manualshive.com logo in svg

HP Fabric OS v7.0.1, Administrator'S Manual

Share
Download
HP Fabric OS v7.0.1 Administrator'S Manual Download Page 566

528

Fabric OS Administrator’s Guide

53-1002446-01

Preparing the switch for FIPS

C

Disable in-flight encryption.

Disable IPsec for Ethernet and IPsec for FCIP.

Disable in-band management.

Disable root access.

Enable the KATs and the conditional tests.

Enable FIPS.

Enabling FIPS mode

1. Log in to the switch using an account with securityadmin permissions.

2. Enter the sshutil delpubkeys and sshutil delprivkey commands to remove legacy OpenSSH DSA 

keys. 

These keys, which were previously the default, do migrate to Fabric OS v7.0.0 but are no longer 
supported in FIPS mode. You must remove them to remain FIPS compliant.

NOTE

Support for RSA keys is retained. You can implement RSA keys using the sshutil command.

3.

Optional:

 Select the appropriate authentication method based on your needs:

If the switch is set for RADIUS, enter the aaaConfig

 --

change or aaaConfig

 --

remove 

command to modify each server to use only PEAP-MS-CHAPv2 as the authentication 
protocol.

The RADIUS server must also be configured to use only PEAP-MS-CHAPv2. Note that 
among the Windows RADIUS servers supported, only Windows 2000- and Windows 
2003-based RADIUS servers may be used in a FIPS-compliant configuration.

If the switch is set for LDAP, refer to the instructions in 

“Setting up LDAP for FIPS mode”

 on 

page 524.

4.

Optional:

 Set the authentication protocols.

a. Enter the authUtil

 --

set -h sha1 command to set the hash type for MD5, which is used in 

the DHCHAP and FCAP authentication protocols.

b. Enter the authUtil

 --

set -g 

n

 command (where 

n

 represents the DH group) to set the DH 

group to 1, 2, 3, or 4.

5. Install the LDAP CA certificate on the switch and Microsoft Active Directory server. Refer to 

“LDAP certificates for FIPS mode”

 on page 526.

6. Enter the ipFilter

 --

show command and verify that no active IP filter policy permits access to 

telnet, HTTP, or RPC ports, even if a higher priority policy explicitly denies such access. If an 
active IP policy does permit any of these ports, you must modify or deactivate the policy. Create 
separate policies for ipv4 and ipv6, and block access on Telnet, HTTP, and RPC ports.

a. Enter the ipFilter command to create IP Filter policies for IPv4 and IPv6. Refer to 

“Creating 

an IP Filter policy”

 on page 153.

b.  Add rules to each IP Filter policy, see 

“Adding a rule to an IP Filter policy”

 on page 159. You 

can use the following modifications to the rule to block access to telnet, HTTP, and RPC 
ports:

Summary of Contents for Fabric OS v7.0.1

Page 1: ...53 1002446 01 15 December 2011 Fabric OS Administrator s Guide Supporting Fabric OS v7 0 1 ...

Page 2: ...and obtain a copy of the programming source code please visit http www brocade com support oscd Brocade Communications Systems Incorporated Document History Corporate and Latin American Headquarters Brocade Communications Systems Inc 130 Holger Way San Jose CA 95134 Tel 1 408 333 8000 Fax 1 408 333 8101 E mail info brocade com Asia Pacific Headquarters Brocade Communications Systems China HK Ltd N...

Page 3: ...pter 1 Understanding Fibre Channel Services In this chapter 3 Fibre Channel services overview 3 Management server 4 Platform services 4 Platform services and Virtual Fabrics 5 Enabling platform services 5 Disabling platform services 5 Management server database 6 Displaying the management server ACL 6 Adding a member to the ACL 6 Deleting a member from the ACL 7 Viewing the contents of the managem...

Page 4: ...h 20 Virtual Fabrics and the Ethernet interface 20 Displaying the network interface settings 21 Static Ethernet addresses 22 DHCP activation 23 IPv6 autoconfiguration 24 Date and time settings 25 Setting the date and time 25 Time zone settings 26 Network time protocol 27 Domain IDs 28 Displaying the domain IDs 29 Setting the domain ID 29 Switch names 30 Customizing the switch name 30 Chassis names...

Page 5: ...D 40 Port identification by index 41 Swapping port area IDs 41 Port activation and deactivation 42 Port decommissioning 43 Setting port speeds 43 Setting the same speed for all ports on the switch 43 Setting port speed for a port octet 44 Blade terminology and compatibility 44 CP blades 47 Core blades 47 Port and application blade compatibility 47 FX8 24 compatibility notes 48 Enabling and disabli...

Page 6: ...4 FSPF 64 Fibre Channel NAT 65 Inter switch links 66 Buffer credits 67 Virtual channels 67 Gateway links 68 Configuring a link through a gateway 69 Routing policies 70 Displaying the current routing policy 70 Exchange based routing 71 Port based routing 71 AP route policy 71 Route selection 72 Dynamic Load Sharing 73 Frame order delivery 74 Forcing in order frame delivery across topology changes 7...

Page 7: ...or a Backbone with a recovery string 94 Setting the boot PROM password for a switch without a recovery string 95 Setting the boot PROM password for a Backbone without a recovery string 96 The authentication model using RADIUS and LDAP 97 Setting the switch authentication mode 99 Fabric OS user accounts 99 Fabric OS users on the RADIUS server 100 The RADIUS server 103 LDAP configuration and Microso...

Page 8: ... Deleting an ACL policy 133 Adding a member to an existing ACL policy 134 Removing a member from an ACL policy 134 Aborting unsaved policy changes 134 FCS policies 135 FCS policy restrictions 135 Ensuring fabric domains share policies 136 Creating an FCS policy 136 Modifying the order of FCS switches 137 FCS policy distribution 137 DCC policies 138 DCC policy restrictions 139 Creating a DCC policy...

Page 9: ...66 Configuration examples 167 IPsec protocols 168 Security associations 169 Authentication and encryption algorithms 169 IPsec policies 170 IKE policies 170 Creating the tunnel 172 Example of an End to end transport tunnel mode 174 Chapter 8 Maintaining the Switch Configuration File In this chapter 177 Configuration settings 177 Configuration file format 178 Configuration file backup 180 Uploading...

Page 10: ...USB using the relative path 202 Downloading from USB using the absolute path 202 FIPS support 202 Public and private key management 202 The firmwareDownload command 203 Power on firmware checksum test 204 Test and restore firmware on switches 204 Testing a different firmware version on a switch 204 Test and restore firmware on Backbones 206 Testing different firmware versions on Backbones 206 Vali...

Page 11: ...itch 230 Displaying logical switch configuration 231 Changing the fabric ID of a logical switch 232 Changing a logical switch to a base switch 232 Setting up IP addresses for a Virtual Fabric 234 Removing an IP address for a Virtual Fabric 234 Configuring a logical switch to use XISLs 234 Changing the context to a different logical fabric 235 Creating a logical fabric using XISLs 235 Chapter 11 Ad...

Page 12: ...ation 255 Removing zones members from a zone configuration 256 Enabling a zone configuration 256 Disabling a zone configuration 257 Deleting a zone configuration 257 Clearing changes to a configuration 258 Viewing all zone configuration information 258 Viewing selected zone configuration information 259 Viewing the configuration in the effective zone database 259 Clearing all zone configurations 2...

Page 13: ...ng TI zones 290 Troubleshooting TI zone routing problems 291 Setting up TI over FCR sample procedure 292 Chapter 13 Bottleneck Detection In this chapter 297 Bottleneck detection overview 297 Types of bottlenecks 298 How bottlenecks are reported 298 Using alerting parameters to determine whether alerts are generated 299 Supported configurations for bottleneck detection 300 Limitations of bottleneck...

Page 14: ... compression 317 Encryption and compression example 317 Example of enabling encryption and compression on a port 318 Example of disabling encryption and compression 320 Chapter 15 NPIV In this chapter 323 NPIV overview 323 Upgrade considerations 324 Fixed addressing mode 324 10 bit addressing mode 324 Configuring NPIV 325 Enabling and disabling NPIV 326 Viewing NPIV port configuration information ...

Page 15: ...ode for Admin Domains 346 Creating an Admin Domain 347 User assignments to Admin Domains 348 Removing an Admin Domain from a user account 350 Activating an Admin Domain 350 Deactivating an Admin Domain 351 Adding members to an existing Admin Domain 351 Removing members from an Admin Domain 352 Renaming an Admin Domain 352 Deleting an Admin Domain 353 Deleting all user defined Admin Domains 354 Del...

Page 16: ...considerations 382 Expired licenses 382 Universal temporary licenses 382 Extending a universal temporary license 383 Universal temporary license shelf life 383 Viewing installed licenses 383 Activating a license 383 Adding a licensed feature 383 Removing a licensed feature 384 Ports on Demand 385 Displaying installed licenses 386 Activating Ports on Demand 387 Dynamic Ports on Demand 387 Displayin...

Page 17: ...splaying EE monitor counters 404 Clearing EE monitor counters 405 Frame monitoring 406 Creating frame types to be monitored 406 Deleting frame types 407 Adding frame monitors to a port 408 Removing frame monitors from a port 408 Saving frame monitor configuration 408 Displaying frame monitors 409 Clearing frame monitor counters 409 Top Talker monitors 410 Top Talker monitors and FC FC routing 411 ...

Page 18: ...ive Networking license 422 Manually disabling QoS on trunked ports 422 QoS zones 424 QoS on E_Ports 425 QoS over FC routers 426 Virtual Fabrics considerations for QoS zone based traffic prioritization 427 High availability considerations for QoS zone based traffic prioritization 428 Supported configurations for QoS zone based traffic prioritization 428 Limitations and restrictions for QoS zone bas...

Page 19: ...ics 447 Configuring F_Port trunking for Access Gateway 447 Configuring F_Port trunking for Brocade adapters 448 Displaying F_Port trunking information 448 Disabling F_Port trunking 449 Enabling the DCC policy on a trunk area 449 Chapter 23 Managing Long Distance Fabrics In this chapter 451 Long distance fabrics overview 451 Extended Fabrics device limitations 452 Long distance link modes 452 Confi...

Page 20: ...unking configuration 484 LSAN zone configuration 485 Use of Admin Domains with LSAN zones and FC FC routing 485 Zone definition and naming 485 LSAN zones and fabric to fabric communications 486 Controlling device communication with the LSAN 486 Configuring backbone fabrics for interconnectivity 489 Setting the maximum LSAN count 489 HA and downgrade considerations for LSAN zones 489 LSAN zone poli...

Page 21: ...2 Correcting errors if LSAN devices appear in only one of the fabrics 513 Completing the configuration 513 Appendix B Port Indexing Appendix C FIPS Support In this appendix 521 FIPS overview 521 Zeroization functions 521 Power on self tests 522 Conditional tests 522 FIPS mode configuration 523 LDAP in FIPS mode 524 LDAP certificates for FIPS mode 526 Preparing the switch for FIPS 527 Overview of s...

Page 22: ...xxii Fabric OS Administrator s Guide 53 1002446 01 ...

Page 23: ...fter creating logical switches 213 Figure 19 Fabric IDs assigned to logical switches 214 Figure 20 Assigning ports to logical switches 214 Figure 21 Logical switches connected to devices and non Virtual Fabrics switch 216 Figure 22 Logical switches in a single chassis belong to separate fabrics 216 Figure 23 Logical switches connected to other logical switches through physical ISLs 217 Figure 24 L...

Page 24: ... switch and device WWNs 345 Figure 55 Filtered fabric views showing converted switch WWNs 345 Figure 56 AD0 and two user defined Admin Domains AD1 and AD2 356 Figure 57 AD0 with three zones 356 Figure 58 Minimum configuration for 64 Gbps ICLs 394 Figure 59 DCX 4S allowed ICL connections 396 Figure 60 ICL triangular topology with Brocade DCX 8510 8 chassis 397 Figure 61 64 Gbps ICL core edge topolo...

Page 25: ...ology 474 Figure 78 Example of setting up Speed LSAN tag 491 Figure 79 LSAN zone binding 494 Figure 80 EX_Ports in a base switch 502 Figure 81 Logical representation of EX_Ports in a base switch 503 Figure 82 Backbone to edge routing across base switch using FC router in legacy mode 504 ...

Page 26: ...xxvi Fabric OS Administrator s Guide 53 1002446 01 ...

Page 27: ...14 Default local user accounts 86 Table 15 Authentication configuration options 98 Table 16 Syntax for VSA based account roles 100 Table 17 Entries in dictionary brocade file 101 Table 18 Secure protocol support 115 Table 19 Items needed to deploy secure protocols 116 Table 20 Main security scenarios 116 Table 21 SSL certificate files 121 Table 22 Blocked listener applications 129 Table 23 Access ...

Page 28: ...cenarios TI zones 267 Table 56 Zone merging scenarios Default access mode 267 Table 57 Zone merging scenarios Mixed Fabric OS versions 268 Table 58 Traffic behavior when failover is enabled or disabled in TI zones 271 Table 59 Example ISL connections 317 Table 60 Number of supported NPIV devices 324 Table 61 AD user types 340 Table 62 Ports and devices in CLI output 359 Table 63 Admin Domain inter...

Page 29: ...ing 495 Table 82 Fabric OS and M EOSc interoperability compatibility matrix 508 Table 83 Fabric OS and M EOSn interoperability compatibility matrix 508 Table 84 Values of portCfgEXPort m option 510 Table 85 Zeroization behavior 521 Table 86 FIPS mode restrictions 523 Table 87 FIPS and non FIPS modes of operation 524 Table 88 Active Directory keys to modify 525 Table 89 Decimal to hexadecimal conve...

Page 30: ...xxx Fabric OS Administrator s Guide 53 1002446 01 ...

Page 31: ...3 Performing Advanced Configuration Tasks provides advanced connection and configuration procedures Chapter 4 Routing Traffic provides information and procedures for using switch routing features Chapter 5 Managing User Accounts provides information and procedures on managing authentication and user accounts for the switch management channel Chapter 6 Configuring Protocols provides procedures for ...

Page 32: ...plementation on SAN switches Chapter 19 Inter chassis Links describes the two different types of ICLs between Brocade Backbones Chapter 20 Monitoring Fabric Performance provides procedures for use of the Brocade Advanced Performance Monitoring licensed feature Chapter 21 Optimizing Fabric Behavior provides procedures for use of the Brocade Adaptive Networking suite of tools including Traffic Isola...

Page 33: ...DCX 8510 Backbone family Brocade DCX 8510 4 Brocade DCX 8510 8 What s new in this document Information that was modified Support for new platforms Brocade 6505 switch FC8 32E port blade FC8 48E port blade Added information about duplication PWWN detection Refer to Duplicate Port World Wide Name on page 13 and Configuring FLOGI time handling of duplicate PWWN on page 60 Added Enterprise ICL license...

Page 34: ...sented in mixed lettercase for example switchShow In actual examples command lettercase is often all lowercase Otherwise this manual specifically notes those cases in which a command is case sensitive Command syntax conventions Command syntax in this manual follows these conventions Notes cautions and warnings The following notices and statements are used in this manual They are listed below in or...

Page 35: ...ese conditions or situations Key terms For definitions specific to Brocade and Fibre Channel see the Brocade Glossary For definitions of SAN specific terms visit the Storage Networking Industry Association online dictionary at http www snia org education dictionary Notice to the reader This document may contain references to the trademarks of the following corporations These trademarks are the pro...

Page 36: ...resource information visit the Technical Committee T11 website This website provides interface standards for high performance and mass storage applications for Fibre Channel storage management and other applications http www t11 org For information about the Fibre Channel industry visit the Fibre Channel Industry Association website http www fibrechannel org Getting technical help Contact your swi...

Page 37: ... command to display the switch WWN If you cannot use the wwn command because the switch is inoperable you can get the WWN from the same place as the serial number except for the Brocade DCX enterprise class platform For the Brocade DCX enterprise class platform access the numbers on the WWN cards by removing the Brocade logo plate at the top of the nonport side of the chassis For the Brocade 5424 ...

Page 38: ...xl Fabric OS Administrator s Guide 53 1002446 01 ...

Page 39: ...ng Traffic Chapter 5 Managing User Accounts Chapter 6 Configuring Protocols Chapter 7 Configuring Security Policies Chapter 8 Maintaining the Switch Configuration File Chapter 9 Installing and Maintaining Firmware Chapter 10 Managing Virtual Fabrics Chapter 11 Administering Advanced Zoning Chapter 12 Traffic Isolation Zoning Chapter 13 Bottleneck Detection Chapter 14 In flight Encryption and Compr...

Page 40: ...2 Fabric OS Administrator s Guide 53 1002446 01 ...

Page 41: ...ces on the switch or other nodes in the fabric The fabric address is a 24 bit address 0x000000 containing three 3 byte nodes Reading from left to right the first node 0x000000 represents the domain ID the second node 0x000000 the port area number of the port where the node is attached and the third node 0x000000 the arbitrated loop physical address AL_PA if applicable Directory server The director...

Page 42: ... switches can be registered with the management server The management server provides several advantages for managing a Fibre Channel fabric It is accessed by an external Fibre Channel node at the well known address FFFFFAh so an application can access information about the entire fabric management with minimal knowledge of the existing configuration It is replicated on every Brocade switch within...

Page 43: ...ictions that may be in place 1 Connect to the switch and log in using an account assigned to the admin role 2 Enter the msCapabilityShow command to verify that all switches in the fabric support the MS platform service otherwise the next step fails 3 Enter the msplMgmtActivate command as in the following example switch admin msplmgmtactivate Request to activate MS Platform Service in progress Comp...

Page 44: ...g an account assigned to the admin role 2 Enter the msConfigure command The command becomes interactive 3 At the select prompt enter 1 to display the access list A list of WWNs that have access to the management server is displayed Example of an empty access list switch admin msconfigure 0 Done 1 Display the access list 2 Add member based on its Port Node WWN 3 Delete member based on its Port Node...

Page 45: ... 00 00 20 37 65 ce ff 20 00 00 20 37 65 ce 11 20 00 00 20 37 65 ce 22 20 00 00 20 37 65 ce 33 20 00 00 20 37 65 ce 44 10 00 00 60 69 04 11 24 10 00 00 60 69 04 11 23 21 00 00 e0 8b 04 70 3b 10 00 00 60 69 04 11 33 20 00 00 20 37 65 ce 55 20 00 00 20 37 65 ce 66 00 00 00 00 00 00 00 00 0 Done 1 Display the access list 2 Add member based on its Port Node WWN 3 Delete member based on its Port Node WW...

Page 46: ... 00 00 00 c9 29 b3 84 WWN is successfully deleted from the MS ACL 0 Done 1 Display the access list 2 Add member based on its Port Node WWN 3 Delete member based on its Port Node WWN select 0 3 3 1 MS Access list is empty 0 Done 1 Display the access list 2 Add member based on its Port Node WWN 3 Delete member based on its Port Node WWN select 0 3 1 0 Viewing the contents of the management server da...

Page 47: ...AD255 Displaying topology discovery status 1 Connect to the switch and log in using an account with admin permissions 2 Enter the mstdReadConfig command switch admin mstdreadconfig MS Topology Discovery is Enabled Enabling topology discovery 1 Connect to the switch and log in using an account with admin permissions 2 Enter the appropriate following command based on how you want to enable discovery...

Page 48: ...overy Disable Operation Complete Device login A device can be storage a host or a switch When new devices are introduced into the fabric they must be powered on and if a host or storage device connected to a switch Switch to switch logins using the E_Port are handled differently than storage and host logins E_Ports exchange different frames than the ones listed below with the Fabric Controller to ...

Page 49: ...e routing protocols and agree on a common routing protocol An SW_ACC frame is received from the principal switch and the new switch sends an Exchange Fabric Parameters EFP frame to the principal switch requesting principal switch priority and the domain ID list Buffer to buffer credits for the device and switch ports are exchanged in the SW_ACC command sent to the device in response to the FLOGI F...

Page 50: ... enabled the embedded port performs a PLOGI and attempts a PRLI into the device to retrieve information to enter into the name server This enables private devices that do not perform a FLOGI but accept a PRLI to be entered in the name server and receive full fabric access A fabric capable device registers its information with the name server during a FLOGI These devices typically register informat...

Page 51: ...aemon fails 1 A RASlog and AUDIT event message are logged 2 The daemon is automatically started again 3 If the restart is successful then another message is sent to RASlog and AUDIT reporting the successful restart status 4 If the restart fails another message is sent to RASlog and no further attempts are made to restart the daemon Schedule downtime and reboot the switch at your convenience Table ...

Page 52: ...rocesses 1 webd Webserver daemon used for WebTools includes httpd as well weblinkerd Weblinker daemon provides an HTTP interface to manageability applications for switch management and fabric discovery TABLE 1 Daemons that are automatically restarted Continued Daemon Description ...

Page 53: ...this chapter focuses on configuring a SAN using the CLI you can also use the following methods to configure a SAN Web Tools For Web Tools procedures refer to Web Tools Administrator s Guide Brocade Network Advisor For additional information refer to the Brocade Network Advisor User Manual for the version you have A third party application using the API For third party application procedures refer ...

Page 54: ...e which RBAC role you need to run a command review the section Role Based Access Control on page 82 NOTE When command examples in this guide show user input enclosed in quotation marks the quotation marks are required Console sessions using the serial port Note the following behaviors for serial connections Some procedures require that you connect through the serial port for example setting the IP...

Page 55: ...witch Never change the IP address of the switch while two Telnet sessions are active if you do your next attempt to log in fails To recover gain access to the switch by one of these methods You can use Web Tools to perform a fast boot When the switch comes up the Telnet quota is cleared For instructions on performing a fast boot with Web Tools see the Web Tools Administrator s Guide If you have th...

Page 56: ...etting help on a command You can display a list of all command help topics for a given login level For example if you log in as user and enter the help command a list of all user level commands that can be executed is displayed The same rule applies to the admin securityAdmin and the switchAdmin roles 1 Connect to the switch and log in using an account assigned to the admin role 2 Enter the help m...

Page 57: ...ault account passwords The change default account passwords prompt is a string that begins with the message Please change your passwords now User defined passwords can have from 8 through 40 characters They must begin with an alphabetic character and can include numeric characters the period and the underscore _ They are case sensitive and they are not displayed when you enter them on the command ...

Page 58: ...thernet settings using a console session through the serial port to maintain your session during the change You must connect through the serial port to set the Ethernet IP address if the Ethernet network interface is not configured already For details refer to Connecting to Fabric OS through the serial port on page 16 Virtual Fabrics and the Ethernet interface On the Brocade DCX and DCX 4S the sin...

Page 59: ...C address for virtual fabric ID 45 13 1 2 4 20 Slot 7 eth0 11 1 2 4 24 Gateway 11 1 2 1 Backplane IP address of CP0 10 0 0 5 Backplane IP address of CP1 10 0 0 6 IPv6 Autoconfiguration Enabled Yes Local IPv6 Addresses sw 0 stateless fd00 60 69bc 70 260 69ff fe00 2 64 preferred sw 0 stateless fec0 60 69bc 70 260 69ff fe00 2 64 preferred cp 0 stateless fd00 60 69bc 70 260 69ff fe00 197 64 preferred ...

Page 60: ...rface 1 Connect to the switch and log in using an account assigned to the admin role 2 Perform the appropriate action based on whether you have a switch or Backbone If you are setting the IP address for a switch enter the ipAddrSet command If you are setting the IP address for a Backbone enter the ipAddrSet command specifying either CP0 or CP1 You must set the IP address for both CP0 and CP1 Examp...

Page 61: ...s the string BROCADE followed by the SWBD model number of the platform For example the vendor class identifier for a request from a Brocade 5300 is BROCADESWBD64 NOTE The client conforms to the latest IETF Draft Standard RFCs for IPv4 IPv6 and DHCP Enabling DHCP Connect the DHCP enabled switch to the network power on the switch and the switch automatically obtains the Ethernet IP address Ethernet ...

Page 62: ... Gateway IP Address 10 1 2 1 DHCP On off IPv6 autoconfiguration IPv6 can assign multiple IP addresses to each network interface Each interface is configured with a link local address in almost all cases but this address is only accessible from other hosts on the same network To provide for wider accessibility interfaces are typically configured with at least one additional global scope IPv6 addres...

Page 63: ...tform Date and time settings Switches maintain the current date and time inside a battery backed real time clock RTC circuit that receives the date and time from the fabric s principal switch Date and time are used for logging events Switch operation does not depend on the date and time a switch with an incorrect date and time value functions properly However because the date and time are used for...

Page 64: ...or based on a time zone ID such as PST The time zone setting has the following characteristics Users can view the time zone settings However only those with administrative permissions can set the time zones The setting automatically adjusts for Daylight Savings Time Changing the time zone on a switch updates the local time zone setup and is reflected in local time calculations By default all switc...

Page 65: ...ary FCS switch to a maximum of eight external Network Time Protocol NTP servers To keep the time in your SAN current it is recommended that the principal or primary FCS switch has its time synchronized with at least one external NTP server The other switches in the fabric automatically take their time from the principal or primary FCS switch as described in Synchronizing the local time with an ext...

Page 66: ... Example of displaying the NTP server switch admin tsclockserver 10 1 2 3 Example of setting up more than one NTP server using a DNS name switch admin tsclockserver 10 1 2 4 10 1 2 5 ntp localdomain net Updating Clock Server configuration done Updated with the NTP servers Changes to the clock server value on the principal or primary FCS switch are propagated to all switches in the fabric Domain ID...

Page 67: ... 10 3 220 20 0 0 0 0 ras020 25 fffc19 10 00 00 05 1e 37 23 c6 10 3 220 25 0 0 0 0 ras025 30 fffc1e 10 00 00 60 69 90 04 1e 10 3 220 30 0 0 0 0 ras030 35 fffc23 10 00 00 05 1e 07 c7 26 10 3 220 35 0 0 0 0 ras035 40 fffc28 10 00 00 60 69 50 06 7f 10 3 220 40 0 0 0 0 ras040 45 fffc2d 10 00 00 05 1e 35 10 72 10 3 220 45 0 0 0 0 ras045 46 fffc2e 10 00 00 05 1e 34 c5 17 10 3 220 46 0 0 0 0 ras046 47 fff...

Page 68: ...hanging the switch name causes a domain address format RSCN to be issued and may be disruptive to the fabric Customizing the switch name 1 Connect to the switch and log in using an account assigned to the admin role 2 Enter the switchName command and enter a new name for the switch switch admin switchname newname 3 Record the new switch name for future reference Chassis names Brocade recommends th...

Page 69: ...abricname set command without a fabric name takes the existing fabric name and synchronizes it across the entire fabric An error message displays if no name is configured To set a fabric name that includes spaces enclose the fabric name in quotes as shown here switch user fabricname set my new fabric To set a fabric name that includes bash special meta characters or spaces use the command fabricna...

Page 70: ...ting your file system Brocade recommends that you perform graceful shutdowns of Brocade switches and Backbones Warm reboot also known as graceful shutdown refers to shutting down the switch or platform by way of the following instructions Cold boot also known as a hard boot refers to shutting down the switch or platform by suddenly shutting down power and powering on again Powering off a Brocade s...

Page 71: ...is going down for system halt NOW 4 Power off the switch Basic connections Before connecting a switch to a fabric that contains switches running different firmware versions you must first set the same port identification PID format on all switches The presence of different PID formats in a fabric causes fabric segmentation For information on PID formats and related procedures refer to Chapter 3 Pe...

Page 72: ...able management information The standard or default ISL mode is L0 ISL mode L0 is a static mode with the following maximum ISL distances 10 km at 1 Gbps 5 km at 2 Gbps 2 5 km at 4 Gbps 1 km at 8 Gbps 1 km at 10 Gbps 1 km at 16 Gbps For more information on extended ISL modes which enable long distance inter switch links refer to Chapter 23 Managing Long Distance Fabrics ...

Page 73: ...one port and plugging it into a different port as part of fabric maintenance or changing the domain ID of a switch which might be necessary when merging fabrics or changing compatibility mode settings Some device drivers use the PID to map logical disk drives to physical Fibre Channel counterparts Most drivers can either change PID mappings dynamically also called dynamic PID binding or use the WW...

Page 74: ... used only on the default logical switch With fixed addressing mode enabled each port has a fixed address assigned by the system based on the port number This address does not change unless you choose to swap the address using the portSwap command 10 bit addressing mode The 10 bit addressing mode is the default mode for all the logical switches created in the Brocade Backbones This addressing sche...

Page 75: ...sed mode is not supported on the default switch WWN based PID assignment WWN based PID assignment is disabled by default When the feature is enabled bindings are created dynamically as new devices log in they automatically enter the WWN based PID database The bindings exist until you explicitly unbind the mappings through the CLI or change to a different addressing mode If there are any existing d...

Page 76: ...guarantees NPIV devices get the same PID across reboots and AL_PAs assigned for the device do not depend on the order in which the devices come up For more information on NPIV refer to Chapter 15 NPIV Enabling automatic PID assignment NOTE To activate the WWN based PID assignment you do not need to disable the switch 1 Connect to the switch and log in using an account with admin permissions 2 Ente...

Page 77: ...manuals The different blades that can be inserted into a chassis are described as follows Control processor blades CPs contain communication ports for system management and are used for low level platform wide tasks Core blades are used for intra chassis switching as well as interconnecting two Backbones Port blades are used for host storage and interswitch connections AP blades are used for Fibre...

Page 78: ...admin portenable 2 4 Port identification by port area ID The relationship between the port number and area ID depends upon the PID format used in the fabric When Core PID format is in effect the area ID for port 0 is 0 for port 1 is 1 and so forth For 32 port blades FC8 32 FC8 32E FC16 32 the numbering is contiguous up to port 15 from port 16 the numbering is still contiguous but starts with 128 F...

Page 79: ...e portSwap command is not supported for ports above 256 Swapping port area IDs If a device that uses port binding is connected to a port that fails you can use port swapping to make another physical port use the same PID as the failed port The device can then be plugged into the new port without the need to reboot the device Use the following procedure to swap the port area IDs of two physical swi...

Page 80: ...nd log in using an account with admin permissions 2 Enter the appropriate command based on the current state of the port and on whether it is necessary to specify a slot number To enable a port that is disabled enter the command portEnable portnumber or portEnable slotnumber portnumber To enable a port that is persistently disabled enter the command portCfgPersistentEnable portnumber or portCfgPer...

Page 81: ...ric OS 7 0 0 or later Port decommissioning is not supported on links configured for encryption or compression Port decommissioning is not supported on ports with DWDM CWDM or TDM Port decommissioning requires that the lossless feature is enabled on both the local switch and the remote switch Use the portDecom slot port command to begin the decommission process Setting port speeds 1 Connect to the ...

Page 82: ...ize yourself with the platform CP blade and port blade nomenclature as well as the port blade compatibilities Table 5 includes core and CP blade terminology and descriptions Table 6 on page 45 includes port blade terminology and descriptions TABLE 5 Core and CP blade terminology and platform support Supported on Blade Blade ID slotshow DCX family DCX 8510 family Definition CP8 50 Yes Yes Brocade D...

Page 83: ...rts FC8 48E 126 No Yes 48 8 Gbps port blade supporting 2 4 and 8 Gbps port speeds Ports are numbered from 0 through 23 from bottom to top on the left set of ports and 24 through 47 from bottom to top on the right set of ports FC8 64 77 Yes Yes 64 8 Gbps port blade supporting 2 4 and 8 Gbps port speeds The Brocade DCX and Brocade DCX 8510 Backbone families support loop devices on 64 port blades in ...

Page 84: ...p GbE ports are numbered ge0 through ge1 from top to bottom Going from top to bottom the 2 GbE ports appear on the top of the blade followed by the 16 FC ports FCOE10 24 74 Yes No 24 10 GbE DCB ports An application blade that provides Converged Enhanced Ethernet to bridge a Fibre Channel and Ethernet SAN Ports are numbered from 0 through 11 from bottom to top on the left set of ports and 12 throug...

Page 85: ...8 supports two CR16 8 core blades Brocade DCX 8510 4 supports two CR16 4 core blades The core blades for each platform are not interchangeable or hot swappable with the core blades for any other platform If you try to interchange the blades they become faulty Port and application blade compatibility Table 6 on page 45 identifies which port and application blades are supported for each Brocade Back...

Page 86: ... chassis will fault the blade with reason code 91 However after blade removal if you reboot or power cycle the chassis inserting the other blade type is allowed The data paths in both blades are interoperable between FC ports FR4 18i FC ports can stream data over FX8 24 GbE ports and vice versa The FX8 24 and FS8 18 blades cannot co exist with the FCOE10 24 blade Enabling and disabling blades Port...

Page 87: ...nfigured FR4 18i blade is removed and another or the same FR4 18i blade is inserted into the same slot then the ports use the previous configuration and come up enabled If you do not want to use the previous configuration you must clear the configuration information remove the blade and then reseat the blade If a previously configured FR4 18i blade is removed and an FC8 16 FC8 32 FC8 48 or FC10 6 ...

Page 88: ...ntered the blade swap quits without disrupting traffic flowing through the blades If an unforeseen error does occur during the bladeSwap command an entry will be made into the RASlog and all ports that have been swapped as part of the blade swap operation will be swapped back On successful completion of the command the source and destination blades are left in a disabled state allowing you to comp...

Page 89: ...cation to application and so on Port count Both blades must support the same number of front ports for example 16 ports to 16 ports 32 ports to 32 ports 48 ports to 48 ports and so on Availability The ports on the destination blade must be available for the swap operation and not attached to any other devices 3 Port preparation The process of preparing ports for a swap operation includes basic ope...

Page 90: ...cal switches as long as they are carved the same way If slot 1 and slot 2 ports 0 7 are all in the same logical switch then blade swapping slot 1 to slot 2 will work The entire blade does not need to be in the same partition FIGURE 4 Blade swap with Virtual Fabrics after the swap Swapping blades 1 Connect to the Backbone and log in using an account with admin permissions 2 Enter the bladeSwap comm...

Page 91: ...power becomes available slots are powered up in the reverse order During the initial power up of a chassis or using the slotPowerOn command or the insertion of a blade the available power is compared to required power before power is applied to the blade NOTE Some FRUs in the chassis may use significant power yet cannot be powered off through software The powerOffListShow command displays the powe...

Page 92: ... haShow command to verify HA is enabled the heartbeat is up and that the HA state is synchronized between the active and standby CP blades 4 Enter the fanShow command to display the current status and speed of each fan in the system Refer to the hardware reference manual of your system to determine the appropriate values 5 Enter the psShow command to display the current status of the switch power ...

Page 93: ...30b1f 040000 050000 050200 050700 050800 050de8 050def 051700 061c00 071a00 073c00 090d00 0a0200 0a07ca 0a07cb 0a07cc 0a07cd 0a07ce 0a07d1 0a07d2 0a07d3 0a07d4 0a07d5 0a07d6 0a07d9 0a07da 0a07dc 0a07e0 0a07e1 0a0f01 0a0f02 0a0f0f 0a0f10 0a0f1b 0a0f1d 0b2700 0b2e00 0b2fe8 0b2fef 0f0000 0f0226 0f0233 0f02e4 0f02e8 0f02ef 210e00 211700 211fe8 211fef 2c0000 2c0300 611000 6114e8 6114ef 611600 620800 62...

Page 94: ...nges status ON Track changes generate SNMP TRAP NO Viewing the switch status policy threshold values The policy parameter determines the number of failed or inoperable units for each contributor that triggers a status change in the switch Each parameter can be adjusted so that a specific threshold must be reached before that parameter changes the overall status of a switch to MARGINAL or DOWN For ...

Page 95: ...d settings you have configured for each parameter Enter the switchStatusPolicyShow command to view your current switch status policy configuration Example output from a switch The following example displays what is typically seen from a Brocade switch but the quantity and types vary by platform switch admin switchstatuspolicyshow To change the overall switch status policy parameters The current ov...

Page 96: ... in the specified audit message format This ensures that they can be easily distinguished from other system message log events that occur in the network Then at some regular interval of your choosing you can review the audit events to look for unexpected changes Before you configure audit event logging familiarize yourself with the following audit event log behaviors and limitations By default all...

Page 97: ... operational and running Before configuring an audit log you must perform the following steps to ensure that the host syslog is operational 1 Set up an external host machine with a system message log daemon running to receive the audit events that will be generated 2 On the switch where the audit configuration is enabled enter the syslogdIpAdd command to add the IP address of the host machine so t...

Page 98: ...0 7 raslogd AUDIT 2008 10 10 08 28 16 GMT SEC 3021 INFO SECURITY admin NONE 10 3 220 13 None CLI None ras007 FID 128 Event login Status failed Info Failed login attempt via REMOTE IP Addr 10 3 220 13 Configuring FLOGI time handling of duplicate PWWN Fabric OS has two configurable options for handling duplicate PWWN conflicts occurring on the same switch Existing login takes precedence over second ...

Page 99: ...re enable the switch With either setting detection of duplicate PWWNs results in a RASLog Ports that are restricted become persistently disabled marked with the reason Duplicate Port WWN detected TABLE 9 Duplicate PWWN behavior Second login overrides existing login Input port Duplicate found on same F_Port Duplicate found on different F_Port Duplicate found on same NPIV port Duplicate found on dif...

Page 100: ...62 Fabric OS Administrator s Guide 53 1002446 01 Configuring FLOGI time handling of duplicate PWWN 3 ...

Page 101: ...rk There are two kinds of routing protocols on intranet networks distance vector and link state Distance vector is based on hop count This is the number of switches that a frame passes through to get from the source switch to the destination switch Link state is based on a metric value based on a cost The cost could be based on bandwidth line speed or round trip time With the link state protocol s...

Page 102: ...omputes paths from a switch to all the other switches in the fabric by adding the cost of all links traversed by the path and chooses the path that minimizes the costs This collection of the link states including costs of all the switches in the fabric constitutes the topology database or link state database Once established FSPF programs the hardware routing tables for all active ports on the swi...

Page 103: ...read word zero and word one of the Fibre Channel frame to perform what is known as cut through routing A frame may begin to emerge from the output port before it has been entirely received by the input port The entire frame does not need to be buffered in the switch If the destination domain ID is different than the source domain ID then the switch consults the FSPF route table to identify which l...

Page 104: ...ing two switches together Brocade recommends the best practice that the following parameters are differentiated Domain ID Switch name Chassis name You must also verify the following fabric parameters are identical on each switch for a fabric to merge R_A_TOV Resource Allocation TimeOut Value E_D_TOV Error Detect TimeOut Value Data Field Size Sequence Level Switching Disable Device Probing Suppress...

Page 105: ...al channels create multiple logical data paths across a single physical link or connection They are allocated their own network resources such as queues and buffer to buffer credits Virtual channel technology is the fundamental building block used to construct Adaptive Networking services For more information on Adaptive Networking services refer to Chapter 21 Optimizing Fabric Behavior Virtual ch...

Page 106: ...y establishing point to point E_Port connectivity between two Fibre Channel switches that are separated by a network with a protocol such as IP or SONET Except for link initialization gateways are transparent to switches the gateway simply provides E_Port connectivity from one switch to another Figure 8 shows two separate SANs A 1 and A 2 merged together using a gateway ...

Page 107: ...guidelines are followed All switches in the fabric use the core PID format as described in Configuring a link through a gateway on page 69 The switches connected to both sides of the gateway are included when determining switch count maximums Extended links those created using the Extended Fabrics licensed feature are not supported through gateway links Configuring a link through a gateway 1 Conne...

Page 108: ...Backbone families routing is handled by the FSPF protocol and either the port based routing or exchange based routing policy Each switch can have its own routing policy and different policies can exist in the same fabric ATTENTION For most configurations the default routing policy is optimal and provides the best performance You should change the routing policy only if there is a performance issue...

Page 109: ...ged Port based routing The choice of routing path is based only on the incoming port and the destination domain To optimize port based routing DLS can be enabled to balance the load across the available output ports within a domain NOTE For FC routers only When an FC router is in port based routing mode the backbone traffic is load balanced based on SID and DID When an FC router is in exchange bas...

Page 110: ...nnect to the VF switch and log in as admin 2 Enter the setcontext command for the correct FID switch admin setcontext 20 3 Enter the switchDisable command to disable the switch 4 Take the appropriate following action based on the AP route policy you choose to implement If the exchange based policy is required enter the aptPolicy 3 command If the port based policy is required enter the aptPolicy 1 ...

Page 111: ... command to view the current DLS setting One of the following messages appears DLS is set indicates that DLS is turned on DLS is not set indicates that DLS is turned off DLS is set with Lossless enabled DLS is enabled with the Lossless feature Load sharing is recomputed with every change in the fabric and existing routes can be moved to maintain optimal balance In Lossless mode no frames are lost ...

Page 112: ...frames are always delivered in order even when the traffic between switches is shared among multiple paths However when topology changes occur in the fabric for example if a link goes down traffic is rerouted around the failure and some frames could be delivered out of order Most destination devices tolerate out of order delivery but some do not By default out of order frame based delivery is allo...

Page 113: ...nted along the path between the target and initiator You can use Lossless DLS on ports connecting switches to perform the following functions Eliminate dropped frames and I O failures by rebalancing the paths going over the ISLs whenever there is a fabric event that might result in suboptimal utilization of the ISLs Eliminate the frame delay caused by establishing a new path when a topology change...

Page 114: ...ore blade removal it is equivalent to removing external E_Ports which may cause I O disruption on the ICL ports that have been removed If ICL ports are connected during a core blade insertion it is equivalent to adding external E_Ports which may cause I O disruption due to reroutes Lossless DLS if enabled takes effect to prevent I O disruption Traffic flow limitations The FA4 18 and FR4 18i AP bla...

Page 115: ...long to a logical switch where Lossless DLS is enabled the traffic in logical switch 2 is affected whenever traffic for logical switch 1 is rebalanced ATTENTION Although Lossless DSL is enabled for a specific logical switch you must have chassis level permissions to use this feature This effect on logical switch 2 is based on the configuration on logical switch 2 If logical switch 2 has IOD enable...

Page 116: ...able the FEC feature on a port range enter the following command switch admin portcfgfec disable 0 8 Frame Redirection Frame Redirection provides a means to redirect traffic flow between a host and a target that use virtualization and encryption applications such as the Brocade SAS blade and Brocade Data Migration Manager DMM so that those applications can perform without having to reconfigure the...

Page 117: ...one rdcreate command 3 Enter the cfgSave command to save the frame redirect zones to the defined configuration Example of creating a frame redirect zone The following example creates a redirect zone given a host 10 10 10 10 10 10 10 10 target 20 20 20 20 20 20 20 20 virtual initiator 30 30 30 30 30 30 30 30 and virtual target 40 40 40 40 40 40 40 40 switch admin zone rdcreate 10 10 10 10 10 10 10 ...

Page 118: ...80 Fabric OS Administrator s Guide 53 1002446 01 Frame Redirection 4 Viewing redirect zones 1 Connect to the switch and log in using an account with admin permissions 2 Enter the cfgShow command ...

Page 119: ...ons Associate roles with each user account to determine the functional access levels within the bounds of the your current Admin Domain Virtual Fabric list Specifies the Virtual Fabric a user account is allowed to log in to Home Virtual Fabric Specifies the Virtual Fabric that the user is logged in to if available The home Virtual Fabric must be a member of the user s Virtual Fabric list If the fa...

Page 120: ...log in to a switch your user account is associated with a predefined role or a user defined role The role that your account is associated with determines the level of access you have on that switch and in the fabric The chassis role can also be associated with user defined roles it has permissions for RBAC classes of commands which are configured during user defined role creation The chassis role ...

Page 121: ...uthentication are Role name Permission Admin OM Factory OM Root OM Security Admin OM You can also use the classConfig showcli command to show the permissions that apply to a specific command The management channel The management channel is the communication established between the management workstation and the switch Table 13 shows the number of simultaneous login sessions allowed for each role w...

Page 122: ...nimum of 4 letters and can be up to 16 letters long The maximum number of user defined roles that are allowed on a chassis is 256 The roleConfig command can be used to define unique roles You must have chassis level access and permissions to execute this command The following example creates a user defined role called mysecurityrole The RBAC class Security is added to the role and the Observe perm...

Page 123: ...d a chassis role to an account The following example assigns the mysecurityrole role to the existing anewuser account and adds the admin chassis role userConfig change anewuser r mysecurityrole c admin Local database user accounts User add change and delete operations are subject to the subset rule an admin with ADlist 0 10 or LFlist 1 10 cannot perform operations on an admin user or any role with...

Page 124: ...displays a list of users that include that LF in their LF permissions Creating an account 1 Connect to the switch and log in using an account with admin permissions or an account associated with a user defined role with permissions for the UserManagement class of commands 2 Enter the userConfig add command For example userconfig add metoo l 1 128 h 128 r admin c admin This example creates a user a...

Page 125: ...inistrative Domains 1 Connect to the switch and log in using an account with admin permissions 2 Enter the userConfig change command Local account passwords The following rules apply to changing passwords Users can change their own passwords To change the password for another account requires Admin permissions or an account associated with a user defined role with Modify permissions for the LocalU...

Page 126: ... database distribution One of the target switch s user database is protected One of the remote switches has logical switches defined Either the local switch or one of the remote switches has user accounts associated with user defined roles Distributing the local user database When distributing the local user database all user defined accounts residing in the receiving switches are logged out of an...

Page 127: ... information that was previously stored there Also password changes are not permitted on the standby CP Password authentication policies configured using the passwdCfg command are not enforced during initial prompts to change default passwords Password strength policy The password strength policy is enforced across all user accounts and enforces a set of format rules to which new passwords must ad...

Page 128: ...acter sequence exceeding two characters The range of allowed values is 1 40 The default value is 1 When set to 1 sequential characters are not enforced Example of a password strength policy The following example shows a password strength policy that requires passwords to contain at least 3 uppercase characters 4 lowercase characters and 2 numeric digits the minimum length of the password is 9 char...

Page 129: ...xpiration Warning Specifies the number of days prior to password expiration that a warning about password expiration is displayed Warning values range from 0 to 999 The default value is 0 days NOTE When MaxPasswordAge is set to a non zero value MinPasswordAge and Warning must be set to a value that is less than or equal to MaxPasswordAge Account lockout policy The account lockout policy disables a...

Page 130: ...ut duration begins with the first login attempt after the LockoutThreshold has been reached Subsequent failed login attempts do not extend the lockout period Enabling the admin lockout policy 1 Log in to the switch using an account that is an Admin securityAdmin permissions 2 Enter the passwdCfg enableadminlockout command Unlocking an account 1 Log in to the switch using an account that has Admin ...

Page 131: ...ffic flow through the switch until the switch is rebooted Perform this procedure during a planned downtime Setting the boot PROM password for a switch with a recovery string This procedure applies to the following switch models Brocade 300 5410 5424 5450 5460 5470 5480 5100 5300 65 10 7800 8000 and 8510 switches If your switch is not listed please contact your switch support provider for instructi...

Page 132: ... and DCX 4S Backbones 1 Connect to the serial port interface on the standby CP blade as described in Connecting to Fabric OS through the serial port on page 16 2 Connect to the active CP blade by serial or Telnet and enter the haDisable command to prevent failover during the remaining steps 3 Reboot the standby CP blade by sliding the On Off switch on the ejector handle of the standby CP blade to ...

Page 133: ...ach CP blade has a separate boot PROM password 11 Connect to the active CP blade by serial or Telnet and enter the haEnable command to restore high availability Although you can set the boot PROM password without also setting the recovery string it is strongly recommended that you set both the password and the string as described in Setting the boot PROM password for a switch with a recovery strin...

Page 134: ...in and entering the haShow command 2 Connect to the active CP blade by serial or Telnet and enter the haDisable command to prevent failover during the remaining steps 3 Create a serial connection to the standby CP blade as described in Connecting to Fabric OS through the serial port on page 16 4 Reboot the standby CP blade by sliding the On Off switch on the ejector handle of the standby CP blade ...

Page 135: ...witch sends all authentication authorization and accounting AAA service requests to the RADIUS or LDAP server The RADIUS or LDAP server receives the request validates the request and sends its response back to the switch The supported management access channels that integrate with RADIUS or LDAP include serial port Telnet SSH Web Tools and API All these require the switch IP address or name to con...

Page 136: ...S or LDAP is set up for a fabric that contains a mix of switches with and without RADIUS or LDAP support the way a switch authenticates users depends on whether a RADIUS or LDAP server is set up for that switch For a switch with RADIUS or LDAP support and configuration authentication bypasses the local password database For a switch without RADIUS or LDAP support or configuration authentication us...

Page 137: ...expiration date and add a warning for RADIUS login The password expiry date must be specified in UTC and in MM DD YYYY format The password warning specifies the number of days prior to the password expiration that a warning of password expiration notifies the user You either specify both attributes or none If you specify a single attribute or there is a authspec ldap Authenticates management conne...

Page 138: ...to pass the Admin role to the switch in the dial in profile the configuration specifies the Vendor code 1588 Vendor assigned attribute number 1 and attribute value admin as shown in Figure 10 TABLE 16 Syntax for VSA based account roles Item Value Description Type 26 1 octet Length 7 or higher 1 octet calculated by the server Vendor ID 1588 4 octet Brocade SMI Private Enterprise Code Vendor type 1 ...

Page 139: ...he user jsmith Admin permissions you would add the following statement to the configuration file swladmin Auth Type Local User Password myPassword Brocade Auth Role admin Brocade AVPairs1 HomeLF 70 Brocade AVPairs2 LFRoleList admin 2 4 8 70 80 128 ChassisRole admin Brocade Passwd ExpiryDate 11 10 2011 Brocade Passwd WarnPeriod 30 TABLE 17 Entries in dictionary brocade file Include Key Value VENDOR...

Page 140: ...occurrences of the same Admin Domain number are ignored HomeLF is the designated home Virtual Fabric for the account The valid values are between 1 to 128 and chassis context The first valid HomeLF key value pair is accepted by the switch additional HomeLF key value pairs are ignored LFRoleList is a comma separated list of Virtual Fabric ID numbers to which this account is a member Valid numbers r...

Page 141: ...ed in the RADIUS server configuration User accounts should be set up by their true network wide identity rather than by the account names created on a Fabric OS switch Along with each account name the administrator must assign appropriate switch access permissions To manage a fabric these permissions can be User Admin and SecurityAdmin Configuring RADIUS server support with Linux The following pro...

Page 142: ...ADIUS The user will log in using the permissions specified with Brocade Auth Role The valid permissions include Root Admin SwitchAdmin ZoneAdmin SecurityAdmin BasicSwitchAdmin FabricAdmin Operator and User You must use quotation marks around password and role Example of adding a user name to the RADIUS authentication For example to set up an account called JohnDoe with Admin permissions with a pas...

Page 143: ... instructions for setting up RADIUS on a Windows 2000 server are listed here for your convenience but are not guaranteed to be accurate for your network environment Always check with your system administrator before proceeding with setup NOTE All instructions involving Microsoft Windows 2000 can be obtained from www microsoft com or your Microsoft documentation Confer with your system or network a...

Page 144: ...lient for all switches on which RADIUS authentication will be used b In the Internet Authentication Service window right click the Remote Access Policies folder then select New Remote Access Policy from the pop up window A remote access policy must be created for each group of Brocade login permissions Root Admin Factory SwitchAdmin and User for which you want to use RADIUS Apply this policy to th...

Page 145: ...ager by adding an agent host 3 Configure the RSA RADIUS server Setting up the RSA RADIUS server involves adding RADIUS clients users and vendor specific attributes to the RSA RADIUS server a Add the following data to the vendor ini file vendor product Brocade dictionary brocade ignore ports no port number usage per port type help id 2000 b Create a brocade dct file that needs to be added into the ...

Page 146: ...format of this file Use the Radius specification attributes in lieu of the Brocade one radius dct MACRO Brocade VSA t s 26 vid 1588 type1 t len1 2 data s ATTRIBUTE Brocade Auth Role Brocade VSA 1 string r ATTRIBUTE Brocade Passwd ExpiryDate Brocade VSA 6 string r ATTRIBUTE Brocade Passwd WarnPeriod Brocade VSA 7 integer r brocade dct Brocade Dictionary dictiona dcm Generic Radius radius dct Specif...

Page 147: ...ew installations A user can belong to multiple groups as long as one of the groups is the primary group The primary group in the AD server should not be set to the group corresponding to the switch role You can choose any other group A user can be part of any Organizational Unit OU Active Directory LDAP 2000 2003 and 2008 is supported Roles for Brocade specific users can be added through the Micro...

Page 148: ...and entered as a range Creating a user To create a user in Active Directory refer to www microsoft com or Microsoft documentation There are no special attributes to set You can use a fully qualified name for logging in for example you can log in as user domain com Creating a group To create a group in Active Directory refer to www microsoft com or Microsoft documentation You will need to verify th...

Page 149: ...e the first value in the adlist Admin Domain list If a user has no values assigned in the adlist attribute then the homeAD 0 will be the default administrative domain for the user If you are using Virtual Fabrics enter the value of the logical fabric separated by an semi colon into the Value field Example for adding Virtual Fabrics HomeLF 10 LFRoleList admin 128 10 ChassisRole admin In this exampl...

Page 150: ... in effect This configuration is persistent after an HA failover The RADIUS or LDAP servers are contacted in the order they are listed starting from the top of the list and moving to the bottom Adding a RADIUS or LDAP server to the switch configuration 1 Connect to the switch and log in using an account with admin permissions 2 Enter the aaaConfig add command At least one RADIUS or LDAP server mus...

Page 151: ...local authentication so that the switch can take over authentication locally if the RADIUS or LDAP servers fail to respond because of power outage or network problems Example of enabling local authentication enter the following command for RADIUS switch admin aaaconfig authspec radius local backup Example for LDAP switch admin aaaconfig authspec ldap local backup For details about this command see...

Page 152: ...114 Fabric OS Administrator s Guide 53 1002446 01 The authentication model using RADIUS and LDAP 5 ...

Page 153: ...BLE 18 Secure protocol support Protocol Description HTTPS HTTPS is a Uniform Resource Identifier scheme used to indicate a secure HTTP connection Web Tools supports the use of hypertext transfer protocol over secure socket layer HTTPS IPsec Internet Protocol Security IPsec is a framework of open standards for providing confidentiality authentication and integrity for IP data transmitted over untru...

Page 154: ...ort HTTPS A certificate must be generated and installed on each switch to enable SSL Supports SSLv3 128 bit encryption by default TABLE 19 Items needed to deploy secure protocols Protocol Host side Switch side SSHv2 Secure shell client None HTTPS No requirement on host side except a browser that supports HTTPS Switch IP certificate for SSL SCP SSH daemon SCP server None SNMPv1 SNMPv2 SNMPv3 None N...

Page 155: ...wide variety of encryption algorithms such as Blowfish Cipher block chaining CBC and Advanced Encryption Standard AES NOTE To maintain a secure network you should avoid using Telnet or any other unprotected application when you are working on the switch Commands that require a secure login channel must originate from an SSH session If you start an SSH session and then use the login command to star...

Page 156: ...cation import and export keys generate a key pair for an outgoing connection and delete public and private keys Configuring incoming SSH authentication 1 Log in to your remote host 2 Generate a key pair for host to switch incoming authentication by verifying that SSH v2 is installed and working refer to your host s documentation as necessary by typing the following command ssh keygen t dsa Example...

Page 157: ...assphrase empty for no passphrase Enter same passphrase again Key pair generated successfully 5 Export the public key to the host by logging in to the switch as the allowed user and entering the sshUtil exportpubkey command to export the key Example of exporting a public key from the switch switch alloweduser sshutil exportpubkey Enter IP address 192 168 38 244 Enter remote directory auser ssh Ent...

Page 158: ...these types of changes accordingly Browser and Java support Fabric OS supports the following Web browsers for SSL connections Internet Explorer v7 0 Microsoft Windows Mozilla Firefox v2 0 Solaris and Red Hat Linux NOTE Review the release notes for the latest information and to verify if your platform and browser are supported In countries that allow the use of 128 bit encryption you should use the...

Page 159: ...low secure out of band communication between switches consider using one certificate authority CA to sign all management certificates for a fabric If you use different CAs management services operate correctly but the Web Tools Fabric Events button is unable to retrieve events for the entire fabric Each CA for example Verisign or GeoTrust has slightly different requirements for example some genera...

Page 160: ...n Name or IP address 192 1 2 3 Generating CSR file name is 192 1 2 3 csr Done Your CA may require specific codes for Country State or Province Locality Organization and Organizational Unit names Make sure that your spelling is correct and matches the CA requirements If the CA requires that the Common Name be specified as an FQDN make sure that the fully qualified domain name is set on the domain n...

Page 161: ... to the certificates on an FTP server make note of the path name and make sure you have a login name and password on the server Installing a switch certificate Perform this procedure on each switch 1 Connect to the switch and log in using an account with admin permissions 2 Enter the secCertUtil import command 3 Select a protocol enter the IP address of the host on which the switch certificate is ...

Page 162: ...action based on whether you find the certificate If the certificate is listed you do not need to install it You can skip the rest of this procedure If the certificate is not listed click Import 5 Browse to the certificate location and select the certificate For example select nameRoot crt 6 Click Open and follow the instructions to import the certificate Root certificates for the Java Plug in For ...

Page 163: ...evice and makes it available to a network management station You can manipulate information of your choice by trapping MIB elements using the Fabric OS command line interface CLI Web Tools or Brocade Network Advisor The SNMP access control list ACL provides a way for the administrator to restrict SNMP get set trap and inform operations to certain hosts and IP addresses This is used for enhanced ma...

Page 164: ... the local switch database SNMPv3 users whose names do not match with any of the existing Fabric OS local users have a default RBAC role of admin with the SNMPv3 user access control of read write Their SNMPv3 user logs in with an access control of read only Both user types will have the default switch as their home Virtual Fabrics The contextName field should have the format VF xxx where xxx is th...

Page 165: ...stem group For details on Brocade MIB files naming conventions loading instructions and information about using the Brocade SNMP agent see the Fabric OS MIB Reference Telnet protocol Telnet is enabled by default To prevent passing clear text passwords over the network when connecting to the switch you can block the Telnet protocol using an IP Filter policy For more information on IP Filter policie...

Page 166: ...he ipFilter show command 8 Activate the new ipfilter policy by typing the ipfilter activate command switch admin ipfilter activate BlockTelnet 9 Verify the new policy is active the default_ipv4 policy should be displayed as defined switch admin ipfilter show Name BlockTelnet Type ipv4 State defined Rule Source IP Protocol Dest Port Action 1 any tcp 23 deny 2 any tcp 22 permit 3 any tcp 22 permit 4...

Page 167: ...d features and capabilities Table 22 lists the listener applications that Brocade switches either block or do not start Ports and applications used by switches If you are using the FC FC Routing Service be aware that the secModeEnable command is not supported Table 23 on page 130 lists the defaults for accessing hosts devices switches and zones TABLE 22 Blocked listener applications Listener appli...

Page 168: ...y switch in the fabric Devices All devices can access the management server Any device can connect to any FC port in the fabric Switch access Any switch can join the fabric All switches in the fabric can be accessed through a serial port Zoning No zoning is enabled TABLE 24 Port information Port Type Common use Comment 22 TCP SSH SCP 23 TCP Telnet Use the ipfilter command to block the port 80 TCP ...

Page 169: ...o restrict which Fibre Channel device ports can connect to which Fibre Channel switch ports Switch connection control SCC policy Used to restrict which switches can join with a switch NOTE Run all commands in this chapter by logging in to Administrative Domain AD 255 with the suggested permissions If Administrative Domains have not been implemented log in to AD0 How the ACL policies are stored The...

Page 170: ...re specified by device port WWN switch WWN domain IDs or switch names depending on the policy The valid methods for specifying policy members are listed in Table 25 ACL policy management All policy modifications are temporarily stored in volatile memory until those changes are saved or activated You can create multiple sessions to the switch from one or more hosts It is recommended you make change...

Page 171: ...y changes You can implement changes to the ACL policies using the secPolicyActivate command This saves the changes to the active policy set and activates all policy changes since the last time the command was issued You cannot activate policies on an individual basis all changes to the entire policy set are activated by the command Until a secPolicySave or secPolicyActivate command is issued all p...

Page 172: ... DCC policy and to attach domain 3 ports 1 and 3 WWNs of devices are 11 22 33 44 55 66 77 aa and 11 22 33 44 55 66 77 bb switch admin secpolicyadd DCC_POLICY_abc 11 22 33 44 55 66 77 aa 11 22 33 44 55 66 77 bb 3 1 3 Removing a member from an ACL policy As soon as a policy has been activated the aspect of the fabric managed by that policy is enforced 1 Connect to the switch and log in using an acco...

Page 173: ...y FCS switch in the policy list is not reachable then a backup FCS switch is allowed to modify the policy Once an FCS policy is configured and distributed across the fabric only the Primary FCS switch can perform certain operations Operations that affect fabric wide configuration are allowed only from the Primary FCS switch Backup and non FCS switches cannot perform security zoning and AD operatio...

Page 174: ...BAC class of commands 2 Enter the secPolicyCreate FCS_POLICY command Example of creating an FCS policy The following example creates an FCS policy that allows a switch with domain ID 2 to become a primary FCS and domain ID 4 to become a backup FCS switch admin secpolicycreate FCS_POLICY 2 4 FCS_POLICY has been created TABLE 27 FCS switch operations Allowed on FCS switches Allowed on all switches s...

Page 175: ...2 to position 3 in the FCS list using interactive mode primaryfcs admin secpolicyfcsmove Pos Primary WWN DId swName 1 Yes 10 00 00 60 69 10 02 18 1 switch5 2 No 10 00 00 60 69 00 00 5a 2 switch60 3 No 10 00 00 60 69 00 00 13 3 switch73 Please enter position you d like to move from 1 3 1 2 Please enter position you d like to move to 1 3 1 3 ____________________________________________________ DEFIN...

Page 176: ... will be accepted and distribution may be initiated using the distribute p command Setting the configuration parameter to reject indicates the policy distribution is rejected and the switch may not distribute the policy The default value for the distribution configuration parameter is accept which means the switch accepts all database distributions and is able to initiate a distribute operation fo...

Page 177: ...ents a unique string The maximum length is 30 characters including the prefix DCC_POLICY_ Device ports must be specified by port WWN Switch ports can be identified by the switch WWN domain ID or switch name followed by the port or area number To specify an allowed connection enter the device port WWN a semicolon and the switch port identification The following methods of specifying an allowed conn...

Page 178: ...age that includes device port WWN 22 33 44 55 66 77 11 bb all ports of switch domain 2 and all currently connected devices of switch domain 2 switch admin secpolicycreate DCC_POLICY_storage 22 33 44 55 66 77 11 bb 2 DCC_POLICY_storage has been created To create the DCC policy DCC_POLICY_abc that includes device 33 44 55 66 77 11 22 cc and ports 1 through 6 and port 9 of switch domain 3 switch admi...

Page 179: ...policy created manually with the physical PWWN of a device The configurations shown in this table are the recommended configurations when an FA PWWN is logged into the switch TABLE 30 DCC policy behavior with FA PWWN when created using lockdown support Configuration WWN seen on DCC policy list Behavior when DCC policy activates Behavior on portDisable and portEnable FA PWWN has logged into the swi...

Page 180: ...ibute an SCC policy on a logical switch SCC enforcement is performed on a ISL based on the SCC policy present on the logical switch For more information on Virtual Fabrics refer to Chapter 10 Managing Virtual Fabrics TABLE 31 DCC policy behavior when created manually with PWWN Configuration WWN seen on DCC policy list Behavior when DCC policy activates Behavior on portDisable and portEnable FA PWW...

Page 181: ...nse is required FCAP requires the exchange of certificates between two or more switches to authenticate to each other before they form or join a fabric Beginning with Fabric OS v7 0 0 these certificates are no longer issued by Brocade but only by a third party which is now the root CA for all of the issued certificates You can use Brocade and third party certificates between switches that are Fabr...

Page 182: ...rtual Fabrics considerations If Virtual Fabrics is enabled all AUTH module parameters such as shared secrets and shared switch and device policies are logical switch wide That means you must configure shared secrets and policies separately on each logical switch and the shared secrets and policies must be set on each switch prior to authentication On logical switch creation authentication takes de...

Page 183: ... with admin permissions or an account with OM permissions for the Authentication RBAC class of commands 2 Enter the authUtil command to set the switch policy mode Example of configuring E_Port authentication The following example shows how to enable Virtual Fabrics and configure the E_Ports to perform authentication using the AUTH policies authUtil command switch admin fosconfig enable vf WARNING ...

Page 184: ...authentication policy Device authentication policy can also be categorized as an F_Port node port or an HBA authentication policy Fabric wide distribution of the device authentication policy is not supported because the device authentication requires manual interaction in setting the HBA shared secrets and switch shared secrets and most of the HBAs do not support the defined DH groups for use in t...

Page 185: ... and device Otherwise the F port will be disabled during next F port bring up ARE YOU SURE yes y no n no y Device authentication is set to PASSIVE AUTH policy restrictions All fabric element authentication configurations are performed on a local switch basis Device authentication policy supports devices that are connected to the switch in point to point manner and is visible to the entire fabric T...

Page 186: ...PE GROUP TYPE fcap dhchap sha1 md5 0 1 2 3 4 Switch Authentication Policy PASSIVE Device Authentication Policy OFF Setting the authentication protocol 1 Log in to the switch using an account with admin permissions or an account with OM permissions for the Authentication RBAC class of commands 2 Enter the authUtil set a command specifying fcap dhchap or all Example of setting the DH CHAP authentica...

Page 187: ...Chapter 14 In flight Encryption and Compression for details about in flight encryption NOTE When setting a secret key pair note that you are entering the shared secrets in plain text Use a secure channel for example SSH or the serial console to connect to the switch on which you are setting the secrets Viewing the list of secret key pairs in the current switch database 1 Log in to the switch using...

Page 188: ...WN Domain or switch name Leave blank when done 10 20 30 40 50 60 70 80 Enter peer secret hidden Re enter peer secret hidden Enter local secret hidden Re enter local secret hidden Enter WWN Domain or switch name Leave blank when done 10 20 30 40 50 60 70 81 Enter peer secret hidden Re enter peer secret hidden Enter local secret hidden Re enter local secret hidden Enter WWN Domain or switch name Lea...

Page 189: ...s or an account associated with the chassis role and having OM permissions for the PKI RBAC class of commands 2 Enter the secCertUtil generate fcapall keysize command on the local switch switch admin seccertutil generate fcapall keysize 1024 WARNING About to create FCAP ARE YOU SURE yes y no n no y Installing Private Key and Csr Switch key pair and CSR generated 3 Repeat step 2 on the remote switc...

Page 190: ...ed certificate CACert pem Importing the FCAP switch certificate ATTENTION The CA certificates must be installed prior to installing the switch certificate 1 Log in to the switch using an account with admin permissions or an account associated with the chassis role and having OM permissions for the PKI RBAC class of commands 2 Enter the secCertUtil import fcapcacert command switch admin seccertutil...

Page 191: ...fected management IP interfaces Audit messages will be generated for any changes to the IP Filter policies The rules in the IP Filter policy are examined one at a time until the end of the list of rules For performance reasons the most commonly used rules should be specified at the top On a chassis system changes to persistent IP Filter policies are automatically synchronized to the standby CP whe...

Page 192: ...Filter policy You can save one or all IP Filter policies persistently in the defined configuration The policy name is optional for this subcommand If the policy name is given the IP Filter policy in the temporary buffer is saved if the policy name is not given all IP Filter policies in the temporary buffer are saved Only the CLI session that owns the updated temporary buffer may run this command M...

Page 193: ...Telnet SSH HTTP HTTPS Protocol The protocol type Supported types are TCP or UDP Action The filtering action taken by this rule either Permit or Deny A rule type and destination IP can also be specified Source address For an IPv4 filter policy the source address has to be a 32 bit IPv4 address in dot decimal notation The group prefix has to be a CIDR block prefix representation For example 208 130 ...

Page 194: ...m a switch A valid port number range is represented by a dash for example 7 30 Alternatively service names can also be used instead of port number Table 34 lists the supported service names and their corresponding port numbers TABLE 34 Supported services Service name Port number echo 7 discard 9 systat 11 daytime 13 netstat 15 chargen 19 ftp data 20 ftp 21 fsp 21 ssh 22 telnet 23 smtp 25 time 27 n...

Page 195: ...nterfaces The FORWARD traffic type allows management of bidirectional traffic between the external management interface and the inband management interface In this case the destination IP element should also be specified Implicit filter rules For every IP Filter policy the two rules listed in Table 35 are always assumed to be appended implicitly to the end of the policy This ensures that TCP and U...

Page 196: ... ignored If there is no match then it is compared to the next rule in the policy This process continues until the incoming packet is compared to all rules in the active policy If none of the rules in the policy matches the incoming packet the two implicit rules are matched to the incoming packet If the rules still do not match the packet the default action which is to deny is taken When the IPv4 o...

Page 197: ...ction is not ended other command line or manageability sessions are blocked on the subcommands that would open a new transaction 1 Log in to the switch using an account with admin permissions or an account associated with the chassis role and having the OM permissions for the IPfilter RBAC class of commands 2 Enter the ipFilter transabort command IP Filter policy distribution The IP Filter policy ...

Page 198: ...iguration instructions see Database distribution settings on page 161 Virtual Fabric considerations FCS DCC SCC and AUTH databases can be distributed using the distribute command but the PWD and IPFILTER databases are blocked from distribution Manually distribute an ACL policy database Run the distribute command to push the local database of the specified policy type to target switches ACL policy ...

Page 199: ...Tolerant Strict Reject Database is protected it cannot be overwritten May not match other databases in the fabric Invalid configuration 1 1 An error is returned indicating that the distribution setting must be accept before you can set the fabric wide consistency policy Invalid configuration 1 Accept default Database is not protected the database can be overwritten If the switch initiating a distr...

Page 200: ...hes This section explains how to manually distribute local ACL policy databases The distribute command has the following dependencies All target switches must be running Fabric OS v6 2 0 or later All target switches must accept the database distribution see Database distribution settings on page 161 The fabric must have a tolerant or no absent fabric wide consistency policy see Fabric wide enforce...

Page 201: ... of the three to the other switches in the fabric NOTE FC routers cannot join a fabric with a strict fabric wide consistency policy FC routers do not support the fabric wide consistency policies Table 39 describes the fabric wide consistency settings Displaying the fabric wide consistency policy 1 Connect to the switch and log in using an account with admin permissions or an account with O permiss...

Page 202: ...on the fabric the switch joins the fabric successfully and the ACL policies are copied automatically from where they exist to where they are absent The Active policies set where they exist and overwrite the Active and Defined policies where they are absent If the ACL policies do not match the switch can join the fabric but an error message flags the mismatch Under both conflicting conditions secPo...

Page 203: ...CC DCC or both policies Non matching fabric wide consistency policies You may encounter one of the following two scenarios described in Table 41 and Table 42 where you are merging a fabric with a strict policy to a fabric with an absent tolerant or non matching strict policy and the merge fails and the ports are disabled Table 41 on page 166 shows merges that are not supported TABLE 40 Merging fab...

Page 204: ...ties Authentication Ensures that the sending and receiving end users and devices are known and trusted by one another Data Integrity Confirms that the data received was in fact the data transmitted Data Confidentiality Protects the user data being transmitted such as utilizing encryption to avoid sending data in clear text Replay Protection Prevents replay attack in which an attacker resends previ...

Page 205: ...e payload while tunnel mode encrypts the entire packet A single pair of addresses will be negotiated for packets protected by this SA It is possible in this scenario that one or both of the protected endpoints will be behind a network address translation NAT node in which case tunneled packets will have to be UDP encapsulated so that port numbers in the UDP headers can be used to identify individu...

Page 206: ...configuration RoadWarrior configuration In endpoint to endpoint security packets are encrypted and decrypted by the host which produces or consumes the traffic In the gateway to gateway example a router on the network encrypts and decrypts the packets on behalf of the hosts on a protected network A combination of the two is referred to as a RoadWarrior configuration where a host on the Internet re...

Page 207: ...ons to create IPsec SAs You must create an SA prior to creating an SA proposal You cannot modify an SA once it is created Use the ipsecConfig flush manual sa command to remove all SA entries from the kernel SADB and re create the SA For more information on the ipSecConfig command refer to the Fabric OS Command Reference IPsec proposal The IPsec sa proposal defines an SA or an SA bundle An SA is a ...

Page 208: ...is needed for the IPsec connection and the encryption and authentication algorithms to be used in security associations when IKE is used as the key management protocol IPsec can protect either the entire IP datagram or only the upper layer protocols using tunnel mode or transport mode Tunnel mode uses the IPsec protocol to encapsulate the entire IP datagram Transport mode handles only the IP datag...

Page 209: ...pre shared key has the psk extension and is one of the available methods IKE can be configured to use for primary authentication You can specify the pre shared keys used in IKE policies add and delete pre shared keys in local database corresponding to the identity of the IKE peer or group of peers The ipSecConfig command does not support manipulating pre shared keys corresponding to the identity o...

Page 210: ...ole and having OM permissions for the IPsec RBAC class of commands b Enter the ipSecConfig enable command to enable IPsec on the switch 4 Create an IPsec SA policy on each side of the tunnel using the ipSecConfig add command Example of creating an IPsec SA policy This example creates an IPsec SA policy named AH01 which uses AH protection with MD5 You would run this command on each switch on each s...

Page 211: ...as the remote r address or SELECTOR IN Similarly the local l address of SELECTOR IN is the same as the remote r address or SELECTOR OUT That is local refers to the source IP address of the packet and remote is the destination IP address Hence inbound packets have opposite source and destination addresses than outbound packets 10 Verify traffic is protected a Initiate a telnet SSH or ping session f...

Page 212: ... IPsec proposal IPSEC AH to use AH01 as SA switch admin ipsecconfig add policy ips sa proposal t IPSEC AH sa AH01 5 Configure the SA proposal s lifetime in time units The maximum lifetime is 86400 or one day switch admin ipsecconfig add policy ips sa proposal t IPSEC AH lttime 86400 sa AH01 6 Import the pre shared key file using the secCertUtil command The file name should have a psk extension For...

Page 213: ...E for the above traffic flow Use the ipSecConfig show manual sa a command with the operands specified to display the outbound and inbound SAs in the kernel SADB Use the ipSecConfig show policy ips sa a command with the specified operands to display all IPsec SA policies Use the ipSecConfig show policy ips sa proposal a command with the specified operands to display IPsec proposals Use the ipSecCon...

Page 214: ...176 Fabric OS Administrator s Guide 53 1002446 01 Management interface security 7 ...

Page 215: ...D enabled switches refer to Chapter 17 Managing Administrative Domains For more information about troubleshooting configuration file uploads and downloads refer to the Fabric OS Troubleshooting and Diagnostics Guide There are two ways to view configuration settings for a switch in a Brocade fabric Issue the configShow all command To display configuration settings connect to the switch log in as ad...

Page 216: ... 1 15 53 18 2011 FOS version v7 0 0 0 Number of LS 2 Chassis Configuration Begin fcRouting Chassis Configuration LicensesDB Bottleneck Configuration DMM_WWN Licenses Chassis Configuration End date Tue Mar 1 21 28 52 2011 Switch Configuration Begin 0 SwitchName Sprint5100 Fabric ID 128 Boot Parameters Configuration Bottleneck Configuration Zoning Defined Security policies fid To upload the specifie...

Page 217: ... configuration It defines configuration data for chassis components that affect the entire system not just one individual logical switch The chassis section is included in non Virtual Fabric modes only if you use the configUpload all command The chassis section specifies characteristics for the following software components FC Routing Fibre Channel Routing Chassis configuration Chassis configurati...

Page 218: ...ers Configuration Bottleneck configuration FCoE software configuration Zoning Defined security policies Active security policies iSCSI CryptoDev FICU saved files VS_SW_CONF Banner Configuration file backup Brocade recommends keeping a backup configuration file You should keep individual backup files for all switches in the fabric and avoid copying configurations from one switch to another The conf...

Page 219: ...e configuration file is printable but you may want to see how many pages will be printed before you send it to the printer Example of configUpload on a switch without Admin Domains switch admin configupload Protocol scp ftp sftp local ftp sftp Server Name or IP Address host 10 1 2 3 User Name user UserFoo Path Filename home dir config txt switchConfig txt Section all chassis FID all chassis userna...

Page 220: ...mless to the switch and can be ignored Note that while is possible to transfer a v6 4 1 config file to a v7 0 0 switch the reverse cannot be done You cannot transfer a v7 0 0 config file to a v6 4 1 switch Restrictions chassis The number of switches defined in the downloaded configuration file must match the number of switches currently defined on the switch fid FID The FID must be defined in both...

Page 221: ...downloads If Virtual Fabrics mode is enabled the chassisDisable and chassisEnable commands are used to disable all logical switches on the affected switch This bypasses the need to disable and enable each switch individually once the configuration download has completed Non Virtual Fabric configuration files downloaded to a Virtual Fabric system have configuration applied only to the default switc...

Page 222: ...tch has no configuration information you want to save 1 Verify that the FTP service is running on the server where the backup configuration file is located 2 Connect to the switch and log in using an account with admin permissions and if necessary with chassis permissions 3 If there are any changed parameters in the configuration file that do not belong to SNMP Fabric Watch or ACL disable the swit...

Page 223: ...ub configurations config txt CAUTION This command is used to download a backed up configuration for a specific switch If using a file from a different switch this file s configuration settings will override any current switch settings Downloading a configuration file which was uploaded from a different type of switch may cause this switch to fail A switch reboot might be required for some paramete...

Page 224: ...iguration file that begin with boot are ignored Security parameters lines in the configuration file that begin with sec such as secure mode setting and version stamp are ignored For more detailed information on security refer to Chapter 6 Configuring Protocols Configuration management for Virtual Fabrics You can use the configUpload vf or configDownload vf command to restore configurations to a lo...

Page 225: ...d of the regular configuration After the Virtual Fabrics configuration file is downloaded the switch is automatically rebooted On dual CP platforms if CPs are incompatible HA not in sync the Virtual Fabrics configuration file is not propagated to the standby CP Otherwise the active CP attempts to remain active after the reboot and the new Virtual Fabrics configuration file is then propagated to th...

Page 226: ...bled The vf option is incompatible with the fid sfid or all options Any attempt to combine it with any of the other three will fail the configuration upload or download operation You are not allowed to modify the Virtual Fabrics configuration file after it has been uploaded Only minimal verification is done by the configDownload command to ensure it is compatible much like the normal downloaded co...

Page 227: ...g tables The tables can be used to record configuration information for the various blades TABLE 45 Brocade configuration and connection Brocade configuration settings IP address Gateway address Chassis configuration option Management connections Serial cable tag Ethernet cable tag Configuration information Domain ID Switch name Ethernet IP address Ethernet subnet mask Total number of local device...

Page 228: ...190 Fabric OS Administrator s Guide 53 1002446 01 Brocade configuration form 8 ...

Page 229: ...e FC8 16 FC8 32 FC8 48 and FC8 64 AP blades contain extra processors and specialized ports Brocade FR4 18i FA4 18 FCOE10 24 and FX8 24 CP blades have a control processor CP used to control the entire switch CP blades can be inserted only into slots 6 and 7 on the Brocade DCX or DCX 8510 8 and slots 4 and 5 on the Brocade DCX 4S or DCX 8510 4 CORE8 and CR4S 8 core blades provide ICL functionality b...

Page 230: ...dual CP systems the firmware download process by default sequentially upgrades the firmware image on both CPs using HA failover to prevent disruption to traffic flowing through the Backbone This operation depends on HA status on the Backbone If the platform does not support HA you can still upgrade the CPs one at a time If you are using a Brocade DCX or DCX 8510 Backbone family platform with one o...

Page 231: ...permit passwordless logins for outgoing authentication as described in Configuring outgoing SSH authentication on page 119 Considerations for FICON CUP environments To prevent channel errors during nondisruptive firmware installation the switch CUP port must be taken offline from all host systems HA sync state High availability HA synchronization occurs when two CPs in a Backbone are synchronized ...

Page 232: ...p process first upgrade to v6 4 0 and then upgrade to v7 0 0 If you are running a pre Fabric OS v6 2 0 version you must upgrade to v6 2 0 then to v6 3 0 then to v6 4 0 and finally to v7 0 0 3 Perform a configUpload prior to the firmwareDownload Save the config file on your FTP or SSH server or USB memory device on supported platforms 4 Optional For additional support connect the switch to a comput...

Page 233: ... the version of switch kernel operating system Fabric OS displays the version of switch Fabric OS Made on displays the build date of firmware running in switch Flash displays the install date of firmware stored in nonvolatile memory BootProm displays the version of the firmware stored in the boot PROM Obtain and decompress firmware Firmware upgrades are available for customers with support service...

Page 234: ... system performs a high availability reboot haReboot After the haReboot the former secondary partition is the primary partition The system replicates the firmware from the primary to the secondary partition The upgrade process first downloads and then commits the firmware to the switch While the upgrade is proceeding you can start a session on the switch and use the firmwareDownloadStatus command ...

Page 235: ...DNS server using the dnsConfig command 7 At the Do you want to continue y n prompt enter y 8 After the HA reboot connect to the switch and log in again using an account with admin permissions 9 Enter the firmwareDownloadStatus command to determine if the firmware download process has completed 10 After the firmware commit is completed which takes several minutes enter the firmwareShow command to v...

Page 236: ...you enter the firmwareDownload command on the active CP blade the following actions occur 1 The standby CP blade downloads firmware 2 The standby CP blade reboots and comes up with the new Fabric OS 3 The active CP blade synchronizes its state with the standby CP blade 4 The active CP blade forces a failover and reboots to become the standby CP blade 5 The new active CP blade synchronizes its stat...

Page 237: ...in as admin 6 Use the firmwareShow command to check the current firmware version on connected switches Upgrade the firmware if necessary before proceeding with upgrading this switch See Connected switches on page 195 7 Enter the haShow command to confirm that the two CP blades are synchronized In the following example the active CP blade is CP0 and the standby CP blade is CP1 ecp admin hashow Loca...

Page 238: ... version compatibility Version compatibility check passed The following AP blades are installed in the system Slot Name Versions Traffic Disrupted 4 FR4 18i v7 0 0 None 10 FR4 18i v7 0 0 None This command will upgrade the firmware on both CPs and all AP blade s above If you want to upgrade firmware on a single CP only please use s option You may run firmwaredownloadstatus to get the status of this...

Page 239: ...areDownload command it must be enabled and mounted as a file system The firmware images to be downloaded must be stored under the relative path from usb usbstorage brocade firmware or use the absolute path in the USB file system Multiple images can be stored under this directory There is a firmwarekey directory where the public key signed firmware is stored When the firmwareDownload command line o...

Page 240: ...ad fails To enable or disable FIPS refer to Chapter 7 Configuring Security Policies Public and private key management For signed firmware Brocade uses RSA with 1024 bit length key pairs a private key and a public key The private key is used to sign the firmware files when the firmware is generated The public key is packaged in an RPM package as part of the firmware and is downloaded to the switch ...

Page 241: ...ed_firmware flag needs to be disabled If the firmware file has a signature but the validation fails firmwareDownload fails This means the firmware is not from Brocade or the contents have been modified If the firmware file has a signature and the validation succeeds firmwareDownload proceeds normally SAS DMM and third party application images are not signed Configuring the switch for signed firmwa...

Page 242: ...en restore the original version of the firmware Testing a new version of firmware in this manner ensures that you do not replace existing firmware because the evaluated version occupies only one partition on the switch ATTENTION When you evaluate new firmware make sure you disabled all features that are not supported by the original firmware before restoring to the original version Testing a diffe...

Page 243: ...witch which completes the firmware download operations 8 Commit the firmware a Enter the firmwareCommit command to update the secondary partition with new firmware Note that it takes several minutes to complete the commit operation b Enter the firmwareShow command to confirm both partitions on the switch contain the new firmware ATTENTION Stop If you have completed step 8 then you have committed t...

Page 244: ...how command and note the address of CP0 and CP1 3 Enter the haShow command and note which CP is active and which CP is standby Verify that both CPs are in sync 4 Enter the firmwareShow command and confirm that the current firmware on both partitions on both CPs is listed as expected 5 Exit the session 6 Update the firmware on the standby CP a Connect to the Backbone and log in as admin to the stan...

Page 245: ... reboots it The current Backbone session is disconnected c Wait one minute for the standby CP to reboot and then connect to the Backbone and log in as admin d Enter the firmwareShow command to confirm that both primary partitions now have the test drive firmware in place You are now ready to evaluate the new version of firmware ATTENTION Stop If you want to restore the firmware stop here and skip ...

Page 246: ...active CP b Enter the firmwareRestore command The standby CP reboots and the current Backbone session ends Both partitions have the same Fabric OS after several minutes c Wait five minutes and log in to the Backbone Enter the firmwareShow command and verify that all partitions have the original firmware If an AP blade is present Blade partitions always contain the same version of the firmware on b...

Page 247: ...f each CP within the Brocade Backbone The firmwareShow command displays the firmware version on the CPs firmwareDownloadStatus Displays an event log that records the progress and status of events during Fabric OS SAS and SA firmwareDownload The event log is created by the current firmwareDownload command and is kept until another firmwareDownload command is issued There is a timestamp associated w...

Page 248: ...210 Fabric OS Administrator s Guide 53 1002446 01 Validating a firmware download 9 ...

Page 249: ...logical switch 230 Displaying logical switch configuration 231 Changing the fabric ID of a logical switch 232 Changing a logical switch to a base switch 232 Setting up IP addresses for a Virtual Fabric 234 Removing an IP address for a Virtual Fabric 234 Configuring a logical switch to use XISLs 234 Changing the context to a different logical fabric 235 Creating a logical fabric using XISLs 235 Vir...

Page 250: ...articipates in a single fabric The logical switch feature allows you to divide a physical chassis into multiple fabric elements Each of these fabric elements is referred to as a logical switch Each logical switch functions as an independent self contained FC switch NOTE Each chassis can have multiple logical switches Default logical switch To use the Virtual Fabrics features you must first enable ...

Page 251: ... create a logical switch you must assign it a fabric ID FID The fabric ID uniquely identifies each logical switch within a chassis and indicates to which fabric the logical switch belongs You cannot define multiple logical switches with the same fabric ID within the chassis In Figure 19 on page 214 logical switches 2 3 4 and 5 are assigned FIDs of 1 15 8 and 20 respectively These logical switches ...

Page 252: ...initially has 10 ports labeled P0 through P9 After logical switches are created the ports are assigned to specific logical switches Note that ports 0 1 7 and 8 have not been assigned to a logical switch and so remain assigned to the default logical switch FIGURE 20 Assigning ports to logical switches Logical switch 5 FID 20 Physical chassis Logical switch 1 Default logical switch FID 128 Logical s...

Page 253: ... as are available in the chassis In Figure 20 the chassis has 10 ports You could assign all 10 ports to a single logical switch such as logical switch 2 if you did this however no ports would be available for logical switches 3 and 4 You can move only F_Ports and E_Ports from one logical switch to another If you want to configure a different type of port such as a VE_Port or EX_Port you must confi...

Page 254: ...bric is a fabric that contains at least one logical switch The four fabrics shown in Figure 21 and Figure 22 are logical fabrics because they each have at least one logical switch You can connect logical switches to non Virtual Fabrics switches and to other logical switches You connect logical switches to non Virtual Fabrics switches using an ISL as shown in Figure 21 You connect logical switches ...

Page 255: ...switches are dedicated ISLs because they carry traffic only for a single logical fabric In Figure 23 Fabric 128 has two switches the default logical switches but they cannot communicate with each other because they have no ISLs between them and they cannot use the ISLs between the other logical switches NOTE Only logical switches with the same FID can form a fabric If you connect two logical switc...

Page 256: ...ed ISL or extended ISL XISL An extended ISL connects base switches The XISL is used to share traffic among different logical fabrics Fabric formation across an XISL is based on the FIDs of the logical switches Figure 25 shows two physical chassis divided into logical switches Each chassis has one base switch An ISL connects the two base switches This ISL is an extended ISL XISL because it connects...

Page 257: ...igure 27 In this diagram traffic between the logical switches in FID 1 can travel over either the ISL or the XISL Traffic between the other logical switches travels only over the XISL FIGURE 27 Logical fabric using ISLs and XISLs Base switch Fabric ID 8 P9 Logical switch 7 Fabric ID 15 P7 Logical switch 6 Fabric ID 1 P4 Logical switch 5 Default logical switch Fabric ID 128 Physical chassis 2 Base ...

Page 258: ... the base fabric maintains connectivity for the logical fabrics Logical ports As shown in Figure 27 logical ISLs are formed to connect logical switches A logical port represents the ports at each end of a logical ISL A logical port is a software construct only and does not correspond to any physical port Most port commands are not supported on logical ports For example you cannot change the state ...

Page 259: ...termines which ports the user can see You can change the active context For example if you are working with logical switch 1 you can change the context to logical switch 5 When you change the context to logical switch 5 you only see the ports that are assigned to that logical switch You do not see any of the other ports in the chassis The scope of logical switch operations is defined by the active...

Page 260: ...cluding the base switch and default logical switch with the exception that F_Ports cannot belong to the base switch The default logical switch can use XISLs The default logical switch can also be a base switch Supported port configurations in the Brocade Backbones Some of the ports in the Brocade DCX and DCX 8510 Backbone families are not supported on all types of logical switches Table 47 lists t...

Page 261: ...1 In the Brocade DCX and DCX 8510 8 ports 56 63 of the FC8 64 blade are not supported as E_Ports on the default logical switch The Brocade DCX 4S and DCX 8510 4 do not have this limitation 2 In the Brocade DCX and DCX 8510 8 ports 48 63 of the FC8 64 blade are not supported in the base switch The Brocade DCX 4S and DCX 8510 4 do not have this limitation TABLE 48 Virtual Fabrics interaction with Fa...

Page 262: ...t the FICON logical switch must use ISLs and not XISLs Licensing Licenses are applicable for all logical switches in a chassis Performance monitoring Performance monitors are supported in a limited number of logical switches depending on the platform type Refer to Chapter 20 Monitoring Fabric Performance for more information about performance monitoring when Virtual Fabrics is enabled QoS QoS VCs ...

Page 263: ...d or has not yet joined the edge fabric you can allow XISL use however fabric segmentation occurs when the logical switch is enabled or is connected to an edge fabric Restrictions on moving ports The following are restrictions on moving ports among logical switches FC ports cannot be moved if any one of the following features is enabled Long distance QoS F_Port buffers F_Port trunking Before movin...

Page 264: ...a disruptive operation that requires a reboot to take effect All EX ports will be disabled upon reboot Would you like to continue Y N y VF has been enabled Your system is being rebooted Disabling Virtual Fabrics mode When you disable VF mode the following occurs The CPs are rebooted If F_Port trunking is enabled on ports in the default switch the F_Port trunking information is deleted If you want ...

Page 265: ...ce provider to determine if you need to use this procedure You need to run this procedure only once on each chassis after you enable Virtual Fabrics but before you create logical switches The configuration settings are then preserved across reboots and firmware upgrades and downgrades 1 Connect to the physical chassis and log in using an account with the chassis role permission 2 Enter the followi...

Page 266: ... you just created 4 Disable the logical switch switchdisable 5 Configure the switch attributes including assigning a unique domain ID configure 6 Enable the logical switch switchenable 7 Assign ports to the logical switch as described in Adding and moving ports on a logical switch on page 230 Example The following example creates a logical switch with FID 4 and then assigns domain ID 14 to it sw0 ...

Page 267: ...execute the command on all logical switches fosexec fid all cmd command Example 1 Executing the switchShow command in a different logical switch context sw0 FID128 admin fosexec fid 4 cmd switchshow switchshow on FID 4 switchName switch_4 switchType 66 1 switchState Online switchMode Native switchRole Principal switchDomain 14 switchId fffc0e switchWwn 10 00 00 05 1e 82 3c 2b zoning OFF switchBeac...

Page 268: ... the fabric ID of the logical switch to be deleted Example of deleting the logical switch with FID 7 switch_4 FID4 admin lscfg delete 7 All active login sessions for FID 7 have been terminated Switch successfully deleted Adding and moving ports on a logical switch This procedure explains how to add and move ports on logical switches You add ports to a logical switch by moving the ports from one lo...

Page 269: ...pported on the base switch The Brocade DCX 4S and DCX 8510 4 do not have this limitation 3 Enter y at the prompt The ports are automatically disabled then removed from their current logical switch and assigned to the logical switch specified by fabricID Example of assigning ports 18 through 20 to the logical switch with FID 5 sw0 FID128 admin lscfg config 5 port 18 20 This operation requires that ...

Page 270: ...hange fabricID newfid newFID 3 Enter y at the prompt 4 Enable the logical switch fosexec fid newFID cmd switchenable Example of changing the fabric ID on the logical switch from 5 to 7 sw0 FID128 admin lscfg change 5 newfid 7 Changing of a switch fid requires that the switch be disabled Would you like to continue y n y Disabling switch All active login sessions for FID 5 have been terminated Check...

Page 271: ... No Address Mode 0 output truncated switch_25 FID7 admin configure Not all options will be available on an enabled switch To disable the switch use the switchDisable command Configure Fabric parameters yes y no n no y WWN Based persistent PID yes y no n no Allow XISL Use yes y no n yes n WARNING Disabling this parameter will cause removal of LISLs to other logical switches Do you want to continue ...

Page 272: ...lete Configuring a logical switch to use XISLs When you create a logical switch it is configured to use XISLs by default Use the following procedure to allow or disallow the logical switch to use XISLs in the base fabric XISL use is not supported in some cases See Limitations and restrictions of Virtual Fabrics on page 224 for restrictions on XISL use 1 Connect to the physical chassis and log in u...

Page 273: ...his procedure describes how to create a logical fabric using multiple chassis and XISLs and refers to the configuration shown in Figure 28 as an example FIGURE 28 Example of logical fabrics in multiple chassis and XISLs 1 Set up the base switches in each chassis a Connect to the physical chassis and log in using an account with the chassis role permission b Enable the Virtual Fabrics feature if it...

Page 274: ... instructions For the example shown in Figure 28 you would create a logical switch with FID 1 and a logical switch with FID 15 c Assign ports to the logical switch as described in Adding and moving ports on a logical switch on page 230 d Physically connect devices and ISLs to these ports on the logical switch e Optional Configure the logical switch to use XISLs if it is not already XISL capable Se...

Page 275: ... are regular or standard zones Unless otherwise specified all references to zones in this chapter refer to these regular zones Broadcast zones Control which devices receive broadcast frames A broadcast zone restricts broadcast packets to only those devices that are members of the broadcast zone See Broadcast zones on page 244 for more information Frame redirection zones Re route frames between an ...

Page 276: ...device in a zone can communicate only with other devices connected to the fabric within the same zone A device not included in the zone is not available to members of that zone When zoning is enabled devices that are not included in any zone configuration are inaccessible to all other devices in the fabric Zones can be configured dynamically They can vary in size depending on the number of fabric ...

Page 277: ... also accesses tape devices a second zone is created with the HBA and associated tape devices in it In the case of clustered systems it could be appropriate to have an HBA from each of the cluster members included in the zone this is equivalent to having a shared SCSI bus between the cluster members and assumes that the clustering software can manage access to the shared devices In a large fabric ...

Page 278: ...ifications RSCNs or errors go out to a larger group than necessary Operating system Zoning by operating system has issues similar to zoning by application In a large site this type of zone can become very large and complex When zone changes are made they typically involve applications rather than a particular server type If members of different operating system clusters can see storage assigned to...

Page 279: ...s to define all NT hosts in the fabric Zone aliases also simplify repetitive entry of zone objects such as port numbers or a WWN For example you can use the name Eng as an alias for 10 00 00 80 33 3f aa 11 Naming zones for the initiator they contain can also be useful For example if you use the alias SRV_MAILSERVER_SLT5 to designate a mail server in PCI slot 5 then the alias for the associated zon...

Page 280: ... configuration is reinstated on the local switch Zoning enforcement Zoning enforcement describes a set of predefined rules that the switch uses to determine where to send incoming data Fabric OS uses hardware enforced zoning Hardware enforced zoning means that each frame is checked by hardware the ASIC before it is delivered to a zone member and is discarded if there is a zone mismatch When hardwa...

Page 281: ...nforcement frame or session based If security is a priority frame based hardware enforcement is recommended The best way to do this is to use WWN identification exclusively for all zoning configurations Use of aliases The use of aliases is optional with zoning Using aliases requires structure when defining zones Aliases aid administrators of zoned fabrics in understanding the structure and context...

Page 282: ...acket Devices that are not members of the broadcast zone can send broadcast packets even though they cannot receive them A broadcast zone can have domain port WWN and alias members Broadcast zones do not function in the same way as other zones A broadcast zone does not allow access within its members in any way If you want to allow or restrict access between any devices you must create regular zon...

Page 283: ...es member devices 2 1 3 1 and 4 1 Even though 2 1 is a member of AD1 it is not a member of AD2 and so is not added to the consolidated broadcast zone Device 3 1 is added to the consolidated broadcast zone because of its membership in the AD2 broadcast zone When a switch receives a broadcast packet it forwards the packet only to those devices which are zoned with the sender and are also part of the...

Page 284: ...ne configuration The default zoning mode has two options All Access All devices within the fabric can communicate with all other devices No Access Devices in the fabric cannot access any other device in the fabric If a broadcast zone is active even if it is the only zone in the effective configuration the default zone setting is not in effect If the effective configuration has only a broadcast zon...

Page 285: ...ble results with the potential of mismatched Effective Zoning configurations Do you want to save Defined zoning configuration only yes y no n no y Adding members to an alias 1 Connect to the switch and log in using an account with admin permissions 2 Enter the aliAdd command using the following syntax aliadd aliasname member member 3 Enter the cfgSave command to save the change to the defined conf...

Page 286: ...ic is not recommended and may cause unpredictable results with the potential of mismatched Effective Zoning configurations Do you want to save Defined zoning configuration only yes y no n no y Deleting an alias 1 Connect to the switch and log in using an account with admin permissions 2 Enter the aliDelete command using the following syntax alidelete aliasname 3 Enter the cfgSave command to save t...

Page 287: ... zoneCreate command using the following syntax zonecreate zonename member member To create a broadcast zone use the reserved name broadcast 3 Enter the cfgSave command to save the change to the defined configuration The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile memory If a transaction is open on a different switch in the fabric when this command is run t...

Page 288: ...th the potential of mismatched Effective Zoning configurations Do you want to save Defined zoning configuration only yes y no n no y Removing devices members from a zone 1 Connect to the switch and log in using an account with admin permissions 2 Enter the zoneRemove command using the following syntax zoneremove zonename member member 3 Enter the cfgSave command to save the change to the defined c...

Page 289: ...t is re enabled Until the Effective configuration is re enabled merging new switches into the fabric is not recommended and may cause unpredictable results with the potential of mismatched Effective Zoning configurations Do you want to save Defined zoning configuration only yes y no n no y Viewing a zone in the defined configuration 1 Connect to the switch and log in using an account with admin pe...

Page 290: ...st The mode flag m can be used to specify the zone database location Supported mode flag values are 0 zone database from the current transaction buffer 1 zone database stored from the persistent storage 2 currently effective zone database If no mode options are given the validated output of all three buffers is shown If the f option is specified all the zone members that are not enforceable would ...

Page 291: ... effective zone configuration and more than 120 devices are connected to the fabric 1 Connect to the switch and log in using an account with admin permissions 2 Enter the cfgActvShow command to view the current zone configuration 3 Enter the defZone command with one of the following options defzone noaccess defzone allaccess This command initiates a transaction if one is not already in progress 4 ...

Page 292: ... to keep track of the chassis wide zone database size ATTENTION In a fabric with some switches running Fabric OS 7 0 0 or later and some switches running Fabric OS versions earlier than 7 0 0 if you execute the cfgSave or cfgEnable command from a pre 7 0 0 switch a zone database size of 128 KB is enforced To avoid this problem use the switch with the highest Fabric OS version to perform zoning tas...

Page 293: ...to nonvolatile memory If a transaction is open on a different switch in the fabric when this command is run the transaction on the other switch is automatically aborted A message displays on the other switches to indicate that the transaction was aborted Example switch admin cfgcreate NEW_cfg purplezone bluezone greenzone switch admin cfgsave You are about to save the Defined zoning configuration ...

Page 294: ...c when this command is run the transaction on the other switch is automatically aborted A message displays on the other switches to indicate that the transaction was aborted Example switch admin cfgremove NEW_cfg purplezone switch admin cfgsave You are about to save the Defined zoning configuration This action will only save the changes on the Defined configuration Any changes made on the Effectiv...

Page 295: ...or information about setting this mode to No Access The following procedure ends and commits the current zoning transaction buffer to nonvolatile memory If a transaction is open on a different switch in the fabric when this procedure is run the transaction on the other switch is automatically aborted A message displays on the other switches to indicate that the transaction was aborted 1 Connect to...

Page 296: ...a member from zone1 was done in error switch admin zoneremove zone1 3 5 switch admin cfgtransabort Viewing all zone configuration information If you do not specify an operand when executing the cfgShow command to view zone configurations then all zone configuration information both defined and effective displays If there is an outstanding transaction then the newly edited zone configuration that h...

Page 297: ...iguration in the effective zone database 1 Connect to the switch and log in using an account with admin permissions 2 Enter the cfgActvShow command Example switch admin cfgactvshow Effective configuration cfg NEW_cfg zone Blue_zone 1 1 21 00 00 20 37 0c 76 8c 21 00 00 20 37 0c 71 02 1 2 21 00 00 20 37 0c 76 22 21 00 00 20 37 0c 76 28 zone Purple_zone 1 0 21 00 00 20 37 0c 76 85 21 00 00 20 37 0c 7...

Page 298: ...iginal The zone object can be a zone configuration a zone alias or a zone 1 Connect to the switch and log in using an account with admin permissions 2 Enter the cfgShow command to view the zone configuration objects you want to copy cfgshow pattern mode For example to display all zone configuration objects that start with Test switch admin cfgshow Test cfg Test1 Blue_zone cfg Test_cfg Purple_zone ...

Page 299: ...on cfg USA_cfg zone Blue_zone 1 1 21 00 00 20 37 0c 76 8c 21 00 00 20 37 0c 71 02 1 2 21 00 00 20 37 0c 76 22 21 00 00 20 37 0c 76 28 zone Purple_zone 1 0 21 00 00 20 37 0c 76 85 21 00 00 20 37 0c 71 df 3 Enter the zone expunge command to delete the zone object Zone configuration names are case sensitive blank spaces are ignored and it works in any Admin Domain other than AD255 switch admin zone e...

Page 300: ...oots enter the cfgSave command to save it to nonvolatile flash memory 6 Enter the cfgEnable command for the appropriate zone configuration to make the change effective Zone configuration management You can add delete or remove individual elements in an existing zone configuration to create an appropriate configuration for your SAN environment After the changes have been made save the configuration...

Page 301: ...tion on the switch using the procedure described in Viewing the configuration in the effective zone database on page 259 If you are adding a switch that is already configured for zoning clear the zone configuration on that switch before connecting it to the zoned fabric See Clearing all zone configurations on page 259 for instructions Adding a new fabric that has no zone configuration information ...

Page 302: ...y activated after the merge Check the TI zone enabled status using the zone show command and if the status does not match across switches issue the cfgenable command Merging two fabrics Both fabrics have identical zones and configurations enabled including the default zone mode The two fabrics will join to make one larger fabric with the same zone configuration across the newly created fabric If t...

Page 303: ... on page 267 TI zones Table 56 on page 267 Default access mode Table 57 on page 268 Mixed Fabric OS versions TABLE 52 Zone merging scenarios Defined and effective configurations Description Switch A Switch B Expected results Switch A has a defined configuration Switch B does not have a defined configuration defined cfg1 zone1 ali1 ali2 effective none defined none effective none Configuration from ...

Page 304: ...erent from the defined configuration defined none effective none defined cfg1 zone1 ali1 ali2 effective cfg1 zone1 ali1 ali2 zone2 ali3 ali4 Clean merge Switch A absorbs the defined configuration from the fabric with cfg1 as the effective configuration In this case however the effective configurations for Switch A and Switch B are different You should issue a cfgenable from the switch with the pro...

Page 305: ...Switch A has TI zones Switch B has identical TI zones defined cfg1 TI_zone1 effective cfg1 defined cfg1 TI_zone1 effective cfg1 Clean merge TI zones are not automatically activated after the merge Switch A has a TI zone Switch B has a different TI zone defined cfg1 TI_zone1 defined cfg1 TI_zone2 Fabric segments due to Zone Conflict cfg mismatch Cannot merge switches with different TI zone configur...

Page 306: ...fective configuration defzone noaccess Clean merge effective zone configuration from Switch A propagates to fabric Effective zone configuration effective cfg1 defzone allaccess No effective configuration defzone noaccess Fabric segments You can resolve the zone conflict by changing defzone to noaccess on Switch 1 TABLE 56 Zone merging scenarios Default access mode Continued Description Switch A Sw...

Page 307: ...u to control the flow of interswitch traffic by creating a dedicated path for traffic flowing from a specific set of source ports N_Ports For example you might use Traffic Isolation Zoning for the following scenarios To dedicate an ISL to high priority host to target traffic To force high volume low priority traffic onto a given ISL to limit the effect on the fabric of this high traffic pattern To...

Page 308: ...ommand to create and manage TI zones Refer to the Fabric OS Command Reference for details about the zone command TI zone failover A TI zone can have failover enabled or disabled Disable failover if you want to guarantee that TI zone traffic uses only the dedicated path and that no other traffic can use the dedicated path Enable failover if you want traffic to have alternate routes if either the de...

Page 309: ...d through E_Ports 1 1 and 3 9 that traffic continues through E_Ports 3 12 and 4 7 even though the non dedicated ISL between domains 3 and 4 is not broken Additional considerations when disabling failover If failover is disabled be aware of the following considerations This feature is intended for use in simple linear fabric configurations such as that shown in Figure 31 on page 270 Ensure that the...

Page 310: ...itions and regular zone definitions match Domain controller frames can use any path between switches Disabling failover does not affect Domain Controller connectivity For example in Figure 32 if failover is disabled Domain 2 can continue to send domain controller frames to Domain 3 and 4 even though the path between Domain 1 and Domain 3 is a dedicated path Domain controller frames include zone up...

Page 311: ... in Figure 33 there is a dedicated path between Domain 1 and Domain 3 and another non dedicated path that passes through Domain 2 If failover is enabled all traffic will use the dedicated path because the non dedicated path is not the shortest path If failover is disabled non TI zone traffic is blocked because the non dedicated path is not the shortest path FIGURE 33 Dedicated path is the only sho...

Page 312: ...es with overlapping port members are called enhanced TI zones ETIZ Figure 35 shows an example of two TI zones Because these TI zones have an overlapping port 3 8 they are enhanced TI zones FIGURE 35 Enhanced TI zones Enhanced TI zones are especially useful in FICON fabrics See the FICON Administrator s Guide for example topologies using enhanced TI zones See Additional configuration rules for enha...

Page 313: ...paths from a local port port 8 on Domain 3 to two or more devices on the same remote domain ports 1 and 4 on Domain 1 The TI zones are enhanced TI zones because they have an overlapping member 3 8 Each zone describes a different path from the Target to Domain 1 Traffic is routed correctly from Host 1 and Host 2 to the Target however traffic from the Target to the Hosts might not be Traffic from 3 ...

Page 314: ...ed features such as tape pipelining require the request and corresponding response traffic to traverse the same VE_Port tunnel across the metaSAN To ensure that the request and response traverse the same VE_Port tunnel you must set up Traffic Isolation zones in the edge and backbone fabrics Set up a TI zone in an edge fabric to guarantee that traffic from a specific device in that edge fabric is r...

Page 315: ...e edge fabrics must be running Fabric OS v6 1 0 or later TI within an edge fabric A TI zone within an edge fabric is used to route traffic between a real device and a proxy device through a particular EX_Port For example in Figure 39 you can set up a TI zone to ensure that traffic between Host 1 and the proxy target is routed through EX_Port 9 FIGURE 39 TI zone in an edge fabric Edge fabric 1 Edge...

Page 316: ... up a TI zone within the backbone fabric TI within a backbone fabric A TI zone within a backbone fabric is used to route traffic within the backbone fabric through a particular ISL For example in Figure 40 a TI zone is set up in the backbone fabric to ensure that traffic between EX_Ports 1 1 and 2 1 is routed through VE_Ports 1 4 and 2 7 FIGURE 40 TI zone in a backbone fabric TI zones within the b...

Page 317: ...not supported Non TI data traffic is not restricted from going through the TI path in the backbone fabric For TI over FCR failover must be enabled in the TI zones in the edge fabrics and in the backbone fabric TI over FCR is not supported with FC Fast Write For the FC8 16 FC8 32 FC8 48 FC8 64 and FX8 24 blades only If Virtual Fabrics is disabled two or more shared area EX_Ports connected to the sa...

Page 318: ...rted configurations for Traffic Isolation Zoning Note the following configuration rules for TI zones Ports in a TI zone must belong to switches that run Fabric OS v6 0 0 or later For TI over FCR zones all switches and FC routers in both edge and backbone fabrics must be running Fabric OS v6 1 0 or later For the FC8 64 blade in the Brocade DCX and DCX 8510 8 ports 48 63 can be in a TI zone only if ...

Page 319: ... TI zone you must include all ports of the trunk in the TI zone Trunked ISL ports cannot be members of more than one TI zone Limitations and restrictions of Traffic Isolation Zoning For switches running Fabric OS 6 1 0 or later a maximum of 255 TI zones can be created in one fabric For switches running Fabric OS 6 0 x no more than 239 TI zones should be created A fabric merge resulting in greater ...

Page 320: ...ven port can appear in only one TI zone Best practice Do not use ports that are shared across Admin Domains in a TI zone Virtual Fabric considerations for Traffic Isolation Zoning This section describes how TI zones work with Virtual Fabrics See Chapter 10 Managing Virtual Fabrics for information about the Virtual Fabrics feature including logical switches and logical fabrics TI zones can be creat...

Page 321: ...ing and activating a base fabric TI zone that consists of ports 10 12 14 and 16 You must also include ports 3 and 8 because they belong to logical switches participating in the logical fabric For the TI zone it is as though ports 3 and 8 belong to Domains 1 and 2 respectively FIGURE 44 Creating a TI zone in a base fabric Dedicated Path Chassis 1 Chassis 2 XISL XISL XISL XISL Domain 8 Domain 7 Base...

Page 322: ...es with the target in FID 3 over the EX_Ports in the base switches FIGURE 45 Example configuration for TI zones over FC routers in logical fabrics Figure 46 shows a logical representation of the configuration in Figure 45 This SAN is similar to that shown in Figure 38 on page 277 and you would set up the TI zones in the same way as described in Traffic Isolation Zoning over FC routers on page 276 ...

Page 323: ... 287 When you create a TI zone you can enable or disable failover mode By default failover mode is enabled If you want to change the failover mode after you create the zone see Modifying TI zones on page 288 If you are creating a TI zone with failover disabled note the following Ensure that the E_Ports of the TI zone correspond to valid paths otherwise the route might be missing for ports in that ...

Page 324: ...s 1 8 and 2 6 To create a TI zone with failover enabled and in the activated state default settings switch admin zone create t ti bluezone p 1 1 2 4 1 8 2 6 To create a TI zone with failover enabled the zone is set to the activated state by default switch admin zone create t ti o f bluezone p 1 1 2 4 1 8 2 6 To create a TI zone with failover disabled and the state set to activated switch admin zon...

Page 325: ... changes Do you want to enable USA_cfg configuration yes y no n no y zone config USA_cfg is in effect Updating flash Creating a TI zone in a base fabric 1 Connect to the switch and log in using an account with admin permissions 2 Create a dummy zone configuration in the base fabric For example zone create z1 1 1 cfgcreate base_config z1 3 Enter the zone create command to create the TI zone in the ...

Page 326: ... failover mode NOTE If you have overlapping TI zones and you want to change the failover option on these zones you must first remove the overlapping ports from the zones then change the failover type and finally re add the overlapping members 1 Connect to the switch and log in using an account with admin permissions 2 Enter one of the following commands depending on how you want to modify the TI z...

Page 327: ... zone add o f greenzone p 3 4 To remove ports from the TI zone bluezone switch admin zone remove bluezone p 3 4 3 6 Remember that your changes are not enforced until you enter the cfgEnable command Changing the state of a TI zone You can change the state of a TI zone to activated or deactivated Changing the state does not activate or deactivate the zone After you change the state of the TI zone yo...

Page 328: ...e delete name You can delete multiple zones by separating the zone names with a semicolon and enclosing them in quotation marks 3 Enter the cfgEnable command to reactivate your current effective configuration and enforce the TI zones cfgenable current_effective_configuration Example of deleting a TI zone To delete the TI zone bluezone type switch admin zone delete bluezone Remember that your chang...

Page 329: ...abled TI Zone Name greenzone Port List 2 2 3 3 4 11 5 3 Configured Status Activated Failover Enabled Enabled Status Activated Failover Enabled TI Zone Name purplezone Port List 1 2 1 3 3 3 4 5 Configured Status Activated Failover Enabled Enabled Status Deactivated Failover Enabled Troubleshooting TI zone routing problems Use the following procedure to generate a report of existing and potential pr...

Page 330: ...es a dedicated path for traffic between Host 1 in edge fabric 1 and Targets 1 and 2 in edge fabric 2 Host 1 has port WWN 10 00 00 00 00 08 00 00 Target 1 has port WWN 10 00 00 00 00 02 00 00 Target 2 has port WWN 10 00 00 00 00 03 00 00 FIGURE 47 TI over FCR example NOTE In the following procedure the three TI zones in the edge and backbone fabrics are all given the same name TI_Zone1 It is not re...

Page 331: ...Enter the following commands to create and display a TI zone E1switch admin zone create t ti TI_Zone1 p 4 8 4 5 1 1 6 1 E1switch admin zone show Defined TI zone configuration TI Zone Name TI_Zone1 Port List 4 8 4 5 1 1 6 1 Status Activated Failover Enabled c Enter the following commands to reactivate your current effective configuration and enforce the TI zones E1switch admin cfgactvshow Effective...

Page 332: ...nd enforce the TI zones E2switch admin cfgactvshow Effective configuration cfg cfg_TI zone lsan_t_i_TI_Zone1 10 00 00 00 00 00 02 00 00 10 00 00 00 00 00 03 00 00 10 00 00 00 00 00 08 00 00 E2switch admin cfgenable cfg_TI You are about to enable a new zoning configuration This action will replace the old zoning configuration with the current configuration selected If the update includes changes to...

Page 333: ... 00 00 00 00 03 00 00 10 00 00 00 00 00 08 00 00 BB_DCX_1 admin cfgenable cfg_TI You are about to enable a new zoning configuration This action will replace the old zoning configuration with the current configuration selected If the update includes changes to one or more traffic isolation zones the update may result in localized disruption to traffic on ports associated with the traffic isolation ...

Page 334: ...296 Fabric OS Administrator s Guide 53 1002446 01 Setting up TI over FCR sample procedure 12 ...

Page 335: ...n of throughput in the fabric The bottleneck detection feature alerts you to the existence and locations of devices that are causing latency If you receive alerts for one or more F_Ports use the CLI to check whether these F_Ports have a history of bottlenecks Reduce the time it takes to troubleshoot network problems If you notice one or more applications slowing down you can determine whether any ...

Page 336: ...a at 8 Gbps over a 4 Gbps ISL You can use the bottleneckMon command to configure alert thresholds for congestion and latency bottlenecks Advanced settings allow you to refine the criterion for defining latency bottleneck conditions to allow for more or less sensitive monitoring at the sub second level For example you would use the advanced settings to change the default value of 98 for loss of thr...

Page 337: ...which 6 seconds are affected by a congestion bottleneck and 3 seconds are affected by a latency bottleneck FIGURE 48 Affected seconds for bottleneck detection The time parameter specifies the time window For this example time 12 seconds The cthresh and lthresh parameters specify the thresholds on number of affected seconds that trigger alerts for congestion and latency bottlenecks respectively For...

Page 338: ...itional information on using bottleneck detection in VF mode Limitations of bottleneck detection Using this feature for latency bottleneck detection is not recommended for link utilizations above 85 The bottleneck detection feature detects latency bottlenecks only at the point of egress not ingress For example for E_Ports only the traffic egressing the port is monitored For FCoE ports bottleneck d...

Page 339: ...ny bottleneck on a dedicated ISL E_Port pertains entirely to the traffic of that logical fabric Access Gateway considerations for bottleneck detection If bottleneck detection is enabled on a logical switch with some F_Ports connected to an Access Gateway you do not get information about which device is causing a bottleneck because devices are not directly connected to this port To detect bottlenec...

Page 340: ... criterion parameters on specific ports causes an interruption in the detection of bottlenecks on those ports which means the history of bottlenecks is lost on these ports Also note the following behaviors if you change the sub second latency criterion parameters Traffic through these ports is not affected History of latency bottlenecks and congestion bottlenecks is lost on these ports Other ports...

Page 341: ...eneckmon enable Excluding a port from bottleneck detection When you exclude a port from bottleneck detection no data is collected from the port and no alerts are generated for the port All statistics history for the port is discarded Alerting parameters for the port are preserved so if you later include the port for bottleneck detection the alerting parameters are restored Per port exclusions migh...

Page 342: ...bottleneckmon status Bottleneck detection Enabled Switch wide sub second latency bottleneck criterion Time threshold 0 800 Severity threshold 50 000 Switch wide alerting parameters Alerts Yes Latency threshold for alert 0 100 Congestion threshold for alert 0 800 Averaging time for alert 300 seconds Quiet time for alert 300 seconds Per port overrides for sub second latency bottleneck criterion Slot...

Page 343: ...nd to remove any port specific alerting and sub second latency criterion parameters and revert to the switch wide parameters Example The following example disables alerts on port 1 excludes ports 2 3 and 4 from bottleneck monitoring and changes the alerting parameters on ports 2 and 3 The bottleneck status command shows the settings for these ports Note that this example changes the alerting param...

Page 344: ...old for alert 0 970 Congestion threshold for alert 0 800 Averaging time for alert 5000 seconds Quiet time for alert 300 seconds Per port overrides for alert parameters Port Alerts LatencyThresh CongestionThresh Time s QTime s 1 N 2 Y 0 990 0 900 4000 600 3 Y 0 990 0 900 4000 600 Excluded ports Port 2 3 4 Example The following example changes the sub second latency criterion parameters for port 6 s...

Page 345: ...ttleneck statistics for a single port bottleneck statistics for all ports on the switch or a list of ports affected by bottleneck conditions Continuously update the displayed data with fresh data 1 Connect to the switch and log in using an account with admin permissions 2 Enter the bottleneckmon show command Example of displaying the bottleneck history in 5 second windows over a period of 30 secon...

Page 346: ...tleneck detection on a switch all bottleneck configuration details are discarded including the list of excluded ports and non default values of alerting parameters 1 Connect to the switch and log in using an account with admin permissions 2 Enter the bottleneckmon disable command to disable bottleneck detection on the switch switch admin bottleneckmon disable ...

Page 347: ...res are supported only on 16 Gbps capable E_Ports on the Brocade 6510 switch and the Brocade DCX 8510 Backbone family The purpose of encryption is to provide security for frames while they are in flight between two switches The purpose of compression is for better bandwidth use on the ISLs especially over long distance An average compression ratio of 2 1 is provided Frames are never left in an enc...

Page 348: ...ession restrictions No more than two ports on one ASIC can be configured with encryption compression or both This restriction equates to a maximum of four ports per FC16 32 or FC16 48 blade or two ports per Brocade 6510 switch The number of ports in a trunk is limited to two ports when encryption or compression is enabled for the trunk Ports must be 16 Gbps capable although port speed can be any c...

Page 349: ...nd exchanged NOTE In flight encryption uses DH CHAP authentication SHA 1 algorithm followed by Internet Key Exchange IKE protocol HMAC SHA 512 algorithm to generate the keys These encryption keys never expire While the port remains online the keys generated for the port remain the same When a port is disabled segmented or taken offline a new set of keys is generated when the port is enabled again ...

Page 350: ...ion will occur during port initialization if these configurations do not match Before configuring a port for encryption you must configure the port for authentication using the authUtil and secAuthSecret commands Use the authUtil command to enable switch authentication enable the DH CHAP authentication protocol for ports that support encryption and select the appropriate DH Diffie Hellman group 4 ...

Page 351: ...atched encryption or compression configurations on the ports at either end of the ISL if port level authentication failed or if a required resource was not available The following topics provide step by step instructions for performing encryption and compression tasks Viewing the encryption and compression configuration on page 313 Configuring and enabling authentication on page 314 Configuring en...

Page 352: ...51 No No No No Configuring and enabling authentication To configure authentication for ports that will later be configured for encryption follow these steps 1 Log in to the switch using an account with admin permissions or an account with OM permissions for the Authentication RBAC class of commands 2 Enter the secAuthSecret set command to establish pre shared secrets at each end of the ISL It is r...

Page 353: ...henticate the port as described in Configuring and enabling authentication on page 314 It is also recommended that you check for port availability using the portEncCompShow command See Viewing the encryption and compression configuration on page 313 for details To configure encryption on a port follow these steps 1 Connect to the switch and log in using an account with secure admin permissions or ...

Page 354: ... enable 21 This example enables compression on port 15 of an FC16 32 blade in slot 9 of an enterprise class platform portcfgcompress enable 9 15 4 Enable the port with the portEnable command After enabling the port the new configuration becomes active Disabling encryption To disable encryption on a port follow these steps 1 Connect to the switch and log in using an account with secure admin permis...

Page 355: ...port with the portEnable command After enabling the port the new configuration becomes active Encryption and compression example The following example shows configuring and enabling encryption and compression In this case encryption and compression are applied to the E_Ports at either end of and ISL connecting a port on a blade in an enterprise class platform named myDCX to a port on a Brocade 651...

Page 356: ...olicy requires either DH CHAP secrets or PKI certificates depending on the protocol selected Otherwise ISLs will be segmented during next E port bring up ARE YOU SURE yes y no n no y Auth Policy is set to ON myswitch root authutil show AUTH TYPE HASH TYPE GROUP TYPE dhchap md5 4 Switch Authentication Policy ON Device Authentication Policy OFF myswitch root Next you set a secret key For this you ne...

Page 357: ...rrently enabled This example uses the portCfgShow command to check the result Notice that the output shows encryption to be enabled on the port myswitch root portcfgencrypt enable 0 Please disable port to configure Encryption Compression myswitch root portdisable 0 myswitch root portcfgencrypt enable 0 Turning ON Encryption on port 246 will cause the port to be disabled during next LOGIN myswitch ...

Page 358: ...FF Trunk Port ON Long Distance OFF VC Link Init OFF Locked L_Port OFF Locked G_Port OFF Disabled E_Port OFF Locked E_Port OFF ISL R_RDY Mode OFF RSCN Suppressed OFF Persistent Disable OFF LOS TOV enable OFF NPIV capability ON QOS E_Port AE Port Auto Disable OFF Rate Limit OFF EX Port OFF Mirror Port OFF Credit Recovery ON F_Port Buffers OFF Fault Delay 0 R_A_TOV NPIV PP Limit 126 CSCTL mode OFF Fr...

Page 359: ...0G Speed Level AUTO SW AL_PA Offset 13 OFF Trunk Port ON Long Distance OFF VC Link Init OFF Locked L_Port OFF Locked G_Port OFF Disabled E_Port OFF Locked E_Port OFF ISL R_RDY Mode OFF RSCN Suppressed OFF Persistent Disable OFF LOS TOV enable OFF NPIV capability ON QOS E_Port AE Port Auto Disable OFF Rate Limit OFF EX Port OFF Mirror Port OFF Credit Recovery ON F_Port Buffers OFF Fault Delay 0 R_A...

Page 360: ...322 Fabric OS Administrator s Guide 53 1002446 01 Encryption and compression example 14 ...

Page 361: ...r words multiple virtual devices emulated by NPIV appear no different than regular devices connected to a non NPIV port The same zoning rules apply to NPIV devices as non NPIV devices Zones can be defined by domain port notation by WWN zoning or both However to perform zoning to the granularity of the virtual N_Port IDs you must use WWN based zoning If you are using domain port zoning for an NPIV ...

Page 362: ...permitted in Fabric OS v6 4 0 and later Fixed addressing mode Fixed addressing mode is the default addressing mode used in all platforms that do not have Virtual Fabrics enabled When Virtual Fabrics is enabled on the Brocade DCX and DCX 4S fixed addressing mode is used only on the default logical switch The number of NPIV devices supported on shared area ports 48 port blades is reduced to 64 from ...

Page 363: ...his command during a scheduled maintenance 1 Connect to the switch and log in using an account assigned to the admin role 2 Enter the portDisable command 3 Enter the portCfgNPIVPort setloginlimit command with the port number and the number of logins per port 4 Press Enter 5 Enter the portEnable command to enable the port Example of setting the login limit switch adnin portcfgnpivport setloginlimit...

Page 364: ... 8510 Backbone families and the FA4 18 blade NPIV is enabled for every port NOTE NPIV is a requirement for FCoE The CEE FCoE ports on the Brocade 8000 have NPIV enabled by default but NPIV cannot be enabled or disabled on these ports The login limit can be set on these ports provided you disable and enable the ports using the fcoe disable and fcoe enable commands 1 Connect to the switch and log in...

Page 365: ...enter the switchShow command then the port WWN of the N_Port is returned For an NPIV F_Port there are multiple N_Ports each with a different port WWN The switchShow command output indicates whether or not a port is an NPIV F_Port and identifies the number of virtual N_Ports behind it The following example is sample output from the switchShow command switch admin switchshow switchName switch switch...

Page 366: ...wn 0 Loss_of_sync 422 Fbsy 0 Lli 294803 Loss_of_sig 808 Proc_rqrd 0 Protocol_err 0 Timed_out 0 Invalid_word 0 Rx_flushed 0 Invalid_crc 0 Tx_unavail 0 Delim_err 0 Free_buffer 0 Address_err 1458 Overrun 0 Lr_in 15 Suspended 0 Lr_out 17 Parity_err 0 Ols_in 16 2_parity_err 0 Ols_out 15 CMI_bus_err 0 Viewing virtual PID login information Use the portLoginShow command to display the login information fo...

Page 367: ...s and LUN masks you must find out the physical port world wide name PWWN of the server This means that administrative teams cannot start their configuration tasks until the physical server arrives and its physical PWWN is known Because the configuration tasks are sequential and interdependent across various administrative teams it may take several days before the server gets deployed in an FC SAN ...

Page 368: ... PWWN over the user assigned FA PWWN you must delete the user assigned FA PWWN from the port to which it has been assigned Checking for duplicate FA PWWNs The switch ensures that automatically assigned FA PWWNs are unique in a fabric However it is the responsibility of the administrators to ensure that user assigned FA PWWNs are also unique throughout the fabric ATTENTION The administrators should...

Page 369: ...s directly connected 2 Assign the FA PWWN If you are manually assigning a WWN enter the following command fapwwn assign ag AG_WWN port AG_port v Virtual_PWWN If you want the WWN to be automatically assigned enter the following command fapwwn assign ag AG_WWN port AG_port 3 Enter the following command fapwwn show ag all You should see output similar to the following sample In this example long line...

Page 370: ...A to a different port If you move an HBA to a different port on a switch running Fabric OS v7 0 0 or later the HBA will disable its port If the HBA moves to a different port on a switch running a version of Fabric OS earlier than 7 0 0 the HBA will continue to disable its port Configuring an FA PWWN for an HBA connected to an edge switch For this procedure some of the steps are to be executed on t...

Page 371: ...before moving the HBA to a different port If you move an HBA to a different port on a switch running Fabric OS v7 0 0 or later the HBA will disable its port If the HBA moves to a different port on a switch running a version of Fabric OS earlier than 7 0 0 the HBA will continue to disable its port Supported switches and configurations for FA PWWN The FA PWWN feature is supported on the following pl...

Page 372: ...S 7 0 0 If any of these zone configuration security configuration and target ACLs have FA PWWNs configured the SAN network may not function properly or at all Security considerations for FA PWWN The FA PWWN feature can be enabled only by authorized administrators Thus existing user level authentication and authorization mechanisms should be used to ensure only authorized users can configure this f...

Page 373: ...on directly attached Brocade HBAs Adapters NOTE FA PWWN is supported with F_Port trunking on the supported Access Gateway platforms Access Gateway N_Port failover with FA PWWN If an FA PWWN F_Port on an Access Gateway fails over to an N_Port that is connected to a different switch the FA PWWN of that Access Gateway F_Port must also be configured on that switch If not the FA PWWN assigned to the Ac...

Page 374: ...336 Fabric OS Administrator s Guide 53 1002446 01 Access Gateway N_Port failover with FA PWWN 16 ...

Page 375: ... you can put all the devices in a particular department in the same Admin Domain for ease of managing those devices If you have remote sites you could put the resources in the remote site in an Admin Domain and assign the remote site administrator to manage those resources Admin Domains and Virtual Fabrics are mutually exclusive and are not supported at the same time on a switch Do not confuse Adm...

Page 376: ...h in the fabric and has a range from 1 through 239 Figure 51 shows a fabric with two Admin Domains AD1 and AD2 FIGURE 51 Fabric with two Admin Domains Figure 52 shows how users get a filtered view of this fabric depending on which Admin Domain they are in As shown in Figure 52 users can see all switches and E_Ports in the fabric regardless of their Admin Domain however the switch ports and end dev...

Page 377: ...0 can be in AD0 only The default zone mode setting must be set to No Access before you create Admin Domains refer to Setting the default zoning mode for Admin Domains on page 346 for instructions Virtual Fabrics must be disabled before you create Admin Domains refer to Disabling Virtual Fabrics mode on page 226 for instructions Gigabit Ethernet GbE ports cannot be members of an Admin Domain Traffi...

Page 378: ... switch ports and switches used to create these user defined Admin Domains disappear from the AD0 implicit membership list The explicit membership list contains all devices switch ports and switches that you explicitly add to AD0 and can be used to force device and switch sharing between AD0 and other Admin Domains AD0 is managed like any user defined Admin Domain The only difference between AD0 a...

Page 379: ...t automatically becomes an implicit member of AD0 until it is explicitly added to an Admin Domain AD0 is useful when you create Admin Domains because you can see which devices switch ports and switches are not yet assigned to any Admin Domains AD0 owns the root zone database legacy zone database AD255 AD255 is a system defined Admin Domain that is used for Admin Domain management AD255 always cont...

Page 380: ...can later switch to a different Admin Domain refer to Switching to a different Admin Domain context on page 360 for instructions For default accounts such as admin and user the home Admin Domain defaults to AD0 and cannot be changed The Admin Domain list for the default admin account is 0 through 255 which gives this account automatic access to any Admin Domain as soon as the domain is created and...

Page 381: ...N member does not automatically grant usage of corresponding domain index members in the zone configuration If you specify a device WWN member in the Admin Domain member list zone enforcement ignores zones with the corresponding port the port to which the device is connected member usage Switch port members Switch port members are defined by switch domain index and have the following properties A ...

Page 382: ...e Admin Domain If you change the domain ID of the switch the Admin Domain ownership of the switch is not changed Admin Domains and switch WWNs Admin Domains are treated as fabrics Because switches cannot belong to more than one fabric switch WWNs are converted so that they appear as unique entities in different Admin Domains fabrics This WWN conversion is done only in the AD1 through AD254 context...

Page 383: ...AA 5 syntax the device WWNs and domain IDs remain the same FIGURE 55 Filtered fabric views showing converted switch WWNs Fabric Visible to AD3 User Fabric Visible to AD4 User WWN 10 00 00 00 c8 3a fe a2 WWN 10 00 00 00 c2 37 2b a3 Domain ID 2 WWN 50 00 52 e0 63 46 e9 04 WWN 10 00 00 00 c2 37 2b a3 Domain ID 2 WWN 50 00 52 e0 63 46 e9 03 Domain ID 1 WWN 50 00 51 f0 52 36 f9 03 WWN 10 00 00 00 c7 2b...

Page 384: ...n that is saved in flash memory There might be differences between the effective configuration and the defined configuration Transaction buffer The Admin Domain configuration that is in the current transaction buffer and has not yet been saved or canceled How you end the transaction determines the disposition of the Admin Domain configuration in the transaction buffer The following commands end th...

Page 385: ...rmat ADn the AD number is assigned to be n and not the lowest available AD number When you create an Admin Domain you must specify at least one member switch switch port or device You cannot create an empty Admin Domain For more information about these member types refer to Admin Domain member types on page 343 A newly created Admin Domain has no zoning defined and the default access mode is No Ac...

Page 386: ...evice designated by device WWN and two switches designated by domain ID and switch WWN switch AD255 admin ad create blue_ad d 100 5 1 3 21 00 00 e0 8b 05 4d 05 s 97 10 00 00 60 69 80 59 13 User assignments to Admin Domains After you create an Admin Domain you can specify one or more user accounts as the valid accounts that can use that Admin Domain User accounts have the following characteristics ...

Page 387: ...rconfig add ad2admin r admin h 2 a 1 2 Assigning Admin Domains to an existing user account 1 Connect to the switch and log in using an account with admin permissions 2 Enter the userConfig addad command using the a option to provide access to Admin Domains and the h option to specify the home Admin Domain userconfig addad username h home_AD a AD_list Example The following example assigns Admin Dom...

Page 388: ... account adm1 has been successfully deleted Activating an Admin Domain An Admin Domain can be in either an active or inactive state When you create an Admin Domain it is automatically in the active state 1 Connect to the switch and log in using an account with admin permissions 2 Switch to the AD255 context if you are not already in that context ad select 255 3 Enter the ad activate command ad act...

Page 389: ... To save the Admin Domain definition enter ad save To save the Admin Domain definition and directly apply the definition to the fabric enter ad apply All active user sessions associated with the Admin Domain are terminated The ad deactivate command does not disable ports Example of deactivating Admin Domain AD_B4 switch AD255 admin ad deactivate AD_B4 You are about to deactivate an AD This operati...

Page 390: ... to specify switch members ad remove ad_id d dev_list s switch_list Removing the last member element of an Admin Domain deletes the Admin Domain 4 Enter the appropriate command based on whether you want to save or activate the Admin Domain definition To save the Admin Domain definition enter ad save To save the Admin Domain definition and directly apply the definition to the fabric enter ad apply ...

Page 391: ...switch and log in using an account with admin permissions 2 Switch to the Admin Domain that you want to delete ad select ad_id 3 Enter the appropriate command to clear the zone database under the Admin Domain you want to delete To remove the effective configuration enter cfgdisable To remove the defined configuration enter cfgclear To save the changes to nonvolatile memory enter cfgsave 4 Switch t...

Page 392: ... context ad select 255 4 Enter the ad clear command This option prompts you for confirmation before triggering the deletion of all Admin Domains 5 Enter the ad apply command to save the Admin Domain definition and directly apply the definitions to the fabric Example switch AD255 admin ad clear You are about to delete all ADs definitions This operations will fail if zone configurations exists in AD...

Page 393: ...ad add AD0 d dev_list 8 Enter the ad apply command to save the Admin Domain definition and directly apply the definitions to the fabric ad apply At this point all of the devices in the user defined ADs are also defined and zoned in AD0 9 Clear the user defined ADs ad clear f 10 Enter the ad apply command to save the Admin Domain definition and directly apply the definitions to the fabric ad apply ...

Page 394: ...ains are deleted as shown in Figure 57 FIGURE 57 AD0 with three zones sw0 admin ad exec 255 cfgshow Zone CFG Info for AD_ID 0 AD Name AD0 State Active Defined configuration cfg AD0_cfg AD0_RedZone zone AD0_RedZone 10 00 00 00 01 00 00 00 10 00 00 00 02 00 00 00 Effective configuration cfg AD0_cfg zone AD0_RedZone 10 00 00 00 01 00 00 00 10 00 00 00 02 00 00 00 Zone CFG Info for AD_ID 1 AD Name AD1...

Page 395: ...cludes changes to one or more traffic isolation zones the update may result in localized disruption to traffic on ports associated with the traffic isolation zone changes Do you want to enable AD0_cfg configuration yes y no n no y zone config AD0_cfg is in effect Updating flash sw0 admin ad select 255 sw0 AD255 admin ad add AD0 d 10 00 00 00 03 00 00 00 10 00 00 00 04 00 00 00 10 00 00 00 05 00 00...

Page 396: ...ed in the persistent memory defined configuration 2 to display the currently enforced Admin Domain configuration effective configuration Example of validating the member list of Admin Domain 10 in the current transaction buffer switch AD255 admin ad validate 10 m 0 Current AD Number 255 AD Name AD255 Transaction buffer configuration AD Number 2 AD Name ad2 State Active Switch port members 1 1 1 3 ...

Page 397: ...AD context Executing a command in a different AD context You can execute a command in an Admin Domain that is different from your current AD context The Admin Domain must be one that you can access This option creates a new shell with the current User_ID switches to the specified Admin Domain performs the specified command and exits the shell 1 Connect to the switch and log in 2 Enter the ad exec ...

Page 398: ...nt transaction buffer 1 to display the Admin Domain configuration stored in the persistent memory defined configuration 2 to display the currently enforced Admin Domain configuration effective configuration Example of displaying membership information about AD1 switch AD1 admin ad show Current AD Number 1 AD Name TheSwitches Effective configuration AD Number 1 AD Name TheSwitches State Active Swit...

Page 399: ...Admin Domain interaction ACLs If no user defined Admin Domains exist you can run ACL configuration commands in only AD0 and AD255 If any user defined Admin Domains exist you can run ACL configuration commands only in AD255 You cannot use ACL configuration commands or validate ACL policy configurations against AD membership under each Admin Domain Advanced Performance Monitoring APM All APM related...

Page 400: ...nagement interfaces that access the fabric without a user s credentials continue to get the physical fabric view Examples include SNMPv1 Web Tools HTTP access unzoned management server query FAL in band CT requests from FAL Proxy to FAL Target and FC CT based management applications Access from applications or hosts using management server calls can be controlled using the management server ACL su...

Page 401: ... zone it must be defined by domain index in the Admin Domain If both zoning schemes are used then objects must be defined in the Admin Domain by both WWN and domain index Using the zone validate command you can see all zone members that are not part of the current zone enforcement table but are part of the zoning database A member might not be part of the zone enforcement table for the following r...

Page 402: ...o saved Table 64 lists the sections in the configuration file and the Admin Domain contexts in which you can upload and download these sections Refer to Chapter 8 Maintaining the Switch Configuration File for additional information about uploading and downloading configurations NOTE You cannot use configDownload to restore a single Admin Domain To restore a single Admin Domain you must first delet...

Page 403: ...Fabric OS features and includes the following chapters Chapter 18 Administering Licensing Chapter 19 Inter chassis Links Chapter 20 Monitoring Fabric Performance Chapter 21 Optimizing Fabric Behavior Chapter 22 Managing Trunking Connections Chapter 23 Managing Long Distance Fabrics Chapter 24 Using FC FC Routing to Connect Fabrics ...

Page 404: ...366 Fabric OS Administrator s Guide 53 1002446 01 ...

Page 405: ...ture version If a feature has a version based license that license is valid only for a particular version of the feature If you want a newer version of the feature you must purchase a new license If a license is not version based then it is valid for all versions of the feature Likewise if you downgrade Fabric OS to an earlier version some licenses associated with specific features of the version ...

Page 406: ...Prioritization and Ingress Rate Limiting features These features ensure high priority connections by obtaining the bandwidth necessary for optimum performance even in congested environments Available on all 8 Gbps and all 16 Gbps platforms Advanced Extension Enables two advanced extension features FCIP Trunking and Adaptive Rate Limiting FCIP Trunking feature allows all of the following Multiple u...

Page 407: ...ited Contact your vendor for details Encryption Performance Upgrade Provides additional encryption bandwidth on encryption platforms For the Brocade Encryption Switch two Encryption Performance Upgrade licenses can be installed to enable the full available bandwidth On a Brocade enterprise platform a single Performance License can be installed to enable full bandwidth on all FS8 18 blades installe...

Page 408: ... link ICL connections Available on the Brocade DCX only Inter Chassis Link 1st POD Activates half of the ICL bandwidth on a DCX 8510 8 or all the ICL bandwidth on a DCX 8510 4 allowing you to enable only the bandwidth needed and upgrade to additional bandwidth at a later time This license is also useful for environments that wish to create ICL connections between a DCX 8510 8 and a DCX 8510 4 the ...

Page 409: ...Extended Fabrics Local switch and any attached switches Fabric Watch No license required for baseline monitoring capabilities Fabric Watch license required for full functionality See the Fabric Watch Administrator s Guide FCIP High Performance Extension over FCIP FC NOTE Local and attached switches License is needed on both sides of tunnel FCIP Trunking Advanced Extension Local and attached switch...

Page 410: ...e Brocade DCX 8510 Backbone family only for topologies with more than four chassis with ICLs Local and attached platforms IPSec No license required N A IPsec for FCIP tunnels High Performance Extension over FCIP FC NOTE Local and attached switches License is needed on both sides of tunnel LDAP No license required N A Logical fabric No license required N A Logical switch No license required N A Lon...

Page 411: ...l included N A Security No license required NOTE DCC SCC FCS IP Filter and authentication policies all included N A SNMP No license required N A Speed 8 Gbps license needed to support 8 Gbps on the Brocade 300 5100 5300 and VA 40FC switches and embedded switches only NOTE The 8 Gbps license is installed by default and you should not remove it 10 Gigabit FCIP Fibre Channel license is needed to supp...

Page 412: ...10 4 can be used only with an ICL 1st POD licence ICL ports on core blades of a DCX can be used only with an ICL 16 link or ICL 8 link license ICL ports on core blades of a DCX 4S can be used only with an ICL 8 link licence After the addition or removal of a license the license enforcement is performed on the ICL ports only when the portDisable and portEnable commands are issued on the ports An IC...

Page 413: ...h ICL port on the Brocade DCX platform by enabling only half of the ICL links available This allows you to purchase half the bandwidth of the Brocade DCX ICL ports initially and upgrade with an additional ICL license to use the full ICL bandwidth later This license is also useful for environments with ICL connections between a Brocade DCX and a DCX 4S as the latter cannot support more than eight l...

Page 414: ...Gbps Slot based licensing Slot based licensing is used on the Brocade DCX and DCX 8510 Backbone families to support the FX8 24 blade and on the Brocade DCX 8510 Backbone family to support the 16 Gbps FC port blades FC16 24 and FC16 48 License capacity is equal to the number of slots These licenses allow you to select the slots that the license will enable up to the capacity purchased and to increa...

Page 415: ... is allowed but the slot based features that were licensed will not be functional On upgrade to Fabric OS v7 0 0 or later any slot based license that displayed the 10 GbE operation name in the earlier release displays instead as 10 Gigabit FCIP Fibre Channel FTR_10G license Assigning a license to a slot 1 Connect to the switch and log in using an account with admin permissions or an account with O...

Page 416: ...ivate the 10GE ports on the FX8 24 blade and enable 10 Gbps operation on the 10G FC ports on the FC16 48 blade After applying a 10G license to the Brocade 6510 chassis or to a 16 Gbps FC blade you must also configure the port octet portCfgOctetSpeedCombo command with the correct port octet speed group and configure each port to operate at 10 Gbps portCfgSpeed command It is necessary to configure t...

Page 417: ...CX 8510 8 Backbone and enables 10 Gbps operation on port 2 of the port blade in that slot In this example the 10G license was first automatically assigned to slot 1 8510 8switch admin licenseadd aTFPNFXGLmABANMGtT4LfSBJSDLWTYD3EFrr4WGAEMBA 8510 8switch admin licenseshow aTFPNFXGLmABANMGtT4LfSBJSDLWTYD3EFrr4WGAEMBA 10 Gigabit FCIP Fibre Channel FTR_10G license Capacity 1 Consumed 1 Configured Blade...

Page 418: ... 7 on a DCX 8510 4 Backbone and enables both 10 GbE ports on the FX8 24 blade in that slot In this example the license was first automatically assigned to slot 1 8510 4switch admin licenseadd aTFPNFXGLmABANMGtT4LfSBJSDLWTYD3EFrr4WGAEMBA 8510 4switch admin licenseshow aTFPNFXGLmABANMGtT4LfSBJSDLWTYD3EFrr4WGAEMBA 10 Gigabit FCIP Fibre Channel FTR_10G license Capacity 1 Consumed 1 Configured Blade Sl...

Page 419: ...nded Fabrics license High Performance Extension over FCIP FC license Integrated Routing license Server Application Optimization license ISL Trunking license Restrictions on upgrading temporary slot based licenses If the capacity of the permanent license is equal to or greater than the capacity of the temporary license and you use the same slot assignments then replacing the temporary license with ...

Page 420: ...have expired or are going to expire in the next five days An expired license may become unusable after a reboot failover firmware download or a port or switch disable or enable operation Removing an expired license CAUTION The following procedure is disruptive to the switch 1 Connect to the switch and log in using an account with admin permissions 2 Enter the reboot command for the expiry to take ...

Page 421: ... error copy and paste the transaction key The quotation marks are optional 1 Take the appropriate following action based on whether you have a license key If you have a license key go to Adding a licensed feature If you do not have a license key and are using a transaction key launch an Internet browser and go to the Brocade website at http www brocade com 2 Select Products Software License Keys T...

Page 422: ...g the licenseAdd command 3 Verify the license was added by entering the licenseShow command The licensed features currently installed on the switch are listed If the feature is not listed enter the licenseAdd command again Some features may require additional configuration or you may need to disable and re enable the switch to make them operational see the feature documentation for details switch ...

Page 423: ...icensed ports up to a particular maximum by purchasing and installing the optional Ports on Demand licensed product Brocade 300 Can be purchased with 8 ports and no E_Port 8 ports with full fabric access or 16 ports with full fabric access A maximum of 16 ports is allowed 8 port systems can be upgraded in 4 port increments An E_Port license upgrade is also available for purchase Brocade 5100 Can b...

Page 424: ...orts 16 through 23 If you later install a second license key insert the transceivers in ports 24 through 31 For details on inserting transceivers see the switch s hardware reference manual Displaying installed licenses If a single license is installed that enables all Ports on Demand the license will display as Full Ports on Demand license additional X port upgrade license If there are other indiv...

Page 425: ... the Licensed field indicates whether the port is licensed 3 Install the Brocade Ports on Demand license For instructions on how to install a license see Adding a licensed feature on page 383 4 Use the portEnable command to enable the ports Alternatively you can disable and re enable the switch to activate ports 5 Use the portShow command to check the newly activated ports Dynamic Ports on Demand ...

Page 426: ... to installed licenses 12 ports are assigned to the base switch license 12 ports are assigned to the full POD license Ports assigned to the base switch license 1 2 3 4 5 6 7 8 17 18 19 20 Ports assigned to the full POD license 0 9 10 11 12 13 14 15 16 21 22 23 Enabling Dynamic Ports on Demand If the switch is in the static POD mode then activating the Dynamic POD will erase any prior port license ...

Page 427: ... show command to verify the switch changed to static POD switch admin licenseport show 24 ports are available in this switch Full POD license is installed Dynamic POD method is in use 24 port assignments are provisioned for use in this switch 12 port assignments are provisioned by the base switch license 12 port assignments are provisioned by a full POD license 24 ports are assigned to installed l...

Page 428: ...e its POD license Follow the instructions in Releasing a port from a POD set to release a port from its POD assignment Once the port is released you can reserve it Releasing a port from a POD set Releasing a port removes it from the POD set the port appears as unassigned until it comes back online Persistently disabling the port ensures that the port cannot come back online and be automatically as...

Page 429: ...led licenses 10 ports are assigned to the base switch license 0 ports are assigned to the full POD license Ports assigned to the base switch license 1 2 3 4 5 6 8 21 22 23 Ports assigned to the full POD license None Ports not assigned to a license 0 7 9 10 11 12 13 14 15 16 17 18 19 20 6 Enter the switchEnable command to bring the switch back online 7 Enter the switchShow command to verify the swi...

Page 430: ...392 Fabric OS Administrator s Guide 53 1002446 01 Ports on Demand 18 ...

Page 431: ...ed only with an ICL license For more information on how license enforcement occurs refer to Chapter 18 Administering Licensing After the addition or removal of a license the license enforcement is performed on the ICL ports only when you issue the portDisable and portEnable commands on the switch for the ports or the bladeDisable and bladeEnable commands for the core blade All ICL ports must be di...

Page 432: ...ailability ICLs must be installed in groups of two Each pair of ICLs must be in the same port group The recommended minimum number of ICLs between two Brocade DCX 8510 chassis is four Additional ICLs should be added in increments of two For High Availability you should have at least two ICLs from each core blade Figure 58 shows two Brocade DCX 8510 8 chassis connected with full redundancy using fo...

Page 433: ...es form four ICL trunks with two ports in each trunk If you added two more QSFP cables connecting the same two trunk groups you would still have four ICL trunks but they would now have four ports in each trunk Refer to the hardware reference manuals for information about port numbering and connecting the ICL cables ICLs for the Brocade DCX Backbone family The Brocade DCX has two ICL connectors at ...

Page 434: ...ISL trunks On the Brocade DCX 4S each ICL is managed as one 8 port ISL trunk Follow the guidelines in the hardware reference manuals for connecting the ICL cables Virtual Fabrics considerations for ICLs In Virtual Fabrics the ICL ports can be split across the logical switch base switch and default switch The triangular topology requirement must be met for each fabric individually The following res...

Page 435: ...ckbone family DCX or DCX 4S Brocade DCX 8510 Backbone family DCX 8510 8 or DCX 8510 4 FIGURE 60 ICL triangular topology with Brocade DCX 8510 8 chassis During an ICL break in the triangular topology the chassis that has the connections of the other two is the main chassis Any error messages relating to a break in the topology appear in the RASlog of the main chassis For the Brocade DCX Backbone fa...

Page 436: ...logy For example Figure 61 shows six chassis connected in a core edge topology four edges and two cores Although Figure 61 shows only the Brocade DCX 8510 8 each chassis can be either a Brocade DCX 8510 4 or a DCX 8510 8 Each line in Figure 61 represents four QSFP cables The cabling scheme should follow the parallel example shown in Figure 58 FIGURE 61 64 Gbps ICL core edge topology ...

Page 437: ...ols Administrator s Guide and Brocade Network Advisor User Manual for information about monitoring performance using a graphical interface Advanced Performance Monitor commands are available only to users with admin permissions Use the perfhelp command to display a list of commands associated with Advanced Performance Monitoring NOTE The command examples in this chapter use the slot port syntax re...

Page 438: ... the ports that are present in the respective logical switch Top Talker and EE monitors are supported on the default logical switch the base switch and user defined logical switches Frame monitors are not supported on logical ISLs LISLs in user defined logical switches If a port is moved from one logical switch to another the behavior of monitors installed on that port is as follows Frame monitor ...

Page 439: ...T words in frames received at the port For frames received at the port with the EE monitor installed the RX_COUNT is updated if the frame SID is the same as the SID in the monitor and the frame DID is the same as the DID in the monitor TX_COUNT words in frames transmitted from the port For frames transmitted from the port with the EE monitor installed TX_COUNT is updated if the frame DID is the sa...

Page 440: ...addeemonitor slotnumber portnumber sourceID destID When you add an EE monitor to a port specify the sourceID and destID in the ingress direction For example Figure 62 shows two devices Host A is connected to domain 1 0x01 switch area ID 18 0x12 AL_PA 0x00 Dev B is a storage device connected to domain 2 0x02 switch area ID 30 0x1e AL_PA 0x00 FIGURE 62 Setting end to end monitors on a port End to en...

Page 441: ...ne or two of the three fields Domain ID Area ID and AL_PA to trigger the monitor You specify the masks in the form dd aa pp where dd is the domain ID mask aa is the area ID mask and pp is the AL_PA mask The values for dd aa and pp are either ff the field must match or 00 the field is ignored The default EE mask value is ff ff ff NOTE Only one mask per port can be set When you set a mask all existi...

Page 442: ...bers are listed in the KEY column and deletes monitor number 2 on port 0 switch admin perfmonitorshow class EE 0 There are 4 end to end monitor s defined on port 0 KEY SID DID OWNER_APP TX_COUNT RX_COUNT OWNER_IP_ADDR 0 0x000024 0x000016 WEB_TOOLS 0x0000000000000000 0x0000000000000000 10 106 7 179 1 0x000022 0x000033 WEB_TOOLS 0x0000000000000000 0x0000000000000000 10 106 7 179 2 0x000123 0x000789 ...

Page 443: ...0000004d0baa754 0x0000000067229e65 N A 2 0x21300 0x21de0 TELNET 0x00000004d0bab3a5 0x0000000067229e87 N A 3 0x21300 0x21de1 TELNET 0x00000004d0bac1e4 0x0000000067229e87 N A 4 0x21300 0x21de2 TELNET 0x00000004d0bad086 0x0000000067229e87 N A 5 0x11000 0x21fd6 WEB_TOOLS 0x00000004d0bade54 0x0000000067229e87 192 168 169 40 6 0x11000 0x21fe0 WEB_TOOLS 0x00000004d0baed41 0x0000000067229e98 192 168 169 4...

Page 444: ... Table 70 shows the maximum number of frame monitors in any combination of standard and user defined frame types and the maximum number of offsets per port The actual number of frame monitors that can be configured on a port depends on the complexity of the frame types For trunked ports the frame monitor is configured on the trunk master Virtual Fabrics considerations Frame monitors are not suppor...

Page 445: ...ed frame Complete details of the fmMonitor command parameters are provided in the Fabric OS Command Reference The highth and action options set values and actions for Fabric Watch but do not apply monitoring To apply the custom values use the thconfig apply command See the Fabric Watch Administrator s Guide for more information about using this command Example of creating a user defined frame type...

Page 446: ...ommand to remove a specific monitor from one or more ports The set of ports to be unmonitored is automatically saved to the persistent configuration unless you specify the nosave option on this command Example The following example removes the user defined frame monitor MyFrameMonitor from all ports switch admin fmmonitor delmonitor MyFrameMonitor Saving frame monitor configuration When you assign...

Page 447: ...is example displays configuration details for the pre defined SCSI frame monitor Note that in the last entry the in the Count column indicates that the monitor is configured but is not installed on the port switch admin fmmonitor show SCSI Port Frame Type Count HIGH Thres Actions TIMEBASE CFG 000001 scsi 0x0000000000000123 1000 Email None saved 000002 scsi 0x0000000000000125 1000 Email None saved ...

Page 448: ...e most bandwidth and can then configure them with certain Quality of Service QoS attributes so they get proper priority See Chapter 21 Optimizing Fabric Behavior for information on QoS The Top Talker monitor is based on SID DID and not WWNs Once Top Talker is installed on a switch or port it remains installed across power cycles Top Talkers supports two modes port mode and fabric mode Port mode To...

Page 449: ... are not supported on the embedded platforms Brocade 5410 5424 5450 5460 5470 and 5480 Top Talker monitors and FC FC routing You can enable Top Talker monitors on a platform that is configured to be an FC router Top Talker monitors and FC routers are concurrently supported on the following platforms Brocade 6505 Brocade 6510 Brocade DCX 8510 Backbone family with the following blades only FC16 32 F...

Page 450: ...r monitors cannot detect transient surges in traffic through a given flow You cannot install a Top Talker monitor on a mirrored port Top Talker can monitor only 10 000 flows at a time Top Talker is not supported on VE_Ports EX_Ports and VEX_Ports The maximum number of all port mode Top Talker monitors on an ASIC is 16 If Virtual Fabrics is enabled the maximum number of all port mode Top Talker mon...

Page 451: ...d fabricmode command perfttmon add fabricmode The system responds Before enabling fabric mode please remove all EE monitors in the fabric continue yes y no n 4 Type y at the prompt to continue Top Talker monitors are added to E_Ports in the fabric and fabric mode is enabled Any Top Talker monitors that were already installed on F_Ports are automatically uninstalled If EE monitors are present on th...

Page 452: ...s 2 Enter the perfTTmon show dom command perfttmon show dom domainid n wwn pid Fabric mode must be enabled for this option The output is sorted based on the data rate of each flow If you do not specify the number of flows to display then the command displays the top 8 flows or the total number of flows whichever is less The command can display a maximum of 32 flows For example to display the top 5...

Page 453: ...n the Brocade 6505 6510 and DCX 8510 family If an EE monitor is installed on a trunk group and you disable the trunk the EE monitor will be installed only on the last master port of that trunk group which might not be the actual port on which the EE monitor was installed when the trunk was enabled For F_Port trunks end to end masks are allowed only on the F_Port trunk master Unlike the monitors if...

Page 454: ... Do you want to continue yes y no n no y Please wait Performance monitoring configuration saved in FLASH To restore a saved monitor configuration use the perfCfgRestore command For example to restore the original performance monitor configuration after making several changes switch admin perfcfgrestore This will overwrite current Performance Monitoring settings in RAM Do you want to continue yes y...

Page 455: ...ecessary bandwidth for high priority mission critical applications and connections The Adaptive Networking suite includes the following features Bottleneck detection The bottleneck detection feature identifies devices attached to the fabric that are slowing down traffic Bottleneck detection does not require a license See Chapter 13 Bottleneck Detection for information about this feature Top Talker...

Page 456: ...eck detection feature detects ISL congestion you can use ingress rate limiting to slow down low priority application traffic if it is contributing to the congestion Ingress Rate Limiting Ingress rate limiting is a licensed feature that requires the Adaptive Networking license Ingress rate limiting restricts the speed of traffic from a particular device to the switch port Use ingress rate limiting ...

Page 457: ...t 3 9 QoS SID DID traffic prioritization SID DID traffic prioritization allows you to categorize the traffic flow between a host and target as having a high medium or low priority Fabric OS supports two types of prioritization Class Specific Control CS_CTL based frame prioritization Each frame between a host and a target is assigned a specific priority depending on the value of the CS_CTL field in...

Page 458: ...ority frames are allocated to different virtual channels VCs High priority frames receive more VCs than medium priority frames which receive more VCs than low priority frames The virtual channels are allocated according to the CS_CTL value as shown in Table 73 TABLE 72 Comparison between CS_CTL based and QoS zone based prioritization CS_CTL based frame prioritization QoS zone based traffic priorit...

Page 459: ...able it on both the source port and the destination port so that the frames returned from the destination port for a given exchange always have the same CS_CTL prioritization as the frames originating from the source port 1 Connect to the switch and log in to an account that has admin permissions 2 Enter the portcfgqos command portcfgqos enable slot port csctl_mode 3 Enter y at the prompt to overr...

Page 460: ...t QoS When you install the Adaptive Networking license QoS is automatically enabled on all ports for which you have not manually disabled QoS as the ports in the trunk group are set to QoS enabled by default Adding the license does not immediately affect the trunk groups however The trunks continue to operate without QoS until the next time one of the ISLs is toggled at which point the toggled ISL...

Page 461: ...tput the value of QOS_E_Port is AE for port 19 and for port 24 This means that QoS is enabled by default on port 19 and disabled on port 24 You need to disable QoS on port 19 switch admin islshow 1 2 300 10 00 00 05 1e 43 00 00 100 DCX sp 8 000G bw 32 000G TRUNK QOS 3 19 10 10 00 00 05 1e 41 43 ac 50 B300 sp 8 000G bw 64 000G TRUNK 4 24 12 10 00 00 05 1e 41 42 ad 30 B5300 sp 8 000G bw 16 000G TRUN...

Page 462: ...one name is as follows For high priority QOSHid_xxxxx For low priority QOSLid_xxxxx where id is a flow identifier that designates a specific virtual channel for the traffic flow and xxxxx is the user defined portion of the name For example the following are valid QoS zone names QOSH3_HighPriorityTraffic QOSL1_LowPriorityZone The switch automatically sets the priority for the host target pairs spec...

Page 463: ...1 QOSL_Zone3 Members H1 H2 S3 QoS on E_Ports In addition to configuring the hosts and targets in a zone you must also enable QoS on individual E_Ports that might carry traffic between the host and target pairs Path selection between the host target pairs is governed by FSPF rules and is not affected by QoS priorities For example in Figure 67 QoS should be enabled on the encircled E_Ports NOTE By d...

Page 464: ... on E_Ports 3 12 and 3 13 then the traffic from H1 and H2 to S3 would be low priority from the hosts to Domain 3 but would switch to the default medium priority from Domain 3 to the target S3 QoS over FC routers QoS over FCR is QoS traffic prioritization between devices in edge fabrics over an FC router See Chapter 24 Using FC FC Routing to Connect Fabrics for information about FC routers phantom ...

Page 465: ... be on switches running Fabric OS v6 3 0 or later QoS zones must use WWN notation only D I notation is not supported for QoS over FCR An Adaptive Networking license must be installed on every switch that is in the path between a given configured device pair including the switches in the backbone fabric and both edge fabrics Virtual Fabrics considerations for QoS zone based traffic prioritization Y...

Page 466: ...S v6 0 0 or later and must be one of the following platforms Brocade 300 4100 4900 5000 5100 5300 5410 5424 5450 5480 6510 7500 7500E 7600 7800 8000 VA 40FC 48000 Brocade DCX DCX 4S or DCX 8510 family QoS is enabled by default on 8 Gbps and 16 Gbps ports QoS is disabled by default on all 4 Gbps ports and long distance ports Limitations and restrictions for QoS zone based traffic prioritization Ena...

Page 467: ...ing an account with admin permissions 2 Enter the zoneCreate command to create zones for high and low priority traffic For high priority traffic use the following syntax zonecreate QOSHid_zonename member member For low priority traffic use the following syntax zonecreate QOSLid_zonename member member The id is from 1 5 for high priority traffic which corresponds to VCs 10 14 For low priority traff...

Page 468: ... 30 00 00 00 10 00 00 00 40 00 00 00 zone zone1 10 00 00 00 10 00 00 00 10 00 00 00 20 00 00 00 10 00 00 00 30 00 00 00 10 00 00 00 40 00 00 00 Effective configuration No Effective configuration No Access sw0 admin cfgsave You are about to save the Defined zoning configuration This action will only save the changes on Defined configuration Any changes made on the Effective configuration will not t...

Page 469: ...edge fabric See Controlling device communication with the LSAN on page 486 for instructions 4 Enter the portCfgQos command to enable QoS on the E_Ports 5 Repeat step 1 through step 3 to create QoS zones and LSAN zones on the other edge fabric 6 Connect to the FC router in the backbone fabric and log in using an account with admin permissions 7 Enter the portCfgQos command to enable QoS on the EX_P...

Page 470: ...432 Fabric OS Administrator s Guide 53 1002446 01 Disabling QoS zone based traffic prioritization 21 ...

Page 471: ...e trunking feature optimizes the use of bandwidth by allowing a group of links to merge into a single logical link called a trunk group Traffic is distributed dynamically and in order over this trunk group achieving greater performance with fewer links Within the trunk group multiple physical ports appear as a single port thus simplifying management Trunking also improves system reliability by mai...

Page 472: ...runk ports are N_Ports on the Access Gateway or adapter connected to F_Ports on the switch For more information see Configuring F_Port trunking for Brocade adapters on page 448 the Access Gateway Administrator s Guide and the Brocade Adapters Administrators Guide for more information about configuring this type of trunking NOTE This chapter uses the term F_Port trunking to refer to a trunk between...

Page 473: ...ght ports based on the user port number such as 0 7 8 15 16 23 and up to the number of ports on the switch The maximum number of port groups is platform specific Figure 69 shows the port groups for the Brocade 5100 Ports in a port group are usually contiguous but might not be Refer to the hardware reference manual for your switch for information about which ports can be used in the same port group...

Page 474: ...unked link is roughly equal to the others in the trunk For optimal performance no more than 30 meters difference is recommended Trunks are compatible with both short wavelength SWL and long wavelength LWL fiber optic cables and transceivers Trunking is performed based on the Quality of Service QoS configuration on the master and the slave ports That is in a given trunk group if there are some port...

Page 475: ... will affect existing traffic patterns A trunking group has the same link cost as the master ISL of the group regardless of the number of ISLs in the group This allows slave ISLs to be added or removed without causing data to be rerouted because the link cost remains constant The addition of a path that is shorter than existing paths causes traffic to be rerouted through that path The addition of ...

Page 476: ...edure only if trunking has been subsequently disabled on a port or switch Enabling trunking disables and re enables the affected ports As a result traffic through these ports may be temporarily disrupted 1 Connect to the switch and log in using an account assigned to the admin role 2 Enter the portCfgTrunkPort command to enable trunking on a port Enter the switchCfgTrunk command to enable trunking...

Page 477: ...ple shows trunking groups 1 2 and 3 ports 4 13 and 14 are masters switch admin trunkshow 1 6 4 10 00 00 60 69 51 43 04 99 deskew 15 MASTER 2 15 13 10 00 00 60 69 51 43 04 99 deskew 16 MASTER 12 12 10 00 00 60 69 51 43 04 99 deskew 15 14 14 10 00 00 60 69 51 43 04 99 deskew 17 13 15 10 00 00 60 69 51 43 04 99 deskew 16 3 24 14 10 00 00 60 69 51 42 dd 2 deskew 15 MASTER This example shows trunking i...

Page 478: ...ditional information on configuring long distance see Configuring an extended ISL on page 453 Table 75 describes Trunking over long distance support for the Backbones and supported blades NOTE The L0 mode supports up to 5 km at 2 Gbps up to 2 km at 4 Gbps and up to 1 km at 8 Gbps The distance for the LS mode is static You can specify any distance greater than 10 km The distance supported depends o...

Page 479: ...witches Virtual Fabrics can be enabled or disabled If masterless EX_Port trunking is not in effect and the master port goes offline the entire EX_Port based trunk re forms and is taken offline for a short period of time If there are no other links to the edge fabric from the backbone the master port going offline may cause a traffic disruption in the backbone Supported configurations and platforms...

Page 480: ...00 id N4 Online EX_Port Trunk port master is Slot 2 Port 7 22 2 6 ee1600 id N4 Online EX_Port Trunk port master is Slot 2 Port 7 23 2 7 ee1700 id N4 Online EX_Port 10 00 00 60 69 80 1d bc MtOlympus_72 fabric id 2 Trunk master F_Port trunking You can configure F_Port trunking in the following scenarios Between F_Ports on a Fabric OS switch and N_Ports on an Access Gateway module Between F_Ports on ...

Page 481: ...from becoming disabled when they are mapped to an N_Port on a switch in Access Gateway mode With F_Port trunking any link within a trunk can go offline or become disabled but the trunk remains fully functional and there are no reconfiguration requirements Figure 70 shows a switch in AG mode without F_Port masterless trunking Figure 71 shows a switch in AG mode with F_Port masterless trunking FIGUR...

Page 482: ...trunk group See the Brocade Adapters Administrator s Guide for information about configuring the corresponding N_Port trunking on the Access Gateway and the Brocade adapter F_Port trunking considerations Table 76 describes the F_Port trunking considerations TABLE 76 F_Port masterless considerations Category Description AD You cannot create a Trunk Area on ports with different Admin Domains You can...

Page 483: ...ll continue to go through DCC policy check Default Area Port X is a port that has its Default Area the same as its Trunk Area The only time you can remove port X from the trunk group is if the entire trunk group has the Trunk Area disabled Downgrade You can have trunking on but you must disable the trunk ports before performing a firmware downgrade Note Removing a Trunk Area on ports running traff...

Page 484: ...rue If you remove port 9 from the TA it adds Index 9 back to the switch That means port 3 9 can be seen by AD1 along with 3 8 4 13 and 4 14 Port Swap When you assign a Trunk Area to a trunk group the Trunk Area cannot be port swapped if a port is swapped then you cannot assign a Trunk Area to that port Port Types Only F_Port trunk ports are allowed on a Trunk Area port All other port types are per...

Page 485: ...k port You must explicitly remove the user bound area before enabling F_Port trunking If you swap a port using the portSwap command then you must undo the port swap before enabling F_Port trunking The Port WWN format in a Virtual Fabric is 2z zz xx xx xx xx xx xx The z zz is the logical port number for example the logical port 450 will be 1 c2 The xx xx xx xx xx xx is based on the logical fabric W...

Page 486: ...o on the switch See the Brocade Adapters Administrator s Guide for a detailed description and requirements of N_Port trunking on the adapters 1 On the switch side perform the following steps a Configure both ports for trunking using the portCfgTrunkPort command switch admin portcfgtrunkport 3 40 1 switch admin portcfgtrunkport 3 41 1 b Disable the ports to be used for trunking using the portDisabl...

Page 487: ...Bandwidth 32 00Gbps Throughput 3 24Gbps 11 80 Disabling F_Port trunking 1 Connect to the switch and log in using an account assigned to the admin role 2 Enter the portDisable command to disable the ports that are to be removed from the trunk area 3 Enter the portTrunkArea disable command to remove ports from the trunk area This command does not unassign a TA if its previously assigned Area_ID is t...

Page 488: ...ports should be turned on after issuing the secPolicyActivate command to prevent the ports from becoming disabled in the case where there is a DCC security policy violation You can configure authentication on all Brocade trunking configurations For more information on authentication see Chapter 7 Configuring Security Policies ...

Page 489: ...stalling licensed features see Chapter 18 Administering Licensing The Extended Fabrics feature enables the following Fabric interconnectivity over Fibre Channel at longer distances ISLs can use long distance dark fiber connections to transfer data Wave division multiplexing such as DWDM Dense Wave Division Multiplexing CWDM Coarse Wave Division Multiplexing and TDM Time Division Multiplexing can b...

Page 490: ...is the normal default mode for an E_Port It configures the E_Port as a standard not long distance ISL A total of 20 full size frame buffers are reserved for data traffic regardless of the E_Port operating speed therefore the maximum supported link distance is up to 5 km at 2 Gbps up to 2 km at 4 Gbps and up to 1 km at 8 10 and 16 Gbps Static Mode LE LE configures an E_Ports distance greater than 5...

Page 491: ...ing concepts and configurations refer to Chapter 22 Managing Trunking Connections Only qualified Brocade SFPs are used Only Brocade branded or certain Brocade qualified SFPs are supported 1 Connect to the switch and log in using an account assigned to the admin role 2 Enter the switchDisable command 3 Enter the configure command to set the switch fabric wide configurations You can set the followin...

Page 492: ... 010200 portIfId 4312003b portWwn 20 02 00 05 1e 94 0f 00 portWwn of device s connected Distance static desired 100 Km portSpeed N8Gbps LE domain 0 FC Fastwrite OFF Interrupts 0 Link_failure 0 Frjt 0 Unknown 0 Loss_of_sync 0 Fbsy 0 Lli 0 Loss_of_sig 3 Proc_rqrd 5 Protocol_err 0 Timed_out 0 Invalid_word 0 Rx_flushed 0 Invalid_crc 0 Tx_unavail 0 Delim_err 0 Free_buffer 0 Address_err 0 Overrun 0 Lr_i...

Page 493: ...distance ISLs between core and edge switches is possible but is not a recommended practice All switch ports provide protection against buffer depletion through buffer limiting A buffer limited port reserves a minimum of eight buffer credits allowing the port to continue to operate rather than being disabled due to a lack of buffers Buffer limited operations are supported for the LS and LD extended...

Page 494: ... switches and the link speed increases additional buffer credits are required for the ports used for long distance connections Distance levels define how buffer credits are allocated and managed for extended ISLs Buffer credits are managed from a common pool available to a group of ports on a switch The buffer credit can be changed for specific applications or operating environments but it must be...

Page 495: ...onal bytes for a total of an 88 byte header can be included Because the total frame size cannot exceed the maximum of 2 148 bytes the additional header bytes will subtract from the data segment size by as much as 64 bytes per frame This is why the maximum data payload size is 2 112 because 2 112 64 2 048 which is 2 kbs of data The final frame after it is constructed is passed through the 8 byte to...

Page 496: ...m 2 Determine the speed that you will use for the long distance connection This example uses 2 Gbps 3 Use one of the following formulas to calculate the reserved buffers for distance If QoS is enabled Reserved Buffer for Distance Y X LinkSpeed 2 6 14 If QoS is not enabled Reserved Buffer for Distance Y X LinkSpeed 2 6 Where X the distance determined in step 1 in kilometers LinkSpeed the speed of t...

Page 497: ...that port The floor of the resulting number is taken because fractions of a port are not allowed If you have a distance of 50 km at 1 Gbps then 484 31 8 21 ports Allocating buffer credits based on average size frames In cases where the frame size is average for example 1024 bytes you must allocate twice the buffer credits or give twice the distance in the long distance LS configuration mode Refer ...

Page 498: ...alues of desired_distance are permitted by Fabric OS Allocating buffer credits for F_Ports The default configured F_Port buffer credit is fixed at eight buffers You can use the portCfgFPortBuffers command to configure a given port with the specified number of buffers Note that in the sample commands provided in the following procedure 12 buffers are configured for an F_Port 1 Connect to the switch...

Page 499: ...ved buffers with buffer optimized mode enabled on the slot Use the bufOpMode command to display or change the buffer optimized mode TABLE 79 Buffer credits Switch blade model Total FC ports per switch blade User port group size Unreserved buffers per port group with QoS enabled 300 24 24 484 5100 40 40 1692 5300 80 16 292 5410 12 12 580 5424 24 24 484 5450 26 26 468 5480 24 24 484 6505 24 24 7424 ...

Page 500: ...e Size Switch blade model 2 Gbps 4 Gbps 8 Gbps 10 Gbps 16 Gbps 300 486 243 121 N A N A 5100 1694 847 423 N A N A 5300 294 147 73 N A N A 5410 582 291 145 5 N A N A 5424 486 243 121 5 N A N A 5450 470 235 117 5 N A N A 5480 486 243 121 5 N A N A 6505 7904 3952 1976 1580 988 6510 7712 3856 1928 1542 964 7800 410 205 102 N A N A 8000 Extended Fabrics is not supported on this switch VA 40FC 1694 847 4...

Page 501: ...ormance degradation This feature is only supported on E_Ports that are configured for long distance and are connected between the following switch or blade models Brocade 300 5100 5300 5410 5424 5450 5480 6505 6510 VA 40FC FC8 16 FC8 32 FC8 32E FC8 48 FC8 48E FC16 32 FC16 48 If a long distance E_Port from one of these supported switches or blades is connected to any other switch or blade type the ...

Page 502: ...464 Fabric OS Administrator s Guide 53 1002446 01 Buffer credit recovery 23 ...

Page 503: ... output ports connected to xlate domains 505 FC FC routing overview The FC FC routing service provides Fibre Channel routing between two or more fabrics without merging those fabrics For example using FC FC routing you can share tape drives across multiple fabrics without the administrative problems such as change management network management scalability reliability availability and serviceabilit...

Page 504: ...cted by an FC router The Integrated Routing license allows 8 Gbps and 16 Gbps FC ports to be configured as EX_Ports or VEX_Ports supporting FC FC routing Enabling the Integrated Routing license and capability does not require a switch reboot NOTE Brocade recommends that all FC routers in a backbone fabric either have the Integrated Routing license or not It is not recommended to mix licensed and u...

Page 505: ... are not directly attached to the same backbone fabric Routing over multiple backbone fabrics is a multi hop topology and is not allowed In an edge fabric that contains a mix of administrative domain AD capable switches and switches that are not aware of AD the FC router must be connected directly to an AD capable switch For more information refer to Use of Admin Domains with LSAN zones and FC FC ...

Page 506: ...atforms by using an EX_Port or VEX_Port Backbone fabric A backbone fabric is an intermediate network that connects one or more edge fabrics In a SAN the backbone fabric consists of at least one FC router and possibly a number of Fabric OS based Fibre Channel switches refer to Figure 74 on page 471 Inter fabric link IFL The link between an E_Port and EX_Port or VE_Port and VEX_Port is called an int...

Page 507: ...c 2 and between edge fabric 2 and edge fabric 3 FIGURE 73 A metaSAN with edge to edge and backbone fabrics and LSAN zones Proxy device A proxy device is a virtual device imported into a fabric by a Fibre Channel router and represents a real device on another fabric It has a name server entry and is assigned a valid port ID When a proxy device is created in a fabric the real Fibre Channel device is...

Page 508: ...ame edge fabric the backbone fabric IDs must be different but the edge fabric IDs must be the same If you configure the same fabric ID for two backbone fabrics that are connected to the same edge fabric a RASLog message displays a warning about fabric ID overlap NOTE Backbone fabrics that share connections to the same edge fabrics must have unique backbone fabric IDs MetaSAN A metaSAN is the colle...

Page 509: ...s For example a host in Fabric 1 can communicate with a target in Fabric 2 as follows A proxy target in Fabric 1 represents the real target in Fabric 2 Likewise a proxy host in Fabric 2 represents the real host in Fabric 1 The host discovers and sends Fibre Channel frames to the proxy target The FC router receives these frames translates them appropriately and then delivers them to the destination...

Page 510: ...st one translate phantom domain is created in the backbone fabric This translate phantom domain represents the entire edge fabric The shared physical devices in the edge have corresponding proxy devices on the translate phantom domain Each edge fabric has one and only one translate phantom domain to the backbone fabric The backbone fabric device communicates with the proxy devices whenever it need...

Page 511: ...mains in the fabric corresponding to the imported edge fabrics with active LSANs defined If you import devices into the backbone fabric then an xlate domain is created in the backbone device in addition to the one in the edge fabric Figure 76 shows a sample physical topology This figure shows four FC routers in a backbone fabric and four edge fabrics connected to the FC routers FIGURE 76 Sample to...

Page 512: ...are topologically connected to FC routers and participate in FC FC routing protocol in the backbone fabric Front domains are not needed in the backbone fabric As in the case of an xlate domain in an edge fabric backbone fabric xlate domains provide additional bandwidth and redundancy by being able to present themselves as connected to single or multiple FC routers with each FC router capable of co...

Page 513: ... Configure IFLs for edge and backbone fabric connection Refer to Inter fabric link configuration on page 478 5 Modify port cost for EX_Ports if you want to change from the default settings Refer to FC router port cost configuration on page 482 6 Configure trunking on EX_Ports that are connected to the same edge fabric Refer to EX_Port frame trunking configuration on page 484 7 Configure LSAN zones...

Page 514: ...ting license If you are connecting to a Fabric OS or M EOS fabric and the Integrated Routing license is not installed you must install it as described in Chapter 18 Administering Licensing The Integrated Routing license is not required if you are connecting to a Brocade Network OS fabric 4 Verify that the Fabric Wide Consistency Policy is not in strict mode by issuing the fddCfg showall command Wh...

Page 515: ...and backbone to edge routing In addition to ensuring that the backbone fabric IDs are the same within the same backbone you must make sure that when two different backbones are connected to the same edge fabric the backbone fabric IDs are different but the edge fabric ID should be the same Configuration of two backbones with the same backbone fabric ID that are connected to the same edge is invali...

Page 516: ... FCIP tunnel configuration is applicable only to Fabric OS fabrics and does not apply to Brocade Network OS or M EOS fabrics Refer to the Fibre Channel over IP Administrator s Guide for instructions on how to configure FCIP tunnels Inter fabric link configuration Before configuring an inter fabric link IFL be aware that you cannot configure both IFLs EX_Ports VEX_Ports and ISLs E_Ports from a back...

Page 517: ...WN 50 06 06 9e 20 38 6e 1e Fabric Parameters Auto Negotiate R_A_TOV Not Applicable E_D_TOV Not Applicable Authentication Type None DH Group N A Hash Algorithm N A Edge fabric s primary wwn N A Edge fabric s version stamp N A This port can now connect to another switch The following example configures an EX_Port for connecting to a Brocade Network OS fabric The m 5 option indicates Network OS conne...

Page 518: ...ed Level AUTO Trunk Port OFF Long Distance OFF VC Link Init OFF Locked L_Port OFF Locked G_Port OFF Disabled E_Port OFF ISL R_RDY Mode OFF RSCN Suppressed OFF Persistent Disable OFF NPIV capability ON EX Port ON Mirror Port ON FC Fastwrite ON 8 After identifying such ports enter the portCfgPersistentEnable command to enable the port and then the portCfgShow command to verify the port is enabled sw...

Page 519: ... Phantom state Not OK Pref Dom ID 160 Fabric params R_A_TOV 0 E_D_TOV 0 PID fmt auto Authentication Type None Hash Algorithm N A DH Group N A Edge fabric s primary wwn N A Edge fabric s version stamp N A portDisableReason None portCFlags 0x1 portFlags 0x1 PRESENT U_PORT EX_PORT portType 10 0 portState 2 Offline portPhys 2 No_Module portScn 0 port generation number 0 portId 014a00 portIfId 4372080f...

Page 520: ...0 FCR WWN 10 00 00 05 1e 12 e0 00 Dom ID 100 Info 10 32 156 50 fcr_Brocade 5300 EX_Port FID Neighbor Switch Info WWN enet IP name 4 95 10 00 00 05 1e 37 00 45 10 32 156 31 Brocade 5300 5 95 10 00 00 05 1e 37 00 45 10 32 156 31 Brocade 5300 6 95 10 00 00 05 1e 37 00 45 10 32 156 31 Brocade 5300 FC router port cost configuration The FC router port cost is set automatically This section provides info...

Page 521: ... speed IFL are going to the same edge fabric connect the lower router cost IFL to a separate port group for example ports 0 7 than the higher router cost IFL for example ports 8 15 For VEX_Ports you would use ports in the range of 16 23 or 24 31 You can connect multiple EX_Ports or VEX_Ports to the same edge fabric The EX_Ports can all be on the same FC router or they can be on multiple routers Mu...

Page 522: ...st 7 10 Port Cost 7 10 1000 4 Enter the appropriate form of the fcrRouterPortCost command based on the task you want to perform To set the router port cost for a single EX_Port enter the command with a port and slot number and a specific cost switch admin fcrrouterportcost 7 10 10000 To set the cost of the EX_Port back to the default enter a cost value of 0 switch admin fcrrouterportcost 7 10 0 5 ...

Page 523: ...nagement interfaces You can define and manage LSANs using Brocade Advanced Zoning NOTE For performance reasons Brocade recommends that you do not configure LSANs for device sharing between Fabric OS fabrics until after you activate the Integrated Routing license Use of Admin Domains with LSAN zones and FC FC routing You can create LSAN zones as a physical fabric administrator or as an individual A...

Page 524: ... port WWNs from both local and remote fabrics to each local zone as desired Zones on the backbone and on multiple edge fabrics that share a common set of devices will be recognized as constituting a single multi fabric LSAN zone and the devices that they have in common will be able to communicate with each other across fabric boundaries LSAN zones and fabric to fabric communications Zoning is enfo...

Page 525: ...ld zoning configuration with the current configuration selected Do you want to enable zone_cfg configuration yes y no n no y zone config zone_cfg is in effect Updating flash 6 Log in as admin to fabric2 7 Enter the nsShow command to list Target A 50 05 07 61 00 5b 62 ed and Target B 50 05 07 61 00 49 20 b4 switch admin nsshow Type Pid COS PortName NodeName TTL sec NL 0508e8 3 50 05 07 61 00 5b 62 ...

Page 526: ...one Name lsan_zone_fabric75 10 00 00 00 c9 2b c9 0c EXIST 50 05 07 61 00 5b 62 ed Imported fcrPhyDevShow shows the physical devices in the LSAN switch admin fcrphydevshow Device WWN Physical Exists PID in Fabric 75 10 00 00 00 c9 2b c9 0c c70000 2 50 05 07 61 00 49 20 b4 0100ef 2 50 05 07 61 00 5b 62 ed 0100e8 Total devices displayed 3 fcrProxyDevShow shows the proxy devices in the LSAN switch adm...

Page 527: ... current LSAN limit switch admin fcrlsancount LSAN Zone Limit 3000 2 Enter the fcrlsancount command and specify the new LSAN zone limit switch admin fcrlsancount 5000 LSAN Zone Limit 5000 For information on how to display the maximum allowed and currently used LSAN zones and devices refer to Resource monitoring on page 500 NOTE Because the maximum number of LSANs is configured for each switch if t...

Page 528: ...o indicate that a particular FC router should only accept zones that start with the prefix lsan_tag For example if you specify an Enforce tag of abc the FC router accepts only those LSAN zones that start with lsan_abc and does not import or export any other LSAN zones The Enforce tag can be up to eight characters long and can contain only letters and numbers The Enforce tag is not case sensitive f...

Page 529: ...r target to trigger the fast import process The super tag is needed only in the LSANs of the target fabrics The target proxies D1 and D2 are always present in the host fabric Edge fabric 2 even if the host is brought down A target proxy is removed from the host fabric when the target device is offline FIGURE 78 Example of setting up Speed LSAN tag Rules for LSAN tagging Note the following rules fo...

Page 530: ...ce LSAN tag 1 Log in to the FC router as admin 2 Enter the following command to disable the FC router switchdisable 3 Enter the following command to create an Enforce LSAN tag fcrlsan add enforce tagname The tagname variable is the name of the LSAN tag you want to create 4 Enter the following command to enable the FC router switchenable 5 Change the names of the LSAN zones in the edge fabrics to i...

Page 531: ...switchdisable sw0 admin fcrlsan remove enforce enftag1 LSAN tag removed successfully sw0 admin switchenable Example of removing a Speed LSAN tag sw0 admin fcrlsan remove speed fasttag2 LSAN tag removed successfully Displaying the LSAN tag configuration 1 Log in to the FC router as admin 2 Enter the fcrlsan show command Example sw0 admin fcrlsan show enforce Total LSAN tags 1 ENFORCE enftag1 sw0 ad...

Page 532: ... backbone fabric has two groups of FC routers and there is no LSAN zone sharing and device access between the two groups the number of FC routers and devices supported in the backbone fabric can be higher Figure 79 on page 494 shows a sample metaSAN with four FC routers in the backbone fabric Without LSAN zone binding each FC router in the backbone fabric would store information about LSAN zones 1...

Page 533: ... Fabric OS versions earlier than v6 1 0 If a new FC router joins the backbone fabric the matrix database is automatically distributed to that FC router unless it has a different LSAN fabric matrix or FC router matrix or both defined already Note the following for FC routers running a Fabric OS version earlier than 6 1 0 The matrix database is not automatically distributed from this FC router to ot...

Page 534: ...e fabrics can still communicate with the backbone fabric LSAN fabric matrix definition With LSAN zone binding you can specify pairs of fabrics that can access each other Using the metaSAN shown in Figure 79 as an example the following edge fabrics can access each other Fabric 1 and Fabric 2 Fabric 2 and Fabric 3 Fabric 4 and Fabric 5 Fabric 5 and Fabric 6 You can use the fcrLsanMatrix command with...

Page 535: ...hanges persistently FCR Admin fcrlsanmatrix apply all Example FCR Admin fcrlsanmatrix add fcr 10 00 00 60 69 c3 12 b2 10 00 00 60 69 c3 12 b3 FCR Admin fcrlsanmatrix add lsan 4 5 FCR Admin fcrlsanmatrix add lsan 4 7 FCR Admin fcrlsanmatrix add lsan 10 19 FCR Admin fcrlsanmatrix apply all Viewing the LSAN zone binding matrixes 1 Log in to the FC router as admin 2 Enter the following command to view...

Page 536: ...ese parameters manually To change the fabric parameters on a switch in the edge fabric use the configure command Note that to access all of the fabric parameters controlled by this command you must disable the switch using the switchDisable command If executed on an enabled switch only a subset of attributes is configurable To change the fabric parameters of an EX_Port on the FC router use the por...

Page 537: ...rame forwarding on the FC router because this can degrade FCR performance when there is excessive broadcast traffic Displaying the current broadcast configuration 1 Log in to the FC router as admin 2 Enter the following command fcr admin fcrbcastconfig show This command displays only the FIDs that have the broadcast frame option enabled The FIDs that are not listed have the broadcast frame option ...

Page 538: ... multiple times The default maximum number of LSAN zones is 3000 Refer to Setting the maximum LSAN count on page 489 for information on changing this limit Proxy Device Slots The physical and proxy devices use the 10 000 device slots The information shows the maximum pool size for translate phantom node and port WWNs and shows the number of translate node and port WWNs from this pool Phantom Node ...

Page 539: ...nge an EX_Port or VEX_Port on the logical switch to be a non EX_Port or VEX_Port you must use the portCfgDefault command You cannot use the portCfgExPort command because that command is allowed only on the base switch EX_Ports can connect to a logical switch that is in the same chassis or a different chassis However the FID of the EX_Port must be set to a different value than the FID of the logica...

Page 540: ...orts that connect to logical switches in the two edge fabrics Fabric 128 and Fabric 15 The other logical switches in Fabric 128 and Fabric 15 must be connected with physical ISLs and do not use the XISL connection in the base fabric The logical switches in Fabric 1 are configured to allow XISL use You cannot connect an EX_Port to these logical switches so the device in Fabric 1 cannot communicate ...

Page 541: ...bling backbone to edge routing If you connect a legacy FC router to a base switch you must set the backbone FID of the FC router to be the same as that of the base switch In Figure 80 no devices can be connected to the backbone fabric Fabric 8 because base switches cannot have F_Ports Figure 82 shows an FC router in legacy mode connected to a base switch This FC router can have devices connected t...

Page 542: ...rt configuration remains the same for the first 16 ports on the 8 Gbps port blade and for the first 12 FC ports on the FX8 24 blade For all other ports on the blade the EX_Port configuration is cleared No ports are persistently disabled If you replace an 8 Gbps port blade or FX8 24 blade with an FR4 18i blade the EX_Port configuration remains the same for all ports on the FR4 18i blade All ports a...

Page 543: ...e edge fabric In the lsDbShow output ports in the range from 129 through 255 are the output ports on the front domain The following example shows the range of output ports linkCnt 2 flags 0x0 LinkId 53 out port 1 rem port 35 cost 500 costCnt 0 type 1 LinkId 57 out port 129 rem port 18 cost 500 costCnt 0 type 1 The following example also shows the use of the lsDbShow display on the edge fabric The ...

Page 544: ...506 Fabric OS Administrator s Guide 53 1002446 01 Displaying the range of output ports connected to xlate domains 24 ...

Page 545: ...ted by an FC router the M EOS firmware can operate in McDATA Open Mode interopMode 3 or McDATA Fabric Mode interopMode 2 but the Fabric OS switches can only operate in interopMode 0 the Brocade Native mode NOTE In Fabric OS v7 0 0 and later releases Fabric OS switches cannot operate in interopmode2 or interopmode3 Fabric OS provides the ability to configure any EX_Port to connect to an M EOS fabri...

Page 546: ...s No No No No No v5 2 0 No Yes Yes No No No v5 3 0 No No Yes Yes No No v6 0 0 No No No No Yes No v6 1 0 No No No No Yes Yes v6 1 1 v6 1 1_enc v6 2 0 Yes Yes v6 3 0 Yes Yes v6 4 0 Yes Yes v7 0 0 and later3 3 In Fabric OS v7 0 0 and later interoperation with M EOS can be done only using FC Router with the M EOS fabric connected through an EX_Port Yes Yes TABLE 83 Fabric OS and M EOSn interoperabilit...

Page 547: ...ing Fabric OS and M EOS fabrics are limited only by the scalability of each individual fabric For the latest scalability information refer to the MyBrocade website at www brocade com Refer to the M EOS fabric documentation for scalability considerations Establishing interoperability The mechanism for establishing interoperability between the FC router and the M EOS fabric varies depending on wheth...

Page 548: ...ics as well as the router as described in the following sections NOTE Trunking is not supported on EX_Ports connected to the M EOS fabric Connectivity modes You can connect to M EOS fabrics in both McDATA Open mode or McDATA Fabric mode using Fibre Channel Routing as discussed in Chapter 24 Using FC FC Routing to Connect Fabrics If the mode is not configured correctly the port is disabled because ...

Page 549: ...o the M EOS switch 5 Enter the portCfgEXPort command to configure the port as an EX_Port with a unique FID within the McDATA Fabric Mode This port can now connect to an M EOS switch in McDATA Fabric mode or McDATA Open mode The following example sets port 10 13 to admin enabled assigns a Fabric ID of 37 and sets the M EOS connection to McDATA Fabric Mode switch admin_06 portcfgexport 10 13 a 1 f 3...

Page 550: ... create LSAN zones for the SAN After you set up LSAN zoning issue the cfgShow command to verify that the zoning is correct Configuring LSAN zones in the M EOS fabric To ensure connectivity with devices in the Fabric OS fabric you must set up LSAN zones in each edge fabric An LSAN is defined by a zone in an edge fabric When zoning an LSAN containing multiple fabrics with switches that are not runni...

Page 551: ... 5c 020001 10 011500 Imported 6 Connect to the switch and configure the connection to capture console output 7 Enter the supportShow or supportSave if available command and save the output 8 Try the following if the fabric does not appear a Disable the EX_Port on the connected fabric b Enter the portLogClear command for the port c Enable the port on the FC router d Enter the portLogDump command fo...

Page 552: ...o the fabric 6 Log in to the Fabric OS edge fabric switch and enter the nsAllShow or the nsCamShow command edgeswitch admin nsallshow 010e00 020000 03f001 04f002 4 Nx_Ports in the Fabric edgeswitch admin nscamshow nscam show for remote switches Switch entry for 1 state rev owner known v520 0xfffc02 Device list count 1 Type Pid COS PortName NodeName N 010e00 3 10 00 00 00 00 01 00 00 10 00 00 00 00...

Page 553: ...ue the cfgShow command to verify your zone configuration Use the cfgActvShow command to display the zone configuration currently in effect The following example illustrates the use of cfgActvShow switch admin cfgactvshow Effective configuration cfg test zone lsan_san 10 00 00 00 00 03 00 00 10 00 00 00 00 01 00 00 zone lsan_test 50 06 01 60 38 e0 0b a4 10 00 00 00 c9 44 54 04 7 Log into the FC rou...

Page 554: ...516 Fabric OS Administrator s Guide 53 1002446 01 Fabric configurations for interconnectivity A ...

Page 555: ...mbers respectively The corresponding QSFP number for the port is also shown For a core blade no PID exists in the Address column switch FID128 admin switchshow slot 3 qsfp switchName switch name switchType 121 3 switchState Online switchMode Native switchRole Subordinate switchDomain 75 switchId fffc4b switchWwn 10 00 00 05 1e 4f eb 00 zoning ON zoning name switchBeacon OFF FC Router OFF Allow XIS...

Page 556: ...slot 1 of a Brocade DCX 8510 8 Backbone The Address column shows the PID switch FID128 admin switchshow slot 1 switchName DCX8510_8 output truncated LS Attributes FID 128 Base Switch No Default Switch Yes Address Mode 0 Index Slot Port Address Media Speed State Proto 0 1 0 500000 N16 No_Module FC 1 1 1 500100 N16 No_Module FC 2 1 2 500200 N16 No_Module FC output truncated Example of port index map...

Page 557: ...0 N8 No_Module output truncated 48 1 48 0a3000 N8 No_Module 49 1 49 0a3100 N8 No_Module 50 1 50 0a3200 N8 No_Module output truncated 62 1 62 0a3e00 N8 No_Module 63 1 63 0a3f00 N8 No_Module 64 2 0 0a4000 N8 No_Module output truncated Example of port indexing on an FX8 24 blade on a DCX 8510 8 Backbone This example shows the truncated switchShow output for an FX8 24 application blade on the Brocade ...

Page 558: ... index numbers to PIDs will vary depending on blade type platform type and slot number switch FID128 admin switchshow slot 2 switchName myswitch output truncated Slot Blade Type ID Model Name Status 2 AP BLADE 43 FS8 18 ENABLED Index Slot Port Address Media Speed State Proto 16 2 0 501000 N8 No_Module FC 17 2 1 501100 N8 No_Module FC 18 2 2 501200 N8 No_Module FC 19 2 3 501300 N8 No_Module FC 20 2...

Page 559: ...console for your reference Conditional tests are performed whenever an RSA key pair is generated These tests verify the randomness of the deterministic random number generator DRNG and non deterministic random number generator non DRNG They also verify the consistency of RSA keys with regard to signing and verification and encryption and decryption ATTENTION FIPS mode when enabled is a chassis wid...

Page 560: ...fault accounts However only the root account has permissions for this command Users with securityadmin and admin permissions must use fipsCfg zeroize which in addition to removing user accounts and resetting passwords also does the complete zeroization of the system RADIUS secret aaaConfig remove The aaaConfig remove command zeroizes the secret and deletes a configured server RNG seed key No comma...

Page 561: ...ues to reboot you must return the switch to your switch service provider For information about how to prepare a service provider case refer to the Fabric OS Troubleshooting and Diagnostics Guide When the switch successfully reboots in FIPS mode only FIPS compliant algorithms are run Table 86 lists Fabric OS features and their behaviors in FIPS and non FIPS mode TABLE 86 FIPS mode restrictions Feat...

Page 562: ...123 123 123 Enter Name Server IP address in dot notation 123 123 123 124 DNS parameters saved successfully Enter option 1 Display Domain Name Service DNS configuration 2 Set DNS configuration 3 Remove DNS configuration 4 Quit Select an item 1 4 4 4 TABLE 87 FIPS and non FIPS modes of operation FIPS mode non FIPS mode The CA that issued the Microsoft Active Directory server certificate must be inst...

Page 563: ... up LDAP for FIPS mode switch admin aaaconfig add GEOFF5 ADLDAP LOCAL conf ldap d adldap local p 389 t 3 switch admin aaaconfig authspec ldap local switch admin aaaconfig show RADIUS CONFIGURATIONS RADIUS configuration does not exist LDAP CONFIGURATIONS Position 1 Server GEOFF5 ADLDAP LOCAL Port 389 Domain adldap local Timeout s 3 Primary AAA Service LDAP Secondary AAA Service Switch database 4 Se...

Page 564: ...to the switch and log in using an account with admin permissions or an account with OM permissions for the PKI RBAC class of commands 2 Enter the secCertUtil import ldapcacert command Example of importing an LDAP certificate switch admin seccertutil import ldapcacert Select protocol ftp or scp scp Enter IP address 192 168 38 206 Enter remote directory users aUser certs Enter certificate name must ...

Page 565: ...nd all root only functions are not available HTTP Telnet RPC and SNMP need to be disabled Once these ports are blocked you cannot use them to read or write data from and to the switch The configDownload and firmwareDownload commands using an FTP server are blocked See Table 87 on page 524 for a complete list of restrictions between FIPS and non FIPS modes ATTENTION You need the securityadmin and a...

Page 566: ... and Windows 2003 based RADIUS servers may be used in a FIPS compliant configuration If the switch is set for LDAP refer to the instructions in Setting up LDAP for FIPS mode on page 524 4 Optional Set the authentication protocols a Enter the authUtil set h sha1 command to set the hash type for MD5 which is used in the DHCHAP and FCAP authentication protocols b Enter the authUtil set g n command wh...

Page 567: ... Authentication and Privacy 3 No Access 0 3 0 Select SNMP SET Security Level 0 No security 1 Authentication only 2 Authentication and Privacy 3 No Access 0 3 0 3 8 Enter the fipsCfg disable bootprom command to block access to the boot PROM NOTE This command can be entered only from the root account It must be entered before disabling the root account 9 Enter the configure command and respond to th...

Page 568: ... command to delete the associated IPsec policy c Enter the policy delete ike command to delete the associated IKE policy 14 Enter the portCfg mgmtif delete command to disable in band management 15 Enter the fipsCfg enable selftests command to enable KAT and conditional tests on the switch 16 Enter the fipsCfg verify fips command to verify the switch is FIPS ready 17 Enter the fipsCfg enable fips c...

Page 569: ...Fibre Channel uses hexadecimal notation in hex triplets to specify well known addresses and port IDs Example conversion of the hexadecimal triplet Ox616000 Notice the PID 610600 bolded in the nsShow output is in hexadecimal switch admin nsshow Type Pid COS PortName NodeName TTL sec N 610600 2 3 10 00 00 00 c9 29 b3 84 20 00 00 00 c9 29 b3 84 na FC4s FCP NodeSymb 36 Emulex LP9002 FV3 90A7 DV5 5 10A...

Page 570: ... 76 77 78 79 80 Hex 47 48 49 4a 4b 4c 4d 4e 4f 50 Decimal 81 82 83 84 85 86 87 88 89 90 Hex 51 52 53 54 55 56 57 58 59 5a Decimal 91 92 93 94 95 96 97 98 99 100 Hex 5b 5c 5d 5e 5f 60 61 62 63 64 Decimal 101 102 103 104 105 106 107 108 109 110 Hex 65 66 67 68 69 6a 6b 6c 6d 6e Decimal 111 112 113 114 115 116 117 118 119 120 Hex 6f 70 71 72 73 74 75 76 77 78 Decimal 121 122 123 124 125 126 127 128 1...

Page 571: ...8 209 210 Hex c9 ca cb cc cd ce cf d0 d1 d2 Decimal 211 212 213 214 215 216 217 218 219 220 Hex d3 d4 d5 d6 d7 d8 d9 da db dc Decimal 221 222 223 224 225 226 227 228 229 230 Hex dd de df e0 e1 e2 e3 e4 e5 e6 Decimal 231 232 233 234 235 236 237 238 239 240 Hex e7 e8 e9 ea eb ec ed ef ee f0 Decimal 241 242 243 244 245 246 247 248 249 250 Hex f1 f2 f3 f4 f5 f6 f7 f8 f9 fa Decimal 251 252 253 254 255 ...

Page 572: ...534 Fabric OS Administrator s Guide 53 1002446 01 Hexadecimal overview D ...

Page 573: ...changing parameters 87 creating 86 deleting 87 displaying information 86 lockout policy 91 lockout policy duration 92 lockout policy threshold 92 managing passwords 88 password rules 87 user defined 85 activating Admin Domains 350 POD 387 ports on demand 385 TI zones 289 AD0 340 AD255 341 Adaptive Networking 417 adding a new switch or fabric to a zone 263 Admin Domain members 351 alias members 247...

Page 574: ...o Admin Domains 348 AUTH policy 143 authenticating users 82 authentication configuring 97 local 113 auto leveling FR4 18i blade 200 207 B backbone fabric ID 477 backbone to edge routing 472 477 backing up a configuration 180 base switches about 218 creating 227 blade swapping 50 blades compatibility 44 47 disabling and enabling 44 enabling exceptions for the FR4 18i 49 port area ID 40 port identif...

Page 575: ...S server 103 NTP 28 private key 121 public key 121 RADIUS server 103 RADIUS changing 113 root certificates 124 security levels 127 SNMP 127 SNMP traps 125 Speed LSAN tag 492 SSL 120 switch 111 switch RADIUS client 105 Windows RADIUS client 105 zone rules for 243 connecting Fabric OS and M EOS SANs 507 multiple EX_Ports to an edge fabric 475 to devices 33 connection restrictions 83 serial 17 telnet...

Page 576: ...tual Fabrics 225 zone configurations 256 enabling and disabling ISL trunking 438 encryption using SSL 120 encryption in flight 309 end to end monitors deleting 404 restoring configuration 415 saving configuration 415 setting a mask 403 end to end performance monitoring 401 enforce LSAN tag 490 equipment status 54 events date and time 25 EX_Port 500 511 EX_Ports 12 extended fabrics about 451 buffer...

Page 577: ...kbones 206 test and restore on switches 204 testing different firmware versions 206 USB device 201 validating 208 verify progress 192 FL_Port 11 FLOGI 12 frame monitors deleting 408 restoring configuration 415 saving 408 saving configuration 415 frame redirection 78 FreeRADIUS 103 G G_Port 11 gateway links buffer credits 451 H HA failover 89 103 high availability HA 54 home Admin Domain 102 342 HT...

Page 578: ... logical fabrics about 216 changing context 235 logical ISLs 219 logical ports 220 logical switches about 212 allowing XISL use 234 changing FID 232 changing to a base switch 232 creating 227 deleting 230 displaying configuration 231 moving ports 230 login changing password 87 fails 17 with Admin Domains 342 login sessions maximum allowed 83 lossless dynamic load sharing 75 LSAN 485 LSAN tags 490 ...

Page 579: ...ting supported 466 PLOGI 12 POD activating 387 enabling ports 42 policies routing 63 policy members identifying 132 password expiration 91 password strength 89 port 42 activating POD 387 enabling 42 port index 517 Port Login 10 port mirroring 12 port type E_Port 11 EX_Port 12 F_Port 12 FL_Port 11 G_Port 11 M_Port 12 U_Port 11 VE_Port 12 VEX_Port 12 primary FCS 5 Principal ISLs 64 priority groups 6...

Page 580: ...sh 117 secure sockets layer 120 security AUTH policy 143 Brocade MIB 125 browsers 120 certificates 116 encryption and SSL 120 FibreAlliance MIB 125 HTTPS certificate 116 IAS remote access policies 106 IP policy rules 158 obtaining certificates 123 policies ACL 131 secure protocols supported 115 116 setting levels 127 SNMP traps 125 SSH certificate 116 SSL certificate 116 security and zoning 262 se...

Page 581: ... fabric 287 deactivating 289 deleting 290 displaying 290 modifying 288 with Virtual Fabrics 284 time and date 25 time zones 25 Top Talkers 410 417 tracking and controlling switch changes 55 traffic isolation over FCR 276 traffic isolation over FCR with Virtual Fabrics 284 traffic patterns planning for 437 traffic prioritization 419 transaction model managing Admin Domains 346 traps MIB 125 SNMP 12...

Page 582: ...20 WWN based PID assignment 37 WWNs switch WWNs in Admin Domains 344 X XISL about 218 xlate domains 473 Z zone adding a new switch or fabric 263 adding members 250 administering security 262 alias adding members 247 alias deleting 248 alias removing members 248 alias viewing 249 aliases 241 aliases creating and managing 246 all access 252 concepts 238 configurations 241 configurations adding membe...

Page 583: ...dministrator s Guide 545 53 1002446 01 zone configurations creating 255 deleting 257 disabling 257 enabling 256 removing 256 zone database and Admin Domains 362 zone broadcast 244 zones QoS zones 424 TI zones 269 ...

Page 584: ...546 Fabric OS Administrator s Guide 53 1002446 01 ...

Reviews:

No comments

Brands by name

Popular brands

Load more brands