manualshive.com logo in svg

HP A7533A - Brocade 4Gb SAN Switch Base, Administrator'S Manual

The HP A7533A - Brocade 4Gb SAN Switch Base is a high-performance networking solution essential for seamless data transmission in large-scale storage area networks. Stay up-to-date with the latest features and enhancements by downloading the free Release Note and User Manual from manualshive.com. Experience hassle-free connectivity with this industry-leading product.

Share
Download
background image

150 Configuring advanced security features

operations), not a Feistel network. The cipher is specified in terms of repetitions of processing steps that are 

applied to make up rounds of keyed transformations between the input plain-text and the final output of 

cipher-text. A set of reverse rounds is applied to transform cipher-text back into the original plain-text using 

the same encryption key. AES is fast in both software and hardware, is relatively easy to implement, and 

requires little memory

Null encryption

A null cipher is an ancient form of encryption where the plaintext is mixed with a large amount of 

non-cipher material. Today, it is regarded as a simple form of steganography. Null ciphers can also be 

used to hide ciphertext, as part of a more complex system. In modern cryptology, null cipher is also defined 

as choosing not to use encryption in a system where various encryption options are offered, such as for 

testing/debugging, or authentication-only communication.

IPsec policies

An IPsec policy determines the security services afforded to a packet and the treatment of a packet in the 

network. An IPsec policy allows classifying IP packets into different traffic flows and specifies the actions or 

transformations performed on IP packets on each of the traffic flows. The main components of an IPsec 

policy are: IP packet filter and selector (IP address, protocol, and port information), and transform set.

IPsec traffic selector

The traffic selector is a traffic filter that defines and identifies the traffic flow between two systems that have 

IPsec protection. IP addresses, the direction of traffic flow (inbound, outbound) and the upper layer 

protocol are used to define a filter for traffic (IP datagrams) that is protected using IPsec.

IPsec transform

transform set

 is a combination of IPsec protocols and cryptographic algorithms that are applied on the 

packet after it is matched to a selector. The transform set specifies the IPsec protocol, IPsec mode and 

action to be performed on the IP packet. It specifies the key management policy that is needed for the IPsec 

connection and the encryption and authentication algorithms to be used in security associations when IKE 

is used as the key management protocol. 
IPsec can protect either the entire IP datagram or only the upper-layer protocols. The appropriate modes 

are called 

tunnel mode

 and 

transport mode

. In tunnel mode the IP datagram is fully encapsulated by a 

new IP datagram using the IPsec protocol. In transport mode only, the payload of the IP datagram is 

handled by the IPsec protocol; it inserts the IPsec header between the IP header and the upper-layer 

protocol header.

IKE policies

When IKE is used as the key management protocol, IKE policy defines the parameters used in IKE 

negotiations needed to establish IKE SA and parameters used in negotiations to establish IPsec SAs. These 

include the authentication and encryption algorithms, and the primary authentication method, such as 

preshared keys or a certificate-based method, such as RSA signatures.

Key management

The IPsec key management supports Internet Key Exchange or Manual key/SA entry. The Internet Key 

Exchange (IKE) protocol handles key management automatically. SAs require keying material for 

authentication and encryption. The managing of keying material that SAs require is called 

key 

management

The IKE protocol solves the most prominent problem in the setup of secure communication: the 

authentication of the peers and the exchange of the symmetric keys. It then creates the security associations 

and populates the SADB.
The manual key/SA entry requires the keys to be generated and managed manually. For the selected 

authentication or encryption algorithms, the correct keys must be generated using a third party utility on 

your LINUX system. The key length is determined by the algorithm selected.
Linux IPsec-tools 0.7 provides tools for manual key entry (MKE) and automatic keyed connections. The 

LINUX 

setKey

 command can be used for manually keyed connections, which means that all parameters 

needed for the setup of the connection are provided by you. Based on which protocol, algorithm, and key 

Summary of Contents for A7533A - Brocade 4Gb SAN Switch Base

Page 1: ...HP StorageWorks Fabric OS 6 2 administrator guide Part number 5697 0016 Edition May 2009 ...

Page 2: ...ted by copyright No part of this document may be photocopied reproduced or translated into another language without the prior written consent of Hewlett Packard The information is provided as is without warranty of any kind and is subject to change without notice The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and service...

Page 3: ...the default account passwords at login 32 The Ethernet interface on your switch 33 Virtual fabrics and the Ethernet interface 33 Displaying the network interface settings 34 Static Ethernet addresses 35 Setting the static addresses for the Ethernet network interface 35 DHCP activation 35 Activating DHCP 36 Deactivating DHCP 36 IPv6 autoconfiguration 37 Setting IPv6 autoconfiguration 37 Date and ti...

Page 4: ...ity features directors and enterprise class platforms only 57 Verifying fabric connectivity 58 Verifying device connectivity 59 Displaying switches in Access Gateway mode 60 Track and control switch changes 60 Enabling the track changes feature 60 Displaying the status of the track changes feature 60 Viewing the switch status policy threshold values 61 Setting the switch status policy threshold va...

Page 5: ...otten passwords 82 The authentication model 83 Effects of using RADIUS or LDAP service on Fabric OS features 83 Setting the switch authentication mode 84 Fabric OS user accounts 85 Fabric OS users on the RADIUS server 86 Windows 2000 IAS 86 Linux FreeRadius server 86 RADIUS configuration with Admin Domains or Virtual Fabrics 87 Acceptable keys 87 RADIUS authentication 87 The RADIUS server 88 Confi...

Page 6: ...installing root certificates on Mozilla Firefox 111 Root certificates for the Java Plug in 111 Installing a root certificate to the Java Plug in 111 Summary of certificate commands 112 Telnet protocol 112 Blocking Telnet 112 Unblocking Telnet 113 Listener applications 113 Ports and applications used by switches 114 Port configuration 115 4 Configuring advanced security features 117 ACL policies ov...

Page 7: ...36 IP Filter policy enforcement 138 Adding a rule to an IP Filter policy 138 Deleting a rule to an IP Filter policy 139 Aborting a transaction associated with IP Filter 139 IP Filter policy distributions 139 IP Filter policy restrictions 139 Policy database distribution 139 Database distribution settings 140 Displaying the database distribution settings 141 Enabling local switch protection 141 Dis...

Page 8: ...61 5 Maintaining the switch configuration file 163 Configuration settings 163 Configuration file format 163 Chassis section 164 Switch section 165 Configuration file backup 165 Uploading a configuration file in interactive mode 165 Configuration file restoration 166 Restrictions 167 Configuration download without disabling a switch 168 Restoring a configuration 168 Configurations across a fabric 1...

Page 9: ...ins 194 System defined Administrative Domains 194 AD0 194 AD255 195 Admin Domains and login 195 Admin Domain member types 196 Device members 196 Switch port members 196 Switch members 197 Admin Domains and switch WWN 197 Admin Domain compatibility availability and merging 198 Firmware upgrade considerations 199 Admin Domain management for physical fabric administrators 199 Setting the default zone...

Page 10: ...age using the absolute path 225 FIPS Support 225 Public and Private Key Management 225 Updating the firmwarekey 226 The firmwareDownload Command 226 Configuring the switch for signed firmware 226 Power on Firmware Checksum Test 227 Test and restore firmware on switches 227 Testing a different firmware version on a switch 227 Test and restore firmware on enterprise class platforms 228 Testing diffe...

Page 11: ...on 256 Viewing selected zone configuration information 257 Viewing the configuration in the effective zone database 257 Clearing all zone configurations 258 Zone object maintenance 258 Copying a zone object 258 Deleting a zone object 259 Renaming a zone object 260 Zoning configuration management 260 New switch or fabric additions 260 Fabric segmentation and zoning 262 Security and zoning 262 Resol...

Page 12: ...ices 294 Disabling platform services 294 Management server database 294 Displaying the management server ACL 294 Adding a member to the ACL 295 Deleting a member from the ACL 296 Viewing the contents of the management server database 297 Clearing the management server database 298 Topology discovery 298 Displaying topology discovery status 298 Enabling topology discovery 298 Disabling topology dis...

Page 13: ...onfiguration 322 Resolving conflicts between iSCSI configurations 322 LUN masking considerations 323 iSCSI FC zoning overview 323 324 iSCSI FC zone creation 325 Creating an iSCSI FC zone 325 Zoning configuration creation 328 Creating and enabling a zoning configuration 328 iSNS client service configuration 329 Displaying iSNS client service status 329 Enabling the iSNS client service 329 Disabling...

Page 14: ...rioritization 365 17Using the FC FC routing service 367 FC FC routing service overview 367 Supported platforms for Fibre Channel routing 367 Supported configurations 367 Integrated Routing 368 Fibre Channel routing concepts 368 Proxy devices 371 Routing types 372 Phantom domains 372 Fibre Channel Network Address Translation 374 Setting up the FC FC routing service 375 Verifying the setup for FC FC...

Page 15: ...ons for FC FC routing 403 How replacing port blades affects EX_Port configuration 403 Interoperability with legacy FCR switches 403 Range of output ports 404 Displaying the range of output ports connected to the xlate domains 404 Verifying normal operation of front domain consolidation 404 18Administering advanced performance monitoring 405 Advanced Performance Monitoring overview 405 End to end p...

Page 16: ...s for ISL trunking 436 Initializing trunking on ports 437 Disabling and re enabling ports 437 Lossless Dynamic load sharing on trunk ports 437 Configuring lossless dynamic load sharing on trunk ports 438 Lossless dynamic load sharing in Virtual Fabrics 438 Example How DLS affects other Logical Switches in the fabric 438 Performance monitoring 438 Adding a monitor to an F_Port master port 439 Displ...

Page 17: ...Tape Pipelining 468 FC Fastwrite concepts 469 Platforms and OS requirements for FC Fastwrite 470 Constraints for FC Fastwrite 470 How FC Fastwrite works 470 FC Fastwrite flow configuration requirements 471 Hardware considerations for FC Fastwrite 471 Configuring and enabling FC Fastwrite 471 Example Enabling Fastwrite on a switch 472 Disabling FC Fastwrite on a blade or switch 473 Example Disablin...

Page 18: ...ng fmsmode 505 Disabling fmsmode 505 FMSmode and FICON CUP 505 Setting up FICON CUP if fmsmode is already enabled 505 The fmsmode setting 505 Setting the MIHPTO value 505 Mode register bit settings 506 Setting the mode register bits 507 Persistently enabling and disabling ports 507 Port and switch naming standards 507 FICON CUP license considerations 508 Zoning and PDCM considerations 508 Zoning a...

Page 19: ...hanging the PID format online 528 Changing the PID format offline 528 Hybrid update 529 Changing to core PID format 529 Port number to area ID conversion 530 PID format changes 530 Basic procedure for changing the PID format 531 HP UX procedure for changing the PID format 532 AIX procedure for changing the PID format 533 Swapping port area IDs 534 B Understanding legacy password behavior 537 Passw...

Page 20: ...rm Logical Fabrics 178 16 Base switches connected by an XISL 179 17 Logical ISLs connecting Logical Switches 179 18 Logical Fabric using ISLs and XISLs 180 19 Example of Logical Fabrics in multiple chassis and XISLs 189 20 Fabric with two Admin Domains 192 21 Filtered fabric views when using Admin Domains 192 22 Fabric with AD0 and AD255 195 23 Fabric showing switch and device WWNs 198 24 Filtered...

Page 21: ...g end to end monitors on a port 408 72 Proper placement of end to end performance monitors 408 73 Mask positions for end to end monitors 410 74 Distribution of traffic over ISL Trunking groups 435 75 Switch in Access Gateway mode without F_Port trunking 445 76 Switch in Access Gateway mode with F_Port masterless trunking 445 77 Trunk group configuration for the HP StorageWorks 8 40 SAN Switch 449 ...

Page 22: ...abrics with matching fabric wide consistency policies 145 39 Examples of strict fabric merges 145 40 Fabric merges with tolerant absent combinations 146 41 Algorithms and associated authentication policies 148 42 Zeroization Behavior 154 43 FIPS mode restrictions 156 44 FIPS and non FIPS modes of operation 156 45 Active Directory Keys to modify 158 46 CLI commands to display or modify switch confi...

Page 23: ...bre Channel data frames 424 82 Buffer Credits 427 83 Supported Distances 428 84 long distance mode definitions 441 85 Trunking support for HP StorageWorks SAN Switch 4 32 and HP StorageWorks 4 64 SAN Switch Condor ASIC 444 86 Trunking over distance for the HP StorageWorks 4 256 SAN Director with supported blades 444 87 F_Port masterless trunking considerations 446 88 PWWN format for F_Port and N_P...

Page 24: ...24 ...

Page 25: ...Series Multi Protocol MP Router blade FC4 48 Blade HP StorageWorks 4 48 SAN Director 48 Port 4GB FC blade FC4 16IP Blade HP StorageWorks iSCSI Director Blade compatible with HP StorageWorks 4 256 SAN Director only Brocade 7500 HP StorageWorks 400 Multi Protocol MP Router Brocade 4012 Brocade 4Gb SAN Switch for HP p Class BladeSystem Brocade 4024 Brocade 4Gb SAN Switch for HP c Class BladeSystem Br...

Page 26: ...rm or death Brocade 5410 HP StorageWorksEVA4400 Embedded Switch Module 8Gb Brocade Brocade 5480 8Gb SAN Switch for HP BladeSystem c Class Table 1 Switch model naming matrix Brocade product name Equivalent HP StorageWorks B Series product name Table 2 Document conventions Convention Element Blue text Table 1 Cross reference links and e mail addresses Blue underlined text http www hp com Website add...

Page 27: ...ort For worldwide technical support information see the HP support website http www hp com support Before contacting HP collect the following information Product model names and numbers Technical support registration number if applicable Product serial numbers Error messages Operating system type and revision level Detailed questions Customer self repair HP customer self repair CSR programs allow ...

Page 28: ...roduct enhancements new driver versions firmware updates and other product resources HP websites For additional product information see the following HP websites http www hp com http www hp com go storage http www hp com support manuals Documentation feedback HP welcomes your feedback To make comments and suggestions about product documentation please send a message to storagedocs feedback hp com ...

Page 29: ...is document In some cases earlier releases are highlighted to present considerations for interoperating with them The hardware reference manuals describe how to power up devices and set their IP addresses After the IP address is set you can use the CLI procedures contained in this guide For additional information about the commands used in the procedures see online help or the Fabric OS Command Re...

Page 30: ...elnet sessions per switch to two For more details on session limits see Telnet protocol on page 1 12 and Chapter 2 Managing user accounts on page 67 Connecting to Fabric OS using Telnet 1 Connect to the switch that is appropriate for your fabric If Virtual Fabrics is enabled log in using an admin account assigned the chassis role permission If Virtual Fabrics is not enabled log in using an account...

Page 31: ...rompt tip dev ttyb 9600 If ttyb is already in use use ttya instead and enter the following string at the prompt tip dev ttya 9600 Password modification The switch automatically prompts you to change the default account passwords after logging in for the first time If you do not change the passwords the switch prompts you after each subsequent login until all the default passwords have been changed...

Page 32: ...ugh the root and factory accounts are not meant for general use change their passwords if prompted to do so and save the passwords in case they are needed for recovery purposes Changing the default account passwords at login 1 Connect to the switch and log in using the default administrative account 2 At each of the Enter new password prompts either enter a new password or skip the prompt Table 3 ...

Page 33: ...network interface provides management access including direct access to the Fabric OS CLI and allows other tools such as Web Tools to interact with the switch You can continue to use a static Ethernet addressing system or allow the DHCP client to automatically acquire Ethernet addresses Configure the Ethernet interface IP subnet mask and gateway addresses in one of the following sections Static Et...

Page 34: ...7 eth0 11 1 2 4 24 Gateway 11 1 2 1 Backplane IP address of CP0 10 0 0 5 Backplane IP address of CP1 10 0 0 6 IPv6 Autoconfiguration Enabled Yes Local IPv6 Addresses sw 0 stateless fd00 60 69bc 70 260 69ff fe00 2 64 preferred sw 0 stateless fec0 60 69bc 70 260 69ff fe00 2 64 preferred cp 0 stateless fd00 60 69bc 70 260 69ff fe00 197 64 preferred cp 0 stateless fec0 60 69bc 70 260 69ff fe00 197 64 ...

Page 35: ...55 0 Fibre Channel IP Address 220 220 220 2 Fibre Channel Subnetmask 255 255 0 0 Gateway IP Address 192 168 74 1 DHCP OFF off or to set an IPv6 address on a switch switch admin ipaddrset ipv6 add 1080 8 800 200C 417A 64 IP address is being changed Done or to set an IP address for a Virtual Fabric in non interactive mode switch admin ipaddrset vf 123 add 11 1 2 4 24 3 Enter the network information ...

Page 36: ...g in using an account assigned to the admin role 2 Enter the ipAddrSet command 3 If already set up skip the Ethernet IP address Ethernet subnet mask Fibre Channel IP address and subnet mask prompts by pressing Enter 4 When you are prompted for DHCP Off enable it by entering on switch admin ipaddrset Ethernet IP Address 192 168 74 102 Ethernet Subnetmask 255 255 255 0 Fibre Channel IP Address 220 2...

Page 37: ...ge of a link local address for each managed entity though a link local address continues to be generated for each nonchassis based platform and for each CP of a chassis based platform because those link local addresses are required for router discovery The enabled or disabled state of autoconfiguration is independent of whether any static IPv6 addresses have been configured Setting IPv6 autoconfig...

Page 38: ...ee Firmware download process overview on page 213 for time zone downgrading considerations When you set the time zone for a switch you can perform the following tasks Display all of the time zones supported in the firmware Set the time zone based on a country and city combination or based on a time zone ID such as PST The time zone setting has the following characteristics Users can view the time ...

Page 39: ...rent HP recommends that the principal or primary FCS switch has its time synchronized with at least one external NTP server The other switches in the fabric take their time from the principal or primary FCS switch as described in Synchronizing the local time with an external source on page 40 All switches in the fabric maintain the current clock server value in non volatile memory By default this ...

Page 40: ...value on the principal or primary FCS switch are propagated to all switches in the fabric Switch names Switches can be identified by IP address Domain ID World Wide Name WWN or by customized switch names that are unique and meaningful Switch names can be from 1 to 30 characters long The HP StorageWorks DC SAN Backbone Director and HP StorageWorks DC04 SAN Director Switch naming convention is 1 to ...

Page 41: ...bled and that domain ID conflicts with another switch in the fabric the conflict is automatically resolved if the other switch s Domain ID is not persistently set The process can take several seconds during which time traffic is delayed If both switches have their Domain IDs persistently set one of them must have its Domain ID changed to a Domain ID not used within the fabric The default domain ID...

Page 42: ...ras050 55 fffc37 10 00 00 05 1e 90 50 51 10 32 220 55 0 0 0 0 ras055 60 fffc3c 10 00 00 60 69 12 32 76 10 32 220 60 0 0 0 0 ras060 70 fffc46 10 00 00 05 1e 40 7a 5c 10 32 220 70 0 0 0 0 ras070 75 fffc4b 10 00 00 05 1e 53 00 c0 10 32 220 75 0 0 0 0 ras075 80 fffc50 10 00 00 60 69 e4 00 3c 10 32 220 80 0 0 0 0 ras080 85 fffc55 10 00 00 05 1e 07 74 d5 10 32 220 85 0 0 0 0 ras085 fec0 60 69bc 63 205 1...

Page 43: ...Version upgrade For example a zoning license that is for Fabric OS version 6 0 0 is added You can add another zoning license with a version later than 5 2 0 without removing the zoning license for Fabric OS 5 2 0 Upgrading is allowed but downgrading is not supported If a license is not version based it is valid for all versions of the feature Table 4 lists the licenses that must be installed on th...

Page 44: ...quired n a Long distance Extended Fabrics Local and attached switches License is needed on both sides of connection NPIV No license required n a OpenSSH public key No license required n a Performance monitoring Basic features no Advanced features yes Advance Performance Monitoring Local switch Port fencing Fabric Watch Local switch Ports Ports on demand licenses This license applies to a select se...

Page 45: ... individual port on the switch or the switchDisable and switchEnable commands must be entered on the switch to enable the 8 Gb s functionality When you remove the 8G license the ports which are online and already running at 8 Gb s are not disturbed until the port goes offline or the switch is rebooted The switch ports return to their pre licensed state maximum speed of 4 Gb s Speed 8 Gb s license ...

Page 46: ... 6 0 0 or earlier upon HA failover the time based license is no longer supported on the director or enterprise class platform You do not have access to the time based licensed feature until the CPs have Fabric OS 6 1 0 or later If both CPs have Fabric OS 6 1 0 or later there will be no change to the time based licenses or their associated features Firmware upgrade and downgrade consideration When ...

Page 47: ...itch admin licenseadd key For the HP StorageWorks 4 256 SAN Director and the HP StorageWorks DC SAN Backbone Director and HP StorageWorks DC04 SAN Director Switch enterprise class platforms licenses are effective on both CP blades but are valid only when the CP blade is inserted into an enterprise class platform that has an appropriate license ID stored in the WWN card If a CP is moved from one en...

Page 48: ...g FC license DataFort Compatibility license Server Application Optimization license Removing a licensed feature 1 Connect to the switch and log in using an account assigned to the admin role 2 Enter the licenseShow command to display the active licenses 3 Remove the license key using the licenseRemove command switch admin licenseremove key The license key is case sensitive and must be entered exac...

Page 49: ...of 80 ports by purchasing and installing the Ports on Demand optional licensed product Table 5 shows the ports that are enabled by default and the ports that can be enabled after you install the first and second Ports on Demand licenses for each switch type Ports on Demand is ready to be unlocked in the switch firmware Its license key may be part of the licensed paperpack supplied with switch soft...

Page 50: ...namic POD feature automatically assigns POD licenses from a pool of available licenses based on the server blade installation The Dynamic POD feature detects and assigns ports to a POD license only if the server blade is installed with an HBA present A server blade that does not have a functioning HBA is treated as an inactive link during initial POD port assignment The Dynamic POD feature assigns...

Page 51: ...Gb SAN Switch for HP BladeSystem c Class switch modules only 1 Connect to the switch and log in using an account assigned to the admin role 2 Enter the licensePort method command with the dynamic option to change the license assignment method to dynamic switch admin licenseport method dynamic The POD method has been changed to dynamic Please reboot the switch now for this change to take effect 3 E...

Page 52: ...e assigned to installed licenses 12 ports are assigned to the base switch license 12 ports are assigned to the full POD license Ports assigned to the base switch license 1 2 3 4 5 6 7 8 17 18 19 20 Ports assigned to the full POD license 0 9 10 11 12 13 14 15 16 21 22 23 POD license management This section explains how to allocate licenses by reserving and releasing POD assignments to specific port...

Page 53: ... POD license You must disable the port first by entering the command portDisable port num 4 Enter the licensePort release command to remove the port from the POD license switch admin licenseport release 0 5 Enter the licensePort show command to verify that there is an available port reservation switch admin licenseport show 24 ports are available in this switch Full POD license is installed Dynami...

Page 54: ... assigned to the full POD license Ports assigned to the base switch license 1 2 3 4 5 6 8 21 22 23 Ports assigned to the full POD license None Ports not assigned to a license 0 7 9 10 11 12 13 14 15 16 17 18 19 20 switch admin 6 Enter the switchEnable command to bring the switch back online 7 Enter the switchShow command to verify that the switch state is now online Switch activation and deactivat...

Page 55: ...ling a port 1 Connect to the switch and log in using an account assigned to the admin role 2 Enter the portEnable command that is appropriate for your hardware mo8el HP StorageWorks 4 8 and 4 16 SAN Switch HP StorageWorks 8 8 amd 8 24 SAN Switch HP StorageWorks SAN Switch 2 8V HP StorageWorks SAN Switch 2 16V HP StorageWorks SAN Switch 2 32 Brocade 4Gb SAN Switch for HP p Class BladeSystem Brocade...

Page 56: ...e information on extended ISL modes which enable longer distance interswitch links see Chapter 19 Administering extended fabrics on page 423 Gateway links A gateway merges SANs into a single fabric by establishing point to point E_Port connectivity between two Fibre Channel switches that are separated by a network with a protocol such as IP or SONET Except for link initialization gateways are tran...

Page 57: ...s required specify 1 to enable ISL R_RDY mode gateway link or specify 0 to disable it In the following example slot 2 port 3 is enabled for a gateway link switch admin portcfgislmode 2 3 1 Committing configuration done ISL R_RDY Mode is enabled for port 3 Please make sure the PID formats are consistent across the entire fabric switch admin 4 Repeat steps 1 through 3 for any additional ports that w...

Page 58: ... ENABLED 8 CORE BLADE 52 CORE8 ENABLED 9 SW BLADE 37 FC8 16 ENABLED 10 AP BLADE 43 FS8 18 ENABLED 11 SW BLADE 55 FC8 32 ENABLED 12 AP BLADE 24 FR4 18i ENABLED DCX 4S FID128 root slotshow m Slot Blade Type ID Model Name Status 1 AP BLADE 43 FS8 18 ENABLED 2 SW BLADE 51 FC8 48 ENABLED 3 CORE BLADE 46 CR4S 8 ENABLED 4 CP BLADE 50 CP8 ENABLED 5 CP BLADE 50 CP8 ENABLED 6 CORE BLADE 46 CR4S 8 ENABLED 7 ...

Page 59: ...055 60 fffc3c 10 00 00 60 69 12 32 76 10 32 220 60 0 0 0 0 ras060 70 fffc46 10 00 00 05 1e 40 7a 5c 10 32 220 70 0 0 0 0 ras070 75 fffc4b 10 00 00 05 1e 53 00 c0 10 32 220 75 0 0 0 0 ras075 80 fffc50 10 00 00 60 69 e4 00 3c 10 32 220 80 0 0 0 0 ras080 85 fffc55 10 00 00 05 1e 07 74 d5 10 32 220 85 0 0 0 0 ras085 fec0 60 69bc 63 205 1eff fe77 4d5 90 fffc5a 10 00 00 05 1e 00 00 35 10 32 220 90 0 0 0...

Page 60: ...e errDump or errShow command to view the log Items in the log created from the Track changes feature are labeled TRCK Trackable changes are Successful login Unsuccessful login Logout Configuration file change from task Track changes on Track changes off An SNMP TRAP mode can also be enabled see the trackChangesHelp command in the Fabric OS Command Reference Enabling the track changes feature 1 Con...

Page 61: ...ange an error message is logged and an SNMP connUnitStatusChange trap is sent The output is similar to the following switch admin switchstatuspolicyshow The current overall switch status policy parameters Down Marginal PowerSupplies 3 0 Temperatures 2 1 Fans 2 1 WWN 0 1 CP 0 1 Blade 0 1 Flash 0 1 MarginalPorts 2 1 FaultyPorts 2 1 MissingSFPs 0 0 Setting the switch status policy threshold values 1 ...

Page 62: ...OWN status 0 32 2 0 MarginalPorts contributing to MARGINAL status 0 32 1 0 FaultyPorts contributing to DOWN status 0 32 2 0 FaultyPorts contributing to MARGINAL status 0 32 1 0 MissingSFPs contributing to DOWN status 0 32 0 0 MissingSFPs contributing to MARGINAL status 0 32 0 0 Policy parameter set has been changed For the HP StorageWorks 4 256 SAN Director HP StorageWorks DC SAN Backbone Director...

Page 63: ...r name IP address or user interface is not transported an audit message is logged by adding the message None to each of the respective fields For High Availability the audit event logs exist independently on both active and standby CPs The configuration changes that occur on the active CP are propagated to the standby CP and take effect Audit log configuration is updated through a configuration do...

Page 64: ... a network connection between the switch and the remote host 4 Check the host SYSLOG configuration If all error levels are not configured you may not see some of the audit messages Configuring an audit log for specific event classes See the Fabric OS Command Reference for more information about the auditCfg command and command syntax 1 Connect to the switch from which you wish to generate an audit...

Page 65: ...wn as a graceful shutdown Cold boots see shutting down the appliance by suddenly shutting down power and then turning it back on also known as a hard boot Powering off a switch 1 Connect to the switch and log in using an account assigned to the admin role 2 Enter the sysShutdown command 3 At the prompt enter y switch admin sysshutdown This command will shutdown the operating systems on your switch...

Page 66: ...RASlog and no further attempts are made to restart the daemon Schedule downtime and reboot the switch at your convenience The following table lists the daemons that are considered non critical and are automatically restarted on failure Table 7 Daemons that are automatically restarted Daemon Description arrd Asynchronous Response Router used to send management data to hosts when the switch is acces...

Page 67: ...ns on page 191 For more information about Virtual Fabrics see Chapter 6 Managing virtual fabrics on page 173 Fabric OS provides three options for authenticating users remote RADIUS services remote LDAP service and the local switch user database All options allow users to be centrally managed using the following methods Remote RADIUS server Users are managed in a remote RADIUS server All switches i...

Page 68: ...mands Chassis role permission 6 2 0 Chassis specific configuration A role permission applied only to the user account through the userConfig command FabricAdmin 5 2 0 and later Fabric and switch administration All switch and fabric commands excluding user management and Admin Domains commands Operator 5 2 0 and later General switch administration Routine switch maintenance commands SecurityAdmin 5...

Page 69: ... N Chassis Management2 OM O OM N N N O N Configuration Management OM O O O O O N O Data Migration Manager OM N N N N N N N Debug N N N N N N N N Diagnostics OM O OM OM N OM O N Ethernet Configuration OM O OM O N OM O N Fabric OM O OM O O O O O Fabric Distribution OM N OM N OM N N N Fabric Routing OM O OM O N O O O Fabric Watch OM O OM OM N OM O N FICON OM O OM OM N OM O N Firmware Management OM O ...

Page 70: ... Device OM O OM OM N OM O N Statistics Port OM O OM OM N OM O N Switch Configuration OM O OM OM OM OM O N Switch Management OM O OM OM O OM O O Switch Management IP Configuration OM O OM OM OM OM O N Switch Port Configuration OM OM OM OM N OM O N Switch Port Management OM OM OM OM O OM O O Topology OM O OM O N O O N User Management OM N N N OM N N N WWN Card OM N OM OM N OM O N Zoning OM O OM O O ...

Page 71: ...mation 1 Connect to the switch and log in using an account assigned to the admin role 2 Enter the appropriate show operands for the account information you want to display Enter userConfig show a to show all account information for a Logical Switch Enter userConfig show username to show account information for the specified account Enter userConfig showad a adminDomain_ID to show all accounts perm...

Page 72: ...or Administrative Domain If no Virtual Fabric or Administrative Domain is specified the lowest number Virtual Fabric or Administrative Domain in the list is assigned l logicalFabric_ID_list Optional Specifies which Logical Fabrics the user may access if no Logical Fabrics are listed the user is automatically assigned to LF128 or the lowest Logical Fabric they belong to Use comma separated lists ra...

Page 73: ...ecure mode in secure mode you can also use NonfcsAdmin h logicalFabric_ID or adminDomain_ID Optional Specifies either the home Logical Fabric or Administrative Domain If no Logical Fabric or Administrative Domain is specified the lowest numbered Logical Fabric or Administrative Domain in the list is assigned l logicalFabric_ID_list Optional Specifies which Logical Fabric the user may access if no ...

Page 74: ... of the account for which the password is being changed 3 Enter the requested information at the prompts Local account database distribution Distributing the local switch user database and passwords to other switches in the fabric causes the distributed database to replace overwrite the database on the target switch The Locked status of a user account is not distributed as part of local user datab...

Page 75: ...d across CPs and remain unchanged after an HA failover Password policies can also be manually distributed across the fabric see Local account database distribution on page 74 The following is a list of the configurable password policies Password strength Password history Password expiration Account lockout All password policies are enforced during logins to the standby CP However you may observe t...

Page 76: ...ns the sequence ABC A password of passABword would be allowed because it contains no sequential character sequence exceeding two characters The range of allowed values is 1 40 The default value is 1 The following example shows a password strength policy that requires passwords to contain at least 3 uppercase characters 4 lowercase characters and 2 numeric digits the minimum length of the password ...

Page 77: ... users who have not changed their password will have their password expiration period set to the maximum password expiration period You must explicitly define the password expiration for users who have not performed a password change subsequent to the upgrade IMPORTANT You cannot upgrade your switch from Fabric OS 5 3 0 directly to 6 2 0 You first have to upgrade to 6 0 0 then to 6 1 0 and then to...

Page 78: ...in role 2 Enter the following command passwdCfg enableadminlockout The policy is now enabled Unlocking an account 1 Log in to the switch using an account that is an Admin role or securityAdmin role 2 Enter the following command userConfig change account_name u where account_name is the name of the user account that is locked out The account is now unlocked Disabling the admin lockout policy 1 Log ...

Page 79: ...nstructions 1 Connect to the serial port interface as described in Connecting to Fabric OS through the serial port on page 31 2 Reboot the switch 3 Press ESC within four seconds after the message Press escape within 4 seconds is displayed The following options are available 4 Enter 2 If no password was previously set the following message is displayed Recovery password is NOT set Please set it now...

Page 80: ... password recovery afHTpyLsDo1Pz0Pk5GzhIw Enter the supplied recovery password Recovery Password 6 Enter the recovery password string The recovery string must be between 8 and 40 alphanumeric characters HP recommends a random string of 15 characters or longer for higher security The firmware prompts for this password only once It is not necessary to remember the recovery string because it is displ...

Page 81: ...escribed in Connecting to Fabric OS through the serial port on page 31 2 Reboot the switch by entering the reboot command 3 Press ESC within four seconds after the message Press escape within 4 seconds is displayed The following options are available 4 Enter 3 5 At the shell prompt enter the passwd command NOTE The passwd command applies only to the boot PROM password when it is entered from the b...

Page 82: ... by entering the haFailover command Traffic resumes flowing through the newly active CP blade after it has finshed rebooting 12 Connect the serial cable to the serial port on the new standby CP blade previously the active CP blade 13 Repeat step 3 through step 10 for the new standby CP blade 14 Connect to the active CP blade by serial or Telnet and enter the haEnable command to restore high availa...

Page 83: ...hrough an SSH connection so that the shared secret is protected Multiple login sessions can configure simultaneously and the last session to apply a change leaves its configuration in effect After a configuration is applied it persists after a reboot or an HA failover To enable LDAP service you will need to install a certificate on the Microsoft Active Directory server The configuration applies to...

Page 84: ...radius local Authenticates management connections against any RADIUS databases first If RADIUS fails for any reason authenticates against the local user database not supported not supported authspec radius local backup Authenticates management connections against any RADIUS databases If RADIUS fails because the service is not available it then authenticates against the local user database The back...

Page 85: ...in UTC and in MM DD YYYY format The password warning value specifies the number of days prior to the password expiration that a warning of password expiration notifies the user You either specify both attributes or none If you specify a single attribute or there is a syntax error in the attributes the password expiration warning will not be displayed If your RADIUS server maintains its own passwor...

Page 86: ...dows 2000 VSA configuration Linux FreeRadius server For the configuration on a Linux FreeRadius server define the following in a vendor dictionary file called dictionary brocade Include the values outlined in Table 15 Vendor length 2 or higher 1 octet calculated by server including vendor type and vendor length Attribute specific data ASCII string Multiple octets maximum 253 indicating the name of...

Page 87: ...onal HomeAD key value pairs are ignored ADList is a comma separated list of Administrative Domain numbers of which this account is a member Valid numbers range from 0 to 255 inclusive A dash between two numbers specifies a range Multiple ADlist key value pairs within the same or across the different Vendor Type codes are concatenated Multiple occurrences of the same Admin Domain number are ignored...

Page 88: ...tches in these systems make sure the CP blade IP addresses are used For accessing both the active and standby CP blade and for the purpose of HA failover both of the CP blade IP addresses must be included in the RADIUS server configuration User accounts should be set up by their true network wide identity rather than by the account names created on a Fabric OS switch Along with each account name t...

Page 89: ...file in a text editor and add user names and roles for users who will be accessing the switch and authenticating RADIUS The user will log in using the role specified with Brocade Auth Role The valid roles include Root Admin SwitchAdmin ZoneAdmin SecurityAdmin BasicSwitchAdmin FabricAdmin Operator and User You must use quotation marks around password and role For example to set up an account called...

Page 90: ... www microsoft com or your Microsoft documentation Confer with your system or network administrator prior to configuration for any special needs your network environment may have Configuring RADIUS service on Windows 2000 consists of the following steps 1 Installing internet authentication service IAS For more information and instructions on installing IAS see the Microsoft Web site 2 Enabling the...

Page 91: ...vice window add additional policies for all B Series login types for which you want to use the RADIUS server After this is done you can configure the switch RSA RADIUS server Traditional password based authentication methods are based on one factor authentication where you confirm your identity using a memorized password Two factor authentication increases the security by using a second factor to ...

Page 92: ...attributes as follows vid Vendor ID 1588 type1 Vendor Type 1 len1 Vendor Length 2 Figure 2 Example of a Brocade DCT file brocade dct Brocade Dictionary See readme dct for more details on the format of this file Use the Radius specification attributes in lieu of the Brocade one radius dct MACRO Brocade VSA t s 26 vid 1588 type1 t len1 2 data s ATTRIBUTE Brocade Auth Role Brocade VSA 1 string r ATTR...

Page 93: ...ess explained later LDAP authentication is used on the local switch only and not for the entire fabric Roles for B Series specific users can be added through the Microsoft Management Console Groups created in Active Directory must correspond directly to the RBAC user roles on the switch Role assignments can be specified by including the user in the respective group A user can be assigned to multip...

Page 94: ... a group To create a group in Active Directory see www microsoft com or Microsoft documentation You will need to verify that the group has the following attributes The name of the group has to match the RBAC role The Group Type must be Security The Group Scope must be Global Assigning the group role to the user To assign the user to a group in Active Directory see www microsoft com or Microsoft do...

Page 95: ...ne Director and HP StorageWorks DC04 SAN Director Switch enterprise class platforms the switch sends its RADIUS or LDAP request using the IP address of the active CP When adding clients add both the active and standby CP IP addresses so that users can still log in to the switch in the event of a failover RADIUS or LDAP configuration is chassis based configuration data On platforms containing multi...

Page 96: ...command to enable RADIUS or LDAP using the local database switch admin aaaconfig authspec radius ldap local server Enter either a server name or IPv4 or IPv6 address Avoid duplicating server listings that is listing the same server once by name and again by IP address Up to five servers can be added to the configuration p port Optional Enter a server port The default is port 1812 s secret Optional...

Page 97: ...ct to the switch and log in using an account assigned to the admin role 2 Enter the following command switch admin aaaConfig change server p port t timeout d domain_name Changing the order in which RADIUS or LDAP servers are contacted for service 1 Connect to the switch and log in using an account assigned to the admin role 2 Enter the following command switch admin aaaConfig move server to_positi...

Page 98: ...or RADIUS switch admin aaaconfig authspec radius local backup or for LDAP switch admin aaaconfig authspec ldap local backup For details about this command see Table 13 on page 84 When local authentication is enabled and the RADIUS or LDAP servers fail to respond you can log in to the default switch accounts admin and user or any user defined account When the command succeeds the event log indicate...

Page 99: ...Fabric OS 6 2 administrator guide 99 ...

Page 100: ...100 Managing user accounts ...

Page 101: ...re HTTP connection Web Tools supports the use of hypertext transfer protocol over secure socket layer HTTPS LDAPS Lightweight Directory Access Protocol LDAP over SSL uses a certificate authority CA By default LDAP traffic is transmitted unsecured You can make LDAP traffic confidential and secure by using Secure Sockets Layer SSL Transport Layer Security TLS technology in conjunction with LDAP SCP ...

Page 102: ...18 Main security scenarios Fabric Management interfaces Comments Nonsecure Nonsecure No special setup is needed to use Telnet or HTTP Nonsecure Secure Secure protocols may be used An SSL switch certificate must be installed if HTTPS is used Secure Secure Switches running earlier Fabric OS versions can be part of the secure fabric but they do not support secure management Secure management protocol...

Page 103: ...ts and IP addresses This is used for enhanced management security in the storage area network For details on Brocade MIB files naming conventions loading instructions and information about using Brocade s SNMP agent see the Fabric OS MIB Reference You can configure SNMPv3 and SNMPv1 for the automatic transmission of SNMP information to management stations The configuration process involves configu...

Page 104: ...ame field Filtering ports Each port can belong to only one Virtual Fabric at any time An SNMP request coming to one Virtual Fabric is able to view only the port information of the ports belonging to that Virtual Fabric All port attributes are filtered to allow SNMP to obtain the port information only from within the current Virtual Fabrics context Switch and Chassis context enforcement All attribu...

Page 105: ...er rw snmpadmin3 nosec Auth Protocol MD5 1 SHA 2 noAuth 3 1 3 3 Priv Protocol DES 1 noPriv 2 2 2 2 User ro snmpuser1 Auth Protocol MD5 1 SHA 2 noAuth 3 3 3 3 Priv Protocol DES 1 noPriv 2 2 2 2 User ro snmpuser2 Auth Protocol MD5 1 SHA 2 noAuth 3 3 3 3 Priv Protocol DES 1 noPriv 2 2 2 2 User ro snmpuser3 Auth Protocol MD5 1 SHA 2 noAuth 3 3 3 3 Priv Protocol DES 1 noPriv 2 2 2 2 SNMPv3 trap recipie...

Page 106: ...rite true t false f true Access host subnet area in dot notation 0 0 0 0 Read Write true t false f true Committing configuration done Example mibCapability configuration DCX admin snmpconfig show mibcapability FE MIB YES SW MIB YES FA MIB YES FICON MIB YES HA MIB YES FCIP MIB YES ISCSI MIB NO SW TRAP YES swFCPortScn YES swEventTrap YES swFabricWatchTrap YES swTrackChangesTrap YES FA TRAP YES connU...

Page 107: ...ric OS 6 1 0 supports SSH protocol 2 0 ssh2 For more information on SSH see the SSH IETF Web site http www ietf org ids by wg secsh html For more information see SSH The Secure Shell The Definitive Guide by Daniel J Barrett Ph D Richard E Silverman and Robert G Byrnes SSH public key authentication OpenSSH public key authentication provides password less logins known as SSH authentication that uses...

Page 108: ...as admin verifying that SSH v2 is installed and working see your host s documentation as necessary and typing the following command ssh keygen t dsa If you need to generate a key pair for outgoing authentication skip steps 4 and 5 and proceed to step 6 Example RSA DSA key pair generation alloweduser mymachine ssh keygen t dsa Generating public private dsa key pair Enter file in which to save the k...

Page 109: ... kghanta sshutil exportpubkey Enter IP address 192 168 38 244 Enter remote directory auser ssh Enter login name auser Password public key out_going pub is exported successfully 8 Log in to the remote host locate the directory where authorized keys are stored and append the public key to the file You may need to see the host s documentation to locate where the authorized keys are stored 9 Test the ...

Page 110: ... encryption patch from the Microsoft Web site at http www microsoft com You should upgrade to the Java 1 6 0 Plug in on your management workstation To find the Java version that is currently running open the Java console and look at the first line of the window For more details on levels of browser and Java support see the Web Tools Administrator s Guide SSL configuration overview To configure for...

Page 111: ...enkey The system reports that this process will disable secure protocols delete any existing CSR and delete any existing certificates 3 Respond to the prompts to continue and select the key size Continue yes y no n no y Select key size 1024 or 2048 1024 Generating new rsa public private key pair Done Because CA support for the 2048 bit key size is limited you should select 1024 in most cases Gener...

Page 112: ... Locate the section that begins with BEGIN CERTIFICATE REQUEST and ends with END CERTIFICATE REQUEST 6 Copy and paste this section including the BEGIN and END lines into the area provided in the request form and then follow the instructions to complete and send the request It may take several days to receive the certificates If the certificates arrive by e mail save them to an FTP server If the CA...

Page 113: ...er the root certificate is listed For example its name may have the form nameRoot crt Take the appropriate following action based on whether you find the certificate If the certificate is listed you do not need to install it You can skip the rest of this procedure If the certificate is not listed click Import 5 Browse to the certificate location and select the certificate For example select nameRo...

Page 114: ...et is enabled by default To prevent passing clear text passwords over the network when connecting to the switch you can block the Telnet protocol using an IP Filter policy IMPORTANT Before blocking Telnet make sure you have an alternate method of establishing a connection with the switch Blocking Telnet 1 Connect to the switch and log in as admin connect through some means other than Telnet for ex...

Page 115: ...d capabilities Table 21 lists the listener applications that B Series switches either block or do not start Table 21 Blocked listener applications Listener application HP StorageWorks 4 256 SAN Director HP StorageWorks DC04 SAN Director and HP StorageWorks DC SAN Backbone Director enterprise class platforms HP StorageWorks 4 8 and 4 16 SAN Switches HP StorageWorks 8 8 and 8 24 SAN Switches Brocade...

Page 116: ...ageWorks EVA4400 embedded switch module 8Gb Brocade HP StorageWorks SAN Switch 4 32 HP StorageWorks 4 64 SAN Switch HP StorageWorks SAN Switch 4 32B HP StorageWorks 8 40 SAN Switch HP StorageWorks 8 80 SAN Switch and HP StorageWorks 400 Multi Protocol Router HP StorageWorks SAN Director 6 Port 10Gb FC blade HP StorageWorks SAN Director 48 Port 4Gb FC blade HP StorageWorks 16 Port 4Gb FC Blade HP S...

Page 117: ...ent 22 TCP SSH n a 23 TCP Telnet Use the ipfilter command to block the port 80 TCP HTTP Use the ipfilter command to block the port 1 1 1 TCP sunrpc This port is used by Platform API Use the ipfilter command to block the port 123 TCP NTP n a 161 UDP SNMP Disable the SNMP service on the remote host if you do not use it or filter incoming UDP packets going to this port 443 TCP HTTPS Use the ipfilter ...

Page 118: ...116 Configuring standard security features ...

Page 119: ...pes FCS DCC SCC and IPFilter The number of policies that may be defined is limited by the size of the database FCS SCC and DCC policies are all stored in the same database When a Fabric OS 6 2 0 switch joins the fabric containing only pre 6 0 0 switches the policy database size limit is restricted to the Fabric OS version s smallest database size Table 24 shows the Fabric OS version and its associ...

Page 120: ...ration uploads see the Chapter 5 Maintaining the switch configuration file on page 163 You can view the active and defined policy sets at any time Additionally in a defined policy set policies created in the same login session also appear but these policies are automatically deleted if the you log out without saving them NOTE All changes including the creation of new policies are saved and activat...

Page 121: ...S policy Changes made to the FCS policy are saved to permanent memory only after the changes have been saved or activated they can be aborted later if you have set your fabric to distribute the changes manually Table 26 shows the characteristics of policy states The FCS policy is designed to accommodate mixed fabric environments that contain switches with pre 5 3 0 and later versions of Fabric OS ...

Page 122: ...erations for Primary FCS enforcement FCS enforcement does not apply to pre 5 3 0 switches and they will be able to initiate all operations Overview of FCS policy management Whether your intention is to create new FCS policies or manage your current FCS policies you must follow certain steps to ensure that the domains throughout your fabric have the same policy NOTE The local switch WWN cannot be d...

Page 123: ... an FCS policy that allows a switch with domain ID 2 to become a primary FCS and domain ID 4 to become a backup FCS switch admin secpolicycreate FCS_POLICY 2 4 FCS_POLICY has been created 3 To save or activate the new policy enter either the secPolicySave or the secPolicyActivate command Once the policy has been activated you can distribute the policy NOTE FCS policy must be consistent across the ...

Page 124: ...ase The FCS policy may need to be manually distributed across the fabric using the distribute p command if there is no support for automatic distribution in a mixed environment with 5 3 0 and pre 5 3 0 switches Since this policy is distributed manually the command fddCfg fabwideset is used to distribute a fabric wide consistency policy for FCS policy in an environment consisting of only Fabric OS ...

Page 125: ...d port is automatically disabled and must be re enabled using the portEnable command Table 29 shows the possible DCC policy states Virtual Fabric considerations The DCC policies that have entries for the ports that are being moved from one Logical Switch to another will be considered stale and will not be enforced You can choose to keep Table 28 Distribution policy states Fabric OS State 5 3 0 and...

Page 126: ...owed connection are possible deviceportWWN switchWWN port or area number deviceportWWN domainID port or area number deviceportWWN switchname port or area number To create a DCC policy 1 Connect to the switch and log in using an account assigned to the admin role 2 Enter the secPolicyCreate DCC_POLICY_nnn member member command where DCC_POLICY_nnn is the name of the DCC policy nnn is a string consi...

Page 127: ...n 4 and all devices currently connected to ports 1 through 4 of switch domain 4 switch admin secpolicycreate DCC_POLICY_example 44 55 66 77 22 33 44 dd 33 44 55 66 77 11 22 cc 4 1 4 DCC_POLICY_xxx has been created Deleting a DCC policy 1 Connect to the switch and log in using an account assigned to the admin role 2 Enter the secPolicyDelete ALL_STALE_DCC_POLICY command switch admin secpolicydelete...

Page 128: ...ySave or the secPolicyActivate command If neither of these commands is entered the changes are lost when the session is logged out For more information about these commands see ACL policy modifications on page 126 ACL policy modifications You can save changes to the defined ACL policy set without activating them by entering the secPolicySave command You can implement changes to the ACL policies us...

Page 129: ...in secpolicyadd DCC_POLICY_abc 11 22 33 44 55 66 77 aa 11 22 33 44 55 66 77 bb 3 1 3 Removing a member from an ACL policy 1 Connect to the switch and log in using an account assigned to the admin role 2 Enter the secPolicyRemove policy_name member member command where policy_name is the name of the ACL policy member is the device or switch to be removed from the policy identified by IP address swi...

Page 130: ...mentation is fully backward compatible with 3 2 0 4 2 0 4 4 0 5 0 0 5 1 0 5 2 0 and 5 3 0 Use secAuthSecret to set a shared secret on the switch When configured the secret key pair is used for authentication Authentication occurs whenever there is a state change for the switch or port due to a switch reboot a switch or port disable and enable or the activation of a policy Figure 4 DH CHAP authenti...

Page 131: ...chassis therefore the logical ISL authentication is not required Since the logical ISLs do not carry actual traffic they do not need to be authenticated Authentication on re individualization is also blocked on logical ISLs The following error message is printed on the console when you execute the authUtil authinit command on logical ISLs Failed to initiate authentication Authentication is not sup...

Page 132: ...e connecting switch If the connecting switch does not support authentication or the policy is OFF the request is rejected Once the authentication negotiation succeeds the DH CHAP authentication is initiated If DH CHAP authentication fails the port is disabled and this is applicable in all modes of the policy Device authentication policy Device authentication policy can also be categorized as an HB...

Page 133: ... to a version of Fabric OS earlier than 6 2 0 the ON mode is automatically set to OFF Virtual Fabric considerations Because the device authentication policy has switch and Logical Switch based parameters each Logical Switch is set when Virtual Fabrics is enabled Authentication is enforced based on each Logical Switch s policy settings AUTH policy restrictions Fabric OS 5 1 0 implementation of DH C...

Page 134: ...NOTE If you set the authentication protocol to DH CHAP have not yet configured shared secrets and authentication is checked for example you enable the switch switch authentication fails Re authenticating E_Ports Use the command authUtil to re initiate the authentication on selected ports The command provides flexibility to initiate authentication for specified E_Ports a set of E_Ports or all E_Por...

Page 135: ...mmand to display the list of switches in the current switch s shared secret database and to set the secret key pair for the current switch and a connected switch See the for more details on the secAuthSecret command NOTE When setting a secret key pair note that you are entering the shared secrets in plain text Use a secure channel for example SSH or the serial console to connect to the switch on w...

Page 136: ...hen done 10 20 30 40 50 60 70 80 Enter peer secret hidden Re enter peer secret hidden Enter local secret hidden Re enter local secret hidden Enter WWN Domain or switch name Leave blank when done 10 20 30 40 50 60 70 81 Enter peer secret hidden Re enter peer secret hidden Enter local secret hidden Re enter local secret hidden Enter WWN Domain or switch name Leave blank when done cr Are you done yes...

Page 137: ... policy created is stored in a temporary buffer and is lost if the current command session logs out The policy name is a unique string composed of a maximum of 20 alpha numeric and underscore characters The names default_ipv4 and default_ipv6 are reserved for default IP filter policies The policy name is case insensitive and always stored as lowercase The policy type identifies the policy as an IP...

Page 138: ...policy remains in the defined configuration The policy to be activated replaces the existing active policy of the same type Activating the default IP Filter policies returns the IP management interface to its default state An IP Filter policy without any rule cannot be activated This subcommand prompts for a user confirmation before proceeding 1 Log in to the switch using an account assigned to th...

Page 139: ...le you can select port numbers only in either the well known or the registered port number range between 0 and 49151 inclusive This means that you have the ability to control how to expose the management services hosted on a switch but not the ability to affect the management traffic that is initiated from a switch A valid port number range is represented by a dash for example 7 30 Alternatively s...

Page 140: ...ken When the IPv4 or IPv6 address for the management interface of a switch is changed through the ipAddrSet command or manageability tools the active IP Filter policies automatically become enforced on the management IP interface with the changed IP address NOTE If a switch is part of a LAN behind a Network Address Translation NAT server depending on the NAT server configuration the source address...

Page 141: ...saction buffer are lost and the transaction is aborted Switches with Fabric OS 5 3 0 or later have the ability to accept or deny IP Filter policy distribution through the commands fddCfg localaccept or fddCfg localreject However automatic distribution of IP Filter policy through Fabric Wide Consistent Policy is not supported in Fabric OS 6 2 0 See Policy database distribution on page 139 for more ...

Page 142: ...ses and are configured on a per Logical Switch basis Table 34 explains how the local database distribution settings and the fabric wide consistency policy affect the local database when the switch is the target of a distribution command Database distribution settings The distribution settings control whether a switch accepts or rejects distributions of databases from other switches and whether or ...

Page 143: ...he following command fddCfg localaccept database_ID where Table 35 Supported policy databases Database type Database identifier ID Authentication policy database AUTH DCC policy database DCC FCS policy database FCS IP Filter policy database IPFILTER Password database PWD SCC policy database SCC localreject Refuse the databases distributed from other switches Cannot distribute local database manual...

Page 144: ...res that changes to local ACL policy databases are automatically distributed to other switches in the fabric When you set the fabric wide consistency policy using the fddCfg command with the fabwideset database_id option both the fabric wide consistency policy and specified database are distributed to the fabric The active policies of the specified databases overwrite the corresponding active and ...

Page 145: ...wing command fddCfg fabwideset policy_ID where policy_ID is a semicolon separated list database_setting database_setting equal to Table 37 Fabric wide consistency policy settings Setting Value When a policy is activated Absent null Database is not automatically distributed to other switches in the fabric Tolerant database_id All updated and new policies of the type specified SCC DCC or both are di...

Page 146: ...h is joined to a fabric with a strict SCC or DCC fabric wide consistency policy the joining switch must have a matching fabric wide consistency policy If the strict SCC or DCC fabric wide consistency policies do not match the switch cannot join the fabric and the neighboring E_Ports are disabled If the strict SCC and DCC fabric wide consistency policies match the corresponding SCC and DCC ACL poli...

Page 147: ...C Succeeds No ACL policies copied Tolerant None None Succeeds No ACL policies copied None SCC DCC Succeeds ACL policies are copied from B to A SCC DCC SCC DCC Succeeds If A and B policies do not match a warning is displayed and policy commands are disabled1 1 To resolve the policy conflict manually distribute the database you want to use to the switch with the mismatched database Until the conflic...

Page 148: ...rocessing them Automated Key Management Automates the process as well as manages the periodic exchange and generation of new keys Using the ipsecConfig command you must configure multiple security policies for traffic flows on the Ethernet management interfaces based on IPv4 or IPv6 addresses a range of IPv4 or IPv6 addresses the type of an application port numbers and port types used UDP TCP You ...

Page 149: ...the set of addresses behind it and packets would be sent in tunnel mode where the inner IP header would contain the IP addresses of the actual endpoints Figure 6 Gateway tunnel configuration Endpoint to Gateway Tunnel In this scenario a protected endpoint typically a portable computer connects back to its corporate network through an IPsec protected tunnel see Figure 7 It might use this tunnel to ...

Page 150: ...ocol AH or ESP destination IP address and Security Parameter Index SPI number SPI is an arbitrary 32 bit value contained in IPsec protocol headers AH or ESP and an IPsec SA is unidirectional Because most communication is peer to peer or client to server two SAs must be present to secure traffic in both directions An SA specifies the IPsec protocol AH or ESP the algorithms used for encryption and a...

Page 151: ...unction For example MD5 and SHA 1 operate on 512 bit blocks The size of the output of HMAC is the same as that of the underlying hash function 128 or 160 bits in the case of MD5 or SHA 1 respectively although it can be truncated if desired NOTE The MD5 hash algorithm is blocked when FIPS mode is enabled 3DES Triple DES 3DES or TDES is a block cipher formed from the Data Encryption Standard DES cip...

Page 152: ...de and action to be performed on the IP packet It specifies the key management policy that is needed for the IPsec connection and the encryption and authentication algorithms to be used in security associations when IKE is used as the key management protocol IPsec can protect either the entire IP datagram or only the upper layer protocols The appropriate modes are called tunnel mode and transport ...

Page 153: ... associated IPsec policy in the local policy database Manual SA entries are persistent across system reboots Creating the tunnel Each side of the tunnel must be configured in order for the tunnel to come up Once you are logged into the switch do not log off as each step requires that you be logged in to the switch IPsec configuration changes take effect upon execution and are persistent across reb...

Page 154: ...ame direction in out local IP_address prefixlength remote IP_address prefixlength transform name command The example below create a traffic selector to select outbound and inbound traffic that needs to be protected switch admin ipsecconfig add policy ips selector t SELECTOR OUT d out l 10 33 74 13 r 10 33 69 132 transform TRANSFORM01 switch admin ipsecconfig add policy ips selector t SELECTOR IN d...

Page 155: ...D7500 switch admin ipsecconfig add policy ike t IKE01 remote 10 33 69 132 id 10 33 74 13 remoteid 10 33 69 132 enc 3des_cbc hash hmac_md5 prf hmac_md5 auth psk dh modp1024 psk ipseckey psk 6 On the BRCD7500 import the pre shared key file and configure an IKE policy for remote peer BRCD300 a Import the pre shared key file e g ipseckey psk using secCertUtil import command b Create an IKE policy for ...

Page 156: ...ct sensitive information in the switch As part of FIPS 140 2 level 2 compliance passwords shared secrets and the private keys used in SSL TLS and system login need to be cleared out or zeroized Power up self tests POSTs are executed when the switch is powered on to check for the consistency of the algorithms implemented in the switch Known answer tests KATs are used to exercise various features of...

Page 157: ...ooted KATs are run on the reboot If the KATs are successful the switch enters FIPS mode If KATs fail the switch reboots until the KATs succeed If the switch cannot enter FIPS mode and continues to reboot you must access the switch in single user mode to break the reboot cycle For more information on how to fix this issue see the Fabric OS Troubleshooting and Diagnostics Guide SSH Session Key No CL...

Page 158: ...1 MD5 and SHA 1 Signed firmware Mandatory firmware signature validation Optional firmware signature validation Configupload download supports ave firmwaredownload SCP only FTP and SCP IPsec Usage of AES XCBC MD5 and DH group 0 and 1 is blocked No restrictions Radius auth protocols PEAP MSCHAPv2 CHAP PAP PEAP MSCHAPv2 Table 44 FIPS and non FIPS modes of operation FIPS mode non FIPS mode The CA who ...

Page 159: ...d Example Setting the DNS switch admin dnsconfig Enter option 1 Display Domain Name Service DNS configuration 2 Set DNS configuration 3 Remove DNS configuration 4 Quit Select an item 1 4 4 2 Enter Domain Name domain com Enter Name Server IP address in dot notation 123 123 123 123 Enter Name Server IP address in dot notation 123 123 123 124 DNS parameters saved successfully Enter option 1 Display D...

Page 160: ... certificate The CA certificate should be in any of the standard certificate formats cer crt or pem For storing and obtaining CA certificates follow the instructions earlier in this section LDAP CA certificate file names should not contain spaces when using the secCertUtil command to import and export the certificate Importing an LDAP switch certificate This option imports the LDAP CA certificate ...

Page 161: ...ate successfully Preparing the switch for FIPS The following functions are blocked in FIPS mode Therefore it is important to prepare the switch by disabling these functions prior to enabling FIPS The root account and all root only functions are not available HTTP Telnet RPC SNMP protocols need to be disabled Once these are blocked you cannot use these protocols to read or write data from and to th...

Page 162: ...wing modifications to the rule ipfilter addrule policyname rule rule_number sip source_IP dp dest_port proto protocol act deny sip option can be given as any dp option for the port numbers for Telnet HTTP and RPC are 23 80 and 898 respectively proto option should be set to tcp c Activate the IP filter policy protocol see Activating an IP Filter policy on page 136 d Save the IP filter policy protoc...

Page 163: ... enable bootprom 6 Optional Use the configure command to set switch to use non signed firmware By keeping the switch set to use signed firmware all firmware downloaded to the switch will have to be signed with a key For more information see Chapter 8 Configuring advanced security features on page 1 17 7 Disable selftests by typing the following command fipscfg disable selftests 8 Disable IPFilter ...

Page 164: ...162 Configuring advanced security features ...

Page 165: ... the configShow all command To display configuration settings connect to the switch log in as admin and enter the configShow all command The configuration settings vary depending on switch model and configuration This command does not show as much configuration information as the text file created from the configUpload command Enter the configUpload command to upload an ASCII text file from the sw...

Page 166: ...ILES Banner End Switch Configuration End 0 date Thu Oct 9 21 22 25 2008 Switch Configuration Begin 1 SwitchName n200 Fabric ID 100 Boot Parameters Configuration Zoning Defined Security policies Active Security policies iSCSI cryptoDev FICU SAVED FILES Banner End Switch Configuration End 1 Chassis section There is only one chassis section within a configuration It defines configuration data for cha...

Page 167: ...lected to upload all Logical Switches and the chassis configuration Only administrators with the chassis role permission are allowed to upload other FIDs or the chassis configuration The following information is not saved in a backup dnsConfig information passwords If your FTP setup supports anonymous users and you log in as an anonymous user password is still a required field even though its valu...

Page 168: ... Restoring a configuration involves overwriting the configuration on the switch by downloading a previously saved backup configuration file Protocol scp or ftp If your site requires the use of Secure Copy specify SCP Otherwise specify FTP If you leave it blank the default specified in the brackets is used Server Name or IP Address Enter the name or IP address of the server where the file is to be ...

Page 169: ...e must match the number of switches currently defined on the switch fid FID The FID must be defined in both the download configuration file and the current system fid FID sfid FID The fid FID must be defined on the switch and the sfid FID must be defined in the download configuration file all The number of switches or FIDs defined in the download configuration file must match the number of switche...

Page 170: ... the configDownload command cannot create Logical Switches if they do not exist Restoring a configuration 1 Verify that the FTP service is running on the server where the backup configuration file is located 2 Connect to the switch and log in as admin 3 If there are any changed parameters in the configuration file that do not belong to SNMP Fabric Watch or ACL disable the switch by entering the sw...

Page 171: ...n may take several minutes to complete for large files Do you want to continue y n y Password hidden configDownload complete Protocol scp or ftp If your site requires the use of Secure Copy specify scp Otherwise specify ftp Server Name or IP Address Enter the name or IP address of the server where the file is stored for example 192 1 2 3 You can enter a server name if DNS is enabled User name Ente...

Page 172: ...Only zoning parameters are downloaded to ad5 Example A download of all configurations chassis switches configdownload a ftp 10 1 2 3 gtian config txt password Example A download from a switch with an FID 8 to FID 10 configdownload fid 8 sfid 10 ftp 10 1 2 3 jdoe config txt password CAUTION Using the SFID parameter erases all configuration information on the Logical Switch Use this parameter only w...

Page 173: ...ress lines in the configuration file that begin with boot are ignored Security parameters lines in the configuration file that begin with sec such as secure mode setting and version stamp are ignored For more detailed information on security see Chapter 3 Configuring standard security features on page 99 Configuration restoration in a FICON environment If the switch is operating in a FICON CUP env...

Page 174: ...the HP StorageWorks 4 256 SAN Director and HP StorageWorks DC SAN Backbone Director enterprise class platform there is a guide for FC port setting tables The tables can be used to record configuration information for the various blades Table 48 B Series configuration and connection B Series configuration settings IP address Gateway address Chassis configuration option Management connections Serial...

Page 175: ...t types see Supported platforms for Virtual Fabrics on page 181 Virtual Fabrics and Admin Domains are mutually exclusive and are not supported at the same time on a switch Logical Switch Traditionally each switch and all the ports in the switch act as a single Fibre Channel switch FC switch that participates in a single fabric The Logical Switch feature allows you to divide a physical chassis into...

Page 176: ...gical Switches and fabric IDs When you create a Logical Switch you must assign it a fabric ID FID The fabric ID uniquely identifies each Logical Switch within a chassis and indicates to which fabric the Logical Switch belongs You cannot define multiple Logical Switches with the same fabric ID within the chassis In Figure 10 on page 175 Logical Switches 2 3 4 and 5 are assigned FIDs of 1 15 8 and 2...

Page 177: ...0 through P9 After Logical Switches are created the ports are assigned to specific Logical Switches Note that ports 0 1 7 and 8 have not been assigned to a Logical Switch and so remain assigned to the default Logical Switch Figure 1 1 Assigning ports to Logical Switches A given port is always in one and only one Logical Switch The following scenarios show the chassis after port assignment in Figur...

Page 178: ...rt such as a VE_Port or EX_Port you must configure the port after you move it Some types of ports cannot be moved from the default Logical Switch See Supported platforms for Virtual Fabrics on page 181 for detailed information about these ports Logical Switches and connected devices You can connect devices to Logical Switches as shown in Figure 12 In logical switch 2 P2 is an F_Port that is connec...

Page 179: ...ric and ISLs Figure 14 shows two physical chassis divided into Logical Switches In this figure ISLs are used to connect the Logical Switches with fabric ID 1 and the Logical Switches with fabric ID 15 The Logical Switches with fabric ID 8 are each connected to a non Virtual Fabrics switch The two Logical Switches and the non Virtual Fabrics switch are all in the same fabric with fabric ID 8 Figure...

Page 180: ...ase switch can be used for communication among the other Logical Switches For FC FC routing legacy EX_Ports must be connected to the base switch and no other Logical Switch Base switches do not support direct device connectivity A base switch can have only E_Ports VE_Ports EX_Ports or VEX_Ports but no F_Ports The base switch provides a common address space for communication between different Logic...

Page 181: ... described in Configuring a Logical Switch for XISL use on page 187 NOTE The default Logical Switch in the HP StorageWorks DC SAN Backbone Director or HP StorageWorks DC04 SAN Director cannot use XISLs You can also connect Logical Switches using a combination of ISLs and XISLs as shown in Figure 18 In this diagram traffic between the Logical Switches in fabric 1 can travel over either the ISL or t...

Page 182: ...nectivity but is based on the FIDs of the Logical Switches The basic order of fabric formation is as follows 1 The base fabric forms 2 Logical Fabrics form when the base fabric is stable 3 Traffic is initiated between the Logical Switches 4 Devices start seeing each other Management model for Logical Switches A Virtual Fabrics capable chassis is managed as a set of Logical Switches not as a single...

Page 183: ...en you connect to a physical chassis the home FID defines the Logical Switch to which you are logged in by default You can change to a different Logical Switch context as described in Changing the context to a different Logical Fabric on page 188 When you are logged in to a Logical Switch the system prompt changes to display the FID of that switch The following are sample prompts that display when...

Page 184: ...al Fabrics interaction with other Fabric OS features Table 49 lists some of the Fabric OS features and considerations that apply when using Virtual Fabrics Table 49 Virtual Fabrics interaction with Fabric OS features Fabric OS feature Interaction with Virtual Fabrics Admin Domains Virtual Fabrics and Admin Domains are mutually exclusive and are not supported at the same time on a switch To use Adm...

Page 185: ... you cannot use XISL in the Logical Fabric The Logical Switches must be connected only with ISLs Licensing Licenses are required for all Logical Switches in a chassis Performance monitoring Performance monitors are supported in a limited number of Logical Switches depending on the platform type See Chapter 18 Administering advanced performance monitoring on page 405 for more information about perf...

Page 186: ...osconfig show FC Routing service disabled iSCSI service Service not supported on this Platform iSNS client service Service not supported on this Platform Virtual Fabric disabled switch admin fosconfig enable vf WARNING This is a disruptive operation that requires a reboot to take effect All EX ports will be disabled upon reboot Would you like to continue Y N y For more information on the fosconfig...

Page 187: ...ne base switch NOTE Domain ID conflicts are detected before fabric ID conflicts If you have both a domain ID conflict and a fabric ID conflict only the domain ID conflict is reported To create a Logical Switch 1 Connect to the physical chassis and log in using an account assigned to the admin role with the chassis role permission 2 Enter the following command to create a Logical Switch lscfg creat...

Page 188: ... is moved has fabric mode Top Talkers enabled and the port is an E_Port fabric mode Top Talker monitors are automatically installed on that port NOTE If you are deploying ICLs in the base switch all ports associated with those ICLs must be assigned to the base switch If you are deploying ICLs to connect to default switches that is XISL use is not allowed the ICL ports should be assigned or left in...

Page 189: ...le the Logical Switch switchdisable 4 Enter the following command to change the fabric ID of a Logical Switch lscfg change fabricID newfid newFID force where fabricID is the fabric ID of the Logical Switch whose attributes you want to change and newFID is the fabric ID to be assigned Specify the force option to execute the command without any user prompts or confirmation 5 Enter the following comm...

Page 190: ...command configure 6 Enter y after the Fabric Parameters prompt Fabric parameters yes y no n no y 7 Enter 1 at the Allow XISL Use prompt to allow XISL use enter 0 at the prompt to disallow XISL use Allow XISL Use 0 1 8 Respond to the remaining prompts or press Ctrl d to accept the other settings and exit 9 Enter the following command to re enable the switch switchenable Changing the context to a di...

Page 191: ...hysical chassis and log in using an account assigned to the admin role with the chassis role permission b Create a Logical Switch and assign it a fabric ID for the Logical Fabric This FID must be different from the FID in the base fabric See Creating a Logical Switch or base switch on page 185 for instructions For the example shown in Figure 19 you would create a Logical Switch with FID 1 and a Lo...

Page 192: ...ready enabled switchenable The Logical Fabric is formed The fabricShow command displays all Logical Switches configured with the same fabric ID as the local switch and all non Virtual Fabric switches connected through ISLs to these Logical Switches The switchShow command displays logical ports as E_Ports with 1 for the slot and the user port number for the slot port ...

Page 193: ...mains with zones Zones define which devices and hosts can communicate with each other Admin Domains define which users can manage which devices hosts and switches You can have up to 256 Admin Domains in a fabric 254 user defined and 2 system defined numbered from 0 through 255 Admin Domains are designated by a name and a number This document refers to specific Admin Domains using the format ADn wh...

Page 194: ...er the switch ports and end devices are filtered based on Admin Domain membership Figure 21 Filtered fabric views when using Admin Domains Admin Domain features Admin Domains allow you to Define the scope of an Admin Domain to encompass ports and devices within a switch or a fabric Share resources across multiple Admin Domains For example you can share array ports and tape drives between multiple ...

Page 195: ...lt zone mode setting must be set to No Access before you create Admin Domains see Setting the default zone mode on page 200 for instructions Virtual Fabrics must be disabled before you create Admin Domains see Disabling Virtual Fabrics on page 184 for instructions The fabric must be in the native operating mode Admin Domains are not supported in interoperability mode Gigabit Ethernet GbE ports can...

Page 196: ...witch ports and switches used to create these user defined Admin Domains disappear from the AD0 implicit membership list The explicit membership list contains all devices switch ports and switches that you explicitly add to AD0 and that can be used to force device and switch sharing between AD0 and other Admin Domains AD0 can be managed like any user defined Admin Domain The only difference betwee...

Page 197: ...r modifying zones Figure 22 shows the same fabric as Figure 20 on page 192 but with AD0 and AD255 shown AD0 contains the two devices that are not in any of the user defined Admin Domains AD1 and AD2 AD255 encompasses the entire physical fabric Figure 22 Fabric with AD0 and AD255 Admin Domains and login You are always logged in to a home Admin Domain and you can view and modify only the devices in ...

Page 198: ...ual view The cabling switch port diagnostics and control are managed by the physical fabric administrator Port control is provided only through switch port membership and is not provided for device members When you create an Admin Domain the end device members do not need to be online even though their WWNs are used in the Admin Domain definition You can share device members across multiple Admin ...

Page 199: ...part of the Admin Domain NOTE Only the WWN of the switch is saved in the Admin Domain If you change the domain ID of the switch the Admin Domain ownership of the switch is not changed Admin Domains and switch WWN Admin Domains are treated as fabrics Because switches cannot belong to more than one fabric switch WWNs are converted so that they appear as unique entities in different Admin Domains fab...

Page 200: ...eighboring switch only if the local AD database is empty or if the new AD database exactly matches both the defined and effective configurations of the local AD database If the AD database merge fails the E_Port is segmented with AD conflict error code Admin Domains can be implemented in fabrics with a mix of AD capable and non AD capable switches The following considerations apply AD4 WWN 10 00 0...

Page 201: ...in Domain configuration occur in the transaction buffer An Admin Domain configuration can exist in several places In the effective configuration The Admin Domain configuration that is currently in effect In the defined configuration The Admin Domain configuration that is saved in flash memory There might be differences between the effective configuration and the defined configuration In the transa...

Page 202: ...in Domain number is automatically assigned and is the lowest available AD number except if you specify a name in the format ADn in which case the Admin Domain number is assigned to be n For example if you specify AD name blueAD and the lowest available AD number is 5 AD name is blueAD and AD number is 5 If you specify AD name AD15 and the lowest available AD number is 6 AD name is AD15 and AD numb...

Page 203: ...n index one device designated by device WWN and two switches designated by domain ID and switch WWN switch AD255 admin ad create blue_ad d 100 5 1 3 21 00 00 e0 8b 05 4d 05 s 97 10 00 00 60 69 80 59 13 Assigning a user to an Admin Domain After you create an Admin Domain you can specify one or more user accounts as the valid accounts who can use that Admin Domain User accounts have the following ch...

Page 204: ...list of Admin Domains to which the user account will have access The following example assigns Admin Domain green_ad2 to the existing user account ad1admin switch admin userconfig addad ad1admin a green_ad2 Creating a new physical fabric administrator user account 1 Connect to the switch and log in as admin 2 Enter the userConfig add command using the r option to set the role to admin and the a op...

Page 205: ... new admin domain Do you want to activate AD_B5 admin domain yes y no n no y switch AD255 admin Deactivating an Admin Domain If you deactivate an Admin Domain the members assigned to the Admin Domain can no longer access their hosts or storage unless those members are part of another Admin Domain You cannot log in to an Admin Domain that has been deactivated You must activate an Admin Domain befor...

Page 206: ...he following example adds two switch ports designated by domain index to AD1 switch AD255 admin ad add AD1 d 100 5 4 1 Removing members from an Admin Domain NOTE If you remove the last member of an Admin Domain that Admin Domain is automatically deleted 1 Connect to the switch and log in as admin 2 Switch to the AD255 context if you are not already in that context ad select 255 3 Enter the ad remo...

Page 207: ...g_AD2 Deleting an Admin Domain When you delete an Admin Domain its devices no longer have access to the members of the zones with which it was associated 1 Connect to the switch and log in as admin 2 Switch to the Admin Domain that you want to delete ad select ad_id 3 Clear the zone database under the Admin Domain you want to delete a Remove the effective configuration by entering the cfgDisable c...

Page 208: ...dmin Validating an Admin Domain member list You can validate the device and switch member list and flag all resources that are from non AD capable switches You can list Admin Domain members from non AD capable switches and non existing or offline Admin Domain members You can also identify misconfigurations of the Admin Domain For example in fabrics with a mix of AD capable and non AD capable switc...

Page 209: ...I command input arguments are validated against the AD member list they do not work with input arguments that specify resources that are not members of the current Admin Domain All commands present filtered output showing only the members of the current Admin Domain For example switchShow displays details for the list of AD members present in that switch Note the following about the switchShow out...

Page 210: ...nect to the switch and log in as any user type 2 Enter the ad show command ad show If you are in the AD0 context you can use the i option to display the implicit membership list of AD0 otherwise only the explicit membership list is displayed ad show i If you are in the AD255 context all Admin Domain configuration from the transaction buffer defined configuration and effective configuration is disp...

Page 211: ...rship Table 53 lists some of the Fabric OS features and considerations that apply when using Admin Domains Table 53 Admin Domain interaction with Fabric OS features continued Fabric OS feature Admin Domain interaction ACLs If no user defined Admin Domains exist you can run ACL configuration commands in only AD0 and AD255 If any user defined Admin Domains exist you can run ACL configuration command...

Page 212: ...physical control of the ports You must set up the switch as a physical member of the FICON AD Device Connection Control DCC and Switch Connection Control SCC policies are supported only in AD0 and AD255 because ACL configurations are supported only in AD0 and AD255 iSCSI iSCSI operations are supported only in AD0 Management applications Management interfaces that access the fabric without a user s...

Page 213: ...ne databases and zone transaction buffers You can concurrently edit the separate zone databases The AD zone database also has the following characteristics Each Admin Domain AD1 through AD254 has its own zone definitions These zone definitions include defined and effective zone configurations and all related zone objects including zones zone aliases and zone members For example you can define a zo...

Page 214: ... Admin Domains and then enter configDownload to restore them The configDefault command does not clear zone or Admin Domain database information This command is allowed only if the switch is a member of the current Admin Domain See Chapter 5 Maintaining the switch configuration file on page 163 for additional information about uploading and downloading configurations Table 54 Configuration upload a...

Page 215: ...at directors have two CPs and nonchassis based systems have one CP Use the firmwareDownload command to download the firmware from either an FTP or SSH server by using either the FTP or SCP protocol to the switch Or on the HP StorageWorks 8 8 and 8 24 SAN Switches HP StorageWorks 8 40 SAN Switch HP StorageWorks 8 80 SAN Switch and the HP StorageWorks DC SAN Backbone Director and HP StorageWorks DC0...

Page 216: ...of firmware In most cases you will be upgrading firmware However some circumstances may require installing an older version that is downgrading the firmware The procedures in this section assume that you are upgrading firmware but they work for downgrading as well provided the old and new firmware versions are compatible Always reference the latest release notes for any new information regarding d...

Page 217: ...orms on page 228 NOTE Downgrading from Fabric OS 6 2 0 to 6 1 x is disruptive to FC traffic Preparing for a firmware download Before executing a firmware download HP recommends that you perform the tasks listed in this section In the unlikely event of a failure or time out the preparation tasks that are described in this section will enable you to provide your switch support provider the informati...

Page 218: ...itches Before you upgrade the firmware on your switch you will need to check the connected switches to ensure compatibility and that any older versions are supported See the Fabric OS Compatibility section of the HP StorageWorks Fabric OS Release Notes for the recommended firmware version NOTE Go to http www hp com to view end of life policies If HP StorageWorks 4 8 and 4 16 SAN Switches HP Storag...

Page 219: ...d defaults to an autocommit option that automatically copies the firmware from one partition to the other NOTE This section applies only when upgrading from 6 1 x to 6 2 0 or from 6 2 0 to 6 2 0 If you are downgrading from 6 2 0 to 6 1 x you must enter the firmwareDownload s command as described in Test and restore firmware on switches on page 227 You should not override autocommit under normal ci...

Page 220: ...TP or SCP verify that the FTP or SSH server is running on the host server and that you have a valid user ID and password on that server If your platform supports a USB memory device verify that it is connected and running 2 Obtain the firmware file from www hp com and store the file on the FTP or SSH server or the USB memory device 3 Unpack the compressed files preserving directory structures The ...

Page 221: ...enterprise class platforms without disrupting the overall fabric if the two CP blades are installed and fully synchronized Use the haShow command to verify that the CPs are synchronized prior to beginning the firmware download process If only one CP blade is inserted or powered on you can run firmwareDownload s to upgrade the CP If the CPs are not in sync you can run firmwareDownload s on each of ...

Page 222: ...enter any disruptive commands such as reboot that will interrupt the process The entire firmware download and commit process takes approximately 15 minutes If there is a problem wait for the time out 30 minutes for network problems Disrupting the process can render the switch inoperable and require you to seek help from your switch service provider Do not disconnect the switch from power during th...

Page 223: ...ich version is older Autoleveling downloads firmware to the AP blade swaps partitions reboots the blade and copies the new firmware from the primary partition to the secondary partition If you have multiple AP blades they are updated simultaneously however the downloads can occur at different rates Auto leveling takes place in parallel with the firmware download being performed on the CPs but does...

Page 224: ...Traffic Disrupted 3 FC4 16IP v6 2 0 GigE 2 FA4 18 v6 2 0 Virtualization 4 FR4 18i v6 2 0 None 10 FR4 18i v6 2 0 None This command will upgrade both CPs and all AP blade s above It will temporarily disrupt the specified traffic on the AP blade s when it activates the new firmware If you want to upgrade a single CP only please use s option You can run firmwareDownloadStatus to get the status of this...

Page 225: ...lot 2 SAS Firmware has been downloaded successfully to the blade 4 Thu Mar 06 00 30 49 2008 Slot 7 SAS Firmware has been downloaded successfully to the blade 5 Thu Mar 06 00 30 49 2008 Slot 2 SAS Blade is rebooting 6 Thu Mar 06 00 30 49 2008 Slot 7 SAS Blade is rebooting 7 Thu Mar 06 00 30 49 2008 Slot 2 SAS Firmware commit is started 8 Thu Mar 06 00 30 49 2008 Slot 7 SAS Firmware commit is starte...

Page 226: ...G USB Drive attached to the switch or active CP Before the USB device can be accessed by the firmwareDownload command it must be enabled and mounted as a file system The firmware images to be downloaded must be stored under the relative path from usb usbstorage brocade firmware or using the absolute path in the USB file system Multiple images can be stored under this directory There is a firmwarek...

Page 227: ... FIPS see Chapter 4 Configuring advanced security features on page 1 17 Public and Private Key Management For signed firmware HP StorageWorks B Series products use RSA with 1024 bit length key pairs a private key and a public key The private key is used to sign the firmware files when the firmware is generated The public key is packaged in an RPM package as part of the firmware and is downloaded t...

Page 228: ...been modified If the firmware file has a signature and the validation succeeds firmwareDownload will proceed normally Configuring the switch for signed firmware 1 Log in to the switch as admin 2 Enter the configure command 3 Respond to the prompts as follows Server Name or IP Address Enter the name or IP address of the FTP server or SSH server for SCP where the firmwarekey file is stored for examp...

Page 229: ...led all features that are not supported by the original firmware before restoring to the original version Testing a different firmware version on a switch 1 Verify that the FTP or SSH server is running on the host server and that you have a user ID on that server 2 Obtain the firmware file from http www hp com or switch support provider and store the file on the FTP or SSH server 3 Unpack the comp...

Page 230: ...ral minutes to complete the commit operation b Wait five minutes to ensure that all processes have completed and the switch is fully up and operational c Log in to the switch Enter the firmwareShow command and verify that both partitions on the switch have the original firmware Test and restore firmware on enterprise class platforms This procedure enables you to perform a firmware download on each...

Page 231: ...on page 220 for details about autoleveling 8 Verify the failover a Connect to the enterprise class platform on the active CP which is the former standby CP b Enter the haShow command to verify that the HA synchronization is complete It will take a minute or two for the standby CP which is the old active CP to reboot and synchronize with the active CP NOTE If the CPs fail to synchronize you can sti...

Page 232: ...nt enterprise class platform session for the active CP enter the haShow command to verify that HA synchronization is complete It will take a minute or two for the standby CP to reboot and synchronize with the active CP b Enter the haFailover command The active CP will reboot and the current enterprise class platform session will end The enterprise class platform is now running the original firmwar...

Page 233: ...mmand firmwareShow v will display the firmware version on the Co CPs BrcdDCXBB admin firmwareshow v Slot Name Appl Primary Secondary Versions Status 6 CP0 FOS v6 2 0 ACTIVE v6 2 0 Co FOS v6 2 0 v6 2 0 7 CP1 FOS v6 2 0 STANDBY v6 2 0 Co FOS v6 2 0 v6 2 0 Local CP firmwareDownloadStatus Displays an event log that records the progress and status of events during Fabric OS firmwareDownload The event l...

Page 234: ...232 Installing and maintaining firmware ...

Page 235: ...6 1 0 or later do not require a license Before you configure zones you must install Brocade Advanced Zoning licenses on all Fabric OS 6 0 x or earlier switches in the fabric If a Zoning license is removed you must make sure it is re installed properly on the affected switch before enabling the zoning configuration Failure to follow these steps can cause inconsistency of the zoning configuration on...

Page 236: ...e type Description Storage based Storage units typically implement LUN based zoning also called LUN masking LUN based zoning limits access to the LUNs on the storage port to the specific WWN of the server HBA It is needed in most SANs It functions during the probe portion of SCSI initialization when the server probes the storage port for a list of available LUNs and their properties The storage sy...

Page 237: ... a zone with a large number of members meaning that more notifications such as registered state change notifications RSCNs or errors go out to a larger group than necessary Operating system Zoning by operating system has issues similar to zoning by application In a large site this type of zone can become very large and complex When zone changes are made they typically involve applications rather t...

Page 238: ...ld Wide Name WWNs or aliases of WWNs They can be node or port versions of the WWN Mixed zoning A zone containing members specified by a combination of domain port or domain index or aliases and WWNs or aliases of WWNs In any scheme you can identify zone objects using aliases Aliases are described in Zone aliases in this chapter NOTE If your fabric has a switch with a Fabric OS version earlier than...

Page 239: ...hat the zoning database is deleted however only that there is no configuration active in the fabric On power up the switch automatically reloads the saved configuration If a configuration was active when it was saved the same configuration is reinstated on the local switch Zoning enforcement Zoning enables you to restrict access to devices in a fabric Zoning enforcement describes a set of predefin...

Page 240: ...rced zoning Is also called hard zoning or ASIC enforced zoning Prevents a host from discovering unauthorized target devices Prevents a host from accessing a device it is not authorized to access Is enforced at the ASIC level Each ASIC maintains a list of source port IDs that have permission to access any of the ports on that ASIC Is available on 1 2 4 and 10 Gb s platforms Ensures that the name se...

Page 241: ...e enforced zoning on domain port zones and WWN zones Overlap of similar zone types does not result in the loss of hardware enforcement Overlap with other zone type results in the loss of hardware enforcement Connecting a device specified by WWN to a port specified in a domain port zone results in loss of the hardware enforcement in both zones For the HP StorageWorks 4 256 SAN Director with an HP S...

Page 242: ... 2 Gb s switches always deploy the hardware assist in any zone configuration see Figure 29 and Figure 30 on page 240 Figure 29 Zoning with hardware assist mixed port and WWN zones Figure 30 Session based hard zoning In Figure 30 only the overlapping ports are software enforced with hardware assist Identifying the enforced zone type 1 Connect to the switch and log in as admin Port_Zone1 Core Switch...

Page 243: ...ore resources to handle zoning changes and implementations Broadcast zones Fibre Channel allows sending broadcast frames to all Nx_Ports if the frame is sent to a broadcast well known address FFFFFF however many target devices and HBAs cannot handle broadcast frames To Table 60 Considerations for zoning architecture Item Description Type of zoning hard or soft session based HP recommends hard zoni...

Page 244: ...oadcast frames must be kept out of the broadcast zone so that they will not receive any broadcast frames Create a broadcast zone the same way you create any other zone except that a broadcast zone name must incluse the word broadcast case sensitive You can set up and manage broadcast zones using the standard zoning commands which are described in Zone creation and maintenance on page 246 Supported...

Page 245: ...and FC FC routing If you create broadcast zones in a metaSAN consisting of multiple fabrics connected through an FC router the broadcast zone must include the IP device that exists in the edge or backbone fabric as well as the proxy device in the remote fabric See Chapter 16 Optimizing fabric behavior on page 339 for information about proxy devices and the FC router Upgrade and downgrade considera...

Page 246: ... defines the device accessibility behavior if zoning is not implemented or if there is no effective zone configuration The default zoning mode has two options All Access All devices within the fabric can communicate with all other devices No Access A devices in the fabric cannot access any other device in the fabric If a broadcast zone is active even if it is the only zone in the effective configu...

Page 247: ...ve the change to the defined configuration switch admin aliadd array1 1 2 switch admin aliadd array2 21 00 00 20 37 0c 72 51 switch admin aliadd loop1 5 6 switch admin cfgsave You are about to save the Defined zoning configuration This action will only save the changes on the Defined configuration Any changes made on the Effective configuration will not take effect until it is re enabled Do you wa...

Page 248: ... Deleting an alias 1 Connect to the switch and log in as admin 2 Enter the aliDelete command using the following syntax alidelete aliasname where 3 Enter the cfgSave command to save the change to the defined configuration switch admin alidelete array1 switch admin cfgsave You are about to save the Defined zoning configuration This action will only save the changes on the Defined configuration Any ...

Page 249: ...ch to monitor the status of the zone configuration To create a broadcast zone use the reserved name broadcast Do not give a regular zone the name of broadcast See Broadcast zones on page 241 for additional information about this special type of zone Virtual Fabric considerations Zone definitions should not include logical port numbers Zoning is not enforced on logical ports Creating a zone 1 Conne...

Page 250: ...member member where 3 Enter the cfgSave command to save the change to the defined configuration switch admin zoneadd greenzone 1 2 switch admin zoneadd bluezone 21 00 00 20 37 0c 72 51 switch admin zoneadd broadcast 1 3 switch admin cfgsave You are about to save the Defined zoning configuration This action will only save the changes on the Defined configuration Any changes made on the Effective co...

Page 251: ...e zonename where 3 Enter the cfgSave command to save the change to the defined configuration switch admin zonedelete bluezone switch admin cfgsave You are about to save the Defined zoning configuration This action will only save the changes on the Defined configuration Any changes made on the Effective configuration will not take effect until it is re enabled Do you want to save Defined zoning con...

Page 252: ...ed switch admin zone validate White_zone 4 Enter the following command to validate all zones in the zone database in the defined configuration switch admin sw5 root zone validate m 1 Defined configuration cfg cfg1 zone1 cfg cfg2 zone1 zone2 zone zone1 1 1 ali1 zone zone2 1 1 ali2 alias ali1 10 00 00 05 1e 35 81 7f 10 00 00 05 1e 35 81 7d alias ali2 10 00 00 05 1e 35 81 09 10 00 00 05 1e 35 81 88 I...

Page 253: ...d be set to No Access If the default zone mode is All Access and the effective configuration is disabled the large number of requests to the switches might result in a queue full scenario Admin Domain considerations If you want to use Admin Domains you must set the default zoning mode to No Access prior to setting up the Admin Domains You cannot change the default zoning mode to All Access if user...

Page 254: ...database size exceeds 256 KB switches not upgraded to Fabric OS 5 2 0 or later are segmented out of the fabric Use the cfgSize command to display the zoning database size Symmetrical segmentation occurs when both ends of an ISL are shut down Subsequently no frames are exchanged between those two switches Asymmetrical segmentation not only prevents frames from being exchanged between switches but a...

Page 255: ...4 0 Segment Join Join Join Join Join Join Join Fabric OS 5 0 0 5 0 1 Segment Join Join Join Join Join Join Join Fabric OS 5 2 0 or later Segment Join Join Join Join Join Join Join FC router Segment Join Join Join Join Join Join Join XPath 7 3 Segment Segment Join Join Join Join Join Join Table 64 Resulting database size 128K to 256K Initiator Receiver Fabric OS 3 1 Fabric OS 3 2 Fabric OS 4 0 4 1 ...

Page 256: ...n and use the cfgSize command to determine the remaining space Fabric OS 5 0 0 5 0 1 Segment Join Segment Join Join Join Join Segment Fabric OS 5 2 0 or later Segment Join Join Join Join Join Join Join FC router Segment Join Segment Join Join Join Join Segment XPath 7 3 Segment Segment Segment Segment Segment Segment Segment Segment Table 64 Resulting database size 128K to 256K continued Initiator...

Page 257: ...ed zoning configuration only yes y no n no y The cfgSave command ends and commits the current zoning transaction buffer to both volatile and nonvolatile memory If a transaction is open on a different switch in the fabric when this command is run the transaction on the other switch is automatically aborted A message is displayed on the other switches to indicate that the transaction was aborted Add...

Page 258: ...played on the other switches to indicate that the transaction was aborted Enabling a zone configuration The following procedure ends and commits the current zoning transaction buffer to both volatile and nonvolatile memory If a transaction is open on a different switch in the fabric when this procedure is run the transaction on the other switch is automatically aborted A message is displayed on th...

Page 259: ...efined configuration switch admin cfgdelete testcfg switch admin cfgsave You are about to save the Defined zoning configuration This action will only save the changes on the Defined configuration Any changes made on the Effective configuration will not take effect until it is re enabled Do you want to save Defined zoning configuration only yes y no n no y The cfgSave command ends and commits the c...

Page 260: ...28 zone Purple_zone 1 0 21 00 00 20 37 0c 76 85 21 00 00 20 37 0c 71 df Viewing selected zone configuration information 1 Connect to the switch and log in as admin 2 Enter the cfgShow command and specify a pattern cfgshow pattern mode where For example to display all zone configurations that start with Test switch admin cfgshow Test cfg Test1 Blue_zone cfg Test_cfg Purple_zone Blue_zone Viewing th...

Page 261: ... procedures describe how to copy delete and rename zone objects Depending on the operation a zone object can be a zone member a zone alias a zone or a zone configuration Copying a zone object When you copy a zone object the resulting object has the same name as the original The zone object can be a zone configuration a zone alias or a zone 1 Connect to the switch and log in as admin 2 Enter the cf...

Page 262: ...g USA_cfg Purple_zone White_zone Blue_zone zone Blue_zone 1 1 array1 1 2 array2 zone Purple_zone 1 0 loop1 zone White_zone 1 3 1 4 alias array1 21 00 00 20 37 0c 76 8c 21 00 00 20 37 0c 71 02 alias array2 21 00 00 20 37 0c 76 22 21 00 00 20 37 0c 76 28 alias loop1 21 00 00 20 37 0c 76 85 21 00 00 20 37 0c 71 df Effective configuration cfg USA_cfg zone Blue_zone 1 1 21 00 00 20 37 0c 76 8c 21 00 00...

Page 263: ...ive Zoning configuration management You can add delete or remove individual elements in an existing zone configuration to create an appropriate configuration for your SAN environment After the changes have been made save the configuration to ensure the configuration is permanently saved in the switch and that the configuration is replicated throughout the fabric The switch configuration file can a...

Page 264: ... configurations If there is an effective configuration between two switches the effective zone configurations must match Zone object naming If a zoning object has the same name in both the local and adjacent defined configurations the object types and member lists must match When comparing member lists the content and order of the members are important Objects in adjacent configurations If a zonin...

Page 265: ... related changes The primary FCS switch also distributes zoning to all other switches in the secure fabric All existing interfaces can be used to administer zoning depending on the policies see the Secure HP StorageWorks Fabric OS 6 2 x administrator guide for information about security policies You must perform zone management operations from the primary FCS switch using a zone management interfa...

Page 266: ...fective none defined cfg1 zone1 ali1 ali2 effective none Switch A will absorb the configuration from the fabric Switch A does not have a defined configuration Switch B has a defined configuration defined none effective none defined cfg1 zone1 ali1 ali2 effective cfg1 Switch A will absorb the configuration from the fabric with cfg1 as the effective configuration Switch A and Switch B have the same ...

Page 267: ... TI_zone1 Clean merge Switch A has TI zones Switch B has identical TI zones defined cfg1 TI_zone1 defined cfg1 TI_zone1 Clean merge Switch A has a TI zone Switch B has a different TI zone defined cfg1 TI_zone1 defined cfg1 TI_zone2 Fabric segments due to Zone Conflict cfg mismatch Cannot merge switches with different TI zone configurations Different default zone access mode settings defzone allacc...

Page 268: ...266 Administering advanced zoning ...

Page 269: ... encryption support The HP StorageWorks 4 256 SAN Director has 10 slots that contain control processor port and application AP blades Slot numbers 5 and 6 contain control processor blades Slot numbers 1 through 4 and 7 through 10 contain port and AP blades The HP StorageWorks DCX SAN Backbone Director has 12 slots that contain control processor core port and AP blades Slot numbers 6 and 7 contain ...

Page 270: ...ort 4Gb blade HP StorageWorks SAN Director 16 Port 8Gb FC blade Ports are numbered from 0 through 15 from bottom to top HP StorageWorks 4 256 SAN Director 32 Port 4Gb blade HP StorageWorks SAN Director 32 Port 8Gb FC blade Ports are numbered from 0 through 15 from bottom to top on the left set of ports and 16 through 31 from bottom to top on the right set of ports HP StorageWorkds 4 256 SAN Direct...

Page 271: ...er in up to 255 ports it is actually the area assigned to that port IMPORTANT The port area schema does not apply to the HP StorageWorks DC04 SAN Director Switch enterprise class platform If the PID format is changed from Extended edge to Core the P value for ports 0 127 also changes If two ports are changed using the portSwap command their respective areas and P values are exchanged For ports tha...

Page 272: ...39 155 155 171 171 187 187 203 203 219 219 235 235 251 251 26 138 138 154 154 170 170 186 186 202 202 218 218 234 234 250 250 25 137 137 153 153 169 169 185 185 201 201 217 217 233 233 249 249 24 136 136 152 152 168 168 184 184 200 200 216 216 232 232 248 248 23 135 135 151 151 167 167 183 183 199 199 215 215 231 231 247 247 22 134 134 150 150 166 166 182 182 198 198 214 214 230 230 246 246 21 133...

Page 273: ...6 66 82 82 98 98 1 14 1 14 1 1 1 17 17 33 33 49 49 65 65 81 81 97 97 1 13 1 13 0 0 0 16 16 32 32 48 48 64 64 80 80 96 96 1 12 1 12 Table 68 Default index area_ID core PID assignment with no port swap continued Port on blade Slot 1Idx are a Slot 2Idx are a Slot 3Idx are a Slot 4Idx are a Slot 7Idx are a Slot 8Idx are a Slot 9Idx are a Slot 10Idx area Table 69 Default index area_ID core PID assignme...

Page 274: ...7 27 91 91 155 155 219 219 26 26 26 90 90 154 154 218 218 25 25 25 89 89 153 153 217 217 24 24 24 88 88 152 152 216 216 23 23 23 87 87 151 151 215 215 22 22 22 86 86 150 150 214 214 21 21 21 85 85 149 149 213 213 20 20 20 84 84 148 148 212 212 19 19 19 83 83 147 147 21 1 21 1 18 18 18 82 82 146 146 210 210 17 17 17 81 81 145 145 209 209 16 16 16 80 80 143 143 208 208 15 15 15 79 79 142 142 207 207...

Page 275: ...ades Port blades are enabled by default In some cases you will need to disable a port blade to perform diagnostics When diagnostics are executed manually from the Fabric OS command line many commands require the port blade to be disabled This ensures that diagnostic activity does not interfere with normal fabric traffic Disabling port blades 1 Connect to the switch and log in as admin 2 Enter the ...

Page 276: ...orks SAN Director 16 Port 8Gb FC Blade HP StorageWorks SAN Director 6 Port 10Gb FC Blade Then other than the port s EX_Port configuration all the remaining port configurations previously applied to the B Series Multi Protocol Router Blade ports can be used The EX_Port configuration on those ports is disabled before the 4Gb or 8Gb port blade becomes operational When a blade is present in the slot a...

Page 277: ...e configuring a chassis familiarize yourself with the platform CP blade and port blade nomenclature as well as the port blade compatibilities Often in procedures only the abbreviated names for CP and port blades are used for example the HP StorageWorks 4 256 SAN Director 16 Port 4Gb Blade Table 70 lists CP and port blades their abbreviated names and their descriptions Table 70 HP StorageWorks ente...

Page 278: ...256 SAN Director CP Blades 48 port 4 Gb s Port Blade HP Storage Works 4 256 SAN Director 48 Port 4Gb Blade 36 A 48 port HP StorageWorks Platform Port Blade supporting 1 2 and 4 Gb s port speeds in chassis mode 5 with port and exchange based routing This port blade is compatible only with the HP StorageWorks 4 256 SAN Director CP Blades HP StorageWorkds 4 256 SAN Director 48 Port 4Gb Blades do not ...

Page 279: ... orks SAN Director 6 Port 10Gb FC Blade 39 A 6 port HP StorageWorks Platform Port Blade supporting 10 Gb s port speed Blade provides 10 Gb s ISLs This port blade is compatible only with the HP StorageWorks 4 256 SAN Director CP Blades using chassis configuration option 5 and the HP StorageWorks DC SAN Backbone Director and HP StorageWorks DC04 SAN Director Switch CP Blades Fibre Channel Router Bla...

Page 280: ... or HP StorageWorks DC04 SAN Director Switch chassis This blade is not interchangeable or hot swappable with the HP StorageWorks DC SAN Backbone Director Core Blades If you try to interchange the blades they become faulty The HP StorageWorks 4 256 SAN Director does not support core blades Port and application blade compatibility Table 71 identifies which port and application blades are supported f...

Page 281: ...Port 4Gb Blade Table 71 Port blades supported by each platform continued Port blades HP StorageWorks 4 256 SAN Director CP4 HP StorageWorks DC SAN Backbone Director and HP StorageWorks DC04 SAN Director Switch Slot Displays the physical slot number Blade Type Displays the blade type SW BLADE The blade is a port blade CP BLADE The blade is a control processor CORE BLADE The blade is a core blade HP...

Page 282: ...ctor ports at ICL0 and ICL1 each aggregating a set of 8 ports Thus each core blade provides 16 ICL ports and there are 32 ICL ports available for the entire HP StorageWorks DC04 SAN Director Switch chassis All the ICL connector ports must be connected to the same two HP StorageWorks DC SAN Backbone Director or HP StorageWorks DC04 SAN Director Switch chassis Only cross ICL group connections are al...

Page 283: ...ith some restrictions All port parameters associated with ICL ports are static and all portCfg commands are blocked from changing any of the ICL port parameters The only management associated with ICL ports and cables is monitoring the status of the LEDs on the ICL ports and any maintenance if the ATTENTION LED is blinking yellow For additional information about the LED status for blades and ports...

Page 284: ...282 Configuring Enterprise class platforms ...

Page 285: ... minimal cost FSPF Fabric Shortest Path First FSPF is a link state path selection protocol that directs traffic along the shortest path between the source and destination based upon the link cost FSPF detects link failures determines the shortest route for traffic updates the routing table provides fixed routing paths within a fabric and maintains correct ordering of frames FSPF keeps track of the...

Page 286: ... remote domain Routing policies By default all routing protocols place their routes into a routing table You can control the routes that a protocol places into each table and the routes from that table that the protocol advertises by defining one or more routing policies and then applying them to the specific routing protocol The routing policy is responsible for selecting a route based on one of ...

Page 287: ...are assigned to egress ports in ratios proportional to the potential bandwidth of the ISL or trunk group When there are multiple paths to a destination the input traffic will be distributed across the different paths in proportion to the bandwidth available on each of the paths This improves utilization of the available paths thus reducing possible congestion on the paths Every time there is a cha...

Page 288: ...from a base fabric that is sent out using one of the dedicated ISLs in a Logical Switch The AP policy affecting the DPS behavior whether it is exchange based device based or port based is configured on a per Logical Switch basis IOD and DLS settings are set per Logical Switch as well IOD and DLS settings for the base switch affect all traffic going over the base fabric including any Logical Fabric...

Page 289: ... off DLS cannot be changed with current routing policy indicates that you are using the exchange based routing policy and you cannot enable or disable DLS If you get this message you cannot perform step 3 so you are done with this procedure 3 Enter the dlsSet command to enable DLS or enter the dlsReset command to disable it switch admin dlsshow DLS is not set switch admin dlsset switch admin dlssh...

Page 290: ... Frame order delivery The order of delivery of frames is maintained within a switch and determined by the routing policy in effect The frame delivery behaviors for each routing policy are Port based routing All frames received on an incoming port destined for a destination domain are guaranteed to exit the switch in the same order in which they were received Exchange based routing All frames recei...

Page 291: ...n order delivery IOD guarantees that frames are either delivered in order or dropped All HP B series switches enable IOD by default to ensure frames are delivered in order as not all HP destination devices can tolerate out of order frames Forcing out of order frame delivery across topology changes 1 Connect to the switch and log in as admin 2 Enter the iodReset command IMPORTANT This command can c...

Page 292: ...290 Routing traffic ...

Page 293: ...HP supported interop configurations see the HP StorageWorks Fabric interoperability application notes for merging B Series fabrics with fabrics based on C Series and M Series Fibre Channel switches on the following HP website http h18000 www1 hp com products storageworks san documentation html ...

Page 294: ...292 Interoperability for merged SANs ...

Page 295: ... Platform services The management server is located at the Fibre Channel address FFFFFAh By default all management services except platform services are enabled the MS platform service and topology discovery are disabled Use the msplMgmtActivate and msplMgmtDeactivate commands to activate and deactivate the platform services throughout the fabric The msplMgmtActivate command attempts to activate t...

Page 296: ...form Service in the fabric switch admin Management server database You can use the msConfigure command to control access to the management server database An access control list ACL of WWN addresses determines which systems have access to the management server database The ACL typically contains those WWNs of host systems that are running management applications If the list is empty the default th...

Page 297: ...one switch admin Adding a member to the ACL 1 Connect to the switch and log in using an account assigned to the admin role 2 Enter the msConfigure command The command becomes interactive 3 At the select prompt enter 2 to add a member based on its port node WWN 4 At the Port Node WWN prompt enter the WWN of the host to be added to the ACL 5 At the select prompt enter 1 to display the access list so...

Page 298: ...11 24 10 00 00 60 69 04 11 23 21 00 00 e0 8b 04 70 3b 10 00 00 60 69 04 11 33 20 00 00 20 37 65 ce 55 20 00 00 20 37 65 ce 66 00 00 00 00 00 00 00 00 0 Done 1 Display the access list 2 Add member based on its Port Node WWN 3 Delete member based on its Port Node WWN select 0 3 1 0 done Update the FLASH yes y no n yes y Successfully saved the MS ACL to the flash Deleting a member from the ACL 1 Conn...

Page 299: ... based on its Port Node WWN select 0 3 2 1 MS Access List consists of 1 10 00 00 00 c9 29 b3 84 0 Done 1 Display the access list 2 Add member based on its Port Node WWN 3 Delete member based on its Port Node WWN select 0 3 1 3 Port Node WWN in hex 00 00 00 00 00 00 00 00 10 00 00 00 c9 29 b3 84 WWN is successfully deleted from the MS ACL 0 Done 1 Display the access list 2 Add member based on its P...

Page 300: ...d 3 Enter y to confirm the deletion The management server platform database is cleared Topology discovery The topology discovery feature can be displayed enabled and disabled it is disabled by default The commands mstdEnable and mstdDisable are allowed only in AD0 and AD255 Displaying topology discovery status 1 Connect to the switch and log in as admin 2 Enter the mstdReadConfig command switch ad...

Page 301: ... be cleared 3 Enter y to disable the discovery feature NOTE Disabling discovery of management server topology might erase all NID entries switch admin mstddisable This may erase all NID entries Are you sure yes y no n no y Request to disable MS Topology Discovery Service in progress MS Topology Discovery disabled locally switch admin mstddisable all This may erase all NID entries Are you sure yes ...

Page 302: ...300 Configuring the Distributed Management Server ...

Page 303: ...nd a discovery domain set Session management such as session tracking and performance monitoring Session authentication using CHAP NOTE The HP StorageWorks B Series iSCSI Director Blade gateway service is not compatible with other iSCSI gateway platforms including Brocade iSCSI Gateway or the Brocade Multiprotocol Router iSCSI session translation The iSCSI gateway enables applications on an IP net...

Page 304: ... provides the following two methods to map physical FC targets LUNs to iSCSI virtual targets VTs Basic LUN mapping Advanced LUN mapping Basic LUN mapping Fabric OS provides a mechanism that maps LUNs to iSCSI VTs a one to one mapping with unique iSCSI Qualified Names IQNs for each target It presents an iSCSI VT for each native FC target to the IP network and an iSCSI VI for each iSCSI port to the ...

Page 305: ...s the iSCSI initiator and iSCSI VT Every iSCSI initiator and iSCSI VT on the same network and SAN must have a unique IQN A Brocade created IQN includes 2002 12 com brocade and the device WWN as shown in the following example Type Date Auth User defined iqn 2002 12 com brocade 10 00 00 05 1e aa bb cc A Microsoft created IQN includes microsoft and the system name iqn 2003 11 com microsoft win2k sn 1...

Page 306: ...ators and iSCSI VTs The iSCSI initiators can access only the iSCSI VTs that are in the same discovery domain Discovery domains are grouped together in a discovery domain set DDSet The active discovery domain set enforces the fabric wide iSCSI VT access Only the DDs in the active DDSet are enforced You can create multiple discovery domain sets but only one set can be active at a time It is also pos...

Page 307: ...se Existing connections are not redistributed when iSCSI ports change state from disabled to enabled or offline to online Connection redirection does not need to be committed as a configuration parameter It is independently enabled and disabled Enabling and disabling connection redirection for load balancing 1 Connect to the switch and log in 2 Enter the appropriate form of the iscsiSwCfg command ...

Page 308: ...n Supported iSCSI initiators Table 73 lists iSCSI initiators supported by the iSCSI gateway service Checklist for configuring iSCSI After you install the HP StorageWorks B Series iSCSI Director Blade in the HP StorageWorks 4 256 SAN Director see the Brocade FC4 16IP Hardware Reference Manual you configure the iSCSI gateway Table 73 Supported iSCSI initiators iSCSI initiator driver versions Windows...

Page 309: ...mbers are iSCSI components identified using IQNs iscsiCfg create dd d ddname m member member member Creating discovery domains on page 319 8 Create discovery domain set where members are discovery domains iscsiCfg create ddset n ddset_name d member member Creating and enabling a discovery domain sets on page 320 9 Activate the discovery domain set iscsiCfg enable ddset n ddset_name Creating and en...

Page 310: ...iptions of GUI based configuration procedures HP StorageWorks B Series iSCSI Director Blade port numbering The HP StorageWorks B Series iSCSI Director Blade has both GbE ports and FC ports Ports are addressed using slot number and port number notation for example 2 7 FC ports are numbered from 0 through 7 GbE ports are numbered from ge0 through ge7 NOTE The HP StorageWorks 4 256 SAN Director 16 Po...

Page 311: ...2 Enter the fosConfig show command to show the current Fabric OS configuration switch admin fosconfig show FC Routing service disabled iSCSI service disabled iSNS Client service disabled 3 Enter the fosConfig enable command to enable the iSCSI gateway service switch admin fosconfig enable iscsi iSCSI service is enabled 4 Verify that the iSCSI gateway service is enabled switch admin fosconfig show ...

Page 312: ...nd GbE port number parameters to display the Persistent Disable setting of the port switch admin portcfgshow 10 ge0 Mode ISCSI Persistent Disable ON Ipif configuration Interface IP Address NetMask MTU 0 30 0 130 100 255 255 0 0 1500 Arp configuration IP Address Mac Address Iproute Configuration IP Address Mask Gateway Metric switch admin 3 Take the appropriate action based on the Persistent Disabl...

Page 313: ... 255 255 0 0 8256 NOTE 1500 bytes is the standard maximum packet size in an IP network If your network supports jumbo packets a value of 8256 can improve performance The range allowed is 1500 to 8256 KB 3 Enter the portShow command to verify that the settings switch admin portshow ipif 3 ge0 Slot 3 Port ge0 InterfaceIP AddressNetMaskMTU 030 0 127 30 255 255 0 0 8256 4 Optional Enter the portCfg co...

Page 314: ...ures You create iSCSI VTs using the LUN values of FC targets The FC target must be accessible from the iSCSI gateway iSCSI VTs can be automatically generated or manually created After mapping iSCSI targets do not move the targets out of Administrative Domain 0 AD0 unless you then explicitly add them back to AD0 Automatic iSCSI VT creation An iSCSI VT is created using target LUNs from the attached ...

Page 315: ...02 12 com brocade 2e 9f 00 06 2b 0d 10 ba Operation Succeeded 14 2e bf 00 06 2b 0d 10 ba iqn 2002 12 com brocade 2e bf 00 06 2b 0d 10 ba Operation Succeeded 15 2e df 00 06 2b 0d 10 ba iqn 2002 12 com brocade 2e df 00 06 2b 0d 10 ba Operation Succeeded 16 2e ff 00 06 2b 0d 10 ba iqn 2002 12 com brocade 2e ff 00 06 2b 0d 10 ba Operation Succeeded 17 2f 1f 00 06 2b 0d 10 ba iqn 2002 12 com brocade 2f...

Page 316: ... ba State Status Online Defined Name iqn 2002 12 com brocade 2e 7f 00 06 2b 0d 10 ba State Status Online Defined Name iqn 2002 12 com brocade 2e 9f 00 06 2b 0d 10 ba State Status Online Defined Name iqn 2002 12 com brocade 2e bf 00 06 2b 0d 10 ba State Status Online Defined Name iqn 2002 12 com brocade 2e df 00 06 2b 0d 10 ba State Status Online Defined Name iqn 2002 12 com brocade 2e ff 00 06 2b ...

Page 317: ...SCSI VTs manually when there are FC targets on the fabric that should not be mapped to an iSCSI VT and if you want to map more than one target to the same iSCSI VT or a LUN to an iSCSI VT Up to 256 LUNs can be mapped to an iSCSI VT 1 Connect and log in to the switch 2 Enter the iscsiCfg create tgt command with the t IQN option to create an undefined iSCSI VT that is an iSCSI VT that contains no LU...

Page 318: ...Target Node WWN 20 00 00 04 cf e7 73 7e Target Port WWN 21 00 00 04 cf e7 73 7e Target Pid 120d9 Number of LUNs returned by query 1 LUN ID 0x00 Target Index 3 Target Node WWN 2f ff 00 06 2b 0d 12 99 Target Port WWN 2f ff 00 06 2b 0d 12 99 Target Pid 12300 Number of LUNs returned by query 16 LUN ID 0x00 LUN ID 0x01 LUN ID 0x02 LUN ID 0x03 LUN ID 0x04 LUN ID 0x05 LUN ID 0x06 LUN ID 0x07 LUN ID 0x08 ...

Page 319: ...he switch and log in 2 Enter the iscsiCfg add lun command with t IQN w port_WWN and l n n options to add LUNs attached to a specific port device to an iSCSI VT where t IQN Specifies the unique IQN name for the iSCSI VT in the format iqn 2002 12 com brocade user_defined_name w port_WWN Specifies the port WWN of the physical FC target l n n Maps the physical FC LUNs to virtual iSCSI LUNs and is spec...

Page 320: ...commit all command to commit the changes to the database If the LUN deletion is one of several configuration changes you may want to see Committing the iSCSI related configuration on page 322 for extra detail on the commit process Displaying the iSCSI virtual target LUN map 1 Connect and log in to the switch 2 Enter the iscsiCfg show lun command switch admin iscsicfg show lun Number of targets fou...

Page 321: ...ess with a single command An enabled DDSet is enforced fabric wide In a deployment with an active DDSet only iSCSI initiators in an enforced DD can access iSCSI VT in the same DD If you do not configure either discovery domains or iSNS for access control any iSCSI initiator on the IP network can access all iSCSI VTs and therefore all FC targets in the fabric Displaying iSCSI initiator IQNs All iSC...

Page 322: ...successfully iSCSI initiator to VT authentication configuration Fabric OS 5 2 0 or later supports both one way and mutual CHAP authentication for iSCSI initiator to iSCSI VT target sessions The authentication method CHAP or none is set on a per iSCSI VT basis Setting the user name and shared secret Authentication depends on a user name and a shared secret When an iSCSI VT authenticates an iSCSI in...

Page 323: ...This operation completed successfully 3 Enter the iscsiCfg commit all command 4 Enter the iscsiCfg show tgt command with the t and v options to verify that a user name has been bound to the iSCSI VT switch admin iscsicfg show tgt t iqn 2002 10 com brocade tgt v Number of records found 1 Name iqn 2002 10 com brocade tgt1 CHAP Users CHAP Status 1 iscsitgt1 Online Committed 2 hello123 Invalid Deletin...

Page 324: ... admin iscsicfg commit all This will commit ALL database changes made to all iSCSI switches in fabric This could be a long running operation Continue yes y no n n y The operation completed successfully 4 Enter the iscsiCfg show transaction command to verify that the changes were committed switch admin iscsicfg show transaction There is no active transaction Resolving conflicts between iSCSI config...

Page 325: ...the iscsiCfg easycreate tgt command with the s option to return the node and port WWNs of the switch The following is an example switch admin iscsicfg easycreate tgt s The following WWNs will be used for any easycreate operation from this switch Node WWN 10 00 00 60 69 80 04 4a Port WWN 21 fd 00 60 69 80 04 4a Enter the fcLunQuery command with the s option to return the node and port WWNs of the s...

Page 326: ...s function the same way with iSCSI as without To learn more about these operations see About Zones in the HP StorageWorks Fabric OS 6 2 x administrator guide and the zoneCreate command in the Fabric OS Command Reference For more information on configuring a zone see Creating and Maintaining Zones in the HP StorageWorks Fabric OS 6 2 x administrator guide IMPORTANT If you decide to start zoning the...

Page 327: ...advisable to create a separate zone so that iSCSI gateway service components can be easily differentiated from other devices in SAN fabric zones In order to more easily handle groups of targets and initiators you can create aliases for each group You can create aliases add and remove members from an alias and delete aliases These operations function the same way with iSCSI as they do without To le...

Page 328: ...0 23 00 60 69 e0 01 56 Permanent Port Name 2f ff 00 06 2b 0d 12 99 Port Index 35 Share Area No Device Shared in Other AD No N 012800 3 50 06 06 9e 00 15 63 00 50 06 06 9e 00 15 63 01 na FC4s FCP PortSymb 23 iSCSI Virtual Initiator NodeSymb 51 IPAddr 30 0 127 30 Slot Port 3 ge0 Logical pn 40 Fabric Port Name 00 00 00 00 00 00 00 00 Permanent Port Name 50 06 06 9e 00 15 63 00 Port Index 40 Share Are...

Page 329: ...rmanent Port Name 50 06 06 9e 00 15 63 30 Port Index 46 Share Area No Device Shared in Other AD No N 012f00 3 50 06 06 9e 00 15 63 38 50 06 06 9e 00 15 63 39 na FC4s FCP PortSymb 23 iSCSI Virtual Initiator NodeSymb 51 IPAddr 30 0 127 37 Slot Port 3 ge7 Logical pn 47 Fabric Port Name 00 00 00 00 00 00 00 00 Permanent Port Name 50 06 06 9e 00 15 63 38 Port Index 47 Share Area No Device Shared in Oth...

Page 330: ...rence 10 Enter the cfgSave command to save the change to the defined configuration switch admin cfgsave You are about to save the Defined zoning configuration This action will only save the changes on the Defined configuration Any changes made on the Effective configuration will not take effect until it is re enabled Do you want to save Defined zoning configuration only yes y no n no y Zoning conf...

Page 331: ... iSCSI VTs download information about other registered clients such as iSCSI initiators and receive notification of events that occur in the DDs Figure 41 iSCSI network with iSNS server and clients NOTE Fabric OS supports only Microsoft iSNS Server 3 0 and later Displaying iSNS client service status 1 Connect and log in to the switch 2 Enter the fosConfig command to show the current Fabric OS conf...

Page 332: ...address is the iSNS server IP address The following is an example switch admin isnsccfg set 10 ge0 s 10 32 0 145 iSNS client configuration updated peering with iSNS server 10 32 0 145 on slot 10 port ge0 Enter the isnscCfg show command to verify that the iSNS server has been configured correctly switch admin isnsccfg show iSNS client is peering with iSNS server 10 32 0 145 on slot 10 port ge0 Oper...

Page 333: ...admin fosconfig disable isnsc 3 Enter the fosConfig show command to verify that the service is disabled switch admin fosconfig show FC Routing service disabled iSCSI service enabled iSNS Client service disabled Clearing the iSNS client configuration The iSNS client configuration can be cleared with a single command 1 Connect and log in to the switch 2 Enter the isnscCfg clear command to clear the ...

Page 334: ...332 iSCSI gateway service ...

Page 335: ...PIV port In cases where the device is not capable of handling such unexpected PLOGIs you should use WWN based zoning Fixed addressing mode Fixed addressing mode is the default addressing mode used in all the platforms except for the HP StorageWorks DC SAN Backbone Director and HP StorageWorks DC04 SAN Director Switch that do not have Virtual Fabrics enabled The number of NPIV devices supported on ...

Page 336: ...rtual N_Port_IDs per switch to a value between 0 and 126 multiplied by the number of ports you specify when setting this parameter The default setting is 16 multiplied by the number of ports specified If no ports are specified all ports on the switch are used 1 Connect to the switch and log in using an account assigned to the admin role 2 Enter the switchDisable command IMPORTANT The switchDisable...

Page 337: ...atively you can enter the switchShow command to view the WWN of an N_Port or Enter the portShow command to view the N_Port attributes The following example shows whether or not a port is configured for NPIV switch admin portcfgshow Ports of Slot 0 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Speed AN AN AN AN AN AN AN AN AN AN AN AN AN AN AN AN Trunk Port ON ON ON ON ON ON ON ON ON ON ON ON ON ON ON ON L...

Page 338: ...Type 10 0 portState 1Online portPhys 6In_Sync portScn 32F_Port port generation number 148 portId 630200 portIfId 43020005 portWwn 20 02 00 05 1e 35 37 40 portWwn of device s connected c0 50 76 ff fb 00 16 fc c0 50 76 ff fb 00 16 f8 output truncated c0 50 76 ff fb 00 16 80 50 05 07 64 01 a0 73 b8 Distance normal portSpeed N2Gbps Interrupts 0 Link_failure 16 Frjt 0 Unknown 0 Loss_of_sync 422 Fbsy 0 ...

Page 339: ...e 630240 c0 50 76 ff fb 00 16 fc 101 2048 c scr 3 fe 63023f c0 50 76 ff fb 00 16 f8 101 2048 c scr 3 fe 63023e c0 50 76 ff fb 00 17 ec 101 2048 c scr 3 output truncated ff 630202 c0 50 76 ff fb 00 17 70 192 2048 c d_id FFFFFC ff 630201 c0 50 76 ff fb 00 16 80 192 2048 c d_id FFFFFC ...

Page 340: ...338 Administering NPIV ...

Page 341: ... this chapter and described in detail in Chapter 18 Administering advanced performance monitoring on page 405 Traffic Isolation Routing The Traffic Isolation Routing feature allows you to control the flow of interswitch traffic by creating a dedicated path for traffic flowing from a specific set of source ports N_Ports For example you might use Traffic Isolation Routing for the following scenarios...

Page 342: ...nal considerations when disabling failover on page 341 for additional information about using this feature Table 75 compares the behavior of traffic when failover is enabled and disabled For example in Figure 42 if the dedicated ISL between Domain 1 and Domain 3 goes offline the following occurs depending on the failover option If failover is enabled for the TI zone the traffic is routed from Doma...

Page 343: ...3 if failover is disabled Domain 2 cannot send domain controller frames to Domain 3 and 4 Domain controller frames include zone updates and Name Server queries To avoid this problem add a second non dedicated ISL between Domain 1 and Domain 3 Figure 43 Fabric incorrectly configured for TI zone with failover disabled HP recommends that regular zone definitions match the TI zone definition Regular z...

Page 344: ...affic stops until the dedicated path is configured to be the shortest path Figure 45 Dedicated path is not the shortest path NOTE For information about setting or displaying the FSPF cost of a path see the linkCost and topologyShow commands in the Fabric OS Command Reference Traffic Isolation Routing over FC routers This section describes how TI zones work with Fibre Channel routing TI over FCR Se...

Page 345: ...ion Routing over FCR In addition to setting up TI zones you must also ensure that the devices are in an LSAN zone so that they can communicate with each other If failover is enabled and the TI path is not available an alternate path is used If failover is disabled and the TI path is not available devices are not imported NOTE For TI over FCR all switches in the backbone fabric and in the edge fabr...

Page 346: ...the traffic between the front and xlate domains can go through any path between these two domains The 1 does not identify any specific ISL To guarantee a specific ISL you need to set up a TI zone within the backbone fabric TI within a backbone fabric A TI zone within a backbone fabric is used to route traffic within the backbone fabric through a particular ISL For example in Figure 48 a TI zone is...

Page 347: ...FC routers A TI zone defined within the backbone fabric does not guarantee that edge fabric traffic will arrive at a particular EX_Port You must set up a TI zone in the edge fabric to guarantee this TI zones within the backbone fabric cannot contain more than one destination router port DRP per each fabric Only one egress VE_Port for each FC router can be defined within TI zones TI over FCR is sup...

Page 348: ...ders only the routing required for its local ports No consideration is given to the overall topology and or whether the TI zones accurately provide dedicated paths through the whole fabric For example in Figure 49 the TI zone was configured incorrectly and E_Port 3 9 was erroneously omitted from the zone The domain 3 switch assumes that traffic coming from E_Port 9 is not part of the TI zone and s...

Page 349: ...TI zones Trunking with TI zones Note the following if you implement trunking and TI zones To include a trunk group in a TI zone you must include all ports of the trunk in the TI zone Trunked ISL ports cannot be members of more than one TI zone Limitations and restrictions of Traffic Isolation Routing The following are limitations of TI zones For switches running Fabric OS 6 1 0 or later a maximum ...

Page 350: ...and ISLs in the Logical Fabric The TI zone in the base fabric reserves XISLs for a particular Logical Fabric The base fabric TI zone should also include ISLs that belong to Logical Switches participating in the Logical Fabric Figure 50 shows an initiator and target in a Logical Fabric FID1 The dotted line indicates a dedicated path between initiator and target The dedicated path passes through the...

Page 351: ... 1 3 even though the base switch with domain 1 does not have a port 3 in the switch This number refers to the port in the chassis with port index 3 which actually belongs to LS3 in FID 1 Traffic Isolation Routing over FC routers with Virtual Fabrics This section describes how you can set up TI zones over FC routers in Logical Fabrics Figure 53 shows two physical chassis configured into Logical Swi...

Page 352: ...ate of the zone to activated or deactivated By default the zone state is set to activated however this does not mean that the zone is activated After you create the TI zone you must enable the current effective configuration to enforce the new TI zone which is either activated or deactivated Virtual Fabric considerations Because base fabrics do not contain end devices they normally do not have an ...

Page 353: ...fective_configuration Examples of creating a TI zone The following examples create a TI zone named bluezone which contains E_Ports 1 1 and 2 4 and N_Ports 1 8 and 2 6 To create a TI zone with failover enabled and in the activated state default settings switch admin zone create t ti bluezone p 1 1 2 4 1 8 2 6 To create a TI zone with failover enabled the zone is set to the activated state by defaul...

Page 354: ... a TI zone in a base fabric on page 352 Remember that your changes are not enforced until you enter the cfgEnable command as shown here switch admin cfgenable USA_cfg You are about to enable a new zoning configuration This action will replace the old zoning configuration with the current configuration selected If the update includes changes to one or more traffic isolation zones the update may res...

Page 355: ...TI zone failover on page 340 for additional information about disabling failover mode 1 Connect to the switch and log in as admin 2 Enter the zone add command to add ports or change the failover option for an existing TI zone 3 Enter the zone remove command to remove ports from an existing TI zone zone add o optlist name p portlist zone add o optlist name p portlist zone remove name p portlist whe...

Page 356: ...e 1 Connect to the switch and log in as admin 2 Enter the zone activate command to activate a TI zone 3 Enter the zone deactivate command to deactivate a TI zone zone activate name zone deactivate name where 4 Enter the cfgEnable command to reactivate your current effective configuration and enforce the TI zones cfgenable current_effective_configuration Examples of setting the state of a TI zone T...

Page 357: ...rt members N_Port members configured status the latest status which may or may not have been activated by cfgEnable enabled status the status that has been activated by cfgEnable If you enter the cfgShow command to display information about all zones the TI zones appear in the defined zone configuration only and do not appear in the effective zone configuration 1 Connect to the switch and log in a...

Page 358: ...The following example shows how to set up TI zones over FCR to provide a dedicated path shown in Figure 55 In this example three TI zones are created one in each of the edge fabrics and one in the backbone fabric The combination of these three TI zones creates a dedicated path for traffic between Host 1 in edge fabric 1 and Targets 1 and 2 in edge fabric 2 Host 1 has port WWN 10 00 00 00 00 08 00 ...

Page 359: ... 60 69 80 1d bc 10 32 72 4 0 0 0 0 E1switch 6 fffc06 50 00 51 e3 95 48 9f a0 0 0 0 0 0 0 0 0 fcr_xd_6_9 The Fabric has 3 switches b Enter the following commands to create and display a TI zone E1switch admin zone create t ti TI_Zone1 p 4 8 4 5 1 1 6 1 E1switch admin zone show Defined TI zone configuration TI Zone Name TI_Zone1 Port List 4 8 4 5 1 1 6 1 Status Activated Failover Enabled c Enter the...

Page 360: ...ined TI zone configuration TI Zone Name TI_Zone1 Port List 9 2 9 3 9 6 1 1 4 1 Status Activated Failover Enabled c Enter the following commands to reactivate your current effective configuration and enforce the TI zones E2switch admin cfgactvshow Effective configuration cfg cfg_TI zone lsan_t_i_TI_Zone1 10 00 00 00 00 00 02 00 00 10 00 00 00 00 00 03 00 00 10 00 00 00 00 00 08 00 00 E2switch admin...

Page 361: ...calized disruption to traffic on ports associated with the traffic isolation zone changes Do you want to enable cfg_TI configuration yes y no n no y zone config cfg_TI is in effect Updating flash QoS Ingress Rate Limiting Ingress rate limiting is a licensed feature that requires the Adaptive Networking license Ingress rate limiting restricts the speed of traffic from a particular device to the swi...

Page 362: ... Logical Switch it would have no rate limit applied to it in the new Logical Switch If that same port is moved back to the original Logical Switch the original rate limit would take effect again Limiting traffic from a particular device 1 Connect to the switch and log in as admin 2 Enter the portCfgQos setratelimit command portcfgqos setratelimit slot port ratelimit where For example to set the ra...

Page 363: ...ID it is possible that the medium priority flows would have less bandwidth because they have to share the medium priority VCs whereas the low priority flow would have a separate VC IMPORTANT SID DID traffic prioritization is a licensed feature An Adaptive Networking license must be installed on every switch that is in the path between a given configured device pair QoS zones You assign high or low...

Page 364: ... S2 S3 The traffic prioritization is as follows Traffic between H1 and S1 is high priority Traffic between H1 and S3 and between H2 and S3 is low priority All other traffic is medium priority which is the default Figure 56 QoS traffic prioritization For this fabric you could set up the following QoS zones QOSH_Zone1Members H1 S1 QOSL_Zone3Members H1 H2 S3 QoS on E_Ports In addition to configuring ...

Page 365: ... traffic prioritization stops at that point For example in Figure 57 on page 363 if you disabled QoS on E_Ports 3 12 and 3 13 the traffic from H1 and H2 to S3 would be low priority from the hosts to Domain 3 but would switch to the default medium priority from Domain 3 to the target S3 Virtual Fabric considerations for traffic prioritization You can prioritize flows between devices in a Logical Fa...

Page 366: ...tor 32 Port 8Gb FC blade or HP StorageWorks SAN Director 48 Port 8Gb FC blade in the HP StorageWorks DC SAN Backbone Director or HP StorageWorks DC04 SAN Director Switch platform To preserve the priority level across ISLs the switches must be running Fabric OS 6 0 0 or later and must be one of the following platforms HP StorageWorks 8 8 and 8 24 SAN Switches HP StorageWorks SAN Switch 4 32 HP Stor...

Page 367: ...2 for information about redirection zones If QoS is enabled an additional 16 buffer credits are allocated per port for 8 Gb s ports in LE mode See Chapter 19 Administering extended fabrics on page 423 for information about buffer credit allocation in extended fabrics Trunking considerations If some ports in a trunk group have QoS enabled and some ports have QoS disabled two different trunks are fo...

Page 368: ...he portCfgQos command to enable QoS on a specific port the port is toggled to apply this configuration even though the port already has QoS enabled The port is toggled because the user configuration changed even though the actual configuration of the port did not change If you later use the portCfgQos command to enable QoS on the port again the port is not toggled because the configuration did not...

Page 369: ...orks 400 Multi Protocol Router HP StorageWorks 4 256 SAN Director using chassis configuration option 5 B Series Multi Protocol Router Blade For the HP StorageWorks DC SAN Backbone Director and HP StorageWorks DC04 SAN Director Switch EX_Ports on 8 Gb s port blades and EX_Ports on the B Series Multi Protocol Router Blade can exist in the same chassis but cannot be online at the same time however EX...

Page 370: ...ch reboot For the HP StorageWorks DC SAN Backbone Director and HP StorageWorks DC04 SAN Director Switch if you do not have an Integrated Routing license you cannot use EX_Ports on the 8 Gb s port blades you can however use EX_Ports on the B Series Multi Protocol Router Blade without a license NOTE You cannot use EX_Ports on the B Series Multi Protocol Router Blade and Integrated Routing in the sam...

Page 371: ...ntaining the access controls of zones An LSAN device can be a physical device meaning that it physically exists in the fabric or it can be a proxy device Figure 60 on page 370 shows a metaSAN with a backbone consisting of one FC router connecting hosts in edge fabrics 1 and 3 with storage in edge fabric 2 and the backbone fabric through the use of LSANs Three LSAN zones allow device sharing betwee...

Page 372: ... ID FID Every EX_Port and VEX_Port uses the fabric ID FID to identify the fabric at the opposite end of the interfabric link The FID for every edge fabric must be unique from the perspective of each backbone fabric If EX_Ports and VEX_Ports are attached to the same edge fabric they must be configured with the same FID If EX_Ports and VEX_Ports are attached to different edge fabrics they must be co...

Page 373: ...er achieves interfabric device connectivity by creating proxy devices hosts and targets in attached fabrics that represent real devices in other fabrics For example a host in Fabric 1 can communicate with a target in Fabric 2 as follows A proxy target in Fabric 1 represents the real target in Fabric 2 Likewise a proxy host in Fabric 2 represents the real host in Fabric 1 The host discovers and sen...

Page 374: ... only one xlate domain to the backbone fabric The backbone fabric device communicates with the proxy devices whenever it needs to contact the shared physical devices in the edge The FC FC Routing Service receives the frames from the backbone switches destined to the proxy devices and redirects the frames to the actual physical devices As with an edge fabric the translate phantom domain can never b...

Page 375: ...rt devices into the backbone fabric an xlate domain is created in the backbone device in addition to the one in the edge fabric Figure 63 shows a sample physical topology This figure shows four FC routers in a backbone fabric and four edge fabrics connected to the FC routers Figure 63 Sample topology physical topology Figure 64 on page 374 shows a phantom topology for the physical topology shown i...

Page 376: ...nnecting multiple IFLs to edge fabrics Use the fcrXlateConfig command to display or assign a preferred domain ID to a translate domain or in some scenarios to prevent the creation of an unnecessary xlate domain See the Fabric OS Command Reference for more details about this command Fibre Channel Network Address Translation Within an edge fabric or across a backbone fabric the standard Fibre Channe...

Page 377: ...page 267 for more details about configuration options for Brocade directors Verifying the setup for FC FC routing Before configuring a fabric to connect to another fabric you must perform the following verification checks on the FC router 1 Log in to the switch or director as admin and enter the version command to command and verify that Fabric OS 6 1 is installed on the FC router as shown in the ...

Page 378: ...ith a B Series Multi Protocol Router Blade enter the chassisConfig command to verify that the director is using configuration option 5 switch admin chassisconfig Current Option 5 All Supported Options Option 5 One 384 port switch Blade ID s 17 18 24 31 36 39 37 51 55 in slots 1 4 7 10 Blade ID 16 in slots 5 6 4 If you are configuring EX_Ports on the 8 Gb s port blades on the HP StorageWorks DC SAN...

Page 379: ... S shown in the preceding sample output indicates the policy is strict The fabric wide policy must be tolerant before you can connect fabrics to the FC router See Chapter 4 Configuring advanced security features on page 1 17 for information about configuring the fabric wide consistency policy Backbone FIDs If your configuration has only one backbone fabric this task is not required because the bac...

Page 380: ...itch admin switchenable FCIP tunnel configuration The optional Fibre Channel over IP FCIP Tunneling Service enables you to use tunnels to connect instances of Fibre Channel SANs over IP based networks to transport all Fibre Channel ISL and IFL traffic FCIP is a prerequisite for configuring VEX_Ports if you are using only FC_Ports there is no need to perform this step If using FCIP in your FC FC Ro...

Page 381: ...he backbone fabric is segmented hosts may lose connectivity to imported targets Repair the edge fabric and then use the portCfgEXPort command to disable all EX_Ports to the edge fabric and enable the EX_Ports again to restore connectivity The following example enables the EX_Port or VEX_Port and assigns a FID of 30 to port 7 switch admin portcfgexport 7 10 a 1 f 30 switch admin portcfgexport 7 10 ...

Page 382: ...in portcfgshow 7 10 Area Number 74 Speed Level AUTO Trunk Port OFF Long Distance OFF VC Link Init OFF Locked L_Port OFF Locked G_Port OFF Disabled E_Port OFF ISL R_RDY Mode OFF RSCN Suppressed OFF Persistent Disable OFF NPIV capability ON EX Port ON Mirror Port ON FC Fastwrite ON 6 After identifying such ports enter the portCfgPersistentEnable command to enable the port and then the portCfgShow co...

Page 383: ...itch admin_06 portshow 7 10 portName portHealth OFFLINE Authentication None EX_Port Mode Enabled Fabric ID 30 Front Phantom state Not OK Pref Dom ID 160 Fabric params R_A_TOV 0 E_D_TOV 0 PID fmt au to Authentication Type None Hash Algorithm N A DH Group N A Edge fabric s primary wwn N A Edge fabric s version stamp N A portDisableReason None portCFlags 0x1 portFlags 0x1 PRESENT U_PORT EX_PORT portT...

Page 384: ...crFabricShow command displays the static IPv6 addresses for each FC router and each edge fabric switch connected to the EX_Ports switch admin fcrfabricshow FCR WWN 10 00 00 05 1e 13 59 00 Dom ID 2 Info 10 32 156 52 1080 8 800 200C 1234 64 fcr_7500 EX_Port FID Neighbor Switch Info WWN enet IP name 7 10 10 00 00 05 1e 34 11 e5 10 32 156 33 7500 1080 8 8FF FE0C 417A 64 4 116 10 00 00 05 1e 37 00 44 1...

Page 385: ...ollowing considerations Router port sets are defined as follows 0 7 and FCIP Tunnel 16 23 8 15 and FCIP Tunnel 24 31 More than two router port sets can exist in an HP StorageWorks 4 256 SAN Director HP StorageWorks DC SAN Backbone Director or HP StorageWorks DC04 SAN Director Switch with two B Series Multi Protocol Router Blades The router port cost does not help distinguish one IFL or EX_ and VEX...

Page 386: ... 3 Enter the fcrRouterPortCost command to display the router port cost for each EX_Port switch admin fcrrouterportcost Port Cost 7 3 1000 7 4 1000 7 9 1000 7 10 1000 7 13 1000 10 0 1000 You can also use the fcrRouteShow command to display the router port cost 4 Enter the fcrRouterPortCost command with a port and slot number to display the router port cost for a single EX_Port switch admin fcrroute...

Page 387: ... software feature and requires that you have a trunking license installed on the FC router and on the edge fabric connected to the other side of the trunked EX_Ports EX_Port trunking is supported only with B Series edge fabrics You can use EX_Port frame trunking in the following configurations and cases For ports with speeds of 2 Gb s up to a maximum speed of 8 Gb s and trunking over long distance...

Page 388: ...th devices are online FCR triggers a device import To support legacy applications WWNs are reported based on the administrative domain context As a result you must not use the network address authority NAA field in the WWN to detect an FC Router LSAN zone enforcement in the local fabric occurs only if the administration domain member list contains both of the devices local and imported device spec...

Page 389: ... that a default configuration is enabled when you use the cfgShow or cfgActvShow commands For more information about default zoning see Chapter 9 Administering advanced zoning on page 233 Controlling device communication with the LSAN sample procedure The following example procedure illustrates how LSANs control which devices can communicate with each other The example procedure shows the creation...

Page 390: ...0 05 07 61 00 49 20 b4 50 05 07 61 00 09 20 b4 na FC4s FCP IBM DNEF 309170 F90F Fabric Port Name 20 08 00 05 1e 34 11 e5 Permanent Port Name 50 05 07 61 00 49 20 b4 The Local Name Server has 2 entries 8 Enter the zoneCreate command to create the LSAN lsan_zone_fabric2 which includes the host 10 00 00 00 c9 2b 6a 2c Target A and Target B switch admin zonecreate lsan_zone_fabric2 10 00 00 00 c9 2b c...

Page 391: ...e_fabric2 does not allow it When a PLOGI PDISC or ADISC arrives at the FC router the SID and DID of the frame are checked If they are LSAN zoned at both SID and DID edge fabrics the frame is forwarded to the DID If they are not zoned only the PLOGI is dropped for the remaining frames zoning enforcement takes place in the edge fabrics Setting the maximum LSAN count You can set the maximum number of...

Page 392: ...LSANs will be synchronized as usual after the limit is increased and new LSANs are created LSAN zone policies using LSAN tagging You can create tags for LSAN zones to give them a special meaning LSAN zones are zones with names that start with the lsan_ prefix You can specify a tag to append to this prefix that causes the LSAN zone to be treated differently You can specify two types of tags Enforce...

Page 393: ... FC router and then configure the LSANs in the target edge fabrics with the tag For example in Figure 65 on page 392 assume that the host H1 needs fast access to target devices D1 and D2 You could set up the Speed tag as follows 1 In FC router 1 and FC router 2 configure the Speed tag as super 2 In edge fabric 2 configure two LSANs lsan_f2_f1 H1 D1 lsan_f2_f3 H1 D2 The LSAN in the host fabric does...

Page 394: ...uire that the FC router be disabled however after configuring the Speed tag you must toggle the host or target port to trigger the fast import process The tag is from 1 to 8 alphanumeric characters You can configure only one Speed tag on an FC router and up to 8 Enforce tags on an FC router The maximum number of tags Enforce and Speed on an FC router is 8 Up to 500 Speed LSANs are supported Config...

Page 395: ... with this tag in the name now behave as regular LSAN zones You must disable the switch before removing an Enforce LSAN tag You do not need to disable the switch to remove a Speed LSAN tag 1 Log in to the FC router as admin 2 Enter one of the following commands depending on which type of LSAN tag you want to remove To remove an Enforce LSAN tag switchdisable fcrlsan remove enf tagname switchenable...

Page 396: ...ne FC router In addition due to the lower LSAN count the CPU consumption by the FC router is lower If you configure the metaSAN such that the backbone fabric has two groups of FC routers and there is no LSAN zone sharing or device access between the two groups the number of FC routers and devices supported in the backbone fabric can be higher Figure 66 shows a sample metaSAN with four FC routers i...

Page 397: ... the other FC routers unless those FC routers are running Fabric OS versions earlier than 6 1 0 If a new FC router joins the backbone fabric the matrix database is automatically distributed to that FC router For FC routers running a Fabric OS version earlier than 6 1 0 The matrix database is not automatically distributed from this FC router to other FC routers You must manually configure the LSAN ...

Page 398: ...lsan 4 5 fcrlsanmatrix add lsan 5 6 Fabrics that are not specified are part of the default binding and can access other edge fabrics that are not specified So Fabrics 7 8 and 9 can access each other but cannot access Fabrics 1 through 6 CAUTION The command fcrLsanMatrix add lsan 0 0 erases the entire LSAN fabric matrix settings in the cache The FC router matrix and the LSAN fabric matrix are used ...

Page 399: ...b2 2 10 00 00 60 69 c3 12 b3 unknown 3 Enter the following command to view the LSAN fabric matrix FCR Admin fcrlsanmatrix fabricview lsan Example FCR Admin fcrlsanmatrix fabricview lsan LSAN MATRIX is activated Fabric ID 1 Fabric ID 2 4 5 4 7 10 19 Default LSAN Matrix 1 2 8 Proxy PID configuration When an FC router is first configured the PIDs for the proxy devices are automatically assigned Proxy...

Page 400: ... must match those values on other Fabric OS switches Only if you have adjusted these parameters for the edge fabric do you need to adjust them for an EX_Port or VEX_Port The default values for R_A_TOV and E_D_TOV are the recommended values for all but very large fabrics ones requiring four or more hops or high latency fabrics such as ones using long distance FCIP links Inter fabric broadcast frame...

Page 401: ...stconfig disable f fabricID where fabricID is the FID of the edge or backbone fabric on which you want to disable broadcast frame forwarding Resource monitoring It is possible to exhaust resources such as proxy PIDs Whenever a resource is exhausted Fabric OS generates an error message The messages are described in the Fabric OS Message Reference You can monitor FC router resources using the fcrRes...

Page 402: ... The information shows the maximum pool size for translate phantom node and port WWNs and shows the number of translate node and port WWNs from this pool Phantom Node WWN Phantom Port WWNs Max proxy devices Max NR_Port The following example shows the use of the fcrResourceShow command to display physical port EX_Port resources switch admin fcrresourceshow Daemon Limits Max AllowedCurrently Used LS...

Page 403: ...e that there are no Logical Switches with XISL use enabled in that edge fabric If any Logical Switch in the edge fabric allows XISL use the EX_Port or VEX_Port is disabled See Configuring a Logical Switch for XISL use on page 187 for instructions on disallowing XISL use Since XISL use is disallowed dedicated links must be configured to route traffic across fabrics as shown in Figure 14 on page 177...

Page 404: ... FC router In Figure 68 no devices can be connected to the backbone fabric Fabric 8 because base switches cannot have F_Ports Figure 70 shows an FC router in legacy mode connected to a base switch This FC router can have devices connected to it and so you can have backbone to edge routing through this FC router In this figure Host A in the backbone fabric can communicate with device B in the edge ...

Page 405: ...de All ports are persistently disabled If you replace an 8 Gb s port blade with another 8 Gb s port blade the EX_Port configuration remains the same Interoperability with legacy FCR switches A legacy FCR switch is a switch running Fabric OS 5 1 x or earlier or XPath OS The following interoperability considerations apply when administering legacy FCR switches in the same backbone fabric as switches...

Page 406: ... The front domain domain 3 has two links representing two EX_Port connections with output ports 129 and 132 Domain 3 Link State Database Entry pointer 0x100bbcc0 linkCnt 4 flags 0x0 LinkId 199 out port 129 rem port 2 cost 10000 costCnt 0 type 1 LinkId 199 out port 132 rem port 3 cost 10000 costCnt 0 type 1 LinkId 2 out port 1 rem port 2 cost 10000 costCnt 0 type 1 LinkId 1 out port 32 rem port 2 c...

Page 407: ...Fabric OS 6 2 administrator guide 405 ...

Page 408: ...406 Using the FC FC routing service ...

Page 409: ...If you enter commands for any Advanced Performance Monitors on VE_Ports or EX_Ports you will receive error messages Virtual Fabrics considerations Each Logical Switch can have its own set of performance monitors The installation of monitors is restricted to the ports that are present in the respective Logical Switch The type of monitors supported depends on the ASIC Table 78 shows the monitors sup...

Page 410: ...StorageWorks 400 Multi Protocol Router End to end performance monitoring End to end performance monitoring counts the number of words in Fibre Channel frames for a specified Source ID SID and Destination ID DID pair An end to end performance monitor includes these counts RX_COUNT words in frames received at the port TX_COUNT words in frames transmitted from the port To enable end to end performanc...

Page 411: ...iderations If Virtual Fabrics is enabled the following switches allow up to 337 end to end monitors on one Logical Switch HP StorageWorks DC SAN Backbone Director HP StorageWorks DC04 SAN Director Switch HP StorageWorks 8 40 SAN Switch The HP StorageWorks 4 48 SAN Director Blade allows end to end monitors on all 48 ports For the HP StorageWorks B Series iSCSI Director Blade end to end monitors are...

Page 412: ...g the traffic from Dev B to Host A Add Monitor 1 to slot 2 port 14 on Switch y specifying 0x1 1 1eef as the SID and 0x051200 as the DID as shown in the following example switch admin perfaddeemonitor 2 14 0x111eef 0x051200 End to End monitor number 1 added Monitor 1 counts the frames that have an SID of 0x1 1 1eef and a DID of 0x051200 For monitor 1 RX_COUNT is the number of words from Dev B to Ho...

Page 413: ... area ID and the AL_PA cannot be masked separately for any ports on HP StorageWorks SAN Director 48 Port 4Gb FC blades 1 Connect to the switch and log in as admin 2 Enter the perfSetPortEEMask command perfsetporteemask slotnumber portnumber TxSIDMsk TxDIDMsk RxSIDMsk RxDIDMsk where The perfSetPortEEMask command sets the mask for all end to end monitors of a port If any end to end monitors are prog...

Page 414: ...0000 0x0000000000000000 10 106 7 179 3 0x001212 0x003434 WEB_TOOLS 0x0000000000000000 0x0000000000000000 10 106 7 179 switch admin perfdeleemonitor 0 2 End to End monitor number 2 deleted switch admin Filter based performance monitoring Filter based performance monitoring counts the number of times a frame with a particular pattern is transmitted by a port Filter based monitoring is achieved by co...

Page 415: ...Virtual Fabrics considerations Filter based monitors are not supported on logical ISLs LISLs but are supported on ISLs and extended ISLs XISLs You can monitor filter based performance using the perfMonitorShow command as described in Displaying monitor counters on page 418 You can clear filter based counters using the perfMonitorClear command as described in Clearing monitor counters on page 420 A...

Page 416: ...2 7 0xff 0xd4 the operation would be successful because offset 4 is a canned monitor and has a resource already reserved for it Offsets 6 and 7 would exhaust all unique filter monitor resources on port 30 Therefore any additional filter monitors created on port 30 would have to be canned filter monitors The number of different offsets per port depends on the switch platform as follows HP StorageWo...

Page 417: ...05 or 0x08 Domain 2 is selected by monitoring offset 9 mask 0xff and matching a value of 0x02 The monitor counter is incremented for all outgoing frames from port 2 where byte 9 is 0x02 and byte 12 is 0x05 or 0x08 The second monitor 6 is for SOFi3 on slot 1 port 2 Deleting filter based monitors 1 Connect to the switch and log in as admin 2 Enter the perfDelFilterMonitor command to delete a specifi...

Page 418: ...tch 4 32 HP StorageWorks 4 64 SAN Switch HP StorageWorks SAN Switch 4 32B HP StorageWorks 8 40 SAN Switch HP StorageWorks 8 80 SAN Switch HP StorageWorks 400 Multi Protocol Router and HP StorageWorks 4 256 SAN Director Top Talker can be installed only on switches that run Fabric OS 6 0 0 or later Top Talker monitors are not supported on the HP StorageWorks 4 8 and 4 16 SAN Switches Applications ca...

Page 419: ... To monitor the outgoing traffic on slot 2 port 4 on the HP StorageWorks 4 256 SAN Director HP StorageWorks DC SAN Backbone Director or HP StorageWorks DC04 SAN Director Switch perfttmon add egress 2 4 See the Fabric OS Command Reference for details about the perfTTmon command Deleting a Top Talker monitor on an F_Port 1 Connect to the switch and log in as admin 2 Enter the perfTTmon delete comman...

Page 420: ...exist in the fabric 3 Enter the perfTTmon add fabricmode command perfttmon add fabricmode The system responds Before enabling fabric mode please remove all EE monitors in the fabric continue yes y no n 4 Enter y to continue Top Talker monitors are added to E_Ports in the fabric and fabric mode is enabled Any Top Talker monitors that were already installed on F_Ports are automatically uninstalled I...

Page 421: ...you do not specify the number of flows to display the command displays the top eight flows or the total number of flows whichever is less The command can display a maximum of 32 flows For example to display the top 5 flows on for domain 1 in WWN default format perfttmon show dom 1 5 To display the top flows on domain 2 in PID format perfttmon show dom 2 pid The following is a sample command and ou...

Page 422: ...itch HP StorageWorks SAN Switch 4 32B HP StorageWorks 8 40 SAN Switch HP StorageWorks 8 80 SAN Switch HP StorageWorks 400 Multi Protocol Router HP StorageWorks 4 256 SAN Director HP StorageWorks DC SAN Backbone Director HP StorageWorks DC04 SAN Director Switch Displaying monitor counters You can display the monitors on a specified port For end to end counters you can display either the cumulative ...

Page 423: ...000000000000000 N A 0 0x21300 0x21dda TELNET 0x00000004d0ba9915 0x0000000067229e65 N A 1 0x21300 0x21ddc TELNET 0x00000004d0baa754 0x0000000067229e65 N A 2 0x21300 0x21de0 TELNET 0x00000004d0bab3a5 0x0000000067229e87 N A 3 0x21300 0x21de1 TELNET 0x00000004d0bac1e4 0x0000000067229e87 N A 4 0x21300 0x21de2 TELNET 0x00000004d0bad086 0x0000000067229e87 N A 5 0x11000 0x21fd6 WEB_TOOLS 0x00000004d0bade5...

Page 424: ...r counters 1 Connect to the switch and log in as admin 2 Enter the perfmonitorshow command to display the monitor numbers on a specific port perfmonitorshow class monitor_class slotnumber portnumber where 3 Enter the perfmonitorclear command perfmonitorclear class monitor_class slotnumber portnumber monitorId where The following example clears statistics counters for an end to end monitor switch a...

Page 425: ...number of monitors per port or switch exceeds the limit you will receive an error message indicating the count has been exceeded and that some monitors have been discarded 1 Connect to the switch and log in as admin 2 Enter one of the following commands depending on the action you want to perform To save the current end to end and filter monitor configuration settings into nonvolatile memory use t...

Page 426: ...llection Data collected through Advanced Performance Monitoring is deleted when the switch is rebooted Using the Data Center Fabric Manager DCFM Enterprise Edition you can store performance data persistently For details on this feature see the DCFM Enterprise User Manual ...

Page 427: ...ections Distance levels define how these buffer credits are allocated and managed for extended ISLs Buffer credits are managed from a common pool available to a group of ports on a switch The buffer credit can be changed for specific applications or operating environments but it must be in agreement among all switches to allow formation of the fabric Information about switch characteristics and ca...

Page 428: ...e port speed The baseline for the calculation is one credit per km at 2 Gb s This yields the following values for 10 km 5 credits per port at 1 Gb s 10 credits per port at 2 Gb s 20 credits per port at 4 Gb s 40 credits per port at 8 Gb s Dynamic Mode LD LD calculates buffer credits based on the distance measured during port initialization An upper limit is placed on the calculation by providing a...

Page 429: ...ries iSCSI Director Blade HP StorageWorks B Series Multi Protocol Router Blade HP StorageWorks 4 256 SAN Director 16 Port 4Gb Blade HP StorageWorks 4 256 SAN Director 32 Port 4Gb Blade HP StorageWorks 4 256 SAN Director 48 Port 4Gb Blade NOTE The following switches do not have this limitation HP StorageWorks 8 8 and 8 24 SAN Switches HP StorageWorks 8 40 SAN Switch HP StorageWorks 8 80 SAN Switch ...

Page 430: ...g number of buffer credits for the port group after each port reserves its eight buffer credits is 676 24 8 484 unreserved buffer credits Where 24 the number of user ports in a port group retrieved from Table 82 on page 427 8 the number of reserved credits for each user port 676 the number of buffer credits available in the port group If you allocate the entire 484 8 8 for the reserved buffers alr...

Page 431: ...tep 2 lists the supported distances You can use these numbers to calculate the maximum remaining number of buffer credits after each port is reserved as described in the example on page 426 Table 82 Buffer Credits Switch blade model Total FC ports per switch blade User port group size Unreserved buffers per port group HP StorageWorks 4 8 and 4 16 SAN Switches 16 16 144 HP StorageWorks 8 8 and 8 24...

Page 432: ... 48 24 560 HP StorageWorks SAN Director 16 Port 8Gb FC Blade 16 16 1292 1338 HP StorageWorks SAN Director 32 Port 8Gb FC Blade 32 16 1292 1338 HP StorageWorks SAN Director 48 Port 8Gb FC Blade 48 24 1228 1324 B Series Multi Protocol Router Blade 16 441 8 8 Table 83 Supported Distances Maximum supported distances with 2112 Byte Frame Size 1 port allocated all unreserved buffer credits in km Switch ...

Page 433: ... HP StorageWorks 8 8 and 8 24 SAN Switches HP StorageWorks 8 40 SAN Switch HP StorageWorks 8 80 SAN Switch HP StorageWorks SAN Director 16 Port 8Gb FC blade HP StorageWorks SAN Director 32 Port 8Gb FC blade HP StorageWorks SAN Director 48 Port 8Gb FC blade If a long distance E_Port from one of these supported switches blades is connected to any other switch or blade type the buffer credit recovery...

Page 434: ...d enabling Configuring F_Port buffer credits The default configured F_Port buffer credit is fixed at eight buffers You can use the portCfgFPortBuffers command to configure a given port with the specified number of buffers To configure a F Port to use the specified number of buffers 1 Connect to the switch and log in as admin 2 Enter the portCfgFPortBuffers command using the following syntax portcf...

Page 435: ... ISL R_RDY mode this parameter must be set to 1 otherwise it must be reset to 0 1 Connect to the switch and log in using an account assigned to the admin role 2 Enter the portCfgLongDistance command to configure a switch port 63 to support a 100 km link and be initialized using the long distance link initialization protocol switch admin portcfglongdistance 4 15 LS 1 100 switch admin portshow 4 15 ...

Page 436: ...o can be configured to be part of a trunk group Two or more long distance links in a port group form a trunk group when they are configured for the same speed the same distance level and their link distances are nearly equal For information on trunking concepts and configurations see Chapter 20 Administering ISL trunking on page 435 Use only qualified HP B Series SFPs These are the only SFPs suppo...

Page 437: ...based on the actual link distance measured during E_Port initialization versus the user desired distance LS 6 Specify LS mode to configure a long distance link with a buffer allocation based on a fixed desired distance value vc_translation_link_init Enables the long distance link initialization sequence This extended link initialization sequence is an enhanced link reset protocol and avoids excess...

Page 438: ...434 Administering extended fabrics ...

Page 439: ...e for entire switches or for individual ports Trunks distribute traffic dynamically and in order at the frame level thus achieving greater performance with fewer inter switch links Trunks are compatible with both short wavelength SWL and long wavelength LWL fiber optic cables and transceivers Figure 74 illustrates how trunking can result in more throughput by distributing data over four ISLs with ...

Page 440: ...just like regular E_Ports EX_Port frame based trunking has a master trunk link If the master link goes down the entire trunk re forms and is taken offline for a short period of time The EX_Port restrictions are the same as E_Ports An E_Port or EX_Port trunk can be up to eight ports wide All the ports must be adjacent to each other using the clearly marked groups on the front of the product The swi...

Page 441: ...being used for ISLs so that they recognize that trunking is enabled This procedure needs to be performed only once To reinitialize the ports you can either disable and then re enable the switch or disable and then re enable the affected ports 1 Connect to the switch and log in using an account assigned to the admin role 2 Enter the switchDisable command 3 Enter the switchEnable command Disabling a...

Page 442: ...cal switch 2 is affected whenever traffic for logical switch 1 on ports 1 0 to 1 5 is rebalanced This effect on logical switch 2 is based on the configuration on logical switch 2 If logical switch 2 has IOD ON iodSet only IOD is enforced If logical switch 2 has lossless DLS ON traffic will be paused and resumed If logical switch 2 has no IOD iodReset traffic will be paused and resumed Although thi...

Page 443: ...played in 8 or 16 columns one column per port plus one column that displays the total for these ports Results display every second or over the specified interval until Enter Ctrl C or Ctrl D is pressed See the Fabric OS Command Reference for additional information Displaying port throughput performance information for all ports on the switch 1 Connect to the switch and log in using an account assi...

Page 444: ...e 361 Enabling or disabling ISL Trunking on a port 1 Connect to the switch and log in using an account assigned to the admin role 2 Enter the portCfgTrunkPort command The format is portcfgtrunkport slotnumber portnumber mode The following example enables trunking on slot 1 port 3 switch admin portcfgtrunkport 1 3 1 done switch admin Enabling or disabling ISL Trunking for all ports on a switch 1 Co...

Page 445: ... 8 and 8 24 SAN Switches HP StorageWorks 8 40 SAN Switch and HP StorageWorks 8 80 SAN Switch support long distance modes L0 LE LS and LD The distance supported on each platform depends on the available buffers number of back end ports and number of offline ports The distance supported on the HP StorageWorks DC04 SAN Director Switch depends on the available buffers number of back end ports and the ...

Page 446: ...rocade 4Gb SAN Switch for HP c Class BladeSystem HP StorageWorks SAN Switch 4 32 HP StorageWorks 4 64 SAN Switch HP StorageWorks SAN Switch 4 32B HP StorageWorks 400 Multi Protocol Router and HP StorageWorks 4 256 SAN Director only 8 Eight Gb s mode Fixes the port at a speed of eight Gb s HP StorageWorks 8 80 SAN Switch HP StorageWorks 8 40 SAN Switch HP StorageWorks 8 8 and 8 24 SAN Switches and ...

Page 447: ...4 10 83 deskew 16 Master 15 15 10 00 00 60 69 04 10 83 deskew 15 Trunking over extended fabrics In addition to the criteria listed in Standard trunking criteria on page 436 observe the following criteria for trunking over extended fabrics It is supported on switches running Fabric OS 4 4 0 and later Extended Fabrics and ISL Trunking licenses are required on all participating switches When configur...

Page 448: ... mapped to an N_Port on a switch in Access Gateway mode With F_Port trunking any link within a trunk can go offline or become disabled but the trunk remains fully functional and there are no reconfiguration requirements F_Port trunking prevents reassignments of the Port ID also referred to as the Address Identifier as described in Table 89 on page 449 when F_Ports go offline and it increases F_Por...

Page 449: ...6 Switch in Access Gateway mode with F_Port masterless trunking NOTE You do not need to manually map the host to the master port because Access Gateway will perform a cold failover to the master port To implement F_Port masterless trunking you must first configure an F_Port trunk group and statically assign an Area_ID within the trunk group Assigning a Trunk Area TA to a port or trunk group enable...

Page 450: ...ing a Trunk Area from a trunk group You cannot assign a Trunk Area to ports if the standby CP is running a firmware version earlier than Fabric OS 6 2 0 PWWN The entire Trunk Area trunk group share the same Port WWN within the trunk group The PWWN is the same across the F_Port trunk that will have 0x2f or 0x25 as the first byte of the PWWN The TA is part of the PWWN in the format listed in Table 8...

Page 451: ...ea enabled on ports 16 31 and the blade is swapped with an HP StorageWorks SAN Director 48 Port 8Gb FC blade the Trunk Area ports will be persistently disabled You can run the portTrunkArea command to assign a Trunk Area on those ports Access Gateway mode Does not support F_Port trunking It supports only N_Port trunking in AG mode Trunking You must first enable Trunking on the port before the port...

Page 452: ...through DCC policy check D I Zoning D I AD D I DCC and PWWN I DCC Creating a Trunk Area may remove the Index I from the switch to be grouped to the Trunk Area All ports in a Trunk Area share the same I This means that domain index D I which see an I that might have been removed will no longer be part of the switch Note Be sure to include AD zoning and DCC when creating a Trunk Area You can remove ...

Page 453: ...on all ports to be included in a Trunk Area before you can create a Trunk Area Use the portCfgTrunkPort or switchCfgTrunk command to enable trunking on a port or on all ports of a switch Enter the portTrunkArea command to assign a static TA on a port or port trunk group to remove a TA from a port or group of ports in a trunk and to display masterless F_Port trunking information For more informatio...

Page 454: ... Port Type State Master TI DI 10 13 F port Master 10 13 125 125 10 14 F port Slave 10 13 125 126 Enabling F_Port trunking The following example shows how to enable F_Port trunking on a stand alone switch using ports 36 39 1 Disable ports 36 39 by entering the portDisable port command for each port to be included in the TA 2 Enable Trunk Area for ports 36 39 with area number 37 switch admin porttru...

Page 455: ... 4 N8 No_Module 5 5 N8 No_Module 6 6 N8 No_Module 7 7 N8 No_Module 8 8 id N4 Online F Port 10 00 00 00 00 01 00 00 9 9 N8 No_Module 10 10 N8 No_Module 11 11 N8 No_Module 12 12 N8 No_Module 13 13 N8 No_Module 14 14 N8 No_Module 15 15 N8 No_Module 16 16 N8 No_Module 17 17 N8 No_Module 18 18 N8 No_Module 19 19 N8 No_Module 20 20 N8 No_Module 21 21 N8 No_Module 22 22 N8 No_Module 23 23 N8 No_Module 24...

Page 456: ...vices to the DCC policy against the TA 2 Enter the secPolicyActivate command to activate the DCC policy You must enable the TA before issuing the secPolicyActivate command in order for security to enforce the DCC policy on the trunk ports 3 Turn on the trunk ports Trunk ports should be turned on after issuing the secPolicyActivate command to prevent the ports from becoming disabled in the case whe...

Page 457: ...abric edge switch Following are the advantages of N_Port trunking When one or more N_Ports in a trunk group goes offline there is no change in the PID for the F_Ports that were mapped to the N_Ports as long as at least one N_Port in the trunk group is active This provides for a transparent path failover and failback within the trunk group N_Port links are efficient because of the trunking algorith...

Page 458: ...authentication by configuring the device authentication policies on a per Logical Switch basis The device for example an HBA must have the capability to perform authentication with the switch In Fabric OS 6 2 0 when the device authentication policy is set to ON or PASSIVE the switch authentication type cannot be set to FCAP Also if the switch authentication type is set to FCAP the device authentic...

Page 459: ...d to the admin role switch admin fosconfig enable vf WARNING This is a disruptive operation that requires a reboot to take effect All EX ports will be disabled upon reboot Would you like to continue Y N 2 Specify the E_Ports to authenticate for example 2 3 and 4 switch admin authutil authinit 2 3 4 ...

Page 460: ...456 Administering ISL trunking ...

Page 461: ... FCIP tunnels which are represented as 8 virtual ports on ge0 and 8 virtual ports on ge1 The mapping of tunnels on ge0 and ge1 to virtual port numbers is represented in Table 90 Virtual Port Types Virtual ports may be defined as VE_Ports or VEX_Ports VE_Ports virtual E_Ports are used to create interswitch links ISLs through an FCIP tunnel If VE_Ports are used on both ends of an FCIP tunnel the fab...

Page 462: ...do not allocate more bandwidth than the WAN can support or your FCIP tunnel may not be stable FCIP services license Most of the FCIP extension services described in this chapter require the B Series High Performance Extension over FCIP FC license Use the licenseShow command to verify that the license is present on the hardware used on both ends of the FCIP tunnel For details on obtaining and insta...

Page 463: ...ions may be configured with different DSCP values Before configuring DSCP settings determine if the IP network you are using implements PHB and consult with the network administrator to determine the appropriate DSCP values L2CoS quality of service Devices in physical LANs are constrained by LAN boundaries They are usually in close proximity to each other and share the same broadcast and multicast...

Page 464: ...5 001 1 1 1 3 01 1 Medium QoS 4 19 01001 1 3 01 1 Medium QoS 5 23 0101 1 1 3 01 1 Medium QoS 6 27 01 101 1 0 000 Class 3 Multicast 7 31 01 1 1 1 1 0 000 Broadcast Multicast 8 35 10001 1 0 000 Low Qos 9 39 1001 1 1 0 000 Low Qos 10 43 10101 1 4 100 High QoS 1 1 47 101 1 1 1 4 100 High QoS 12 51 1 1001 1 4 100 High QoS 13 55 1 101 1 1 4 100 High QoS 14 59 1 1 101 1 4 100 High QoS 15 63 1 1 1 1 1 1 0...

Page 465: ...ithms Diffie Hellman key exchange and SA lifetimes 4 Data is transferred between IPsec peers based on the IPsec parameters and keys stored in the SA database 5 IPsec tunnel termination SA lifetimes terminate through deletion or by timing out All of these steps require that the correct policies have been created Because policy creation is an independent procedure from FCIP tunnel creation you must ...

Page 466: ...listed inTable 94 can be modified Creating an IKE and IPsec policy For a complete description of the policy command see the Fabric OS Command Reference 1 Connect to the switch and log in using an account assigned to the admin role 2 Enter the policy command to create IKE and IPsec policies policy create type number enc encryption_method auth authentication_algorithm pfs off on dh DH_group seclife ...

Page 467: ...ult secs The security association lifetime in seconds 28800 is the default The following example shows how to create IKE policy number 10 using 3DES encryption MD5 authentication and Diffie Hellman Group 1 switch admin policy create ike 10 enc 3des auth md5 dh 1 The following policy has been set IKE Policy 10 Authentication Algorithm MD5 Encryption 3DES Perfect Forward Secrecy on Diffie Hellman Gr...

Page 468: ... 28800 Operation Succeeded Deleting an IKE and IPsec policy Policies cannot be modified You must delete and then re create a policy with the new parameters 1 Connect to the switch and log in using an account assigned to the admin role 2 Enter the following command policy delete type number where type is the policy type and number is the number assigned For example to delete the IPsec policy number...

Page 469: ...bric OS the port types supported by FCIP are either VE_ or VEX_Port When a GigE port is moved to a Logical Switch all eight VE_ and VEX_Ports are automatically moved There is no interaction required to assign or move them The following constraints on VE_ and VEX_Ports apply All VEX_Ports will be persistently disabled when Virtual Fabric mode is enabled You need to create a Logical Switch with the ...

Page 470: ...that disables the local Ethernet ports ge0 and ge1 making it impossible to configure FCIP Fastwrite and Tape Pipelining and FC Fastwrite on the same HP StorageWorks 400 Multi Protocol Router or FC4 18i blade See FC Fastwrite concepts on page 469 for information about FC Fastwrite FC Fastwrite flows may be routed to another HP StorageWorks 400 Multi Protocol Router or FC4 18i blade on the FC networ...

Page 471: ...elining Does not affect FICON traffic Does not affect FICON traffic FCIP Fastwrite and FC Fastwrite are mutually exclusive Tape pipelining uses FCIP Fastwrite not FC Fastwrite Does not support multiple equal cost path configurations see FCIP Fastwrite and Tape Pipelining configurations Does not support multiple equal cost path configurations or multiple non equal cost path configurations see FCIP ...

Page 472: ...multiple ports Fastwrite and Tape Pipelining enabled on a per tunnel per port basis Unsupported configurations for Fastwrite and Tape Pipelining The configurations shown in Figure 81 are not supported with Fastwrite and Tape Pipelining These configurations use multiple equal cost paths ...

Page 473: ...s with Fastwrite and Tape Pipelining FC Fastwrite concepts FC Fastwrite operates in Fibre Channel network topologies similar to the basic topology shown in Figure 82 FC Fastwrite provides accelerated speeds for SCSI Write operations over long distance Fibre VE VE or VEX VEX ...

Page 474: ... Fastwrite does not work in FICON environments FC Fastwrite flows may be routed to another HP StorageWorks 400 Multi Protocol Router or FC4 18i blade on the FC network The HP StorageWorks 400 Multi Protocol Router or FC4 18i blade may have active FCIP tunnels over an IP network FC Fastwrite flows may be passed through the FCIP tunnel but only if the FCIP Fastwrite option is disabled on the tunnel ...

Page 475: ... FC Fastwrite FC Fastwrite is implemented in a hardware configuration consisting of two HP StorageWorks 400 Multi Protocol Router or two HP StorageWorks 4 256 SAN Director or two HP StorageWorks DC SAN Backbone Director or HP StorageWorks DC04 SAN Director Switch enterprise class platforms with B Series Multi Protocol Router Blades connected by Fibre Channel ISLs Consider the following hardware ch...

Page 476: ...e HP StorageWorks 400 Multi Protocol Router the router is rebooted The process takes up to five minutes Example Enabling Fastwrite on a switch switch admin fastwritecfg enable slot where slot is the slot number in which the B Series Multi Protocol Router Blade is installed A slot number is not required for the HP StorageWorks 400 Multi Protocol Router switch admin fastwritecfg enable 7 WARNING Ena...

Page 477: ...alid_word 0 Rx_flushed 0 Invalid_crc 0 Tx_unavail 0 Delim_err 0 Free_buffer 0 Address_err 0 Overrun 0 Lr_in 2 Suspended 0 Lr_out 0 Parity_err 0 Ols_in 0 2_parity_err 0 Ols_out 2 CMI_bus_err 0 Port part of other ADs N Disabling FC Fastwrite on a blade or switch Disable FC Fastwrite using the fastWriteCfg command Disabling FC Fastwrite with this command disrupts data traffic For the B Series Multi P...

Page 478: ...l 0 you need to configure virtual port 16 and define an IP interface and one or more IP routes over ge0 3 Persistently disable the virtual ports before you configure them Ports on a new HP StorageWorks 400 Multi Protocol Router or B Series Multi Protocol Router Blade are persistently disabled by default On an HP StorageWorks 400 Multi Protocol Router or FC4 18i blade that has already been installe...

Page 479: ...member that a VEX_Port must be paired with a VE_Port VEX_Ports cannot communicate with other VEX_Ports 1 Connect to the switch and log in using an account assigned to the admin role 2 Enter the portCfgVEXPort command to configure a port to a VEX_Port The command syntax is as follows portCfgVEXPort slot portnumber ge0 ge1 a 1 2 f fabricid r ratov e edtov d domainid p 0 1 2 t 1 2 where slot The numb...

Page 480: ...is the normal value in an Ethernet network Some networks support jumbo packets packets larger than 1500 B If the network you are using supports jumbo packets a value of 2348 can improve performance By default the virtual ports will automatically become VE_Ports 2 Define IP routes on a GbE port After defining the IP interface of the remote switch you can define destination routes on an interface Yo...

Page 481: ...erification also ensures that data packets can be sent to the remote interface You can test a connection only if both ports have IP interfaces set The command syntax is as follows portCmd ping slot ge0 ge1 s source_ip d dest_ip c L2 class of service n num requests q type of service t ttl v vlan tag w wait time z size where slot The number of a slot in an HP StorageWorks 4 256 SAN Director and HP S...

Page 482: ...ions be aware that uncommitted rate tunnels use a minimum of 1000 Kbps up to a maximum of available uncommitted bandwidth on the GbE port The total bandwidth available on a GbE port is 1 Gb s You can configure tunnels as bidirectional entities with different commit rates in both directions NOTE You cannot create FCIP tunnels that connect to an HP StorageWorks Multi Protocol Router 1 Connect to the...

Page 483: ... using implements PHB and consult with the network administrator to determine the appropriate DSCP values Q data_dscp The DSCP marking for the FCIP tunnel s TCP data connection The range of valid values is 0 through 63 The default is 0 Before configuring DSCP settings determine if the IP network you are using implements PHB and consult with the network administrator to determine the appropriate DS...

Page 484: ...command The command syntax is as follows portShow fciptunnel slot ge0 ge1 all tunnel_id where all Displays all FCIP tunnels tunnel_id Displays the specified FCIP tunnel The following example shows an active tunnel FCIP Fastwrite and Tape Pipelining enabled If TCP Byte Streaming were enabled FCIP Fastwrite and Tape Pipelining would be disabled SP3 admin portshow fciptunnel ge1 1 Port ge1 Tunnel ID ...

Page 485: ...ression on Fastwrite on Tape Pipelining on Committed Rate 1000000 Kbps 1 000000 Gbps SACK on Min Retransmit Time 100 Keepalive Timeout 90 Max Retransmissions 9 VC QoS Mapping on DSCP Marking Control 45 DSCP Marking Data 30 VLAN Tagging Not Configured TCP Byte Streaming off Status Inactive Connected Count 0 IKE Policy 1 IPSec Policy 1 Pre Shared Key qbcdefghijklmnopqrstuvwxyz123456 After FCIP tunne...

Page 486: ...0d 30 0d 13 00 13 35 3 3 id N4 Online F Port 50 03 0d 30 0d 13 00 15 36 3 4 id N2 Online F Port 21 00 00 e0 8b 08 bd 20 output truncated 210 8 18 Online VE Port 50 00 51 e3 51 55 3f 1e fcr_xd_3_16 downstream 211 8 19 Online VE Port 50 00 51 e3 70 42 5f 76 fcr_xd_5_17 downstream output truncated 223 8 31 Offline 8 ge0 id 1G Online 8 ge1 id 1G Online Enabling persistently disabled ports Before an FC...

Page 487: ...N ON ON ON ON ON ON ON EX Port Mirror Port Ports of Slot 8 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 Speed AN AN AN AN AN AN AN AN AN AN AN AN AN AN AN AN Trunk Port ON ON ON ON ON ON ON ON ON ON ON ON ON ON ON ON Long Distance VC Link Init Locked L_Port Locked G_Port Disabled E_Port ISL R_RDY Mode RSCN Suppressed Persistent Disable ON ON ON ON ON ON ON ON ON ON ON ON NPIV capability ON ON O...

Page 488: ...bled you must also enable Fastwrite k timeout The keep alive timeout on the existing FCIP tunnel The range of valid values is 8 through 7200 seconds If Tape Pipelining is enabled the default and minimum value is 80 seconds m time The minimum retransmit time for the existing FCIP tunnel The range of valid values is 20 through 5000 milliseconds r retransmissions The maximum number of retransmissions...

Page 489: ... default values use the default option 1 Connect to the switch and log in using an account assigned to the admin role 2 Enter the portCfg fcipTunnel command to modify QoS settings on a virtual port You must specify at least one characteristic to modify The command syntax is as follows portCfg fciptunnel Slot ge0 ge1 qosmap tunnel_id default delete vc_num Q dscp P L2cos where tunnel_id The tunnel_i...

Page 490: ...a specific network you must create a destination address entry for the network For example if a destination address of 192 168 100 0 is specified all frames destined for the 192 168 100 0 network are tagged with the associated VLAN ID assuming a network mask of 255 255 255 0 If an entry contains a destination address of 0 0 0 0 all frames are tagged with the associated VLAN ID If frames are alread...

Page 491: ...nel online ipPerf sessions use different TCP ports than FCIP tunnels so you can simultaneously run an ipPerf session between a pair of ports while an FCIP tunnel is online You can for example revalidate the service provider Service Level Agreement SLA without bringing the FCIP tunnel down but the general recommendation is to run ipPerf only when there are no active tunnels on the IP network Data t...

Page 492: ...tax for invoking the receiver test endpoint using ipPerf for slot8 port ge0 on a B Series Multi Protocol Router Blade is as follows portcmd ipperf 8 ge0 s 192 168 255 10 d 192 168 255 100 R 2 Configure the sender test endpoint using a similar CP CLI The syntax for invoking the sender test endpoint using ipPerf for slot8 port ge0 on a B Series Multi Protocol Router Blade is as follows portcmd ipper...

Page 493: ...play interval Delay ms The TCP smoothed round trip time RTT and variance estimate in milliseconds PMTU The path MTU This is the largest IP layer datagram that can be transmitted over the end to end path without fragmentation This value is measured in bytes and includes the IP header and payload Note There is limited support for black hole PMTU detection If the Jumbo PMTU anything over 1500 does no...

Page 494: ...figuring DSCP settings determine if the IP network you are using implements PHB and consult with the network administrator to determine the appropriate DSCP values v vlan_id The VLAN ID Values must be in the range of 1 4094 There is no default value Note that a VLAN tag entry must exist on the local and remote sides prior to issuing the v option A VLAN Tag table entry will be dynamically maintaine...

Page 495: ...N Director and an HP StorageWorks DC SAN Backbone Director or HP StorageWorks DC04 SAN Director Switch enterprise class platforms that contains an FR4 18i blade This parameter does not apply to the stand alone HP StorageWorks 400 Multi Protocol Router ge0 ge1 The Ethernet port used by the tunnel ge0 or ge1 s source_ip The source IP interface that originates the traceroute request d destination_ipT...

Page 496: ...ssions 8 Status Active Connected Count 1 Uptime 1 hour 45 minutes 3 seconds QoS shaper performance stats 14808626616 Bytes 39615391 Bps 30s avg 35008573 Bps lifetime avg 2013762456 compressed Bytes 33208083 Bps 30s avg 4760667 Bps lifetime avg 7 35 compression ratio FC control traffic TCP connection Local 192 175 4 100 4139 Remote 192 175 4 200 3225 Performance stats 849 output packets 0 pkt s 30s...

Page 497: ... slow start threshold 18HP StorageWorks 400 Multi Protocol Router0 Bytes operational mode slow start 2 packets queued TCP sequence MIN 2950582519 MAX 2950582655 NXT 2950582655 2 packets in flight Send Unacknowledged TCP sequence 2950582519 recovery retransmit timeout 500 ms duplicate ACKs 0 retransmits 0 max retransmits 8 loss recovery fast retransmits 0 retransmit timeouts 0 Receiver stats advert...

Page 498: ...494 Configuring and monitoring FCIP extension services 556200 Bps 30s avg 491394 Bps lifetime avg ...

Page 499: ...es switch binding security methods that prevent unauthorized devices from joining a fabric The following Brocade management tools provide further support Data Center Fabric Manager Data Center Fabric Manager is an optional software program that can be used to manage a fabric that supports FICON and FCP devices and traffic This is the recommended GUI management tool for FICON environments on B seri...

Page 500: ...m CUP operations to and from the M6140 and the Mi10K EOS based chassis and vice versa The following port blades can exist in a FICON environment however FICON device connection to ports on these blades is not supported HP StorageWorks B Series iSCSI Director Blade HP StorageWorks SAN Director 48 Port 4Gb FC blade HP StorageWorks SAN Director 48 Port 8Gb FC blade The HP StorageWorks SAN Director 48...

Page 501: ... ports are disabled when you enable fmsmode The HP StorageWorks SAN Director 48 Port 4Gb FC blade and HP StorageWorks SAN Director 48 Port 8Gb FC blades must not be inserted in slot 10 of the chassis in a FICON configuration Other blades are supported in slot 10 but the HP StorageWorks SAN Director 48 Port 8Gb FC blade and HP StorageWorks SAN Director 48 Port 4Gb FC blade are not Port 255 is reser...

Page 502: ...ress bind Use this command to bind the 16 bit address to the lower two bytes of a port 24 bit Fibre Channel address portAddress unbind Use this command to unbind the currently bound address for the specified port portSwap Swaps ports portSwapDisable Disables the portSwap command portSwapEnable Enables the portSwap command portSwapShow Displays information about swapped ports Commands specific to F...

Page 503: ...he same two switches Specifically adding the new ISL might result in dropped frames as routes are adjusted to take advantage of the bandwidth provided By disabling DLS you ensure that there will be no dropped frames Configure ports that are connected to 1 Gb s channels for fixed 1 Gb s speed Otherwise when using fixed 1 Gb s channels both G5 and FICON Express the FICON host might generate erroneou...

Page 504: ...r each switch a Enable the IDID flag b Set the domain ID 3 Enable the switches this builds the fabric 4 Set the SCC policy as described in Chapter 4 Configuring advanced security features on page 1 17 5 Configure the Switch Connection Control policies on all switches to limit connectivity only to the switches in the selected fabric using the secPolicyCreate command switch admin secPolicyCreate SCC...

Page 505: ...que domain ID For instructions on displaying and changing the domain ID see Chapter 1 Performing basic configuration tasks on page 29 3 Enter the switchDisable command to disable the switch 4 Enter the configure command 5 Enter y after the Fabric Parameters prompt 6 To enable IDID mode enter y after the Insistent Domain ID Mode prompt You can disable this mode by entering n 7 Respond to the remain...

Page 506: ...s Link incidents The registered link incident record RLIR ELS contains the link incident information sent to a listener N_Port To display link incidents connect to the switch log in as user and enter one of the following commands For the local switch ficonShow rlir For all switches defined in the fabric ficonShow rlir fabric Registered listeners To display registered listeners for link incidents c...

Page 507: ...w command to display information about swapped ports in a switch You can use the portSwap command to disable the portswap feature You cannot use the portSwap command after this feature is disabled The enabled state of the portswap feature is persistent across reboots and power cycles Enabling and disabling the portswap feature does not affect previously executed portswap operations See the Fabric ...

Page 508: ...er completing the setup configure CUP attributes FMS parameters For more information see Setting the MIHPTO value on page 505 and Setting the mode register bits on page 507 FICON Management Server mode The fmsmode setting can be changed whether the switch is offline or online If fmsmode is changed while the switch is online a device reset is performed for the control device and an RSCN is generate...

Page 509: ...nstall a CUP license on a switch that already has fmsmode enabled you must disable fmsmode first and re enable it after the license is installed so the host systems receive the notification that CUP is enabled Setting up FICON CUP if fmsmode is already enabled 1 Verify that FICON Management Server mode is enabled by entering the ficonCupShow fmsmode command NOTE If fmsmode is already enabled disab...

Page 510: ...bitname is one of the mode register bits described in Table 98 To display all mode register bit settings for the switch switch admin ficoncupshow modereg POSC UAM ASM DCAM ACP HCP 1 0 1 0 1 0 Table 98 FICON CUP mode register bits POSC Programmed offline state control When this bit is set on the host is prevented from taking the switch offline The default setting is 1 on UAM User alert mode When th...

Page 511: ...ter bit HCP has been set to 0 The following example sets the mode register bit ACP to on switch admin ficoncupset modereg ACP 1 Mode register bit ACP has been set to 1 Persistently enabling and disabling ports When fmsmode is enabled you cannot use the portCfgPersistentEnable and portCfgPersistentDisable commands to persistently enable and disable ports Instead use the following procedure 1 Enter ...

Page 512: ... If there are any differences in restrictions set up with Advanced Zoning and PDCM the most restrictive rules are automatically applied All FICON devices should be configured in a single zone using the Domain Area notation PDCM can then be used to Allow or Prohibit access between specific port pairs PDCM persists across a failover because it is replicated at all times to the standby CP blade The a...

Page 513: ...will not be overwritten Downloading configuration files with Active Saved mode disabled See Chapter 5 Maintaining the switch configuration file on page 163 for more information on the configDownload command The contents of existing files saved on the switch which are also present in the FICON_CUP section are overwritten The files in the FICON section of the configuration file which are not current...

Page 514: ... the FICON director s range The switch ID has to be assigned by the user and must be unique within the scope of the definitions IOCP and HCD The domain ID is assigned by the manufacturer and can be customized to a different value It must be unique within the fabric HP recommends that the switch ID in IOCP or HCD be set to the same value as the domain ID of the FICON director which is defined to th...

Page 515: ...pecified in hex values in the IOCP and not in decimal values the Domain IDs in the example are for demonstration purposes only Brocade Domain_ID 61 in hex CNTLUNIT CUNUMBR 0D8 UNITADD 00 UNIT 2032 PATH 50 51 LINK 61FE 61FE IODEVICE ADDRESS 0D8 1 CUNUMBR 0D8 UNIT 2032 STADET Y UNITADD 00 CNTLUNIT CUNUMBR 0D9 UNITADD 00 UNIT 2032 PATH 8A 8B LINK 22FE 22FE IODEVICE ADDRESS 0D9 1 CUNUMBR 0D9 UNIT 2032...

Page 516: ...512 FICON fabrics ...

Page 517: ...ON emulation is configured See Administering ISL trunking on page 435 for information about configuring FCIP interfaces and tunnels Configuration requirements for switches and directors There are three configuration issues to consider when a SAN router is connected to a switch in a FICON configuration Ensure enough buffer credits are configured to support extending the FICON channel over distance ...

Page 518: ...low through paths between end points connected through M series and Fabric OS products Traffic isolation uses a special zone called a traffic isolation TI zone to create dedicated paths for specific traffic You can create a TI zone from either the command line as described in Installing and maintaining firmware on page 213 or from Web Tools Allow Prohibit for M series directors The Allow Prohibit ...

Page 519: ...host sends the status accept frame indicating that the data was delivered the read processing on the device side credits the pipeline and requests more data from the tape If exception status is received from the device the reading of data and emulation is terminated The FICON Tape Emulation License is required to enable FICON Tape Read Pipelining FICON emulation configuration Before you configure ...

Page 520: ...ied in milliseconds ms If a pipelined write chain takes longer than this value to complete the ending status for the next write chain will be withheld from the channel This limits processing to what the network and device can support Too small a value limits pipelining performance Too large a value results in too much data being accepted for one device on a path The default value is 300 millisecon...

Page 521: ...0000 0x0000 0x00000000 5 000 000 00 00 0000 0000000 0x0000 0x00000000 6 000 000 00 00 0000 0000000 0x0000 0x00000000 7 000 000 00 00 0000 0000000 0x0000 0x00000000 FICON emulation modification Following is the syntax for the portcfg ficon modify command portCfg ficon slot ge0 ge1 tunnel_Id modify x 1 0 w 1 0 r 1 0 t 1 0 l 1 0 b 1 0 wrtMaxPipe value rdMaxPipe value wrtMaxDevs value rdMaxDevs value ...

Page 522: ... of concurrent emulated tape read operations The default value is 16 The range is 1 32 wrtTimer value defines a time limit for pipelined write chains This value is be specified in milliseconds ms If a pipelined write chain takes longer than this value to complete the ending status for the next write chain will be withheld from the channel This limits processing to what the network and device can s...

Page 523: ...resented in different output formats The following elements are common to both tape emulation and XRC emulation outputs FDCB ptr is a pointer to the FICON Device Control Block Support personnel may use this pointer Path is the device path in the format VE HD HP DD DP LP CU DV where VE is the internal VE_Port number HD is the hex value for the Host Domain the entry domain for this host port into th...

Page 524: ...2760 0x10027B00 2463016407050001 H 0x14 0x20 0011 0000 8915 0 0 85966 32760 0x1002C400 2463016407050002 H 0x14 0x20 0007 0000 10365 0 0 99742 32760 0x1002B000 2463016407050003 H 0x14 0x20 0008 0000 9993 0 0 96088 32760 0x1003F000 2463046401050100 H 0x00 N A 0000 0000 19392 0 0 183111 32760 0x1003E400 2463046401050101 H 0x00 N A 0000 0000 19342 0 0 183111 32760 0x10041800 2463046401050102 H 0x00 N ...

Page 525: ...000 000F 0000 1112 3855 148 41613 27182 0x104B5800 24B100B20E1109F9 H 0x00 0000 000F 0000 1493 4365 153 36604 20090 0x104B6000 24B100B20E1109FD H 0x00 0000 000F 0000 1422 3983 144 40358 24305 0x103B7C00 24B102B20F11092B H 0x00 0000 000F 0000 0F52 46658 212 25910 16283 0x104B4400 24B102B20F1109F7 H 0x00 0000 000F 0000 0C42 4159 147 39379 23225 0x104B4800 24B102B20F1109F8 H 0x00 0000 000F 0000 1112 ...

Page 526: ...522 Configuring and monitoring FICON Extension Services ...

Page 527: ...ing reason and only after you have evaluated the impact of doing so Fixed addressing mode This is the default addressing mode used in all the platforms except for the HP StorageWorks DC SAN Backbone Director and HP StorageWorks DC04 SAN Director Switch that do not have Virtual Fabrics enabled In this mode each port has a fixed address assigned by the system based on the port number and does not ch...

Page 528: ...ative PID format HP recommends that you change the format to Core PID before you add the new higher port count switches and directors HP also recommends that you use Core PID format when upgrading the Fabric OS version on StorageWorks SAN Switch 8 and 16 StorageWorks SAN Switch 8 EL and 16 EL HP StorageWorks SAN Switch 2 8 EL 2 16 EL and 2 16 and HP StorageWorks MSA SAN Switch 2 8 Depending on you...

Page 529: ...0 to determine this do not download old pre PID format change configuration files to any switch on the fabric After changing the fabric PID format and verifying correct fabric operation resave configuration data by running the configUpload command Before downgrading firmware change the PID back to supported PIDs such as Core PID If the database is automatically converted save the converted databas...

Page 530: ...t device software hardware and configuration data The following is a non comprehensive list of information to collect HBA driver versions Fabric OS versions RAID array microcode versions SCSI bridge code versions Table 101 PID format recommendations for adding new switches Existing Fabric OS versions PID format Switch to be added Recommendations in order of preference 3 1 2 and later Core PID 3 1 ...

Page 531: ...or HP UX It is the HBA drivers shipping with these operating systems that bind by PID Both operating systems are expected to release HBA drivers that bind by WWN and these drivers might already be available through some support channels Work with the appropriate support provider to find out about driver availability It is also important to understand how multipathing software reacts when one of th...

Page 532: ... over between fabrics seamlessly If there is doubt use the software s administrative tools to manually disassociate or mark offline all storage devices on the first fabric to be updated 3 Verify that I O continues over the other fabric 4 Disable all switches in the fabric to be updated one switch at a time and verify that I O continues over the other fabric after each switch disable 5 Change the P...

Page 533: ...rid update It is possible to combine the online and offline methods for fabrics where only a few devices bind by PID Because any hybrid procedure is extremely customized it is necessary to work closely with the SAN service provider in these cases Changing to core PID format In Fabric OS release 4 2 0 and later Native PID format is not supported the default format is the Core PID format In Fabric O...

Page 534: ...PID format for example the HP StorageWorks 4 256 SAN Director with configuration option 5 and would like to map the output of the port number to the area ID use the following formula for ports 0 127 a p 16 128 where a is the area p is the port number is the modulus or remainder When the port number is greater than or equal to 128 the area ID and port number are the same PID format changes There ar...

Page 535: ... change on these switches 2 Telnet into one of the switches in the fabric 3 Enter the switchDisable command to disable the switch 4 Enter the configure command the configure prompts display sequentially 5 Enter y after the Fabric parameters prompt 6 Enter 1 at the Core Switch PID Format prompt 7 Respond to the remaining prompts or press Ctrl d to accept the remaining settings without responding to...

Page 536: ...xport the volume group using vgexport The proper usage would be vgexport m mapfile path_to_volume_group For example vgexport m tmp jbod_map dev jbod 7 Connect to each switch in the fabric 8 Enter the switchDisable command 9 Enter the configure command and change the Core Switch PID Format to 1 10 Enter the command cfgEnable effective_zone_configuration For example cfgEnable my_zones 1 1 Enter the ...

Page 537: ...ocedure is not intended to be comprehensive It provides a starting point from which a SAN administrator can develop a site specific procedure for a device that binds automatically by PID and cannot be rebooted due to uptime requirements 1 Back up all data Verify backups 2 Perform the appropriate actions based on whether you using or not using multipathing software If you are not using multipathing...

Page 538: ...r platforms only You can swap only ports 0 through 15 on the HP StorageWorks SAN Director 48 Port 4Gb FC blade and HP StorageWorks SAN Director 48 Port 8Gb FC blade You cannot swap ports 16 through 47 1 Connect to the switch and log in as admin 2 Enable the port swap feature portswapenable 3 HP StorageWorks 4 8 and 4 16 SAN Switches HP StorageWorks 8 8 and 8 24 SAN Switches HP StorageWorks SAN Swi...

Page 539: ...Fabric OS 6 2 administrator guide 535 6 Disable the port swap feature portswapdisable Table 102 Physical port numbers and logical area IDs for swapped ports Slot Slotport Swport Area 2 2 18 19 2 3 19 18 ...

Page 540: ...536 Configuring the PID format ...

Page 541: ...instances use a different password for the same account login level For example the password for admin for switch 0 can be different from password for admin for switch 1 No Yes for Core Switch 2 64 n a for all other switches Yes for Core Switch 2 64 n a for all other switches Does the root account use restricted shell No No No When connecting to a factory installed switch do you use the default pa...

Page 542: ...tial changes of all four passwords are allowed No Partial changes of all four passwords are allowed When does the password prompt appear When users connect as root factory or admin the accounts with default password will be prompted for change The accounts with non default password will not be prompted When users connect as root factory or admin the accounts with default password will be prompted ...

Page 543: ...counts multi user accounts and passwords When downgrading to an earlier firmware at subsequent times which passwords will be used Downgrades to 4 4 0 preserve all existing default accounts multi user accounts and passwords Multi user accounts with the switchAdmin role have the same permissions as the user role Downgrades to 5 0 1 preserve all existing default accounts multi user accounts and passw...

Page 544: ...540 Understanding legacy password behavior ...

Page 545: ...e SANs For information on HP supported interop configurations refer to the HP StorageWorks Fabric interoperability merging fabrics based on M Series and B Series Fibre Channel switches on the following HP website http h18000 www1 hp com products storageworks san documentation html ...

Page 546: ...542 Mixed fabric configurations for non merge SANs ...

Page 547: ...ied configuration whether it is non redundant redundant or in a dual backbone configuration Non redundant configuration Figure 87 shows an example of a simple non redundant configuration Figure 87 Non redundant router configuration A 400 MP Router can be inserted into an existing metaSAN so that the old and new configuration form one redundant configuration Before implementing this design configur...

Page 548: ...ge 545 should also be preconfigured on the new routers and match with the routers being replaced The backbone fabric ID of the new FC router should be the same as that of the replaced router The same procedure can be repeated for FC router 1 NOTE During the swap traffic flowing through the ISL is affected Figure 89 shows an example of a simple redundant configuration Figure 89 Redundant router con...

Page 549: ...On Fabric OS 5 2 x and earlier use the fcrenable command b On Fabric OS 5 3 0 and later use the fosconfig enable fcr command 3 Set respective fabric IDs while configuring each of the EX_Ports using the portcfgexport f command 4 Verify that the operating mode is native while configuring the EX_Port using the portcfgexport m command 5 Set the backbone Fabric ID by issuing the fcrconfigure command 6 ...

Page 550: ...546 Migrating from an MP Router to a 400 MP Router ...

Page 551: ...ented to allow communication to the CP through the GE port processors and then out the GE ports Therefore it is necessary to implement numerous IP routes throughout the network to allow the communication to take place NOTE IPsec is not supported over Inband Management interfaces Once the switch is set up with the appropriate IP addresses and routes the IP driver will compare the destination addres...

Page 552: ...as follows portCfg inbandmgmt ge_port option arguments where ipaddrset cp ge ip_address netmask Configures the IP address and netmask for a CP or a GbE inband management interface This command requires specifying the type of interface cp or ge an IPv4 address and the subnet mask For each management interface configure two IP addresses one for the CP and one for the GbE port ipaddrdel cp ge ip_addr...

Page 553: ...and to delete a route to the Management Station switch admin portcfg inbandmgmt ge0 routedel 192 168 3 0 255 255 255 0 Specifying the portCfg inbandmgmt command with the routeadd or routedel options adds and deletes route entries to the CP and the GE port processor routing tables IP addresses must be configured for both devices prior to configuring any routes When configuring the routes for the CP...

Page 554: ...you use host specific routes for the HP StorageWorks 400 Multi Protocol Router management destination routes This ensures that the HP StorageWorks 400 Multi Protocol Router is not acting as a full IP router between the various subnets To ensure proper connectivity routes must be added to each hop along the desired path Displaying IP routes 1 Connect to the switch and log in as admin 2 Enter the po...

Page 555: ...gram shown in Figure 92 the configuration would be set up as listed below Figure 92 Management station on same subnet 1 Configure the management interfaces on the 7500 L1 a Configure the internal addresses for the inbd devices for CP and GE port GE port 0 for this example switch admin portcfg inbandmgmt ge0 ipaddrset cp 192 168 255 1 255 255 255 0 switch admin portcfg inbandmgmt ge0 ipaddrset ge 1...

Page 556: ... station a host specific route can be used but are not necessary Figure 93 Management station on a different subnet 1 Configure the management addresses for the 7500 L1 a Configure the internal addresses for the inbd devices for CP and GE port GE port 0 for this example switch admin portcfg inbandmgmt ge0 ipaddrset cp 192 168 255 1 255 255 255 0 switch admin portcfg inbandmgmt ge0 ipaddrset ge 192...

Page 557: ... 10 1 2 20 gw 192 168 2 20 b Configure the route going to the Management Station linux route add net 192 168 3 0 24 gw 172 0 1 3 5 Configure the routes on Router C a Configure the route going to the 7500 L1 management address linux route add host 10 1 1 10 gw 172 0 1 1 b Configure route to 7500 R1 Management address linux route add host 10 1 2 20 gw 172 0 1 2 6 Configure the Management Station a C...

Page 558: ...554 Inband Management ...

Page 559: ...state change notification and alias service Distributed management Management tools such as Advanced Web Tools Fabric OS and SNMP are available from both the local switch and the remote switch Switch management is routed through the Fibre Channel connection thus no additional network connection is required between sites Support for interswitch links ISLs Sites requiring redundant configurations ca...

Page 560: ...rameters without changing their values until you reach the parameter you want to modify 6 Specify a new parameter value that is compatible with your gateway device 7 Press Enter to scroll through the remainder of the configuration parameters Make sure that the configuration changes are committed to the switch 8 Repeat for all switches in the fabrics to be connected through a gateway device These p...

Page 561: ...tches 186 RADIUS configuration 96 standard filter based monitors 411 switches to a zone 260 zone members 247 address resolution protocol adding additional entries 312 automatic creation 311 creating entries 311 ADList 87 Admin Domains about 191 access levels 193 activating 203 AD0 194 AD255 195 adding members 204 ADList 87 assigning users to 201 capable switch 191 configupload download 212 configu...

Page 562: ...root configuring 111 security 100 SSH 100 SSL 100 108 switch 108 changing an account password 75 FID of logical switch 187 logical switch to base switch 187 RADIUS configuration 97 RADIUS servers 97 CHAP iSCSI authentication 318 required 321 clearing performance monitor counters 420 clearing zone configurations 258 command line interface 29 configuration file backing up 165 chassis section 164 con...

Page 563: ... 203 TI zones 354 default IP Policy Rules 138 logical switch 173 zone mode 200 250 defined AD configuration 199 zone configuration 236 deleting accounts 72 Admin Domains 205 206 alias 245 end to end monitors 410 filter based monitors 413 logical switches 186 RADIUS configuration 97 TI zones 354 zone configurations 256 zones 248 designing fabric for trunking 436 devices no access 324 proxy 371 zoni...

Page 564: ...uring 99 117 supported protocols 99 100 Fabric Wide Consistency Policy 377 fabric designing for trunking 436 Fastwrite 466 514 FC device adding to iSCSI virtual target 316 FC Fastwrite 469 FC router 125 FC routing concepts 368 supported platforms 367 FC routing types 372 FC targets 312 315 for iSCSI zone creation 325 listing 316 LUNs 312 FC4 16IP 325 FC FC Routing 125 FC FC Routing and Virtual Fab...

Page 565: ...25 high availability synchronization 215 obtaining firmware 217 protocol FTP and SCP 213 test and restore on enterprise class platforms 228 test and restore on switches 227 testing different firmware versions 228 USB device 224 validating 231 verify progress 214 firmware upgrade with Admin Domains 199 frame transfer with brocade remote switch 555 FreeRADIUS 88 G gateway 555 gateway remote switch 5...

Page 566: ...gateway 329 Gateway Service 301 gateway service in iSCSI FC zone 324 gigabit Ethernet enabling 310 initiators 312 329 IQNs 302 IQNs changing prefix 304 IQNs default prefix 303 IQNs prefix 303 LUN mapping to iSCSI VTs 302 LUN mapping advanced 303 LUN mapping basic 302 network 329 physical interface enabling 310 port enabling 310 shared secret setting 307 supported initiators 306 translation 301 vir...

Page 567: ...211 LUN 326 mapping 315 LUN mapping 302 LUNs adding 316 configuration 316 deleting 318 display map 318 mapped via IQNs 312 mapping 317 virtual target creation 312 LWL ISL Trunking support for 435 M MAC address port 312 making basic connections 55 managing accounts 74 zoning configurations in a fabric 258 mask for end to end monitors setting 409 matching fabric parameters 375 members policy 118 pol...

Page 568: ... full fabric access 49 policies routing 283 policy account lockout 77 adding members 127 changes saving 126 creating 125 creating SCC 125 members adding 127 members identifying 118 password expiration 76 password strength 75 SCC 125 port 55 activating 49 activating POD 50 enabling 55 GbE 307 GbE enabling 310 licenses 49 LUN mapping 317 numbering 308 primary FCS 293 private key 109 PROM password 78...

Page 569: ...sessions maximum allowed 70 setting changing passwords 32 default zone mode 200 mask for end to end monitors 409 PROM password 79 80 security level 102 switch date and time 37 the IP address 35 time zone 39 time zones 38 traffic prioritization 365 setting chassis configurations 275 setting port speeds 440 SID DID traffic prioritization 361 SNMP 101 accessControl configuration 104 ACL 101 agent 101...

Page 570: ...ins 194 filter based monitors 412 users assigning to Admin Domains 201 authenticating 67 using security certificates 108 V validating Admin Domain members 206 VE_Ports 457 verification check 375 verify device connectivity 56 high availability HA 57 VEX_Port 457 viewing alias 246 zones 248 Virtual Fabric date settings 37 E_Port authentication 454 Virtual Fabrics and FC FC Routing 401 and ingress ra...

Page 571: ...C 325 database configurations viewing 257 database size 251 default zone mode 200 250 defined zone configuration 236 deleting 248 deleting a configuration 256 disabled zone configuration 237 disabling a configuration 255 effective zone configuration 236 enabling a configuration 255 enforcement 237 hard zoning 237 hardware enforced zoning 237 host based 234 LUN masking 234 merging 251 name server b...

Page 572: ...568 ...

Page 573: ...7 Hardware enforced nonoverlapping zones 239 28 Hardware enforced overlapping zones 239 29 Zoning with hardware assist mixed port and WWN zones 239 30 Session based hard zoning 240 31 Broadcast zones and Admin Domains 242 32 iSCSI gateway network 301 33 iSCSI gateway service basic implementation 301 34 iSCSI to FC translation 302 35 iSCSI VT basic LUN mapping 302 36 iSCSI VT advanced LUN mapping 3...

Page 574: ...roups 435 75 Switch in Access Gateway mode without F_Port trunking 445 76 Switch in Access Gateway mode with F_Port masterless trunking 445 77 Trunk group configuration for the HP StorageWorks 8 40 SAN Switch 449 78 Network using FCIP 458 79 Single tunnel Fastwrite and Tape Pipelining enabled 467 80 Multiple tunnels to multiple ports Fastwrite and Tape Pipelining enabled on a per tunnel per port b...

Page 575: ...s 137 32 Implicit IP Filter rules 137 33 Default IP policy rules 138 34 Interaction between fabric wide consistency policy and distribution settings 140 35 Supported policy databases 141 36 ACL policy database distribution behavior 142 37 Fabric wide consistency policy settings 143 38 Merging fabrics with matching fabric wide consistency policies 145 39 Examples of strict fabric merges 145 40 Fabr...

Page 576: ...rageWorks switch models 405 79 Number of Logical Switches that support performance monitors 406 80 Predefined values at offset 0 413 81 Fibre Channel data frames 424 82 Buffer Credits 427 83 Supported Distances 428 84 long distance mode definitions 441 85 Trunking support for HP StorageWorks SAN Switch 4 32 and HP StorageWorks 4 64 SAN Switch Condor ASIC 444 86 Trunking over distance for the HP St...

Reviews:

No comments

Related manuals for A7533A - Brocade 4Gb SAN Switch Base

Panasonic KX-PS10 Manual preview
KX-PS10
Brand: Panasonic Pages: 30
Zenisu Keisoku ZS-6225 Series User Manual preview
ZS-6225 Series
Brand: Zenisu Keisoku Pages: 22
Uponor ProPEX Installation Manual preview
ProPEX
Brand: Uponor Pages: 8
Ralink 300N User Manual preview
300N
Brand: Ralink Pages: 85
Allied Telesis AT-2812FX Installation And User Manual preview
AT-2812FX
Brand: Allied Telesis Pages: 82
Flexport BT-260-V2 Utility Manual preview
BT-260-V2
Brand: Flexport Pages: 17
ATI Technologies Component Video Adapter Installation And Setup User'S Manual preview
Component Video Adapter
Brand: ATI Technologies Pages: 16
Jabra LINK 280 - Software Manual preview
LINK 280 -
Brand: Jabra Pages: 3
Hainbuch mandoteX Operating Instructions Manual preview
mandoteX
Brand: Hainbuch Pages: 64
Inteltronic WL-BUI112-10I Spec Sheet preview
WL-BUI112-10I
Brand: Inteltronic Pages: 1
3idee hp-pav Assembly Instructions Manual preview
hp-pav
Brand: 3idee Pages: 6
StarTech.com USB2DVIPRO Instruction Manual preview
USB2DVIPRO
Brand: StarTech.com Pages: 17
Intel 2200BG User Manual preview
2200BG
Brand: Intel Pages: 84
SMC Networks EZ Connect g SMCWUSBT-G2 User Manual preview
EZ Connect g SMCWUSBT-G2
Brand: SMC Networks Pages: 56
Fritz! Powerline 510E Installation And Operation Manual preview
Powerline 510E
Brand: Fritz! Pages: 38
ATTO Technology FastStream SC 5300 Installation Manual preview
FastStream SC 5300
Brand: ATTO Technology Pages: 6
ATTO Technology ATTO Celerity FC-41XS Specification Sheet preview
ATTO Celerity FC-41XS
Brand: ATTO Technology Pages: 2
ATTO Technology ATTO Celerity FC-42ES Installation And Operation Manual preview
ATTO Celerity FC-42ES
Brand: ATTO Technology Pages: 53

Brands by name

Popular brands

Load more brands