one internal bootflash see Figure 2 2 The...

Page 109: ...state See the About Flash Devices section on page 2 24 and the Using Switch File Systems section on page 2 26 Initializing Internal bootflash When a switch is shipped the init system command is already performed and you do not need to issue it again Initializing the switch resets the entire internal Flash device and erases all data in the bootflash file system The internal Flash device is composed...

Page 110: ...will see the following message Device unavailable In this case you need to format the CompactFlash device using the format slot0 command Note The slot0 file system cannot be accessed from either the standby loader prompt or the switch boot prompt if the disk is inserted after booting the switch Caution The Cisco SAN OS software only supports CompactFlash devices that are certified by Cisco Systems...

Page 111: ...co MDS 9509 switches 2 Cisco MDS 9513 Directors Internal CompactFlash memory located on the active supervisor used for storing system images configuration files and other miscellaneous files sup standby sup remote sup 2 module 61 module 82 Internal CompactFlash memory located on the standby supervisor used for storing system images configuration files and other miscellaneous files slot0 External C...

Page 112: ... the directory and displays the current directory switch cd bootflash switch pwd bootflash Note If you issue this command from the active supervisor module in a Cisco MDS 9500 Series for example module 5 then you cannot change the current working directory to the bootflash of module 6 See the Supervisor Modules section on page 11 2 Displaying File Checksums The show file file md5sum command provid...

Page 113: ...ates a directory called test at the current directory level switch mkdir test If the current directory is slot0 mydir this command creates a directory called slot0 mydir test Deleting an Existing Directory The rmdir command deletes an existing directory at the current directory level or at a specified directory level The directory must be empty to be deleted The syntax for this command is rmdir di...

Page 114: ... copies a file between file systems within a switch Note Use the dir command to ensure that enough space is available in the target file system If enough space is not available use the delete command to remove unneeded files The syntax for the copy command follows and is explained in Table 2 5 switch copy scheme module filename scheme module filename This example copies the file called samplefile ...

Page 115: ...y You can also use the copy command to upload and download files from the slot0 or bootflash file system to or from a FTP TFTP SFTP or SCP server see the Copying Configuration Files section on page 8 5 Deleting Files The delete command deletes a specified file or the specified directory and all its contents see the Deleting Configuration Files section on page 8 8 This example shows how to delete a...

Page 116: ...le system The current directory can be viewed using the pwd command and changed using the cd command Compressing and Uncompressing Files The gzip command compresses zips the specified file using LZ77 coding This example directs the output of the show tech support command to a file Samplefile and then zips the file and displays the difference in the space used up in the volatile directory switch sh...

Page 117: ...ides in the bootflash directory The syntax for this command is run script filename This example displays the CLI commands specified in the testfile that resides in the slot0 directory switch show file slot0 testfile conf t interface fc 1 1 no shutdown end sh interface fc1 1 This file output is in response to the run script command executing the contents in the testfile file switch run script slot0...

Page 118: ...n is 1 Receive data field Size is 2112 Beacon is turned off 5 minutes input rate 0 bits sec 0 bytes sec 0 frames sec 5 minutes output rate 0 bits sec 0 bytes sec 0 frames sec 1 frames input 128 bytes 0 discards 0 errors 0 CRC 0 unknown class 0 too long 0 too short 1 frames output 128 bytes 0 discards 0 errors 0 input OLS 0 LRR 0 NOS 0 loop inits 0 output OLS 0 LRR 0 NOS 0 loop inits 0 receive B2B ...

Page 119: ...This command is useful within scripts For example if you create a command script called test script switch show file slot0 test script discover scsi target remote sleep 10 show scsi target disk switch run script slot0 test script When you execute the slot0 test script command script the switch software executes the discover scsi target remote command and then waits for 10 seconds before executing ...

Page 120: ... m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m 2 36 Cisco MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 2 Before You Begin Command Scripts ...

Page 121: ...Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m P A R T 2 Cisco MDS SAN OS Installation and Switch Management ...

Page 122: ...Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m ...

Page 123: ...e 3 2 Licensing High Availability page 3 8 Options to Install a License page 3 8 Obtaining a Factory Installed License page 3 9 Performing a Manual Installation page 3 9 Obtaining the License Key File page 3 10 Installing the License Key File page 3 10 Backing Up License Files page 3 12 Identifying License Features in Use page 3 12 Uninstalling Licenses page 3 13 Updating Licenses page 3 14 Grace ...

Page 124: ...e has been installed that license will show as missing The feature will still work but the license count will be inaccurate You should reinstall the license as soon as possible Incremental license An additional licensed feature that was not in the initial license file License keys are incremental if you purchase some features now and others later the license file and the software detect the sum of...

Page 125: ...hat are applicable to the entire switch The cost varies based on a per switch usage Table 3 1 lists the feature based license packages Module based licenses allow features that require additional hardware modules The cost varies based on a per module usage An example is the IPS 8 or IPS 4 module using the FCIP feature Note Each module requires its own separate license If you replace a module that ...

Page 126: ...uch as FCIP on the IP ports of the additional module Table 3 1 Feature Based Licenses Feature License Features Enterprise package ENTERPRISE_PKG Enhanced security features LUN zoning Read only zones FC Port security VSAN based access control Fibre Channel Security Protocol FC SP authentication Advanced traffic engineering quality of service QoS IP security IPsec protocol for iSCSI and FCIP using t...

Page 127: ...th the Cisco MDS 9216i switch and do not require the SAN extension over IP package to be installed for the fixed IP ports on the integrated supervisor module You must install a SAN extension over IP package if you install an MPS 14 2 IPS 8 or IPS 4 module in the Cisco MDS9216i switch The following features apply to the MPS 14 2 module and the fixed Cisco MDS 9216i IP ports FCIP Hardware based FCIP...

Page 128: ...M_SERVER_PKG Centralized Multiple physical fabric management Fabric discovery services Continuous MDS health and event monitoring Long term historical Fibre Channel performance monitoring and reporting Custom performance reports and charting for hotspot analysis Historical Performance Monitoring Performance prediction Performance threshold monitoring Fabric Manager Web Client for operational view ...

Page 129: ...e normal behaviour of the licensed ports Activates ports in 8 port increments on the Cisco MDS 9124 Fabric Switch which has 24 ports The first 8 ports are licensed by default Activates 8 ports of 4Gbps on the Cisco MDS 9134 Fabric Switch The switch has 32 ports 24 of which are licensed by default On the Cisco Fabric Switch for HP c Class BladeSystem any eight internal ports and external ports ext1...

Page 130: ...he 120 day grace period the switch does not have a valid license key for the feature the feature is automatically disabled by the switch Directors in the Cisco MDS 9500 Series have the following additional high availability features The license software runs on both supervisor modules and provides failover protection The license key file is mirrored on both supervisor modules Even if both supervis...

Page 131: ...ttp www cisco com warp public 687 Directory DirTAC shtml Your switch is shipped with the required licenses installed in the system The proof of purchase document is sent along with the switch Step 2 Obtain the host ID from the proof of purchase document for future use Step 3 Start to use the switch and the licensed features Performing a Manual Installation If you have existing switches or if you w...

Page 132: ...p 4 Locate the website URL from either the claim certificate or the proof of purchase document Step 5 Access the specified URL that applies to your switch and enter the switch serial number and the PAK The license key file is sent to you by e mail The license key file is digitally signed to only authorize use on the requested switch The requested features are also enabled once the Cisco SAN OS sof...

Page 133: ...visor module from the switch console switch install license bootflash license_file lic Installing license done Note If you provide a target name for the license key file the file is installed with the specified name Otherwise the filename specified in the license key file is used to install the license Step 3 Back up the license file to a tar file on bootflash using the copy licenses command switc...

Page 134: ...tftp Please provide a complete URI switch install license system scp Please provide a complete URI Example 3 1 A Sample of the install license Command Issued Using a Remote Download switch install license bootflash license_file lic kickstart tftp Backing Up License Files All installed license files can be backed up as a tar file in the user specified location Use the copy licenses command in EXEC ...

Page 135: ...permanent license that is currently being used the software rejects the request and issues an error message Uninstalling an unused license causes the grace period to come into effect The grace period is counted from the first use of the feature without a license and is reset when a valid license file is installed Note Permanent licenses cannot be uninstalled if they are currently being used Featur...

Page 136: ...Clearing license done The Enterprise lic license key file is now uninstalled Updating Licenses If your license is time bound you must obtain and install an updated license Contact technical support to request an updated license Note If you purchased Cisco support through a Cisco reseller contact the reseller directly If you purchased support directly from Cisco Systems contact Cisco Technical Supp...

Page 137: ...e evaluating a feature for which you have not installed a license Note There is no grace period for licenses purchased for the On Demand Port Activation license feature The grace period stops if you disable a feature you are evaluating but if you enable that feature again without a valid license the grace period countdown continues where it left off The grace period operates across all features in...

Page 138: ...D 16H MAINFRAME_PKG No Unused Grace expired ENTERPRISE_PKG Yes Unused never license missing DMM_FOR_SSM_PKG No 0 Unused SAN_EXTN_OVER_IP Yes 16 Unused never PORT_ACTIVATION_PKG No 0 Unused SME_FOR_IPS_184_PKG No 0 Unused Grace 86D 5H SAN_EXTN_OVER_IP_18_4 No 0 Unused SAN_EXTN_OVER_IP_IPS2 Yes 1 Unused never 1 license s missing SAN_EXTN_OVER_IP_IPS4 No 0 Unused 10G_PORT_ACTIVATION_PKG No 0 Unused S...

Page 139: ...EXTN_OVER_IP_IPS4 No 0 Unused 10G_PORT_ACTIVATION_PKG No 0 Unused SAN_EXTN_OVER_IP_18_4 No 0 Unused STORAGE_SERVICES_ENABLER_PKG Yes 1 Unused never 1 license s missing Example 3 3 Displays the List of Features in a Specified Package switch show license usage ENTERPRISE_PKG Application ivr qos_manager Example 3 4 Displays the Host ID for the License switch show license host id License hostid FOX064...

Page 140: ...cense Information Example 3 6 Displays a List of Installed License Key Files switch show license brief Enterprise lic Ficon lic FCIP lic Example 3 7 Displays the Contents of a Specified License Key File switch show license file Permanent lic Permanent lic SERVER this_host ANY VENDOR cisco INCREMENT MAINFRAME_PKG cisco 1 0 permanent uncounted HOSTID FOX0646S017 NOTICE LicFileID LicFileID LicLineID ...

Page 141: ...and Port Activation License Example page 4 13 About On Demand Port Activation Licensing As of Cisco MDS SAN OS Release 3 1 1 you can expand your SAN connectivity as needed by enabling users to purchase and install additional port licenses By default all ports are eligible for license activation On the Cisco MDS 9124 Fabric Switch licenses are allocated sequentially However you can move or reassign...

Page 142: ...orts in 8 port increments with each on demand port activation license up to a total of 24 ports On the Cisco MDS 9134 Switch the first 24 ports that can operate at 1 Gbps 2 Gbps or 4 Gbps are licensed by default If you need additional connectivity you can activate the remaining eight ports with one on demand port activation license A separate 10G license file is required to activate the remaining ...

Page 143: ...ports On the Cisco Fabric Switch for IBM BladeCenter any seven internal ports and the external ports ext0 ext15 and ext16 are licensed by default A single on demand port activation license is required to use the remaining seven internal and three external ports Figure 4 4 shows the external ports that are licensed by default for the Cisco Fabric Switch for IBM BladeCenter Figure 4 4 Cisco Fabric S...

Page 144: ...cquired fc1 9 16809984 eligible fc1 10 16814080 eligible fc1 11 16818176 eligible fc1 12 16822272 eligible fc1 13 16826368 eligible fc1 14 16830464 eligible fc1 15 16834560 eligible fc1 16 16838656 eligible fc1 17 16842752 eligible fc1 18 16846848 eligible fc1 19 16850944 eligible fc1 20 16855040 eligible fc1 21 16859136 eligible fc1 22 16863232 eligible fc1 23 16867328 eligible fc1 24 16871424 el...

Page 145: ...ed fc1 15 16834560 acquired fc1 16 16838656 acquired fc1 17 16842752 acquired fc1 18 16846848 acquired fc1 19 16850944 acquired fc1 20 16855040 acquired fc1 21 16859136 acquired fc1 22 16863232 acquired fc1 23 16867328 acquired fc1 24 16871424 acquired fc1 25 16875520 eligible fc1 26 16879616 eligible fc1 27 16883712 eligible fc1 28 16887808 eligible fc1 29 16891904 eligible fc1 30 16896000 eligib...

Page 146: ...ilable bay port activation licenses are 0 Interface Cookie Port Activation License bay1 16838656 acquired bay2 16834560 eligible bay3 16818176 acquired bay4 16809984 eligible bay5 16789504 acquired bay6 16781312 eligible bay7 16805888 eligible bay8 16863232 acquired bay9 16850944 acquired bay10 16842752 acquired bay11 16822272 acquired bay12 16826368 eligible bay13 16785408 acquired bay14 16797696...

Page 147: ... licenses are 0 Available bay port activation licenses are 0 Interface Cookie Port Activation License bay1 16850944 eligible bay2 16838656 eligible bay3 16842752 acquired bay4 16834560 eligible bay5 16822272 acquired bay6 16818176 eligible bay7 16826368 acquired bay8 16809984 eligible bay9 16797696 acquired bay10 16781312 eligible bay11 16785408 acquired bay12 16789504 eligible bay13 16801792 acqu...

Page 148: ...tch If a license is in use the status displayed is In use If a license is installed but no ports have acquired a license then the status displayed is Unused The default license package for the Cisco MDS 9124 Switch is as follows switch show license usage Feature Ins Lic Status Expiry Date Comments Count FM_SERVER_PKG Yes Unused never ENTERPRISE_PKG Yes In use never PORT_ACTIVATION_PKG No 8 In use ...

Page 149: ...cense usage Feature Ins Lic Status Expiry Date Comments Count FM_SERVER_PKG Yes Unused never ENTERPRISE_PKG Yes In use never PORT_ACTIVATION_PKG No 24 In use never 10G_PORT_ACTIVATION_PKG yes 2 Unused never Note The PORT_ACTIVATION_PKG does not appear as installed if you have only the default license installed Table 4 5 describes the port license assignments for the Cisco Fabric Switch for HP c Cl...

Page 150: ... IBM BladeCenter You can use the show license usage command to view any licenses assigned to a switch The default license package for the Cisco Fabric Switch for IBM BladeCenter is as follows switch show license usage Feature Ins Lic Status Expiry Date Comments Count FM_SERVER_PKG No Unused ENTERPRISE_PKG No Unused PORT_ACTIVATION_PKG No 10 In use never 10G_PORT_ACTIVATION_PKG No 0 Unused Note The...

Page 151: ... configuration mode Step 2 switch config interface fc1 1 switch config if Specifies the port interface that you want to make eligible for a license Note The name of the port depends on the switch you are using See Port Naming Conventions section on page 4 2 for information on port names Step 3 switch config if port license Makes the port eligible to acquire a license switch config if no port licen...

Page 152: ...ommand then on the next reload these ports will retain the licenses To move a license from one port to another in this example from fc1 1 to fc1 24 follow these steps Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config interface fc1 1 switch config if Specifies the port interface from which you want to move a license Note The name of the port depends...

Page 153: ...9124 Switch Step 1 Display the default port license configuration switch show port license Available port activation licenses are 0 Interface Cookie Port Activation License fc1 1 16777216 acquired fc1 2 16781312 acquired fc1 3 16785408 acquired fc1 4 16789504 acquired fc1 5 16793600 acquired fc1 6 16797696 acquired fc1 7 16801792 acquired fc1 8 16805888 acquired fc1 9 16809984 eligible fc1 10 1681...

Page 154: ...ired fc1 6 16797696 acquired fc1 7 16801792 acquired fc1 8 16805888 ineligible fc1 9 16809984 eligible fc1 10 16814080 eligible Step 4 Display the licensed features to confirm that you have successfully installed PORT_ACTIVATION_PKG switch show license default Feature Default License Count FM_SERVER_PKG ENTERPRISE_PKG PORT_ACTIVATION_PKG 8 10G_PORT_ACTIVATION_PKG 0 switch Step 5 Display the port l...

Page 155: ...ace Cookie Port Activation License fc1 1 16777216 acquired fc1 2 16781312 acquired fc1 3 16785408 acquired fc1 4 16789504 acquired fc1 5 16793600 acquired fc1 6 16797696 acquired fc1 7 16801792 acquired fc1 8 16805888 ineligible fc1 9 16809984 acquired fc1 10 16814080 acquired fc1 11 16818176 acquired fc1 12 16822272 acquired fc1 13 16826368 acquired fc1 14 16830464 acquired fc1 15 16834560 acquir...

Page 156: ... shutdown interface fc1 2 switchport trunk mode auto port license acquire channel group 122 force no shutdown interface fc1 3 switchport trunk mode auto port license acquire no shutdown interface fc1 4 port license acquire no shutdown interface fc1 5 switchport trunk mode auto port license acquire port track interface fc1 13 port track interface fc1 21 port track interface fc1 24 port track interf...

Page 157: ...page 5 2 Initial Setup Routine page 5 2 Accessing the Switch page 5 14 Assigning a Switch Name page 5 15 Where Do You Go Next page 5 15 Verifying the Module Status page 5 15 Configuring Date Time and Time Zone page 5 16 NTP Configuration page 5 19 Management Interface Configuration page 5 25 Default Gateway Configuration page 5 26 Telnet Server Connection page 5 27 Configuring Console Port Setting...

Page 158: ... ID information for future use for example to enable licensed features The host ID information is provided in the Proof of Purchase document that accompanies the switch Step 2 Verify that the default console port parameters are identical to those of the computer terminal or terminal server attached to the switch console port 9600 baud 8 data bits 1 stop bit No parity Note On Cisco terminal servers...

Page 159: ...The management interface can be an out of band Ethernet interface or an in band Fibre Channel interface recommended If you are using an IPv4 address for the management interface you need the following information IPv4 subnet mask for the switch s management interface optional Destination IPv4 prefix destination IPv4 prefix subnet mask and next hop IPv4 address if you want to enable IP routing IPv4...

Page 160: ...t bring up the loader prompt the only way to fix this condition is to RMA the switch The following commands are not allowed on the Cisco Fabric Switch for IBM BladeCenter write erase boot and init system nor can you boot variables manually Note If you issue a write erase command and reload the switch you must reconfigure the default user admin password using the setup procedure Setup Options The s...

Page 161: ...rator is a requirement and cannot be skipped See the Characteristics of Strong Passwords section on page 39 11 Tip If you do not wish to answer a previously configured question or if you wish to skip answers to any questions press Enter If a default answer is not available for example switch name the switch uses what was previously configured and skips to the next question Note The setup script on...

Page 162: ... guide you through the basic configuration of the system Setup configures only enough connectivity for management of the system Please register Cisco MDS 9000 Family devices promptly with your supplier Failure to register may affect response times for initial service calls MDS devices must be registered to receive entitled support services Press Enter incase you want to skip any dialog Use ctrl c ...

Page 163: ...ad only or read write SNMP community string Configure read only SNMP community string yes no n yes a Enter the SNMP community string SNMP community string snmp_community Step 8 Enter a name for the switch Note The switch name is limited to 32 alphanumeric characters The default is switch Enter the switch name switch_name Step 9 Enter yes yes is the default to configure out of band management Conti...

Page 164: ... default gateway IP address d Enter yes yes is the default to configure the default network recommended Configure the default network yes no y yes Enter the default network IPv4 address Note The default network IPv4 address is the destination prefix provided in Step 11c Default network IP address dest_prefix dest_prefix e Enter yes yes is the default to configure the DNS IPv4 address Configure the...

Page 165: ...ep 20 Enter on off is the default to configure the PortChannel auto create state Configure default port channel auto create state on off off on Step 21 Enter permit deny is the default to deny a default zone policy configuration Configure default zone policy permit deny deny permit Permits traffic flow to all members of the default zone Note If you are executing the setup script after issuing a wr...

Page 166: ...y configured see Chapter 7 Software Images Configuring In Band Management The in band management logical interface is VSAN 1 This management interface uses the Fibre Channel infrastructure to transport IP traffic An interface for VSAN 1 is created on every switch in the fabric Each switch should have its VSAN 1 interface configured with either an IPv4 address or an IPv6 address in the same subnetw...

Page 167: ...only or read write SNMP community string a Enter no no is the default to avoid configuring the read only SNMP community string Configure read only SNMP community string yes no n no b Enter no no is the default to configure the read only SNMP community string Configure read only SNMP community string yes no n yes c Enter the SNMP community string SNMP community string snmp_community Step 6 Enter a ...

Page 168: ...able the SSH service Enabled SSH service yes no n yes Step 12 Enter the SSH key type see the Overwriting a Generated Key Pair section on page 39 17that you would like to generate Type the SSH key you would like to generate dsa rsa rsa1 rsa Step 13 Enter the number of key bits within the specified range Enter the number of key bits 768 to 1024 1024 Step 14 Enter no no is the default to configure th...

Page 169: ...lt gateway default_gateway no telnet server enable ssh key rsa 1024 force ssh server enable system default switchport shutdown system default switchport trunk mode auto system default switchport mode F no zone default zone permit vsan 1 4093 no zoneset distribute full vsan 1 4093 Would you like to edit the configuration yes no n no Step 22 Enter yes yes is default to use and save this configuratio...

Page 170: ...can use Telnet or SSH to access a switch in the Cisco MDS 9000 Family or use SNMP to connect to a Cisco MDS 9000 Fabric Manager application Out of band 10 100 1000 BASE T Ethernet access You can use Telnet or SSH to access a switch in the Cisco MDS 9000 Family or use SNMP to connect to a Cisco MDS 9000 Fabric Manager application Supervisor 1 modules support 10 100 BASE T Ethernet and Supervisor 2 ...

Page 171: ...the CLI or the Device Manager and Fabric Manager applications To use the Cisco Fabric Manager refer to the Cisco MDS 9000 Family Fabric Manager Configuration Guide Verifying the Module Status Before you begin configuring the switch you need to ensure that the modules in the chassis are functioning as designed To verify the status of a module at any time issue the show module command in EXEC mode A...

Page 172: ... the switch issue the clock command from EXEC mode switch clock set HH MM SS DD Month in words YYYY For example switch clock set 15 58 09 23 September 2002 Mon Sep 23 15 58 09 UTC 2002 Where HH represents hours in military format 15 for 3 p m MM is minutes 58 SS is seconds 09 DD is the date 23 Month is the month in words September and YYYY is the year 2002 Note The date and time changes are saved ...

Page 173: ... adjust for daylight saving time You must manually configure the switch to adjust to the daylight saving time For example following U S standards you can have the switch advance the clock one hour at 2 00 a m on the first Sunday in April and move back the clock one hour at 2 00 a m on the last Sunday in October You can also explicitly specify the start and end dates and times and whether or not th...

Page 174: ... U S Pacific standard offset time as negative 8 hours and 0 minutes switch config no clock timezone Disables the time zone adjustment feature Step 3 switch config clock summer time daylight_timezone_name start_week start_day start_month start_time end_week end_day end_month end_time daylight_offset_inminutes Example switch config clock summer time PDT 2 Sunday March 02 00 1 Sunday November 02 00 6...

Page 175: ...ltiple devices Many enterprise customers with extremely mission critical networks maintain their own stratum 1 NTP source Time synchronization happens when several frames are exchanged between clients and servers The switches in client mode know the address of one or more NTP servers The servers act as the time source and receive client synchronization requests By configuring an IP address as a pe...

Page 176: ...that server Not even a server down time will affect well configured switches in the network Figure 5 3 displays a network with two NTP stratum 2 servers and two switches Figure 5 3 NTP Peer and Server Association In this configuration the switches were configured as follows Stratum 2 Server 1 IPv4 address 10 10 10 10 Stratum 2 Server 2 IPv4 address 10 10 10 9 Switch 1 IPv4 address 10 10 10 1 Switc...

Page 177: ...me Step 6 switch show ntp peers Peer IP Address Serv Peer 10 20 10 0 Peer configured 10 10 10 10 Server configured Displays the configured server and peer associations Note A domain name is resolved only when you have a DNS server configured Command Purpose Step 1 switch config t Enters configuration mode Step 2 switch config ntp server 2001 db8 800 200c 4101 Forms a server association with a serv...

Page 178: ... peer You can specify multiple associations Step 4 switch config exit switch Returns to EXEC mode Step 5 switch copy running config startup config Saves your configuration changes to NVRAM Tip This is one instance where you can save the configuration as a result of an NTP configuration change You can issue this command at any time Step 6 switch show ntp peers Peer IP Address Serv Peer NtpPeer Peer...

Page 179: ...5 24 NTP Session Status Verification page 5 24 Enabling NTP Distribution To enable NTP configuration fabric distribution follow these steps Committing NTP Configuration Changes When you commit the NTP configuration changes the effective database is overwritten by the configuration changes in the pending database and all the switches in the fabric receive the same configuration When you commit the ...

Page 180: ... volatile directory and are subject to being discarded if the switch is restarted To use administrative privileges and release a locked NTP session use the clear ntp session command switch clear ntp session Database Merge Guidelines When merging two fabrics follow these guidelines Be aware that the merge is a union of the existing and the received database in each switch in the fabric Do not confi...

Page 181: ... both the speed and the duplex mode On a Supervisor 1 module the default speed is 100 Mbps and the default duplex mode is auto On a Supervisor 2 module the default speed is auto and the default duplex mode is auto Note Before you begin to configure the management interface manually obtain the switch s IPv4 address and IPv4 subnet mask or the IPv6 address Also make sure the console cable is connect...

Page 182: ...witch config if shutdown force Note You need to explicitly configure a default gateway to connect to the switch and send IP packets or add a route for each subnet Default Gateway Configuration The supervisor module sends IP packets with unresolved destination IPv4 addresses to the default gateway see Figure 5 4 Command Command Step 1 switch config terminal switch config Enters configuration mode Y...

Page 183: ...nerating the SSH Server Key Pair section on page 39 16 Note For information on connecting a terminal to the supervisor module console port refer to the Cisco MDS 9200 Series Hardware Installation Guide or the Cisco MDS 9500 Series Hardware Installation Guide Tip A maximum of 16 sessions are allowed in any switch in the Cisco MDS 9500 Series or the Cisco MDS 9200 Series Make sure the terminal is co...

Page 184: ...n statistics Command Purpose Step 1 switch config t Enters configuration mode Step 2 switch config no telnet server enable updated Disables the Telnet server switch config telnet server enable updated Enables default the Telnet server to return a Telnet connection from a secure SSH connection Command Command Step 1 switch config terminal switch config Enters configuration mode Step 2 switch config...

Page 185: ...th a DB 9 interface that enables you to connect to an external serial communication device such as a modem Connection to a terminal requires the terminal emulator to be configured as 9600 baud 8 data bits 1 stop bit no parity To configure the COM1 port settings follow these steps Command Description Step 1 switch config terminal switch config Enters configuration mode Step 2 switch config line com...

Page 186: ...Modem Init String default ATE0Q0V1 D0 C0S0 1 015 Statistics tx 17 rx 0 Register Bits RTS DTR Configuring Modem Connections Modems can only be configured if you are connected to the console or COM1 ports A modem connection to a switch in the Cisco MDS 9000 Family does not affect switch functionality Note If you plan on connecting a modem to the console port or the COM1 port of a switch in the Cisco...

Page 187: ...sco SAN OS environment using Supervisor 2 modules Hayes Accura V 92 http www hayesmicro com Products accura prod v92 htm Zoom FaxModem 56K Dualmode Model 2949 http www zoom com products dial_up_external_serial html Multitech MT2834 BA 33 6K http www multitech com PRODUCTS Families CC1600 Series Note On the Multitech MT2834 BA 33 6K set the DIP switch1 pin1 also known as the DTR pin to the DOWN pos...

Page 188: ...tion C1 Enable tracking the state of the data carrier S0 1 Pick up after one ring 015 required Carriage return in octal The default string contents for Supervisor 2 modules are as follows AT Attention E0 required No echo Q0 Result code on V1 Display result codes as text D0 Data terminal ready DTR on C0 Data carrier detect DCD on Command Command Step 1 switch config t switch config Enters configura...

Page 189: ... written to the modem see the Configuring the Default Initialization String section on page 5 33 If the modem is not attached to the switch during boot up then attach the modem as outlined in the Cisco MDS 9000 Family Hardware Installation Guide depending on the product and follow the procedure provided in this section see the Configuring a User Specified Initialization String section on page 5 34...

Page 190: ... set string user input ATE0Q1 D2 C1S0 3 015 Assigns the user specified initialization string for a Supervisor 1 module to its corresponding profile Note You must first set the user input string before initializing the string switch config com1 modem set string user input ATE0Q0V1 D0 C0S0 1 Assigns the user specified initialization string for a Supervisor 2 module to its corresponding profile switc...

Page 191: ...e line Console Speed 9600 bauds Databits 8 bits per byte Stopbits 1 bit s Parity none Modem In Enable Modem Init String default ATE0Q1 D2 C1S0 1 015 Statistics tx 12842 rx 366 Register Bits RTS CTS DTR DSR CD RI line Aux Speed 9600 bauds Databits 8 bits per byte Stopbits 1 bit s Parity none Modem In Enable Modem Init String default ATE0Q1 D2 C1S0 1 015 Statistics tx 17 rx 0 Register Bits RTS DTR T...

Page 192: ...le the CDP protocol on a specific interface follow these steps Command Command Step 1 switch config terminal switch config Enters configuration mode Step 2 switch config no cdp enable Operation in progress Please check global parameters switch config console Disables the CDP protocol on the switch When CDP is disabled on an interface one packet is sent to clear out the switch state with each of th...

Page 193: ... table interface gigabitethernet 4 1 Displaying CDP Information Use the show cdp command to display CDP entries See Examples 5 1 to 5 11 Command Command Step 1 switch config terminal switch config Enters configuration mode Step 2 switch config cdp timer 100 switch config Sets the refresh time interval in seconds The default is 60 seconds and the valid range is from 5 to 255 seconds switch config n...

Page 194: ...ighbor Entries switch show cdp entry all Device ID 069038747 Kiowa3 Entry address es IP Address 172 22 92 5 Platform WS C5500 Capabilities Trans Bridge Switch Interface mgmt0 Port ID outgoing port 5 22 Holdtime 136 sec Version WS C5500 Software Version McpSW 2 4 3 NmpSW 2 4 3 Copyright c 1995 1997 by Cisco Systems Advertisement Version 1 Example 5 3 Displays the Specified CDP Neighbor switch show ...

Page 195: ... S Switch H Host I IGMP r Repeater Device ID Local Intrfce Hldtme Capability Platform Port ID 0 Gig4 1 135 H DS X9530 SF1 Gig4 1 069038732 Kiowa2 mgmt0 132 T S WS C5500 3 3 11 069038747 Kiowa3 mgmt0 156 T S WS C5500 6 20 069038747 Kiowa3 mgmt0 158 T S WS C5500 5 22 Example 5 8 Displays CDP Neighbors in detail switch show CDP neighbor detail Device ID 0 Entry address es IP Address 0 0 0 0 Platform ...

Page 196: ...traffic interface mgmt 0 Traffic statistics for mgmt0 Input Statistics Total Packets 1148 Valid CDP Packets 1148 CDP v1 Packets 1148 CDP v2 Packets 0 Invalid CDP Packets 0 Unsupported Version 0 Checksum Errors 0 Malformed Packets 0 Output Statistics Total Packets 2329 CDP v1 Packets 1164 CDP v2 Packets 1165 Send Errors 0 Example 5 11 Displays CDP Traffic Statistics for the Gigabit Ethernet Interfa...

Page 197: ...ication page 6 5 Locking the Fabric page 6 6 Committing Changes page 6 7 Discarding Changes page 6 8 Saving the Configuration page 6 8 Clearing a Locked Session page 6 8 CFS Merge Support page 6 8 CFS Distribution over IP page 6 11 CFS Regions page 6 15 Default Settings page 6 17 About CFS Many features in the Cisco MDS switches require configuration synchronization in all switches in the fabric M...

Page 198: ...Distribution section on page 37 11 iSNS see the iSNS section on page 42 79 Call Home see the Call Home Configuration Distribution section on page 54 13 Syslog see the System Message Logging Configuration Distribution section on page 53 8 fctimer see the About fctimer Distribution section on page 29 6 SCSI flow services see the Configuring SCSI Flow Services section on page 47 3 Saving startup conf...

Page 199: ...ion to other switches CFS uses a proprietary SW_ILS 0x77434653 protocol for all CFS packets CFS packets are sent to or from the switch domain controller addresses CFS can also use IP to send information to other switches see the CFS Distribution over IP section on page 6 11 Applications that use CFS are completely unaware of the lower layer transport CFS Distribution Scopes Different applications ...

Page 200: ...ributions are used to distribute information that can be manipulated and distributed from multiple switches for example the port security configuration Unrestricted Uncoordinated Distributions Unrestricted uncoordinated distributions allow multiple parallel distributions in the fabric in the presence of an existing coordinated distribution Unrestricted uncoordinated distributions are allowed to ru...

Page 201: ...abled or disabled on a per application basis The default enable or disable for CFS distribution state differs between applications If CFS distribution is disabled for an application then that application does not distribute any configuration nor does it accept a distribution from other switches in the fabric Explicit CFS commit Most applications require an explicit commit operation to copy the cha...

Page 202: ...ure first time configuration a Cisco SAN OS feature or application that uses the CFS infrastructure that feature starts a CFS session and locks the fabric When a fabric is locked the Cisco SAN OS software does not allow any configuration changes from a switch other than the switch holding the lock to this Cisco SAN OS feature and issues a message to inform the user about the locked status The conf...

Page 203: ... 20 00 00 05 30 00 6b 9e 10 76 100 167 admin CLI SNMP v3 Total number of entries 1 Committing Changes A commit operation saves the pending database for all application peers and releases the lock for all switches In general the commit function does not start a session only a lock function starts a session However an empty commit is allowed if configuration changes are not previously made In this c...

Page 204: ...ded to rescue you from situations where locks are acquired and not released This function requires Admin permissions Caution Exercise caution when using this function to clear locks in the fabric Any pending configurations in any switch in the fabric is flushed and lost CFS Merge Support An application keeps the configuration synchronized in a fabric through CFS Two such fabrics might merge as a r...

Page 205: ...merge failure or a merge in progress the local fabric and the remote fabric involved in the merge are indicated separately The application server in each fabric that is mainly responsible for the merge is indicated by the term Merge Master switch show cfs merge status name port security Logical VSAN 1 Merge Status Failed Local Fabric Domain Switch WWN IP Address 238 20 00 00 05 30 00 6b 9e 10 76 1...

Page 206: ...with CFS The command output shows all the peers for the physical scope or for each of the valid VSANs on the switch depending on the application scope For physical scope the switch WWNs for all the peers are indicated The local switch is indicated as Local switch show cfs peers name ntp Scope Physical Switch WWN IP Address 20 00 00 44 22 00 4a 9e 172 22 92 27 Local 20 00 00 05 30 01 1b c2 172 22 9...

Page 207: ...h IP and Fibre Channel is enabled Distribution over IP version 4 IPv4 or IP version 6 IPv6 Note CFS cannot distribute over both IPv4 and IPv6 from the same switch Keep alive mechanism to detect network topology changes using a configurable multicast address Compatibility with Cisco MDS SAN OS Release 2 x Distribution for logical scope applications is not supported because the VSAN implementation i...

Page 208: ...able or disable CFS over IPv4 follow these steps To enable or disable CFS over IPv6 follow these steps Node A Node B Node C Node E Node D FC IP 144861 Node A Node B Node C Node E Node D FC IP 144862 Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config cfs ipv4 distribute Globally enables CFS over IPv4 for all applications on the switch switch config n...

Page 209: ...fig Enters configuration mode Step 2 switch config cfs ipv4 mcast address 239 255 1 1 Distribution over this IP type will be affected Change multicast address for CFS IP Are you sure y n n y Configures the IPv4 multicast address for CFS distribution over IPv4 The ranges of valid IPv4 addresses are 239 255 0 0 through 239 255 255 255 and 239 192 16 through 239 251 16 switch config no cfs ipv4 mcast...

Page 210: ... 3 x Chapter 6 Using the CFS Infrastructure CFS Distribution over IP Verifying IP Multicast Address Configuration for CFS over IP To verify the IP multicast address configuration for CFS over IP use the show cfs status command switch show cfs status Fabric distribution Enabled IP distribution Enabled mode ipv4 IPv4 multicast address 10 1 10 100 IPv6 multicast address ff13 e244 4754 ...

Page 211: ...nnot configure a CFS region in a VSAN Example Scenario The callhome is an application that triggers alerts to Network Administrators when a situation arises or something abnormal occurs When the fabric covers many geographies and with multiple Network Administrators who are each responsible for a subset of switches in the fabric the callhome application sends alerts to all Network Administrators r...

Page 212: ...xample from Region 1 originating region with ntp and callhome applications assigned to it to Region 2 target region follow these steps Note If you try adding an application to the same region more than once you see the error message Application already present in the same region Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config cfs region 4 Creates...

Page 213: ...the warning All the applications in the region will be moved to the default region Default Settings Table 6 1 lists the default settings for CFS configurations Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config cfs region 1 Enters the Region 1 Step 3 switch config cfs region no ntp switch config cfs region no callhome Removes application s that belo...

Page 214: ...t a t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m 6 18 Cisco MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 6 Using the CFS Infrastructure Default Settings ...

Page 215: ...1 Maintaining Supervisor Modules page 7 32 Installing Generation 2 Modules in Generation 1 Chassis page 7 40 Replacing Modules page 7 41 Default Settings page 7 41 About Software Images Each switch is shipped with a Cisco MDS SAN OS operating system for Cisco MDS 9000 Family switches The Cisco MDS SAN OS consists of two images the kickstart image and the system image To upgrade the switch to a new...

Page 216: ...g the Correct Software Images for Cisco MDS 9200 Series Switches The Supervisor 1 and Supervisor 2 modules supported by Cisco MDS 9200 Series switches require different system and kicstart images You can determine which images to use on your switch by the naming conventions shown in Table 7 2 Selecting the Correct Software Images for Cisco MDS 9500 Family Switches The Supervisor 1 and Supervisor 2...

Page 217: ...ic 2 DS X9530 SF2 K9 active 8 0 Supervisor Fabric 2 DS X9530 SF2 K9 ha standby Essential Upgrade Prerequisites Before attempting to migrate to any software image version follow these guidelines Customer Service Before performing any software upgrade contact your respective customer service representative to review your software upgrade requirements and to provide recommendations based on your curr...

Page 218: ...0 Note 1000 BASE T Ethernet is only available on Supervisor 2 modules Ensure the switch has a route to the remote server The switch and the remote server must be in the same subnetwork if you do not have a router to route traffic between subnets Images Ensure that the specified system and kickstart images are compatible with each other If the kickstart image is not specified the switch uses the cu...

Page 219: ...tion Note Prior to Cisco SAN OS Release 3 0 to preserve the FC IDs in your configuration verify that the persistent FC ID feature is enabled before rebooting This feature is enabled by default In earlier releases the default is disabled See the FC IDs section on page 17 14 Software Upgrade Methods You can upgrade software without any disruptions using the Cisco MDS SAN OS software designed for mis...

Page 220: ...statements is true An incompatible feature is enabled in the image to be installed and it is not available in the running image and may cause the switch to move into an inconsistent state In this case the incompatibility is strict An incompatible feature is enabled in the image to be installed and it is not available in the running image and does not cause the switch to move into an inconsistent s...

Page 221: ...you can see the progress from both the supervisor modules Before a switchover process you can only see the progress from the active supervisor module The command automatically checks the image integrity This includes the running kickstart and system images The command performs a platform validity check to verify that a wrong image is not used for example to check if an MDS 9500 Series image is use...

Page 222: ...install all command is ended be sure to verify the state of the switch at every stage and reissue the command after 10 seconds If you reissue theinstall all command within the 10 second span the command is rejected with an error message indicating that an installation is currently in progress Tip All configurations are disallowed while the install all command is in progress However configurations ...

Page 223: ...start mz 2 1 1a bin 48063243 Mar 21 15 34 46 2005 m9500 sf1ek9 mz 2 1 1 bin 48036239 Apr 06 16 45 41 2005 m9500 sf1ek9 mz 2 1 1a bin Usage for bootflash sup local 141066240 bytes used 43493376 bytes free 184559616 bytes total switch standby exit switch Step 4 Download a Cisco SAN OS system image to the active supervisor module bootflash from a TFTP server if necessary switch copy tftp 10 16 10 100...

Page 224: ...e rolling Hitless upgrade is not supported 4 yes non disruptive rolling 5 yes non disruptive reset 6 yes non disruptive reset Images will be upgraded according to following table Module Image Running Version New Version Upg Required 1 slc 1 3 2a 1 3 1 yes 1 bios v1 1 0 10 24 03 v1 1 0 10 24 03 no 2 ips 1 3 2a 1 3 1 yes 2 bios v1 1 0 10 24 03 v1 1 0 10 24 03 no 3 ips 1 3 2a 1 3 1 yes 3 bios v1 1 0 ...

Page 225: ...tance If you purchased Cisco support through a Cisco reseller contact the reseller directly If you purchased support directly from Cisco Systems contact Cisco Technical Support at this URL http www cisco com warp public 687 Directory DirTAC shtml Upgrading Services Modules Any Fibre Channel switching module supports nondisruptive upgrades The14 2 port Multiprotocol Services MPS 14 2 module support...

Page 226: ...andby supervisor module Example 7 6 displays the result of the install all command issued from a console terminal for a system that contains an SSI image Similarly you can view the results of the install all command issued from the SSH or Telnet terminal that is connected to the active supervisor module Once a switchover happens you need to log back into the switch and issue the show install all s...

Page 227: ... New Version Upg Required 1 slc 1 3 2a 1 3 1 yes 1 bios v1 1 0 10 24 03 v1 1 0 10 24 03 no 2 ips 1 3 2a 1 3 1 yes 2 bios v1 1 0 10 24 03 v1 1 0 10 24 03 no 3 ips 1 3 2a 1 3 1 yes 3 bios v1 1 0 10 24 03 v1 1 0 10 24 03 no 4 slc 1 3 2a 1 3 1 yes 4 bios v1 1 0 10 24 03 v1 1 0 10 24 03 no 5 system 1 3 2a 1 3 1 yes 5 kickstart 1 3 2a 1 3 1 yes 5 bios v1 1 0 10 24 03 v1 1 0 10 24 03 no 5 loader 1 2 2 1 ...

Page 228: ...terface mgmt0 is up Jan 18 23 43 19 Hacienda LICMGR 3 LOG_LIC_NO_LIC No license s present for feature FM_SERVER_PKG Application s shutdown in 53 days Jan 18 23 43 19 Hacienda LICMGR 3 LOG_LIC_NO_LIC No license s present for feature ENTERPRISE_PKG Application s shutdown in 50 days Jan 18 23 43 19 Hacienda LICMGR 3 LOG_LIC_NO_LIC No license s present for feature SAN_EXTN_OVER_IP Application s shutdo...

Page 229: ...xample 7 6 Successful install all Command Including an SSI Image Cisco MDS install all system bootflash isan 2 1 1a kickstart bootflash boot 2 1 1a ssi bootflash ssi 2 1 1a Verifying image bootflash ssi 2 1 1a 100 SUCCESS Verifying image bootflash boot 2 1 1a 100 SUCCESS Verifying image bootflash isan 2 1 1a 100 SUCCESS Extracting slc version from image bootflash isan 2 1 1a 100 SUCCESS Extracting...

Page 230: ...ge bootflash boot 2 1 1a to standby 100 SUCCESS Syncing image bootflash isan 2 1 1a to standby 100 SUCCESS Setting boot variables 100 SUCCESS Performing configuration copy 100 SUCCESS Module 3 Upgrading Bios loader bootrom 100 SUCCESS Module 6 Waiting for module online SUCCESS Switching over onto standby Note If you perform the install all command to downgrade to a Cisco MDS SAN OS release that do...

Page 231: ...o bootflash m9500 sf1ek9 mz 1 3 2a bin 100 SUCCESS Verifying image bootflash m9500 sf1ek9 kickstart mz 1 3 2a bin 100 SUCCESS Verifying image bootflash m9500 sf1ek9 mz 1 3 2a bin 100 SUCCESS Extracting slc version from image bootflash m9500 sf1ek9 mz 1 3 2a bin 100 SUCCESS Extracting ips version from image bootflash m9500 sf1ek9 mz 1 3 2a bin 100 SUCCESS Extracting system version from image bootfl...

Page 232: ... no 9 ips 1 3 1 1 3 2a yes 9 bios v1 1 0 10 24 03 v1 0 8 08 07 03 no Do you want to continue with the installation y n n Example 7 8 displays the install all command output of a failed operation due to a lack of disk space Example 7 8 Failed Operation Due to a Full bootflash File System switch install all system bootflash isan 1 3 2a kickstart bootflash boot 1 3 2a Verifying image bootflash boot 1...

Page 233: ...3 no 8 slc 1 3 1 1 3 2a yes 8 bios v1 1 0 10 24 03 v1 0 8 08 07 03 no 9 ips 1 3 1 1 3 2a yes 9 bios v1 1 0 10 24 03 v1 0 8 08 07 03 no Do you want to continue with the installation y n n y Install is in progress please wait Syncing image bootflash boot 1 3 2a to standby 100 SUCCESS Syncing image bootflash isan 1 3 2a to standby 0 FAIL Return code 0x401E0008 request was aborted standby disk may be ...

Page 234: ...Enter Ctrl C to go back to the prompt Verifying image bootflash b 1 3 0 104 SUCCESS Verifying image bootflash i 1 3 0 104 SUCCESS Extracting system version from image bootflash i 1 3 0 104 SUCCESS Extracting kickstart version from image bootflash b 1 3 0 104 SUCCESS Extracting loader version from image bootflash b 1 3 0 104 SUCCESS switch show install all status This is the log of last installatio...

Page 235: ...ckstart image supervisor system image the linecard image and the system bios are all updated Non disruptive upgrades on these fabric switches take down the control plane for not more than 80 seconds In some cases when the upgrade has progressed past the point at which it cannot be stopped gracefully or if a failure occurs the software upgrade may be disruptive Note During the upgrade the control p...

Page 236: ... to log your session to a file in case you need it later for troubleshooting Also telnet sessions are lost when the switch is rebooted so if you wish to view the process in its entirety use the console port instead Example 7 11 Failed Nondisruptive Upgrade Due to Insufficient Resources switch install all kickstart bootflash boot fs9124 system bootflash isan 164 Verifying image bootflash boot fs912...

Page 237: ...1 system 3 1 1u 3 1 1 yes 1 kickstart 3 1 1u 3 1 1 yes 1 bios v1 0 0 10 04 06 v1 0 0 10 04 06 v1 0 0 10 04 06 no switch Performing a Non Disruptive Upgrade on a Fabric Switch To perform a non disruptive software upgrade on any of the following switches enter the install all kickstart command using the console port Cisco MDS 9124 Multilayer Fabric Switch Cisco MDS 9134 Multlayer Fabric Switch Cisco...

Page 238: ...tallation y n n Install is in progress please wait Notifying services about the upgrade 100 SUCCESS Setting boot variables 100 SUCCESS Performing configuration copy 100 SUCCESS Converting startup config 100 SUCCESS Upgrade can no longer be aborted any failure will result in a disruptive upgrade Note that after this point you cannot abort the upgrade Freeing memory in the file system 100 SUCCESS Lo...

Page 239: ...o the switch via a telnet session the upgrade may already be complete in this case the output will show the status of the upgrade switch show install all status This is the log of last installation Continuing with installation process please wait The login will be disabled until the installation is completed Status for linecard upgrade SUCCESS Performing supervisor state verification SUCCESS Insta...

Page 240: ...tware upgrade This section is for administrators or individuals who are completely familiar with specific switch functions You can manually upgrade the BIOS and the loader in any Cisco MDS switch using the procedures provided in this section This upgrade process requires you to implement some or all procedures depending on your switch or network configuration This section includes the following to...

Page 241: ...288 Jun 23 14 58 44 1980 lost found 27602159 Jul 30 23 05 16 1980 system image1 12447232 Aug 05 15 08 30 1980 kickstart image2 28364853 Aug 05 15 11 57 1980 system image2 Usage for bootflash sup local 135404544 bytes used 49155072 bytes free 184559616 bytes total Step 5 Ensure that the software images are not damaged or corrupted in the saved bootflash file system When copying a new image to your ...

Page 242: ...loader version 1 1 2 current running version kickstart version 2 0 1 system version 2 0 1 BIOS compile time 08 07 03 kickstart image file is bootflash m9500 sf1ek9 kickstart mzg 2 0 0 6 bin kickstart compile time 10 25 2010 12 00 00 system image file is bootflash m9500 sf1ek9 mzg 2 0 0 6 bin system compile time 10 25 2020 12 00 00 Hardware RAM 1024584 kB bootflash 1000944 blocks block size 512b sl...

Page 243: ...ystem compile time 10 25 2020 12 00 00 Hardware RAM 1024584 kB bootflash 1000944 blocks block size 512b slot0 0 blocks block size 512b 172 22 92 181 uptime is 0 days 2 hours 18 minute s 1 second s Last reset at 970069 usecs after Tue Sep 16 22 31 25 1980 Reason Reset Requested by CLI command reload System version 2 0 0 6 Service Upgrading the BIOS Tip Refer to the release notes to verify if the BI...

Page 244: ...2 Verify that the BIOS version of the system image is different from the running image switch show version image bootflash system image image name m9500 sf1ek9 mz 1 0 3 bin bios version v1 0 6 01 27 03 BIOS is same version 1 0 6 system version 1 0 3 compiled 2 28 2003 5 00 00 system service s list package name package version acl 1 0 3 ascii cfg 1 0 3 bios_daemon 1 0 3 Note If the versions are dif...

Page 245: ...9000 Family avoid using the reload command Note If you downgrade from Cisco MDS SAN OS Release 3 1 3 to any earlier SAN OS release after you execute the system default switchport mode F command the ports retain the configuration that resultedfrom the execution of the command In other words the ports do not revert back to the mode they were in prior to executing the command For example to revert to...

Page 246: ...when removing a supervisor module from a Cisco MDS 9500 Series Director take the supervisor modules out of service before removing the supervisor module Use the out of service command in EXEC mode before removing the supervisor module out of service module slot Where slot indicates the chassis slot number in which the supervisor module resides Note You must remove and reinsert or replace the super...

Page 247: ...al state down vsan 10 information name VSAN0010 state active interoperability mode default loadbalancing src id dst id operational state down vsan 4094 isolated_vsan b Display the current and configured domain IDs for a VSAN switch show fcdomain vsan 1 The local switch is the Principal Switch Local switch run time information State Stable Local switch WWN 20 01 00 05 30 00 35 df Running fabric nam...

Page 248: ... Supervisor 1 module is the standby switch show module Mod Ports Module Type Model Status 1 16 1 2 Gbps FC Module DS X9016 ok 2 32 Storage Services Module DS X9032 SSM ok 3 8 IP Storage Services Module DS X9308 SMIP ok 4 12 1 2 4 Gbps FC Module DS X9112 ok 5 0 Supervisor Fabric 1 DS X9530 SF1 K9 ha standby 6 0 Supervisor Fabric 1 DS X9530 SF1 K9 active Step 5 Take the standby Supervisor 1 module o...

Page 249: ...sor 2 module using the boot command and continue to Step 11 Otherwise continue to Step c loader boot bootflash kickstart img bootflash system img c Enter the local IPv4 address IPv4 subnet mask and IPv4 address for the default gateway for the switch using the network command loader network ip 10 16 1 2 nm 255 255 255 0 gw 10 16 1 1 d Boot the kickstart image file from the bootflash if present or f...

Page 250: ...The switch boot prompt indicates that you have a usable kickstart image e Enable the management interface mgmt0 switch boot config terminal Enter configuration commands one per line End with CNTL Z switch boot config interface mgmt 0 switch boot config if no shutdown switch boot config if end switch boot f Download a Cisco SAN OS system image to the Supervisor 2 module from a TFTP server switch bo...

Page 251: ...lligent services are configured perform Step a through Step c Otherwise continue to Step 16 a Power down all SSMs on the switch switch config t switch config poweroff module 2 switch config exit switch Caution Do not copy the running configuration to the startup configuration after powering down the SSMs If you do you will lose the configuration on the SSM interfaces b Verify that the SSMs are pow...

Page 252: ...7 43 IMAGE_DNLD SLOT3 2 IMG_DNLD_STARTED Module image download process Please wait until completion 2008 Jan 23 18 47 43 IMAGE_DNLD SLOT2 2 IMG_DNLD_COMPLETE Module image download process Download successful 2008 Jan 23 18 47 49 IMAGE_DNLD SLOT4 2 IMG_DNLD_STARTED Module image download process Please wait until completion 2008 Jan 23 18 47 57 IMAGE_DNLD SLOT3 2 IMG_DNLD_COMPLETE Module image downl...

Page 253: ... t switch config boot kickstart bootflash kickstart img switch config boot kickstart bootflash system img switch config end switch Step 22 Save the configuration switch copy running config startup config 100 switch Step 23 Verify that the standby Supervisor 2 module is in the HA standby state switch show system redundancy status Redundancy mode administrative HA operational HA This supervisor sup ...

Page 254: ... of Cisco MDS SAN OS images and kickstart images Standby Supervisor Module Boot Alert If a standby supervisor module fails to boot the active supervisor module detects that condition and generates a Call Home event and a system message and reboots the standby supervisor module approximately 3 to 6 minutes after the standby supervisor module moves to the loader prompt The following system message i...

Page 255: ...he following actions The proper system and kickstart images are copied on the standby bootflash file system The proper boot variables are set The loader and the BIOS are upgraded to the same version available on the active supervisor module To replace a module in any switch in the Cisco MDS 9200 Series or 9500 Series follow these steps Step 1 Create a backup of your existing configuration file if ...

Page 256: ... c c i s c o c o m 7 42 Cisco MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 7 Software Images Default Settings Table 7 6 Default Image Settings Parameters Default Kickstart image No image is specified System image No image is specified ...

Page 257: ...he same configuration file to several switches that have the same hardware configuration so that they have identical module and port configurations This section describes how to work with configuration files and has the following topics Displaying Configuration Files page 8 1 Downloading Configuration Files to the Switch page 8 2 Saving Configuration Files to an External Device page 8 3 Saving the...

Page 258: ...efore you begin downloading a configuration file using a remote server do the following Ensure the configuration file to be downloaded is in the correct directory on the remote server Ensure that the permissions on the file are set correctly Permissions on the file should be set to world read Ensure the switch has a route to the remote server The switch and the remote server must be in the same su...

Page 259: ... using the copy slot0 source file system running config command The commands are executed as the file is parsed line by line Use the following command to download a configuration file from an external CompactFlash to the running configuration switch copy slot0 dns config cfg system running config Saving Configuration Files to an External Device You can save a configuration file stored on internal ...

Page 260: ...ory you can save it to the startup configuration in NVRAM Use the following copy command to save the configuration to NVRAM switch copy system running config nvram startup config The copy running config startup config command is an alias to the previous command and is used frequently throughout this guide To cancel the copy operation initiated by another switch use the following command switch sys...

Page 261: ...locking the Startup Configuration File The startup configuration file can be locked by applications on the switch To display locks on the startup configuration file use the following command switch show system internal sysmgr startup config locks To release a lock on the startup configuration file use the following command switch system startup config unlock 10 Copying Configuration Files The synt...

Page 262: ...ddress to bootflash switch copy scp user 10 1 7 2 system image bootflash system image This example shows how to copy a script file from the SFTP server identified by an IPv4 address to the volatile file system switch copy sftp 172 16 10 100 myscript txt volatile myscript txt Note Use the show version image command to verify if the downloaded images are valid Backing UpConfiguration Files All switc...

Page 263: ... binary configuration file reduces the overall boot time significantly A binary file cannot be uploaded but its contents can be used to overwrite the existing startup configuration The write erase command clears the binary file Restoring the Configured Redundancy Mode Tip If you configure the combined mode as the redundancy mode for power supplies on a Cisco MDS 9509 switch be careful when using t...

Page 264: ... 0 39a bin 1864931 Apr 29 12 41 59 2003 dplug2 12288 Apr 18 20 23 11 2003 lost found 12097024 Nov 21 16 34 18 2003 m9500 sf1ek9 kickstart mz 1 3 1 1 bin 41574014 Nov 21 16 34 47 2003 m9500 sf1ek9 mz 1 3 1 1 bin Usage for bootflash sup remote 67747169 bytes used 116812447 bytes free 184559616 bytes total Use the delete scheme sup remote to remove files from a file system on the standby supervisor m...

Page 265: ...nondisruptive software upgrade capability See Chapter 7 Software Images Provides redundancy for supervisor module failure by using dual supervisor modules Performs nondisruptive restarts of a failed process on the same supervisor module A service running on the supervisor modules and on the switching module tracks the HA policy defined in the configuration and takes action based on this policy Thi...

Page 266: ...isor takes over this IP address Switchover Mechanisms Switchovers occur by one of the following two mechanisms The active supervisor module fails and the standby supervisor module automatically takes over You manually initiate a switchover from an active supervisor module to a standby supervisor module Once a switchover process has started another switchover process cannot be started on the same s...

Page 267: ...pervisor Fabric 1 DS X9530 SF1 K9 active 6 0 Supervisor Fabric 1 DS X9530 SF1 K9 ha standby 8 0 Caching Services Module DS X9560 SMAP ok 9 32 1 2 Gbps FC Module DS X9032 ok Mod Sw Hw World Wide Name s WWN 2 1 3 0 106a 0 206 20 41 00 05 30 00 00 00 to 20 48 00 05 30 00 00 00 5 1 3 0 106a 0 602 6 1 3 0 106a 0 602 8 1 3 0 106a 0 702 9 1 3 0 106a 0 3 22 01 00 05 30 00 00 00 to 22 20 00 05 30 00 00 00 ...

Page 268: ...page 7 41 Copying Boot Variable Images to the Standby Supervisor Module You can copy the boot variable images that are in the active supervisor module but not in the standby supervisor module to the standby supervisor module Only those KICKSTART and SYSTEM boot variables that are set for the standby supervisor module can be copied For module line card images all boot variables are copied to the co...

Page 269: ...option is disabled or if no files are copied switch show boot auto copy list No file currently being auto copied Displaying HA Status Information Use the show system redundancy status command to view the HA status of the system Tables 9 1 to 9 3 explain the possible output values for the redundancy supervisor and internal states switch show system redundancy status Redundancy mode administrative H...

Page 270: ...ion with the supervisor and the supervisor module is performing diagnostics Unknown The switch is in an invalid state If it persists call TAC Table 9 2 Supervisor States State Description Active The active supervisor module in the switch is ready to be configured HA standby A switchover is possible Offline The switch is intentionally shut down for debugging purposes Unknown The switch is in an inv...

Page 271: ...6184 01 Cisco MDS SAN OS Release 3 x Chapter 9 Configuring High Availability Displaying HA Status Information Active with failed standby The active supervisor module and the second supervisor module is present but is not functioning Other The switch is in a transient state If it persists call TAC Table 9 3 Internal States continued State Description ...

Page 272: ...o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m 9 8 Cisco MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 9 Configuring High Availability Displaying HA Status Information ...

Page 273: ...Configuration Modes page 10 10 About Crossbar Management page 10 13 About Module Temperature page 10 15 About Fan Modules page 10 17 About Clock Modules page 10 19 Displaying Environment Information page 10 20 Default Settings page 10 21 Displaying Switch Hardware Inventory Use the show inventory command to view information on the field replaceable units FRUs in the switch including product IDs se...

Page 274: ... 2004 by Cisco Systems Inc All rights reserved The copyright for certain works contained herein are owned by Cisco Systems Inc and or other third parties and are used and distributed under license Software BIOS version 1 0 8 loader version 1 1 0 114 kickstart version 1 3 4a system version 1 3 4a BIOS compile time 08 07 03 kickstart image file is bootflash boot 17r kickstart compile time 10 25 2010...

Page 275: ...is CNP6NT0AAA Module in slot 6 is empty Module in slot 7 is empty Module in slot 8 is empty Module in slot 9 is empty Chassis has 2 Slots for Power Supplies PS in slot A is ok Power supply type is 1153 32W 110v AC Model number is WS CAC 2500W H W version is 1 0 Part Number is 34 1535 01 Part Revision is A0 Manufacture Date is Year 6 Week 16 Serial number is ART061600US CLEI code is PS in slot B is...

Page 276: ...ompactFlash CRC Checksum Test On Demand page 10 4 Enabling and Disabling the Automatic CompactFlash CRC Checksum Test page 10 4 Setting the CompactFlash CRC Checksum Test Interval page 10 5 Enabling and Disabling Failure Action at the Failure of a CompactFlash Checksum Test page 10 5 Displaying the Frequency and Status of the CompactFlash CRC Checksum Test page 10 5 Running the CompactFlash CRC Ch...

Page 277: ...lt this feature is enabled in all switches in the Cisco MDS 9000 Family A failure action is controlled at the module level Use the system health module cf crc check failure action command in configuration mode to enable the CompactFlash CRC checksum test failure action for a module To enable the CompactFlash CRC checksum test failure action follow these steps To disable the CompactFlash CRC checks...

Page 278: ...nd in configuration mode You can also update the firmware on demand by using the system health cf re flash module command in EXEC mode Firmware updates can be enabled on the following modules DS X9016 DS X9032 DS X9302 14K9 DS X9308 SMIP DS X9304 SMIP DS X9530 SF1 K9 This section includes the following tasks Updating the CompactFlash Firmware On Demand page 10 6 Enabling and Disabling the CompactF...

Page 279: ...al use the system health module cf re flash frequency command in configuration mode The default interval is every 30 days To set the firmware update interval follow these steps Enabling and Disabling Failure Action at the Failure of a CompactFlash Firmware Update You can use the system health module cf re flash failure action command to prevent the Cisco SAN OS software from taking any action if a...

Page 280: ... Enabled CF re flash 30 Days Running Enabled Displaying CompactFlash CRC Test and Firmware Update Statistics To display the CompactFlash CRC checksum test and the flash update statistics use the show system health statistics command in EXEC mode switch show system health statistics Test statistics for module 2 Test Name State Freqency Run Pass Fail CFail Errs Bootflash Running 10s 28316 28316 0 0 ...

Page 281: ...erial number of your Cisco MDS 9000 Family switch can be obtained by looking at the serial number label on the back of the switch next to the power supply or by executing the operating system show sprom backplane 1 command switch show sprom backplane 1 DISPLAY backplane sprom contents Common block Block Signature 0xabab Block Version 2 Block Length 156 Block Checksum 0x106f EEPROM Size 512 Block C...

Page 282: ...C 2500W 1153 32 27 46 ok 2 WS CAC 2500W 1153 32 27 46 ok Mod Model Power Power Power Power Status Requested Requested Allocated Allocated Watts Amp 42V Watts Amp 42V 1 DS X9032 199 92 4 76 199 92 4 76 powered up 4 DS X9032 199 92 4 76 199 92 4 76 powered up 5 DS X9530 SF1 K9 126 00 3 00 126 00 3 00 powered up 6 DS X9530 SF1 K9 126 00 3 00 126 00 3 00 powered up 9 DS X9016 220 08 5 24 220 08 5 24 p...

Page 283: ...capacities are installed in the switch the total power available differs based on the configured mode either redundant or combined a Redundant mode the total power is the lesser of the two power supply capacities For example suppose you have the following usage figures configured Power supply 1 2500 W Additional power supply 2 not used Current usage 2000 W Current capacity 2500 W Then the followin...

Page 284: ...the minimum 2500 W 2 When you change the configuration from combined to redundant mode and the system detects a power supply that has a capacity lower than the current usage the power supply is shut down If both power supplies have a lower capacity than the current system usage the configuration is not allowed Several configuration scenarios are summarized in Table 10 3 Scenario 1 You have the fol...

Page 285: ...rent capacity is 3600 W You decide to change the switch to redundant mode Then the current capacity decreases to 2500 W and the configuration is rejected Reason 2500 W is less than the system usage 3000 W About Crossbar Management Cisco MDS SAN OS Release 3 0 1 and later supports two types of hardware for the Cisco MDS 9500 Series Directors Generation 1 and Generation 2 Generation 1 consists of al...

Page 286: ...ocated on the Supervisor 1 and Supervisor 2 modules The Cisco MDS 9506 and 9509 Directors only use integrated crossbars External crossbar Located on an external crossbar switching module Cisco MDS 9513 Directors require external crossbar modules Operational Considerations When Removing Crossbars You can mix and match Generation 1 and Generation 2 hardware on the Cisco MDS 9500 Series Directors run...

Page 287: ...e and backup Supervisor 2 modules are associated to a specific crossbar module The Supervisor 2 module in slot 7 is associated with crossbar module 1 and Supervisor 2 module in slot 8 is associated with crossbar module 2 You must plan for the following operational considerations before removing crossbar modules Whenever a crossbar module associated with the active Supervisor 2 module goes offline ...

Page 288: ...upervisor module with HA standby or standby present only that supervisor module is shut down and the standby supervisor module takes over If you do not have a standby supervisor module in your switch you have an interval of 2 minutes to decrease the temperature During this interval the software monitors the temperature every five 5 seconds and continuously sends system messages as configured Tip T...

Page 289: ...ontains multiple fans to provide redundancy The switch can continue functioning in the following situations One or more fans fail within a fan module Even with multiple fan failures switches in the Cisco MDS 9000 Family can continue functioning When a fan fails within a module the functioning fans in the module increase their speed to compensate for the failed fan s The fan module is removed for r...

Page 290: ... operating properly the status is ok If the fan is physically absent the status is absent If the fan is physically present but not working properly the status is failure On the Cisco MDS 9513 Director the front fan module has 15 fans If the front fan module DS 13SLT FAN F State field contains failure in the show environment fan command output it also displays the numbers of the failing fans see Ex...

Page 291: ...number see Example 10 8 Example 10 8 Displays Cisco MDS 9513 Rear Fan Module Failure switch show environment fan Fan Model Hw Status Chassis DS 13SLT FAN F 0 3 ok Chassis DS 13SLT FAN R 0 3 failure PS 1 ok PS 2 ok About Clock Modules All switches in the Cisco MDS 9000 Family have two clock modules Module A primary and Module B redundant The clock modules are designed tested and qualified for missi...

Page 292: ...0 CL 0 0 ok standby Displaying Environment Information Use the show environment command to display all environment related switch information Example 10 10 Displays All Environment Information switch show environment Clock Clock Model Hw Status A Clock Module 1 0 ok active B Clock Module 1 0 ok standby Fan FAN Model Hw Status Chassis DS 2SLOT FAN 0 0 ok PS 1 ok PS 2 absent Temperature Module Senso...

Page 293: ...ardware Default Settings Power Usage Summary Power Supply redundancy mode redundant Total Power Capacity 919 38 W Power reserved for Supervisor s 220 08 W Power reserved for Fan Module s 0 00 W Power currently used by Modules 0 00 W Total Power Available 699 30 W Default Settings Table 10 4 lists the default hardware settings Table 10 4 Default Hardware Parameters Parameters Default Power supply m...

Page 294: ... t a t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m 10 22 Cisco MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 10 Managing System Hardware Default Settings ...

Page 295: ...ifying the Status of a Module page 11 4 Checking the State of a Module page 11 4 Connecting to a Module page 11 5 Reloading Modules page 11 6 Preserving Module Configuration page 11 7 Purging Module Configuration page 11 8 Powering Off Switching Modules page 11 9 Identifying Module LEDs page 11 9 EPLD Configuration page 11 12 SSM Feature Support page 11 18 Installing the SSI Boot Image on an SSM p...

Page 296: ...the active module If the active module fails the standby module takes over without any impact to user traffic Cisco MDS 9216i switches have one supervisor module that includes an integrated switching module with 14 Fibre Channel ports and two Gigabit Ethernet ports Cisco MDS 9200 Series switches have one supervisor module that includes an integrated 16 port switching module Table 11 1 Supervisor M...

Page 297: ...t 5 and module 6 always refers to the supervisor module in slot 6 module 1 Fixed usage for MDS 9200 series module 1 always refers to the supervisor module in slot 1 sup 1 and sup 2 Fixed usage On the MDS 9506 and MDS 9509 switches sup 1 always refers to the supervisor module in slot 5 and sup 2 always refers to the supervisor module in slot 6 On the MDS 9513 Directors sup 1 always refers to the su...

Page 298: ...106a 0 702 9 1 3 0 106a 0 3 22 01 00 05 30 00 00 00 to 22 20 00 05 30 00 00 00 Mod MAC Address es Serial Num 2 00 05 30 00 9d d2 to 00 05 30 00 9d de JAB064605a2 5 00 05 30 00 64 be to 00 05 30 00 64 c2 6 00 d0 97 38 b3 f9 to 00 d0 97 38 b3 fd JAB06350B1R 8 00 05 30 01 37 7a to 00 05 30 01 37 fe JAB072705ja 9 00 05 30 00 2d e2 to 00 05 30 00 2d e6 JAB06280ae9 this terminal session The Status colum...

Page 299: ...ith the supervisor module and the switching module is performing bootup diagnostics initializing The diagnostics have completed successfully and the configuration is being downloaded failure The switch detects a switching module failure upon initialization and automatically attempts to power cycle the module three times After the third attempt it continues to display a failed state ok The switch i...

Page 300: ...ware Images Note If you need to issue the reload command be sure to save the running configuration using the copy running config startup config command Command Purpose Step 1 switch attach module 6 switch standby Provides direct access to the specified module in this example the standby supervisor module is in slot 6 Step 2 switch standby dir bootflash root 14502912 Jan 13 12 23 52 1980 kickstart_...

Page 301: ...wnload This procedure is provided for reference should a need arise To replace the image on a switching module follow these steps Step 1 Identify the switching module that requires the new image Step 2 Issue the reload module number force dnld command to update the image on the switching module switch reload module number force dnld Where number indicates the slot in which the identified module re...

Page 302: ...ued again The configured module information is lost A particular switching module is removed and the same switching module is replaced before the copy running config startup config command is issued again The configured module information is preserved A particular switching module is removed and replaced with the same type switching module and a reload module number command is issued The configure...

Page 303: ...onfig Powers up the specified module switching module 1 in the switch Table 11 5 LEDs for the Cisco MDS 9200 Series Supervisor Modules LED Status Description Status Green All diagnostics pass The module is operational normal initialization sequence Orange The module is booting or running diagnostics normal initialization sequence or The inlet air temperature of the system has exceeded the maximum ...

Page 304: ... normal initialization sequence or The inlet air temperature of the system has exceeded the maximum system operating temperature limit a minor environmental warning To ensure maximum product life you should immediately correct the environmental temperature and restore the system to normal operation Red The diagnostic test failed The module is not operational because a fault occurred during the ini...

Page 305: ...uence Orange The module is booting or running diagnostics normal initialization sequence or The inlet air temperature of the system has exceeded the maximum system operating temperature limit a minor environmental warning To ensure maximum product life you should immediately correct the environmental temperature and restore the system to normal operation Red The diagnostic test failed The module i...

Page 306: ...toring Red The diagnostic test failed The module is not operational because a fault occurred during the initialization sequence or An over temperature condition occurred a major threshold was exceeded during environmental monitoring System1 1 The System and Pwr Mgmt LEDs on a redundant supervisor module are synchronized to the active supervisor module Green All chassis environmental monitors are r...

Page 307: ...o the switch through the console port an SSH session or a Telnet session Step 2 Issue the show version command to verify the Cisco MDS SAN OS release running on the MDS switch switch show version Cisco Storage Area Networking Operating System SAN OS Software TAC support http www cisco com tac Copyright c 2002 2006 Cisco Systems Inc All rights reserved The copyrights to certain works contained here...

Page 308: ...sf1ek9 kickstart mz 2 1 1a bin 48063243 Mar 21 15 34 46 2005 m9500 sf1ek9 mz 2 1 1 bin 48036239 Apr 06 16 45 41 2005 m9500 sf1ek9 mz 2 1 1a bin Usage for bootflash sup local 141066240 bytes used 43493376 bytes free 184559616 bytes total switch show module Mod Ports Module Type Model Status 2 32 Storage Services Module DS X9032 SSM ok 5 0 Supervisor Fabric 1 DS X9530 SF1 K9 active 6 0 Supervisor Fa...

Page 309: ...21 15 35 06 2005 m9500 sf1ek9 kickstart mz 2 1 1 bin 15944704 Apr 06 16 46 04 2005 m9500 sf1ek9 kickstart mz 2 1 1a bin 48063243 Mar 21 15 34 46 2005 m9500 sf1ek9 mz 2 1 1 bin 48036239 Apr 06 16 45 41 2005 m9500 sf1ek9 mz 2 1 1a bin Usage for slot0 141066240 bytes used 43493376 bytes free 184559616 bytes total switch standby exit switch c If there is not enough space delete unneeded files switch d...

Page 310: ...urned If the module is present the command process continues To upgrade a module that is not online but is present in the chassis use the same command The switch software prompts you to continue after reporting the module state When you confirm your intention to continue the upgrade continues switch install module 2 epld bootflash m9000 epld 2 1 2 img progress twirl Module 2 EPLD upgrade is succes...

Page 311: ... IO 0x07 UD Flow Control 0x05 PCI ASIC I F 0x05 1 2 Gbps FC Module 32 Port XBUS IO 0x07 UD Flow Control 0x05 PCI ASIC I F 0x05 Advanced Services Module XBUS IO 0x07 UD Flow Control 0x05 PCI ASIC I F 0x05 PCI Bridge 0x07 IP Storage Services Module 8 Port Power Manager 0x07 XBUS IO 0x03 UD Flow Control 0x05 PCI ASIC I F 0x05 Service Module I F 0x0a IPS DB I F 0x1a IP Storage Services Module 4 Port P...

Page 312: ...dule For example if your switch is running Cisco SAN OS Release 2 1 2 you must have m9000 ek9 ssi mz 2 1 2 bin in modflash on the SSM To determine the correct SSI boot image to use refer to the Cisco MDS SAN OS Release Compatibility Matrix for Storage Service Interface Images You can find the SSI images at the following URL http www cisco com cgi bin tablebuild pl mds9000 ssi 3des Step 3 If the fi...

Page 313: ...or a Storage Services Module SSM to configure Fibre Channel switching and Intelligent Storage Services see Chapter 47 Configuring SCSI Flow Services and Statistics Chapter 48 Configuring Fibre Channel Write Acceleration Chapter 49 Configuring SANTap and Chapter 50 Configuring NASB Once you set the SSI image boot variable you do not need to reset it for upgrades or downgrades to any Cisco MDS SAN O...

Page 314: ... 1 1a configure the SSI boot variable to upgrade or downgrade the SSI boot image on the module see the Configuring the SSI Image Boot Variable section on page 11 23 b Use the install ssi command to upgrade or downgrade the SSI boot image on the module see the Using the install ssi Command section on page 11 25 Note The SSM must be running EPLD version 2 1 2 to use the install ssi command You must ...

Page 315: ...verify that the SSI software image file corresponding to your Cisco MDS SAN OS release is present on the active supervisor module For example if your switch is running Cisco MDS SAN OS Release 2 1 2 you must have m9000 ek9 ssi mz 2 1 2 bin in bootflash or slot0 on the active supervisor module Refer to the Cisco MDS SAN OS Release Compatibility Matrix for Storage Service Interface Images Note As of...

Page 316: ...ervisor module switch attach module 6 switch standby dir bootflash 12288 Jan 01 00 01 06 1980 lost found 14765056 Mar 21 15 35 06 2005 m9500 sf1ek9 kickstart mz 2 1 1 bin 15944704 Apr 06 16 46 04 2005 m9500 sf1ek9 kickstart mz 2 1 1a bin 48063243 Mar 21 15 34 46 2005 m9500 sf1ek9 mz 2 1 1 bin 48036239 Apr 06 16 45 41 2005 m9500 sf1ek9 mz 2 1 1a bin Usage for bootflash sup local 141066240 bytes use...

Page 317: ...elete bootflash m9500 sf1ek9 kickstart mz 2 1 1 bin The show module command output shows that the standby supervisor is in slot 6 Use the attach command to access the supervisor module switch attach module 6 switch standby delete bootflash m9500 sf1ek9 kickstart mz 2 1 1 bin switch standby exit switch d Copy the boot image file from the FTP server to the bootflash or slot0 device in the active sup...

Page 318: ...loads switch config terminal switch config boot ssi bootflash m9000 ek9 ssi mz 2 1 1a bin module 4 switch config exit switch Note You can only specify one image for the SSI variable per module Caution The SSI boot variable must reference the correct SSI boot image otherwise the SSM fails to initialize If you do not correctly set the SSI boot variable the SSM remains in the power down state after a...

Page 319: ...f 34 94 4d 34 to 00 0f 34 94 4d 38 JAB083407D3 this terminal session Using the install ssi Command You can use the install ssi command to update the boot image on an SSM If the SSM is performing Fibre Channel switching and no Intelligent Storage Services are provisioned on the module this operation does not disrupt traffic through the module If the SSM is configured for Intelligent Storage Service...

Page 320: ... you will be asked if you wish to continue Note As of Cisco MDS SAN OS Release 2 1 2 we recommend that you reference the SSI boot image on modflash on the SSM Use the install ssi modflash slot 1 filename module slot command to install the SSI image Step 5 Issue the show boot command to display the current contents of the image boot variable for the SSM switch show boot sup 1 kickstart variable boo...

Page 321: ...032 SSM ok 5 0 Supervisor Fabric 1 DS X9530 SF1 K9 active 6 0 Supervisor Fabric 1 DS X9530 SF1 K9 ha standby Mod Sw Hw World Wide Name s WWN 4 2 1 2 0 30 20 c1 00 05 30 00 06 de to 20 e0 00 05 30 00 06 de 5 2 1 2 4 0 6 2 1 2 4 0 Mod Application Image Description Application Image Version 4 SSI linecard image 2 1 2 Mod MAC Address es Serial Num 4 00 05 30 00 9e b2 to 00 05 30 00 9e b6 JAB06480590 5...

Page 322: ...module in a switch with active and standby supervisors no action is required because the boot image is automatically synchronized to the new supervisor module If you replace a supervisor module in a switch with no standby supervisor you need to reimplement the configuration on the new supervisor Recovering an SSM After Replacing Corrupted CompactFlash Memory In Cisco MDS SAN OS Release 2 1 2 and l...

Page 323: ...elease that does not support the SSM you must power down the module The boot variables for the module are lost The SSM cannot be configured for both the SSI and any other third party software on the module such as VSFN The following example shows successful install all command output including an SSI image Note The SSI boot variable setting is included in the install all output Also if the SSI boo...

Page 324: ...ing Version New Version Upg Required 2 slc 2 0 3 2 1 1a yes 2 bios v1 1 0 10 24 03 v1 1 0 10 24 03 no 3 slc 2 0 3 2 1 1a yes 3 SSI 2 0 3 2 1 1a yes 3 bios v1 0 8 08 07 03 v1 1 0 10 24 03 yes 4 ips4 2 0 3 2 1 1a yes 4 bios v1 1 0 10 24 03 v1 1 0 10 24 03 no 5 system 2 0 3 2 1 1a yes 5 kickstart 2 0 3 2 1 1a yes 5 bios v1 1 0 10 24 03 v1 1 0 10 24 03 no 5 loader 1 2 2 1 2 2 no Do you want to continu...

Page 325: ...ettings Parameters Default Administrative connection Serial connection Global switch information No value for system name No value for system contact No value for location System clock No value for system clock time In band VSAN 1 interface IP address subnet mask and broadcast address assigned to the VSAN are set to 0 0 0 0 Table 11 12 Default SSM Settings Parameters Default Initial state when ins...

Page 326: ... e n t a t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m 11 32 Cisco MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 11 Managing Modules Default Settings ...

Page 327: ...Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m P A R T 3 Switch Configuration ...

Page 328: ...Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m ...

Page 329: ... VSAN Interfaces page 12 39 Default Settings page 12 40 See Chapter 5 Initial Configuration and Chapter 43 Configuring IP Services for more information on configuring mgmt0 interfaces See Chapter 45 Configuring IPv4 for Gigabit Ethernet Interfaces and Chapter 46 Configuring IPv6 for Gigabit Ethernet Interfaces for more information on configuring Gigabit Ethernet interfaces Tip Before you begin con...

Page 330: ...timized ports the following port mode guidelines apply You can configure only the first port in each 4 port group for example the first port in ports 1 4 the fifth port in ports 5 8 and so on as an E port If the first port in the group is configured as an E port the other three ports in each group ports 2 4 6 8 and so on are not usable and remain shutdown If you execute the write erase command on ...

Page 331: ...nterface Modes Each physical Fibre Channel interface in a switch may operate in one of several port modes E port F port FL port TL port TE port SD port ST port and B port see Figure 12 1 Besides these modes each interface may be configured in auto or Fx port modes These two modes determine the port type during interface initialization Figure 12 1 Cisco MDS 9000 Family Switch Port Modes Note Interf...

Page 332: ...ust configure an E port on a 32 port oversubscribed module then you can only use the first port in a group of four ports for example ports 1 through 4 5 through 8 and so forth The other three ports cannot be used F Port In fabric port F port mode an interface functions as a fabric port This port may be connected to a peripheral device host or disk operating as an N port An F port can be attached t...

Page 333: ...n Generation 2 switching module interfaces TE Port In trunking E port TE port mode an interface functions as a trunking expansion port It may be connected to another TE port to create an extended ISL EISL between two switches TE ports are specific to Cisco MDS 9000 Family switches They expand the functionality of E ports to support the following VSAN trunking Transport quality of service QoS param...

Page 334: ...ically interconnect Fibre Channel switches some SAN extender devices such as the Cisco PA FC 1G Fibre Channel port adapter implement a bridge port B port model to connect geographically dispersed fabrics This model uses B ports as described in the T11 Standard FC BB 2 Figure 12 1 on page 12 3 depicts a typical SAN extension over an IP network If an FCIP peer is a SAN extender device that only supp...

Page 335: ...NPIV enabled applications to use multiple N port identifiers Note All of the N port identifiers are allocated in the same VSAN About Interface States The interface state depends on the administrative configuration of the interface and the dynamic state of the physical link Administrative States The administrative state refers to the administrative configuration of the interface as described in Tab...

Page 336: ...e nonoperational reason code as described in Table 12 4 Table 12 2 Operational States Operational State Description Up Interface is transmitting or receiving traffic as desired To be in this state an interface must be administratively up the interface link layer state must be up and the interface initialization must be completed Down Interface cannot transmit or receive data traffic Trunking Inter...

Page 337: ... OS software waits for the specified R_A_TOV time before retrying initialization Inactive The interface VSAN is deleted or is in a suspended state To make the interface operational assign that port to a configured and active VSAN Hardware failure A hardware failure is detected Error disabled Error conditions require administrative attention Interfaces may be error disabled for various reasons For ...

Page 338: ...n feature is disabled Isolation due to zone merge failure The zone merge operation failed Isolation due to VSAN mismatch The VSANs at both ends of an ISL are different Nonparticipating FL ports cannot participate in loop operations It may happen if more than one FL port exists in the same loop in which case all but one FL port in that loop automatically enters nonparticipating mode Only FL ports a...

Page 339: ...interface types within the same range For example bay 1 10 bay 12 or ext 0 ext 15 18 are valid ranges but bay 1 5 ext 15 17 is not Command Purpose Step 1 switch config t Enters configuration mode Step 2 switch config interface fc1 1 switch config if Selects a Fibre Channel interface and enters interface configuration submode Note When a Fibre Channel interface is configured it is automatically ass...

Page 340: ...is not possible in the following situations If you physically remove the port from the switch If in order delivery IOD is enabled see In Order Delivery section on page 25 13 If the Min_LS_interval interval is higher than 10 seconds see Displaying Global FSPF Information section on page 25 20 Note This feature is only triggered if both switches at either end of this E port interface are MDS switche...

Page 341: ...ing ports All user configured ports even if they are down All non F ports that are up however if non F ports are down this command changes the administrative mode of those ports Example 12 1 shows the command in the setup utility and Example 12 2 shows the command from the command line Example 12 1 Setup Utility Configure default switchport mode F yes no n y Example 12 2 Command Line switch config...

Page 342: ...P c_Class BladeSystem and Cisco Fabric Switch for IBM BladeCenter a port speed of 1 Gbps is not supported Auto negotiation is supported between 2 Gbps and 4 Gbps only Also if the BladeCenter is a T chassis then port speeds are fixed at 2 Gbps and auto negotiation is not enabled Command Purpose Step 1 switch config t Enters configuration mode Step 2 switch config system default switchport mode F Se...

Page 343: ... ports that are configured for autosensing Tip When migrating a host that supports up to 2 Gbps traffic that is not 4 Gbps with autosensing capabilities to the 4 Gbps switching modules use autosensing with a maximum bandwidth of 2 Gbps Enabling N Port Identifier Virtualization You must globally enable NPIV for all VSANs on the MDS switch to allow the NPIV enabled applications to use multiple N por...

Page 344: ... field size for Fibre Channel interfaces If the default data field size is 2112 bytes the frame length will be 2148 bytes Configuring Receive Data Field Size You can also configure the receive data field size for Fibre Channel interfaces If the default data field size is 2112 bytes the frame length will be 2148 bytes To configure the receive data field size follow these steps Identifying the Beaco...

Page 345: ...e second intervals About Beacon Mode By default the beacon mode is disabled on all switches The beacon mode is indicated by a flashing green light that helps you identify the physical location of the specified interface Configuring the beacon mode has no effect on the operation of the interface Configuring Beacon Mode To enable beacon mode for a specified interface or range of interfaces follow th...

Page 346: ...ends Improper GBIC or SFP connection at one or both ends A bit error rate threshold is detected when 15 error bursts occur in a 5 minute period By default the switch disables the interface when the threshold is reached You can issue shutdown no shutdown command sequence to reenable the interface You can configure the switch to not disable an interface when the threshold is crossed By default the t...

Page 347: ...he command output see the Displaying Interface Information section on page 12 20 Command Purpose Step 1 switch config t Enters configuration mode Step 2 switch config no system default switchport shutdown switch config Configures the default setting for administrative state of an interface as Up The factory default setting is Down Tip This command is applicable only to interfaces for which no user...

Page 348: ...2112 Beacon is turned off 5 minutes input rate 0 bits sec 0 bytes sec 0 frames sec 5 minutes output rate 0 bits sec 0 bytes sec 0 frames sec 134 frames input 8468 bytes 0 discards 0 errors 0 CRC 0 unknown class 0 too long 0 too short 154 frames output 46072 bytes 0 discards 0 errors 1 input OLS 1 LRR 0 NOS 0 loop inits 1 output OLS 0 LRR 1 NOS 0 loop inits 16 receive B2B credit remaining 3 transmi...

Page 349: ... Receive B2B Credit is 16 Receive data field Size is 2112 Beacon is turned off 5 minutes input rate 0 bits sec 0 bytes sec 0 frames sec 5 minutes output rate 0 bits sec 0 bytes sec 0 frames sec 8696 frames input 3227212 bytes 0 discards 0 errors 0 CRC 0 unknown class 0 too long 0 too short 16799 frames output 6782444 bytes 0 discards 0 errors 0 input OLS 0 LRR 0 NOS 0 loop inits 1 output OLS 1 LRR...

Page 350: ...up Hardware is Fibre Channel SFP is short wave laser Port WWN is 20 90 00 05 30 00 97 9e Admin port mode is FX Port mode is F FCID is 0x7d0100 Port vsan is 3000 Speed is 2 Gbps Transmit B2B Credit is 3 Receive B2B Credit is 12 Receive data field Size is 2112 Beacon is turned off 5 minutes input rate 504 bits sec 63 bytes sec 0 frames sec 5 minutes output rate 520 bits sec 65 bytes sec 0 frames sec...

Page 351: ...t OLS 1 LRR 1 NOS 0 loop inits 2 output OLS 1 LRR 0 NOS 0 loop inits 16 receive B2B credit remaining 3 transmit B2B credit remaining Example 12 6 Displays Port Description switch show interface description Interface Description fc3 1 test intest fc3 2 fc3 3 fc3 4 TE port fc3 5 fc3 6 fc3 10 Next hop switch 5 fc3 11 fc3 12 fc3 16 Interface Description port channel 1 port channel 5 port channel 6 Exa...

Page 352: ... IP Address Speed MTU mgmt0 up 172 19 48 96 25 100 Mbps 1500 Interface Vsan Admin Status Oper Oper Trunk Mode Speed Mode Gbps port channel 1 1 on trunking TE 4 port channel 2 1 on trunking TE 4 Interface Vsan Admin Admin Status Oper Profile Port channel Mode Trunk Mode Mode fcip10 1 auto on notConnected 10 Example 12 8 Display Interface Counters switch show interface counters fc3 1 5 minutes input...

Page 353: ...0 frame 0 overrun 0 fifo 113997 packets output 10969672 bytes 0 underruns 0 output errors 0 collisions 0 fifo 0 carrier errors mgmt0 31557 packets input 2230860 bytes 0 multicast frames 0 compressed 0 input errors 0 frame 0 overrun 0 fifo 26618 packets output 16824342 bytes 0 underruns 0 output errors 0 collisions 7 fifo 0 carrier errors vsan1 0 packets input 0 bytes 0 errors 0 multicast 0 packets...

Page 354: ...2 0 3946 0 3946 Note The show interface transceiver command can only be issued on a switch in the Cisco MDS 9100 Series if the SFP is present see Example 12 10 Example 12 10 Display Transceiver Information switch show interface transceiver fc1 1 SFP is present name is CISCO AGILENT part number is QFBR 5796L revision is serial number is A00162193 fc transmitter type is short wave laser cisco extend...

Page 355: ...down Example 12 13 displays the running configuration after the system default switchport mode F command is executed Example 12 14 displays the running configuration after two interfaces are individually configured for mode FL Example 12 13 Display the Running Configuration After the System Default Switchport Mode F Command is Executed switch show running config version 3 1 3 system default switch...

Page 356: ...notConnected swl fc4 2 1 F notConnected swl fc4 3 1 F notConnected swl fc4 4 1 F notConnected swl fc4 5 1 F sfpAbsent fc4 6 1 F sfpAbsent fc4 7 1 F sfpAbsent fc4 8 1 F sfpAbsent fc4 9 1 F sfpAbsent Example 12 16 Display Interface Information in a Brief Format After Two Interfaces Are Individually Configured for Mode FL switch show interface brief Interface Vsan Admin Admin Status SFP Oper Oper Por...

Page 357: ...age 12 3 Follow these guidelines when configuring private loops A maximum of 64 fabric devices can be proxied to a private loop Fabric devices must be in the same zone as private loop devices to be proxied to the private loop Each private device on a TL port may be included in a different zone All devices on the loop are treated as private loops You cannot mix private and public devices on the loo...

Page 358: ...e The ALPA cache is maintained in persistent storage and saves information across switch reboots The maximum cache size is 1000 entries If the cache is full and a new ALPA is allocated the Cisco SAN OS software discards an inactive cache entry if available to make space for the new entry See the TL Port section on page 12 5 for more information on TL ports Displaying TL Port Information Private lo...

Page 359: ...te devices and the switch acts as a SCSI initiator The first column in the output of the show tlport interface command is the ALPA identity of the device on the loop The columns that follow include the port WWNs the node WWNs for each device the device as a SCSI initiator or target and the real FC ID of the device Example 12 18 Displays the Detailed Information for a Specific TL Port switch show t...

Page 360: ...el interfaces use buffer credits to ensure all packets are delivered to their destination This section describes the different buffer credits available on the Cisco MDS Family switches and includes the following topics About Buffer to Buffer Credits page 12 32 Configuring Buffer to Buffer Credits page 12 33 About Performance Buffers page 12 34 Configuring Performance Buffers page 12 34 About Exten...

Page 361: ...e same rules as for the 32 port switching module Configuring Buffer to Buffer Credits To configure BB_credits for a Fibre Channel interface follow these steps Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config interface fc1 1 switch config if Selects a Fibre Channel interface and enters interface configuration submode Step 3 switch config if switchp...

Page 362: ...e buffer value is 0 If you use the default option the built in algorithm is used If you do not specify this command the default option is automatically used Configuring Performance Buffers To configure performance buffers for a Fibre Channel interface follow these steps Note Use the show interface bbcredit command to display performance buffer values and other BB_credit information About Extended ...

Page 363: ...t two Fibre Channel ports port 13 and port 14 and the two Gigabit Ethernet ports do not support the extended BB_credits feature see Figure 12 1 Explicitly enable this feature in the required Cisco MDS switch Disable the remaining three ports in the 4 port group if you need to assign more than 2 400 BB_credits to the first port in the port group If you assign less than 2 400 extended BB_credits to ...

Page 364: ... Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config fcrxbbcredit extended enable Enables the extended BB_credits feature switch config no fcrxbbcredit extended enable Disables default the extended BB_credits feature Step 3 switch config interface fc1 1 switch config if Selects a Fibre Channel interface and enters interface configuration submode Step...

Page 365: ...smit B2B Credit is 0 Receive B2B Credit is 12 Receive B2B Credit performance buffers is 48 12 receive B2B credit remaining 0 transmit B2B credit remaining fc2 32 is down Link failure or not connected Example 12 22 Displays BB_credit Information for a Specified Fibre Channel Interface switch show interface fc2 31 bbcredit fc2 31 is up Transmit B2B Credit is 0 Receive B2B Credit is 12 Receive B2B Cr...

Page 366: ...inal switch config Enters configuration mode Step 2 switch config interface mgmt0 switch config if Selects the management Ethernet interface on the switch and enters interface configuration submode Step 3 switch config if ip address 10 16 1 2 255 255 255 0 Configures the IPv4 address and IPv4 subnet mask Step 4 switch config if no shutdown Enables the interface Step 5 switch config if exit switch ...

Page 367: ...sical infrastructure You can create an IP interface on top of a VSAN and then use this interface to send frames to this VSAN To use this feature you must configure the IP address for this VSAN VSAN interfaces cannot be created for nonexisting VSANs This section describes VSAN interfaces and includes the following topics About VSAN Interfaces page 12 39 Creating VSAN Interfaces page 12 40 Displayin...

Page 368: ...WPN is 10 00 00 05 30 00 59 1f FCID is 0xb90100 Internet address is 10 1 1 1 24 MTU 1500 bytes BW 1000000 Kbit 0 packets input 0 bytes 0 errors 0 multicast 0 packets output 0 bytes 0 errors 0 dropped Default Settings Table 12 7 lists the default settings for interface parameters Command Purpose Step 1 switch config t Enters configuration mode Step 2 switch config interface vsan 2 switch config if ...

Page 369: ...uirements page 13 6 Configuring NPV page 13 7 Verifying NPV page 13 10 About NPV Typically Fibre Channel networks are deployed using a core edge model with a large number of fabric switches connected to core devices However as the number of ports in the fabric increases the number of switches deployed also increases and you can end up with a dramatic increase in the number of domain IDs the maximu...

Page 370: ...V also allows access control zoning and port security to be implemented at the application level NPV makes use of NPIV to get multiple FCIDs allocated from the core switch on the NP port Figure 13 2 shows a more granular view of an NPV configuration at the interface level F port NP port VSAN 15 Blade Server 1 VSAN 5 Blade Server 2 Blade Server n 20 5 1 Initiator Can have multiple uplinks on differ...

Page 371: ...vice core switches will enforce in order delivery if needed and or configured After entering NPV mode only the following commands are available aaa Configure aaa functions arp no remove an entry from the ARP cache banner Configure banner message boot Configure boot variables callhome Enter the callhome configuration mode cli CLI configuration commands clock Configure time of day clock do EXEC comm...

Page 372: ...PV core switch and then if the FLOGI is successful registers itself with the NPV core switch s name server Subsequent FLOGIs from end devices in this NP link are converted to FDISCs For more details refer to the Internal FLOGI Parameters section on page 13 4 Server links are uniformly distributed across the NP links All the end devices behind a server link will be mapped to only one NP link Intern...

Page 373: ...Default Port Numbers Port numbers on NPV enabled switches will vary depending on the switch model For details about port numbers for NPV eligible switches see Chapter 4 On Demand Port Activation Licensing NPV Traffic Management Before Cisco MDS SAN OS release 3 3 1a NPV supported automatic selection of external links When a server interface is brought up an external interface with the minimum load...

Page 374: ... across external switches NPV Guidelines and Requirements Following are recommended guidelines and requirements when deploying NPV NPV core switches must support NPIV You can have up to 100 NPV devices Nondisruptive upgrades are supported See Chapter 7 Software Images Port tracking is supported See Chapter 57 Configuring Port Tracking You can configure zoning for end devices that are connected to ...

Page 375: ...Moving the device between external interfaces requires NPV relogin to the core switch through F port leading to traffic disruption Link a set of servers to a core switch by configuring the server to a set of external interfaces that are linked to the core switch Configuring NPV When you enable NPV your system configuration is erased and the system is rebooted with NPV mode enabled Note We recommen...

Page 376: ...ig npiv enable switch config switch config no npiv enable Enables NPIV mode on the NPV core switch Disables NPIV mode on the NPV core switch Step 3 switch config interface fc2 1 switch config if switchport mode F switch config if no shutdown Configure the NPIV core switch port as an F port Changes Admin status to bring up the interfaces Step 4 switch config npv enable Enables NPV mode on a NPV dev...

Page 377: ...witch The correct uplink must be selected based on the VSAN s that the uplink can carry DPVM Configuration When NPV is enabled the following requirements must be met before you configure DPVM on the NPV core switch Command Purpose Step 1 switch config t switch config Enters configuration mode on the NPV Step 2 switch config npv traffic map server interface svr if range external interface ext if ra...

Page 378: ...the NPV core switch for devices logging in via NPV you must adhere to the following requirements The internal FLOGI must be in the port security database in this way the port on the NPV core switch will allow communications links All the end device pWWNs must also be in the port security database Once these requirements are met you can enable port security as you would in any other context For det...

Page 379: ...ech support NPV command and save the output so that support can use it to troubleshoot if necessary To display a list of the NPV devices that are logged in along with VSANs source information pWWNs and FCIDs enter the show npv flogi table command switch show npv flogi table SERVER EXTERNAL INTERFACE VSAN FCID PORT NAME NODE NAME INTERFACE fc1 19 1 0xee0008 10 00 00 00 c9 60 e4 9a 20 00 00 00 c9 60...

Page 380: ...N Port Virtualization Verifying NPV Verifying NPV Traffic Management To display the NPV traffic map enter the show npv traffic map command NPV Traffic Map Information Server If External If s fc1 3 fc1 10 fc1 11 fc1 5 fc1 1 fc1 2 To display the NPV internal traffic details enter the show npv internal info traffic map comand NPV Traffic Map Information Server If External If s fc1 3 fc1 10 fc1 11 fc1...

Page 381: ... page 14 20 Disabling ACL Adjacency Sharing for System Image Downgrade page 14 35 Displaying SFP Diagnostic Information page 14 35 Example Configurations page 14 36 Default Settings page 14 38 About Generation 2 Modules and Switches Table 14 1 identifies the modules supported by the Cisco MDS 9500 Series switches and Cisco MDS 9216A and Cisco MDS 9216i switches as well as the Fabric switches Table...

Page 382: ...ps Each module or switch can have one or more ports in port groups that share common resources such as bandwidth and buffer credits Table 14 2 shows the port groups for the Generation 2 Fibre Channel switches and modules DS C9134 K9 Cisco MDS 9134 Fabric switch 32 port 4 Gbps Fabric switch with 2 additional 10 Gbps ports DS C9124 Cisco MDS 9124 Fabric switch 24 port 4 Gbps Fabric switch DS C9222i ...

Page 383: ...ice MSM 18 4 module 18 port 4 Gbps Fibre Channel switching module with 4 GigabitEthernet ports 6 12 8 4 Gbps DS X9112 Cisco 12 port 4 Gbps Fibre Channel module 12 port 4 Gbps Fibre Channel switching module 3 12 8 4 Gbps DS X9704 Cisco 4 port 10 Gbps Fibre Channel module 4 port 10 Gbps Fibre Channel switching module 1 10 10 Gbps Switches DS C9134 K9 Cisco MDS 9134 Fabric switch 32 port 4 Gbps Fabri...

Page 384: ... Cisco MDS 9124 Fabric switch 24 port 4 Gbps 4 16 4 Gbps DS C9222i K9 Cisco MDS 9222i Multiservice Modular switch 18 port 4 Gbps 6 12 8 4 Gbps 1 By default all ports in a 48 port 4 Gbps switching module operate in shared mode with administrative operating speed set to auto All ports in a 48 port 4 Gbps switching module can operate in dedicated mode with a 1 Gbps operating speed However if you conf...

Page 385: ...ch Yes Yes 2 port 10 Gbps Fabric switch Yes No DS C9124 Cisco MDS 9124 Fabric switch 24 port 4 Gbps Fabric switch2 Yes No DS C9222i K9 Cisco MDS 9222i Multiservice Modular switch 18 port 4 Gbps Fibre Channel switch with 4 GigabitEthernet IP storage services ports and a modular expansion slot to host Cisco MDS 9000 Family Switching and Services Modules Yes Yes 1 By default all ports in a 48 port 4 ...

Page 386: ... fabric so that fabric bandwidth and related resources are shared Often the available bandwidth to the switch fabric may be less than the negotiated operating speed of a port Ports in this mode use local buffering for the BB_credit buffers All ports in switching modules where bandwidth is shared support 1 Gbps 2 Gbps or 4 Gbps traffic However it is possible to configure one or more ports in a port...

Page 387: ... migrating a host that supports up to 2 Gbps traffic that is not 4 Gbps with autosensing capabilities to the 4 Gbps switching modules use autosensing with a maximum bandwidth of 2 Gbps Note If you configure an interface for autosensing speed with a maximum bandwidth of 2 Gbps and want to change to the default of 4 Gbps ensure that there are enough shared resources available to support the configur...

Page 388: ...r configured or assigned by default Common unallocated buffer pool for BB_credits if any to be used for additional BB_credits as needed Performance buffers only used on 12 port 4 Gbps and 4 port 10 Gbps switching modules Figure 14 1 shows the allocation of BB_credit buffers on linecards 24 port and 48 port line cards Note In some modules performance buffers are not supported Figure 14 1 Receive Bu...

Page 389: ...Speed and Rate Configuration on a 24 Port 4 Gbps Switching Module page 14 12 4 Port 10 Gbps Switching Module BB_Credit Buffers page 14 13 48 port 4 Gbps Fibre Channel Module BB_Credit Buffers Table 14 5 lists the BB_credit buffer allocation for 48 port 4 Gbps Fibre Channel switching modules The following considerations apply to BB_credit buffers on 48 port 4 Gbps Fibre Channel switching modules 24...

Page 390: ...Fibre Channel switching modules Twelve ports with shared rate mode and 4 Gbps speed 4 1 oversubscription default One port with dedicated rate mode and 4 Gbps speed plus 11 ports with shared rate mode and 4 Gbps speed 5 1 oversubscription One port with dedicated rate mode and 4 Gbps speed plus 11 ports with shared rate mode and 2 Gbps speed 2 5 1 oversubscription Two ports with dedicated rate mode ...

Page 391: ...and the maximum of 250 buffers for dedicated rate mode or 16 buffers for shared rate mode Performance buffers are not supported on this module Each port group on the 24 port 4 Gbps Fibre Channel switching module consists of six ports The ports in shared rate mode have bandwidth oversubscription of 2 1 by default However some configurations of the shared ports in a port group can have maximum bandw...

Page 392: ...gabitEthernet Multiservice Module BB_Credit Buffers Table 14 7 lists the BB_credit buffer allocation for 18 port 4 Gbps multiservice modules The following considerations apply to BB_credit buffers on18 port 4 Gbps Fibre Channel switching modules BB_credit buffers for ISL connections can be configured from a minimum of 2 buffers to a maximum of 250 buffers for dedicated rate mode or 16 buffers for ...

Page 393: ...Note Extended BB_credits are allocated across all ports on the switch That is they are not allocated by port group Note By default the ports in the 12 port 4 Gbps switching modules come up in 4 Gbps dedicated rate mode but can be configured as 1 Gbps and 2 Gbps dedicated rate mode Shared mode is not supported 4 Port 10 Gbps Switching Module BB_Credit Buffers Table 14 9 lists the BB_credit buffer a...

Page 394: ... default BB_credit buffers for all the ports in ISL mode 5488 250 4 Note Extended BB_credits are allocated across all ports on the switch That is they are not allocated by port group BB_Credit Buffers for Fabric Switches This section describes how buffer credits are allocated to Cisco MDS 9000 Fabric switches and includes the following topics Cisco MDS 9134 Fabric Switch BB_Credit Buffers Cisco MD...

Page 395: ...dit Allocation section on page 14 7 When necessary you can reduce the buffers on one port and assign them to another port exceeding the default maximum The minimum extended BB_credits per port is 256 and the maximum is 4095 In general the user can configure any port in a port group to dedicated mode To do this you must first release the buffers from the other ports before configuring larger extend...

Page 396: ...neration 1 switching modules or a combination of Generation 1 and Generation 2 switching modules are installed in the chassis Port Indexes Cisco MDS 9000 switches allocate index identifiers for the ports on the modules These port indexes cannot be configured You can combine Generation 1 and Generation 2 switching modules with either Supervisor 1 modules or Supervisor 2 modules However combining sw...

Page 397: ...ervisor 2 modules the contiguous block can start anywhere The allowed mix of Generation 1 and Generation 2 switching modules in a chassis is determined at run time either when booting up the switch or when installing the modules In some cases the sequence in which switching modules are inserted into the chassis determines if one or more modules is powered up When a module does not power up because...

Page 398: ...32 63 3 16 64 79 Slot 1 shares 80 81 4 48 96 127 224 239 SUP 253 255 3 253 255 Note The output of the show port index allocation startup command does not display anything in the Allowed range column because the command extracts the indices from the persistent storage service PSS and displaying an allowed range for startup indices is meaningless If a module fails to power up you can use the show mo...

Page 399: ...PortChannel use the show port resources module command to check for resource availability Table 14 14 describes the results of adding a member to a PortChannel for various configurations Table 14 14 PortChannel Configuration and Addition Results PortChannel Members Configured Speed New Member Type Addition Type Result PortChannel New Member No members Any Any Generation 1 or Generation 2 Force Pas...

Page 400: ...strictions page 14 26 Configuring Bandwidth Fairness page 14 31 Taking Interfaces Out of Service page 14 33 Releasing Shared Resources in a Port Group page 14 34 Enabling the Buffer to Buffer State Change Number page 14 34 Displaying Interface Capabilities Before configuring a Generation 2 interface you can use the show interface capabilities command to display detailed information about the capab...

Page 401: ...section on page 14 33 2 Configure the traffic speed to use 1 Gbps 2 Gbps 4 Gbps or autosensing with a maximum of 2 Gbps or 4 Gbps See the Configuring Port Speed section on page 14 23 3 Configure the rate mode dedicated or shared to use See the Configuring Rate Mode section on page 14 24 4 Configure the port mode See the About Interface Modes section on page 12 3 Note ISL ports cannot operate in sh...

Page 402: ...dits Performance buffers To configure 4 port 10 Gbps switching modules when starting with the default configuration follow these guidelines 1 Configure the traffic speed 1 Gbps 2 Gbps 4 Gbps or autosensing with a maximum of 2 Gbps or 4 Gbps to use See the Configuring Port Speed section on page 14 23 2 Configure the port mode See the About Interface Modes section on page 12 3 3 Configure the BB_cre...

Page 403: ...en though the maximum operating speed is 2 Gbps For the same interface if autosensing with a maximum speed of 2 Gbps auto max 2000 is configured then only 2 Gbps of bandwidth is reserved and the unused 2 Gbps is shared with the other interface in the port group Caution Changing port speed and rate mode disrupts traffic on the port Traffic on other ports in the port group is not affected Note The 4...

Page 404: ...too short 326 frames output 21364 bytes 0 discards 0 errors 0 input OLS 0 LRR 1 NOS 0 loop inits 3 output OLS 2 LRR 0 NOS 0 loop inits 16 receive B2B credit remaining 64 transmit B2B credit remaining Configuring Rate Mode To configure the rate mode dedicated or shared on an interface on a 48 port or 24 port 4 Gbps Fibre Channel switching module follow these steps Command Purpose Step 1 switch conf...

Page 405: ...the Port Group B2B Credit Bandwidth Rate Mode Buffers Gbps fc9 1 16 4 0 shared fc9 2 16 4 0 shared fc9 3 16 4 0 shared fc9 4 16 4 0 shared fc9 5 16 4 0 shared fc9 6 16 4 0 shared Port Group 2 Total bandwidth is 12 8 Gbps Total shared bandwidth is 12 8 Gbps Allocated dedicated bandwidth is 0 0 Gbps Interfaces in the Port Group B2B Credit Bandwidth Rate Mode Buffers Gbps fc9 7 16 4 0 shared fc9 8 16...

Page 406: ...12 8 Gbps Total shared bandwidth is 12 8 Gbps Allocated dedicated bandwidth is 0 0 Gbps Interfaces in the Port Group B2B Credit Bandwidth Rate Mode Buffers Gbps fc9 19 16 4 0 shared fc9 20 16 4 0 shared fc9 21 16 4 0 shared fc9 22 16 4 0 shared fc9 23 16 4 0 shared fc9 24 16 4 0 shared Configuring Oversubscription Ratio Restrictions The 48 port and 24 port 4 Gbps Fibre Channel switching modules su...

Page 407: ... 8 Gbps Total shared bandwidth is 0 8 Gbps Allocated dedicated bandwidth is 12 0 Gbps Interfaces in the Port Group B2B Credit Bandwidth Rate Mode Buffers Gbps fc8 1 16 4 0 dedicated fc8 2 16 4 0 dedicated fc8 3 16 4 0 dedicated fc8 4 out of service fc8 5 out of service fc8 6 out of service For dedicated ports oversubscription ratio restrictions do not apply to the shared pool in port groups So if ...

Page 408: ...cated in equal proportions regardless of port speed so the bandwidth allocation for the same three ports mentioned in the example would be 1 1 1 Disabling Restrictions on Oversubscription Ratios Before disabling restrictions on oversubscription ratios ensure that you have explicitly shut down shared ports To disable restrictions on oversubscription ratios on a 48 port or 24 port 4 Gbps Fibre Chann...

Page 409: ...h is 12 8 Gbps Total shared bandwidth is 12 8 Gbps Allocated dedicated bandwidth is 0 0 Gbps Interfaces in the Port Group B2B Credit Bandwidth Rate Mode Buffers Gbps fc2 1 16 4 0 shared fc2 2 16 4 0 shared fc2 3 16 4 0 dedicated fc2 4 16 4 0 shared fc2 5 16 4 0 shared fc2 6 16 4 0 dedicated fc2 7 16 4 0 dedicated fc2 8 16 4 0 shared fc2 9 16 4 0 shared fc2 10 16 4 0 shared fc2 11 16 4 0 shared fc2...

Page 410: ... Enter configuration commands one per line End with CNTL Z switch config no rate mode oversubscription limit module 2 Step 5 Bring up the ports that you shut down in step 2 and display their status to confirm that they are no longer shut down switch config interface fc2 1 2 fc2 4 5 fc2 8 38 fc2 43 48 switch config if no shutdown switch config if end switch show interface brief Interface Vsan Admin...

Page 411: ...le Caution When you disable or enable bandwidth fairness the change does not take effect until you reload the module Use the show module bandwidth fairness command to check whether ports in a module are operating with bandwidth fairness enabled or disabled switch show module 2 bandwidth fairness Module 2 bandwidth fairness is enabled Command Purpose Step 1 switch config t switch config Enters conf...

Page 412: ... Release 3 1 2 all modules operate with bandwidth fairness disabled until the next module reload After the upgrade any new module that is inserted has bandwidth fairness enabled When you are downgrading to a release earlier than Cisco SAN OS Release 3 1 2 all modules keep operating in the same bandwidth fairness configuration prior to the downgrade After the downgrade any new module that is insert...

Page 413: ...e cannot come back into service unless the default shared resources for the port are available The operation to free up shared resources from another port is disruptive Note The interface cannot be a member of a PortChannel To take an interface out of service follow these steps Use the show port resources module command to verify the out of service configuration for interfaces on a Generation 2 sw...

Page 414: ...12 specifies the buffer to buffer state change BB_SC number The BB_SC_N field indicates that the sender of the port login PLOGI fabric login FLOGI or ISLs E or TE ports frame is requesting twice the number of frames specified by BB_SC_N to be sent between two consecutive BB_SC send primitives and twice the number of R_RDY primitives to be sent between two consecutive BB_SC receive primitives Comma...

Page 415: ...s when downgrading the system image on your switch to a release prior to Cisco SAN OS Release 3 0 3 issue the following command in EXEC mode switch system no acl adjacency sharing To reenable Fibre Channel ACL adjacency sharing on your switch issue the following command in EXEC mode switch system acl adjacency sharing Displaying SFP Diagnostic Information You can use the show interface transceiver...

Page 416: ...age 14 36 Configuring a 48 port 4 Gbps Fibre Channel Switching Module Example page 14 37 Configuring a 24 port 4 Gbps Fibre Channel Switching Module Example This section describes how to configure the example shown in Figure 14 5 on page 14 12 Step 1 Select interfaces fc 3 1 through fc 3 3 switch config t switch config interface fc 3 1 3 Step 2 Configure the port speed rate mode and port mode on t...

Page 417: ...ion mode switch config if exit switch Step 4 Select the interfaces fc 4 1 through fc 4 6 switch config t switch config interface fc 4 1 6 Step 5 Configure the port speed rate mode and port mode on the interfaces switch config if switchport speed auto max 2000 switch config if switchport rate mode dedicated switch config if switchport mode e Step 6 Enable the interfaces and return to configuration ...

Page 418: ...ing Module 24 Port 4 Gbps Switching Module 12 Port 4 Gbps Switching Module 4 Port 10 Gbps Switching Module Speed mode auto auto1 auto1 auto1 1 The 4 port 10 Gbps switching module only supports 10 Gbps traffic Rate mode shared shared dedicated dedicated Port mode Fx Fx auto2 2 Auto port mode on the 12 port 4 Gbps switching module interfaces can operate in E port mode TE port mode and Fx port mode a...

Page 419: ...same physical link using enhanced ISL EISL frame format see Figure 15 1 Figure 15 1 Trunking The trunking feature includes the following restrictions Trunking configurations are only applicable to E ports If trunk mode is enabled in an E port and that port becomes operational as a trunking E port it is referred to as a TE port The trunk allowed VSANs configured for TE ports are used by the trunkin...

Page 420: ...e zone applications The Cisco MDS 9000 Fabric Manager helps detect such topologies Refer to the Cisco MDS 9000 Family Fabric Manager Configuration Guide Trunking Protocol The trunking protocol is important for E port and TE port operations It supports the following Dynamic negotiation of operational trunk mode Selection of a common set of trunk allowed VSANs Detection of a VSAN mismatch across an ...

Page 421: ...tive List of VSANs page 15 6 Enabling or Disabling the Trunking Protocol To enable or disable the trunking protocol follow these steps About Trunk Mode By default trunk mode is enabled in all Fibre Channel interfaces However trunk mode configuration takes effect only in E port mode You can configure trunk mode as on enabled off disabled or auto automatic The default trunk mode is on The trunk mode...

Page 422: ... the switch are included in the trunk allowed VSAN list for an interface and they are called allowed active VSANs The trunking protocol uses the list of allowed active VSANs at the two ends of an ISL to determine the list of operational VSANs in which traffic is allowed In Figure 15 4 switch 1 has VSANs 1 through 5 switch 2 has VSANs 1 through 3 and switch 3 has VSANs 1 2 4 and 5 with a default co...

Page 423: ... on a per interface basis see Figure 15 5 For example if VSANs 2 and 4 are removed from the allowed VSAN list of ISLs connecting to switch 1 the operational allowed list of VSANs for each ISL would be as follows The ISL between switch 1 and switch 2 shall include VSAN 1 and VSAN 3 The ISL between switch 2 and switch 3 shall include VSAN 1 and VSAN 2 The ISL between switch 3 and switch 1 shall incl...

Page 424: ...erface switch show interface fc1 13 fc1 13 is trunking t s i l d e w o l l a e h t n o e r a 3 d n a 1 s N A S V l a n o i t a r e p o e r a 3 d n a 1 s N A S V VSANs 1 2 5 are operational VSANs 1 2 5 are on the allowed list VSANs 1 and 2 are operational VSANs 1 and 2 are on the allowed list Switch 3 VSAN1 VSAN2 VSAN4 VSAN5 Switch 1 VSAN1 VSAN2 VSAN3 VSAN4 VSAN5 Switch 2 VSAN1 VSAN2 VSAN3 79946 Co...

Page 425: ... 0 frames sec 233996 frames input 14154208 bytes 0 discards 0 CRC 0 unknown class 0 too long 0 too short 236 frames output 13818044 bytes 0 discards 11 input OLS 12 LRR 10 NOS 28 loop inits 34 output OLS 19 LRR 17 NOS 12 loop inits Example 15 2 Displays the Trunking Protocol switch show trunk protocol Trunk protocol is enabled Example 15 3 Displays Per VSAN Information on Trunk Ports switch show i...

Page 426: ...sco MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 15 Configuring Trunking Default Settings Table 15 2 Default Trunk Configuration Parameters Parameters Default Switch port trunk mode On Allowed VSAN list 1 to 4093 user defined VSAN IDs Trunking protocol Enabled ...

Page 427: ...ault Settings page 16 20 About PortChannels A PortChannel has the following functionality Provides a point to point connection over ISL E ports or EISL TE ports Multiple links can be combined into a PortChannel Increases the aggregate bandwidth on an ISL by distributing traffic among all functional links in the channel Load balances across multiple links and maintains optimum bandwidth utilization...

Page 428: ...ut PortChanneling and Trunking page 16 3 About Load Balancing page 16 4 PortChannel Examples PortChannels on Cisco MDS 9000 Family switches allow flexibility in configuration Figure 16 1 illustrates three possible PortChannel configurations PortChannel A aggregates two links on two interfaces on the same switching module at each end of a connection PortChannel B also aggregates two links but each ...

Page 429: ... be a PortChannel The other three ports continue to remain in a no shutdown state Note In the Cisco MDS 9100 Series the left most groups of ports outlined in white 4 ports in the Cisco MDS 9120 Switch and 8 ports in the Cisco MDS 9140 Switch are full line rate like the 16 port switching module The other ports 16 ports in the Cisco MDS 9120 Switch and 32 ports in the Cisco MDS 9140 Switch are host ...

Page 430: ... based All frames between source and destination follow the same links for a given flow That is whichever link is selected for the first exchange of the flow is used for all subsequent exchanges Exchange based The first frame in an exchange picks a link and subsequent frames in the exchange follow the same link However subsequent exchanges can use a different link This provides more granular load ...

Page 431: ...cing works When the first frame in an exchange is received for forwarding on an interface link 1 is chosen by a hash algorithm All remaining frames in that particular exchange are sent on the same link For exchange 1 no frame uses link 2 For the next exchange link 2 is chosen by the hash algorithm Now all frames in exchange 2 use link 2 Frame 1 Frame 2 Frame 3 Frame 1 Frame 2 Frame 3 Frame n Frame...

Page 432: ...ncing For more information on configuring load balancing and in order delivery features see the Operational State of a VSAN section on page 19 9 PortChannel Configuration PortChannels are created with default values You can change the default configuration just like any other physical interface Figure 16 6 provides examples of valid PortChannel configurations Frame 1 Frame 2 Frame 3 Frame 1 Frame ...

Page 433: ...ions This section shows how to configure and modify PortChannels and contains the following topics About PortChannel Configuration page 16 8 Creating a PortChannel page 16 8 About PortChannel Modes page 16 8 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 Cisco MDS Switch A Cisco MDS Switch B Cisco MDS Switch A Cisco MDS Switch B Channel Group 10 Channel Group 20 Channel Group 10 Channel Group 20 Channel Group 1 ...

Page 434: ...ical links are disabled because an error has been detected A PortChannel error is detected if the following requirements are not met Each switch on either side of a PortChannel must be connected to the same number of interfaces Each interface must be connected to a corresponding interface on the other side see Figure 16 7 for an example of an invalid configuration Links in a PortChannel cannot be ...

Page 435: ...mber ports at either end Table 16 1 compares ON and ACTIVE modes To configure active mode follow these steps Table 16 1 Channel Group Configuration Differences ON Mode ACTIVE Mode No protocol is exchanged A PortChannel protocol negotiation is performed with the peer ports Moves interfaces to the suspended state if its operational values are incompatible with the PortChannel Moves interfaces to the...

Page 436: ...tChannel ports automatically recover from the deletion Deleting PortChannels To delete a PortChannel follow these steps Interfaces in a PortChannel You can add or remove a physical interface or a range of interfaces to an existing PortChannel The compatible parameters on the configuration are mapped to the PortChannel Adding an interface to a PortChannel increases the channel size and bandwidth of...

Page 437: ...t is added to the PortChannel The check ensures that the following parameters and settings match at both ends of a PortChannel Capability parameters type of interface Gigabit Ethernet at both ends or Fibre Channel at both ends Administrative compatibility parameters speed mode port VSAN allowed VSAN and port security Operational parameters speed and remote switch s WWN A port addition procedure fa...

Page 438: ...oing down see the Graceful Shutdown section on page 12 12 Step 2 switch config interface fc1 15 switch config if Configures the specified port interface fc1 15 Step 3 switch config if channel group 15 fc1 15 added to port channel 15 and disabled please do the same operation on the switch at the other end of the port channel then do no shutdown at both ends to bring them up Adds physical Fibre Chan...

Page 439: ...n on page 12 12 Deleting an Interface from a PortChannel To delete a physical interface or a range of physical interfaces from a PortChannel follow these steps PortChannel Protocol In earlier Cisco SAN OS releases PortChannels required additional administrative tasks to support synchronization The Cisco SAN OS software provides robust error detection and synchronization capabilities You can manual...

Page 440: ...b protocols Bringup protocol Automatically detects misconfigurations so you can correct them This protocol synchronizes the PortChannel at both ends so that all frames for a given flow as identified by the source FC ID destination FC ID and OX_ID are carried over the same physical link in both directions This helps make applications like write acceleration work for PortChannels over FCIP links Aut...

Page 441: ...links come up between two compatible switches if channel group autocreation is enabled in all ports at both ends Member ports cannot participate in autocreation of channel groups The autocreation feature cannot be configured None of these ports are members of a user configured channel group You can form the PortChannel with a subset of the ports in the channel group Incompatible ports remain in a ...

Page 442: ... a persistent PortChannel Once the PortChannel is made persistent the autocreation feature is disabled in all member ports You can enable or disable the autocreation feature on a per port basis or for all ports in the switch When this configuration is enabled the channel group mode is assumed to be active The default for this task is disabled If autocreation of channel groups is enabled for an int...

Page 443: ...ecific information about existing PortChannels at any time from EXEC mode The following show commands provide further details on existing PortChannels You can force all screen output to go to a printer or save it to a file See Examples 16 1 to 16 6 The show port channel summary command displays a summary of PortChannels within the switch A one line summary of each PortChannel provides the administ...

Page 444: ...orts up Ports fcip1 down fcip2 down port channel 78 Administrative channel mode is active Operational channel mode is active Last membership update succeeded 2 ports in total 0 ports up Ports fc2 1 down fc2 5 down port channel 79 Administrative channel mode is active Operational channel mode is active Last membership update succeeded First operational port is fcip200 2 ports in total 2 ports up Po...

Page 445: ...fcip1 down fcip2 down port channel 78 2 ports first operational port is none fc2 1 down fc2 5 down port channel 79 2 ports first operational port is fcip200 fcip101 up fcip200 up The show port channel usage command displays details of the used and unused PortChannel numbers Example 16 6 Displays the PortChannel Usage switch show port channel usage Totally 3 port channel numbers used Used 77 79 Unu...

Page 446: ...switch show port channel database interface port channel 128 port channel 128 Administrative channel mode is active Operational channel mode is active Last membership update succeeded Channel is auto created First operational port is fc1 1 1 ports in total 1 ports up Ports fc1 1 up Example 16 10 Displays the PortChannel Summary switch show port channel summary Interface Total Ports Oper Ports Firs...

Page 447: ...ou do not configure a domain ID the local switch uses a random ID Caution Changes to fcdomain parameters should not be performed on a daily basis These changes should be made by an administrator or individual who is completely familiar with switch operations Tip When you change the configuration be sure to save the running configuration The next time you reboot the switch the saved configuration i...

Page 448: ...l switch selection phase See Figure 17 1 Figure 17 1 Sample fcdomain Configuration Note Domain IDs and VSAN values used in all procedures are only provided as examples Be sure to use IDs and values that apply to your configuration This section describes the fcdomain feature and includes the following topics About Domain Restart page 17 3 Local WWN 20 02 ab ba cd dc f4 00 Configured domain ID 0 zer...

Page 449: ...abric BF frames are sent to other switches in the fabric and data traffic is disrupted only on the switch If you are attempting to resolve a domain ID conflict you must manually assign domain IDs A disruptive restart is required to apply most configuration changes including manually assigned domain IDs Non disruptive domain restarts are acceptable only when changing a preferred domain ID into a st...

Page 450: ...irectly attached to the failed link not the entire VSAN When a backup link is not available the domain manager reverts to the default behavior and starts a BF phase followed by a principal switch selection phase The fast restart feature can be used in any interoperability mode Tip We recommend using fast restart on most fabrics especially those with a large number of logical ports 3200 or more whe...

Page 451: ...ration is applicable to both disruptive and nondisruptive restarts Configuring Switch Priority To configure the priority for the principal switch follow these steps About fcdomain Initiation By default the fcdomain feature is enabled on each switch If you disable the fcdomain feature in a switch that switch can no longer participate with other switches in the fabric The fcdomain configuration is a...

Page 452: ...e isolated The autoreconfigure option takes immediate effect at runtime You do not need to restart the fcdomain If a domain is currently isolated due to domain overlap and you later enable the autoreconfigure option on both switches the fabric continues to be isolated If you enabled the autoreconfigure option on both switches before connecting the fabric a disruptive reconfiguration RCF will occur...

Page 453: ...tribution of Allowed Domain ID Lists page 17 11 Enabling Distribution page 17 11 Locking the Fabric page 17 12 Committing Changes page 17 12 Discarding Changes page 17 12 Clearing a Fabric Lock page 17 12 Displaying CFS Distribution Status page 17 13 Displaying Pending Changes page 17 13 Displaying Session Status page 17 13 About Contiguous Domain ID Assignments page 17 14 Enabling Contiguous Doma...

Page 454: ... requested domain IDs are the same the preferred and static options are not relevant and the assigned domain ID becomes the runtime domain ID When the assigned and requested domain IDs are different the following cases apply If the configured type is static the assigned domain ID is discarded all local interfaces are isolated and the local switch assigns itself the configured domain ID which becom...

Page 455: ...the IVR topology is configured with static domain IDs then the IVR domains that can be exported to that VSAN must also be assigned static domains Caution You must issue the fcdomain restart command if you want to apply the configured domain changes to the runtime domain Note If you have configured an allow domain ID list the domain IDs that you add must be in that range for the VSAN See the About ...

Page 456: ...e following conditions If this switch is a principal switch all the currently assigned domain IDs must be in the allowed list If this switch is a subordinate switch the local runtime domain ID must be in the allowed list The locally configured domain ID of the switch must be in the allowed list The intersection of the assigned domain IDs with other already configured domain ID lists must not be em...

Page 457: ... ID list using CFS Use CFS to distribute the allowed domain ID list to ensure consistency in the allowed domain ID lists on all switches in the VSAN Note We recommend configuring the allow domain ID list and committing it on the principle switch For more information about CFS see Chapter 6 Using the CFS Infrastructure Enabling Distribution CFS distribution of allowed domain ID lists is disabled by...

Page 458: ...omain configuration changes and release the lock follow these steps Discarding Changes At any time you can discard the pending changes to the domain configuration and release the fabric lock If you discard abort the pending changes the configuration remains unaffected and the lock is released To discard pending domain configuration changes and release the lock follow these steps Clearing a Fabric ...

Page 459: ...ending Configured Allowed Domains VSAN 10 Assigned or unallowed domain IDs 1 9 24 100 231 239 User configured allowed domain IDs 10 230 You can display the differences between the pending configuration and the current configuration using the show fcdomain pending diff command switch show fcdomain pending diff vsan 10 Current Configured Allowed Domains VSAN 10 Assigned or unallowed domain IDs 24 10...

Page 460: ...signed FC ID are retained and stored in a volatile cache The contents of this volatile cache are not saved across reboots The switch is designed to preserve the binding FC ID to the WWN on a best effort basis For example if one N port disconnects from the switch and its FC ID is requested by another device this request is granted and the WWN with the initial FC ID association is released The volat...

Page 461: ...tries that the switch has learned about after a device host or disk is plugged into a port interface Note If you connect to the switch from an AIX or HP UX host be sure to enable the persistent FC ID feature in the VSAN that connects these hosts Note FC IDs are enabled by default This change of default behavior from releases prior to Cisco MDS SAN OS Release 2 0 1b prevents FC IDs from being chang...

Page 462: ...ID feature is enabled in the required VSAN Ensure that the required VSAN is an active VSAN persistent FC IDs can only be configured on active VSANs Verify that the domain part of the FC ID is the same as the runtime domain ID in the required VSAN If the software detects a domain mismatch the command is rejected Verify that the port field of the FC ID is 0 zero when configuring an area Note FICON u...

Page 463: ...BA port connects to interface fc1 9 and the storage port connects to interface fc 1 10 in the same switch Configuring Unique Area FC IDs for an HBA To configure a different area ID for the HBA port follow these steps Step 1 Obtain the Port WWN Port Name field ID of the HBA using the show flogi database command switch show flogi database Command Purpose Step 1 switch config t switch config Enters c...

Page 464: ... Disabled If this feature is disabled continue with this procedure to enable the persistent FC ID If this feature is already enabled skip to Step 5 Step 4 Enable the persistent FC ID feature in the Cisco MDS switch switch conf t switch config fcdomain fcid persistent vsan 1 switch config end switch Step 5 Assign a new FC ID with a different area allocation In this example we replace 77 with ee swi...

Page 465: ...runtime fabric name is the same as the configured fabric name Example 17 1 Displays the Global fcdomain Information switch show fcdomain vsan 2 The local switch is the Principal Switch Local switch run time information State Stable Local switch WWN 20 01 00 0b 46 79 ef 41 Running fabric name 20 01 00 0b 46 79 ef 41 Running priority 128 Current domain ID 0xed 237 Local switch configuration informat...

Page 466: ...76 Number of domains 3 Domain ID WWN 0xc8 200 20 01 00 05 30 00 47 df Principal 0x63 99 20 01 00 0d ec 08 60 c1 Local 0x61 97 50 00 53 0f ff f0 10 06 Virtual IVR Use the show fcdomain allowed vsan command to display the list of allowed domain IDs configured on this switch See Example 17 3 Example 17 3 Displays the Allowed Domain ID Lists switch show fcdomain allowed vsan 1 Assigned or unallowed do...

Page 467: ...r a Specified VSAN switch show fcdomain statistics vsan 1 VSAN Statistics Number of Principal Switch Selections 5 Number of times Local Switch was Principal 0 Number of Build Fabric s 3 Number of Fabric Reconfigurations 0 Example 17 7 Displays fcdomain Statistics for a Specified PortChannel switch show fcdomain statistics interface port channel 10 vsan 1 Interface Statistics Transmitted Received E...

Page 468: ...gle or entire area of FC IDs See Example 17 9 Example 17 9 Displays Address Allocation Information switch show fcdomain address allocation cache Cache content line VSAN WWN FCID mask 1 12 21 00 00 e0 8b 08 a2 21 0xef0400 ENTIRE AREA 2 6 50 06 04 82 c3 a1 2f 5c 0xef0002 SINGLE FCID 3 8 20 4e 00 05 30 00 24 5e 0xef0300 ENTIRE AREA 4 8 50 06 04 82 c3 a1 2f 52 0xef0001 SINGLE FCID Default Settings Tab...

Page 469: ... or multiple jobs at a specified time in the future The job s can be executed once at a specified time in the future or at periodic intervals Note To use the command scheduler you do not need to obtain any license You can use this feature to schedule zone set changes QOS policy changes backup data save the configuration and other similar jobs Scheduler Terminology The following terms are used in t...

Page 470: ...ds pertaining to that feature is scheduled If a feature is disabled at the time when a job containing commands pertaining to that feature is scheduled If you have removed a module from a slot and the job has commands pertaining to the interfaces for that module or slot Verify that you have configured the time The scheduler does not have any default time configured If you create a schedule and assi...

Page 471: ...le this feature all related configurations are automatically discarded To enable the command scheduling feature follow these steps To display the command schedule status use the show scheduler config command switch show scheduler config config terminal scheduler enable scheduler logfile size 16 end Configuring Remote User Authentication Prior to Cisco MDS SAN OS Release 3 0 3 only users local to t...

Page 472: ...job has to perform Be sure to exit the config job submode to complete the job definition Caution You cannot modify or remove a command after entering the sequence of commands To make changes you must explicitly delete the defined job name and restart this process Note You must exit the config job submode for the job definition to be complete Command Purpose Step 1 switch config t Enters configurat...

Page 473: ...g terminal switch config job config vsan database switch config job config vsan db vsan 99 interface fc1 1 4 switch config job config vsan db end switch Specifies a sequence of actions for the specified job The defined commands are checked for validity and stored for future use Note Be sure you exit the config job submode switch config scheduler job name offpeakQOS switch config job conf t switch ...

Page 474: ...cified daily weekly monthly or delta intervals To specify a periodic job for the command scheduler follow these steps Command Purpose Step 1 switch conf t switch config Enters the configuration mode Step 2 switch config no scheduler job name addMemVsan99 Deletes a defined job and all commands defined within that job Command Purpose Step 1 switch conf t switch config Enters the configuration mode S...

Page 475: ...ob finishes at 22 02 after which the 1 minute interval is observed and the next execution occurs at 22 03 and finishes at 22 05 Specifying a One Time Schedule When you specify a one time job execution that job is only executed once To specify a one time job for the command scheduler follow these steps Step 5 switch config schedule time daily 23 00 Executes the specified jobs at 11 p m every day sw...

Page 476: ...nterface fc1 1 vsan 99 interface fc1 2 vsan 99 interface fc1 3 vsan 99 interface fc1 4 end config terminal scheduler schedule name configureVsan99 time start 2004 8 10 9 52 job name addMemVsan99 end Deleting a Schedule To delete a schedule follow these steps Step 3 switch config schedule job name addMemVsan99 Assigns a predefined job name addMemVsan99 for this schedule Step 4 switch config schedul...

Page 477: ...Logs This section describes execution logs for the command scheduler and contains the following sections About Execution Logs page 18 10 Configuring Execution Logs page 18 10 Clearing the Execution Log File Contents page 18 10 Command Purpose Step 1 switch conf t switch config Enters the configuration mode Step 2 switch config scheduler schedule name weekendbackupqos switch config schedule Specifi...

Page 478: ...ation use the show scheduler config command switch show scheduler config config terminal scheduler enable scheduler logfile size 1024 end Displaying Execution Log File Contents To display the execution log for all jobs executed in the system use the show scheduler logfile command switch show scheduler logfile Job Name addMemVsan99 Job Status Success 0 Schedule Name configureVsan99 User Name admin ...

Page 479: ... CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 18 Scheduling Maintenance Jobs Default Settings Default Settings Table 18 1 lists the default settings for command scheduling parameters Table 18 1 Default Command Scheduler Parameters Parameters Default Command scheduler Disabled Log file size 16 KB ...

Page 480: ...t a t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m 18 12 Cisco MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 18 Scheduling Maintenance Jobs Default Settings ...

Page 481: ...Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m P A R T 4 Fabric Configuration ...

Page 482: ...Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m ...

Page 483: ...ettings page 19 12 About VSANs A VSAN is a virtual storage area network SAN A SAN is a dedicated network that interconnects hosts and storage devices primarily to exchange SCSI traffic In SANs you use the physical links to make these interconnections A set of protocols run over the SAN to handle routing naming and zoning You can design multiple SANs with different topologies This section describes...

Page 484: ...features apply to any switch in the Cisco MDS 9000 Family Figure 19 1 shows a fabric with three switches one on each floor The geographic location of the switches and the attached devices is independent of their segmentation into logical VSANs No communication between VSANs is possible Within each VSAN all members can talk to one another Figure 19 1 Logical VSAN Segmentation Figure 19 2 shows a ph...

Page 485: ...te SANs By enabling VSANs the same switches and links may be shared by multiple VSANs VSANs allow SANs to be built on port granularity instead of switch granularity Figure 19 2 illustrates that a VSAN is a group of hosts or storage devices that communicate with each other using a virtual topology defined on the physical SAN The criteria for creating such groups differ based on the VSAN topology VS...

Page 486: ...se two VSANs are equivalent to two unconnected SANs zone A on VSAN 1 is different and separate from zone A in VSAN 2 Table 19 1 lists the differences between VSANs and zones Figure 19 3 shows the possible relationships between VSANs and zones In VSAN 2 three zones are defined zone A zone B and zone C Zone C overlaps both zone A and zone B as permitted by Fibre Channel standards In VSAN 7 two zones...

Page 487: ... a VSAN indicates that the VSAN is configured but not enabled If a port is configured in this VSAN it is disabled Use this state to deactivate a VSAN without losing the VSAN s configuration All ports in a suspended VSAN are disabled By suspending a VSAN you can preconfigure all the VSAN parameters for the whole fabric and activate the VSAN immediately VSAN name This text string identifies the VSAN...

Page 488: ...7 About the Default VSAN page 19 8 About the Isolated VSAN page 19 8 Displaying Isolated VSAN Membership page 19 9 Operational State of a VSAN page 19 9 About Static VSAN Deletion page 19 9 Deleting Static VSANs page 19 10 About Load Balancing page 19 10 Configuring Load Balancing page 19 11 About Interop Mode page 19 11 About FICON VSANs page 19 11 About VSAN Creation A VSAN is in the operational...

Page 489: ...e VSAN static membership information use the show vsan membership command see Example 19 1 through Example 19 3 Step 4 switch config vsan db vsan 2 name TechDoc updated vsan 2 Updates the VSAN with the assigned name TechDoc Step 5 switch config vsan db vsan 2 suspend Suspends the selected VSAN Step 6 switch config vsan db no vsan 2 suspend Negates the suspend command issued in the previous step St...

Page 490: ... 8 vsan 7 interfaces vsan 100 interfaces vsan 4094 isolated vsan interfaces Example 19 3 Displays Static Membership Information for a Specified Interface switch show vsan membership interface fc1 1 fc1 1 vsan 1 allowed list 1 4093 About the Default VSAN The factory settings for switches in the Cisco MDS 9000 Family have only the default VSAN 1 enabled We recommend that you do not use VSAN 1 as you...

Page 491: ... all ports associated with the isolated VSAN Operational State of a VSAN A VSAN is in the operational state if the VSAN is active and at least one port is up This state indicates that traffic can pass through this VSAN This state cannot be configured About Static VSAN Deletion When an active VSAN is deleted all of its attributes are removed from the running configuration VSAN related information i...

Page 492: ... a port to VSAN 10 is rejected Deleting Static VSANs To delete a VSAN and its various attributes follow these steps About Load Balancing Load balancing attributes indicate the use of the source destination ID src dst id or the originator exchange OX ID src dst ox id the default for load balancing path selection Default VSAN fc1 1 fc1 2 VSAN 7 fc1 3 fc1 4 Isolated VSAN VSAN 12 fc1 5 fc1 6 Before De...

Page 493: ...vsan 100 vsan 100 information name VSAN0100 state active in order guarantee no interoperability mode no loadbalancing src id dst id oxid Command Purpose Step 1 switch config t Enters configuration mode Step 2 switch config vsan database switch config vsan db Enters VSAN database configuration submode Step 3 switch config vsan db vsan 2 Specifies an existing VSAN Step 4 switch config vsan db vsan 2...

Page 494: ...rc id dst id oxid vsan 2 information name VSAN0002 state active in order guarantee no interoperability mode no loadbalancing src id dst id oxid vsan 7 information name VSAN0007 state active in order guarantee no interoperability mode no loadbalancing src id dst id oxid vsan 100 information name VSAN0100 state active in order guarantee no interoperability mode no loadbalancing src id dst id oxid vs...

Page 495: ...About SDV page 20 1 Configuring SDV page 20 4 SDV Requirements and Guidelines page 20 9 SDV Configuration Example page 20 12 Displaying SDV Information page 20 14 Default Settings page 20 14 About SDV As of Cisco SAN OS Release 3 1 2 and later you can use Cisco SDV to create virtual devices that represent physical end devices Virtualization of SAN devices accelerates swapout or failover to a repla...

Page 496: ...he case where a target is designed to be redundant Here two arrays are deployed a primary and secondary Enterprises often use some type of consistency technology such as EMF SRDF between the primary and secondary arrays to ensure that the secondary is a mirrored copy of the production LUN However if the primary array fails it must be replaced by the secondary as all I O must occur on the secondary...

Page 497: ... problem and the failover procedure must be repeated for each server of the cluster Think of a server cluster as a set of HBAs any storage array FC ID changes must be performed for each HBA SDV enables you to Reduce the amount of time it takes for data migration and ultimately the overall amount of downtime Easily scale to larger numbers of devices Figure 20 4 illustrates the benefits of SDV In th...

Page 498: ...application You must perform a commit operation to make the configuration active and to release the lock for all switches You can discard or stop changes from being distributed by issuing the abort clear command See Chapter 6 Using the CFS Infrastructure for more details about CFS Note When you enable SDV CFS distribution is also enabled CFS distribution cannot be disabled for SDV The following se...

Page 499: ...y Enterprise package license ENTERPRISE_PKG installed this command will fail Step 3 switch config sdv virtual device name vdev1 vsan 2 Configures a virtual device alias name vdev1 Enters SDV manager configuration submode Step 4 switch config sdv virt dev pwwn 21 00 00 04 cf cf 45 40 primary switch config sdv virt dev pwwn 21 00 00 04 cf cf 38 d6 Maps primary virtual device to the pWWN of real devi...

Page 500: ...s vt1 zoned with the real devices activated the primary device is online Figure 20 6 Zoning the Virtual Device with Real Devices To add the virtual device to a zone as a zone member follow these steps 159901 Primary Secondary Virtual Device SAN Device Virtualization SAN Device Virtualization Zone vtpwwn vt1 t2pwwn t2 t1pwwn t1 i1pwwn i1 i2pwwn i2 i3pwwn i3 Step 1 switch config t Enters configurati...

Page 501: ... same FC4 properties as the primary device it represents When a fabric containing a virtual device configuration reboots the virtual device s domain or FC ID may change there is no guarantee that the virtual device FC ID will remain the same because it is not a part of the configuration You can define the FC ID for a virtual device to be static Configuring a device to have a static FC ID ensures t...

Page 502: ... T1 supporting LUNs from 0 to 12 Virtual target VT1 virtualizing the real target T1 Virtual initiator VI1 virtualizing real initiator I1 Real Initiator and SDV Virtual Target with LUN In Example 20 1 a real initiator is zoned with an SDV virtual target including the LUN Example 20 1 Real Initiator and SDV Virtual Target with LUN zoneset name zs1 vsan 2 zone name z1 vsan 2 member device alias I1 me...

Page 503: ...virtual device and virtual FC ID are mismatched A blank commit is a commit operation that does not contain configuration changes and enforces the SDV configuration of the committing switch fabric wide A blank commit operation resolves merge conflicts by pushing the configuration from the committing switch throughout the fabric thereby reinitializing the conflicting virtual devices Exercise caution...

Page 504: ...ce zone cannot coexist with the real device real device zone If the real devices are not already zoned together then you can configure the real device virtual device zone with no negative impact If these devices are already zoned then adding the real device virtual device zone may cause the zone activation to fail If this occurs then you must delete one of the zones before activation For example a...

Page 505: ... virtual initiators are configured or SDV devices are configured as LUN based members of a zone a configuration check will indicate that downgrading to SAN OS Release 3 1 2 may be disruptive and is therefore not recommended Downgrading With Virtual Initiators Configured If SDV virtual initiators are configured you will be unable to downgrade to SAN OS release 3 1 2 This incompatibility is a loose ...

Page 506: ...irtual device switch config do show fcns database vsan 2 VSAN 2 FCID TYPE PWWN VENDOR FC4 TYPE FEATURE 0x9f0201 NL 21 00 00 04 cf cf 45 40 Seagate scsi fcp 0x9f0423 NL 21 00 00 04 cf cf 38 d6 Seagate scsi fcp Total number of entries 2 Step 4 Create a virtual device vdev1 for the VSAN and specify both the primary and secondary pWWNs switch config sdv virtual device name vdev1 vsan 2 switch config s...

Page 507: ...70 01 vdev1 pwwn 21 00 03 04 55 cf d6 40 Step 10 Activate the new zone configuration switch config zoneset activate name zs1 vsan 2 Zoneset activation initiated check zone status switch config exit Step 11 Display the active zone set to ensure the data in the new zone configuration is correct Also confirm that the pWWNs are correct switch show zoneset active vsan 2 zoneset name zs1 vsan 2 zone nam...

Page 508: ...s of the last CFS SDV fabric merge for a VSAN switch show sdv merge status vsan 1 Merge Status for VSAN 1 Last Merge Time Stamp None Last Merge State None Last Merge Result SUCCESS Last Merge Failure Reason None cfs_status 0 To display details about the SDV database switch show sdv database vsan 2 virtual device name vdev1 vsan 2 WWN 50 00 53 00 00 d2 e0 01 FCID 0x960001 Real FCID 0x9f0201 virtual...

Page 509: ...his chapter includes the following sections DPVM page 21 1 DPVM Database Distribution page 21 5 Database Merge Guidelines page 21 8 Displaying DPVM Configurations page 21 10 Sample DPVM Configuration page 21 11 Default Settings page 21 13 DPVM DPVM configurations are based on port world wide name pWWN and node world wide name nWWN assignments A DPVM database contains mapping information for each d...

Page 510: ...4 About Autolearned Entries page 21 4 Enabling Autolearning page 21 5 Clearing Learned Entries page 21 5 About DPVM Configuration To use the DPVM feature as designed be sure to verify the following requirements The interface through which the dynamic device connects to the Cisco MDS 9000 Family switch must be configured as an F port The static port VSAN of the F port should be valid not isolated n...

Page 511: ...ou activate the DPVM config database Changes to the DPVM pending database are not reflected in the config active DPVM database until you commit the DPVM pending database This database structure allows you to create multiple entries review changes and let the DPVM config and pending databases take effect Configuring DPVM Config and Pending Databases To create and populate the DPVM config and pendin...

Page 512: ...e active DPVM database when you enable autolearn These entries only become permanent in the active DPVM database when you disable autolearn Note Autolearning is only supported for devices connected to F ports Devices connected to FL ports are not entered into the DPVM database because DPVM is not supported on FL ports The following conditions apply to learned entries If a device logs out while aut...

Page 513: ...ion to the neighboring switches the database should be consistently administered and distributed across all switches in the fabric The Cisco SAN OS software uses the Cisco Fabric Services CFS infrastructure to achieve this requirement see Chapter 6 Using the CFS Infrastructure This section describes how to distribute the DPVM database and includes the following topics About DPVM Database Distribut...

Page 514: ...e existing configuration creates the DPVM pending database and locks the feature in the fabric Once you lock the fabric the following conditions apply No other user can make any configuration changes to this feature A copy of the configuration database becomes the DPVM pending database Modifications from this point on are made to the DPVM pending database The DPVM pending database remains in effec...

Page 515: ...ng database are distributed to other switches On a successful commit the configuration change is applied throughout the fabric and the lock is released To commit the DPVM pending database follow these steps Step 4 switch config dpvm db exit switch config Exits to configuration mode Step 5 switch config dpvm activate Activates the DPVM config database Command Purpose Command Purpose Step 1 switch c...

Page 516: ...tive privileges and release a locked DPVM session use the clear dpvm session command in EXEC mode switch clear dpvm session Database Merge Guidelines A database merge refers to a union of the configuration database and static unlearned entries in the active DPVM database See the CFS Merge Support section on page 6 8 for detailed concepts When merging the DPVM database between two fabric follow the...

Page 517: ...y pwwn 12 33 56 78 90 12 34 56 vsan 100 nwwn 14 21 30 12 63 39 72 81 vsan 101 Comparing Database Differences You can compare the DPVM databases as follows Use the dpvm database diff active command to compare the active DPVM database with the DPVM config database switch dpvm database diff active Legend New Entry Missing Entry Possible Conflict Entry pwwn 44 22 33 44 55 66 77 88 vsan 44 pwwn 11 22 3...

Page 518: ... dpvm database pwwn 11 22 33 44 55 66 77 88 vsan 11 pwwn 22 22 33 44 55 66 77 88 vsan 22 pwwn 33 22 33 44 55 66 77 88 vsan 33 pwwn 44 22 33 44 55 66 77 88 vsan 44 Total 4 entries Example 21 4 Displays the DPVM Database switch show dpvm database active pwwn 11 22 33 44 55 66 77 88 vsan 22 pwwn 22 22 33 44 55 66 77 88 vsan 22 pwwn 33 22 33 44 55 66 77 88 vsan 33 Total 3 entries is auto learnt entry ...

Page 519: ...autolearned entries switch1 config Enter configuration commands one per line End with CNTL Z switch1 config dpvm activate switch1 config dpvm commit switch1 config end switch1 show dpvm database switch1 show dpvm database active switch1 show dpvm status At this stage the database is successfully activated and the auto learn option continues to be disabled Step 3 Enable the auto learn option and co...

Page 520: ... 76 8a vsan 1 pwwn 21 01 00 e0 8b 2e 76 8a vsan 1 Total 2 entries is auto learnt entry switch3 show dpvm status DB is activated successfully auto learn is on Step 6 Disable autolearning in switch1 and commit the configuration changes switch1 config Enter configuration commands one per line End with CNTL Z switch1 config no dpvm auto learn switch1 config dpvm commit switch1 config end switch1 show ...

Page 521: ... vsan 1 pwwn 21 00 00 e0 8b 0e 87 8a vsan 1 pwwn 21 01 00 e0 8b 2e 74 8a vsan 1 pwwn 21 00 00 e0 8b 0e 74 8a vsan 4 pwwn 21 01 00 e0 8b 2e 87 8a vsan 5 Total 6 entries is auto learnt entry switch3 show dpvm status DB is activated successfully auto learn is off Note These basic steps help you ascertain that the information is identical in all the switches in the fabric You have now configured a bas...

Page 522: ...n t a t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m 21 14 Cisco MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 21 Creating Dynamic VSANs Default Settings ...

Page 523: ...s page 22 44 Inter VSAN Routing Virtual SANs VSANs improve storage area network SAN scalability availability and security by allowing multiple Fibre Channel SANs to share a common physical infrastructure of switches and ISLs These benefits are derived from the separation of Fibre Channel services in each VSAN and isolation of traffic between VSANs Data traffic isolation between the VSANs also inhe...

Page 524: ...ates third party switches however IVR enabled VSANs may have to be configured in one of the interop modes IVR is not limited to VSANs present on a common switch Routes that traverse one or more VSANs across multiple switches can be established if necessary to establish proper interconnections IVR used in conjunction with FCIP provides more efficient business continuity or disaster recovery solutio...

Page 525: ...t world wide names pWWNs and their native VSAN associations Prior to Cisco SAN OS Release 3 0 3 you can configure up to 2000 IVR zones and 10 000 IVR zone members on the switches in the network As of Cisco SAN OS Release 3 0 3 you can configure up to 8000 IVR zones and 20 000 IVR zone members on the switches in the network Inter VSAN routing zone sets IVR zone sets One or more IVR zones make up an...

Page 526: ... list of Cisco MDS SAN OS feature configuration limits Fibre Channel Header Modifications IVR works by virtualizing the remote end devices in the native VSAN using a virtual domain When IVR is configured to link end devices in two disparate VSANs the IVR border switches are responsible for modifying the Fibre Channel headers for all communication between the end devices The sections of the Fibre C...

Page 527: ... host bus adapter for a timeout of at least ten seconds most HBAs default to a value of 10 or 20 seconds Load balancing of IVR NAT traffic across equal cost paths from an IVR enabled switch is not supported However load balancing of IVR NAT traffic over PortChannel links is supported The load balancing algorithm for IVR NAT traffic over port channel with Generation 1 linecards is SRC DST only Gene...

Page 528: ... initially uses that topology information This reduces disruption in the network by gradually migrating from the user specified topology database to the automatically learned topology database User configured topology entries that are not part of the network are aged out in about three minutes New entries that are not part of the user configured database are added as they are discovered in the net...

Page 529: ... number of AFID VSAN combinations in a single service group is 128 IVR control traffic is distributed in all the members of all the service groups IVR data traffic between two end devices belonging to a service group stays within that service group For example two members pWWN 1 and pWWN 2 belonging to the same IVR zone but different service groups cannot communicate During a CFS merge service gro...

Page 530: ...so be present in the transit VSAN s or in the edge VSANs if one of the interop modes is enabled See the Switch Interoperability section on page 29 12 IVR Configuration Task List To configure IVR in a SAN fabric follow these steps Step 1 Determine whether to use IVR Network Address Translation NAT Step 2 If you do not plan to use IVR NAT verify that unique domain IDs are configured in all switches ...

Page 531: ...fying the IVR Virtual Domain Configuration page 22 24 Clearing the IVR fcdomain Database page 22 24 About Persistent FC IDs for IVR page 22 24 Configuring Persistent FC IDs for IVR page 22 25 Verifying the Persistent FC ID Configuration page 22 26 Configuring IVR Logging Levels page 22 27 Verifying Logging Level Configuration page 22 27 Enabling IVR The IVR feature must be enabled in all border sw...

Page 532: ...n all IVR enabled switches in the network This section includes the following topics Database Implementation page 22 10 Enabling Configuration Distribution page 22 10 Locking the Fabric page 22 11 Committing the Changes page 22 11 Discarding the Changes page 22 11 Clearing a Locked Session page 22 11 Database Implementation The IVR feature uses three databases to accept and implement configuration...

Page 533: ...anges If you discard abort the changes made to the pending database the configuration database remains unaffected and the lock is released To discard IVR configuration changes follow these steps Clearing a Locked Session If you have performed an IVR task and have forgotten to release the lock by either committing or discarding the changes an administrator can release the lock from any switch in th...

Page 534: ...e link costs on the path of any IVR path is less than 30 000 Note IVR enabled VSANs can be configured when the interop mode is enabled any interop mode or disabled no interop mode Transit VSAN Guidelines Consider the following guidelines for transit VSANs Besides defining the IVR zone membership you can choose to specify a set of transit VSANs to provide connectivity between two edge VSANs If two ...

Page 535: ... topology automatic mode see the Distributing the IVR Configuration using CFS section on page 22 10 Once IVR topology automatic mode is enabled you cannot disable IVR configuration distribution To configure IVR topology automatic mode follow these steps View automatically discovered IVR topology using the show ivr vsan topology command switch show ivr vsan topology AFID SWITCH WWN Active Cfg VSANS...

Page 536: ...ch config ivr nat Enables IVR NAT on the switch switch config no ivr nat Disables default IVR NAT on the switch Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config ivr service group name IVR SG1 switch config ivr sg Configures the IVR service group called IVR SG1 and enters IVR server group configuration mode switch config no ivr service group name I...

Page 537: ...uration Use the show ivr service group active command to view the active IVR service group database switch show ivr service group active IVR ACTIVE Service Group SG ID SG NAME AFID VSANS 1 IVR SG1 10 1 2 6 10 Step 4 switch config ivr sg exit switch config Returns to configuration mode Step 5 switch config ivr service group activate Activates the service group configuration and sets the communicati...

Page 538: ... switch that has a default AFID that subset uses the configured AFID while all other VSANs on that switch use the default AFID IVR supports a maximum of 64 AFIDs Note You can only use AFID configuration when the VSAN topology mode is automatic In user configured VSAN topology mode the AFIDs are specified in the VSAN topology configuration itself and a separate AFID configuration is not needed Conf...

Page 539: ...omain IDs across all VSANs and switches participating in IVR operations if you are not using IVR NAT The following switches participate in IVR operations All edge switches in the edge VSANs source and destination All switches in transit VSANs Configure IVR only in the relevant border switches Acquire a mandatory Enterprise License Package or SAN EXTENSION license package and one active IPS card fo...

Page 540: ... is configured with static domain IDs then the other VSANs edge or transit in the topology must be configured with static domain IDs Transit VSAN Guidelines Before configuring transit VSANS consider the following guidelines Besides defining the IVR zone membership you can choose to specify a set of transit VSANs to provide connectivity between two edge VSANs If two edge VSANs in an IVR zone overla...

Page 541: ...R enabled switch belongs The AFID which distinguishes two VSANs that are logically and physically separate but have the same VSAN number You can specify up to 64 AFIDs See Figure 22 2 Figure 22 2 Example IVR Topology with Non Unique VSAN IDs Using AFIDs Note If two VSANs in an IVR topology have the same VSAN ID and different AFIDs they count as two VSANs for the 128 VSAN limit for IVR Note The use...

Page 542: ...t VSANs are deduced based on your configuration The IVR feature does not have an explicit transit VSAN configuration Activating a Manually Configured IVR Topology After manually configuring the IVR topology database you must activate it Caution Active IVR topologies cannot be deactivated You can only switch to IVR topology automatic mode Command Purpose Step 1 switch config t Enters configuration ...

Page 543: ... using CFS section on page 22 10 you must add an entry to the IVR topology for the new switch and activate the new IVR topology To add the IVR enabled switch to the existing IVR topology on the IVR enabled switch where you update the IVR configuration follow these steps Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config ivr vsan topology activate Ac...

Page 544: ...nually created IVR VSAN topology entries from the configured database To clear the manually configured IVR VSAN topology database follow these steps Verifying the IVR Topology You can verify the IVR topology by using the show ivr vsan topology command See Example 22 1 to Example 22 3 Example 22 1 Displays the Configured IVR VSAN Topology switch show ivr vsan topology AFID SWITCH WWN Active Cfg VSA...

Page 545: ...to manual mode follow these steps About IVR Virtual Domains In a remote VSAN the IVR application does not automatically add the virtual domain to the assigned domains list Some switches for example the Cisco SN5428 do not query the remote name server until the remote domain appears in the assigned domains list in the fabric In such cases add the IVR virtual domains in a specific VSAN s to the assi...

Page 546: ...dd status IVR virtual domains are added to fcdomain list in VSANS 1 As well as to VSANs in interoperability mode 2 or 3 Clearing the IVR fcdomain Database You might want to clear the IVR fcdomain database You can do this using the following command switch clear ivr fcdomain database About Persistent FC IDs for IVR You can configure persistent FC IDs for IVR FC ID persistence across reboot improves...

Page 547: ...rent AFID Current VSAN Virtual domain to be used for the native AFID and VSAN in current AFID and VSAN Virtual FC ID entries Contain the virtual FC ID that should be used to represent a device in a specific VSAN current VSAN These entries contain the following information Port WWN Current AFID Current VSAN Virtual FC ID to be used to represent a device for the given pWWN in the current AFID and VS...

Page 548: ...no ivr fcdomain database autonomous fabric num 21 vsan 22 Deletes all the database entries including all the corresponding persistent FC ID entries for current AFID 21 and VSAN 22 Step 3 switch config fcdomain native autonomous fabric num 20 native vsan 11 domain 12 switch config fcdomain fcid Adds or replaces a database entry for native AFID 20 native VSAN 11 and domain 12 and enters IVR fcdomain...

Page 549: ...ature follow these steps Verifying Logging Level Configuration Use the show logging level command to view the configured logging level for the IVR feature switch show logging level Facility Default Severity Current Session Severity ivr 5 4 0 emergencies 1 alerts 2 critical 3 errors 4 warnings 5 notifications 6 information 7 debugging IVR Zones and IVR Zone Sets As part of the IVR configuration you...

Page 550: ... in IVR Zoning page 22 34 Configuring LUNs in IVR Zoning page 22 34 About QoS in IVR Zones page 22 35 Configuring the QoS Attribute page 22 35 Verifying the QoS Attribute Configuration page 22 35 Clearing the IVR Zone Database page 22 36 Clearing the IVR Zone Database page 22 36 Configuring IVR Using Read Only Zoning page 22 36 System Image Downgrading Considerations page 22 36 About IVR Zones Tab...

Page 551: ...n of the new IVR zone set does not cause any traffic disruption between them IVR zone and IVR zone set names are restricted to 64 alphanumeric characters Caution Prior to Cisco SAN OS Release 3 0 3 you can only configure a total of 2000 IVR zones and 32 IVR zone sets on the switches in the network As of Cisco SAN OS Release 3 0 3 you can only configure a total of 8000 IVR zones and 32 IVR zone set...

Page 552: ...0 8b 2e 80 93 vsan 4 Adds the specified pWWN in VSAN 4 as an IVR zone member Step 9 switch config ivr zone member pwwn 10 00 00 00 c9 2d 5a dd vsan 5 Adds the specified pWWN in VSAN 5 as an IVR zone member Step 10 switch config ivr zone exit switch config Reverts to configuration mode Step 11 switch config ivr zoneset name Ivr_zoneset1 switch config ivr zoneset Creates an IVR zone set named Ivr_zo...

Page 553: ...res enabled Any zoning related configuration or activation operation for normal zones IVR zones or iSLB zones must be performed on this switch Otherwise traffic might be disrupted in the fabric You can also use the force option to activate IVR zone sets Table 22 4 lists the various scenarios with and without the force option Caution Using the force option of IVR zone set activation may cause traff...

Page 554: ...n 21 00 00 20 37 c8 5c 6b vsan 2 zone name ivr_qa_z_all pwwn 21 00 00 e0 8b 06 d9 1d vsan 1 pwwn 21 01 00 e0 8b 2e 80 93 vsan 4 pwwn 10 00 00 00 c9 2d 5a dd vsan 1 pwwn 10 00 00 00 c9 2d 5a de vsan 2 pwwn 21 00 00 20 37 5b ce af vsan 6 pwwn 21 00 00 20 37 39 6b dd vsan 6 pwwn 22 00 00 20 37 39 6b dd vsan 3 pwwn 22 00 00 20 37 5b ce af vsan 3 pwwn 50 06 04 82 bc 01 c3 84 vsan 5 Example 22 7 Display...

Page 555: ...22 00 00 20 37 5b ce af vsan 3 pwwn 50 06 04 82 bc 01 c3 84 vsan 5 zoneset name IVR_ZoneSet1 zone name sample_vsan2 3 pwwn 21 00 00 e0 8b 02 ca 4a vsan 3 pwwn 21 00 00 20 37 c8 5c 6b vsan 2 Example 22 10 Displays the Active IVR Zone Set Configuration switch show ivr zoneset active zoneset name IVR_ZoneSet1 zone name sample_vsan2 3 pwwn 21 00 00 e0 8b 02 ca 4a vsan 3 pwwn 21 00 00 20 37 c8 5c 6b vs...

Page 556: ...g the Cisco MDS Fabric Manager you can distribute IVR zone configurations to all IVR capable switches in the interconnected VSAN network Refer to the Cisco MDS 9000 Family Fabric Manager Configuration Guide About LUNs in IVR Zoning LUN zoning can be used between members of active IVR zones You can configure the service by creating and activating LUN zones between the desired IVR zone members in al...

Page 557: ...ty medium Step 3 switch config ivr zone member pwwn 10 00 00 23 45 67 89 ab lun 0x64 vsan 10 Configures an IVR zone member based on the specified pWWN and LUN value Note The CLI interprets the LUN identifier value as a hexadecimal value whether or not the 0x prefix is included switch config ivr zone member pwwn 10 00 00 23 45 67 89 ab lun 0x64 vsan 10 autonomous fabric id 20 Configures an IVR zone...

Page 558: ...nning config startup config to ensure that the running configuration is used when you next start the switch Configuring IVR Using Read Only Zoning Read only zoning with or without LUNs can be used between members of active IVR zones To configure this service you must create and activate read only zones between the desired IVR zone members in all relevant edge VSANs using the zoning interface Note ...

Page 559: ...r zone exists in two fabrics the dissimilar zones are cloned into the zone set with appropriate names so both zones are present The merged topology contains a union of the topology entries for both fabrics The merge will fail if the merged database contains more topology entries than the allowed maximum The total number of VSANs across the two fabrics cannot exceed 128 Note VSANs with the same VSA...

Page 560: ...ceed 32 Table 22 5 describes the results of a CFS merge of two IVR enabled fabrics under different conditions Caution If you do not follow these conditions the merge will fail The next distribution will forcefully synchronize the databases and the activation states in the fabric Resolving Database Merge Failures If a merge failure occurs use the following commands to display the error conditions s...

Page 561: ... 22 16 and the IVR Limits Summary section on page 22 4 For other failures resolve the error causing the merge failure on the switch that has the correct configuration and perform a CFS commit to distribute the IVR configuration see the Configuring Individual AFIDs section on page 22 17 After a successful CFS commit the merge will be successful Example Configurations This section provides IVR confi...

Page 562: ...ig ivr topology db autonomous fabric id 1 switch wwn 20 00 00 05 40 01 1b c2 vsan ranges 1 4 mds config ivr topology db autonomous fabric id 1 switch wwn 20 02 00 44 22 00 4a 08 vsan ranges 1 4 mds config ivr topology db autonomous fabric id 1 switch wwn 20 00 00 44 22 02 8a 04 vsan ranges 2 4 mds config ivr topology db autonomous fabric id 1 switch wwn 20 00 00 44 22 40 aa 16 vsan ranges 2 4 mds ...

Page 563: ... pwwn 10 02 50 45 32 20 7a 52 vsan 1 mds config ivr zoneset zone member pwwn 10 02 66 45 00 20 89 04 vsan 2 mds config ivr zoneset zone exit mds config ivr zoneset zone name tape_server2 mds config ivr zoneset zone member pwwn 10 02 50 45 32 20 7a 52 vsan 1 mds config ivr zoneset zone member pwwn 10 00 ad 51 78 33 f9 86 vsan 3 mds config ivr zoneset zone exit Step 9 View the IVR zone configuration...

Page 564: ...tep for VSANs 2 and 3 mds show zoneset active vsan 1 zoneset name finance_dept vsan 1 zone name accounts_database vsan 1 pwwn 10 00 23 11 ed f6 23 12 pwwn 10 00 56 43 11 56 fe ee zone name IVRZ_tape_server1 vsan 1 pwwn 10 02 66 45 00 20 89 04 pwwn 10 02 50 45 32 20 7a 52 zone name IVRZ_tape_server2 vsan 1 pwwn 10 02 50 45 32 20 7a 52 pwwn 10 00 ad 51 78 33 f9 86 zone name default_zone vsan 1 mds s...

Page 565: ...Last Action Result None Last Action Failure Reason None Inter VSAN NAT mode status FCID NAT is disabled License status IVR is running based on the following license s ENTERPRISE_PKG Step 3 Enable CFS distribution on every IVR enabled switch in the fabric switch config t Enter configuration commands one per line End with CNTL Z switch config ivr distribution Step 4 Enable IVR auto topology mode swi...

Page 566: ... 22 Configuring Inter VSAN Routing Default Settings 1 20 00 00 0d ec 08 6e 40 yes no 1 336 338 1 20 00 00 0d ec 0c 99 40 yes no 336 339 Default Settings Table 22 6 lists the default settings for IVR parameters Table 22 6 Default IVR Parameters Parameters Default IVR feature Disabled IVR VSANs Not added to virtual domains IVR NAT Disabled QoS for IVR zones Low Configuration distribution Disabled ...

Page 567: ...compliant zoning capabilities This chapter includes the following sections About Zoning page 23 1 Zone Configuration page 23 6 Zone Sets page 23 7 Zone Set Distribution page 23 13 Zone Set Duplication page 23 16 Advanced Zone Attributes page 23 18 Displaying Zone Information page 23 24 Enhanced Zoning page 23 30 Compacting the Zone Database for Downgrading page 23 40 Zone and Zone Set Analysis pag...

Page 568: ...IDs Port world wide name pWWN Specifies the pWWN of an N port attached to the switch as a member of the zone Fabric pWWN Specifies the WWN of the fabric port switch port s WWN This membership is also referred to as port based zoning FC ID Specifies the FC ID of an N port attached to the switch as a member of the zone Interface and switch WWN sWWN Specifies the interface of a switch identified by t...

Page 569: ... To achieve this zone 3 is configured which contains only host H2 and storage S2 You can restrict access to just H2 and S2 in zone 3 and to H1 and S1 in zone 1 Figure 23 2 Fabric with Three Zones Zone Implementation All switches in the Cisco MDS 9000 Family automatically support the following basic zone features no additional configuration is required Zones are contained in a VSAN Hard zoning cann...

Page 570: ... across switch reboots Changes to the full database must be explicitly saved Zone reactivation a zone set is active and you activate another zone set does not disrupt existing traffic If required you can additionally configure the following zone features Propagate full zone sets to all switches on a per VSAN basis Change the default policy for unzoned members Interoperate with other vendors by con...

Page 571: ...l zone set even if a zone set with the same name is active However the modification will be enforced only upon reactivation When the activation is done the active zone set is automatically stored in persistent configuration This enables the switch to preserve the active zone set information across switch resets All other switches in the fabric receive the active zone set so they can enforce zoning...

Page 572: ... E Zone set Z3 Zone A Zone C Zone D Zone set Z1 Zone A Zone B Zone C Zone set Z2 Zone C Zone D Zone E Zone set Z3 Zone A Zone C Zone D Full zone set Zone set Z1 Zone A Zone B Zone C After activating Zone set Z1 Full zone set Active zone set Zone set Z1 Zone A Zone B Zone C Zone set Z2 Zone C Zone D Zone E Zone set Z3 Zone A Zone C Zone D Zone set Z1 Zone A Zone B Zone C After adding Zone D to Zone...

Page 573: ...e value pWWN example switch config zone member pwwn 10 00 00 23 45 67 89 ab Fabric pWWN example switch config zone member fwwn 10 01 10 01 10 ab cd ef FC ID example switch config zone member fcid 0xce00d1 FC alias example switch config zone member fcalias Payroll Domain ID example switch config zone member domain id 2 portnumber 23 IPv4 address example switch config zone member ip address 10 15 0 ...

Page 574: ...igure 23 4 two separate sets are created each with its own membership hierarchy and zone members Figure 23 4 Hierarchy of Zone Sets Zones and Zone Members Zones provide a mechanism for specifying access control while zone sets are a grouping of zones to enforce access control in the fabric Either zone set A or zone set B can be activated but not together Tip Zone sets are configured with the names...

Page 575: ...among members of the default zone This information is not distributed to all switches it must be configured in each switch Note When the switch is initialized for the first time no zones are configured and all members are considered to be part of the default zone Members are not permitted to talk to each other Configure the default zone policy on each switch in the fabric If you change the default...

Page 576: ...ptional subnet mask If a mask is specified any device within the subnet becomes a member of the specified zone IPv6 address The IPv6 address of an attached device is in 128 bits in colon separated hexadecimal format Interface Interface based zoning is similar to port based zoning because the switch interface is used to configure the zone You can specify a switch interface as a zone member for both...

Page 577: ...ess 2001 db8 800 200c 417a 64 Local sWWN interface example switch config fcalias member interface fc 2 1 Remote sWWN interface example switch config fcalias member interface fc2 1 swwn 20 00 00 05 30 00 4a de Domain ID interface example switch config fcalias member interface fc2 1 domain id 25 Configures a member for the specified fcalias AliasSample based on the type pWWN fabric pWWN FC ID domain...

Page 578: ...get does not appear in the zoning end devices database in Fabric Manager If you want to zone the virtual device with a pWWN you must enter it in the Add Member to Zone dialog box when creating a zone However if the device alias is in enhanced mode the virtual device names appear in the device alias database in the Fabric Manager zoning window In this case users can choose to select either the devi...

Page 579: ...y an Nx port As frames enter the switch source destination IDs are compared with permitted combinations to allow the frame at wirespeed Hard zoning is applied to all forms of zoning Note Hard zoning enforces zoning restrictions on every frame and prevents unauthorized access Switches in the Cisco MDS 9000 Family support both hard and soft zoning Zone Set Distribution You can distribute full zone s...

Page 580: ...guration You must explicitly issue the copy running config startup config command to save the full zone set information to the startup configuration Note The zoneset distribute vsan vsan id command is supported in interop 2 and interop 3 modes not in interop 1 mode Use the show zone status vsan vsan id command to check the status of the one time zone set distribution request switch show zone statu...

Page 581: ...ort and export commands from a single switch Importing from one switch and exporting from another switch can lead to isolation again Switch 1 Switch 2 79949 Isolated port due to active zone set mismatch From Switch 1 Import database forces Switch 1 to use the database configured in Switch 2 From Switch 1 Export database forces Switch 2 to use the database configured in Switch 1 Command Purpose Ste...

Page 582: ...3 16 Renaming Zones Zone Sets and Aliases page 23 17 Cloning Zones Zone Sets FC Aliases and Zone Attribute Groups page 23 17 Clearing the Zone Server Database page 23 17 Copying Zone Sets On the Cisco MDS Family switches you cannot edit an active zone set However you can copy an active zone set to create a new zone set that you can edit To make a copy of a zone set follow this step Caution If the ...

Page 583: ... database Command Purpose Step 1 switch config t Enters configuration mode Step 2 switch config zoneset rename oldname newname vsan 2 Renames a zone set in the specified VSAN switch config zone rename oldname newname vsan 2 Renames a zone in the specified VSAN switch config fcalias rename oldname newname vsan 2 Renames a fcalias in the specified VSAN switch config zone attribute group rename oldna...

Page 584: ...rol between devices Using this feature you can configure the Quality of Service QoS priority as a zone attribute You can assign the QoS traffic priority attribute to be high medium or low By default zones with no specified priority are implicitly assigned a low priority See the VSAN Versus Zone Based QoS section on page 56 6 for more information To use this feature you need to obtain the ENTERPRIS...

Page 585: ...ne switch config zone attribute qos priority low Configures this zone to assign low priority QoS traffic to each frame matching this zone switch config zone no attribute qos priority high Reverts to using the default low priority for this zone Step 4 switch config zone exit switch config Returns to configuration mode Step 5 switch config zoneset name QosZoneset vsan 2 switch config zoneset Configu...

Page 586: ...VSAN Configuring Broadcast Zoning To broadcast frames in the basic zoning mode follow these steps Step 3 switch config default zone attribute qos priority high Sets the QoS priority attribute for frames matching these zones switch config default zone no attribute qos priority high Removes the QoS priority attribute for the default zone and reverts to default low priority Command Purpose Command Pu...

Page 587: ... restrict access to specific LUNs associated with a device Note When LUN 0 is not included within a zone then as per standards requirements control traffic to LUN 0 for example REPORT_LUNS INQUIRY is supported but data traffic to LUN 0 for example READ WRITE is denied Host H1 can access LUN 2 in S1 and LUN 0 in S2 It cannot access any other LUNs in S1 or S2 Host H2 can access LUNs 1 and 3 in S1 an...

Page 588: ...g a LUN Based Zone section on page 23 22 Note Refer to the relevant user manuals to obtain the LUN number for each HBA Caution If you make any errors when assigning LUNs you might lose data S1 H1 S1 S2 H2 Zone 1 Zone 2 Zone 2 79540 Fabric LUN 0 LUN 1 LUN 2 LUN 3 LUN 0 LUN 1 LUN 2 LUN 3 Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config zone name Lun...

Page 589: ...op mode in that switch Read only volumes are not supported by some operating system and file system combinations for example Windows NT or Windows 2000 and NTFS file system Volumes within read only zones are not available to such hosts However if these hosts are already booted when the read only zones are activated then read only volumes are available to those hosts The read only zone feature beha...

Page 590: ...41 00 05 30 00 2a 1e fwwn 20 42 00 05 30 00 2a 1e fwwn 20 43 00 05 30 00 2a 1e zone name Zone1 vsan 1 pwwn 21 00 00 20 37 6f db dd pwwn 21 00 00 20 37 a6 be 2f pwwn 21 00 00 20 37 9c 48 e5 fcalias Alias1 zone name Techdocs vsan 3 ip address 10 15 0 0 255 255 255 0 zone name Zone21 vsan 5 pwwn 21 00 00 20 37 a6 be 35 pwwn 21 00 00 20 37 a6 be 39 fcid 0xe000ef fcid 0xe000e0 symbolic nodename iqn tes...

Page 591: ...xample 23 3 Displays Configured Zone Set Information switch show zoneset vsan 1 zoneset name ZoneSet2 vsan 1 zone name Zone2 vsan 1 fwwn 20 4e 00 05 30 00 2a 1e fwwn 20 4f 00 05 30 00 2a 1e fwwn 20 50 00 05 30 00 2a 1e fwwn 20 51 00 05 30 00 2a 1e fwwn 20 52 00 05 30 00 2a 1e zone name Zone1 vsan 1 pwwn 21 00 00 20 37 6f db dd pwwn 21 00 00 20 37 a6 be 2f pwwn 21 00 00 20 37 9c 48 e5 fcalias Alias...

Page 592: ...onfiguration switch show fcalias vsan 1 fcalias name Alias2 vsan 1 fcalias name Alias1 vsan 1 pwwn 21 00 00 20 37 6f db dd pwwn 21 00 00 20 37 9c 48 e5 Use the show zone member command to display all zones to which a member belongs using the FC ID Example 23 7 Displays Membership Status switch show zone member pwwn 21 00 00 20 37 9c 48 e5 VSAN 1 zone Zone3 zone Zone1 fcalias Alias1 Use the show zo...

Page 593: ...00 00 00 00 00 00 Number of Inquiry commands received 10 Number of Inquiry data No LU sent 5 Number of Report LUNs commands received 10 Number of Request Sense commands received 1 Number of Other commands received 0 Number of Illegal Request Check Condition sent 0 S ID 0x123456 D ID 0x22222 LUN 00 00 00 00 00 00 00 01 Number of Inquiry commands received 1 Number of Inquiry data No LU sent 1 Number...

Page 594: ...n 21 00 00 20 37 9c 48 e5 zone name Zone1 vsan 1667 fcid 0x123456 zone name default_zone vsan 1667 Example 23 14 Displays Active Zone Sets switch show zoneset active zoneset name ZoneSet4 vsan 1 zone name Zone2 vsan 1 fcid 0x6c01ef pwwn 21 00 00 20 37 9c 48 e5 zone name IVRZ_IvrZone1 vsan 1 pwwn 10 00 00 00 77 99 7a 1b fcid 0xce0000 pwwn 10 00 00 00 c9 2d 5a dd zoneset name QosZoneset vsan 2 zone ...

Page 595: ...ompleted at Thu Feb 13 10 23 50 2003 Use the show zone command to display the zone attributes for all configured zones Example 23 16 Displays Zone Statistics switch show zone zone name lunSample vsan 1 Read write attribute zone name ReadOnlyZone vsan 2 attribute read only Read only attribute Use the show running and show zone active commands to display the configured interface based zones see Exam...

Page 596: ...ng The zoning feature complies with the FC GS 4 and FC SW 3 standards Both standards support the basic zoning functionalities explained in the previous section and the enhanced zoning functionalities described in this section This section includes the following topics About Enhanced Zoning page 23 30 Changing from Basic Zoning to Enhanced Zoning page 23 31 Changing from Enhanced Zoning to Basic Zo...

Page 597: ... each zone set References to the zone are used by the zone sets as required once you define the zone Reduced payload size as the zone is referenced The size is more pronounced with bigger databases The default zone policy is defined per switch To ensure smooth fabric operation all switches in the fabric must have the same default zone setting Enforces and exchanges the default zone setting through...

Page 598: ...operation mode to basic zoning mode By doing so you will automatically start a session acquire a fabric wide lock distribute the zoning information using the basic zoning data structure apply the configuration changes and release the lock from all switches in the fabric All switches in the fabric then move to basic zoning mode Note If a switch running Cisco SAN OS Release 2 0 1b or later with enha...

Page 599: ...he zoning database on the switches in a VSAN use the no zone commit vsan command from the switch where the database was initially locked switch config t switch config no zone commit vsan 2 If session locks remain on remote switches after using the no zone commit vsan command you can use the clear zone lock vsan command on the remote switches switch clear zone lock vsan 2 Note We recommend using th...

Page 600: ...ed and only the configured attributes are present in the active zone set Merging the Database The merge behavior depends on the fabric wide merge control setting Restrict If the two database are not identical the ISLs between the switches are isolated Allow The two databases are merged using the merge rules specified in Table 23 3 Table 23 3 Database Zone Merge Status Local Database Adjacent Datab...

Page 601: ...ne set and the full zone set should be identical Otherwise the link is isolated b If the setting is allow then the merge rules are used to perform the merge Configuring Zone Merge Control Policies To configure merge control policies follow these steps Default Zone Policies To permit or deny traffic in the default zone follow these steps Command Purpose Step 1 switch config t switch config Enters c...

Page 602: ... broadcast zone with the source of broadcast frames No Yes Yes Broadcast to all Nx ports Yes No No Broadcasting is disabled Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config zone attribute group name BroadcastAttr vsan 2 Configures the zone attribute group for the required VSAN switch config no zone attribute group name BroadAttr vsan 1 Removes the...

Page 603: ...gh pwwn 21 01 00 e0 8b 2e a3 8a pwwn 22 00 00 0c 50 02 cb 59 zone name default_zone vsan 2 Step 6 switch config zone commit vsan 1 Commit operation initiated switch config end Applies the changes to the enhanced zone configuration and exits this submode Step 7 switch show zone vsan 1 zone name BroadcastAttr vsan 1 zone attribute group name BroadcastAttr vsan 1 broadcast pwwn 21 00 00 e0 8b 0b 66 5...

Page 604: ...ne name testzone3 vsan 2 pwwn 21 01 00 e0 8b 2e 68 8a pwwn 22 00 00 0c 50 02 cb 80 Example 23 22 Displays the Zone Attribute Group Information for a Specified VSAN switch show zone attribute group vsan 2 zone attribute group name default_zone_attr_group vsan 2 read only qos priority high broadcast zone attribute group name testattgp vsan 2 read only broadcast qos priority high Example 23 23 Displa...

Page 605: ... switch show zoneset pending vsan 2 No pending info found Example 23 27 Displays the Pending Zone Information for the VSAN to be Committed switch show zone pending vsan 2 No pending info found Example 23 28 Displays the Pending Zone Information for the VSAN to be Committed switch show zone attribute group pending vsan 2 No pending info found Example 23 29 Displays the Pending Active Zone Set Infor...

Page 606: ... procedure for every VSAN on the switch with more than 2000 zones Note A merge failure occurs when a switch supports more than 2000 zones per VSAN but its neighbor does not Also zone set activation can fail if the switch has more than 2000 zones per VSAN and not all switches in the fabric support more than 2000 zones per VSAN To delete zones and compact the zone database for a VSAN follow these st...

Page 607: ...m zones 1 Number of IVR zones 0 Number of IPS zones 0 Formattted size 38 bytes 2048 Kb Note The maximum size of the active zone set database per VSAN is 2000 KB Example 23 35 Zone Set Analysis switch show zone analysis zoneset zs1 vsan 1 Zoning database analysis vsan 1 Zoneset analysis zs1 Num zonesets 1 Num zones 0 Num aliases 0 Num attribute groups 0 Formattted size 20 bytes 2048 Kb See the Cisc...

Page 608: ... s c o c o m 23 42 Cisco MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 23 Configuring and Managing Zones Default Settings Broadcast zoning Disabled Enhanced zoning Disabled Table 23 5 Default Basic Zone Parameters continued Parameters Default ...

Page 609: ...e 24 11 About Device Aliases When the port WWN of a device must be specified to configure different features zoning QoS port security in a Cisco MDS 9000 Family switch you must assign the right device name each time you configure these features An inaccurate device name may cause unexpected results You can circumvent this problem if you define a user friendly name for a port WWN and use this name ...

Page 610: ...configuration differences between zone based alias configuration and device alias configuration Device Alias Databases The device alias feature uses two databases to accept and implement device alias configurations Effective database The database currently used by the fabric Pending database Your subsequent device alias configuration changes are stored in the pending database Table 24 1 Comparison...

Page 611: ...device alias name x pwwn 21 01 00 e0 8b 2e 80 93 About Device Alias Distribution By default device alias distribution is enabled The device alias feature uses the coordinated distribution mechanism to distribute the modifications to all switches in a fabric If you have not committed the changes and you disable distribution then a commit task will fail See Example 24 1 Example 24 1 Displays a Faile...

Page 612: ...ons from this point on are made to the pending database The pending database remains in effect until you commit the modifications to the pending database or discard abort the changes to the pending database Step 1 Select a switch from the drop down menu Step 2 Complete the Alias name and pWWN fields Committing Changes If you commit the changes made to the pending database the following events occu...

Page 613: ...able in the volatile directory and are subject to being discarded if the switch is restarted To use administrative privileges and release a locked device alias session use the clear device name session command in EXEC mode switch clear device alias session To display the status of the clear operation use the show device alias status command switch show device alias status Fabric Distribution Enabl...

Page 614: ...ssued from this switch Operation Disable Fabric Distribution Status Success About Legacy Zone Alias Configuration You can import legacy zone alias configurations to use this feature without loosing data if they satisfy the following restrictions Each zone alias has only one member The member type is pWWN The name and definition of the zone alias should not be the same as any existing device alias ...

Page 615: ...cid 0x670100 pwwn 21 01 00 e0 8b 2e 80 93 x pwwn 21 00 00 20 37 39 ab 5f y zone name z2 vsan 1 fcid 0x670200 pwwn 21 00 00 e0 8b 0b 66 56 SampleName pwwn 21 00 00 20 37 39 ac 0d z Device Alias Statistics Cleanup Use the clear device name statistics command to clear device alias statistics for debugging purposes switch clear device alias statistics Database Merge Guidelines Refer to the CFS Merge S...

Page 616: ...6 56 device alias name y pwwn 21 00 00 20 37 39 ab 5f device alias name z pwwn 21 00 00 20 37 39 ac 0d Total number of entries 4 Example 24 9 Displays the Specified Device Name in the Pending Database switch show device alias name x pending device alias name x pwwn 21 01 00 e0 8b 2e 80 93 Example 24 10 Displays the Specified pWWN in the Pending Database switch show device alias pwwn 21 01 00 e0 8b...

Page 617: ... 28 bytes from 21 01 00 e0 8b 2e 80 93 time 226 usec 28 bytes from 21 01 00 e0 8b 2e 80 93 time 372 usec Example 24 16 Displays the fctrace Information for the Specified Device Alias switch fctrace device alias x vsan 1 Route present for 21 01 00 e0 8b 2e 80 93 20 00 00 05 30 00 4a e2 0xfffc67 Where available device aliases are displayed regardless of a member being configured using a device alias...

Page 618: ... Cisco MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 24 Distributing Device Alias Services Device Alias Configuration Verification Activation requests received 0 Activation request rejects sent 0 Activation requests sent 2 Activation request rejects received 0 ...

Page 619: ...N OS Release 3 x Chapter 24 Distributing Device Alias Services Default Settings Default Settings Table 24 2 lists the default settings for device alias parameters Table 24 2 Default Device Alias Parameters Parameters Default Database in use Effective database Database to accept changes Pending database Device alias fabric lock state Locked with the first device alias task ...

Page 620: ...t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m 24 12 Cisco MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 24 Distributing Device Alias Services Default Settings ...

Page 621: ...lates the best path between any two switches in a fabric Specifically FSPF is used to Dynamically compute routes throughout a fabric by establishing the shortest and quickest path between any two switches Select an alternative path in the event of the failure of a given path FSPF supports multiple paths and automatically computes an alternative path around a failed link It provides a preferred rou...

Page 622: ...the links on all switches in the fabric and associates a cost with each link Guarantees a fast reconvergence time in case of a topology change Uses the standard Dijkstra s algorithm but there is a static dynamic option for a more robust efficient and incremental Dijkstra s algorithm The reconvergence time is fast and efficient as the route computation is done on a per VSAN basis FSPF Examples This...

Page 623: ... of routing loops traffic loss or fabric downtime for route reconfiguration Figure 25 2 Fault Tolerant Fabric with Redundant Links For example if all links are of equal speed and no PortChannels exist the FSPF calculates four equal paths from A to C A1 E C A2 E C A3 D C and A4 D C If PortChannels exist these paths are reduced to two Fail Over Scenarios for PortChannels and FSPF Links The SmartBits...

Page 624: ...mpatible with those settings This section includes the following topics About SPF Computational Hold Times page 25 4 About Link State Record Defaults page 25 4 Configuring FSPF on a VSAN page 25 5 Resetting FSPF to the Default Configuration page 25 5 Enabling or Disabling FSPF page 25 6 Clearing FSPF Counters for the VSAN page 25 6 About SPF Computational Hold Times The SPF computational hold time...

Page 625: ...knowledgment from the LSR before retransmission Refresh time LSRefreshTime 30 minutes The time a switch waits before sending an LSR refresh transmission Maximum age MaxAge 60 minutes The time a switch waits before dropping the LSR from the database Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config fspf config vsan 1 Enters FSPF global configuration...

Page 626: ...me Intervals page 25 8 About Retransmitting Intervals page 25 8 Configuring Retransmitting Intervals page 25 8 About Disabling FSPF for Specific Interfaces page 25 8 Disabling FSPF for Specific Interfaces page 25 9 Clearing FSPF Counters for an Interface page 25 9 About FSPF Link Cost FSPF tracks the state of links on all switches in the fabric associates a cost with each link in its database and ...

Page 627: ... interval for which a hello message must be received before the neighbor is considered lost and removed from the database The integer value can range from 1 to 65 535 seconds Note This value must be the same in the ports at both ends of the ISL Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config interface fc1 4 switch config if Configures the specifi...

Page 628: ...for Specific Interfaces You can disable the FSPF protocol for selected interfaces By default FSPF is enabled on all E ports and TE ports This default can be disabled by setting the interface as passive Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config interface fc1 4 switch config if Configures the specified interface or if already configured enter...

Page 629: ...e follow this step FSPF Routes FSPF routes traffic across the fabric based on entries in the FSPF database These routes can be learned dynamically or configured statically This section includes the following topics About Fibre Channel Routes page 25 10 Configuring Fibre Channel Routes page 25 10 About Broadcast and Multicast Routing page 25 12 About Multicast Root Switch page 25 12 Setting the Mul...

Page 630: ...ased on its FC ID Using the FC ID for the specified interface and domain you can configure the specified route for example FC ID 111211 and domain ID 3 in the switch with domain ID 1 see Figure 25 4 Figure 25 4 Fibre Channel Routes Note Other than in VSANs runtime checks are not performed on configured and suspended static routes Configuring Fibre Channel Routes To configure a Fibre Channel route ...

Page 631: ...1211 and a domain ID 3 to the next hop switch switch config fcroute 0x031211 interface fc1 1 domain 3 metric 1 vsan 1 switch config if Configures the static route for a specific FC ID and next hop domain ID and also assigns the cost of the route If the remote destination option is not specified the default is direct switch config fcroute 0x111112 interface fc1 1 domain 3 metric 3 remote vsan 3 Add...

Page 632: ...he root to compute the multicast tree in interop mode About Multicast Root Switch By default the native non interop mode uses the principal switch as the root If you change the default be sure to configure the same mode in all switches in the fabric Otherwise multicast traffic could face potential loop and frame drop problems Note The operational mode can be different from the configured interop m...

Page 633: ...ived Use IOD only if your environment cannot support out of order frame delivery Tip If you enable the in order delivery feature the graceful shutdown feature is not implemented This section includes the following topics About Reordering Network Frames page 25 13 About Reordering PortChannel Frames page 25 15 About Enabling In Order Delivery page 25 15 Enabling In Order Delivery Globally page 25 1...

Page 634: ...figuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 25 Configuring Fibre Channel Routing Services and Protocols In Order Delivery Frames in the network are delivered in the order in which they are transmitted Frames that cannot be delivered in order within the network latency drop period are dropped inside the network ...

Page 635: ...rs the frames crossing the PortChannel are treated as follows Frames using the old path are delivered before new frames are accepted The new frames are delivered through the new path after the switch latency drop period has elapsed and all old frames are flushed Frames that cannot be delivered in order through the old path within the switch latency drop period are dropped See the Configuring the D...

Page 636: ...domain switch for the multicast tree computation follow these steps Displaying the In Order Delivery Status Use the show in order guarantee command to display the present configuration status switch show in order guarantee global inorder delivery configuration guaranteed VSAN specific settings vsan 1 inorder delivery guaranteed vsan 101 inorder delivery not guaranteed vsan 1000 inorder delivery gu...

Page 637: ...vsan 2 network latency 2000 milliseconds vsan 103 network latency 2000 milliseconds Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config fcdroplatency network 5000 Configures network drop latency time to be 5000 msec for the network The valid range is 0 to 60000 msec The default is 2000 msec Note The network drop latency must be computed as the sum of...

Page 638: ...splaying Global FSPF Information page 25 20 About Flow Statistics If you enable flow counters you can enable a maximum of 1K entries for aggregate flow and flow statistics for Generation 1 modules and 2 K entries for Generation 2 modules Be sure to assign an unused flow index to a module for each new flow Flow indexes can be repeated across modules The number space for flow index is shared between...

Page 639: ...cs Use the show fcflow stats commands to view flow statistics see Example 25 4 to 25 6 Example 25 4 Displays Aggregated Flow Details for the Specified Module switch show fcflow stats aggregated module 2 Idx VSAN frames bytes 0000 4 387 653 674 235 875 0001 6 34 402 2 896 628 Example 25 5 Displays Flow Details for the Specified Module switch show fcflow stats module 2 Idx VSAN D ID S ID mask frames...

Page 640: ...ture is not implemented LS_refresh_time interval time lapse between refresh LSR transmissions Max_age maximum time aa LSR can stay before being deleted Example 25 7 Displays FSPF Information for a Specified VSAN switch show fspf vsan 1 FSPF routing for VSAN 1 FSPF routing administration status is enabled FSPF routing operational status is UP It is an intra domain router Autonomous region is 0 SPF ...

Page 641: ...LSR Type 1 Advertising domain ID 0x0c 12 LSR Age 1686 LSR Incarnation number 0x80000024 LSR Checksum 0x3caf Number of links 2 NbrDomainId IfIndex NbrIfIndex Link Type Cost 0x65 101 0x0000100e 0x00001081 1 500 0x65 101 0x0000100f 0x00001080 1 500 FSPF Link State Database for VSAN 1 Domain 0x65 101 LSR Type 1 Advertising domain ID 0x65 101 LSR Age 1685 LSR Incarnation number 0x80000028 LSR Checksum ...

Page 642: ...F routing administrative state is active Interface cost is 500 Timer intervals configured Hello 20 s Dead 80 s Retransmit 5 s FSPF State is FULL Neighbor Domain Id is 0x0c 12 Neighbor Interface index is 0x0f100000 Statistics counters Number of packets received LSU 8 LSA 8 Hello 118 Error packets 0 Number of packets transmitted LSU 8 LSA 8 Hello 119 Retransmitted LSU 0 Number of times inactivity ti...

Page 643: ... up to 16 equal cost paths to a given destination Load balancing Based on destination ID and source ID on different equal cost paths In order delivery Disabled Drop latency Disabled Static route cost If the cost metric of the route is not specified the default is 10 Remote destination switch If the remote destination switch is not specified the default is direct Multicast routing Uses the principa...

Page 644: ... m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m 25 24 Cisco MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 25 Configuring Fibre Channel Routing Services and Protocols Default Settings ...

Page 645: ...Fibre Channel fabric each host or disk requires an FC ID Use the show flogi command to verify if a storage device is displayed in the fabric login FLOGI table as in the following examples If the required device is displayed in the FLOGI table the fabric login is successful Examine the FLOGI database on a switch that is directly connected to the host HBA and connected ports Displaying FLOGI Details...

Page 646: ...37 5b cf b9 20 00 00 20 37 5b cf b9 fc1 11 1 0xa002d6 21 00 00 20 37 46 78 97 0 00 00 20 37 46 78 97 Total number of flogi 10 Example 26 3 Displays the FLOGI Database by VSAN switch show flogi database vsan 1 INTERFACE VSAN FCID PORT NAME NODE NAME fc1 3 1 0xef02ef 22 00 00 20 37 18 17 d2 20 00 00 20 37 18 17 d2 fc1 3 1 0xef02e8 22 00 00 20 37 38 a7 c1 20 00 00 20 37 38 a7 c1 fc1 3 1 0xef02e4 22 0...

Page 647: ...ate pWWN page 26 3 Rejecting Duplicate pWWNs page 26 4 About Name Server Database Entries page 26 4 Displaying Name Server Database Entries page 26 4 Displaying Name Server Database Entries page 26 4 About Registering Name Server Proxies All name server registration requests come from the same port whose parameter is registered or changed If it does not then the request is rejected This authorizat...

Page 648: ...or for all VSANs see Examples 26 5 to 26 8 Example 26 5 Displays the Name Server Database switch show fcns database FCID TYPE PWWN VENDOR FC4 TYPE FEATURE 0x010000 N 50 06 0b 00 00 10 a7 80 scsi fcp fc gs 0x010001 N 10 00 00 05 30 00 24 63 Cisco ipfc 0x010002 N 50 06 04 82 c3 a0 98 52 Company 1 scsi fcp 250 0x010100 N 21 00 00 e0 8b 02 99 36 Company A scsi fcp 0x020000 N 21 00 00 e0 8b 08 4b 20 Co...

Page 649: ...0 port wwn vendor 10 00 00 5a c9 28 c7 01 node wwn 10 00 00 5a c9 28 c7 01 class 3 node ip addr 0 0 0 0 ipa ff ff ff ff ff ff ff ff fc4 types fc4_features symbolic port name symbolic node name port type N port ip addr 0 0 0 0 fabric port wwn 22 0a 00 05 30 00 26 1e hard addr 0x000000 Total number of entries 2 Example 26 8 Displays the Name Server Statistics switch show fcns statistics registration...

Page 650: ...t Servers switch show fdmi database Registered HBA List for VSAN 1 10 00 00 00 c9 32 8d 77 21 01 00 e0 8b 2a f6 54 switch show fdmi database detail Registered HBA List for VSAN 1 HBA ID 10 00 00 00 c9 32 8d 77 Node Name 20 00 00 00 c9 32 8d 77 Manufacturer Emulex Corporation Serial Num 0000c9328d77 Model LP9002 Model Description Emulex LightPulse LP9002 2 Gigabit PCI Fibre Channel Adapter Hardware...

Page 651: ...dapter Hardware Ver FC5010409 10 Driver Ver 8 2 3 10 Beta 2 Test 1 DBG W2K VI ROM Ver 1 24 Firmware Ver 03 02 13 OS Name Ver 500 CT Payload Len 2040 Port id 21 01 00 e0 8b 2a f6 54 Example 26 11 Displays Details for the Specified HBA Entry switch show fdmi database detail hba id 21 01 00 e0 8b 2a f6 54 vsan 1 Node Name 20 01 00 e0 8b 2a f6 54 Manufacturer QLogic Corporation Serial Num 74262 Model ...

Page 652: ...SCN is sent to all reachable switches in the fabric Note The switch sends an RSCN to notify registered nodes that a change has occurred It is up to the nodes to query the name server again to obtain the new information The details of the changed information are not delivered by the switch in the RSCN sent to the nodes Displaying RSCN Information Use the show rscn command to display RSCN informatio...

Page 653: ...long to the same zone If disks D1 and D2 are online at the same time then one of the following applies The multi pid option is disabled on switch 1 two RSCNs are generated to host H one for the disk D1 and another for disk D2 The multi pid option is enabled on switch 1 a single RSCN is generated to host H and the RSCN payload lists the affected port IDs in this case both D1 and D2 Note Some Nx por...

Page 654: ...the show rscn command switch show rscn statistics vsan 1 Statistics for VSAN 1 Number of SCR received 0 Number of SCR ACC sent 0 Number of SCR RJT sent 0 Number of RSCN received 0 Number of RSCN sent 0 Number of RSCN ACC received 0 Number of RSCN ACC sent 0 Number of RSCN RJT received 0 Number of RSCN RJT sent 0 Number of SW RSCN received 0 Number of SW RSCN sent 0 Number of SW RSCN ACC received 0...

Page 655: ...ices CFS infrastructure alleviates this situation by automatically distributing the RSCN timer configuration information to all switches in a fabric This also reduces the number of SW RSCNs See Chapter 6 Using the CFS Infrastructure RSCN supports two modes distributed and nondistributed In distributed mode RSCN uses CFS to distribute configuration to all switches in the fabric In nondistributed mo...

Page 656: ...ading to an earlier Cisco MDS SAN OS release using show incompatibility system command You must disable RSCN timer distribution support before downgrading to an earlier release Note By default the RSCN timer distribution capability is disabled and is compatible when upgrading from any Cisco MDS SAN OS release earlier to 3 0 Note For CFS distribution to operate correctly for the RSCN timer configur...

Page 657: ...e lock by either committing or discarding the changes an administrator can release the lock from any switch in the fabric If the administrator performs this task your changes to the pending database are discarded and the fabric lock is released Tip The pending database is only available in the volatile directory and are subject to being discarded if the switch is restarted To use administrative pr...

Page 658: ... display the set of configuration commands that would take effect when you commit the configuration Note The pending database includes both existing and modified configuration switch show rscn pending rscn event tov 2000 ms vsan 1 rscn event tov 2000 ms vsan 2 rscn event tov 300 ms vsan 10 Use the show rscn pending diff command to display the difference between pending and active configurations Th...

Page 659: ... this information To report device capacity serial number and device ID information To register the initiator and target features with the name server The SCSI LUN discovery feature uses the local domain controller Fibre Channel address It uses the local domain controller as the source FC ID and performs SCSI INQUIRY REPORT LUNS and READ CAPACITY commands on SCSI devices The SCSI LUN discovery fea...

Page 660: ... Discovered Targets switch show scsi target status discovery completed Command Purpose Step 1 switch discover scsi target local os all discovery started Discovers local SCSI targets for all operating systems OS The operating system options are aix all hpux linux solaris or windows switch discover scsi target remote os aix discovery started Discovers remote SCSI targets assigned to the AIX OS switc...

Page 661: ...05 30 00 2a 20 Cisco FICON CUP Total number of entries 1 Example 27 3 Displays the Discovered Target Disks switch show scsi target disk VSAN FCID PWWN VENDOR MODEL REV 1 0x9c03d6 21 00 00 20 37 46 78 97 Company 4 ST318203FC 0004 1 0x9c03d9 21 00 00 20 37 5b cf b9 Company 4 ST318203FC 0004 1 0x9c03da 21 00 00 20 37 18 6f 90 Company 4 ST318203FC 0004 1 0x9c03dc 21 00 00 20 37 5a 5b 27 Company 4 ST31...

Page 662: ...d0001 in VSAN 7 PWWN is 21 00 00 04 cf fb 42 f8 OS LUN Capacity Status Serial Number Device Id MB SOL 0x0 36704 Online 3JA1B9QA00007338 C 1 A 0 T 3 20 00 00 04 cf fb 42 f8 The following command displays the port WWN that is assigned to each OS Windows AIX Solaris Linux or HPUX Example 27 6 Displays the pWWNs for each OS switch show scsi target pwwn OS PWWN WIN 24 91 00 05 30 00 2a 1e AIX 24 92 00 ...

Page 663: ...erations see Chapter 38 Configuring Fabric Binding The Registered Link Incident Report RLIR application provides a method for a switch port to send an LIR to a registered Nx port This chapter includes the following sections About FICON page 28 1 FICON Port Numbering page 28 7 Configuring FICON page 28 14 Configuring FICON Ports page 28 23 FICON Configuration Files page 28 32 Port Swapping page 28 ...

Page 664: ...ld be isolated using VSANs This section includes the following topics FICON Requirements page 28 2 MDS Specific FICON Advantages page 28 3 FICON Cascading page 28 7 FICON VSAN Prerequisites page 28 7 FICON Requirements The FICON feature has the following requirements You can implement FICON features in the following switches Any switch in the Cisco MDS 9500 Series Any switch in the Cisco MDS 9200 ...

Page 665: ...gh level of switch management and have a higher implementation cost Further the ports in each island may be over provisioned depending on the fabric configuration By using the Cisco MDS specific VSAN technology you can introduce greater efficiency between these physical fabrics by lowering the cost of over provisioning and reducing the number of switches to be managed VSANs also help you to move u...

Page 666: ...cards and are dynamic in size For example one FICON LPAR with 10 ports can span 10 different line cards FICON LPARs can also include ports on more than one switch in a cascaded configuration The consistent fairness of the Cisco MDS 9000 switching architecture means that all ports are created equal simplifying provisioning by eliminating the local switching issues seen on other vendors platforms Ad...

Page 667: ...vestment protection The Cisco MDS 9000 Family shares common switching and service modules across the Cisco MDS 9500 Series and the 9200 Series Refer to the Cisco MDS 9500 Series Hardware Installation Guide and the Cisco MDS 9200 Series Hardware Installation Guide High availability FICON enabled director The Cisco MDS 9500 Series combines nondisruptive software upgrades stateful process restart and...

Page 668: ...d statistics Configuration files Store and apply configuration files See the FICON Configuration Files section on page 28 32 FICON and Open Systems Management Server features if installed See the VSANs for FICON and FCP Mixing section on page 28 5 Enhanced cascading support See the CUP In Band Management section on page 28 40 Date and time Set the date and time on the switch See the Allowing the H...

Page 669: ...pter 17 Configuring Domain Parameters Verify that the configured domain ID and requested domain ID match See Chapter 17 Configuring Domain Parameters Add the CUP area FE to the zone if you are using zoning See the CUP In Band Management section on page 28 40 If any of these requirements are not met the FICON feature cannot be enabled FICON Port Numbering With reference to the FICON feature ports i...

Page 670: ... 16 port numbers assigned for each slot These default numbers are assigned regardless of the module s physical presence in the chassis the port status up or down or the number of ports on the module 4 12 16 24 or 48 If a module has fewer ports than the number of port numbers assigned to the slot then the excess port numbers are unused If a module has more ports than the number of port numbers assi...

Page 671: ...port 12 port 16 port or 24 port module are used and the rest remain unused Extra 16 ports on 48 port modules are not allocated numbers Slot 2 32 through 63 Cisco MDS 9506 Director Slot 1 0 through 31 128 through 153 154 through 253 and port 255 Supervisor modules are not allocated port numbers Slot 2 32 through 63 Slot 3 64 through 95 Slot 4 96 through 127 Slot 5 None Slot 6 None Cisco MDS 9134 Di...

Page 672: ...n your switch you can have ports without a port number assigned if they are not in a FICON VSAN or you can assign duplicate port numbers if they are not used in the same FICON VSAN For example you can configure port number 1 on interface fc1 1 in FICON VSAN 10 and fc10 1 in FICON VSAN 20 Note A VSAN can have a maximum of 250 port numbers Cisco MDS 9513 Director Slot 1 0 through 15 224 through 249 ...

Page 673: ...physical port fc1 4 The corresponding physical ports 0 to 3 and 5 to 249 are not in VSAN 2 When the FICON VSAN port address is displayed those port numbers with the physical ports not in VSAN 2 are not installed for example ports 0 to 3 or 5 to 249 Another scenario is if VSANs 1 through 5 are FICON enabled and trunking enabled interface fc1 1 has VSANs 3 through 10 then port address 0 is uninstall...

Page 674: ...display the port numbers reserved for logical ports switch show ficon port numbers assign logical port ficon logical port assign port numbers 128 153 About Port Numbers for FCIP and PortChannel FCIP and PortChannels cannot be used in a FICON enabled VSAN unless they are explicitly bound to a port number See the Configuring FICON Ports section on page 28 23 and the Binding Port Numbers to FCIP Inte...

Page 675: ...rfaces follow these steps FC ID Allocation FICON requires a predictable and static FC ID allocation scheme When FICON is enabled the FC ID allocated to a device is based on the port address of the port to which it is attached The port address forms the middle byte of the fabric address Additionally the last byte of the fabric address should be the same for all devices in the fabric By default the ...

Page 676: ...opics About Enabling FICON on a VSAN page 28 14 Enabling and Disabling FICON on the Switch page 28 15 Manually Enabling FICON on a VSAN page 28 18 Configuring the code page Option page 28 19 Allowing the Host to Move the Switch Offline page 28 19 Allowing the Host to Change FICON Port Parameters page 28 20 Allowing the Host to Control the Timestamp page 28 20 Clearing the Time Stamp page 28 21 Con...

Page 677: ...o MDS 9000 Family You can enable FICON on the switch either explicitly or implicitly by enabling FICON on a VSAN However disabling FICON on all VSANs does not disable FICON on the switch You must explicitly disable FICON To explicitly enable or disable FICON globally on the switch following these steps Setting Up a Basic FICON Configuration This section steps you through the procedure to set up FI...

Page 678: ... specified FICON VSAN Configure domain id for this ficon vsan 1 239 2 Step 7 Enter yes the default is no to set up FICON in cascaded mode If you enter no skip to Step 8 see the CUP In Band Management section on page 28 40 Would you like to configure ficon in cascaded mode yes no no yes a Assign the peer WWN for the FICON CUP Configure peer wwn hh hh hh hh hh hh hh hh 11 00 02 01 aa bb cc 00 b Assi...

Page 679: ...ding activate vsan 1 zone default zone permit vsan 1 ficon vsan 1 no host port control fcdomain domain 3 static vsan 2 fcdomain restart disruptive vsan 2 fabric binding activate vsan 2 force zone default zone permit vsan 2 ficon vsan 2 no host port control no active equals saved vsan database vsan 3 fcdomain domain 5 static vsan 3 fcdomain restart disruptive vsan 3 fabric binding activate vsan 3 f...

Page 680: ...Note This section describes the procedure to manually enable FICON on a VSAN If you have already enabled FICON on therequired VSAN using the automated setup recommended skip to the Automatically Saving the Running Configuration section on page 28 22 To manually enable FICON on a VSAN follow these steps Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch con...

Page 681: ...ch to an offline state To do this the host sends Set offline command x FD to CUP Control Unit Port Step 5 switch config fabric binding activate vsan 2 force Activates fabric binding on VSAN 2 See Chapter 38 Configuring Fabric Binding Step 6 switch config zone default zone permit vsan 2 Sets the default zone to permit for VSAN 2 See the CUP In Band Management section on page 28 40 Step 7 switch con...

Page 682: ...k and the hardware based director clock When a host mainframe sets the time the Cisco SAN OS software updates this difference between the clocks When a host reads the clock it computes the difference between the VSAN clock and the current director hardware clock and presents a value to the mainframe The VSAN clock s current time is reported in the output of show ficon vsan vsan id show ficon and s...

Page 683: ...u disable SNMP in the Cisco MDS switch you cannot configure FICON parameters using the Fabric Manager To configure SNMP control of FICON parameters follow these steps Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config ficon vsan 2 switch config ficon Enables FICON on VSAN 2 Step 3 switch config ficon no host set timestamp Prohibits mainframe users f...

Page 684: ... a switch reboot The active equals saved option can be enable on any FICON VSAN Table 28 2 displays the results of the active equals saved command and the implicit copy running config startup config command in various scenarios If the active equals saved is enabled in any FICON enabled VSAN in the fabric then the following apply see Number 1 and 2 in Table 28 2 All configuration changes FICON spec...

Page 685: ...Configuring Port Blocking page 28 24 2 Yes Yes even in one FICON VSAN Implicit FICON changes written to IPL file for only the VSAN that has active equals saved option enabled Non FICON changes saved to startup configuration and persistent storage 3 Yes Not in any FICON VSAN Not implicit FICON changes are not written to the IPL file Non FICON changes are saved in persistent storage only if you expl...

Page 686: ... interface with a FICON port number to bring up that interface To bind an FCIP interface with a FICON port number follow these steps Configuring Port Blocking If you block a port the port is retained in the operationally down state If you unblock a port a port initialization is attempted When a port is blocked data and control traffic are not allowed on that port Physical Fibre Channel port blocks...

Page 687: ... E or TE mode and you try to prohibit that port your prohibit configuration is rejected Similarly if a port is not up and you prohibit that port the port is not allowed to come up in E mode or in TE mode Configuring the Default State for Port Prohibiting By default port prohibiting is disabled on the implemented interfaces on the switch As of Cisco MDS SAN OS Release 3 0 2 you can change the defau...

Page 688: ...mode Step 2 switch config ficon port default state prohibit all Enables port prohibiting as the default for all implemented interfaces on the switch switch config no ficon port default state prohibit all Disables default port prohibiting as the default for all implemented interfaces on the switch Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config fi...

Page 689: ...ing config startup config command is issued Specifying an RLIR Preferred Host As of Cisco MDS SAN OS Release 3 0 3 you can specify a preferred host to receive RLIR frames The MDS switch sends RLIR frames to the preferred host only if it meets the following conditions No host in the VSAN is registered for RLIR with the registration function set to always receive If one or more hosts in the VSAN are...

Page 690: ...nt and rejected Specify the VSAN ID to obtain VSAN statistics for a specific VSAN If you do not specify the VSAN ID then the statistics are shown for all active VSANs see Examples 28 1 and 28 2 Example 28 1 Displays RLIR Statistics for All VSANs switch show rlir statistics Statistics for VSAN 1 Number of LIRR received 0 Number of LIRR ACC sent 0 Number of LIRR RJT sent 0 Number of RLIR sent 0 Numb...

Page 691: ...er of RLIR RJT received 0 Number of DRLIR received 0 Number of DRLIR ACC sent 0 Number of DRLIR RJT sent 0 Number of DRLIR sent 0 Number of DRLIR ACC received 0 Number of DRLIR RJT received 0 The show rlir erl command shows the list of Nx ports that are registered to receive the RLIRs with the switch If the VSAN ID is not specified the details are shown for all active VSANs see Examples 28 3 and 2...

Page 692: ...rked by the is available it is printed along with the switch time stamp If the host time stamp is not available only the switch time stamp is printed Example 28 5 Displays the LIR History switch show rlir history Link incident history Host Time Stamp Switch Time Stamp Port Interface Link Incident Sun Nov 30 21 47 28 2003 Sun Nov 30 13 47 55 2003 2 fc1 2 Implicit Incident Sun Nov 30 22 00 47 2003 S...

Page 693: ... includes remote link incidents that are received as DRLIRs from other switches RLIRs are generated as a result of DRLIRs as in previous Cisco SAN OS releases see Example 28 8 Example 28 8 Displays the LIR History as of Cisco SAN OS Release 3 0 3 switch show rlir history Link incident history Host Time Stamp Switch Time Stamp VSAN Domain Port Intf Link Incident Loc Rem Sep 20 12 42 44 2006 Sep 20 ...

Page 694: ... proprietary to IBM These files can be read and written by IBM hosts using the in band CUP protocol Additionally you can use the Cisco MDS CLI or Fabric Manager applications to operate on these FICON configuration files Note Multiple FICON configuration files with the same name can exist in the same switch provided they reside in different VSANs For example you can create a configuration file name...

Page 695: ...figuration files can be accessed by any host SNMP or CLI user who is permitted to access the switch The locking mechanism in the Cisco SAN OS software restricts access to one user at a time per file This lock applies to newly created files and previously saved files Before accessing any file you must lock the file and obtain the file key A new file key is used by the locking mechanism for each loc...

Page 696: ...e1 for VSAN 2 If this file does not exist it is created Note All FICON file names are restricted to eight alphanumeric characters switch config ficon no file IplFileA Deletes a previously created FICON configuration file Step 4 switch config ficon file portaddress 3 switch config ficon file portaddr Enters the submode for port address 3 to edit the contents of the configuration file named IplFile1...

Page 697: ... is blocked Prohibited port addresses are 5 250 253 255 0x5 0xfa 0xfd 0xff Use the show ficon vsan vsan id file name filename portaddress command to display the FICON configuration file information for a specific FICON port switch show ficon vsan 2 file name IPLfilea portaddress 3 FICON configuration file IPLFILEA in vsan 2 Description Port address 3 0x3 Port name is P3 Port is blocked Prohibited ...

Page 698: ... a port in a module that has limited oversubscription ratios then you may experience a degradation in bandwidth Tip If active equals saved is enabled on any FICON VSAN then the swapped configuration is automatically saved to startup Otherwise you must explicitly save the running configuration immediately after swapping the ports Once you swap ports the switch automatically performs the following a...

Page 699: ...fault values Port tracking information is not included in port swapping This information must be configured separately see Chapter 57 Configuring Port Tracking Note The 32 port module guidelines also apply for port swapping configurations see the Fibre Channel Interfaces section on page 12 1 Swapping Ports If there are no duplicate port numbers on the switch you can swap physical Fibre Channel por...

Page 700: ... stopping of the tape head reduces the lifespan of the tape except when I O operations are directed to a virtual tape Cisco MDS SAN OS software provides acceleration for the following FICON tape write operations The link between mainframe and native tape drives both IBM and Sun STK The back end link between the VSM Virtual Storage Management and tape drive Sun STK FICON tape acceleration over FCIP...

Page 701: ...tion has the following configuration considerations In addition to the normal FICON configuration FICON tape acceleration must be enabled on both ends of the FCIP interface If only one end has FICON tape acceleration enabled acceleration does not occur FICON tape acceleration is enabled on a per VSAN basis FICON tape acceleration cannot function if multiple ISLs are present in the same VSAN PortCh...

Page 702: ...s to log on again Note This command can be issued by the host if the host is allowed to do so see the Allowing the Host to Move the Switch Offline section on page 28 19 CUP In Band Management The Control Unit Port CUP protocol configures access control and provides unified storage management capabilities from a mainframe computer Cisco MDS 9000 FICON enabled switches are fully IBM CUP standard com...

Page 703: ...an 20 Step 2 Issue the show fcns database command for the required VSAN and obtain the required FICON CUP WWN switch show fcns database vsan 20 VSAN 20 FCID TYPE PWWN VENDOR FC4 TYPE FEATURE 0x0d0d00 N 50 06 04 88 00 1d 60 83 EMC FICON CU 0x0dfe00 N 25 00 00 0c ce 5c 5e c2 Cisco FICON CUP 0x200400 N 50 05 07 63 00 c2 82 d3 IBM scsi fcp FICON CU f 0x200800 N 50 05 07 64 01 40 15 0f IBM FICON CH 0x2...

Page 704: ... MAX 0 DESTATUS 0x0 Displaying FICON Information This section includes the following topics Receiving FICON Alerts page 28 42 Displaying FICON Port Address Information page 28 43 Displaying FICON Configuration File Information page 28 44 Displaying the Configured FICON State page 28 46 Displaying a Port Administrative State page 28 46 Displaying Buffer Information page 28 47 Displaying FICON Infor...

Page 705: ...e is fc1 2 Port name is Port is not admin blocked Prohibited port addresses are 0 241 253 255 Port Address 249 is not installed in vsan 2 Port name is Port is not admin blocked Prohibited port addresses are 0 241 253 255 Port Address 250 is not installed in vsan 2 Port name is Port is not admin blocked Prohibited port addresses are 0 241 253 255 Example 28 12 Displays the Available Port Numbers sw...

Page 706: ...rors outside frames 0 frames too big 0 frames too small 0 crc errors 0 eof errors 0 invalid ordered sets 0 frames discarded c3 0 address id errors 116620 frames output 10609188 words 0 frame pacing time 0 link failures 0 loss of sync 0 loss of signal 0 primitive seq prot errors 0 invalid transmission words 1 lrr input 0 ols input 5 ols output 0 error summary Displaying FICON Configuration File Inf...

Page 707: ...User alert mode is Disabled SNMP control is Disabled Active Saved is Disabled Number of implemented ports are 250 Key Counter is 9 FCID last byte is 0 Date Time is same as system time Sun Dec 14 01 26 30 273402 1980 Device Allegiance not locked Codepage is us canada Saved configuration files IPL IPLFILE1 Example 28 17 Displays the Specified Port Addresses for a FICON Configuration File switch show...

Page 708: ...ive state of a FICON port If the port is blocked the show ficon vsan number portaddress number command displays the blocked state of the port If a specific port is prohibited this command also displays the specifically prohibited port 3 along with the ports that are prohibited by default 0 241 to 253 and 255 If a name is assigned that name is also displayed Example 28 19 Displays an Administrative...

Page 709: ...ort address configuration was changed for each key counter value The director history buffer provides a mechanism to determine the change in the port state from the previous time when a value was contained in the key counter Example 28 21 Displays the History Buffer for the Specified VSAN switch show ficon vsan 20 director history Director History Buffer for vsan 20 Key Counter Ports Address Chang...

Page 710: ...main 117 fabric binding activate vsan 11 fabric binding activate vsan 75 ficon vsan 75 interface port channel 1 ficon portnumber 0x80 switchport mode E snmp server user mblair network admin auth md5 0x688fa3a2e51ba5538211606e59ac292 7 priv 0x688fa3a2e51ba5538211606e59ac2927 localizedkey snmp server user wwilson network admin auth md5 0x688fa3a2e51ba5538211606e59ac29 27 priv 0x688fa3a2e51ba55382116...

Page 711: ...vels for the FICON Feature switch show logging level ficon Facility Default Severity Current Session Severity ficon 2 2 0 emergencies 1 alerts 2 critical 3 errors 4 warnings 5 notifications 6 information 7 debugging Example 28 26 Displays FICON Related Log File Contents switch show logging logfile 2004 Feb 25 15 38 50 vegas6 PORT 5 IF_UP VSAN 75 2004 Wed Feb 25 13 22 04 131183 Interface fc1 8 is u...

Page 712: ...addresses FC ID last byte value 0 zero EBCDIC format option US Canada Switch offline state Hosts are allowed to move the switch to an offline state Mainframe users Allowed to configure FICON parameters on Cisco MDS switches Clock in each VSAN Same as the switch hardware clock Host clock control Allows host to set the clock on this switch SNMP users Configure FICON parameters Port address Not block...

Page 713: ...ironment This section contains the following sections About CIM page 29 1 Configuring Added Security on a CIM Server page 29 2 Displaying CIM Information page 29 2 About CIM CIM messages are independent of platform and implementation because they are encoded in N Extensible Markup Language XML CIM consists of a specification and a schema The specification defines the syntax and rules for describin...

Page 714: ...ple 29 2 Displays the CIM Server HTTPS Status switch show cimserver httpsstatus cimserver Https is enabled Command Purpose Step 1 switch config t Enters configuration mode Step 2 switch config cimserver certificate bootflash simserver pem Installs a Secure Socket Layer SSL certificate specified in the file named with a pem extension switch config cimserver clearcertificate Certificate1 Optional Cl...

Page 715: ...ST 20081202374964083 Query SELECT FROM CISCO_LinkUp Destination http 10 77 91 110 59901 SubscriptionState Enabled Example 29 5 Displays CIM Server indication filters switch show cimserver indication filters Filter root cimv2 Feb 7 2008 2 32 11 PM Query SELECT FROM CISCO_LinkUp Query Language WQL Example 29 6 Displays CIM Server indication recipients switch show cimserver indication recipients Hand...

Page 716: ...l is set to INFORMATION in CIMServer cimserver Https is enabled Example 29 11 Displays CIM Server Certificate Files switch show cimserver certificateName cimserver certificate file name is servcert pem Example 29 12 For clearing CIM Server Certificate Files switch config cimserver clearcertificate Fibre Channel Time Out Values You can modify Fibre Channel protocol related timer values for the swit...

Page 717: ...ied when you change the timer value the changed value is applied to all VSANs in the switch To configure Fibre Channel timers across all VSANs follow these steps Timer Configuration Per VSAN You can also issue the fctimer for a specified VSAN to configure different TOV values for VSANs with special links like FC or IP tunnels You can configure different E_D_TOV R_A_TOV and D_S_TOV values for indiv...

Page 718: ...tion To enable or disable fctimer fabric distribution follow these steps Committing fctimer Changes When you commit the fctimer configuration changes the effective database is overwritten by the configuration changes in the pending database and all the switches in the fabric receive the same configuration When you commit the fctimer configuration changes without implementing the session feature th...

Page 719: ...nd are subject to being discarded if the switch is restarted To use administrative privileges and release a locked fctimer session use the clear fctimer session command switch clear fctimer session Database Merge Guidelines See the CFS Merge Support section on page 6 8 for detailed concepts When merging two fabrics follow these guidelines Be aware of the following merge conditions The merge protoc...

Page 720: ... ms Note The F_S_TOV constant though not configured is displayed in the output of the show fctimer command Example 29 14 Displays Configured TOVs for a Specified VSAN switch show fctimer vsan 10 vsan no F_S_TOV D_S_TOV E_D_TOV R_A_TOV 10 5000 ms 5000 ms 3000 ms 10000 ms World Wide Names The world wide name WWN in the switch is equivalent to the Ethernet MAC address As with the MAC address you must...

Page 721: ... Resvd 73728 NKAU NKCR WWN Blks Configured 1760 Available 1760 100 Alarm Status Type1 NONE Types 2 5 NONE Example 29 16 Displays Specified Block ID Information switch show wwn status block id 51 WWNs in this block 21 00 ac 16 5e 52 00 03 to 21 ff ac 16 5e 52 00 03 Num of WWNs Configured 256 Allocated 0 Available 256 Block Allocation Status FREE Example 29 17 Displays the WWN for a Specific Switch ...

Page 722: ...on on page 29 10 To allow further scalability for switches with numerous ports the Cisco SAN OS software maintains a list of HBAs exhibiting this behavior Each HBA is identified by its company ID also know as Organizational Unique Identifier or OUI used in the pWWN during a fabric log in Hence a full area is allocated to the N ports with company IDs that are listed and for the others a single FC I...

Page 723: ...when the fcinterop FC ID allocation scheme is in auto mode By default the interop FC ID allocation is set to auto unless changed Tip We recommend that you set the fcinterop FC ID allocation scheme to auto and use the company ID list and persistent FC ID configuration to manipulate the FC ID device allocation Use the fcinterop FCID allocation auto command to change the FC ID allocation and the show...

Page 724: ... Specified WWN switch show fcid allocation company id from wwn 20 00 00 05 30 00 21 60 Extracted Company ID 0x000530 Switch Interoperability Interoperability enables the products of multiple vendors to come into contact with each other Fibre Channel standards guide vendors towards common external Fibre Channel interfaces If all vendors followed the standards in the same manner then interconnecting...

Page 725: ... ID Timers All Fibre Channel timers must be the same on all switches as these values are exchanged by E ports when establishing an ISL The timers are F_S_TOV D_S_TOV E_D_TOV and R_A_TOV F_S_TOV Verify that the Fabric Stability Time Out Value timers match exactly D_S_TOV Verify that the Distributed Services Time Out Value timers match exactly E_D_TOV Verify that the Error Detect Time Out Value time...

Page 726: ...de The switch continues to use src id dst id and ox id to load balance across multiple ISL links Domain reconfiguration disruptive This is a switch wide impacting event Brocade and McData require the entire switch to be placed in offline mode and or rebooted when changing domain IDs Domain reconfiguration nondisruptive This event is limited to the affected VSAN Only Cisco MDS 9000 Family switches ...

Page 727: ...SANs Step 2 Assign a domain ID in the range of 97 0x61 through 127 0x7F Note This is an limitation imposed by the McData switches switch config fcdomain domain 100 preferred vsan 1 In Cisco MDS 9000 switches the default is to request an ID from the principal switch If the preferred option is used Cisco MDS 9000 switches request a specific ID but still join the fabric if the principal switch assign...

Page 728: ...re TAC support http www cisco com tac Copyright c 2002 2003 Cisco Systems Inc All rights reserved The copyrights to certain works contained herein are owned by Cisco Systems Inc and or other third parties and are used and distributed under license Some parts of this software are covered under the GNU Public License A copy of the license is available at http www gnu org licenses gpl html Software B...

Page 729: ...8 1 auto on fcotAbsent fc2 9 1 auto on down fc2 10 1 auto on down Step 3 Use the show run command to verify if you are running the desired configuration switch show run Building Configuration interface fc2 1 no shutdown interface fc2 2 no shutdown interface fc2 3 interface fc2 4 interface fc2 5 interface fc2 6 interface fc2 7 no shutdown interface fc2 8 interface fc2 9 interface fc2 10 snip interf...

Page 730: ...tate Stable Local switch WWN 20 01 00 05 30 00 51 1f Running fabric name 10 00 00 60 69 22 32 91 Running priority 128 Current domain ID 0x64 100 verify domain id Local switch configuration information State Enabled Auto reconfiguration Disabled Contiguous allocation Disabled Configured fabric name 41 6e 64 69 61 6d 6f 21 Configured priority 128 Configured domain ID 0x64 100 preferred Principal swi...

Page 731: ... Seagate scsi fcp 0x6105e4 NL 21 00 00 20 37 28 26 0d Seagate scsi fcp 0x630400 N 10 00 00 00 c9 24 3f 75 Emulex scsi fcp 0x630500 N 50 06 01 60 88 02 90 cb scsi fcp 0x6514e2 NL 21 00 00 20 37 a7 ca b7 Seagate scsi fcp 0x6514e4 NL 21 00 00 20 37 a7 c7 e0 Seagate scsi fcp 0x6514e8 NL 21 00 00 20 37 a7 c7 df Seagate scsi fcp 0x651500 N 10 00 00 e0 69 f0 43 9f JNI Total number of entries 12 Note The ...

Page 732: ... MDS SAN OS Release 3 x Chapter 29 Advanced Features and Concepts Default Settings FC ID allocation mode Auto mode Loop monitoring Disabled Table 29 4 Default Settings for Advanced Features Parameters Default D_S_TOV 5 000 msec E_D_TOV 2 000 msec R_A_TOV 10 000 msec Interop mode Disabled Table 29 3 Default Settings for Advanced Features continued Parameters Default ...

Page 733: ...Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m P A R T 5 Security ...

Page 734: ...Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m ...

Page 735: ...are firmware or some combination thereof that implements cryptographic functions or processes including cryptographic algorithms and optionally key generation and is contained within a defined cryptographic boundary FIPS specifies certain crypto algorithms as secure and it also identifies which algorithms should be used if a cryptographic module is to be called FIPS compliant Note Cisco MDS SAN OS...

Page 736: ...hese steps Checking for FIPS Status To view FIPS status enter the show fips status command FIPS Self Tests A cryptographic module must perform power up self tests and conditional self tests to ensure that it is functional Note FIPS power up self tests automatically run when FIPS mode is enabledby entering the fips mode enable command A switch is in FIPS mode only after all self tests are successfu...

Page 737: ... when an applicable security function or operation is invoked Unlike the power up self tests conditional self tests are executed each time their associated function is accessed Conditional self tests include the following Pair wise consistency test This test is run when a public private key pair is generated Continuous random number generator test This test is run when a random number is generated...

Page 738: ...m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m 30 4 Cisco MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 30 Configuring FIPS FIPS Self Tests ...

Page 739: ...the Device Manager and vice versa This chapter includes the following sections About SNMP Security page 31 1 SNMPv3 CLI User Management and AAA Integration page 31 3 Creating and Modifying Users page 31 4 SNMP Trap and Inform Notifications page 31 8 Default Settings page 31 17 About SNMP Security SNMP is an application layer protocol that facilitates the exchange of management information between ...

Page 740: ...nts to prevent it from being seen by unauthorized sources SNMPv3 provides for both security models and security levels A security model is an authentication strategy that is set up for a user and the role in which the user resides A security level is the permitted level of security within a security model A combination of a security model and a security level determines which security mechanism is...

Page 741: ...P User Synchronization page 31 3 Restricting Switch Access page 31 4 Group Based SNMP Access page 31 4 CLI and SNMP User Synchronization Any configuration changes made to the user group role or password results in database synchronization for both SNMP and AAA To create an SNMP or CLI user use either the username or snmp server user commands The auth passphrase specified in the snmp server user co...

Page 742: ...he usmUserTable on the switch Once you have created the user change the cloned secret key before activating the user Refer to RFC 2574 CLI Create a user or modify an existing user using the snmp server user command A network operator and network admin roles are available in a Cisco MDS 9000 Family switch There is also a default role if you want to use the GUI Fabric Manager and Device Manager You ...

Page 743: ...I follow these steps Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config snmp server user joe network admin auth sha abcd1234 Creates or modifies the settings for a user joe in the network admin role using the HMAC SHA 96 authentication password abcd1234 switch config snmp server user sam network admin auth md5 abcdefgh Creates or modifies the settin...

Page 744: ...ult the SNMP agent allows the securityLevel parameters of authNoPriv and authPriv for the SNMPv3 messages that use user configured SNMPv3 message encryption with auth and priv keys To enforce the message encryption for a user follow these steps Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config snmp server user user1 role1 auth md5 0xab0211gh priv 0...

Page 745: ...s Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config snmp server globalEnforcePriv Enforces the SNMPv3 message encryption for all the users on the switch switch config no snmp server globalEnforcePriv Disables global SNMPv3 message encryption enforcement Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch con...

Page 746: ...ces page 31 13 Displaying SNMP Security Information page 31 14 Tip The SNMPv1 option is not available with the snmp server host ip address informs command Configuring SNMPv2c Notifications To configure SNMPv2c notifications using IPv4 follow these steps Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config snmp server host 171 71 187 101 traps version ...

Page 747: ... 0DB8 800 200C 417A informs version 2c private udp port 1163 Configures the specified host to receive SNMPv2c informs using SNMPv2c community string private switch config no snmp server host 2001 0DB8 800 200C 417A informs version 2c private udp port 2162 Prevents the specified host from receiving SNMPv2c informs on the configured UDP port using SNMPv2c community string private Command Purpose Ste...

Page 748: ...tep 2 switch config snmp server host 2001 0DB8 800 200C 417A traps version 3 noauth testuser udp port 1163 Configures the specified host to receive SNMPv3 traps using SNMPv3 user testuser and securityLevel of noAuthNoPriv switch config snmp server host 2001 0DB8 800 200C 417A informs version 3 auth testuser udp port 1163 Configures the specified host to receive SNMPv3 informs using SNMPv3 user tes...

Page 749: ... server enable traps link CISCO PSM MIB snmp server enable traps port security CISCO RSCN MIB snmp server enable traps rscn snmp server enable traps rscn els snmp server enable traps rscn ils SNMPv2 MIB snmp server enable traps snmp snmp server enable traps snmp authentication VRRP MIB CISCO IETF VRRP MIB snmp server enable traps vrrp CISCO ZS MIB snmp server enable traps zone snmp server enable t...

Page 750: ...e the same user credentials in its local configuration data store of users Configuring LinkUp LinkDown Notifications for Switches You can configure which linkUp linkDown notifications to enable on switches You can enable the following types of linkUp linkDown notifications Cisco Only notifications cieLinkUp cieLinkDown defined in CISCO IF EXTENSION MIB my are sent for an interface if ifLinkUpDownT...

Page 751: ...information on the varbinds defined in the IF MIB specific to the Cisco Systems implementation refer to the Cisco MDS 9000 Family MIB Quick Reference To configure the linkUp linkDown notification for a switch follow these steps Configuring Up Down SNMP Link State Traps for Interfaces By default SNMP link state traps are enabled for all interfaces Whenever a link toggles its state from Up to Down o...

Page 752: ...0 2c Admin port mode is auto trunk mode is on snmp link state traps are disabled Port vsan is 1 Receive data field Size is 2112 Beacon is turned off 5 minutes input rate 0 bits sec 0 bytes sec 0 frames sec 5 minutes output rate 0 bits sec 0 bytes sec 0 frames sec 0 frames input 0 bytes 0 discards 0 errors 0 CRC 0 unknown class 0 too long 0 too short 0 frames output 0 bytes 0 discards 0 errors 0 in...

Page 753: ...Displays SNMP Host Information switch show snmp host Host Port Version Level Type SecName ____ ____ _______ ______ ____ ______ 171 16 126 34 2162 v2c noauth trap public 171 16 75 106 2162 v2c noauth trap public 171 31 58 97 2162 v2c auth trap public The show snmp command displays counter information for SNMP contact location and packet settings This command provides information that is used entire...

Page 754: ...Priv ____ ____ ____ testtargetusr md5 des EngineID 0 0 0 63 0 1 0 0 0 15 10 3 Example 31 5 Displays SNMP Engine IDs switch show snmp engineID Local SNMP engineID 800000090300053000851E Example 31 6 Displays Information on SNMP Security Groups switch show snmp group groupname network admin security model any security level noAuthNoPriv readview network admin rd writeview network admin wr notifyview...

Page 755: ...ease 3 x Chapter 31 Configuring SNMP Default Settings readview network operator rd writeview network operator wr notifyview network operator rd storage type permanent row status active Default Settings Table 31 2 lists the default settings for all SNMP features in any switch Table 31 2 Default SNMP Settings Parameters Default User account No expiry unless configured Password None ...

Page 756: ... e n t a t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m 31 18 Cisco MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 31 Configuring SNMP Default Settings ...

Page 757: ...ides security for communication between the switch and AAA servers This secret key can be configured for all AAA servers or for only a specific AAA server This security feature provides a central management capability for AAA servers This chapter includes the following sections Switch Management Security page 32 1 Switch AAA Functionalities page 32 2 Configuring RADIUS page 32 8 Configuring TACACS...

Page 758: ...s iSCSI authentication see the Fibre Channel Security Protocol FC SP authentication see Chapter 36 Configuring FC SP and DHCHAP SNMP Security Options The SNMP agent supports security features for SNMPv1 SNMPv2c and SNMPv3 Normal SNMP security features apply to all applications that use SNMP for example Cisco MDS 9000 Fabric Manager SNMP security options also apply to Fabric Manager and Device Mana...

Page 759: ...ive session at any given time your login is deleted and you will not be allowed to perform SNMPv3 operations Authorization The following authorization roles exist in all Cisco MDS switches Network operator network operator Has permission to view the configuration only The operator cannot make any configuration changes Network administrator network admin Has permission to execute all commands and m...

Page 760: ...st one gateway switch connected to the Ethernet LAN reaching the AAA servers Server Groups You can specify remote AAA servers for authentication authorization and accounting using server groups A server group is a set of remote AAA servers implementing the same AAA protocol The purpose of a server group is to provide for failover servers in case a remote AAA server fails to respond If the first re...

Page 761: ...display use the aaa authentication login error enable command To disable this message display use the no aaa authentication login error enable command To view the current display status use the show aaa authentication login error enable command see Example 32 1 Example 32 1 Displays AAA Authentication Login Information switch show aaa authentication login error enable enabled AAA Server Monitoring...

Page 762: ...ity of the person managing the switch This identity verification is based on the user ID and password combination provided by the person managing the switch The Cisco MDS 9000 Family switches allow you to perform local authentication using the lookup database or remote authentication using one or more RADIUS servers or TACACS servers The following steps explain the authorization and authentication...

Page 763: ... same server to get the user roles specified as custom attributes for the shell If user roles are not successfully retrieved from the remote AAA server then the user is assigned the network operator role Step 4 When your user name and password are successfully authenticated locally you are allowed to log in and you are assigned the roles configured in the local database Figure 32 2 shows a flow ch...

Page 764: ... keys are always stored in encrypted form in persistent storage The running configuration also displays encrypted keys To specify the host RADIUS server IPv4 address and other options follow these steps Command Purpose Step 1 switch config t Enters configuration mode Step 2 switch config radius server host 10 10 0 0 key HostKey Specifies the preshared key for the selected RADIUS server This key ov...

Page 765: ...umber to which the RADIUS authentication messages should be sent In this example the host is 2001 0DB8 800 200C 417A and the authentication port is 2003 The default authentication port is 1812 and the valid range is 0 to 65366 Step 4 switch config radius server host 2001 0DB8 800 200C 417A acct port 2004 Specifies the destination UDP port number to which RADIUS accounting messages should be sent T...

Page 766: ...rt 2003 Specifies the destination UDP port number to which the RADIUS authentication messages should be sent In this example the host is radius2 and the authentication port is 2003 The default authentication port is 1812 and the valid range is 0 to 65366 Step 4 switch config radius server host radius2 acct port 2004 Specifies the destination UDP port number to which RADIUS accounting messages shou...

Page 767: ...enticate communication between the RADIUS client and server The default is clear text switch config radius server key 0 AnyWord Configures a preshared key AnyWord specified in clear text indicated by 0 to authenticate communication between the RADIUS client and server switch config radius server key 7 abe4DFeeweo00o Configures a preshared key specified in encrypted text specified in encrypted text...

Page 768: ...e time interval is 0 minutes periodic RADIUS server monitoring is not performed To configure the idle timer follow these steps Configuring Test User Name You can configure a username and password for periodic RADIUS server status testing You do not need to configure the test username and password to issue test messages to monitor RADIUS servers You can use the default test username test and defaul...

Page 769: ...ll not responding To avoid this scenario configure a test user with a shorter idle time than the dead timer time To configure the dead timer follow these steps Sending RADIUS Test Messages for Monitoring You can manually send test messages to monitor a RADIUS server Step 2 switch config radius server host 10 1 1 1 test username testuser Configures the test user testuser with the default password t...

Page 770: ...draft standard specifies a method for communicating vendor specific attributes VSAs between the network access server and the RADIUS server The IETF uses attribute 26 VSAs allow vendors to support their own extended attributes that are not suitable for general use The Cisco RADIUS implementation supports one vendor specific option using the format recommended in the specification The Cisco vendor ...

Page 771: ...min This subattribute is sent in the VSA portion of the Access Accept frames from the RADIUS server and it can only be used with the shell protocol value These are two examples using the roles attribute shell roles network admin vsan admin shell roles network admin vsan admin When an VSA is specified as shell roles network admin vsan admin this VSA is flagged as an optional attribute and other Cis...

Page 772: ...32 3 Displays Configured RADIUS Server Group Order switch show radius server groups total number of groups 4 following RADIUS server groups are configured group radius server all configured radius servers group Group1 server Server3 on auth port 1812 acct port 1813 server Server5 on auth port 1812 acct port 1813 group Group5 Displaying RADIUS Server Statistics You can display RADIUS server statist...

Page 773: ...Users Specifying a TACACS Server at Login page 32 24 Allowing Users to Specify a TACACS Server at Login page 32 25 Defining Custom Attributes for Roles page 32 25 Displaying TACACS Server Details page 32 26 About TACACS TACACS is a client server protocol that uses TCP TCP port 49 for transport requirements All switches in the Cisco MDS 9000 Family provide centralized authentication using the TACAC...

Page 774: ... verification commands for fabric authentication When you disable this feature all related configurations are automatically discarded To enable TACACS for a Cisco MDS switch follow these steps Setting the TACACS Server Address If a secret key is not configured for a configured server a warning message is issued if a global key is not configured If a server key is not configured the global key if c...

Page 775: ...host 2001 0DB8 800 200C 417A warning no key is configured for the host Configures the TACACS server identified by the specified IPv6 address switch config no tacacs server host 2001 0DB8 800 200C 417A Deletes the specified TACACS server identified by the IPv6 address By default no server is configured Step 3 switch config tacacs server host 2001 0DB8 800 200C 417A port 2 Configures the TCP port fo...

Page 776: ...t for all TACACS requests switch config no tacacs server host host1 cisco com port 2 Reverts to the factory default of using port 49 for server access Step 4 switch config tacacs server host host1 cisco com key MyKey Configures the TACACS server identified by the specified domain name and assigns the secret key Step 5 switch config tacacs server host host1 cisco com timeout 25 Configures the timeo...

Page 777: ...sign in global secret keys You can configure global values for the secret key for all TACACS servers Note If secret keys are configured for individual servers those keys override the globally configured key Configuring TACACS Server Monitoring Parameters You can configure parameters for monitoring TACACS servers This section includes the following topics Configuring the TACACS Test Idle Timer page...

Page 778: ...RADIUS section on page 32 8 Note If the dead timer of a dead TACACS server expires before it is sent a TACACS test message that server is marked as alive again even if it is still not responding To avoid this scenario configure a test user with a shorter idle time than the dead timer time To configure the dead timer follow these steps Command Purpose Step 1 switch config t Enters configuration mod...

Page 779: ...configuration mode Step 2 switch config tacacs server deadtime 30 Configures the dead time interval value in minutes The valid range is 1 to 1440 minutes Step 3 switch config no tacacs server deadtime 30 Reverts to the default value 0 minutes Note When the dead time interval is 0 minutes TACACS server monitoring is not performed unless the TACACS server is part of a server group and the dead time ...

Page 780: ...tification Notifies password aging Notification happens only if the AAA server is configured Password change after expiration Initiates password change after the old password expires Initiation happens from the AAA server To enable the password aging option in the AAA server enter the following command aaa authentication login password aging enable To determine whether or not password aging notifi...

Page 781: ...isco av pair shell roles network admin vsan admin You can also configure optional custom attributes to avoid conflicts with non MDS Cisco switches using the same AAA servers cisco av pair shell roles network admin vsan admin Additional custom attribute shell roles are also supported shell roles network admin vsan admin or shell roles network admin vsan admin Note TACACS custom attributes can be de...

Page 782: ... Family as shown in Examples 32 5 to 32 10 Example 32 5 Displays Configured TACACS Server Information switch show tacacs server Global TACACS shared secret timeout value 30 total number of servers 3 following TACACS servers are configured 171 71 58 91 available on port 2 cisco com available on port 49 171 71 22 95 available on port 49 TACACS shared secret Example 32 6 Displays AAA Authentication I...

Page 783: ...ponses with no matching requests 0 responses not processed 0 responses containing errors 0 Accounting Statistics failed transactions 0 sucessfull transactions 0 requests sent 0 requests timed out 0 responses with no matching requests 0 responses not processed 0 responses containing errors 0 Configuring Server Groups You can specify one or more remote AAA servers to authenticate users using server ...

Page 784: ... first within the server group RadServer Tip If the specified RADIUS server is not found configure it using the radius server host command and retry this command Step 4 switch config radius server 2001 0DB8 800 200C 417A Configures the RADIUS server at IPv6 address 2001 0DB8 800 200C 417A to be tried first within the server group RadServer switch config radius no server 2001 0DB8 800 200C 417A Rem...

Page 785: ...s precedence over the value set for the server group switch config radius no deadtime 30 Reverts to the default value 0 minutes Note If the dead time interval for both the RADIUS server group and an individual TACACS server in the RADIUS server group is set to 0 the switch does not mark the RADIUS server as dead when it is found to be unresponsive by periodic monitoring Also the switch does not pe...

Page 786: ... switch to participate in AAA server configuration distribution it must be running Cisco MDS SAN OS Release 2 0 1b or later Enabling AAA Server Distribution Only switches where distribution is enabled can participate in the distribution activity Step 4 switch config tacacs server ServerB Configures ServerB to be tried second within the server group TacacsServer1 switch config tacacs no server Serv...

Page 787: ...e Session Status Once the implicit distribution session has started you can check the session status You see the distribution status on the CFS tabuse the show radius command switch show radius distribution status distribution enabled session ongoing yes session owner admin session db exists merge protocol status merge activation done last operation enable last operation status success Once the im...

Page 788: ...se the show tacacs pending command switch config show tacacs pending diff tacacs server host testhost3 tacacs server host testhost4 Committing the Distribution The RADIUS or TACACS global and or server configuration stored in the temporary buffer can be applied to the running configuration across all switches in the fabric including the originating switch To commit RADIUS configuration changes fol...

Page 789: ...en merging the fabric be aware of the following conditions The server groups are not merged The server and global keys are not changed during the merge The merged configuration contains all servers found on all CFS enabled switches The timeout and retransmit parameters of the merged configuration are the largest values found per server and global configuration Caution If there is a conflict betwee...

Page 790: ...authentication server RADIUS or TACACS About Enabling MSCHAP By default the switch uses Password Authentication Protocol PAP authentication between the switch and the remote server If you enable MSCHAP you need to configure your RADIUS server to recognize the MSCHAP vendor specific attributes See the About Vendor Specific Attributes section on page 32 14 Table 32 2 shows the RADIUS vendor specific...

Page 791: ...mp_349154526_171 71 58 69 admin Sat Jan 24 03 22 06 1981 start snmp_349154526_171 71 58 69 admin Sat Jan 24 03 22 06 1981 update snmp_349154526_171 71 58 69 admin Added member WWN 21 00 00 20 37 a6 be 00 ID 2 to zone test 27 on VSAN 1 Sat Jan 24 23 59 56 1981 stop dev pts 0_349228792 root shell terminated Sun Jan 25 00 00 06 1981 start dev pts 1_349228806 admin Disabling AAA Authentication You can...

Page 792: ...ation operations are automatically recorded in the accounting log if they are performed in configuration mode Additionally important system events for example configuration save and system switchover are also recorded in the accounting log Displaying Accounting Configuration To display configured accounting information use show accounting command See Examples 32 15 to 32 17 To specify the size of ...

Page 793: ... Fri Jan 16 21 58 18 1981 start snmp_348530298_171 71 150 105 admin Fri Jan 16 21 58 18 1981 stop snmp_348530298_171 71 150 105 admin Fri Jan 16 23 37 02 1981 update dev pts 0_348527824 admin updated RADIUS parameters for group Group3 Fri Jan 16 23 37 26 1981 update dev pts 0_348527824 admin updated TACACS parameters for group TacacsServer1 Fri Jan 16 23 45 19 1981 update dev pts 0_348527824 admin...

Page 794: ...ure a secure environment When using the AAA server user management is normally done using Cisco ACS Figure 32 3 Figure 32 4 Figure 32 5 and Figure 32 6 display ACS server user setup configurations for network admin roles and multiple roles using either RADIUS or TACACS Caution Cisco MDS SAN OS does not support all numeric usernames whether created with RADIUS or TACACS or created locally Local use...

Page 795: ...d o c c i s c o c o m 32 39 Cisco MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 32 Configuring RADIUS and TACACS Configuring Cisco Access Control Servers Figure 32 4 Configuring Multiple Roles with SNMPv3 Attributes When Using RADIUS ...

Page 796: ...c c i s c o c o m 32 40 Cisco MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 32 Configuring RADIUS and TACACS Configuring Cisco Access Control Servers Figure 32 5 Configuring the network admin Role with SNMPv3 Attributes When Using TACACS ...

Page 797: ...lt Settings Figure 32 6 Configuring Multiple Roles with SNMPv3 Attributes When Using TACACS Default Settings Table 32 3 lists the default settings for all switch security features in any switch Table 32 3 Default Switch Security Settings Parameters Default Roles in Cisco MDS switches Network operator network operator AAA configuration services Local Authentication port 1821 Accounting port 1813 Pr...

Page 798: ...Configuring RADIUS and TACACS Default Settings RADIUS server timeout 1 one second RADIUS server retries Once RADIUS server directed requests Disabled TACACS Disabled TACACS servers None configured TACACS server timeout 5 seconds TACACS server directed requests Disabled AAA server distribution Disabled Accounting log size 250 KB Table 32 3 Default Switch Security Settings continued Parameters Defau...

Page 799: ...ing an overlay Ethernet network IP routing default routing and static routing If your configuration does not need an external router you can configure a default route using static routing Switches are compliant with RFC 2338 standards for Virtual Router Redundancy Protocol VRRP features VRRP is a restartable application that provides a redundant alternate path to the gateway switch IPv4 Access Con...

Page 800: ...ire channel group Configure the order of conditions accurately As the IPv4 ACL or the IPv6 ACL filters are sequentially applied to the IP flows only the first match determines the action taken Subsequent matches are not considered Be sure to configure the most important condition first If no conditions match the software drops the packet About Filter Contents An IP filter contains rules for matchi...

Page 801: ...d a one bit in the corresponding position of the packet s IPv4 or IPv6 address will be considered a match to this access list entry Place ones in the bit positions you want to ignore For example 0 0 255 255 requires an exact match of only the first 16 bits of the source Wildcard bits set to one do not need to be contiguous in the source wildcard For example a source wildcard of 0 255 0 64 would be...

Page 802: ... packets can be filtered based on the following optional TOS conditions The TOS level The level is specified by a number from 0 to 15 The TOS name The name can be max reliability max throughput min delay min monetary cost and normal TCP1 ftp 20 ftp data 21 ssh 22 telnet 23 smtp 25 tasacs ds 65 www 80 sftp 115 http 143 wbem http 5988 wbem https 5989 1 If the TCP connection is already established us...

Page 803: ...ccess condition s Filters require the source and destination address to match a condition Use optional keywords to configure finer granularity Note The filter entries are executed in sequential order You can only add the entries to the end of the list Take care to add the entries in the correct order Step 2 Apply the access filter to specified interfaces Creating IPv4 ACLs or IPv6 ACLs To create a...

Page 804: ... 0 0 0 0 255 any Defines an entry in an IPv4 ACL named restrict_mgmt allowing all addresses in the 10 67 16 0 24 subnet Step 3 switch config ip access list restrict_mgmt permit icmp any any eq 8 Adds an entry to an IPv4 ACL named restrict_mgmt to allow any device to ping the MDS icmp type 8 Step 4 switch config ip access list restrict_mgmt deny ip any any Explicitly blocks all other access to an a...

Page 805: ...st List2 deny tcp 2001 0DB8 800 200C 64 eq port 5 any Denies TCP traffic from 2001 0DB8 800 200C 64 through source port 5 to any destination Command Purpose Step 1 switch config t Enters configuration mode Step 2 switch config ip access list List1 permit tcp 10 1 1 2 0 0 0 0 172 16 1 1 0 0 0 0 eq port telnet Permits TCP for Telnet traffic Step 3 switch config ip access list List1 permit tcp 10 1 1...

Page 806: ...ers Each access filter can have several conditions See Example 33 2 and Example 33 3 Example 33 2 Displays Configured IPv6 ACLs switch show ipv6 access list Access List Name Number Filters IF Status Creation Time abc 3 7 active Tue Jun 24 17 51 40 2003 x1 3 1 active Tue Jun 24 18 32 25 2003 x3 0 1 not ready Tue Jun 24 18 32 28 2003 Example 33 3 Displays a Summary of the Specified IPv6 ACL switch s...

Page 807: ...formation dumped to the log For the output ACL the raw Layer 2 information is not logged The following example is an input ACL log dump Jul 17 20 38 44 excal 2 KERN 7 SYSTEM_MSG IPACL 7 DENY IN vsan1 OUT MAC 10 00 00 05 30 00 47 df 10 00 00 05 30 00 8a 1f aa aa 03 00 00 00 08 00 45 00 00 54 00 00 40 00 40 01 0e 86 0b 0b 0b 0c 0b 0b 0b 02 08 00 ff 9c 01 15 05 00 6f 09 17 3f 80 02 01 00 08 09 0a 0b ...

Page 808: ...ch In Traffic that arrives at the interface and goes through the switch the source is where it transmitted from and the destination is where it is transmitted to on the other side of the router Tip The IP ACL applied to the interface for the ingress traffic affects both local and remote traffic Out Traffic that has already been through the switch and is leaving the interface the source is where it...

Page 809: ...e 38c6 28b0 Internet address is 10 1 1 10 24 MTU 1500 bytes Step 4 switch config if ip access group restrict_mgmt in Applies an IPv4 ACL called restrict_mgmt if it does not already exist for ingress traffic switch config if no ip access group restrict_mgmt in Removes the IPv4 ACL called restrict_mgmt for ingress traffic switch config if ip access group SampleName2 out Applies an IPv4 ACL called Sa...

Page 810: ...You cannot use this command to clear the counters for individual filters switch show ip access list abc ip access list abc permit tcp any any 0 matches ip access list abc permit udp any any 0 matches ip access list abc permit icmp any any 0 matches ip access list abc permit ip 10 1 1 0 0 0 0 255 2 matches ip access list abc permit ip 10 3 70 0 0 0 0 255 7 matches switch clear ip access list counte...

Page 811: ...CAs and Digital Certificates page 34 5 Example Configurations page 34 15 Maximum Limits page 34 37 Default Settings page 34 38 About CAs and Digital Certificates This section provides information about certificate authorities CAs and digital certificates and includes the following topics Purpose of CAs and Digital Certificates page 34 2 Trust Model Trust Points and Identity CAs page 34 2 RSA Key P...

Page 812: ...w the CA s public key Normally this process is handled out of band or through an operation done at installation For instance most web browsers are configured with the public keys of several CAs by default The Internet Key Exchange IKE an essential component of IPsec can use digital signatures to scalably authenticate peer devices before setting up security associations Trust Model Trust Points and...

Page 813: ...ach can be associated to one or more trust points But no more than one key pair can be associated to a trust point which means only one identity certificate is allowed from a CA If multiple identity certificates each from a distinct CA have been obtained the certificate that an application selects to use in a security protocol exchange with a peer is application specific see the IPsec Digital Cert...

Page 814: ...d paste the encoded certificate request text in an e mail message or in a web form and send it to the CA 3 Receive the issued certificate in base64 encoded text form from the CA in an e mail message or in a web browser download 4 Cut and paste the issued certificate to the switch using the certificate import facility Multiple RSA Key Pair and Identity CA Support Multiple identity CA support enable...

Page 815: ...g CA s CRL is consulted only if the CRL has already been cached locally and the revocation checking is configured to use CRL Otherwise CRL checking is not performed and the certificate is considered to be not revoked if no other revocation checking methods are configured This mode of CRL checking is called CRL optional OCSP Support Online Certificate Status Protocol OCSP facilitates online certifi...

Page 816: ... Also the switch FQDN is used as a default key label when none is specified during key pair generation For example a certificate named SwitchA example com is based on a switch host name of SwitchA and a switch IP domain name of example com Caution Changing the host name or IP domain name after generating the certificate can invalidate the certificate To configure the host name and IP domain name o...

Page 817: ...ey is not exportable Note The security policy or requirement at the local site MDS switch and at the CA where enrollment is planned are considered in deciding the appropriate key modulus Note The maximum number of key pairs you can configure on a switch is 16 switch config crypto key generate rsa label SwitchA modulus 768 Generates an RSA key pair with the label SwitchA and modulus 768 Valid modul...

Page 818: ...on chain needs to be input during the CA authentication step This is called the CA certificate chain of the CA being authenticated The maximum number of certificates in a CA certificate chain is 10 Command Purpose Step 1 switch config crypto ca trustpoint admin ca switch config trustpoint Declares a trust point CA that the switch should trust and enters trust point configuration submode Note The m...

Page 819: ...fficiency Using both local CRL checking and OCSP provides the most secure method for checking for revoked certificates Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config crypto ca authenticate admin ca input cut paste CA certificate chain in PEM format end the input with a line containing only END OF INPUT BEGIN CERTIFICATE MIIC4jCCAoygAwIBAgIQBWDSi...

Page 820: ... use to check for revoked certificates switch config trustpoint no ocsp url http crlcheck cisco com Removes the URL for OCSP Step 3 switch config trustpoint revocation check oscp Specifies OCSP as the revocation checking method to be employed during verification of peer certificates issued by the same CA as that of this trust point Note The OSCP URL must be configured before specifying OSCP as a r...

Page 821: ...not be saved in the configuration Please make a note of it Password nbv123 The subject name in the certificate will be Vegas 1 cisco com Include the switch serial number in the subject name yes no no Include an IP address in the subject name yes no yes ip address 172 22 31 162 The certificate request will be displayed BEGIN CERTIFICATE REQUEST MIIBqzCCARQCAQAwHDEaMBgGA1UEAxMRVmVnYXMtMS5jaXNjby5jb2...

Page 822: ...mation in PKCS 12 Format section on page 34 13 Note Copying the configuration to an external server does include the certificates and key pairs Command Purpose Step 1 switch config terminal switch config Enters configuration mode Step 2 switch config crypto ca import admin ca certificate input cut paste certificate in PEM format BEGIN CERTIFICATE MIIEADCCA6qgAwIBAgIKCjOOoQAAAAAAdDANBgkqhkiG9w0BAQU...

Page 823: ...en specifying the export and import URL To export a certificate and key pair to a PKCS 12 formatted file follow these steps To import a certificate and key pair from a PKCS 12 formatted file follow these steps Note The trust point must be empty with no RSA key pair associated with it and no CA is associated with it using CA authentication for the PKCS 12 file import to succeed Command Purpose Step...

Page 824: ...rl bootflash adminca crl Download the CRL Step 2 switch config terminal switch config Enters configuration mode Step 3 switch config crypto ca crl request admin ca bootflash adminca crl Configures or replaces the current CRL with the one specified in the file Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config crypto ca trustpoint myCA Enters trustpo...

Page 825: ...ample Configurations This section shows an example of the tasks you can use to configure certificates and CRLs on the Cisco MDS 9000 Family switches using the Microsoft Windows Certificate server This section includes the following topics Configuring Certificates on the MDS Switch page 34 16 Downloading a CA Certificate page 34 19 Requesting an Identity Certificate page 34 23 Revoking a Certificat...

Page 826: ...as 1 config crypto key generate rsa label myKey exportable modulus 1024 Vegas 1 config do show crypto key mypubkey rsa key label myKey key size 1024 exportable yes Vegas 1 config Step 5 Associate the RSA key pair to the trust point Vegas 1 config crypto ca trustpoint myCA Vegas 1 config trustpoint rsakeypair myKey Vegas 1 config trustpoint exit Vegas 1 config do show crypto ca trustpoints trustpoi...

Page 827: ...al 0560D289ACB419944F4912258CAD197A notBefore May 3 22 46 37 2005 GMT notAfter May 3 22 55 17 2007 GMT MD5 Fingerprint 65 84 9A 27 D5 71 03 33 9C 12 23 92 38 6F 78 12 purposes sslserver sslclient ike Step 8 Generate a request certificate to use to enroll with a trust point Vegas 1 config crypto ca enroll myCA Create the certificate request Create a challenge password You will need to verbally prov...

Page 828: ...xMJQXBh cm5hIENBghAFYNKJrLQZlE9JEiWMrRl6MGsGA1UdHwRkMGIwLqAsoCqGKGh0dHA6 Ly9zc2UtMDgvQ2VydEVucm9sbC9BcGFybmElMjBDQS5jcmwwMKAuoCyGKmZpbGU6 Ly9cXHNzZS0wOFxDZXJ0RW5yb2xsXEFwYXJuYSUyMENBLmNybDCBigYIKwYBBQUH AQEEfjB8MDsGCCsGAQUFBzAChi9odHRwOi8vc3NlLTA4L0NlcnRFbnJvbGwvc3Nl LTA4X0FwYXJuYSUyMENBLmNydDA9BggrBgEFBQcwAoYxZmlsZTovL1xcc3NlLTA4 XENlcnRFbnJvbGxcc3NlLTA4X0FwYXJuYSUyMENBLmNydDANBgkqhkiG9w0BAQUF AA...

Page 829: ...A Certificate To download a CA certificate from the Microsoft Certificate Services web interface follow these steps Step 1 Select the Retrieve the CA certificate or certificate revocation task radio button in the Microsoft Certificate Services web interface and click the Next button Step 2 Select the CA certificate file to download from the displayed list Click the Base 64 encoded radio button and...

Page 830: ...iguration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 34 Configuring Certificate Authorities and Digital Certificates Example Configurations Step 4 Click the Copy to File button in the Certificate dialog box and click OK Step 5 Select the Base 64 encoded X 509 CER on the Certificate Export Wizard dialog box and click Next ...

Page 831: ...nfiguration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 34 Configuring Certificate Authorities and Digital Certificates Example Configurations Step 6 Click the Finish button on the Certificate Export Wizard dialog box Step 7 Display the CA certificate stored in Base 64 PEM format using the Microsoft Windows type command ...

Page 832: ...e n t s t o m d s f e e d b a ck d o c c i s c o c o m 34 22 Cisco MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 34 Configuring Certificate Authorities and Digital Certificates Example Configurations ...

Page 833: ...Authorities and Digital Certificates Example Configurations Requesting an Identity Certificate To request an identify certificate from a Microsoft Certificate server using a PKCS 10 certificate signing request CRS follow these steps Step 1 Select the Request an identity certificate radio button on the Microsoft Certificate Services web interface and click Next Step 2 Select the Advanced Request ra...

Page 834: ...Configurations Step 3 Select the Submit a certificate request using a base64 encoded PKCS 10 file or a renewal request using a base64 encoded PKCS 7 file radio button and click Next Step 4 Paste the base64 PKCS 10 certificate request in the Saved Request text box and click Next The certificate request is copied from the MDS switch console see the Generating Certificate Requests section on page 34 ...

Page 835: ...000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 34 Configuring Certificate Authorities and Digital Certificates Example Configurations Step 5 Wait one or two days until the certificate is issued by the CA administrator Step 6 The CA administrator approves the certificate request ...

Page 836: ... Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 34 Configuring Certificate Authorities and Digital Certificates Example Configurations Step 7 Select the Check on a pending certificate radio button on the Microsoft Certificate Services web interface and click Next Step 8 Select the certificate request you want to check and click Next ...

Page 837: ...isco MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 34 Configuring Certificate Authorities and Digital Certificates Example Configurations Step 9 Select Base 64 encoded and click the Download CA certificate link Step 10 Click Open on the File Download dialog box ...

Page 838: ...rtificate Authorities and Digital Certificates Example Configurations Step 11 Click the Details tab on the Certificate dialog and click the Copy to File button Select the Base 64 encoded X 509 CER radio button on the Certificate Export Wizard dialog box and click Next Step 12 Enter the destination file name in the File name text box on the Certificate Export Wizard dialog box then click Next Step ...

Page 839: ... 16184 01 Cisco MDS SAN OS Release 3 x Chapter 34 Configuring Certificate Authorities and Digital Certificates Example Configurations Step 14 Display the identity certificate in base64 encoded format using the Microsoft Windows type command Revoking a Certificate To revoke a certificate using the Microsoft CA administrator program follow these steps ...

Page 840: ...guration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 34 Configuring Certificate Authorities and Digital Certificates Example Configurations Step 1 Click the Issued Certificates folder on the Certification Authority tree From the list right click the certificate you want to revoke Step 2 Select All Tasks Revoke Certificate ...

Page 841: ...iguration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 34 Configuring Certificate Authorities and Digital Certificates Example Configurations Step 3 Select a reason for the revocation from the Reason code drop down list and click Yes Step 4 Click the Revoked Certificates folder to list and verify the certificate revocation ...

Page 842: ...Chapter 34 Configuring Certificate Authorities and Digital Certificates Example Configurations Generating and Publishing the CRL To generate and publish the CRL using the Microsoft CA administrator program follow these steps Step 1 Select Action All Tasks Publish on the Certification Authority screen Step 2 Click Yes on the Certificate Revocation List dialog box to publish the latest CRL ...

Page 843: ...cate Authorities and Digital Certificates Example Configurations Downloading the CRL To download the CRL from the Microsoft CA website follow these steps Step 1 Select Request the CA certificate or certificate revocation list radio button on the Microsoft Certificate Services web interface and click Next Step 2 Click the Download latest certificate revocation list link Step 3 Click Save in the Fil...

Page 844: ...000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 34 Configuring Certificate Authorities and Digital Certificates Example Configurations Step 4 Enter the destination file name in the Save As dialog box and click Save Step 5 Display the CRL using the Microsoft Windows type command ...

Page 845: ... Vegas 1 copy tftp apranaCA crl bootflash aparnaCA crl Step 2 Configure the CRL Vegas 1 config t Vegas 1 config crypto ca crl request myCA bootflash aparnaCA crl Vegas 1 config Step 3 Display the contents of the CRL Vegas 1 config do sh crypto ca crl myCA Trustpoint myCA CRL Certificate Revocation List CRL Version 2 0x1 Signature Algorithm sha1WithRSAEncryption Issuer emailAddress admin yourcompan...

Page 846: ...T CRL entry extensions X509v3 CRL Reason Code CA Compromise Serial Number 53BD173C00000000000B Revocation Date Jul 4 18 04 01 2005 GMT CRL entry extensions X509v3 CRL Reason Code Certificate Hold Serial Number 591E7ACE00000000000C Revocation Date Aug 16 21 53 15 2005 GMT Serial Number 5D3FD52E00000000000D Revocation Date Jun 29 22 07 25 2005 GMT CRL entry extensions X509v3 CRL Reason Code Key Comp...

Page 847: ...Date Sep 5 17 07 06 2005 GMT Serial Number 3F0845DD00000000003F Revocation Date Sep 8 20 24 32 2005 GMT Serial Number 3F619B7E000000000042 Revocation Date Sep 8 21 40 48 2005 GMT Serial Number 6313C463000000000052 Revocation Date Sep 19 17 37 18 2005 GMT Serial Number 7C3861E3000000000060 Revocation Date Sep 20 17 52 56 2005 GMT Serial Number 7C6EE351000000000061 Revocation Date Sep 20 18 52 30 20...

Page 848: ...uring Certificate Authorities and Digital Certificates Default Settings Default Settings Table 34 2 lists the default settings for CAs and digital certificate parameters Table 34 2 Default CA and Digital Certificate Parameters Parameters Default Trust point None RSA key pair None RSA key pair label Switch FQDN RSA key pair modulus 512 RSA key pair exportable Yes Revocation check method of trust po...

Page 849: ...ncryption and authentication keys used by IPsec While IKE can be used with other protocols its initial implementation is with the IPsec protocol IKE provides authentication of the IPsec peers negotiates IPsec security associations and establishes IPsec keys IKE uses RFCs 2408 2409 2410 and 2412 and additionally implements the draft ietf ipsec ikev2 16 txt draft Note The term IPsec is sometimes use...

Page 850: ... service is dependent upon the data integrity service Anti replay protection The IPsec receiver can detect and reject replayed packets Note The term data authentication is generally used to mean data integrity and data origin authentication Within this chapter it also includes anti replay services unless otherwise specified With IPsec data can be transmitted across a public network without fear of...

Page 851: ...services Supports a manageable scalable IPsec configuration Allows dynamic authentication of peers Note IKE is not supported on the Cisco Fabric Switch for HP c Class BladeSystem and the Cisco Fabric Switch for IBM BladeSystem IPsec Prerequisites To use the IPsec feature you need to perform the following tasks Obtain the ENTERPRISE_PKG license see Chapter 3 Obtaining and Installing Licenses Config...

Page 852: ...and IKE Terminology page 35 5 Supported IPsec Transforms and Algorithms page 35 6 Supported IKE Transforms and Algorithms page 35 6 IPsec Compatibility IPsec features are compatible with the following Cisco MDS 9000 Family hardware Cisco 14 2 port Multiprotocol Services MPS 14 2 modules in Cisco MDS 9200 Switches or Cisco MDS 9500 Directors Cisco MDS 9216i Switch with the 14 2 port multiprotocol c...

Page 853: ...ation and data confidentiality For example one transform is the ESP protocol with the HMAC MD5 authentication algorithm Session key The key used by the transform to provide security services Lifetime A lifetime counter in seconds and bytes is maintained from the time the SA is created When the time limit expires the SA is no longer operational and if required is automatically renegotiated rekeyed ...

Page 854: ...gorithm It implements either 128 or 256 bits using Cipher Block Chaining CBC or counter mode Data Encryption Standard DES is used to encrypt packet data and implements the mandatory 56 bit DES CBC CBC requires an initialization vector IV to start encryption The IV is explicitly given in the IPsec packet Triple DES 3DES is a stronger form of DES with 168 bit encryption keys that allow sensitive inf...

Page 855: ...e HMAC variant The switch authentication algorithm uses the preshared keys based on the IP address see Setting Transmission Retry Count for the RADIUS Server section on page 32 11 for more information on preshared keys IPsec Digital Certificate Support This section describes the advantages of using certificate authorities CAs and digital certificates for authentication For more information on CAs ...

Page 856: ...etworks Figure 35 3 Four IPsec Switches Without a CA and Digital Certificates Implementing IPsec with CAs and Digital Certificates With CA and digital certificates you do not have to configure keys between all the encrypting switches Instead you individually enroll each participating switch with the CA requesting a certificate for the switch When this has been accomplished each participating switc...

Page 857: ...forming some public key cryptography Each switch must send its own unique certificate that was issued and validated by the CA This process works because the certificate of each switch encapsulates the public key of the switch each certificate is authenticated by the CA and all participating switches recognize the CA as an authenticating authority This scheme is called IKE with an RSA signature You...

Page 858: ...st between two peers to secure different data flows with each tunnel using a separate set of SAs After you have completed IKE configuration configure IPsec To configure IPsec in each participating IPsec peer follow these steps Step 1 Identify the peers for the traffic to which secure tunnels should be established Step 2 Configure the transform set with the required protocols and algorithms Step 3 ...

Page 859: ...ons of IKE are used in the Cisco SAN OS implementation IKE version 1 IKEv1 is implemented using RFC 2407 2408 2409 and 2412 IKE version 2 IKEv2 is a simplified and more efficient version and does not interoperate with IKEv1 IKEv2 is implemented using the draft ietf ipsec ikev2 16 txt draft About IKE Policy Negotiation To protect IKE negotiations each IKE negotiation begins with a common shared IKE...

Page 860: ...llowed transform combinations The following table lists the supported and verified settings for IPsec and IKE encryption authentication algorithms on the Microsoft Windows and Linux platforms Note When you configure the hash algorithm the corresponding HMAC version is used as the authentication algorithm When the IKE negotiation begins IKE looks for an IKE policy that is the same on both peers The...

Page 861: ...me FQDN Note The FQDN is required for using RSA signatures for authentication switch config ike ipsec no identity Revert to the default identity mode address Step 4 switch config ike ipsec key switch1 address 10 10 1 1 Associates a preshared key with the IP address of a peer switch config ike ipsec no key switch1 address 10 10 1 1 Deletes the association of a preshared key and the IP address of a ...

Page 862: ...for IKE with the specified device Use the following considerations when configuring the initiator version with FCIP tunnels If the switches on both sides of an FCIP tunnel are running MDS SAN OS Release 3 0 1 or later you must configure initiator version IKEv1 on both sides of an FCIP tunnel to use only IKEv1 If one side of an FCIP tunnel is using IKEv1 and the other side is using IKEv2 the FCIP t...

Page 863: ... each policy follow these steps Configuring the Keepalive Time for a Peer To configure the keepalive time for each peer follow these steps Command Purpose Step 1 switch config terminal switch config Enters configuration mode Step 2 switch config crypto ike domain ipsec switch config ike ipsec Allows IPsec domains to be configured in this switch Step 3 switch config ike ipsec policy 1 switch config...

Page 864: ...hen you delete the IKEv2 tunnel the associated IPsec tunnel under that IKE tunnel is automatically deleted Refreshing SAs Use the crypto ike domain ipsec rekey IPv4 ACL index command to refresh the SAs after performing IKEv2 configuration changes Crypto IPv4 ACLs IP access control lists IPv4 ACLs provide basic network security to all switches in the Cisco MDS 9000 Family IPv4 IP ACLs restrict IP r...

Page 865: ...t Forward Secrecy page 35 28 About Crypto Map Set Interface Application page 35 28 Applying a Crypto Map Set page 35 28 About Crypto IPv4 ACLs Crypto IPv4 ACLs are used to define which IP traffic requires crypto protection and which traffic does not Crypto IPv4 ACLs associated with IPsec crypto map entries have four primary functions Select outbound traffic to be protected by IPsec permit protect ...

Page 866: ...tement causes the traffic to be in clear text The crypto IPv4 ACL you define is applied to an interface after you define the corresponding crypto map entry and apply the crypto map set to the interface Different IPv4 ACLs must be used in different entries of the same crypto map set Inbound and outbound traffic is evaluated against the same outbound IPv4 ACL Therefore the IPv4 ACL s criteria is app...

Page 867: ...local iSCSI TCP port number default 3260 in the IPv4 ACL This configuration ensures the speedy recovery of encrypted iSCSI sessions following disruptions such as Gigabit Ethernet interfaces shutdowns VRRP switchovers and port failures The following example of a IPv4 ACL entry shows that the MDS switch IPv4 address is 10 10 10 50 and remote Microsoft host running encrypted iSCSI sessions is 10 10 1...

Page 868: ...cted but this is a superset of the specific flows permitted by the crypto IPv4 ACL at switch M so the request is not permitted Case 3 works because switch M s request is a subset of the specific flows permitted by the crypto IPv4 ACL at router N Because of the complexities introduced when crypto IPv4 ACLs are not configured as mirror images at peer IPsec devices we strongly encourage you to use mi...

Page 869: ... a certain combination of security protocols and algorithms During the IPsec security association negotiation the peers agree to use a particular transform set for protecting a particular data flow You can specify multiple transform sets and then specify one or more of these transform sets in a crypto map entry The transform set defined in the crypto map entry is used in the IPsec security associa...

Page 870: ...ion Parameters Parameter Accepted Values Keyword encryption algorithm 56 bit DES CBC 168 bit DES 128 bit AES CBC 128 bit AES CTR1 256 bit AES CBC 256 bit AES CTR1 1 If you configure the AES counter CTR mode you must also configure the authentication algorithm esp des esp 3des esp aes 128 esp aes 128 ctr esp aes 256 esp aes 256 ctr hash authentication algorithm1 optional SHA 1 HMAC variant MD5 HMAC...

Page 871: ...ccording to the parameters included in the crypto map entry The policy derived from the crypto map entries is used during the negotiation of SAs If the local switch initiates the negotiation it will use the policy specified in the crypto map entries to create the offer to be sent to the specified IPsec peer If the IPsec peer initiates the negotiation the local switch checks the policy from the cry...

Page 872: ... sequence number for each crypto map decides the order in which the policies are applied A lower sequence number is assigned a higher priority Only one IPv4 ACL is allowed for each crypto map entry the IPv4 ACL itself can have multiple permit or deny entries When the tunnel endpoint is the same as the destination address you can use the auto peer option to dynamically configure the peer For IPsec ...

Page 873: ...e matched address Step 4 switch config crypto map ip set peer 10 1 1 1 Configures a specific peer IPv4 address Note IKE only supports IPv4 addresses not IPv6 addresses Step 5 switch config crypto map ip no set peer 10 1 1 1 Deletes the configured peer Step 6 switch config crypto map ip set transform set SampleTransform1 SampleTransmfor2 Specifies which transform sets are allowed for the specified ...

Page 874: ...o map entry is needed for all the hosts from subnet X to set up SAs with the switch Each host will set up its own SA but will share the crypto map entry Without the auto peer option each host needs one crypto map entry See the Sample iSCSI Configuration section on page 35 39 for more details Step 4 switch config crypto map ip set security association lifetime kilobytes 2560 Configures the traffic ...

Page 875: ...he PFS feature is disabled by default If you set the PFS group you can set one of the DH groups 1 2 5 or 14 If you do not specify a DH group the software uses group 1 by default MDS A iPSEC iPSEC iPSEC Host 2 Host 3 Host 1 Router iPSEC 120879 Subnet X Command Purpose Step 1 switch config terminal switch config Enters configuration mode Step 2 switch config crypto map domain ipsec SampleMap 31 ips ...

Page 876: ...you want the new settings to take immediate effect you must clear the existing security associations so that they will be reestablished with the changed configuration If the switch is actively processing Command Purpose Step 1 switch config terminal switch config Enters configuration mode Step 2 switch config crypto map domain ipsec SampleMap 31 ips hac1 config crypto map ip Places you in the cryp...

Page 877: ...our and 450 GB If you change a global lifetime the new lifetime value will not be applied to currently existing SAs but will be used in the negotiation of subsequently established SAs If you wish to use the new values immediately you can clear all or part of the SA database Assuming that the particular crypto map entry does not have lifetime values configured when the switch requests new SAs it wi...

Page 878: ...ose Step 1 switch config terminal switch config Enters configuration mode Step 2 switch config crypto global domain ipsec security association lifetime seconds 86400 Configures the global timed lifetime for IPsec SAs to time out after the specified number of seconds have passed The global lifetime ranges from 120 to 86400 seconds switch config no crypto global domain ipsec security association lif...

Page 879: ...0 0 255 10 10 10 0 0 0 0 255 0 matches In Example 35 6 the display output match is only displayed of an interface not the crypto map meets this criteria Example 35 7 Displays the Transform Set Configuration switch show crypto transform set domain ipsec Transform set 3des md5 esp 3des esp md5 hmac will negotiate tunnel Transform set des md5 esp des esp md5 hmac will negotiate tunnel Transform set t...

Page 880: ...igabitEthernet4 2 Example 35 11 Displays SA Association for the Specified Interface switch show crypto sad domain ipsec interface gigabitethernet 4 1 interface GigabitEthernet4 1 Crypto map tag cm10 local addr 10 10 10 1 protected network local ident addr mask 10 10 10 0 255 255 255 0 remote ident addr mask 10 10 10 4 255 255 255 255 current_peer 10 10 10 4 local crypto endpt 10 10 10 1 remote cry...

Page 881: ...interface GigabitEthernet3 1 direction Both 0 deny udp any port eq 500 any 1 deny udp any any port eq 500 2 permit ip 10 10 10 0 255 255 255 0 10 10 10 0 255 255 255 0 127 deny ip any any Example 35 15 Displays Detailed iSCSI Session Information for a Specific Interface switch show iscsi session detail Initiator iqn 1987 05 com cisco 01 9f39f09c7468 ips host16 cisco com Initiator ip addr s 10 10 1...

Page 882: ... port mode disabled TCP Connection Information 2 Active TCP connections Control connection Local 10 10 11 2 3225 Remote 10 10 11 1 65520 Data connection Local 10 10 11 2 3225 Remote 10 10 11 1 65522 2 Attempts for active connections 0 close of connections TCP Parameters Path MTU 1400 bytes Current retransmission timeout is 200 ms Round trip time Smoothed 2 ms Variance 1 Advertized window Current 1...

Page 883: ...ne FCIP link Tunnel 2 Tunnel 2 carries encrypted data between MDS A and MDS C Figure 35 8 IP Security Usage in an FCIP Scenario To configure IPsec for the FCIP scenario shown in Figure 35 8 follow these steps Step 1 Enable IKE and IPsec in Switch MDS A sw10 1 1 100 conf t sw10 1 1 100 config crypto ike enable sw10 1 1 100 config crypto ipsec enable Step 2 Configure IKE in Switch MDS A sw10 1 1 100...

Page 884: ...o shut sw10 1 1 100 config if exit sw10 1 1 100 config Step 7 Configure FCIP in Switch MDS A sw10 1 1 100 config fcip enable sw10 1 1 100 config fcip profile 2 sw10 1 1 100 config profile ip address 10 10 100 231 sw10 1 1 100 config profile int fcip 2 sw10 1 1 100 config if peer info ipaddr 10 10 100 232 sw10 1 1 100 config if use profile 2 sw10 1 1 100 config if no shut sw10 1 1 100 config if end...

Page 885: ...231 0 0 0 0 Step 12 Configure the transform set in Switch MDS C sw11 1 1 100 config crypto transform set domain ipsec tfs 02 esp aes 128 esp sha1 hmac Step 13 Configure the crypto map in Switch MDS C sw11 1 1 100 config crypto map domain ipsec cmap 01 1 sw11 1 1 100 config crypto map ip match address acl1 sw11 1 1 100 config crypto map ip set peer 10 10 100 231 sw11 1 1 100 config crypto map ip se...

Page 886: ...255 63 deny ip any any sw11 1 1 100 show crypto sad domain ipsec interface GigabitEthernet1 2 Crypto map tag cmap 01 local addr 10 10 100 232 protected network local ident addr mask 10 10 100 232 255 255 255 255 remote ident addr mask 10 10 100 231 255 255 255 255 current_peer 10 10 100 231 local crypto endpt 10 10 100 232 remote crypto endpt 10 10 100 231 mode tunnel crypto algo esp 3des auth alg...

Page 887: ...rrent outbound spi 0x900b01e 151040030 index 10 lifetimes in seconds 120 lifetimes in bytes 3221225472000 current inbound spi 0x38fe700e 956198926 index 13 lifetimes in seconds 120 lifetimes in bytes 3221225472000 sw10 1 1 100 show crypto ike domain ipsec sa Tunn Local Addr Remote Addr Encr Hash Auth Method Lifetime 1 10 10 100 231 500 10 10 100 232 500 3des md5 preshared key 86300 You have now co...

Page 888: ... transform set domain ipsec tfs 01 esp 3des esp md5 hmac Step 3 Configure the crypto map in Switch MDS A sw10 1 1 100 config crypto map domain ipsec cmap 01 1 sw10 1 1 100 config crypto map ip match address acl1 sw10 1 1 100 config crypto map ip set peer auto peer sw10 1 1 100 config crypto map ip set transform set tfs 01 sw10 1 1 100 config crypto map ip end sw10 1 1 100 Step 4 Bind the interface...

Page 889: ... the default settings for IPsec parameters Table 35 3 Default IKE Parameters Parameters Default IKE Disabled IKE version IKE version 2 IKE encryption algorithm 3DES IKE hash algorithm SHA IKE authentication method Preshared keys IKE DH group identifier Group 1 IKE lifetime association 86 400 00 seconds equals 24 hours IKE keepalive time for each peer v2 3 600 seconds equals 1 hour Table 35 4 Defau...

Page 890: ...t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m 35 42 Cisco MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 35 Configuring IPsec Network Security Default Settings ...

Page 891: ...tication from one switch to another switch or from a switch to a host These switch and host authentications are performed locally or remotely in each fabric As storage islands are consolidated and migrated to enterprise wide fabrics new security challenges arise The approach of securing storage islands cannot always be guaranteed in enterprise wide fabrics For example in a campus environment with ...

Page 892: ...odes Step 3 Configure the hash algorithm and DH group Step 4 Configure the DHCHAP password for the local switch and other switches in the fabric Step 5 Configure the DHCHAP timeout value for reauthentication Step 6 Verify the DHCHAP configuration This section includes the following topics DHCHAP Compatibility with Existing Cisco MDS Features page 36 3 About Enabling DHCHAP page 36 3 Enabling DHCHA...

Page 893: ...cal interface Port security or fabric binding Fabric binding policies are enforced based on identities authenticated by DHCHAP VSANs DHCHAP authentication is not done on a per VSAN basis High availability DHCHAP authentication works transparently with existing HA features About Enabling DHCHAP By default the DHCHAP feature is disabled in all switches in the Cisco MDS 9000 Family You must explicitl...

Page 894: ...ve default The switch does not initiate DHCHAP authentication but participates in DHCHAP authentication if the connecting device initiates DHCHAP authentication Off The switch does not support DHCHAP authentication Authentication messages sent to such ports return error messages to the initiating switch Note Whenever DHCHAP port mode is changed to a mode other than the Off mode reauthentication is...

Page 895: ...0 Changes the DHCHAP authentication mode for the selected interfaces to auto active Zero 0 indicates that the port does not perform reauthentication Note The reauthorization interval configuration is the same as the default behavior switch config if fcsp auto active 120 Changes the DHCHAP authentication mode to auto active for the selected interfaces and enables reauthentication every two hours 12...

Page 896: ...ciously attempts to access any one switch in the fabric Approach 2 Use a different password for each switch and maintain that password list in each switch in the fabric When you add a new switch you create a new password list and update all switches with the new list Accessing one switch yields the password list for all switches in that fabric Approach 3 Use different passwords for different switc...

Page 897: ... mode Step 2 switch config fcsp dhchap password 0 mypassword Configures a clear text password for the local switch switch config fcsp dhchap password 0 mypassword 30 11 bb cc dd 33 11 22 Configures a clear text password for the local switch to be used for the device with the specified WWN switch config no fcsp dhchap password 0 mypassword 30 11 bb cc dd 33 11 22 Removes the clear text password for...

Page 898: ...n individually set authentication options If authentication is not configured local authentication is used by default Command Purpose Step 1 switch config t Enters configuration mode Step 2 switch config fcsp dhchap devicename 00 11 22 33 44 aa bb cc password NewPassword Configures a password for another switch in the fabric that is identified by the switch WWN device name switch config no fcsp dh...

Page 899: ...hentication Failed 0 FC SP Authentication Bypassed 0 Example 36 3 Displays the FC SP WWN of the Device Connected through a Specified Interface switch show fcsp interface fc 2 1 wwn fc2 1 fcsp authentication mode SEC_MODE_ON Status Successfully authenticated Other device s WWN 20 00 00 e0 8b 0a 5d e7 Example 36 4 Displays Hash Algorithm and DHCHAP Groups Configured for the Local Switch switch show ...

Page 900: ...h show fcsp asciiwwn 30 11 bb cc dd 33 11 22 Ascii representation of WWN to be used with AAA servers Ox_3011bbccdd331122 Tip Use the ASCII representation of the device WWN identified in bold in Example 36 6 to configure the switch information on RADIUS and TACACS servers Sample Configuration This section provides the steps to configure the example illustrated in Figure 36 2 Figure 36 2 Sample DHCH...

Page 901: ...n this switch by displaying the DHCHAP local password database MDS 9216 show fcsp dhchap database DHCHAP Local Password Non device specific password Other Devices Passwords Password for device with WWN 20 00 00 05 30 00 38 5e is Step 7 Display the DHCHAP configuration in the Fibre Channel interface MDS 9216 show fcsp interface fc 1 6 fc1 6 fcsp authentication mode SEC_MODE_ON Status Successfully a...

Page 902: ...ult Settings Default Settings Table 36 2 lists the default settings for all fabric security features in any switch Table 36 2 Default Fabric Security Settings Parameters Default DHCHAP feature Disabled DHCHAP hash algorithm A priority list of MD5 followed by SHA 1 for DHCHAP authentication DHCHAP authentication mode Auto passive DHCHAP group default priority exchange order 0 4 1 2 and 3 respective...

Page 903: ...ge 37 5 Activating Port Security page 37 5 About Enabling Auto learning page 37 7 Port Security Manual Configuration page 37 10 Port Security Configuration Distribution page 37 11 Database Merge Guidelines page 37 14 Port Security Activation page 37 5 Auto learning page 37 7 Port Security Manual Configuration page 37 10 Port Security Configuration Distribution page 37 11 Database Merge Guidelines ...

Page 904: ...es to accept and implement configuration changes Configuration database All configuration changes are stored in the configuration database Active database The database currently enforced by the fabric The port security feature requires all devices connecting to a switch to be part of the port security active database The software uses this active database to enforce authorization About Auto Learni...

Page 905: ... the auto learned entries You must disable auto learning before the auto learned entries become activated When you activate the port security feature auto learning is also automatically enabled You can choose to activate the port security feature and disable auto learning Tip If a port is shut down because of a denied login attempt and you subsequently configure the database to allow that login th...

Page 906: ... the configure database is the same on all switches in the fabric Step 10 Copy the running configuration to the startup configuration using the fabric option This saves the port security configure database to the startup configuration on all switches in the fabric Configuring Port Security with Auto Learning without CFS To configure port security using auto learning without CFS follow these steps ...

Page 907: ...peat Step 1 through Step 5 for all switches in the fabric Step 7 Enabling Port Security By default the port security feature is disabled in all switches in the Cisco MDS 9000 Family To enable port security follow these steps Port Security Activation This section includes the following topics Activating Port Security page 37 5 Database Activation Rejection page 37 6 Forcing Port Security Activation...

Page 908: ... forcing the port security activation Forcing Port Security Activation If the port security activation request is rejected you can force the activation Note An activation using the force option can log out existing devices if they violate the active database You can view missing or conflicting entries using the port security database diff active vsan command in EXEC mode To forcefully activate the...

Page 909: ...pends on the state of the port security feature If the port security feature is not activated auto learning is disabled by default If the port security feature is activated auto learning is enabled by default unless you explicitly disabled this option Tip If auto learning is enabled on a VSAN you can only activate the database for that VSAN by using the force option Command Purpose Step 1 switch c...

Page 910: ... are logged in the port security active database Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config no port security auto learn vsan 1 Disables auto learning and stops the switch from learning about new devices accessing the switch Enforces the database contents based on the devices learned up to this point Table 37 1 Authorized Auto Learning Device...

Page 911: ...authorization results for this active database The conditions listed refer to the conditions from Table 37 1 Table 37 2 Authorization Results for Scenario Device Connection Request Authorization Condition Reason P1 N2 F1 Permitted 1 No conflict P2 N2 F1 Permitted 1 No conflict P3 N2 F1 Denied 2 F1 is bound to P1 P2 P1 N3 F1 Permitted 6 Wildcard match for N3 P1 N1 F3 Permitted 5 Wildcard match for ...

Page 912: ...N or by the nWWN If an Nx port is allowed to log in to SAN switch port Fx then that Nx port can only log in through the specified Fx port If an Nx port s nWWN is bound to an Fx port WWN then all pWWNs in the Nx port are implicitly paired with the Fx port TE port checking is done on each VSAN in the allowed VSAN list of the trunk port All PortChannel xE ports must be configured with the same set of...

Page 913: ...tep 3 switch config port security swwn 20 01 33 11 00 2a 4a 66 interface port channel 5 Configures the specified sWWN to only log in through PortChannel 5 switch config port security any wwn interface fc1 1 fc1 8 Configures any WWN to log in through the specified interfaces switch config port security pwwn 20 11 00 33 11 00 2a 4a fwwn 20 81 00 44 22 00 4a 9e Configures the specified pWWN to only l...

Page 914: ...ssuing a port security activate vsan vsan id no auto learn command Tip In this case we recommend that you perform a commit at the end of each operation after After you activate port security and after you enable auto learning To enable the port security distribution follow these steps Locking The Fabric The first action that modifies the existing configuration creates the pending database and lock...

Page 915: ...tive database on all switches are identical and learning can be disabled If the pending database contains more than one activation and auto learning configuration when you commit the changes then the activation and auto learning changes are consolidated and the behavior may change see Table 37 3 Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config por...

Page 916: ...n databases A and B exist in the configuration database activation is not done and devices C D are logged in 1 You activate the port security database and enableauto learning configuration database A B active database A B C D configuration database A B active database null pending database A B activation to be enabled 2 You disable learning configuration database A B active database A B C D config...

Page 917: ...letion page 37 17 Port Security Database Cleanup page 37 17 Database Scenarios Figure 37 1 depicts various scenarios to depict the active database and the configuration database status based on port security configurations Figure 37 1 Port Security Database Scenarios Once activated all devices that have already logged into the VSAN are also learned and added to the active database Once activated t...

Page 918: ...s in all the switches CLI Switch 1 config Database 99301 pwwn1 fwwn1 pwwn2 fwwn2 pwwn3 fwwn3 active Database EMPTY Configuring authorized ports Switch 1 config Database pwwn1 fwwn1 pwwn2 fwwn2 pwwn3 fwwn3 pwwn4 fwwn4 pwwn5 fwwn5 active Database Saving the configuration copy running start Activating the database pwwn1 fwwn1 pwwn2 fwwn2 pwwn3 fwwn3 s Note Learned entries are not saved in the startup...

Page 919: ...nd is required to actually delete the database Use the no port security database vsan command in configuration mode to delete the configured database for a specified VSAN switch config no port security database vsan 1 Port Security Database Cleanup Use the clear port security statistics vsan command to clear all existing statistics from the port security database for a specified VSAN switch clear ...

Page 920: ...e show port security command to view the output of the activated port security see Example 37 2 Example 37 2 Displays the Port Security Configuration Database in VSAN 1 switch show port security database vsan 1 Vsan Logging in Entity Logging in Point Interface 1 20 85 00 44 22 00 4a 9e fc3 5 1 20 11 00 33 11 00 2a 4a pwwn 20 81 00 44 22 00 4a 9e fc3 1 Total 2 entries Example 37 3 Displays the Acti...

Page 921: ...erface are displayed see Examples 37 6 to 37 8 Example 37 6 Displays the Wildcard fWWN Port Security in VSAN 1 switch show port security database fwwn 20 85 00 44 22 00 4a 9e vsan 1 Any port can login thru this fwwn Example 37 7 Displays the Configured fWWN Port Security in VSAN 1 switch show port security database fwwn 20 01 00 05 30 00 95 de vsan 1 20 00 00 0c 88 00 4a e2 swwn Example 37 8 Displ...

Page 922: ...1 Displays the Violations in the Port Security Database switch show port security violations VSAN Interface Logging in Entity Last Time Repeat count 1 fc1 13 21 00 00 e0 8b 06 d9 1d pwwn Jul 9 08 32 20 2003 20 20 00 00 e0 8b 06 d9 1d nwwn 1 fc1 12 50 06 04 82 bc 01 c3 84 pwwn Jul 9 08 32 20 2003 1 50 06 04 82 bc 01 c3 84 nwwn 2 port channel 1 20 00 00 05 30 00 95 de swwn Jul 9 08 32 40 2003 1 Tota...

Page 923: ...MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 37 Configuring Port Security Default Settings Port security Disabled Distribution Disabled Note Enabling distribution enables it on all VSANs in the switch Table 37 6 Default Security Settings continued Parameters Default ...

Page 924: ... t a t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m 37 22 Cisco MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 37 Configuring Port Security Default Settings ...

Page 925: ...AN basis This feature helps prevent unauthorized switches from joining the fabric or disrupting current fabric operations It uses the Exchange Fabric Membership Data EFMD protocol to ensure that the list of authorized switches is identical in all switches in the fabric This section has the following topics Licensing Requirements page 38 1 Port Security Versus Fabric Binding page 38 1 Fabric Bindin...

Page 926: ...s optional Note All switches in a Fibre Channel VSAN using fabric binding must be running Cisco MDS SAN OS Release 3 0 1 or later Table 38 1 Fabric Binding and Port Security Comparison Fabric Binding Port Security Uses a set of sWWNs and a persistent domain ID Uses pWWNs nWWNs or fWWNs sWWNs Binds the fabric at the switch level Binds devices at the interface level Authorizes only the configured sW...

Page 927: ...ou disable this configuration all related configurations are automatically discarded To enable fabric binding on any participating switch follow these steps View the status of the fabric binding feature of a fabric binding enabled switch by issuing the show fabric binding status command switch show fabric binding status VSAN 1 Activated database VSAN 4 No Active database Configuring Switch WWN Lis...

Page 928: ...11 11 11 domain 102 Adds the sWWN and domain ID of a switch to the configured database list switch config fabric binding swwn 21 00 05 30 23 1a 11 03 domain 101 Adds the sWWN and domain ID of another switch to the configured database list switch config fabric binding no swwn 21 00 15 30 23 1a 11 03 domain 101 Deletes the sWWN and domain ID of a switch from the configured database list Step 4 switc...

Page 929: ...eed with the activation by using the force option To forcefully activate the fabric binding database follow these steps Saving Fabric Binding Configurations When you save the fabric binding configuration the config database is saved to the running configuration Caution You cannot disable fabric binding in a FICON enabled VSAN Use the fabric binding database copy vsan command to copy from the activ...

Page 930: ... running config startup config Clearing the Fabric Binding Statistics Use the clear fabric binding statistics command to clear all existing statistics from the fabric binding database for a specified VSAN switch clear fabric binding statistics vsan 1 Deleting the Fabric Binding Database Use the no fabric binding command in configuration mode to delete the configured database for a specified VSAN s...

Page 931: ...abric binding database vsan 4 Vsan Logging in Switch WWN Domain id 4 21 00 05 30 23 11 11 11 Any 4 21 00 05 30 23 1a 11 03 Any 4 20 00 00 05 30 00 2a 1e 0xea 234 Local Total 2 entries Example 38 4 Displays Active VSAN Specific Fabric Binding Information switch show fabric binding database active vsan 61 Vsan Logging in Switch WWN Domain id 61 21 00 05 30 23 1a 11 03 0x19 25 61 21 00 05 30 23 11 11...

Page 932: ...Logins denied 0 Statistics For VSAN 348 Number of sWWN permit 0 Number of sWWN deny 0 Total Logins permitted 0 Total Logins denied 0 Statistics For VSAN 789 Number of sWWN permit 0 Number of sWWN deny 0 Total Logins permitted 0 Total Logins denied 0 Statistics For VSAN 790 Number of sWWN permit 0 Number of sWWN deny 0 Total Logins permitted 0 Total Logins denied 0 Example 38 6 Displays Fabric Bind...

Page 933: ...d 0 Received 0 Merge Rejects Transmitted 0 Received 0 Merge Busy Transmitted 0 Received 0 Merge Errors Transmitted 0 Received 0 EFMD Protocol Statistics for VSAN 4 Merge Requests Transmitted 0 Received 0 Merge Accepts Transmitted 0 Received 0 Merge Rejects Transmitted 0 Received 0 Merge Busy Transmitted 0 Received 0 Merge Errors Transmitted 0 Received 0 EFMD Protocol Statistics for VSAN 61 Merge R...

Page 934: ... d b a ck d o c c i s c o c o m 38 10 Cisco MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 38 Configuring Fabric Binding Default Settings Table 38 2 Default Fabric Binding Settings Parameters Default Fabric binding Disabled ...

Page 935: ...ibutions page 39 4 Configuring Common Roles page 39 8 Configuring User Accounts page 39 10 Configuring SSH Services page 39 14 Recovering the Administrator Password page 39 19 Default Settings page 39 21 Role Based Authorization Switches in the Cisco MDS 9000 Family perform authentication based on roles Role based authorization limits access to switch operations by assigning users to roles This ki...

Page 936: ...to allow access to the required commands Configuring Roles and Profiles To create an additional role or to modify the profile for an existing role follow these steps Note Only users belonging to the network admin role can create roles Configuring Rules and Features for Each Role Up to 16 rules can be configured for each role The user specified rule number determines the order in which the rules ar...

Page 937: ... policy requires the ENTERPRISE_PKG license see Chapter 3 Obtaining and Installing Licenses You can configure a role so that it only allows tasks to be performed for a selected set of VSANs By default the VSAN policy for any role is permit which allows tasks to be performed for all VSANs You can configure a role that only allows tasks to be performed for a selected set of VSANs To selectively allo...

Page 938: ...ing the CFS Infrastructure The following configurations are distributed Role names and descriptions List of rules for the roles VSAN policy and the list of permitted VSANs This section includes the following topics About Role Databases page 39 5 Locking the Fabric page 39 5 Committing Role Based Configuration Changes page 39 5 Discarding Role Based Configuration Changes page 39 5 Enabling Role Bas...

Page 939: ...mit the changes Locking the Fabric The first action that modifies the database creates the pending database and locks the feature in the entire fabric Once you lock the fabric the following situations apply No other user can make any configuration changes to this feature A copy of the configuration database becomes the pending database along with the first change Committing Role Based Configuratio...

Page 940: ...bases the software generates an alert message See the CFS Merge Support section on page 6 8 for detailed concepts Verify that the role database is identical on all switches in the entire fabric Be sure to edit the role database on any switch to the desired database and then commit it This synchronizes the role databases on all the switches in the fabric Displaying Role Based Information Use the sh...

Page 941: ...vsan policy permit default Role sangroup Description SAN management group vsan policy deny Permitted vsans 10 30 Rule Type Command type Feature 1 permit config 2 deny config fspf 3 permit debug zone 4 permit exec fcping Displaying Roles When Distribution is Enabled Use the show role command to display the configuration database Use the show role status command to display whether distribution is en...

Page 942: ...r Description Predefined SVC Operator group This role cannot be modified Access to selected SAN Volume Controller commands Role TechDocs vsan policy permit default Role sangroup Description SAN management group vsan policy deny Permitted vsans 10 30 Rule Type Command type Feature 1 permit config 2 deny config fspf 3 permit debug zone 4 permit exec fcping Role myrole vsan policy permit default Rule...

Page 943: ... Reference CLI Use the role name command Mapping of CLI Operations to SNMP SNMP has only three possible operations GET SET and NOTIFY The CLI has five possible operations DEBUG SHOW CONFIG CLEAR and EXEC Note NOTIFY does not have any restrictions like the syslog messages in the CLI Table 39 1 explains how the CLI operations are mapped to the SNMP operations CLI SNMP Switch 1 Role network admin Des...

Page 944: ...h CONFIG is denied for NTP in rule 4 rule 9 allows the SET to NTP MIB objects because EXEC also maps to the SNMP SET operation Configuring User Accounts Every Cisco MDS 9000 Family switch user has the account information stored by the system Your authentication information user name user password password expiration date and role membership are stored in your user profile The tasks explained in th...

Page 945: ...Note User passwords are not displayed in the switch configuration file Tip If a password is trivial short easy to decipher your password configuration is rejected Be sure to configure a strong password as shown in the sample configuration Passwords are case sensitive admin is no longer the default password for any Cisco MDS 9000 Family switch You must explicitly configure a strong password Caution...

Page 946: ...d123AAA expire 2003 05 31 Creates or updates the user account usam along with a password abcd123AAA that is set to expire on 2003 05 31 The password is limited to 64 characters Note User account names must contain non numeric characters switch config username msam password 0 abcd12AAA role network operator Creates or updates the user account msam along with a password abcd12AAA specified in clear ...

Page 947: ...itch show user account user1 user user1 Step 4 switch config username admin sshkey ssh rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAtjIHrIt 3dDeohix6JcRSI YZ0EOdJ3l5RONWcwSgAuTUSrLk 3a9hdYkzY94fhHmNGQGCjVg 8cbOxyH4Z1jcVFcrDogtQT Q8d veqts 8XQhqkNAFeGy4u8TJ2Us oreCU6DlibwkpzDafzKTpA5vB6FmHd2TI6Gnse9FUgKD5fs Specifies the SSH key for an existing user account admin switch config no username admin sshkey ssh rsa A...

Page 948: ...no password set local login not allowed Remote login through RADIUS is possible Configuring SSH Services The Telnet service is enabled by default on all Cisco MDS 9000 Family switches Before enabling the SSH service generate a server key pair see the Generating the SSH Server Key Pair section on page 39 15 Use the ssh key command to generate a server key Caution If you are logging in to a switch t...

Page 949: ...he SSH version 1 protocol The dsa option generates the DSA key pair for the SSH version 2 protocol The rsa option generates the RSA key pair for the SSH version 2 protocol Caution If you delete all of the SSH keys you cannot start a new SSH session To generate the SSH server key pair follow these steps Specifying the SSH Key You can specify an SSH key to log in using the SSH client without being p...

Page 950: ...se9FUgKD5fs Specifies the SSH key for the user account admin switch config no username admin sshkey ssh rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAtjIHrIt 3dDeohix6JcRSIYZ 0EOdJ3l5RONWcwSgAuTUSrLk3a9hdYkzY94fhHmNGQGCjVg 8cbO xyH4Z1jcVFcrDogtQT Q8dveqts 8XQhqkNAFeGy4u8TJ2UsoreC U6DlibwkpzDafzKTpA5vB6FmHd2TI6Gnse9FUgKD5fs Deletes the SSH key for the user account admin Command Purpose Step 1 switch copy tftp 10...

Page 951: ...anges before you use SCP SFTP along with the copy command you will receive an error see Example 39 10 Example 39 10 Using SCP SFTP to Copy Files Error Caused by SSH Key Change switch copy scp apn 10 10 1 1 isan 104 bootflash isan ram 1 0 4 WARNING REMOTE HOST IDENTIFICATION HAS CHANGED IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY Someone could be eavesdropping on you right now man in the m...

Page 952: ... 07 16 26 1980 1024 35 fingerprint 1024 67 76 02 bd 3e 8d f5 ad 59 5a 1e c4 5e 44 03 07 could not retrieve rsa key information dsa Keys generated Sun Jan 13 07 40 08 1980 ssh dss AAAAB3NzaC1kc3MAAABBAJTCRQOydNRel2v7uiO6Fix OTn8eGdnnDVxw5eJs5OcOEXOyjaWcMMYsEgxc9ada1NElp 8Wy7GPMWGOQYj9CU0AAAAVAMCcWhNN18zFNOIPo7cU3t7d0iEbAAAAQBdQ8UAOi Cti84qFb3kTqXlS9mEhdQUo0lH cH5bw5PKfj2Y dLR437zCBKXetPj4p7mhQ6Fq5o...

Page 953: ...509 certificate or SSH authentication using a Public Key Certificate but not both If either of them is configured and the authentication fails you will be prompted for a password For more information on CAs and digital certificates see Chapter 34 Configuring Certificate Authorities and Digital Certificates Recovering the Administrator Password You can recover the administrator password using one o...

Page 954: ...ction To recover a administrator password by power cycling the switch follow these steps Step 1 For Cisco MDS 9500 Series switches with two supervisor modules remove the supervisor module in slot 6 from the chassis Note On the Cisco MDS 9500 Series the password recovery procedure must be performed on the active supervisor module Removing the supervisor module in slot 6 ensures that a switchover wi...

Page 955: ...so the SNMP password for Fabric Manager switch config t switch config username admin password new password switch config exit switch Step 10 Save the software configuration switch copy running config startup config Step 11 Insert the previously removed supervisor module into slot 6 in the chassis Default Settings Table 39 2 lists the default settings for all switch security features in any switch ...

Page 956: ... s c o c o m 39 22 Cisco MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 39 Configuring Users and Common Roles Default Settings SSH service Disabled Telnet service Enabled Table 39 2 Default Switch Security Settings continued Parameters Default ...

Page 957: ...Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m P A R T 6 IP Services ...

Page 958: ...Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m ...

Page 959: ...witch and the 14 2 Multiprotocol Services MPS 14 2 module also allow you to use Fibre Channel FCIP and iSCSI features The MPS 14 2 module is available for use in any switch in the Cisco MDS 9200 Series or Cisco MDS 9500 Series Note For information on configuring Gigabit Ethernet interfaces see Chapter 45 Configuring IPv4 for Gigabit Ethernet Interfaces This chapter includes the following sections ...

Page 960: ... configure IPS modules or MPS 14 2 modules for FCIP you should have a basic understanding of the following concepts FCIP and VE Ports page 40 2 FCIP Links page 40 3 FCIP Profiles page 40 4 FCIP Interfaces page 40 4 FCIP and VE Ports Figure 40 2 describes the internal model of FCIP with respect to Fibre Channel Inter Switch Links ISLs and Cisco s extended ISLs EISLs FCIP virtual E VE ports behave e...

Page 961: ...P link One connection is used for data frames The other connection is used only for Fibre Channel control frames that is switch to switch protocol frames all Class F This arrangement provides low latency for all control frames To enable FCIP on the IPS module or MPS 14 2 module an FCIP profile and FCIP interface interface FCIP must be configured The FCIP link is established between two peers the V...

Page 962: ... 3 Figure 40 3 FCIP Profile and FCIP Links FCIP Interfaces The FCIP interface is the local endpoint of the FCIP link and a VE port interface All the FCIP and E port parameters are configured in context to the FCIP interface The FCIP parameters consist of the following The FCIP profile determines which Gigabit Ethernet port initiates the FCIP links and defines the TCP connection behavior Peer infor...

Page 963: ... FCIP links in the PortChannel should be across the same two switches The Fibre Channel traffic is load balanced across the FCIP links in the PortChannel FSPF Figure 40 5 displays a FPSF based load balancing configuration example This configuration requires two IP addresses on each SAN island and addresses IP and FCIP link failures Figure 40 5 FSPF Based Load Balancing The following characteristic...

Page 964: ...ort takes over the VRRP IP address When the VRRP switchover happens the FCIP link automatically disconnects and reconnects This configuration has only one FCIP E ISL link Ethernet PortChannels Figure 40 7 displays an Ethernet PortChannel based high availability FCIP example This solution addresses the problem caused by individual Gigabit Ethernet link failures Figure 40 7 Ethernet PortChannel Base...

Page 965: ...r 3 4 to be combined in one Ethernet PortChannel see the Configuring Gigabit Ethernet High Availability section on page 44 5 This restriction only applies to Ethernet PortChannels The Fibre Channel PortChannel to which FCIP link can be a part of does not have a restriction on which E ISL links can be combined in a Fibre Channel PortChannel as long as it passes the compatibility check see the Compa...

Page 966: ...utomatically discarded To use the FCIP feature you need to obtain the SAN extension over IP package license SAN_EXTN_OVER_IP or SAN_EXTN_OVER_IP_IPS4 see Chapter 3 Obtaining and Installing Licenses To enable FCIP on any participating switch follow these steps Note If FICON is enabled FICON VSAN is present on both the switches the Figure 40 15 is displayed otherwise Figure 40 14 is displayed Basic ...

Page 967: ...e ProfileId Ipaddr TcpPort 1 10 10 100 150 3225 2 10 10 100 150 3226 40 40 1 1 2 3225 100 100 1 1 2 3225 200 200 1 1 2 3225 Switch 1 Switch 2 IP router IP router 91561 IP Network IP address of Gigabit Ethernet interface 3 1 10 100 1 25 IP address of Gigabit Ethernet interface 3 1 10 1 1 1 Command Purpose Step 1 switch1 config terminal switch1 config Enters configuration mode Step 2 switch1 config ...

Page 968: ...d an FCIP link is established between the two IPS modules or MPS 14 2 modules To create an FCIP link assign a profile to the FCIP interface and configure the peer information The peer IP switch information initiates creates an FCIP link to that peer switch see Figure 40 10 Figure 40 10 Assigning Profiles to Each Gigabit Ethernet Interface To create FCIP link endpoint in switch 1 follow these steps...

Page 969: ...onfig if peer info ip address 10 100 1 25 Assigns the peer IPv4 address information 10 100 1 25 for switch 1 to the FCIP interface Step 5 switch1 config if no shutdown Enables the interface Command Purpose Step 1 switch1 config terminal switch config Enters configuration mode Step 2 switch1 config interface fcip 51 switch1 config if Creates an FCIP interface 51 Step 3 switch1 config if use profile...

Page 970: ...nfiguration Information page 40 17 FCIP configuration options can be accessed from the switch config profile submode prompt Configuring TCP Listener Ports To configure TCP listener ports follow these steps The default TCP port for FCIP is 3225 You can change this port using the port command To change the default FCIP port number 3225 follow these steps Command Purpose Step 1 switch config terminal...

Page 971: ...c To configure the minimum retransmit time follow these steps Keepalive Timeout You can configure the interval that the TCP connection uses to verify that the FCIP link is functioning This ensures that an FCIP link failure is detected quickly even when there is no traffic If the TCP connection is idle for more than the specified time then keepalive timeout packets are sent to ensure that the conne...

Page 972: ...n only learn about a single lost packet per round trip A selective acknowledgment SACK mechanism helps overcome the limitations of multiple lost packets during a TCP transmission The receiving TCP sends back SACK advertisements to the sender The sender can then retransmit only the missing data segments By default SACK is enabled on Cisco MDS 9000 Family switches Command Purpose Step 1 switch confi...

Page 973: ...ysical link keeping in mind other traffic that might be going across this link for example other FCIP tunnels WAN limitations in other words maximum bandwidth should be the total bandwidth minus all other traffic going across that link To configure window management follow these steps Monitoring Congestion By enabling the congestion window monitoring CWM parameter you allow TCP to monitor congesti...

Page 974: ...e default burst size is 50 KB Tip We recommend that this feature remain enabled to realize optimal performance Increasing the CWM burst size can result in more packet drops in the IP network impacting TCP performance Only if the IP network has sufficient buffering try increasing the CWM burst size beyond the default to achieve lower transmit latency To change the CWM defaults follow these steps Es...

Page 975: ...7 FCIP Profile 7 Internet Address is 47 1 1 2 interface GigabitEthernet4 7 Listen Port is 3225 TCP parameters SACK is disabled PMTU discovery is enabled reset timeout is 3600 sec Keep alive is 60 sec Minimum retransmission timeout is 300 ms Maximum number of re transmissions is 4 Send buffer size is 0 KB Maximum allowed bandwidth is 1000000 kbps Minimum available bandwidth is 15000 kbps Estimated ...

Page 976: ...anced FCIP Interface Configuration This section describes the options you can configure on an FCIP interface to establish connection to a peer and includes the following topics Configuring Peers page 40 18 Active Connections page 40 20 Number of TCP Connections page 40 20 Time Stamp Control page 40 21 B Port Interoperability Mode page 40 22 Quality of Service page 40 24 To establish a peer connect...

Page 977: ...file ID only needs to be configured on one end of the link Once the connection is established a special frame is exchanged to discover and authenticate the link Command Purpose Step 1 switch config if peer info ipaddr 10 1 1 1 Assigns an IPv4 address to configure the peer information Because no port is specified the default port number 3225 is used switch config if no peer info ipaddr 10 10 1 1 De...

Page 978: ... these steps Number of TCP Connections You can specify the number of TCP connections from an FCIP link By default the switch tries two 2 TCP connections for each FCIP link You can configure one or two TCP connections For example the Cisco PA FC 1G Fibre Channel port adapter which has only one 1 TCP connection interoperates with Command Purpose Step 1 switch config if special frame peer wwn 12 12 3...

Page 979: ...seconds If the time stamp option is enabled be sure to configure NTP on both switches see the NTP Configuration section on page 5 19 Tip Do not enable time stamp control on an FCIP interface that has tape acceleration or write acceleration configured To enable or disable the time stamp control follow these steps Command Purpose Step 1 switch config if tcp connection 1 Specifies the number of TCP c...

Page 980: ...rt as described in the T11 Standard FC BB 2 Figure 40 11 shows a typical SAN extension over an IP network Figure 40 11 FCIP B Port and Fibre Channel E Port B ports bridge Fibre Channel traffic from a local E port to a remote E port without participating in fabric related activities such as principal switch election domain ID assignment and Fibre Channel fabric shortest path first FSPF routing For ...

Page 981: ...ks that originate from a B port SAN extender device by implementing the B access ISL protocol on a Gigabit Ethernet interface Internally the corresponding virtual B port connects to a virtual E port that completes the end to end E port connectivity requirement see Figure 40 12 Figure 40 12 FCIP Link Terminating in a B Port Mode The B port feature in the IPS module and MPS 14 2 module allows remote...

Page 982: ... VSANs see Chapter 15 Configuring Trunking PortChannels see Chapter 37 Configuring Port Security Multiple FCIP links can be bundled into a Fibre Channel PortChannel FCIP links and Fibre Channel links cannot be combined in one PortChannel FSPF see Chapter 25 Configuring Fibre Channel Routing Services and Protocols Fibre Channel domains fcdomains see Chapter 17 Configuring Domain Parameters Importin...

Page 983: ... 20 92 GE4 2 3 3 3 1 UP N N N N N 1000M 1000M 2000 21 21 GE3 2 601 30 1 1 1 DOWN N N N N N 1000M 500M 1000 22 22 GE3 2 602 30 1 2 1 DOWN N N N N N 1000M 500M 1000 Example 40 4 Displays the FCIP Interface Summary of Counters for a Specified Interface switch show interface fcip 10 fcip10 is up Hardware is GigabitEthernet Port WWN is 20 d0 00 0c 85 90 3e 80 Peer port WWN is 20 d4 00 0c 85 90 3e 80 Ad...

Page 984: ...Information switch show interface fcip 4 counters fcip4 TCP Connection Information 5 minutes input rate 207518944 bits sec 25939868 bytes sec 12471 frames sec 5 minutes output rate 205340328 bits sec 25667541 bytes sec 12340 frames sec 2239902537 frames input 4658960377152 bytes 18484 Class F frames input 1558712 bytes 2239884053 Class 2 3 frames input 4658958818440 bytes 0 Reass frames 0 Error fr...

Page 985: ...bles you to significantly improve application write performance when storage traffic is routed over wide area networks using FCIP When FCIP write acceleration is enabled WAN throughput is maximized by minimizing the impact of WAN latency for write operations Note The write acceleration feature is disabled by default and must be enabled on both sides of the FCIP link If it is only enabled on one si...

Page 986: ...rt Such a configuration might cause either SCSI discovery failure or failed WRITE or READ operations Tip Do not enable time stamp control on an FCIP interface with write acceleration configured Note Write acceleration cannot be used across FSPF equal cost paths in FCIP deployments Native Fibre Channel write acceleration can be used with Port Channels Also FCIP write acceleration can be used in Por...

Page 987: ...0690400 0x00620426 0x0005 0x0000321f 0xd4a8 0xffff 0x00690400 0x00620426 0x0005 0x00003220 0xd4c0 0xffff 0x00690400 0x00620426 0x0005 0x00003221 0xd4d8 0xffff 0x00690400 0x00620426 0x0005 0x00003222 0xd4f0 0xffff 0x00690400 0x00620426 0x0005 0x00003223 Example 40 9 Displays Exchanges Processed by Write Acceleration at the Specified Target End FCIP Link switch show fcip target map 100 MAP TABLE 3 e...

Page 988: ...This single command process limits the benefit of the tape acceleration feature when using an FCIP tunnel over a long distance WAN link It impacts backup restore and restore performance because each SCSI WRITE or READ operation does not complete until the host receives a good status response from the tape drive The FCIP tape acceleration feature helps solve this problem It improves tape backup arc...

Page 989: ...ins write data integrity by allowing the WRITE FILEMARKS operation to complete end to end without proxying The WRITE FILEMARKS operation signals the synchronization of the buffer data with the tape library data While tape media errors are returned to backup servers for error handling tape busy errors are retried automatically by the Cisco SAN OS software In an example of tape acceleration for read...

Page 990: ...a configuration might cause either SCSI discovery failure or broken write or read operations Caution When tape acceleration is enabled in an FCIP interface a FICON VSAN cannot be enabled in that interface Likewise if an FCIP interface is up in a FICON VSAN tape acceleration cannot be enabled on that interface Note When you enable the tape acceleration feature for an FCIP tunnel the tunnel is reini...

Page 991: ... stamp control on an FCIP interface with tape acceleration configured Note If one end of the FCIP tunnel is running Cisco MDS SAN OS Release 3 0 1 or later and the other end is running Cisco MDS SAN OS Release 2 x and tape acceleration is enabled then the FCIP tunnel will run only tape write acceleration not tape read acceleration Tape Library LUN Mapping for FCIP Tape Acceleration If a tape libra...

Page 992: ...n Table 40 3 Configuring FCIP Tape Acceleration To enable FCIP tape acceleration follow these steps Table 40 1 Correct LUN Mapping Example with Single Host Access Host LUN Mapping Drive Host 1 LUN 1 Drive 1 LUN 2 Drive 2 Host 2 LUN 3 Drive 3 LUN 4 Drive 4 Table 40 2 Incorrect LUN Mapping Example with Single Hosts Access Host LUN Mapping Drive Host 1 LUN 1 Drive 1 LUN 2 Drive 2 Host 2 LUN 1 Drive 3...

Page 993: ...Flags 0x0 FSM state Non TA Mode Cached Reads 0 First index 0xfffffff7 Last index 0xfffffff7 RA index 0x0000f99a Current index 0xfffffffe Els Oxid 0xfff7 Hosts 1 FCID 0x770100 Step 3 switch1 config if write accelerator tape accelerator Enables tape acceleration and write acceleration if not already enabled switch1 config if write accelerator tape accelerator flow control buffer size auto Enables ta...

Page 994: ...lerator statistics 1 Host Tape Sessions 0 Target Tape Sessions Host End statistics Received 31521 writes 31521 good status 0 bad status Sent 31517 proxy status 4 not proxied Estimated Write buffer 0 writes 0 bytes Received 31526 reads 10 status Sent 31516 cached reads Read buffer 0 reads 0 bytes Host End error recovery statistics Sent REC 0 received 0 ACCs 0 Rejects Sent ABTS 0 received 0 ACCs Rec...

Page 995: ...n Cisco SAN OS Release 1 3 1 and earlier Tip While upgrading from Cisco SAN OS Release 1 x to Cisco SAN OS Release 2 0 1b or later we recommend that you disable compression before the upgrade procedure and then enable the required mode after the upgrade procedure If both ends of the FCIP link are running Cisco SAN OS Release 2 0 1b or later and you enable compression at one end of the FCIP tunnel ...

Page 996: ...pkts Decompression stats 0 input compressed bytes 0 output bytes 0 input compressed pkts 0 output pkts Passthru stats 0 input bytes 0 output bytes 0 input pkts 0 output pkts Miscellaneous stats 32 min input pktlen 32 max input pktlen 28 min output pktlen 28 max output pktlen 0 len mismatch 0 incomplete processing 0 invalid result 0 invalid session drop 0 comp expanded HW Compression Statistics for...

Page 997: ...minimum retransmit time 200 msec Keepalive timeout 60 sec Maximum retransmissions 4 retransmissions PMTU discovery Enabled pmtu enable reset timeout 3600 sec SACK Enabled max bandwidth 1Gbps min available bandwidth 500 Mbps round trip time 1 msec Buffer size 0 KB Control TCP and data connection No packets are transmitted TCP congestion window monitoring Enabled Burst size 50 KB TCP connection mode...

Page 998: ... e n t a t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m 40 40 Cisco MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 40 Configuring FCIP Default Settings ...

Page 999: ...requisites page 41 3 Configuring the SAN Extension Tuner page 41 3 Verifying the SAN Extension Tuner Configuration page 41 9 Default Settings page 41 10 About the SAN Extension Tuner Note SAN Extension Tuner is not supported on the Cisco Fabric Switch for HP c Class BladeSystem and the Cisco Fabric Switch for IBM BladeCenter Note As of Cisco MDS SAN OS Release 3 3 1a SAN Extension Tuner is support...

Page 1000: ...te with tuner targets Verify that the Gigabit Ethernet interface is up at the physical layer GBIC and Cable connected an IP address is not required Enable iSCSI on the switch no other iSCSI configuration is required Create an iSCSI interface on the Gigabit Ethernet interface and enable the interface no other iSCSI interface configuration is required see the Creating iSCSI Interfaces section on pag...

Page 1001: ...ionally specify a file as the data pattern to be generated by selecting a data pattern file from one of three locations the bootflash directory the volatile directory or the slot0 directory This option is especially useful when testing compression over FCIP links You can also use Canterbury corpus or artificial corpus files for benchmarking purposes License Prerequisites To use the SET you need to...

Page 1002: ...egate the real initiators Ensure that the zoning configuration is setup to allow the virtual N ports to communicate with each other Step 5 Start the SCSI read and write I Os Step 6 Add more N ports as required to other Gigabit Ethernet ports in the switch to obtain maximum throughput One scenario that may require additional N ports is if you use FCIP PortChannels Tuner Initialization The tuning fe...

Page 1003: ...00 56 vsan 200 interface gigabitethernet 3 4 switch san ext nport Creates a virtual N port on the specified Gigabit Ethernet port and VSAN This N port can act as an initiator or a target switch san ext no nport pWWN 22 34 56 78 90 12 34 56 vsan 200 interface gigabitethernet 3 4 Removes a virtual N port on the specified Gigabit Ethernet port and VSAN Command Purpose Step 1 switch san ext tuner swit...

Page 1004: ... 22 22 22 22 22 22 22 22 transfer size 512000 outstanding ios 2 continuous Configures SCSI commands to be read continuously Tip Use the stop command id command to stop the outstanding configuration Step 5 switch san ext nport write command id 100 target 22 22 22 22 22 22 22 22 transfer size 512000 outstanding ios 2 continuous Configures SCSI commands to be written continuously Step 6 switch san ex...

Page 1005: ...Command Purpose Command Purpose Step 1 switch san ext tuner switch san ext Enters the SET configuration submode Step 2 switch san ext nWWN 10 00 00 00 00 00 00 00 Configures the nWWN for the SAN extension tuner Step 3 switch san ext nport pWWN 12 00 00 00 00 00 00 56 vsan 200 interface gigabitethernet 3 4 switch san ext nport Creates a virtual N port on the specified Gigabit Ethernet port and VSAN...

Page 1006: ...continuous filemark frequency 32 Configures SCSI tape write commands to be issued continuously Step 6 switch san ext nport stop command id 100 Stops the command with the specified ID switch san ext nport stop command id all Stops all outstanding commands Step 7 switch san ext nport clear counters Clears the counters associated with this N port Step 8 switch san ext nport end switch Exits the SAN e...

Page 1007: ...00 00 00 00 00 00 56 scsi fcp Example 41 3 Displays All Virtual N Ports Configured on the Specified Interface switch show san ext tuner interface gigabitethernet 3 4 nport pWWN 12 00 00 00 00 00 00 56 vsan 200 counters Statistics for nport Node name 10 00 00 00 00 00 00 00 Port name 12 00 00 00 00 00 00 56 I Os per second 148 Read 0 Write 100 Ingress MB per second 0 02 MBs sec Max 0 02 MBs sec Egr...

Page 1008: ...1 Node name 10 00 00 00 00 00 00 00 Port name 10 00 00 00 00 00 00 01 Transfer ready size all Example 41 6 Displays All Virtual N Ports Configured in This Switch switch show san ext tuner nports Interface NODE NAME PORT NAME VSAN GigabitEthernet3 1 10 00 00 00 00 00 00 00 10 00 00 00 00 00 00 01 91 Default Settings Table 41 1 lists the default settings for tuning parameters Table 41 1 Default Tuni...

Page 1009: ... the 14 2 Multiprotocol Services MPS 14 2 module also allow you to use Fibre Channel FCIP and iSCSI features The MPS 14 2 module is available for use in any switch in the Cisco MDS 9200 Series or Cisco MDS 9500 Series Note For information on configuring Gigabit Ethernet interfaces see Chapter 45 Configuring IPv4 for Gigabit Ethernet Interfaces This chapter includes the following sections About iSC...

Page 1010: ... driver similar to a Fibre Channel driver in the host The IPS module or MPS 14 2 module provides transparent SCSI routing IP hosts using the iSCSI protocol can transparently access targets on the Fibre Channel network Figure 42 1 provides an example of a typical configuration of iSCSI hosts connected to an IPS module or MPS 14 2 module through the IP network access Fibre Channel storage on the Fib...

Page 1011: ...e device consists of the following main actions The iSCSI requests and responses are transported over an IP network between the hosts and the IPS module or MPS 14 2 module The SCSI requests and responses are routed between the hosts on an IP network and the Fibre Channel storage device converting iSCSI to FCP and vice versa The IPS module or MPS 14 2 module performs this conversion and routing The...

Page 1012: ...ge 42 5 Presenting Fibre Channel Targets as iSCSI Targets page 42 5 Presenting iSCSI Hosts as Virtual Fibre Channel Hosts page 42 9 iSCSI Access Control page 42 19 iSCSI Session Authentication page 42 23 iSCSI Immediate Data and Unsolicited Data Features page 42 26 iSCSI Interface Advanced Features page 42 26 Displaying iSCSI Information page 42 30 Enabling iSCSI To use the iSCSI feature you must ...

Page 1013: ...el Targets as iSCSI Targets The IPS module or MPS 14 2 module presents physical Fibre Channel targets as iSCSI virtual targets allowing them to be accessed by iSCSI hosts It does this in one of two ways Dynamic mapping Automatically maps all the Fibre Channel target devices ports as iSCSI devices Use this mapping to create automatic iSCSI target names Static mapping Manually creates iSCSI target d...

Page 1014: ...slot port sub intf Target pWWN IPS ports that are part of a VRRP group use this format iqn 1987 05 com cisco 05 vrrp vrrp ID vrrp IP addr Target pWWN Ports that are part of a PortChannel use this format iqn 1987 02 com cisco 02 mgmt ip address pc port ch sub intf Target pWWN Note If you have configured a switch name then the switch name is used instead of the management IP address If you have not ...

Page 1015: ...sed By default iSCSI targets are advertised on all Gigabit Ethernet interfaces subinterfaces PortChannel interfaces and PortChannel subinterfaces To configure a specific interface that should advertise the iSCSI virtual target follow these steps Command Purpose Step 1 switch config terminal switch config Enters configuration mode Step 2 switch config iscsi import target fc IPS modules and MPS 14 2...

Page 1016: ...05 06 Example 2 This example maps a subset of LUNs of a Fibre Channel target to three iSCSI virtual targets Each iSCSI target only has one LUN see Figure 42 8 Figure 42 8 Mapping LUNs to an iSCSI Node Name iscsi virtual target name iqn 1987 02 com cisco target 1 pWWN 28 00 01 02 03 04 05 06 fc lun 0 iscsi lun 0 iscsi virtual target name iqn 1987 02 com cisco target 2 pWWN 28 00 01 02 03 04 05 06 f...

Page 1017: ...om the storage devices These modules use a virtual Fibre Channel N port to access the Fibre Channel storage devices on behalf of the iSCSI host iSCSI hosts are identified by either iSCSI qualified name IQN or IP address Initiator Identification iSCSI hosts can be identified by the IPS module or MPS 14 2 module using the following iSCSI qualified name IQN An iSCSI initiator is identified based on t...

Page 1018: ...t and all iSCSI hosts use that to access Fibre Channel targets In a scenario where the Fibre Channel storage device requires explicit LUN access control for every host the static configuration for each iSCSI initiator can be overwhelming In such case using the proxy initiator mode simplifies the configuration Caution Enabling proxy initiator mode of an iSCSI interface that is part of an iSLB VRRP ...

Page 1019: ... registered in the Fibre Channel name server The IPS module or MPS 14 2 module registers the following entries in the Fibre Channel name server IP address of the iSCSI host in the IP address field on the name server IQN of the iSCSI host in the symbolic node name field of the name server SCSI_FCP in the FC 4 type field of the name server Initiator flag in the FC 4 feature of the name server Vendor...

Page 1020: ...e Channel target device because the target device access control is usually configured using the host WWN The WWNs are allocated from the MDS switch s WWN pool The WWN mapping to the iSCSI host is maintained as long as the iSCSI host has at least one iSCSI session to the IPS port When all iSCSI sessions from the host are terminated and the IPS module or MPS 14 2 module performs an FLOGO for the vi...

Page 1021: ...ion Tip We recommend using the system assign option If you manually assign a WWN you must ensure its uniqueness see the World Wide Names section on page 29 8 You should not use any previously assigned WWNs To configure static mapping using the name option for an iSCSI initiator follow these steps Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config is...

Page 1022: ... Mapping section on page 42 12 Note You cannot convert a dynamic iSCSI initiator to a static iSLB initiator or a dynamic iSLB initiator to a static iSCSI initiator Command Purpose Step 1 switch config terminal switch config Enters configuration mode Step 2 switch config iscsi initiator ip address 10 50 0 0 switch config iscsi init Configures an iSCSI initiator using the IPv4 address of the initiat...

Page 1023: ...I initiator whose name is specified switch config iscsi save initiator ip address 10 10 100 11 Saves the nWWN and pWWNs that have automatically been assigned to the iSCSI initiator whose IPv4 address is specified switch config iscsi save initiator ip address 2001 0DB8 800 200C 417A Saves the nWWN and pWWNs that have automatically been assigned to the iSCSI initiator whose IPv6 unicast address is s...

Page 1024: ...initiator by configuring iSCSI virtual targets see the Static Mapping section on page 42 7 with LUN mapping and iSCSI access control see the iSCSI Access Control section on page 42 19 Figure 42 11 Multiplexing IPS Ports Proxy initiator mode can be configured on a per IPS port basis in which case only iSCSI initiators terminating on that IPS port will be in this mode When an IPS port is configured ...

Page 1025: ...host VSAN membership to iSCSI host This method takes precedent over the iSCSI interface iSCSI interface VSAN membership to iSCSI interface All iSCSI hosts connecting to this iSCSI interface inherit the interface VSAN membership if the host is not configured in any VSAN by the iSCSI host method VSAN Membership for iSCSI Hosts Individual iSCSI hosts can be configured to be in a specific VSAN similar...

Page 1026: ...Impact on Load Balancing section on page 42 51 To change the default port VSAN for an iSCSI interface follow these steps Example of VSAN Membership for iSCSI Devices Figure 42 12 provides an example of VSAN membership for iSCSI devices iSCSI interface 1 1 is a member of VSAN Y Command Purpose Step 1 switch config terminal switch config Enters configuration mode Step 2 switch config iscsi initiator...

Page 1027: ...SI host can be a member of multiple VSANs In this case multiple virtual Fibre Channel hosts are created one in each VSAN in which the iSCSI host is a member This configuration is useful when certain resources such as Fibre Channel tape devices need to be shared among different VSANs iSCSI Access Control Two mechanisms of access control are available for iSCSI devices Fibre Channel zoning based acc...

Page 1028: ...e same zone In transparent initiator mode where one Fibre Channel virtual N port is created for each iSCSI host as described in the Transparent Initiator Mode section on page 42 11 if an iSCSI host has static WWN mapping then the standard Fibre Channel device pWWN based zoning membership mechanism can be used Zoning membership mechanism has been enhanced to add iSCSI devices to zones based on the ...

Page 1029: ...rol in iSCSI follow these steps Command Purpose Step 1 switch config terminal switch config Enters configuration mode Step 2 switch config zone name iSCSIzone vsan 1 switch config zone Creates a zone name for the iSCSI devices in the IPS module or MPS 14 2 module to be included Step 3 switch config zone member symbolic nodename iqn 1987 02 com cisco initiator1 Assigns an iSCSI node name based memb...

Page 1030: ...to access this virtual target You can issue this command multiple times to allow multiple initiators switch config iscsi tgt no initiator iqn 1987 02 com cisco initiator1 permit Prevents the specified initiator node from accessing virtual targets switch config iscsi tgt initiator ip address 10 50 1 1 permit Allows the specified IPv4 address to access this virtual target You can issue this command ...

Page 1031: ...e Channel virtual N port of the iSCSI host and does a zone enforced name server query for the Fibre Channel target WWN If the FC ID is returned by the name server then the iSCSI session is accepted Otherwise the login request is rejected iSCSI Session Authentication The IPS module or MPS 14 2 module supports the iSCSI authentication mechanism to authenticate the iSCSI hosts that request access to ...

Page 1032: ...See the Characteristics of Strong Passwords section on page 39 11 to create the local password database To create users in the local password database for the iSCSI initiator the iSCSI keyword is mandatory To configure iSCSI users for local authentication follow these steps Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config iscsi authentication chap...

Page 1033: ...y the initiator To configure a global iSCSI target user name and password to be used by the switch to authenticate itself to an initiator follow these steps Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config iscsi initiator name iqn 1987 02 com cisco init switch config iscsi init Enters the configuration submode for the initiator iqn 1987 02 com cis...

Page 1034: ...r small write commands because it removes one round trip between the initiator and the target for the R2T PDU As an iSCSI target the MDS switch allows up to 64 KB of unsolicited data per command This is controlled by the FirstBurstLength parameter during iSCSI login negotiation phase If an iSCSI initiator supports immediate data and unsolicited data features these features are automatically enable...

Page 1035: ... timeout See the Minimum Retransmit Timeout section on page 40 13 Keepalive timeout See the Keepalive Timeout section on page 40 13 Maximum retransmissions See the Maximum Retransmissions section on page 40 14 Path MTU See the Path MTUs section on page 40 14 SACK SACK is enabled by default for iSCSI TCP configurations See the Selective Acknowledgments section on page 40 14 Window management The iS...

Page 1036: ...e enabled This helps protect the integrity of iSCSI data carried in the PDU over what TCP checksum offers Store and forward mode default In store and forward mode the port on the IPS module or MPS 14 2 module assembles all the Fibre Channel data frames of an exchange to build one large iSCSI data in PDU before forwarding it to the iSCSI client In the opposite direction the port on the IPS module o...

Page 1037: ...Pass Thru Store Forward Cut Thru iSCSI initiator MDS FC Target iSCSI initiator MDS FC Target iSCSI initiator MDS FC Targ TCP part 1 contains iSCSI Data in PDU 1 DSlen 16KB Wait for all Data to arrive TCP part 2 Data2 Data frame is forwarded as it is received 130687 iSCSI Data in PDU 2 TCP part 1 contains iSCSI Data in PDU 1 DSlen 16KB Table 42 1 Comparison of iSCSI Routing Modes Mode Advantages Di...

Page 1038: ...ge 42 36 Displaying iSCSI Virtual Targets page 42 39 Displaying iSCSI User Information page 42 39 Displaying iSCSI Interfaces Use the show iscsi interface command to view the summary counter description and status of the iSCSI interface Use the output to verify the administrative mode the interface status TCP parameters currently used and brief statistics Example 42 1 Displays the iSCSI Interface ...

Page 1039: ...e switch show iscsi stats iscsi 2 1 iscsi2 1 5 minutes input rate 704 bits sec 88 bytes sec 1 frames sec 5 minutes output rate 704 bits sec 88 bytes sec 1 frames sec iSCSI statistics 974756 packets input 142671620 bytes Command 2352 pdus Data out 44198 pdus 92364800 bytes 0 fragments unsolicited 0 bytes output 1022920 packets 143446248 bytes Response 2352 pdus with sense 266 R2T 1804 pdus Data in ...

Page 1040: ...pt 13039 succeed 110 fail 12918 authen fail 0 Rcvd NOP Out 914582 Sent NOP In 914582 NOP In 0 Sent NOP Out 0 TMF REQ 0 Sent TMF RESP 0 Text REQ 18 Sent Text RESP 27 SNACK 0 Unrecognized Opcode 0 Bad header digest 0 Command in window but not next 0 exceed wait queue limit 0 Received PDU in wrong phase 0 SCSI Busy responses 0 Immediate data failure Separation 0 Unsolicited data failure Separation 0 ...

Page 1041: ... 3260 PMTU discover is enabled reset timeout is 3600 sec Keepalive timeout is 60 sec Minimum retransmit time is 300 ms Max retransmissions 4 Sack is disabled QOS code point is 0 Forwarding mode pass thru TMF Queueing Mode disabled Proxy Initiator Mode enabled Proxy initiator is enabled nWWN is 28 00 00 05 30 00 a7 a1 system assigned System assigned nWWN pWWN is 28 01 00 05 30 00 a7 a1 system assig...

Page 1042: ... the overall configuration and the iSCSI status See Example 42 6 Example 42 6 Displays the Current Global iSCSI Configuration and State switch show iscsi global iSCSI Global information Authentication CHAP NONE Import FC Target Enabled Initiator idle timeout 300 seconds Number of target node 0 Number of portals 11 Number of session 0 Failed session 0 Last failed initiator name Displaying iSCSI Ses...

Page 1043: ... VT1 Initiator 10 10 100 199 Initiator name iqn 1987 05 com cisco 01 7e3183ae458a94b1cd6bc168cba09d2e Session 1 Target VT1 VSAN 1 ISID 246b00000000 Status active no reservation Example 42 9 Displays Detailed Information About the Specified iSCSI Session switch show iscsi session initiator 10 10 100 199 target VT1 detail Initiator 10 10 100 199 oasis qa Initiator name iqn 1987 05 com cisco 01 7e318...

Page 1044: ...rtual Port WWN is 22 04 00 05 30 00 10 e1 configured Interface iSCSI 4 1 Portal group tag 0x180 VSAN ID 1 FCID 0x6c0202 VSAN ID 2 FCID 0x6e0000 VSAN ID 10 FCID 0x790000 iSCSI Node name is 10 10 100 199 iSCSI Initiator name iqn 1987 05 com cisco 01 7e3183ae458a94b1cd6bc168cba09d2e iSCSI alias name oasis qa Node WWN is 22 03 00 05 30 00 10 e1 configured Member of vsans 1 5 Number of Virtual n_ports ...

Page 1045: ...bre Channel N port created for iSCSI initiators in the SAN See Example 42 12 and Example 42 13 Example 42 12 Displays the FCNS Database Contents switch show fcns database VSAN 1 FCID TYPE PWWN VENDOR FC4 TYPE FEATURE 0x020101 N 22 04 00 05 30 00 35 e1 Cisco scsi fcp init isc w iSCSI 0x020102 N 22 02 00 05 30 00 35 e1 Cisco scsi fcp init isc w initiator 0x0205d4 NL 21 00 00 04 cf da fe c6 Seagate s...

Page 1046: ...Cisco node wwn 22 01 00 05 30 00 35 e1 class 2 3 node ip addr 10 2 2 11 ipa ff ff ff ff ff ff ff ff fc4 types fc4_features scsi fcp init iscsi gw symbolic port name symbolic node name iqn 1987 05 com cisco 01 14ac33ba567f986f174723b5f9f2377 port type N port ip addr 0 0 0 0 fabric port wwn 22 01 00 05 30 00 35 de hard addr 0x000000 Total number of entries 1 Use the show iscsi initiator configured t...

Page 1047: ...arget VT2 Port WWN 21 00 00 04 cf 4c 52 c1 Configured node all initiator permit is disabled target iqn 1987 05 com cisco 05 switch 04 01 2100002037a6be32 Port WWN 21 00 00 20 37 a6 be 32 VSAN 1 Auto created node Displaying iSCSI User Information The show user account iscsi command displays all configured iSCSI user names See Example 42 16 Example 42 16 Displays iSCSI User Names switch show user ac...

Page 1048: ...istributed throughout the fabric using CFS Dynamically and statically mapped iSCSI initiator configurations are not distributed Dynamic load balancing of iSLB initiators is available using iSCSI login redirect and VRRP This section covers the following topics About iSLB Configuration Limits page 42 40 iSLB Configuration Prerequisites page 42 41 About iSLB Initiators page 42 41 Configuring iSLB Ini...

Page 1049: ... iSCSI see the Enabling iSCSI section on page 42 4 Configure the Gigabit Ethernet interfaces see the Basic Gigabit Ethernet Configuration for IPv4 section on page 45 2 or the Configuring Basic Connectivity for IPv6 page 46 11 Configure the VRRP groups see the Configuring Load Balancing Using VRRP section on page 42 54 Configure and activate a zone set see Chapter 23 Configuring and Managing Zones ...

Page 1050: ...address option for an iSLB initiator follow these steps Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config islb initiator name iqn 1987 02 com cisco initiator switch config islb init Configures an iSLB initiator using the iSCSI name of the initiator node iqn 1987 02 com cisco initiator and enters iSLB initiator configuration submode The maximum name...

Page 1051: ...or WWN Mapping Static After a dynamic iSLB initiator has logged in you may decide to permanently keep the automatically assigned nWWN pWWN mapping to allow this initiator to use the same mapping the next time it logs in You can convert a dynamic iSLB initiator to a static iSLB initiator and make its WWNs persistent see Dynamic Mapping section on page 42 12 Note You cannot convert a dynamic iSCSI i...

Page 1052: ...nd pWWNs that have automatically been assigned to the iSLB initiator whose name is specified switch config islb save initiator 10 10 100 11 Saves the nWWNs and pWWNs that have automatically been assigned to the iSLB initiator whose IPv4 address is specified switch config iscsi save initiator ip address 2001 0DB8 800 200C 417A Saves the nWWNs and pWWNs that have automatically been assigned to the i...

Page 1053: ...on use the show islb initiator configured command switch show islb initiator configured iSCSI Node name is 10 1 1 2 Member of vsans 10 Node WWN is 23 02 00 0c 85 90 3e 82 Load Balance Metric 100 Number of Initiator Targets 1 Initiator Target test targt Port WWN 01 01 01 01 02 02 02 02 Primary PWWN VSAN 1 Zoning support is enabled Trespass support is disabled Revert to primary support is disabled C...

Page 1054: ...t switch config iscsi islb init target pwwn 26 00 01 02 03 04 05 06 no zone Configures the iSLB initiator target using a pWWN with auto zoning disabled switch config iscsi islb init target device alias SampleAlias Configures the iSLB initiator target using a device alias with auto zoning enabled default switch config iscsi islb init target device alias SampleAlias fc lun 0x1234 iscsi lun 0x2345 Co...

Page 1055: ...nfiguration The following example shows the show zoneset active command output when the dynamically generated zone name is used switch show zoneset active zoneset name zoneset 1 vsan 1 zone name ips_zone_5d9603bcff68008a6fc5862a6670ca09 vsan 1 fcid 0x010009 ip address 10 1 1 3 pwwn 22 00 00 04 cf 75 28 4d pwwn 22 00 00 04 cf 75 ed 53 pwwn 22 00 00 04 cf 75 21 d5 pwwn 22 00 00 04 cf 75 ee 59 The fo...

Page 1056: ...thenticating itself to the IPS module or MPS 14 2 module the CHAP user name is independent of the iSLB initiator name The IPS module or MPS 14 2 module allows the initiator to log in as long as it provides a correct response to the CHAP challenge sent by the switch This can be a problem if one CHAP user name and password have been compromised To restrict an initiator to use a specific user name fo...

Page 1057: ...Targets 1 Initiator Target iqn 1987 05 com cisco 05 ips hac4 Port WWN 50 06 04 82 ca e1 26 8d Zoning Enabled No of LU mapping 3 iSCSI LUN 0x0001 FC LUN 0x0001 iSCSI LUN 0x0002 FC LUN 0x0002 iSCSI LUN 0x0003 FC LUN 0x0003 About Load Balancing Using VRRP You can configure Virtual Router Redundancy Protocol VRRP load balancing for iSLB Figure 42 14 shows an example of load balancing using iSLB Comman...

Page 1058: ...r port knows through CFS that the backup port has gone down and redirects the host to another backup port Note If an Ethernet PortChannel is configured between the IPS module and an Ethernet switch the load balancing policy on the Ethernet switch must be based on source destination IP address only not port numbers for load balancing with VRRP to operate correctly Note An initiator can also be redi...

Page 1059: ... initiator it first checks for an existing mapping to one of the interfaces in that VRRP group If such a mapping exists the VRRP master redirects the initiator to that interface If no such mapping exists the VRRP master selects the least loaded interface and updates the selected interface s load with the initiator s iSLB metric weight Note The VRRP master interface is treated specially and it take...

Page 1060: ...0 GigabitEthernet2 1 441 The follow example output shows load distribution for nine initiators The interface load metric values for the backup interfaces have changed switch show islb vrrp summary VVR Id VRRP IP Switch WWN Ifindex Load M 1 10 10 122 115 20 00 00 0b 5f 3c 01 80 GigabitEthernet2 1 441 1000 1 10 10 122 115 20 00 00 0b 5f 3c 01 80 GigabitEthernet2 2 441 3000 1 10 10 122 115 20 00 00 0...

Page 1061: ...122 115 20 00 00 0b 5f 3c 01 80 GigabitEthernet2 2 441 iqn cisco test linux init1 1 10 10 122 115 20 00 00 0c ce 5c 5b c0 GigabitEthernet1 2 441 iqn cisco test linux init2 1 10 10 122 115 20 00 00 0c ce 5c 5b c0 GigabitEthernet1 1 441 iqn cisco test linux init3 1 10 10 122 115 20 00 00 0b 5f 3c 01 80 GigabitEthernet2 1 441 The following example output shows load distribution for nine initiators Th...

Page 1062: ...6 1 IPv4 100 1 s master 10 10 10 1 To verify the iSLB VRRP load balancing configuration for IPv6 use the show vrrp ipv6 vr command switch show vrrp ipv6 vr 1 Interface VR IpVersion Pri Time Pre State VR IP addr GigE6 2 1 IPv6 100 100cs master 5000 1 100 PortCh 4 1 IPv6 100 100cs master 5000 1 100 Displaying iSLB VRRP Information Use the show islb vrrp summary vr command to display VRRP load balanc...

Page 1063: ...ation operation starts a CFS session and locks the iSLB configuration in the fabric The configuration changes are applied to the pending configuration database When you make the changes to the fabric the pending configuration is distributed to all the switches in the fabric Each switch then validates the configuration This check ensures the following The VSANs assigned to the iSLB initiators are c...

Page 1064: ...I configuration changes are not allowed when an iSLB CFS session is active Committing Changes to the Fabric To apply the pending iSLB configuration changes to the active configuration and to other MDS switches in the fabric you must commit the changes The pending configuration changes are distributed and on a successful commit the configuration changes are applied to the active configuration in th...

Page 1065: ...compares its running configuration to the received configuration for any conflicts If no conflicts are detected it merges the two configurations and sends it to all the switches in both the fabrics Each switch then validates the configuration This check ensures the following VSANs assigned to the iSLB initiators are configured on all the switches The static WWNs configured for the iSLB initiators ...

Page 1066: ...c distribute enable last action result success last action failure cause success Displaying iSLB CFS Merge Status You can display the iSLB CFS merge status using the show islb merge status command switch show islb merge status Merge Status Success Merge conflicts may occur User intervention is required for the following merge conflicts The iSCSI global authentication or iSCSI initiator idle timeou...

Page 1067: ...P Network page 42 63 VRRP Based High Availability page 42 64 Ethernet PortChannel Based High Availability page 42 65 Transparent Target Failover The following high availability configurations are available iSCSI high availability with host running multi path software iSCSI High availability with host not having multi path software iSCSI High Availability with Host Running Multi Path Software Figur...

Page 1068: ...ot connect to the IPS port and sessions 1 and 2 fail But sessions 3 and 4 are still available If the storage port 1 fails then the IPS ports will terminate sessions 1 and 3 put iSCSI virtual target iqn com cisco mds 5 1 2 p1 and iqn com cisco mds 5 1 1 p1 in offline state But sessions 2 and 4 are still available In this topology you have recovery from failure of any of the components The host mult...

Page 1069: ...over to a secondary port is done transparently by the IPS port without impacting the iSCSI session from the host All outstanding I Os are terminated with a check condition status when the primary port fails New I Os received during the failover are not completed and receive a busy status Tip If you use LUN mapping you can define a different secondary Fibre Channel LUN if the LU number is different...

Page 1070: ...uest to the target to move the LUs on the new active port The iSCSI session switches to use the new active port and the moved LUs are accessed over the new active port see Figure 42 17 Step 3 switch config iscsi tgt pwwn 26 00 01 02 03 04 05 06 Configures the primary port for this virtual target switch config iscsi tgt pwwn 26 00 01 02 03 04 05 06 secondary pwwn 26 00 01 02 03 10 11 12 Configures ...

Page 1071: ...Same IP Network Figure 42 18 provides an example of a configuration with multiple Gigabit Ethernet interfaces in the same IP network iSCSI iSCSI FC FC IP Addr 10 1 1 1 iqn initiator abc IP Addr 10 1 1 2 iqn virtual target abc pWWN a1 97 ac fcid 0610003 pWWN a1 94 cc fcid 0x550002 IP network Primary Secondary 105219 Command Purpose Step 1 switch config terminal switch config Enters configuration mo...

Page 1072: ...ifferent names The multi pathing software on the host provides load balancing over both paths If one Gigabit Ethernet interface fails the host multi pathing software is not affected because it can use the second path VRRP Based High Availability Figure 42 19 provides an example of a VRRP based high availability iSCSI configuration IP network 90861 IP 10 1 10 100 IP 10 1 1 1 FC fabric pWWN P1 iqn h...

Page 1073: ...cts to the target and the session comes up because the second Gigabit Ethernet interface has taken over the virtual IP address as the new master Ethernet PortChannel Based High Availability Note All iSCSI data traffic for one iSCSI link is carried on one TCP connection Consequently the aggregated bandwidth is 1 Gbps for that iSCSI link Figure 42 20 provides a sample Ethernet PortChannel based high...

Page 1074: ...he Ethernet switch must be based on source destination IP address only not port numbers for load balancing with VRRP to operate correctly iSCSI Authentication Setup Guidelines and Scenarios This section provides guidelines on iSCSI authentication possibilities setup requirements and sample scenarios It includes the following authentication setup guidelines No Authentication page 42 67 CHAP with Lo...

Page 1075: ... user names and passwords for iSCSI users switch config username iscsi user password abcd iscsi Note If you do not specify the iscsi option the user name is assumed to be a Cisco MDS switch user instead of an iSCSI user Step 4 Verify the global iSCSI authentication setup switch show iscsi global iSCSI Global information Authentication CHAP Verify Import FC Target Disabled CHAP with External RADIUS...

Page 1076: ...n information is for iSCSI switch show aaa authentication default local console local iscsi group iscsi radius group Group name dhchap local switch show radius server groups total number of groups 2 following RADIUS server groups are configured group radius server all configured radius servers group iscsi radius group server 10 1 1 1 on auth port 1812 acct port 1813 switch show radius server Globa...

Page 1077: ...th IPv4 address 10 15 1 10 and node name iqn 1987 05 com cisco 01 25589167f74c connects to IPS port 7 5 Figure 42 21 iSCSI Scenario 1 To configure scenario 1 see Figure 42 21 follow these steps Step 1 Configure null authentication for all iSCSI hosts in Cisco MDS switches switch config iscsi authentication none Step 2 Configure iSCSI to dynamically import all Fibre Channel targets into the iSCSI S...

Page 1078: ...tabase VSAN 1 FCID TYPE PWWN VENDOR FC4 TYPE FEATURE 0x6d0001 NL 21 00 00 20 37 6f fd 97 Seagate scsi fcp target 0x6d0101 NL 21 00 00 20 37 6f fe 54 Seagate scsi fcp target 0x6d0201 NL 21 00 00 20 37 a6 a6 5d Seagate scsi fcp target Total number of entries 3 Step 8 Create a zone named iscsi zone 1 with host 1 and one Fibre Channel target in it Note Use the IP address of the host in zone membership...

Page 1079: ...fcid 0x6d0201 pwwn 21 00 00 20 37 a6 a6 5d Target symbolic nodename iqn 1987 05 com cisco 01 25589167f74c iSCSI host host 2 not online Step 13 Bring up the iSCSI hosts host 1 and host 2 Step 14 Show all the iSCSI sessions use the detail option for detailed information switch show iscsi session Initiator iqn 1987 05 com cisco 01 25589167f74c Host 2 Initiator ip addr s 10 15 1 11 Session 1 Target iq...

Page 1080: ... 1 11 iSCSI alias name oasis11 cisco com Node WWN is 20 02 00 0b fd 44 68 c2 dynamic Member of vsans 1 Number of Virtual n_ports 1 Virtual Port WWN is 20 03 00 0b fd 44 68 c2 dynamic Interface iSCSI 7 5 Portal group tag 0x304 VSAN ID 1 FCID 0x6d0300 Host 2 Initiator ID based on node name because the initiator is entering iSCSI interface 7 5 iSCSI Node name is 10 11 1 10 iSCSI Initiator name iqn 19...

Page 1081: ...0b fd 44 68 c2 Cisco node wwn 20 02 00 0b fd 44 68 c2 class 2 3 node ip addr 10 15 1 11 ipa ff ff ff ff ff ff ff ff fc4 types fc4_features scsi fcp init iscsi gw symbolic port name IPv4 address of the iSCSI host iSCSI gateway node symbolic node name iqn 1987 05 com cisco 01 25589167f74c port type N port ip addr 0 0 0 0 fabric port wwn 21 91 00 0b fd 44 68 c0 hard addr 0x000000 Total number of entr...

Page 1082: ...Step 4 Configure the iSCSI interface in slot 7 port 1 to identify all dynamic iSCSI initiators by their IP address and enable the interface switch config interface iscsi 7 1 switch config if switchport initiator id ip address switch config if no shutdown Step 5 Configure the Gigabit Ethernet interface in slot 7 port 5 with the IPv4 address and enable the interface switch config interface gigabitet...

Page 1083: ... of PWWN 1 Port WWN is 20 06 00 0b fd 44 68 c2 Step 9 Create a zone with host 1 switch config zone name iscsi zone 1 vsan 1 Step 10 Add three members to the zone named iscsi zone 1 Note Fibre Channel storage for zone membership for the iSCSI initiator either the iSCSI symbolic node name or the pWWN can be used In this case the pWWN is persistent The following command is based on the symbolic node ...

Page 1084: ...iator iqn 1987 05 com cisco 01 e41695d16b1a Initiator ip addr s 10 11 1 10 Session 1 Discovery session ISID 00023d000001 Status active Session 2 Target iqn 1987 05 com cisco 05 172 22 92 166 07 01 21000020376ffd97 VSAN 1 ISID 00023d000001 Status active no reservation To Fibre Channel target switch show iscsi initiator iSCSI Node name is iqn 1987 05 com cisco 01 e41695d16b1a Initiator ip addr s 10 ...

Page 1085: ... N port ip addr 0 0 0 0 fabric port wwn 21 81 00 0b fd 44 68 c0 hard addr 0x000000 Step 20 Verify that zoning has resolved the FC ID for the iSCSI client switch show zoneset active vsan 1 zoneset name iscsi zoneset v1 vsan 1 zone name iscsi zone 1 vsan 1 fcid 0x680001 pwwn 21 00 00 20 37 6f fd 97 fcid 0x680102 pwwn 20 02 00 0b fd 44 68 c2 switch config show fcns database fcid 0x680102 detail vsan ...

Page 1086: ... 1987 05 com cisco 01 25589167f74c iSCSI alias name oasis11 cisco com Node WWN is 20 04 00 0b fd 44 68 c2 dynamic Member of vsans 2 vsan membership Number of Virtual n_ports 1 Dynamic WWN as staticWWN not assigned Virtual Port WWN is 20 06 00 0b fd 44 68 c2 configured Interface iSCSI 7 5 Portal group tag 0x304 VSAN ID 2 FCID 0x750200 Static pWWN for the initiator switch show fcns database vsan 2 V...

Page 1087: ...000 Family switch can act as an iSNS client and register all available iSCSI targets with an external iSNS server All switches in the Cisco MDS 9000 Family with IPS modules or MPS 14 2 modules installed support iSNS server functionality This allows external iSNS clients such as an iSCSI initiator to register with the switch and discover all available iSCSI targets in the SAN This section includes ...

Page 1088: ...SNS client is unable to register or deregister objects with the iSNS server for example the client is unable to make a TCP connection to the iSNS server it retries every minute to reregister all iSNS objects for the affected interfaces with the iSNS server The iSNS client uses a registration interval value of 15 minutes If the client fails to refresh the registration during this interval the serve...

Page 1089: ...iSNS Profiles switch show isns profile iSNS profile name ABC tagged interface GigabitEthernet2 3 tagged interface GigabitEthernet2 2 iSNS Server 10 10 100 204 iSNS profile name XYZ iSNS Server 10 10 100 211 Example 42 20 Displays a Specified iSNS Profile switch show isns profile ABC iSNS profile name ABC tagged interface GigabitEthernet2 3 tagged interface GigabitEthernet2 2 iSNS Server 10 10 100 ...

Page 1090: ...ofile ABC counters iSNS profile name ABC tagged interface port channel 1 iSNS statistics Input 54 pdus registration deregistration pdus only Reg pdus 37 Dereg pdus 17 Output 54 pdus registration deregistration pdus only Reg pdus 37 Dereg pdus 17 iSNS Server 10 10 100 204 Use the show isns command to view all objects registered on the iSNS server and specified in the given profile see Example 42 23...

Page 1091: ...r also provides the following functionalities Allows iSNS clients to register deregister and query other iSNS clients registered with the iSNS server Provides centralized management for enforcing access control to provide or deny access to targets from specific initiators Provides a notification mechanism for registered iSNS clients to receive change notifications on the status change of other iSN...

Page 1092: ...to the corresponding iSCSI targets This is based on the iSCSI configuration such as virtual target and its access control setting or whether the dynamic Fibre Channel target import feature is enabled or disabled 6 The iSNS server sends a response back to the query initiator This response contains a list all iSCSI portals known to the iSNS server This means iqn host1 can choose to log in to target ...

Page 1093: ...figuration to iSNS servers across the fabric This allows the iSNS server running on any switch to provide a querying iSNS client a list of iSCSI devices available anywhere on the fabric For information on CFS see Chapter 6 Using the CFS Infrastructure To enable iSNS configuration distribution using follow these steps Configuring the ESI Retry Count The iSNS client registers information with its co...

Page 1094: ...command to display all registered iSNS clients and their associated configuration iSNS client deregistration can occur either explicitly or when the iSNS server detects that it can no longer reach the client through ESI monitoring iSNS client registration and deregistration result in status change notifications SCNs being generated to all interested iSNS clients Target Discovery iSCSI initiators d...

Page 1095: ... down Dynamic import of FC target configuration changes Zone set changes Default zone access control changes IPS interface state changes Initiator configuration change makes the target accessible or inaccessible Verifying the iSNS Server Configuration Use the show isns config command to view the ESI interval and the summary information about the iSNS database contents see Example 42 25 Example 42 ...

Page 1096: ...ex 1 Node Type Target 1 Node Index 0x80000001 WWN s 22 00 00 20 37 39 dc 45 VSANS iSCSI Node Name iqn isns first virtual target Entity Index 1 Node Type Target 1 Node Index 0x80000002 VSANS iSCSI Node Name iqn com cisco disk2 Entity Index 1 Node Type Target 1 Node Index 0x80000003 WWN s 22 00 00 20 37 39 dc 45 VSANS Portal IP Address 192 168 100 5 TCP Port 3205 Entity Index 1 Portal Index 3 Portal...

Page 1097: ...P Address 192 168 100 5 TCP Port 3205 Entity Index 1 Portal Index 3 Portal IP Address 192 168 100 6 TCP Port 3205 Entity Index 1 Portal Index 5 Example 42 29 provides the virtual target information for a specific remote switch The remote switch is specified using the switch ID the WWN of the switch Example 42 29 Displays Virtual Target for a Specified Switch switch show isns database virtual targe...

Page 1098: ...1 05 cw53 Target Example 42 31 Displays the Specified Node switch show isns node name iqn com cisco disk1 iSCSI Node Name iqn com cisco disk1 Entity Index 1 Node Type Target 1 Node Index 0x80000001 WWN s 22 00 00 20 37 39 dc 45 VSANS 1 Example 42 32 Displays the Attribute Details for All Nodes switch show isns node all detail iSCSI Node Name iqn 1987 05 com cisco 05 switch1 02 03 22000020375a6c8f ...

Page 1099: ... 42 33 Displays the Attribute Information for All Portals switch show isns portal all IPAddress TCP Port Index SCN Port ESI port 192 168 100 5 3205 3 192 168 100 6 3205 5 Example 42 34 Displays Detailed Attribute Information for All Portals switch show isns portal all detail Portal IP Address 192 168 100 5 TCP Port 3205 Entity Index 1 Portal Index 3 Portal IP Address 192 168 100 6 TCP Port 3205 En...

Page 1100: ...in a compact format one per line Example 42 38 Displays All Registered Entries switch1 show isns entity Entity ID Last Accessed dp 204 Tue Sep 7 23 15 42 2004 Example 42 39 Displays All Entities in the Database switch show isns entity all Entity ID Last Accessed isns entity mds9000 Tue Sep 7 21 33 23 2004 dp 204 Tue Sep 7 23 15 42 2004 Example 42 40 Displays the Entity with the Specified ID switch...

Page 1101: ...00 44 0d ec 01 02 40 iSCSI Auto Import Enabled Use the show cfs peers command to display CFS peers switch information about the iSNS application see Example 42 45 Example 42 45 Displays the CFS Peer Switch Information for the iSNS Application switch show cfs peers name isns Scope Physical Switch WWN IP Address 20 00 00 00 ec 01 00 40 10 10 100 11 Local Total number of entries 1 iSNS Cloud Discover...

Page 1102: ...discovery from the CLI This action causes the destruction of existing memberships and makes new ones Auto discovery of the interface results in an interface being assigned to its correct cloud All other cloud members are not affected The membership of each cloud is built incrementally and is initiated by the following events A Gigabit Ethernet interface comes up This can be a local or remote Gigab...

Page 1103: ...ery Enabled Configuring iSNS Cloud Discovery Distribution To configure iSNS cloud discovery distribution using CFS follow these steps Configuring iSNS Cloud Discovery Message Types You can configure iSNS cloud discovery the type of message to use By default iSNS cloud discovery uses ICMP Step 2 switch config cloud discovery enable Enables iSNS cloud discovery switch config no cloud discovery enabl...

Page 1104: ...IP Addr 10 10 10 5 GigabitEthernet1 6 20 00 00 0d ec 02 c6 c0 IP Addr 10 10 10 6 members 2 Use the show cloud membership unresolved command to verify the unresolved membership on the switch switch show cloud membership unresolved Undiscovered Cloud No members Displaying Cloud Discovery Statistics Use the show cloud discovery statistics command to display the statistics for the cloud discovery oper...

Page 1105: ... window monitoring Enabled Burst size 50 KB Jitter 500 microseconds TCP connection mode Active mode is enabled Fibre Channel targets to iSCSI Not imported Advertising iSCSI target Advertised on all Gigabit Ethernet interfaces subinterfaces PortChannel interfaces and PortChannel subinterfaces iSCSI hosts mapping to virtual Fibre Channel hosts Dynamic mapping Dynamic iSCSI initiators Members of the ...

Page 1106: ...ck d o c c i s c o c o m 42 98 Cisco MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 42 Configuring iSCSI Default Settings Table 42 3 Default iSLB Parameters Parameters Default Fabric distribution Disabled Load balancing metric 1000 ...

Page 1107: ... techniques IP frames are encapsulated into Fibre Channel frames so NMS information can cross the Fibre Channel network without using an overlay Ethernet network IP routing default routing and static routing If your configuration does not need an external router you can configure a default route using static routing Switches are compliant with RFC 2338 standards for Virtual Router Redundancy Proto...

Page 1108: ...ing IPv6 for Gigabit Ethernet Interfaces On director class switches a single IP address is used to manage the switch The active supervisor module s management mgmt0 interface uses this IP address The mgmt0 interface on the standby supervisor module remains in an inactive state and cannot be accessed until a switchover happens After a switchover the mgmt0 interface on the standby supervisor module ...

Page 1109: ...ommands IP default network destination prefix and destination mask and next hop address Command Purpose Step 1 switch config terminal switch config Enters configuration mode Step 2 switch config interface mgmt0 switch config if Enters the interface configuration mode on the management Ethernet interface mgmt0 Step 3 switch config if ip address 10 1 1 1 255 255 255 0 Enters the IPv4 address 10 1 1 ...

Page 1110: ...onfigured Configuring the Default Gateway To configure the default gateway follow these steps Verifying the Default Gateway Configuration Use the show ip route command to verify the default gateway configuration switch show ip route Codes C connected S static Gateway of last resort is 1 12 11 1 S 5 5 5 0 24 via 1 1 1 1 GigabitEthernet1 1 C 1 12 11 0 24 is directly connected mgmt0 C 1 1 1 0 24 is d...

Page 1111: ...ateway switch see Figure 43 2 Figure 43 2 Overlay VSAN Functionality In Figure 43 2 switch A has the IPv4 address 1 12 11 1 switch B has the IPv4 address 1 12 11 2 switch C has the IPv4 address 1 12 11 3 and switch D has the IPv4 address 1 12 11 4 Switch A is the gateway switch with the Ethernet connection The NMS uses the IPv4 address 1 1 1 10 to connect to the gateway switch Frames forwarded to ...

Page 1112: ... See the Chapter 46 Configuring IPv6 for Gigabit Ethernet Interfaces for information about configuring IPv6 on the Cisco MDS 9000 Family switches This topic includes the following sections IPFC Configuration Guidelines page 43 6 Configuring an IPv4 Address in a VSAN page 43 7 Verifying the VSAN Interface Configuration page 43 7 Enabling IPv4 Routing page 43 7 Verifying the IPv4 Routing Configurati...

Page 1113: ...kets input 0 bytes 0 errors 0 multicast 0 packets output 0 bytes 0 errors 0 dropped Enabling IPv4 Routing By default the IPv4 routing feature is disabled in all switches To enable the IPv4 routing feature follow these steps Verifying the IPv4 Routing Configuration Use the show ip routing command to verify the IPv4 routing configuration switch config show ip routing ip routing is enabled Command Pu...

Page 1114: ...following steps show how to configure Switch_1 in the example network in Figure 43 3 Step 1 Create the VSAN interface and enter interface configuration submode switch_1 config t switch_1 config interface vsan 1 switch_1 config if Step 2 Configure the IP address and subnet mask switch_1 config if ip address 10 1 1 1 255 0 0 0 Step 3 Enable the VSAN interface and exit interface configuration submode...

Page 1115: ...figure the IP address and subnet mask switch_2 config if ip address 10 1 1 2 255 0 0 0 Step 4 Enable the VSAN interface and exit interface configuration submode switch_2 config if no shutdown switch_2 config if exit switch_2 config Step 5 Enable IPv4 routing switch_2 config ip routing switch_2 config exit switch_2 Step 6 Display the routes switch_2 show ip route Codes C connected S static C 10 0 0...

Page 1116: ... and exit interface configuration submode switch_3 config if no shutdown switch_3 config if exit switch_3 config Step 4 Enable IPv4 routing switch_3 config ip routing switch_3 config exit switch_3 Step 5 Display the routes switch_3 show ip route Codes C connected S static C 10 0 0 0 8 is directly connected vsan1 Step 6 Verify the connectivity to Switch_1 switch_3 ping 10 1 1 1 PING 10 1 1 1 10 1 1...

Page 1117: ...by default on any gateway switch between the out of band management interface and the default VSAN or between directly connected VSANs Configuring IPv4 Static Routes To configure an IPv4 static route follow these steps Verifying IPv4 Static Route Information Use the show ip route command to verifying the IPv4 static route configuration switch show ip route configured Destination Gateway Mask Metri...

Page 1118: ...iguration mode to remove an ARP entry from the ARP table switch config no arp 172 2 0 1 Use the clear arp command to delete all entries from the ARP table The ARP table is empty by default switch clear arp cache Overlay VSANs This section describes overlay VSANs and how to configure them This section includes the following topics About Overlay VSANs page 43 12 Configuring Overlay VSANs page 43 13 ...

Page 1119: ...fault route on every switch in the Fibre Channel fabric pointing to the switch that provides NMS access Step 4 Configure the default gateway route and the IPv4 address on switches that point to the NMS see Figure 43 4 Figure 43 4 Overlay VSAN Configuration Example Note To configure the management interface displayed in Figure 43 4 set the default gateway to an IPv4 address on the Ethernet network ...

Page 1120: ...itches and the IP cloud see Figure 43 5 Command Purpose Step 1 switch config t Enters configuration mode Step 2 switch config vsan database switch config vsan db Configures the VSAN database Step 3 switch config vsan db vsan 10 name MGMT_VSAN Defines the VSAN in the VSAN database on all of the switches in the Fibre Channel fabric Step 4 switch config vsan db exit switch config Exits the VSAN datab...

Page 1121: ... 0 0 0 0 0 0 0 next_hop 10 10 10 35 route 10 10 10 10 0 255 255 255 0 next_hop 11 11 11 35 ip route 10 10 10 0 255 255 255 0 172 23 84 74 ip route 11 11 11 0 255 255 255 0 172 23 84 74 IP cloud NMS 172 23 84 86 172 23 84 74 79545 VSAN 10 default gateway VSAN 11 default gateway Command Purpose Step 1 switch config t Enters configuration mode Step 2 switch config vsan database switch config vsan db ...

Page 1122: ... if exit switch config Exits the VSAN 10 interface mode Step 11 switch config interface vsan 11 switch config if Enters the interface configuration submode for VSAN 11 Step 12 switch config if ip address 11 11 11 0 netmask 255 255 255 0 switch config if Assigns an IPv4 address and subnet mask for this interface Step 13 switch config if no shutdown Enables the configured interface for VSAN 11 Step ...

Page 1123: ... multiple VSANs with different virtual router IP mapping Both IPv4 and IPv6 is supported The management interface mgmt 0 supports only one virtual router group All other interfaces each support up to seven virtual router groups including both IPv4 and IPv6 combined Up to 255 virtual router groups can be assigned in each VSAN VRRP security provides three options including no authentication simple t...

Page 1124: ...nt Gateway Configuring VRRP This section describes how to configure VRRP and includes the following topics Adding and Deleting Virtual Router page 43 19 Virtual Router Initiation page 43 19 Adding Virtual Router IP Addresses page 43 20 Priority for the Virtual Router page 43 21 Time Interval for Advertisement Packets page 43 22 Priority Preemption page 43 22 Virtual Router Authentication page 43 2...

Page 1125: ...v6 before attempting to enable a VR To enable or disable a virtual router configure for IPv4 follow these steps To enable or disable a virtual router configured for IPv6 follow these steps Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config interface vsan 10 switch config if Configures a VSAN interface VSAN 10 Step 3 switch config if vrrp 250 switch ...

Page 1126: ...Configures a VSAN interface VSAN 10 Step 3 switch config if interface ip address 10 0 0 12 255 255 255 0 Configures an IPv4 address and subnet mask The IPv4 address must be configured before the VRRP is added Step 4 switch config if vrrp 250 switch config if vrrp Creates VR ID 250 Step 5 switch config if vrrp address 10 0 0 10 Configures the IPv4 address for the selected VR Note This IP v4address ...

Page 1127: ...fig if vrrp ipv6 no address 2001 0db8 800 200c 417a Removes the IPv6 address for the selected VR Command Purpose Command Purpose Step 1 switch config t Enters configuration mode Step 2 switch config interface vsan 10 switch config if Configures a VSAN interface VSAN 10 Step 3 switch config if vrrp 250 switch config if vrrp Creates a virtual router Step 4 switch config if vrrp priority 2 Configures...

Page 1128: ...ption is implicitly applied Note The VRRP preemption is not supported on IP storage Gigabit Ethernet interfaces Command Purpose Step 1 switch config t Enters configuration mode Step 2 switch config interface vsan 10 switch config if Configures a VSAN interface VSAN 10 Step 3 switch config if vrrp 50 switch config if vrrp Creates a virtual router Step 4 switch config if vrrp advertisement interval ...

Page 1129: ...tion file The security parameter index SPI settings assigned in this option should be unique for each VSAN Note All VRRP configurations must be duplicated Command Purpose Step 1 switch config t Enters configuration mode Step 2 switch config interface vsan 10 switch config if Configures a VSAN interface VSAN 10 Step 3 switch config if vrrp 250 switch config if vrrp Creates a virtual router Step 4 s...

Page 1130: ...ge 43 22 To track the interface priority for a virtual router using IPv4 follow these steps Command Purpose Step 1 switch config t Enters configuration mode Step 2 switch config interface vsan 1 switch config if Configures a VSAN interface VSAN 1 Step 3 switch config if vrrp 250 switch config if vrrp Creates a virtual router Step 4 switch config if vrrp authentication text password Assigns the sim...

Page 1131: ...00 00 5e 00 01 07 Operational state init Example 43 4 Displays IPv4 VRRP Statistics switch show vrrp vr 7 interface vsan 2 statistics vr id 7 statistics Become master 0 Advertisement 0 Advertisement Interval Error 0 Command Purpose Step 1 switch config t Enters configuration mode Step 2 switch config interface vsan 12 switch config if Configures a VSAN interface VSAN 12 Step 3 switch config if vrr...

Page 1132: ...ddr GigE1 5 1 IPv6 100 100cs master 2004 1 GigE1 6 1 IPv6 100 100cs backup 2004 1 Example 43 6 Displays IPv6 VRRP Interface Configuration Information switch show vrrp ipv6 vr 1 interface gigabitethernet 1 5 configuration IPv6 vr id 1 configuration admin state up priority 100 associated ip 2004 1 advertisement interval 100 preempt no protocol IPv6 Example 43 7 Displays IPv6 VRRP Interface Status In...

Page 1133: ...command to clear both the IPv4 and IPv6 VRRP statistics for a specified interface see Example 43 10 Example 43 11 Clears VRRP Statistics on a Specified Interface switch clear vrrp vr 1 interface vsan 1 Use the clear vrrp ipv4 command to clear all the statistics for the specified IPv4 virtual router see Example 43 12 Example 43 12 Clears VRRP IPv4 Statistics on a Specified Interface switch clear vr...

Page 1134: ...t table switch config no ip domain name cisco com Disables default the domain name Step 4 switch config ip domain list harvard edu switch config ip domain list stanford edu switch config ip domain list yale edu Defines a filter of default domain names to complete unqualified host names by using the ip domain list global configuration command You can define up to 10 domain names in this filter To d...

Page 1135: ...Settings Table 43 1lists the default settings for DNS features Table 43 2lists the default settings for VRRP features Table 43 1 Default DNS Settings Parameters Default Domain lookup Disabled Domain name Disabled Domains None Domain server None Maximum domain servers 6 Table 43 2 Default VRRP Settings Parameters Default Virtual router state Disabled Maximum groups per VSAN 255 Maximum groups per G...

Page 1136: ...n t a t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m 43 30 Cisco MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 43 Configuring IP Services Default Settings ...

Page 1137: ...r includes the following sections Services Modules page 44 1 Supported Hardware page 44 4 IPS Module Core Dumps page 44 4 Configuring Gigabit Ethernet High Availability page 44 5 Configuring CDP page 44 9 Default Settings page 44 13 Services Modules The IP Storage services module IPS module and the MPS 14 2 module allow you to use FCIP and iSCSI features Both modules integrate seamlessly into the ...

Page 1138: ...nel storage devices The IP host sends SCSI commands encapsulated in iSCSI protocol data units PDUs to a Cisco MDS 9000 Family switch IPS port over a TCP IP connection At this point the commands are routed from an IP network into a Fibre Channel network and forwarded to the intended target Figure 44 2 depicts the iSCSI scenarios in which the IPS module is used Figure 44 2 iSCSI Scenarios Module Sta...

Page 1139: ...0 01 7f 32 to 00 05 30 01 7f 38 JAB081405AM 5 00 05 30 00 2c 4e to 00 05 30 00 2c 52 JAB06350B1M 6 00 05 30 00 19 66 to 00 05 30 00 19 6a JAB073705GL 9 00 0d bc 2f d6 00 to 00 0d bc 2f d6 08 JAB080804TN this terminal session IPS Module Upgrade Caution A software upgrade is only disruptive for the IPS module The SAN OS software continues to support nondisruptive software upgrades for Fibre Channel ...

Page 1140: ... OS unexpectedly resets it is useful to obtain a copy of the memory image called a IPS core dump to identify the cause of the reset Under that condition the IPS module sends the core dump to the supervisor module for storage Cisco MDS switches have two levels of IPS core dumps Partial core dumps default Each partial core dump consists of four parts four files All four files are saved in the active...

Page 1141: ...he IP address is always available see Figure 44 3 Figure 44 3 VRRP Scenario In Figure 44 3 all members of the VRRP group must be IP storage Gigabit Ethernet ports VRRP group members can be one or more of the following interfaces One or more interfaces in the same IPS module or MPS 14 2 module Interfaces across IPS modules or MPS 14 2 modules in one switch Interfaces across IPS modules or MPS 14 2 ...

Page 1142: ...r the selected VRRP group identified by the VR ID Note The virtual IPv4 address must be in the same subnet as the IPv4 address of the Gigabit Ethernet interface All members of the VRRP group must configure the same virtual IPv4 address Step 7 switch config if vrrp priority 10 Configures the priority for the selected interface within this VRRP group Note The interface with the highest priority is s...

Page 1143: ...r or MAC address Due to the load balancing scheme the data traffic from one TCP connection is always sent out on the same physical Gigabit Ethernet port of an Ethernet PortChannel For the traffic coming to the MDS an ethernet switch can implement load balancing based on its IP address its source destination MAC address or its IP address and port The data traffic from one TCP connection always trav...

Page 1144: ...follow these steps 90856 Switch 1 Ethernet PortChannel aggregation L2 switch IPS module Command Purpose Step 1 switch1 config terminal switch1 config Enters configuration mode Step 2 switch config interface port channel 10 switch config if Configures the specified PortChannel 10 Step 3 switch config if ip address 10 1 1 1 255 255 255 0 Enters the IPv4 address 10 1 1 1 and subnet mask 255 255 255 0...

Page 1145: ...nterfaces are up and functioning as desired See Example 44 1 and Example 44 2 Example 44 1 Displays the Gigabit Ethernet Interface switch show interface gigabitethernet 8 1 GigabitEthernet8 1 is up The interface is in the up state Hardware is GigabitEthernet address is 0005 3000 a98e Internet address is 10 1 3 1 24 MTU 1500 bytes BW 1000000 Kbit Port mode is IPS Speed is 1 Gbps Beacon is turned of...

Page 1146: ...er and returns Ethernet statistics for that interface See Example 44 3 Note Use the physical interface not the subinterface to display Ethernet MAC statistics Example 44 3 Displays Ethernet MAC Statistics switch show ips stats mac interface gigabitethernet 8 1 Ethernet MAC statistics for port GigabitEthernet8 1 Hardware Transmit Counters 237 frame 43564 bytes 0 collisions 0 late collisions 0 exces...

Page 1147: ...y drop 0 queue full drop 0 RDL ok 0 RDL drop too big Flow Control 0 0 0 1 0 2 0 3 This output shows all Fibre Channel frames that ingress or egress from the Gigabit Ethernet port Displaying TCP Statistics Use the show ips stats tcp interface gigabitethernet to display and verify TCP statistics This command takes the main Ethernet interface as a parameter and shows TCP stats along with the connecti...

Page 1148: ... persist timeout 12 keepalive timeout 11 keepalive probes TCP SACK Stats 0 recovery episodes 0 data packets 0 data bytes 0 data packets retransmitted 0 data bytes retransmitted 0 connections closed 0 retransmit timeouts TCP SYN Cache Stats 15 entries 3 connections completed 0 entries timed out 0 dropped due to overflow 12 dropped due to RST 0 dropped due to ICMP unreach 0 dropped due to bucket ove...

Page 1149: ... x Chapter 44 Configuring IP Storage Default Settings 0 parameter problem 0 source quench 0 redirect 0 echo request 0 echo reply 0 timestamp request 0 timestamp reply 0 address mask request 0 address mask reply Default Settings Table 44 1 lists the default settings for IP storage services parameters Table 44 1 Default Gigabit Ethernet Parameters Parameters Default IPS core size Partial ...

Page 1150: ...n t a t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m 44 14 Cisco MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 44 Configuring IP Storage Default Settings ...

Page 1151: ... MPS 14 2 module connectivity is provided in the form of Gigabit Ethernet interfaces that are appropriately configured This section covers the steps required to configure IP for subsequent use by FCIP and iSCSI Note For information about configuring FCIP see Chapter 40 Configuring FCIP For information about configuring iSCSI see Chapter 42 Configuring iSCSI A new port mode called IPS is defined fo...

Page 1152: ...nterface is connected should be configured as a host port also known as access port instead of a switch port Spanning tree configuration for that port on the Ethernet switch should disabled This helps avoid the delay in the management port coming up due to delay from Ethernet spanning tree processing that the Ethernet switch would run if enabled For Cisco Ethernet switches use either the switchpor...

Page 1153: ...ically detects the speed or pause method and duplex of incoming signals based on the link partner You can also detect link up conditions using the autonegotiation feature To configure autonegotiation follow these steps Configuring the MTU Frame Size You can configure the interfaces on a switch to transfer large or jumbo frames on a port The default IP maximum transmission unit MTU frame size is 15...

Page 1154: ...e host is active powered on The IP route is configured correctly The IP host has a route to get to the Gigabit Ethernet interface subnet The Gigabit Ethernet interface is in the up state Use the ping command to verify the Gigabit Ethernet connectivity see Example 45 1 The ping command sends echo request packets out to a remote device at an IP address that you specify see the Using the ping and pin...

Page 1155: ...ics About VLANs for Gigabit Ethernet page 45 5 Configuring the VLAN Subinterface page 45 6 Interface Subnet Requirements page 45 6 About VLANs for Gigabit Ethernet Virtual LANs VLANs create multiple virtual Layer 2 networks over a physical LAN network VLANs provide traffic isolation security and broadcast control Gigabit Ethernet ports automatically recognize Ethernet frames with IEEE 802 1Q VLAN ...

Page 1156: ...nterface number 100 in this example is the VLAN ID The VLAN ID ranges from 1 to 4093 Step 3 switch config if ip address 10 1 1 101 255 255 255 0 Enters the IPv4 address 10 1 1 100 and subnet mask 255 255 255 0 for the Gigabit Ethernet interface Step 4 switch config if no shutdown Enables the interface Table 45 1 Subnet Requirements for Interfaces Interface 1 Interface 2 Same Subnet Allowed Notes G...

Page 1157: ...d directly connected to the interface Static S identifies the static routes that go through the router IPv4 ACLs This section describes the guidelines for IPv4 access control lists IPv4 ACLs and how to apply them to Gigabit Ethernet interfaces This section includes the following topics Gigabit Ethernet IPv4 ACL Guidelines page 45 7 Applying IPv4 ACLs on Gigabit Ethernet Interfaces page 45 8 Note F...

Page 1158: ... A and destination is B is subsequently applied it will have no effect Tip If IPv4 ACLs are already configured in a Gigabit Ethernet interface you cannot add this interface to an Ethernet PortChannel group Chapter 33 Configuring IPv4 and IPv6 Access Control Lists for information on configuring IPv4 ACLs Applying IPv4 ACLs on Gigabit Ethernet Interfaces To apply an IPv4 ACL on a Gigabit Ethernet in...

Page 1159: ...20 1 1 11 16 0003 47ad 21c4 ARPA GigabitEthernet7 1 Internet 20 1 1 12 6 0003 4723 c4a6 ARPA GigabitEthernet7 1 Internet 20 1 1 13 13 0004 76f0 ef81 ARPA GigabitEthernet7 1 Internet 20 1 1 14 0 0004 76e0 2f68 ARPA GigabitEthernet7 1 Internet 20 1 1 15 6 0003 47b2 494b ARPA GigabitEthernet7 1 Internet 20 1 1 17 2 0003 479a b7a3 ARPA GigabitEthernet7 1 Clearing ARP Cache The ARP cache can be cleared...

Page 1160: ... stats ip interface gigabitethernet 4 1 Internet Protocol Statistics for port GigabitEthernet4 1 168 total received 168 good 0 error 0 reassembly required 0 reassembled ok 0 dropped after timeout 371 packets sent 0 outgoing dropped 0 dropped no route 0 fragments created 0 cannot fragment Default Settings Table 45 2 lists the default settings for IPv4 parameters Table 45 2 Default IPv4 Parameters P...

Page 1161: ...overy Parameters page 46 15 Configuring IPv6 Static Routes page 46 17 Gigabit Ethernet IPv6 ACL Guidelines page 46 18 Transitioning from IPv4 to IPv6 page 46 19 Displaying IPv6 Information page 46 19 Default Settings page 46 20 Note For Cisco SAN OS features that use IP addressing refer to the chapters in this guide that describe those features for information on IPv6 addressing support Note To co...

Page 1162: ...etworked devices functionality that is crucial to the applications and services that are driving the demand for more addresses IPv6 Address Formats IPv6 addresses are represented as a series of 16 bit hexadecimal fields separated by colons in the format x x x x x x x x The following are examples of IPv6 addresses 2001 0DB8 7654 3210 FEDC BA98 7654 3210 2001 0DB8 0 0 8 800 200C 417A It is common fo...

Page 1163: ...tended universal identifier EUI 64 format The Internet Assigned Numbers Authority IANA allocates the IPv6 address space in the range of 2000 16 to regional registries The aggregatable global address typically consists of a 48 bit global routing prefix and a 16 bit subnet ID or Site Level Aggregator SLA In the IPv6 aggregatable global unicast address format document RFC 2374 the global routing pref...

Page 1164: ...l Local U L bit the seventh bit of the first octet to a value of 0 or 1 A value of 0 indicates a locally administered identifier a value of 1 indicates a globally unique IPv6 interface identifier see Figure 46 2 Figure 46 2 Interface Identifier Format Link Local Address A link local address is an IPv6 unicast address that is automatically configured on an interface using the link local prefix FE80...

Page 1165: ...he prefix FF02 16 is a permanent multicast address with a link scope Figure 46 4 shows the format of the IPv6 multicast address Figure 46 4 IPv6 Multicast Address Format IPv6 hosts are required to join receive packets destined for the following multicast groups All node multicast group FF02 1 Solicited node multicast group FF02 0 0 0 0 1 FF00 0000 104 concatenated with the low order 24 bit of the ...

Page 1166: ...f the Internet Group Management Protocol IGMP for IPv4 A value of 58 in the Next Header field of the basic IPv6 packet header identifies an IPv6 ICMP packet ICMP packets in IPv6 resemble a transport layer packet in the sense that the ICMP packet follows all the extension headers and is the last piece of information in the IPv6 packet Within IPv6 ICMP packets the ICMPv6 Type and ICMPv6 Code fields ...

Page 1167: ... 1280 octets We recommend using an maximum transmission unit MTU value of 1500 octets for IPv6 links IPv6 Neighbor Discovery The IPv6 neighbor discovery process uses ICMP messages and solicited node multicast addresses to determine the link layer address of a neighbor on the same network local link verify the reachability of a neighbor and keep track of neighboring routers IPv6 Neighbor Solicitati...

Page 1168: ...neighbor advertisement is the all node multicast address Neighbor solicitation messages are also used to verify the reachability of a neighbor after the link layer address of a neighbor is identified Neighbor unreachability detection identifies the failure of a neighbor or the failure of the forward path to the neighbor and is used for all paths between hosts and neighboring nodes hosts or routers...

Page 1169: ...tation message If no neighbor advertisement messages are received in response to the neighbor solicitation message and no neighbor solicitation messages are received from other nodes that are attempting to verify the same tentative address the node that sent the original neighbor solicitation message considers the tentative link local address to be unique and assigns the address to the interface E...

Page 1170: ...l Stacks The dual IPv4 and IPv6 protocol stack technique is one technique for a transition to IPv6 It enables gradual one by one upgrades to applications running on nodes Applications running on nodes are upgraded to make use of the IPv6 protocol stack Applications that are not upgraded they support only the IPv4 protocol stack can coexist with upgraded applications on the same node New and upgrad...

Page 1171: ...ther required or optional This section includes the following topics Configuring IPv6 Addressing and Enabling IPv6 Routing page 46 11 Configuring IPv4 and IPv6 Protocol Addresses page 46 13 Verifying Basic IPv6 Connectivity Configuration and Operation page 46 13 Clearing IPv6 Neighbor Discovery Cache page 46 15 Configuring IPv6 Addressing and Enabling IPv6 Routing This task explains how to assign ...

Page 1172: ...nfigure an IPv6 address on an interface and enable IPv6 routing follow these steps Command or Action Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config interface gigabitethernet 1 1 switch config if Specifies a Gigabit Ethernet interface and enters interface configuration submode switch config interface mgmt 0 switch config if Specifies the management inter...

Page 1173: ...mmand Example Output for the show ipv6 traffic Command Step 5 switch config if exit switch config Exits interface configuration submode and returns to configuration mode Step 6 switch config ipv6 routing Enables the processing of IPv6 unicast datagrams Command or Action Purpose Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config interface gigabitethe...

Page 1174: ...Delay IPv6 Address Age State Link layer Addr Interface fe80 211 5dff fe53 500a 0 S 0011 5d53 500a GigE6 1 fe80 211 5dff fe53 500a 0 S 0011 5d53 500a GigE6 2 5000 1 250 0 S 0011 5d53 500a po 4 fe80 211 5dff fe53 500a 0 S 0011 5d53 500a po 4 fe80 211 5dff fe53 500a 0 S 0011 5d53 500a po 4 fe80 2d0 3ff fe61 4800 184 S 00d0 0361 4800 mgmt0 In the following example the show ipv6 neighbours interface co...

Page 1175: ...hbor discovery cache using the clear ipv6 neighbor command in EXEC mode switch clear ipv6 neighbor Configuring Neighbor Discovery Parameters You can configure the following neighbor discovery parameters Duplicate address detection attempts Reachability time Retransmission timer Note We recommend that you use the factory defined defaults for these parameters This section includes the following topi...

Page 1176: ...config if no ipv6 nd dad attempts Reverts to the default value 0 Note When the attempt count is set to 0 neighbor discovery is disabled Command or Action Purpose Command or Action Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config interface gigabitethernet 3 1 switch config if Specifies an interface and enters interface configuration submode Step 3 switch c...

Page 1177: ...s To configure a IPv6 static route follow these steps Verifying IPv6 Static Route Configuration and Operation The show ipv6 route command displays the IPv6 route table for the switch switch show ipv6 route IPv6 Routing Table Codes C Connected L Local S Static G Gateway G 0 via fe80 211 5dff fe53 500a GigabitEthernet6 1 distance 2 G 0 via fe80 2d0 3ff fe61 4800 mgmt0 distance 2 C 2000 64 via mgmt0 ...

Page 1178: ...ring IPv4 and IPv6 Access Control Lists for information on configuring IPv6 ACLs Follow these guidelines when configuring IPv6 ACLs for Gigabit Ethernet interfaces Only use Transmission Control Protocol TCP or Internet Control Message Protocol ICMP Note Other protocols such as User Datagram Protocol UDP and HTTP are not supported in Gigabit Ethernet interfaces Applying an ACL that contains rules f...

Page 1179: ...00 1 1 1 64 2592000 604800 Use the show ips ipv6 interface command for information about the IPv6 routes for an interface switch show ips ipv6 route interface gigabitethernet 6 1 IPv6 Routing Table 4 entries Codes C Connected L Local S Static G Gateway M Multicast C 6000 1 1 1 64 is directly connected GigabitEthernet6 1 C 6000 1 1 1 64 is directly connected GigabitEthernet6 1 C fe80 64 is directly...

Page 1180: ...output 0 rate limited unreach 0 routing 0 admin 0 neighbor 1160 address 0 port parameter 0 error 0 header 0 option 0 hopcount expired 0 reassembly timeout 0 too big 0 echo request 0 echo reply 0 group query 1466 group report 0 group reduce 1 router solicit 0 router advert 0 redirects 3412 neighbor solicit 6 neighbor advert Default Settings Table 46 2 lists the default settings for IPv6 parameters ...

Page 1181: ...Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m P A R T 7 Intelligent Storage Services ...

Page 1182: ...Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m ...

Page 1183: ...atures for SCSI flows such as write acceleration and flow monitoring for statistics gathering on an SSM This section includes the following topics About SCSI Flow Services page 47 1 Configuring SCSI Flow Services page 47 3 Enabling SCSI Flow Services page 47 3 Enabling SCSI Flow Configuration Distribution page 47 4 Configuring SCSI Flow Identifiers page 47 5 About SCSI Flow Services A SCSI initiat...

Page 1184: ...nfiguration of SCSI flows validating them and relaying configuration information to the appropriate SSM It also handles any dynamic changes to the status of the SCSI flow due to external events The SFM registers events resulting from operations such as port up or down VSAN suspension and zoning that affects the SCSI flow status and updates the flow status and configuration accordingly The SFM on t...

Page 1185: ...pecification is a distributed configuration because the SCSI initiator and the target might be physically connected to SSMs on two different switches located across the fabric The configuration does not require information to identify either the switch name or the SSM slot location for either the initiator or the target The manual SCSI flow configuration is performed only at the initiator side Thi...

Page 1186: ... scsi flow force module 2 Forces the switch to disable SCSI flow services on the SSM in slot 2 The default is disabled Step 3 switch config ssm enable feature scsi flow interface fc 2 5 8 Enables SCSI flow services on interface 5 through 8 on the SSM in slot 2 Note Interfaces must be specified in multiples of four beginning at ports 1 5 9 13 17 21 25 and 29 switch config no ssm enable feature scsi...

Page 1187: ...tics that can be collected for SCSI flows include the following SCSI reads Number of I Os Number of I O blocks Maximum I O blocks Minimum I O response time Maximum I O response time SCSI writes Number of I Os Number of I O blocks Maximum I O blocks Minimum I O response time Maximum I O response time Other SCSI commands not read or write Test unit ready Report LUN Inquiry Read capacity Mode sense C...

Page 1188: ... a Cisco MDS switch while the target can connect to any other switch in the fabric The SCSI flow initiator and target cannot connect to the same switch Configuring SCSI Flow Statistics This section includes the following topics Enabling SCSI Flow Statistics page 47 6 Clearing SCSI Flow Statistics page 47 6 Enabling SCSI Flow Statistics To enable SCSI flow statistics monitoring follow these steps C...

Page 1189: ... 102 Target WWN 21 00 00 20 37 38 7f 7d Target LUN ALL LUNs Flow Verification Status Initiator Verification Status success Target Verification Status success Initiator Linecard Status success Target Linecard Status success Feature Status Write Acceleration enabled Write Acceleration Buffers 1024 Configuration Status success Statistics enabled Configuration Status success Flow Id 4 Initiator VSAN 1...

Page 1190: ...tatistics for All SCSI Flow Identifiers switch show scsi flow statistics Stats for flow id 4 LUN 0x0000 Read Stats I O Total count 2 I O Timeout count 0 I O Total block count 4 I O Max block count 2 I O Min response time 5247 usec I O Max response time 10160 usec I O Active Count 0 Write Stats I O Total count 199935 I O Timeout count 0 I O Total block count 12795840 I O Max block count 64 I O Min ...

Page 1191: ...I O Max block count 2 I O Min response time 5247 usec I O Max response time 10160 usec I O Active Count 0 Write Stats I O Total count 199935 I O Timeout count 0 I O Total block count 12795840 I O Max block count 64 I O Min response time 492 usec I O Max response time 10056529 usec I O Active Count 16 Non Read Write Stats Test Unit Ready 4 Report LUN 38 Inquiry 50 Read Capacity 3 Mode Sense 0 Reque...

Page 1192: ...S Release 3 x Chapter 47 Configuring SCSI Flow Services and Statistics Default Settings Default Settings Table 47 1 lists the default settings for SCSI flow services and SCSI flow statistics parameters Table 47 1 Default Intelligent Storage Services Parameters Parameters Default SCSI flow services Disabled SCSI flow services distribution Enabled SCSI flow statistics Disabled ...

Page 1193: ...es effective latency to improve performance To take advantage of this feature both the initiator and target devices must be directly attached to an SSM This section includes the following topics About Fibre Channel Write Acceleration page 48 1 Enabling Fibre Channel Write Acceleration page 48 2 About Fibre Channel Write Acceleration The Fibre Channel write acceleration feature also allows the conf...

Page 1194: ... config t switch config Enters configuration mode Step 2 switch config ssm enable feature scsi flow module 2 Enables SCSI flow services on the SSM in slot 2 Note Fibre Channel write acceleration can only be configured on all interfaces on the SSM not on groups of interfaces Step 3 switch config scsi flow flow id 3 initiator vsan 2 initiator pwwn 21 00 00 e0 8b 07 5f aa target vsan 4 target pwwn 2a...

Page 1195: ... 20 37 38 a7 89 Target LUN ALL LUNs Flow Verification Status Initiator Verification Status success Target Verification Status success Initiator Linecard Status success Target Linecard Status success Feature Status Write Acceleration enabled Write Acceleration Buffers 1024 Configuration Status success Statistics enabled Configuration Status success Example 48 2 Displays Fibre Channel Write Accelera...

Page 1196: ...DS SAN OS Release 3 x Chapter 48 Configuring Fibre Channel Write Acceleration Default Settings Default Settings Table 48 1 lists the default settings for Fibre Channel write acceleration parameters Table 48 1 Default Fibre Channel Write Acceleration Parameters Parameters Default Fibre Channel write acceleration Disabled Fibre Channel write acceleration buffers 1024 ...

Page 1197: ...e 49 4 Displaying SANTap Information page 49 5 Removing Appliance Generated Entities page 49 8 Default Settings page 49 9 About SANTap The SANTap feature allows third party data storage applications such as long distance replication and continuous backup to be integrated into the SAN The protocol based interface that is offered by SANTap allows easy and rapid integration of the data storage servic...

Page 1198: ...sponses are sent to the control LUN on the appliance SANTap also allows LUN mapping to appliance virtual targets AVTs You can have a maximum of 512 target LUNs SANTap does not require reconfiguration of either the host or target when introducing SANTap based applications Also neither the host initiator nor the target is required to be directly connected to an SSM This is accomplished by assigning ...

Page 1199: ...allation of the deleted DVT LUNs is done even if the total number of LUNs remains the same In previous releases when the set of LUNs changed on the target the original LUN list was displayed on the DVT The new and changed LUNs were not reflected on the DVT However if the total number of LUNs increased then the additional LUNs were installed and displayed on the host Prior to Cisco SAN OS release 3...

Page 1200: ...telligent services SANTap and NASB on a single SSM Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config ssm enable feature santap module 4 Enables the SANTap application on the entire SSM switch config no ssm enable feature santap module 4 Disables the SANTap application on the entire SSM in slot 4 switch config no ssm enable feature santap force modu...

Page 1201: ...contains the host and the CVT switch config santap module 2 dvt target pwwn 50 06 0e 80 03 81 32 36 target vsan 9 dvt name MYDVT dvt vsan 12 dvt port 1 Configures the pWWN target VSAN DVT name DVT VSAN and DVT port The DVT port maps to one of the ports on the SSM You can assign a port for explicit load balancing or not assign a port which allows the SSM select the port and handle the load balancin...

Page 1202: ...vt tgt iofail behavior 0 dvt appio failover time 50 secs dvt inq data behavior 0 Example 49 3 Displays SANTap DVT LUN Information switch show santap module 2 dvtlun DVT LUN Information dvt pwwn 22 00 00 20 37 88 20 ef dvt lun 0x0 xmap id 8 dvt id 3 dvt mode 0 dvt vsan 3 tgt pwwn 22 00 00 20 37 88 20 ef tgt lun 0x0 tgt vsan 1 Example 49 4 Displays SANTap Session Information switch show santap modul...

Page 1203: ...000 hi pwwn 21 00 00 e0 8b 07 61 aa tgt pwwn 22 00 00 20 37 88 20 ef tgt vsan 1 Example 49 6 Displays SANTap AVT LUN Information switch show santap module 2 avtlun AVT LUN Information avt pwwn 2a 4b 00 05 30 00 22 25 avt lun 0x0 xmap id 16 avt id 12 tgt lun 0x0 Example 49 7 Displays SANTap Remote Virtual Terminal Information switch show santap module 2 rvt RVT Information rvt pwwn 2a 61 00 05 30 0...

Page 1204: ... session follow these steps Removing Initiator Target LUNs The initiator target LUN ITL triplet identifies a LUN loaded on a DVT Occasionally the ITL configuration remains after a SANTap application terminates To remove all LUNs for an ITL triplet follow these steps Command Purpose Step 1 switch show santap module 2 avt Displays the AVT pWWNs switch show santap module 2 avtlun Displays the AVT pWW...

Page 1205: ...Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 49 Configuring SANTap Default Settings Default Settings Table 49 1 lists the default settings for SANTap parameters Table 49 1 Default SANTap Parameters Parameters Default SANTap feature Disabled DVT IO timeout 10 seconds DVT LUN size handling flag 0 disabled ...

Page 1206: ... o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m 49 10 Cisco MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 49 Configuring SANTap ...

Page 1207: ...rver to focus on the coordination functions needed to complete the backup Most backups performed today are server free In server free backups the application server is not involved in moving the data The data can be moved by either a media server or a NASB device When the media server is the data mover it moves the data between the disks and the tapes The backup application runs on both the client...

Page 1208: ...pable of handling SCSI Extended Copy XCOPY commands as well as a SCSI initiator device capable of issuing READ WRITE commands to disks and other backup media such as tapes See Figure 50 2 Figure 50 2 Example Configuration with NASB Device as Data Mover The task of managing and preparing the source and destination targets is performed by the media server For example if the destination is a tape lib...

Page 1209: ...To configure the NASB feature follow these steps Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config ssm enable feature nasb module 4 Enables the NASB application on the entire SSM in slot 4 switch config no ssm enable feature nasb module 4 Disables the NASB application on the entire SSM in slot 4 switch config no ssm enable feature nasb force module...

Page 1210: ...ral Device Type 0x00 switch config nasb module 4 vsan 10 control Enables NASB on the SSM in slot 4 and on VSAN 10 for a single target LUN that is a Storage Array Controller Peripheral Device Type 0x0C switch config nasb module 4 vsan 10 multiple Enables NASB on the SSM in slot 4 and on VSAN 10 for up to 10 target LUNs that are Direct Access Devices Peripheral Device Type 0x00 Note Use the multiple...

Page 1211: ...vsan 1 DPP 6 VT nWWN 26030005300036a2 pWWN 26040005300036a2 provisioned NASB module 3 vsan 1 DPP 7 VT nWWN 26050005300036a2 pWWN 26060005300036a2 provisioned NASB module 3 vsan 1 DPP 8 VT nWWN 26070005300036a2 pWWN 26080005300036a2 provisioned NASB module 3 vsan 2 DPP 1 VT nWWN 26090005300036a2 pWWN 260a0005300036a2 provisioned NASB module 3 vsan 2 DPP 2 VT nWWN 260b0005300036a2 pWWN 260c000530003...

Page 1212: ...ration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 50 Configuring NASB Default Settings NASB module 3 vsan 1 DPP 8 VT nWWN 26070005300036a2 pWWN 26080005300036a2 provisioned Default Settings Table 50 1 lists the default settings for NASB parameters Table 50 1 Default NASB Parameters Parameters Default NASB feature Disabled ...

Page 1213: ...Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m P A R T 8 Network and Switch Monitoring ...

Page 1214: ...Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m ...

Page 1215: ...RFC 2819 Alarm Monitors a specific management information base MIB object for a specified interval triggers an alarm at a specified value rising threshold and resets the alarm at another value falling threshold Alarms can be used with events the alarm triggers an event which can generate a log entry or an SNMP trap Event Determines the action to take when an event is triggered by an alarm The acti...

Page 1216: ...Use the delta option to test any MIB objects that are counters The range for the rising threshold and falling threshold values is 2147483647 to 2147483647 Caution The falling threshold must be less than the rising threshold You can optionally specify the following parameters The event number to trigger if the rising or falling threshold exceeds the specified limit The owner of the alarm To enable ...

Page 1217: ... second s Taking absolute samples last value was 0 valuePositive Rising threshold low is 4294967295 high is 15 valuePositive Rising threshold assigned to event 1 Falling threshold low is 0 high is 0 valueNotAvailable Falling threshold assigned to event 0 On startup enable rising alarm Number of Failed Attempts is 0 Note High capacity RMON alarms can be configured using the CISCO HC ALARM MIB See t...

Page 1218: ... 01 Cisco MDS SAN OS Release 3 x Chapter 51 Configuring RMON Default Settings Event 500 is active owned by admin Description is Event firing causes log last fired 138807208 Default Settings Table 51 1 lists the default settings for all RMON features in any switch Table 51 1 Default RMON Settings Parameters Default RMON alarms Disabled RMON events Disabled ...

Page 1219: ...describes the Switched Port Analyzer SPAN features provided in switches in the Cisco MDS 9000 Family It includes the following sections About SPAN page 52 2 SPAN Sources page 52 2 SPAN Sessions page 52 5 Specifying Filters page 52 5 SD Port Characteristics page 52 5 Configuring SPAN page 52 6 Monitoring Traffic Using Fibre Channel Analyzers page 52 12 Displaying SPAN Information page 52 15 Remote ...

Page 1220: ...c The SPAN feature is non intrusive and does not affect switching of network traffic for any SPAN source ports see Figure 52 1 Figure 52 1 SPAN Transmission SPAN Sources SPAN sources refer to the interfaces from which traffic can be monitored You can also specify VSAN as a SPAN source in which case all supported interfaces in the specified VSAN are included as SPAN sources You can choose the SPAN ...

Page 1221: ...les Allowed Source Interface Types The SPAN feature is available for the following interface types Physical ports such as F ports FL ports TE ports E ports and TL ports Interface sup fc0 traffic to and from the supervisor The Fibre Channel traffic from the supervisor module to the switch fabric through the sup fc0 interface is called ingress traffic It is spanned when sup fc0 is chosen as an ingre...

Page 1222: ...on on the interfaces that are included in the VSAN Previously configured SPAN specific interface information is discarded If an interface in a VSAN is configured as a source you cannot configure that VSAN as a source You must first remove the existing SPAN configurations on such interfaces before configuring VSAN as a source Interfaces are only included as sources when the port VSAN matches the so...

Page 1223: ...ectively monitor network traffic on specified VSANs You can apply this VSAN filter to all sources in a session see Figure 52 4 Only VSANs present in the filter are spanned You can specify session VSAN filters that are applied to all sources in the specified session These filters are bidirectional and apply to all sources configured in the session Guidelines to Specifying Filters The following guid...

Page 1224: ...ure the same session in all four ports in one port group unit If you wish you can also configure only two or three ports in this unit see the 32 Port Switching Module Configuration Guidelines section on page 12 2 SPAN frames are dropped if the sum of the bandwidth of the sources exceeds the speed of the destination port Frames dropped by a source port are not spanned Configuring SPAN To monitor ne...

Page 1225: ...rface fc 7 1 from this session Step 5 switch config span source interface sup fc0 Configures the source interface sup fc0 in the session switch config span source interface fc1 5 6 fc2 1 3 Configures the specified interface ranges in the session switch config span source vsan 1 2 Configures source VSANs 1 and 2 in the session switch config span source interface port channel 1 Configures the source...

Page 1226: ... destination interface fc 9 1 in a session switch config span no destination interface fc9 1 Removes the specified destination interface fc 9 1 Step 4 switch config span source interface fc7 1 Configures the source fc7 1 interface in both directions Note The Cisco MDS 9124 Fabric Switch does not support bi directional SPAN sessions Rx and Tx switch config span no source interface fc7 1 Removes the...

Page 1227: ...e SPAN destination port instead of being dropped at the expense of data traffic throughput Caution The span drop threshold can be changed only if no span sessions are currently active on the switch Configuring SPAN for Generation 2 Fabric Switches Cisco Generation 2 Fabric Switches such as MDS 9124 support SPAN sessions in both directions Rx and Tx Note While using Generation 2 Fabric Switches you...

Page 1228: ... port with an active VSAN of 1 to 5 and you specify a VSAN filter for VSAN 2 then only the traffic on VSAN 2 will be filtered switch config span span session 1 switch config span source filter vsan 2 switch config span destination interface fc1 1 switch config span source interface fc1 2 tx However if you specify the VSAN filter for VSANs 1 to 2 then traffic from all VSANs 1 to 5 is filtered essen...

Page 1229: ...ed in any prior release are converted as follows If source interfaces and source VSANs are configured in a given session then all the source VSANs are removed from that session For example before Cisco MDS SAN OS Release 1 0 4 Session 1 active Destination is fc1 9 No session filters configured Ingress rx sources are vsans 10 11 fc1 3 Egress tx sources are fc1 3 Once upgraded to Cisco MDS SAN OS Re...

Page 1230: ...active as no active sources Destination is fc1 9 No session filters configured No ingress rx sources No egress tx sources Note The deprecated configurations are removed from persistent memory once a switchover or a new startup configuration is implemented Session 2 had a source VSAN 12 and a source interface fc1 6 with VSAN filters specified in Cisco MDS SAN OS Release 1 0 4 When upgraded to Cisco...

Page 1231: ...x links in both port 1 and port 2 Port 1 captures traffic exiting interface fc1 1 and port 2 captures ingress traffic into interface fc1 1 With SPAN Using SPAN you can capture the same traffic scenario shown in Figure 52 5 without any traffic disruption The Fibre Channel analyzer uses the ingress Rx link at port 1 to capture all the frames going out of the interface fc1 1 It uses the ingress link ...

Page 1232: ... the Fibre Channel analyzer To configure SPAN on the source and destination interfaces follow these steps Cisco MDS 9000 switch fc1 1 RX RX RX TX TX TX 1 2 FC Analyzer The egress TX traffic coming out from the analyzer ports will be dropped 85652 Dropped SD Port fc2 1 SD Port fc2 2 RX source in session 1 SD port fc2 1 TX source in session 2 SD port fc2 2 TX TX Storage device Command Purpose Step 1...

Page 1233: ...ng a full two port analyzer Figure 52 7 Fibre Channel Analyzer Using a Single SD Port To use this setup the analyzer should have the capability of distinguishing ingress and egress traffic for all captured frames To configure SPAN on a single SD port follow these steps Displaying SPAN Information Use the show span command to display configured SPAN information See Examples 52 4 to 52 9 Example 52 ...

Page 1234: ...o destination Destination is not specified Session filter vsans are 1 No ingress rx sources No egress tx sources Session 2 active Destination is fc9 5 No session filters configured Ingress rx sources are vsans 1 No egress tx sources Session 3 admin suspended Destination is not configured Session filter vsans are 1 20 Ingress rx sources are fc3 2 fc3 3 fc3 4 fcip 51 port channel 2 sup fc0 Egress tx...

Page 1235: ...ss BladeSystem and the Cisco Fabric Switch for IBM BladeSystem The Remote SPAN RSPAN feature enables you to remotely monitor traffic for one or more SPAN sources distributed in one or more source switches in a Fibre Channel fabric The SPAN destination SD port is used for remote monitoring in a destination switch A destination switch is usually different from the source switch es but is attached to...

Page 1236: ... ISL bandwidth with other ports in the fabric FC and RSPAN Tunnels An FC tunnel is a logical data path between a source switch and a destination switch The FC tunnel originates from the source switch and terminates at the remotely located destination switch RSPAN uses a special Fibre Channel tunnel FC tunnel that originates at the ST port in the source switch and terminates at the SD port in the d...

Page 1237: ... default VSAN interface must be configured The Fibre Channel tunnel feature must be enabled disabled by default IP routing must be enabled disabled by default Note If the IP address is in the same subnet as the VSAN the VSAN interface does not have to be configured for all VSANs on which the traffic is spanned A single Fibre Channel switch port must be dedicated for the ST port functionality Do no...

Page 1238: ... creation Step 2 Enable the FC tunnel in each switch in the end to end path of the tunnel Step 3 Initiate the FC tunnel in Switch S and map the tunnel to the VSAN interface s IP address in Switch D so all RSPAN traffic from the tunnel is directed to the SD port Step 4 Configure SD ports for SPAN monitoring in the destination switch Switch D Step 5 Configure the ST port in the source switch Switch ...

Page 1239: ...Note Be sure to enable this feature in each switch in the end to end path in the fabric Cisco MDS Fibre Channel fabric FC tunnel 100 FC tunnel source 99008 Cisco MDS source switch S Cisco MDS destination switch D IP address of VSAN 5 interface 10 10 10 1 IP address of VSAN 5 interface 10 10 10 2 Command Purpose Step 1 switchS config t Enters configuration mode Step 2 switchS config interface vsan ...

Page 1240: ...gured using Storage Services Modules SSMs To configure an ST port for the scenario in Figure 52 11 follow these steps Command Purpose Step 1 switchS config t Enters configuration mode Step 2 switchS config interface fc tunnel 100 switchS config if Initiates the FC tunnel 100 in the source switch switch S The tunnel IDs range from 1 to 255 Step 3 switchS config if source 10 10 10 1 Maps the IPv4 ad...

Page 1241: ...tination switch for the scenario in Figure 52 12 on page 52 25 follow these steps Step 3 switchS config if switchport mode ST Configures the ST port mode for interface fc2 1 Step 4 switchS config if switchport speed 2000 Configures the ST port speed to 2000 Mbps Step 5 switchS config if rspan tunnel interface fc tunnel 100 Associates and binds the ST port with the RSPAN tunnel 100 Step 6 switchS c...

Page 1242: ...e SD Port page 52 25 Mapping the FC Tunnel page 52 26 Configuring VSAN Interfaces Figure 52 12 on page 52 25 depicts an RSPAN tunnel configuration terminating in the destination switch Switch D Note This example assumes that VSAN 5 is already configured in the VSAN database To create a VSAN interface in the destination switch for the scenario in Figure 52 12 follow these steps Step 3 switchD confi...

Page 1243: ...gured Figure 52 12 RSPAN Tunnel Configuration Note SD ports cannot be configured using Storage Services Modules SSMs Step 3 switchD config if ip address 10 10 10 2 255 255 255 0 Configures the IPv4 address and subnet for the VSAN interface in the destination switch Switch D Step 4 switchD config if no shutdown Enables traffic flow to administratively allow traffic provided the operational state is...

Page 1244: ...able This option is especially useful if you prefer to direct the traffic through a certain path although other paths are available In an RSPAN situation you can specify the explicit path so the RSPAN traffic does not interfere with the existing user traffic You can create any number of explicit paths in a switch see Figure 52 14 Command Purpose Step 1 switchD config t Enters configuration mode St...

Page 1245: ... Step 3 switchS config explicit path next address 10 10 10 2 strict switchS config explicit path next address 10 10 10 3 strict switchS config explicit path next address 10 10 10 4 strict Specifies that the next hop VSAN interface IPv4 addresses and the previous hops specified in the explicit path do not require direct connection Step 4 switchS config fc tunnel explicit path Path2 switch config ex...

Page 1246: ...itor RSPAN Traffic To use this setup the analyzer should have the capability of distinguishing ingress and egress traffic for all captured frames Sample Scenarios Note RSPAN can be combined with the local SPAN feature so SD ports forward local SPAN traffic along with remote SPAN traffic Various SPAN source and tunnel scenarios are described in this section Single Source with One RSPAN Tunnel The s...

Page 1247: ...This configuration is useful for troubleshooting purposes Figure 52 17 RSPAN Scenario with One Source Switch One Destination Switch and Multiple Tunnels Multiple Sources with Multiple RSPAN Tunnels Figure 52 18 displays two separate RSPAN tunnels configured between Switches S1 and S2 Both tunnels have an associated ST port in their respective source switch and terminate in the same SD port in the ...

Page 1248: ...how commands to display configured RSPAN information See Examples 52 10 to 52 16 Example 52 10 Displays ST Port Interface Information switch show interface brief Interface Vsan Admin Admin Status Oper Oper Port channel Mode Trunk Mode Speed Mode Gbps fc1 1 1 auto on trunking TE 2 fc1 14 1 auto on trunking TE 2 fc1 15 1 ST on up ST 2 fc2 9 1 auto on trunking TE 2 port channel 21 fc2 10 1 auto on tr...

Page 1249: ... 11 Displays Detailed Information for the ST Port Interface switch show interface fc1 11 fc1 11 is up Hardware is Fibre Channel Port WWN is 20 0b 00 05 30 00 59 de Admin port mode is ST Port mode is ST Port vsan is 1 Speed is 1 Gbps Rspan tunnel is fc tunnel 100 Beacon is turned off 5 minutes input rate 248 bits sec 31 bytes sec 0 frames sec 5 minutes output rate 176 bits sec 22 bytes sec 0 frames...

Page 1250: ... Information switch show span session Session 2 active Destination is fc tunnel 100 No session filters configured Ingress rx sources are fc2 16 Egress tx sources are fc2 16 Example 52 16 Displays the FC Tunnel Interface switch show interface fc tunnel 200 fc tunnel 200 is up Dest IP Addr 200 200 200 7 Tunnel ID 200 Source IP Addr 200 200 200 4 LSP ID 1 Explicit Path Name Default SPAN and RSPAN Set...

Page 1251: ...ly CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 52 Monitoring Network Traffic Using SPAN Default SPAN and RSPAN Settings Table 52 2 Default RSPAN Configuration Parameters Parameters Default FC tunnel Disabled Explicit path Not configured Minimum cost path Used if explicit path is not configured ...

Page 1252: ... o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m 52 34 Cisco MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 52 Monitoring Network Traffic Using SPAN Default SPAN and RSPAN Settings ...

Page 1253: ... through Telnet SSH or the console port or by viewing the logs on a system message logging server Note When the switch first initializes the network is not connected until initialization completes Therefore messages are not redirected to a system message logging server for a few seconds Log messages are not saved across system reboots However a maximum of 100 log messages with a severity level of ...

Page 1254: ...g module Cisco MDS 9000 Family specific news USENET news Standard ntp NTP Cisco MDS 9000 Family specific platform Platform manager Cisco MDS 9000 Family specific port Port Cisco MDS 9000 Family specific port channel PortChannel Cisco MDS 9000 Family specific qos QoS Cisco MDS 9000 Family specific rdl RDL Cisco MDS 9000 Family specific rib RIB Cisco MDS 9000 Family specific rscn RSCN Cisco MDS 9000...

Page 1255: ...l page 53 4 Monitor Severity Level page 53 4 Module Logging page 53 5 Facility Severity Levels page 53 5 Log Files page 53 6 System Message Logging Servers page 53 6 vshd vshd Cisco MDS 9000 Family specific wwn WWN manager Cisco MDS 9000 Family specific xbar Xbar system messages Cisco MDS 9000 Family specific zone Zone server Cisco MDS 9000 Family specific Table 53 1 Internal Logging Facilities co...

Page 1256: ... maintained if the console baud speed is 9600 baud default All attempts to change the console logging level generates an error message To increase the logging level above critical you must change the console baud speed to 38400 baud See the Configuring Console Port Settings section on page 5 28 To configure the severity level for the console session follow these steps Monitor Severity Level When l...

Page 1257: ...splayed on the monitor switch config no logging monitor Reverts monitor logging to the factory set default severity level of 5 notifications Logging messages with a severity level of 5 or above are displayed on the console Command Purpose Step 1 switch config t switch config Enters configuration mode Step 2 switch config logging module 1 Configures module logging at level 1 alerts for all modules ...

Page 1258: ...ng Configuration Files section on page 8 5 System Message Logging Servers You can configure a maximum of three system message logging servers To send log messages to a UNIX system message logging server you must configure the system message logging daemon on a UNIX server Log in as root and follow these steps Step 1 Add the following line to the etc syslog conf file local1 debug var log myfile log...

Page 1259: ...sed on the configured facility option If no facility is specified local7 is the default outgoing facility The internal facilities are listed in Table 53 1 and the outgoing logging facilities are listed in Table 53 3 Command Purpose Step 1 switch config t switch Enters configuration mode Step 2 switch config logging server 172 22 00 00 Configures the switch to forward log messages according to the ...

Page 1260: ...iscard the changes by aborting the changes instead of committing them In either case the lock is released See Chapter 6 Using the CFS Infrastructure for more information on the CFS application To enable fabric distribution for system message logging server configurations follow these steps Table 53 3 Outgoing Logging Facilities Facility Keyword Description Standard or Cisco MDS Specific auth Autho...

Page 1261: ...f the administrator performs this task your changes to the pending database are discarded and the fabric lock is released Tip The changes are only available in the volatile directory and are subject to being discarded if the switch is restarted To use administrative privileges and release a locked system message logging session use the clear logging session command switch clear logging session Com...

Page 1262: ...Logging Information Use the show logging command to display the current system message logging configuration See Examples 53 1 to 53 10 Note When using the show logging command output is displayed only when the configured logging levels for the switch are different from the default levels Example 53 1 Displays Current System Message Logging switch show logging Logging console enabled Severity crit...

Page 1263: ... 1 alerts 2 critical 3 errors 4 warnings 5 notifications 6 information 7 debugging Feb 14 09 50 57 excal 113 TTYD 6 TTYD_MISC TTYD TTYD started Feb 14 09 50 58 excal 113 DAEMON 6 SYSTEM_MSG precision 8 usec Use the show logging nvram command to view the log messages saved in NVRAM Only log messages with a severity level of critical and below levels 0 1 and 2 are saved in NVRAM Example 53 2 Display...

Page 1264: ..._UP Interface mgmt0 is up Jul 16 21 06 58 172 22 91 204 MODULE 5 ACTIVE_SUP_OK Supervisor 5 is active Example 53 4 Displays Console Logging Status switch show logging console Logging console enabled Severity notifications Example 53 5 Displays Logging Facility switch show logging level Facility Default Severity Current Session Severity kern 6 6 user 3 3 mail 3 3 daemon 7 7 auth 0 7 syslog 3 3 lpr ...

Page 1265: ...h show logging info Logging console enabled Severity critical Logging monitor enabled Severity debugging Logging linecard enabled Severity debugging Logging server enabled 172 20 102 34 server severity debugging server facility local7 10 77 202 88 server severity debugging server facility local7 10 77 202 149 server severity debugging server facility local7 Logging logfile enabled Name messages Se...

Page 1266: ...l 3 errors 4 warnings 5 notifications 6 information 7 debugging Example 53 7 Displays Last Few Lines of a Log File switch show logging last 2 Nov 8 16 48 04 excal 113 LOG_VSHD 5 VSHD_SYSLOG_CONFIG_I Configuring console from pts 1 171 71 58 56 Nov 8 17 44 09 excal 113 LOG_VSHD 5 VSHD_SYSLOG_CONFIG_I Configuring console from pts 0 171 71 58 72 Example 53 8 Displays Switching Module Logging Status sw...

Page 1267: ...tings Table 53 4 lists the default settings for system message logging Table 53 4 Default System Message Log Settings Parameters Default System message logging to the console Enabled for messages at the critical severity level System message logging to Telnet sessions Disabled Logging file size 4194304 Log file name Message change to a name with up to 200 characters Logging server Disabled Syslog ...

Page 1268: ...t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m 53 16 Cisco MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 53 Configuring System Message Logging Default Settings ...

Page 1269: ...ges port syslog messages and RMON alert messages are added to the list of deliverable Call Home messages If required you can also use the Cisco Fabric Services application to distribute the Call Home configuration to all other switches in the fabric This chapter includes the following sections Call Home Features page 54 2 Cisco AutoNotify page 54 2 Call Home Configuration Process page 54 3 Contact...

Page 1270: ... communication with the Cisco Systems Technical Assistance Center Multiple concurrent message destinations You can configure up to 50 e mail destination addresses for each destination profile Multiple message categories including system environment switching module hardware supervisor module hardware inventory syslog RMON and test Cisco AutoNotify For those who have service contracts directly with...

Page 1271: ...er include An e mail server and at least one destination profile predefined or user defined must be configured The destination profile s used depends on whether the receiving entity is a pager e mail or automated service such as Cisco AutoNotify Switches can forward events SNMP traps informs up to 10 destinations The contact name SNMP server contact phone and street address information must be con...

Page 1272: ...t username company com Assigns the customer s e mail address Up to 128 alphanumeric characters are accepted in e mail address format Note You can use any valid e mail address You cannot use spaces Step 5 switch config callhome phone contact 1 800 123 4567 Assigns the customer s phone number Up to 20 alphanumeric characters are accepted in international format Note You cannot use spaces Be sure to ...

Page 1273: ...allhome destination profile full txt destination email addr person place com Configures an e mail address for the predefined full txt destination profile The e mail addresses in this destination profile receives messages in full txt format The full text format provides the complete detailed explanation of the failure Tip Use a standard e mail address that does not have any text size restrictions s...

Page 1274: ...le XML destination The valid range is 0 to 1 000 000 bytes and the default is 500 000 A value of 0 implies that a message of any size can be sent Command Purpose Command Purpose Step 1 switch config t Enters configuration mode Step 2 switch config callhome switch config callhome Enters the Call Home configuration submode Step 3 switch config callhome destination profile test Configures a new desti...

Page 1275: ...s switch config callhome destination profile short txt destination alert group test Optional Configures predefined short text destination profile to receive all user generated Call Home test notifications Step 4 switch config callhome destination profile test1 alert group all Optional Configures user defined destination profile test1 to receive Call Home notifications for all events switch config ...

Page 1276: ... Call Home notifications for inventory status events switch config callhome destination profile short txt destination alert group inventory Optional Configures predefined short text destination message profile to receive Call Home notifications for inventory status events Step 8 switch config callhome destination profile test1 alert group linecard hardware Optional Configures user defined destinat...

Page 1277: ...th a Call Home message level threshold Any message with a value lower that the urgency threshold is not sent The urgency level ranges from 0 lowest level of urgency to 9 highest level of urgency and the default is 0 all messages are sent Note Call Home severity levels are not the same as system message logging severity levels To set the message level for each destination profile for Call Home foll...

Page 1278: ...evel Feature section on page 54 9 Note Call Home does not change the syslog message level in the message text The syslog message texts in the Call Home log appear as they are described in the Cisco MDS 9000 Family System Messages Guide To configure the syslog group port alert group follow these steps Step 3 switch config callhome destination profile test message level 5 Optional Configures the mes...

Page 1279: ...Mail Options To configure general e mail options follow these steps Configuring SMTP Server and Ports To configure the SMTP server and port follow these steps Command Purpose Step 1 switch config t Enters configuration mode Step 2 switch config callhome switch config callhome Enters Call Home configuration submode Step 3 switch config callhome destination profile xml destination alert group rmon O...

Page 1280: ...rver 192 168 1 1 Configures the DNS IPv4 address or IPv6 address of the SMTP server to reach the server The port usage defaults to 25 if no port is specified Note The port number is optional and if required may be changed depending on the server location switch config callhome transport email smtp server 192 168 1 1 port 30 Command Purpose Command Purpose Step 1 switch config t Enters configuratio...

Page 1281: ...amily switch follow these steps Call Home Enable Function Once you have configured the contact information you must enable the Call Home function To enable the Call Home function follow these steps Call Home Configuration Distribution You can enable fabric distribution for all Cisco MDS switches in the fabric When you perform Call Home configurations and distribution is enabled that configuration ...

Page 1282: ...ow these steps To commit the Call Home configuration changes follow these steps To discard the Call Home configuration changes follow these steps Command Purpose Step 1 switch config t Enters configuration mode Step 2 switch config callhome switch config callhome Enters Call Home configuration submode Step 3 switch config callhome distribute Enables Call Home configuration distribution to all swit...

Page 1283: ...nes Be aware that the merged database contains the following information A superset of all the destination profiles from the dominant and subordinate switches take part in the merge protocol The e mail addresses and alert groups for the destination profiles Other configuration information for example message throttling periodic inventory from the switch that existed in the dominant switch before t...

Page 1284: ...te1ManhattanNewYork customer id Customer1234 contract id Cisco1234 switch priority 0 Example 54 2 Displays Information for All Destination Profiles Predefined and User Defined switch show callhome destination profile XML destination profile information maximum message size 500000 message format XML message level 0 email addresses configured alert groups configured cisco_tac test destination profil...

Page 1285: ...ddresses configured person2 company2 com Example 54 5 Displays the Short Text Profile switch show callhome destination profile profile short txt destination Short txt destination profile information maximum message size 4000 email addresses configured person2 company2 com Example 54 6 Displays the XML Destination Profile switch show callhome destination profile profile XML destination XML destinat...

Page 1286: ...l Number FG 07120011 Affected Chassis Hardware Version 0 104 Affected Chassis Software Version 3 1 1 Affected Chassis Part No 73 8607 01 end chassis information Sample Syslog Alert Notification in XML Format X Mozilla Status2 02000000 Return Path tester cisco com xml version 1 0 encoding UTF 8 standalone no DOCTYPE mml SYSTEM mml10 dtd Alert SYSLOG_ALERT mml header time 2004 09 30T06 12 36 time na...

Page 1287: ...r time 2004 10 12T04 59 13 time name RMON_ALERT name type RMON type level 2 level source MDS9000 source priority 3 priority deviceId DS C9506 C FOX0712S00H deviceId custId 0 custId contractId u contractId siteId amp siteId serverId DS C9506 C FOX0712S00H serverId header body msgDesc rlaxmina w2k07 msgDesc sysName switch186 sysName sysContact USA sysContact sysContactEmail admin yourcompany com sys...

Page 1288: ...1 lists the default Call Home settings Table 54 1 Default Call Home Settings Parameters Default Destination message size for a message sent in full text format 500 000 Destination message size for a message sent in XML format 500 000 Destination message size for a message sent in short text format 4000 DNS or IP address of the SMTP server to reach the server if no port is specified 25 Alert group ...

Page 1289: ...84 01 Cisco MDS SAN OS Release 3 x Chapter 54 Configuring Call Home Event Triggers Event Triggers This section discusses Call Home trigger events Trigger events are divided into categories with each category assigned CLI commands to execute when the event occurs The command output is included in the transmitted message Table 54 2 lists the trigger events ...

Page 1290: ...POWER_UP_DIAGNOSTICS_ FAILURE Line card hardware failed power up diagnostics 7 Line Card Hardware and CISCO_TAC PORT_FAILURE Hardware failure of interface port s 6 Line Card Hardware Supervisor Hardware and CISCO_TAC BOOTFLASH_FAILURE Failure of boot compact Flash card 6 Supervisor Hardware and CISCO_TAC NVRAM_FAILURE Hardware failure of NVRAM on Supervisor hardware 6 Supervisor Hardware and CISCO...

Page 1291: ...OT Switch is powered up and reset to a cold boot sequence 2 HARDWARE_INSERTION New piece of hardware inserted into the chassis 2 HARDWARE_REMOVAL Hardware removed from the chassis 2 Test Test and CISCO_TAC TEST User generated test 2 Port syslog Syslog group port SYSLOG_ALERT Syslog messages corresponding to the port facility 2 RMON RMON RMON_ALERT RMON alert trigger messages 2 Table 54 2 Event Tri...

Page 1292: ...pes Table 54 6 Table 54 7 and Table 54 8 display the information contained in plain text and XML messages Table 54 4 Severity and Syslog Level Mapping Call Home Level Keyword Used Syslog Level Description Catastrophic 9 Catastrophic N A Network wide catastrophic failure Disaster 8 Disaster N A Significant network impact Fatal 7 Fatal Emergency 0 System is unusable Critical 6 Critical Alert 1 Criti...

Page 1293: ...ackplane SEEPROM is a separator character Sid is C identifying the serial ID as a chassis serial number serial is the number identified by the Sid field Example DS C9509 C 12345678 mml header deviceId Customer ID Optional user configurable field used for contract info or other ID by any support service mml header customerID Contract ID Optional user configurable field used for contract info or oth...

Page 1294: ...isor module software version Top level software version mml body chassis swVersion Affected FRU name Name of the affected FRU generating the event message mml body fru name Affected FRU serial number Serial number of affected FRU mml body fru serialNo Affected FRU part number Part number of affected FRU mml body fru partNo FRU slot Slot number of FRU generating the event message mml body fru slot ...

Page 1295: ...ype Sid serial where type is the product model number from backplane SEEPROM is a separator character Sid is C identifying the serial ID as a chassis serial number serial is the number identified by the Sid field Example DS C9509 C 12345678 mml header deviceId Customer ID Optional user configurable field used for contact info or other ID by any support service mml header customerID Contract ID Opt...

Page 1296: ... chassis hwVersion Supervisor module software version Top level software version mml body chassis swVersion FRU name Name of the affected FRU generating the event message mml body fru name FRU s n Serial number of FRU mml body fru serialNo FRU part number Part number of FRU mml body fru partNo FRU slot Slot number of FRU mml body fru slot FRU hardware version Hardware version of FRU mml body fru h...

Page 1297: ...ource Device ID Unique device identifier UDI for end device generating message This field should empty if the message is non specific to a fabric switch Format type Sid serial where type is the product model number from backplane SEEPROM is a separator character Sid is C identifying the serial ID as a chassis serial number serial is the number identified by the Sid field Example DS C9509 C 1234567...

Page 1298: ...ated with this unit mml body sysStreetAddress Model name Model name of the switch This is the specific model as part of a product family name mml body chassis name Serial number Chassis serial number of the unit mml body chassis serialNo Chassis part number Top assembly number of the chassis For example 800 xxx xxxx mml body chassis partNo Command output text Output of command automatically execut...

Page 1299: ...bject This includes the switch ports xE Fx and TL ports and their attached Nx ports Platform object A set of nodes may be defined as a platform object to make it a single manageable entity These nodes are end devices host systems storage subsystems attached to the fabric Platform objects reside at the edge switches of the fabric Each object has its own set of attributes and values A null value may...

Page 1300: ...cance of FCS This section lists the significance of FCSs FCSs support network management including the following N port management application can query and obtain information about fabric elements SNMP manager can use the FCS management information base MIB to start discovery and obtain information about the fabric topology FCSs support TE and TL ports in addition to the standard F and E ports FC...

Page 1301: ...nfig fcs register platform name SamplePlatform vsan 1 switch config fcs register attrib Enters the FCS registration attributes submode switch config fcs register no platform name SamplePlatform vsan 1 switch config fcs register Deletes a registered platform Step 4 switch config fcs register attrib mgmt addr 1 1 1 1 Configures the platform management IPv4 address switch config fcs register attrib n...

Page 1302: ...ip http 172 22 92 58 eth ip Fabric Name 20 01 00 05 30 00 16 df Switch Logical Name 172 22 92 58 Switch Information List Cisco Systems DS C9509 0 20 00 00 05 30 00 Switch Ports Interface pWWN Type Attached pWWNs fc2 1 20 41 00 05 30 00 16 de TE 20 01 00 05 30 00 20 de fc2 2 20 42 00 05 30 00 16 de Unknown None fc2 17 20 51 00 05 30 00 16 de TE 20 0a 00 05 30 00 20 de FCS Local Database in VSAN 5 S...

Page 1303: ...tion for a Specific nWWN switch show fcs ie nwwn 20 01 00 05 30 00 16 df vsan 1 IE Attributes Domain Id 0x7f 127 Management Id 0xfffc7f Fabric Name 20 01 00 05 30 00 16 df Logical Name 172 22 92 58 Management Address List snmp 172 22 92 58 eth ip http 172 22 92 58 eth ip Information List Vendor Name Cisco Systems Model Name Number DS C9509 Release Code 0 Example 55 4 Displays Information for a Spe...

Page 1304: ...0 00 20 df Port WWN Type Module Type Tx Type 20 01 00 05 30 00 20 de TE_Port SFP with Serial Id Shortwave Laser 20 0a 00 05 30 00 20 de TE_Port SFP with Serial Id Shortwave Laser Total 2 switch ports in IE Example 55 7 Displays Port Information for a Specified pWWN switch show fcs port pwwn 20 51 00 05 30 00 16 de vsan 24 Port Attributes Port Type TE_Port Port Number 0x1090000 Attached Port WWNs 2...

Page 1305: ...pter 55 Configuring Fabric Configuration Servers Default Settings Example 55 9 Displays Platform Settings for Each VSAN switch show fcs vsan VSAN Plat Check fabric wide 0001 Yes 0010 No 0020 No 0021 No 0030 No Default Settings Table 55 1 lists the default FCS settings Table 55 1 Default FCS Settings Parameters Default Global checking of the platform name Disabled Platform node type Unknown ...

Page 1306: ...i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m 55 8 Cisco MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 55 Configuring Fabric Configuration Servers Default Settings ...

Page 1307: ...Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m P A R T 9 Traffic Management ...

Page 1308: ...Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m ...

Page 1309: ...ver another for example prioritizing transactional traffic over bulk traffic through bandwidth and latency differentiation This chapter provides details on the QoS and FCC features provided in all switches It includes the following sections FCC page 56 1 QoS page 56 3 Example Configuration page 56 12 Ingress Port Rate Limiting page 56 14 Default Settings page 56 14 FCC FCC reduces the congestion i...

Page 1310: ...n one of these ways It forwards the frame It limits the rate of the frame flow in the congested port The behavior of the flow control mechanism differs based on the Fibre Channel DID If the Fibre Channel DID is directly connected to one of the switch ports the input rate limit is applied to that port If the destination of the edge quench frame is a Cisco domain or the next hop is a Cisco MDS 9000 ...

Page 1311: ... standard is defined in RFCs 2474 and 2475 All switches support the following types of traffic About Control Traffic page 56 4 Enabling or Disabling Control Traffic page 56 4 Displaying Control Traffic Information page 56 4 About Data Traffic page 56 5 VSAN Versus Zone Based QoS page 56 6 Configuring Data Traffic page 56 6 QoS Initiation for Data Traffic page 56 7 About Class Map Creation page 56 ...

Page 1312: ...riority as they enter a switch in the Cisco MDS 9000 Family Enabling or Disabling Control Traffic By default the QoS feature for certain critical control traffic is enabled These critical control frames are assigned the highest absolute priority Tip We do not recommend disabling this feature as all critical control traffic is automatically assigned the lowest priority once you issue this command T...

Page 1313: ...witch 1 is marked with a high priority level of throughput classification class map and marking policy map Similarly the backup traffic is marked with a low priority level The traffic is sent to the corresponding priority queue within a virtual output queue VOQ A deficit weighted round robin DWRR scheduler configured in the first switch ensures that high priority traffic is treated better than low...

Page 1314: ...ities based on VSANs versus zones See the About Zone Based Traffic Priority section on page 23 18 for details on configuring a zone based QoS policy Configuring Data Traffic To configure QoS follow these steps Step 1 Enable the QoS feature Step 2 Create and define class maps Step 3 Define service policies Step 4 Apply the configuration Table 56 1 QoS Configuration Differences VSAN Based QoS Zone B...

Page 1315: ...on WWN Fibre Channel ID FC ID The source ID SID or the destination ID DID The possible values for mask are FFFFFF the entire FC ID is used this is the default FFFF00 only domain and area FC ID is used or FF0000 only domain FC ID is used Note An SID or DID of 0x000000 is not allowed Source interface The ingress interface Tip The order of entries to be matched within a class map is not significant C...

Page 1316: ... QoS DSCP values Command Purpose Step 1 switch config qos class map MyClass switch config cmap Creates a class map called MyClass and places you in the class map submode to match all criteria specified for this class switch config qos class map MyClass match all switch config cmap Specifies a logical AND operator for all matching statements in this class If a frame matches all default configured c...

Page 1317: ...map Creates a policy map called MyPolicy and places you in the policy map submode switch config no qos policy map OldPolicy switch config Deletes the policy map called OldPolicy and places you in the policy map submode Step 2 switch config pmap class MyClass switch config pmap c Specifies the name of a predefined class and places you at the policy map submode for that class switch config pmap no c...

Page 1318: ...ation 2 switching modules Changing the Weight in a DWRR Queue To associate a weight with a DWRR queue follow these steps Displaying Data Traffic Information The show qos commands display the current QoS settings for data traffic see Examples 56 3 to 56 11 Example 56 3 Displays the Contents of all Class Maps switch show qos class map qos class map MyClass match any match destination wwn 20 01 00 05...

Page 1319: ... match input interface fc2 1 Example 56 5 Displays All Configured Policy Maps switch show qos policy map qos policy map MyPolicy class MyClass priority medium qos policy map Policy1 class Class2 priority low Example 56 6 Displays a Specified Policy Map switch show qos policy map name MyPolicy qos policy map MyPolicy class MyClass priority medium Example 56 7 Displays Scheduled DWRR Configurations ...

Page 1320: ...ample Application for Traffic Prioritization Both the OLTP server and the backup server are accessing the disk The backup server is writing large amounts of data to the disk This data does not require specific service guarantees The volumes of data generated by the OLTP server to the disk are comparatively much lower but this traffic requires faster response because transaction processing is a low...

Page 1321: ...e policy Switch 2 config qos service policy jp1 vsan 1 Step 4 Assign the weights for the DWRR queues Switch 2 config qos dwrr q high weight 50 Switch 2 config qos dwrr q medium weight 30 Switch 2 config qos dwrr q low weight 20 Step 5 Repeat Step 1 through Step 4 on Switch 1 to address forward path congestion at both switches Congestion could occur anywhere in the example configuration To address ...

Page 1322: ... default is 100 Note Port rate limiting can only be configured on Cisco MDS 9100 Series switches Cisco MDS 9216i switches and MPS 14 2 modules This feature can only be configured if the QoS feature is enabled and if this configuration is performed on a Cisco MDS 9100 series switch Cisco MDS 9216i switch or MPS 14 2 module To configure the port rate limiting value follow these steps Default Setting...

Page 1323: ... redirected to another redundant link This chapter includes the following sections About Port Tracking page 57 1 Port Tracking page 57 2 Displaying Port Tracking Information page 57 6 Default Port Tracking Settings page 57 8 About Port Tracking Generally hosts can instantly recover from a link failure on a link that is immediately direct link connected to a switch However recovering from an indire...

Page 1324: ...annel FCIP or a Gigabit Ethernet port can be tracked Generally ports in E and TE port modes can also be Fx ports Linked ports A port whose operational state is altered based on the operational state of the tracked ports Only a Fibre Channel port can be linked Port Tracking Before configuring port tracking consider the following guidelines Verify that the tracked ports and the linked ports are on t...

Page 1325: ...king feature and configure the linked port s for the tracked port To enable port tracking follow these steps About Configuring Linked Ports You can link ports using one of two methods Operationally binding the linked port s to the tracked port default Continuing to keep the linked port down forcefully even if the tracked port has recovered from the link failure Operationally Binding a Tracked Port...

Page 1326: ...t be brought down if either 2 or 3 are still functioning as desired Figure 57 2 Traffic Recovery Using Port Tracking Tracking Multiple Ports To track multiple ports follow these steps Step 3 switch config if port track interface port channel 1 Tracks interface fc8 6 with interface port channel 1 When port channel 1 goes down interface fc8 6 is also brought down Note This link symbolizes the ISL 2 ...

Page 1327: ...n for these frequent flaps Keeping the flapping port in the down state forces the traffic to flow through the redundant path until the primary tracked port problems are resolved When the problems are resolved and the tracked port is back up you can explicitly enable the interface Tip If you configure this feature the linked port continues to remain in the shutdown state even after the tracked port...

Page 1328: ...p 5 Tracked port 5 minutes input rate 0 bits sec 0 bytes sec 0 frames sec 5 minutes output rate 0 bits sec 0 bytes sec 0 frames sec 269946 frames input 22335204 bytes 0 discards 0 errors 0 CRC 0 unknown class 0 too long 0 too short 205007 frames output 10250904 bytes 0 discards 0 errors 0 input OLS 0 LRR 0 NOS 0 loop inits 2 output OLS 2 LRR 0 NOS 1 loop inits 0 receive B2B credit remaining 0 tran...

Page 1329: ...PortChannel Interface switch show interface port channel 1 port channel 1 is down No operational members Hardware is Fibre Channel Port WWN is 24 01 00 05 30 00 0d de Admin port mode is auto trunk mode is on Port vsan is 2 Linked to 1 port s Port linked to interface fc1 1 5 minutes input rate 0 bits sec 0 bytes sec 0 frames sec 5 minutes output rate 0 bits sec 0 bytes sec 0 frames sec 0 frames inp...

Page 1330: ...e OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 57 Configuring Port Tracking Default Port Tracking Settings Default Port Tracking Settings Table 57 1 lists the default settings for port tracking parameters Table 57 1 Default Port Tracking Parameters Parameters Default Port tracking Disabled Operational binding Enabled along with port tracking ...

Page 1331: ...Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m P A R T 1 0 Troubleshooting ...

Page 1332: ...Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m ...

Page 1333: ... FC ID the N port or the NL port WWN or the device alias of the destination The frames are routed normally as long as they are forwarded through TE ports Once the frame reaches the edge of the fabric the F port or FL port connected to the end node with the given port WWN or the FC ID the frame is looped back swapping the source ID and the destination ID to the originator If the destination cannot ...

Page 1334: ...20 00 00 05 30 00 18 db 0xfffcd7 Invokes fctrace for the specified FC ID of the destination N port switch fctrace pwwn 21 00 00 e0 8b 06 d9 1d vsan 1 timeout 5 Route present for 21 00 00 e0 8b 06 d9 1d 20 00 00 0b 46 00 02 82 0xfffcd5 Timestamp Invalid 20 00 00 05 30 00 18 db 0xfffcd7 Timestamp Invalid 20 00 00 05 30 00 18 db 0xfffcd7 Invokes fctrace using the pWWN of the destination N port By def...

Page 1335: ...225 usec 28 bytes from 0xd70000 time 229 usec 28 bytes from 0xd70000 time 183 usec 10 frames sent 10 frames received 0 timeouts Round trip min avg max 165 270 730 usec Sets the number of frames to be sent using the count option The range is from 0 through 2147483647 A value of 0 pings forever switch fcping fcid 0xd500b4 vsan 1 timeout 10 28 bytes from 0xd500b4 time 1345 usec 5 frames sent 5 frames...

Page 1336: ...ysis The Cisco Fabric Analyzer is based on two popular public domain software applications libpcap See http www tcpdump org Ethereal See http www ethereal com Note The Cisco Fabric Analyzer is useful in capturing and decoding control traffic not data traffic It is suitable for control path captures and is not intended for high speed data path captures This section includes the following topics Abo...

Page 1337: ... The Cisco Fabric Analyzer consists of two separate components see Figure 58 1 Software that runs on the Cisco MDS 9000 Family switch and supports two modes of capture A text based analyzer that supports local capture and decodes captured frames A daemon that supports remote capture GUI based client that runs on a host that supports libpcap such as Windows or Linux and communicates with the remote...

Page 1338: ...n to the switch Multiple hosts can be configured to be in passive mode and multiple hosts can be connected and receive remote captures at the same time Active mode The switch initiates the connection to a configured host one host at a time Using capture filters you can limit the amount of traffic that is actually sent to the client Capture filters are specified at the client end on Ethereal not on...

Page 1339: ...zer local display filter SampleF Capturing on eth2 Displays the filtered frames switch config fcanalyzer local limit frame size 64 Capturing on eth2 switch config Limits the size of the frame capture to the first 64 bytes The allowed range is 64 to 65536 bytes switch config fcanalyzer local limit captured frames 10 Capturing on eth2 switch config Limits the number of frames captured to 10 The allo...

Page 1340: ... fcanalyzer remote 10 21 0 3 Configures the remote IPv4 address 10 21 0 3 to which the captured frames are sent switch config fcanalyzer remote 10 21 0 3 active Enables active mode passive is the default with the remote host Ethereal is assumed to be running when the capture is performed The switch tries to connect forever unless a capture stop instruction is sent from Ethereal switch config fcana...

Page 1341: ...nd to display the list of hosts configured for a remote capture See Example 58 1 Example 58 1 Displays Configured Hosts switch show fcanalyzer PassiveClient 10 21 0 3 PassiveClient 10 21 0 3 ActiveClient 10 21 0 3 DEFAULT Note The DEFAULT in the ActiveClient line indicates that the default port is used Displaying Captured Frames You can selectively view captured frames by using the display filters...

Page 1342: ...ust be saved and identified with a name Note This GUI assisted feature is part of Ethereal and you can obtain more information from http www ethereal com Examples of Display Filters Some examples of using display filters with the Fabric Analyzer local are provided in this section The brief option is used in all examples to restrict the size of the output See Example 58 2 Example 58 2 Displays Only...

Page 1343: ...76 ff fc 70 ff fc 64 SW_ILS 999 0xd34 0xb2e 0x1 0xf SW_ACC SW_RSCN 14 504025 ff fc 64 ff fc 70 FC 999 0xd34 0xb2e 0xff 0x0 Link Ctl ACK1 By excluding FSPF hellos and ACK1 you can focus on the frames of interest See Example 58 5 Example 58 5 Displays All VSAN 1 Traffic Excluding FSPF Hellos and ACK1 Frames switch config fcan lo bri dis mdshdr vsan 0x01 not swils opcode 0x14 or fc r_ctl 0xc0 Capturi...

Page 1344: ...es on zone server changes Prior knowledge of the domain controller ID is required The switch domain ID where the fcanalyzer is run is x79 the domain controller is FF FC 79 See Example 58 7 Example 58 7 Display Switch Internal Link Services SW_ILS Traffic to and from Fabric Domain Controller ff fc 79 switch config fcan lo bri dis fc type 0x22 fc d_id ff fc 79 fc s_id ff fc 79 Capturing on eth2 64 0...

Page 1345: ...are visible until you specify a completely new capture The syntax for capture filters is different from the syntax for display filters Capture filters use the Berkeley Packet Filter BPF library that is used in conjunction with the libpcap freeware The list of all valid Fibre Channel capture filter fields are provided later in this section Procedures to configure capture filters are already documen...

Page 1346: ...as fc x y where x is offset and y is length to compare o els use as els x y similar to fc o swils use as swils x y similar to fc o fcp use as fcp x y similar to fc o fcct use as fcct x y similar to fc Loop Monitoring This section includes the following topics About Loop Monitoring page 58 14 Enabling Loop Monitoring page 58 15 Verifying Loop Monitoring Configuration page 58 15 About Loop Monitorin...

Page 1347: ...mmand output is separated by line and the command precedes the output Note Explicitly set the terminal length command to 0 zero to disable auto scrolling and enable manual scrolling Use the show terminal command to view the configured the terminal size After obtaining the output of this command remember to reset your terminal length as required see the Setting the Terminal Screen Length section on...

Page 1348: ...ing purposes The output of this command can be provided to technical support representatives when reporting a problem Tip You can save the output of this command to a file by appending left arrow and the filename to the show tech support brief command see the Saving Command Output to a File section on page 2 32 Example 58 8 Displays the Condensed View of Switch Configurations vegas01 show tech sup...

Page 1349: ...efault zone deny VSAN 4092 name VSAN4092 state active interop mode default domain id 0x78 120 WWN 2f fc 00 05 30 00 84 9f Principal active zone NONE default zone deny VSAN 4093 name VSAN4093 state active interop mode default domain id 0x77 119 WWN 2f fd 00 05 30 00 84 9f Principal active zone NONE default zone deny Interface Vsan Admin Admin Status FCOT Oper Oper Port Mode Trunk Mode Speed Channel...

Page 1350: ...ending vsan show zone attribute group pending vsan show zone policy pending vsan show zone pending diff vsan show zone analysis active vsan show zone analysis vsan show zone ess vsan show zone statistics vsan show zone statistics lun zoning vsan show zone statistics read only zoning vsan Tip You can save the output of this command to a file by appending left arrow and the filename to the show tech...

Page 1351: ...nel summary show port channel internal database show port channel consistency detail Tip You can save the output of this command to a file by appending left arrow and the filename to the show tech support port channel command see the Saving Command Output to a File section on page 2 32 Example 58 10 Displays the PortChannel Configurations switch show tech support port channel cp missing destinatio...

Page 1352: ...des the output of the following commands show vsan show vsan membership show interface brief show port channel database show port channel consistency show flogi database vsan show fcdomain vsan show fcdomain domain list vsan show fcdomain address allocation vsan show fcns database vsan show fcs ie vsan show rscn statistics vsan show fspf vsan show fspf database vsan show span session show snmp sho...

Page 1353: ...wing commands show fcdomain show fcdomain domain list show fcdomain allowed show fcdomain pending diff show fcdomain address allocation show fcdomain address allocation cache show fcdomain fcid persistent show fcdomain internal event history show fcdomain internal event history fcid show fcdomain internal mem stats detail show fcdomain statistics show fcdomain internal info mts show fcdomain inter...

Page 1354: ...able the SAN Extension Tuner which is a prerequisite for enabling and using the network simulator Note As of Cisco MDS SAN OS Release 3 3 1a IP Network Simulator is supported on the Multiservice Module MSM and the Multiservice Modular Switch Note You must have a pair of Gigabit Ethernet ports dedicated for each Ethernet path requiring simulation these ports cannot provide FCIP or iSCSI functionali...

Page 1355: ... ports Simulations are applied to ingress traffic only All packets received on one Gigabit Ethernet port are sent out of the other Gigabit Ethernet port and all network configuration simulations are made with respect to the ingress Gigabit Ethernet port Figure 58 3 Network Simulator Packet Flow The network simulator tool can simulate the following network functions Network delays maximum network d...

Page 1356: ... to delay all packets entering the Gigabit Ethernet ports After configuring the delay in one direction you need to also enter the same command to introduce the delay in the opposite direction if desired You can specify the delay in either milliseconds allowable range is 0 to150 ms or microseconds allowable range is 0 to 150000 µs Command Purpose Step 1 switch config t switch config Enters configur...

Page 1357: ... netsim delay ms 50 ingress gigabitethernet 2 3 switch ips netsim delay us 50 ingress gigabitethernet 2 3 Configures the network simulator to delay all packets entering the Gigabit Ethernet port 2 3 by 50 ms Configures the network simulator to delay all packets entering the Gigabit Ethernet port 2 3 by 50 µs Step 2 switch ips netsim delay ms 50 ingress gigabitethernet 2 4 switch ips netsim delay u...

Page 1358: ...parameter then only one packet is dropped each time a decision is made to drop packets The burst limit for either random or Nth drops is between 1 and 100 packets Take the burst parameter into account when specifying the percentage of packet drops For example if you select random drops of 100 packets in 10 000 one percent with a burst size of 2 then 200 packets or two percent are dropped every 10 ...

Page 1359: ...w far back in the queue a reordered packet is placed Command Purpose Step 1 switch ips netsim drop random 100 burst 1 ingress gigabitethernet 2 3 switch ips netsim drop nth 100 burst 2 ingress gigabitethernet 2 3 Configures the network simulator to simulate random packet drops of 1 for the Gigabit Ethernet port 2 3 in one direction only The burst is one packet Configures the network simulator to d...

Page 1360: ...ckets dropped Queue size Command Purpose Step 1 switch ips netsim reorder random 50 distance 2 ingress gigabitethernet 2 3 switch ips netsim reorder nth 50 distance 2 ingress gigabitethernet 2 3 Configures the network simulator to randomly simulate packet reordering at 50 for the Gigabit Ethernet port 2 3 in one direction only The distance limit is 5 Configures the network simulator to simulate pa...

Page 1361: ...sim ingress gigabitethernet 2 4 Network Simulator Configuration for Ingress on GigabitEthernet2 4 Delay 50000 microseconds Rate 1000000 kbps Max_q 100000 bytes Max_qdelay 600000 clocks Reorder nth pkt 50 distance 2 Network Simulator Statistics for Ingress on GigabitEthernet2 4 Dropped tot 0 Dropped netsim 0 Reordered netsim 2 Max Qlen pkt 8 Qlen pkt 0 Max Qlen byte 0 Qlen byte 0 Mintxdel poll 3788...

Page 1362: ... for all the packets that are arriving on the specified Gigabit Ethernet port switch ips netsim delay ms 50 ingress gigabitethernet 2 3 switch ips netsim delay ms 50 ingress gigabitethernet 2 4 Step 5 Confirm that the delay you introduced is configured switch show ips stats netsim ingress gigabitethernet 2 3 Network Simulator Configuration for Ingress on GigabitEthernet2 3 Delay 50000 microseconds...

Page 1363: ...0 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 58 Troubleshooting Your Fabric Default Settings Local capture frame limits 10 frames FC ID allocation mode Auto mode Loop monitoring Disabled Table 58 1 Default Settings for Fabric Troubleshooting Features continued Parameters Default ...

Page 1364: ...t a t i o n c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m 58 32 Cisco MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Chapter 58 Troubleshooting Your Fabric Default Settings ...

Page 1365: ...5 Kernel Core Dumps page 59 10 Online System Health Management page 59 12 On Board Failure Logging page 59 22 Default Settings page 59 26 Displaying System Processes Use the show processes command to obtain general information about all processes see Example 59 1 to Example 59 6 Example 59 1 Displays System Processes switch show processes PID State PC Start_cnt TTY Process 868 S 2ae4f33e 1 snmpd 8...

Page 1366: ... 0 zone 1277 738 21010 35 0 0 xbar_client 1278 1159 6789 170 0 0 wwn 1279 515 67617 7 0 0 vsan Where Runtime ms CPU time the process has used expressed in milliseconds Invoked number of times the process has been invoked uSecs microseconds of CPU time on average for each process invocation 1Sec CPU utilization in percentage for the last one second Example 59 3 Displays Process Log Information swit...

Page 1367: ...4 XSS 0000002B Stack 1740 bytes ESP 7FFFF654 TOP 7FFFFD20 0x7FFFF654 00000000 00000008 00000003 08051E95 0x7FFFF664 00000005 7FFFF8CC 00000000 00000000 0x7FFFF674 7FFFF6CC 00000001 7FFFF95C 080522CD 0x7FFFF684 7FFFF9A4 00000008 7FFFFC34 2AC1F18C 4 Example 59 5 Displays All Process Log Details switch show processes log details Service snmpd Description SNMP Agent Started at Wed Jan 9 00 14 55 1980 ...

Page 1368: ... 59 8 Displays Error Information for a Specified ID switch show system error id 0x401D0019 Error Facility module Error Description Failed to stop Linecard Async Notification Example 59 9 Displays the System Reset Information switch Show system reset reason module 5 reset reason for module 5 1 At 224801 usecs after Fri Nov 21 16 36 40 2003 Reason Reset Requested by CLI command reload Service Versio...

Page 1369: ... Cisco MDS 9200 Series switch this command clears the reset reason information stored in NVRAM and volatile persistent storage in the active supervisor module Example 59 10 Displays System Uptime switch show system uptime Start Time Sun Oct 13 18 09 23 2030 Up Time 0 days 9 hours 46 minutes 26 seconds Use the show system resources command to display system related CPU and memory statistics see Exa...

Page 1370: ...e standby supervisor module slot 6 and acltcam and fib were generated on the switching module slot 8 Example 59 14 Displays Logs on the Local System switch show processes log Process PID Normal exit Stack Core Log create time ExceptionLog 2862 N Y N Wed Aug 6 15 08 34 2003 acl 2299 N Y N Tue Oct 28 02 50 01 2003 bios_daemon 2227 N Y N Mon Sep 29 15 30 51 2003 capability 2373 N Y N Tue Aug 19 13 30...

Page 1371: ...sk does not exist the switch software logs a system message each time a copy cores is attempted To copy the core and log files on demand follow this step If the core file for the specified process ID is not available you see the following response switch copy core 133 slot0 foo No core file found with pid 133 If two core files exist with the same process ID only one file is copied switch copy core...

Page 1372: ...tory Use the clear cores command to clean out the core directory The software keeps the last few cores per service and per slot and clears all other cores present on the active supervisor module switch clear cores First and Last Core The First and last core feature uses the limited system resource and retains the most important core files Generally the first core and the most recently generated co...

Page 1373: ...2 1 5 pixm 5107 Jan 29 01 33 1 5 pixm 5108 Jan 29 01 40 switch show cores vdc all VDC No Module num Process name PID Core create time 1 5 pixm 4103 Jan 29 01 30 1 5 pixm 5106 Jan 29 01 32 1 5 pixm 5107 Jan 29 01 33 1 5 pixm 5108 Jan 29 01 40 Example 59 16 Regular Service on vdc 2 on Active Supervisor Module For example there are five radius core files from vdc2 on the active supervisor module The ...

Page 1374: ...sco application that runs on Linux It creates a repository for kernel core dumps You can download the Cisco MDS 9000 System Debug Server from the Cisco com website at http www cisco com kobayashi sw center sw stornet shtml Kernel core dumps are only useful to your technical support representative The kernel core dump file which is a large binary file must be transferred to an external server that ...

Page 1375: ...isplays the External Server switch show kernel core target 10 50 5 5 Example 59 19 Displays the Core Settings for the Specified Module switch show kernel core module 5 module 5 core is enabled level is header dst_ip is 10 50 5 5 src_port is 6671 Command Purpose Step 1 switch config terminal switch config Enters configuration mode Step 2 switch config kernel core target 10 50 5 5 succeeded Configur...

Page 1376: ...reting the Current Status page 59 19 Displaying System Health page 59 20 About Online System Health Management The Online Health Management System OHMS is a hardware fault detection and recovery feature It runs on all Cisco MDS switching services and supervisor modules and ensures the general health of any switch in the Cisco MDS 9000 Family The OHMS monitors system hardware in the following ways ...

Page 1377: ...est relevant to that module You can change the default parameters of the test in each module as required System Health Initiation By default the system health feature is enabled in each switch in the Cisco MDS 9000 Family To disable or enable this feature in any switch in the Cisco MDS 9000 Family follow these steps Loopback Test Configuration Frequency Loopback tests are designed to identify hard...

Page 1378: ...em health loopback frame length command switch show system health loopback frame length Loopback frame length is set to auto size between 0 128 bytes Hardware Failure Action The failure action command controls the Cisco SAN OS software from taking any action if a hardware failure is determined while running the tests By default this feature is enabled in all switches in the Cisco MDS 9000 Family a...

Page 1379: ... the fabric Standby supervisor s arbiter availability Bootflash connectivity and accessibility on all modules EOBC connectivity and accessibility on all modules Data path integrity for each interface on all modules Management port s connectivity Caching Services Module CSM batteries for temperature age full charge capacity dis charge ability and backup capability and cache disks for connectivity a...

Page 1380: ...ollowing steps can be performed in any order Step 2 switch config system health module 8 battery charger battery charger test is not configured to run on module 8 Enables the battery charger test on both batteries in the CSM residing in slot 8 If the switch does not have a CSM in slot 8 this message is issued Step 3 switch config system health module 8 cache disk cache disk test is not configured ...

Page 1381: ...en in microseconds These tests are available for Fibre Channel IPS and iSCSI interfaces Use the EXEC level system health internal loopback command to explicitly run this test on demand when requested by the user within ports for the entire module switch system health internal loopback interface iscsi 8 1 Internal loopback test on interface iscsi8 1 was successful Sent 1 received 1 frames Round tri...

Page 1382: ... fc 3 1 destination interface fc 3 2 This will shut the requested interfaces Do you want to continue y n n y External loopback test on interface fc3 1 and interface fc3 2 was successful Sent 1 received 1 frames Use the EXEC level system health external loopback interface frame count command to run this test on demand for external devices connected to a switch that is part of a long haul network an...

Page 1383: ...override the frame length configured on the switch switch system health serdes loopback interface fc 3 1 frame length 32 This will shut the requested interfaces Do you want to continue y n n y Serdes loopback test passed for module 3 port 1 Note If the test fails to complete successfully the software analyzes the failure and prints the following error External loopback test on interface fc 3 1 fai...

Page 1384: ...Running Enabled Loopback 5 Sec Running Enabled Current health information for module 6 Test Frequency Status Action InBand 5 Sec Running Enabled Bootflash 5 Sec Running Enabled EOBC 5 Sec Running Enabled Management Port 5 Sec Running Enabled Example 59 21 Displays the Current Health of a Specified Module switch show system health module 8 Current health information for module 8 Test Frequency Stat...

Page 1385: ...g 5s 12892 12892 0 0 0 Test statistics for module 5 Test Name State Freq s Run Pass Fail CFail Errs InBand Running 5s 12911 12911 0 0 0 Bootflash Running 5s 12911 12911 0 0 0 EOBC Running 5s 12911 12911 0 0 0 Management Port Running 5s 12911 12911 0 0 0 Test statistics for module 6 Test Name State Freq s Run Pass Fail CFail Errs InBand Running 5s 12907 12907 0 0 0 Bootflash Running 5s 12907 12907 ...

Page 1386: ...nless the module specific loopback test reports errors or failures Example 59 26 Displays the Loopback Test Time Log for All Modules switch show system health statistics loopback timelog Mod Samples Min usecs Max usecs Ave usecs 1 1872 149 364 222 3 1862 415 743 549 8 1865 134 455 349 Example 59 27 Displays the Loopback Test Time Log for a Specified Module switch show system health statistics loop...

Page 1387: ...mpactFlash It also provides the mechanism to retrieve the stored data The data stored by the OBFL facility includes the following Time of initial power on Slot number of the card in the chassis Initial temperature of the card Firmware BIOS FPGA and ASIC versions Serial number of the card Stack trace for crashes CPU hog information Memory leak information Software error messages Hardware exception ...

Page 1388: ...teps Step 2 switch config hw module logging onboard Enables all OBFL features switch config hw module logging onboard cpu hog Enables the OBFL CPU hog events switch config hw module logging onboard environmental history Enables the OBFL environmental history switch config hw module logging onboard error stats Enables the OBFL error statistics switch config hw module logging onboard interrupt stats...

Page 1389: ...ch config hw module logging onboard module 1 cpu hog Enables the OBFL CPU hog events on a module switch config hw module logging onboard module 1 environmental history Enables the OBFL environmental history on a module switch config hw module logging onboard module 1 error stats Enables the OBFL error statistics on a module switch config hw module logging onboard module 1 interrupt stats Enables t...

Page 1390: ...Displays environmental history show logging onboard error stats Displays error statistics show logging onboard exception log Displays exception log information show logging onboard interrupt stats Displays interrupt statistics show logging onboard mem leak Displays memory leak information show logging onboard miscellaneous error Displays miscellaneous error information show logging onboard module ...

Page 1391: ...in a single MDS physical fabric or VSAN 56 switches per fabric1 60 switches per fabric 75 switches per fabric1 239 switches Switches in multivendor switch fabric 32 switches per VSAN 32 switches per VSAN 239 switches Domains per VSAN 56 domains per VSAN1 60 domains per VSAN 75 domains per VSAN1 239 domains FCNS entries per fabric 10K per fabric 10K per fabric 10K per fabric Device alias2 8K per fa...

Page 1392: ...c per NPV port group See Port Naming Conventions section on page 4 2 for information on port groups N A 114 114 NPV switches per NPV core switch N A 105 105 FLOGIs per line card on NPV core switch N A 400 400 ISL instances per switch3 Up to 200 ISLs each with 16 VSANs for a total of 3200 port VSAN instances You can configure more than 200 ISLs with fewer than 16 VSANs or fewer than 200 ISLs with m...

Page 1393: ...and initiator targets 6000 targets 6000 targets 6000 targets ISLB VRRP 20 per switch 20 per switch 20 per switch Event Traps forward via Email 1 destination 1 destination 1 destination 1 Certain design considerations must be met to reach this limit We recommend that you have the large fabric design validated by Cisco Advanced Services 2 Device aliases can be restricted to switches where zoning is ...

Page 1394: ... c o m m e n t s t o m d s f e e d b a ck d o c c i s c o c o m 60 4 Cisco MDS 9000 Family CLI Configuration Guide OL 16184 01 Cisco MDS SAN OS Release 3 x Appendix 60 Configuration Limits for Cisco MDS SAN OS Release 3 1 x and 3 2 x ...

Page 1395: ...ersubscription 14 26 shared resources 14 7 See also switching modules 32 port switching modules configuring BB_credits 12 33 PortChannel configuration guidelines 16 2 SPAN guidelines 52 6 See also switching modules 3DES encryption IKE 35 7 IPsec 35 6 48 port 4 Gbps switching modules bandwidth fairness 14 31 configuration guidelines 14 21 default settings 14 38 example configurations 14 10 14 37 ov...

Page 1396: ...dministrative states description 12 7 setting 12 12 administrator passwords recovering procedure 39 19 administrators default passwords 5 6 password requirements note 5 7 Advanced Encrypted Standard encryption See AES encryption advertisement packets setting time intervals 43 22 AES encryption description 31 5 IKE 35 6 IPsec 35 6 SNMP support 31 5 AES XCBC MAC IPsec 35 6 AFIDs configuring 22 16 22...

Page 1397: ... contract requirements 54 3 auto port mode description 12 6 interface configuration 12 3 autosensing speed Generation 2 switching modules 12 15 auto topology configuration guidelines 22 12 IVR 22 6 AVTs description 49 2 removing 49 8 B bandwidth fairness disabling 14 32 enabling 14 32 Generation 2 switching modules 14 31 banner message configuring 2 19 BB_credit buffers 12 port 4 Gbps switching mo...

Page 1398: ...rop mode 29 13 buffer pools Generation 2 switching modules 14 8 buffer sizes configuring in FCIP profiles 40 17 buffer to buffer credits See BB_credits buffer to buffer start change See BB_SC build fabric frames description 17 3 C Call Home alert groups 54 7 to 54 9 AutoNotify feature 54 2 CFS support 6 2 configuration distribution 54 13 configuring 54 3 to 54 15 configuring e mail options 54 11 c...

Page 1399: ... 40 configuring hold times 5 37 configuring refresh time interval globally 5 37 configuring versions 5 37 disabling globally 5 36 disabling on Gigabit Ethernet interfaces 5 36 displaying information 5 37 packet transmission interval 5 36 certificate authorities See CAs certificate revocation lists See CRLs CFS application requirements 6 5 configuring for NTP 5 23 default settings 6 17 description ...

Page 1400: ...mes 58 9 displaying filters 58 9 GUI based client 58 6 local text based capture 58 6 remote capture daemon 58 6 See also fcanalyzer Cisco Fabric Service See CFS Cisco MDS 9000 Family connecting a terminal 5 27 description 1 1 initial setup 5 2 to 5 14 starting switches 5 2 Cisco MDS 9100 Series Cisco MDS 9120 switches 1 4 Cisco MDS 9124 switches 1 4 Cisco MDS 9140 switches 1 4 description 1 4 high...

Page 1401: ...cription 10 19 displaying status 10 19 cloud discovery See iSNS cloud discovery code pages FICON text string formatting 28 19 COM1 ports configuring settings 5 29 verifying settings 5 30 command aliases defining 2 24 description 2 23 command line interface See CLI command scheduler configuring 18 2 default settings 18 11 defining jobs 18 4 deleting jobs 18 6 description 18 1 enabling 18 3 executio...

Page 1402: ... CompactFlash 59 8 core files clearing directory 59 8 copying manually 59 7 copying periodically 59 7 displaying information 59 6 saving to external devices 59 7 CRLs configuring 34 14 configuring revocation checking methods 34 9 description 34 5 downloading example 34 33 generation example 34 32 importing example 34 35 to 34 37 crossbars compatibility with Generation 1 modules 10 15 description 1...

Page 1403: ...8 description 25 7 dedicated rate mode description 14 6 migrating from shared rate mode 14 21 migrating to shared rate mode 14 21 default gateways See IPv4 default gateways default networks See IPv4 default networks defaults setting with no commands 2 10 default users description 5 3 default VSANs description 19 8 default zones configuring access permissions 23 9 configuring QoS priorities 23 19 d...

Page 1404: ...Authentication Protocol See DHCHAP Diffie Hellman protocol See DH digital certificates configuration example 34 16 to 34 19 configuring 34 5 to 34 15 default settings 34 38 deleting from CAs 34 14 description 34 1 to 34 5 exporting 34 5 34 13 generating requests for identity certificates 34 10 importing 34 5 34 13 installing identity certificates 34 11 IPsec 35 7 to 35 10 maintaining 34 13 maximum...

Page 1405: ...gs 21 13 description 21 1 displaying configurations 21 10 enabling 21 2 requirements 21 2 sample configuration 21 11 to 21 13 DPVM databases autolearned entries 21 4 clearing 21 5 comparing differences 21 9 configuring CFS distribution 21 5 to 21 8 copying 21 9 description 21 3 displaying 21 10 enabling autolearning 21 5 merging guidelines 21 8 drivers iSCSI 42 2 drop latency time configuring for ...

Page 1406: ...nterprise package licenses description 3 4 entity status inquiry See ESI EPLD images downgrading 11 16 upgrading 11 13 E port mode classes of service 12 4 description 12 4 E ports 32 port guidelines 12 2 32 port switching module configuration guidelines 16 3 configuring 12 13 40 24 fabric binding checking 38 2 FCS support 55 1 FSPF topologies 25 2 isolation 12 10 recovering from link isolations 23...

Page 1407: ... 9 deleting database 38 6 description 38 1 to 38 2 EFMD 38 1 enforcement 38 2 forceful activation 38 5 licensing requirements 38 1 port security comparison 38 1 saving configurations 38 5 verifying configuration 38 6 to 38 9 Fabric Configuration Server See FCS Fabric Configuration Servers See FCSs Fabric Device Management Interface See FDMI fabric login See FLOGI fabric loop port mode See FL port ...

Page 1408: ...rities 17 5 FC ID allocation FICON implementation 28 14 FC IDs allocating 17 2 29 10 allocating default company ID lists 29 10 allocating for FICON 28 13 allocation for HBAs 29 10 configuring fcalias members 23 10 description 17 14 persistent 17 15 to FCIP 42 1 advanced features 40 27 compatibility with DHCHAP 36 3 compression 40 36 configuring 40 7 to 40 17 to 40 18 default parameters 40 39 disca...

Page 1409: ...guring buffer size 40 17 configuring CWM 40 15 configuring keepalive timeouts 40 13 configuring maximum jitter 40 16 configuring maximum retransmissions 40 14 configuring minimum retransmit timeouts 40 13 configuring PMTUs 40 14 configuring SACKs 40 14 configuring window management 40 15 displaying 40 17 40 18 FCIP write acceleration configuring 40 29 description 40 27 displaying information 40 29...

Page 1410: ...mbership 19 8 enabling 12 12 extended BB_credits 12 34 graceful shutdown 12 12 modes 12 3 to 12 6 operational states 12 7 performance buffers 12 34 reason codes 12 8 states 12 7 taking out of service on Generation 2 switching modules 14 33 troubleshooting operational states 12 9 See also interfaces 12 7 Fibre Channel over IP See FCIP Fibre Channel Protocol See FCP Fibre Channel protocol analyzers ...

Page 1411: ...28 12 implemented addresses 28 10 installed ports 28 11 logical interfaces 28 12 numbering guidelines 28 11 PortChannel interfaces 28 12 port swapping 28 10 reserved numbering scheme 28 10 unimplemented addresses 28 10 uninstalled ports 28 11 FICON ports assigning address names 28 26 binding to FCIP interfaces 28 24 binding to PortChannels 28 24 blocking 28 24 configuring prohibiting default state...

Page 1412: ...example 40 5 frame encapsulation configuring 12 16 frames configuring MTU size 45 3 FSCN displaying databases 27 3 FSPF clearing counters 25 9 clearing VSAN counters 25 6 computing link cost 25 7 configuring globally 25 4 to 25 6 configuring Hello time intervals 25 7 configuring link cost 25 6 configuring on a VSAN 25 5 configuring on interfaces 25 6 to 25 9 dead time intervals 25 7 default settin...

Page 1413: ...ds 14 23 configuring rate modes 14 24 default settings 14 38 description 14 1 to disabling ACL adjacency sharing 14 35 displaying port resources 14 33 dynamic bandwidth management 14 6 example configurations 14 36 to 14 37 extended BB_credits 12 36 14 15 installing in Generation 1 chassis 7 40 interface capabilities 14 20 out of service interfaces 14 7 port groups 14 2 port index allocations 14 16...

Page 1414: ...40 6 Fibre Channel PortChannels 40 7 licensing 3 8 process restartability 9 4 protection against link failures 9 1 software upgrades 7 5 supervisor module switchover mechanism 9 2 switchover characteristics 9 2 synchronizing supervisor modules 9 4 VRRP 40 6 42 64 VRRPVRRP based high availability 42 64 host control FICON 28 19 host keys assigning 32 8 host names configuring for digital certificates...

Page 1415: ...efits 7 7 examples 7 12 failure cases 7 8 remote location path caution 7 16 requirements 7 5 usage 7 8 Intelligent Storage Services Fibre Channel write acceleration 48 1 to 48 4 installing SSI boot images 11 18 to 11 27 SCSI flow services 47 1 to 47 10 SCSI flow statistics 47 1 to 47 10 traffic disruption 11 20 upgrading SSI boot images 11 19 interfaces adding to PortChannels 16 11 assigning to VS...

Page 1416: ...1 to 35 35 fabric setup requirements 35 4 global lifetime values 35 29 hardware compatibility 35 4 licensing requirements 35 3 maintenance 35 28 prerequisites 35 3 RFC implementations 35 1 sample FCIP configuration 35 35 to 35 39 sample iSCSI configuration 35 39 to 35 41 terminology 35 5 transform sets 35 21 transforms for encryption 35 6 unsupported features 35 4 IP security See IPsec IPS modules...

Page 1417: ...ressing 46 11 configuring IPv4 and IPv6 addresses 46 13 configuring management interfaces 43 3 configuring neighbor discovery parameters 46 15 configuring virtual routers 43 19 default settings 46 20 description 46 1 to 46 11 displaying information 46 19 dual IPv4 and IPv6 protocol stack applications figure 46 11 dual IPv4 and IPv6 protocol stacks 46 10 dual IPv4 and IPv6 protocol stack technique ...

Page 1418: ...configuring with Fabric Manager 42 12 initiator name 42 25 IPS module support 44 2 IQNs 42 9 login redirect 42 41 LUN mapping for targets 42 73 to 42 79 MPS 14 2 module support 44 2 multiple IPS ports 42 63 PortChannel based high availability 42 65 PortChannel based high availabilityEthernet PortChannel based high availability 42 65 protocol 42 2 requests and responses 42 3 restrict an initiator t...

Page 1419: ... TCP tuning parameters 42 27 creating 42 5 creatingiSCSI creating interfaces 42 5 displaying information 42 30 SPAN sources 52 3 VSAN membership 42 18 iSCSI LUs 42 6 iSCSI protocol 42 1 iSCSI server load balancing 42 39 iSCSI Server Load Balancing See iSLB iSCSI sessions authentication 42 23 to 42 26 displaying information 42 34 iSCSI targets advertising 42 7 dynamic importing 42 6 dynamic mapping...

Page 1420: ...splaying information 42 54 enabling 42 54 verifying configuration 42 54 ISLs PortChannel links 16 1 iSMS servers enabling 42 85 iSNS CFS support 6 2 client registration 42 86 cloud discovery 42 93 42 96 configuring 42 87 configuring servers 42 84 to 42 87 description 42 79 ESI 42 85 iSNS client description 42 79 iSNS clients creating profiles 42 80 verifying configuration 42 81 iSNS cloud discover...

Page 1421: ... 3 persistent FC IDs 22 24 read only zoning 22 36 SDV limitations 20 10 service groups 22 14 to 22 16 sharing resources 22 2 terminology 22 3 transit VSAN configuration guidelines 22 18 transit VSANs 22 3 virtual domains 22 23 VSAN topologies 22 6 zone communication 22 28 zones 22 3 22 28 to 22 29 zone sets 22 3 IVR databases active 22 10 configured 22 10 merge guidelines 22 36 pending 22 10 IVR l...

Page 1422: ... 4 renaming 22 36 verifying configuration 22 32 verifying QoS configuration 22 35 IVR zone sets activating 22 32 configuring 22 29 to 22 32 deactivating 22 32 description 22 3 22 27 downgrading considerations 22 36 maximum number 22 4 renaming 22 36 verifying configuration 22 32 J jitter configuring estimated maximum in FCIP profiles 40 16 jobs assigning to a schedule 18 6 18 8 command scheduler 1...

Page 1423: ...nology 3 1 transferring between switches 3 16 uninstalling 3 13 updating 3 14 limits description table 60 1 line cards See switching modules services modules link costs configuring for FSPF 25 7 description 25 6 link failures protection against 9 1 recovering 57 1 Link Incident Records See LIRs link local addresses description 46 4 format figure 46 4 link redundancy Ethernet PortChannel aggregatio...

Page 1424: ...5 14 obtaining remote access 5 25 out of band 5 4 5 6 to 5 10 using force option during shutdown 5 26 management interfaces configuring 12 37 12 38 configuring for IPv4 43 3 configuring for IPv6 43 3 default settings 12 40 displaying information 12 39 features 12 38 See also mgmt0 interfaces maximum retransmissions configuring in FCIP profiles 40 14 McData native interop mode 29 13 MD5 authenticat...

Page 1425: ...35 FCIP 40 2 port modes 45 1 software upgrades 44 3 supported features 44 1 upgrading software 7 11 MSCHAP description 32 34 MTUs configuring frame sizes 45 3 configuring size path discovery for IPv6 46 7 multicast addresses IPv6 alternative to broadcast addresses 46 6 IPv6 format figure 46 5 IPv6 solicited node format figure 46 6 multicast root switches configuring 25 12 description 25 12 multi p...

Page 1426: ...PV mode 13 3 NTP CFS support 6 2 configuration guidelines 5 19 configuring 5 19 to 5 24 configuring CFS distribution 5 23 logging facility 53 2 time stamp option 40 21 nWWNs DPVM 21 1 Nx ports FCS support 55 1 See also N ports NL ports O OBFL configuring for modules 59 24 configuring for the switch 59 23 description 59 22 displaying configuration status 59 24 59 25 displaying logs 59 26 OHMS descr...

Page 1427: ...17 20 enabling 17 15 purging 17 19 ping commands verifying connectivity 2 15 PKI enrollment support 34 4 PLOGI name server 26 4 PMTUs configuring in FCIP profiles 40 14 port addresses FICON 28 10 PortChannel interfaces 42 7 subinterfaces 42 7 PortChannel modes description 16 8 PortChannel Protocol autocreation 16 15 configuring autocreation 16 16 converting autocreated groups to manually configure...

Page 1428: ...rate limiting configuring 56 14 default 56 14 description 56 14 hardware restrictions 56 14 port rate modes configuring 14 24 dedicated 14 6 description 14 4 oversubscribed 14 6 shared 14 6 See also rate modes ports aggregation 9 1 on demand port activation licensing 4 1 virtual E 40 2 VSAN membership 19 7 port security activating 37 5 activation 37 3 activation rejection 37 6 adding authorized pa...

Page 1429: ...elines 57 2 monitoring ports in a VSAN 57 5 multiple ports 57 4 shutting down ports forcefully 57 5 port world wide names See pWWNs power cycling modules 11 7 powering off switching modules 11 9 power supplies configuration guidelines 10 11 to 10 13 configuring modes 10 10 default state 10 21 displaying configuration 10 11 modes 8 7 power usage displaying 10 10 preshared keys RADIUS 32 10 TACACS 3...

Page 1430: ...ing server groups 32 28 configuring server monitoring parameters 32 12 default settings 32 42 description 32 8 discarding configuration distribution changes 32 32 displaying configured parameters 32 15 enabling configuration distribution 32 30 sending test messages for monitoring 32 13 setting preshared keys 32 10 specifying server at user login 32 14 specifying servers 32 8 to 32 10 specifying se...

Page 1431: ... 4 description 51 1 displaying information 51 3 enabling alarms 51 2 enabling events 51 3 events 51 1 role databases clearing distribution sessions 39 6 committing changes to fabric 39 5 disabling distribution 39 6 discarding database changes 39 5 enabling distribution 39 6 roles authentication 39 1 CFS support 6 2 configuring 39 2 configuring rules 39 2 default permissions 32 3 defaults 2 3 defau...

Page 1432: ...itoring traffic example 52 28 to 52 30 referencing explicit paths 52 28 tunnels 52 18 rules configuring 39 2 runtime checks static routes 25 10 S SACKs configuring in FCIP profiles 40 14 SAN extension package licenses description 3 5 SAN extension tuner assigning SCSI read write commands 41 5 41 7 configuring 41 2 configuring data patterns 41 8 configuring nWWNs 41 4 configuring virtual N ports 41...

Page 1433: ...ure 47 2 SCSI flow configuration clients 47 3 SCSI flow data path support 47 3 SCSI flow managers 47 2 SCSI flow statistics clearing 47 6 default settings 47 10 description 47 5 displaying 47 7 enabling 47 6 SCSI LUNs customized discovery 27 2 discovering targets 27 1 displaying information 27 2 starting discoveries 27 2 SD port mode description 12 5 interface modes 12 5 SD ports bidirectional tra...

Page 1434: ...m dedicated rate mode 14 21 migrating to dedicated rate mode 14 21 oversubscription 14 26 show commands directing output to a file 2 20 site IDs description 54 24 slot0 description 2 25 formatting 2 26 small computer system interface See SCSI SMARTnet Call Home AutoNotify registration 54 2 SMTP server address 54 11 SNMP access control 31 2 access groups 31 4 adding communities 31 7 assigning conta...

Page 1435: ...s 7 28 default settings 7 41 selecting for supervisor modules 7 2 space requirements 7 5 synchronizing 9 4 upgrade prerequisites 7 3 to 7 5 upgrading SAN OS images 7 1 variables 7 1 software upgrades automated with install all command 7 6 BIOS images 7 29 disruptive 7 5 install all command 7 5 manual dual supervisor modules 7 26 to 7 30 mechanisms 7 5 nondisruptive 9 1 quick 7 31 verifying status ...

Page 1436: ...rwriting 39 16 SSH sessions message logging 53 4 SSI boot images configuring with install ssi command 11 25 configuring with SSI boot variable 11 23 verifying 11 20 SSI boot variables verifying configuration 11 26 SSMs Cisco SAN OS release upgrade and downgrade considerations 11 29 default settings 11 31 features 11 18 Fibre Channel write acceleration 48 1 to 48 4 installing image for Intelligent ...

Page 1437: ...or 2 modules description 1 2 Generation 1 chassis 7 40 migrating from Supervisor 1 modules 7 32 to 7 40 modem initialization strings 5 32 select software images 7 2 USB ports 1 2 supervisor modules active state 11 5 default settings 11 31 description 1 2 11 1 displaying information 11 6 high availability 9 2 managing standby bootflash 7 40 manual switchovers 9 2 migrating to Supervisor 2 modules 7...

Page 1438: ...26 displaying 59 20 displaying status 59 20 interpreting current status 59 19 testing modules 59 15 test run requirements 59 15 system images description 7 2 selecting for supervisor modules 7 2 SYSTEM variable 7 1 system messages configuring log files 53 6 configuring logging 53 3 configuring logging servers 53 6 default settings 53 15 displaying information 53 10 to 53 15 logging server 53 1 sev...

Page 1439: ...sholds 10 16 monitoring hardware 10 15 TE port mode classes of service 12 5 description 12 5 TE ports fabric binding checking 38 2 FCS support 55 1 55 2 fctrace 58 1 FSPF topologies 25 2 interoperability 29 14 recovering from link isolations 23 14 SPAN sources 52 3 trunking restrictions 15 1 terminal parameters configuring 2 17 to 2 19 displaying settings 2 19 screen length 2 19 screen width 2 19 ...

Page 1440: ...onitoring 58 14 show tech support command 58 15 to 58 22 SSM recovery 11 28 verifying switch connectivity 58 4 trunk allowed VSAN lists description 15 4 to 15 6 trunking comparison with PortChannels 16 3 configuration guidelines 15 2 configuring modes 15 3 default settings 15 7 description 15 1 displaying information 15 6 interoperability 29 13 link state 15 3 merging traffic 15 2 restrictions 15 ...

Page 1441: ...dancy Protocol See VRRP Virtual Router Redundancy Protocolprotocols Virtual Router Redundancy 42 40 virtual routers adding 43 19 adding primary IP addresses 43 20 authentication 43 23 configuring for IPv4 43 19 configuring for IPv6 43 19 default settings 43 29 deleting 43 19 initiating 43 19 setting priorities 43 21 virtual SANs See VSANs VLANs configuring on Gigabit Ethernet subinterfaces 45 6 de...

Page 1442: ...17 iSCSI interfaces 42 18 VSAN policies default roles 39 21 licensing 39 3 modifying 39 4 VSANs advantages 19 3 allowed active 15 1 allowed list 52 4 broadcast addresses 25 12 cache contents 17 22 clocks 28 20 comparison with QoS 56 6 comparison with zones table 19 4 compatibility with DHCHAP 36 3 configuring 19 6 to configuring allowed active lists 15 6 configuring FSPF 25 4 configuring multiple ...

Page 1443: ... 15 W window management configuring in FCIP profiles 40 15 world wide names See WWNs WWNs configuring 29 8 displaying information 29 9 link initialization 29 9 port security 37 10 secondary MAC addresses 29 10 static binding 42 16 suspended connections 12 10 X XRC FICON support 28 4 Z zone attribute groups cloning 23 17 zone databases release locks 23 33 zones access control 23 8 adding to zone se...

Page 1444: ...ing 23 9 adding member zones 23 11 analyzing 23 40 cloning 23 17 configuring 23 7 to 23 10 considerations 23 5 copying 23 16 creating 23 11 default settings 23 41 displaying information 23 24 to 23 30 distributing configuration 23 13 enabling distribution 23 14 exporting 23 15 exporting databases 23 15 features 23 1 importing 23 15 importing databases 23 15 one time distribution 23 14 recovering f...

Reviews:

No comments

Related manuals for 9124 - Cisco MDS Fabric Switch

Paradyne 6512 Quick Installation preview
6512
Brand: Paradyne Pages: 2
Conrad 97 55 39 Operating Instructions preview
97 55 39
Brand: Conrad Pages: 4
Origaudio Socket2Me Quick Start Manual preview
Socket2Me
Brand: Origaudio Pages: 1
KAT VR PiSystem Installation & Use Instructions preview
PiSystem
Brand: KAT VR Pages: 2
Yealink Expansion PSTN Box CPN10 Quick Start Manual preview
Expansion PSTN Box CPN10
Brand: Yealink Pages: 8
SENAO AT53V214 User Manual preview
AT53V214
Brand: SENAO Pages: 25
Quatech Asynchronous Communications Adapter... User Manual preview
Asynchronous Communications Adapter...
Brand: Quatech Pages: 39
Hamlet XPW2UTRAVEL User Manual preview
XPW2UTRAVEL
Brand: Hamlet Pages: 2
NEC N8104-7151 Startup Manual preview
N8104-7151
Brand: NEC Pages: 7
Acard AEC-6885MLP User Manual preview
AEC-6885MLP
Brand: Acard Pages: 35
3idee hp2xi-o Assembly Instructions Manual preview
hp2xi-o
Brand: 3idee Pages: 7
National Instruments BNC-2142 Installation Manual preview
BNC-2142
Brand: National Instruments Pages: 6
Hama 49244 Operating Instructions Manual preview
49244
Brand: Hama Pages: 53
VOLTCRAFT 19 73 39 Operating Instructions preview
19 73 39
Brand: VOLTCRAFT Pages: 2
Elnec DIL32/PLCC32 ZIF-CS Manual preview
DIL32/PLCC32 ZIF-CS
Brand: Elnec Pages: 2
StarTech.com DKT3CHSD4GPD Instruction Manual preview
DKT3CHSD4GPD
Brand: StarTech.com Pages: 11
Linksys LINKSYS WMP300N Quick Installation Manual preview
LINKSYS WMP300N
Brand: Linksys Pages: 8
Belkin F5D7050ceE User Manual preview
F5D7050ceE
Brand: Belkin Pages: 25

Brands by name

Popular brands

Load more brands