53-1002148-02 03 June 2011 Fabric OS Administrator’s Guide Supporting Fabric OS v7.0.
Copyright © 2006-2011 Brocade Communications Systems, Inc. All Rights Reserved. Brocade, the B-wing symbol, BigIron, DCFM, DCX, Fabric OS, FastIron, IronView, NetIron, SAN Health, ServerIron, TurboIron, and Wingspan are registered trademarks, and Brocade Assurance, Brocade NET Health, Brocade One, Extraordinary Networks, MyBrocade, VCS, and VDX are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries.
Title | Publication number | Summary of changes | Date
Fabric OS Administrator’s Guide | 53-1000043-02 | Removed SilkWorm 4016 and 4020 from supported switches; FCIP chapter updates. | June 2006
Fabric OS Administrator’s Guide | 53-1000239-01 | Revised for Fabric OS v5.2.0 features. Added new hardware platforms: Brocade FC4-48 and FC4-16IP. | September 2006
Fabric OS Administrator’s Guide | 53-1000448-01 | Added Fabric OS v5.3.0 features. Added support for new hardware platforms: Brocade 7600, FA4-18, and FC10-6. |
iv Fabric OS Administrator’s Guide 53-1002148-02
Contents
About This Document
In this chapter  xxxiii
How this document is organized  xxxiii
Supported hardware and software  xxxiv
What’s new in this document  xxxv
Document conventions
Device login  10
Principal switch  11
E_Port login  11
Fabric login  11
Port login process  11
RSCN causes
Basic connections  34
Device connection  34
Switch connection  34
Chapter 3 Performing Advanced Configuration Tasks
In this chapter  35
PIDs and PID binding overview
Audit log configuration  58
Verifying host syslog prior to configuring the audit log  59
Configuring an audit log for specific event classes  59
Chapter 4 Routing Traffic
In this chapter  61
Routing overview  61
Paths and route selection
Local database user accounts  87
Default accounts  87
Local account passwords  89
Local account database distribution  90
Distributing the local user database  90
Accepting distribution of user databases on the local switch
Telnet protocol  129
Blocking Telnet  129
Unblocking Telnet  131
Listener applications  131
Ports and applications used by switches  131
Port configuration
IP Filter policy  155
Creating an IP Filter policy  155
Cloning an IP Filter policy  156
Displaying an IP Filter policy  156
Saving an IP Filter policy  156
Activating an IP Filter policy
Chapter 9 Installing and Maintaining Firmware
In this chapter  193
Firmware download process overview  193
Upgrading and downgrading firmware  195
Considerations for FICON CUP environments  195
HA sync state  195
Preparing for a firmware download
Supported platforms for Virtual Fabrics  224
Supported port configurations in the fixed-port switches  224
Supported port configurations in the enterprise-class platforms  224
Virtual Fabrics interaction with other Fabric OS features  225
Limitations and restrictions of Virtual Fabrics  226
Restrictions on XISLs
Zone aliases  248
Creating an alias  249
Adding members to an alias  249
Removing members from an alias  250
Deleting an alias  250
Viewing an alias in the defined configuration
Traffic Isolation Zoning over FC routers  278
TI within an edge fabric  279
TI within a backbone fabric  280
Limitations of TI zones over FC routers  281
General rules for TI zones  281
Supported configurations for Traffic Isolation Zoning
Disabling bottleneck detection on a switch  310
Chapter 14 In-flight Encryption and Compression
In this chapter  311
In-flight encryption and compression overview  311
Encryption and compression restrictions  312
How encryption and compression are enabled  312
Authentication and key generation
Configuration upload and download considerations for FA-PWWN  336
Firmware upgrade and downgrade considerations for FA-PWWN  336
Security considerations for FA-PWWN  336
Restrictions of FA-PWWN  337
Access Gateway N_Port failover with FA-PWWN
Licensing overview  369
The Brocade 7800 Upgrade license  375
ICL licensing  376
ICL 1st POD license  376
ICL 2nd POD license  376
ICL 8-link license
Advanced Performance Monitoring overview  393
Types of monitors  393
Restrictions for installing monitors  394
Virtual Fabrics considerations for Advanced Performance Monitoring  394
Access Gateway considerations for Advanced Performance Monitoring
CS_CTL-based frame prioritization  414
Supported configurations for CS_CTL-based frame prioritization  415
High availability considerations for CS_CTL-based frame prioritization  415
Enabling CS_CTL-based frame prioritization
ICL trunking  435
Supported platforms for ICL trunking  435
ICL trunking on the Brocade DCX 8510-8 and 8510-4  435
ICL trunking on the Brocade DCX and DCX-4S  436
EX_Port trunking  436
Masterless EX_Port trunking
FC-FC routing service overview  461
License requirements for Fibre Channel Routing  462
Supported platforms for Fibre Channel routing  462
Supported configurations  462
Fibre Channel routing concepts  463
Proxy devices
Interoperability overview  501
Release Compatibility  501
Features of Connected SANs  503
Fabric configurations for interconnectivity  504
Connectivity modes  504
Configuring the FC router
Figures
Figure 1 Well-known addresses  3
Figure 2 Identifying the blades  51
Figure 3 Blade swap with Virtual Fabrics during the swap  52
Figure 4 Blade swap with Virtual Fabrics after the swap
Figure 37 Fabric incorrectly configured for TI zone with failover disabled  274
Figure 38 Dedicated path is the only shortest path  275
Figure 39 Dedicated path is not the shortest path  276
Figure 40 Enhanced TI zones
Figure 78 Sample topology (physical topology)  468
Figure 79 EX_Port phantom switch topology  469
Figure 80 Example of setting up Speed LSAN tag  487
Figure 81 LSAN zone binding
Tables
Table 1 Daemons that are automatically restarted  13
Table 2 Terminal port parameters  16
Table 3 Help topic contents  18
Table 4 fabricShow fields
Table 36 Default IP policy rules  160
Table 37 Interaction between fabric-wide consistency policy and distribution settings  163
Table 38 Supported policy databases  163
Table 39 Fabric-wide consistency policy settings
Table 78 Fibre Channel data frames  453
Table 79 Buffer credits  456
Table 80 Configurable distances for Extended Fabrics
About This Document
In this chapter
• How this document is organized  xxxiii
• Supported hardware and software  xxxiv
• What’s new in this document  xxxv
• Document conventions  xxxvi
• Notice to the reader
• Chapter 11, “Administering Advanced Zoning,” provides procedures for use of the Brocade Advanced Zoning feature.
• Chapter 12, “Traffic Isolation Zoning,” provides concepts and procedures for use of Traffic Isolation Zones within a fabric.
• Chapter 13, “Bottleneck Detection,” describes how you can detect and configure alert thresholds for latency and congestion bottlenecks in the fabric.
• Brocade 5410 embedded switch
• Brocade 5424 embedded switch
• Brocade 5450 embedded switch
• Brocade 5460 embedded switch
• Brocade 5470 embedded switch
• Brocade 5480 embedded switch
• Brocade 6510 switch
• Brocade 7800 extension switch
• Brocade 8000 FCoE switch
• Brocade VA-40FC
• Brocade Encryption Switch
• Brocade DCX
• Brocade DCX-4S
• Brocade DCX 8510 family:
  - Brocade DCX 8510-4
  - Brocade DCX 8510-8
What’s new in this document
Information that was added:
• Port indexing information for the Broc
Document conventions This section describes text formatting conventions and important notice formats used in this document.
NOTE
A note provides a tip, guidance or advice, emphasizes important information, or provides a reference to related information.
ATTENTION
An Attention statement indicates potential damage to hardware or data.
CAUTION
A Caution statement alerts you to situations that can be potentially hazardous to you or cause damage to hardware, firmware, software, or data.
DANGER
A Danger statement indicates conditions or situations that can be potentially lethal or extremely hazardous to you.
Additional information
This section lists additional Brocade and industry-specific documentation that you might find helpful.
Brocade resources
To get up-to-the-minute information, go to http://my.brocade.com and register at no cost for a user ID and password.
For practical discussions about SAN design, implementation, and maintenance, you can obtain Building SANs with Brocade Fabric Switches through: http://www.amazon.
• syslog message logs
2. Switch Serial Number
The switch serial number and corresponding bar code are provided on the serial number label, as illustrated below:
FT00X0054E9
The serial number label is located as follows:
• Brocade 5424 — On the bottom of the switch module.
• Brocade 300, 5100, and 5300 — On the switch ID pull-out tab located on the bottom of the port side of the switch.
• Brocade 6510 — On the switch ID pull-out tab located inside the chassis on the port side on the left.
Section I Standard Features
This section describes standard Fabric OS features, and includes the following chapters:
• Chapter 1, “Understanding Fibre Channel Services”
• Chapter 2, “Performing Basic Configuration Tasks”
• Chapter 3, “Performing Advanced Configuration Tasks”
• Chapter 4, “Routing Traffic”
• Chapter 5, “Managing User Accounts”
• Chapter 6, “Configuring Protocols”
• Chapter 7, “Configuring Security Policies”
• Chapter 8, “Maintaining the Switch Configuration File”
• Chapter 9, “Installing
Chapter 1 Understanding Fibre Channel Services
In this chapter
• Fibre Channel services overview  3
• Management Server  4
• Platform services  4
• Management server database
Time Server — The Time Server sends to the member switches in the fabric the time on either the principal switch or the primary Fabric Configuration Server (FCS) switch, depending on whether or not an FCS security policy has been implemented. See Chapter 7, “Configuring Security Policies” for additional information on FCS policies.
Management Server — The Management Server provides a single point for managing the fabric.
NOTE
The commands msplMgmtActivate and msplMgmtDeactivate are allowed only in AD0 and AD255.
Platform services in a Virtual Fabric
Each logical switch has a separate Platform Database. All platform registrations done to a logical switch are valid only in that particular logical switch’s Virtual Fabric. Activating the platform services on a switch or enterprise-class platform activates the platform services on all logical switches in a Virtual Fabric.
Management server database
You can control access to the management server database. An access control list (ACL) of WWN addresses determines which systems have access to the management server database. The ACL typically contains those WWNs of host systems that are running management applications. If the list is empty (the default), the management server is accessible to all systems connected in-band to the fabric.
6. After verifying that the WWN was added correctly, enter 0 at the prompt to end the session.
7. At the “Update the FLASH?” prompt, enter y.
8. Press Enter to update the nonvolatile memory and end the session.
Example of adding a member to the management server ACL
switch:admin> msconfigure
0 Done
1 Display the access list
2 Add member based on its Port/Node WWN
3 Delete member based on its Port/Node WWN
select : (0..
6. After verifying that the WWN was deleted correctly, enter 0 at the “select” prompt to end the session.
7. At the “Update the FLASH?” prompt, enter y.
8. Press Enter to update the nonvolatile memory and end the session.
Example of deleting a member from the management server ACL
switch:admin> msconfigure
0 Done
1 Display the access list
2 Add member based on its Port/Node WWN
3 Delete member based on its Port/Node WWN
select : (0..
Clearing the management server database
NOTE
The command msPlClearDB is allowed only in AD0 and AD255.
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the msPlClearDB command.
3. Enter y to confirm the deletion.
The management server platform database is cleared.
Topology discovery
The topology discovery feature can be displayed, enabled, and disabled; it is disabled by default.
Disabling topology discovery
1. Connect to the switch and log in as admin.
2. Enter the appropriate following command based on how you want to disable discovery:
• For the local switch, enter the mstdDisable command.
• For the entire fabric, enter the mstdDisable all command. A warning displays stating that all NID entries might be cleared.
3. Enter y to disable the Topology Discovery feature.
NOTE
Disabling discovery of management server topology might erase all node ID entries.
Principal switch
In a fabric with multiple switches, where an inter-switch link (ISL) exists between any two switches, a principal switch is automatically elected. The principal switch provides the following capabilities:
• Maintains time for the entire fabric. Subordinate switches synchronize their time with the principal switch. Changes to the clock server value on the principal switch are propagated to all switches in the fabric.
• Manages domain ID assignment within the fabric.
• F_Port — A fabric port is assigned to fabric-capable devices, such as SAN storage devices.
• EX_Port — A type of E_Port that connects a Fibre Channel router to an edge fabric. From the point of view of a switch in an edge fabric, an EX_Port appears as a normal E_Port. It follows applicable Fibre Channel standards as other E_Ports. However, the router terminates EX_Ports rather than allowing different fabrics to merge as would happen on a switch with regular E_Ports.
High availability of daemon processes
Starting non-critical daemons is automatic; you cannot configure the startup process. The following sequence of events occurs when a non-critical daemon fails:
1. A RASlog and AUDIT event message is logged.
2. The daemon is automatically started again.
3. If the restart is successful, then another message is sent to RASlog and AUDIT, reporting the successful restart status.
4.
Chapter 2 Performing Basic Configuration Tasks
In this chapter
• Fabric OS overview
• Fabric OS command line interface
• Password modification
• The Ethernet interface on your switch
• Date and time settings
Although many different software and hardware configurations are tested and supported by Brocade Communications Systems, Inc., documenting all possible configurations and scenarios is beyond the scope of this document. In some cases, earlier releases are highlighted to present considerations for interoperating with them. The hardware reference manuals for Brocade products describe how to power up devices and set their IP addresses.
TABLE 2 Terminal port parameters (Continued)
Parameter   Value
Stop bits   1
Flow control   None
• In a UNIX environment, enter the following string at the prompt:
tip /dev/ttyb -9600
If ttyb is already in use, use ttya instead and enter the following string at the prompt:
tip /dev/ttya -9600
Telnet or SSH sessions
Connect to the Fabric OS through a Telnet or SSH connection or through a console session on the serial port.
2. Verify the switch’s network interface is configured and that it is connected to the IP network through the RJ-45 Ethernet port. Switches in the fabric that are not connected through the Ethernet port can be managed through switches that are using IP over Fibre Channel. The embedded port must have an assigned IP address.
3. Log off the switch’s serial port.
4.
TABLE 3 Help topic contents (Continued)
Topic name   Help contents description
trackChangesHelp   Track Changes help information
zoneHelp   Zoning help information
Password modification
The switch automatically prompts you to change the default account passwords after logging in for the first time. If you do not change the passwords, the switch prompts you after each subsequent login until all the default passwords have been changed.
Use Control-C to exit or press 'Enter' key to proceed.
for user - root
Changing password for root
Enter new password:
Password changed.
Saving password to stable storage.
Password saved to stable storage successfully.
(output truncated)
The Ethernet interface on your switch
The Ethernet (network) interface provides management access, including direct access to the Fabric OS CLI, and allows other tools, such as Web Tools, to interact with the switch.
IPv4 addresses assigned to individual Virtual Fabrics are assigned to IP over Fibre Channel (IPFC) network interfaces. In Virtual Fabrics environments, a single chassis can be assigned to multiple fabrics, each of which is logically distinct and separate from one another. Each IPFC point of connection to a given chassis needs a separate IPv4 address and prefix to be accessible to a management host.
If the Ethernet IP address, subnet mask, and gateway address are displayed, then the network interface is configured. Verify the information on your switch is correct. If DHCP is enabled, the network interface information was acquired from the DHCP server.
NOTE
You can use either IPv4 or IPv6 with a classless inter-domain routing (CIDR) block notation (also known as a network prefix length) to set up your IP addresses.
4. Enter the Ethernet Subnetmask at the prompt.
5. Skip the Fibre Channel prompts by pressing Enter. The Fibre Channel IP address is used for management.
6. Enter the Gateway Address at the prompt.
7. Disable DHCP by entering off.
Setting the static addresses for the chassis management IP interface
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the ipAddrSet -chassis command.
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the ipAddrSet command.
3. If already set up, skip the Ethernet IP address, Ethernet subnet mask, Fibre Channel IP address, and Fibre Channel subnet mask prompts by pressing Enter.
4. Enable DHCP by entering on.
switch:admin> ipaddrset
Ethernet IP Address [10.1.2.3]:
Ethernet Subnetmask [255.255.255.0]:
Fibre Channel IP Address [220.220.220.2]:
Fibre Channel Subnetmask [255.255.
configuration of the host. There can be multiple routers serving the network, each potentially advertising multiple network prefixes. Thus, the host is not in full control of the number of IPv6 addresses that it configures, much less the values of those addresses, and the number and values of addresses can change as routers are added to or removed from the network. When IPv6 autoconfiguration is enabled, the platform engages in stateless IPv6 autoconfiguration.
• dd is the date; valid values are 01 through 31.
• HH is the hour; valid values are 00 through 23.
• MM is minutes; valid values are 00 through 59.
• yy is the year; valid values are 00 through 37 and 70 through 99 (year values from 70 through 99 are interpreted as 1970 through 1999, year values from 00 through 37 are interpreted as 2000 through 2037).
1. Connect to the switch and log in using an account assigned to the admin role and with the chassis-role permission.
2. Enter the tsTimeZone command.
• Use tsTimeZone with no parameters to display the current time zone setting.
• Use --interactive to list all of the time zones supported by the firmware.
• Use timeZone_fmt to set the time zone by Country/City or by time zone ID, such as Pacific Standard Time (PST).
NOTE
In a Virtual Fabric, multiple logical switches can share a single chassis. Therefore, the NTP server list must be the same across all fabrics.
Synchronizing the local time with an external source
The tsClockServer command accepts multiple server addresses in IPv4, IPv6, or Domain Name System (DNS) name formats. When multiple NTP server addresses are passed, tsClockServer sets the first obtainable address as the active NTP server.
ATTENTION
Do not use domain ID 0. The use of this domain ID can cause the switch to reboot continuously.
Avoid changing the domain ID on the FCS switch in secure mode. To minimize down time, change the domain IDs on the other switches in the fabric.
Displaying the domain IDs
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the fabricShow command.
TABLE 4 fabricShow fields (Continued)
Field   Description
FC IP Addr   The switch’s Fibre Channel IP address.
Name   The switch’s symbolic or user-created name in quotes. An arrow (>) indicates the principal switch.
Setting the domain ID
1. Connect to the switch and log in on an account assigned to the admin role.
2. Enter the switchDisable command to disable the switch.
3. Enter the configure command.
4. Enter y after the Fabric Parameters prompt.
Chassis names
Brocade recommends that you customize the chassis name for each platform. Some system logs identify devices by platform names; if you assign meaningful platform names, logs are more useful. All chassis names supported by Fabric OS v7.0.0 allow 31 characters. Chassis names must begin with an alphabetic character and can include alphabetic and numeric characters, and the underscore ( _ ).
Customizing chassis names
1.
High availability considerations
Fabric names locally configured or obtained from a remote switch are saved in the configuration database, and then synchronized to the standby CP on dual-CP-based systems.
Upgrade and downgrade considerations
Fabric names are lost during a firmware downgrade. No default fabric name is provided. If a fabric name is needed, it must be configured after the upgrade.
Powering off a Brocade switch
The following procedure describes how to gracefully shut down a switch.
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the sysShutdown command.
3. Enter y at the prompt.
switch:admin> sysshutdown
This command will shutdown the operating systems on your switch.
You are required to power-cycle the switch in order to restore operation.
Basic connections
Before connecting a switch to a fabric that contains switches running different firmware versions, you must first set the same port identification (PID) format on all switches. The presence of different PID formats in a fabric causes fabric segmentation.
• For information on PID formats and related procedures, refer to Chapter 3, “Performing Advanced Configuration Tasks”.
Chapter 3 Performing Advanced Configuration Tasks
In this chapter
• PIDs and PID binding overview
• Ports
• Blade terminology and compatibility
• Enabling and disabling blades
Core PID addressing mode
Core PID is the default PID format for Brocade platforms. It uses the entire 24-bit address space of the domain, area_ID, and AL_PA to determine an object’s address within the fabric.
• Any port on a 48-port or 64-port blade can support up to 256 NPIV devices (in fixed addressing mode, only 128 NPIV devices are supported in non-VF mode and 64 NPIV devices in VF mode on a 48-port blade).
• Any port on a 48-port blade can support loop devices.
• Any port on a 48-port or 64-port blade can support hard port zoning.
• Port index is not guaranteed to be equal to the port area_ID.
Virtual Fabric considerations
WWN-based PID assignment is disabled by default and is supported in the default switch on a Brocade DCX, DCX-4S, and the Brocade DCX 8510 family. This feature is not supported on application blades such as the FS8-18, FX8-24, and the FCOE10-24. The total number of ports in the default switch must be 256 or less.
Clearing PID binding
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the wwnAddress --unbind command to clear the PID binding for the specified WWN.

Showing PID assignments
1. Connect to the switch and log in using an account with admin permissions.
2. Based on what you want to display, enter the appropriate command:
• wwnAddress --show displays the assigned WWN-PID bindings.
• wwnAddress --findPID wwn displays the PID assigned to the specified device WWN.
When you have port blades with different port counts in the same director (for example, 16-port blades and 32-port blades, or 16-port blades and 18-port blades with 16 FC ports and 2 GbE ports, or 16-port and 48-port blades), the area IDs no longer match the port numbers. Table 5 lists the port numbering schemes for the blades.

TABLE 5 Port numbering schemes for the port and application blades
Port blade    Numbering scheme
FC8-16        Ports are numbered from 0 through 15 from bottom to top.
Port identification by port area ID
The relationship between the port number and area ID depends upon the PID format used in the fabric. When Core PID format is in effect, the area ID for port 0 is 0, for port 1 is 1, and so forth. For 32-port blades (FC8-32, FC16-32), the numbering is contiguous up to port 15; from port 16, the numbering is still contiguous, but starts with 128.
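As an added example (not code from the guide), the following Python decodes a Core PID into its domain, area_ID and AL_PA fields and maps blade-relative port indexes to area IDs using the 16-port and 32-port blade schemes described above; it assumes no slot offset, which the page does not give.

```python
# Added example, not from the Fabric OS guide: decode a 24-bit Core PID into its
# domain, area_ID and AL_PA fields, and map blade port indexes to area IDs using
# the 32-port blade scheme the guide describes (ports 0-15 -> 0-15, ports 16-31 -> 128-143).
# Slot offsets for directors with several blades are not on the page and are not modelled.


def decode_pid(pid: int) -> dict:
    """Split a Core PID (0xDDAAPP) into domain, area_ID and AL_PA, 8 bits each."""
    if not 0 <= pid <= 0xFFFFFF:
        raise ValueError(f"PID {pid:#x} is not a 24-bit address")
    return {
        "domain": (pid >> 16) & 0xFF,
        "area_id": (pid >> 8) & 0xFF,
        "al_pa": pid & 0xFF,
    }


def encode_pid(domain: int, area_id: int, al_pa: int = 0) -> int:
    """Inverse of decode_pid; every field must fit in 8 bits."""
    for name, value in (("domain", domain), ("area_id", area_id), ("al_pa", al_pa)):
        if not 0 <= value <= 0xFF:
            raise ValueError(f"{name} {value} does not fit in 8 bits")
    return (domain << 16) | (area_id << 8) | al_pa


def area_id_for_port(port: int, blade_ports: int) -> int:
    """Core PID area_ID for a blade-relative port index.

    16-port blade: the area_ID equals the port index.
    32-port blade (FC8-32, FC16-32): contiguous up to port 15; from port 16 the
    numbering is again contiguous but starts at 128.
    """
    if not 0 <= port < blade_ports:
        raise ValueError(f"port {port} does not exist on a {blade_ports}-port blade")
    if blade_ports == 16:
        return port
    if blade_ports == 32:
        return port if port < 16 else 128 + (port - 16)
    raise ValueError(f"numbering scheme for {blade_ports}-port blades is not covered here")


def port_for_area_id(area_id: int, blade_ports: int):
    """Blade port index that owns an area_ID, or None if no port maps to it."""
    for port in range(blade_ports):
        if area_id_for_port(port, blade_ports) == area_id:
            return port
    return None


def describe_pid(pid: int, blade_ports: int = 32) -> str:
    """Human-readable breakdown of a PID, e.g. for checking a wwnAddress --show entry."""
    fields = decode_pid(pid)
    port = port_for_area_id(fields["area_id"], blade_ports)
    where = f"port {port}" if port is not None else "no port under this scheme"
    return (f"PID {pid:06x}: domain {fields['domain']}, area_ID {fields['area_id']}, "
            f"AL_PA {fields['al_pa']:#04x} ({where} on a {blade_ports}-port blade)")


if __name__ == "__main__":
    # Constructed sample: domain 1, port 18 of a 32-port blade, AL_PA 0
    sample = encode_pid(1, area_id_for_port(18, 32))
    print(describe_pid(sample))
```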
Swapping port area IDs
If a device that uses port binding is connected to a port that fails, you can use port swapping to make another physical port use the same PID as the failed port. The device can then be plugged into the new port without the need to reboot the device. Use the following procedure to swap the port area IDs of two physical switch ports. In order to swap port area IDs, the port swap feature must be enabled, and both switch ports must be disabled.
Enabling a port
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the appropriate command based on the current state of the port and on whether it is necessary to specify a slot number:
• To enable a port that is disabled, enter the command portEnable portnumber or portEnable slotnumber/portnumber.
• To enable a port that is persistently disabled, enter the command portCfgPersistentEnable portnumber or portCfgPersistentEnable slotnumber/portnumber.
Setting port speeds
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the portCfgSpeed command.

Example of setting the port speed
The following example sets the speed for port 3 on slot 2 to 4 Gbps:
ecp:admin> portcfgspeed 2/3 4
done.
The following example sets the speed for port 3 on slot 2 to autonegotiate:
ecp:admin> portcfgspeed 2/3 0
done.

Setting the same speed for all ports on the switch
1.
Blade terminology and compatibility
Before configuring a chassis, familiarize yourself with the platform CP blade and port blade nomenclature, as well as the port blade compatibilities. Often in procedures, only the abbreviated names for CP and port blades are used. Table 6 includes CP and port blade abbreviations and descriptions.
TABLE 6 Brocade enterprise-class platform blade terminology (Continued)
Term                        Abbreviation   Blade ID (slotshow)   Definition
6-port 10-Gbps port blade   FC10-6         39                    A 6-port Brocade platform port blade supporting 10 Gbps port speed. Blade provides 10 Gbps ISLs. This port blade is compatible only with the Brocade DCX and DCX-4S and can be used to form ISLs only between other FC10-6 ports.
Core blades
Core blades provide intra-chassis switching and ICL connectivity, between DCX/DCX-4S platforms and between DCX 8510 platforms.
• Brocade DCX supports two CORE8 core blades.
• Brocade DCX-4S supports two CR4S-8 core blades.
• Brocade DCX 8510-8 supports two CR16-8 core blades.
• Brocade DCX 8510-4 supports two CR16-4 core blades.
The core blades for each platform are not interchangeable or hot-swappable with the core blades for any other platform.
TABLE 8 Blade compatibility within a Brocade DCX, DCX-4S, and the Brocade DCX 8510 family backbone
Intelligent blade   Fabric OS v6.3.0      Fabric OS v6.4.0      Fabric OS v7.0.0
                    DCX   DCX-4S          DCX   DCX-4S          DCX   DCX-4S   DCX 8510-8   DCX 8510-4
FR4-18i (1)         8     4               8     4               8     4        0            0
FS8-18              4     4               4     4               4     4        4            4
FCOE10-24 (2)       2     2               2     2               4     4        0            0
FX8-24 (3)          2     4               4     4               4     4        4            4
1. The iSCSI function over FCIP is not supported, but the FCIP link is the same as other FC E_Ports.
If you need to replace an application blade with a different application blade, there may be extra steps you need to take to ensure that the previous configuration is not interfering with your new application blade.

Enabling blades
1. Connect to the switch and log in as admin.
2. Enter the bladeEnable command with the slot number of the port blade you want to enable.
To summarize:
• When an FC8-16, FC8-32, FC10-6, FS8-18, or FX8-24 blade is replaced by an FR4-18i blade, the current port configuration continues to be used, and all ports on the FR4-18i blade are persistently disabled.
• When an FR4-18i blade is replaced by an FC8-16, FC8-32, FC8-48, or FC8-64 blade, the EX_Port configuration is retained, but the ports are persistently disabled. All remaining port configurations are retained.
NOTE
The FC10-6 blade does not support EX_Ports.
How blades are swapped
The bladeSwap command performs the following operations:
1. Blade selection
The selection process includes selecting the switch and the blades to be affected by the swap operation. Figure 2 shows how the source and destination blades are identified to begin the process.
FIGURE 2 Identifying the blades
2. Blade validation
The validation process includes determining the compatibility between the blades selected for the swap operation:
• Blade technology.
FIGURE 3 Blade swap with Virtual Fabrics during the swap
4. Port swapping
The swap ports action is effectively an iteration of the portSwap command for each port on the source blade to each corresponding port on the destination blade. Figure 4 shows Virtual Fabrics, where the blades can be carved up into different logical switches as long as they are carved the same way. If slot 1 and slot 2 ports 0-7 are all in the same logical switch, then blade swapping slot 1 to slot 2 will work.
3. Once the command completes successfully, move the cables from the source blade to the destination blade.
4. Enter the bladeEnable command on the destination blade to enable all user ports.

Power management
All blades are powered on by default when the switch chassis is powered on. Blades cannot be powered off when POST or AP initialization is in progress.
Equipment status
You can check the status of switch operation, High Availability features, and fabric connectivity.

Checking switch operation
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the switchShow command. This command displays a switch summary and a port summary.
3. Check that the switch and ports are online.
4. Use the switchStatusShow command to further check the status of the switch.
Verifying fabric connectivity
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the fabricShow command. This command displays a summary of all the switches in the fabric.
The output of the fabricShow command is discussed in “Domain IDs” on page 28.

Verifying device connectivity
1. Connect to the switch and log in using an account with admin permissions.
2.
Enabling the track changes feature
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the trackChangesSet 1 command to enable the track changes feature. A message displays, verifying that the track changes feature is on:
switch:admin> trackchangesset 1
Committing configuration...done.
3. View the log using the commands errDump |more to display a page at a time or errShow to view one line at a time.
WWN CP Blade CoreBlade Flash MarginalPorts FaultyPorts MissingSFPs ErrorPorts Number of ports: 4 0 0 0 0 0 0.00%[0] 0.00%[0] 0.00%[0] 0.00%[0] 3 0 0 0 0 0 0.00%[0] 0.00%[0] 0.00%[0] 0.00%[0]

Setting the switch status policy threshold values
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the switchStatusPolicySet command. The current switch status policy parameter values are displayed.
Bad PowerSupplies contributing to MARGINAL status: (0..2) [1]
Bad Temperatures contributing to DOWN status: (0..4) [2]1
Bad Temperatures contributing to MARGINAL status: (0..4) [1]2
Bad Fans contributing to DOWN status: (0..2) [2]
Bad Fans contributing to MARGINAL status: (0..2) [1]
(output truncated)
On the enterprise-class platforms, the command output includes parameters related to CP blades.
NOTE
Only the active CP can generate audit messages because event classes being audited occur only on the active CP. Audit messages cannot originate from other blades in an enterprise-class platform.
Switch names are logged for switch components and enterprise-class platform names for enterprise-class platform components. For example, an enterprise-class platform name may be FWDL or RAS and a switch component name may be zone, name server, or SNMP.
4. Enter the auditCfg --show command to view the filter configuration and confirm that the correct event classes are being audited, and the correct filter state appears (enabled or disabled).
switch:admin> auditcfg --show
Audit filter is enabled.
2-SECURITY
4-FIRMWARE
5. Issue the auditDump -s command to confirm that the audit messages are being generated.

Example of the SYSLOG (system message log) output for audit logging
Oct 10 08:52:06 10.3.220.
Chapter 4 Routing Traffic
In this chapter
• Routing overview
• Inter-switch links
• Gateway links
• Inter-chassis links
Paths and route selection
Paths are possible ways to get from one switch to another. Each Inter-Switch Link (ISL) has a metric cost based on bandwidth. The cumulative cost of a path is the sum of the costs of all traversed ISLs. Route selection is the choice of one of these paths. Paths that are selected from the routing database are chosen based on the minimal cost.
NOTE
FSPF only supports 16 routes in a zone, including Traffic Isolation Zones.
FSPF makes minimal use of the ISL bandwidth, leaving virtually all of it available for traffic. In a stable fabric, a switch transmits 64 bytes every 20 seconds in each direction. FSPF frames have the highest priority in the fabric. This guarantees that a control frame is not delayed by user data and that FSPF routing decisions occur very quickly during convergence.
Inter-switch links
An inter-switch link (ISL) is a link between two switches, E_Port-to-E_Port. The ports of the two switches automatically come online as E_Ports once the login process finishes successfully. For more information on the login process, refer to Chapter 1, “Understanding Fibre Channel Services”.
FIGURE 6 New switch added to existing fabric
You can expand your fabric by connecting new switches to existing switches.
Buffer credits
To prevent frames from being dropped in the fabric, a device may never send frames unless the receiving device is able to receive them, so end-to-end flow control is used on the switch. Flow control in Fibre Channel uses buffer-to-buffer credits, which are distributed by the switch. When all buffer-to-buffer credits are utilized, a device waits for a VC_RDY or an R_RDY primitive from the destination switch before resuming I/O.
Quality of Service (QoS) is a licensed traffic shaping feature available in Fabric OS. QoS allows the prioritization of data traffic based on the SID and DID of each frame. Through the use of QoS zones, traffic can be divided into three priorities: high, medium, and low. The seven data virtual channels, VC8 through VC14, are used to multiplex data frames based upon QoS zones when congestion occurs. For more information on QoS zones, refer to Chapter 20, “Optimizing Fabric Behavior”.
FIGURE 9 Gateway link merging SANs
By default, switch ports initialize links using the Exchange Link Parameters (ELP) mode 1. However, gateways expect initialization with ELP mode 2, also referred to as ISL R_RDY mode. Therefore, to enable two switches to link through a gateway, the ports on both switches must be set for ELP mode 2.
Example of enabling a gateway link on slot 2, port 3
ecp:admin> portcfgislmode 2/3, 1
Committing configuration...done.
ISL R_RDY Mode is enabled for port 3. Please make sure the PID formats are consistent across the entire fabric.

Inter-chassis links
An inter-chassis link (ICL) is a licensed feature used to interconnect two Brocade DCX Backbones, two Brocade DCX-4S Backbones, or a Brocade DCX and a Brocade DCX-4S Backbone.
The following ICL connections are not allowed:
• ICL0 ports to ICL0 ports
• ICL1 ports to ICL1 ports
For detailed ICL connection information, refer to the Brocade DCX Backbone Hardware Reference Manual.
ICL ports can be used only with an ICL license. For more information on how license enforcement occurs, see Chapter 18, “Administering Licensing”.
cost of the ISL path being lesser or greater than the ICL path between the two switches.
For instructions on how to cable ICLs, refer to the Brocade DCX Backbone Hardware Reference Manual and the Brocade DCX-4S Backbone Hardware Reference Manual. Figure 11 illustrates a triangular topology.
FIGURE 12 64 Gbps ICL topology
To connect two Brocade DCX 8510 switches redundantly, at least 4 ICL connections are required. To achieve full redundancy, each core blade in a chassis must be connected to each of the two core blades in the destination chassis, as shown in Figure 13.
Routing policies
By default, all routing protocols place their routes into a routing table. You can control the routes that a protocol places into each table and the routes from that table that the protocol advertises by defining one or more routing policies and then applying them to the specific routing protocol.
Exchange-based routing is also known as Dynamic Path Selection (DPS). With DPS, exchanges (communication between end devices in a fabric) are assigned to egress ports in ratios proportional to the potential bandwidth of the ISL or trunk group. When there are multiple paths to a destination, the input traffic is distributed across the different paths in proportion to the bandwidth available on each of the paths.
The AP policy affecting the DPS behavior, whether it is exchange-based, device-based, or port-based, is configured on a per-logical switch basis. In-order delivery (IOD) and DLS settings are set per logical switch as well. IOD and DLS settings for the base switch affect all traffic going over the base fabric, including any logical fabric traffic that uses the base fabric.
When the port-based policy is in force, you can enable DLS to optimize routing. When DLS is enabled, it shares traffic among multiple equivalent paths between switches. DLS recomputes load sharing when any of the following occurs:
• A switch boots up
• An E_Port goes offline and online
• An EX_Port goes offline
• A device goes offline

Setting DLS
1. Connect to the switch and log in as admin.
2. Enter the dlsShow command to view the current DLS setting.
Assigning a static route
1. Connect to the switch and log in as admin.
2. Enter the uRouteConfig command.

Example of configuring a route
The following example shows how to configure a static route for all traffic coming in from port 1 and addressed to domain 2 to go through port 5:
switch:admin> urouteconfig 1 2 5
done.

Removing a static route
1. Connect to the switch and log in as admin.
2. Enter the uRouteRemove command.
Forcing in-order frame delivery across topology changes
1. Connect to the switch and log in as admin.
2. Enter the iodSet command.
NOTE
The iodSet command can cause a delay in the establishment of a new path when a topology change occurs; use it with care.
3. Confirm that in-order delivery has been set by entering the iodShow command.

Restoring out-of-order frame delivery across topology changes
1. Connect to the switch and log in as admin.
2.
Lossless mode means no frame loss during a rebalance and only takes effect if DLS is enabled. Lossless DLS can be enabled on a fabric topology in order to have zero frame drops during rebalance operations. If the end device also requires the order of frames to be maintained during the rebalance operation, then IOD must be enabled. However, this combination of Lossless DLS and IOD is supported only in specific topologies, such as in a FICON environment.
If ICL ports are connected during a core blade insertion, it is equivalent to adding external E_Ports, which may cause I/O disruption due to reroutes. Lossless DLS, if enabled, takes effect to prevent I/O disruption.

Traffic flow limitations
The FA4-18 and FR4-18i AP blades, which are supported on the Brocade DCX and DCX-4S, may continue to experience frame drops after core blade removal or insertion.
Forward error correction
Forward error correction (FEC) provides a method of error control during data transmission by sending redundant data to ensure error-free transmission on a specified port or port range. If the ports are already in the requested configuration, no action is taken. If a range of ports is specified, some of which are already in the requested configuration, a notification is generated, and no action is taken for those ports only.
Frame Redirection depends on the wide distribution of the Defined Zone Database. The Defined Zone Database on Fabric OS switches is pushed out to all other Fabric OS switches in the fabric that support Frame Redirection. Redirection zones exist only in the defined configuration and cannot be added to the effective configuration.
NOTE
Fabric OS v7.0.0 is not supported on the Brocade 7600 or Brocade SAS blade. However, this hardware can run in a pre-Fabric OS v7.0.
Deleting a frame redirect zone
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the zone --rdDelete command to remove the base RD zone object, "red_______base". When the base zone is removed, the RD zone configuration "r_e_d_i_r_c__fg" is removed as well.
3. Enter the cfgSave command to save changes to the defined configuration.
Chapter 5 Managing User Accounts
In this chapter
• User accounts overview
• Local database user accounts
• Local account database distribution
• Password policies
• The boot PROM password
Fabric OS provides three options for authenticating users: remote RADIUS services, remote LDAP service, and the local switch user database. All options allow users to be centrally managed using the following methods:
• Remote RADIUS server: Users are managed in a remote RADIUS server. All switches in the fabric can be configured to authenticate against the centralized remote database.
• Remote LDAP server: Users are managed in a remote LDAP server.
If some Admin Domains have been defined for the user and all of them are inactive, the user will not be allowed to log in to any switch in the fabric. If no Home Domain is specified for a user, the system provides a default home domain. The default home domain for the predefined account is AD0. For user-defined accounts, the default home domain is the Admin Domain in the user’s Admin Domain list with the lowest ID.
TABLE 13 Maximum number of simultaneous sessions
Role name           Maximum sessions
Admin               2
BasicSwitchAdmin    4
FabricAdmin         4
Operator            4
SecurityAdmin       4
SwitchAdmin         4
User                4
ZoneAdmin           4

Managing user-defined roles
Fabric OS provides an extensive toolset for managing user-defined roles:
• The roleConfig command is available for defining new roles, deleting created roles, or viewing information about user-defined roles.
> classConfig --showroles security
Roles that have access to RBAC Class 'security' are:
Role Name           Permissions
---------           -----------
User                O
Admin               OM
Factory             OM
Root                OM
SwitchAdmin         O
FabricAdmin         OM
BasicSwitchAdmin    O
SecurityAdmin       OM
mysecurityrole      O
To delete a user-defined role, use the roleConfig --delete command.
TABLE 14 Default local user accounts
Account name   Role      Admin Domain        Logical Fabric       Description
admin          Admin     AD0-255 home: 0     LF1-128 home: 128    Most commands have observe-modify permission.
factory        Factory   AD0-255 home: 0     LF1-128 home: 128    Reserved.
root           Root      AD0-255 home: 0     LF1-128 home: 128    Reserved.
user           User      AD0 home: 0         LF-128 home: 128     Most commands have observe-only permission.
Deleting an account
This procedure can be performed on local user accounts.
1. Connect to the switch and log in using an account with admin permissions, or an account associated with a user-defined role with permissions for the UserManagement class of commands.
2. Enter the userConfig --delete command.
NOTE
You cannot delete the default accounts. An account cannot delete itself. All active CLI sessions for the deleted account are logged out.
3.
Changing the password for a different account
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the passwd command, specifying the name of the account for which the password is being changed.
3. Enter the requested information at the prompts.

Local account database distribution
Fabric OS allows you to distribute the user database and passwords to other switches in the fabric.
Rejecting distributed user databases on the local switch
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the fddCfg --localreject PWD command.

Password policies
The password policies described in this section apply to the local switch user database only. Configured password policies (and all user account attribute and password state information) are synchronized across CPs and remain unchanged after an HA failover.
• Punctuation
Specifies the minimum number of punctuation characters that must appear in the password. All printable, non-alphanumeric punctuation characters except the colon ( : ) are allowed. The default value is zero. The maximum value must be less than or equal to the MinLength value.
• MinLength
Specifies the minimum length of the password. The minimum can be from 8 to 40 characters. New passwords must be between the minimum length specified and 40 characters.
Password expiration policy
The password expiration policy forces expiration of a password after a configurable period of time, and is enforced across all user accounts. A warning that password expiration is approaching is displayed when the user logs in. When a user’s password expires, he or she must change the password to complete the authentication process and open a user session. You can specify the number of days prior to password expiration during which warnings will commence.
The following commands are used to manage the account lockout policy.
• userConfig --change account_name -u
• passwdCfg --disableadminlockout
Note that the account-locked state is distinct from the account-disabled state.
Use the following attributes to set the account lockout policy:
• LockoutThreshold
Specifies the number of times a user can attempt to log in using an incorrect password before the account is locked.
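As an added illustration (not the switch's own code), this Python models the Punctuation and MinLength attributes described earlier in this section together with LockoutThreshold; locking when the failure count reaches the threshold, and the unlock helper, are this example's reading of the attribute descriptions.

```python
# Added example, not from the Fabric OS guide: a checker modelled on the password
# policy attributes the guide describes (Punctuation, MinLength) and a failed-login
# counter modelled on LockoutThreshold. Attribute names are the guide's; the code is
# an illustration, not the switch's implementation.
import string
from dataclasses import dataclass, field

MAX_PASSWORD_LENGTH = 40
# All printable, non-alphanumeric punctuation except the colon counts as punctuation.
ALLOWED_PUNCTUATION = set(string.punctuation) - {":"}


@dataclass
class PasswordPolicy:
    min_length: int = 8      # MinLength: 8..40
    punctuation: int = 0     # Punctuation: minimum count, default 0

    def validate(self) -> None:
        """Reject policy values the guide rules out."""
        if not 8 <= self.min_length <= MAX_PASSWORD_LENGTH:
            raise ValueError("MinLength must be between 8 and 40")
        if not 0 <= self.punctuation <= self.min_length:
            raise ValueError("Punctuation must be between 0 and MinLength")


def check_password(password: str, policy: PasswordPolicy) -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    policy.validate()
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than MinLength ({policy.min_length})")
    if len(password) > MAX_PASSWORD_LENGTH:
        problems.append(f"longer than {MAX_PASSWORD_LENGTH} characters")
    if ":" in password:
        problems.append("contains a colon, which is not allowed")
    found = sum(1 for c in password if c in ALLOWED_PUNCTUATION)
    if found < policy.punctuation:
        problems.append(f"has {found} punctuation characters, Punctuation requires {policy.punctuation}")
    return problems


@dataclass
class LockoutTracker:
    """Counts failed logins per account and locks the account at LockoutThreshold.

    Locking happens when the failure count reaches the threshold (this example's
    reading of the attribute). The locked state is kept apart from a separate
    disabled state, since the guide notes the two are distinct.
    """
    threshold: int
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)
    disabled: set = field(default_factory=set)

    def record_failure(self, account: str) -> bool:
        """Record a wrong-password attempt; return True if the account is now locked."""
        if account in self.locked:
            return True
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.threshold:
            self.locked.add(account)
        return account in self.locked

    def login_allowed(self, account: str) -> bool:
        """A correct password still fails for a locked or disabled account."""
        return account not in self.locked and account not in self.disabled

    def record_success(self, account: str) -> bool:
        """Reset the counter on a correct password unless the account is locked or disabled."""
        if not self.login_allowed(account):
            return False
        self.failures.pop(account, None)
        return True

    def unlock(self, account: str) -> None:
        """Administrative unlock (what the guide's userConfig --change account_name -u does)."""
        self.locked.discard(account)
        self.failures.pop(account, None)
```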
The boot PROM password
The boot PROM password provides an additional layer of security by protecting the boot PROM from unauthorized use. Setting a recovery string for the boot PROM password enables you to recover a lost boot PROM password by contacting your switch service provider. Without the recovery string, a lost boot PROM password cannot be recovered.
5. Enter the recovery password (string).
The recovery string must be between 8 and 40 alphanumeric characters. A random string that is 15 characters or longer is recommended for higher security. The firmware prompts for this password only once. It is not necessary to remember the recovery string because it is displayed the next time you enter the command shell. The following prompt displays:
New password:
6. Enter the boot PROM password, then re-enter it when prompted.
6. Enter the recovery password (string).
The recovery string must be between 8 and 40 alphanumeric characters. A random string that is 15 characters or longer is recommended for higher security. The firmware only prompts for this password once. It is not necessary to remember the recovery string because it is displayed the next time you enter the command shell. The following prompt displays:
New password:
7. Enter the boot PROM password, then re-enter it when prompted.
4. Enter 3.
5. At the shell prompt, enter the passwd command.
NOTE
The passwd command only applies to the boot PROM password when it is entered from the boot interface.
6. Enter the boot PROM password at the prompt, then re-enter it when prompted. The password must be eight alphanumeric characters (any additional characters are not recorded). Record this password for future use.
7. Enter the saveEnv command to save the new password.
8.
8. Enter the boot PROM password at the prompt, then re-enter it when prompted. The password must be eight alphanumeric characters (any additional characters are not recorded). Record this password for future use.
9. Enter the saveEnv command to save the new password.
10. Reboot the standby CP blade by entering the reset command.
11.
To enable RADIUS or LDAP service, it is strongly recommended that you access the CLI through an SSH connection so that the shared secret is protected. Multiple login sessions can make configuration changes simultaneously, and the last session to apply a change leaves its configuration in effect. After a configuration is applied, it persists after a reboot or an HA failover.
TABLE 15 Authentication configuration options (Continued)
aaaConfig option: --authspec "radius;local" --backup
Description: Authenticates management connections against any RADIUS databases. If RADIUS fails because the service is not available, it then authenticates against the local user database.
Equivalent setting in Fabric OS v5.1.0 and earlier: --radius --switchdb1
Users must enter their assigned RADIUS or LDAP account name and password when logging in to a switch that has been configured with RADIUS or LDAP. After the RADIUS or LDAP server authenticates a user, it responds with the assigned switch role in a Brocade Vendor-Specific Attribute (VSA). If the response does not have a VSA permissions assignment, the User role is assigned.
Fabric OS users on the RADIUS server
All existing Fabric OS mechanisms for managing local switch user accounts and passwords remain functional when the switch is configured to use RADIUS. Changes made to the local switch database do not propagate to the RADIUS server, nor do the changes affect any account on the RADIUS server.
After you have completed the dictionary file, define the permissions for the user in a configuration file.
For example, on a Linux FreeRADIUS server, the user (user-za) with the following settings takes the “zoneAdmin” permissions, with AD member list 1, 2, 4, 5, 6, 7, 8, 9, 12; the Home Admin Domain will be 1.
Configuring RADIUS service on Linux consists of the following tasks:
• Adding the Brocade attribute to the server
• Creating the user
• Enabling clients

Adding the Brocade attribute to the server
1. Create and save the file $PREFIX/etc/raddb/dictionary.brocade with the following information:
#
# dictionary.
Example of using the local system password to authenticate users
The next example uses the local system password file to authenticate users.
Configuring RADIUS service on Windows 2000 consists of the following steps:
1. Installing internet authentication service (IAS)
For more information and instructions on installing IAS, refer to the Microsoft website.
2. Enabling the Challenge Handshake Authentication Protocol (CHAP)
If CHAP authentication is required, then Windows must be configured to store passwords with reversible encryption.
d. In the Configure VSA (RFC compliant) window, enter the following values and click OK.
Vendor-assigned attribute number: Enter the value 1.
Attribute format: Enter String.
Attribute value: Enter the login role (Root, Admin, SwitchAdmin, User, etc.) the user group must use to log in to the switch.
e.
NOTE
The dictionary files for RSA RADIUS Server must remain in the installation directory. Do not move the files to other locations on your computer.
Add the Brocade-VSA macro and define the attributes as follows:
• vid (Vendor-ID): 1588
• type1 (Vendor-Type): 1
• len1 (Vendor-Length): >=2
###########################################################################
# brocade.dct -- Brocade Dictionary
#
# (See readme.
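The following added example (not code from the guide, FreeRADIUS or RSA) builds and parses the RFC 2865 Vendor-Specific attribute with the vid 1588 and type1 1 listed above, falling back to the User role when no Brocade VSA is present as the guide describes; the attribute value is assumed to be a bare role name, and the other-vendor VSA and its vendor id are constructed for the demonstration.

```python
# Added example, not from the Fabric OS guide: encode and decode the RFC 2865
# Vendor-Specific attribute (type 26) that carries the switch role, using the
# Vendor-ID 1588 and Vendor-Type 1 given in the guide. When the Access-Accept
# carries no Brocade role VSA, the User role is assumed, as the guide states.
# The value is treated as a bare role name; Admin Domain / logical fabric list
# syntax inside the string is not modelled.
import struct

ATTR_VENDOR_SPECIFIC = 26
BROCADE_VENDOR_ID = 1588       # vid from the guide
BROCADE_ROLE_TYPE = 1          # type1 from the guide
DEFAULT_ROLE = "User"          # assigned when no VSA permissions assignment is present


def build_brocade_role_vsa(role: str) -> bytes:
    """One Vendor-Specific attribute: Type, Length, Vendor-Id, then the vendor
    sub-attribute (Vendor-Type, Vendor-Length, String)."""
    data = role.encode("ascii")
    vendor_len = 2 + len(data)                       # len1 >= 2, per the guide
    if vendor_len > 255 - 6:
        raise ValueError("role string too long for one attribute")
    sub = struct.pack("!IBB", BROCADE_VENDOR_ID, BROCADE_ROLE_TYPE, vendor_len) + data
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(sub)) + sub


def iter_attributes(attrs: bytes):
    """Yield (type, value) pairs from a RADIUS attribute list, rejecting bad
    lengths rather than reading past the buffer."""
    i = 0
    while i < len(attrs):
        if len(attrs) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError(f"attribute type {atype} has invalid length {alen}")
        yield atype, attrs[i + 2:i + alen]
        i += alen


def role_from_attributes(attrs: bytes) -> str:
    """Extract the Brocade role from Access-Accept attributes, or DEFAULT_ROLE."""
    for atype, value in iter_attributes(attrs):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        (vendor_id,) = struct.unpack("!I", value[:4])
        if vendor_id != BROCADE_VENDOR_ID:
            continue                                 # some other vendor's VSA
        j = 4
        while j < len(value):
            if len(value) - j < 2:
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                raise ValueError(f"vendor sub-attribute {vtype} has invalid length {vlen}")
            if vtype == BROCADE_ROLE_TYPE:
                return value[j + 2:j + vlen].decode("ascii", errors="replace")
            j += vlen
    return DEFAULT_ROLE


def other_vendor_vsa(vendor_id: int, payload: bytes) -> bytes:
    """Constructed helper: a VSA from an arbitrary other vendor, to show it is ignored."""
    sub = struct.pack("!I", vendor_id) + payload
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(sub)) + sub


if __name__ == "__main__":
    # Constructed Access-Accept attribute list: a foreign VSA (vendor id 4242 is
    # made up) followed by the Brocade role VSA.
    accept = other_vendor_vsa(4242, b"\x01\x05abc") + build_brocade_role_vsa("ZoneAdmin")
    print(role_from_attributes(accept))     # ZoneAdmin
```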
#######################################################################
# dictiona.dcm
#######################################################################
# Generic Radius
@radius.dct
#
# Specific Implementations (vendor specific)
#
@3comsw.dct
@aat.dct
@acc.dct
@accessbd.dct
@agere.dct
@agns.dct
@airespace.dct
@alcatel.dct
@altiga.dct
@annex.dct
@aptis.dct
@ascend.dct
@ascndvsa.dct
@axc.dct
@bandwagn.dct
@brocade.
• You can use the User-Principal-Name and not the Common-Name for AD LDAP authentication. To provide backward compatibility, authentication based on the Common Name is still supported for Active Directory LDAP 2000 and 2003. Common Name-based authentication is not recommended for new installations.
• A user can belong to multiple groups as long as one of the groups is the primary group.
Creating a user
To create a user in Active Directory, refer to www.microsoft.com or Microsoft documentation. There are no special attributes to set. You can use a fully qualified name for logging in, for example you can log in as "user@domain.com".
Creating a group
To create a group in Active Directory, refer to www.microsoft.com or Microsoft documentation.
The Home Admin Domain (homeAD) for the user will be the first value in the adlist (Admin Domain list). If a user has no values assigned in the adlist attribute, then homeAD ‘0’ will be the default administrative domain for the user.
• If you are using Virtual Fabrics, enter the value of the logical fabric separated by a semicolon ( ; ) into the Value field.
Adding a RADIUS or LDAP server to the switch configuration
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the aaaConfig --add command.
At least one RADIUS or LDAP server must be configured before you can enable the RADIUS or LDAP service. If no RADIUS or LDAP configuration exists, turning on the RADIUS authentication mode triggers an error message.
Displaying the current RADIUS configuration
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the aaaConfig --show command.
If a configuration exists, its parameters are displayed. If RADIUS or LDAP service is not configured, only the parameter heading line is displayed. Parameters include: Position, Server, Port, Secret, Timeouts, Authentication.
Position: The order in which servers are contacted to provide service.
Chapter 6 Configuring Protocols
In this chapter
• Security protocols
• Secure Copy
• Secure Shell protocol
• Secure Sockets Layer protocol
TABLE 18 Secure protocol support (Continued)
Protocol: Description
SSH: Secure Shell (SSH) is a network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.
SSL: Fabric OS uses secure socket layer (SSL) to support HTTPS.
Setting up SCP for configUploads and downloads
1. Log in to the switch as admin.
2. Type the configure command.
3. Type y or yes at the cfgload attributes prompt.
4. Type y or yes at the Enforce secure configUpload/Download prompt.
Example of setting up SCP for configUpload/download
switch:admin> configure
Not all options will be available on an enabled switch.
To disable the switch, use the "switchDisable" command.
Configure...
SSH public key authentication
OpenSSH public key authentication provides password-less logins, known as SSH authentication, that use public and private key pairs for incoming and outgoing authentication. This feature allows only one allowed-user to be configured to utilize outgoing OpenSSH public key authentication. Any admin user can perform incoming OpenSSH public key authentication.
Enter public key name(must have .pub suffix):id_dsa.pub
Enter login name:auser
Password:
Public key is imported successfully.
4. Test the setup by logging into the switch from a remote device, or by running a command remotely using ssh.
Configuring outgoing SSH authentication
After the allowed-user is configured, the remaining setup steps must be completed by the allowed-user. To configure outgoing authentication, follow these steps:
1. Log in to the switch as the default admin.
Deleting public keys on the switch
1. Log in to the switch as any user with the Admin role.
2. Use the sshUtil delpubkeys command to delete public keys. You will be prompted to enter the name of the user whose public keys you want to delete. Enter all to delete public keys for all users.
For more information on IP Filter policies, refer to Chapter 7, “Configuring Security Policies”.
Deleting private keys on the switch
1. Log in to the switch as the allowed-user.
2.
SSL configuration overview
You configure for SSL by obtaining, installing, and activating digital certificates for SSL support. Certificates are required on all switches that are to be accessed through SSL. Also, you must install a certificate in the Java Plug-in on the management workstation, and you may need to add a certificate to your Web browser.
Configuring for SSL involves these main steps, which are shown in detail in the next sections.
1.
Generating a public and private key
Perform this procedure on each switch.
1. Connect to the switch and log in as admin.
2. Enter the secCertUtil genkey command to generate a public/private key pair. The system reports that this process will disable secure protocols, delete any existing CSR, and delete any existing certificates.
3. Respond to the prompts to continue and select the key size.
If you are set up for secure file copy protocol, you can select it; otherwise, select ftp.
Enter the IP address of the switch on which you generated the CSR.
Enter the remote directory name of the FTP server to which the CSR is to be sent.
Enter your account name and password on the server.
Obtaining certificates
Check the instructions on the CA website; then, perform this procedure for each switch.
1.
Checking and installing root certificates on Internet Explorer
1. Select Tools > Internet Options.
2. Click the Content tab.
3. Click Certificates.
4. Click the Intermediate or Trusted Root tabs and scroll the list to see if the root certificate is listed. Take the appropriate following action based on whether you find the certificate:
• If the certificate is listed, you do not need to install it. You can skip the rest of this procedure.
Example of installing a root certificate
C:\Program Files\Java\j2re1.6.0\bin> keytool -import -alias RootCert -file RootCert.crt -keystore ..
If you use both SW-MIB and FA-MIB, you may receive duplicate information. You can disable the FA-MIB, but not the SW-MIB.
You can also use these additional MIBs and their associated traps:
• FICON-MIB (for FICON environments)
• SW-EXTTRAP Includes the swSsn (Software Serial Number) as a part of Brocade SW traps.
For information on Brocade MIBs, see the Fabric OS MIB Reference.
Attributes that are specific to each logical switch belong to the switch category. These attributes are available in the Virtual Fabrics context and not available in the Chassis context. Attributes that are common across the logical switches belong to the chassis level. These attributes are accessible to users having the chassis-role permission. When a chassis table is queried, the context is set to the chassis context if the user has the chassis-role permission.
5. Add a rule to the policy, by typing the ipFilter --addrule command.
switch:admin> ipfilter --addrule BlockTelnet -rule 1 -sip any -dp 23 -proto tcp -act deny
ATTENTION
The rule number assigned has to precede the default rule number for this protocol. For example, in the defined policy, the Telnet rule number is 2, therefore to effectively block Telnet, the rule number to assign must be 1.
Unblocking Telnet
1. Connect to the switch through a serial port or SSH and log in as admin.
2. Type in the ipfilter --delete command. Refer to “Deleting a rule to an IP Filter policy” on page 161 for more information on deleting IP filter rules.
3. To permanently delete the policy, type the ipfilter --save command.
ATTENTION
If you deleted the rule to permit Telnet, you will need to add a rule to permit Telnet.
TABLE 23 Access defaults
Hosts: Any host can access the fabric by SNMP. Any host can Telnet to any switch in the fabric. Any host can establish an HTTP connection to any switch in the fabric. Any host can establish an API connection to any switch in the fabric.
Devices: All devices can access the management server. Any device can connect to any FC port in the fabric.
Switch access: Any switch can join the fabric.
Chapter 7 Configuring Security Policies
In this chapter
• ACL policies overview
• ACL policy management
• FCS policies
• DCC policies
Policies with the same state are grouped together in a Policy Set. Each switch has the following two sets:
• Active policy set, which contains ACL policies being enforced by the switch.
• Defined policy set, which contains a copy of all ACL policies on the switch.
When a policy is activated, the defined policy either replaces the policy with the same name in the active set or becomes a new active policy.
Displaying ACL policies
You can view the active and defined policy sets at any time. Additionally, in a defined policy set, policies created in the same login session also appear, but these policies are automatically deleted if you log out without saving them.
1. Connect to the switch and log in using an account with admin permissions, or an account with O permission for the Security RBAC class of commands.
2. Type the secPolicyShow command.
Example of deleting an ACL policy
switch:admin> secpolicydelete "DCC_POLICY_010"
About to delete policy Finance_Policy.
Are you sure (yes, y, no, n):[no] y
Finance_Policy has been deleted.
Adding a member to an existing ACL policy
As soon as a policy has been activated, the aspect of the fabric managed by that policy is enforced.
1. Connect to the switch and log in using an account with admin permissions, or an account with OM permissions for the Security RBAC class of commands.
Example of aborting unsaved changes
switch:admin> secpolicyabort
Unsaved data has been aborted.
All changes since the last time the secPolicySave or secPolicyActivate commands were entered are aborted.
FCS policies
Fabric Configuration Server (FCS) policy in base Fabric OS may be performed on a local switch basis and may be performed on any switch in the fabric. The FCS policy is not present by default, but must be created.
Table 27 shows the commands for switch operations for Primary FCS enforcement.
3. To save or activate the new policy, enter either the secPolicySave or the secPolicyActivate command. Once the policy has been activated you can distribute the policy.
NOTE
FCS policy must be consistent across the fabric. If the policy is inconsistent in the fabric, then you will not be able to perform any fabric-wide configurations from the primary FCS.
Modifying the order of FCS switches
1.
Only the Primary FCS switch is allowed to distribute the database. The FCS policy may need to be manually distributed across the fabric using the distribute -p command. Since this policy is distributed manually, the command fddCfg --fabwideset is used to distribute a fabric-wide consistency policy for FCS policy in an environment consisting of only Fabric OS v6.2.0 and later switches.
TABLE 29 DCC policy states
Policy state: Characteristics
No policy: Any device can connect to any switch port in the fabric.
Policy with no entries: Any device can connect to any switch port in the fabric. An empty policy is the same as no policy.
Policy with entries: If a device WWN or Fabric port WWN is specified in a DCC policy, that device is only allowed access to the switch if connected by a switch port listed in the same policy.
1. Connect to the switch and log in using an account with admin permissions, or an account with OM permissions for the Security RBAC class of commands.
2. Enter the secPolicyCreate “DCC_POLICY_nnn” command.
DCC_POLICY_nnn is the name of the DCC policy; nnn is a string consisting of up to 19 alphanumeric or underscore characters to differentiate it from any other DCC policies.
3.
DCC policy behavior with Fabric Assigned PWWNs
A DCC policy check is always performed for the physical port WWN of a device when the HBA has established that the device is attempting a normal FLOGI and has both a fabric assigned port WWN (FA PWWN) and a physical port WWN. DCC policies created with FA PWWNs will result in the disabling of FA PWWN assigned ports on subsequent FLOGI.
TABLE 31 DCC policy behavior when created manually with PWWN
Configuration WWN seen on DCC policy list Behavior when DCC policy activates Behavior on portDisable and portEnable • FA PWWN has logged into the switch. DCC policy creation manually with physical PWWN of device. DCC policy activation. PWWN Traffic will not be disrupted. Ports will come up without security issues. DCC policy creation. manually with physical PWWN FA PWWN has logged into the switch. DCC policy activation.
Creating an SCC policy
1. Connect to the switch and log in using an account with admin permissions, or an account with OM permissions for the Security RBAC class of commands.
2. Enter the secPolicyCreate “SCC_POLICY” command.
3. Save or activate the new policy by entering either the secPolicySave or the secPolicyActivate command. If neither of these commands is entered, the changes are lost when the session is logged out.
FIGURE 18 Key database on switch (Switch A holds Local secret A and Peer secret B; Switch B holds Local secret B and Peer secret A)
DH-CHAP authentication
If you use DH-CHAP authentication, then a secret key pair must be installed only in connected fabric elements. However, as connections are changed, new secret key pairs must be installed between newly connected elements.
Virtual Fabric considerations: The switch authentication policy applies to all E_Ports in a logical switch. This includes ISLs and extended ISLs. Authentication of extended ISLs between two base switches is considered peer-chassis authentication. Authentication between two physical entities is required, so the extended ISL which connects the two chassis needs to be authenticated.
Re-authenticating E_Ports
Use the authUtil --authinit command to re-initiate the authentication on selected ports. It provides flexibility to initiate authentication for specified E_Ports, a set of E_Ports, or all E_Ports on the switch. This command does not work on loop, NPIV and FICON devices, or on ports configured for in-flight encryption. The authUtil command can re-initiate authentication only if the device was previously authenticated.
Virtual Fabric considerations: Because the device authentication policy has switch and logical switch-based parameters, each logical switch is set when Virtual Fabrics is enabled. Authentication is enforced based on each logical switch’s policy settings.
Configuring device authentication
1. Connect to the switch and log in using an account with admin permissions, or an account with OM permissions for the Authentication RBAC class of commands.
2.
Authentication protocols
Use the authUtil command to perform the following tasks:
• Display the current authentication parameters.
• Select the authentication protocol used between switches.
• Select the DH (Diffie-Hellman) group for a switch.
Run the authUtil command on the switch you want to view or change. Below are the different options to specify which DH group you want to use.
Secret key pairs for DH-CHAP
When you configure the switches at both ends of a link to use DH-CHAP for authentication, you must also define a secret key pair—one for each end of the link. Use the secAuthSecret command to perform the following tasks:
• View the WWN of switches with a secret key pair.
• Set the secret key pair for switches.
• Remove the secret key pair for one or more switches.
Example of setting a secret key pair
switchA:admin> secauthsecret --set
This command is used to set up secret keys for the DH-CHAP authentication.
The minimum length of a secret key is 8 characters and maximum 40 characters.
Setting up secret keys does not initiate DH-CHAP authentication. If switch is configured to do DH-CHAP, it is performed whenever a port or a switch is enabled.
Warning: Please use a secure channel for setting secrets.
You can request a certificate from a CA through a Web browser. After you request a certificate, the CA either sends certificate files by e-mail (public) or gives access to them on a remote host (private). Typically, the CA provides the certificate files listed in Table 33.
ATTENTION
Only the .pem file is supported for FCAP authentication.
TABLE 33 FCAP certificate files
Certificate file: Description
nameCA.pem: The CA certificate.
Enter Login Name: jdoe
jdoe@10.1.2.3's password:
Success: exported FCAP CA certificate
Importing CA for FCAP
Once you receive the files back from the Certificate Authority, you will need to install or import them onto the local and remote switches.
1. Log in to the switch using an account with admin permissions, or an account associated with the chassis role and having OM permissions for the PKI RBAC class of commands.
2.
Fabric-wide distribution of the Auth policy
The AUTH policy can be manually distributed to the fabric by command; there is no support for automatic distribution. To distribute the AUTH policy, see “Distributing the local ACL policies” on page 164 for instructions.
Local Switch configuration parameters are needed to control whether a switch accepts or rejects distributions of the AUTH policy using the distribute command and whether the switch may initiate distribution of the policy.
Cloning an IP Filter policy
You can create an IP Filter policy as an exact copy of an existing policy. The policy created is stored in a temporary buffer and has the same type and rules as the existing defined or active policy.
1. Log in to the switch using an account with admin permissions, or an account associated with the chassis role and having OM permissions for the IPfilter RBAC class of commands.
2. Enter the ipFilter --clone command.
1. Log in to the switch using an account with admin permissions, or an account associated with the chassis role and having OM permissions for the IPfilter RBAC class of commands.
2. Enter the ipFilter --activate command.
Deleting an IP Filter policy
You can delete a specified IP Filter policy. Deleting an IP Filter policy removes it from the temporary buffer. To permanently delete the policy from the persistent database, run ipfilter --save.
For an IP Filter policy rule, you can only select port numbers in the well-known port number range, between 0 and 1023, inclusive. This means that you have the ability to control how to expose the management services hosted on a switch, but not the ability to affect the management traffic that is initiated from a switch. A valid port number range is represented by a dash, for example 7-30. Alternatively, service names can be used instead of port numbers.
TABLE 34 Supported services (Continued)
Service name: Port number
shell: 514
uucp: 540
biff: 512
who: 513
syslog: 514
route: 520
timed: 525
kerberos4: 750
rpcd: 897
securerpcd: 898
Protocol
TCP and UDP protocols are valid protocol selections. Fabric OS v6.2.0 and later do not support configuration to filter other protocols. Implicitly, ICMP type 0 and type 8 packets are always allowed to support ICMP echo request and reply on commands like ping and traceroute.
Default policy rules
A switch with Fabric OS v6.2.0 or later will have a default IP Filter policy for IPv4 and IPv6. The default IP Filter policy cannot be deleted or changed. When an alternative IP Filter policy is activated, the default IP Filter policy becomes deactivated. Table 36 lists the rules of the default IP Filter policy.
Adding a rule to an IP Filter policy
There can be a maximum of 256 rules created for an IP Filter policy. The change to the specified IP Filter policy is not saved to the persistent configuration until a save or activate subcommand is run.
1. Log in to the switch using an account with admin permissions, or an account associated with the chassis role and having the OM permissions for the IPfilter RBAC class of commands.
2. Enter the ipFilter --addrule command.
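The rule constraints described above (well-known ports 0-1023, dash ranges, service names, TCP/UDP only, ICMP echo always allowed, 256-rule limit) and the ordering caveat from the BlockTelnet procedure (a deny rule must carry a lower number than the default Telnet rule at number 2) can be checked against a small first-match model. This is an added illustration, not Fabric OS code; the policy contents, the class and function names, and the permit-Telnet rule standing in for the default policy's rule 2 are constructed.

```python
"""First-match model of an IP Filter policy, showing why a deny rule must
be numbered below the permit rule it is meant to override. Added
illustration, not Fabric OS code; rule sets are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Service names and ports from the supported-services table on the page,
# plus telnet (port 23, used by the page's BlockTelnet rule).
SERVICES = {"shell": 514, "uucp": 540, "biff": 512, "who": 513, "syslog": 514,
            "route": 520, "timed": 525, "kerberos4": 750, "rpcd": 897,
            "securerpcd": 898, "telnet": 23}
MAX_RULES = 256
ALWAYS_ALLOWED_ICMP_TYPES = {0, 8}   # echo reply / echo request


def parse_port_spec(spec: str) -> Tuple[int, int]:
    """Return (low, high) for a single port, a dash range such as '7-30',
    or a service name; anything outside 0-1023 is rejected."""
    if spec in SERVICES:
        low = high = SERVICES[spec]
    elif "-" in spec:
        a, b = spec.split("-", 1)
        low, high = int(a), int(b)
    else:
        low = high = int(spec)
    if not 0 <= low <= high <= 1023:
        raise ValueError(f"{spec!r} is outside the well-known range 0-1023")
    return low, high


@dataclass(frozen=True)
class Rule:
    number: int
    sip: str      # source address or 'any'
    dp: str       # destination port spec (number, range, or service name)
    proto: str    # 'tcp' or 'udp'
    act: str      # 'permit' or 'deny'

    def matches(self, sip: str, dport: int, proto: str) -> bool:
        low, high = parse_port_spec(self.dp)
        return (self.proto == proto and low <= dport <= high
                and (self.sip == "any" or self.sip == sip))


class IPFilterPolicy:
    """Rules are tried in ascending rule-number order; the first match wins."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.rules: Dict[int, Rule] = {}

    def add_rule(self, rule: Rule) -> None:
        if rule.proto not in ("tcp", "udp"):
            raise ValueError("only tcp and udp can be filtered")
        if rule.act not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if rule.number in self.rules:
            raise ValueError(f"rule {rule.number} already exists")
        if len(self.rules) >= MAX_RULES:
            raise ValueError(f"policy already holds {MAX_RULES} rules")
        parse_port_spec(rule.dp)          # reject bad port specs up front
        self.rules[rule.number] = rule

    def evaluate(self, sip: str, dport: int, proto: str,
                 icmp_type: Optional[int] = None) -> Optional[str]:
        """Return 'permit', 'deny', or None when nothing matches (what
        happens to unmatched traffic is not modelled here)."""
        if proto == "icmp":
            return "permit" if icmp_type in ALWAYS_ALLOWED_ICMP_TYPES else None
        for number in sorted(self.rules):
            if self.rules[number].matches(sip, dport, proto):
                return self.rules[number].act
        return None


def block_telnet_verdict(deny_rule_number: int) -> Optional[str]:
    """Constructed policy: a permit-Telnet rule at number 2 (the position the
    page cites for the default policy) plus a deny rule at the given number.
    Returns the verdict for an inbound Telnet connection attempt."""
    policy = IPFilterPolicy("BlockTelnet")
    policy.add_rule(Rule(2, "any", "23", "tcp", "permit"))
    policy.add_rule(Rule(deny_rule_number, "any", "telnet", "tcp", "deny"))
    return policy.evaluate("10.1.2.3", 23, "tcp")
```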
Managing filter thresholds
Fabric OS v7.0.0 allows you to configure filter thresholds using the fmMonitor command.
1. Connect to the switch and log in using an account with admin permissions, or an account with OM permissions for the FabricWatch RBAC class of commands.
2. Enter the fmMonitor command.
TABLE 37 Interaction between fabric-wide consistency policy and distribution settings
Distribution setting | Fabric-wide consistency policy: Absent (default) | Fabric-wide consistency policy: Tolerant configuration.1
Reject | Database is protected, it cannot be overwritten. May not match other databases in the fabric. | Invalid
Accept (default) | Database is not protected, the database can be overwritten. |
Example shows the database distribution settings
switch:admin> fddcfg --showall
Local Switch Configuration for all Databases:
DATABASE - Accept/Reject
--------------------------------
SCC accept
DCC accept
PWD accept
FCS accept
AUTH accept
IPFILTER accept
Fabric Wide Consistency Policy:- ""
Enabling local switch protection
1.
Fabric-wide enforcement
The fabric-wide consistency policy enforcement setting determines the distribution behavior when changes to a policy are activated. Using the tolerant or strict fabric-wide consistency policy ensures that changes to local ACL policy databases are automatically distributed to other switches in the fabric.
NOTE
To completely remove all policies from a fabric, enter the fddCfg --fabwideset "" command.
Setting the fabric-wide consistency policy
1. Connect to the switch and log in using an account with admin permissions, or an account with OM permissions for the FabricDistribution RBAC class of commands.
2. Enter the fddCfg --fabwideset command.
Example shows how to set a strict SCC and tolerant DCC fabric-wide consistency policy.
Use the fddCfg --fabwideset command on either this switch or the fabric to set a matching strict SCC, DCC, or FCS fabric-wide consistency policy. Use ACL policy commands to delete the conflicting ACL policy from one side to resolve ACL policy conflict. If neither the fabric nor the joining switch is configured with a fabric-wide consistency policy, there are no ACL merge checks required. The descriptions above also apply to joining two fabrics.
TABLE 41 Examples of strict fabric merges
Fabric-wide consistency policy setting Strict/Tolerant Strict/Absent Expected behavior Fabric A Fabric B SCC:S;DCC:S SCC;DCC:S SCC;DCC:S SCC:S;DCC SCC:S;DCC SCC:S Ports connecting switches are disabled. SCC:S;DCC:S SCC:S DCC:S Strict/Strict SCC:S DCC:S
Table 42 has a matrix of merging fabrics with tolerant and absent policies.
• Automated Key Management—Automates the process, as well as manages the periodic exchange and generation of new keys.
Using the ipsecConfig command, you must configure multiple security policies for traffic flows on the Ethernet management interfaces based on IPv4 or IPv6 addresses, a range of IPv4 or IPv6 addresses, the type of application, port numbers, and protocols used (UDP/TCP/ICMP).
FIGURE 20 Gateway tunnel configuration
Endpoint-to-Gateway Tunnel
In this scenario, a protected endpoint (typically a portable computer) connects back to its corporate network through an IPsec-protected tunnel. It might use this tunnel only to access information on the corporate network, or it might tunnel all of its traffic back through the corporate network in order to take advantage of protection provided by a corporate firewall against Internet-based attacks.
IPsec protocols use a sliding window to assist in flow control. The IPsec protocols also use this sliding window to provide protection against replay attacks, in which an attacker attempts a denial of service attack by replaying an old sequence of packets. IPsec protocols assign a sequence number to each packet. The recipient accepts each packet only if its sequence number is within the window. It discards older packets.
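The receiver-side window just described can be modelled with a high-water mark and a bitmap of recently accepted sequence numbers: a packet is accepted only once, and only if it is not older than the window. The following is an added illustration of that anti-replay check, not Fabric OS code; the window size and packet sequence are constructed.

```python
"""Anti-replay sliding window of the kind described for IPsec: the receiver
keeps the highest sequence number accepted and a bitmap of the `size` most
recent sequence numbers. Added illustration, not Fabric OS code."""


class ReplayWindow:
    def __init__(self, size: int = 64) -> None:
        if size < 1:
            raise ValueError("window size must be positive")
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence (highest - i) already seen

    def check_and_update(self, seq: int) -> bool:
        """Return True if the packet is accepted and record it; False for
        a replay (already seen) or a packet older than the window. A real
        receiver records the packet only after its integrity check passes."""
        if seq == 0:
            return False                      # 0 is never a valid sequence number
        if seq > self.highest:
            # New high-water mark: slide the window forward by the gap.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1               # everything older fell off the window
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                      # too old: left edge of the window
        if self.bitmap & (1 << offset):
            return False                      # duplicate inside the window: replay
        self.bitmap |= 1 << offset            # late but new: accept and mark
        return True


def filter_sequence(seqs, size: int = 64):
    """Apply one window to a list of sequence numbers; returns the verdicts."""
    window = ReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]
```

A constructed stream such as 1, 2, 3, 2, 5, 4, 4, 70, 3 with a window of 8 shows the three outcomes: in-order packets accepted, the late packet 4 accepted once, and the replays of 2 and 4 plus the now too-old 3 dropped.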
TABLE 43 Algorithms and associated authentication policies (Continued)
Algorithm | Encryption Level | Policy | Description
3des_cbc | 168-bit | ESP | Triple DES is a more secure variant of DES. It uses three different 56-bit keys to encrypt blocks of 64-bit plain text. The algorithm is FIPS-approved for use by Federal agencies.
blowfish_cbc | 64-bit | ESP | Blowfish is a 32-bit to 448-bit keyed, symmetric block cipher.
Key management
The IPsec key management supports Internet Key Exchange or Manual key/SA entry. The Internet Key Exchange (IKE) protocol handles key management automatically. SAs require keying material for authentication and encryption. The managing of keying material that SAs require is called key management. The IKE protocol secures communication by authenticating peers and exchanging keys. It also creates the SAs and stores them in the SADB.
Creating the tunnel
Each side of the tunnel must be configured in order for the tunnel to come up. Once you are logged into the switch, do not log off, as each step requires that you are logged in to the switch. IPsec configuration changes take effect upon execution and are persistent across reboots.
8. Create an IPsec transform on each switch using the ipSecConfig --add command.
Example of creating an IPsec transform
This example creates an IPsec transform TRANSFORM01 to use the transport mode to protect traffic identified for IPsec protection and use IKE01 as key management policy.
switch:admin> ipsecconfig --add policy ips transform -t TRANSFORM01 \
-mode transport -sa-proposal IPSEC-AH \
-action protect -ike IKE01
9.
Example of an End-to-End Transport Tunnel mode
This example illustrates securing traffic between two systems using AH protection with MD5 and configures IKE with pre-shared keys. The two systems are a switch, BROCADE300 (IPv4 address 10.33.74.13), and an external host (10.33.69.132).
NOTE
A backslash ( \ ) is used to skip the return character so you can continue the command on the next line without the return character being interpreted by the shell.
1.
9. Create traffic selectors to select the outbound and inbound traffic that needs to be protected.
switch:admin> ipsecconfig --add policy ips selector \
-t SELECTOR-OUT -d out -l 10.33.74.13 -r 10.33.69.132 \
-transform TRANSFORM01
switch:admin> ipsecconfig --add policy ips selector \
-t SELECTOR-IN -d in -l 10.33.69.132 -r 10.33.74.13 \
-transform TRANSFORM01
10. Verify the IPsec SAs created with IKE using the ipsecConfig --show manual-sa -a command.
11.
Chapter 8 Maintaining the Switch Configuration File
In this chapter
• Configuration settings
• Configuration file backup
• Configuration file restoration
• Configurations across a fabric
If your user account has chassis account permissions, you can do any of the following when uploading or downloading a configuration file:
-fid: To upload the specified FID configuration.
-all: To upload all of the system configuration, including the chassis section and all switch sections for all logical switches.
Note: Use this parameter when obtaining a complete capture of the switch configuration in a switch that has Virtual Fabric mode disabled.
[Configuration]
[Bottleneck Configuration]
[Zoning]
[Defined Security policies]
[Active Security policies]
[cryptoDev]
[FICU SAVED FILES]
[Banner]
[End]
[Switch Configuration End : 0]
date = Thu Apr 2 21:28:52 2009
[Switch Configuration Begin : 1]
SwitchName = switch_2
Fabric ID = 1
[Boot Parameters]
[Configuration]
[Bottleneck Configuration]
[Zoning]
[Defined Security policies]
[Active Security policies]
[cryptoDev]
[FICU SAVED FILES]
[Banner]
[End]
[Switch Configuration End :
• UDROLE_CONF - User defined role configuration
• LicensesDB - License Database (slot based)
• DMM_WWN - Data migration manager World Wide Name configuration
• Licenses - (Feature based) Licenses configuration
• AGWWN_MAPPING_CONF - Access Gateway WWN mapping configuration
• LicensesLservc - Sentinel License configuration
• GE blade mode - GigE Mode Configuration
• FWD CHASSIS CFG - Fabric watch configuration
• FRAME LOG - Frame log configuration (enable/disable)
• DMM_TB -
The following information is not saved in a backup:
• dnsConfig information
• Passwords
Before you upload a configuration file, verify that you can reach the FTP server from the switch. Using a Telnet connection, save a backup copy of the configuration file from a logical switch to a host computer. Secure File Transfer Protocol is now an option when uploading a configuration file.
Configuration file restoration
When you restore a configuration file, you overwrite the existing configuration with a previously saved backup (configuration) file.
CAUTION
Make sure that the configuration file you are downloading is compatible with your switch model. Configuration files from a model other than the switch to which you are uploading, or from a different firmware version, could cause your switch to fail.
-all: The number of switches or FIDs defined in the downloaded configuration file must match the number of switches or FIDs currently defined on the switch. The switches must be disabled first. If they are not, the configDownload command will download the configuration for as many switches as possible until a non-disabled switch is found. Then it will stop. Before running this command, verify if any switches need to be disabled.
Configuration download without disabling a switch

You can download configuration files to a switch while the switch is enabled; that is, you do not need to disable the switch for changes in SNMP, Fabric Watch, or ACL parameters. However, if any changed parameter does not belong to SNMP, Fabric Watch, or ACL, then you must disable the switch. When you use the configDownload command, you are prompted to disable the switch only when necessary.
User Name [user]: UserFoo
Path/Filename [/config.txt]:
Section (all|chassis|FID# [all]): all

*** CAUTION ***

This command is used to download a backed-up configuration
for a specific switch.  If using a file from a different
switch, this file's configuration settings will override
any current switch settings.  Downloading a configuration
file, which was uploaded from a different type of switch,
may cause this switch to fail.
Configurations across a fabric

To save time when configuring fabric parameters and software features, you can save a configuration file from one switch and download it to other switches of the same model type, as shown in the following procedure. Do not download a configuration file from one switch to another switch that is a different model or firmware version, because it can cause the switch to fail.
Example of configUpload on a switch with Virtual Fabrics

Sprint5100:FID128:admin> configupload
Protocol (scp, ftp, sftp, local) [ftp]:
Server Name or IP Address [host]: 10.1.2.3
User Name [user]: UserFoo
Path/Filename [/config.txt]: 5100.
6. Verify the LISL ports are set up correctly.

Example of a non-interactive download from a switch with an FID = 8, to FID 10

configdownload -fid 8 -sfid 10 -ftp 10.1.2.3,UserFoo,config.txt,password

Example of configDownload on a switch

5100:FID128:admin> configdownload -vf
Protocol (scp, ftp, sftp, local) [ftp]:
Server Name or IP Address [host]: 10.1.2.3
User Name [user]: UserFoo
Path/Filename [/config.txt]: 5100_FID89.
Brocade configuration form

TABLE 45 Brocade configuration and connection

Brocade configuration settings
• IP address
• Gateway address
• Chassis configuration option

Management connections
• Serial cable tag
• Ethernet cable tag

Configuration information
• Domain ID
• Switch name
• Ethernet IP address
• Ethernet subnet mask
• Total number of local devices (nsShow)
• Total number of devices in fabric (nsAllShow)
• Total number of switches in the fabric (fabricShow)
Chapter 9 Installing and Maintaining Firmware

In this chapter
• Firmware download process overview
• Preparing for a firmware download
• Firmware download on switches
• Firmware download on an enterprise-class platform
• Firmware download from a USB device
Firmware download process overview

You can download Fabric OS to a director, which is a chassis, and to a nonchassis-based system, also referred to as a switch. The difference in the download process is that directors have two CPs and nonchassis-based systems have one CP. Use the firmwareDownload command to download the firmware to the switch from either an FTP or SSH server, using the FTP, SFTP, or SCP protocol.
Upgrading and downgrading firmware

Upgrading means installing a newer version of firmware. Downgrading means installing an older version of firmware. In most cases, you will be upgrading firmware; that is, installing a newer firmware version than the one you are currently running. However, some circumstances may require installing an older version; that is, downgrading the firmware.
Preparing for a firmware download

TABLE 46 Enterprise-class platform HA sync states

Active CP Fabric OS version | Standby CP Fabric OS version | HA sync state | Remedy
v6.2.0 | v6.2.0 | inSync | n/a
v6.2.x | v6.3.0 | inSync | n/a
v6.3.0 | v6.2.x | If Ethernet Switch Service is enabled, no sync. | Run firmwareDownload -s on the standby CP and upgrade it to v6.3.0.
v6.3.0 | v6.3.0 | inSync | n/a
v6.3.0 | v6.4.0 | inSync | n/a
v6.4.0 | v6.3.0 | inSync | Run firmwareDownload -s on the standby CP and upgrade it to v6.4.
Connected switches

Before you upgrade the firmware on your switch, check the connected switches to ensure compatibility and that any older versions are supported. Refer to the Fabric OS Compatibility section of the Brocade Fabric OS Release Notes for the recommended firmware version.

NOTE
Go to http://www.brocade.com to view end-of-life policies for Brocade products. Navigate to the Support tab, then select Policies and Locations.
Firmware download on switches

Brocade 300, 5100, 5300, 5410, 5424, 5450, 5460, 5470, 5480, 6510, 7800, 8000, and VA-40FC switches maintain primary and secondary partitions for firmware. The firmwareDownload command defaults to an autocommit option that automatically copies the firmware from one partition to the other.

NOTE
This section only applies when upgrading from Fabric OS v6.1.x to v6.2.0, or between different versions of v6.2.0, such as patch releases.
Upgrading firmware for Brocade 300, 5100, 5300, 5410, 5424, 5450, 5460, 5470, 5480, 6510, 7800, 8000, and VA-40FC switches

1. Take the appropriate action based on the service you are using:
   • If you are using FTP, SFTP, or SCP, verify that the FTP or SSH server is running on the host server and that you have a valid user ID and password on that server.
   • If your platform supports a USB memory device, verify that it is connected and running.
2.
Firmware download on an enterprise-class platform

You can download firmware to a Brocade DCX, DCX-4S, or DCX 8510 enterprise-class platform without disrupting the overall fabric if the two CP blades are installed and fully synchronized. Use the haShow command to verify that the CPs are synchronized before beginning the firmware download process. If only one CP blade is inserted or powered on, you can run firmwareDownload -s to upgrade the CP.
Upgrading firmware on enterprise-class platforms (including blades)

There is only one chassis management IP address for the Brocade DCX, DCX-4S, or DCX 8510 platforms.

NOTE
By default, the firmwareDownload command automatically upgrades both the active and the standby CP and all co-CPs on the CP blades in the Brocade DCX, DCX-4S, or DCX 8510 Backbones.
If an AP blade is present: At the point of the failover, an autoleveling process is activated. Autoleveling is triggered when the active CP detects a blade that contains a different version of the firmware, regardless of which version is older. Autoleveling downloads firmware to the AP blade, swaps partitions, reboots the blade, and copies the new firmware from the primary partition to the secondary partition.
Slot 7 (CP1, active): Firmware has been downloaded to the secondary partition of the switch.
[5]: Mon Mar 22 04:37:24 2010
Slot 7 (CP1, standby): The firmware commit operation has started. This may take up to 10 minutes.
[6]: Mon Mar 22 04:41:59 2010
Slot 7 (CP1, standby): The commit operation has completed successfully.
[7]: Mon Mar 22 04:41:59 2010
Slot 7 (CP1, standby): Firmwaredownload command has completed successfully.
Firmware download from a USB device

Downloading from USB using the relative path
1. Log in to the switch as admin.
2. Enter the firmwareDownload -U command.
   ecp:admin> firmwaredownload -U v7.0.0

Downloading from USB using the absolute path
1. Log in to the switch as admin.
2. Enter the firmwareDownload command with the -U operand.
   ecp:admin> firmwaredownload -U /usb/usbstorage/brocade/firmware/v7.0.
FIPS Support

NOTE
If FIPS is enabled, all logins should be done through SSH or direct serial, and the transfer protocol should be SCP.

Updating the firmware key
1. Log in to the switch as admin.
2. Type the firmwareKeyUpdate command and respond to the prompts.

The firmwareDownload Command

As mentioned previously, the public key file needs to be packaged, installed, and run on your switch before downloading a signed firmware.
Power-on Firmware Checksum Test

FIPS requires the checksums of the executables and libraries on the filesystem to be validated before Fabric OS modules are launched. This ensures that these files have not been changed after they were installed. When firmware RPM packages are installed during firmwareDownload, the MD5 checksums of the firmware files are stored in the RPM database on the filesystem. The checksum validation covers all of the files recorded in the RPM database.
Test and restore firmware on switches

User Name: userfoo
File Name: /home/userfoo/v7.0.0
Password:
Do Auto-Commit after Reboot [Y]: n
Reboot system after download [N]: y
Firmware is being downloaded to the switch. This step may take up to 30 minutes.
Checking system settings for firmwaredownload...

The switch reboots and comes up with the new firmware to be tested. Your current switch session is automatically disconnected.
Test and restore firmware on enterprise-class platforms

This procedure enables you to perform a firmware download on each CP and verify that the procedure was successful before committing to the new firmware. The old firmware is saved in the secondary partition of each CP until you enter the firmwareCommit command.
   d. Enter the haFailover command. The active CP reboots and the current enterprise-class platform session is disconnected.
      If an AP blade is present: At the point of the failover, an autoleveling process is activated. See "Enterprise-class platform firmware download process overview" on page 200 for details about autoleveling.
8. Verify the failover.
   a. Connect to the enterprise-class platform on the active CP, which is the former standby CP.
   b.
11. Perform a commit on the active CP.
   a. From the current enterprise-class platform session on the active CP, enter the firmwareShow command and confirm that only the active CP secondary partition contains the old firmware.
   b. Enter the firmwareCommit command to update the secondary partition with the new firmware. It takes several minutes to complete the commit operation.
Validating a firmware download

Validate the firmware download by running the following commands: firmwareShow, firmwareDownloadStatus, nsShow, nsAllShow, and fabricShow.

NOTE
When you prepared for the firmware download earlier, you issued either the supportShow or supportSave command. Although you can issue the command again and compare the output from before and after, it may take up to 30 minutes for the command to execute.
Chapter 10 Managing Virtual Fabrics

In this chapter
• Virtual Fabrics overview
• Logical switch overview
• Logical fabric overview
• Management model for logical switches
This chapter describes the logical switch and logical fabric features. For information about device sharing with Virtual Fabrics, refer to "FC-FC Routing and Virtual Fabrics" on page 496. For information about supported switches and port types, refer to "Supported platforms for Virtual Fabrics" on page 224. Virtual Fabrics and Admin Domains are mutually exclusive and are not supported at the same time on a switch.
After you enable Virtual Fabrics, you can create up to seven additional logical switches, depending on the switch model. Figure 23 shows a Virtual Fabrics-enabled switch before and after it is divided into logical switches. Before you create logical switches, the chassis appears as a single switch (default logical switch). After you create logical switches, the chassis appears as multiple independent logical switches.
FIGURE 24 Fabric IDs assigned to logical switches (physical chassis divided into logical switch 1, the default logical switch with FID 128, and logical switches 2 to 5 with FIDs 1, 15, 8, and 20)

Port assignment in logical switches

Initially, all ports belong to the default logical switch. When you create additional logical switches, they are empty and you must assign ports to those logical switches.
A given port is always in one (and only one) logical switch. The following scenarios refer to the chassis after port assignment in Figure 25:
• If you assign P2 to logical switch 2, you cannot assign P2 to any other logical switch.
• If you want to remove a port from a logical switch, you cannot delete it from the logical switch, but must move it to a different logical switch.
FIGURE 26 Logical switches connected to devices and non-Virtual Fabrics switch (physical chassis with logical switches 1 to 4, FIDs 128, 1, 15, and 8, ports P1 to P6, host H1, devices D1 and D2, and an ISL to a non-Virtual Fabrics switch)

Figure 27 shows a logical representation of the physical chassis and devices in Figure 26. As shown in Figure 27, the devices are isolated into separate fabrics.
Logical fabric and ISLs

Figure 28 shows two physical chassis divided into logical switches. In Figure 28, ISLs are used to connect the logical switches with FID 1 and the logical switches with FID 15. The logical switches with FID 8 are each connected to a non-Virtual Fabrics switch. The two logical switches and the non-Virtual Fabrics switch are all in the same fabric, with FID 8.
Base switch and extended ISLs

Another way to connect logical switches is to use extended ISLs and base switches. When you divide a chassis into logical switches, you can designate one of the switches to be a base switch. A base switch is a special logical switch that is used for interconnecting the physical chassis. A base switch has the following properties:
• ISLs connected through the base switch can be used for communication among the other logical switches.
Think of the logical switches as being connected with logical ISLs, as shown in Figure 31. In this diagram, the logical ISLs are not connected to ports because they are not physical cables. They are a logical representation of the switch connections that are allowed by the XISL.
By default, the physical ISL path is favored over the logical path (over the XISL) because the physical path has a lower cost. This behavior can be changed by configuring the cost of the dedicated physical ISL to match the cost of the logical ISL.

ATTENTION
If you disable a base switch, all of the logical ISLs are broken and the logical switches cannot communicate with each other unless they are connected by a physical ISL.
Management model for logical switches

You can use one common IP address for the hardware that is shared by all of the logical switches in the chassis, and you can set up individual IPv4 addresses for each Virtual Fabric. For a management host to manage a logical switch using the Internet Protocol over Fibre Channel (IPFC) IP address, it must be physically connected to the Virtual Fabric using a host bus adapter (HBA).
Supported platforms for Virtual Fabrics

The following platforms are Virtual Fabrics-capable:
• Brocade 5100
• Brocade 5300
• Brocade 6510
• Brocade VA-40FC, in Native mode only
• Brocade DCX
• Brocade DCX-4S
• Brocade DCX 8510 family

Some restrictions apply to the ports, depending on the port type and blade type. The following sections explain these restrictions.
TABLE 47 Blade and port types supported on logical switches (Continued)

Blade type | Default logical switch | User-defined logical switch | Base switch
FR4-18i: FC ports | Yes (F, E) | No | No
FR4-18i: GE ports | Yes (VE) | Yes (VE) | Yes (VE, VEX)
ICL ports | Yes | Yes | Yes

1. In the Brocade DCX and DCX 8510-8, ports 56–63 of the FC8-64 blade are not supported as E_Ports on the default logical switch. The Brocade DCX-4S and DCX 8510-4 do not have this limitation.
2.
Limitations and restrictions of Virtual Fabrics

TABLE 48 Virtual Fabrics interaction with Fabric OS features (Continued)

Fabric OS feature | Virtual Fabrics interaction
FC-FC Routing Service | All EX_Ports must reside in a base switch. You cannot attach EX_Ports to a logical switch that has XISL use enabled. You must use ISLs to connect the logical switches in an edge fabric. NOTE: FC-FC Routing is not supported on a Brocade 6510 with more than 3 logical switches.
Restrictions on XISLs

The Allow XISL Use option, available under the configure command, allows a logical switch to use XISLs in the base switch as well as any standard ISLs that are connected to that logical switch. To allow or disallow XISL use for a logical switch, see "Configuring a logical switch to use XISLs" on page 236. Following are restrictions on XISL use.
3. Delete all Admin Domains, as described in "Deleting all user-defined Admin Domains non-disruptively" on page 356.
4. Enter the following command to enable VF mode:
   fosconfig --enable vf
5. Enter y at the prompt.

Example
The following example checks whether VF mode is enabled or disabled and then enables it.
Disabling Virtual Fabrics mode

Example
The following example checks whether VF mode is enabled or disabled and then disables it.
Creating a logical switch or base switch

NOTE
Domain ID conflicts are detected before fabric ID conflicts. If you have both a domain ID conflict and a fabric ID conflict, only the domain ID conflict is reported.

1. Connect to the physical chassis and log in using an account with the chassis-role permission.
2.
Executing a command in a different logical switch context

This procedure describes how to execute a command for a logical switch while you are in the context of a different logical switch. You can also execute a command for all the logical switches in a chassis. The command is not executed on those logical switches for which you do not have permission.
1.
"fabricshow" on FID 4:
Switch ID   Worldwide Name            Enet IP Addr    FC IP Addr   Name
------------------------------------------------------------------------
 14: fffc0e 10:00:00:05:1e:82:3c:2b  10.32.79.105    0.0.0.0     >"switch_4"
(output truncated)

Deleting a logical switch

You must remove all ports from the logical switch before deleting it. You cannot delete the default logical switch.
NOTE
If you are deploying ICLs in the base switch, all ports associated with those ICLs must be assigned to the base switch. If you are deploying ICLs to connect to default switches (that is, XISL use is not allowed), the ICL ports should be assigned (or left) in the default logical switch.

1. Connect to the physical chassis and log in using an account with the chassis-role permission.
2.
Changing the fabric ID of a logical switch

The following procedure describes how to change the fabric ID of an existing logical switch. The fabric ID indicates in which fabric the logical switch participates. By changing the fabric ID, you move the logical switch from one fabric to another. Changing the fabric ID requires permission for chassis management operations. You cannot change the FID of your own logical switch context.
5. Enable the switch.
   switchenable

Example of changing the logical switch with FID 7 to a base switch

sw0:FID128:admin> setcontext 7
switch_25:FID7:admin> switchshow
switchName:     switch_25
switchType:     66.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the ipAddrSet -ls command. For the --add parameter, specify the network information in dotted-decimal notation for the Ethernet IPv4 address with a Classless Inter-Domain Routing (CIDR) prefix.
Changing the context to a different logical fabric

You can change the context to a different logical fabric. Your user account must have permission to access the logical fabric.
1. Connect to the physical chassis and log in using an account with the chassis-role permission.
2.
Creating a logical fabric using XISLs

   c. Create a base switch and assign it a fabric ID that will become the FID of the base fabric. See "Creating a logical switch or base switch" on page 229 for instructions on creating a base switch. For the example shown in Figure 33, you would create a base switch with fabric ID 8.
   d. Assign ports to the base switch, as described in "Adding and removing ports on a logical switch" on page 232.
   e.
Chapter 11 Administering Advanced Zoning

In this chapter
• Special zones
• Zoning overview
• Broadcast zones
• Zone aliases
• QoS zones
  Assign high or low priority to designated traffic flows. QoS zones are regular zones with additional QoS attributes specified by adding a QOS prefix to the zone name. See "QoS: SID/DID traffic prioritization" on page 413 for more information.
• Traffic Isolation zones (TI zones)
  Isolate inter-switch traffic to a specific, dedicated path through the fabric. See Chapter 12, "Traffic Isolation Zoning," for more information.
FIGURE 34 Zoning example (Blue Zone, Red Zone, and Green Zone containing Server 1, Server 2, Server 3, Storage 1, Storage 2, Storage 3, and a RAID)

Approaches to zoning

Table 50 lists the various approaches you can take when implementing zoning in a fabric.

TABLE 50 Approaches to fabric-based zoning

Zoning approach | Description
Recommended approach
Single HBA | Zoning by single HBA most closely re-creates the original SCSI bus.
TABLE 50 Approaches to fabric-based zoning (Continued)

Zoning approach | Description
Alternative approaches
Application | Zoning by application typically requires zoning multiple, perhaps incompatible, operating systems into the same zones. This method of zoning creates the possibility that a minor server in the application suite could disrupt a major server (such as a Web server disrupting a data warehouse server).
The types of zone objects used to define a zone can be mixed. For example, a zone defined with the zone objects 2,12; 2,14; 10:00:00:80:33:3f:aa:11 contains the devices connected to domain 2, ports 12 and 14, and a device with the WWN 10:00:00:80:33:3f:aa:11 (either node name or port name) that is connected on the fabric.
The different types of zone configurations are:
• Defined Configuration
  The complete set of all zone objects defined in the fabric.
• Effective Configuration
  A single zone configuration that is currently in effect. The effective configuration is built when you enable a specified zone configuration.
• Saved Configuration
  A copy of the defined configuration plus the name of the effective configuration, which is saved in flash memory.
Identifying the enforced zone type
1. Connect to the switch and log in as admin.
2. Enter the portZoneShow command, using the following syntax:
   portzoneshow

Considerations for zoning architecture

Table 51 lists considerations for zoning architecture.

TABLE 51 Considerations for zoning architecture

Item | Description
Type of zoning enforcement: frame- or session-based | If security is a priority, frame-based hardware enforcement is recommended.
Best practices for zoning

The following are recommendations for using zoning:
• Always zone using the highest Fabric OS-level switch. Switches with earlier Fabric OS versions do not have the capability to view all the functionality that a newer Fabric OS provides, as functionality is backwards compatible but not forwards compatible.
• Zone using the core switch versus an edge switch.
• Zone using an enterprise-class platform rather than a switch.
Broadcast zones

Broadcast packets are forwarded to all the ports that are part of the broadcast zone for any Admin Domain, have membership in that Admin Domain, and are zoned together (in a regular zone) with the sender of the broadcast frame. Figure 35 illustrates how broadcast zones work with Admin Domains. Figure 35 shows a fabric with five devices and two Admin Domains, AD1 and AD2. Each Admin Domain has two devices and a broadcast zone.
Broadcast zones and FC-FC routing

If you create broadcast zones in a metaSAN consisting of multiple fabrics connected through an FC router, the broadcast zone must include the IP device that exists in the edge or backbone fabric as well as the proxy device in the remote fabric. See Chapter 23, "Using the FC-FC Routing Service," for information about proxy devices and the FC router.
Zone aliases

Virtual Fabric considerations: Alias definitions should not include logical port numbers. Zoning is not enforced on logical ports.

Creating an alias
1. Connect to the switch and log in as admin.
2. Enter the aliCreate command, using the following syntax:
   alicreate "aliasname", "member[; member...]"
3. Enter the cfgSave command to save the change to the defined configuration. The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile memory.
configuration is re-enabled, merging new switches into the fabric is not recommended and may cause unpredictable results with the potential of mismatched Effective Zoning configurations.
Do you want to save Defined zoning configuration only? (yes, y, no, n): [no] y

Removing members from an alias
1. Connect to the switch and log in as admin.
2. Enter the aliRemove command, using the following syntax:
   aliremove "aliasname", "member[; member...]"
3.
take effect until it is re-enabled. Until the Effective configuration is re-enabled, merging new switches into the fabric is not recommended and may cause unpredictable results with the potential of mismatched Effective Zoning configurations.
Do you want to save Defined zoning configuration only? (yes, y, no, n): [no] y

Viewing an alias in the defined configuration
1. Connect to the switch and log in as admin.
2.
Zone creation and maintenance

You are about to save the Defined zoning configuration. This action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled. Until the Effective configuration is re-enabled, merging new switches into the fabric is not recommended and may cause unpredictable results with the potential of mismatched Effective Zoning configurations.
switch:admin> zoneremove "bluezone", "21:00:00:20:37:0c:72:51"
switch:admin> zoneremove "broadcast", "2,34"
switch:admin> cfgsave
You are about to save the Defined zoning configuration. This action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled.
Validating a zone
1. Connect to the switch and log in as admin.
2. Enter the cfgShow command to view the zone configuration objects you want to validate.
Default zoning mode

The default zoning mode controls device access if zoning is not implemented or if there is no effective zone configuration. The default zoning mode has two options:
• All Access—All devices within the fabric can communicate with all other devices.
• No Access—Devices in the fabric cannot access any other device in the fabric.
The default zone mode applies to the entire fabric, regardless of switch model. The default setting is All Access.
You are about to save the Defined zoning configuration. This action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled. Until the Effective configuration is re-enabled, merging new switches into the fabric is not recommended and may cause unpredictable results with the potential of mismatched Effective Zoning configurations.
Zone configurations

You can store a number of zones in a zone configuration database. The maximum number of items that can be stored in the zone configuration database depends on the following criteria:
• Number of switches in the fabric.
• Number of bytes for each item name. The number of bytes required for an item name depends on the specifics of the fabric, but cannot exceed 64 bytes for each item.
Adding zones (members) to a zone configuration
1. Connect to the switch and log in as admin.
2. Enter the cfgAdd command, using the following syntax:
   cfgadd "cfgname", "member[; member...]"
3. Enter the cfgSave command to save the change to the defined configuration. The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile memory.
Enabling a zone configuration

The following procedure ends and commits the current zoning transaction buffer to nonvolatile memory. If a transaction is open on a different switch in the fabric when this procedure is run, the transaction on the other switch is automatically aborted. A message displays on the other switches to indicate that the transaction was aborted.
1. Connect to the switch and log in as admin.
2.
Deleting a zone configuration
1. Connect to the switch and log in as admin.
2. Enter the cfgDelete command, using the following syntax:
   cfgdelete "cfgname"
3. Enter the cfgSave command to save the change to the defined configuration. The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile memory. If a transaction is open on a different switch in the fabric when this command is run, the transaction on the other switch is automatically aborted.
Zone configurations 11 Example switch:admin> cfgshow Defined configuration: cfg: USA1 Blue_zone cfg: USA_cfg Purple_zone; Blue_zone zone: Blue_zone 1,1; array1; 1,2; array2 zone: Purple_zone 1,0; loop1 alias: array1 21:00:00:20:37:0c:76:8c; 21:00:00:20:37:0c:71:02 alias: array2 21:00:00:20:37:0c:76:22; 21:00:00:20:37:0c:76:28 alias: loop1 21:00:00:20:37:0c:76:85; 21:00:00:20:37:0c:71:df Effective configuration: cfg: USA_cfg zone: Blue_zone 1,1 21:00:00:20:37:0c:76:8c 21:00:00:20:37:0c:71:02 1,2 21:00:00:2
  21:00:00:20:37:0c:76:22
  21:00:00:20:37:0c:76:28
 zone: Purple_zone 1,0
  21:00:00:20:37:0c:76:85
  21:00:00:20:37:0c:71:df
Clearing all zone configurations
1. Connect to the switch and log in as admin.
2. Enter the cfgClear command to clear all zone information in the transaction buffer.
ATTENTION
Be careful using the cfgClear command because it deletes the defined configuration.
3. Enter the zone --copy command, specifying the zone objects you want to copy, along with the new object name. Note that zone configuration names are case-sensitive; blank spaces are ignored, and the command works in any Admin Domain other than AD255.
switch:admin> zone --copy Test1 US_Test1
4. Enter the cfgShow command to verify the new zone object is present.
switch:admin> zone --expunge "White_zone"
You are about to expunge one configuration or member.
This action could result in removing many zoning configurations recursively.
[Removing the last member of a configuration removes the configuration.]
Do you want to expunge the member? (yes, y, no, n): [no] yes
4. Enter yes at the prompt.
5. Enter the cfgShow command to verify the deleted zone object is no longer present.
6.
Security and zoning
The switch configuration file can also be uploaded to the host for archiving, and it can be downloaded from the host to a switch in the fabric. See “Configuration file backup” on page 182, “Configuration file restoration” on page 184, or the configUpload and configDownload commands in the Fabric OS Command Reference for additional information on uploading and downloading the configuration file.
Zone merging
Before the new fabric can merge successfully, it must pass the following criteria:
• Before merging
To facilitate merging, check the following before merging switches or fabrics:
- Default Zone: The switches must adhere to the default zone merge rules, as described in “Zone merging scenarios” on page 267.
- Effective and defined zone configuration match: Ensure that the effective and defined zone configurations match.
• Merge conflicts
When a merge conflict is present, a merge will not take place and the ISL will segment. Use the switchShow or errDump commands to obtain additional information about possible merge conflicts, because many non-zone related configuration parameters can cause conflicts. See the Fabric OS Command Reference for detailed information about these commands.
If the fabrics have different zone configuration data, the system attempts to merge the two sets of zone configuration data.
TABLE 52 Zone merging scenarios: Defined and effective configurations
Description: Switch A has a defined configuration. Switch B does not have a defined configuration.
 Switch A: defined: cfg1: zone1: ali1; ali2; effective: none
 Switch B: defined: none; effective: none
 Expected results: Configuration from Switch A to propagate throughout the fabric in an inactive state, because the configuration is not enabled.
Description: Switch A has a defined and effective configuration.
TABLE 53 Zone merging scenarios: Different content
Description: Effective configuration mismatch.
 Switch A: defined: cfg1 zone1: ali1; ali2; effective: cfg1 zone1: ali1; ali2
 Switch B: defined: cfg2 zone2: ali3; ali4; effective: cfg2 zone2: ali3; ali4
 Expected results: Fabric segments due to: Zone Conflict cfg mismatch
Description: Configuration content mismatch.
TABLE 55 Zone merging scenarios: TI zones (Continued)
Description: Switch A has Enhanced TI zones. Switch B is running Fabric OS v6.4.0 or later.
 Switch A: defined: cfg1 TI_zone1 TI_zone2
 Switch B: defined: none
 Expected results: Clean merge. TI zones are not automatically activated after the merge.
Description: Switch A has Enhanced TI zones. Switch B is running a Fabric OS version earlier than v6.4.0.
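The merge outcomes in the rows of Tables 52 and 53 above, as an added example that is not part of the guide or of Fabric OS: it predicts propagation, "cfg mismatch" or "content mismatch" from each switch's defined and effective configuration, and reports rows not reproduced on this page as not modelled. Member-order insensitivity and the cfgShow-style input format are assumptions.

```python
"""Predict whether two switches' zone databases merge or segment.

Added example, not part of the Fabric OS guide or of Fabric OS. It encodes the
outcomes in the rows of Tables 52 and 53 shown on this page: a switch with no
defined configuration adopts the other switch's database (inactive unless it
was effective there); two different effective configuration names segment with
"cfg mismatch"; the same effective name with different content segments with
"content mismatch". Rows not reproduced here are reported as not modelled
rather than guessed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# cfg name -> {zone name -> sorted member list}, following cfgShow output
ZoneDb = Dict[str, Dict[str, List[str]]]


@dataclass
class ZoningState:
    defined: ZoneDb = field(default_factory=dict)
    effective: Optional[str] = None    # name of the enabled cfg, if any


def parse_members(text: str) -> List[str]:
    """Normalise "ali1; ali2" into a sorted member list.

    Assumption: member order inside a zone is not significant for the merge.
    """
    return sorted(m.strip() for m in text.split(";") if m.strip())


def predict_merge(a: ZoningState, b: ZoningState) -> str:
    """Expected result of connecting Switch A and Switch B by an ISL."""
    # Table 52 rows: only one side has a defined configuration.
    if not a.defined and not b.defined:
        return "Clean merge: no zoning on either switch"
    if not b.defined:
        state = "active" if a.effective else "inactive"
        return f"Switch A configuration propagates throughout the fabric ({state})"
    if not a.defined:
        state = "active" if b.effective else "inactive"
        return f"Switch B configuration propagates throughout the fabric ({state})"
    # Table 53 rows: both sides have an effective configuration.
    if a.effective and b.effective:
        if a.effective != b.effective:
            return "Segmented: Zone Conflict, cfg mismatch"
        if a.defined.get(a.effective) != b.defined.get(b.effective):
            return "Segmented: Zone Conflict, content mismatch"
        return "Clean merge: identical effective configuration"
    return "Not modelled here: see the remaining rows of Tables 52 and 53"


def state_from_cfgshow(defined: Dict[str, Dict[str, str]],
                       effective: Optional[str]) -> ZoningState:
    """Build a ZoningState from cfg -> {zone -> "member; member"} text."""
    db = {cfg: {z: parse_members(m) for z, m in zones.items()}
          for cfg, zones in defined.items()}
    return ZoningState(db, effective)


if __name__ == "__main__":
    # The Table 53 "effective configuration mismatch" row, constructed inline.
    sw_a = state_from_cfgshow({"cfg1": {"zone1": "ali1; ali2"}}, "cfg1")
    sw_b = state_from_cfgshow({"cfg2": {"zone2": "ali3; ali4"}}, "cfg2")
    print(predict_merge(sw_a, sw_b))
```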
Chapter 12 Traffic Isolation Zoning
In this chapter
• Traffic Isolation Zoning overview
• Enhanced TI zones
• Traffic Isolation Zoning over FC routers
• General rules for TI zones
Traffic Isolation Zoning overview
Figure 36 shows a fabric with a TI zone consisting of the following:
• N_Ports: “1,7”, “1,8”, “4,5”, and “4,6”
• E_Ports: “1,1”, “3,9”, “3,12”, and “4,7”
The dotted line indicates the dedicated path between the initiator in Domain 1 and the target in Domain 4.
TABLE 58 Comparison of traffic behavior when failover is enabled or disabled in TI zones
Failover enabled: If the dedicated path is not the shortest path or if the dedicated path is broken, the TI zone traffic will use a non-dedicated path instead.
Failover disabled: If the dedicated path is not the shortest path or if the dedicated path is broken, traffic for that TI zone is halted until the dedicated path is fixed.
• Ensure that there are multiple paths between switches. Disabling failover locks the specified route so that only TI zone traffic can use it. Non-TI zone traffic is excluded from using the dedicated path.
• You should enable failover-enabled TI zones before enabling failover-disabled TI zones, to avoid dropped frames.
When you issue the cfgEnable command to enable the zone configuration, if you have failover-disabled zones, do the following:
1.
If the dedicated ISL is not the lowest cost path ISL, then the following rules apply:
• If failover is enabled, the traffic path for the TI zone is broken, and TI zone traffic uses the lowest cost path instead.
• If failover is disabled, the TI zone traffic is blocked.
If the dedicated ISL is the only lowest cost path ISL, then the following rules apply:
• If failover is enabled, non-TI zone traffic as well as TI zone traffic uses the dedicated ISL.
FIGURE 39 Dedicated path is not the shortest path (figure: Domains 1 through 4 with numbered ports; legend: dedicated path, ports in the TI zone)
NOTE
For information about setting or displaying the FSPF cost of a path, see the linkCost and topologyShow commands in the Fabric OS Command Reference.
Enhanced TI zones
Prior to Fabric OS v6.4.0, a port could be in only one TI zone at a time. Starting in Fabric OS v6.4.
Illegal configurations with enhanced TI zones
When you create TI zones, ensure that all traffic from a port to all destinations on a remote domain has the same path. Do not create separate paths from a local port to two or more ports on the same remote domain. If the TI zones are configured with failover disabled, some traffic will be dropped.
In this example, traffic from the Target to Domain 2 is routed correctly. Only one TI zone describes a path to Domain 2. However, both TI zones describe different, valid paths from the Target to Domain 1. Only one path will be able to get to (1,1). Traffic from port (3,8) cannot be routed to Domain 1 over both (3,6) and (3,7), so one port will be chosen. If (3,7) is chosen, frames destined for (1,1) will be dropped at Domain 1.
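A checker for the illegal configuration just described, added here as an example that is not part of the guide or of Fabric OS: it flags a local port whose TI zones dedicate two different local E_Ports toward the same remote domain, and prints its findings in the layout of the zone --showTIerrors report shown later in this chapter. The zone contents and the set of local E_Ports are constructed inputs.

```python
"""Detect the illegal Enhanced TI zone configuration described above.

Added example, not part of the Fabric OS guide or of Fabric OS. It applies the
rule that all traffic from a local port to a given remote domain must take one
path: if two TI zones that contain the same local port name different local
E_Ports leading to the same remote domain, the switch can choose only one, and
frames sent via the other zone are dropped. Zones and the set of local E_Ports
are constructed inputs; on a switch they come from the zone database and
switchShow. The report layout mimics zone --showTIerrors.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Port = Tuple[int, int]   # (domain, port index): D,I notation


def di(text: str) -> Port:
    """Parse D,I notation such as "3,8" into (3, 8)."""
    domain, index = text.split(",")
    return int(domain), int(index)


@dataclass
class TIError:
    my_domain: int
    remote_domain: int
    local_port: int
    zones: List[str]
    remote_ports: List[int]

    def report(self) -> str:
        """Render in the layout of the zone --showTIerrors report."""
        return "\n".join([
            f"My Domain: {self.my_domain}",
            "Error type: ERROR",
            f"Affected Remote Domain: {self.remote_domain}",
            f"Affected Local Port: {self.local_port}",
            f"Affected TI Zones: {', '.join(self.zones)}",
            f"Affected Remote Ports: {', '.join(str(p) for p in self.remote_ports)}",
        ])


def find_ti_errors(my_domain: int, zones: Dict[str, List[str]],
                   local_e_ports: Set[Port]) -> List[TIError]:
    """Return one TIError per (local port, remote domain) with conflicting paths.

    zones: TI zone name -> member list in D,I notation.
    local_e_ports: E_Ports of this domain (the exits a zone can dedicate).
    """
    # (local port index, remote domain) -> {exit E_Port index -> zones using it}
    exits_by_key: Dict[Tuple[int, int], Dict[int, Set[str]]] = {}
    remote_by_key: Dict[Tuple[int, int], Set[int]] = {}
    for name, members in zones.items():
        ports = [di(m) for m in members]
        exits = [p[1] for p in ports if p in local_e_ports]
        local = [p[1] for p in ports if p[0] == my_domain and p not in local_e_ports]
        remote = [p for p in ports if p[0] != my_domain]
        for lp in local:
            for rp in remote:
                key = (lp, rp[0])
                remote_by_key.setdefault(key, set()).add(rp[1])
                for e in exits:
                    exits_by_key.setdefault(key, {}).setdefault(e, set()).add(name)
    errors: List[TIError] = []
    for (lp, rd), by_exit in sorted(exits_by_key.items()):
        if len(by_exit) > 1:   # more than one dedicated exit toward the same domain
            names = sorted(set().union(*by_exit.values()))
            errors.append(TIError(my_domain, rd, lp, names, sorted(remote_by_key[(lp, rd)])))
    return errors


# Constructed scenario matching the description: port 3,8 reaches Domain 1
# through E_Port 3,6 in etiz1 and through E_Port 3,7 in etiz2, while only
# etiz2 describes a path to Domain 2.
ZONES = {
    "etiz1": ["3,8", "3,6", "1,1", "1,2"],
    "etiz2": ["3,8", "3,7", "1,3", "1,4", "2,5"],
}
LOCAL_E_PORTS = {di("3,6"), di("3,7")}

if __name__ == "__main__":
    for err in find_ti_errors(3, ZONES, LOCAL_E_PORTS):
        print(err.report())
```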
FIGURE 43 Traffic Isolation Zoning over FCR (figure: edge fabric 1, backbone fabric, edge fabric 2; legend: dedicated path set up by the TI zone in edge fabric 1, in edge fabric 2, and in the backbone fabric)
In addition to setting up TI zones, you must also ensure that the devices are in an LSAN zone so that they can communicate with each other.
In the TI zone, when you designate E_Ports between the front and xlate phantom switches, you must use -1 in place of the “I” in the D,I notation. Both the front and xlate domains must be included in the TI zone.
Using D,I and port WWN notation, the members of the TI zone in Figure 45 are:
1,1 (EX_Port for FC router 1)
1,4 (VE_Port for FC router 1)
2,7 (VE_Port for FC router 2)
2,1 (EX_Port for FC router 2)
10:00:00:00:00:01:00:00 (Port WWN for the host)
10:00:00:00:00:02:00:00 (Port WWN for target 1)
10:00:00:00:00:03:00:00 (Port WWN for target 2)
Limitations of TI zones over FC routers
Be aware of the following when configuring TI zones over FC routers:
• A TI zone defined within
• Each TI zone is interpreted by each switch, and each switch considers only the routing required for its local ports. No consideration is given to the overall topology or to whether the TI zones accurately provide dedicated paths through the whole fabric. For example, in Figure 46, the TI zone was configured incorrectly and E_Port “3,9” was erroneously omitted from the zone.
Additional configuration rules for enhanced TI zones
Enhanced TI zones (ETIZ) have the following additional configuration rules:
• Enhanced TI zones are currently supported only on the following platforms: Brocade 300, 5100, 5300, 5410, 5424, 5450, 5460, 5470, 5480, 6510, 7800, 8000, VA-40FC, DCX, DCX-4S, DCX 8510 family, and Brocade Encryption Switch.
• TI zone members that overlap must have the same TI failover policy across all TI zones to which they belong. That is, if an overlapping member is part of a failover-disabled zone, then it can belong only to other TI zones where the policy is also failover-disabled; the member cannot overlap with failover-enabled TI zones.
• TI zones that have members with port index greater than 511 are not supported with Fabric OS versions earlier than v6.4.
FIGURE 47 Dedicated path with Virtual Fabrics (figure: two chassis, each with a base switch and logical switches in FID1 and FID3, connected by XISLs; Host in Domain 8, Target in Domain 9; legend: dedicated path, ports in the TI zones)
Figure 48 shows a logical representation of FID1 in Figure 47.
Using D,I notation, the port numbers for the TI zones in the logical fabric and base fabric are as follows:
Port members for the TI zone in the logical fabric:
 8,8 F_Port
 8,1 E_Port
 3,3 E_Port
 3,10 E_Port
 5,16 E_Port
 5,8 E_Port
 9,5 E_Port
 9,9 F_Port
Port members for the TI zone in the base fabric:
 1,3 E_Port for ISL in logical switch
 1,10 E_Port for XISL
 7,12 E_Port for XISL
 7,14 E_Port for XISL
 2,16 E_Port for XISL
 2,8 E_Port for ISL in logical
FIGURE 51 Logical representation of TI zones over FC routers in logical fabrics (figure: switches SW1, SW2, SW3, and SW6 across edge fabric Fabric 1, the backbone fabric, and edge fabric Fabric 3)
Creating a TI zone
You create and modify TI zones using the zone command. Other zoning commands, such as zoneCreate, aliCreate, and cfgCreate, cannot be used to manage TI zones. When you create a TI zone, you can set the state of the zone to activated or deactivated.
Be aware of the ramifications if you create a TI zone with failover mode disabled. See “TI zone failover” on page 272 for information about disabling failover mode.
3. Perform the following steps if you have any TI zones with failover disabled. If all of your TI zones are failover-enabled, skip to step 4.
a. Change the failover option to failover enabled. This is a temporary change to avoid frame loss during the transition.
zone --add -o f name
b. Enable the zones.
To create TI zones in a logical fabric, such as the one shown in Figure 48 on page 285:
Log in to the logical switch FID1, Domain 7, and create a TI zone in the logical fabric with FID=1:
LS1> zone --create -t ti -o f "ti_zone1" -p "8,8; 8,1; 3,3; 3,10; 5,16; 5,8; 9,5; 9,9"
Then create a TI zone in the base fabric, as described in “Creating a TI zone in a base fabric”.
Example
The following example creates TI zones in the base fabric shown in Figure 49 on page 285:
BS_D1> zonecreate "z1", "1,1"
BS_D1> cfgcreate "base_cfg", z1
BS_D1> zone --create -t ti -o f "ti_zone2" -p "1,3; 1,10; 7,12; 7,14; 2,16; 2,8"
BS_D1> cfgenable "base_config"
Modifying TI zones
Using the zone --add command, you can add ports to an existing TI zone, change the failover option, or both. You can also activate or deactivate the TI zone.
c. Reset the failover option to failover disabled. Then continue with step 4.
zone --add -o n name
4. Enter the cfgEnable command to reactivate your current effective configuration and enforce the TI zones.
Example of setting the state of a TI zone
To change the state of the existing TI zone bluezone to activated, type:
switch:admin> zone --activate bluezone
To change the state of the existing TI zone greenzone to deactivated, type:
switch:admin> zone --deactivate greenzone
Remember that your changes are not enforced until you enter the cfgEnable command.
Deleting a TI zone
Use the zone --delete command to delete a TI zone from the defined configuration.
Troubleshooting TI zone routing problems
1. Connect to the switch and log in as admin.
2. Enter the zone --show command.
Following is an example report that would be generated for the illegal configuration shown in Figure 41 on page 277.
switch:admin> zone --showTIerrors
My Domain: 3
Error type: ERROR
Affected Remote Domain: 1
Affected Local Port: 8
Affected TI Zones: etiz1, etiz2
Affected Remote Ports: 1, 2, 3, 4
Setting up TI over FCR (sample procedure)
The following example shows how to set up TI zones over FCR to provide the dedicated path shown in Figure 52.
1. In each edge fabric, set up an LSAN zone that includes Host 1, Target 1, and Target 2, so these devices can communicate with each other. See Chapter 23, “Using the FC-FC Routing Service,” for information about creating LSAN zones.
2. Log in to edge fabric 1 and set up the TI zone.
a. Enter the fabricShow command to display the switches in the fabric. From the output, you can determine the front and translate domains.
3. Log in to edge fabric 2 and set up the TI zone.
a. Enter the fabricShow command to display the switches in the fabric. From the output, you can determine the front and translate domains.
E2switch:admin> fabricshow
Switch ID   Worldwide Name            Enet IP Addr   FC IP Addr   Name
-------------------------------------------------------------------------
  1: fffc01 50:00:51:e3:95:36:7e:09   0.0.0.0        0.0.0.0      "fcr_fd_1"
  4: fffc04 50:00:51:e3:95:48:9f:a1   0.0.0.0        0.0.0.
b. Enter the following commands to reactivate your current effective configuration and enforce the TI zones.
BB_DCX_1:admin> cfgactvshow
Effective configuration:
 cfg: cfg_TI
 zone: lsan_t_i_TI_Zone1
  10:00:00:00:00:00:02:00:00
  10:00:00:00:00:00:03:00:00
  10:00:00:00:00:00:08:00:00
BB_DCX_1:admin> cfgenable cfg_TI
You are about to enable a new zoning configuration.
This action will replace the old zoning configuration with the current configuration selected.
Chapter 13 Bottleneck Detection
In this chapter
• Bottleneck detection overview
• Supported configurations for bottleneck detection
• Advanced bottleneck detection settings
• Enabling bottleneck detection on a switch
• Excluding a port from bottleneck detection
Bottleneck detection overview
You configure bottleneck detection on a per-switch basis, with optional per-port exclusions.
NOTE
Bottleneck detection is disabled by default. Best practice is to enable bottleneck detection on all switches in the fabric, and leave it on to continuously gather statistics. Bottleneck detection does not require a license.
• How many affected seconds are needed to generate the alert.
• How long to stay quiet after an alert.
Changing alerting parameters affects RASlog alerting as well as SNMP traps.
Using alerting parameters to determine whether alerts are generated
You have the option of receiving per-port alerts based on the latency and congestion history of the port. Alerts are generated based on the number of affected seconds over a specified period of time.
Supported configurations for bottleneck detection
Note the following configuration rules for bottleneck detection:
• Bottleneck detection is supported only on Fibre Channel ports and FCoE F_Ports.
• Bottleneck detection is supported only on the following port types:
- E_Ports
- EX_Ports
- F_Ports
- FL_Ports
• F_Port and E_Port trunks are supported.
• Long distance E_Ports are supported.
• FCoE F_Ports are supported.
Trunking considerations for bottleneck detection
A trunk behaves like a single port. Both latency and congestion bottlenecks are reported on the master port only, but apply to the entire trunk. For masterless trunking, if the master port goes offline, the new master acquires all the configurations and bottleneck history of the old master and continues with bottleneck detection on the trunk.
• You have a latency bottleneck on an ISL that is not at the edge of the fabric.
The sub-second latency criterion parameters are always applicable. These parameters affect alerts and, even if alerting is not enabled, they affect the history of bottleneck statistics.
The sub-second latency criterion parameters are the following, with default values in parentheses:
• -lsubsectimethresh (0.
By default, alerts are not sent unless you specify the alert parameter; however, you can view a history of bottleneck conditions for the port as described in “Displaying bottleneck statistics” on page 309.
3. Repeat step 1 and step 2 on every switch in the fabric.
NOTE
Best practice is to use the default values for the alerting and sub-second latency criterion parameters.
• Switch-wide parameters
• Per-port overrides, if any
• Excluded ports
Example
switch:admin> bottleneckmon --status
Bottleneck detection - Enabled
==============================
Switch-wide sub-second latency bottleneck criterion:
====================================================
Time threshold - 0.800
Severity threshold - 50.
The alerting parameters indicate whether alerts are sent, and the threshold, time, and quiet time options. For a trunk, you can change the parameters only on the master port.
1. Connect to the switch and log in as admin.
2. Enter the bottleneckmon --config command to set the alerting and sub-second latency criterion parameters.
Example
The following example changes alerting parameters for the entire logical switch.
switch:admin> bottleneckmon --config -alert -lthresh .97 -cthresh .8 -time 5000
switch:admin> bottleneckmon --status
Bottleneck detection - Enabled
==============================
Switch-wide sub-second latency bottleneck criterion:
====================================================
Time threshold - 0.800
Severity threshold - 0.
Per-port overrides for sub-second latency bottleneck criterion:
===============================================================
Port   TimeThresh   SevThresh
=================================
6      0.600        40.
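The alerting logic described under "Using alerting parameters to determine whether alerts are generated" and configured with bottleneckmon --config above, replayed over constructed per-second counters as an added example that is not part of the guide or of Fabric OS, whose internal algorithm is not published. The congestion test (95% utilisation), the parameter defaults, and the counters are assumptions for the illustration.

```python
"""Replay per-second port counters through bottleneck-style alerting logic.

Added example, not part of the Fabric OS guide or of Fabric OS, whose internal
algorithm is not published. It models the parameters the guide describes: a
second is latency-affected when the fraction of it spent with no transmit
credit reaches the sub-second time threshold and the throughput drop reaches
the severity threshold; an alert fires when the affected seconds inside the
-time window reach the -lthresh (latency) or -cthresh (congestion) fraction;
after an alert the port stays quiet for -qtime seconds. The congestion test,
the defaults and the counters below are assumptions made for the illustration.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Tuple


@dataclass(frozen=True)
class AlertParams:
    time_window: int = 300      # -time: seconds of history examined (assumed default)
    lthresh: float = 0.1        # -lthresh: fraction of window seconds latency-affected
    cthresh: float = 0.8        # -cthresh: fraction of window seconds congestion-affected
    qtime: int = 300            # -qtime: quiet seconds after an alert
    subsec_time: float = 0.8    # -lsubsectimethresh: fraction of a second stalled
    subsec_sev: float = 50.0    # -lsubsecsevthresh: throughput drop, percent


@dataclass(frozen=True)
class PortSecond:
    """One second of constructed per-port counters."""
    t: int                   # timestamp, seconds
    stalled_frac: float      # fraction of the second with zero transmit credit
    throughput_drop: float   # percent below expected throughput while stalled
    utilisation: float       # fraction of link bandwidth in use


def is_latency_affected(s: PortSecond, p: AlertParams) -> bool:
    """Sub-second latency criterion: stalled long enough and severely enough."""
    return s.stalled_frac >= p.subsec_time and s.throughput_drop >= p.subsec_sev


def is_congestion_affected(s: PortSecond, saturated: float = 0.95) -> bool:
    """Congestion: the link itself is saturated (95% utilisation is an assumption)."""
    return s.utilisation >= saturated


def evaluate(samples: List[PortSecond], p: AlertParams) -> List[Tuple[int, str]]:
    """Return (timestamp, kind) for each alert, kind in {"latency", "congestion"}."""
    window: Deque[PortSecond] = deque()
    alerts: List[Tuple[int, str]] = []
    quiet_until = {"latency": -1, "congestion": -1}
    for s in samples:
        window.append(s)
        while window[0].t <= s.t - p.time_window:   # keep only the last -time seconds
            window.popleft()
        affected = {
            "latency": sum(is_latency_affected(x, p) for x in window),
            "congestion": sum(is_congestion_affected(x) for x in window),
        }
        for kind, thresh in (("latency", p.lthresh), ("congestion", p.cthresh)):
            if s.t < quiet_until[kind]:
                continue                          # still inside the quiet time
            if affected[kind] / p.time_window >= thresh:
                alerts.append((s.t, kind))
                quiet_until[kind] = s.t + p.qtime
    return alerts


def constructed_samples() -> List[PortSecond]:
    """Twenty seconds: a credit stall at t=2..4, then a saturated link from t=10."""
    out: List[PortSecond] = []
    for t in range(20):
        stalled = 2 <= t <= 4
        out.append(PortSecond(t, 0.9 if stalled else 0.0, 60.0 if stalled else 0.0,
                              0.98 if t >= 10 else 0.4))
    return out


if __name__ == "__main__":
    params = AlertParams(time_window=10, lthresh=0.3, cthresh=0.8, qtime=5)
    for t, kind in evaluate(constructed_samples(), params):
        print(f"t={t:>3}s  {kind} bottleneck alert")
```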
Disabling bottleneck detection on a switch
When you disable bottleneck detection on a switch, all bottleneck configuration details are discarded, including the list of excluded ports and non-default values of alerting parameters.
1. Connect to the switch and log in as admin.
2. Enter the bottleneckmon --disable command to disable bottleneck detection on the switch.
Chapter 14 In-flight Encryption and Compression
In this chapter
• In-flight encryption and compression overview 311
• Configuring encryption and compression 314
• Encryption and compression example
In-flight encryption and compression overview
The encryption and compression features are designed to work only with E_Ports. Encryption and compression are also compatible with the following features:
• E_Ports with trunking, QoS, or long distance features enabled.
• Flow control modes R_RDY, VC_RDY, and EXT_VC_RDY.
• XISL ports in VF mode.
• FCP data frames and non-FCP data frames except ELS and BLS frames. FCP data frames are of Type=0x8. For encryption, R_CTL=0x1 and R_CTL=0x4 are supported.
Authentication and key generation
The DH-CHAP (Diffie-Hellman Challenge Handshake Authentication Protocol) protocol must be configured with DH group 4 for port-level authentication as a prerequisite for in-flight encryption. Pre-shared secret keys must be configured on the devices at either end of the ISL to perform authentication. Authentication secrets longer than 32 characters are recommended for stronger encryption keys.
Configuring encryption and compression
On a given ISL between two 16 Gbps E_Ports, you can configure each port for encryption, compression, or both. Your encryption and compression settings must match at either end of the ISL. Port segmentation will occur during port initialization if these configurations do not match.
The following topics provide step-by-step instructions for performing encryption and compression tasks:
• “Viewing the encryption and compression configuration” on page 315
• “Configuring and enabling authentication” on page 316
• “Configuring encryption” on page 317
• “Configuring compression” on page 317
Viewing the encryption and compression configuration
To determine which ports are available for encryption or compression on each chip on the switch, follow
(Remainder of the port listing for ports 212 through 351, showing per port whether encryption and compression are available; most ports report No.)
Configuring and enabling authentication
To configure authentication for ports that will later be configured for encryption, follow these steps:
1.
For additional information about establishing DH-CHAP secrets, see “Secret key pairs for DH-CHAP” on page 151. For additional information about configuring DH-CHAP authentication for E_Ports, see “Authentication policy for fabric elements” on page 145.
Configuring encryption
NOTE
Before performing this procedure, you must authenticate the port as described in “Configuring and enabling authentication” on page 316.
This example enables compression on port 15 of an FC16-32 blade in slot 9 of an enterprise class platform:
portcfgcompress --enable 9/15
4. Enable the port with the portEnable command. After enabling the port, the new configuration becomes active.
Disabling encryption
To disable encryption on a port, follow these steps:
1.
Encryption and compression example
The following example shows configuring and enabling encryption and compression. In this case, encryption and compression are applied to the E_Ports at either end of an ISL connecting a port on a blade in an enterprise class platform named myDCX to a port on a Brocade 6510 switch named myswitch. Table 59 identifies each end of the ISL connection by device name, device WWN, and port number.
myswitch:root> authutil --show
AUTH TYPE   HASH TYPE   GROUP TYPE
--------------------------------------
dhchap      md5         4
Switch Authentication Policy: ON
Device Authentication Policy: OFF
myswitch:root>
Next, you set a secret key. For this you need to get the WWN of the peer switch.
myswitch:root> portdisable 0
myswitch:root> portcfgencrypt --enable 0
Turning ON Encryption on port(246) will cause the port to be disabled during next LOGIN
myswitch:root> portenable 0
myswitch:root> portcfgshow 0
Area Number: 0
Octet Speed Combo: 3(16G,10G)
Speed Level: AUTO(SW)
AL_PA Offset 13: OFF
Trunk Port ON
Long Distance OFF
VC Link Init OFF
Locked L_Port OFF
Locked G_Port OFF
Disabled E_Port OFF
Locked E_Port OFF
ISL R_RDY Mode OFF
RSCN Suppressed OFF
Persist
Locked E_Port OFF
ISL R_RDY Mode OFF
RSCN Suppressed OFF
Persistent Disable OFF
LOS TOV enable OFF
NPIV capability ON
QOS E_Port AE
Port Auto Disable: OFF
Rate Limit OFF
EX Port OFF
Mirror Port OFF
Credit Recovery ON
F_Port Buffers OFF
Fault Delay: 0(R_A_TOV)
NPIV PP Limit: 126
CSCTL mode: OFF
Frame Shooter Port OFF
D-Port mode: OFF
Compression: ON
Encryption: ON
FEC: OFF
myswitch:root>
Example of disabling encryption and compression
This example disables the encr
QOS E_Port AE
Port Auto Disable: OFF
Rate Limit OFF
EX Port OFF
Mirror Port OFF
Credit Recovery ON
F_Port Buffers OFF
Fault Delay: 0(R_A_TOV)
NPIV PP Limit: 126
CSCTL mode: OFF
Frame Shooter Port OFF
D-Port mode: OFF
Compression: OFF
Encryption: OFF
FEC: OFF
myswitch:root>
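A consistency check for the two rules stated under "Configuring encryption and compression" and "Authentication and key generation", added here as an example that is not part of the guide or of Fabric OS: it parses portCfgShow-style and authUtil --show-style output for each end of the ISL and reports an encryption or compression mismatch (which segments the port at initialization) or an encrypted port without DH-CHAP and DH group 4. The sample outputs are constructed in the layout the example above shows; the switch names myswitch and myDCX are reused only as labels.

```python
"""Check that both ends of an ISL agree on encryption and compression.

Added example, not part of the Fabric OS guide or of Fabric OS. The guide
states that encryption and compression settings must match at either end of
the ISL, or the port segments during initialization, and that DH-CHAP with DH
group 4 must be configured before encryption. This script parses
portCfgShow-style and authUtil --show-style output for each end and reports
violations. The sample outputs are constructed in the layout the guide shows;
they are not captured from a switch.
"""
import re
from typing import Dict, List, Tuple

# (switch name, portCfgShow output, authUtil --show output) for one end of the ISL
IslEnd = Tuple[str, str, str]

# "Label: VALUE" or "Label VALUE": the label is everything before the last token.
_LINE = re.compile(r"^\s*(.+?):?\s+(\S+)\s*$")


def parse_portcfgshow(text: str) -> Dict[str, str]:
    """Map each 'Label: VALUE' or 'Label VALUE' line to its value."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            cfg[m.group(1).strip()] = m.group(2)
    return cfg


def parse_authutil(text: str) -> Dict[str, str]:
    """Pull auth type, hash, DH group and switch policy from authUtil --show."""
    info: Dict[str, str] = {}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for i, ln in enumerate(lines):
        if ln.startswith("---") and i + 1 < len(lines):
            fields = lines[i + 1].split()           # e.g. "dhchap md5 4"
            if len(fields) == 3:
                info["auth"], info["hash"], info["group"] = fields
        elif ln.startswith("Switch Authentication Policy:"):
            info["switch_policy"] = ln.split(":", 1)[1].strip()
    return info


def check_isl(end_a: IslEnd, end_b: IslEnd) -> List[str]:
    """Return findings for the ISL; an empty list means it is consistent."""
    findings: List[str] = []
    parsed = []
    for name, portcfg, auth in (end_a, end_b):
        cfg = parse_portcfgshow(portcfg)
        info = parse_authutil(auth)
        parsed.append((name, cfg))
        if cfg.get("Encryption") == "ON":
            if info.get("auth") != "dhchap" or info.get("group") != "4":
                findings.append(f"{name}: Encryption ON but DH-CHAP with DH group 4 is not configured")
            if info.get("switch_policy") != "ON":
                findings.append(f"{name}: Encryption ON but switch authentication policy is not ON")
    (name_a, cfg_a), (name_b, cfg_b) = parsed
    for key in ("Encryption", "Compression"):
        if cfg_a.get(key) != cfg_b.get(key):
            findings.append(f"{key} mismatch ({name_a}={cfg_a.get(key)}, {name_b}={cfg_b.get(key)}): "
                            "port will segment during initialization")
    return findings


# Constructed sample outputs (layout follows the guide's examples; values are made up).
PORTCFG_ON = """Area Number: 0
Trunk Port ON
Credit Recovery ON
Fault Delay: 0(R_A_TOV)
Compression: ON
Encryption: ON
FEC: OFF"""

PORTCFG_NO_ENC = PORTCFG_ON.replace("Encryption: ON", "Encryption: OFF")

AUTH_OK = """AUTH TYPE   HASH TYPE   GROUP TYPE
--------------------------------------
dhchap      md5         4
Switch Authentication Policy: ON
Device Authentication Policy: OFF"""

AUTH_WEAK_GROUP = """AUTH TYPE   HASH TYPE   GROUP TYPE
--------------------------------------
dhchap      md5         1
Switch Authentication Policy: ON
Device Authentication Policy: OFF"""


def demo() -> Tuple[List[str], List[str]]:
    """One mismatched ISL and one consistent ISL, both constructed."""
    mismatch = check_isl(("myswitch", PORTCFG_ON, AUTH_OK), ("myDCX", PORTCFG_NO_ENC, AUTH_OK))
    consistent = check_isl(("myswitch", PORTCFG_ON, AUTH_OK), ("myDCX", PORTCFG_ON, AUTH_OK))
    return mismatch, consistent


if __name__ == "__main__":
    for finding in demo()[0]:
        print(finding)
```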
Chapter 15 Administering NPIV
In this chapter
• NPIV overview
• Configuring NPIV
• Enabling and disabling NPIV
• Viewing NPIV port configuration information
NPIV overview
Index Port Address Media Speed State   Proto
==============================================
  0    0   010000  id    N4    Online  FC F-Port
  1    1   010100  id    N4    Online  FC F-Port
  2    2   010200  id    N4    Online  FC F-Port
  3    3   010300  id    N4    Online  FC F-Port
20:0c:00:05:1e:05:de:e4 0xa06601
1 N Port + 4 NPIV public
1 N Port + 119 NPIV public
1 N Port + 221 NPIV public
On the Brocade DCX and DCX-4S with the FC8-64 blade, the base port is not included in the NPIV device count.
TABLE 60 Number of supported NPIV devices (Continued)
Platform   Virtual Fabrics   Logical switch type   NPIV support
DCX-4S     Enabled           Logical switch        Yes, 255 virtual device limit (3)
DCX-4S     Enabled           Base switch           No.
1. Maximum limit support takes precedence if the user-configured maximum limit is greater. This applies to shared areas on the FC4-48, FC8-48, and FC8-64 port blades.
2.
Long Distance OFF
VC Link Init OFF
Locked L_Port OFF
Locked G_Port OFF
Disabled E_Port OFF
Locked E_Port OFF
ISL R_RDY Mode OFF
RSCN Suppressed OFF
Persistent Disable OFF
LOS TOV enable OFF
NPIV capability ON
QOS E_Port AE
Port Auto Disable: OFF
Rate Limit OFF
EX Port OFF
Mirror Port OFF
Credit Recovery ON
F_Port Buffers OFF
Fault Delay: 0(R_A_TOV)
NPIV PP Limit: 128
CSCTL mode: OFF
Frame Shooter Port OFF
D-Port mode: OFF
Compression: OFF
Encryption: OFF
FEC: ON
Enabling a
Viewing NPIV port configuration information
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the portCfgShow command to view the switch ports information.
portName: 02
portHealth: HEALTHY
Authentication: None
portDisableReason: None
portCFlags: 0x1
portFlags: 0x24b03 PRESENT ACTIVE F_PORT G_PORT NPIV LOGICAL_ONLINE LOGIN NOELP LED ACCEPT
portType: 10.0
portState: 1 Online
portPhys: 6 In_Sync
portScn: 32 F_Port
port generation number: 148
portId: 630200
portIfId: 43020005
portWwn: 20:02:00:05:1e:35:37:40
portWwn of device(s) connected:
 c0:50:76:ff:fb:00:16:fc
 c0:50:76:ff:fb:00:16:f8
 ...
Chapter 16 Dynamic Fabric Provisioning: Fabric Assigned WWN
In this chapter
• Introduction to Dynamic Fabric Provisioning using FA-PWWN
• User- and auto-assigned FA-PWWN behavior
• Configuring FA-PWWNs
• Supported switches and configurations for FA-PWWN
• Configuration upload and download considerations for FA-PWWN
• Use FA-PWWN to represent a server in boot LUN zone configurations so that any physical server that is mapped to this FA-PWWN can boot from that LUN, thus simplifying boot-over-SAN configuration. For the server to use this feature, it must be using a Brocade HBA/Adapter with HBA driver version 3.0.0.0 or later. Some configuration of the HBA must be performed to use FA-PWWN.
Configuring FA-PWWNs
This section includes an FA-PWWN config­uration procedure for each of the following two topologies:
• An FA-PWWN for an HBA device that is connected to an Access Gateway switch.
• An FA-PWWN for an HBA device that is connected directly to an edge switch.
These topologies are shown in Figure 55.
(Figure 55 labels: Access Gateway Switch running FOS 7.0.0; Edge Switch running FOS 7.0.)
10:00:00:05:1e:d7:3d:dc/9    20   20:09:00:05:1e:d7:2b:73 \
10:00:00:05:1e:d7:3d:dc/16        ---:--:--:--:--:--:--:-- \
------------------------------------------------------------
Virtual Port WWN            PID     Enable   MapType
------------------------------------------------------------
52:00:10:00:00:0f:50:30     -       Yes      AG/Auto
11:22:33:44:55:66:77:88     11403   Yes      AG/User
52:00:10:00:00:0f:50:32 2:00:10:00:00:0f:50:33 11404 Yes AG/Auto
52:00:10:00:00:0f:50:38     -       Yes      AG/Auto
4. Enable the FA-PWWN on the HBA. The following steps are to be executed on the server and not the switch.
a. Log in to the server as root.
b. Enter the following command:
bcu port -faa port_id --enable
c. Enter the following command:
bcu port -faa port_id --query
Once the Brocade HBA has been assigned the FA-PWWN, the HBA retains the FA-PWWN until it is rebooted. This means you cannot unplug the cable and plug it into a different port on the switch.
Configuration upload and download considerations for FA-PWWN
The configuration upload and download utilities can be used to import and export the FA-PWWN configuration.
ATTENTION
Brocade recommends you delete all FA-PWWNs from the switch whose configuration is being replaced before you upload or download a modified configuration. This is to ensure there are no duplicate FA-PWWNs in the fabric.
Restrictions of FA-PWWN
Note the following restrictions when using the FA-PWWN feature:
• FA-PWWN is supported only on Brocade HBAs.
• FA-PWWN is not supported for the following:
- FCoE devices
- FL_Ports
- Swapped ports (using the portswap feature)
- Cascaded Access Gateway topologies
- FICON/FMS mode
NOTE
FA-PWWN is supported with F_Port trunking on the supported Access Gateway platforms.
Chapter 17 Managing Administrative Domains
In this chapter
• Administrative Domains overview (page 339)
• Admin Domain management for physical fabric administrators (page 348)
• SAN management with Admin Domains
Administrative Domains overview
NOTE
Do not confuse an Admin Domain number with the domain ID of a switch. They are two different identifiers. The Admin Domain number identifies the Admin Domain and has a range from 0 through 255. The domain ID identifies a switch in the fabric and has a range from 1 through 239.
Figure 56 shows a fabric with two Admin Domains: AD1 and AD2.
Admin Domain features
Admin Domains allow you to do the following:
• Define the scope of an Admin Domain to encompass ports and devices within a switch or a fabric.
• Share resources across multiple Admin Domains. For example, you can share array ports and tape drives between multiple departments. In Figure 56 on page 340, one of the storage devices is shared between AD1 and AD2.
• Have a separate zone database for each Admin Domain.
Table 61 lists each Admin Domain user type and describes its administrative access and capabilities.
TABLE 61 AD user types
User type | Description
Physical fabric administrator | User account with admin permissions and with access to all Admin Domains (AD0 through AD255). Creates and manages all Admin Domains. Assigns other administrators or users to each Admin Domain. The default admin account is the first physical fabric administrator.
For example, if DeviceA is not a member of any user-defined Admin Domain, then it is an implicit member of AD0. If you explicitly add DeviceA to AD0, then DeviceA is both an implicit and an explicit member of AD0.
AD0 implicit members: DeviceA
AD0 explicit members: DeviceA
AD2 members: none
If you add DeviceA to AD2, then DeviceA is deleted from the AD0 implicit membership list, but is not deleted from the AD0 explicit membership list.
FIGURE 58 Fabric with AD0 and AD255
Home Admin Domains and login
You are always logged in to an Admin Domain, and you can view and modify only the devices in that Admin Domain. If you have access to more than one Admin Domain, one of them is designated as your home Admin Domain, the one you are automatically logged in to.
Admin Domain member types
You define an Admin Domain by identifying members of that domain. Admin Domain members can be devices, switch ports, or switches. Defining these member types is similar to defining a traditional zone member type. An Admin Domain does not require or have a new domain ID or management IP address linked to it.
Switch members
Switch members are defined by the switch WWN or domain ID, and have the following properties:
• A switch member grants administrative control to the switch.
• A switch member grants port control for all ports in that switch.
• A switch member allows switch administrative operations such as disabling and enabling a switch, rebooting, and firmware downloads.
• A switch member does not provide zoning rights for the switch ports or devices.
FIGURE 59 Fabric showing switch and device WWNs
Figure 60 shows the filtered view of the fabric as seen from AD3 and AD4. The switch WWNs are converted to the NAA=5 syntax; the device WWNs and domain IDs remain the same.
Admin Domain compatibility, availability, and merging
Admin Domains maintain continuity of service for Fabric OS features and operate in mixed-release Fabric OS environments. High availability is supported with some backward compatibility. When an E_Port comes online, the adjacent switches merge their AD databases.
1. Log in to the switch with the appropriate RBAC role.
2. Ensure you are in the AD0 context by entering the ad --show command to determine the current Admin Domain. If necessary, switch to the AD0 context by entering the ad --select 0 command.
3. Set the default zoning mode to No Access, as described in “Setting the default zoning mode” on page 255.
5. Enter the ad --create command using the -d option to specify device and switch port members and the -s option to specify switch members:
   ad --create ad_id -d "dev_list" -s "switch_list"
6. Enter the appropriate command based on whether you want to save or activate the Admin Domain definition:
   • To save the Admin Domain definition, enter ad --save.
Creating a new user account for managing Admin Domains
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the userConfig --add command using the -r option to set the role, the -a option to provide access to Admin Domains, and the -h option to specify the home Admin Domain.
Removing an Admin Domain from a user account
When you remove an Admin Domain from an account, all of the currently active sessions for that account are logged out.
1. Connect to the switch and log in using an account with admin permissions.
2.
Deactivating an Admin Domain
If you deactivate an Admin Domain, the members assigned to the Admin Domain can no longer access their hosts or storage unless those members are part of another Admin Domain. You cannot log in to an Admin Domain that has been deactivated. You must activate an Admin Domain before you can log in to it.
1. Connect to the switch and log in using an account with admin permissions.
2.
4. Enter the appropriate command based on whether you want to save or activate the Admin Domain definition:
   • To save the Admin Domain definition, enter ad --save.
   • To save the Admin Domain definition and directly apply the definition to the fabric, enter ad --apply.
3. Enter the ad --rename command with the present name and the new name.
   ad --rename present_name new_name
4. Enter the appropriate command based on whether you want to save or activate the Admin Domain definition:
   • To save the Admin Domain definition, enter ad --save.
   • To save the Admin Domain definition and directly apply the definition to the fabric, enter ad --apply.
The Admin Domain numbers remain unchanged after the operation.
Deleting all user-defined Admin Domains
When you clear the Admin Domain configuration, all user-defined Admin Domains are deleted, the explicit membership list of AD0 is cleared, and all fabric resources (switches, ports, and devices) are returned to the implicit membership list of AD0. You cannot clear the Admin Domain configuration if zone configurations exist in any of the user-defined Admin Domains.
3. Enter the zone --copy command to copy the zones from all user-defined Admin Domains to AD0.
   zone --copy source_AD.source_name dest_name
   In this syntax, source_AD is the name of the user-defined AD from which you are copying the zone, source_name is the name of the zone to be copied, and dest_name is the name to give to the zone after it is copied to AD0.
4. Copy the newly added zones in AD0 to the zone configuration.
FIGURE 61 AD0 and two user-defined Admin Domains, AD1 and AD2
At the conclusion of the procedure, all devices and zones are moved to AD0, and the user-defined Admin Domains are deleted, as shown in Figure 62.
           10:00:00:00:02:00:00:00; 10:00:00:00:03:00:00:00
    Effective configuration:
    cfg:   AD1_cfg
    zone:  AD1_BlueZone
           10:00:00:00:02:00:00:00
           10:00:00:00:03:00:00:00
   Zone CFG Info for AD_ID: 2 (AD Name: AD2, State: Active) :
    Defined configuration:
    cfg:   AD2_cfg   AD2_GreenZone
    zone:  AD2_GreenZone
           10:00:00:00:04:00:00:00; 10:00:00:00:05:00:00:00
    Effective configuration:
    cfg:   AD2_cfg
    zone:  AD2_GreenZone
           10:00:00:00:04:00:00:00
           10:00:00:00:05:00:00:00
   sw0:adm
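The AD0 implicit and explicit membership rules described under “Administrative Domains overview” (the DeviceA example) and the clearing rules under “Deleting all user-defined Admin Domains”, modeled as an added Python example. This is not Fabric OS code; the resource names are constructed and the clear operation is modeled only as far as the text describes it (refused while any user-defined Admin Domain still holds a zone configuration).

```python
"""Added example (not Fabric OS code): a model of Admin Domain membership.
AD0 implicitly contains every fabric resource that is not an explicit member
of a user-defined Admin Domain (AD1 through AD254); AD0 may also hold explicit
members; clearing the configuration deletes all user-defined ADs and empties
the AD0 explicit list, but is refused while a user-defined AD has zones.
Resource names are constructed for this example."""

USER_DEFINED_ADS = range(1, 255)   # AD1 through AD254; AD255 is the physical fabric


class AdminDomainTable:
    def __init__(self, fabric_resources):
        # All switches, switch ports and devices currently online in the fabric.
        self.resources = set(fabric_resources)
        # Explicit membership lists keyed by Admin Domain number. AD0 always exists.
        self.explicit = {0: set()}
        # Admin Domains that currently hold a zone configuration.
        self.zone_config = set()

    def create(self, ad_id):
        if ad_id not in USER_DEFINED_ADS:
            raise ValueError(f"AD{ad_id}: user-defined Admin Domains are AD1 through AD254")
        self.explicit.setdefault(ad_id, set())

    def add_member(self, ad_id, resource):
        # Mirrors the -d/-s member lists of ad --create: the resource becomes an
        # explicit member of that Admin Domain.
        if resource not in self.resources:
            raise ValueError(f"{resource} is not a fabric resource")
        if ad_id not in self.explicit:
            raise ValueError(f"AD{ad_id} does not exist")
        self.explicit[ad_id].add(resource)

    def implicit_members(self):
        # AD0 implicit list: everything not claimed by any user-defined AD.
        # Explicit AD0 membership does not remove a resource from this list.
        claimed = set()
        for ad_id, members in self.explicit.items():
            if ad_id != 0:
                claimed |= members
        return self.resources - claimed

    def members(self, ad_id):
        if ad_id == 0:
            return self.implicit_members() | self.explicit[0]
        return set(self.explicit[ad_id])

    def set_zone_config(self, ad_id, present=True):
        if present:
            self.zone_config.add(ad_id)
        else:
            self.zone_config.discard(ad_id)

    def can_clear(self):
        # Zones in a user-defined AD must be copied to AD0 before clearing.
        return not any(ad_id != 0 for ad_id in self.zone_config)

    def clear(self):
        if not self.can_clear():
            raise RuntimeError("zone configuration exists in a user-defined Admin Domain")
        self.explicit = {0: set()}   # all resources return to the AD0 implicit list


def walkthrough():
    """The DeviceA sequence from the text; returns the table and snapshots of
    (DeviceA in AD0 implicit list, DeviceA in AD0 explicit list)."""
    table = AdminDomainTable({"DeviceA", "DeviceB", "switch1"})
    table.create(2)
    snap = {"start": ("DeviceA" in table.implicit_members(), "DeviceA" in table.explicit[0])}
    table.add_member(0, "DeviceA")   # explicitly add DeviceA to AD0
    snap["after_ad0"] = ("DeviceA" in table.implicit_members(), "DeviceA" in table.explicit[0])
    table.add_member(2, "DeviceA")   # add DeviceA to AD2
    snap["after_ad2"] = ("DeviceA" in table.implicit_members(), "DeviceA" in table.explicit[0])
    return table, snap
```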
Validating an Admin Domain member list
You can validate the device and switch member list. You can list non-existing or offline Admin Domain members. You can also identify misconfigurations of the Admin Domain. The Admin Domain validation process is not applicable for AD0, because AD0 implicitly contains all unassigned online switches and their devices.
1. Connect to the switch and log in using an account with admin permissions.
2.
CLI commands in an AD context
The CLI command input arguments are validated against the AD member list; they do not work with input arguments that specify resources that are not members of the current Admin Domain. All commands present filtered output, showing only the members of the current Admin Domain. For example, switchShow displays details for the list of AD members present in that switch.
• AD0–AD254: The membership of the current Admin Domain is displayed.
• AD0: The device and switch list members are categorized into implicit and explicit member lists.
1. Connect to the switch and log in as any user type.
2. Enter the ad --show command.
   ad --show
   If you are in the AD0 context, you can use the -i option to display the implicit membership list of AD0; otherwise, only the explicit membership list is displayed.
Example of switching to a different Admin Domain context
The following example switches to the AD12 context and back. Note that the prompt changes to display the Admin Domain.
   switch:admin> ad --select 12
   switch:AD12:admin> logout
   switch:admin>
Admin Domain interactions with other Fabric OS features
The Admin Domain feature provides interaction with other Fabric OS features and across third-party applications.
TABLE 63 Admin Domain interaction with Fabric OS features (Continued)
Fabric OS feature | Admin Domain interaction
FICON | Admin Domains support FICON. However, you must perform additional steps because FICON management requires additional physical control of the ports. You must set up the switch as a physical member of the FICON AD.
The AD zone database also has the following characteristics:
- Each zone database has its own name space. For example, you can define a zone name of test_z1 in more than one Admin Domain.
- There is no zone database linked to the physical fabric (AD255) and no support for zone database updates. In the physical fabric context (AD255), you can only view the complete hierarchical zone database, which is all of the zone databases in AD0 through AD254.
Configuration upload and download in an AD context
The behavior of the configUpload and configDownload commands varies depending on the AD context and whether the switch is a member of the current Admin Domain. In the AD context, these commands include only the zone configuration of the current Admin Domain. If the switch is a member of the Admin Domain, all switch configuration parameters are saved and the zone database for that Admin Domain is also saved.
Section II Licensed Features
This section describes optionally licensed Brocade Fabric OS features and includes the following chapters:
• Chapter 18, “Administering Licensing”
• Chapter 19, “Monitoring Fabric Performance”
• Chapter 20, “Optimizing Fabric Behavior”
• Chapter 21, “Managing Trunking Connections”
• Chapter 22, “Managing Long Distance Fabrics”
• Chapter 23, “Using the FC-FC Routing Service”
Chapter 18 Administering Licensing
In this chapter
• Licensing overview
• The Brocade 7800 Upgrade license
• ICL licensing
• 8G licensing
Licensing overview
Table 65 lists the optionally licensed features that are available in Fabric OS 7.0.0:
TABLE 65 Available Brocade Licenses
License | Description
10 Gigabit FCIP/Fibre Channel License (10G license) | • Allows 10 Gbps operation of FC ports on the Brocade 6510 switch or the FC ports of FC16-32 or FC16-48 port blades installed on a Brocade DCX 8510 enterprise-class platform.
7800 Upgrade License |
Brocade Advanced Performance Monitoring | • Enables performance monitoring of networked storage resources. Includes the Top Talkers feature.
Brocade Extended Fabrics | Provides greater than 10km of switched fabric connectivity at full bandwidth over long distances (depending on the platform this can be up to 3000km). NOTE: This license is not required for long distance connectivity using licensed 10G ports.
High Performance Extension over FCIP/FC (formerly known as “FC-IP Services”) | Includes the IPsec capabilities. Applies to FR4-18i blade.
ICL 16-link License | Provides dedicated high-bandwidth links between two Brocade DCX chassis, without consuming valuable front-end 8 Gbps ports. Each chassis must have the ICL license installed in order to enable the full 16-link ICL connections. Available on the DCX only.
TABLE 66 License Requirements and Location Name by Feature (Continued)
Feature | License | Where license should be installed
Bottleneck Detection | No license required. | n/a
Configuration up/download | No license required. | n/a
Converged Enhanced Ethernet | Requires FCoE base license and POD1 license. |
Brocade Network Advisor | No license required for base use. See also the Brocade Network Advisor User Manual. |
Diagnostic tools | No license required. |
Ingress rate limiting | Adaptive Networking | Local switch.
Integrated routing | Integrated Routing | Local switch.
Inter-chassis link (ICL) | ICL 1st POD (Ports on Demand) on the Brocade DCX 8510-8 and DCX 8510-4 only; ICL 2nd POD on the Brocade DCX 8510-8 only; ICL 8-link on the Brocade DCX and DCX-4S. | Local and attached platforms.
Routing traffic | No license required. NOTE: Port-based or exchange-based routing, static routes, frame-order delivery, and dynamic routes are all included. | n/a
Security | No license required. NOTE: DCC, SCC, FCS, IP Filter, and authentication policies are all included. | n/a
SNMP | No license required. |
TABLE 67 Base to Upgrade License Comparison (Continued)
Feature | Base model | Upgrade License
Number of 10-GbE ports | 0 | 0
Number of FCIP Tunnels | 2 | 8
Tape Pipelining over FCIP Tunnel | No | Yes
ICL licensing
Brocade ICL links operate between the core blades of the DCX 8510 family of enterprise-class platforms, or between the core blades of the DCX and DCX-4S platforms.
ICL 16-link license
This license provides dedicated high-bandwidth links between two Brocade DCX chassis, without consuming valuable front-end ports. Each Brocade DCX chassis must have the ICL 16-link license installed in order to enable the full number of ICL connections possible (16 links in the case of a DCX chassis). This license is available for the Brocade DCX only.
8G licensing
ATTENTION
This license is installed by default and you should not remove it.
NOTE
The 10 GbE feature on the FX8-24 blade and the 10 Gbps FC feature on the 16 Gbps FC blades are both enabled by the same 10 Gigabit FCIP/Fibre Channel license (10G license). This license can also enable the 10 Gbps FC feature on a Brocade 6510 switch as a chassis-based license. All other licensed blade features continue to be exclusively chassis-based licenses.
10G licensing
The 10 Gbps FCIP/Fibre Channel license (10G license) enables the following features:
• 10 Gbps access on the 16 Gbps FC ports on the Brocade 6510 switch, and the FC16-32 and FC16-48 port blades. This feature is new in the Fabric OS v7.0.0 release.
• The two 10GbE ports on the FX8-24 extension blade. Before the Fabric OS v7.0.0 release, this feature was enabled by the 10 GbE license.
Enabling 10 Gbps operation on an FC port
To enable 10 Gbps operation on an FC port on a Brocade 6510 switch or an FC16-32 or FC16-48 blade, follow these steps:
1. Connect to the switch and log in using an account with admin permissions, or an account with OM permissions for the license and switchportconfiguration classes of RBAC commands.
2. Use the licenseAdd command to add the 10G license.
3.
   6510-switch:admin> portcfgoctetspeedcombo 2
   6510-switch:admin> portcfgspeed 2 10
   6510-switch:admin>
Enabling the 10 GbE ports on an FX8-24 blade
To enable the 10 GbE ports on an FX8-24 blade, follow these steps:
1. Connect to the Brocade enterprise-class platform and log in using an account with admin permissions, or an account with OM permissions for the license class of RBAC commands.
2. Use the licenseAdd command to add the 10G license.
3.
   7   ge8    1G    No_Module   FCIP
   7   ge9    1G    No_Module   FCIP
   7   xge0   10G   No_Module   FCIP   Disabled (10G Mode)
   7   xge1   10G   No_Module   FCIP   Disabled (10G Mode)
Time-based licenses
A Time-based license applies a try-before-you-buy approach to certain features so that you can experience the feature and its capabilities prior to buying the license. Once you have installed the license, you are given a time limit to use the feature.
Removing an expired license
CAUTION
The following procedure is disruptive to the switch.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the reboot command for the expiry to take effect.
Universal Time-based licenses
Universal Time-based licenses behave the same way as the Time-based temporary licenses supported in prior Fabric OS versions. Prior to Fabric OS v6.3.
Date change restriction
Once temporary licenses (including Universal Time-based licenses) are installed, you are not allowed to change the system date. If there is a need to change the date, you are expected to remove the time-based licenses and then change the date.
Universal Time-based license shelf life
All Universal Time-based licenses are encoded with a “shelf life” expiration date. Once this date is reached, the time-based license can no longer be used on a switch.
For the Brocade enterprise-class platforms, licenses are effective on both CP blades, but are valid only when the CP blade is inserted into an enterprise-class platform that has an appropriate license ID stored in the WWN card. If a CP is moved from one enterprise-class platform to another, the license works in the new enterprise-class platform only if the WWN card is the same in the new enterprise-class platform.
3. Remove the license key using the licenseRemove command. The license key is case-sensitive and must be entered exactly as given. The quotation marks are optional. After removing a license key, the licensed feature is disabled when the switch is rebooted or when a switch disable and enable is performed.
4. Enter the licenseShow command to verify the license is disabled.
Table 68 shows the ports that are enabled by default and the ports that can be enabled after you install the first and second Ports on Demand licenses for each switch type.
   SdSSc9SyRSTeXTdn: Second Ports on Demand license - additional 16 port upgrade license
   SdSSc9SyRSTuXTd3: Full Ports on Demand license - additional 32 port upgrade license
ATTENTION
If you enable or disable an active port, you will disrupt any traffic and potentially lose data flowing on that port. If the port is connected to another switch, you will segment the switch from the fabric and all traffic flowing between the disabled port and the fabric will be lost.
Displaying the port license assignments
When you display the available licenses, you can also view the current port assignment of those licenses.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the licensePort --show command.
Example showing manually assigned POD licenses.
   Ports assigned to the base switch license:
       1, 2, 5, 6, 8*, 21, 22, 23
   Ports assigned to the full POD license:
       None
   Ports not assigned to a license:
       0, 3, 4, 7, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20
   16 license reservations are still available for use by unassigned ports
   1 license assignment is held by an offline port (indicated by *)
Disabling Dynamic Ports on Demand
Disabling the Dynamic POD feature changes the POD method to static and erases any prior port license associations.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the licensePort --show command to verify there are port reservations available.
   12 port assignments are provisioned by the base switch license
   12 port assignments are provisioned by a full POD license
   10 ports are assigned to installed licenses:
       10 ports are assigned to the base switch license
       0 ports are assigned to the full POD license
   Ports assigned to the base switch license:
       1*, 2*, 3*, 4*, 5*, 6*, 8*, 21, 22, 23
   Ports assigned to the full POD license:
       None
   Ports not assigned to a license:
       0, 7, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20
6.
Chapter 19 Monitoring Fabric Performance
In this chapter
• Advanced Performance Monitoring overview
• End-to-end performance monitoring
• Frame monitoring
• Top Talker monitors
• Trunk monitoring
Restrictions for installing monitors
• Advanced Performance Monitoring is not supported on VE_Ports and EX_Ports. If you issue commands for any Advanced Performance Monitors on VE_Ports or EX_Ports, you will receive error messages.
• For the Brocade 8000, performance monitoring is supported only on the FC ports and not on the CEE ports.
• All monitor types are allowed only on physical ports.
Access Gateway considerations for Advanced Performance Monitoring
EE monitors and frame monitors are supported on switches in Access Gateway mode. Top Talker monitors are not supported on these switches. EE monitors must be installed on F_Ports. Frame monitors can be installed on F_Ports or N_Ports. See the Access Gateway Administrator’s Guide for additional information.
Supported port configurations for EE monitors
You can configure EE monitors on F_Ports and, depending on the switch model, on E_Ports. The following platforms support EE monitors on E_Ports:
• Brocade 6510
• Brocade DCX 8510 family
Identical EE monitors cannot be added to the same port. Two EE monitors are considered identical if they have the same SID and DID values after applying the end-to-end mask.
Example of monitoring the traffic from Dev B to Host A
On Domain 2, add a monitor to the F_Port as follows:
   switch:admin> perfaddeemonitor 2/14 "0x021e00" "0x011200"
This monitor (Monitor 4) counts the frames that have an SID of 0x021e00 and a DID of 0x011200. For Monitor 4, RX_COUNT is the number of words from Dev B to Host A, and TX_COUNT is the number of words from Host A to Dev B.
Figure 64 shows the mask positions in the command. A mask (“ff”) is set on slot 1, port 2 to compare the AL_PA fields on the SID and DID in all frames (transmitted and received) on port 2. The frame SID and DID must match only the AL_PA portion of the specified SID-DID pair. Each port can have only one EE mask. The mask is applied to all end-to-end monitors on the port. Individual masks for each monitor on the port cannot be specified.
Example of displaying an end-to-end monitor on a port at 10-second intervals
   switch:admin> perfMonitorShow --class EE 4/5 10
   Showing EE monitors 4/5 10: Tx/Rx are # of bytes
         0           1           2           3           4
   ---------   ---------   ---------   ---------   ---------
   Tx    Rx    Tx    Rx    Tx    Rx    Tx    Rx    Tx    Rx
   =========   =========   =========   =========   =========
   0     0     0     0     0     0     0     0     0     0
   53m   4.9m  53m   4.9m  53m   4.9m  53m   4.9m  53m   0
   53m   4.4m  53m   4.4m  53m   4.4m  53m   4.4m  53m   0
   53m   4.8m  53m   4.8m  53m   4.8m  53m   4.8m  53m   0
   53m   4.6m  53m   4.
Frame monitoring
Frame monitoring counts the number of times a frame with a particular pattern is transmitted by a port and generates alerts when thresholds are crossed. Frame monitoring is achieved by defining a filter, or frame type, for a particular purpose. The frame type can be a standard type (for example, a SCSI read command filter that counts the number of SCSI read commands that have been transmitted by the port) or a user-defined frame type customized for your particular use.
You can specify up to four values to compare against each offset. If more than one offset is required to properly define a filter, the bytes found at each offset must match one of the given values for the filter to increment its counter. If one or more of the given offsets does not match any of the given values, the counter does not increment. The value of the offset must be between 0 and 63, in decimal format.
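The frame-type matching rule just described (offsets 0 through 63, up to four values per offset, every offset must match), as an added Python example that is not Fabric OS code. The SCSI-read filter it builds (FC TYPE byte at offset 8, CDB opcode at offset 36) and the 64-byte frames are constructed for this example, not taken from the switch's predefined frame types.

```python
"""Added example (not Fabric OS code): a model of a frame monitor filter.
A filter names byte offsets 0-63, each with up to four acceptable byte values;
a frame increments the counter only if every offset holds one of its values,
and crossing the threshold raises an alert. The SCSI-read offsets and the
frames below are constructed for this example."""

MAX_OFFSET = 63
MAX_VALUES = 4


class FrameFilter:
    def __init__(self, name, offsets, threshold=None):
        # offsets maps a byte offset to the list of values accepted there.
        if not offsets:
            raise ValueError("a frame type needs at least one offset")
        for off, values in offsets.items():
            if not 0 <= off <= MAX_OFFSET:
                raise ValueError(f"offset {off} must be between 0 and {MAX_OFFSET}")
            if not 1 <= len(values) <= MAX_VALUES:
                raise ValueError(f"offset {off}: one to {MAX_VALUES} values allowed")
            if any(not 0 <= v <= 0xFF for v in values):
                raise ValueError(f"offset {off}: values must be single bytes")
        self.name = name
        self.offsets = {off: frozenset(values) for off, values in offsets.items()}
        self.threshold = threshold
        self.count = 0
        self.alerts = 0

    def matches(self, frame):
        # Every offset must hold one of its values; a frame too short to
        # contain an offset cannot match it.
        return all(off < len(frame) and frame[off] in values
                   for off, values in self.offsets.items())

    def observe(self, frame):
        """Count the frame if it matches; returns whether it did."""
        if not self.matches(frame):
            return False
        self.count += 1
        if self.threshold is not None and self.count == self.threshold:
            self.alerts += 1   # where a switch would raise the threshold alert
        return True


def make_frame(fc_type, opcode):
    """Constructed 64-byte frame: only the two bytes the filter inspects are set."""
    frame = bytearray(64)
    frame[8] = fc_type
    frame[36] = opcode
    return bytes(frame)


FCP_TYPE = 0x08                          # FC-4 TYPE value for SCSI FCP
SCSI_READS = [0x08, 0x28, 0xA8, 0x88]    # READ(6), READ(10), READ(12), READ(16)


def scsi_read_counts():
    """Run a SCSI-read filter over constructed frames.
    Returns (matched count, alerts raised, invalid filter definitions rejected)."""
    f = FrameFilter("SCSIRead", {8: [FCP_TYPE], 36: SCSI_READS}, threshold=2)
    frames = [
        make_frame(FCP_TYPE, 0x28),   # READ(10): counted
        make_frame(FCP_TYPE, 0x2A),   # WRITE(10): opcode not in the list
        make_frame(0x01, 0x28),       # not FCP: offset 8 fails, so no increment
        make_frame(FCP_TYPE, 0x88),   # READ(16): counted, crosses the threshold
        b"\x00" * 20,                 # short frame: cannot match offset 36
    ]
    for fr in frames:
        f.observe(fr)
    rejected = 0
    for bad in ({64: [0x28]}, {36: [1, 2, 3, 4, 5]}):   # offset > 63; five values
        try:
            FrameFilter("bad", bad)
        except ValueError:
            rejected += 1
    return f.count, f.alerts, rejected
```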
Adding frame monitors to a port
If the switch does not have enough resources to add a frame monitor to a port, then other frame monitors on that port might have to be deleted to free resources.
1. Connect to the switch and log in as admin.
2. Enter the fmMonitor --addmonitor command to add a frame monitor to one or more ports. The set of ports to be monitored is automatically saved to the persistent configuration unless you specify the -nosave option on this command.
Displaying frame monitors
1. Connect to the switch and log in as admin.
2. Enter the fmmonitor --show command.
Example
This example clears the counters for the ABTS monitor from ports 7 through 10.
   switch:admin> fmmonitor --clear ABTS -port 7-10
Top Talker monitors
Top Talker monitors determine the flows (SID/DID pairs) that are the major users of bandwidth (after initial stabilization). Top Talker monitors measure bandwidth usage data in real-time and relative to the port on which the monitor is installed.
How do Top Talker monitors differ from EE monitors?
EE monitors provide counter statistics for traffic flowing between a given SID-DID pair. Top Talker monitors identify all possible SID-DID flow combinations on a given port and provide a sorted output of the top talking flows.
FIGURE 65 Fabric mode Top Talker monitors on the FC router do not monitor any flows (figure: edge fabric E_Port, FC router EX_Port, backbone fabric)
FIGURE 66 Fabric mode Top Talker monitors on the FC router monitor flows over the E_Port (figure: edge fabric E_Ports, FC router EX_Port, backbone fabric)
Limitations of Top Talker monitors
Be aware of the following when using Top Talker monitors:
• Top Talker monitors cannot detect transient surges in traffic through
Adding a Top Talker monitor to a port (port mode)
1. Connect to the switch and log in as admin.
2. Enter the perfTTmon --add command.
The output is sorted based on the data rate of each flow. If you do not specify the number of flows to display, then the command displays the top 8 flows or the total number of flows, whichever is less.
For example, to delete the monitor on port 7:
   perfttmon --delete 7
To delete the monitor on slot 2, port 4 on an enterprise-class platform:
   perfttmon --delete 2/4
Deleting all fabric mode Top Talker monitors
1. Connect to the switch and log in as admin.
2. Enter the perfTTmon --delete fabricmode command.
   perfttmon --delete fabricmode
   All Top Talker monitors are deleted.
When there are more than 512 monitors in the system, monitors are saved to flash memory in the following order:
• The EE monitors for each port (from 0 to MAX_PORT)
• The frame monitors for each port
EE monitors get preference for saving to flash memory when the total number of monitors in a switch exceeds 512.
Chapter 20 Optimizing Fabric Behavior
In this chapter
• Adaptive Networking overview
• Ingress Rate Limiting
• QoS: SID/DID traffic prioritization
• CS_CTL-based frame prioritization
• Ingress Rate Limiting
  Ingress rate limiting restricts the speed of traffic from a particular device to the switch port. Ingress rate limiting requires an Adaptive Networking license. See “Ingress Rate Limiting” on page 412 for more information about this feature.
• Quality of Service (QoS) SID/DID Traffic Prioritization
  SID/DID traffic prioritization allows you to categorize the traffic flow between a host and target as having a high or low priority.
QoS: SID/DID traffic prioritization 20 Virtual Fabrics considerations: If Virtual Fabrics is enabled, the rate limit configuration on a port is on a per-logical switch basis. That is, if a port is configured to have a certain rate limit value, and the port is then moved to a different logical switch, it would have no rate limit applied to it in the new logical switch. If that same port is moved back to the original logical switch, it would have the original rate limit take effect again.
20 CS_CTL-based frame prioritization TABLE 72 Comparison between CS_CTL-based and QoS zone-based prioritization CS_CTL-based frame prioritization QoS zone-based traffic prioritization Requires Adaptive Networking license. Requires Adaptive Networking license. Must be manually enabled after you install the license. Automatically enabled when you install the license. No zones are required. Requires you to create QoS zones. Enabled on F/FL_Ports. Enabled on E_Ports.
Enabling CS_CTL-based frame prioritization 20 Supported configurations for CS_CTL-based frame prioritization • CS_CTL-based frame prioritization is supported on all 8-Gbps and 16-Gbps platforms. • All switches in the fabric should be running Fabric OS v6.0.0 or later. NOTE If a switch is running a firmware version earlier than Fabric OS v6.0.0, the outgoing frames from that switch lose their priority.
20 QoS zone-based traffic prioritization High, medium, and low priority flows are allocated to different virtual channels (VCs). High priority flows receive more VCs than medium priority flows, which receive more VCs than low priority flows. The virtual channels are allocated as shown in Table 74.
3. Identify E_Ports on which QoS should be manually disabled. In the islshow output, these ports have all of the following characteristics:
• 8 Gbps or 16 Gbps ports
• Trunking is enabled
• QoS is disabled
4. Check whether QoS is enabled on each port identified in step 3 using the following command:
portcfgshow
In the output, the value of QOS E_Port is AE if QoS is automatically enabled by default, ON if QoS is enabled manually, and OFF or "..
NPIV capability      ON    ON    ON    ON
NPIV PP Limit        126   126   126   126
QOS E_Port           AE    AE    AE    AE
EX Port              ..    ..    ..    ..
Mirror Port          ON    ..    ..    ..
Rate Limit           ..    ..    ..    ..
Credit Recovery      ON    ON    ON    ON
Fport Buffers        ..    ..    ..    ..
Port Auto Disable    ..    ..    ..    ..
CSCTL mode           ..    ..    ..    ..
For example, Figure 67 shows a fabric with two hosts (H1, H2) and three targets (S1, S2, S3). The traffic prioritization is as follows:
• Traffic between H1 and S1 is high priority.
• Traffic between H1 and S3 and between H2 and S3 is low priority.
• All other traffic is medium priority, which is the default.
FIGURE 68 QoS with E_Ports enabled (figure: hosts H1 and H2, targets S1, S2 and S3, and Domains 1 through 4; legend: low priority, medium priority, high priority, E_Ports with QoS enabled)
You need to enable QoS on the E_Ports on both ISLs between Domain 3 and Domain 4 because either path might be selected to carry the traffic.
• QoS over FC routers is supported for the following configurations:
- Edge-to-edge fabric configuration: supported on all platforms.
- Backbone-to-edge fabric configuration: supported on 16-Gbps-capable platforms only (Brocade 6510 and Brocade DCX 8510 family), and only if the setup contains no other platforms. For all other platforms, you cannot prioritize the flow between a device in an edge fabric and a device in the backbone fabric.
High availability considerations for QoS zone-based traffic prioritization
If the standby CP is running a Fabric OS version earlier than 6.3.0 and is synchronized with the active CP, then QoS zones using D,I notation cannot be created. If the standby CP is not synchronized or if no standby CP exists, then the QoS zone creation succeeds.
• Traffic prioritization is not supported in McDATA Fabric Mode (interopmode 2) or Open Fabric Mode (interopmode 3).
• You must be running Fabric OS v6.3.0 or later to create QoS zones using D,I notation.
• QoS zones using D,I notation are not supported for QoS over FCR.
• QoS zones using D,I notation should not be used for loop or NPIV ports.
• If QoS is enabled, an additional 16 buffer credits are allocated per port for 8-Gbps ports in LE mode.
NOTE
QoS is enabled by default on all ports (except long-distance ports). If you use the portCfgQos command to enable QoS on a specific port, the port is toggled to apply this configuration, even though the port already has QoS enabled. The port is toggled because the user configuration changed, even though the actual configuration of the port did not change.
Setting QoS zone-based traffic prioritization over FC routers
1. Connect to the switch in the edge fabric and log in as admin.
2. Create QoS zones in the edge fabric. The QoS zones must have WWN members only, and not D,I members. See “Setting QoS zone-based traffic prioritization” on page 423 for instructions.
3. Create LSAN zones in the edge fabric. See “Controlling device communication with the LSAN” on page 481 for instructions.
4.
Chapter 21 Managing Trunking Connections
In this chapter
• Trunking overview
• Requirements for trunk groups
• Supported configurations for trunking
• Supported platforms for trunking
• Recommendations for trunking groups
Types of trunking
Trunking can be between two switches, between a switch and an Access Gateway module, or between a switch and a Brocade adapter. The types of trunking are as follows:
• ISL trunking, or E_Port trunking, is configured on an inter-switch link (ISL) between two Fabric OS switches and is applicable only to E_Ports.
• ICL trunking is configured on an inter-chassis link (ICL) between two enterprise-class platforms and is applicable only to ports on the core blades.
License requirements for trunking
All types of trunking require the Trunking license. This license must be installed on each switch that participates in trunking.
ATTENTION
After you add the Trunking license, to enable trunking functionality, you must disable and then re-enable each port to be used in trunking, or disable and re-enable the switch.
• There must be a direct connection between participating switches.
• Trunking cannot be done if ports are in ISL R_RDY mode. (You can disable this mode using the portCfgIslMode command.)
• Trunking is supported only on FC ports. Virtual FC ports (VE_ or VEX_Ports) do not support trunking.
Supported configurations for trunking
• Trunk links can be 2 Gbps, 4 Gbps, 8 Gbps, 10 Gbps, or 16 Gbps depending on the Brocade platform.
Recommendations for trunking groups
To identify the most useful trunking groups, consider the following recommendations along with the standard guidelines for SAN design:
• Evaluate the traffic patterns within the fabric.
• Place trunking-capable switches adjacent to each other. This maximizes the number of trunking groups that can form.
To re-initialize the ports, you can either disable and then re-enable the switch, or disable and then re-enable the affected ports.
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the islShow command to determine which ports are used for ISLs.
3. Enter the portDisable command for each port to be used in a trunk group. Alternatively, you can enter the switchDisable command to disable all of the ports on the switch.
4.
Displaying trunking information
You can use the trunkShow command to view the following information:
• All the trunks and members of a trunk.
• Whether the trunking port connection is the master port connection for the trunking group.
• That trunks are formed correctly.
• Trunking information for a switch that is part of an FC Router backbone fabric interlinking several edge fabrics.
    Tx: Bandwidth 16.00Gbps, Throughput 1.67Gbps (12.12%)
    Rx: Bandwidth 16.00Gbps, Throughput 1.66Gbps (12.11%)
    Tx+Rx: Bandwidth 32.00Gbps, Throughput 3.33Gbps (12.11%)
ISL trunking over long distance fabrics
both ports must have long distance enabled?
In long-distance fabrics, if a port speed is set to autonegotiate, then the maximum speed, which is 16 Gbps, is assumed for reserving buffers for the port. If the port is only running at 2 Gbps, this wastes buffers.
ICL trunking
ICL trunking is configured on an inter-chassis link (ICL) between two enterprise-class platforms and is applicable only to ports on the core blades. ICL trunks automatically form on the ICLs when you install the Trunking license on each platform.
Supported platforms for ICL trunking
You can have ICL trunks only between platforms with the same ASIC type. The Brocade DCX and DCX-4S have the same ASIC type, and the Brocade DCX 8510 family has the same ASIC type.
FIGURE 71 ICL trunking between two Brocade DCX 8510-8 platforms
See the hardware reference manuals for information about port numbering and connecting the ICL cables.
ICL trunking on the Brocade DCX and DCX-4S
On the Brocade DCX and DCX-4S, trunks are automatically formed on the ICLs. The ICLs are managed the same as ISL trunks.
• On the Brocade DCX, each ICL is managed as two 8-port ISL trunks.
• On the Brocade DCX-4S, each ICL is managed as one 8-port ISL trunk.
If router port cost is used with EX_Port trunking, the master port and slave ports share the router port cost of the master port. See Chapter 23, “Using the FC-FC Routing Service,” for more information about EX_Ports and the FC router.
Masterless EX_Port trunking
EX_Port trunking is masterless except for EX_Ports on enterprise-class platforms. For the enterprise-class platforms, Virtual Fabrics must be enabled for masterless EX_Port trunking to take effect.
Displaying EX_Port trunking information
1. Log in as an admin and connect to the switch.
2. Enter the switchShow command to display trunking information for the EX_Ports.
The following is an example of a master EX_Port and a slave EX_Port displayed in switchShow.
Figure 72 shows a switch in AG mode without F_Port masterless trunking. Figure 73 shows a switch in AG mode with F_Port masterless trunking.
FIGURE 72 Switch in Access Gateway mode without F_Port trunking
FIGURE 73 Switch in Access Gateway mode with F_Port masterless trunking
NOTE
You do not need to manually map the host to the master port because Access Gateway will perform a cold failover to the master port.
• The edge switch F_Port trunk ports are connected within the ASIC-supported trunk group on the Access Gateway module.
• Both switches are running the same Fabric OS versions.
• Trunking must be enabled on all ports to be included in a Trunk Area (TA) before you attempt to create a Trunk Area. See “Configuring trunk groups” on page 431 for details.
F_Port trunking for Brocade adapters
You can configure trunking between the F_Ports on an edge switch and the Brocade adapters.
TABLE 76 F_Port masterless considerations (Continued)
Category: domain,index (D,I)
Description: Creating a Trunk Area may remove the Index ("I") from the switch to be grouped to the Trunk Area. All ports in a Trunk Area share the same "I". This means that domain,index (D,I) entries that refer to an "I" that might have been removed will no longer be part of the switch.
NOTE: Be sure to include AD, zoning, and DCC when creating a Trunk Area.
TABLE 76 F_Port masterless considerations (Continued)
Category: QoS
Description: Supported.
Category: Routing
Description: Routing will route against the F_Port trunk master. Bandwidth information will be modified accordingly as the F_Port trunk forms.
Category: Trunk Master
Description: No more than one trunk master in a trunk group. The second trunk master will be persistently disabled with reason "Area has been acquired".
Category: Upgrade
Description: There are no limitations on upgrading to Fabric OS v7.0.
NOTE
Because the DCX and DCX 8510-8 platforms have a maximum of 576 ports, out of the 1024 10-bit address range, addresses 448-1023 are reserved for the 10-bit address space. Addresses 0–447 are reserved for assigning to NPIV/Loop ports to support 112 [448/4] NPIV/Loop ports in a logical switch with 256 devices each.
When you assign a trunk area on a port, it enables trunking on the F_Ports automatically. This command does not unassign a TA if its previously assigned Area_ID is the same address identifier (Area_ID) of the TA unless all the ports in the trunk group are specified to be unassigned.
5. Enter the portEnable command to re-enable the ports in the TA.
switch:admin> porttrunkarea --show trunk
Trunk Index 37: 39->0 sp: 8.000G bw: 16.000G deskew 15 MASTER
    Tx: Bandwidth 16.00Gbps, Throughput 1.63Gbps (11.84%)
    Rx: Bandwidth 16.00Gbps, Throughput 1.62Gbps (11.76%)
    Tx+Rx: Bandwidth 32.00Gbps, Throughput 3.24Gbps (11.80%)
                38->1 sp: 8.000G bw: 8.000G deskew 15
    Tx: Bandwidth 16.00Gbps, Throughput 1.63Gbps (11.84%)
    Rx: Bandwidth 16.00Gbps, Throughput 1.62Gbps (11.76%)
    Tx+Rx: Bandwidth 32.00Gbps, Throughput 3.24Gbps (11.
Chapter 22 Managing Long Distance Fabrics
In this chapter
• Long distance fabrics overview
• Extended Fabrics device limitations
• Long distance link modes
• Configuring an extended ISL
• Buffer credit management
Extended Fabrics device limitations
Extended Fabrics is not supported on the following devices:
• FC8-64 port blade
• Brocade 8000 FCoE switch
Long distance link modes
Use the portCfgLongDistance command to support long distance links and to allocate sufficient numbers of full size frame buffers on a particular port. Changes made by this command are persistent across switch reboots and power cycles.
NOTE
A long-distance link also can be configured to be part of a trunk group. Two or more long-distance links in a port group form a trunk group when they are configured for the same speed, the same distance level, and their link distances are nearly equal. For information on trunking concepts and configurations, refer to Chapter 21, “Managing Trunking Connections”.
• Only qualified Brocade SFPs are used.
portState: 2 Offline
Protocol: FC
portPhys: 2 No_Module
portScn: 0
port generation number: 0
portId: 010200
portIfId: 4312003b
portWwn: 20:02:00:05:1e:94:0f:00
portWwn of device(s) connected:
Distance: static (desired = 100 Km)
portSpeed: N8Gbps
LE domain: 0
FC Fastwrite: OFF
Interrupts: 0
Unknown: 0
Lli: 0
Proc_rqrd: 5
Timed_out: 0
Rx_flushed: 0
Tx_unavail: 0
Free_buffer: 0
Overrun: 0
Suspended: 0
Parity_err: 0
2_parity_err: 0
CMI_bus_err: 0
Link_failure: Loss_of_sync: Loss_
To prevent a target device (either host or storage) from being overwhelmed with frames, the Fibre Channel architecture provides flow control mechanisms based on a system of credits. Each of these credits represents the ability of the device to accept additional frames. If a recipient issues no credits to the sender, no frames can be sent.
Optimal buffer credit allocation
The optimal number of buffer credits is determined by the distance (frame delivery time), the processing time at the receiving port, link signaling rate, and size of the frames being transmitted. As the link speed increases, the frame transmission time is reduced and the number of buffer credits must be increased to obtain full link utilization, even in a short-distance environment.
Allocating buffer credits based on full-size frames
Assuming that the frame size is full, one buffer credit allows a device to send one payload up to 2112 bytes (2148 with headers). Assuming that each payload is 2112, you need one credit per 1 km of link length at 2 Gbps (smaller payloads require additional BB credits to maintain link utilization). See “Allocating buffer credits based on average-size frames” on page 455 for additional information.
Refer to the data in Table 79 on page 456 and Table 80 on page 457 to get the total ports in a switch or blade, number of user ports in a port group, and the unreserved buffer credits available per port group. The values reflect an estimate, and may differ from the supported values in Table 80.
1. Determine the desired distance in kilometers of the switch-to-switch connection. This example uses 50 km.
2. Determine the speed that you will use for the long-distance connection.
If you allocate the entire 484 + 8 (8 for the reserved buffers already allocated to that user port) = 492 buffers to a single port, you can calculate the maximum single-port extended distance supported:
[Maximum Distance X in km] = (BufferCredits + 6) * 2 / LinkSpeed
498 km = (492 + 6 buffers for Fabric Services) * 2 / 2 Gbps
How many 50 km ports can you configure? If you have a distance of 50 km at 8 Gbps, then:
484 / (206 – 8) = 2 ports
The numbers used are: 484, which equals
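The credit arithmetic above, worked through as an added Python example that is not from the guide: it reproduces the guide's printed formulas and its worked numbers (the 484-buffer unreserved pool, 8 reserved buffers per user port, 6 credits for fabric services), and generalizes the per-km rule to other payload sizes.

```python
"""Buffer credit arithmetic for Extended Fabrics long-distance ISLs.

Added example; not code from the Fabric OS Administrator's Guide.  It applies
the guide's numbers: one credit per km at 2 Gbps with 2112-byte frames, six
credits for fabric services, eight buffers already reserved per user port,
and the unreserved pool of a port group (484 in the worked example).
"""
import math

FABRIC_SERVICES_CREDITS = 6   # credits the guide adds for fabric services
RESERVED_PER_USER_PORT = 8    # buffers already reserved for every user port
FULL_FRAME_BYTES = 2112       # payload carried by one credit at full size


def credits_for_distance(distance_km, speed_gbps, payload_bytes=FULL_FRAME_BYTES):
    """Credits a port needs to keep a link of distance_km busy at speed_gbps.

    Guide rule: one credit per km at 2 Gbps with 2112-byte frames, scaled
    linearly with link speed; smaller payloads need proportionally more.
    The six fabric-services credits are added on top, as in the guide's
    50 km / 8 Gbps example (50 * 8 / 2 + 6 = 206).
    """
    if distance_km <= 0 or speed_gbps <= 0 or payload_bytes <= 0:
        raise ValueError("distance, speed and payload must be positive")
    data_credits = distance_km * speed_gbps / 2 * (FULL_FRAME_BYTES / payload_bytes)
    return math.ceil(data_credits) + FABRIC_SERVICES_CREDITS


def max_distance_km(buffer_credits, speed_gbps):
    """Guide formula: [Maximum Distance X in km] = (BufferCredits + 6) * 2 / LinkSpeed.

    Reproduced exactly as printed (the six credits are added here, not
    subtracted), so this is not the algebraic inverse of credits_for_distance.
    """
    if speed_gbps <= 0:
        raise ValueError("speed must be positive")
    return (buffer_credits + FABRIC_SERVICES_CREDITS) * 2 / speed_gbps


def single_port_max_distance_km(unreserved_pool, speed_gbps):
    """Give the whole pool plus the port's own 8 reserved buffers to one port."""
    return max_distance_km(unreserved_pool + RESERVED_PER_USER_PORT, speed_gbps)


def long_distance_ports(unreserved_pool, distance_km, speed_gbps):
    """How many ports at distance_km and speed_gbps one port group's pool can feed.

    Each port already owns 8 reserved buffers, so only the remainder of its
    requirement is drawn from the shared pool: 484 / (206 - 8) = 2 ports.
    """
    needed_from_pool = credits_for_distance(distance_km, speed_gbps) - RESERVED_PER_USER_PORT
    if needed_from_pool <= 0:
        raise ValueError("this link is covered by the port's reserved buffers alone")
    return unreserved_pool // needed_from_pool


if __name__ == "__main__":
    print(single_port_max_distance_km(484, 2))   # 498.0 km, as in the guide
    print(credits_for_distance(50, 8))            # 206
    print(long_distance_ports(484, 50, 8))        # 2
```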
If buffer credit recovery is enabled, Fabric OS supports a BB_SC_N range of 1 to 15; therefore, it is impossible for the desired_distance to be more than the number of BB credits available in the pool as determined by the calculations above. The BB credit recovery supported distance is well within the range of all possible connections.
TABLE 79 Buffer credits (Continued)
Switch/blade model          Total FC ports (per switch/blade)   User port group size   Unreserved buffers (per port group)
5300                        80                                  16                     292
5410                        12                                  12                     580
5424                        24                                  24                     484
5450                        26                                  26                     468
5480                        24                                  24                     484
6510                        48                                  48                     6752
7800                        16                                  16                     408
8000                        *** Extended Fabrics is not supported on this switch ***
VA-40FC                     40                                  40                     1692
Brocade Encryption Switch   32                                  16                     1392
FC8-16                      16                                  16                     1292/508
FC8-32                      32                                  16                     1292/508
FC8-48                      48                                  24                     1
TABLE 80 Configurable distances for Extended Fabrics (Continued)
Maximum distances (km) that can be configured assuming 2112 Byte Frame Size
Switch/blade model   1 Gbps   2 Gbps   4 Gbps   8 Gbps   10 Gbps   16 Gbps
5480                 972      486      243      121.
This feature is only supported on E_Ports that are configured for long distance and are connected between the following switch or blade models:
• Brocade 300, 5100, 5300, 5410, 5424, 5450, 5480, 6510, VA-40FC
• FC8-16, FC8-32, FC8-48, FC16-32, FC16-48
If a long-distance E_Port from one of these supported switches or blades is connected to any other switch or blade type, the buffer credit recovery feature is disabled.
Chapter 23 Using the FC-FC Routing Service
In this chapter
• FC-FC routing service overview
• Fibre Channel routing concepts
• Setting up the FC-FC routing service
• Backbone fabric IDs
• FCIP tunnel configuration
License requirements for Fibre Channel Routing
Fibre Channel routing is a licensed feature that requires the Integrated Routing license. This license allows 8-Gbps and 16-Gbps FC ports to be configured as EX_Ports (or VEX_Ports) supporting Fibre Channel routing. Enabling the Integrated Routing license and capability does not require a switch reboot.
NOTE
In configurations with two backbones connected to the same edge fabric, routing is not supported between edge fabrics that are not directly attached to the same backbone. Routing over multiple backbones is a multi-hop topology and is not allowed.
Fibre Channel routing concepts
Fibre Channel routing introduces the following concepts:
• Fibre Channel router (FC router)
A switch running the FC-FC routing service.
FIGURE 74 A metaSAN with inter-fabric links (figure: hosts and targets in Edge fabric 1, Edge fabric 2 and Edge fabric 3 attach through E_Ports on Fibre Channel switches; IFLs, including a long distance IFL, connect them to EX_Ports on the FC router)
• Logical SANs (LSANs)
An LSAN is defined by zones in two or more edge or backbo
FIGURE 75 A metaSAN with edge-to-edge and backbone fabrics and LSAN zones (figure: Edge fabric 1, Edge fabric 2 and Edge fabric 3 reached through EX_Ports, a VEX_Port, and a VE_Port across an IP cloud, with IFLs and the backbone fabric; legend: LSAN)
• Proxy device
A proxy device is a virtual device imported into a fabric by a Fibre Channel router, and represents a real device on another fabric. It has a name server entry and is assigned a valid port ID.
If two different backbone fabrics are connected to the same edge fabric, the backbone fabric IDs must be different, but the edge fabric IDs must be the same. If you configure the same fabric ID for two backbone fabrics that are connected to the same edge fabric, a RASLog message displays a warning about fabric ID overlap.
NOTE
Backbone fabrics that share connections to the same edge fabrics must have unique backbone fabric IDs.
Proxy devices
An FC router achieves inter-fabric device connectivity by creating proxy devices (hosts and targets) in attached fabrics that represent real devices in other fabrics. For example, a host in Fabric 1 can communicate with a target in Fabric 2 as follows:
• A proxy target in Fabric 1 represents the real target in Fabric 2.
• Likewise, a proxy host in Fabric 2 represents the real host in Fabric 1.
To do so, at least one translate phantom domain is created in the backbone fabric. This translate phantom domain represents the entire edge fabric. The shared physical devices in the edge have corresponding proxy devices on the translate phantom domain. Each edge fabric has one and only one xlate domain to the backbone fabric. The backbone fabric device communicates with the proxy devices whenever it needs to contact the shared physical devices in the edge.
Figure 79 shows a phantom topology for the physical topology shown in Figure 78. In this figure, the dashed lines and shapes represent the phantom topology from the perspective of Fabric 1. Fabrics 2 and 3 also see phantom topologies, but they are not shown in this example. In this figure, note the following:
• Front domain 1 and Front domain 2 are front domains for EX_Ports connecting to Fabric 1.
Use the fcrXlateConfig command to display or assign a preferred domain ID to a translate domain or, in some scenarios, to prevent the creation of an unnecessary xlate domain. See the Fabric OS Command Reference for more details about this command.
Verifying the setup for FC-FC routing
Before configuring a fabric to connect to another fabric, you must perform the following verification checks on the FC router.
1. Log in to the switch or director as admin and enter the version command. Verify that Fabric OS v7.0.0 is installed on the FC router, as shown in the following example.
switch:admin> version
Kernel:     2.6.14.2
Fabric OS:  v7.0.0
Made on:    Fri Jan 21 01:15:34 2011
Flash:      Mon Jan 24 20:53:48 2011
BootProm:   1.
---------------------------------------
SCC - accept
DCC - accept
PWD - accept
Fabric-Wide Consistency Policy :- "SCC:S;DCC"
If the Fabric Wide Consistency Policy has the letter “S” in it in the edge fabric or the backbone fabric, do not connect the edge fabric to the FC router. The letter “S” (shown in the preceding sample output) indicates that the policy is strict. The fabric-wide policy must be tolerant before you can connect fabrics to the FC router.
4. Enter the fcrConfigure command. At the prompt, enter the fabric ID, or press Enter to keep the current fabric ID, which is displayed in brackets.
5. Verify the backbone fabric ID is different from that set for edge fabrics. Multiple FC routers attached to the same backbone fabric must have the same backbone fabric ID.
6. Enter the fosConfig --enable fcr command.
7. Enter the switchEnable command.
ATTENTION
To ensure that fabrics remain isolated, disable the port prior to inserting the cable. If you are configuring an EX_Port, disable the port prior to making the connection.
Configuring an IFL for both edge and backbone connections
1. On the FC router, disable the port that you are configuring as an EX_Port (the one connected to the Fabric OS switch) by issuing the portDisable command.
3. (Optional) Configure FC router port cost, if you want to change the default values. For information about using FC router port cost operations, see “FC Router port cost configuration” on page 477.
4. (Optional) Set up ISL or EX_Port trunking. For information on trunking setup, see “Configuring EX_Port trunking” on page 437.
5. Enter the portEnable command to enable the ports that you disabled in step 1.
switch:admin> portenable 7/10
6.
switch:admin> portcfgexport 7/10
Port 7/10 info
Admin:                       enabled
State:                       NOT OK
Pid format:                  Not Applicable
Operate mode:                Brocade Native
Edge Fabric ID:              30
Preferred Domain ID:         160
Front WWN:                   50:06:06:9e:20:38:6e:1e
Fabric Parameters:           Auto Negotiate
R_A_TOV:                     Not Applicable
E_D_TOV:                     Not Applicable
Authentication Type:         None
DH Group:                    N/A
Hash Algorithm:              N/A
Edge fabric's primary wwn:   N/A
Edge fabric's version stamp: N/A
switch:admin_06> portshow 7/10
portName:
portHealth: OFF
Timed_out: 0
Rx_flushed: 0
Tx_unavail: 0
Free_buffer: 0
Overrun: 0
Suspended: 0
Parity_err: 0
2_parity_err: 0
CMI_bus_err: 0
Invalid_word: 0
Invalid_crc: 0
Delim_err: 0
Address_err: 0
Lr_in: 0
Lr_out: 0
Ols_in: 0
Ols_out: 0
Port part of other ADs: No
10. Enter the switchShow command to verify that the EX_Port (or VEX_Port), edge fabric ID, and name of the edge fabric switch (containing the E_Port or VE_Port) are correct.
11.
The router port cost feature optimizes the usage of the router port links by directing the traffic to a link with a smaller cost. Every IFL has a default cost. The default router port cost values are:
• 1000 for legacy (v5.1 or XPath FCR) IFL
• 1000 for EX_Port IFL
• 10,000 for VEX_Port IFL
The FCR router port cost settings are 0, 1000, or 10,000. If the cost is set to 0, the default cost will be used for that IFL.
Setting router port cost for an EX_Port
The router port cost value for an EX_Port is set automatically when the EX_Port is created. However, you can modify the cost for that port. You can configure the EX_ or VEX_Port with values of either 1000 or 10,000. If you want to differentiate between two EX_Port links with different speeds, you can assign 1000 to one link and 10,000 to the other link.
EX_Port frame trunking configuration
You can configure EX_Ports to use frame-based trunking just as you do regular E_Ports. EX_Port frame trunking support is designed to provide the best utilization and balance of frames transmitted on each link between the FC router and the edge fabric. You should trunk all ports connected to the same edge fabrics. The FC router front domain has a higher node WWN, derived from the FC router, than that of the edge fabric.
Zone definition and naming
Zones are defined locally on a switch or director. Names and memberships, with the exception of hosts and targets exported from one fabric to another, do not need to be coordinated with other fabrics. For example, in Figure 76 on page 466, when the zones for Edge SAN 1 are defined, you do not need to consider the zones in Edge SAN 2, and vice versa.
1. Log in as admin and connect to switch1.
2. Enter the nsShow command to list the WWN of the host (10:00:00:00:c9:2b:c9:0c).
NOTE
The nsShow output displays both the port WWN and node WWN; the port WWN must be used for LSANs.
switch:admin> nsshow
{
 Type Pid    COS     PortName                NodeName                 TTL(sec)
 N    060f00;      2,3; 10:00:00:00:c9:2b:c9:0c; 20:00:00:00:c9:2b:c9:0c; na
    FC4s: FCP
    NodeSymb: [35] "Emulex LP9002 FV3.91A3 DV5-5.
8. Enter the zoneCreate command to create the LSAN lsan_zone_fabric2, which includes the host (10:00:00:00:c9:2b:6a:2c), Target A, and Target B.
switch:admin> zonecreate "lsan_zone_fabric2", "10:00:00:00:c9:2b:c9:0c;50:05:07:61:00:5b:62:ed;50:05:07:61:00:49:20:b4"
9. Enter the cfgShow command to verify that the zones are correct.
On the FC router, the host and Target A are imported, because both are defined by lsan_zone_fabric2 and lsan_zone_fabric75. However, Target B is defined by lsan_zone_fabric2 and is not imported because lsan_zone_fabric75 does not allow it. When a PLOGI, PDISC, or ADISC arrives at the FC router, the SID and DID of the frame are checked. If they are LSAN-zoned at both SID and DID edge fabrics, the frame is forwarded to the DID.
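The import and forwarding rule just described, modelled as an added Python example (not Fabric OS code): a device gets a proxy in the other fabric only when an LSAN zone in each of the two edge fabrics lists both endpoints, and a login frame is forwarded only under the same condition. The contents of lsan_zone_fabric75, the home fabric of each device, and the local-only zone are assumptions constructed for the example; the model keys on port WWNs where the router resolves SID and DID.

```python
"""Model of the FC router's LSAN zone check for device import and login forwarding.

Added example; not code from Fabric OS.  Zone contents for fabric 75, the
home fabric of each device, and the extra local zone are constructed from
the surrounding text, not taken from a real switch.
"""

# Port WWNs used in the guide's example.
HOST = "10:00:00:00:c9:2b:c9:0c"
TARGET_A = "50:05:07:61:00:5b:62:ed"
TARGET_B = "50:05:07:61:00:49:20:b4"

# Constructed zone databases keyed by fabric ID.  Only zones whose names
# begin with "lsan_" (case-insensitive) are LSAN zones; others are local only.
ZONES = {
    2: {
        "lsan_zone_fabric2": {HOST, TARGET_A, TARGET_B},
        "local_zone_fabric2": {HOST, TARGET_B},   # assumed: not an LSAN zone, so ignored by the router
    },
    75: {
        "lsan_zone_fabric75": {HOST, TARGET_A},   # assumed: Target B deliberately absent
    },
}

# Assumed home fabric of each device: the host in fabric 2, the targets in fabric 75.
HOME_FABRIC = {HOST: 2, TARGET_A: 75, TARGET_B: 75}


def is_lsan_zone(name):
    """The router recognises an LSAN zone by the 'lsan_' name prefix, any case."""
    return name.lower().startswith("lsan_")


def lsan_permits(fabric_zones, wwn_a, wwn_b):
    """True if some LSAN zone in this fabric's database contains both WWNs."""
    return any(
        is_lsan_zone(name) and wwn_a in members and wwn_b in members
        for name, members in fabric_zones.items()
    )


def may_route(wwn_a, wwn_b, zones=ZONES, home=HOME_FABRIC):
    """Cross-fabric access needs agreement from the LSAN zones of *both* fabrics."""
    fabric_a, fabric_b = home[wwn_a], home[wwn_b]
    if fabric_a == fabric_b:
        return False   # same fabric: ordinary zoning applies, the router is not involved
    return (lsan_permits(zones[fabric_a], wwn_a, wwn_b)
            and lsan_permits(zones[fabric_b], wwn_a, wwn_b))


def imported_into(fabric_id, zones=ZONES, home=HOME_FABRIC):
    """Remote devices that receive a proxy entry in fabric_id's name server."""
    local_devices = [w for w, f in home.items() if f == fabric_id]
    return {
        remote for remote, f in home.items()
        if f != fabric_id
        and any(may_route(local, remote, zones, home) for local in local_devices)
    }


def forward_login(sid_wwn, did_wwn, zones=ZONES, home=HOME_FABRIC):
    """Decision for a PLOGI, PDISC or ADISC arriving at the router."""
    return "forward" if may_route(sid_wwn, did_wwn, zones, home) else "drop"


if __name__ == "__main__":
    print(sorted(imported_into(2)))        # Target A only; Target B is not imported
    print(sorted(imported_into(75)))       # the host
    print(forward_login(HOST, TARGET_A))   # forward
    print(forward_login(HOST, TARGET_B))   # drop
```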
HA and downgrade considerations for LSAN zones
Be aware of how LSAN zones impact high availability and firmware downgrades:
• The LSAN zone matrix is synchronized to the standby CP.
• On a dual CP switch, both CPs must have Fabric OS v5.3.0 or later to enable the feature.
• If the feature is enabled on the active CP, introducing a CP with an earlier version of Fabric OS as a standby will cause HA synchronization to fail.
In this example, the following LSAN zones would all be accepted:
lsan_abc
Lsan_xyz123456
LSAN_FAB1_abc
You can specify up to eight Enforce tags on an FC router.
Speed tag
During target discovery, the FC router process of presenting proxy devices and setting up paths to the proxy devices might cause some sensitive hosts to time out or fail.
FIGURE 80 Example of setting up Speed LSAN tag (figure: host H1 and devices D1 and D2 across Edge fabric 1, Edge fabric 2 and Edge fabric 3, joined by FC router 1 and FC router 2; legend: LSAN)
Rules for LSAN tagging
Note the following rules for configuring LSAN tags:
• You configure the tags on the FC router, and not on the edge switches. If Virtual Fabrics are enabled, you configure the tags on the base switch on which the EX_ and VEX_Ports are located.
4. Enter the following command to enable the FC router:
switchenable
5. Change the names of the LSAN zones in the edge fabrics to incorporate the tag in the names.
Example
sw0:admin> switchdisable
sw0:admin> fcrlsan --add -enforce enftag1
LSAN tag set successfully
sw0:admin> switchenable
Configuring a Speed LSAN tag
1. Log in to the FC router as admin.
2.
Displaying the LSAN tag configuration
1. Log in to the FC router as admin.
2. Enter the fcrlsan --show command.
FIGURE 81 LSAN zone binding (figure: LSAN zones 1 through 4 spanning Fabrics 1 through 9, attached through FC routers 1 through 4 to the backbone fabric)
After you set up LSAN zone binding, each FC router stores information about only those LSAN zones that access its local edge fabrics.
How LSAN zone binding works
LSAN zone binding uses an FC router matrix, which specifies pairs of FC routers in the backbone fabric that can access each other, and an LSAN fabric matrix, which specifies pairs of edge fabrics that can access each other. You set up LSAN zone binding using the fcrLsanMatrix command. This command has two options: -fcr and -lsan.
Now edge fabrics 1, 2, 3, 7, and 8 can access each other, and edge fabrics 4, 5, 6, and 9 can access each other; however, edge fabrics in one group cannot access edge fabrics in the other group.
LSAN fabric matrix definition
With LSAN zone binding, you can specify pairs of fabrics that can access each other.
FCR:Admin> fcrlsanmatrix --add -lsan 4 5
FCR:Admin> fcrlsanmatrix --add -lsan 4 7
FCR:Admin> fcrlsanmatrix --add -lsan 10 19
FCR:Admin> fcrlsanmatrix --apply -all

Viewing the LSAN zone binding matrixes
1. Log in to the FC router as admin.
2. Enter the following command to view the FC router matrix:
   fcrlsanmatrix --fabricview -fcr
3.
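To make the two-matrix rule concrete, here is a small Python model that checks whether a proposed LSAN zone is permitted by both the FC router matrix and the LSAN fabric matrix, and which FC routers would store that zone. This is an added example, not Brocade code and not the fcrLsanMatrix implementation; the router names, the fabric-to-router attachments (chosen to reproduce the two groups described for Figure 81), and the rule that an empty matrix imposes no restriction are assumptions.

```python
"""Model of LSAN zone binding checks (added example, not Brocade code).

Assumptions not stated on the page: an empty matrix imposes no restriction;
two edge fabrics attached to the same FC router can always share an LSAN;
matrix pairs are unordered and not transitive; both matrices must permit a
fabric pair for it to be allowed. Fabric-to-router attachments are constructed.
"""
from itertools import combinations


class LsanBinding:
    def __init__(self, attachments):
        # attachments: {fc_router_name: {edge fabric IDs (FIDs) it connects}}
        self.attachments = {r: set(f) for r, f in attachments.items()}
        self.router_of = {fid: r for r, fids in attachments.items() for fid in fids}
        self.fcr_pairs = set()   # fcrlsanmatrix --add -fcr <router> <router>
        self.lsan_pairs = set()  # fcrlsanmatrix --add -lsan <fid> <fid>

    def add_fcr(self, r1, r2):
        self.fcr_pairs.add(frozenset((r1, r2)))

    def add_lsan(self, fid1, fid2):
        self.lsan_pairs.add(frozenset((fid1, fid2)))

    def can_access(self, fid1, fid2):
        """True if devices in fid1 and fid2 may be placed in the same LSAN zone."""
        r1, r2 = self.router_of[fid1], self.router_of[fid2]
        fcr_ok = (r1 == r2 or not self.fcr_pairs
                  or frozenset((r1, r2)) in self.fcr_pairs)
        lsan_ok = (not self.lsan_pairs
                   or frozenset((fid1, fid2)) in self.lsan_pairs)
        return fcr_ok and lsan_ok

    def blocked_pairs(self, fids):
        """Fabric pairs inside a proposed LSAN zone that binding would block."""
        return [p for p in combinations(sorted(set(fids)), 2)
                if not self.can_access(*p)]

    def routers_storing(self, fids):
        """FC routers that keep state for an LSAN zone: those with a local fabric in it."""
        return sorted(r for r, local in self.attachments.items() if local & set(fids))


def figure81():
    """Constructed topology in the spirit of Figure 81 (attachments are assumed)."""
    b = LsanBinding({"FCR1": {1, 2, 3}, "FCR2": {7, 8},
                     "FCR3": {4, 9}, "FCR4": {5, 6}})
    b.add_fcr("FCR1", "FCR2")   # fcrlsanmatrix --add -fcr FCR1 FCR2
    b.add_fcr("FCR3", "FCR4")   # fcrlsanmatrix --add -fcr FCR3 FCR4
    return b


if __name__ == "__main__":
    b = figure81()
    print("blocked in zone over 3,8,9:", b.blocked_pairs([3, 8, 9]))
    print("routers storing zone over 1,7:", b.routers_storing([1, 7]))
```

Adding LSAN fabric matrix pairs such as 4 5 and 4 7 from the session above further narrows the result: a pair must be allowed by both matrices, so 4 and 7 stay blocked by the FC router matrix even though the LSAN fabric matrix lists them.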
Fabric parameter considerations
By default, EX_Ports and VEX_Ports detect, autonegotiate, and configure the fabric parameters without user intervention. You can optionally configure these parameters manually.
• To change the fabric parameters on a switch in the edge fabric, use the configure command. Note that to access all of the fabric parameters controlled by this command, you must disable the switch using the switchDisable command.
Displaying the current broadcast configuration
1. Log in to the FC router as admin.
2. Type the following command:
   fcr:admin> fcrbcastconfig --show
This command displays only the FIDs that have the broadcast frame option enabled. The FIDs that are not listed have the broadcast frame option disabled.

Enabling broadcast frame forwarding
1. Log in to the FC router as admin.
2.
• Phantom Port WWNs
• Max proxy devices
• Max NR_Ports
The following example shows the use of the fcrResourceShow command to display physical port (EX_Port) resources.
FC-FC Routing and Virtual Fabrics
If Virtual Fabrics is enabled, the following rules apply:
• EX_Ports and VEX_Ports can be configured only on the base switch. When you enable Virtual Fabrics, the chassis is automatically rebooted. When the switch comes up, only one default logical switch is present, with the default fabric ID (FID) of 128. All previously configured EX_Ports and VEX_Ports are persistently disabled with the reason “ExPort in non base switch”.
• The other logical switches in Fabric 128 and Fabric 15 must be connected with physical ISLs, and do not use the XISL connection in the base fabric.
• The logical switches in Fabric 1 are configured to allow XISL use. You cannot connect an EX_Port to these logical switches, so the device in Fabric 1 cannot communicate with the other two devices.
Backbone-to-edge routing with Virtual Fabrics
Backbone-to-edge routing is not supported in the base switch, unless you use a legacy FC router. A legacy FC router is an FC router configured on a Brocade 7500 switch or an FR4-18i blade. Base switches can participate in a backbone fabric with legacy FC routers. You cannot connect devices to the base switch, because the base switch does not allow F_Ports.
How replacing port blades affects EX_Port configuration
If you replace an FR4-18i blade with an 8-Gbps port blade or FX8-24 blade, the EX_Port configuration remains the same for the first 16 ports on the 8-Gbps port blade (and for the first 12 FC ports on the FX8-24 blade). For all other ports on the blade, the EX_Port configuration is cleared. No ports are persistently disabled.
Appendix A: Interoperation of Fabric OS and M-EOS Fabrics Using FC Router

In this appendix
• Interoperability overview, 501
• Establishing Interoperability, 503
• Fabric configurations for interconnectivity
Interoperability overview

[TABLE 82: Fabric OS and M-EOSc interoperability compatibility matrix (Continued). Columns are M-EOSc versions v6.2.0, v7.1.3x, v8.0, v9.2.0, v9.6.2, v9.7, v9.8 and v9.9; rows are Fabric OS v5.3.0, v6.0.0, v6.1.0, v6.1.1, v6.1.1_enc, v6.2.0, v6.3.0, v6.4.0 and v7.0.0 with Yes/No cells. The cell layout did not survive extraction.]
1. Both Open and McDATA Fabric modes are supported.
2. Fabric OS v5.1.0 and M-EOSc v4.1.1, v5.1.2, 6.2.
Features of Connected SANs
Connected SANs provide additional features not possible with segregated SANs. Some of these features are listed below:
• Island consolidation—Uses the Fabric OS v6.0 or later FC router to connect isolated M-EOS and Fabric OS fabrics to share devices.
• Backup consolidation—Consolidates backup solutions across Fabric OS and M-EOS fabrics.
• Manageable large-scale storage network—Uses the Fabric OS v6.
Fabric configurations for interconnectivity
When configuring an EX_Port, you have the option to request a front domain with the portCfgEXPort -d command. If you request a front domain that is not within the valid range for M-EOSc, then the Fibre Channel router will internally request a valid M-EOSc domain ID. For M-EOSc switches, after the port is properly configured and connected, running switchShow on the FC router displays the M-EOSc switch that is connected.
Configuring the FC router
When configuring a fabric on which Fabric OS is installed to connect to a Native McDATA fabric, you must configure the FC router in advance. The following procedure shows how to connect an EX_Port of an FC router to a Native McDATA fabric configured in Fabric mode.

NOTE: For additional information on configuring the FC router, refer to Chapter 23, “Using the FC-FC Routing Service”.

1.
9. Capture a SAN profile of the M-EOS and Fabric OS SANs, identifying the number of devices in each SAN. By projecting the total number of devices and switches expected in each fabric when the LSANs are active, you can quickly determine the status of the SAN by issuing the nsAllShow and fabricShow commands on the Fabric OS fabric. The nsAllShow command displays the global name server information, and fabricShow displays the fabric membership information.
Correcting errors if LSAN devices appear in only one of the fabrics
If the LSAN devices appear in only one of the fabrics in a multiple-fabric SAN, use the following procedure to correct the problem.
1. Log in to each fabric and verify that all of the devices are physically logged in.
2. Verify that the devices are properly configured in the LSAN zone in both edge fabrics.
3. Enter the fabricShow command on the Fabric OS fabric.
4.
3. Physically connect the configured FC router EX_Port to the M-EOS switch, and issue the switchShow command on the Brocade FC router. New domains should be visible for each IFL (front domain) that connects the Fabric OS switch to the FC router and one domain for the xlate domain.
4. Start Network Advisor and select the fabric for the M-EOS switch.
5. View the fabric topology. New domains should be visible for each FC router connected to the M-EOS switch.
Permanent Port Name: 10:00:00:00:00:03:00:00
Port Index: na
Share Area: No
Device Shared in Other AD: No

All of the devices from both LSANs should appear in the output. If the devices do not appear in the output, issue the cfgShow command to verify your zone configuration. Use the cfgActvShow command to display the zone configuration currently in effect. The following example illustrates the use of cfgActvShow.
Appendix B: Port Indexing
This appendix shows how to use the switchShow command to determine the mapping among the port index, slot/port numbers, and the 24-bit port ID (PID) on any Brocade enterprise-class platform. Enter the switchShow command without parameters to show the port index mapping for the entire platform. Enter the switchShow -slot command for port mapping information for the ports on the blade in a specific slot.
[switchShow output fragment: port indexes 739 through 751 on slot 3, ports 19 through 31; several ports show trunkmaster or 16G No_Module state and ports 28 through 31 share trunk WWN 10:00:00:05:1e:39:e4:5a. The column layout did not survive extraction.]
Index Slot Port Address  Media Speed State
17    2    1    0a1140   --    N8    No_Module
18    2    2    0a1240   --    N8    No_Module
(output truncated)

Example of port indexing on an FC8-64 blade on a Brocade DCX-4S Backbone
The Brocade DCX-4S does not need a mapping of ports on port blades because it is a one-to-one mapping. The order is sequential starting at slot 1 port 0 all the way through slot 8 port 255 for the FC8-64 blade.
Example of port indexing on an FS8-18 blade on a DCX 8510-8 Backbone
This example shows the truncated switchShow output for an FS8-18 encryption blade on the Brocade DCX 8510-8 enterprise-class platform. The assignment of port index numbers to PIDs will vary depending on blade type, platform type, and slot number.
Appendix C: FIPS Support

In this appendix
• FIPS overview
• Zeroization functions
• FIPS mode configuration
• Preparing the switch for FIPS
Zeroization functions

TABLE 85 Zeroization behavior (Continued)
Keys: FCSP Challenge Handshake Authentication Protocol (CHAP) Secret
Zeroization CLI: secAuthSecret --remove value | --all
Description: The secAuthSecret --remove value command is used to remove the specified keys from the database. When the secAuthSecret command is used with the --remove --all option, then the entire key database is deleted.
The results of the POST and conditional tests are recorded in the system log or are output to the local console. This action includes logging both passing and failing results. Refer to the Fabric OS Troubleshooting and Diagnostics Guide for instructions on how to recover if your system cannot get out of the conditional test mode.

FIPS mode configuration
By default, the switch comes up in non-FIPS mode.
LDAP in FIPS mode
You can configure your Microsoft Active Directory server to use the Lightweight Directory Access Protocol (LDAP) while in FIPS mode. There is no option provided on the switch to configure TLS ciphers for LDAP in FIPS mode. However, the LDAP client checks if FIPS mode is set on the switch and uses the FIPS-compliant TLS ciphers for LDAP.
Specify the DNS IP address using either IPv4 or IPv6. This address is needed for the switch to resolve the domain name to the IP address because LDAP initiates a TCP session to connect to your Microsoft Active Directory server. A Fully Qualified Domain Name (FQDN) is needed to validate the server identity as mentioned in the common name of the server certificate.
3. Set the switch authentication mode and add your LDAP server by using the commands shown in the following example.
LDAP certificates for FIPS mode
To utilize the LDAP services for FIPS between the switch and the host, you must generate a certificate signing request (CSR) on the Active Directory server and import and export the CA certificates. To support server certificate validation, it is essential to have the CA certificate installed on the switch and Microsoft Active Directory server. Use the secCertUtil command to import the CA certificate to the switch.
1. Connect to the switch and log in using an account with admin permissions, or an account with OM permissions for the PKI RBAC class of commands.
2. Enter the secCertUtil show -ldapcacert command to determine the name of the LDAP certificate file.
3. Enter the secCertUtil delete -ldapcacert command, giving as its argument the name of the LDAP certificate file on the switch.
Preparing the switch for FIPS
• Disable root access.
• Enable the KATs and the conditional tests.
• Enable FIPS.

Enabling FIPS mode
1. Log in to the switch using an account with securityadmin permissions.
2. Enter the sshutil delpubkeys and sshutil delprivkey commands to remove legacy OpenSSH DSA keys. These keys, which were previously the default, do migrate to Fabric OS v7.0.0 but are no longer supported in FIPS mode. You must remove them to remain FIPS compliant.
   d. Save each IP Filter policy. Refer to “Saving an IP Filter policy” on page 156.

Example
ipfilter --create http_block_v4 -type ipv4
ipfilter --addrule http_block_v4 -rule 1 -sip any -dp 80 -proto tcp -act deny
ipfilter --activate http_block_v4

7. Use the snmpConfig --set seclevel command to turn on SNMP security. When prompted to Select SNMP SET Security Level, enter 3, for no access.
13. Disable IPsec for FCIP connections. The procedure depends on the type of extension blade used. For FX8-24 extension blades, enter the portCfg fciptunnel <[slot/]port> modify -ipsec 0 command. For FR4-18i router blades, follow these steps:
   a. Enter the portCfg fciptunnel <[slot/]port> delete command to delete the FCIP tunnel.
   b. Enter the policy --delete ipsec command to delete the associated IPsec policy.
   c.
Appendix D: Hexadecimal

Hexadecimal overview
Hexadecimal, also known as hex, is a numeral system with a base of 16, usually written using unique symbols 0–9 and A–F, or a–f. Its primary purpose is to represent the binary code that computers interpret in a format easier for humans to remember. It acts as a form of shorthand, in which one hexadecimal digit takes the place of four binary bits.
TABLE 89 Decimal to hexadecimal conversion table (Continued)
Decimal: 11 12 13 14 15 16 17 18 19 20
Hex:     0b 0c 0d 0e 0f 10 11 12 13 14
Decimal: 21 22 23 24 25 26 27 28 29 30
Hex:     15 16 17 18 19 1a 1b 1c 1d 1e
Decimal: 31 32 33 34 35 36 37 38 39 40
Hex:     1f 20 21 22 23 24 25 26 27 28
Decimal: 41 42 43 44 45 46 47 48 49 50
Hex:     29 2a 2b 2c 2d 2e 2f 30 31 32
Decimal: 51 52 53 54 55 56 57 58 59
TABLE 89 Decimal to hexadecimal conversion table (Continued)
Decimal: 191 192 193 194 195 196 197 198 199 200
Hex:     bf  c0  c1  c2  c3  c4  c5  c6  c7  c8
Decimal: 201 202 203 204 205 206 207 208 209 210
Hex:     c9  ca  cb  cc  cd  ce  cf  d0  d1  d2
Decimal: 211 212 213 214 215 216 217 218 219 220
Hex:     d3  d4  d5  d6  d7  d8  d9  da  db  dc
Decimal: 221 222 223 224 225 226 227 228 229 230
Hex:     dd  de  df  e0  e1  e2  e3  e4  e5  e6