manualshive.com logo in svg

HP Fabric OS 7.1.0, Administrator'S Manual

Share
Download
HP Fabric OS 7.1.0 Administrator'S Manual Download Page 195

Fabric OS Administrator’s Guide

195

53-1002745-02

Chapter

7

Configuring Security Policies

In this chapter

ACL policies overview  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  195

ACL policy management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  196

FCS policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  199

Device Connection Control policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  203

SCC Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  206

Authentication policy for fabric elements  . . . . . . . . . . . . . . . . . . . . . . . . . .  207

IP Filter policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  217

Policy database distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  224

Management interface security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  231

ACL policies overview

Each supported Access Control List (ACL) policy listed below is identified by a specific name, and 
only one policy of each type can exist, except for DCC policies. Policy names are case-sensitive and 
must be entered in all uppercase. Fabric OS provides the following policies:

Fabric configuration server (FCS) policy — Used to restrict which switches can change the 
configuration of the fabric.

Device connection control (DCC) policies — Used to restrict which Fibre Channel device ports 
can connect to which Fibre Channel switch ports. 

Switch connection control (SCC) policy — Used to restrict which switches can join with a switch.

NOTE

Run all commands in this chapter by logging in to Administrative Domain (AD) 255 with the 
suggested permissions. If Administrative Domains have not been implemented, log in to AD0.

How the ACL policies are stored

The policies are stored in a local database. The database contains the ACL policy types of FCS, 
DCC, SCC, and IPFilter. The number of policies that may be defined is limited by the size of the 
database. FCS, SCC and DCC policies are all stored in the same database. 

In a fabric with Fabric OS v6.2.0 and later switches present, the limit for security policy database 
size is set to 1Mb. The policies are grouped by state and type. A policy can be in either of the 
following states:

Active, which means the policy is being enforced by the switch.

Defined, which means the policy has been set up but is not enforced.

 

Summary of Contents for Fabric OS 7.1.0

Page 1: ...53 1002745 02 25 March 2013 Fabric OS Administrator s Guide Supporting Fabric OS 7 1 0 ...

Page 2: ... this document may contain open source software covered by the GNU General Public License or other open source license agreements To find out which open source software is included in Brocade products view the licensing terms applicable to the open source software and obtain a copy of the programming source code please visit http www brocade com support oscd Brocade Communications Systems Incorpor...

Page 3: ...Firmware 255 Chapter 10 Managing Virtual Fabrics 275 Chapter 11 Administering Advanced Zoning 303 Chapter 12 Traffic Isolation Zoning 345 Chapter 13 Bottleneck Detection 375 Chapter 14 In flight Encryption and Compression 393 Chapter 15 NPIV 419 Chapter 16 Dynamic Fabric Provisioning Fabric Assigned PWWN 425 Chapter 17 Managing Administrative Domains 433 Section II Licensed Features Chapter 18 Adm...

Page 4: ...4 Fabric OS Administrator s Guide 53 1002745 02 Appendix A Port Indexing 611 Appendix B FIPS Support 615 Appendix C Hexadecimal Conversion 627 ...

Page 5: ...Platform services and Virtual Fabrics 45 Enabling platform services 45 Disabling platform services 45 Management server database 45 Displaying the management server ACL 46 Adding a member to the ACL 46 Deleting a member from the ACL 47 Viewing the contents of the management server database 48 Clearing the management server database 49 Topology discovery 49 Displaying topology discovery status 49 E...

Page 6: ...ration 68 Date and time settings 69 Setting the date and time 69 Time zone settings 69 Network time protocol 71 Domain IDs 72 Displaying the domain IDs 73 Setting the domain ID 74 Switch names 74 Customizing the switch name 74 Chassis names 75 Customizing chassis names 75 Fabric name 75 Configuring the fabric name 75 High availability considerations for fabric names 76 Upgrade and downgrade consid...

Page 7: ...Setting all ports on a switch to the same speed 92 Setting port speed for a port octet 93 Blade terminology and compatibility 93 CP blades 95 Core blades 95 Port and application blade compatibility 96 FX8 24 compatibility notes 96 Enabling and disabling blades 96 Enabling blades 97 Disabling blades 97 Blade swapping 97 How blades are swapped 98 Swapping blades 100 Enabling and disabling switches 1...

Page 8: ...sed routing 119 Exchange based routing 119 Device based routing 120 AP route policies 120 Route selection 122 Dynamic Load Sharing 122 Frame order delivery 123 Forcing in order frame delivery across topology changes 123 Restoring out of order frame delivery across topology changes 123 Using Frame Viewer to understand why frames are dropped 124 Lossless Dynamic Load Sharing on ports 125 Lossless co...

Page 9: ...t PROM password for a Backbone without a recovery string 148 Remote authentication 149 Remote Authentication Configuration 149 Setting the switch authentication mode 152 Fabric OS user accounts 152 Fabric OS users on the RADIUS server 154 Setting up a RADIUS server 156 LDAP configuration and Microsoft Active Directory 162 LDAP configuration and OpenLDAP 165 TACACS service 171 Remote authentication...

Page 10: ...mber from an ACL policy 198 Abandoning unsaved ACL policy changes 198 FCS policies 199 FCS policy restrictions 199 Ensuring fabric domains share policies 200 Creating an FCS policy 201 Modifying the order of FCS switches 201 FCS policy distribution 202 Device Connection Control policies 203 DCC policy restrictions 203 Creating a DCC policy 204 Deleting a DCC policy 205 DCC policy behavior with Fab...

Page 11: ...ity 231 Configuration examples 231 IP sec protocols 233 Security associations 233 Authentication and encryption algorithms 234 IP sec policies 234 IKE policies 235 Creating the tunnel 236 Example of an end to end transport tunnel mode 238 Chapter 8 Maintaining the Switch Configuration File Configuration settings 241 Configuration file format 242 Configuration file backup 244 Uploading a configurat...

Page 12: ...6 Public and private key management 266 The firmwareDownload command 267 Power on firmware checksum test 268 Testing and restoring firmware on switches 268 Testing a different firmware version on a switch 268 Testing and restoring firmware on Backbones 270 Testing different firmware versions on Backbones 270 Validating a firmware download 273 Chapter 10 Managing Virtual Fabrics Virtual Fabrics ove...

Page 13: ...c 298 Removing an IP address for a Virtual Fabric 298 Configuring a logical switch to use XISLs 299 Changing the context to a different logical fabric 299 Creating a logical fabric using XISLs 300 Chapter 11 Administering Advanced Zoning Zone types 303 Zoning overview 304 Approaches to zoning 305 Zone objects 306 Zone aliases 307 Zone configurations 307 Zoning enforcement 308 Considerations for zo...

Page 14: ...onfiguration 331 Abandoning zone configuration changes 331 Viewing all zone configuration information 331 Viewing selected zone configuration information 332 Viewing the configuration in the effective zone database 332 Clearing all zone configurations 333 Zone object maintenance 333 Copying a zone object 333 Deleting a zone object 334 Renaming a zone object 335 Zone configuration management 336 Se...

Page 15: ...ttleneck Detection Bottleneck detection overview 375 Types of bottlenecks 376 How bottlenecks are reported 376 Supported configurations for bottleneck detection 377 Limitations of bottleneck detection 377 High availability considerations for bottleneck detection 378 Upgrade and downgrade considerations for bottleneck detection 378 Trunking considerations for bottleneck detection 378 Virtual Fabric...

Page 16: ...yption and compression configuration 401 Port speed and encryption compression enabled ports 401 Changing port speed on encryption compression enabled ports 402 Compression ratios and encryption compression enabled ports 402 Configuring and enabling authentication 403 Configuring encryption 404 Configuring compression 404 Disabling encryption 405 Disabling compression 405 Encryption and compressio...

Page 17: ...Domains Administrative Domains overview 433 Admin Domain features 435 Requirements for Admin Domains 435 Admin Domain access levels 435 User defined Admin Domains 436 System defined Admin Domains 436 Home Admin Domains and login 438 Admin Domain member types 439 Admin Domains and switch WWNs 440 Admin Domain compatibility availability and merging 442 Admin Domain management for physical fabric adm...

Page 18: ...L 1st POD license 471 ICL 2nd POD license 471 ICL 8 link license 472 ICL 16 link license 472 Enterprise ICL license 472 8G licensing 473 Slot based licensing 474 Upgrade and downgrade considerations 474 Assigning a license to a slot 475 Removing a license from a slot 475 10G licensing 475 Enabling 10 Gbps operation on an FC port 476 Enabling the 10 GbE ports on an FX8 24 blade 477 Temporary licens...

Page 19: ...opology 495 Core edge topology 496 Chapter 20 Monitoring Fabric Performance Advanced Performance Monitoring overview 499 Types of monitors 499 Restrictions for installing monitors 500 Virtual Fabrics considerations for Advanced Performance Monitoring 500 Access Gateway considerations for Advanced Performance Monitoring 501 End to end performance monitoring 501 Maximum number of EE monitors 501 Sup...

Page 20: ...rics considerations 519 Limiting traffic from a particular device 519 Disabling Ingress Rate Limiting 519 QoS SID DID traffic prioritization 519 License requirements for SID DID prioritization 520 CS_CTL based frame prioritization 521 QoS zone based traffic prioritization 523 Trunking considerations before you install the Adaptive Networking license 523 Manually disabling QoS on trunked ports 524 ...

Page 21: ...s 540 ISL trunking over long distance fabrics 540 EX_Port trunking 541 Masterless EX_Port trunking 542 Supported configurations and platforms for EX_Port trunking 542 Configuring EX_Port trunking 542 Displaying EX_Port trunking information 542 F_Port trunking 543 F_Port trunking for Access Gateway 543 F_Port trunking for Brocade adapters 545 F_Port trunking considerations 546 F_Port trunking in Vi...

Page 22: ...66 Buffer credit recovery over an EX_Port 567 Enabling and disabling buffer credit recovery 567 Forward error correction on long distance links 568 Enabling FEC on a long distance link 568 Disabling FEC on a long distance link 568 Chapter 24 Using FC FC Routing to Connect Fabrics FC FC routing overview 569 License requirements for FC FC routing 570 Supported platforms for FC FC routing 570 Support...

Page 23: ...oadcast frame forwarding 604 Resource monitoring 604 FC FC routing and Virtual Fabrics 606 Logical switch configuration for FC routing 607 Backbone to edge routing with Virtual Fabrics 608 Upgrade and downgrade considerations for FC FC routing 609 How replacing port blades affects EX_Port configuration 609 Displaying the range of output ports connected to xlate domains609 Appendix A Port Indexing ...

Page 24: ...24 Fabric OS Administrator s Guide 53 1002745 02 ...

Page 25: ... after creating logical switches 277 Figure 19 Fabric IDs assigned to logical switches 278 Figure 20 Assigning ports to logical switches 278 Figure 21 Logical switches connected to devices and non Virtual Fabrics switch 280 Figure 22 Logical switches in a single chassis belong to separate fabrics 280 Figure 23 Logical switches connected to other logical switches through physical ISLs 282 Figure 24...

Page 26: ... AD0 and AD255 438 Figure 55 Fabric showing switch and device WWNs 441 Figure 56 Filtered fabric views showing converted switch WWNs 441 Figure 57 AD0 and two user defined Admin Domains AD1 and AD2 452 Figure 58 AD0 with three zones 452 Figure 59 Minimum configuration for 64 Gbps ICLs 492 Figure 60 DCX 4S allowed ICL connections 494 Figure 61 ICL triangular topology with Brocade DCX 8510 8 chassis...

Page 27: ...ology 577 Figure 79 EX_Port phantom switch topology 578 Figure 80 Example of setting up Speed LSAN tag 596 Figure 81 LSAN zone binding 599 Figure 82 EX_Ports in a base switch 607 Figure 83 Logical representation of EX_Ports in a base switch 608 Figure 84 Backbone to edge routing across base switch using FC router in legacy mode 609 ...

Page 28: ...28 Fabric OS Administrator s Guide 53 1002745 02 ...

Page 29: ...Table 14 Maximum number of simultaneous sessions 136 Table 15 Default local user accounts 138 Table 16 LDAP options 151 Table 17 Authentication configuration options 151 Table 18 Syntax for VSA based account roles 153 Table 19 Entries in dictionary brocade file 154 Table 20 Brocade custom TACACS attributes 172 Table 21 Secure protocol support 177 Table 22 Items needed to deploy secure protocols 17...

Page 30: ...tive configurations 339 Table 56 Zone merging scenarios Different content 340 Table 57 Zone merging scenarios Different names 340 Table 58 Zone merging scenarios TI zones 341 Table 59 Zone merging scenarios Default access mode 341 Table 60 Zone merging scenarios Mixed Fabric OS versions 342 Table 61 Traffic behavior when failover is enabled or disabled in TI zones 347 Table 62 Number of ports supp...

Page 31: ...unk ports 548 Table 82 Fibre Channel data frames 558 Table 83 Total FC ports ports per port group and unreserved buffer credits per port group 563 Table 84 Configurable distances for Extended Fabrics 564 Table 85 LSAN information stored in FC routers with and without LSAN zone binding 600 Table 86 Zeroization behavior 615 Table 87 FIPS mode restrictions 617 Table 88 FIPS and non FIPS modes of oper...

Page 32: ...32 Fabric OS Administrator s Guide 53 1002745 02 ...

Page 33: ...nced Configuration Tasks provides advanced connection and configuration procedures Chapter 4 Routing Traffic provides information and procedures for using switch routing features Chapter 5 Managing User Accounts provides information and procedures on managing authentication and user accounts for the switch management channel Chapter 6 Configuring Protocols provides procedures for basic password an...

Page 34: ...lementation on SAN switches Chapter 19 Inter chassis Links describes the two different types of ICLs between Brocade Backbones Chapter 20 Monitoring Fabric Performance provides procedures for use of the Brocade Advanced Performance Monitoring licensed feature Chapter 21 Optimizing Fabric Behavior provides procedures for use of the Brocade Adaptive Networking suite of tools including Traffic Isolat...

Page 35: ...ade DCX Brocade DCX 4S Brocade DCX 8510 Backbone family Brocade DCX 8510 4 Brocade DCX 8510 8 What s new in this document Information that was modified Added a high level Table of Contents In Switch and Backbone shutdown on page 76 changed the advice about performing graceful shutdowns from a recommendation to a must In Duplicate PWWN handling during device login on page 109 added a third option f...

Page 36: ...ocument conventions This section describes text formatting conventions and important notice formats used in this document Text formatting The narrative text formatting conventions that are used are as follows bold text Identifies command names Identifies the names of user manipulated GUI elements Identifies keywords and operands Identifies text to enter at the GUI or CLI italic text Provides empha...

Page 37: ...fety labels are also attached directly to products to warn of these conditions or situations Key terms For definitions specific to Brocade and Fibre Channel see the Brocade Glossary For definitions of SAN specific terms visit the Storage Networking Industry Association online dictionary at http www snia org education dictionary Notice to the reader This document may contain references to the trade...

Page 38: ...re Other industry resources For additional resource information visit the Technical Committee T11 website This website provides interface standards for high performance and mass storage applications for Fibre Channel storage management and other applications http www t11 org For information about the Fibre Channel industry visit the Fibre Channel Industry Association website http www fibrechannel ...

Page 39: ...e bottom of the port side of the switch Brocade 6510 and 6520 On the switch ID pull out tab located inside the chassis on the port side on the left Brocade 7800 and 8000 On the bottom of the chassis Brocade DCX 4S and DCX 8510 4 On the nonport side of the chassis on the lower left side Brocade DCX and DCX 8510 8 On the port side of the chassis on the lower right side and directly above the cable m...

Page 40: ...ss of this document However if you find an error or an omission or you think that a topic needs further development we want to hear from you Forward your feedback to documentation brocade com Provide the title and version number of the document and as much detail as possible about your comment including the topic heading and page number and your suggestions for improvement ...

Page 41: ...ng Traffic Chapter 5 Managing User Accounts Chapter 6 Configuring Protocols Chapter 7 Configuring Security Policies Chapter 8 Maintaining the Switch Configuration File Chapter 9 Installing and Maintaining Firmware Chapter 10 Managing Virtual Fabrics Chapter 11 Administering Advanced Zoning Chapter 12 Traffic Isolation Zoning Chapter 13 Bottleneck Detection Chapter 14 In flight Encryption and Compr...

Page 42: ...42 Fabric OS Administrator s Guide 53 1002745 02 ...

Page 43: ...rvices on the switch or other nodes in the fabric The fabric address is a 24 bit address 0x000000 containing three 3 byte nodes Reading from left to right the first node 0x000000 represents the domain ID the second node 0x000000 the port area number of the port where the node is attached and the third node 0x000000 the arbitrated loop physical address AL_PA if applicable Directory server The direc...

Page 44: ...gical names identifying switches can be registered with the management server The management server provides several advantages for managing a Fibre Channel fabric It is accessed by an external Fibre Channel node at the well known address FFFFFAh so an application can access information about the entire fabric management with minimal knowledge of the existing configuration It is replicated on ever...

Page 45: ...d to verify that all switches in the fabric support the MS platform service otherwise the next step fails 3 Enter the msplMgmtActivate command as in the following example switch admin msplmgmtactivate Request to activate MS Platform Service in progress Completed activating MS Platform Service in the fabric Disabling platform services Use the following procedure to disable platform services 1 Conne...

Page 46: ... an empty access list switch admin msconfigure 0 Done 1 Display the access list 2 Add member based on its Port Node WWN 3 Delete member based on its Port Node WWN select 0 3 1 1 MS Access list is empty 0 Done 1 Display the access list 2 Add member based on its Port Node WWN 3 Delete member based on its Port Node WWN select 0 3 1 0 done Adding a member to the ACL Use the following procedure to add ...

Page 47: ...00 e0 8b 04 70 3b 10 00 00 60 69 04 11 33 20 00 00 20 37 65 ce 55 20 00 00 20 37 65 ce 66 00 00 00 00 00 00 00 00 0 Done 1 Display the access list 2 Add member based on its Port Node WWN 3 Delete member based on its Port Node WWN select 0 3 1 0 done Update the FLASH yes y no n yes y Successfully saved the MS ACL to the flash Deleting a member from the ACL When you delete a member from the ACL that...

Page 48: ...the access list 2 Add member based on its Port Node WWN 3 Delete member based on its Port Node WWN select 0 3 3 1 MS Access list is empty 0 Done 1 Display the access list 2 Add member based on its Port Node WWN 3 Delete member based on its Port Node WWN select 0 3 1 0 Viewing the contents of the management server database Use the following procedure to view the contents of the management server da...

Page 49: ...in AD0 and AD255 Displaying topology discovery status Use the following procedure to display the status of the topology discovery 1 Connect to the switch and log in using an account with admin permissions 2 Enter the mstdReadConfig command switch admin mstdreadconfig MS Topology Discovery is Enabled Enabling topology discovery Use the following procedure to enable topology discovery 1 Connect to t...

Page 50: ...y to disable the Topology Discovery feature NOTE Topology discovery is disabled by default ATTENTION Disabling discovery of management server topology might erase all node ID entries If Admin Domains are enabled you must be in the AD0 or AD255 context Refer to Chapter 17 Managing Administrative Domains for additional information Example of disabling discovery switch admin mstddisable This may eras...

Page 51: ...between any two switches a principal switch is automatically elected The principal switch provides the following capabilities Maintains time for the entire fabric Subordinate switches synchronize their time with the principal switch Changes to the clock server value on the principal switch are propagated to all switches in the fabric Manages domain ID assignment within the fabric If a switch reque...

Page 52: ...ices that do not perform a FLOGI but accept a PRLI to be entered in the name server and receive full fabric access A fabric capable device registers its information with the name server during a FLOGI These devices typically register information with the name server before querying for a device list The embedded port still performs a PLOGI and attempts a PRLI with these devices If a port decides t...

Page 53: ...mon fails 1 A RASlog and AUDIT event message are logged 2 The daemon is automatically started again 3 If the restart is successful then another message is sent to RASlog and AUDIT reporting the successful restart status 4 If the restart fails another message is sent to RASlog and no further attempts are made to restart the daemon Schedule downtime and reboot the switch at your convenience Table 1 ...

Page 54: ...rocesses 1 webd Webserver daemon used for WebTools includes httpd as well weblinkerd Weblinker daemon provides an HTTP interface to manageability applications for switch management and fabric discovery TABLE 1 Daemons that are automatically restarted Continued Daemon Description ...

Page 55: ... chapter focuses on configuring a SAN using the CLI you can also use the following methods to configure a SAN Web Tools For Web Tools procedures refer to Web Tools Administrator s Guide Brocade Network Advisor For additional information refer to the Brocade Network Advisor User Manual for the version you have A third party application using the API For third party application procedures refer to t...

Page 56: ...ands are shown and can be entered either in all lower case or using Java style capitalization This means that while bannershow and bannerShow will both work BANNERSHOW and BannerShow will not When command examples in this guide show user input enclosed in quotation marks the quotation marks are required Example zonecreate zonename requires that the value for zonename be in quotation marks Console ...

Page 57: ...addresses from the DHCP server The DHCP server must be on the same subnet as the switch Refer to DHCP activation on page 66 Rules for Telnet connections The following rules must be observed when making Telnet connections to your switch Never change the IP address of the switch while two Telnet sessions are active if you do your next attempt to log in fails To recover gain access to the switch by o...

Page 58: ...the network 5 Enter the account ID at the login prompt 6 Enter the password If you have not changed the system passwords from the default you are prompted to change them Enter the new system passwords or press Ctrl C to skip the password prompts For more information on system passwords refer to Default account passwords on page 61 7 Verify the login was successful The prompt displays the switch na...

Page 59: ...s Entering no specific argument displays only the command line history of the currently logged in user cliHistory Entering the cliHistory command with no arguments displays the command line history for the currently logged in user only even for the root user Example cliHistory command output from root login switch root clihistory CLI history Date Time Message Thu Sep 27 04 58 00 2012 root 10 70 12...

Page 60: ...2012 admin 10 70 12 101 clihistory swd77 root cliHistory showall Using the showall argument displays the command line history for all users With this option admin factory securityadmin users can see the root user command history This argument is available only to Root Admin Factory and Securityadmin RBAC roles Example cliHistory showing history of all users swd77 admin clihistory showall CLI histo...

Page 61: ...words cannot be changed using the passwd command later in the session If you skip the prompt and then later decide to change the passwords log out and then back in The default accounts on the switch are admin user root and factory Use the admin account to log in to the switch for the first time and to perform the basic configuration tasks The password for all of these accounts is password There is...

Page 62: ...s management access including direct access to the Fabric OS CLI and allows other tools such as Web Tools to interact with the switch You can use either Dynamic Host Configuration Protocol DHCP or static IP addresses for the Ethernet network interface configuration Brocade Backbones On Brocade Backbones you must set IP addresses for the following components Both Control Processors CP0 and CP1 Chas...

Page 63: ...cal Ethernet port and it is the logical Ethernet port to which IP addresses are assigned IPv4 addresses assigned to individual Virtual Fabrics are assigned to IP over Fibre Channel IPFC network interfaces In Virtual Fabrics environments a single chassis can be assigned to multiple fabrics each of which is logically distinct and separate from one another Each IPFC point of connection to a given cha...

Page 64: ...erify the information on your switch is correct If DHCP is enabled the network interface information was acquired from the DHCP server NOTE You can use either IPv4 or IPv6 with a classless inter domain routing CIDR block notation also known as a network prefix length to set up your IP addresses Static Ethernet addresses Use static Ethernet network interface addresses on Brocade DCX and DCX 4S Back...

Page 65: ...0 8 800 200C 417A 64 IP address is being changed Done For more information on setting up an IP address for a Virtual Fabric refer to Chapter 10 Managing Virtual Fabrics 3 Enter the network information in dotted decimal notation for the Ethernet IPv4 address or in semicolon separated notation for IPv6 4 Enter the Ethernet Subnetmask at the prompt 5 The Fibre Channel prompts are not relevant you can...

Page 66: ...tomatically obtains the Ethernet IP address Ethernet subnet mask and default gateway address from the DHCP server NOTE The DHCP client can only connect to a DHCP server on the same subnet as the switch Do not enable DHCP if the DHCP server is not on the same subnet as the switch Enabling DHCP after the Ethernet information has been configured releases the current Ethernet network interface setting...

Page 67: ...dress Otherwise the Ethernet settings may conflict with other addresses assigned by the DHCP server on the network Use the following procedure to disable DHCP for IPv4 1 Connect to the switch and log in using an account assigned to the admin role 2 Enter the ipAddrSet command ipaddrset NOTE Alternatively you can disable DHCP for IPv4 by entering ipaddrset ipv4 add dhcp OFF as a single command If y...

Page 68: ...ion of the host There can be multiple routers serving the network each potentially advertising multiple network prefixes Thus the host is not in full control of the number of IPv6 addresses that it configures much less the values of those addresses and the number and values of addresses can change as routers are added to or removed from the network When IPv6 autoconfiguration is enabled the platfo...

Page 69: ...Use the following procedure to set the device date and time 1 Connect to the switch and log in using an account assigned to the admin role 2 Enter the date command using the following syntax date mmddHHMMyy The values represent the following mm is the month valid values are 01 through 12 dd is the date valid values are 01 through 31 HH is the hour valid values are 00 through 23 MM is minutes valid...

Page 70: ...high availability Setting the time zone on any dual domain Backbone has the following characteristics Updating the time zone on any switch updates the entire Backbone The time zone of the entire Backbone is the time zone of switch 0 Setting the time zone The following procedure describes how to set the time zone for a switch You must perform the procedure on all switches for which the time zone mu...

Page 71: ... clock server value in nonvolatile memory By default this value is the local clock server LOCL of the principal or primary FCS switch Changes to the clock server value on the principal or primary FCS switch are propagated to all switches in the fabric In a Virtual Fabric all the switches in the fabric must have the same NTP clock server configured This includes any Fabric OS v6 2 0 or earlier swit...

Page 72: ...nfiguration done Updated with the NTP servers Changes to the clock server value on the principal or primary FCS switch are propagated to all switches in the fabric Domain IDs Although domain IDs are assigned dynamically when a switch is enabled you can change them manually so that you can control the ID number or resolve a domain ID conflict when you merge fabrics If a switch has a domain ID when ...

Page 73: ...e 34 00 ad 10 3 220 19 0 0 0 0 ras019 fec0 60 69bc 63 219 1eff fe34 1bd 20 fffc14 10 00 00 05 1e 40 68 78 10 3 220 20 0 0 0 0 ras020 25 fffc19 10 00 00 05 1e 37 23 c6 10 3 220 25 0 0 0 0 ras025 30 fffc1e 10 00 00 60 69 90 04 1e 10 3 220 30 0 0 0 0 ras030 35 fffc23 10 00 00 05 1e 07 c7 26 10 3 220 35 0 0 0 0 ras035 40 fffc28 10 00 00 60 69 50 06 7f 10 3 220 40 0 0 0 0 ras040 45 fffc2d 10 00 00 05 1...

Page 74: ... ID World Wide Name WWN or by customized switch names that are unique and meaningful Restrictions Switch names can be from 1 through 30 characters long All switch names must begin with a letter and can contain letters numbers or the underscore character Switch names must be unique across logical switches Changing the switch name causes a domain address format RSCN to be issued and may be disruptiv...

Page 75: ...o the assigned alphanumeric fabric name The following considerations apply to fabric naming Each name must be unique for each logical switch within a chassis duplicate fabric names are not allowed A fabric name can be from 1 through 128 alphanumeric characters All switches in a logical fabric must be running Fabric OS v7 1 0 Switches running earlier versions of the firmware can co exist in the fab...

Page 76: ...hed You can disable and re enable the switch as necessary Disabling a switch Use the following procedure to disable a switch 1 Connect to the switch and log in using an account assigned to the admin role 2 Enter the switchDisable command All Fibre Channel ports on the switch are taken offline If the switch is part of a fabric the fabric is reconfigured Enabling a switch Use the following procedure...

Page 77: ...RM signal Unmounting all filesystems The system is halted flushing ide devices hda Power down 5 Power off the switch Powering off a Brocade Backbone Use the following procedure to power off a Brocade Backbone device 1 From the active CP in a dual CP platform enter the sysShutdown command NOTE When the sysShutdown command is issued on the active CP the active CP the standby CP and any application b...

Page 78: ...ce connection To minimize port logins power off all devices before connecting them to the switch When powering the devices back on wait for each device to complete the fabric login before powering on the next one For devices that cannot be powered off first use the portDisable command to disable the port on the switch connect the device and then use the portEnable command to enable the port Switch...

Page 79: ...example unplugging the device from one port and plugging it into a different port as part of fabric maintenance or changing the domain ID of a switch which might be necessary when merging fabrics or changing compatibility mode settings Some device drivers use the PID to map logical disk drives to physical Fibre Channel counterparts Most drivers can either change PID mappings dynamically also calle...

Page 80: ...g mode is used only on the default logical switch With fixed addressing mode enabled each port has a fixed address assigned by the system based on the port number This address does not change unless you choose to swap the address using the portSwap command 10 bit addressing mode The 10 bit addressing mode is the default mode for all the logical switches created in the Brocade Backbones This addres...

Page 81: ...Zero based mode assigns areas as ports are added to the logical switch beginning at area 0x00 When a port is assigned to a logical switch the next free PID starting from 0x00 is assigned This mode allows FICON customers to make use of the upper ports of a 48 port or 64 port blade Zero based mode is supported on the default switch Port based mode is a bit more complex Port based mode is not support...

Page 82: ...ices The number of point to point devices supported depends on the areas available For example 448 areas are available on Backbones and 256 areas are available on switches When the number of entries in the WWN based PID database reaches 4096 areas are used up the oldest unused entry is purged from the database to free up the reserved area for the new FLOGI Virtual Fabrics considerations for WWN ba...

Page 83: ...ls attributes yes y no n no Custom attributes yes y no n no system attributes yes y no n no Assigning a static PID Use the following procedure to assign a static PID 1 Connect to the switch and log in using an account with admin permissions 2 Enter the wwnAddress bind command to assign a 16 bit PID to a given WWN Clearing PID binding Use the following procedure to clear a PID binding 1 Connect to ...

Page 84: ...e devices such as SAN storage devices G_Port A generic port that acts as a transition port for non loop fabric capable devices L_ FL_Port A loop or fabric loop port that connects loop devices L_Ports are associated with private loop devices and FL_Ports are associated with public loop devices M_Port A mirror port that is configured to duplicate mirror the traffic passing between a specified source...

Page 85: ...he same Backbone for example 16 port blades and 32 port blades or 16 port blades and 18 port blades with 16 FC ports and 2 GbE ports or 16 port and 48 port blades the area IDs no longer match the port numbers Table 6 on page 94 lists the port numbering schemes for the blades Configuring two Ethernet ports on one CP8 blade This feature bonds the two external Ethernet ports of a CP8 blade together a...

Page 86: ...net ports should always match with both either set at a fixed speed or both set to autonegotiate The CP8 blade actually contains multiple Ethernet devices including eth0 and eth3 which map to the two Ethernet ports on the front of the CP8 blade Other Ethernet devices on the blade are reserved for use by the operating system The CP blade enables eth0 by default If errors are encountered on eth0 the...

Page 87: ...ng is the same as for 32 port blades for the first 32 ports on the blade For ports 32 through 47 area IDs are not unique and port index should be used instead of area ID For the 64 port blade FC8 64 the numbering is the same as for 32 port blades for the first 32 ports on the blade For ports 32 through 64 area IDs are not unique and port index should be used instead of area ID If you perform a por...

Page 88: ...cular device contact your switch vendor for further assistance For more information on using this command refer to the Fabric OS Command Reference Swapping port area IDs If a device that uses port binding is connected to a port that fails you can use port swapping to make another physical port use the same PID as the failed port The device can then be plugged into the new port without the need to ...

Page 89: ...a power cycle or a switch reboot To ensure the port remains enabled use the portCfgPersistentEnable command as shown in the following instructions CAUTION The fabric will be reconfigured if the port you are enabling or disabling is connected to another switch The switch with a port that has been disabled will be segmented from the fabric and all traffic flowing between it and the fabric will be lo...

Page 90: ...ally collected before a port is decommissioned NOTE All members of a trunk group must have an equal link cost value in order for any of the members to be decommissioned If any member of a trunk group does not have an equal cost requests to decommission a trunk member will fail and an error reminding the caller of this requirement is produced The following restrictions apply to port decommissioning...

Page 91: ...through its Ethernet interface It is recommended that this command be used only from the serial console port When used through an interface other than the serial console port the command displays a warning message and prompts for verification before continuing This warning is not displayed and you are not prompted when the command is used through the serial console port See the examples below for ...

Page 92: ... to set port speeds 1 Connect to the switch and log in using an account with admin permissions 2 Enter the portCfgSpeed command Example of setting the port speed The following example sets the speed for port 3 on slot 2 to 4 Gbps ecp admin portcfgspeed 2 3 4 done The following example sets the speed for port 3 on slot 2 to autonegotiate ecp admin portcfgspeed 2 3 0 done Setting all ports on a swit...

Page 93: ...Before configuring a chassis familiarize yourself with the platform CP blade and port blade nomenclature as well as the port blade compatibilities Table 5 includes core and CP blade terminology and descriptions Table 6 on page 94 includes port blade terminology and descriptions TABLE 5 Core and CP blade terminology and platform support Supported on Blade Blade ID slotshow DCX family DCX 8510 famil...

Page 94: ...ps port blade supporting 2 4 and 8 Gbps port speeds The Brocade DCX and Brocade DCX 8510 Backbone families support loop devices on 64 port blades in a Virtual Fabric enabled environment The loop devices can only be attached to ports on a 64 port blade that is not a part of the default logical switch Ports are numbered from 0 through 31 from bottom to top on the left set of ports and 32 through 63 ...

Page 95: ...lades The core blades for each platform are not interchangeable or hot swappable with the core blades for any other platform If you try to interchange the blades they become faulty FCOE10 24 74 Yes No 24 10 GbE DCB ports An application blade that provides Converged Enhanced Ethernet to bridge a Fibre Channel and Ethernet SAN Ports are numbered from 0 through 11 from bottom to top on the left set o...

Page 96: ...4 or Brocade 7800 GbE ports The ports may come online but they will not communicate with each other If an FX8 24 blade is replaced by another FX8 24 blade the previous IP configuration data would be applied to the new FX8 24 The FX8 24 and FS8 18 blades cannot co exist with the FCOE10 24 blade Enabling and disabling blades Port blades are enabled by default In some cases you will need to disable a...

Page 97: ... command with the slot number of the port blade you want to disable ecp admin bladedisable 3 Slot 3 is being disabled Blade swapping Blade swapping allows you to swap one blade with another of the same type in this way you can replace a FRU with minimal traffic disruption The entire operation is accomplished when the bladeSwap command runs on the Fabric OS The Fabric OS then validates each command...

Page 98: ... validation process includes determining the compatibility between the blades selected for the swap operation Blade technology Both blades must be of compatible technology types for example Fibre Channel to Fibre Channel Ethernet to Ethernet application to application and so on Port count Both blades must support the same number of front ports for example 16 ports to 16 ports 32 ports to 32 ports ...

Page 99: ...ic of the source ports FIGURE 3 Blade swap with Virtual Fabrics during the swap 4 Port swapping The swap ports action is effectively an iteration of the portSwap command for each port on the source blade to each corresponding port on the destination blade In Figure 4 shows Virtual Fabrics where the blades can be carved up into different logical switches as long as they are carved the same way If s...

Page 100: ...successfully move the cables from the source blade to the destination blade 4 Enter the bladeEnable command on the destination blade to enable all user ports Enabling and disabling switches Switches are enabled by default In some cases you may need to disable a switch to perform diagnostics This ensures that diagnostic activity does not interfere with normal fabric traffic Use the following proced...

Page 101: ...rsistentDisable command output from admin login switch admin switchCfgPersistentDisable setdisablestate Switch s persistent state set to disabled Switch persistent disable set Using switchCfgPersistentDisable help Using the help argument displays a list of the available command arguments Example of using switchCfgPersistentDisable command output from admin login switch admin switchCfgPersistentDis...

Page 102: ... blades by lowering the slider or removing power from the chassis If there is no CP up and running then physical removal or powering off the chassis is required Powering off a port blade Use the following procedure to power off a port blade 1 Connect to the switch and log in using an account with admin permissions 2 Enter the slotPowerOff command with the slot number of the port blade you want to ...

Page 103: ...he appropriate values 5 Enter the psShow command to display the current status of the switch power supplies Refer to the hardware reference manual of your system to determine the appropriate values 6 Enter the slotShow m command to display the inventory and the current status of each slot in the system Example of the slot information displayed for a DCX chassis DCX FID128 admin slotshow m Slot Bla...

Page 104: ...b2fe8 0b2fef 0f0000 0f0226 0f0233 0f02e4 0f02e8 0f02ef 210e00 211700 211fe8 211fef 2c0000 2c0300 611000 6114e8 6114ef 611600 620800 621026 621036 6210e4 6210e8 6210ef 621400 621500 621700 621a00 75 Nx_Ports in the Fabric The number of devices listed should reflect the number of devices that are connected Track and control switch changes The track changes feature allows you to keep a record of spec...

Page 105: ...of failed or inoperable units for each contributor that triggers a status change in the switch Each parameter can be adjusted so that a specific threshold must be reached before that parameter changes the overall status of a switch to MARGINAL or DOWN For example if the FaultyPorts DOWN parameter is set to 3 the status of the switch will change if three ports fail Only one policy parameter needs t...

Page 106: ...chStatusPolicyShow command to view your current switch status policy configuration Example output from a switch The following example displays what is typically seen from a Brocade switch but the quantity and types vary by platform switch admin switchstatuspolicyshow To change the overall switch status policy parameters The current overall switch status policy parameters Down Marginal PowerSupplie...

Page 107: ...inguished from other system message log events that occur in the network Then at some regular interval of your choosing you can review the audit events to look for unexpected changes Before you configure audit event logging familiarize yourself with the following audit event log behaviors and limitations By default all event classes are configured for audit to create an audit event log for specifi...

Page 108: ...ing an audit log you must perform the following steps to ensure that the host syslog is operational 1 Set up an external host machine with a system message log daemon running to receive the audit events that will be generated 2 On the switch where the audit configuration is enabled enter the syslogdIpAdd command to add the IP address of the host machine so that it can receive the audit events You ...

Page 109: ...tempt via REMOTE IP Addr 10 3 220 13 Duplicate PWWN handling during device login If a device attempts to log in with the same PWWN as another device on the switch you can configure whether the new login or the existing login takes precedence You can configure how duplicate PWWNs are handled by selecting an option in the Enforce FLOGI FDISC login prompt of the configure command Setting 0 First logi...

Page 110: ... an NPIV port the newer login is accepted Enforce FLOGI FDISC login 0 2 0 1 6 Respond to the remaining prompts or press Ctrl D to accept the other settings and exit 7 Enter the switchEnable command to re enable the switch With any of these settings detection of duplicate PWWNs results in a RASLog Ports that are restricted become persistently disabled marked with the reason Duplicate Port WWN detec...

Page 111: ...n network There are two kinds of routing protocols on intranet networks distance vector and link state Distance vector is based on hop count This is the number of switches that a frame passes through to get from the source switch to the destination switch Link state is based on a metric value based on a cost The cost could be based on bandwidth line speed or round trip time With the link state pro...

Page 112: ...he other switches in the fabric by adding the cost of all links traversed by the path and chooses the path that minimizes the costs This collection of the link states including costs of all the switches in the fabric constitutes the topology database or link state database Once established FSPF programs the hardware routing tables for all active ports on the switch FSPF is not involved in frame sw...

Page 113: ...of the Fibre Channel frame to perform what is known as cut through routing A frame may begin to emerge from the output port before it has been entirely received by the input port The entire frame does not need to be buffered in the switch If the destination domain ID is different than the source domain ID then the switch consults the FSPF route table to identify which local E_Port provides the Fab...

Page 114: ...ting two switches together Brocade recommends the best practice that the following parameters are differentiated Domain ID Switch name Chassis name You must also verify the following fabric parameters are identical on each switch for a fabric to merge R_A_TOV Resource Allocation TimeOut Value E_D_TOV Error Detect TimeOut Value Data Field Size Sequence Level Switching Disable Device Probing Suppres...

Page 115: ... for congestion an over subscribed link may go through a lifetime of normal operation and never be congested The term over subscription is not to be used in place of congestion which is the actual contention for bandwidth by devices through an ISL Virtual channels Virtual channels create multiple logical data paths across a single physical link or connection They are allocated their own network re...

Page 116: ...116 Fabric OS Administrator s Guide 53 1002745 02 Inter switch links 4 FIGURE 7 Virtual channels on a QoS enabled ISL ...

Page 117: ...default switch ports initialize links using the Exchange Link Parameters ELP mode 1 However gateways expect initialization with ELP mode 2 also referred to as ISL R_RDY mode Therefore to enable two switches to link through a gateway the ports on both switches must be set for ELP mode 2 Any number of E_Ports in a fabric can be configured for gateway links provided the following guidelines are follo...

Page 118: ...ocol places into each table and the routes from that table that the protocol advertises by defining one or more routing policies and then applying them to the specific routing protocol The routing policy is responsible for selecting a route based on one of two user selected routing policies Port based routing Exchange based routing Notes On the Brocade 300 5100 5300 5410 5430 5450 5460 5470 5480 6...

Page 119: ...based on SID DID and OXID Whatever routing policy a switch is using applies to the VE_Ports as well For more information on VE_Ports refer to the Fibre Channel over IP Administrator s Guide Exchange based routing The choice of routing path is based on the Source ID SID Destination ID DID and Fibre Channel originator exchange ID OXID optimizing path utilization for the best performance Thus every e...

Page 120: ...nly AP route policies Two additional AP policies are supported under exchange based routing AP Shared Link policy default AP Dedicated Link policy NOTE AP policies are independent of routing policies Every routing policy supports both AP policies The AP Dedicated Link policy relieves internal congestion in an environment where There is a large amount of traffic going through both directions at the...

Page 121: ...text 20 3 Enter the switchDisable command to disable the switch 4 Take the appropriate following action based on the AP route policy you choose to implement If the exchange based policy is required enter the aptPolicy 3 command If the port based policy is required enter the aptPolicy 1 command Setting up the AP route policy The AP route policy can only be set in the base switches that are using Vi...

Page 122: ...lowing procedure to set up DLS 1 Connect to the switch and log in using an account with admin permissions 2 Enter the dlsShow command to view the current DLS setting One of the following messages appears DLS is set indicates that DLS is turned on DLS is not set indicates that DLS is turned off DLS is set with Lossless enabled DLS is enabled with the Lossless feature Load sharing is recomputed with...

Page 123: ...d among multiple paths However when topology changes occur in the fabric for example if a link goes down traffic is rerouted around the failure and some frames could be delivered out of order Most destination devices tolerate out of order delivery but some do not By default out of order frame based delivery is allowed to minimize the number of frames dropped Enabling in order delivery IOD guarante...

Page 124: ...nt Jul 13 23 47 07 11 45 11 45 0xfffffd 0x40e580 0 0 timeout 2 Jul 13 23 47 07 11 45 11 45 0xfffffc 0x40e580 0 0 timeout 5 Jul 13 23 47 07 11 45 11 45 0xfffffc 0x40e580 0 0 timeout 3 Jul 13 23 47 07 11 45 11 45 0xfffc40 0x40e580 0 0 timeout 2 Jul 13 23 47 07 11 45 11 45 0xfffc40 0x40e580 0 0 timeout 1 Notes The output of show displays the type of each discard Syntax framelog show type discard_type...

Page 125: ...Brocade FX8 24 application blades in the Brocade DCX and DCX 4S Backbones On the Brocade 7800 switch and the FX8 24 application blade Lossless DLS is supported only on FC to FC port flows ATTENTION When you implement Lossless DLS the switches in the fabric must have either Fabric OS v6 3 0 or Fabric OS v6 4 0 or later installed to guarantee no frame loss Lossless DLS must be implemented along the ...

Page 126: ...D Lossless core Lossless core works with the default configuration of the Brocade DCX 8510 8 and DCX 8510 4 hardware to prevent frame loss during a core blade removal and insertion This feature is on by default and cannot be disabled Lossless core has the following limitations Only supported with IOD disabled which means Lossless core cannot guarantee in order delivery of exchanges ICL limitations...

Page 127: ...missions 2 Enter the appropriate dlsSet command to enable or disable Lossless Dynamic Load Sharing switch admin dlsset enable lossLess switch admin dlsset disable lossLess Lossless Dynamic Load Sharing in Virtual Fabrics Enabling Lossless Dynamic Load Sharing is optional on logical switches in Virtual Fabrics If you enable this feature it must be on a per logical switch basis and can affect other ...

Page 128: ... an access gateway using RDY Normal R_RDY or Virtual Channel VC_RDY flow control modes It enables automatically when negotiation with a switch detects FEC capability This feature is enabled by default and persists after driver reloads and system reboots It functions with features such as QoS trunking and BB_Credit recovery Limitations The following are limitations of this feature FEC is configurab...

Page 129: ... FEC feature on a port range enter the portCfgFec enable command In this example port 1 already has FEC enabled and so it remains enabled switch admin portcfgfec enable 0 8 Same configuration for port 1 Disabling forward error correction To disable the FEC feature on a port range enter the portCfgFec disable command switch admin portcfgfec disable 0 8 Enabling and Disabling FEC for long distance p...

Page 130: ...er changes to spoof the mapping of real device WWNs to virtual PIDs FIGURE 9 Single host and target Figure 9 demonstrates the flow of Frame Redirection traffic A frame starts at the host with a destination to the target The port where the appliance is attached to the host switch acts as the virtual initiator and the port where the appliance is attached to the target switch is the virtual target Cr...

Page 131: ...ing procedure to delete a frame redirect zone 1 Connect to the switch and log in using an account with admin permissions 2 Enter the zone rdDelete command to remove the base redirect zone object red_______base NOTE When the base zone is removed the redirect zone configuration r_e_d_i_r_c__fg is removed as well 3 Enter the cfgSave command to save changes to the defined configuration Example of dele...

Page 132: ...132 Fabric OS Administrator s Guide 53 1002745 02 Frame Redirection 4 ...

Page 133: ...ciate roles with each user account to determine the functional access levels within the bounds of the user s current Admin Domain Virtual Fabric list Specifies the Virtual Fabric a user account is allowed to log in to Home Virtual Fabric Specifies the Virtual Fabric that the user is logged into if available The home Virtual Fabric must be a member of the user s Virtual Fabric list If the fabric ID...

Page 134: ...has been assigned For each role a set of predefined permissions determines the jobs and tasks that can be performed on a fabric and its associated fabric elements Fabric OS uses RBAC to determine which commands a user is allowed to access When you log in to a switch your user account is associated with a predefined role or a user defined role The role that your account is associated with determine...

Page 135: ...to list all command categories 2 Enter the classConfig showroles command with the command category of interest as the argument This command shows the permissions that apply to all commands in a specific category For example classconfig showroles authentication Roles that have access to the RBAC Class authentication are Role name Permission Admin OM Factory OM Root OM Security Admin OM You can also...

Page 136: ...iven RBAC command category The userConfig command can be used to assign a user defined role to a user account Creating a user defined role You can define a role as long as it has a unique name that is not the same as any of the Fabric OS default roles any other user defined role or any existing user account name The following conditions also apply A role name is case insensitive and contains only ...

Page 137: ...options of the userConfig command userConfig add with the r option to create a new user account and assign a role userConfig change with the r option to add or change a user defined role for an existing user account userConfig add with the c option to create a new user account and assign a chassis role userConfig change with the c option to add a chassis role to an account The following example as...

Page 138: ...e specified account userConfig showad a adminDomain_ID to show all accounts permitted to select the specified adminDomain_ID userConfig showlf l logicalFabric_ID for each LF in an LF_ID_list displays a list of users that include that LF in their LF permissions Creating an account 1 Connect to the switch and log in using an account with admin permissions or an account associated with a user defined...

Page 139: ...inistrative Domains 1 Connect to the switch and log in using an account with admin permissions or an account associated with a user defined role with permissions for the UserManagement class of commands 2 Enter the userConfig change command Local account passwords The following rules apply to changing passwords Users can change their own passwords To change the password for another account require...

Page 140: ...sons One of the target switches does not support local account database distribution One of the target switch s user database is protected One of the remote switches has logical switches defined Either the local switch or one of the remote switches has user accounts associated with user defined roles Distributing the local user database When the local user database is distributed all user defined ...

Page 141: ...ation that was previously stored there Also password changes are not permitted on the standby CP Password authentication policies configured using the passwdCfg command are not enforced during initial prompts to change default passwords Password strength policy The password strength policy is enforced across all user accounts and enforces a set of format rules to which new passwords must adhere Th...

Page 142: ...ter sequence exceeding two characters The range of allowed values is 1 through 40 The default value is 1 When set to 1 sequential characters are not enforced Example of a password strength policy The following example shows a password strength policy that requires passwords to contain at least 3 uppercase characters 4 lowercase characters and 2 numeric digits the minimum length of the password is ...

Page 143: ...own as the password expiration period MaxPasswordAge values range from 0 through 999 The default value is zero Setting this parameter to zero disables password expiration Warning Specifies the number of days prior to password expiration that a warning about password expiration is displayed Warning values range from 0 through 999 The default value is 0 days NOTE When MaxPasswordAge is set to a nonz...

Page 144: ...mpt to log in using an incorrect password before the account is locked The number of failed login attempts is counted from the last successful login LockoutThreshold values range from 0 through 999 and the default value is 0 Setting the value to 0 disables the lockout mechanism LockoutDuration Specifies the time in minutes after which a previously locked account is automatically unlocked LockoutDu...

Page 145: ...ocedures dictate that you set the boot PROM password without the recovery string see Setting the boot PROM password for a switch without a recovery string on page 147 To set the boot PROM password with or without a recovery string refer to the section that applies to your switch or Backbone model CAUTION Setting the boot PROM password requires accessing the boot prompt which stops traffic flow thr...

Page 146: ...7 Reboot the switch by typing the reset command at the prompt Setting the boot PROM password for a Backbone with a recovery string This procedure applies to the Brocade DCX DCX 4S DCX 8510 4 and DCX 8510 8 Backbones The boot PROM and recovery passwords must be set for each CP blade 1 Connect to the serial port interface on the standby CP blade as described in Connecting to Fabric OS through the se...

Page 147: ...ugh the active CP blade resumes when the failover is complete 9 Connect the serial cable to the serial port on the new standby CP blade previously the active CP blade 10 Repeat step 2 through step 7 for the new standby CP blade each CP blade has a separate boot PROM password 11 Connect to the active CP blade over a serial or Telnet connection and enter the haEnable command to restore high availabi...

Page 148: ...tive CP blade by opening a Telnet session to either CP blade connecting as admin and entering the haShow command 2 Connect to the active CP blade over a serial or Telnet connection and enter the haDisable command to prevent failover during the remaining steps 3 Create a serial connection to the standby CP blade as described in Connecting to Fabric OS through the serial port on page 56 4 Reboot the...

Page 149: ...on and enter the haEnable command to restore high availability NOTE To recover lost passwords refer to the Fabric OS Troubleshooting and Diagnostics Guide Remote authentication Fabric OS supports user authentication through the local user database or one of the following external authentication services Remote authentication dial in user service RADIUS Lightweight directory access protocol LDAP us...

Page 150: ...To enable the secure LDAP service you need to install a certificate from the Microsoft Active Directory server or the OpenLDAP server By default the LDAP service does not require certificates The configuration applies to all switches On a Backbone the configuration replicates itself on a standby CP blade if one is present It is saved in a configuration upload and applied in a configuration downloa...

Page 151: ...radius switchdb1 authspec local Default setting Authenticates management connections against the local database only If the password does not match or the user is not defined the login fails Off On authspec radius Authenticates management connections against any RADIUS databases only If the RADIUS service is not available or the credentials do not match the login fails On Off authspec radius local...

Page 152: ...tication database only if the primary authentication database is not available n a On authspec tacacs Authenticates management connections against any TACACS databases only If TACACS service is not available or the credentials do not match the login fails not supported not supported authspec tacacs local Authenticates management connections against any TACACS databases first If TACACS fails for an...

Page 153: ...will not be issued If your RADIUS server maintains its own password expiration attributes you must set the exact date twice to use this feature once on your RADIUS server and once in the VSA attribute If the dates do not match then the RADIUS server authentication fails Table 18 describes the syntax used for assigning VSA based account switch roles on a RADIUS server TABLE 18 Syntax for VSA based ...

Page 154: ...dmin as shown in Figure 10 FIGURE 10 Windows 2000 VSA configuration Linux FreeRADIUS server For the configuration on a Linux FreeRADIUS server define the values outlined in Table 19 in a vendor dictionary file called dictionary brocade After you have completed the dictionary file define the permissions for the user in a configuration file For example to grant the user jsmith admin permissions you ...

Page 155: ...ch this account is a member Valid numbers range from 0 to 255 A dash between two numbers specifies a range Multiple ADlist key value pairs within the same or across the different Vendor Type codes are concatenated Multiple occurrences of the same Admin Domain number are ignored HomeLF is the designated home Virtual Fabric for the account The valid values are between 1 to 128 and chassis context Th...

Page 156: ...v4 or IPv6 notation or the name to connect to switches Use the ipAddrShow command to display a switch IP address For Brocade Backbones the switch IP addresses are aliases of the physical Ethernet interfaces on the CP blades When specifying client IP addresses for the logical switches in these systems make sure the CP blade IP addresses are used For accessing both the active and standby CP blade an...

Page 157: ... the file PREFIX etc raddb dictionary in a text editor and add the line INCLUDE dictionary brocade As a result the file dictionary brocade is located in the RADIUS configuration directory and loaded for use by the RADIUS server Creating the user 1 Open the PREFIX etc raddb user file in a text editor 2 Add the user names and their permissions for users accessing the switch and authenticating throug...

Page 158: ...d server Make sure the shared secret matches that configured on the switch see Adding an authentication server to the switch configuration on page 175 2 Save the file PREFIX etc raddb client config and then start the RADIUS server as follows PREFIX sbin radiusd Configuring RADIUS server support with Windows 2000 The instructions for setting up RADIUS on a Windows 2000 server are listed here for yo...

Page 159: ...ill need to configure the RADIUS server for a Brocade switch A client is the device that uses the RADIUS server in this case it is the switch a For the Add RADIUS Client window provide the following Client address IP or DNS Enter the IP address of the switch Client Vendor Select RADIUS Standard Shared secret Provide a password Shared secret is a password used between the client device and server t...

Page 160: ... more about how RSA SecurID works visit www rsa com for more information Setting up the RSA RADIUS server For more information on how to install and configure the RSA Authentication Manager and the RSA RADIUS server refer to your documentation or visit www rsa com 1 Create user records in the RSA Authentication Manager 2 Configure the RSA Authentication Manager by adding an agent host 3 Configure ...

Page 161: ... file brocade dct Brocade Dictionary See readme dct for more details on the format of this file Use the Radius specification attributes in lieu of the Brocade one radius dct MACRO Brocade VSA t s 26 vid 1588 type1 t len1 2 data s ATTRIBUTE Brocade Auth Role Brocade VSA 1 string r ATTRIBUTE Brocade Passwd ExpiryDate Brocade VSA 6 string r ATTRIBUTE Brocade Passwd WarnPeriod Brocade VSA 7 integer r ...

Page 162: ...OpenLDAP refer to LDAP configuration and OpenLDAP on page 165 Two operational modes exists in LDAP authentication FIPS mode and non FIPS mode This section discusses LDAP authentication in non FIPS mode For more information on LDAP in FIPS mode refer to Chapter 7 Configuring Security Policies The following are restrictions when using LDAP in non FIPS mode There is no password change through Active ...

Page 163: ...ts can be achieved by including the user in the respective group A user can be assigned to multiple groups like Switch Admin and Security Admin For LDAP servers you can use the ldapCfg maprole ldap_role_name switch_role command to map an LDAP server permissions to one of the default roles available on a switch For more information on RBAC roles see Role Based Access Control on page 134 NOTE All in...

Page 164: ...group has the following attributes The name of the group has to match the RBAC role The Group Type must be Security The Group Scope must be Global The primary group in the AD server should not be set to the group corresponding to the switch role You can choose any other group If the user you created is not a member of the Users OU then the User Principal Name in the format of user domain is requir...

Page 165: ...cal switch that would be logged into by default is 10 If 10 is not available then the lowest FID available will be chosen You would have permission to enter logical switch 128 and 10 in an admin role and you would also have the chassis role permission of admin NOTE You can perform batch operations using the Ldifde exe utility For more information on importing and exporting schemas refer to your Mi...

Page 166: ...er needs to be verified by the LDAP client that is the Brocade switch then you must install a Certificate Authority CA certificate on the OpenLDAP server Follow OpenLDAP instructions for generating and installing CA certificates on an OpenLDAP server 2 Enable group membership through the memberOf mechanism by including the memberOf overlay in the slapd conf file 3 Create entries users in the OpenL...

Page 167: ...p data Indices to maintain index objectClass eq overlay memberof Adding entries to the directory To add entries in the OpenLDAP directory perform the following steps 1 Using an editor of your choice create a ldif file and enter the information for the entry The following example defines an organizational role for the Directory Manager in a ldif file for an organization with the domain name mybroca...

Page 168: ... objectclass organizationalunit ou groups description generic groups branch dn cn admin ou groups dc mybrocade dc com objectclass groupofnames cn admin description Members having admin permission Add members for admin group member cn sachin cn Users dc mybrocade dc com Assigning the LDAP role to a switch role Use the ldapCfg maprole ldap_role_name switch_role command to map LDAP server permissions...

Page 169: ...reate or edit a ldif file with contents similar to the following Replacing an attribute value dn cn test cn Users dc mybrocade dc com changetype modify replace uid uid test 2 Enter the following ldapmodify command where test3 ldif is the name of the file you edited in step 1 ldapmodify D cn admin dc mybrocade dc com x w secret f test3 ldif The value of the uid attribute is changed to test Adding a...

Page 170: ...ist_0_10_200_endAd If you are using Virtual Fabrics enter the value of the logical fabrics to which the user has access Up to three value fields can be specified separated by an semicolons The HomeLF field specifies the user s home Logical Fabric The LFRole list field specifies the additional Logical Fabrics to which the user has access and the user s access permissions for those Logical Fabrics L...

Page 171: ...co For Microsoft Windows servers use any TACACS freeware that uses TACACS protocol v1 78 or later TACACS configuration overview Configuration is required on both the TACACS server and the Brocade switch On the TACACS server you should assign a role for each user and if Admin Domains or Virtual Fabrics are in use provide lists of Admin Domains or Virtual Fabrics to which the user should have access...

Page 172: ...butes specific to Brocade Adding a user and assigning a role When adding a user to the tac_plus cfg file you should at least provide the brcd role attribute The value assigned to this attribute should match a role defined for the switch When a logon is authenticated the role specified by the brcd role attribute represents the permissions granted to the account If no role is specified or if the spe...

Page 173: ...ecurityAdmin set brcd AV Pair1 homeAD 255 ADList 1 2 3 set brcd AV Pair2 ADList 200 255 Configuring Virtual Fabric lists If your network uses Virtual Fabrics you should create Virtual Fabric lists for each user to identify the Virtual Fabrics to which the account has access Assign the following key value pairs to the brcd AV Pair1 and optionally brcd AV Pair2 attributes to grant access to the Virt...

Page 174: ...ch At least one RADIUS LDAP or TACACS server must be configured before you can enable a remote authentication service You can configure the remote authentication service even if it is disabled on the switch You can configure up to five RADIUS LDAP or TACACS servers You must be logged in as admin or switchAdmin to configure the RADIUS service NOTE On dual CP Backbones Brocade DCX DCX 4S DCX 8510 4 ...

Page 175: ...AP or TACACS Local is used for local authentication if the user authentication fails on the authentication server Example enabling RADIUS switch admin aaaconfig authspec radius local backup Example enabling LDAP switch admin aaaconfig authspec ldap local backup Example enabling TACACS switch admin aaaconfig authspec tacacs local backup Deleting an authentication server from the configuration 1 Con...

Page 176: ...authspec radius local backup Example for LDAP switch admin aaaconfig authspec ldap local backup Example for TACACS switch admin aaaconfig authspec tacacs local backup For details about this command see Table 17 on page 151 When local authentication is enabled and the authentication servers fail to respond you can log in to the default switch accounts admin and user or any user defined account You ...

Page 177: ...e protocol support Protocol Description HTTPS HTTPS is a Uniform Resource Identifier scheme used to indicate a secure HTTP connection Web Tools supports the use of Hypertext Transfer Protocol over SSL HTTPS IPsec Internet Protocol Security IPsec is a framework of open standards for providing confidentiality authentication and integrity for IP data transmitted over untrusted links or networks LDAPS...

Page 178: ... SSL Supports SSLv3 128 bit encryption by default TABLE 22 Items needed to deploy secure protocols Protocol Host side Switch side SSHv2 Secure shell client None HTTPS No requirement on host side except a browser that supports HTTPS Switch IP certificate for SSL SCP SSH daemon SCP server None SNMPv1 SNMPv2 SNMPv3 None None TABLE 23 Main security scenarios Fabric Management interfaces Comments Nonse...

Page 179: ...e signature validation for firmware yes y no n no Secure Shell protocol To ensure security Fabric OS supports Secure Shell SSH encrypted sessions SSH encrypts all messages including the client transmission of the password during login The SSH package contains a daemon sshd which runs on the switch The daemon supports a wide variety of encryption algorithms such as Blowfish Cipher block chaining CB...

Page 180: ...lowed user While creating the key pair the configured allowed user can choose a passphrase with which the private key is encrypted Then the passphrase must always be entered when authenticating to the switch The allowed user must have admin permissions to perform OpenSSH public key authentication import and export keys generate a key pair for an outgoing connection and delete public and private ke...

Page 181: ... export and delete keys 4 Generate a key pair for switch to host outgoing authentication by logging in to the switch as the allowed user and entering the sshUtil genkey command You may enter a passphrase for additional security Example of generating a key pair on the switch switch alloweduser sshutil genkey Enter passphrase empty for no passphrase Enter same passphrase again Key pair generated suc...

Page 182: ... instead of standard links which begin with http SSL uses public key infrastructure PKI encryption to protect data transferred over SSL connections PKI is based on digital certificates obtained from an Internet Certificate Authority CA that acts as the trusted key agent Certificates are based on the switch IP address or fully qualified domain name FQDN depending on the issuing CA If you change a s...

Page 183: ...request a certificate from a CA through a web browser After you request a certificate the CA either sends certificate files by e mail public or gives access to them on a remote host private 5 On each switch install the certificate Once the certificate is loaded on the switch HTTPS starts automatically 6 If necessary install the root certificate to the browser on the management workstation 7 Add th...

Page 184: ...ornia Locality Name eg city name San Jose Organization Name eg company name Brocade Organizational Unit Name eg department name Eng Common Name Fully qualified Domain Name or IP address 192 1 2 3 Generating CSR file name is 192 1 2 3 csr Done Your CA may require specific codes for Country State or Province Locality Organization and Organizational Unit names Make sure that your spelling is correct ...

Page 185: ...ccount with admin permissions 4 Enter the secCertUtil showcsr command The contents of the CSR are displayed 5 Locate the section that begins with BEGIN CERTIFICATE REQUEST and ends with END CERTIFICATE REQUEST 6 Copy and paste this section including the BEGIN and END lines into the area provided in the request form then follow the instructions to complete and send the request It may take several d...

Page 186: ... in configuration has been updated Secure http has been enabled Important Notes Certificate Authorities may provide their certificates in different encodings and different extensions Be sure to save the certificate with the applicable file extension before you import the certificate to the switch For example certificates that contain lines similar to the following are usually pem encoded BEGIN REQ...

Page 187: ...o the certificate location and select the certificate For example select nameRoot crt 6 Click Open and follow the instructions to import the certificate Root certificates for the Java plugin For information on Java requirements refer to Browser and Java support on page 182 This procedure is a guide for installing a root certificate to the Java plugin on the management workstation If the root certi...

Page 188: ...L provides a way for the administrator to restrict SNMP get set trap and inform operations to certain hosts and IP addresses This is used for enhanced management security in the storage area network For details on Brocade MIB files naming conventions loading instructions and information about using Brocade s SNMP agent refer to the Fabric OS MIB Reference You can configure SNMPv3 and SNMPv1 for th...

Page 189: ...ontextName field is empty then the home Virtual Fabric of the local Fabric OS user with the same name is used As Virtual Fabrics and Admin Domains are mutually exclusive this field is considered as Virtual Fabrics context when Virtual Fabrics is enabled You cannot specify chassis context in the contextName field The following example shows how the VF xxx field is used in the snmpwalk command This ...

Page 190: ... information on IP filter policies refer to IP Filter policy on page 217 ATTENTION Before blocking Telnet make sure you have an alternate method of establishing a connection with the switch Blocking Telnet If you create a new policy using commands with just one rule all the missing rules have an implicit deny and you lose all IP access to the switch including Telnet SSH and management ports Use th...

Page 191: ...is active the default_ipv4 policy should be displayed as defined switch admin ipfilter show Name BlockTelnet Type ipv4 State defined Rule Source IP Protocol Dest Port Action 1 any tcp 23 deny 2 any tcp 22 permit 3 any tcp 22 permit 4 any tcp 897 permit 5 any tcp 898 permit 6 any tcp 111 permit 7 any tcp 80 permit 8 any tcp 443 permit 9 any udp 161 permit 10 any udp 111 permit 11 any udp 123 permit...

Page 192: ...rvice be aware that the secModeEnable command is not supported Table 26 lists the defaults for accessing hosts devices switches and zones TABLE 25 Blocked listener applications Listener application Brocade DCX and DCX 8510 Backbone families Brocade switches chargen Disabled Disabled daytime Disabled Disabled discard Disabled Disabled echo Disabled Disabled ftp Disabled Disabled rexec Block with pa...

Page 193: ... the fabric All switches in the fabric can be accessed through a serial port Zoning No zoning is enabled TABLE 27 Port information Port Type Common use Comment 22 TCP SSH SCP 23 TCP Telnet Use the ipfilter command to block the port 80 TCP HTTP Use the ipfilter command to block the port 111 UDP sunrpc This port is used by Platform API Use the ipfilter command to block the port 123 UDP NTP 161 UDP S...

Page 194: ...194 Fabric OS Administrator s Guide 53 1002745 02 Ports and applications used by switches 6 ...

Page 195: ...cies Used to restrict which Fibre Channel device ports can connect to which Fibre Channel switch ports Switch connection control SCC policy Used to restrict which switches can join with a switch NOTE Run all commands in this chapter by logging in to Administrative Domain AD 255 with the suggested permissions If Administrative Domains have not been implemented log in to AD0 How the ACL policies are...

Page 196: ...re specified by device port WWN switch WWN domain IDs or switch names depending on the policy The valid methods for specifying policy members are listed in Table 28 ACL policy management All policy modifications are temporarily stored in volatile memory until those changes are saved or activated You can create multiple sessions to the switch from one or more hosts It is recommended you make change...

Page 197: ...icy changes You can implement changes to the ACL policies using the secPolicyActivate command This saves the changes to the active policy set and activates all policy changes since the last time the command was issued You cannot activate policies on an individual basis all changes to the entire policy set are activated by the command Until a secPolicySave or secPolicyActivate command is issued all...

Page 198: ... policy and to attach domain 3 ports 1 and 3 WWNs of devices are 11 22 33 44 55 66 77 aa and 11 22 33 44 55 66 77 bb switch admin secpolicyadd DCC_POLICY_abc 11 22 33 44 55 66 77 aa 11 22 33 44 55 66 77 bb 3 1 3 Removing a member from an ACL policy As soon as a policy has been activated the aspect of the fabric managed by that policy is enforced 1 Connect to the switch and log in using an account ...

Page 199: ...y FCS switch in the policy list is not reachable then a backup FCS switch is allowed to modify the policy Once an FCS policy is configured and distributed across the fabric only the Primary FCS switch can perform certain operations Operations that affect fabric wide configuration are allowed only from the Primary FCS switch Backup and non FCS switches cannot perform security zoning and AD operatio...

Page 200: ...annot be deleted from the FCS policy 1 Create the FCS policy using the secPolicyCreate command 2 Activate the policy using the secPolicyActivate command If the command is not entered the changes are lost when the session is logged out 3 To distribute the policies enter the distribute p policy_list d switch_list command to either send the policies to intended domains or enter the distribute p polic...

Page 201: ...ommands 2 Type secPolicyShow Defined FCS_POLICY This displays the WWNs of the current Primary FCS switch and backup FCS switches 3 Type secPolicyFCSMove then provide the current position of the switch in the list and the desired position at the prompts Alternatively enter secPolicyFCSMove From To command From is the current position in the list of the FCS switch and To is the desired position in t...

Page 202: ... switch can initiate the distribution The FCS policy distribution is allowed to be distributed from a switch in the FCS list However if none of the FCS switches in the existing FCS list are reachable receiving switches accept distribution from any switch in the fabric To learn more about how to distribute policies refer to ACL policy distribution to other switches on page 227 Local switch configur...

Page 203: ...e port movements Use the secPolicyDelete command to delete stale DCC policies DCC policy restrictions The following restrictions apply when using DCC policies Some older private loop host bus adaptors HBAs do not respond to port login from the switch and are not enforced by the DCC policy This does not create a security problem because these HBAs cannot contact any device outside of their immediat...

Page 204: ...e the policy enter the secPolicySave command To save and activate the policy enter the secPolicyActivate command If neither of these commands is entered the changes are lost when the session is logged out Example of creating DCC policies To create the DCC policy DCC_POLICY_server that includes device 11 22 33 44 55 66 77 aa and port 1 and port 3 of switch domain 1 switch admin secpolicycreate DCC_...

Page 205: ...y should be created with all the NPIV ports so even if failover occurs the device will be allowed to log in on a different NPIV port Table 33 lists the behavior of the DCC policy with FA PWWNs in the fabric when the DCC policy is created using lockdown support TABLE 33 DCC policy behavior with FA PWWN when created using lockdown support Configuration WWN seen on DCC policy list Behavior when DCC p...

Page 206: ...the extended ISL The following changes A logical switch supports an SCC policy You can configure and distribute an SCC policy on a logical switch SCC enforcement is performed on a ISL based on the SCC policy present on the logical switch For more information on Virtual Fabrics refer to Chapter 10 Managing Virtual Fabrics TABLE 34 DCC policy behavior when created manually with PWWN Configuration WW...

Page 207: ...feature is available in base Fabric OS No license is required FCAP requires the exchange of certificates between two or more switches to authenticate to each other before they form or join a fabric Beginning with Fabric OS v7 0 0 these certificates are no longer issued by Brocade but by a third party which is now the root CA for all of the issued certificates You can use Brocade and third party ce...

Page 208: ...rtual Fabrics considerations If Virtual Fabrics is enabled all AUTH module parameters such as shared secrets and shared switch and device policies are logical switch wide That means you must configure shared secrets and policies separately on each logical switch and the shared secrets and policies must be set on each switch prior to authentication On logical switch creation authentication takes de...

Page 209: ...t with OM permissions for the Authentication RBAC class of commands 2 Enter the authUtil command to set the switch policy mode Example of configuring E_Port authentication The following example shows how to enable Virtual Fabrics and configure the E_Ports to perform authentication using the AUTH policies authUtil command switch admin fosconfig enable vf WARNING This is a disruptive operation that ...

Page 210: ...rmat switch admin authutil authinit 1 1 1 2 Device authentication policy Device authentication policy can also be categorized as an F_Port node port or an HBA authentication policy Fabric wide distribution of the device authentication policy is not supported because the device authentication requires manual interaction in setting the HBA shared secrets and switch shared secrets and most of the HBA...

Page 211: ...of commands 2 Enter the authUtil command to set the device policy mode Example of setting the Device policy to passive mode switch admin authutil policy dev passive Warning Activating the authentication policy requires DH CHAP secrets on both switch and device Otherwise the F port will be disabled during next F port bring up ARE YOU SURE yes y no n no y Device authentication is set to PASSIVE AUTH...

Page 212: ... GROUP TYPE fcap dhchap sha1 md5 0 1 2 3 4 Switch Authentication Policy PASSIVE Device Authentication Policy OFF Setting the authentication protocol 1 Log in to the switch using an account with admin permissions or an account with OM permissions for the Authentication RBAC class of commands 2 Enter the authUtil set a command specifying fcap dhchap or all Example of setting the DH CHAP authenticati...

Page 213: ...2 characters is recommended See Chapter 14 In flight Encryption and Compression for details about in flight encryption NOTE When setting a secret key pair note that you are entering the shared secrets in plain text Use a secure channel for example SSH or the serial console to connect to the switch on which you are setting the secrets Viewing the list of secret key pairs in the current switch datab...

Page 214: ...ch is configured to do DH CHAP it is performed whenever a port or a switch is enabled Warning Please use a secure channel for setting secrets Using an insecure channel is not safe and may compromise secrets Following inputs should be specified for each entry 1 WWN for which secret is being set up 2 Peer secret The secret of the peer that authenticates to peer 3 Local secret The local secret that a...

Page 215: ...the CA certificate is installed install the switch certificate on each switch 7 Update the switch database for peer switches to use third party certificates 8 Use the newly installed certificates by starting the authentication process Generating the key and CSR for FCAP The public private key and CSR has to be generated for the local and remote switches that will participate in the authentication ...

Page 216: ...dmin permissions or an account associated with the chassis role and having OM permissions for the PKI RBAC class of commands 2 Enter the secCertUtil import fcapcacert command and verify the CA certificates are consistent on both local and remote switches switch admin seccertutil import fcapcacert Select protocol ftp or scp scp Enter IP address 10 1 2 3 Enter remote directory myHome jdoe OPENSSL En...

Page 217: ...switch configuration parameter refer to Policy database distribution on page 224 NOTE This is not supported for Access Gateway mode IP Filter policy The IP Filter policy is a set of rules applied to the IP management interfaces as a packet filtering firewall The firewall permits or denies the traffic to go through the IP management interfaces according to the policy rules Fabric OS supports multip...

Page 218: ...count with admin permissions or an account associated with the chassis role and having OM permissions for the IPfilter RBAC class of commands 2 Enter the ipFilter clone command Displaying an IP Filter policy You can display the IP Filter policy content for the specified policy name or all IP Filter policies if a policy name is not specified For each IP Filter policy the policy name type persistent...

Page 219: ...g an account with admin permissions or an account associated with the chassis role and having OM permissions for the IPfilter RBAC class of commands 2 Enter the ipFilter activate command Deleting an IP Filter policy You can delete a specified IP Filter policy Deleting an IP Filter policy removes it from the temporary buffer To permanently delete the policy from the persistent database run ipfilter...

Page 220: ... port number range can be specified According to IANA http www iana org ports 0 to 1023 are well known port numbers ports 1024 to 49151 are registered port numbers and ports 49152 to 65535 are dynamic or private port numbers Well known and registered ports are normally used by servers to accept connections while dynamic port numbers are used by clients For an IP Filter policy rule you can only sel...

Page 221: ...ways allowed to support ICMP echo request and reply on commands like ping and traceroute Action For the action only permit and deny are valid bootps 67 bootpc 68 tftp 69 http 80 kerberos 88 hostnames 101 sunrpc 111 sftp 115 ntp 123 snmp 161 snmp trap 162 https 443 ssmtp 465 exec 512 login 513 shell 514 uucp 540 biff 512 who 513 syslog 514 route 520 timed 525 kerberos4 750 rpcd 897 securerpcd 898 T...

Page 222: ...t ranges is allowed so that management IP traffic initiated from a switch such as syslog radius and ftp is not affected Default policy rules A switch with Fabric OS v6 2 0 or later will have a default IP Filter policy for IPv4 and IPv6 The default IP Filter policy cannot be deleted or changed When an alternative IP Filter policy is activated the default IP Filter policy becomes deactivated Table 3...

Page 223: ...ion NAT server depending on the NAT server configuration the source address in an IP Filter rule may have to be the NAT server address Adding a rule to an IP Filter policy There can be a maximum of 256 rules created for an IP Filter policy The change to the specified IP Filter policy is not saved to the persistent configuration until a save or activate subcommand is run 1 Log in to the switch usin...

Page 224: ...n on page 224 for more information on distributing the IP Filter policy Virtual Fabrics considerations To distribute the IPFilter policy in a logical fabric use the chassisDistribute command Managing filter thresholds Fabric OS v7 1 0 allows you to configure filter thresholds using the fmMonitor command 1 Connect to the switch and log in using an account with admin permissions or an account with O...

Page 225: ...s or rejects distributions of databases from other switches and whether the switch may initiate a distribution Configure the distribution setting to reject when maintaining the database on a per switch basis Table 41 lists the databases supported in Fabric OS v6 2 0 and later switches TABLE 40 Interaction between fabric wide consistency policy and distribution settings Distribution setting Fabric ...

Page 226: ...DATABASE Accept Reject SCC accept DCC accept PWD accept FCS accept AUTH accept IPFILTER accept Fabric Wide Consistency Policy Enabling local switch protection 1 Connect to the switch and log in using an account with admin permissions or an account with OM permissions for the FabricDistribution RBAC class of commands 2 Enter the fddCfg localreject command Disabling local switch protection 1 Connect...

Page 227: ...bution RBAC class of commands 2 Enter the distribute p command Fabric wide enforcement The fabric wide consistency policy enforcement setting determines the distribution behavior when changes to a policy are activated Using the tolerant or strict fabric wide consistency policy ensures that changes to local ACL policy databases are automatically distributed to other switches in the fabric NOTE To c...

Page 228: ... permissions for the FabricDistribution RBAC class of commands 2 Enter the fddCfg fabwideset command Example shows how to set a strict SCC and tolerant DCC fabric wide consistency policy switch admin fddcfg fabwideset SCC S DCC switch admin fddcfg showall Local Switch Configuration for all Databases DATABASE Accept Reject SCC accept DCC accept PWD accept FCS accept AUTH accept IPFILTER accept Fabr...

Page 229: ...e conflicting ACL policy from one side to resolve ACL policy conflict If neither the fabric nor the joining switch is configured with a fabric wide consistency policy there are no ACL merge checks required Under both conflicting conditions secPolicyActivate is blocked in the merged fabric Use the distribute command to explicitly resolve conflicting ACL policies The descriptions above also apply to...

Page 230: ... database you want to use to the switch with the mismatched database Until the conflict is resolved commands such as fddCfg fabwideset and secPolicyActivate are blocked TABLE 44 Examples of strict fabric merges Fabric wide consistency policy setting Expected behavior Fabric A Fabric B Strict Tolerant SCC S DCC S SCC DCC S Ports connecting switches are disabled SCC DCC S SCC S DCC SCC S DCC SCC S S...

Page 231: ...lently authenticate or otherwise masquerade as a valid user Automated Key Management Automates the process as well as manages the periodic exchange and generation of new keys Using the IP secConfig command you must configure multiple security policies for traffic flows on the Ethernet management interfaces based on IPv4 or IPv6 addresses a range of IPv4 or IPv6 addresses the type of application po...

Page 232: ...endpoints and depends on ordinary routing to send packets through the tunnel endpoints for processing Each endpoint would announce the set of addresses behind it and packets would be sent in tunnel mode where the inner IP header would contain the IP addresses of the actual endpoints FIGURE 15 Gateway tunnel configuration Endpoint to gateway tunnel In this scenario a protected endpoint typically a ...

Page 233: ...e this sliding window to provide protection against replay attacks in which an attacker attempts a denial of service attack by replaying an old sequence of packets IP sec protocols assign a sequence number to each packet The recipient accepts each packet only if its sequence number is within the window It discards older packets Security associations A security association SA is the collection of s...

Page 234: ...a1 are used as authentication algorithms Only in ESP 3des_cbc blowfish_cbc aes256_cbc and null_enc are used as encryption algorithms Use Table 46 when configuring the authentication algorithm IP sec policies An IP sec policy determines the security services afforded to a packet and the treatment of a packet in the network An IP sec policy allows classifying IP packets into different traffic flows ...

Page 235: ...ncryption algorithms and the primary authentication method such as preshared keys or a certificate based method such as RSA signatures Key management The IP sec key management supports Internet Key Exchange or Manual key SA entry The Internet Key Exchange IKE protocol handles key management automatically SAs require keying material for authentication and encryption The managing of keying material ...

Page 236: ...iated IP sec policy in the local policy database Manual SA entries are persistent across system reboots Creating the tunnel Each side of the tunnel must be configured in order for the tunnel to come up Once you are logged into the switch do not log off as each step requires that you be logged in to the switch IP sec configuration changes take effect upon execution and are persistent across reboots...

Page 237: ... sec transform on each switch using the IP secConfig add command Example of creating an IP sec transform This example creates an IP sec transform TRANSFORM01 to use the transport mode to protect traffic identified for IP sec protection and use IKE01 as key management policy switch admin IP secconfig add policy ips transform t TRANSFORM01 mode transport sa proposal IP sec AH action protect ike IKE0...

Page 238: ...operands to flush the created SAs in the kernel SADB Example of an end to end transport tunnel mode This example illustrates securing traffic between two systems using AH protection with MD5 and configure IKE with pre shared keys The two systems are a switch BROCADE300 IPv4 address 10 33 74 13 and an external host 10 33 69 132 NOTE A backslash is used to skip the return character so you can contin...

Page 239: ...ips selector t SELECTOR OUT d out l 10 33 74 13 r 10 33 69 132 transform TRANSFORM01 switch admin IP secconfig add policy ips selector t SELECTOR IN d in l 10 33 69 132 r 10 33 74 13 transform TRANSFORM01 10 Verify the IP sec SAs created with IKE using the IP secConfig show manual sa a command 11 Perform the equivalent steps on the remote peer to complete the IP sec configuration Refer to your ser...

Page 240: ...es Use the IP secConfig flush manual sa command with the specified operands to flush the created SAs in the kernel SADB CAUTION Flushing SAs requires IP sec to be disabled and re enabled This operation is disruptive to traffic using the tunnel Notes As of Fabric OS 7 0 0 IP sec no longer supports null encryption null_enc for IKE policies IPv6 policies cannot tunnel IMCP traffic ...

Page 241: ...D enabled switches refer to Chapter 17 Managing Administrative Domains For more information about troubleshooting configuration file uploads and downloads refer to the Fabric OS Troubleshooting and Diagnostics Guide There are two ways to view configuration settings for a switch in a Brocade fabric Issue the configShow all command To display configuration settings connect to the switch log in as ad...

Page 242: ...e Tue Mar 1 15 53 18 2011 FOS version v7 0 0 0 Number of LS 2 Chassis Configuration Begin fcRouting Chassis Configuration LicensesDB Bottleneck Configuration DMM_WWN Licenses Chassis Configuration End date Tue Mar 1 21 28 52 2011 Switch Configuration Begin 0 SwitchName Sprint5100 Fabric ID 128 Boot Parameters Configuration Bottleneck Configuration Zoning Defined Security policies fid To upload the...

Page 243: ... configuration It defines configuration data for chassis components that affect the entire system not just one individual logical switch The chassis section is included in non Virtual Fabric modes only if you use the configUpload all command The chassis section specifies characteristics for the following software components FC Routing Fibre Channel Routing Chassis configuration Chassis configurati...

Page 244: ... Configuration Bottleneck configuration FCoE software configuration Zoning Defined security policies Active security policies iSCSI CryptoDev FICU saved files VS_SW_CONF Banner Configuration file backup Brocade recommends keeping a backup configuration file You should keep individual backup files for all switches in the fabric and avoid copying configurations from one switch to another The configU...

Page 245: ... prompted for the required information 4 Store a soft copy of the switch configuration information in a safe place for future reference Example of configUpload on a switch without Admin Domains switch admin configupload Protocol scp ftp sftp local ftp sftp Server Name or IP Address host 10 1 2 3 User Name user UserFoo Path Filename home dir config txt switchConfig txt Section all chassis FID all c...

Page 246: ...is is harmless to the switch and can be ignored NOTE While it is possible to transfer a Fabric OS 6 4 1 configuration file to a Fabric OS 7 0 0 or later switch it is not possible to transfer a Fabric OS 7 0 0 or later configuration file to a Fabric OS 6 4 1 switch Restrictions This section lists restrictions for some of the options of the configDownload command chassis The number of switches defin...

Page 247: ...sable all logical switches on the affected switch This process bypasses the need to disable and enable each switch individually once the configuration download has completed Non Virtual Fabric configuration files downloaded to a Virtual Fabric system have a configuration applied only to the default switch If there are multiple logical switches created in a Virtual Fabric enabled system there may b...

Page 248: ... that already exist and that use the same FIDs It cannot be used to clone or repair the current switch because the configDownload command cannot create logical switches if they do not exist Restoring a configuration CAUTION Using the SFID parameter erases all configuration information on the logical switch Use the SFID parameter only when the logical switch has no configuration information you wan...

Page 249: ...t switch configDownload operation may take several minutes to complete for large files Do you want to continue y n y Password hidden configDownload complete Example of configDownload with Admin Domains switch AD5 admin configdownload Protocol scp or ftp ftp Server Name or IP Address host 10 1 2 3 User Name user UserFoo Path Filename home dir config txt pub configurations config txt CAUTION This co...

Page 250: ...odel 1 Configure one switch 2 Use the configUpload command to save the configuration information Refer to Configuration file backup on page 244 for more information 3 Run configDefault on each of the target switches and then use the configDownload command to download the configuration file to each of the target switches Refer to Configuration file restoration on page 246 for more information Secur...

Page 251: ...P Address host 10 1 2 3 User Name user anonymous Path Filename home dir config txt 5100_vf txt configUpload complete VF config parameters are uploaded 2009 07 20 09 13 40 LOG 1000 225 SLOT 7 CHASSIS INFO BrocadeDCX Previous message repeated 7 time s 2009 07 20 10 27 14 CONF 1001 226 SLOT 7 FID 128 INFO DCX_80 configUpload completed successfully for VF config parameters Restoring a logical switch c...

Page 252: ...F configuration Do you want to continue y n y output truncated Restrictions The following restrictions apply when using the configUpload or configDownload commands when Virtual Fabrics mode is enabled The vf option is incompatible with the fid sfid or all options Any attempt to combine it with any of the other three will cause the configuration upload or download operation to fail You are not allo...

Page 253: ...kbones there is a guide for FC port setting TABLE 48 Brocade configuration and connection form Brocade configuration settings IP address Gateway address Chassis configuration option Management connections Serial cable tag Ethernet cable tag Configuration information Domain ID Switch name Ethernet IP address Ethernet subnet mask Total number of local devices nsShow Total number of devices in fabric...

Page 254: ...254 Fabric OS Administrator s Guide 53 1002745 02 Brocade configuration form 8 ...

Page 255: ...C8 16 FC8 32 FC8 48 and FC8 64 and the Brocade FC16 32 and FC16 48 blades for 16G capable FC blades AP blades contain extra processors and specialized ports FCOE10 24 FX8 24 and FS8 18 encryption blade CP blades have a control processor CP used to control the entire switch CP blades can be inserted only into slots 6 and 7 on the Brocade DCX or DCX 8510 8 and slots 4 and 5 on the Brocade DCX 4S or ...

Page 256: ...eboots once the firmware upgrade or downgrade is complete In dual CP systems the firmware download process by default sequentially upgrades the firmware image on both CPs using HA failover to prevent disruption to traffic flowing through the Backbone This operation depends on the HA status on the Backbone If the platform does not support HA you can still upgrade the CPs one at a time If you are us...

Page 257: ...n when SSH is selected The switch must be configured to install the private key and then you must export the public key to the remote host Before running the firmwareDownload command you must first configure the SSH protocol to permit passwordless logins for outgoing authentication as described in Configuring outgoing SSH authentication on page 181 Considerations for FICON CUP environments To prev...

Page 258: ... to v7 1 0 is not supported Upgrading a switch from Fabric OS v6 4 x to v7 1 0 is a two step process first upgrade to v7 0 x and then upgrade to v7 1 0 3 Use the configUpload command prior to the firmware download Save the configuration file on your FTP or SSH server or USB memory device on supported platforms 4 Optional For additional support connect the switch to a computer with a serial console...

Page 259: ...When you issue the firmwareDownload command there is an automatic search for the correct package file type associated with the switch Specify only the path up to and including the v7 1 0 directory Connected switches Before you upgrade the firmware on your switch you must check the connected switches to ensure compatibility and that any older versions are supported Refer to the Fabric OS Compatibil...

Page 260: ...irmware download process overview The following list describes the default behavior after you enter the firmwareDownload command without options on Brocade fixed port switches The Fabric OS downloads the firmware to the secondary partition The system performs a high availability reboot haReboot After the haReboot the former secondary partition is the primary partition The system replicates the fir...

Page 261: ...fore proceeding with upgrading this switch Refer to Connected switches on page 259 for details 6 Enter the firmwareDownload command and respond to the prompts NOTE If DNS is enabled and a server name instead of a server IP address is specified in the command line firmwareDownload determines whether IPv4 or IPv6 should be used To be able to mention the FTP server by name you must enter at least one...

Page 262: ... addresses and MAC addresses has changed Backbone firmware download process overview The following summary describes the default behavior of the firmwareDownload command without options on a Backbone After you enter the firmwareDownload command on the active CP blade the following actions occur 1 The standby CP blade downloads firmware 2 The standby CP blade reboots and comes up with the new Fabri...

Page 263: ...t with admin permissions 6 Use the firmwareShow command to check the current firmware version on connected switches Upgrade the firmware if necessary before proceeding with upgrading this switch Refer to Connected switches on page 259 7 Enter the haShow command to confirm that the two CP blades are synchronized In the following example the active CP blade is CP0 and the standby CP blade is CP1 ecp...

Page 264: ... FTP 3 SCP 4 SFTP 1 Password hidden Checking version compatibility Version compatibility check passed The following AP blades are installed in the system Slot Name Versions Traffic Disrupted 2 FS8 18 v7 1 0_main_bld27 Encrypted Traffic 8 FX8 24 v7 1 0_main_bld27 GigE This command will upgrade the firmware on both CPs and all AP blade s above If you want to upgrade firmware on a single CP only plea...

Page 265: ...Download command it must be enabled and mounted as a file system The firmware images to be downloaded must be stored under the relative path from usb usbstorage brocade firmware or use the absolute path in the USB file system Multiple images can be stored under this directory There is a firmwarekey directory where the public key signed firmware is stored When the firmwareDownload command line opti...

Page 266: ...gned or if the signature validation fails firmwareDownload fails To enable or disable FIPS mode refer to Chapter 7 Configuring Security Policies Public and private key management For signed firmware Brocade uses RSA with 1024 bit length key pairs a private key and a public key The private key is used to sign the firmware files when the firmware is generated The public key is packaged in an RPM pac...

Page 267: ...ware flag needs to be disabled If the firmware file has a signature but the validation fails firmware download fails This means the firmware is not from Brocade or the contents have been modified If the firmware file has a signature and the validation succeeds firmware download proceeds normally SAS DMM and third party application images are not signed Configuring a switch for signed firmware 1 Co...

Page 268: ...and then restore the original version of the firmware Testing a new version of firmware in this manner ensures that you do not replace existing firmware because the evaluated version occupies only one partition on the switch ATTENTION When you evaluate new firmware make sure you disable all features that are not supported by the original firmware before restoring to the original version Testing a ...

Page 269: ... switch which completes the firmware download operations 8 Commit the firmware a Enter the firmwareCommit command to update the secondary partition with new firmware Note that it takes several minutes to complete the commit operation b Enter the firmwareShow command to confirm both partitions on the switch contain the new firmware ATTENTION Stop If you have completed step 8 then you have committed...

Page 270: ...ess 2 Enter the ipAddrShow command and note the address of CP0 and CP1 3 Enter the haShow command and note which CP is active and which CP is standby Verify that both CPs are in sync 4 Enter the firmwareShow command and confirm that the current firmware on both partitions on both CPs is listed as expected 5 Exit the session 6 Update the firmware on the standby CP a Connect to the Backbone and log ...

Page 271: ...o the Backbone and log in as admin d Enter the firmwareShow command to confirm that both primary partitions now have the test drive firmware in place You are now ready to evaluate the new version of firmware ATTENTION Stop If you want to restore the firmware stop here and skip ahead to step 12 otherwise continue to step 10 to commit the firmware on both CPs which completes the firmware download 10...

Page 272: ...nute and connect to the Backbone on the new standby CP which is the former active CP b Enter the firmwareRestore command The standby CP reboots and the current Backbone session ends Both partitions have the same Fabric OS after several minutes c Wait five minutes and log in to the Backbone Enter the firmwareShow command and verify that all partitions have the original firmware If an AP blade is pr...

Page 273: ... and status of events during Fabric OS SAS and SA firmware download The event log is created by the current firmwareDownload command and is kept until another firmwareDownload command is issued There is a time stamp associated with each event When downloading SAS or SA in systems with two control processor CP cards you can only run this command on the active CP When downloading Fabric OS the event...

Page 274: ...274 Fabric OS Administrator s Guide 53 1002745 02 Validating a firmware download 9 ...

Page 275: ...logical switch 295 Displaying logical switch configuration 296 Changing the fabric ID of a logical switch 296 Changing a logical switch to a base switch 297 Setting up IP addresses for a Virtual Fabric 298 Removing an IP address for a Virtual Fabric 298 Configuring a logical switch to use XISLs 299 Changing the context to a different logical fabric 299 Creating a logical fabric using XISLs 300 Vir...

Page 276: ...articipates in a single fabric The logical switch feature allows you to divide a physical chassis into multiple fabric elements Each of these fabric elements is referred to as a logical switch Each logical switch functions as an independent self contained FC switch NOTE Each chassis can have multiple logical switches Default logical switch To use the Virtual Fabrics features you must first enable ...

Page 277: ... create a logical switch you must assign it a fabric ID FID The fabric ID uniquely identifies each logical switch within a chassis and indicates to which fabric the logical switch belongs You cannot define multiple logical switches with the same fabric ID within the chassis In Figure 19 on page 278 logical switches 2 3 4 and 5 are assigned FIDs of 1 15 8 and 20 respectively These logical switches ...

Page 278: ...initially has 10 ports labeled P0 through P9 After logical switches are created the ports are assigned to specific logical switches Note that ports 0 1 7 and 8 have not been assigned to a logical switch and so remain assigned to the default logical switch FIGURE 20 Assigning ports to logical switches Logical switch 5 FID 20 Physical chassis Logical switch 1 Default logical switch FID 128 Logical s...

Page 279: ... as are available in the chassis In Figure 20 the chassis has 10 ports You could assign all 10 ports to a single logical switch such as logical switch 2 if you did this however no ports would be available for logical switches 3 and 4 You can move only F_Ports and E_Ports from one logical switch to another If you want to configure a different type of port such as a VE_Port or EX_Port you must confi...

Page 280: ...fabrics FIGURE 22 Logical switches in a single chassis belong to separate fabrics For information on allowing device sharing across fabrics in a Virtual Fabrics environment refer to FC FC routing and Virtual Fabrics on page 606 Logical switch 4 Fabric ID 8 P6 Logical switch 3 Fabric ID 15 P5 P4 Logical switch 2 Fabric ID 1 P3 P2 Logical switch 1 Default logical switch Fabric ID 128 P1 Physical cha...

Page 281: ...perations When a user logs in the user is assigned an active context or active logical switch This context filters the view that the user gets and determines which ports the user can see You can change the active context For example if you are working with logical switch 1 you can change the context to logical switch 5 When you change the context to logical switch 5 you only see the ports that are...

Page 282: ...switches are dedicated ISLs because they carry traffic only for a single logical fabric In Figure 23 Fabric 128 has two switches the default logical switches but they cannot communicate with each other because they have no ISLs between them and they cannot use the ISLs between the other logical switches NOTE Only logical switches with the same FID can form a fabric If you connect two logical switc...

Page 283: ...ed ISL or extended ISL XISL An extended ISL connects base switches The XISL is used to share traffic among different logical fabrics Fabric formation across an XISL is based on the FIDs of the logical switches Figure 25 shows two physical chassis divided into logical switches Each chassis has one base switch An ISL connects the two base switches This ISL is an extended ISL XISL because it connects...

Page 284: ...ISL the logical switches must be configured to allow XISL use By default they are configured to do so you can change this setting however using the procedure described in Configuring a logical switch to use XISLs on page 299 NOTE It is a good practice to configure at least two XISLs for redundancy You can also connect logical switches using a combination of ISLs and XISLs as shown in Figure 27 In ...

Page 285: ... the base fabric maintains connectivity for the logical fabrics Logical ports As shown in Figure 27 logical ISLs are formed to connect logical switches A logical port represents the ports at each end of a logical ISL A logical port is a software construct only and does not correspond to any physical port Most port commands are not supported on logical ports For example you cannot change the state ...

Page 286: ...ounts and assigning FIDs to user accounts Supported platforms for Virtual Fabrics The following platforms are Virtual Fabrics capable Brocade 5100 Brocade 5300 Brocade 6510 Brocade 6520 Brocade 7800 Brocade VA 40FC in Native mode only Brocade DCX Brocade DCX 4S Brocade DCX 8510 family Some restrictions apply to the ports depending on the port type and blade type The following sections explain thes...

Page 287: ...er VE_Ports on the FX8 24 blade are supported on a logical switch that is using an XISL and on the base switch as an XISL NOTE For the FX8 24 blade if XISL use is enabled it is not recommended that you configure VE_Ports on both the logical switch and the base switch because FCIP tunnels support only two hops maximum TABLE 50 Blade and port types supported on logical switches Blade type Default lo...

Page 288: ...Switch Configuration File for more information about how Virtual Fabrics affects the configuration file Encryption Encryption functionality using the FS8 18 blade is available only on the default logical switch FC FC Routing Service All EX_Ports must reside in a base switch You cannot attach EX_Ports to a logical switch that has XISL use enabled You must use ISLs to connect the logical switches in...

Page 289: ...or an FC router In this case if the logical switch is enabled you cannot allow XISL use If the logical switch is disabled or has not yet joined the edge fabric you can allow XISL use however fabric segmentation occurs when the logical switch is enabled or is connected to an edge fabric NOTE Using XISL and fmsmode at the same time is permitted but this combination will only work in a one hop topolo...

Page 290: ...on disruptively on page 450 4 Use the fosConfig command to enable VF mode fosconfig enable vf 5 Enter y at the prompt Example The following example checks whether VF mode is enabled or disabled and then enables it switch admin fosconfig show FC Routing service disabled iSCSI service Service not supported on this Platform iSNS client service Service not supported on this Platform Virtual Fabric dis...

Page 291: ...ration that requires a reboot to take effect Would you like to continue Y N y Configuring logical switches to use basic configuration values All switches in the fabric are configured to use the same basic configuration values When you create logical switches the logical switches might have different configuration values than the default logical switch Use the following procedure to ensure that new...

Page 292: ...you have both a domain ID conflict and a fabric ID conflict only the domain ID conflict is reported Use the following procedure to create a logical switch or a base switch 1 Connect to the physical chassis and log in using an account with the chassis role permission 2 Enter the lsCfg command to create a logical switch lscfg create fabricID base force In the command syntax fabricID is the fabric ID...

Page 293: ...he domain ID will be changed The port level zoning may be affected switch_4 FID4 admin switchenable Executing a command in a different logical switch context This procedure describes how to execute a command for a logical switch while you are in the context of a different logical switch You can also execute a command for all the logical switches in a chassis The command is not executed on those lo...

Page 294: ...t IP Addr FC IP Addr Name 14 fffc0e 10 00 00 05 1e 82 3c 2b 10 32 79 105 0 0 0 0 switch_4 output truncated Deleting a logical switch The following rules apply to deleting a logical switch You must remove all ports from the logical switch before deleting it You cannot delete the default logical switch NOTE If you are in the context of the logical switch you want to delete you are automatically logg...

Page 295: ...ed to the base switch If you are deploying ICLs to connect to default switches that is XISL use is not allowed the ICL ports should be assigned or left in the default logical switch Use the following procedure to add or move ports on a logical switch 1 Connect to the physical chassis and log in using an account with the chassis role permission 2 Enter the lsCfg command to move ports from one logic...

Page 296: ...witch participates By changing the fabric ID you are moving the logical switch from one fabric to another Changing the fabric ID requires permission for chassis management operations You cannot change the FID of your own logical switch context NOTE If you are in the context of the logical switch with the fabric ID you want to change you are automatically logged out when the fabric ID changes To av...

Page 297: ... at a time 3 Configure the switch to not allow XISL use as described in Configuring a logical switch to use XISLs on page 299 4 Enter the lsCfg command to change the logical switch to a base switch lscfg change fabricID base The fabricID parameter is the fabric ID of the logical switch with the attributes you want to change 5 Enable the switch switchenable Example of changing the logical switch wi...

Page 298: ...r a Virtual Fabric NOTE IPv6 is not supported when setting the IPFC interface for Virtual Fabrics Use the following procedure to set up IP addresses for a Virtual Fabric 1 Connect to the switch and log in using an account with admin permissions 2 Enter the ipAddrSet ls command For the add parameter specify the network information in dotted decimal notation for the Ethernet IPv4 address with a Clas...

Page 299: ... command configure 5 Enter y after the Fabric Parameters prompt Fabric parameters yes y no n no y 6 Enter y at the Allow XISL Use prompt to allow XISL use enter n at the prompt to disallow XISL use Allow XISL Use yes y no n y 7 Respond to the remaining prompts or press Ctrl d to accept the other settings and exit Changing the context to a different logical fabric You can change the context to a di...

Page 300: ...led See Enabling Virtual Fabrics mode on page 290 for instructions Enabling Virtual Fabrics automatically creates the default logical switch with FID 128 All ports in the chassis are assigned to the default logical switch c Create a base switch and assign it a fabric ID that will become the FID of the base fabric See Creating a logical switch or base switch on page 292 for instructions on creating...

Page 301: ...gical switch e Optional Configure the logical switch to use XISLs if it is not already XISL capable See Configuring a logical switch to use XISLs on page 299 for instructions By default newly created logical switches are configured to allow XISL use f Repeat step a through step e in all chassis that are to participate in the logical fabric using the same fabric ID whenever two switches need to be ...

Page 302: ...302 Fabric OS Administrator s Guide 53 1002745 02 Creating a logical fabric using XISLs 10 ...

Page 303: ...herwise specified all references to zones in this chapter refer to these regular zones Beyond this Fabric OS has the following types of special zones Broadcast zones Control which devices receive broadcast frames A broadcast zone restricts broadcast packets to only those devices that are members of the broadcast zone See Broadcast zones on page 310 for more information Frame redirection zones Re r...

Page 304: ...device in a zone can communicate only with other devices connected to the fabric within the same zone A device not included in the zone is not available to members of that zone When zoning is enabled devices that are not included in any zone configuration are inaccessible to all other devices in the fabric Zones can be configured dynamically They can vary in size depending on the number of fabric ...

Page 305: ... also accesses tape devices a second zone is created with the HBA and associated tape devices in it In the case of clustered systems it could be appropriate to have an HBA from each of the cluster members included in the zone this is equivalent to having a shared SCSI bus between the cluster members and assumes that the clustering software can manage access to the shared devices In a large fabric ...

Page 306: ...fications RSCNs or errors go out to a larger group than necessary Operating system Zoning by operating system has issues similar to zoning by application In a large site this type of zone can become very large and complex When zone changes are made they typically involve applications rather than a particular server type If members of different operating system clusters can see storage assigned to ...

Page 307: ...s to define all NT hosts in the fabric Zone aliases also simplify repetitive entry of zone objects such as port numbers or a WWN For example you can use the name Eng as an alias for 10 00 00 80 33 3f aa 11 Naming zones for the initiator they contain can also be useful For example if you use the alias SRV_MAILSERVER_SLT5 to designate a mail server in PCI slot 5 then the alias for the associated zon...

Page 308: ... configuration is reinstated on the local switch Zoning enforcement Zoning enforcement describes a set of predefined rules that the switch uses to determine where to send incoming data Fabric OS uses hardware enforced zoning Hardware enforced zoning means that each frame is checked by hardware the ASIC before it is delivered to a zone member and is discarded if there is a zone mismatch When hardwa...

Page 309: ...em Description Type of zoning enforcement frame or session based If security is a priority frame based hardware enforcement is recommended The best way to do this is to use WWN identification exclusively for all zoning configurations Use of aliases The use of aliases is optional with zoning Using aliases requires structure when defining zones Aliases aid administrators of zoned fabrics in understa...

Page 310: ...acket Devices that are not members of the broadcast zone can send broadcast packets even though they cannot receive them A broadcast zone can have domain port WWN and alias members Broadcast zones do not function in the same way as other zones A broadcast zone does not allow access within its members in any way If you want to allow or restrict access between any devices you must create regular zon...

Page 311: ...es member devices 2 1 3 1 and 4 1 Even though 2 1 is a member of AD1 it is not a member of AD2 and so is not added to the consolidated broadcast zone Device 3 1 is added to the consolidated broadcast zone because of its membership in the AD2 broadcast zone When a switch receives a broadcast packet it forwards the packet only to those devices which are zoned with the sender and are also part of the...

Page 312: ...ne configuration The default zoning mode has two options All Access All devices within the fabric can communicate with all other devices No Access Devices in the fabric cannot access any other device in the fabric If a broadcast zone is active even if it is the only zone in the effective configuration the default zone setting is not in effect If the effective configuration has only a broadcast zon...

Page 313: ...will result in different Effective Zoning configurations for switches in the fabric if a zone merge or HA failover happens To avoid inconsistency it is recommended to commit the configurations using the cfgenable command Do you still want to proceed with saving the Defined zoning configuration only yes y no n no y Adding members to an alias Use the following procedure to add a member to an alias 1...

Page 314: ... in the fabric when this command is run the transaction on the other switch is automatically aborted A message displays on the other switches to indicate that the transaction was aborted Example switch admin aliremove array1 1 2 switch admin aliremove array2 21 00 00 20 37 0c 72 51 switch admin aliremove loop1 4 6 switch admin cfgsave WARNING The changes you are attempting to save will render the ...

Page 315: ...ctive Zoning configurations for switches in the fabric if a zone merge or HA failover happens To avoid inconsistency it is recommended to commit the configurations using the cfgenable command Do you still want to proceed with saving the Defined zoning configuration only yes y no n no y Viewing an alias in the defined configuration Use the following procedure to view an alias in the configuration 1...

Page 316: ...cfgshow Defined configuration zone matt 30 06 00 07 1e a2 10 20 3 2 alias bawn 3 5 4 8 alias bolt 10 00 00 02 1f 02 00 01 alias bond 10 00 05 1e a9 20 00 01 3 5 alias brain 11 4 22 1 33 6 alias jake 4 7 8 9 14 11 alias jeff 30 00 00 05 1e a1 cd 02 40 00 00 05 1e a1 cd 04 alias jones 7 3 4 5 alias zeus 4 7 6 8 9 2 Effective configuration No Effective configuration No Access Creating a zone ATTENTIO...

Page 317: ... 1e a1 cd 02 40 00 00 05 1e a1 cd 04 alias jones 7 3 4 5 alias zeus 4 7 6 8 9 2 Effective configuration No Effective configuration No Access Adding devices members to a zone ATTENTION This command will add all zone member aliases that match the aliasname_pattern in the zone database to the specified zone Use the following procedure to add members to a zone 1 Connect to the switch and log in using ...

Page 318: ...permissions 2 Enter the zoneRemove command using either of the following syntaxes zoneremove zonename member member zoneremove zonename aliasname_pattern members NOTE This command supports partial pattern matching wildcards of zone member aliases This allows you to remove multiple aliases that match the aliasname_pattern in the command line 3 Enter the cfgSave command to save the change to the def...

Page 319: ... and the second is the new member These inputs can only be in either the format of WWN or of D I Use the following procedure to replace members in a zone 1 Connect to the switch and log in using an account with admin permissions 2 Enter the zoneObjectReplace command using the following syntax zoneobjectreplace old wwn D I new wwn D I NOTE This command does not support partial pattern matching wild...

Page 320: ...rictions In order to make a configuration change effective a cfgEnable command should be issued after the zoneObjectReplace command Otherwise the changes will be in the transaction buffer but not committed Only members of regular zones and aliases those identified using either D I or WWN can be replaced using zoneObjectReplace The zoneObjectReplace command is not applicable for Frame Redirect FR a...

Page 321: ... alias zeus 4 7 6 8 9 2 Effective configuration No Effective configuration No Access switch admin switch admin zonedelete sloth switch admin cfgsave WARNING The changes you are attempting to save will render the Effective configuration and the Defined configuration inconsistent The inconsistency will result in different Effective Zoning configurations for switches in the fabric if a zone merge or ...

Page 322: ...lect the changes made to the zone database A new zone is added or an existing zone is deleted or a zone member is added deleted or any other valid zone database entity is modified the following notation is used An asterisk at the start indicates a change in that zone zone configuration alias or any other entity in the zone database A before any entity an alias or a zone name or a configuration ind...

Page 323: ...21 00 00 20 37 0c 76 22 21 00 00 20 37 0c 76 28 Effective configuration cfg fabric_cfg zone Blue_zone 1 1 21 00 00 20 37 0c 76 8c 21 00 00 20 37 0c 71 02 1 2 Example cfgShow transdiffsonly output for the example above switch admin cfgshow transdiffsonly zone green_zone 1 1 1 2 6 15 zone red_zone 5 1 4 2 switch admin Validating a zone Use the following procedure to validate a zone 1 Connect to the ...

Page 324: ...zone members that are not enforceable would be expunged in the transaction buffer This pruning operation always happens on the transaction and defined buffers You cannot specify a mode option or specify a zone object as an argument with the f option This mode flag should be used after the zone has been validated Inconsistencies between the Defined and Effective Zone Databases If you edit zone obje...

Page 325: ...nfiguration cfg cfg1 zone1 zone2 zone zone1 10 00 00 00 00 00 00 01 10 00 00 00 00 00 00 02 zone zone2 1 1 1 2 Effective configuration cfg cfg1 zone zone1 10 00 00 00 00 00 00 01 10 00 00 00 00 00 00 02 zone zone2 1 1 1 2 switch admin zoneadd zone1 10 00 00 00 00 00 00 03 switch admin cfgsave WARNING The changes you are attempting to save will render the Effective configuration and the Defined con...

Page 326: ... mode is All Access and you have more than 120 devices in the fabric Admin Domain considerations If you want to use Admin Domains you must set the default zoning mode to No Access prior to setting up the Admin Domains You cannot change the default zoning mode to All Access if user specified Admin Domains are present in the fabric Setting the default zoning mode NOTE You should not change the defau...

Page 327: ...r the defined configuration and it is determined by the amount of flash memory available for storing the defined configuration Use the cfgSize command to display the zone database size The supported maximum zone database size is 2 MB for systems running only Brocade DCX DCX 4S and DCX 8520 platforms The presence of any other platform reduces the maximum zone database size to 1MB Virtual Fabric con...

Page 328: ... database size is 4 bytes even if the zone database is empty For important considerations for managing zoning in a fabric and more details about the maximum zone database size for each version of the Fabric OS see Zone database size on page 327 If you create or make changes to a zone configuration you must enable the configuration for the changes to take effect Creating a zone configuration Use th...

Page 329: ...ons using the cfgenable command Do you still want to proceed with saving the Defined zoning configuration only yes y no n no y Removing zones members from a zone configuration Use the following procedure to remove members from a zone configuration 1 Connect to the switch and log in using an account with admin permissions 2 Enter the cfgRemove command using the following syntax cfgremove cfgname me...

Page 330: ... When you disable the current zone configuration the fabric returns to non zoning mode All devices can then access each other or not depending on the default zone access mode setting NOTE If the default zoning mode is set to All Access and more than 120 devices are connected to the fabric you cannot disable the zone configuration because this would enable All Access mode and cause a large number o...

Page 331: ...ly yes y no n no y Abandoning zone configuration changes Enter the cfgTransAbort command When this command is executed all changes since the last save operation performed with the cfgSave cfgEnable or cfgDisable command are cleared Example assuming that the removal of a member from zone1 was done in error switch admin zoneremove zone1 3 5 switch admin cfgtransabort Viewing all zone configuration i...

Page 332: ...ation 1 Connect to the switch and log in using an account with admin permissions 2 Enter the cfgShow command and specify a pattern cfgshow pattern mode Example Displaying all zone configurations that start with Test switch admin cfgshow Test cfg Test1 Blue_zone cfg Test_cfg Purple_zone Blue_zone Viewing the configuration in the effective zone database Use the following procedure to view the config...

Page 333: ...to disable and clear the zone configuration in nonvolatile memory for all switches in the fabric Zone object maintenance The following procedures describe how to copy delete and rename zone objects Depending on the operation a zone object can be a zone member a zone alias a zone or a zone configuration Copying a zone object When you copy a zone object the resulting object has the same name as the ...

Page 334: ...og in using an account with admin permissions 2 Enter the cfgShow command to view the zone configuration objects you want to delete switch admin cfgShow Defined configuration cfg USA_cfg Purple_zone White_zone Blue_zone zone Blue_zone 1 1 array1 1 2 array2 zone Purple_zone 1 0 loop1 zone White_zone 1 3 1 4 alias array1 21 00 00 20 37 0c 76 8c 21 00 00 20 37 0c 71 02 alias array2 21 00 00 20 37 0c ...

Page 335: ...fgShow to view the zone configuration objects you want to rename switch admin cfgShow Defined configuration cfg USA_cfg Purple_zone White_zone Blue_zone zone Blue_zone 1 1 array1 1 2 array2 zone Purple_zone 1 0 loop1 zone White_zone 1 3 1 4 alias array1 21 00 00 20 37 0c 76 8c 21 00 00 20 37 0c 71 02 alias array2 21 00 00 20 37 0c 76 22 21 00 00 20 37 0c 76 28 alias loop1 21 00 00 20 37 0c 76 85 2...

Page 336: ...g to all other switches in the secure fabric All existing interfaces can be used to administer zoning You must perform zone management operations from the primary FCS switch using a zone management interface such as Telnet or Web Tools You can alter a zone database provided you are connected to the primary FCS switch When two secure fabrics join the traditional zone merge does not occur Instead a ...

Page 337: ...o be propagated throughout the fabric If you have implemented default zoning you must set the switch you are adding into the fabric to the same default zone mode setting as the rest of the fabric to avoid segmentation Merging rules Observe these rules when merging zones Local and adjacent configurations If the local and adjacent zone database configurations are the same they will remain unchanged ...

Page 338: ...ations that are enabled are different in each fabric Type mismatch The name of a zone object in one fabric is used for a different type of zone object in the other fabric Content mismatch The definition of a zone object in one fabric is different from the definition of zone object with the same name in the other fabric Zone Database Size If the zone database size exceeds the maximum limit of anoth...

Page 339: ...me defined configuration Neither have an effective configuration defined cfg1 zone1 ali1 ali2 effective none defined cfg1 zone1 ali1 ali2 effective none No change clean merge Switch A and Switch B have the same defined and effective configuration defined cfg1 zone1 ali1 ali2 effective cfg1 defined cfg1 zone1 ali1 ali2 effective cfg1 No change clean merge Switch A does not have a defined configurat...

Page 340: ...cfg2 zone2 ali3 ali4 Fabric segments due to Zone Conflict cfg mismatch Configuration content mismatch defined cfg1 zone1 ali1 ali2 effective irrelevant defined cfg1 zone1 ali3 ali4 effective irrelevant Fabric segments due to Zone Conflict content mismatch TABLE 57 Zone merging scenarios Different names Description Switch A Switch B Expected results Same content different effective cfg name defined...

Page 341: ...zones TABLE 59 Zone merging scenarios Default access mode Description Switch A Switch B Expected results Different default zone access mode settings defzone allaccess defzone noaccess Clean merge noaccess takes precedence and defzone configuration from Switch B propagates to fabric defzone noaccess Same default zone access mode settings defzone allaccess defzone allaccess Clean merge defzone confi...

Page 342: ...is fabric no message is shown Example of what is shown if there is not a pending zoning transaction in the fabric sw0 FID128 admin zonecreate z7 4 5 10 3 sw0 FID128 admin Similarly for cfgSave and cfgEnable u30 FID128 admin cfgenable cfg You are about to enable a new zoning configuration This action will replace the old zoning configuration with the current configuration selected If the update inc...

Page 343: ... want to save the Defined zoning configuration only yes y no n no n Viewing zone database transactions You can use the cfgTransShow command to list all the domains in the fabric with open transactions Syntax cfgTransShow opentrans help Sample output switch admin cfgtransshow Current transaction token is 0x571010459 It is abortable switch admin cfgtransshow help Usage cfgTransShow Displays local op...

Page 344: ...344 Fabric OS Administrator s Guide 53 1002745 02 Concurrent zone transactions 11 ...

Page 345: ...ou to control the flow of interswitch traffic by creating a dedicated path for traffic flowing from a specific set of source ports N_Ports For example you might use Traffic Isolation Zoning for the following scenarios To dedicate an ISL to high priority host to target traffic To force high volume low priority traffic onto a given ISL to limit the effect on the fabric of this high traffic pattern T...

Page 346: ...zone command to create and manage TI zones Refer to the Fabric OS Command Reference for details about the zone command TI zone failover A TI zone can have failover enabled or disabled Disable failover if you want to guarantee that TI zone traffic uses only the dedicated path and that no other traffic can use the dedicated path Enable failover if you want traffic to have alternate routes if either ...

Page 347: ...d through E_Ports 1 1 and 3 9 that traffic continues through E_Ports 3 12 and 4 7 even though the non dedicated ISL between domains 3 and 4 is not broken Additional considerations when disabling failover If failover is disabled be aware of the following considerations This feature is intended for use in simple linear fabric configurations such as that shown in Figure 31 on page 346 Ensure that the...

Page 348: ...e steps are listed in the procedures in this section It is recommended that TI zone definitions and regular zone definitions match Domain controller frames can use any path between switches Disabling failover does not affect Domain Controller connectivity For example in Figure 32 if failover is disabled Domain 2 can continue to send domain controller frames to Domain 3 and 4 even though the path b...

Page 349: ...locked because it cannot use the dedicated ISL which is the lowest cost path For example in Figure 33 there is a dedicated path between Domain 1 and Domain 3 and another non dedicated path that passes through Domain 2 If failover is enabled all traffic will use the dedicated path because the non dedicated path is not the shortest path If failover is disabled non TI zone traffic is blocked because ...

Page 350: ...e called enhanced TI zones ETIZ Figure 35 shows an example of two TI zones Because these TI zones have an overlapping port 3 8 they are enhanced TI zones FIGURE 35 Enhanced TI zones Enhanced TI zones are especially useful in FICON fabrics See the FICON Administrator s Guide for example topologies using enhanced TI zones See Additional configuration rules for enhanced TI zones on page 358 for more ...

Page 351: ...o paths from a local port port 8 on Domain 3 to two or more devices on the same remote domain ports 1 and 4 on Domain 1 The TI zones are enhanced TI zones because they have an overlapping member 3 8 Each zone describes a different path from the Target to Domain 1 Traffic is routed correctly from Host 1 and Host 2 to the Target however traffic from the Target to the Hosts might not be Traffic from ...

Page 352: ...ed features such as tape pipelining require the request and corresponding response traffic to traverse the same VE_Port tunnel across the metaSAN To ensure that the request and response traverse the same VE_Port tunnel you must set up Traffic Isolation zones in the edge and backbone fabrics Set up a TI zone in an edge fabric to guarantee that traffic from a specific device in that edge fabric is r...

Page 353: ...ilover is enabled and the TI path is not available an alternate path is used If failover is disabled and the TI path is not available then devices are not imported NOTE For TI over FCR all switches in the backbone fabric and in the edge fabrics must be running Fabric OS v6 1 0 or later Edge fabric 1 Edge fabric 2 Backbone fabric Dedicated path set up by TI zone in edge fabric 1 Dedicated path set ...

Page 354: ...nt and xlate phantom switches you must use 1 in place of the I in the D I notation Both the front and xlate domains must be included in the TI zone Using D I notation the members of the TI zone in Figure 39 are 1 8 1 1 3 1 E_Port for the front phantom domain 4 1 E_Port for the xlate phantom domain NOTE In this configuration the traffic between the front and xlate domains can go through any path be...

Page 355: ...es that are to communicate across fabrics You can use the portShow command to obtain the port WWN Port WWNs should be used only in TI zones within a backbone fabric and should not be used in other TI zones Using D I and port WWN notation the members of the TI zone in Figure 40 are 1 1 EX_Port for FC router 1 1 4 VE_Port for FC router 1 2 7 VE_Port for FC router 2 2 1 EX_Port for FC router 2 10 00 ...

Page 356: ...fabric should not be configured in different TI zones This configuration is not supported General rules for TI zones The following general rules apply to TI zones A TI zone must include E_Ports and N_Ports that form a complete end to end route from initiator to target When an E_Port is a member of a TI zone that E_Port cannot have its indexed swapped with another port A given E_Port used in a TI z...

Page 357: ...s not added to the TI zone with failover disabled Also a CLI zone showTItrunkerrors is provided to check if all ports per switch in a TI zone are proper This will help you identify missing trunk members and take corrective actions Example RASlog message when any port in a trunk group is not in the TI zone SW82 FID128 admin zone ZONE 1061 620 181 FID 128 WARNING sw0 Some trunk members are missing f...

Page 358: ...isrupt fabric operation in switches running earlier firmware versions TI over FCR is not backward compatible with Fabric OS v6 0 x or earlier The 1 in the domain index entries causes issues to legacy switches in a zone merge Firmware downgrade is prevented if TI over FCR zones exist Additional configuration rules for enhanced TI zones Enhanced TI zones ETIZ have the following additional configurat...

Page 359: ...embers in TI zone 4 5 Trunk members not in TI zone 6 TI Zone Name loop E Port Trunks Trunk members in TI zone 0 Trunk members not in TI zone 1 TI Zone Name operand E Port Trunks Trunk members in TI zone 8 Trunk members not in TI zone 9 10 E Port Trunks Trunk members in TI zone 16 Trunk members not in TI zone 17 18 Limitations and restrictions of Traffic Isolation Zoning The following limitations a...

Page 360: ... is unpredictable When you merge two switches if there is an effective configuration on the switches and TI zones are present on either switch the TI zones are not automatically activated after the merge Check the TI zone enabled status using the zone show command and if the TI Zone Enabled status does not match across switches issue the cfgEnable command Use care when creating TI zones on ICL por...

Page 361: ...hes The TI zone in the logical fabric includes the extended XISL XISL port numbers as well as the F_Ports and ISLs in the logical fabric The TI zone in the base fabric reserves XISLs for a particular logical fabric The base fabric TI zone should also include ISLs that belong to logical switches participating in the logical fabric Figure 42 shows an initiator and target in a logical fabric FID1 The...

Page 362: ...g D I notation the port numbers for the TI zones in the logical fabric and base fabric are as follows Notice that the base fabric zone contains a reference to port 1 3 even though the base switch with domain 1 does not have a port 3 in the switch This number refers to the port in the chassis with port index 3 which actually belongs to LS3 in FID 1 Port members for the TI zone in logical fabric Por...

Page 363: ...r TI zones over FC routers in logical fabrics Figure 46 shows a logical representation of the configuration in Figure 45 This SAN is similar to that shown in Figure 38 on page 353 and you would set up the TI zones in the same way as described in Traffic Isolation Zoning over FC routers on page 352 FIGURE 46 Logical representation of TI zones over FC routers in logical fabrics Dedicated Path Base s...

Page 364: ... the route might be missing for ports in that TI zone You can use the topologyShow command to verify the paths Ensure that sufficient non dedicated paths through the fabric exist for all devices that are not in a TI zone otherwise these devices might become isolated See TI zone failover on page 346 for information about disabling failover mode Use the following procedure to create a TI zone If you...

Page 365: ...t settings switch admin zone create t ti bluezone p 1 1 1 8 2 1 3 1 To create a TI zone in the backbone fabric with failover enabled and the state set to activated default settings switch admin zone create t ti backbonezone p 10 00 00 04 1f 03 16 f2 1 1 1 4 2 7 2 1 10 00 00 04 1f 03 18 f1 10 00 00 04 1f 04 06 e2 To create TI zones in a logical fabric such as the one shown in Figure 43 on page 362 ...

Page 366: ...lover disabled If all of your TI zones are failover enabled skip to step 5 a Change the failover option to failover enabled This is a temporary change to avoid frame loss during the transition zone add o f name b Enable the zones cfgenable current_effective_configuration c Reset the failover option to failover disabled Then continue with step 4 zone add o n name 5 Enter the cfgEnable command to re...

Page 367: ... 1 Connect to the switch and log in using an account with admin permissions 2 Enter one of the following commands depending on how you want to modify the TI zone Enter the zone add command to add ports or change the failover option for an existing TI zone You can also activate or deactivate the zone zone add o optlist name p portlist zone add o optlist name p portlist Enter the zone remove command...

Page 368: ...ted Changing the state does not activate or deactivate the zone After you change the state of the TI zone you must enable the current effective configuration to enforce the change The TI zone must exist before you can change its state 1 Connect to the switch and log in using an account with admin permissions 2 Perform one of the following actions To activate a TI zone enter the zone activate comma...

Page 369: ... bluezone Remember that your changes are not enforced until you enter the cfgEnable command Displaying TI zones Use the zone show command to display information about TI zones This command displays the following information for each zone Zone name E_Port members N_Port members Configured status the latest status which may or may not have been activated by cfgEnable Enabled status the status that h...

Page 370: ...e the following procedure to generate a report of existing and potential problems with TI zones The report displays an error type ERROR indicates a problem currently exists in the fabric WARNING indicates that there is not currently a problem given the current set of online devices and reachable domains but given the activated TI zone configuration parallel exclusive paths between a shared device ...

Page 371: ...If several dedicated paths are set up across the FC router the TI zones for each path can have the same name 1 In each edge fabric set up an LSAN zone that includes Host 1 Target 1 and Target 2 so these devices can communicate with each other See Chapter 24 Using FC FC Routing to Connect Fabrics for information about creating LSAN zones 2 Log in to the edge fabric 1 and set up the TI zone a Enter ...

Page 372: ...f the update includes changes to one or more traffic isolation zones the update may result in localized disruption to traffic on ports associated with the traffic isolation zone changes Do you want to enable cfg_TI configuration yes y no n no y zone config cfg_TI is in effect Updating flash 3 Log in to the edge fabric 2 and set up the TI zone a Enter the fabricShow command to display the switches ...

Page 373: ...ands to create and display a TI zone BB_DCX_1 admin zone create t ti TI_Zone1 p 1 9 1 1 2 4 2 7 10 00 00 00 00 08 00 00 10 00 00 00 00 02 00 00 10 00 00 00 00 03 00 00 BB_DCX_1 admin zone show Defined TI zone configuration TI Zone Name TI_Zone1 Port List 1 9 1 1 2 4 2 7 10 00 00 00 00 08 00 00 10 00 00 00 00 02 00 00 10 00 00 00 00 03 00 00 Status Activated Failover Enabled b Enter the following c...

Page 374: ...374 Fabric OS Administrator s Guide 53 1002745 02 Setting up TI over FCR sample procedure 12 ...

Page 375: ...ce bottlenecks as the traffic backs up The bottleneck detection feature enables you to do the following Prevent degradation of throughput in the fabric The bottleneck detection feature alerts you to the existence and locations of devices that are causing latency If you receive alerts for one or more F_Ports use the CLI to check whether these F_Ports have a history of bottlenecks Reduce the time it...

Page 376: ...es at the offered rate because the offered rate is greater than the physical data rate of the line For example this condition can be caused by trying to transfer data at 8 Gbps over a 4 Gbps ISL You can use the bottleneckMon command to configure separate alert thresholds for congestion and latency bottlenecks Advanced settings allow you to refine the criterion for defining latency bottleneck condi...

Page 377: ...ly on the following port types E_Ports EX_Ports F_Ports FL_Ports F_Port and E_Port trunks are supported Long distance E_Ports are supported FCoE F_Ports are supported Bottleneck detection is supported on 4 Gbps 8 Gbps and 16 Gbps platforms including 10 Gbps speeds Bottleneck detection is supported in Access Gateway mode Bottleneck detection is supported whether Virtual Fabrics is enabled or disabl...

Page 378: ...on which bottleneck detection is enabled is moved out of a logical switch any per port configurations are retained by the logical switch The per port configuration does not propagate outside of the logical switch If the port is returned to the logical switch the previous per port configurations are automatically set for the port See Changing bottleneck detection parameters on page 384 for more inf...

Page 379: ... reset will automatically be performed assuming that this option was enabled See Enabling back end credit loss detection and recovery below for details on enabling this feature For the third credit loss method described above a link reset will be automatically performed if complete credit loss on a VC is detected A manual link reset option using the bottleneckmon command is also available See Enab...

Page 380: ...only on back end ports of 4G 8G and 16G Capable FC platforms for blades in the Brocade DCX DCX 4S DCX 8510 8 and DCX 8510 4 chassis Enabling bottleneck detection on a switch Enabling bottleneck detection permits both latency and congestion detection Bottleneck detection is enabled on a switch basis It is recommended that you enable bottleneck detection on every switch in the fabric If you later ad...

Page 381: ...Connect to the switch and log in using an account with admin permissions 2 Enter the bottleneckmon status command to display the details of bottleneck detection configuration for the switch which includes the following Whether the feature is enabled Switch wide parameters Per port overrides if any Excluded ports The initials in the section Per port overrides for alert parameters indicate which ale...

Page 382: ...alert 300 seconds Quiet time for alert 300 seconds Per port overrides for alert parameters Port Alerts LatencyThresh CongestionThresh Time s QTime s 1 Y 0 100 0 800 300 300 2 C 0 800 600 600 3 L 0 100 300 300 4 N NOTE If there are no per port overrides then that section is not displayed Setting bottleneck detection alerts You can configure Fabric OS to log per port alerts based on the latency and ...

Page 383: ...ngestion bottleneck For the same time window 25 of the seconds 3 out of 12 seconds are affected by latency This exceeds the threshold of 10 so an alert would be generated for a latency bottleneck Setting both a congestion alert and a latency alert Entering the bottleneckmon enable alert command enables both alerts using the default alert values Example of setting an alert for both congestion and l...

Page 384: ...ttleneckmon status Bottleneck detection Enabled Switch wide sub second latency bottleneck criterion Time threshold 0 800 Severity threshold 50 000 Switch wide alerting parameters Alerts Latency only Latency threshold for alert 0 100 Averaging time for alert 300 seconds Quiet time for alert 300 seconds Changing bottleneck detection parameters When you enable bottleneck detection you can configure s...

Page 385: ...Examples of applying and changing bottleneck detection parameters The following examples show not just how to change various bottleneck detection parameters but how the changes made are retained when the next set of changes is made For each example after the configuration command is run the bottleneckMon status command is run to show the new settings which are bolded just for the examples Example ...

Page 386: ...criterion Time threshold 0 800 Severity threshold 50 000 Switch wide alerting parameters Alerts Yes Latency threshold for alert 0 200 Congestion threshold for alert 0 700 Averaging time for alert 200 seconds Quiet time for alert 150 seconds Per port overrides for alert parameters Port Alerts LatencyThresh CongestionThresh Time s QTime s 46 N Example 4 Selecting latency only alerts and changing the...

Page 387: ...47 switch admin bottleneckmon status Bottleneck detection Enabled Switch wide sub second latency bottleneck criterion Time threshold 0 800 Severity threshold 50 000 Switch wide alerting parameters Alerts Yes Latency threshold for alert 0 200 Congestion threshold for alert 0 700 Averaging time for alert 200 seconds Quiet time for alert 150 seconds Per port overrides for alert parameters Port Alerts...

Page 388: ...sh 0 8 time 30 qtime 60 alert latency switch admin Notes Alert related parameters can only be specified with config when alert is specified This is because noalert is assumed if alert is not specified and noalert cancels all alert related parameters As long as you want alerts you must include the exact form of alert alert alert congestion or alert latency in every config operation even if alerts a...

Page 389: ...ks and not congestion bottlenecks When you enable bottleneck detection you can specify switch wide sub second latency criterion parameters After you enable bottleneck detection you can change the sub second latency criterion parameters only on a per port basis You cannot change them on the entire switch as you can with alerting parameters unless you disable and then re enable bottleneck detection ...

Page 390: ...ck detection on a switch on page 392 for more information on this command NOTE Excluding the master port excludes the entire trunk even if individual slave ports are not excluded switch admin bottleneckmon exclude 7 switch admin bottleneckmon status Bottleneck detection Enabled Switch wide sub second latency bottleneck criterion Time threshold 0 800 Severity threshold 50 000 Switch wide alerting p...

Page 391: ... statistics for a single port bottleneck statistics for all ports on the switch or a list of ports affected by bottleneck conditions Continuously update the displayed data with fresh data Use the following procedure to display the bottleneck statistics 1 Connect to the switch and log in using an account with admin permissions 2 Enter the bottleneckmon show command Example of displaying the bottlen...

Page 392: ...uded ports and non default values of alerting parameters Use the following procedure to disable bottleneck detection 1 Connect to the switch and log in using an account with admin permissions 2 Enter the bottleneckmon disable command to disable bottleneck detection on the switch switch admin bottleneckmon disable Example of disabling bottleneck detection on a switch switch admin bottleneckmon disa...

Page 393: ...ed for all ports on a switch NOTE The in flight encryption and compression features are supported for any port speed but only on 16G capable E_Ports and EX_Ports on the Brocade 6510 and 6520 switches and the Brocade DCX 8510 Backbone family The purpose of encryption is to provide security for frames while they are in flight between two switches The purpose of compression is for better bandwidth us...

Page 394: ...is supported Non FCP data frames are of Type 0x8 Non FCP frames with ELS BLS R_CTL 0x2 R_CTL 0x8 are not supported NOTE No license is needed to configure and enable in flight encryption or compression Encryption and compression restrictions Configuration is dynamic based on port speed See Table 62 on page 395 for specific details about the number of ports supported for encryption and compression P...

Page 395: ...h works correctly Key Entry limitations The current encryption supports the AES GCM authenticated encryption block cipher mode A key Initial Vector IV segment number and Salt are required to encrypt the data before it is transmitted and to decode the data after it is received on the other end of the link TABLE 62 Number of ports supported per chip or per trunk Blades FC16 32 FC16 48 1 1 For port b...

Page 396: ...ured for encryption authentication is performed and the keys needed for encryption are generated The encryption feature is enabled if authentication is successful If authentication fails then the ports are segmented You can also decommission any port that has in flight encryption compression enabled See Port decommissioning on page 90 for details on decommissioning ports Encryption and compression...

Page 397: ...ling the compression configuration on port 2 switch admin portcfgcompress enable 2 Example Disabling the compression configuration on port 2 switch admin portcfgcompress disable 2 portCfgEncrypt The portCfgEncrypt command allows you to enable or disable encryption on the specified port Usage portCfgEncrypt action slot port Example Enabling the encryption configuration for port 2 switch admin portc...

Page 398: ...l HMAC SHA 512 algorithm to generate the keys These encryption keys never expire While the port remains online the keys generated for the port remain the same When a port is disabled segmented or taken offline a new set of keys is generated when the port is enabled again All members of a trunk group use the same set of keys as the master port Slave ports do not exchange keys If the master port goe...

Page 399: ...nce for details on using these commands Configuring encryption and compression On a given ISL between two 16 Gbps E_Ports or EX_Ports you can configure each port for encryption compression or both Your encryption and compression settings must match at either end of the ISL Port segmentation will occur during port initialization if these configurations do not match Before configuring a port for enc...

Page 400: ...ortCfgEncrypt command to enable encryption on the port This step fails if you try to exceed the number of allowable ports available for encryption or compression on the ASIC 4 Use the portCfgCompress command to enable compression on the port This step fails if you try to exceed the number of allowable ports available for encryption or compression on the ASIC Following successful port initializatio...

Page 401: ...ose For bladed switches use the switchShow command to determine the slot number of a specific user port switch admin portenccompshow User Encryption Compression Config Port configured Active configured Active Speed 17 No No No No 4G 18 No No No No 4G 19 No No No No 4G 20 No No No No 4G 21 No No No No 4G 22 No No No No 4G 23 No No No No 4G 144 No No No No 4G 145 No No No No 4G 146 No No No No 4G 14...

Page 402: ...e details on this command Example Port speed change failure switch portenccompshow User Encryption Compression Config Port configured Active Configured Active Speed 0 No No Yes No 4G 1 No No Yes No 4G 2 No No Yes No 8G 3 No No Yes No 16G 4 No No Yes No 16G switch portcfgspeed 1 0 Configuration for port 1 failed as it exceeds current supported capacity Compression ratios and encryption compression ...

Page 403: ...secauthsecret set When prompted enter the WWN for the local switch and secret strings for the local switch and the remote switch NOTE When setting a secret key pair you are entering the shared secrets in plain text Use a secure channel such as SSH or the serial console to connect to the switch on which you are setting the secrets 3 Enter the authUtil command to set the switch policy mode to Active...

Page 404: ...n a Brocade 6510 switch switch admin portcfgencrypt enable 21 The following example enables encryption on port 15 of an FC16 32 blade in slot 9 of an enterprise class platform switch admin portcfgencrypt enable 9 15 4 Enable the port with the portEnable command After manually enabling the port the new configuration becomes active Configuring compression NOTE Before performing this procedure it is ...

Page 405: ... 32 blade in slot 9 of an enterprise class platform switch admin portcfgencrypt disable 9 15 4 Enable the port with the portEnable command After enabling the port the new configuration becomes active Disabling compression To disable compression on a port follow these steps 1 Connect to the switch and log in using an account with admin permissions or an account with OM permissions for the SwitchPor...

Page 406: ...CX to a port on a Brocade 6510 switch named myswitch Table 63 identifies each end of the ISL connection by device name device WWN and port number The examples below include the following procedures Setting up authentication to permit secret key generation Generating a secret key Enabling encryption Enabling compression Disabling encryption Disabling compression TABLE 63 Example ISL connections Ent...

Page 407: ...et a dhchap Authentication is set to dhchap myswitch admin authutil set g 4 DH Group was set to 4 Secret Key setup Next you set a secret key For this you need to get the WWN of the peer switch myswitch admin secauthsecret set This command is used to set up secret keys for the DH CHAP authentication The minimum length of a secret key is 8 characters and maximum 40 characters Setting up secret keys ...

Page 408: ...Authentication Policy OFF myswitch admin Enabling encryption Next you enable encryption on port 0 Note that the first attempt fails because the port is currently enabled This example uses the portCfgShow command to check the result Notice that the output shows encryption to be enabled on the port myswitch admin portcfgencrypt enable 0 Please disable port to configure Encryption Compression myswitc...

Page 409: ...rtcfgcompress enable 0 Turning ON Compression on port 0 will cause the port to be disabled during next LOGIN myswitch admin portenable 0 myswitch admin portcfgshow 0 Area Number 0 Octet Speed Combo 3 16G 10G Speed Level AUTO SW AL_PA Offset 13 OFF Trunk Port ON Long Distance OFF VC Link Init OFF Locked L_Port OFF Locked G_Port OFF Disabled E_Port OFF Locked E_Port OFF ISL R_RDY Mode OFF RSCN Suppr...

Page 410: ...switch admin portenable 0 Example Using the portCfgShow command to check the results myswitch admin portcfgshow 0 Area Number 0 Octet Speed Combo 3 16G 10G Speed Level AUTO SW AL_PA Offset 13 OFF Trunk Port ON Long Distance OFF VC Link Init OFF Locked L_Port OFF Locked G_Port OFF Disabled E_Port OFF Locked E_Port OFF ISL R_RDY Mode OFF RSCN Suppressed OFF Persistent Disable OFF LOS TOV enable OFF ...

Page 411: ...nd long distance enabled It also works with the VC_RDY and EXT_VC_RDY flow control modes Encryption and compression capabilities and configurations are exchanged on the IFL during EX_Port initialization The FCR enables encryption and compression only if both ends of the IFL have matching capabilities and configurations NOTE Any mismatch in configuration at either end of the IFL or authentication f...

Page 412: ... in flight encryption This is for a Fibre Channel Router on which the EX_Port is online it configures the DH CHAP protocol for authentication and sets the DH group to group 4 myswitch admin authutil show AUTH TYPE HASH TYPE GROUP TYPE fcap dhchap sha1 md5 0 1 2 3 4 Switch Authentication Policy PASSIVE Device Authentication Policy OFF myswitch admin authutil set a dhchap myswitch admin authutil set...

Page 413: ...ecret Enter local secret Re enter local secret Enter peer WWN Domain or switch name Leave blank when done Are you done yes y no n no y Saving data to key store Done myswitch admin secauthsecret show WWN DId Name 10 00 00 05 33 13 70 3e 8 sw0 Example Enabling encryption on port 1 of myswitch There are two things to notice here the first is that the initial attempt fails because the port is currentl...

Page 414: ...myswitch admin portcfgshow 1 Area Number 1 Octet Speed Combo 1 16G 8G 4G 2G Speed Level AUTO SW AL_PA Offset 13 OFF Trunk Port OFF Long Distance OFF VC Link Init OFF Locked L_Port OFF Locked G_Port OFF Disabled E_Port OFF Locked E_Port OFF ISL R_RDY Mode OFF RSCN Suppressed OFF Persistent Disable OFF LOS TOV enable OFF NPIV capability ON QOS Port AE Port Auto Disable OFF Rate Limit OFF EX Port ON ...

Page 415: ...SH TYPE GROUP TYPE fcap dhchap sha1 md5 0 1 2 3 4 Switch Authentication Policy PASSIVE Device Authentication Policy OFF edge admin authutil set a dhchap edge admin authutil set g 4 edge admin authutil policy sw active Warning Activating the authentication policy requires either DH CHAP secrets or PKI certificates depending on the protocol selected Otherwise ISLs will be segmented during next E por...

Page 416: ...ne Are you done yes y no n no y Saving data to key store Done edge admin Example Enabling encryption on port 1 of the edge switch As with the FCR switch myswitch there are two things to notice here the first is that the initial attempt fails because the port is currently enabled The second is that the output from the second attempt shows encryption to be enabled on the port as shown by the portCfg...

Page 417: ...el AUTO SW AL_PA Offset 13 OFF Trunk Port ON Long Distance OFF VC Link Init OFF Locked L_Port OFF Locked G_Port OFF Disabled E_Port OFF Locked E_Port OFF ISL R_RDY Mode OFF RSCN Suppressed OFF Persistent Disable OFF LOS TOV enable OFF NPIV capability ON QOS Port AE Port Auto Disable OFF Rate Limit OFF EX Port OFF Mirror Port OFF Credit Recovery ON F_Port Buffers OFF Fault Delay 0 R_A_TOV NPIV PP L...

Page 418: ...3 ee 11 Principal Switch 8 Principal WWN 10 00 00 05 33 13 70 3e Fabric Parameters Auto Negotiate R_A_TOV 10000 N E_D_TOV 2000 N Authentication Type DHCAP DH Group 4 Hash Algorithm SHA1 Encryption ON Compression ON Forward error correction ON Edge fabric s primary wwn N A Edge fabric s version stamp N A fcrEdgeShow The fcrEdgeShow command displays the encryption and compression status for a switch...

Page 419: ...r words multiple virtual devices emulated by NPIV appear no different than regular devices connected to a non NPIV port The same zoning rules apply to NPIV devices as non NPIV devices Zones can be defined by domain port notation by WWN zoning or both However to perform zoning to the granularity of the virtual N_Port IDs you must use WWN based zoning If you are using domain port zoning for an NPIV ...

Page 420: ...ermitted in Fabric OS v6 4 0 and later Fixed addressing mode Fixed addressing mode is the default addressing mode used in all platforms that do not have Virtual Fabrics enabled When Virtual Fabrics is enabled on the Brocade DCX and DCX 4S fixed addressing mode is used only on the default logical switch The number of NPIV devices supported on shared area ports 48 port blades is reduced to 64 from 1...

Page 421: ...his command during a scheduled maintenance 1 Connect to the switch and log in using an account assigned to the admin role 2 Enter the portDisable command 3 Enter the portCfgNPIVPort setloginlimit command with the port number and the number of logins per port 4 Press Enter 5 Enter the portEnable command to enable the port Example of setting the login limit switch adnin portcfgnpivport setloginlimit...

Page 422: ... and DCX 8510 Backbone families and the FA4 18 blade NPIV is enabled for every port NOTE NPIV is a requirement for FCoE The CEE FCoE ports on the Brocade 8000 have NPIV enabled by default but NPIV cannot be enabled or disabled on these ports The login limit can be set on these ports provided you disable and enable the ports using the fcoe disable and fcoe enable commands 1 Connect to the switch an...

Page 423: ...ort and you enter the switchShow command then the port WWN of the N_Port is returned For an NPIV F_Port there are multiple N_Ports each with a different port WWN The switchShow command output indicates whether or not a port is an NPIV F_Port and identifies the number of virtual N_Ports behind it The following example is sample output from the switchShow command switch admin switchshow switchName s...

Page 424: ...Frjt 0 Unknown 0 Loss_of_sync 422 Fbsy 0 Lli 294803 Loss_of_sig 808 Proc_rqrd 0 Protocol_err 0 Timed_out 0 Invalid_word 0 Rx_flushed 0 Invalid_crc 0 Tx_unavail 0 Delim_err 0 Free_buffer 0 Address_err 1458 Overrun 0 Lr_in 15 Suspended 0 Lr_out 17 Parity_err 0 Ols_in 16 2_parity_err 0 Ols_out 15 CMI_bus_err 0 Viewing virtual PID login information Use the portLoginShow command to display the login in...

Page 425: ...es and LUN masks you must find out the physical port world wide name PWWN of the server This means that administrative teams cannot start their configuration tasks until the physical server arrives and its physical PWWN is known Because the configuration tasks are sequential and interdependent across various administrative teams it may take several days before the server gets deployed in an FC SAN...

Page 426: ...the user assigned FA PWWN you must delete the user assigned FA PWWN from the port to which it has been assigned Checking for duplicate FA PWWNs The switch ensures that automatically assigned FA PWWNs are unique in a fabric However it is the responsibility of the administrators to ensure that user assigned FA PWWNs are also unique throughout the fabric CAUTION The administrators should ensure that ...

Page 427: ...re some of the steps are to be executed on the switch and some are to be executed on the server 1 Log in to the edge switch to which the Access Gateway is directly connected 2 Assign the FA PWWN If you are manually assigning a WWN enter the following command fapwwn assign ag AG_WWN port AG_port v Virtual_PWWN If you want the WWN to be automatically assigned enter the following command fapwwn assig...

Page 428: ...t_id enable c Enter the following command bcu port faa port_id query Once the Brocade HBA has been assigned the FA PWWN the HBA retains the FA PWWN until rebooted This means you cannot unplug and plug the cable into a different port on the Access Gateway You must reboot the HBA before moving the HBA to a different port If you move an HBA to a different port on a switch running Fabric OS v7 0 0 or ...

Page 429: ...ort_id query Once the Brocade HBA has been assigned the FA PWWN the HBA retains the FA PWWN until it is rebooted This means you cannot unplug and plug the cable into a different port on the switch You must reboot the HBA before moving the HBA to a different port If you move an HBA to a different port on a switch running Fabric OS v7 0 0 or later the HBA will disable its port If the HBA moves to a ...

Page 430: ...rade back to Fabric OS v7 0 0 This is done to ensure that the FA PWWN configurations are not tampered with when the switch is running an earlier version of the firmware You must also consider zone configuration security configuration and target ACLs when downgrading from Fabric OS v7 0 0 If any of these zone configuration security configuration and target ACLs have FA PWWNs configured the SAN netw...

Page 431: ...FA PWWN is not supported for the following FCoE devices FL_Ports Swapped ports using the portswap command Cascaded Access Gateway topologies FICON FMS mode With F_Port trunking on directly attached Brocade HBAs adapters NOTE FA PWWN is supported with F_Port trunking on the supported Access Gateway platforms Access Gateway N_Port failover with FA PWWN If an FA PWWN F_Port on an Access Gateway fails...

Page 432: ...432 Fabric OS Administrator s Guide 53 1002745 02 Access Gateway N_Port failover with FA PWWN 16 ...

Page 433: ... you can put all the devices in a particular department in the same Admin Domain for ease of managing those devices If you have remote sites you could put the resources in the remote site in an Admin Domain and assign the remote site administrator to manage those resources Admin Domains and Virtual Fabrics are mutually exclusive and are not supported at the same time on a switch Do not confuse Adm...

Page 434: ...h in the fabric and has a range from 1 through 239 Figure 52 shows a fabric with two Admin Domains AD1 and AD2 FIGURE 52 Fabric with two Admin Domains Figure 53 shows how users get a filtered view of this fabric depending on which Admin Domain they are in As shown in Figure 53 users can see all switches and E_Ports in the fabric regardless of their Admin Domain however the switch ports and end dev...

Page 435: ...0 can be in AD0 only The default zone mode setting must be set to No Access before you create Admin Domains refer to Setting the default zoning mode for Admin Domains on page 443 for instructions Virtual Fabrics must be disabled before you create Admin Domains refer to Disabling Virtual Fabrics mode on page 290 for instructions Gigabit Ethernet GbE ports cannot be members of an Admin Domain Traffi...

Page 436: ... switch ports and switches used to create these user defined Admin Domains disappear from the AD0 implicit membership list The explicit membership list contains all devices switch ports and switches that you explicitly add to AD0 and can be used to force device and switch sharing between AD0 and other Admin Domains AD0 is managed like any user defined Admin Domain The only difference between AD0 a...

Page 437: ...t automatically becomes an implicit member of AD0 until it is explicitly added to an Admin Domain AD0 is useful when you create Admin Domains because you can see which devices switch ports and switches are not yet assigned to any Admin Domains AD0 owns the root zone database legacy zone database AD255 AD255 is a system defined Admin Domain that is used for Admin Domain management AD255 always cont...

Page 438: ...min Domain list The home Admin Domain like the Admin Domain list is a configurable property of a non default user account Here is some additional information about AD accounts You can log in to only one Admin Domain at a time You can later switch to a different Admin Domain refer to Switching to a different Admin Domain context on page 456 for instructions For default accounts such as admin and us...

Page 439: ...trol are done by the physical fabric administrator Port control is provided only through switch port membership and is not provided for device members When you create an Admin Domain the end device members do not need to be online even though their WWNs are used in the Admin Domain definition You can share device members across multiple Admin Domains You can also zone shared devices differently in...

Page 440: ...rs using domain index or device WWN members E_Ports including VE_Ports EX_Ports and VEX_Ports are implicitly shared across all Admin Domains An administrator can perform port control operations only if the domain index of the E_Port is part of the Admin Domain NOTE Only the WWN of the switch is saved in the Admin Domain If you change the domain ID of the switch the Admin Domain ownership of the sw...

Page 441: ...re 56 shows the filtered view of the fabric as seen from AD3 and AD4 The switch WWNs are converted to the NAA 5 syntax the device WWNs and domain IDs remain the same FIGURE 56 Filtered fabric views showing converted switch WWNs Fabric Visible to AD3 User Fabric Visible to AD4 User WWN 10 00 00 00 c8 3a fe a2 WWN 10 00 00 00 c2 37 2b a3 Domain ID 2 WWN 50 00 52 e0 63 46 e9 04 WWN 10 00 00 00 c2 37 ...

Page 442: ...n The Admin Domain configuration that is currently in effect Defined configuration The Admin Domain configuration that is saved in flash memory There might be differences between the effective configuration and the defined configuration Transaction buffer The Admin Domain configuration that is in the current transaction buffer and has not yet been saved or canceled How you end the transaction dete...

Page 443: ...d the lowest available AD number is 6 then AD name is AD15 and AD number is 15 Because the specified name is in the format ADn the AD number is assigned to be n and not the lowest available AD number When you create an Admin Domain you must specify at least one member switch switch port or device You cannot create an empty Admin Domain For more information about these member types refer to Admin D...

Page 444: ...x one device designated by device WWN and two switches designated by domain ID and switch WWN switch AD255 admin ad create blue_ad d 100 5 1 3 21 00 00 e0 8b 05 4d 05 s 97 10 00 00 60 69 80 59 13 User assignments to Admin Domains After you create an Admin Domain you can specify one or more user accounts as the valid accounts that can use that Admin Domain User accounts have the following character...

Page 445: ...rconfig add ad2admin r admin h 2 a 1 2 Assigning Admin Domains to an existing user account 1 Connect to the switch and log in using an account with admin permissions 2 Enter the userConfig addad command using the a option to provide access to Admin Domains and the h option to specify the home Admin Domain userconfig addad username h home_AD a AD_list Example The following example assigns Admin Dom...

Page 446: ... account adm1 has been successfully deleted Activating an Admin Domain An Admin Domain can be in either an active or inactive state When you create an Admin Domain it is automatically in the active state 1 Connect to the switch and log in using an account with admin permissions 2 Switch to the AD255 context if you are not already in that context ad select 255 3 Enter the ad activate command ad act...

Page 447: ... save the Admin Domain definition and directly apply the definition to the fabric enter ad apply All active user sessions associated with the Admin Domain are terminated The ad deactivate command does not disable ports Example of deactivating Admin Domain AD_B4 switch AD255 admin ad deactivate AD_B4 You are about to deactivate an AD This operation will fail if an effective zone configuration exist...

Page 448: ...an Admin Domain deletes the Admin Domain 4 Enter the appropriate command based on whether you want to save or activate the Admin Domain definition To save the Admin Domain definition enter ad save To save the Admin Domain definition and directly apply the definition to the fabric enter ad apply Example 1 The following example removes port 5 of domain 100 and port 3 of domain 1 from AD1 switch AD25...

Page 449: ...ssions 2 Switch to the Admin Domain that you want to delete ad select ad_id 3 Enter the appropriate command to clear the zone database under the Admin Domain you want to delete To remove the effective configuration enter cfgdisable To remove the defined configuration enter cfgclear To save the changes to nonvolatile memory enter cfgsave 4 Switch to the AD255 context ad select 255 5 Enter the ad de...

Page 450: ... context ad select 255 4 Enter the ad clear command This option prompts you for confirmation before triggering the deletion of all Admin Domains 5 Enter the ad apply command to save the Admin Domain definition and directly apply the definitions to the fabric Example switch AD255 admin ad clear You are about to delete all ADs definitions This operations will fail if zone configurations exists in AD...

Page 451: ...ad add AD0 d dev_list 8 Enter the ad apply command to save the Admin Domain definition and directly apply the definitions to the fabric ad apply At this point all of the devices in the user defined ADs are also defined and zoned in AD0 9 Clear the user defined ADs ad clear f 10 Enter the ad apply command to save the Admin Domain definition and directly apply the definitions to the fabric ad apply ...

Page 452: ...ains are deleted as shown in Figure 58 FIGURE 58 AD0 with three zones sw0 admin ad exec 255 cfgshow Zone CFG Info for AD_ID 0 AD Name AD0 State Active Defined configuration cfg AD0_cfg AD0_RedZone zone AD0_RedZone 10 00 00 00 01 00 00 00 10 00 00 00 02 00 00 00 Effective configuration cfg AD0_cfg zone AD0_RedZone 10 00 00 00 01 00 00 00 10 00 00 00 02 00 00 00 Zone CFG Info for AD_ID 1 AD Name AD1...

Page 453: ...cludes changes to one or more traffic isolation zones the update may result in localized disruption to traffic on ports associated with the traffic isolation zone changes Do you want to enable AD0_cfg configuration yes y no n no y zone config AD0_cfg is in effect Updating flash sw0 admin ad select 255 sw0 AD255 admin ad add AD0 d 10 00 00 00 03 00 00 00 10 00 00 00 04 00 00 00 10 00 00 00 05 00 00...

Page 454: ...ed in the persistent memory defined configuration 2 to display the currently enforced Admin Domain configuration effective configuration Example of validating the member list of Admin Domain 10 in the current transaction buffer switch AD255 admin ad validate 10 m 0 Current AD Number 255 AD Name AD255 Transaction buffer configuration AD Number 2 AD Name ad2 State Active Switch port members 1 1 1 3 ...

Page 455: ... AD membership Refer to the Fabric OS Command Reference for more detailed information about command syntax and usage and to understand how existing commands behave in an AD context Executing a command in a different AD context You can execute a command in an Admin Domain that is different from your current AD context The Admin Domain must be one that you can access This option creates a new shell ...

Page 456: ...onfiguration are displayed unless you use the m option ad show ad_id m mode In the syntax ad_id is the Admin Domain for which you want to display information and mode is one of the following values 0 to display the Admin Domain configuration in the current transaction buffer 1 to display the Admin Domain configuration stored in the persistent memory defined configuration 2 to display the currently...

Page 457: ...hat apply when using Admin Domains TABLE 67 Admin Domain interaction with Fabric OS features Fabric OS feature Admin Domain interaction ACLs If no user defined Admin Domains exist you can run ACL configuration commands in only AD0 and AD255 If any user defined Admin Domains exist you can run ACL configuration commands only in AD255 You cannot use ACL configuration commands or validate ACL policy c...

Page 458: ... Management applications Management interfaces that access the fabric without a user s credentials continue to get the physical fabric view Examples include SNMPv1 Web Tools HTTP access unzoned management server query FAL in band CT requests from FAL Proxy to FAL Target and FC CT based management applications Access from applications or hosts using management server calls can be controlled using t...

Page 459: ...e defined by domain index in the Admin Domain If both zoning schemes are used then objects must be defined in the Admin Domain by both WWN and domain index Using the zone validate command you can see all zone members that are not part of the current zone enforcement table but are part of the zoning database A member might not be part of the zone enforcement table for the following reasons The devi...

Page 460: ...rent Admin Domain If the switch is a member of the Admin Domain all switch configuration parameters are saved and the zone database for that Admin Domain is also saved Table 68 lists the sections in the configuration file and the Admin Domain contexts in which you can upload and download these sections Refer to Chapter 8 Maintaining the Switch Configuration File for additional information about up...

Page 461: ...Fabric OS features and includes the following chapters Chapter 18 Administering Licensing Chapter 19 Inter chassis Links Chapter 20 Monitoring Fabric Performance Chapter 21 Optimizing Fabric Behavior Chapter 22 Managing Trunking Connections Chapter 23 Managing Long Distance Fabrics Chapter 24 Using FC FC Routing to Connect Fabrics ...

Page 462: ...462 Fabric OS Administrator s Guide 53 1002745 02 ...

Page 463: ...ature version If a feature has a version based license that license is valid only for a particular version of the feature If you want a newer version of the feature you must purchase a new license If a license is not version based then it is valid for all versions of the feature Likewise if you downgrade Fabric OS to an earlier version some licenses associated with specific features of the version...

Page 464: ...enses See Brocade 7800 Upgrade license on page 470 for details Adaptive Networking with QoS Provides a rich framework of capability allowing a user to ensure that high priority connections obtain the bandwidth necessary for optimum performance even in congested environments The QoS SID DID Prioritization and Ingress Rate Limiting features are included in this license and are fully available on all...

Page 465: ...ing additional ports using license key upgrades NOTE Applies to the Brocade 300 5100 5300 6505 6510 6520 and VA 40FC switches DataFort Compatibility Provides ability to read write decrypt and encrypt the NetApp DataFort encrypted Disk LUNs and Tapes to all of the following Brocade Encryption Switch Brocade enterprise platforms with FS8 18 blade Includes metadata encryption and compression algorith...

Page 466: ...ou to purchase half the bandwidth of DCX ICL ports initially and upgrade with an additional ICL 8 link license to utilize the full ICL bandwidth at a later time This license is also useful for environments that want to create ICL connections between a DCX and a DCX 4S the latter cannot support more than eight links on an ICL port Available on the Brocade DCX and DCX 4S Backbones only ICL 16 Link A...

Page 467: ...ilities are included by default on the Brocade 6520 TABLE 70 License requirements and location name by feature Feature License Where license should be installed Adaptive Rate Limiting Advanced Extension Local switch Administrative Domains No license required N A Bottleneck Detection No license required N A Configuration up download No license required NOTE The configUpload and configDownload comma...

Page 468: ...with Fabric OS on the switch N A Full fabric connectivity Full Fabric NOTE Also called the Fabric license visible in licenseShow output and the E_Port Upgrade license Local switch May be required on attached switches In flight encryption and compression No license required N A Inband Management No license required N A Ingress rate limiting Adaptive Networking with QoS Local switch Inter chassis li...

Page 469: ...d 6520 10 Gigabit FCIP Fibre Channel license to enable 10Gb Ethernet ports on the FX8 24 extension blades Brocade 8000 Must have license installed to enable the 8 FC ports A maximum of 8 FC ports are allowed Local switch QoS Adaptive Networking with QoS Brocade 6520 does not require this license Local switch and attached switches QoS on HBA Server Application Optimization and Adaptive Networking w...

Page 470: ... FC16 32 blades FC16 48 blades and the Brocade 6510 and 6520 as well as to support the 10Gb Ethernet ports on FX8 24 blades See the Ports feature above for more information Local switch SSH public key No license required N A TACACS No license required N A Top Talkers Advanced Performance Monitoring Local switch and attached switches Traffic Isolation No license required N A Trunking ISL Trunking o...

Page 471: ...rm or all of the ICL bandwidth on the Brocade DCX 8510 4 On the Brocade DCX 8510 8 this license enables QSFP ports 0 7 QSFP ports 8 15 are disabled QSFP ports 0 7 correspond to core blade port numbers 0 31 and QSFP ports 8 15 correspond to core blade port numbers 32 63 as observed in switchShow output This license allows you to purchase half the bandwidth of the Brocade DCX 8510 8 ICL ports initia...

Page 472: ...e Brocade DCX 8510 8 and DCX 8510 4 platforms only The EICL license is required in addition to the ICL POD license The following requirements apply Connection of four or fewer DCX 8510 Backbones with ICLs does not require the EICL license However if you add additional ICL connected chassis then all ICL connected chassis require the EICL license With the EICL license installed a maximum of 10 chass...

Page 473: ...move it Port operation may become disrupted and ports may be prevented from operating at 8 Gbps when the license is removed The 8 Gbps license applies to the Brocade 300 5100 5300 and VA 40FC switches and the 8 Gbps embedded switches this license does not apply to the Brocade 6505 6510 or 6520 The following list describes the basic rules of using adding or removing 8G licenses Without an 8G licens...

Page 474: ...re applicable blades than available license capacity then you can manually assign or re assign the licenses as necessary Once a license is assigned to a slot whether it has been automatically assigned or manually assigned the assignment will remain until you manually reassign the license to another slot This design allows for various maintenance operations to occur without having the license move ...

Page 475: ...g slot based licenses apply as described in Slot based licensing on page 474 When this license is applied to a Brocade 6510 or 6520 switch it is applied to the whole chassis Whether you have a bladed DCX DCX 4S DCX 8510 8 or DCX 8510 4 platform or nonbladed Brocade 6510 6520 switch you add the 10G license to the chassis using the LicenseAdd command as for any license For the bladed platforms you c...

Page 476: ... FC ports on the Mc 6140 platform The new FC ports use different protocols and physical connections Enabling 10 Gbps operation on an FC port Use the following procedure to enable 10 Gbps operation on an FC port on a Brocade 6510 or 6520 switch or an FC16 32 or FC16 48 blade 1 Connect to the switch and log in using an account with admin permissions or an account with OM permissions for the license ...

Page 477: ...10 GbE ports on an FX8 24 blade Use the following procedure to enable the 10 GbE ports on an FX8 24 blade 1 Connect to the Brocade Backbone and log in using an account with admin permissions or an account with OM permissions for the license class of RBAC commands 2 Use the licenseAdd command to add the 10G license 3 Use the licenseShow command to check the results of automatic license assignment I...

Page 478: ...ed 10G Mode 7 ge7 1G No_Module FCIP Disabled 10G Mode 7 ge8 1G No_Module FCIP Disabled 10G Mode 7 ge9 1G No_Module FCIP Disabled 10G Mode 7 xge0 10G No_Module FCIP 7 xge1 10G No_Module FCIP Temporary licenses A temporary license applies a try before you buy approach to certain features so that you can experience the feature and its capabilities prior to buying the license Once you have installed t...

Page 479: ...manent license is for different slots than the temporary license you must do the following 1 Install the permanent license The temporary license is automatically replaced on the original slots 2 Deconfigure the application that uses the licensed feature on the original slots 3 Remove the license from the original slots using the licenseSlotCfg remove command 4 Add the license to the new slots usin...

Page 480: ...ed until there is no remaining time at which point it is expired Because of this universal temporary licenses should not be installed on a switch until you are ready to use or test the feature so as not to unnecessarily consume a portion of the temporary use duration The expiration date is based on the system time at the installation of the license plus the number of days for which the universal t...

Page 481: ...correct If the information is incorrect click Previous correct the information and click Submit An information screen displays the license keys and you will receive an e mail with the software license keys and installation instructions Adding a licensed feature To enable a feature go to the feature s appropriate section in this manual Enabling a feature on a switch may be a separate task from addi...

Page 482: ...rformance Monitor license Trunking license 4 Domain Fabric license FICON_CUP license High Performance Extension over FCIP FC license Full Ports on Demand license additional 16 port upgrade license 2 Domain Fabric license Integrated Routing license Storage Application Services license FICON Tape license FICON XRC license Adaptive Networking license Inter Chassis Link license Enhanced Group Manageme...

Page 483: ...ems can be upgraded in 4 port increments An E_Port license upgrade is also available for purchase Brocade 5100 Can be purchased with 24 32 or 40 licensed ports A maximum of 40 ports is allowed Brocade 5300 Can be purchased with 48 64 or 80 licensed ports A maximum of 80 ports is allowed Brocade 6505 Can be purchased with 12 or 24 licensed ports A maximum of 24 ports is allowed Brocade 6510 Can be ...

Page 484: ...erence manual Displaying installed licenses If a single license is installed that enables all Ports on Demand the license will display as Full Ports on Demand license additional X port upgrade license If there are other individual Ports on Demand licenses installed these will also be displayed when listing the licenses for a switch and you will see either First Ports on Demand license additional Y...

Page 485: ...g procedure to activate Ports on Demand 1 Connect to the switch and log in using an account with admin permissions 2 Verify the current states of the ports using the portShow command In the portShow output the Licensed field indicates whether the port is licensed 3 Install the Brocade Ports on Demand license For instructions on how to install a license see Adding a licensed feature on page 481 4 U...

Page 486: ...n you display the available licenses you can also view the current port assignment of those licenses Use the following procedure to display the port license assignments 1 Connect to the switch and log in using an account with admin permissions 2 Enter the licensePort show command Example showing manually assigned POD licenses switch admin licenseport show 24 ports are available in this switch Full...

Page 487: ...gnment is held by an offline port indicated by Disabling Dynamic Ports on Demand Disabling the Dynamic POD feature changes the POD method to static and erases any prior port license associations or assignments the next time the switch is rebooted Use the following procedure to disable Dynamic Ports on Demand 1 Connect to the switch and log in using an account with admin permissions 2 Enter the lic...

Page 488: ...ch Full POD license is installed Dynamic POD method is in use 24 port assignments are provisioned for use in this switch 12 port assignments are provisioned by the base switch license 12 port assignments are provisioned by a full POD license 10 ports are assigned to installed licenses 10 ports are assigned to the base switch license 0 ports are assigned to the full POD license Ports assigned to th...

Page 489: ...licenseport release 0 5 Enter the licensePort show command to verify the port is no longer assigned to a POD set switch admin licenseport show 24 ports are available in this switch Full POD license is installed Dynamic POD method is in use 24 port assignments are provisioned for use in this switch 12 port assignments are provisioned by the base switch license 12 port assignments are provisioned by...

Page 490: ...490 Fabric OS Administrator s Guide 53 1002745 02 Ports on Demand 18 ...

Page 491: ...ly with an ICL license For more information on how license enforcement occurs refer to Chapter 18 Administering Licensing After the addition or removal of a license the license enforcement is performed on the ICL ports only when you issue the portDisable and portEnable commands on the switch for the ports or the bladeDisable and bladeEnable commands for the core blade All ICL ports must be disable...

Page 492: ... and each QSFP connector maps to four user ports Refer to the hardware reference manuals for details about the port groups Following are ICL configuration guidelines for trunking bandwidth and High Availability ICLs must be installed in groups of two Each pair of ICLs must be in the same port group The recommended minimum number of ICLs between two Brocade DCX 8510 chassis is four Additional ICLs ...

Page 493: ...rts cannot form a trunk with each other but can form trunks only with corresponding ports on another QSFP To establish ICL trunking between platforms in the Brocade DCX 8510 Backbone family follow these configuration rules The QSFP cables must be in the same trunk group as illustrated in Figure 59 Refer to the specific hardware reference manuals for information about port numbering and connecting ...

Page 494: ...de DCX each ICL is managed as two 8 port ISL trunks On the Brocade DCX 4S each ICL is managed as one 8 port ISL trunk Follow the guidelines in the specific hardware reference manuals for connecting the ICL cables Virtual Fabrics considerations for ICLs In Virtual Fabrics the ICL ports can be split across the logical switch base switch and default switch The triangular topology requirement must be ...

Page 495: ...You can connect the Brocade Backbones in a mesh topology in which every chassis is connected to every other chassis A simple form of the mesh topology is the triangular topology shown in Figure 61 The triangular topology is supported by three Brocade Backbone chassis The chassis for each topology must all be from the same family Brocade DCX Backbone family DCX or DCX 4S Brocade DCX 8510 Backbone f...

Page 496: ...e triangular topology is considered broken when the ISL path between the two switches is a multiple hop In this case the triangular topology broken message is posted independently of the cost of the ISL path being lesser or greater than the ICL path between the two switches Core edge topology You can also connect the Brocade DCX 8510 Backbones in a core edge topology For example Figure 63 shows si...

Page 497: ...Fabric OS Administrator s Guide 497 53 1002745 02 Supported topologies for ICL connections 19 FIGURE 63 64 Gbps ICL core edge topology ...

Page 498: ...498 Fabric OS Administrator s Guide 53 1002745 02 Supported topologies for ICL connections 19 ...

Page 499: ...ls Administrator s Guide and Brocade Network Advisor User Manual for information about monitoring performance using a graphical interface Advanced Performance Monitoring commands are available only to users with admin permissions Use the perfhelp command to display a list of commands associated with Advanced Performance Monitoring NOTE The command examples in this chapter use the slot port syntax ...

Page 500: ...s that are present in the respective logical switch Top Talker monitors and EE monitors are supported on the default logical switch the base switch and user defined logical switches Frame monitors are not supported on logical ISLs LISLs in user defined logical switches If a port is moved from one logical switch to another the behavior of monitors installed on that port is as follows Frame monitor ...

Page 501: ...mes received at the port For frames received at the port with the EE monitor installed the RX_COUNT is updated if the frame SID is the same as the SID in the monitor and the frame DID is the same as the DID in the monitor TX_COUNT Words in frames transmitted from the port For frames transmitted from the port with the EE monitor installed TX_COUNT is updated if the frame DID is the same as the SID ...

Page 502: ... not recommended because the statistics for the same flow going through ports on the same ASIC may be inaccurate Adding EE monitors 1 Connect to the switch and log in using an account with admin permissions 2 Enter the following command perfaddeemonitor slotnumber portnumber sourceID destID When you add an EE monitor to a port specify the sourceID and destID in the ingress direction For example Fi...

Page 503: ... only certain parts of the SID or DID By default the frame must match the entire SID and DID to trigger the monitor By setting a mask you can choose to have the frame match only one or two of the three fields domain ID area ID and AL_PA to trigger the monitor You specify the masks in the form dd aa pp where dd is the domain ID mask aa is the area ID mask and pp is the AL_PA mask The values for dd ...

Page 504: ...t to delete all entries Example The following example displays the end to end monitors on port 0 the monitor numbers are listed in the KEY column and deletes monitor number 2 on port 0 switch admin perfmonitorshow class EE 0 There are 4 end to end monitor s defined on port 0 KEY SID DID OWNER_APP TX_COUNT RX_COUNT OWNER_IP_ADDR 0 0x000024 0x000016 WEB_TOOLS 0x0000000000000000 0x0000000000000000 10...

Page 505: ...0x00000004d0bac1e4 0x0000000067229e87 N A 4 0x21300 0x21de2 TELNET 0x00000004d0bad086 0x0000000067229e87 N A 5 0x11000 0x21fd6 WEB_TOOLS 0x00000004d0bade54 0x0000000067229e87 192 168 169 40 6 0x11000 0x21fe0 WEB_TOOLS 0x00000004d0baed41 0x0000000067229e98 192 168 169 40 Clearing EE monitor counters The following example clears statistics counters for an end to end monitor switch admin perfMonitorC...

Page 506: ...lt of resource sharing Virtual Fabrics considerations Frame monitors are not supported on logical ISLs LISLs but are supported on ISLs and extended ISLs XISLs Creating frame types to be monitored In addition to the standard frame types you can create custom frame types to gather statistics that fit your needs To define a custom frame type you must specify a series of offsets bitmasks and values Fo...

Page 507: ...d actions for Fabric Watch but do not apply to monitoring To apply the custom values use the thconfig apply command Refer to the Fabric Watch Administrator s Guide for more information about using this command Example of creating a user defined frame type switch admin fmmonitor create myframemonitor pat 17 0xFF 0x07 7 0x4F 0x01 action email Example of creating a user defined frame type and applyin...

Page 508: ... ports to be removed from monitoring is automatically saved to the persistent configuration unless you specify the nosave option on the command Example The following example removes the user defined frame monitor myframemonitor from all ports switch admin fmmonitor delmonitor myframemonitor Saving a frame monitor configuration When you assign or remove frame monitors on ports the list of ports to ...

Page 509: ...the Count column indicates that the monitor is configured but is not installed on the port switch admin fmmonitor show SCSI Port Frame Type Count HIGH Thres Actions TIMEBASE CFG 000001 scsi 0x0000000000000123 1000 Email None saved 000002 scsi 0x0000000000000125 1000 Email None saved 000003 scsi 0x0000000000000143 1000 Email None saved 000022 scsi 0 None None saved The following example displays va...

Page 510: ...so they get proper priority Refer to Chapter 21 Optimizing Fabric Behavior for information on QoS The Top Talker monitor is based on SID and DID pairs and not WWNs Once Top Talker monitors are installed on a switch or port it remains installed across power cycles Top Talker monitors supports two modes port mode and fabric mode Port mode Top Talker monitor A Top Talker monitor can be installed on a...

Page 511: ...ot supported on the embedded platforms Brocade 5410 5424 5450 5460 5470 and 5480 Top Talker monitors and FC FC routing You can enable Top Talker monitors on a platform that is configured to be an FC router Top Talker monitors and FC routers are concurrently supported on the following platforms Brocade 6505 Brocade 6510 Brocade 6520 Brocade DCX 8510 Backbone family with the following blades only FC...

Page 512: ... monitor on a mirrored port Top Talker monitors can monitor only 10 000 flows at a time Top Talker monitors are not supported on VE_Ports EX_Ports and VEX_Ports The maximum number of all port mode Top Talker monitors on an ASIC is 16 If Virtual Fabrics is enabled the maximum number of all port mode Top Talker monitors on an ASIC is 8 If the ingress and egress monitor ports are configured on the sa...

Page 513: ...ode command perfttmon add fabricmode The system responds with the following message Before enabling fabric mode please remove all EE monitors in the fabric continue yes y no n 4 Enter y at the prompt to continue Top Talker monitors are added to E_Ports in the fabric and fabric mode is enabled Any Top Talker monitors that were already installed on F_Ports are automatically uninstalled If EE monitor...

Page 514: ...nid n wwn pid Fabric mode must be enabled for this option The output is sorted based on the data rate of each flow If you do not specify the number of flows to display then the command displays the top 8 flows or the total number of flows whichever is less The command can display a maximum of 32 flows The following example display the top 5 flows on for domain 1 in WWN default format perfttmon sho...

Page 515: ...nd to end masks are allowed only on the F_Port trunk master Unlike the monitors if the master changes the mask does not automatically move to the new master port All platforms support 12 frame monitors for trunks except for the Brocade 300 which supports 8 frame monitors for trunks For the Brocade 8000 trunk monitoring is supported only on the FC ports and not on the CEE ports Saving and restoring...

Page 516: ...after making several changes switch admin perfcfgrestore This will overwrite current Performance Monitoring settings in RAM Do you want to continue yes y no n no y Please wait Performance monitoring configuration restored from FLASH ROM To clear the previously saved performance monitoring configuration settings from nonvolatile memory use the perfCfgClear command switch admin perfcfgclear This wil...

Page 517: ...applications and connections The Adaptive Networking suite includes the following features Bottleneck detection The bottleneck detection feature identifies devices attached to the fabric that are slowing down traffic Bottleneck detection does not require a license See Chapter 13 Bottleneck Detection for information about this feature Top Talkers The Top Talkers feature provides real time informati...

Page 518: ...cation traffic If the bottleneck detection feature detects ISL congestion you can use Ingress Rate Limiting to slow down low priority application traffic if it is contributing to the congestion Ingress Rate Limiting Ingress Rate Limiting is a licensed feature that requires the Adaptive Networking license Ingress Rate Limiting restricts the speed of traffic from a particular device to the switch po...

Page 519: ...t command portcfgqos resetratelimit slot port Example of disabling Ingress Rate Limiting on slot 3 port 9 portcfgqos resetratelimit 3 9 QoS SID DID traffic prioritization SID DID traffic prioritization allows you to categorize the traffic flow between a host and target as having a high medium or low priority Fabric OS supports two types of prioritization Class Specific Control CS_CTL based frame p...

Page 520: ... traffic prioritization after you install the license ATTENTION To preserve existing trunk groups before you install the Adaptive Networking license you must manually disable QoS on the 8 Gbps ports See Trunking considerations before you install the Adaptive Networking license on page 523 for more information TABLE 76 Comparison between CS_CTL based and QoS zone based prioritization CS_CTL based f...

Page 521: ...ority frames are assigned to more fabric resources than are medium priority frames which in turn are assigned to more fabric resources than are low priority frames The resources are allocated according to the CS_CTL value as shown in Table 77 The values are enabled by default to ensure backward compatibility Alternatively the user can apply CS_CTL auto mode The CS_CTL auto mode uses only three CS_...

Page 522: ...ount that has admin permissions 2 Enter the portcfgqos command portcfgqos enable slot port csctl_mode 3 Enter y at the prompt to override QoS zone based traffic prioritization When you disable CS_CTL based frame prioritization QoS zone based traffic prioritization is restored if it had been previously enabled 1 Connect to the switch and log in to an account that has admin permissions 2 Enter the p...

Page 523: ...w priority All flows without QoS prioritization are considered medium priority High medium and low priority flows are allocated to different virtual channels VCs High priority flows receive more fabric resources than medium priority flows which receive more resources than low priority flows NOTE If there is a single low priority flow to a destination ID DID and several medium priority flows to tha...

Page 524: ...ommand portcfgshow In the output the value of QOS E_Port is AE if QoS is automatically enabled by default ON if QoS is enabled manually and OFF or if QoS is disabled 5 Manually disable QoS on all of the ports identified in step 3 for which QoS is enabled in the portcfgshow output QOS E_Port is AE or ON portcfgqos disable slot port ATTENTION This is a disruptive operation Example In this example th...

Page 525: ... where AE QoSAutoEnable AN AutoNegotiate OFF NA NotApplicable INVALID switch admin portcfgqos disable 19 QoS zones You assign high or low priority QoS level by configuring a QoS zone A QoS zone is a special zone that indicates the priority of the traffic flow between a given host target pair The members of a QoS zone are the host target pairs QoS zones can contain WWN members WWNN or WWPN or domai...

Page 526: ...ee QoS over FC routers on page 527 for additional considerations when using QoS to prioritize traffic between device pairs in different edge fabrics For example Figure 68 shows a fabric with two hosts H1 H2 and three targets S1 S2 S3 The traffic prioritization is as follows Traffic between H1 and S1 is high priority Traffic between H1 and S3 and between H2 and S3 is low priority All other traffic ...

Page 527: ...and enable QoS on only those E_Ports If QoS is not enabled on an E_Port the traffic prioritization stops at that point For example in Figure 69 if you disabled QoS on E_Ports 3 12 and 3 13 then the traffic from H1 and H2 to S3 would be low priority from the hosts to domain 3 but would switch to the default medium priority from domain 3 to the target S3 QoS over FC routers QoS over FC routers uses ...

Page 528: ... QoS over FCRs An Adaptive Networking license must be installed on every switch that is in the path between a given configured device pair including the switches in the backbone fabric and both edge fabrics Virtual Fabrics considerations for QoS zone based traffic prioritization You can prioritize flows between devices in a logical fabric The priority is retained for traffic going across ISLs and ...

Page 529: ...0 7800 8000 VA 40FC 48000 Brocade DCX DCX 4S or DCX 8510 family QoS is enabled by default on 8 Gbps and 16 Gbps ports QoS is disabled by default on all 4 Gbps ports and long distance ports Limitations and restrictions for QoS zone based traffic prioritization Enabling and disabling QoS is potentially disruptive to the I O on the affected port If a host and target are included in two or more QoS zo...

Page 530: ...rmation about buffer credit allocation in extended fabrics Trunking considerations If some ports in a trunk group have QoS enabled and some ports have QoS disabled then two different trunks are formed one with QoS enabled and one with QoS disabled Setting QoS zone based traffic prioritization 1 Connect to the switch and log in using an account with admin permissions 2 Enter the zoneCreate command ...

Page 531: ...0 00 00 00 10 00 00 00 20 00 00 00 zone QOSL2_zone 10 00 00 00 30 00 00 00 10 00 00 00 40 00 00 00 zone zone1 10 00 00 00 10 00 00 00 10 00 00 00 20 00 00 00 10 00 00 00 30 00 00 00 10 00 00 00 40 00 00 00 Effective configuration No Effective configuration No Access sw0 admin cfgsave You are about to save the Defined zoning configuration This action will only save the changes on Defined configurat...

Page 532: ...edge fabric See Controlling device communication with the LSAN on page 591 for instructions 4 Enter the portCfgQos command to enable QoS on the E_Ports 5 Repeat step 1 through step 3 to create QoS zones and LSAN zones on the other edge fabric 6 Connect to the FC router in the backbone fabric and log in using an account with admin permissions 7 Enter the portCfgQos command to enable QoS on the EX_P...

Page 533: ...zes the use of bandwidth by allowing a group of links to merge into a single logical link called a trunk group Traffic is distributed dynamically and in order over this trunk group achieving greater performance with fewer links Within the trunk group multiple physical ports appear as a single port thus simplifying management Trunking also improves system reliability by maintaining in order deliver...

Page 534: ... is the same as F_Port trunking The trunk ports are N_Ports on the Access Gateway or adapter connected to F_Ports on the switch For more information see Configuring F_Port trunking for a Brocade adapter on page 545 the Access Gateway Administrator s Guide and the Brocade Adapters Administrators Guide NOTE This chapter uses the term F_Port trunking to refer to a trunk between the F_Ports on a switc...

Page 535: ...same port group A port group is a group of eight ports based on the user port number such as 0 7 8 15 16 23 and up to the number of ports on the switch The maximum number of port groups is platform specific Figure 71 shows the port groups for the Brocade 5100 Ports in a port group are usually contiguous but they might not be Refer to the hardware reference manual for your switch for information ab...

Page 536: ...er the HA failover Supported platforms for trunking Trunking is supported on the FC ports of all Brocade platforms and blades supported in Fabric OS v7 0 0 and later EX_Port trunking is supported only on those platforms that support EX_Ports See Supported platforms for FC FC routing on page 570 for more information Requirements for trunk groups The following requirements apply to all types of trun...

Page 537: ...d to resolve ISL oversubscription if the total capability of the trunk group is not exceeded Consider how the addition of a new path will affect existing traffic patterns A trunk group has the same link cost as the master ISL of the group regardless of the number of ISLs in the group This allows slave ISLs to be added or removed without causing data to be rerouted because the link cost remains con...

Page 538: ...guring F_Port trunking for a Brocade adapter on page 545 for information Enabling trunking on a port or switch You can enable trunking for a single port or for an entire switch Because trunking is automatically enabled when you install the Trunking license you need to use this procedure only if trunking has been subsequently disabled on a port or switch Enabling trunking disables and re enables th...

Page 539: ...mation on using the Brocade Advanced Performance Monitor to monitor traffic see Chapter 20 Monitoring Fabric Performance To view detailed information about F_Port trunking see Displaying F_Port trunking information on page 549 Use the following procedure to view trunking information 1 Connect to the switch and log in using an account assigned to the admin role 2 Enter the trunkShow command This ex...

Page 540: ...then create a TA with index 8 with ports that have index 8 9 10 and 11 then index 9 10 and 11 are no longer with domain 3 This means that AD2 does not have access to any ports because index 10 and 11 no longer exist on domain 3 This also means that AD1 no longer has 3 9 in effect because index 9 no longer exists for domain 3 Port 3 8 which is the TA group can still be seen by AD1 along with 4 13 a...

Page 541: ...fabric Therefore the FC router front domain initiates the trunking protocol on the EX_Port After initiation the first port from the trunk group that comes online is designated as the master port The other ports that come online on the trunk group are considered to be the slave ports Adding or removing a slave port does not cause frame drop however removing a slave port causes the loss of frames in...

Page 542: ... a maximum speed of 16 Gbps and trunking over long distance In the edge fabric when the FC router is connected to a switch that supports eight ports from the trunkable group When the FC router is connected to an edge fabric through a mix of trunked and nontrunked EX_Ports all will share the same front domain In edge to edge backbone to edge and dual backbone configurations Masterless EX_Port trunk...

Page 543: ...t you assign must be within the 8 port trunk group beginning with port 0 zero After you assign a TA to a port the port immediately acquires the TA as the area of its PID Likewise after you remove a TA from a port the port immediately acquires the default area as its PID F_Port trunking prevents reassignments of the Port ID also referred to as the Address Identifier when F_Ports go offline and it i...

Page 544: ...runking for an Access Gateway on page 544 for instructions on configuring F_Port trunking Requirements for F_Port trunking on an Access Gateway In addition to the requirements listed in Requirements for trunk groups on page 536 refer to the Access Gateway Administrator s Guide for additional requirements that are specific to F_Port trunking on an Access Gateway Configuring F_Port trunking for an A...

Page 545: ...u can configure trunking between the F_Ports on an edge switch and the Brocade adapters In addition to the requirements listed in Requirements for trunk groups on page 536 note the following requirements which are specific to F_Port trunking for Brocade adapters The edge switch must be running in Native mode You cannot configure trunking between the Brocade adapters and the F_Ports of an Access Ga...

Page 546: ...ly on the F_Port trunk master port and only once per the entire trunk This behavior is the same as E_Port trunk master authentication Because only one port in the trunk does FLOGI to the switch and authentication follows FLOGI on that port only that port displays the authentication details when you issue the portShow command NOTE Switches in Access Gateway mode do not perform authentication config...

Page 547: ...orts that are not F_Port trunked within the same switch HA Sync If you plug in a standby CP with a firmware version earlier than Fabric OS v6 2 0 and a Trunk Area is present on the switch the CP blades will become out of sync Long Distance Long distance is not allowed on F_Port trunks which means that a Trunk Area is not allowed on long distance ports You cannot enable long distance on ports that ...

Page 548: ...tch If the user bound area for a port is configured by means of the portAddress command then the port cannot be configured as an F_Port trunk port You must explicitly remove the user bound area before enabling F_Port trunking If you swap a port by using the portSwap command then you must undo the port swap before enabling F_Port trunking The Port WWN format in a Virtual Fabric is 2z zz xx xx xx xx...

Page 549: ...w trunk Trunk Index 37 39 0 sp 8 000G bw 16 000G deskew 15 MASTER Tx Bandwidth 16 00Gbps Throughput 1 63Gbps 11 84 Rx Bandwidth 16 00Gbps Throughput 1 62Gbps 11 76 Tx Rx Bandwidth 32 00Gbps Throughput 3 24Gbps 11 80 38 1 sp 8 000G bw 8 000G deskew 15 Tx Bandwidth 16 00Gbps Throughput 1 63Gbps 11 84 Rx Bandwidth 16 00Gbps Throughput 1 62Gbps 11 76 Tx Rx Bandwidth 32 00Gbps Throughput 3 24Gbps 11 80...

Page 550: ...onger exists will not be in effect 1 Add the WWN of all the devices to the DCC policy against the TA 2 Enter the secPolicyActivate command to activate the DCC policy In order for security to enforce the DCC policy on the trunk ports you must enable the TA before issuing the secPolicyActivate command 3 Turn on the trunk ports Turn on trunk ports after issuing the secPolicyActivate command to preven...

Page 551: ... and long distance static LS distance levels The LD and LS settings are necessary to achieve maximum performance results over inter switch links ISLs that are greater than 10 km For details about obtaining and installing licensed features refer to Chapter 18 Administering Licensing The Extended Fabrics feature enables the following functionality Fabric interconnectivity over Fibre Channel at longe...

Page 552: ...gured in long distance mode and have buffers reserved for them insufficient buffers may remain for the other ports In this case some of the remaining ports may come up in degraded mode Long distance link modes Use the portCfgLongDistance command to support long distance links and to allocate sufficient numbers of full size frame buffers on a specific port Changes made by this command are persisten...

Page 553: ...the ISL are operating at the same port speed and can be configured for the same distance_level without compromising local switch performance NOTE A long distance link also can be configured to be part of a trunk group Two or more long distance links in a port group form a trunk group when they are configured for the same speed and distance and their link distances are nearly equal For information ...

Page 554: ...ort speed switch admin portshow 1 2 portName portHealth OFFLINE Authentication None portDisableReason None portCFlags 0x1 portFlags 0x1 PRESENT U_PORT portType 17 0 portState 2 Offline Protocol FC portPhys 2 No_Module portScn 0 port generation number 0 portId 010200 portIfId 4312003b portWwn 20 02 00 05 1e 94 0f 00 portWwn of device s connected Distance static desired 100 Km portSpeed N8Gbps LE do...

Page 555: ...ames and reduces the frequency of entire Fibre Channel sequences needing to be retransmitted across the link Because the number of buffer credits available for use within each port group is limited configuring buffer credits for extended links may affect the performance of the other ports in the group used for core to edge connections You must balance the number of long distance ISL connections an...

Page 556: ...needed to hold this new frame Unless the receiver is capable of processing frames as fast as the transmitter is capable of sending them it is possible for all of the receive buffers to fill up with received frames At this point if the transmitter should send another frame the receiver will not have a receive buffer available and the frame is lost Buffer to buffer flow control provides consistent a...

Page 557: ...quirements 1 0625 for 1 Gbps 2 125 for 2 Gbps 4 25 for 4 Gbps 8 5 for 8 Gbps 10 625 for 10 Gbps 17 for 16 Gbps Buffer credit allocation based on full size frames Assuming that the frame is a full size frame one buffer credit allows a device to send one payload up to 2112 bytes 2148 with headers Assuming that each payload is 2112 you need one credit per 1 km of link length at 2 Gbps smaller payload...

Page 558: ...buffers In this case the port operates in degraded mode instead of being disabled asa result of insufficient buffers In LS mode the actual link distance is not measured instead the desired_distance value is used to allocate the buffers required for the port Refer to the data in Table 83 on page 563 and Table 84 on page 564 to get the total ports in a switch or blade the number of user ports in a p...

Page 559: ...distance of 50 km at 8 Gbps then 50 km 8 Gbps 2 6 206 buffers If you have a distance of 50 km at 10 Gbps then 50 km 10 Gbps 2 6 256 buffers If you have a distance of 50 km at 16 Gbps then 50 km 16 Gbps 2 6 406 buffers Example Consider the Brocade 300 which has a single 24 port port group and a total of 676 buffer credits for that port group The maximum remaining number of buffer credits for the po...

Page 560: ...uses Fabric OS to allocate the correct number of buffer credits 2 Determine the speed you will use for the long distance connection This example uses 8 Gbps 3 Look up the data_rate value for the speed of the connection See Fibre Channel gigabit values reference definition on page 557 to determine the data_rate value For 8 Gbps the data_rate is 8 5 4 Use the following formula to calculate the numbe...

Page 561: ...s option with the distance option or the frameSize option Example switch admin portcfglongdistance 2 35 LS 1 buffers 400 Reserved Buffers 420 Configuring buffers using frame size You can configure the number of buffers by using the frameSize option of the portCfgLongDistance command along with the distance option Fabric OS calculates the number of buffers from the frameSize option value according ...

Page 562: ...wing procedure 12 buffers are configured for an F_Port 1 Connect to the switch and log in using an account assigned to the admin role 2 Enter the portCfgFPortBuffers command switch admin portcfgfportbuffers enable 2 44 12 3 To disable the port buffer configuration and return to the default buffer allocation use the disable option switch admin portcfgfportbuffers disable 2 44 NOTE The configured nu...

Page 563: ... credits switch or blade model Table 83 shows the total FC ports in a switch or blade the number of user ports in a port group and the unreserved buffer credits available per port group TABLE 83 Total FC ports ports per port group and unreserved buffer credits per port group Switch blade model Total FC ports per switch blade User port group size Unreserved buffer credits per port group 300 24 24 4...

Page 564: ... not supported on this blade FC16 32 32 16 5456 FC16 48 48 24 5008 FS8 18 16 8 1604 FX8 24 12 12 1060 TABLE 84 Configurable distances for Extended Fabrics Maximum distances km that can be configured assuming a 2112 byte frame size Switch blade model 2 Gbps 4 Gbps 8 Gbps 10 Gbps 16 Gbps 300 486 243 121 N A N A 5100 1694 847 423 N A N A 5300 294 147 73 N A N A 5410 582 291 145 5 N A N A 5424 486 243...

Page 565: ...ize option and the distance option more buffers will be reserved depending on the frame size With a firmware downgrade those ports that were configured with more reserved buffers will keep the reserved buffers as long as the ports remain online The next time the port is toggled buffers will again be reserved on the basis of distance only When a port is configured with the buffers option A firmware...

Page 566: ...it recovery E_Ports must be connected between devices that support 16 Gbps or between devices that support 8 Gbps Devices that support 16 Gbps Brocade 6505 6510 6520 FC8 32E FC8 48E FC16 32 FC16 48 Devices that support 8 Gbps Brocade 300 5100 5300 5410 5424 5450 5480 VA 40FC FC8 16 FC8 32 FC8 48 If a device that supports 16 Gbps is connected to a device that supports only 8 Gbps buffer credit reco...

Page 567: ...EX_Ports do not support the same data rate Either end of the ISL must support buffer credit recovery If the inter fabric link IFL connects devices that support 8 Gbps only long distance mode must also be enabled Long distance mode can be enabled or disabled on devices that support 16 Gbps Virtual Channel flow control VC_RDY or Extended VC flow control EXT_VC_RDY mode must be in use Buffer credit r...

Page 568: ...nclude the fecEnable option or issue the portCfgFec command with the enable option 3 Enter the portCfgFec show command to verify the configuration Example switch admin portcfglongdistance 1 20 LS 1 distance 122 fecenable FEC has been enabled Reserved Buffers 982 Warning port 132 may be reserving more credits depending on port speed switch admin portcfgfec show 1 20 Forward Error Correction capable...

Page 569: ...ts connected to xlate domains 609 FC FC routing overview The FC FC routing service provides Fibre Channel routing between two or more fabrics without merging those fabrics For example using FC FC routing you can share tape drives across multiple fabrics without the administrative problems such as change management network management scalability reliability availability and serviceability that migh...

Page 570: ...cs connected by an FC router The Integrated Routing license allows 8 Gbps and 16 Gbps FC ports to be configured as EX_Ports or VEX_Ports supporting FC FC routing Enabling the Integrated Routing license and capability does not require a switch reboot NOTE Brocade recommends that all FC routers in a backbone fabric either have the Integrated Routing license or not It is not recommended to mix licens...

Page 571: ...tiple backbone fabrics is a multi hop topology and is not allowed In an edge fabric that contains a mix of administrative domain AD capable switches and switches that are not aware of AD the FC router must be connected directly to an AD capable switch For more information refer to Use of Admin Domains with LSAN zones and FC FC routing on page 590 VEX edge to VEX edge device sharing is not supporte...

Page 572: ... Fibre Channel fabric with targets and initiators connected through the supported platforms by using an EX_Port or VEX_Port Backbone fabric A backbone fabric is an intermediate network that connects one or more edge fabrics In a SAN the backbone fabric consists of at least one FC router and possibly a number of Fabric OS based Fibre Channel switches refer to Figure 76 on page 575 Inter fabric link...

Page 573: ...c 2 and between edge fabric 2 and edge fabric 3 FIGURE 75 A metaSAN with edge to edge and backbone fabrics and LSAN zones Proxy device A proxy device is a virtual device imported into a fabric by a Fibre Channel router and represents a real device on another fabric It has a name server entry and is assigned a valid port ID When a proxy device is created in a fabric the real Fibre Channel device is...

Page 574: ...ame edge fabric the backbone fabric IDs must be different but the edge fabric IDs must be the same If you configure the same fabric ID for two backbone fabrics that are connected to the same edge fabric a RASLog message displays a warning about fabric ID overlap NOTE Backbone fabrics that share connections to the same edge fabrics must have unique backbone fabric IDs MetaSAN A metaSAN is the colle...

Page 575: ...s For example a host in Fabric 1 can communicate with a target in Fabric 2 as follows A proxy target in Fabric 1 represents the real target in Fabric 2 Likewise a proxy host in Fabric 2 represents the real host in Fabric 1 The host discovers and sends Fibre Channel frames to the proxy target The FC router receives these frames translates them appropriately and then delivers them to the destination...

Page 576: ...st one translate phantom domain is created in the backbone fabric This translate phantom domain represents the entire edge fabric The shared physical devices in the edge have corresponding proxy devices on the translate phantom domain Each edge fabric has one and only one translate phantom domain to the backbone fabric The backbone fabric device communicates with the proxy devices whenever it need...

Page 577: ...mains in the fabric corresponding to the imported edge fabrics with active LSANs defined If you import devices into the backbone fabric then an xlate domain is created in the backbone device in addition to the one in the edge fabric Figure 78 shows a sample physical topology This figure shows four FC routers in a backbone fabric and four edge fabrics connected to the FC routers FIGURE 78 Sample to...

Page 578: ...paths to an xlate domain provide additional bandwidth and redundancy There are some differences in how the xlate domain is presented in the backbone fabric The backbone xlate domains are topologically connected to FC routers and participate in FC FC routing protocol in the backbone fabric Front domains are not needed in the backbone fabric As in the case of an xlate domain in an edge fabric backbo...

Page 579: ...se note that while setting secret keys in the edge switch the front phantom WWN should be used as the remote switch WWN in the edge fabric The front phantom domain s WWN is available through the portCfgExport port command of the EX_Port connecting to the edge fabric The FCR switch should use the edge switch s WWN to configure the secret keys Refer to Secret key pairs for DH CHAP on page 213 for mo...

Page 580: ...Verify that Fabric OS v7 0 1 is installed on the FC router as shown in the following example switch admin version Kernel 2 6 14 2 Fabric OS v7 0 1 Made on Fri Nov 18 01 15 34 2011 Flash Mon Nov 21 20 53 48 2011 BootProm 1 0 9 2 If you are configuring a Backbone enter the slotShow command to verify that an FX8 24 blade is present or an 8 Gbps or 16 Gbps port blade is present The following example s...

Page 581: ...forms FC FC routing and fabric mode Top Talker monitors are concurrently supported only on the Brocade 6510 and 6520 switches and on the Brocade DCX Backbone family with only 16 Gbps capable ports Backbone fabric IDs If your configuration has only one backbone fabric then you do not need to assign a backbone fabric ID because the backbone fabric ID in this situation defaults to a value of 128 The ...

Page 582: ...witch admin fosconfig disable fcr FC Router service is disabled switch admin fcrconfigure FC Router parameter set cr to skip a parameter Please make sure new Backbone Fabric ID does not conflict with any configured EX Port s Fabric ID Backbone fabric ID 1 128 128 switch admin fosconfig enable fcr FC Router service is enabled switch admin switchenable FCIP tunnel configuration The optional Fibre Ch...

Page 583: ... one connected to the Fabric OS switch by issuing the portDisable command switch admin portdisable 7 10 You can verify that the port has been disabled by issuing the portShow command for the port 2 Configure each port that connects to an edge fabric as an EX_Port or VEX_Port Note the following portCfgVEXPort works only on VE_Ports portCfgEXPort only on the FC ports on the FC router commands work o...

Page 584: ...ge fabric 3 Optional Configure FC router port cost if you want to change the default values For information about using FC router port cost operations refer to FC router port cost configuration on page 587 4 Optional Set up ISL or EX_Port trunking For information on trunking setup refer to Configuring EX_Port trunking on page 542 5 Enter the portEnable command to enable the ports that you disabled...

Page 585: ...te ON 9 Enter either the portCfgEXPort or portShow command to verify that each port is configured correctly switch admin portcfgexport 7 10 Port 7 10 info Admin enabled State NOT OK Pid format Not Applicable Operate mode Brocade Native Edge Fabric ID 30 Preferred Domain ID 160 Front WWN 50 06 06 9e 20 38 6e 1e Fabric Parameters Auto Negotiate R_A_TOV Not Applicable E_D_TOV Not Applicable Authentic...

Page 586: ..._err 0 Ols_in 0 2_parity_err 0 Ols_out 0 CMI_bus_err 0 Port part of other ADs No 10 Enter the switchShow command to verify the EX_Port or VEX_Port edge fabric ID and name of the edge fabric switch containing the E_Port or VE_Port are correct 11 Enter the fcrFabricShow command to view any edge fabric switch names and ensure links are working as expected NOTE The fcrFabricShow command displays the s...

Page 587: ... cost is similar to the link cost setting available on E_Ports which allows you to customize traffic flow The router port link cost values are either 1000 or 10 000 The router module chooses the router port path based on the lowest cost for each FID connection If multiple paths exist where one path costs less than the others then the lowest cost path is used If exchange based routing has not been ...

Page 588: ...one path to another Using multiple paths in parallel to increase effective data transmission rates EX_Ports and VEX_Ports when connected are assigned different router port costs and traffic will flow only through the EX_Ports Routing failover is automatic but it can result in frames arriving out of order when frames take different routes The FC router can force in order delivery although frame del...

Page 589: ... as you do regular E_Ports EX_Port frame trunking support is designed to provide the best utilization and balance of frames transmitted on each link between the FC router and the edge fabric You should trunk all ports connected to the same edge fabrics The FC router front domain has a higher node WWN derived from the FC router than that of the edge fabric Therefore the FC router front domain initi...

Page 590: ... a result you must not use the network address authority NAA field in the WWN to detect an FC router LSAN zone enforcement in the local fabric occurs only if the Admin Domain member list contains both of the devices local and imported device specified in the LSAN zone For more information refer to Chapter 17 Managing Administrative Domains Zone definition and naming Zones are defined locally on a ...

Page 591: ...istrative control then separate administrators maintain access control Controlling device communication with the LSAN The following procedure illustrates how LSANs control which devices can communicate with each other The procedure shows the creation of two LSANs called lsan_zone_fabric75 and lsan_zone_fabric2 which involve the following devices and connections Switch1 and the host in fabric75 Swi...

Page 592: ...id COS PortName NodeName TTL sec NL 0508e8 3 50 05 07 61 00 5b 62 ed 50 05 07 61 00 1b 62 ed na FC4s FCP IBM DNEF 309170 F90F Fabric Port Name 20 08 00 05 1e 34 11 e5 Permanent Port Name 50 05 07 61 00 5b 62 ed NL 0508ef 3 50 05 07 61 00 49 20 b4 50 05 07 61 00 09 20 b4 na FC4s FCP IBM DNEF 309170 F90F Fabric Port Name 20 08 00 05 1e 34 11 e5 Permanent Port Name 50 05 07 61 00 49 20 b4 LSAN Yes Th...

Page 593: ...hows the proxy devices in the LSAN switch admin fcrproxydevshow Proxy WWN Proxy Device Physical State Created PID Exists PID in Fabric in Fabric 75 50 05 07 61 00 5b 62 ed 01f001 2 0100e8 Imported 2 10 00 00 00 c9 2b c9 0c 02f000 75 c70000 Imported Total devices displayed 2 On the FC router the host and Target A are imported because both are defined by lsan_zone_fabric2 and lsan_zone_fabric75 Howe...

Page 594: ...ring on page 604 NOTE Because the maximum number of LSANs is configured for each switch if there is a different maximum LSAN count on the switches throughout the metaSAN then the device import export will not be identical on the FC routers You should enter the same maximum LSAN count for all the FC routers in the same backbone that support this feature Verify the configured maximum limit against t...

Page 595: ...N zones The Enforce tag can be up to eight characters long and can contain only letters and numbers The Enforce tag is not case sensitive for example the tag abc is equivalent to ABC and Abc If you specify abc xyz and fab1 as Enforce tags then the FC router accepts only those LSAN zones with names that start with any of the following lsan_abc lsan_xyz lsan_fab1 In this example the following LSAN z...

Page 596: ...tag Rules for LSAN tagging Note the following rules for configuring LSAN tags You configure the tags on the FC router and not on the edge switches If Virtual Fabrics is enabled you configure the tags on the base switch on which the EX_Ports and VEX_Ports are located You then must ensure that the LSAN zones in the edge fabrics incorporate the tags correctly The LSAN tags are configured per FC route...

Page 597: ...ics to incorporate the tag in the names Example sw0 admin switchdisable sw0 admin fcrlsan add enforce enftag1 LSAN tag set successfully sw0 admin switchenable Configuring a Speed LSAN tag 1 Log in to the FC router as admin 2 Enter the following command to create a Speed LSAN tag fcrlsan add speed tagname The tagname variable is the name of the LSAN tag you want to create 3 Change the names of the ...

Page 598: ...er as admin 2 Enter the fcrlsan show command Example sw0 admin fcrlsan show enforce Total LSAN tags 1 ENFORCE enftag1 sw0 admin fcrlsan show speed Total SPEED tags 1 SPEED fasttag2 sw0 admin fcrlsan show all Total LSAN tags 2 ENFORCE enftag1 SPEED fasttag2 LSAN zone binding LSAN zone binding is an optional advanced feature that increases the scalability envelope for very large metaSANs NOTE LSAN z...

Page 599: ...en the two groups the number of FC routers and devices supported in the backbone fabric can be higher Figure 81 on page 599 shows a sample metaSAN with four FC routers in the backbone fabric Without LSAN zone binding each FC router in the backbone fabric would store information about LSAN zones 1 2 3 and 4 FIGURE 81 LSAN zone binding After you set up LSAN zone binding each FC router stores informa...

Page 600: ... Fabric OS versions earlier than v6 1 0 If a new FC router joins the backbone fabric the matrix database is automatically distributed to that FC router unless it has a different LSAN fabric matrix or FC router matrix or both defined already Note the following for FC routers running a Fabric OS version earlier than 6 1 0 The matrix database is not automatically distributed from this FC router to ot...

Page 601: ...e fabrics can still communicate with the backbone fabric LSAN fabric matrix definition With LSAN zone binding you can specify pairs of fabrics that can access each other Using the metaSAN shown in Figure 81 as an example the following edge fabrics can access each other Fabric 1 and Fabric 2 Fabric 2 and Fabric 3 Fabric 4 and Fabric 5 Fabric 5 and Fabric 6 You can use the fcrLsanMatrix command with...

Page 602: ...hanges persistently FCR Admin fcrlsanmatrix apply all Example FCR Admin fcrlsanmatrix add fcr 10 00 00 60 69 c3 12 b2 10 00 00 60 69 c3 12 b3 FCR Admin fcrlsanmatrix add lsan 4 5 FCR Admin fcrlsanmatrix add lsan 4 7 FCR Admin fcrlsanmatrix add lsan 10 19 FCR Admin fcrlsanmatrix apply all Viewing the LSAN zone binding matrixes 1 Log in to the FC router as admin 2 Enter the following command to view...

Page 603: ...ese parameters manually To change the fabric parameters on a switch in the edge fabric use the configure command Note that to access all of the fabric parameters controlled by this command you must disable the switch using the switchDisable command If executed on an enabled switch only a subset of attributes is configurable To change the fabric parameters of an EX_Port on the FC router use the por...

Page 604: ...ast traffic Displaying the current broadcast configuration 1 Log in to the FC router as admin 2 Enter the following command fcr admin fcrbcastconfig show This command displays only the FIDs that have the broadcast frame option enabled The FIDs that are not listed have the broadcast frame option disabled Enabling broadcast frame forwarding 1 Log in to the FC router as admin 2 Enter the following co...

Page 605: ...changing this limit Proxy Device Slots The physical and proxy devices use the 10 000 device slots The information shows the maximum pool size for translate phantom node and port WWNs and shows the number of translate node and port WWNs from this pool Phantom Node WWNs Phantom Port WWNs Max proxy devices Max NR_Ports The following example shows the use of the fcrResourceShow command to display phys...

Page 606: ...gical switch that is in the same chassis or a different chassis However the FID of the EX_Port must be set to a different value than the FID of the logical switch to which it connects EX_Ports and VEX_Ports those in FC routers and those in a base switch cannot connect to any edge fabric with logical switches configured to use XISLs If you connect an EX_Port or VEX_Port to an edge fabric you must e...

Page 607: ...he base fabric The logical switches in Fabric 1 are configured to allow XISL use You cannot connect an EX_Port to these logical switches so the device in Fabric 1 cannot communicate with the other two devices FIGURE 82 EX_Ports in a base switch Figure 83 shows a logical representation of the physical chassis and devices in Figure 82 As shown in Figure 83 Fabric 128 and Fabric 15 are edge fabrics c...

Page 608: ...bone to edge routing If you connect a legacy FC router to a base switch you must set the backbone FID of the FC router to be the same as that of the base switch In Figure 82 no devices can be connected to the backbone fabric Fabric 8 because base switches cannot have F_Ports Figure 84 shows an FC router in legacy mode connected to a base switch This FC router can have devices connected to it and s...

Page 609: ...f you replace an 8 Gbps port blade with an FX8 24 blade the EX_Port configuration remains the same for the first 12 FC ports on the FX8 24 blade If you replace an 8 Gbps port blade or FX8 24 blade with another 8 Gbps port blade the EX_Port configuration remains the same Displaying the range of output ports connected to xlate domains The edge fabric detects only one front domain from an FC router c...

Page 610: ...em port 35 cost 500 costCnt 0 type 1 LinkId 57 out port 129 rem port 18 cost 500 costCnt 0 type 1 The following example also shows the use of the lsDbShow display on the edge fabric The front domain domain 3 has two links representing two EX_Port connections with output ports 129 and 132 Domain 3 Link State Database Entry pointer 0x100bbcc0 linkCnt 4 flags 0x0 LinkId 199 out port 129 rem port 2 co...

Page 611: ...vely The corresponding QSFP number for the port is also shown For a core blade no PID exists in the Address column switch FID128 admin switchshow slot 3 qsfp switchName switch name switchType 121 3 switchState Online switchMode Native switchRole Subordinate switchDomain 75 switchId fffc4b switchWwn 10 00 00 05 1e 4f eb 00 zoning ON zoning name switchBeacon OFF FC Router OFF Allow XISL Use OFF LS A...

Page 612: ...ocade DCX 8510 8 Backbone The Address column shows the PID switch FID128 admin switchshow slot 1 switchName DCX8510_8 output truncated LS Attributes FID 128 Base Switch No Default Switch Yes Address Mode 0 Index Slot Port Address Media Speed State Proto 0 1 0 500000 N16 No_Module FC 1 1 1 500100 N16 No_Module FC 2 1 2 500200 N16 No_Module FC output truncated Example of port index mapping on an FC8...

Page 613: ...0 N8 No_Module output truncated 48 1 48 0a3000 N8 No_Module 49 1 49 0a3100 N8 No_Module 50 1 50 0a3200 N8 No_Module output truncated 62 1 62 0a3e00 N8 No_Module 63 1 63 0a3f00 N8 No_Module 64 2 0 0a4000 N8 No_Module output truncated Example of port indexing on an FX8 24 blade on a DCX 8510 8 Backbone This example shows the truncated switchShow output for an FX8 24 application blade on the Brocade ...

Page 614: ... index numbers to PIDs will vary depending on blade type platform type and slot number switch FID128 admin switchshow slot 2 switchName myswitch output truncated Slot Blade Type ID Model Name Status 2 AP BLADE 43 FS8 18 ENABLED Index Slot Port Address Media Speed State Proto 16 2 0 501000 N8 No_Module FC 17 2 1 501100 N8 No_Module FC 18 2 2 501200 N8 No_Module FC 19 2 3 501300 N8 No_Module FC 20 2...

Page 615: ...ts are performed whenever an RSA key pair is generated These tests verify the randomness of the deterministic random number generator DRNG and the non deterministic random number generator non DRNG They also verify the consistency of RSA keys with regard to signing and verification and encryption and decryption ATTENTION FIPS mode when enabled is a chassis wide setting that affects all logical swi...

Page 616: ... generic default passwords set To maintain FIPS 140 2 compliance passwords for the default accounts admin and user must be changed after every zeroization operation RADIUS secret aaaConfig remove The aaaConfig remove command zeroizes the secret and deletes a configured server The aaaConfig add command configures the RADIUS server RNG seed key No command required dev urandom is used as the initial ...

Page 617: ... can run the fipsCfg enable fips command to enable FIPS mode but you must configure the switch first Self test mode must be enabled before FIPS mode can be enabled A set of prerequisites as shown in Table 87 must be satisfied for the system to enter FIPS mode To be FIPS compliant the switch must be rebooted For directors either reboot both CPs or power the chassis down and then up again KATs are r...

Page 618: ...CBC cipher suites No restrictions SSH public keys RSA 1024 bit keys and RSA 2048 bit keys RSA 1024 bit keys RSA 2048 bit keys and DSA 1024 bit keys TACACS authentication Not supported Supported Telnet SSH access Only SSH Telnet and SSH TABLE 88 FIPS and non FIPS modes of operation FIPS mode non FIPS mode The certificate of the CA that issued the Microsoft Active Directory server certificate must b...

Page 619: ...elect an item 1 4 4 4 Specify the DNS IP address using either IPv4 or IPv6 This address is needed for the switch to resolve the domain name to the IP address because LDAP initiates a TCP session to connect to your Microsoft Active Directory server A Fully Qualified Domain Name FQDN is needed to validate the server identity as mentioned in the common name of the server certificate 3 Set the switch ...

Page 620: ...the switch This command will prompt for the remote IP and login credentials to retrieve the CA certificate The CA certificate should be in any of the standard certificate formats cer crt or pem LDAP CA certificate file names should not contain spaces when using the secCertUtil command to import and export the certificate Importing an LDAP switch certificate This procedure imports the LDAP CA certi...

Page 621: ...ions or an account with OM permissions for the PKI RBAC class of commands 2 Enter the secCertUtil show ldapcacert command to determine the name of the LDAP certificate file 3 Enter the secCertUtil delete ldapcacert file_name command where file_name is the name of the LDAP certificate on the switch Example of deleting an LDAP CA certificate switch admin seccertutil delete ldapcacert swLdapca pem WA...

Page 622: ...ble FIPS 16 Perform zeroization as described in the section Zeroizing for FIPS on page 624 Enabling FIPS mode 1 Log in to the switch using an account with securityadmin permissions 2 Enter the sshutil delpubkeys and sshutil delprivkey commands to remove legacy OpenSSH DSA keys These keys which previously were the default keys migrate to Fabric OS v7 0 0 but are no longer supported in FIPS mode You...

Page 623: ...he rule to block access to Telnet HTTP and RPC ports ipfilter addrule policyname rule rule_number sip source_IP dp dest_port proto protocol act deny The sip option can be given as any The dp options for the port numbers for Telnet HTTP and RPC are 23 80 and 898 respectively The proto option should be set to TCP c Activate each IP filter policy Refer to Activating an IP Filter policy on page 219 d ...

Page 624: ... Example myswitch root portdisable 0 myswitch root portcfgencrypt disable 0 myswitch root portenable 0 12 Enter the ipSecConfig disable command to disable Ethernet IPsec 13 Disable IPsec for FCIP connections The procedure depends on the type of extension blade used For FX8 24 extension blades enter the portCfg fciptunnel slot port modify ipsec 0 command 14 Enter the portCfg mgmtif delete command t...

Page 625: ... should be changed after every zeroization operation to maintain FIPS 140 2 compliance 3 Power cycle the switch Displaying FIPS configuration 1 Log in to the switch using an account with admin or securityadmin permissions or a user account with OM permissions for the FCIPCfg RBAC class of commands 2 Enter the fipsCfg showall command ...

Page 626: ...626 Fabric OS Administrator s Guide 53 1002745 02 Preparing a switch for FIPS B ...

Page 627: ... Channel uses hexadecimal notation in hex triplets to specify well known addresses and port IDs Example conversion of the hexadecimal triplet Ox616000 Notice the PID 610600 bolded in the nsShow output is in hexadecimal switch admin nsshow Type Pid COS PortName NodeName TTL sec N 610600 2 3 10 00 00 00 c9 29 b3 84 20 00 00 00 c9 29 b3 84 na FC4s FCP NodeSymb 36 Emulex LP9002 FV3 90A7 DV5 5 10A10 Fa...

Page 628: ... 42 43 44 45 46 Decimal 71 72 73 74 75 76 77 78 79 80 Hex 47 48 49 4a 4b 4c 4d 4e 4f 50 Decimal 81 82 83 84 85 86 87 88 89 90 Hex 51 52 53 54 55 56 57 58 59 5a Decimal 91 92 93 94 95 96 97 98 99 100 Hex 5b 5c 5d 5e 5f 60 61 62 63 64 Decimal 101 102 103 104 105 106 107 108 109 110 Hex 65 66 67 68 69 6a 6b 6c 6d 6e Decimal 111 112 113 114 115 116 117 118 119 120 Hex 6f 70 71 72 73 74 75 76 77 78 Dec...

Page 629: ...204 205 206 207 208 209 210 Hex c9 ca cb cc cd ce cf d0 d1 d2 Decimal 211 212 213 214 215 216 217 218 219 220 Hex d3 d4 d5 d6 d7 d8 d9 da db dc Decimal 221 222 223 224 225 226 227 228 229 230 Hex dd de df e0 e1 e2 e3 e4 e5 e6 Decimal 231 232 233 234 235 236 237 238 239 240 Hex e7 e8 e9 ea eb ec ed ef ee f0 Decimal 241 242 243 244 245 246 247 248 249 250 Hex f1 f2 f3 f4 f5 f6 f7 f8 f9 fa Decimal 25...

Page 630: ...630 Fabric OS Administrator s Guide 53 1002745 02 Hexadecimal Conversion C ...

Page 631: ...uthentication 211 configuring F_Port trunking on 544 considerations for Advanced Performance Monitoring 501 F_Port trunking for 543 F_Port trunking requirements on 544 N_Port failover with FA PWWN 431 shared secrets 213 accessing devices 192 hosts 192 switches and fabrics 192 zones 192 account ID 58 account management for Virtual Fabrics 286 accounts 133 176 changing parameters 139 creating 138 de...

Page 632: ...l switches in fabric fabric mode 513 zone members 317 address IPv4 filter policy 220 IPv6 filter policy 220 addressing mode 10 bit 80 256 area 81 core PID 80 fixed 80 420 Admin Domain number and domain ID 434 Admin Domains about 433 access levels 435 ACL policy considerations 196 activating 446 AD list Microsoft Active Directory 165 OpenLDAP 170 RADIUS 155 TACACS 173 AD0 436 AD255 436 437 adding m...

Page 633: ...plications blade compatibility 96 listener applications blocked 192 used by switches 192 aptPolicy command 119 121 assigning user defined roles 137 assigning users to Admin Domains 444 audit log configuration 107 configuring for specific event classes 108 auditCfg command 108 auditDump command 109 AUTH module Virtual Fabric considerations 208 AUTH policy 207 208 distributing fabric wide 217 authen...

Page 634: ...rmware 263 bladeCfgGeMode command 477 bladeDisable command 97 bladeEnable command 97 bladeSwap command 97 blocked listener applications list 192 blocking telnet access 190 bond0 logical network interface 85 boot PROM password 145 149 Backbone with recovery string 146 Backbone without recovery string 148 switch with recovery string 145 switch without recovery string 147 bottleneck 375 392 access ga...

Page 635: ...edit recovery 566 buffer credits 115 allocating 557 562 for average size frames 560 for F_Ports 562 for full size frames 557 by switch model 563 buffer to buffer credits 115 555 C capitalization in commands 56 certificate signing request See CSR certificates browser configuring 186 certificate authorities CA 183 FCAP 208 importing for FCAP 216 installing on switch 185 installing root certificate f...

Page 636: ...332 cfgAdd 329 530 cfgClear 333 cfgCreate 328 cfgDelete 331 cfgDisable 330 cfgEnable 330 348 368 cfgRemove 329 532 cfgSave 314 cfgShow 131 316 322 331 332 cfgSize 328 cfgTransAbort 331 cfgTransShow 343 chassisDistribute 224 226 chassisName 75 chassisShow 103 classConfig 135 cliHistory 59 configDefault 250 460 configDownload 246 248 250 251 336 479 restrictions 246 Virtual Fabrics mode restrictions...

Page 637: ...k 503 perfTTmon 513 514 515 portBufferCalc 399 portBufferShow 402 562 399 portCfg 624 portCfgCompress 397 404 405 portCfgEncrypt 397 404 405 624 portCfgExPort 414 415 418 portCfgExport 579 portCfgFec 128 portCfgFillWord 88 553 portCfgISLMode 115 118 portCfgLongDistance 129 553 portCfgNpivPort 421 422 portCfgOctetSpeedCombo 93 476 portCfgPersistentDisable 90 portCfgPersistentEnable 89 portCfgQos 51...

Page 638: ...current zone transactions 342 conditional tests for FIPS 617 configDefault command 250 460 configDownload command 246 248 250 251 336 479 restrictions 246 Virtual Fabrics mode restrictions 252 configShow command 241 configUpload command 241 244 250 251 258 336 479 in Admin Domain context 460 Virtual Fabrics mode restrictions 252 configuration changing for SNMPv3 or SNMPv1 190 configDownload comman...

Page 639: ...ches 279 connecting device to a switch 88 multiple EX_Ports to an edge fabric 579 switches running different firmware versions 78 to devices 78 to switch 78 connection restrictions 136 ssh 57 telnet 57 consistency policies matching fabric wide 229 consistency policies non matching fabric wide 230 console session on serial port 56 control processor See CP converting hexadecimal numbers 627 629 core...

Page 640: ...er monitors 515 DCC policy 205 end to end monitors 504 frame monitors 508 frame redirect zones 131 IP Filter policy 219 LDAP certificates 621 logical switches 294 private key from switch 182 public key from switch 182 rule from an IP Filter policy 223 TI zones 369 zone configurations 331 zones 320 delivery order forcing for frames 123 deploying secure protocols 178 device accessing 192 configuring...

Page 641: ...g authorization policy fabric wide 217 FCS policies 202 IP Filter policy 224 local ACL policies 227 local user account database 140 distribution policy states 202 DLS computation trigger 122 effect on other logical switches 127 overview 122 rebalancing triggers 126 See also Dynamic Load Sharing dlsReset command 122 dlsSet command 122 127 dlsShow command 122 dnsConfig command 619 domain ID and Admi...

Page 642: ... 398 license 394 payload length 395 payload size limits 395 restrictions 394 using SSL 182 viewing configuration 401 encryption keys expiration 396 end to end EE monitoring 501 end to end monitors deleting 504 restoring configuration 515 saving configuration 515 setting a mask 503 end to end performance monitoring 501 end to end transport tunnel mode example 238 enforce LSAN tag 595 enforcement of...

Page 643: ...teway 544 F_Port trunking 543 550 and Virtual Fabrics 548 configuring for Brocade adapters 545 considerations 546 for access gateways 543 for Brocade adapters 545 fabric access 192 adding Top Talker monitors 513 addresses See PID authentication availability 207 authentication license 207 authentication policies 207 217 changing name 75 configurations in 250 connectivity 103 deleting all Top Talker...

Page 644: ...ion 207 generating key and CSR 215 importing security certificate 216 importing switch certificate 216 PKI certificates required 207 specifying as authentication protocol 212 starting authentication 217 FC FC routing and FCIP 582 and Virtual Fabrics 606 backbone to edge 576 configurations supported 571 edge to edge 576 fabric mode Top Talker monitors 581 license requirements 570 platforms supporte...

Page 645: ... mode configuration 617 621 enabling 622 LDAP 618 LDAP certificates 620 restrictions 617 fipsCfg command 617 623 624 625 Firefox root certificate installation and verification 187 SSL support 182 firmware 255 273 Backbone 262 265 Backbone download process overview 262 Backbone version testing 270 downgrading 257 download process 255 downloading without a password 257 FA PWWN upgrade and downgrade ...

Page 646: ...ect zones 130 deleting frame redirect zones 131 discovering why dropped 124 forcing delivery order 123 restoring unordered delivery order 123 viewing frame redirect zones 131 FreeRADIUS clients enabling 158 configuring 156 Fabric OS user setup 154 user adding 157 vendor attributes 157 See also RADIUS and Linux FSPF described 112 number of routes supported 112 path calculation 113 traffic isolation...

Page 647: ...and port decommissioning 396 in flight encryption configuring 404 disabling 405 license 394 port decommissioning 396 restrictions 394 in flight encryption and compression 393 418 on EX_Ports 411 overview 393 ingress rate limiting 518 519 disabling 519 Virtual Fabrics considerations 519 in order frame delivery forcing 123 installing certificates on switch 185 LDAP certificates 620 root certificate ...

Page 648: ...L 78 best practices 114 configuring extended 553 fabric parameters 114 logical fabrics and 282 maximum distances in LO mode 78 ISL R_RDY mode 117 ISL trunking disabling 538 enabling 538 over long distance fabrics 540 islShow command 400 524 538 J Java installing root certificate in plugin 187 installing root certificate to plugin 187 support for SSL 182 supported version 183 Java plugin installing...

Page 649: ... Extended Fabrics 551 fabric authentication 207 ICL 471 472 491 ICL 16 link 472 ICL 1st POD 471 ICL 2nd POD 471 ICL 8 link 472 in flight encryption 394 installation requirements and location 467 Integrated Routing 570 preserving 463 purchasing keys 484 removing expired 480 removing features 482 requirements for SID DID prioritization 520 requirements for trunking 535 reserving for POD 488 slot bas...

Page 650: ...se 299 basic configuration values 291 changing to a base switch 297 commanding in a different context 293 connected devices and 279 creating 292 deleting 294 displaying configuration 296 DLS effect on 127 fabric IDs and 277 management model 281 moving ports 295 multiple FIDs 282 number 277 number per chassis 288 port assignment 278 restoring configuration 251 Top Talkers and 295 unique names for 7...

Page 651: ...ons 328 monitor configuration restoring 515 monitoring end to end performance 501 frames 505 trunks 515 Mozilla Firefox See Firefox msCapabilityShow command 45 msConfigure command 46 47 msPlatShow command 45 48 msPlClearDb command 49 msplMgmtActivate command 44 45 msplMgmtDeactivate command 44 45 mstdDisable command 50 mstdEnable command 49 mstdReadConfig command 49 N N_Port ID Virtualization See ...

Page 652: ...sswords boot PROM 145 149 Backbone with recovery string 146 Backbone without recovery string 148 switch with recovery string 145 switch without recovery string 147 local user accounts 139 policies for 141 145 rules 139 path calculation using FSPF 113 path selection for routing 112 paths defined 112 payload size limits for encryption 395 PEAP MSCHAPv2 159 618 622 perfAddEeMonitor command 502 perfCf...

Page 653: ... 207 SCC and Virtual Fabric considerations 206 security 195 240 switch database distribution setting 224 policy ACL deleting 197 ACL distribution 227 activating IP Filter 219 adding rule to an IP Filter policy 223 authentication restrictions 211 cloning an IP Filter 218 creating DCC 204 creating FCS 201 creating for IP Filter 218 creating SCC 207 DCC deleting 205 DCC restrictions 203 default IP Fi...

Page 654: ...ing 289 serial connection 56 setting mode 90 setting speed for a port octet 93 slave port bottleneck detection 390 SNMP filtering 189 speed and number of encryption compression ports 401 Top Talker monitor adding 513 port area ID 87 port area IDs swapping 88 port decommissioning on port with in flight encryption compression 396 port groups for trunking 535 port identifier See also PID port index 6...

Page 655: ... for virtual channels 115 private key deleting from switch 182 generation 183 PRLI 52 protocol Fibre Channel Common Transport FC CT described 44 HTTPS described 177 IPsec described 177 LDAPS described 177 SCP described 177 secure HTTPS 178 SCP 178 SNMPv1 178 SNMPv2 178 SNMPv3 178 SSHv2 178 SNMP described 177 SSH described 178 SSL 182 SSL described 178 telnet 190 protocols authentication 212 IP sec...

Page 656: ...Fabric OS 56 role permissions 135 recommendations for trunk groups 537 recovering a device 53 redirecting frames 130 Registered State Change Notification 52 rejecting distributed user databases locally 141 releasing a port from a POD set 488 remote access policies 159 remote authentication 149 176 adding server to the switch configuration 175 changing authentication server configuration 175 changi...

Page 657: ...route selection 122 setting AP route policy 121 setting policy 121 Virtual Fabrics 120 routing policies 118 121 VE_Ports 119 RPC unsupported in FIPS mode 617 RSA key pair generation 180 RSA RADIUS server 160 RSA RADIUS server setup 160 RSA SecurID 160 RSCN 74 RSCN See Registered State Change Notification rsh listener application 192 rstats listener application 192 rule adding to an IP Filter polic...

Page 658: ... 178 security scenarios 178 serial number location on switch 39 serial port connection 56 serial port console session 56 Server Application Optimization See SAO sessions maximum allowed 136 setContext command 121 299 setting changing passwords 62 chassis configurations 93 chassis management IP interface 65 date 69 default zone mode 443 fabric wide consistency policy 228 mask for end to end monitor...

Page 659: ...ck 391 status of equipment 102 status policy threshold values setting 106 status policy threshold values viewing 105 supported browsers 182 supportSave command 39 swapping blades 97 100 SW EXTTRAP 189 switch access 192 access methods Web Tools 55 ACL policy distribution 227 activation and deactivation 76 adding public key 180 applications used 192 buffer credits by model 563 certificates installin...

Page 660: ... service ADList 173 Admin Domains configuring 173 authentication service 171 configuration 171 configuration displaying 176 disabling 175 enabling 175 home Virtual Fabric 173 homeAD 173 LINUX based 172 modifying 175 overview 134 password expiration configuring 174 user adding 172 vendor attributes 172 Virtual Fabrics configuring 173 Windows server based 174 tags for LSAN zones 594 telnet blocking ...

Page 661: ... traffic prioritization 527 QoS zone based 523 SID DID 519 traffic selector and IP sec 235 traffic support 111 traffic limiting from a device 519 transaction model for managing Admin Domains 442 transform set and IP sec 235 transform set defined 235 traps MIB 188 SNMP 188 trunk area and admin domains 540 trunk area enabling DCC policy on 550 trunk groups configuring 538 recommendations 537 require...

Page 662: ...r defined role assigning 137 creating 136 managing 136 137 User Principal Name 163 users assigning to Admin Domains 444 authenticating 134 using security certificates 182 V validating a zone 323 validating Admin Domain members 454 VE_Ports described 84 routing policy 119 XISL and FX8 24 287 verification check 580 verifying device connectivity 78 104 High Availability features 103 host syslog 108 v...

Page 663: ...orm services 45 policy database distribution considerations 225 ports moving 295 QoS zone based traffic prioritization considerations 528 RADIUS configuration 155 RADIUS server configuration 155 restrictions 288 SCC policy considerations 206 supported platforms 286 TACACS service 173 TI zone considerations 361 364 with traffic isolation over FCR 363 XISL allowing on logical switches 299 zone alias...

Page 664: ... zone configuration defined 308 enabling a configuration 330 existing 316 frame redirection 303 LSAN 303 maximum database size 327 merging 327 336 342 merging scenarios 339 no access 326 objects 306 optimizing resources 304 QoS 304 QoS zones defined 525 removing members 318 from a configuration 329 replacing member 319 saved zone configuration defined 308 schemes 307 setting default zoning mode 32...

Page 665: ...Fabric OS Administrator s Guide 665 53 1002745 02 zoneRemove command 318 zoneShow command 322 zoning advanced 303 342 advanced commands 304 defined 304 enforcement 308 on logical ports 316 overview 304 ...

Page 666: ...666 Fabric OS Administrator s Guide 53 1002745 02 ...

Reviews:

No comments

Brands by name

Popular brands

Load more brands