HP StorageWorks Fabric OS 6.1.
Legal and notice information © Copyright 2008 Hewlett-Packard Development Company, L.P. © Copyright 2008 Brocade Communications Systems, Incorporated. Hewlett-Packard Company makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.
About this guide

This guide provides information about:
• Installing and configuring Fabric OS 6.1.x
• Managing user accounts
• Using licensed features

Supported Fabric OS 6.1.x HP StorageWorks hardware

Table 1 lists Brocade and HP StorageWorks product models supported by Fabric OS 6.1.x.
Intended audience

This guide is intended for system administrators with knowledge of:
• Storage area networks
• HP StorageWorks Fibre Channel SAN switches

Related documentation

The following documents provide related information:
• HP StorageWorks Fabric OS 6.1.x release notes
• Web Tools administrator's guide

You can find these documents from the Manuals page of the HP Business Support Center website: http://www.hp.
NOTE: Provides additional information.
TIP: Provides helpful hints and shortcuts.

Rack stability

Rack stability protects personnel and equipment.

WARNING! To reduce the risk of personal injury or damage to equipment:
• Extend leveling jacks to the floor.
• Ensure that the full weight of the rack rests on the leveling jacks.
• Install stabilizing feet on the rack.
• In multiple-rack installations, secure racks together.
• Extend only one rack component at a time.
Subscription service

HP recommends that you register your product at the Subscriber's Choice for Business website: http://www.hp.com/go/e-updates. After registering, you will receive e-mail notification of product enhancements, new driver versions, firmware updates, and other product resources.

HP websites

For additional product information, see the following HP websites:
• http://www.hp.com
• http://www.hp.com/go/storage
• http://www.hp.
1 Standard features

This chapter describes how to configure your HP StorageWorks SAN using the Fabric OS Command Line Interface (CLI). Before you can configure a Storage Area Network (SAN), you must power up the Director or switch and blades, and then set the IP addresses of those devices. Although this chapter focuses on configuring a SAN using the CLI, you can also use the following methods to configure a SAN:
• Web Tools. For Web Tools procedures, see the Web Tools Administrator's Guide.
The following commands provide help files for specific topics to help you understand how to configure your SAN:

diagHelp          Diagnostic help information
ficonHelp         FICON help information
fwHelp            Fabric Watch help information
iscsiHelp         iSCSI help information
licenseHelp       License help information
perfHelp          Performance Monitoring help information
routeHelp         Routing help information
trackChangesHelp  Track Changes help information
zoneHelp          Zoning help information

Connecting to the CLI

Read this section for procedures.
5. Verify that the login was successful. The prompt displays the switch name and user ID to which you are connected.

login: admin
password: xxxxxxx
switch:admin>

Using a console session on the serial port

Note the following behaviors for serial connections:
• Some procedures require that you connect through the serial port; for example, setting the IP address or setting the boot PROM password.
• If you are using a Fabric OS version prior to 6.
Every logical switch (domain) has a set of default accounts. The root and factory default accounts are reserved for development and manufacturing. The user account is primarily used for system monitoring. For more information on default accounts, see ”About the default accounts” on page 59. Table 3 describes the default administrative accounts for switches by model number.
Changing password for user
Enter new password: ********
Password changed.
Saving password to stable storage.
Password saved to stable storage successfully.
switch:admin>

Configuring the Ethernet interface

You can use Dynamic Host Configuration Protocol (DHCP) for the Ethernet network interface configuration. The Ethernet (network) interface provides management access, including direct access to the Fabric OS CLI, and allows other tools, such as Web Tools, to interact with the switch.
Setting static Ethernet addresses Use static Ethernet network interface addresses on HP StorageWorks 2/128, 4/256 SAN Director, DC Director models, and in environments where DHCP service is not available. To use static addresses for the Ethernet interface, you must first disable DHCP. You may enter static Ethernet information and disable DHCP at the same time. Refer to ”Activating DHCP” on page 29 for more information.
Activating DHCP By default, some HP switches have DHCP enabled; check the latest Fabric OS 6.x release notes for a complete list of switches. The 4/256 SAN Director and DC SAN Backbone Director (short name, DC Director) do not support DHCP.
4. When you are prompted for DHCP [On], disable it by entering off.

switch:admin> ipaddrset
Ethernet IP Address [192.168.74.102]:
Ethernet Subnetmask [255.255.255.0]:
Fibre Channel IP Address [220.220.220.2]:
Fibre Channel Subnetmask [255.255.0.0]:
Gateway IP Address [192.168.74.1]:
DHCP [On]:off

Setting the date and time

Switches maintain the current date and time inside a battery-backed real-time clock (RTC) circuit. Date and time are used for logging events.
IMPORTANT: If you are downgrading to a Fabric OS version earlier than 6.x, or retaining the offset format, see prior versions of the Fabric OS Administrator’s Guide for detailed information about setting time zones using the offset format. See ”About the firmware download process” on page 163 for time zone downgrading considerations. You can set the time zone for a switch using the tsTimeZone command.
The following procedure describes how to set the current time zone to Pacific Standard Time using interactive mode.

To set the time zone interactively:
1. Type the tsTimeZone command as follows:
switch:admin> tstimezone --interactive
2. You are prompted to select a general location: "Please identify a location so that time zone rules can be set correctly."
3. Enter the appropriate number or Ctrl-D to quit.
4. At the prompt, select a country location.
5.
The following example shows how to set up more than one NTP server using a DNS name:

switch:admin> tsclockserver "10.32.170.1;10.32.170.2;ntp.localdomain.net"
Updating Clock Server configuration...done.
Updated with the NTP servers

Changes to the clock server value on the principal or primary FCS switch are propagated to all switches in the fabric.
The Fabric has 4 switches

The fields in the fabricShow display are:
Switch ID — The switch Domain_ID and embedded port D_ID
Worldwide Name — The switch WWN
Enet IP Addr — The switch Ethernet IP address for IPv4 and IPv6 configured switches. For IPv6 switches, only the static IP address displays.
FC IP Addr — The switch FC IP address
Name — The switch symbolic name. An arrow (>) indicates the principal switch.

To set the Domain ID:
1. Connect to the switch and log in using an admin account.
2.
Generating a license key

To generate a license key:
1. If you already have a license key, go to "Activating a license key" on page 35 to activate it. If you do not have a license key, launch an Internet browser and go to: http://webkey.external.hp.com/welcome.asp
The Hewlett-Packard Authorization Center website main menu displays.
2. Click Generate a license key. The HP StorageWorks Software License Key instruction page opens.
3. Enter the information in the required fields.
4.
3. Verify that the license was added by entering the licenseShow command. The licensed features currently installed on the switch display. If the feature is not listed, enter the licenseAdd command again. Some features may require additional configuration, or you may need to disable and reenable the switch to make them operational; see the feature documentation for details.
Features and required licenses

Table 4 lists the licenses that should be installed on the local switch and any connecting switches for a particular feature.

Table 4 License requirements
Feature | License | Where license should be installed
Administrative Domains | No license required. | n/a
Configuration up/download | No license required. Configupload or configdownload is a command and comes with the OS on the switch. | n/a
Diagnostic tools | No license required. |
QoS | Adaptive Networking | Local switch and attached switches.
RADIUS | No license required. | n/a
RBAC | No license required. | n/a
Routing traffic | No license required. This includes port-based or exchange-based routing, static routes, frame-order delivery, and dynamic routes. | n/a
Security | No license required. Includes the DCC, SCC, FCS, IP Filter, and authentication policies. | n/a
SNMP | No license required. |
• When you remove the 8Gb license, ports that are online and already running at 8Gb are not disturbed until the port goes offline or the switch is rebooted. After that, the port returns to its pre-license maximum speed of 4Gb.

Time-based licenses

A time-based license applies a try-before-you-buy approach to certain features so that you can evaluate the feature and its capabilities before buying the license. Once you have installed the license, you are given a time limit to use the feature.
Each POD license activates the next group of eight ports in numerical order. For example, the 4/8 SAN Switch or 4/16 SAN Switch activates the first eight with four port increments. Before installing a license key, you must insert transceivers in the ports to be activated. Remember to insert the transceivers in the lowest group of inactive port numbers first.
After a port is assigned to the POD set, the port is licensed until it is manually removed from the POD port set using the licensePort --release command. When a port is released from its POD port set (Base, Single, or Double), it creates a vacancy in that port set.

Displaying the port license assignment

Use the licensePort --show command to display the available licenses, the current port assignment of those licenses, and the POD method state (dynamic or static).

To display the port licenses:
1.
8 ports are assigned to the base switch license
0 ports are assigned to the full POD license
Ports assigned to the base switch license: 1, 2, 5, 6, 8*, 21, 22, 23
Ports assigned to the full POD license: None
Ports not assigned to a license: 0, 3, 4, 7, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20
16 license reservations are still available for use by unassigned ports
1 license assignment is held by an offline port (indicated by *)

Disabling Dynamic Ports on Demand

Disabling the Dynamic POD feature (changi

Dynamic POD method is in use
24 port assignments are provisioned for use in this switch:
  12 port assignments are provisioned by the base switch license
  12 port assignments are provisioned by a full POD license
10 ports are assigned to installed licenses:
  10 ports are assigned to the base switch license
  0 ports are assigned to the full POD license
Ports assigned to the base switch license: 1*, 2*, 3*, 4*, 5*, 6*, 8*, 21, 22, 23
Ports assigned to the full POD license: None
Ports not assigned to a license: 0, 7, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20
switch:admin>

6. Enter the switchEnable command to bring the switch back online.
7. Enter the switchShow command to verify the switch state is now online.
switch:admin> portenable portnumber
where portnumber is the port number of the port you want to enable.

For 4/256 SAN Director and DC Director, enter the following command:
switch:admin> portenable slotnumber/portnumber
where slotnumber and portnumber are the slot and port numbers of the port you want to enable. (Slots are numbered 1 through 4 and 7 through 10, counting from left to right.)

If the port is connected to another switch, the fabric may be reconfigured.
Any number of E_Ports in a fabric can be configured for gateway links, provided the following rules are followed: • All switches in the fabric must be upgraded to Fabric OS 5.2.0 or later. • All switches in the fabric are using the core PID format. • The switches connected to both sides of the gateway are included when determining switch count maximums.
4. Use the switchStatusShow command to further check the status of the switch.

High Availability (HA) features

NOTE: HA features provide maximum reliability and nondisruptive replacement of key hardware and software modules.

To verify HA features (Directors only):
1. Connect to the switch using an account with the admin role.
2. Enter the chassisShow command to verify the field replaceable units (FRUs).
3.
Show switches in Access Gateway mode

To show switches in Access Gateway mode:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the agShow command.

switch:admin> agshow
Worldwide Name           Ports  Enet IP Addr  Firmware  Local/Remote  Name
--------------------------------------------------------------------------
10:00:00:05:1e:02:1d:b0  16     10.32.53.4    v5.2.1    local         ag_01
10:00:00:05:1e:03:4b:e7  24     10.32.60.95   v5.2.1    local         ag_02
10:00:00:05:1e:35:a2:58  20     10.32.53.180  v5.2.
To view the switch status policy threshold values:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the switchStatusPolicyShow command.

Whenever there is a switch status change, an error message is logged and an SNMP connUnitStatusChange trap is sent.
3. Verify the threshold settings you have configured for each parameter. Enter the switchStatusPolicyShow command to view your current switch status policy configuration.
be easily distinguished from other system message log events that occur in the network. Then, at some regular interval of your choosing, you can review the audit events to look for unexpected changes.

Before you configure audit event logging, familiarize yourself with the following audit event log behaviors and limitations:
• By default, all event classes are configured for audit; to create an audit event log for specific events, you must explicitly set a filter with the class operand and then enable it.
NOTE: Only the active CP can generate audit messages because event classes being audited occur only on the active CP. Audit messages cannot originate from other blades in a Director.

Audit events have the following message format:
AUDIT, , [], , , ///,/,,

Switch names are logged for switch components and Director names for Director components.
Jun 5 08:15:32 [10.32.248.73.2.2] raslogd: AUDIT, 2006/06/05-13:38:17, [SEC-1000], WARNING, SECURITY, JaneDoe/root/192.168.132.19/telnet, Domain A/DoeSwitch, , Incorrect password during login attempt.

Shutting down switches and Directors

To avoid corrupting your file system, HP recommends that you perform graceful shutdowns of switches and Directors. The following procedure describes how to gracefully shut down a switch.

To power off a switch:
1.
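The audit message above is what a syslog host receives from raslogd, and the point of forwarding it is to review it at intervals. The following added example (not code from the Fabric OS guide) parses that comma-separated format into named fields and summarizes repeated "Incorrect password" events per source address; the field names are this example's own labels, and all sample lines except the first are constructed.

```python
"""Parse Fabric OS AUDIT messages as forwarded by raslogd to a syslog host,
and summarize failed login attempts by source address.

Added example for this section; it is not code from the Fabric OS guide.
Field names are this example's own labels for the comma-separated fields
shown in the guide's sample message."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Syslog prefix written by the relay, then the AUDIT fields: event timestamp,
# [message id], severity, event class, user/role/ip/interface, AD/switch,
# a reserved (empty) field, and the free-text message.
AUDIT_RE = re.compile(
    r"^(?P<syslog_ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<relay>[^\]]+)\] raslogd: AUDIT, "
    r"(?P<event_ts>\d{4}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}), "
    r"\[(?P<msg_id>[A-Z]+-\d+)\], "
    r"(?P<severity>[A-Z]+), "
    r"(?P<event_class>[A-Z]+), "
    r"(?P<user>[^/,]*)/(?P<role>[^/,]*)/(?P<source_ip>[^/,]*)/(?P<interface>[^,]*), "
    r"(?P<ad>[^/,]*)/(?P<switch>[^,]*), "
    r"(?P<reserved>[^,]*), "
    r"(?P<message>.*)$"
)


@dataclass
class AuditEvent:
    syslog_ts: str
    relay: str
    event_ts: str
    msg_id: str
    severity: str
    event_class: str
    user: str
    role: str
    source_ip: str
    interface: str
    ad: str
    switch: str
    reserved: str
    message: str


def parse_audit_line(line: str) -> Optional[AuditEvent]:
    """Return an AuditEvent for a raslogd AUDIT line, or None for anything else."""
    m = AUDIT_RE.match(line.strip())
    return AuditEvent(**m.groupdict()) if m else None


def parse_audit_lines(lines: List[str]) -> List[AuditEvent]:
    """Keep only the lines that are well-formed AUDIT messages."""
    return [ev for ev in map(parse_audit_line, lines) if ev is not None]


def _is_failed_login(ev: AuditEvent) -> bool:
    # Match on the message text shown in the guide's example.
    return ev.event_class == "SECURITY" and "Incorrect password" in ev.message


def failed_logins_by_source(lines: List[str], threshold: int = 3) -> Dict[str, int]:
    """Count failed-login events per source IP; return sources at or above threshold."""
    counts = Counter(ev.source_ip for ev in parse_audit_lines(lines) if _is_failed_login(ev))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def usernames_tried_by_source(lines: List[str]) -> Dict[str, List[str]]:
    """Sorted account names each source IP failed to log in as; several names
    from one address deserves a closer look than repeated tries of one name."""
    names: Dict[str, set] = defaultdict(set)
    for ev in parse_audit_lines(lines):
        if _is_failed_login(ev):
            names[ev.source_ip].add(ev.user)
    return {ip: sorted(s) for ip, s in names.items()}


# Constructed sample: the first line is the guide's own example; the others
# are made up for this demonstration (addresses and names are not real).
SAMPLE_LINES = [
    "Jun 5 08:15:32 [10.32.248.73.2.2] raslogd: AUDIT, 2006/06/05-13:38:17, [SEC-1000], "
    "WARNING, SECURITY, JaneDoe/root/192.168.132.19/telnet, Domain A/DoeSwitch, , "
    "Incorrect password during login attempt.",
    "Jun 5 08:15:40 [10.32.248.73.2.2] raslogd: AUDIT, 2006/06/05-13:38:25, [SEC-1000], "
    "WARNING, SECURITY, JaneDoe/root/192.168.132.19/telnet, Domain A/DoeSwitch, , "
    "Incorrect password during login attempt.",
    "Jun 5 08:15:47 [10.32.248.73.2.2] raslogd: AUDIT, 2006/06/05-13:38:32, [SEC-1000], "
    "WARNING, SECURITY, admin/admin/192.168.132.19/ssh, Domain A/DoeSwitch, , "
    "Incorrect password during login attempt.",
    "Jun 5 08:16:02 [10.32.248.73.2.2] raslogd: AUDIT, 2006/06/05-13:38:47, [SEC-1000], "
    "WARNING, SECURITY, opsuser/user/10.32.60.95/ssh, Domain A/DoeSwitch, , "
    "Incorrect password during login attempt.",
    "Jun 5 08:16:10 [10.32.248.73.2.2] raslogd: not an AUDIT message",
]

if __name__ == "__main__":
    for ev in parse_audit_lines(SAMPLE_LINES):
        print(ev.event_ts, ev.msg_id, ev.user, ev.source_ip, ev.interface, ev.message)
    print("repeat offenders:", failed_logins_by_source(SAMPLE_LINES))
    print("accounts tried:", usernames_tried_by_source(SAMPLE_LINES))
```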
Schedule downtime and reboot the switch at your convenience. Table 6 lists the daemons that are considered non-critical and are automatically restarted on failure.

Table 6 Daemons that are automatically restarted
Daemon | Description
Arrd | Asynchronous Response Router (used to send management data to hosts when the switch is accessed through the APIs (FA API or SMI-S)).
Cald | Common Access Layer Daemon (used by Manageability Applications).
2 Managing user accounts

This chapter provides information and procedures on managing authentication and user accounts for the switch management channel.

Overview

In addition to the default accounts—root, factory, admin, and user—Fabric OS supports up to 252 additional user-defined accounts in each logical switch (domain). These accounts expand your ability to track account access and audit administrative activities.
Using Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) defines the capabilities that a user account has based on the role the account has been assigned. For each role, there is a set of pre-defined permissions on the jobs and tasks that can be performed on a fabric and its associated fabric elements. Fabric OS 6.1.x uses RBAC to determine which commands a user can issue. When you log in to a switch, your user account is associated with a pre-defined role.
Role permissions

Table 9 describes the types of permissions that are assigned to roles.

Table 9 Permission types
Abbreviation | Definition | Description
O | Observe | The user can run commands using options that display information only, such as running userConfig --show -a to show all users on a switch.
M | Modify | The user can run commands using options that create, change, and delete objects on the system, such as running userConfig --change username -r rolename to change a user's role.
Table 10 RBAC permissions matrix (continued)
Category | User | Operator | Switch admin | Zone admin | Fabric admin | Basic switch admin | Admin | Security admin
HA (High Availability) | O | O | OM | N | OM | O | OM | O
iSCSI | O | O | O | O | OM | O | OM | N
License | O | OM | OM | O | OM | O | OM | O
LDAP | N | N | N | N | N | N | OM | OM
Local User Environment | OM | OM | OM | OM | OM | OM | OM | OM
Logging | O | OM | OM | O | OM | O | OM | OM
Management Access Configuration | O | OM | OM | N | OM | O | OM | N
Management Server | O | OM | OM | O |
Managing the local database user accounts

User add, change, and delete operations are subject to the subset rule: an admin with ADlist 0-10 cannot perform operations on an admin, user, or any role with an ADlist 11-25. The user account being changed must have an ADlist that is a subset of the account that is making the change.

About the default accounts

Fabric OS provides the following predefined accounts in the local switch user database.
To create an account:
1. Connect to the switch and log in using an admin account.
2. Enter the following command:
userConfig --add -r [-h ] [-a ] [-d ] [-x]
username  Specifies the account name, which must begin with an alphabetic character. The name can be from 8 to 40 characters long. It is case-sensitive and can contain alphabetic and numeric characters, the period (.) and the underscore (_).
To change account parameters:

When changing account parameters, if you change the ADlist for the user account, all of the currently active sessions for that account are logged out.
1. Connect to the switch and log in using an admin account.
2.
Recovering accounts

The following conditions apply to recovering user accounts:
• The attributes in the backup database replace the attributes in the current account database.
• An event is stored in the system message log, indicating that accounts have been recovered.

To recover an account:
1. Connect to the switch and log in using an admin account.
2. If a backup database exists, enter the following command.
Configuring the local user database

This section covers the following topics:
• "Distributing the local user database" on page 63
• "Protecting the local user database from distributions" on page 63
• "Configuring password policies" on page 64

Distributing the local user database

Distributing the local switch user database and passwords to other switches in the fabric causes the distributed database to replace (overwrite) the database on the target switch.
Configuring password policies The password policies described in this section apply to the local switch user database only. Configured password policies (and all user account attribute and password state information) are synchronized across CPs and remain unchanged after an HA failover. Password policies can also be manually distributed across the fabric (see ”Distributing the local user database” on page 63).
• Sequence Specifies the length of sequential character sequences that will be disallowed. A sequential character sequence is defined as a character sequence in which the ASCII value of each contiguous character differs by one. The ASCII value for the characters in the sequence must all be increasing or decreasing. For example, if the “sequence” value is set to 3, a password “passABCword” is disallowed because it contains the sequence “ABC”.
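The sequence rule is easy to misjudge by eye (a run that changes direction, such as "abcb", does not count). This added example (not Fabric OS code) implements the rule exactly as stated above so candidate passwords can be checked before they are set; treating a sequence value below 2 as "no restriction" is this example's assumption.

```python
"""Check a candidate password against the 'sequence' password-policy rule
described above: a run of contiguous characters whose ASCII codes each differ
by exactly one, all increasing or all decreasing, is disallowed once it
reaches the configured length.

Added example for this section, not code from Fabric OS. A sequence value
below 2 is treated here as "no restriction" (an assumption of this example)."""
from typing import Optional


def find_sequence(password: str, sequence: int) -> Optional[str]:
    """Return the first run of `sequence` or more stepwise characters, or None."""
    if sequence < 2 or len(password) < sequence:
        return None
    start = 0      # index where the current monotone run begins
    prev_step = 0  # ASCII difference of the previous character pair
    for i in range(1, len(password)):
        step = ord(password[i]) - ord(password[i - 1])
        if step in (1, -1) and (i - start == 1 or step == prev_step):
            pass                 # run continues in the same direction
        elif step in (1, -1):
            start = i - 1        # direction flipped: new run from the previous char
        else:
            start = i            # not a unit step: run restarts at this char
        prev_step = step
        if i - start + 1 >= sequence:
            return password[start:i + 1]
    return None


def is_password_allowed(password: str, sequence: int) -> bool:
    """True when the password contains no disallowed sequence."""
    return find_sequence(password, sequence) is None


if __name__ == "__main__":
    # The guide's own example: with sequence set to 3, "passABCword" is rejected.
    for pw in ("passABCword", "pa55w0rd", "zyx9q", "abab12"):
        print(pw, "->", find_sequence(pw, 3) or "allowed")
```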
Upgrade and downgrade considerations If you are upgrading from a 5.3.x environment to 6.x, the existing password databases do not contain the state information that implements password expiration. So, when the password expiration policy is first set after an upgrade to 6.x, any user who has not changed their password will have their password expiration period set to the maximum password expiration period.
1. Log in to the switch using an admin or securityAdmin account.
2. Type userConfig --change -u.
where is the name of the user account that is locked out.

To disable the admin lockout policy:
1. Log in to the switch using an admin or securityAdmin account.
2. Type passwdCfg --disableadminlockout.
The policy is now disabled.
Consider the following effects of the use of RADIUS or LDAP service on other Fabric OS features: • When RADIUS or LDAP service is enabled, all account passwords must be managed on the RADIUS or LDAP server. The Fabric OS mechanisms for changing switch passwords remain functional; however, such changes affect only the involved switches locally. They do not propagate to the RADIUS or LDAP server, nor do they affect any account on the RADIUS or LDAP server.
Table 12 Authentication configuration options (continued)
aaaConfig options | Description | Equivalent setting in Fabric OS 5.1.0 and earlier
 | | --radius --switchdb1
--authspec "ldap" | Authenticates management connections against any LDAP database(s) only. If LDAP service is not available or the credentials do not match, the login fails. | n/a
--authspec "ldap; local" | Authenticates management connections against any LDAP database first. |
Table 13 Syntax for VSA-based account roles (continued)
Item | Value | Description
Vendor type | 1 | 1 octet, Brocade-Auth-Role; valid attributes for the Brocade-Auth-Role are: SwitchAdmin, ZoneAdmin, FabricAdmin, BasicSwitchAdmin, Operator, User, Admin
 | 2 | Optional: Specifies the Admin Domain member list. For more information, see "RADIUS configuration and Admin Domains" on page 71.
Linux FreeRadius server

For the configuration on a Linux FreeRadius server, define the following in a vendor dictionary file called dictionary.brocade. Include the values outlined in Table 14.

Table 14 dictionary.brocade file entries
Include | Key | Value
VENDOR | Brocade | 1588
ATTRIBUTE | Brocade-Auth-Role | 1 string Brocade
 | AdminDomain |

After you have completed the dictionary file, define the role for the user in a configuration file.
Configuring the RADIUS server You must know the switch IP address, in either IPv4 or IPv6 notation, or name to connect to switches. Use the ipAddrShow command to display a switch IP address. For Directors (chassis-based systems), the switch IP addresses are aliases of the physical Ethernet interfaces on the CP blades. When specifying client IP addresses for the logical switches in such systems, make sure the CP blade IP addresses are used.
To create the user:
• Open the $PREFIX/etc/raddb/user file in a text editor and add user names and roles for users who will be accessing the switch and authenticating through RADIUS. The user will log in using the role specified with Brocade-Auth-Role. The valid roles include Root, Admin, SwitchAdmin, ZoneAdmin, SecurityAdmin, BasicSwitchAdmin, FabricAdmin, Operator and User. You must use quotation marks around "password" and "role".
Each user group should be associated with a specific switch login role. For example, you should configure a user group for root, admin, factory, switchadmin, and user, and then add any users whose logins you want to associate to the appropriate group.
• Configuring the server
For more information and instructions on configuring the server, refer to the Microsoft website. Below is the information you will need to configure the RADIUS server for an HP StorageWorks switch.
Setting up the RSA RADIUS server

For more information on how to install and configure the RSA Authentication Manager and the RSA RADIUS server, refer to your documentation or visit www.rsa.com.
1. Create user records in the RSA Authentication Manager.
2. Configure the RSA Authentication Manager.
3. Add an agent host in RSA Authentication Manager.
4. Configure the RSA RADIUS server.
#######################################################################
# dictiona.dcm
#######################################################################
# Generic Radius
@radius.dct
#
# Specific Implementations (vendor specific)
#
@3comsw.dct
@aat.dct
@acc.dct
@accessbd.dct
@agere.dct
@agns.dct
@airespace.dct
@alcatel.dct
@altiga.dct
@annex.dct
@aptis.dct
@ascend.dct
@ascndvsa.dct
@axc.dct
@brocade.dct
@bandwagn.dct
@brocade.dct <-------

Figure 2 Example of the dictiona.dcm file

c.
To set up LDAP:
1. Install a Certificate Authority (CA) certificate on the Windows Active Directory server for LDAP. Follow Microsoft’s instructions for generating and installing CA certificates on a Windows server.
2. Create a user in Microsoft Active Directory server. For instructions on how to create a user, refer to Microsoft documentation to create a user in your Active Directory.
3.
NOTE: You can perform batch operations using the Ldifde.exe utility. For more information on importing and exporting schemas, refer to your Microsoft documentation or visit www.microsoft.com.

Configuring authentication servers on the switch

RADIUS and LDAP configuration of the switch is controlled by the aaaConfig command. At least one RADIUS or LDAP server must be configured before you can enable RADIUS or LDAP service. You can configure the RADIUS or LDAP service even if it is disabled on the switch.
To add a RADIUS server to the switch configuration:
1. Connect to the switch and log in using an admin account.
2. Enter this command:
switch:admin> aaaConfig --add [-p port] [-s secret] [-t timeout] [-a pap | chap | peap-mschapv2] server
server    Enter either a server name or IPv4 or IPv6 address. Avoid duplicating server listings (that is, listing the same server once by name and again by IP address). Up to five servers can be added to the configuration.
-p port   Optional: Enter a server port.
NOTE: When the RADIUS authentication mode is set to radius;local, you cannot downgrade the Fabric OS to any version earlier than 5.2.0. Previous versions do not support the radius;local mode. When the LDAP authentication mode is set to ldap;local, you cannot downgrade the Fabric OS to any version earlier than 6.x. Previous versions do not support the ldap;local mode.

To enable and disable a RADIUS or LDAP server:
1. Connect to the switch and log in using an admin account.
2.
To change an LDAP server configuration:
1. Connect to the switch and log in using an admin account.
2. Enter this command:
switch:admin> aaaConfig --change server [-p port] [-t timeout] [-d domain_name]
server          Enter either a server name or IPv4 address. Microsoft’s Active Directory does not support IPv6 addresses. Avoid duplicating server listings (that is, listing the same server once by name and again by IP address).
-p port
-t timeout
-d domain_name
Setting the boot PROM password with a recovery string

To set the boot PROM password with a recovery string, refer to the section that applies to your switch model.

NOTE: Setting the boot PROM password requires accessing the boot prompt, which stops traffic flow through the switch until the switch is rebooted. You should perform this procedure during a planned down time.
4/256 SAN Director and DC SAN Backbone Director (short name, DC Director)

The boot PROM and recovery passwords must be set for each CP blade on the 4/256 SAN Director or DC Director.
To set the boot PROM password for a Director with a recovery string:
1. Connect to the serial port interface on the standby CP blade.
2. Connect to the active CP blade by serial or Telnet and enter the haDisable command to prevent failover during the remaining steps.
3.
Setting the boot PROM password without a recovery string Although you can set the boot PROM password without also setting the recovery string, it is strongly recommended that you set both the password and the string as described in ”Setting the boot PROM password with a recovery string” on page 82. If your site procedures dictate that you must set the boot PROM password without the string, follow the procedure that applies to your switch model.
The following options are available:

Option   Description
1        Start system. Continues the system boot process.
2        Recovery password. Lets you set the recovery string and the boot PROM password.
3        Enter command shell. Provides access to boot parameters.

6. Enter 3.
7. Enter the passwd command at the shell prompt.
NOTE: The passwd command only applies to the boot PROM password when it is entered from the boot interface.
8. Enter your boot PROM password at the prompt, then re-enter it when prompted.
Managing user accounts
3 Configuring standard security features

This chapter provides information and procedures for configuring standard Fabric OS security features such as protocol and certificate management.

IMPORTANT: Secure Fabric OS is no longer supported in Fabric OS 6.x. However, all features of Secure Fabric OS are included in the base Fabric OS 6.x.

Security protocols

Security protocols provide endpoint authentication and communications privacy using cryptography.
For details on Brocade MIB files, naming conventions, loading instructions, and information about using Brocade's SNMP agent, see the Fabric OS MIB Reference. Table 16 describes additional software or certificates that you must obtain to deploy secure protocols.
Commands that require a secure login channel must originate from an SSH session. If you start an SSH session, and then use the login command to start a nested SSH session, commands that require a secure channel will be rejected. Fabric OS 6.1.x and later supports SSH protocol version 2.0 (ssh2). For more information on SSH, refer to the SSH IETF website: http://www.ietf.org/ids.by.wg/secsh.html For more information, refer to SSH, The Secure Shell: The Definitive Guide by Daniel J.
Generating a key pair for host-to-switch authentication (incoming)

1. Log in to your host as admin.
2. Verify that SSH v2 is installed and working. Refer to your host’s documentation.
3. Type the following command:
ssh-keygen -t dsa

Example of RSA/DSA key pair generation
alloweduser@mymachine: ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/users/alloweduser/.
Example of adding the public key to the switch
switch:alloweduser> sshutil importpubkey
Enter IP address:192.168.38.244
Enter remote directory:~auser/.ssh
Enter public key name(must have .pub suffix):id_dsa.pub
Enter login name:auser
Password:
Public key is imported successfully.

Exporting the public key for switch-to-host authentication (outgoing)
1. Log in to the switch as the allowed-user.
2. Use the sshUtil exportpubkey command to export the public key.
3.
Configuring the Telnet protocol

Telnet is enabled by default. To prevent users from passing clear text passwords over the network when they connect to the switch, you can block the Telnet protocol using an IP Filter policy.

NOTE: Before blocking Telnet, make sure you have an alternate method of establishing a connection with the switch.

Blocking Telnet

To block Telnet:
1. Connect to the switch and log in as admin. Connect through some means other than Telnet: for example, through SSH.
2.
Configuring for the SSL protocol

The secure sockets layer (SSL) protocol provides secure access to a fabric through Web-based management tools like Web Tools. SSL support is a standard Fabric OS feature. Switches configured for SSL grant access to management tools through hypertext transfer protocol-secure links (which begin with https://) instead of standard links (which begin with http://).
Table 18 SSL certificate files (continued)

Certificate file   Description
nameRoot.crt       The root certificate. Typically, this certificate is already installed in the browser, but if not, you must install it.
nameCA.crt         The CA certificate. It needs to be installed in the browser to verify the validity of the server certificate or server validation fails.

4. On each switch, install and then activate the certificate.
5. If necessary, install the root certificate to the browser on the management workstation.
Your CA may require specific codes for Country, State or Province, Locality, Organization, and Organizational Unit names. Make sure that your spelling is correct and matches the CA requirements. If the CA requires that the Common Name be specified as an FQDN, make sure that the fully qualified domain name is set on the domain name server.
4. Enter this command to store the CSR:
switch:admin> seccertutil export
5. Enter the requested information:
Select protocol [ftp or scp]: ftp
Enter IP address: 192.1.2.
Activating a switch certificate

1. Enter the configure command.
2. When the ssl attributes prompt appears, type y.
3. Respond to the prompts that apply to SSL certificates:
SSL attributes          Enter y or yes.
Certificate File        Enter the name of the switch certificate file: for example, 192.1.2.3.crt.
CA Certificate File     If you want the CA name to be displayed in the browser window, enter the name of the CA certificate file; otherwise, skip this prompt.
7. Browse to the certificate location and select the certificate. (For example, select nameRoot.crt.)
8. Click Open and follow the instructions to import the certificate.

Installing a root certificate to the Java plug-in

For information on Java requirements, see the note on page 93 that refers you to the Web Tools Administrator’s Guide for details on supported browser and Java levels. This procedure is a guide for installing a root certificate to the Java Plug-in on the management workstation.
Configuring for SNMP

You can configure for the automatic transmission of SNMP information to management stations. SNMPv3 and SNMPv1 are supported. The configuration process involves configuring the SNMP agent and configuring SNMP traps. The following commands are used in the process:
• Use the configure command to set the security level. You can specify no security, authentication only, or authentication and privacy.
webtools attributes (yes, y, no, n): [no]
System (yes, y, no, n): [no]
No changes.

Using the snmpConfig command

4. Use the snmpConfig --set command to change either the SNMPv3 or SNMPv1 configuration. You can also change access control, MIB capability, and system group.

Sample SNMPv3 configuration
switch:admin> snmpconfig --set snmpv3
SNMPv3 user configuration:
User (rw): [snmpadmin1] adminuser
Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..
Sample SNMPv1 configuration
switch:admin> snmpconfig --set snmpv1
SNMP community and trap recipient configuration:
Community (rw): [Secret C0de] admin
Trap Recipient's IP address in dot notation: [0.0.0.0] 10.32.225.1
Trap recipient Severity level : (0..5) [0] 1
Community (rw): [OrigEquipMfr]
Trap Recipient's IP address in dot notation: [10.32.225.2]
Trap recipient Severity level : (0..5) [1]
Community (rw): [private]
Trap Recipient's IP address in dot notation: [10.32.225.
connUnitStatusChange: YES
connUnitEventTrap: YES
connUnitSensorStatusChange: YES
connUnitPortStatusChange: YES
SW-EXTTRAP: NO
FICON-TRAP: YES
linkRNIDDeviceRegistration: YES
linkRNIDDeviceDeRegistration: YES
linkLIRRListenerAdded: YES
linkLIRRListenerRemoved: YES
linkRLIRFailureIncident: YES
HA-TRAP: YES
fruStatusChanged: YES
cpStatusChanged: YES
fruHistoryTrap: YES
FCIP-TRAP: NO

Sample systemGroup configuration (default)
switch:admin> snmpconfig --default systemGroup
***** This command will reset the agent
Listener applications Brocade switches block Linux subsystem listener applications that are not used to implement supported features and capabilities. Table 20 lists the listener applications that Brocade switches either block or do not start.
Port configuration

Table 22 provides information on ports that the switch uses. When configuring the switch for various policies, take into consideration firewalls and other devices that may sit between switches in the fabric and your network or between the managers and the switch.

Table 22 Port information

Port   Type   Common use   Comment
22     TCP    SSH
23     TCP    Telnet       Use the ipfilter command to block the port.
80     TCP    HTTP         Use the ipfilter command to block the port.
4 Configuring advanced security features

This chapter provides information and procedures for configuring advanced Fabric OS security features such as Access Control List (ACL) policies, authentication policies, and IP Filtering for HP’s Fibre Channel switches.

NOTE: Run all commands in this chapter with the suggested role, logged in to Administrative Domain (AD) 255 or, if Administrative Domains have not been implemented, to AD 0.
and active sets but they have different values, then the policy has been modified but the changes have not been activated.

Admin Domain considerations: ACL management can be done in AD255, and in AD0 only if there are no other user-defined Admin Domains. Both AD0 (when no other user-defined Admin Domains exist) and AD255 provide an unfiltered view of the fabric.
• ”Adding a member to an existing policy” on page 115
Add one or more members to a policy. The aspect of the fabric covered by each policy is closed to access by all devices and switches that are not listed in that policy.
• ”Removing a member from an ACL policy” on page 115
Remove one or more members from a policy. If all members are removed from a policy, that aspect of the fabric becomes closed to all access.
the changes have been saved or activated; they can be aborted later if you have set your fabric to distribute the changes manually.

Table 25 FCS policy states

Policy state                   Characteristics
No active policy               Any switch can perform fabric wide configuration changes.
Active policy with one entry   A primary FCS switch is designated (local switch), but there are no backup FCS switches. If the primary FCS switch becomes unavailable for any reason, the fabric is left without an FCS switch.
Table 26 Switch operations

Allowed on FCS switches / Allowed on all switches: secPolicyRemove (allowed on all switches for SCC/DCC policies as long as it is not fabric-wide), secPolicyActivate, fddcfg --fabwideset, secPolicySave, any fabric-wide commands, secPolicyAbort, all zoning commands except the show commands, SNMP commands, all AD commands, configupload, any local-switch commands, any AD command that does not affect fabric-wide configuration.

FCS enforcement does not apply to pre-5.3.
This displays the WWNs of the current primary FCS switch and backup FCS switches. 3. Type secPolicyFCSMove; then provide the current position of the switch in the list and the desired position at the prompts. Alternatively, enter secPolicyFCSMove “From, To”. From is the current position in the list of the FCS switch and To is the desired position in the list for this switch.
NOTE: The FCS policy distribution is allowed to be distributed from a switch in the FCS list. However, if none of the FCS switches in the existing FCS list are reachable, receiving switches will accept distribution from any switch in the fabric. Local switch configuration parameters are needed to control whether a switch accepts or rejects distributions of FCS policy and whether the switch is allowed to initiate distribution of an FCS policy.
Table 28 DCC policy states (continued)

Policy state             Characteristics
Policy with no entries   Any device can connect to any switch port in the fabric. An empty policy is the same as no policy.
Policy with entries      If a device WWN is specified in a DCC policy, that device is only allowed access to the switch if connected by a switch port listed in the same policy. If a switch port is specified in a DCC policy, it only permits connections from devices that are listed in the policy.
device portWWN   The WWN of the device port.
switch           The switch WWN, Domain ID, or switch name.
port             The port can be specified by port or area number. Designating ports automatically includes the devices currently attached to those ports. The ports can be specified using any of the following syntax methods:
                 (*)      Selects all ports on the switch.
                 (1-6)    Selects ports 1 through 6.
                 [*]      Selects all ports and all devices attached to those ports.
                 [3, 9]   Selects ports 3 and 9 and all devices attached to those ports.
Creating an SCC policy The switch connection control (SCC) policy is used to restrict which switches can join the fabric. Switches are checked against the policy each time an E_Port-to-E_Port connection is made. The policy is named SCC_POLICY and accepts members listed as WWNs, Domain IDs, or switch names. Only one SCC policy can be created. By default, any switch is allowed to join the fabric; the SCC policy does not exist until it is created.
Activating changes to ACL policies

To activate changes:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Type the secPolicyActivate command:
switch:admin> secpolicyactivate
About to overwrite the current Active data.
ARE YOU SURE (yes, y, no, n): [no] y

Adding a member to an existing policy

Add members to the ACL policies by using the secPolicyAdd command. As soon as a policy has been activated, the aspect of the fabric managed by that policy is enforced.
Aborting all uncommitted changes

Use the secPolicyAbort command to abort all ACL policy changes that have not yet been saved.
To abort all unsaved changes:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Type the secPolicyAbort command:
switch:admin> secpolicyabort
Unsaved data has been aborted.
All changes since the last time the secPolicySave or secPolicyActivate commands were entered are aborted.
Figure 3 DH-CHAP authentication: Switch A holds a key database with local secret A and peer secret B; Switch B holds a key database with local secret B and peer secret A.

If you use DH-CHAP authentication, then a secret key pair must be installed only in connected fabric elements. However, as connections are changed, new secret key pairs must be installed between newly connected elements.
port if it is connected to a switch which does not support authentication. Regardless of the policy, the E_Port is disabled if DH-CHAP or FCAP authentication between the two switches fails.

ACTIVE: In this state the switch is more tolerant and can connect to a switch with any type of policy. During switch initialization, authentication begins on all E_Ports, but the port is not disabled if the connecting switch does not support authentication or its AUTH policy is set to OFF.
Because F_Port authentication requires the DH-CHAP protocol, selecting PASSIVE mode is blocked if FCAP is the only selected authentication protocol. Similarly, deselecting DH-CHAP from the authentication protocol list is blocked if device authentication is set to PASSIVE.

Auth policy restrictions

The Fabric OS 5.1.0 implementation of DH-CHAP/FCAP does not support integration with RADIUS.
2. On a switch running Fabric OS 4.x or 5.x, type authUtil --set -a dhchap; on a switch running Fabric OS 3.x, type authUtil "--set -a dhchap".
Output similar to the following is displayed:
Authentication is set to dhchap.
When using DH-CHAP, make sure that you configure the switches at both ends of a link.

NOTE: If you set the authentication protocol to DH-CHAP, have not yet configured shared secrets, and authentication is checked (for example, you enable the switch), switch authentication fails.
This section illustrates using the secAuthSecret command to display the list of switches in the current switch’s shared secret database and to set the secret key pair for the current switch and a connected switch. See the for more details on the secAuthSecret command.

NOTE: When setting a secret key pair, note that you are entering the shared secrets in plain text. Use a secure channel (for example, SSH or the serial console) to connect to the switch on which you are setting the secrets.
The command enters interactive mode. The command returns a description of itself and needed input; then it loops through a sequence of switch specification, peer secret entry, and local secret entry. To exit the loop, press Enter for the switch name; then type y.
switchA:admin> secauthsecret --set
This command is used to set up secret keys for the DH-CHAP authentication.
The minimum length of a secret key is 8 characters and maximum 40 characters.
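To show what the two-sided secret database of Figure 3 and the secAuthSecret loop above enforce, here is an added Python model. It is not Fabric OS code and not the DH-CHAP wire protocol: it models only the CHAP step (a SHA-1 hash over a random challenge and a secret; SHA-1 is one of the DH-CHAP hash algorithms listed in the FIPS table later in this chapter), keys database entries by peer name rather than WWN, and leaves out the Diffie-Hellman exchange entirely. The switch names, the secrets and the SwitchAuthDB and mutual_auth names are constructed; the 8 to 40 character length check is the one secAuthSecret states.

```python
"""Model of the per-switch DH-CHAP shared-secret database.

Added illustration, not Fabric OS code. Each switch stores, per peer,
the pair (peer secret, local secret). A switch proves itself with its
LOCAL secret; it checks a peer with the PEER secret it holds for that
peer. So switch A's local secret must equal switch B's peer secret for A,
and vice versa, exactly as Figure 3 pairs them.
"""
import hashlib
import hmac
import os

MIN_SECRET, MAX_SECRET = 8, 40   # lengths stated by secAuthSecret --set


class SwitchAuthDB:
    """Secret database of one switch: peer name -> (peer_secret, local_secret)."""

    def __init__(self, name: str):
        self.name = name
        self.entries = {}

    def set_secret(self, peer: str, peer_secret: str, local_secret: str) -> None:
        for s in (peer_secret, local_secret):
            if not MIN_SECRET <= len(s) <= MAX_SECRET:
                raise ValueError("secret length must be 8..40 characters")
        self.entries[peer] = (peer_secret, local_secret)

    def respond(self, peer: str, challenge: bytes) -> bytes:
        """Answer the peer's challenge with our local secret (CHAP response)."""
        _, local = self.entries[peer]
        return hashlib.sha1(challenge + local.encode()).digest()

    def verify(self, peer: str, challenge: bytes, response: bytes) -> bool:
        """Check the peer's answer against the peer secret we hold for it."""
        peer_secret, _ = self.entries[peer]
        expected = hashlib.sha1(challenge + peer_secret.encode()).digest()
        return hmac.compare_digest(expected, response)   # constant-time compare


def mutual_auth(a: SwitchAuthDB, b: SwitchAuthDB,
                challenge_a: bytes = None, challenge_b: bytes = None) -> bool:
    """Both ends challenge each other; the link authenticates only if both pass."""
    challenge_a = challenge_a or os.urandom(16)   # A's challenge to B
    challenge_b = challenge_b or os.urandom(16)   # B's challenge to A
    a_trusts_b = a.verify(b.name, challenge_a, b.respond(a.name, challenge_a))
    b_trusts_a = b.verify(a.name, challenge_b, a.respond(b.name, challenge_b))
    return a_trusts_b and b_trusts_a


if __name__ == "__main__":
    # Constructed secrets; in practice enter them over SSH or the serial console.
    a = SwitchAuthDB("switchA")
    b = SwitchAuthDB("switchB")
    a.set_secret("switchB", peer_secret="peer-secret-B1", local_secret="local-secret-A1")
    b.set_secret("switchA", peer_secret="local-secret-A1", local_secret="peer-secret-B1")
    print("matched pair:", mutual_auth(a, b))
    b.set_secret("switchA", peer_secret="wrong-secret-1", local_secret="peer-secret-B1")
    print("one side mistyped:", mutual_auth(a, b))
```

The second run in the demo shows the failure mode the NOTE in the previous section warns about: a single mistyped secret on one side makes mutual_auth return False even though the other direction still verifies, which in the real switch means the E_Port is disabled when the AUTH policy is ON.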
IP Filter policy The IP Filter policy is a set of rules applied to the IP management interfaces as a packet filtering firewall. The firewall permits or denies the traffic to go through the IP management interfaces according to the policy rules. Fabric OS supports multiple IP Filter policies to be defined at the same time. Each IP Filter policy is identified by a name and has an associated type. Two IP Filter policy types, IPv4 and IPv6, exist to provide separate packet filtering for IPv4 and IPv6.
Displaying an IP Filter policy

Displays the IP Filter policy content for the specified policy name, or all IP Filter policies if no policy name is specified. For each IP Filter policy, the policy name, type, persistent state and policy rules are displayed. The policy rules are listed by rule number in ascending order. There is no pagination stop for multiple screens of information; pipe the output to the more command to page it.
Deleting an IP Filter policy

You can delete a specified IP Filter policy. Deleting an IP Filter policy removes it from the temporary buffer. To permanently delete the policy from the persistent database, run ipfilter --save. An active IP Filter policy cannot be deleted.

To delete an IP Filter policy:
1. Log in to the switch using an account assigned to the admin role.
2. Type in the following command:
ipfilter --delete policyname
where policyname is the name of the policy.
3.
Table 30 Supported services (continued)

Service name   Port number
telnet         23
www            80

TCP and UDP protocols are valid selections. Fabric OS 5.3.0 and later does not support configuration to filter other protocols. Implicitly, ICMP type 0 and type 8 packets are always allowed to support ICMP echo request and reply on commands like ping and traceroute. For the action, only “permit” and “deny” are valid.
If none of the rules in the policy matches the incoming packet, the two implicit rules will be matched to the incoming packet. If the rules still do not match the packet, the default action, which is to deny, will be taken. When the IPv4 or IPv6 address for the management interface of a switch is changed through the ipAddrSet command or manageability tools, the active IP Filter policies will automatically become enforced on the management IP interface with the changed IP address.
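As an added illustration, not Fabric OS code, the following Python model applies the matching order described above together with the service ports from Tables 22 and 30: explicit rules in ascending rule-number order with the first match winning, then the implicit ICMP echo allowances, then the default deny. It assumes the two implicit rules are the ICMP type 0 and type 8 allowances the text mentions; the sample policy, the addresses and the Rule, Packet, make_rule, evaluate and example_policy names are constructed.

```python
"""Model of Fabric OS IP Filter policy evaluation on a management interface.

Added illustration, not Fabric OS code. Constraints follow the text:
only TCP and UDP are filterable, the action is permit or deny, rules are
matched by ascending rule number, ICMP echo request (8) and reply (0) are
implicitly allowed, and anything else falls through to the default deny.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Service-name-to-port table (subset taken from Tables 22 and 30).
SERVICES = {"ssh": 22, "telnet": 23, "www": 80}


@dataclass(frozen=True)
class Rule:
    number: int        # rules are evaluated by this number, ascending
    source: str        # source prefix, e.g. "10.20.0.0/16", or "any"
    protocol: str      # "tcp" or "udp"; nothing else can be filtered
    dest_port: int     # destination port on the management interface
    action: str        # "permit" or "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    protocol: str                  # "tcp", "udp" or "icmp"
    dest_port: Optional[int] = None
    icmp_type: Optional[int] = None


def make_rule(number: int, source: str, protocol: str, service, action: str) -> Rule:
    """Validate a rule the way the text says the CLI constrains it."""
    proto = protocol.lower()
    if proto not in ("tcp", "udp"):
        raise ValueError("only TCP and UDP can be filtered")
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny")
    port = SERVICES.get(service, service)   # accept a service name or a port number
    return Rule(number, source, proto, int(port), action)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != pkt.protocol or rule.dest_port != pkt.dest_port:
        return False
    if rule.source == "any":
        return True
    return ip_address(pkt.src) in ip_network(rule.source, strict=False)


def evaluate(policy: List[Rule], pkt: Packet) -> str:
    """Return the action for pkt: first matching explicit rule, then the
    implicit ICMP echo rules, then the default deny."""
    for rule in sorted(policy, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.action
    if pkt.protocol == "icmp" and pkt.icmp_type in (0, 8):
        return "permit"          # ping/traceroute echo is always allowed
    return "deny"                # default action when nothing matched


def example_policy() -> List[Rule]:
    """Constructed IPv4 policy: SSH only from the management network,
    clear-text Telnet and HTTP blocked from everywhere."""
    return [
        make_rule(1, "10.20.0.0/16", "tcp", "ssh", "permit"),
        make_rule(2, "any", "tcp", "telnet", "deny"),
        make_rule(3, "any", "tcp", "www", "deny"),
    ]


if __name__ == "__main__":
    pol = example_policy()
    for p in (Packet("10.20.1.5", "tcp", 22), Packet("192.0.2.9", "tcp", 22),
              Packet("10.20.1.5", "tcp", 23), Packet("192.0.2.9", "icmp", icmp_type=8)):
        print(p, "->", evaluate(pol, p))
```

Note that SSH from an address outside 10.20.0.0/16 is denied without any explicit deny rule: the permit rule does not match, nothing else matches, and the default deny applies. That is why a policy that only lists permits is still a closed policy, and why adding an SSH permit for your own management network before activating a restrictive policy matters (the NOTE under "Configuring the Telnet protocol" makes the same point for Telnet).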
Aborting a switch session transaction

To abort a transaction associated with IP Filter:
1. Log in to the switch using an account assigned to the admin role.
2. Type in the following command:
ipfilter --transabort

IP Filter policy distributions

The IP Filter policy is manually distributed, using the distribute -p “IPFILTER” command. The distribution includes both active and defined IP Filter policies. All policies are combined as a single entity to be distributed and cannot be selectively distributed.
Table 33 explains how the local database distribution settings and the fabric-wide consistency policy affect the local database when the switch is the target of a distribution command.

Table 33 Interaction between fabric-wide consistency policy and distribution settings

Distribution setting   Fabric-wide consistency policy
                       Absent (default)                                                                                  Tolerant                  Strict
Reject                 Database is protected, it cannot be overwritten. May not match other databases in the fabric.   Invalid configuration.1   Invalid configuration.
2. Enter the following command:
switch:admin> fddcfg --showall
Local Switch Configuration for all Databases:
DATABASE - Accept/Reject
--------------------------------
SCC      accept
DCC      accept
PWD      accept
FCS      accept
AUTH     accept
IPFILTER accept
Fabric Wide Consistency Policy:- ""

To enable local switch protection:
1. Connect to the switch and log in using an account assigned to the admin role.
2.
Table 35 describes how the target switch database distribution settings affect the distribution.

Table 35 ACL policy database distribution behavior

Target switch Fabric OS version   Database setting   Distribution   Results
5.1.0 or earlier                  NA                 Fails          An error is returned. The entire transaction is aborted and no databases are updated.
5.2.0                             Reject             Fails          The target switch explicitly refuses the distribution. The entire transaction is aborted and no databases are updated.
Table 36 Fabric-wide consistency policy settings

Setting    Value         When a policy is activated
Absent     null          Database is not automatically distributed to other switches in the fabric.
Tolerant   database_id   All updated and new policies of the type specified (SCC, DCC, or both) are distributed to all Fabric OS 5.2.0 and later switches in the fabric. Pre-Fabric OS 5.2.0 switches are allowed in the fabric, but no automated means are provided to ensure those switches have consistent databases.
Notes on joining a switch to the fabric When a switch is joined to a fabric with a tolerant SCC or DCC fabric-wide consistency policy, the joining switch must have a matching tolerant SCC or DCC fabric-wide consistency policy. If the tolerant SCC or DCC fabric-wide consistency policies do not match, the switch can join the fabric, but an error message flags the mismatch. If the tolerant SCC and DCC fabric-wide consistency policies match, the corresponding SCC and DCC ACL policies are compared.
Table 37 Merging fabrics with matching fabric-wide consistency policies (continued)

Fabric-wide consistency policy   Fabric A ACL policies   Fabric B ACL policies   Merge results   Database copied
Tolerant                         None                    None                    Succeeds        No ACL policies copied.
                                 None                    SCC/DCC                 Succeeds        ACL policies are copied from B to A.
                                 SCC/DCC                 SCC/DCC                 Succeeds        If A and B policies do not match, a warning displays and policy commands are disabled1.
                                 None                    None                    Succeeds        No ACL policies copied.
Table 39 Fabric merges with tolerant/absent combinations

Fabric-wide consistency policy setting: Fabric A Tolerant/Absent; Fabric B SCC;DCC, DCC, SCC;DCC, SCC, DCC, SCC
Expected behavior: Error message logged. Run fddCfg --fabwideset “” from any switch with the desired configuration to fix the conflict. The secPolicyActivate command is blocked until the conflict is resolved.
Zeroization behavior

Table 40

Keys               Zeroization CLI      Description
TLS private keys   seccertutil delkey   The command seccertutil delkey is used to zeroize these keys.
Table 41 FIPS mode restrictions

Features                                             FIPS mode                                 Non-FIPS mode
RPC/secure RPC access                                Secure RPC only                           RPC and secure RPC
Secure RPC protocols                                 TLS - AES128 cipher suite                 SSL and TLS - all cipher suites
SNMP                                                 Read-only operations                      Read and write operations
DH-CHAP/FCAP hashing algorithms                      SHA-1                                     MD5 and SHA-1
Signed firmware                                      Mandatory firmware signature validation   Optional firmware signature validation
Configupload/download/supportsave/firmwaredownload   SCP only                                  FTP and SCP
IPsec                                                Usage o
Example of setting up LDAP for FIPS mode
switch:admin> aaaconfig --add GEOFF5.ADLDAP.LOCAL -conf ldap -p 389 -d adldap.local -t 3
switch:admin> aaaconfig --authspec "ldap;local"
switch:admin> aaaconfig --show
RADIUS CONFIGURATIONS
=====================
RADIUS configuration does not exist.

LDAP CONFIGURATIONS
===================
Position   : 1
Server     : GEOFF5.ADLDAP.LOCAL
Port       : 389
Domain     : adldap.local
Timeout(s) : 3

Primary AAA Service: LDAP
Secondary AAA Service: Switch database
2.
Additional Microsoft Active Directory settings

a. To support FIPS-compliant TLS cipher suites on the Microsoft Active Directory server, set the SCHANNEL settings listed in Table 43 to allow. Refer to the Microsoft website for instructions on how to allow the SCHANNEL settings for the ciphers, hashes, key exchange and the TLS protocol.
Exporting an LDAP switch certificate

This option exports the LDAP CA certificate from the switch to the remote host.
1. Connect to the switch and log in as admin.
2. Enter the secCertUtil export -ldapcacert command.

Example of exporting an LDAP CA certificate
switch:admin> seccertutil export -ldapcacert
Select protocol [ftp or scp]: scp
Enter IP address: 192.168.38.206
Enter remote directory: /users/aUser/certs
Enter Login Name: aUser
Enter LDAP certificate name (must have ".pem" suffix):LDAPTestCa.
Overview of steps
1. Optional: Configure RADIUS server
2. Optional: Configure authentication protocols
3. For LDAP only: Install SSL certificate on Microsoft Active Directory server and CA certificate on the switch for using LDAP authentication.
4. Block Telnet, HTTP, and RPC
5. Disable BootProm access
6. Configure the switch for signed firmware
7. Disable root access
8. Enable FIPS

To enable FIPS mode:
1. Log in to the switch using an account assigned the admin or securityAdmin role.
2.
Example
switch:admin> configure
Not all options will be available on an enabled switch.
To disable the switch, use the "switchDisable" command.

Configure...
System services (yes, y, no, n): [no]
…
cfgload attributes (yes, y, no, n): [no] yes
Enforce secure config Upload/Download (yes, y, no, n): [no]
Enforce firmware signature validation (yes, y, no, n): [no] yes
8.
5 Maintaining the switch configuration file

This chapter provides procedures for basic switch configuration maintenance.

Maintaining consistent configuration settings

It is important to maintain consistent configuration settings on all switches in the same fabric because inconsistent parameters (such as inconsistent PID formats) can cause fabric segmentation.
4. Respond to the prompts as follows:
Protocol (scp or ftp)       If your site requires the use of Secure Copy, specify scp. Otherwise, specify FTP.
Server Name or IP Address   Enter the name or IP address of the server where the file is to be stored; for example, 192.1.2.3. You can enter a server name if DNS is enabled. For details about the dnsConfig command, see the Fabric OS Command Reference.
User name                   Enter the user name of your account on the server; for example, JohnDoe.
File name
Password
Restoring a configuration Restoring a configuration involves overwriting the configuration on the switch by downloading a previously saved backup configuration file. Make sure that the configuration file you are downloading is compatible with your switch model, because configuration files from other model switches might cause your switch to fail. The configuration download process is additive, that is, the lines read from the files are added to the current switch configuration.
To restore a configuration:
1. Verify that the FTP service is running on the server where the backup configuration file is located.
2. Connect to the switch and log in as admin.
3. If there are any changed parameters in the configuration file that do not belong to SNMP, Fabric Watch, or ACL, disable the switch by entering the switchDisable command.
4. Enter the configDownload command. The command becomes interactive and you are prompted for the required information.
5.
The following example shows configDownload run on a switch with Admin Domains:
switch:AD5:admin> configdownload
Protocol (scp or ftp) [ftp]:
Server Name or IP Address [host]: 10.1.2.3
User Name [user]: JohnDoe
File Name [config.txt]: /pub/configurations/config.txt
*** CAUTION ***
This command is used to download a backed-up configuration for a specific switch. If using a file from a different switch, this file's configuration settings will override any current switch settings.
Table 45 Backup and restore in a FICON CUP environment

ASM bit     Command          Description
on or off   configUpload     All the files saved in the file access facility are uploaded to the management workstation. A section in the uploaded configuration file labeled FICON_CUP is in an encoded format.
on          configDownload   Files saved on the switch that are also present in the FICON_CUP section of the configuration file are overwritten.
Configuration form Use Table 46 as a hard copy reference for your configuration information. In the hardware reference manuals for the 4/256 SAN Director and DC SAN Backbone Director (short name, DC Director) there is a guide for FC port setting tables. The tables can be used to record configuration information for the various blades.
6 Managing administrative domains
This chapter provides procedures for using administrative domains (Admin Domain or AD). An Admin Domain is a logical grouping of fabric elements that defines what switches, ports, and devices you can view and modify. An Admin Domain is a filtered administrative view of the fabric.
NOTE: If you do not implement Admin Domains, the feature has no impact on users and you can skip this chapter.
Admin Domains permit access to a configured set of users.
[Figure 4 Fabric with two Admin Domains; figure labels: AD1, AD2]
Figure 5 shows how users get a filtered view of this fabric, depending on which Admin Domain they are in. As shown in Figure 6, users can see all switches and E_Ports in the fabric, regardless of their Admin Domain; however, the switch ports and end devices are filtered based on Admin Domain membership.
Admin Domain features
Admin Domains allow you to:
• Define the scope of an Admin Domain to encompass ports and devices within a switch or a fabric.
• Share resources across multiple Admin Domains. For example, you can share array ports and tape drives between multiple departments. In Figure 4, one of the storage devices is shared between AD1 and AD2.
• Have a separate zone database for each Admin Domain. See ”Admin Domains, zones, and zone databases” on page 170 for more information.
Table 47 lists each Admin Domain user type and describes its administrative access and capabilities.
Table 47 AD user types
User type | Description
Physical Fabric Administrators | User account with Admin role and with access to all Admin Domains (AD0 through AD255). Create and manage all Admin Domains. Assign other administrators or users to each Admin Domain. Only a physical fabric administrator can create other physical fabric administrators.
AD0 is useful when you create Admin Domains because you can see which devices, switch ports, and switches have not yet been assigned to any Admin Domains. AD0 owns the root zone database (legacy zone database). During zone merge or zone update, only the root zone database is exchanged with AD-unaware switches.
AD255
AD255 is used for Admin Domain management. You can use AD255 to get an unfiltered view of the fabric and to view the hierarchical zone databases of AD0 through AD254.
• The Admin Domain list for the default admin account is 0–255, which gives this account automatic access to any Admin Domain as soon as the domain is created, and makes this account a physical fabric administrator.
• The Admin Domain list for the default user account is AD0 only.
• For user-defined accounts, the home Admin Domain also defaults to AD0, but an administrator can set the home Admin Domain to any Admin Domain to which the account has been given access.
NOTE: If the switch domain ID changes, the domain,index members are invalid (they are not automatically changed). You must then reconfigure the Admin Domain with the current domain,index members.
Switch members
Switch members are defined by the switch WWN or Domain ID. A switch member:
• Grants administrative control to the switch.
• Grants port control for all ports in that switch.
• Allows switch administrative operations such as switchDisable, switchEnable, reboot, and firmwareDownload.
[Figure 7 Fabric showing switch and device WWNs; figure labels in order: AD3; WWN = 10:00:00:00:c7:2b:fd:a3; WWN = 10:00:00:00:c2:37:2b:a3; Domain ID = 1; WWN = 10:00:00:05:1f:05:23:6f; Domain ID = 2; WWN = 10:00:00:05:2e:06:34:6e; AD4; WWN = 10:00:00:00:c8:3a:fe:a2]
Figure 8 shows the filtered view of the fabric as seen from AD3 and AD4. The switch WWNs are converted to the NAA=5 syntax; the device WWNs and Domain IDs remain the same.
Compatibility
Admin Domains can be implemented in fabrics with a mix of AD-capable switches and AD-incapable switches. The following considerations apply:
• In mixed-fabric configurations, the legacy switches allow unfiltered access to the fabric and its devices; hence, these legacy switches should be managed by the physical fabric administrator.
• You must zone all ports and devices from legacy switches in the AD0 root zone database.
How you end the transaction determines the disposition of the Admin Domain configuration in the transaction buffer. The following commands end the Admin Domain transaction:
ad --save    Saves the changes in the transaction buffer to the defined configuration in persistent storage and propagates the defined configuration to all switches in the fabric.
If you specify AD name = “AD15” and the lowest available AD number is 6, then AD name is “AD15” and AD number is 15. Because the specified name is in the format “ADn”, the AD number is assigned to be n and not the lowest available AD number. The Admin Domain name cannot exceed 63 characters and can contain alphabetic and numeric characters. The only special character allowed is an underscore ( _ ). When you create an Admin Domain, you must specify at least one member (switch, switch port, or device).
• Adding an Admin Domain list, home Admin Domain, and role to a user configuration is backward compatible with pre-Fabric OS 5.2.0 firmware. When you downgrade to pre-Fabric OS 5.2.0 firmware, the userConfig command records are interpreted using legacy logic.
To create a new user account for managing Admin Domains:
1. Connect to the switch and log in as admin.
2.
3. Enter the ad --activate option. The activate option prompts for confirmation. By default, after the Admin Domain is activated, the devices specified under that AD cannot see each other until they are zoned together.
4. To end the transaction now, enter ad --save to save the Admin Domain definition, or enter ad --apply to save the Admin Domain definition and directly apply the definitions to the fabric.
The following example activates Admin Domain AD_B5.
The following example adds two switch ports, designated by domain,port, to Admin Domain AD1.
sw5:AD255:admin> ad --add AD1 -d "100,5; 4,1"
To remove members from an Admin Domain:
1. Connect to the switch and log in as admin.
2. Switch to the AD255 context, if you are not already in that context.
ad --select 255
3.
4. Switch to the AD255 context.
ad --select 255
5. Enter the ad --delete command.
ad --delete ad_id
The ad --delete command prompts you for confirmation before triggering the deletion. The command succeeds whether the Admin Domain is in an activated or deactivated state.
6. Enter the ad --apply command to save the Admin Domain definition and directly apply the definition to the fabric.
The following example deletes Admin Domain AD_B3.
sw5:AD255:admin> ad --delete AD_B3
You are about to delete an AD.
The Admin Domain validation process is not applicable for AD0, as AD0 implicitly contains all unassigned and AD-unaware online switches and their devices.
To list the switches and devices in an AD member list:
1. Connect to the switch and log in as admin.
2. Switch to the AD255 context, if you are not already in that context.
ad --select 255
3. Enter the ad --validate command.
Table 48 Ports and devices in CLI output
For | Condition
domain,port | The port is specified in the domain,port member list of the Admin Domain. One or more WWNs specified in the AD member list is attached to the domain,port.
Device WWN | The device WWN is specified in the AD WWN member list. The device WWN is attached to one of the domain,port specified in the AD member list.
RASLog and SYSlog output is not filtered based on AD membership.
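The rules in Table 48, together with the switch-member rule given earlier (a switch member grants control of every port on that switch), can be modelled to show which ports and devices an Admin Domain user would actually see, and which members of an AD definition do not resolve to anything online. The following Python is an added illustration written for this page, not Fabric OS code: the attachment table, WWNs, the AdminDomain class and the function names are all constructed for the example.

```python
"""Resolve an Admin Domain member list to the ports and devices an AD user
would see.  Added illustration for this page, not Fabric OS code; the
fabric attachment table below is constructed sample data.

Rules modelled (from the text and Table 48):
  - a switch member grants control of every port on that switch;
  - a domain,port is listed if it is in the AD's domain,port member list,
    or if a WWN from the AD's WWN member list is attached to it;
  - a device WWN is listed if it is in the AD's WWN member list, or if it
    is attached to a domain,port in the AD's member list.
"""
from dataclasses import dataclass, field

# Constructed sample fabric: (domain, port) -> port WWN of the logged-in
# device, or None when the port is online but nothing is attached.
FABRIC_ATTACHMENTS = {
    (100, 5): "10:00:00:00:c9:2b:11:01",
    (100, 6): "10:00:00:00:c9:2b:11:02",
    (4, 1): "50:06:0e:80:04:2c:fd:00",
    (4, 2): "50:06:0e:80:04:2c:fd:01",
    (4, 3): None,
    (7, 0): "10:00:00:00:c9:2b:11:03",
}


@dataclass
class AdminDomain:
    number: int
    name: str
    switches: set = field(default_factory=set)   # switch members (domain IDs)
    ports: set = field(default_factory=set)      # (domain, port) members
    devices: set = field(default_factory=set)    # device WWN members


def parse_dp_list(text):
    """Parse the CLI domain,port member syntax, e.g. "100,5; 4,1"."""
    members = set()
    for item in text.split(";"):
        item = item.strip()
        if item:
            domain, port = item.split(",")
            members.add((int(domain), int(port)))
    return members


def port_in_member_list(ad, dp):
    """True if dp is covered by a domain,port member or a switch member."""
    return dp in ad.ports or dp[0] in ad.switches


def resolve_view(ad, attachments=FABRIC_ATTACHMENTS):
    """Return (visible_ports, visible_devices) for the AD."""
    visible_ports, visible_devices = set(), set()
    for dp, wwn in attachments.items():
        by_port = port_in_member_list(ad, dp)
        by_wwn = wwn is not None and wwn in ad.devices
        if by_port or by_wwn:
            visible_ports.add(dp)
        if wwn is not None and (by_port or by_wwn):
            visible_devices.add(wwn)
    return visible_ports, visible_devices


def offline_members(ad, attachments=FABRIC_ATTACHMENTS):
    """Members that do not resolve to an online switch, port or device:
    the discrepancies an administrator looks for before activating the AD."""
    missing = set()
    for dp in ad.ports:
        if dp not in attachments:
            missing.add(("port", dp))
    attached = {w for w in attachments.values() if w is not None}
    for wwn in ad.devices:
        if wwn not in attached:
            missing.add(("device", wwn))
    for domain in ad.switches:
        if not any(dp[0] == domain for dp in attachments):
            missing.add(("switch", domain))
    return missing


if __name__ == "__main__":
    ad1 = AdminDomain(1, "AD1", switches={7},
                      ports=parse_dp_list("100,5; 4,1"),
                      devices={"50:06:0e:80:04:2c:fd:01"})
    print(resolve_view(ad1))
    print(offline_members(ad1))
```

Port 4,2 appears in the view only because the device attached to it is a WWN member, and device 10:00:00:00:c9:2b:11:03 appears only because its switch (domain 7) is a switch member; neither is named in the domain,port list. This is the same double-membership behaviour Table 48 describes for ad --validate output.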
The following example displays membership information about AD1.
sw5:AD1:admin> ad --show
Current AD Number: 1 AD Name: TheSwitches
Effective configuration:
-----------------------
AD Number: 1 AD Name: TheSwitches State: Active
Switch WWN members:
50:06:06:99:00:2a:e9:01; 50:00:51:e0:23:36:f9:01; 50:06:06:98:05:be:99:01;
Switching to a different Admin Domain context
The ad --select option is used to switch between different Admin Domain contexts.
Table 49 lists some of the Fabric OS features and considerations that apply when using Admin Domains.
Table 49 Admin Domain interaction with Fabric OS features
Fabric OS feature | Admin Domain interaction
ACLs | If no user-defined Admin Domains exist, you can run ACL configuration commands in only AD0 and AD255. If any user-defined Admin Domains exist, you can run ACL configuration commands only in AD255.
Admin Domains, zones, and zone databases Each Admin Domain has its own zone database, with both defined and effective zone configurations and all related zone objects (zones, zone aliases, and zone members). Within an Admin Domain, you can configure zoning only with the devices that are present in that Admin Domain.
The auto-converted LSAN zone names might collide with LSAN zone names in AD0 (for example, in the above example, if AD0 contains lsan_for_linux_farm_AD005, this would cause a name collision). Fabric OS does not detect or report such a name clash. LSAN zone names longer than 57 characters are not converted or sent to the FCR phantom domain. See ”Using the FC-FC routing service” on page 211 for additional information about LSAN zones.
See ”Maintaining the switch configuration file” on page 143 for additional information about uploading and downloading configurations.
7 Installing and maintaining firmware
This chapter provides procedures for installing and maintaining firmware. Fabric OS 6.1.x provides nondisruptive firmware installation. This chapter refers to the following specific types of blades inserted into either Director platform:
• Port blades contain only Fibre Channel ports: FC4-16, FC4-32, FC4-48, FC10-6, FC8-16, FC8-32, FC8-48.
• Some port blades contain extra processors and specialized ports, like the FR4-18i and FC4-16IP for example.
The command supports both non-interactive and interactive modes. If the firmwareDownload command is issued without any operands, or if there is any syntax error in the parameters, the command enters an interactive mode, in which you are prompted for input. TIP: For each switch in your fabric, complete all firmware download changes on the current switch before issuing the firmwareDownload command on the next switch. This process ensures nondisruption of traffic between switches in your fabric.
Preparing for firmware downloads Before executing a firmware download, it is recommended that you perform the tasks listed in this section. In the unlikely event of a failure or time-out, the preparation tasks that are described in this section will enable you to provide HP the information required to perform advanced troubleshooting. It is recommended that you perform a configUpload to back up the current configuration before you download firmware to a switch.
Checking connected switches
When checking connected switches, ensure that any older versions are supported. See the recommended version (shown in Table 52) before upgrading firmware on the switch. Go to http://www.hp.com to view end-of-life policies.
Table 52 Recommended firmware
Switch model | Earliest compatible version | Recommended version for interoperating with Fabric OS 6.1.x switches
HP StorageWorks 1 Gb Switch | Not supported in same fabric with 6.1.x |
HP StorageWorks SAN Switch 2/8 EL, nl,,, 3.
Table 52 Recommended firmware (continued) Switch model Earliest compatible version Recommended version for interoperating with Fabric OS 6.1.x HP StorageWorks SAN Director 48 Port 6.0.0b 6.1.x (see http://www.hp.com for latest version released by HP) 6.0.0b 6.1.x (see http://www.hp.com for latest version released by HP) HP StorageWorks 48 Port 4Gb Blade (FC4-48) HP StorageWorks B-Series iSCSI Director Blade (FC4-16IP), HP StorageWorks 4/32B SAN Switch 5.2.1b 6.1.x (see http://www.hp.
Performing firmwareDownload on switches HP StorageWorks 4/8 SAN Switch, 4/16 SAN Switch, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 8/8 SAN Switch, 8/24 SAN Switch, 8/40 SAN Switch, 8/80 SAN Switch, and 400 MP Router switches also maintain primary and secondary partitions for firmware.
4. Connect to the switch and log in as admin.
5. Issue the firmwareShow command to check the current firmware version on connected switches. Upgrade their firmware if necessary before proceeding with upgrading this switch. See ”Checking connected switches” on page 176 for details.
6. Enter the firmwareDownload command.
7.
problem persists, review ”Troubleshooting firmwareDownload” on page 183. If the troubleshooting information fails to help resolve the issue, contact HP. During the upgrade process, the Director fails over to its standby CP blade and the IP addresses for the logical switches move to that CP blade's Ethernet port. This may cause informational ARP address reassignment messages to appear on other switches in the fabric.
5. Use the firmwareShow command to check the current firmware version on connected switches. Upgrade the firmware, if necessary, before proceeding with upgrading this switch. See ”Checking connected switches” on page 176.
6. Enter the haShow command to confirm that the two CP blades are synchronized.
Autoleveling takes place in parallel with the firmware download being performed on the CPs, but does not impact performance. Fibre Channel traffic is not disrupted during autoleveling, but GbE traffic on AP blades may be affected.
sw77:admin> firmwaredownload
Type of Firmware (FOS, SAS, or any application) [FOS]:
Server Name or IP Address: 192.168.32.10
Network Protocol (1-auto-select, 2-FTP, 3-SCP) [1]:
User Name: userfoo
File Name: /home/userfoo/v6.1.
[8]: Thu Jul 28 00:37:50 2005 Slot 7 : Firmware commit is started.
[9]: Thu Jul 28 00:37:50 2005 Slot 2 : Firmware commit has completed.
[10]: Thu Jul 28 00:37:50 2005 Slot 7 : Firmware commit has completed.
(Firmwaredownload has completed.)
11. Enter the firmwareShow command to display the new firmware versions. Following is an example of firmwareShow output on the 4/256 SAN Director.
v6.0.1\        381MB   Oct 19 10:39 2007
config\        0B      Sep 28 15:33 2007
support\       0B      Sep 28 15:33 2007
firmwarekey\   0B      Sep 28 15:33 2007
Available space on usbstorage 79%
Downloading the 6.1.0 image using the relative path
To download the 6.1.0 image using the relative path:
1. Log in to the switch as admin.
2. Type the firmwareDownload command with the -U operand:
admin> firmwaredownload -U v6.1.0
Downloading the 6.1.0 image using the absolute path
To download the 6.1.0 image using the absolute path:
1.
The switch manufacturer generates one private/public key pair. The private key and the public key are stored in the privatekey.pem and pubkey.pem files, respectively. The private key file is used to sign the firmware files. The public key file is packaged in an RPM package as part of the firmware and is downloaded to the switch. After it is downloaded, it is used to validate the next firmware to be downloaded. The public key file on the switch contains only one public key.
The firmwareDownload command As mentioned previously, the public key file will need to be packaged, installed, and run on your switch before downloading a signed firmware. When firmwareDownload installs a firmware file, it needs to validate the signature of the file. Different scenarios are handled as follows: a. If a firmware file does not have a signature, how it is handled depends on the “signed_firmware” parameter on the switch. If it is enabled, firmwareDownload will fail.
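The key-handling and signature-check flow above can be illustrated end to end: the manufacturer signs with the private key, the switch holds only the public key, and the download step decides based on the signature and the signed_firmware setting. The Python below is an added example for this page, not Fabric OS code and not the real Fabric OS signature format, which the page does not describe. It uses textbook RSA over a truncated SHA-256 digest with fixed Mersenne-prime factors so that it runs offline with only the standard library (Python 3.8 or later for the modular inverse); the key material, image bytes and function names are all constructed for the example. The rejection of a signed image whose signature fails to verify is this example's assumption, since the page's list of scenarios is cut off after scenario a.

```python
"""Signed-firmware check: sign with the manufacturer's private key, verify
on the switch with the installed public key, and apply the signed_firmware
rule from scenario a.  Added example for this page, not Fabric OS code.
The signature scheme is a toy (textbook RSA, no padding) chosen so the
block runs offline; it stands in for the real format only.
"""
import hashlib

# Toy key pair (constructed): p and q are the Mersenne primes 2**89-1 and
# 2**107-1, so n is about 196 bits and a 192-bit digest fits below n.
_P = (1 << 89) - 1
_Q = (1 << 107) - 1
PUBLIC_E = 65537
MODULUS_N = _P * _Q
_PRIVATE_D = pow(PUBLIC_E, -1, (_P - 1) * (_Q - 1))   # Python >= 3.8


def digest_int(image: bytes) -> int:
    """First 24 bytes (192 bits) of SHA-256, as an integer below n."""
    return int.from_bytes(hashlib.sha256(image).digest()[:24], "big")


def sign_image(image: bytes, d: int = _PRIVATE_D, n: int = MODULUS_N) -> int:
    """Manufacturer side: sign with the private key (the privatekey.pem role)."""
    return pow(digest_int(image), d, n)


def verify_image(image: bytes, signature: int,
                 e: int = PUBLIC_E, n: int = MODULUS_N) -> bool:
    """Switch side: check against the public key already installed
    (the pubkey.pem role).  Out-of-range signatures are rejected outright."""
    if not 0 < signature < n:
        return False
    return pow(signature, e, n) == digest_int(image)


def firmware_download_decision(image, signature, signed_firmware_enabled,
                               e=PUBLIC_E, n=MODULUS_N):
    """Return (accepted, reason) for an image offered to firmwareDownload.

    Scenario a. from the text: an unsigned image is rejected only when the
    signed_firmware parameter is enabled.  Rejecting a signed image whose
    signature does not verify is this example's assumption.
    """
    if signature is None:
        if signed_firmware_enabled:
            return False, "unsigned image rejected: signed_firmware is enabled"
        return True, "unsigned image accepted: signed_firmware is disabled"
    if verify_image(image, signature, e, n):
        return True, "signature verified against the installed public key"
    return False, "signature does not match the image"


if __name__ == "__main__":
    image = b"constructed firmware image v6.1.0"   # constructed sample bytes
    sig = sign_image(image)
    print(firmware_download_decision(image, sig, True))
    print(firmware_download_decision(image, None, True))
    print(firmware_download_decision(image + b"x", sig, True))
```

The point to take from the flow is the one the text makes: the switch never needs the private key, so the only secret that must be protected is the manufacturer's privatekey.pem, while the public key installed by the previous download is what gates the next one.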
Testing and restoring firmware on switches Typically, users downgrade firmware after briefly evaluating a newer (or older) version and then restore the original version of the firmware. Testing a new version of firmware in this manner ensures that you do not replace existing firmware because the evaluated version occupies only one partition on the switch.
IMPORTANT: Stop! If you have completed step 8, then you have committed the firmware on the switch and you have completed the firmware download procedure. To restore the original firmware, refer to step 9 (should be performed after step 6). 9. Restore the firmware. a. Enter the firmwareRestore command. The switch will reboot and come up with the original firmware again. A firmwareCommit will automatically begin to copy the original firmware from the primary partition to the secondary partition.
IMPORTANT: If the CPs do not achieve synchronization, stop here; log in to the standby CP, and enter the firmwareRestore command to restore the original firmware. c. Enter the firmwareShow command to confirm that the primary partition of the standby CP contains the new firmware. d. Enter the haFailover command. The active CP will reboot and the current switch session will be disconnected. If an AP blade is present: At the point of the failover an autoleveling process is activated.
IMPORTANT: Stop! If you have completed step 11, then you have committed the firmware on both CPs and you have completed the firmware download procedure. The following step 12 through step 14 describe how to restore the original firmware, and should be performed after step 5. 12. Restore the firmware on the standby CP. In the current switch session for the standby CP, enter the firmwareRestore command. The standby CP will reboot and the current switch session will end.
maintain the same firmware level on both partitions of each CP within the Director. The command firmwareShow -v will display the firmware version on the Co-CPs.
BrcdDCXBB:admin> firmwareshow -v
Slot  Name  Appl    Primary/Secondary Versions  Status
------------------------------------------------------------------------
6     CP0   FOS     v6.1.0  v6.1.0
            Co-FOS  v6.1.0  v6.1.0
7     CP1   FOS     v6.1.0  v6.1.0
            Co-FOS  v6.1.0  v6.1.
8 Administering Advanced Zoning
About zoning
Zoning enables you to partition your SAN into logical groups of devices that can access each other. A device can communicate only with other devices connected to the fabric within its specified zone. For example, you can partition your SAN into two zones, winzone and unixzone, so that your Windows servers and storage do not interact with your UNIX servers and storage.
Zone types
Table 53 summarizes the types of zoning available.
Table 53 Types of zoning
Zone type | Description
Storage-based | Storage units typically implement LUN-based zoning, also called LUN masking. LUN-based zoning limits access to the LUNs on the storage port to the specific WWN of the server HBA. It is needed in most SANs. It functions during the probe portion of SCSI initialization. The server probes the storage port for a list of available LUNs and their properties.
Table 54 Approaches to fabric-based zoning (continued)
Zoning approach | Description | Alternative approaches
Application | Zoning by application typically requires zoning multiple, perhaps incompatible, operating systems into the same zones. This method of zoning creates the possibility that a minor server in the application suite could disrupt a major server (such as a Web server disrupting a data warehouse server). |
When a zone object is the port WWN name, only the single port is in the zone. The types of zone objects used to define a zone can be mixed. For example, a zone defined with the zone objects 2,12; 2,14; 10:00:00:80:33:3f:aa:11 contains the devices connected to domain 2, ports 12 and 14, and a device with the WWN (either node name or port name) 10:00:00:80:33:3f:aa:11 that is connected on the fabric.
• Disabled Configuration—The effective configuration is removed from flash memory. When you disable the effective configuration, the Advanced Zoning feature is disabled on the fabric, and all devices within the fabric can communicate with all other devices (unless you previously set up a default zone, as described in ”Activating default zones” on page 403). This does not mean that the zoning database is deleted, however, only that there is no configuration active in the fabric.
• Is available on 1, 2, 4, 8 and 10 Gbps platforms. • Ensures that the name server does not return any information to an unauthorized initiator in response to a name server query. • Is exclusively enforced through selective information presented to end nodes through the fabric Simple Name Server (SNS). When an initiator queries the name server for accessible devices in the fabric, the name server returns only those devices that are in the same zone as the initiator.
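The mixed member syntax described earlier (domain,port pairs and WWNs in one zone, as in 2,12; 2,14; 10:00:00:80:33:3f:aa:11) and the name-server filtering just described can be put together in one model. The Python below is an added illustration for this page, not Fabric OS code: the name-server table, the alias, the zone named unixzone's members and all function names are constructed for the example. It goes slightly beyond the text in also resolving aliases (from the aliCreate discussion later in this chapter) and in modelling the disabled-configuration case, where every device sees every other device.

```python
"""Model of soft (name-server) zoning: parse zone definitions that mix
domain,port members, WWN members and aliases, then answer a name-server
query the way the text describes, returning only the devices that share a
zone with the querying initiator.  Added illustration for this page, not
Fabric OS code; the name-server table, alias and zones are constructed.
"""
import re

WWN_RE = re.compile(r"^(?:[0-9a-f]{2}:){7}[0-9a-f]{2}$")
DP_RE = re.compile(r"^(\d+),(\d+)$")

# Constructed name-server table: port WWN -> (node WWN, domain, port).
NAME_SERVER = {
    "10:00:00:80:33:3f:aa:11": ("20:00:00:80:33:3f:aa:11", 1, 1),
    "10:00:00:00:c9:aa:00:01": ("20:00:00:00:c9:aa:00:01", 2, 12),
    "50:06:0e:80:00:00:00:01": ("50:06:0e:80:00:00:00:00", 2, 14),
    "10:00:00:00:c9:bb:00:02": ("20:00:00:00:c9:bb:00:02", 3, 5),
    "50:06:0e:80:00:00:00:02": ("50:06:0e:80:00:00:00:00", 2, 16),
    "10:00:00:00:c9:cc:00:03": ("20:00:00:00:c9:cc:00:03", 4, 0),  # in no zone
}

# Constructed alias, in aliCreate style: alias name -> member string.
ALIASES = {"unix_host": "3,5"}


def parse_members(text, aliases=ALIASES, _depth=0):
    """Expand a member string such as "2,12; 2,14; 10:00:00:80:33:3f:aa:11"
    into a list of ("dp", (domain, port)) and ("wwn", wwn) entries.
    Alias names are resolved recursively."""
    if _depth > 8:
        raise ValueError("alias nesting too deep")
    members = []
    for item in text.split(";"):
        item = item.strip()
        if not item:
            continue
        m = DP_RE.match(item)
        if m:
            members.append(("dp", (int(m.group(1)), int(m.group(2)))))
        elif WWN_RE.match(item.lower()):
            members.append(("wwn", item.lower()))
        elif item in aliases:
            members.extend(parse_members(aliases[item], aliases, _depth + 1))
        else:
            raise ValueError(f"unknown zone member: {item!r}")
    return members


def device_in_zone(port_wwn, members, ns=NAME_SERVER):
    """A device matches a domain,port member by where it is logged in, and
    a WWN member by either its port WWN or its node WWN."""
    node_wwn, domain, port = ns[port_wwn]
    for kind, value in members:
        if kind == "dp" and value == (domain, port):
            return True
        if kind == "wwn" and value in (port_wwn, node_wwn):
            return True
    return False


def name_server_query(initiator, effective_cfg, ns=NAME_SERVER):
    """Answer an initiator's name-server query.

    effective_cfg maps zone name -> parsed member list.  None models a
    disabled configuration, where every device sees every other device."""
    if initiator not in ns:
        raise KeyError(f"{initiator} is not logged in to the fabric")
    others = [d for d in ns if d != initiator]
    if effective_cfg is None:
        return sorted(others)
    visible = set()
    for members in effective_cfg.values():
        if device_in_zone(initiator, members, ns):
            visible.update(d for d in others if device_in_zone(d, members, ns))
    return sorted(visible)


# Constructed effective configuration using the member string from the text.
EFFECTIVE_CFG = {
    "winzone": parse_members("2,12; 2,14; 10:00:00:80:33:3f:aa:11"),
    "unixzone": parse_members("unix_host; 2,16"),
}

if __name__ == "__main__":
    for dev in NAME_SERVER:
        print(dev, "->", name_server_query(dev, EFFECTIVE_CFG))
```

Because this is soft zoning, the filter lives only in the name-server reply; nothing here stops a device that already knows a target's address from sending frames to it, which is exactly why the chapter recommends hardware-enforced zoning where security is a priority.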
Table 55 Enforcing hardware zoning (continued)
Fabric type | Methodology | Best practice
HP StorageWorks 4/8 SAN Switch, 4/16 SAN Switch, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 400 MP Router, 8/8 SAN Switch, 8/24 SAN Switch, 8/40 SAN Switch, and 8/80 SAN Switch, 4/256 SAN Director, and the DC SAN Backbone Director (short name, DC Director) | Enable hardware-enforced zoning on domain,port zones,
[Figure 12 Hardware-enforced overlapping zones; figure labels: WWN_Zone1, Port_Zone1, Port_Zone2, Core Switch, Zone Boundaries, WWN_Zone2]
Any zone using a mixed zoning scheme on the Fabric OS 2-Gbps platform relies on name server authentication as well as hardware-assisted (ASIC) authentication. Hardware-assisted authentication ensures that any PLOGI, ADISC, PDISC, or ACC from an unauthorized device is rejected if that device is attempting to access a device that is not in the same zone.
Considerations for zoning architecture
Table 56 lists considerations for zoning architecture.
Table 56 Considerations for zoning architecture
Item | Description
Type of zoning: hard or soft (session-based) | If security is a priority, hard zoning is recommended.
Use of aliases | The use of aliases is optional with zoning. Using aliases requires structure when defining zones. Aliases will aid administrators of zoned fabrics in understanding the structure and context.
Best practices for zoning
The following are recommendations for using zoning:
• Always zone using the highest Fabric OS-level switch. Switches with earlier Fabric OS versions cannot view all the functionality that a newer Fabric OS provides, because functionality is backwards compatible but not forwards compatible.
• Zone using the core switch rather than an edge switch.
• Zone using an enterprise-class platform rather than a switch.
Broadcast zones and FC-FC routing
If you create broadcast zones in a metaSAN consisting of multiple fabrics connected through an FC router, the broadcast zone must include the IP device that exists in the edge or backbone fabric as well as the proxy device in the remote fabric. See ”Using the FC-FC routing service” on page 211 for information about proxy devices and the FC router.
Upgrade and downgrade considerations
If you upgrade from a Fabric OS version earlier than 5.3.0 to Fabric OS 5.3.
Creating and managing zone aliases A zone alias is a logical group of ports or WWNs. You can simplify the process of creating zones by first specifying aliases, which eliminates the need for long lists of individual zone member names. If you are creating a new alias using aliCreate w, “1,1”, and a user in another Telnet session executes cfgEnable (or cfgDisable, or cfgSave), the other user’s transaction will abort your transaction and you will receive an error message.
You are about to save the Defined zoning configuration. This action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled.
Do you want to save Defined zoning configuration only? (yes, y, no, n): [no] y
To remove members from an alias:
1. Connect to the switch and log in as admin.
2. Enter the aliRemove command, using the following syntax:
aliremove "aliasname", "member[; member...
3. Enter the cfgSave command to save the change to the defined configuration.
switch:admin> alidelete "array1"
switch:admin> cfgsave
You are about to save the Defined zoning configuration. This action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled.
Do you want to save Defined zoning configuration only? (yes, y, no, n): [no] y
To view an alias in the defined configuration:
1.
The values represent the following:
zonename    The name of the zone to be created.
member      A member or list of members to be added to the zone. A zone member can be specified by one or more of the following methods:
• A domain,port pair.
• Device node or device port WWN.
• Zone alias name.
To create a broadcast zone, use the reserved name “broadcast”.
3. Enter the cfgSave command to save the change to the defined configuration.
To remove devices (members) from a zone:
1. Connect to the switch and log in as admin.
2. Enter the zoneRemove command, using the following syntax:
zoneremove "zonename", "member[; member...]"
The values represent the following:
zonename    The name of the zone from which the members are removed.
member      A member or list of members to be removed from the zone. A zone member can be specified by one or more of the following methods:
• A domain,port pair.
• Device node or device port WWN.
• Zone alias name.
3.
The values represent the following:
pattern    A POSIX-style regular expression used to match zone names.
mode       Specify 0 to display the contents of the transaction buffer (the contents of the current transaction), or specify 1 to display the contents of the nonvolatile memory. The default value is 0.
Merging zones
Table 57 presents zoning database size limitations for various Fabric OS release versions. The maximum size of a zone database is the upper limit for the defined configuration, and it is determined by the amount of flash memory available for storing the defined configuration.
Table 57 Zoning database limitations
Fabric OS version | Maximum database size (KB)
2.4.0 | 64
2.5.0 | 64
2.6.0 | 96
3.0.0 | 128
3.1.0 | 96
3.2.0 | 256
4.0.0, 4.1.0, 4.2.0 | 128
4.4.0 | 256
5.0.1 | 256
5.1.0 | 256
5.2.
Table 58 Resulting database size: 0 to 96K (continued)
 | Fabric OS 3.1 | Fabric OS 3.2 | Fabric OS 4.0/4.1/4.2 | Fabric OS 4.4.0 | Fabric OS 5.0.0/5.0.1/5.1.0 | Fabric OS 5.2.0 or later | Fibre Channel Router | XPath 7.3
Fabric OS 4.0/4.1/4.2 | Join | Join | Join | Join | Join | Join | Join | Join
Fabric OS 4.4.0 | Join | Join | Join | Join | Join | Join | Join | Join
Fabric OS 5.0.0/5.0.1/5.1.0 | Join | Join | Join | Join | Join | Join | Join | Join
Fabric OS 5.2.
Table 60 Resulting database size: 128K to 256K (continued)
 | Fabric OS 3.1 | Fabric OS 3.2 | Fabric OS 4.0/4.1/4.2 | Fabric OS 4.4.0 | Fabric OS 5.0.0/5.0.1/5.1.0 | Fabric OS 5.2.0 or later | Fibre Channel Router | XPath 7.3
FC router | Segment | Join | Segment | Join | Join | Join | Join | Segment
XPath 7.3 | Segment | Segment | Segment | Segment | Segment | Segment | Segment | Segment
(Table axes: Receiver, Initiator)
Table 61 Resulting database size: 256K to 1M
 | Fabric OS 3.1 | Fabric OS 3.2 | Fabric OS 4.0/4.1/4.2 | Fabric OS 4.4.
Creating and modifying zoning configurations
You can store a number of zones in a zoning configuration database. The maximum number of items that can be stored in the zoning configuration database depends on the following criteria:
• Number of switches in the fabric.
• Whether or not interoperability mode is enabled.
• Number of bytes per item. The number of bytes required for an item depends on the specifics of the fabric, but cannot exceed 64 bytes per item.
The values represent the following:
cfgname    The name of the zone configuration.
member     The zone name or list of zone names to be added to the configuration.
3. Enter the cfgSave command to save the change to the defined configuration.
switch:admin> cfgadd "newcfg", "bluezone"
switch:admin> cfgsave
You are about to save the Defined zoning configuration. This action will only save the changes on the Defined configuration.
Do you want to save Defined zoning configuration only? (yes, y, no, n): [no] y
To clear changes to a configuration:
1. Enter the cfgTransAbort command. When this command is executed, all changes since the last save operation (performed with the cfgSave command) are cleared.
For example, to display all zone configurations that start with “Test”:
switch:admin> cfgshow "Test*"
cfg: Test1 Blue_zone
cfg: Test_cfg Red_zone; Blue_zone
To view a configuration in the effective zone database:
1. Connect to the switch and log in as admin.
2. Enter the cfgActvShow command.
4. Enter the cfgShow command to verify the new zone object is present.
switch:admin> cfgshow "Test*"
cfg: Test1 Blue_zone
cfg: Test_cfg Red_zone; Blue_zone
switch:admin> cfgShow "US_Test1"
cfg: Test1 Blue_zone
cfg: Test_cfg Red_zone; Blue_zone
5. If you want the change preserved when the switch reboots, enter the cfgSave command to save it to nonvolatile (flash) memory.
6. Enter the cfgEnable command for the appropriate zone configuration to make the change effective.
To delete a zone object:
1.
To rename a zone object: 1. Connect to the switch and log in as admin. 2. Enter the cfgShow command to view the zone configuration objects you want to rename.
4. To validate all zones in the zone database in the defined configuration.
Before the new fabric can merge successfully, it must pass the following criteria:
Before merging zones
To facilitate merging, check the following before merging switches or fabrics:
• Zoning licenses: All switches running Fabric OS v6.0.x or earlier must have a Zoning license enabled.
• Native operating mode: All switches must be in the native operating mode.
• Secure Fabric OS: The switch being merged into the existing fabric must not have Secure Fabric OS enabled.
A merge is not possible if any of the following conditions exist:
• Configuration mismatch: Zoning is enabled in both fabrics and the zone configurations that are enabled are different in each fabric.
• Type mismatch: The name of a zone object in one fabric is used for a different type of zone object in the other fabric.
• Content mismatch: The definition of a zone object in one fabric is different from the definition of the zone object with the same name in the other fabric.
followed by a portDisable or portEnable command on one of the ISL ports that connects the fabrics. This will cause a merge, making the fabric consistent with the correct configuration.
IMPORTANT: Be careful using the cfgClear command because it deletes the defined configuration.
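The three mismatch conditions listed above can be checked against two exported zone databases before an ISL is brought up, which is cheaper than discovering a segmentation afterwards and recovering with cfgClear. The Python below is an added example for this page, not Fabric OS code: the two zone databases, their object names and members, and the function names are constructed for the example, and the dictionary layout (object name mapped to a type and a member set, plus the enabled configuration name) is this example's own representation of what cfgShow displays.

```python
"""Pre-merge check over two fabrics' zone databases, applying the three
mismatch conditions from the text (configuration, type and content).
Added example for this page, not Fabric OS code; both databases are
constructed sample data.

A zone database is a dict with the enabled (effective) configuration name,
or None when zoning is disabled, and an "objects" map of object name ->
(object type, frozenset of members).  Types follow cfgShow naming:
"alias", "zone", "cfg".
"""

FABRIC_A = {
    "enabled_cfg": "prod",
    "objects": {
        "host1": ("alias", frozenset({"1,1"})),
        "blue": ("zone", frozenset({"host1", "2,12"})),
        "red": ("zone", frozenset({"3,5", "2,16"})),
        "prod": ("cfg", frozenset({"blue", "red"})),
    },
}

FABRIC_B = {
    "enabled_cfg": "prod",
    "objects": {
        "host1": ("alias", frozenset({"1,1"})),
        "blue": ("zone", frozenset({"host1", "2,14"})),   # differs from A
        "red": ("alias", frozenset({"3,5"})),              # zone in A, alias here
        "prod": ("cfg", frozenset({"blue", "red"})),
        "green": ("zone", frozenset({"4,0"})),             # only in B: merges additively
    },
}


def merge_problems(fab_a, fab_b):
    """Return a sorted list of (object name, problem) tuples; an empty list
    means none of the three mismatch conditions applies."""
    problems = set()
    a_objs, b_objs = fab_a["objects"], fab_b["objects"]
    a_cfg, b_cfg = fab_a["enabled_cfg"], fab_b["enabled_cfg"]

    # Configuration mismatch: zoning enabled on both sides with different
    # effective configurations (different name, or same name but different
    # definition).  If either side has zoning disabled this test is skipped.
    if a_cfg is not None and b_cfg is not None:
        if a_cfg != b_cfg or a_objs.get(a_cfg) != b_objs.get(b_cfg):
            label = a_cfg if a_cfg == b_cfg else f"{a_cfg}/{b_cfg}"
            problems.add((label, "configuration mismatch"))

    # Type and content mismatches apply to every name present on both sides.
    for name in a_objs.keys() & b_objs.keys():
        (type_a, members_a), (type_b, members_b) = a_objs[name], b_objs[name]
        if type_a != type_b:
            problems.add((name, "type mismatch"))
        elif members_a != members_b:
            problems.add((name, "content mismatch"))
    return sorted(problems)


def can_merge(fab_a, fab_b):
    return not merge_problems(fab_a, fab_b)


def merged_database(fab_a, fab_b):
    """Union of the two object maps; only meaningful when can_merge() holds,
    otherwise the fabrics would segment instead of merging."""
    problems = merge_problems(fab_a, fab_b)
    if problems:
        raise ValueError(f"fabrics would segment: {problems}")
    return {**fab_a["objects"], **fab_b["objects"]}


if __name__ == "__main__":
    print(merge_problems(FABRIC_A, FABRIC_B))
```

In the constructed data, blue fails on content and red fails on type, while green is simply absent from fabric A and would be carried across by the additive merge; the same name used as a zone on one side and an alias on the other is the type mismatch the text describes.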
9 Configuring Directors
This chapter contains procedures that are specific to the:
• HP StorageWorks 4/256 SAN Director
• HP StorageWorks DC SAN Backbone Director
For detailed information see the HP StorageWorks SAN Director hardware reference manual or the HP StorageWorks DC SAN Backbone Director hardware reference manual.
Identifying ports
Because Directors contain interchangeable port blades, their procedures differ from those for fixed-port switches.
Director port numbering schemes
Table 62 lists the port numbering schemes for the 4/256 Director and DC Director.
Table 62 Port numbering schemes for the 4/256 Director and DC Director
Port blades | Numbering scheme
FC2-16, FC4-16, FC8-16 | Ports are numbered from 0 through 15 from bottom to top.
FC4-32, FC8-32 | Ports are numbered from 0 through 15 from bottom to top on the left set of ports and 16 through 31 from bottom to top on the right set of ports.
A number of fabric-wide databases supported by Fabric OS (including ZoneDB, the ACL DDC, and Admin Domain) allow a port to be designated by the use of a “D,P” (domain,port) notation. While the “P” component appears to be the port number, in up to 255 ports it is actually the area assigned to that port. If the PID format is changed from Extended-edge to Core, the “P” value for ports 0-127 also changes. If two ports are changed using the portSwap command, their respective areas and “P” values are exchanged.
Table 63 Default index/area_ID core PID assignment with no port swap (continued)
Port on blade | Slot 1 Idx/area | Slot 2 Idx/area | Slot 3 Idx/area | Slot 4 Idx/area | Slot 7 Idx/area | Slot 8 Idx/area | Slot 9 Idx/area | Slot 10 Idx/area
23 | 135/135 | 151/151 | 167/167 | 183/183 | 199/199 | 215/215 | 231/231 | 247/247
22 | 134/134 | 150/150 | 166/166 | 182/182 | 198/198 | 214/214 | 230/230 | 246/246
21 | 133/133 | 149/149 | 165/165 | 181/181 | 197/197 | 213/213 | 229/229 | 245/245
20 | 132/132 | 148/148 | 164/164 | 180/180 | 196/196 | 212/212
Powering port blades off and on
All blades are powered on by default when the switch chassis is powered on. Blades cannot be powered off when POST or AP initialization is in progress.

NOTE: In the DC Director, the core blades in slots 5 and 8 cannot be powered off with the CLI interface. You must manually power off the blades by unseating the blade from its mounting or removing the power from the chassis.

To power off a port blade:
1. Connect to the switch and log in as admin.
2.
If a previously configured FR4-18i blade is removed and another or the same FR4-18i blade is inserted into the same slot, then the ports use the previous configuration and come up enabled. If a previously-configured FR4-18i blade is removed and an FC4-48, FC4-32, FC4-16, FC8-48, FC8-32, FC8-16, or FC10-6 blade is plugged in, then—other than the port’s EX_Port configuration—all the remaining port configurations previously applied to the FR4-18i FC_Ports can be used.
Blade terminology and compatibility Before configuring a chassis, familiarize yourself with the Director CP blade and port blade nomenclature, as well as the port blade compatibilities. Often in procedures, only the abbreviated names for CP and port blades are used (for example, the FC4-16 blade). Table 64 includes CP and port blade abbreviations and descriptions.
type of CP blade installed and that each CP (primary and secondary partition) maintains the same firmware version.

Core blades
The DC Director supports two CR8 core blades. This blade is used for intra-chassis switching as well as ICL connectivity to another DC Director chassis. The 4/256 Director does not support core blades.

Port blade compatibility
Table 65 identifies which port blades are supported for each Director.
Table 67 lists chassis configuration options and resulting slot configurations.

Table 67 Chassis configuration options
Option   Result
1        One 128-port switch (Blade IDs 4, 17 on slots 1–4, 7–10. Blade ID 5 and 16 on slots 5, 6)
5        One 384-port switch (Blade IDs 4, 17, 18, 31, and 36 on slots 1–4, 7–10. Blade ID 16 on slots 5, 6)
See Table 64 for details about the different blades, including their corresponding IDs.

Displaying slot information
To display the status of all slots in the chassis:
1.
Inter Chassis Link behavior between two HP StorageWorks DC Directors
Inter Chassis Link (ICL) is a licensed feature used to interconnect two DC Directors. There are two ICL connector ports, ICL0 and ICL1, on each core blade, each aggregating a set of 16 ports. Thus each core blade provides 32 ICL ports and there are 64 ICL ports available for the entire DC Director chassis. All the ICL connector ports must be connected to the same two DC Director chassis. ICL ports can be used only with an ICL license.
10 Routing traffic

This chapter provides information on routing policies.

Data routing and routing policies
Data moves through a fabric from switch to switch and from storage to server along one or more paths that make up a route. Routing policies determine the path for each frame of data.

IMPORTANT: For most configurations, the default routing policy is optimal, and provides the best performance.
Whatever routing policy a switch is using applies to the VE_Ports as well. See ”Configuring and monitoring FCIP extension services” on page 375 for details about VE_Ports. To display the current routing policy and specify a different routing policy, use the aptPolicy command. The aptPolicy command detects the switch’s configuration options and provides the appropriate policies for you to select from. You must disable the switch before changing the routing policy, and re-enable it afterward.
In a stable fabric, frames are always delivered in order, even when the traffic between switches is shared among multiple paths. However, when topology changes occur in the fabric (for example, if a link goes down), traffic is rerouted around the failure, and some frames could be delivered out of order. Most destination devices tolerate out-of-order delivery, but some do not.
3. Enter the dlsSet command to enable DLS or enter the dlsReset command to disable it.
switch:admin> dlsshow
DLS is not set
switch:admin> dlsset
switch:admin> dlsshow
DLS is set
switch:admin> dlsreset
switch:admin> dlsshow
DLS is not set

Viewing routing path information
The topologyShow and uRouteShow commands provide information about the routing path.
1. Connect to the switch and log in as admin.
2.
3. Use the uRouteShow command to display unicast routing information.
Viewing routing information along a path You can display detailed routing information from a source port (or area) on the local switch to a destination port (or area) on another switch. This routing information describes the full path that a data stream travels between these ports, including all intermediate switches. 1. Connect to the switch and log in as admin. 2. Enter the pathInfo command.
The information that pathInfo provides is:
Hops        The number of switch-to-switch links (ISLs) traversed. The local switch is hop 0.
In Port     The port that the frames come in from on this path. For hop 0, the source port.
Domain ID   The domain ID of the switch.
Name        The name of the switch.
Out Port    The output port that the frames use to reach the next hop on this path. For the last hop, the destination port.
BW          The bandwidth of the output ISL, in Gbps. It does not apply to the embedded port.
11 Implementing an interoperable fabric

For information on HP supported interop configurations, refer to the HP StorageWorks Fabric interoperability: merging fabrics based on C-Series and B-Series Fibre Channel switches on the following HP website:
http://h18000.www1.hp.com/products/storageworks/san/documentation.html
12 Configuring the Distributed Management Server

This chapter provides information on enabling and disabling the platform services, configuring and controlling access to the Management Server database, and using the topology discovery feature.

Overview
The Fabric OS Distributed Management Server allows a SAN management application to retrieve information and administer interconnected switches, servers, and storage devices.
Enabling platform services
1. Connect to the switch and log in as admin.
2. Enter the msplMgmtActivate command.
switch:admin> msplmgmtactivate
Request to activate MS Platform Service in progress......
*Completed activating MS Platform Service in the fabric!
switch:admin>

Disabling platform services
1. Connect to the switch and log in as admin.
2. Enter the msplMgmtDeactivate command.
3. Enter y to confirm the deactivation.
switch:admin> msplmgmtdeactivate
MS Platform Service is currently enabled.
1 Display the access list
2 Add member based on its Port/Node WWN
3 Delete member based on its Port/Node WWN
select : (0..3) [1] 0
done ...
switch:admin>

Adding a member to the ACL
1. Connect to the switch and log in as admin.
2. Enter the msConfigure command. The command becomes interactive.
3. At the select prompt, enter 2 to add a member based on its port/node WWN.
4. Enter the WWN of the host to be added to the ACL.
5.
1 Display the access list
2 Add member based on its Port/Node WWN
3 Delete member based on its Port/Node WWN
select : (0..3) [1] 0
done ...
Update the FLASH? (yes, y, no, n): [yes] y
*Successfully saved the MS ACL to the flash.
switch:admin>

Deleting a member from the ACL
1. Connect to the switch and log in as admin.
2. Enter the msConfigure command. The command becomes interactive.
3. At the select prompt, enter 3 to delete a member based on its port/node WWN.
4.
1 Display the access list
2 Add member based on its Port/Node WWN
3 Delete member based on its Port/Node WWN
select : (0..3) [1] 0
done ...
Update the FLASH? (yes, y, no, n): [yes] y
*Successfully saved the MS ACL to the flash.
switch:admin>

Viewing the contents of the management server database
The Management Server database can be viewed or cleared. The command msPlClearDB is allowed only in AD0 and AD255.
To view the contents of the Management Server database:
1.
switch:admin> mstdreadconfig
*MS Topology Discovery is Enabled.

To enable topology discovery:
1. Connect to the switch and log in as admin.
2. Enter the mstdEnable command to enable the discovery feature locally.
3. Enter the mstdEnable all command to enable the discovery feature on the entire fabric.
switch:admin> mstdenable
Request to enable MS Topology Discovery Service in progress....
*MS Topology Discovery enabled locally.
13 iSCSI Gateway services

Overview of iSCSI gateway service
The FC4-16IP iSCSI gateway service is an intermediate device in the network, allowing iSCSI initiators in an IP SAN to access and utilize storage in a Fibre Channel (FC) SAN as shown in the figure below.
To represent all iSCSI initiators and sessions, each iSCSI portal has one iSCSI virtual initiator (VI) to the FC fabric that appears as an N_Port device with a special WWN format. Regardless of the number of iSCSI initiators or iSCSI sessions sharing the portal, Fabric OS uses one iSCSI VI per iSCSI portal. The following figure shows the interaction of different layers from the iSCSI initiator stack to the FC target stack, including the iSCSI gateway service used during protocol translation.
Advanced LUN mapping
iSCSI VTs can be mapped to more than one physical FC target, and the LUNs can be mapped to different virtual LUNs. The following figure shows an advanced mapping scenario.
The following figure shows an iSCSI gateway that has three iSCSI VTs and two iSCSI initiators.
Figure: iSCSI initiator A (iqn.2003-11.com.microsoft:win2k-sn-192168101) and iSCSI initiator B reach, over the IP network, the iSCSI virtual targets VT1 (iqn.2002-12.com.brocade:10:00:00:05:1e:aa:bb:cc), VT2 (iqn.2002-12.com.brocade:10:00:00:05:1e:cc:bb:aa), and VT3 (iqn.2002-12.com.brocade:10:00:00:05:1e:bb:cc:aa).
Figure 21 Discovery domain set configuration example (DDSet 1 containing DD1 and DD2; iSCSI initiators A and B reach VT1, VT2, and VT3 through the IP network and the iSCSI gateway service)

Switch-to-iSCSI initiator authentication
iSCSI sessions are authenticated using CHAP (Challenge Handshake Authentication Protocol). The iSCSI gateway service supports the following three strategies for CHAP authentication:
• One-way—Only the iSCSI VT authenticates the session.
Enabling and disabling connection redirection for load balancing
1. Connect to the switch and log in.
2. Enter the appropriate form of the iscsiSwCfg command for the operation you want to perform:
• To enable connection redirection, use the iscsiSwCfg --enableconn command. For 4/256 SAN Directors, the -s option can be used to enable connection redirection for specific slots, and the all option may be used to enable connection redirection for all slots.
Supported iSCSI initiators

Table 69 Supported iSCSI initiators
iSCSI initiator   Driver versions
Windows           • MS iSCSI initiator 2.02
                  • MS iSCSI initiator 2.03
                  • MS iSCSI initiator 2.04
Linux             • RH EL 4 default initiator
                  • 2.6.10 - 4.0.2 iSCSI initiator (SourceForge.Net initiator)
                  • 2.4.20 - 3.6.2 iSCSI initiator (SourceForge.Net initiator)
                  • SUSE 9
                  • SUSE 10
Solaris           • iSCSI is built-in with the 5.11 with the latest Solaris Express release
AIX               • iSCSI is built-in in the 5.3 ML4
HP-UX             • 11i v1 - B.11.23.
Table 70 iSCSI target gateway configuration steps (continued)
Step   Command                                          Procedure
7      Create discovery domains, where members are iSCSI components identified using IQNs.
       iscsiCfg --create dd -d \ -m “,,,.. .”           ”Creating discovery domains” on page 267
8      Create discovery domain set, where members are discovery domains.
       iscsiCfg --create ddset -n \ -d “,,...
FC4-16IP Blade Configuration
This section describes the initial setup required to deploy an iSCSI gateway solution.

NOTE: Only the 4/256 SAN Director with an iSCSI-enabled FC4-16IP blade running Fabric OS 5.2.0 or later supports the iSCSI gateway service.

You can also configure an FC4-16IP blade through the Web Tools Graphical User Interface as an alternative to the command line interface. Refer to the Web Tools Administrator’s Guide for descriptions of GUI-based configuration procedures.
Enabling the iSCSI gateway service
The iSCSI gateway service translates and directs SCSI traffic between an iSCSI initiator and an FC target. This section explains how to enable the iSCSI gateway service on the 4/256 SAN Director.
1. Connect and log in to the switch.
2. Enter the fosConfig --show command to show the current Fabric OS configuration.
switch:admin> fosconfig --show
FC Routing service: disabled
iSCSI service: disabled
iSNS Client service: disabled
3.
3. Take the appropriate action based on the Persistent Disable setting:
• If it is set to OFF, proceed to step 4.
• If it is set to ON, enter the portCfgPersistentEnable command with the slot number and GbE port number.
switch:admin> portcfgpersistentenable 10/ge0
4. Enter the portCfgShow command with the slot number and GbE port number to verify that the port is persistently enabled. In the following sample output, the Persistent Disable setting is set to OFF.
4. (Optional) Enter the portCfg command to define static routes to reach the destination IP through a preferred gateway.
switch:admin> portcfg iproute 3/ge0 create 0.0.0.0 0.0.0.0 30.0.0.1 1
Operation Succeeded
The gateway must be on the same subnet as the GbE port. You can specify a maximum of 32 routes per GbE port.
5.
Automatic iSCSI VT creation
An iSCSI VT is created using target LUNs from the attached FC network. LUNs are mapped to iSCSI VTs by creating unique iSCSI Qualified Names (IQNs) for each target. You can create iSCSI VTs by using the iscsiCfg --easycreate tgt command. There are two options.
• An iSCSI VT may be created for every FC target. IQNs are created automatically, using the port WWNs as the user defined portion of the IQN.
20  2f:7f:00:06:2b:0d:10:ba  iqn.2002-12.com.brocade:2f:7f:00:06:2b:0d:10:ba  Operation Succeeded
21  2f:9f:00:06:2b:0d:10:ba  iqn.2002-12.com.brocade:2f:9f:00:06:2b:0d:10:ba  Operation Succeeded
22  2f:bf:00:06:2b:0d:10:ba  iqn.2002-12.com.brocade:2f:bf:00:06:2b:0d:10:ba  Operation Succeeded
23  2f:df:00:06:2b:0d:10:ba  iqn.2002-12.com.brocade:2f:df:00:06:2b:0d:10:ba  Operation Succeeded
24  2f:ff:00:06:2b:0d:12:9a  iqn.2002-12.com.brocade:2f:ff:00:06:2b:0d:12:9a  Operation Succeeded
4.
Name:          iqn.2002-12.com.brocade:2f:ff:00:06:2b:0d:12:9a
State/Status:  Online/Defined

Generating an iSCSI VT for a specific FC target
1. Connect and log in to the switch.
2. Enter the iscsiCfg --easycreate tgt command with the -w option to create an iSCSI VT that contains only the storage attached to the specified WWN. The default value of iqn.2002-12.com.brocade is used for the fixed prefix, and the port WWN is used as the user-defined portion of the IQN. The following is an example.
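The two easycreate variants above (one VT per FC target, or only the target named with -w) share one naming rule: fixed prefix iqn.2002-12.com.brocade, then the port WWN as the user-defined part. The following is an added example, not code from this guide or from Fabric OS, that reproduces that rule for a list of target port WWNs and checks the result against the IQN syntax of RFC 3720 (iqn. type, lower case, at most 223 bytes). Only the prefix and the WWN-as-suffix rule come from the page; the WWN normalisation and the syntax checks are the example's own, and the sample WWNs are the ones in the command output above.

```python
"""Model of iscsiCfg --easycreate tgt naming: one iSCSI VT IQN per FC target port WWN.

Added example, not the Fabric OS implementation. Assumptions: WWNs are given as
eight colon-separated hex bytes, and IQNs must satisfy the RFC 3720 grammar.
"""
import re
from typing import Dict, Iterable, Optional

DEFAULT_PREFIX = "iqn.2002-12.com.brocade"          # fixed prefix named on the page
_WWN_RE = re.compile(r"^(?:[0-9a-f]{2}:){7}[0-9a-f]{2}$")
_IQN_RE = re.compile(r"^iqn\.\d{4}-\d{2}\.[a-z0-9.-]+(?::[a-z0-9.:-]+)?$")
_IQN_MAX_BYTES = 223                                 # RFC 3720 limit for iSCSI names


def is_valid_wwn(wwn: str) -> bool:
    return bool(_WWN_RE.match(wwn.strip().lower()))


def normalize_wwn(wwn: str) -> str:
    """Lower-case the WWN so the same port always yields the same IQN."""
    w = wwn.strip().lower()
    if not _WWN_RE.match(w):
        raise ValueError(f"not a port WWN: {wwn!r}")
    return w


def vt_iqn(port_wwn: str, prefix: str = DEFAULT_PREFIX) -> str:
    """Build the VT IQN and refuse anything that is not a well-formed iqn. name."""
    iqn = f"{prefix}:{normalize_wwn(port_wwn)}"
    if len(iqn.encode()) > _IQN_MAX_BYTES or not _IQN_RE.match(iqn):
        raise ValueError(f"generated name is not a valid IQN: {iqn!r}")
    return iqn


def easycreate_targets(fc_target_wwns: Iterable[str],
                       only_wwn: Optional[str] = None) -> Dict[str, str]:
    """Mirror the two options on the page: every FC target, or (-w) a single WWN.

    Returns {port_wwn: iqn}. Duplicate WWNs are rejected because each VT name
    must be unique.
    """
    wanted = normalize_wwn(only_wwn) if only_wwn else None
    result: Dict[str, str] = {}
    for raw in fc_target_wwns:
        wwn = normalize_wwn(raw)
        if wanted is not None and wwn != wanted:
            continue
        if wwn in result:
            raise ValueError(f"duplicate FC target WWN {wwn}")
        result[wwn] = vt_iqn(wwn)
    return result
```

Run it over the WWNs from the output above and you get exactly the iqn.2002-12.com.brocade:… names the switch printed; pass only_wwn to reproduce the -w behaviour.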
6. Enter the iscsiCfg --show lun command with the -t option to verify that the LUN has been added to the iSCSI VT, where -t is the IQN that identifies the iSCSI VT. The following is an example.
switch:admin> iscsicfg --show lun -t iqn.2002-12.com.brocade:example-disk001
Number of targets found: 1
Target: iqn.2006-10.com.example:disk001
Number of LUN Maps: 1
FC WWN                   Virtual LUN(s)   Physical LUN(s)
21:00:00:04:cf:e7:73:7e  0                0

Mapping LUNs on a specific port to an iSCSI VT
1.
Displaying the iSCSI virtual target LUN map
1. Connect and log in to the switch.
2. Enter the iscsiCfg --show lun command:
switch:admin> iscsicfg --show lun
Number of targets found: 2
Target: iqn.2006-10.com.example:disk001
Number of LUN Maps: 2
FC WWN                   Virtual LUN(s)   Physical LUN(s)
21:00:00:04:cf:e7:73:7e  0                0
2f:ff:00:06:2b:0d:12:99  1-2              0-1
Target: iqn.2002-10.com.
Displaying iSCSI initiator IQNs
All iSCSI components in a DD must be identified using IQNs. Fabric OS temporarily stores the IQNs and IP addresses of iSCSI initiators that have logged in to the gateway.

NOTE: If an iSCSI initiator has more than one IP address, only one of the IP addresses is displayed.

1. Connect and log in to the switch.
2. Enter the iscsiCfg --show initiator command to display iSCSI initiator IQNs.
switch:admin> iscsicfg --show initiator
Number of records found: 1
Name iqn.1991-05.com.
iSCSI initiator-to-VT authentication configuration
Fabric OS 5.2.0 or later supports both one-way and mutual CHAP authentication for iSCSI initiator-to-iSCSI VT target sessions. The authentication method (CHAP or none) is set on a per-iSCSI VT basis.

Setting the user name and shared secret
Authentication depends on a user name and shared secret. When an iSCSI VT authenticates an iSCSI initiator, it checks the user name and shared secret against all configured CHAP values.
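The one-way and mutual strategies introduced under "Switch-to-iSCSI initiator authentication" and the per-VT user name and shared secret described here fit together as follows. The block below is an added example, not code from this guide or from Fabric OS: it models one VT's binding list of user names and secrets and runs the CHAP exchange of RFC 1994 with MD5, which is the CHAP algorithm iSCSI negotiates. In one-way mode only the VT verifies the initiator; in mutual mode the initiator then challenges the VT, which answers with its own configured identity and secret. The VT identity, the secrets and the user names are constructed values, and the random source is injectable only so the exchange can be driven deterministically in tests.

```python
"""One-way and mutual CHAP between an iSCSI initiator and an iSCSI VT.

Added example, not the Fabric OS implementation. The VT keeps a binding list
(user name -> shared secret) and, for mutual CHAP, its own name and secret.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional, Tuple


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(Identifier || Secret || Challenge).
    MD5 is retained because that is what iSCSI CHAP (CHAP_A=5) uses."""
    return hashlib.md5(bytes([chap_id & 0xFF]) + secret + challenge).digest()


class VirtualTarget:
    """CHAP state of one iSCSI VT."""

    def __init__(self, iqn: str, target_user: Optional[str] = None,
                 target_secret: bytes = b"") -> None:
        self.iqn = iqn
        self.bound: Dict[str, bytes] = {}     # binding list: user name -> secret
        self.target_user = target_user        # identity offered for mutual CHAP
        self.target_secret = target_secret

    def bind_user(self, user: str, secret: bytes) -> None:
        self.bound[user] = secret

    def delete_user(self, user: str) -> None:
        """Mirrors iscsiCfg --deleteusername: the user can no longer authenticate."""
        self.bound.pop(user, None)

    def verify(self, user: str, chap_id: int, challenge: bytes, response: bytes) -> bool:
        """The VT's check: the user must be bound and the response must match its secret."""
        secret = self.bound.get(user)
        if secret is None:
            return False                      # unknown user: reject without detail
        expected = chap_response(chap_id, secret, challenge)
        return hmac.compare_digest(expected, response)


def one_way_login(vt: VirtualTarget, user: str, secret: bytes,
                  rng: Callable[[int], bytes] = os.urandom) -> bool:
    """One-way CHAP: only the VT authenticates the initiator."""
    chap_id = rng(1)[0]
    challenge = rng(16)                       # VT -> initiator
    response = chap_response(chap_id, secret, challenge)   # computed on the initiator
    return vt.verify(user, chap_id, challenge, response)


def mutual_login(vt: VirtualTarget, user: str, secret: bytes,
                 expected_target_user: str, target_secret: bytes,
                 rng: Callable[[int], bytes] = os.urandom) -> Tuple[bool, bool]:
    """Mutual CHAP: (VT accepted the initiator, initiator accepted the VT)."""
    if not one_way_login(vt, user, secret, rng):
        return (False, False)
    chap_id = rng(1)[0]
    challenge = rng(16)                       # initiator -> VT
    if vt.target_user != expected_target_user:
        return (True, False)                  # VT is not the identity the initiator expects
    vt_response = chap_response(chap_id, vt.target_secret, challenge)
    initiator_check = chap_response(chap_id, target_secret, challenge)
    return (True, hmac.compare_digest(vt_response, initiator_check))
```

Note that in one-way mode a VT that accepts the initiator says nothing about whether the initiator reached the intended VT; only the mutual exchange gives the initiator that assurance, and only if the initiator holds the VT's secret.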
Deleting user names from an iSCSI VT binding list
User names can be deleted from the list of bound user names.
1. Connect and log in to the switch.
2. Enter the iscsiCfg --deleteusername tgt command with the -t and -u options to delete a user name:
switch:admin> iscsicfg --deleteusername tgt -t iqn.2002-10.com.
Resolving conflicts between iSCSI configurations When you merge two fabrics with different iSCSI configurations, a conflict will result. If there is a conflict, the database will not be merged and you must resolve the conflict. The iscsiCfg --show fabric command displays the “out of sync” state. The rest of the switches will function normally, however, since there is no segmentation of E_Ports as a result of discovery domain set database conflicts. 1. Connect to the switch and log in. 2.
• Enter the fcLunQuery command with the -s option to return the node and port WWNs of the switch. The following is an example.
switch:admin> fclunquery -s
The following WWNs will be used for any lun query from this switch:
Node WWN: 10:00:00:60:69:80:04:4a
Port WWN: 21:fd:00:60:69:80:04:4a

iSCSI FC zoning overview
After you have finished setting up the iSCSI target gateway, you can create an iSCSI FC zone for discovery domains.
iSCSI FC zone creation
To create an iSCSI FC zone, you must include the following iSCSI elements in the zone:
• The FC targets, used to create the virtual targets (VT).
• The iSCSI virtual initiators (VIs):
  • If there is more than one FC4-16IP blade in the chassis, you must add all virtual initiators to the same zone.
  • If there is more than one FC4-16IP blade in the fabric, you must add all virtual initiators from all switches to the same zone.
    FC4s: FCP
    PortSymb: [23] "iSCSI Virtual Initiator"
    NodeSymb: [51] "IPAddr: 30.0.127.34 Slot/Port: 3/ge4 Logical pn: 44"
    Fabric Port Name: 00:00:00:00:00:00:00:00
    Permanent Port Name: 50:06:06:9e:00:15:63:20
    Port Index: 44
    Share Area: No
    Device Shared in Other AD: No
 N    012d00;    3;50:06:06:9e:00:15:63:28;50:06:06:9e:00:15:63:29; na
    FC4s: FCP
    PortSymb: [23] "iSCSI Virtual Initiator"
    NodeSymb: [51] "IPAddr: 30.0.127.
8. Enter the zoneCreate command to create the zone. The following example illustrates the creation of a zone by specifying the aliases for FC targets and iSCSI virtual initiators as members of the named zone.
switch:admin> zonecreate iscsi_zone001, "ISCSI_TARGETS; ISCSI_VI_SWITCH1_SLOT3"
switch:admin>
where:
zonename               The user-defined name for the created zone.
member_FCtarget_pWWN   iSCSI FC targets specified by either WWNs and/or alias.
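The rule at the top of this section (every VI in the chassis or fabric, plus every FC target behind a VT, must be in the same zone) is easy to check mechanically from name-server output, because each VI registers the port symbolic name "iSCSI Virtual Initiator". The block below is an added example, not code from this guide or from Fabric OS: it parses name-server text in the shape of the nsShow fragment above, collects the VI port WWNs, and reports which required members a proposed zone is missing. The sample text is constructed for the example (the two VI WWNs and the port symbol follow the page; the PIDs, the second IP address and the disk-array entry are invented), and the check works on port WWNs rather than the aliases used in the zoneCreate example.

```python
"""Check an iSCSI FC zone for the members the page requires: all iSCSI virtual
initiators plus the FC targets behind the VTs.

Added example, not the Fabric OS implementation. NS_SAMPLE is constructed in the
shape of nsShow output; PIDs and the disk-array record are invented.
"""
import re
from typing import Dict, Iterable, List, Set

NS_SAMPLE = """\
 N    012c00;    3;50:06:06:9e:00:15:63:20;50:06:06:9e:00:15:63:21; na
    FC4s: FCP
    PortSymb: [23] "iSCSI Virtual Initiator"
    NodeSymb: [51] "IPAddr: 30.0.127.34 Slot/Port: 3/ge4 Logical pn: 44"
    Permanent Port Name: 50:06:06:9e:00:15:63:20
 N    012d00;    3;50:06:06:9e:00:15:63:28;50:06:06:9e:00:15:63:29; na
    FC4s: FCP
    PortSymb: [23] "iSCSI Virtual Initiator"
    NodeSymb: [51] "IPAddr: 30.0.127.35 Slot/Port: 3/ge5 Logical pn: 45"
    Permanent Port Name: 50:06:06:9e:00:15:63:28
 N    010500;    3;21:00:00:04:cf:e7:73:7e;20:00:00:04:cf:e7:73:7e; na
    FC4s: FCP
    PortSymb: [22] "CONSTRUCTED DISK ARRAY"
"""

# Record header: "N <pid>; <cos>;<port WWN>;<node WWN>; ..."
_HDR = re.compile(r"^\s*N\s+([0-9a-f]{6});\s*\d+;([0-9a-f:]{23});([0-9a-f:]{23});")
VI_PORT_SYMBOL = "iSCSI Virtual Initiator"


def parse_ns(text: str) -> List[Dict[str, str]]:
    """Split name-server text into records with pid, port/node WWN and port symbol."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = _HDR.match(line)
        if m:
            records.append({"pid": m.group(1), "pwwn": m.group(2),
                            "nwwn": m.group(3), "portsymb": ""})
        elif records and line.strip().startswith("PortSymb:") and '"' in line:
            records[-1]["portsymb"] = line.split('"', 2)[1]
    return records


def virtual_initiators(records: List[Dict[str, str]]) -> Set[str]:
    """Port WWNs of every iSCSI VI the name server knows about."""
    return {r["pwwn"] for r in records if r["portsymb"] == VI_PORT_SYMBOL}


def missing_zone_members(zone_members: Iterable[str], records: List[Dict[str, str]],
                         vt_target_wwns: Iterable[str]) -> Set[str]:
    """Required members (all VIs + the FC targets behind the VTs) absent from the zone."""
    required = virtual_initiators(records) | {w.lower() for w in vt_target_wwns}
    present = {m.lower() for m in zone_members}
    return required - present
```

The FC target WWNs come from the VT LUN map (the FC WWN column of iscsiCfg --show lun); a non-empty result means the zone will leave some VI or target unable to reach the others.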
iSNS client service configuration The internet storage name service (iSNS) server facilitates the automatic discovery and manages access control of iSCSI VTs on a TCP/IP network. iSNS clients initiate transactions with iSNS servers using the iSNS protocol, register available iSCSI VTs, download information about other registered clients (such as iSCSI initiators), and receive notification of events that occur in the DDs.
3. Enter the fosConfig --show command to verify that the service is enabled:
switch:admin> fosconfig --show
FC Routing service: disabled
iSCSI service: enabled
iSNS Client service: enabled
4. Set the IP address of the iSNS server. You can use either the IP address of the GbE port that attaches the FC4-16IP blade, or the server management port IP address.
Clearing the iSNS client configuration The iSNS client configuration can be cleared with a single command. 1. Connect and log in to the switch. 2.
14 Administering NPIV

This chapter describes the concepts and procedures for administering N-Port ID Virtualization (NPIV).

About NPIV
NPIV enables a single Fibre Channel protocol port to appear as multiple, distinct ports, providing separate port identification within the fabric for each operating system image behind the port (as if each operating system image had its own unique physical port). NPIV assigns a different virtual port ID to each Fibre Channel protocol device.
The following example shows the configuration of these parameters:
switch:admin> switchdisable
switch:admin> configure
Configure...
Fabric parameters (yes, y, no, n): [no]
Virtual Channel parameters (yes, y, no, n): [no]
F-Port login parameters (yes, y, no, n): [no] y
Maximum logins per switch: (1..4032) [4032] 2048
Maximum logins per port: (1..255) [255] 126
. . .
output indicates whether or not a port is an NPIV F_Port, and identifies the number of virtual N_Ports behind it. Following is sample output from the switchShow command:
switch:admin> switchshow
switchName: swd77
switchType: 32.
Interrupts:     0         Link_failure:   16
Unknown:        0         Loss_of_sync:   422
Lli:            294803    Loss_of_sig:    808
Proc_rqrd:      0         Protocol_err:   0
Timed_out:      0         Invalid_word:   0
Rx_flushed:     0         Invalid_crc:    0
Tx_unavail:     0         Delim_err:      0
Free_buffer:    0         Address_err:    1458
Overrun:        0         Lr_in:          15
Suspended:      0         Lr_out:         17
Parity_err:     0         Ols_in:         16
2_parity_err:   0         Ols_out:        15
CMI_bus_err:    0         Frjt:           0
                          Fbsy:           0

Displaying login information
Use the portLoginShow command to display the login information for the virtual PIDs of a port.
15 Optimizing fabric behavior

This chapter describes the Adaptive Networking features.

Introduction to adaptive networking
Adaptive Networking is a suite of tools and capabilities that enable you to ensure optimized behavior in the SAN. Even under the worst congestion conditions, the Adaptive Networking features can maximize the fabric behavior and provide necessary bandwidth for high-priority, mission-critical applications and connections.
Figure 25 shows a fabric with a TI zone consisting of N_Ports “1,8” and “4,6” and E_Ports “1,1”, “3,9”, “3,12”, and “4,7”. The dotted line indicates the dedicated path from Domain 1 to Domain 4.
Figure 25 Traffic Isolation zone creating a dedicated path through the fabric (Domain 1, Domain 3, and Domain 4; dotted line = dedicated path; marked ports = ports in the TI zone)
In Figure 25, all traffic entering Domain 1 from N_Port 8 is routed through E_Port 1.
For example, in Figure 26, there is a dedicated path between Domain 1 and Domain 3, and another, non-dedicated, path that passes through Domain 2. Since the non-dedicated path is not the shortest path between Domain 1 and Domain 3, all traffic will use the dedicated path.
• The TI zones appear in the defined zone configuration only and do not appear in the effective zone configuration. A TI zone only provides Traffic Isolation and is not a “regular” zone.
• A TI zone must include a set (two or more) of E_Ports forming an end-to-end path. Inclusion of N_Ports is optional.
• Each TI zone is interpreted by each switch and each switch considers only the routing required for its local ports.
• FCR does not support Traffic Isolation.
• Ports in a TI zone must belong to switches that run Fabric OS v6.0 or later.
• Traffic Isolation is not supported in fabrics with switches running firmware versions earlier than Fabric OS 6.0. However, the existence of a TI zone in such a fabric is backward compatible and does not disrupt fabric operation in switches running earlier firmware versions.
To create a TI zone with failover enabled and activate it (default settings), type:
zone --create -t ti redzone -p "1,1; 2,4; 1,8; 2,6"
To create a deactivated TI zone with failover disabled, type:
zone --create -t ti -o dn redzone -p "1,1; 2,4; 1,8; 2,6"

Modifying TI zones
Using the zone --add and zone --remove commands, you can add and remove ports and change the failover option of existing TI zones. If you remove the last member of a TI zone, the TI zone is deleted.
To modify a TI zone:
1.
2. Enter the zone --add command to add ports or change the failover option for an existing TI zone. Enter the zone --remove command to remove ports from an existing TI zone.
zone --add [-o optlist] name -p "portlist"
zone --remove name -p "portlist"
where:
optlist    A list of options for controlling failover mode.
           • Disable failover mode.
           • Enable failover mode.
name       The name of the zone to be modified.
portlist   The list of ports to be added to or removed from the TI zone.
Deleting a TI zone
Use the zone --delete command to delete a TI zone from the defined configuration. This command deletes the entire zone; to only remove port members from a TI zone, use the zone --remove command, as described in ”Modifying TI zones” on page 288.
To delete a TI zone:
1. Connect to the switch and log in as admin.
2. Enter the zone --delete command.
zone --delete name
where:
name   The name of the zone to be deleted.
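The create, add, remove and delete operations above, together with the structural rule that a TI zone needs two or more E_Ports while N_Ports are optional, can be modelled as a small defined-configuration object. The following is an added example, not code from this guide or from the zone command: it parses the page's "D,P" port-list syntax, applies the rule that removing the last member deletes the zone, and validates E_Port membership. Because a D,P list does not say which ports are E_Ports, the validator takes a constructed port-type map as an assumption; the -o option letters are not modelled, failover and activation are plain flags, and whether the E_Ports really form an end-to-end path needs topology the example does not have.

```python
"""TI zone life cycle: create, add, remove (delete on last member), delete, validate.

Added example, not the Fabric OS implementation. Port-type information is an
assumed input; the -o option letters are not modelled.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DP = Tuple[int, int]


def parse_portlist(portlist: str) -> List[DP]:
    """'1,1; 2,4' -> [(1, 1), (2, 4)]; anything that is not Domain,Port is rejected."""
    members: List[DP] = []
    for item in portlist.split(";"):
        item = item.strip()
        if not item:
            continue
        domain, port = item.split(",")
        members.append((int(domain), int(port)))
    return members


@dataclass
class TIZone:
    name: str
    members: List[DP]
    failover: bool = True      # page default: failover enabled
    activated: bool = True     # page default: activated


class TIZoneConfig:
    """The defined configuration's TI zones (TI zones never appear in the effective one)."""

    def __init__(self) -> None:
        self.zones: Dict[str, TIZone] = {}

    def create(self, name: str, portlist: str, failover: bool = True,
               activated: bool = True) -> TIZone:
        if name in self.zones:
            raise ValueError(f"TI zone {name} already exists")
        self.zones[name] = TIZone(name, parse_portlist(portlist), failover, activated)
        return self.zones[name]

    def add(self, name: str, portlist: str, failover: Optional[bool] = None) -> None:
        """zone --add: append ports and optionally change the failover option."""
        zone = self.zones[name]
        for dp in parse_portlist(portlist):
            if dp not in zone.members:
                zone.members.append(dp)
        if failover is not None:
            zone.failover = failover

    def remove(self, name: str, portlist: str) -> None:
        """zone --remove: drop ports; removing the last member deletes the zone."""
        zone = self.zones[name]
        for dp in parse_portlist(portlist):
            if dp in zone.members:
                zone.members.remove(dp)
        if not zone.members:
            del self.zones[name]

    def delete(self, name: str) -> None:
        """zone --delete: remove the whole zone from the defined configuration."""
        del self.zones[name]


def validate(zone: TIZone, port_types: Dict[DP, str]) -> List[str]:
    """Structural checks from the page: at least two E_Ports; N_Ports optional."""
    problems: List[str] = []
    unknown = [dp for dp in zone.members if dp not in port_types]
    if unknown:
        problems.append(f"unknown port type for {unknown}")
    e_ports = [dp for dp in zone.members if port_types.get(dp) == "E"]
    if len(e_ports) < 2:
        problems.append("needs two or more E_Ports forming a path")
    return problems
```

Running validate before activating a zone catches the common mistake of listing only the host and target N_Ports and none of the ISLs between them.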
To limit the traffic, you set the maximum speed at which the traffic can flow through a particular F_Port or FL_Port. For example, if you set the rate limit at 4 Gbps, then traffic from a particular device is limited to a maximum of 4 Gbps. Ingress rate limiting enforcement is needed only if the port can run at a speed higher than the rate limit. For example, if the rate limit is 4 Gbps and the port is only a 2 Gbps port, then ingress rate limiting is not enforced.
QoS zones You assign high or low priority (QoS level) using a QoS zone. A QoS zone is a special zone that indicates the priority of the traffic flow between a given host/target pair. The members of a QoS zone are WWNs of the host/target pairs. QoS zones can contain only WWN members. “Domain,Index” zoning is not supported. A QoS zone has a special name, to differentiate it from a regular zone.
QoS on E_Ports In addition to configuring the hosts and targets in a zone, you must also enable QoS on individual E_Ports that might carry traffic between the given host and target pairs. Path selection between the “host,target” pairs is governed by FSPF rules and is not affected by QoS priorities. By default, QoS is enabled on E_Ports in port configuration. For example, in Figure 30, QoS should be enabled on the encircled E_Ports.
• Traffic prioritization is not supported on mirrored ports.
• Trunking considerations: If some ports in a trunk group have QoS enabled and some ports have QoS disabled, then two different trunks are formed, one with QoS enabled and one with QoS disabled.
• Traffic prioritization is enforced on the egress ports only, not on the ingress ports.

Setting traffic prioritization
1. Connect to the switch and log in as admin.
2.
16 Using the FC-FC Routing Service

Supported platforms
FC-FC Routing is supported on the following platforms:
• 400 MP Router
• 4/256 SAN Director or DC SAN Backbone Director (short name, DC Director) when it is configured with an FR4-18i blade and uses chassis configuration option 5

NOTE: The DC Director only supports chassis configuration option 5.
Figure 31 shows a metaSAN consisting of three edge fabrics connected through a 4/256 SAN Director or DC Director containing an FR4-18i with interfabric links.
Figure 32 A metaSAN with edge-to-edge and backbone fabrics (labels: Edge fabric 1, Edge fabric 2, Edge fabric 3, IP cloud, E_Port, EX_Port, VE_Port, VEX_Port, IFL, 400 MP Router, LSAN, Backbone fabric)
Figure 32 shows a metaSAN with a backbone consisting of one 400 MP Router connecting hosts in Edge Fabrics 1 and 3 with storage in Edge Fabric 2 and the backbone through the use of LSANs.
If an FR4-18i blade is attached to an edge fabric using an EX_Port, it will create translate phantom domains in the fabric corresponding to the imported edge fabrics with active LSANs defined. If you import devices into the backbone fabric, then a translate phantom domain is created in the backbone device in addition to the one in the edge fabric.
Figure 34 MetaSAN with imported devices (labels: Host, Proxy host (imported device), Target, Proxy target (imported device), Fabric 1, Fabric 2, E_Port, EX_Port, IFL, 400 MP Router)

Routing types
• Edge-to-Edge: Occurs when devices in one edge fabric communicate with devices in another edge fabric through one or more Fibre Channel routers.
• Backbone-to-Edge: Occurs when Fibre Channel routers connect to a common fabric—known as a backbone fabric—through E_Ports.
Fibre Channel fabrics require that all ports be identified by a unique PID. In a single fabric, the FC protocol guarantees that Domain IDs are unique, and so a PID formed by a Domain ID and area ID is unique within a fabric. However, the Domain IDs and PIDs in one fabric may be duplicated within another fabric, just as IP addresses that are unique within one private network are likely to be duplicated within another private network.
Performing verification checks
Before configuring a fabric to connect to another fabric, you must perform the following verification checks on the switch or director.
To perform verification checks:
1. Log in to the switch or director as admin and enter the version command. Verify that Fabric OS 6.0 is installed on the 400 MP Router, 4/256 SAN Director or DC Director with the FR4-18i blade as shown in the following example.
switch:admin_06> version
Kernel: 2.4.19
Fabric OS: v6.
4. Enter the interopMode command and verify that Brocade switch interoperability with switches from other manufacturers is disabled.
switch:admin> interopmode
InteropMode: Off
Usage: InteropMode 0|1
0: to turn it off
1: to turn it on
5. Enter the msPlatShow command to verify that the Management Server Platform database is disabled in the backbone fabric.
switch:admin_06> msplatshow
*MS Platform Management Service is NOT enabled.
To assign backbone fabric IDs:
1. Log in to the switch or director.
2. Enter the fosConfig --disable fcr command to disable the FC-FC Routing Service. See the Fabric OS Command Reference or the CLI man pages for more information about the fosConfig command.

NOTE: The default state for the FCR is disabled. The fcrEnable and fcrDisable commands continue to operate as before in Fabric OS versions 5.2.0 and earlier.
fabrics. Secure Fabric OS is an optional licensed product that provides customizable security restrictions through local and remote management channels on an HP fabric. Although Secure Fabric OS is not supported in Fabric OS 6.0, you can still connect a 6.0 switch to an edge switch that participates in a Secure Fabric OS. The FC-FC Routing Service uses only the DH-CHAP shared secrets to provide switch-to-switch authentication when connecting to a Secure Fabric OS fabric.
5. When prompted, type y. The DH-CHAP secret is now stored in the secret word database and is ready for use.
switch:admin> secauthsecret --set
This command is used to set up secret keys for the DH-CHAP authentication.
The minimum length of a secret key is 8 characters and maximum 40 characters.
Setting up secret keys does not initiate DH-CHAP authentication.
If switch is configured to do DH-CHAP, it is performed whenever a port or a switch is enabled.
To configure an IFL for both edge and backbone connections:
1. On the 400 MP Router, or 4/256 SAN Director or DC Director with an FR4-18i blade, disable the port that you are configuring as an EX_Port (the one connected to the Brocade switch) by issuing the portDisable command.
switch:admin> portdisable 7/10
You can verify that port 7 has been disabled by issuing the portShow command for the port.
2. Configure each port that connects to an edge fabric as an EX_Port or VEX_Port.
portCfgExport options
This port can now connect to another switch. The following list describes the options for the portCfgExport command. For more information about the portCfgExport and portCfgVexport commands, see the Fabric OS Command Reference.
-a   Sets the EX_Port to enabled (1) or disabled (2). Admin use only.
-f   Sets the fabric ID (1 to 128). Each edge fabric must have a unique ID, and EX_Ports (or VEX_Ports) connected to the same edge fabric must have the same fabric ID.
-r
-e
-d
4. Enter the portCfgShow command to view ports that are persistently disabled.

switch:admin> portcfgshow
Columns shown, in order: Area Number, Speed Level, Trunk Port, Long Distance, VC Link Init, Locked L_Port, Locked G_Port, Disabled E_Port, ISL R_RDY Mode, RSCN Suppressed, Persistent Disable, NPIV capability, EX Port, Mirror Port, FC Fastwrite
7/10  74  AUTO  OFF OFF OFF OFF OFF OFF OFF OFF OFF ON ON ON ON

5.
6.
Proc_rqrd:      0    Protocol_err:   0
Timed_out:      0    Invalid_word:   0
Rx_flushed:     0    Invalid_crc:    0
Tx_unavail:     0    Delim_err:      0
Free_buffer:    0    Address_err:    0
Overrun:        0    Lr_in:          0
Suspended:      0    Lr_out:         0
Parity_err:     0    Ols_in:         0
2_parity_err:   0    Ols_out:        0
CMI_bus_err:    0
Port part of other ADs: No

7. Enter the switchShow command to verify the EX_Port (or VEX_Port), edge fabric ID, and name of the edge fabric switch (containing the E_Port or VE_Port).
8.
The FCR router port cost settings are 0, 1000, or 10,000. If the cost is set to 0, the default cost will be used for that IFL. The FC router port cost is persistent and is saved in the existing port configuration file. Router port cost is passed to other routers in the same backbone. Link costs from the front domain to the translate (xlate) domain remain at 10,000. You can use the lsDbShow from the edge fabric to display these link costs.
Port cost considerations

The router port cost has the following considerations:
• Router port sets are defined as follows:
  • 0-7 and FCIP Tunnel 16-23
  • 8-15 and FCIP Tunnel 24-31
  More than two router port sets can exist in a 4/256 SAN Director or DC Director with two FR4-18i blades.
• The router port cost does not help distinguish one IFL (or EX_ and VEX_Port link) from another, if all the IFLs are connected to the same port set.
400 MP Router or 4/256 SAN Director or DC Director with an FR4-18i blade, use the portCfgEXPort command. If you want to change the fabric parameters of a VEX_Port, then use the portCfgVEXPort command. The PID mode of the backbone fabric and the PID mode of the edge fabric do not need to match, but the PID mode for the EX_Port or VEX_Port and the edge fabric to which it is attached must match. You can statically set the PID mode for the fabric by using the -p option with the portCfgEXPort command.
Supported configurations and platforms The EX_Port trunking is an FCR software feature and requires that you have a trunking license installed on the FCR switch and on the edge fabric connected to the other side of the trunked EX_Ports. EX_Port trunking is supported only with edge fabrics. You can use EX_Port frame trunking in the following configurations and cases: • Ports with speeds of 2 Gbps up to a maximum speed of 4 Gbps and trunking over long distance.
through these ports may be disrupted for a short period of time. In addition to the commands for enabling and disabling trunking, you can also use the following E_Port commands for administering EX_Port Frame Trunking: • Use portCfgSpeed and switchCfgSpeed to set speed for a port or switch. • Display lists of trunks and members of trunks with the trunkShow command. • Use trunkDebug to list link characteristics for troubleshooting.
address authority (NAA) field in the WWN to detect an FC router. LSAN zone enforcement in the local fabric occurs only if the administration domain member list contains both of the devices (local and imported device) specified in the LSAN zone. For more information, see ”Managing administrative domains” on page 151. Defining and naming zones Zones are defined locally on a switch or director.
• Target B has WWN 50:05:07:61:00:49:20:b4 (connected to switch2). The following procedure shows how to control device communication with the LSAN. To control device communication with the LSAN: 1. Log in as admin and connect to switch1. 2. Enter the nsShow command to list the WWN of the host (10:00:00:00:c9:2b:c9:0c). NOTE: The nsShow output displays both the port WWN and node WWN; the port WWN must be used for LSANs.
9. Enter the cfgShow command to verify that the zones are correct.

switch:admin> cfgshow
Defined configuration:
 zone:  lsan_zone_fabric2
                10:00:00:00:c9:2b:c9:0c; 50:05:07:61:00:5b:62:ed; 50:05:07:61:00:49:20:b4
Effective configuration:
 no configuration in effect

10. Enter the cfgAdd and cfgEnable commands to create and enable the LSAN configuration.

switch:admin> cfgadd "zone_cfg", "lsan_zone_fabric2"
switch:admin> cfgenable "zone_cfg"
You are about to enable a new zoning configuration.
LSAN zone binding (optional) By default, the Fibre Channel routers (FCR) in the backbone maintain the entire LSAN zone and device state database. On Fibre Channel routers with Fabric OS 5.3.0 and later, the LSAN zone binding allows you to specify pairs of edge fabrics that share devices, effectively creating an LSAN fabric matrix.
--cancel      Clears the information from the cache and puts it back to the saved value.
--display     Displays the information that is saved in the cache.
--fabricview  Displays the static, default, and dynamic binding of the backbone to show which edge fabrics can access each other.
--verify      Verifies that the information in the cache is valid and will not disrupt existing import/export devices.
--quickmode   Runs a quick mode to derive the LSAN zone matrix from the current import/export database.
The fcrlsancount command assumes that all the FCRs in the same LSAN fabric matrix or backbone have the same maximum LSAN count defined, to protect all the FCRs from entering an indefinite state. Asymmetric LSAN configurations caused by different maximum LSAN counts could lead to different devices being imported on different FCRs.
In the FC router, use the fcrbcastconfig command to prevent interfabric forwarding of broadcast frames of edge or backbone fabrics. Using the fcrbcastconfig command, you can disable or enable the broadcast frame forwarding option per FID (edge fabric or backbone fabric). If an FID has a pre-existing IPFC data session that you want to stop, the IPFC traffic across the FCR may not stop even after you disable broadcasting to some edge fabrics.
2. Type the following command:

fcr:admin> fcrbcastconfig --disable -f fabric_id

where fabric_id is the FID on which you want to disable frame forwarding. This command disables the broadcast frame forwarding option for an FID (edge or backbone fabric).

Monitoring resources

It is possible to exhaust resources, such as proxy PIDs. Whenever a resource is exhausted, Fabric OS generates an error message. The messages are described in the Fabric OS Message Reference.
The following example shows the use of the fcrResourceShow command to display per-physical-port (EX_Port) resources.
To check for Fibre Channel connectivity problems: 1. On the edge Fabric OS switch, make sure that the source and destination devices are properly configured in the LSAN zone before entering the fcPing command. This command performs the following functions: • Checks the zoning configuration for the two ports specified. • Generates an ELS (extended link service) ECHO request to the source port specified and validates the response.
For the exact RASLog message descriptions, see the following RASLogs: FCR_1055, FCR_1056, and FCR_1073. For further information on these messages, refer to the Fabric OS Message Reference.

Backward compatibility

In a fabric with Secure Fabric OS enabled, the edge fabric must have Fabric OS 3.2, 4.4.0, or later because only DH-CHAP authentication is supported. For a nonsecure fabric, the hardware and firmware compatibility is described in Table 71.
The portCfgExport command has additional options to verify the front Domain ID. The portCfgExport –d option is changed to enforce use of the same front Domain ID for the EX_Ports connected to the same edge fabric. The portCfgExport display results remain the same. For more information about the portCfgExport -d option, see ”portCfgExport options” on page 307 and the command details in the Fabric OS Command Reference. The following example illustrates the use of the portcfgexport command.
To display the range of output ports connected to the xlate domains:

1. Log in to the FC router.
2. Enter the lsDbShow command on the edge fabric. The following example shows the range of output ports.

linkCnt = 2, flags = 0x0
LinkId = 53, out port = 1, rem port = 35, cost = 500, costCnt = 0, type = 1
LinkId = 57, out port = 129, rem port = 18, cost = 500, costCnt = 0, type = 1

The following example also shows the use of the lsDbShow display on the edge fabric.
17 Administering Advanced Performance Monitoring This chapter describes the Advanced Performance Monitoring licensed feature. About Advanced Performance Monitoring Additional performance monitoring features are provided through Web Tools. See the Web Tools Administrator’s Guide for information about monitoring performance using the Web Tools GUI.
NOTE: The command examples in this chapter use the slot/port syntax required by 4/256 SAN Director and DC Directors. For the 4/8 SAN Switch, 4/16 SAN Switch, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 8/8 SAN Switch, 8/24 SAN Switch, 8/40 SAN Switch, 8/80 SAN Switch and the 400 Multi-protocol Router, use only the port number where needed in the commands.
Figure 35 shows two devices:
• Host A is connected to domain 5 (0x05), switch area ID 18 (0x12), AL_PA 0x00 on Switch X.
• Dev B is a storage device connected to domain 17 (0x11), switch area ID 30 (0x1e), AL_PA 0xef on Switch Y.

[Figure 35: Host A (SID 0x051200) on Switch X and Dev B (DID 0x111eef) on Switch Y; Monitor 0 on Switch X is set for domain 0x05, switch area ID 0x12, AL_PA 0x00]
Table 73 lists commands associated with Advanced Performance Monitoring. Advanced Performance Monitor commands are available only to users with the admin or switchAdmin roles. For detailed information on these commands, see the Fabric OS Command Reference.

Table 73 Advanced Performance Monitoring commands

Command              Description
perfAddEEMonitor     Add an end-to-end monitor to a port.
perfAddIPMonitor     Add an IP monitor to a port.
perfAddReadMonitor   Add a SCSI Read monitor to a port.
Monitoring AL_PAs

You can use the perfShowAlpaCrc command to display the CRC error count for all AL_PA devices or for a single AL_PA on a specific active L_Port. The following example displays the CRC error count for all AL_PA devices on a port:

switch:admin> perfshowalpacrc 1/1
AL_PA   CRC count
--------------------
0xd9    0

The following example displays the CRC error count for a single AL_PA device on a port:

switch:admin> perfshowalpacrc 1/1, 0xd9
The CRC count at ALPA 0xd9 on port 1 is 0x000000000.
Setting a mask for an end-to-end monitor You can specify a mask using the perfSetPortEEMask command in the form dd:aa:pp, where dd is the Domain ID mask, aa is the area ID mask, and pp is the AL_PA mask. The values for dd, aa, and pp are either ff (the field must match) or 00 (the field is ignored). The default EE mask value is ff:ff:ff. The perfSetPortEEMask command sets the mask for all end-to-end monitors of a port.
You cannot add identical filter monitors to the same port. Two filter monitors are considered to be identical when they have the same values for the following items. • Filter monitor type • Owner (telnet, Web Tools, etc.
You can specify up to four values to compare against each offset. If more than one offset is required to properly define a filter, the bytes found at each offset must match one of the given values for the filter to increment its counter. If one or more of the given offsets does not match any of the given values, the counter does not increment. The value of the offset must be between 0 and 63, in decimal format.
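As an added example (not the guide's or Brocade's code), the following Python models the two counting rules described above: the dd:aa:pp end-to-end mask applied to the Figure 35 addresses, and a filter monitor's offset/value test. The FC header layout constants and the sample frames are assumptions constructed for the example.

```python
"""Added example (not from the Fabric OS guide, not Brocade code): a model of
how an end-to-end (EE) monitor with a dd:aa:pp mask and a filter monitor with
offset/value criteria decide whether a frame is counted. The header layout
constants and the sample frames are assumptions constructed here."""
from typing import Dict, Optional, Sequence, Tuple

# Standard FC frame header layout assumed here (byte offsets within the
# 24-byte header): R_CTL at 0, D_ID at 1..3, CS_CTL at 4, S_ID at 5..7, TYPE at 8.
R_CTL_OFF, D_ID_OFF, S_ID_OFF, TYPE_OFF = 0, 1, 5, 8


def split_fc_address(addr: int) -> Tuple[int, int, int]:
    """Split a 24-bit FC address into (domain, area, AL_PA); the guide's
    Host A, SID 0x051200, is domain 0x05, area 0x12, AL_PA 0x00."""
    if not 0 <= addr <= 0xFFFFFF:
        raise ValueError("FC address must fit in 24 bits")
    return (addr >> 16) & 0xFF, (addr >> 8) & 0xFF, addr & 0xFF


def parse_ee_mask(mask: str) -> int:
    """Parse a perfSetPortEEMask-style dd:aa:pp mask into a 24-bit integer.
    Each field is 'ff' (must match) or '00' (ignored); default is ff:ff:ff."""
    fields = mask.lower().split(":")
    if len(fields) != 3 or any(f not in ("ff", "00") for f in fields):
        raise ValueError("mask must be three fields of ff or 00, e.g. ff:ff:00")
    return int("".join(fields), 16)


def ee_monitor_direction(sid: int, did: int, mon_sid: int, mon_did: int,
                         mask: str = "ff:ff:ff") -> Optional[str]:
    """'tx' if the frame flows mon_sid -> mon_did under the mask, 'rx' for the
    reverse direction, None if the monitor would not count it. The mask is
    applied to both addresses, as the perfSetPortEEMask text describes."""
    m = parse_ee_mask(mask)
    if (sid & m) == (mon_sid & m) and (did & m) == (mon_did & m):
        return "tx"
    if (sid & m) == (mon_did & m) and (did & m) == (mon_sid & m):
        return "rx"
    return None


def filter_monitor_matches(frame: bytes, criteria: Dict[int, Sequence[int]]) -> bool:
    """criteria maps a header offset (0..63) to one to four byte values. Every
    offset must hold one of its listed values or the counter does not increment."""
    for offset, values in criteria.items():
        if not 0 <= offset <= 63:
            raise ValueError("offset must be between 0 and 63")
        if not 1 <= len(values) <= 4:
            raise ValueError("one to four values per offset")
        if offset >= len(frame) or frame[offset] not in values:
            return False
    return True


def header_addresses(frame: bytes) -> Tuple[int, int]:
    """Return (S_ID, D_ID) from a frame header using the layout above."""
    did = int.from_bytes(frame[D_ID_OFF:D_ID_OFF + 3], "big")
    sid = int.from_bytes(frame[S_ID_OFF:S_ID_OFF + 3], "big")
    return sid, did


def make_header(sid: int, did: int, r_ctl: int, fc_type: int) -> bytes:
    """Build a constructed 24-byte FC frame header (remaining fields zero)."""
    hdr = bytearray(24)
    hdr[R_CTL_OFF] = r_ctl
    hdr[D_ID_OFF:D_ID_OFF + 3] = did.to_bytes(3, "big")
    hdr[S_ID_OFF:S_ID_OFF + 3] = sid.to_bytes(3, "big")
    hdr[TYPE_OFF] = fc_type
    return bytes(hdr)


# Constructed traffic modelled on Figure 35: Host A (0x051200), Dev B (0x111eef),
# plus a neighbour of Host A that differs only in AL_PA.
HOST_A, DEV_B, HOST_A_NEIGHBOUR = 0x051200, 0x111EEF, 0x051201
SAMPLE_FRAMES = [
    make_header(HOST_A, DEV_B, r_ctl=0x06, fc_type=0x08),            # FCP command A -> B
    make_header(DEV_B, HOST_A, r_ctl=0x01, fc_type=0x08),            # FCP data B -> A
    make_header(HOST_A_NEIGHBOUR, DEV_B, r_ctl=0x06, fc_type=0x08),  # other AL_PA -> B
    make_header(HOST_A, DEV_B, r_ctl=0x22, fc_type=0x01),            # ELS, not FCP
]


def count_ee(frames: Sequence[bytes], mon_sid: int, mon_did: int,
             mask: str = "ff:ff:ff") -> Tuple[int, int]:
    """(tx, rx) frame counts an EE monitor for mon_sid -> mon_did would record."""
    tx = rx = 0
    for frame in frames:
        direction = ee_monitor_direction(*header_addresses(frame), mon_sid, mon_did, mask)
        tx += direction == "tx"
        rx += direction == "rx"
    return tx, rx


def count_filter(frames: Sequence[bytes], criteria: Dict[int, Sequence[int]]) -> int:
    """Number of frames a filter monitor with the given criteria would count."""
    return sum(filter_monitor_matches(frame, criteria) for frame in frames)
```

With the default ff:ff:ff mask the neighbour's frames are not counted; relaxing the AL_PA field to 00 folds them into the same monitor.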
ISL monitors are deleted when Top Talker is installed and are restored when Top Talker is deleted. (See ”Top Talker monitors” for information about Top Talker monitors.) You can monitor ISL performance using the perfMonitorShow command, as described in ”Displaying monitor counters”. You can clear ISL counters using the perfMonitorClear command, as described in ”Clearing monitor counters” on page 344. ISL monitoring is not supported on the DC Director.
To add a Top Talker monitor on an F_Port:

1. Connect to the switch and log in as admin.
2. Enter the perfttmon --add command.

perfttmon --add [egress | ingress] [slotnumber/]port

where:
slotnumber For director-class switches only (4/256 SAN Director and DC Director), the slot number.
port The port number.
perfttmon --show 7 5

To display the top flows on slot 2, port 4 on the 4/256 SAN Director or DC Director in PID format:

perfttmon --show 2/4 pid

switch:admin> perfttmon --show 2/4 pid
========================================
Src_PID     Dst_PID     MB/sec
========================================
0xa90800    0xa05200    6.926
0xa90800    0xa908ef    6.872

Using Top Talker monitors in fabric mode

When fabric mode is enabled, you can no longer install Top Talker monitors on an F_Port unless you delete fabric mode.
The output is sorted based on the data rate of each flow. If you do not specify the number of flows to display, then the command displays the top 8 flows or the total number of flows, whichever is less. The command can display a maximum of 32 flows.
monitor_class The monitor class, which can be one of EE (end-to-end), FLT (filter-based), or ISL (inter-switch link). The --class monitor_class operand is required.
slotnumber Specifies the slot number for a 4/256 SAN Director. For all other switches, this operand is not required. The slot number must be followed by a slash ( / ) and the port number, so that each port is represented by both slot number (1 through 4 or 7 through 10) and port number (0 through 15).
where:
monitor_class The monitor class, which can be one of EE (end-to-end), FLT (filter-based), or ISL (inter-switch link). The --class monitor_class operand is required.
slotnumber For bladed systems only, specifies the slot number of the port on which the monitor counter is to be cleared. For all other switches, this operand is not required. The slot number must be followed by a slash ( / ) and the port number, so that each port is represented by both slot number and port number.
portnumber
monitorId
Saving and restoring monitor configurations

To save the current end-to-end and filter monitor configuration settings into nonvolatile memory, use the perfCfgSave command:

switch:admin> perfcfgsave
This will overwrite previously saved Performance Monitoring settings in FLASH.
Do you want to continue? (yes, y, no, n): [no] y
Please wait ...
Performance monitoring configuration saved in FLASH.

To restore a saved monitor configuration, use the perfCfgRestore command.
18 Administering Extended Fabrics This chapter provides information on implementing Extended Fabrics software. Extended Fabrics licensing To implement long distance dynamic (LD) and long distance static (LS) distance levels, you must first install the Extended Fabrics license. Use the licenseShow command to verify that the license is present on both switches used on both ends of the extended ISL.
Table 76 describes Fibre Channel data frames.

Table 76 Fibre Channel data frames

Field                    Bytes          Bits
Start of frame           4              32
Standard frame header    24             192
Data (payload)           0 - 2,112      0 - 16,896
CRC                      4              32
End of frame             4              32
Total (Nbr bits/frame)   36 - 2,148     288 - 17,184

The term byte used in Table 76 means 8 bits. The maximum Fibre Channel frame is 2,148 bytes.
FC switch port Buffer Credit requirements for long distance calculations

You can calculate how many ports can be configured for long distance on all switch modules or ASICs except Bloom-based switches. For information on the port, speed and distance for Bloom-based ASICs, see Table 78. Following are the considerations for the calculation:
• Each user port reserves eight buffers when it is not online.
• Remaining buffers can be reserved by any port in the port group.
Example: Consider the 8/24 SAN Switch, which has 24 ports and total buffers of 676. The maximum remaining number of buffer credits after each port's reservation is:

676 – (24 * 8) = 484 buffers

Where:
24 = the number of ports in a port group retrieved from Table 77.
8 = the number of reserved buffers.
676 = a static number retrieved from Table 77.

If you allocate the entire 484 + 8 reserved buffers = 492 buffers to a single port, that port can support 486 km @ 2G, which is the reserved buffer for distance.
2. Enter the portbuffershow command.

switch:admin> portbuffershow 1
 User   Port   Lx     Max/Resv   Buffer   Needed    Link       Remaining
 Port   Type   Mode   Buffers    Usage    Buffers   Distance   Buffers
 ----   ----   ----   --------   ------   -------   --------   ---------
   0    U      -      8          0        -         -
   1    U      -      8          0        -         -
   2    U      -      8          0        -         -
   3    U      -      8          0        -         -
   4    U      -      8          0        -         -
   5    U      -      8          0        -         -
   6    U      -      8          0        -         -
   7    U      -      8          0        -         -
   8    U      -      8          0        -         -
   9    U      -      8          0        -         -
  10    U      -      8          0        -         -
  11    U      -      8          0        -         -
  12           -      8          0        -         -
  13           -      8          0        -         -
  14           -      8          0        -         -
  15           -      8          0        -         -
  16    U      -      8          0        -         -
  17    U      -      8          0        -         -
  18    U      -      8          0        -         -
  19           -      8          0        -         -
  20    U      -      8          0        -         -
  21    U      -      8          0        -         -
  22    U      -      8          0        -         -
  23    U      -      8          0        -         -          484
switch:admin>
Table 77 Switch, port speed, and distance with ASIC and buffers

Switch blade model                     ASIC          Total ports in a switch or blade   Total buffers/ports in a group   Reserved buffers for ports
B-Series 2Gb Switches                  Bloom         8, 16 or 32                        108/4                            0
4/8 SAN Switch or 4/16 SAN Switch      Golden Eye    16                                 272/16                           8
8/8 SAN Switch, 8/24 SAN Switch        Golden Eye2   24                                 676/24                           8
SAN Switch 4/32 and SAN Switch 4/32B   Condor        32                                 1000/32                          8
4/64 SAN Switch                        Condor        64                                 712/16                           8
8/40 SAN Switch                        Condor2       40                                 2012/40                          8
8/80 SAN Switch
Buffer credit recovery

Buffer credit recovery allows links to recover after frames and R_RDYs are lost when the credit recovery logic is enabled. Buffer credit recovery maintains performance; as soon as one credit is lost, it attempts to recover. During link reset, the frame and credit loss counters are reset without performance degradation. This feature is only supported on long distance E_Ports connected between GoldenEye2 and Condor2-based ports. Buffer credit recovery does not require any configuration.
Configuring an extended ISL Before configuring an extended ISL, ensure that the following conditions are met: • Be sure that the ports on both ends of the ISL are operating at the same port speed, and can be configured at the same distance level without compromising local switch performance. NOTE: A long-distance link also can be configured to be part of a trunk group.
vc_translation_link_init Enables the long-distance link initialization sequence. This extended link initialization sequence is an enhanced link reset protocol and avoids excessive resetting of ports. By default, this option is set to 1 (enabled). It must be set to 1 (enabled) when configuring a trunk over Extended Fabrics. It must be set to 1 for a long-distance link not configured for ISL R_RDY mode; otherwise, it must be reset to 0.
19 Administering ISL Trunking This chapter contains procedures for using the ISL Trunking licensed feature, which optimizes the use of bandwidth by allowing a group of interswitch links to merge into a single logical link. About ISL Trunking ISL Trunking reduces or eliminates situations that require static traffic routes and individual ISL management to achieve optimal performance.
• 8 Gbps trunk links where supported. The maximum number of ports per trunk and trunks per switch depends on the HP model. NOTE: Director blade model FC10-6 does not support trunking. Standard trunking criteria Observe the following criteria for standard distance trunking: • There must be a direct connection between participating switches. • Trunk ports must reside in the same port group. • Trunk ports must run at the same speed (either 2 Gbps, 4 Gbps, or 8 Gbps).
• The addition of a path that is longer than existing paths may not be useful because the traffic will choose the shorter paths first. • Plan for future bandwidth addition to accommodate increased traffic. For trunking groups over which traffic is likely to increase as business requirements grow, consider leaving one or two ports in the group available for future nondisruptive addition of bandwidth.
Where 4 is a slave port of the F_Port Trunk.

If you attempt to install a monitor on a slave port of an F_Port trunk and the same monitor is already installed on the corresponding master, the following message is displayed:

switch:admin> perfaddeemonitor 4 0x010400 0x020800
Similar monitor already exists on the master port of the F-Port Trunk

Where 4 is a slave port of the F_Port Trunk.
Enabling and disabling ISL Trunking

You can enable or disable ISL Trunking for a single port or for an entire switch. When you execute the portCfgTrunkPort or switchCfgTrunk command to update the trunking configuration, the ports to which the configuration applies are disabled and re-enabled with the new trunk configuration. As a result, traffic through those ports could be disrupted.

IMPORTANT: Trunking is performed based on the QoS configuration on the master and the slave ports.
Setting port speeds For long-distance ports, if a port is set to autonegotiate port speed, the maximum speed (which is 8 Gbps) is assumed for reserving buffers for the port. If the port is only running at 2 Gbps this wastes buffers. For long-distance ports, it is best to set the port speed (this applies to the 4/32 SAN Switch, 4/32B SAN Switch and the 4/256 SAN Director only).
portcfgspeed [slotnumber/]portnumber, speed_level

slotnumber For bladed systems only, specify the slot number of the port to be configured, followed by a slash (/). This operand is only required for Directors.
portnumber Specifies the port number relative to its slot for bladed systems.
speed_level Specifies the speed of the link:
• 0—Autonegotiating mode. The port automatically configures for the highest speed.
• 1—One Gbps mode. Fixes the port at a speed of one Gbps.
The following example sets the speed for all ports on the switch to eight Gbps:

switch:admin> switchcfgspeed 8
Committing configuration...done.

The following example sets the speed for all ports on the switch to autonegotiate:

switch:admin> switchcfgspeed 0
Committing configuration...done.

Displaying trunking information

The trunkShow command offers an efficient means of listing all the trunks and the members of a trunk.
Trunking over Extended Fabrics In addition to the criteria listed in ”Standard trunking criteria” on page 358, observe the following criteria for trunking over Extended Fabrics: • ISL Trunking over Extended Fabrics is supported on switches running Fabric OS 4.4.0 and later. • Extended Fabrics and ISL Trunking licenses are required on all participating switches. • The vc_translation_link_init parameter must be set the same on all ports in an extended fabric.
F_Port trunking prevents reassignments of the Port ID when F_Ports go offline and it increases F_Port bandwidth. This feature supports the HP StorageWorks SAN Switch 4/32, 4/32B, 4/64 SAN Switch, 8/8 SAN Switch, 8/24 SAN Switch, 8/40 SAN Switch, 8/80 SAN Switch, 4/256 SAN Director and the DC Director enterprise-class platforms running Fabric OS 6.1.x. F_Port masterless trunking interoperates between Access Gateway (AG), 2 Gbps, 4 Gbps, and 8 Gbps-based platforms.
F_Port trunking considerations

Table 82 F_Port masterless trunking considerations

Area assignment: You statically assign the area within the trunk group on the edge switch. That group is the F_Port masterless trunk. The static trunk area you assign must fall within the ASIC's trunk group of the switch or blade starting from port 0. The static trunk area you assign must be one of the port's default areas of the trunk group.

portCfgTrunkPort port, 0: The portCfgTrunkPort port, 0 command will fail if a Trunk Area is enabled on the port. The port Trunk Area must be disabled first.

switchCfgTrunk 0: The switchCfgTrunk 0 command will fail if a port has TA enabled. All ports on the switch must have TA disabled first.

DCC Policy: DCC policy enforcement for the F_Port trunk is based on the Trunk Area; an FDISC request to a trunk port is accepted only if the WWN of the attached device is part of the DCC policy against the TA. The PWWN of the FLOGI sent from the AG will be dynamic for the F_Port trunk master.
based on the user port number, with eight contiguous ports as one group, such as 0-7, 8-15, 16-23, and so on up to the number of ports on the switch.

Figure 41 Trunk group configuration for the SAN Switch 8/40

1. Connect to the switch and log in as admin.
2. Ensure that both modules (edge switch and the switch running in AG mode) have the trunking licenses enabled.
3. Ensure that the ports have trunking enabled by issuing the portCfgShow command.
switch:admin> porttrunkarea --show enabled
Slot  Port  Type  State  Master  TI   DI
-------------------------------------------
10    13    -     -      -       125  125
10    14    -     -      -       125  126
-------------------------------------------

5. Enable ports 13 and 14:

switch:admin> portenable 10/13
switch:admin> portenable 10/14

6.
[switchShow output excerpt for ports 20 through 39: ports 20 through 31 show N8 No_Module, ports 32 through 35 show N4 No_Light, and ports 36 through 39 are Online F-Ports in an F_Port trunk; port 36 is listed as "F-Port 2 NPIV public (Trunk master)" and the others as "F-Port (Trunk port, master is Port 36 )"]
Disabling F_Port trunking

1. Connect to the switch and log in as admin.
2. Enter the portTrunkArea --disable command.

switch:admin> porttrunkarea --disable 36-39
ERROR: port 36 has to be disabled

Disable each port prior to removing ports from the TA. Then reissue the command:

switch:admin> porttrunkarea --disable 36-39
Trunk area 37 disabled for ports 36, 37, 38 and 39.

F_Port Trunking Monitoring

For F_Port masterless trunking, you must install Filter, EE or TT monitors on the F_Port trunk port.
20 Configuring and monitoring FCIP extension services This chapter describes the FCIP concepts, configuration procedures, and tools and procedures for monitoring network performance. Commands described in this chapter require Admin or root user access. See the Fabric OS Command Reference for detailed information on command syntax. FCIP services licensing Most of the FCIP extension services described in this chapter require the High Performance Extension over FCIP/FC license.
Platforms that support SAN extension over IP Fabric OS supports SAN extension between 400 Multi-protocol Routers or between FR4-18i blades installed on 4/256 SAN Directors or DC SAN Backbone Directors. The 400 Multi-protocol Router and FR4-18i blade integrate sixteen physical Fibre Channel ports and two physical GbE ports as illustrated in Figure 42 and Figure 43.
FCIP concepts Fibre Channel over IP (FCIP) enables you to connect Fibre Channel SANs over IP-based networks. 400 Multi-protocol Router and FR4-18i blades use FCIP to encapsulate Fibre Channel frames within IP frames that can be sent over an IP network to a partner 400 Multi-protocol Router or FR4-18i blade. When the IP packets are received, the Fibre Channel frames are reconstructed. The Fibre Channel fabric and all Fibre Channel targets and initiators are unaware of the presence of the IP network.
Compression

Data compression can be enabled or disabled on FCIP tunnels. The default setting is to disable compression.

Traffic shaping

Traffic can be shaped by establishing a rate limit per tunnel. A committed rate can be assigned to a port that guarantees a fixed amount of bandwidth. The committed rate setting ensures that an FCIP tunnel will operate at a specific fixed rate (given enough FC traffic to consume it).
Table 86 shows the default mapping of DSCP priorities to L2Cos priorities per tunnel ID. This may be helpful when consulting with the network administrator. These values may be modified per FCIP tunnel.
IPSec uses some terms that you should be familiar with before beginning your configuration. These are standardized terms, but are included here for your convenience.

Table 87 IPSec terminology

AES: Advanced Encryption Standard. FIPS 197 endorses the Rijndael encryption algorithm as the approved AES for use by US Government organizations and others to protect sensitive information. It replaces DES as the encryption standard.
AES-XCBC: Cipher Block Chaining.
• IPSec can only be configured on IP V4 based tunnels. Secure tunnels cannot be created on a 400 Multi-protocol Router or FR4-18i blade if any IP V6 addresses are defined on either ge0 or ge1.
• Secure Tunnels cannot be defined with VLAN Tagged connections.

Options for enhancing tape write I/O performance

There are two options available for enhancing open systems SCSI tape write I/O performance.
• FCIP fastwrite and tape pipelining.
• FC fastwrite.
Table 88 Using FCIP fastwrite and tape pipelining (continued)

FCIP fastwrite: Class 3 traffic is accelerated with fastwrite.

Tape pipelining: Class 3 traffic is accelerated between host and sequential device. With sequential devices (tape drives), there are 1024 initiator-tape (IT) pairs per GbE port, but 2048 initiator-tape-LUN (ITL) pairs per GbE port. The ITL pairs are shared among the IT pairs. For example: Two ITL pairs for each IT pair as long as the target has two LUNs.
Figure 45 Multiple tunnels to multiple ports, fastwrite and tape pipelining enabled on a per-tunnel/per-port basis

Unsupported configurations

The following configurations are not supported with fastwrite and tape pipelining. These configurations use multiple equal-cost paths.
VE-VE or VEX-VEX

Figure 46 Unsupported configurations with fastwrite and tape pipelining

FICON emulation concepts

FICON emulation supports FICON traffic over IP WANs using FCIP as the underlying protocol. FICON emulation can be extended to support performance enhancements for specific applications.
XRC emulation The eXtended Remote Copy (XRC) application is a DASD application that implements disk mirroring, as supported by the disk hardware architecture and a host software component called System Data Mover (SDM). The primary volume and the secondary mirrored volume may be geographically distant across an IP WAN. The latency introduced by greater distance creates delays in anticipated responses to certain commands.
FCIP services configuration guidelines There are multiple configuration requirements and options associated with FCIP services. The following general guidelines may be helpful. The steps are presented in an order that minimizes the number of times ports need to be disabled and enabled. In practice, the steps do not have to be taken in this order. 1. Determine if you are implementing IPSec.
Table 89 Command checklist for configuring FCIP links (continued)

Step / Command
3. If a VEX port is to be implemented, configure the appropriate virtual port as a VEX_Port. / portcfgvexport
4. Configure the IP interface for both ports of a tunnel. / portcfg ipif
5. Verify the IP interface for both ports of a tunnel. / portshow ipif
6. Create one or more IP routes connecting the IP interfaces across the IP network. / portcfg iproute
7.
IPSec policies are managed using the policy command. You can configure up to 32 IKE and 32 IPSec policies. Policies cannot be modified; they must be deleted and recreated in order to change the parameters. You can delete and recreate any policy as long as the policy is not being used by an active FCIP tunnel. Each FCIP tunnel is configured separately and may have the same or different IKE and IPSec policies as any other tunnel. Only one IPSec tunnel can be configured for each GbE port.
Managing policies
Use the policy command to create, delete, and show IKE and IPSec policies. To create a new policy:
1. Log in to the switch as admin.
2. At the command prompt, type:
policy --create type number [-enc encryption_method] [-auth authentication_algorithm] [-pfs off|on] [-dh DH_group] [-seclife secs]
where:
type and number    The type of policy being created (IKE or IPSec) and the number for this type of policy.
The example below shows all of the IKE policies defined; in this example, there are two IKE policies.
SACK on
Min Retransmit Time 100
Keepalive Timeout 80
Max Retransmissions 9
Status : Active
Uptime 1 day, 23 hours, 24 minutes, 46 seconds
IKE Policy 7
----------------------------------------
Authentication Algorithm: MD5
Encryption: 3DES
Perfect Forward Secrecy: off
Diffie-Hellman Group: 1
SA Life (seconds): 200000
IPSec Policy 7
----------------------------------------
Authentication Algorithm: AES-XCBC
Encryption: 3DES
SA Life (seconds): 1500000
Pre-Shared Key 1234567890123456

Persistently disabling ports
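The policy listing above shows settings (MD5, 3DES, DH group 1, PFS off, a digits-only pre-shared key) that a reviewer would want flagged before the tunnel goes into production. The following added example, which is not part of the guide or of Fabric OS, parses that listing format, audits each IKE/IPSec policy, and applies the guide's rule that a policy cannot be modified, only deleted and recreated, and not while an active tunnel uses it. The sample input is constructed from the output shown above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the tunnel status and the IKE/IPSec policy
# portion of a "portshow fciptunnel" listing, laid out as in the guide.
SAMPLE_OUTPUT = """\
Status : Active
Uptime 1 day, 23 hours, 24 minutes, 46 seconds
IKE Policy 7
----------------------------------------
Authentication Algorithm: MD5
Encryption: 3DES
Perfect Forward Secrecy: off
Diffie-Hellman Group: 1
SA Life (seconds): 200000
IPSec Policy 7
----------------------------------------
Authentication Algorithm: AES-XCBC
Encryption: 3DES
SA Life (seconds): 1500000
Pre-Shared Key 1234567890123456
"""


@dataclass
class Policy:
    kind: str                      # "IKE" or "IPSec"
    number: int
    settings: dict = field(default_factory=dict)


POLICY_HEADER = re.compile(r"^(IKE|IPSec) Policy (\d+)$")
SETTING = re.compile(r"^([A-Za-z][A-Za-z ()-]*?):\s*(\S+)$")
STATUS = re.compile(r"^Status\s*:\s*(\S+)$")


def parse_listing(text):
    """Return (tunnel_status, [Policy, ...]) parsed from the listing text."""
    status = None
    policies = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = STATUS.match(line)
        if m:
            status = m.group(1)
            continue
        m = POLICY_HEADER.match(line)
        if m:
            current = Policy(m.group(1), int(m.group(2)))
            policies.append(current)
            continue
        if current is None or line.startswith("---"):
            continue
        if line.startswith("Pre-Shared Key"):   # this line has no colon
            current.settings["Pre-Shared Key"] = line.split(None, 2)[2]
            continue
        m = SETTING.match(line)
        if m:
            current.settings[m.group(1).strip()] = m.group(2)
    return status, policies


def audit_policy(policy):
    """Return a list of weak-setting findings for one policy."""
    s = policy.settings
    findings = []
    if s.get("Authentication Algorithm") == "MD5":
        findings.append("authentication algorithm MD5 is obsolete")
    if s.get("Encryption") in ("DES", "3DES"):
        findings.append("encryption %s is a 64-bit-block legacy cipher" % s["Encryption"])
    if policy.kind == "IKE":
        if s.get("Perfect Forward Secrecy") == "off":
            findings.append("PFS is off: a compromised IKE key exposes every derived IPSec SA")
        if s.get("Diffie-Hellman Group") in ("1", "2"):
            findings.append("Diffie-Hellman group %s (768/1024-bit MODP) is too small"
                            % s["Diffie-Hellman Group"])
    psk = s.get("Pre-Shared Key")
    if psk is not None and (psk.isdigit() or len(psk) < 20):
        findings.append("pre-shared key is short or digits-only (low entropy)")
    return findings


def audit_listing(text):
    """Map 'IKE 7' -> findings, adding the action the guide's rules imply."""
    status, policies = parse_listing(text)
    report = {}
    for p in policies:
        findings = audit_policy(p)
        if findings:
            # Policies cannot be modified, only deleted and recreated, and a
            # policy in use by an active FCIP tunnel cannot be deleted.
            if status == "Active":
                action = "disable the tunnel first (Status is Active), then delete and recreate the policy"
            else:
                action = "delete and recreate the policy"
            findings.append("action: " + action)
        report["%s %d" % (p.kind, p.number)] = findings
    return report


if __name__ == "__main__":
    for name, items in audit_listing(SAMPLE_OUTPUT).items():
        print(name)
        for item in items:
            print("  -", item)
```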
The following example configures a port as a VEX_Port for slot number 8 in port number 18, enables admin, and specifies fabric ID 2 and preferred Domain ID 220:
switch:admin06> portcfgvexport 8/18 -a 1 -f 2 -d 220

Configuring IP interfaces and IP routes
The IP network connection between two 400 Multi-protocol Routers or two FR4-18i blades is configured by defining IP interfaces for origin and destination virtual ports, and then defining one or more IP routes to connect them.
1.
The following example verifies that the two routes have been successfully created:
switch:admin06> portshow iproute 8/ge0
Slot: 8 Port: ge0
IP Address      Mask            Gateway          Metric  Flags
----------------------------------------------------------------
192.168.100.0   255.255.255.0   192.168.100.40   0       Interface
192.168.100.0   255.255.255.0   192.168.100.41   0       Interface
192.168.11.0    255.255.255.0   192.168.100.1    1
192.168.12.0    255.255.255.0   192.168.100.1    1
3.
The following example tests the connection between 192.175.5.100 and 192.175.5.200:
switch:admin06> portcmd --ping ge0 -s 192.175.5.100 -d 192.175.5.200
Pinging 192.175.5.200 from ip interface 192.175.5.100 on 0/ge0 with 64 bytes of data
Reply from 192.175.5.200: bytes=64 rtt=1ms ttl=64
Reply from 192.175.5.200: bytes=64 rtt=0ms ttl=64
Reply from 192.175.5.200: bytes=64 rtt=0ms ttl=64
Reply from 192.175.5.200: bytes=64 rtt=1ms ttl=64
Ping Statistics for 192.175.5.
-f    Enables FCIP fastwrite.
-M    Enables VC QoS mapping.
-t    Enables tape pipelining. If tape pipelining is enabled, fastwrite must also be enabled.
-n remote_wwn    The remote-side FC entity WWN.
-k timeout    The keep-alive timeout in seconds. The range of valid values is 8 through 7,200 sec and the default is 10. If tape pipelining is enabled, both the default and minimum values are 80 sec.
-r retransmissions    The maximum number of retransmissions on the existing FCIP tunnel.
Where:
slot    The number of a slot in a 4/256 SAN Director or DC Director chassis that contains an FR4-18i blade. This parameter does not apply to the stand-alone 400 Multi-protocol Router.
ge0|ge1    The Ethernet port used by the tunnel (ge0 or ge1).
tunnel_id    The tunnel number (0 - 7).
config    The config option creates a configuration.
-x 1|0    Enables or disables XRC emulation. 1 is enable, 0 is disable.
-w 1|0    Enables or disables tape write pipelining. 1 is enable, 0 is disable.
Configuring FTRACE
FTRACE is a support tool primarily for use by Tech Support personnel. FTRACE includes the ability to freeze traces on certain events, and to retain the trace information for future examination.
The following example shows an active tunnel with FCIP fastwrite and tape pipelining enabled:
switch:admin06> portshow fciptunnel ge0 all
------------------------------------------
Tunnel ID 0
Remote IP Addr 10.0.10.224
Local IP Addr 10.0.10.225
Remote WWN Not Configured
Local WWN 10:00:00:05:1e:37:91:dd
Compression on
Fastwrite on
Tape Pipelining on
Uncommitted bandwidth, minimum of 1000 Kbps (0.
To verify that a VE_Port or VEX_Port is online, use the switchShow command to view and verify that the FCIP tunnel is online.
switch:admin06> portenable 8/18
switch:admin06> portenable 8/19
switch:admin06> switchshow
switchName:switch
switchType:42.
Enabling persistently disabled ports
Before an FCIP tunnel can be used, the associated ports must be persistently enabled.
NOTE: VEX_Port Users: If the fabric is already connected, you must leave the ge0 and ge1 ports disabled until after you have configured the VEX_Port; this will prevent unintentional merging of the two fabrics.
To enable a persistently disabled port:
1. Enter the portCfgShow command to view ports that are persistently disabled.
2.
3.
Modify and delete command options
Command options are available that allow you to modify or delete configured elements.
NOTE: Using the Modify option disrupts traffic on the specified FCIP tunnel for a brief period of time.
Modifying FCIP tunnels
Use the portCfg fcipTunnel command to modify FCIP tunnels (you must specify at least one characteristic to modify).
-p control_L2Cos    The layer 2 class of service used for control traffic.
-P data_L2Cos    The layer 2 class of service used for data traffic.
The following example shows two FCIP tunnels created on slot 8, port ge0; the first with an uncommitted bandwidth (0), and the second with a committed bandwidth of 10000 Kb/sec:
switch:admin06> portcfg fciptunnel 8/ge0 create 2 192.168.100.50 192.168.100.40 0
switch:admin06> portcfg fciptunnel 8/ge0 create 3 192.168.100.51 192.168.100.
modify    The modify option changes the FICON emulation configuration options and parameters. The following options turn features on and off. The associated tunnels must be disabled to modify the option settings. If you attempt to change them on an enabled tunnel, the operation is not allowed, and you are prompted to disable the tunnel.
-x 1|0    Enables or disables XRC emulation. 1 is enable, 0 is disable.
-w 1|0    Enables or disables tape write pipelining. 1 is enable, 0 is disable.
wrtMaxChains value    Defines the maximum amount of data that can be contained in a single CCW chain. If this value is exceeded, emulation is suspended.
oxidBase value    Defines the base value of an entry pool of 256 OXIDs supplied to emulation generated exchanges. It should fall outside the range used by FICON channels and devices to avoid conflicts. The default value is 0x1000. The range is 0x0000 to 0xF000.
dbgFlags value    Defines optional debug flags.
NOTE: If you do not specify a destination IP address, the destination address defaults to 0.0.0.0, and all frames are tagged with the associated VLAN tag. FCIP and ipPerf create and maintain entries in the VLAN tag table through their own configuration procedures. Manual entries are needed on both the local and remote sides for portcmd ping and portcmd traceroute commands when they are used to test and trace routes across a VLAN when no FCIP tunnel is active.
WAN performance analysis tools
Introduced in Fabric OS 5.2.0, WAN analysis tools are designed to test connections, trace routes, and estimate the end-to-end IP path performance characteristics between a pair of HP FCIP port endpoints. WAN tools include the following commands and options:
• portCmd ipPerf: Characterizes end-to-end IP path performance between a pair of HP FCIP ports. You can use the WAN tool ipPerf only on the FR4-18i or 400 Multi-protocol Router FCIP ports running Fabric OS 5.2.
WAN tool performance characteristics
Table 92 lists the end-to-end IP path performance characteristics that you can display using the portCmd ipPerf command and option. All four of the base ipPerf performance characteristics (bandwidth, loss, RTT, PMTU) are provided in the command output in Fabric OS 5.2.0 or later.
Table 92 WAN tool performance characteristics
Characteristic: Bandwidth. Description: Indicates the total packets and bytes sent.
To start an ipPerf session:
1. Configure the receiver test endpoint using the CP CLI. The syntax for invoking the receiver test endpoint using ipPerf for slot 8, port ge0 on an FR4-18i is as follows:
portcmd --ipperf 8/ge0 -s 192.168.255.10 -d 192.168.255.100 -R
2. Configure the sender test endpoint using a similar CP CLI. The syntax for invoking the sender test endpoint using ipPerf for slot 8, port ge0 on an FR4-18i is as follows:
portcmd --ipperf 8/ge0 -s 192.168.255.100 -d 192.168.255.
• Default size: 1 MSS
Following is the syntax for portCmd ipPerf to display end-to-end IP path performance statistics:
portCmd --ipPerf [slot]/ge0|ge1 -s source_ip -d destination_ip -S|-R [-r rate] [-z size] [-t time] [-i interval] [-p port] [-q diffserv] [-v vlan_id] [-c L2_Cos]
Where:
-s source_ip    The source IP address.
-d destination_ip    The destination IP address.
-S    Operates the WAN tool FCIP port-embedded client in the sender mode.
Where:
slot    The number of a slot in a 4/256 SAN Director or DC Director chassis that contains an FR4-18i blade. This parameter does not apply to the stand-alone 400 Multi-protocol Router.
ge0|ge1    The Ethernet port used by the tunnel (ge0 or ge1).
-s source_ip    The source IP interface that originates the ping request.
-d destination_ip    The destination IP address for the ping request.
-n num-requests    Generates a specified number of ping requests. The default is 4.
-q diffserv    The DiffServ QoS.
-h max_hops    The maximum number of IP router hops allowed for the outbound probe packets. If this value is exceeded, the probe is stopped. The default is 30.
-f first_ttl    The initial time to live value for the first outbound probe packet. The default value is 1.
-q diffserv    The DiffServ QoS. The default is 0 (zero). The value must be an integer in the range from 0 through 255.
-w wait-time    The time to wait for the response of each ping request.
2013762456 compressed Bytes
33208083 Bps 30s avg, 4760667 Bps lifetime avg
7.35 compression ratio
FC control traffic TCP connection: Local 192.175.4.100:4139, Remote 192.175.4.200:3225
Performance stats:
849 output packets
0 pkt/s 30s avg, 2 pkt/s lifetime avg
173404 output Bytes
39 Bps 30s avg, 409 Bps lifetime avg
0 packets lost (retransmits) 0.
Uptime 7 minutes, 3 seconds
FC control traffic TCP connection: Local 192.175.4.100:4139, Remote 192.175.4.200:3225
Runtime parameters:
Send MSS 1456 Bytes
Sender stats:
smoothed roundtrip 50 ms, variance 0
peer advertised window 1874944 Bytes
negotiated window scale (shift count) 9
congestion window 149649 Bytes
slow start threshold 1875000 Bytes
operational mode: slow start
2 packets queued: TCP sequence# MIN(2950582519) MAX(2950582655) NXT(2950582655)
2 packets in-flight
Send.
21 FICON fabrics
This chapter provides procedures for managing FICON fabrics.
Overview of Fabric OS support for FICON
IBM Fibre Connection (FICON®) is an industry-standard, high-speed input/output (I/O) interface for mainframe connections to storage devices. Fabric OS supports intermix mode operations, in which FICON and Fibre Channel technology work together.
Supported switches
FICON protocol is supported on the HP StorageWorks 4/256 SAN Director and DC SAN Backbone Director (short name, DC Director). The following port blades can exist in a FICON environment; however, FICON device connection to ports on these blades is not supported:
• FC4-16IP
• FC4-48
• FC8-48
NOTE: The FC4-48 and FC8-48 port blades are not supported for connecting to System z environments through FICON channels or through FCP zLinux on System z.
• The FC4-48 and FC8-48 port blades must not be inserted in slot 10 of the chassis in a FICON configuration. (Other blades are supported in slot 10, but the FC8-48 and FC4-48 blades are not.) Port 255 is reserved for CUP.
FICON commands
Table 93 summarizes the Fabric OS CLI commands that can be used for managing FICON fabrics. For detailed information on these commands, see the Fabric OS Command Reference.
User security considerations
To administer FICON, you must have one of the following roles:
• Admin
• Operator
• SwitchAdmin
• FabricAdmin
The User and BasicSwitchAdmin roles are view-only. The ZoneAdmin and SecurityAdmin roles have no access. In an Admin Domain-aware fabric, if you use the FICON commands (ficonshow, ficonclear, ficoncupshow, and ficoncupset) for any Admin Domain other than AD0 and AD255, the current switch must be a member of that Admin Domain.
Preparing a switch
To verify and prepare a switch for use in a FICON environment, complete the following steps:
1. Connect to the switch and log in as admin.
2. Enter the switchShow command to verify that the switch and devices are online.
3. For switches with FICON devices directly attached, change the routing policy on the switch from the default exchange-based policy to the required port-based policy using the aptPolicy command when working from the command line.
Figure 48 and Figure 49 show two viable cascaded configurations. These configurations require Channel A to be configured for two-byte addressing and require IDID and fabric binding. It is recommended that there are only 2 domains in a path from a FICON Channel interface to a FICON Control Unit interface.
8. Enter the switchEnable command to re-enable the switch.
switch:admin> configure
Configure...
Fabric parameters (yes, y, no, n): [no] yes
Domain: (1..239) [3] 5
R_A_TOV: (4000..120000) [10000]
E_D_TOV: (1000..5000) [2000]
Data field size: (256..2112) [2112]
Sequence Level Switching: (0..1) [0]
Disable Device Probing: (0..1) [0]
Suppress Class F Traffic: (0..1) [0]
VC Encoded Address Mode: (0..1) [0]
Per-frame Route Priority: (0..1) [0]
Long Distance Fabric: (0..1) [0]
BB credit: (1..
Swapping ports
If a port malfunctions, or if you want to connect to different devices without having to re-wire your infrastructure, you can move a port's traffic to another port (swap ports) without changing the I/O Configuration Data Set (IOCDS) on the mainframe computer. To swap ports:
1. Connect to the switch and log in as admin.
2. Enter the portSwapEnable command (to enable the command for port swapping).
3. Enter the portDisable command to disable the two ports to be swapped.
4.
Setup summary
To set up FICON CUP, use the following procedure and be sure to perform the steps in the order indicated.
1. For directors with at least 256 ports installed, use the PortDisable command to disable (block) ports 254 and 255. Ports 254 and 255 are not supported in a CUP environment. After fmsmode has been successfully enabled, these two ports remain disabled and cannot be used either as an F_Port or an E_Port.
• Advanced Zoning, if used, continues to be in force. If there are any differences in restrictions set up with Advanced Zoning and PDCM, the most restrictive rules are automatically applied.
• RSCNs are sent to devices if PDCM results in changes to connectivity between a set of ports.
Changing fmsmode from enabled to disabled triggers the following events:
• A device reset is performed on the control device.
• PDCM is no longer enforced.
Displaying mode register bit settings
The mode register bits are described in Table 94.
Table 94 FICON CUP mode register bits
POSC    Programmed offline state control. When this bit is set on, the host is prevented from taking the switch offline. The default setting is 1 (on).
UAM    User alert mode. When this bit is set on, a warning is issued when an action is attempted that will write CUP parameters on the switch. The default setting is 0 (off).
ASM    Active=saved mode.
Setting mode register bits
Use the ficoncupset modereg command to set the FICON CUP mode register bits for the local switch. Consider the following when changing mode register bits:
• As required by the CUP protocol, the UAM bit cannot be changed using this command.
• All mode register bits except UAM are saved across power on/off cycles; the UAM bit is reset to 0 following a power-on.
• Mode register bits can be changed when the switch is offline or online.
Port and switch naming standards
Fabric OS handles differences in port and switch naming rules between CUP and itself as follows:
• CUP employs 8-bit characters in port address names and switch names; Fabric OS employs 7-bit characters. When fmsmode is enabled, all characters greater than 0x40 and not equal to 0xFF (EBCDIC code page 37 [0x25]) are allowed in the name; therefore, it is possible for a channel to set a name with nonprintable characters.
Troubleshooting
The following sources provide useful problem-solving information:
• The standard support commands (portLogDump, supportSave, supportShow) or the Fabric Manager Event Log. By default, the FICON group in the supportShow output is disabled. To enable the capture of FICON data in the supportShow output, enter the supportshowcfgenable ficon command.
Backing up and restoring FICON configuration files
The FICON file access facility is used to store configuration files. This includes IPL and other configuration files. The Fabric OS saves the IPL and all other configuration files on the switch. A maximum of 16 configuration files, including the IPL file, are supported. You can upload the configuration files saved on the switch to a management workstation using the configUpload command.
Recording configuration information
You can use the following worksheet for recording FICON configuration information.
Sample IOCP configuration file
The channel subsystem controls communication between a configured channel, the control unit, and the device. The I/O Configuration Dataset (IOCDS) defines the channels, control units, and devices to the designated logical partitions (LPARs) within the server; this is defined using the Input/Output Configuration Program (IOCP). The IOCP statements are typically built using the hardware configuration dialog (HCD).
22 Configuring and monitoring FICON Extension Services
This chapter describes the FICON extension concepts, configuration procedures, and tools and procedures for monitoring network performance. Commands described in this chapter require Admin or root user access. See the Fabric OS Command Reference for detailed information on command syntax.
FICON extension products licensing
Several specific licensed features are available for FICON extension. These include the following.
• XRC emulation.
Platforms that support FICON extension over IP
Fabric OS supports SAN extension between 400 MP Routers, or between FR4-18i blades. The 400 MP Router and the FR4-18i blade both have 16 physical Fibre Channel ports and 2 physical GbE ports, as illustrated in Figure 50 and Figure 51.
FCIP configuration requirements for FICON extension
FICON extension uses FCIP for transport. FCIP interfaces and tunnels used for FICON extension must be defined prior to configuring FICON emulation. Ports should remain persistently disabled until after FICON emulation is configured. Refer to "Configuring and monitoring FCIP extension services" on page 389 for information about configuring FCIP interfaces and tunnels.
to block (prohibit) specific F_Port to E_Port connections. You can create a determinate data path by blocking all F_Port to E_Port connections except the one you want to use for FICON traffic. Figure 52 shows a portion of the allow/prohibit matrix. The F_Port addresses are in the vertical column to the left, and the E_Port addresses are in a horizontal row at the top. In the portion shown, F_Port address 04 can connect to E_Port 07.
responses to remote hosts, eliminating distance related delays. A FICON XRC Emulation License is required to enable XRC Emulation.
Tape Write Pipelining
FICON tape write pipelining improves performance for a variety of applications when writing to tape over extended distances. FICON tape write pipelining locally acknowledges write data records, enabling the host to generate more records while previous records are in transit across the IP WAN.
wrtMaxPipe value    Defines the maximum number of channel commands that may be outstanding at a given time during write pipelining. Too small a value will result in poor performance. The value should be chosen carefully based upon the typical tape channel program that requires optimum performance. The default value is 32. The range is 1-100.
rdMaxPipe value    Defines the maximum number of channel commands that may be outstanding at a given time during read pipelining.
Displaying FICON emulation configuration values
You can display the values configured for FICON emulation by using the portShow ficon command. The following example shows FICON emulation configuration values for port ge1.
-t 1|0    Enables or disables TIN/TUR emulation. 1 is enable, 0 is disable. This option should be enabled when one or all of the following features are enabled:
• XRC emulation
• tape write pipelining
• tape read pipelining
-l 1|0    Enables or disables device level ACK emulation. 1 is enable, 0 is disable. This option should be enabled when one or all of the following features are enabled:
• XRC emulation
• tape write pipelining
• tape read pipelining
-b 1|0    Enables or disables FICON read block ID.
FICON performance statistics
You can use the portshow ficon command to view the performance statistics and monitor the behavior of FICON emulation. The syntax is as follows.
portShow ficon [slot/]ge0|ge1 all|tunnel_id [arguments]
Where:
slot    The slot number of a blade in a multi-slot chassis. Does not apply to the 400 MP Router.
ge0|ge1    The Ethernet port (ge0 or ge1).
tunnel_id    Tunnel number (0-7).
arguments are as follows:
-globals    General FICON Controls/Statistics.
Monitoring FICON emulation
The -emul argument can be used to monitor FICON emulation. The following is an example.
Sprint108:root> portshow ficon ge1 0 -emul
XRC and tape statistics are presented in different output formats. The following elements are common to both tape emulation and XRC emulation outputs:
FDCB ptr    A pointer to the FICON Device Control Block. Support personnel may use this pointer.
Path    The device path, in the format VE-HD-HP-DD-DP-LP-CU-DV.
Tape output example:
TAPE EMULATION STATS
+----------+----------------+-+-----+----+----+----+-----------+----------+------+----------+---+
| FDCB Ptr | Path |H|State|Emul|Emul|Rtry| Emulated |Emulated | (0x) |D| |Read CCWs | Size |Write CCWs| Size | (0x) | |Pipe|Q'd | Qd | Tape Ops |RdAvg |Emulated |WtAvg |
+----------+----------------+-+-----+----+----+----+-----------+----------+------+----------+---+
|0x10018A00|2463016406050000|H| 0x14|0x20|000E|0000| 13212| 0| 0| 125754| 32760|
|0x10
XRC output example:
XRC EMULATION STATS
+----------+----------------+-+-----+----+----+----+----+-----------+---+------+------+
| FDCB Ptr | Path |H|State|Cmds| Cmd|Data|Data| Emulated |Avg| RRS| RRS | | (0x) |D| |RRS| TLF| Read| (0x) | | Qd | Max| Qd |Max | RRS Ops
+----------+----------------+-+-----+----+----+----+----+-----------+---+------+------+
|0x1017DC00|24B100B20E11092B|H| 0x00|0000|000F|0000|0230| 47184|213| 25636| 16063|
|0x104B4C00|24B100B20E1109F7|H| 0x00|0000|000F|0000|01E0|
A Configuring the PID format
Port identifiers (called PIDs) are used by the routing and zoning services in Fibre Channel fabrics to identify ports in the network. All devices in a fabric must use the same PID format, so when you add new equipment to the SAN, you might need to change the PID format on legacy equipment.
NOTE: Any switch running Fabric OS 6.1.x uses the Core PID format and cannot be modified.
Impact of changing the fabric PID format
If your fabric contains switches that use Native PID, it is recommended that you change the format to Core PID before you add the new, higher port count switches and directors. Also, it is recommended that you use Core PID when upgrading the Fabric OS version on 1Gb and 2Gb series switches.
Changes to configuration data
Table 96 lists various combinations of before-and-after PID formats, and indicates whether the configuration is affected.
NOTE: After changing the fabric PID format, if the change invalidates the configuration data (see Table 96 to determine this), do not download old (pre-PID format change) configuration files to any switch on the fabric.
Table 97 shows various combinations of existing fabrics, new switches added to those fabrics, and the recommended PID format for that combination. The criteria for the recommendations are first to eliminate host reboots, and second to minimize the need for a host reboot in the future.
Table 97 PID format recommendations for adding new switches
Existing Fabric OS versions; PID format: 3.1.2 and later; Core PID. Switch to be added: 3.1.2 and later. Recommendations (in order of preference): 1.
1. Collect device, software, hardware, and configuration data. The following is a non-comprehensive list of information to collect:
• HBA driver versions
• Fabric OS versions
• RAID array microcode versions
• SCSI bridge code versions
• JBOD drive firmware versions
• Multipathing software versions
• HBA time-out values
• Multipathing software timeout values
• Kernel timeout values
• Configuration of switch
2. Make a list of manually configurable PID drivers.
If either of the first two options is used, the procedures should again be validated in the test environment. Determine the behavior of multipathing software, including but not limited to:
• HBA time-out values
• Multipathing software time-out values
• Kernel time-out values
Planning the update procedure
Whether it is best to perform an offline or online update depends on the uptime requirements of the site.
• An offline update requires all devices attached to the fabric to be offline.
Offline update
The following steps are intended to provide SAN administrators a starting point for creating site-specific procedures.
1. Schedule an outage for all devices attached to the fabric.
2. Back up all data and verify backups.
3. Shut down all hosts and storage devices attached to the fabric.
4. Disable all switches in the fabric.
5. Change the PID format on each switch in the fabric.
6. Reenable the switches in the updated fabric one at a time.
Before changing the PID format, determine if host reboots will be necessary. The section "Host reboots" on page 446 summarizes the situations that may require a reboot.
switch:admin> switchdisable
switch:admin> configure
Configure...
Fabric parameters (yes, y, no, n): [no] y
Domain: (1..239) [1]
BB credit: (1..27) [16]
R_A_TOV: (4000..120000) [10000]
E_D_TOV: (1000..5000) [2000]
WAN_TOV: (1000..120000) [0]
Data field size: (256..2112) [2112]
Sequence Level Switching: (0..1) [0]
Disable Device Probing: (0..
Performing PID format changes
There are several routine maintenance procedures which might result in a device receiving a new PID.
Suppress Class F Traffic: (0..1) [0]
SYNC IO mode: (0..1) [0]
Core Switch PID Format: (0..2) [0] 1
Per-frame Route Priority: (0..1) [0]
Long Distance Fabric: (0..1) [0]
BB credit: (1..27) [16]
10. After all switches are updated to use the new PID format and re-enabled, verify the fabric has fully reconverged: each switch can communicate with the other switches in the fabric and no segmentation has occurred.
11.
vgexport -a y /dev/jbod
17. If you are not using multipathing software, mount all devices again and restart I/O. For example:
mount /mnt/jbod
18. If you are using multipathing software, reenable the affected path.
The preceding steps do not "clean up" the results from ioscan. When viewing the output of ioscan, notice that the original entry is still there, but now has a status of NO_HW.
3. If you are not using multipathing software, vary the volume groups offline. The command usage is varyoffvg . For example:
varyoffvg datavg
4. If you are not using multipathing software, unmount the volumes from their mount points using umount. The command usage is umount . For example:
umount /mnt/jbod
5. If you are using multipathing software, use that software to remove one fabric's devices from its configuration.
6.
portdisable slot/port1
portdisable slot/port2
4. HP StorageWorks 4/8, 4/16, 4/32, 8/8 SAN Switch, 8/24 SAN Switch, 8/40 SAN Switch, 8/80 SAN Switch, and 400 Multi-protocol Router switches: Enter the following command:
portswap port1 port2
4/256 SAN Director and DC SAN Backbone Director (short name, DC Director): Enter the following command:
portswap slot1/port1 slot2/port2
5.
B Understanding legacy password behaviour
This appendix provides password information for early versions of Fabric OS firmware.
Password management information
Table 98 describes the password standards and behaviors between various versions of firmware.
Table 98 Account/password characteristics matrix
Topic: Number of default accounts on the switch. 4.0.0: 4, chassis-based Core Switch 2/64. 4.1.0 to 4.2.0: 8 for the director, 4 per switch. 4.4.0 and later: All other switches and directors - 4.
Table 98 Account/password characteristics matrix (continued)
Topic: Can passwd change higher-level passwords? For example, can admin change the root password? 4.0.0: Yes, but will ask for the "old password" of the higher-level account (example "root"). 4.1.0 to 4.2.0: Yes; if users connect as admin, they can change the root, factory, and admin passwords. However, if one connects as user, one can only change the user password. 4.4.0 to 5.1.
Password migration during firmware changes
Table 100 describes the expected outcome of password settings when upgrading or downgrading firmware for various Fabric OS versions.
Table 100 Password migration behavior during firmware upgrade/downgrade
Topic: Passwords used when upgrading to a newer firmware release for the first time. 4.4.0 to 5.0.1: Default accounts and passwords are preserved. 5.0.1 and later: Default accounts and passwords are preserved.
C Interoperating with an M-EOS fabric
For information on HP supported interop configurations, refer to the HP StorageWorks Fabric interoperability: merging fabrics based on C-Series and B-Series Fibre Channel switches on the following HP website: http://h18000.www1.hp.com/products/storageworks/san/documentation.html
D Migrating from an MP Router to a 400 MP Router
This section describes how to upgrade routers in your fabric with the least disruption, while providing better performance and scalability. Improper implementation could lead to a change in the xlate Domain IDs and proxy device PIDs, which may cause disruption in the fabric.
Configurations
FC routers are deployed in different configurations in a fabric.
Figure 55 Configuration during the upgrade
The switch Domain ID and BB fabric ID of the new FC router can be identical. Once the metaSAN is stable and the EX_Ports on the new router are 'active', the old router can be taken out of the setup.
Redundant configuration
The configuration shown in Figure 56 on page 466 shows that old routers can be removed one by one. For example, FC router 2 can be replaced with the new FC router.
Figure 57 Dual backbone fabric configuration
Devices directly connected to router
In the Multi-protocol Router, end devices are allowed to be directly connected, but these devices cannot be imported to other edge fabrics (using LSAN zones). During the upgrade process, these devices will face disruption unless there is redundancy support provided from the device end. The 400 MP Router allows the end devices to be imported to edge fabrics.
Configuring a new FC router
To configure the new router:
1.
E Using Remote Switch
This appendix provides information on the Remote Switch feature.
About Remote Switch
The Remote Switch feature, which aids in ensuring gateway compatibility, was formerly a licensed feature. Its functionality is now available as part of the Fabric OS standard feature set through the use of the portCfgIslMode command, which is described in "Linking through a gateway" on page 45.
You must connect the fabrics through the gateway device, and make sure that the configure parameters are compatible with the gateway device. You may be required to reconfigure the following parameters, depending on the gateway requirements:
NOTE: Consult your gateway vendor for supported and qualified configurations.
• R_A_TOV: Specify a Resource Allocation Timeout Value compatible with your gateway device.
• E_D_TOV: Specify an Error Detect Timeout Value compatible with your gateway device.
This example shows how to modify the data field size and suppress class F traffic on a switch:

switch:admin> switchdisable
switch:admin> configure
Configure...
Fabric parameters (yes, y, no, n): [no] yes
Domain: (1..239) [3]
R_A_TOV: (4000..120000) [10000]
E_D_TOV: (1000..5000) [2000]
Data field size: (256..2112) [2112] 1000
Sequence Level Switching: (0..1) [0]
Disable Device Probing: (0..1) [0]
Suppress Class F Traffic: (0..1) [0] 1
VC Encoded Address Mode: (0..1) [0]
Per-frame Route Priority: (0..
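The parameters above only matter if they agree on both sides of the gateway link and with what the gateway vendor qualified. The following is an added example, not Fabric OS code or an HP or Brocade tool: it parses a transcript of the interactive configure dialog in the format shown above, enforces the ranges the CLI prints, and reports mismatches between two switches and against a gateway requirement list. The rule that the listed parameters must be identical on both sides, the E_D_TOV below R_A_TOV sanity check, the MUST_MATCH set and the shape of the gateway requirement dictionary are assumptions; the two transcripts are constructed sample input.

```python
"""Compare fabric parameters of two switches before linking them through a gateway.

Added example, not Fabric OS code. The transcript format follows the configure
session shown on the page; the compatibility rules are assumptions.
"""
import re

# One prompt line of the configure dialog, for example
#   Data field size: (256..2112) [2112] 1000
# name, allowed range, [current value] and, optionally, the new value typed by
# the operator (absent when Enter was pressed to keep the current value).
PROMPT_RE = re.compile(
    r"^(?P<name>[A-Za-z_][A-Za-z_ -]*?):\s*"
    r"\((?P<lo>\d+)\.\.(?P<hi>\d+)\)\s*"
    r"\[(?P<default>\d+)\]\s*"
    r"(?P<entered>\d+)?\s*$"
)


def parse_configure_transcript(text):
    """Return {parameter name: resulting value} for every numeric prompt."""
    params = {}
    for raw in text.splitlines():
        m = PROMPT_RE.match(raw.strip())
        if not m:
            continue  # command echo, banner line, or a yes/no question
        lo, hi = int(m["lo"]), int(m["hi"])
        value = int(m["entered"]) if m["entered"] is not None else int(m["default"])
        if not lo <= value <= hi:
            # The CLI refuses out-of-range input; refuse it here as well.
            raise ValueError(f"{m['name']}: {value} is outside {lo}..{hi}")
        params[m["name"]] = value
    return params


# Parameters that must be identical on both sides of the gateway link and match
# the gateway vendor's qualified values (assumed set, taken from the parameters
# the text lists). Domain is excluded on purpose: it differs per switch by design.
MUST_MATCH = ("R_A_TOV", "E_D_TOV", "Data field size", "Suppress Class F Traffic")


def check_gateway_compatibility(local, remote, gateway_required=None):
    """Return a list of problems; an empty list means the link can be brought up.

    gateway_required is an optional {parameter: value} dict (assumed shape)
    holding the values the gateway vendor qualified.
    """
    problems = []
    for side, p in (("local", local), ("remote", remote)):
        # Assumed sanity rule: the error-detect timeout must expire before the
        # resource-allocation timeout does.
        if "E_D_TOV" in p and "R_A_TOV" in p and p["E_D_TOV"] >= p["R_A_TOV"]:
            problems.append(f"{side}: E_D_TOV {p['E_D_TOV']} is not below R_A_TOV {p['R_A_TOV']}")
    for name in MUST_MATCH:
        if local.get(name) != remote.get(name):
            problems.append(f"{name}: local={local.get(name)} remote={remote.get(name)}")
        if gateway_required and name in gateway_required and local.get(name) != gateway_required[name]:
            problems.append(f"{name}: gateway requires {gateway_required[name]}, local has {local.get(name)}")
    return problems


# Constructed transcript in the format of the session above: the operator lowered
# the data field size to 1000 and set Suppress Class F Traffic to 1.
TRANSCRIPT_A = """\
switch:admin> configure
Configure...
Fabric parameters (yes, y, no, n): [no] yes
Domain: (1..239) [3]
R_A_TOV: (4000..120000) [10000]
E_D_TOV: (1000..5000) [2000]
Data field size: (256..2112) [2112] 1000
Sequence Level Switching: (0..1) [0]
Disable Device Probing: (0..1) [0]
Suppress Class F Traffic: (0..1) [0] 1
"""
# Constructed transcript for the far-side switch, left at its current values.
TRANSCRIPT_B = TRANSCRIPT_A.replace("[2112] 1000", "[2112]").replace("[0] 1\n", "[0]\n")

if __name__ == "__main__":
    local = parse_configure_transcript(TRANSCRIPT_A)
    remote = parse_configure_transcript(TRANSCRIPT_B)
    for problem in check_gateway_compatibility(local, remote) or ["compatible"]:
        print(problem)
```

Run as a script it reports that the data field size and the class F setting differ between the two switches; feed both transcripts from the real switches (and the vendor's qualified values as gateway_required) before enabling the ISL through the gateway.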
F Zone merging scenarios

Table 103 provides information on merging zones and the expected results.

Table 103 Zone merging scenarios

Description: Switch A has a defined configuration.
Switch A: defined: cfg1: zone1: ali1; ali2; effective: none
Switch B: defined: none; effective: none
Expected results: The configuration from Switch A propagates throughout the fabric in an inactive state, because the configuration is not enabled.
Description: Switch A and Switch B have different defined configurations. Switch B has an enabled configuration.
Switch A: defined: cfg2: zone2: ali3; ali4; effective: none
Switch B: defined: cfg1: zone1: ali1; ali2; effective: cfg1
Expected results: Clean merge. The new configuration is a composite of the two, with cfg1 as the effective configuration.

Description: Effective configuration mismatch.
Description: Different default zone access mode settings.
Switch A: defzone: noaccess
Switch B: defzone: allaccess
Expected results: Clean merge — noaccess takes precedence and the defzone configuration from Switch A propagates to the fabric.

defzone: noaccess

Description: Same default zone access mode settings.
Switch A: defzone: allaccess
Switch B: defzone: allaccess
Expected results: Clean merge — defzone configuration is allaccess in the fabric.

Description: Same default zone access mode settings.
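The rows of Table 103 are easier to reason about as a rule set. The following is an added example, not Fabric OS code: a small model of a switch's zoning database and a merge function that reproduces the table's outcomes (inactive propagation, composite with the enabled configuration staying effective, noaccess winning over allaccess). Two rules go beyond the excerpt and are marked as assumptions in the code: two different effective configurations segment the ISL, and an object of the same name with different content on the two switches is a conflict. The ZoneDB model itself is an assumption; the sample databases are constructed from the table's rows.

```python
"""Simulate the zone merge outcomes of Table 103.

Added example, not Fabric OS code. The data model and the merge rules are
assumptions chosen to reproduce the table's rows.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union


@dataclass
class ZoneDB:
    """One switch's zoning database (assumed model of the cfg/zone/alias objects).

    zones:     {zone name: [members]}         members are aliases or WWNs
    configs:   {config name: [zone names]}    the defined configurations
    effective: name of the enabled configuration, or None
    defzone:   access mode for devices that are in no zone
    """
    zones: Dict[str, List[str]] = field(default_factory=dict)
    configs: Dict[str, List[str]] = field(default_factory=dict)
    effective: Optional[str] = None
    defzone: str = "allaccess"


def merge(a: ZoneDB, b: ZoneDB) -> Tuple[str, Union[ZoneDB, str]]:
    """Return ("clean", merged database) or ("segmented", reason)."""
    # Table 103 "Effective configuration mismatch": two different enabled
    # configurations cannot be merged. The outcome (the ISL segments) is the
    # standard Fabric OS rule, not spelled out in the excerpt; assumed here.
    if a.effective and b.effective and a.effective != b.effective:
        return "segmented", f"effective configuration mismatch: {a.effective} vs {b.effective}"

    merged = ZoneDB()
    # Composite of both databases. An object that exists on both sides under the
    # same name but with different content is a zone conflict (assumed rule).
    for label, sides in (("zone", (a.zones, b.zones)), ("config", (a.configs, b.configs))):
        target = merged.zones if label == "zone" else merged.configs
        for side in sides:
            for name, content in side.items():
                if name in target and sorted(target[name]) != sorted(content):
                    return "segmented", f"{label} {name} differs on the two switches"
                target[name] = list(content)

    # Rows 1 and 2: if either side has an enabled configuration it stays
    # effective; otherwise the composite propagates in an inactive state.
    merged.effective = a.effective or b.effective
    # Rows 3 and 4: noaccess takes precedence. That is the safe direction, since
    # allaccess lets every device that is in no zone reach every other such device.
    merged.defzone = "noaccess" if "noaccess" in (a.defzone, b.defzone) else "allaccess"
    return "clean", merged


# Constructed databases taken from the rows of Table 103.
ROW1_A = ZoneDB(zones={"zone1": ["ali1", "ali2"]}, configs={"cfg1": ["zone1"]})
ROW1_B = ZoneDB()
ROW2_A = ZoneDB(zones={"zone2": ["ali3", "ali4"]}, configs={"cfg2": ["zone2"]})
ROW2_B = ZoneDB(zones={"zone1": ["ali1", "ali2"]}, configs={"cfg1": ["zone1"]}, effective="cfg1")

if __name__ == "__main__":
    for title, x, y in (("row 1", ROW1_A, ROW1_B), ("row 2", ROW2_A, ROW2_B),
                        ("row 3", ZoneDB(defzone="noaccess"), ZoneDB(defzone="allaccess"))):
        status, result = merge(x, y)
        detail = result if isinstance(result, str) else \
            f"effective={result.effective} configs={sorted(result.configs)} defzone={result.defzone}"
        print(f"{title}: {status}: {detail}")
```

Before joining a switch to a production fabric, model both databases this way (or simply compare cfgShow output by hand) and check two things the table makes explicit: which configuration will be effective afterwards, and which defzone mode wins, since a merge that silently leaves unzoned devices with allaccess widens who can reach the storage.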
A AAA service requests 67 aaaConfig command 69, 78, 80, 81 access browser support 93 changing account parameters 61 control 100 CP blade 72 creating accounts 60 deleting accounts 60 IP address changes 24 log in fails 24 NTP 32 other devices 45 other switches 45 password, changing 26 recovering accounts 62 remote access policies 74 secure, HTTPS 93 secure, SSL 93 SNMP ACL 87 access control 276 configuring discovery domain sets 266 discovery domains 266 discovery domains 252 limiting 252 access methods config
creating 204 deleting 205 removing members 205 aliCreate 274 all access zone setting 271 ARP.
licenseadd 35 licenseremove 36 licenseShow 36 licenseshow 36 nsallshow 47 nsShow 273 nsshow 47 ping 259 portCfg 255, 259, 260 portCfgPersistentEnable 259 portCfgShow 258, 259 portCmd 260 portdisable 44, 45 portShow 259, 260 slotshow 47 switchdisable 44 switchenable 44 switchName 33 switchshow 46 zoneCreate 256, 275 command list for configuration 255 commands 302 aaaConfig 69 configUpload 106 defZone 316 fcrConfigure 303 fosConfig 303 interopMode 302 passwdCfg 64 portDisable 122 portEnable 122 secPolicyAbort
core/edge topology and ISL trunking 358 CP blade 35 access 72 CRC errors, displaying 333 creating accounts 60 Admin Domains 160 alias 204 DCC policy 111 discovery domain sets 267 discovery domains 267 iSCSI FC zones 272 iSCSI virtual targets 263 policy 111, 114 SCC policy 114 user-defined virtual targets 265 zone configurations 213, 275 zones 206 CSR 94 customizing switch names 33 customizing the chassis name 33 customizing the switch name 33 D database, clearing in a FICON environment 417 date 30 date and
switch 44 zone configuration 275 enabling and disabling FICON management server mode 423 enabling and disabling ISL trunking 361 enabling and disabling local authentication 81 encryption 93 end-to-end monitoring 330 end-to-end monitors adding 333 deleting 334 restoring configuration 346 saving configuration 346 setting a mask 331 ensuring network security 88 evaluating the fabric 448 event date and time 30 events notification of 276 EX_Port 324 example chassisshow 47 fabricshow 47 nsallshow 47 slotshow 47
H HA failover 64, 72 hard zoning 197 hardware-enforced zoning 197 hashow command 47 help, obtaining 21, 22 high availability (HA) 47 high integrity fabric 416 HomeAD 71 host reboots 446 host-based zoning 194 HP storage web site 22 Subscriber’s choice web site 22 technical support 21 HP/UX procedure 454 HTTP 96 HTTPS 93, 96 certificates, security 88 hybrid update 451 I IAS configuring users 73 remote access policies 74 IAS (Internet Authentication Service), configuring 73 ID, account 24 identifying ports fr
user-defined 265 iscsiCfg add lun 255, 264, 265 addusername tgt 256, 268 commit 256 commit all 265, 268, 269, 270 create auth 256, 268 create dd 256, 267 create ddset 256, 267 create tgt 255, 263 delete lun 265 deleteusername tgt 269 easycreate 255 easycreate tgt 261, 263, 270 enable ddset 256, 267 modify tgt 256, 268 show 263 show auth 269 show dd 267 show ddset 267, 270 show fabric 270 show initiator 267 show lun 265, 266, 272 show tgt 263, 266, 268 show transaction 269 iscsiswCfg disableconn 254 enableco
maintaining zones 206 making basic connections 45 managing accounts 62 zoning configurations in a fabric 216 managing shared secrets 120 mapping advanced LUN 251 basic LUN 250 mask for end-to-end monitors setting 331 matching fabric parameters 300 members policy 106 policy, adding 115 policy, removing 115 merging zones 210 method authentication 266 MIB 98, 99 mibCapability 100 modifying zoning configurations 213 modifying the FCS policy 107 monitoring AL_PAs 333 monitoring end-to-end performance 333 monitor
creating, DCC 111 creating, SCC 114 DCC 111 deleting 115 members, adding 115 members, identifying 106 members, removing 115 password expiration 65 password strength 64 SCC 114 port 44 enabling 44 GbE 255 LUN mapping 265 numbering 257 port and switch naming standards 427 port swapping nodes, identifying in FICON environments 422 portCfg arp 260 ipif 255, 259 iproute 255, 260 portCfgPersistentEnable 259 portCfgShow 258, 259 portCmd ping 260 portDisable 122 portEnable 122 ports activating POD 40 enabling 258 G
saving monitor configuration 346 SCC policy 114 SCC list 304 secCertUtil 97 seccertutil 94, 95 Secure Fabric OS 304 secure file copy configuring 101 secure shell (ssh) 88 secure socket layer protocol 93 secure sockets layer 93 security 88, 243 activating certificates 96 and tunneling 380 Brocade MIB 98 browsers 93 certificates 88 configuring standard features 87, 105 encryption 93 FibreAlliance MIB 98 file copy 101 HTTPS, certificate 88 IAS remote access policies 74 obtaining certificates 95 secure protocol
displaying RADIUS configuration 78 enabling 44 FICON environment, configuring 418 identifying 33 IP 33 name customizing 33 RADIUS client 73 RADIUS configuration 78 RADIUS configuration, adding 79 RADIUS configuration, disabling 80 user-defined accounts 59 switch access 102 Switch Connection Controls list 304 switch WWN in Admin Domains 157 switchshow command 46 SWL, ISL Trunking support for 357 symbols in text 20 synchronize date and time 32 system-defined Admin Domains 154 systemGroup 101 T tag field, int
administering security 221 aliases 196 aliases, creating and managing 204 configuration, creating 275 configuration, enabling 275 configurations 196 configurations, creating and maintaining 213 configuring rules 201 creating 206 creating a configuration 213 creating, iSCSI FC 272 database size 210 default zone mode 209 default, set to all access 271 default, set to no access 271 defined zone configuration 196 deleting 208 deleting a configuration 214 disabled zone configuration 197 effective zone configurat
Figures

Example of a Brocade DCT file . . . . . . . . . . . . . . . . . . . . . . . . 75
Example of the dictiona.dcm file . . . . . . . . . . . . . . . . . . . . . . . 76
DH-CHAP authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . .
57 Dual backbone fabric configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Tables

Switch model naming matrix . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Document conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Default administrative account names and passwords . . . . . . . . . .
Zoning database limitations . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Resulting database size: 0 to 96K . . . . . . . . . . . . . . . . . . . . . . . 210
Resulting database size: 96K to 128K . . . . . . . . . . . . . . . . . . . . .