manualshive.com logo in svg

HP AA979A - StorageWorks SAN Switch 2/8V, Administrator'S Manual, Page: 117 / 465

Share
Download
HP AA979A - StorageWorks SAN Switch 2/8V Administrator'S Manual Download Page 117

Fabric OS 5.3.0 administrator guide 119

6

Configuring advanced security

This chapter provides information and procedures for configuring advanced Fabric OS 5.2.x security 

feature, Access Control Lists (ACL) policies for FC port and switch binding.

NOTE:

Run all commands in this chapter by logging in to Administrative Domain (AD) 255 or if 

Administrative Domains have not been implemented log in to AD 0.

For information about licensed security features available in Secure Fabric OS, see the 

Secure Fabric OS 

Administrator’s Guide

.

About access control list (ACL) policies

Fabric OS provides the following policies:

Fabric Configuration Server

 (FCS) policy—Used to restrict which switches can change the 

configuration of the fabric.

Device Connection Control

 (DCC) policies—Used to restrict which Fibre Channel device ports can 

connect to which Fibre Channel switch ports. 

Switch Connection Control

 (SCC) policy—Used to restrict which switches can join with a switch.

IP Filter Policy

 (IPFilter) policy—Used to filter traffic based on IP addresses

Each supported policy is identified by a specific name, and only one policy of each type can exist (except 

for DCC policies). Policy names are case sensitive and must be entered in all uppercase.

How the ACL policies are stored

The policies are stored in a local database. The database contains the ACL policies types of FCS, DCC, 

SCC, and IPFilter. The policies are grouped by state and type.
A policy can be in the following state:

Active

—The policy is being enforced by the switch.

Defined

—The policy has been set up but is not enforced.

A group of policies is called a 

Policy Set

Each switch has the following two sets:

Active policy set

—Contains ACL policies being enforced by the switch.

Defined policy set

—Contains a copy of all ACL policies on the switch.

When a policy is activated, the defined policy either replaces the policy with the same name in the active 

set or becomes a new active policy. If a policy appears in the defined set but not in the active set, the 

policy was saved but has not been activated. If a policy with the same name appears in both the defined 

and active sets but they have different values, then the policy has been modified but the changes have not 

been activated.

Summary of Contents for AA979A - StorageWorks SAN Switch 2/8V

Page 1: ...HP StorageWorks Fabric OS 5 3 x administrator guide Part number 5697 0244 November 2009 ...

Page 2: ...rior written consent of Hewlett Packard The information is provided as is without warranty of any kind and is subject to change without notice The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services Nothing herein should be construed as constituting an additional warranty HP shall not be liable for technical or edito...

Page 3: ...g a console session on the serial port 26 How to connect via the serial port 26 Setting the default account passwords 26 Changing default passwords summary 27 How to change default passwords at login 28 Configuring the Ethernet interface 28 How to display network interface settings 29 Static Ethernet addressing summary 29 How to set static addresses for the Ethernet network interface 30 Configurin...

Page 4: ...2 How to display the status of the track changes feature 53 How to view the switch status policy threshold values 53 How to set the switch status policy threshold values 54 Configuring the audit log 55 Auditable event classes 55 How to verify host syslog prior to configuring the audit log 56 How to configure an audit log for specific event classes 57 Shutting down switches and Directors 57 To powe...

Page 5: ...lay the current RADIUS configuration 82 How to add a RADIUS server to the switch configuration 82 How to enable and disable a RADIUS server 83 How to delete a RADIUS server from the configuration 83 How to change a RADIUS server configuration 83 How to change the order in which RADIUS servers are contacted for service 84 Enabling and disabling local authentication as backup 84 Setting the boot PRO...

Page 6: ...nfiguration 109 Troubleshooting configuration upload 111 Restoring switch information 111 Restoring a configuration 111 Configuration download without disabling a switch 112 Security considerations 113 Troubleshooting configuration download 113 Messages captured in the logs 113 Restoring configurations in a FICON environment 114 Downloading configurations across a fabric 114 4 256 SAN Director con...

Page 7: ...ilter policy restrictions 141 Distributing the policy database 142 Configuring the database distribution settings 143 Distributing ACL policies to other switches 144 Setting the consistency policy fabric wide 144 Notes on joining a switch to the fabric 146 Matching fabric wide consistency policies 146 Non matching fabric wide consistency policies 147 7 Managing administrative domains 149 About adm...

Page 8: ...168 Admin Domains zones and zone databases 169 Admin Domains and LSAN zones 170 Configuration upload and download in an AD context 170 8 Installing and maintaining firmware 173 About the firmware download process 173 Upgrading and downgrading firmware 174 Effects of firmware changes on accounts and passwords 174 Considerations for FICON CUP environments 175 Preparing for a firmware download 175 Ho...

Page 9: ...information along a path 222 11Using the FC FC routing service 225 Supported platforms 225 Fibre Channel routing concepts 225 Front domain consolidation 228 Supported configurations and platforms 228 Upgrade and downgrade considerations 229 Using front domain consolidation 229 Range of output ports 230 Support 230 Proxy devices 230 Routing types 231 Fibre Channel NAT and phantom domains 232 Settin...

Page 10: ...Director SAN Switch 4 32 and SAN Switch 4 32B FICON notes 266 Types of FICON configurations 267 Control Unit Port CUP 267 FICON commands 268 Security considerations 269 Configuring switches 269 Preparing a switch 270 Configuring a single switch 270 Configuring a high integrity fabric 270 Setting a unique domain ID 271 Displaying information 272 Link incidents 272 Registered listeners 272 Node iden...

Page 11: ...s 309 To check for zoning problems 312 Restoring a segmented fabric 312 To reconcile fabric parameters individually 312 To download a correct configuration 313 To reconcile a domain ID conflict 313 Correcting zoning setup issues 313 To correct a fabric merge problem quickly 314 To verify a fabric merge problem 314 To edit zone configuration members 315 To reorder the zone member list 315 Recognizi...

Page 12: ...aving and restoring monitor configurations 350 Collecting performance data 350 18Administering Extended Fabrics 351 About extended link buffer allocation 351 SAN Switch 2 8V SAN Switch 2 16V SAN Switch 2 32 SAN Director 2 128 and 4 256 SAN Director FC2 16 port blades 351 HP StorageWorks SAN Switch 4 32 4 256 SAN Director 4 64 SAN Switch 400 MP Router and FC4 16 FC4 32 and B Series MP Router port b...

Page 13: ...onfiguration 385 To delete a zone configuration 385 To clear changes to a configuration 385 To view all zone configuration information 385 To view selected zone configuration information 386 To view a configuration in the effective zone database 386 Maintaining zone objects 387 To copy a zone object 387 To delete a zone object 388 To rename a zone object 388 Managing Zoning configurations in a fab...

Page 14: ...e fabric PID format 424 Host reboots 424 Static PID mapping errors 424 Changes to configuration data 424 Selecting a PID format 425 Evaluating the fabric 427 Planning the update procedure 428 Online update 428 Offline update 429 Hybrid update 429 Changing to core PID format 429 Changing to extended edge PID format 430 Converting port number to area ID 433 Performing PID format changes 435 Basic pr...

Page 15: ...0 16 Adding a zone set name in SAN Pilot 261 17 Cascaded configuration two switches 271 18 Cascaded configuration three switches 271 19 Setting end to end monitors on a port 340 20 Proper placement of end to end performance monitors 341 21 Mask positions for end to end monitors 342 22 Distribution of traffic over ISL Trunking groups 359 23 Zoning example 369 24 Hardware enforced non overlapping Zo...

Page 16: ...16 ...

Page 17: ...t Model Brocade 200E switch HP StorageWorks 4 8 SAN Switch or HP StorageWorks 4 16 SAN Switch Brocade 3250 switch switch HP StorageWorks SAN Switch 2 8V Brocade 3850 switch HP StorageWorks SAN Switch 2 16V Brocade 3900 switch HP StorageWorks SAN Switch 2 32 Brocade 4100 switch HP StorageWorks SAN Switch 4 32 Brocade 4900 switch HP StorageWorks 4 64 SAN Switch Brocade 24000 Director HP StorageWorks...

Page 18: ...s could result in damage to equipment or data IMPORTANT Provides clarifying information or specific instructions NOTE Provides additional information TIP Provides helpful hints and shortcuts Table 2 Document conventions Convention Element Medium blue text Figure 1 Cross reference links and e mail addresses Medium blue underlined text web site addresses Bold font Key names Text typed into a GUI ele...

Page 19: ...ice web site http www hp com go e updates Subscribing to this service provides you with e mail updates on the latest product enhancements newest versions of drivers and firmware documentation updates as well as instant access to numerous other product resources After signing up you can quickly locate your products by selecting Business support and then Storage under Product Category HP authorized ...

Page 20: ...18 ...

Page 21: ... 4 256 SAN Director can have up to 384 ports and the SAN Director 2 128 can have up to 128 ports About procedural differences As a result of the differences between fixed port and variable port devices procedures sometimes differ among models As new models are introduced new features sometimes apply only to those models When procedures or parts of procedures apply to some models but not others thi...

Page 22: ...to a network through the switch Ethernet port out of band or from the Fibre Channel in band The switch must be configured with an IP address to allow for the network connection Refer to the installation guide for your specific switch for information on physically connecting to the switch You can access switches from different connections such as Web Tools CLI and API When these connections are sim...

Page 23: ... for which you need information Displaying additional Help topics The following commands provide help files for specific topics switch admin help timeout Administrative Commands timeout 1m NAME timeout Sets or displays the timeout value for a login session SYNOPSIS timeout timeval AVAILABILITY admin set all users display DESCRIPTION Use this command without any operands to display in min utes the ...

Page 24: ...24 Introducing Fabric OS CLI procedures ...

Page 25: ... root and use operating system commands to identify and kill the telnet processes without disrupting the fabric For admin level accounts Fabric OS limits the number of simultaneous telnet sessions per switch to two For more details on session limits see Managing user accounts on page 61and Configuring the telnet interface on page 1 15 How to connect via telnet Use these steps to connect via telnet...

Page 26: ...45 serial port on the workstation 2 Open a terminal emulator application such as HyperTerminal on a PC or TERM TIP or Kermit in a UNIX environment and configure the application as follows In a Windows environment In a UNIX environment enter the following string at the prompt tip dev ttyb 9600 If ttyb is already in use you can use ttya enter tip dev ttya 9600 Setting the default account passwords T...

Page 27: ...haracter limit User defined passwords can have 8 to 40 characters They must begin with an alphabetic character and can include numeric characters the dot and the underscore _ They are case sensitive and they are not displayed when you enter them on the command line Record the passwords exactly as entered and store them in a secure place Recovering passwords requires significant effort and fabric d...

Page 28: ...s SSH or telnet may be dropped Reconnect using the new Ethernet IP information or change the Ethernet settings using a console session through the serial port to maintain your session through the change You must connect through the serial port to set the Ethernet IP address if an the Ethernet network interface is not configured already See How to connect via the serial port on page 26 for details ...

Page 29: ...t addressing summary Use static Ethernet network interface addresses on SAN Director 2 128 and 4 256 SAN Director models and in environments where DHCP service is not available To use static addresses for the Ethernet interface you must first disable DHCP You may enter static Ethernet information and disable DHCP at the same time Refer to Configuring DHCP page 30 for more information If you choose...

Page 30: ...ion for IPv6 Enter the Ethernet Subnetmask and Gateway Address at the prompts Press Enter to skip Fibre Channel prompts Type Off to disable DHCP NOTE You can use either IPv4 or IPv6 with a CIDR block notation to set up your IP addresses Configuring DHCP By default some HP switches have DHCP enabled SAN Director 2 128 and 4 256 SAN Director models do not support DHCP The Fabric OS DHCP client suppo...

Page 31: ...tch admin ipaddrset Ethernet IP Address 192 168 74 102 Ethernet Subnetmask 255 255 255 0 Fibre Channel IP Address 220 220 220 2 Fibre Channel Subnetmask 255 255 0 0 Gateway IP Address 192 168 74 1 DHCP Off on How to disable DHCP When you disable DHCP enter the static Ethernet IP address and subnet mask of the switch and default gateway address Otherwise the Ethernet settings may conflict with othe...

Page 32: ...gh 23 MM is minutes valid values are 00 through 59 yy is the year valid values are 00 through 99 values greater than 69 are interpreted as 1970 through 1999 and values less than 70 are interpreted as 2000 2069 For details about how to change time zones refer to tsTimeZone command in the Fabric OS Command Reference Manual Setting time zones Fabric OS 5 2 x and later provides the capability to set t...

Page 33: ... a dual domain chassis has the following characteristics Updating the time zone on any switch updates the entire chassis The time zone of the entire chassis is the time zone of the switch 0 For dual domain Directors SAN Director 2 128 both switches in the same chassis will be in the same time zone Dual Domain chassis do not support different time zones on each domain The following procedure descri...

Page 34: ...Z format Enter number or control D to quit 10 Local time is now Thu May 11 07 39 37 PDT 2006 Universal Time is now Thu May 11 14 39 37 UTC 2006 Is the above information OK Yes No Enter number or control D to quit 1 Please select a country 1 Chile 15 Northern Mariana Islands 2 Cook Islands 16 Palau 3 Ecuador 17 Papua New Guinea 4 Fiji 18 Pitcairn 5 French Polynesia 19 Samoa American 6 Guam 20 Samoa...

Page 35: ...tches will ignore the new list parameter in the payload and will update only the active server address If the active NTP server configured is IPv6 then distributing the same in the fabric will not be possible to a pre 5 3 0 switch since IPv6 is not supported the default value LOCL will be distributed to pre 5 3 0 switches Please select one of the following time zone regions 1 Eastern Time 2 Easter...

Page 36: ...ed software features If you purchase an HP StorageWorks Power Pack switch model optional software licenses are included with the licensed Power Pack supplied with the switch software If you did not purchased an HP StorageWorks Power Pack switch model you can purchase licenses separately from HP HP then provides you with keys to unlock the optional software features License keys are provided on a p...

Page 37: ...sed to obtain a license key To see a switch license ID issue the licenseIdShow command How to generate or activate a license key 1 If you already have a license key go to step 6 to activate If you do not have a license key launch an Internet browser and go to http webkey external hp com welcome asp The HP StorageWorks Software License Key instruction page opens Figure 1 HP StorageWorks license key...

Page 38: ...d d Some features may require additional configuration or you might need to disable and re enable the switch to make them operational refer to the feature documentation for details How to remove a licensed feature 1 Connect to the switch and log in as admin 2 Enter the licenseShow command to display the active licenses 3 Remove the license key using the licenseRemove command The license key is cas...

Page 39: ...Director 2 128 4 256 SAN Director NOTE Changing the switch name causes a domain address format Registered State Change Notification RSCN to be issued and in older versions of the Fabric OS may be disruptive to the fabric How to customize the switch name 1 HP StorageWorks 4 16 SAN Switch and 4 8 SAN Switch SAN Switch 2 8V SAN Switch 2 16V SAN Switch 2 32 SAN Switch 4 32 4 64 SAN Switch 4 32B SAN Sw...

Page 40: ...t you can control the ID number or to resolve a domain ID conflict when you merge fabrics If a switch already has a domain ID when it is enabled and that domain ID conflicts with a switch already in the fabric the conflict is automatically resolved The process can take several seconds during which time traffic is delayed The default domain ID for HP StorageWorks switches is 1 The default domain ID...

Page 41: ...fc05 10 00 00 05 1e 34 01 bd 10 32 220 5 0 0 0 0 ras005 6 fffc06 10 00 00 05 1e 34 02 3e 10 32 220 6 0 0 0 0 ras006 7 fffc07 10 00 00 60 69 34 02 0c 10 32 220 7 0 0 0 0 ras007 10 fffc0a 10 00 00 60 69 80 04 46 10 32 220 10 10 32 219 0 ras010 11 fffc0b 10 00 00 60 69 80 04 47 10 32 220 11 10 32 219 1 ras011 15 fffc0f 10 00 00 60 69 80 47 74 10 32 220 15 0 0 0 0 ras015 16 fffc10 10 00 00 60 69 80 47...

Page 42: ...the licensed software supplied with your switch or you can purchase the license key separately You might need to generate a license key from a transaction key supplied with your purchase If so see How to generate or activate a license key on page 37 By default ports 0 through 15 are activated on the SAN Switch 4 32 Each Port upgrade license activates the next group of eight ports in numerical orde...

Page 43: ...eature assigns the ports to the POD license as they come online Typically assignments are sequential starting with the lowest port number However variations in the equipment attached to the ports can cause the ports to take different amounts of time to come online This means that the port assignment order is not guaranteed If the switch detects more active links than allowed by the current POD lic...

Page 44: ...le Dynamic Ports on Demand 1 Connect to the switch and log in as admin 2 Enter the licensePort method command with the dynamic option to change the license assignment method to dynamic switch admin licenseport method dynamic The POD method has been changed to dynamic Please reboot the switch now for this change to take effect 3 Enter the reboot command to restart the switch switch admin reboot 4 E...

Page 45: ...orts are not candidates for automatic license assignment by the Dynamic POD feature Persistently disable an otherwise viable port to prevent it from coming online and thereby preserve a license assignment for another port Before you can re assign a license you must disable the port and release the license Reserving a license Reserving a license for a port assigns a POD license to that port regardl...

Page 46: ...ing a port removes it from the POD set the port will appear as unassigned until it comes back online Persistently disabling the port will ensure that the port cannot come back online and be automatically assigned to a POD assignment To release a port from a POD set 1 Connect to the switch and log in as admin 2 Enter the switchDisable command to take the switch offline switch admin switchdisable 3 ...

Page 47: ...ts are enabled by default You can disable and re enable them as necessary Ports that you activate with Ports on Demand must be enabled explicitly as described in Activating ports on demand on page 42 CAUTION The fabric will be reconfigured if the port you are enabling or disabling is connected to another switch The switch whose port has been disabled will be segmented from the fabric and all traff...

Page 48: ...c causes fabric segmentation For information on PID formats and related procedures refer to Selecting a PID format on page 425 For information on configuring the routing of connections refer to Routing traffic on page 221 For information on configuring extended interswitch connections refer to Administering Extended Fabrics on page 341 Connecting to devices To minimize port logins power off all de...

Page 49: ...link through a gateway 1 If you are not sure that the PID format is consistent across the entire fabric enter the configShow command on all switches to check the PID setting If necessary change the PID format on any nonconforming switches as described in Configuring the PID format on page 423 2 Connect to the switch on one end of the gateway and log in as admin 3 Enter the portCfgIslMode command I...

Page 50: ...ty 1 Connect to the switch and log in as admin 2 Optional Enter the switchShow command to verify that devices hosts and storage are connected 3 Optional Enter the nsShow command to verify that devices hosts and storage have successfully registered with the Name Server switch admin fabricshow Switch ID Worldwide Name Enet IP Addr FC IP Addr Name 1 fffc01 10 00 00 60 69 80 04 5a 192 168 186 61 192 1...

Page 51: ... view the log Items in the log created from the Track changes feature are labeled Track Trackable changes are Successful login Unsuccessful login Logout Configuration file change from task Track changes on Track changes off An SNMP TRAP mode can also be enabled refer to the trackChangesHelp command in the Fabric OS Command Reference Manual For troubleshooting information on the track changes featu...

Page 52: ...og in as admin 2 Enter the switchStatusPolicyShow command at the command line Whenever there is a switch change an error message is logged and an SNMP connUnitStatusChange trap is sent HP StorageWorks 4 16 SAN Switch and 4 8 SAN Switch SAN Switch 2 8V SAN Switch 2 16V SAN Switch 2 32 SAN Switch 4 32 4 64 SAN Switch 4 32B SAN Switch and 400 MP Router The output is similar to the following HP Storag...

Page 53: ... Connect to the switch and log in as admin 2 Enter the switchStatusPolicySet command at the command line The current switch status policy parameter values are displayed You are prompted to enter values for each DOWN and MARGINAL threshold parameter NOTE By setting the DOWN and MARGINAL value for a parameter to 0 0 that parameter is no longer used in setting the overall status for the switch 3 Veri...

Page 54: ...they can be easily distinguished from other system message log events that occur in the network Then at some regular interval of your choosing you can review the audit events to look for unexpected changes Before you configure audit event logging familiarize yourself with the following audit event log behaviors and limitations switch admin switchstatuspolicyset To change the overall switch status ...

Page 55: ...nformation about the auditCfg command and command syntax Auditable event classes You configure the audit log using the auditCfg command Before configuring an audit log you must select the event classes you want audited When enabled the audit log feature audits any RASLOG messages system message log previously tagged as AUDIT in Fabric OS v5 1 0 which includes SEC 3001 through SEC 3017 SEC 3024 thr...

Page 56: ...th a network connection between the switch and the remote host 4 Check the host SYSLOG configuration If all error levels are not configured you may not see some of the audit messages How to configure an audit log for specific event classes 1 Connect to the switch from which you wish to generate an audit log and log in as admin 2 Enter the auditCfg class command which defines the specific event cla...

Page 57: ...witches and Directors running Fabric OS 5 1 0 and later it is recommended that you use the following graceful shutdown procedures To power off a switch gracefully 5 1 0 and later 1 Connect to the switch and log in as admin 2 Enter the sysShutdown command 3 At the prompt type y 4 Wait until the following message displays 5 Power off the switch Jun 2 08 33 04 10 32 220 7 2 2 raslogd AUDIT 2006 06 02...

Page 58: ...ed on failure Table 7 List of daemons that are automatically restarted Daemon Description Arrd Asynchronous Response Router used to send management data to hosts when the switch is accessed via the APIs FA API or SMI S Cald Common Access Layer Daemon used by Manageability Applications Evmd Event Monitor Daemon Port and Switch SCNs firmwareDownload configDownload Raslogd Remote Access Service Log D...

Page 59: ...llowed for each role Using role based access control RBAC Fabric OS 5 3 0 uses Role Based Access Control RBAC to determine which commands a user can run Assign one of the Fabric OS predefined roles to a user as shown in Table 9 Table 8 Maximum number of simultaneous sessions Role name Maximum sessions User 4 Operator 4 SwitchAdmin 4 ZoneAdmin 4 FabricAdmin 4 BasicSwitchAdmin 4 SecurityAdmin 4 Admi...

Page 60: ...er can run commands using options that create change and delete objects on the system such as running userconfig change username r rolename to change a user s role OM Observe Mod ify The user can run commands using both observe and modify options if a role has modify permissions it almost always has observe N None The user is not allowed to run commands in that category Table 1 1 RBAC permissions ...

Page 61: ...M N Nx_Port Management O O OM O OM O OM N Physical Computer System O O O N O O O O PKI O O O N O O OM OM Port Mirroring N N N N N N OM N RADIUS N N N N N N OM OM Routing Basic O OM OM O OM O OM N Routing Advanced O O O N OM O OM N Security O N O N OM O OM OM Session Management O OM OM N OM OM OM OM SNMP O O OM N OM O OM OM Statistics O OM OM N OM O OM N Statistics Device O OM OM N OM O OM N Statis...

Page 62: ...ch Refer to Configuring the authentication model page 65 for more information Switch Port Management O OM OM O OM OM OM O Topology O O O N OM O OM N User Management N N N N N N OM OM WWN Card O OM OM N OM N OM N Zoning O O O OM OM O OM O Table 1 1 RBAC permissions matrix continued Category Role permission User Operator Switch admin Zone admin Fabric admin Basic switchadmin Admin Security Admin ...

Page 63: ...escription Equivalent setting in Fabric OS 5 1 x and later radius switchdb1 1 Fabric OS 5 1 x and earlier aaaConfig switchdb on off setting localonly Default setting Authenticates management connections against the local database only If the password does not match or the user is not defined the login fails Off On radiusonly2 2 The console login will never be set to radiusonly mode for login recov...

Page 64: ... When operating in secure mode you must perform these operations on the primary FCS switch The userConfig command with Admin Domain related options is not valid in secure mode How to display account information 1 Connect to the switch and log in 2 Enter one of the show commands userConfig show a to show all account information for a logical switch userConfig show b to show all backup account infor...

Page 65: ...derscore _ It must be different than all other account names on the logical switch The account name cannot be the same as a role name r rolename Specifies the role either User SwitchAdmin ZoneAdmin FabricAdmin BasicSwitchAdmin Operator or Admin in nonsecure mode in secure mode you can also use NonfcsAdmin h admindomain_ID Optional Specifies the home Administrative Domain if no Administrative Domai...

Page 66: ...e for username the account must already exist admindomain_ID is the home Admin Domain and admindomain_ID_list is the Admin Domain list to be userconfig change username r rolename h admindomain_ID a admindomain_ID_ list d description e yes no u x username Changes the account attribute for username The account must already exist r rolename Optionally changes the role to one of the names listed in Ta...

Page 67: ...ds The following rules apply to changing passwords A user can change their own password Only users with Admin roles can change the password for other accounts When changing an Admin account password you must provide the current password An admin with ADlist 0 10 cannot change the password on an admin user or any role with an ADlist 1 1 25 The user account being changed must have an ADlist that is ...

Page 68: ...r database is protected CAUTION Distribute the user database and password policies only to Fabric OS 5 2 x or higher switches the distribution command fails if any of the targets is an earlier version How to distribute the local user database When distributing the local user database all user defined accounts residing in the receiving switches will be logged out of any active sessions 1 Connect to...

Page 69: ...hange default passwords Password strength Password history Password expiration Account lockout NOTE Secure mode supports only the default values of the password policies If you attempt to enable secure mode after configuring changing any of the password policies you receive an error How to set the password strength policy The password strength policy is enforced across all user accounts and enforc...

Page 70: ...ers from recycling recently used passwords and is enforced across all user accounts when users are setting their own passwords The password history policy is enforced only when a new password is defined Specify the number of past password values that are disallowed when setting a new password Allowable password history values range between 1 and 24 The default value is 1 which means both the curre...

Page 71: ... password will expire on September 1 User B s password will expire on August 1 How to set the account lockout policy The account lockout policy disables a user account when that user exceeds a specified number of failed login attempts and is enforced across all user accounts You can configure this policy to keep the account locked until explicit administrative action is taken to unlock it or the l...

Page 72: ...server configuration Creating Fabric OS user accounts With RADIUS servers set up user accounts by their true network wide identity rather than by the account names created on a Fabric OS switch Along with each account name assign appropriate switch access roles RADIUS supports all the defined RBAC roles described in Table 9 on page 61 Users must enter their assigned RADIUS account name and passwor...

Page 73: ...ctionary file define the role for the user in a configuration file For example to grant the user jsmith the Admin role you would add into the configuration file jsmithAuth Type Local User Password jspassword Brocade Auth Role admin Vendor length 2 or higher 1 octet calculated by server including vendor type and vendor length Attribute specific data ASCII string multiple octet maximum 253 indicatin...

Page 74: ... or HomeAD specification the account cannot login until the AD list is corrected an error message is displayed For example on a Linux FreeRadius Server the user user za with the following settings takes the ZoneAdmin role with AD member list 1 2 4 5 6 7 8 9 12 the Home Admin Domain will be 1 user za Auth Type Local User Password password Brocade Auth Role ZoneAdmin Brocade AVPairs1 ADList 1 2 6 Br...

Page 75: ...ng open session although a password change on the local switch does If you cannot log in because of a RADIUS server connection problem Web Tools displays a message indicating server outage Configuring the RADIUS server You must know the switch IP address or name to connect to switches Use the ipAddrShow command to display a switch IP address For Directors chassis based systems the switch IP addres...

Page 76: ...x are also valid You must use quotation marks around password and role For example to set up an account called JohnDoe with the Admin role The next example uses the local system password file to authenticate users When you use NIS for authentication the only way to enable authentication with the password file is to force the switch to authenticate using PAP this requires the a pap option with the ...

Page 77: ...uses the Windows native user database to verify user login credentials it does not list specific users but instead lists user groups Each user group should be associated with a specific switch login role For example you should configure a user group for root admin factory switchadmin and user and then add any users whose logins you want to associate to the appropriate group Configuring the server ...

Page 78: ...r then select New Remote Access Policy from the pop up window A remote access policy must be created for each login role Root Admin Factory SwitchAdmin and User for which you want to use RADIUS Apply this policy to the user groups that you already created 6 In the Add Remote Access Policy window enter an easily identifiable Policy friendly name that will enable you to see the switch login for whic...

Page 79: ... still log in the event of a failover The following procedures show how to use the aaaConfig command to set up a switch for RADIUS service RADIUS configuration is chassis based configuration data On platforms containing multiple switch instances the configuration applies to all instances The configuration is persistent across reboot and firmwareDownload On a chassis based system the command must r...

Page 80: ...prompt enter y to complete the command When the command succeeds the event log indicates that the server is removed switch admin aaaConfig add server p port s secret t timeout a pap chap server Enter either a server name or IP address Avoid duplicating server listings that is listing the same server once by name and again by IP address Up to five servers can be added to the configuration p port Op...

Page 81: ...ifferent from aaaConfig radiuslocal see Table 12 on page 65 When local authentication is enabled and RADIUS servers fail to respond you can log in to the default switch accounts admin and user or any user defined account You must know the passwords of these accounts When the command succeeds the event log indicates that local database authentication is disabled or enabled switch admin aaaConfig ch...

Page 82: ...4 64 SAN Switch 4 32B SAN Switch and 400 MP Router How to set the boot PROM password for a switch with a recovery string 1 Connect to the serial port interface as described in How to connect via the serial port on page 26 2 Reboot the switch 3 Press ESC within four seconds after the message Press escape within 4 seconds displays The following options are available 4 Enter 2 If no password was prev...

Page 83: ...eviously set the following messages display 6 Enter the recovery password string The recovery string must be between 8 and 40 alphanumeric characters A random string that is 15 characters or longer is recommended for higher security The firmware only prompts for this password once It is not necessary to remember the recovery string because it is displayed the next time you enter the command shell ...

Page 84: ...h and 400 MP Router How to set the boot PROM password for a switch without a recovery string 1 Create a serial connection to the switch as described in How to connect via the serial port on page 26 2 Reboot the switch by entering the reboot command 3 Press ESC within four seconds after the message Press escape within 4 seconds displays The following options are available 4 Enter 3 5 At the shell p...

Page 85: ... the saveEnv command to save the new password 10 Reboot the standby CP blade by entering the reset command 1 1 Connect to the active CP blade by serial or telnet and enter the haEnable command to restore high availability then fail over the active CP blade by entering the haFailover command Traffic resumes flowing through the newly active CP blade after it has completed rebooting 12 Connect the se...

Page 86: ...88 Managing user accounts To recover a lost root or boot PROM password contact HP You must have previously set a recovery string to recover the boot PROM password ...

Page 87: ...Fabric Manager The SNMP Access Control List ACL provides a way for the administrator to restrict SNMP get set operations to certain hosts IP addresses This is used for enhanced management security in the storage area network For details on MIB files naming conventions loading instructions and information about using the SNMP agent refer to the Fabric OS MIB reference manual Table 17 describes addi...

Page 88: ...reDownload Commands that require a secure login channel must be issued from an original SSH session If you start an SSH session and then use the login command to start a nested SSH session commands that require a secure channel will be rejected Table 18 Main security scenarios Fabric Management interfaces Comments Nonsecure Nonsecure No special setup is needed to use telnet or HTTP An HP switch ce...

Page 89: ...dmin Connect through some other means than telnet for example through SSH 2 Enter the following command 3 In response to the System Services prompt type y 4 In response to the telnetd prompt type off The telnet interface is disabled If you entered the command during a standard telnet session the session terminates How to enable telnet 1 Connect to the switch through a means other than telnet for e...

Page 90: ... 4 16 SAN Switch Brocade 4Gb SAN Switch for HP p Class BladeSystem Brocade 4Gb SAN Switch for HP c Class BladeSystem SAN Switch 2 8V SAN Switch 2 16V SAN Switch 2 32 SAN Switch 4 32 SAN Switch 4 32B 4 64 SAN Switch 4 32B SAN Switch 400 MP Router FC4 48 and FC4 16IP blades chargen Disabled Disabled echo Disabled Disabled daytime Disabled Disabled discard Disabled Disabled ftp Disabled Disabled rexe...

Page 91: ...e fabric by SNMP Any host can telnet to any switch in the fabric Any host can establish an HTTP connection to any switch in the fabric Any host can establish an API connection to any switch in the fabric Devices All device ports can access SES All devices can access the management server Any device can connect to any FC port in the fabric Switch access Any switch can join the fabric All switches i...

Page 92: ...e the latest version of your browser For example Internet Explorer 6 0 and later supports 128 bit encryption by default You can display the encryption support called cipher strength using the Internet Explorer Help About menu option If you are running an earlier version of Internet Explorer you might be able to download an encryption patch from the Microsoft Web site at http www microsoft com You ...

Page 93: ...ome generate certificates based on IP address while others require an FQDN and most require a 1024 bit public private key while some might accept a 2048 bit key Consider your fabric configuration check CA Web sites for requirements and gather all the information that the CA requires Generating a public private key Perform this procedure on each switch 1 Connect to the switch and log in as admin 2 ...

Page 94: ...nerate and store the CSR as described in Generating a public private key on page 95 2 Open a Web browser window on the management workstation and go to the CA Web site Follow the instructions to request a certificate Locate the area in the request form into which you are to paste the CSR 3 Through a telnet window connect to the switch and log in as admin 4 Enter this command The contents of the CS...

Page 95: ... import Select protocol ftp or scp ftp Enter IP address 192 10 11 12 Enter remote Directory path_to_remote_Directory Enter certificate name must have crt suffix 192 1 2 3 crt Enter Login Name your_account Enter Password Success imported certificate 192 1 2 3 crt To use this certificate run the configure command to activate it SSL attributes Type yes Certificate File Enter the name of the switch ce...

Page 96: ...ertificate is not listed click Import 7 Browse to the certificate location and select the certificate For example select nameRoot crt 8 Click Open and follow the instructions to import the certificate Installing a root certificate to the Java Plug in For information on Java requirements refer to Browser and Java support on page 94 This procedure is a guide for installing a root certificate to the ...

Page 97: ...rectly or HTTPS is not enabled correctly Make sure that the certificate has not expired that HTTPS is enabled and that certificate file names are configured correctly The security certificate was issued by a company you have not chosen to trust The certificate is not installed in the browser Install it as described in Configuring the browser on page 98 The security certificate has expired or is no...

Page 98: ...configuration specifies the MIB trap elements to be used to send information to the SNMP management station There are two main MIB trap choices Brocade specific MIB trap Associated with the specific Brocade MIB SW MIB this MIB monitors Brocade switches specifically FibreAlliance MIB trap Associated with the FibreAlliance MIB FA MIB this MIB manages SAN switches and devices from any company that co...

Page 99: ...e the snmpConfig set command to change either the SNMPv3 or SNMPv1 configuration You can also change access control MIB capability and system group switch admin configure Not all options will be available on an enabled switch To disable the switch use the switchDisable command Configure System services yes y no n no ssl attributes yes y no n no http attributes yes y no n no snmp attributes yes y n...

Page 100: ...1 Trap recipient Severity level 0 5 0 4 Trap Recipient s IP address in dot notation 0 0 0 0 192 168 45 92 UserIndex 1 6 2 Trap recipient Severity level 0 5 0 2 Trap Recipient s IP address in dot notation 0 0 0 0 Trap Recipient s IP address in dot notation 0 0 0 0 Trap Recipient s IP address in dot notation 0 0 0 0 Trap Recipient s IP address in dot notation 0 0 0 0 Committing configuration done sw...

Page 101: ... dot notation 0 0 0 0 Read Write true t false f true Access host subnet area in dot notation 0 0 0 0 Read Write true t false f true Committing configuration done switch admin snmpconfig show mibCapability FA MIB YES FICON MIB YES HA MIB YES SW TRAP YES swFCPortScn YES swEventTrap YES swFabricWatchTrap YES swTrackChangesTrap NO FA TRAP YES connUnitStatusChange YES connUnitEventTrap NO connUnitSenso...

Page 102: ...NMPv1 community and trap recipient configuration Community 1 Secret C0de rw Trap recipient 192 168 1 51 Trap recipient Severity level 4 Community 2 OrigEquipMfr rw Trap recipient 192 168 1 26 Trap recipient Severity level 0 Community 3 private rw No trap recipient configured yet Community 4 public ro No trap recipient configured yet Community 5 common ro No trap recipient configured yet Community ...

Page 103: ...s in dot notation 192 168 1 26 Trap recipient Severity level 0 5 0 Community rw private Trap Recipient s IP address in dot notation 0 0 0 0 192 168 64 88 Trap recipient Severity level 0 5 0 1 Community ro public Trap Recipient s IP address in dot notation 0 0 0 0 Community ro common Trap Recipient s IP address in dot notation 0 0 0 0 Community ro FibreChannel Trap Recipient s IP address in dot not...

Page 104: ...ient configured yet SNMP access list configuration Entry 0 Access host subnet area 192 168 64 0 rw Entry 1 No access host configured yet Entry 2 No access host configured yet Entry 3 No access host configured yet Entry 4 No access host configured yet Entry 5 No access host configured yet Are you sure yes y no n no y Committing configuration done agent configuration reset to factory default Current...

Page 105: ... indicates that the status of the sensor associated with the connectivity unit has changed connUnitPortStatus shows overall protocol status for the port connUnitPortState shows the user specified state of the port hardware switch admin snmpmibcapset The SNMP Mib Trap Capability has been set to support FE MIB SW MIB FA MIB FA TRAP FA MIB yes y no n yes FICON MIB yes y no n no y HA MIB yes y no n no...

Page 106: ...S swFabricWatchTrap YES swTrackChangesTrap YES FA TRAP YES SW EXTTRAP YES HA TRAP YES fruStatusChanged YES cpStatusChanged YES fruHistoryTrap YES switch admin configure Not all options will be available on an enabled switch To disable the switch use the switchDisable command Configure System services yes y no n no n ssl attributes yes y no n no n http attributes yes y no n no n snmp attributes yes...

Page 107: ...ress Licenses lists the licenses that are active on the switch Chassis Configuration contains configuration variables such as diagnostic settings fabric configuration settings and SNMP settings Configuration contains licensed option configuration parameters Zoning contains zoning configuration information Defined Security Policie lists all of the defined security policies Active Security Policies ...

Page 108: ...ference Manual User name Enter the user name of your account on the server for example JohnDoe File name Specify a file name for the backup file for example config txt Absolute path names can be specified using forward slash Relative path names create the file in the user s home Directory on UNIX servers and in the Directory where the FTP server is running on Windows servers Password Enter your ac...

Page 109: ...ocess is additive that is the lines read from the files are added to the current switch configuration You can change a single configuration variable by downloading a file with that specific variable only When you do so all other variables remain unchanged If your setup supports anonymous users and you log in as an anonymous user password is still a required field even though its value may be ignor...

Page 110: ...nd to the prompts as follows 6 At the Do you want to continue y n prompt enter y 7 Wait for the configuration to be restored The following example shows configDownload run on a switch without Admin Domains 8 If you disabled the switch when the process is finished enter the switchEnable command Protocol scp or ftp If your site requires the use of Secure Copy specify scp Otherwise specify ftp Server...

Page 111: ...n downloads see Configuration download without disabling a switch on page 1 12 The host name is known to the switch The host IP address can be contacted You have permission on the host to perform configuration download The configuration file you are trying to download exists on the host The configuration file you are trying to download is a switch configuration file If you selected the default FTP...

Page 112: ...tion file from one switch to another same model switch 1 Configure one switch first 2 Use the configUpload command to save the configuration information Refer to Backing up a configuration on page 109 3 First run configDefault on each of the target switches and then use the configDownload command to download the configuration file to each of the target switches Refer to Restoring a configuration o...

Page 113: ...figuration and connection Configuration settings IP address Gateway address Chassis configuration option Management connections Serial cable tag Ethernet cable tag Configuration information Domain ID Switch name Ethernet IP address Ethernet subnetmask Total number of local devices nsShow Total number of devices in fabric nsAllShow Total number of switches in the fabric fabricShow ...

Page 114: ...figuration setting FC port configuration Port numbers 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Speed Trunk Port Long Distance VC Link Init Locked L_Port Locked G_Port Disable E_Port ISL R_RDY Mode RSCN Suppressed Persistent disable NPIV capability EX Port ...

Page 115: ...figuration setting FC Port Configuration Port Numbers 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 Speed Trunk port Long distance VC link Init Locked L_Port Locked G_Port Disable E_Port ISL R_RDY mode RSCN suppressed Persistent disable NPIV capability EX port ...

Page 116: ...118 Maintaining configurations ...

Page 117: ...c based on IP addresses Each supported policy is identified by a specific name and only one policy of each type can exist except for DCC policies Policy names are case sensitive and must be entered in all uppercase How the ACL policies are stored The policies are stored in a local database The database contains the ACL policies types of FCS DCC SCC and IPFilter The policies are grouped by state an...

Page 118: ...FCS and SCC policies For instructions relating to a specific policy refer to the appropriate section Displaying ACL policies on page 99 Displays a list of all active and defined ACL policies on the switch Saving changes to ACL policies on page 107 Save changes to memory without actually implementing the changes within the fabric or to the switch This saved but inactive information is known as the ...

Page 119: ... first switch in the list becomes the Primary FCS switch Only the Primary FCS switch is allowed to modify and distribute the database within the fabric Automatic distribution is not supported and it is required to manually distribute the FCS policy using the distribute p command Refer to Adding a member to an existing policy on page 107 Changes made to the FCS policy are saved to permanent memory ...

Page 120: ... allowed on back up and non FCS switches FCS enforcement applies only for user initiated fabric wide operations Internal fabric data propagation because of a fabric merge is not blocked Consequently a new switch which joins the FCS enabled fabric could still propagate the AD and zone database NOTE All current FCS policies will be deleted if you enable secmode Table 32 shows the commands for switch...

Page 121: ...difying the primary FCS The secFCSFailover command is not supported for failing over to a new Primary switch If your Primary FCS switch is experiencing problems or will be replaced select a new Primary FCS immediately Use the secPolicyFCSMove command to change the order in which switches are listed in the FCS policy To modify the order of FCS switches 1 Log in to the Primary FCS switch as admin 2 ...

Page 122: ...up FCS switch if the Primary is not reachable or from a non FCS switch if the Primary FCS and none of the backup FCS switches are reachable To learn more about how to distribute policies refer to Distributing ACL policies to other switches on page 124 NOTE The FCS policy distribution is allowed to be distributed from a switch in the FCS list However if none of the FCS switches in the existing FCS ...

Page 123: ...policies created in Fabric OS are deleted when Secure Fabric OS is enabled Therefore back up DCC policies before enabling or disabling Secure Fabric OS Some older private loop HBAs do not respond to port login from the switch and are not enforced by the DCC policy This does not create a security problem because these HBAs cannot contact any device outside of their immediate loop DCC policies canno...

Page 124: ...icyActivate command If neither of these commands is entered the changes are lost when the session is logged out For more information about these commands see Saving changes to ACL policies on page 107 and Activating changes to ACL policies on page 107 Examples of creating DCC policies To create the DCC policy DCC_POLICY_server that includes device 1 1 22 33 44 55 66 77 aa and port 1 and port 3 of ...

Page 125: ...switch names Only one SCC policy can be created By default any switch is allowed to join the fabric the SCC policy does not exist until it is created When connecting a Fibre Channel router to a fabric or switch that has an active SCC policy the front domain of the Fibre Channel router must be included in the SCC policy SCC policy states are shown in Table 27 To create an SCC policy 1 Connect to th...

Page 126: ... are lost upon rebooting To activate changes 1 Connect to the switch and log in 2 Type the secPolicyActivate command switch admin secpolicyactivate About to overwrite the current Active data ARE YOU SURE yes y no n no y Adding a member to an existing policy Add members to the ACL policies by using the secPolicyAdd command As soon as a policy has been activated the aspect of the fabric managed by t...

Page 127: ...r fabric elements By default Fabric OS 5 3 0 uses DH CHAP or FCAP protocols for authentication These protocols use shared secrets and digital certificates based on switch WWN and public key infrastructure PKI technology to authenticate switches Authentication automatically defaults to FCAP if both switches configured to accept FCAP protocol in authentication The fabric authentication feature is av...

Page 128: ... is persistent across reboots which means authentication will be initiated automatically on ports or switches brought online if the policy is set to activate authentication The AUTH policy is distributed using the distribute command The automatic distribution of the AUTH policy is not supported Once the AUTH policy is activated you are not allowed to implement a Secure Fabric OS environment The se...

Page 129: ...s automatically during the E_Port initialization A switch with this policy can safely connect to pre 5 3 0 switches since it continues E_Port initialization if the connecting switch does not support authentication The switches with firmware pre v3 2 0 do not support FCAP DH CHAP authentication so an E_Port initializes without authentication The switches with firmware version v3 2 0 and later respo...

Page 130: ...erwise it will form an F_Port without authentication In PASSIVE mode an F_Port will be disabled if the HBA shared secret does not match with the secret installed on the switch If the secret provided by the switch does not match the secrets installed on the HBA then the HBA will disable the port on its side On any authentication handshaking rejection the switch will disable the F_Port with reason A...

Page 131: ...witch as admin 2 On a switch running Fabric OS v4 x or v5 x type authUtil set a dhchap on a switch running Fabric OS v3 x type authUtil set a dhchap Output similar to the following is displayed Authentication is set to dhchap When using DH CHAP make sure that you configure the switches at both ends of a link If you set the authentication protocol to DH CHAP have not yet configured shared secrets a...

Page 132: ... key pair are not set up for a link authentication fails The Authentication Failed reason code 05h error will be reported and logged The minimum length of a shared secret is 8 bytes and the maximum length is 40 bytes This section illustrates using the secAuthSecret command to display the list of switches in the current switch s shared secret database and to set the secret key pair for the current ...

Page 133: ...crets cr Enter WWN Domain or switch name Leave blank when done 10 20 30 40 50 60 70 80 Enter peer secret hidden Re enter peer secret hidden Enter local secret hidden Re enter local secret hidden Enter WWN Domain or switch name Leave blank when done 10 20 30 40 50 60 70 81 Enter peer secret hidden Re enter peer secret hidden Enter local secret hidden Re enter local secret hidden Enter WWN Domain or...

Page 134: ...ve CP to the standby CP The standby CP will enforce the filter policies to its management interface after policies are synchronized with the active CP Creating an IP Filter policy You can create an IP Filter policy with the specified name and type The policy created is stored in a temporary buffer and will be lost if the current command session logs out The policy name is a unique string composed ...

Page 135: ...ession that owns the updated temporary buffer may run this command Modification to an active policy cannot be saved without being applied Hence the save sub command is blocked for the active policies Use activate instead To save an IP Filter policy 1 Log in to the switch as admin 2 Type in the following command ipfilter save policyname where policyname is the name of the policy and is optional Act...

Page 136: ...ion taken by this rule Permit or Deny For an IPv4 filter policy the source address has to be a 32 bit IPv4 address in dot decimal notation The group prefix has to be a CIDR block prefix representation For example 208 130 32 0 24 represents a 24 bit IPv4 prefix starting from the most significant bit The special prefix 0 0 0 0 0 matches any IPv4 address In addition the keyword any is supported to re...

Page 137: ...llowing two rules are always assumed to be appended implicitly to the end of the policy see Table 37 This is to ensure TCP and UDP traffics to dynamic port ranges is allowed that way management IP traffic initiated from a switch such as syslog radius and ftp will not be affected A switch with Fabric OS 5 3 0 or later will have a default IP Filter policy for IPv4 and IPv6 The default IP Filter poli...

Page 138: ... server configuration the source address in an IP Filter rule may have to be the NAT server address Creating IP Filter policy rules There can be a maximum of 256 rules created for an IP Filter policy The change to the specified IP Filter policy is not saved to the persistent configuration until a save or activate sub command is run To add a rule to an IP Filter policy 1 Log in to the switch as adm...

Page 139: ...mmitted changes left in its local transaction buffer will be lost and the transaction will be aborted When firmware is upgraded for the first time from pre 5 3 0 to 5 3 0 the default IPv4 and IPv6 filter policies are active If non default IP Filter policies are created and then saved but not activated and firmware is downgraded to pre 5 3 0 the non default IP Filter policies are preserved Subseque...

Page 140: ...policy is not set then the policies are managed on per switch basis For configuration instructions seeSetting the consistency policy fabric wide page 142 Table 39 explains how the local database distribution settings and the fabric wide consistency policy affect the local database when the switch is the target of a distribution command Table 39 Interaction between fabric wide consistency policy an...

Page 141: ... the following command fddCfg localreject database_ID To disable local switch protection 1 Connect to the switch and log in as admin 2 Enter the following command fddCfg localaccept database_ID Table 40 Supported policy databases Database type Database identifier ID Authentication policy database AUTH DCC policy database DCC FCS policy database FCS IP Filter policy database IPFILTER Password datab...

Page 142: ...wide consistency policy ensures that changes to local ACL policy databases are automatically distributed to other switches in the fabric When you set the fabric wide consistency policy using the fddCfg command with the fabwideset database_id option both the fabric wide consistency policy and specified database are distributed to the fabric The active policies of the specified databases overwrite t...

Page 143: ...ual to The following example shows how to set a strict SCC and tolerant DCC fabric wide consistency policy switch admin fddcfg fabwideset SCC S DCC switch admin fddcfg showall Local Switch Configuration for all Databases DATABASE Accept Reject SCC accept DCC accept PWD accept FCS accept AUTH accept IPFILTER accept Fabric Wide Consistency Policy SCC S DCC Table 42 Fabric wide consistency policy set...

Page 144: ...C fabric wide consistency policies do not match the switch cannot join the fabric and the neighboring E_Ports will be disabled If the strict SCC and DCC fabric wide consistency policies match the corresponding SCC and DCC ACL policies are compared The enforcement of fabric wide consistency policy involves comparison of only the Active policy set If the ACL polices match the switch joins the fabric...

Page 145: ...ceeds No ACL policies copied None SCC DCC Succeeds ACL policies are copied from B to A SCC DCC SCC DCC Succeeds If A and B policies do not match a warning displays and policy commands are disabled1 1 To resolve the policy conflict manually distribute the database you want to use to the switch with the mismatched database Until the conflict is resolved commands such as fddcfg fabwideset and secpoli...

Page 146: ...tolerant absent combinations Fabric wide consistency policy setting Expected behavior Fabric A Fabric B Tolerant Absent SCC DCC Error message logged Run fddCfg fabwideset policy_ID from any switch with the desired configuration to fix the conflict The secPolicyActivate command is blocked until conflict is resolved DCC SCC DCC SCC DCC SCC ...

Page 147: ... in the remote site in an Admin Domain and assign the remote site administrator to manage those resources You set up zones to define which devices and hosts can communicate with each other you set up Admin Domains to define which users can manage which devices hosts and switches You can have up to 256 Admin Domains in a fabric 254 user defined and 2 system defined numbered from 0 through 255 Admin...

Page 148: ...e 4 Filtered fabric views Admin domain features Admin Domains allow you to Define the scope of an Admin Domain to encompass ports and devices within a switch or a fabric Share resources across multiple Admin Domains For example you can share array ports and tape drives between multiple departments One of the storage devices is shared between AD1 and AD2 see Figure 3 Have a separate zone database f...

Page 149: ...ic OS 5 2 x release notes Admin Domains are supported only on fabrics with one or more switches running Fabric OS 5 2 x and higher You must have a valid Advanced Zoning license to use Admin Domains The default zone mode setting must be set to No Access before you create Admin Domains see Implementing admin domains on page 159 To use Admin Domains and the FC FC Routing Service in the same fabric th...

Page 150: ...cit members of AD0 change dynamically as the membership of other Admin Domains changes The explicit members of AD0 are not deleted unless you explicitly remove them For example if you explicitly add DeviceA to AD0 and it is not a member of any other Admin Domain then DeviceA is both an implicit and an explicit member of AD0 If you add DeviceA to AD2 then DeviceA is deleted from the AD0 implicit me...

Page 151: ...pe and describes its administrative access and capabilities AD2 AD255 AD1 AD0 Table 46 AD user types User type Description Physical Fabric Administrators User account with Admin role and with access to all Admin Domains AD0 through AD255 Create and manage all Admin Domains Only a physical fabric administrator can perform Admin Domain configuration and management Assign other administrators or user...

Page 152: ...ou are in the AD0 AD1 and AD255 contexts respectively Admin domain member types You define an Admin Domain by identifying members of that domain Admin Domain members can be devices switch ports or switches Defining these member types is similar to defining a traditional zone member type An Admin Domain does not require or have a new domain ID or management IP address linked to it The following sec...

Page 153: ...n and the domain port is removed from the AD0 implicit membership list NOTE The domain port members are not automatically changed when the switch domain ID changes Switch members Switch members are defined by the switch WWN or domain ID A switch member Grants administrative control to the switch Grants port control for all ports in that switch Allows switch administrative operations such as switch...

Page 154: ... nn nn nn nn nn n9 xx where xx is the AdminDomain_number For example if the switch WWN is 10 00 00 60 69 e4 24 e0 then the converted WWN for that switch in AD1 would be 50 06 06 9e 42 4e 09 01 Figure 6 shows an unfiltered view of a fabric with two switches three devices and two Admin Domains The devices are labeled with device WWN and the switches are labeled with domain ID and switch WWN Figure 6...

Page 155: ...lict error code Compatibility Admin Domains can be implemented in fabrics with mix of AD aware switches and AD unaware switches The following considerations apply In mixed fabric configurations the legacy switches allow unfiltered access to the fabric and its devices hence these legacy switches should be managed by the physical fabric administrator You must zone all ports and devices from legacy s...

Page 156: ... one or both CPs to pre Fabric OS 5 2 x versions will fail The Admin Domain configuration must be cleared before you can perform the downgrade see Deleting all user defined Admin Domains on page 164 Managing admin domains This section is for physical fabric administrators who are managing Admin Domains You must be a physical fabric administrator to perform the tasks in this section Implementing ad...

Page 157: ...itches in the fabric replacing the effective configuration ad transabort Aborts the transaction and clears the transaction buffer The effective and defined configurations remain unchanged You can enter the ad transshow command at any time to display the ID of the current Admin Domain transaction Detailed information about CLI syntax and options is available in the Fabric OS Command Reference Manua...

Page 158: ...nfiguration using ad save or make it the effective Admin Domain configuration directly using ad apply The following procedures describe the steps for creating Admin Domains and include examples How to create an Admin Domain 1 Log in as the physical fabric administrator to an AD aware switch in the fabric 2 Set the default zone mode to No Access if you have not already done so See How to set the de...

Page 159: ...firmware the userConfig command records are interpreted using legacy logic How to create a new user account for managing Admin Domains 1 Connect to the switch and log in as admin 2 Enter the userconfig add command using the r option to set the role the a option to provide access to Admin Domains and the h option to specify the home Admin Domain userconfig add username r role h home_AD a AD_list wh...

Page 160: ... prompts for confirmation On default after the Admin Domain is activated the devices specified under that AD are not able to see each other until they are zoned together 4 To end the transaction now enter ad save to save the Admin Domain definition or enter ad apply to save the Admin Domain definition and directly apply the definitions to the fabric The following example activates Admin Domain AD_...

Page 161: ...to the AD255 context if you are not already in that context ad select 255 3 Enter the ad remove command using the d option to specify device and switch port members and the s option to specify switch members ad remove ad_id d dev_list s switch_list where ad_id is the Admin Domain name or number dev_list is a list of device WWNs or domain port members and switch_list is a list of switch WWNs or dom...

Page 162: ...deletes Admin Domain AD_B3 Deleting all user defined Admin Domains When you clear the Admin Domain configuration all user defined Admin Domains are deleted the explicit membership list of AD0 is cleared and all fabric resources switches ports and devices are returned to the implicit membership list of AD0 You cannot clear the Admin Domain configuration if zone configurations exist in any of the us...

Page 163: ...n the persistent memory defined configuration 2 to display the currently enforced Admin Domain configuration effective configuration The following example validates the member list of Admin Domain 10 in the current transaction buffer Using Admin Domains This section is for users and administrators and describes how you use Admin Domains If you are a physical fabric administrator and you want to cr...

Page 164: ...n Domain and the command you want to execute ad exec ad_id command The following example executes the switchShow command in the AD7 context Displaying an Admin Domain configuration The ad show option displays the membership information and zone database information of the specified Admin Domain Note the following differences in the information displayed based on the Admin Domain AD255 if you do no...

Page 165: ...e ad select option is used to switch between different Admin Domain contexts This option creates a new shell with a new Admin Domain context If the corresponding Admin Domain is not yet activated the select option fails How to switch to a new Admin Domain context 1 Connect to the switch and log in as any user type 2 Enter the ad select command and the Admin Domain you want to switch to 3 To leave ...

Page 166: ...f Admin Domains are configured you cannot use Secure Fabric OS Table 48 lists some of the Fabric OS features and considerations that apply when using Admin Domains Table 48 Admin Domain interaction with Fabric OS features Fabric OS feature Admin Domain interaction ACLs If no user defined Admin Domains exist you can run ACL configuration commands in only AD0 and AD255 If any user defined Admin Doma...

Page 167: ... page 381 for more information FICON Admin Domains support FICON However you must perform additional steps because FICON management CUP requires additional physical control of the ports You must set up the switch as a physical member of the FICON AD DCC and SCC policies are supported only in AD0 and AD255 since ACL configurations are supported only in AD0 and AD255 iSCSI iSCSI operations are suppo...

Page 168: ...abase which is made up of the zone databases in AD0 through A254 With AD support zoning updates are supported selectively at each AD level For example a zone change in AD1 results in an update request only for the AD1 zone database Admin Domains and LSAN zones LSANs under each Admin Domain are collated into a single name space and sent out to FCR phantom domains using the following format original...

Page 169: ...h configuration and other parameters AD255 With ADs Yes Yes No Yes1 1 Zone databases for AD0 through AD254 Yes Yes Without ADs Yes Yes Yes Yes1 Yes Yes AD0 With ADs and switch membership Yes No No Yes2 2 Only zone database for AD0 No Yes With ADs and without switch membership Yes No No Yes2 No No Without ADs Yes Yes Yes Yes2 No Yes AD1 AD254 With switch membership No No No Yes3 3 Only zone databas...

Page 170: ...172 Managing administrative domains ...

Page 171: ...to traffic flowing through the switch This operation depends on HA status in the switch If the switch does not support HA you can still upgrade the CPs one at a time using the firmwareDownload s option This mode enables you to select or disable install on both CPs autoreboot and autocommit modes on directors and switches On directors this mode enables you to upgrade a single CP When downloading th...

Page 172: ...simultaneously on multiple switches For more details on Fabric Manager and other licensed software tools go to the HP web site http www hp com Effects of firmware changes on accounts and passwords The following table describes what happens to accounts and passwords when you replace the switch firmware with a different version For more details on administrative domains and firmware download see Man...

Page 173: ...nload in Fabric OS 5 3 0 If DNS is enabled and a server name instead of a server IP address is specified in the command line firmwareDownload determines whether IPv4 or IPv6 should be used To be able to mention the FTP server by name you must enter a couple of DNS servers using the dnsconfig command CAUTION Newer Fabric OS versions 4 4 x and above can support large zone databases However exercise ...

Page 174: ...ion shown in Table 46 before upgrading firmware on the switch NOTE Please go to http h18006 www1 hp com storage saninfrastructure index html to view end of life policies for HP products End of life products are not supported If the switch to be upgraded is running version 4 1 x or later it is recommended that all switches directly connected to it be running versions no earlier than 2 6 1 3 1 x or ...

Page 175: ...ass BladeSystem SAN Switch 2 8V SAN Switch 2 16V SAN Switch 2 32 SAN Switch 4 32 SAN Switch 4 32B 4 64 SAN Switch 4 32B SAN Switch and 400 MP Router maintain primary and secondary partitions for firmware The firmwareDownload command defaults to an autocommit option that automatically copies the firmware from one partition to the other You should not override autocommit under normal circumstances u...

Page 176: ...d becaome inoperable upon reboot To upgrade firmware for 4 16 SAN Switch and 4 8 SAN Switch Brocade 4Gb SAN Switch for HP p Class BladeSystem Brocade 4Gb SAN Switch for HP c Class BladeSystem SAN Switch 2 8V SAN Switch 2 16V SAN Switch 2 32 SAN Switch 4 32 SAN Switch 4 32B 4 64 SAN Switch and 400 MP Router 1 Verify that the FTP service is running on the host server and that you have a user ID on t...

Page 177: ...estarted Do you want to continue Y y Firmware is being downloaded to the switch This step may take up to 30 minutes User name Enter the user name of your account on the server for example JohnDoe File name Fabric OS 5 2 x or higher Specify the full path name of the firmware directory for example pub v5 2 x Fabric OS 5 1 x or lower Specify the full path name of the firmware directory appended by re...

Page 178: ... on the active CP blade The standby CP blade downloads firmware The standby CP blade reboots and comes up with the new Fabric OS The active CP blade synchronizes its state with the standby CP blade The active CP blade forces a failover and reboots to become the standby CP blade The new standby CP blade the active CP blade before the failover downloads firmware The new standby CP blade reboots and ...

Page 179: ...ries MP Router blade If you are running 5 1 0x firmware you cannot downgrade to earlier versions without removing the blade s 4 256 SAN Director with an FC4 48 or FC4 16IP blade If you are running 5 2 x firmware then you cannot downgrade to earlier versions without removing the blade s Do not remove blades until the EX_Ports are removed first The firmwareDownload command will indicate when blades ...

Page 180: ...firmwaredownload The following AP blades are installed in the system Slot Name Versions Traffic Disrupted 3 FC4 16IP v5 3 0 GigE 2 FA4 18 v5 3 0 Virtualization 4 FR4 18i v5 3 0 None 10 FR4 18i v5 3 0 None This command will upgrade both CPs and all AP blade s above It will temporarily disrupt the specified traffic on the AP blade s when it activates the new firmware If you want to upgrade a single ...

Page 181: ...irmware is being downloaded to the blade It may take up to 30 minutes 2 Thu Jul 28 00 30 49 2005 Slot 7 SAS Firmware is being downloaded to the blade It may take up to 30 minutes 3 Thu Jul 28 00 37 42 2005 Slot 2 SAS Firmware has been downloaded successfully to the blade 4 Thu Jul 28 00 37 42 2005 Slot 7 SAS Firmware has been downloaded successfully to the blade 5 Thu Jul 28 00 37 50 2005 Slot 2 S...

Page 182: ...g a new version of firmware in this manner ensures that you do not compromise your existing firmware because the test drive version only occupies one partition on your switch CAUTION When you test drive new firmware make sure you have disabled all features that are not supported by the original firmware before restoring to the original version To test a different firmware version on a switch 1 Ver...

Page 183: ...the firmware on the switch which completes the firmware download operations 8 Commit the firmware a Enter the firmwareCommit command to update the secondary partition with new firmware Note that it takes several minutes to complete the commit operation b Enter the firmwareShow command to confirm both partitions on the switch contain the new firmware CAUTION Stop If you have completed step 8 then y...

Page 184: ...nchronized contact your switch service provider 4 Enter the firmwareShow command and confirm that the current firmware on both partitions on both CPs is listed as expected 5 Exit the session 6 Update the firmware on the standby CP a Connect to the switch and log in as admin to the standby CP b Enter the firmwareDownload s command and respond to the prompts At this point the firmware should downloa...

Page 185: ...mit on the active CP a From the current switch session on the active CP enter the firmwareShow command and confirm that only the active CP secondary partition contains the old firmware b Enter the firmwareCommit command to update the secondary partition with the new firmware It takes several minutes to complete the commit operation Do not do anything on the switch while this operation is in proces...

Page 186: ...ded that you use the commands listed below which are all are subsets of the supportSave output All of the connected servers storage and switches should be present in the output of these commands If there is a discrepancy it is possible that a device or switch cannot connect to the fabric and further troubleshooting is necessary firmwareShow Displays the current firmware level on the switch For Dir...

Page 187: ...tion was gathered before and after issuing the firmwareDownload command If the firmware download fails to complete refer to the Fabric OS System Error Message Reference Manual for details about any error messages If a firmware download fails in a Director the firmwareDownload command synchronizes the firmware on the two partitions of each CP by starting a firmware commit operation Wait at least 10...

Page 188: ...blade ID 24 in the system B Series MP Router port blades are not supported on firmware 5 0 0 or lower so the firmware download operation is aborted Use the slotShow command to display which slot the B Series MP Router port blade is in and physically remove the blade s from the chassis Retry the firmware download operation The following items need to be addressed before downloading the specified fi...

Page 189: ...r earlier so the firmware download operation is aborted Use the slotShow command to display which slot the FR4 18i port blade is in and physically remove the blade s from the chassis Retry the firmware download operation Message SW Blade type 36 is inserted Please use slotshow to find out which slot it is in and remove it Probable cause and recommended action The firmware download operation was at...

Page 190: ...e 256 port switch with the following configuration FC4 16 blade ID 17 FC4 32 blade ID 18 on slots 1 4 and 7 10 CP4 blade ID 16 on slots 5 6 policy 1 Port based routing policy With this policy the path chosen for an ingress frame is based on 1 Ingress port on which the frame was received 2 Destination domain for the frame The chosen path remains the same if Dynamic Load Sharing DLS feature is not e...

Page 191: ...lowed to downgrade to a version that does not support IPv6 Use the ipaddrset command to change the IPv6 addresses to IPv4 addresses Message Cannot downgrade due to LSAN count is set to 3000 please disable it before proceeding Probable cause and recommended action If a switch is running v5 3 0 and the LSAN count is at 3000 then you will not be allowed to downgrade to v5 2 0 or earlier Use the fcrls...

Page 192: ... with Port Mirroring enabled Port Mirroring is not supported on firmware v5 1 0 or earlier so the firmware download operation failed Remove the mirror connections using the portMirror delete command Retry the firmware download operation Message Cannot downgrade directly to version 4 4 or lower Please downgrade to v5 1 0 or v5 0 0 first and then download the desired version Probable cause and recom...

Page 193: ...em to Fabric OS v5 0 0 or lower with long distance ports in LS mode Long distance ports in LS mode is not supported in firmware v5 0 0 or lower so the firmware download operation failed Change the long distance port setting to a supported distance setting using the portCfgLongDistance command the numerical value representing each distance level is shown in parentheses and then retry the firmware d...

Page 194: ...2 or lower Please downgrade to 5 0 or 4 4 first and then download the desired version Probable Cause and Recommended Action The firmware download operation was attempting to downgrade a system from Fabric OS v5 1 0 directly to firmware v4 2 0 or lower This firmware jump is not supported so the firmware download operation aborted L2 Specify L2 long distance to support a long distance link up to 100...

Page 195: ...elete command Retry the firmware download operation Message AP Blade type 31 is inserted Please use slotshow to find out which slot it is in and remove it Probable Cause and Recommended Action The firmware download operation was attempting to downgrade a system to Fabric OS v5 1 0 or lower with one or more FC4 16IP port blades blade ID 31 in the system FC4 16IP port blades are not supported on fir...

Page 196: ... command to disable it before proceeding Probable Cause and Recommended Action The firmware download operation was attempting to downgrade a system to Fabric OS v5 1 0 or lower and the fast write feature is enabled Fast write is not supported on firmware v5 1 0 or lower so the firmware download operation failed Disable the fast write feature using the portCfg fcipTunnel command Retry the firmware ...

Page 197: ...e download operation was attempting to downgrade a system to Fabric OS v5 1 0 or lower and trunking is enabled on an EX_Port EX_Port trunking is not supported on firmware v5 1 0 or lower so the firmware download operation failed Disable the trunking on the EX_Port using the portCfgTrunkPort command or disable trunking on all ports on the switch using the switchCfgTrunk command Retry the firmware d...

Page 198: ...mmand Retry the firmware download operation Message Cannot downgrade directly to version 4 4 or lower Please downgrade to 5 1 or 5 0 first and then download the desired version Probable Cause and Recommended Action The firmware download operation was attempting to downgrade a system directly to Fabric OS v4 4 0 or lower This firmware jump is not supported so the firmware download operation aborted...

Page 199: ...nd CP1 is running v5 0 1 on the primary partition and v4 4 0e on the secondary partition then synchronize the partitions on CP1 as follows 1 Start a telnet session on the CP with the out of sync partitions 2 Enter the firmwareCommit command which copies the primary partition to the secondary partition If there is a discrepancy in the number of switches or attached devices in the fabric after a fir...

Page 200: ...202 Installing and maintaining firmware ...

Page 201: ...TE CPs perform blade to blade switching over the Director s passive backplane contain communication ports for system management and are used for low level chassis wide tasks Port blades are used for host storage and interswitch connections On each port blade a particular port must be represented by both slot number 1 through 4 and 7 through 10 and port number When you have port blades with differe...

Page 202: ...r and area ID of 128 port number 15 has a port number and area ID of 15 For 48 port blades in the 4 256 SAN Director using FC4 48 the numbering is contiguous up to port 15 from port 16 the numbering is still contiguous but you must add 128 to each port number For example port 48 in slot 1 has a port number and area ID of 176 port number 48 has a port number and area ID of 48 When Extended edge PID...

Page 203: ...ent Note that up to 255 areas the area_ID mapping to the index is one to one Beyond this the index is similar but not exact and in some instances the area ID is shared among multiple ports These tables provide the area_ID Index assignment for the maximum number of ports used by the FC4 48 blade If your blade does not have the maximum number of ports use the lower sections of the table to determine...

Page 204: ...5 241 241 16 128 128 144 144 160 160 176 176 192 192 208 208 224 224 240 240 15 15 15 31 31 47 47 63 63 79 79 95 95 1 1 1 1 1 1 127 127 14 14 14 30 30 46 46 62 62 78 78 94 94 1 10 1 10 126 126 13 13 13 29 29 45 45 61 61 77 77 93 93 109 109 125 125 12 12 12 28 28 44 44 60 60 76 76 92 92 108 108 124 124 1 1 1 1 1 1 27 27 43 43 59 59 75 75 91 91 107 107 123 123 10 10 10 26 26 42 42 58 58 74 74 90 90 ...

Page 205: ...6 322 202 338 218 354 234 370 250 33 257 137 273 153 289 169 305 185 321 201 337 217 353 233 369 249 32 256 136 272 152 288 168 304 184 320 200 336 216 352 232 368 248 31 143 143 159 159 175 175 191 191 207 207 223 223 239 239 255 255 30 142 142 158 158 174 174 190 190 206 206 222 222 238 238 254 254 29 141 141 157 157 173 173 189 189 205 205 221 221 237 237 253 253 28 140 140 156 156 172 172 188 ...

Page 206: ...8 124 124 12 12 1 1 27 27 43 43 59 59 75 75 91 91 107 107 123 123 1 1 1 1 10 26 26 42 42 58 58 74 74 90 90 106 106 122 122 10 10 9 25 25 41 41 57 57 73 73 89 89 105 105 121 121 9 9 8 24 24 40 40 56 56 72 72 88 88 104 104 120 120 8 8 7 23 23 39 39 55 55 71 71 87 87 103 103 1 19 1 19 7 7 6 22 22 38 38 54 54 70 70 86 86 102 102 1 18 1 18 6 6 5 21 21 37 37 53 53 69 69 85 85 101 101 1 17 1 17 5 5 4 20 ...

Page 207: ... use the previous configuration and come up enabled If a previously configured B Series MP Router blade is removed and an FC4 48 FC4 32 or FC4 16 blade is plugged in then other than the port s EX_Port configuration all the remaining port configurations previously applied to the B Series MP Router FC_Ports can be used So the EX_Port configuration on those ports will be disabled before the FC4 48 FC...

Page 208: ...udes CP and port blade abbreviations and descriptions Table 54 Director terminology and abbreviations Term Abbreviation Blade ID slotshow Definition SAN Director 2 128 control processor blade CP2 5 The second generation CP blade provided with the SAN Director 2 128 This CP supports 1 2 and 4 Gbit sec port speeds It supports both the dual domain and a single domain configuration within the chassis ...

Page 209: ... FC4 16IP FC4 32 FR4 18i and FC4 48 blades 48 port 4 Gbit sec port blades FC4 48 36 A 48 port Director port blade supporting 1 2 and 4 Gbit sec port speeds in chassis mode 5 with port and exchange based routing This port blade is only compatible with the 4 256 SAN Director CP blades 16 port 4 Gbit sec port blade with 2 port 1 GbE FCIP capabilities FR4 18i 24 A16 port Fibre Channel routing and FCIP...

Page 210: ...sis wide commands display and control the single logical switch To display the status of all slots in the chassis Table 56 Supported configuration options Option Number of domains Maximum number of ports per switch Supported port blades Supported CP blades Notes 1 1 128 FC2 16 FC4 16 CP2 or CP4 Option 1 is the default configuration for SAN Director 2 128 2 2 64 64 FC2 16 CP2 5 1 384 FC4 16 FC4 16I...

Page 211: ...cal slot number Blade Type Displays the blade type SW BLADE The blade is a switch CP BLADE The blade is a control processor AP BLADE The blade is the FR4 18i blade UNKNOWN The blade is not present or its type is not recognized ID Displays the hardware ID of the blade type See Table 54 on page 210 for a list of blades and their corresponding IDs Status Displays the status of the blade VACANT The sl...

Page 212: ... FCS policy to include them If not skip this step c On sw0 enable security mode and use the secModeEnable command to create an FCS list that matches your overall fabric s FCS policy d Reset the version stamp on sw0 e If you connected sw0 and sw1 in step a and you do not want them connected disconnect the ISL link between them If you did not connect them repeat step 8b through step 8d on sw1 9 Opti...

Page 213: ...he fabric 7 If the fabric is in secure mode perform the following steps otherwise proceed to step 8 a Optionally to configure sw0 and sw1 in one operation connect them with an ISL link to form a temporary fabric b If you want sw0 and sw1 to be fabric configuration servers update the overall fabric s FCS policy to include them If not skip this step c On sw0 enable security mode and use the secModeE...

Page 214: ...turns it off This can be used to locate a particular blade To set the blade beacon mode on 1 Connect to the switch and log in as admin 1 Enter the bladeBeacon command The slotnumber is the blade on which you want to enable beacon mode this slot number must exist on the logical switch The value 1 turns beaconing mode on and 0 turns beaconing mode off switch admin bladebeacon slotnumber mode switch ...

Page 215: ...ast exchange based routing policies always employ dynamic path selection Port based routing is supported by all models Specifying the routing policy The following routing policies are supported Port based path selection Default on SAN Switch 2 8V SAN Switch 2 16V SAN Switch 2 32 SAN Director 2 128 and 4 256 SAN Director using configuration option 1 These switches support the port based policy only...

Page 216: ... tries to rebalance the route A platform conflict occurs if a static route was configured with a destination port that is currently down The static route is ignored in this case in favor of a normal dynamic route When the configured destination port comes back up the system attempts to reestablish the static route potentially causing a conflict Specifying frame order delivery The order of delivery...

Page 217: ...livery across topology changes 1 Connect to the switch and log in as admin 2 Enter the iodSet command at the command line Using Dynamic Load Sharing The exchange based routing policy depends on the Fabric OS Dynamic Load Sharing feature DLS for dynamic routing path selection When using the exchange based routing policy DLS is by default enabled and cannot be disabled In other words you cannot enab...

Page 218: ...yshow 4 domains in the fabric Local Domain ID 2 Domain 1 Metric 10500 Name fcr_xd_1_1 Path Count 1 Hops 2 Out Port 39 In Ports 35 56 Total Bandwidth 4 000 Gbps Bandwidth Demand 300 Flags D switch admin Local Domain ID Domain number of the local switch Domain Domain number of the destination switch Metric Cost of reaching the destination domain Name The name of the destination switch Path Count The...

Page 219: ...e destination domain Flags Indicates if the route is dynamic D or static S A static route is assigned using the command uRouteConfig Next Dom Port Domain number and port number of the next hop The following example displays the routing information of all the active ports The next example displays the routing information for port 1 1 on slot 1 This example displays the routing information of port 1...

Page 220: ...nformation Max hops The maximum number of hops that the pathinfo frame is allowed to traverse Domain The destination domain ID Source Port The port number or area number for SAN Director 2 128 or 4 256 SAN Director on which the switch receives frames Destination Port The output port that the frames use to reach the next hop on this path For the last hop the destination port Basic stats Basic stati...

Page 221: ...me in from on this path For hop 0 the source port Domain ID The domain ID of the switch Name The name of the switch Out Port The output port that the frames use to reach the next hop on this path For the last hop the destination port BW The bandwidth of the output ISL in Gbit sec It does not apply to the embedded port Cost The cost of the ISL used by FSPF routing protocol It only applies to an E_P...

Page 222: ...224 Routing traffic ...

Page 223: ...ckbone to talk to devices on the edge fabric A Fibre Channel router is a switch running the FC FC routing services FCR also supports interoperability with M EOS v7 x 8 x and v9 x For more information about M EOS interoperability support see Interoperating with an M EOS fabric page 255 Supported platforms FC FC Routing is supported on the following platforms HP StorageWorks B Series MP Router blade...

Page 224: ...tch and do not propagate fabric services or routing topology information from one edge fabric to another The link between an E_Port and EX_Port or VE_Port and VEX_Port is called an interfabric Link IFL You can configure multiple IFLs from a 400 MP Router a B Series MP Router blade operating in a 4 256 SAN Director using chassis configuration option 5 from additional MP Routers or from all three Th...

Page 225: ...ate communication between devices in edge fabrics with those in a backbone fabric this is not true of the MP Router Fabric ID FID Every EX_Port and VEX_Port uses the fabric ID FID to identify the fabric at the opposite end of the IFL Configure all of the EX_Ports and VEX_Ports attached to the same edge fabric with the same FID The FID for every edge fabric must be unique from each backbone fabric ...

Page 226: ...ric The second level of phantom domains is known as a translate phantom domain The EX_Ports also present translate phantom domains in edge fabrics as being topologically behind the front domains if the translate phantom domain is in a backbone fabric then it is topologically present behind the Fibre Channel router because there is no front domain in a backbone fabric The translate phantom domain i...

Page 227: ...proxy host in Fabric 2 represents the real host in Fabric 1 The host discovers and sends Fibre Channel frames to the proxy target The 400 MP Router or 4 256 SAN Director with an B Series MP Router blade receives these frames translates them appropriately then delivers them to the de The target responds by sending frames to the proxy host Hosts and targets are exported from the edge SAN to which th...

Page 228: ...how frames are routed from the source Fibre Channel FC device to the destination FC device The source or destination device can be a proxy device When frames traverse the fabric through a 400 MP Router or 4 256 SAN Director in the backbone BB the frames are routed to another EX_Port or VEX_Port Fibre Channel fabrics require that all ports EX_Ports or VEX_Ports be identified by a unique PID In a si...

Page 229: ... 5 Configuring an interfabric link on page 238 6 FC router port cost optional on page 246 7 EX_Port frame trunking optional on page 249 8 Configuring LSANs and zoning on page 243 See Configuring Directors on page 207 for more details about configuration options Performing verification checks Before configuring a fabric to connect to another fabric you must perform the following verification checks...

Page 230: ...FC router See the Fabric OS Command Reference Manual for details Assigning backbone fabric IDs If your configuration has only one backbone fabric then this task is not required because the backbone fabric ID in this situation defaults to a value of 1 All switches in a backbone fabric must have the same backbone fabric ID You can configure the backbone fabric ID using the fcrConfigure command The b...

Page 231: ...rvice is disabled switch admin fcrconfigure FC Router parameter set cr to skip a parameter Backbone fabric ID 1 128 1 switch admin fosconfig enable fcr FC Router service is enabled Configuring FCIP tunnels Optional The optional Fibre Channel over IP FCIP Tunneling Service enables you to use tunnels to connect instances of Fibre Channel SANs over IP based networks to transport all Fibre Channel ISL...

Page 232: ...onnected For example on the 400 MP Router and 4 256 SAN Director with a B Series MP Router blade specify the WWN of the Secure Fabric OS switch and the secrets On the Secure Fabric OS switch specify the WWN of the front domain EX_Port or VEX_Port and the secrets To view the front domain WWN issue the portCfgEXPort command on the Fibre Channel router side The WWN of the front domain EX_Port or VEX_...

Page 233: ...n strict mode ACL cannot support Fibre Channel routing in the fabric Before connecting an edge fabric to an FC router and before setting up the FC router in the BB verify that the Fabric Wide Consistency Policy is not in strict mode by issuing the fddCfg showall command If the Fabric Wide Consistency Policy has the S letter in it in the edge fabric or the BB fabric do not connect the edge fabric o...

Page 234: ... ports connected to the same edge fabric When this option is specified the preferred front domain ID is compared against the online ports If the preferred front domain ID is different an error message is issued and the command fails When the d option is not specified if there are online ports connected to the same edge fabric the preferred front domain ID is set to the preferred front domain ID of...

Page 235: ...e 7 10 4 Enter the portCfgShow command to view ports that are persistently disabled switch admin portcfgshow 7 10 Area Number 74 Speed Level AUTO Trunk Port OFF Long Distance OFF VC Link Init OFF Locked L_Port OFF Locked G_Port OFF Disabled E_Port OFF ISL R_RDY Mode OFF RSCN Suppressed OFF Persistent Disable OFF NPIV capability ON EX Port ON Mirror Port ON FC Fastwrite ON 5 After identifying such ...

Page 236: ...ENT U_PORT EX_PORT portType 10 0 portState 2 Offline portPhys 2 No_Module portScn 0 port generation number 0 portId 014a00 portIfId 4372080f portWwn 20 4a 00 60 69 e2 03 86 portWwn of device s connected Distance normal portSpeed N4Gbps LE domain 0 FC Fastwrite ON Interrupts 0 Link_failure 0 Frjt 0 Unknown 0 Loss_of_sync 0 Fbsy 0 Lli 0 Loss_of_sig 2 Proc_rqrd 0 Protocol_err 0 Timed_out 0 Invalid_wo...

Page 237: ...th a smaller cost For example if there are EX and VEX_Port connections to the same edge fabric the traffic will be directed through the EX_Port link Every IFL has a default cost The default router port cost values are 1000 for legacy v5 1 or XPath FCR IFL 1000 for EX_Port IFL 10 000 for VEX_Port IFL The FCR router port cost settings are 0 1000 or 10 000 If the cost is set to 0 the default cost wil...

Page 238: ... online the default port cost is used When downgrading the router switch from Fabric OS v5 2 0 or later to a prior Fabric OS version that does not support router port cost the port configuration file retains the router port cost values However they are not used by the legacy Fabric OS Legacy routers in the backbone fabric program all the router ports without considering router port cost Fabric OS ...

Page 239: ... number which is used to determine the Area_ID field of the PID and the Port_ID field Like the PIDs in a fabric a proxy PID must be unique If the slot argument results in a duplicate PID it will be ignored Proxy PIDs are automatically assigned to devices imported into a fabric starting at f001 For Proxy IDs projected to a McDATA edge fabric in McDATA fabric mode use valid ALPAs lower 8 bits See th...

Page 240: ...share the router port of the master port For information about setting up E_Port trunking on an edge fabric see Administering ISL Trunking on page 359 in this guide Supported configurations and platforms The EX_Port trunking is an FCR software feature and requires that you have the FCR trunking license installed on the FCR switch and on the edge fabric connected to the other side of the trunked EX...

Page 241: ...the configuration applies are disabled and reenabled with the new trunk configuration As a result the traffic through these ports might be disrupted for a short period of time In addition to the commands for enabling and disabling trunking you can also use the following E_Port commands for administering EX_Port Frame Trunking Use portCfgSpeed and switchCfgSpeed to set speed for a port or switch Di...

Page 242: ...are reported based on the administrative domain context As a result you must not use the network address authority NAA field in the WWN to detect an FC Router LSAN zone enforcement in the local fabric occurs only if the administration domain member list contains both of the devices local and imported device specified in the LSAN zone For more information see Managing administrative domains page 14...

Page 243: ... 1 0 or later switch then default zoning configurations will be created on each switch in the fabric v2 x v3 x v4 x or v5 0 1 switches Fabric OS v5 1 0 or later switches do not indicate that a default configuration is enabled when you use the cfgShow or cfgActvShow commands For more information about default zoning refer to Administering Advanced Zoning page 369 The following example procedure ill...

Page 244: ...P IBM DNEF 309170 F90F Fabric Port Name 20 08 00 05 1e 34 11 e5 Permanent Port Name 50 05 07 61 00 49 20 b4 The Local Name Server has 2 entries 8 Enter the zoneCreate command to create the LSAN lsan_zone_fabric2 which includes the host 10 00 00 00 c9 2b 6a 2c Target A and Target B switch admin zonecreate lsan_zone_fabric2 10 00 00 00 c9 2b c9 0c 50 05 07 61 00 5b 62 ed 50 05 07 61 00 49 20 b4 9 En...

Page 245: ...er uses this information to store only the LSAN zone entries of the remote edge fabrics that can access its local edge fabrics and also to search and do a pair match only against the specified edge fabrics The advantage is that an individual Fibre Channel router may store fewer LSAN zone entries and the LSAN zone limit supported in the backbone will not be limited by the capability of one FCR In a...

Page 246: ...detail below fcrlsanmatrix add FabricID1 FabricID2 remove FabricID1 FabricID2 apply cancel display fabricview verify quickmode CAUTION The command fcrlsanmatrix add 0 0 will erase the entire LSAN Zone Matrix settings in the cache To set up LSAN zone binding 1 Log in to the switch as admin 2 To add a pair enter the command as follows FCR Admin fcrlsanmatrix add FabricID1 FabricID2 3 To apply the ch...

Page 247: ...000 This command lets you create more LSANs on your edge fabric where needed The maximum devices supported is still 10000 This command is also supported in Secure Fabric OS The fcrlsancount command assumes that all the FCRs in the same LSAN fabric matrix or backbone have the same maximum number of LSAN count defined to protect all the FCRs from running into indefinite state Asymmetric LSAN configu...

Page 248: ...To route broadcast frames to edge fabrics or the backbone fabric FCR maintains a link state database LSDB and broadcast tree per edge fabric The LSDB is a database that contains link state records LSR of all the switches in edge fabrics Using data from the LSDB the FC router constructs a broadcast tree and routes the frame to the destination using the shortest path of the broadcast tree The IPFC o...

Page 249: ...cast frame forwarding option for an FID edge fabric or backbone fabric To disable a broadcast zone forwarding 1 Log in to the switch as admin 2 Type the following command fcr admin fcrbcastconfig disable f fabric id where fabric id is the specified FID where you want to disable frame forwarding This command disables the broadcast frame forwarding option for an FID edge or backbone fabric Upgrade a...

Page 250: ...allocated from the pool sequentially and are not resumed until the pool is exhausted and rolls over The last allocated phantom port WWN is persistently stored If the switch is disabled phantom port WWNs are not returned to the pool until the system reboots because the phantom switch might still be accessible through other switches Across the switch reboot the allocation starts from the next usable...

Page 251: ...considerations If you downgrade to a version of Fabric OS that does not support FC FC Routing Services then your FC FC routing configuration will be lost HP recommends that you enter the configUpload command to save your FC FC routing configuration before performing any downgrades If you have a 4 256 SAN Director with a B Series MP Router blade configured using chassis option 5 with the blade powe...

Page 252: ...bric with Secure Fabric OS enabled the edge fabric must have Fabric OS v3 2 v4 4 0 or later because only DH CHAP authentication is supported For a nonsecure fabric the hardware and firmware compatibility is described in Table 59 Table 59 Hardware and firmware compatibility for nonsecure fabrics HP StorageWorks model Supported version 1 Gb switches Fabric OS 2 6 1 or later SAN Switch 2 8EL SAN Swit...

Page 253: ...s connected to a switch It supplements other MIBs used to manage switches and should be used in conjunction with those other MIBs For more information refer to the Fabric OS MIB Reference Manual Link incident detection registration and reporting Provide administrative and diagnostic information Switch Connection Control SCC policy Includes switch binding security methods that prevent unauthorized ...

Page 254: ...d in a FICON environment The following port blades can exist in a FICON environment however FICON device connection to ports on these blades is not supported FC4 16IP FC4 48 FR4 18i In an Admin Domain enabled fabric you should put all of the ports on these blades in an Admin Domain other than the one used for FICON ports The ports on these blades should not belong to the zone in which FICON device...

Page 255: ... For Fabric OS 5 2 x and higher the following restrictions apply to the 4 256 SAN Director when FICON Management Server mode fmsmode is enabled and CUP protocol is used to manage the switch The switch is advertised to the mainframe via CUP as a 256 port switch due to CUP protocol limitation Port Information Block PDCM and port names are available for ports 0 through 254 only CUP is not supported o...

Page 256: ...the local RNID database ficonshow ilir fabric Displays FRU failure information on the local switch or on the fabric ficonshow lirr fabric Displays registered listeners for link incidents for the local switch or for the fabric ficonshow rlir fabric Displays link incidents for the local switch or for the fabric ficonshow rnid fabric Displays node identification data for all devices registered with t...

Page 257: ...sult in dropped frames as routes are adjusted to take advantage of the bandwidth provided By disabling DLS you ensure that there will be no dropped frames A similar situation occurs when an ISL port is taken offline and then brought back online When the ISL port goes offline the traffic on that port is rerouted to another ISL with a common destination When the ISL port comes back online and DLS is...

Page 258: ...on the switch from the default exchange based policy to the required port based policy for those switches with FICON devices directly attached For the SAN Switch 4 32 and SAN Switch 4 32B refer to the Fabric OS Command Reference Manual for details about the aptPolicy command For the 4 256 SAN Director refer to the Web Tools Administrator s Guide 5 Enter the ficonshow rnid command to verify that th...

Page 259: ...unit CU devices The Query for Security Attributes QSA response to the channel indicates that the fabric binding and IDID are enabled Figure 17 shows one viable cascaded configurations These configurations require Channel A to be configured for two byte addressing and require IDID and fabric binding There can be only two switches in the path from the channel to the control unit Figure 17 Cascaded c...

Page 260: ...Node identification data To display node identification data connect to the switch log in as user and enter any of the following commands For the local switch ficonshow switchrnid For all switches defined in the fabric ficonshow switchrnid fabric For all devices registered with the local switch ficonshow rnid For all devices registered with all switches defined in the fabric ficonshow rnid fabric ...

Page 261: ...ort swapping In the following example slot is the slot number of the port blade for a system with port blades optional portA is the original port number portB is the alternate port number You can use the portSwapShow command to display information about swapped ports in a switch You can use the portSwap command to disable the portswap feature You cannot use the portSwap command after this feature ...

Page 262: ...irector 2 128 only Use the portDisable command to disable block port 126 For 4 256 SAN Director only Use the portDisable command to disable block ports 254 and 255 Port 126 Core Switch 2 64 and 254 and 255 4 256 SAN Director are not supported in a CUP environment After fmsmode has been successfully enabled these two ports remain disabled and cannot be used either as an F_Port or an E_Port Because ...

Page 263: ...nnot use the portCfgPersistentEnable and portCfgPersistentDisable commands to persistently enable and disable ports when FICON Management Server mode is on Refer to the procedure Persistently enabling disabling ports on page 278 Changing fmsmode from disabled to enabled triggers the following events Access to switch parameters is serialized The active CUP configuration data is established as follo...

Page 264: ...d consequently will never try to communicate with it Hence it is possible that fmsmode may already be enabled on the switch If FICON Management Server mode is already enabled set up CUP as follows 1 Verify that FICON Management Server mode is enabled by entering the ficoncupshow fmsmode command If FICON Management Server mode is not enabled refer to Enabling and disabling FICON management server m...

Page 265: ...P parameters on the switch The default setting is 0 off ASM Active saved mode When this bit is set on all CUP configuration parameters are persistent meaning that they will be saved in nonvolatile storage in the initial program load IPL file that is applied upon a cold reboot or a power cycle The default setting is 1 on DCAM Switch clock alert mode When this bit is set on a warning is issued when ...

Page 266: ...s When fmsmode is enabled you cannot use the portCfgPersistentEnable and portCfgPersistentDisable commands to persistently enable and disable ports Instead use the following procedure 1 Enter the ficoncupshow modereg command to display the mode register bit settings 2 Verify that the ASM bit is set on 1 3 If the ASM bit is set off 0 enter the ficoncupset modereg asm 1 command to set it on 4 Use th...

Page 267: ...nstalled you must first disable and then re enable fmsmode If fmsmode is disabled and a FICON CUP license is installed no special action is required Zoning and PDCM considerations The FICON Prohibit Dynamic Connectivity Mask PDCM controls whether or not communication between a pair of ports in the switch is prohibited or allowed If there are any differences in restrictions set up with Advanced Zon...

Page 268: ...ir command displays among other information a tag field for the switch port You can use this tag to identify the port on which a FICON link incident occurred The tag field is a concatenation of the switch domain ID and port number in hexadecimal format The following example shows a link incident for the switch port at domain ID 120 port 93 785d in hex switch admin ficonshow rlir Fmt Type PID Port ...

Page 269: ...anagement workstation there is a section in the uploaded configuration file labeled FICON_CUP that exists in an encoded format To download configuration files with Active Saved mode enabled Enter the configDownload command The contents of existing files saved on the switch which are also present in the FICON_CUP section are overwritten The files in the FICON section of the configuration file which...

Page 270: ...ID_________ Switch ID FICON Switch Domain ID_________ Switch Cascaded Directors No _____Yes _____ Corresponding Cascaded Switch Domain ID _____ Fabric Name ________________________________ FICON Switch F_Ports Attached N_Ports E_Ports CU CPC or ISL Slot Number Port Number Port Address Laser Type LX SX Port Name Node Type CU CHNL Machine Type Model Serial Number ISL CU I F CPC CHPID ...

Page 271: ... have a unique domain ID and a unique switch ID The switch ID used in the IOCP definitions can be any value between x 00 to x FF The domain ID range for Directors is hex x 01 to x EF or decimal 1 to 239 When defining the switch IDs in the IOCP definitions ensure that you use values within the FICON Director s range The switch ID has to be assigned by the user and must be unique within the scope of...

Page 272: ...s data collected in the form of System Management Facility SMF records This data is essential for any kind of FICON channel performance troubleshooting To obtain an RMF FICON Director activity report you must include the keyword FCD in the RMF configuration file for the FICON Director this is generic for any FICON Director You must also define the CUP port In the sample below the keyword is boldfa...

Page 273: ...DEVICE DASD DIRECT ACCESS DEVICE STATISTICS WILL BE COLLECTED DEVICE GRAPH GRAPHICS DEVICE STATISTICS WILL BE COLLECTED DEVICE TAPE TAPE DEVICE STATISTICS WILL BE COLLECTED DEVICE NOUNITR UNIT RECORD DEVICE STATISTICS WILL NOT BE COLLECTED DEVICE NONMBR NO DEVICE SELECTIVITY BY DEVICE NUMBERS IOQ DASD COLLECT DASD I O QUEUING STATISTICS IOQ NOCHRDR PREVENT CHARACTER READER I O QUEUING STATISTICS I...

Page 274: ...286 Administering FICON fabrics ...

Page 275: ...eplicated on every HP StorageWorks switch within a fabric It provides an unzoned view of the overall fabric configuration This fabric topology view exposes the internal configuration of a fabric for management purposes it contains interconnect information about switches and devices connected to the fabric Under normal circumstances a device typically an FCP initiator queries the Name Server for st...

Page 276: ...owed to access the management server NOTE The msConfigure command is disabled if the switch is in secure mode Refer to the Secure Fabric OS Administrator s Guide for more information To display the management server ACL 1 Connect to the switch and log in as admin 2 Enter the msConfigure command The command becomes interactive 3 At the select prompt enter 1 to display the access list A list of WWNs...

Page 277: ...rom the ACL 14 After verifying that the WWN was deleted correctly enter 0 at the prompt to end the session 15 At the Update the FLASH prompt enter y switch admin msconfigure 0 Done 1 Display the access list 2 Add member based on its Port Node WWN 3 Delete member based on its Port Node WWN select 0 3 1 2 Port Node WWN in hex 00 00 00 00 00 00 00 00 20 00 00 20 37 65 ce aa WWN is successfully added ...

Page 278: ...hex 00 00 00 00 00 00 00 00 20 00 00 20 37 65 ce aa WWN is successfully deleted from the MS ACL 0 Done 1 Display the access list 2 Add member based on its Port Node WWN 3 Delete member based on its Port Node WWN select 0 3 2 1 MS Access List consists of 13 20 00 00 20 37 65 ce aa 20 00 00 20 37 65 ce bb 20 00 00 20 37 65 ce ff 20 00 00 20 37 65 ce 11 20 00 00 20 37 65 ce 22 20 00 00 20 37 65 ce 33...

Page 279: ... the entire fabric To disable topology discovery 1 Connect to the switch and log in as admin 2 Enter the mstdDisable command to disable the discovery feature locally A warning displays that all NID entries might be cleared switch admin msplatshow Platform Name 9 first obj Platform Type 5 GATEWAY Number of Associated M A 1 35 http java sun com products plugin Number of Associated Node Names 1 Assoc...

Page 280: ...ogy discover might erase all NID entries switch admin mstddisable This may erase all NID entries Are you sure yes y no n no y Request to disable MS Topology Discovery Service in progress MS Topology Discovery disabled locally switch admin mstddisable all This may erase all NID entries Are you sure yes y no n no y Request to disable MS Topology Discovery Service in progress MS Topology Discovery di...

Page 281: ...loads a Fabric OS kernel image The POST tests provide a quick indication of hardware readiness when hardware is powered up These tests do not require user input to function They typically operate within several minutes and support minimal validation because of the restriction on test duration Their purpose is to give a basic health check before a new switch joins a fabric These tests are divided i...

Page 282: ...ric OS Paulsa45 Paulsa45 console login 2005 03 31 20 12 42 TRCE 5000 0 INFO trace trace_buffer c line 1170 2005 03 31 20 12 42 LOG 5000 0 INFO SWSAN Switch 4 32_P45 Previous message repeat 1 time s trace_ulib c line 540 2005 03 31 20 12 43 HAM 1004 219 INFO SWSAN Switch 4 32_P45 Processor rebooted Unknown SNMP Research SNMP Agent Resident Module Version 15 3 1 4 Copyright 1989 1990 1991 1992 1993 ...

Page 283: ...he switch beaconing state either ON or OFF The switchShow command also displays the following information for ports on the specified switch Module type The SFP type if a SFP is present Port speed The speed of the Port 1G 2G 4G N1 N2 N4 or AN The speed can be fixed negotiated or auto negotiated Port state The port status Comment Displays information about the port This section might be blank or dis...

Page 284: ...ying the number that corresponds to the port you are troubleshooting In this example the status of port two is shown Refer to the Fabric OS Command Reference Manual for additional portShow command information such as the syntax for slot or port numbering switch admin uptime 4 43am up 1 day 12 32 1 user load average 1 29 1 31 1 27 switch admin switch admin portshow 2 portName portHealth HEALTHY Aut...

Page 285: ...received stat_mc_rx 0 Multicast frames received stat_mc_to 0 Multicast timeouts stat_mc_tx 0 Multicast frames transmitted tim_rdy_pri 0 Time R_RDY high priority tim_txcrd_z 0 Time BB credit zero er_enc_in 0 Encoding errors inside of frames er_crc 0 Frames with CRC errors er_trunc 0 Frames shorter than minimum er_toolong 0 Frames longer than maximum er_bad_eof 0 Frames with bad end of frame er_enc_...

Page 286: ... 0 0 0 0 0 0 0 0 0 2 0 0 12 0 0 0 0 0 0 0 0 0 0 0 2 0 0 13 0 0 0 0 0 0 0 0 0 0 0 2 0 0 14 0 0 0 0 0 0 0 0 0 0 0 2 0 0 15 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 0 0 0 0 0 0 0 0 0 0 0 0 33 0 0 0 0 0 0 0 0 0 0 0 0 0 0 34 0 0 0 0 0 0 0 0 0 0 0 0 0 0 35 0 0 0 0 0 0 0 0 0 0 0 0 0 0 36 0 0 0 0 0 0 0 0 0 0 0 0 0 0 37 0 0 0 0 0 0 0 0 0 0 0 0 0 0 38 0 0 0 0 0 0 0 0 0 0 0 0 0 0 39 0 0 0 0 0 0 0 0 0 0 0 0 0 0 40 ...

Page 287: ...ware tolerance To display the status of a power supply 1 Connect to the switch and log in as admin 2 Enter the psShow command The possible status values are OK Power supply functioning correctly Absent Power supply not present Unknown Unknown power supply unit installed Predicting failure Power supply is present but predicting failure FAULTY Power supply is present but faulty no power cable power ...

Page 288: ...r each of the two CP blades For these models you should configure syslogd to support chronological system message logs For details see Configuring for syslogd on page 302 For details on error messages refer to the Fabric OS System Error Message Reference Manual To display the system message log with no page breaks 1 Connect to the switch and log in as admin 2 Enter the errDump command at the comma...

Page 289: ...ame The payload contains the information being transported by the frame and is determined by the higher level service or FC_4 upper level protocol There are many different payload formats based on the protocol switch admin portlogshow 12 time task event port cmd args Thu Apr 14 12 07 09 2005 12 07 09 350 PORT Rx 0 40 02fffffd 00fffffd 0608ffff 14000000 12 07 09 350 PORT Tx 0 0 c0fffffd 00fffffd 06...

Page 290: ...message severities to UNIX severities as shown in Table 64 In switch admin portlogdump task event port cmd args 16 30 41 780 PORT Rx 9 40 02fffffd 00fffffd 0061ffff 14000000 16 30 41 780 PORT Tx 9 0 c0fffffd 00fffffd 0061030f 16 30 42 503 PORT Tx 9 40 02fffffd 00fffffd 0310ffff 14000000 16 30 42 505 PORT Rx 9 0 c0fffffd 00fffffd 03100062 16 31 00 464 PORT Rx 9 20 02fffc01 00fffca0 0063ffff 0100000...

Page 291: ...7 indicating a UNIX local7 facility The default is 7 It is necessary to set the facility level only if you specified a facility other than local7 in the host etc syslog conf file To remove a syslogd host from the list 1 Connect to the switch and log in as admin 2 Enter the syslogDipRemove command 3 Verify the IP address was deleted using the syslogDipShow command local7 emerg var adm swcritical lo...

Page 292: ...the files Enable the automatic transfer of trace dumps to the server Trace dumps overwrite each other by default sending them to a server preserves information that would otherwise be lost You should also set up a periodic checking of the remote server so that you are alerted if the server becomes unavailable and you can correct the problem After the setup is complete you can run the supportSave c...

Page 293: ...server 1 Connect to the switch and log in as admin 2 Enter the following command The interval is in hours The minimum interval is 1 hour Specify 0 hours to disable the checking feature To save a comprehensive set of diagnostic files to the server 1 Connect to the switch and log in as admin 2 Enter the following command switch admin traceftp e switch admin supportftp t interval switch admin support...

Page 294: ...306 Working with diagnostic features ...

Page 295: ...e is still a problem between the host and switch Most common problem areas Refer to Table 65 for a list of the most common problem areas that arise within SANs and a list of tools that can be used to resolve them Table 65 Common troubleshooting problems and tools Problem Area Investigate Tools Fabric Missing devices Marginal links unstable connections Incorrect zoning configurations Incorrect swit...

Page 296: ...nic 3 Enter the saveCore command to save or remove core files created by daemons For more details about these commands refer to the Fabric OS Command Reference Manual Troubleshooting questions Common steps and questions to ask yourself when troubleshooting a system problem are as follows 1 What is the current Fabric OS level 2 What is the switch hardware version 3 Is the switch operational 4 Impac...

Page 297: ...d 2 Review the output and determine if the device is logically connected to the switch A device that is logically connected to the switch will be registered as an F_Port or L_Port A device that is not logically connected to the switch will be registered as something other than an F_Port or L_Port 3 If the missing device is logically connected proceed to the next troubleshooting procedure To check ...

Page 298: ...ply from 10 00 00 00 c9 29 0e c4 12 bytes time 1013 usec received reply from 10 00 00 00 c9 29 0e c4 12 bytes time 1442 usec received reply from 10 00 00 00 c9 29 0e c4 12 bytes time 1052 usec received reply from 10 00 00 00 c9 29 0e c4 12 bytes time 1012 usec 5 frames sent 5 frames received 0 frames rejected 0 frames timeout Round trip min avg max 1012 1136 1442 usec Pinging 21 00 00 20 37 25 ad ...

Page 299: ... the number of successful logins and SCSI INQUIRY commands sent over this port and a list of the attached devices 5 Check the port log to determine whether or not the device sent the FLOGI frame to the switch and the switch probed the device The Local Name Server has 9 entries Type Pid COS PortName NodeName TTL sec N 021a00 2 3 20 00 00 e0 69 f0 07 c6 10 00 00 e0 69 f0 07 c6 895 Fabric Port Name 2...

Page 300: ... domain ID conflict on page 313 A switch in a secure fabric is not running Secure Fabric OS Refer to the Secure Fabric OS Administrator s Guide for additional information There are a number of settings that control the overall behavior and operation of the fabric Some of these values such as the domain ID are assigned automatically by the fabric and can differ from one switch to another in the fab...

Page 301: ...until all domain ID conflicts are resolved 1 Enter the fabricShow command on a switch from one of the fabrics 2 In a separate telnet window enter the fabricShow command on a switch from the second fabric 3 Compare the fabricShow output from the two fabrics Note the number of domain ID conflicts there might be several duplicate domain IDs that will need to be changed Determine which switches have d...

Page 302: ...out disrupting the fabric first verify fabric merge problem then edit zone configuration members and then reorder the zone member list To verify a fabric merge problem 1 Enter the switchShow command to validate that the segmentation is due to a zone issue 2 Refer to Table 66 to view the different types of zone discrepancies Table 67 Commands for debugging zoning Command Function aliCreate Use to c...

Page 303: ...e members of the configuration are the same One simple approach to making sure that the zoneset members are in the same order is to keep the members in alphabetical order To reorder the zone member list 1 Use the output from the cfgShow for both switches 2 Compare the order that the zone members are listed Members must be listed in the same order 3 Rearrange zone members so that the configuration ...

Page 304: ... and plug it back in To check the switch temperature 1 Log in to the switch as user 2 Enter the tempShow command 3 Check the temperature output Look for indications of high or low temperatures To check the power supply 1 Log in to the switch as user 2 Enter the psShow command 3 Check the power supply status Refer to the appropriate hardware reference manual for details regarding the power supply s...

Page 305: ... 5 5 id N2 Online E Port 10 00 00 05 1e 34 00 8b Dazz125 downstream Trunk master 6 id N2 No_Light 7 id N2 No_Light 8 id N1 Online L Port 4 public 1 private 1 phantom 9 id N2 No_Light 10 id N2 Online G Port 11 id N2 Online F Port 10 00 00 01 c9 28 c7 01 12 id N1 Online L Port 4 public 1 private 1 phantom 13 N2 No_Module 14 id N2 Online E Port Trunk port master is Port 15 15 id N2 Online E Port 10 0...

Page 306: ... 0 0 0 0 0 0 0 0 0 0 1 0 0 68 0 0 0 0 0 0 0 0 0 0 0 1 0 0 69 0 0 0 0 0 0 0 0 0 0 0 1 0 0 70 0 0 0 0 0 0 0 0 0 0 0 1 0 0 71 0 0 0 0 0 0 0 0 0 0 0 1 0 0 72 0 0 0 0 0 0 0 0 0 0 0 1 0 0 73 0 0 0 0 0 0 0 0 0 0 0 1 0 0 74 0 0 0 0 0 0 0 0 0 0 0 1 0 0 75 0 0 0 0 0 0 0 0 0 0 0 1 0 0 76 0 0 0 0 0 0 0 0 0 0 0 1 0 0 77 0 0 0 0 0 0 0 0 0 0 0 1 0 0 78 0 0 0 0 0 0 0 0 0 0 0 1 0 0 79 0 0 0 0 0 0 0 0 0 0 0 1 0 0 8...

Page 307: ...ffline No_Module PRESENT U_PORT LED 7 23 Offline No_Module PRESENT U_PORT LED 7 24 Offline No_Module PRESENT U_PORT LED 7 25 Offline No_Module PRESENT U_PORT LED 7 26 Offline No_Module PRESENT U_PORT LED 7 27 Offline No_Module PRESENT U_PORT DISABLED LED 7 28 Offline No_Module PRESENT U_PORT LED 7 29 Offline No_Module PRESENT U_PORT LED 7 30 Offline No_Module PRESENT U_PORT LED 7 31 Offline No_Mod...

Page 308: ...00000000 00000000 00000002 12 38 22 311 PORT scn 10 1 00000000 00000000 00000001 12 38 22 311 PORT debug 10 00000001 00654320 00000001 00000000 12 38 22 311 PORT debug 10 00000001 00654320 00000002 00000000 12 38 22 311 PORT debug 10 00000001 00654320 00000003 00000000 12 38 22 313 PORT Tx 10 164 02fffffd 00fffffd 025effff 10000000 12 38 22 314 PORT debug 10 00000001 00654320 00000003 00000000 7 1...

Page 309: ...bric OS Command Reference Manual for additional command information nframes count Specify the number of frames to send lb_mode mode Select the loopback point for the test spd_mode mode Select the speed mode for the test ports itemlist Specify a list of user ports to test Example Table 68 Component test descriptions Test Name Operands Checks crossporttest nframes count lb_mode mode spd_mode mode gb...

Page 310: ...that can be used to determine the switch components that are not functioning properly Refer to the Fabric OS Command Reference Manual for additional command information switchname admin fporttest 100 8 0xaa55 2 512 Will use pattern aa55 aa55 aa55 aa55 aa55 aa55 Running fPortTest port 8 test passed value 0 Table 69 Switch component tests Test Function portloopbacktest Functional test of port N to N...

Page 311: ...eed 4 Enter the portLogShow or portLogDump command 5 Check the events area of the output The first example is 1 Gbit sec and the second example is 2 Gbit sec sn indicates a speed negotiation NC indicates negotiation complete 01 or 02 indicate the speed that has been negotiated If these fields do not appear proceed to the step 6 6 Correct the negotiation by entering the portCfgSpeed slotnumber port...

Page 312: ...ow command 2 Refer to the comment fields refer to Table 70 and follow the suggested actions switch admin portlogdumpport 4 time task event port cmd args 11 38 21 726 INTR pstate 4 AC Table 70 SwitchShow output and suggested action Output Suggested action Disabled Check the output from the switchShow command to determine whether or not the switch is disabled If the port is disabled for example due ...

Page 313: ...nc crc too too bad enc disc link loss loss frjt fbsy tx rx in err shrt long eof out c3 fail sync sig sig 0 22 24 0 0 0 0 0 1 5m 0 7 3 0 0 0 1 22 24 0 0 0 0 0 1 2m 0 7 3 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 3 0 0 0 0 0 0 0 0 0 0 0 0 0 0 4 149m 99m 0 0 0 0 0 448 0 7 6 0 0 0 5 149m 99m 0 0 0 0 0 395 0 7 6 0 0 0 6 147m 99m 0 0 0 0 0 706 0 7 6 0 0 0 7 150m 99m 0 0 0 0 0 160 0 7 5 0 0 0 8 0 0 0 0 0 0 0 0...

Page 314: ...rt this event inaccurately to the system message log it will appear that the login was successful This scenario only occurs when the maximum number of users has been reached otherwise the login information displayed in the system message log should reflect reality Refer to Tracking and controlling switch changes on page 52 for information regarding enabling and disabling track changes TC Recognizi...

Page 315: ...b Tools Administrator s Guide for more information Port mirroring Port mirroring lets you configure a switch port as an analyzer port to mirror a specific source port and destination port traffic passing though any switch port This is a useful way to troubleshoot without bringing down the host and destination links to insert an inline analyzer Port mirroring captures traffic between two devices It...

Page 316: ...t mirroring reroutes a given connection to the mirror port where the mirror traffic takes an extra route to the mirror port When the extra route is removed the frames between the two ports goes directly to the destination port Since the frames at the mirror port could be queued at the destination port behind those frames that went directly to the destination port port mirroring drops those frames ...

Page 317: ...nly two ports are involved to capture the sent and received traffic The destination port mirrors the received from the switch s point of view traffic Traffic is received at the source port and the switch routes these frames to the destination port The destination port has a port mirror which redirects matching frames to the mirror port The mirror port then routes those frames it receives back to t...

Page 318: ...ions A mirror port can be any port on the same switch as the source identifier port Only one domain can be mirrored per chip after a domain is defined only mirror ports on the defined domain can be used For example in a three domain fabric containing switches 4100A 4100B and 4100C a mirror connection that is created between 4100A and 4100B only allows 4100A to add mirror connections for those port...

Page 319: ...d and the chunk number When removing a mirror connection always use this method to ensure that the data is cleared Deleting a connection removes the information from the database To delete a port mirror connection between two local switch ports or a local and a remote switch port 1 Log in to the switch as admin 2 Type portMirror del SourceID DestID For example to delete the port mirror connection ...

Page 320: ...21 switchId fffc79 switchWwn 10 00 00 60 69 e4 00 a0 zoning ON c switchBeacon OFF blade2 Beacon OFF Area Slot Port Media Speed State 16 2 0 N4 No_Module 17 2 1 idN2 No_Light 18 2 2 idN2 No_Light 19 2 3 idN2 No_Light 20 2 4 N4 No_Module 21 2 5 idN2 No_Light 22 2 6 idN2 No_Light 23 2 7 idN2 No_Light 24 2 8 idN1 OnlineL_Port output truncated 156 2 28 N4 No_Module 157 2 29 idN2 No_Light 158 2 30 N4 No...

Page 321: ... port are included in the zone then a port login PLOGI to a non existent virtual PID is not blocked by the switch rather it is delivered to the device attached to the NPIV port In cases where the device is not capable of handling such unexpected PLOGIs you should use WWN based zoning Enabling and disabling NPIV For Bloom based switches SAN Switch 2 32 and SAN Director 2 128 NPIV is disabled for ev...

Page 322: ...ion To view the NPIV capability of switch ports enter the portCfgShow command The following example shows whether or not a port is configured for NPIV Use the switchShow and portShow commands to view NPIV information for a given port If a port is an F_Port and you enter the switchShow command then the port WWN of the N_Port is returned For an NPIV F_Port there are multiple N_Ports each with a diff...

Page 323: ...77 switchType 32 0 switchState Online switchMode Native switchRole Principal switchDomain 99 switchId fffc63 switchWwn 10 00 00 05 1e 35 37 40 zoning OFF switchBeacon OFF Area Port Media Speed State 0 0 id N2 Online F Port 50 05 07 64 01 20 73 b8 1 1 id N2 Online F Port 50 05 07 64 01 60 73 b8 2 2 id N2 Online F Port 65 NPIV public 3 3 id N2 Online F Port 50 05 07 64 01 e0 73 b8 4 4 id N2 Online F...

Page 324: ... portWwn 20 02 00 05 1e 35 37 40 portWwn of device s connected c0 50 76 ff fb 00 16 fc c0 50 76 ff fb 00 16 f8 output truncated c0 50 76 ff fb 00 16 80 50 05 07 64 01 a0 73 b8 Distance normal portSpeed N2Gbps Interrupts 0 Link_failure 16 Frjt 0 Unknown 0 Loss_of_sync 422 Fbsy 0 Lli 294803 Loss_of_sig 808 Proc_rqrd 0 Protocol_err 0 Timed_out 0 Invalid_word 0 Rx_flushed 0 Invalid_crc 0 Tx_unavail 0 ...

Page 325: ...ance Monitoring is not supported on VE_Ports virtual FC_Ports and EX_Ports If you issue commands for any Advanced Performance Monitors on VE_Ports or EX_Ports you will receive error messages Refer to Using the FCIP Tunneling Service on page 273 for more information about VE_Ports Additional features are provided through Web Tools For additional information refer to Web Tools Administrator s Guide ...

Page 326: ... a port perfAddSCSIMonitor Add a SCSI traffic frame monitor to a port perfAddUserMonitor Add a filter based monitor to a port perfAddWriteMonitor Add a SCSI Write monitor to a port perfCfgClear Clear the performance monitoring settings from nonvolatile flash memory perfCfgRestore Restore performance monitoring settings from nonvolatile flash memory perfCfgSave Save the current performance monitori...

Page 327: ...on a port specifying the SID DID pair in hexadecimal The monitor counts only those frames with matching SID and DID Each SID or DID has three fields listed in the following order Domain ID DD Area ID AA AL_PA PP For example the SID 0x1 18a0f denotes DD 0x1 1 AA 0x8a and AL_PA 0x0f You can monitor end to end performance using the perfMonitorShow command as described in Displaying monitor counters o...

Page 328: ...sing either of following conditions For frames received at the port with the end to end monitor installed the frame SID is the same as SourceID and the frame DID is the same as DestID The RX_COUNT and CRC_COUNT are updated accordingly For frames transmitted from the port with the end to end monitor installed the frame DID is the same as SourceID and the frame SID is the same as DestID The TX_COUNT...

Page 329: ...ng a mask you can choose to have the frame match only one or two of the three fields Domain ID Area ID and AL_PA to trigger the monitor NOTE Only one mask per port can be set When you set a mask all existing end to end monitors are deleted You can specify a mask using the perfSetPortEeMask command in the form dd aa pp where dd is the domain ID mask aa is the area ID mask and pp is the AL_PA mask T...

Page 330: ...orShow command as described in Displaying monitor counters on page 347 Deleting end to end monitors Enter the perfDelEeMonitor command to delete end to end monitors You can delete all monitors or specific monitors The following example deletes the end to end monitor number 0 on slot 1 port 2 switch admin perfsetporteemask 1 11 00 00 ff 00 00 ff 00 00 ff 00 00 ff The EE mask on port 11 is set and E...

Page 331: ...n of standard filters and user defined filters except for the FC4 48 port blade For the FC4 48 port blade Ports 0 through 15 have a maximum of 12 filter monitors per port Ports 16 through 31 have a maximum of 6 filter monitors per port Ports 32 through 47 do not have filter monitors For the FC4 16IP port blade the maximum number of filters is 12 per port and 15 offsets per port The actual number o...

Page 332: ...ust all unique filter monitor resources on port 30 Therefore any additional filter monitors created on port 30 would have to be canned filter monitors SAN Switch 2 8V SAN Switch 2 16V SAN Switch 2 32 and SAN Director 2 128 models Fabric OS v4 0 0 or later Up to two different offsets per port one offset when FICON management server mode FMS is enabled 4 64 SAN Switch 400 MP Router and 4 256 SAN Dir...

Page 333: ...switch does not have enough resources to create a given filter then other filters might have to be deleted to free resources To add filter based monitors Two filter based monitors are added The first monitor 5 counts all FCP and IP frames transmitted from domain 0x02 for slot 4 port 2 The FCP and IP protocols are selected by monitoring offset 12 mask 0xff and matching values of 0x05 or 0x08 Domain...

Page 334: ...nters on page 349 Monitoring trunks For trunked ISLs on Fabric OS v4 x or higher switches monitoring is set only on the master ISL which communicates with the associated slave ISLs Note the following For Fabric OS v3 x switches monitoring can be set on slave ISLs End to end monitors are not supported for ISLs 4 16 SAN Switch and 4 8 SAN Switch Brocade 4Gb SAN Switch for HP p Class BladeSystem Broc...

Page 335: ...umber 0 through 15 The Director has a total of 10 slots Slot numbers 5 and 6 are control processor blades slots 1 through 4 and 7 through 10 are port blades For 16 port blades there are 16 ports counted from the bottom numbered 0 to 15 For 32 port blades there are 32 ports numbered 0 to 31 portnumber Specifies a port number Valid values for port number vary depending on the switch type This operan...

Page 336: ...000000000000000 switch admin perfMonitorShow class FLT 2 5 6 perfmonitorshow 21 6 0 1 2 3 4 5 6 Frames Frames Frames Frames Frames Frames Frames 0 0 0 0 0 0 0 26k 187 681 682 682 494 187 26k 177 711 710 710 534 176 26k 184 734 734 734 550 184 26k 182 649 649 649 467 182 26k 188 754 755 755 567 184 26k 183 716 716 717 534 183 26k 167 657 656 655 488 167 26k 179 749 749 749 570 179 26k 164 752 752 7...

Page 337: ...ber must be followed by a slash and the port number so that each port is represented by both slot number 1 through 4 or 7 through 10 and port number 0 through 15 The Director has a total of 10 slots Slot numbers 5 and 6 are control processor blades slots 1 through 4 and 7 through 10 are port blades For 16 port blades there are 16 ports counted from the bottom numbered 0 to 15 For 32 port blades th...

Page 338: ...ference saving to flash memory when the total number of monitors in a switch exceeds 512 If the total number of monitors per port or switch exceeds the limit then you will receive an error message indicating the count has been exceeded and that some monitors have been discarded Collecting performance data Data collected through Advanced Performance Monitoring is deleted when the switch is rebooted...

Page 339: ...d uses a common pool of credits 4 8 SAN Switch or 4 16 SAN Switch MSA SAN Switch 2 8 SAN Switch 2 8 EL SAN Switch 2 8V SAN Switch 2 16V SAN Switch 2 32 Core Switch 2 64 SAN director 2 128 Because the number of credits available for use within each port group is limited configuring ports for extended links on these models might cause other ports to become disabled if there are not enough buffer cre...

Page 340: ...d ISLs Balance the number of long distance ISL connections and core to edge ISL connections within a switch Configuring long distance ISLs between core and edge switches is possible but is not a recommended practice VC translation link initialization an option of the portCfgLongDistance command is enabled by default for long distance links To avoid inconsistency in the fabric make sure that this v...

Page 341: ...E 13 19 n a 10 km v3 x v4 x No L0 52 2 This mode is supported but cannot be configured on switches running Fabric OS v5 2 0 and later 19 34 25 km 25 km v3 1 0 v4 1 0 v4 x v5 x Yes L12 27 54 50 km 50 km All Yes L22 60 65 108 for Bloom II 100 km 60 km 100 km for Bloom II All Yes LD3 3 The dynamic long distance mode LD automatically configures the number of buffer credits required based on the actual...

Page 342: ... 0 Yes L22 56 106 n a 100 km 100 km n a v5 1 0 Yes LD Auto3 Auto Auto Auto Auto Auto v5 1 0 Yes LS4 Based on user speci fied distance Based on user speci fied distance Based on user speci fied distance Based on user specified distance Maximum is 293 km Based on user specified distance Maximum is 146 km Based on user specified distance Maximum is 73 km v5 1 0 Yes 1 For each data channel in this cas...

Page 343: ...5 km v3 1 0 v4 1 0 v4 x v5 x Yes L12 31 56 106 50 km 50 km 50 km All Yes L22 56 106 206 100 km 100 km 100 km All Yes LD3 Auto Auto Auto Auto Maximum is 500 km Auto Maximum is 250 km Auto Maximum is 100 km v3 1 0 v4 1 0 v4 4 0 v5 x depending on the model Yes LS4 Based on user speci fied distance Based on user specif ied distance Based on user specif ied distance Based on user specified distance Max...

Page 344: ... 32 SAN director 2 128 and 4 256 SAN Director FC2 16 port blades Speed Gbps Number of ports allowed at distance km 10 km 25 km 50 km 100 km 250 km 500 km 1 4 ports 4 ports L1 mode 4 ports LD mode 3 ports up to 2 ports n a n a 2 4 ports 3 ports up to 2 ports 1port n a n a 4 n a n a n a n a n a n a Table 80 SAN Switch 4 32 Speed Gbps Number of ports allowed at distance km 10 km 25 km 50 km 100 km 25...

Page 345: ... to 3 ports Up to 4 ports Up to 5 ports Up to 6 ports Up to 7 ports Up to 8 ports 1 38 km 30 km 27 2 km 26 km 25 2 km 24 4 km 24 28 km 24 km 2 19 km 15 km 13 6 km 13 km 12 6 km 12 2 km 12 14 km 12 km 4 9 5 km 7 5 km 6 8 km 6 5 km 6 3 km 6 1 km 6 07 km 6 km Table 83 4 64 SAN Switch Speed Gbps Number of ports allowed at distance km 10 km 25 km 50 km 100 km 250 km 500 km 1 64 ports 64 ports 64 ports ...

Page 346: ... ports up to 12 ports up to 5 ports up to 2 ports 0 0 Table 87 4 256 SAN Director FC4 16IP blades Speed Gbps Number of ports allowed at distance km 10 km 25 km 50 km 100 km 250 km 500 km 1 8 ports 8 ports 8 ports 8 ports 5 ports 2 ports 2 8 ports 8 ports 8 ports 6 ports 2 ports 0 port 4 8 ports 8 ports 6 ports 3 ports 0 port 0 Table 88 4 256 SAN Director FC4 32 blades Speed Gbps Number of ports al...

Page 347: ... default Under certain circumstances for example if you want extended distance between 3xxx switches this mode must be enabled set to 1 on switches running Fabric OS v3 x or v4 x Talk to your switch provider for details The ports on both ends of the ISL must have the same configuration Use only qualified SFPs To configure an extended ISL 1 Connect to the switch and log in as admin 2 If the fabric ...

Page 348: ...is limited to 63 LS 6 Specify LS mode to configure a long distance link with a fixed buffer allocation Up to a total of 250 full size frame buffers are reserved for data traffic depending on the desired distance value provided with the portCfgLongDistance command For 2Gb switches the number of frame buffers is limited to 63 Depending on the switch platform and the frame buffers availability within...

Page 349: ...per limit of the link distance to calculate buffer availability for other ports in the same port group When the measured distance is more than desired_distance the desired_distance is used to allocate the buffers In this case the port operates in degraded mode instead being disabled due to insufficient buffers For an LS mode link the actual distance is not measured instead the desired_distance is ...

Page 350: ...362 Administering Extended Fabrics ...

Page 351: ... software features on page 36 Trunking is enabled automatically when the ISL Trunking license is activated and ports are reinitialized after installing the license you enter the switchDisable and switchEnable commands and trunks are easily managed using either Fabric OS CLI commands or Web Tools You can enable and disable trunking and set trunk port speeds for example 2 Gig sec 4 Gig sec or autone...

Page 352: ...pplier When the ISL Trunking license is activated after you have entered the switchDisable and switchEnable commands trunking is automatically implemented for any eligible ISLs A license must be activated on each switch that participates in trunking To use ISL Trunking in the fabric the fabric must be designed to allow trunking groups to form To identify the most useful trunking groups evaluate th...

Page 353: ...where additional ports are available or paths are particularly critical This helps to protect against oversubscription of trunking groups multiple ISL failures in the same group and the rare occurrence of an ASIC failure To provide the highest level of reliability deploy trunking groups in redundant fabrics to further ensure ISL failures do not disrupt business operations Initializing trunking on ...

Page 354: ...and log in as admin 2 Enter the following command where interval is the number of seconds between each data gathering sample the default is one sample every second 3 Record the traffic flow for each port participating in an ISL 4 Repeat step 1 through step 3 for each switch in the fabric until all ISL traffic flow is captured In a large fabric it might be necessary to only identify and capture the...

Page 355: ...r disable ISL Trunking for all of the ports on a switch 1 Connect to the switch and log in as admin 2 Enter the switchCfgTrunk command The format is Mode 1 enables and mode 0 disables ISL Trunking for all ports on the switch The following example enables trunking all ports in the switch portcfgtrunkport slotnumber portnumber mode slotnumber Specifies the number of the slot in which the port blade ...

Page 356: ...portnumber speed_level slotnumber For bladed systems only specify the slot number of the port to be configured followed by a slash This operand is only required for switches with slots such as the SAN Director 2 128 and 4 256 SAN Director portnumber Specifies the port number relative to its slot for bladed systems speedlevel Specifies the speed of the link 0 Autonegotiating mode The port automatic...

Page 357: ...ime difference in nanoseconds divided by 10 for traffic to travel over each ISL as compared to the shortest ISL in the group The system automatically sets the minimum deskew value of the shortest ISL to 15 Master ports To display trunking information 1 Connect to the switch and log in as admin 2 Enter the trunkShow command switchcfgspeed speedlevel speedlevel Specifies the speed of the link 0 Auto...

Page 358: ... summarized in Table 87 switch admin trunkshow 1 1 1 10 00 00 60 69 04 10 83 deskew 16 Master 0 0 10 00 00 60 69 04 10 83 deskew 15 2 4 4 10 00 00 60 69 04 01 94 deskew 16 Master 5 5 10 00 00 60 69 04 01 94 deskew 15 7 7 10 00 00 60 69 04 01 94 deskew 17 6 6 10 00 00 60 69 04 01 94 deskew 16 3 14 14 10 00 00 60 69 04 10 83 deskew 16 Master 15 15 10 00 00 60 69 04 10 83 deskew 15 switch admin Table...

Page 359: ...overcommitment of buffers to ports configured for extended trunking the switches at both ends of the trunk try to disable some ports so that others can operate using the available buffers Standard trunks are not affected by buffer allocation This issue of buffer underallocation does not apply to the SAN Switch 4 32 SAN Switch 4 32B and 4 256 SAN Director models A port disabled at one end because o...

Page 360: ...ed port or buffer limited switch Reconfiguring a port to LD from another mode can result in the port being disabled for lack of buffers this does not apply to the SAN Switch 4 32 SAN Switch 4 32B and 4 256 SAN Director using FC4 16 and FC4 32 port blades If this happens In Fabric OS v4 2 x reconfigure the disabled LD port back to the original mode In Fabric OS v4 4 0 and later specify a slightly s...

Page 361: ...tion on the affected switches should a zoning operation be attempted from a remote switch in the fabric On the affected switches an error message indicates that the Zoning license is missing You can use zones to logically consolidate equipment for efficiency or to facilitate time sensitive functions for example use zoning to create a temporary zone to back up nonmember devices Any zone object conn...

Page 362: ...e 89 Table 89 Approaches to fabric based Zoning Zoning approach Description Single HBA Zoning by single HBA most closely re creates the original SCSI bus Each zone created has only one HBA initiator in the zone each of the target devices is added to the zone Typically a zone is created for the HBA and the disk storage ports are added If the HBA also accesses tape devices a second zone is created w...

Page 363: ...rsome data entry and allows an intuitive naming structure such as using NT_Hosts to define all NT hosts in the fabric Operating system Zoning by operating system has issues similar to Zoning by application In a large site this type of zone can become very large and complex When zone changes are made they typically involve applications rather than a particular server type If members of different op...

Page 364: ...e might be differences between the saved configuration and the defined configuration if the system administrator has modified any of the zone definitions and has not saved the configuration Disabled Configuration The effective configuration is removed from flash memory On power up the switch automatically reloads the saved configuration If a configuration was active when it was saved the same conf...

Page 365: ...orced Zoning prevents hosts from discovering unauthorized target devices while hardware enforced Zoning prevents a host from accessing a device it is not authorized to access Software enforced Zoning Is also called soft Zoning Name Server Zoning fabric based Zoning session based Zoning or hardware assisted Zoning Is available on 1 Gbit sec 2 Gbit sec and 4 Gbit sec platforms Prevents hosts from di...

Page 366: ...eWorks MSA SAN Switch 2 8 HP StorageWorks 2 16 EL HP StorageWorks 2 16 4 16 SAN Switch and 4 8 SAN Switch Brocade 4Gb SAN Switch for HP p Class BladeSystem Brocade 4Gb SAN Switch for HP c Class BladeSystem SAN Switch 4 32 SAN Switch 4 32B 4 64 SAN Switch 400 MP Router SAN Director 2 128 and 4 256 SAN Director models Enable hardware enforced Zoning on domain port zones and WWN zones Overlap of simi...

Page 367: ...abric with four non overlapping hardware enforced zones Figure 24 Hardware enforced non overlapping Zones Figure 25 shows the same fabric components zoned in an overlapping fashion Port_Zone1 Port_Zone2 Core Switch Zone Boundaries WWN_Zone1 WWN_Zone2 22 2b 13 2 ...

Page 368: ...s rejected 2 Gbit sec switches always deploy the hardware assist in any zone configuration see Figure 26 and Figure 27 Figure 26 Zoning with hardware assist mixed port and WWN zones Figure 27 Session based hard Zoning In Figure 27 only the ports that are overlapped are software enforced with hardware assist Port_Zone1 Core Switch Zone Boundaries WWN_Zone1 Port_Zone2 WWN_Zone2 22 3b 13 3 Port_WWN Z...

Page 369: ...fy the situation Final verification After changing or enabling a zone configuration confirm that the nodes and storage can identify and access one another Depending on the platform you might need to reboot one or more nodes in the fabric with the new changes The zone configuration is managed on a fabric basis Zoning can be implemented and administered from any switch in the fabric it is best to us...

Page 370: ...adcast zones Broadcast zoning is enforced only for Fabric OS v5 3 x or later switches If the fabric contains switches running Fabric OS versions earlier than v5 3 x then all devices connected to those switches receive broadcast packets even if they are members of a broadcast zone Broadcast zones and Admin Domains Each Admin Domain can have only one broadcast zone However all of the broadcast zones...

Page 371: ...nd would be treated as a regular zone Loop devices and broadcast zones Delivery of broadcast packets to individual devices in a loop is not controlled by the switch So adding loop devices to a broadcast zone does not have any effect If a loop device is part of a broadcast zone then all devices in that loop receive broadcast packets Best practice All devices in a single loop should have uniform bro...

Page 372: ...ch and log in as admin 2 Enter the aliCreate command 3 Enter the cfgSave command to save the change to the defined configuration To add members to an alias 1 Connect to the switch and log in as admin 2 Enter the aliAdd command 3 Enter the cfgSave command to save the change to the defined configuration To remove members from an alias 1 Connect to the switch and log in as admin 2 Enter the aliRemove...

Page 373: ... is enabled by default RCS is available on all switch versions 4 1 and later RCS guarantees that either all or none of the switches receive the new zone configuration It is recommended that you use RCS to secure a reliable propagation of the latest zone configuration If you use non RCS mode you must log in to every switch to monitor the status of the zone configuration To create a zone 1 Connect t...

Page 374: ...you want to save Defined Zoning configuration only yes y no n no y switch admin zoneadd greenzone 1 2 switch admin zoneadd redzone 21 00 00 20 37 0c 72 51 switch admin zoneadd bluezone 4 6 21 00 00 20 37 0c 66 23 switch admin cfgsave You are about to save the Defined Zoning configuration This action will only save the changes on the Defined configuration Any changes made on the Effective configura...

Page 375: ... fabric Then when you issue the cfgDisable command if the zone alias exists Zoning actually interprets the cfgDisable command as a cfgEnable command for the default zone The default zone applies to the entire fabric regardless of switch model To activate a default zone 1 Connect to the switch and log in as admin 2 Enter the cfgActvShow command to view the current zone configuration 3 If no zone co...

Page 376: ... switches Asymmetrical segmentation not only prevents frames from being exchanged between switches but also causes routing inconsistencies The best way to avoid either type of segmentation is to know the zone database size limit of adjacent switches The following tables provide the expected behavior based on different database sizes after a zone merge is specified Table 91 Zoning database limitati...

Page 377: ... Segment Segment Join Join Join Join Join Table 94 Resulting database size 128K to 256K Receiver Initiator Fabric OS 2 6 Fabric OS 3 1 Fabric OS 3 2 Fabric OS 4 0 4 1 4 2 Fabric OS 4 3 4 4 0 Fabric OS 5 0 0 5 0 1 5 1 x Fibre Channel Router XPath 7 3 Fabric OS 2 6 3 1 Segment Segment Segment Segment Segment Segment Join Segment Fabric OS 3 2 Segment Segment Join Segment Join Join Join Segment Fabri...

Page 378: ...onsiderations for managing Zoning in a fabric and more details about the maximum zone database size for each version of the Fabric OS refer to Maintaining zone objects on page 387 To create a Zoning configuration 1 Connect to the switch and log in as admin 2 Enter the cfgCreate command 3 Enter the cfgSave command to save the change to the defined configuration Table 95 Resulting database size 256K...

Page 379: ...outstanding transaction then the newly edited zone configuration that has not yet been saved is displayed If there are no outstanding transactions then the committed zone configuration displays 1 Connect to the switch and log in as admin switch admin cfgadd newcfg bluezone switch admin cfgsave You are about to save the Defined Zoning configuration This action will only save the changes on the Defi...

Page 380: ... zone Red_zone 1 0 loop1 alias array1 21 00 00 20 37 0c 76 8c 21 00 00 20 37 0c 71 02 alias array2 21 00 00 20 37 0c 76 22 21 00 00 20 37 0c 76 28 alias loop1 21 00 00 20 37 0c 76 85 21 00 00 20 37 0c 71 df Effective configuration cfg USA_cfg zone Blue_zone 1 1 21 00 00 20 37 0c 76 8c 21 00 00 20 37 0c 71 02 1 2 21 00 00 20 37 0c 76 22 21 00 00 20 37 0c 76 28 zone Red_zone 1 0 21 00 00 20 37 0c 76...

Page 381: ...o copy For example to display all zone configuration objects that start with Test 3 Enter the zoneObjectCopy command specifying the zone configuration objects you want to copy along with the new object name Note that zone configuration names are case sensitive blank spaces are ignored 4 Enter the cfgShow command to verify the new zone object is present 5 If you want the change preserved when the s...

Page 382: ...te that zone configuration names are case sensitive blank spaces are ignored switch admin cfgShow Defined configuration cfg USA_cfg Red_zone White_zone Blue_zone zone Blue_zone 1 1 array1 1 2 array2 zone Red_zone 1 0 loop1 zone White_zone 1 3 1 4 alias array1 21 00 00 20 37 0c 76 8c 21 00 00 20 37 0c 71 02 alias array2 21 00 00 20 37 0c 76 22 21 00 00 20 37 0c 76 28 alias loop1 21 00 00 20 37 0c 7...

Page 383: ... Zoning use the cfgClear and cfgSave commands or use cfgClear and cfgDisable if there is an effective configuration before connecting it to the zoned fabric Adding a new fabric that has no zone configuration information to an existing fabric is very similar to adding a new switch All switches in the new fabric inherit the Zoning configuration data If a zone configuration is in effect then the same...

Page 384: ...ve the same names defined in the configuration make sure zoneset members are listed in the same order Local and adjacent configurations If the local and adjacent zone database configurations are the same they will remain unchanged after the merge Effective configurations If there is an effective configuration between two switches the zone configuration in effect match Zone object naming If a Zonin...

Page 385: ...rge does not occur Instead a Zoning database is downloaded from the primary FCS switch of the merged secure fabric When E_Ports are active between two switches the name of the FCS server and a Zoning policy set version identifier are exchanged between the switches If the views of the two secure fabrics are the same the fabric s primary FCS server downloads the Zoning database and security policy s...

Page 386: ... Fabric Assist A switch running Fabric OS v4 1 0 or later cannot have a Fabric Assist host directly connected to it However such a switch can be part of a Fabric Assist zone if a Fabric Assist host is connected to a compatible switch in the fabric Testing Testing a new zone configuration Before implementing a zone the user should run the Zone Analyzer from Web Tools to isolate any possible problem...

Page 387: ...haring devices This enables you for example to connect one central office to different branch offices without having to merge the fabrics The port types for FCIP tunneling are either VE_Port or VEX_Port An FCIP tunnel using VE_Ports will merge the two fabrics and an FCIP tunnel using a VEX_Port will not merge the fabrics A VEX_Port can only connect to a VE_Port Fibre Channel frame encapsulation on...

Page 388: ...r blade These ports support the FCIP feature with link speeds up to 1 Gbit sec Each GbE port ge0 ge1 supports up to eight FCIP tunnels for a total of sixteen virtual ports that can be configured as either VE_Ports or VEX_Ports NOTE The ports on the 400 MP Router and B Series MP Router blade are initially persistently disabled Refer to Enable the persistently disabled ports page 371 for information...

Page 389: ...E_Ports connected over the IP WAN network joins the office and data center SANs into a single larger SAN Figure 28 Network using FCIP Port numbering Port numbering differs on individual hardware platforms The following sections detail the differences Port numbering on the B Series MP Router blade page 396 Port Numbering on the 400 MP Router page 397 Fibre Channel initiator Fibre Channel initiator ...

Page 390: ...cal Fibre Channel ports on physical GbE port ge1 refer to Figure 29 Figure 29 B Series MP Router Blade port numbering You manage the B Series MP Router blade as if it has thirty two Fibre Channel ports sixteen standard Fibre Channel ports and sixteen virtual Fibre Channel Ports Specify port addresses using the slot and port numbers For example to disable VE_Port 18 on slot 1 the syntax is portDisa...

Page 391: ...Points DSCP Layer three class of service DiffServ Code Points DSCP refers to a specific IEEE 802 1p VLAN tag priority implementation for establishing QoS policies DSCP uses six bits of the Type of Service TOS field in the 802 1p header which allows up to 64 different values to associate with data traffic priority DSCP settings are useful only if IP routers are configured to enforce QoS policies un...

Page 392: ... optional parameters such as c f or t when you create FCIP tunnels Enabling fastwrite and tape pipelining Fastwrite and tape pipelining require no parameters Both features are enabled by turning them on during the tunnel creation process They are enabled on a per FCIP tunnel basis See Configuring FCIP tunnels on page 41 1 for details Constraints for Fastwrite and Tape Pipelining Consider the const...

Page 393: ...evice With sequential devices tape drives there are 1024 initiator tape IT pairs per GbE port but 2048 initiator tape LUN ITL pairs per GbE port The ITL pairs are shared among the IT pairs For example 2 ITL pairs for each IT pair as long as the target has two LUNs If a target has 32 LUNs 32 ITL pairs for IT pairs In this case only 64 IT pairs are associated with ITL pairs The rest of the IT pairs ...

Page 394: ...400 Configuring and monitoring FCIP tunneling Figure 32 Multiple tunnels to multiple ports fastwrite and tape pipelining enabled on a per tunnel per port basis Connections must all be VEX VE ...

Page 395: ...rted configurations The following example configurations are not supported with fastwrite and tape pipelining These configurations use multiple equal cost paths Figure 33 Unsupported configurations with fastwrite and tape pipelining VE VE or VEX VEX ...

Page 396: ...e is no backwards compatibility with previous releases Release v5 3 0 or later is required in the switches blades at both ends of the FC Fastwrite flow to enable this feature How FC Fastwrite works Figure 35 shows how FC Fastwrite works Fastwrite provides a proxy target PT local to the initiator host and a proxy initiator PI local to the target storage device 1 The initiator sends a write command ...

Page 397: ...re than one device Hardware considerations FC Fastwrite is implemented in a hardware configuration consisting of two 400 MP Routers or two 4 256 SAN Directos with FR4 18i blades connected by Fibre Channel ISLs Consider the following hardware characteristics and requirements when planning to implement FC Fastwrite FC ports on both the 400 MP Router and the FR4 18i blade are organized into two group...

Page 398: ...ough 3 for the blade or switch on the other end of the FC Fastwrite path SJ3_6A1_12000_0 root fastwritecfg enable 7 WARNING Enabling FC Fastwrite will require powering off and back on the and it may take upto 5 minutes For non bladed system the switch will be rebooted Data traffic will be disrupted Continue Y y N n n y SJ3_6A1_12000_0 root fastwritecfg disable 7 WARNING Disabling FC Fastwrite will...

Page 399: ...PORT LOGICAL_ONLINE LOGIN NOELP ACCEPT portType 10 0 portState 1 Online portPhys 6 In_Sync portScn 32 F_Port port generation number 0 portId 022300 portIfId 43320004 portWwn 20 23 00 60 69 80 04 8a portWwn of device s connected 10 00 00 00 c9 2f 68 4d Distance normal portSpeed N2Gbps LE domain 0 FC Fastwrite ON Interrupts 18 Link_failure 0 Frjt 0 Unknown 0 Loss_of_sync 2 Fbsy 0 Lli 12 Loss_of_sig ...

Page 400: ...Sec uses some terms that you should be familiar with before beginning your configuration These are standardized terms but are included here for your convenience Table 100 IPSec terminology Term Definition AES Advanced Encryption Standard FIPS 197 endorses the Rijndael encryption algorithm as the approved AES for use by US Government organizations and others to protect sensitive information It repl...

Page 401: ...otiates SA parameters setting up matching SAs in the peers Some of the negotiated SA parameters include encryption and authentication algorithms Diffie Hellman group and SA lifetimes Data is transferred between IPSec peers based on the IPSec parameters and keys stored in the SA database IPSec tunnel termination SA lifetimes terminate through deletion or by timing out The first step to configuring ...

Page 402: ...d AES 256 AES 128 is the default authentication_algorithm The authentication algorithm Valid options are SHA 1 MD5 and AES XCBC IPSec only HA 1 is the default Table 101 Fixed policy parameters Parameter Fixed Value IKE negotiation protocol Main mode ESP Tunnel mode IKE negotiation authentication method Preshared key 3DES encryption Key length of 168 bits AES encryption Key length of 128 or 256 Tab...

Page 403: ...of the IKE policies defined in this example there are two IKE policies Policies cannot be modified You must delete and then recreate a policy with the newly determined parameters To delete a policy 1 Log in to the switch as admin 2 At a command prompt type policy delete type number where type is the policy type and number is the number assigned switch admin06 policy create ike 10 enc 3des auth md5...

Page 404: ...sing the commands in this section Following are the steps for configuring an FCIP tunnel 1 Enabling persistently disabled ports on page 402 2 Defining the IP interface of each virtual port on page 403 3 Configuring the GbE ports on page 404 4 Adding IP routes on a GbE port on page 404 5 Verifying IP connectivity on page 406 6 Verifying the FCIP tunnel configuration on page 413 Before you begin con...

Page 405: ... 17 switch admin06 portcfgpersistentenable 8 18 switch admin06 portcfgpersistentenable 8 19 switch admin06 portcfgshow Ports of Slot 8 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Speed AN AN AN AN AN AN AN AN AN AN AN AN AN AN AN AN Trunk Port ON ON ON ON ON ON ON ON ON ON ON ON ON ON ON ON Long Distance VC Link Init Locked L_Port Locked G_Port Disabled E_Port ISL R_RDY Mode RSCN Suppressed Persistent D...

Page 406: ...fy 1 to 239 for the preferred domain ID p pidformat Specify 1 for core 2 for extended edge and 3 for native port ID format t fabric_parameter Specify 1 to enable or 2 to disable negotiate fabric parameters For example to configure a port as a VEX_Port for slot number 8 in port number 18 enable the admin with fabric ID 2 and preferred domain ID 220 Adding or deleting IP routes on a GbE port After d...

Page 407: ...ve been successfully created switch admin06 portcfg iproute 8 ge0 create 192 168 11 0 255 255 255 0 192 168 100 1 1 switch admin06 portcfg iproute 8 ge0 create 192 168 12 0 255 255 255 0 192 168 100 1 1 switch admin06 portshow iproute 8 ge0 Slot 8 Port ge0 IP Address Mask Gateway Metric Flags 192 168 100 0 255 255 255 0 192 168 100 40 0 Interface 192 168 100 0 255 255 255 0 192 168 100 41 0 Interf...

Page 408: ...ach ping request This parameter is specified in milliseconds and the default value is 5000 milliseconds 5 sec The maximum allowed wait time for ping is 9000 milliseconds 9 sec z size Optional Specifies the size in bytes of the ping packet to use The default size is 64 bytes The total size including ICMP IP headers 28 bytes without IP options cannot be greater than IP MTU configured on the interfac...

Page 409: ... this tunnel s Disables selective acknowledgement code SACK on the specified tunnel f Enables fastwrite n remote_wwn Specifies the remote side FC entity WWN k timeout Specifies the keep alive timeout in seconds The range of valid values is 8 through 7 200 sec and the default is 10 If tape pipelining is enabled both the default and minimum values are 80 sec r retransmissions Specifies the maximum n...

Page 410: ...values is 1 through 16 If tape pipelining is enabled the number of retransmissions is calculated based on the minimum retransmit time to ensure that the tunnel does not time out before the host times out about 80 sec If you change this value the value specified must be greater than the calculated value s 0 1 SACK ON 1 SACK OFF 0 on the existing FCIP tunnel t 0 1 Enables 1 Disables 0 tape pipelinin...

Page 411: ...PSec has been enabled and a policy added to the configuration you will see the policy information under the status section of the output as shown below The policy information is visible only when IPSec is configured and is displayed with the information shown in the example above when the portShow command is issued After FCIP tunnels are created the configuration is saved in a persistent database ...

Page 412: ...AN001 switchBeacon OFF blade3 Beacon OFF blade4 Beacon OFF blade8 Beacon OFF FC Router ON FC Router BB Fabric ID 1 Area Slot Port Media Speed State 32 3 0 id N4 Online F Port 50 03 0d 30 0d 13 00 09 33 3 1 id N4 Online F Port 50 03 0d 30 0d 13 00 11 34 3 2 id N4 Online F Port 50 03 0d 30 0d 13 00 13 35 3 3 id N4 Online F Port 50 03 0d 30 0d 13 00 15 36 3 4 id N2 Online F Port 21 00 00 e0 8b 08 bd ...

Page 413: ...kbone fabric will use VEX_Ports for a single tunnel If an FCIP tunnel fails with the Disabled Fabric ID Oversubscribed message the solution is to reconfigure the VEX_Port to the same Fabric ID as all of the other ports connecting to the edge fabric WAN performance analysis tools Introduced in Fabric OS 5 2 0 WAN analysis tools are designed to estimate the end to end IP path performance characteris...

Page 414: ...e active tunnel will compete for the same network bandwidth as the ipPerf session Unless you have a method to quiesce all storage traffic over the FCIP tunnel during ipPerf testing you might experience undesirable interactions FCIP port bandwidth Allocation of the FCIP GbE port bandwidth behaves exactly the same for ipPerf as for FCIP tunnels If bandwidth is allocated for FCIP tunnels the ipPerf s...

Page 415: ...oth the host source mode S option and receiver sink mode R option See WAN Tool IpPerf syntax on page 418for more information about specifying source and sink mode Figure 36 WAN Tool performance characteristics Characteristic Description Bandwidth Indicates the total packets and bytes sent Bytes second estimate are maintained as a weighted average with a 30 second sampling frequency and also as an ...

Page 416: ...observed in the last display interval using the following units MBps megabytes per second Mbps megabits per second KBps kilobytes per second Kbps kilobits per second Bps bytes per second bps bits per second Third column The 30s weighted bandwidth WAN Tool IpPerf syntax When using the portCmd ipPerf option you must specify the following Source IP address If the ipPerf is started with S source mode ...

Page 417: ...layer If a size is not specified the maximum size data buffer will be used based on the outgoing IP interface MTU The size is the only buffer size that will be handed over to the TCP layer t time Total time in seconds to run the test traffic stream If a time is not specified the test will run continuously until the command is explicitly aborted ctrl C The maximum allowed size is 1MSS If you plan t...

Page 418: ...Bps lifetime avg 2013762456 compressed Bytes 33208083 Bps 30s avg 4760667 Bps lifetime avg 7 35 compression ratio FC control traffic TCP connection Local 192 175 4 100 4139 Remote 192 175 4 200 3225 Performance stats 849 output packets 0 pkt s 30s avg 2 pkt s lifetime avg 173404 output Bytes 39 Bps 30s avg 409 Bps lifetime avg 0 packets lost retransmits 0 00 loss rate 30s avg 806 input packets 0 p...

Page 419: ...old 1875000 Bytes operational mode slow start 2 packets queued TCP sequence MIN 2950582519 MAX 2950582655 NXT 2950582655 2 packets in flight Send Unacknowledged TCP sequence 2950582519 recovery retransmit timeout 500 ms duplicate ACKs 0 retransmits 0 max retransmits 8 loss recovery fast retransmits 0 retransmit timeouts 0 Receiver stats advertised window 1874944 Bytes max 1874944 negotiated window...

Page 420: ...0 00 00 05 1e 37 00 20 Compression off Fastwrite on Tape Pipelining on Uncommitted bandwidth minimum of 1000 Kbps 0 001000 Gbps SACK on Min Retransmit Time 100 Keepalive Timeout 80 Max Retransmissions 9 Status Active Uptime 1 day 23 hours 24 minutes 46 seconds IKE Policy 7 Authentication Algorithm MD5 Encryption 3DES Perfect Forward Secrecy off Diffie Hellman Group 1 SA Life seconds 200000 IPSec P...

Page 421: ...ry few device drivers still behave this way Many current device drivers enable you to select static PID binding as well as WWN binding You should only select static binding if there is a compelling reason and only after you have evaluated the impact of doing so Summary of PID formats Switches running Fabric OS 5 1 x employ these types of PID formats VC encoded This is the format defined by the 100...

Page 422: ...ents the hosts and target HBAs in a SAN need to know the full 24 bit PIDs of the hosts and targets they are communicating with but they do not care how the PIDs are determined But if a storage device PID is changed the host must reestablish a new binding which requires the host to be rebooted With the introduction of the 4 16 SAN Switch and 4 8 SAN Switch SAN Switch 2 8V SAN Switch 2 16V SAN Switc...

Page 423: ...of Fabric OS in use for example Extended Edge PID format is only available in Fabric OS v2 6 2 and later Fabric OS v3 1 2 and later and Fabric OS v4 2 0 and later If you are building a new fabric with switches running various Fabric OS versions use Core PID format to simplify port to area_ID mapping NOTE Switches that are queried using outside calls should be configured using PID 1 core PID to ens...

Page 424: ...re bound statically and it is not possible to reboot convert existing fabric to Extended Edge PID format upgrading the version of Fabric OS if necessary Use Extended Edge PID format for new switch Host reboot is not required v4 2 0 and later 1 Convert existing fabric to Core PID format upgrading the version of Fabric OS if necessary Set Core PID format for new switch Host reboot is required 2 If d...

Page 425: ...ers do not automatically bind by PID but allow the operator to manually create a PID binding For example persistent binding of PIDs to logical drives might be done in many HBA drivers Make a list of all devices that are configured this way If manual PID binding is in use consider changing to WWN binding The following are some of the device types that might be manually configured to bind by PID HBA...

Page 426: ...all devices attached to the fabric be offline With careful planning it should be safe to update the core PID format parameter in a live production environment This requires dual fabrics with multipathing software Avoid running backups during the update process as tape drives tend to be very sensitive to I O interruption The online update process is only intended for use only in uptime critical dua...

Page 427: ...propriate to the SAN This usually involves starting up the storage arrays first and the hosts last 9 For any devices manually bound by PID bring the device back online but do not start applications Update their bindings and reboot again if necessary This might involve changing them to the new PIDs or might preferably involve changing to WWN binding 10 For any devices automatically bound by PID reb...

Page 428: ... uses the same PID mapping for the first 16 ports and can support switches and Directors with higher port counts However because Extended Edge format only supports 128 ports per domain its use can lead to port addressing issues in Directors Use the following procedure only if your fabric contains devices that are bound statically and you cannot reboot the host PID format name Management interface ...

Page 429: ...d Edge PID Format 2 on each switch See Figure 18 for a sample configure command on a switch running Fabric OS v3 1 2 and later and see Figure 18 for a sample configure command on a switch running Fabric OS 4 2 0 and later b Run the switchEnable command all switches c Verify that all the switches form a fabric d Use the switchShow command to verify the interswitch links ISLs are correct and the dev...

Page 430: ...D Format configure Configure Fabric parameters yes y no n no y Domain 1 239 11 R_A_TOV 4000 120000 10000 E_D_TOV 1000 5000 2000 WAN_TOV 0 30000 0 MAX_HOPS 7 19 7 Data field size 256 2112 2112 Sequence Level Switching 0 1 0 Disable Device Probing 0 1 0 Suppress Class F Traffic 0 1 0 Switch PID Format 1 2 1 2 Per frame Route Priority 0 1 0 Long Distance Fabric 0 1 0 BB credit 1 27 16 Insistent Domai...

Page 431: ...swap operation when you enable Extended Edge also known as displaced PID PID on the Director If you are using Extended Edge PID format for example the 4 256 SAN Director with configuration option 5 and would like to map the output of the port number to the area ID use the following formula for ports 0 127 where aarea pport number modulus or remainder a p 16 128 0 p 128 ...

Page 432: ...he PID format When the port number is greater than or equal to 128 the area ID and port number are the same Figure 37 shows a 4 256 SAN Director with Extended Edge PID Figure 37 4 256 SAN Director with Extended Edge PID ...

Page 433: ...ed in a stand alone manner on a non production fabric or a switch that has not yet joined a fabric 1 Ensure that all switches in the fabric are running Fabric OS versions that support the addressing mode It is recommended that you use v2 6 2 for 1 GB switches v3 1 2 for 2 8EL and 2 16 SAN switches v4 2 0 for HP StorageWorks Core Switch 2 64 and SAN Director 2 128 Directors as well as SAN Switch 2 ...

Page 434: ...g umount The proper usage would be umount mount_point For example umount mnt jbod 4 If you are using multipathing software use that software to remove one fabric s devices from its configuration 5 Deactivate the appropriate volume groups using vgchange The proper usage would be vgchange a n path_to_volume_group For example vgchange a n dev jbod 6 Make a backup copy of the volume group Directory us...

Page 435: ...the core switches first then the edges AIX procedure This procedure is not intended to be comprehensive It provides a starting point from which a SAN administrator can develop a site specific procedure for a device that binds automatically by PID and cannot be rebooted due to uptime requirements 1 Backup all data Verify backups 2 If you are not using multipathing software stop all I O going to all...

Page 436: ...ou are using multipathing software re enable the affected path 16 Repeat for all fabrics Swapping port area IDs If a device that uses port binding is connected to a port that fails you can use port swapping to make another physical port use the same PID as the failed port The device can then be plugged into the new port without the need to reboot the device Use the following procedure to swap the ...

Page 437: ...inistrator guide 439 5 Verify that the port area IDs have been swapped portswapshow A table is shows the physical port numbers and the logical area IDs for any swapped ports 6 Disable the port swap feature portswapdisable ...

Page 438: ...440 Configuring the PID format ...

Page 439: ... compatible is required For more infoirmation on supported switches and firmware versions access the HP StorageWorks Fabric Interoperability Merging Fabrics Based on M Series and B Series Fibre Channel Switches application notes http www hp com country us eng prodserv storage html Important variables that determine the supportability of a particular mixed vendor SAN include the number of switches ...

Page 440: ...p Fabric Assist Remote Switch Extended Fabrics Trunking Alias Server Platform Service Virtual Channels FCIP Configuration recommendations The following is recommended when configuring an interoperable fabric Avoid domain ID conflicts before fabric reconfiguration Every switch in the fabric must have a unique domain ID When you are configuring multiple switches you should wait for a fabric reconfig...

Page 441: ...rt 5 When a zoning configuration is not in effect by default all ports are isolated and traffic is not permitted This is unlike HP StorageWorks switch behavior where Interoperability mode is off and all data traffic is enabled If using default zoning no device can communicate with any other device in the fabric if zoning has been disabled on an HP StorageWorks switch Refer to the section Activatin...

Page 442: ...ity mode on the fabric refer to Configuration recommendations and Configuration restrictions on page 442 2 Connect to the switch and log in as admin 3 Enter the switchDisable command to disable the switch 4 Use the configure command to set the domain ID to a number in the range from 97 to 126 For detailed instructions refer to Working with domain IDs on page 40 5 Enter the interopmode 1 command to...

Page 443: ... removing each switch 6 Each non HP StorageWorks switch might require the execution of a similar command to disable interoperability 7 Repeat this procedure on all HP StorageWorks switches in the fabric switch admin switchdisable switch admin interopmode 0 The switch effective configuration will be lost when the operating mode is changed do you want to continue yes y no n no y done Interopmode is ...

Page 444: ...446 Configuring McData Open Fabric mode ...

Page 445: ...tch 2 32 SAN Switch 4 32 SAN Director 2 128 Default account names root factory admin user root factory admin user root factory admin user Account name changing feature No No regardless of security mode N A Maximum and minimum amount of characters for a password 0 8 Standard UNIX 8 40 characters with printable ASCII 8 40 characters with printable ASCII Note The minimum password length for 5 1 x is ...

Page 446: ...er does not require old password For example users connect as admin old admin password is required to change the admin password But old user password is not required to change the user password Can passwd change higher level passwords For example can admin change root password Yes but will ask for the old password of the higher level account example root Yes if users connect as admin they can chan...

Page 447: ...lt password will be prompted for change The accounts with non default password will NOT be prompted Is a user forced to answer password prompts before getting access to the firmware No users can type in Ctrl c to get out of password prompting No users can type in Ctrl c to get out of password prompting Do users need to know the old root password when answering prompting Yes in v4 0 0 No in v4 0 2 ...

Page 448: ... same permissions as the user role Downgrades to v5 0 1 preserve all existing default accounts MUA accounts and passwords When downgrading to an older firmware at subsequent times which passwords will be used Downgrades to v4 4 0 preserve all existing default accounts MUA accounts and passwords MUA accounts with the switchAdmin role have the same permissions as the user role Downgrades to v5 0 1 p...

Page 449: ...covery string Refer to Setting the Boot PROM Password on page 1 12 for instructions on setting the password with a recovery string How do I recover a user admin or factory password Refer to Recovering Forgotten Passwords on page 1 16 Table 107 Password recovery options continued Topic v4 0 0 v4 1 0 and later ...

Page 450: ...452 Understanding legacy password behaviour ...

Page 451: ...orts all fabric services including distributed name service registered state change notification and alias service Distributed management Management tools such as Advanced Web Tools Fabric OS and SNMP are available from both the local switch and the remote switch Switch management is routed through the Fibre Channel connection thus no additional network connection is required between sites Support...

Page 452: ...e Fabric Parameters without changing their values until you reach the parameter you want to modify 6 Specify a new parameter value that is compatible with your gateway device 7 Press Enter to scroll through the remainder of the configuration parameters Make sure that the configuration changes are committed to the switch 8 Repeat for all switches in the fabrics to be connected through a gateway dev...

Page 453: ...a defined configuration Switch B with a defined configuration defined none effective none defined cfg1 zone1 ali1 ali2 effective none Switch A will absorb the configuration from the fabric Switch A does not have a defined configuration Switch B with a defined configuration defined none effective none defined cfg1 zone1 ali1 ali2 effective cfg1 Switch A will absorb the configuration from the fabric...

Page 454: ...efined cfg1 zone1 ali1 ali2 effective irrelevant defined cfg1 zone2 ali1 ali2 effective irrelevant Fabric segments due to Zone Conflict content mismatch Same content different alias name defined cfg1 ali1 A B effective irrelevant defined cfg1 ali2 A B effective irrelevant Fabric segments due to Zone Conflict content mismatch Same name different types effective zone1 MARKETING effective cfg1 MARKET...

Page 455: ... unlicensed ports 42 AD0 150 AD255 150 adding a new switch or fabric 383 Admin Domain members 161 alias members 372 and removing FICON CUP licenses 267 custom filter based monitors 332 end to end monitors 328 filter based monitors 331 members to a zone configuration 379 port mirror connection 319 RADIUS configuration 80 standard filter based monitors 331 switches to a zone 383 zone members 374 ADL...

Page 456: ... 96 secure telnet 87 security 87 SSH 87 SSL 87 92 93 switch 93 troubleshooting 97 changes to configuration data 422 changing an account password 69 RADIUS configuration 81 RADIUS servers 81 SNMP MIB trap values 105 SNMP values 103 switch names 39 to core PID format 427 to extended edge PID format 428 CHAP account policies 77 enabling 77 chassis name 40 chassisshow command 50 checking connected swi...

Page 457: ... security levels 99 server database 278 SNMP 98 SNMP traps 98 SSH client 89 SSL 92 SSL protocol 92 switch 79 257 switch for RADIUS 79 switch FICON environment 257 switch RADIUS client 76 switch single 258 syslogd 290 telnet interface 89 Windows RADIUS client 77 zone rules for 369 connecting multiple EX_Ports to an edge fabric 229 other devices 48 other switches 48 connecting to devices 48 connecti...

Page 458: ...ration 80 switch 47 disabling and enabling a port 47 disabling and enabling a switch 40 disabling and enabling cards 207 disabling interoperability mode 442 displaying CRC error count 327 end to end mask 330 node identification data FICON environments 260 RADIUS configuration 79 registered listeners for link incidents FICON environment 260 displaying additional help topics 23 displaying and cleari...

Page 459: ...ascaded configuration 254 changing domain id 40 configuration settings 257 disabling IDID mode 256 displaying link incidents 256 registered listeners for link incidents 260 enabling IDID mode 256 high integrity fabric 254 identifying port swapping nodes 261 monitoring FRU failures 261 node identification data displaying 260 switched point to point configuration 254 switches configuring 257 FICON M...

Page 460: ...erswitch link 48 IP switch address 39 IP security 400 ipAddrSet 29 43 45 IPComp 400 IP NAT 228 IPSec 400 changeable parameters 402 fixed parameters 402 ISL 48 387 maximums 48 J Java support SSL 92 Java version 92 K key transaction for licensed features 37 L legacy FCR switches 252 license ID 37 license key activating 37 licenseadd command 38 licensed features 36 licenseIdShow 37 licenseremove comm...

Page 461: ...t information 445 password migration during firmware changes 448 password policies 68 password prompting behaviors 447 password recovery options 448 password strength policy 69 passwords recovering forgotten passwords 85 perfaddeemonitor command 328 perfaddIPmonitor command 331 perfaddusermonitor command 332 perfcfgrestore command 338 perfcfgsave command 338 perfdeleemonitor command 330 perfdelfil...

Page 462: ...ion information 269 recovering accounts 67 recovering forgotten passwords 85 recovery password 84 recovery string 82 recovery string boot PROM password 82 registered listeners 260 related documentation 17 remote access policies 78 remote switch 451 remove feature 38 removing Admin Domain members 161 end to end monitors 330 filter based monitors 333 licensed feature 38 removing members zone 374 rem...

Page 463: ...words 32 setting the IP address 29 32 setting the security level 99 setting the switch date and time 32 setting up automatic trace dump transfers 292 setting up RADIUS AAA service 74 settings changing passwords 27 CHAP local security 77 date and time 32 PROM password 82 83 84 84 security level 99 SNMP 103 SNMP default values 104 setup summary 262 shared secrets managing 132 SID 316 SLAP 232 slotSh...

Page 464: ...telnet configuring 89 support overview 22 telnet connection 25 temperature status of 288 text symbols 18 time 32 time and date 32 time zones 32 36 tools cli overview 22 tracking and controlling switch changes 51 traffic patterns planning for 353 transaction key 37 traps MIB 98 SNMP 98 SNMP MIB traps 105 troubleshooting 268 certicates 97 corrupt certificate 97 invalid certificate 97 port mirroring ...

Page 465: ...criber s choice 19 Web Tools access methods 22 support overview 22 Windows RADIUS configuring 77 working with domain IDs 40 WWN 39 X xlate domains 226 Z zone adding members 374 adding switches 383 aliases creating and managing 372 configuring rules 369 creating 373 creating a configuration 378 deleting 374 deleting a configuration 379 optimizing resources 361 removing members 374 viewing 374 viewi...

Reviews:

No comments