ADMINISTRATION GUIDE

Brocade Fabric OS Administration Guide, 8.0.1

Supporting Fabric OS 8.0.
© 2016, Brocade Communications Systems, Inc. All Rights Reserved. Brocade, Brocade Assurance, the B-wing symbol, ClearLink, DCX, Fabric OS, HyperEdge, ICX, MLX, MyBrocade, OpenScript, VCS, VDX, Vplane, and Vyatta are registered trademarks, and Fabric Vision is a trademark of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned may be trademarks of others.
Contents

∙ Preface
∙ Document conventions
∙ Fabric OS command line interface
∙ Console sessions using the serial port
∙ Telnet or SSH sessions
∙ 10-bit addressing (mode 0)
∙ 256-area addressing (mode 1 and mode 2)
∙ WWN-based PID assignment
∙ Forward error correction
∙ FEC limitations
∙ Configuring buffers using frame size
∙ Calculating the number of buffers required given the distance, speed, and frame size
∙ Allocating buffer credits for F_Ports
∙ LDAP configuration and OpenLDAP
∙ TACACS+ service
∙ DCC policy restrictions
∙ Creating a DCC policy
∙ Configuration file restoration
∙ Restrictions
∙ Zone objects
∙ Zone configurations
∙ Zone merging
∙ Fabric segmentation and zoning
∙ Ingress Rate Limiting
∙ Virtual Fabrics considerations
∙ Disabling D_Port in static mode
∙ Disabling D_Port globally
∙ Core-edge topology
∙ Managing Trunking Connections
∙ FC router authentication
∙ Setting up FC-FC routing
∙ Hexadecimal overview
∙ Example conversion of the hexadecimal triplet 0x616000
∙ Decimal-to-hexadecimal conversion table
Preface

∙ Document conventions
∙ Brocade resources
∙ Contacting Brocade Technical Support
Convention    Description
...           Repeat the previous element, for example, member[member...].
\             Indicates a “soft” line break in command examples. If a backslash separates two lines of a command input, enter the entire command at the prompt without the backslash.

Notes, cautions, and warnings

Notes, cautions, and warning statements may be used in this document. They are listed in the order of increasing severity of potential hazards.
Online
Preferred method of contact for non-urgent issues:
∙ My Cases through MyBrocade
∙ Software downloads and licensing tools
∙ Knowledge Base

Telephone
Required for Sev 1-Critical and Sev 2-High issues:
∙ Continental US: 1-800-752-8061
∙ Europe, Middle East, Africa, and Asia Pacific: +800-AT FIBREE (+800 28 34 27 33)
∙ For areas unable to access toll free number: +1-408-333-6061
∙ Toll-free numbers are available in many countries.

E-mail
support@brocade.com
About This Document

∙ Supported hardware and software
∙ What's new in this document for 8.0.1
Brocade Gen 6 Directors
∙ Brocade X6-4 Director
∙ Brocade X6-8 Director

Fabric OS support for the Brocade Analytics Monitoring Platform (AMP) device depends on the specific version of the software running on that platform. For more information, refer to the Brocade Analytics Monitoring Platform documentation and release notes.

What's new in this document for 8.0.1

The following changes are applied to this document.
∙ Port Mirror feature is deprecated.
Understanding Fibre Channel Services

∙ Fibre Channel services overview
∙ Management server
∙ Platform services
∙ Alias server — The alias server keeps a group of nodes registered as one name to handle multicast groups.
∙ Broadcast server — The broadcast server is optional. When frames are transmitted to this address, they are broadcast to all operational N_ and NL_Ports.

When registration and query frames are sent to a well-known address, a different protocol service, Fibre Channel Common Transport (FC-CT), is used.
Enabling platform services

When FCS policy is enabled, the msplMgmtActivate command can be issued only from the primary FCS switch.

1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the msCapabilityShow command to verify that all switches in the fabric support the MS platform service; otherwise, the next step fails.
3. Enter the msplMgmtActivate command, as in the following example.
The following is an example of an empty access list:

    switch:admin> msconfigure
    0 Done
    1 Display the access list
    2 Add member based on its Port/Node WWN
    3 Delete member based on its Port/Node WWN
    select : (0..3) [1] 1
    MS Access list is empty.
    0 Done
    1 Display the access list
    2 Add member based on its Port/Node WWN
    3 Delete member based on its Port/Node WWN
    select : (0..3) [1] 0
    done ...

Adding a member to the ACL

Use the following procedure to add a member to the ACL:

1.
The following is an example of adding a member to the management server ACL:

    switch:admin> msconfigure
    0 Done
    1 Display the access list
    2 Add member based on its Port/Node WWN
    3 Delete member based on its Port/Node WWN
    select : (0..3) [1] 2
    Port/Node WWN (in hex): [00:00:00:00:00:00:00:00] 20:00:00:20:37:65:ce:aa
    *WWN is successfully added to the MS ACL.
The following is an example of deleting a member from the management server ACL:

    switch:admin> msconfigure
    0 Done
    1 Display the access list
    2 Add member based on its Port/Node WWN
    3 Delete member based on its Port/Node WWN
    select : (0..3) [1] 3
    Port/Node WWN (in hex): [00:00:00:00:00:00:00:00] 10:00:00:00:c9:29:b3:84
    *WWN is successfully deleted from the MS ACL.
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the msplClearDb command.
3. Enter y to confirm the deletion.

The management server platform database is cleared.

Topology discovery

The topology discovery feature can be displayed, enabled, and disabled; it is disabled by default. The commands mstdEnable and mstdDisable are allowed only in AD0 and AD255.
3. Enter y to disable the Topology Discovery feature.

NOTE
Topology discovery is disabled by default.

ATTENTION
Disabling discovery of management server topology might erase all node ID entries.

Example of disabling discovery

The following example shows what happens when you disable topology discovery.

    switch:admin> mstddisable
    This may erase all NID entries. Are you sure? (yes, y, no, n): [no] y
    Request to disable MS Topology Discovery Service in progress....
E_Port login process

An E_Port does not use a FLOGI to log in to another switch. Instead, the new switch exchanges frames with the neighboring switch to establish that the new switch is an E_Port and that it has information to exchange. If everything is acceptable to the neighboring switch, it replies to the new switch with an SW_ACC (accept) frame.
∙ Nodes leaving or joining the fabric, such as zoning, powering on or shutting down a device, or zoning changes.

NOTE
Fabric reconfigurations with no domain change do not cause an RSCN.

Duplicate Port World Wide Name

According to Fibre Channel standards, the Port World Wide Name (PWWN) of a device cannot overlap with that of another device, thus having duplicate PWWNs within the same fabric is an illegal configuration.
TABLE 1 Daemons that are automatically restarted (continued)

Daemon    Description
traced    Trace daemon provides trace entry date and time translation to Trace Device at startup and when date/time changed by command. Maintains the trace dump trigger parameters in a Trace Device. Performs the trace Background Dump, trace automatic FTP, and FTP "aliveness check" if auto-FTP is enabled.
webd      Webserver daemon used for Web Tools (includes httpd as well).
Performing Basic Configuration Tasks

∙ Fabric OS overview
∙ Fabric OS command line interface
Note the following about the command display in this guide:
∙ The entire command line (both commands and options) is case-sensitive. Selected command names and options may also support Java-style capitalization. Java-style capitalization means that while bannershow and bannerShow will both work, BANNERSHOW and BannerShow will not. Refer to the Fabric OS Command Reference for explicit instructions on supported capitalization for each command.
By default, the root user is disabled on the serial ports. Use the following steps to enable the root user.

1. Log in as admin on the serial port.
2. Enable the root account using the userconfig --change root -e yes command.
3. Log in as root and change the default password, because logging in to the root account with the default password is not supported.
4. To enable root access via Telnet or SSH, run the rootaccess --set all command.
1. Connect through a serial port to the switch that is appropriate for your fabric:
   ∙ If Virtual Fabrics is enabled, log in using an admin account assigned the chassis-role permission.
   ∙ If Virtual Fabrics is not enabled, log in using an account assigned to the admin role.
2. Verify the switch’s network interface is configured and that it is connected to the IP network through the RJ-45 Ethernet port.
TABLE 2 Help topic contents (continued)

Topic name    Help contents description
zoneHelp      Zoning help information

Viewing a history of command line entries

The CLI command history log file saves the last 1680 commands from all users on a FIFO basis, and this log is persistent across reboots and firmware downloads. This command is also supported for standby CPs.
    Fri Sep 19 09:41:08 2014 root, FID 128, console, clihistory --clear
    Fri Sep 19 09:41:41 2014 root, FID 128, console, lscfg --create 10
    Fri Sep 19 09:42:10 2014 root, FID 128, console, lscfg --create 120
    Fri Sep 19 09:42:54 2014 root, FID 128, console, lscfg --create 30
    Fri Sep 19 09:42:59 2014 root, FID 128, console, setcontext 30
    Fri Sep 19 09:43:14 2014 root, FID 30, console, rasdecode -m 65
    Fri Sep 19 09:43:32 2014 root, FID
    Fri Sep 19 09:43:42 2014 root, FID
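An added example, not part of the Brocade guide: a Python parser for clihistory lines in the layout of the sample above, flagging the history clear seen there and the two root-enabling commands from the serial-port procedure earlier in this chapter. The rule names, function names, and the constructed sample session are assumptions made for illustration.

```python
import re
import shlex
from datetime import datetime

HISTORY_CAPACITY = 1680  # FIFO size the guide states for the CLI history log

# Layout taken from the guide's sample: "<date> <user>, FID <n>, <source>, <command>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+"
    r"(?P<user>[^,\s]+), FID (?P<fid>\d+), (?P<source>[^,]+), (?P<cmd>.+)$"
)

# Constructed sample session (not captured from a switch); the last line is
# cut short on purpose to exercise the malformed-line path.
SAMPLE = """\
Fri Sep 19 09:41:08 2014 root, FID 128, console, clihistory --clear
Fri Sep 19 09:41:41 2014 root, FID 128, console, lscfg --create 10
Fri Sep 19 09:42:59 2014 root, FID 128, console, setcontext 30
Fri Sep 19 09:43:14 2014 admin, FID 128, console, userConfig --change root -e yes
Fri Sep 19 09:43:32 2014 admin, FID 128, console, rootaccess --set all
Fri Sep 19 09:43:42 2014 root, FID
"""


def parse_history(text):
    """Return (entries, rejected). Malformed lines are reported, never dropped."""
    entries, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            rejected.append(line)
            continue
        stamp = " ".join(m.group("ts").split())  # collapse padding before 1-digit days
        try:
            when = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
        except ValueError:
            rejected.append(line)
            continue
        entries.append({
            "time": when,
            "user": m.group("user"),
            "fid": int(m.group("fid")),
            "source": m.group("source").strip(),
            "cmd": m.group("cmd").strip(),
        })
    return entries, rejected


def option_value(args, flag):
    """Value that follows `flag` in an argument list, or None if absent."""
    if flag in args:
        i = args.index(flag)
        if i + 1 < len(args):
            return args[i + 1]
    return None


def classify(cmd):
    """Map one logged command to a rule name, or None when nothing applies."""
    try:
        tokens = shlex.split(cmd)
    except ValueError:  # unbalanced quotes in a logged command
        tokens = cmd.split()
    if not tokens:
        return None
    # The guide notes that bannershow and bannerShow both work, so command
    # names are compared in lower case (this over-matches, which is safe here).
    name, args = tokens[0].lower(), tokens[1:]
    if name == "clihistory" and "--clear" in args:
        return "history-cleared"  # entries before this point are gone from the log
    if (name == "userconfig" and args[:2] == ["--change", "root"]
            and option_value(args, "-e") == "yes"):
        return "root-account-enabled"
    if name == "rootaccess" and option_value(args, "--set") is not None:
        return "root-remote-access-set"
    return None


def audit(text):
    """Summarise a clihistory dump for review."""
    entries, rejected = parse_history(text)
    findings = []
    for e in entries:
        rule = classify(e["cmd"])
        if rule:
            findings.append({"rule": rule, "time": e["time"].isoformat(),
                             "user": e["user"], "fid": e["fid"], "cmd": e["cmd"]})
    return {
        "findings": findings,
        "rejected": rejected,
        # A full FIFO means older commands may already have been evicted.
        "window_full": len(entries) >= HISTORY_CAPACITY,
    }


if __name__ == "__main__":
    for finding in audit(SAMPLE)["findings"]:
        print(finding)
```

When `window_full` is true, treat the start of the log as the edge of what the switch still remembers, not as the start of activity.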
The following example shows the output of the clihistory --help command.
    WWN Based persistent PID (yes, y, no, n): [no]
    Location ID: (0..4) [0]
    High Integrity Fabric Mode (yes, y, no, n): [no]
    Edge Hold Time(Low(80ms), Medium(220ms), High(500ms), UserDefined(80-500ms): (80..
Example 1

    sw_85:user9> fosexec --domain all -cmd "islshow"
    Domain 19
    =========
    1: 80-> 40 10:00:00:05:1e:0f:73:40 53 ls20d53_5100_8_ sp:-------- bw: 8.000G
    2: 81->289 10:00:00:05:33:0d:7b:02 4 ls20d4_plpl_8_4 sp:-------- bw: 8.000G
    Domain 23
    =========
    Remote fosexec feature is disabled.
    Domain 53
    =========
    1: 40-> 80 10:00:00:05:33:39:0d:da
    2: 41->288 10:00:00:05:33:0d:7b:02
    Domain 65
    =========
    Remote fosexec feature is disabled.
NOTE
When you log in as admin and the default passwords are not changed, you are requested to change the default passwords only for admin and user accounts. You cannot change the default password for the root account if you log in as admin. The default password for the root account can be changed when you log in as root.

Default account passwords

The change default account passwords prompt is a string that begins with the message "Please change your passwords now".
Brocade switches

On Brocade switches, you must set the Ethernet and chassis management IP interfaces. Setting the chassis management IP address eliminates the need to know which CP is active and automatically connects the requestor to the currently active CP. You can continue to use a static Ethernet addressing system or allow the DHCP client to automatically acquire Ethernet addresses.
The CP blade enables eth0 by default. If an error is encountered on eth0, it is treated the same as for any other port, unless the error causes the eth0 port to go down. If eth0 goes down, the eth3 interface becomes active and will remain active even if eth0 comes back up. Use one of the following actions to restore eth0 as the active interface.
∙ Unplug the network cable, wait 5 seconds, and then plug it back in.
∙ Perform a High Availability (HA) failover routine.
    IPFC address for virtual fabric ID 123: 11.1.2.3/24
    IPFC address for virtual fabric ID 45: 13.1.2.4/20
    Slot 7
    eth0: 11.1.2.4/24
    Gateway: 11.1.2.1
    Backplane IP address of CP0 : 10.0.0.5
    Backplane IP address of CP1 : 10.0.0.
Setting the static addresses for the Ethernet network interface

Use the following procedure to set the Ethernet network interface static addresses:

1. Connect to the switch and log in using an account assigned to the admin role.
2. Perform the appropriate action based on whether you have a switch or Backbone:
   ∙ If you are setting the IP address for a switch, enter the ipAddrSet command.
DHCP activation

Some Brocade switches have Dynamic Host Configuration Protocol (DHCP) enabled by default.
The following example enables DHCP for IPv4 interactively.

    switch:admin> ipaddrset
    DHCP [Off]:on
    IP address is being changed...
    Done.

The following example enables DHCP for IPv4 using a single command.

    switch:admin> ipaddrset -ipv4 -add -dhcp ON
    switch:admin> ipaddrshow
    SWITCH
    Ethernet IP Address: 10.20.134.219
    Ethernet Subnetmask: 255.255.240.0
    Gateway IP Address: 10.20.128.
    Info : This feature got enabled on all Management Interfaces of this chassis
    Done.

2. To display the configured IP address, run the ipAddrShow command.

    switch:admin>ipaddrshow
    CHASSIS
    Ethernet IP Address: 10.17.46.231
    Ethernet Subnetmask: 255.255.240.0
    CP0
    Ethernet IP Address: 10.17.46.228
    Ethernet Subnetmask: 255.255.240.0
    Host Name: cp0
    Gateway IP Address: 10.17.32.1
    CP1
    Ethernet IP Address: 10.17.46.229
    Ethernet Subnetmask: 255.255.240.
    Local IPv6 Addresses:
    dhcpv6 2620:100:0:f603::f912/64 preferred
    link local fe80::205:33ff:fe3a:77f9/64
    CP0
    Local IPv6 Addresses:
    dhcpv6 2620:100:0:f603::f9fb/64 preferred
    link local fe80::205:33ff:fe3a:77f8/64
    IPv6 Gateways:
    fe80::21b:edff:fe0b:9000
    DHCPv6: On
    CP1
    Local IPv6 Addresses:
    dhcpv6 2620:100:0:f603::f9fa/64 preferred
    link local fe80::205:33ff:fe3a:77f7/64
    IPv6 Gateways:
    fe80::21b:edff:fe0b:9000
    DHCPv6: On

3.
    chassis 0 dhcpv6 2620:100:0:f603::f1a2/64 preferred
    cp 0 link local fe80::205:1eff:febf:7069/64
    chassis 0 stateless 2620:100:0:f603:205:1eff:feb7:3c00/64 preferred
    cp 0 static 2620:100:0:f603::f1a3/64 preferred
    cp 0 stateless 2620:100:0:f603:205:1eff:febf:7069/64 preferred
    cp 0 dhcpv6 2620:100:0:f603::f773/64 preferred
    cp 1 link local fe80::205:1eff:febf:7068/64
    cp 1 stateless 2620:100:0:f603:205:1eff:febf:7068/64 preferred
    cp 1 dhcpv6 2620:100:0:f603::f49f/64 preferred
Setting the Ethernet interface mode and speed

Network interfaces can be set to use one of three link operating modes: full duplex, half duplex, or autonegotiate. Changing the link operating mode is not supported for all network interfaces or for all Ethernet network interfaces. On the CP blade in a Brocade Backbone, the supported interfaces are eth0 and eth3. On all other platforms, only eth0 is supported.
with an incorrect date and time value functions properly. However, because the date and time are used for logging, error detection, and troubleshooting, you must set them correctly.

In a Virtual Fabric, there can be a maximum of eight logical switches per Backbone. Only the default switch in the chassis can update the hardware clock. When the date command is issued from a non-principal pre-Fabric OS v6.2.
∙ Changing the time zone on a switch updates the local time zone setup and is reflected in local time calculations.
∙ By default, all switches are set to Greenwich Mean Time (0,0). If all switches in a fabric are in one time zone, it is possible for you to keep the time zone setup at the default setting.
∙ System services that have already started reflect the time zone changes after the next reboot.
3. Enter the appropriate number or press Ctrl-D to quit.

    Please select a country.
     1) Algeria                18) Gabon
     2) Angola                 19) Gambia
     3) Benin                  20) Ghana
     4) Botswana               21) Guinea
     5) Burkina Faso           22) Guinea-Bissau
     6) Burundi                23) Kenya
     7) Cameroon               24) Lesotho
     8) Central African Rep.   25) Liberia
     9) Chad                   26) Libya
    10) Congo (Dem. Rep.)      27) Malawi
    11) Congo (Rep.
All switches in the fabric maintain the current NTP clock server value in nonvolatile memory. By default, this value is the local clock (LOCL) of the principal or primary FCS switch. Changes to the clock server value on the principal or primary FCS switch are propagated to all switches in the fabric.
In switch mode, the principal or primary FCS switch synchronizes its time with the external NTP server every 64 seconds and sends time updates to other switches in the fabric. The time updates are not sent in-band to AG devices. An AG device need not sync with the external NTP server as it can receive NTP server configuration from the connected FOS switch. If the AG device is connected to more than one fabric, the latest clock server request received is configured.
Displaying the domain IDs

Use the following procedure to display device domain IDs:

1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the fabricShow command.

The following is an example of output of fabric information, including the domain ID (D_ID). The principal switch is determined by the arrow ( > ) next to the name of the switch.
6. Respond to the remaining prompts, or press Ctrl-D to accept the other settings and exit.
7. Enter the switchEnable command to re-enable the switch.

Switch names

Switches can be identified by IP address, domain ID, World Wide Name (WWN), or by customized switch names that are unique and meaningful.

The following considerations apply to switch naming:
∙ Switch names can be from 1 through 30 characters long.
Fabric name

You can assign an alphanumeric name to identify and manage a logical fabric that formerly could only be identified by a fabric ID. The fabric name does not replace the fabric ID or its usage. The fabric continues to have a fabric ID, in addition to the assigned alphanumeric fabric name.

The following considerations apply to fabric naming:
∙ Each name must be unique for each logical switch within a chassis; duplicate fabric names are not allowed.
TABLE 4 Ports affected when you enable or disable a switch in VF or non-VF mode

Operation          Virtual Fabrics enabled                   Virtual Fabrics not enabled
Enable switch      Enables all ports on logical switch       Enables all ports on physical chassis
Enable chassis     Enables all ports on physical chassis     Not allowed
Disable switch     Disables all ports on logical switch      Disables all ports on physical chassis
Disable chassis    Disables all ports on physical chassis    Not allowed

Disabl
NOTE
After a chassisDisable, if you want to do an haFailover, you should wait at least 30 seconds.

Enabling a chassis

Enabling a chassis enables all Fibre Channel ports on all logical switches in the chassis. The chassis is enabled by default after it is powered on and switch initialization routines have finished. You must re-enable the chassis after making fabric-wide configuration changes or running offline diagnostics.

1.
NOTE
When the sysShutdown command is issued on the active CP, the active CP, the standby CP, and any application blades are all shut down.

2. Enter y at the prompt.
3. Wait until the following message displays:

    DCX:FID128:admin> sysshutdown
    This command will shutdown the operating systems on your switch.
    You are required to power-cycle the switch in order to restore operation.
Performing Advanced Configuration Tasks

∙ Port identifiers (PIDs) and PID binding overview
∙ Ports
∙ 00 is the assigned AL_PA.

From this information, you can determine which switch the device resides on from the domain ID, which port the device is attached to from the area ID, and if this device is part of a loop from the AL_PA number.

Fixed addressing mode

With fixed addressing mode, each port has a fixed address assigned by the system based on the port number. This address does not change unless you choose to swap the address using the portSwap command.
Zero-based addressing (mode 1)

With zero-based addressing, unique area assignments begin at zero regardless of where the port is physically located. This allows FICON users to make use of high port count blades with port indexes greater than 256. Zero-based addressing assigns areas when the ports are added to the logical switch, beginning at area 0x00. When a port is assigned to a logical switch, the next free PID starting from 0x00 is assigned.
When the WWN-based PID assignment feature is enabled and a new blade is plugged into the chassis, the ports for which the area is not available are disabled.

NPIV

If any N_Port ID Virtualization (NPIV) devices have static PIDs configured and the acquired area is not the same as the one being requested, the FDISC coming from that device is rejected and the error is noted in the RASlog.
Showing PID assignments

Use the following procedure to display PID assignments.

1. Connect to the switch and log in using an account with admin permissions.
2. Based on what you want to display, enter the appropriate command.
NOTE
For detailed information about the Brocade DCX 8510 and X6 Director families, refer to the respective hardware reference manuals.

The different blades that can be inserted into a chassis are described as follows:
∙ Control processor (CP) blades contain communication ports for system management, and are used for low-level, platform-wide tasks.
∙ Core blades are used for intra-chassis switching as well as interconnecting two Directors.
Port identification by slot and port number

The port number is a number assigned to an external port to give it a unique identifier in a switch. To select a specific port in the Backbones, you must identify both the slot number and the port number using the format slot number/port number. No spaces are allowed between the slot number, the slash (/), and the port number.
The Dynamic Portname feature is not supported on a switch if AG mode is enabled.

The Dynamic Portname feature is not supported in FMS mode.

MAPS rules and alerts use the dynamically populated port name to report the thresholds.
Example to configure the Dynamic Portname feature
The configure command is used to configure the Dynamic Portname. The option to configure the Dynamic Portname appears under Fabric parameters.

switch:admin> configure
Configure...
Fabric parameters (yes, y, no, n): [no] yes
WWN Based persistent PID (yes, y, no, n): [no]
Location ID: (0..4) [0]
Dynamic Portname (on, off): [off] on
Edge Hold Time(Low(80ms), Medium(220ms), High(500ms), UserDefined(80-500ms): (80..
Example to show the portname output
The portname command displays the switch name, port type, port index, and alias in the output. none indicates an error in the alias name, and null indicates that the alias is not present.

switch:admin> portname
port 0: EDGE1_sw76.E_PORT.0
port 1: EDGE1_sw76..1
port 2: EDGE1_sw76..2
port 3: EDGE1_sw76..3
port 4: EDGE1_sw76..4
port 5: EDGE1_sw76..5
port 6: EDGE1_sw76.F_PORT.6.emlx
port 7: EDGE1_sw76.F_PORT.7.
port 8: EDGE1_sw76.F_PORT.8.
Example to show the switchshow output
The switchshow -portname command displays the switch name, port type, port index, and alias in the output.

switch:admin> switchshow -portname
switchName: switchType: switchState: switchMode: switchRole: switchDomain: switchId: switchWwn: zoning: switchBeacon: FC Router: Fabric Name: Allow XISL Use: LS Attributes: sw0 66.
Control key (case sensitive) | Port name field
S | Switch name
T | Port type
I | Port index
C | Slot number / port number
A | F-Port alias
F | FDMI hostname
R | Remote switch name

Consider the following conditions while configuring the dynamic port name format.
∙ The default format string is "S.T.I.A" and the default field separator is dot ".". "S.T.I.A" represents ...
∙ The maximum number of characters can be 128.
Configuring a device-switch connection
For 8-Gbps platforms only: To configure an 8 Gbps (and 8 Gbps only) connection between a device and a switch, use the portCfgFillWord command. The portCfgFillWord command provides the following configuration options:

Mode | Link Init/Fill Word
Mode 0 | IDLE/IDLE
Mode 1 | ARBF/ARBF
Mode 2 | IDLE/ARBF
Mode 3 | If ARBF/ARBF fails, use IDLE/ARBF

This command is not applicable to Gen 5 (16-Gbps) and Gen 6 (32-Gbps) platforms.
To swap port area IDs, the port swap feature must be enabled, and both switch ports must be disabled.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the portSwapEnable port_ID command to enable the feature.
3. Enter the portDisable port_ID command on each of the source and destination ports to be swapped. The following example disables port 1 and port 1/2.

switch:admin> portdisable 1
switch:admin> portdisable 1/2

4.
2. Enter the appropriate command based on the current state of the port and whether it is necessary to specify a slot number:
∙ To disable a port that is enabled, enter the portDisable command.
∙ To disable a port that is persistently enabled, enter the portCfgPersistentDisable command.
In FMS mode, you cannot use the portCfgPersistentDisable command, so you must use the portDisable command instead.
The following example sets the speed for port 3 on slot 2 to auto-negotiate:

switch:admin> portcfgspeed 2/3 0

Setting all ports on a switch to the same speed
Use the following procedure to set all ports on a switch to the same speed.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the switchCfgSpeed command.
Example 2: if you have the ports 8-15 octet set to combination 2, port 8 may be set to fixed 10G, port 9 to ASN up to 8G, port 10 to ASN up to 4G, and so on, as long as only port speeds of 4G, 8G, or 10G are configured. The octet can be specified by any port within the octet. To change the first octet, for example, any port from 0 through 7 can be used as the port argument value. This command is non-disruptive.
Octet Combination    Supported Argument Setting    portCfgShow Combo String    portCfgShow Speed String
1 (32G|16G|8G|4G)    0                             1                           AN
                     4                                                         4G
                     8                                                         8G
                     16                                                        16G
                     32                                                        32G
2 (10G|8G|4G)        0                             2                           AN
                     4                                                         4G
                     8                                                         8G
                     10                                                        10

The final speed achieved also depends on the SFP used.
30:03:00:05:1e:0e:ee:b9
Port attributes:
FC4 Types: FCP
Supported Speed: 1 2 4 8 Gb/s
Port Speed: 8 Gb/s
Max Frame Size: 2048 bytes
Device Name: /proc/scsi/brcd/edsim
Host Name: EDSIM-FDMI
Node Name: 10:00:00:05:1e:0e:ee:b9
Port Name: 30:03:00:05:1e:0e:ee:b9
Port Type: N_PORT (0x1)
Port Symb Name: dsim:fdmi_host
Class of Service: F, 1
Fabric Name: 00:00:00:00:00:00:00:00
FC4 Active Type: FCP
Port State: 0x0
Discovered Ports: 0x1
Port Identifier: 0x000000
HBA attribut
TABLE 6 Port blade terminology, numbering, and platform support

Blade | Blade ID (slotshow) | Supported on DCX 8510 family | Supported on X6 family | Ports | Definition
FC32-48 | 178 | No | Yes | 48 | A 48-port, 32-Gbps port blade supporting 8, 10, 16, and 32 Gbps port speeds.
SX6 | 186 | No | Yes | 24 | Extension blade with 32-Gbps Fibre Channel, FCIP, and 10-GbE technology.
FC16-32 | 97 | Yes | No | 32 | A 32-port, 16-Gbps port blade supporting 2, 4, 8, 10, and 16 Gbps port speeds.
Core blades
Core blades provide intra-chassis switching and inter-chassis link (ICL) connectivity between DCX 8510 and X6 platforms.
∙ Brocade DCX 8510-8 supports two CR16-8 core blades.
∙ Brocade DCX 8510-4 supports two CR16-4 core blades.
∙ Brocade X6-8 supports two CR32-8 core blades.
∙ Brocade X6-4 supports two CR32-4 core blades.
The core blades for each platform are not interchangeable or hot-swappable with the core blades for any other platform.
2. Enter the bladeEnable command with the slot number of the port blade you want to enable.

ecp:admin> bladeenable 3
Slot 3 is being enabled

Exceptions in enabling 48-port and 64-port blades
Because the area IDs are shared with different port IDs, the 48-port and 64-port blades support only F_Ports and E_Ports. They do not support FL_Ports. (FL_Ports are not supported on any of the 16-Gbps or 32-Gbps blades.
How blades are swapped
The bladeSwap command performs the following operations:
1. Blade selection
The selection process includes selecting the switch and the blades to be affected by the swap operation. The following figure shows the source and destination blades identified to begin the process.
FIGURE 2 Identifying the blades
2.
∙ Port count. Both blades must support the same number of front ports (for example, 32 ports to 32 ports, 48 ports to 48 ports, and 64 ports to 64 ports).
∙ Availability. The ports on the destination blade must be available for the swap operation and not attached to any other devices.
FIGURE 3 Blade swap with Virtual Fabrics during the swap
4. Port swapping
The swap ports action is an iteration of the portSwap command for each port on the source blade to each corresponding port on the destination blade. As shown in the following figure, the blades can be divided into different logical switches as long as they are divided the same way.
FIGURE 4 Blade swap with Virtual Fabrics after the swap

Swapping blades
Use the following procedure to swap blades.
1. Connect to the Backbone and log in using an account with admin permissions.
2. Enter the bladeSwap command. If no errors are encountered, the blade swap will complete successfully. If errors are encountered, the command is interrupted and the ports are set back to their original configurations.
3.
Disabling switches
Switches are enabled by default. In some cases, you may need to disable a switch to perform diagnostic testing. This ensures that diagnostic activity does not interfere with normal fabric traffic. Use the following procedure to disable a switch.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter switchCfgPersistentDisable --setdisablestate.
Powering on a port blade or core blade
All blades are powered on by default when the switch chassis is powered on.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the slotPowerOn command with the slot number of the port blade or core blade you want to power on.

ecp:admin> slotpoweron 3
Powering on slot 3

Equipment status
You can check the status of switch operation, High Availability features, and fabric connectivity.
7. Enter the slotShow -m command to display the inventory and the current status of each slot in the system.
firmware downloads, and other configuration changes; in other words, critical changes that have a serious effect on the operation and security of the switch. Important information related to event classes is also tracked and made available. For example, you can track changes from an external source by the user name, IP address, or type of management interface used to access the switch.
2. On the switch where the audit configuration is enabled, enter the syslogAdmin command to add the IP address of the host machine so that it can receive the audit events. You can use IPv4, IPv6, or DNS names for the syslogAdmin command.
3. Ensure the network is configured with a network connection between the switch and the remote host.
4. Check the host syslog configuration. If all error levels are not configured, you may not see some of the audit messages.
an encryption protocol over the TCP/IP network protocol and it can be used only with the TCP-based destinations (tcp() and tcp6()). The default TLS port is 6514. While enabling secure syslog mode, you must specify a port that is configured to receive the log messages from the switch. Refer to the following examples to configure syslog server hosts.

To configure an IPv4 secure syslog server to which error log messages are sent:

switch:admin> syslogadmin --set -ip 172.
∙ Sample output of the syslog server information:

switch:admin> syslogadmin --show -ip
syslog.1 10.20.58.113
syslog.
TABLE 9 Duplicate PWWN behavior: Second login overrides first login (continued)

Input port | First port login is F_Port | First port login is NPIV port
If Base Device Logout is enabled on the NPIV port, only the base device is logged out and the remaining NPIV devices stay logged in.

Setting 2, Mixed precedence
When setting 2 is selected, the precedence depends on the port type of the first login:
∙ If the previous port is an F_Port, the first login takes precedence.
7. Enter the switchEnable command to re-enable the switch.

With any of these settings, detection of duplicate PWWNs results in a RASLog. Ports that are restricted become persistently disabled, marked with the reason "Duplicate Port WWN detected".
ATTENTION
Enabling FEC is disruptive to traffic. FEC can be enabled or disabled only at 16 Gbps, or at 10 Gbps on E_Ports with octet mode 2 or 3 on Gen 5 devices. The FEC is always enabled at 32 Gbps.

1. Connect to the switch and log in using an account with admin permissions.
2. Enter the portCfgFec --enable command, specifying the port or range of ports on which FEC is to be enabled.

portcfgfec --enable -FEC slot/port

3.
Enabling or disabling FEC for long-distance ports
To enable or disable FEC for long-distance ports, use portCfgLongDistance with the -fecEnable or -fecDisable parameter as required.

switch:admin> portcfglongdistance 12/6 LS 1 -distance 100 -fecenable

Refer to Managing Long-Distance Fabrics on page 483 for more details on working with long-distance ports.
2. To enable FEC-via-TTS on all ports of a 32-port blade in slot 1 without confirmation:

switch:admin> portcfgfec --enable -tts -f 1/0-31

3. To enable FEC-via-TTS on port 0 of slot 1 with confirmation:

switch:admin> portcfgfec --enable -tts 1/0

4. To disable FEC-via-TTS on port 0 of slot 1 without confirmation:

switch:admin> portcfgfec --disable -tts -f 1/0

5.
Routing Traffic
∙ Routing overview, page 107
∙ Inter-switch links, page 109
∙ Gateway links
also keeps track of the state of the links on all switches in the fabric and associates a cost with each link. The protocol computes paths from a switch to all the other switches in the fabric by adding the cost of all links traversed by the path, and chooses the path that minimizes the costs. This collection of the link states, including costs, of all the switches in the fabric constitutes the topology database or link state database.
Destination ID (DID). When an ISL is attached or removed from a switch, FSPF updates the route tables to reflect the addition or deletion of the new routes. As each host transmits a frame to the switch, the switch reads the SID and DID in the frame header. If the domain ID of the destination address is the same as the switch (intra-switch communications), the frame buffer is copied to the destination port and a credit R_RDY message is sent to the host.
FIGURE 6 New switch added to existing fabric

When connecting two switches together, Brocade recommends as a best practice that the following parameters are differentiated:
∙ Domain ID
∙ Switch name
∙ Chassis name

You must also verify that the following fabric parameters are identical on each switch for a fabric to merge:
∙ R_A_TOV (Resource Allocation TimeOut Value)
∙ E_D_TOV (Error Detect TimeOut Value)
∙ Data Field Size
∙ Sequence Level Switching
∙ Disable Device Probing
There are non-fabric parameters that must match as well, such as zoning. Some fabric services, such as management server, must match. If the fabric service is enabled in the fabric, then the switch you are introducing into the fabric must also have it enabled. If you experience a segmented fabric, refer to the Fabric OS Troubleshooting and Diagnostics Guide to fix the problem.
FIGURE 7 Virtual channels on a QoS-enabled ISL

Gateway links
A gateway merges SANs into a single fabric by establishing point-to-point E_Port connectivity between two Fibre Channel switches that are separated by a network with a protocol such as IP or SONET. Except for link initialization, gateways are transparent to switches; the gateway simply provides E_Port connectivity from one switch to another.
FIGURE 8 Gateway link merging SANs

By default, switch ports initialize links using the Exchange Link Parameters (ELP) mode 1. However, gateways expect initialization with ELP mode 2, also referred to as ISL R_RDY mode. Therefore, to enable two switches to link through a gateway, the ports on both switches must be set for ELP mode 2.
Example of enabling a gateway link on slot 2, port 3:

ecp:admin> portcfgislmode 2/3, 1
Committing configuration...done.
ISL R_RDY Mode is enabled for port 3. Please make sure the PID formats are consistent across the entire fabric.

Routing policies
By default, all routing protocols place their routes into a routing table.
NOTE
For FC routers only: When an FC router is in port-based routing mode, the backbone traffic is load-balanced based on SID and DID. When an FC router is in exchange-based routing mode, the backbone traffic is load-balanced based on SID, DID, and OXID.

Whatever routing policy a switch is using applies to the VE_Ports as well. For more information on VE_Ports, refer to the Fabric OS FCIP Administrator's Guide.
Domain: 1 Name: sw0 WWN: 10:00:00:05:33:c1:26:00 Port Channel: None
Domain: 2 Name: DCX_35_F_128 WWN: 10:00:00:05:1e:38:e5:23 Port Channel: Ports: 384, 385, 386, 387, 400, 401, 417, 418, 419, 432, 433, 434, 435 402, 403, 402, 403,
Domain: 3 Name: SW_122_F_128 WWN: 10:00:00:05:1e:9b:10:5b Port Channel: Ports: 111, 248
Domain: 5 Name: SW_65_F128 WWN: 10:00:00:05:1e:5c:f6:fd Port Channel: Ports: 384, 385, 386, 387, 400, 401, 417, 418, 419, 432, 433, 434, 435
Domain: 6 Name: SW_121_F_128 W
∙ A device goes offline

Setting DLS
Use the following procedure to set DLS.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the dlsShow command to view the current DLS setting. One of the following messages appears:
∙ "DLS is set with Lossless disabled" indicates that DLS is turned on.
∙ "DLS is not set with Lossless disabled" indicates that DLS is turned off.
∙ "DLS is set with Lossless enabled." DLS is enabled with the Lossless feature.
3.
In a stable fabric, frames are always delivered in order, even when the traffic between switches is shared among multiple paths. However, when topology changes occur in the fabric (for example, if a link goes down), traffic is rerouted around the failure, and some frames could be delivered out of order. Most destination devices tolerate out-of-order delivery, but some do not. By default, out-of-order frame-based delivery is allowed to minimize the number of frames dropped.
NOTE
Frame viewing for unrouteable and "destination unreachable" frames is supported only on the following devices:
∙ Brocade 6505, 6510, 6520, G620, DCX 8510-4, DCX 8510-8, X6-4 and X6-8 switches.
∙ Brocade CR32-4, CR32-8, CR16-4, CR16-8, FC32-48, FC16-32, FC16-48, and FC16-64 blades.
If a chassis has any older blades, only the timeout frames will be captured for those blades.
Specify -1 for fixed-port switches and -1/-1 for Brocade Backbones. These indicate "any back-end port".

NOTE
Frame discards can be logged as audit messages using the Fabric OS syslog facility.

Lossless Dynamic Load Sharing on ports
Lossless Dynamic Load Sharing (DLS) allows you to rebalance port paths without causing input/output (I/O) failures. For devices where in-order delivery (IOD) of frames is required, you can set IOD separately.
2. Applies the results of the rebalance calculations.
3. If IOD is enabled, waits for sufficient time for frames already received to be transmitted. This is needed to maintain IOD.
4. Resumes traffic.

The following table shows the effect of frames when you have a specific routing policy turned on with IOD.
To configure Lossless Dynamic Load Sharing, complete the following steps.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the appropriate dlsSet command to enable or disable Lossless Dynamic Load Sharing.
new link prior to the rest of the fabric. For devices on those two switches, when they attempt to start using the new link, Two-hop Lossless DLS ensures that the routes are ready for use prior to their route updates. For a switch that is directly connected to one of the two switches with the new link, when it performs the rebalance operation, its device traffic is shifted to the new path in a lossless manner.
NOTE
Fabric OS v7.2.0 is not supported on the Brocade 7600 or Brocade SAS blade. However, this hardware can run in a pre-Fabric OS v7.2.0 system and attach to a Fabric OS v7.2.0 fabric.

Frame Redirection uses a combination of special frame redirection zones and name server changes to spoof the mapping of real device WWNs to virtual PIDs.

FIGURE 9 Single host and target

Figure 9 demonstrates the flow of Frame Redirection traffic. A frame starts at the host with a destination to the target.
Deleting a frame redirect zone
Use the following procedure to delete a frame redirect zone.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the zone --rddelete command to remove the base redirect zone object, "red_______base".
NOTE
When the base zone is removed, the redirect zone configuration "r_e_d_i_r_c__fg" is removed as well.
3. Enter the cfgSave command to save changes to the defined configuration.
Buffer-to-Buffer Credits and Credit Recovery
∙ Buffer credit management, page 127
∙ Buffer credit recovery, page 139
∙ Credit loss detection
Upon arriving at a receiver, a frame goes through several steps. It is received, deserialized, and decoded, and is stored in a receive buffer where it is processed by the receiving port. If another frame arrives while the receiver is processing the first frame, a second receive buffer is needed to hold this new frame.
TABLE 12 Fibre Channel gigabit values (continued)

Gigabit value | Line rate
16 Gbps | 17
32 Gbps | 28.05

Buffer credit allocation based on full-size frames
Assuming that the frame is a full-size frame, one buffer credit allows a device to send one payload up to 2,112 bytes (2,148 with headers).
Refer to the data in Table 14 on page 135 and Table 17 on page 136 to get the total ports in a switch or blade, the number of user ports in a port group, and the unreserved buffer credits available per port group. The values reflect an estimate, and may differ from the supported values in Table 17 on page 136.
676 - (24 * 8) = 484 unreserved buffer credits

492 buffers to a single port (484 + 8 [8 for the reserved buffers already allocated to that user port]), you can calculate the maximum single-port extended distance supported:

Maximum_Distance_X (in km) = (BufferCredits + 6) * 2 / LinkSpeed
498 km = (492 + 6 buffers for Fabric Services) * 2 / 2 Gbps

If you have a distance of 50 km at 8 Gbps, then 484 / (206 - 8) = 2 ports.
If buffer credit recovery is enabled, Fabric OS supports a BB_SC_N range of 1 to 15; therefore, it is impossible for the desired_distance value to be more than the number of buffer credits available in the pool as determined by the previous calculations. The distance for buffer credit recovery is well within the range of all possible connections.
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the portBufferCalc command and provide values for the distance, port speed, and frame size.

The following example calculates the number of buffers required for an 8-Gbps port on a 100-km link with an average frame size of 512 bytes.
NOTE
The configured number of buffers for a given port is stored in the configuration database and is persistent across reboots.

The F_Port buffer feature does not support EX_Port, Long-Distance, L_Port, FastWrite, QoS, and Trunk Area enabled ports.
[Tabular command output for rows 49 through 63; column layout not recoverable.]

Buffer credits per switch or blade model
The following table shows the total FC ports in a switch or b
TABLE 15 Total FC ports, ports per port group, and unreserved buffer credits per port group (continued)

Switch/blade model | Total FC ports per switch/blade | User port group size | Unreserved buffer credits per port group (with minimum buffer allocation) | Unreserved buffer credits per port group (with QoS) | Unreserved buffer credits per port group (without QoS)
6558 | 48 | 48 | 7712 | 6464 | 6752
6559 | 48 | 48 | 7712 | 6464 | 6752
7840 | 24 | 24 | 5024 | 4400 | 4544
FC16-32
Formula for Gen-5 16-Gbps and older devices

The remaining buffers = (Total FE Ports * 8) + (Total BE/BI Ports * Buffers for BE/BI Port) + EMB Buffers + SAB Buffers

TABLE 18 Configurable distances for Extended Fabrics
Maximum distances (km) that can be configured (assuming a 2112-byte frame size)

Switch/blade model | 2 Gbps | 4 Gbps | 8 Gbps | 10 Gbps | 16 Gbps
M6505 | N/A | 3949 | 1974 | N/A | 987
6505 | 7898 | 3949 | 1974 | N/A | 987
6510 | 7706 | 3853 | 1926 | 1541 | 963
6520
When Fabric OS firmware is downgraded from version 7.1 to an earlier version, the effect depends on whether the number of buffer credits for the long-distance port is configured with the -framesize and -distance options or with the -buffers option.

When a port is configured with -framesize and -distance options
In Fabric OS v7.1, if you configure the port by using the -distance option alone, the reserved buffers are calculated according to the distance.
Buffer credit recovery
Buffer credit recovery allows links to recover after buffer credits are lost when the buffer credit recovery logic is enabled. The buffer credit recovery feature also maintains performance. If a credit is lost, a recovery attempt is initiated. During link reset, the frame and credit loss counters are reset without performance degradation. Credit recovery is supported on E_Ports, F_Ports, and EX_Ports.
For an F_Port on a Brocade switch or Access Gateway connected to an adapter, the following conditions must be met:
∙ The Brocade switch or Access Gateway must run Fabric OS v7.1 or later.
∙ Fabric OS must support buffer credit recovery at both ends of the link.
∙ The adapter must be running HBA v3.2 firmware or later.
∙ The adapter must operate at maximum speed.
∙ The flow-control mode must be R_RDY.
Credit loss detection
Fabric OS 7.1.0 and later supports credit loss detection for back-end ports and core blades, and on the Brocade 5300 and 6520 switches, although the support is slightly different on each device. Refer to the following topics for information on credit loss detection for these devices, and to the Fabric OS Troubleshooting and Diagnostics Guide for more general information on credit loss detection.
In the following example, back-end port credit loss recovery is enabled with the link reset only option.

switch:admin> creditrecovmode --cfg onLrOnly

3. Enter creditrecovmode --show to display information about the back-end port credit recovery configuration. In the following example, back-end port credit loss recovery is enabled with the "link reset only" option.
For example, to activate both credit loss and loss of sync with link reset and NO threshold, use the following command:

switch:admin> creditrecovmode --cfg onLrOnly

For example, to activate both credit loss and loss of sync with link reset and threshold (10), use the following command:

switch:admin> creditrecovmode --cfg onLrThresh --lrthreshold 2
switch:admin> creditrecovmode --show
Internal port credit recovery is Enabled with LrThresh
Back end port Loss of Sy
TABLE 19 Blade fault scenarios (continued)

Fault Option | Back-end link failure location | Edge chip fault count | Core chip fault count | Faulted blade when director has single active core | Faulted blade when director has dual active cores
coreblade | Edge Blade | N/A | N/A | Edge Blade | Core Blade
coreblade | Core Blade | N/A | N/A | Edge Blade | Core Blade
edgecoreblade | Edge blade | N/A | <2 | Edge blade | Edge blade
edgecoreblade | Edge blade | N/A | >2 | Edge blade | Core B
Managing User Accounts
∙ User accounts overview, page 145
∙ Local database user accounts, page 149
∙ Local user account database distribution
When you log in to a switch, your user account is associated with a predefined role or a user-defined role. The role that your account is associated with determines the level of access you have on that switch and in the fabric. The chassis role can also be associated with user-defined roles; it has permissions for RBAC classes of commands that are configured when user-defined roles are created.
This command shows the permissions that apply to all commands in a specific category.

switch:admin> classconfig --showroles authentication
Roles that have access to the RBAC Class ‘authentication’ are:
Role name         Permission
-----------------
Admin             OM
Root              OM
Security Admin    OM

You can also use the classConfig --showcli command to show the permissions that apply to a specific command.
∙ A role name is case-insensitive and contains only letters.
∙ The role name should have a minimum of 4 letters and can be up to 16 letters long.
∙ The maximum number of user-defined roles that are allowed on a chassis is 150.

The roleConfig command can be used to define unique roles. You must have chassis-level access and permissions to execute this command. The following example creates a user-defined role called mysecurityrole.
Run the userConfig --add todUser command to add time-based users.

switch:admin> userconfig --add toduser -r user -l 1-128 -h 128 -c user -d "Time of day User" -at hh:mm-hh:mm

The first instance of hh:mm after the "-at" option indicates the start time and the second instance indicates the end time. To downgrade to a previous Fabric OS version, you need to remove the time-based user configuration.
WARNING
Do not use the passwdDefault command, which is supported only on root, because it deletes all user-defined accounts and resets the passwords of root, admin, and user to the default passwords. It also deletes the factory account, resets the root access back to console only, and disables the root account.

Displaying account information
1.
1. Connect to the switch and log in using an account with admin permissions, or an account associated with a user-defined role with permissions for the UserManagement class of commands.
2. Enter the userConfig --change command.

Local account passwords
The following rules apply to changing passwords:
∙ Users can change their own passwords.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the distribute -p PWD -d command.

NOTE
If Virtual Fabrics mode is enabled and there are logical switches defined other than the default logical switch, then distributing the password database to switches is not supported.
Specifies the minimum number of punctuation characters that must appear in the password. All printable, non-alphanumeric punctuation characters except the colon ( : ) are allowed. The default value is zero. The maximum value must be less than or equal to the MinLength value.

∙ MinLength
  Specifies the minimum length of the password. The minimum can be from 8 through 40 characters. New passwords must be between the minimum length specified and 40 characters. The default value is 8.
password. The default value is 1, which means the current and one previous password cannot be reused. The value 2 indicates that the current and the two previous passwords cannot be used (and so on, up to 24 passwords). This policy does not verify that a new password meets a minimal standard of difference from prior passwords; rather, it only determines whether or not a newly specified password is identical to one of the specified number (1-24) of previously used passwords.
Account lockout policy

The account lockout policy disables a user account when that user exceeds a specified number of failed login attempts, and is enforced across all user accounts. You can configure this policy to keep the account locked until explicit administrative action is taken to unlock it, or the locked account can be automatically unlocked after a specified period. Administrators can unlock a locked account at any time.
Changing the root password without the old password

Starting with Fabric OS 7.4.0, in environments where switch account passwords are controlled by password management appliances, you can configure an option to not verify the old password while changing the root password. By default, this option is disabled, which means that you must provide the old password to change the root password. To disable verification of the old password, complete the following steps:

1.
∙ When a password database update is received, the hash type is not reset if the received hash configuration is weaker than the existing hash configuration. For example, if the switch is currently using SHA512, and the configuration request made by the distribute command is for SHA256, then the hash type is retained as SHA512.
∙ When you upgrade the switch to Fabric OS 8.0.1 or later, the MD5 hash type configuration is retained.
∙ When you downgrade the switch from Fabric OS 8.0.
∙ If no password was previously set, the following message is displayed:

    Recovery password is NOT set. Please set it now.

∙ If a password was previously set, the following message is displayed:

    Send the following string to Customer Support for password recovery: afHTpyLsDo1Pz0Pk5GzhIw==
    Enter the supplied recovery password.
    Recovery Password:

5. Enter the recovery password (string). The recovery string must be from 8 through 40 alphanumeric characters in length.
The following prompt is displayed:

    New password:

7. Enter the boot PROM password, and then re-enter it when prompted. The password must be eight alphanumeric characters long (any additional characters are not recorded). Record this password for future use. The new password is automatically saved (the saveEnv command is not required).
8.
3. Create a serial connection to the standby CP blade as described in Connecting to Fabric OS through the serial port on page 38.
4. Reboot the standby CP blade by sliding the On/Off switch on the ejector handle of the standby CP blade to Off, and then back to On. This causes the blade to reset.
5. Press Esc within four seconds after the message "Press escape within 4 seconds..." is displayed.
6. When prompted, enter 3 to enter the command shell.
7.
NOTE
For systems such as the Brocade DCX Backbone, the switch IP addresses are aliases of the physical Ethernet interfaces on the CP blades. When specifying client IP addresses for the logical switches in such systems, make sure that the CP IP addresses are used.

Authentication server data

When configured for remote authentication, a switch becomes a RADIUS, LDAP, or TACACS+ client.
TABLE 24 LDAP options (continued)

Protocol | Description | Channel type | Default port | URL | Brocade supported?
Secured 636 and 389 ldaps:// No authenticated using a certificate LDAPv2 with SSL1 LDAPv2 over SSL. Port 636 is used for SSL. Port 389 is for connecting to LDAP.

Command options

The following table outlines the aaaConfig command options used to set the authentication mode.
TABLE 25 Authentication configuration options (continued)

aaaConfig options | Description
--authspec "tacacs+; local" | Authenticates management connections against any TACACS+ databases first. If TACACS+ fails for any reason, it then authenticates against the local user database.
--backup | The --backup option states to try the secondary authentication database only if the primary authentication database is not available.
TABLE 26 Syntax for VSA-based account roles (continued)

Item | Value | Description
ZoneAdmin 2 Optional: Specifies the Virtual Fabric member list. For more information on Virtual Fabrics, refer to RADIUS configuration with Virtual Fabrics on page 166.
Windows 2012 VSA configuration

Linux FreeRADIUS server

For the configuration on a Linux FreeRADIUS server, define the values outlined in Table 27 in a vendor dictionary file called dictionary.brocade.

TABLE 27 Entries in dictionary.
RADIUS configuration with Virtual Fabrics

When configuring users with Virtual Fabrics, you must also include the Virtual Fabric member list. This section describes the way that you configure attribute types for this configuration.
NOTE
RADIUS authentication is rejected when “peap-mschapv2” is used together with IPv6. PEAP with IPv4 succeeds. The combination of PEAP-MSCHAPv2 and IPv6 is not supported and is therefore blocked during configuration.

Configuring RADIUS server support with Linux

The following procedures work for FreeRADIUS on Solaris and Red Hat Linux. FreeRADIUS is a freeware RADIUS server that you can find at the following website: http://www.freeradius.
Example of adding a user name to the RADIUS authentication

For example, to set up an account called JohnDoe with admin permissions with a password expiry date of May 28, 2008 and a warning period of 30 days:

    JohnDoe Auth-Type := Local
        User-Password == "johnPassword",
        Brocade-Auth-Role = "admin",
        Brocade-Passwd-ExpiryDate = "05/28/08",
        Brocade-Passwd-WarnPeriod = "30"

Example of using the local system password to authenticate users

The following example uses the local system password
Configuring RADIUS service on Windows 2012 consists of the following steps:

1. Installing Internet Authentication Service (IAS)
   For more information and instructions on installing IAS, refer to the Microsoft website.
2. Enabling the Challenge Handshake Authentication Protocol (CHAP)
   If CHAP authentication is required, then Windows must be configured to store passwords with reversible encryption. Reverse password encryption is not the default behavior; it must be enabled.
a) In the Internet Authentication Service window, right-click the Remote Access Policies folder, and then select New Remote Access Policy from the pop-up window. A remote access policy must be created for each group of Brocade login permissions (root, admin, switchAdmin, and user) for which you want to use RADIUS. Apply this policy to the user groups that you already created.
b) In the Vendor-Specific Attribute Information window, enter the vendor code value 1588. Click the Yes.
The Configure Settings window is displayed.
h) Select the Vendor Specific option from the left pane and click Add. The Add Vendor Specific Attribute dialog box is displayed.
i) Select RADIUS Standard from the list and click Add. The Vendor Specific Attribute Information dialog box is displayed.
j) Select RADIUS Standard from the list and choose the Yes, it confirms option. Click Ok. The Configure VSA (RFC Compliant) dialog box is displayed.
Setting up the RSA RADIUS server

For more information on how to install and configure the RSA Authentication Manager and the RSA RADIUS server, refer to your documentation or visit www.rsa.com.

1. Create user records in the RSA Authentication Manager.
2. Configure the RSA Authentication Manager by adding an agent host.
3. Configure the RSA RADIUS server.
    @aptis.dct
    @ascend.dct
    @ascndvsa.dct
    @axc.dct
    @bandwagn.dct
    @brocade.dct <-------

Example of a brocade.dct file shows what the brocade.dct file should look like and Example of the dictiona.dcm file shows what needs to be modified in the dictiona.dcm file.

NOTE
The dictionary files for the RSA RADIUS server must remain in the installation directory. Do not move the files to other locations on your computer.
    --change server -conf radius|ldap|tacacs+ [-p port] [-s secret] [-t timeout] [-a chap|pap|peapmschapv2] [-d domain-name] [-e -encr_type encryption_level]

NOTE
For -conf ldap, the -a, -s and -e options are not applicable. For -conf tacacs+, the -e option is not applicable.

LDAP configuration and Microsoft Active Directory

LDAP provides user authentication and authorization using the Microsoft Active Directory service or using OpenLDAP in conjunction with LDAP on the switch.
Follow Microsoft instructions for generating and installing CA certificates on a Windows server.
2. Create a user in Microsoft Active Directory server.
   For instructions on how to create a user, refer to www.microsoft.com or Microsoft documentation to create a user in your Active Directory.
3. Create a group name that uses the switch’s role name so that the Active Directory group’s name is the same as the switch’s role name.
3. Select Properties. Click the Attribute Editor tab.
4. Double-click the adminDescription attribute. The String Attribute Editor dialog box displays.

   NOTE
   The attribute can be added to user objects only.

5. Enter the values of the logical fabrics separated by a semi-colon ( ; ) into the Value field.

Example for adding Virtual Fabrics:

    HomeLF=10;LFRoleList=admin:128,10;ChassisRole=admin

In this example, the logical switch that would be logged in to by default is 10.
Follow OpenLDAP instructions for generating and installing CA certificates on an OpenLDAP server.
2. Enable group membership through the memberOf mechanism by including the memberOf overlay in the slapd.conf file.
3. Create entries (users) in the OpenLDAP Directory.
4. Assign users to groups by using the member attribute.
5. Use the ldapCfg --maprole ldap_role_name switch_role command to map an LDAP server role to one of the default roles available on the switch.
6.
    dn: cn=Manager,dc=mybrocade,dc=com
    objectClass: organizationalRole
    cn: Manager
    description: Directory Manager

2. Enter the ldapadd command to add the contents of the .ldif file to the Directory, where test.ldif is the file you created in step 1.

    switch:admin> ldapadd -D cn=Manager,dc=mybrocade,dc=com -x -w secret -f test.ldif

Assigning a user to a group

Before you can assign a user to a group, the memberOf overlay must be added to the slapd.conf file.
The following sample schema file defines a new objectClass named "user" with optional attributes "brcdAdVfData" and "description".

    #New attr brcdAdVfData
    attributetype ( 1.3.6.1.4.1.8412.100
        NAME ( 'brcdAdVfData' )
        DESC 'Brocade specific data for LDAP authentication'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
    objectclass ( 1.3.6.1.4.1.8412.
TACACS+ service

Fabric OS can authenticate users with a remote server using the Terminal Access Controller Access-Control System Plus (TACACS+) protocol. TACACS+ is a protocol used in AAA server environments consisting of a centralized authentication server and multiple Network Access Servers or clients. Once configured to use TACACS+, a Brocade switch becomes a Network Access Server (NAS).
TABLE 28 Brocade custom TACACS+ attributes

Attribute | Purpose
brcd-role | Role assigned to the user account
brcd-AV-Pair1 | The Virtual Fabric member list, and chassis role
brcd-AV-Pair2 | The Virtual Fabric member list, and chassis role
brcd-passwd-expiryDate | The date on which the password expires
brcd-passwd-warnPeriod | The time before expiration for the user to receive a warning message

Adding a user and assigning a role

When adding a user to the tac_plus.
∙ brcd-passwd-warnPeriod sets the warning period as a number of days.

The following example sets the password expiration date for the fosuser5 account. It also specifies that a warning be sent to the user 30 days before the password is due to expire.
You must specify the type of service as one of RADIUS, LDAP, or TACACS+. Local is used for local authentication if the user authentication fails on the authentication server.
Configuring local authentication as backup

It is useful to enable local authentication, so that the switch can take over authentication locally if the RADIUS or LDAP servers fail to respond because of power outage or network problems.

1. Connect to the switch and log in using an account with admin permissions.
2. Enter the aaaConfig --authspec command to enable or disable RADIUS, LDAP, or TACACS+ with local authentication as a backup authentication mechanism.
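The two fallback behaviours that Table 25 describes for --authspec "tacacs+; local" with and without --backup, written out as an added Python model; it is not Fabric OS code, the names are hypothetical, and the outcomes follow only the two table sentences.

```python
"""Which database decides a login under aaaConfig --authspec.

Added illustration, not Fabric OS code. All names are hypothetical; the
behaviour is a reading of the two Table 25 descriptions.
"""
from enum import Enum


class Remote(Enum):
    ACCEPT = "accept"            # server answered and accepted the credentials
    REJECT = "reject"            # server answered and rejected the credentials
    UNAVAILABLE = "unavailable"  # server did not answer (outage, network)


def decide(remote, local_ok, backup):
    """Return (login_allowed, deciding_database).

    backup=False models --authspec "tacacs+; local": the local database is
    consulted when TACACS+ fails for any reason.
    backup=True models the same authspec with --backup: the local database
    is consulted only when the primary database is not available.
    local_ok says whether the credentials match a local account.
    """
    if remote is Remote.ACCEPT:
        return True, "remote"
    if backup and remote is Remote.REJECT:
        return False, "remote"
    return local_ok, "local"


def local_only_logins(backup):
    """Remote outcomes under which a valid local password alone logs in."""
    return [r.value for r in Remote if decide(r, True, backup) == (True, "local")]


def matrix():
    """Every combination, for review as a decision table."""
    rows = []
    for backup in (False, True):
        for remote in Remote:
            for local_ok in (False, True):
                allowed, source = decide(remote, local_ok, backup)
                rows.append((backup, remote.value, local_ok, allowed, source))
    return rows


if __name__ == "__main__":
    print("backup remote       local_ok -> allowed by")
    for backup, remote, local_ok, allowed, source in matrix():
        print(f"{backup!s:6} {remote:12} {local_ok!s:8} -> {allowed!s:5} {source}")
    print("without --backup, local password suffices when remote:",
          local_only_logins(False))
    print("with --backup, local password suffices when remote:",
          local_only_logins(True))
```

Without --backup, an account that the remote server rejects can still log in if a matching local account exists, so stale local accounts need the same review as remote ones.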
Configuring Protocols

∙ Security protocols
∙ Secure Copy
TABLE 29 Secure protocol support (continued)

Protocol | Description
authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.
SSL | Fabric OS uses Secure Socket Layer (SSL) to support HTTPS. A certificate must be generated and installed on each switch to enable SSL. Supports SSLv3, 128-bit encryption by default. Also supports TLSv1.0, TLSv1.1, and TLSv1.2.

NOTE
Challenge Response Authentication (CRA) is supported in SCP and SSH sessions.
Setting up SCP for configuration uploads and downloads

Use the following procedure to configure SCP for configuration uploads and downloads.

1. Connect to the switch and log in using an account with admin permissions.
2. Enter one of the following commands:
   ∙ If Virtual Fabrics is enabled, enter the configurechassis command.
   ∙ If Virtual Fabrics is not enabled, enter the configure command.
3. Enter y at the cfgload attributes prompt.
4.
Using OpenSSH RSA, DSA, and ECDSA, the authentication protocols are based on a pair of specially generated cryptographic keys, called the private key and the public key. The advantage of using these key-based authentication systems is that in many cases, it is possible to establish secure connections without having to depend on passwords for security. RSA and ECDSA asynchronous algorithms are FIPS-compliant.
Configuring outgoing SSH authentication

After the allowed-user is configured, the remaining setup steps must be completed by the allowed-user. Use the following procedure to configure outgoing SSH authentication.

1. Log in to the switch as the default admin.
2. Change the allowed-user’s permissions to admin, if applicable.
You will be prompted to enter the name of the user whose public keys you want to delete. Enter all to delete public keys for all users.

For more information on IP filter policies, refer to Configuring Security Policies on page 215.

Deleting private keys on the switch

Use the following procedure to delete private keys from the switch.

1. Log in to the switch as the allowed-user.
2. Use the sshUtil delprivkey command to delete the private key.
Group | Option
FIPS | Enable, Zeroize, selfTests

∙ The version must be specified to identify the version type.
∙ If an option is mentioned multiple times, the last value is considered.
∙ Lines starting with /* are considered to be comments and must be terminated with */
∙ Configuration upload/download does not include these template files. You must use the commands to import, export, apply, and delete templates.

Use the following commands to manage the template files:

1.
     * Group : SSH
     * Rules : Comma Separated
     * Example : aes128-ctr,aes192-ctr -> Note, no space before and after comma.
     * Group : HTTPS
     * Rules : Textual openssl cipherlist (colan,comma and space separated)
     * Example: ALL:-MD5:!PSK
     * Valid options: Ciphers
     */
    [HTTPS]
    Ciphers:!ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM:!SSLv3

Default_fips

FIPS template has the ciphers that are certified for Brocade products.
Default_cc

    /************************************************************************
     * Brocade - Common Criteria (CC) Template for Security Crypto Configuration
     *
     * Desc:
     *
     * Default values for security crypto configurations for CC compliance
     *
     *************************************************************************/
    [Ver] 0.1
    /*
     * Group : SSH
     * Rules : Comma Separated
     * Example : aes128-ctr,aes192-ctr -> Note, no space before and after comma.
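A parser for the template rules listed above (mandatory version, /* ... */ comments, last mention of an option wins), with a check that reports which exclusions from the HTTPS Ciphers line shown earlier a site template no longer carries. This is an added Python example, not Brocade code; the function names and SITE_TEMPLATE are hypothetical and the sample is constructed.

```python
"""Parse a Fabric OS crypto template and compare HTTPS cipher exclusions.

Added illustration, not Brocade code. It applies only the rules quoted in
this section; function names and SITE_TEMPLATE are hypothetical.
"""
import re


class TemplateError(ValueError):
    """Raised when the text breaks one of the template rules."""


def parse_template(text):
    """Return {group: {option: value}}; the [Ver] value is kept under "value"."""
    groups, current, in_comment = {}, None, False
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if in_comment:                         # still inside /* ... */
            in_comment = "*/" not in line
            continue
        if line.startswith("/*"):
            in_comment = "*/" not in line[2:]
            continue
        if not line:
            continue
        header = re.match(r"\[(\w+)\]\s*(.*)$", line)
        if header:
            current = header.group(1)
            groups.setdefault(current, {})
            if header.group(2):                # "[Ver] 0.1" on one line
                groups[current]["value"] = header.group(2)
            continue
        if current is None:
            raise TemplateError(f"line {number}: option outside a [group]")
        name, sep, value = line.partition(":")
        if not sep:
            if current == "Ver":               # version on the line after [Ver]
                groups["Ver"]["value"] = line
                continue
            raise TemplateError(f"line {number}: expected Option:value")
        groups[current][name.strip()] = value.strip()   # last mention wins
    if in_comment:
        raise TemplateError("comment opened with /* is never terminated with */")
    if not groups.get("Ver", {}).get("value"):
        raise TemplateError("the version must be specified")
    return groups


def exclusions(cipherlist):
    """Tokens an openssl cipherlist removes: '!' (permanent) or '-' prefix."""
    tokens = re.split(r"[:, ]+", cipherlist.strip())
    return {t[1:] for t in tokens if len(t) > 1 and t[0] in "!-"}


def dropped_exclusions(baseline, candidate):
    """Exclusions present in baseline but missing from candidate, sorted."""
    return sorted(exclusions(baseline) - exclusions(candidate))


# The HTTPS Ciphers line shown in this section.
PAGE_HTTPS = "!ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM:!SSLv3"

# Constructed sample: Ciphers appears twice, so only the second line counts.
SITE_TEMPLATE = """\
/*
 * constructed site template
 */
[Ver] 0.1
[HTTPS]
Ciphers:!ECDH:!DH:HIGH:-MD5:!SSLv3
Ciphers:HIGH:!PSK
"""


def review(text, baseline=PAGE_HTTPS):
    """Return (effective HTTPS Ciphers value, exclusions lost versus baseline)."""
    effective = parse_template(text)["HTTPS"]["Ciphers"]
    return effective, dropped_exclusions(baseline, effective)


if __name__ == "__main__":
    effective, dropped = review(SITE_TEMPLATE)
    print("effective Ciphers:", effective)
    print("exclusions lost versus the page's line:", ", ".join(dropped))
```

The duplicate-option case is the one worth reviewing by hand: an edit appended at the end of a group silently replaces a stricter line above it.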
Secure Sockets Layer protocol

Secure Sockets Layer (SSL) protocol provides secure access to a fabric through web-based management tools such as Web Tools. SSL support is a standard Fabric OS feature. Switches configured for SSL grant access to management tools through Hypertext Transfer Protocol over SSL links (which begin with https://) instead of standard links (which begin with http://).
You can request a certificate from a CA through a web browser. After you request a certificate, the CA either sends certificate files by e-mail (public) or gives access to them on a remote host (private).
5. On each switch, install the certificate. Once the certificate is loaded on the switch, HTTPS starts automatically.
6. If necessary, install the root certificate to the browser on the management workstation.
7.
Your CA may require specific codes for Country, State or Province, Locality, Organization, and Organizational Unit names. Make sure that your spelling is correct and matches the CA requirements. If the CA requires that the Common Name be specified as an FQDN, make sure that the fully qualified domain name is set on the domain name switch/director. The IP address or FQDN is the switch where the certificate gets installed.
4. Enter the secCertUtil showcsr command. The contents of the CSR are displayed.
5. Locate the section that begins with "BEGIN CERTIFICATE REQUEST" and ends with "END CERTIFICATE REQUEST".
6. Copy and paste this section (including the BEGIN and END lines) into the area provided in the request form; then, follow the instructions to complete and send the request.

It may take several days to receive the certificates. If the certificates arrive by e-mail, save them to an FTP server.
Example of installing a common certificate in non-interactive mode

    switch:admin> seccertutil import -commonswcert -config swcert -enable https -protocol scp -ipaddr 192.10.11.12 -remotedir path_to_remote_directory -login cert -certname 192.1.2.3.
∙ If the certificate is listed, you do not need to install it. You can skip the rest of this procedure.
∙ If the certificate is not listed, click Import.
5. Browse to the certificate location and select the certificate. For example, select nameRoot.crt.
6. Click Open and follow the instructions to import the certificate.

Root certificates for the Java plugin

For information on Java requirements, refer to Browser and Java support on page 195.
SNMP Manager

The SNMP Manager can communicate to the devices within a network using the SNMP protocol. Typically, SNMP Managers are network management systems (NMS) that manage networks by monitoring the network parameters, and optionally, setting parameters in managed devices. Normally, the SNMP Manager sends read requests to the devices that host the SNMP Agent, to which the SNMP Agent responds with the requested data.
FIGURE 11 SNMP query

The management station can also receive traps, unsolicited messages from the switch agent if an unusual event occurs.

FIGURE 12 SNMP trap

The agent can receive queries from one or more management stations and can send traps to up to six management stations.

Configuring SNMP using CLI

For information about Fabric OS commands for configuring SNMP, refer to the Fabric OS Command Reference.
TABLE 33 Security level options (continued)

Security level | Protocol | Query behavior | Traps
Authentication only [1] (authNoPriv) | SNMPv1 | Allowed. | Sent.
 | SNMPv3 | All SNMPv3 users allowed except noAuthNoPriv users. | Sent for all SNMPv3 users except noAuthNoPriv users.
Authentication and Privacy [2] (authPriv) | SNMPv1 | Not allowed. | Not Sent.
 | SNMPv3 | Only SNMPv3 users with authPriv privilege are allowed. | Sent only for authPriv users.
No Access [3] | SNMPv1 | Not allowed.
    New Auth Passwd:
    Priv Protocol [DES(1)/noPriv(2)/AES128(3)/AES256(4)]): (1..4) [3]
    New Priv Passwd:
    Engine ID: [80:00:05:23:01:ac:1a:1a:ac]
    User (rw): [passpass]
    Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..3) [1]
    New Auth Passwd:
    Priv Protocol [DES(1)/noPriv(2)/AES128(3)/AES256(4)]): (1..4) [4]
    New Priv Passwd:
    Engine ID: [80:00:05:23:01:ac:1a:1a:ac]
    User (rw): [snmpadmin3] password1
    Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..
    SNMPv3 USM configuration:
    User 1 (rw): password
        Auth Protocol: MD5
        Priv Protocol: AES128
        Engine ID: 80:00:05:23:01:ac:1a:1a:ac
    User 2 (rw): passpass
        Auth Protocol: MD5
        Priv Protocol: AES256
        Engine ID: 80:00:05:23:01:ac:1a:1a:ac
    User 3 (rw): password1
        Auth Protocol: MD5
        Priv Protocol: AES128
        Engine ID: 80:00:05:23:01:ac:1a:1a:ac
    User 4 (ro): snmpuser1
        Auth Protocol: MD5
        Priv Protocol: AES128
        Engine ID: 00:00:00:00:00:00:00:00:00
    User 5 (ro): snmpuser2
        Auth Protocol: SHA
        Priv Protocol:
    Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..3) [1]
    New Auth Passwd:
    Priv Protocol [DES(1)/noPriv(2)/AES128(3)/AES256(4)]):
    New Priv Passwd:
    Engine ID: [80:00:05:23:01:ac:1a:1a:ac]
    User (ro): [snmpuser1]
    Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..3) [1]
    New Auth Passwd:
    Priv Protocol [DES(1)/noPriv(2)/AES128(3)/AES256(4)]):
    New Priv Passwd:
    Engine ID: [00:00:00:00:00:00:00:00:00]
    User (ro): [snmpuser2]
    Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..
    Trap User: password
    Trap recipient Severity level: 4
    Notify Type: INFORM(2)
    Trap Entry 2: HCL0389U.corp.brocade.com
    Trap Port: 1000
    Trap User: password
    Trap recipient Severity level: 5
    Notify Type: TRAP(1)
    Trap Entry 3: 172.26.26.
To send all traps to the recipient 10.35.52.33:

    switch:admin> snmpTraps --send -ip_address 10.35.52.33
    Number of traps sent : 30

To send the sw-fc-port-scn trap to the configured recipients:

    switch:admin> snmpTraps --send -trap_name sw-fc-port-scn
    Number of traps sent : 1

To send the sw-fc-port-scn trap to the recipient 10.35.52.33:

    switch:admin> snmpTraps --send -trap_name sw-fc-port-scn -ip_address 10.35.52.
    swDeviceStatusTrap: NO
    swZoneConfigChangeTrap: NO
    (output truncated)

To enable the SW-MIB only without changing the current trap configuration:

    switch:admin> snmpconfig --enable mibCapability -mib_name SW-MIB
    Operation succeeded
    switch:admin> snmpconfig --show mibCapability
    [...
    FA-TRAP: YES
    FICON-TRAP: YES
    HA-TRAP: YES
    IF-TRAP: YES
    BD-TRAP: YES
    MAPS-TRAP: YES
    DesiredSeverity:None
    swIPv6ChangeTrap: YES
    swPmgrEventTrap: YES
    swFabricReconfigTrap: YES
    swFabricSegmentTrap: YES
    swExtTrap: NO
    swStateChangeTrap: NO
    swPortMoveTrap: NO
    swBrcdGenericTrap: YES
    swDeviceStatusTrap: YES
    swZoneConfigChangeTrap: NO
    connUnitStatusChange: YES
    connUnitEventTrap: YES
    connUnitPortStatusChange: YES
    linkRNIDDeviceRegistration: YES
    linkRNIDDeviceDeRegistration: YES
    linkLIRRListe
    GET security level = 0, SET level = 3
    SNMP GET Security Level: No security
    SNMP SET Security Level: No Access

4. Set audit interval.

    switch:admin> snmpconfig --set auditinterval -interval 31
    Committing configuration.....done.
    Spike-7800:FID128:root> snmpconfig --show auditInterval
    SNMP Audit Interval (in min): 31

Set to the default audit interval.
4. Verify the new policy exists by entering the ipFilter --show command.

    switch:admin> ipfilter --show

5. Add a rule to the policy, by entering the ipFilter --addrule command.

    switch:admin> ipfilter --addrule BlockTelnet -rule 1 -sip any -dp 23 -proto tcp -act deny

ATTENTION
The rule number assigned must precede the default rule number for this protocol. For example, in the defined policy, the Telnet rule number is 2.
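Why the deny rule has to sit ahead of the existing Telnet permit rule, shown with an added Python model of rule ordering plus a check for rules that can never match. It is not Fabric OS code: it assumes rules are tried in ascending rule number with the first match deciding, that adding a rule at an occupied number shifts later rules down, and that unmatched traffic is dropped; POLICY is a constructed sample and every name is hypothetical.

```python
"""First-match evaluation of an IP Filter policy and a shadowed-rule check.

Added illustration, not Fabric OS code. Assumptions: rules are tried in
ascending rule number and the first match decides; adding a rule at an
occupied number shifts later rules down; unmatched traffic is dropped.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    sip: str      # source IP address, or "any"
    dport: int    # destination port
    proto: str    # "tcp" or "udp"
    action: str   # "permit" or "deny"


def covers(earlier, later):
    """True when everything 'later' matches is already matched by 'earlier'."""
    return (earlier.proto == later.proto and earlier.dport == later.dport
            and earlier.sip in ("any", later.sip))


def add_rule(policy, number, rule):
    """Return a new policy with 'rule' at 1-based 'number'."""
    if not 1 <= number <= len(policy) + 1:
        raise ValueError("rule number out of range")
    return policy[:number - 1] + [rule] + policy[number - 1:]


def evaluate(policy, sip, dport, proto):
    """Return (action, deciding rule number) for one connection attempt."""
    probe = Rule(sip, dport, proto, "")
    for number, rule in enumerate(policy, 1):
        if covers(rule, probe):
            return rule.action, number
    return "deny", None          # assumed default when nothing matches


def shadowed(policy):
    """List (rule number, number of the earlier rule that hides it)."""
    found = []
    for later_no, later in enumerate(policy, 1):
        for earlier_no, earlier in enumerate(policy[:later_no - 1], 1):
            if covers(earlier, later):
                found.append((later_no, earlier_no))
                break
    return found


# Constructed sample policy in which the Telnet permit rule is rule 2.
POLICY = [
    Rule("any", 22, "tcp", "permit"),
    Rule("any", 23, "tcp", "permit"),
    Rule("any", 80, "tcp", "permit"),
]
# The rule from: ipfilter --addrule BlockTelnet -rule 1 -sip any -dp 23 -proto tcp -act deny
DENY_TELNET = Rule("any", 23, "tcp", "deny")


if __name__ == "__main__":
    for label, number in (("deny added as rule 4", 4), ("deny added as rule 1", 1)):
        policy = add_rule(POLICY, number, DENY_TELNET)
        action, decided_by = evaluate(policy, "10.0.0.5", 23, "tcp")
        print(f"{label}: telnet -> {action} (rule {decided_by}); "
              f"shadowed rules: {shadowed(policy)}")
```

Running the shadow check against a saved rule list before activation catches a deny rule that was appended after the permit rule it was meant to override.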
1. Connect to the switch through a serial port or SSH and log in as admin.
2. Enter the ipfilter --delete command.
   Refer to Deleting a rule from an IP Filter policy on page 241 for more information on deleting IP filter rules.
3. To permanently delete the policy, type the ipfilter --save command.

ATTENTION
If you deleted the rule to permit Telnet, you must add a rule to permit Telnet.
Port configuration

The following table provides information on ports that the switch uses. When configuring the switch for various policies, take into consideration firewalls and other devices that may sit between switches in the fabric and your network or between the managers and the switch.

TABLE 37 Port information

Port | Type | Common use
22 | TCP | SSH, SCP
23 | TCP | Telnet | Use the ipfilter command to block the port.
80 | TCP | HTTP | Use the ipfilter command to block the port.
Configuring Security Policies

∙ ACL policies overview
∙ ACL policy management
∙ FCS policies
Policy members

The FCS, DCC and SCC policy members are specified by device port WWN, switch WWN, domain IDs, or switch names, depending on the policy. The valid methods for specifying policy members are listed in Table 38.
Activating ACL policy changes

You can implement changes to the ACL policies using the secPolicyActivate command. This saves the changes to the active policy set and activates all policy changes since the last time the command was issued. You cannot activate policies on an individual basis; all changes to the entire policy set are activated by the command.
Removing a member from an ACL policy

As soon as a policy has been activated, the aspect of the fabric managed by that policy is enforced.

1. Connect to the switch and log in using an account with admin permissions, or an account with OM permissions for the Security RBAC class of commands.
2. Enter the secPolicyRemove command.
3. To implement the change immediately, enter the secPolicyActivate command.
TABLE 39 FCS policy states (continued)

Policy state | Characteristics
Active policy with multiple entries | A Primary FCS switch and one or more backup FCS switches are designated. If the Primary FCS switch becomes unavailable, the next switch in the list becomes the Primary FCS switch.

FCS policy restrictions

The backup FCS switches normally cannot modify the policy.
Ensuring fabric domains share policies

Whether your intention is to create new FCS policies or manage your current FCS policies, you must follow certain steps to ensure the domains throughout your fabric have the same policy. The local-switch WWN cannot be deleted from the FCS policy.

1. Create the FCS policy using the secPolicyCreate command.
2. Activate the policy using the secPolicyActivate command.
The following example moves a backup FCS switch from position 2 to position 3 in the FCS list, using interactive mode:

    primaryfcs:admin> secpolicyfcsmove
    Pos  Primary  WWN                      DId  swName.
    =================================================
    1    Yes      10:00:00:60:69:10:02:18  1    switch5.
    2    No       10:00:00:60:69:00:00:5a  2    switch60.
    3    No       10:00:00:60:69:00:00:13  3    switch73.
    Please enter position you’d like to move from : (1..3) [1] 2
    Please enter position you’d like to move to : (1..
TABLE 41 Distribution policy states (continued)

Fabric OS | State
v6.2.0 and later | configured to reject | Target switch explicitly rejects the distribution and the operation fails. The entire transaction is aborted and no fabric state change occurs.

Device Connection Control policies

Multiple Device Connection Control (DCC) policies can be used to restrict which device ports can connect to which switch ports.
∙ DCC policies cannot manage or restrict iSCSI connections, that is, an FC Initiator connection from an iSCSI gateway.
∙ You cannot manage proxy devices with DCC policies. Proxy devices are always granted full access, even if the DCC policy has an entry that restricts or limits access of a proxy device.

Creating a DCC policy

DCC policies must follow the naming convention "DCC_POLICY_nnn", where nnn represents a unique string.
Examples of creating DCC policies

To create the DCC policy "DCC_POLICY_server" that includes device 11:22:33:44:55:66:77:aa and port 1 and port 3 of switch domain 1:

    switch:admin> secpolicycreate "DCC_POLICY_server","11:22:33:44:55:66:77:aa;1(1,3)"
    DCC_POLICY_server has been created

To create the DCC policy "DCC_POLICY_storage" that includes device port WWN 22:33:44:55:66:77:11:bb, all ports of switch domain 2, and all currently connected devices of switch domain 2:

    switch:ad
TABLE 43 DCC policy behavior with FA-PWWN when created using lockdown support

Configuration
∙ FA-PWWN has logged into the switch
∙ DCC policy creation with lock down (uses FAPWWN).
∙ DCC policy activation.
∙ DCC policy creation with lockdown (uses physical PWWN).
∙ FA-PWWN has logged into the switch
∙ DCC policy activation.
TABLE 44 DCC policy behavior when created manually with PWWN (continued)

Configuration ∙ WWN seen on DCC policy list Behavior when DCC policy activates Behavior on portDisable and portEnable FA-PWWN has logged into the switch.

SCC Policies

The switch connection control (SCC) policy is used to restrict which switches can join the fabric. Switches are checked against the policy each time an E_Port-to-E_Port connection is made.
Authentication policy for fabric elements

By default, Fabric OS v6.2.0 and later use Diffie Hellman - Challenge Handshake Authentication Protocol (DH-CHAP) or Fibre Channel Authentication Protocol (FCAP) for authentication. These protocols use shared secrets and digital certificates, based on switch WWN and public key infrastructure (PKI) technology, to authenticate switches.
If you use DH-CHAP authentication, then a secret key pair must be installed only in connected fabric elements. However, as connections are changed, new secret key pairs must be installed between newly connected elements. Alternatively, a secret key pair for all possible connections may be initially installed, enabling links to be arbitrarily changed while still maintaining a valid secret key pair for any new connection.
Example of configuring E_Port authentication
The following example shows how to enable Virtual Fabrics and configure the E_Ports to perform authentication using the AUTH policies authUtil command.

switch:admin> fosconfig --enable vf
WARNING: This is a disruptive operation that requires a reboot to take effect.
All EX ports will be disabled upon reboot.
Configuring Security Policies Device authentication policy Device authentication policy can also be categorized as an F_Port, node port, or an HBA authentication policy. Fabric-wide distribution of the device authentication policy is not supported because the device authentication requires manual interaction in setting the HBA shared secrets and switch shared secrets, and most of the HBAs do not support the defined DH groups for use in the DH-CHAP protocol.
Configuring Security Policies ∙ Private loop devices ∙ Mixed public and private devices in loop ∙ NPIV devices ∙ FICON channels ∙ Configupload and download will not be supported for the following AUTH attributes: auth type, hash type, group type. NOTE For information about how to use authentication with Access Gateway, refer to the Access Gateway Administrator's Guide.
Configuring Security Policies NOTE When you set the authentication protocol to FCAP, ensure that the certificates are present at both ends. NOTE If you set the authentication protocol to DH-CHAP or FCAP, have not configured shared secrets or certificates, and authentication is checked (for example, you enable the switch), then switch authentication will fail. If the E_Port is to carry in-flight encrypted traffic, the authentication protocol must be set to DH-CHAP.
Note about Access Gateway switches
Because Domain ID and name are not supported for Access Gateway, secAuthSecret --show output for Access Gateway appears as follows:

WWN                      DId  Name
-----------------------------------------------
10:00:8C:7C:FF:03:9E:00  -1   Unknown
10:00:8C:7C:FF:03:9E:01  -1   Unknown
10:00:8C:7C:FF:0D:AF:01  -1   Unknown

When setting and removing the secret for a switch or device on Access Gateway, only the WWN can be used.

Setting a secret key pair
1.
Configuring Security Policies 3. Store the CSR from each switch on a file server. 4. Obtain the certificates from the CA. You can request a certificate from a CA through a Web browser. After you request a certificate, the CA either sends certificate files by e-mail (public) or gives access to them on a remote host (private). Typically, the CA provides the certificate files listed in the following table. ATTENTION Only the .pem file is supported for FCAP authentication.
Configuring Security Policies Importing CA for FCAP Once you receive the files back from the Certificate Authority, you will need to install or import them onto the local and remote switches. 1. Log in to the switch using an account with admin permissions, or an account associated with the chassis role and having OM permissions for the PKI RBAC class of commands. 2. Enter the secCertUtil import -fcapcacert command and verify the CA certificates are consistent on both local and remote switches.
Configuring Security Policies Fabric-wide distribution of the authorization policy The AUTH policy can be manually distributed to the fabric by command; there is no support for automatic distribution. To distribute the AUTH policy, see Distributing the local ACL policies on page 244 for instructions.
Configuring Security Policies 1. Log in to the switch using an account with admin permissions, or an account associated with the chassis role and having OM permissions for the IPfilter RBAC class of commands. 2. Enter the ipFilter --clone command. Displaying an IP Filter policy You can display the IP Filter policy content for the specified policy name, or all IP Filter policies if a policy name is not specified.
Configuring Security Policies 3. To permanently delete the policy, enter the ipfilter --save command. IP Filter policy rules An IP Filter policy consists of a set of rules. Each rule has an index number identifying the rule. There can be a maximum of 256 rules within an IP Filter policy. Each rule contains the following elements: ∙ Source Address: A source IP address or a group prefix. ∙ Destination Port: The destination port number or name, such as: Telnet, SSH, HTTP, HTTPS.
TABLE 46 Supported services (continued)

Service name   Port number
ssh            22
telnet         23
smtp           25
time           27
name           42
whois          43
domain         53
bootps         67
bootpc         68
tftp           69
http           80
kerberos       88
hostnames      101
sftp           115
ntp            123
snmp           161
snmp trap      162
https          443
ssmtp          465
exec           512
login          513
shell          514
uucp           540
biff           512
who            513
syslog         514
route          520
timed          525
kerberos4      750

Protocol
TCP and UDP protocols are valid protocol selections.
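The following Python check is an added example, not part of the Brocade guide: it validates a proposed IP Filter rule list against the constraints stated above (an index per rule, at most 256 rules, TCP or UDP only, a source address or prefix) and resolves service names to the port numbers in Table 46. The rule dictionary layout, the function names, and the sample rules are assumptions made for illustration.

```python
import ipaddress

# Subset of the service-name-to-port mappings listed in Table 46.
SERVICE_PORTS = {
    "ssh": 22, "telnet": 23, "http": 80, "sftp": 115,
    "ntp": 123, "snmp": 161, "https": 443, "syslog": 514,
}
MAX_RULES = 256                    # stated maximum per IP Filter policy
VALID_PROTOCOLS = {"tcp", "udp"}   # the only valid protocol selections


def resolve_port(value):
    """Return a numeric destination port for a number or a Table 46 name."""
    text = str(value).strip().lower()
    if text in SERVICE_PORTS:
        return SERVICE_PORTS[text]
    if text.isdigit() and 1 <= int(text) <= 65535:
        return int(text)
    raise ValueError(f"unknown service name or invalid port {value!r}")


def validate_policy(rules):
    """Check a proposed rule list and return (normalized_rules, errors).

    Each rule is a dict with the keys index, source, dport and proto
    (a layout assumed for this example). A rule with no problems is
    returned as the tuple (index, source_prefix, protocol, port).
    """
    errors, normalized, seen = [], [], set()
    if len(rules) > MAX_RULES:
        errors.append(f"policy has {len(rules)} rules; the maximum is {MAX_RULES}")
    for rule in rules:
        index = rule.get("index")
        problems = []
        if not isinstance(index, int) or not 1 <= index <= MAX_RULES:
            problems.append("index must be an integer from 1 to 256")
        elif index in seen:
            problems.append("index is already used by an earlier rule")
        else:
            seen.add(index)
        source = None
        try:
            # Accepts a single address or a prefix; host bits are tolerated.
            source = str(ipaddress.ip_network(str(rule.get("source")), strict=False))
        except ValueError:
            problems.append(f"source {rule.get('source')!r} is not an address or prefix")
        port = None
        try:
            port = resolve_port(rule.get("dport"))
        except ValueError as exc:
            problems.append(str(exc))
        proto = str(rule.get("proto", "")).lower()
        if proto not in VALID_PROTOCOLS:
            problems.append(f"protocol {proto!r} is not tcp or udp")
        if problems:
            errors.extend(f"rule {index}: {p}" for p in problems)
        else:
            normalized.append((index, source, proto, port))
    return normalized, errors


# Constructed sample input: two well-formed rules and three defective ones.
SAMPLE_RULES = [
    {"index": 1, "source": "10.1.2.0/24", "dport": "ssh", "proto": "tcp"},
    {"index": 2, "source": "10.1.2.3", "dport": "https", "proto": "TCP"},
    {"index": 2, "source": "10.1.2.3", "dport": "snmp", "proto": "udp"},
    {"index": 4, "source": "10.1.2.3", "dport": "telnet", "proto": "icmp"},
    {"index": 300, "source": "not-an-ip", "dport": "gopher", "proto": "tcp"},
]

if __name__ == "__main__":
    ok, bad = validate_policy(SAMPLE_RULES)
    for entry in ok:
        print("valid:", entry)
    for message in bad:
        print("error:", message)
```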
Configuring Security Policies The FORWARD traffic type allows management of bidirectional traffic between the external management interface and the inband management interface. In this case, the destination IP element should also be specified. Implicit filter rules For every IP Filter policy, the two rules listed in Table 47 are always assumed to be appended implicitly to the end of the policy.
Configuring Security Policies NOTE If a switch is part of a LAN behind a Network Address Translation (NAT) server, depending on the NAT server configuration, the source address in an IP Filter rule may have to be the NAT server address. Adding a rule to an IP Filter policy There can be a maximum of 256 rules created for an IP Filter policy. The change to the specified IP Filter policy is not saved to the persistent configuration until a save or activate subcommand is run. 1.
Configuring Security Policies Policy database distribution Fabric OS lets you manage and enforce the ACL policy database on either a per-switch or fabric-wide basis. The local switch distribution setting and the fabric-wide consistency policy affect the switch ACL policy database and related distribution behavior.
Configuring Security Policies NOTE Starting with Fabric OS 7.3.0, Access Gateways are capable of receiving the password database distributed by native switches and domains. However, the Access Gateways are not capable of distributing the password database to the switches or domains. Database distribution settings The distribution settings control whether a switch accepts or rejects distributions of databases from other switches and whether the switch may initiate a distribution.
Configuring Security Policies Disabling local switch protection 1. Connect to the switch and log in using an account with admin permissions, or an account with OM permissions for the FabricDistribution RBAC class of commands. 2. Enter the fddCfg --localaccept command. ACL policy distribution to other switches This section explains how to manually distribute local ACL policy databases. The distribute command has the following dependencies: ∙ All target switches must be running Fabric OS v6.2.
TABLE 51 Fabric-wide consistency policy settings (continued)

Setting | Value | When a policy is activated
Tolerant | database_id | All updated and new policies of the type specified (SCC, DCC, FCS, or any combination) are distributed to all Fabric OS v6.2.0 and later switches in the fabric.
Strict | database_id:S | All updated and new policies of the type specified (SCC, DCC, FCS, or any combination) are distributed to all switches in the fabric.
Configuring Security Policies The enforcement of fabric-wide consistency policy involves comparison of the Active policy set. If the ACL polices match, the switch joins the fabric successfully. If the ACL policies are absent either on the switch or on the fabric, the switch joins the fabric successfully, and the ACL policies are copied automatically from where they are present to where they are absent.
Configuring Security Policies Table 53 shows merges that are not supported. TABLE 53 Examples of strict fabric merges Fabric-wide consistency policy setting Strict/Tolerant Strict/Absent Expected behavior Fabric A Fabric B SCC:S;DCC:S SCC;DCC:S SCC;DCC:S SCC:S;DCC SCC:S;DCC SCC:S Ports connecting switches are disabled. SCC:S;DCC:S SCC:S DCC:S Strict/Strict SCC:S DCC:S Table 54 has a matrix of merging fabrics with tolerant and absent policies.
Configuring Security Policies Using the ipSecConfig command, you must configure multiple security policies for traffic flows on the Ethernet management interfaces based on IPv4 or IPv6 addresses, a range of IPv4 or IPv6 addresses, the type of application, port numbers, and protocols used (UDP/TCP/ICMP). You must specify the transforms and processing choices for the traffic flow (drop, protect or bypass). Also, you must select and configure the key management protocol using an automatic or manual key.
Configuring Security Policies FIGURE 15 Gateway tunnel configuration Endpoint-to-gateway tunnel In this scenario, a protected endpoint (typically a portable computer) connects back to its corporate network through an IPsec-protected tunnel. It might use this tunnel only to access information on the corporate network, or it might tunnel all of its traffic back through the corporate network in order to take advantage of protection provided by a corporate firewall against Internet-based attacks.
Configuring Security Policies IPsec protocols protect IP datagram integrity using hash message authentication codes (HMAC). Using hash algorithms with the contents of the IP datagram and a secret key, the IPsec protocols generate this HMAC and add it to the protocol header. The receiver must have access to the secret key in order to decode the hash.
TABLE 55 Algorithms and associated authentication policies (continued)

NOTE The MD5 hash algorithm is blocked when FIPS mode is enabled.

Algorithm | Encryption Level | Policy | Description
3des_cbc | 168-bit | ESP | Triple DES is a more secure variant of DES. It uses three different 56-bit keys to encrypt blocks of 64-bit plain text. The algorithm is FIPS-approved for use by Federal agencies.
blowfish_cbc | 64-bit | ESP | Blowfish is a 32-bit to 448-bit keyed, symmetric block cipher.
Configuring Security Policies Key management The IPsec key management supports Internet Key Exchange or Manual key/SA entry. The Internet Key Exchange (IKE) protocol handles key management automatically. SAs require keying material for authentication and encryption. The managing of keying material that SAs require is called key management . The IKE protocol secures communication by authenticating peers and exchanging keys. It also creates the SAs and stores them in the SADB.
If you are using CA signed keys, you must generate them prior to setting up your tunnels.
3. Enable IPsec.
   a) Connect to the switch and log in using an account with admin permissions, or an account associated with the chassis role and having OM permissions for the IPsec RBAC class of commands.
   b) Enter the ipSecConfig --enable command to enable IPsec on the switch.
4. Create an IPsec SA policy on each side of the tunnel using the ipSecConfig --add command.
the packet, and "remote" is the destination IP address. Hence inbound packets have opposite source and destination addresses than outbound packets.
10. Verify traffic is protected.
   a) Initiate a telnet, SSH, or ping session from the two switches.
   b) Verify that IP traffic is encapsulated.
-prf hmac_md5 -auth psk -dh modp1024 -psk ipseckey.psk

NOTE The IKE version ('-v' option) must be set to 1 (IKEv1) if the remote peer is a Windows XP or 2000 host, because Windows XP and 2000 do not support IKEv2.

8. Create an IPsec transform named TRANSFORM01 to use transport mode to protect traffic identified for IPsec protection and use IKE01 as key management policy.
Maintaining the Switch Configuration File
∙ Configuration settings, page 257
∙ Configuration file backup
-map   Uploads the port-to-area addressing mode configuration files. This command should be used in a FICON environment before replacing both the CP blades.
-vf    Uploads the virtual fabric data.

Configuration file format
The configuration file is divided into three areas: the header, the chassis section, and one or more logical-switch sections.

Chassis section
There is only one chassis section within a configuration.
Maintaining the Switch Configuration File ∙ iSCSI ∙ CryptoDev ∙ FICU saved files ∙ VS_SW_CONF ∙ MAPS configuration ∙ Banner Configuration file backup Brocade recommends keeping a backup configuration file. You should keep individual backup files for all switches in the fabric and avoid copying configurations from one switch to another. The configUpload command, by default, only uploads the switch context configuration for the logical switch context in which the command is executed.
A list of some of the more commonly used special characters and their alternate meaning is as follows:
∙ & is used to put a command in background/batch mode.
∙ ! is used to recall the last invocation of the command matching the pattern that follows the character.
∙ | is used to pipe output to the command that follows the character.
∙ ; is used to concatenate multiple bash commands.
∙ * is used to represent a wildcard character.
To verify using the quotes around the \! for password aaa!01, resulting in different password pattern:

switch:admin> echo 'aaa!01'
aaa!01

Uploading a configuration file in interactive mode
1. Verify that the FTP, SFTP, or SCP service is running on the host computer.
2. Connect to the switch and log in using an account with admin permissions.
3. Enter the configUpload command. The command becomes interactive and you are prompted for the required information.
Maintaining the Switch Configuration File Option Restrictions NOTE Brocade recommends you disable a switch before downloading a configuration file. If you plan to download a configuration file while the switch is enabled, refer to Configuration download without disabling a switch on page 263. -fid FID -sfid FID The FID must be defined on the switch and the source FID must be defined in the downloaded configuration file.
Maintaining the Switch Configuration File Configuration download without disabling a switch You can download configuration files to a switch while the switch is enabled; that is, you do not need to disable the switch for changes in SNMP, MAPS, Fabric Watch, or ACL parameters. However, if there is any changed parameter that does not belong to SNMP, MAPS, or ACL, then you must disable the switch. When you use the configDownload command, you are prompted to disable the switch only when necessary .
Example of a non-interactive download of all configurations (chassis and switches)

configdownload -a -ftp 10.1.2.3,UserFoo,/pub/configurations/config.txt,password

Configurations across a fabric
To save time when configuring fabric parameters and software features, you can save a configuration file from one switch and download it to other switches of the same model type.
2014/07/20-10:27:14, [CONF-1001], 226, SLOT 7 | FID 128, INFO, DCX_80, configUpload completed successfully for VF config parameters.

Example of configUpload on a logical switch configuration

Sprint5100:FID128:admin> configupload
Protocol (scp, ftp, sftp, local) [ftp]:
Server Name or IP Address [host]: 10.1.2.3
User Name [user]: UserFoo
Path/Filename [/config.txt]: 5100.
Maintaining the Switch Configuration File Restrictions The following restrictions apply when using the configUpload or configDownload commands when Virtual Fabrics mode is enabled: ∙ The -vf option is incompatible with the -fid, -sfid, or -all options. Any attempt to combine it with any of the other three will cause the configuration upload or download operation to fail. ∙ You are not allowed to modify the Virtual Fabrics configuration file after it has been uploaded.
Managing Virtual Fabrics
∙ Virtual Fabrics overview, page 267
∙ Logical switch overview
Managing Virtual Fabrics Logical switch overview Traditionally, each switch and all the ports in the switch act as a single Fibre Channel switch (FC switch) that participates in a single fabric. The logical switch feature allows you to divide a physical chassis into multiple fabric elements. Each of these fabric elements is referred to as a logical switch . Each logical switch functions as an independent self-contained FC switch. NOTE Each chassis can have multiple logical switches.
Managing Virtual Fabrics After you enable Virtual Fabrics, you can create up to seven additional logical switches, depending on the switch model. The following figure shows a Virtual Fabrics-enabled switch before and after it is divided into logical switches. Before you create logical switches, the chassis appears as a single switch (default logical switch). After you create logical switches, the chassis appears as multiple independent logical switches.
Managing Virtual Fabrics In the following figure, logical switches 2, 3, 4, and 5 are assigned FIDs of 1, 15, 8, and 20, respectively. These logical switches belong to different fabrics, even though they are in the same physical chassis. For example, you could not assign logical switch 5 a fabric ID of 15, because logical switch 3 is already assigned FID 15 in the chassis. The default logical switch is initially assigned FID 128. You can change this value later.
Managing Virtual Fabrics FIGURE 20 Assigning ports to logical switches A given port is always in one (and only one) logical switch. The following scenarios refer to the chassis after port assignment in Figure 20: ∙ If you assign P2 to logical switch 2, you cannot assign P2 to any other logical switch. ∙ If you want to remove a port from a logical switch, you cannot delete it from the logical switch, but must move it to a different logical switch.
Managing Virtual Fabrics You can move only F_Ports and E_Ports from one logical switch to another. If you want to configure a different type of port, such as a VE_Port or EX_Port, you must configure them after you move them. Some types of ports cannot be moved from the default logical switch. Refer to Supported platforms for Virtual Fabrics on page 281 for detailed information about these ports. Logical switches and connected devices You can connect devices to logical switches, as shown in Figure 21.
Managing Virtual Fabrics Figure 22 shows a logical representation of the physical chassis and devices in Figure 21. As shown in Figure 22, the devices are isolated into separate fabrics. FIGURE 22 Logical switches in a single chassis belong to separate fabrics Management model for logical switches The operations you can perform on a logical switch depend on the context you are in. Some operations affect only a single logical switch, and some operations affect the entire physical chassis.
Logical fabric overview
A logical fabric is a fabric that contains at least one logical switch. The four fabrics shown in Figure 21 on page 272 and Figure 22 on page 273 are logical fabrics because they each have at least one logical switch. You can connect logical switches to non-Virtual Fabrics switches and to other logical switches. You connect logical switches to non-Virtual Fabrics switches using an ISL, as shown in Figure 21 on page 272.
Managing Virtual Fabrics Figure 24 shows a logical representation of the configuration in Figure 23. FIGURE 24 Logical switches connected to form logical fabrics The ISLs between the logical switches are dedicated ISLs because they carry traffic only for a single logical fabric. In Figure 23, Fabric 128 has two switches (the default logical switches), but they cannot communicate with each other because they have no ISLs between them and they cannot use the ISLs between the other logical switches.
Managing Virtual Fabrics Figure 25 shows two physical chassis divided into logical switches. Each chassis has one base switch. An ISL connects the two base switches. This ISL is an extended ISL (XISL) because it connects base switches. FIGURE 25 Base switches connected by an XISL Traffic between the logical switches can now flow across this XISL. The traffic can flow only between logical switches with the same fabric ID.
Managing Virtual Fabrics FIGURE 26 Logical ISLs connecting logical switches To use the XISL, the logical switches must be configured to allow XISL use. By default, they are configured to do so; you can change this setting, however, using the procedure described in Configuring a logical switch for XISL use on page 292. NOTE It is a good practice to configure at least two XISLs, for redundancy. You can also connect logical switches using a combination of ISLs and XISLs, as shown in Figure 27.
Managing Virtual Fabrics FIGURE 27 Logical fabric using ISLs and XISLs By default, the physical ISL path is favored over the logical path (over the XISL) because the physical path has a lower cost. This behavior can be changed by configuring the cost of the dedicated physical ISL to match the cost of the logical ISL. ATTENTION If you disable a base switch, all of the logical ISLs are broken and the logical switches cannot communicate with each other unless they are connected by a physical ISL.
Managing Virtual Fabrics Most port commands are not supported on logical ports. For example, you cannot change the state or configuration of a logical port. However, state change on a logical link is permitted using the lfcfg --lislEnable command. The World Wide Name (WWN) for logical ports is in NAA=5 format, using the following syntax: 5n:nn:nn:nz:zz:zz:zx:xx The NAA=5 syntax uses the following variables: ∙ nnnnnn is the Brocade Organizationally Unique Identifier (OUI).
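As an added example (not from the Brocade guide), the following Python helper splits a WWN along the nibble boundaries of the 5n:nn:nn:nz:zz:zz:zx:xx syntax above, which is useful when reviewing WWN lists because the OUI in this format starts at the second nibble and so does not line up with the colon-separated bytes. The function names, the hypothetical OUI aa:bb:cc, and the sample WWNs are constructed for illustration; the z and x fields are returned uninterpreted.

```python
import re

# A 64-bit WWN written as eight colon-separated hex bytes.
_WWN_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){7}$")


def parse_naa5(wwn):
    """Split a WWN in 5n:nn:nn:nz:zz:zz:zx:xx form into its fields.

    Returns a dict with the NAA value, the six n nibbles formatted as an
    OUI, and the z (six nibbles) and x (three nibbles) fields as raw hex.
    Raises ValueError if the text is not a WWN or its first nibble is not 5.
    """
    text = wwn.strip().lower()
    if not _WWN_RE.match(text):
        raise ValueError(f"not a colon-separated 64-bit WWN: {wwn!r}")
    nibbles = text.replace(":", "")
    if nibbles[0] != "5":
        raise ValueError(f"first nibble is {nibbles[0]}, not NAA=5: {wwn!r}")
    oui = nibbles[1:7]
    return {
        "naa": 5,
        "oui": ":".join(oui[i:i + 2] for i in (0, 2, 4)),
        "z": nibbles[7:13],
        "x": nibbles[13:16],
    }


def find_naa5(wwns, oui):
    """Return (wwn, fields) for every NAA=5 WWN in wwns that carries oui.

    The oui argument may be written with or without colons. Entries that
    are malformed or use another NAA value are skipped.
    """
    wanted = oui.lower().replace(":", "")
    matches = []
    for wwn in wwns:
        try:
            fields = parse_naa5(wwn)
        except ValueError:
            continue
        if fields["oui"].replace(":", "") == wanted:
            matches.append((wwn, fields))
    return matches


# Constructed sample list; aa:bb:cc is a hypothetical OUI.
SAMPLE_WWNS = [
    "10:00:aa:bb:cc:03:9e:00",   # first nibble 1, not NAA=5
    "5A:AB:BC:C0:12:34:50:01",   # NAA=5, OUI aa:bb:cc
    "5a:ab:bc:c0:00:00:10:ff",   # NAA=5, OUI aa:bb:cc
    "5f:fe:ed:d0:12:34:50:01",   # NAA=5, different OUI
    "not-a-wwn",
]

if __name__ == "__main__":
    for wwn, fields in find_naa5(SAMPLE_WWNS, "aa:bb:cc"):
        print(wwn, fields)
```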
Use the following procedure to set up IP addresses for a logical switch:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the ipAddrSet -ls command.
   ∙ To add an IPv4 address, use the --add parameter. Specify the network information in dotted-decimal notation for the Ethernet IPv4 address with a Classless Inter-Domain Routing (CIDR) prefix.
   ∙ To delete an IPv4 address, use the --delete parameter.
3.
Password Expiration Date: Not Applicable (UTC)
Locked: No
Home LF Role: admin
Role-LF List: admin: 1-128
Chassis Role: admin
Home LF: 128
Day Time Access: N/A

Role-LF is the list of logical switch contexts for which you have permission to log in over the IPFC address. Home LF Role is the default logical switch context when you have no permission to log in to a particular logical switch context or over management interface.
Managing Virtual Fabrics ∙ The default logical switch can use XISLs, except on Brocade Backbone family devices. ∙ The default logical switch can also be a base switch except on Brocade 8510 Backbones and X6 Directors. For the Brocade 7840, the following rules apply: ∙ A base switch is supported on the Brocade 7840 starting with Fabric OS 7.4.0. ∙ XISL is supported on the Brocade 7840 starting with Fabric OS 7.4.0.
Managing Virtual Fabrics TABLE 60 Virtual Fabrics interaction with Fabric OS features Fabric OS feature Virtual Fabrics interaction Access Gateway Virtual Fabrics is not supported on a switch if AG mode is enabled. Configuration upload and download Virtual Fabrics uses a configuration file that is different from the configuration file used to download system configuration parameters.
Managing Virtual Fabrics Refer to Supported port configurations in Brocade Backbones and Directors on page 282 for restrictions on the default logical switch. If a blade slot is being decommissioned and has ports configured in logical switches, it is recommended that the logical port assignments be removed from that blade before removing the blade. This ensures a seamless transition for any new port or AP blade that might occupy that slot in the future.
1. Connect to the physical chassis and log in using an account with the chassis-role permission.
2. Use the fosConfig command to check whether VF mode is enabled:
   fosconfig --show
3. Use the fosConfig command to enable VF mode:
   fosconfig --enable vf
4. Enter y at the prompt.

The following example checks whether VF mode is enabled or disabled and then enables it.
The following example checks whether VF mode is enabled or disabled and then disables it.

switchA:FID128:admin> fosconfig --show
FC Routing service:       disabled
iSCSI service:            Service not supported on this Platform
iSNS client service:      Service not supported on this Platform
Virtual Fabric:           enabled
Ethernet Switch Service   Service not supported on this Platform

switch:admin> fosconfig --disable vf
WARNING: This is a disruptive operation that requires a reboot to take effect.
1. Connect to the physical chassis and log in using an account with the chassis-role permission.
2. Enter the lsCfg command to create a logical switch:
   lscfg --create fabricID [ -base ]
   In the command syntax, fabricID is the fabric ID that is to be associated with the logical switch. Specify the -base option if the logical switch is to be a base switch.
3. Set the context to the new logical switch.
Managing Virtual Fabrics Executing a command in a different logical switch context If you are in the context of a logical switch, you can execute a command for a different logical switch. You can also execute a command for all of the logical switches in a chassis. The command is not executed on those logical switches for which you do not have permission. 1. Connect to the physical chassis and log in using an account with the chassis-role permission. 2.
Managing Virtual Fabrics ∙ You cannot delete the default logical switch. NOTE If you are in the context of the logical switch you want to delete, you are automatically logged out when the fabric ID changes. To avoid being logged out, make sure you are in the context of a different logical switch from the one you are deleting. 1. Connect to the physical chassis and log in using an account with admin permissions. 2.
Example of assigning ports 18 through 20 to the logical switch with FID 5

NOTE On the Brocade DCX 8510-8, the lscfg command does not allow you to add ports 48-63 of the FC16-64 blade to the base switch. These ports are not supported on the base switch. The Brocade DCX 8510-4 does not have this limitation.

sw0:FID128:admin> lscfg --config 5 -port 18-20
This operation requires that the affected ports be disabled.
Would you like to continue [y/n]?: y
Making this configuration change.
Managing Virtual Fabrics NOTE If you are in the context of the logical switch with the fabric ID you want to change, you are automatically logged out when the fabric ID changes. To avoid being logged out, make sure you are in the context of a different logical switch from the one with the fabric ID you are changing. 1. Connect to the switch and log in using an account with admin permissions. 2.
Managing Virtual Fabrics Example of changing the logical switch with FID 7 to a base switch sw0:FID128:admin> setcontext 7 switch_25:FID7:admin> switchshow switchName: switch_25 switchType: 66.
Managing Virtual Fabrics 6. Enter y at the Allow XISL Use prompt to allow XISL use; enter n at the prompt to disallow XISL use: Allow XISL Use (yes, y, no, n): y 7. Respond to the remaining prompts or press Ctrl-d to accept the other settings and exit. Changing the context to a different logical fabric You can change the context to a different logical fabric. Your user account must have permission to access the logical fabric. 1.
Managing Virtual Fabrics FIGURE 28 Example of logical fabrics in multiple chassis and XISLs Use the following procedure to create a logical fabric using XISLs: 1. Set up the base switches in each chassis: a) Connect to the physical chassis and log in using an account with the chassis-role permission. b) Enable the Virtual Fabrics feature, if it is not already enabled. See Enabling Virtual Fabrics mode on page 284 for instructions.
Managing Virtual Fabrics For the example shown in Figure 28, you would create a logical switch with FID 1 and a logical switch with FID 15. c) Assign ports to the logical switch, as described in Adding and moving ports on a logical switch on page 289. d) Physically connect devices and ISLs to these ports on the logical switch. e) (Optional ) Configure the logical switch to use XISLs, if it is not already XISL-capable. See Configuring a logical switch for XISL use on page 292 for instructions.
Administering Advanced Zoning
∙ Zone types, page 297
∙ Zoning overview
Allow targets to create or activate peer zones. Refer to Target Driven Zoning on page 347 for more information.

Zoning overview
Zoning is a fabric-based service that enables you to partition your storage area network (SAN) into logical groups of devices that can access each other. For example, you can partition your SAN into two zones, “winzone” and “unixzone”, so that your Windows servers and storage do not interact with your UNIX servers and storage.
Administering Advanced Zoning Refer to Best practices for zoning on page 302 for additional information that should be kept in mind when working with zones. To list the commands associated with zoning, use the zoneHelp command. For detailed information on the zoning commands used in the procedures, refer to the Fabric OS Command Reference. Approaches to zoning Table 62 lists the various approaches you can take when implementing zoning in a fabric.
Administering Advanced Zoning TABLE 62 Approaches to fabric-based zoning (continued) Zoning approach Description unrestricted access to the fabric. This form of zoning should be utilized only in a small and tightly controlled environment, such as when hostbased zoning or LUN masking is deployed.
Administering Advanced Zoning Zone configurations A zone configuration is a group of one or more zones. A zone can be included in more than one zone configuration. When a zone configuration is in effect, all zones that are members of that configuration are in effect. Several zone configurations can reside on a switch at once, and you can quickly alternate between them. For example, you might want to have one configuration enabled during the business hours and another enabled overnight.
If a port is in multiple zones, and is defined by WWN in one zone and by D,I in another, then session-based hardware enforcement is in effect.
Identifying the enforced zone type
Use the following procedure to identify zones and zone types:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the portZoneShow command.
Considerations for zoning architecture
Table 63 lists considerations for zoning architecture.
∙ Zone using the core switch in preference to using an edge switch.
∙ Zone using a Backbone rather than a switch. A Backbone has more resources to handle zoning changes and implementations.
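The enforcement rule above (a port defined by WWN in one zone and by D,I in another falls back to session-based enforcement) can be checked offline against a saved cfgShow listing. The following Python sketch is an added example, not part of the Brocade guide or Fabric OS: it parses a Defined configuration, resolves aliases, and reports zones that mix WWN and D,I members and ports identified both ways in different zones. The sample listing, the WWN-to-port attachment map, and all function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

WWN_RE = re.compile(r"^(?:[0-9a-f]{2}:){7}[0-9a-f]{2}$", re.I)
DI_RE = re.compile(r"^\d+,\d+$")                      # Domain,Index member
OBJ_RE = re.compile(r"^\s*(cfg|zone|alias):\s*(\S+)\s*(.*)$")

# Constructed sample in the layout of a cfgShow "Defined configuration".
SAMPLE_CFGSHOW = """\
Defined configuration:
 cfg:   prod_cfg  host_a_zone; host_b_zone; backup_zone
 zone:  backup_zone
                tape1; 2,14
 zone:  host_a_zone
                host_a; array1
 zone:  host_b_zone
                10:00:00:00:00:00:00:0b; array1_port
 alias: array1  50:00:00:00:00:00:00:01
 alias: array1_port
                1,4
 alias: host_a  10:00:00:00:00:00:00:0a
 alias: tape1   50:00:00:00:00:00:00:02
Effective configuration:
 cfg:   prod_cfg
"""

# Constructed map of device WWN -> attached port (D,I). In practice this
# would come from the fabric's name server data (assumption).
SAMPLE_ATTACHMENTS = {
    "50:00:00:00:00:00:00:01": "1,4",
    "10:00:00:00:00:00:00:0a": "1,7",
}

def parse_defined(text):
    """Return {'cfg'|'zone'|'alias': {name: [members]}} for the defined config."""
    objs = {"cfg": {}, "zone": {}, "alias": {}}
    current, in_defined = None, False
    for line in text.splitlines():
        head = line.strip().lower()
        if head.startswith("defined configuration"):
            in_defined = True
            continue
        if head.startswith("effective configuration"):
            break
        if not in_defined or not head:
            continue
        m = OBJ_RE.match(line)
        if m:
            kind, name, rest = m.groups()
            current = objs[kind].setdefault(name, [])
        else:
            rest = line                                # wrapped member line
        if current is not None:
            current.extend(p.strip() for p in rest.split(";") if p.strip())
    return objs

def resolve(member, aliases):
    """Expand one zone member into (kind, value) tuples."""
    token = re.sub(r"\s+", "", member)
    if WWN_RE.match(token):
        return [("wwn", token.lower())]
    if DI_RE.match(token):
        return [("di", token)]
    if member in aliases:
        out = []
        for m in aliases[member]:
            out.extend(resolve(m, {}))                 # aliases hold WWN or D,I only
        return out
    return [("unresolved", member)]

def audit(text, attachments):
    objs = parse_defined(text)
    port_of = {w.lower(): p for w, p in attachments.items()}
    kinds, unresolved = {}, defaultdict(list)
    by_di, by_wwn = defaultdict(set), defaultdict(set)  # port -> zones
    for zone, members in objs["zone"].items():
        kinds[zone] = set()
        for member in members:
            for kind, value in resolve(member, objs["alias"]):
                if kind == "unresolved":
                    unresolved[zone].append(value)
                    continue
                kinds[zone].add(kind)
                if kind == "di":
                    by_di[value].add(zone)
                elif value in port_of:
                    by_wwn[port_of[value]].add(zone)
    session = {}
    for port in by_di.keys() & by_wwn.keys():
        # WWN in one zone and D,I in another: at least two distinct zones
        if len(by_di[port] | by_wwn[port]) > 1:
            session[port] = {"by_di": sorted(by_di[port]),
                             "by_wwn": sorted(by_wwn[port])}
    return {
        "mixed_zones": sorted(z for z, k in kinds.items() if k == {"wwn", "di"}),
        "wwn_only_zones": sorted(z for z, k in kinds.items() if k == {"wwn"}),
        "session_enforced_ports": session,
        "unresolved": dict(unresolved),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CFGSHOW, SAMPLE_ATTACHMENTS).items():
        print(f"{key}: {value}")
```

The report is advisory; the portZoneShow command on the switch remains the authoritative view of the enforcement type per port.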
Broadcast zones and FC-FC routing
If you create broadcast zones in a metaSAN consisting of multiple fabrics connected through an FC router, the broadcast zone must include the IP device that exists in the edge or backbone fabric as well as the proxy device in the remote fabric. Refer to Using FC-FC Routing to Connect Fabrics on page 489 for information about proxy devices and the FC router.
"RECOVERY_2," and "TEST_18jun02" can be used. If you are creating a new alias using aliCreate w, "1,1", and a user in another Telnet session executes cfgEnable (or cfgDisable, or cfgSave), the other user’s transaction will abort your transaction and you will receive an error message. Creating a new alias while there is a zone merge taking place may also abort your transaction. For more details about zone merging and zone merge conflicts, refer to Zone merging on page 332.
switch:admin> aliadd "loop1", "5,6"
switch:admin> cfgsave
WARNING!!!
You are about to save the Defined zoning configuration. This action will only save the changes on Defined configuration. If the update includes changes to one or more traffic isolation zones, you must issue the 'cfgenable' command for the changes to take effect.
Example
switch:admin> alidelete "array1"
switch:admin> cfgsave
WARNING!!!
You are about to save the Defined zoning configuration. This action will only save the changes on Defined configuration. If the update includes changes to one or more traffic isolation zones, you must issue the 'cfgenable' command for the changes to take effect.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the cfgShow command.
alias: bond 10:00:05:1e:a9:20:00:01; 3,5
alias: brain 11,4; 22,1; 33,6
alias: jake 4,7; 8,9; 14,11
alias: jeff 30:00:00:05:1e:a1:cd:02; 40:00:00:05:1e:a1:cd:04
alias: jones 7,3; 4,5
alias: zeus 4,7; 6,8; 9,2
Effective configuration:
No Effective configuration: (No Access)
Adding devices (members) to a zone
ATTENTION
The zoneAdd command will add all zone member aliases that match the "aliasname_pattern" in the zone database to the specified zone.
Removing devices (members) from a zone
ATTENTION
The zoneRemove command will remove all zone member aliases that match the "aliasname_pattern" in the zone database from the specified zone.
Use the following procedure to remove members from a zone:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the zoneRemove command, using either of the following syntaxes:
zoneremove "zonename ", "member [; member ...
Replacing zone members
Fabric OS allows you to replace one zone member with another zone member using a CLI command. This command takes two inputs. The first is the member to be replaced and the second is the new member. These inputs can be formatted only with WWN or D,I zoning schemes.
Notes and restrictions
∙ To make a configuration change effective, a cfgEnable command should be issued after the zoneObjectReplace command.
Defined configuration:
zone: matt zeus; bond; jeff; 4,8
zone: sloth bawn; bolt; bond; brain; 10:00:00:00:01:1e:20:20
alias: bawn 3,5
alias: bolt 10:00:00:02:1f:02:00:01
alias: bond 10:00:05:1e:a9:20:00:01; 3,5
alias: brain 11,4; 22,1; 33,6
alias: jake 4,7; 8,9; 14,11
alias: jeff 30:00:00:05:1e:a1:cd:02; 40:00:00:05:1e:a1:cd:04
alias: jones 7,3; 4,5
alias: zeus 4,7; 6,8; 9,2
Effective configuration:
No Effective configuration: (No Access)
CAUTION
Executing this command replace
zone: matt zeus; bond; jeff; 4,8
alias: bawn 3,5
alias: bolt 10:00:00:02:1f:02:00:01
alias: bond 10:00:05:1e:a9:20:00:01; 3,5
alias: brain 11,4; 22,1; 33,6
alias: jake 4,7; 8,9; 14,11
alias: jeff 30:00:00:05:1e:a1:cd:02; 40:00:00:05:1e:a1:cd:04
alias: jones 7,3; 4,5
alias: zeus 4,7; 6,8; 9,2
Effective configuration:
No Effective configuration: (No Access)
Viewing a zone
The zoneshow --sort command displays the defined and effective configurations for a zone.
Displaying the sorted zone database example
The following example shows all zones in the zone database with sorted D,I pairs and WWNs:
switch:admin> zoneshow --sort
Defined configuration:
cfg: cfgnpr npr
cfg: cfgz prz; diz; lsan_bb
zone: diz 1,1; 1,2; 3,2; 4,7
zone: diz1 00:02:00:00:00:02:00:01;
zone: lsan_bb 30:00:00:05:1e:61:23:8f;
zone: npr 20:04:00:05:33:88:bb:be; 20:06:00:05:33:88:bb:be
zone: prz 00:02:00:00:00:03:00:01; 20:05:00:05:33:88:bb:be;
zone: upr 00:02:00:00:00:0
∙ A plus sign (+) before any entity (an alias or a zone name or a configuration) indicates that it is a newly added entity.
∙ A minus sign (-) before any entity indicates that this entity has been deleted.
If zone members are added as well as deleted in a zone configuration, then a plus sign and a minus sign (+-) will be displayed before the member and a * sign will be displayed before the zone name.
2. Enter the cfgShow command to view the zone configuration objects you want to validate.
switch:admin> cfgShow
Defined configuration:
cfg: USA_cfg Purple_zone; White_zone; Blue_zone
zone: Blue_zone 1,1; array1; 1,2; array2
zone: Purple_zone 1,0; loop1
zone: White_zone 1,3; 1,4
alias: array1
alias: array2
alias: loop1
3.
~ - Invalid configuration
* - Member does not exist
# - Invalid usage of broadcast zone
Inconsistencies between the defined and effective configurations
If you edit zone objects in the defined configuration that also exist in the effective configuration and then issue the cfgSave command, a warning message stating that a mismatch is observed between the defined and effective configurations is posted, and you are asked to confirm that you want cfgSave to continue.
Example of Inconsistent defined and effective configuration warning to user
switch: admin> zoneShow
Defined configuration:
cfg: cfg1 zone1; zone2
zone: zone1 10:00:00:00:00:00:00:01; 10:00:00:00:00:00:00:02
zone: zone2 1,1; 1,2
Effective configuration:
cfg: cfg1
zone: zone1 10:00:00:00:00:00:00:01
      10:00:00:00:00:00:00:02
zone: zone2 1,1; 1,2
switch: admin> zoneadd zone1, 10:00:00:00:00:00:00:03
switch: admin> cfgsave
WARNING!!!
The changes you are attempting to save will render
Setting the default zoning mode
NOTE
You should not change the default zone mode from "No Access" to "All Access" if there is no effective zone configuration and more than 120 devices are connected to the fabric.
Use the following procedure to set the default zoning mode.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the cfgActvShow command to view the current zone configuration.
3.
Zone database size
The maximum size of a zone database is the upper limit for the defined configuration, and it is determined by the amount of flash memory available for storing the defined configuration. To display the zone database size, enter cfgSize. The supported maximum zone database size is 2 MB for systems running Brocade DCX 8510 Backbones and X6 Directors. The presence of any other platform reduces the maximum zone database size to 1 MB.
Creating a zone configuration
Use the following procedure to create a zone configuration.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the cfgCreate command, using the following syntax:
cfgcreate "cfgname ", "member [; member ...]"
3. Enter the cfgSave command to save the change to the defined configuration. The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile memory.
Removing members from a zone configuration
Use the following procedure to remove members from a zone configuration.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the cfgRemove command, using the following syntax:
cfgremove "cfgname ", "member [; member ...]"
3. Enter the cfgSave command to save the change to the defined configuration. The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile memory.
NOTE
If the default zoning mode is set to All Access and more than 120 devices are connected to the fabric, you cannot disable the zone configuration because this would enable All Access mode and cause a large number of requests to the switch. In this situation, set the default zoning mode to No Access prior to disabling the zone configuration. Refer to Default zoning mode on page 318 for information about setting this mode to No Access.
Validating all zone members example
The following example displays the validated zone members of all the zone configurations of the zone database:
switch:admin> zoneshow --validate
Defined configuration:
cfg: cfg1 zone1; zone10; zone2
zone: zone1 20:1c:00:05:1e:57:b1:c6*; 20:1d:00:05:1e:57:b1:c6
zone: zone10 20:1e:00:05:1e:57:b1:c6; 20:1f:00:05:1e:57:b1:c6*
zone: zone2 20:03:00:05:1e:57:b1:c6; 20:1f:00:05:1e:57:b1:c6*
Effective configuration:
cfg: cfg1
zone: zone1 20:1c:00:05:
Validating zone members with mode
The following example displays the validated zone members for a specified mode of a zone configuration:
switch:admin> zoneshow --validate zone200, 0
Defined configuration:
zone: zone200 20:1d:00:05:1e:57:b1:c6; 20:1f:00:05:1e:57:b1:c6*
-----------------------------------
~ - Invalid configuration
* - Member does not exist
# - Invalid usage of broadcast zone
Deleting a zone configuration
Use the following procedure to delete a zone configuration
Abandoning zone configuration changes
To abandon zone configuration changes, enter the cfgTransAbort command. When this command is executed, all changes since the last save operation (performed with the cfgSave, cfgEnable, or cfgDisable command) are cleared.
Example displaying all zone configurations that start with "Test"
switch:admin> cfgshow "Test*"
cfg: Test1 Blue_zone
cfg: Test_cfg Purple_zone; Blue_zone
Example displaying all zone configurations that start with "Test", regardless of the case
switch:admin> cfgshow --ic "Test*"
cfg: Test1 Blue_zone
cfg: Test_2 Red zone; Blue_zone
Viewing the zone aliases in the zone configuration
The following procedure lists the zone aliases, including the user-defined aliases, in the z
zone: zone2 Ali1
switch:admin> zoneshow --alias "?l?1"
zone: Zone3 ald1
zone: h1 al; Ali1; dev3
zone: zone1 ali1
zone: zone2 Ali1
switch:admin> zoneshow --alias "al[id]1"
zone: Zone3 ald1
zone: zone1 ali1
You can also find the list of zones containing the alias matching the pattern that you specify (not case sensitive).
ATTENTION
Be careful using the cfgClear command because it deletes the defined configuration.
switch:admin> cfgclear
The Clear All action will clear all Aliases, Zones, FA Zones and configurations in the Defined configuration.
Run cfgSave to commit the transaction or cfgTransAbort to cancel the transaction.
Do you really want to clear all configurations? (yes, y, no, n): [no]
3.
Deleting a zone object
The following procedure removes all references to a zone object and then deletes the zone object. The zone object can be a zone member, a zone alias, or a zone.
Use the following procedure to delete a zone object.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the cfgShow command to view the zone configuration objects you want to delete.
zone: Blue_zone 1,1; array1; 1,2; array2
zone: Purple_zone 1,0; loop1
zone: White_zone 1,3; 1,4
alias: array1 21:00:00:20:37:0c:76:8c; 21:00:00:20:37:0c:71:02
alias: array2 21:00:00:20:37:0c:76:22; 21:00:00:20:37:0c:76:28
alias: loop1 21:00:00:20:37:0c:76:85; 21:00:00:20:37:0c:71:df
3. Enter zoneObjectRename to rename zone configuration objects.
NOTE
Zone configuration names are case-sensitive and blank spaces are ignored.
All zones should use frame-based hardware enforcement; the best way to do this is to use WWN identification exclusively for all zoning configurations.
Zone merging
When a new switch is added to the fabric, it automatically takes on the zone configuration information from the fabric. You can verify the zone configuration on the switch using the procedure described in Viewing the configuration in the effective zone database on page 328.
Both fabrics have identical zones and configurations enabled, including the default zone mode. The two fabrics will join to make one larger fabric with the same zone configuration across the newly created fabric. If the two fabrics have different zone configurations, they will not be merged. If the two fabrics cannot join, the ISL between the switches will segment.
∙ Merge conflicts
When a merge conflict is present, a merge will not take place and the ISL will segment.
∙ Table 68: Default access mode
∙ Table 72: Mixed Fabric OS versions
TABLE 64 Zone merging scenarios: Defined and effective configurations
Description | Switch A | Switch B | Expected results
Switch A has a defined configuration. | defined: cfg1: zone1: ali1; ali2 effective: none | defined: none effective: none | Configuration from Switch A to propagate throughout the fabric in an inactive state, because the configuration is not enabled.
TABLE 65 Zone merging scenarios: Different content
Description | Switch A | Switch B | Expected results
Effective configuration mismatch. | defined: cfg1 zone1: ali1; ali2 effective: cfg1 zone1: ali1; ali2 | defined: cfg2 zone2: ali3; ali4 effective: cfg2 zone2: ali3; ali4 | Fabric segments due to: Zone Conflict cfg mismatch
Configuration content mismatch.
TABLE 68 Zone merging scenarios: Default access mode (pre-Fabric OS 7.3.0)
Description Switch A Switch B Expected results Different default zone access mode settings. defzone: allaccess defzone: noaccess Clean merge -- noaccess takes precedence and defzone configuration from Switch B propagates to fabric. defzone: noaccess Same default zone access mode settings. Effective zone configuration. Effective zone configuration.
TABLE 69 Zone merging scenarios: Default access mode (with Fabric OS 7.3.0 or later on initiator and responder) (continued)
Description Responder has effective zone configuration. Switch A (Initiator with FOS 7.3.0) Switch B (Responder with FOS 7.3.0) Expected results effective: cfg1 No effective configuration. defzone: noaccess defzone: noaccess Fabric merges -- effective zone configuration from Switch A propagates to fabric. No effective configuration.
TABLE 70 Zone merging scenarios: Default access mode (with Fabric OS 7.3.0 or later on initiator and pre-Fabric OS 7.3.0 on responder) (continued)
Description Switch A (Initiator with FOS 7.3.0) Switch B (Responder with pre-FOS 7.3.0) Expected results No effective configuration. effective: cfg2 defzone: allaccess defzone: noaccess Fabric merges -- effective zone configuration from Switch B propagates to fabric. Allaccess on Switch A changes to noaccess.
TABLE 71 Zone merging scenarios: Default access mode (with pre-Fabric OS 7.3.0 on initiator and Fabric OS 7.3.0 or later on responder) (continued)
Description Switch A (Initiator with pre-FOS 7.3.0) Switch B (Responder with FOS 7.3.0) Expected results an explicit zone configuration activated. No effective configuration. effective: cfg2 defzone: noaccess defzone: noaccess Fabric merges -- effective zone configuration from Switch B propagates to fabric.
to one or more traffic isolation zones, the update may result in localized disruption to traffic on ports associated with the traffic isolation zone changes
Multiple open transactions are pending in this fabric. Only one transaction can be saved. Please abort all unwanted transactions using the cfgtransabort command.
a Peer Zone has a single principal device and one or more non-principal devices, but configurations having multiple principal devices are allowed. Peer Zones are not mutually exclusive with traditional zones; multiple zoning styles can coexist within the same zoning configuration and fabric.
FIGURE 31 One-to-many Zoning example
One-to-many Zoning: One-to-many Zoning creates a zone with multiple hosts and one target. This approach creates fewer zones as compared to Single-Initiator Zoning, but the host-to-host connectivity generates an extraneous amount of RSCN traffic. Figure 31 shows an example of One-to-many Zoning where the hosts H1 to H8 are part of the same zone and can communicate with each other.
FIGURE 32 Flat Zoning example
Flat Zoning: Flat Zoning consists of a single zone that allows all devices to communicate with each other. This type of zoning supports a large number of hosts. One drawback to this type of zoning is the significant increase in RSCN traffic when compared to other zoning types.
FIGURE 33 Peer Zoning example
Peer Zoning: Using Peer Zoning, a Peer Zone can be created with one device designated as a principal device for that zone. All non-principal devices in the Peer Zone can access only the principal device and cannot communicate with each other. The principal device can communicate with all other non-principal devices. The RSCN traffic generated is the same as for Single-Initiator Zoning. The zone database size is the same as One-to-many Zoning.
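The connectivity rules of the zoning styles described above can be compared by computing which device pairs each layout permits, which is also a quick way to spot unintended host-to-host visibility before a configuration is enabled. This Python model is an added example, not Brocade code: device names H1 to H8 and T1 follow the figures, while the zone dictionaries, function names, and the one-principal-per-Peer-Zone simplification are assumptions.

```python
from itertools import combinations

def regular_pairs(members):
    """In a regular zone every member can reach every other member."""
    return {frozenset(p) for p in combinations(sorted(set(members)), 2)}

def peer_pairs(principal, peers):
    """In a Peer Zone non-principal members reach only the principal."""
    return {frozenset((principal, p)) for p in set(peers) if p != principal}

def permitted_pairs(zones):
    """Union of the pairs allowed by every zone in the configuration."""
    pairs = set()
    for zone in zones:
        if zone["type"] == "peer":
            pairs |= peer_pairs(zone["principal"], zone["peers"])
        else:
            pairs |= regular_pairs(zone["members"])
    return pairs

def summarize(zones, hosts):
    """Count zones, member entries and pairs; list host-to-host pairs."""
    pairs = permitted_pairs(zones)
    host_set = set(hosts)
    host_to_host = sorted(tuple(sorted(p)) for p in pairs if p <= host_set)
    # Member entries as a rough size proxy (property members not counted).
    entries = sum(
        1 + len(z["peers"]) if z["type"] == "peer" else len(z["members"])
        for z in zones
    )
    return {
        "zones": len(zones),
        "member_entries": entries,
        "pairs": len(pairs),
        "host_to_host": host_to_host,
    }

HOSTS = [f"H{i}" for i in range(1, 9)]
TARGET = "T1"

# One zone per host, each containing that host and the target.
SINGLE_INITIATOR = [{"type": "regular", "members": [h, TARGET]} for h in HOSTS]
# One zone holding all hosts and the target.
ONE_TO_MANY = [{"type": "regular", "members": HOSTS + [TARGET]}]
# One Peer Zone with the target as principal and the hosts as peers.
PEER = [{"type": "peer", "principal": TARGET, "peers": HOSTS}]
# Peer Zones coexist with regular zones; the union decides what is reachable.
PEER_PLUS_REGULAR = PEER + [{"type": "regular", "members": ["H1", "H2"]}]

if __name__ == "__main__":
    layouts = {
        "single-initiator": SINGLE_INITIATOR,
        "one-to-many": ONE_TO_MANY,
        "peer": PEER,
        "peer + regular H1/H2": PEER_PLUS_REGULAR,
    }
    for name, zones in layouts.items():
        s = summarize(zones, HOSTS)
        print(f"{name:22} zones={s['zones']} entries={s['member_entries']} "
              f"pairs={s['pairs']} host-to-host={len(s['host_to_host'])}")
```

Because the result is a union across zones, a host that sits in a Peer Zone and in a regular zone with another host still gains that host-to-host path.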
∙ The maximum number of Peer Zones is determined by the zone database size. Refer to Zone database size on page 320 for information on zone database sizing.
Firmware upgrade and downgrade considerations for Peer Zoning
When a switch containing Peer Zones is upgraded to Fabric OS 7.4.0, Peer Zoning connectivity rules are enforced on the devices attached to the upgraded switch. If the device is a member of a Peer Zone, the upgrade can cause disruption.
Adding devices to a Peer Zone
To add devices to the Peer Zone, complete the following steps.
1. Connect to the switch and log in using an account with admin permissions.
2. Add Peer Zone devices using the zoneadd --peerzone command.
The following example adds the device "10:00:05:1e:a9:20:00:02" to "peerzone_wwn_mbrs".
∙ Use the user option to list only the user-created Peer Zones.
∙ Use the target option to list all Target Driven Peer Zones.
For more information about the commands, refer to the Fabric OS Command Reference.
The following example displays the Peer Zone configuration using the all option to show all the Peer Zones. The Property Member field is used to distinguish a Peer Zone from a regular zone. The Peer Member(s) field lists the non-principal members of the Peer Zone.
FIGURE 34 Target Driven Zoning example
Limitations and considerations for Target Driven Zoning
The following are the general limitations and considerations for Target Driven Zoning:
∙ A zone configuration must be created and enabled before a principal device adds or activates a Target Driven Peer Zone.
1. Connect to the switch and log in using an account with admin permissions. By default, Target Driven Zoning configuration is disabled for all ports.
2. Create a zone for Target Driven Zoning using the zonecreate command.
The following example creates a zone for Target Driven Zoning.
switch:admin> zonecreate "targetzone1", "10:00:00:00:c9:2b:c9:0c; 50:05:07:61:00:5b:62:ed;50:05:07:61:00:49:20:b4"
3.
You will get a peer zone change RSCN if an active principal device is attached to the specified port.
Viewing Target Driven Zoning
To view the Target Driven Zoning status, complete the following steps.
1. Connect to the switch and log in using an account.
2. View Target Driven Zoning status on a port or port range.
The following example displays Target Driven Zoning status on the ports using the portcfgtdz --show command.
Property Member: 00:02:00:00:00:03:00:01
Created by: User
Principal Member(s): 10:00:00:00:01:1e:20:20
Peer Member(s): 10:00:00:02:1f:02:00:01; 10:00:05:1e:a9:20:00:01
zone: targetzone1
Property Member: 00:01:00:00:00:03:00:01
Created by: Target
Principal Member(s): 30:04:00:05:1e:61:23:8f
Peer Member(s): 10:00:00:02:1f:02:00:05; 10:00:00:02:1f:02:00:12
Effective configuration:
zone: peerzone_wwn_mbrs
Property Member: 00:02:00:00:00:03:00:01
Created by: User
Principal Member(s
TABLE 73 Supported commands for Peer Zones and Target Driven Peer Zones
Command | Support for Peer Zones | Support for Target Driven Peer Zones
cfgAdd | Yes | Yes
cfgCreate | Yes | Yes
cfgDelete | Yes | Yes
cfgDisable | Yes | Yes
cfgEnable | Yes | Yes
cfgRemove | Yes | Yes
cfgSave | Yes | Yes
cfgShow | Yes | Yes
zone | No | No
zoneAdd | Yes, using --peerzone operand | No
zoneCreate | Yes, using --peerzone operand | No
zoneDelete | Yes | Yes
zoneObjectCopy | Yes | No
zoneObjectExpunge | No | N
FIGURE 35 Boot LUN zoning
As Boot LUN zones must not be part of a fabric zone configuration, Fabric OS 7.3.0 and later blocks the creation of any zone with a zone name having the format "BFA_XXXX_BLUN" (that is, starting with "BFA_" and ending in "_BLUN"). Zone names with this configuration are considered to indicate an HBA Boot LUN Zone. As part of the support for peer zoning introduced in Fabric OS 7.3.
Setting up boot LUN zoning
You must configure the server, HBA, and Brocade switch for boot LUN zoning to work. You must also know how to flash the HBA BIOS or upload the latest version of Brocade Fabric OS (FOS) on a Brocade SAN switch or director. Note that Brocade FOS 6.2 or later and HBA BIOS version 1.1 or later are required, and we recommend always using the latest BIOS and FOS version.
2. To display existing BLUN mappings, use the bootLunCfg --show command.
switch:admin> bootluncfg --show
00:11:22:33:44:55:66:77
00:00:00:00:aa:bb:cc:dd;00:00:00:01:ee:ff:11:22; \
00:00:00:02:9a:bc:34:5f;00:00:00:03:a1:11:24:10
aa:aa:aa:aa:aa:aa:aa:aa
00:00:00:00:11:11:11:11;00:00:00:01:11:11:11:11; \
00:00:00:02:9a:bc:34:5f;00:00:00:03:a1:11:24:10
bb:aa:aa:aa:aa:aa:aa:aa
00:00:00:00:11:11:11:11;00:00:00:01:11:11:11:11; \
00:00:00:02:9a:bc:34:5f;00:00:00:03:a1:11:24:10
3.
Traffic Isolation Zoning
∙ Traffic Isolation Zoning overview
∙ FSPF routing rules and traffic isolation
∙ Enhanced TI zones
FIGURE 37 Traffic Isolation zone creating a dedicated path through the fabric
In this illustration, all traffic entering Domain 1 from N_Ports 7 and 8 is routed through E_Port 1. Similarly, traffic entering Domain 3 from E_Port 9 is routed to E_Port 12, and traffic entering Domain 4 from E_Port 7 is routed to the devices through N_Ports 5 and 6. Traffic coming from other ports in Domain 1 would not use E_Port 1, but would use E_Port 2 instead.
TABLE 74 Traffic behavior when failover is enabled or disabled in TI zones
Failover enabled | Failover disabled
If the dedicated path is not the shortest path or if the dedicated path is broken, the TI zone traffic will use a non-dedicated path instead. | If the dedicated path is not the shortest path or if the dedicated path is broken, traffic for that TI zone is halted until the dedicated path is fixed. This condition is RAS logged.
∙ If failover is disabled, non-TI zone traffic is blocked because it cannot use the dedicated ISL, which is the lowest cost path.
For example, in Figure 38, there is a dedicated path between Domain 1 and Domain 3, and another non-dedicated path that passes through Domain 2. If failover is enabled, all traffic will use the dedicated path, because the non-dedicated path is not the shortest path.
FIGURE 39 Dedicated path is not the shortest path
For information about setting or displaying the FSPF cost of a path, see the linkCost and topologyShow commands in the Fabric OS Command Reference.
Enhanced TI zones
In Fabric OS v6.4.0 and later, ports can be in multiple TI zones at the same time. Zones with overlapping port members are called enhanced TI zones (ETIZ). Enhanced TI zones are especially useful in FICON fabrics. The following figure shows an example of two TI zones.
FIGURE 40 Enhanced TI zones
See the FICON Administrator's Guide for example topologies using enhanced TI zones. See Additional configuration rules for enhanced TI zones on page 365 for more information about enhanced TI zones.
Invalid configurations with enhanced TI zones
When you create TI zones, ensure that all traffic from a port to all destinations on a remote domain has the same path.
FIGURE 41 Invalid ETIZ configuration: two paths from one port to two devices on the same remote domain
The solution is to overlap the E_Port members [(1,2), (1,3), (3,6), (3,7)] across both ETIZ zones, in addition to the Target at (3,8).
Invalid ETIZ configuration: separate paths from a single port to the same domain
The following figure shows another example of an invalid ETIZ configuration.
FIGURE 42 Invalid ETIZ configuration: two paths from one port
The solution is to overlap the E_Port members [(1,2),(1,3), (3,6), (3,7)] across both ETIZ zones, in addition to the Target at (3,8); or, overlap all members of both ETIZ zones in this case.
General rules for TI zones
The following general rules apply to TI zones:
∙ Ports in a TI zone must belong to switches that run Fabric OS v6.0.0 or later.
∙ FSPF supports a maximum of 16 paths to a given domain. This includes paths in a TI zone.
∙ To include a trunk group in a TI zone, you must include all ports of the trunk in the TI zone.
∙ Each TI zone is interpreted by each switch and each switch considers only the routing required for its local ports. No consideration is given to the overall topology and to whether the TI zones accurately provide dedicated paths through the whole fabric.
NOTE
FC router domains are excluded from the ETIZ platform restrictions. You can create enhanced TI zones with these switches in the fabric.
Limitations and restrictions of Traffic Isolation Zoning
The following limitations and restrictions apply to Traffic Isolation Zoning:
∙ A maximum of 255 TI zones can be created in one fabric. A fabric merge resulting in greater than the maximum allowed TI zones results in merge failure and the fabrics are segmented.
Possible values for "-o" option list | Description
a | Configure the TI zone as activated; mutually exclusive with the 'd' option
d | Configure the TI zone as deactivated; mutually exclusive with the 'a' option
The "name" option specifies the TI zone name. The "-p" option lets you define the members of the TI zone, typically the N_Ports and E_Ports specified using Domain and Port Index.
Changing the state of a TI zone
You can change the configured state of an existing TI zone to activated or deactivated. As is the case with other TI zoning operations, you must enable the current effective configuration to apply the change.
1. Connect to the switch and log in using an account with admin permissions.
2. Perform one of the following actions:
∙ To activate a TI zone, enter the zone --activate command.
Examples
Example: Displaying information about the TI zone purplezone
switch:admin> zone --show purplezone
Defined TI zone configuration:
TI Zone Name: redzone:
Port List: 1,2; 1,3; 3,3; 4,5
Configured Status: Activated / Failover-Enabled
Enabled Status: Activated / Failover-Enabled
Example: Displaying information about all TI zones in the defined configuration in ascending order
switch:admin> zone --show -ascending
Defined TI zone configuration:
TI Zone Name: bluezone:
Port List:
Configuring the Local TI Filtering example
Use Local TI Filtering, listed under Zoning Operation parameters of the configure command, to enable or disable the feature.
switch:admin> switchdisable
switch:admin> configure
Configure...
………
Zoning Operation parameters (yes, y, no, n): [no] yes
………
Local TI Filtering (on, off): [off] on
………
Traffic Isolation Zoning over FC routers
TI zoning can be used with FC routed fabrics with failover enabled.
FIGURE 44 Traffic Isolation Zoning over FCR
In addition to setting up TI zones, you must also ensure that the devices are in an LSAN zone so that they can communicate with each other. If failover is enabled and the TI path is not available, an alternate path is used. If failover is disabled and the TI path is not available, then devices are not imported.
FIGURE 45 TI zone in an edge fabric
In the TI zone, when you designate E_Ports between the front and xlate phantom switches, you must use -1 in place of the "I" in the D,I notation. Both the front and xlate domains must be included in the TI zone.
FIGURE 46 TI zone in a backbone fabric
TI zones within the backbone fabric use the port WWN instead of D,I notation for devices that are to communicate across fabrics. (You can use the portShow command to obtain the port WWN.) Port WWNs should be used only in TI zones within a backbone fabric and should not be used in other TI zones.
∙ A TI zone defined within the backbone fabric does not guarantee that edge fabric traffic will arrive at a particular EX_Port. You must set up a TI zone in the edge fabric to guarantee this.
∙ TI zones within the backbone fabric cannot contain more than one destination router port (DRP) per fabric. This means you cannot define more than one EX_Port to any one edge fabric unless they are part of a trunk.
FIGURE 47 Fabric-level traffic isolation
In the figure, there are two links between each edge fabric and the backbone fabric, and there are five links between the two FC routers in the backbone. Fabric ID 1 and Fabric ID 4 communicate only with each other. Two backbone ISLs are dedicated to traffic between FID1 and FID4. These dedicated ISLs are indicated in red and blue.
Fabric-Level TI zones
Fabric-Level Traffic Isolation is accomplished through the use of TI zones.
∙ Include E_Ports for the path between the backbone switches.
∙ Do not include E_Ports from the edge fabrics.
∙ Do not include device PWWNs.
∙ Ensure that failover is enabled.

There are two options for defining the Fabric-Level Traffic Isolation paths within TI zones. The option you select affects the failover behavior of the TI zones.
Be aware that although the configured status is "Activated", the enabled status is "Deactivated".

3. Activate TI zones.

switch:admin> cfgactvshow
Effective configuration:
cfg: ...
switch:admin> cfgenable
You are about to enable a new zoning configuration.
This action will replace the old zoning configuration with the current configuration selected.
cfg: ...
switch:admin> cfgenable
You are about to enable a new zoning configuration.
This action will replace the old zoning configuration with the current configuration selected.
FIGURE 48 TI over FCR example

NOTE
In the following procedure the three TI zones in the edge and backbone fabrics are all given the same name, TI_Zone1. It is not required that the TI zones have the same name, but this is done to avoid confusion. If several dedicated paths are set up across the FC router, the TI zones for each path can have the same name.

1.
Port List: 4,8; 4,5; 1,-1; 6,-1
Status: Activated Failover: Enabled

c) Enter the following commands to reactivate your current effective configuration and enforce the TI zones.

E1switch:admin> cfgactvshow
Effective configuration:
cfg: cfg_TI
zone: lsan_t_i_TI_Zone1
10:00:00:00:00:00:02:00:00
10:00:00:00:00:00:03:00:00
10:00:00:00:00:00:08:00:00
E1switch:admin> cfgenable cfg_TI
You are about to enable a new zoning configuration.
4. Log in to the backbone fabric and set up the TI zone.

FCR_Domain_1:admin> fabricshow
Switch ID   Worldwide Name            Enet IP Addr    FC IP Addr    Name
-------------------------------------------------------------------------
1: fffc01   10:00:00:05:1e:52:3a:00   10.38.135.15    0.0.0.0       >"FCR_Domain_1"
2: fffc02   10:00:00:27:f8:f1:0b:40   10.38.135.19    0.0.0.0       "FCR_Domain_2"
The Fabric has 2 switches

The above Backbone domains are represented in "D,I" notation in TI zone configuration.
Figure 49 shows an initiator and target in a logical fabric (FID1). The dotted line indicates a dedicated path between initiator and target. The dedicated path passes through the base fabric over an XISL. (The figure shows only physical ISLs, not logical ISLs.) To create the TI zones for this dedicated path, you must create a TI zone in the logical fabric (FID 1) and one in the base fabric.
You must also create and activate a TI zone in the base fabric to reserve the XISLs for the dedicated path. In Figure 51, the XISLs highlighted (by a dotted line) in the base fabric can be reserved for FID1 by defining and activating a base fabric TI zone that consists of ports 10, 12, 14, and 16. You must also include ports 3 and 8, because they belong to logical switches participating in the logical fabric.
FIGURE 52 Example configuration for TI zones over FC routers in logical fabrics

Figure 53 shows a logical representation of the configuration in Figure 52. This SAN is similar to that shown in Figure 44 on page 371 and you would set up the TI zones in the same way as described in Traffic Isolation Zoning over FC routers on page 370.
FIGURE 53 Logical representation of TI zones over FC routers in logical fabrics

Troubleshooting TI zone routing problems

Use the following procedure to generate a report of existing and potential problems with TI zones. The report displays an error type.
∙ "ERROR" indicates a problem currently exists in the fabric.
Traffic Isolation Zone violation handling for trunk ports

For any trunk group, all the members of the group need to belong to the TI zone to prevent routing issues resulting from changes in the members of the trunk group. This applies to any E_Port or F_Port trunk groups that are included in TI zones using failover disabled mode. Fabric OS posts a RASlog message (ZONE-1061) if any port that is part of a trunk group is not added to the TI zone with failover disabled.
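The membership rules in this chapter (D,I members, -1 for the front and xlate phantom domains, port WWNs only in backbone TI zones, and whole trunk groups when failover is disabled) can be checked before a zone is activated. The following is an added example, not code from the Brocade guide; the function names, the finding codes, the pairing of domains 1 and 6 as front and xlate, and the trunk group are assumptions or constructed inputs.

```python
import re

# Port WWN: eight colon-separated hex octets.
WWN_RE = re.compile(r"^(?:[0-9a-f]{2}:){7}[0-9a-f]{2}$", re.I)
# D,I notation; an index of -1 designates a front or xlate phantom domain.
DI_RE = re.compile(r"^(\d+)\s*,\s*(-1|\d+)$")


def parse_port_list(text):
    """Parse a TI zone port list such as '4,8; 4,5; 1,-1; 6,-1'.

    Returns a dict with three sets:
      ports    - (domain, index) members in D,I notation
      phantoms - domains entered as 'domain,-1'
      wwns     - port WWN members, lower-cased
    """
    zone = {"ports": set(), "phantoms": set(), "wwns": set()}
    for item in (part.strip() for part in text.split(";")):
        if not item:
            continue
        di = DI_RE.match(item)
        if di:
            domain, index = int(di.group(1)), int(di.group(2))
            if index == -1:
                zone["phantoms"].add(domain)
            else:
                zone["ports"].add((domain, index))
        elif WWN_RE.match(item):
            zone["wwns"].add(item.lower())
        else:
            raise ValueError(f"unrecognised TI zone member: {item!r}")
    return zone


def audit_ti_zone(port_list, fabric, failover_enabled,
                  phantom_pairs=(), trunk_groups=()):
    """Return a list of (code, detail) findings for one TI zone.

    fabric           - "edge" or "backbone" (where the zone is defined)
    failover_enabled - the zone's failover setting
    phantom_pairs    - (front_domain, xlate_domain) pairs known to the operator
    trunk_groups     - iterable of sets of (domain, index) trunk members
    """
    zone = parse_port_list(port_list)
    findings = []

    # Port WWNs belong only in TI zones within a backbone fabric.
    if fabric != "backbone" and zone["wwns"]:
        findings.append(("WWN_OUTSIDE_BACKBONE", sorted(zone["wwns"])))

    # Both the front and the xlate domain must be in the zone.
    for front, xlate in phantom_pairs:
        present = {front, xlate} & zone["phantoms"]
        if len(present) == 1:
            missing = ({front, xlate} - present).pop()
            findings.append(("PHANTOM_PAIR_INCOMPLETE", missing))

    # With failover disabled, a trunk group must be in the zone as a whole
    # (the condition Fabric OS reports as ZONE-1061).
    if not failover_enabled:
        for group in trunk_groups:
            group = set(group)
            inside = group & zone["ports"]
            if inside and inside != group:
                findings.append(("TRUNK_PARTIAL", sorted(group - inside)))
    return findings


# Port list shown in this chapter for the edge-fabric zone TI_Zone1.
PAGE_PORT_LIST = "4,8; 4,5; 1,-1; 6,-1"
# Constructed zone that breaks all three rules.
CONSTRUCTED_BAD = "4,8; 1,-1; 10:00:00:00:00:00:02:00"

if __name__ == "__main__":
    print(audit_ti_zone(PAGE_PORT_LIST, "edge", True, phantom_pairs=[(1, 6)]))
    print(audit_ti_zone(CONSTRUCTED_BAD, "edge", False,
                        phantom_pairs=[(1, 6)],
                        trunk_groups=[{(4, 8), (4, 9)}]))
```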
Optimizing Fabric Behavior

∙ Adaptive Networking overview (page 387)
∙ Ingress Rate Limiting (page 387)
∙ QoS
Ingress Rate Limiting enforcement is needed only if the port can run at a speed higher than the rate limit. For example, if the rate limit is 4 Gbps and the port is only a 2-Gbps port, then Ingress Rate Limiting is not enforced. The Ingress Rate Limiting configuration is persistent across reboots.

You should keep in mind the following considerations about Ingress Rate Limiting:
∙ Ingress Rate Limiting is applicable only to F_Ports and FL_Ports.
CS_CTL-based frame prioritization and QoS zone-based traffic prioritization are mutually exclusive. If you enable CS_CTL-based frame prioritization on F_Ports or FL_Ports, then QoS zone-based traffic prioritization cannot be used between any devices connected to the F_Ports or FL_Ports. CS_CTL-based frame prioritization takes precedence over QoS zone-based traffic prioritization.
FIGURE 54 QoS with E_Ports enabled

You must enable QoS on the E_Ports on both ISLs between domain 3 and domain 4, because either path might be selected to carry the traffic. You do not need to enable QoS on the E_Ports on the ISLs between domain 1 and domain 2 and between domain 2 and domain 3, because these are not the shortest paths between the hosts and the targets. However, if the ISL between domain 1 and domain 3 is broken, then the path through domain 2 would be used.
∙ QoS over FC routers is supported for the following configurations:
  – Edge-to-edge fabric configuration: Supported on all platforms.
  – Backbone-to-edge fabric configuration: Supported on 16-Gbps (Gen 5) and 32-Gbps (Gen 6) platforms only (Brocade 6505, 6510, 6520, G620, M6505, 6547, 6548, Brocade DCX 8510 Backbones and X6 Directors), and only if no other platforms are used.
compatibility is enabled. However, creation of new QoSH5 zones using the zoneCreate command, Webtools, or BNA version 14.0.1 or higher is not allowed when vTap/QoSH compatibility is enabled. This enforcement is only applied on and for the local switch. For example, if a QoSH5 zone create, rename, or update command is run on a switch that is not configured for vTap/QoSH compatibility, the zone update is accepted on those switches where vTap/QoSH compatibility is enabled.
FIGURE 55 Traffic prioritization in a logical fabric

Traffic prioritization based on QoS zones

Quality of service (QoS) zones are user-defined zones that allow you to manage the traffic priority between specified host–target pairs. You assign these pairs high, medium, or low quality of service (QoS)-level priority by configuring a QoS zone for that level, and then identifying those pairs as members of the appropriate zone. A host–target pair can only belong to one QoS zone.
As examples, “QOSH3_HighPriorityTraffic” and “QOSL1_LowPriorityZone” are both valid QoS zone names. Each priority level is allocated to different virtual channels (VCs). High-priority flows receive more fabric resources than medium-priority flows, which receive more resources than low-priority flows. For example, you could assign online transaction processing (OLTP) to a high priority zone and backup traffic to a low priority zone.
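The rule that a host-target pair can belong to only one QoS zone can be checked offline against saved cfgShow output. The following is an added example, not code from the Brocade guide; the QOSM prefix for medium priority, the treatment of any two members of a zone as a potential host-target pair, and the sample configuration text are assumptions or constructed inputs.

```python
import re
from itertools import combinations

# A zone entry runs from "zone:" to the next cfg/zone/alias entry or the
# start of the effective configuration.
ZONE_RE = re.compile(
    r"(?<!\S)zone:\s*(\S+)\s+(.*?)"
    r"(?=\s*(?:zone:|cfg:|alias:|Effective configuration:)|\s*\Z)",
    re.S,
)
# Prefix form taken from the zone names on this page (QOSH3_, QOSL1_);
# "M" for medium priority is an assumption.
QOS_NAME_RE = re.compile(r"^QOS([HML])\d*_")
PRIORITY = {"H": "high", "M": "medium", "L": "low"}


def parse_zones(cfgshow_text):
    """Return {zone_name: set(members)} from cfgShow-style text."""
    zones = {}
    for name, body in ZONE_RE.findall(cfgshow_text):
        members = {m.strip().lower() for m in body.split(";") if m.strip()}
        # The same zone can appear in the defined and effective sections.
        zones.setdefault(name, set()).update(members)
    return zones


def qos_priority(zone_name):
    """Return 'high', 'medium' or 'low' for a QoS zone name, else None."""
    match = QOS_NAME_RE.match(zone_name)
    return PRIORITY[match.group(1)] if match else None


def qos_pair_conflicts(cfgshow_text):
    """List member pairs that appear together in more than one QoS zone.

    Returns sorted [(pair, [zone names])]; non-QoS zones are ignored.
    """
    pair_zones = {}
    for name, members in parse_zones(cfgshow_text).items():
        if qos_priority(name) is None:
            continue
        for pair in combinations(sorted(members), 2):
            pair_zones.setdefault(pair, set()).add(name)
    return sorted((pair, sorted(names))
                  for pair, names in pair_zones.items() if len(names) > 1)


# Constructed sample: QOSH1_zone and QOSL2_zone use the WWNs from this page;
# QOSM1_backup and zone_plain are invented to show a conflict and a
# non-QoS zone that must be ignored.
SAMPLE_CFGSHOW = """\
Defined configuration:
 cfg:   cfg1    QOSH1_zone; QOSL2_zone; QOSM1_backup; zone_plain
 zone:  QOSH1_zone
                10:00:00:00:10:00:00:00; 10:00:00:00:20:00:00:00
 zone:  QOSL2_zone
                10:00:00:00:30:00:00:00; 10:00:00:00:40:00:00:00
 zone:  QOSM1_backup
                10:00:00:00:10:00:00:00; 10:00:00:00:20:00:00:00;
                10:00:00:00:50:00:00:00
 zone:  zone_plain
                10:00:00:00:10:00:00:00; 10:00:00:00:20:00:00:00
"""

if __name__ == "__main__":
    for pair, names in qos_pair_conflicts(SAMPLE_CFGSHOW):
        print(" <-> ".join(pair), "is in", ", ".join(names))
```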
Notes on QoS zoning

The following items should be kept in mind when working with QoS zoning:
∙ For new switches, QoS mode is automatically enabled on the E_Ports, except for long-distance E_Ports. For long-distance E_Ports, you must manually enable QoS mode.
∙ If you upgrade to Fabric OS 7.2.0 or later from Fabric OS 7.1.
sw0:admin> zonecreate "QOSH1_zone", "10:00:00:00:10:00:00:00; 10:00:00:00:20:00:00:00"
sw0:admin> zonecreate "QOSL2_zone", "10:00:00:00:30:00:00:00; 10:00:00:00:40:00:00:00"
sw0:admin> zoneshow
sw0:admin> cfgadd "cfg1", "QOSH1_zone"
sw0:admin> cfgadd "cfg1", "QOSL2_zone"
sw0:admin> cfgshow
Defined configuration:
cfg: cfg1 QOSH1_zone; QOSL2_zone
zone: QOSH1_zone 10:00:00:00:10:00:00:00; 10:00:00:00:20:00:00:00
zone: QOSL2_zone 10:00:00:00:30:00:00:00; 10:00:00:00:40:00:00:00
Effec
Disabling QoS zone-based traffic prioritization

1. Connect to the switch and log in using an account with admin permissions.
2. Enter the cfgRemove command to remove the QoS zones from the current zone configuration.
   cfgremove "configname" "qos_zonename"
3. Enter the cfgEnable command for the appropriate zone configuration to make the change effective.
   cfgenable "configname"
4. Enter the portCfgQos --disable command to disable QoS on the E_Ports.
∙ QoS zones that use D,I notation should not be used for loop or NPIV ports.
∙ If QoS is enabled, an additional 16 buffer credits are allocated per port for 8-Gbps ports in Extended Mode (LE). Refer to Managing Long-Distance Fabrics on page 483 for information about buffer credit allocation in extended fabrics.
NOTE
If a switch is running a firmware version earlier than Fabric OS v6.3.0, the outgoing frames from that switch lose their priority.

High availability considerations for CS_CTL-based frame prioritization

If the standby CP is running a Fabric OS version earlier than 6.3.0 and is synchronized with the active CP, then you cannot enable CS_CTL-based frame prioritization on the active CP.
ATTENTION
After changing the CS_CTL QoS mode in a chassis, you must run the slotPowerOff/On commands for all the edge blades, whereas in a fixed-port switch you must reboot the switch. This is required for the new CS_CTL QoS mode to become effective, because this mode change affects the persistent storage in the switch/chassis.

To display the current mode, use the following command:

switch:admin> configshow -all | grep csctl
Default mode – fos.csctlMode:0
Auto mode – fos.
In-flight Encryption and Compression

∙ In-flight encryption and compression overview (page 401)
∙ Configuring in-flight encryption and compression on an EX_Port (page 407)
∙ Configuring in-flight encryption and compression on an E_Port
FIGURE 57 Encryption and compression on 16 Gbps ISLs

Supported ports for in-flight encryption and compression

The in-flight encryption and compression features are supported only on E_Ports and EX_Ports, and only on the Brocade 6510, 6520, G620 switches, and 7840 extension switches, 16 Gbps Blade Server SAN I/O Modules, DCX 8510 Backbones and X6 Directors. The ports can run at any speed, but must be 16 Gbps-capable or 32 Gbps-capable.
In-flight encryption and compression restrictions

NOTE
In-flight encryption is not supported on any Gen 6 (32-Gbps) platform in Fabric OS release 8.0.1. However, in-flight compression is supported on all Gen 6 (32-Gbps) platforms starting with Fabric OS 8.0.1. A maximum of four ports per ASIC can be enabled with compression regardless of the port speed on 32-Gbps Gen 6 platforms.
TABLE 79 Gen 5: Number of ports supported for in-flight encryption and compression at various port speeds (continued)

Port speed            Encryption only   Compression only   Encryption and compression
Auto-negotiate (AN)   4 ports           4 ports            4 ports

6510 Fixed-port switches and 16 Gbps Blade Server SAN I/O Modules [10]
16 Gbps               2 ports           2 ports            2 ports
10 Gbps               3 ports           3 ports            3 ports
8/4/2 Gbps            4 ports           4 ports            4 ports
Auto-negotiate (AN)   2 ports           2 ports            2 ports

6520 F
ATTENTION
Any mismatch in configuration at either end of the IFL or authentication failure results in segmentation or, in rare cases, the port being disabled.

The most common reasons for E_Port or EX_Port segmentation include the following situations:
∙ Port authentication fails. One of the following error messages is displayed:
    Authentication Rejected
    Authentication Failure
∙ Encryption or compression configurations do not match at both ends.
∙ The in-flight encryption protocol supports the AES-GCM authenticated encryption block cipher mode. A key, Initial Vector (IV), segment number, and salt are required to encrypt the data before it is transmitted, and to decode the data after it is received on the other end of the link.
In-flight compression on long-distance ports

When configuring in-flight compression on long-distance ports, it is recommended to configure the long-distance ports with double the number of buffers. Configure the port to use the long-distance LS mode and specify the number of buffers to allocate to the port.
Refer to Enabling in-flight compression on page 412 for instructions.
6. Obtain the WWN of the front phantom domain using the portCfgExPort command. You need this WWN when you set up the secret key on the E_Port on the other end of the IFL.
Refer to Enabling in-flight compression on page 412 for instructions.

Following successful port initialization, the configured features are enabled and active. You can use the islShow command to check that the E_Port has come online with encryption or compression enabled. Alternatively, you can use the portEncCompShow command to see which ports are active. If port initialization is not successful, you can check for port segmentation errors with the switchShow command.
You must obtain the WWN of the peer switch to configure the secret key. If you are configuring an EX_Port on an FC router, you can use the fcrEdgeShow command to obtain the WWN of the switch at the other end of the IFL.

NOTE
Only DH-CHAP authentication is supported for in-flight encryption of EX_Ports.

1. Log in to the switch using an account with admin permissions, or an account with OM permissions for the Authentication RBAC class of commands.
If you are configuring authentication on an EX_Port, there is no need to set the authentication policy to Active or On. EX_Ports can operate on any switch authentication policy.
6. Verify the authentication configuration using the authUtil --show command.

The following example sets up authentication in preparation for in-flight encryption.
Enabling in-flight encryption

Enable in-flight encryption to provide security for frames while they are in flight between two switches. Frames are encrypted at the egress point of an ISL and then decrypted at the ingress point. Enabling encryption is an offline event. Ports must be disabled first, and then re-enabled after. Before performing this procedure, it is recommended that you check for port availability.
1. Connect to the switch and log in using an account with admin permissions, or an account with OM permissions for the SwitchPortConfiguration RBAC class of commands.
2. Enter the portDisable command to disable the port on which you want to configure compression.
3. Enter the portCfgCompress --enable command to enable compression.
Speed Level:        AUTO(SW)
(output truncated)
D-Port mode:        OFF
D-Port over DWDM    ..
Compression:        OFF
Encryption:         OFF

Disabling in-flight compression

Disabling compression is an offline event. Ports must be disabled first, and then re-enabled after.

NOTE
Firmware downgrade from Fabric OS 7.3.0 to an earlier version is blocked if in-flight encryption with FCAP protocol is set. Please set the DHCHAP protocol using the authutil --set command before downgrade.

1.
Diagnostic Port

∙ Supported platforms for D_Port (page 415)
∙ Licensing requirements for D_Port (page 416)
∙ Understanding D_Port
∙ Brocade 16-Gbps HBA (Brocade Fabric Adapter 1860) ports operating in HBA mode with a 16-Gbps SFP+ on Brocade 16-Gbps switches running Fabric OS version 7.1 or later.
∙ Non-Brocade 16-Gbps HBAs: Emulex LPe16002B-M6, QLogic QLE-2672, QLogic 1860-2P
∙ Non-Brocade 32-Gbps HBAs: Emulex LPe32000B, QLogic QLE2764, QLogic QLE2742

Brocade HBA v3.1 provides limited support for D_Port. Brocade HBA v3.2 provides extensive support for D_Port, including dynamic D_Port mode.
FIGURE 58 Example of a basic D_Port connection between switches

Once the ports are configured and enabled as D_Ports, the following basic test suite is executed in the following order, depending on the SFPs installed:
1. Electrical loopback (with 16/32-Gbps SFP+ and QSFP)
2. Optical loopback (with 16/32-Gbps SFP+ and QSFP)
3.
∙ Dynamic — The port is automatically set to a D_Port based on an external request from a remote port on the other end of the connection. In this mode, the port remains a D_Port until all the diagnostic tests are completed and the remote port reverts to normal mode. For the port to become a dynamic D_Port, the remote port on the other end of the connection must be either a static D_Port or an on-demand D_Port.
TABLE 82 D_Port configuration mode and nature of test

D_Port mode/nature of test   Description
Mode
  Static                     You must configure the port explicitly. Port remains a D_Port until you remove the configuration.
  Dynamic                    No user configuration is required. D_Port mode is initiated by external request/event from the remote port. The remote port can either be a static or on-demand D_Port.
  On-demand                  No user configuration is required.
∙ When you run a D_Port test on the links between a FC16-64 port blade and a fixed-port switch or blade, run the test on one link at a time for short distance links. If you have 100-km links, you should start the test on other links only after the 100-km link test is completed.
∙ In case of switch-to-Host Bus Adapter (HBA) or Access Gateway-to-HBA connections with Brocade HBA v3.2.3 or later, Brocade recommends that D_Port tests be limited to a maximum of eight D_Ports at once.
∙ There is no HA support for D_Port test options and results. Any information from a previous test is lost following a failover or reboot.
∙ During an HA failover reboot on one side of the link, the link is reinitialized and may restart the test. However, the test cannot proceed if the remote port is not ready to proceed further (the remote port may already be done with the D_Port test and in the final state).
Topology 2: ICLs

The following figure illustrates inter-chassis links (ICLs) between slots 5 and 8 in corresponding chassis. The letter E represents E_Ports to be configured as D_Ports.

FIGURE 60 ICLs connecting chassis blades

Static-static, static-dynamic, and on-demand-dynamic D_Port modes are also supported on the ICLs.

Topology 3: Access Gateways

The following figure illustrates a switch configured as a single Access Gateway connected to a fabric switch.
FIGURE 61 Single Access Gateway to switch

The above topology is supported only with static-static D_Port modes.

The following figure illustrates multiple Access Gateways connected to a switch in a cascaded topology. The letters N and F represent, respectively, an N_Port and an F_Port to be configured as D_Ports.

FIGURE 62 Multiple Access Gateways cascaded to switch

The above topology is supported only with static-static D_Port modes.
FIGURE 63 Access Gateway to HBA

Static-static and static (HBA) - dynamic (AG) D_Port modes are supported.

Saving port mappings on an Access Gateway

Before configuring ports as D_Ports on a switch configured as an Access Gateway, you must remove N_Port-to-F_Port and device (WWN) mappings. Fabric OS commands are available to save N_Port mappings. Once you save them, you can display the saved N_Port mappings to reconfigure them after D_Port is disabled.
FIGURE 64 HBA to switch

For configuration details, refer to "Using D_Port with HBAs" in this chapter.

Using D_Port in static-static mode between switches

You can configure D_Ports in static-static modes between switches (ISLs), chassis (ICLs), Access Gateways, and switch-Access Gateway links.
2. Configure Port 1 on Switch A as a D_Port in static mode.
   switchA:admin> portcfgdport --enable 1
3. Repeat Step 1 and Step 2 for the corresponding port (in this example, Port 2) on Switch B.
   switchB:admin> portdisable 2
   switchB:admin> portcfgdport --enable 2
4. Reenable Port 1 on Switch A.
   switchA:admin> portenable 1
5. Reenable Port 2 on Switch B.
   switchB:admin> portenable 2
   The basic test suite starts as soon as both ports are enabled and ready to perform the test.
6.
Disabling D_Port in static mode

Use this procedure to disable a D_Port diagnostics session in static mode, as configured in "Enabling D_Port in static mode."

NOTE
"Port 1" and "Port 2" simply represent corresponding peer ports at opposite ends of the link to be tested.

1. Disable Port 1 on Switch A.
   switchA:admin> portdisable 1
2. Disable the D_Port functionality in static mode on Port 1 on Switch A.
   switchA:admin> portcfgdport --disable 1
3.
The following example shows how to provision a port with the DWDM option.
   Switch:admin> portcfgdport --provision -add -dwdm 7/16
The following example shows how to provision a port without the DWDM option.
   Switch:admin> portcfgdport --provision -add 7/20
2. (Optional) To remove one or more ports from the provision list, use the portcfgdport --provision -delete [-dwdm] [slot/]port_list command. Specifying the -dwdm is optional.
The following example disables the port as DWDM.
   Switch:admin> portcfgdport --disable -dwdm 5

Using D_Port between switches and HBAs

When HBAs are used, D_Port mode initiates electrical loopback, optical loopback, and link-traffic diagnostic tests on the link between the HBA and the connected switch port.
1. Configure the Brocade switch into dynamic D_Port mode as follows.
   a) Disable the switch by entering the switchDisable command.
      NOTE
      Dynamic D_Port is enabled by default.
      switch:admin> switchdisable
   b) Enter the configure command, and then select "D-Port Parameters" and ensure that dynamic D_Port testing is enabled and on-demand port testing is disabled.
      Configure...
NOTE
These commands are for Brocade HBAs only. Refer to documentation from other vendors as appropriate.

∙ bcu diag --dportenable: Enables D_Port on a specific port, sets the test pattern, and sets the frame count for testing.
∙ bcu diag --dportdisable: Disables D_Port on a specific port and sets the port back to an N_Port or NL_Port.
∙ bcu diag --dportshow: Displays test results for a test in progress on a specific port.
∙ Powering off and on or plugging in and out slots containing ports in D_Port mode results in those ports losing the dynamic D_Port state when the slot or port is back up. If this happens, you must reconfigure the static D_Port mode on the HBA.

NOTE
Note the following considerations applicable to 32-Gbps SFPs and QSFPs. With the introduction of the new SFPs and QSFPs, FEC and FEC with Transmitter Training Signal (TTS) mode is enabled by default for 32 Gbps.
5. Connect to the HBA without the SFP and disable the native port.
   # bcu port --disable 1/0
   port disabled
6. Attempt to enable the D_Port.
   # bcu diag --dportenable 1/0
   ERROR: SFP is not present.
   D-port will be enabled but it will be operational only after inserting a valid SFP.

Using D_Port in on-demand mode

Enabling on-demand D_Port switch-wide configuration forces the ports on that switch or chassis to respond to internal requests within the switch as a result of certain events.
The following example shows the portdporttest --show output where the electrical and optical tests pass but the link traffic test fails.
End time: Tue Jun 23 07:28:15 2015
Status: PASSED
======================================================================
Test                  Start time   Result   EST(HH:MM:SS)   Comments
======================================================================
Electrical loopback   07:27:45     PASSED   --------        --------
Optical loopback      07:28:04     PASSED   --------        --------
Link traffic test     07:28:10     PASSED   --------        --------
======================================================================
NPIV

∙ NPIV overview (page 437)
∙ Configuring NPIV (page 438)
∙ Enabling and disabling NPIV
Upgrade considerations

The maximum logins per switch decreased with Fabric OS v6.4.0. When upgrading from a release previous to Fabric OS v6.4.0, the configured maximum is carried forward and may exceed the Fabric OS v6.4.0 limit. It is recommended to reconfigure this parameter to be within the range permitted in Fabric OS v6.4.0 and later.

Fixed addressing mode

Fixed addressing mode is the default addressing mode used in all platforms that do not have Virtual Fabrics enabled.
Whichever of these two (addressing mode or the value configured through portCfgNPIVPort) is lower will be the maximum number that can be logged in.

CAUTION
The portDisable command disables the port and stops all traffic flowing to and from the port. Use this command during a scheduled maintenance.

1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the portDisable command.
3.
NOTE
If the NPIV feature is disabled, the port is toggled if NPIV devices are logged in from that F_Port (a true NPIV port). Otherwise, the firmware considers that port as an F_Port even though the NPIV feature was enabled.

Base device logout

Base device logout is a Fibre Channel - Link Service 2 (FC-LS2) standard-based feature in which the Fabric OS firmware allows NPIV devices to remain logged in after the base device logs out.
Enabling base device logout

Both the active and the standby switches/AGs should be upgraded to Fabric OS 7.3.0 or later. The purpose of this feature is to make it possible for all devices, including the base device and NPIV devices on an NPIV port, to log out and log in without disrupting the remaining logged-in devices. By default, the base device logout option is disabled on all the ports.

1. Enable NPIV on the required ports.
∙ Default switch behavior is the legacy functionality (base device logout is disabled).
∙ All checks for duplicate WWN remain valid.
∙ The base device logout feature can coexist with other switches that do not have base device logout enabled, even if they are in the same fabric.
∙ Any port-related Fabric OS features that depend on the base device cannot work when the base device logs out. One example of this is device probing.
Viewing NPIV port configuration information

Fabric OS allows you to see N_Port ID Virtualization (NPIV) port configuration information using the portcfgshow and switchshow commands.

1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter portcfgshow to view the switch ports information.
portDisableReason: None
portCFlags: 0x1
portFlags: 0x24b03 PRESENT ACTIVE F_PORT G_PORT NPIV LOGICAL_ONLINE LOGIN NOELP LED ACCEPT
portType: 10.0
portState: 1 Online
portPhys: 6 In_Sync
portScn: 32 F_Port
port generation number: 148
portId: 630200
portIfId: 43020005
portWwn: 20:02:00:05:1e:35:37:40
portWwn of device(s) connected:
    c0:50:76:ff:fb:00:16:fc
    c0:50:76:ff:fb:00:16:f8
... (output truncated) ...
Fabric-Assigned PWWN

∙ Fabric-Assigned PWWN overview (page 445)
∙ User- and auto-assigned FA-PWWN behavior (page 446)
∙ Configuring an FA-PWWN for an HBA connected to an Access Gateway
FIGURE 65 Fabric-assigned port World Wide Name provisioning scenarios

User- and auto-assigned FA-PWWN behavior

Each switch port and Access Gateway port can have up to two FA-PWWNs, one assigned automatically and one assigned by the user. FA-PWWNs must be unique, and only one FA-PWWN can be active at any given time. The automatically assigned FA-PWWN is created by default if you enable the feature without explicitly providing a virtual PWWN.
Configuring an FA-PWWN for an HBA connected to an Access Gateway

To configure an FA-PWWN, assign the FA-PWWN on the Access Gateway switch. The FA-PWWN feature is enabled by default on the HBA. Refer to the Brocade Adapters Administrator’s Guide for a list of supported HBAs.

1. Log in to the edge switch to which the Access Gateway is directly connected.
2. Assign the FA-PWWN.
1. Log in to the edge switch to which the device is connected.
2. Assign the FA-PWWN.
   ∙ If you are manually assigning a WWN, enter the following command:
     fapwwn --assign -port [slot/]port -v Virtual_PWWN
   ∙ If you want the WWN to be automatically assigned, enter the following command:
     fapwwn --assign -port [slot/]port
3. Display the FA-PWWN.
   fapwwn --show -port all
   You should see output similar to the following sample. The FA-PWWNs are in the VPWWN column.
  – Brocade 6520
∙ Access Gateway platforms running Fabric OS v7.0.0 or later:
  – Brocade 6505
  – Brocade 6510

Refer to the release notes for the supported Brocade HBA or adapter versions.

Configuration upload and download considerations for FA-PWWN

The configuration upload and download utilities can be used to import and export the FA-PWWN configuration.
NOTE
FA-PWWN is supported with F_Port trunking on the supported Access Gateway platforms.

Access Gateway N_Port failover with FA-PWWN

If an Access Gateway is connected to multiple switches, you should configure the same FA-PWWNs on both switches to avoid having to reboot the host in case of failover.
Inter-chassis Links

∙ Inter-chassis links (page 451)
∙ ICLs between DCX 8510 Backbones (page 452)
∙ ICLs between X6 Directors
Enterprise ICL (EICL) license enforcement is applicable for Inter Fabric Links (IFL) via ICL links on Gen-5 platforms and is not applicable for Gen-6 platforms. In a mixed Gen-5 and Gen-6 environment, the edge fabric will additionally count the ICL IFL links for its license enforcement. When a Gen-5 chassis is connected to a Gen-6 chassis, the Gen-5 takes precedence and imposes the EICL license limit on the links. Prior to 8.0.
The Brocade DCX 8510-8 has four port groups on the CR16-8 core blade. The Brocade DCX 8510-4 has two port groups on the CR16-4 core blade. Each port group has four QSFP connectors, and each QSFP connector maps to four user ports. Refer to the hardware reference manuals for details about the port groups. The following table shows the mappings from the numbered QSFP ports on the face of the core blade to the individual FC port numbers as shown by the slotShow command.
∙ The maximum number of ICLs between two Brocade DCX 8510-4 chassis or between a Brocade DCX 8510-8 and a Brocade DCX 8510-4 is 16. The maximum number of ICLs between two Brocade DCX 8510-8 chassis is 32. Because the FSPF routing logic uses only the first 16 paths to come online, only 16 ICLs are utilized. With Virtual Fabrics, however, you can define two logical switches on the chassis and have 16 ICLs in each.
The following tables summarize the possible trunking connections between DCX 8510 Backbones:

Connecting blades      2 to 4-port ICL trunks
CR16-8 and CR16-8      Supported with QSFPs located within the same trunk group on each blade
CR16-8 and CR16-4      Supported with QSFPs located within the same trunk group on each blade
CR16-4 and CR16-4      Supported with QSFPs located within the same trunk group on each blade

Refer to the specific hardware reference manuals for information about port number
TABLE 88 External port to slotShow port mapping for core blades

External port number   slotShow FC port numbers   External port number   slotShow FC port numbers
0                      0-3                        8                      32-35
1                      4-7                        9                      36-39
2                      8-11                       10                     40-43
3                      12-15                      11                     44-47
4                      16-19                      12                     48-51
5                      20-23                      13                     52-55
6                      24-27                      14                     56-59
7                      28-31                      15                     60-63

Following are ICL configuration guidelines for trunking bandwidth and High Availability:

∙ A minimum of four ICL ports (two on each core blade) must be connected b
FIGURE 67 Minimum configuration for 128 Gbps ICLs
1. X6-8 Chassis with two CR32-8 blades
2. X6-4 Chassis with two CR32-4 blades

∙ The maximum number of ICLs between two X6-4 chassis or between a X6-8 and a X6-4 is 16. The maximum number of ICLs between two X6-8 chassis is 32. Because the FSPF routing logic uses only the first 16 paths to come online, only 16 ICLs are utilized.
NOTE
QSFP ICLs and ISLs in the same logical switch and connected to the same neighboring switch are not supported. This is a topology restriction with 16 Gbps ICLs and any ISLs that are E_Ports or VE_Ports. If Virtual Fabrics is enabled, you can have ICLs and ISLs between a pair of X6 chassis if the ICLs are in a different logical switch than the ISLs.
Ports belonging to the same trunking groups are indicated with the same color border under the ports on the blade faceplate. These colors are also applied to the port map labels on each blade faceplate to indicate ports belonging to the same trunking groups.
The Brocade DCX 8510-8/X6-8 has four port groups on the CR16-8/CR32-8 core blade. The Brocade DCX 8510-4/X6-4 has two port groups on the CR16-4/CR32-4 core blade. Each port group has four QSFP connectors, and each QSFP connector maps to four user ports. Refer to the hardware reference manuals for details about the port groups. Note the port numbers that form a port group in Gen 5 vs Gen 6 CR blades represented in the following illustration.
NOTE
QSFP ICLs and ISLs in the same logical switch and connected to the same neighboring switch are not supported. This is a topology restriction with 16 Gbps ICLs and any ISLs that are E_Ports or VE_Ports. If Virtual Fabrics is enabled, you can have ICLs and ISLs between a pair of DCX 8510 Backbone/X6 Director chassis if the ICLs are in a different logical switch than the ISLs.
Refer to the specific hardware reference manuals for information about port numbering, port trunk groups, and connecting the ICL cables.

Virtual Fabrics considerations for ICLs

In Virtual Fabrics, the ICL ports can be split across the logical switch, base switch, and default switch. The triangular topology requirement must be met for each fabric individually. The following restrictions apply:

∙ ICL ports cannot be in a logical switch that is using XISLs.
Supported topologies for ICL connections

You can connect the Brocade Backbones and/or Directors in a mesh topology and a core-edge topology. A brief description of each follows. (You can also connect two DCX 8510 chassis or X Directors point-to-point.) The illustrations in this section show sample topologies. Refer to the Brocade SAN Scalability Guidelines for details about maximum topology configurations.
FIGURE 69 Three Brocade X6-8 chassis in full mesh triangular ICL topology

During an ICL break in the triangular topology, the chassis that has the connections of the other two is the main chassis. Any error messages relating to a break in the topology appear in the RASlog of the main chassis.
FIGURE 70 Full nine-mesh topology

Core-edge topology

NOTE
A maximum of 12 chassis can be interconnected to form a core-edge topology using ICL links.

You can also connect the Brocade DCX 8510 Backbones in a core-edge topology. For example, Figure 71 shows six chassis connected in a core-edge topology (four edges and two cores). Although Figure 71 shows only the Brocade DCX 8510-8, each chassis can be either a Brocade DCX 8510-4 or a DCX 8510-8.
FIGURE 71 Gen 5 DCX 8510 64 Gbps ICL core-edge topology
Managing Trunking Connections

∙ Trunking overview
∙ Supported platforms for trunking
∙ N_Port trunking is configured on a link between a switch and either an Access Gateway module or a Brocade adapter. It is similar to F_Port trunking. The trunk ports are N_Ports (on the Access Gateway or adapter) connected to F_Ports (on the switch). For more information, refer to Configuring F_Port trunking for a Brocade adapter on page 478, the Access Gateway Administrator's Guide, and the Brocade Adapters Administrator's Guide.
FIGURE 72 Port group configuration for the Brocade G620

Supported platforms for trunking

Trunking is supported on the FC ports of all Brocade platforms and blades supported in Fabric OS v7.0.0 and later. EX_Port trunking is supported only on those platforms that support EX_Ports. Refer to Supported platforms for FC-FC routing on page 490 for more information.
∙ All of the ports in a trunk group must belong to the same port group.
∙ All of the ports in a trunk group must meet the following conditions:
  – They must be running at the same speed.
  – They must be configured for the same distance.
  – They must have the same QoS and FEC state.
  – They must have the same encryption and compression state.
∙ Trunk groups must be between Brocade switches (or Brocade adapters in the case of F_Port trunking).
Configuring trunk groups

After you install the Trunking license, you must re-initialize the ports that are to be used in trunk groups so that they recognize that trunking is enabled. This procedure needs to be performed only once, and is required for all types of trunking. To re-initialize the ports, you can either disable and then re-enable the switch, or disable and then re-enable the affected ports.

1.
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the portCfgTrunkPort command to disable trunking on a port. Enter the switchCfgTrunk command to disable trunking on all ports on the switch.
       portcfgtrunkport [slot/]port mode
       switchcfgtrunk mode
   Mode 0 disables trunking.
The following example shows trunking information along with the bandwidth and throughput for all the trunk groups in a switch.

switch:admin> trunkshow -perf
  1:  2->  2 10:00:00:05:1e:81:56:8b   1 deskew 15 MASTER
      3->  3 10:00:00:05:1e:81:56:8b   1 deskew 17
    Tx: Bandwidth 4.00Gbps, Throughput 1.66Gbps (48.45%)
    Rx: Bandwidth 4.00Gbps, Throughput 1.66Gbps (48.44%)
    Tx+Rx: Bandwidth 8.00Gbps, Throughput 3.33Gbps (48.
The distance supported depends on the available buffers, the number of back-end ports, and the number of ports that are offline. For more information on setting port speeds, refer to Performing Advanced Configuration Tasks on page 69.

EX_Port trunking

You can configure EX_Ports to use trunking just as you do regular E_Ports.
Masterless EX_Port trunking has additional configuration requirements. Refer to Masterless EX_Port trunking on page 474 for these additional requirements.

NOTE
QoS and EX_Port trunking can coexist. However, if some ports in the trunk group have QoS enabled and some have QoS disabled, then two trunk groups will form: one with QoS enabled and one with QoS disabled.
Refer to the Access Gateway Administrator's Guide for information about configuring the corresponding N_Port trunking on the Access Gateway.

F_Port trunking for Access Gateway

You can configure trunking between the F_Ports on an edge switch and the N_Ports on an Access Gateway module.

NOTE
You cannot configure F_Port trunking on the F_Ports of an Access Gateway module.
FIGURE 74 Switch in Access Gateway mode with F_Port masterless trunking

NOTE
You do not need to map the host to the master port manually because the Access Gateway will perform a cold failover to the master port.

Refer to Configuring F_Port trunking for an Access Gateway on page 477 for instructions on configuring F_Port trunking.
2. Enter the portCfgShow command to ensure that the ports have trunking enabled. If trunking is not enabled, enter the portCfgTrunkPort port 1 command.
3. Enter the portDisable command for each port to be included in the TA.
4. Enter the portTrunkArea --enable command to enable the trunk area.
   For example, the following command creates a TA for ports 36-39 with index number 37.
F_Port trunking considerations

Table 90 describes the F_Port masterless trunking considerations.

TABLE 90 F_Port masterless trunking considerations

Category           Description
Area assignment    You statically assign the area within the trunk group on the edge switch. That group is the F_Port trunk. The static trunk area you assign must fall within the ASIC's trunk group of the switch or blade starting from port 0, and must be one of the port’s default areas of the trunk group.
TABLE 90 F_Port masterless trunking considerations (continued)

Category            Description
Long Distance       Long distance is not allowed on F_Port trunks, which means that a Trunk Area is not allowed on long-distance ports. You cannot enable long distance on ports that have a Trunk Area assigned to them.
Management Server   Registered Node ID (RNID), Link Incident Record Registration (LIRR), and Query Security Attribute (QSA) ELSs are not supported on F_Port trunks.
∙ If a port is enabled for F_Port trunking, you must disable the configuration before you can move a port from the logical switch.
∙ If the user-bound area for a port is configured by means of the portAddress command, the port cannot be configured as an F_Port trunk port. You must explicitly remove the user-bound area before enabling F_Port trunking.
∙ If you swap a port by using the portSwap command, you must undo the port swap before enabling F_Port trunking.
This command does not unassign a TA if its previously assigned Area_ID is the same address identifier (Area_ID) of the TA unless all the ports in the trunk group are specified to be unassigned.

switch:admin> portdisable 0-2
switch:admin> porttrunkarea --disable 0-2
Trunk index 2 disabled for ports 0, 1, and 2.
Managing Long-Distance Fabrics

∙ Long-distance fabrics overview
∙ Extended Fabrics device limitations
∙ Long-distance link modes
Long-distance link modes

Use the portCfgLongDistance command to support long-distance links and to allocate sufficient numbers of full-size frame buffers on a specific port. Changes made by this command are persistent across switch reboots and power cycles. The portCfgLongDistance command supports the following long-distance link modes:

∙ Normal Mode (L0) — L0 is the normal (default) mode for an E_Port. It configures the E_Port as a standard (not long-distance) ISL.
TABLE 92 Fabric-wide settings

Field      Type     Default   Range
Domain     Number   1         Varies
R_A_TOV    Number   10000     E_D_TOV * 2 to 120000
E_D_TOV    Number   2000      1000 to R_A_TOV/2
WAN_TOV    Number   0         0 to R_A_TOV/4
MAX_HOPS   Number   7         7 to 19

4. For 8-Gbps platforms only, enter the portCfgFillword command to set ARB as the fill word. Refer to the Fabric OS Command Reference for more information on configuring the fill word for a single 8G FC port.
2_parity_err: 0
CMI_bus_err: 0
Ols_out: 0

Enabling long distance when connecting to TDM devices

Use this procedure when connecting to time-division multiplexing (TDM) devices and your Brocade switch has QoS and buffer credit recovery enabled.

1. Connect to the switch and log in using an account assigned to the admin role.
2. Disable QoS.
2. Enter the portCfgLongDistance command and include the -fecDisable option, or issue the portCfgFec command with the -disable option.
3. Enter the portCfgFec --show command to verify the configuration.

switch:admin> portcfglongdistance 1/20 LS 1 -buffers 500 -fecdisable
FEC has been disabled.
Reserved Buffers = 982
Warning: port (132) may be reserving more credits depending on port speed.
Using FC-FC Routing to Connect Fabrics

∙ FC-FC routing overview
∙ Fibre Channel routing concepts
The Integrated Routing license is not required for connectivity between Fabric OS and Brocade Network OS fabrics or between Brocade Network OS fabrics connected by an FC router. The Integrated Routing license allows 8-Gbps and 16-Gbps FC ports on Gen 5 platforms to be configured as EX_Ports (or VEX_Ports) supporting FC-FC routing. To enable EX_Port on the Brocade G620 switch, the Integrated Routing license must be installed.
Supported configurations for FC-FC routing

FC-FC routing supports the following configurations:

∙ FC router connected to a Fabric OS nonsecured edge fabric.
∙ FC router connected to a Fabric OS secured edge fabric.
∙ FC router connected to a Brocade Network OS edge fabric (refer to the Release Notes for the supported Network OS version).
∙ FC router interoperating with legacy FC routers (Brocade 7500 switch).
FIGURE 75 A metaSAN with inter-fabric links

∙ EX_Port and VEX_Port
  An EX_Port and VEX_Port function similarly to an E_Port and VE_Port respectively, but terminate at the switch and do not propagate fabric services or routing topology information from one edge fabric to another. Refer to the Fabric OS FCIP Administrator's Guide for details about VE_Ports.
FIGURE 76 A metaSAN with edge-to-edge and backbone fabrics and LSAN zones

∙ Proxy device
  A proxy device is a virtual device imported into a fabric by a Fibre Channel router, and represents a real device on another fabric. It has a name server entry and is assigned a valid port ID. When a proxy device is created in a fabric, the real Fibre Channel device is considered to be imported into this fabric.
– If EX_Ports and VEX_Ports are attached to different edge fabrics, they must be configured with a unique FID for each edge fabric.

NOTE
Backbone fabrics that share connections to the same edge fabrics must have unique backbone fabric IDs. If two different backbone fabrics are connected to the same edge fabric, the backbone fabric IDs must be different, but the edge fabric IDs must be the same.
FIGURE 77 Edge SANs connected through a backbone fabric

∙ Phantom domains
  A phantom domain is a domain emulated by the Fibre Channel router. The FC router can emulate two types of phantom domains: front phantom domains and translate phantom domains. For detailed information about phantom domains, refer to Phantom domains on page 497.
Proxy devices

An FC router achieves inter-fabric device connectivity by creating proxy devices (hosts and targets) in attached fabrics that represent real devices in other fabrics. For example, a host in Fabric 1 can communicate with a target in Fabric 2 as follows:

∙ A proxy target in Fabric 1 represents the real target in Fabric 2.
∙ Likewise, a proxy host in Fabric 2 represents the real host in Fabric 1.
FC-FC routing topologies

The FC-FC routing service provides two types of routing:

∙ Edge-to-edge: Occurs when devices in one edge fabric communicate with devices in another edge fabric through one or more FC routers.
∙ Backbone-to-edge: Occurs when devices in the FC routers communicate with devices in an edge fabric--known as a backbone fabric--through E_Ports.

A backbone fabric can be used as a transport fabric that interconnects edge fabrics.
FIGURE 79 Sample topology (physical topology)

Figure 80 shows a phantom topology for the physical topology shown in Figure 79. In this figure, the dashed lines and shapes represent the phantom topology from the perspective of Fabric 1. Fabrics 2 and 3 also see phantom topologies, but they are not shown in this example. In this figure, note the following:

∙ Front domain 1 and Front domain 2 are front domains for EX_Ports connecting to Fabric 1.
FIGURE 80 EX_Port phantom switch topology
All EX_Ports or VEX_Ports connected to an edge fabric use the same xlate domain ID for an imported edge fabric; this value persists across switch reboots and fabric reconfigurations. If you lose connectivity to the edge fabric because of link failures or the IFL being disabled, xlate domains remain visible. This prevents unnecessary fabric disruptions caused by xlate domains repeatedly going offline and online due to corresponding IFL failures.
switches can either be merged with the fabric using a different domain ID (front or translate domain ID) or they are segmented from the fabric.

∙ If preferred domain ID is configured on an FC router for front and/or translate domain, the FC router requests the preferred domain ID. Phantom domain IDs are stored persistently and used in RDI request.

To utilize the new range (160 to 239), do one of the following tasks:

Option 1:
1.
Setting up FC-FC routing

To set up FC-FC routing, perform the following tasks in the order listed.

1. Verify that you have the proper setup for FC-FC routing. (Refer to Verifying the setup for FC-FC routing on page 503.)
2. Assign backbone fabric IDs. (Refer to Backbone fabric IDs on page 504.)
3. Configure FCIP tunnels if you are connecting Fibre Channel SANs over IP-based networks.
4. Configure IFLs for edge and backbone fabric connection.
Integrated Routing Ports on Demand license
Capacity 128

If you are connecting to a Fabric OS and the Integrated Routing license is not installed, you must install it, as described in the Fabric OS Software Licensing Guide. The Integrated Routing license is not required if you are connecting to a Brocade Network OS fabric. For configuring EX_Ports on an ICL, both the Integrated Routing license and the ICL POD license are required.

4.
Assigning backbone fabric IDs

1. Log in to the switch or backbone.
2. Enter the switchDisable command if EX_Ports are online.
3. Enter the fosConfig --disable fcr command to disable the FC-FC routing service. The default state for the FC router is disabled.
4. Enter the fcrConfigure --bbfid command. At the prompt, enter the fabric ID, or press Enter to keep the current fabric ID, which is displayed in brackets.
5.
The following example configures alias names for three fabrics, and then configures an EX_Port using the FID alias name.
2. Configure each port that connects to an edge fabric as an EX_Port or VEX_Port using either the portCfgVEXPort or portCfgEXPort command.
   ∙ portCfgVEXPort works only on VE_Ports.
   ∙ portCfgEXPort (only on the FC ports on the FC router) commands work only on ports that are capable of FC-FC routing.
   The following example configures an EX_Port and assigns a Fabric ID of 30 to port 10.
7. Enter the portCfgShow command to view ports that are persistently disabled. FC ports on the Brocade 7800 and 7840 switches and FX8-24 blades are configured as persistently disabled by default to avoid inadvertent fabric merges when installing a new FC router.
Fabric params: R_A_TOV: 0 E_D_TOV: 0
Authentication Type: None
Hash Algorithm: N/A
DH Group: N/A
Edge fabric's primary wwn: N/A
Edge fabric's version stamp: N/A
portDisableReason: None
portCFlags: 0x1
portFlags: 0x1 PRESENT U_PORT EX_PORT
portType: 10.
--------------------------------------------------------------------------------
1 : 350 --> 12 10:00:08:00:88:04:93:94 39 fcr_sw 4G 8G TRUNK

Configuring EX_Ports on an ICL

The following restrictions apply when configuring EX_Ports on an ICL:

∙ Both the active and standby CP must be running Fabric OS 7.2.0 or later in the case of DCX 8510 Backbone.
2013/04/25-21:21:55, [FCR-1071], 29808, SLOT 4 | FID 2, INFO, Pluto, Port 6/23 is changed from non FCR port to FCR port.

4. (Optional) Configure FC router port cost if you want to change the default values. For information about using FC router port cost operations, refer to FC router port cost configuration on page 511.
5. Enter the portEnable command to enable the QSFP ports that you disabled in step 1.
       switch:admin> portenable 6/20-23
6.
connection. If multiple paths exist where one path costs less than the others, then the lowest cost path is used. If exchange-based routing has not been disabled and multiple paths exist with the same lowest cost, there will be load sharing over these paths.

Every IFL has a default cost. The default router port cost values are as follows:

∙ 1,000 for a legacy (v5.
1. Enter the portDisable command to disable any port on which you want to set the router port cost.
       switch:admin> portdisable 7/10
2. Enable EX_Port or VEX_Port mode with the portCfgEXPort or portCfgVEXPort command.
       switch:admin> portcfgexport 7/10 -a 1
3. Enter the fcrRouterPortCost command to display the router port cost for each EX_Port.
∙ For any path for which the cumulative ISL link cost of the path is less than 10,000, the link cost from front domain to translate domain will remain at 10,000, which is the shortest IFL path.

NOTE
The shortest IFL solution is applicable only when the edge fabric has multiple FC router connections and the backbone fabric has at least one available low cost path.
FIGURE 81 Shortest IFL solution
Configuring shortest IFL cost

1. Enter the fcrFabricShow command to view the FC routers on the backbone fabric.

switch:admin>fcrfabricshow
FC Router WWN: 10:00:00:05:1e:58:bd:69, Dom ID: 10, Info: 10.17.33.59, "DID_10"
EX_Port FID Neighbor Switch Info (enet IP, WWN, name)
------------------------------------------------------------------------
34 1 10.17.33.
∙ The following example shows the cumulative ISL cost for the second path identified in step 3: first from FC router ID Domain 40 to FC router ID Domain 30, and then from FC router Domain ID 30 to FC router ID Domain 20.

switch:admin>linkcost 10
Interface10 (E_PORT) Cost 500
switch:admin>linkcost 10
Interface10 (E_PORT) Cost 500

The cumulative link cost for this path is 1000. This path is now known as path 2. Path 1 is selected as the low cost path.

5.
After initiation, the first port from the trunk group that comes online is designated as the master port. The other ports that come online on the trunk group are considered the slave ports. Adding or removing a slave port does not cause frame drop. However, removing a slave port causes the loss of frames in transit. If router port cost is used with EX_Port trunking, the master port and slave ports share the router port cost of the master port.
Controlling device communication with the LSAN

The following procedure illustrates how LSANs control which devices can communicate with each other.
NL 0508ef; 3; 50:05:07:61:00:49:20:b4; 50:05:07:61:00:09:20:b4; na
    FC4s: FCP [IBM DNEF-309170 F90F]
    Fabric Port Name: 20:08:00:05:1e:34:11:e5
    Permanent Port Name: 50:05:07:61:00:49:20:b4
    LSAN: Yes
The Local Name Server has 2 entries }

8. Enter the zoneCreate command to create the LSAN "lsan_zone_fabric2", which includes the host (10:00:00:00:c9:2b:6a:2c), Target A, and Target B.
∙ fcrProxyDevShow shows the proxy devices in the LSAN.
HA and downgrade considerations for LSAN zones

Be aware of how LSAN zones impact high availability and firmware downgrades:

∙ The LSAN zone matrix is synchronized to the standby CP.
∙ On a dual CP switch, both CPs must have Fabric OS v5.3.0 or later.
∙ If the feature is enabled on the active CP, introducing a CP with an earlier version of Fabric OS as a standby will cause HA synchronization to fail.
FIGURE 82 Example of setting up Enforce LSAN tag

FC router 1 does not need to know about the LSAN between edge fabrics 2 and 3. Likewise, FC router 3 does not need to know about the LSAN between edge fabrics 1 and 2. In this scenario, you could set up two Enforce tags, one for each LSAN. On FC router 2, both Enforce tags would be needed, since FC router 2 uses both LSANs. FC router 1 and FC router 3 each need only one tag, for their respective LSANs.
∙ LSAN_FAB1_abc

You can specify up to eight Enforce tags on an FC router. For example, in the figure above, you could configure the following Enforce tags on the FC routers:

∙ For FC router 1, configure one Enforce tag, "21". FC router 1 would accept all LSAN zones starting with "LSAN_21", and so would accept LSAN_21_fab, but not LSAN_23fabrics.
∙ For FC router 2, configure two Enforce tags, "21" and "23".
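The Enforce tag matching described above, as an added example (not Fabric OS code and not part of the original guide): it computes which FC routers would accept each LSAN zone name, so a planned tag scheme can be reviewed before it is configured. The router names, the tag "23" on FC router 3, the zone names not quoted in the text, case-insensitive matching, and "no Enforce tag means no filtering" are assumptions.

```python
"""Added example: review an Enforce LSAN tag plan before configuring it."""

MAX_ENFORCE_TAGS = 8      # the guide allows up to eight Enforce tags per FC router
LSAN_PREFIX = "lsan_"     # compared in lower case (assumption: matching ignores case)


def normalize_tags(tags):
    """Validate one router's Enforce tag list and return it lower-cased."""
    if len(tags) > MAX_ENFORCE_TAGS:
        raise ValueError(
            f"{len(tags)} Enforce tags configured, limit is {MAX_ENFORCE_TAGS}")
    cleaned = []
    for tag in tags:
        key = tag.strip().lower()
        if not key:
            raise ValueError("empty Enforce tag")
        if key in cleaned:
            raise ValueError(f"duplicate Enforce tag {tag!r}")
        cleaned.append(key)
    return cleaned


def router_accepts(zone_name, enforce_tags):
    """True if a router with these Enforce tags would accept the zone."""
    name = zone_name.lower()
    if not name.startswith(LSAN_PREFIX):
        return False                    # an ordinary zone, not an LSAN zone
    tags = normalize_tags(enforce_tags)
    if not tags:
        return True                     # assumption: no tag means no filtering
    remainder = name[len(LSAN_PREFIX):]
    # Matching is by prefix, so tag "21" also captures "LSAN_210_...".
    return any(remainder.startswith(tag) for tag in tags)


def audit(routers, zone_names):
    """Map each zone name to the list of routers that would accept it."""
    return {
        zone: [name for name, tags in routers.items()
               if router_accepts(zone, tags)]
        for zone in zone_names
    }


def unenforced(report):
    """LSAN zones that no router accepts; their devices would not be imported."""
    return [zone for zone, accepted_by in report.items()
            if zone.lower().startswith(LSAN_PREFIX) and not accepted_by]


# Constructed sample data following the three-router scenario in the text.
ROUTERS = {"fcr1": ["21"], "fcr2": ["21", "23"], "fcr3": ["23"]}
ZONES = [
    "LSAN_21_fab",        # quoted in the guide
    "LSAN_23fabrics",     # quoted in the guide
    "LSAN_FAB1_abc",      # quoted in the guide
    "lsan_21_hosts",      # constructed: lower-case prefix
    "LSAN_210_backup",    # constructed: shows how broad a prefix match is
    "payroll_zone",       # constructed: ordinary zone, never an LSAN
]

if __name__ == "__main__":
    report = audit(ROUTERS, ZONES)
    for zone, accepted_by in report.items():
        print(f"{zone:18} -> {', '.join(accepted_by) or 'no router'}")
    print("LSAN zones no router accepts:", unenforced(report))
```

Because matching is by prefix, a short tag captures every zone name that begins with it, so zone naming and tag choice should be reviewed together.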
FIGURE 83 Example of setting up Speed LSAN tag

Rules for LSAN tagging

Note the following rules for configuring LSAN tags:

∙ You configure the tags on the FC router, and not on the edge switches. If Virtual Fabrics is enabled, you configure the tags on the base switch on which the EX_Ports and VEX_Ports are located. You then must ensure that the LSAN zones in the edge fabrics incorporate the tags correctly.
Configuring an Enforce LSAN tag

1. Log in to the FC router as admin.
2. Enter the following command to disable the FC router:
       switchdisable
3. Enter the following command to create an Enforce LSAN tag:
       fcrlsan --add -enforce tagname
   The tagname variable is the name of the LSAN tag you want to create.
4. Enter the following command to enable the FC router:
       switchenable
5.
Displaying the LSAN tag configuration

1. Log in to the FC router as admin.
2. Enter the fcrlsan --show command.
FIGURE 84 LSAN zone binding
After you set up LSAN zone binding, each FC router stores information about only those LSAN zones that access its local edge fabrics. The following table shows what LSAN information is stored in each FC router before and after LSAN zone binding is in effect.
FC router matrix definition

Depending on the structure of the backbone fabric, you can specify pairs of FC routers that can access each other.
4. Enter the following command to apply the changes persistently:
       FCR:Admin> fcrlsanmatrix --apply -all

FCR:Admin> fcrlsanmatrix --add -fcr 10:00:00:60:69:c3:12:b2 10:00:00:60:69:c3:12:b3
FCR:Admin> fcrlsanmatrix --add -lsan 4 5
FCR:Admin> fcrlsanmatrix --add -lsan 4 7
FCR:Admin> fcrlsanmatrix --add -lsan 10 19
FCR:Admin> fcrlsanmatrix --apply -all

Viewing the LSAN zone binding matrixes

1. Log in to the FC router as admin.
2.
Creating location embedded LSAN zones

To create location embedded LSAN zones, complete the following steps:

1. Identify the location and use the portCfgEXPort command to get the remote fabric ID that needs to be embedded in the LSAN zone.
2. Specify the location in the zone name along with the RFID tag.
Example configuration

FIGURE 85 Sample location embedded LSAN zones environment

The following are the LSAN configurations made in the respective fabrics.
Using FC-FC Routing to Connect Fabrics FCR 1 has the following zones: FID FID FID FID FID FID 1: 1: 2: 4: 4: 3: LSAN_A_RFID_2: LSAN_B_RFID_4: LSAN_RFID_1_A: LSAN_A_RFID_1: LSAN_B_RFID_3: LSAN_B_RFID_4: dev1 dev1 dev2 dev4 dev3 dev3 dev2 dev4 dev1 dev1 dev4 dev4 dev2 dev2 dev1 dev1 dev4 dev3 dev3 dev3 dev1 dev3 dev2 dev4 dev1 dev4 dev2 dev4 dev3 dev3 dev2 dev4 dev3 dev1 dev2 dev4 dev3 dev1 dev4 dev4 FCR 2 has the following zones: FID FID FID FID FID FID FID FID 2: 2: 1: 1: 4: 4: 3: 3: LSAN_RFID_1
∙ If you need to change the fabric ID for an EX_Port whose FID is already being used as an RFID value in other edge fabric LSAN zones, you must modify the LSAN zone configuration to a new RFID value. The recommended steps are as follows:
1. Disable the EX_Ports that need an FID change.
2. Configure the EX_Ports with the new FID value.
3. Enable the zone configuration in the respective edge fabrics with the new RFID value.
4.
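
The following is an added example, not part of the Brocade guide or any Brocade tool: a small offline planner that finds every location embedded LSAN zone whose RFID tag refers to a fabric ID about to change, so the affected edge fabric zone configurations can be updated before the EX_Ports are re-enabled. The function names, the inventory dictionary (built from the zone names shown earlier in this section) and the new FID value 40 are assumptions made for illustration.

```python
import re

# Tag format taken from the zone names on this page (LSAN_A_RFID_2, LSAN_RFID_1_A):
# "RFID_<fid>" delimited by underscores inside a name that starts with "LSAN_".
RFID_TAG = re.compile(r"(?<=_)RFID_(\d+)(?=_|$)", re.IGNORECASE)

# Constructed inventory: edge fabric FID -> LSAN zone names defined in that fabric.
SAMPLE_ZONES = {
    1: ["LSAN_A_RFID_2", "LSAN_B_RFID_4"],
    2: ["LSAN_RFID_1_A"],
    3: ["LSAN_B_RFID_4"],
    4: ["LSAN_A_RFID_1", "LSAN_B_RFID_3"],
}


def embedded_rfid(zone_name):
    """Return the remote fabric ID embedded in an LSAN zone name, or None."""
    if not zone_name.upper().startswith("LSAN_"):
        return None  # not an LSAN zone, so any RFID-like text is ignored
    match = RFID_TAG.search(zone_name)
    return int(match.group(1)) if match else None


def plan_rfid_change(zones_by_fid, old_fid, new_fid):
    """Return (edge FID, current name, new name) for each zone tagged with old_fid."""
    if old_fid == new_fid:
        raise ValueError("old and new FID are identical")
    plan = []
    for fid, zones in sorted(zones_by_fid.items()):
        for name in zones:
            if embedded_rfid(name) != old_fid:
                continue  # RFID_40 must not be mistaken for RFID_4
            # Keep the tag's original letter case, swap only the number.
            new_name = RFID_TAG.sub(
                lambda m: m.group(0)[:5] + str(new_fid), name, count=1)
            if new_name in zones:
                raise ValueError(f"FID {fid}: {new_name} already exists")
            plan.append((fid, name, new_name))
    return plan


if __name__ == "__main__":
    for fid, old, new in plan_rfid_change(SAMPLE_ZONES, old_fid=4, new_fid=40):
        print(f"edge fabric FID {fid}: {old} -> {new}")
```

The planner only reports names; the zone configuration itself is still changed and enabled in each edge fabric as described in the steps above.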
Fabric parameter considerations

By default, EX_Ports and VEX_Ports detect, autonegotiate, and configure the fabric parameters without user intervention. You can optionally configure these parameters manually.
∙ To change the fabric parameters on a switch in the edge fabric, use the configure command. Note that to access all of the fabric parameters controlled by this command, you must disable the switch using the switchDisable command.
Disabling broadcast frame forwarding
1. Log in to the FC router as admin.
2. Enter the following command:
fcr:admin> fcrbcastconfig --disable -f fabricID
The fabricID variable is the FID of the edge or backbone fabric on which you want to disable broadcast frame forwarding.

Resource monitoring

It is possible to exhaust resources, such as proxy PIDs. Whenever a resource is exhausted, Fabric OS generates an error message.
10 | 6 34
11 | 6 34
12 | 6 34
13 | 6 34
14 | 6 34
15 | 6 34
16 | 8 34
17 | 8 34
18 | 8 34
19 | 8 34
20 | 8 34
21 | 8 34
22 | 8 34
23 | 8 34

FC-FC routing and Virtual Fabrics

If Virtual Fabrics is not enabled, FC-FC routing behavior is unchanged. If Virtual Fabrics is enabled, then in the FC-FC routing context, a base switch is like a backbone switch and a base fabric is like a backbone fabric.
∙ All FC router commands can be executed only in the base switch context.
∙ The fcrConfigure command is not allowed when Virtual Fabrics is enabled. Instead, use the lsCfg command to configure the FID.
∙ Although the Brocade 6510 and 6520 support up to four logical switches, if you are using FC-FC routing, they can have a maximum of only three logical switches.
∙ In the Brocade 7840, FC-FC routing is not supported on the base switch.
Figure 87 shows a logical representation of the physical chassis and devices in Figure 86. As shown in Figure 87, Fabric 128 and Fabric 15 are edge fabrics connected to a backbone fabric. Fabric 1 is not connected to the backbone, so the device in Fabric 1 cannot communicate with any of the devices in the other fabrics.
FIGURE 88 Backbone-to-edge routing across base switch using FC router in legacy mode

If a backbone fabric has both a Virtual Fabrics-enabled FC router and a Virtual Fabrics-disabled FC router, EX_Ports are not allowed from the base switch of the Virtual Fabrics-enabled FC router to the same edge fabric that is performing backbone-to-edge routing with the Virtual Fabrics-disabled FC router.
If you replace an 8-Gbps port blade with an FX8-24 blade, the EX_Port configuration remains the same for the first 12 FC ports on the FX8-24 blade. If you replace an 8-Gbps port blade or FX8-24 blade with another 8-Gbps port blade, the EX_Port configuration remains the same.

Displaying the range of output ports connected to xlate domains

The edge fabric detects only one front domain from an FC router connected through multiple output ports.
Port Indexing

This section shows how to use the switchShow command to determine the mapping among the port index, slot or port numbers, and the 24-bit port ID (PID) on any Brocade Backbone. Enter the switchShow command without parameters to show the port index mapping for the entire platform. Enter the switchShow -slot command for port mapping information for the ports on the blade in a specific slot. Include the --qsfp option to also list the QSFP number for slots that contain core blades.
751 3 31 7 -----trunkmaster name (Trunk master) id 16G Online FC E-Port 10:00:00:05:1e:39:e4:5a

This example shows the truncated output of the switchShow command for an FC16-32 port blade in slot 1 of a Brocade DCX 8510-8 Backbone. The Address column shows the PID.
Switch and blade sensors

∙ Brocade switch sensors
∙ Brocade blade temperature sensors
∙ System temperature monitoring
TABLE 96 Brocade blade temperature sensors (continued)
Model    Temperature sensors
SX6      7

System temperature monitoring

Brocade blades, chassis, and fixed-port switches are continuously monitored for thermal safety. Fabric OS thermal policies are based on a matrix of sensor values particular to each device. Different versions of Fabric OS may also have different thermal policies, as these limits are determined by testing and real-world experience.
Hexadecimal Conversion

∙ Hexadecimal overview

Hexadecimal overview

Hexadecimal, also known as hex, is a numeral system with a base of 16, usually written by means of symbols 0-9 and A-F (or a-f).
Decimal  21  22  23  24  25  26  27  28  29  30
Hex      15  16  17  18  19  1a  1b  1c  1d  1e
Decimal  31  32  33  34  35  36  37  38  39  40
Hex      1f  20  21  22  23  24  25  26  27  28
Decimal  41  42  43  44  45  46  47  48  49  50
Hex      29  2a  2b  2c  2d  2e  2f  30  31  32
Decimal  51  52  53  54  55  56  57  58  59  60
Hex      33  34  35  36  37  38  39  3a  3b  3c
Decimal  61  62  63  64  65  66  67  68  69  70
Hex      3d  3e  3f  40  41  42  43  44  45  46
Decimal 71 72 7
Hex      e7   e8   e9   ea   eb   ec   ed   ee   ef   f0
Decimal  241  242  243  244  245  246  247  248  249  250
Hex      f1   f2   f3   f4   f5   f6   f7   f8   f9   fa
Decimal  251  252  253  254  255
Hex      fb   fc   fd   fe   ff