HP AE370A - Brocade 4Gb SAN Switch 4/12 Administrator'S Manual Download

Page: 84 / 447

Configuring standard security features

The security protocols are designed with the four main usage cases described in

Table 18

Ensuring network security

To ensure security, Fabric OS supports secure shell (SSH) encrypted sessions in v4.1.x and later. SSH

encrypts all messages, including the client’s transmission of password during login. The SSH package

contains a daemon (sshd), which runs on the switch. The daemon supports a wide variety of encryption

algorithms, such as Blowfish-CBC and AES.

NOTE:

To maintain a secure network, you should avoid using telnet (you can use secTelnet if you are

using FOS 2.6 or later, or 3.1 or later) or any other unprotected application when you are working on the

switch. For example, if you use telnet to connect to a machine, and then start an SSH or secure telnet

session from that machine to the switch, the communication to the switch is in clear text and therefore is not

secure.

The FTP protocol is also not secure. When you use FTP to copy files to or from the switch, the contents are

in clear text. This includes the remote FTP server's login and password. This limitation affects the following

commands:

saveCore

configUpload

configDownload

, and

firmwareDownload

Commands that require a secure login channel must be issued from an original SSH session. If you start an

SSH session, and then use the login command to start a nested SSH session, commands that require a

secure channel will be rejected.

Table 18

Main security scenarios

Fabric

Management

interfaces

Comments

Nonsecure

No special setup is needed to use telnet or HTTP.

An HP switch certificate must be installed if

sectelnet is used.

Nonsecure

Secure

Secure protocols may be used. An SSL switch

certificate must be installed if SSH/HTTPS is used.

Secure

Secure protocols are supported on Fabric OS

4.4.0 (and later) switches. Switches running

earlier Fabric OS versions can be part of the

secure fabric, but they do not support secure

management.
Secure management protocols must be configured

for each participating switch. Nonsecure protocols

may be disabled on nonparticipating switches.
If SSL is used, then certificates must be installed.

Secure

Nonsecure

You must use sectelnet because telnet is not

allowed in secure mode.
Nonsecure management protocols are necessary

under these circumstances:

•

The fabric contains switches running

Fabric OS 3.2.0.

•

The presence of software tools that do not

support Secure protocols: for example, Fabric

Manager 4.0.0.

•

The fabric contains switches running Fabric OS

versions earlier than 4.4.0. Nonsecure

management is enabled by default.

Summary of Contents for AE370A - Brocade 4Gb SAN Switch 4/12

Page 1: ...HP StorageWorks Fabric OS 5 2 x administrator guide Part number 5697 0014 Fifth edition May 2009 ...

Page 2: ...rior written consent of Hewlett Packard The information is provided as is without warranty of any kind and is subject to change without notice The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services Nothing herein should be construed as constituting an additional warranty HP shall not be liable for technical or edito...

Page 3: ...fault passwords at login 26 Configuring the Ethernet interface 26 How to display network interface settings 27 Static Ethernet addressing summary 27 How to set static addresses for the Ethernet network interface 27 Configuring DHCP 28 DHCP summary 28 How to enable DHCP 28 How to disable DHCP 28 Setting the date and time 29 Setting time zones 29 How to set the time zone 30 How to set the time zone ...

Page 4: ...Configuring the audit log 51 Auditable Event Classes 51 How to verify host syslog prior to configuring the audit log 52 How to configure an audit log for specific event classes 53 Shutting down switches and Directors 53 To power off a Director gracefully Prior to 5 1 0 53 To power off a switch gracefully 5 1 0 and later 54 High availability of daemon processes 54 3 Managing user accounts 55 Overvi...

Page 5: ...and disable a RADIUS server 76 How to delete a RADIUS server from the configuration 76 How to change a RADIUS server configuration 76 How to change the order in which RADIUS servers are contacted for service 76 Enabling and disabling local authentication as backup 77 Setting the boot PROM password 77 SSSetting the boot PROM password with a recovery String 77 4 8 and 4 16 SAN Switch SAN Switch 2 8V...

Page 6: ...106 Creating a DCC policy 106 Examples of creating DCC policies 107 Creating an SCC policy 107 Saving changes to ACL policies 108 Activating changes to ACL policies 108 Adding a member to an existing policy 109 Removing a member from a policy 109 Deleting a policy 109 Aborting all uncommitted changes 110 Distributing the policy database 110 Configuring the database distribution settings 111 Distri...

Page 7: ...ntext 143 Executing a command in a different AD context 143 Displaying an Admin Domain configuration 144 Switching to a different Admin Domain context 144 Performing zone validation 145 Admin Domain interactions 145 Admin Domains zones and zone databases 146 Admin Domains and LSAN zones 147 Configuration upload and download in an AD context 148 8 Installing and maintaining firmware 149 About the f...

Page 8: ...fic 191 About data routing and routing policies 191 Specifying the routing policy 191 Assigning a static route 192 Specifying frame order delivery 192 Using Dynamic Load Sharing 193 Viewing routing path information 194 Viewing routing information along a path 196 11Using the FC FC routing service 199 Supported platforms 199 Fibre Channel routing concepts 199 Front domain consolidation 202 Supporte...

Page 9: ...ty modes 229 Configuring the FC router 229 Configuring M Series or McDATA for interconnection 232 LSAN zoning with McDATA 235 Completing the configuration 236 12Administering FICON fabrics 239 Overview of Fabric OS support for FICON 239 Supported switches 240 4 256 Director and SAN Switch 4 32 FICON notes 240 Types of FICON configurations 241 Control Unit Port CUP 241 FICON commands 242 Security c...

Page 10: ...h 277 Viewing and saving diagnostic information 278 Setting up automatic trace dump transfers 278 15Troubleshooting 281 Most common problem areas 281 Gathering information for technical support 282 Troubleshooting questions 282 Analyzing connection problems 283 To check for zoning problems 286 Restoring a segmented fabric 286 To reconcile fabric parameters individually 286 To download a correct co...

Page 11: ...ng filter based performance 317 Adding standard filter based monitors 317 Adding custom filter ased monitors 318 Deleting filter based monitors 319 Monitoring ISL performance 320 Monitoring trunks 320 Displaying monitor counters 321 Clearing monitor counters 323 Saving and restoring monitor configurations 324 Collecting performance data 324 18Administering Extended Fabrics 325 About extended link ...

Page 12: ...ng configurations 358 To create a Zoning configuration 358 To add zones members to a Zoning configuration 358 To remove zones members from a zone configuration 359 To delete a zone configuration 359 To clear changes to a configuration 359 To view all zone configuration information 359 To view selected zone configuration information 360 To view a configuration in the effective zone database 360 Mai...

Page 13: ...re 394 AIX procedure 395 Swapping port area IDs 396 B Configuring interoperability mode 399 Vendor switch requirements 399 HP StorageWorks switch requirements 399 Supported features 400 Unsupported HP StorageWorks Features 400 Configuration recommendations 400 Configuration restrictions 400 Zoning restrictions 401 Zone name restrictions 402 Enabling and disabling interoperability mode 402 To enabl...

Page 14: ...a zone set name in SAN Pilot 229 16 Cascaded configuration two switches 239 17 Cascaded configuration three switches 239 18 Setting end to end monitors on a port 308 19 Proper placement of end to end performance monitors 309 20 Mask positions for end to end monitors 310 21 Distribution of traffic over ISL Trunking groups 327 22 Zoning example 338 23 Hardware enforced non overlapping Zones 343 24 H...

Page 15: ...es Product Model Brocade 200E switch HP StorageWorks 4 8 SAN Switch or HP StorageWorks 4 16 SAN Switch Brocade 3250 switch switch HP StorageWorks SAN Switch 2 8V Brocade 3850 switch HP StorageWorks SAN Switch 2 16V Brocade 3900 switch HP StorageWorks SAN Switch 2 32 Brocade 4100 switch HP StorageWorks SAN Switch 4 32 Brocade 4900 switch HP StorageWorks 4 64 SAN Switch Brocade 24000 Director HP Sto...

Page 16: ...See the Brocade Glossary supporting Fabric OS 5 2 x for a complete list of terms and definitions Access from the HP web site using the procedure outlined in Related documentation Document conventions and symbols WARNING Indicates that failure to follow directions could result in bodily harm or death Table 2 Document conventions Convention Element Medium blue text Figure 1 Cross reference links and...

Page 17: ...vement calls may be recorded or monitored HP strongly recommends that customers sign up online using the Subscriber s choice web site http www hp com go e updates Subscribing to this service provides you with e mail updates on the latest product enhancements newest versions of drivers and firmware documentation updates as well as instant access to numerous other product resources After signing up ...

Page 18: ...18 ...

Page 19: ...ferences As a result of the differences between fixed port and variable port devices procedures sometimes differ among models As new models are introduced new features sometimes apply only to those models When procedures or parts of procedures apply to some models but not others this guide identifies the specifics for each model For example a number of procedures that apply only to variable port d...

Page 20: ...g To manage a switch using telnet SSH2 session into SNMP or Web Tools the switch must be connected to a network through the switch Ethernet port out of band or from the Fibre Channel in band The switch must be configured with an IP address to allow for the network connection Refer to the installation guide for your specific switch for information on physically connecting to the switch You can acce...

Page 21: ...l Help topics The following commands provide help files for specific topics NOTE At the time of printing IBM Fibre Connections FICON is not supported on HP B Series Fibre Channel switches Please refer to http www hp com for a list of current supported features switch admin help timeout Administrative Commands timeout 1m NAME timeout Sets or displays the timeout value for a login session SYNOPSIS t...

Page 22: ...22 Introducing Fabric OS CLI procedures trackChangesHelp Track Changes help information zoneHelp Zoning help information Table 3 Help file commands continued ...

Page 23: ...nstructions on performing a fast boot with Web Tools see the Web Tools Administrator s Guide If you have the required privileges you can connect through the serial port log in as root and use operating system commands to identify and kill the telnet processes without disrupting the fabric For admin level accounts Fabric OS limits the number of simultaneous telnet sessions per switch to two For mor...

Page 24: ...J 45 connector into the RJ 45 serial port on the workstation 2 Open a terminal emulator application such as HyperTerminal on a PC or TERM TIP or Kermit in a UNIX environment and configure the application as follows In a Windows environment In a UNIX environment enter the following string at the prompt tip dev ttyb 9600 If ttyb is already in use you can use ttya enter tip dev ttya 9600 Setting the ...

Page 25: ...e eight character limit User defined passwords can have 8 to 40 characters They must begin with an alphabetic character and can include numeric characters the dot and the underscore _ They are case sensitive and they are not displayed when you enter them on the command line Record the passwords exactly as entered and store them in a secure place Recovering passwords requires significant effort and...

Page 26: ...s SSH or telnet may be dropped Reconnect using the new Ethernet IP information or change the Ethernet settings using a console session through the serial port to maintain your session through the change You must connect through the serial port to set the Ethernet IP address if an the Ethernet network interface is not configured already See How to connect via the serial port on page 24 for details ...

Page 27: ...DHCP at the same time If you choose not use DHCP or to specify an IP address for your switch Ethernet interface you can do so by entering none or 0 0 0 0 in the Ethernet IP address field CAUTION The use of IP address 0 0 0 0 is not supported in pre Fabric OS 5 2 x fabrics Fabric OS beginning with 2 6 0 3 1 0 and 4 0 0 supports Classless Inter Domain Routing CIDR How to set static addresses for the...

Page 28: ...net information has been configured releases the current Ethernet network interface settings including Ethernet IP Ethernet Subnetmask and Gateway The Fibre Channel FC IP address and subnet mask is static and is not affected by DHCP see How to set static addresses for the Ethernet network interface on page 27 for instructions on setting the FC IP address How to enable DHCP 1 Connect to the switch ...

Page 29: ... are 01 through 12 dd is the date valid values are 01 through 31 HH is the hour valid values are 00 through 23 MM is minutes valid values are 00 through 59 yy is the year valid values are 00 through 99 values greater than 69 are interpreted as 1970 through 1999 and values less than 70 are interpreted as 2000 2069 For details about how to change time zones refer to tsTimeZone command in the Fabric ...

Page 30: ... a dual domain chassis has the following characteristics Updating the time zone on any switch updates the entire chassis The time zone of the entire chassis is the time zone of the switch 0 For dual domain Directors SAN Director 2 128 both switches in the same chassis will be in the same time zone Dual Domain chassis do not support different time zones on each domain The following procedure descri...

Page 31: ...Z format Enter number or control D to quit 10 Local time is now Thu May 11 07 39 37 PDT 2006 Universal Time is now Thu May 11 14 39 37 UTC 2006 Is the above information OK Yes No Enter number or control D to quit 1 Please select a country 1 Chile 15 Northern Mariana Islands 2 Cook Islands 16 Palau 3 Ecuador 17 Papua New Guinea 4 Fiji 18 Pitcairn 5 French Polynesia 19 Samoa American 6 Guam 20 Samoa...

Page 32: ...entucky Wayne County 5 Eastern Time Indiana most locations 6 Eastern Time Indiana Crawford County 7 Eastern Time Indiana Starke County 8 Eastern Time Indiana Switzerland County 9 Central Time 10 Central Time Indiana Daviess Dubois Knox Martin Perry Pulaski 11 Central Time Indiana Pike County 12 Central Time Michigan Dickinson Gogebic Iron Menominee Counties 13 Central Time North Dakota Oliver Coun...

Page 33: ...r chassis basis so for products that support multiple logical switches domains a license key applies to all domains within the chassis to unlock a licensed feature you can either use the license key provided in the Power Pack or execute the following procedure to generate a license key at the HP web site http webkey external hp com welcome asp NOTE For each chassis to be licensed you need a transa...

Page 34: ...company 6 Activate and verify the license as follows a Connect to the switch and log in as admin b Activate the license using the licenseAdd command switch admin licenseadd key The license key is case sensitive and must be entered exactly as given The quotation marks are optional For HP StorageWorks Director models licenses are effective on both CP blades and on all logical switches but are valid ...

Page 35: ...r when a switch disable or enable is performed 4 Enter the licenseShow command to verify that the license is disabled After a reboot or switchDisable and switchEnable only the remaining licenses appear If there are no license keys licenseShow displays No licenses switch admin licenseshow RzdeSee9wVlfTu Web license Zoning license SES license Fabric license Remote Switch license Extended Fabric lice...

Page 36: ...versions of the Fabric OS may be disruptive to the fabric How to customize the switch name 1 HP StorageWorks 4 16 SAN Switch and 4 8 SAN Switch SAN Switch 2 8V SAN Switch 2 16V SAN Switch 2 32 SAN Switch 4 32 4 64 SAN Switch 400 MP Router and 4 256 SAN Director Proceed to the next step HP StorageWorks SAN Director 2 128 Open a telnet window for each logical switch and enter the switchName command ...

Page 37: ...in ID conflict when you merge fabrics If a switch already has a domain ID when it is enabled and that domain ID conflicts with a switch already in the fabric the conflict is automatically resolved The process can take several seconds during which time traffic is delayed The default domain ID for HP StorageWorks switches is 1 The default domain ID applies to the logical switches in the SAN Director...

Page 38: ...1e 34 01 bd 10 32 220 5 0 0 0 0 ras005 6 fffc06 10 00 00 05 1e 34 02 3e 10 32 220 6 0 0 0 0 ras006 7 fffc07 10 00 00 60 69 34 02 0c 10 32 220 7 0 0 0 0 ras007 10 fffc0a 10 00 00 60 69 80 04 46 10 32 220 10 10 32 219 0 ras010 11 fffc0b 10 00 00 60 69 80 04 47 10 32 220 11 10 32 219 1 ras011 15 fffc0f 10 00 00 60 69 80 47 74 10 32 220 15 0 0 0 0 ras015 16 fffc10 10 00 00 60 69 80 47 75 10 32 220 16 ...

Page 39: ... a license key from a transaction key supplied with your purchase If so see How to generate or activate a license key on page 34 Each Ports on Demand license activates the next group of 4 8 or 16 ports in numerical order Before installing a license key you must insert transceivers in the ports to be activated Remember to insert the transceivers in the lowest group of inactive port numbers first Fo...

Page 40: ... the online state Ports that cannot be brought online because insufficient POD licenses have a state of No POD License Disabled Use the switchShow command to display the port states To allocate licenses to a specific port instead of automatically assigning them as the ports come online reserve a license for the port using the licensePort command described in Maintaining licensed software features ...

Page 41: ...Disabling the Dynamic POD feature changing the POD method to static erases any prior port license associations and or assignments the next time the switch is rebooted To disable Dynamic Ports on Demand 1 Connect to the switch and log in 2 Enter the licensePort method command with the static option to change the license assignment method to static switch admin licenseport method dynamic The POD met...

Page 42: ...ic The POD method has been changed to static Please reboot the switch now for this change to take effect switch admin reboot switch admin licenseport show 24 ports are available in this switch Full POD license is installed Static POD method is in use 24 port assignments are provisioned for use in this switch 12 port assignments are provisioned by the base switch license 12 port assignments are pro...

Page 43: ...switch and log in as admin 2 Enter the switchDisable command to take the switch offline 3 Enter the switchShow command to verify that the switch state is offline 4 Enter the licensePort release command to remove the port from the POD license switch admin licenseport reserve 0 switch admin licenseport release 0 switch admin licenseport show 24 ports are available in this switch Full POD license is ...

Page 44: ...d ports are enabled by default You can disable and re enable them as necessary Ports that you activate with Ports on Demand must be enabled explicitly as described in Activating ports on demand on page 39 How to disable a port 1 Connect to the switch and log in as admin 2 HP StorageWorks 4 16 SAN Switch and 4 8 SAN Switch SAN Switch 2 8V SAN Switch 2 16V SAN Switch 2 32 SAN Switch 4 32 4 64 SAN Sw...

Page 45: ... switches Before connecting a switch to a fabric that contains switches running different firmware versions you must first set the same PID format on all switches The presence of different PID formats in a fabric causes fabric segmentation For information on PID formats and related procedures refer to Selecting a PID format on page 383 For information on configuring the routing of connections refe...

Page 46: ...ected to both sides of the gateway Extended links those created using the Extended Fabrics licensed feature and the security features in Secure Fabric OS are not supported through gateway links How to configure a link through a gateway 1 If you are not sure that the PID format is consistent across the entire fabric enter the configShow command on all switches to check the PID setting If necessary ...

Page 47: ...tches in the fabric How to verify device connectivity 1 Connect to the switch and log in as admin 2 Optional Enter the switchShow command to verify that devices hosts and storage are connected 3 Optional Enter the nsShow command to verify that devices hosts and storage have successfully registered with the Name Server switch admin fabricshow Switch ID Worldwide Name Enet IP Addr FC IP Addr Name 1 ...

Page 48: ...stem message log on page 300 How to enable the track changes feature 1 Connect to the switch and log in as admin 2 Enter this command to enable the track changes feature trackChangesSet 1 A message displays verifying that the track changes feature is on The output from the track changes feature is dumped to the system message log for the switch 3 Use the errDump or errShow command to view the log ...

Page 49: ...P StorageWorks SAN Director 2 128 and 4 256 SAN Director The output is similar to the following The policy parameter determines the number of failed or inoperable units for each contributor that will trigger a status change in the switch Each parameter can be adjusted so that a specific threshold must be reached before that parameter changes the overall status of a switch to MARGINAL or DOWN For e...

Page 50: ... 4 64 SAN Switch and 400 MP Router models SAN Director 2 128 and 4 256 SAN Director Command output includes parameters related to CP blades switch admin switchstatuspolicyset To change the overall switch status policy parameters The current overall switch status policy parameters Down Marginal PowerSupplies 2 1 Temperatures 2 1 Fans 2 1 Flash 0 1 MarginalPorts 2 1 FaultyPorts 2 1 MissingSFPs 0 0 N...

Page 51: ...figured for audit to create an audit event log for specific events you must explicitly set a filter via the class operand and then enable it Audited events are generated specific to a switch and have no negative impact on performance All Secure Fabric OS event are audited Events are not persistently stored on the switch but are streamed to a system message log The audit log depends on the system m...

Page 52: ...it can receive the audit events 3 Ensure the network is configured with a network connection between the switch and the remote host 4 Check the host SYSLOG configuration If all error levels are not configured you may not see some of the audit messages Table 6 AuditCfg Event Class Operands Operand Event class Description 1 Zone Audit zone event configuration changes but not the actual values that w...

Page 53: ...1 Verify which CP is the active CP and log in to the active CP using a Serial Console connection 2 On the standby CP set the slider switch to the off position or eject the standby CP from the chassis This disables the standby CP 3 Enter the reboot command from the active CP This will gracefully take down the system 4 When you see the Press escape within 4 seconds to enter boot interface message pr...

Page 54: ... are considered non critical and are automatically restarted on failure switch admin sysshutdown This command will shutdown the operating systems on your switch You are required to power cycle the switch in order to restore operation Are you sure you want to shutdown the switch y n y Broadcast message from root ttyS0 Wed Jan 25 16 12 09 2006 The system is going down for system halt NOW INIT Switch...

Page 55: ... control RBAC Fabric OS 5 2 x uses Role Based Access Control RBAC to determine which commands a user can run Assign one of the Fabric OS predefined roles to a user as shown in Table 9 Table 8 Maximum number of simultaneous sessions Role name Maximum sessions User 4 Operator 4 SwitchAdmin 4 ZoneAdmin 4 FabricAdmin 4 BasicSwitchAdmin 4 Admin 2 Table 9 Fabric OS 5 2 x roles Role name Version Duties D...

Page 56: ...user can run commands using both observe and modify options if a role has modify permissions it almost always has observe N None The user is not allowed to run commands in that category Table 1 1 RBAC permissions matrix Category Role permission User Operator Switch admin Zone admin Fabric admin Basic switchadmin Admin Admin Domains N N N N N N OM Admin Domains Selection OM OM OM OM OM OM OM APM O ...

Page 57: ...ng Basic O OM OM O OM O OM Routing Advanced O O O N OM O OM Security O N O N OM O OM Session Management O OM OM N OM OM OM SNMP O O OM N OM O OM Statistics O OM OM N OM O OM Statistics Device O OM OM N OM O OM Statistics Port O OM OM N OM O OM Switch Management O OM OM O OM O OM Switch Configuration O OM OM N OM O OM Switch Port Configuration O OM OM N OM OM OM Switch Port Management O OM OM O OM ...

Page 58: ...ions aaaConfig Option Description Equivalent setting in Fabric OS 5 1 x and later radius switchdb1 1 Fabric OS 5 1 x and earlier aaaConfig switchdb on off setting localonly Default setting Authenticates management connections against the local database only If the password does not match or the user is not defined the login fails Off On radiusonly2 2 The console login will never be set to radiuson...

Page 59: ...r NOTE When operating in secure mode you must perform these operations on the primary FCS switch The userConfig command with Admin Domain related options is not valid in secure mode How to display account information 1 Connect to the switch and log in 2 Enter one of the show commands userConfig show a to show all account information for a logical switch userConfig show b to show all backup account...

Page 60: ...re _ It must be different than all other account names on the logical switch The account name cannot be the same as a role name r rolename Specifies the role either User SwitchAdmin ZoneAdmin FabricAdmin BasicSwitchAdmin Operator or Admin in nonsecure mode in secure mode you can also use NonfcsAdmin h admindomain_ID Optional Specifies the home Administrative Domain if no Administrative Domain is s...

Page 61: ...tribute for username the account must already exist admindomain_ID is the home Admin Domain and admindomain_ID_list is the Admin Domain list to be userconfig change username r rolename h admindomain_ID a admindomain_ID_ list d description e yes no u x username Changes the account attribute for username The account must already exist r rolename Optionally changes the role to one of the names listed...

Page 62: ...following rules apply to changing passwords A user can change their own password Only users with Admin roles can change the password for other accounts When changing an Admin account password you must provide the current password An admin with ADlist 0 10 cannot change the password on an admin user or any role with an ADlist 1 1 25 The user account being changed must have an ADlist that is a subse...

Page 63: ...es user database is protected CAUTION Distribute the user database and password policies only to Fabric OS 5 2 x or higher switches the distribution command fails if any of the targets is an earlier version How to distribute the local user database When distributing the local user database all user defined accounts residing in the receiving switches will be logged out of any active sessions 1 Conn...

Page 64: ...default passwords Password strength Password history Password expiration Account lockout NOTE Secure mode supports only the default values of the password policies If you attempt to enable secure mode after configuring changing any of the password policies you receive an error How to set the password strength policy The password strength policy is enforced across all user accounts and enforces a s...

Page 65: ...ets a password for another user instead the user s password history is preserved and the password set by the administrator is recorded in the user s password history How to set the password expiration policy The password expiration policy forces expiration of a password after a configurable period of time and is enforced across all user accounts A warning that password expiration is approaching is...

Page 66: ...ecifies the number of times a user can attempt to login using an incorrect password before the account is locked The number of failed login attempts is counted from the last successful login LockoutThreshold values range from 0 to 999 and the default value is 0 Setting the value to 0 disables the lockout mechanism LockoutDuration Specifies the time in minutes after which a previously locked accoun...

Page 67: ...ssigned to the default Admin Domain AD0 The syntax used for assigning VSA based account switch roles on a RADIUS server is described in Table 14 Table 14 Syntax for VSA based account roles Item Value Description Type 26 1 octet Length 7 or higher 1 octet calculated by the server Vendor ID 1588 4 octet Brocade s SMI Private Enterprise Code Vendor type 1 1 octet Brocade Auth Role valid attributes fo...

Page 68: ...he configuration on a Linux FreeRadius server define the following in a vendor dictionary file called dictionary brocade See Table 15 After you have completed the dictionary file define the role for the user in a configuration file For example to grant the user jsmith the Admin role you would add into the configuration file jsmithAuth Type Local User Password jspassword Brocade Auth Role admin Tab...

Page 69: ...ADList or HomeAD specification the account cannot login until the AD list is corrected an error message is displayed For example on a Linux FreeRadius Server the user user za with the following settings takes the ZoneAdmin role with AD member list 1 2 4 5 6 7 8 9 12 the Home Admin Domain will be 1 user za Auth Type Local User Password password Brocade Auth Role ZoneAdmin Brocade AVPairs1 ADList 1 ...

Page 70: ...password change on a switch invalidates an open session and requires the user to log in again When integrated with RADIUS a switch password change on the RADIUS server does not invalidate an existing open session although a password change on the local switch does If you cannot log in because of a RADIUS server connection problem Web Tools displays a message indicating server outage Configuring th...

Page 71: ...add the line As a result the file dictionary brocade is located in the RADIUS configuration directory and loaded for use by the RADIUS server How to create the user 1 Open the PREFIX etc raddb user file in a text editor and add user names and roles for users who will be accessing the switch and authenticating RADIUS The user will log in using the role specified with Brocade Auth Role The valid rol...

Page 72: ...cryption Reverse password encryption is not the default behavior it must be enabled NOTE If a user is configured prior to enabling reverse password encryption then the user s password is stored and cannot utilize CHAP To use CHAP the password must be reentered after encryption is enabled If the password is not reentered then CHAP authentication will not work and the user will be unable to authenti...

Page 73: ...ent window enter the following Client address IP or DNS Enter the IP address of the switch Client Vendor Select RADIUS Standard Shared secret Provide a password Shared secret is a password used between the client device and server to prevent IP address spoofing by unwanted clients Keep your shared secret password in a safe place You will need to enter this password in the switch configuration Afte...

Page 74: ...Add Remote Access Policy window click Finish 20 After returning to the Internet Authentication Service window repeat steps 5 through 19 to add additional policies for all login types you want to use the RADIUS server After this is done you can configure the switch Configuring RADIUS servers on the switch RADIUS configuration of the switch is controlled by the aaaConfig command NOTE On dual CP swit...

Page 75: ...ition The order in which servers are contacted to provide service Server The server names or IP addresses Port The server ports Secret The shared secrets Timeouts The length of time servers have to respond before the next server is contacted Authenticati on The type of authentication being used on servers switch admin aaaConfig add server p port s secret t timeout a pap chap server Enter either a ...

Page 76: ...d succeeds the event log indicates that a server configuration is changed switch admin aaaconfig radiuslocal switch admin aaaconfig radiuslocalbackup switch admin aaaConfig remove server all server Servers are listed by either name or IP address Enter either the name or IP address of the server to be removed switch admin aaaConfig change server p port s secret t timeout a pap chap server Servers a...

Page 77: ...nd the recovery string on all switches as described next If your site procedures dictate that you set the boot PROM password without the recovery string see Without a Recovery String on page 1 14 SS Setting the boot PROM password with a recovery String To set the boot PROM password with a recovery string refer to the section that applies to your switch model NOTE Setting the boot PROM password req...

Page 78: ...described in How to connect via the serial port on page 24 2 Connect to the active CP blade by serial or telnet and enter the haDisable command to prevent failover during the remaining steps 3 SAN Director 2 128 and 4 256 SAN Director Reboot the standby CP blade by sliding the On Off switch on the ejector handle of the standby CP blade to Off and then back to On 4 Press ESC within four seconds aft...

Page 79: ...o restore high availability How to set the boot PROM password for a Director without a recovery string Although you can set the boot PROM password without also setting the recovery string it is strongly recommended that you set both the password and the string as described in Without a Recovery String on page 1 14 If your site procedures dictate that you must set the boot PROM password without the...

Page 80: ...ding the On Off switch on the ejector handle of the standby CP blade to Off and then back to On This causes the blade to reset 5 Press ESC within four seconds after the message Press escape within 4 seconds displays The following options are available 6 Enter 3 7 Enter the passwd command at the shell prompt NOTE The passwd command only applies to the boot PROM password when it is entered from the ...

Page 81: ... How to recover passwords 1 Open a CLI connection serial or telnet to the switch If secure mode is enabled connect to the primary FCS switch 2 Log in as root 3 Enter the command for the type of password that was lost passwd user passwd admin passwd factory 4 Enter the requested information at the prompts To recover a lost root password contact HP To recover a lost boot PROM password contact your s...

Page 82: ...82 Managing user accounts ...

Page 83: ...eb Tools or Fabric Manager The SNMP Access Control List ACL provides a way for the administrator to restrict SNMP get set operations to certain hosts IP addresses This is used for enhanced management security in the storage area network For details on MIB files naming conventions loading instructions and information about using the SNMP agent refer to the Fabric OS MIB Reference Manual Table 17 de...

Page 84: ...reDownload Commands that require a secure login channel must be issued from an original SSH session If you start an SSH session and then use the login command to start a nested SSH session commands that require a secure channel will be rejected Table 18 Main security scenarios Fabric Management interfaces Comments Nonsecure Nonsecure No special setup is needed to use telnet or HTTP An HP switch ce...

Page 85: ...dmin Connect through some other means than telnet for example through SSH 2 Enter the following command 3 In response to the System Services prompt type y 4 In response to the telnetd prompt type off The telnet interface is disabled If you entered the command during a standard telnet session the session terminates How to enable telnet 1 Connect to the switch through a means other than telnet for e...

Page 86: ...16 SAN Switch SAN Switch 2 8V SAN Switch 2 16V SAN Switch 2 32 SAN Switch 4 32 4 64 SAN Switch and 400 MP Router chargen Do not start Do not start echo Do not start Do not start daytime Do not start Do not start discard Do not start Do not start ftp Do not start Do not start rexec Block with packet filter Do not start rsh Block with packet filter Do not start rlogin Block with packet filter Do not...

Page 87: ...ased on digital certificates obtained from an Internet Certificate Authority CA which acts as the trusted key agent Certificates are based on the switch IP address or Fully Qualified Domain Name FQDN depending on the issuing CA If you change a switch IP address or FQDN after activating an associated certificate you might have to obtain and install a new certificate Check with the CA to verify this...

Page 88: ...ajor steps which are shown in detail in the next sections 1 Choose a CA 2 On each switch a Generate a public private key secCertUtil genkey command b Generate a certificate signing request CSR secCertUtil gencsr command and store the CSR on an FTP server secCertUtil export command 3 Obtain the certificates from the CA You can request a certificate from a CA through a Web browser After you request ...

Page 89: ...Connect to the switch and log in as admin 2 Enter this command 3 Enter the requested information Your CA might require specific codes for Country State or Province Locality Organization and Organizational Unit names Make sure that your spelling is correct and matches the CA requirements If the CA requires that the Common Name be specified as an FQDN make sure that the fully qualified domain name i...

Page 90: ...CATE REQUEST 6 Copy and paste this section including the BEGIN and END lines into the area provided in the request form then follow the instructions to complete and send the request It might take several days to receive the certificates If the certificates arrive by email save them to an FTP server If the CA provides access to the certificates on an FTP server make note of the path name and make s...

Page 91: ... the certificate To check and install root certificates on Mozilla 1 From the browser Edit menu select Preferences 2 In the left pane of the Preferences window expand the Privacy Security list and select Certificates 3 In the right pane click Manage Certificates 4 In the next window click the Authorities tab 5 Scroll the authorities list to see if the root certificate is listed For example its nam...

Page 92: ...ates Table 22 summarizes the commands for displaying and deleting certificates For details on the commands refer to the Fabric OS Command Reference Manual C program files java j2re1 4 2_03 bin C Program Files Java j2re1 4 2_03 bin keytool import alias RootCert file RootCert crt keystore lib security RootCerts Enter keystore password changeit Owner CN Brocade OU Software O Brocade Communications L ...

Page 93: ...pecifically FibreAlliance MIB trap Associated with the FibreAlliance MIB FA MIB this MIB manages SAN switches and devices from any company that complies with FibreAlliance specifications If you use both SW MIB and FA MIB you might receive duplicate information You can disable the FA MIB but not the SW MIB Table 24 SSL Messages and Actions Message Action The page cannot be displayed The SSL certifi...

Page 94: ...e Manual Setting the security level Use the configure command to set the security level called SNMP attributes You can specify no security authentication only or authentication and privacy For example to configure for authentication and privacy Using the snmpConfig command Use the snmpConfig set command to change either the SNMPv3 or SNMPv1 configuration You can also change access control MIB capa...

Page 95: ...Trap recipient Severity level 0 5 0 4 Trap Recipient s IP address in dot notation 0 0 0 0 192 168 45 92 UserIndex 1 6 2 Trap recipient Severity level 0 5 0 2 Trap Recipient s IP address in dot notation 0 0 0 0 Trap Recipient s IP address in dot notation 0 0 0 0 Trap Recipient s IP address in dot notation 0 0 0 0 Trap Recipient s IP address in dot notation 0 0 0 0 Committing configuration done swit...

Page 96: ...n dot notation 0 0 0 0 Read Write true t false f true Access host subnet area in dot notation 0 0 0 0 Read Write true t false f true Committing configuration done switch admin snmpconfig show mibCapability FA MIB YES FICON MIB YES HA MIB YES SW TRAP YES swFCPortScn YES swEventTrap YES swFabricWatchTrap YES swTrackChangesTrap NO FA TRAP YES connUnitStatusChange YES connUnitEventTrap NO connUnitSens...

Page 97: ...v1 community and trap recipient configuration Community 1 Secret C0de rw Trap recipient 192 168 1 51 Trap recipient Severity level 4 Community 2 OrigEquipMfr rw Trap recipient 192 168 1 26 Trap recipient Severity level 0 Community 3 private rw No trap recipient configured yet Community 4 public ro No trap recipient configured yet Community 5 common ro No trap recipient configured yet Community 6 F...

Page 98: ...ss in dot notation 192 168 1 26 Trap recipient Severity level 0 5 0 Community rw private Trap Recipient s IP address in dot notation 0 0 0 0 192 168 64 88 Trap recipient Severity level 0 5 0 1 Community ro public Trap Recipient s IP address in dot notation 0 0 0 0 Community ro common Trap Recipient s IP address in dot notation 0 0 0 0 Community ro FibreChannel Trap Recipient s IP address in dot no...

Page 99: ...nt configured yet SNMP access list configuration Entry 0 Access host subnet area 192 168 64 0 rw Entry 1 No access host configured yet Entry 2 No access host configured yet Entry 3 No access host configured yet Entry 4 No access host configured yet Entry 5 No access host configured yet Are you sure yes y no n no y Committing configuration done agent configuration reset to factory default Current S...

Page 100: ...e indicates that the status of the sensor associated with the connectivity unit has changed connUnitPortStatus shows overall protocol status for the port connUnitPortState shows the user specified state of the port hardware switch admin snmpmibcapset The SNMP Mib Trap Capability has been set to support FE MIB SW MIB FA MIB FA TRAP FA MIB yes y no n yes FICON MIB yes y no n no y HA MIB yes y no n n...

Page 101: ...swFabricWatchTrap YES swTrackChangesTrap YES FA TRAP YES SW EXTTRAP YES HA TRAP YES fruStatusChanged YES cpStatusChanged YES fruHistoryTrap YES switch admin configure Not all options will be available on an enabled switch To disable the switch use the switchDisable command Configure System services yes y no n no n ssl attributes yes y no n no n http attributes yes y no n no n snmp attributes yes y...

Page 102: ...102 Configuring standard security features ...

Page 103: ...ocal database The database contains both ACL policies types SCC and DCC The policy are grouped by state and type A policy can be in the following state Active The policy is being enforced by the switch Defined The policy has been set up but is not enforced A group of policies is called a Policy Set Each switch has the following two sets Active policy set Contains ACL policies being enforced by the...

Page 104: ...age DCC and SCC policies Displaying ACL policies on page 105 Displays a list of all active and defined ACL policies on the switch Configuring a DCC policy on page 105 Multiple DCC policies can be created using the naming convention DCC_POLICY_nnn with nnn representing a unique string Creating an SCC policy on page 107 One SCC policy can be created Saving changes to ACL policies on page 108 Save ch...

Page 105: ...initiators targets or intermediate devices such as SCSI routers and loop hubs By default all device ports are allowed to connect to all switch ports no DCC policies exist until they are created Each device port can be bound to one or more switch ports the same device ports and switch ports might be listed in multiple DCC policies After a switch port is specified in a DCC policy it permits connecti...

Page 106: ...rt WWN Switch ports can be identified by the switch WWN domain ID or switch name followed by the port or area number To specify an allowed connection enter the device port WWN a semicolon and the switch port identification Following are the possible methods of specifying an allowed connection deviceportWWN switchWWN port or area number deviceportWWN domainID port or area number deviceportWWN switc...

Page 107: ...devices currently connected to ports 1 through 4 of switch domain 4 Creating an SCC policy Fabric OS 5 2 x and higher supports a SCC policy in Fabric OS An SCC policy created in Secure Fabric OS cannot directly transfered to Fabric OS Policies created in Secure Fabric OS are deleted when Secure deviceportWWN WWN of the device port switch Either the switch WWN domain ID or switch name The port can ...

Page 108: ...n the session is logged out For more information about these commands see Saving changes to ACL policies on page 108 and Activating changes to ACL policies on page 108 Saving changes to ACL policies You can save changes to ACL policies without activating them by entering the secPolicySave command This saves the changes to the defined policy set Until the secPolicySave or secPolicyActivate command ...

Page 109: ...o the switch and log in 2 Type secPolicyRemove policy_name member member where policy_name is the name of the ACL policy member is the device or switch to be removed from the policy identified by IP address switch domain ID device or switch WWN or switch name 3 To implement the change immediately enter the secPolicyActivate command For example to remove a member that has a WWN of 12 24 45 10 0a 67...

Page 110: ...e same policies Set a strict or tolerant fabric wide consistency policy for each ACL policy type to automatically distribute that database when a policy change is activated If a fabric wide consistency policy is not set then the policies are managed on per switch basis For configuration instructions see Setting the consistency policy fabric wide on page 1 13 Table 27 explains the how the local dat...

Page 111: ...switch local protection 1 Connect to the switch 2 Enter the following command To disable switch local protection 1 Connect to the switch 1 Error returned indicating that the distribution setting must be accept before you can set the fabric wide consistency policy Table 28 Supported Databases Starting in Fabric OS 5 2 x Database type Database identifier ID SCC policy database SCC DCC policy databas...

Page 112: ... changes The local distribution setting must be accepted To be able to initiate the distribute command set the local distribution to accept Table 29 describes how the target switch database distribution settings affect the distribution To distribute the local ACL policies 1 Connect to the switch fddCfg localaccept database_ID localaccept Default setting Allows local database to be overwritten with...

Page 113: ...rs cannot join a fabric with a strict fabric wide consistency policy FC routers do not support the fabric wide consistency policies Table 30 describes the fabric wide consistency settings To display the fabric wide consistency policy 1 Connect to the switch and log in 2 Enter the fddCfg showall command distribute p database_id d switch_list database_id A semicolon separated list of the local datab...

Page 114: ...sent side to where they are absent The Active policies set where they are present overwrite the Active and Defined policies set where they are absent If the ACL policies do not match the switch can join the fabric but an error message flags the mismatch Under both conflicting conditions secPolicyActivate is blocked in the merged fabric Use fddcfg fabwideset command to resolve the fabric wide consi...

Page 115: ...before the fabric wide consistency policy is applied The next sections describe the interaction between the databases with active SCC and DCC policies and combinations of fabric wide consistency policy settings when fabrics are merged Matching fabric wide consistency policies For example Fabric A with SCC S DCC strict SCC and tolerant DCC joins Fabric B with SCC S DCC strict SCC and tolerant DCC t...

Page 116: ...strict fabric merges Fabric wide consistency policy setting Expected behavior Fabric A Fabric B Strict Tolerant SCC S DCC S SCC DCC S Ports connecting switches are disabled SCC DCC S SCC S DCC Strict Absent SCC S DCC S SCC S DCC S Strict Strict SCC S DCC S Table 33 Fabric merges with tolerant absent combinations Fabric wide consistency policysetting Expected behavior Fabric A Fabric B Tolerant Abs...

Page 117: ...ress Licenses lists the licenses that are active on the switch Chassis Configuration contains configuration variables such as diagnostic settings fabric configuration settings and SNMP settings Configuration contains licensed option configuration parameters Zoning contains zoning configuration information Defined Security Policie lists all of the defined security policies Active Security Policies ...

Page 118: ...ference Manual User name Enter the user name of your account on the server for example JohnDoe File name Specify a file name for the backup file for example config txt Absolute path names can be specified using forward slash Relative path names create the file in the user s home Directory on UNIX servers and in the Directory where the FTP server is running on Windows servers Password Enter your ac...

Page 119: ...cess is additive that is the lines read from the files are added to the current switch configuration You can change a single configuration variable by downloading a file with that specific variable only When you do so all other variables remain unchanged If your setup supports anonymous users and you log in as an anonymous user password is still a required field even though its value may be ignore...

Page 120: ...nd to the prompts as follows 6 At the Do you want to continue y n prompt enter y 7 Wait for the configuration to be restored The following example shows configDownload run on a switch without Admin Domains 8 If you disabled the switch when the process is finished enter the switchEnable command Protocol scp or ftp If your site requires the use of Secure Copy specify scp Otherwise specify ftp Server...

Page 121: ...n downloads see Configuration download without disabling a switch on page 120 The host name is known to the switch The host IP address can be contacted You have permission on the host to perform configuration download The configuration file you are trying to download exists on the host The configuration file you are trying to download is a switch configuration file If you selected the default FTP ...

Page 122: ...tion file from one switch to another same model switch 1 Configure one switch first 2 Use the configUpload command to save the configuration information Refer to Backing up a configuration on page 1 17 3 First run configDefault on each of the target switches and then use the configDownload command to download the configuration file to each of the target switches Refer to Restoring a configuration ...

Page 123: ...figuration and connection Configuration settings IP address Gateway address Chassis configuration option Management connections Serial cable tag Ethernet cable tag Configuration information Domain ID Switch name Ethernet IP address Ethernet subnetmask Total number of local devices nsShow Total number of devices in fabric nsAllShow Total number of switches in the fabric fabricShow ...

Page 124: ...figuration setting FC port configuration Port numbers 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Speed Trunk Port Long Distance VC Link Init Locked L_Port Locked G_Port Disable E_Port ISL R_RDY Mode RSCN Suppressed Persistent disable NPIV capability EX Port ...

Page 125: ...figuration setting FC Port Configuration Port Numbers 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 Speed Trunk port Long distance VC link Init Locked L_Port Locked G_Port Disable E_Port ISL R_RDY mode RSCN suppressed Persistent disable NPIV capability EX port ...

Page 126: ...126 Maintaining configurations ...

Page 127: ...put the resources in the remote site in an Admin Domain and assign the remote site administrator to manage those resources You set up zones to define which devices and hosts can communicate with each other you set up Admin Domains to define which users can manage which devices hosts and switches You can have up to 256 Admin Domains in a fabric 254 user defined and 2 system defined numbered from 0 ...

Page 128: ...e 3 Filtered fabric views Admin domain features Admin Domains allow you to Define the scope of an Admin Domain to encompass ports and devices within a switch or a fabric Share resources across multiple Admin Domains For example you can share array ports and tape drives between multiple departments One of the storage devices is shared between AD1 and AD2 see Figure 2 Have a separate zone database f...

Page 129: ... about supported AD platforms see the latest version of the HP StorgeWorks Fabric OS 5 2 x release notes Admin Domains are supported only on fabrics with one or more switches running Fabric OS 5 2 x and higher You must have a valid Advanced Zoning license to use Admin Domains The default zone mode setting must be set to No Access before you create Admin Domains see Implementing admin domains on pa...

Page 130: ...ain The only difference between AD0 and user defined Admin Domains is the implicit membership list The implicit members of AD0 change dynamically as the membership of other Admin Domains changes The explicit members of AD0 are not deleted unless you explicitly remove them For example if you explicitly add DeviceA to AD0 and it is not a member of any other Admin Domain then DeviceA is both an impli...

Page 131: ...pe and describes its administrative access and capabilities AD2 AD255 AD1 AD0 Table 39 AD user types User type Description Physical Fabric Administrators User account with Admin role and with access to all Admin Domains AD0 through AD255 Create and manage all Admin Domains Only a physical fabric administrator can perform Admin Domain configuration and management Assign other administrators or user...

Page 132: ...ou are in the AD0 AD1 and AD255 contexts respectively Admin domain member types You define an Admin Domain by identifying members of that domain Admin Domain members can be devices switch ports or switches Defining these member types is similar to defining a traditional zone member type An Admin Domain does not require or have a new domain ID or management IP address linked to it The following sec...

Page 133: ...e switch Grants port control for all ports in that switch Allows switch administrative operations such as switchDisable switchEnable reboot and firmwareDownload Does not provide zoning rights for the switch ports or devices To allow devices to be zoned within Admin Domains you must specify the port members using domain port or device WWN members E_Ports E_Ports VE_Ports EX_Ports and VEX_Ports are ...

Page 134: ...the device WWNs and domain IDs remain the same Figure 6 Filtered fabric views showing converted switch WWNs AD4 WWN 10 00 00 00 c8 3a fe a2 AD3 WWN 10 00 00 00 c2 37 2b a3 Domain ID 2 WWN 10 00 00 05 2e 06 34 6e Domain ID 1 WWN 10 00 00 05 1f 05 23 6f WWN 10 00 00 00 c7 2b fd a3 Fabric Visible to AD3 User Fabric Visible to AD4 User WWN 10 00 00 00 c8 3a fe a2 WWN 10 00 00 00 c2 37 2b a3 Domain ID ...

Page 135: ...all ports and devices from legacy switches in the AD0 root zone database If you have legacy switches in your AD activated fabric you must ensure that all new AD resources have enough interconnectivity so that they do not get isolated into subfabrics with a legacy subfabric interposed in the middle as shown in Figure 7 Figure 7 Isolated subfabrics Firmware upgrade and downgrade scenarios You cannot...

Page 136: ...mory There might be differences between the effective configuration and the defined configuration Transaction buffer The Admin Domain configuration that is in the current transaction buffer and has not yet been saved or canceled How you end the transaction determines the disposition of the Admin Domain configuration in the transaction buffer The following commands end the Admin Domain transaction ...

Page 137: ... member types on page 132 You create Admin Domains in the transaction buffer using the ad create command You can either save the newly created Admin Domain to a defined configuration using ad save or make it the effective Admin Domain configuration directly using ad apply The following procedures describe the steps for creating Admin Domains and include examples Before creating an Admin Domain you...

Page 138: ... Admin Domain which is the default Admin Domain context after login If you do not specify one the home Admin Domain is the lowest valid Admin Domain in the numerically sorted AD list Users can log in to their Admin Domains and create their own Admin Domain specific zones and zone configurations Adding an Admin Domain list home Admin Domain and role to a user configuration is backward compatible wi...

Page 139: ...tor Activating and deactivating admin domains An Admin Domain can be in either an active or inactive state When you create an Admin Domain it is automatically in the active state If you deactivate an Admin Domain the members assigned to the Admin Domain can no longer access their hosts or storage unless those members are part of another Admin Domain You cannot log in to an Admin Domain that has be...

Page 140: ...itch port members and the s option to specify switch members ad add ad_id d dev_list s switch_list where ad_id is the Admin Domain name or number dev_list is a list of device WWNs or domain port members and switch_list is a list of switch WWNs or domain IDs 4 Optional To end the transaction now enter ad save to save the Admin Domain definition or enter ad apply to save the Admin Domain definition ...

Page 141: ...ve the Admin Domain definition and directly apply the definitions to the fabric The Admin Domain numbers remain unchanged after the operation The following example changes the name of Admin Domain Eng_AD to Eng_AD2 Deleting an Admin Domain When you delete an Admin Domain its devices no longer have access to the members of the zones with which it was associated To delete an Admin Domain 1 Connect t...

Page 142: ...to identify misconfigurations of the Admin Domain For example in fabrics with a mix of AD aware and AD unaware switches elements in the Admin Domain member list from old AD unaware switches are not enforced The Admin Domain validation process is not applicable for AD0 as AD0 implicitly assumes all unassigned and AD unaware online switches and their devices To list the switches and devices in an AD...

Page 143: ...without any attribute details with an explanation that they are not part of the your Admin Domain Table 40 A port or device appears in CLI command output or other management tool outputs if any one of the conditions listed in is met RASlog and SYSlog output is not filtered based on AD membership See the Fabric OS Command Reference Manual for more detailed information about command syntax and usage...

Page 144: ... in the current transaction buffer 1 to display the Admin Domain configuration stored in the persistent memory defined configuration 2 to display the currently enforced Admin Domain configuration effective configuration The following example displays membership information about AD1 Switching to a different Admin Domain context The ad select option is used to switch between different Admin Domain ...

Page 145: ...witch ports as specified in the Admin Domain When the fabric is in secure mode the following applies There is no support for ACL configuration under each Administrative Domain ACL configuration commands are allowed only in AD0 and AD255 None of the policy configurations are validated with AD membership You cannot use Admin Domains and Secure Fabric OS in combination The Secure Fabric OS environmen...

Page 146: ...However you must perform additional steps because FICON management CUP requires additional physical control of the ports You must set up the switch as a physical member of the FICON AD DCC and SCC policies are supported only in AD0 and AD255 since ACL configurations are supported only in AD0 and AD255 iSCSI iSCSI operations are supported only in AD0 Management applications Management interfaces th...

Page 147: ...ed to AD0 AD0 supports both defzone allaccess and noaccess modes Zone databases The Admin Domains each have separate zone databases and zone transaction buffers You can concurrently edit the separate zone databases The AD zone database also has the following characteristics Each Admin Domain AD1 through AD254 has its own zone definitions These zone definitions include defined and effective zoneset...

Page 148: ...nd does not clear zone or Admin Domain database information This command is allowed only if the switch is a member of the current Admin Domain See Maintaining configurations on page 147 for additional information Table 42 Configuration upload and download scenarios in an AD context Configuration file sections AD contexts iSCSI ACL Secure Fabric OS Zone AD headers Switch configuration and other par...

Page 149: ...models have two partitions of nonvolatile storage areas a primary and a secondary to store two firmware images The firmwareDownload command always loads the new image into the secondary partition and swaps the secondary partition to be the primary It then reboots the partition and activates the new image Finally it performs the firmwareCommit procedure automatically to copy the new image to the ot...

Page 150: ...on will enable you to provide HP Technical Support all the information required to perform advanced troubleshooting To provide specific information about why a firmware downgrade might fail starting in Fabric OS 5 2 x the following exception cases are checked If you re attempting to downgrade to Fabric OS 5 1 x or lower Table 43 Effects of firmware changes on accounts and passwords Change First ti...

Page 151: ...rts Fabric OS 4 4 x through 5 1 x support zone databases up to 256k in size and then up to 1 MB in 5 2 x If you upgrade to Fabric OS 5 2 x from 4 4 x or later and then want to downgrade you must reduce the size of the zone database to 256 KB or less 3 Upon initial setup of a factory delivered switch make sure that all IP address have been set and the switch has been rebooted prior to running a fir...

Page 152: ...version of switch kernel operating system Fabric OS Displays the version of switch Fabric OS Made on Displays the build date of firmware running in switch Flash Displays the install date of firmware stored in nonvolatile memory BootProm Displays the version of the firmware stored in the boot PROM Obtaining and decompressing firmware NOTE The following steps describe how to download firmware Web re...

Page 153: ...rt another telnet session on the switch and observe the upgrade progress if you wish NOTE After you start the process do not enter any disruptive commands such as reboot that will interrupt the process The entire firmware download and commit process takes approximately 17 minutes If there is a problem wait for the time out 30 minutes for network problems Disrupting the process can render the switc...

Page 154: ...y partition If you have multiple AP blades they are updated simultaneously however the downloads can occur at different rates Server Name or IP Address Enter the name or IP address of the FTP server where the firmware file is stored for example 192 1 2 3 You can enter a server name if DNS is enabled User name Enter the user name of your account on the server for example JohnDoe File name Fabric OS...

Page 155: ...run the haSyncStart command If the problem persists review Troubleshooting firmware download on page 165 If the troubleshooting information fails to help resolve the issue contact HP Summary of the firmware download process for Directors The following summary describes the default behavior of the firmwareDownload command without options on SAN Director 2 128 and 4 256 SAN Director After you enter ...

Page 156: ... a B Series MP Router blade If you are running 5 1 0x firmware you cannot downgrade to earlier versions without removing the blade s 4 256 SAN Director with an FC4 48 or FC4 16IP blade If you are running 5 2 x firmware then you cannot downgrade to earlier versions without removing the blade s At the time of this document s release HP does not support the FC4 16IP blade Consult http www hp com for ...

Page 157: ...toleveling takes place in parallel with the firmware download being performed on the CPs but does not impact performance Fibre Channel traffic is not disrupted during autoleveling but GbE traffic on AP blades may be affected Server Name or IP Address Enter the name or IP address of the server where the firmware file is stored for example 192 1 2 3 You can enter a server name if DNS is enabled User...

Page 158: ...load The following AP blades are installed in the system Slot Name Versions Traffic Disrupted 3 FC4 16IP v5 2 x_main_bld47 GigE 4 FR4 18i v5 2 x_main_bld47 None 10 FR4 18i v5 2 x_main_bld47 None This command will update the firmware on both CPs and all AP blade s above If you want to update firmware on a single CP only please use s option You can run firmwaredownloadstatus to get the status of thi...

Page 159: ...e 7 Fri Sep 22 09 54 01 2006 Slot 6 CP1 active Firmware is being download to standby CP This step may take up to 30 minutes 8 Fri Sep 22 09 54 59 2006 Slot 10 FC4 16IP Firmware has been downloaded successfully Blade is rebooting with the new firmware 9 Fri Sep 22 09 55 36 2006 Slot 10 FC4 16IP Firmware commit has started on the blade This may take up to 10 minutes 10 Fri Sep 22 09 56 19 2006 Slot ...

Page 160: ...as follows The switch will reboot and come up with the new firmware to be tested Your telnet session will be automatically disconnected b Start a new telnet session and log in as admin then enter the firmwareShow command to confirm that the primary partition of the switch contains the new firmware You are now ready to evaluate the new version of firmware NOTE Stop If you wish to restore the firmwa...

Page 161: ...to the new firmware The old firmware is saved in the secondary partition of each CP until you enter the firmwareCommit command If you decide to back out of the installation prior to the firmwareCommit you can enter the firmwareRestore command to restore the old firmware version Typically users downgrade firmware after briefly test driving a newer or older version and then restore the original firm...

Page 162: ...esent At the point of the failover an auto leveling process is activated Refer to step 8 in the SAN Director 2 128 and 4 256 SAN Director firmware download procedure on page 156 for details about auto leveling 4 Verify failover a Start a telnet session on the active CP which is the old standby CP b Enter the haShow command to verify that the HA synchronization is complete It will take a minute or ...

Page 163: ... to update the secondary partition with new firmware Note that it takes several minutes to complete the commit operation c Enter the firmwareShow command to confirm both partitions on both CPs contain the new firmware d Enter the haShow command to confirm that the HA state is in sync NOTE Stop If you have completed step 7 then you have committed the firmware on both CPs and you have completed the ...

Page 164: ...n you prepared for the firmware download you should have issued either the supportShow 4 2 x or earlier or supportSave 4 4 x or later command While you can issue the command again and compare the outputs from before and after be aware that it may take as long as 30 minutes for the command to execute To save time it is recommended that you use the commands listed below which are all are subsets of ...

Page 165: ...ng the firmwareDownload command If the firmware download fails to complete refer to the Fabric OS System Error Message Reference Manual for details about any error messages If a firmware download fails in a Director the firmwareDownload command synchronizes the firmware on the two partitions of each CP by starting a firmware commit operation Wait at least 10 minutes for this commit operation to co...

Page 166: ...blade ID 24 in the system B Series MP Router port blades are not supported on firmware 5 0 0 or lower so the firmware download operation is aborted Use the slotShow command to display which slot the B Series MP Router port blade is in and physically remove the blade s from the chassis Retry the firmware download operation The following items need to be addressed before downloading the specified fi...

Page 167: ...nfig command with a supported option 1 2 or 5 for SAN Director 2 128 and 1 or 5 for 4 256 SAN Director and then retry the firmware download operation The supported options are described briefly below option 1 One 128 port switch with the following configuration FC2 16 blade ID 4 FC4 16 blade ID 17 on slots 1 4 and 7 10 CP2 blade ID 5 CP4 blade ID 16 on slots 5 6 option 2 Two 64 port switches with ...

Page 168: ...he chosen path remains the same if Dynamic Load Sharing DLS feature is not enabled If DLS is enabled then a different path might be chosen on a fabric event Refer to the dlsSet command for the definition of a fabric event This policy may provide better ISL utilization when there is little or no oversubscription of the ISLs NOTE Static routes are supported only with this policy policy 3 Exchange ba...

Page 169: ...to support a long distance link up to 50 km A total of 25 50 or 100 full size frame buffers are reserved for data traffic for the port at speeds of 1 Gbit sec 2 Gbit sec or 4 Gbit sec respectively L2 2 Specify L2 long distance to support a long distance link up to 100 km A total of 50 100 or 200 full size frame buffers are reserved for data traffic for the port at speeds of 1 Gbit sec 2 Gbit sec o...

Page 170: ... or VEX configuration enabled Ports with EX or VEX configuration enabled are not supported in firmware v5 0 0 or lower so the firmware download operation failed Disable either the EX port configuration using the portCfgExPort command or the VEX port configuration using the portCfgVexPort command Retry the firmware download operation Message Cannot downgrade to version 4 2 or lower Please downgrade...

Page 171: ...with one or more FC4 16IP port blades blade ID 31 in the system FC4 16IP port blades are not supported on firmware v5 1 0 or lower so the firmware download operation failed Use the slotShow command to display which slot the FC4 16IP port blade is in Physically remove the blade s from the chassis or use the micro switch to turn the blade off Retry the firmware download operation Message SW Blade ty...

Page 172: ... command to disable it before proceeding Probable Cause and Recommended Action The firmware download operation was attempting to downgrade a system to Fabric OS v5 1 0 or lower and the fast write feature is enabled Fast write is not supported on firmware v5 1 0 or lower so the firmware download operation failed Disable the fast write feature using the portCfg fcipTunnel command Retry the firmware ...

Page 173: ... firmware download operation was attempting to downgrade a system to Fabric OS v5 1 0 or lower and trunking is enabled on an EX_Port EX_Port trunking is not supported on firmware v5 1 0 or lower so the firmware download operation failed Disable the trunking on the EX_Port using the portCfgTrunkPort command or disable trunking on all ports on the switch using the switchCfgTrunk command Retry the fi...

Page 174: ...mmand Retry the firmware download operation Message Cannot downgrade directly to version 4 4 or lower Please downgrade to 5 1 or 5 0 first and then download the desired version Probable Cause and Recommended Action The firmware download operation was attempting to downgrade a system directly to Fabric OS v4 4 0 or lower This firmware jump is not supported so the firmware download operation aborted...

Page 175: ...rmware on one of your partitions for example CP0 is running v5 0 1 on the primary and secondary partitions and CP1 is running v5 0 1 on the primary partition and v4 4 0e on the secondary partition then synchronize the partitions on CP1 as follows 1 Start a telnet session on the CP with the out of sync partitions 2 Enter the firmwareCommit command which will copy the primary partition to the second...

Page 176: ...mware Ensure that the decompress process created multiple SWBDxx folders where xx is a number in the main folder If the files are unpacked without folder creation then the firmwareDownload command will be unable to locate the plist file ...

Page 177: ...e represented by both slot number 1 through 4 and 7 through 10 and port number 0 through 15 When you have port blades with different port counts in the same Director for example 16 port blade and 32 port blades or 16 port blades and 18 port blades with 16 FC ports and 2 GbE ports or 16 port and 48 port blades the area IDs no longer match the port numbers Following are the port numbering schemes fo...

Page 178: ...ID is the port number plus 16 for ports 0 to 1 1 1 For port numbers higher than 1 1 1 the area ID wraps around so that port 1 12 has an area ID of 0 and so on Each 64 port logical switch domain has area IDs ranging from 16 to 79 Port numbers higher than 128 are mapped directly to the core PID For details about port area IDs in Extended edge PID mode see Changing to extended edge PID format page 38...

Page 179: ... 194 346 210 362 226 378 242 41 265 129 281 145 297 161 313 177 329 193 345 209 361 225 377 241 40 264 128 280 144 296 160 312 176 328 192 344 208 360 224 376 240 39 263 143 279 159 295 175 31 1 191 327 207 343 223 359 239 375 255 38 262 142 278 158 294 174 310 190 326 206 342 222 358 238 374 254 37 261 141 277 157 293 173 309 189 325 205 341 221 357 237 373 253 36 260 140 276 156 292 172 308 188 ...

Page 180: ... 1 17 17 33 33 49 49 65 65 81 81 97 97 1 13 1 13 0 0 0 16 16 32 32 48 48 64 64 80 80 96 96 1 12 1 12 Table 44 Default index area_ID Core PID assignment with no port swap continued Port on blade Slot 1Idx Area Slot 2Idx Area Slot 3Idx Area Slot 4Idx Area Slot 7Idx Area Slot 8Idx Area Slot 9Idx Area Slot 10Idx Area Table 45 Default index area extended edge PID assignment with no port swap Port on bl...

Page 181: ...13 213 229 229 245 245 20 132 132 148 148 164 164 180 180 196 196 212 212 228 228 244 244 19 131 131 147 147 163 163 179 179 195 195 21 1 21 1 227 227 243 243 18 130 130 146 146 162 162 178 178 194 194 210 210 226 226 242 242 17 129 129 145 145 161 161 177 177 193 193 209 209 225 225 241 241 16 128 128 144 144 160 160 176 176 192 192 208 208 224 224 240 240 15 31 31 47 47 63 63 79 79 95 95 1 1 1 1...

Page 182: ...from the Fabric OS command line many commands require the port blade to be disabled This ensures that diagnostic activity does not interfere with normal fabric traffic To disable a port blade 1 Connect to the switch and log in as admin 2 Enter the bladeDisable command with the slot number of the port blade you want to disable To enable a port blade 1 Connect to the switch and log in as admin 2 Ent...

Page 183: ...ore accepting the request To summarize When an FC4 16 or FC4 32 blade is replaced by an B Series MP Router blade the FC configuration of the previously configured FC_Ports will continue to be used and all FC_Ports on the B Series MP Router blade will be persistently disabled When an B Series MP Router blade is replaced by an FC4 16 or FC4 32 blade then the EX_Port configuration will be removed fro...

Page 184: ...rt speeds This port blade is only compatible with the SAN Director 2 128 CP blades 16 port 2 Gbit sec port blade FC2 16 4 The second generation Director 16 port blade supporting 1 and 2 Gbit sec port speeds This port blade is only compatible with the SAN Director 2 128 or 4 256 SAN Director CP blades 16 port 4 Gbit sec port blade FC4 16 17 The third generation Director 16 port blade supporting 1 2...

Page 185: ...s document s release HP does not support the FC4 16IP blade Consult http www hp com for the latest updated information Setting chassis configuration options The chassisConfig command allows you to set the chassis configuration for the SAN Director 2 128 which supports both single domain and dual domain operation The 4 256 SAN Director allows you to use chassis configuration options 1 and 5 Configu...

Page 186: ...e 48 Supported configuration options Option Number of domains Maximum number of ports per switch Supported port blades Supported CP blades Notes 1 1 128 FC2 16 FC4 16 CP2 or CP4 Option 1 is the default configuration for SAN Director 2 128 2 2 64 64 FC2 16 CP2 5 1 384 FC4 16 FC4 16IP FC4 32 FR4 18i FR4 481 1 L_Ports are not supported on the FC4 48 blade CP4 Option 5 is the default configuration opt...

Page 187: ...t present or its type is not recognized ID Displays the hardware ID of the blade type See Table 46 on page 184 for a list of blades and their corresponding IDs Status Displays the status of the blade VACANT The slot is empty INSERTED NOT POWERED ON The blade is present in the slot but is turned off POWERING UP The blade is present and powering on LOADING The blade is present powered on and loading...

Page 188: ...he Director into the fabric 7 Log in to the second logical switch sw1 as admin 8 Use the configure command to configure the sw1 to match your fabric specifications If the Director is to be merged into an existing fabric do not configure zoning parameters these will be propagated automatically when you merge the Director into the fabric 9 If the fabric is in secure mode perform the following steps ...

Page 189: ...ssign a name to the new switch 6 Using the configuration file saved in step 3 as a guide manually reconfigure sw0 and sw1 7 Do not configure zoning parameters these are propagated automatically when you merge the Director into the fabric 8 If the fabric is in secure mode perform the following steps otherwise proceed to step 9 a Optionally to configure sw0 and sw1 in one operation connect them with...

Page 190: ...attern from port 0 through port 15 and back again The pattern continues until the user turns it off This can be used to locate a particular blade To set the blade beacon mode on 1 Connect to the switch and log in as admin 1 Enter the bladeBeacon command The slotnumber is the blade on which you want to enable beacon mode this slot number must exist on the logical switch The value 1 turns beaconing ...

Page 191: ...in Using port based routing you can assign a static route in which the path chosen for traffic never changes In contrast exchange based routing policies always employ dynamic path selection Port based routing is supported by all models Specifying the routing policy The following routing policies are supported Port based path selection Default on SAN Switch 2 8V SAN Switch 2 16V SAN Switch 2 32 SAN...

Page 192: ... that is currently down The static route is ignored in this case in favor of a normal dynamic route When the configured destination port comes back up the system attempts to reestablish the static route potentially causing a conflict Specifying frame order delivery The order of delivery of frames is maintained within a switch and determined by the routing policy in effect Following are the frame d...

Page 193: ... and log in as admin 2 Enter the iodSet command at the command line Using Dynamic Load Sharing The exchange based routing policy depends on the Fabric OS Dynamic Load Sharing feature DLS for dynamic routing path selection When using the exchange based routing policy DLS is by default enabled and cannot be disabled In other words you cannot enable or disable DLS when the exchange based routing poli...

Page 194: ...tric 10500 Name fcr_xd_1_1 Path Count 1 Hops 2 Out Port 39 In Ports 35 56 Total Bandwidth 4 000 Gbps Bandwidth Demand 300 Flags D switch admin Local Domain ID Domain number of the local switch Domain Domain number of the destination switch Metric Cost of reaching the destination domain Name The name of the destination switch Path Count The number of currently active paths to the destination domain...

Page 195: ...e destination domain Flags Indicates if the route is dynamic D or static S A static route is assigned using the command uRouteConfig Next Dom Port Domain number and port number of the next hop The following example displays the routing information of all the active ports The next example displays the routing information for port 1 1 on slot 1 This example displays the routing information of port 1...

Page 196: ...nformation Max hops The maximum number of hops that the pathinfo frame is allowed to traverse Domain The destination domain ID Source Port The port number or area number for SAN Director 2 128 or 4 256 SAN Director on which the switch receives frames Destination Port The output port that the frames use to reach the next hop on this path For the last hop the destination port Basic stats Basic stati...

Page 197: ...me in from on this path For hop 0 the source port Domain ID The domain ID of the switch Name The name of the switch Out Port The output port that the frames use to reach the next hop on this path For the last hop the destination port BW The bandwidth of the output ISL in Gbit sec It does not apply to the embedded port Cost The cost of the ISL used by FSPF routing protocol It only applies to an E_P...

Page 198: ...198 Routing traffic ...

Page 199: ...on option 5 Fibre Channel routing concepts Fibre Channel routing introduces the following concepts Logical Storage Area Networks LSANs An LSAN is defined by zones in two or more edge or backbone fabrics that contain the same device s You can create LSANs that can span fabrics These LSANs enable Fibre Channel zones to cross physical SAN boundaries without merging the fabrics while maintaining the a...

Page 200: ...with devices in the other edge fabrics see to Figure 10 A backbone fabric also enables hosts and targets in one edge fabric to communicate with devices in other edge or backbone fabrics NOTE While the 400 MP Router and 4 256 SAN Director with a B Series MP Router blade facilitate communication between devices in edge fabrics with those in a backbone fabric this is not true of the MP Router metaSAN...

Page 201: ...This prevents unnecessary fabric disruptions caused by translate phantom domains repeatedly going offline and online due to corresponding IFL failures To remove the translate phantom domain in the backbone disable all EX_Ports or VEX_Ports through which the translate phantom domain was created Figure 8 shows a metaSAN with a backbone consisting of one 400 MP Router connecting hosts in Edge Fabric ...

Page 202: ...CR switches with multiple EX_Ports connected to the same edge fabric raises the overhead of projecting a front domain for each EX_Port and quickly uses up resources within the edge fabric and resource consumption on the FCR In previous releases every EX_Port connected to the same edge fabric had a unique domain and unique domains require separate WWNs With front domain consolidation the domain is ...

Page 203: ...ge and configure the router Existing CLI commands offer additional options to support the front domain consolidation feature The portCfgExport command has additional options to verify the front domain ID The portCfgExport d option is changed to enforce use of the same front domain ID for the EX_Ports connected to the same edge fabric The portCfgExport display results remain the same For more infor...

Page 204: ...the Normal Operation setup described previously the EX_Ports do not share the same front domain consolidation PID and node WWN Support In case of an unexpected failure at the customer site save the output from the supportShow and supportSave run on the FC router and edge fabric switches Proxy devices A 400 MP Router or 4 256 SAN Director with an B Series MP Router blade achieves interfabric device...

Page 205: ...bric To do so at least one translate phantom domain switch is projected into the backbone fabric This translate phantom switch represents the entire edge fabric The shared physical device in the edge has a corresponding proxy device on the translate phantom domain switch Each edge fabric has one and only one xlate switch to the backbone fabric The backbone fabric device communicates with the proxy...

Page 206: ...for each edge fabric accessed through it All EX_Ports and VEX_Ports connected to an edge fabric use the same xlate domain ID number for an imported edge fabric this value persists across switch reboots and fabric reconfigurations Xlate domains are presented as being connected topologically behind one or more front domains each FC Router presents one front domain to edge fabric This allows redundan...

Page 207: ...nd to verify that the director is using configuration option 5 4 Enter the interopMode command and verify that switch interoperability with switches from other manufacturers is disabled switch admin_06 version Kernel 2 4 19 Fabric OS v5 2 x Made on Thu Sep 21 01 15 34 2006 Flash Fri Sep 22 20 53 48 2006 BootProm 4 5 3 switch admin_06 slotshow Slot Blade Type ID Status 1 SW BLADE 17 ENABLED 2 AP BL...

Page 208: ...e fabric administrator is responsible for making sure that all switches in the backbone have the same fabric ID Because fabric IDs are used heavily by the routing protocol between the Fibre Channel routers using the wrong fabric ID can affect both edge to edge and backbone to edge routing In addition to ensuring that the backbone fabric IDs are the same within the same backbone you need to make su...

Page 209: ...on an HP fabric The FC FC Routing Service uses only the DH CHAP shared secrets to provide switch to switch authentication when connecting to a Secure Fabric OS fabric To determine whether or not an EX_Port or VEX_Port is connected to a Secure Fabric OS fabric enter the portShow portCfgEXPort or portCfgVEXPort command as described in the Fabric OS Command Reference Manual Note that you should issue...

Page 210: ... only the WWN as the input The domain ID or switch name is not acceptable b Type and confirm the peer secret c Type and confirm the local secret 4 After you have added all of the DH CHAP secret information press Enter to indicate that you have completed the secret key setup 5 When prompted type y The DH CHAP secret is now stored in the secret word database and is ready for use switch admin_06 seca...

Page 211: ... Policy has the S letter in it in the edge fabric or the BB fabric do not connect the edge fabric or the BB to the FC router NOTE To ensure that fabrics remain isolated disable the port prior to inserting the cable If you are configuring an EX_Port disable the port prior to making the connection To configure an IFL for both edge and backbone connections 1 On the 400 MP Router or B Series MP Router...

Page 212: ...rmat Not Applicable Operate mode Brocade Native Edge Fabric ID 30 Preferred Domain ID 160 Front WWN 50 06 06 9e 20 38 6e 1e Fabric Parameters Auto Negotiate R_A_TOV Not Applicable E_D_TOV Not Applicable Authentication Type None DH Group N A Hash Algorithm N A Edge fabric s primary wwn N A Edge fabric s version stamp N A a Sets the EX_Port to enabled 1 or disabled 2 Admin use only f Sets the fabric...

Page 213: ...tion is not specified if there are online ports connected to the same edge fabric the preferred domain ID is set to the preferred domain ID of those online ports Otherwise if there are offline ports that are set to EX Port the preferred domain ID is set to those offline ports If none of the above conditions apply the existing value is left untouched p PID format 0 native 1 core 2 extended edge The...

Page 214: ...Port OFF Long Distance OFF VC Link Init OFF Locked L_Port OFF Locked G_Port OFF Disabled E_Port OFF ISL R_RDY Mode OFF RSCN Suppressed OFF Persistent Disable OFF NPIV capability ON EX Port ON Mirror Port ON switch admin_06 portcfgexport 7 10 Port 7 10 info Admin enabled State NOT OK Pid format Not Applicable Operate mode Brocade Native Edge Fabric ID 30 Preferred Domain ID 160 Front WWN 50 06 06 9...

Page 215: ... None portCFlags 0x1 portFlags 0x1 PRESENT U_PORT EX_PORT portType 10 0 portState 2 Offline portPhys 2 No_Module portScn 0 port generation number 0 portId 014a00 portIfId 4372080f portWwn 20 4a 00 60 69 e2 03 86 portWwn of device s connected Distance normal portSpeed N4Gbps LE domain 0 Interrupts 0 Link_failure 0 Frjt 0 Unknown 0 Loss_of_sync 0 Fbsy 0 Lli 0 Loss_of_sig 2 Proc_rqrd 0 Protocol_err 0...

Page 216: ... using the same tools as any other zone on the edge fabric two behaviors distinguish an LSAN from a conventional zone A required naming convention The name of an LSAN begins with the prefix LSAN_ The LSAN name is letter case insensitive for example lsan_ is equivalent to LSAN_ Lsan_ and so on Members must be identified by their port WWN because PIDs are not necessarily unique across fabrics The na...

Page 217: ... b4 switch admin_06 nsshow Type Pid COS PortName NodeName TTL sec N 060f00 2 3 10 00 00 00 c9 2b c9 0c 20 00 00 00 c9 2b c9 0c na FC4s FCP NodeSymb 35 Emulex LP9002 FV3 91A3 DV5 5 20A6 Fabric Port Name 20 0f 00 05 1e 37 00 44 Permanent Port Name 10 00 00 00 c9 2b c9 0c The Local Name Server has 1 entry switch admin_06 zonecreate lsan_zone_fabric75 10 00 00 00 c9 2b c9 0c FID75Domain5 admin zoneadd...

Page 218: ...uration in effect switch admin_06 cfgadd zone_cfg lsan_zone_fabric2 switch admin_06 cfgenable zone_cfg You are about to enable a new zoning configuration This action will replace the old zoning configuration with the current configuration selected Do you want to enable zone_cfg configuration yes y no n no y zone config zone_cfg is in effect Updating flash switch admin_06 lsanzoneshow s Fabric ID 2...

Page 219: ... FC router port cost is similar to the link cost setting available on E_Ports which allows the user to customize traffic flow The router port link cost values are either 1000 or 10 000 The router module chooses the router port path based on the lowest cost per FID connection If multiple paths exist with the same lowest cost there will be load sharing over these paths You need only to differentiate...

Page 220: ...s However they are not used by the legacy Fabric OS Legacy switches in the backbone fabric program all the router ports without considering router port cost Fabric OS v5 2 x considers the legacy router port cost as 1000 for both EX or VEX_ports Port cost considerations The router port cost has the following considerations Router port sets are defined as follows 0 7 and FCIP Tunnel 16 23 8 15 and F...

Page 221: ...which is used to determine the Area_ID field of the PID and the Port_ID field Like the PIDs in a fabric a proxy PID must be unique If the slot argument results in a duplicate PID it will be ignored Proxy PIDs are automatically assigned to devices imported into a fabric starting at f001 For Proxy IDs projected to a McDATA edge fabric in McDATA fabric mode use valid ALPAs lower 8 bits See the fcrPro...

Page 222: ...he router port of the master port For information about setting up E_Port trunking on an edge fabric see Administering ISL Trunking on page 333 in this guide Supported configurations and platforms The EX_Port trunking is an FCR software feature and requires that you have the FCR trunking license installed on the FCR switch and on the edge fabric connected to the other side of the trunked EX_Ports ...

Page 223: ...the configuration applies are disabled and reenabled with the new trunk configuration As a result the traffic through these ports might be disrupted for a short period of time In addition to the commands for enabling and disabling trunking you can also use the following E_Port commands for administering EX_Port Frame Trunking Use portCfgSpeed and switchCfgSpeed to set speed for a port or switch Di...

Page 224: ...splay shows the maximum versus the currently used proxy device slots A proxy device is presented to an edge fabric as being connected to a translate domain slot A slot is the port number and AL_PA combination The slot to device WWN association is persistently stored The physical and proxy devices use the 10000 device slots Displays the maximum pool size for translate phantom node and port WWNs and...

Page 225: ...xhausted and rolls over The last allocated phantom port WWN is persistently stored If the switch is disabled phantom port WWNs are not returned to the pool until the system reboots because the phantom switch might still be accessible through other switches Across the switch reboot the allocation starts from the next usable WWN base from the pool and not from the beginning Proxy Devices The maximum...

Page 226: ...nsiderations If you downgrade to a version of Fabric OS that does not support FC FC Routing Services then your FC FC routing configuration will be lost HP recommends that you enter the configUpload command to save your FC FC routing configuration before performing any downgrades If you have a 4 256 SAN Director with a B Series MP Router blade configured using chassis option 5 with the blade powere...

Page 227: ... Fabric OS enabled the edge fabric must have Fabric OS v3 2 v4 4 0 or later because only DH CHAP authentication is supported For a nonsecure fabric the hardware and firmware compatibility is described in Table 51 NOTE At the time of this document s release HP does not support the FC4 16IP iSCSI blade or Brocade 5000 switch Consult http www hp com for the latest updated information Table 51 Hardwar...

Page 228: ...long distance IP link beyond 1000 km Sharing across a long distance FC link share devices between HP fabrics over long distance FC links as far as 300 km LUN sharing use your high end RAID array connected to HP M Series or McDATA Directors to share targets with a B Series HP fabric just connect one M Series or McDATA Director port to an FC router EX_Port and the one EX_Port to the HP fabric The co...

Page 229: ... McDATA firmware version To display the front domain on the McDATA fabric use the McDATA show command 2 Using the version command make sure that Fabric OS 5 2 x is installed on the 400 MP Router or B Series MP Router FR4 18i blade as shown in the following 3 On the 400 MP Router and B Series MP Router FR4 18i blade disable the port being configured as an EX_Port the one connected to the switch by ...

Page 230: ...nline switchMode Native switchRole Principal switchDomain 3 switchId fffc03 switchWwn 10 00 00 60 69 e4 00 86 zoning ON test switchBeacon OFF blade3 Beacon OFF blade8 Beacon OFF blade10 Beacon OFF FC Router ON FC Router BB Fabric ID 1 Index Slot Port Address Media Speed State Proto 112 10 0 037000 id N4 No_Light Disabled Persistent 113 10 1 037100 id N4 No_Light Disabled Persistent 114 10 2 037200...

Page 231: ...chRole Principal switchDomain 3 switchId fffc03 switchWwn 10 00 00 60 69 e4 00 86 zoning ON test switchBeacon OFF blade3 Beacon OFF blade8 Beacon OFF blade10 Beacon OFF FC Router ON FC Router BB Fabric ID 1 Index Slot Port Address Media Speed State Proto 112 10 0 037000 id N4 No_Light Disabled Persistent 113 10 1 037100 id N4 No_Light Disabled Persistent 114 10 2 037200 id N4 No_Light Disabled Per...

Page 232: ...i blade to connect to a HP fabric you must create LSAN and zones for the SAN Once you have set up LSAN zoning you can issue the cfgShow command to verify that the zoning is correct NOTE The procedures related to McDATA that are described in this section were current when the document was written but may have changed since then For the most up to date information refer to the McDATA documentation a...

Page 233: ... screens provided in this section are for illustrative purposes only Depending on the McDATA firmware release you are using the McDATA web based management tool may display a user interface different from those shown Additionally HP M Series fabrics are supported with HAFM High Availability Fabric Manager which utilizes similar functionality and user interfaces 4 Type the desired name in the Zone ...

Page 234: ...ew Zone members If you are using EFCM in the WWN field of Potential Zone Members New Member enter the WWN port name and click Add NOTE If you are using EFCM 8 0 or later some of the steps will be different To obtain current information about your McDATA product visit McData s web site to become familiar with the McDATA Zoning User Manual for your specific EFCM release 8 Select the Zone Set tab in ...

Page 235: ... not necessarily unique across fabrics you cannot use the domain port method of identification If the LSAN is configured and the proxy devices are created the proxy device will show in the name server of the edge fabric and the xlate domain will show in the fabric of the edge fabric For more details about LSAN zoning see Configuring LSANs and zoning on page 216 If the LSAN devices appear in only o...

Page 236: ...Series MP Router FR4 18i blade for use complete the configuration using the following procedure 1 Physically connect the EX_Port that you configured for the HP StorageWorks switch to the FC router 2 Log in to the HP StorageWorks switch as an admin 3 Physically connect the configured FC router EX_Port to the McDATA switch and issue the switchShow command New domains should be visible for each IFL f...

Page 237: ...00 00 00 00 00 01 00 Fabric Port Name 20 0e 00 60 69 e2 18 b6 Permanent Port Name 10 00 00 00 00 01 00 00 Port Index 14 Share Area No Device Shared in Other AD No Switch entry for 3 state rev owner known v410 0xfffc02 Device list count 1 Type Pid COS PortName NodeName N 03f001 2 3 10 00 00 00 c9 44 54 04 20 00 00 00 c9 44 54 04 FC4s FCP NodeSymb 36 Emulex LP9002 FV3 92A2 DV5 5 10A10 Fabric Port Na...

Page 238: ...238 Using the FC FC routing service ...

Page 239: ...s connected to a switch It supplements other MIBs used to manage switches and should be used in conjunction with those other MIBs For more information refer to the Fabric OS MIB Reference Manual Link incident detection registration and reporting Provide administrative and diagnostic information Switch Connection Control SCC policy Includes switch binding security methods that prevent unauthorized ...

Page 240: ...ctor 2 128 and 4 256 SAN Director port blades FC2 16 FC4 16 or FC4 32 in the same director are not supported in a FICON environment The following port blades can exist in a FICON environment however FICON device connection to ports on these blades is not supported NOTE At the time of this document s release HP does not support the FC4 16IP blade Consult http www hp com for the latest updated infor...

Page 241: ... the time of printing IBM Fibre Connections FICON is not supported on HP B Series Fibre Channel switches Please refer to http www hp com for a list of current supported features CUP functionality is present on the SAN Switch 2 32 and SAN Director 2 128 models running Fabric OS v4 4 0 or later CUP functionality is also present on the SAN Switch 4 32 and 4 256 SAN Director models running Fabric OS v...

Page 242: ...the local RNID database ficonshow ilir fabric Displays FRU failure information on the local switch or on the fabric ficonshow lirr fabric Displays registered listeners for link incidents for the local switch or for the fabric ficonshow rlir fabric Displays link incidents for the local switch or for the fabric ficonshow rnid fabric Displays node identification data for all devices registered with t...

Page 243: ...might result in dropped frames as routes are adjusted to take advantage of the bandwidth provided By disabling DLS you ensure that there will be no dropped frames A similar situation occurs when an ISL port is taken offline and then brought back online When the ISL port goes offline the traffic on that port is rerouted to another ISL with a common destination When the ISL port comes back online an...

Page 244: ...y on the switch from the default exchange based policy to the required port based policy for those switches with FICON devices directly attached For the SAN Switch 4 32 refer to the Fabric OS Command Reference Manual for details about the aptPolicy command For the 4 256 SAN Director refer to the Web Tools Administrator s Guide 5 Enter the ficonshow rnid command to verify that the FICON devices are...

Page 245: ...unit CU devices The Query for Security Attributes QSA response to the channel indicates that the fabric binding and IDID are enabled Figure 16 shows one viable cascaded configurations These configurations require Channel A to be configured for two byte addressing and require IDID and fabric binding There can be only two switches in the path from the channel to the control unit Figure 16 Cascaded c...

Page 246: ...Node identification data To display node identification data connect to the switch log in as user and enter any of the following commands For the local switch ficonshow switchrnid For all switches defined in the fabric ficonshow switchrnid fabric For all devices registered with the local switch ficonshow rnid For all devices registered with all switches defined in the fabric ficonshow rnid fabric ...

Page 247: ...ort swapping In the following example slot is the slot number of the port blade for a system with port blades optional portA is the original port number portB is the alternate port number You can use the portSwapShow command to display information about swapped ports in a switch You can use the portSwap command to disable the portswap feature You cannot use the portSwap command after this feature ...

Page 248: ...irector 2 128 only Use the portDisable command to disable block port 126 For 4 256 SAN Director only Use the portDisable command to disable block ports 254 and 255 Port 126 Core Switch 2 64 and 254 and 255 4 256 SAN Director are not supported in a CUP environment After fmsmode has been successfully enabled these two ports remain disabled and cannot be used either as an F_Port or an E_Port Because ...

Page 249: ...nnot use the portCfgPersistentEnable and portCfgPersistentDisable commands to persistently enable and disable ports when FICON Management Server mode is on Refer to the procedure Persistently enabling disabling ports on page 252 Changing fmsmode from disabled to enabled triggers the following events Access to switch parameters is serialized The active CUP configuration data is established as follo...

Page 250: ...d consequently will never try to communicate with it Hence it is possible that fmsmode may already be enabled on the switch If FICON Management Server mode is already enabled set up CUP as follows 1 Verify that FICON Management Server mode is enabled by entering the ficoncupshow fmsmode command If FICON Management Server mode is not enabled refer to Enabling and disabling FICON management server m...

Page 251: ...P parameters on the switch The default setting is 0 off ASM Active saved mode When this bit is set on all CUP configuration parameters are persistent meaning that they will be saved in nonvolatile storage in the initial program load IPL file that is applied upon a cold reboot or a power cycle The default setting is 1 on DCAM Switch clock alert mode When this bit is set on a warning is issued when ...

Page 252: ...s When fmsmode is enabled you cannot use the portCfgPersistentEnable and portCfgPersistentDisable commands to persistently enable and disable ports Instead use the following procedure 1 Enter the ficoncupshow modereg command to display the mode register bit settings 2 Verify that the ASM bit is set on 1 3 If the ASM bit is set off 0 enter the ficoncupset modereg asm 1 command to set it on 4 Use th...

Page 253: ...nstalled you must first disable and then re enable fmsmode If fmsmode is disabled and a FICON CUP license is installed no special action is required Zoning and PDCM considerations The FICON Prohibit Dynamic Connectivity Mask PDCM controls whether or not communication between a pair of ports in the switch is prohibited or allowed If there are any differences in restrictions set up with Advanced Zon...

Page 254: ...ir command displays among other information a tag field for the switch port You can use this tag to identify the port on which a FICON link incident occurred The tag field is a concatenation of the switch domain ID and port number in hexadecimal format The following example shows a link incident for the switch port at domain ID 120 port 93 785d in hex switch admin ficonshow rlir Fmt Type PID Port ...

Page 255: ...anagement workstation there is a section in the uploaded configuration file labeled FICON_CUP that exists in an encoded format To download configuration files with Active Saved mode enabled Enter the configDownload command The contents of existing files saved on the switch which are also present in the FICON_CUP section are overwritten The files in the FICON section of the configuration file which...

Page 256: ...ID_________ Switch ID FICON Switch Domain ID_________ Switch Cascaded Directors No _____Yes _____ Corresponding Cascaded Switch Domain ID _____ Fabric Name ________________________________ FICON Switch F_Ports Attached N_Ports E_Ports CU CPC or ISL Slot Number Port Number Port Address Laser Type LX SX Port Name Node Type CU CHNL Machine Type Model Serial Number ISL CU I F CPC CHPID ...

Page 257: ... have a unique domain ID and a unique switch ID The switch ID used in the IOCP definitions can be any value between x 00 to x FF The domain ID range for Directors is hex x 01 to x EF or decimal 1 to 239 When defining the switch IDs in the IOCP definitions ensure that you use values within the FICON Director s range The switch ID has to be assigned by the user and must be unique within the scope of...

Page 258: ...ollected in the form of System Management Facility SMF records This data is essential for any kind of FICON channel performance troubleshooting To obtain an RMF FICON Director activity report you must include the keyword FCD in the RMF configuration file for the FICON Director this is generic for any FICON Director You must also define the CUP port In the sample below the keyword is boldfaced SAN ...

Page 259: ...DEVICE DASD DIRECT ACCESS DEVICE STATISTICS WILL BE COLLECTED DEVICE GRAPH GRAPHICS DEVICE STATISTICS WILL BE COLLECTED DEVICE TAPE TAPE DEVICE STATISTICS WILL BE COLLECTED DEVICE NOUNITR UNIT RECORD DEVICE STATISTICS WILL NOT BE COLLECTED DEVICE NONMBR NO DEVICE SELECTIVITY BY DEVICE NUMBERS IOQ DASD COLLECT DASD I O QUEUING STATISTICS IOQ NOCHRDR PREVENT CHARACTER READER I O QUEUING STATISTICS I...

Page 260: ...260 Administering FICON fabrics ...

Page 261: ...eplicated on every HP StorageWorks switch within a fabric It provides an unzoned view of the overall fabric configuration This fabric topology view exposes the internal configuration of a fabric for management purposes it contains interconnect information about switches and devices connected to the fabric Under normal circumstances a device typically an FCP initiator queries the Name Server for st...

Page 262: ...owed to access the management server NOTE The msConfigure command is disabled if the switch is in secure mode Refer to the Secure Fabric OS Administrator s Guide for more information To display the management server ACL 1 Connect to the switch and log in as admin 2 Enter the msConfigure command The command becomes interactive 3 At the select prompt enter 1 to display the access list A list of WWNs...

Page 263: ...rom the ACL 14 After verifying that the WWN was deleted correctly enter 0 at the prompt to end the session 15 At the Update the FLASH prompt enter y switch admin msconfigure 0 Done 1 Display the access list 2 Add member based on its Port Node WWN 3 Delete member based on its Port Node WWN select 0 3 1 2 Port Node WWN in hex 00 00 00 00 00 00 00 00 20 00 00 20 37 65 ce aa WWN is successfully added ...

Page 264: ...hex 00 00 00 00 00 00 00 00 20 00 00 20 37 65 ce aa WWN is successfully deleted from the MS ACL 0 Done 1 Display the access list 2 Add member based on its Port Node WWN 3 Delete member based on its Port Node WWN select 0 3 2 1 MS Access List consists of 13 20 00 00 20 37 65 ce aa 20 00 00 20 37 65 ce bb 20 00 00 20 37 65 ce ff 20 00 00 20 37 65 ce 11 20 00 00 20 37 65 ce 22 20 00 00 20 37 65 ce 33...

Page 265: ... the entire fabric To disable topology discovery 1 Connect to the switch and log in as admin 2 Enter the mstdDisable command to disable the discovery feature locally A warning displays that all NID entries might be cleared switch admin msplatshow Platform Name 9 first obj Platform Type 5 GATEWAY Number of Associated M A 1 35 http java sun com products plugin Number of Associated Node Names 1 Assoc...

Page 266: ...ogy discover might erase all NID entries switch admin mstddisable This may erase all NID entries Are you sure yes y no n no y Request to disable MS Topology Discovery Service in progress MS Topology Discovery disabled locally switch admin mstddisable all This may erase all NID entries Are you sure yes y no n no y Request to disable MS Topology Discovery Service in progress MS Topology Discovery di...

Page 267: ...image The POST tests provide a quick indication of hardware readiness when hardware is powered up These tests do not require user input to function They typically operate within several minutes and support minimal validation because of the restriction on test duration Their purpose is to give a basic health check before a new switch joins a fabric These tests are divided into two groups POST1 and ...

Page 268: ...ric OS Paulsa45 Paulsa45 console login 2005 03 31 20 12 42 TRCE 5000 0 INFO trace trace_buffer c line 1170 2005 03 31 20 12 42 LOG 5000 0 INFO SWSAN Switch 4 32_P45 Previous message repeat 1 time s trace_ulib c line 540 2005 03 31 20 12 43 HAM 1004 219 INFO SWSAN Switch 4 32_P45 Processor rebooted Unknown SNMP Research SNMP Agent Resident Module Version 15 3 1 4 Copyright 1989 1990 1991 1992 1993 ...

Page 269: ...he switch beaconing state either ON or OFF The switchShow command also displays the following information for ports on the specified switch Module type The SFP type if a SFP is present Port speed The speed of the Port 1G 2G 4G N1 N2 N4 or AN The speed can be fixed negotiated or auto negotiated Port state The port status Comment Displays information about the port This section might be blank or dis...

Page 270: ...ying the number that corresponds to the port you are troubleshooting In this example the status of port two is shown Refer to the Fabric OS Command Reference Manual for additional portShow command information such as the syntax for slot or port numbering switch admin uptime 4 43am up 1 day 12 32 1 user load average 1 29 1 31 1 27 switch admin switch admin portshow 2 portName portHealth HEALTHY Aut...

Page 271: ...received stat_mc_rx 0 Multicast frames received stat_mc_to 0 Multicast timeouts stat_mc_tx 0 Multicast frames transmitted tim_rdy_pri 0 Time R_RDY high priority tim_txcrd_z 0 Time BB credit zero er_enc_in 0 Encoding errors inside of frames er_crc 0 Frames with CRC errors er_trunc 0 Frames shorter than minimum er_toolong 0 Frames longer than maximum er_bad_eof 0 Frames with bad end of frame er_enc_...

Page 272: ... 0 0 0 0 0 0 0 0 0 2 0 0 12 0 0 0 0 0 0 0 0 0 0 0 2 0 0 13 0 0 0 0 0 0 0 0 0 0 0 2 0 0 14 0 0 0 0 0 0 0 0 0 0 0 2 0 0 15 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 0 0 0 0 0 0 0 0 0 0 0 0 33 0 0 0 0 0 0 0 0 0 0 0 0 0 0 34 0 0 0 0 0 0 0 0 0 0 0 0 0 0 35 0 0 0 0 0 0 0 0 0 0 0 0 0 0 36 0 0 0 0 0 0 0 0 0 0 0 0 0 0 37 0 0 0 0 0 0 0 0 0 0 0 0 0 0 38 0 0 0 0 0 0 0 0 0 0 0 0 0 0 39 0 0 0 0 0 0 0 0 0 0 0 0 0 0 40 ...

Page 273: ...ware tolerance To display the status of a power supply 1 Connect to the switch and log in as admin 2 Enter the psShow command The possible status values are OK Power supply functioning correctly Absent Power supply not present Unknown Unknown power supply unit installed Predicting failure Power supply is present but predicting failure FAULTY Power supply is present but faulty no power cable power ...

Page 274: ...r each of the two CP blades For these models you should configure syslogd to support chronological system message logs For details see Configuring for syslogd on page 276 For details on error messages refer to the Fabric OS System Error Message Reference Manual To display the system message log with no page breaks 1 Connect to the switch and log in as admin 2 Enter the errDump command at the comma...

Page 275: ...ame The payload contains the information being transported by the frame and is determined by the higher level service or FC_4 upper level protocol There are many different payload formats based on the protocol switch admin portlogshow 12 time task event port cmd args Thu Apr 14 12 07 09 2005 12 07 09 350 PORT Rx 0 40 02fffffd 00fffffd 0608ffff 14000000 12 07 09 350 PORT Tx 0 0 c0fffffd 00fffffd 06...

Page 276: ...message severities to UNIX severities as shown in Table 56 In switch admin portlogdump task event port cmd args 16 30 41 780 PORT Rx 9 40 02fffffd 00fffffd 0061ffff 14000000 16 30 41 780 PORT Tx 9 0 c0fffffd 00fffffd 0061030f 16 30 42 503 PORT Tx 9 40 02fffffd 00fffffd 0310ffff 14000000 16 30 42 505 PORT Rx 9 0 c0fffffd 00fffffd 03100062 16 31 00 464 PORT Rx 9 20 02fffc01 00fffca0 0063ffff 0100000...

Page 277: ...7 indicating a UNIX local7 facility The default is 7 It is necessary to set the facility level only if you specified a facility other than local7 in the host etc syslog conf file To remove a syslogd host from the list 1 Connect to the switch and log in as admin 2 Enter the syslogDipRemove command 3 Verify the IP address was deleted using the syslogDipShow command local7 emerg var adm swcritical lo...

Page 278: ...the files Enable the automatic transfer of trace dumps to the server Trace dumps overwrite each other by default sending them to a server preserves information that would otherwise be lost You should also set up a periodic checking of the remote server so that you are alerted if the server becomes unavailable and you can correct the problem After the setup is complete you can run the supportSave c...

Page 279: ...server 1 Connect to the switch and log in as admin 2 Enter the following command The interval is in hours The minimum interval is 1 hour Specify 0 hours to disable the checking feature To save a comprehensive set of diagnostic files to the server 1 Connect to the switch and log in as admin 2 Enter the following command switch admin traceftp e switch admin supportftp t interval switch admin support...

Page 280: ...280 Working with diagnostic features ...

Page 281: ...a problem between the host and switch Most common problem areas Refer to Table 57 for a list of the most common problem areas that arise within SANs and a list of tools that can be used to resolve them Table 57 Common troubleshooting problems and tools Problem Area Investigate Tools Fabric Missing devices Marginal links unstable connections Incorrect zoning configurations Incorrect switch configur...

Page 282: ...nic 3 Enter the saveCore command to save or remove core files created by daemons For more details about these commands refer to the Fabric OS Command Reference Manual Troubleshooting questions Common steps and questions to ask yourself when troubleshooting a system problem are as follows 1 What is the current Fabric OS level 2 What is the switch hardware version 3 Is the switch operational 4 Impac...

Page 283: ...nd 2 Review the output and determine if the device is logically connected to the switch A device that is logically connected to the switch will be registered as an F_Port or L_Port A device that is not logically connected to the switch will be registered as something other than an F_Port or L_Port 3 If the missing device is logically connected proceed to the next troubleshooting procedure To check...

Page 284: ...ply from 10 00 00 00 c9 29 0e c4 12 bytes time 1013 usec received reply from 10 00 00 00 c9 29 0e c4 12 bytes time 1442 usec received reply from 10 00 00 00 c9 29 0e c4 12 bytes time 1052 usec received reply from 10 00 00 00 c9 29 0e c4 12 bytes time 1012 usec 5 frames sent 5 frames received 0 frames rejected 0 frames timeout Round trip min avg max 1012 1136 1442 usec Pinging 21 00 00 20 37 25 ad ...

Page 285: ... the number of successful logins and SCSI INQUIRY commands sent over this port and a list of the attached devices 5 Check the port log to determine whether or not the device sent the FLOGI frame to the switch and the switch probed the device The Local Name Server has 9 entries Type Pid COS PortName NodeName TTL sec N 021a00 2 3 20 00 00 e0 69 f0 07 c6 10 00 00 e0 69 f0 07 c6 895 Fabric Port Name 2...

Page 286: ... domain ID conflict on page 287 A switch in a secure fabric is not running Secure Fabric OS Refer to the Secure Fabric OS Administrator s Guide for additional information There are a number of settings that control the overall behavior and operation of the fabric Some of these values such as the domain ID are assigned automatically by the fabric and can differ from one switch to another in the fab...

Page 287: ...until all domain ID conflicts are resolved 1 Enter the fabricShow command on a switch from one of the fabrics 2 In a separate telnet window enter the fabricShow command on a switch from the second fabric 3 Compare the fabricShow output from the two fabrics Note the number of domain ID conflicts there might be several duplicate domain IDs that will need to be changed Determine which switches have d...

Page 288: ...out disrupting the fabric first verify fabric merge problem then edit zone configuration members and then reorder the zone member list To verify a fabric merge problem 1 Enter the switchShow command to validate that the segmentation is due to a zone issue 2 Refer to Table 58 to view the different types of zone discrepancies Table 59 Commands for debugging zoning Command Function aliCreate Use to c...

Page 289: ...e members of the configuration are the same One simple approach to making sure that the zoneset members are in the same order is to keep the members in alphabetical order To reorder the zone member list 1 Use the output from the cfgShow for both switches 2 Compare the order that the zone members are listed Members must be listed in the same order 3 Rearrange zone members so that the configuration ...

Page 290: ... and plug it back in To check the switch temperature 1 Log in to the switch as user 2 Enter the tempShow command 3 Check the temperature output Look for indications of high or low temperatures To check the power supply 1 Log in to the switch as user 2 Enter the psShow command 3 Check the power supply status Refer to the appropriate hardware reference manual for details regarding the power supply s...

Page 291: ... 5 5 id N2 Online E Port 10 00 00 05 1e 34 00 8b Dazz125 downstream Trunk master 6 id N2 No_Light 7 id N2 No_Light 8 id N1 Online L Port 4 public 1 private 1 phantom 9 id N2 No_Light 10 id N2 Online G Port 11 id N2 Online F Port 10 00 00 01 c9 28 c7 01 12 id N1 Online L Port 4 public 1 private 1 phantom 13 N2 No_Module 14 id N2 Online E Port Trunk port master is Port 15 15 id N2 Online E Port 10 0...

Page 292: ... 0 0 0 0 0 0 0 0 0 0 1 0 0 68 0 0 0 0 0 0 0 0 0 0 0 1 0 0 69 0 0 0 0 0 0 0 0 0 0 0 1 0 0 70 0 0 0 0 0 0 0 0 0 0 0 1 0 0 71 0 0 0 0 0 0 0 0 0 0 0 1 0 0 72 0 0 0 0 0 0 0 0 0 0 0 1 0 0 73 0 0 0 0 0 0 0 0 0 0 0 1 0 0 74 0 0 0 0 0 0 0 0 0 0 0 1 0 0 75 0 0 0 0 0 0 0 0 0 0 0 1 0 0 76 0 0 0 0 0 0 0 0 0 0 0 1 0 0 77 0 0 0 0 0 0 0 0 0 0 0 1 0 0 78 0 0 0 0 0 0 0 0 0 0 0 1 0 0 79 0 0 0 0 0 0 0 0 0 0 0 1 0 0 8...

Page 293: ...ffline No_Module PRESENT U_PORT LED 7 23 Offline No_Module PRESENT U_PORT LED 7 24 Offline No_Module PRESENT U_PORT LED 7 25 Offline No_Module PRESENT U_PORT LED 7 26 Offline No_Module PRESENT U_PORT LED 7 27 Offline No_Module PRESENT U_PORT DISABLED LED 7 28 Offline No_Module PRESENT U_PORT LED 7 29 Offline No_Module PRESENT U_PORT LED 7 30 Offline No_Module PRESENT U_PORT LED 7 31 Offline No_Mod...

Page 294: ...00000000 00000000 00000002 12 38 22 311 PORT scn 10 1 00000000 00000000 00000001 12 38 22 311 PORT debug 10 00000001 00654320 00000001 00000000 12 38 22 311 PORT debug 10 00000001 00654320 00000002 00000000 12 38 22 311 PORT debug 10 00000001 00654320 00000003 00000000 12 38 22 313 PORT Tx 10 164 02fffffd 00fffffd 025effff 10000000 12 38 22 314 PORT debug 10 00000001 00654320 00000003 00000000 7 1...

Page 295: ...bric OS Command Reference Manual for additional command information nframes count Specify the number of frames to send lb_mode mode Select the loopback point for the test spd_mode mode Select the speed mode for the test ports itemlist Specify a list of user ports to test Example Table 60 Component test descriptions Test Name Operands Checks crossporttest nframes count lb_mode mode spd_mode mode gb...

Page 296: ...that can be used to determine the switch components that are not functioning properly Refer to the Fabric OS Command Reference Manual for additional command information switchname admin fporttest 100 8 0xaa55 2 512 Will use pattern aa55 aa55 aa55 aa55 aa55 aa55 Running fPortTest port 8 test passed value 0 Table 61 Switch component tests Test Function portloopbacktest Functional test of port N to N...

Page 297: ...eed 4 Enter the portLogShow or portLogDump command 5 Check the events area of the output The first example is 1 Gbit sec and the second example is 2 Gbit sec sn indicates a speed negotiation NC indicates negotiation complete 01 or 02 indicate the speed that has been negotiated If these fields do not appear proceed to the step 6 6 Correct the negotiation by entering the portCfgSpeed slotnumber port...

Page 298: ...ow command 2 Refer to the comment fields refer to Table 62 and follow the suggested actions switch admin portlogdumpport 4 time task event port cmd args 11 38 21 726 INTR pstate 4 AC Table 62 SwitchShow output and suggested action Output Suggested action Disabled Check the output from the switchShow command to determine whether or not the switch is disabled If the port is disabled for example due ...

Page 299: ...nc crc too too bad enc disc link loss loss frjt fbsy tx rx in err shrt long eof out c3 fail sync sig sig 0 22 24 0 0 0 0 0 1 5m 0 7 3 0 0 0 1 22 24 0 0 0 0 0 1 2m 0 7 3 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 3 0 0 0 0 0 0 0 0 0 0 0 0 0 0 4 149m 99m 0 0 0 0 0 448 0 7 6 0 0 0 5 149m 99m 0 0 0 0 0 395 0 7 6 0 0 0 6 147m 99m 0 0 0 0 0 706 0 7 6 0 0 0 7 150m 99m 0 0 0 0 0 160 0 7 5 0 0 0 8 0 0 0 0 0 0 0 0...

Page 300: ...rt this event inaccurately to the system message log it will appear that the login was successful This scenario only occurs when the maximum number of users has been reached otherwise the login information displayed in the system message log should reflect reality Refer to Tracking and controlling switch changes on page 48 for information regarding enabling and disabling track changes TC Recognizi...

Page 301: ...b Tools Administrator s Guide for more information Port mirroring Port mirroring lets you configure a switch port as an analyzer port to mirror a specific source port and destination port traffic passing though any switch port This is a useful way to troubleshoot without bringing down the host and destination links to insert an inline analyzer Port mirroring captures traffic between two devices It...

Page 302: ...ng or deleting a port mirror connection causes a frame drop Port mirroring reroutes a given connection to the mirror port where the mirror traffic takes an extra route to the mirror port When the extra route is removed the frames between the two ports goes directly to the destination port Since the frames at the mirror port could be queued at the destination port behind those frames that went dire...

Page 303: ...nly two ports are involved to capture the sent and received traffic The destination port mirrors the received from the switch s point of view traffic Traffic is received at the source port and the switch routes these frames to the destination port The destination port has a port mirror which redirects matching frames to the mirror port The mirror port then routes those frames it receives back to t...

Page 304: ...ions A mirror port can be any port on the same switch as the source identifier port Only one domain can be mirrored per chip after a domain is defined only mirror ports on the defined domain can be used For example in a three domain fabric containing switches 4100A 4100B and 4100C a mirror connection that is created between 4100A and 4100B only allows 4100A to add mirror connections for those port...

Page 305: ...d and the chunk number When removing a mirror connection always use this method to ensure that the data is cleared Deleting a connection removes the information from the database To delete a port mirror connection between two local switch ports or a local and a remote switch port 1 Log in to the switch as admin 2 Type portMirror del SourceID DestID For example to delete the port mirror connection ...

Page 306: ...21 switchId fffc79 switchWwn 10 00 00 60 69 e4 00 a0 zoning ON c switchBeacon OFF blade2 Beacon OFF Area Slot Port Media Speed State 16 2 0 N4 No_Module 17 2 1 idN2 No_Light 18 2 2 idN2 No_Light 19 2 3 idN2 No_Light 20 2 4 N4 No_Module 21 2 5 idN2 No_Light 22 2 6 idN2 No_Light 23 2 7 idN2 No_Light 24 2 8 idN1 OnlineL_Port output truncated 156 2 28 N4 No_Module 157 2 29 idN2 No_Light 158 2 30 N4 No...

Page 307: ...with the port are included in the zone then a port login PLOGI to a non existent virtual PID is not blocked by the switch rather it is delivered to the device attached to the NPIV port In cases where the device is not capable of handling such unexpected PLOGIs you should use WWN based zoning Enabling and disabling NPIV For Bloom based switches SAN Switch 2 32 and SAN Director 2 128 NPIV is disable...

Page 308: ...ion To view the NPIV capability of switch ports enter the portCfgShow command The following example shows whether or not a port is configured for NPIV Use the switchShow and portShow commands to view NPIV information for a given port If a port is an F_Port and you enter the switchShow command then the port WWN of the N_Port is returned For an NPIV F_Port there are multiple N_Ports each with a diff...

Page 309: ...77 switchType 32 0 switchState Online switchMode Native switchRole Principal switchDomain 99 switchId fffc63 switchWwn 10 00 00 05 1e 35 37 40 zoning OFF switchBeacon OFF Area Port Media Speed State 0 0 id N2 Online F Port 50 05 07 64 01 20 73 b8 1 1 id N2 Online F Port 50 05 07 64 01 60 73 b8 2 2 id N2 Online F Port 65 NPIV public 3 3 id N2 Online F Port 50 05 07 64 01 e0 73 b8 4 4 id N2 Online F...

Page 310: ... portWwn 20 02 00 05 1e 35 37 40 portWwn of device s connected c0 50 76 ff fb 00 16 fc c0 50 76 ff fb 00 16 f8 output truncated c0 50 76 ff fb 00 16 80 50 05 07 64 01 a0 73 b8 Distance normal portSpeed N2Gbps Interrupts 0 Link_failure 16 Frjt 0 Unknown 0 Loss_of_sync 422 Fbsy 0 Lli 294803 Loss_of_sig 808 Proc_rqrd 0 Protocol_err 0 Timed_out 0 Invalid_word 0 Rx_flushed 0 Invalid_crc 0 Tx_unavail 0 ...

Page 311: ...nking performance and resource usage NOTE Advanced Performance Monitoring is not supported on VE_Ports virtual FC_Ports and EX_Ports If you issue commands for any Advanced Performance Monitors on VE_Ports or EX_Ports you will receive error messages Refer to Using the FCIP Tunneling Service on page 273 for more information about VE_Ports Additional features are provided through Web Tools For additi...

Page 312: ... to a port perfAddUserMonitor Add a filter based monitor to a port perfAddWriteMonitor Add a SCSI Write monitor to a port perfCfgClear Clear the performance monitoring settings from nonvolatile flash memory perfCfgRestore Restore performance monitoring settings from nonvolatile flash memory perfCfgSave Save the current performance monitoring settings to nonvolatile flash memory perfClearAlpaCrc Cl...

Page 313: ...rmance monitoring you must configure an end to end monitor on a port specifying the SID DID pair in hexadecimal The monitor counts only those frames with matching SID and DID Each SID or DID has three fields listed in the following order Domain ID DD Area ID AA AL_PA PP For example the SID 0x1 18a0f denotes DD 0x1 1 AA 0x8a and AL_PA 0x0f You can monitor end to end performance using the perfMonito...

Page 314: ...ualified using either of following conditions For frames received at the port with the end to end monitor installed the frame SID is the same as SourceID and the frame DID is the same as DestID The RX_COUNT and CRC_COUNT are updated accordingly For frames transmitted from the port with the end to end monitor installed the frame DID is the same as SourceID and the frame SID is the same as DestID Th...

Page 315: ...ng a mask you can choose to have the frame match only one or two of the three fields Domain ID Area ID and AL_PA to trigger the monitor NOTE Only one mask per port can be set When you set a mask all existing end to end monitors are deleted You can specify a mask using the perfSetPortEeMask command in the form dd aa pp where dd is the domain ID mask aa is the area ID mask and pp is the AL_PA mask T...

Page 316: ...orShow command as described in Displaying monitor counters on page 321 Deleting end to end monitors Enter the perfDelEeMonitor command to delete end to end monitors You can delete all monitors or specific monitors The following example deletes the end to end monitor number 0 on slot 1 port 2 switch admin perfsetporteemask 1 11 00 00 ff 00 00 ff 00 00 ff 00 00 ff The EE mask on port 11 is set and E...

Page 317: ...a maximum of 12 filter monitors per port Ports 16 through 31 have a maximum of 6 filter monitors per port Ports 32 through 47 do not have filter monitors For the FC4 16IP port blade the maximum number of filters is 12 per port and 15 offsets per port At the time of this document s release HP does not support the FC4 16IP iSCSI blade Consult http www hp com for the latest updated information The ac...

Page 318: ...ould exhaust all unique filter monitor resources on port 30 Therefore any additional filter monitors created on port 30 would have to be canned filter monitors SAN Switch 2 8V SAN Switch 2 16V SAN Switch 2 32 and SAN Director 2 128 models Fabric OS v4 0 0 or later Up to two different offsets per port one offset when FICON management server mode FMS is enabled 4 64 SAN Switch 400 MP Router and 4 25...

Page 319: ...switch does not have enough resources to create a given filter then other filters might have to be deleted to free resources To add filter based monitors Two filter based monitors are added The first monitor 5 counts all FCP and IP frames transmitted from domain 0x02 for slot 4 port 2 The FCP and IP protocols are selected by monitoring offset 12 mask 0xff and matching values of 0x05 or 0x08 Domain...

Page 320: ...rfMonitorClear command as described in Clearing monitor counters on page 323 Monitoring trunks For trunked ISLs on Fabric OS v4 x or higher switches monitoring is set only on the master ISL which communicates with the associated slave ISLs Note the following For Fabric OS v3 x switches monitoring can be set on slave ISLs End to end monitors are not supported for ISLs 4 16 SAN Switch and 4 8 SAN Sw...

Page 321: ...ot numbers 5 and 6 are control processor blades slots 1 through 4 and 7 through 10 are port blades For 16 port blades there are 16 ports counted from the bottom numbered 0 to 15 For 32 port blades there are 32 ports numbered 0 to 31 portnumber Specifies a port number Valid values for port number vary depending on the switch type This operand is required interval Specifies an interval in seconds Th...

Page 322: ...000000000000000 switch admin perfMonitorShow class FLT 2 5 6 perfmonitorshow 21 6 0 1 2 3 4 5 6 Frames Frames Frames Frames Frames Frames Frames 0 0 0 0 0 0 0 26k 187 681 682 682 494 187 26k 177 711 710 710 534 176 26k 184 734 734 734 550 184 26k 182 649 649 649 467 182 26k 188 754 755 755 567 184 26k 183 716 716 717 534 183 26k 167 657 656 655 488 167 26k 179 749 749 749 570 179 26k 164 752 752 7...

Page 323: ...ber must be followed by a slash and the port number so that each port is represented by both slot number 1 through 4 or 7 through 10 and port number 0 through 15 The Director has a total of 10 slots Slot numbers 5 and 6 are control processor blades slots 1 through 4 and 7 through 10 are port blades For 16 port blades there are 16 ports counted from the bottom numbered 0 to 15 For 32 port blades th...

Page 324: ...ference saving to flash memory when the total number of monitors in a switch exceeds 512 If the total number of monitors per port or switch exceeds the limit then you will receive an error message indicating the count has been exceeded and that some monitors have been discarded Collecting performance data Data collected through Advanced Performance Monitoring is deleted when the switch is rebooted...

Page 325: ...ce that is in loopback mode might become disabled for lack of buffers if another port in that group is set to L2 mode Refer to Configuring Directors on page 109 for details about port blade nomenclature HP StorageWorks SAN Switch 4 32 4 256 SAN Director 4 64 SAN Switch 400 MP Router and FC4 16 FC4 32 and B Series MP Router port blades For the SAN Switch 4 32 4 256 SAN Director 4 64 SAN Switch 400 ...

Page 326: ...gnated LM when listed with the portcfgshow command 19 34 25 km 25 km v3 1 0 v4 1 0 v4 x 5 x Yes L1 Level 1 static mode 27 54 50 km 50 km All Yes L2 Level 2 static mode 60 65 108 for Bloom II 100 km 60 km 100 km for Bloom II All Yes LD2 Dynamic mode uses automatic distance detection for a user specified distance Auto Auto Auto Maximum is 200 km Auto Maximum is 100 km v3 1 0 v4 1 0 v4 4 0 5 x depend...

Page 327: ...credits required based on the actual link distance 3 The static long distance mode LS allocates the number of buffer credits based on the user specified distance Table 69 Extended ISL Modes switches with Condor ASIC Mode Buffer allocation Distance 1 Gbit sec Distance 2 Gbit sec Distance 4 Gbit sec Earliest Fabric OS release Extended Fabrics license required 1 Gbit sec 2 Gbit sec 4 Gbit sec L0 5 26...

Page 328: ...blades The number of ports that can be configured per port group at various distances is summarized in Table 71 SAN Switch 4 32 The number of ports that can be configured at various distances is summarized in Table 72 Table 70 4 16 SAN Switch and 4 8 SAN Switch Speed Gbit sec Number of ports allowed at distance km 10 km 25 km 50 km 100 km 250 km 500 km 1 16 ports 12 ports 6 ports 3 ports 1 port n ...

Page 329: ...rts allowed at distance km 10 km 25 km 50 km 100 km 250 km 500 km 1 64 ports 64 ports 64 ports 44 ports 16 ports 8 ports 2 64 ports 64 ports 48 ports 20 ports 8 ports n a 4 64 ports 48 ports 20 ports 8 ports n a n a Table 74 400 MP Router Speed Gbit sec Number of ports allowed at distance km 10 km 25 km 50 km 100 km 250 km 500 km 1 16 ports 16 ports 16 ports 16 ports 6 ports 2 ports 2 16 ports 16 ...

Page 330: ...ed before setting this parameter For fabrics that contain a mix of switch models the fabric ops mode longDistance parameter must be set to 0 the default Under certain circumstances for example if you want extended distance between Bloom based switches this mode needs to be enabled set to 1 on switches running Fabric OS v3 x or v4 x Talk to your switch provider for details The ports on both ends of...

Page 331: ...is not applicable to fixed port switches The slot number must be followed by a slash and the port number portnumber Specify the port number distance_level Specify the ISL mode to be set on the port refer to Table 67 vc_translation_link_init This extended link initialization sequence which is an enhanced link reset protocol avoids excessive resetting of ports By default this option is set to 1 enab...

Page 332: ...332 Administering Extended Fabrics ...

Page 333: ... software features on page 33 Trunking is enabled automatically when the ISL Trunking license is activated and ports are reinitialized after installing the license you enter the switchDisable and switchEnable commands and trunks are easily managed using either Fabric OS CLI commands or Web Tools You can enable and disable trunking and set trunk port speeds for example 2 Gig sec 4 Gig sec or autone...

Page 334: ...hen the ISL Trunking license is activated after you have entered the switchDisable and switchEnable commands trunking is automatically implemented for any eligible ISLs A license must be activated on each switch that participates in trunking To use ISL Trunking in the fabric the fabric must be designed to allow trunking groups to form To identify the most useful trunking groups evaluate the traffi...

Page 335: ...where additional ports are available or paths are particularly critical This helps to protect against oversubscription of trunking groups multiple ISL failures in the same group and the rare occurrence of an ASIC failure To provide the highest level of reliability deploy trunking groups in redundant fabrics to further ensure ISL failures do not disrupt business operations Initializing trunking on ...

Page 336: ...and log in as admin 2 Enter the following command where interval is the number of seconds between each data gathering sample the default is one sample every second 3 Record the traffic flow for each port participating in an ISL 4 Repeat step 1 through step 3 for each switch in the fabric until all ISL traffic flow is captured In a large fabric it might be necessary to only identify and capture the...

Page 337: ...r disable ISL Trunking for all of the ports on a switch 1 Connect to the switch and log in as admin 2 Enter the switchCfgTrunk command The format is Mode 1 enables and mode 0 disables ISL Trunking for all ports on the switch The following example enables trunking all ports in the switch portcfgtrunkport slotnumber portnumber mode slotnumber Specifies the number of the slot in which the port blade ...

Page 338: ...n slot 2 to autonegotiate portcfgspeed slotnumber portnumber speed_level slotnumber For bladed systems only specify the slot number of the port to be configured followed by a slash This operand is only required for switches with slots such as the SAN Director 2 128 and 4 256 SAN Director portnumber Specifies the port number relative to its slot for bladed systems speedlevel Specifies the speed of ...

Page 339: ...remote port number WWNs of the remote switches Deskew values the time difference in nanoseconds divided by 10 for traffic to travel over each ISL as compared to the shortest ISL in the group The system automatically sets the minimum deskew value of the shortest ISL to 15 Master ports To display trunking information 1 Connect to the switch and log in as admin 2 Enter the trunkShow command switchcfg...

Page 340: ... ASICs is summarized in Table 79 switch admin trunkshow 1 1 1 10 00 00 60 69 04 10 83 deskew 16 Master 0 0 10 00 00 60 69 04 10 83 deskew 15 2 4 4 10 00 00 60 69 04 01 94 deskew 16 Master 5 5 10 00 00 60 69 04 01 94 deskew 15 7 7 10 00 00 60 69 04 01 94 deskew 17 6 6 10 00 00 60 69 04 01 94 deskew 16 3 14 14 10 00 00 60 69 04 10 83 deskew 16 Master 15 15 10 00 00 60 69 04 10 83 deskew 15 switch ad...

Page 341: ...tion or overcommitment of buffers to ports configured for extended trunking the switches at both ends of the trunk try to disable some ports so that others can operate using the available buffers Standard trunks are not affected by buffer allocation This issue of buffer underallocation does not apply to the SAN Switch 4 32 and 4 256 SAN Director models A port disabled at one end because of buffer ...

Page 342: ...fer limited port or buffer limited switch Reconfiguring a port to LD from another mode can result in the port being disabled for lack of buffers this does not apply to the SAN Switch 4 32 and 4 256 SAN Director using FC4 16 and FC4 32 port blades If this happens In Fabric OS v4 2 x reconfigure the disabled LD port back to the original mode In Fabric OS v4 4 0 and later specify a slightly shorter d...

Page 343: ...he affected switches should a zoning operation be attempted from a remote switch in the fabric On the affected switches an error message indicates that the Zoning license is missing You can use zones to logically consolidate equipment for efficiency or to facilitate time sensitive functions for example use zoning to create a temporary zone to back up nonmember devices Any zone object connected to ...

Page 344: ...e 81 Table 81 Approaches to fabric based Zoning Zoning approach Description Single HBA Zoning by single HBA most closely re creates the original SCSI bus Each zone created has only one HBA initiator in the zone each of the target devices is added to the zone Typically a zone is created for the HBA and the disk storage ports are added If the HBA also accesses tape devices a second zone is created w...

Page 345: ...rsome data entry and allows an intuitive naming structure such as using NT_Hosts to define all NT hosts in the fabric Operating system Zoning by operating system has issues similar to Zoning by application In a large site this type of zone can become very large and complex When zone changes are made they typically involve applications rather than a particular server type If members of different op...

Page 346: ...e might be differences between the saved configuration and the defined configuration if the system administrator has modified any of the zone definitions and has not saved the configuration Disabled Configuration The effective configuration is removed from flash memory On power up the switch automatically reloads the saved configuration If a configuration was active when it was saved the same conf...

Page 347: ...orced Zoning prevents hosts from discovering unauthorized target devices while hardware enforced Zoning prevents a host from accessing a device it is not authorized to access Software enforced Zoning Is also called soft Zoning Name Server Zoning fabric based Zoning session based Zoning or hardware assisted Zoning Is available on 1 Gbit sec 2 Gbit sec and 4 Gbit sec platforms Prevents hosts from di...

Page 348: ...y a zone member by its WWN HP StorageWorks 2 8 EL HP StorageWorks MSA SAN Switch 2 8 HP StorageWorks 2 16 EL HP StorageWorks 2 16 4 16 SAN Switch and 4 8 SAN Switch SAN Switch 4 32 4 64 SAN Switch 400 MP Router SAN Director 2 128 and 4 256 SAN Director models Enable hardware enforced Zoning on domain port zones and WWN zones Overlap of similar zone types does not result in the loss of hardware enf...

Page 349: ...abric with four non overlapping hardware enforced zones Figure 23 Hardware enforced non overlapping Zones Figure 24 shows the same fabric components zoned in an overlapping fashion Port_Zone1 Port_Zone2 Core Switch Zone Boundaries WWN_Zone1 WWN_Zone2 22 2b 13 2 ...

Page 350: ...s rejected 2 Gbit sec switches always deploy the hardware assist in any zone configuration see Figure 25 and Figure 26 Figure 25 Zoning with hardware assist mixed port and WWN zones Figure 26 Session based hard Zoning In Figure 26 only the ports that are overlapped are software enforced with hardware assist Port_Zone1 Core Switch Zone Boundaries WWN_Zone1 Port_Zone2 WWN_Zone2 22 3b 13 3 Port_WWN Z...

Page 351: ...when the resulting behavior is predictable and acceptable Changing HBA drivers can rectify the situation Final verification After changing or enabling a zone configuration confirm that the nodes and storage can identify and access one another Depending on the platform you might need to reboot one or more nodes in the fabric with the new changes The zone configuration is managed on a fabric basis Z...

Page 352: ...n cfgsave You are about to save the Defined Zoning configuration This action will only save the changes on the Defined configuration Any changes made on the Effective configuration will not take effect until it is re enabled Do you want to save Defined Zoning configuration only yes y no n no y switch admin aliadd array1 1 2 switch admin aliadd array2 21 00 00 20 37 0c 72 51 switch admin aliadd loo...

Page 353: ...hat you use RCS to secure a reliable propagation of the latest zone configuration If you use non RCS mode you must log in to every switch to monitor the status of the zone configuration To create a zone 1 Connect to the switch and log in as admin 2 Enter the zoneCreate command 3 Enter the cfgSave command to save the change to the defined configuration switch admin alidelete array1 switch admin cfg...

Page 354: ...6 23 switch admin cfgsave You are about to save the Defined Zoning configuration This action will only save the changes on the Defined configuration Any changes made on the Effective configuration will not take effect until it is re enabled Do you want to save Defined Zoning configuration only yes y no n no y switch admin zoneremove greenzone 1 2 switch admin zoneremove redzone 21 00 00 20 37 0c 7...

Page 355: ...model To activate a default zone 1 Connect to the switch and log in as admin 2 Enter the cfgActvShow command to view the current zone configuration 3 If no zone configuration transactions are in progress then enter the defZone noaccess command which prevents all Nx_Ports from communicating with each other 4 Enter either the cfgSave cfgEnable or cfgDisable command to commit the change and distribut...

Page 356: ... to know the zone database size limit of adjacent switches The following tables provide the expected behavior based on different database sizes after a zone merge is specified 3 x 128 3 1 x 96 3 2 x 256 4 x 4 1 x 4 2 x 128 4 4 x 256 5 0 1 256 5 0 x 256 5 1 x 256 5 2 x 1024 Table 83 Zoning database limitations continued Fabric OS version Maximum database size KB Table 84 Resulting database size 0 t...

Page 357: ...abric OS 4 3 4 4 0 Fabric OS 5 0 0 5 0 1 5 1 x Fibre Channel Router XPath 7 3 Fabric OS 2 6 3 1 Segment Segment Segment Segment Segment Segment Join Segment Fabric OS 3 2 Segment Segment Join Segment Join Join Join Segment Fabric OS 4 0 4 1 4 2 Segment Segment Segment Segment Segment Segment Segment Segment Fabric OS 4 3 4 4 0 Segment Segment Join Segment Join Join Join Segment Fabric OS 5 0 0 5 0...

Page 358: ...cfgSize command to determine the remaining space For important considerations for managing Zoning in a fabric and more details about the maximum zone database size for each version of the Fabric OS refer to Maintaining zone objects on page 361 To create a Zoning configuration 1 Connect to the switch and log in as admin 2 Enter the cfgCreate command 3 Enter the cfgSave command to save the change to...

Page 359: ...ation that has not yet been saved is displayed If there are no outstanding transactions then the committed zone configuration displays 1 Connect to the switch and log in as admin switch admin cfgadd newcfg bluezone switch admin cfgsave You are about to save the Defined Zoning configuration This action will only save the changes on the Defined configuration Any changes made on the Effective configu...

Page 360: ... zone Red_zone 1 0 loop1 alias array1 21 00 00 20 37 0c 76 8c 21 00 00 20 37 0c 71 02 alias array2 21 00 00 20 37 0c 76 22 21 00 00 20 37 0c 76 28 alias loop1 21 00 00 20 37 0c 76 85 21 00 00 20 37 0c 71 df Effective configuration cfg USA_cfg zone Blue_zone 1 1 21 00 00 20 37 0c 76 8c 21 00 00 20 37 0c 71 02 1 2 21 00 00 20 37 0c 76 22 21 00 00 20 37 0c 76 28 zone Red_zone 1 0 21 00 00 20 37 0c 76...

Page 361: ...o copy For example to display all zone configuration objects that start with Test 3 Enter the zoneObjectCopy command specifying the zone configuration objects you want to copy along with the new object name Note that zone configuration names are case sensitive blank spaces are ignored 4 Enter the cfgShow command to verify the new zone object is present 5 If you want the change preserved when the s...

Page 362: ...te that zone configuration names are case sensitive blank spaces are ignored switch admin cfgShow Defined configuration cfg USA_cfg Red_zone White_zone Blue_zone zone Blue_zone 1 1 array1 1 2 array2 zone Red_zone 1 0 loop1 zone White_zone 1 3 1 4 alias array1 21 00 00 20 37 0c 76 8c 21 00 00 20 37 0c 71 02 alias array2 21 00 00 20 37 0c 76 22 21 00 00 20 37 0c 76 28 alias loop1 21 00 00 20 37 0c 7...

Page 363: ... Zoning use the cfgClear and cfgSave commands or use cfgClear and cfgDisable if there is an effective configuration before connecting it to the zoned fabric Adding a new fabric that has no zone configuration information to an existing fabric is very similar to adding a new switch All switches in the new fabric inherit the Zoning configuration data If a zone configuration is in effect then the same...

Page 364: ...ve the same names defined in the configuration make sure zoneset members are listed in the same order Local and adjacent configurations If the local and adjacent zone database configurations are the same they will remain unchanged after the merge Effective configurations If there is an effective configuration between two switches the zone configuration in effect match Zone object naming If a Zonin...

Page 365: ...rge does not occur Instead a Zoning database is downloaded from the primary FCS switch of the merged secure fabric When E_Ports are active between two switches the name of the FCS server and a Zoning policy set version identifier are exchanged between the switches If the views of the two secure fabrics are the same the fabric s primary FCS server downloads the Zoning database and security policy s...

Page 366: ... Fabric Assist A switch running Fabric OS v4 1 0 or later cannot have a Fabric Assist host directly connected to it However such a switch can be part of a Fabric Assist zone if a Fabric Assist host is connected to a compatible switch in the fabric Testing Testing a new zone configuration Before implementing a zone the user should run the Zone Analyzer from Web Tools to isolate any possible problem...

Page 367: ... connect one central office to different branch offices without having to merge the fabrics The port types for FCIP tunneling are either VE_Port or VEX_Port An FCIP tunnel using VE_Ports will merge the two fabrics and an FCIP tunnel using a VEX_Port will not merge the fabrics A VEX_Port can only connect to a VE_Port Fibre Channel frame encapsulation on one port and the reconstruction of Fibre Chan...

Page 368: ...r blade These ports support the FCIP feature with link speeds up to 1 Gbit sec Each GbE port ge0 ge1 supports up to eight FCIP tunnels for a total of sixteen virtual ports that can be configured as either VE_Ports or VEX_Ports NOTE The ports on the 400 MP Router and B Series MP Router blade are initially persistently disabled Refer to Enable the persistently disabled ports page 371 for information...

Page 369: ...E_Ports connected over the IP WAN network joins the office and data center SANs into a single larger SAN Figure 27 Network using FCIP Port numbering Port numbering differs on individual hardware platforms The following sections detail the differences Port numbering on the B Series MP Router blade page 370 Port Numbering on the 400 MP Router page 371 Fibre Channel initiator Fibre Channel initiator ...

Page 370: ...cal Fibre Channel ports on physical GbE port ge1 refer to Figure 28 Figure 28 B Series MP Router Blade port numbering You manage the B Series MP Router blade as if it has thirty two Fibre Channel ports sixteen standard Fibre Channel ports and sixteen virtual Fibre Channel Ports Specify port addresses using the slot and port numbers For example to disable VE_Port 18 on slot 1 the syntax is portDisa...

Page 371: ...rectional approximately 90MB sec Used to provide greater security in tunneling on an FR4 18i blade or a 400 MP Router the IPSec feature does not require you to configure separate security for each application that uses TCP IP When configuring for IPSec however you must ensure that there is an FR4 18i blade or a 400 MP Router 7500 in each end of the FCIP tunnel IPSec works on FCIP tunnels with or w...

Page 372: ...ecure channel for negotiation of phase 2 IPSec SAs IKE negotiates SA parameters setting up matching SAs in the peers Some of the negotiated SA parameters include encryption and authentication algorithms Diffie Hellman group and SA lifetimes Data is transferred between IPSec peers based on the IPSec parameters and keys stored in the SA database IPSec tunnel termination SA lifetimes terminate throug...

Page 373: ...g policies the following parameters are fixed and cannot be modified The following parameters can be modified Figure 30 Fixed policy parameters Parameter Fixed Value IKE negotiation protocol Main mode ESP Tunnel mode IKE negotiation authentication method Preshared key 3DES encryption Key length of 168 bits AES encryption Key length of 128 or 256 Figure 31 Policy parameters Parameter Description En...

Page 374: ...rithm Valid options are SHA 1 MD5 and AES XCBC IPSec only HA 1 is the default DH_Group The Diffie Hellman group Supported groups are Group 1 and Group 14 Group 1 is the default secs The security association lifetime in seconds 28800 is the default The following example shows how to create IKE policy number 10 using 3DES encryption MD5 authentication and Diffie Hellman Goup 1 For a complete descrip...

Page 375: ... delete type number where type is the policy type and number is the number assigned For example to delete the IPSec policy number 10 switch admin06 policy show ike all IKE Policy 1 Authentication Algorithm MD5 Encryption UNKNOWN Perfect Forward Secrecy off Diffie Hellman Group 1 SA Life seconds 0 IKE Policy 32 Authentication Algorithm SHA 1 Encryption AES 128 Perfect Forward Secrecy on Diffie Hell...

Page 376: ...nformation on using the commands in this section Following are the steps for configuring an FCIP tunnel 1 Enabling persistently disabled ports on page 376 2 Defining the IP interface of each virtual port on page 377 3 Configuring the GbE ports on page 378 4 Adding IP routes on a GbE port on page 378 5 Verifying IP connectivity on page 379 6 Verifying the FCIP tunnel configuration on page 386 Befor...

Page 377: ... 17 switch admin06 portcfgpersistentenable 8 18 switch admin06 portcfgpersistentenable 8 19 switch admin06 portcfgshow Ports of Slot 8 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Speed AN AN AN AN AN AN AN AN AN AN AN AN AN AN AN AN Trunk Port ON ON ON ON ON ON ON ON ON ON ON ON ON ON ON ON Long Distance VC Link Init Locked L_Port Locked G_Port Disabled E_Port ISL R_RDY Mode RSCN Suppressed Persistent D...

Page 378: ...D d domainid Specify 1 to 239 for the preferred domain ID p pidformat Specify 1 for core 2 for extended edge and 3 for native port ID format t fabric_parameter Specify 1 to enable or 2 to disable negotiate fabric parameters For example to configure a port as a VEX_Port for slot number 8 in port number 18 enable the admin with fabric ID 2 and preferred domain ID 220 Adding IP routes on a GbE port A...

Page 379: ...that the two routes have been successfully created switch admin06 portcfg iproute 8 ge0 create 192 168 11 0 255 255 255 0 192 168 100 1 1 switch admin06 portcfg iproute 8 ge0 create 192 168 12 0 255 255 255 0 192 168 100 1 1 switch admin06 portshow iproute 8 ge0 Slot 8 Port ge0 IP Address Mask Gateway Metric Flags 192 168 100 0 255 255 255 0 192 168 100 40 0 Interface 192 168 100 0 255 255 255 0 1...

Page 380: ...ping request This parameter is specified in milliseconds and the default value is 5000 milliseconds 5 sec The maximum allowed wait time for ping is 9000 milliseconds 9 sec z size Optional Specifies the size in bytes of the ping packet to use The default size is 64 bytes The total size including ICMP IP headers 28 bytes without IP options cannot be greater than IP MTU configured on the interface Fo...

Page 381: ...nal parameters such as c f or t when you create FCIP tunnels Enabling fastwrite and tape pipelining Fastwrite and tape pipelining require no parameters Both features are enabled by turning them on during the tunnel creation process They are enabled on a per FCIP tunnel basis See Configuring FCIP tunnels on page 383 for details Constraints for Fastwrite and Tape Pipelining Consider the constraints ...

Page 382: ...For example 2 ITL pairs for each IT pair as long as the target has two LUNs If a target has 32 LUNs 32 ITL pairs for IT pairs In this case only 64 IT pairs are associated with ITL pairs The rest of the IT pairs are not associated to any ITL pairs so no tape pipelining is performed for those pairs By default only fastwrite based acceleration is performed on the unassociated pairs Does not support m...

Page 383: ... paths In Figure 32 there is a single tunnel with fastwrite and tape pipelining enabled In Figure 33 there are multiple tunnels but none of them create a multiple equal cost path Figure 32 Single tunnel fastwrite and tape pipelining enabled Figure 33 Multiple tunnels to multiple ports fastwrite and tape pipelining enabled on a per tunnel per port basis Connection can be VE VE or VEX VE Connections...

Page 384: ...pported configurations The following example configurations are not supported with fastwrite and tape pipelining These configurations use multiple equal cost paths Figure 34 Unsupported configurations with fastwrite and tape pipelining VE VE or VEX VEX ...

Page 385: ... this tunnel s Disables selective acknowledgement code SACK on the specified tunnel f Enables fastwrite n remote_wwn Specifies the remote side FC entity WWN k timeout Specifies the keep alive timeout in seconds The range of valid values is 8 through 7 200 sec and the default is 10 If tape pipelining is enabled both the default and minimum values are 80 sec r retransmissions Specifies the maximum n...

Page 386: ...values is 1 through 16 If tape pipelining is enabled the number of retransmissions is calculated based on the minimum retransmit time to ensure that the tunnel does not time out before the host times out about 80 sec If you change this value the value specified must be greater than the calculated value s 0 1 SACK ON 1 SACK OFF 0 on the existing FCIP tunnel t 0 1 Enables 1 Disables 0 tape pipelinin...

Page 387: ... If IPSec has been enabled and a policy added to the configuration you will see the policy information under the status section of the output as shown below The policy information is visible only when IPSec is configured and is displayed with the information shown in the example above when the portShow command is issued After FCIP tunnels are created the configuration is saved in a persistent data...

Page 388: ...AN001 switchBeacon OFF blade3 Beacon OFF blade4 Beacon OFF blade8 Beacon OFF FC Router ON FC Router BB Fabric ID 1 Area Slot Port Media Speed State 32 3 0 id N4 Online F Port 50 03 0d 30 0d 13 00 09 33 3 1 id N4 Online F Port 50 03 0d 30 0d 13 00 11 34 3 2 id N4 Online F Port 50 03 0d 30 0d 13 00 13 35 3 3 id N4 Online F Port 50 03 0d 30 0d 13 00 15 36 3 4 id N2 Online F Port 21 00 00 e0 8b 08 bd ...

Page 389: ...bric will use VEX_Ports for a single tunnel If an FCIP tunnel fails with the Disabled Fabric ID Oversubscribed message the solution is to reconfigure the VEX_Port to the same Fabric ID as all of the other ports connecting to the edge fabric WAN performance analysis tools Introduced in Fabric OS 5 2 0 WAN analysis tools are designed to estimate the end to end IP path performance characteristics bet...

Page 390: ...e active tunnel will compete for the same network bandwidth as the ipPerf session Unless you have a method to quiesce all storage traffic over the FCIP tunnel during ipPerf testing you might experience undesirable interactions FCIP port bandwidth Allocation of the FCIP GbE port bandwidth behaves exactly the same for ipPerf as for FCIP tunnels If bandwidth is allocated for FCIP tunnels the ipPerf s...

Page 391: ...oth the host source mode S option and receiver sink mode R option See WAN Tool IpPerf syntax on page 391for more information about specifying source and sink mode Figure 35 WAN Tool performance characteristics Characteristic Description Bandwidth Indicates the total packets and bytes sent Bytes second estimate are maintained as a weighted average with a 30 second sampling frequency and also as an ...

Page 392: ...observed in the last display interval using the following units MBps megabytes per second Mbps megabits per second KBps kilobytes per second Kbps kilobits per second Bps bytes per second bps bits per second Third column The 30s weighted bandwidth WAN Tool IpPerf syntax When using the portCmd ipPerf option you must specify the following Source IP address If the ipPerf is started with S source mode ...

Page 393: ...layer If a size is not specified the maximum size data buffer will be used based on the outgoing IP interface MTU The size is the only buffer size that will be handed over to the TCP layer t time Total time in seconds to run the test traffic stream If a time is not specified the test will run continuously until the command is explicitly aborted ctrl C The maximum allowed size is 1MSS If you plan t...

Page 394: ...Bps lifetime avg 2013762456 compressed Bytes 33208083 Bps 30s avg 4760667 Bps lifetime avg 7 35 compression ratio FC control traffic TCP connection Local 192 175 4 100 4139 Remote 192 175 4 200 3225 Performance stats 849 output packets 0 pkt s 30s avg 2 pkt s lifetime avg 173404 output Bytes 39 Bps 30s avg 409 Bps lifetime avg 0 packets lost retransmits 0 00 loss rate 30s avg 806 input packets 0 p...

Page 395: ...old 1875000 Bytes operational mode slow start 2 packets queued TCP sequence MIN 2950582519 MAX 2950582655 NXT 2950582655 2 packets in flight Send Unacknowledged TCP sequence 2950582519 recovery retransmit timeout 500 ms duplicate ACKs 0 retransmits 0 max retransmits 8 loss recovery fast retransmits 0 retransmit timeouts 0 Receiver stats advertised window 1874944 Bytes max 1874944 negotiated window...

Page 396: ...0 00 00 05 1e 37 00 20 Compression off Fastwrite on Tape Pipelining on Uncommitted bandwidth minimum of 1000 Kbps 0 001000 Gbps SACK on Min Retransmit Time 100 Keepalive Timeout 80 Max Retransmissions 9 Status Active Uptime 1 day 23 hours 24 minutes 46 seconds IKE Policy 7 Authentication Algorithm MD5 Encryption 3DES Perfect Forward Secrecy off Diffie Hellman Group 1 SA Life seconds 200000 IPSec P...

Page 397: ...ry few device drivers still behave this way Many current device drivers enable you to select static PID binding as well as WWN binding You should only select static binding if there is a compelling reason and only after you have evaluated the impact of doing so Summary of PID formats Switches running Fabric OS 5 1 x employ these types of PID formats VC encoded This is the format defined by the 100...

Page 398: ...ments the hosts and target HBAs in a SAN need to know the full 24 bit PIDs of the hosts and targets they are communicating with but they do not care how the PIDs are determined But if a storage device PID is changed the host must reestablish a new binding which requires the host to be rebooted With the introduction of the 4 16 SAN Switch and 4 8 SAN Switch SAN Switch 2 8V SAN Switch 2 16V SAN Swit...

Page 399: ...of Fabric OS in use for example Extended Edge PID format is only available in Fabric OS v2 6 2 and later Fabric OS v3 1 2 and later and Fabric OS v4 2 0 and later If you are building a new fabric with switches running various Fabric OS versions use Core PID format to simplify port to area_ID mapping NOTE Switches that are queried using outside calls should be configured using PID 1 core PID to ens...

Page 400: ...e bound statically and it is not possible to reboot convert existing fabric to Extended Edge PID format upgrading the version of Fabric OS if necessary Use Extended Edge PID format for new switch Host reboot is not required v4 2 0 and later 1 Convert existing fabric to Core PID format upgrading the version of Fabric OS if necessary Set Core PID format for new switch Host reboot is required 2 If de...

Page 401: ...ers do not automatically bind by PID but allow the operator to manually create a PID binding For example persistent binding of PIDs to logical drives might be done in many HBA drivers Make a list of all devices that are configured this way If manual PID binding is in use consider changing to WWN binding The following are some of the device types that might be manually configured to bind by PID HBA...

Page 402: ...all devices attached to the fabric be offline With careful planning it should be safe to update the core PID format parameter in a live production environment This requires dual fabrics with multipathing software Avoid running backups during the update process as tape drives tend to be very sensitive to I O interruption The online update process is only intended for use only in uptime critical dua...

Page 403: ...propriate to the SAN This usually involves starting up the storage arrays first and the hosts last 9 For any devices manually bound by PID bring the device back online but do not start applications Update their bindings and reboot again if necessary This might involve changing them to the new PIDs or might preferably involve changing to WWN binding 10 For any devices automatically bound by PID reb...

Page 404: ... uses the same PID mapping for the first 16 ports and can support switches and Directors with higher port counts However because Extended Edge format only supports 128 ports per domain its use can lead to port addressing issues in Directors Use the following procedure only if your fabric contains devices that are bound statically and you cannot reboot the host PID format name Management interface ...

Page 405: ...d Edge PID Format 2 on each switch See Figure 18 for a sample configure command on a switch running Fabric OS v3 1 2 and later and see Figure 18 for a sample configure command on a switch running Fabric OS 4 2 0 and later b Run the switchEnable command all switches c Verify that all the switches form a fabric d Use the switchShow command to verify the interswitch links ISLs are correct and the dev...

Page 406: ...D Format configure Configure Fabric parameters yes y no n no y Domain 1 239 11 R_A_TOV 4000 120000 10000 E_D_TOV 1000 5000 2000 WAN_TOV 0 30000 0 MAX_HOPS 7 19 7 Data field size 256 2112 2112 Sequence Level Switching 0 1 0 Disable Device Probing 0 1 0 Suppress Class F Traffic 0 1 0 Switch PID Format 1 2 1 2 Per frame Route Priority 0 1 0 Long Distance Fabric 0 1 0 BB credit 1 27 16 Insistent Domai...

Page 407: ...swap operation when you enable Extended Edge also known as displaced PID PID on the Director If you are using Extended Edge PID format for example the 4 256 SAN Director with configuration option 5 and would like to map the output of the port number to the area ID use the following formula for ports 0 127 where aarea pport number modulus or remainder a p 16 128 0 p 128 ...

Page 408: ...he PID format When the port number is greater than or equal to 128 the area ID and port number are the same Figure 29 shows a 4 256 SAN Director with Extended Edge PID Figure 29 4 256 SAN Director with Extended Edge PID ...

Page 409: ...ed in a stand alone manner on a non production fabric or a switch that has not yet joined a fabric 1 Ensure that all switches in the fabric are running Fabric OS versions that support the addressing mode It is recommended that you use v2 6 2 for 1 GB switches v3 1 2 for 2 8EL and 2 16 SAN switches v4 2 0 for HP StorageWorks Core Switch 2 64 and SAN Director 2 128 Directors as well as SAN Switch 2 ...

Page 410: ...g umount The proper usage would be umount mount_point For example umount mnt jbod 4 If you are using multipathing software use that software to remove one fabric s devices from its configuration 5 Deactivate the appropriate volume groups using vgchange The proper usage would be vgchange a n path_to_volume_group For example vgchange a n dev jbod 6 Make a backup copy of the volume group Directory us...

Page 411: ...the core switches first then the edges AIX procedure This procedure is not intended to be comprehensive It provides a starting point from which a SAN administrator can develop a site specific procedure for a device that binds automatically by PID and cannot be rebooted due to uptime requirements 1 Backup all data Verify backups 2 If you are not using multipathing software stop all I O going to all...

Page 412: ...ou are using multipathing software re enable the affected path 16 Repeat for all fabrics Swapping port area IDs If a device that uses port binding is connected to a port that fails you can use port swapping to make another physical port use the same PID as the failed port The device can then be plugged into the new port without the need to reboot the device Use the following procedure to swap the ...

Page 413: ...inistrator guide 397 5 Verify that the port area IDs have been swapped portswapshow A table is shows the physical port numbers and the logical area IDs for any swapped ports 6 Disable the port swap feature portswapdisable ...

Page 414: ...398 Configuring the PID format ...

Page 415: ...compatible is required For more infoirmation on supported switches and firmware versions access the HP StorageWorks Fabric Interoperability Merging Fabrics Based on M Series and B Series Fibre Channel Switches application notes http www hp com country us eng prodserv storage html Important variables that determine the supportability of a particular mixed vendor SAN include the number of switches v...

Page 416: ... Fabric Assist Remote Switch Extended Fabrics Trunking Alias Server Platform Service Virtual Channels FCIP Configuration recommendations The following is recommended when configuring an interoperable fabric Avoid domain ID conflicts before fabric reconfiguration Every switch in the fabric must have a unique domain ID When you are configuring multiple switches you should wait for a fabric reconfigu...

Page 417: ...rt 5 When a zoning configuration is not in effect by default all ports are isolated and traffic is not permitted This is unlike HP StorageWorks switch behavior where Interoperability mode is off and all data traffic is enabled If using default zoning no device can communicate with any other device in the fabric if zoning has been disabled on an HP StorageWorks switch Refer to the section Activatin...

Page 418: ...ty mode on the fabric refer to Configuration recommendations and Configuration restrictions on page 400 2 Connect to the switch and log in as admin 3 Enter the switchDisable command to disable the switch 4 Use the configure command to set the domain ID to a number in the range from 97 to 126 For detailed instructions refer to Working with domain IDs on page 37 5 Enter the interopmode 1 command to ...

Page 419: ... removing each switch 6 Each non HP StorageWorks switch might require the execution of a similar command to disable interoperability 7 Repeat this procedure on all HP StorageWorks switches in the fabric switch admin switchdisable switch admin interopmode 0 The switch effective configuration will be lost when the operating mode is changed do you want to continue yes y no n no y done Interopmode is ...

Page 420: ...404 Configuring interoperability mode ...

Page 421: ...ch 2 32 SAN Switch 4 32 SAN Director 2 128 Default account names root factory admin user root factory admin user root factory admin user Account name changing feature No No regardless of security mode N A Maximum and minimum amount of characters for a password 0 8 Standard UNIX 8 40 characters with printable ASCII 8 40 characters with printable ASCII Note The minimum password length for 5 1 x is c...

Page 422: ...er does not require old password For example users connect as admin old admin password is required to change the admin password But old user password is not required to change the user password Can passwd change higher level passwords For example can admin change root password Yes but will ask for the old password of the higher level account example root Yes if users connect as admin they can chan...

Page 423: ...t password will be prompted for change The accounts with non default password will NOT be prompted Is a user forced to answer password prompts before getting access to the firmware No users can type in Ctrl c to get out of password prompting No users can type in Ctrl c to get out of password prompting Do users need to know the old root password when answering prompting Yes in v4 0 0 No in v4 0 2 o...

Page 424: ...same permissions as the user role Downgrades to v5 0 1 preserve all existing default accounts MUA accounts and passwords When downgrading to an older firmware at subsequent times which passwords will be used Downgrades to v4 4 0 preserve all existing default accounts MUA accounts and passwords MUA accounts with the switchAdmin role have the same permissions as the user role Downgrades to v5 0 1 pr...

Page 425: ...covery string Refer to Setting the Boot PROM Password on page 1 12 for instructions on setting the password with a recovery string How do I recover a user admin or factory password Refer to Recovering Forgotten Passwords on page 1 16 Table 97 Password recovery options continued Topic v4 0 0 v4 1 0 and later ...

Page 426: ...410 Understanding legacy password behaviour ...

Page 427: ...orts all fabric services including distributed name service registered state change notification and alias service Distributed management Management tools such as Advanced Web Tools Fabric OS and SNMP are available from both the local switch and the remote switch Switch management is routed through the Fibre Channel connection thus no additional network connection is required between sites Support...

Page 428: ...e Fabric Parameters without changing their values until you reach the parameter you want to modify 6 Specify a new parameter value that is compatible with your gateway device 7 Press Enter to scroll through the remainder of the configuration parameters Make sure that the configuration changes are committed to the switch 8 Repeat for all switches in the fabrics to be connected through a gateway dev...

Page 429: ... defined configuration Switch B with a defined configuration defined none effective none defined cfg1 zone1 ali1 ali2 effective none Switch A will absorb the configuration from the fabric Switch A does not have a defined configuration Switch B with a defined configuration defined none effective none defined cfg1 zone1 ali1 ali2 effective cfg1 Switch A will absorb the configuration from the fabric ...

Page 430: ...defined cfg1 zone1 ali1 ali2 effective irrelevant defined cfg1 zone2 ali1 ali2 effective irrelevant Fabric segments due to Zone Conflict content mismatch Same content different alias name defined cfg1 ali1 A B effective irrelevant defined cfg1 ali2 A B effective irrelevant Fabric segments due to Zone Conflict content mismatch Same name different types effective zone1 MARKETING effective cfg1 MARKE...

Page 431: ...26 adding a new switch or fabric 357 Admin Domain members 136 alias members 346 and removing FICON CUP licenses 247 custom filter based monitors 312 end to end monitors 308 filter based monitors 311 members to a zone configuration 352 port mirror connection 299 RADIUS configuration 71 standard filter based monitors 311 switches to a zone 357 zone members 348 ADList 65 Admin Domain configuration di...

Page 432: ...d 231 changes to configuration data 376 changing an account password 60 RADIUS configuration 72 RADIUS servers 72 SNMP MIB trap values 96 SNMP values 94 switch names 36 to core PID format 381 to extended edge PID format 382 CHAP account policies 68 enabling 68 chassis name 37 chassisshow command 43 checking connected switches 148 status 43 choosing a CA 84 an extended ISL mode 320 clearing FICON m...

Page 433: ...ey 84 RADIUS 69 RADIUS server 66 RADIUS changing 72 root certicates 87 secure file copy 97 security features 79 99 security levels 90 server database 258 SNMP 89 SNMP traps 89 SSH client 81 SSL 83 SSL protocol 83 switch 70 237 switch for RADIUS 70 switch FICON environment 237 switch RADIUS client 68 switch single 238 syslogd 270 telnet interface 81 Windows RADIUS client 68 zone rules for 345 conne...

Page 434: ...ing 333 device connecting 41 devices connecting 41 devices proxy 196 198 DH CHAP 203 DHCHAP 203 DH CHAP secret 204 disabled zone configuration 340 disabling 40 port 40 RADIUS configuration 72 switch 40 disabling and enabling a port 40 disabling and enabling a switch 37 disabling and enabling cards 178 disabling interoperability mode 396 displaying CRC error count 307 end to end mask 310 node ident...

Page 435: ...fcrXlateConfig command 215 fddCfg 202 fddCfg command 202 feature licenses 33 Fibre Channel NAT 200 Fibre Channel over IP 203 361 Fibre Channel routing 193 FICON 296 FICON environment cascaded configuration 235 changing domain id 37 configuration settings 237 disabling IDID mode 236 displaying link incidents 236 registered listeners for link incidents 240 enabling IDID mode 236 high integrity fabri...

Page 436: ... 83 interopMode command 201 interswitch link 41 IP switch address 36 ipAddrSet 27 IP NAT 200 ISL 41 maximums 41 ISL extended configuring 324 J Java support SSL 83 Java version 83 L legacy FCR switches 221 license key activating 34 licenseadd command 34 licensed features 33 licenseremove command 35 licenses remove feature 35 licenseshow command 34 link incidents displaying in a FICON environment 23...

Page 437: ...formation 399 password migration during firmware changes 402 password policies 59 password prompting behaviors 401 password recovery options 402 password strength policy 60 passwords recovering forgotten passwords 77 perfaddeemonitor command 308 perfaddIPmonitor command 311 perfaddusermonitor command 312 perfcfgrestore command 318 perfcfgsave command 318 perfdeleemonitor command 310 perfdelfilterm...

Page 438: ...ss 294 recording configuration information 249 recovering accounts 58 recovering forgotten passwords 77 recovery password 75 recovery string 73 recovery string boot PROM password 73 registered listeners 240 related documentation 16 remote access policies 69 remote switch 405 remove feature 35 removing Admin Domain members 136 end to end monitors 310 filter based monitors 313 licensed feature 35 re...

Page 439: ...ng the IP address 27 29 setting the security level 90 setting the switch date and time 29 setting up automatic trace dump transfers 272 setting up RADIUS AAA service 65 settings changing passwords 25 CHAP local security 68 date and time 29 PROM password 73 74 75 75 security level 90 SNMP 94 SNMP default values 95 setup summary 242 SID 296 SLAP 203 slotShow command 201 slotshow command 43 SNMP 89 9...

Page 440: ...mperature status of 268 text symbols 16 time 29 time and date 29 time zones 29 32 tools cli overview 20 tracking and controlling switch changes 44 traffic patterns planning for 329 traps MIB 89 SNMP 89 SNMP MIB traps 96 troubleshooting 248 certicates 88 corrupt certificate 88 invalid certificate 88 port mirroring 295 troubleshooting certificates 88 troubleshooting the migration 161 troubleshooting...

Page 441: ...upport overview 20 WebTools AP Edition 213 Windows RADIUS configuring 68 working with domain IDs 37 WWN 36 X xlate domains 195 Z zone adding members 348 adding switches 357 configuring rules 345 creating 347 creating a configuration 352 deleting 348 deleting a configuration 353 removing members 348 viewing 348 viewing configurations 354 zone aliases 340 zone configuration adding members 352 removi...

Page 442: ...426 ...

Page 443: ...Pending Zone Set list in SAN Pilot and EFCM zone screens 228 15 Adding a zone set name in SAN Pilot 229 16 Cascaded configuration two switches 239 17 Cascaded configuration three switches 239 18 Setting end to end monitors on a port 308 19 Proper placement of end to end performance monitors 309 20 Mask positions for end to end monitors 310 21 Distribution of traffic over ISL Trunking groups 327 22...

Page 444: ......

Page 445: ... Databases Starting in Fabric OS 5 2 x 106 ACL policy database distribution behavior 108 Fabric wide consistency policy settings 109 Merging fabrics with matching fabric wide consistency policies 110 Examples of strict fabric merges 111 Fabric merges with tolerant absent combinations 112 CLI Commands to display switch configuration information 115 Backup and restore in a FICON CUP environment 118 ...

Page 446: ... Director 2 128 and 4 256 SAN Director 322 SAN Switch 4 32 322 4 64 SAN Switch 323 400 MP Router 323 4 256 SAN Director FC4 16 blades 323 4 256 SAN Director FC4 32 blades 324 4 256 SAN Director B Series MP Router blades 324 Trunking support for Bloom ASICs 334 Trunking support for SAN Switch 4 32 and 4 64 SAN Switch Condor ASIC 334 Types of Zoning 338 Approaches to fabric based Zoning 339 Enforcin...

Page 447: ......

Search results

Summary of Contents for AE370A - Brocade 4Gb SAN Switch 4/12

Reviews:

Related manuals for AE370A - Brocade 4Gb SAN Switch 4/12

Brands by name

Popular brands

HP AE370A - Brocade 4Gb SAN Switch 4/12, Administrator'S Manual

Search results

Summary of Contents for AE370A - Brocade 4Gb SAN Switch 4/12

Reviews:

Related manuals for AE370A - Brocade 4Gb SAN Switch 4/12

Brands by name

Popular brands