Dell Brocade 300 Administrator's Guide

53-1002745-02
25 March 2013
Fabric OS
Administrator’s Guide
Supporting Fabric OS 7.1.0
®
Copyright © 2013 Brocade Communications Systems, Inc. All Rights Reserved.
ADX, AnyIO, Brocade, Brocade Assurance, the B-wing symbol, DCX, Fabric OS, ICX, MLX, MyBrocade, OpenScript, VCS, VDX, and
Vyatta are registered trademarks, and HyperEdge, The Effortless Network, and The On-Demand Data Center are trademarks of
Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names
mentioned may be trademarks of their respective owners.
Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning
any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to
this document at any time, without notice, and assumes no responsibility for its use. This informational document describes
features that may not be currently available. Contact a Brocade sales office for information on feature and product availability.
Export of technical data contained in this document may require an export license from the United States government.
The authors and Brocade Communications Systems, Inc. shall have no liability or responsibility to any person or entity with
respect to any loss, cost, liability, or damages arising from the information contained in this book or the computer programs that
accompany it.
The product described by this document may contain “open source” software covered by the GNU General Public License or other
open source license agreements. To find out which open source software is included in Brocade products, view the licensing
terms applicable to the open source software, and obtain a copy of the programming source code, please visit
http://www.brocade.com/support/oscd.
Brocade Communications Systems, Incorporated
Corporate and Latin American Headquarters
Brocade Communications Systems, Inc.
130 Holger Way
San Jose, CA 95134
Tel: 1-408-333-8000
Fax: 1-408-333-8101
E-mail: info@brocade.com
Asia-Pacific Headquarters
Brocade Communications Systems China HK, Ltd.
No. 1 Guanghua Road
Chao Yang District
Units 2718 and 2818
Beijing 100020, China
Tel: +8610 6588 8888
Fax: +8610 6588 9999
E-mail: china-info@brocade.com
European Headquarters
Brocade Communications Switzerland Sàrl
Centre Swissair
Tour B - 4ème étage
29, Route de l'Aéroport
Case Postale 105
CH-1215 Genève 15
Switzerland
Tel: +41 22 799 5640
Fax: +41 22 799 5641
E-mail: emea-info@brocade.com
Asia-Pacific Headquarters
Brocade Communications Systems Co., Ltd. (Shenzhen WFOE)
Citic Plaza
No. 233 Tian He Road North
Unit 1308 – 13th Floor
Guangzhou, China
Tel: +8620 3891 2000
Fax: +8620 3891 2111
E-mail: china-info@brocade.com
Document History
Title
Publication number Summary of changes
Date
Fabric OS Administrator’s Guide 53-1002745-01
Added Fabric OS v7.1.0 software features
and support for new hardware platforms:
Brocade 5430 and 6520.
December 2012
Fabric OS Administrator’s Guide 53-1002745-02
Corrected errors and omissions in the guide.
March 2013
Contents (High Level)
Section I
Standard Features
Chapter 1
Understanding Fibre Channel Services . . . . . . . . . . . . . . . . . . . . . . . . . 43
Chapter 2
Performing Basic Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Chapter 3
Performing Advanced Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . 79
Chapter 4
Routing Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .111
Chapter 5
Managing User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133
Chapter 6
Configuring Protocols. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Chapter 7
Configuring Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195
Chapter 8
Maintaining the Switch Configuration File . . . . . . . . . . . . . . . . . . . . . . 241
Chapter 9
Installing and Maintaining Firmware . . . . . . . . . . . . . . . . . . . . . . . . . .255
Chapter 10
Managing Virtual Fabrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .275
Chapter 11
Administering Advanced Zoning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303
Chapter 12
Traffic Isolation Zoning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .345
Chapter 13
Bottleneck Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .375
Chapter 14
In-flight Encryption and Compression . . . . . . . . . . . . . . . . . . . . . . . . .393
Chapter 15
NPIV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .419
Chapter 16
Dynamic Fabric Provisioning: Fabric-Assigned PWWN. . . . . . . . . . . . .425
Chapter 17
Managing Administrative Domains . . . . . . . . . . . . . . . . . . . . . . . . . . .433
Section II
Licensed Features
Chapter 18
Administering Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .463
Chapter 19
Inter-chassis Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .491
Chapter 20
Monitoring Fabric Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .499
Chapter 21
Optimizing Fabric Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Chapter 22
Managing Trunking Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . .533
Chapter 23
Managing Long-Distance Fabrics . . . . . . . . . . . . . . . . . . . . . . . . . . . .551
Chapter 24
Using FC-FC Routing to Connect Fabrics . . . . . . . . . . . . . . . . . . . . . . .569
Fabric OS Administrator’s Guide
53-1002745-02
3
4
Appendix A
Port Indexing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .611
Appendix B
FIPS Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .615
Appendix C
Hexadecimal Conversion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .627
Fabric OS Administrator’s Guide
53-1002745-02
Contents
About This Document
How this document is organized . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Supported hardware and software . . . . . . . . . . . . . . . . . . . . . . . . . . 34
What’s new in this document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Document conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Notice to the reader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Additional information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Getting technical help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Document feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Section I
Chapter 1
Standard Features
Understanding Fibre Channel Services
Fibre Channel services overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Management server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Platform services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Platform services and Virtual Fabrics. . . . . . . . . . . . . . . . . . . . . 45
Enabling platform services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Disabling platform services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Management server database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Displaying the management server ACL. . . . . . . . . . . . . . . . . . . 46
Adding a member to the ACL. . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Deleting a member from the ACL . . . . . . . . . . . . . . . . . . . . . . . . 47
Viewing the contents of the management server database . . . 48
Clearing the management server database . . . . . . . . . . . . . . . 49
Topology discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Displaying topology discovery status . . . . . . . . . . . . . . . . . . . . . 49
Enabling topology discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Disabling topology discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Device login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Principal switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
E_Port login process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Fabric login process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Port login process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
RSCNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Duplicate Port World Wide Name . . . . . . . . . . . . . . . . . . . . . . . . 53
High availability of daemon processes . . . . . . . . . . . . . . . . . . . . . . . 53
Fabric OS Administrator’s Guide
53-1002745-02
5
Chapter 2
Performing Basic Configuration Tasks
Fabric OS overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Fabric OS command line interface. . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Console sessions using the serial port. . . . . . . . . . . . . . . . . . . . 56
Telnet or SSH sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Getting help on a command . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Viewing a history of command line entries . . . . . . . . . . . . . . . . 59
Password modification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Default account passwords. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
The switch Ethernet interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Virtual Fabrics and the Ethernet interface . . . . . . . . . . . . . . . . . 63
Displaying the network interface settings . . . . . . . . . . . . . . . . . 63
Static Ethernet addresses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
DHCP activation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
IPv6 autoconfiguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Date and time settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Setting the date and time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Time zone settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Network time protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Domain IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Displaying the domain IDs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Setting the domain ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Switch names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Customizing the switch name . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Chassis names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Customizing chassis names . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Fabric name. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Configuring the fabric name . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
High availability considerations for fabric names . . . . . . . . . . . 76
Upgrade and downgrade considerations for fabric names. . . . 76
Config file upload and download considerations for fabric
names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Switch activation and deactivation . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Disabling a switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Enabling a switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Switch and Backbone shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Powering off a Brocade switch . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Powering off a Brocade Backbone . . . . . . . . . . . . . . . . . . . . . . . 77
Basic connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Device connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Switch connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
6
Fabric OS Administrator’s Guide
53-1002745-02
Chapter 3
Performing Advanced Configuration Tasks
Port Identifiers (PIDs) and PID binding overview . . . . . . . . . . . . . . . 79
Core PID addressing mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Fixed addressing mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
10-bit addressing mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
256-area addressing mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
WWN-based PID assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Port Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Backbone port blades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Configuring two Ethernet ports on one CP8 blade . . . . . . . . . . 85
Setting port names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Port identification by slot and port number . . . . . . . . . . . . . . . . 87
Port identification by port area ID. . . . . . . . . . . . . . . . . . . . . . . . 87
Port identification by index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Configuring a device-switch connection . . . . . . . . . . . . . . . . . . . 88
Swapping port area IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Port activation and deactivation . . . . . . . . . . . . . . . . . . . . . . . . . 89
Port decommissioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Setting port modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Setting port speeds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Setting all ports on a switch to the same speed . . . . . . . . . . . . 92
Setting port speed for a port octet . . . . . . . . . . . . . . . . . . . . . . . 93
Blade terminology and compatibility . . . . . . . . . . . . . . . . . . . . . . . . . 93
CP blades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Core blades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Port and application blade compatibility . . . . . . . . . . . . . . . . . . 96
FX8-24 compatibility notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Enabling and disabling blades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Enabling blades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Disabling blades. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Blade swapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
How blades are swapped . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Swapping blades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
Enabling and disabling switches . . . . . . . . . . . . . . . . . . . . . . . . . . .100
Power management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101
Powering off a port blade . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102
Powering on a port blade . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102
Equipment status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102
Checking switch operation . . . . . . . . . . . . . . . . . . . . . . . . . . . .102
Verifying High Availability features (Backbones only) . . . . . . .103
Verifying fabric connectivity. . . . . . . . . . . . . . . . . . . . . . . . . . . .103
Verifying device connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . .104
Track and control switch changes . . . . . . . . . . . . . . . . . . . . . . . . . .104
Enabling the track changes feature . . . . . . . . . . . . . . . . . . . . .104
Displaying the status of the track changes feature. . . . . . . . .105
Viewing the switch status policy threshold values. . . . . . . . . .105
Setting the switch status policy threshold values . . . . . . . . . .106
Fabric OS Administrator’s Guide
53-1002745-02
7
Audit log configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Verifying host syslog prior to configuring the audit log . . . . . .108
Configuring an audit log for specific event classes . . . . . . . . .108
Duplicate PWWN handling during device login . . . . . . . . . . . . . . . .109
Setting the behavior for handling duplicate PWWNs. . . . . . . .110
Chapter 4
Routing Traffic
Routing overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .111
Paths and route selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . .112
FSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .112
Fibre Channel NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .113
Inter-switch links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114
Buffer credits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .115
Congestions versus over-subscription . . . . . . . . . . . . . . . . . . .115
Virtual channels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .115
Gateway links. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Configuring a link through a gateway . . . . . . . . . . . . . . . . . . . .118
Routing policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .118
Displaying the current routing policy . . . . . . . . . . . . . . . . . . . .119
Port-based routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119
Exchange-based routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119
Device-based routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .120
AP route policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .120
Route selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .122
Dynamic Load Sharing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .122
Frame order delivery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123
Forcing in-order frame delivery across topology changes . . . .123
Restoring out-of-order frame delivery across topology
changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123
Using Frame Viewer to understand why frames are dropped .124
Lossless Dynamic Load Sharing on ports . . . . . . . . . . . . . . . . . . . .125
Lossless core . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .126
Configuring Lossless Dynamic Load Sharing . . . . . . . . . . . . . .127
Lossless Dynamic Load Sharing in Virtual Fabrics . . . . . . . . .127
Enabling forward error correction (FEC) . . . . . . . . . . . . . . . . . . . . .128
Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .128
Frame Redirection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
Creating a frame redirect zone . . . . . . . . . . . . . . . . . . . . . . . . .130
Deleting a frame redirect zone . . . . . . . . . . . . . . . . . . . . . . . . .131
Viewing frame redirect zones . . . . . . . . . . . . . . . . . . . . . . . . . .131
Chapter 5
Managing User Accounts
User accounts overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133
Role-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . .134
The management channel . . . . . . . . . . . . . . . . . . . . . . . . . . . .136
Managing user-defined roles . . . . . . . . . . . . . . . . . . . . . . . . . .136
8
Fabric OS Administrator’s Guide
53-1002745-02
Local database user accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137
Default accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .138
Local account passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139
Local user account database distribution. . . . . . . . . . . . . . . . . . . .140
Distributing the local user database . . . . . . . . . . . . . . . . . . . .140
Accepting distributed user databases on the local switch . . .140
Rejecting distributed user databases on the local switch . . . 141
Password policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Password strength policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Password history policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142
Password expiration policy . . . . . . . . . . . . . . . . . . . . . . . . . . . .143
Account lockout policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143
The boot PROM password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145
Setting the boot PROM password for a switch with a
recovery string . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145
Setting the boot PROM password for a Backbone with a
recovery string . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146
Setting the boot PROM password for a switch without a
recovery string . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Setting the boot PROM password for a Backbone without
a recovery string. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .148
Remote authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .149
Remote Authentication Configuration . . . . . . . . . . . . . . . . . . .149
Setting the switch authentication mode . . . . . . . . . . . . . . . . .152
Fabric OS user accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152
Fabric OS users on the RADIUS server . . . . . . . . . . . . . . . . . . .154
Setting up a RADIUS server. . . . . . . . . . . . . . . . . . . . . . . . . . . .156
LDAP configuration and Microsoft Active Directory . . . . . . . . .162
LDAP configuration and OpenLDAP . . . . . . . . . . . . . . . . . . . . .165
TACACS+ service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Remote authentication configuration on the switch . . . . . . . . 174
Configuring local authentication as backup. . . . . . . . . . . . . . . 176
Chapter 6
Configuring Protocols
Security protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Secure Copy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .178
Setting up SCP for configuration uploads and downloads . . .179
Secure Shell protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179
SSH public key authentication . . . . . . . . . . . . . . . . . . . . . . . . .180
Secure Sockets Layer protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . .182
Browser and Java support . . . . . . . . . . . . . . . . . . . . . . . . . . . . .182
SSL configuration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . .183
The browser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .186
Root certificates for the Java plugin . . . . . . . . . . . . . . . . . . . . .187
Simple Network Management Protocol . . . . . . . . . . . . . . . . . . . . . .188
SNMP and Virtual Fabrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . .189
SNMP security levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .190
SNMP configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .190
Fabric OS Administrator’s Guide
53-1002745-02
9
Telnet protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .190
Blocking Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .190
Unblocking Telnet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .191
Listener applications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192
Ports and applications used by switches . . . . . . . . . . . . . . . . . . . .192
Port configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .193
Chapter 7
Configuring Security Policies
ACL policies overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195
How the ACL policies are stored . . . . . . . . . . . . . . . . . . . . . . . .195
Policy members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .196
ACL policy management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .196
Displaying ACL policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197
Saving changes without activating the policies . . . . . . . . . . . .197
Activating ACL policy changes . . . . . . . . . . . . . . . . . . . . . . . . . .197
Deleting an ACL policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197
Adding a member to an existing ACL policy . . . . . . . . . . . . . . .198
Removing a member from an ACL policy . . . . . . . . . . . . . . . . .198
Abandoning unsaved ACL policy changes . . . . . . . . . . . . . . . .198
FCS policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199
FCS policy restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199
Ensuring fabric domains share policies . . . . . . . . . . . . . . . . . .200
Creating an FCS policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .201
Modifying the order of FCS switches . . . . . . . . . . . . . . . . . . . .201
FCS policy distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .202
Device Connection Control policies . . . . . . . . . . . . . . . . . . . . . . . . .203
DCC policy restrictions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .203
Creating a DCC policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204
Deleting a DCC policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .205
DCC policy behavior with Fabric-Assigned PWWNs . . . . . . . . .205
SCC Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206
Creating an SCC policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .207
Authentication policy for fabric elements . . . . . . . . . . . . . . . . . . . .207
E_Port authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .208
Device authentication policy . . . . . . . . . . . . . . . . . . . . . . . . . . .210
AUTH policy restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .211
Authentication protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .212
Secret key pairs for DH-CHAP . . . . . . . . . . . . . . . . . . . . . . . . . .213
FCAP configuration overview. . . . . . . . . . . . . . . . . . . . . . . . . . .215
Fabric-wide distribution of the authorization policy. . . . . . . . . 217
10
Fabric OS Administrator’s Guide
53-1002745-02
IP Filter policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Creating an IP Filter policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . .218
Cloning an IP Filter policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . .218
Displaying an IP Filter policy . . . . . . . . . . . . . . . . . . . . . . . . . . .218
Saving an IP Filter policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .218
Activating an IP Filter policy. . . . . . . . . . . . . . . . . . . . . . . . . . . .219
Deleting an IP Filter policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . .219
IP Filter policy rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .219
IP Filter policy enforcement. . . . . . . . . . . . . . . . . . . . . . . . . . . .223
Adding a rule to an IP Filter policy. . . . . . . . . . . . . . . . . . . . . . .223
Deleting a rule from an IP Filter policy . . . . . . . . . . . . . . . . . . .223
Aborting an IP Filter transaction . . . . . . . . . . . . . . . . . . . . . . . .223
IP Filter policy distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . .224
Managing filter thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . .224
Policy database distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .224
Database distribution settings . . . . . . . . . . . . . . . . . . . . . . . . .225
ACL policy distribution to other switches . . . . . . . . . . . . . . . . .227
Fabric-wide enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .227
Notes on joining a switch to the fabric . . . . . . . . . . . . . . . . . . .229
Management interface security . . . . . . . . . . . . . . . . . . . . . . . . . . . .231
Configuration examples. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .231
IP sec protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .233
Security associations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .233
Authentication and encryption algorithms . . . . . . . . . . . . . . . .234
IP sec policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .234
IKE policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .235
Creating the tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .236
Example of an end-to-end transport tunnel mode. . . . . . . . . .238
Chapter 8
Maintaining the Switch Configuration File
Configuration settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Configuration file format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .242
Configuration file backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .244
Uploading a configuration file in interactive mode . . . . . . . . .245
Configuration file restoration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .246
Restrictions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .246
Configuration download without disabling a switch . . . . . . . .248
Configurations across a fabric . . . . . . . . . . . . . . . . . . . . . . . . . . . . .250
Downloading a configuration file from one switch to
another switch of the same model . . . . . . . . . . . . . . . . . . . . . .250
Security considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .250
Configuration management for Virtual Fabrics . . . . . . . . . . . . . . . .250
Uploading a configuration file from a switch with
Virtual Fabrics enabled . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .251
Restoring a logical switch configuration using
configDownload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .251
Restrictions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .252
Brocade configuration form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .253
Fabric OS Administrator’s Guide
53-1002745-02
11
Chapter 9
Installing and Maintaining Firmware
Firmware download process overview . . . . . . . . . . . . . . . . . . . . . . .255
Upgrading and downgrading firmware . . . . . . . . . . . . . . . . . . .257
Considerations for FICON CUP environments . . . . . . . . . . . . .257
HA sync state . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .257
Preparing for a firmware download . . . . . . . . . . . . . . . . . . . . . . . . .258
Obtaining and decompressing firmware . . . . . . . . . . . . . . . . .259
Connected switches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .259
Finding the switch firmware version . . . . . . . . . . . . . . . . . . . . .259
Firmware download on switches . . . . . . . . . . . . . . . . . . . . . . . . . . .260
Switch firmware download process overview. . . . . . . . . . . . . .260
Firmware download on a Backbone. . . . . . . . . . . . . . . . . . . . . . . . .262
Backbone firmware download process overview. . . . . . . . . . .262
Firmware download from a USB device . . . . . . . . . . . . . . . . . . . . . .265
Enabling the USB device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .265
Viewing the USB file system . . . . . . . . . . . . . . . . . . . . . . . . . . .265
Downloading from the USB device using the relative path. . .266
Downloading from the USB device using the absolute path. .266
FIPS support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .266
Public and private key management . . . . . . . . . . . . . . . . . . . .266
The firmwareDownload command . . . . . . . . . . . . . . . . . . . . . .267
Power-on firmware checksum test . . . . . . . . . . . . . . . . . . . . . .268
Testing and restoring firmware on switches . . . . . . . . . . . . . . . . . .268
Testing a different firmware version on a switch . . . . . . . . . . .268
Testing and restoring firmware on Backbones . . . . . . . . . . . . . . . .270
Testing different firmware versions on Backbones . . . . . . . . .270
Validating a firmware download . . . . . . . . . . . . . . . . . . . . . . . . . . . .273
Chapter 10
Managing Virtual Fabrics
Virtual Fabrics overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .275
Logical switch overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Default logical switch. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Logical switches and fabric IDs. . . . . . . . . . . . . . . . . . . . . . . . .277
Port assignment in logical switches . . . . . . . . . . . . . . . . . . . . .278
Logical switches and connected devices . . . . . . . . . . . . . . . . .279
Management model for logical switches. . . . . . . . . . . . . . . . . . . . .281
Logical fabric overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .281
Logical fabric and ISLs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .282
Base switch and extended ISLs . . . . . . . . . . . . . . . . . . . . . . . .283
Account management and Virtual Fabrics . . . . . . . . . . . . . . . . . . .286
Supported platforms for Virtual Fabrics . . . . . . . . . . . . . . . . . . . . .286
Supported port configurations in the fixed-port switches. . . .286
Supported port configurations in Brocade Backbones . . . . . .287
Virtual Fabrics interaction with other Fabric OS features . . . .288
12
Fabric OS Administrator’s Guide
53-1002745-02
Limitations and restrictions of Virtual Fabrics . . . . . . . . . . . . . . . .288
Restrictions on XISLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .289
Restrictions on moving ports . . . . . . . . . . . . . . . . . . . . . . . . . .289
Enabling Virtual Fabrics mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . .290
Disabling Virtual Fabrics mode . . . . . . . . . . . . . . . . . . . . . . . . . . . .290
Configuring logical switches to use basic configuration values. . .291
Creating a logical switch or base switch . . . . . . . . . . . . . . . . . . . . .292
Executing a command in a different logical switch context . . . . . .293
Deleting a logical switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .294
Adding and moving ports on a logical switch . . . . . . . . . . . . . . . . .295
Displaying logical switch configuration . . . . . . . . . . . . . . . . . . . . . .296
Changing the fabric ID of a logical switch . . . . . . . . . . . . . . . . . . . .296
Changing a logical switch to a base switch . . . . . . . . . . . . . . . . . . .297
Setting up IP addresses for a Virtual Fabric . . . . . . . . . . . . . . . . . .298
Removing an IP address for a Virtual Fabric . . . . . . . . . . . . . . . . . .298
Configuring a logical switch to use XISLs . . . . . . . . . . . . . . . . . . . .299
Changing the context to a different logical fabric . . . . . . . . . . . . . .299
Creating a logical fabric using XISLs . . . . . . . . . . . . . . . . . . . . . . . .300
Chapter 11
Administering Advanced Zoning
Zone types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303
Zoning overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .304
Approaches to zoning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .305
Zone objects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .306
Zone aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .307
Zone configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .307
Zoning enforcement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .308
Considerations for zoning architecture . . . . . . . . . . . . . . . . . .309
Best practices for zoning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Broadcast zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Broadcast zones and Admin Domains . . . . . . . . . . . . . . . . . . . 310
Broadcast zones and FC-FC routing . . . . . . . . . . . . . . . . . . . . .311
High availability considerations with broadcast zones . . . . . .312
Loop devices and broadcast zones . . . . . . . . . . . . . . . . . . . . .312
Broadcast zones and default zoning mode . . . . . . . . . . . . . . .312
Zone aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .312
Creating an alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .313
Adding members to an alias . . . . . . . . . . . . . . . . . . . . . . . . . . .313
Removing members from an alias . . . . . . . . . . . . . . . . . . . . . . 314
Deleting an alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Viewing an alias in the defined configuration . . . . . . . . . . . . .315
Fabric OS Administrator’s Guide
53-1002745-02
13
Zone creation and maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Displaying existing zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Creating a zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Adding devices (members) to a zone . . . . . . . . . . . . . . . . . . . . 317
Removing devices (members) from a zone . . . . . . . . . . . . . . .318
Replacing zone members . . . . . . . . . . . . . . . . . . . . . . . . . . . . .319
Deleting a zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .320
Viewing a zone in the defined configuration . . . . . . . . . . . . . .322
Validating a zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .323
Default zoning mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .326
Setting the default zoning mode. . . . . . . . . . . . . . . . . . . . . . . .326
Viewing the current default zone access mode . . . . . . . . . . . .327
Zone database size. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .327
Zone configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .328
Creating a zone configuration . . . . . . . . . . . . . . . . . . . . . . . . . .328
Adding zones (members) to a zone configuration . . . . . . . . . .329
Removing zones (members) from a zone configuration . . . . .329
Enabling a zone configuration . . . . . . . . . . . . . . . . . . . . . . . . .330
Disabling a zone configuration . . . . . . . . . . . . . . . . . . . . . . . . .330
Deleting a zone configuration . . . . . . . . . . . . . . . . . . . . . . . . . .331
Abandoning zone configuration changes . . . . . . . . . . . . . . . . .331
Viewing all zone configuration information . . . . . . . . . . . . . . .331
Viewing selected zone configuration information . . . . . . . . . .332
Viewing the configuration in the effective zone database . . .332
Clearing all zone configurations . . . . . . . . . . . . . . . . . . . . . . . .333
Zone object maintenance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .333
Copying a zone object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .333
Deleting a zone object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .334
Renaming a zone object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .335
Zone configuration management. . . . . . . . . . . . . . . . . . . . . . . . . . .336
Security and zoning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .336
Zone merging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .336
Fabric segmentation and zoning. . . . . . . . . . . . . . . . . . . . . . . .338
Zone merging scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .339
Concurrent zone transactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . .342
Chapter 12
Traffic Isolation Zoning
Traffic Isolation Zoning overview . . . . . . . . . . . . . . . . . . . . . . . . . . .345
TI zone failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .346
FSPF routing rules and traffic isolation . . . . . . . . . . . . . . . . . .349
Enhanced TI zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .350
Illegal configurations with enhanced TI zones. . . . . . . . . . . . .351
Traffic Isolation Zoning over FC routers . . . . . . . . . . . . . . . . . . . . . .352
TI zones within an edge fabric . . . . . . . . . . . . . . . . . . . . . . . . .354
TI zones within a backbone fabric . . . . . . . . . . . . . . . . . . . . . .355
Limitations of TI zones over FC routers . . . . . . . . . . . . . . . . . .356
14
Fabric OS Administrator’s Guide
53-1002745-02
General rules for TI zones. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .356
Traffic Isolation Zone violation handling for trunk ports . . . . .357
Supported configurations for Traffic Isolation Zoning . . . . . . . . . .358
Additional configuration rules for enhanced TI zones . . . . . . .358
Trunking with TI zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .359
Limitations and restrictions of Traffic Isolation Zoning . . . . . . . . .359
Admin Domain considerations for Traffic Isolation Zoning . . . . . .360
Virtual Fabrics considerations for Traffic Isolation Zoning . . . . . . .361
Traffic Isolation Zoning over FC routers with Virtual Fabrics . . . . .363
Creating a TI zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .364
Creating a TI zone in a base fabric . . . . . . . . . . . . . . . . . . . . . .366
Modifying TI zones. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .367
Changing the state of a TI zone . . . . . . . . . . . . . . . . . . . . . . . . . . . .368
Deleting a TI zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .369
Displaying TI zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .369
Troubleshooting TI zone routing problems . . . . . . . . . . . . . . . . . . .370
Setting up TI over FCR (sample procedure). . . . . . . . . . . . . . . . . . . 371
Chapter 13
Bottleneck Detection
Bottleneck detection overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . .375
Types of bottlenecks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
How bottlenecks are reported. . . . . . . . . . . . . . . . . . . . . . . . . . 376
Supported configurations for bottleneck detection . . . . . . . . . . . .377
Limitations of bottleneck detection . . . . . . . . . . . . . . . . . . . . .377
High availability considerations for bottleneck detection . . . .378
Upgrade and downgrade considerations for bottleneck
detection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .378
Trunking considerations for bottleneck detection . . . . . . . . . .378
Virtual Fabrics considerations for bottleneck detection . . . . .378
Access Gateway considerations for bottleneck detection. . . .378
Credit Loss. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .379
Back-end credit loss detection and recovery support on
Brocade 5300 switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .379
Back-end credit loss detection and recovery support on
Brocade 6520 switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .379
Enabling back-end credit loss detection and recovery . . . . . .380
Enabling bottleneck detection on a switch . . . . . . . . . . . . . . . . . . .380
Displaying bottleneck detection configuration details . . . . . . . . . .381
Setting bottleneck detection alerts . . . . . . . . . . . . . . . . . . . . . . . . .382
Setting both a congestion alert and a latency alert . . . . . . . .383
Setting a congestion alert only . . . . . . . . . . . . . . . . . . . . . . . . .384
Setting a latency alert only . . . . . . . . . . . . . . . . . . . . . . . . . . . .384
Fabric OS Administrator’s Guide
53-1002745-02
15
Changing bottleneck detection parameters . . . . . . . . . . . . . . . . . .384
Examples of applying and changing bottleneck detection
parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .385
Advanced bottleneck detection settings . . . . . . . . . . . . . . . . . . . . .388
Excluding a port from bottleneck detection . . . . . . . . . . . . . . . . . .389
Displaying bottleneck statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . .391
Disabling bottleneck detection on a switch . . . . . . . . . . . . . . . . . .392
Chapter 14
In-flight Encryption and Compression
In-flight encryption and compression overview. . . . . . . . . . . . . . . .393
Encryption and compression restrictions. . . . . . . . . . . . . . . . .394
How encryption and compression are enabled . . . . . . . . . . . .396
Authentication and key generation. . . . . . . . . . . . . . . . . . . . . .398
Availability considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . .398
Virtual Fabrics considerations. . . . . . . . . . . . . . . . . . . . . . . . . .399
Recommendation for compression. . . . . . . . . . . . . . . . . . . . . .399
Configuring encryption and compression . . . . . . . . . . . . . . . . . . . .399
Viewing the encryption and compression configuration . . . . .401
Port speed and encryption/compression enabled ports . . . .401
Changing port speed on encryption/compression enabled
ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .402
Compression ratios and encryption/compression enabled
ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .402
Configuring and enabling authentication. . . . . . . . . . . . . . . . .403
Configuring encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .404
Configuring compression. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .404
Disabling encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .405
Disabling compression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .405
Encryption and compression examples. . . . . . . . . . . . . . . . . . . . . .406
Example of enabling encryption and compression on an
E_Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .407
Examples of disabling encryption and compression . . . . . . . . 410
Working with EX_Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
In-flight encryption/compression on EX_Ports . . . . . . . . . . . . 411
Example of enabling encryption and compression on an
EX_Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .412
Chapter 15
NPIV
NPIV overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Upgrade considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .420
Fixed addressing mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .420
10-bit addressing mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .420
Configuring NPIV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .421
Enabling and disabling NPIV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .422
Viewing NPIV port configuration information . . . . . . . . . . . . . . . . .423
Viewing virtual PID login information . . . . . . . . . . . . . . . . . . . .424
16
Fabric OS Administrator’s Guide
53-1002745-02
Chapter 16
Dynamic Fabric Provisioning: Fabric-Assigned PWWN
Introduction to Dynamic Fabric Provisioning using FA-PWWN . . . .425
User- and auto-assigned FA-PWWN behavior . . . . . . . . . . . . . . . . .426
Checking for duplicate FA-PWWNs . . . . . . . . . . . . . . . . . . . . . .426
Configuring FA-PWWNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .426
Configuring an FA-PWWN for an HBA connected to an
Access Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .427
Configuring an FA-PWWN for an HBA connected to an
edge switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .428
Supported switches and configurations for FA-PWWN. . . . . . . . . .429
Configuration upload and download considerations for FA-PWWN430
Firmware upgrade and downgrade considerations for FA-PWWN .430
Security considerations for FA-PWWN . . . . . . . . . . . . . . . . . . . . . . .430
Restrictions of FA-PWWN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .431
Access Gateway N_Port failover with FA-PWWN . . . . . . . . . . . . . . .431
Chapter 17
Managing Administrative Domains
Administrative Domains overview . . . . . . . . . . . . . . . . . . . . . . . . . .433
Admin Domain features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .435
Requirements for Admin Domains . . . . . . . . . . . . . . . . . . . . . .435
Admin Domain access levels. . . . . . . . . . . . . . . . . . . . . . . . . . .435
User-defined Admin Domains . . . . . . . . . . . . . . . . . . . . . . . . . .436
System-defined Admin Domains. . . . . . . . . . . . . . . . . . . . . . . .436
Home Admin Domains and login . . . . . . . . . . . . . . . . . . . . . . .438
Admin Domain member types. . . . . . . . . . . . . . . . . . . . . . . . . .439
Admin Domains and switch WWNs. . . . . . . . . . . . . . . . . . . . . .440
Admin Domain compatibility, availability, and merging . . . . . .442
Admin Domain management for physical fabric administrators . .442
Setting the default zoning mode for Admin Domains . . . . . . .443
Creating an Admin Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . .443
User assignments to Admin Domains . . . . . . . . . . . . . . . . . . .444
Removing an Admin Domain from a user account . . . . . . . . .446
Activating an Admin Domain . . . . . . . . . . . . . . . . . . . . . . . . . . .446
Deactivating an Admin Domain . . . . . . . . . . . . . . . . . . . . . . . .447
Adding members to an existing Admin Domain . . . . . . . . . . . .447
Removing members from an Admin Domain . . . . . . . . . . . . . .448
Renaming an Admin Domain . . . . . . . . . . . . . . . . . . . . . . . . . .448
Deleting an Admin Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . .449
Deleting all user-defined Admin Domains . . . . . . . . . . . . . . . .450
Deleting all user-defined Admin Domains non-disruptively . .450
Validating an Admin Domain member list . . . . . . . . . . . . . . . .454
Fabric OS Administrator’s Guide
53-1002745-02
17
SAN management with Admin Domains . . . . . . . . . . . . . . . . . . . . .454
CLI commands in an AD context . . . . . . . . . . . . . . . . . . . . . . . .455
Executing a command in a different AD context . . . . . . . . . . .455
Displaying an Admin Domain configuration . . . . . . . . . . . . . . .456
Switching to a different Admin Domain context. . . . . . . . . . . .456
Admin Domain interactions with other Fabric OS features . . .457
Admin Domains, zones, and zone databases . . . . . . . . . . . . .458
Admin Domains and LSAN zones . . . . . . . . . . . . . . . . . . . . . . .459
Configuration upload and download in an AD context . . . . . .460
Section II
Chapter 18
Licensed Features
Administering Licensing
Licensing overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .463
Brocade 7800 Upgrade license . . . . . . . . . . . . . . . . . . . . . . . . . . . .470
ICL licensing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
ICL 1st POD license . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
ICL 2nd POD license . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
ICL 8-link license . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .472
ICL 16-link license . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .472
Enterprise ICL license . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .472
8G licensing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .473
Slot-based licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
Upgrade and downgrade considerations . . . . . . . . . . . . . . . . . 474
Assigning a license to a slot . . . . . . . . . . . . . . . . . . . . . . . . . . .475
Removing a license from a slot . . . . . . . . . . . . . . . . . . . . . . . . .475
10G licensing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .475
Enabling 10 Gbps operation on an FC port . . . . . . . . . . . . . . . 476
Enabling the 10-GbE ports on an FX8-24 blade . . . . . . . . . . . 477
Temporary licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .478
Restrictions on upgrading temporary slot-based licenses . . .479
Date change restriction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .479
Configupload and download considerations . . . . . . . . . . . . . .479
Expired licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .480
Universal temporary licenses . . . . . . . . . . . . . . . . . . . . . . . . . .480
Extending a universal temporary license . . . . . . . . . . . . . . . . .480
Universal temporary license shelf life. . . . . . . . . . . . . . . . . . . .480
Viewing installed licenses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .481
Activating a license . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .481
Adding a licensed feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .481
Removing a licensed feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .482
18
Fabric OS Administrator’s Guide
53-1002745-02
Ports on Demand . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .483
Displaying installed licenses . . . . . . . . . . . . . . . . . . . . . . . . . . .484
Activating Ports on Demand . . . . . . . . . . . . . . . . . . . . . . . . . . .485
Dynamic Ports on Demand . . . . . . . . . . . . . . . . . . . . . . . . . . . .485
Displaying the port license assignments . . . . . . . . . . . . . . . . .486
Enabling Dynamic Ports on Demand . . . . . . . . . . . . . . . . . . . .486
Disabling Dynamic Ports on Demand. . . . . . . . . . . . . . . . . . . .487
Reserving a port license . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .488
Releasing a port from a POD set. . . . . . . . . . . . . . . . . . . . . . . .488
Chapter 19
Inter-chassis Links
Inter-chassis links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .491
ICLs for the Brocade DCX 8510 Backbone family. . . . . . . . . . . . . .492
ICL trunking on the Brocade DCX 8510-8 and DCX 8510-4 . .493
ICLs for the Brocade DCX Backbone family. . . . . . . . . . . . . . . . . . .493
ICL trunking on the Brocade DCX and DCX-4S. . . . . . . . . . . . .494
Virtual Fabrics considerations for ICLs . . . . . . . . . . . . . . . . . . . . . .494
Supported topologies for ICL connections . . . . . . . . . . . . . . . . . . .495
Mesh topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .495
Core-edge topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .496
Chapter 20
Monitoring Fabric Performance
Advanced Performance Monitoring overview . . . . . . . . . . . . . . . . .499
Types of monitors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .499
Restrictions for installing monitors . . . . . . . . . . . . . . . . . . . . . .500
Virtual Fabrics considerations for Advanced Performance
Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .500
Access Gateway considerations for Advanced Performance
Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .501
End-to-end performance monitoring . . . . . . . . . . . . . . . . . . . . . . . .501
Maximum number of EE monitors . . . . . . . . . . . . . . . . . . . . . .501
Supported port configurations for EE monitors . . . . . . . . . . . .502
Adding EE monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .502
Setting a mask for an EE monitor . . . . . . . . . . . . . . . . . . . . . . .503
Deleting EE monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .504
Displaying EE monitor counters . . . . . . . . . . . . . . . . . . . . . . . .504
Clearing EE monitor counters . . . . . . . . . . . . . . . . . . . . . . . . . .505
Frame monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .505
Creating frame types to be monitored . . . . . . . . . . . . . . . . . . .506
Creating a frame monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . .507
Deleting frame types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .507
Adding frame monitors to a port. . . . . . . . . . . . . . . . . . . . . . . .508
Removing frame monitors from a port . . . . . . . . . . . . . . . . . . .508
Saving a frame monitor configuration . . . . . . . . . . . . . . . . . . .508
Displaying frame monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . .508
Clearing frame monitor counters . . . . . . . . . . . . . . . . . . . . . . .509
Fabric OS Administrator’s Guide
53-1002745-02
19
Top Talker monitors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
Top Talker monitors and FC-FC routing. . . . . . . . . . . . . . . . . . .511
Limitations of Top Talker monitors . . . . . . . . . . . . . . . . . . . . . .512
Adding a Top Talker monitor to a port (port mode) . . . . . . . . .513
Adding Top Talker monitors on all switches in the fabric
(fabric mode) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .513
Displaying the top n bandwidth-using flows on a port
(port mode). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .513
Displaying top talking flows for a given domain ID
(fabric mode) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
Deleting a Top Talker monitor on a port (port mode) . . . . . . . 514
Deleting all fabric mode Top Talker monitors. . . . . . . . . . . . . .515
Trunk monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .515
Saving and restoring monitor configurations . . . . . . . . . . . . . . . . .515
Performance data collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Chapter 21
Optimizing Fabric Behavior
Adaptive Networking overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Ingress Rate Limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .518
Virtual Fabrics considerations. . . . . . . . . . . . . . . . . . . . . . . . . .519
Limiting traffic from a particular device . . . . . . . . . . . . . . . . . .519
Disabling Ingress Rate Limiting . . . . . . . . . . . . . . . . . . . . . . . .519
QoS: SID/DID traffic prioritization . . . . . . . . . . . . . . . . . . . . . . . . . .519
License requirements for SID/DID prioritization . . . . . . . . . . .520
CS_CTL-based frame prioritization. . . . . . . . . . . . . . . . . . . . . . . . . .521
QoS zone-based traffic prioritization . . . . . . . . . . . . . . . . . . . . . . . .523
Trunking considerations before you install the
Adaptive Networking license . . . . . . . . . . . . . . . . . . . . . . . . . . .523
Manually disabling QoS on trunked ports . . . . . . . . . . . . . . . .524
QoS zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .525
QoS on E_Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .526
QoS over FC routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .527
Virtual Fabrics considerations for QoS zone-based traffic
prioritization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .528
High-availability considerations for QoS zone-based traffic
prioritization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .528
Supported configurations for QoS zone-based traffic
prioritization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .529
Limitations and restrictions for QoS zone-based traffic
prioritization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .529
Setting QoS zone-based traffic prioritization. . . . . . . . . . . . . . . . . .530
Setting QoS zone-based traffic prioritization over FC routers . . . .532
Disabling QoS zone-based traffic prioritization. . . . . . . . . . . . . . . .532
20
Fabric OS Administrator’s Guide
53-1002745-02
Chapter 22
Managing Trunking Connections
Trunking overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .533
Types of trunking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .534
Masterless trunking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .534
License requirements for trunking . . . . . . . . . . . . . . . . . . . . . .535
Port groups for trunking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .535
Supported configurations for trunking . . . . . . . . . . . . . . . . . . . . . .535
High Availability support for trunking . . . . . . . . . . . . . . . . . . . .536
Supported platforms for trunking. . . . . . . . . . . . . . . . . . . . . . . . . . .536
Requirements for trunk groups . . . . . . . . . . . . . . . . . . . . . . . . . . . .536
Recommendations for trunk groups . . . . . . . . . . . . . . . . . . . . . . . .537
Configuring trunk groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .538
Enabling trunking on a port or switch . . . . . . . . . . . . . . . . . . . . . . .538
Disabling trunking on a port or switch. . . . . . . . . . . . . . . . . . . . . . .538
Displaying trunking information . . . . . . . . . . . . . . . . . . . . . . . . . . . .539
Trunk Area and Admin Domains. . . . . . . . . . . . . . . . . . . . . . . . . . . .540
ISL trunking over long-distance fabrics . . . . . . . . . . . . . . . . . . . . . .540
EX_Port trunking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .541
Masterless EX_Port trunking. . . . . . . . . . . . . . . . . . . . . . . . . . .542
Supported configurations and platforms for EX_Port
trunking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .542
Configuring EX_Port trunking . . . . . . . . . . . . . . . . . . . . . . . . . .542
Displaying EX_Port trunking information . . . . . . . . . . . . . . . . .542
F_Port trunking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .543
F_Port trunking for Access Gateway . . . . . . . . . . . . . . . . . . . . .543
F_Port trunking for Brocade adapters . . . . . . . . . . . . . . . . . . .545
F_Port trunking considerations. . . . . . . . . . . . . . . . . . . . . . . . .546
F_Port trunking in Virtual Fabrics . . . . . . . . . . . . . . . . . . . . . . .548
Displaying F_Port trunking information . . . . . . . . . . . . . . . . . . . . . .549
Disabling F_Port trunking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .549
Enabling the DCC policy on a trunk area. . . . . . . . . . . . . . . . . . . . .550
Trunking with TI zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .550
Chapter 23
Managing Long-Distance Fabrics
Long-distance fabrics overview . . . . . . . . . . . . . . . . . . . . . . . . . . . .551
Extended Fabrics device limitations . . . . . . . . . . . . . . . . . . . . . . . .552
Long -distance link modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .552
Configuring an extended ISL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .553
Enabling long distance when connecting to TDM devices . . .554
Fabric OS Administrator’s Guide
53-1002745-02
21
Buffer credit management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .555
Buffer-to-buffer flow control . . . . . . . . . . . . . . . . . . . . . . . . . . .555
Optimal buffer credit allocation . . . . . . . . . . . . . . . . . . . . . . . .556
Fibre Channel gigabit values reference definition. . . . . . . . . .557
Buffer credit allocation based on full-size frames. . . . . . . . . .557
Allocating buffer credits based on average-size frames . . . . .560
Configuring buffers for a single port directly . . . . . . . . . . . . . .561
Configuring buffers using frame size . . . . . . . . . . . . . . . . . . . .561
Calculating the number of buffers required given the
distance, speed, and frame size. . . . . . . . . . . . . . . . . . . . . . . .561
Allocating buffer credits for F_Ports . . . . . . . . . . . . . . . . . . . . .562
Monitoring buffers in a port group . . . . . . . . . . . . . . . . . . . . . .562
Buffer credits switch or blade model . . . . . . . . . . . . . . . . . . . .563
Maximum configurable distances for Extended Fabrics . . . . .564
Downgrade considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . .565
Buffer credit recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .566
Buffer credit recovery over an E_Port. . . . . . . . . . . . . . . . . . . .566
Buffer credit recovery over an F_Port. . . . . . . . . . . . . . . . . . . .566
Buffer credit recovery over an EX_Port. . . . . . . . . . . . . . . . . . .567
Enabling and disabling buffer credit recovery . . . . . . . . . . . . .567
Forward error correction on long-distance links . . . . . . . . . . . . . . .568
Enabling FEC on a long-distance link . . . . . . . . . . . . . . . . . . . .568
Disabling FEC on a long-distance link . . . . . . . . . . . . . . . . . . .568
Chapter 24
Using FC-FC Routing to Connect Fabrics
FC-FC routing overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .569
License requirements for FC-FC routing . . . . . . . . . . . . . . . . . .570
Supported platforms for FC-FC routing. . . . . . . . . . . . . . . . . . .570
Supported configurations for FC-FC routing. . . . . . . . . . . . . . . 571
Network OS connectivity limitations . . . . . . . . . . . . . . . . . . . . . 571
Fibre Channel routing concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . .572
Proxy devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .575
FC-FC routing topologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576
Phantom domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .577
FCR authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .579
Setting up FC-FC routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .579
Verifying the setup for FC-FC routing . . . . . . . . . . . . . . . . . . . .580
Backbone fabric IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .581
Assigning backbone fabric IDs . . . . . . . . . . . . . . . . . . . . . . . . .582
FCIP tunnel configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .582
Inter-fabric link configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .583
Configuring an IFL for both edge and backbone connections 583
FC router port cost configuration . . . . . . . . . . . . . . . . . . . . . . . . . . .587
Port cost considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .588
Setting router port cost for an EX_Port. . . . . . . . . . . . . . . . . . .588
EX_Port frame trunking configuration . . . . . . . . . . . . . . . . . . . . . . .589
22
Fabric OS Administrator’s Guide
53-1002745-02
LSAN zone configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .590
Use of Admin Domains with LSAN zones and FC-FC routing .590
Zone definition and naming . . . . . . . . . . . . . . . . . . . . . . . . . . .590
LSAN zones and fabric-to-fabric communications. . . . . . . . . .591
Controlling device communication with the LSAN . . . . . . . . . .591
Configuring backbone fabrics for interconnectivity . . . . . . . . .593
Setting the maximum LSAN count . . . . . . . . . . . . . . . . . . . . . .594
HA and downgrade considerations for LSAN zones . . . . . . . .594
LSAN zone policies using LSAN tagging . . . . . . . . . . . . . . . . . .594
LSAN zone binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .598
Proxy PID configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .603
Fabric parameter considerations . . . . . . . . . . . . . . . . . . . . . . . . . . .603
Inter-fabric broadcast frames. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .604
Displaying the current broadcast configuration. . . . . . . . . . . .604
Enabling broadcast frame forwarding . . . . . . . . . . . . . . . . . . .604
Disabling broadcast frame forwarding . . . . . . . . . . . . . . . . . . .604
Resource monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .604
FC-FC routing and Virtual Fabrics. . . . . . . . . . . . . . . . . . . . . . . . . . .606
Logical switch configuration for FC routing . . . . . . . . . . . . . . .607
Backbone-to-edge routing with Virtual Fabrics . . . . . . . . . . . .608
Upgrade and downgrade considerations for FC-FC routing . . . . . .609
How replacing port blades affects EX_Port configuration. . . .609
Displaying the range of output ports connected to xlate domains 609
Appendix A
Port Indexing
Appendix B
FIPS Support
FIPS overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .615
Zeroization functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .615
Power-on self tests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617
Conditional tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617
FIPS mode configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617
LDAP in FIPS mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .618
LDAP certificates for FIPS mode . . . . . . . . . . . . . . . . . . . . . . . .620
Preparing a switch for FIPS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .621
Overview of steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .622
Enabling FIPS mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .622
Zeroizing for FIPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .624
Displaying FIPS configuration . . . . . . . . . . . . . . . . . . . . . . . . . .625
Appendix C
Hexadecimal Conversion
Example conversion of the hexadecimal triplet Ox616000 . .627
Decimal-to-hexadecimal conversion table . . . . . . . . . . . . . . . .628
Index
Fabric OS Administrator’s Guide
53-1002745-02
23
24
Fabric OS Administrator’s Guide
53-1002745-02
Figures
Figure 1
Well-known addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Figure 2
Identifying the blades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Figure 3
Blade swap with Virtual Fabrics during the swap. . . . . . . . . . . . . . . . . . . . . . . . . 99
Figure 4
Blade swap with Virtual Fabrics after the swap . . . . . . . . . . . . . . . . . . . . . . . . . 100
Figure 5
Principal ISLs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Figure 6
New switch added to existing fabric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Figure 7
Virtual channels on a QoS-enabled ISL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Figure 8
Gateway link merging SANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Figure 9
Single host and target . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Figure 10
Windows 2000 VSA configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Figure 11
Example of a Brocade DCT file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Figure 12
Example of the dictiona.dcm file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Figure 13
DH-CHAP authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Figure 14
Protected endpoints configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Figure 15
Gateway tunnel configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Figure 16
Endpoint-to-gateway tunnel configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Figure 17
Switch before and after enabling Virtual Fabrics . . . . . . . . . . . . . . . . . . . . . . . . 276
Figure 18
Switch before and after creating logical switches . . . . . . . . . . . . . . . . . . . . . . . 277
Figure 19
Fabric IDs assigned to logical switches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Figure 20
Assigning ports to logical switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Figure 21
Logical switches connected to devices and non-Virtual Fabrics switch . . . . . . 280
Figure 22
Logical switches in a single chassis belong to separate fabrics . . . . . . . . . . . . 280
Figure 23
Logical switches connected to other logical switches through physical ISLs. . 282
Figure 24
Logical switches connected to form logical fabrics . . . . . . . . . . . . . . . . . . . . . . 282
Figure 25
Base switches connected by an XISL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Figure 26
Logical ISLs connecting logical switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Figure 27
Logical fabric using ISLs and XISLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Figure 28
Example of logical fabrics in multiple chassis and XISLs . . . . . . . . . . . . . . . . . 300
Figure 29
Zoning example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Figure 30
Broadcast zones and Admin Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Figure 31
Traffic Isolation zone creating a dedicated path through the fabric . . . . . . . . . 346
Figure 32
Fabric incorrectly configured for TI zone with failover disabled . . . . . . . . . . . . 348
Figure 33
Dedicated path is the only shortest path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Figure 34
Dedicated path is not the shortest path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Figure 35
Enhanced TI zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Fabric OS Administrator’s Guide
53-1002745-02
25
26
Figure 36
Illegal ETIZ configuration: two paths from one port to two devices on the same remote
domain 351
Figure 37
Illegal ETIZ configuration: two paths from one port . . . . . . . . . . . . . . . . . . . . . . 352
Figure 38
Traffic Isolation Zoning over FCR. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Figure 39
TI zone in an edge fabric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Figure 40
TI zone in a backbone fabric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Figure 41
TI zone misconfiguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Figure 42
Dedicated path with Virtual Fabrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Figure 43
Creating a TI zone in a logical fabric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Figure 44
Creating a TI zone in a base fabric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Figure 45
Example configuration for TI zones over FC routers in logical fabrics . . . . . . . 363
Figure 46
Logical representation of TI zones over FC routers in logical fabrics . . . . . . . . 363
Figure 47
TI over FCR example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Figure 48
Affected seconds for bottleneck detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Figure 49
Encryption and compression on 16 Gbps ISLs. . . . . . . . . . . . . . . . . . . . . . . . . . 394
Figure 50
EX_Ports, E_Ports, IFLs, and ISLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Figure 51
Fabric-assigned port world wide name provisioning scenarios. . . . . . . . . . . . . 427
Figure 52
Fabric with two Admin Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Figure 53
Filtered fabric views when using Admin Domains . . . . . . . . . . . . . . . . . . . . . . . 434
Figure 54
Fabric with AD0 and AD255. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Figure 55
Fabric showing switch and device WWNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Figure 56
Filtered fabric views showing converted switch WWNs . . . . . . . . . . . . . . . . . . . 441
Figure 57
AD0 and two user-defined Admin Domains, AD1 and AD2 . . . . . . . . . . . . . . . . 452
Figure 58
AD0 with three zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
Figure 59
Minimum configuration for 64 Gbps ICLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Figure 60
DCX-4S allowed ICL connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
Figure 61
ICL triangular topology with Brocade DCX 8510-8 chassis . . . . . . . . . . . . . . . . 495
Figure 62
Full nine-mesh topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Figure 63
64 Gbps ICL core-edge topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Figure 64
Setting end-to-end monitors on a port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
Figure 65
Mask positions for end-to-end monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Figure 66
Fabric mode Top Talker monitors on FC router do not monitor any flows . . . . 512
Figure 67
Fabric mode Top Talker monitors on FC router monitor flows over the E_Port 512
Figure 68
QoS traffic prioritization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
Figure 69
QoS with E_Ports enabled . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
Figure 70
Traffic prioritization in a logical fabric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
Figure 71
Trunk group configuration for the Brocade 5100 . . . . . . . . . . . . . . . . . . . . . . . 535
Figure 72
Switch in Access Gateway mode without F_Port masterless trunking . . . . . . . 544
Figure 73
Switch in Access Gateway mode with F_Port masterless trunking . . . . . . . . . . 544
Figure 74
A metaSAN with inter-fabric links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572
Figure 75
A metaSAN with edge-to-edge and backbone fabrics and LSAN zones . . . . . . 573
Figure 76
Edge SANs connected through a backbone fabric. . . . . . . . . . . . . . . . . . . . . . . 575
Fabric OS Administrator’s Guide
53-1002745-02
Figure 77
MetaSAN with imported devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576
Figure 78
Sample topology (physical topology) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
Figure 79
EX_Port phantom switch topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
Figure 80
Example of setting up Speed LSAN tag. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
Figure 81
LSAN zone binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
Figure 82
EX_Ports in a base switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
Figure 83
Logical representation of EX_Ports in a base switch . . . . . . . . . . . . . . . . . . . . . 608
Figure 84
Backbone-to-edge routing across base switch using FC router in legacy mode 609
Fabric OS Administrator’s Guide
53-1002745-02
27
28
Fabric OS Administrator’s Guide
53-1002745-02
Tables
Table 1
Daemons that are automatically restarted. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Table 2
Terminal port parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Table 3
Help topic contents. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Table 4
fabricShow fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Table 5
Core and CP blade terminology and platform support. . . . . . . . . . . . . . . . . . . . . 93
Table 6
Port blade terminology, numbering, and platform support . . . . . . . . . . . . . . . . . 94
Table 7
Blade compatibility within Brocade Backbone families . . . . . . . . . . . . . . . . . . . . 96
Table 8
Duplicate PWWN behavior: First login takes precedence over second login . . 109
Table 9
Duplicate PWWN behavior: Second login overrides first login . . . . . . . . . . . . . 110
Table 10
Duplicate PWWN behavior: Port type determines which login takes precedence 110
Table 11
Combinations of routing policy and IOD with Lossless DLS enabled . . . . . . . . 126
Table 12
Default Fabric OS roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Table 13
Permission types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Table 14
Maximum number of simultaneous sessions. . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Table 15
Default local user accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Table 16
LDAP options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Table 17
Authentication configuration options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Table 18
Syntax for VSA-based account roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Table 19
Entries in dictionary.brocade file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Table 20
Brocade custom TACACS+ attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Table 21
Secure protocol support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Table 22
Items needed to deploy secure protocols. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Table 23
Main security scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Table 24
SSL certificate files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Table 25
Blocked listener applications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Table 26
Access defaults. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Table 27
Port information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Table 28
Valid methods for specifying policy members . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Table 29
FCS policy states. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Table 30
FCS switch operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Table 31
Distribution policy states . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Table 32
DCC policy states . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Table 33
DCC policy behavior with FA-PWWN when created using lockdown support . . 205
Table 34
DCC policy behavior when created manually with PWWN . . . . . . . . . . . . . . . . . 206
Table 35
SCC policy states . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Table 36
FCAP certificate files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Fabric OS Administrator’s Guide
53-1002745-02
29
30
Table 37
Supported services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Table 38
Implicit IP Filter rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Table 39
Default IP policy rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Table 40
Interaction between fabric-wide consistency policy and distribution settings . 225
Table 41
Supported policy databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Table 42
Fabric-wide consistency policy settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Table 43
Merging fabrics with matching fabric-wide consistency policies. . . . . . . . . . . . 229
Table 44
Examples of strict fabric merges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Table 45
Fabric merges with tolerant and absent combinations . . . . . . . . . . . . . . . . . . . 230
Table 46
Algorithms and associated authentication policies . . . . . . . . . . . . . . . . . . . . . . 234
Table 47
CLI commands to display or modify switch configuration information . . . . . . . 247
Table 48
Brocade configuration and connection form . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Table 49
Backbone HA sync states. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Table 50
Blade and port types supported on logical switches . . . . . . . . . . . . . . . . . . . . . 287
Table 51
Virtual Fabrics interaction with Fabric OS features . . . . . . . . . . . . . . . . . . . . . . 288
Table 52
Maximum number of logical switches per chassis. . . . . . . . . . . . . . . . . . . . . . . 288
Table 53
Approaches to fabric-based zoning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Table 54
Considerations for zoning architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Table 55
Zone merging scenarios: Defined and effective configurations . . . . . . . . . . . . 339
Table 56
Zone merging scenarios: Different content . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Table 57
Zone merging scenarios: Different names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Table 58
Zone merging scenarios: TI zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Table 59
Zone merging scenarios: Default access mode . . . . . . . . . . . . . . . . . . . . . . . . . 341
Table 60
Zone merging scenarios: Mixed Fabric OS versions. . . . . . . . . . . . . . . . . . . . . . 342
Table 61
Traffic behavior when failover is enabled or disabled in TI zones . . . . . . . . . . 347
Table 62
Number of ports supported per chip or per trunk . . . . . . . . . . . . . . . . . . . . . . . 395
Table 63
Example ISL connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Table 64
Number of supported NPIV devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Table 65
AD user types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
Table 66
Ports and devices in CLI output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
Table 67
Admin Domain interaction with Fabric OS features . . . . . . . . . . . . . . . . . . . . . . 457
Table 68
Configuration upload and download scenarios in an AD context . . . . . . . . . . . 460
Table 69
Available Brocade licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
Table 70
License requirements and location name by feature . . . . . . . . . . . . . . . . . . . . 467
Table 71
Base to Upgrade license comparison . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
Table 72
List of available ports when implementing PODs . . . . . . . . . . . . . . . . . . . . . . . 484
Table 73
Number of logical switches that support performance monitors . . . . . . . . . . . 500
Table 74
Maximum number of frame monitors and offsets per port . . . . . . . . . . . . . . . . 506
Table 75
Predefined values at offset 0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
Table 76
Comparison between CS_CTL-based and QoS zone-based prioritization. . . . . 520
Table 77
Fabric resources assigned to QoS priority for frame prioritization in CS_CTL default
mode 521
Fabric OS Administrator’s Guide
53-1002745-02
Table 78
VCs assigned to QoS priority for frame prioritization in CS_CTL auto mode . . 521
Table 79
Trunking over long-distance for the Backbones and blades . . . . . . . . . . . . . . . 541
Table 80
F_Port masterless trunking considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546
Table 81
PWWN format for F_Port and N_Port trunk ports. . . . . . . . . . . . . . . . . . . . . . . . 548
Table 82
Fibre Channel data frames . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
Table 83
Total FC ports, ports per port group, and unreserved buffer credits per port group 563
Table 84
Configurable distances for Extended Fabrics . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
Table 85
LSAN information stored in FC routers, with and without LSAN zone binding . 600
Table 86
Zeroization behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615
Table 87
FIPS mode restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617
Table 88
FIPS and non-FIPS modes of operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618
Table 89
Active Directory keys to modify . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620
Table 90
Decimal-to-hexadecimal conversion table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 628
Fabric OS Administrator’s Guide
53-1002745-02
31
32
Fabric OS Administrator’s Guide
53-1002745-02
About This Document
In this chapter
• How this document is organized . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Supported hardware and software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• What’s new in this document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Document conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Notice to the reader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Additional information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Getting technical help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Document feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
33
34
35
36
37
38
38
40
How this document is organized
The document is divided into two sections; the first, “Standard Features,” contains the following
topics:
• Chapter 1, “Understanding Fibre Channel Services,” provides information on the Fibre Channel
services on Brocade switches.
• Chapter 2, “Performing Basic Configuration Tasks,” gives a brief overview of Fabric OS,
explains the Fabric OS CLI Help feature, and provides typical connection and configuration
procedures.
• Chapter 3, “Performing Advanced Configuration Tasks,” provides advanced connection and
configuration procedures.
• Chapter 4, “Routing Traffic,” provides information and procedures for using switch routing
features.
• Chapter 5, “Managing User Accounts,” provides information and procedures on managing
authentication and user accounts for the switch management channel.
• Chapter 6, “Configuring Protocols,” provides procedures for basic password and user account
management.
• Chapter 7, “Configuring Security Policies,” provides information and procedures for configuring
ACL policies for FC port and switch binding and managing the fabric-wide consistency policy.
• Chapter 8, “Maintaining the Switch Configuration File,” provides procedures for maintaining
and backing up your switch configurations.
• Chapter 9, “Installing and Maintaining Firmware,” provides preparations and procedures for
performing firmware downloads.
• Chapter 10, “Managing Virtual Fabrics,” describes the concepts and provides procedures for
using Virtual Fabrics.
Fabric OS Administrator’s Guide
53-1002745-02
33
• Chapter 11, “Administering Advanced Zoning,” provides procedures for use of the Brocade
Advanced Zoning feature.
• Chapter 12, “Traffic Isolation Zoning,” provides concepts and procedures for use of Traffic
Isolation Zones within a fabric.
• Chapter 13, “Bottleneck Detection,” describes how you can detect and configure alert
thresholds for latency and congestion bottlenecks in the fabric.
• Chapter 14, “In-flight Encryption and Compression,” describes concepts and provide
procedures for configuring encryption and compression on 16 Gbps ports that connect to other
switches using ISLs.
• Chapter 15, “NPIV,” provides procedures for enabling and configuring N-Port ID Virtualization
(NPIV).
• Chapter 16, “Dynamic Fabric Provisioning: Fabric-Assigned PWWN,” describes the Dynamic
Fabric Provisioning feature using the fabric-assigned port World Wide Name (FA-PWWN).
• Chapter 17, “Managing Administrative Domains,” describes the concepts and provides
procedures for using administrative domains.
The second section, “Licensed Features,” contains the following topics:
• Chapter 18, “Administering Licensing,” provides information about Brocade licenses and their
implementation on SAN switches.
• Chapter 19, “Inter-chassis Links,” describes the two different types of ICLs between Brocade
Backbones.
• Chapter 20, “Monitoring Fabric Performance,” provides procedures for use of the Brocade
Advanced Performance Monitoring licensed feature.
• Chapter 21, “Optimizing Fabric Behavior,” provides procedures for use of the Brocade Adaptive
Networking suite of tools, including Traffic Isolation, QoS Ingress Rate Limiting, and QoS
SID/DID Traffic Prioritization.
• Chapter 22, “Managing Trunking Connections,” provides procedures for use of the Brocade ISL
Trunking licensed feature.
• Chapter 23, “Managing Long-Distance Fabrics,” provides procedures for use of the Brocade
Extended Fabrics licensed feature.
• Chapter 24, “Using FC-FC Routing to Connect Fabrics,” provides information for setting up and
using the FC-FC Routing Service.
• The appendices provide special procedures or information for Fabric OS.
Supported hardware and software
In those instances in which procedures or parts of procedures documented here apply to some
switches but not to others, this guide identifies exactly which switches are supported and which are
not.
Although many different software and hardware configurations are tested and supported by
Brocade Communications Systems, Inc. for Fabric OS v7.1.0, documenting all possible
configurations and scenarios is beyond the scope of this document.
34
Fabric OS Administrator’s Guide
53-1002745-02
The following hardware platforms are supported by this release of Fabric OS:
• Fixed-port switches:
- Brocade 300 switch
- Brocade 5100 switch
- Brocade 5300 switch
- Brocade 5410 embedded switch
- Brocade 5424 embedded switch
- Brocade 5430 embedded switch
- Brocade 5450 embedded switch
- Brocade 5460 embedded switch
- Brocade 5470 embedded switch
- Brocade 5480 embedded switch
- Brocade 6505 switch
- Brocade 6510 switch
- Brocade 6520 switch
- Brocade 7800 extension switch
- Brocade 8000 FCoE switch
- Brocade VA-40FC
- Brocade Encryption Switch
• Brocade DCX Backbone family:
- Brocade DCX
- Brocade DCX-4S
• Brocade DCX 8510 Backbone family:
- Brocade DCX 8510-4
- Brocade DCX 8510-8
What’s new in this document
Information that was modified:
• Added a high-level Table of Contents.
• In “Switch and Backbone shutdown” on page 76, changed the advice about performing
graceful shutdowns from a recommendation to a “must”.
• In “Duplicate PWWN handling during device login” on page 109, added a third option for
configuring the behavior. The third option takes the port type into account when determining
which login to use.
• Added section “Supported LDAP options” on page 151.
• In “RADIUS configuration with Admin Domains or Virtual Fabrics” on page 155, added
ChassisRole to the list of accepted keys.
• In “Installing a switch certificate” on page 185, added an example of installing a certificate in
noninteractive mode.
Fabric OS Administrator’s Guide
53-1002745-02
35
• Updated the Note in “In-flight encryption and compression overview” on page 393.
• In “Encryption and compression restrictions” on page 394, clarified the restriction about the
number of ports supported.
• Corrected the “Example of enabling encryption and compression on an E_Port” on page 407
so that you activate authentication after setting up the DH-CHAP secret.
• In “Frame monitoring” on page 505, added information about static offsets.
• In “License requirements for trunking” on page 535, removed the note that said the Brocade
6520 did not require a Trunking license. The Brocade 6520 does require the Trunking license.
• In “Buffer credit recovery over an E_Port” on page 566, clarified that for an ISL between a
device that supports 16 Gbps and a device that supports only 8 Gbps, buffer credit recovery is
disabled.
Document conventions
This section describes text formatting conventions and important notice formats used in this
document.
Text formatting
The narrative-text formatting conventions that are used are as follows:
bold text
Identifies command names
Identifies the names of user-manipulated GUI elements
Identifies keywords and operands
Identifies text to enter at the GUI or CLI
italic text
Provides emphasis
Identifies variables
Identifies paths and Internet addresses
Identifies document titles
code text
Identifies CLI output
Identifies command syntax examples
For readability, command names in the narrative portions of this guide are presented in mixed
lettercase: for example, switchShow. In actual examples, command lettercase is often all
lowercase. Otherwise, this manual specifically notes those cases in which a command is case
sensitive.
Command syntax conventions
Command syntax in this manual follows these conventions:
36
command
Commands are printed in bold.
--option, option
Command options are printed in bold.
-argument, arg
Arguments.
[]
Optional element.
Fabric OS Administrator’s Guide
53-1002745-02
variable
Variables are printed in italics. In the help pages, values are underlined or
enclosed in angled brackets < >.
...
Repeat the previous element, for example “member[;member...]”
value
Fixed values following arguments are printed in plain font. For example,
--show WWN
|
Boolean. Elements are exclusive. Example: --show -mode egress | ingress
Notes, cautions, and warnings
The following notices and statements are used in this manual. They are listed below in order of
increasing severity of potential hazards.
NOTE
A note provides a tip, guidance or advice, emphasizes important information, or provides a reference
to related information.
ATTENTION
An Attention statement indicates potential damage to hardware or data.
CAUTION
A Caution statement alerts you to situations that can be potentially hazardous to you or cause
damage to hardware, firmware, software, or data.
DANGER
A Danger statement indicates conditions or situations that can be potentially lethal or extremely
hazardous to you. Safety labels are also attached directly to products to warn of these conditions
or situations.
Key terms
For definitions specific to Brocade and Fibre Channel, see the Brocade Glossary.
For definitions of SAN-specific terms, visit the Storage Networking Industry Association online
dictionary at:
http://www.snia.org/education/dictionary
Notice to the reader
This document may contain references to the trademarks of the following corporations. These
trademarks are the properties of their respective companies and corporations.
These references are made for informational purposes only.
Fabric OS Administrator’s Guide
53-1002745-02
37
Corporation
Referenced Trademarks and Products
Microsoft Corporation
Windows, Windows NT, Internet Explorer
Mozilla Corporation
Mozilla, Firefox
Netscape Communications Corporation
Netscape
Red Hat, Inc.
Red Hat, Red Hat Network, Maximum RPM, Linux Undercover
Sun Microsystems, Inc.
Sun, Solaris
Additional information
This section lists additional Brocade and industry-specific documentation that you might find
helpful.
Brocade resources
To get up-to-the-minute information, go to http://my.brocade.com and register at no cost for a user
ID and password.
For practical discussions about SAN design, implementation, and maintenance, you can obtain
Building SANs with Brocade Fabric Switches through:
http://www.amazon.com
For additional Brocade documentation, visit the Brocade SAN Info Center and click the Resource
Library location:
http://www.brocade.com
Release notes are available on the My Brocade website and are also bundled with the Fabric OS
firmware.
Other industry resources
For additional resource information, visit the Technical Committee T11 website. This website
provides interface standards for high-performance and mass storage applications for Fibre
Channel, storage management, and other applications:
http://www.t11.org
For information about the Fibre Channel industry, visit the Fibre Channel Industry Association
website:
http://www.fibrechannel.org
Getting technical help
Contact your switch support supplier for hardware, firmware, and software support, including
product repairs and part ordering. To expedite your call, have the following information available:
38
Fabric OS Administrator’s Guide
53-1002745-02
1. General Information
•
•
•
•
•
Switch model
Switch operating system version
Error numbers and messages received
supportSave command output
Detailed description of the problem, including the switch or fabric behavior immediately
following the problem, and specific questions
• Description of any troubleshooting steps already performed and the results
• Serial console and Telnet session logs
• syslog message logs
2. switch serial number
The switch serial number and corresponding bar code are provided on the serial number label,
as illustrated below.:
'"!&'
FT00X0054E9
The serial number label is located as follows:
• Brocade 5424 — On the bottom of the switch module.
• Brocade 300, 5100, and 5300 — On the switch ID pull-out tab located on the bottom of
the port side of the switch.
• Brocade 6510, and 6520 — On the switch ID pull-out tab located inside the chassis on the
port side on the left.
• Brocade 7800 and 8000 — On the bottom of the chassis.
• Brocade DCX-4S and DCX 8510-4 — On the nonport side of the chassis, on the lower left
side.
• Brocade DCX and DCX 8510-8 — On the port side of the chassis, on the lower right side
and directly above the cable management comb.
3. World Wide Name (WWN)
Use the wwn command to display the switch WWN.
If you cannot use the wwn command because the switch is inoperable, you can get the WWN
from the same place as the serial number, except for the Brocade DCX enterprise class
platform. For the Brocade DCX enterprise class platform, access the numbers on the WWN
cards by removing the Brocade logo plate at the top of the nonport side of the chassis.
For the Brocade 5424 embedded switch: Provide the license ID. Use the licenseIdShow
command to display the WWN.
Fabric OS Administrator’s Guide
53-1002745-02
39
Document feedback
Quality is our first concern at Brocade and we have made every effort to ensure the accuracy and
completeness of this document. However, if you find an error or an omission, or you think that a
topic needs further development, we want to hear from you. Forward your feedback to:
documentation@brocade.com
Provide the title and version number of the document and as much detail as possible about your
comment, including the topic heading and page number and your suggestions for improvement.
40
Fabric OS Administrator’s Guide
53-1002745-02
Section
Standard Features
I
This section describes standard Fabric OS features, and includes the following chapters:
• Chapter 1, “Understanding Fibre Channel Services”
• Chapter 2, “Performing Basic Configuration Tasks”
• Chapter 3, “Performing Advanced Configuration Tasks”
• Chapter 4, “Routing Traffic”
• Chapter 5, “Managing User Accounts”
• Chapter 6, “Configuring Protocols”
• Chapter 7, “Configuring Security Policies”
• Chapter 8, “Maintaining the Switch Configuration File”
• Chapter 9, “Installing and Maintaining Firmware”
• Chapter 10, “Managing Virtual Fabrics”
• Chapter 11, “Administering Advanced Zoning”
• Chapter 12, “Traffic Isolation Zoning”
• Chapter 13, “Bottleneck Detection”
• Chapter 14, “In-flight Encryption and Compression”
• Chapter 15, “NPIV”
• Chapter 16, “Dynamic Fabric Provisioning: Fabric-Assigned PWWN”
• Chapter 17, “Managing Administrative Domains”
Fabric OS Administrator’s Guide
53-1002745-02
41
42
Fabric OS Administrator’s Guide
53-1002745-02
Chapter
1
Understanding Fibre Channel Services
In this chapter
• Fibre Channel services overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Management server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Platform services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Management server database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Topology discovery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Device login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• High availability of daemon processes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
43
44
44
45
49
51
53
Fibre Channel services overview
Fibre Channel services define service functions that reside at well-know addresses, as illustrated in
Figure 1. A well-known address is a reserved three-byte address for each service. Services are
provided to either nodes or management applications in the fabric.
FIGURE 1
Well-known addresses
Fabric Login — The Fabric Login server assigns a fabric address to a fabric node, which allows it to
communicate with services on the switch or other nodes in the fabric. The fabric address is a 24-bit
address (0x000000) containing three 3-byte nodes. Reading from left to right, the first node
(0x000000) represents the domain ID, the second node (0x000000) the port area number of the
port where the node is attached, and the third node (0x000000) the arbitrated loop physical
address (AL_PA), if applicable.
Directory server — The directory server or name server registers fabric and public nodes and
conducts queries to discover other devices in the fabric.
Fabric controller — The fabric controller provides State Change Notifications (SCNs) to registered
nodes when a change in the fabric topology occurs.
Time server — The time server sends the time to the member switches in the fabric from either the
principal switch or, if configured, the primary fabric configuration server (FCS) switch.
Refer to Chapter 7, “Configuring Security Policies,” for additional information on FCS policies.
Fabric OS Administrator’s Guide
53-1002745-02
43
1
Management server
Management server — The management server provides a single point for managing the fabric.
This is the only service that users can configure. See “Management server” below for more details
Alias server — The alias server keeps a group of nodes registered as one name to handle multicast
groups.
Broadcast server — The broadcast server is optional. When frames are transmitted to this address,
they are broadcast to all operational N_ and NL_Ports.
When registration and query frames are sent to a well-known address, a different protocol service,
Fibre Channel Common Transport (FC-CT), is used. This protocol provides a simple, consistent
format and behavior when a service provider is accessed for registration and query purposes.
Management server
The Brocade Fabric OS management server (MS) allows a SAN management application to retrieve
information and administer interconnected switches, servers, and storage devices. The
management server assists in the autodiscovery of switch-based fabrics and their associated
topologies.
A client of the management server can find basic information about the switches in the fabric and
use this information to construct topology relationships. The management server also allows you to
obtain certain switch attributes and, in some cases, modify them. For example, logical names
identifying switches can be registered with the management server.
The management server provides several advantages for managing a Fibre Channel fabric:
• It is accessed by an external Fibre Channel node at the well-known address FFFFFAh, so an
application can access information about the entire fabric management with minimal
knowledge of the existing configuration.
• It is replicated on every Brocade switch within a fabric.
• It provides an unzoned view of the overall fabric configuration. This fabric topology view
exposes the internal configuration of a fabric for management purposes; it contains
interconnect information about switches and devices connected to the fabric. Under normal
circumstances, a device (typically an FCP initiator) queries the name server for storage devices
within its member zones. Because this limited view is not always sufficient, the management
server provides the application with a list of the entire name server database.
Platform services
By default, all management services except platform services are enabled; the MS platform service
and topology discovery are disabled.
You can activate and deactivate the platform services throughout the fabric. Activating the platform
services attempts to activate the MS platform service for each switch in the fabric. The change
takes effect immediately and is committed to the configuration database of each affected switch.
MS activation is persistent across power cycles and reboots.
NOTE
The commands msplMgmtActivate and msplMgmtDeactivate are allowed only in AD0 and AD255.
44
Fabric OS Administrator’s Guide
53-1002745-02
Management server database
1
Platform services and Virtual Fabrics
Each logical switch has a separate platform database. All platform registrations done to a logical
switch are valid only in that particular logical switch’s Virtual Fabric.
Activating the platform services on a switch activates the platform services on all logical switches in
a Virtual Fabric. Similarly, deactivating the platform services deactivates the platform service on all
logical switches in a Virtual Fabric. The msPlatShow command displays all platforms registered in a
Virtual Fabric.
Enabling platform services
When FCS policy is enabled, the msplMgmtActivate command can be issued only from the primary
FCS switch.
The execution of the msplMgmtActivate command is subject to Admin Domain restrictions that may
be in place.
Use the following procedure to enable platform services:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the msCapabilityShow command to verify that all switches in the fabric support the MS
platform service; otherwise, the next step fails.
3. Enter the msplMgmtActivate command, as in the following example.
switch:admin> msplmgmtactivate
Request to activate MS Platform Service in progress......
*Completed activating MS Platform Service in the fabric!
Disabling platform services
Use the following procedure to disable platform services:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the msplMgmtDeactivate command.
3. Enter y to confirm the deactivation, as in the following example.
switch:admin> msplmgmtdeactivate
MS Platform Service is currently enabled.
This will erase MS Platform Service configuration
information as well as database in the entire fabric.
Would you like to continue this operation? (yes, y, no, n): [no] y
Request to deactivate MS Platform Service in progress......
*Completed deactivating MS Platform Service in the fabric!
Management server database
You can control access to the management server database.
An access control list (ACL) of WWN addresses determines which systems have access to the
management server database. The ACL typically contains those WWNs of host systems that are
running management applications.
Fabric OS Administrator’s Guide
53-1002745-02
45
1
Management server database
If the list is empty (the default), the management server is accessible to all systems connected
in-band to the fabric. For more access security, you can specify WWNs in the ACL so that access to
the management server is restricted to only those WWNs listed.
NOTE
The management server is logical switch-capable. All management server features are supported
within a logical switch.
Displaying the management server ACL
Use the following procedure to display the management server ACL:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the msConfigure command.
The command becomes interactive.
3. At the “select” prompt, enter 1 to display the access list.
A list of WWNs that have access to the management server is displayed.
Example of an empty access list
switch:admin> msconfigure
0
Done
1
Display the access list
2
Add member based on its Port/Node WWN
3
Delete member based on its Port/Node WWN
select : (0..3) [1] 1
MS Access list is empty.
0
Done
1
Display the access list
2
Add member based on its Port/Node WWN
3
Delete member based on its Port/Node WWN
select : (0..3) [1] 0
done ...
Adding a member to the ACL
Use the following procedure to add a member to the ACL:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the msConfigure command.
The command becomes interactive.
3. At the “select” prompt, enter 2 to add a member based on its port/node WWN.
4. At the “Port/Node WWN” prompt, enter the WWN of the host to be added to the ACL.
5. At the “select” prompt, enter 1 to display the access list so you can verify that the WWN you
entered was added to the ACL.
6. After verifying that the WWN was added correctly, enter 0 at the prompt to end the session.
7.
At the “Update the FLASH?” prompt, enter y.
8. Press Enter to update the nonvolatile memory and end the session.
46
Fabric OS Administrator’s Guide
53-1002745-02
Management server database
1
Example of adding a member to the management server ACL
switch:admin> msconfigure
0
Done
1
Display the access list
2
Add member based on its Port/Node WWN
3
Delete member based on its Port/Node WWN
select : (0..3) [1] 2
Port/Node WWN (in hex): [00:00:00:00:00:00:00:00] 20:00:00:20:37:65:ce:aa
*WWN is successfully added to the MS ACL.
0
Done
1
Display the access list
2
Add member based on its Port/Node WWN
3
Delete member based on its Port/Node WWN
select : (0..3) [2] 1
MS Access List consists of (14): {
20:00:00:20:37:65:ce:aa
20:00:00:20:37:65:ce:bb
20:00:00:20:37:65:ce:ff
20:00:00:20:37:65:ce:11
20:00:00:20:37:65:ce:22
20:00:00:20:37:65:ce:33
20:00:00:20:37:65:ce:44
10:00:00:60:69:04:11:24
10:00:00:60:69:04:11:23
21:00:00:e0:8b:04:70:3b
10:00:00:60:69:04:11:33
20:00:00:20:37:65:ce:55
20:00:00:20:37:65:ce:66
00:00:00:00:00:00:00:00
}
0
Done
1
Display the access list
2
Add member based on its Port/Node WWN
3
Delete member based on its Port/Node WWN
select : (0..3) [1] 0
done ...
Update the FLASH? (yes, y, no, n): [yes] y
*Successfully saved the MS ACL to the flash.
Deleting a member from the ACL
When you delete a member from the ACL, that member no longer has access to the management
server.
NOTE
If you delete the last member of the ACL, leaving the ACL list is empty, then the management server
will be accessible to all systems connected in-band to the fabric.
Use the following procedure to delete a member from the ACL:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the msConfigure command.
The command becomes interactive.
3. At the “select” prompt, enter 3 to delete a member based on its port/node WWN.
4. At the “Port/Node WWN” prompt, enter the WWN of the member to be deleted from the ACL.
Fabric OS Administrator’s Guide
53-1002745-02
47
1
Management server database
5. At the “select” prompt, enter 1 to display the access list so you can verify that the WWN you
entered was deleted from the ACL.
6. After verifying that the WWN was deleted correctly, enter 0 at the “select” prompt to end the
session.
7.
At the “Update the FLASH?” prompt, enter y.
8. Press Enter to update the nonvolatile memory and end the session.
Example of deleting a member from the management server ACL
switch:admin> msconfigure
0
Done
1
Display the access list
2
Add member based on its Port/Node WWN
3
Delete member based on its Port/Node WWN
select : (0..3) [1] 3
Port/Node WWN (in hex): [00:00:00:00:00:00:00:00] 10:00:00:00:c9:29:b3:84
*WWN is successfully deleted from the MS ACL.
0
Done
1
Display the access list
2
Add member based on its Port/Node WWN
3
Delete member based on its Port/Node WWN
select : (0..3) [3] 1
MS Access list is empty
0
Done
1
Display the access list
2
Add member based on its Port/Node WWN
3
Delete member based on its Port/Node WWN
select : (0..3) [1] 0
Viewing the contents of the management server database
Use the following procedure to view the contents of the management server database:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the msPlatShow command.
Example of viewing the contents of the management server platform database
switch:admin> msplatshow
----------------------------------------------------------Platform Name: [9] "first obj"
Platform Type: 5 : GATEWAY
Number of Associated M.A.: 1
[35] "http://java.sun.com/products/plugin"
Number of Associated Node Names: 1
Associated Node Names:
10:00:00:60:69:20:15:71
----------------------------------------------------------Platform Name: [10] "second obj"
Platform Type: 7 : HOST_BUS_ADAPTER
Number of Associated M.A.: 1
Associated Management Addresses:
[30] "http://java.sun.com/products/1"
48
Fabric OS Administrator’s Guide
53-1002745-02
Topology discovery
1
Number of Associated Node Names: 1
Associated Node Names:
10:00:00:60:69:20:15:75
Clearing the management server database
Use the following procedure to clear the management server database:
NOTE
The command msPlClearDB is allowed only in AD0 and AD255.
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the msplClearDb command.
3. Enter y to confirm the deletion.
The management server platform database is cleared.
Topology discovery
The topology discovery feature can be displayed, enabled, and disabled; it is disabled by default.
The commands mstdEnable and mstdDisable are allowed only in AD0 and AD255.
Displaying topology discovery status
Use the following procedure to display the status of the topology discovery:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the mstdReadConfig command.
switch:admin> mstdreadconfig
*MS Topology Discovery is Enabled.
Enabling topology discovery
Use the following procedure to enable topology discovery:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the appropriate following command based on how you want to enable discovery:
• For the local switch, enter the mstdEnable command.
• For the entire fabric, enter the mstdEnable all command.
Example of enabling discovery
switch:admin> mstdenable
Request to enable MS Topology Discovery Service in progress....
*MS Topology Discovery enabled locally.
switch:admin> mstdenable ALL
Request to enable MS Topology Discovery Service in progress....
Fabric OS Administrator’s Guide
53-1002745-02
49
1
Topology discovery
*MS Topology Discovery enabled locally.
*MS Topology Discovery Enable Operation Complete!!
Disabling topology discovery
Use the following procedure to disable topology discovery:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the appropriate following command based on how you want to disable discovery:
• For the local switch, enter the mstdDisable command.
• For the entire fabric, enter the mstdDisable all command.
A warning displays stating that all NID entries might be cleared.
3. Enter y to disable the Topology Discovery feature.
NOTE
Topology discovery is disabled by default.
ATTENTION
Disabling discovery of management server topology might erase all node ID entries.
If Admin Domains are enabled, you must be in the AD0 or AD255 context. Refer to Chapter 17,
“Managing Administrative Domains,” for additional information.
Example of disabling discovery
switch:admin> mstddisable
This may erase all NID entries. Are you sure?
(yes, y, no, n): [no] y
Request to disable MS Topology Discovery Service in progress....
*MS Topology Discovery disabled locally.
switch:admin> mstddisable all
This may erase all NID entries. Are you sure?
(yes, y, no, n): [no] y
Request to disable MS Topology Discovery Service in progress....
*MS Topology Discovery disabled locally.
*MS Topology Discovery Disable Operation Complete!!
50
Fabric OS Administrator’s Guide
53-1002745-02
Device login
1
Device login
A device can be storage, a host, or a switch. When new devices are introduced into the fabric, they
must be powered on and, if a host or storage device, connected to a switch. Switch-to-switch logins
(using the E_Port) are handled differently than storage and host logins. E_Ports exchange different
frames than the ones listed below with the Fabric Controller to access the fabric. Once storage and
host devices are powered on and connected, the following logins occur:
1. FLOGI—Fabric Login command establishes a 24-bit address for the device logging in, and
establishes buffer-to-buffer credits and the class of service supported.
2. PLOGI—Port Login command logs the device into the name server to register its information
and query for devices that share its zone. During the PLOGI process, information is exchanged
between the new device and the fabric. Some of the following types of information exchanges
occur:
• SCR—State Change Registration registers the device for State Change Notifications. If a
change in the fabric occurs, such as a zoning change or a change in the state of a device
to which this device has access, the device receives a Registered State Change
Notification (RSCN).
• Registration—A device exchanges registration information with the name server.
• Query—Devices query the name server for information about the device it can access.
Principal switch
In a fabric with multiple switches, and one inter-switch link (ISL) exists between any two switches, a
principal switch is automatically elected. The principal switch provides the following capabilities:
• Maintains time for the entire fabric. Subordinate switches synchronize their time with the
principal switch. Changes to the clock server value on the principal switch are propagated to all
switches in the fabric.
• Manages domain ID assignment within the fabric. If a switch requests a domain ID that has
been used before, the principal switch grants the same domain ID unless it is in use by another
switch.
E_Port login process
An E_Port does not use a FLOGI to log in to another switch. Instead, the new switch exchanges
frames with the principal switch to establish that the new switch is an E_Port and that it has
information to exchange. If everything is acceptable to the principal switch, it replies to the new
switch with an SW_ACC (accept) frame. The initializing frame is an Exchange Link Parameters (ELP)
frame that allows an exchange of parameters between two ports, such as flow control,
buffer-to-buffer credits, RA_TOV, and ED_TOV. This is not a negotiation. If one or the other port’s link
parameters do not match, a link does not occur. Once an SW_ACC frame is received from the
principal switch, the new switch sends an Exchange Switch Capabilities (ESC) frame. The two
switches exchange routing protocols and agree on a common routing protocol. An SW_ACC frame is
received from the principal switch and the new switch sends an Exchange Fabric Parameters (EFP)
frame to the principal switch, requesting principal switch priority and the domain ID list.
Buffer-to-buffer credits for the device and switch ports are exchanged in the SW_ACC command
sent to the device in response to the FLOGI.
Fabric OS Administrator’s Guide
53-1002745-02
51
1
Device login
Fabric login process
A device performs a fabric login (FLOGI) to determine if a fabric is present. If a fabric is detected
then it exchanges service parameters with the fabric controller. A successful FLOGI sends back the
24-bit address for the device in the fabric. The device must issue and successfully complete a
FLOGI command before communicating with other devices in the fabric.
Because the device does not know its 24-bit address until after the FLOGI, the source ID (SID) in
the frame header of the FLOGI request are zeros (0x000000).
Port login process
The steps in the port initialization process occur as the result of a protocol that functions to
discover the type of device connected and establish the port type and negotiate port speed. See
“Port Types” on page 84 for a discussion of available port types.
The Fibre Channel protocol (FCP) auto discovery process enables private storage devices that
accept the process login (PRLI) to communicate in a fabric.
If device probing is enabled, the embedded port performs a PLOGI and attempts a PRLI into the
device to retrieve information to enter into the name server. This enables private devices that do
not perform a FLOGI, but accept a PRLI, to be entered in the name server and receive full fabric
access.
A fabric-capable device registers its information with the name server during a FLOGI. These
devices typically register information with the name server before querying for a device list. The
embedded port still performs a PLOGI and attempts a PRLI with these devices.
If a port decides to end the current session, it initiates a logout. A logout concludes the session and
terminates any work in progress associated with that session.
To display the contents of a switch’s name server, use the nsShow or nsAllShow command.
For more information about these commands, refer to the Fabric OS Command Reference.
RSCNs
A Registered State Change Notification (RSCN) is a notification frame that is sent to devices that
are zoned together and are registered to receive a State Change Notification (SCN). The RSCN is
responsible for notifying all devices of fabric changes. The following general list of actions can
cause an RSCN to be sent through your fabric:
•
•
•
•
•
A new device has been added to the fabric.
An existing device has been removed from the fabric.
A zone has changed.
A switch name has changed or an IP address has changed.
Nodes leaving or joining the fabric, such as zoning, powering on or shutting down a device, or
zoning changes.
NOTE
Fabric reconfigurations with no domain change do not cause an RSCN.
52
Fabric OS Administrator’s Guide
53-1002745-02
High availability of daemon processes
1
Duplicate Port World Wide Name
According to Fibre Channel standards, the Port World Wide Name (PWWN) of a device cannot
overlap with that of another device, thus having duplicate PWWNs within the same fabric is an
illegal configuration.
If a PWWN conflict occurs with two devices attached to the same domain, Fabric OS handles device
login in such a way that only one device may be logged in to the fabric at a time. For more
information, refer to “Duplicate PWWN handling during device login” on page 109.
If a PWWN conflict occurs and two duplicate devices are attached to the fabric through different
domains, the devices are removed from the Name Server database and a RASlog is generated.
Device recovery
To recover devices that have been removed from the Name Server database due to duplicate
PWWNs, the devices must re-login to the fabric. This is true for any device—for example, a device on
an F_Port, NPIV devices, or devices attached to a switch in Access Gateway mode.
High availability of daemon processes
Starting non-critical daemons is automatic; you cannot configure the startup process. The following
sequence of events occurs when a non-critical daemon fails:
1. A RASlog and AUDIT event message are logged.
2. The daemon is automatically started again.
3. If the restart is successful, then another message is sent to RASlog and AUDIT reporting the
successful restart status.
4. If the restart fails, another message is sent to RASlog and no further attempts are made to
restart the daemon.
Schedule downtime and reboot the switch at your convenience. Table 1 lists the daemons that are
considered non-critical and are automatically restarted on failure.
TABLE 1
Daemons that are automatically restarted
Daemon
Description
arrd
Asynchronous Response Router, which is used to send management data to hosts when the switch is
accessed through the APIs (FA API or SMI-S).
cald
Common Access Layer daemon, which is used by manageability applications.
raslogd
Reliability, Availability, and Supportability daemon logs error detection, reporting, handling, and
presentation of data into a format readable by you and management tools.
rpcd
Remote Procedure Call daemon, which is used by the API (Fabric Access API and SMI-S).
snmpd
Simple Network Management Protocol daemon.
traced
Trace daemon provides trace entry date and time translation to Trace Device at startup and when
date/time changed by command. Maintains the trace dump trigger parameters in a Trace Device.
Performs the trace Background Dump, trace automatic FTP, and FTP “aliveness check” if auto-FTP is
enabled.
trafd
Traffic daemon implements Bottleneck detection.
Fabric OS Administrator’s Guide
53-1002745-02
53
1
High availability of daemon processes
TABLE 1
54
Daemons that are automatically restarted (Continued)
Daemon
Description
webd
Webserver daemon used for WebTools (includes httpd as well).
weblinkerd
Weblinker daemon provides an HTTP interface to manageability applications for switch management
and fabric discovery.
Fabric OS Administrator’s Guide
53-1002745-02
Chapter
2
Performing Basic Configuration Tasks
In this chapter
• Fabric OS overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Fabric OS command line interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Password modification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• The switch Ethernet interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Date and time settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Domain IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Switch names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Chassis names. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Fabric name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Switch activation and deactivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Switch and Backbone shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Basic connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
55
56
61
62
69
72
74
75
75
76
76
78
Fabric OS overview
This chapter describes how to configure your Brocade SAN using the Fabric OS command line
interface (CLI). Before you can configure a storage area network (SAN), you must power up the
Backbone platform or switch and blades, and then set the IP addresses of those devices. Although
this chapter focuses on configuring a SAN using the CLI, you can also use the following methods to
configure a SAN:
• Web Tools
For Web Tools procedures, refer to Web Tools Administrator’s Guide.
• Brocade Network Advisor
For additional information, refer to the Brocade Network Advisor User Manual for the version
you have.
• A third-party application using the API
For third-party application procedures, refer to the third-party API documentation.
Because of the differences between fixed-port and variable-port devices, procedures sometimes
differ among Brocade models. As new Brocade models are introduced, new features sometimes
apply only to those models.
When procedures or parts of procedures apply to some models but not others, this guide identifies
the specifics for each model. For example, a number of procedures that apply only to variable-port
devices are found in Chapter 3, “Performing Advanced Configuration Tasks”.
Fabric OS Administrator’s Guide
53-1002745-02
55
2
Fabric OS command line interface
Although many different software and hardware configurations are tested and supported by
Brocade Communications Systems, Inc., documenting all possible configurations and scenarios is
beyond the scope of this document. In some cases, earlier releases are highlighted to present
considerations for interoperating with them.
The hardware reference manuals for Brocade products describe how to power up devices and set
their IP addresses. After the IP address is set, you can use the CLI procedures contained in this
guide. For additional information about the commands used in the procedures, refer to the Fabric
OS Command Reference.
Fabric OS command line interface
Fabric OS uses Role-Based Access Control (RBAC) to control access to all Fabric OS operations.
Each feature is associated with an RBAC role and you need to know which role is allowed to run a
command, make modifications to the switch, or view the output of the command. To determine
which RBAC role you need to run a command, review the section “Role-Based Access Control” on
page 134.
Notes
• Commands are shown and can be entered either in all lower case or using Java-style
capitalization. This means that while bannershow and bannerShow will both work,
BANNERSHOW and BannerShow will not.
• When command examples in this guide show user input enclosed in quotation marks, the
quotation marks are required. Example: zonecreate "zonename" requires that the value for
zonename be in quotation marks.
Console sessions using the serial port
Be aware of the following behaviors for serial connections:
• Some procedures require that you connect through the serial port; for example, setting the IP
address or setting the boot PROM password.
• Brocade DCX and DCX 8510 Backbone families: You can connect to CP0 or CP1 using either of
the two serial ports.
Connecting to Fabric OS through the serial port
Use the following procedure to connect to the Fabric OS using the serial port:
1. Connect the serial cable to the serial port on the switch and to an RS-232 serial port on
the workstation.
If the serial port on the workstation is an RJ-45 port, instead of RS-232, remove the adapter on
the end of the serial cable and insert the exposed RJ-45 connector into the RJ-45 serial port on
the workstation.
2. Open a terminal emulator application (such as HyperTerminal on a PC, TERM, TIP, or Kermit in
a UNIX environment), and configure the application as follows:
56
Fabric OS Administrator’s Guide
53-1002745-02
Fabric OS command line interface
2
• In a Windows environment enter the following parameters:
TABLE 2
Terminal port parameters
Parameter
Value
Bits per second
9600
Databits
8
Parity
None
Stop bits
1
Flow control
None
• In a UNIX environment, enter the following string at the prompt:
tip /dev/ttyb -9600
If ttyb is already in use, use ttya instead and enter the following string at the prompt:
tip /dev/ttya -9600
Telnet or SSH sessions
You can connect to the Fabric OS through a Telnet or SSH connection or by using a console session
on the serial port. The switch must also be physically connected to the network. If the switch
network interface is not configured or the switch has been disconnected from the network, use a
console session on the serial port as described in “Console sessions using the serial port” on
page 56.
NOTE
To automatically configure the network interface on a DHCP-enabled switch, plug the switch into the
network and power it on. The DHCP client automatically gets the IP and gateway addresses from the
DHCP server. The DHCP server must be on the same subnet as the switch. Refer to “DHCP
activation” on page 66.
Rules for Telnet connections
The following rules must be observed when making Telnet connections to your switch:
• Never change the IP address of the switch while two Telnet sessions are active; if you do, your
next attempt to log in fails. To recover, gain access to the switch by one of these methods:
-
You can use Web Tools to perform a fast boot. When the switch comes up, the Telnet quota
is cleared. (For instructions on performing a fast boot with Web Tools, see the Web Tools
Administrator’s Guide.)
-
If you have the required privileges, you can connect through the serial port, log in as
admin, and use the killTelnet command to identify and kill the Telnet processes without
disrupting the fabric.
• For accounts with an admin role, Fabric OS limits the number of simultaneous Telnet sessions
per switch to two. For more details on session limits, refer to Chapter 5, “Managing User
Accounts”.
Fabric OS Administrator’s Guide
53-1002745-02
57
2
Fabric OS command line interface
Connecting to Fabric OS using Telnet
Use the following procedure to connect to the Fabric OS using Telnet:
1. Connect through a serial port to the switch that is appropriate for your fabric:
• If Virtual Fabrics is enabled, log in using an admin account assigned the chassis-role
permission.
• If Virtual Fabrics is not enabled, log in using an account assigned to the admin role.
2. Verify the switch’s network interface is configured and that it is connected to the IP network
through the RJ-45 Ethernet port.
Switches in the fabric that are not connected through the Ethernet port can be managed
through switches that are using IP over Fibre Channel. The embedded port must have an
assigned IP address.
3. Log off the switch’s serial port.
4. From a management station, open a Telnet connection using the IP address of the switch to
which you want to connect.
The login prompt is displayed when the Telnet connection finds the switch in the network.
5. Enter the account ID at the login prompt.
6. Enter the password.
If you have not changed the system passwords from the default, you are prompted to change
them. Enter the new system passwords, or press Ctrl+C to skip the password prompts. For
more information on system passwords, refer to “Default account passwords” on page 61.
7.
Verify the login was successful.
The prompt displays the switch name and user ID to which you are connected.
login: admin
password: xxxxxxx
Getting help on a command
You can display a list of all command help topics for a given login level. For example, if you log in as
user and enter the help command, a list of all user-level commands that can be executed is
displayed. The same rule applies to the admin, securityAdmin, and the switchAdmin roles.
Use the following procedure to get help on a command:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the help [|more] command with no specific command and all commands are displayed.
The optional |more argument displays the commands one page at a time.
For command-specific information, you can enter help command |more, where command is
the name of the command for which you need specific information.
58
Fabric OS Administrator’s Guide
53-1002745-02
Fabric OS command line interface
2
The commands in the following table provides help files for the indicated specific topics.
TABLE 3
Help topic contents
Topic name
Help contents description
diagHelp
Diagnostic help information
ficonHelp
FICON help information
fwHelp
Fabric Watch help information
iscsiHelp
iSCSI help information
licenseHelp
License help information
perfHelp
Performance Monitoring help information
routeHelp
Routing help information
trackChangesHelp
Track Changes help information
zoneHelp
Zoning help information
Viewing a history of command line entries
The CLI command history log file saves the last 512 commands from all users on a FIFO basis, and
this log is persistent across reboots and firmware downloads. This command is also supported for
standby CPs.
The log records the following information whenever a command ins entered in the switch CLI:
•
•
•
•
•
Timestamp
Username
IP address of the telnet session
Options
Arguments
Use the following procedure to view the CLI command log:
1. Connect to the switch and log in.
2. Enter the cliHistory command with the desired argument (see below for arguments).
Entering no specific argument displays only the command line history of the currently logged-in
user.
cliHistory
Entering the cliHistory command with no arguments displays the command line history for the
currently logged-in user only (even for the root user).
Example cliHistory command output from root login
switch:root> clihistory
CLI history
Date & Time
Thu Sep 27 04:58:00 2012
Thu Sep 27 04:58:19 2012
Thu Sep 27 05:25:45 2012
switch:root>
Fabric OS Administrator’s Guide
53-1002745-02
Message
root, 10.70.12.101, firmwareshow -v
root, 10.70.12.101, telnet 127.1.10.1
root, 10.70.12.101, ipaddrshow]
59
2
Fabric OS command line interface
Example cliHistory command output from admin login
switch:admin> clihistory
CLI history
Date & Time
Thu Sep 27 10:14:41 2012
Thu Sep 27 10:14:48 2012
switch:admin>
Message
admin, 10.70.12.101, clihistory
admin, 10.70.12.101, clihistory --show
cliHistory --show
Using the “--show” argument displays the same results as entering “cliHistory” without any
arguments.
cliHistory --showuser <username>
Using the “--showuser <username>” argument displays the command line history of the named
user. This argument is available only to Root, Admin, Factory and Securityadmin RBAC roles.
Example cliHistory command output showing username
switch:root> clihistory --showuser admin
CLI history
Date & Time
Message
Thu Sep 27 10:14:41 2012
admin, 10.70.12.101, clihistory
Thu Sep 27 10:14:48 2012
admin, 10.70.12.101, clihistory --show
Thu Sep 27 10:15:00 2012
admin, 10.70.12.101, clihistory
swd77:root>
cliHistory --showall
Using the “--showall” argument displays the command line history for all users. With this option,
admin/factory/securityadmin users can see the root user command history.
This argument is available only to Root, Admin, Factory and Securityadmin RBAC roles.
Example cliHistory showing history of all users
swd77:admin> clihistory --showall
CLI history
Date & Time
Message
Thu Sep 27 04:58:00 2012
root, 10.70.12.101,
Thu Sep 27 04:58:19 2012
root, 10.70.12.101,
Thu Sep 27 05:25:45 2012
root, 10.70.12.101,
Thu Sep 27 05:25:48 2012
root, 10.70.12.101,
swd77:admin>
firmwareshow -v
telnet 127.1.10.1
ipaddrshow]
ipaddrshow
cliHistory - -help
Using the “-- help” argument displays a list of the available command arguments.
swd77:admin> clihistory --help
clihistory usage:
clihistory:
Displays the CLI History of the
clihistory --show:
Displays the CLI History of the
clihistory --showuser <username>:
Displays the CLI History of the
clihistory --showall:
Displays the CLI History of all
clihistory --help:
Displays the command usage
60
current user
current user
given user
users
Fabric OS Administrator’s Guide
53-1002745-02
Password modification
2
Notes:
• SSH login CLI logs are not recorded in the command line history.
• The CLI command log will be collected as part of any “supportsave” operation.
The command long record of such an operation will be the equivalent of running
“cliHistory --showall”.
• For CLI commands that require a password (Examples: firmwaredownload,
configupload/download, supportsave, and so on), only the command (no arguments) is stored
(see below for an illustration).
sw0:FID128:root> firmwaredownload -s -p scp 10.70.4.109,fvt,/dist,pray4green
Server IP: 10.70.4.109, Protocol IPv4
Checking system settings for firmwaredownload...
Failed to access scp://fvt:**********@10.70.4.109//dist/release.plist
sw0:FID128:root> clihistory
Date & Time
Wed May 23 03:39:37 2012
Message
root, console, firmwaredownload
Password modification
The switch automatically prompts you to change the default account passwords after logging in for
the first time. If you do not change the passwords, the switch prompts you after each subsequent
login until all the default passwords have been changed.
NOTE
The default account passwords can be changed from their original values only when prompted
immediately following the login; the passwords cannot be changed using the passwd command later
in the session. If you skip the prompt, and then later decide to change the passwords, log out and
then back in.
The default accounts on the switch are admin, user, root, and factory. Use the “admin” account to
log in to the switch for the first time and to perform the basic configuration tasks. The password for
all of these accounts is “password”.
There is only one set of default accounts for the entire chassis. The root and factory default
accounts are reserved for development and manufacturing. The user account is primarily used for
system monitoring. For more information on default accounts, refer to “Default accounts” on
page 138.
Default account passwords
The change default account passwords prompt is a string that begins with the message “Please
change your passwords now”. User-defined passwords can have from 8 through 40 characters.
They must begin with an alphabetic character and can include numeric characters, the period (.),
and the underscore ( _ ). They are case-sensitive, and they are not displayed when you enter them
on the command line.
Record the passwords exactly as entered and store them in a secure place because recovering
passwords requires significant effort and fabric downtime. Although the root and factory accounts
are not meant for general use, change their passwords if prompted to do so and save the
passwords in case they are needed for recovery purposes.
Fabric OS Administrator’s Guide
53-1002745-02
61
2
The switch Ethernet interface
Changing the default account passwords at login
Use the following procedure to change the default account passwords:
1. Connect to the switch and log in using the default administrative account.
2. At each of the “Enter new password” prompts, either enter a new password or skip the prompt.
To skip a single prompt, press Enter. To skip all of the remaining prompts, press Ctrl-C.
Example output of changing passwords
login: admin
Password:
Please change your passwords now.
Use Control-C to exit or press 'Enter' key to proceed.
for user - root
Changing password for root
Enter new password: <hidden>
Password changed.
Saving password to stable storage.
Password saved to stable storage successfully.
(output truncated)
The switch Ethernet interface
The Ethernet (network) interface provides management access, including direct access to the
Fabric OS CLI, and allows other tools, such as Web Tools, to interact with the switch. You can use
either Dynamic Host Configuration Protocol (DHCP) or static IP addresses for the Ethernet network
interface configuration.
Brocade Backbones
On Brocade Backbones, you must set IP addresses for the following components:
• Both Control Processors (CP0 and CP1)
• Chassis management IP
Brocade switches
On Brocade switches, you must set the Ethernet and chassis management IP interfaces.
Setting the chassis management IP address eliminates the need to know which CP is active and
automatically connects the requestor to the currently active CP.
You can continue to use a static Ethernet addressing system or allow the DHCP client to
automatically acquire Ethernet addresses. Configure the Ethernet interface IP address, subnet
mask, and gateway addresses in one of the following manners:
• Using static Ethernet addresses (refer to “Static Ethernet addresses” on page 64)
• Activating DHCP (refer to “DHCP activation” on page 66)
62
Fabric OS Administrator’s Guide
53-1002745-02
The switch Ethernet interface
2
NOTE
When you change the Ethernet interface settings, open connections such as SSH or Telnet may be
dropped. Reconnect using the new Ethernet IP address information or change the Ethernet settings
using a console session through the serial port to maintain your session during the change. You
must connect through the serial port to set the Ethernet IP address if the Ethernet network interface
is not configured already. For details, refer to “Connecting to Fabric OS through the serial port” on
page 56.
Virtual Fabrics and the Ethernet interface
On the Brocade DCX and DCX-4S, the single-chassis IP address and subnet mask are assigned to
the management Ethernet ports on the front panels of the CPs. These addresses allow access to
the chassis—more specifically, the active CP of the chassis—and not individual logical switches. The
IP addresses can also be assigned to each CP individually. This allows for direct communication
with a CP, including the standby CP. On the Brocade DCX and DCX-4S Backbones, each CP has two
management Ethernet ports on its front panel. These two physical ports are bonded together to
create a single, logical Ethernet port, and it is the logical Ethernet port to which IP addresses are
assigned.
IPv4 addresses assigned to individual Virtual Fabrics are assigned to IP over Fibre Channel (IPFC)
network interfaces. In Virtual Fabrics environments, a single chassis can be assigned to multiple
fabrics, each of which is logically distinct and separate from one another. Each IPFC point of
connection to a given chassis needs a separate IPv4 address and prefix to be accessible to a
management host. For more information on how to set up these IPFC interfaces to your Virtual
Fabric, refer to Chapter 10, “Managing Virtual Fabrics”.
Displaying the network interface settings
If an IP address has not been assigned to the network interface (Ethernet), you must connect to the
Fabric OS CLI using a console session on the serial port. For more information, see “Console
sessions using the serial port” on page 56. Otherwise, connect using SSH.
Use the following procedure to display the network interface settings:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the ipAddrShow command.
ipAddrShow
Example output for a Brocade Backbone
ecp:admin> ipaddrshow
SWITCH
Ethernet IP Address: 10.1.2.3
Ethernet Subnetmask: 255.255.240.0
CP0
Ethernet IP Address: 10.1.2.3
Ethernet Subnetmask: 255.255.240.0
Host Name: ecp0
Gateway IP Address: 10.1.2.1
CP1
Ethernet IP Address: 10.1.2.4
Ethernet Subnetmask: 255.255.240.0
Fabric OS Administrator’s Guide
53-1002745-02
63
2
The switch Ethernet interface
Host Name: ecp1
Gateway IP Address: 10.1.2.3
IPFC address for virtual fabric ID 123: 11.1.2.3/24
IPFC address for virtual fabric ID 45: 13.1.2.4/20
Slot 7
eth0: 11.1.2.4/24
Gateway: 11.1.2.1
Backplane IP address of CP0 : 10.0.0.5
Backplane IP address of CP1 : 10.0.0.6
IPv6 Autoconfiguration Enabled: Yes
Local IPv6 Addresses:
sw 0 stateless fd00:60:69bc:70:260:69ff:fe00:2/64 preferred
sw 0 stateless fec0:60:69bc:70:260:69ff:fe00:2/64 preferred
cp 0 stateless fd00:60:69bc:70:260:69ff:fe00:197/64 preferred
cp 0 stateless fec0:60:69bc:70:260:69ff:fe00:197/64 preferred
cp 1 stateless fd00:60:69bc:70:260:69ff:fe00:196/64 preferred
cp 1 stateless fec0:60:69bc:70:260:69ff:fe00:196/64 preferred
IPv6 Gateways:
cp 0 fe80:60:69bc:70::3
cp 0 fe80:60:69bc:70::2
cp 0 fe80:60:69bc:70::1
cp 1 fe80:60:69bc:70::3
If the Ethernet IP address, subnet mask, and gateway address are displayed, then the network
interface is configured. Verify the information on your switch is correct. If DHCP is enabled,
the network interface information was acquired from the DHCP server.
NOTE
You can use either IPv4 or IPv6 with a classless inter-domain routing (CIDR) block notation (also
known as a network prefix length) to set up your IP addresses.
Static Ethernet addresses
Use static Ethernet network interface addresses on Brocade DCX and DCX-4S Backbones, and in
environments where DHCP service is not available. To use static addresses for the Ethernet
interface, you must first disable DHCP. You can enter static Ethernet information and disable DHCP
at the same time. For more information, refer to “DHCP activation” on page 66.
If you choose not to use DHCP or to specify an IP address for your switch Ethernet interface, you
can do so by entering “none” or “0.0.0.0” in the Ethernet IP address field.
On an application blade, configure the two external Ethernet interfaces to two different subnets.
If two subnets are not present, configure one of the interfaces and leave the other unconfigured.
Otherwise, the following message displays and blade status may go into a faulty state after a
reboot.
Neighbor table overflow.
print: 54 messages suppressed
64
Fabric OS Administrator’s Guide
53-1002745-02
The switch Ethernet interface
2
Setting the static addresses for the Ethernet network interface
Use the following procedure to set the Ethernet network interface static addresses:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Perform the appropriate action based on whether you have a switch or Backbone:
• If you are setting the IP address for a switch, enter the ipAddrSet command.
• If you are setting the IP address for a Backbone, enter the ipAddrSet command specifying
either CP0 or CP1. You must set the IP address for both CP0 and CP1.
Example of setting an IPv4 address
switch:admin> ipaddrset
Ethernet IP Address [10.1.2.3]:
Ethernet Subnetmask [255.255.255.0]:
Fibre Channel IP Address [220.220.220.2]:
Fibre Channel Subnetmask [255.255.0.0]:
Gateway IP Address [10.1.2.1]:
DHCP [OFF]: off
Example of setting an IPv6 address on a switch
switch:admin> ipaddrset -ipv6 --add 1080::8:800:200C:417A/64
IP address is being changed...Done.
For more information on setting up an IP address for a Virtual Fabric, refer to Chapter 10,
“Managing Virtual Fabrics”.
3. Enter the network information in dotted-decimal notation for the Ethernet IPv4 address or in
semicolon-separated notation for IPv6.
4. Enter the Ethernet Subnetmask at the prompt.
5. The Fibre Channel prompts are not relevant; you can skip them by pressing Enter.
The Fibre Channel IP address is used for management.
6. Enter the Gateway Address at the prompt.
7.
Disable DHCP by entering off.
Setting the static addresses for the chassis management IP interface
Use the following procedure to set the chassis management IP interface static addresses:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the ipAddrSet -chassis command.
switch:admin> ipaddrset -chassis
Ethernet IP Address [192.168.166.148]:
Ethernet Subnetmask [255.255.255.0]:
Committing configuration...Done.
3. Enter the network information in dotted-decimal notation for the Ethernet IPv4 address or in
semicolon-separated notation for IPv6.
4. Enter the Ethernet Subnet mask at the prompt.
Fabric OS Administrator’s Guide
53-1002745-02
65
2
The switch Ethernet interface
DHCP activation
Some Brocade switches have DHCP enabled by default. Fabric OS support for DHCP functionality is
only provided for Brocade fixed-port switches. These are listed in the Preface.
NOTE
The Brocade DCX and Brocade DCX-4S Backbones do not support DHCP.
The Fabric OS DHCP client supports the following parameters:
• External Ethernet port IP addresses and subnet masks
• Default gateway IP address
The DHCP client uses a DHCP vendor-class identifier that allows DHCP servers to determine that
the discover/request packet are coming from a Brocade switch. The vendor-class identifier is the
string “BROCADE” followed by the SWBD model number of the platform. For example, the
vendor-class identifier for a request from a Brocade 5300 is “BROCADESWBD64.”
NOTE
The client conforms to the latest IETF Draft Standard RFCs for IPv4, IPv6, and DHCP. DHCP can
obtain stateful IPv6 addresses.
Enabling DHCP for IPv4
When you connect a DHCP-enabled switch to the network and power on the switch, the switch
automatically obtains the Ethernet IP address, Ethernet subnet mask, and default gateway address
from the DHCP server.
NOTE
The DHCP client can only connect to a DHCP server on the same subnet as the switch. Do not enable
DHCP if the DHCP server is not on the same subnet as the switch.
Enabling DHCP after the Ethernet information has been configured releases the current Ethernet
network interface settings. These include the Ethernet IP address, Ethernet subnet mask, and
gateway IP address. The Fibre Channel IP address and subnet mask are static and are not affected
by DHCP; for instructions on setting the FC IP address, see “Static Ethernet addresses” on
page 64.
Use the following procedure to enable DHCP for IPv4:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the ipAddrSet command.
ipaddrset
NOTE
Alternatively, you can enable DHCP for IPv4 by entering “ipaddrset –ipv4 -add -dhcp ON“as
a single command. If you do so, you do not need to complete the following steps.
3. If already set up, you can skip the Ethernet IP address, Ethernet subnet mask, Fibre Channel IP
address, and Fibre Channel subnet mask prompts by pressing Enter.
Otherwise, enter the network information in dotted-decimal notation for the IPv4 address.
4. Enable DHCP by entering on.
66
Fabric OS Administrator’s Guide
53-1002745-02
The switch Ethernet interface
2
5. You can confirm that the change has been made using the ipAddrShow command.
Example of enabling DHCP for IPv4 interactively:
switch:admin> ipaddrset
Ethernet IP Address [10.1.2.3]:
Ethernet Subnetmask [255.255.255.0]:
Fibre Channel IP Address [220.220.220.2]:
Fibre Channel Subnetmask [255.255.0.0]:
Gateway IP Address [10.1.2.1]:
DHCP [Off]:on
switch:admin>
Example of enabling DHCP for IPv4 using a single command:
switch:admin> ipaddrset –ipv4 -add -dhcp ON
switch:admin> ipaddrshow
SWITCH
Ethernet IP Address: 10.20.134.219
Ethernet Subnetmask: 255.255.240.0
Gateway IP Address: 10.20.128.1
DHCP: On
switch:admin>
Disabling DHCP for IPv4
When you disable DHCP, enter the static Ethernet IP address and subnet mask of the switch and
default gateway address. Otherwise, the Ethernet settings may conflict with other addresses
assigned by the DHCP server on the network.
Use the following procedure to disable DHCP for IPv4:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the ipAddrSet command.
ipaddrset
NOTE
Alternatively, you can disable DHCP for IPv4 by entering “ipaddrset –
ipv4 -add -dhcp OFF“as a single command. If you do so, you do not need to complete the
following steps.
3. Enter the network information using IPv4 dotted-decimal notation.
NOTE
If a static Ethernet address is not available when you disable DHCP, enter 0.0.0.0 at the
Ethernet IP address prompt.
4. You can skip the Fibre Channel prompts by pressing Enter.
5. When you are prompted for DHCP[On], disable it by entering off.
6. You can confirm that the change has been made using the ipAddrShow command.
Example of disabling DHCP for IPv4 interactively:
switch:admin> ipaddrset
Ethernet IP Address [10.1.2.3]:
Ethernet Subnetmask [255.255.255.0]:
Gateway IP Address [10.1.2.1]:
Fabric OS Administrator’s Guide
53-1002745-02
67
2
The switch Ethernet interface
DHCP [On]:off
switch:admin>
Example of disabling DHCP for IPv4 using a single command:
switch:admin> ipaddrset –ipv4 -add -dhcp OFF
switch:admin> ipaddrshow
SWITCH
Ethernet IP Address: 10.20.134.219
Ethernet Subnetmask: 255.255.240.0
Gateway IP Address: 10.20.128.1
DHCP: Off
switch:admin>
IPv6 autoconfiguration
IPv6 can assign multiple IP addresses to each network interface. Each interface is configured with
a link local address in almost all cases, but this address is only accessible from other hosts on the
same network. To provide for wider accessibility, interfaces are typically configured with at least
one additional global scope IPv6 address. IPv6 autoconfiguration allows more IPv6 addresses, the
number of which is dependent on the number of routers serving the local network and the number
of prefixes they advertise.
There are two methods of autoconfiguration for IPv6 addresses: stateless autoconfiguration and
stateful autoconfiguration. Stateless allows an IPv6 host to obtain a unique address using the
IEEE 802 MAC address; stateful uses a DHCPv6 server, which keeps a record of the IP address and
other configuration information for the host. Whether a host engages in autoconfiguration and
which method it uses is dictated by the routers serving the local network, not by a configuration of
the host. There can be multiple routers serving the network, each potentially advertising multiple
network prefixes. Thus, the host is not in full control of the number of IPv6 addresses that it
configures, much less the values of those addresses, and the number and values of addresses can
change as routers are added to or removed from the network.
When IPv6 autoconfiguration is enabled, the platform engages in stateless IPv6 autoconfiguration.
When IPv6 autoconfiguration is disabled, the platform relinquishes usage of any autoconfigured
IPv6 addresses that it may have acquired while it was enabled. This same enable or disable state
also enables or disables the usage of a link local address for each managed entity, though a link
local address continues to be generated for each nonchassis-based platform and for each CP of a
chassis-based platform because those link local addresses are required for router discovery. The
enabled or disabled state of autoconfiguration is independent of whether any static IPv6 addresses
have been configured.
Setting IPv6 autoconfiguration
Use the following procedure to enable IPv6 autoconfiguration:
1. Connect to the switch and log in using an account with admin permissions.
2. Take the appropriate following action based on whether you want to enable or disable IPv6
autoconfiguration:
• Enter the ipAddrSet -ipv6 -auto command to enable IPv6 autoconfiguration for all
managed entities on the target platform.
• Enter the ipAddrSet -ipv6 -noauto command to disable IPv6 autoconfiguration for all
managed entities on the target platform.
68
Fabric OS Administrator’s Guide
53-1002745-02
Date and time settings
2
Date and time settings
Switches maintain the current date and time inside a battery-backed real-time clock (RTC) circuit
that receives the date and time from the fabric’s principal switch. Date and time are used for
logging events. Switch operation does not depend on the date and time; a switch with an incorrect
date and time value functions properly. However, because the date and time are used for logging,
error detection, and troubleshooting, you must set them correctly.
In a Virtual Fabric, there can be a maximum of eight logical switches per Backbone. Only the
default switch in the chassis can update the hardware clock. When the date command is issued
from a non-principal pre-Fabric OS v6.2.0 or earlier switch, the date command request is dropped
by a Fabric OS v6.2.0 and later switch and the pre-Fabric OS v6.2.0 switch or earlier does not
receive an error.
Authorization access to set or change the date and time for a switch is role-based. For an
understanding of role-based access, refer to “Role-Based Access Control” on page 134.
Setting the date and time
Use the following procedure to set the device date and time:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the date command, using the following syntax:
date "mmddHHMMyy"
The values represent the following:
•
•
•
•
•
mm is the month; valid values are 01 through 12.
dd is the date; valid values are 01 through 31.
HH is the hour; valid values are 00 through 23.
MM is minutes; valid values are 00 through 59.
yy is the year, valid values are 00 through 37 and 70 through 99 (year values from 70
through 99 are interpreted as 1970 through 1999, year values from 00 through 37 are
interpreted as 2000 through 2037).
Example of showing and setting the date
switch:admin> date
Fri Sep 29 17:01:48 UTC 2007
Stealth200E:admin> date "0204101008"
Mon Feb 4 10:10:00 UTC 2008
Time zone settings
You can set the time zone for a switch by name. You can specify the setting using country and city
or time zone parameters. Switch operation does not depend on a date and time setting. However,
having an accurate time setting is needed for accurate logging and audit tracking.
If the time zone is not set with new options, the switch retains the offset time zone settings. The
tsTimeZone command includes an option to revert to the prior time zone format. For more
information about the tsTimeZone command, refer to the Fabric OS Command Reference.
Fabric OS Administrator’s Guide
53-1002745-02
69
2
Date and time settings
When you set the time zone for a switch, you can perform the following tasks:
• Display all of the time zones supported in the firmware.
• Set the time zone based on a country and city combination or based on a time zone ID,
such as PST.
The time zone setting has the following characteristics:
• Users can view the time zone settings. However, only those with administrative
permissions can set the time zones.
• The setting automatically adjusts for Daylight Savings Time.
• Changing the time zone on a switch updates the local time zone setup and is reflected in
local time calculations.
• By default, all switches are set to Greenwich Mean Time (0,0). If all switches in a fabric are
in one time zone, it is possible for you to keep the time zone setup at the default setting.
• System services that have already started reflect the time zone changes after the next
reboot.
• Time zone settings persist across failover for high availability.
• Setting the time zone on any dual domain Backbone has the following characteristics:
• Updating the time zone on any switch updates the entire Backbone.
• The time zone of the entire Backbone is the time zone of switch 0.
Setting the time zone
The following procedure describes how to set the time zone for a switch. You must perform the
procedure on all switches for which the time zone must be set. However, you only need to set the
time zone once on each switch because the value is written to nonvolatile memory.
Use the following procedure to set the device time zone:
1. Connect to the switch and log in using an account assigned to the admin role and with the
chassis-role permission.
2. Enter the tsTimeZone command.
• Use tsTimeZone with no parameters to display the current time zone setting.
• Use --interactive to list all of the time zones supported by the firmware.
• Use timeZone_fmt to set the time zone by Country/City or by time zone ID, such as Pacific
Standard Time (PST).
Example of displaying and changing the time zone to US/Central
switch:admin> tstimezone
Time Zone : US/Pacific
switch:admin> tstimezone US/Central
switch:admin> tstimezone
Time Zone : US/Central
70
Fabric OS Administrator’s Guide
53-1002745-02
Date and time settings
2
Setting the time zone interactively
Use the following procedure to set the current time zone to PST using interactive mode:
1. Connect to the switch and log in using an account assigned to the admin role and with the
chassis-role permission.
2. Enter the tsTimeZone --interactive command.
You are prompted to select a general location.
Please identify a location so that time zone rules can be set correctly.
3. Enter the appropriate number or press Ctrl-D to quit.
4. Select a country location at the prompt.
5. Enter the appropriate number at the prompt to specify the time zone region of Ctrl-D to quit.
Network time protocol
You can synchronize the local time of the principal and primary FCS switch to a maximum of eight
external Network Time Protocol (NTP) servers. To keep the time in your SAN current, it is
recommended that the principal or primary FCS switch has its time synchronized with at least one
external NTP server. The other switches in the fabric automatically take their time from the principal
or primary FCS switch, as described in “Synchronizing the local time with an external source.”
All switches in the fabric maintain the current clock server value in nonvolatile memory. By default,
this value is the local clock server (LOCL) of the principal or primary FCS switch. Changes to the
clock server value on the principal or primary FCS switch are propagated to all switches in the
fabric.
In a Virtual Fabric, all the switches in the fabric must have the same NTP clock server configured.
This includes any Fabric OS v6.2.0 or earlier switches in the fabric. This ensures that time does not
go out of sync in the logical fabric. It is not recommended to have LOCL in the server list.
When a new switch enters the fabric, the time server daemon of the principal or primary FCS switch
sends out the addresses of all existing clock servers and the time to the new switch. When a switch
enters the fabric, it stores the list and the active servers.
NOTE
In a Virtual Fabric, multiple logical switches can share a single chassis. Therefore, the NTP server
list must be the same across all fabrics.
Synchronizing the local time with an external source
The tsClockServer command accepts multiple server addresses in IPv4, IPv6, or Domain Name
System (DNS) name formats. When multiple NTP server addresses are passed, tsClockServer sets
the first obtainable address as the active NTP server. The rest are stored as backup servers that
can take over if the active NTP server fails. The principal or primary FCS switch synchronizes its
time with the NTP server every 64 seconds.
Fabric OS Administrator’s Guide
53-1002745-02
71
2
Domain IDs
Use the following procedure to synchronize the local time with an external source:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the tsClockServer command.
switch:admin> tsclockserver "ntp1;ntp2"
In this syntax, ntp1 is the IP address or DNS name of the first NTP server, which the switch
must be able to access. The second variable, ntp2, is the second NTP server and is optional.
The operand “ntp1;ntp2” is optional; by default, this value is LOCL, which uses the local clock
of the principal or primary FCS switch as the clock server.
Example of setting the NTP server
switch:admin> tsclockserver
LOCL
switch:admin> tsclockserver "10.1.2.3"
Example of displaying the NTP server
switch:admin> tsclockserver
10.1.2.3
Example of setting up more than one NTP server using a DNS name
switch:admin> tsclockserver "10.1.2.4;10.1.2.5;ntp.localdomain.net"
Updating Clock Server configuration...done.
Updated with the NTP servers
Changes to the clock server value on the principal or primary FCS switch are propagated to all
switches in the fabric.
Domain IDs
Although domain IDs are assigned dynamically when a switch is enabled, you can change them
manually so that you can control the ID number or resolve a domain ID conflict when you merge
fabrics.
If a switch has a domain ID when it is enabled, and that domain ID conflicts with another switch in
the fabric, the conflict is automatically resolved if the other switch’s domain ID is not persistently
set. The process can take several seconds, during which time traffic is delayed. If both switches
have their domain IDs persistently set, one of them needs to have its domain ID changed to a
domain ID not used within the fabric.
The default domain ID for Brocade switches is 1.
Domain ID issues
Keep the following restrictions in mind when working with domain IDs.
• Do not use domain ID 0. Using this domain ID can cause the switch to reboot continuously.
• Avoid changing the domain ID on the FCS switch in secure mode.
• To minimize downtime, change the domain IDs on the other switches in the fabric.
72
Fabric OS Administrator’s Guide
53-1002745-02
Domain IDs
2
Displaying the domain IDs
Use the following procedure to display device domain IDs:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the fabricShow command.
Example output of fabric information, including the domain ID (D_ID)
The principal switch is determined by the arrow ( > ) next to the name of the switch. In this
output, the principal switch appears in blue boldface.
switch:admin> fabricshow
Switch ID
Worldwide Name
Enet IP Addr
FC IP Addr
Name
------------------------------------------------------------------------2: fffc02
10:00:00:60:69:e0:01:46
10.3.220.1
0.0.0.0
"ras001"
3: fffc03
10:00:00:60:69:e0:01:47
10.3.220.2
0.0.0.0
"ras002"
5: fffc05
10:00:00:05:1e:34:01:bd
10.3.220.5
0.0.0.0
"ras005"
fec0:60:69bc:63:205:1eff:fe34:1bd
6: fffc06
10:00:00:05:1e:34:02:3e
10.3.220.6
0.0.0.0
"ras006"
7: fffc07
10:00:00:05:1e:34:02:0c
10.3.220.7
0.0.0.0
"ras007"
10: fffc0a
10:00:00:05:1e:39:e4:5a
10.3.220.10
0.0.0.0
"ras010"
15: fffc0f
10:00:00:60:69:80:47:74
10.3.220.15
0.0.0.0
"ras015"
19: fffc13
10:00:00:05:1e:34:00:ad
10.3.220.19
0.0.0.0
"ras019"
fec0:60:69bc:63:219:1eff:fe34:1bd
20: fffc14
10:00:00:05:1e:40:68:78
10.3.220.20
0.0.0.0
"ras020"
25: fffc19
10:00:00:05:1e:37:23:c6
10.3.220.25
0.0.0.0
"ras025"
30: fffc1e
10:00:00:60:69:90:04:1e
10.3.220.30
0.0.0.0
"ras030"
35: fffc23
10:00:00:05:1e:07:c7:26
10.3.220.35
0.0.0.0
"ras035"
40: fffc28
10:00:00:60:69:50:06:7f
10.3.220.40
0.0.0.0
"ras040"
45: fffc2d
10:00:00:05:1e:35:10:72
10.3.220.45
0.0.0.0
"ras045"
46: fffc2e
10:00:00:05:1e:34:c5:17
10.3.220.46
0.0.0.0
"ras046"
47: fffc2f
10:00:00:05:1e:02:aa:f7
10.3.220.47
0.0.0.0
"ras047"
50: fffc32
10:00:00:60:69:c0:06:64
10.1.220.50
0.0.0.0
"ras050"
(output truncated)
The Fabric has 26 switches
Table 4 displays the fabricShow fields.
TABLE 4
fabricShow fields
Field
Description
Switch ID
The switch domain_ID and embedded port D_ID. The numbers are broken down as follows:
Example 64: fffc40
64 is the switch domain_ID
fffc40 is the hexadecimal format of the embedded port D_ID.
World Wide Name The switch WWN.
Enet IP Addr
The switch Ethernet IP address for IPv4- and IPv6-configured switches. For IPv6 switches, only
the static IP address displays.
FC IP Addr
The switch Fibre Channel IP address.
Name
The switch symbolic or user-created name in quotes.
Fabric OS Administrator’s Guide
53-1002745-02
73
2
Switch names
Setting the domain ID
Use the following procedure to set the domain ID:
1. Connect to the switch and log in on an account assigned to the admin role.
2. Enter the switchDisable command to disable the switch.
3. Enter the configure command.
4. Enter y after the Fabric Parameters prompt.
Fabric parameters (yes, y, no, n): [no] y
5. Enter a unique domain ID at the Domain prompt. Use a domain ID value from 1 through 239
for normal operating mode (FCSW-compatible).
Domain: (1..239) [1] 3
6. Respond to the remaining prompts, or press Ctrl-D to accept the other settings and exit.
7.
Enter the switchEnable command to re-enable the switch.
Switch names
Switches can be identified by IP address, domain ID, World Wide Name (WWN), or by customized
switch names that are unique and meaningful.
Restrictions
• Switch names can be from 1 through 30 characters long.
• All switch names must begin with a letter, and can contain letters, numbers, or the underscore
character.
• Switch names must be unique across logical switches.
• Changing the switch name causes a domain address format RSCN to be issued and may be
disruptive to the fabric.
Customizing the switch name
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the switchName command and enter a new name for the switch.
syntax: admin> switchname newname
dilbert:FID128:# admin> switchname dogbert
Committing configuration...
Done.
Switch name has been changed.Please re-login into the switch for the change to
be applied.
dilbert:FID128:# admin>
NOTE
The prompt does not change to the new switch name until AFTER you re-login.
3. Record the new switch name for future reference.
74
Fabric OS Administrator’s Guide
53-1002745-02
Chassis names
2
Chassis names
Brocade recommends that you customize the chassis name for each platform. Some system logs
identify devices by platform names; if you assign meaningful platform names, logs are more useful.
All chassis names supported by Fabric OS v7.0.0 allow 31 characters. Chassis names must begin
with an alphabetic character and can include alphabetic and numeric characters, and the
underscore ( _ ).
Customizing chassis names
Use the following procedure to customize the chassis name:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the chassisName command.
ecp:admin> chassisname newname
3. Record the new chassis name for future reference.
Fabric name
You can assign a alphanumeric name to identify and manage a logical fabric that formerly could
only be identified by a fabric ID. The fabric name does not replace the fabric ID or its usage.
The fabric continues to have a fabric ID, in addition to the assigned alphanumeric fabric name.
The following considerations apply to fabric naming:
• Each name must be unique for each logical switch within a chassis; duplicate fabric names are
not allowed.
• A fabric name can be from 1 through 128 alphanumeric characters.
• All switches in a logical fabric must be running Fabric OS v7.1.0. Switches running earlier
versions of the firmware can co-exist in the fabric, but do not show the fabric name details.
• You must have admin permissions to configure the fabric name.
Configuring the fabric name
To set and display the fabric name, use the fabricName command as shown here:
switch:user> fabricname --set myfabric@1
Using the fabricName --set command without a fabric name takes the existing fabric name and
synchronizes it across the entire fabric. An error message displays if no name is configured.
To set a fabric name that includes spaces, enclose the fabric name in quotes, as shown here:
switch:user> fabricname --set "my new fabric"
To set a fabric name that includes bash special meta-characters or spaces, use the command
fabricName as shown in the following example:
switch:user> fabricname --set 'red fabric $$'
To clear the fabric name, use the fabricName --clear command.
Fabric OS Administrator’s Guide
53-1002745-02
75
2
Switch activation and deactivation
High availability considerations for fabric names
Fabric names locally configured or obtained from a remote switch are saved in the configuration
database, and then synchronized to the standby CP on dual-CP-based systems.
Upgrade and downgrade considerations for fabric names
Fabric names are lost during a firmware downgrade. No default fabric name is provided. If a fabric
name is needed, it must be configured after the upgrade.
Config file upload and download considerations for fabric names
A new key, “fabric name” is added to store the user configuration. You can only configure fabric
names using config download when the switch is offline.
Switch activation and deactivation
By default, the switch is enabled after power is applied and diagnostics and switch initialization
routines have finished. You can disable and re-enable the switch as necessary.
Disabling a switch
Use the following procedure to disable a switch:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the switchDisable command.
All Fibre Channel ports on the switch are taken offline. If the switch is part of a fabric, the fabric
is reconfigured.
Enabling a switch
Use the following procedure to enable a switch:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the switchEnable command.
All Fibre Channel ports that passed Power On Self Test (POST) are enabled. If the switch has
inter-switch links (ISLs) to a fabric, it joins the fabric.
Switch and Backbone shutdown
To avoid corrupting your file system, you must perform graceful shutdowns of Brocade switches and
Backbones.
Warm reboot (also known as graceful shutdown) refers to shutting down the switch or platform by
way of the following instructions. Cold boot (also known as a hard boot) refers to shutting down the
switch or platform by suddenly shutting down power and powering on again.
76
Fabric OS Administrator’s Guide
53-1002745-02
Switch and Backbone shutdown
2
Powering off a Brocade switch
Use the following procedure to gracefully shut down a Brocade switch.
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the sysShutdown command.
3. Enter y at the prompt.
switch:admin> sysshutdown
This command will shutdown the operating systems on your switch.
You are required to power-cycle the switch in order to restore operation.
Are you sure you want to shutdown the switch [y/n]?y
4. Wait until the following message displays:
Broadcast message from root (ttyS0) Wed Jan 25 16:12:09 2006...
The system is going down for system halt NOW !!
INIT: Switching to runlevel: 0
INIT: Sending processes the TERM signal
Unmounting all filesystems.
The system is halted
flushing ide devices: hda
Power down.
5. Power off the switch.
Powering off a Brocade Backbone
Use the following procedure to power off a Brocade Backbone device:
1. From the active CP in a dual-CP platform, enter the sysShutdown command.
NOTE
When the sysShutdown command is issued on the active CP, the active CP, the standby CP, and
any application blades are all shut down.
2. Enter y at the prompt.
3. Wait until the following message displays:
DCX:FID128:admin> sysshutdown
This command will shutdown the operating systems on your switch.
You are required to power-cycle the switch in order to restore operation.
Are you sure you want to shutdown the switch [y/n]?y
HA is disabled
Stopping blade 10
Shutting down the blade....
Stopping blade 12
Shutting down the blade....
Broadcast message from root (pts/0) Fri Oct 10 08:36:48 2008...
The system is going down for system halt NOW !!
4. Power off the switch.
Fabric OS Administrator’s Guide
53-1002745-02
77
2
Basic connections
Basic connections
Before connecting a switch to a fabric that contains switches running different firmware versions,
you must first set the same port identification (PID) format on all switches. The presence of
different PID formats in a fabric causes fabric segmentation.
• For information on PID formats and related procedures, refer to Chapter 3, “Performing
Advanced Configuration Tasks”.
• For information on configuring the routing of connections, refer to Chapter 4, “Routing Traffic”.
• For information on configuring extended inter-switch connections, refer to Chapter 23,
“Managing Long-Distance Fabrics”.
Device connection
To minimize port logins, power off all devices before connecting them to the switch. When powering
the devices back on, wait for each device to complete the fabric login before powering on the next
one.
For devices that cannot be powered off, first use the portDisable command to disable the port on
the switch, connect the device, and then use the portEnable command to enable the port.
Switch connection
See the hardware reference manual of your specific switch for ISL connection and cable
management information. The standard or default ISL mode is L0. ISL mode L0 is a static mode,
with the following maximum ISL distances:
•
•
•
•
•
•
10 km at 1 Gbps
5 km at 2 Gbps
2.5 km at 4 Gbps
1 km at 8 Gbps
1 km at 10 Gbps
1 km at 16 Gbps
For more information on extended ISL modes, which enable long distance inter-switch links, refer to
Chapter 23, “Managing Long-Distance Fabrics”.
78
Fabric OS Administrator’s Guide
53-1002745-02
Chapter
Performing Advanced Configuration Tasks
3
In this chapter
• Port Identifiers (PIDs) and PID binding overview. . . . . . . . . . . . . . . . . . . . . . 79
• Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
• Blade terminology and compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
• Enabling and disabling blades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
• Blade swapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
• Enabling and disabling switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
• Power management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
• Equipment status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
• Track and control switch changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
• Audit log configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
• Duplicate PWWN handling during device login . . . . . . . . . . . . . . . . . . . . . . 109
Port Identifiers (PIDs) and PID binding overview
Port identifiers (PIDs, also called Fabric Addresses) are used by the routing and zoning services in
Fibre Channel fabrics to identify ports in the network. All devices in a fabric must use the same PID
format. When you add new equipment to the SAN, you might need to change the PID format on
legacy equipment.
Many scenarios cause a device to receive a new PID; for example, unplugging the device from one
port and plugging it into a different port as part of fabric maintenance, or changing the domain ID
of a switch, which might be necessary when merging fabrics, or changing compatibility mode
settings.
Some device drivers use the PID to map logical disk drives to physical Fibre Channel counterparts.
Most drivers can either change PID mappings dynamically, also called dynamic PID binding, or use
the WWN of the Fibre Channel disk for mapping, also called WWN binding.
Some older device drivers behave as if a PID uniquely identifies a device; they use static PID
binding. These device drivers should be updated, if possible, to use WWN binding or dynamic PID
binding instead, because static PID binding creates problems in many routine maintenance
scenarios. Fortunately, very few device drivers still behave this way. Many current device drivers
enable you to select static PID binding as well as WWN binding. You should only select static PID
binding if there is a compelling reason, and only after you have evaluated the effect of doing so.
Fabric OS Administrator’s Guide
53-1002745-02
79
3
Port Identifiers (PIDs) and PID binding overview
Core PID addressing mode
Core PID is the default PID format for Brocade platforms. It uses the entire 24-bit address space of
the domain, area ID, and AL_PA to determine an object’s address within the fabric.
The Core PID is a 24-bit address built from the following three 8-bit fields:
• Domain ID, written in hex and the numeric range is from 01–ee (1–239)
• Area ID, written in hex and the numeric range is from 01–ff (1–255)
• AL_PA
For example, if a device is assigned an address of 0f1e00, the following would apply:
• 0f is the domain ID.
• 1e is the area ID.
• 00 is the assigned AL_PA.
From this information, you can determine which switch the device resides on from the domain ID,
which port the device is attached to from the area ID, and if this device is part of a loop from the
AL_PA number.
For more information on reading and converting hexadecimal, refer to Appendix C, “Hexadecimal
Conversion”.
Fixed addressing mode
Fixed addressing mode is the default addressing mode used in all platforms that do not have
Virtual Fabrics enabled. When Virtual Fabrics is enabled on the Brocade Backbone, fixed
addressing mode is used only on the default logical switch. With fixed addressing mode enabled,
each port has a fixed address assigned by the system based on the port number. This address
does not change unless you choose to swap the address using the portSwap command.
10-bit addressing mode
The 10-bit addressing mode is the default mode for all the logical switches created in the Brocade
Backbones. This addressing scheme is flexible to support a large number of F_Ports. In the regular
10-bit addressing mode, the portAddress --auto command supports addresses from 0x00 to 0x8F.
NOTE
The default switch in the Brocade Backbones uses the fixed addressing mode.
The 10-bit addressing mode utilizes the 8-bit area ID and the borrowed upper two bits from the
AL_PA portion of the PID. Areas 0x00 through 0x8F use only 8 bits for the port address and support
up to 256 NPIV devices. A logical switch can support up to 144 ports that can each support 256
devices. Areas 0x90 through 0xFF use an additional two bits from the AL_PA for the port address.
Therefore, these ports support only 64 NPIV devices per port.
10-bit addressing mode provides the following features:
• A PID is dynamically allocated only when the port is first moved to a logical switch and
thereafter it is persistently maintained.
• PIDs are assigned in each logical switch starting with 0xFFC0, and can go to 0x8000 in the
case of 64-port blades.
80
Fabric OS Administrator’s Guide
53-1002745-02
Port Identifiers (PIDs) and PID binding overview
3
• Shared area limitations are removed on 48-port and 64-port blades.
• Any port on a 48-port or 64-port blade can support up to 256 NPIV devices (in fixed addressing
mode, only 128 NPIV devices are supported in non-VF mode and 64 NPIV devices in VF mode
on a 48-port blade).
• Any port on a 48-port blade can support loop devices.
• Any port on a 48-port or 64-port blade can support hard port zoning.
• Port index is not guaranteed to be equal to the port area ID.
256-area addressing mode
This configurable addressing mode is available only in a logical switch on the Brocade Backbone.
In this mode, only 256 ports are supported and each port receives a unique 8-bit area address.
This mode can be used in FICON environments, which have strict requirements for 8-bit area
FC addresses.
There are two types of area assignment modes in the 256-area addressing mode: zero-based and
port-based.
• Zero-based mode assigns areas as ports are added to the logical switch, beginning at area
0x00. When a port is assigned to a logical switch, the next free PID starting from 0x00 is
assigned. This mode allows FICON customers to make use of the upper ports of a 48-port or
64-port blade.
• Zero-based mode is supported on the default switch.
• Port-based mode is a bit more complex:
• Port-based mode is not supported on the default switch.
• 48-port cards are supported in port-based addressing mode (mode 2) on both DCX-4S and
8510-4 devices. However, the upper 16 ports of a 64-port card are not supported.The
Brocade DCX does not support port-based addressing (mode 2) on the FC8-48 blade, but
does support zero-based addressing (mode 1).
• The Brocade DCX-4S supports port-based addressing (mode 2) on the FC8-48 blade.
• The Brocade 8510-4 supports port-based addressing (mode 2) on the FC16-48 blade.
• The Brocade 8510-8 does not support port based addressing (mode 2) on the FC16-48
blade, but does support zero-based addressing (mode 1).
ATTENTION
The DCX and 8510-8 Backbones have safeguards that disable all 49 port cards if FMS is enabled.
See the FICON Administrator’s Guide for more details if needed.
Fabric OS Administrator’s Guide
53-1002745-02
81
3
Port Identifiers (PIDs) and PID binding overview
WWN-based PID assignment
WWN-based PID assignment is disabled by default. When the feature is enabled, bindings are
created dynamically; as new devices log in, they automatically enter the WWN-based PID database.
The bindings exist until you explicitly unbind the mappings through the CLI or change to a different
addressing mode. If there are any existing devices when you enable the feature, you must manually
enter the WWN-based PID assignments through the CLI.
This feature also allows you to configure a PID persistently using a device WWN. When the device
logs in to the switch, the PID is bound to the device WWN. If the device is moved to another port in
the same switch, or a new blade is hot plugged, the device receives the same PID (area) at its next
login.
Once WWN-based PID assignment is enabled, you must manually enter the WWN-based PID
assignments through the CLI for any existing devices.
ATTENTION
When WWN-based PID assignment is enabled, the area assignment is dynamic and does not
guarantee any order in the presence of static WWN-area binding or when the devices are moved
around.
PID assignments are supported for a maximum of 4096 devices; this includes both point-to-point
and NPIV devices. The number of point-to-point devices supported depends on the areas available.
For example, 448 areas are available on Backbones and 256 areas are available on switches.
When the number of entries in the WWN-based PID database reaches 4096 areas are used up, the
oldest unused entry is purged from the database to free up the reserved area for the new FLOGI.
Virtual Fabrics considerations for WWN-based PID assignment
WWN-based PID assignment is disabled by default and is supported in the default switch on the
Brocade DCX and DCX 8510 Backbone families. This feature is not supported on application blades
such as the FS8-18, FX8-24, and the FCOE10-24. The total number of ports in the default switch
must be 256 or less.
When the WWN-based PID assignment feature is enabled and a new blade is plugged into the
chassis, the ports for which the area is not available are disabled.
NPIV
If any NPIV devices have static PIDs configured and the acquired area is not the same as the one
being requested, the FDISC coming from that device is rejected and the error is noted in the
RASlog.
If the NPIV device has Dynamic Persistent PID set, the same AL_PA value in the PID is used. This
guarantees NPIV devices get the same PID across reboots and AL_PAs assigned for the device do
not depend on the order in which the devices come up. For more information on NPIV, refer to
Chapter 15, “NPIV”.
Enabling automatic PID assignment
NOTE
To activate the WWN-based PID assignment, you do not need to disable the switch.
82
Fabric OS Administrator’s Guide
53-1002745-02
Port Identifiers (PIDs) and PID binding overview
3
Use the following procedure to enable automatic PID assignment:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the configure command.
3. At the Fabric Parameters prompt, type y.
4. At the WWN Based persistent PID prompt, type y.
5. Press Enter to bypass the remaining prompts without changing them.
Example of activating PID assignments
switch: admin> configure
Configure...
Fabric parameters (yes, y, no, n): [no] y
WWN Based persistent PID (yes, y, no, n): [no] y
System services (yes, y, no, n): [no]
ssl attributes (yes, y, no, n): [no]
rpcd attributes (yes, y, no, n): [no]
cfgload attributes (yes, y, no, n): [no]
webtools attributes (yes, y, no, n): [no]
Custom attributes (yes, y, no, n): [no]
system attributes (yes, y, no, n): [no]
Assigning a static PID
Use the following procedure to assign a static PID:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the wwnAddress -bind command to assign a 16-bit PID to a given WWN.
Clearing PID binding
Use the following procedure to clear a PID binding:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the wwnAddress -unbind command to clear the PID binding for the specified WWN.
Showing PID assignments
Use the following procedure to display PID assignments:
1. Connect to the switch and log in using an account with admin permissions.
2. Based on what you want to display, enter the appropriate command:
• wwnAddress –show displays the assigned WWN-PID bindings.
• wwnAddress –findPID wwn displays the PID assigned to the device WWN specified.
Fabric OS Administrator’s Guide
53-1002745-02
83
3
Ports
Ports
Ports provide either a physical or virtual network connection point for a device. Brocade devices
support a wide variety of ports.
Port Types
The following is a list of port types that may be part of a Brocade device:
• D_Port — A diagnostic port lets an administrator isolate the inter-switch link (ISL) to diagnose
link level faults. This port runs only specific diagnostics tests and does not carry any fabric
traffic. Refer to the Fabric OS Troubleshooting and Diagnostics Guide for more information on
this port type.
• E_Port — An expansion port that is assigned to ISL links to expand a fabric by connecting it to
other switches. Two connected E_Ports form an Inter-Switch Link (ISL). When E_Ports are used
to connect switches, those switches merge into a single fabric without an isolation
demarcation point. ISLs are non-routed links.
• EX_Port — A type of E_Port that connects a Fibre Channel router to an edge fabric.
From the point of view of a switch in an edge fabric, an EX_Port appears as a normal E_Port.
It follows applicable Fibre Channel standards as other E_Ports. However, the router terminates
EX_Ports rather than allowing different fabrics to merge as would happen on a switch with
regular E_Ports. An EX_Port cannot be connected to another EX_Port.
• F_Port — A fabric port that is assigned to fabric-capable devices, such as SAN storage devices.
• G_Port — A generic port that acts as a transition port for non-loop fabric-capable devices.
• L_/FL_Port — A loop or fabric loop port that connects loop devices. L_Ports are associated with
private loop devices and FL_Ports are associated with public loop devices.
• M_Port — A mirror port that is configured to duplicate (mirror) the traffic passing between a
specified source port and destination port. This is only supported for pairs of F_Ports.
Refer to the Fabric OS Troubleshooting and Diagnostics Guide for more information on
port mirroring.
• U_Port — A universal Fibre Channel port. This is the base Fibre Channel port type, and all
unidentified or uninitiated ports are listed as U_Ports.
• VE_Port — A virtual E_Port that is a gigabit Ethernet switch port configured for an FCIP tunnel.
• VEX_Port — A virtual EX_Port that connects a Fibre Channel router to an edge fabric. From the
point of view of a switch in an edge fabric, a VEX_Port appears as a normal VE_Port. It follows
the same Fibre Channel protocol as other VE_Ports. However, the router terminates VEX_Ports
rather than allowing different fabrics to merge as would happen on a switch with regular
VE_Ports.
Backbone port blades
Because Backbones contain interchangeable port blades, their procedures differ from those for
fixed-port switches. For example, fixed-port models identify ports only by the port number, while
Backbones identify ports by slot/port notation.
NOTE
For detailed information about the Brocade DCX and DCX 8510 Backbone families, refer to the
hardware reference manuals.
84
Fabric OS Administrator’s Guide
53-1002745-02
Ports
3
The different blades that can be inserted into a chassis are described as follows:
• Control processor blades (CPs) contain communication ports for system management, and are
used for low-level, platform-wide tasks.
• Core blades are used for intra-chassis switching as well as interconnecting two Backbones.
• Port blades are used for host, storage, and interswitch connections.
• AP blades are used for Fibre Channel Application Services and Routing Services, FCIP,
Converged Enhanced Ethernet, and encryption support.
NOTE
On each port blade, a particular port must be represented by both slot number and port number.
The Brocade DCX and DCX 8510-8 each have 12 slots that contain control processor, core, port,
and AP blades:
• Slot numbers 6 and 7 contain CPs.
• Slot numbers 5 and 8 contain core blades.
• Slot numbers 1 through 4 and 9 through 12 contain port and AP blades.
The Brocade DCX-4S and DCX 8510-4 each have 8 slots that contain control processor, core, port,
and AP blades:
• Slot numbers 4 and 5 contain CPs.
• Slot numbers 3 and 6 contain core blades.
• Slot numbers 1 and 2, and 7 and 8 contain port and AP blades.
When you have port blades with different port counts in the same Backbone (for example, 16-port
blades and 32-port blades, or 16-port blades and 18-port blades with 16 FC ports and 2 GbE ports,
or 16-port and 48-port blades), the area IDs no longer match the port numbers.
Table 6 on page 94 lists the port numbering schemes for the blades.
Configuring two Ethernet ports on one CP8 blade
This feature bonds the two external Ethernet ports of a CP8 blade together as a single logical
network interface. This uses an active-standby failover model to provide automatic failover support
for the primary Ethernet port on the blade. Basically, if the primary Ethernet port fails (due to
something other than power loss), the second Ethernet port immediately takes over to ensure link
layer communication is retained
The bonding functions as follows: the bonding driver selects one of the physical ports as an active
interface by inspecting the physical link state reported by the PHY. Once this is done, all traffic is
transmitted over the active interface. The second interface is set as the standby interface and no
traffic is transmitted over it unless the active interface is determined to be no longer connected; at
this point the second interface is made active.
When active, all the Fabric OS kernel modules and applications on the CP8 will use this logical
network interface named “bond0” instead of “eth0”.
NOTE
On bootup, physical port eth0 is always made active if it is connected.
Fabric OS Administrator’s Guide
53-1002745-02
85
3
Ports
Upgrade and Downgrade considerations
For an upgrade, unless both CP8 external Ethernet ports are upgraded and rebooted, the bonding
feature will not be enabled. On a downgrade, the first physical port named eth0 has to be
connected for the device to initialize correctly; the bonding feature will not be available.
Supported devices
This feature is available on a CP8 blade when it is installed on a Brocade DCX, Brocade DCX-4S,
Brocade DCX 8510-8 or Brocade DCX 8510-4.
Setting up the second Ethernet port on a CP8 blade
To set up the second Ethernet port on a CP8 blade for bonding:
1. Make sure that the speed and link operating mode settings are the same for both eth3 and
eth0. See “Setting port modes” on page 90 for instructions on setting port modes, and
“Setting port speeds” on page 92 for instructions on setting port speeds.
2. Physically connect the second Ethernet port to the same network as the primary Ethernet port.
Notes:
• The port speed and duplex mode between these Ethernet ports should always match with both
either set at a fixed speed or both set to autonegotiate.
• The CP8 blade actually contains multiple Ethernet devices, including eth0 and eth3 which map
to the two Ethernet ports on the front of the CP8 blade. Other Ethernet devices on the blade
are reserved for use by the operating system.
• The CP blade enables eth0 by default. If errors are encountered on eth0, these are treated the
same as for any other port, except if the error causes the eth0 port to go down.
If eth0 goes down, the eth3 interface becomes active (as described above) and will remain
active even if eth0 comes back up. The only ways to restore eth0 as the active interface are to:
-
Unplug the network cable, wait 5 seconds, and then plug it back in.
Perform a HA failover routine.
Take the entire switch down and then power it back up again (see note above).
ATTENTION
The second two options will cause a disruptive delay in content delivery.
Setting port names
Perform the following steps to specify a port name. For Backbones, specify the slot number where
the blade is installed.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the portName command.
Example of naming port 0
ecp:admin> portname 1/0 trunk1
86
Fabric OS Administrator’s Guide
53-1002745-02
Ports
3
Port identification by slot and port number
The port number is a number assigned to an external port to give it a unique identifier in a switch.
To select a specific port in the Backbones, you must identify both the slot number and the port
number using the format slot number/port number. No spaces are allowed between the slot
number, the slash (/), and the port number.
Example of enabling port 4 on a blade in slot 2
ecp:admin> portenable 2/4
Port identification by port area ID
The relationship between the port number and area ID depends upon the PID format used in the
fabric. When Core PID format is in effect, the area ID for port 0 is 0, for port 1 is 1, and so forth.
For 32-port blades (FC8-32, FC8-32E, FC16-32), the numbering is contiguous up to port 15; from
port 16, the numbering is still contiguous, but starts with 128. For example, port 15 in slot 1 has a
port number and area ID of 15; port 16 has a port number and area ID of 128; port 17 has a port
number and area ID of 129.
For 48-port blades (FC8-48, FC8-48E, FC16-48), the numbering is the same as for 32-port blades
for the first 32 ports on the blade. For ports 32 through 47, area IDs are not unique and port index
should be used instead of area ID.
For the 64-port blade (FC8-64), the numbering is the same as for 32-port blades for the first 32
ports on the blade. For ports 32 through 64, area IDs are not unique and port index should be used
instead of area ID.
If you perform a port swap operation, the port number and area ID no longer match. On 48-port
blades, port swapping is supported only on ports 0–15.
To determine the area ID of a particular port, enter the switchShow command. This command
displays all ports on the current (logical) switch and their corresponding area IDs.
Port identification by index
With the introduction of 48-port blades, indexing was introduced. Unique area IDs are possible for
up to 255 areas, but beyond that there needed to be some way to ensure uniqueness.
A number of fabric-wide databases supported by Fabric OS (including ZoneDB, the ACL DDC, and
Admin Domain) allow a port to be designated by the use of a “D,P” (domain,port) notation. While
the “P” component appears to be the port number, for up to 255 ports it is actually the area
assigned to that port.
ATTENTION
Port area schema does not apply to the Brocade DCX-4S and DCX 8510-4 Backbones.
Fabric OS Administrator’s Guide
53-1002745-02
87
3
Ports
Configuring a device-switch connection
To configure an 8G (and 8G only) connection between a device and a switch, use the
portCfgFillWord command. This command provides the following configuration options:
•
•
•
•
•
Mode Link Init/Fill Word
Mode 0 IDLE/IDLE
Mode 1 ARBF/ARBF
Mode 2 IDLE/ARBF
Mode 3 If ARBF/ARBF fails use IDLE/ARBF
ATTENTION
Although this setting only affects devices logged in at 8G, changing the mode is disruptive regardless
of the speed at which the port is operating.
The setting is retained and applied any time an 8G device logs in. Upgrades from prior releases
which supported only modes 0 and 1 will not change the existing setting, but switches reset to
factory defaults with Fabric OS v6.3.1 or later will be configured to Mode 0 by default. The default
setting on new units may vary by vendor.
Modes 2 and 3 are compliant with FC-FS-3 specifications (standards specify the IDLE/ARBF
behavior of Mode 2, which is used by Mode 3 if ARBF/ARBF fails after 3 attempts). For most
environments, Brocade recommends using Mode 3, as it provides more flexibility and compatibility
with a wide range of devices. In the event that the default setting or Mode 3 does not work with a
particular device, contact your switch vendor for further assistance.
For more information on using this command, refer to the Fabric OS Command Reference.
Swapping port area IDs
If a device that uses port binding is connected to a port that fails, you can use port swapping to
make another physical port use the same PID as the failed port. The device can then be plugged
into the new port without the need to reboot the device.
If two ports are changed using the portSwap command, their respective areas and “P” values are
exchanged.
For ports that are numbered above 255, the “P” value is actually a logical index. The first 256 ports
continue to have an index value equal to the area ID assigned to the port. If a switch is using Core
PID format, and no port swapping has been done, the port index value for all ports is the same as
the physical port numbers. Using portSwap on a pair of ports will exchange those ports’ area ID
and index values.
NOTE
The portSwap command is not supported for ports above 256.
Use the following procedure to swap the port area IDs of two physical switch ports. In order to swap
port area IDs, the port swap feature must be enabled, and both switch ports must be disabled. The
swapped area IDs for the two ports remain persistent across reboots, power cycles, and failovers.
ATTENTION
Brocade DCX and DCX 8510 Backbone families only: You can swap only ports 0 through 15 on the
FC8-48 port blades. You cannot swap ports 16 through 47.
88
Fabric OS Administrator’s Guide
53-1002745-02
Ports
3
1. Connect to the switch and log in using an account with admin permissions.
2. Enable the portSwapEnable command to enable the feature.
3. Enter the portDisable command on each of the source and destination ports to be swapped.
switch:admin>portdisable 1
ecp:admin>portdisable 1/2
4. Enter the portSwap command.
switch:admin>portswap 1 2
ecp:admin>portswap 1/1 2/2
5. Enter the portSwapShow command to verify that the port area IDs have been swapped.
A table shows the physical port numbers and the logical area IDs for any swapped ports.
6. Enter the portSwapDisable command to disable the port swap feature.
Port activation and deactivation
By default, all licensed ports are enabled. You can disable and re-enable them as necessary. Ports
that you activate with the Ports on Demand license must be enabled explicitly, as described in
“Ports on Demand” on page 483.
If ports are persistently disabled and you use the portEnable command to enable a disabled port,
the port will revert to being disabled after a power cycle or a switch reboot. To ensure the port
remains enabled, use the portCfgPersistentEnable command as shown in the following
instructions.
CAUTION
The fabric will be reconfigured if the port you are enabling or disabling is connected to another
switch.
The switch with a port that has been disabled will be segmented from the fabric and all traffic
flowing between it and the fabric will be lost.
Enabling a port
Use the following procedure to enable a port:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the appropriate command based on the current state of the port and on whether it is
necessary to specify a slot number:
• To enable a port that is disabled, enter the command portEnable portnumber or
portEnable slotnumber/portnumber. You can also use the -x option to enter the value in
hexadecimal if you prefer. See the Fabric OS Command Reference for more details on this
command.
• To enable a port that is persistently disabled, enter the command portCfgPersistentEnable
portnumber or portCfgPersistentEnable slotnumber/portnumber.
If you change port configurations during a switch failover, the ports may become disabled. To
bring the ports online, re-issue the portEnable command after the failover is complete.
Fabric OS Administrator’s Guide
53-1002745-02
89
3
Ports
Disabling a port
Use the following procedure to disable a port:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the appropriate command based on the current state of the port and on whether it is
necessary to specify a slot number:
• To disable a port that is enabled, enter the command portDisable portnumber or
portDisable slotnumber/portnumber. You can also use the -x option to enter the value in
hexadecimal if you prefer. See the Fabric OS Command Reference for more details on this
command.
• To disable a port that is persistently enabled, enter the command
portCfgPersistentDisable portnumber or portCfgPersistentDisable
slotnumber/portnumber.
Port decommissioning
Fabric OS 7.0.0 and later provides an automated mechanism to remove an E_Port or E_Port trunk
port from use. This feature identifies the target port and communicates the intention to
decommission the port to those systems within the fabric affected by the action. Each affected
system can agree or disagree with the action, and these responses are automatically collected
before a port is decommissioned.
NOTE
All members of a trunk group must have an equal link cost value in order for any of the members to
be decommissioned. If any member of a trunk group does not have an equal cost, requests to
decommission a trunk member will fail and an error reminding the caller of this requirement is
produced.
The following restrictions apply to port decommissioning:
• The local switch and the remote switch on the other end of the E_Port must both be running
Fabric OS 7.0.0 or later.
• Port decommissioning is not supported on links configured for encryption or compression.
• Port decommissioning is not supported on ports with DWDM, CWDM, or TDM.
• Port decommissioning requires that the lossless feature is enabled on both the local switch
and the remote switch.
Use the portDecom [slot/]port command to begin the decommission process.
Setting port modes
Ports can be set to use one of three link operating modes: full duplex, half duplex, or autonegotiate,
subject to the following conditions and restrictions:
• Changing the link operating mode is not supported for all network interfaces or for all Ethernet
network interfaces. On the CP in a Brocade DCX, DCX-4S, DCX 8510-4, or DCX 8510-8, this
command supports eth0 and eth3 as interface parameters. On all other platforms, only eth0 is
supported.
90
Fabric OS Administrator’s Guide
53-1002745-02
Ports
3
• When selecting autonegotiation, you can choose the specific link operating modes that are
advertised to the link partner. At least one mode must be advertised in common by both sides
of the link.
• When forcing the link operating mode, both sides of the link must be forced to the same mode.
A link will not work reliably if one side is set to autonegotiate and the other side is set to a
forced mode.
• For dual-CP systems, the ifModeSet command affects only the CP you are currently logged in
to. Therefor, to set the link operating mode on the active CP, you must issue this command on
the active CP; and to set the mode on the standby CP, you must issue this command on the
standby CP. During failover, the mode is retained separately for each CP, because the physical
links might be set to operate in different modes.
• Active link operating mode values are confirmed by entering y or yes at the prompt. Entering n
or no deactivates that mode. If the mode selected is the same as the current mode, nothing is
changed and the command moves to the next option. If the mode selected differs from the
current mode, the change is saved and the command moves to the next option.
ATTENTION
Forcing the link to an operating mode not supported by the network equipment to which it is
attached might result in an inability to communicate with the system through its Ethernet interface.
It is recommended that this command be used only from the serial console port. When used through
an interface other than the serial console port, the command displays a warning message and
prompts for verification before continuing. This warning is not displayed and you are not prompted
when the command is used through the serial console port. See the examples below for illustrations.
NOTE
This command may be subject to Virtual Fabric or Admin Domain restrictions. Refer to the Fabric OS
Command Reference for details.
Use the following procedure to set the mode of a port:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the ifModeSet command.
Example of setting the port mode to full autonegotiate
The following example sets the mode for eth3 to autonegotiate, and permits both full and
half-duplex modes to be selected at both 10 and 100 Mbps:
switch:admin> ifmodeset eth3
Exercise care when using this command. Forcing the link to an operating mode
not supported by the network equipment to which it is attached may result in an
inability to communicate with the system through its ethernet interface.
It is recommended that you only use this command from the serial console port.
Are you sure you really want to do this? (yes, y, no, n): [no] y
Proceed with caution.
Auto-negotiate (yes, y, no, n): [no] y
Advertise 100 Mbps / Full Duplex (yes, y, no, n): [yes] y
Advertise 100 Mbps / Half Duplex (yes, y, no, n): [yes] y
Advertise 10 Mbps / Full Duplex (yes, y, no, n): [yes] y
Advertise 10 Mbps / Half Duplex (yes, y, no, n): [yes] y
Committing configuration...done.
switch:admin>
Fabric OS Administrator’s Guide
53-1002745-02
91
3
Ports
Example of setting the port mode to 10 Mbps half-duplex operation
To force the link for the eth0 interface from autonegotiation to 10 Mbps half-duplex operation,
when entering this command through the serial console port:
switch:admin> ifmodeset eth0
Auto-negotiate (yes, y, no, n): [yes] n
Force 100 Mbps / Full Duplex (yes, y, no, n): [no] n
Force 100 Mbps / Half Duplex (yes, y, no, n): [no] n
Force 10 Mbps / Full Duplex (yes, y, no, n): [no] n
Force 10 Mbps / Half Duplex (yes, y, no, n): [no] y
Committing configuration...done.
switch:admin>
NOTE
The caution shown in the first example is not displayed when the command is entered using the
serial console port
Setting port speeds
Use the following procedure to set port speeds:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the portCfgSpeed command.
Example of setting the port speed
The following example sets the speed for port 3 on slot 2 to 4 Gbps:
ecp:admin> portcfgspeed 2/3 4
done.
The following example sets the speed for port 3 on slot 2 to autonegotiate:
ecp:admin> portcfgspeed 2/3 0
done.
Setting all ports on a switch to the same speed
Use the following procedure to set all ports on a switch to the same speed:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the switchCfgSpeed command.
Example of setting the switch speed
The following example sets the speed for all ports on the switch to 8 Gbps:
switch:admin> switchcfgspeed 8
Committing configuration...done.
The following example sets the speed for all ports on the switch to autonegotiate:
switch:admin> switchcfgspeed 0
Committing configuration...done.
92
Fabric OS Administrator’s Guide
53-1002745-02
Blade terminology and compatibility
3
Setting port speed for a port octet
You can use the portCfgOctetSpeedCombo command to configure the speed for a port octet.
Be aware that in a Virtual Fabrics environment, this command applies chassis-wide and not just to
the logical switch.
Use the following procedure to set the port speed for a port octet:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the portCfgOctetSpeedCombo command.
Example
The following example configures the ports in the first octet for combination 3
(support autonegotiated or fixed port speeds of 16 Gbps and 10 Gbps):
switch:admin> portcfgoctetspeedcombo 1 3
NOTE
For information on how encryption and compression can affect port speed, see “Port speed and
encryption/compression enabled ports” on page 401.
Blade terminology and compatibility
Before configuring a chassis, familiarize yourself with the platform CP blade and port blade
nomenclature, as well as the port blade compatibilities. Table 5 includes core and CP blade
terminology and descriptions. Table 6 on page 94 includes port blade terminology and
descriptions.
TABLE 5
Core and CP blade terminology and platform support
Supported on:
Blade
Blade ID
DCX family
(slotshow)
DCX 8510 family
Definition
CP8
50
Yes
Yes
Brocade DCX and DCX 8510 Backbone family control
processor blade. This CP supports all blades used in the
DCX and DCX 8510 Backbone families.
CORE8
52
Yes
DCX only
No
A 16-port blade that provides 8 Gbps connectivity
between port blades in the Brocade DCX chassis.
CR4S-8
46
Yes
No
DCX-4S only
CR16-8
98
No
Yes
A core blade that has 16x4 QSFPs per blade. It can be
DCX 8510-8 only. connected to another CR16-8 or CR16-4 core blade.
CR16-4
99
No
Yes
DCX 8510-4 only
Fabric OS Administrator’s Guide
53-1002745-02
A 16-port blade that provides 8 Gbps connectivity
between port blades in the Brocade DCX-4S chassis.
A core blade that has 8x4 QSFPs per blade. It can be
connected to another CR16-4 or a CR16-8 core blade.
93
3
TABLE 6
Blade terminology and compatibility
Port blade terminology, numbering, and platform support
Supported on:
Blade
Blade ID
DCX family
(slotshow)
DCX 8510
family
Ports
Definition
FC8-161
21
Yes
No
16
8-Gbps port blade supporting 1, 2, 4, and 8 Gbps port speeds.
Ports are numbered from 0 through 15 from bottom to top.
FC8-321
55
Yes
No
32
8-Gbps port blade supporting 1, 2, 4, and 8 Gbps port speeds.
Ports are numbered from 0 through 15 from bottom to top on the left set of
ports and 16 through 31 from bottom to top on the right set of ports.
FC8-32E
125
No
Yes
32
8-Gbps port blade supporting 2, 4, and 8 Gbps port speeds.
Ports are numbered from 0 through 15 from bottom to top on the left set of
ports and 16 through 31 from bottom to top on the right set of ports.
FC8-481
51
Yes
No
48
8-Gbps port blade supporting 1, 2, 4, and 8 Gbps port speeds.
Ports are numbered from 0 through 23 from bottom to top on the left set of
ports and 24 through 47 from bottom to top on the right set of ports.
FC8-48E
126
No
Yes
48
8-Gbps port blade supporting 2, 4, and 8 Gbps port speeds.
Ports are numbered from 0 through 23 from bottom to top on the left set of
ports and 24 through 47 from bottom to top on the right set of ports.
FC8-64
77
Yes
Yes
64
8-Gbps port blade supporting 2, 4, and 8 Gbps port speeds. The Brocade
DCX and Brocade DCX 8510 Backbone families support loop devices on
64-port blades in a Virtual Fabric-enabled environment. The loop devices
can only be attached to ports on a 64-port blade that is not a part of the
default logical switch.
Ports are numbered from 0 through 31 from bottom to top on the left set of
ports and 32 through 63 from bottom to top on the right set of ports.
FC16-32
97
No
Yes
32
A 32-port, 16-Gbps port blade supporting 2, 4, 8, 10, and 16 Gbps port
speeds.
NOTE: 10 Gbps speed for FC16-xx blades requires the 10G license.
Ports are numbered from 0 through 15 from bottom to top on the left set of
ports and 16 through 31 from bottom to top on the right set of ports.
FC16-48
96
No
Yes
48
A 48-port, 16-Gbps port blade supporting 2, 4, 8, 10, and 16 Gbps port
speeds.
NOTE: 10 Gbps speed for FC16-xx blades requires the 10G license.
Ports are numbered from 0 through 23 from bottom to top on the left set of
ports and 24 through 47 from bottom to top on the right set of ports.
FS8-18
94
68
Yes
Yes
16 FC
2 GbE
Brocade Encryption blade that provides high performance 32-port
auto-sensing 8-Gbps Fibre Channel connectivity with data cryptographic
(encryption/decryption) and data compression capabilities.
Ports are numbered from 0 through 15 from bottom to top.
GbE ports are numbered ge0 through ge1 from top to bottom.
Going from top to bottom, the 2 GbE ports appear on the top of the blade
followed by the 16 FC ports.
Fabric OS Administrator’s Guide
53-1002745-02
Blade terminology and compatibility
TABLE 6
3
Port blade terminology, numbering, and platform support (Continued)
Supported on:
Blade
Blade ID
DCX family
(slotshow)
DCX 8510
family
Ports
Definition
FCOE10-24
74
Yes
‘No
24
10-GbE
DCB ports
An application blade that provides Converged Enhanced Ethernet to bridge
a Fibre Channel and Ethernet SAN.
Ports are numbered from 0 through 11 from bottom to top on the left set of
ports and 12 through 23 from bottom to top on the right set of ports.
FX8-24
75
Yes
Yes
12 FC
10 1-GbE
2 10-GbE
Extension blade with 8-Gbps Fibre Channel, FCIP, and 10-GbE technology.
Port numbering on this blade is as follows.
On the left side of the blade going from bottom to top:
• Six FC ports numbered from 0 through 5
• Two 10-GbE ports numbered xge0 and xge1
• Four 1-GbE ports numbered from ge0 through ge3
On the right side of the blade going from bottom to top:
• Six FC ports numbered from 6 through 11
• Six 1-GbE ports numbered from ge4 through ge9
1.
The Brocade DCX and DCX-4S support loop devices on this blade in a Virtual Fabrics-enabled environment.
CP blades
The control processor (CP) blade provides redundancy and acts as the main controller on the
Brocade Backbone. The Brocade DCX and DCX 8510 Backbone families support the CP8 blades.
The CP blades in the Brocade DCX and DCX 8510 Backbone families are hot-swappable. The CP8
blades are fully interchangeable among Brocade DCX, DCX-4S, DCX 8510-4, and DCX 8510-8
Backbones.
Brocade recommends that each CP (primary and secondary partition) should maintain the same
firmware version.
For more information on maintaining firmware in your Backbone, refer to Chapter 9, “Installing and
Maintaining Firmware”.
Core blades
Core blades provide intra-chassis switching and ICL connectivity, between DCX/DCX-4S platforms
and between DCX 8510 platforms.
•
•
•
•
Brocade DCX supports two CORE8 core blades.
Brocade DCX-4S supports two CR4S-8 core blades.
Brocade DCX 8510-8 supports two CR16-8 core blades.
Brocade DCX 8510-4 supports two CR16-4 core blades.
The core blades for each platform are not interchangeable or hot-swappable with the core blades
for any other platform. If you try to interchange the blades they become faulty.
Fabric OS Administrator’s Guide
53-1002745-02
95
3
Enabling and disabling blades
Port and application blade compatibility
Table 6 on page 94 identifies which port and application blades are supported for each Brocade
Backbone.
NOTE
During power up of a Brocade DCX or DCX-4S Backbone, if an FCOE10-24 is detected first before any
other AP blade, all other AP and FC8-64 blades are faulted. If a non-FCOE10-24 blade is detected
first, then any subsequently-detected FCOE10-24 blades are faulted. Blades are powered up
starting with slot 1.
The maximum number of intelligent blades supported on a Brocade DCX or DCX 8510-8 is eight.
The maximum number of intelligent blades supported on a Brocade DCX-4S or DCX 8510-4 is four.
Table 7 lists the maximum supported limits of each blade for a specific Fabric OS release. Software
functions are not supported across application blades.
TABLE 7
Blade compatibility within Brocade Backbone families
Intelligent blade
Fabric OS v6.3.0
Fabric OS v6.4.0
Fabric OS v7.0.0
DCX
DCX-4S
DCX
DCX-4S
DCX
DCX-4S
DCX 8510-8
DCX 8510-4
FS8-18
4
4
4
4
4
4
4
4
FCOE10-241
2
2
2
2
4
4
0
0
FX8-242
2
4
4
4
4
4
4
4
1.
Not compatible with other application blades or with the FC8-64 in the same chassis.
2.
The hardware limit is enforced by software.
FX8-24 compatibility notes
Follow these guidelines when using an FX8-24 in the Brocade DCX and DCX-4S Backbones:
• Brocade 7500 GbE ports cannot be connected to either the FX8-24 or Brocade 7800 GbE
ports. The ports may come online, but they will not communicate with each other.
• If an FX8-24 blade is replaced by another FX8-24 blade, the previous IP configuration data
would be applied to the new FX8-24.
• The FX8-24 and FS8-18 blades cannot co-exist with the FCOE10-24 blade.
Enabling and disabling blades
Port blades are enabled by default. In some cases, you will need to disable a port blade to perform
diagnostics. When diagnostics are executed manually (from the Fabric OS command line), many
commands require the port blade to be disabled. This ensures that diagnostic activity does not
interfere with normal fabric traffic.
If you need to replace an application blade with a different application blade, there may be extra
steps you need to take to ensure that the previous configuration is not interfering with your new
application blade.
96
Fabric OS Administrator’s Guide
53-1002745-02
Blade swapping
3
Enabling blades
Use the following procedure to enable a blade:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the bladeEnable command with the slot number of the port blade you want to enable.
ecp:admin> bladeenable 3
Slot 3 is being enabled
FC8-48, FC8-48E, FC8-64, and FC16-48 port blade enabling exceptions
Because the area IDs are shared with different port IDs, the FC8-48, FC8-48E, FC8-64, and
FC16-48 blades support only F_ and E_Ports. They do not support FL_Ports.
Port swapping on an FC8-48, FC8-48E, FC8-64, and FC16-48 is supported only on ports 0–15. For
the FC8-32, FC8-32E, and FC16-32 port blades, port swapping is supported on all 32 ports. This
means that if you replace a 32-port blade where a port has been swapped on ports 16–31 with a
48-port blade, the 48-port blade faults. To correct this, reinsert the 32-port blade and issue
portSwap to restore the original area IDs to ports 16–31.
Disabling blades
Use the following procedure to disable a blade:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the bladeDisable command with the slot number of the port blade you want to disable.
ecp:admin> bladedisable 3
Slot 3 is being disabled
Blade swapping
Blade swapping allows you to swap one blade with another of the same type; in this way, you can
replace a FRU with minimal traffic disruption. The entire operation is accomplished when the
bladeSwap command runs on the Fabric OS. The Fabric OS then validates each command before
actually implementing the command on the Backbone. If an error is encountered, the blade swap
quits without disrupting traffic flowing through the blades. If an unforeseen error does occur during
the bladeSwap command, an entry will be made into the RASlog and all ports that have been
swapped as part of the blade swap operation will be swapped back. On successful completion of
the command, the source and destination blades are left in a disabled state, allowing you to
complete the cable move.
Blade swapping is based on port swapping and has the same restrictions:
•
•
•
•
Shared area ports cannot be swapped.
Ports that are part of a trunk group cannot be swapped.
GbE ports cannot be swapped.
Swapping ports between different logical switches is not supported. The ports on the source
and destination blades must be in the same logical switch.
• Undetermined board types cannot be swapped. For example, a blade swap will fail if the blade
type cannot be identified.
Fabric OS Administrator’s Guide
53-1002745-02
97
3
Blade swapping
• Blade swapping is not supported when swapping to a different model of blade or a different
port count. For example, you cannot swap an FC8-32 blade with an FC8-48 port blade.
How blades are swapped
The bladeSwap command performs the following operations:
1. Blade selection
The selection process includes selecting the switch and the blades to be affected by the swap
operation. Figure 2 shows the source and destination blades identified to begin the process.
FIGURE 2
Identifying the blades
2. Blade validation
The validation process includes determining the compatibility between the blades selected for
the swap operation:
• Blade technology. Both blades must be of compatible technology types (for example, Fibre
Channel to Fibre Channel, Ethernet to Ethernet, application to application, and so on).
• Port count. Both blades must support the same number of front ports (for example, 16
ports to 16 ports, 32 ports to 32 ports, 48 ports to 48 ports, and so on).
• Availability. The ports on the destination blade must be available for the swap operation
and not attached to any other devices.
3. Port preparation
The process of preparing ports for a swap operation includes basic operations such as
ensuring the source and destination ports are offline, or verifying that none of the destination
ports have failed.
98
Fabric OS Administrator’s Guide
53-1002745-02
Blade swapping
3
The preparation process also includes any special handling of ports associated with logical
switches. For example Figure 3 shows the source blade has ports in a logical switch or logical
fabric, then the corresponding destination ports must be included in the associated logical
switch or logical fabric of the source ports.
FIGURE 3
Blade swap with Virtual Fabrics during the swap
4. Port swapping
The swap ports action is effectively an iteration of the portSwap command for each port on the
source blade to each corresponding port on the destination blade.
In Figure 4 shows Virtual Fabrics, where the blades can be carved up into different logical
switches as long as they are carved the same way. If slot 1 and slot 2 ports 0-7 are all in the
same logical switch, then blade swapping slot 1 to slot 2 will work. The entire blade does not
need to be in the same partition.
Fabric OS Administrator’s Guide
53-1002745-02
99
3
Enabling and disabling switches
FIGURE 4
Blade swap with Virtual Fabrics after the swap
Swapping blades
Use the following procedure to swap blades:
1. Connect to the Backbone and log in using an account with admin permissions.
2. Enter the bladeSwap command.
If no errors are encountered, the blade swap will complete successfully. If errors are
encountered, the command is interrupted and the ports are set back to their original
configurations.
3. Once the command completes successfully, move the cables from the source blade to the
destination blade.
4. Enter the bladeEnable command on the destination blade to enable all user ports.
Enabling and disabling switches
Switches are enabled by default. In some cases, you may need to disable a switch to perform
diagnostics. This ensures that diagnostic activity does not interfere with normal fabric traffic.
Use the following procedure to disable a switch:
1. Connect to the Backbone and log in using an account with admin permissions.
2. Enter the command switchCfgPersistentDisable --setdisablestate.
This sets the switch to the disabled state without actually disabling it. However, on reset, the switch
will be in a disabled state, and will need to be enabled.
100
Fabric OS Administrator’s Guide
53-1002745-02
Power management
3
Using switchCfgPersistentDisable
Entering switchCfgPersistentDisable with no arguments disables the switch immediately.
Example of using switchCfgPersistentDisable command output without arguments
switch:admin> switchCfgPersistentDisable
Switch's persistent state set to 'disabled'
Using switchCfgPersistentDisable - -disable
Using the - -disable argument disables the switch immediately. This is the same as entering
switchCfgPersistentDisable without any arguments.
Example of using switchCfgPersistentDisable command output from admin login
switch:admin> switchCfgPersistentDisable --disable
Switch's persistent state set to 'disabled'
Switch persistent disable set
Using switchCfgPersistentDisable - -setDisableState
Using the - -setDisableState argument sets the status of the switch to ‘disabled’.
Example of using switchCfgPersistentDisable command output from admin login
switch:admin> switchCfgPersistentDisable --setdisablestate
Switch's persistent state set to 'disabled'
Switch persistent disable set
Using switchCfgPersistentDisable --help
Using the - - help argument displays a list of the available command arguments.
Example of using switchCfgPersistentDisable command output from admin login
switch:admin> switchCfgPersistentDisable --help
switchCfgPersistentDisable usage:
switchCfgPersistentDisable:
Disables the switch immediately.
switchCfgPersistentDisable --disable:
Disables the switch immediately.
switchCfgPersistentDisable --setdisablestate:
sets the status of the switch to ’disabled’.
switchCfgPersistentDisable --help:
Displays the command usage.
Power management
All blades are powered on by default when the switch chassis is powered on. Blades cannot be
powered off when POST or AP initialization is in progress.
To manage power and ensure that more critical components are the least affected by power
changes, you can specify the order in which the components are powered off, using the
powerOffListSet command.
Fabric OS Administrator’s Guide
53-1002745-02
101
3
Equipment status
The power monitor compares the available power with the power required to determine if there will
be enough power to operate. If it is predicted to be less power available than required, the
power-off list is processed until there is enough power for operation. By default, the processing
begins with slot 1 and proceeds to the last slot in the chassis. As power becomes available, slots
are powered up in the reverse order. During the initial power up of a chassis, or using the
slotPowerOn command, or the insertion of a blade, the available power is compared to required
power before power is applied to the blade.
NOTE
Some FRUs in the chassis may use significant power, yet cannot be powered off through software.
The powerOffListShow command displays the power off order.
NOTE
In the Backbones, the core blades and CP blades cannot be powered off from the CLI. You must
manually power off the blades by lowering the slider or removing power from the chassis. If there is
no CP up and running, then physical removal or powering off the chassis is required.
Powering off a port blade
Use the following procedure to power off a port blade:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the slotPowerOff command with the slot number of the port blade you want to power off.
ecp:admin> slotpoweroff 3
Slot 3 is being powered off
Powering on a port blade
Use the following procedure to power on a port blade:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the slotPowerOn command with the slot number of the port blade you want to power on.
ecp:admin> slotpoweron 3
Powering on slot 3
Equipment status
You can check the status of switch operation, High Availability features, and fabric connectivity.
Checking switch operation
Use the following procedure to check switch operation:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the switchShow command. This command displays a switch summary and a port
summary.
3. Check that the switch and ports are online.
102
Fabric OS Administrator’s Guide
53-1002745-02
Equipment status
3
4. Use the switchStatusShow command to further check the status of the switch.
Verifying High Availability features (Backbones only)
High Availability (HA) features provide maximum reliability and nondisruptive management of key
hardware and software modules.
Use the following procedure to verify High Availability features for a Backbone:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the chassisShow command to verify the model of the DCX and obtain a listing of all
field-replaceable units (FRUs).
3. Enter the haShow command to verify HA is enabled, the heartbeat is up, and that the HA state
is synchronized between the active and standby CP blades.
4. Enter the fanShow command to display the current status and speed of each fan in the system.
Refer to the hardware reference manual of your system to determine the appropriate values.
5. Enter the psShow command to display the current status of the switch power supplies. Refer to
the hardware reference manual of your system to determine the appropriate values.
6. Enter the slotShow -m command to display the inventory and the current status of each slot in
the system.
Example of the slot information displayed for a DCX chassis
DCX:FID128:admin> slotshow -m
Slot
Blade Type
ID
Model Name
Status
-------------------------------------------------1
SW BLADE
55
FC8-32
ENABLED
2
SW BLADE
51
FC8-48
ENABLED
3
SW BLADE
39
FC8-16
ENABLED
4
SW BLADE
51
FC8-48
ENABLED
5
CORE BLADE
52
CORE8
ENABLED
6
CP BLADE
50
CP8
ENABLED
7
CP BLADE
50
CP8
ENABLED
8
CORE BLADE
52
CORE8
ENABLED
9
SW BLADE
37
FC8-16
ENABLED
10
AP BLADE
43
FS8-18
ENABLED
11
SW BLADE
55
FC8-32
ENABLED
12
AP BLADE
24
FS8-18
ENABLED
Verifying fabric connectivity
Use the following procedure to verify fabric connectivity:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the fabricShow command. This command displays a summary of all the switches in the
fabric.
The output of the fabricShow command is discussed in “Domain IDs” on page 72.
Fabric OS Administrator’s Guide
53-1002745-02
103
3
Track and control switch changes
Verifying device connectivity
Use the following procedure to verify device connectivity:
1. Connect to the switch and log in using an account with admin permissions.
2. Optional: Enter the switchShow command to verify devices, hosts, and storage are connected.
3. Optional: Enter the nsShow command to verify devices, hosts, and storage have successfully
registered with the name server.
4. Enter the nsAllShow command to display the 24-bit Fibre Channel addresses of all devices in
the fabric.
switch:admin> nsallshow
{
010e00 012fe8 012fef 030500
030b1e 030b1f 040000 050000
050def 051700 061c00 071a00
0a07cb 0a07cc 0a07cd 0a07ce
0a07d5 0a07d6 0a07d9 0a07da
0a0f02 0a0f0f 0a0f10 0a0f1b
0b2fef 0f0000 0f0226 0f0233
211700 211fe8 211fef 2c0000
611600 620800 621026 621036
621500 621700 621a00
75 Nx_Ports in the Fabric }
030b04
050200
073c00
0a07d1
0a07dc
0a0f1d
0f02e4
2c0300
6210e4
030b08
050700
090d00
0a07d2
0a07e0
0b2700
0f02e8
611000
6210e8
030b17
050800
0a0200
0a07d3
0a07e1
0b2e00
0f02ef
6114e8
6210ef
030b18
050de8
0a07ca
0a07d4
0a0f01
0b2fe8
210e00
6114ef
621400
The number of devices listed should reflect the number of devices that are connected.
Track and control switch changes
The track changes feature allows you to keep a record of specific changes that may not be
considered switch events, but may provide useful information. The output from the track changes
feature is dumped to the system messages log for the switch. Use the errDump or errShow
command to view the log.
Items in the log created from the track changes feature are labeled TRCK.
Trackable changes are:
•
•
•
•
•
Successful login
Unsuccessful login
Logout
Track changes on
Track changes off
Enabling the track changes feature
Use the following procedure to enable the track changes feature:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the trackChangesSet 1 command to enable the track changes feature.
A message displays, verifying that the track changes feature is on:
104
Fabric OS Administrator’s Guide
53-1002745-02
Track and control switch changes
3
switch:admin> trackchangesset 1
Committing configuration...done.
3. View the log using the commands errDump |more to display a page at a time or errShow to
view one line at a time.
2008/10/10-08:13:36, [TRCK-1001], 5, FID 128, INFO, ras007, Successful login
by user admin.
Displaying the status of the track changes feature
Use the following procedure to display the status of the track changes feature:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the trackChangesShow command.
The status of the track changes feature is displayed as either on or off. The display includes
whether or not the track changes feature is configured to send SNMP traps.
switch:admin> trackchangesshow
Track changes status: ON
Track changes generate SNMP-TRAP: NO
Viewing the switch status policy threshold values
The policy parameter determines the number of failed or inoperable units for each contributor that
triggers a status change in the switch.
Each parameter can be adjusted so that a specific threshold must be reached before that
parameter changes the overall status of a switch to MARGINAL or DOWN. For example, if the
FaultyPorts DOWN parameter is set to 3, the status of the switch will change if three ports fail. Only
one policy parameter needs to pass the MARGINAL or DOWN threshold to change the overall status
of the switch.
For more information about setting policy parameters, see the Fabric Watch Administrator’s Guide.
Use the following procedure to view the switch status policy threshold values:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the switchStatusPolicyShow command.
Whenever there is a switch change, an error message is logged and an SNMP
connUnitStatusChange trap is sent.
The output is similar to the following:
ecp:admin> switchstatuspolicyshow
switch:admin> switchstatuspolicyshow
The current overall switch status policy parameters:
Down
Marginal
---------------------------------PowerSupplies
0
0
Temperatures
0
0
Fans
1
0
WWN
0
0
CP
0
0
Blade
0
0
CoreBlade
0
0
Fabric OS Administrator’s Guide
53-1002745-02
105
3
Track and control switch changes
Flash
MarginalPorts
FaultyPorts
MissingSFPs
ErrorPorts
Number of ports: 4
0
0.00%[0]
0.00%[0]
0.00%[0]
0.00%[0]
0
0.00%[0]
0.00%[0]
0.00%[0]
0.00%[0]
Setting the switch status policy threshold values
Use the following procedure to set the switch status policy threshold values:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the switchStatusPolicySet command.
The current switch status policy parameter values are displayed. You are prompted to enter
values for each DOWN and MARGINAL threshold parameter.
NOTE
By setting the DOWN and MARGINAL values for a parameter to 0,0 that parameter is no longer
used in setting the overall status for the switch.
3. Verify the threshold settings you have configured for each parameter.
Enter the switchStatusPolicyShow command to view your current switch status policy
configuration.
Example output from a switch
The following example displays what is typically seen from a Brocade switch, but the quantity and
types vary by platform.
switch:admin> switchstatuspolicyshow
To change the overall switch status policy parameters
The current overall switch status policy parameters:
Down
Marginal
----------------------------------PowerSupplies
2
1
Temperatures
2
1
Fans
2
1
Flash
0
1
MarginalPorts
25.00%[12]
10.00%[5]
FaultyPorts
25.00%[12]
10.00%[5]
MissingSFPs
0.00%[0]
0.00%[0]
ErrorPorts
0.00%[0]
0.00%[0]
Number of ports: 48
Note that the value, 0, for a parameter, means that it is
NOT used in the calculation.
** In addition, if the range of settable values in the prompt is (0..0),
** the policy parameter is NOT applicable to the switch.
** Simply hit the Return key.
The minimum number of
Bad PowerSupplies contributing to DOWN status: (0..2) [2]
Bad PowerSupplies contributing to MARGINAL status: (0..2) [1]
Bad Temperatures contributing to DOWN status: (0..4) [2]1
Bad Temperatures contributing to MARGINAL status: (0..4) [1]2
106
Fabric OS Administrator’s Guide
53-1002745-02
Audit log configuration
3
Bad Fans contributing to DOWN status: (0..2) [2]
Bad Fans contributing to MARGINAL status: (0..2) [1]
(output truncated)
NOTE
On the Brocade Backbones, the command output includes parameters related to CP blades.
Audit log configuration
When managing SANs you may want to audit certain classes of events to ensure that you can view
and generate an audit log for what is happening on a switch, particularly for security-related event
changes. These events include login failures, zone configuration changes, firmware downloads,
and other configuration changes; in other words, critical changes that have a serious effect on the
operation and security of the switch.
Important information related to event classes is also tracked and made available. For example,
you can track changes from an external source by the user name, IP address, or type of
management interface used to access the switch.
Auditable events are generated by the switch and streamed to an external host through a
configured system message log daemon (syslog). You specify a filter on the output to select the
event classes that are sent through the system message log. The filtered events are streamed
chronologically and sent to the system message log on an external host in the specified audit
message format. This ensures that they can be easily distinguished from other system message log
events that occur in the network. Then, at some regular interval of your choosing, you can review
the audit events to look for unexpected changes.
Before you configure audit event logging, familiarize yourself with the following audit event log
behaviors and limitations:
• By default, all event classes are configured for audit; to create an audit event log for specific
events, you must explicitly set a filter with the class operand and then enable it.
• Audited events are generated specific to a switch and have no negative impact on
performance.
• The last 256 events are persistently stored on the switch and are streamed to a system
message log.
• The audit log depends on the system message log facility and IP network to send messages
from the switch to a remote host. Because the audit event log configuration has no control over
these facilities, audit events can be lost if the system message log and IP network facilities fail.
• If too many events are generated by the switch, the system message log becomes a bottleneck
and audit events are dropped by the Fabric OS.
• If the user name, IP address, or user interface is not transported, None is used instead for
each of the respective fields.
• For High Availability, the audit event logs exist independently on both active and standby CPs.
The configuration changes that occur on the active CP are propagated to the standby CP and
take effect.
• Audit log configuration is also updated through a configuration download.
Before configuring an audit log, you must select the event classes you want audited.
Fabric OS Administrator’s Guide
53-1002745-02
107
3
Audit log configuration
NOTE
Only the active CP can generate audit messages because event classes being audited occur only on
the active CP. Audit messages cannot originate from other blades in a Backbone.
Switch names are logged for switch components and Backbone names for Backbone components.
For example, a Backbone name may be FWDL or RAS and a switch component name may be zone,
name server, or SNMP.
Pushed messages contain the administrative domain of the entity that generated the event. Refer
to the Fabric OS Message Reference for details on event classes and message formats. For more
information on setting up the system error log daemon, refer to the Fabric OS Troubleshooting and
Diagnostics Guide.
NOTE
If an AUDIT message is logged from the CLI, any environment variables will be initialized with proper
values for login, interface, IP and other session information. Refer to the Fabric OS Message
Reference for more information.
Verifying host syslog prior to configuring the audit log
Audit logging assumes that your syslog is operational and running. Before configuring an audit log,
you must perform the following steps to ensure that the host syslog is operational.
1. Set up an external host machine with a system message log daemon running to receive the
audit events that will be generated.
2. On the switch where the audit configuration is enabled, enter the syslogdIpAdd command to
add the IP address of the host machine so that it can receive the audit events.
You can use IPv4, IPv6, or DNS names for the syslogdIpAdd command.
3. Ensure the network is configured with a network connection between the switch and the
remote host.
4. Check the host syslog configuration. If all error levels are not configured, you may not see some
of the audit messages.
Configuring an audit log for specific event classes
Use the following procedure to configure an audit log for specific event classes:
1. Connect to the switch from which you want to generate an audit log and log in using an account
with admin permissions.
2. Enter the auditCfg --class command, which defines the specific event classes to be filtered.
switch:admin> auditcfg --class 2,4
Audit filter is configured.
3. Enter the auditCfg --enable command, which enables audit event logging based on the classes
configured in step 2.
switch:admin> auditcfg --enable
Audit filter is enabled.
To disable an audit event configuration, enter the auditCfg --disable command.
108
Fabric OS Administrator’s Guide
53-1002745-02
Duplicate PWWN handling during device login
3
4. Enter the auditCfg --show command to view the filter configuration and confirm that the
correct event classes are being audited, and the correct filter state appears (enabled or
disabled).
switch:admin> auditcfg --show
Audit filter is enabled.
2-SECURITY
4-FIRMWARE
5. Issue the auditDump -s command to confirm that the audit messages are being generated.
Example of the syslog (system message log) output for audit logging
Oct 10 08:52:06 10.3.220.7 raslogd: AUDIT, 2008/10/10-08:20:19 (GMT),
[SEC-3020], INFO, SECURITY, admin/admin/10.3.220.13/telnet/CLI,
ad_0/ras007/FID 128, , Event: login, Status: success, Info: Successful login
attempt via REMOTE, IP Addr: 10.3.220.13.
Oct 10 08:52:23 10.3.220.7 raslogd: 2008/10/10-08:20:36, [CONF-1001], 13, WWN
10:00:00:05:1e:34:02:0c | FID 128, INFO, ras007, configUpload completed
successfully. All config parameters are uploaded.
Oct 10 09:00:04 10.3.220.7 raslogd: AUDIT, 2008/10/10-08:28:16 (GMT),
[SEC-3021], INFO, SECURITY, admin/NONE/10.3.220.13/None/CLI, None/ras007/FID
128, , Event: login, Status: failed, Info: Failed login attempt via REMOTE, IP
Addr: 10.3.220.13.
Duplicate PWWN handling during device login
If a device attempts to log in with the same PWWN as another device on the switch, you can
configure whether the new login or the existing login takes precedence.
You can configure how duplicate PWWNs are handled by selecting an option in the Enforce
FLOGI/FDISC login prompt of the configure command.
• Setting 0: First login takes precedence over second login (default behavior).
• Setting 1: Second login overrides first login.
• Setting 2: The port type determines whether the first or second login takes precedence.
Setting 0, First login precedence
When setting 0 is selected, the first login takes precedence over the second. This is the default
behavior. Table 8 describes the behavior when setting 0 is selected.
TABLE 8
Duplicate PWWN behavior: First login takes precedence over second login
Input port
First port login is NPIV port
First port login is F_Port
FLOGI received
The new login is rejected and the new port is
persistently disabled.
The new login is rejected and the new port is
persistently disabled.
FDISC received The new FDISC is rejected.
The new FDISC is rejected.
Setting 1, Second login precedence
When setting 1 is selected, the second login takes precedence over the first. Table 9 describes the
behavior when setting 1 is selected.
Fabric OS Administrator’s Guide
53-1002745-02
109
3
Duplicate PWWN handling during device login
TABLE 9
Duplicate PWWN behavior: Second login overrides first login
Input port
First port login is F_Port
First port login is NPIV port
FLOGI received
New login forces an explicit logout of original
login on the previous F_Port.
The previous F_Port is persistently disabled.
New login forces an explicit logout of original
FDISC on the previous NPIV port.
FDISC received New FDISC forces an explicit logout of original
login on the previous F_Port.
The previous F_Port is persistenly disabled.
New FDISC forces an explicit logout of original
FDISC on the previous NPIV port.
Setting 2, Mixed precedence
When setting 2 is selected, the precedence depends on the port type of the first login.
• If the previous port is an F_Port, the first login takes precedence.
• If the previous port is an NPIV port, the second login overrides the first login.
TABLE 10
Duplicate PWWN behavior: Port type determines which login takes precedence
Input port
First port login is NPIV port
First port login is F_Port
FLOGI received
New login forces an explicit logout of original
FDISC on the previous NPIV port.
New login is rejected and the new port is
persistently disabled.
FDISC received New FDISC forces an explicit logout of original
FDISC on the previous NPIV port.
New FDISC is rejected.
Setting the behavior for handling duplicate PWWNs
Use the following procedure to set the behavior for handling duplicate PWWNs:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the switchDisable command to disable the switch.
3. Enter the configure command.
4. Enter y after the F_Port login parameters prompt.
F-Port login parameters (yes, y, no, n): [no] y
5. Enter one of the following options at the Enforce FLOGI/FDISC login prompt to select the
behavior for handling duplicate PWWNs.
• Enter 0 to have the first login take precedence over the second login (default).
• Enter 1 to have the second login override the first login.
• Enter 2 to have the port type determine the behavior.
If a duplicate login is received on an F_Port, the duplicate login is rejected and the old
login is preserved; if a duplicate login is received on an NPIV port the newer login is
accepted.
Enforce FLOGI/FDISC login: (0..2) [0] 1
6. Respond to the remaining prompts, or press Ctrl-D to accept the other settings and exit.
7.
Enter the switchEnable command to re-enable the switch.
With any of these settings, detection of duplicate PWWNs results in a RASLog. Ports that are
restricted become persistently disabled, marked with the reason “Duplicate Port WWN detected”.
110
Fabric OS Administrator’s Guide
53-1002745-02
Chapter
4
Routing Traffic
In this chapter
• Routing overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Inter-switch links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Gateway links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Routing policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Route selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Frame order delivery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Lossless Dynamic Load Sharing on ports . . . . . . . . . . . . . . . . . . . . . . . . . .
• Enabling forward error correction (FEC). . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Frame Redirection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
111
114
117
118
122
123
125
128
130
Routing overview
Data moves through a fabric from switch to switch and from storage to server along one or more
paths that make up a route. Routing policies determine the path for each frame of data.
Before the fabric can begin routing traffic, it must discover the route a packet should take to reach
the intended destination. Route tables are lists that indicate the next hop to which packets are
directed to reach a destination. Route tables include network addresses, the next address in the
data path, and a cost to reach the destination network. There are two kinds of routing protocols on
intranet networks, distance vector and link state.
• Distance vector is based on hop count. This is the number of switches that a frame passes
through to get from the source switch to the destination switch.
• Link state is based on a metric value based on a cost. The cost could be based on bandwidth,
line speed, or round-trip time.
With the link-state protocol, switches that discover a route identify the networks to which they are
attached, receiving an initial route table from the principal switch. After an initial message is sent
out, the switch only notifies the others when changes occur.
It is recommended that no more than seven hops occur between any two switches. This limit is not
required or enforced by Fabric Shortest Path First (FSPF). Its purpose is to ensure that a frame is
not delivered to a destination after Resource Allocation TimeOut Value (R_A_TOV) has expired.
Fabric OS v7.1.0 supports unicast Class 2 and 3 traffic, multicast, and broadcast traffic. Broadcast
and multicast are supported in Class 3 only.
Fabric OS Administrator’s Guide
53-1002745-02
111
4
Routing overview
Paths and route selection
Paths are possible ways to get from one switch to another. Each inter-switch link (ISL) has a metric
cost based on bandwidth. The cumulative cost is based on the sum of all costs of all traversed ISLs.
Route selection is the path that is chosen. Paths that are selected from the routing database are
chosen based on the minimal cost.
FSPF
Fabric Shortest Path First (FSPF) is a link state path selection protocol that directs traffic along the
shortest path between the source and destination based upon the link cost. FSPF is also referred
to as Layer 2 routing. FSPF detects link failures, determines the shortest route for traffic, updates
the routing table, provides fixed routing paths within a fabric, and maintains correct ordering of
frames. FSPF also keeps track of the state of the links on all switches in the fabric and associates a
cost with each link. The protocol computes paths from a switch to all the other switches in the
fabric by adding the cost of all links traversed by the path, and chooses the path that minimizes the
costs. This collection of the link states, including costs, of all the switches in the fabric constitutes
the topology database or link state database.
Once established, FSPF programs the hardware routing tables for all active ports on the switch.
FSPF is not involved in frame switching. FSPF uses several frames to perform its functions.
Because it may run before fabric routing is set up, FSPF does not use the routing tables to
propagate the frames, but floods the frames throughout the fabric hop-by-hop. Frames are first
flooded on all the ISLs; as the protocol progresses, it builds a spanning tree rooted on the principal
switch. Frames are only sent on the principal ISLs that belong to the spanning tree. When there are
multiple ISLs between switches, the first ISL to respond to connection requests becomes the
principal ISL. Only one ISL from each switch is used as the principal ISL. Figure 5 shows the thick
red lines as principal ISLs, and thin green lines as regular ISLs.
FIGURE 5
Principal ISLs
NOTE
FSPF only supports 16 routes in a zone, including Traffic Isolation Zones.
112
Fabric OS Administrator’s Guide
53-1002745-02
Routing overview
4
FSPF makes minimal use of the ISL bandwidth, leaving virtually all of it available for traffic. In a
stable fabric, a switch transmits 64 bytes every 20 seconds in each direction. FSPF frames have
the highest priority in the fabric. This guarantees that a control frame is not delayed by user data
and that FSPF routing decisions occur very quickly during convergence.
FSPF guarantees a routing loop-free topology at all times. It is essential for a fabric to include many
physical loops because, without loops, there would not be multiple paths between switches, and
consequently no redundancy. Without redundancy, if a link goes down, part of the fabric is isolated.
FSPF ensures both that the topology is loop-free and that a frame is never forwarded over the same
ISL more than once.
FSPF calculates paths based on the destination domain ID. The fabric protocol must complete
domain ID assignments before routing can begin. ISLs provide the physical pathway when the
Source ID (SID) address has a frame destined to a port on a remote switch Destination ID (DID).
When an ISL is attached or removed from a switch, the FSPF updates the route tables to reflect the
addition or deletion of the new routes.
As each host transmits a frame to the switch, the switch reads the SID and DID in the frame
header. If the domain ID of the destination address is the same as the switch (intra-switch
communications), the frame buffer is copied to the destination port and a credit R_RDY message is
sent to the host. The switch only needs to read word zero and word one of the Fibre Channel frame
to perform what is known as cut-through routing. A frame may begin to emerge from the output
port before it has been entirely received by the input port. The entire frame does not need to be
buffered in the switch.
If the destination domain ID is different than the source domain ID, then the switch consults the
FSPF route table to identify which local E_Port provides the Fabric Shortest Path First (FSPF) to the
remote domain.
Fibre Channel NAT
Within an edge fabric or across a backbone fabric, the standard Fibre Channel FSPF protocol
determines how frames are routed from the source Fibre Channel (FC) device to the destination FC
device. The source or destination device can be a proxy device.
Fibre Channel fabrics require that all ports be identified by a unique port identifier (PID). In a single
fabric, FC protocol guarantees that domain IDs are unique, and so a PID formed by a domain ID and
area ID is unique within a fabric. However, the domain IDs and PIDs in one fabric may be duplicated
within another fabric, just as IP addresses that are unique to one private network are likely to be
duplicated within another private network.
In an IP network, a network router can maintain network address translation (NAT) tables to replace
private network addresses with public addresses when a packet is routed out of the private
network, and to replace public addresses with private addresses when a packet is routed from the
public network to the private network. The Fibre Channel routing equivalent to this IP-NAT is the
Fibre Channel network address translation (FC-NAT). Using FC-NAT, the proxy devices in a fabric can
have PIDs that are different from the real devices they represent, allowing the proxy devices to have
appropriate PIDs for the address space of their corresponding fabric.
Fabric OS Administrator’s Guide
53-1002745-02
113
4
Inter-switch links
Inter-switch links
An inter-switch link (ISL) is a link between two switches, E_Port-to-E_Port. The ports of the two
switches automatically come online as E_Ports once the login process finishes successfully. For
more information on the login process, refer to Chapter 1, “Understanding Fibre Channel Services”.
FIGURE 6
New switch added to existing fabric
You can expand your fabric by connecting new switches to existing switches. Figure 6 shows a new
switch being added into an existing fabric. The thick red line is the newly formed ISL.
When connecting two switches together, Brocade recommends the best practice that the following
parameters are differentiated:
• Domain ID
• Switch name
• Chassis name
You must also verify the following fabric parameters are identical on each switch for a fabric to
merge:
•
•
•
•
•
•
•
R_A_TOV (Resource Allocation TimeOut Value)
E_D_TOV (Error Detect TimeOut Value)
Data Field Size
Sequence Level Switching
Disable Device Probing
Suppress Class F Traffic
Per-frame Route Priority
There are non-fabric parameters that must match as well, such as zoning. Some fabric services,
such as management server, must match. If the fabric service is enabled in the fabric, then the
switch you are introducing into the fabric must also have it enabled. If you experience a segmented
fabric, refer to the Fabric OS Troubleshooting and Diagnostics Guide to fix the problem.
114
Fabric OS Administrator’s Guide
53-1002745-02
Inter-switch links
4
Buffer credits
In order to prevent the dropping of frames in the fabric, a device can never send frames without the
receiving device being able to receive them, so an end-to-end flow control is used on the switch.
Flow control in Fibre Channel uses buffer-to-buffer credits, which are distributed by the switch.
When all buffer-to-buffer credits are utilized, a device waits for a VC_RDY or an R_RDY primitive
from the destination switch before resuming I/O. The primitive is dependent on whether you have
R_RDYs enabled on your switch using the portCfgISLMode command. When a device logs in to a
fabric, it typically requests from two to sixteen buffer credits from the switch, depending on the
device type, driver version, and configuration. This determines the maximum number of frames the
port can transmit before receiving an acknowledgement from the receiving device.
For more information on how to set the buffer-to-buffer credits on an extended link, refer to Chapter
23, “Managing Long-Distance Fabrics”.
Congestions versus over-subscription
Congestions occurs when a channel is bottlenecked and fully utilized. This kind of bottleneck is a
congestion bottleneck. You should be aware that “over-subscription” does not have the same
meaning as “congestion”. Over-subscription refers only to the potential for congestion; an
over-subscribed link may go through a lifetime of normal operation and never be congested. The
term over-subscription is not to be used in place of congestion, which is the actual contention for
bandwidth by devices through an ISL.
Virtual channels
Virtual channels create multiple logical data paths across a single physical link or connection. They are
allocated their own network resources such as queues and buffer-to-buffer credits. Virtual channel
technology is the fundamental building block used to construct Adaptive Networking services. For
more information on Adaptive Networking services, refer to Chapter 21, “Optimizing Fabric Behavior”.
Virtual channels are divided into three priority groups. P1 is the highest priority, which is used for
Class F, F_RJT, and ACK traffic. P2 is the next highest priority, which is used for data frames. The data
virtual channels can be further prioritized to provide higher levels of Quality of Service. P3 is the
lowest priority and is used for broadcast and multicast traffic. This example is illustrated in Figure 7.
Quality of Service (QoS) is a licensed traffic shaping feature available in Fabric OS. QoS allows the
prioritization of data traffic based on the SID and DID of each frame. Through the use of QoS zones, traffic
can be divided into three priorities: high, medium, and low, as shown in Figure 7. The seven data virtual
channels (VC8 through VC14) are used to multiplex data frames based upon QoS zones when congestion
occurs. For more information on QoS zones, refer to Chapter 21, “Optimizing Fabric Behavior”.
Fabric OS Administrator’s Guide
53-1002745-02
115
4
Inter-switch links
FIGURE 7
116
Virtual channels on a QoS-enabled ISL
Fabric OS Administrator’s Guide
53-1002745-02
Gateway links
4
Gateway links
A gateway merges SANs into a single fabric by establishing point-to-point E_Port connectivity
between two Fibre Channel switches that are separated by a network with a protocol such as IP or
SONET.
Except for link initialization, gateways are transparent to switches; the gateway simply provides
E_Port connectivity from one switch to another. Figure 8 shows two separate SANs, A-1 and A-2,
merged together using a gateway.
FIGURE 8
Gateway link merging SANs
By default, switch ports initialize links using the Exchange Link Parameters (ELP) mode 1. However,
gateways expect initialization with ELP mode 2, also referred to as ISL R_RDY mode. Therefore, to
enable two switches to link through a gateway, the ports on both switches must be set for ELP mode 2.
Any number of E_Ports in a fabric can be configured for gateway links, provided the following
guidelines are followed:
• All switches in the fabric use the core PID format, as described in “Configuring a link through a
gateway” on page 118.
• The switches connected to both sides of the gateway are included when determining
switch-count maximums.
• Extended links (those created using the Extended Fabrics licensed feature) are not supported
through gateway links.
Fabric OS Administrator’s Guide
53-1002745-02
117
4
Routing policies
Configuring a link through a gateway
1. Connect to the switch at one end of the gateway and log in using an account assigned to the
admin role.
2. Enter the portCfgIISLMode command.
3. Repeat steps 1 and 2 for any additional ports that are connected to the gateway.
4. Repeat this procedure on the switch at the other end of the gateway.
Example of enabling a gateway link on slot 2, port 3
ecp:admin> portcfgislmode 2/3, 1
Committing configuration...done.
ISL R_RDY Mode is enabled for port 3. Please make sure the PID
formats are consistent across the entire fabric.
Routing policies
By default, all routing protocols place their routes into a routing table. You can control the routes
that a protocol places into each table and the routes from that table that the protocol advertises by
defining one or more routing policies and then applying them to the specific routing protocol.
The routing policy is responsible for selecting a route based on one of two user-selected routing
policies:
• Port-based routing
• Exchange-based routing
Notes
• On the Brocade 300, 5100, 5300, 5410, 5430, 5450, 5460, 5470, 5480, 6505, 6510, 6520,
7800, 8000, and VA-40FC switches, and also the Brocade DCX and DCX 8510 Backbone
families, routing is handled by the FSPF protocol and either the port-based or exchange-based
routing policy.
• Each switch can have its own routing policy and different policies can exist in the same fabric.
ATTENTION
For most configurations, the default routing policy is optimal and provides the best performance. You
should change the routing policy only if there is a significant performance issue, or a particular fabric
configuration or application requires it.
118
Fabric OS Administrator’s Guide
53-1002745-02
Routing policies
4
Displaying the current routing policy
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the aptPolicy command with no parameters.
The current policy is displayed, followed by the supported policies for the switch.
Example of the output from the aptPolicy command
In the following example, the current policy is exchange-based routing (3) with the additional AP
dedicated link policy.
switch:admin> aptpolicy
Current Policy: 3
3 : Default Policy
1: Port Based Routing Policy
2: Device Based Routing Policy (FICON support only)
3: Exchange Based Routing Policy
0: AP Shared Link Policy
1: AP Dedicated Link Policy
Port-based routing
The choice of routing path is based only on the incoming port and the destination domain. To
optimize port-based routing, DLS can be enabled to balance the load across the available output
ports within a domain.
NOTE
For FC routers only: When an FC router is in port-based routing mode, the backbone traffic is
load-balanced based on SID and DID. When an FC router is in exchange-based routing mode, the
backbone traffic is load-balanced based on SID, DID, and OXID.
Whatever routing policy a switch is using applies to the VE_Ports as well. For more information on
VE_Ports, refer to the Fibre Channel over IP Administrator’s Guide.
Exchange-based routing
The choice of routing path is based on the Source ID (SID), Destination ID (DID), and Fibre Channel
originator exchange ID (OXID) optimizing path utilization for the best performance. Thus, every
exchange can take a different path through the fabric. Exchange-based routing requires the use of
the Dynamic Load Sharing (DLS) feature; when this policy is in effect, you cannot disable the DLS
feature.
Exchange-based routing is also known as Dynamic Path Selection (DPS). DPS is where exchanges
or communication between end devices in a fabric are assigned to egress ports in ratios
proportional to the potential bandwidth of the ISL or trunk group. When there are multiple paths to
a destination, the input traffic is distributed across the different paths in proportion to the
bandwidth available on each of the paths. This improves utilization of the available paths, thus
reducing possible congestion on the paths. Every time there is a change in the network (which
changes the available paths), the input traffic can be redistributed across the available paths.
This is a very easy and non-disruptive process when the exchange-based routing policy is engaged.
Fabric OS Administrator’s Guide
53-1002745-02
119
4
Routing policies
Device-based routing
Device-based routing optimizes routing path selection and utilization based on the Source ID (SID)
and Destination ID (DID) of the path source and destination ports. As a result, every distinct flow in
the fabric can take a different path through the fabric. Effectively, device based routing works the
same as exchange-based routing but does not use the OXID field. This helps to ensure that the
exchanges between a pair of devices stay in order.
NOTE
Device-based routing requires the use of the Dynamic Load Sharing (DLS) feature; when this policy
is in effect, you cannot disable the DLS feature.
Device-based routing is also a form of Dynamic Path Selection (DPS). DPS assigns communication
paths between end devices in a fabric to egress ports in ratios proportional to the potential
bandwidth of the ISL, ICL, or trunk group. When there are multiple paths to a destination, the input
traffic is distributed across the different paths in proportion to the bandwidth available on each of
the paths. This improves utilization of the available paths and reduces possible path congestion.
NOTE
Device-based routing is supported in FICON environments only.
AP route policies
Two additional AP policies are supported under exchange-based routing:
• AP Shared Link policy (default)
• AP Dedicated Link policy
NOTE
AP policies are independent of routing policies. Every routing policy supports both AP policies.
The AP Dedicated Link policy relieves internal congestion in an environment where:
• There is a large amount of traffic going through both directions at the same time.
• There is a reduction of the effect of slow devices on the overall switch performance.
It is recommended that the default AP Shared Link policy be used for most environments. Also, it is
recommended that you design a SAN that localizes host-to-target traffic by reducing the amount of
traffic through the router.
ATTENTION
Setting either AP route policy is a disruptive process.
Routing in Virtual Fabrics
Virtual Fabrics support DPS on all partitions. DPS is limited where multiple paths are available for a
logical fabric frame entering a Virtual Fabrics chassis from a base fabric that is sent out using one
of the dedicated ISLs in a logical switch.
The AP policy affecting the DPS behavior, whether it is exchange-based, device-based, or
port-based, is configured on a per-logical switch basis. In-order delivery (IOD) and DLS settings are
set per logical switch as well. IOD and DLS settings for the base switch affect all traffic going over
the base fabric including any logical fabric traffic that uses the base fabric.
120
Fabric OS Administrator’s Guide
53-1002745-02
Routing policies
4
CAUTION
Setting the routing policy is disruptive to the fabric because it requires that you disable the switch
where the routing policy is being changed.
Setting the routing policy
Use the following procedure to set the routing policy:
1. Connect to the VF switch and log in as admin.
2. Enter the setcontext command for the correct Fabric ID or switch name.
- The fabricID parameter is the FID of the logical switch you just created.
- The switchname parameter is the name assigned to the logical switch.
- You can only use one parameter at a time.
switch:admin> setcontext 20
3. Enter the switchDisable command to disable the switch.
4. Take the appropriate following action based on the AP route policy you choose to implement:
• If the exchange-based policy is required, enter the aptPolicy 3 command.
• If the port-based policy is required, enter the aptPolicy 1 command.
Setting up the AP route policy
The AP route policy can only be set in the base switches that are using Virtual Fabrics.
Use the following procedure to set the AP route policy:
1. Connect to the base switch and log in as admin.
2. Enter the switchDisable command to disable the switch.
3. Take the appropriate following action based on the AP route policy you choose to implement:
• If the AP Shared Link policy (default) is required, enter the aptPolicy -ap 0 command.
• If the AP Dedicated Link policy is required, enter the aptPolicy -ap 1 command.
Fabric OS Administrator’s Guide
53-1002745-02
121
4
Route selection
Route selection
Selection of specific routes can be dynamic, so that the router can constantly adjust to changing
network conditions; or it may be static, so that data packets always follow a predetermined path.
Dynamic Load Sharing
The exchange-based routing policy depends on the Fabric OS Dynamic Load Sharing (DLS) feature
for dynamic routing path selection. When using the exchange-based routing policy, DLS is enabled
by default and cannot be disabled. In other words, you cannot enable or disable DLS when the
exchange-based routing policy is in effect.
When the port-based policy is in force, you can enable DLS to optimize routing. When DLS is
enabled, it shares traffic among multiple equivalent paths between switches. DLS recomputes load
sharing when any of the following occurs:
•
•
•
•
A switch boots up
An E_Port goes offline and online
An EX_Port goes offline
A device goes offline
Setting DLS
Use the following procedure to set up DLS:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the dlsShow command to view the current DLS setting.
One of the following messages appears:
• “DLS is set” indicates that DLS is turned on.
• “DLS is not set” indicates that DLS is turned off.
• ”DLS is set with Lossless enabled.” DLS is enabled with the Lossless feature. Load sharing
is recomputed with every change in the fabric, and existing routes can be moved to
maintain optimal balance. In Lossless mode, no frames are lost during this operation.
• “DLS is set by default with current routing policy. DLS is set with Lossless enabled.” The
current routing policy (exchange-based) requires DLS to be enabled by default. In addition,
the Lossless option is enabled. Frame loss is prevented during a load sharing
recomputation. If you get this message, you cannot perform step 3, so you are done with
this procedure.
3. Enter the dlsSet command to enable DLS or enter the dlsReset command to disable it.
Example of setting and resetting DLS
switch:admin> dlsshow
DLS is not set
switch:admin> dlsset
switch:admin> dlsshow
DLS is set
switch:admin> dlsreset
switch:admin> dlsshow
DLS is not set
122
Fabric OS Administrator’s Guide
53-1002745-02
Frame order delivery
4
Frame order delivery
The order in which frames are delivered is maintained within a switch and determined by the
routing policy in effect. The frame delivery behaviors for each routing policy are:
• Port-based routing
All frames received on an incoming port destined for a destination domain are guaranteed to
exit the switch in the same order in which they were received.
• Exchange-based routing
All frames received on an incoming port for a given exchange are guaranteed to exit the switch
in the same order in which they were received. Because different paths are chosen for
different exchanges, this policy does not maintain the order of frames across exchanges.
If even one switch in the fabric delivers out-of-order exchanges, then exchanges are delivered to the
target out of order, regardless of the policy configured on other switches in the fabric.
NOTE
Some devices do not tolerate out-of-order exchanges; in such cases, use the port-based routing
policy.
In a stable fabric, frames are always delivered in order, even when the traffic between switches is
shared among multiple paths. However, when topology changes occur in the fabric (for example, if
a link goes down), traffic is rerouted around the failure, and some frames could be delivered out of
order. Most destination devices tolerate out-of-order delivery, but some do not.
By default, out-of-order frame-based delivery is allowed to minimize the number of frames dropped.
Enabling in-order delivery (IOD) guarantees that frames are either delivered in order or dropped.
You should only force in-order frame delivery across topology changes if the fabric contains
destination devices that cannot tolerate occasional out-of-order frame delivery.
Forcing in-order frame delivery across topology changes
Use the following procedure to force in-order frame delivery across topology changes:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the iodSet command.
NOTE
The iodSet command can cause a delay in the establishment of a new path when a topology
change occurs; use it with care.
3. Confirm the in-order delivery has been set by entering the iodShow command.
Restoring out-of-order frame delivery across topology changes
Use the following procedure to restore out-of-order frame delivery across topology changes:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the iodReset command.
Fabric OS Administrator’s Guide
53-1002745-02
123
4
Frame order delivery
Using Frame Viewer to understand why frames are dropped
When a frame is unable to reach its destination due to timeout, it is discarded. You can use
Frame Viewer to find out which flows contained the dropped frames, which in turn can help you
determine which applications might be impacted. Frame Viewer allows you to see the exact time
(within one second) that the frames were dropped.
You can view and filter up to 20 discarded frames per chip per second for 1200 seconds using a
number of fields with the frameLog command.
Use the following procedure to view frames.
1. Connect to the switch and log in using an account with admin permissions.
2. Type frameLog --show.
Example output of framelog --show
EDCX16_114064:root> framelog --show
==================================================================================================
Fri Jul 13 23:47:08 UTC 2012
==================================================================================================
Log
TX
RX
timestamp
port
port
SID
DID
SFID
DFID
Type
Count
===============================================================================================
Jul 13 23:47:07
11/45 11/45
0xfffffd
0x40e580
0
0
timeout
2
Jul 13 23:47:07
11/45 11/45
0xfffffc
0x40e580
0
0
timeout
5
Jul 13 23:47:07
11/45 11/45
0xfffffc
0x40e580
0
0
timeout
3
Jul 13 23:47:07
11/45 11/45
0xfffc40
0x40e580
0
0
timeout
2
Jul 13 23:47:07
11/45 11/45
0xfffc40
0x40e580
0
0
timeout
1
Notes
The output of --show displays the type of each discard.
Syntax
framelog --show [-type <discard_type>] [-txport <[slot/]port>] [-rxport
<[slot/]port>] [-sid <source_PID>] [-did <destination_PID>] [-sfid <source_FID>]
[-dfid <destination_FID>] [-mode summary | dump] [-n <num_items>]
Constraints
The following constraint applies to the frameLog --show command:
• The -type option requires an argument; currently only timeout is supported, this specifies that
only timeout discards be shown
Filtering Results by Back-End Port in Frame Viewer
The Frame Viewer --show command supports specifying that the TX port or RX port of displayed
frames should be a back-end port. To filter by TX port or RX port, you issue a command like:
framelog --show -txport [<slot>/]<port>
or
framelog --show -rxport [<slot>/]<port>
or
framelog --show -txport [<slot>/]<port> -rxport [<slot>/]<port>
124
Fabric OS Administrator’s Guide
53-1002745-02
Lossless Dynamic Load Sharing on ports
4
The -txport and -rxport options accept the arguments “-1” (for fixed-port switches) or “-1/-1”
(for modular switches). These stand for “any back-end port.”. Using this notation you can select
specifically those discarded frames that have a back-end port in the TX port or RX port field.
NOTE
Individual back-end ports cannot be specified, only the quality of being a back-end port can be
specified.
Lossless Dynamic Load Sharing on ports
Lossless Dynamic Load Sharing (DLS) allows you to rebalance port paths without causing
input/output (I/O) failures. For devices where in-order delivery (IOD) of frames is required, you can
set IOD separately. You can use this feature with the following hardware:
•
•
•
•
•
•
•
•
•
•
•
•
Brocade 300
Brocade 5100
Brocade 5300
Brocade 6505
Brocade 6510
Brocade 6520
Brocade VA-40FC
Brocade FC8-16, FC8-32, FC8-48, and FC8-64 port blades
Brocade DCX 8510 Backbone family and supported blades
Brocade FC16-32 and FC16-48 port blades
Brocade FC8-32E and FC8-48E port blades
Brocade FX8-24 application blades in the Brocade DCX and DCX-4S Backbones
On the Brocade 7800 switch and the FX8-24 application blade, Lossless DLS is supported only on
FC-to-FC port flows.
ATTENTION
When you implement Lossless DLS, the switches in the fabric must have either Fabric OS v6.3.0 or
Fabric OS v6.4.0 or later installed to guarantee no frame loss.
Lossless DLS must be implemented along the path between the target and initiator. You can use
Lossless DLS on ports connecting switches to perform the following functions:
• Eliminate dropped frames and I/O failures by rebalancing the paths going over the ISLs
whenever there is a fabric event that might result in suboptimal utilization of the ISLs.
• Eliminate the frame delay caused by establishing a new path when a topology change occurs.
Lossless mode means no frame loss during a rebalance and only takes effect if DLS is enabled.
Lossless DLS can be enabled on a fabric topology in order to have zero frame drops during
rebalance operations. If the end device also requires the order of frames to be maintained during
the rebalance operation, then IOD must be enabled. However this combination of Lossless DLS and
IOD is supported only in specific topologies, such as in a FICON environment.
Fabric OS Administrator’s Guide
53-1002745-02
125
4
Lossless Dynamic Load Sharing on ports
You can disable or enable IOD when Lossless DLS is enabled. You can also choose between
exchange- or port-based policies with Lossless DLS. Events that cause a rebalance include the
following:
•
•
•
•
Adding an E_Port
Adding a slave E_Port
Removing an E_Port (However, frame loss occurs on traffic flows to this port.)
Removing an F_Port (However, frame loss occurs on traffic flows to this port.)
Lossless DLS does the following whenever paths need to be rebalanced:
1. Pauses ingress traffic by not returning credits. Frames that are already in transit are not
dropped.
2. Changes the existing path to a more optimal path.
3. If IOD is enabled, waits for sufficient time for frames already received to be transmitted. This is
needed to maintain IOD.
4. Resumes traffic.
Table 11 shows the effect of frames when you have a specific routing policy turned on with IOD.
TABLE 11
Combinations of routing policy and IOD with Lossless DLS enabled
Policy
IOD
Rebalance result with Lossless DLS enabled
Port-based
Disabled
No frame loss, but out-of-order frames may occur.
Port-based
Enabled
No frame loss and no out-of-order frames. Topology restrictions apply. Intended
for FICON environment.
Exchange-based
Disabled
No frame loss, but out-of-order frames may occur.
Exchange-based
Enabled
No frame loss and no out-of-order frames. Topology restrictions apply. Intended
for FICON environment.
Device-based
Disabled
No frame loss, but out-of-order frames may occur.
Device-based
Enabled
No frame loss and no out-of-order frames. Topology restrictions apply. Intended
for FICON environment.
Lossless core
Lossless core works with the default configuration of the Brocade DCX 8510-8 and DCX 8510-4
hardware to prevent frame loss during a core blade removal and insertion. This feature is on by
default and cannot be disabled. Lossless core has the following limitations:
• Only supported with IOD disabled, which means Lossless core cannot guarantee in-order
delivery of exchanges
• ICL limitations
• Traffic flow limitations
126
Fabric OS Administrator’s Guide
53-1002745-02
Lossless Dynamic Load Sharing on ports
4
ICL limitations
If ICL ports are connected during a core blade removal, it is equivalent to removing external E_Ports
which may cause I/O disruption on the ICL ports that have been removed.
If ICL ports are connected during a core blade insertion, it is equivalent to adding external E_Ports
which may cause I/O disruption due to reroutes. Lossless DLS, if enabled, takes effect to prevent
I/O disruption.
Traffic flow limitations
FA4-18 AP blades, which are supported on the Brocade DCX and DCX-4S devices, may continue to
experience frame drops after core blade removal or insertion. The path between an FA4-18 blade
and an FX8-24 blade, or vice versa, experiences I/O disruption because the FA4-18 blades do not
support this feature.
Configuring Lossless Dynamic Load Sharing
You configure Lossless DLS switch- or chassis-wide by using the dlsSet command to specify that no
frames are dropped while rebalancing or rerouting traffic.
Use the following procedure to configure Lossless Dynamic Load Sharing:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the appropriate dlsSet command to enable or disable Lossless Dynamic Load Sharing.
switch:admin> dlsset --enable -lossLess
switch:admin> dlsset --disable -lossLess
Lossless Dynamic Load Sharing in Virtual Fabrics
Enabling Lossless Dynamic Load Sharing is optional on logical switches in Virtual Fabrics. If you
enable this feature, it must be on a per-logical switch basis and can affect other logical switches in
the fabric. XISL use must be disabled for Lossless DLS to be enabled.
How DLS affects other logical switches in the fabric
On a Brocade DCX platform, logical switch 1 consists of ports 0 through 5 in slot 1. Logical switch 2
consists of ports 6 through 10 in slot 1. The Lossless DLS feature is enabled on logical switch 1.
Because ports 0 through 10 in slot 1 belong to a logical switch where Lossless DLS is enabled, the
traffic in logical switch 2 is affected whenever traffic for logical switch 1 is rebalanced.
ATTENTION
Although Lossless DSL is enabled for a specific logical switch, you must have chassis-level
permissions to use this feature.
This effect on logical switch 2 is based on the configuration on logical switch 2:
• If logical switch 2 has IOD enabled (iodSet only), IOD is enforced.
• If logical switch 2 has Lossless DLS enabled, traffic is paused and resumed.
• If logical switch 2 has no IOD (iodReset), traffic is paused and resumed.
Fabric OS Administrator’s Guide
53-1002745-02
127
4
Enabling forward error correction (FEC)
To avoid this behavior, it is recommended to define your logical switches as follows:
• Define logical switches that require Lossless DLS at the blade boundary.
• Define logical switches that require Lossless DLS only using supported blades. For example,
do not use blades that support IOD, but do not support Lossless DLS.
For more information on Virtual Fabrics and chassis-level permissions, refer to Chapter 10,
“Managing Virtual Fabrics”.
Enabling forward error correction (FEC)
Forward error correction provides a data transmission error control method by including redundant
data (error-correcting code) to ensure error-free transmission on a specified port or port range.
When FEC is enabled, it can correct one burst of up to 11-bit errors in every 2112-bit transmission,
whether the error is in a frame or a primitive. FEC is enabled by default, and is supported on
E_Ports on 16 Gbps-capable switches and on the N_Ports and F_Ports of an access gateway using
RDY, Normal (R_RDY), or Virtual Channel (VC_RDY) flow control modes. It enables automatically
when negotiation with a switch detects FEC capability. This feature is enabled by default and
persists after driver reloads and system reboots. It functions with features such as QoS, trunking,
and BB_Credit recovery.
Limitations
The following are limitations of this feature:
• FEC is configurable only on 16 Gbps-capable switches (Brocade 6505, 6510, 6520, and the
Brocade DCX 8510 Backbone family).
• FEC is supported only on 1860 and 1867 Fabric Adapter ports operating in HBA mode
connected to 16 Gbps Brocade switches running Fabric OS 7.1 and later
• FEC is not supported
- when the HBA port is running on a 16 Gbps link. When HBA port speed changes to less
than this, this feature is disabled.
-
for HBA ports operating in loop mode or in direct-attach configurations.
on ports with DWDM.
Use the portCfgFec command to enable, disable and view FEC on a port.
Syntax:
portCfgFec --disable (this disables the PortFecCap feature)
portCfgFec --enable (this enables the PortFecCap feature)
portCfgFec --help (this displays the command usage)
portCfgFec --show (this displays the PortFecCap feature for the port)
Usage: portCfgFec mode [slot/]port
128
Fabric OS Administrator’s Guide
53-1002745-02
Enabling forward error correction (FEC)
4
Use the following procedure to enable and disable FEC:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the portCfgFec command, specifying the port or range of ports on which FEC is to be
enabled.
portcfgfec --enable slot/port
To enable the FEC feature on a single port and display the configuration, enter the following
commands.
switch:admin> portcfgfec --enable 1
switch:admin> portcfgfec --show 1
Port: 1
FEC Capable: YES
FEC Configured: ON
Enabling forward error correction
To enable the FEC feature on a port range, enter the portCfgFec --enable command. In this
example, port 1 already has FEC enabled, and so it remains enabled.
switch:admin> portcfgfec --enable 0-8
Same configuration for port 1
Disabling forward error correction
To disable the FEC feature on a port range, enter the portCfgFec --disable command.
switch:admin> portcfgfec --disable 0-8
Enabling and Disabling FEC for long distance ports
To enable or disable FEC for long distance ports, use portCfgLongDistance with the -fecEnable or
-fecDisable parameter as required.
switch:admin> portcfglongdistance [slot/]port,[other parameters]
<-fecenable/-fecdisable>
See Chapter 23, “Managing Long-Distance Fabrics” for more details on working with long distance
ports.
Viewing current FEC settings
Use portCfgFec --show to display the current FEC configuration.
Fabric OS Administrator’s Guide
53-1002745-02
129
4
Frame Redirection
Frame Redirection
Frame Redirection provides a means to redirect traffic flow between a host and a target that use
virtualization and encryption applications, such as the Brocade SAS blade and Brocade Data
Migration Manager (DMM), so that those applications can perform without having to reconfigure
the host and target. You can use this feature if the hosts and targets are not directly attached.
Frame Redirection depends on the wide distribution of the Defined Zone Database. The Defined
Zone Database on Fabric OS switches is pushed out to all other Fabric OS switches in the fabric
that support Frame Redirection. Redirection zones exist only in the defined configuration and
cannot be added to the effective configuration.
NOTE
Fabric OS v7.1.0 is not supported on the Brocade 7600 or Brocade SAS blade. However, this
hardware can run in a pre-Fabric OS v7.1.0 system and attach to a Fabric OS v7.1.0 fabric.
Frame Redirection uses a combination of special frame redirection zones and name server
changes to spoof the mapping of real device WWNs to virtual PIDs.
FIGURE 9
Single host and target
Figure 9 demonstrates the flow of Frame Redirection traffic. A frame starts at the host with a
destination to the target. The port where the appliance is attached to the host switch acts as the
virtual initiator and the port where the appliance is attached to the target switch is the virtual target.
Creating a frame redirect zone
The first time the zone –-rdcreate command is run, the following zone objects are created by default:
• The base zone object, “red_______base”.
• The redirect (RD) zone configuration, “r_e_d_i_r_c__fg”.
NOTE
Frame redirect zones are not supported with D or I initiator target zones.
Use the following procedure to create a frame redirect zone:
1. Connect to the switch and log in using an account with admin permissions.
2. Prior to creating the frame redirect zone, the user has to create a Layer 2 zone for the Initiator
(host) and Target (storage). This zone must be part of the effective configuration and must be
defined using port worldwide name. Please see “Creating a zone” on page 316, and “Enabling
a zone configuration” on page 330.
3. Enter the zone –-rdcreate command.
4. Enter the cfgSave command to save the frame redirect zones to the defined configuration.
130
Fabric OS Administrator’s Guide
53-1002745-02
Frame Redirection
4
Example of creating a frame redirect zone
The following example creates a redirect zone, given a host (10:10:10:10:10:10:10:10), target
(20:20:20:20:20:20:20:20), virtual initiator (30:30:30:30:30:30:30:30), and virtual target
(40:40:40:40:40:40:40:40):
switch:admin>zone --rdcreate 10:10:10:10:10:10:10:10 20:20:20:20:20:20:20:20 \
30:30:30:30:30:30:30:30 40:40:40:40:40:40:40:40 restartable noFCR
Deleting a frame redirect zone
Use the following procedure to delete a frame redirect zone:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the zone --rdDelete command to remove the base redirect zone object,
“red_______base”.
NOTE
When the base zone is removed, the redirect zone configuration “r_e_d_i_r_c__fg” is removed
as well.
3. Enter the cfgSave command to save changes to the defined configuration.
Example of deleting a frame redirect zone
switch:admin> zone --rddelete \
red_0917_10_10_10_10_10_10_10_10_20_20_20_20_20_20_20_20
Viewing frame redirect zones
Use the following procedure to view frame redirect zones:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the cfgShow command.
Fabric OS Administrator’s Guide
53-1002745-02
131
4
132
Frame Redirection
Fabric OS Administrator’s Guide
53-1002745-02
Chapter
5
Managing User Accounts
In this chapter
• User accounts overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Local database user accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Local user account database distribution . . . . . . . . . . . . . . . . . . . . . . . . . .
• Password policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• The boot PROM password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Remote authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
133
137
140
141
145
149
User accounts overview
In addition to the default permissions assigned to the roles of root, factory, admin, and user,
Fabric OS supports up to 252 additional user accounts on the chassis. These accounts expand
your ability to track account access and audit administrative activities.
Each user account is associated with the following:
• Admin Domain list — Specifies the Administrative Domains to which a user account is allowed
to log in.
• Home Admin Domain — Specifies the Admin Domain that the user is logged into by default. The
home Admin Domain must be a member of the user’s Admin Domain list.
• Permissions — Associate roles with each user account to determine the functional access
levels within the bounds of the user’s current Admin Domain.
• Virtual Fabric list — Specifies the Virtual Fabric a user account is allowed to log in to.
• Home Virtual Fabric — Specifies the Virtual Fabric that the user is logged into, if available. The
home Virtual Fabric must be a member of the user’s Virtual Fabric list. If the fabric ID is not
available, the next-lower valid fabric ID is used.
• LF Permission List — Determines functional access levels within the bounds of the user’s
Virtual Fabrics.
• Chassis role — Similar to switch-level roles, but applies to a different subset of commands.
NOTE
Admin Domains are mutually exclusive from Virtual Fabrics permissions when you set up user
accounts. You will need to set up different user accounts for each feature.
You cannot have Admin Domain mode and Virtual Fabrics mode enabled at the same time.
For more information about Admin Domains, refer to Chapter 17, “Managing Administrative
Domains”.
For more information about Virtual Fabrics, refer to Chapter 10, “Managing Virtual Fabrics”.
Fabric OS Administrator’s Guide
53-1002745-02
133
5
User accounts overview
Fabric OS provides four options for authenticating users: remote RADIUS service, remote LDAP
service, remote TACACS+ service, and the local-switch user database. All options allow users to be
managed centrally by means of the following methods:
• Remote RADIUS service: Users are managed in a remote RADIUS server. All switches in the
fabric can be configured to authenticate against the centralized remote database.
• Remote LDAP service: Users are managed in a remote LDAP server. All switches in the fabric
can be configured to authenticate against the centralized remote database. The remote LDAP
server can run Microsoft Active Directory or OpenLDAP.
• Remote TACACS+ service. Users are managed in a remote TACACS+ server. All switches in the
fabric can be configured to authenticate against the centralized remote database.
• Local user database: Users are managed by means of the local user database. The local user
database is manually synchronized by means of the distribute command to push a copy of the
switch’s local user database to all other switches in the fabric running Fabric OS v5.3.0 and
later, but the distribute command is blocked if users with user-defined roles exist on the
sending switch or on any remote, receiving switch.
Role-Based Access Control
Role-Based Access Control (RBAC) specifies the permissions that a user account has on the basis
of the role the account has been assigned. For each role, a set of predefined permissions
determines the jobs and tasks that can be performed on a fabric and its associated fabric
elements. Fabric OS uses RBAC to determine which commands a user is allowed to access.
When you log in to a switch, your user account is associated with a predefined role or a
user-defined role. The role that your account is associated with determines the level of access you
have on that switch and in the fabric. The chassis role can also be associated with user-defined
roles; it has permissions for RBAC classes of commands that are configured when user-defined
roles are created. The chassis role is similar to a switch-level role, except that it affects a different
subset of commands. You can use the userConfig command to add this permission to a user
account.
Table 12 outlines the Fabric OS predefined (default) roles.
TABLE 12
134
Default Fabric OS roles
Role name
Duties
Description
Admin
All administration
All administrative commands
BasicSwitchAdmin
Restricted switch administration
Mostly monitoring with limited switch (local) commands
FabricAdmin
Fabric and switch administration
All switch and fabric commands, excluding user
management and Admin Domains commands
Operator
General switch administration
Routine switch-maintenance commands.
SecurityAdmin
Security administration
All switch security and user management functions
SwitchAdmin
Local switch administration
Most switch (local) commands, excluding security, user
management, and zoning commands
User
Monitoring only
Nonadministrative use, such as monitoring system
activity
ZoneAdmin
Zone administration
Zone management commands only
Fabric OS Administrator’s Guide
53-1002745-02
User accounts overview
5
Admin Domain considerations
Legacy users with no Admin Domain specified and whose current role is admin will have access to
AD0 through AD255 (physical fabric admin); otherwise, they will have access to AD0 only.
If some Admin Domains have been defined for the user and all of them are inactive, the user will
not be allowed to log in to any switch in the fabric. If no Home Domain is specified for a user, the
system provides a default home domain.
The default home domain for the predefined account is AD0. For user-defined accounts, the default
home domain is the Admin Domain in the user’s Admin Domain list with the lowest ID.
Role permissions
Table 13 describes the types of permissions that are assigned to roles.
TABLE 13
Permission types
Abbreviation
Definition
Description
O
Observe
The user can run commands by using options that display information only, such as
running userConfig --show -a to show all users on a switch.
M
Modify
The user can run commands by using options that create, change, and delete
objects on the system, such as running userConfig --change username -r rolename
to change a user’s role.
OM
Observe and
Modify
The user can run commands by using both observe and modify options; if a role has
modify permissions, it almost always has observe permissions.
N
None
The user is not allowed to run commands in a given category.
To view the permission type for categories of commands, use the classConfig command:
1. Enter the classConfig --show -classlist command to list all command categories.
2. Enter the classConfig --showroles command with the command category of interest as the
argument.
This command shows the permissions that apply to all commands in a specific category. For
example:
> classconfig --showroles authentication
Roles that have access to the RBAC Class ‘authentication’ are:
Role name
--------Admin
Factory
Root
Security Admin
Permission
---------OM
OM
OM
OM
You can also use the classConfig --showcli command to show the permissions that apply to a
specific command.
Fabric OS Administrator’s Guide
53-1002745-02
135
5
User accounts overview
The management channel
The management channel is the communication established between the management
workstation and the switch. Table 14 shows the number of simultaneous login sessions allowed for
each role when authenticated locally. The roles are displayed in alphabetic order, which does not
reflect their importance. When LDAP, RADIUS, or TACACS+ are used for authentication, the total
number of sessions on a switch may not exceed 32.
TABLE 14
Maximum number of simultaneous sessions
Role name
Maximum sessions
Admin
2
BasicSwitchAdmin
4
FabricAdmin
4
Operator
4
SecurityAdmin
4
SwitchAdmin
4
User
4
ZoneAdmin
4
Managing user-defined roles
Fabric OS provides an extensive toolset for managing user-defined roles:
• The roleConfig command is available for defining new roles, deleting created roles, or viewing
information about user-defined roles.
• The classConfig command is available for displaying RBAC information about each category or
class of commands, and includes an option to show all roles associated with a given RBAC
command category.
• The userConfig command can be used to assign a user-defined role to a user account.
Creating a user-defined role
You can define a role as long as it has a unique name that is not the same as any of the Fabric OS
default roles, any other user-defined role, or any existing user account name.
The following conditions also apply:
• A role name is case-insensitive and contains only letters.
• The role name should have a minimum of 4 letters and can be up to 16 letters long.
• The maximum number of user-defined roles that are allowed on a chassis is 256.
The roleConfig command can be used to define unique roles. You must have chassis-level access
and permissions to execute this command. The following example creates a user-defined role
called mysecurityrole. The RBAC class Security is added to the role, and the Observe permission is
assigned:
> roleconfig --add mysecurityrole -class security -perm O
Role added successfully
136
Fabric OS Administrator’s Guide
53-1002745-02
Local database user accounts
5
The assigned permissions can be no higher than the admin role permission assigned to the class.
The admin role permission for the Security class is Observe/Modify. Therefore, the Observe
permission is valid.
The roleConfig --show command is available to view the permissions assigned to a user-defined
role. You can also use the classConfig --showroles command to see that the role was indeed
added with Observe permission for the security commands:
> classConfig --showroles security
Roles that have access to RBAC Class ‘security’ are:
Role Name
--------User
Admin
Factory
Root
SwitchAdmin
FabricAdmin
BasicSwitchAdmin
SecurityAdmin
mysecurityrole
Permissions
----------O
OM
OM
OM
O
OM
O
OM
O
To delete a user-defined role, use the roleConfig --delete command.
Assigning a user-defined role to a user
You can assign a user-defined role to a user by using one of the following options of the userConfig
command:
• userConfig --add with the -r option to create a new user account and assign a role.
• userConfig --change with the -r option to add or change a user-defined role for an existing user
account.
• userConfig --add with the -c option to create a new user account and assign a chassis role.
• userConfig --change with the -c option to add a chassis role to an account.
The following example assigns the mysecurityrole role to the existing anewuser account and adds
the admin chassis role:
> userConfig --change anewuser -r mysecurityrole -c admin
Local database user accounts
User add, change, and delete operations are subject to the subset rule: an admin with ADlist 0–10
or LFlist 1–10 cannot perform operations on an admin, user, or any role with ADlist 11–25 or LFlist
11–128. The user account being changed must have an ADlist or LFlist that is a subset of the
account that is making the change.
In addition to the default administrative and user accounts, Fabric OS supports up to 252
user-defined accounts in each switch (domain). These accounts expand your ability to track
account access and audit administrative activities.
Fabric OS Administrator’s Guide
53-1002745-02
137
5
Local database user accounts
Default accounts
Table 15 lists the predefined accounts offered by Fabric OS that are available in the local-switch
user database. The password for all default accounts should be changed during the initial
installation and configuration of each switch.
TABLE 15
Default local user accounts
Account name
Role
Admin Domain
Logical Fabric
Description
admin
Admin
AD0–255
home: 0
LF1–128
home: 128
Most commands have
Observe/Modify permission.
factory
Factory
AD0–255
home: 0
LF1–128
home: 128
Reserved
root
Root
AD0-255
home: 0
LF1-128
home: 128
Reserved.
user
User
AD0
home: 0
LF-128
home: 128
Most commands have observe-only
permission.
Admin Domain and Virtual Fabrics considerations: Administrators can act on other accounts only if
that account has an Admin Domain or Logical Fabric list that is a subset of the administrator.
Displaying account information
1. Connect to the switch and log in using an account with admin permissions, or an account
associated with a user-defined role with permissions for the UserManagement class of
commands.
2. Enter the appropriate show operands for the account information you want to display:
• userConfig --show -a to show all account information for a switch
• userConfig --show username to show account information for the specified account
• userConfig --showad -a adminDomain_ID to show all accounts permitted to select the
specified adminDomain_ID
• userConfig --showlf -l logicalFabric_ID for each LF in an LF_ID_list, displays a list of users
that include that LF in their LF permissions.
Creating an account
1. Connect to the switch and log in using an account with admin permissions, or an account
associated with a user-defined role with permissions for the UserManagement class of
commands.
2. Enter the userConfig --add command. For example:
> userconfig --add metoo -l 1-128 -h 128 -r admin -c admin
This example creates a user account for the user metoo with the following properties:
•
•
•
•
138
Access to Virtual Fabrics 1 through 128
Default home logical switch to 128
Admin role permissions
Admin chassis role permissions
Fabric OS Administrator’s Guide
53-1002745-02
Local database user accounts
5
3. In response to the prompt, enter a password for the account.
The password is not displayed when you enter it on the command line.
Deleting an account
This procedure can be performed on local user accounts.
1. Connect to the switch and log in using an account with admin permissions, or an account
associated with a user-defined role with permissions for the UserManagement class of
commands.
2. Enter the userConfig --delete command.
You cannot delete the default accounts. An account cannot delete itself. All active CLI sessions
for the deleted account are logged out.
3. At the prompt for confirmation, enter y.
Changing account parameters
This procedure can be performed on local user accounts.
When changing account parameters, if you change the ADlist for the user account, all of the
currently active sessions for that account will be logged out. For more information about changing
the Admin Domain on an account, refer to Chapter 17, “Managing Administrative Domains”.
1. Connect to the switch and log in using an account with admin permissions, or an account
associated with a user-defined role with permissions for the UserManagement class of
commands.
2. Enter the userConfig --change command.
Local account passwords
The following rules apply to changing passwords:
• Users can change their own passwords.
• To change the password for another account requires admin permissions or an account
associated with a user-defined role with Modify permissions for the LocalUserEnvironment
RBAC class of commands. When changing an admin account password, you must provide the
current password.
• An admin with ADlist 0–10 or LFlist 1–10 cannot change the password on an account with
admin, user, or any permission with an ADlist 11–25 or LFlist 11–128. The user account being
changed must have an ADlist that is a subset of the account that is making the change.
• A new password must have at least one character different from the previous password.
• You cannot change passwords by using SNMP.
Changing the password for the current login account
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the passwd command.
3. Enter the requested information at the prompts.
Fabric OS Administrator’s Guide
53-1002745-02
139
5
Local user account database distribution
Changing the password for a different account
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the passwd command specifying the name of the account for which the password is
being changed.
3. Enter the requested information at the prompts.
Local user account database distribution
Fabric OS allows you to distribute the user database and passwords to other switches in the fabric.
When the switch accepts a distributed user database, it replaces the local user database with the
user database it receives.
By default, switches accept the user databases and passwords distributed from other switches.
The ‘Locked’ status of a user account is not distributed as part of local user database distribution.
When the user database is distributed, it may be rejected by a switch for one of the following
reasons:
•
•
•
•
One of the target switches does not support local account database distribution.
One of the target switch’s user database is protected.
One of the remote switches has logical switches defined.
Either the local switch or one of the remote switches has user accounts associated with
user-defined roles.
Distributing the local user database
When the local user database is distributed, all user-defined accounts residing in the receiving
switches are logged out of any active sessions.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the distribute -p PWD -d command.
NOTE
If Virtual Fabrics mode is enabled and there are logical switches defined other than the default
logical switch, then distributing the password database to switches is not supported.
Distributing the password database to switches is not allowed if there are users associated with user
defined roles in either the sending switch or remote switch
Accepting distributed user databases on the local switch
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the fddCfg --localaccept PWD command.
140
Fabric OS Administrator’s Guide
53-1002745-02
Password policies
5
Rejecting distributed user databases on the local switch
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the fddCfg --localreject PWD command.
Password policies
The password policies described in this section apply to the local-switch user database only.
Configured password policies (and all user account attribute and password state information) are
synchronized across CPs and remain unchanged after an HA failover. Password policies can also be
manually distributed across the fabric (see “Local user account database distribution” on
page 140). A list of the configurable password policies follows.
•
•
•
•
Password strength
Password history
Password expiration
Account lockout
All password policies are enforced during logins to the standby CP. However, you may observe that
the password enforcement behavior on the standby CP is inconsistent with prior login activity; this
is because password state information from the active CP is automatically synchronized with the
standby CP, thereby overwriting any password state information that was previously stored there.
Also, password changes are not permitted on the standby CP.
Password authentication policies configured using the passwdCfg command are not enforced
during initial prompts to change default passwords.
Password strength policy
The password strength policy is enforced across all user accounts, and enforces a set of format
rules to which new passwords must adhere. The password strength policy is enforced only when a
new password is defined. The total of the other password-strength policy parameters (lowercase,
uppercase, digits, and punctuation) must be less than or equal to the value of the MinLength
parameter.
Use the following attributes to the passwdCfg command to set the password strength policy:
• Lowercase
Specifies the minimum number of lowercase alphabetic characters that must appear in the
password. The default value is zero. The maximum value must be less than or equal to the
MinLength value.
• Uppercase
Specifies the minimum number of uppercase alphabetic characters that must appear in the
password. The default value is zero. The maximum value must be less than or equal to the
MinLength value.
• Digits
Specifies the minimum number of numeric digits that must appear in the password. The
default value is zero. The maximum value must be less than or equal to the MinLength value.
Fabric OS Administrator’s Guide
53-1002745-02
141
5
Password policies
• Punctuation
Specifies the minimum number of punctuation characters that must appear in the password.
All printable, non-alphanumeric punctuation characters except the colon ( : ) are allowed. The
default value is zero. The maximum value must be less than or equal to the MinLength value.
• MinLength
Specifies the minimum length of the password. The minimum can be from 8 to 40 characters.
New passwords must be between the minimum length specified and 40 characters. The
default value is 8. The maximum value must be greater than or equal to the MinLength value.
• Repeat
Specifies the length of repeated character sequences that will be disallowed. For example, if
the “repeat” value is set to 3, a password “passAAAword” is disallowed because it contains the
repeated sequence “AAA”. A password of “passAAword” would be allowed because no repeated
character sequence exceeds two characters. The range of allowed values is 1 through 40. The
default value is 1.
• Sequence
Specifies the length of sequential character sequences that will be disallowed. A sequential
character sequence is defined as a character sequence in which the ASCII value of each
contiguous character differs by one. The ASCII value for the characters in the sequence must
all be increasing or decreasing. For example, if the “sequence” value is set to 3, a password
“passABCword” is disallowed because it contains the sequence “ABC”. A password of
“passABword” would be allowed because it contains no sequential character sequence
exceeding two characters. The range of allowed values is 1 through 40. The default value is 1.
When set to 1, sequential characters are not enforced.
Example of a password strength policy
The following example shows a password strength policy that requires passwords to contain at
least 3 uppercase characters, 4 lowercase characters, and 2 numeric digits; the minimum
length of the password is 9 characters.
> passwdcfg --set -uppercase 3 -lowercase 4 -digits 2 -minlength 9
Password history policy
The password history policy prevents users from recycling recently used passwords, and is enforced
across all user accounts when users are setting their own passwords. The password history policy is
enforced only when a new password is defined.
Specify the number of past password values that are disallowed when setting a new password. Allowable
password history values range between 0 and 24. If the value is set to 0, it means that the new password
cannot be set to the current password, but can be set to the most recent password. The default value
is 1, which means the current and one previous password cannot be reused. The value 2 indicates that
the current and the two previous passwords cannot be used (and so on, up to 24 passwords).
This policy does not verify that a new password meets a minimal standard of difference from prior
passwords; rather, it only determines whether or not a newly specified password is identical to one
of the specified number (1–24) of previously used passwords.
The password history policy is not enforced when an administrator sets a password for another
user; instead, the user’s password history is preserved and the password set by the administrator
is recorded in the user’s password history.
142
Fabric OS Administrator’s Guide
53-1002745-02
Password policies
5
Password expiration policy
The password expiration policy forces the expiration of a password after a configurable period of
time. The expiration policy can be enforced across all user accounts or on specified users only.
A warning that password expiration is approaching is displayed when the user logs in. When a
password expires, the user must change the password to complete the authentication process and
open a user session. You can specify the number of days prior to password expiration during which
warnings will commence. Password expiration does not disable or lock out the account.
Use the following attributes to the passwdCfg command to set the password expiration policy:
• MinPasswordAge
Specifies the minimum number of days that must elapse before a user can change a
password. MinPasswordAge values range from 0 through 999. The default value is zero.
Setting this parameter to a nonzero value discourages users from rapidly changing a password
in order to circumvent the password history setting to select a recently used password. The
MinPasswordAge policy is not enforced when an administrator changes the password for
another user.
• MaxPasswordAge
Specifies the maximum number of days that can elapse before a password must be changed,
and is also known as the password expiration period. MaxPasswordAge values range from 0
through 999. The default value is zero. Setting this parameter to zero disables password
expiration.
• Warning
Specifies the number of days prior to password expiration that a warning about password
expiration is displayed. Warning values range from 0 through 999. The default value is 0 days.
NOTE
When MaxPasswordAge is set to a nonzero value, MinPasswordAge and Warning must be set
to a value that is less than or equal to MaxPasswordAge.
Example password expiration policies
The following example configures a password expiration policy for the metoo user account. This
user must change the password within 90 days of setting the current password and no sooner than
10 days after setting the current password. The user will start to receive warning messages 3 days
before the 90-day limit, if the password is not already changed.
> passwdcfg --setuser metoo -minpasswordage 10 -maxpasswordage 90 -warning 3
The following example configures a password expiration policy for all users.
> passwdcfg --set -minpasswordage 5 -maxpasswordage 30 -warning 5
Account lockout policy
The account lockout policy disables a user account when that user exceeds a specified number of
failed login attempts, and is enforced across all user accounts. You can configure this policy to
keep the account locked until explicit administrative action is taken to unlock it, or the locked
account can be automatically unlocked after a specified period. Administrators can unlock a locked
account at any time.
Fabric OS Administrator’s Guide
53-1002745-02
143
5
Password policies
A failed login attempt counter is maintained for each user on each switch instance. The counters
for all user accounts are reset to zero when the account lockout policy is enabled. The counter for
an individual account is reset to zero when the account is unlocked after a lockout duration period
expires, or when the account user logs in successfully.
The admin account can also have the lockout policy enabled on it. The admin account lockout
policy is disabled by default and uses the same lockout threshold as the other permissions. It can
be automatically unlocked after the lockout duration passes or when it is manually unlocked by
either a user account that has a securityAdmin or other admin permissions.
Virtual Fabrics considerations: The home logical fabric context is used to validate user enforcement
for the account lockout policy.
Note that the account-locked state is distinct from the account-disabled state.
Use the following attributes to set the account lockout policy:
• LockoutThreshold
Specifies the number of times a user can attempt to log in using an incorrect password before
the account is locked. The number of failed login attempts is counted from the last successful
login. LockoutThreshold values range from 0 through 999, and the default value is 0. Setting
the value to 0 disables the lockout mechanism.
• LockoutDuration
Specifies the time, in minutes, after which a previously locked account is automatically
unlocked. LockoutDuration values range from 0 through 99999, and the default value is 30.
Setting the value to 0 disables lockout duration, and would require a user to seek
administrative action to unlock the account. The lockout duration begins with the first login
attempt after the LockoutThreshold has been reached. Subsequent failed login attempts do
not extend the lockout period.
Enabling the admin lockout policy
1. Log in to the switch using an account that has admin or securityAdmin permissions.
2. Enter the passwdCfg --enableadminlockout command.
Unlocking an account
1. Log in to the switch using an account that has admin or securityAdmin permissions.
2. Enter the userConfig --change account_name -u command specifying the name of the user
account that is locked out.
Disabling the admin lockout policy
1. Log in to the switch using an account that has admin or securityAdmin permissions.
2. Enter the passwdCfg --disableadminlockout command.
144
Fabric OS Administrator’s Guide
53-1002745-02
The boot PROM password
5
Denial of service implications
The account lockout mechanism may be used to create a denial of service condition when a user
repeatedly attempts to log in to an account by using an incorrect password. Selected privileged
accounts are exempted from the account lockout policy to prevent users from being locked out
from a denial of service attack. However, these privileged accounts may then become the target of
password guessing attacks. Audit logs should be examined to monitor if such attacks are
attempted.
The boot PROM password
The boot PROM password provides an additional layer of security by protecting the boot PROM from
unauthorized use. Setting a recovery string for the boot PROM password enables you to recover a
lost boot PROM password by contacting your switch service provider. Without the recovery string, a
lost boot PROM password cannot be recovered.
Although you can set the boot PROM password without also setting the recovery string, it is strongly
recommended that you set both the password and the recovery string. If your site procedures
dictate that you set the boot PROM password without the recovery string, see “Setting the boot
PROM password for a switch without a recovery string” on page 147.
To set the boot PROM password with or without a recovery string, refer to the section that applies to
your switch or Backbone model.
CAUTION
Setting the boot PROM password requires accessing the boot prompt, which stops traffic flow
through the switch until the switch is rebooted. Perform this procedure during a planned
downtime.
Setting the boot PROM password for a switch with a recovery string
This procedure applies to the following switch models: Brocade 300, 5410, 5424, 5450, 5460,
5470, 5480, 5100, 5300, 6505, 6510, 6520, 7800, 8000, and 8510 switches, as well as the
Brocade Encryption Switch and VA-40FC. If your switch is not listed, please contact your switch
support provider for instructions.
1. Connect to the serial port interface as described in “Connecting to Fabric OS through the serial
port” on page 56.
2. Reboot the switch.
3. Press Esc within four seconds after the message “Press escape within 4 seconds...” is
displayed.
The following options are available:
Option
1
2
3
Fabric OS Administrator’s Guide
53-1002745-02
Description
Start system.
Recovery password.
Enter command shell.
Continues the system boot process.
Lets you set the recovery string and the boot PROM password.
Provides access to boot parameters.
145
5
The boot PROM password
4. Enter 2.
• If no password was previously set, the following message is displayed:
Recovery password is NOT set. Please set it now.
• If a password was previously set, the following messages is displayed:
Send the following string to Customer Support for password recovery:
afHTpyLsDo1Pz0Pk5GzhIw==
Enter the supplied recovery password.
Recovery Password:
5. Enter the recovery password (string).
The recovery string must be between 8 and 40 alphanumeric characters. A random string that
is 15 characters or longer is recommended for higher security. The firmware prompts for this
password only once. It is not necessary to remember the recovery string, because it is
displayed the next time you enter the command shell.
The following prompt is displayed:
New password:
6. Enter the boot PROM password, and then reenter it when prompted. The password must be
eight alphanumeric characters (any additional characters are not recorded). Record this
password for future use.
The new password is automatically saved.
7.
Reboot the switch by typing the reset command at the prompt.
Setting the boot PROM password for a Backbone with a recovery string
This procedure applies to the Brocade DCX, DCX-4S, DCX 8510-4, and DCX 8510-8 Backbones. The
boot PROM and recovery passwords must be set for each CP blade.
1. Connect to the serial port interface on the standby CP blade, as described in “Connecting to
Fabric OS through the serial port” on page 56.
2. Connect to the active CP blade over a serial or Telnet connection and enter the haDisable
command to prevent failover during the remaining steps.
3. Reboot the standby CP blade by sliding the On/Off switch on the ejector handle of the standby
CP blade to Off, and then back to On.
4. Press Esc within four seconds after the message “Press escape within 4 seconds...” is
displayed.
The following options are available:
Option
Description
1
2
3
Continues the system boot process.
Lets you set the recovery string and the boot PROM password.
Provides access to boot parameters.
Start system.
Recovery password.
Enter command shell.
5. Enter 2. Take the following appropriate action based on whether you find the password was
previously set:
• If no password was previously set, the following message is displayed:
Recovery password is NOT set. Please set it now.
146
Fabric OS Administrator’s Guide
53-1002745-02
The boot PROM password
5
• If a password was previously set, the following messages are displayed:
Send the following string to Customer Support for password recovery:
afHTpyLsDo1Pz0Pk5GzhIw==
Enter the supplied recovery password.
Recovery Password:
6. Enter the recovery password (string).
The recovery string must be between 8 and 40 alphanumeric characters. A random string that
is 15 characters or longer is recommended for higher security. The firmware only prompts for
this password once. It is not necessary to remember the recovery string because it is displayed
the next time you enter the command shell.
The following prompt is displayed:
New password:
7.
Enter the boot PROM password, and then reenter it when prompted. The password must be
eight alphanumeric characters (any additional characters are not recorded). Record this
password for future use.
The new password is automatically saved (the saveEnv command is not required).
8. Connect to the active CP blade over a serial or Telnet connection and enter the haEnable
command to restore high availability, and then fail over the active CP blade by entering the
haFailover command.
Traffic flow through the active CP blade resumes when the failover is complete.
9. Connect the serial cable to the serial port on the new standby CP blade (previously the active
CP blade).
10. Repeat step 2 through step 7 for the new standby CP blade (each CP blade has a separate
boot PROM password).
11. Connect to the active CP blade over a serial or Telnet connection and enter the haEnable
command to restore high availability.
Although you can set the boot PROM password without also setting the recovery string, it is strongly
recommended that you set both the password and the string as described in “Setting the boot
PROM password for a switch with a recovery string” on page 145. If your site procedures dictate
that you must set the boot PROM password without the string, follow the procedure that applies to
your switch model.
Setting the boot PROM password for a switch without a recovery string
This procedure applies to the fixed-port switch models.
The password recovery instructions provided within this section are only for the switches listed in
the Preface. If your switch is not listed, contact your switch support provider for instructions.
1. Create a serial connection to the switch as described in “Connecting to Fabric OS through the
serial port” on page 56.
2. Reboot the switch by entering the reboot command.
3. Press Esc within four seconds after the message “Press escape within 4 seconds...” is
displayed.
Fabric OS Administrator’s Guide
53-1002745-02
147
5
The boot PROM password
The following options are available:
Option
Description
1
2
3
Continues the system boot process.
Lets you set the recovery string and the boot PROM password.
Provides access to boot parameters.
Start system.
Recovery password.
Enter command shell.
4. Enter 3.
5. At the shell prompt, enter the passwd command.
The passwd command only applies to the boot PROM password when it is entered from the
boot interface.
6. Enter the boot PROM password at the prompt, and then reenter it when prompted. The
password must be eight alphanumeric characters (any additional characters are not recorded).
Record this password for future use.
7.
Enter the saveEnv command to save the new password.
8. Reboot the switch by entering the reset command.
Setting the boot PROM password for a Backbone without a recovery
string
This procedure applies to the Brocade DCX, DCX-4S, DCX 8510-4, and DCX 8510-8 Backbones.
On the Brocade DCX Backbone, set the password on the standby CP blade, fail over, and then set
the password on the previously active (now standby) CP blade to minimize disruption to the fabric.
1. Determine the active CP blade by opening a Telnet session to either CP blade, connecting as
admin, and entering the haShow command.
2. Connect to the active CP blade over a serial or Telnet connection and enter the haDisable
command to prevent failover during the remaining steps.
3. Create a serial connection to the standby CP blade as described in “Connecting to Fabric OS
through the serial port” on page 56.
4. Reboot the standby CP blade by sliding the On/Off switch on the ejector handle of the standby
CP blade to Off, and then back to On.
This causes the blade to reset.
5. Press Esc within four seconds after the message Press escape within 4 seconds... is
displayed.
The following options are available:
Option
Description
1
2
3
Continues the system boot process.
Lets you set the recovery string and the boot PROM password.
Provides access to boot parameters.
Start system.
Recovery password.
Enter command shell.
6. Enter 3.
7.
148
Enter the passwd command at the shell prompt.
Fabric OS Administrator’s Guide
53-1002745-02
Remote authentication
5
The passwd command applies only to the boot PROM password when it is entered from the
boot interface.
8. Enter the boot PROM password at the prompt, and then re-enter it when prompted.
The password must be eight alphanumeric characters (any additional characters are not
recorded). Record this password for future use.
9. Enter the saveEnv command to save the new password.
10. Reboot the standby CP blade by entering the reset command.
11. Connect to the active CP blade by serial or Telnet and enter the haEnable command to restore
high availability, and then fail over the active CP blade by entering the haFailover command.
Traffic resumes flowing through the newly active CP blade after it has completed rebooting.
12. Connect the serial cable to the serial port on the new standby CP blade (previously the active
CP blade).
13. Repeat step 3 through step 10 for the new standby CP blade.
14. Connect to the active CP blade over a serial or Telnet connection and enter the haEnable
command to restore high availability.
NOTE
To recover lost passwords refer to the Fabric OS Troubleshooting and Diagnostics Guide.
Remote authentication
Fabric OS supports user authentication through the local user database or one of the following
external authentication services:
• Remote authentication dial-in user service (RADIUS)
• Lightweight directory access protocol (LDAP) using Microsoft Active Directory in Windows or
OpenLDAP in Linux.
• Terminal Access Controller Access-Control System Plus (TACACS+)
Remote Authentication Configuration
A switch can be configured to try one of the supported remote authentication services (RADIUS,
LDAP, or TACACS+) and local switch authentication. The switch can also be configured to use only a
remote authentication service, or only local switch authentication.
Client/server model
When configured to use one of the supported remote authentication services, the switch acts as a
network access server (NAS) and RADIUS, LDAP, or TACACS+ client. The switch sends all
authentication, authorization, and accounting (AAA) service requests to the authentication server.
The authentication server receives the request, validates the request, and sends its response back
to the switch.
Fabric OS Administrator’s Guide
53-1002745-02
149
5
Remote authentication
The supported management access channels that integrate with RADIUS, LDAP, and TACACS+
include serial port, Telnet, SSH, Web Tools, and API. All these access channels require the switch IP
address or name to connect. RADIUS, LDAP, and TACACS+ servers accept both IPv4 and IPv6
address formats. For accessing both the active and standby CP, and for the purpose of HA failover,
both CP IP addresses of a Backbone should be included in the authentication server configuration.
NOTE
For systems such as the Brocade DCX Backbone, the switch IP addresses are aliases of the physical
Ethernet interfaces on the CP blades. When specifying client IP addresses for the logical switches in
such systems, make sure that the CP IP addresses are used.
Authentication server data
When configured for remote authentication, a switch becomes a RADIUS, LDAP, or TACACS+ client.
In any of these configurations, authentication records are stored in the authentication host server
database. Login and logout account name, assigned permissions, and time-accounting records are
also stored on the authentication server for each user.
Switch configuration
By default, the remote authentication services are disabled, so AAA services default to the switch’s
local database.
To enable remote authentication, it is strongly recommended that you access the CLI through an
SSH connection so that the shared secret is protected. Multiple login sessions can configure
simultaneously, and the last session to apply a change leaves its configuration in effect. After a
configuration is applied, it persists after a reboot or an HA failover.
To enable the secure LDAP service, you need to install a certificate from the Microsoft Active
Directory server or the OpenLDAP server. By default, the LDAP service does not require certificates.
The configuration applies to all switches. On a Backbone, the configuration replicates itself on a
standby CP blade if one is present. It is saved in a configuration upload and applied in a
configuration download.
Brocade recommends configuring at least two authentication servers, so that if one fails the other
will assume service. Up to five servers are supported.
You can set the configuration with any one of the supported authentication services and local
authentication enabled, so that if the authentication servers do not respond because of a power
failure or network problems, the switch uses local authentication.
Consider the effects of the use of a remote authentication service on other Fabric OS features. For
example, when a remote authentication service is enabled, all account passwords must be
managed on the authentication server. The Fabric OS mechanisms for changing switch passwords
remain functional; however, such changes affect only the involved switches locally. They do not
propagate to the authentication server, nor do they affect any account on the authentication server.
Authentication servers also support notifying users of expiring passwords.
When RADIUS, LDAP, or TACACS+ is set up for a fabric that contains a mix of switches with and
without RADIUS, LDAP, and TACACS+ support, the way a switch authenticates users depends on
whether a RADIUS, LDAP, or TACACS+ server is set up for that switch. For a switch with remote
authentication support and configuration, authentication bypasses the local password database.
For a switch without remote authentication support or configuration, authentication uses the
switch’s local account names and passwords.
150
Fabric OS Administrator’s Guide
53-1002745-02
5
Remote authentication
Supported LDAP options
Table 16 summarizes the various LDAP options and Brocade support for each.
TABLE 16
LDAP options
Protocol
Description
Channel type Default port
URL
Brocade
supported?
LDAPv3
LDAP over TCP
Unsecured
389
ldap://
No
LDAPv3 with TLS
extension
LDAPv3 over TLS
Secured
389
ldap://
Yes
LDAPv3 with TLS
and Certificate
LDAPv3 over TLS channel and
authenticated using a certificate
Secured
389
ldap://
Yes
LDAPv2 with SSL1
LDAPv2 over SSL. Port 636 is used for
SSL. Port 389 is for connecting to
LDAP.
Secured
636 and 389
ldaps://
No
1.
This protocol was deprecated in 2003 when LDAPv3 was standardized.
Command options
Table 17 outlines the aaaConfig command options used to set the authentication mode.
TABLE 17
Authentication configuration options
aaaConfig options
Description
Equivalent setting in
Fabric OS v5.1.0 and
earlier
--radius
--switchdb1
--authspec “local”
Default setting. Authenticates management
connections against the local database only.
If the password does not match or the user is
not defined, the login fails.
Off
On
--authspec “radius”
Authenticates management connections
against any RADIUS databases only.
If the RADIUS service is not available or the
credentials do not match, the login fails.
On
Off
--authspec “radius;local”
Authenticates management connections
against any RADIUS databases first.
If RADIUS fails for any reason, authenticates
against the local user database.
not
not
supported supported
--authspec “radius;local” --backup
Authenticates management connections
against any RADIUS databases. If RADIUS fails
because the service is not available, it then
authenticates against the local user database.
The --backup option directs the service to try
the secondary authentication database only if
the primary authentication database is not
available.
On
On
--authspec “ldap”
Authenticates management connections
against any LDAP databases only. If LDAP
service is not available or the credentials do
not match, the login fails.
n/a
n/a
Fabric OS Administrator’s Guide
53-1002745-02
151
5
Remote authentication
TABLE 17
Authentication configuration options (Continued)
aaaConfig options
Description
Equivalent setting in
Fabric OS v5.1.0 and
earlier
--radius
--switchdb1
--authspec “ldap; local”
Authenticates management connections
against any LDAP databases first. If LDAP fails
for any reason, it then authenticates against
the local user database.
n/a
On
--authspec “ldap; local” --backup
Authenticates management connections
against any LDAP databases first. If LDAP fails
for any reason, it then authenticates against
the local user database. The --backup option
states to try the secondary authentication
database only if the primary authentication
database is not available.
n/a
On
--authspec “tacacs+”
Authenticates management connections
against any TACACS+ databases only. If
TACACS+ service is not available or the
credentials do not match, the login fails.
not
not
supported supported
--authspec “tacacs+; local”
Authenticates management connections
against any TACACS+ databases first. If
TACACS+ fails for any reason, it then
authenticates against the local user database.
not
not
supported supported
--authspec “tacacs+; local” --backup
Authenticates management connections
against any TACACS+ databases first. If
TACACS+ fails for any reason, it then
authenticates against the local user database.
The --backup option states to try the
secondary authentication database only if the
primary authentication database is not
available.
not
not
supported supported
--authspec -nologout
Prevents users from being logged out when
you change authentication. Default behavior is
to log users out when you change
authentication.
n/a
1.
n/a
Fabric OS v5.1.0 and earlier aaaConfig --switchdb <on | off> setting.
Setting the switch authentication mode
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the aaaConfig --authspec command.
Fabric OS user accounts
RADIUS, LDAP, and TACACS+ servers allow you to set up user accounts by their true network-wide
identity rather than by the account names created on a Fabric OS switch. With each account name,
assign the appropriate switch access permissions. For LDAP servers, you can use the
ldapCfg -–maprole ldap_role name switch_role command to map LDAP server permissions.
152
Fabric OS Administrator’s Guide
53-1002745-02
Remote authentication
5
RADIUS, LDAP, and TACACS+ support all the defined RBAC roles described in Table 12 on
page 134.
Users must enter their assigned RADIUS, LDAP, or TACACS+ account name and password when
logging in to a switch that has been configured with remote authentication. After the remote
authentication (RADIUS, LDAP, or TACACS+) server authenticates a user, it responds with the
assigned switch role in a Brocade Vendor-Specific Attribute (VSA). If the response does not have a
VSA permissions assignment, the user role is assigned. If no Administrative Domain is assigned,
then the user is assigned to the default Admin Domain AD0.
You can set a user password expiration date and add a warning for RADIUS login and TACACS+
login. The password expiry date must be specified in UTC and in MM/DD/YYYY format. The
password warning specifies the number of days prior to the password expiration that a warning of
password expiration notifies the user. You either specify both attributes or none. If you specify a
single attribute or there is a syntax error in the attributes, the password expiration warning will not
be issued. If your RADIUS server maintains its own password expiration attributes, you must set the
exact date twice to use this feature, once on your RADIUS server and once in the VSA attribute. If
the dates do not match, then the RADIUS server authentication fails.
Table 18 describes the syntax used for assigning VSA-based account switch roles on a RADIUS
server.
TABLE 18
Syntax for VSA-based account roles
Item
Value
Description
Type
26
1 octet
Length
7 or higher
1 octet, calculated by the server
Vendor ID
1588
4 octet, Brocade SMI Private Enterprise Code
Vendor type
1
1 octet, Brocade-Auth-Role; valid attributes for the Brocade-Auth-Role are:
Admin
BasicSwitchAdmin
FabricAdmin
Operator
SecurityAdmin
SwitchAdmin
User
ZoneAdmin
2
Optional: Specifies the Admin Domain or Virtual Fabric member list. For
more information on Admin Domains or Virtual Fabrics, see “RADIUS
configuration with Admin Domains or Virtual Fabrics” on page 155.
Brocade-AVPairs1
3
Brocade-AVPairs2
4
Brocade-AVPairs3
5
Brocade-AVPairs4
6
Brocade Password ExpiryDate
7
Brocade Password ExpiryWarning
Vendor length
2 or higher
1 octet, calculated by server, including vendor-type and vendor-length
Attribute-specific data
ASCII string
Multiple octet, maximum 253, indicating the name of the assigned role and
other supported attribute values such as Admin Domain member list.
Fabric OS Administrator’s Guide
53-1002745-02
153
5
Remote authentication
Fabric OS users on the RADIUS server
All existing Fabric OS mechanisms for managing local-switch user accounts and passwords remain
functional when the switch is configured to use RADIUS. Changes made to the local switch
database do not propagate to the RADIUS server, nor do the changes affect any account on the
RADIUS server.
Windows 2000 IAS
To configure a Windows 2000 internet authentication service (IAS) server to use VSA to pass the
admin role to the switch in the dial-in profile, the configuration specifies the Vendor code (1588),
Vendor-assigned attribute number (1), and attribute value (admin), as shown in Figure 10.
FIGURE 10
Windows 2000 VSA configuration
Linux FreeRADIUS server For the configuration on a Linux FreeRADIUS server, define the
values outlined in Table 19 in a vendor dictionary file called dictionary.brocade.
TABLE 19
Entries in dictionary.brocade file
Include
Key
Value
VENDOR
Brocade
1588
ATTRIBUTE
Brocade-Auth-Role
1 string Brocade
Brocade-AVPairs1, 2, 3, 4
2, 3, 4, 5 string
Admin Domain or Virtual Fabric member list
Brocade-Passwd-ExpiryDate
6 string MM/DD/YYYY in UTC
Brocade-Passwd-WarnPeriod
7 integer in days
After you have completed the dictionary file, define the permissions for the user in a configuration
file. For example, to grant the user jsmith admin permissions, you would add the following
statement to the configuration file:
swladmin
154
Auth-Type := Local, User-Password == "myPassword"
Brocade-Auth-Role = "admin",
Brocade-AVPairs1 = "HomeLF=70",
Fabric OS Administrator’s Guide
53-1002745-02
Remote authentication
5
Brocade-AVPairs2 =
"LFRoleList=admin:2,4-8,70,80,128;ChassisRole=admin",
Brocade-Passwd-ExpiryDate = "11/10/2011",
Brocade-Passwd-WarnPeriod = "30"
RADIUS configuration with Admin Domains or Virtual Fabrics
When configuring users with Admin Domains or Virtual Fabrics, you must also include the Admin
Domain or Virtual Fabric member list. This section describes the way that you configure attribute
types for this configuration.
The values for these attribute types use the syntax key=val[;key=val], where key is a text description
of attributes, value is the attribute value for the given key, the equal sign (=) is the separator
between key and value, and the semicolon (;) is an optional separator for multiple key-value pairs.
Multiple key-value pairs can appear for one Vendor-Type code. Key-value pairs with the same key
name may be concatenated across multiple Vendor-Type codes. You can use any combination of
the Vendor-Type codes to specify key-value pairs. Note that a switch always parses these attributes
from Vendor-Type code 2 to Vendor-Type code 4.
Only the following keys are accepted; all other keys are ignored.
• HomeAD is the designated home Admin Domain for the account. The valid range of values is
from 0 to 255. The first valid HomeAD key-value pair is accepted by the switch, and any
additional HomeAD key-value pairs are ignored.
• ADList is a comma-separated list of Administrative Domain numbers to which this account is a
member. Valid numbers range from 0 to 255. A dash between two numbers specifies a range.
Multiple ADlist key-value pairs within the same or across the different Vendor-Type codes are
concatenated. Multiple occurrences of the same Admin Domain number are ignored.
• HomeLF is the designated home Virtual Fabric for the account. The valid values are between 1
to 128 and chassis context. The first valid HomeLF key-value pair is accepted by the switch,
additional HomeLF key-value pairs are ignored.
• LFRoleList is a comma-separated list of Virtual Fabric ID numbers to which this account is a
member. Valid numbers range from 1 to 128. A dash between two numbers specifies a range.
Multiple Virtual Fabric list key-value pairs within the same or across different Vendor-Type
codes are concatenated. Multiple occurrences of the same Virtual Fabric ID number are
ignored.
• ChassisRole is the account access permission at the chassis level. The chassis role allows the
user to execute chassis-related commands in a Virtual Fabrics-enabled environment. Valid
chassis roles include the default roles and any of the user-defined roles.
RADIUS authentication requires that the account have valid permissions through the attribute type
Brocade-Auth-Role. The additional attribute values ADList, HomeAD, HomeLF, and LFRoleList are
optional. If they are unspecified, the account can log in with AD0 as its member list and home
Admin Domain or VF128 as its member list and home Virtual Fabric. If there is an error in the
ADlist, HomeAD, LFRoleList, or HomeLF specification, the account cannot log in until the AD list or
Virtual Fabric list is corrected; an error message is displayed.
Fabric OS Administrator’s Guide
53-1002745-02
155
5
Remote authentication
For example, on a Linux FreeRADIUS Server, the user (user-za) with the following settings takes the
“zoneAdmin” permissions, with AD member list: 1, 2, 4, 5, 6, 7, 8, 9, 12; the Home Admin Domain
will be 1.
user-za Auth-Type := Local, User-Password == "password"
Brocade-Auth-Role = "ZoneAdmin",
Brocade-AVPairs1 = "ADList=1,2,6,"
Brocade-AVPairs2 = "ADList=4-8;ADList=7,9,12"
In the next example, on a Linux FreeRADIUS Server, the user has the “operator” permissions, with
ADList 1, 2, 4, 5, 6, 7, 8, 9, 12, 20 and HomeAD 2.
user-opr Auth-Type := Local, User-Password == "password"
Brocade-Auth-Role = "operator",
Brocade-AVPairs1 = "ADList=1,2;HomeAD=2",
Brocade-AVPairs2 = "ADList=-4-8,20;ADList=7,9,12"
In the next example, on a Linux FreeRADIUS Server, the user has the “zoneAdmin” permissions,
with VFlist 2, 4, 5, 6, 7, 8, 10, 11, 12, 13, 15 17, 19, 22, 23, 24, 25, 29, 31 and HomeLF 1.
user300 Auth-Type := Local, User-Password == "password"
Brocade-Auth-Role = "zoneadmin",
Brocade-AVPairs1 = "HomeLF=1;LFRoleList=securityadmin:2,4-8,10”
Brocade-AVPairs2 = "LFRoleList=admin:11-13, 15, 17, 19;user:22-25,29,31"
Brocade-AVPairs3 = "ChassisRole=switchadmin"
Setting up a RADIUS server
NOTE
To set up the RADIUS server, you must know the switch IP address, in either IPv4 or IPv6 notation,
or the name to connect to switches. Use the ipAddrShow command to display a switch IP address.
For Brocade Backbones, the switch IP addresses are aliases of the physical Ethernet interfaces on
the CP blades. When specifying client IP addresses for the logical switches in these systems, make
sure the CP blade IP addresses are used. For accessing both the active and standby CP blade, and
for the purpose of HA failover, both of the CP blade IP addresses must be included in the RADIUS
server configuration.
User accounts should be set up by their true network-wide identity rather than by the account
names created on a Fabric OS switch. Along with each account name, the administrator must
assign appropriate switch access permissions. To manage a fabric, one can set these permissions
to user, admin, and securityAdmin.
Configuring RADIUS server support with Linux
The following procedures work for FreeRADIUS on Solaris and Red Hat Linux. FreeRADIUS is a
freeware RADIUS server that you can find at the following website:
http://www.freeradius.org
Follow the installation instructions at the website. FreeRADIUS runs on Linux (all versions),
FreeBSD, NetBSD, and Solaris. If you make a change to any of the files used in this configuration,
you must stop the server and restart it for the changes to take effect.
FreeRADIUS installation places the configuration files in $PREFIX/etc/raddb. By default, the
PREFIX is /usr/local.
156
Fabric OS Administrator’s Guide
53-1002745-02
Remote authentication
5
Configuring RADIUS service on Linux consists of the following tasks:
• Adding the Brocade attributes to the server
• Creating the user
• Enabling clients
Adding the Brocade attributes to the server
1. Create and save the file $PREFIX/etc/raddb/dictionary.brocade with the following information:
# dictionary.brocade
#
VENDOR Brocade 1588
#
# attributes
#
ATTRIBUTE
Brocade-Auth-Role
ATTRIBUTE
Brocade-AVPairs1
ATTRIBUTE
Brocade-AVPairs2
ATTRIBUTE
Brocade-AVPairs3
ATTRIBUTE
Brocade-AVPairs4
ATTRIBUTE
Brocade-Passwd-ExpiryDate
ATTRIBUTE
Brocade-Passwd-WarnPeriod
1
2
3
4
5
6
7
string
string
string
string
string
string
string
Brocade
Brocade
Brocade
Brocade
Brocade
Brocade
Brocade
This information defines the Brocade vendor ID as 1588, Brocade attribute 1 as
Brocade-Auth-Role, Brocade attribute 6 as Brocade-Passwd-ExpiryDate, and Brocade attribute
7 as Brocade-Passwd-WarnPeriod.
2. Open the file $PREFIX/etc/raddb/dictionary in a text editor and add the line:
$INCLUDE dictionary.brocade
As a result, the file dictionary.brocade is located in the RADIUS configuration directory and
loaded for use by the RADIUS server.
Creating the user
1. Open the $PREFIX/etc/raddb/user file in a text editor.
2. Add the user names and their permissions for users accessing the switch and authenticating
through RADIUS.
The user logs in using the permissions specified with Brocade-Auth-Role. The valid permissions
include root, admin, switchAdmin, zoneAdmin, securityAdmin, basicSwitchAdmin, fabricAdmin,
operator, and user. You must use quotation marks around “password” and “role”.
Example of adding a user name to the RADIUS authentication
For example, to set up an account called JohnDoe with admin permissions with a password
expiry date of May 28, 2008 and a warning period of 30 days:
JohnDoe Auth-Type := Local
User-Password == "johnPassword",
Brocade-Auth-Role = "admin",
Brocade-Passwd-ExpiryDate = "05/28/08",
Brocade-Passwd-WarnPeriod = "30"
Example of using the local system password to authenticate users
The next example uses the local system password file to authenticate users.
Fabric OS Administrator’s Guide
53-1002745-02
157
5
Remote authentication
swadmin
Auth-Type := System
Brocade-Auth-Role = "admin",
Brocade-AVPairs1 = "HomeLF=70",
Brocade-AVPairs2 = "LFRoleList=admin:2,4-8,70,80,128",
Brocade-AVPairs3 = "ChassisRole=switchadmin",
Brocade-Passwd-ExpiryDate = "11/10/2008",
Brocade-Passwd-WarnPeriod = "30"
When you use network information service (NIS) for authentication, the only way to enable
authentication with the password file is to force the Brocade switch to authenticate using password
authentication protocol (PAP); this requires the -a pap option with the aaaConfig command.
Enabling clients
Clients are the switches that will use the RADIUS server; each client must be defined. By default, all
IP addresses are blocked.
The Brocade Backbones send their RADIUS requests using the IP address of the active CP. When
adding clients, add both the active and standby CP IP addresses so that, in the event of a failover,
users can still log in to the switch.
1. Open the $PREFIX/etc/raddb/client.config file in a text editor and add the switches that are to
be configured as RADIUS clients.
For example, to configure the switch at IP address 10.32.170.59 as a client:
client 10.32.170.59
secret
= Secret
shortname
= Testing Switch
nastype
= other
In this example, shortname is an alias used to easily identify the client. Secret is the shared
secret between the client and server. Make sure the shared secret matches that configured on
the switch (see “Adding an authentication server to the switch configuration” on page 175).
2. Save the file $PREFIX/etc/raddb/client.config, and then start the RADIUS server as follows:
$PREFIX/sbin/radiusd
Configuring RADIUS server support with Windows 2000
The instructions for setting up RADIUS on a Windows 2000 server are listed here for your
convenience but are not guaranteed to be accurate for your network environment. Always check
with your system administrator before proceeding with setup.
NOTE
All instructions involving Microsoft Windows 2000 can be obtained from www.microsoft.com or your
Microsoft documentation. Confer with your system or network administrator prior to configuration
for any special needs your network environment may have.
Configuring RADIUS service on Windows 2000 consists of the following steps:
1. Installing Internet Authentication Service (IAS)
For more information and instructions on installing IAS, refer to the Microsoft website.
2. Enabling the Challenge Handshake Authentication Protocol (CHAP)
158
Fabric OS Administrator’s Guide
53-1002745-02
Remote authentication
5
If CHAP authentication is required, then Windows must be configured to store passwords with
reversible encryption. Reverse password encryption is not the default behavior; it must be
enabled.
NOTE
If a user is configured prior to enabling reverse password encryption, then the user’s password
is stored and cannot utilize CHAP. To use CHAP, the password must be reentered after
encryption is enabled. If the password is not re-entered, then CHAP authentication will not work
and the user will be unable to authenticate from the switch.
Alternatives to using CHAP are Password Authentication Protocol (PAP), or PEAP-MSCHAPv2.
3. Configuring a user
IAS is the Microsoft implementation of a RADIUS server and proxy. IAS uses the Windows
native user database to verify user login credentials; it does not list specific users, but instead
lists user groups. Each user group should be associated with a specific switch role. For
example, you should configure a user group for root, admin, factory, switchAdmin, and user,
and then add any users whose logins you want to associate to the appropriate group.
4. Configuring the server
For more information and instructions on configuring the server, refer to the Microsoft website.
Below is the information you will need to configure the RADIUS server for a Brocade switch. A
client is the device that uses the RADIUS server; in this case, it is the switch.
a.
For the Add RADIUS Client window, provide the following:
Client address (IP or DNS) — Enter the IP address of the switch.
Client-Vendor — Select RADIUS Standard.
Shared secret — Provide a password. Shared secret is a password used between the client
device and server to prevent IP address spoofing by unwanted clients. Keep your shared
secret password in a safe place. You will need to enter this password in the switch
configuration.
After clicking Finish, add a new client for all switches on which RADIUS authentication will
be used.
b.
In the Internet Authentication Service window, right-click the Remote Access Policies
folder, and then select New Remote Access Policy from the pop-up window.
A remote access policy must be created for each group of Brocade login permissions (root,
admin, factory, switchAdmin, and user) for which you want to use RADIUS. Apply this policy
to the user groups that you already created.
c.
In the Vendor-Specific Attribute Information window, enter the vendor code value 1588.
Click the Yes. It conforms radio button, and then click Configure Attribute.
d.
In the Configure VSA (RFC compliant) window, enter the following values, and then click
OK.
Vendor-assigned attribute number — Enter the value 1.
Attribute format — Enter String.
Attribute value — Enter the login role (root, admin, switchAdmin, user, and so on) that the
user group must use to log in to the switch.
Fabric OS Administrator’s Guide
53-1002745-02
159
5
Remote authentication
e.
After returning to the Internet Authentication Service window, add additional policies for all
Brocade login types for which you want to use the RADIUS server. After this is done, you
can configure the switch.
NOTE
Windows 2008 RADIUS (NPS) support is also available.
RSA RADIUS server
Traditional password-based authentication methods are based on one-factor authentication, where
you confirm your identity using a memorized password. Two-factor authentication increases the
security by using a second factor to corroborate identification. The first factor is either a PIN or
password and the second factor is the RSA SecurID token.
RSA SecurID with an RSA RADIUS server is used for user authentication. The Brocade switch does
not communicate directly with the RSA Authentication Manager, so the RSA RADIUS server is used
in conjunction with the switch to facilitate communication.
To learn more about how RSA SecurID works, visit www.rsa.com for more information.
Setting up the RSA RADIUS server
For more information on how to install and configure the RSA Authentication Manager and the RSA
RADIUS server, refer to your documentation or visit www.rsa.com.
1. Create user records in the RSA Authentication Manager.
2. Configure the RSA Authentication Manager by adding an agent host.
3. Configure the RSA RADIUS server.
Setting up the RSA RADIUS server involves adding RADIUS clients, users, and vendor specific
attributes to the RSA RADIUS server.
a.
Add the following data to the vendor.ini file:
vendor-product = Brocade
dictionary = brocade
ignore-ports = no
port-number-usage = per-port-type
help-id = 2000
b.
Create a brocade.dct file that needs to be added into the dictiona.dcm file located in the
following path:
C:\Program Files\RSA Security\RSA RADIUS\Service
Figure 11 on page 161 shows what the brocade.dct file should look like and Figure 12 on
page 162 shows what needs to be modified in the brocade.dcm file.
NOTE
The dictionary files for RSA RADIUS server must remain in the installation directory. Do not
move the files to other locations on your computer.
160
Fabric OS Administrator’s Guide
53-1002745-02
Remote authentication
c.
5
Add Brocade-VSA macro and define the attributes as follows:
• vid (Vendor-ID): 1588
• type1 (Vendor-Type): 1
• len1 (Vendor-Length): >=2
#######################################################################
# brocade.dct -- Brocade Dictionary
#
# (See readme.dct for more details on the format of this file)
#######################################################################
#
# Use the Radius specification attributes in lieu of the Brocade one:
#
@radius.dct
MACRO Brocade-VSA(t,s) 26 [vid=1588 type1=%t% len1=+2 data=%s%]
ATTRIBUTE
ATTRIBUTE
ATTRIBUTE
Brocade-Auth-Role
Brocade-Passwd-ExpiryDate
Brocade-Passwd-WarnPeriod
Brocade-VSA(1,string) r
Brocade-VSA(6,string) r
Brocade-VSA(7,integer) r
#######################################################################
# brocade.dct -- Brocade Dictionary
#######################################################################
FIGURE 11
Fabric OS Administrator’s Guide
53-1002745-02
Example of a Brocade DCT file
161
5
Remote authentication
#######################################################################
# dictiona.dcm
#######################################################################
# Generic Radius
@radius.dct
#
# Specific Implementations (vendor specific)
#
@3comsw.dct
@aat.dct
@acc.dct
@accessbd.dct
@agere.dct
@agns.dct
@airespace.dct
@alcatel.dct
@altiga.dct
@annex.dct
@aptis.dct
@ascend.dct
@ascndvsa.dct
@axc.dct
@bandwagn.dct
@brocade.dct <-------
FIGURE 12
Example of the dictiona.dcm file
d.
When selecting items from the Add Return List Attribute, select Brocade-Auth-Role and
type the string Admin. The string will equal the role on the switch.
e.
Add the Brocade profile.
f.
In RSA Authentication Manager, edit the user records that will be authenticating using RSA
SecurID.
LDAP configuration and Microsoft Active Directory
LDAP provides user authentication and authorization using the Microsoft Active Directory service or
using Open LDAP in conjunction with LDAP on the switch. This section discusses authentication
and authorization using Microsoft Active Directory. For information about authentication and
authorization using OpenLDAP, refer to “LDAP configuration and OpenLDAP” on page 165.
Two operational modes exists in LDAP authentication, FIPS mode and non-FIPS mode. This section
discusses LDAP authentication in non-FIPS mode. For more information on LDAP in FIPS mode,
refer to Chapter 7, “Configuring Security Policies”. The following are restrictions when using LDAP in
non-FIPS mode:
• There is no password change through Active Directory.
• There is no automatic migration of newly created users from the local switch database to
Active Directory. This is a manual process explained later.
• Only IPv4 is supported for LDAP on Windows 2000 and LDAP on Windows Server 2003.
For LDAP on Windows Server 2008, both IPv4 and IPv6 are supported.
162
Fabric OS Administrator’s Guide
53-1002745-02
Remote authentication
5
• LDAP authentication is used on the local switch only and not for the entire fabric.
• You can use the User-Principal-Name and not the Common-Name for AD LDAP authentication.
To provide backward compatibility, authentication based on the Common Name is still
supported for Active Directory LDAP 2000 and 2003. Common Name based-authentication is
not recommended for new installations.
• A user can belong to multiple groups as long as one of the groups is the primary group. The
primary group in the AD server should not be set to the group corresponding to the switch role.
You can choose any other group.
• A user can be part of any Organizational Unit (OU).
• Active Directory LDAP 2000, 2003, and 2008 are supported.
When authentication is performed by User-Principal-Name, in Fabric OS 7.1.0 and later releases,
the suffix part of the name (the @domain-name part) can be omitted when the user logs in. If the
suffix part of the User-Principal-Name name is omitted, the domain name configured for the LDAP
server (in the aaaConfig --add server -d domain command) is added and used for authentication
purposes.
Roles for Brocade-specific users can be added through the Microsoft Management Console.
Groups created in Active Directory must correspond directly to the RBAC user roles on the switch.
Role assignments can be achieved by including the user in the respective group. A user can be
assigned to multiple groups like Switch Admin and Security Admin. For LDAP servers, you can use
the ldapCfg -–maprole ldap_role_name switch_role command to map an LDAP server permissions
to one of the default roles available on a switch. For more information on RBAC roles, see
“Role-Based Access Control” on page 134.
NOTE
All instructions involving Microsoft Active Directory can be obtained from www.microsoft.com or your
Microsoft documentation. Confer with your system or network administrator prior to configuration
for any special needs your network environment may have.
Configuring Microsoft Active Directory LDAP service
The following is an overview of the process used to set up LDAP.
1. If your Windows Active Directory server for LDAP needs to be verified by the LDAP client (that is,
the Brocade switch), then you must install a Certificate Authority (CA) certificate on the
Windows Active Directory server for LDAP.
Follow Microsoft instructions for generating and installing CA certificates on a Windows server.
2. Create a user in Microsoft Active Directory server.
For instructions on how to create a user, refer to www.microsoft.com or Microsoft
documentation to create a user in your Active Directory.
3. Create a group name that uses the switch’s role name so that the Active Directory group’s
name is the same as the switch’s role name.
or
Use the ldapCfg -–maprole ldap_role_name switch_role command to map an LDAP server role
to one of the default roles available on the switch.
Fabric OS Administrator’s Guide
53-1002745-02
163
5
Remote authentication
4. Associate the user to the group by adding the user to the group.
For instructions on how to create a user refer to www.microsoft.com or Microsoft
documentation to create a user in your Active Directory.
5. Add the user’s Administrative Domains or Virtual Fabrics to the CN_list by either editing the
adminDescription value or adding the brcdAdVfData attribute to the existing Active Directory
schema.
This action maps the Admin Domains or Virtual Fabrics to the user name. Multiple Admin
Domains can be added as a string value separated by the underscore character ( _ ). Virtual
Fabrics are added as a string value separate by a comma ( , ) and entered as a range.
Creating a user
To create a user in Active Directory, refer to www.microsoft.com or Microsoft documentation. There
are no special attributes to set. You can use a fully qualified name for logging in, for example you
can log in as "user@domain.com".
Creating a group
To create a group in Active Directory, refer to www.microsoft.com or Microsoft documentation. You
will need to verify that the group has the following attributes:
•
•
•
•
The name of the group has to match the RBAC role.
The Group Type must be Security.
The Group Scope must be Global.
The primary group in the AD server should not be set to the group corresponding to the switch
role. You can choose any other group.
• If the user you created is not a member of the Users OU then the User Principal Name, in the
format of "user@domain", is required to login.
Assigning the group (role) to the user
To assign the user to a group in Active Directory, refer to www.microsoft.com or Microsoft
documentation. You will need to verify that the user has the following attributes:
• Update the memberOf field with the login permissions (root, admin, switchAdmin, user, and so
on) that the user must use to log in to the switch.
or
If you have a user-defined group, then use the ldapCfg -–maprole ldap_role_name switch_role
command to map an LDAP server permissions to one of the default roles available on a switch.
Adding an Admin Domain or Virtual Fabric list
1. From the Windows Start menu, select Programs> Administrative Tools> ADSI.msc
ADSI is a Microsoft Windows Resource Utility. This utility must be installed to proceed with the
rest of the setup. For Windows 2003, this utility comes with Service Pack 1 or you can
download this utility from the Microsoft website.
2. Go to CN=Users.
164
Fabric OS Administrator’s Guide
53-1002745-02
Remote authentication
5
3. Right click on select Properties. Click the Attribute Editor tab.
4. Double-click the adminDescription attribute.
The String Attribute Editor dialog box opens.
5. Perform the appropriate action based on whether you are using Administrative Domains or
Virtual Fabrics:
• If you are using Administrative Domains, enter the value of the Admin Domain separated
by an underscore ( _ ) into the Value field.
Example for adding Admin Domains
adlist_0_10_200_endAd
Home Admin Domain (homeAD) for the user will be the first value in the adlist (Admin
Domain list). If a user has no values assigned in the adlist attribute, then the homeAD ‘0’
will be the default administrative domain for the user.
• If you are using Virtual Fabrics, enter the value of the logical fabric separated by an
semi-colon ( ; ) into the Value field.
Example for adding Virtual Fabrics
HomeLF=10;LFRoleList=admin:128,10;ChassisRole=admin
In this example, the logical switch that would be logged into by default is 10. If 10 is not
available then the lowest FID available will be chosen. You would have permission to enter
logical switch 128 and 10 in an admin role and you would also have the chassis role
permission of admin.
NOTE
You can perform batch operations using the Ldifde.exe utility. For more information on
importing and exporting schemas, refer to your Microsoft documentation or visit
www.microsoft.com.
Adding attributes to the Active Directory schema
To create a group in Active Directory, refer to www.microsoft.com or Microsoft documentation. You
will need to verify that the schema has the following attributes:
• Add a new attribute brcdAdVfData as Unicode String.
• Add brcdAdVfData to the person’s properties.
LDAP configuration and OpenLDAP
Fabric OS provides user authentication and authorization by means of OpenLDAP or the Microsoft
Active Directory service in conjunction with LDAP on the switch. This section discusses
authentication and authorization using OpenLDAP. For information about authentication and
authorization using Microsoft Active Directory, refer to “LDAP configuration and Microsoft Active
Directory” on page 162.
Fabric OS Administrator’s Guide
53-1002745-02
165
5
Remote authentication
Two operational modes exist in LDAP authentication: FIPS mode and non-FIPS mode. This section
discusses LDAP authentication in non-FIPS mode. For information on LDAP in FIPS mode, refer to
Chapter 7, “Configuring Security Policies”. The following restrictions exist when using OpenLDAP in
non-FIPS mode:
• You must use the Common-Name for OpenLDAP authentication. User-Principal-Name is not
supported in OpenLDAP.
• OpenLDAP 2.4.23 is supported.
When a user is authenticated, the role of the user is obtained from the memberOf attribute, which
determines group membership. This feature is supported in OpenLDAP through the memberOf
overlay. You must use this overlay on the OpenLDAP server to assign membership information.
For OpenLDAP servers, you can use the ldapCfg -–maprole ldap_role_name switch_role command
to map LDAP server permissions to one of the default roles available on a switch. For more
information on RBAC roles, see “Role-Based Access Control” on page 134.
OpenLDAP server configuration overview
For complete details about how to install and configure an OpenLDAP server, refer to the OpenLDAP
user documentation at http://www.openldap.org/doc/. A few key steps for the Brocade
environment are outlined here.
1. If your OpenLDAP server needs to be verified by the LDAP client (that is, the Brocade switch),
then you must install a Certificate Authority (CA) certificate on the OpenLDAP server.
Follow OpenLDAP instructions for generating and installing CA certificates on an OpenLDAP
server.
2. Enable group membership through the memberOf mechanism by including the memberOf
overlay in the slapd.conf file.
3. Create entries (users) in the OpenLDAP Directory.
4. Assign users to groups by using the member attribute.
5. Use the ldapCfg -–maprole ldap_role_name switch_role command to map an LDAP server role
to one of the default roles available on the switch.
6. Add the user’s Administrative Domains or Virtual Fabrics to the user entry by performing the
following steps.
a.
Add the brcdAdVfData attribute to the existing OpenLDAP schema,
b.
Add the brcdAdVfData attribute to the user entry in the LDAP directory with a value that
identifies the Administrative Domains or Virtual Fabrics with which to associate the user.
Enabling group membership
Group membership in OpenLDAP is specified by an overlay called memberOf. Overlays are helpful
in customizing the backend behavior without requiring changes to the backend code. The
memberOf overlay updates the memberOf attribute whenever changes occur to the membership
attribute of entries of the groupOfNames objectClass. To include this overlay, add “overlay
memberof” to the slapd.conf file, as shown in the following example.
overlay memberof
Example file:
include
166
/usr/local/etc/openldap/schema/core.schema
Fabric OS Administrator’s Guide
53-1002745-02
Remote authentication
include
include
5
/usr/local/etc/openldap/schema/cosine.schema
/usr/local/etc/openldap/schema/local.schema
###############################################
TLSCACertificateFile /root/sachin/ldapcert/cacert.pem
TLSCertificateFile
/root/sachin/ldapcert/serverCert.pem
TLSCertificateKeyFile /root/sachin/ldapcert/serverKey.pem
TLSVerifyClient never
pidfile
argsfile
/usr/local/var/run/slapd.pid
/usr/local/var/run/slapd.args
database
suffix
rootdn
rootpw
bdb
"dc=mybrocade,dc=com"
"cn=Manager,dc=mybrocade,dc=com"
{SSHA}HL8uT5hPaWyIdcP6yAheMT8n0GoWubr3
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory
/usr/local/var/openldap-data
# Indices to maintain
index
objectClass
eq
overlay memberof
Adding entries to the directory
To add entries in the OpenLDAP directory, perform the following steps:
1. Using an editor of your choice, create a .ldif file and enter the information for the entry.
The following example defines an organizational role for the Directory Manager in a .ldif file for
an organization with the domain name mybrocade.com.
# Organization for mybrocade Corporation
dn: dc=mybrocade,dc=com
objectClass: dcObject
objectClass: organization
dc: mybrocade
o: Mybrocade Corporation
description: Mybrocade Corporation
############################################################################
# Organizational Role for Directory Manager
dn: cn=Manager,dc=mybrocade,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager
2. Enter the ldapadd command to add the contents of the .ldif file to the Directory, where test.ldif
is the file you created in step 1.
> ldapadd -D cn=Manager,dc=mybrocade,dc=com -x -w secret -f test.ldif
Fabric OS Administrator’s Guide
53-1002745-02
167
5
Remote authentication
Assigning a user to a group
Before you can assign a user to a group, the memberOf overlay must be added to the slapd.conf
file. Refer to “Enabling group membership” on page 166 for details.
To create a group and assign a member:
1. In a .ldif file, create a “groupOfNames” objectClass entry with the name of the group, for
example, “admin,” to create a group.
2. Set a “member” attribute for the group instance to identify the member, as in this example:
“cn=Sachin,cn=Users,dc=mybrocade,dc=com”
Automatically the “memberOf” attribute of entry Sachin will have value
“cn=admin,ou=groups,dc=mybrocade,dc=com”, which assigns Sachin to the admin group.
3. Enter the ldapadd command.
For example, the .ldif file might contain something like the following:
#Groups in organization
dn: ou=groups,dc=mybrocade,dc=com
objectclass:organizationalunit
ou: groups
description: generic groups branch
dn: cn=admin,ou=groups,dc=mybrocade,dc=com
objectclass: groupofnames
cn: admin
description: Members having admin permission
#Add members for admin group
member: cn=sachin,cn=Users,dc=mybrocade,dc=com
Assigning the LDAP role to a switch role
Use the ldapCfg -–maprole ldap_role_name switch_role command to map LDAP server
permissions to one of the default roles available on a switch.
Modifying an entry
To modify a directory entry, perform the following steps:
1. Create a .ldif file containing the information to be modified.
2. Enter the ldapmodify -f filename command, where filename is the .ldif file you edited in step 1.
Example to delete a user attribute
1. Create or edit a .ldif file with an entry similar to the following.
#########Deleting an attr
#dn: cn=Sachin,cn=Users,dc=mybrocade,dc=com
#changetype: modify
#delete: memberof
2. Enter the following ldapmodify command, where test.ldif is the name of the file you edited in
step 1.
> ldapmodify -D cn=Sachin,dc=mybrocade,dc=com –x -w secret -f test.ldif
168
Fabric OS Administrator’s Guide
53-1002745-02
Remote authentication
5
Example to add a group member
1. Create or edit a .ldif file with an entry similar to the following.
##########Adding an attr value
dn: cn=admin,ou=groups,dc=mybrocade,dc=com
changetype: modify
add: member
member: cn=test1,cn=Users,dc=mybrocade,dc=com
2. Enter the following ldapmodify command, where test1.ldif is the name of the file you edited in
step 1.
> ldapmodify -D cn=admin,dc=mybrocade,dc=com –x -w secret -f test1.ldif
Example to delete a group member
1. Create or edit a .ldif file with contents similar to the following.
########Deleting an attr value
#dn: cn=admin,ou=groups,dc=mybrocade,dc=com
#changetype: modify
#delete: member
#member: cn=Sachin,cn=Users,dc=mybrocade,dc=com
2. Enter the following ldapmodify command, where test2.ldif is the name of the file you edited in
step 1.
> ldapmodify -D cn=admin,dc=mybrocade,dc=com –x -w secret -f test2.ldif
Example to change the value of an attribute
1. Create or edit a .ldif file with contents similar to the following.
#######Replacing an attribute value
dn: cn=test,cn=Users,dc=mybrocade,dc=com
changetype: modify
replace: uid
uid: test
2. Enter the following ldapmodify command, where test3.ldif is the name of the file you edited in
step 1.
> ldapmodify -D cn=admin,dc=mybrocade,dc=com –x -w secret -f test3.ldif
The value of the uid attribute is changed to “test”.
Adding an Admin Domain or Virtual Fabric list
If your network uses Admin Domains, you can specify a list of Admin Domain numbers to which the
user has access.
Use the brcdAdVfData attribute to map a role to a Virtual Fabric or Admin Domain. To perform this
operation, you must modify the schema to include the definition of the brcdAdVfData attribute and
the definition of a user class that can use this attribute. You can then add this attribute to user
entries in the LDAP directory.
1. In a schema file, assign the brcdAdVfData attribute to a user class.
The following sample schema file defines a new objectClass named “user” with optional
attributes “brcdAdVfData” and “description”.
#New attr brcdAdVfData
attributetype ( 1.3.6.1.4.1.8412.100
NAME ( 'brcdAdVfData' )
Fabric OS Administrator’s Guide
53-1002745-02
169
5
Remote authentication
DESC 'Brocade specific data for LDAP authentication'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
objectclass ( 1.3.6.1.4.1.8412.110 NAME 'user'
DESC 'Brocade switch specific person'
SUP top AUXILIARY
MAY ( brcdAdVfData $ description ) )
2. Include the schema file in the slapd.conf file.
The following example slapd.conf line assumes that local.schema contains the attribute
definition provided in step 1.
include
/usr/local/etc/openldap/schema/local.schema
3. Include the brcdAdVfData attribute in a user entry in the LDAP Directory.
• If you are using Administrative Domains, enter the value of each Admin Domain separated
by an underscore ( _ ). Each number represents the number of the Admin Domain to which
the user has access. The first such number represents the user’s Home domain.
Example for adding Admin Domains
In the following example, the user is granted access to Admin Domains 0, 10, and 200.
Admin Domain 0 is the domain that the user initially logs into.
brcdAdVfData: adlist_0_10_200_endAd
• If you are using Virtual Fabrics, enter the value of the logical fabrics to which the user has
access. Up to three value fields can be specified, separated by an semicolons ( ; ):
• The HomeLF field specifies the user’s home Logical Fabric.
• The LFRole list field specifies the additional Logical Fabrics to which the user has
access and the user’s access permissions for those Logical Fabrics. Logical Fabric
numbers are separated by commas ( , ). A hyphen ( - ) indicates a range.
• The ChassisRole field designates the permissions that apply to the ChassisRole
subset of commands.
Example for adding Virtual Fabrics
In the following example, the logical switch that would be logged into by default is 10. If 10
is not available then the lowest FID available will be chosen.The user is given permission to
enter logical switches 1 through 128 in an admin role and is also given the chassis role
permission of admin.
brcdAdVfData: HomeLF=10;LFRoleList=admin:1-128;ChassisRole=admin
The following fragment from a file named test4.ldif provides an entry for a user with Virtual Fabric
access roles.
# Organizational Role for Users
dn: cn=Users,dc=mybrocade,dc=com
objectClass: organizationalRole
cn: Users
description: User
# User entries
dn: cn=Sachin,cn=Users,dc=mybrocade,dc=com
objectClass: user
objectClass: person
170
Fabric OS Administrator’s Guide
53-1002745-02
Remote authentication
5
objectClass: uidObject
cn: Sachin
sn: Mishra
description: First user
brcdAdVfData: HomeLF=30;LFRoleList=admin:1-128;ChassisRole=admin
userPassword: pass
uid: mishras@mybrocade.com
The following command adds the user to the LDAP directory.
> ldapadd -D cn=Sachin,dc=mybrocade,dc=com -x -w secret -f test4.ldif
TACACS+ service
FabricOS can authenticate users with a remote server using the Terminal Access Controller
Access-Control System Plus (TACACS+) protocol. TACACS+ is a protocol used in AAA server
environments consisting of a centralized authentication server and multiple Network Access
Servers (NAS) or clients. Once configured to use TACACS+, a Brocade switch becomes a Network
Access Server (NAS).
The following authentication protocols are supported by the TACACS+ server for user
authentication:
• Password Authentication Protocol (PAP)
• Challenge Handshake Authentication Protocol (CHAP)
TACACS+ is not a FIPS-supported protocol, so you cannot configure TACACS+ in FIPS mode. To
enable FIPS, any TACACS+ configuration must be removed.
The TACACS+ server can be a Microsoft Windows server or a LINUX server. For LINUX servers, use
TACACS+ 4.0.4 or later from Cisco. For Microsoft Windows servers, use any TACACS+ freeware that
uses TACACS+ protocol v1.78 or later.
TACACS+ configuration overview
Configuration is required on both the TACACS+ server and the Brocade switch. On the TACACS+
server, you should assign a role for each user and, if Admin Domains or Virtual Fabrics are in use,
provide lists of Admin Domains or Virtual Fabrics to which the user should have access. For details,
refer to “The tac_plus.cfg file” on page 172.
On the Brocade switch, use the aaaConfig command to configure the switch to use TACACS+ for
authentication. The aaaConfig command also allows you to specify up to five TACACS+ servers.
When a list of servers is configured, failover from one server to another server happens only if a
TACACS+ server fails to respond. It does not happen when user authentication fails.
Failover to another TACACS+ server is achieved by means of a timeout. You can configure a timeout
value for each TACACS+ server, so that the next server can be used in case the first server is
unreachable. The default timeout value is 5 seconds.
Retry is also allowed for each server. The default value is 5. If authentication is rejected or times
out, FabricOS will try again. The retry value can also be customized for each user.
Refer to “Remote authentication configuration on the switch” on page 174 for details about
configuring the Brocade switch for authenticating users with a TACACS+ server.
Fabric OS Administrator’s Guide
53-1002745-02
171
5
Remote authentication
Configuring the TACACS+ server on LINUX
FabricOS software supports TACACS+ authentication on a LINUX server running the Open Source
TACACS+ LINUX package v4.0.4 from Cisco. To install and configure this software, perform the
following steps.
1. Download the TACACS+ software from http://www.cisco.com and install it.
Refer to the Cisco documentation for installation instructions.
2. Configure the TACACS+ server by editing the tac_plus.cfg file.
Refer to “The tac_plus.cfg file” (below) for details.
3. Run the tac_plus daemon to start and enable the TACACS+ service on the server.
Example
> tac_plus -d 16 /usr/local/etc/mavis/sample/tac_plus.cfg
The tac_plus.cfg file
All configuration of the TACACS+ server is done in the tac_plus.cfg file. Open the file by using the
editor of your choice and customize the file as needed.
You must add users into this file and provide some attributes specific to the Brocade
implementation. Table 20 lists and defines attributes specific to Brocade.
TABLE 20
Brocade custom TACACS+ attributes
Attribute
Purpose
brcd-role
Role assigned to the user account
brcd-AV-Pair1
The Admin Domain or Virtual Fabric member list, and chassis role
brcd-AV-Pair2
The Admin Domain or Virtual Fabric member list, and chassis role
brcd-passwd-expiryDate
The date on which the password expires
brcd-passwd-warnPeriod
The time before expiration for the user to receive a warning message
Adding a user and assigning a role
When adding a user to the tac_plus.cfg file, you should at least provide the brcd-role attribute. The
value assigned to this attribute should match a role defined for the switch. When a logon is
authenticated, the role specified by the brcd-role attribute represents the permissions granted to
the account. If no role is specified, or if the specified role does not exist on the switch, the account
is granted user role permissions only.
Refer to “Role-Based Access Control” on page 134 for details about roles.
The following fragment from a tac_plus.cfg file adds a user named fosuser1 and assigns the
securityAdmin role to the account.
user = fosuser1 {
chap = cleartext "my$chap$pswrd"
pap = cleartext "pap-password"
service = exec {
brcd-role = securityAdmin;
}
}
172
Fabric OS Administrator’s Guide
53-1002745-02
Remote authentication
5
Configuring Admin Domain lists
If your network uses Admin Domains, you should create Admin Domain lists for each user to
identify the Admin Domains to which the user has access.
Assign the following key-value pairs to the brcd-AV--Pair1 and, optionally, brcd-AV-Pair2 attributes to
grant the account access to the Admin Domains:
• HomeAD is the designated home Admin Domain for the account. The valid range of values is
from 0 through 255. The first valid HomeAD key-value pair is accepted by the switch, and any
additional HomeAD key-value pairs are ignored.
• ADList is a comma-separated list of Administrative Domain numbers to which this account is a
member. Valid numbers range from 0 through 255. A dash between two numbers specifies a
range.
The following example sets the home Admin Domain for the fosuser4 account to 255 and grants
the account access to Admin Domains 1, 2, 3, and 200 through 255.
user = fosuser4 {
pap = clear "password"
chap = clear "password"
password = clear "password"
service = shell {
set brcd-role = securityAdmin
set brcd-AV-Pair1 = "homeAD=255;ADList=1,2,3";
set brcd-AV-Pair2 = “ADList=200-255”;
}
}
Configuring Virtual Fabric lists
If your network uses Virtual Fabrics, you should create Virtual Fabric lists for each user to identify
the Virtual Fabrics to which the account has access.
Assign the following key-value pairs to the brcd-AV--Pair1 and, optionally, brcd-AV-Pair2 attributes to
grant access to the Virtual Fabrics:
• HomeLF is the designated home Virtual Fabric for the account. The valid values are from 1
through 128 and chassis context. The first valid HomeLF key-value pair is accepted by the
switch. Additional HomeLF key-value pairs are ignored.
• LFRoleList is a comma-separated list of Virtual Fabric ID numbers to which this account is a
member, and specifies the role the account has on those Virtual Fabrics. Valid numbers range
from 1 through 128. A dash between two numbers specifies a range.
The following example sets the home Virtual Fabric for the userVF account to 30 and allows the
account admin role access to Virtual Fabrics 1, 2, 3, and 4 and securityAdmin access to Virtual
Fabrics 5 and 6.
user = userVF {
pap = clear “password”
service = shell {
set brcd-role = zoneAdmin
set brcd-AV-Pair1 = “homeLF=30;LFRoleList=admin:1,3,4;securityAdmin:5,6”
set brcd-AV-Pair2 = “chassisRole=admin”
}
}
Fabric OS Administrator’s Guide
53-1002745-02
173
5
Remote authentication
Configuring the password expiration date
FabricOS lets you configure a password expiration date for each user account and to configure a
warning period for notifying the user that the account password is about to expire. To configure
these values, set the following attributes:
• brcd-passwd-expiryDate sets the password expiration date in mm/dd/yyyy format.
• brcd-passwd-warnPeriod sets the warning period as a number of days.
The following example sets the password expiration date for the fosuser5 account. It also specifies
that a warning be sent to the user 30 days before the password is due to expire.
user = fosuser5 {
pap = clear "password"
chap = clear "password"
password = clear "password"
service = shell {
set brcd-role = securityAdmin
set brcd-passwd-expiryDate = 03/21/2014;
set brcd-passwd-warnPeriod = 30;
}
}
Configuring a Windows TACACS+ server
FabricOS is compatible with any TACACS+ freeware for Microsoft Windows that uses TACACS+
protocol version v1.78. Refer to the vendor documentation for configuration details.
Remote authentication configuration on the switch
At least one RADIUS, LDAP, or TACACS+ server must be configured before you can enable a remote
authentication service. You can configure the remote authentication service even if it is disabled on
the switch. You can configure up to five RADIUS, LDAP, or TACACS+ servers. You must be logged in
as admin or switchAdmin to configure the RADIUS service.
NOTE
On dual-CP Backbones (Brocade DCX, DCX-4S, DCX 8510-4, and DCX 8510-8 devices), the switch
sends its RADIUS, LDAP, or TACACS+ request using the IP address of the active CP. When adding
clients, add both the active and standby CP IP addresses so that users can still log in to the switch
in the event of a failover.
RADIUS, LDAP, or TACACS+ configuration is chassis-based configuration data. On platforms
containing multiple switch instances, the configuration applies to all instances. The configuration is
persistent across reboots and firmware downloads. On a chassis-based system, the command
must replicate the configuration to the standby CP.
Multiple login sessions can invoke the aaaConfig command simultaneously. The last session that
applies the change is the one whose configuration is in effect. This configuration is persistent after
an HA failover.
The authentication servers are contacted in the order they are listed, starting from the top of the
list and moving to the bottom.
174
Fabric OS Administrator’s Guide
53-1002745-02
Remote authentication
5
Adding an authentication server to the switch configuration
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the aaaConfig --add command.
At least one authentication server must be configured before you can enable the RADIUS, LDAP, or
TACACS+ service.
If no RADIUS, LDAP, or TACACS+ configuration exists, turning on the authentication mode triggers
an error message. When the command succeeds, the event log indicates that the configuration is
enabled or disabled.
Enabling and disabling remote authentication
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the aaaConfig --authspec command to enable or disable RADIUS, LDAP, or TACACS+.
You must specify the type of service as one of RADIUS, LDAP, or TACACS+. Local is used for
local authentication if the user authentication fails on the authentication server.
Example enabling RADIUS
switch:admin> aaaconfig --authspec "radius;local" --backup
Example enabling LDAP
switch:admin> aaaconfig --authspec "ldap;local" --backup
Example enabling TACACS+
switch:admin> aaaconfig --authspec "tacacs+;local" --backup
Deleting an authentication server from the configuration
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the aaaConfig --remove command.
When the command succeeds, the event log indicates that the server is removed.
Changing an authentication server configuration
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the aaaConfig --change command.
Changing the order in which authentication servers are contacted for service
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the aaaConfig --move command.
When the command succeeds, the event log indicates that a server configuration is changed.
Fabric OS Administrator’s Guide
53-1002745-02
175
5
Remote authentication
Displaying the current authentication configuration
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the aaaConfig --show command.
If a configuration exists, its parameters are displayed. If the RADIUS, LDAP, or TACACS+ service
is not configured, only the parameter heading line is displayed. Parameters include:
Position
Server
Port
Secret
Timeouts
Authentication
The order in which servers are contacted to provide service.
The server names or IPv4 or IPv6 addresses. IPv6 is not supported when using PEAP
authentication.
The server ports.
The shared secrets.
The length of time servers have to respond before the next server is contacted.
The type of authentication being used on servers.
Configuring local authentication as backup
It is useful to enable local authentication, so that the switch can take over authentication locally if
the RADIUS or LDAP servers fail to respond because of power outage or network problems.
Example of enabling local authentication as a backup for RADIUS
switch:admin> aaaconfig --authspec "radius;local" --backup
Example for LDAP
switch:admin> aaaconfig --authspec "ldap;local" --backup
Example for TACACS+
switch:admin> aaaconfig --authspec "tacacs+;local" --backup
For details about this command see Table 17 on page 151.
When local authentication is enabled and the authentication servers fail to respond, you can log in
to the default switch accounts (admin and user) or any user-defined account. You must know the
passwords of these accounts.
When the aaaConfig command succeeds, the event log indicates that local database
authentication is disabled or enabled.
176
Fabric OS Administrator’s Guide
53-1002745-02
Chapter
6
Configuring Protocols
In this chapter
• Security protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Secure Copy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Secure Shell protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Secure Sockets Layer protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Simple Network Management Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Telnet protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Listener applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Ports and applications used by switches. . . . . . . . . . . . . . . . . . . . . . . . . . .
177
178
179
182
188
190
192
192
Security protocols
Security protocols provide endpoint authentication and communications privacy using
cryptography. Typically, you are authenticated to the switch while the switch remains
unauthenticated to you. This means that you can be sure with what you are communicating. The
next level of security, in which both ends of the conversation are sure with whom they are
communicating, is known as two-factor authentication. Two-factor authentication requires public
key infrastructure (PKI) deployment to clients.
Fabric OS supports the secure protocols shown in Table 21.
TABLE 21
Secure protocol support
Protocol Description
HTTPS
HTTPS is a Uniform Resource Identifier scheme used to indicate a secure HTTP connection. Web Tools
supports the use of Hypertext Transfer Protocol over SSL (HTTPS).
IPsec
Internet Protocol Security (IPsec) is a framework of open standards for providing confidentiality,
authentication and integrity for IP data transmitted over untrusted links or networks.
LDAPS
Lightweight Directory Access Protocol over SSL (LDAPS) uses a certificate authority (CA). By default,
LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and secure by using
Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology in conjunction with LDAP.
SCP
Secure Copy (SCP) is a means of securely transferring computer files between a local and a remote host
or between two remote hosts, using the Secure Shell (SSH) protocol. Configuration upload and download
support the use of SCP.
SNMP
Simple Network Management Protocol (SNMP) is used in network management systems to monitor
network-attached devices for conditions that warrant administrative attention. Supports SNMPv1, v2,
and v3.
Fabric OS Administrator’s Guide
53-1002745-02
177
6
Secure Copy
TABLE 21
Secure protocol support (Continued)
Protocol Description
SSH
Secure Shell (SSH) is a network protocol that allows data to be exchanged over a secure channel
between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key
cryptography to authenticate the remote computer and allow the remote computer to authenticate the
user, if necessary.
SSL
Fabric OS uses Secure Socket Layer (SSL) to support HTTPS. A certificate must be generated and
installed on each switch to enable SSL. Supports SSLv3, 128-bit encryption by default.
Table 22 describes additional software or certificates that you must obtain to deploy secure
protocols.
TABLE 22
Items needed to deploy secure protocols
Protocol
Host side
Switch side
SSHv2
Secure shell client
None
HTTPS
No requirement on host side except a browser
that supports HTTPS
Switch IP certificate for SSL
SCP
SSH daemon, SCP server
None
SNMPv1, SNMPv2, SNMPv3
None
None
The security protocols are designed with the four main use cases described in Table 23.
TABLE 23
Main security scenarios
Fabric
Management interfaces Comments
Nonsecure
Nonsecure
No special setup is needed to use Telnet or HTTP.
Nonsecure
Secure
Secure protocols may be used. An SSL switch certificate must be installed if
HTTPS is used.
Secure
Secure
Switches running earlier Fabric OS versions can be part of the secure fabric,
but they do not support secure management.
Secure management protocols must be configured for each participating
switch. Nonsecure protocols may be disabled on nonparticipating switches.
If SSL is used, then certificates must be installed. For more information on
installing certificates, refer to “Installing a switch certificate” on page 185.
Secure
Nonsecure
You must use SSH because Telnet is not allowed with some features.
Secure Copy
The Secure Copy protocol (SCP) runs on port 22. It encrypts data during transfer, thereby avoiding
packet sniffers that attempt to extract useful information during data transfer. SCP relies on SSH to
provide authentication and security.
178
Fabric OS Administrator’s Guide
53-1002745-02
Secure Shell protocol
6
Setting up SCP for configuration uploads and downloads
Use the following procedure to configure SCP for configuration uploads and downloads.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the configure command.
3. Enter y or yes at the cfgload attributes prompt.
4. Enter y or yes at the Enforce secure configUpload/Download prompt.
Example of setting up SCP for configUpload/download
switch:admin# configure
Not all options will be available on an enabled switch.
To disable the switch, use the "switchDisable" command.
Configure...
System services (yes, y, no, n): [no] n
ssl attributes (yes, y, no, n): [no] n
http attributes (yes, y, no, n): [no] n
snmp attributes (yes, y, no, n): [no] n
rpcd attributes (yes, y, no, n): [no] n
cfgload attributes (yes, y, no, n): [no] y
Enforce secure config Upload/Download (yes, y, no, n): [no]# y
Enforce signature validation for firmware (yes, y, no, n): [no]#
Secure Shell protocol
To ensure security, Fabric OS supports Secure Shell (SSH) encrypted sessions. SSH encrypts all
messages, including the client transmission of the password during login. The SSH package
contains a daemon (sshd), which runs on the switch. The daemon supports a wide variety of
encryption algorithms, such as Blowfish-Cipher block chaining (CBC) and Advanced Encryption
Standard (AES).
NOTE
To maintain a secure network, you should avoid using Telnet or any other unprotected application
when you are working on the switch.
Commands that require a secure login channel must originate from an SSH session. If you start an
SSH session, and then use the login command to start a nested SSH session, commands that
require a secure channel will be rejected.
Fabric OS supports OpenSSH protocol v2.0 (ssh2) version 5.2p1. For more information on SSH,
refer to the SSH IETF website:
http://www.ietf.org/ids.by.wg/secsh.html
You can also refer to SSH, The Secure Shell: The Definitive Guide by Daniel J. Barrett, Ph. D.,
Richard E. Silverman, and Robert G. Byrnes.
Fabric OS Administrator’s Guide
53-1002745-02
179
6
Secure Shell protocol
SSH public key authentication
OpenSSH public key authentication provides password-less logins, known as SSH authentication,
that uses public and private key pairs for incoming and outgoing authentication. This feature allows
only one allowed-user to be configured to utilize outgoing OpenSSH public key authentication.Any
admin user can perform incoming Open SSH public key authentication. Using OpenSSH RSA and
DSA, the authentication protocols are based on a pair of specially generated cryptographic keys,
called the private key and the public key. The advantage of using these key-based authentication
systems is that in many cases, it is possible to establish secure connections without having to
depend on passwords for security. RSA asynchronous algorithms are FIPS-compliant.
Incoming authentication is used when the remote host needs to authenticate to the switch.
Outgoing authentication is used when the switch needs to authenticate to a server or remote host,
such as when running the configUpload or configDownload commands, or performing firmware
download. Both password and public key authentication can coexist on the switch.
Allowed-user
For outgoing authentication, the default admin user must set up the allowed-user with admin
permissions. By default, the admin is the configured allowed-user. While creating the key pair, the
configured allowed-user can choose a passphrase with which the private key is encrypted. Then the
passphrase must always be entered when authenticating to the switch. The allowed-user must
have admin permissions to perform OpenSSH public key authentication, import and export keys,
generate a key pair for an outgoing connection, and delete public and private keys.
Configuring incoming SSH authentication
1. Log in to your remote host.
2. Generate a key pair for host-to-switch (incoming) authentication by verifying that SSH v2 is
installed and working (refer to your host’s documentation as necessary) by entering the
following command:
ssh-keygen -t dsa
Example of RSA/DSA key pair generation
anyuser@mymachine: ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/users/anyuser/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /users/anyuser/.ssh/id_dsa.
Your public key has been saved in /users/anyuser/.ssh/id_dsa.pub.
The key fingerprint is:
32:9f:ae:b6:7f:7e:56:e4:b5:7a:21:f0:95:42:5c:d1 anyuser@mymachine
3. Import the public key to the switch by logging in to the switch as any user with the admin role
and entering the sshUtil importpubkey command to import the key.
Example of adding the public key to the switch
switch:anyuser> sshutil importpubkey
Enter user name for whom key is imported: aswitchuser
Enter IP address:192.168.38.244
Enter remote directory:~auser/.ssh
Enter public key name(must have .pub suffix):id_dsa.pub
180
Fabric OS Administrator’s Guide
53-1002745-02
Secure Shell protocol
6
Enter login name:auser
Password:
Public key is imported successfully.
4. Test the setup by logging in to the switch from a remote device, or by running a command
remotely using SSH.
Configuring outgoing SSH authentication
After the allowed-user is configured, the remaining setup steps must be completed by the
allowed-user.
Use the following procedure to configure outgoing SSH authentication:
1. Log in to the switch as the default admin.
2. Change the allowed-user’s permissions to admin, if applicable.
switch:admin> userconfig --change username -r admin
where the username variable is the name of the user who can perform SSH public key
authentication, and who can import, export, and delete keys.
3. Set up the allowed-user by typing the following command:
switch:admin> sshutil allowuser username
where the username variable is the name of the user who can perform SSH public key
authentication, and who can import, export, and delete keys.
4. Generate a key pair for switch-to-host (outgoing) authentication by logging in to the switch as
the allowed user and entering the sshUtil genkey command.
You may enter a passphrase for additional security.
Example of generating a key pair on the switch
switch:alloweduser> sshutil genkey
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Key pair generated successfully.
5. Export the public key to the host by logging in to the switch as the allowed-user and entering
the sshUtil exportpubkey command to export the key.
Example of exporting a public key from the switch
switch:alloweduser> sshutil exportpubkey
Enter IP address:192.168.38.244
Enter remote directory:~auser/.ssh
Enter login name:auser
Password:
public key out_going.pub is exported successfully.
6. Append the public key to a remote host by logging in to the remote host, locating the directory
where authorized keys are stored, and appending the public key to the file.
You may need to refer to the host’s documentation to locate where the authorized keys are
stored.
7.
Test the setup by using a command that uses SCP and authentication, such as
firmwareDownload or configUpload.
Fabric OS Administrator’s Guide
53-1002745-02
181
6
Secure Sockets Layer protocol
Deleting public keys on the switch
Use the following procedure to delete public keys from the switch.
1. Connect to the switch and log in using an account with admin permissions.
2. Use the sshUtil delpubkeys command to delete public keys.
You will be prompted to enter the name of the user whose the public keys you want to delete.
Enter all to delete public keys for all users.
For more information on IP filter policies, refer to Chapter 7, “Configuring Security Policies”.
Deleting private keys on the switch
Use the following procedure to delete private keys from the switch.
1. Log in to the switch as the allowed-user.
2. Use the sshUtil delprivkey command to delete the private key.
For more information on IP filter policies, refer to Chapter 7, “Configuring Security Policies”.
Secure Sockets Layer protocol
Secure Sockets Layer (SSL) protocol provides secure access to a fabric through web-based
management tools such as Web Tools. SSL support is a standard Fabric OS feature.
Switches configured for SSL grant access to management tools through Hypertext Transfer Protocol
over SSL links (which begin with https://) instead of standard links (which begin with http://).
SSL uses public key infrastructure (PKI) encryption to protect data transferred over SSL
connections. PKI is based on digital certificates obtained from an Internet Certificate Authority (CA)
that acts as the trusted key agent.
Certificates are based on the switch IP address or fully qualified domain name (FQDN), depending
on the issuing CA. If you change a switch IP address or FQDN after activating an associated
certificate, you may have to obtain and install a new certificate. Check with the CA to verify this
possibility, and plan these types of changes accordingly.
Browser and Java support
Fabric OS supports the following web browsers for SSL connections:
• Internet Explorer v7.0 or later (Microsoft Windows)
• Mozilla Firefox v2.0 or later (Solaris and Red Hat Linux)
NOTE
Review the release notes for the latest information and to verify if your platform and browser are
supported.
In countries that allow the use of 128-bit encryption, you should use the latest version of your
browser. For example, Internet Explorer 7.0 and later supports 128-bit encryption by default. You
can display the encryption support (called “cipher strength”) using the Internet Explorer Help:About
menu option. If you are running an earlier version of Internet Explorer, you may be able to download
an encryption patch from the Microsoft website at http://www.microsoft.com.
182
Fabric OS Administrator’s Guide
53-1002745-02
Secure Sockets Layer protocol
6
You should upgrade to the Java 1.6.0 plug-in on your management workstation. To find the Java
version that is currently running, open the Java console and look at the first line of the window.
For more details on levels of browser and Java support, refer to the Web Tools
Administrator’s Guide.
SSL configuration overview
You configure SSL access for a switch by obtaining, installing, and activating digital certificates.
Certificates are required on all switches that are to be accessed through SSL.
Also, you must install a certificate in the Java plug-in on the management workstation, and you may
need to add a certificate to your web browser.
Configuring for SSL involves these main steps, which are shown in detail in the next sections.
1. Choose a certificate authority (CA).
2. Generate the following items on each switch:
a.
A public and private key by using the secCertUtil genkey command.
b.
A certificate signing request (CSR) by using the secCertUtil gencsr command.
3. Store the CSR on a file server by using the secCertUtil export command.
4. Obtain the certificates from the CA.
You can request a certificate from a CA through a web browser. After you request a certificate,
the CA either sends certificate files by e-mail (public) or gives access to them on a remote host
(private).
5. On each switch, install the certificate. Once the certificate is loaded on the switch, HTTPS
starts automatically.
6. If necessary, install the root certificate to the browser on the management workstation.
7.
Add the root certificate to the Java plug-in keystore on the management workstation.
Certificate authorities
To ease maintenance and allow secure out-of-band communication between switches, consider
using one certificate authority (CA) to sign all management certificates for a fabric. If you use
different CAs, management services operate correctly, but the Web Tools Fabric Events button is
unable to retrieve events for the entire fabric.
Each CA (for example, Verisign or GeoTrust) has slightly different requirements; for example, some
generate certificates based on IP address, while others require an FQDN, and most require a 1024-bit
public/private key pair while some may accept a 2048-bit key. Consider your fabric configuration,
check CA websites for requirements, and gather all the information that the CA requires.
Generating a public-private key pair
Use the following procedure to generate a public-private key pair.
NOTE
You must perform this procedure on each switch.
Fabric OS Administrator’s Guide
53-1002745-02
183
6
Secure Sockets Layer protocol
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the secCertUtil genkey command to generate a public/private key pair.
The system reports that this process will disable secure protocols, delete any existing CSR, and
delete any existing certificates.
3. Respond to the prompts to continue and select the key size.
Example of generating a key
Continue (yes, y, no, n): [no] y
Select key size [1024 or 2048]: 1024
Generating new rsa public/private key pair
Done.
Because CA support for the 2048-bit key size is limited, you should select 1024 in most cases.
Generating and storing a Certificate Signing Request
After generating a public/private key pair, you must generate and store a certificate signing request
(CSR).
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the secCertUtil gencsr command.
3. Enter the requested information.
Example of generating a CSR
Country Name (2 letter code, eg, US):US
State or Province Name (full name, eg, California):California
Locality Name (eg, city name):San Jose
Organization Name (eg, company name):Brocade
Organizational Unit Name (eg, department name):Eng
Common Name (Fully qualified Domain Name, or IP address): 192.1.2.3
Generating CSR, file name is: 192.1.2.3.csr
Done.
Your CA may require specific codes for Country, State or Province, Locality, Organization, and
Organizational Unit names. Make sure that your spelling is correct and matches the CA
requirements. If the CA requires that the Common Name be specified as an FQDN, make sure
that the fully qualified domain name is set on the domain name switch/director. The IP
address or FQDN is the switch where the certificate gets installed.
4. Enter the secCertUtil export command to store the CSR.
5. Enter the requested information. You can use either FTP or SCP.
Example of exporting a CSR
Select protocol [ftp or scp]: ftp
Enter IP address: 192.1.2.3
Enter remote directory: path_to_remote_directory
Enter Login Name: your account
Enter Password: your password
Success: exported CSR.
If you are set up for Secure Copy Protocol (SCP), you can select it; otherwise, select FTP. Enter
the IP address of the switch on which you generated the CSR. Enter the remote directory name
of the FTP server to which the CSR is to be sent. Enter your account name and password on the
server.
184
Fabric OS Administrator’s Guide
53-1002745-02
Secure Sockets Layer protocol
6
Obtaining certificates
Once you have generated a CSR, you will need to follow the instructions on the website of the
certificate issuing authority that you want to use; and then obtain the certificate.
Fabric OS and HTTPS support the following types of files from the Certificate Authority(CA):
• .cer (binary)
• .crt (binary)
• .pem (text)
Typically, the CA provides the certificate files listed in Table 24.
TABLE 24
SSL certificate files
Certificate file
Description
name.pem
The switch certificate.
nameRoot.pem
The root certificate. Typically, this certificate is already installed in the browser, but if not, you
must install it.
nameCA.pem
The CA certificate. It must be installed in the browser to verify the validity of the server certificate
or server validation fails.
NOTE
You must perform this procedure for each switch.
Use the following procedure to obtain a security certificate.
1. Generate and store the CSR as described in “Generating and storing a Certificate Signing
Request” on page 184.
2. Open a web browser window on the management workstation and go to the CA website. Follow
the instructions to request a certificate. Locate the area in the request form into which you are
to paste the CSR.
3. Through a Telnet window, connect to the switch and log in using an account with admin
permissions.
4. Enter the secCertUtil showcsr command. The contents of the CSR are displayed.
5. Locate the section that begins with “BEGIN CERTIFICATE REQUEST” and ends with “END
CERTIFICATE REQUEST”.
6. Copy and paste this section (including the BEGIN and END lines) into the area provided in the
request form; then, follow the instructions to complete and send the request.
It may take several days to receive the certificates. If the certificates arrive by e-mail, save them to
an FTP server. If the CA provides access to the certificates on an FTP server, make note of the path
name and make sure you have a login name and password on the server.
Installing a switch certificate
Use the following procedure to install a security certificate on a switch.
NOTE
You must perform this procedure on each switch.
Fabric OS Administrator’s Guide
53-1002745-02
185
6
Secure Sockets Layer protocol
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the secCertUtil import command.
3. Select a protocol, enter the IP address of the host on which the switch certificate is saved, and
enter your login name and password.
Example of installing a switch certificate in interactive mode
switch:admin> seccertutil import -config swcert -enable https
Select protocol [ftp or scp]: ftp
Enter IP address: 192.10.11.12
Enter remote directory: path_to_remote_directory
Enter certificate name (must have ".crt", ".cer", \
".pem" or “.psk” suffix): 192.1.2.3.crt
Enter Login Name: your_account
Enter Password: *****
Success: imported certificate [192.1.2.3.crt].
Example of installing a switch certificate in noninteractive mode
switch:admin> seccertutil import -config swcert -enable https \
-protocol ftp -ipaddr 192.10.11.12 -remotedir path_to_remote_directory \
-certname 192.1.2.3.crt -login your_account -password passwd
Success: imported certificate [192.1.2.3.crt].
Certificate file in configuration has been updated.
Secure http has been enabled.
Important Notes
• Certificate Authorities may provide their certificates in different encodings and different
extensions. Be sure to save the certificate with the applicable file extension before you import
the certificate to the switch:
For example, certificates that contain lines similar to the following are usually .pem encoded:
“----BEGIN REQUEST----” and “----END REQUEST---- (and may include the
strings "x509" or "certificate")
• For Certificate Authorities that request information regarding the type of web server, Fabric OS
uses the Apache web server running on Linux.
The browser
The root certificate may already be installed on your browser, if not, you must install it. To see
whether it is already installed, check the certificate store on your browser.
The next procedures are guides for installing root certificates to Internet Explorer and Mozilla
Firefox browsers. For more detailed instructions, refer to the documentation that came with the
certificate.
Checking and installing root certificates on Internet Explorer
Use the following procedure to check and install a root security certificate on a switch using IE:
1. Select Tools > Internet Options.
2. Click the Content tab.
3. Click Certificates.
186
Fabric OS Administrator’s Guide
53-1002745-02
Secure Sockets Layer protocol
6
4. Click the Intermediate or Trusted Root tab and scroll the list to see if the root certificate is
listed. Take the appropriate following action based on whether you find the certificate:
• If the certificate is listed, you do not need to install it. You can skip the rest of this
procedure.
• If the certificate is not listed, click Import.
5. Follow the instructions in the Certificate Import wizard to import the certificate.
Checking and installing root certificates on Mozilla Firefox
Use the following procedure to check and install a root security certificate on a switch using Firefox:
1. Select Tools > Options.
2. Click Advanced.
3. Click the Encryption tab.
4. Click View Certificates > Authorities tab and scroll the list to see if the root certificate is listed.
For example, its name may have the form nameRoot.crt. Take the appropriate following action
based on whether you find the certificate:
• If the certificate is listed, you do not need to install it. You can skip the rest of this
procedure.
• If the certificate is not listed, click Import.
5. Browse to the certificate location and select the certificate. For example, select nameRoot.crt.
6. Click Open and follow the instructions to import the certificate.
Root certificates for the Java plugin
For information on Java requirements, refer to “Browser and Java support” on page 182.
This procedure is a guide for installing a root certificate to the Java plugin on the management
workstation. If the root certificate is not already installed to the plugin, you should install it.
For more detailed instructions, refer to the documentation that came with the certificate and to the
Sun Microsystems website (www.sun.com).
Installing a root certificate to the Java plugin
Use the following procedure to install a root certificate to the Java plugin.
1. Copy the root certificate file from its location on the FTP server to the Java plugin bin directory.
For example, the bin location may be:
C: \program files\java\j2re1.6.0\bin
2. Open a Command Prompt window and change the directory to the Java plugin bin directory.
3. Enter the keyTool command and respond to the prompts.
Example of installing a root certificate
C:\Program Files\Java\j2re1.6.0\bin> keytool -import -alias RootCert -file
RootCert.crt -keystore ..\lib\security\RootCerts
Enter keystore password: changeit
Owner: CN=Brocade, OU=Software, O=Brocade Communications, L=San Jose,
ST=California, C=US
Fabric OS Administrator’s Guide
53-1002745-02
187
6
Simple Network Management Protocol
Issuer: CN=Brocade, OU=Software, O=Brocade Communications, L=San Jose,
ST=California, C=US
Serial number: 0
Valid from: Thu Jan 15 16:27:03 PST 2007 until: Sat Feb 14 16:27:03 PST 2007
Certificate fingerprints:
MD5: 71:E9:27:44:01:30:48:CC:09:4D:11:80:9D:DE:A5:E3
SHA1: 06:46:C5:A5:C8:6C:93:9C:FE:6A:C0:EC:66:E9:51:C2:DB:E6:4F:A1
Trust this certificate? [no]: yes
Certificate was added to keystore
In the example, changeit is the default password and RootCert is an example root certificate name.
Simple Network Management Protocol
The Simple Network Management Protocol (SNMP) is a standard method for monitoring and
managing network devices. Using SNMP components, you can program tools to view, browse, and
manipulate Brocade switch variables and set up enterprise-level management processes.
Every Brocade switch carries an SNMP agent and management information base (MIB). The agent
accesses MIB information about a device and makes it available to a network management station.
You can manipulate information of your choice by trapping MIB elements using the Fabric OS
command line interface (CLI), Web Tools, or Brocade Network Advisor.
The SNMP access control list (ACL) provides a way for the administrator to restrict SNMP get, set,
trap, and inform operations to certain hosts and IP addresses. This is used for enhanced
management security in the storage area network.
For details on Brocade MIB files, naming conventions, loading instructions, and information about
using Brocade's SNMP agent, refer to the Fabric OS MIB Reference.
You can configure SNMPv3 and SNMPv1 for the automatic transmission of SNMP information to
management stations.
The configuration process involves configuring the SNMP agent and configuring SNMP traps. Use
the snmpConfig command to configure the SNMP agent and traps for SNMPv3 or SNMPv1
configurations, and the security level. You can specify no security, authentication only, or
authentication and privacy.
The SNMP trap configuration specifies the MIB trap elements to be used to send information to the
SNMP management station. There are two main MIB trap choices:
• Brocade-specific MIB trap
Associated with the Brocade-specific MIB (SW-MIB), this MIB monitors Brocade switches
specifically.
• FibreAlliance MIB trap
Associated with the FibreAlliance MIB (FA-MIB), this MIB manages SAN switches and devices
from any company that complies with FibreAlliance specifications.
If you use both SW-MIB and FA-MIB, you may receive duplicate information. You can disable the
FA-MIB, but not the SW-MIB.
You can also use these additional MIBs and their associated traps:
• FICON-MIB (for FICON environments)
188
Fabric OS Administrator’s Guide
53-1002745-02
Simple Network Management Protocol
6
• SW-EXTTRAP
Includes the swSsn (Software Serial Number) as a part of Brocade SW traps.
For information on Brocade MIBs, refer to the Fabric OS MIB Reference.
SNMP and Virtual Fabrics
When an SNMPv3 request arrives with a particular user name, it executes in the home Virtual
Fabric. From the SNMP manager, all SNMPv3 requests must have a home Virtual Fabric that is
specified in the contextName field. When the home Virtual Fabric is specified, it will be converted to
the corresponding switch ID and the home Virtual Fabric will be set. If the user does not have
permission for the specified home Virtual Fabric, this request fails with an error code of noAccess.
For an SNMPv3 user to have a home Virtual Fabric, a list of allowed Virtual Fabrics, an RBAC role,
and the name of the SNMPv3 user should match that of the Fabric OS user in the local switch
database. SNMPv3 users whose names do not match with any of the existing Fabric OS local users
have a default RBAC role of admin with the SNMPv3 user access control of read/write. Their
SNMPv3 user logs in with an access control of read-only. Both user types will have the default
switch as their home Virtual Fabrics.
The contextName field should have the format “VF:xxx”, where xxx is the actual VF_ID, for example
“VF:1”. If the contextName field is empty, then the home Virtual Fabric of the local Fabric OS user
with the same name is used. As Virtual Fabrics and Admin Domains are mutually exclusive, this
field is considered as Virtual Fabrics context when Virtual Fabrics is enabled. You cannot specify
chassis context in the contextName field.
The following example shows how the VF:xxx field is used in the snmpwalk command. This
command is executed on the host and it walks the entire MIB tree specified (.1).
switch# snmpwalk -u admin -v 3 -n VF:4 10.168.176.181.1
Filtering ports
Each port can belong to only one Virtual Fabric at any time. An SNMP request coming to one Virtual
Fabric can only view the port information of the ports belonging to that Virtual Fabric. All port
attributes are filtered to allow SNMP to obtain the port information only from within the current
Virtual Fabrics context.
Switch and chassis context enforcement
All attributes are classified into one of two categories:
• Chassis-level attributes
• Switch-level attributes
Attributes that are specific to each logical switch belong to the switch category. These attributes are
available in the Virtual Fabrics context and not available in the Chassis context.
Attributes that are common across the logical switches belong to the chassis level. These attributes
are accessible to users having the chassis-role permission. When a chassis table is queried, the
context is set to chassis context, if the user has the chassis-role permission. The context is
switched back to the original context after the operation is performed.
Fabric OS Administrator’s Guide
53-1002745-02
189
6
Telnet protocol
SNMP security levels
Use the snmpConfig --set seclevel command to set the security level. For more information about
using the Brocade SNMP agent, refer to the Fabric OS MIB Reference.
SNMP configuration
Use the snmpConfig --set command to change either the SNMPv3 or SNMPv1 configuration. You
can also change access control, MIB capability, and system group.
For details on Brocade MIB files, naming conventions, loading instructions, and information about
using the Brocade SNMP agent, refer to the Fabric OS MIB Reference.
Telnet protocol
Telnet is enabled by default. To prevent passing clear text passwords over the network when
connecting to the switch, you can block the Telnet protocol using an IP filter policy. For more
information on IP filter policies, refer to “IP Filter policy” on page 217.
ATTENTION
Before blocking Telnet, make sure you have an alternate method of establishing a connection with
the switch.
Blocking Telnet
If you create a new policy using commands with just one rule, all the missing rules have an implicit
deny and you lose all IP access to the switch, including Telnet, SSH, and management ports.
Use the following procedure to block Telnet access.
1. Connect to the switch and log in using an account with admin permissions.
2. Clone the default policy by typing the ipFilter --clone command.
switch:admin> ipfilter --clone BlockTelnet -from default_ipv4
3. Save the new policy by typing the ipFilter --save command.
switch:admin> ipfilter --save BlockTelnet
4. Verify the new policy exists by typing the ipFilter --show command.
switch:admin> ipfilter --show
5. Add a rule to the policy, by typing the ipFilter --addrule command.
switch:admin> ipfilter --addrule BlockTelnet -rule 1 -sip any -dp 23 -proto
tcp -act deny
190
Fabric OS Administrator’s Guide
53-1002745-02
Telnet protocol
6
ATTENTION
The rule number assigned must precede the default rule number for this protocol. For
example, in the defined policy, the Telnet rule number is 2. Therefore, to effectively block
Telnet, the rule number to assign must be 1.
If you choose not to use 1, you must delete the Telnet rule number 2 after adding this rule.
Refer to “Deleting a rule from an IP Filter policy” on page 223 for more information on deleting
IP filter rules.
6. Save the new IP filter policy by typing the ipfilter --save command.
7.
Verify the new policy is correct by typing the ipFilter --show command.
8. Activate the new IP filter policy by typing the ipfilter --activate command.
switch:admin> ipfilter --activate BlockTelnet
9. Verify the new policy is active (the default_ipv4 policy should be displayed as defined).
switch:admin> ipfilter --show
Name: BlockTelnet, Type: ipv4, State: defined
Rule
Source IP
Protocol
Dest
Port
1
any
tcp
23
2
any
tcp
22
3
any
tcp
22
4
any
tcp
897
5
any
tcp
898
6
any
tcp
111
7
any
tcp
80
8
any
tcp
443
9
any
udp
161
10
any
udp
111
11
any
udp
123
12
any
tcp
600 - 1023
13
any
udp
600 - 1023
Action
deny
permit
permit
permit
permit
permit
permit
permit
permit
permit
permit
permit
permit
Name: default_ipv4, Type: ipv4, State: defined
Rule
Source IP
Protocol
Dest
Port
1
any
tcp
22
2
any
tcp
23
3
any
tcp
897
4
any
tcp
898
5
any
tcp
111
6
any
tcp
80
7
any
tcp
443
8
any
udp
161
9
any
udp
111
10
any
udp
123
11
any
tcp
600 - 1023
12
any
udp
600 - 1023
Action
permit
permit
permit
permit
permit
permit
permit
permit
permit
permit
permit
permit
Unblocking Telnet
Use the following procedure to unblock Telnet access.
1. Connect to the switch through a serial port or SSH and log in as admin.
2. Enter the ipfilter --delete command.
Fabric OS Administrator’s Guide
53-1002745-02
191
6
Listener applications
Refer to “Deleting a rule from an IP Filter policy” on page 223 for more information on deleting
IP filter rules.
3. To permanently delete the policy, type the ipfilter --save command.
ATTENTION
If you deleted the rule to permit Telnet, you must add a rule to permit Telnet.
Listener applications
Brocade switches block Linux subsystem listener applications that are not used to implement
supported features and capabilities. Table 25 lists the listener applications that Brocade switches
either block or do not start.
TABLE 25
Blocked listener applications
Listener application
Brocade DCX and DCX 8510 Backbone families
Brocade switches
chargen
Disabled
Disabled
daytime
Disabled
Disabled
discard
Disabled
Disabled
echo
Disabled
Disabled
ftp
Disabled
Disabled
rexec
Block with packet filter
Disabled
rlogin
Block with packet filter
Disabled
rsh
Block with packet filter
Disabled
rstats
Disabled
Disabled
rusers
Disabled
Disabled
time
Block with packet filter
Disabled
Ports and applications used by switches
If you are using the FC-FC Routing Service, be aware that the secModeEnable command is not
supported.
Table 26 lists the defaults for accessing hosts, devices, switches, and zones.
TABLE 26
Access defaults
Access default
Hosts
Any host can access the fabric by SNMP.
Any host can Telnet to any switch in the fabric.
Any host can establish an HTTP connection to any switch in the fabric.
Any host can establish an API connection to any switch in the fabric.
192
Fabric OS Administrator’s Guide
53-1002745-02
Ports and applications used by switches
TABLE 26
6
Access defaults (Continued)
Access default
Devices
All devices can access the management server.
Any device can connect to any FC port in the fabric.
Switch access
Any switch can join the fabric.
All switches in the fabric can be accessed through a serial port.
Zoning
No zoning is enabled.
Port configuration
Table 27 provides information on ports that the switch uses. When configuring the switch for
various policies, take into consideration firewalls and other devices that may sit between switches
in the fabric and your network or between the managers and the switch.
TABLE 27
Port information
Port
Type
Common use
22
TCP
SSH, SCP
23
TCP
Telnet
Use the ipfilter command to block the port.
80
TCP
HTTP
Use the ipfilter command to block the port.
111
UDP
sunrpc
This port is used by Platform API. Use the ipfilter command to block the port.
123
UDP
NTP
161
UDP
SNMP
Disable the SNMP service on the remote host if you do not use it, or filter
incoming UDP packets going to this port.
443
TCP
HTTPS
Use the ipfilter command to block the port.
512
TCP
exec
513
TCP
login
514
TCP
shell
897
TCP
Fabric OS Administrator’s Guide
53-1002745-02
Comment
This port is used by the Platform API.
193
6
194
Ports and applications used by switches
Fabric OS Administrator’s Guide
53-1002745-02
Chapter
7
Configuring Security Policies
In this chapter
• ACL policies overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• ACL policy management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• FCS policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Device Connection Control policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• SCC Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Authentication policy for fabric elements . . . . . . . . . . . . . . . . . . . . . . . . . .
• IP Filter policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Policy database distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Management interface security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
195
196
199
203
206
207
217
224
231
ACL policies overview
Each supported Access Control List (ACL) policy listed below is identified by a specific name, and
only one policy of each type can exist, except for DCC policies. Policy names are case-sensitive and
must be entered in all uppercase. Fabric OS provides the following policies:
• Fabric configuration server (FCS) policy — Used to restrict which switches can change the
configuration of the fabric.
• Device connection control (DCC) policies — Used to restrict which Fibre Channel device ports
can connect to which Fibre Channel switch ports.
• Switch connection control (SCC) policy — Used to restrict which switches can join with a switch.
NOTE
Run all commands in this chapter by logging in to Administrative Domain (AD) 255 with the
suggested permissions. If Administrative Domains have not been implemented, log in to AD0.
How the ACL policies are stored
The policies are stored in a local database. The database contains the ACL policy types of FCS,
DCC, SCC, and IPFilter. The number of policies that may be defined is limited by the size of the
database. FCS, SCC and DCC policies are all stored in the same database.
In a fabric with Fabric OS v6.2.0 and later switches present, the limit for security policy database
size is set to 1Mb. The policies are grouped by state and type. A policy can be in either of the
following states:
• Active, which means the policy is being enforced by the switch.
• Defined, which means the policy has been set up but is not enforced.
Fabric OS Administrator’s Guide
53-1002745-02
195
7
ACL policy management
Policies with the same state are grouped together in a Policy Set. Each switch has the following two
sets:
• Active policy set, which contains ACL policies being enforced by the switch.
• Defined policy set, which contains a copy of all ACL policies on the switch.
When a policy is activated, the defined policy either replaces the policy with the same name in the
active set or becomes a new active policy. If a policy appears in the defined set but not in the active
set, the policy was saved but has not been activated. If a policy with the same name appears in
both the defined and active sets but they have different values, then the policy has been modified
but the changes have not been activated.
Admin Domain considerations: ACL management can be done on AD255 and in AD0 only if there
are no user-defined Admin Domains. Both AD0 (when no other user-defined Admin Domains exist)
and AD255 provide an unfiltered view of the fabric.
Virtual Fabric considerations: ACL policies such as DCC, SCC, and FCS can be configured on each
logical switch. The limit for security policy database size is set to 1Mb per logical switch.
Policy members
The FCS, DCC and SCC policy members are specified by device port WWN, switch WWN, domain
IDs, or switch names, depending on the policy. The valid methods for specifying policy members
are listed in Table 28.
TABLE 28
Valid methods for specifying policy members
Policy name
Device port WWN or
Fabric port WWN
Switch WWN
Domain ID
Switch name
FCS_POLICY
No
Yes
Yes
Yes
DCC_POLICY_nnn
Yes
Yes
Yes
Yes
SCC_POLICY
No
Yes
Yes
Yes
ACL policy management
All policy modifications are temporarily stored in volatile memory until those changes are saved or
activated. You can create multiple sessions to the switch from one or more hosts. It is
recommended you make changes from one switch only to prevent multiple transactions from
occurring. Each logical switch will have its own access control list.
The FCS, SCC and DCC policies in Secure Fabric OS are not interchangeable with Fabric OS FCS,
SCC and DCC policies. Uploading and saving a copy of the Fabric OS configuration after creating
policies is strongly recommended. For more information on configuration uploads, see Chapter 8,
“Maintaining the Switch Configuration File”.
NOTE
All changes, including the creation of new policies, are saved and activated on the local switch only—
unless the switch is in a fabric that has a strict or tolerant fabric-wide consistency policy for the ACL
policy type for SCC or DCC. See “Policy database distribution” on page 224 for more information on
the database settings and fabric-wide consistency policy.
196
Fabric OS Administrator’s Guide
53-1002745-02
ACL policy management
7
Displaying ACL policies
You can view the active and defined policy sets at any time. Additionally, in a defined policy set,
policies created in the same login session also appear but these policies are automatically deleted
if the you log out without saving them.
1. Connect to the switch and log in using an account with admin permissions, or an account with
O permission for the Security RBAC class of commands.
2. Type the secPolicyShow command.
switch:admin> secPolicyShow
____________________________________________________
ACTIVE POLICY SET
____________________________________________________
DEFINED POLICY SET
Saving changes without activating the policies
1. Connect to the switch and log in using an account with admin permissions, or an account with
OM permissions for the Security RBAC class of commands.
2. Enter the secPolicySave command.
Activating ACL policy changes
You can implement changes to the ACL policies using the secPolicyActivate command. This saves
the changes to the active policy set and activates all policy changes since the last time the
command was issued. You cannot activate policies on an individual basis; all changes to the entire
policy set are activated by the command. Until a secPolicySave or secPolicyActivate command is
issued, all policy changes are in volatile memory only and are lost upon rebooting.
1. Connect to the switch and log in using an account with admin permissions, or an account with
OM permissions for the Security RBAC class of commands.
2. Type the secPolicyActivate command.
Example of activating policy changes
switch:admin> secpolicyactivate
About to overwrite the current Active data.
ARE YOU SURE (yes, y, no, n): [no] y
Deleting an ACL policy
1. Connect to the switch and log in using an account with admin permissions, or an account with
OM permissions for the Security RBAC class of commands.
2. Type secPolicyDelete “policy_name”.
where policy_name is the name of the ACL policy.
3. Save and activate the policy deletion by entering the secPolicyActivate command.
Fabric OS Administrator’s Guide
53-1002745-02
197
7
ACL policy management
Example of deleting an ACL policy
switch:admin> secpolicydelete "DCC_POLICY_010"
About to delete policy Finance_Policy.
Are you sure (yes, y, no, n):[no] y
Finance_Policy has been deleted.
Adding a member to an existing ACL policy
As soon as a policy has been activated, the aspect of the fabric managed by that policy is enforced.
1. Connect to the switch and log in using an account with admin permissions, or an account with
OM permissions for the Security RBAC class of commands.
2. Enter the secPolicyAdd command.
3. To implement the change immediately, enter the secPolicyActivate command.
Example of adding to an ACL policy
For example, to add a member to the SCC_POLICY using the switch WWN:
switch:admin> secpolicyadd "SCC_POLICY", "12:24:45:10:0a:67:00:40"
Member(s) have been added to SCC_POLICY.
Example of adding members to the DCC policy
To add two devices to the DCC policy, and to attach domain 3 ports 1 and 3 (WWNs of devices
are 11:22:33:44:55:66:77:aa and 11:22:33:44:55:66:77:bb):
switch:admin> secpolicyadd "DCC_POLICY_abc",
"11:22:33:44:55:66:77:aa;11:22:33:44:55:66:77:bb;3(1,3)"
Removing a member from an ACL policy
As soon as a policy has been activated, the aspect of the fabric managed by that policy is enforced.
1. Connect to the switch and log in using an account with admin permissions, or an account with
OM permissions for the Security RBAC class of commands.
2. Enter the secPolicyRemove command.
3. To implement the change immediately, enter the secPolicyActivate command.
Example of removing a member
For example, to remove a member that has a WWN of 12:24:45:10:0a:67:00:40 from the
SCC_POLICY:
switch:admin> secpolicyremove "SCC_POLICY", "12:24:45:10:0a:67:00:40"
Member(s) have been removed from SCC_POLICY.
Abandoning unsaved ACL policy changes
You can abandon all ACL policy changes that have not yet been saved.
1. Connect to the switch and log in using an account with admin permissions, or an account with
OM permissions for the Security RBAC class of commands.
2. Enter the secPolicyAbort command.
198
Fabric OS Administrator’s Guide
53-1002745-02
FCS policies
7
Example of aborting unsaved changes
switch:admin> secpolicyabort
Unsaved data has been aborted.
All changes since the last time the secPolicySave or secPolicyActivate commands were entered are
aborted.
FCS policies
Fabric configuration server (FCS) policy in base Fabric OS may be performed on a local switch basis
and may be performed on any switch in the fabric.
The FCS policy is not present by default, but must be created. When the FCS policy is created, the
WWN of the local switch is automatically included in the FCS list. Additional switches can be
included in the FCS list. The first switch in the list becomes the Primary FCS switch.
Switches in the fabric are designated as either a Primary FCS, backup FCS, or non-FCS switch. Only
the Primary FCS switch is allowed to modify and distribute the database within the fabric.
Automatic distribution is supported and you can either configure the switches in your fabric to
accept the FCS policy or manually distribute the FCS policy. Changes made to the FCS policy are
saved to permanent memory only after the changes have been saved or activated; they can be
aborted later if you have set your fabric to distribute the changes manually.
TABLE 29
FCS policy states
Policy state
Characteristics
No active policy
Any switch can perform fabric-wide configuration changes.
Active policy with one entry
A Primary FCS switch is designated (local switch), but there are no backup
FCS switches. If the Primary FCS switch becomes unavailable for any reason,
the fabric is left without an FCS switch.
Active policy with multiple entries
A Primary FCS switch and one or more backup FCS switches are designated. If
the Primary FCS switch becomes unavailable, the next switch in the list
becomes the Primary FCS switch.
FCS policy restrictions
The backup FCS switches normally cannot modify the policy. However, if the Primary FCS switch in
the policy list is not reachable, then a backup FCS switch is allowed to modify the policy.
Once an FCS policy is configured and distributed across the fabric, only the Primary FCS switch can
perform certain operations. Operations that affect fabric-wide configuration are allowed only from
the Primary FCS switch. Backup and non-FCS switches cannot perform security, zoning and AD
operations that affect the fabric configuration. The following error message is returned if a backup
or non-FCS switch tries to perform these operations:
Can only execute this command on the Primary FCS switch.
Operations that do not affect the fabric configuration, such as show or local switch commands, are
allowed on backup and non-FCS switches.
FCS enforcement applies only for user-initiated fabric-wide operations. Internal fabric data
propagation because of a fabric merge is not blocked. Consequently, a new switch that joins the
FCS-enabled fabric could still propagate the AD and zone database.
Fabric OS Administrator’s Guide
53-1002745-02
199
7
FCS policies
Table 30 shows the commands for switch operations for Primary FCS enforcement.
TABLE 30
FCS switch operations
Allowed on FCS switches
Allowed on all switches
secPolicyAdd (Allowed on all switches for SCC and DCC
policies as long as it is not fabric-wide)
secPolicyShow
secPolicyCreate (Allowed on all switches for SCC and
DCC policies as long as it is not fabric-wide)
fddCfg –-localaccept or fddCfg --localreject
secPolicyDelete (Allowed on all switches for SCC and
DCC policies as long as its not fabric-wide)
userconfig, Passwd, Passwdcfg (Fabric-wide distribution
is not allowed from a backup or non-FCS switch.)
secPolicyRemove (Allowed on all switches for SCC and
DCC policies as long as its not fabric-wide)
secPolicyActivate
fddCfg –-fabwideset
secPolicySave
Any fabric-wide commands
secPolicyAbort
All zoning commands except the show commands
SNMP commands
All AD commands
configupload
Any local-switch commands
Any AD command that does not affect fabric-wide
configuration
In Fabric OS v7.1.0 and later, to avoid segmentation of ports due to a member-list order mismatch,
security policy members are sorted based on WWN. By default, DCC and SCC policy members are
sorted based on WWN. Switches running earlier Fabric OS versions will have the member list in the
unsorted manner. Any older-version switch with a policy already created in unsorted order will have
port segmentation due to order mismatch when attempting to join any switch with Fabric OS v7.1.0
or later. To overcome the order mismatch, you can modify the member list in the switch by using the
-legacy option. For more information about using the -legacy option in the secPolicyAdd and
secPolicyCreate commands, refer to Fabric OS Command Reference, Supporting Fabric OS, v7.1.0.
Ensuring fabric domains share policies
Whether your intention is to create new FCS policies or manage your current FCS policies, you must
follow certain steps to ensure the domains throughout your fabric have the same policy.
The local-switch WWN cannot be deleted from the FCS policy.
1. Create the FCS policy using the secPolicyCreate command.
2. Activate the policy using the secPolicyActivate command.
If the command is not entered, the changes are lost when the session is logged out.
3. To distribute the policies, enter the distribute -p policy_list -d switch_list command to either
send the policies to intended domains, or enter the distribute -p policy_list -d wild_card (*)
command to send the policies to all switches.
200
Fabric OS Administrator’s Guide
53-1002745-02
FCS policies
7
Creating an FCS policy
1. Connect to the switch and log in using an account with admin permissions, or an account with
OM permissions for the Security RBAC class of commands.
2. Enter the secPolicyCreate “FCS_POLICY” command.
Example of creating an FCS policy
The following example creates an FCS policy that allows a switch with domain ID 2 to become a
primary FCS and domain ID 4 to become a backup FCS:
switch:admin> secpolicycreate "FCS_POLICY", "2;4"
FCS_POLICY has been created
3. To save or activate the new policy, enter either the secPolicySave or the secPolicyActivate
command. Once the policy has been activated you can distribute the policy.
NOTE
FCS policy must be consistent across the fabric. If the policy is inconsistent in the fabric, then you
will not be able to perform any fabric-wide configurations from the primary FCS.
Modifying the order of FCS switches
1. Log in to the Primary FCS switch using an account with admin permissions, or an account with
OM permissions for the Security RBAC class of commands.
2. Type secPolicyShow “Defined”, “FCS_POLICY”.
This displays the WWNs of the current Primary FCS switch and backup FCS switches.
3. Type secPolicyFCSMove; then provide the current position of the switch in the list and the
desired position at the prompts.
Alternatively, enter secPolicyFCSMove [From, To] command. From is the current position in the
list of the FCS switch and To is the desired position in the list for this switch.
Example of moving an FCS policy
The following example moves a backup FCS switch from position 2 to position 3 in the FCS list,
using interactive mode:
primaryfcs:admin> secpolicyfcsmove
Pos
Primary WWN
DId swName.
=================================================
1
Yes
10:00:00:60:69:10:02:18
1 switch5.
2
No
10:00:00:60:69:00:00:5a
2 switch60.
3
No
10:00:00:60:69:00:00:13
3 switch73.
Please enter position you’d like to move from : (1..3) [1] 2
Please enter position you’d like to move to : (1..3) [1] 3
____________________________________________________
DEFINED POLICY SET
FCS_POLICY
Pos
Primary WWN
DId swName
__________________________________________________
1
Yes
10:00:00:60:69:10:02:18
1 switch5.
2
No
10:00:00:60:69:00:00:13
3 switch73.
3
No
10:00:00:60:69:00:00:5a
2 switch60.
____________________________________________________
4. Type the secPolicyActivate command to activate and save the new order.
Fabric OS Administrator’s Guide
53-1002745-02
201
7
FCS policies
FCS policy distribution
The FCS policy can be automatically distributed using the fddCfg --fabwideset command or it can
be manually distributed to the switches using the distribute -p command. Each switch that receives
the FCS policy must be configured to receive the policy. To configure the switch to accept
distribution of the FCS policy, refer to “Database distribution settings” on page 225.
Database distributions may be initiated from only the Primary FCS switch. FCS policy configuration
and management is performed using the command line or a manageability interface.
Only the Primary FCS switch is allowed to distribute the database. The FCS policy can be manually
distributed across the fabric using the distribute -p command. Since this policy is distributed
manually, the command fddCfg –-fabwideset is used to distribute a fabric-wide consistency policy
for FCS policy in an environment consisting of only Fabric OS v6.2.0 and later switches.
FCS enforcement for the distribute command is handled differently for FCS and other databases in
an FCS fabric:
• For an FCS database, the enforcement allows any switch to initiate the distribution. This is to
support FCS policy creation specifying a remote switch as Primary.
• For other database distributions, only the Primary FCS switch can initiate the distribution.
The FCS policy distribution is allowed to be distributed from a switch in the FCS list. However, if
none of the FCS switches in the existing FCS list are reachable, receiving switches accept
distribution from any switch in the fabric. To learn more about how to distribute policies, refer to
“ACL policy distribution to other switches” on page 227.
Local switch configuration parameters are needed to control whether a switch accepts or rejects
distributions of FCS policy and whether the switch is allowed to initiate distribution of an FCS policy.
A configuration parameter controls whether the distribution of the policy is accepted or rejected on
the local switch. Setting the configuration parameter to accept indicates distribution of the policy
will be accepted and distribution may be initiated using the distribute -p command. Setting the
configuration parameter to reject indicates the policy distribution is rejected and the switch may
not distribute the policy.
The default value for the distribution configuration parameter is accept, which means the switch
accepts all database distributions and is able to initiate a distribute operation for all databases.
TABLE 31
Distribution policy states
Fabric OS
State
v6.2.0 and later configured to accept Target switch accepts distribution and fabric state change occurs.
v6.2.0 and later configured to reject
202
Target switch explicitly rejects the distribution and the operation fails.
The entire transaction is aborted and no fabric state change occurs.
Fabric OS Administrator’s Guide
53-1002745-02
Device Connection Control policies
7
Device Connection Control policies
Multiple Device Connection Control (DCC) policies can be used to restrict which device ports can
connect to which switch ports. The devices can be initiators, targets, or intermediate devices such
as SCSI routers and loop hubs. By default, all device ports are allowed to connect to all switch
ports; no DCC policies exist until they are created. For information regarding DCC policies and
F_Port trunking, refer to the Access Gateway Administrator’s Guide.
Each device port can be bound to one or more switch ports; the same device ports and switch
ports may be listed in multiple DCC policies. After a switch port is specified in a DCC policy, it
permits connections only from designated device ports. Device ports that are not specified in any
DCC policies are allowed to connect only to switch ports that are not specified in any DCC policies.
When a DCC violation occurs, the related port is automatically disabled and must be re-enabled
using the portEnable command.
Table 32 on page 203 shows the possible DCC policy states.
TABLE 32
DCC policy states
Policy state
Characteristics
No policy
Any device can connect to any switch port in the fabric.
Policy with no
entries
Any device can connect to any switch port in the fabric. An empty policy is the same as no
policy.
Policy with entries
If a device WWN or Fabric port WWN is specified in a DCC policy, that device is only allowed
access to the switch if connected by a switch port listed in the same policy.
If a switch port is specified in a DCC policy, it only permits connections from devices that are
listed in the policy.
Devices with WWNs that are not specified in a DCC policy are allowed to connect to the
switch at any switch ports that are not specified in a DCC policy.
Switch ports and device WWNs may exist in multiple DCC policies.
Proxy devices are always granted full access and can connect to any switch port in the fabric.
Virtual Fabrics considerations
The DCC policies that have entries for the ports that are being moved from one logical switch to
another will be considered stale and will not be enforced. You can choose to keep stale policies in
the current logical switch or delete the stale policies after the port movements. Use the
secPolicyDelete command to delete stale DCC policies.
DCC policy restrictions
The following restrictions apply when using DCC policies:
• Some older private-loop host bus adaptors (HBAs) do not respond to port login from the switch
and are not enforced by the DCC policy. This does not create a security problem because these
HBAs cannot contact any device outside of their immediate loop.
• DCC policies cannot manage or restrict iSCSI connections, that is, an FC Initiator connection
from an iSCSI gateway.
• You cannot manage proxy devices with DCC policies. Proxy devices are always granted full
access, even if the DCC policy has an entry that restricts or limits access of a proxy device.
• DCC policies are not supported on the CEE ports of the Brocade 8000.
Fabric OS Administrator’s Guide
53-1002745-02
203
7
Device Connection Control policies
Creating a DCC policy
DCC policies must follow the naming convention “DCC_POLICY_nnn,” where nnn represents a
unique string. The maximum length is 30 characters, including the prefix DCC_POLICY_.
Device ports must be specified by port WWN. Switch ports can be identified by the switch WWN,
domain ID, or switch name followed by the port or area number. To specify an allowed connection,
enter the device port WWN, a semicolon, and the switch port identification.
The following methods of specifying an allowed connection are possible:
• deviceportWWN;switchWWN (port or area number)
• deviceportWWN;domainID (port or area number)
• deviceportWWN;switchname (port or area number)
1. Connect to the switch and log in using an account with admin permissions, or an account with
OM permissions for the Security RBAC class of commands.
2. Enter the secPolicyCreate “DCC_POLICY_nnn” command.
DCC_POLICY_nnn is the name of the DCC policy; nnn is a string consisting of up to 19
alphanumeric or underscore characters to differentiate it from any other DCC policies.
3. To save or activate the new policy, enter the appropriate command:
• To save the policy, enter the secPolicySave command.
• To save and activate the policy, enter the secPolicyActivate command.
If neither of these commands is entered, the changes are lost when the session is logged out.
Example of creating DCC policies
To create the DCC policy “DCC_POLICY_server” that includes device 11:22:33:44:55:66:77:aa
and port 1 and port 3 of switch domain 1:
switch:admin> secpolicycreate
"DCC_POLICY_server","11:22:33:44:55:66:77:aa;1(1,3)"
DCC_POLICY_server has been created
To create the DCC policy “DCC_POLICY_storage” that includes device port WWN
22:33:44:55:66:77:11:bb, all ports of switch domain 2, and all currently connected devices of
switch domain 2:
switch:admin> secpolicycreate "DCC_POLICY_storage",
"22:33:44:55:66:77:11:bb;2[*]"
DCC_POLICY_storage has been created
To create the DCC policy “DCC_POLICY_abc” that includes device 33:44:55:66:77:11:22:cc
and ports 1 through 6 and port 9 of switch domain 3:
switch:admin> secpolicycreate "DCC_POLICY_abc",
"33:44:55:66:77:11:22:cc;3(1-6,9)"
DCC_POLICY_abc has been created
To create the DCC policy “DCC_POLICY_example” that includes devices
44:55:66:77:22:33:44:dd and 33:44:55:66:77:11:22:cc, ports 1 through 4 of switch domain
4, and all devices currently connected to ports 1 through 4 of switch domain 4:
switch:admin> secpolicycreate "DCC_POLICY_example",
"44:55:66:77:22:33:44:dd;33:44:55:66:77:11:22:cc;4[1-4]"
DCC_POLICY_example has been created
204
Fabric OS Administrator’s Guide
53-1002745-02
Device Connection Control policies
7
Deleting a DCC policy
1. Connect to the switch and log in using an account with admin permissions, or an account with
OM permissions for the Security RBAC class of commands.
2. Enter the secPolicyDelete command.
Example of deleting stale DCC policies
switch:admin> secpolicydelete ALL_STALE_DCC_POLICY
About to clear all STALE DCC policies
ARE YOU SURE (yes, y, no, n): [no] y
DCC policy behavior with Fabric-Assigned PWWNs
A DCC policy check is always performed for the physical port WWN of a device when the HBA has
established that the device is attempting a normal FLOGI and has both a fabric-assigned port WWN
(FA-PWWN) and a physical port WWN.
DCC policies created with FA-PWWNs will result in the disabling of FA-PWWN assigned ports on
subsequent FLOGI. It is therefore recommended to create policies with the physical PWWN
DCC policies created with the lock down feature result in DCC policies with FA-PWWNs. It is
therefore recommended to avoid using the lock down feature in fabrics that are using FA-PWWNs.
A DCC policy created with a device WWN for a specific port allows the device to log in only on the
same port. The same device will not be allowed to log in on a different port. For devices that log in
across an AG, the policy should be created with all the NPIV ports, so even if failover occurs the
device will be allowed to log in on a different NPIV port.
Table 33 lists the behavior of the DCC policy with FA-PWWNs in the fabric when the DCC policy is
created using lockdown support.
TABLE 33
DCC policy behavior with FA-PWWN when created using lockdown support
Configuration
WWN seen on
DCC policy list
Behavior when DCC policy
activates
Behavior on portDisable
and portEnable
•
•
FA-PWWN has logged into the switch
DCC policy creation with lock down
(uses FA-PWWN).
DCC policy activation.
FA-PWWN
Traffic will not be
disrupted.1
Ports will be disabled
for security violation.2
DCC policy creation with lockdown
(uses physical PWWN).
FA-PWWN has logged into the switch
DCC policy activation.
Physical
PWWN
Traffic will not be
disrupted.
Ports will come up
without security
issues.
DCC policy creation with lockdown
(uses physical PWWN)
DCC policy activation
FA-PWWN has logged into the switch
Physical
PWWN
Traffic will not be
disrupted.
Ports will come up
without any security
issues.
•
•
•
•
•
•
•
1. Indicates a security concern, because devices that are logged in with FA-PWWNs will not be disabled after
activation of DCC policies that are created with FA-PWWNs. This is done to avoid disturbing any existing
management.
2. Any disruption in the port will disable the port for a security violation. As the traffic is already disrupted for this
port, you must enforce the DCC policy for a physical device WWN; otherwise, the device will not be allowed to login
again.
Fabric OS Administrator’s Guide
53-1002745-02
205
7
SCC Policies
Table 34 shows the behavior of a DCC policy created manually with the physical PWWN of a device.
The configurations shown in this table are the recommended configurations when an FA-PWWN is
logged into the switch.
TABLE 34
DCC policy behavior when created manually with PWWN
Configuration
WWN seen on
DCC policy list
Behavior when DCC policy
activates
Behavior on portDisable
and portEnable
•
•
FA-PWWN has logged into the switch.
DCC policy creation manually with
physical PWWN of device.
DCC policy activation.
PWWN
Traffic will not be
disrupted.
Ports will come up
without security
issues.
DCC policy creation. manually with
physical PWWN
FA-PWWN has logged into the switch.
DCC policy activation.
PWWN
Traffic will not be
disrupted.
Ports will come up
without security
issues.
DCC policy creation manually with
physical PWWN,
DCC policy activation.
FA-PWWN has logged into the switch.
Physical PWWN Traffic will not be
disrupted.
•
•
•
•
•
•
•
Ports will come up
without any security
issues.
SCC Policies
The switch connection control (SCC) policy is used to restrict which switches can join the fabric.
Switches are checked against the policy each time an E_Port-to-E_Port connection is made. The
policy is named SCC_POLICY and accepts members listed as WWNs, domain IDs, or switch names.
Only one SCC policy can be created.
By default, any switch is allowed to join the fabric; the SCC policy does not exist until it is created.
When connecting a Fibre Channel router to a fabric or switch that has an active SCC policy, the
front domain of the Fibre Channel router must be included in the SCC policy.
SCC policy states are shown in Table 35.
TABLE 35
SCC policy states
Policy state
SCC policy enforcement
No active policy
All switches can connect to the switch with the specified policy.
Active policy that has no members
All neighboring switches are segmented.
Active policy that has members
The neighboring switches not specified in the SCC policy are segmented.
Virtual Fabrics considerations: In a logical fabric environment the SCC policy enforcement is not
done on the logical ISL. For a logical ISL-based switch, the SCC policy enforcement is considered as
the reference and the logical ISL is formed if the SCC enforcement passes on the extended ISL. The
following changes:
• A logical switch supports an SCC policy. You can configure and distribute an SCC policy on a
logical switch.
• SCC enforcement is performed on a ISL based on the SCC policy present on the logical switch.
For more information on Virtual Fabrics, refer to Chapter 10, “Managing Virtual Fabrics”.
206
Fabric OS Administrator’s Guide
53-1002745-02
Authentication policy for fabric elements
7
Creating an SCC policy
1. Connect to the switch and log in using an account with admin permissions, or an account with
OM permissions for the Security RBAC class of commands.
2. Enter the secPolicyCreate “SCC_POLICY” command.
3. Save or activate the new policy by entering either the secPolicySave or the secPolicyActivate
command.
If neither of these commands is entered, the changes are lost when the session is logged out.
Example of creating an SCC policy
For example, to create an SCC policy that allows switches that have domain IDs 2 and 4 to join
the fabric:
switch:admin> secpolicycreate "SCC_POLICY", "2;4"
SCC_POLICY has been created
switch:admin> secpolicysave
Authentication policy for fabric elements
By default, Fabric OS v6.2.0 and later use Diffie Hellman - Challenge Handshake Authentication
Protocol) (DH-CHAP) or Fibre Channel Authentication Protocol (FCAP) for authentication. These
protocols use shared secrets and digital certificates, based on switch WWN and public key
infrastructure (PKI) technology, to authenticate switches. Authentication automatically defaults to
FCAP if both switches are configured to accept FCAP protocol in authentication, unless ports are
configured for in-flight encryption, in which case authentication defaults to DH-CHAP if both
switches are configured to accept the DH-CHAP protocol in authentication. To use FCAP on both
switches, PKI certificates have to be installed.
NOTE
The fabric authentication feature is available in base Fabric OS. No license is required.
FCAP requires the exchange of certificates between two or more switches to authenticate to each
other before they form or join a fabric. Beginning with Fabric OS v7.0.0, these certificates are no
longer issued by Brocade, but by a third-party which is now the root CA for all of the issued
certificates. You can use Brocade and third-party certificates between switches that are Fabric OS
v6.4.0, but only Brocade-issued certificates (where Brocade is the root CA) for Fabric OS versions
earlier than v6.4.0. The certificates must be in PEM (Privacy Enhanced Mail) encoded format for
both root and peer certificates. The switch certificates issued from the third-party vendors can be
directly issued from the root CA or from an intermediate CA authority.
When you configure DH-CHAP authentication, you also must define a pair of shared secrets known
to both switches as a secret key pair. Figure 13 illustrates how the secrets are configured. A secret
key pair consists of a local secret and a peer secret. The local secret uniquely identifies the local
switch. The peer secret uniquely identifies the entity to which the local switch authenticates. Every
switch can share a secret key pair with any other switch or host in a fabric.
To use DH-CHAP authentication, a secret key pair has to be configured on both switches. For more
information on setting up secret key pairs, refer to “Setting a secret key pair” on page 214.
When configured, the secret key pair is used for authentication. Authentication occurs whenever
there is a state change for the switch or port. The state change can be due to a switch reboot, a
switch or port disable and enable, or the activation of a policy.
Fabric OS Administrator’s Guide
53-1002745-02
207
7
Authentication policy for fabric elements
Key database on switch
Local secret A
Peer secret B
Switch A
FIGURE 13
Key database on switch
Local secret B
Peer secret A
Switch B
DH-CHAP authentication
If you use DH-CHAP authentication, then a secret key pair must be installed only in connected
fabric elements. However, as connections are changed, new secret key pairs must be installed
between newly connected elements. Alternatively, a secret key pair for all possible connections
may be initially installed, enabling links to be arbitrarily changed while still maintaining a valid
secret key pair for any new connection.
The switch authentication (AUTH) policy initiates DH-CHAP/FCAP authentication on all E_Ports. This
policy is persistent across reboots, which means authentication will be initiated automatically on
ports or switches brought online if the policy is set to activate authentication. The AUTH policy is
distributed by command; automatic distribution of the AUTH policy is not supported.
The default configuration directs the switch to attempt FCAP authentication first, DH-CHAP second.
The switch may be configured to negotiate FCAP, DH-CHAP, or both.
The DH group is used in the DH-CHAP protocol only. The FCAP protocol exchanges the DH group
information, but does not use it.
Virtual Fabrics considerations
If Virtual Fabrics is enabled, all AUTH module parameters such as shared secrets, and shared
switch and device policies, are logical switch-wide. That means you must configure shared secrets
and policies separately on each logical switch and the shared secrets and policies must be set on
each switch prior to authentication. On logical switch creation, authentication takes default values
for policies and other parameters. FCAP certificates are installed on a chassis, but are configured
on each logical switch.
E_Port authentication
The authentication (AUTH) policy allows you to configure DH-CHAP authentication on switches with
Fabric OS v5.3.0 and later. By default the policy is set to PASSIVE and you can change the policy. All
changes to the AUTH policy take effect during the next authentication request. This includes
starting authentication on all E_Ports on the local switch if the policy is changed to ON or ACTIVE,
and clearing the authentication if the policy is changed to OFF. The authentication configurations
will be effective only on subsequent E_ and F_Port initialization.
ATTENTION
A secret key pair has to be installed prior to changing the policy. For more information on setting up
secret key pairs, refer to “Setting a secret key pair” on page 214.
208
Fabric OS Administrator’s Guide
53-1002745-02
Authentication policy for fabric elements
7
Virtual Fabrics considerations
The switch authentication policy applies to all E_Ports in a logical switch. This includes ISLs and
extended ISLs. Authentication of extended ISLs between two base switches is considered
peer-chassis authentication. Authentication between two physical entities is required, so the
extended ISL which connects the two chassis needs to be authenticated. The corresponding
extended ISL for a logical ISL authenticates the peer-chassis, therefore the logical ISL
authentication is not required. Because the logical ISLs do not carry actual traffic, they do not need
to be authenticated. Authentication on re-individualization is also blocked on logical ISLs. The
following error message is printed on the console when you execute the authUtil –-authinit
command on logical-ISLs, “Failed to initiate authentication. Authentication is not supported on
logical ports <port#>”. For more information on Virtual Fabrics, refer to Chapter 10, “Managing
Virtual Fabrics”.
Configuring E_Port authentication
1. Connect to the switch and log in using an account with admin permissions, or an account with
OM permissions for the Authentication RBAC class of commands.
2. Enter the authUtil command to set the switch policy mode.
Example of configuring E_Port authentication
The following example shows how to enable Virtual Fabrics and configure the E_Ports to perform
authentication using the AUTH policies authUtil command.
switch:admin> fosconfig -enable vf
WARNING: This is a disruptive operation that requires a reboot to take
effect.
All EX ports will be disabled upon reboot.
Would you like to continue [Y/N] y
switch:admin> authutil --authinit 2,3,4
CAUTION
If data input has not been completed and a failover occurs, the command is terminated without
completion and your entire input is lost.
If data input has completed, the enter key pressed, and a failover occurs, data may or may not be
replicated to the other CP depending on the timing of the failover. Log in to the other CP after the
failover is complete and verify the data was saved. If data was not saved, run the command
again.
Example of setting the policy to active mode
switch:admin> authutil --policy -sw active
Warning: Activating the authentication policy requires
either DH-CHAP secrets or PKI certificates depending
on the protocol selected. Otherwise, ISLs will be
segmented during next E-port bring-up.
ARE YOU SURE (yes, y, no, n): [no] y
Auth Policy is set to ACTIVE
NOTE
This authentication-policy change will not affect online EX_Ports.
Fabric OS Administrator’s Guide
53-1002745-02
209
7
Authentication policy for fabric elements
Re-authenticating E_Ports
Use the authUtil --authinit command to re-initiate the authentication on selected ports. It provides
flexibility to initiate authentication for specified E_Ports, a set of E_Ports, or all E_Ports on the
switch. This command does not work on loop, NPIV and FICON devices, or on ports configured for
in-flight encryption. The command authUtil can re-initiate authentication only if the device was
previously authenticated. If the authentication fails because shared secrets do not match, the port
is disabled.
This command works independently of the authentication policy; this means you can initiate the
authentication even if the switch is in PASSIVE mode. This command is used to restart
authentication after changing the DH-CHAP group, hash type, or shared secret between a pair of
switches.
ATTENTION
This command may bring down E_Ports if the DH-CHAP shared secrets are not installed correctly.
1. Log in to the switch using an account with admin permissions, or an account with OM
permissions for the Authentication RBAC class of commands.
2. Enter the authUtil –-authinit command.
Example for specific ports on the switch
switch:admin> authutil –-authinit 2,3,4
Example for all E_Ports on the switch
switch:admin> authutil –-authinit allE
Example for Backbones using the slot/port format
switch:admin> authutil –-authinit 1/1, 1/2
Device authentication policy
Device authentication policy can also be categorized as an F_Port, node port, or an HBA
authentication policy. Fabric-wide distribution of the device authentication policy is not supported
because the device authentication requires manual interaction in setting the HBA shared secrets
and switch shared secrets, and most of the HBAs do not support the defined DH groups for use in
the DH-CHAP protocol.
NOTE
Authentication is supported from Brocade fabric switches in native mode to Access Gateway
switches and from Access Gateway switches to HBAs. For more information, refer to the Access
Gateway Administrator’s Guide, Supporting Fabric OS v7.1.0
By default the devicepolicy is in the OFF state, which means the switch clears the security bit in the
FLOGI (fabric login). The authUtil command provides an option to change the device policy mode to
select PASSIVE policy, which means the switch responds to authentication from any device and
does not initiate authentication to devices. When the policy is set to ON, the switch expects a FLOGI
with the FC-SP bit set. If not, the switch rejects the FLOGI with reason LS_LOGICAL_ERROR (0x03),
explanation “Authentication Required”(0x48), and disables the port. Regardless of the policy, the
F_Port is disabled if the DH-CHAP protocol fails to authenticate. If the HBA sets the FC-SP bit during
FLOGI and the switch sends a FLOGI accept with the FC-SP bit set, then the switch expects the HBA
to start the AUTH_NEGOTIATE. From this point on until the AUTH_NEGOTIATE is completed, all ELS
210
Fabric OS Administrator’s Guide
53-1002745-02
Authentication policy for fabric elements
7
and CT frames, except the AUTH_NEGOTIATE ELS frame, are blocked by the switch. During this
time, the Fibre Channel driver rejects all other ELS frames. The F_Port does not form until the
AUTH_NEGOTIATE is completed. It is the HBA's responsibility to send an Authentication Negotiation
ELS frame after receiving the FLOGI accept frame with the FC-SP bit set.
Virtual Fabrics considerations
Because the device authentication policy has switch and logical switch-based parameters, each
logical switch is set when Virtual Fabrics is enabled. Authentication is enforced based on each
logical switch’s policy settings.
Configuring device authentication
1. Connect to the switch and log in using an account with admin permissions, or an account with
OM permissions for the Authentication RBAC class of commands.
2. Enter the authUtil command to set the device policy mode.
Example of setting the Device policy to passive mode:
switch:admin> authutil --policy -dev passive
Warning: Activating the authentication policy requires
DH-CHAP secrets on both switch and device. Otherwise,
the F-port will be disabled during next F-port
bring-up.
ARE YOU SURE (yes, y, no, n): [no] y
Device authentication is set to PASSIVE
AUTH policy restrictions
All fabric element authentication configurations are performed on a local switch basis.
Device authentication policy supports devices that are connected to the switch in point-to-point
manner and is visible to the entire fabric. The following are not supported:
•
•
•
•
•
•
•
Public loop devices
Single private devices
Private loop devices
Mixed public and private devices in loop
NPIV devices
FICON channels
Configupload and download will not be supported for the following AUTH attributes: auth type,
hash type, group type.
NOTE
For information about how to use authentication with Access Gateway, refer to the Access Gateway
Administrator’s Guide Supporting Fabric OS v7.1.0.
Fabric OS Administrator’s Guide
53-1002745-02
211
7
Authentication policy for fabric elements
Authentication protocols
Use the authUtil command to perform the following tasks:
• Display the current authentication parameters.
• Select the authentication protocol used between switches.
• Select the DH (Diffie-Hellman) group for a switch.
Run the authUtil command on the switch you want to view or change. Below are the different
options to specify which DH group you want to use.
•
•
•
•
•
00 – DH Null option
01 – 1024 bit key
02 – 1280 bit key
03 - 1536 bit key
04 – 2048 bit key
Viewing the current authentication parameter settings for a switch
1. Log in to the switch using an account with admin permissions, or an account with the O
permission for the Authentication RBAC class of commands.
2. Enter the authUtil --show.
Example of output from the authUtil --show command
AUTH TYPE
HASH TYPE
GROUP TYPE
-------------------------------------fcap,dhchap
sha1,md5
0, 1, 2, 3, 4
Switch Authentication Policy: PASSIVE
Device Authentication Policy: OFF
Setting the authentication protocol
1. Log in to the switch using an account with admin permissions, or an account with OM
permissions for the Authentication RBAC class of commands.
2. Enter the authUtil --set -a command specifying fcap, dhchap, or all.
Example of setting the DH-CHAP authentication protocol
switch:admin> authutil --set -a dhchap
Authentication is set to dhchap.
When using DH-CHAP, make sure that you configure the switches at both ends of a link.
NOTE
If you set the authentication protocol to DH-CHAP or FCAP, have not configured shared secrets
or certificates, and authentication is checked (for example, you enable the switch), then switch
authentication will fail.
If the E_Port is to carry in-flight encrypted traffic, the authentication protocol must be set to
DH-CHAP. You must also use the -g option to set the DH group value to group 4 or all groups.
See Chapter 14, “In-flight Encryption and Compression,” for details about in-flight encryption.
212
Fabric OS Administrator’s Guide
53-1002745-02
Authentication policy for fabric elements
7
Secret key pairs for DH-CHAP
When you configure the switches at both ends of a link to use DH-CHAP for authentication, you
must also define a secret key pair—one for each end of the link. Use the secAuthSecret command
to perform the following tasks:
• View the WWN of switches with a secret key pair.
• Set the secret key pair for switches.
• Remove the secret key pair for one or more switches.
Characteristics of a secret key pair
• The secret key pair must be set up locally on every switch. The secret key pair is not distributed
fabric-wide.
• If a secret key pair is not set up for a link, authentication fails. The “Authentication Failed”
(reason code 05h) error will be reported and logged.
• The minimum length of a shared secret is 8 characters and the maximum length is 40
characters. If the E_Port is to carry in-flight encrypted traffic, a shared secret or at least 32
characters is recommended. See Chapter 14, “In-flight Encryption and Compression” for
details about in-flight encryption.
NOTE
When setting a secret key pair, note that you are entering the shared secrets in plain text. Use a
secure channel (for example, SSH or the serial console) to connect to the switch on which you are
setting the secrets.
Viewing the list of secret key pairs in the current switch database
1. Log in to the switch using an account with admin permissions, or an account with the O
permission for the Authentication RBAC class of commands.
2. Enter the secAuthSecret --show command.
The output displays the WWN, domain ID, and name (if known) of the switches with defined
shared secrets:
WWN
DId
Name
----------------------------------------------10:00:00:60:69:80:07:52
Unknown
10:00:00:60:69:80:07:5c
1
switchA
Note about Access Gateway switches
Because Domain ID and name are not supported for Access Gateway, secAuthSecret --show output
for Access Gateway appears as follows:
WWN
DId
Name
----------------------------------------------10:00:8C:7C:FF:03:9E:00
-1
Unknown
10:00:8C:7C:FF:03:9E:01
-1
Unknown
10:00:8C:7C:FF:0D:AF:01
-1
Unknown
When setting and removing the secret for a switch or device on Access Gateway, only the WWN can
be used.
Fabric OS Administrator’s Guide
53-1002745-02
213
7
Authentication policy for fabric elements
Setting a secret key pair
1. Log in to the switch using an account with admin permissions, or an account with OM
permissions for the Authentication RBAC class of commands.
2. Enter the secAuthSecret --set command.
The command enters interactive mode. The command returns a description of itself and
needed input; then it loops through a sequence of switch specification, peer secret entry, and
local secret entry.
To exit the loop, press Enter for the switch name; then type y.
Example of setting a secret key pair
switchA:admin> secauthsecret --set
This command is used to set up secret keys for the DH-CHAP authentication.
The minimum length of a secret key is 8 characters and maximum 40
characters. Setting up secret keys does not initiate DH-CHAP
authentication. If switch is configured to do DH-CHAP, it is performed
whenever a port or a switch is enabled.
Warning: Please use a secure channel for setting secrets. Using
an insecure channel is not safe and may compromise secrets.
Following inputs should be specified for each entry.
1. WWN for which secret is being set up.
2. Peer secret: The secret of the peer that authenticates to peer.
3. Local secret: The local secret that authenticates peer.
Press Enter to start setting up shared secrets > <cr>
Enter WWN, Domain, or switch name (Leave blank when done):
10:20:30:40:50:60:70:80
Enter peer secret: <hidden>
Re-enter peer secret: <hidden>
Enter local secret: <hidden>
Re-enter local secret: <hidden>
Enter WWN, Domain, or switch name (Leave blank when done):
10:20:30:40:50:60:70:81
Enter peer secret: <hidden>
Re-enter peer secret: <hidden>
Enter local secret: <hidden>
Re-enter local secret: <hidden>
Enter WWN, Domain, or switch name (Leave blank when done): <cr>
Are you done? (yes, y, no, n): [no] y
Saving data to key store… Done.
3. Disable and enable the ports on a peer switch using the portDisable and portEnable
commands.
214
Fabric OS Administrator’s Guide
53-1002745-02
Authentication policy for fabric elements
7
FCAP configuration overview
Beginning with Fabric OS release 7.0.0, you must configure the switch to use third-party certificates
for authentication with the peer switch.
To perform authentication with FCAP protocol with certificates issued from third party, the user has
to perform following steps:
1. Choose a certificate authority (CA).
2. Generate a public, private key, passphrase and a CSR on each switch.
3. Store the CSR from each switch on a file server.
4. Obtain the certificates from the CA.
You can request a certificate from a CA through a Web browser. After you request a certificate,
the CA either sends certificate files by e-mail (public) or gives access to them on a remote host
(private). Typically, the CA provides the certificate files listed in Table 36.
ATTENTION
Only the .pem file is supported for FCAP authentication.
TABLE 36
FCAP certificate files
Certificate file
Description
nameCA.pem
The CA certificate. It must be installed on the remote and local switch to verify the
validity of the switch certificate or switch validation fails.
name.pem
The switch certificate.
5. On each switch, install the CA certificate before installing switch certificate.
6. After the CA certificate is installed, install the switch certificate on each switch.
7.
Update the switch database for peer switches to use third-party certificates.
8. Use the newly installed certificates by starting the authentication process.
Generating the key and CSR for FCAP
The public/private key and CSR has to be generated for the local and remote switches that will
participate in the authentication. In FCAP, one command is used to generate the public/private key
the CSR, and the passphrase.
1. Log in to the switch using an account with admin permissions, or an account associated with
the chassis role and having OM permissions for the PKI RBAC class of commands.
2. Enter the secCertUtil generate -fcapall -keysize command on the local switch.
switch:admin> seccertutil generate -fcapall -keysize 1024
WARNING!!!
About to create FCAP:
ARE YOU SURE (yes, y, no, n): [no] y
Installing Private Key and Csr...
Switch key pair and CSR generated...
3. Repeat step 2 on the remote switch.
Fabric OS Administrator’s Guide
53-1002745-02
215
7
Authentication policy for fabric elements
Exporting the CSR for FCAP
You will need to export the CSR file created in “Generating the key and CSR for FCAP” section and
send to a Certificate Authority (CA). The CA will in turn provide two files as outlined in “FCAP
configuration overview” on page 215.
1. Log in to the switch using an account with admin permissions, or an account associated with
the chassis role and having OM permissions for the PKI RBAC class of commands.
2. Enter the secCertUtil export –fcapswcsr command.
switch:admin> seccertutil export -fcapswcsr
Select protocol [ftp or scp]: scp
Enter IP address: 10.1.2.3
Enter remote directory: /myHome/jdoe/OPENSSL
Enter Login Name: jdoe
jdoe@10.1.2.3's password: <hidden text>
Success: exported FCAP CA certificate
Importing CA for FCAP
Once you receive the files back from the Certificate Authority, you will need to install or import them
onto the local and remote switches.
1. Log in to the switch using an account with admin permissions, or an account associated with
the chassis role and having OM permissions for the PKI RBAC class of commands.
2. Enter the secCertUtil import –fcapcacert command and verify the CA certificates are
consistent on both local and remote switches.
switch:admin> seccertutil import -fcapcacert
Select protocol [ftp or scp]: scp
Enter IP address: 10.1.2.3
Enter remote directory: /myHome/jdoe/OPENSSL
Enter certificate name (must have a ".pem" suffix):CACert.pem
Enter Login Name: jdoe
jdoe@10.1.2.3's password: <hidden text>
Success: imported certificate [CACert.pem].
Importing the FCAP switch certificate
ATTENTION
The CA certificates must be installed prior to installing the switch certificate.
1. Log in to the switch using an account with admin permissions, or an account associated with
the chassis role and having OM permissions for the PKI RBAC class of commands.
2. Enter the secCertUtil import –fcapswcert command.
switch:admin> seccertutil import -fcapswcert
Select protocol [ftp or scp]: scp
Enter IP address: 10.1.2.3
Enter remote directory: /myHome/jdoe/OPENSSL
Enter certificate name (must have ".crt" or ".cer" ".pem" or ".psk"
suffix):01.pem
Enter Login Name: jdoe
jdoe@10.1.2.3's password: <hidden text>
Success: imported certificate [01.pem].
216
Fabric OS Administrator’s Guide
53-1002745-02
IP Filter policy
7
Starting FCAP authentication
1. Log in to the switch using an account with admin permissions, or an account with OM
permissions for the Authentication RBAC class of commands.
2. Enter the authUtil --authinit command to start the authentication using the newly imported
certificates. (This command is not supported in Access Gateway mode.)
3. Enter the authUtil --policy -sw command and select active or on, the default is passive. This
makes the changes permanent and forces the switch to request authentication. (For Access
Gateway mode, the defaults for sw policy and dev policy are off, and there is no passive option
for sw policy.)
NOTE
This authentication-policy change does not affect online EX_Ports.
Fabric-wide distribution of the authorization policy
The AUTH policy can be manually distributed to the fabric by command; there is no support for
automatic distribution. To distribute the AUTH policy, see “Distributing the local ACL policies” on
page 227 for instructions.
Local Switch configuration parameters are needed to control whether a switch accepts or rejects
distributions of the AUTH policy using the distribute command and whether the switch may initiate
distribution of the policy. To set the local switch configuration parameter, refer to “Policy database
distribution” on page 224.
NOTE
This is not supported for Access Gateway mode.
IP Filter policy
The IP Filter policy is a set of rules applied to the IP management interfaces as a packet filtering
firewall. The firewall permits or denies the traffic to go through the IP management interfaces
according to the policy rules.
Fabric OS supports multiple IP Filter policies to be defined at the same time. Each IP Filter policy is
identified by a name and has an associated type. Two IP Filter policy types, IPv4 and IPv6, exist to
provide separate packet filtering for IPv4 and IPv6. It is not allowed to specify an IPv6 address in
the IPv4 filter, or specify an IPv4 address in the IPv6 filter. There can be up to six different IP Filter
policies defined for both types. Only one IP Filter policy for each IP type can be activated on the
affected management IP interfaces.
Audit messages will be generated for any changes to the IP Filter policies.
The rules in the IP Filter policy are examined one at a time until the end of the list of rules. For
performance reasons, the most commonly used rules should be specified at the top.
On a chassis system, changes to persistent IP Filter policies are automatically synchronized to the
standby CP when the changes are saved persistently on the active CP. The standby CP will enforce
the filter policies to its management interface after policies are synchronized with the active CP.
Fabric OS Administrator’s Guide
53-1002745-02
217
7
IP Filter policy
Virtual Fabrics considerations: Each logical switch cannot have its own different IP Filter policies. IP
Filter policies are treated as a chassis-wide configuration and are common for all the logical
switches in the chassis.
Creating an IP Filter policy
You can create an IP Filter policy specifying any name and using type IPv4 or IPv6. The policy
created is stored in a temporary buffer, and is lost if the current command session logs out. The
policy name is a unique string composed of a maximum of 20 alpha, numeric, and underscore
characters. The names default_ipv4 and default_ipv6 are reserved for default IP filter policies. The
policy name is case-insensitive and always stored as lowercase. The policy type identifies the policy
as an IPv4 or IPv6 filter. There can be a maximum of six IP Filter policies.
1. Log in to the switch using an account with admin permissions, or an account associated with
the chassis role and having OM permissions for the IPfilter RBAC class of commands.
2. Enter in the ipFilter --create command.
Cloning an IP Filter policy
You can create an IP Filter policy as an exact copy of an existing policy. The policy created is stored
in a temporary buffer and has the same type and rules as the existing defined or active policy.
1. Log in to the switch using an account with admin permissions, or an account associated with
the chassis role and having OM permissions for the IPfilter RBAC class of commands.
2. Enter the ipFilter --clone command.
Displaying an IP Filter policy
You can display the IP Filter policy content for the specified policy name, or all IP Filter policies if a
policy name is not specified.
For each IP Filter policy, the policy name, type, persistent state and policy rules are displayed. The
policy rules are listed by the rule number in ascending order. There is no pagination stop for
multiple screens of information. Pipe the output to the |more command to achieve this.
If a temporary buffer exists for an IP Filter policy, the --show subcommand displays the content in
the temporary buffer, with the persistent state set to no.
1. Log in to the switch using an account with admin permissions, or an account associated with
the chassis role and having the O permission for the IPfilter RBAC class of commands.
2. Enter the ipFilter –-show command.
Saving an IP Filter policy
You can save one or all IP Filter policies persistently in the defined configuration. The policy name is
optional for this subcommand. If the policy name is given, the IP Filter policy in the temporary
buffer is saved; if the policy name is not given, all IP Filter policies in the temporary buffer are
saved. Only the CLI session that owns the updated temporary buffer may run this command.
Modification to an active policy cannot be saved without being applied. Hence, the --save
subcommand is blocked for the active policies. Use --activate instead.
218
Fabric OS Administrator’s Guide
53-1002745-02
IP Filter policy
7
1. Log in to the switch using an account with admin permissions, or an account associated with
the chassis role and having the OM permissions for the IPfilter RBAC class of commands.
2. Enter the ipFilter –-save command.
Activating an IP Filter policy
IP Filter policies are not enforced until they are activated. Only one IP Filter policy per IPv4 and IPv6
type can be active. If there is a temporary buffer for the policy, the policy is saved to the defined
configuration and activated at the same time. If there is no temporary buffer for the policy, the
policy existing in the defined configuration becomes active. The activated policy continues to
remain in the defined configuration. The policy to be activated replaces the existing active policy of
the same type. Activating the default IP Filter policies returns the IP management interface to its
default state. An IP Filter policy without any rule cannot be activated. This subcommand prompts
for a user confirmation before proceeding.
1. Log in to the switch using an account with admin permissions, or an account associated with
the chassis role and having OM permissions for the IPfilter RBAC class of commands.
2. Enter the ipFilter –-activate command.
Deleting an IP Filter policy
You can delete a specified IP Filter policy. Deleting an IP Filter policy removes it from the temporary
buffer. To permanently delete the policy from the persistent database, run ipfilter --save. An active
IP Filter policy cannot be deleted.
1. Log in to the switch using an account with admin permissions, or an account associated with
the chassis role and having the OM permissions for the IPfilter RBAC class of commands.
2. Enter the ipFilter --delete command.
3. To permanently delete the policy, enter the ipfilter --save command.
IP Filter policy rules
An IP Filter policy consists of a set of rules. Each rule has an index number identifying the rule.
There can be a maximum of 256 rules within an IP Filter policy.
Each rule contains the following elements:
•
•
•
•
Source Address:
A source IP address or a group prefix.
Destination Port: The destination port number or name, such as: Telnet, SSH, HTTP, HTTPS.
Protocol:
The protocol type. Supported types are TCP or UDP.
Action:
The filtering action taken by this rule, either Permit or Deny.
A rule type and destination IP can also be specified
Fabric OS Administrator’s Guide
53-1002745-02
219
7
IP Filter policy
Source address
For an IPv4 filter policy, the source address has to be a 32-bit IPv4 address in dot decimal notation.
The group prefix has to be a CIDR block prefix representation. For example, 208.130.32.0/24
represents a 24-bit IPv4 prefix starting from the most significant bit. The special prefix 0.0.0.0/0
matches any IPv4 address. In addition, the keyword any is supported to represent any IPv4
address.
For an IPv6 filter policy, the source address has to be a 128-bit IPv6 address, in a format
acceptable in RFC 3513. The group prefix has to be a CIDR block prefix representation. For
example, 12AB:0:0:CD30::/64 represents a 64-bit IPv6 prefix starting from the most significant bit.
In addition, the keyword any is supported to represent any IPv6 address.
Destination port
For the destination port, a single port number or a port number range can be specified. According
to IANA (http://www.iana.org), ports 0 to 1023 are well-known port numbers, ports 1024 to 49151
are registered port numbers, and ports 49152 to 65535 are dynamic or private port numbers.
Well-known and registered ports are normally used by servers to accept connections, while
dynamic port numbers are used by clients.
For an IP Filter policy rule, you can only select port numbers in the well-known port number range,
between 0 and 1023, inclusive. This means that you have the ability to control how to expose the
management services hosted on a switch, but not the ability to affect the management traffic that
is initiated from a switch. A valid port number range is represented by a dash, for example 7-30.
Alternatively, service names can also be used instead of port number. Table 37 lists the supported
service names and their corresponding port numbers.
TABLE 37
220
Supported services
Service name
Port number
echo
7
discard
9
systat
11
daytime
13
netstat
15
chargen
19
ftp data
20
ftp
21
fsp
21
ssh
22
telnet
23
smtp
25
time
27
name
42
whois
43
domain
53
Fabric OS Administrator’s Guide
53-1002745-02
IP Filter policy
TABLE 37
7
Supported services (Continued)
Service name
Port number
bootps
67
bootpc
68
tftp
69
http
80
kerberos
88
hostnames
101
sunrpc
111
sftp
115
ntp
123
snmp
161
snmp trap
162
https
443
ssmtp
465
exec
512
login
513
shell
514
uucp
540
biff
512
who
513
syslog
514
route
520
timed
525
kerberos4
750
rpcd
897
securerpcd
898
Protocol
TCP and UDP protocols are valid protocol selections. Fabric OS v6.2.0 and later do not support
configuration to filter other protocols. Implicitly, ICMP type 0 and type 8 packets are always allowed
to support ICMP echo request and reply on commands like ping and traceroute.
Action
For the action, only “permit” and “deny” are valid.
Fabric OS Administrator’s Guide
53-1002745-02
221
7
IP Filter policy
Traffic type and destination IP
The traffic type and destination IP elements allow an IP policy rule to specify filter enforcement for
IP forwarding. The INPUT traffic type is the default and restricts rules to manage traffic on IP
management interfaces,
The FORWARD traffic type allows management of bidirectional traffic between the external
management interface and the inband management interface. In this case, the destination IP
element should also be specified.
Implicit filter rules
For every IP Filter policy, the two rules listed in Table 38 are always assumed to be appended
implicitly to the end of the policy. This ensures that TCP and UDP traffic to dynamic port ranges is
allowed, so that management IP traffic initiated from a switch, such as syslog, radius and ftp, is not
affected.
TABLE 38
Implicit IP Filter rules
Source address
Destination port
Protocol
Action
Any
1024-65535
TCP
Permit
Any
1024-65535
UDP
Permit
Default policy rules
A switch with Fabric OS v6.2.0 or later will have a default IP Filter policy for IPv4 and IPv6. The
default IP Filter policy cannot be deleted or changed. When an alternative IP Filter policy is
activated, the default IP Filter policy becomes deactivated. Table 39 lists the rules of the default IP
Filter policy.
TABLE 39
222
Default IP policy rules
Rule number
Source address
Destination port
Protocol
Action
1
Any
22
TCP
Permit
2
Any
23
TCP
Permit
3
Any
897
TCP
Permit
4
Any
898
TCP
Permit
5
Any
111
TCP
Permit
6
Any
80
TCP
Permit
7
Any
443
TCP
Permit
8
Any
161
UDP
Permit
9
Any
111
UDP
Permit
10
Any
123
UDP
Permit
11
Any
600-1023
TCP
Permit
12
Any
600-1023
UDP
Permit
Fabric OS Administrator’s Guide
53-1002745-02
IP Filter policy
7
IP Filter policy enforcement
An active IP Filter policy is a filter applied to the IP packets through the management interface. IPv4
management traffic passes through the active IPv4 filter policy, and IPv6 management traffic
passes through the active IPv6 filter policy. The IP Filter policy applies to the incoming (ingress)
management traffic only. When a packet arrives, it is compared against each rule, starting from the
first rule. If a match is found for the source address, destination port, and protocol, the
corresponding action for this rule is taken, and the subsequent rules in this policy are ignored. If
there is no match, then it is compared to the next rule in the policy. This process continues until the
incoming packet is compared to all rules in the active policy.
If none of the rules in the policy matches the incoming packet, the two implicit rules are matched to
the incoming packet. If the rules still do not match the packet, the default action, which is to deny,
is taken.
When the IPv4 or IPv6 address for the management interface of a switch is changed through the
ipAddrSet command or manageability tools, the active IP Filter policies automatically become
enforced on the management IP interface with the changed IP address.
NOTE
If a switch is part of a LAN behind a Network Address Translation (NAT) server, depending on the NAT
server configuration, the source address in an IP Filter rule may have to be the NAT server address.
Adding a rule to an IP Filter policy
There can be a maximum of 256 rules created for an IP Filter policy. The change to the specified IP
Filter policy is not saved to the persistent configuration until a save or activate subcommand is run.
1. Log in to the switch using an account with admin permissions, or an account associated with
the chassis role and having the OM permissions for the IPfilter RBAC class of commands.
2. Enter the ipFilter --addrule command.
Deleting a rule from an IP Filter policy
Deleting a rule in the specified IP Filter policy causes the rules following the deleted rule to shift up
in rule order. The change to the specified IP Filter policy is not saved to persistent configuration
until a save or activate subcommand is run.
1. Log in to the switch using an account with admin permissions, or an account associated with
the chassis role and having the OM permissions for the IPfilter RBAC class of commands.
2. Enter the ipFilter --delrule command.
Aborting an IP Filter transaction
A transaction is associated with a command line or manageability session. It is opened implicitly
when the --create, --addrule, --delrule, --clone, and --delete subcommands are run. The
--transabort, --save, or --activate subcommands explicitly end the transaction owned by the
current command line or manageability session. If a transaction is not ended, other command line
or manageability sessions are blocked on the subcommands that would open a new transaction.
Fabric OS Administrator’s Guide
53-1002745-02
223
7
Policy database distribution
1. Log in to the switch using an account with admin permissions, or an account associated with
the chassis role and having the OM permissions for the IPfilter RBAC class of commands.
2. Enter the ipFilter –-transabort command.
IP Filter policy distribution
The IP Filter policy is manually distributed by command. The distribution includes both active and
defined IP Filter policies. All policies are combined as a single entity to be distributed and cannot be
selectively distributed. However, you may choose the time at which to implement the policy for
optimization purposes. If a distribution includes an active IP Filter policy, the receiving switches
activate the same IP Filter policy automatically. When a switch receives IP Filter policies, all
uncommitted changes left in its local transaction buffer are lost, and the transaction is aborted.
The IPFilter policy can be manually distributed to the fabric by command; there is no support for
automatic distribution. To distribute the IPFilter policy, see “Distributing the local ACL policies” on
page 227 for instructions.
Switches with Fabric OS v6.2.0 or later have the ability to accept or deny IP Filter policy distribution,
through the commands fddCfg --localaccept or fddCfg --localreject. See “Policy database
distribution” on page 224 for more information on distributing the IP Filter policy.
Virtual Fabrics considerations: To distribute the IPFilter policy in a logical fabric, use the
chassisDistribute command.
Managing filter thresholds
Fabric OS v7.1.0 allows you to configure filter thresholds using the fmMonitor command.
1. Connect to the switch and log in using an account with admin permissions, or an account with
OM permissions for the FabricWatch RBAC class of commands.
2. Enter the fmMonitor command.
Example of fmMonitor command:
admin> fmMonitor -–create ex1 -pat 12,0xFF,0x08 -port 2/1-2,8/3 -highth
1000 - action snmp,raslog –timebase minute
Policy database distribution
Fabric OS lets you manage and enforce the ACL policy database on either a per-switch or
fabric-wide basis. The local switch distribution setting and the fabric-wide consistency policy affect
the switch ACL policy database and related distribution behavior.
The ACL policy database is managed as follows:
• Switch database distribution setting — Controls whether or not the switch accepts or rejects
databases distributed from other switches in the fabric. The distribute command sends the
database from one switch to another, overwriting the target switch database with the
distributed one. To send or receive a database the setting must be accept. For configuration
instructions, see “Database distribution settings” on page 225.
Virtual Fabric considerations: FCS, DCC, SCC, and AUTH databases can be distributed using
the -distribute command, but the PWD and IPFILTER databases are blocked from distribution.
224
Fabric OS Administrator’s Guide
53-1002745-02
Policy database distribution
7
• Manually distribute an ACL policy database — Run the distribute command to push the local
database of the specified policy type to target switches. “ACL policy distribution to other
switches” on page 227.
• Fabric-wide consistency policy — Use to ensure that switches in the fabric enforce the same
policies. Set a strict or tolerant fabric-wide consistency policy for each ACL policy type to
automatically distribute that database when a policy change is activated. If a fabric-wide
consistency policy is not set, then the policies are managed on a per switch basis. For
configuration instructions, see “Fabric-wide enforcement” on page 227.
Virtual Fabric considerations: Fabric-wide consistency policies are configured on a per logical
switch-basis and are applied to the fabrics connected to the logical switches. Automatic policy
distribution behavior for DCC, SCC and FCS is the same as that of pre-v6.2.0 releases and are
configured on a per logical switch basis.
Table 40 on page 225 explains how the local database distribution settings and the fabric-wide
consistency policy affect the local database when the switch is the target of a distribution
command.
TABLE 40
Interaction between fabric-wide consistency policy and distribution settings
Distribution
setting
Fabric-wide consistency policy
Absent (default)
Tolerant
Strict
1
Reject
Database is protected, it
cannot be overwritten.
May not match other
databases in the fabric.
Invalid configuration.
Invalid configuration.1
Accept (default)
Database is not protected,
the database can be
overwritten.
If the switch initiating a
distribute command has a
strict or tolerant fabric-wide
consistency policy, the
fabric-wide policy is also
overwritten.
May not match other
databases in the fabric.
Database is not protected.
Automatically distributes
activated changes to other
v6.2.0 or later switches in the
fabric.
May not match other
databases in the fabric.
Database is not protected.
Automatically distributes
activated changes to all
switches in the fabric.
Fabric can only contain
switches running Fabric OS
v6.2.0 or later.
Active database is the same for
all switches in the fabric.
1. An error is returned indicating that the distribution setting must be accept before you can set the fabric-wide
consistency policy.
Database distribution settings
The distribution settings control whether a switch accepts or rejects distributions of databases
from other switches and whether the switch may initiate a distribution. Configure the distribution
setting to reject when maintaining the database on a per-switch basis.
Table 41 lists the databases supported in Fabric OS v6.2.0 and later switches.
TABLE 41
Supported policy databases
Database type
Database identifier (ID)
Authentication policy database
AUTH
DCC policy database
DCC
Fabric OS Administrator’s Guide
53-1002745-02
225
7
Policy database distribution
TABLE 41
Supported policy databases (Continued)
Database type
Database identifier (ID)
FCS policy database
FCS
IP Filter policy database
IPFILTER
Password database
PWD
SCC policy database
SCC
Use the chassisDistribute command to distribute IP filter policies. To distribute other security
policies, use the distribute command.
Displaying the database distribution settings
1. Connect to the switch and log in using an account with admin permissions, or an account with
OM permissions for the FabricDistribution RBAC class of commands.
2. Enter the fddCfg --showall command.
Example shows the database distribution settings
switch:admin> fddcfg --showall
Local Switch Configuration for all Databases:DATABASE - Accept/Reject
--------------------------------SCC accept
DCC accept
PWD accept
FCS accept
AUTH accept
IPFILTER accept
Fabric Wide Consistency Policy:- ""
Enabling local switch protection
1. Connect to the switch and log in using an account with admin permissions, or an account with
OM permissions for the FabricDistribution RBAC class of commands.
2. Enter the fddCfg --localreject command.
Disabling local switch protection
1. Connect to the switch and log in using an account with admin permissions, or an account with
OM permissions for the FabricDistribution RBAC class of commands.
2. Enter the fddCfg --localaccept command.
226
Fabric OS Administrator’s Guide
53-1002745-02
Policy database distribution
7
ACL policy distribution to other switches
This section explains how to manually distribute local ACL policy databases. The distribute
command has the following dependencies:
• All target switches must be running Fabric OS v6.2.0 or later.
• All target switches must accept the database distribution (see “Database distribution settings”
on page 225).
• The fabric must have a tolerant or no (absent) fabric-wide consistency policy (see “Fabric-wide
enforcement” on page 227).
If the fabric-wide consistency policy for a database is strict, the database cannot be manually
distributed. When you set a strict fabric-wide consistency policy for a database, the distribution
mechanism is automatically invoked whenever the database changes.
• The local distribution setting must be accepted. To be able to initiate the distribute command,
set the local distribution to accept.
Distributing the local ACL policies
1. Connect to the switch and log in using an account with admin permissions, or an account with
OM permissions for the FabricDistribution RBAC class of commands.
2. Enter the distribute -p command.
Fabric-wide enforcement
The fabric-wide consistency policy enforcement setting determines the distribution behavior when
changes to a policy are activated. Using the tolerant or strict fabric-wide consistency policy ensures
that changes to local ACL policy databases are automatically distributed to other switches in the
fabric.
NOTE
To completely remove all policies from a fabric enter the fddCfg --fabwideset "” command.
When you set the fabric-wide consistency policy using the fddCfg command with the
--fabwideset database_id option, both the fabric-wide consistency policy and specified database
are distributed to the fabric.The active policies of the specified databases overwrite the
corresponding active and defined policies on the target switches.
Policy changes that are saved but not activated are stored locally until a policy database change is
activated. Activating a policy automatically distributes the Active policy set for that policy type (SCC,
DCC, FCS, or any combination of the three) to the other switches in the fabric.
NOTE
FC routers cannot join a fabric with a strict fabric-wide consistency policy. FC routers do not support
the fabric-wide consistency policies.
Table 42 describes the fabric-wide consistency settings.
Fabric OS Administrator’s Guide
53-1002745-02
227
7
Policy database distribution
TABLE 42
Fabric-wide consistency policy settings
Setting
Value
When a policy is activated
Absent
null
Database is not automatically distributed to other switches in the fabric.
Tolerant
database_id
All updated and new policies of the type specified (SCC, DCC, FCS, or any
combination) are distributed to all Fabric v6.2.0 and later switches in the fabric.
Strict
database_id:S
All updated and new policies of the type specified (SCC, DCC, FCS, or any
combination) are distributed to all switches in the fabric.
Displaying the fabric-wide consistency policy
1. Connect to the switch and log in using an account with admin permissions, or an account with
O permission for the FabricDistribution RBAC class of commands.
2. Enter the fddCfg --showall command.
Example shows policies for a fabric where no consistency policy is defined.
switch:admin> fddcfg --showall
Local Switch Configuration for all Databases:DATABASE - Accept/Reject
--------------------------------SCC accept
DCC accept
PWD accept
FCS accept
AUTH accept
IPFILTER accept
Fabric Wide Consistency Policy:- ""
Setting the fabric-wide consistency policy
1. Connect to the switch and log in using an account with admin permissions, or an account with
OM permissions for the FabricDistribution RBAC class of commands.
2. Enter the fddCfg --fabwideset command.
Example shows how to set a strict SCC and tolerant DCC fabric-wide consistency policy.
switch:admin> fddcfg --fabwideset "SCC:S;DCC"
switch:admin> fddcfg --showall
Local Switch Configuration for all Databases:DATABASE - Accept/Reject
--------------------------------SCC accept
DCC accept
PWD accept
FCS accept
AUTH accept
IPFILTER accept
Fabric Wide Consistency Policy:- "SCC:S;DCC"
228
Fabric OS Administrator’s Guide
53-1002745-02
Policy database distribution
7
Notes on joining a switch to the fabric
When a switch is joined to a fabric with a tolerant SCC, DCC, or FCS fabric-wide consistency policy,
the joining switch must have a matching tolerant SCC, DCC, or FCS fabric-wide consistency policy. If
the tolerant SCC, DCC, or FCS fabric-wide consistency policies do not match, the switch can join the
fabric, but an error message flags the mismatch. If the tolerant SCC, DCC, and FCS fabric-wide
consistency policies match, the corresponding SCC, DCC, and FCS ACL policies are compared.
The enforcement of fabric-wide consistency policy involves comparison of the Active policy set. If
the ACL polices match, the switch joins the fabric successfully. If the ACL policies are absent either
on the switch or on the fabric, the switch joins the fabric successfully, and the ACL policies are
copied automatically from where they are present to where they are absent. The Active policy set
where it is present overwrites the Active and Defined policy set where it is absent. If the ACL
policies do not match, the switch cannot join the fabric and the neighboring E_Ports are disabled.
Use the fddCfg –-fabwideset command on either this switch or the fabric to set a matching strict
SCC, DCC, or FCS fabric-wide consistency policy. Use ACL policy commands to delete the conflicting
ACL policy from one side to resolve ACL policy conflict. If neither the fabric nor the joining switch is
configured with a fabric-wide consistency policy, there are no ACL merge checks required. Under
both conflicting conditions, secPolicyActivate is blocked in the merged fabric. Use the distribute
command to explicitly resolve conflicting ACL policies.
The descriptions above also apply to joining two fabrics. In this context, the joining switch becomes
a joining fabric.
Matching fabric-wide consistency policies
This section describes the interaction between the databases with active SCC and DCC policies
and combinations of fabric-wide consistency policy settings when fabrics are merged.
For example: Fabric A with SCC:S;DCC (strict SCC and tolerant DCC) joins Fabric B with SCC:S;DCC
(strict SCC and tolerant DCC), the fabrics can merge as long as the SCC policies match, including
the order SCC:S;DCC and if both are set to strict.
Table 43 describes the impact of merging fabrics with the same fabric-wide consistency policy that
have SCC, DCC, or both policies.
TABLE 43
Merging fabrics with matching fabric-wide consistency policies
Fabric-wide
Fabric A
consistency policy ACL policies
Fabric B
ACL policies
Merge
results
Database copied
None
None
None
Succeeds
No ACL policies copied.
None
SCC/DCC
Succeeds
No ACL policies copied.
None
None
Succeeds
No ACL policies copied.
None
SCC/DCC
Succeeds
ACL policies are copied from B to A.
SCC/DCC
SCC/DCC
Succeeds
If A and B policies do not match, a
warning displays and policy
commands are disabled1.
Tolerant
Fabric OS Administrator’s Guide
53-1002745-02
229
7
Policy database distribution
TABLE 43
Merging fabrics with matching fabric-wide consistency policies (Continued)
Fabric-wide
Fabric A
consistency policy ACL policies
Fabric B
ACL policies
Merge
results
Database copied
Strict
None
None
Succeeds
No ACL policies copied.
None
SCC/DCC
Succeeds
ACL policies are copied from B to A.
Matching SCC/DCC
Matching SCC/DCC
Succeeds
No ACL policies copied.
Different SCC/DCC
policies
Different SCC/DCC
policies
Fails
Ports are disabled.
1. To resolve the policy conflict, manually distribute the database you want to use to the switch with the mismatched
database. Until the conflict is resolved, commands such as fddCfg --fabwideset and secPolicyActivate are
blocked.
Non-matching fabric-wide consistency policies
You may encounter one of the following two scenarios described in Table 44 and Table 45 where
you are merging a fabric with a strict policy to a fabric with an absent, tolerant, or non-matching
strict policy and the merge fails and the ports are disabled.
Table 44 on page 230 shows merges that are not supported.
TABLE 44
Examples of strict fabric merges
Fabric-wide consistency policy setting
Strict/Tolerant
Strict/Absent
Expected behavior
Fabric A
Fabric B
SCC:S;DCC:S
SCC;DCC:S
SCC;DCC:S
SCC:S;DCC
SCC:S;DCC
SCC:S
Ports connecting switches are disabled.
SCC:S;DCC:S
SCC:S
DCC:S
Strict/Strict
SCC:S
DCC:S
Table 45 has a matrix of merging fabrics with tolerant and absent policies.
TABLE 45
Fabric merges with tolerant and absent combinations
Fabric-wide consistency policy setting
Fabric A
Tolerant/Absent
Expected behavior
Fabric B
SCC;DCC
DCC
230
SCC;DCC
SCC
DCC
SCC
Error message logged.
Run fddCfg --fabwideset “policy_ID” from any
switch with the desired configuration to fix the
conflict. The secPolicyActivate command is blocked
until conflict is resolved.
Fabric OS Administrator’s Guide
53-1002745-02
Management interface security
7
Management interface security
You can secure an Ethernet management interface between two Brocade switches or Backbones
by implementing IP sec and IKE policies to create a tunnel that protects traffic flows. While the
tunnel must have a Brocade switch or Backbone at each end, there may be routers, gateways, and
firewalls in between the two ends.
ATTENTION
Enabling secure IP sec tunnels does not provide IP sec protection for traffic flows on the external
management interfaces of intelligent blades in a chassis, nor does it support protection of traffic
flows on FCIP interfaces.
Internet Protocol security (IP sec) is a framework of open standards that ensures private and
secure communications over Internet Protocol (IP) networks through the use of cryptographic
security services. The goal of IP sec is to provide the following capabilities:
• Authentication — Ensures that the sending and receiving end-users and devices are known and
trusted by one another.
• Data Integrity — Confirms that the data received was in fact the data transmitted.
• Data Confidentiality — Protects the user data being transmitted, such as utilizing encryption to
avoid sending data in clear text.
• Replay Protection — Prevents replay attack in which an attacker resends previously-intercepted
packets in an effort to fraudulently authenticate or otherwise masquerade as a valid user.
• Automated Key Management—Automates the process, as well as manages the periodic
exchange and generation of new keys.
Using the IP secConfig command, you must configure multiple security policies for traffic flows on
the Ethernet management interfaces based on IPv4 or IPv6 addresses, a range of IPv4 or IPv6
addresses, the type of application, port numbers, and protocols used (UDP/TCP/ICMP). You must
specify the transforms and processing choices for the traffic flow (drop, protect or bypass). Also,
you must select and configure the key management protocol using an automatic or manual key.
For more information on IPv4 and IPv6 addressing, refer to Chapter 2, “Performing Basic
Configuration Tasks”.
Configuration examples
Below are several examples of various configurations you can use to implement an IP sec tunnel
between two devices. You can configure other scenarios as nested combinations of these
configurations.
Endpoint-to-endpoint transport or tunnel
In this scenario, both endpoints of the IP connection implement IP sec, as required of hosts in
RFC4301. Transport mode encrypts only the payload while tunnel mode encrypts the entire packet.
A single pair of addresses will be negotiated for packets protected by this SA.
It is possible in this scenario that one or both of the protected endpoints will be behind a network
address translation (NAT) node, in which case tunneled packets will have to be UDP-encapsulated
so that port numbers in the UDP headers can be used to identify individual endpoints behind the
NAT.
Fabric OS Administrator’s Guide
53-1002745-02
231
7
Management interface security
FIGURE 14
Protected endpoints configuration
A possible drawback of end-to-end security is that various applications that require the ability to
inspect or modify a transient packet will fail when end-to-end confidentiality is employed. Various
QoS solutions, traffic shaping, and firewalling applications will be unable to determine what type of
packet is being transmitted and will be unable to make the decisions that they are supposed to
make.
Gateway-to-gateway tunnel
In this scenario, neither endpoint of the IP connection implements IP sec, but the network nodes
between them protect traffic for part of the way. Protection is transparent to the endpoints, and
depends on ordinary routing to send packets through the tunnel endpoints for processing. Each
endpoint would announce the set of addresses behind it, and packets would be sent in tunnel
mode where the inner IP header would contain the IP addresses of the actual endpoints.
FIGURE 15
Gateway tunnel configuration
Endpoint-to-gateway tunnel
In this scenario, a protected endpoint (typically a portable computer) connects back to its corporate
network through an IP sec-protected tunnel. It might use this tunnel only to access information on
the corporate network, or it might tunnel all of its traffic back through the corporate network in
order to take advantage of protection provided by a corporate firewall against Internet-based
attacks. In either case, the protected endpoint will want an IP address associated with the security
gateway so that packets returned to it will go to the security gateway and be tunneled back.
232
Fabric OS Administrator’s Guide
53-1002745-02
Management interface security
FIGURE 16
7
Endpoint-to-gateway tunnel configuration
RoadWarrior configuration
In endpoint-to-endpoint security, packets are encrypted and decrypted by the host which produces
or consumes the traffic. In the gateway-to-gateway example, a router on the network encrypts and
decrypts the packets on behalf of the hosts on a protected network. A combination of the two is
referred to as a RoadWarrior configuration where a host on the Internet requires access to a
network through a security gateway that is protecting the network.
IP sec protocols
IP sec ensures confidentiality, integrity, and authentication using the following protocols:
•
•
Authentication Header (AH)
Encapsulating Security Payload (ESP)
IP sec protocols protect IP datagram integrity using hash message authentication codes (HMAC).
Using hash algorithms with the contents of the IP datagram and a secret key, the IP sec protocols
generate this HMAC and add it to the protocol header. The receiver must have access to the secret
key in order to decode the hash.
IP sec protocols use a sliding window to assist in flow control, The IP sec protocols also use this
sliding window to provide protection against replay attacks in which an attacker attempts a denial
of service attack by replaying an old sequence of packets. IP sec protocols assign a sequence
number to each packet. The recipient accepts each packet only if its sequence number is within
the window. It discards older packets.
Security associations
A security association (SA) is the collection of security parameters and authenticated keys that are
negotiated between IP sec peers to protect the IP datagram. A security association database
(SADB) is used to store these SAs. Information in these SAs—IP addresses, secret keys, algorithms,
and so on—is used by peers to encapsulate and decapsulate the IP sec packets
An IP sec security association is a construct that specifies security properties that are recognized
by communicating hosts. The properties of the SA are the security protocol (AH or ESP), destination
IP address, and Security Parameter Index (SPI) number. SPI is an arbitrary 32-bit value contained in
IP sec protocol headers (AH or ESP) and an IP sec SA is unidirectional. Because most
communication is peer-to-peer or client-to-server, two SAs must be present to secure traffic in both
directions. An SA specifies the IP sec protocol (AH or ESP), the algorithms used for encryption and
authentication, and the expiration definitions used in security associations of the traffic. IKE uses
Fabric OS Administrator’s Guide
53-1002745-02
233
7
Management interface security
these values in negotiations to create IP sec SAs. You must create an SA prior to creating an
SA-proposal. You cannot modify an SA once it is created. Use the IP secConfig --flush manual-sa
command to remove all SA entries from the kernel SADB and re-create the SA. For more
information on the IP secConfig command, refer to the Fabric OS Command Reference.
IP sec proposal
The IP sec sa-proposal defines an SA or an SA bundle. An SA is a set of parameters that define how
the traffic is protected using IP sec. These are the IP sec protocols to use for an SA, either AH or
ESP, and the encryption and authentication algorithms to use to protect the traffic. For SA bundles,
[AH, ESP] is the supported combination.
Authentication and encryption algorithms
IP sec uses different protocols to ensure the authentication, integrity, and confidentiality of the
communication. Encapsulating Security Payload (ESP) provides confidentiality, data integrity and
data source authentication of IP packets, and protection against replay attacks. Authentication
Header (AH) provides data integrity, data source authentication, and protection against replay
attacks, but unlike ESP, AH does not provide confidentiality.
In AH and ESP, hmac_md5 and hmac_sha1 are used as authentication algorithms. Only in ESP,
3des_cbc, blowfish_cbc, aes256_cbc and null_enc are used as encryption algorithms. Use
Table 46 when configuring the authentication algorithm.
TABLE 46
Algorithms and associated authentication policies
Algorithm
Encryption Level Policy
Description
hmac_md5
128-bit
AH, ESP
hmac_sha1
160-bit
AH, ESP
A stronger MAC because it is a keyed hash inside a keyed hash. When
MD5 or SHA-1 is used in the calculation of an HMAC; the resulting MAC
algorithm is termed HMAC-MD5 or HMAC-SHA-1 accordingly.
NOTE: The MD5 hash algorithm is blocked when FIPS mode is
enabled
3des_cbc
168-bit
ESP
Triple DES is a more secure variant of DES. It uses three different
56-bit keys to encrypt blocks of 64-bit plain text. The algorithm is
FIPS-approved for use by Federal agencies.
blowfish_cbc
64-bit
ESP
Blowfish is a 32-bit to 448-bit keyed, symmetric block cipher.
aes128_cbc
128-bit
ESP
aes256_cbc
256-bit
ESP
Advanced Encryption Standard is a 128- or 256-bit fixed block size
cipher.
null_enc
n/a
ESP
A form of plaintext encryption.
IP sec policies
An IP sec policy determines the security services afforded to a packet and the treatment of a
packet in the network. An IP sec policy allows classifying IP packets into different traffic flows and
specifies the actions or transformations performed on IP packets on each of the traffic flows. The
main components of an IP sec policy are: IP packet filter and selector (IP address, protocol, and
port information) and transform set.
234
Fabric OS Administrator’s Guide
53-1002745-02
Management interface security
7
IP sec traffic selector
The traffic selector is a traffic filter that defines and identifies the traffic flow between two systems
that have IP sec protection. IP addresses, the direction of traffic flow (inbound, outbound) and the
upper layer protocol are used to define a filter for traffic (IP datagrams) that is protected using
IP sec.
IP sec transform
A transform set is a combination of IP sec protocols and cryptographic algorithms that are applied
on the packet after it is matched to a selector. The transform set specifies the IP sec protocol,
IP sec mode and action to be performed on the IP packet. It specifies the key management policy
that is needed for the IP sec connection and the encryption and authentication algorithms to be
used in security associations when IKE is used as the key management protocol.
IP sec can protect either the entire IP datagram or only the upper-layer protocols using tunnel mode
or transport mode. Tunnel mode uses the IP sec protocol to encapsulate the entire IP datagram.
Transport mode handles only the IP datagram payload.
IKE policies
When IKE is used as the key management protocol, IKE policy defines the parameters used in IKE
negotiations needed to establish IKE SA and parameters used in negotiations to establish IP sec
SAs. These include the authentication and encryption algorithms, and the primary authentication
method, such as preshared keys, or a certificate-based method, such as RSA signatures.
Key management
The IP sec key management supports Internet Key Exchange or Manual key/SA entry. The Internet
Key Exchange (IKE) protocol handles key management automatically. SAs require keying material
for authentication and encryption. The managing of keying material that SAs require is called key
management.
The IKE protocol secures communication by authenticating peers and exchanging keys. It also
creates the SAs and stores them in the SADB.
The manual key/SA entry requires the keys to be generated and managed manually. For the
selected authentication or encryption algorithms, the correct keys must be generated using a third
party utility on your LINUX system. The key length is determined by the algorithm selected.
Linux IP sec-tools 0.7 provides tools for manual key entry (MKE) and automatic keyed connections.
The LINUX setKey command can be used for manually keyed connections, which means that all
parameters needed for the setup of the connection are provided by you. Based on which protocol,
algorithm, and key used for the creation of the security associations, the switch populates the
security association database (SAD) accordingly.
Pre-shared keys
A pre-shared key has the .psk extension and is one of the available methods IKE can be configured
to use for primary authentication. You can specify the pre-shared keys used in IKE policies; add and
delete pre-shared keys (in local database) corresponding to the identity of the IKE peer or group of
peers.
Fabric OS Administrator’s Guide
53-1002745-02
235
7
Management interface security
The IP secConfig command does not support manipulating pre-shared keys corresponding to the
identity of the IKE peer or group of peers. Use the secCertUtil command to import, delete, or display
the pre-shared keys in the local switch database. For more information on this procedure, refer to
Chapter 6, “Configuring Protocols”.
Security certificates
A certificate is one of the available methods IKE can be configured to use for primary
authentication. You can specify the local public key and private key (in X.509 PEM format) and peer
public key (in X.509 format) to be used in a particular IKE policy.
Use the secCertUtil import command to import public key, private key and peer-public key (in X.509
PEM format) into the switch database. For more information on this procedure, refer to Chapter 6,
“Configuring Protocols”.
ATTENTION
The CA certificate name must have the IP secCA.pem name.
Static Security Associations
Manual Key Entry (MKE) provides the ability to manually add, delete and flush SA entries in the
SADB. Manual SA entries may not have an associated IP sec policy in the local policy database.
Manual SA entries are persistent across system reboots.
Creating the tunnel
Each side of the tunnel must be configured in order for the tunnel to come up. Once you are logged
into the switch, do not log off as each step requires that you be logged in to the switch. IP sec
configuration changes take effect upon execution and are persistent across reboots. Configure the
following on each side of the tunnel:
NOTE
A backslash ( \ ) is used to skip the return character so you can continue the command on the next
line without the return character being interpreted by the shell.
1. Determine the authentication protocol and algorithm to be used on the tunnel.
Refer to Table 46 on page 234 to determine which algorithm to use in conjunction with a
specific authentication protocol.
2. Determine the type of keys to be used on the tunnel.
If you are using CA signed keys, you must generate them prior to setting up your tunnels.
3. Enable IP sec.
a.
Connect to the switch and log in using an account with admin permissions, or an account
associated with the chassis role and having OM permissions for the IP sec RBAC class of
commands.
b.
Enter the IP secConfig --enable command to enable IP sec on the switch.
4. Create an IP sec SA policy on each side of the tunnel using the IP secConfig --add command.
236
Fabric OS Administrator’s Guide
53-1002745-02
Management interface security
7
Example of creating an IP sec SA policy
This example creates an IP sec SA policy named AH01, which uses AH protection with MD5.
You would run this command on each switch; on each side of the tunnel so that both sides
have the same IP sec SA policy.
switch:admin> IP secconfig --add policy ips sa -t AH01 -p ah -auth hmac_md5
5. Create an IP sec proposal on each side of the tunnel using the IP secConfig --add command.
Example of creating an IP sec proposal
This example creates an IP sec proposal IP sec-AH to use AH01 as SA.
switch:admin> IP secconfig --add policy ips sa-proposal -t IP sec-AH –sa AH01
6. Import the pre-shared key file.
Refer to Chapter 6, “Configuring Protocols” for information on how to set up pre-shared keys
and certificates.
7.
Configure the IKE policy using the IP secConfig --add command.
Example of creating an IKE policy
This example creates an IKE policy for the remote peer.
switch:admin> IP secconfig --add policy ike –t IKE01 -remote 10.33.74.13 \
-id 10.33.69.132 -remoteid 10.33.74.13 -enc 3des_cbc \
-hash hmac_md5 -prf hmac_md5 –auth psk -dh modp1024 \
-psk IP seckey.psk
8. Create an IP sec transform on each switch using the IP secConfig --add command.
Example of creating an IP sec transform
This example creates an IP sec transform TRANSFORM01 to use the transport mode to protect
traffic identified for IP sec protection and use IKE01 as key management policy.
switch:admin> IP secconfig --add policy ips transform –t TRANSFORM01 \
-mode transport -sa-proposal IP sec-AH \
-action protect –ike IKE01
9. Create a traffic selector on each switch using the IP secConfig --add command.
Example of creating a traffic selector
This example creates a traffic selector to select outbound and inbound traffic that needs to be
protected.
switch:admin> IP secconfig --add policy ips selector –t SELECTOR-OUT \
-d out -l 10.33.69.132 -r 10.33.74.13 –transform TRANSFORM01
switch:admin> IP secconfig --add policy ips selector –t SELECTOR-IN \
-d in -l 10.33.74.13 -r 10.33.69.132 –t transform TRANSFORM01
Inbound and outbound selectors use opposite values for local and remote IP addresses. In this
example, notice that the local ("-l") address of SELECTOR-OUT is the same as the remote ("-r")
address or SELECTOR-IN, Similarly, the local ("-l") address of SELECTOR-IN is the same as the
remote ("-r") address or SELECTOR-OUT. That is, “local” refers to the source IP address of the
packet, and “remote” is the destination IP address. Hence inbound packets have opposite
source and destination addresses than outbound packets.
Fabric OS Administrator’s Guide
53-1002745-02
237
7
Management interface security
10. Verify traffic is protected.
a.
Initiate a telnet, SSH, or ping session from the two switches.
b.
Verify that IP traffic is encapsulated.
c.
Monitor IP sec SAs created using IKE for above traffic flow
• Use the IP secConfig -–show manual-sa –a command with the operands specified to
display the outbound and inbound SAs in kernel SADB.
• Use the IP secConfig –-show policy ips sa -a command with the specified operands to
display all IP sec SA policies.
• Use the IP secConfig –-show policy ips sa-proposal –a command with the specified
operands to display IP sec proposals.
• Use the IP secConfig –-show policy ips transform –a command with the specified
operands to display IP sec transforms.
• Use the IP secConfig –-show policy ips selector –a command with the specified
operands to display IP sec traffic selectors.
• Use the IP secConfig –-show policy ike –a command with the specified operands to
display IKE policies.
• Use the IP secConfig –-flush manual-sa command with the specified operands to
flush the created SAs in the kernel SADB.
Example of an end-to-end transport tunnel mode
This example illustrates securing traffic between two systems using AH protection with MD5 and
configure IKE with pre-shared keys. The two systems are a switch, BROCADE300 (IPv4 address
10.33.74.13), and an external host (10.33.69.132).
NOTE
A backslash ( \ ) is used to skip the return character so you can continue the command on the next
line without the return character being interpreted by the shell.
1. On the system console, log in to the switch as Admin.
2. Enable IP sec.
a.
Connect to the switch and log in using an account with admin permissions, or an account
with OM permissions for the IP sec RBAC class of commands.
b.
Enter the IP secConfig --enable command to enable IP sec on the switch.
3. Create an IP sec SA policy named AH01, which uses AH protection with MD5.
switch:admin> IP secconfig --add policy ips sa -t AH01 \
-p ah -auth hmac_md5
4. Create an IP sec proposal IP sec-AH to use AH01 as SA.
switch:admin> IP secconfig --add policy ips sa-proposal \
-t IP sec-AH -sa AH01
5. Configure the SA proposal's lifetime in time units. The maximum lifetime is 86400, or one day.
switch:admin> IP secconfig --add policy ips sa-proposal \
-t IP sec-AH -lttime 86400 -sa AH01
238
Fabric OS Administrator’s Guide
53-1002745-02
Management interface security
7
6. Import the pre-shared key file using the secCertUtil command. The file name should have a
.psk extension.
For more information on importing the pre-shared key file, refer to “Installing a switch
certificate” on page 185.
7.
Configure an IKE policy for the remote peer.
switch:admin> IP secconfig --add policy ike -t IKE01 \
-remote 10.33.69.132 -id 10.33.74.13 -remoteid 10.33.69.132 \
-enc 3des_cbc -hash hmac_md5 -prf hmac_md5 -auth psk \
-dh modp1024 -psk IP seckey.psk
NOTE
IKE version (‘-v’ option) needs to be set to 1 (IKEv1) if remote peer is a Windows XP or 2000 Host as
Windows XP and 2000 do not support IKEv2.
8. Create an IP sec transform named TRANSFORM01 to use transport mode to protect traffic
identified for IP sec protection and use IKE01 as key management policy.
switch:admin> IP secconfig --add policy ips transform \
-t TRANSFORM01 -mode transport -sa-proposal IP sec-AH -action \
protect -ike IKE01
9. Create traffic selectors to select the outbound and inbound traffic that needs to be protected.
switch:admin> IP secconfig --add policy ips selector \
-t SELECTOR-OUT -d out -l 10.33.74.13 -r 10.33.69.132 \
-transform TRANSFORM01
switch:admin> IP secconfig --add policy ips selector \
-t SELECTOR-IN -d in -l 10.33.69.132 -r 10.33.74.13 \
-transform TRANSFORM01
10. Verify the IP sec SAs created with IKE using the IP secConfig --show manual-sa –a command.
11. Perform the equivalent steps on the remote peer to complete the IP sec configuration. Refer to
your server administration guide for instructions.
12. Generate IP traffic and verify that it is protected using defined policies.
a.
Initiate Telnet or SSH or ping session from BRCD300 to Remote Host.
b.
Verify that the IP traffic is encapsulated.
c.
Monitor IP sec SAs created using IKE for the above traffic flow.
• Use the IP secConfig -–show manual-sa –a command with the operands specified to
display the outbound and inbound SAs in the kernel SADB.
• Use the IP secConfig –-show policy ips sa -a command with the specified operands to
display all IP sec SA policies.
• Use the IP secConfig –-show policy ips sa-proposal –a command with the specified
operands to display IP sec proposals.
• Use the IP secConfig –-show policy ips transform –a command with the specified
operands to display IP sec transforms.
• Use the IP secConfig –-show policy ips selector –a command with the specified
operands to display IP sec traffic selectors.
Fabric OS Administrator’s Guide
53-1002745-02
239
7
Management interface security
• Use the IP secConfig –-show policy ike –a command with the specified operands to
display IKE policies.
• Use the IP secConfig –-flush manual-sa command with the specified operands to flush
the created SAs in the kernel SADB.
CAUTION
Flushing SAs requires IP sec to be disabled and re-enabled. This operation is disruptive to traffic
using the tunnel.
Notes
• As of Fabric OS 7.0.0, IP sec no longer supports null encryption (null_enc) for IKE policies.
• IPv6 policies cannot tunnel IMCP traffic.
240
Fabric OS Administrator’s Guide
53-1002745-02
Chapter
8
Maintaining the Switch Configuration File
In this chapter
• Configuration settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Configuration file backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Configuration file restoration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Configurations across a fabric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Configuration management for Virtual Fabrics . . . . . . . . . . . . . . . . . . . . . .
• Brocade configuration form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
241
244
246
250
250
253
Configuration settings
It is important to maintain consistent configuration settings on all switches in the same fabric
because inconsistent parameters, such as inconsistent PID formats, can cause fabric
segmentation. As part of standard configuration maintenance procedures, Brocade recommends
that you back up all important configuration data for every switch on a host computer server as a
safety measure.
NOTE
For information about AD-enabled switches, refer to Chapter 17, “Managing Administrative
Domains”.
For more information about troubleshooting configuration file uploads and downloads, refer to the
Fabric OS Troubleshooting and Diagnostics Guide.
There are two ways to view configuration settings for a switch in a Brocade fabric:
• Issue the configShow -all command.
To display configuration settings, connect to the switch, log in as admin, and enter the
configShow -all command. The configuration settings vary depending on switch model and
configuration. This command does not show as much configuration information as the text file
created from the configUpload command.
• Issue the configUpload -all command to upload an ASCII text file from the switch or switch
module.
You can open the text file with any text editor to view the configuration information of the
switch.
CAUTION
Editing of the uploaded file is unsupported and can result in system errors if an edited file is
subsequently downloaded.
Fabric OS Administrator’s Guide
53-1002745-02
241
8
Configuration settings
If your user account has chassis account permissions, you can use any of the following options
when uploading or downloading a configuration file:
-fid
To upload the specified FID configuration.
-all
To upload all of the system configuration, including the chassis section
and all switch sections for all logical switches.
NOTE: Use this parameter when obtaining a complete capture of the switch
configuration in a switch that has Virtual Fabrics mode disabled.
-chassis
To upload only the chassis section of the system configuration file.
Configuration file format
The configuration file is divided into three areas: the header, the chassis section, and one or more
logical-switch sections.
The following is an example of a configuration file with two logical-switch sections.
[Configuration upload Information]
Configuration Format = 3.0
Minimum Compatible Format = 3.0
Excluding Format = 0.0
date = Tue Mar 1 15:53:18 2011
FOS version = v7.0.0.0
Number of LS = 2
[Chassis Configuration Begin]
[fcRouting]
[Chassis Configuration]
[LicensesDB]
[Bottleneck Configuration]
[DMM_WWN]
[Licenses]
[Chassis Configuration End]
date = Tue Mar 1 21:28:52 2011
[Switch Configuration Begin : 0]
SwitchName = Sprint5100
Fabric ID = 128
[Boot Parameters]
[Configuration]
[Bottleneck Configuration]
[Zoning]
[Defined Security policies]
242
Fabric OS Administrator’s Guide
53-1002745-02
Configuration settings
8
[Active Security policies]
[cryptoDev]
[FICU SAVED FILES]
[Banner]
[End]
[Switch Configuration End : 0]
date = Tue Mar 1 21:28:52 2011
[Switch Configuration Begin : 1]
SwitchName = switch_2
Fabric ID = 1
[Boot Parameters]
[Configuration]
[Bottleneck Configuration]
[Zoning]
[Defined Security policies]
[Active Security policies]
[cryptoDev]
[FICU SAVED FILES]
[Banner]
[End]
[Switch Configuration End : 1]
Chassis section
There is only one chassis section within a configuration. It defines configuration data for chassis
components that affect the entire system, not just one individual logical switch. The chassis
section is included in non-Virtual Fabric modes only if you use the configUpload -all command.
The chassis section specifies characteristics for the following software components:
•
•
•
•
•
•
•
•
FC Routing – Fibre Channel Routing
Chassis configuration – Chassis configuration
FCOE_CH_CONF – FCoE chassis configuration
UDROLE_CONF – User-defined role configuration
LicensesDB – License Database (slot-based)
DMM_WWN – Data migration manager World Wide Name configuration
Licenses – (Feature-based) Licenses configuration
AGWWN_MAPPING_CONF – Access Gateway WWN mapping configuration
Fabric OS Administrator’s Guide
53-1002745-02
243
8
Configuration file backup
•
•
•
•
•
•
LicensesLservc – Sentinel License configuration
GE blade mode – GigE Mode configuration
FWD CHASSIS CFG – Fabric Watch configuration
FRAME LOG – Frame log configuration (enable/disable)
DMM_TB – Data migration manager configuration
MOTD – Message of the day
Switch section
There is always at least one switch section for the default switch or a switch that has Virtual Fabrics
mode disabled, and there are additional sections corresponding to each additionally defined
logical switch instance on a switch with Virtual Fabrics mode enabled. This data is switch-specific
and affects only that logical switch behavior.
The switch section of the configuration file contains information for all of the following:
•
•
•
•
•
•
•
•
•
•
•
•
Boot parameters
Configuration
Bottleneck configuration
FCoE software configuration
Zoning
Defined security policies
Active security policies
iSCSI
CryptoDev
FICU saved files
VS_SW_CONF
Banner
Configuration file backup
Brocade recommends keeping a backup configuration file. You should keep individual backup files
for all switches in the fabric and avoid copying configurations from one switch to another. The
configUpload command, by default, only uploads the switch context configuration for the logical
switch context in which the command is executed.
In non-Virtual Fabric mode, you must use the configUpload -all command to include both the
switch and the chassis information. In Virtual Fabric mode, the configUpload -all command can be
selected to upload all logical switches and the chassis configuration. Only administrators with
chassis permissions are allowed to upload other FIDs or the chassis configuration.
The following information is not saved in a backup:
• dnsConfig command information
• Passwords
244
Fabric OS Administrator’s Guide
53-1002745-02
Configuration file backup
8
Before you upload a configuration file, verify that you can reach the FTP server from the switch.
Using a Telnet connection, save a backup copy of the configuration file from a logical switch to a
host computer.
Secure File Transfer Protocol (SFTP) is now an option when uploading a configuration file. SFTP is
analogous to Secure Copy Protocol (SCP). SFTP can be used for the configupload/download,
supportsave, and auto FFDC/trace upload (supportftp) commands.
Uploading a configuration file in interactive mode
1. Verify that the FTP, SFTP, or SCP service is running on the host computer.
2. Connect to the switch and log in using an account with admin permissions.
3. Enter the configUpload command. The command becomes interactive and you are prompted
for the required information.
4. Store a soft copy of the switch configuration information in a safe place for future reference.
Example of configUpload on a switch without Admin Domains
switch:admin> configupload
Protocol (scp, ftp, sftp, local) [ftp]: sftp
Server Name or IP Address [host]: 10.1.2.3
User Name [user]: UserFoo
Path/Filename [<home dir>/config.txt]: switchConfig.txt
Section (all|chassis|FID# [all]): chassis
username@10.1.2.3's password:
Password: <hidden>
configUpload complete
Example of configUpload on a switch with Admin Domains
NOTE
Administrative domains other than AD255 upload a subset of information. If you want a
complete switch configuration, you must use the configUpload command while logged in to
AD255.
switch:AD5:admin> ad --select 5
switch:AD5:admin> configUpload
Protocol (scp or ftp) [ftp]:
Server Name or IP Address [host]: 10.1.2.3
User Name [user]: UserFoo
Path/Filename [<home dir>/config.txt]: /pub/configurations/config.txt
Password: <hidden>
configUpload complete: Only zoning parameters are uploaded from ad5.
Fabric OS Administrator’s Guide
53-1002745-02
245
8
Configuration file restoration
Configuration file restoration
When you restore a configuration file, you overwrite the existing configuration with a previously
saved backup configuration file.
CAUTION
Make sure that the configuration file you are downloading is compatible with your switch model.
Downloading a configuration file from a different switch model or from a different firmware could
cause your switch to fail.
CAUTION
If you have Virtual Fabrics enabled, you must follow the procedure in “Configuration management
for Virtual Fabrics” on page 250 to restore the logical switches.
If a configDownload command is issued on a non-FC router, any FC router parameters may be
viewed in the downloaded data. This is harmless to the switch and can be ignored.
NOTE
While it is possible to transfer a Fabric OS 6.4.1 configuration file to a Fabric OS 7.0.0 (or later)
switch, it is not possible to transfer a Fabric OS 7.0.0 (or later) configuration file to a Fabric OS 6.4.1
switch.
Restrictions
This section lists restrictions for some of the options of the configDownload command.
-chassis
The number of switches defined in the downloaded configuration file must
match the number of switches currently defined on the switch.
-fid FID
The FID must be defined in both the downloaded configuration file and the
current system.
NOTE
Brocade recommends you disable a switch before downloading a configuration
file. If you plan to download a configuration file while the switch is enabled, refer
to “Configuration download without disabling a switch” on page 248.
-fid FID -sfid FID The FID must be defined on the switch and the source FID must be defined in the
downloaded configuration file.
246
Fabric OS Administrator’s Guide
53-1002745-02
Configuration file restoration
-all
8
The number of switches or FIDs defined in the downloaded configuration file
must match the number of switches or FIDs currently defined on the switch.
The switches must be disabled first. If they are not, the configDownload
command will download the configuration for as many switches as possible until
a non-disabled switch is found. If a non-disabled switch is found, the
downloading process stops. Before running the configDownload command, verify
if any switches must be disabled.
If you are performing a configuration download due to a configuration error, it is
highly recommended to run the configDefault command before running the
configDownload command. Refer to “Configuration download without disabling a
switch” on page 248 for more information on non-disruptive configuration
downloads.
If Virtual Fabrics mode is enabled, the chassisDisable and chassisEnable
commands are used to disable all logical switches on the affected switch. This
process bypasses the need to disable and enable each switch individually once
the configuration download has completed.
Non-Virtual Fabric configuration files downloaded to a Virtual Fabric system have
a configuration applied only to the default switch. If there are multiple logical
switches created in a Virtual Fabric-enabled system, there may be problems if
there are ports that belong to the default switch in a Virtual Fabric-disabled
system, but are now assigned to logical switches in a Virtual Fabric-enabled
system. Only configurations related to ports within the default switch are applied.
If you must set up your switch again, run the commands listed in Table 47 and save the output in a
file format. Store the files in a safe place for emergency reference.
TABLE 47
CLI commands to display or modify switch configuration information
Command
Displays
configShow
System configuration parameters, settings, and license information.
fcLunQuery
LUN IDs and LUNs for all accessible targets.
fcrRouterPortCost
FC Router route information.
fcrXlateConfig
Translate (xlate) domain's domain ID for both EX_Port-attached fabric and backbone fabric.
fosConfig
Fabric OS features.
ipAddrShow
IP address.
isnscCfg
Configuration state of the iSNS client operation.
licenseShow
License keys installed with more detail than the license information from the configShow
command.
portCfgEXPort
EX_Port configuration parameters.
portCfgVEXPort
VEX_Port configuration parameters.
Fabric OS Administrator’s Guide
53-1002745-02
247
8
Configuration file restoration
CAUTION
Though the switch itself has advanced error checking, the configdownload feature within
Fabric OS was not designed for users to edit, and is limited in its ability. Edited files can become
corrupted and this corruption can lead to switch failures.
Configuration download without disabling a switch
You can download configuration files to a switch while the switch is enabled; that is, you do not
need to disable the switch for changes in SNMP, Fabric Watch, or ACL parameters. However, if there
is any changed parameter that does not belong to SNMP, Fabric Watch, or ACL, then you must
disable the switch. When you use the configDownload command, you are prompted to disable the
switch only when necessary.
Configuration download without disabling a switch is independent of the hardware platform and
supported on all hardware platforms running Fabric OS v6.1.0 and later.
ATTENTION
The configuration download process can restore only logical switches that already exist and that use
the same FIDs. It cannot be used to clone or repair the current switch because the configDownload
command cannot create logical switches if they do not exist.
Restoring a configuration
CAUTION
Using the SFID parameter erases all configuration information on the logical switch. Use the SFID
parameter only when the logical switch has no configuration information you want to save.
1. Verify that the FTP service is running on the server where the backup configuration file is
located.
2. Connect to the switch and log in using an account with admin permissions, and if necessary,
with chassis permissions.
3. If there are any changed parameters in the configuration file that do not belong to SNMP,
Fabric Watch, or ACL, disable the switch by entering the switchDisable command.
4. Enter the configDownload command.
The command becomes interactive and you are prompted for the required information.
5. At the “Do you want to continue [y/n]” prompt, enter y.
Wait for the configuration to be restored.
6. If you disabled the switch, enter the switchEnable command when the process is finished.
NOTE
Always perform a reboot after you download a configuration file. On dual-CP platforms, you must
reboot both CPs simultaneously.
248
Fabric OS Administrator’s Guide
53-1002745-02
Configuration file restoration
8
Example of configDownload without Admin Domains
switch:admin> configdownload
Protocol (scp, ftp, local) [ftp]:
Server Name or IP Address [host]: 10.1.2.3
User Name [user]: UserFoo
Path/Filename [<home dir>/config.txt]:
Section (all|chassis|FID# [all]): all
*** CAUTION ***
This command is used to download a backed-up configuration
for a specific switch. If using a file from a different
switch, this file's configuration settings will override
any current switch settings.
Downloading a configuration
file, which was uploaded from a different type of switch,
may cause this switch to fail.
A switch reboot is required for the changes to take effect.
Please make sure all the switches are disabled by
using "chassisdisable" command. Downloading configuration
to an online switch may result in some configuration not
being downloaded to that switch.
configDownload operation may take several minutes
to complete for large files.
Do you want to continue [y/n]:y
Password: <hidden>
configDownload complete.
Example of configDownload with Admin Domains
switch:AD5:admin>configdownload
Protocol (scp or ftp) [ftp]:
Server Name or IP Address [host]: 10.1.2.3
User Name [user]: UserFoo
Path/Filename [<home dir>/config.txt]: /pub/configurations/config.txt
*** CAUTION ***
This command is used to download a backed-up configuration
for a specific switch. If using a file from a different
switch, this file's configuration settings will override
any current switch settings.
Downloading a configuration
file, which was uploaded from a different type of switch,
may cause this switch to fail.
A switch reboot is required for the changes to take effect.
Please make sure all the switches are disabled by
using "chassisdisable" command. Downloading configuration
to an online switch may result in some configuration not
being downloaded to that switch.
configDownload operation may take several minutes
to complete for large files.
Do you want to continue [y/n]:y
Password: <hidden>
Fabric OS Administrator’s Guide
53-1002745-02
249
8
Configurations across a fabric
Activating configDownload: Switch is disabled
configDownload complete: Only zoning parameters are downloaded to ad5.
Example of a non-interactive download of all configurations (chassis and switches)
configdownload -a -ftp
10.1.2.3,UserFoo,/pub/configurations/config.txt,password
Configurations across a fabric
To save time when configuring fabric parameters and software features, you can save a
configuration file from one switch and download it to other switches of the same model type.
Do not download a configuration file from one switch to another switch that is a different model or
runs a different firmware version, because it can cause the switch to fail. If you need to reset
affected switches, issue the configDefault command after download is completed but before the
switch is enabled. If a switch is enabled with a duplicate domain ID, the switch becomes
segmented.
Downloading a configuration file from one switch to another switch of
the same model
1. Configure one switch.
2. Use the configUpload command to save the configuration information. Refer to “Configuration
file backup” on page 244 for more information.
3. Run configDefault on each of the target switches, and then use the configDownload command
to download the configuration file to each of the target switches. Refer to “Configuration file
restoration” on page 246 for more information.
Security considerations
Security parameters and the switch identity cannot be changed by the configDownload command.
Parameters such as the switch name and IP address (lines in the configuration file that begin with
“boot”) are ignored. Security parameters (lines in the configuration file that begin with “sec”), such
as secure mode setting and version stamp, are ignored.
For more detailed information on security, refer to Chapter 6, “Configuring Protocols”.
Configuration management for Virtual Fabrics
You can use the configUpload -vf or configDownload -vf command to restore configurations to a
logical switch. The -vf option only restores the Virtual Fabrics configuration information on to a
switch of the same model.
The Virtual Fabrics configuration on the switch defines all of the logical switches allowed and
configured for a particular platform.
250
Fabric OS Administrator’s Guide
53-1002745-02
Configuration management for Virtual Fabrics
8
Uploading a configuration file from a switch with Virtual Fabrics
enabled
The configUpload command with the -vf option specifies that configuration upload will upload the
Virtual Fabrics configuration instead of the non-Virtual Fabrics configuration information.
You must specify a file name with the configUpload -vf command. It is recommended not to use
config.txt for a file name as this name can be confused with a normal uploaded configuration file.
Example of configUpload on a switch with Virtual Fabrics
Sprint5100:FID128:admin> configupload
Protocol (scp, ftp, sftp, local) [ftp]:
Server Name or IP Address [host]: 10.1.2.3
User Name [user]: UserFoo
Path/Filename [<home dir>/config.txt]: 5100.txt
Potentially remote file may get overwritten
Section (all|chassis|FID# [all]):
Password: <hidden>
configUpload complete: All selected config parameters are uploaded
Example of configUpload on a logical switch configuration
DCX_80:FID128:admin> configupload -vf
Protocol (scp, ftp, sftp, local) [ftp]:
Server Name or IP Address [host]: 10.1.2.3
User Name [user]: anonymous
Path/Filename [<home dir>/config.txt]: 5100_vf.txt
configUpload complete: VF config parameters are uploaded
2009/07/20-09:13:40, [LOG-1000], 225, SLOT 7 | CHASSIS, INFO, BrocadeDCX,
Previous message repeated 7 time(s)
2009/07/20-10:27:14, [CONF-1001], 226, SLOT 7 | FID 128, INFO, DCX_80,
configUpload completed successfully for VF config parameters.
Restoring a logical switch configuration using configDownload
The configDownload -vf command specifies that the Virtual Fabrics configuration download file is
downloaded instead of the regular configuration. After the Virtual Fabrics configuration file is
downloaded, the switch is automatically rebooted.
On dual-CP platforms, if CPs are incompatible (HA not in sync), the Virtual Fabrics configuration file is
not propagated to the standby CP. If CPs are compatible, the active CP attempts to remain active after
the reboot, and the new Virtual Fabrics configuration file is then propagated to the standby CP.
CAUTION
You must issue the configDownload command on the switch after restoring the Virtual Fabrics
configuration to fully restore your switch or chassis configuration.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the configDownload -vf command.
3. Respond to the prompts.
Fabric OS Administrator’s Guide
53-1002745-02
251
8
Configuration management for Virtual Fabrics
Wait for the configuration file to download on to the switch. You may need to reconnect to the
switch.
4. Enter the configDownload command.
5. Respond to the prompts.
Wait for the configuration file to download to the switch.
6. Verify the LISL ports are set up correctly.
Example of a non-interactive download from a switch with FID = 8 and SFID =10
configdownload -fid 8 -sfid 10 -ftp 10.1.2.3,UserFoo,config.txt,password
Example of configDownload on a switch
5100:FID128:admin> configdownload -vf
Protocol (scp, ftp, sftp, local) [ftp]:
Server Name or IP Address [host]: 10.1.2.3
User Name [user]: UserFoo
Path/Filename [<home dir>/config.txt]: 5100_FID89.txt
*** CAUTION ***
This command is used to download the VF configuration to the
switch. Afterwards, the switch will be automatically rebooted
and the new VF settings will be used. You will then need to
run configdownload again to install the configuration(s) for
any logical switch(s) that are setup in the new VF configuration.
Do you want to continue [y/n]: y
(output truncated)
Restrictions
The following restrictions apply when using the configUpload or configDownload commands when
Virtual Fabrics mode is enabled:
• The -vf option is incompatible with the –fid, –sfid, or –all options. Any attempt to combine it
with any of the other three will cause the configuration upload or download operation to fail.
• You are not allowed to modify the Virtual Fabrics configuration file after it has been uploaded.
Only minimal verification is done by the configDownload command to ensure it is compatible,
much like the normal downloaded configuration file.
• After the configDownload -vf command completes and reboots your switch, you must then
download the matching regular configuration using the configDownload -all command. This
ensures proper behavior of the system and logical switches.
All of the attributes of the Virtual Fabrics configuration file will be downloaded to the system and
take effect. This includes, but is not limited to, logical switch definitions, whether Virtual Fabrics is
enabled or disabled, and the F_Port trunking ports, except the LISL ports. The LISL ports on the
system are not affected by the Virtual Fabrics configuration file download.
252
Fabric OS Administrator’s Guide
53-1002745-02
Brocade configuration form
8
Brocade configuration form
Use the form in Table 48 as a hard copy reference for your configuration information.
In the hardware reference manuals for the Brocade DCX and DCX-4S Backbones, there is a guide
for FC port-setting.
TABLE 48
Brocade configuration and connection form
Brocade configuration settings
IP address
Gateway address
Chassis configuration option
Management connections
Serial cable tag
Ethernet cable tag
Configuration information
Domain ID
Switch name
Ethernet IP address
Ethernet subnet mask
Total number of local devices (nsShow)
Total number of devices in fabric (nsAllShow)
Total number of switches in the fabric (fabricShow)
Fabric OS Administrator’s Guide
53-1002745-02
253
8
254
Brocade configuration form
Fabric OS Administrator’s Guide
53-1002745-02
Chapter
9
Installing and Maintaining Firmware
In this chapter
• Firmware download process overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Preparing for a firmware download . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Firmware download on switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Firmware download on a Backbone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Firmware download from a USB device . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• FIPS support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Testing and restoring firmware on switches . . . . . . . . . . . . . . . . . . . . . . . .
• Testing and restoring firmware on Backbones . . . . . . . . . . . . . . . . . . . . . .
• Validating a firmware download . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
255
258
260
262
265
266
268
270
273
Firmware download process overview
Fabric OS v7.1.0 provides nondisruptive firmware installation.
This chapter refers to the following specific types of blades inserted into the Brocade DCX and
DCX 8510 Backbone families:
• FC blades or port blades that contain only Fibre Channel ports; the Brocade FC8-16, FC8-32,
FC8-48, and FC8-64; and the Brocade FC16-32 and FC16-48 blades for 16G-capable FC
blades.
• AP blades contain extra processors and specialized ports: FCOE10-24, FX8-24, and FS8-18
encryption blade.
• CP blades have a control processor (CP) used to control the entire switch; CP blades can be
inserted only into slots 6 and 7 on the Brocade DCX or DCX 8510-8, and slots 4 and 5 on the
Brocade DCX-4S or DCX 8510-4.
• CR8 and CR4S-8 core blades provide ICL functionality between two Brocade DCX Backbones.
CR8 blades can be inserted only into slots 5 and 8 on the Brocade DCX. CR4S-8 blades can be
inserted only into slots 3 and 6 on the Brocade DCX-4S.
• CR8 and CR4S-8 core blades provide ICL functionality between two Brocade DCX 8510-8
Backbones. CR4S-8 blades can be inserted only into slots 3 and 6 on the Brocade DCX
8510-4.
NOTE
For more information on troubleshooting a firmware download, refer to the Fabric OS
Troubleshooting and Diagnostics Guide.
Fabric OS Administrator’s Guide
53-1002745-02
255
9
Firmware download process overview
You can download Fabric OS to a Backbone, which is a chassis; and to a nonchassis-based system,
also referred to as a fixed-port switch. The difference in the download process is that Backbones
have two CPs and fixed-port switches have one CP. Use the firmwareDownload command to
download the firmware from either an FTP or SSH server by using FTP, SFTP, or SCP to the switch.
Or you can use a Brocade-branded USB device.
The new firmware consists of multiple files in the form of RPM packages listed in a .plist file. The
.plist file contains specific firmware information (time stamp, platform code, version, and so forth)
and the names of packages of the firmware to be downloaded. These packages are made available
periodically to add features or to remedy defects. Contact your switch support provider to obtain
information about available firmware versions.
All systems maintain two partitions (a primary and a secondary) of nonvolatile storage areas to
store firmware images. The firmware download process always loads the new image into the
secondary partition. It then swaps the secondary partition to be the primary and high availability
(HA) reboots (which is nondisruptive) the system. After the system boots up, the new firmware is
activated. The firmware download process then copies the new image from the primary partition to
the secondary partition.
ATTENTION
The Brocade 8000 does not support a nondisruptive firmware download. The switch reboots once
the firmware upgrade or downgrade is complete.
In dual-CP systems, the firmware download process, by default, sequentially upgrades the firmware
image on both CPs using HA failover to prevent disruption to traffic flowing through the Backbone.
This operation depends on the HA status on the Backbone. If the platform does not support HA, you
can still upgrade the CPs one at a time.
If you are using a Brocade DCX or DCX 8510 Backbone family platform, with one or more
AP blades: Fabric OS automatically detects mismatches between the active CP firmware and the
blade’s firmware and triggers the auto-leveling process. This auto-leveling process automatically
updates the blade firmware to match the active CP. At the end of the auto-leveling process, the
active CP and the blade run the same version of the firmware.
If the firmware download process is interrupted by an unexpected reboot, the system automatically
repairs and recovers the secondary partition. You must wait for the recovery to complete before
issuing another firmwareDownload command.
The command supports both non-interactive and interactive modes. If the firmwareDownload
command is issued without any operands, or if there is any syntax error in the parameters, the
command enters an interactive mode, in which you are prompted for input.
ATTENTION
For each switch in your fabric, complete all firmware download changes on the current switch before
issuing the firmwareDownload command on the next switch. This process ensures nondisruption of
traffic between switches in your fabric.
To verify the firmware download process is complete, enter the firmwareDownloadStatus command
on the switch, verify the process is complete, and then move to the next switch.
256
Fabric OS Administrator’s Guide
53-1002745-02
Firmware download process overview
9
Upgrading and downgrading firmware
Upgrading means installing a newer version of firmware. Downgrading means installing an older
version of firmware.
In most cases, you will be upgrading firmware; that is, installing a newer firmware version than the
one you are currently running. However, some circumstances may require installing an older
version; that is, downgrading the firmware. The procedures in this section assume that you are
upgrading firmware, but they work for downgrading as well, provided the old and new firmware
versions are compatible. Always reference the latest release notes for updates that may exist
regarding downgrades under particular circumstances.
For details on Administrative Domains and the firmware download process, refer to Chapter 17,
“Managing Administrative Domains” for more information.
For details about testing and restoring firmware, refer to “Testing and restoring firmware on
Backbones” on page 270.
Passwordless firmware download
You can download firmware without a password using the sshutil command for public key
authentication when SSH is selected. The switch must be configured to install the private key, and
then you must export the public key to the remote host. Before running the firmwareDownload
command, you must first configure the SSH protocol to permit passwordless logins for outgoing
authentication as described in “Configuring outgoing SSH authentication” on page 181.
Considerations for FICON CUP environments
To prevent channel errors during nondisruptive firmware installation, the switch CUP port must be
taken offline from all host systems.
HA sync state
High Availability (HA) synchronization occurs when two CPs in a Backbone are synchronized. This
state provides redundancy and a nondisruptive firmware download. In order for a firmware
download to successfully occur, the two CPs in a Backbone must be in sync.
If the CPs have mixed versions when you enter the firmwareDownload command, the CPs may not
be in HA sync. In this case, you must enter the firmwareDownload –s command first to upgrade or
downgrade the standby CP to the same level as the active CP, and then upgrade the CPs to the
desired version of firmware.
NOTE
Do not run mixed firmware levels on CPs.
Table 49 shows the sync state of a Backbone that has different Fabric OS versions installed on the
active and standby CPs. Use the table to determine if you need to use the firmwareDownload -s
command.
Fabric OS Administrator’s Guide
53-1002745-02
257
9
Preparing for a firmware download
TABLE 49
Backbone HA sync states
Active CP Fabric OS
version
Standby CP Fabric OS
version
HA sync state
Remedy
v6.2.0
v6.2.0
inSync
N/A
v6.2.x
v6.3.0
inSync
N/A
v6.3.0
v6.2.x
If Ethernet Switch Service
is enabled, no sync.
Run firmwareDownload -s on the
standby CP and upgrade it to v6.3.0.
v6.3.0
v6.3.0
inSync
N/A
v6.3.0
v6.4.0
inSync
N/A
v6.4.0
v6.3.0
inSync
Run firmwareDownload -s on the
standby CP and upgrade it to v6.4.0.
v6.4.0
v6.4.0
inSync
N/A
v7.0.0
v6.4.0
inSync
Run firmwareDownload -s on the
standby CP to upgrade it to v7.0.0
v7.0.0
v7.0.0
inSync
N/A
v7.1.0
v7.1.0
inSync
N/A
v7.0.0
v7.1.0
inSync
N/A
v7.1.0
v7.0.0
inSync
N/A
v6.4.0
v7.1.0
Not inSync
N/A
v7.1.0
v6.4.0
Not inSync
N/A
Preparing for a firmware download
Before executing a firmware download, it is recommended that you perform the tasks listed in this
section. In the unlikely event of a failure or timeout, these preparatory tasks enable you to provide
your switch support provider the information required to troubleshoot the firmware download.
It is recommended that you use the configUpload command to back up the current configuration
before you download firmware to a switch. Refer to “Configuration file backup” on page 244 for
details.
1. Read the release notes for the new firmware to find out if there are any updates related to the
firmware download process.
2. Connect to the switch and log in using an account with admin permissions. Enter the
firmwareShow command to verify the current version of Fabric OS.
Brocade does not support upgrades from more than one previous release. For example,
upgrading from Fabric OS v7.0.x to v7.1.0 is supported, but upgrading from Fabric OS v6.4.x
directly to v7.1.0 is not supported. Upgrading a switch from Fabric OS v6.4.x to v7.1.0 is a
two-step process—first upgrade to v7.0.x, and then upgrade to v7.1.0.
3. Use the configUpload command prior to the firmware download. Save the configuration file on
your FTP or SSH server or USB memory device on supported platforms.
4. Optional: For additional support, connect the switch to a computer with a serial console cable.
Ensure that all serial consoles (both CPs for Backbones) and any open network connection
sessions, such as Telnet, are logged and included with any trouble reports.
258
Fabric OS Administrator’s Guide
53-1002745-02
Preparing for a firmware download
9
5. Connect to the switch and log in using an account with admin permissions. Enter the
supportSave command to retrieve all current core files prior to executing the firmware
download. This information helps to troubleshoot the firmware download process if a problem
is encountered.
6. Optional: Enter the errClear command to erase all existing messages in addition to internal
messages.
Obtaining and decompressing firmware
Firmware upgrades are available for customers with support service contracts and for partners on
the Brocade website at http://www.brocade.com.
You must decompress the firmware before you can use the firmwareDownload command to update
the firmware on your equipment. Use the UNIX tar command for .tar files, the gunzip command for
all .gz files, or a Windows unzip program for all .zip files
When you unpack the downloaded firmware, it expands into a directory that is named according to
the version of Fabric OS it contains. For example, when you download and unzip v7.1.0.zip, it
expands into a directory called v7.1.0. When you issue the firmwareDownload command, there is
an automatic search for the correct package file type associated with the switch. Specify only the
path up to and including the v7.1.0 directory.
Connected switches
Before you upgrade the firmware on your switch, you must check the connected switches to ensure
compatibility and that any older versions are supported. Refer to the Fabric OS Compatibility
section of the Brocade Fabric OS Release Notes, for the recommended firmware version.
If fixed-port switches are adjacent and you start firmware downloads on them at the same time,
there may be traffic disruption.
To determine if you need to upgrade switches connected to the switch you are upgrading, use the
following procedure on each connected switch to display firmware information and build dates.
Finding the switch firmware version
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the version command.
The following information is displayed:
•
•
•
•
•
Fabric OS Administrator’s Guide
53-1002745-02
Kernel displays the version of the switch kernel operating system.
Fabric OS displays the version of the switch Fabric OS.
Made on displays the build date of the firmware running on the switch.
Flash displays the install date of firmware stored in nonvolatile memory.
BootProm displays the version of the firmware stored in the boot PROM.
259
9
Firmware download on switches
Firmware download on switches
Brocade fixed-port switches maintain primary and secondary partitions for firmware. The
firmwareDownload command defaults to an autocommit option that automatically copies the
firmware from one partition to the other.
NOTE
This section only applies when upgrading from Fabric OS v7.0.x to v7.1.0, downgrading from v7.1.0
to v7.0.x, or going from v7.1.x to v7.1.x.
If you are upgrading from Fabric OS v6.4.x to v7.1.0 or downgrading from v7.1.0 to v6.4.x or earlier,
you must enter the firmwareDownload –s command as described in “Testing and restoring firmware
on switches” on page 268.
You cannot perform a firmware download if you are going from v7.1.0 to v6.3 (or lower) or from v6.3
(or lower) to v7.1.0.
Do not override the autocommit option under normal circumstances; use the default. Refer to the
“Testing and restoring firmware on Backbones” on page 270 for details about overriding the
autocommit option.
Switch firmware download process overview
The following list describes the default behavior after you enter the firmwareDownload command
(without options) on Brocade fixed-port switches:
• The Fabric OS downloads the firmware to the secondary partition.
• The system performs a high availability reboot (haReboot). After the haReboot, the former
secondary partition is the primary partition.
• The system replicates the firmware from the primary to the secondary partition.
The upgrade process first downloads and then commits the firmware to the switch. While the
upgrade is proceeding, you can start a session on the switch and use the firmwareDownloadStatus
command to observe the upgrade progress.
CAUTION
After you start the process, do not enter any disruptive commands (such as reboot) that interrupt
the process. The entire firmware download and commit process takes approximately 17 minutes.
If there is a problem, wait for the timeout (30 minutes for network problems) before issuing the
firmwareDownload command again. Disrupting the process can render the switch inoperable and
require you to seek help from your switch service provider.
Do not disconnect the switch from power during the process. The switch could be inoperable
when rebooted.
260
Fabric OS Administrator’s Guide
53-1002745-02
Firmware download on switches
9
Upgrading firmware for Brocade fixed-port switches
1. Take the following appropriate action based on what service you are using:
• If you are using FTP, SFTP, or SCP, verify that the FTP or SSH server is running on the host
server and that you have a valid user ID and password on that server.
• If your platform supports a USB memory device, verify that it is connected and running.
2. Obtain the firmware file from the Brocade website at http://www.brocade.com and store the
file on the FTP or SSH server or the USB memory device.
3. Unpack the compressed files preserving directory structures.
The firmware is in the form of RPM packages with names defined in a .plist file. The .plist file
contains specific firmware information and the names of packages of the firmware to be
downloaded.
4. Connect to the switch and log in using an account with admin permissions.
5. Issue the firmwareShow command to check the current firmware version on connected
switches. Upgrade the firmware on the connected switches, if necessary, before proceeding
with upgrading this switch.
Refer to “Connected switches” on page 259 for details.
6. Enter the firmwareDownload command and respond to the prompts.
NOTE
If DNS is enabled and a server name instead of a server IP address is specified in the
command line, firmwareDownload determines whether IPv4 or IPv6 should be used.
To be able to mention the FTP server by name, you must enter at least one DNS server using
the dnsConfig command.
7.
At the “Do you want to continue [y/n]” prompt, enter y.
8. After the HA reboot, connect to the switch and log in again using an account with admin
permissions.
9. Enter the firmwareDownloadStatus command to determine if the firmware download process
has completed.
10. After the firmware commit is completed, which takes several minutes, enter the firmwareShow
command to verify the firmware level of both partitions is the same.
Example of an interactive firmware download
switch:root> firmwaredownload
Server Name or IP Address: 10.31.2.25
User Name: releaseuser
File Name: /home/SAN/fos/v7.1.0/v7.1.0
Network Protocol(1-auto-select, 2-FTP, 3-SCP, 4-SFTP) [1]: 4
Verifying if the public key authentication is available.Please wait ...
The public key authentication is not available.
Password:
Server IP: 10.31.2.25, Protocol IPv4
Checking system settings for firmwaredownload...
Fabric OS Administrator’s Guide
53-1002745-02
261
9
Firmware download on a Backbone
Firmware download on a Backbone
ATTENTION
To successfully download firmware, you must have an active Ethernet connection on each CP.
You can download firmware to a Backbone without disrupting the overall fabric if the two CP blades
are installed and fully synchronized. Use the haShow command to verify that the CPs are
synchronized prior to beginning the firmware download process. If only one CP blade is inserted,
powered on, or plugged into the network, you can run firmwareDownload –s to upgrade the CP.
If the CPs are not in sync, you can run firmwareDownload –s on each of the CPs to upgrade them.
These operations are disruptive. If the CPs are not in sync, run the haSyncStart command. If the
CPs are still not in sync, refer to the Fabric OS Troubleshooting and Diagnostics Guide. If the
troubleshooting information fails to help resolve the issue, contact your switch service provider.
During the upgrade process, the Backbone fails over to its standby CP blade and the IP address for
the Backbone moves to that CP blade's Ethernet port. This may cause informational ARP address
reassignment messages to appear on other switches in the fabric. This is normal behavior,
because the association between the IP addresses and MAC addresses has changed.
Backbone firmware download process overview
The following summary describes the default behavior of the firmwareDownload command (without
options) on a Backbone. After you enter the firmwareDownload command on the active CP blade
the following actions occur.
1. The standby CP blade downloads firmware.
2. The standby CP blade reboots and comes up with the new Fabric OS.
3. The active CP blade synchronizes its state with the standby CP blade.
4. The active CP blade forces a failover and reboots to become the standby CP blade.
5. The new active CP blade synchronizes its state with the new standby CP blade.
6. The new standby CP blade (the active CP blade before the failover) downloads firmware.
7.
The new standby CP blade reboots and comes up with the new Fabric OS.
8. The new active CP blade synchronizes its state with the new standby CP blade.
9. The firmwareCommit command runs automatically on both CP blades.
CAUTION
After you start the process, do not enter any disruptive commands (such as reboot) that interrupt
the process. The entire firmware download and commit process takes approximately 17 minutes.
If there is a problem, wait for the timeout (30 minutes for network problems) before issuing the
firmwareDownload command again. Disrupting the process can render the switch inoperable and
require you to seek help from your switch service provider.
Do not disconnect the switch from power during the process. The switch could be inoperable
when rebooted.
262
Fabric OS Administrator’s Guide
53-1002745-02
Firmware download on a Backbone
9
Upgrading firmware on Backbones (including blades)
There is only one chassis management IP address for the Brocade Backbones.
NOTE
By default, the firmwareDownload command automatically upgrades both the active and the
standby CPs and all co-CPs on the CP blades in the Brocade Backbones. It automatically upgrades
all AP blades in the Brocade Backbones using auto-leveling.
1. Verify that the Ethernet interfaces located on CP0 and CP1 are plugged into your network.
2. Verify that the FTP, SFTP, or SSH server is running on the host server and that you have a user
ID on that server.
3. Obtain the firmware file from the Brocade website at http://www.brocade.com and store the
file on the FTP or SSH server.
4. Unpack the compressed files preserving directory structures.
The firmware is in the form of RPM packages with names defined in a .plist file. The .plist file
contains specific firmware information and the names of packages of the firmware to be
downloaded.
5. Connect to the chassis IP management interface or active CP and log in using an account with
admin permissions.
6. Use the firmwareShow command to check the current firmware version on connected
switches. Upgrade the firmware, if necessary, before proceeding with upgrading this switch.
Refer to “Connected switches” on page 259.
7.
Enter the haShow command to confirm that the two CP blades are synchronized.
In the following example, the active CP blade is CP0 and the standby CP blade is CP1:
ecp:admin> hashow
Local CP (Slot 5, CP0): Active, Warm Recovered
Remote CP (Slot 6, CP1): Standby, Healthy
HA enabled, Heartbeat Up, HA State synchronized
CP blades must be synchronized and running Fabric OS v6.0.0 or later to provide a
nondisruptive download. If the two CP blades are not synchronized, enter the haSyncStart
command to synchronize them. If the CPs still are not synchronized, contact your switch
service provider.
For further troubleshooting, refer to the Fabric OS Troubleshooting and Diagnostics Guide.
8. Enter the firmwareDownload command and respond to the interactive prompts.
9. At the “Do you want to continue [y/n]” prompt, enter y.
The firmware is downloaded to one CP blade at a time, beginning with the standby CP blade.
During the process, the active CP blade fails over. After the firmware is downloaded, a firmware
commit starts on both CP blades. The entire firmware download and commit process takes
approximately 17 minutes.
Fabric OS Administrator’s Guide
53-1002745-02
263
9
Firmware download on a Backbone
If an AP blade is present: At the point of the failover, an autoleveling process is activated.
Autoleveling is triggered when the active CP detects a blade that contains a different version of
the firmware, regardless of which version is older. Autoleveling downloads firmware to the AP
blade, swaps partitions, reboots the blade, and copies the new firmware from the primary
partition to the secondary partition. If you have multiple AP blades, they are updated
simultaneously; however, the downloads can occur at different rates.
Autoleveling takes place in parallel with the firmware download being performed on the CPs,
but does not impact performance. Fibre Channel traffic is not disrupted during autoleveling,
but GbE traffic on AP blades may be affected. If there is an active FCIP tunnel on the FX8-24
blade, the FCIP tunnel traffic will be impacted for at least two minutes.
ecp:admin> firmwaredownload
Type of Firmware (FOS, SAS, or any application) [FOS]:
Server Name or IP Address: 10.1.2.3
User Name: userfoo
File Name: /home/userfoo/v7.1.0
Network Protocol (1-auto-select, 2-FTP, 3-SCP, 4-SFTP)) [1]:
Password: <hidden>
Checking version compatibility...
Version compatibility check passed.
The following AP blades are installed in the system.
Slot Name
Versions
Traffic Disrupted
----------------------------------------------------------------2 FS8-18
v7.1.0_main_bld27
Encrypted Traffic
8 FX8-24
v7.1.0_main_bld27
GigE
This command will upgrade the firmware on both CPs and all AP blade(s) above.
If you want to upgrade firmware on a single CP only, please use -s option.
You may run firmwaredownloadstatus to get the status of this
command.
This command will cause a warm/non-disruptive boot on the active CP,
but will require that existing telnet, secure telnet or SSH sessions
be restarted.
Do you want to continue [Y]: y
The firmware is being downloaded to the Standby CP. It may take up to 10
minutes.
10. Optionally, after the failover, connect to the switch, and log in again as admin. Using a separate
session to connect to the switch, enter the firmwareDownloadStatus command to monitor the
firmware download status.
sw0:FID128:admin> firmwaredownloadstatus
[1]: Mon Mar 22 04:27:21 2010
Slot 7 (CP1, active): Firmware is being downloaded to the switch. This step
may take up to 30 minutes.
[2]: Mon Mar 22 04:34:58 2010
Slot 7 (CP1, active): Relocating an internal firmware image on the CP blade.
[3]: Mon Mar 22 04:35:29 2010
Slot 7 (CP1, active): The internal firmware image is relocated successfully.
[4]: Mon Mar 22 04:35:30 2010
264
Fabric OS Administrator’s Guide
53-1002745-02
Firmware download from a USB device
9
Slot 7 (CP1, active): Firmware has been downloaded to the secondary partition
of the switch.
[5]: Mon Mar 22 04:37:24 2010
Slot 7 (CP1, standby): The firmware commit operation has started. This may
take up to 10 minutes.
[6]: Mon Mar 22 04:41:59 2010
Slot 7 (CP1, standby): The commit operation has completed successfully.
[7]: Mon Mar 22 04:41:59 2010
Slot 7 (CP1, standby): Firmwaredownload command has completed successfully.
Use firmwareshow to verify the firmware versions.
11. Enter the firmwareShow command to display the new firmware versions.
Firmware download from a USB device
The Brocade 300, 5100, 5300, 6505, 6510, 6520, 7800, 8000, and VA-40FC switches and the
Brocade DCX, DCX-4S, or DCX 8510 Backbones support a firmware download from a Brocade
branded USB device attached to the switch or active CP. Before the USB device can be accessed by
the firmwareDownload command, it must be enabled and mounted as a file system. The firmware
images to be downloaded must be stored under the relative path from
/usb/usbstorage/brocade/firmware or use the absolute path in the USB file system. Multiple
images can be stored under this directory. There is a firmwarekey directory where the public key
signed firmware is stored.
When the firmwareDownload command line option, -U (upper case), is specified, the
firmwareDownload command downloads the specified firmware image from the USB device. When
specifying a path to a firmware image in the USB device, you can only specify the relative path to
/firmware or the absolute path.
Enabling the USB device
1. Log in to the switch using an account assigned to the admin role.
2. Enter the usbStorage -e command.
Viewing the USB file system
1. Log in to the switch using an account assigned to the admin role.
2. Enter the usbStorage -l command.
BrcdDCXBB:admin> usbstorage –l
firmware\
381MB
2010
v7.1.0\
381MB
2010
config\
0B
2010
support\
0B
2010
firmwarekey\
0B
2010
Available space on usbstorage 79%
Fabric OS Administrator’s Guide
53-1002745-02
Mar
Mar
Mar
Mar
Mar
28
28
28
28
28
15:33
10:39
15:33
15:33
15:33
265
9
FIPS support
Downloading from the USB device using the relative path
1. Log in to the switch using an account assigned to the admin role.
2. Enter the firmwareDownload -U command.
ecp:admin>firmwaredownload –U v7.1.0
Downloading from the USB device using the absolute path
1. Log in to the switch using an account assigned to the admin role.
2. Enter the firmwareDownload command with the -U operand.
ecp:admin>firmwaredownload –U /usb/usbstorage/brocade/firmware/v7.1.0
FIPS support
Federal Information Processing Standards (FIPS) specify the security standards needed to satisfy a
cryptographic module utilized within a security system for protecting sensitive information in the
computer and telecommunication systems. For more information about FIPS, refer to Chapter 7,
“Configuring Security Policies”.
Fabric OS v7.1.0 firmware is digitally signed using the OpenSSL utility to provide FIPS support. To
use the digitally signed software, you must configure the switch to enable signed firmware
download. If it is not enabled, the firmware download process ignores the firmware signature and
performs as before.
If signed firmware download is enabled, and if the validation succeeds, the firmware download
process proceeds normally. If the firmware is not signed or if the signature validation fails,
firmwareDownload fails.
To enable or disable FIPS mode, refer to Chapter 7, “Configuring Security Policies”.
Public and private key management
For signed firmware, Brocade uses RSA with 1024-bit length key pairs, a private key and a public
key. The private key is used to sign the firmware files when the firmware is generated. The public
key is packaged in an RPM package as part of the firmware, and is downloaded to the switch. After
it is downloaded, it can be used to validate the firmware to be downloaded next time when you run
the firmwareDownload command.
The public key file on the switch contains only one public key. It is only able to validate firmware
signed using one corresponding private key. If the private key changes in future releases, you need
to change the public key on the switch by one of the following methods:
• By using the firmwareDownload command. When a new firmware is downloaded, firmware
download always replaces the public key file on the switch with what is in the new firmware.
This allows you to have planned firmware key changes.
• By using the firmwareKeyUpdate command. This command retrieves a specified public key file
from a specific server location and replaces the one on the switch. The information about
firmware versions and their corresponding public key files is documented in the release notes
or stored in a known location on the Brocade website. This command allows the customer to
handle unplanned firmware key changes.
266
Fabric OS Administrator’s Guide
53-1002745-02
FIPS support
9
NOTE
If FIPS mode is enabled, all logins should be handled through SSH or direct serial method, and the
transfer protocol should be SCP.
Updating the firmware key
1. Log in to the switch as admin.
2. Enter the firmwareKeyUpdate command and respond to the prompts.
The firmwareDownload command
The ipublic key file needs to be packaged, installed, and run on your switch before you download a
signed firmware.
When firmware download installs a firmware file, it must validate the signature of the file. Different
scenarios are handled as follows:
• If a firmware file does not have a signature, how it is handled depends on the
“signed_firmware” parameter on the switch. If it is enabled, firmware download fails.
Otherwise, firmware download displays a warning message and proceeds normally. When
downgrading to non-FIPS-compliant firmware, the “signed_firmware” flag needs to be disabled.
• If the firmware file has a signature but the validation fails, firmware download fails. This means
the firmware is not from Brocade, or the contents have been modified.
• If the firmware file has a signature and the validation succeeds, firmware download proceeds
normally.
SAS, DMM, and third-party application images are not signed.
Configuring a switch for signed firmware
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the configure command.
3. Respond to the prompts as follows:
System Service
ssl attributes
snmp
attributes
rpcd attributes
cfgload
attributes
Press Enter to select default setting; default is no.
Press Enter to select default setting; default is no.
Press Enter to select default setting; default is no.
Press Enter to select default setting; default is no.
Select Yes. The following questions are displayed:
Enforce secure config Upload/Download: Select yes.
Enforce signed firmware download: Select yes.
Webtools
attributes
System
Fabric OS Administrator’s Guide
53-1002745-02
Press Enter to select default setting; default is no.
Press Enter to select default setting; default is no.
267
9
Testing and restoring firmware on switches
Power-on firmware checksum test
FIPS requires the checksums of the executables and libraries on the filesystem to be validated
before Fabric OS modules are launched. This is to make sure these files have not been changed
after they are installed.
When firmware RPM packages are installed during firmware download, the MD5 checksums of the
firmware files are stored in the RPM database on the filesystem. The checksums go through all of
the files in the RPM database. Every file compares its current checksum with the checksum that is
in the RPM database. If they are different, the command displays an output message informing you
of the difference.
Because the validation may take up to a few minutes, it is not performed during a hot code load. It
is only performed after a cold reboot of the switch.
For more information on FIPS, refer to Chapter 7, “Configuring Security Policies”.
Testing and restoring firmware on switches
NOTE
This section does not apply to SAS or storage applications applied to the FA4-18 AP blade.
Typically, users downgrade firmware after briefly evaluating a newer (or older) version and then
restore the original version of the firmware. Testing a new version of firmware in this manner
ensures that you do not replace existing firmware because the evaluated version occupies only one
partition on the switch.
ATTENTION
When you evaluate new firmware, make sure you disable all features that are not supported by the
original firmware before restoring to the original version.
Testing a different firmware version on a switch
1. Verify that the FTP, SFTP, or SSH server is running on the host server and that you have a user
ID on that server.
2. Obtain the firmware file from the Brocade website at http://www.brocade.com or the switch
support provider and store the file on the FTP or SSH server.
3. Unpack the compressed files preserving directory structures.
The firmware is in the form of RPM packages with names defined in a .plist file, that contains
specific firmware information and the names of packages of the firmware to be downloaded.
4. Connect to the switch and log in using an account with admin permissions.
5. Enter the firmwareShow command to view the current firmware.
6. Enter the firmwareDownload -s command to update the firmware, and respond to the prompts.
Example of a firmware download to a single partition
ecp:admin> firmwareDownload -s
Type of Firmware (FOS, SAS, or any application) [FOS]:
Server Name or IP Address: 10.1.2.3
Network Protocol (1-auto-select, 2-FTP, 3-SCP, 4-SFTP) [1]:
268
Fabric OS Administrator’s Guide
53-1002745-02
Testing and restoring firmware on switches
9
User Name: userfoo
File Name: /home/userfoo/v7.0.0
Password: <hidden>
Do Auto-Commit after Reboot [Y]: n
Reboot system after download [N]: y
Firmware is being downloaded to the switch. This step may take up to 30
minutes.
Checking system settings for firmwaredownload...
The switch performs a reboot and comes up with the new firmware to be tested. Your current
switch session automatically disconnects.
ATTENTION
Downloading firmware to a switch can be disruptive to switch traffic.
7.
Connect to the switch, log in as admin, and enter the firmwareShow command to confirm that
the primary partition of the switch contains the new firmware.
You are now ready to evaluate the new version of firmware.
ATTENTION
Stop! If you want to restore the firmware, stop here and skip ahead to step 9; otherwise,
continue to step 8 to commit the firmware on the switch, which completes the firmware
download operations.
8. Commit the firmware.
a.
Enter the firmwareCommit command to update the secondary partition with new firmware.
Note that it takes several minutes to complete the commit operation.
b.
Enter the firmwareShow command to confirm both partitions on the switch contain the
new firmware.
ATTENTION
Stop! If you have completed step 8, then you have committed the firmware on the switch and
you have completed the firmware download procedure.
9. Restore the firmware.
a.
Enter the firmwareRestore command. The switch reboots and comes up with the original
firmware again.
A firmware commit automatically begins to copy the original firmware from the primary
partition to the secondary partition. At the end of the firmware commit process, both
partitions have the original firmware. Note that it takes several minutes to complete the
commit operation.
b.
Wait five minutes to ensure that all processes have completed and the switch is fully up
and operational.
c.
Log in to the switch. Enter the firmwareShow command and verify that both partitions on
the switch have the original firmware.
Fabric OS Administrator’s Guide
53-1002745-02
269
9
Testing and restoring firmware on Backbones
Testing and restoring firmware on Backbones
This procedure enables you to perform a firmware download on each CP and verify that the
procedure was successful before committing to the new firmware. The old firmware is saved in the
secondary partition of each CP until you enter the firmwareCommit command. If you decide to back
out of the installation prior to the firmware commit, you can enter the firmwareRestore command to
restore the former active Fabric OS firmware image.
The firmwareRestore command can only run if autocommit was disabled during the firmware
download. This command cannot be used to restore SAS and SA images.
NOTE
Brocade recommends that, under normal operating conditions, you maintain the same firmware
version on both CPs, and on both partitions of each CP. This organization enables you to evaluate
firmware before you commit. As a standard practice, do not run mixed firmware levels on CPs.
Testing different firmware versions on Backbones
1. Connect to the Brocade Backbone IP address.
2. Enter the ipAddrShow command and note the address of CP0 and CP1.
3. Enter the haShow command and note which CP is active and which CP is standby. Verify that
both CPs are in sync.
4. Enter the firmwareShow command and confirm that the current firmware on both partitions on
both CPs is listed as expected.
5. Exit the session.
6. Update the firmware on the standby CP.
a.
Connect to the Backbone and log in as admin to the standby CP.
b.
Enter the firmwareDownload -s command and respond to the prompts.
At this point, the firmware downloads to the standby CP only. When it has completed the
download to that CP, reboot it. The current Backbone session is disconnected.
7.
Fail over to the standby CP.
a.
Connect to the Backbone on the active CP.
b.
Enter the haShow command to verify that HA synchronization is complete. It takes a
minute or two for the standby CP to reboot and synchronize with the active CP.
c.
Enter the firmwareShow command to confirm that the primary partition of the standby CP
contains the new firmware.
d.
Enter the haFailover command. The active CP reboots and the current Backbone session
is disconnected.
If an AP blade is present: At the point of the failover, an autoleveling process is activated.
Refer to “Backbone firmware download process overview” on page 262 for details about
autoleveling.
270
Fabric OS Administrator’s Guide
53-1002745-02
Testing and restoring firmware on Backbones
9
8. Verify the failover.
a.
Connect to the Backbone on the active CP, which is the former standby CP.
b.
Enter the haShow command to verify that the HA synchronization is complete. It takes a
minute or two for the standby CP, which is the old active CP, to reboot and synchronize with
the active CP.
NOTE
If the CPs fail to synchronize, you can still proceed because the version being tested is already
present on the active CP, and subsequent steps ensure that the standby CP is updated to the
same version as the active CP.
c.
Confirm the evaluation version of firmware is now running on the active CP by entering the
firmwareShow command.
9. Update firmware on the standby CP.
a.
Connect to the Backbone on the standby CP, which is the former active CP.
b.
Enter the firmwareDownload command with the -s -b -n operands. This ensures that the
following steps are successful.
At this point the firmware downloads to the standby CP only and reboots it. The current
Backbone session is disconnected.
c.
Wait one minute for the standby CP to reboot, and then connect to the Backbone and log
in as admin.
d.
Enter the firmwareShow command to confirm that both primary partitions now have the
test drive firmware in place.
You are now ready to evaluate the new version of firmware.
ATTENTION
Stop! If you want to restore the firmware, stop here and skip ahead to step 12; otherwise,
continue to step 10 to commit the firmware on both CPs, which completes the firmware
download.
10. Perform a commit on the standby CP.
From the current Backbone session on the standby CP, enter the firmwareCommit command to
update the secondary partition with new firmware. It takes several minutes to complete the
commit operation. Do not do anything on the Backbone while this operation is in process.
11. Perform a commit on the active CP.
a.
From the current Backbone session on the active CP, enter the firmwareShow command
and confirm that only the active CP secondary partition contains the old firmware.
b.
Enter the firmwareCommit command to update the secondary partition with the new
firmware. It takes several minutes to complete the commit operation. Do not do anything
on the Backbone while this operation is in process.
c.
Upon completion of the firmwareCommit command, enter the firmwareShow command to
confirm both partitions on both CPs contain the new firmware.
d.
Enter the haShow command to confirm that the HA state is in sync.
Fabric OS Administrator’s Guide
53-1002745-02
271
9
Testing and restoring firmware on Backbones
ATTENTION
Stop! If you have completed step 11, then you have committed the firmware on both CPs and
you have completed the firmware download procedure.
12. Restore the firmware on the standby CP.
In the current Backbone session for the standby CP, enter the firmwareRestore command. The
standby CP reboots and the current Backbone session ends. Both partitions have the same
Fabric OS after several minutes.
13. Perform haFailover on the active CP.
a.
In the current Backbone session for the active CP, enter the haShow command to verify
that HA synchronization is complete. It takes a minute or two for the standby CP to reboot
and synchronize with the active CP.
b.
Enter the haFailover command. The active CP reboots and the current Backbone session
ends. The Backbone is now running the original firmware.
14. Restore firmware on the “new” standby CP.
a.
Wait one minute and connect to the Backbone on the new standby CP, which is the former
active CP.
b.
Enter the firmwareRestore command. The standby CP reboots and the current Backbone
session ends. Both partitions have the same Fabric OS after several minutes.
c.
Wait five minutes and log in to the Backbone. Enter the firmwareShow command and
verify that all partitions have the original firmware.
If an AP blade is present: Blade partitions always contain the same version of the firmware
on both partitions. The firmware is stored on the blade’s compact flash card and is always
synchronized with the active CP’s firmware. Thus, if you restore the active CP firmware, the
blade firmware is automatically downloaded (autoleveled) to become consistent with the
new CP firmware (the blade firmware is restored).
Your system is now restored to the original partitions on both CPs. Make sure that servers using the
fabric can access their storage devices.
If you want to upgrade a Backbone with only one CP in it, follow the procedures in “Testing and
restoring firmware on switches” on page 268. Be aware that upgrading a Backbone with only one
CP is disruptive to switch traffic.
272
Fabric OS Administrator’s Guide
53-1002745-02
Validating a firmware download
9
Validating a firmware download
Validate the firmware download by running the following commands: firmwareShow,
firmwareDownloadStatus, nsShow, nsAllShow, and fabricShow.
All of the connected servers, storage devices, and switches should be present in the output of
these commands. If there is a discrepancy, it is possible that a device or switch cannot connect to
the fabric and further troubleshooting is necessary.
firmwareShow
Displays the current firmware level on the switch. For Brocade Backbones, this
command displays the firmware loaded on both partitions (primary and secondary) for
both CPs and AP blades. Brocade recommends that you maintain the same firmware
level on both partitions of each CP within the Brocade Backbone. The firmwareShow
command displays the firmware version on each CP.
firmwareDownloadStatus Displays an event log that records the progress and status of events during Fabric OS,
SAS, and SA firmware download. The event log is created by the current
firmwareDownload command and is kept until another firmwareDownload command is
issued. There is a time stamp associated with each event. When downloading SAS or SA
in systems with two control processor (CP) cards, you can only run this command on the
active CP. When downloading Fabric OS, the event logs in the two CPs are synchronized.
This command can be run from either CP.
nsShow
Displays all devices directly connected to the switch that have logged in to the name
server. Make sure the number of attached devices after the firmware download is
exactly the same as the number of attached devices prior to the firmware download.
nsAllShow
Displays all devices connected to a fabric. Make sure the number of attached devices
after the firmware download is exactly the same as the number of attached devices
prior to the firmware download.
fabricShow
Displays all switches in a fabric. Make sure the number of switches in the fabric after
the firmware download is exactly the same as the number of attached devices prior to
the firmware download.
Fabric OS Administrator’s Guide
53-1002745-02
273
9
274
Validating a firmware download
Fabric OS Administrator’s Guide
53-1002745-02
Chapter
10
Managing Virtual Fabrics
In this chapter
• Virtual Fabrics overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Logical switch overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Logical fabric overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Management model for logical switches . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Account management and Virtual Fabrics. . . . . . . . . . . . . . . . . . . . . . . . . .
• Supported platforms for Virtual Fabrics. . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Limitations and restrictions of Virtual Fabrics. . . . . . . . . . . . . . . . . . . . . . .
• Enabling Virtual Fabrics mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Disabling Virtual Fabrics mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Configuring logical switches to use basic configuration values . . . . . . . . .
• Creating a logical switch or base switch . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Executing a command in a different logical switch context . . . . . . . . . . . .
• Deleting a logical switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Adding and moving ports on a logical switch . . . . . . . . . . . . . . . . . . . . . . .
• Displaying logical switch configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Changing the fabric ID of a logical switch . . . . . . . . . . . . . . . . . . . . . . . . . .
• Changing a logical switch to a base switch . . . . . . . . . . . . . . . . . . . . . . . . .
• Setting up IP addresses for a Virtual Fabric . . . . . . . . . . . . . . . . . . . . . . . .
• Removing an IP address for a Virtual Fabric . . . . . . . . . . . . . . . . . . . . . . . .
• Configuring a logical switch to use XISLs. . . . . . . . . . . . . . . . . . . . . . . . . . .
• Changing the context to a different logical fabric . . . . . . . . . . . . . . . . . . . .
• Creating a logical fabric using XISLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
275
276
281
281
286
286
288
290
290
291
292
293
294
295
296
296
297
298
298
299
299
300
Virtual Fabrics overview
Virtual Fabrics is an architecture to virtualize hardware boundaries. Traditionally, SAN design and
management is done at the granularity of a physical switch. Virtual Fabrics allows SAN design and
management to be done at the granularity of a port.
Virtual Fabrics is a suite of related features that can be customized based on your needs.
The Virtual Fabrics suite consists of the following specific features:
• Logical switch
• Logical fabric
• Device sharing
Fabric OS Administrator’s Guide
53-1002745-02
275
10
Logical switch overview
This chapter describes the logical switch and logical fabric features. For information about device
sharing with Virtual Fabrics, refer to “FC-FC routing and Virtual Fabrics” on page 606.
For information about supported switches and port types, refer to “Supported platforms for
Virtual Fabrics” on page 286.
Virtual Fabrics and Admin Domains are mutually exclusive and are not supported at the same time
on a switch.
NOTE
A note on terminology: Virtual Fabrics is the name of the suite of features. A logical fabric is a type
of fabric that you can create using the Virtual Fabrics suite of features.
Logical switch overview
Traditionally, each switch and all the ports in the switch act as a single Fibre Channel switch (FC
switch) that participates in a single fabric. The logical switch feature allows you to divide a physical
chassis into multiple fabric elements. Each of these fabric elements is referred to as a logical
switch. Each logical switch functions as an independent self-contained FC switch.
NOTE
Each chassis can have multiple logical switches.
Default logical switch
To use the Virtual Fabrics features, you must first enable Virtual Fabrics on the switch. Enabling
Virtual Fabrics creates a single logical switch in the physical chassis. This logical switch is called
the default logical switch, and it initially contains all of the ports in the physical chassis.
Figure 17 shows a switch before and after enabling Virtual Fabrics. In this example, the switch has
10 ports, labeled P0 through P9.
Before enabling Virtual Fabrics
After enabling Virtual Fabrics
Physical chassis
Physical chassis
P0
P3
P6
P1
P4
P7
P2
P5
P8
FIGURE 17
276
P9
Default logical switch
P0
P3
P6
P1
P4
P7
P2
P5
P8
P9
Switch before and after enabling Virtual Fabrics
Fabric OS Administrator’s Guide
53-1002745-02
Logical switch overview
10
After you enable Virtual Fabrics, you can create up to seven additional logical switches, depending
on the switch model.
Figure 18 shows a Virtual Fabrics-enabled switch before and after it is divided into logical switches.
Before you create logical switches, the chassis appears as a single switch (default logical switch).
After you create logical switches, the chassis appears as multiple independent logical switches. All
of the ports continue to belong to the default logical switch until you explicitly move them to other
logical switches.
The default logical switch always exists. You can add and delete other logical switches, but you
cannot delete the default logical switch unless you disable Virtual Fabrics.
Before logical switch creation
After logical switch creation
Physical chassis
Logical switch 1
(Default logical switch)
P0
P2
P4
P6
P8
P1
P3
P5
P7
P9
Default logical switch
P0
P3
P6
P1
P4
P7
P2
P5
P8
P9
Logical switch 2
Logical switch 3
Logical switch 4
FIGURE 18
Switch before and after creating logical switches
Logical switches and fabric IDs
When you create a logical switch, you must assign it a fabric ID (FID). The fabric ID uniquely
identifies each logical switch within a chassis and indicates to which fabric the logical switch
belongs. You cannot define multiple logical switches with the same fabric ID within the chassis.
In Figure 19 on page 278, logical switches 2, 3, 4, and 5 are assigned FIDs of 1, 15, 8, and 20,
respectively. These logical switches belong to different fabrics, even though they are in the same
physical chassis. For example, you could not assign logical switch 5 a fabric ID of 15, because
logical switch 3 is already assigned FID 15 in the chassis.
The default logical switch is initially assigned FID 128. You can change this value later.
NOTE
Each logical switch is assigned one and only one FID. The FID identifies the logical fabric to which
the logical switch belongs.
Fabric OS Administrator’s Guide
53-1002745-02
277
10
Logical switch overview
Physical chassis
Logical switch 1
(Default logical switch)
(FID = 128)
Logical switch 2
(FID = 1)
Logical switch 3
(FID = 15)
Logical switch 4
(FID = 8)
Logical switch 5
(FID = 20)
FIGURE 19
Fabric IDs assigned to logical switches
Port assignment in logical switches
Initially, all ports belong to the default logical switch. When you create additional logical switches,
they are empty and you must assign ports to those logical switches. As you assign ports to a logical
switch, the ports are moved from the default logical switch to the newly created logical switch.
A given port can be in only one logical switch.
In Figure 20, the default logical switch initially has 10 ports, labeled P0 through P9. After logical
switches are created, the ports are assigned to specific logical switches. Note that ports 0, 1, 7,
and 8 have not been assigned to a logical switch and so remain assigned to the default logical
switch.
Before port assignment
After port assignment
Logical switch 1
(Default logical switch)
Logical switch 1
(Default logical switch)
P0
P2
P4
P6
P8
P1
P3
P5
P7
P9
P0
P1
P7
P8
P2
Logical switch 2
Logical switch 2
P3
P4
Logical switch 3
P9
Logical switch 3
P5
P6
Logical switch 4
FIGURE 20
278
Logical switch 4
Assigning ports to logical switches
Fabric OS Administrator’s Guide
53-1002745-02
Logical switch overview
10
A given port is always in one (and only one) logical switch. The following scenarios refer to the
chassis after port assignment in Figure 20:
• If you assign P2 to logical switch 2, you cannot assign P2 to any other logical switch.
• If you want to remove a port from a logical switch, you cannot delete it from the logical switch,
but must move it to a different logical switch. For example, if you want to remove P4 from
logical switch 3, you must assign it to a different logical switch: logical switch 2, logical
switch 4, or logical switch 1 (the default logical switch).
• If you assign a port to a logical switch, it is removed automatically from the logical switch it is
currently in. If you assign P3 to Logical switch 3, P3 is automatically removed from logical switch 2.
• If you do not assign a port to any logical switch, it remains in the default logical switch, as is the
case with ports 0, 1, 7, and 8.
Refer to “Adding and moving ports on a logical switch” on page 295 for instructions for assigning
and moving ports on logical switches.
A logical switch can have as many ports as are available in the chassis. In Figure 20, the chassis
has 10 ports. You could assign all 10 ports to a single logical switch, such as logical switch 2; if you
did this, however, no ports would be available for logical switches 3 and 4.
You can move only F_Ports and E_Ports from one logical switch to another. If you want to configure
a different type of port, such as a VE_Port or EX_Port, you must configure them after you move
them. Some types of ports cannot be moved from the default logical switch. Refer to “Supported
platforms for Virtual Fabrics” on page 286 for detailed information about these ports.
Logical switches and connected devices
You can connect devices to logical switches, as shown in Figure 21 on page 280. In logical
switch 2, P2 is an F_Port that is connected to H1. In logical switch 3, P4 is an F_Port that is
connected to D1. H1 and D1 cannot communicate with each other because they are in different
fabrics, even though they are both connected to the same physical chassis.
You can also connect other switches to logical switches. In Figure 21, P6 is an E_Port that forms an
inter-switch link (ISL) between logical switch 4 and the non-Virtual Fabrics switch. Logical switch 4
is the only logical switch that can communicate with the non-Virtual Fabrics switch and D2,
because the other logical switches are in different fabrics.
Fabric OS Administrator’s Guide
53-1002745-02
279
10
Logical switch overview
Physical chassis
Logical switch 1
P1
(Default logical switch)
Fabric ID 128
Logical switch 2
Fabric ID 1
H1
P2
P3
D1
P4
Logical switch 3
Fabric ID 15
Logical switch 4
Fabric ID 8
P5
P6
D2
ISL
Switch
FIGURE 21
Logical switches connected to devices and non-Virtual Fabrics switch
Figure 22 shows a logical representation of the physical chassis and devices in Figure 21. As
shown in Figure 22, the devices are isolated into separate fabrics.
H1
Switch 1
D1
D2
Fabric 128
Switch 4
Switch 2
Fabric 1
FIGURE 22
Switch 3
Fabric 15
Fabric 8
Logical switches in a single chassis belong to separate fabrics
For information on allowing device sharing across fabrics in a Virtual Fabrics environment, refer to
“FC-FC routing and Virtual Fabrics” on page 606.
280
Fabric OS Administrator’s Guide
53-1002745-02
Management model for logical switches
10
Management model for logical switches
You can use one common IP address for the hardware that is shared by all of the logical switches in
the chassis and you can set up individual IPv4 addresses for each Virtual Fabric. For a
management host to manage a logical switch using the Internet Protocol over Fibre Channel (IPFC)
IP address, it must be physically connected to the Virtual Fabric using a host bus adapter (HBA).
All user operations are classified into one of the following:
• Chassis management operations
These are operations that span logical switch boundaries, such as:
-
Logical switch configuration (creating, deleting, or modifying logical switches)
Account management (determining which accounts can access which logical switches)
Field-replaceable unit (FRU) management (slot commands, such as slotShow)
Firmware management (firmware upgrade, HA failover)
• Logical switch operations
These are operations that are limited to the logical switch, such as displaying or changing port
states. Logical switch operations include all operations that are not covered in the chassis
management operations.
When a user logs in, the user is assigned an active context, or active logical switch. This context
filters the view that the user gets, and determines which ports the user can see. You can change
the active context. For example, if you are working with logical switch 1, you can change the context
to logical switch 5. When you change the context to logical switch 5, you only see the ports that are
assigned to that logical switch. You do not see any of the other ports in the chassis.
The scope of logical switch operations is defined by the active context. When you are in the context
of a logical switch, you can perform port, switch, and fabric-level operations, subject to Role-Based
Access Control (RBAC) rules.
If you have permission to execute chassis-level commands, you can do so, regardless of which
logical switch context you are in.
Logical fabric overview
A logical fabric is a fabric that contains at least one logical switch. The four fabrics shown in
Figure 21 and Figure 22 are logical fabrics because they each have at least one logical switch.
You can connect logical switches to non-Virtual Fabrics switches and to other logical switches.You
connect logical switches to non-Virtual Fabrics switches using an ISL, as shown in Figure 21.
You connect logical switches to other logical switches in two ways:
• Using ISLs
• Using base switches and extended ISLs (XISLs)
Fabric OS Administrator’s Guide
53-1002745-02
281
10
Logical fabric overview
Logical fabric and ISLs
Figure 23 shows two physical chassis divided into logical switches. In Figure 23, ISLs are used to
connect the logical switches with FID 1 and the logical switches with FID 15. The logical switches
with FID 8 are each connected to a non-Virtual Fabrics switch. The two logical switches and the
non-Virtual Fabrics switch are all in the same fabric, with FID 8.
Physical chassis 2
Physical chassis 1
P1
Logical switch 1
(Default logical switch)
Fabric ID 128
P1
P2
P2
P3
P3
P4
P5
Logical switch 2
Fabric ID 1
Logical switch 3
Fabric ID 15
Logical switch 4
Fabric ID 8
P5
P6
P6
P8
Logical switch 5
(Default logical switch)
Fabric ID 128
Logical switch 6
Fabric ID 1
P4
P7
Logical switch 7
Fabric ID 15
Logical switch 8
Fabric ID 8
P9
Switch
FIGURE 23
Logical switches connected to other logical switches through physical ISLs
Figure 24 shows a logical representation of the configuration in Figure 23.
Fabric 15
Fabric 128
SW3
SW1
SW7
SW5
Fabric 8
Fabric 1
SW4
SW2
SW8
SW6
FIGURE 24
Logical switches connected to form logical fabrics
The ISLs between the logical switches are dedicated ISLs because they carry traffic only for a single
logical fabric. In Figure 23, Fabric 128 has two switches (the default logical switches), but they
cannot communicate with each other because they have no ISLs between them and they cannot
use the ISLs between the other logical switches.
NOTE
Only logical switches with the same FID can form a fabric. If you connect two logical switches with
different FIDs, the link between the switches segments.
282
Fabric OS Administrator’s Guide
53-1002745-02
Logical fabric overview
10
Base switch and extended ISLs
Another way to connect logical switches is to use extended ISLs and base switches.
When you divide a chassis into logical switches, you can designate one of the switches to be a base
switch. A base switch is a special logical switch that is used for interconnecting the physical
chassis. A base switch has the following properties:
• ISLs connected through the base switch can be used for communication among the other
logical switches.
• Base switches do not support direct device connectivity. A base switch can have only E_Ports,
VE_Ports, EX_Ports, or VEX_Ports, but no F_Ports.
• The base switch provides a common address space for communication between different
logical fabrics.
• A base switch can be configured for the preferred domain ID just like a non-Virtual Fabrics
switch.
• You can have only one base switch in a physical chassis.
A base switch can be connected to other base switches through a special ISL, called a shared ISL
or extended ISL (XISL). An extended ISL connects base switches. The XISL is used to share traffic
among different logical fabrics.
Fabric formation across an XISL is based on the FIDs of the logical switches.
Figure 25 shows two physical chassis divided into logical switches. Each chassis has one base
switch. An ISL connects the two base switches. This ISL is an extended ISL (XISL) because it
connects base switches.
Physical chassis 1
Physical chassis 2
P1
Logical switch 1
(Default logical switch)
Fabric ID 128
P1
P2
P2
Logical switch 2
Fabric ID 1
Logical switch 5
(Default logical switch)
Fabric ID 128
Logical switch 6
Fabric ID 1
P4
P7
Logical switch 3
Fabric ID 15
P6
P5
XISL
Base switch
Fabric ID 8
FIGURE 25
P6
P8
Logical switch 7
Fabric ID 15
Base switch
Fabric ID 8
P9
Base switches connected by an XISL
Traffic between the logical switches can now flow across this XISL. The traffic can flow only
between logical switches with the same fabric ID. For example, traffic can flow between logical
switch 2 in chassis 1 and logical switch 6 in chassis 2, because they both have FID 1. Traffic cannot
flow between logical switch 2 and logical switch 7, because they have different fabric IDs (and are
thus in different fabrics).
Fabric OS Administrator’s Guide
53-1002745-02
283
10
Logical fabric overview
Think of the logical switches as being connected with logical ISLs, as shown in Figure 26. In this
diagram, the logical ISLs are not connected to ports because they are not physical cables. They are
a logical representation of the switch connections that are allowed by the XISL.
FIGURE 26
Logical ISLs connecting logical switches
To use the XISL, the logical switches must be configured to allow XISL use. By default, they are
configured to do so; you can change this setting, however, using the procedure described in
“Configuring a logical switch to use XISLs” on page 299.
NOTE
It is a good practice to configure at least two XISLs, for redundancy.
You can also connect logical switches using a combination of ISLs and XISLs, as shown in
Figure 27. In this diagram, traffic between the logical switches in FID 1 can travel over either the
ISL or the XISL. Traffic between the other logical switches travels only over the XISL.
FIGURE 27
284
Logical fabric using ISLs and XISLs
Fabric OS Administrator’s Guide
53-1002745-02
Logical fabric overview
10
By default, the physical ISL path is favored over the logical path (over the XISL) because the
physical path has a lower cost. This behavior can be changed by configuring the cost of the
dedicated physical ISL to match the cost of the logical ISL.
ATTENTION
If you disable a base switch, all of the logical ISLs are broken and the logical switches cannot
communicate with each other unless they are connected by a physical ISL.
Base fabric
Base switch ports on different chassis can be connected together to form a fabric, called a base
fabric. Similar to other logical switches, the base switches must have the same FID to be
connected. If the base switches have different FIDs, the link between the switches is disabled.
The base fabric follows normal routing policies. As long as physical connectivity is available, the
base fabric maintains connectivity for the logical fabrics.
Logical ports
As shown in Figure 27, logical ISLs are formed to connect logical switches. A logical port represents
the ports at each end of a logical ISL. A logical port is a software construct only and does not
correspond to any physical port.
Most port commands are not supported on logical ports. For example, you cannot change the state
or configuration of a logical port.
The World Wide Name (WWN) for logical ports is in NAA=5 format, using the following syntax:
5n:nn:nn:nz:zz:zz:zx:xx
The NAA=5 syntax uses the following variables:
• nnnnnn is the Brocade Organizationally Unique Identifier (OUI).
• zzzzzz is the logical fabric serial number.
• xxx is the logical port number, in the range 0 through FFF.
Logical fabric formation
Fabric formation is not based on connectivity, but on the FIDs of the logical switches. The basic
order of fabric formation is as follows:
1. Base fabric forms.
2. Logical fabrics form when the base fabric is stable.
3. Traffic is initiated between the logical switches.
4. Devices begin recognizing one another.
Fabric OS Administrator’s Guide
53-1002745-02
285
10
Account management and Virtual Fabrics
Account management and Virtual Fabrics
When user accounts are created, they are assigned a list of logical fabrics to which they can log in and
a home logical fabric (home FID). When you connect to a physical chassis, the home FID defines the
logical switch to which you are logged in by default. You can change to a different logical switch
context, as described in “Changing the context to a different logical fabric” on page 299.
When you are logged in to a logical switch, the system prompt changes to display the FID of that
switch. The following are example prompts for when you are logged in to the default logical switch
(FID = 128) and a user-defined logical switch (FID = 15):
switch:FID128:admin>
switch:FID15:admin>
Refer to Chapter 5, “Managing User Accounts,” for information about creating user accounts and
assigning FIDs to user accounts.
Supported platforms for Virtual Fabrics
The following platforms are Virtual Fabrics-capable:
•
•
•
•
•
•
•
•
•
Brocade 5100
Brocade 5300
Brocade 6510
Brocade 6520
Brocade 7800
Brocade VA-40FC, in Native mode only
Brocade DCX
Brocade DCX-4S
Brocade DCX 8510 family
Some restrictions apply to the ports, depending on the port type and blade type. The following
sections explain these restrictions.
Supported port configurations in the fixed-port switches
There are no restrictions on the ports in the Brocade 5100, 5300, 6510, 6520, and VA-40FC;
however, the following rules apply:
• Any port can belong to any logical switch (including the base switch and default logical switch),
with the exception that F_Ports cannot belong to the base switch.
• The default logical switch can use XISLs, except on Brocade DCX or DCX-4S devices.
• The default logical switch can also be a base switch.
Restrictions on fixed-port switches
Brocade 7800— Although it can be divided into four logical switches, you cannot use an XISL on
this switch because a base switch is not supported on this device.
286
Fabric OS Administrator’s Guide
53-1002745-02
Supported platforms for Virtual Fabrics
10
Supported port configurations in Brocade Backbones
Some of the ports in the Brocade DCX and DCX 8510 Backbone families are not supported on all
types of logical switches. Table 50 lists the blades and ports that are supported on each type of
logical switch.
TABLE 50
Blade and port types supported on logical switches
Blade type
Default logical switch
User-defined logical switch
Base switch
FC8-16
FC8-32
FC8-32E
FC8-48
FC8-48E
FC16-32
FC16-48
Yes (F, E)
Yes (F, E)
Yes (E, EX)
FC8-64
Yes (F, E)1
Yes (F, E)
Yes (E, EX)2
FS8-18
Yes (F, E)
No
No
FCOE10-24
Yes (F, E)
No
No
FX8-24: FC ports
GE ports
Yes (F, E)
Yes (VE)
Yes (F, E,)
Yes (VE)
Yes (E, EX)
Yes (VE, VEX)
ICL ports
Yes
Yes
Yes
1.
In the Brocade DCX and DCX 8510-8, ports 56–63 of the FC8-64 blade are not supported as E_Ports on the
default logical switch. The Brocade DCX-4S and DCX 8510-4 do not have this limitation.
2.
In the Brocade DCX and DCX 8510-8, ports 48–63 of the FC8-64 blade are not supported in the base switch.
The Brocade DCX-4S and DCX 8510-4 do not have this limitation.
Restrictions on Brocade Backbones
The following restrictions apply to Brocade Backbones:
• EX_Ports and VEX_Ports can be in only the base switch.
• ICL ports cannot be in a logical switch that is using XISLs.
• All of the user ports in an ICL cable must be in the same logical switch. Distributing the user
ports within the same cable across multiple logical switches is not supported.
• The default logical switch cannot use XISLs.
• The default logical switch cannot be designated as the base switch.
• In Fabric OS v7.0.0 and later, VE_Ports on the FX8-24 blade are supported on a logical switch
that is using an XISL, and on the base switch as an XISL.
NOTE
For the FX8-24 blade, if XISL use is enabled it is not recommended that you configure VE_Ports
on both the logical switch and the base switch, because FCIP tunnels support only two hops
maximum.
Fabric OS Administrator’s Guide
53-1002745-02
287
10
Limitations and restrictions of Virtual Fabrics
Virtual Fabrics interaction with other Fabric OS features
Table 51 lists some Fabric OS features and considerations that apply when using Virtual Fabrics.
TABLE 51
Virtual Fabrics interaction with Fabric OS features
Fabric OS feature
Virtual Fabrics interaction
Access Gateway
Virtual Fabrics is not supported on a switch if AG mode is enabled.
Admin Domains
Virtual Fabrics and Admin Domains are mutually exclusive and are not supported at the
same time on a switch. To use Admin Domains, you must first disable Virtual Fabrics; to
use Virtual Fabrics, you must first delete all Admin Domains.
Refer to “Deleting all user-defined Admin Domains non-disruptively” on page 450 for
information on deleting Admin Domains without disrupting device-to-device
communication.
Configuration upload
and download
Virtual Fabrics uses a configuration file that is different from the configuration file used
to download system configuration parameters. Refer to Chapter 8, “Maintaining the
Switch Configuration File,” for more information about how Virtual Fabrics affects the
configuration file.
Encryption
Encryption functionality using the FS8-18 blade is available only on the default logical
switch.
FC-FC Routing Service
All EX_Ports must reside in a base switch.
You cannot attach EX_Ports to a logical switch that has XISL use enabled. You must use
ISLs to connect the logical switches in an edge fabric.
Refer to Chapter 24, “Using FC-FC Routing to Connect Fabrics,” for more information
about Virtual Fabrics and FC-FC routing.
FICON
Up to two logical switches per chassis can run FICON Management Server (CUP), but the
FICON logical switch can use both ISLs and XISLs.
Licensing
Licenses are applicable for all logical switches in a chassis.
Performance
monitoring
Performance monitors are supported in a limited number of logical switches, depending
on the platform type. Refer to Chapter 20, “Monitoring Fabric Performance,” for more
information about performance monitoring when Virtual Fabrics is enabled.
QoS
QoS VCs are maintained across the base fabric. Refer to Chapter 21, “Optimizing Fabric
Behavior,” for more information about using the Adaptive Networking features with
Virtual Fabrics.
Traffic Isolation
Traffic Isolation zones with failover disabled are not supported in logical fabrics. Refer to
Chapter 21, “Optimizing Fabric Behavior,” for additional information about using TI Zones
with Virtual Fabrics.
Limitations and restrictions of Virtual Fabrics
The maximum number of logical switches per chassis varies depending on the switch model.
Table 52 lists the supported platforms and the maximum number of logical switches (including the
default logical switch) supported on each.
TABLE 52
288
Maximum number of logical switches per chassis
Platform
Maximum number of logical switches
Brocade DCX
8
Brocade DCX-4S
8
Fabric OS Administrator’s Guide
53-1002745-02
Limitations and restrictions of Virtual Fabrics
TABLE 52
10
Maximum number of logical switches per chassis (Continued)
Platform
Maximum number of logical switches
Brocade DCX 8510 family
8
Brocade 5300
4
Brocade 5100
3
Brocade 6510
4
Brocade 6520
4
Brocade 7800
4
Brocade VA-40FC
3
Refer to “Supported port configurations in Brocade Backbones” on page 287 for restrictions on the
default logical switch.
Restrictions on XISLs
The Allow XISL Use option under the configure command, allows a logical switch to use XISLs in the
base switch as well as any standard ISLs that are connected to that logical switch. To allow or
disallow XISL use for a logical switch, see “Configuring a logical switch to use XISLs” on page 299.
The following restrictions apply to XISL use. XISL use is not permitted in any of the following
scenarios:
• The logical switch has ICL ports.
• The logical switch is the default logical switch in the Brocade DCX, DCX-4S, or DCX 8510 family.
• The logical switch is a base switch.
• The logical switch is an edge switch for an FC router.
In this case, if the logical switch is enabled, you cannot allow XISL use. If the logical switch is
disabled or has not yet joined the edge fabric, you can allow XISL use; however, fabric
segmentation occurs when the logical switch is enabled or is connected to an edge fabric.
NOTE
Using XISL and fmsmode at the same time is permitted, but this combination will only work in a
one-hop topology.
Restrictions on moving ports
The following are restrictions on moving ports among logical switches:
• FC ports cannot be moved if any one of the following features is enabled:
- Long distance
- QoS
- F_Port buffers
- F_Port trunking
• Before moving VE_Ports, you must remove the VE_Port tunnel configuration.
• VE_Ports on the FX8-24 blade can be moved to any logical switch independent of the location
of the physical GE port.
Fabric OS Administrator’s Guide
53-1002745-02
289
10
Enabling Virtual Fabrics mode
Enabling Virtual Fabrics mode
A fabric is said to be in Virtual Fabrics mode (VF mode) when the Virtual Fabrics feature is enabled.
Before you can use the Virtual Fabrics features, such as logical switch and logical fabric, you must
enable VF mode.
VF mode is enabled by default.
NOTE
When you enable VF mode, the control processors (CPs) are rebooted and all EX_Ports are disabled
after the reboot.
Use the following procedure to enable Virtual Fabrics mode:
1. Connect to the physical chassis and log in using an account with the chassis-role permission.
2. Use the fosConfig command to check whether VF mode is enabled:
fosconfig --show
3. Delete all Admin Domains, as described in “Deleting all user-defined Admin Domains
non-disruptively” on page 450.
4. Use the fosConfig command to enable VF mode:
fosconfig --enable vf
5. Enter y at the prompt.
Example
The following example checks whether VF mode is enabled or disabled and then enables it.
switch:admin> fosconfig --show
FC Routing service:
iSCSI service:
iSNS client service:
Virtual Fabric:
Ethernet Switch Service:
disabled
Service not supported on this Platform
Service not supported on this Platform
disabled
Service not supported on this Platform
switch:admin> fosconfig --enable vf
WARNING: This is a disruptive operation that requires a reboot to take
effect.
All EX ports will be disabled upon reboot.
Would you like to continue [Y/N] y
VF has been enabled. Your system is being rebooted.
Disabling Virtual Fabrics mode
When you disable VF mode, the following occurs:
• The CPs are rebooted.
• If F_Port trunking is enabled on ports in the default switch, the F_Port trunking information is
deleted.
ATTENTION
If you want to use Admin Domains in a fabric, you must first disable VF mode.
290
Fabric OS Administrator’s Guide
53-1002745-02
Configuring logical switches to use basic configuration values
10
Use the following procedure to disable Virtual Fabrics mode:
1. Connect to the physical chassis and log in using an account with the chassis-role permission.
2. Use the fosConfig command to check whether VF mode is disabled:
fosconfig --show
3. Move all ports to the default logical switch.
lscfg --config 128 -slot slot -port port
4. Delete all of the non-default logical switches.
lscfg --delete fabricID
5. Use the fosConfig command to disable VF mode:
fosconfig --disable vf
6. Enter y at the prompt.
Example
The following example checks whether VF mode is enabled or disabled and then disables it.
switchA:FID128:admin> fosconfig
FC Routing service:
iSCSI service:
iSNS client service:
Virtual Fabric:
Ethernet Switch Service
--show
disabled
Service not supported on this Platform
Service not supported on this Platform
enabled
Service not supported on this Platform
switch:admin> fosconfig --disable vf
WARNING: This is a disruptive operation that requires a reboot to take
effect.
Would you like to continue [Y/N] y
Configuring logical switches to use basic configuration values
All switches in the fabric are configured to use the same basic configuration values. When you
create logical switches, the logical switches might have different configuration values than the
default logical switch. Use the following procedure to ensure that newly created logical switches
have the same basic configuration values as the default logical switch.
NOTE
For most users, you do not need to run this procedure. Contact your switch service provider to
determine if you need to use this procedure.
You need to run this procedure only once on each chassis, after you enable Virtual Fabrics but
before you create logical switches. The configuration settings are then preserved across reboots
and firmware upgrades and downgrades.
Use the following procedure to configure logical switches to use basic configuration values:
1. Connect to the physical chassis and log in using an account with the chassis-role permission.
2. Enter the configureChassis command to ensure that newly created logical switches have the
same basic configuration values as the default logical switch:
configurechassis
Fabric OS Administrator’s Guide
53-1002745-02
291
10
Creating a logical switch or base switch
3. Enter n at the prompts to configure system and cfgload attributes. Enter y at the prompt to
configure custom attributes.
System (yes, y, no, n): [no] n
cfgload attributes (yes, y, no, n): [no] n
Custom attributes (yes, y, no, n): [no] y
4. Enter the appropriate value at the Config Index prompt. Contact your switch service provider to
determine the appropriate value.
Config Index (0 to ignore): (0..1000) [3]:
Creating a logical switch or base switch
When the logical switch is created, it is automatically enabled and is empty—that is, it does not
have any ports. After creating the logical switch, you must disable the switch to configure it and set
the domain ID. You then assign ports to the logical switch.
Optionally, you can define the logical switch to be a base switch. Each chassis can have only one
base switch.
NOTE
Domain ID conflicts are detected before fabric ID conflicts. If you have both a domain ID conflict and
a fabric ID conflict, only the domain ID conflict is reported.
Use the following procedure to create a logical switch or a base switch:
1. Connect to the physical chassis and log in using an account with the chassis-role permission.
2. Enter the lsCfg command to create a logical switch:
lscfg --create fabricID [ -base ] [ -force ]
In the command syntax, fabricID is the fabric ID that is to be associated with the logical switch.
Specify the -base option if the logical switch is to be a base switch.
Specify the -force option to execute the command without any user prompts or confirmation.
3. Set the context to the new logical switch.
setcontext fabricID (or switchname)
The fabricID parameter is the FID of the logical switch you just created. The switchname
parameter is the name assigned to the logical switch.
You can only use one parameter at a time.
4. Disable the logical switch.
switchdisable
5. Configure the switch attributes, including assigning a unique domain ID.
configure
6. Enable the logical switch.
switchenable
7.
292
Assign ports to the logical switch, as described in “Adding and moving ports on a logical
switch” on page 295.
Fabric OS Administrator’s Guide
53-1002745-02
Executing a command in a different logical switch context
10
Example
The following example creates a logical switch with FID 4, and then assigns domain ID 14 to it.
sw0:FID128:admin> lscfg --create 4
About to create switch with fid=4. Please wait...
Logical Switch with FID (4) has been successfully created.
Logical Switch has been created with default configurations.
Please configure the Logical Switch with appropriate switch
and protocol settings before activating the Logical Switch.
sw0:FID128:admin> setcontext 4
switch_4:FID4:admin> switchdisable
switch_4:FID4:admin> configure
Configure...
Fabric parameters (yes, y, no, n): [no] yes
Domain: (1..239) [1] 100
Select Addressing Mode:
(1 = Zero Based Area Assignment,
2 = Port Based Area Assignment): (1..2) [2] 2
WWN Based persistent PID (yes, y, no, n): [no]
(output truncated)
WARNING: The domain ID will be changed. The port level zoning may be affected
switch_4:FID4:admin> switchenable
Executing a command in a different logical switch context
This procedure describes how to execute a command for a logical switch while you are in the
context of a different logical switch. You can also execute a command for all the logical switches in
a chassis.
The command is not executed on those logical switches for which you do not have permission.
Use the following procedure to execute a command in a different logical switch context:
1. Connect to the physical chassis and log in using an account with the chassis-role permission.
2. Enter one of the following commands:
• To execute a command in a different logical switch context:
fosexec --fid fabricID -cmd "command"
• To execute the command on all logical switches:
fosexec --fid all -cmd "command"
Example 1: Executing the switchShow command in a different logical switch context
sw0:FID128:admin> fosexec --fid 4 -cmd "switchshow"
--------------------------------------------------"switchshow" on FID 4:
switchName:
switchType:
switchState:
Fabric OS Administrator’s Guide
53-1002745-02
switch_4
66.1
Online
293
10
Deleting a logical switch
switchMode:
switchRole:
switchDomain:
switchId:
switchWwn:
zoning:
switchBeacon:
FC Router:
Fabric Name:
Allow XISL Use:
LS Attributes:
Native
Principal
14
fffc0e
10:00:00:05:1e:82:3c:2b
OFF
OFF
OFF
Fab4
ON
[FID: 4, Base Switch: No, Default Switch: No, Address Mode 0]
Index Port Address Media Speed State
Proto
==============================================
22 22
0e1600
-N8
No_Module
FC Disabled
23 23
0e1700
-N8
No_Module
FC Disabled
Example 2: Executing the fabricShow command on all logical switches
sw0:FID128:admin> fosexec --fid all -cmd "fabricshow"
--------------------------------------------------"fabricshow" on FID 128:
Switch ID
Worldwide Name
Enet IP Addr
FC IP Addr
Name
------------------------------------------------------------------------97: fffc61 10:00:00:05:1e:82:3c:2a 10.32.79.105
0.0.0.0
>"sw0"
--------------------------------------------------"fabricshow" on FID 4:
Switch ID
Worldwide Name
Enet IP Addr
FC IP Addr
Name
------------------------------------------------------------------------14: fffc0e 10:00:00:05:1e:82:3c:2b 10.32.79.105
0.0.0.0
>"switch_4"
(output truncated)
Deleting a logical switch
The following rules apply to deleting a logical switch:
• You must remove all ports from the logical switch before deleting it.
• You cannot delete the default logical switch.
NOTE
If you are in the context of the logical switch you want to delete, you are automatically logged out
when the fabric ID changes. To avoid being logged out, make sure you are in the context of a different
logical switch from the one you are deleting.
Use the following procedure to delete a logical switch:
1. Connect to the physical chassis and log in using an account with admin permissions.
2. Remove all ports from the logical switch as described in “Adding and moving ports on a logical
switch.”
3. Enter the lsCfg command to delete the logical switch:
lscfg --delete fabricID
The fabricID parameter is the fabric ID of the logical switch to be deleted.
294
Fabric OS Administrator’s Guide
53-1002745-02
Adding and moving ports on a logical switch
10
Example of deleting the logical switch with FID 7
switch_4:FID4:admin> lscfg --delete 7
All active login sessions for FID 7 have been terminated.
Switch successfully deleted.
Adding and moving ports on a logical switch
This procedure explains how to add and move ports on logical switches.
You add ports to a logical switch by moving the ports from one logical switch to another. See
“Supported platforms for Virtual Fabrics” on page 286 for port restrictions.
If you want to remove a port from a logical switch, you cannot remove it from the logical switch; you
must move the port to a different logical switch.
When you move a port from one logical switch to another, the port is automatically disabled. Any
performance monitors that were installed on the port are deleted. If monitors are required on the
port in its new location, you must manually reinstall them on the port after the move.
Notes
• If the logical switch to which the port is moved has fabric mode Top Talkers enabled, then if the
port is an E_Port, fabric mode Top Talker monitors are automatically installed on that port.
• If you are deploying ICLs in the base switch, all ports associated with those ICLs must be
assigned to the base switch. If you are deploying ICLs to connect to default switches (that is,
XISL use is not allowed), the ICL ports should be assigned (or left) in the default logical switch.
Use the following procedure to add or move ports on a logical switch:
1. Connect to the physical chassis and log in using an account with the chassis-role permission.
2. Enter the lsCfg command to move ports from one logical switch to another:
lscfg --config fabricID -slot slot -port port
The ports are assigned to the logical switch specified by fabricID and are removed from the
logical switch on which they are currently configured.
If the -port option is omitted, all ports on the specified slot are assigned to the logical switch.
NOTE
On the Brocade DCX and DCX 8510-8, the lscfg command does not allow you to add ports 48–
63 of the FC8-64 blade to the base switch. These ports are not supported on the base switch.
The Brocade DCX-4S and DCX 8510-4 do not have this limitation.
3. Enter y at the prompt.
The ports are automatically disabled, then removed from their current logical switch, and
assigned to the logical switch specified by fabricID.
Example of assigning ports 18 through 20 to the logical switch with FID 5
sw0:FID128:admin> lscfg --config 5 -port 18-20
This operation requires that the affected ports be disabled.
Would you like to continue [y/n]?: y
Making this configuration change. Please wait...
Configuration change successful.
Please enable your ports/switch when you are ready to continue.
Fabric OS Administrator’s Guide
53-1002745-02
295
10
Displaying logical switch configuration
Displaying logical switch configuration
Use the following procedure to display the configuration for a logical switch:
1. Connect to the physical chassis and log in using an account with the chassis-role permission.
2. Enter the lsCfg command to display a list of all logical switches and the ports assigned to them:
lscfg --show [ -provision ]
If the -provision option is specified, all ports on all slots are displayed, regardless of the slot
status.
Example displaying a list of all of the logical switches and the ports assigned to them
sw0:FID128:admin> lscfg --show
Created switches:
128(ds)
4
5
Port
0
1
2
3
4
5
6
7
8
9
------------------------------------------------------------------FID
128 | 128 | 128 | 128 | 128 | 128 | 128 | 128 |
5 |
5 |
(output truncated)
Changing the fabric ID of a logical switch
The following procedure describes how you can change the fabric ID of an existing logical switch.
The fabric ID indicates in which fabric the logical switch participates. By changing the fabric ID, you
are moving the logical switch from one fabric to another.
Changing the fabric ID requires permission for chassis management operations. You cannot
change the FID of your own logical switch context.
NOTE
If you are in the context of the logical switch with the fabric ID you want to change, you are
automatically logged out when the fabric ID changes. To avoid being logged out, make sure you are
in the context of a different logical switch from the one with the fabric ID you are changing.
Use the following procedure to change the fabric ID of a logical switch:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the lsCfg command to change the fabric ID of a logical switch:
lscfg --change fabricID -newfid newFID
3. Enter y at the prompt.
4. Enable the logical switch.
fosexec --fid newFID -cmd "switchenable"
Example of changing the fabric ID on the logical switch from 5 to 7
sw0:FID128:admin> lscfg --change 5 -newfid 7
Changing of a switch fid requires that the switch be disabled.
Would you like to continue [y/n]?: y
Disabling switch...
All active login sessions for FID 5 have been terminated.
296
Fabric OS Administrator’s Guide
53-1002745-02
Changing a logical switch to a base switch
10
Checking and logging message: fid = 5.
Please enable your switch.
sw0:FID128:admin> fosexec --fid 7 -cmd "switchenable"
--------------------------------------------------"switchenable" on FID 7:
Changing a logical switch to a base switch
Use the following procedure to change a logical switch to a base switch.
1. Connect to the switch and log in using an account with the chassis-role permission.
2. Set the context to the logical switch you want to change, if you are not already in that context.
setcontext fabricID (or switchname)
The fabricID parameter is the FID of the logical switch you want to change to a base switch.
The switchname parameter is the name assigned to the logical switch.
You can only use one parameter at a time.
3. Configure the switch to not allow XISL use, as described in “Configuring a logical switch to use
XISLs” on page 299.
4. Enter the lsCfg command to change the logical switch to a base switch:
lscfg --change fabricID -base
The fabricID parameter is the fabric ID of the logical switch with the attributes you want to
change.
5. Enable the switch.
switchenable
Example of changing the logical switch with FID 7 to a base switch
sw0:FID128:admin> setcontext 7
switch_25:FID7:admin> switchshow
switchName:
switch_25
switchType:
66.1
switchState:
Online
switchMode:
Native
switchRole:
Principal
switchDomain:
30
switchId:
fffc1e
switchWwn:
10:00:00:05:1e:82:3c:2c
zoning:
OFF
switchBeacon:
OFF
FC Router:
OFF
Fabric Name:
MktFab7
Allow XISL Use: ON
LS Attributes: [FID: 7, Base Switch: No, Default Switch: No, Address Mode 0]
(output truncated)
switch_25:FID7:admin> configure
Not all options will be available on an enabled switch.
To disable the switch, use the "switchDisable" command.
Fabric OS Administrator’s Guide
53-1002745-02
297
10
Setting up IP addresses for a Virtual Fabric
Configure...
Fabric parameters (yes, y, no, n): [no] y
WWN Based persistent PID (yes, y, no, n): [no]
Allow XISL Use (yes, y, no, n): [yes] n
WARNING!! Disabling this parameter will cause removal of LISLs to
other logical switches. Do you want to continue? (yes, y, no, n): [no] y
System services (yes, y, no, n): [no]
switch_25:FID7:admin> lscfg --change 7 -base
Creation of a base switch requires that the proposed new base switch on this
system be disabled.
Would you like to continue [y/n]?: y
Disabling the proposed new base switch...
Disabling switch fid 7
Please enable your switches when ready.
switch_25:FID7:admin> switchenable
Setting up IP addresses for a Virtual Fabric
NOTE
IPv6 is not supported when setting the IPFC interface for Virtual Fabrics.
Use the following procedure to set up IP addresses for a Virtual Fabric:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the ipAddrSet -ls command. For the --add parameter, specify the network information in
dotted-decimal notation for the Ethernet IPv4 address with a Classless Inter-Domain Routing
(CIDR) prefix.
The following example sets an IP address for a logical switch in a Virtual Fabric with an FID of
123 in non-interactive mode with the CIDR prefix:
switch:admin> ipaddrset -ls 123 --add 11.1.2.4/24
Removing an IP address for a Virtual Fabric
Use the following procedure to delete an IP address for a Virtual Fabric:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the ipAddrSet -ls FID - -delete command.
switch:admin> ipaddrset -ls 123 –delete
298
Fabric OS Administrator’s Guide
53-1002745-02
Configuring a logical switch to use XISLs
10
Configuring a logical switch to use XISLs
When you create a logical switch, it is configured to use XISLs by default. Use the following
procedure to allow or disallow the logical switch to use XISLs in the base fabric.
XISL use is not supported in some cases. See “Limitations and restrictions of Virtual Fabrics” on
page 288 for restrictions on XISL use.
Use the following procedure to configure a logical switch to use XISLs:
1. Connect to the physical chassis and log in using an account with the chassis-role permission.
2. Use the setContext command to set the context to the logical switch you want to manage, if you
are not already in that context.
setcontext fabricID (or switchname)
The fabricID parameter is the FID of the logical switch you want to switch to and manage.
The switchname parameter is the name assigned to the logical switch.
You can only use one parameter at a time.
3. Use the switchShow command and check the value of the Allow XISL Use parameter.
4. Enter the configure command:
configure
5. Enter y after the Fabric Parameters prompt:
Fabric parameters (yes, y, no, n): [no] y
6. Enter y at the Allow XISL Use prompt to allow XISL use; enter n at the prompt to disallow XISL
use:
Allow XISL Use (yes, y, no, n): y
7.
Respond to the remaining prompts or press Ctrl-d to accept the other settings and exit.
Changing the context to a different logical fabric
You can change the context to a different logical fabric. Your user account must have permission to
access the logical fabric.
Use the following procedure to change the context to a different logical fabric:
1. Connect to the physical chassis and log in using an account with the chassis-role permission.
2. Use the setContext command to switch to a different logical switch in the chassis:
setcontext fabricID (or switchname)
The fabricID parameter is the FID of the logical switch you want to switch to and manage.
The switchname parameter is the name assigned to the logical switch.
You can only use one parameter at a time.
The fabricID parameter is the fabric ID of the logical switch you want to switch to and manage.
Example of changing the context from FID 128 to FID 4
In this example, notice that the prompt changes when you change to a different logical fabric.
sw0:FID128:admin> setcontext 4
switch_4:FID4:admin>
Fabric OS Administrator’s Guide
53-1002745-02
299
10
Creating a logical fabric using XISLs
Creating a logical fabric using XISLs
This procedure describes how to create a logical fabric using multiple chassis and XISLs and refers
to the configuration shown in Figure 28 as an example.
FIGURE 28
Example of logical fabrics in multiple chassis and XISLs
Use the following procedure to create a logical fabric using XISLs:
1. Set up the base switches in each chassis:
a.
Connect to the physical chassis and log in using an account with the chassis-role
permission.
b.
Enable the Virtual Fabrics feature, if it is not already enabled. See “Enabling
Virtual Fabrics mode” on page 290 for instructions.
Enabling Virtual Fabrics automatically creates the default logical switch, with FID 128. All
ports in the chassis are assigned to the default logical switch.
c.
Create a base switch and assign it a fabric ID that will become the FID of the base fabric.
See “Creating a logical switch or base switch” on page 292 for instructions on creating a
base switch.
For the example shown in Figure 28, you would create a base switch with fabric ID 8.
d.
Assign ports to the base switch, as described in “Adding and moving ports on a logical
switch” on page 295.
e.
Repeat step a through step d in all chassis that are to participate in the logical fabric.
2. Physically connect ports in the base switches to form XISLs.
3. Enable all of the base switches. This forms the base fabric.
300
Fabric OS Administrator’s Guide
53-1002745-02
Creating a logical fabric using XISLs
10
4. Configure the logical switches in each chassis:
a.
Connect to the physical chassis and log in using an account with the chassis-role
permission.
b.
Create a logical switch and assign it a fabric ID for the logical fabric. This FID must be
different from the FID in the base fabric. See “Creating a logical switch or base switch” on
page 292 for instructions.
For the example shown in Figure 28, you would create a logical switch with FID 1 and a
logical switch with FID 15.
c.
Assign ports to the logical switch, as described in “Adding and moving ports on a logical
switch” on page 295.
d.
Physically connect devices and ISLs to these ports on the logical switch.
e.
(Optional) Configure the logical switch to use XISLs, if it is not already XISL-capable. See
“Configuring a logical switch to use XISLs” on page 299 for instructions.
By default, newly created logical switches are configured to allow XISL use.
f.
Repeat step a through step e in all chassis that are to participate in the logical fabric,
using the same fabric ID whenever two switches need to be part of a single logical fabric.
5. Enable all logical switches by entering the switchEnable command on each logical switch that
you created in step 4 (the base switches are already enabled).
The logical fabric is formed.
The fabricShow command displays all logical switches configured with the same fabric ID as the
local switch and all non-Virtual Fabrics switches connected through ISLs to these logical switches.
The switchShow command displays logical ports as E_Ports, with -1 for the slot and the user port
number for the slot port.
Fabric OS Administrator’s Guide
53-1002745-02
301
10
302
Creating a logical fabric using XISLs
Fabric OS Administrator’s Guide
53-1002745-02
Chapter
11
Administering Advanced Zoning
In this chapter
• Zone types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Zoning overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Broadcast zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Zone aliases. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Zone creation and maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Default zoning mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Zone database size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Zone configurations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Zone object maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Zone configuration management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Security and zoning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Zone merging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Concurrent zone transactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
303
304
310
312
316
326
327
328
333
336
336
336
342
Zone types
Zones enable you to partition your fabric into logical groups of devices that can access each other.
These are “regular” or “standard” zones. Unless otherwise specified, all references to zones in this
chapter refer to these regular zones. Beyond this, Fabric OS has the following types of special zones:
• Broadcast zones
Control which devices receive broadcast frames. A broadcast zone restricts broadcast packets
to only those devices that are members of the broadcast zone. See “Broadcast zones” on
page 310 for more information.
• Frame redirection zones
Re-route frames between an initiator and target through a Virtual Initiator and Virtual Target for
special processing or functionality, such as for storage virtualization or encryption. See “Frame
Redirection” on page 130 for more information.
• LSAN zones
Provide device connectivity between fabrics without merging the fabrics. See “LSAN zone
configuration” on page 590 for more information.
Fabric OS Administrator’s Guide
53-1002745-02
303
11
Zoning overview
• QoS zones
Assign high or low priority to designated traffic flows. QoS zones are regular zones with
additional QoS attributes specified by adding a QOS prefix to the zone name. See “QoS:
SID/DID traffic prioritization” on page 519 for more information.
• Traffic Isolation zones (TI zones)
Isolate inter-switch traffic to a specific, dedicated path through the fabric. See Chapter 12,
“Traffic Isolation Zoning,” for more information.
Zoning overview
Zoning is a fabric-based service that enables you to partition your storage area network (SAN) into
logical groups of devices that can access each other.
For example, you can partition your SAN into two zones, winzone and unixzone, so that your
Windows servers and storage do not interact with your UNIX servers and storage. You can use
zones to logically consolidate equipment for efficiency or to facilitate time-sensitive functions; for
example, you can create a temporary zone to back up nonmember devices.
A device in a zone can communicate only with other devices connected to the fabric within the
same zone. A device not included in the zone is not available to members of that zone. When
zoning is enabled, devices that are not included in any zone configuration are inaccessible to all
other devices in the fabric.
Zones can be configured dynamically. They can vary in size, depending on the number of
fabric-connected devices, and devices can belong to more than one zone.
Consider Figure 29 on page 305, which shows configured zones, Red, Green, and Blue.
•
•
•
•
Server 1 can communicate only with the Storage 1 device.
Server 2 can communicate only with the RAID and Storage 2 devices.
Server 3 can communicate with the RAID and Storage 1 devices.
The Storage 3 is not assigned to a zone; no other zoned fabric device can access it.
NOTE
When using a mixed fabric—that is, a fabric containing two or more switches running different
release levels of fabric operating systems—you should use the switch with the highest Fabric OS
level to perform zoning tasks.
To list the commands associated with zoning, use the zoneHelp command. For detailed information
on the zoning commands used in the procedures, see the Fabric OS Command Reference.
304
Fabric OS Administrator’s Guide
53-1002745-02
Zoning overview
11
Blue Zone
Server 2
Server 1
Storage 2
Red Zone
Storage 1
RAID
Green Zone
Storage 3
FIGURE 29
Server 3
Zoning example
Approaches to zoning
Table 53 lists the various approaches you can take when implementing zoning in a fabric.
TABLE 53
Approaches to fabric-based zoning
Zoning approach
Description
Recommended approach
Single HBA
Fabric OS Administrator’s Guide
53-1002745-02
Zoning by single HBA most closely re-creates the original SCSI bus. Each zone created has only
one HBA (initiator) in the zone; each of the target devices is added to the zone. Typically, a zone
is created for the HBA and the disk storage ports are added. If the HBA also accesses tape
devices, a second zone is created with the HBA and associated tape devices in it. In the case of
clustered systems, it could be appropriate to have an HBA from each of the cluster members
included in the zone; this is equivalent to having a shared SCSI bus between the cluster
members and assumes that the clustering software can manage access to the shared devices.
In a large fabric, zoning by single HBA requires the creation of possibly hundreds of zones;
however, each zone contains only a few members. Zone changes affect the smallest possible
number of devices, minimizing the impact of an incorrect zone change. This zoning philosophy
is the preferred method.
305
11
Zoning overview
TABLE 53
Approaches to fabric-based zoning (Continued)
Zoning approach
Description
Alternative approaches
Application
Zoning by application typically requires zoning multiple, perhaps incompatible, operating
systems into the same zones. This method of zoning creates the possibility that a minor server
in the application suite could disrupt a major server (such as a Web server disrupting a data
warehouse server). Zoning by application can also result in a zone with a large number of
members, meaning that more notifications, such as registered state change notifications
(RSCNs), or errors, go out to a larger group than necessary.
Operating
system
Zoning by operating system has issues similar to zoning by application. In a large site, this type
of zone can become very large and complex. When zone changes are made, they typically
involve applications rather than a particular server type. If members of different operating
system clusters can see storage assigned to another cluster, they might attempt to own the
other cluster’s storage and compromise the stability of the clusters.
Port allocation
Avoid zoning by port allocation unless the administration team has very rigidly enforced
processes for port and device allocation in the fabric. It does, however, provide some positive
features. For instance, when a storage port, server HBA, or tape drive is replaced, the change of
WWN for the new device is of no consequence. As long as the new device is connected to the
original port, it continues to have the same access rights. The ports on the edge switches can
be pre-associated to storage ports, and control of the fan-in ratio (the ratio of the input port to
output port) can be established. With this pre-assigning technique, the administrative team
cannot overload any one storage port by associating too many servers with it.
Not recommended
No fabric zoning
Using no fabric zoning is the least desirable zoning option because it allows devices to have
unrestricted access on the fabric. Additionally, any device attached to the fabric, intentionally or
maliciously, likewise has unrestricted access to the fabric. This form of zoning should be utilized
only in a small and tightly controlled environment, such as when host-based zoning or LUN
masking is deployed.
Zone objects
A zone object is any device in a zone, such as:
• Physical port number or port index on the switch
• Node World Wide Name (N-WWN)
• Port World Wide Name (P-WWN)
Zone objects identified by port number or index number are specified as a pair of decimal numbers
in the form D,I, where D is the domain ID of the switch and I is the index number on that switch in
relation to the port you want to specify.
For example, in Backbones, “4,30” specifies port 14 in slot number 2 (domain ID 4, port index 30).
On fixed-port models, “3,13” specifies port 13 in switch domain ID 3.
The following issues affect zone membership based on the type of zone object:
• When a zone object is the physical port number, then all devices connected to that port are in
the zone.
• World Wide Names are specified as 8-byte (16-digit) hexadecimal numbers, separated by
colons (:) for example, 10:00:00:90:69:00:00:8a.
• When a zone object is the node WWN name, only the specified device is in the zone.
• When a zone object is the port WWN name, only the single port is in the zone.
306
Fabric OS Administrator’s Guide
53-1002745-02
Zoning overview
11
The types of zone objects used to define a zone can be mixed. For example, a zone defined with the
zone objects 2,12; 2,14; 10:00:00:80:33:3f:aa:11 contains the devices connected to domain 2,
ports 12 and 14, and a device with the WWN 10:00:00:80:33:3f:aa:11 (either node name or port
name) that is connected on the fabric.
Zoning schemes
You can establish a zone by identifying zone objects using one or more of the following zoning
schemes:
• Domain,index (D,I)
All members are specified by domain ID, port number, or domain, index number pair or aliases.
• World Wide Name (WWN)
All members are specified only by World Wide Name (WWNs) or aliases of WWNs. They can be
node or port versions of the WWN.
• Mixed zoning
A zone containing members specified by a combination of domain,port or domain,index or
aliases, and WWNs or aliases of WWNs.
In any scheme, you can identify zone objects using aliases.
Zone aliases
A zone alias is a name assigned to a device or a group of devices. By creating an alias, you can
assign a familiar name to a device or group multiple devices into a single name. This simplifies
cumbersome data entry and allows an intuitive naming structure (such as using “NT_Hosts” to
define all NT hosts in the fabric).
Zone aliases also simplify repetitive entry of zone objects such as port numbers or a WWN. For
example, you can use the name “Eng” as an alias for “10:00:00:80:33:3f:aa:11”.
Naming zones for the initiator they contain can also be useful. For example, if you use the alias
SRV_MAILSERVER_SLT5 to designate a mail server in PCI slot 5, then the alias for the associated
zone is ZNE_MAILSERVER_SLT5. This clearly identifies the server host bus adapter (HBA)
associated with the zone.
Zone configuration naming is flexible. One configuration should be named PROD_fabricname,
where fabricname is the name that the fabric has been assigned. The purpose of the PROD
configuration is to easily identify the configuration that can be implemented and provide the most
generic services. If other configurations are used for specialized purposes, names such as
“BACKUP_A,” “RECOVERY_2,” and “TEST_18jun02” can be used.
Zone configurations
A zone configuration is a group of one or more zones. A zone can be included in more than one
zone configuration. When a zone configuration is in effect, all zones that are members of that
configuration are in effect.
Several zone configurations can reside on a switch at once, and you can quickly alternate between
them. For example, you might want to have one configuration enabled during the business hours
and another enabled overnight. However, only one zone configuration can be enabled at a time.
Fabric OS Administrator’s Guide
53-1002745-02
307
11
Zoning overview
The different types of zone configurations are:
• Defined Configuration
The complete set of all zone objects defined in the fabric.
• Effective Configuration
A single zone configuration that is currently in effect. The effective configuration is built when
you enable a specified zone configuration.
• Saved Configuration
A copy of the defined configuration plus the name of the effective configuration, which is saved
in flash memory. (You can also provide a backup of the zone configuration and restore the zone
configuration.) There might be differences between the saved configuration and the defined
configuration if you have modified any of the zone definitions and have not saved the
configuration.
• Disabled Configuration
The effective configuration is removed from flash memory.
If you disable the effective configuration, the Advanced Zoning feature is disabled on the fabric,
and all devices within the fabric can communicate with all other devices (unless you previously set
up a default zone, as described in “Default zoning mode” on page 326). This does not mean that
the zone database is deleted, however, only that there is no configuration active in the fabric.
On power-up, the switch automatically reloads the saved configuration. If a configuration was active
when it was saved, the same configuration is reinstated on the local switch.
Zoning enforcement
Zoning enforcement describes a set of predefined rules that the switch uses to determine where to
send incoming data. Fabric OS uses hardware-enforced zoning. Hardware-enforced zoning means
that each frame is checked by hardware (the ASIC) before it is delivered to a zone member and is
discarded if there is a zone mismatch. When hardware-enforced zoning is active, the Fabric OS
switch monitors the communications and blocks any frames that do not comply with the effective
zone configuration. The switch performs this blocking at the transmit side of the port on which the
destination device is located.
There are two methods of hardware enforcement:
• Frame-based hardware enforcement: All frames are checked by the hardware.
• Session-based hardware enforcement: The only frames checked by hardware are the ELS
frames (such as PLOGI and RNID) used to establish a session.
The method used depends on how the zones are configured.
A zone can contain all WWN members, or all D,I members, or a combination of WWN and D,I
members.
Frame-based hardware enforcement is in effect if all members of a zone are identified the same
way, either using WWNs or D,I notation, but not both. If the zone includes aliases, then the aliases
must also be defined the same way as the zone.
Session-based hardware enforcement is in effect if the zone has a mix of WWN and D,I members.
If a port is in multiple zones, and is defined by WWN in one zone and by D,I in another, then
session-based hardware enforcement is in effect.
308
Fabric OS Administrator’s Guide
53-1002745-02
Zoning overview
11
Identifying the enforced zone type
Use the following procedure to identify zones and zone types:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the portZoneShow command, using the following syntax:
portzoneshow
Considerations for zoning architecture
Table 54 lists considerations for zoning architecture.
TABLE 54
Considerations for zoning architecture
Item
Description
Type of zoning
enforcement: frameor session-based
If security is a priority, frame-based hardware enforcement is recommended. The best way
to do this is to use WWN identification exclusively for all zoning configurations.
Use of aliases
The use of aliases is optional with zoning. Using aliases requires structure when defining
zones. Aliases aid administrators of zoned fabrics in understanding the structure and
context.
Effect of changes in a
production fabric
Zone changes in a production fabric can result in a disruption of I/O under conditions
when an RSCN is issued because of the zone change and the HBA is unable to process the
RSCN fast enough. Although RSCNs are a normal part of a functioning SAN, the pause in
I/O might not be acceptable. For these reasons, you should perform zone changes only
when the resulting behavior is predictable and acceptable. Ensuring that the HBA drivers
are current can shorten the response time in relation to the RSCN.
Testing
Before implementing a new zone, you should run the Zone Analyzer from Web Tools to
isolate any possible problems. This is especially useful as fabrics increase in size.
Confirming operation
After changing or enabling a zone configuration, you should confirm that the nodes and
storage can identify and access one another. Depending on the platform, you might need
to reboot one or more nodes in the fabric with the new changes.
Zoning can be implemented and administered from any switch in the fabric, although it is
recommended that you use a switch running the latest Fabric OS version.
The zone configuration is managed on a fabric basis. When a change in the configuration is saved,
enabled, or disabled according to the transactional model, it is automatically (by closing the
transaction) distributed to all switches in the fabric, preventing a single point of failure for zone
information.
NOTE
Zoning commands make changes that affect the entire fabric. When executing fabric-level
configuration tasks, allow time for the changes to propagate across the fabric before executing any
subsequent commands. For a large fabric, you should wait several minutes between commands.
Fabric OS Administrator’s Guide
53-1002745-02
309
11
Broadcast zones
Best practices for zoning
The following are recommendations for using zoning:
• Always zone using the highest Fabric OS-level switch.
Switches with earlier Fabric OS versions do not have the capability to view all the functionality
that a newer Fabric OS provides, as functionality is backwards compatible but not forwards
compatible.
• Zone using the core switch versus an edge switch.
• Zone using a Backbone rather than a switch.
A Backbone has more resources to handle zoning changes and implementations.
Broadcast zones
Fibre Channel allows sending broadcast frames to all Nx_Ports if the frame is sent to a broadcast
well-known address (FFFFFF); however, many target devices and HBAs cannot handle broadcast
frames. To control which devices receive broadcast frames, you can create a special zone, called a
broadcast zone, that restricts broadcast packets to only those devices that are members of the
broadcast zone.
If there are no broadcast zones or if a broadcast zone is defined but not enabled, broadcast frames
are not forwarded to any F_Ports. If a broadcast zone is enabled, broadcast frames are delivered
only to those logged-in Nx_Ports that are members of the broadcast zone and are also in the same
zone (regular zone) as the sender of the broadcast packet.
Devices that are not members of the broadcast zone can send broadcast packets, even though
they cannot receive them.
A broadcast zone can have domain,port, WWN, and alias members.
Broadcast zones do not function in the same way as other zones. A broadcast zone does not allow
access within its members in any way. If you want to allow or restrict access between any devices,
you must create regular zones for that purpose. If two devices are not part of a regular zone, they
cannot exchange broadcast or unicast packets.
To restrict broadcast frames reaching broadcast-incapable devices, create a broadcast zone and
populate it with the devices that are capable of handling broadcast packets. Devices that cannot
handle broadcast frames must be kept out of the broadcast zone so that they do not receive any
broadcast frames.
You create a broadcast zone the same way you create any other zone except that a broadcast zone
must have the name “broadcast” (case-sensitive). You set up and manage broadcast zones using
the standard zoning commands, described in “Zone creation and maintenance” on page 316.
Broadcast zones and Admin Domains
Each Admin Domain can have only one broadcast zone. However, all of the broadcast zones from
all of the Admin Domains are considered as a single consolidated broadcast zone.
Broadcast packets are forwarded to all the ports that are part of the broadcast zone for any Admin
Domain, have membership in that Admin Domain, and are zoned together (in a regular zone) with
the sender of the broadcast frame.
310
Fabric OS Administrator’s Guide
53-1002745-02
Broadcast zones
11
Figure 30 illustrates how broadcast zones work with Admin Domains. Figure 30 shows a fabric with
five devices and two Admin Domains, AD1 and AD2. Each Admin Domain has two devices and a
broadcast zone.
"3,1"
"1,1"
"4,1"
"2,1"
AD1
AD2
broadcast
"2,1; 3,1; 4,1"
broadcast
"1,1; 3,1; 5,1"
"5,1"
"1,1"
"3,1; 4,1"
broadcast
"1,1; 3,1; 4,1"
FIGURE 30
Broadcast zones and Admin Domains
The dotted box represents the consolidated broadcast zone, which contains all of the devices that
can receive broadcast packets. The actual delivery of broadcast packets is also controlled by the
Admin Domain and zone enforcement logic. The consolidated broadcast zone is not an actual zone,
but is just an abstraction used for explaining the behavior.
• The broadcast zone for AD1 includes member devices “1,1”, “3,1” and “5,1”; however, “3,1”
and “5,1” are not members of AD1. Consequently, from the AD1 broadcast zone, only “1,1” is
added to the consolidated broadcast zone.
• The broadcast zone for AD2 includes member devices “2,1”, “3,1”, and “4,1”. Even though
“2,1” is a member of AD1, it is not a member of AD2 and so is not added to the consolidated
broadcast zone.
• Device “3,1” is added to the consolidated broadcast zone because of its membership in the
AD2 broadcast zone.
When a switch receives a broadcast packet it forwards the packet only to those devices which are
zoned with the sender and are also part of the consolidated broadcast zone.
You can check whether a broadcast zone has any invalid members that cannot be enforced in the
current AD context. Refer to “Validating a zone” on page 323 for complete instructions.
Broadcast zones and FC-FC routing
If you create broadcast zones in a metaSAN consisting of multiple fabrics connected through an FC
router, the broadcast zone must include the IP device that exists in the edge or backbone fabric as
well as the proxy device in the remote fabric. See Chapter 24, “Using FC-FC Routing to Connect
Fabrics,” for information about proxy devices and the FC router.
Fabric OS Administrator’s Guide
53-1002745-02
311
11
Zone aliases
High availability considerations with broadcast zones
If a switch has broadcast zone-capable firmware on the active CP (Fabric OS v5.3.x or later) and
broadcast zone-incapable firmware on the standby CP (Fabric OS version earlier than v5.3.0), then
you cannot create a broadcast zone because the zoning behavior would not be the same across an
HA failover. If the switch failed over, then the broadcast zone would lose its special significance and
would be treated as a regular zone.
Loop devices and broadcast zones
Delivery of broadcast packets to individual devices in a loop is not controlled by the switch.
Consequently, adding loop devices to a broadcast zone does not have any effect. If a loop device is
part of a broadcast zone, then all devices in that loop receive broadcast packets.
Best practice: All devices in a single loop should have uniform broadcast capability. If all the
devices in the loop can handle broadcast frames, then add the FL_Port to the broadcast zone.
Broadcast zones and default zoning mode
The default zoning mode defines the device accessibility behavior if zoning is not implemented or if
there is no effective zone configuration. The default zoning mode has two options:
• All Access—All devices within the fabric can communicate with all other devices.
• No Access—Devices in the fabric cannot access any other device in the fabric.
If a broadcast zone is active, even if it is the only zone in the effective configuration, the default
zone setting is not in effect.
If the effective configuration has only a broadcast zone, then the configuration appears as a No
Access configuration. To change this configuration to All Access, you must put all the available
devices in a regular zone.
See “Default zoning mode” on page 326 for additional information about default zoning.
Zone aliases
A zone alias is a logical group of ports or WWNs. You can simplify the process of creating zones by
first specifying aliases, which eliminates the need for long lists of individual zone member names.
If you are creating a new alias using aliCreate w, “1,1”, and a user in another Telnet session
executes cfgEnable (or cfgDisable, or cfgSave), the other user’s transaction will abort your
transaction and you will receive an error message. Creating a new alias while there is a zone merge
taking place might also abort your transaction. For more details about zone merging and zone
merge conflicts, see “Zone merging” on page 336.
Virtual Fabrics considerations: Alias definitions should not include logical port numbers. Zoning is
not enforced on logical ports.
312
Fabric OS Administrator’s Guide
53-1002745-02
Zone aliases
11
Creating an alias
Use the following procedure to create an alias:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the aliCreate command, using the following syntax:
alicreate "aliasname", "member[; member...]"
3. Enter the cfgSave command to save the change to the defined configuration.
The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile
memory. If a transaction is open on a different switch in the fabric when this command is run,
the transaction on the other switch is automatically aborted. A message displays on the other
switches to indicate that the transaction was aborted.
Example
switch:admin> alicreate "array1", "2,32; 2,33; 2,34; 4,4"
switch:admin> alicreate "array2", "21:00:00:20:37:0c:66:23; 4,3"
switch:admin> alicreate "loop1", "4,6"
switch:admin> cfgsave
WARNING!!!
The changes you are attempting to save will render the
Effective configuration and the Defined configuration
inconsistent. The inconsistency will result in different
Effective Zoning configurations for switches in the fabric if
a zone merge or HA failover happens. To avoid inconsistency
it is recommended to commit the configurations using the
'cfgenable' command.
Do you still want to proceed with saving the Defined
zoning configuration only? (yes, y, no, n): [no] y
Adding members to an alias
Use the following procedure to add a member to an alias:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the aliAdd command, using the following syntax:
aliadd "aliasname", "member[; member...]"
3. Enter the cfgSave command to save the change to the defined configuration.
The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile
memory. If a transaction is open on a different switch in the fabric when this command is run,
the transaction on the other switch is automatically aborted. A message displays on the other
switches to indicate that the transaction was aborted.
Example
switch:admin> aliadd "array1", "1,2"
switch:admin> aliadd "array2", "21:00:00:20:37:0c:72:51"
switch:admin> aliadd "loop1", "5,6"
switch:admin> cfgsave
WARNING!!!
The changes you are attempting to save will render the
Effective configuration and the Defined configuration
Fabric OS Administrator’s Guide
53-1002745-02
313
11
Zone aliases
inconsistent. The inconsistency will result in different
Effective Zoning configurations for switches in the fabric if
a zone merge or HA failover happens. To avoid inconsistency
it is recommended to commit the configurations using the
'cfgenable' command.
Do you still want to proceed with saving the Defined
zoning configuration only? (yes, y, no, n): [no] y
Removing members from an alias
Use the following procedure to removing a member from an alias:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the aliRemove command, using the following syntax:
aliremove "aliasname", "member[; member...]"
3. Enter the cfgSave command to save the change to the defined configuration.
The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile
memory. If a transaction is open on a different switch in the fabric when this command is run,
the transaction on the other switch is automatically aborted. A message displays on the other
switches to indicate that the transaction was aborted.
Example
switch:admin> aliremove "array1", "1,2"
switch:admin> aliremove "array2", "21:00:00:20:37:0c:72:51"
switch:admin> aliremove "loop1", "4,6"
switch:admin> cfgsave
WARNING!!!
The changes you are attempting to save will render the
Effective configuration and the Defined configuration
inconsistent. The inconsistency will result in different
Effective Zoning configurations for switches in the fabric if
a zone merge or HA failover happens. To avoid inconsistency
it is recommended to commit the configurations using the
'cfgenable' command.
Do you still want to proceed with saving the Defined
zoning configuration only? (yes, y, no, n): [no] y
Deleting an alias
Use the following procedure to delete an alias:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the aliDelete command, using the following syntax.
alidelete "aliasname"
3. Enter the cfgSave command to save the change to the defined configuration.
314
Fabric OS Administrator’s Guide
53-1002745-02
Zone aliases
11
The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile
memory. If a transaction is open on a different switch in the fabric when this command is run,
the transaction on the other switch is automatically aborted. A message displays on the other
switches to indicate that the transaction was aborted.
Example
switch:admin> alidelete "array1"
switch:admin> cfgsave
WARNING!!!
The changes you are attempting to save will render the
Effective configuration and the Defined configuration
inconsistent. The inconsistency will result in different
Effective Zoning configurations for switches in the fabric if
a zone merge or HA failover happens. To avoid inconsistency
it is recommended to commit the configurations using the
'cfgenable' command.
Do you still want to proceed with saving the Defined
zoning configuration only? (yes, y, no, n): [no] y
Viewing an alias in the defined configuration
Use the following procedure to view an alias in the configuration:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the aliShow command, using the following syntax
alishow "pattern"[, mode]
If no parameters are specified, the entire zone database (both the defined and effective
configuration) is displayed.
Example
The following example shows all zone aliases beginning with “arr”.
switch:admin> alishow "arr*"
alias: array1 21:00:00:20:37:0c:76:8c
alias: array2 21:00:00:20:37:0c:66:23
Fabric OS Administrator’s Guide
53-1002745-02
315
11
Zone creation and maintenance
Zone creation and maintenance
Fabric OS allows you to create zones to better manage devices.
Notes
• Broadcast Zone: To create a broadcast zone, use the reserved name “broadcast”. Do not give a
regular zone the name of “broadcast”.
See “Broadcast zones” on page 310 for additional information about this special type of zone.
• Virtual Fabrics considerations: Zone definitions should not include logical port numbers.
Zoning is not enforced on logical ports.
Displaying existing zones
Use the following procedure to display a list of existing zones:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the cfgShow command.
Example Displaying existing zones
switch:admin> cfgshow
Defined configuration:
zone: matt 30:06:00:07:1e:a2:10:20; 3,2
alias:
bawn
3,5; 4,8
alias:
bolt
10:00:00:02:1f:02:00:01
alias:
bond
10:00:05:1e:a9:20:00:01; 3,5
alias:
brain 11,4; 22,1; 33,6
alias:
jake
4,7; 8,9; 14,11
alias:
jeff
30:00:00:05:1e:a1:cd:02; 40:00:00:05:1e:a1:cd:04
alias:
jones 7,3; 4,5
alias:
zeus
4,7; 6,8; 9,2
Effective configuration:
No Effective configuration: (No Access)
Creating a zone
ATTENTION
This command will add all zone member aliases that match the “aliasname_pattern” in the zone
database to the new zone.
Use the following procedure to create a zone:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the zoneCreate command, using either of the following syntaxes:
zonecreate "zonename", "member[; member...]"
zonecreate "zonename", "aliasname_pattern*[;members]"
NOTE
This command supports partial pattern matching (“wildcards”) of zone member aliases.
This allows you to add multiple aliases that match the “aliasname_pattern” in the
command line.
316
Fabric OS Administrator’s Guide
53-1002745-02
Zone creation and maintenance
11
To create a broadcast zone, use the reserved name “broadcast”.
3. Enter the cfgSave command to save the change to the defined configuration.
The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile
memory. If a transaction is open on a different switch in the fabric when this command is run,
the transaction on the other switch is automatically aborted. A message displays on the other
switches to indicate that the transaction was aborted.
4. Enter the cfgShow command to view the changes.
Example Creating a new zone
switch:admin> zonecreate sloth, "b*; 10:00:00:00:01:1e:20:20"
switch:admin> cfgsave
switch:admin> cfgshow
Defined configuration:
zone: matt
30:06:00:07:1e:a2:10:20; 3,2
zone: sloth
bawn; bolt; bond; brain; 10:00:00:00:01:1e:20:20
alias: bawn
3,5; 4,8
alias: bolt
10:00:00:02:1f:02:00:01
alias: bond
10:00:05:1e:a9:20:00:01; 3,5
alias: brain 11,4; 22,1; 33,6
alias: jake
4,7; 8,9; 14,11
alias: jeff
30:00:00:05:1e:a1:cd:02; 40:00:00:05:1e:a1:cd:04
alias: jones 7,3; 4,5
alias: zeus
4,7; 6,8; 9,2
Effective configuration:
No Effective configuration: (No Access)
Adding devices (members) to a zone
ATTENTION
This command will add all zone member aliases that match the “aliasname_pattern” in the zone
database to the specified zone.
Use the following procedure to add members to a zone:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the zoneAdd command, using either of the following syntaxes:
zoneadd "zonename", "member[; member...]"
zoneadd "zonename", "aliasname_pattern*[;members]"
NOTE
This command supports partial pattern matching (“wildcards”) of zone member aliases.
This allows you to add multiple aliases that match the “aliasname_pattern” in the
command line.
3. Enter the cfgSave command to save the change to the defined configuration.
The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile
memory. If a transaction is open on a different switch in the fabric when this command is run,
the transaction on the other switch is automatically aborted. A message displays on the other
switches to indicate that the transaction was aborted.
4. Enter the cfgShow command to view the changes.
Fabric OS Administrator’s Guide
53-1002745-02
317
11
Zone creation and maintenance
Example Adding members to a zone
switch:admin> zoneadd matt, "ze*; bond*; j*"
switch:admin> cfgsave
switch:admin> cfgshow
Defined configuration:
zone: matt
30:06:00:07:1e:a2:10:20; 3,2; zeus; bond; jake; jeff; jones
zone: sloth bawn; bolt; bond; brain; 10:00:00:00:01:1e:20:20
alias:
bawn
3,5; 4,8
alias:
bolt
10:00:00:02:1f:02:00:01
alias:
bond
10:00:05:1e:a9:20:00:01; 3,5
alias:
brain 11,4; 22,1; 33,6
alias:
jake
4,7; 8,9; 14,11
alias:
jeff
30:00:00:05:1e:a1:cd:02; 40:00:00:05:1e:a1:cd:04
alias:
jones 7,3; 4,5
alias:
zeus
4,7; 6,8; 9,2
Effective configuration:
No Effective configuration: (No Access)
Removing devices (members) from a zone
ATTENTION
This command will remove all zone member aliases that match the “aliasname_pattern” in the zone
database from the specified zone.
Use the following procedure to remove members from a zone:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the zoneRemove command, using either of the following syntaxes:
zoneremove "zonename", "member[; member...]"
zoneremove "zonename", "aliasname_pattern*[;members]"
NOTE
This command supports partial pattern matching (“wildcards”) of zone member aliases.
This allows you to remove multiple aliases that match the “aliasname_pattern” in the
command line.
3. Enter the cfgSave command to save the change to the defined configuration.
The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile
memory. If a transaction is open on a different switch in the fabric when this command is run,
the transaction on the other switch is automatically aborted. A message displays on the other
switches to indicate that the transaction was aborted.
4. Enter the cfgShow command to view the changes.
Example Removing members from a zone
switch:admin> cfgshow
Defined configuration:
zone: matt
zeus;
zone: sloth bawn;
alias:
bawn
alias:
bolt
alias:
bond
alias:
brain
alias:
jake
318
bond; jake; jeff; jones; 3,2; 30:06:00:07:1e:a2:10:20
bolt; bond; brain; 10:00:00:00:01:1e:20:20
3,5; 4,8
10:00:00:02:1f:02:00:01
10:00:05:1e:a9:20:00:01; 3,5
11,4; 22,1; 33,6
4,7; 8,9; 14,11
Fabric OS Administrator’s Guide
53-1002745-02
Zone creation and maintenance
11
alias:
jeff
30:00:00:05:1e:a1:cd:02; 40:00:00:05:1e:a1:cd:04
alias:
jones 7,3; 4,5
alias:
zeus
4,7; 6,8; 9,2
Effective configuration:
No Effective configuration: (No Access)
switch:admin>
switch:admin> zoneremove matt,"30:06:00:07:1e:a2:10:20; ja*; 3,2"
switch:admin> cfgsave
switch:admin> cfgshow
Defined configuration:
zone: matt
zeus; bond; jeff; jones
zone: sloth bawn; bolt; bond; brain; 10:00:00:00:01:1e:20:20
alias:
bawn
3,5; 4,8
alias:
bolt
10:00:00:02:1f:02:00:01
alias:
bond
10:00:05:1e:a9:20:00:01; 3,5
alias:
brain 11,4; 22,1; 33,6
alias:
jake
4,7; 8,9; 14,11
alias:
jeff
30:00:00:05:1e:a1:cd:02; 40:00:00:05:1e:a1:cd:04
alias:
jones 7,3; 4,5
alias:
zeus
4,7; 6,8; 9,2
Effective configuration:
No Effective configuration: (No Access)
Replacing zone members
Fabric OS allows you to replace one zone member with another zone member using a CLI
command. This command takes two inputs. The first is the member which is to be replaced and the
second is the new member. These inputs can only be in either the format of WWN or of D,I.
Use the following procedure to replace members in a zone:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the zoneObjectReplace command, using the following syntax:
zoneobjectreplace old wwn/D,I new wwn/D,I
NOTE
This command does not support partial pattern matching (“wildcards”) of zone member
aliases.
3. Enter the cfgSave command to save the change to the defined configuration.
The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile
memory. If a transaction is open on a different switch in the fabric when this command is run,
the transaction on the other switch is automatically aborted. A message displays on the other
switches to indicate that the transaction was aborted.
4. Enter the cfgShow command to view the changes.
Example Replacing zone members
switch:admin> cfgshow
Defined configuration:
zone: matt
zeus;
zone: sloth bawn;
alias:
bawn
alias:
bolt
alias:
bond
alias:
brain
Fabric OS Administrator’s Guide
53-1002745-02
bond; jeff;jones; 11, 2
bolt; bond; brain; brit; bru; 10:00:00:00:01:1e:20:20
3,5
10:00:00:02:1f:02:00:01
10:00:05:1e:a9:20:00:01; 3,5
11,4; 22,1; 33,6
319
11
Zone creation and maintenance
alias:
jake
4,7; 8,9; 14,11
alias:
jeff
30:00:00:05:1e:a1:cd:02; 40:00:00:05:1e:a1:cd:04
alias:
jones 7,3; 4,5
alias:
zeus
4,7; 6,8; 9,2
Effective configuration:
No Effective configuration: (No Access)
switch:admin>
switch:admin> zoneobjectreplace 11,2 4,8
switch:admin> cfgsave
switch:admin> cfgshow
Defined configuration:
zone: matt
zeus; bond; jeff; 4,8
zone: sloth bawn; bolt; bond; brain; 10:00:00:00:01:1e:20:20
alias:
bawn
3,5
alias:
bolt
10:00:00:02:1f:02:00:01
alias:
bond
10:00:05:1e:a9:20:00:01; 3,5
alias:
brain 11,4; 22,1; 33,6
alias:
jake
4,7; 8,9; 14,11
alias:
jeff
30:00:00:05:1e:a1:cd:02; 40:00:00:05:1e:a1:cd:04
alias:
jones 7,3; 4,5
alias:
zeus
4,7; 6,8; 9,2
Effective configuration:
No Effective configuration: (No Access)
CAUTION
Executing this command replaces all instances of the older member with the new member in the
entire zone database.
Notes and restrictions
• In order to make a configuration change effective, a cfgEnable command should be issued
after the zoneObjectReplace command. Otherwise, the changes will be in the transaction
buffer but not committed.
• Only members of regular zones and aliases (those identified using either D,I or WWN) can be
replaced using zoneObjectReplace.
• The zoneObjectReplace command is not applicable for Frame Redirect (FR) and Traffic
Isolation (TI) zones. Only members of regular zones can be replaced using this command.
• The zoneObjectReplace command does not work with aliases. Alias members (that is,
members inside an alias) can be replaced using zoneObjectReplace, but an alias itself cannot
be directly replaced. To achieve the effect of replacement, create a new alias (with the desired
new name) containing the same members, and then delete the old alias.
Deleting a zone
Use the following procedure to delete a zone:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the zoneDelete command, using the following syntax:
zonedelete "zonename"
3. Enter the cfgSave command to save the change to the defined configuration.
320
Fabric OS Administrator’s Guide
53-1002745-02
Zone creation and maintenance
11
The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile
memory. If a transaction is open on a different switch in the fabric when this command is run,
the transaction on the other switch is automatically aborted. A message displays on the other
switches to indicate that the transaction was aborted.
Example Deleting zone members
switch:admin> cfgshow
Defined configuration:
zone: matt
zeus; bond; jeff; 4,8
zone: sloth bawn; bolt; bond; brain; brit; bru; 10:00:00:00:01:1e:20:20
alias:
bawn
3,5
alias:
bolt
10:00:00:02:1f:02:00:01
alias:
bond
10:00:05:1e:a9:20:00:01; 3,5
alias:
brain 11,4; 22,1; 33,6
alias:
jake
4,7; 8,9; 14,11
alias:
jeff
30:00:00:05:1e:a1:cd:02; 40:00:00:05:1e:a1:cd:04
alias:
jones 7,3; 4,5
alias:
zeus
4,7; 6,8; 9,2
Effective configuration:
No Effective configuration: (No Access)
switch:admin>
switch:admin> zonedelete sloth
switch:admin> cfgsave
WARNING!!!
The changes you are attempting to save will render the Effective configuration
and the Defined configuration inconsistent. The inconsistency will result in
different Effective Zoning configurations for switches in the fabric if a zone
merge or HA failover happens. To avoid inconsistency it is recommended to
commit the configurations using the 'cfgenable' command.
Do you still want to proceed with saving the Defined zoning configuration
only? (yes, y, no, n): [no] y
switch:admin>
switch:admin> cfgshow
Defined configuration:
zone: matt
zeus; bond; jeff; 4,8
alias:
bawn
3,5
alias:
bolt
10:00:00:02:1f:02:00:01
alias:
bond
10:00:05:1e:a9:20:00:01; 3,5
alias:
brain 11,4; 22,1; 33,6
alias:
jake
4,7; 8,9; 14,11
alias:
jeff
30:00:00:05:1e:a1:cd:02; 40:00:00:05:1e:a1:cd:04
alias:
jones 7,3; 4,5
alias:
zeus
4,7; 6,8; 9,2
Effective configuration:
No Effective configuration: (No Access)
Fabric OS Administrator’s Guide
53-1002745-02
321
11
Zone creation and maintenance
Viewing a zone in the defined configuration
Use the following procedure to view a zone in the configuration:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the zoneShow command, using the following syntax:
zoneshow[--sort] ["pattern"] [, mode]
If no parameters are specified, the entire zone database (both the defined and effective
configuration) is displayed.
Example
The following example shows all zones beginning with A, B, or C, in ascending order:
switch:admin> zoneshow --sort "[A-C]*"
zone: Blue_zone 1,1; array1; 1,2; array2
zone: Bobs_zone 4,5; 4,6; 4,7; 4,8; 4,9
Examining changes in the zone database
Fabric OS allows you to check for and display any differences between the transaction buffer and
the committed database by appending the options --transdiffs and --transdiffsonly to the
zoneShow and cfgShow commands.
The format of these commands with the new options is:
zoneShow –-transdiffs
zoneShow –-transdiffsonly
cfgShow --transdiffs
cfgShow –-transdiffsonly
To reflect the changes made to the zone database (A new zone is added or an existing zone is
deleted, or a zone member is added/deleted or any other valid zone database entity is modified),
the following notation is used.
• An asterisk “*” at the start indicates a change in that zone, zone configuration, alias or any
other entity in the zone database.
• A “+” before any entity (an alias or a zone name or a configuration) indicates that it is a newly
added entity.
• A “–” before any entity indicates that this entity has been deleted. If zone members are added
as well as deleted in a zone configuration, then “+-” will be displayed before the member and
a * sign will be displayed before the zone name.
• A “+” before any member of an alias or zone name or any other entity indicates this member has
been added and in the case of “–” the particular member has been deleted.
In the case of TI zones, for inter-fabric links for example, “5,-1” is a valid zone member.
Notice that “-” is in front of port index. If this was a deleted zone member, it would have been
shown as “-5,-1”. A “-” before a domain ID would indicate that this TI zone member has been
deleted.
Example Displaying existing zone database
switch:admin> cfgshow
Defined configuration:
cfg: fabric_cfg Blue_zone
zone: Blue_zone
1,1; array1; 1,2; array2
zone: green_zone
322
Fabric OS Administrator’s Guide
53-1002745-02
Zone creation and maintenance
1,1; 1,2
alias: array1
alias: array2
11
21:00:00:20:37:0c:76:8c; 21:00:00:20:37:0c:71:02
21:00:00:20:37:0c:76:22; 21:00:00:20:37:0c:76:28
Effective configuration:
cfg: fabric_cfg
zone: Blue_zone
1,1
21:00:00:20:37:0c:76:8c
21:00:00:20:37:0c:71:02
1,2
Example Adding a new zone ‘red_zone’, deleting “1,1” and adding “6,15” to green_zone
switch:admin> cfgshow --transdiffs
Defined configuration:
cfg: fabric_cfg Blue_zone
zone: Blue_zone
1,1; array1; 1,2; array2
*zone: green_zone
-1,1; 1,2; +6, 15
*zone: +red_zone
5,1; 4,2
alias: array1 21:00:00:20:37:0c:76:8c; 21:00:00:20:37:0c:71:02
alias: array2 21:00:00:20:37:0c:76:22; 21:00:00:20:37:0c:76:28
Effective configuration:
cfg: fabric_cfg
zone: Blue_zone
1,1
21:00:00:20:37:0c:76:8c
21:00:00:20:37:0c:71:02
1,2
Example cfgShow --transdiffsonly output for the example above
switch:admin> cfgshow --transdiffsonly
*zone: green_zone -1,1; 1,2; +6,15
*zone: +red_zone 5,1; 4,2
switch:admin>
Validating a zone
Use the following procedure to validate a zone:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the cfgShow command to view the zone configuration objects you want to validate.
switch:admin> cfgShow
Defined configuration:
cfg: USA_cfg Purple_zone; White_zone; Blue_zone
zone: Blue_zone
1,1; array1; 1,2; array2
zone: Purple_zone
1,0; loop1
zone: White_zone
1,3; 1,4
alias: array1 21:00:00:20:37:0c:76:8c; 21:00:00:20:37:0c:71:02
alias: array2 21:00:00:20:37:0c:76:22; 21:00:00:20:37:0c:76:28
Fabric OS Administrator’s Guide
53-1002745-02
323
11
Zone creation and maintenance
alias: loop1
21:00:00:20:37:0c:76:85; 21:00:00:20:37:0c:71:df
3. Enter the zone --validate command to list all zone members that are not part of the current
zone enforcement table. Note that zone configuration names are case-sensitive; blank spaces
are ignored.
switch:admin> zone --validate "White_zone"
4. Enter the following command to validate all zones in the zone database in the defined
configuration.
switch:admin> zone --validate -m 1
Defined configuration:
cfg:
cfg1
zone1
cfg:
cfg2
zone1; zone2
zone: zone1
1,1; ali1
zone: zone2
1,1; ali2
alias: ali1
10:00:00:05:1e:35:81:7f*; 10:00:00:05:1e:35:81:7d*
alias: ali2
10:00:00:05:1e:35:81:09*; 10:00:00:05:1e:35:81:88*
-----------------------------------~ - Invalid configuration
* - Member does not exist
The mode flag -m can be used to specify the zone database location. Supported mode flag
values are:
• 0 - zone database from the current transaction buffer
• 1 - zone database stored from the persistent storage
• 2 - currently effective zone database.
If no mode options are given, the validated output of all three buffers is shown.
If the -f option is specified, all the zone members that are not enforceable would be expunged
in the transaction buffer. This pruning operation always happens on the transaction and
defined buffers. You cannot specify a mode option or specify a zone object as an argument
with the -f option. This mode flag should be used after the zone has been validated.
Inconsistencies between the Defined and Effective Zone Databases
If you edit zone objects in the Defined Zone configuration that also exist in the Effective Zone
Configuration and then issue the cfgSave command, a warning message stating that mismatch is
observed between defined and effective configurations is posted, and you are asked to confirm
that you want cfgSave to continue. If you enter “y”, then the updated configuration will be saved;
if you enter “n”, then the updated configuration will be discarded.
Example warning message
switch: admin> cfgsave
WARNING!!!
The changes you are attempting to save will render the
Effective configuration and the Defined configuration inconsistent.
The inconsistency will result in different Effective Zoning
configurations for switches in the fabric if a zone merge or
HA failover happens. To avoid inconsistency it is recommended to
commit the configurations using the 'cfgenable' command.
Do you want to proceed with saving the Defined
zoning configuration only? (yes, y, no, n): [no] yes
324
Fabric OS Administrator’s Guide
53-1002745-02
Zone creation and maintenance
11
If you enter yes, and the cfgSave operation completes successfully then the following RASlog
message [ZONE-1062] will be posted.
[ZONE-1062], 620/181, FID 128, WARNING, sw0, Defined and Effective zone
configurations are inconsistent, ltime:2012/09/03-23:18:30:983609
You can then either re-enable the updated configuration or revert to the older configuration. If there
is no impact to the effective configuration with the latest update to the zoning configuration, then
the following message will be displayed.
“You are about to save the Defined zoning configuration. This action will only
save the changes on Defined configuration.
Do you want to proceed?” (yes, y, no, n): [no] y
Example ‘Inconsistent Defined and Effective Zone Database’ warning to user
switch: admin> zoneShow
Defined configuration:
cfg:
cfg1
zone1; zone2
zone:
zone1
10:00:00:00:00:00:00:01; 10:00:00:00:00:00:00:02
zone:
zone2
1,1; 1,2
Effective configuration:
cfg:
cfg1
zone:
zone1
10:00:00:00:00:00:00:01
10:00:00:00:00:00:00:02
zone:
zone2
1,1; 1,2
switch: admin> zoneadd zone1, 10:00:00:00:00:00:00:03
switch: admin> cfgsave
WARNING!!!
The changes you are attempting to save will render the
Effective configuration and the Defined configuration inconsistent.
The inconsistency will result in different Effective Zoning
configurations for switches in the fabric if a zone merge or
HA failover happens. To avoid inconsistency it is recommended to
commit the configurations using the 'cfgenable' command.
Do you want to proceed with saving the Defined zoning
configuration only? (yes, y, no, n): [no] y
Updating flash ...
switch:admin> zoneShow
Defined configuration:
cfg:
cfg1
zone1; zone2
zone:
zone1
10:00:00:00:00:00:00:01; 10:00:00:00:00:00:00:02;
10:00:00:00:00:00:00:03
zone:
zone2
1,1; 1,2
Effective configuration:
cfg:
cfg1
zone:
zone1
10:00:00:00:00:00:00:01; 10:00:00:00:00:00:00:02
zone:
zone2
1,1; 1,2
Fabric OS Administrator’s Guide
53-1002745-02
325
11
Default zoning mode
Default zoning mode
The default zoning mode controls device access if zoning is not implemented or if there is no
effective zone configuration. The default zoning mode has two options:
• All Access—All devices within the fabric can communicate with all other devices.
• No Access—Devices in the fabric cannot access any other device in the fabric.
The default zone mode applies to the entire fabric, regardless of switch model.
The default setting is “All Access”.
Typically, when you disable the zoning configuration in a large fabric with thousands of devices, the
name server indicates to all hosts that they can communicate with each other. In fact, each host
can receive an enormous list of PIDs, and ultimately cause other hosts to run out of memory or
crash. To ensure that all devices in a fabric do not see each other during a configuration disable
operation, set the default zoning mode to No Access.
NOTE
For switches in large fabrics, the default zone mode should be set to No Access. You cannot disable
the effective configuration if the default zone mode is All Access and you have more than 120
devices in the fabric.
Admin Domain considerations: If you want to use Admin Domains, you must set the default zoning
mode to No Access prior to setting up the Admin Domains. You cannot change the default zoning
mode to All Access if user-specified Admin Domains are present in the fabric.
Setting the default zoning mode
NOTE
You should not change the default zone mode from “No Access” to “All Access” if there is no effective
zone configuration and more than 120 devices are connected to the fabric.
Use the following procedure to set the default zoning mode:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the cfgActvShow command to view the current zone configuration.
3. Enter the defZone command with one of the following options:
defzone --noaccess
or
defzone --allaccess
This command initiates a transaction (if one is not already in progress).
4. Enter either the cfgSave, cfgEnable, or cfgDisable command to commit the change and
distribute it to the fabric. The change will not be committed and distributed across the fabric if
you do not enter one of these commands.
Example
switch:admin> defzone --noaccess
You are about to set the Default Zone access mode to No Access
Do you want to set the Default Zone access mode to No Access ? (yes, y, no, n):
[no] y
326
Fabric OS Administrator’s Guide
53-1002745-02
Zone database size
11
switch:admin> cfgsave
WARNING!!!
The changes you are attempting to save will render the Effective configuration
and the Defined configuration inconsistent. The inconsistency will result in
different Effective Zoning configurations for switches in the fabric if a zone
merge or HA failover happens. To avoid inconsistency it is recommended to
commit the configurations using the 'cfgenable' command.
Do you still want to proceed with saving the Defined
zoning configuration only? (yes, y, no, n): [no] y
Updating flash ...
Viewing the current default zone access mode
Use the following procedure to view the current default zone access mode:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the defZone --show command.
NOTE
If you perform a firmware download of an older release, then the current default zone access state
will appear as it did prior to the download. For example, if the default zoning mode was No Access
before the download, it will remain as No Access afterward.
Zone database size
The maximum size of a zone database is the upper limit for the defined configuration, and it is
determined by the amount of flash memory available for storing the defined configuration.
Use the cfgSize command to display the zone database size.
The supported maximum zone database size is 2 MB for systems running only Brocade DCX,
DCX-4S, and DCX 8520 platforms. The presence of any other platform reduces the maximum zone
database size to 1MB.
Virtual Fabric considerations: If Virtual Fabrics is enabled, the sum of the zone database sizes on
all of the logical fabrics must not exceed the maximum size allowed for the chassis (1 MB). The
maximum size limit is enforced per-partition, but is not enforced chassis-wide. If the chassis size
limit is exceeded, you are not informed of this and unpredictable behavior might occur. It is your
responsibility to keep track of the chassis-wide zone database size.
ATTENTION
In a fabric with some switches running Fabric OS 7.0.0 or later and some switches running Fabric OS
versions earlier than 7.0.0, if you execute the cfgSave or cfgEnable command from a pre-7.0.0
switch, a zone database size of 128 KB is enforced.
To avoid this problem, use the switch with the highest Fabric OS version to perform zoning tasks, as
described in “Best practices for zoning” on page 310. Alternatively make sure that your pre-7.0.0
switches are upgraded with the latest patch release.
Fabric OS Administrator’s Guide
53-1002745-02
327
11
Zone configurations
Zone configurations
You can store a number of zones in a zone configuration database. The maximum number of items
that can be stored in the zone configuration database depends on the following criteria:
• Number of switches in the fabric.
• Number of bytes for each item name. The number of bytes required for an item name depends
on the specifics of the fabric, but cannot exceed 64 bytes for each item.
When enabling a new zone configuration, ensure that the size of the defined configuration does not
exceed the maximum configuration size supported by all switches in the fabric. This is particularly
important if you downgrade to a Fabric OS version that supports a smaller zone database than the
current Fabric OS. In this scenario, the zone database in the current Fabric OS would have to be
changed to the smaller zone database before the downgrade.
You can use the cfgSize command to check both the maximum available size and the currently
saved size on all switches. If you think you are approaching the maximum, you can save a partially
completed zone configuration and use the cfgSize command to determine the remaining space.
The cfgSize command reports the maximum available size on the current switch only. It cannot
determine the maximum available size on other switches in the fabric.
NOTE
The minimum zone database size is 4 bytes, even if the zone database is empty.
For important considerations for managing zoning in a fabric, and more details about the maximum
zone database size for each version of the Fabric OS, see “Zone database size” on page 327.
If you create or make changes to a zone configuration, you must enable the configuration for the
changes to take effect.
Creating a zone configuration
Use the following procedure to create a zone configuration:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the cfgCreate command, using the following syntax:
cfgcreate "cfgname", "member[; member...]"
3. Enter the cfgSave command to save the change to the defined configuration.
The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile
memory. If a transaction is open on a different switch in the fabric when this command is run,
the transaction on the other switch is automatically aborted. A message displays on the other
switches to indicate that the transaction was aborted.
Example
switch:admin> cfgcreate "NEW_cfg", "purplezone; bluezone; greenzone"
switch:admin> cfgsave
WARNING!!!
The changes you are attempting to save will render the Effective configuration
and the Defined configuration inconsistent. The inconsistency will result in
different Effective Zoning configurations for switches in the fabric if a zone
merge or HA failover happens. To avoid inconsistency it is recommended to
commit the configurations using the 'cfgenable' command.
Do you still want to proceed with saving the Defined zoning configuration
only? (yes, y, no, n): [no] y
328
Fabric OS Administrator’s Guide
53-1002745-02
Zone configurations
11
Adding zones (members) to a zone configuration
Use the following procedure to add members to a zone configuration:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the cfgAdd command, using the following syntax:
cfgadd "cfgname", "member[; member...]"
3. Enter the cfgSave command to save the change to the defined configuration.
The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile
memory. If a transaction is open on a different switch in the fabric when this command is run,
the transaction on the other switch is automatically aborted. A message displays on the other
switches to indicate that the transaction was aborted.
Example
switch:admin> cfgadd "newcfg", "bluezone"
switch:admin> cfgsave
WARNING!!!
The changes you are attempting to save will render the Effective configuration
and the Defined configuration inconsistent. The inconsistency will result in
different Effective Zoning configurations for switches in the fabric if a zone
merge or HA failover happens. To avoid inconsistency it is recommended to
commit the configurations using the 'cfgenable' command.
Do you still want to proceed with saving the Defined zoning configuration
only? (yes, y, no, n): [no] y
Removing zones (members) from a zone configuration
Use the following procedure to remove members from a zone configuration:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the cfgRemove command, using the following syntax:
cfgremove "cfgname", "member[; member...]"
3. Enter the cfgSave command to save the change to the defined configuration.
The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile
memory. If a transaction is open on a different switch in the fabric when this command is run,
the transaction on the other switch is automatically aborted. A message displays on the other
switches to indicate that the transaction was aborted.
Example
switch:admin> cfgremove "NEW_cfg", "purplezone"
switch:admin> cfgsave
WARNING!!!
The changes you are attempting to save will render the Effective configuration
and the Defined configuration inconsistent. The inconsistency will result in
different Effective Zoning configurations for switches in the fabric if a zone
merge or HA failover happens. To avoid inconsistency it is recommended to
commit the configurations using the 'cfgenable' command.
Do you still want to proceed with saving the Defined zoning configuration
only? (yes, y, no, n): [no] y
Fabric OS Administrator’s Guide
53-1002745-02
329
11
Zone configurations
Enabling a zone configuration
The following procedure ends and commits the current zoning transaction buffer to nonvolatile
memory. If a transaction is open on a different switch in the fabric when this procedure is run, the
transaction on the other switch is automatically aborted. A message displays on the other switches
to indicate that the transaction was aborted.
Use the following procedure to enable a zone configuration:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the cfgenable command, using the following syntax:
cfgenable "cfgname"
3. Enter y at the prompt.
Example
switch:admin> cfgenable "USA_cfg"
You are about to enable a new zoning configuration.
This action will replace the old zoning configuration with the current
configuration selected. If the update includes changes to one or more traffic
isolation zones, the update may result in localized disruption to traffic on
ports associated with the traffic isolation zone changes.
Do you want to enable 'USA_cfg' configuration (yes, y, no, n): [no] y
zone config "USA_cfg" is in effect
Updating flash ...
Disabling a zone configuration
When you disable the current zone configuration, the fabric returns to non-zoning mode. All devices
can then access each other or not, depending on the default zone access mode setting.
NOTE
If the default zoning mode is set to All Access and more than 120 devices are connected to the
fabric, you cannot disable the zone configuration because this would enable All Access mode and
cause a large number of requests to the switch. In this situation, set the default zoning mode to
No Access prior to disabling the zone configuration. See “Default zoning mode” on page 326 for
information about setting this mode to No Access.
The following procedure ends and commits the current zoning transaction buffer to nonvolatile
memory. If a transaction is open on a different switch in the fabric when this procedure is run, the
transaction on the other switch is automatically aborted. A message displays on the other switches
to indicate that the transaction was aborted.
Use the following procedure to disable a zone configuration:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the cfgDisable command, using the following syntax:
cfgdisable
3. Enter y at the prompt.
Example
switch:admin> cfgdisable
You are about to disable zoning configuration. This action will disable any
previous zoning configuration enabled.
Do you want to disable zoning configuration? (yes, y, no, n): [no] y
330
Fabric OS Administrator’s Guide
53-1002745-02
Zone configurations
11
Deleting a zone configuration
Use the following procedure to delete a zone configuration:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the cfgDelete command, using the following syntax:
cfgdelete "cfgname"
3. Enter the cfgSave command to save the change to the defined configuration.
The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile
memory. If a transaction is open on a different switch in the fabric when this command is run,
the transaction on the other switch is automatically aborted. A message displays on the other
switches to indicate that the transaction was aborted.
Example
switch:admin> cfgdelete "testcfg"
switch:admin> cfgsave
You are about to save the Defined zoning configuration. This action will only
save the changes on Defined configuration.
Do you want to save Defined zoning configuration only? (yes, y, no, n): [no] y
Abandoning zone configuration changes
• Enter the cfgTransAbort command.
When this command is executed, all changes since the last save operation (performed with the
cfgSave, cfgEnable, or cfgDisable command) are cleared.
Example assuming that the removal of a member from zone1 was done in error
switch:admin> zoneremove "zone1","3,5"
switch:admin> cfgtransabort
Viewing all zone configuration information
If you do not specify an operand when executing the cfgShow command to view zone configurations,
then all zone configuration information (both defined and effective) displays. If there is an
outstanding transaction, then the newly edited zone configuration that has not yet been saved is
displayed. If there are no outstanding transactions, then the committed zone configuration displays.
Use the following procedure to view all zone configuration information:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the cfgShow command with no operands.
Example
switch:admin> cfgshow
Defined configuration:
cfg:
USA1
Blue_zone
cfg:
USA_cfg Purple_zone; Blue_zone
zone: Blue_zone
1,1; array1; 1,2; array2
zone: Purple_zone
1,0; loop1
Fabric OS Administrator’s Guide
53-1002745-02
331
11
Zone configurations
alias: array1
alias: array2
alias: loop1
21:00:00:20:37:0c:76:8c; 21:00:00:20:37:0c:71:02
21:00:00:20:37:0c:76:22; 21:00:00:20:37:0c:76:28
21:00:00:20:37:0c:76:85; 21:00:00:20:37:0c:71:df
Effective configuration:
cfg:
USA_cfg
zone: Blue_zone
1,1
21:00:00:20:37:0c:76:8c
21:00:00:20:37:0c:71:02
1,2
21:00:00:20:37:0c:76:22
21:00:00:20:37:0c:76:28
zone: Purple_zone
1,0
21:00:00:20:37:0c:76:85
21:00:00:20:37:0c:71:df
Viewing selected zone configuration information
Use the following procedure to view the selected zone configuration information:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the cfgShow command and specify a pattern.
cfgshow "pattern"[, mode]
Example Displaying all zone configurations that start with “Test”
switch:admin> cfgshow "Test*"
cfg:
Test1
Blue_zone
cfg:
Test_cfg Purple_zone; Blue_zone
Viewing the configuration in the effective zone database
Use the following procedure to view the configuration in the effective zone database:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the cfgActvShow command.
Example
switch:admin> cfgactvshow
Effective configuration:
cfg:
NEW_cfg
zone: Blue_zone
1,1
21:00:00:20:37:0c:76:8c
21:00:00:20:37:0c:71:02
1,2
21:00:00:20:37:0c:76:22
21:00:00:20:37:0c:76:28
zone: Purple_zone
1,0
21:00:00:20:37:0c:76:85
21:00:00:20:37:0c:71:df
332
Fabric OS Administrator’s Guide
53-1002745-02
Zone object maintenance
11
Clearing all zone configurations
Use the following procedure to clear all zone configurations:
1. Connect to the switch and log in using an account with admin permissions.
2. Use cfgClear to clear all zone information in the transaction buffer.
ATTENTION
Be careful using the cfgClear command because it deletes the defined configuration.
switch:admin> cfgclear
The Clear All action will clear all Aliases, Zones, FA Zones and configurations
in the Defined configuration.
Run cfgSave to commit the transaction or cfgTransAbort to cancel the transaction.
Do you really want to clear all configurations? (yes, y, no, n): [no]
3. Enter one of the following commands, depending on whether an effective zone configuration
exists:
• If no effective zone configuration exists, use the cfgSave command.
• If an effective zone configuration exists, use the cfgDisable command to disable and clear
the zone configuration in nonvolatile memory for all switches in the fabric.
Zone object maintenance
The following procedures describe how to copy, delete, and rename zone objects. Depending on
the operation, a zone object can be a zone member, a zone alias, a zone, or a zone configuration.
Copying a zone object
When you copy a zone object, the resulting object has the same name as the original. The zone
object can be a zone configuration, a zone alias, or a zone.
Use the following procedure to copy a zone object:
1. Connect to the switch and log in using an account with admin permissions.
2. Use cfgShow to view the zone configuration objects you want to copy.
cfgshow "pattern"[, mode]
For example, to display all zone configuration objects that start with “Test”:
switch:admin> cfgshow "Test*"
cfg:
Test1
Blue_zone
cfg:
Test_cfg Purple_zone; Blue_zone
3. Use zone --copy specifying the zone objects you want to copy along with the new object name.
NOTE
Zone configuration names are case-sensitive, blank spaces are ignored, and the zone --copy
command works in any Admin Domain except AD255.
switch:admin> zone --copy Test1 US_Test1
Fabric OS Administrator’s Guide
53-1002745-02
333
11
Zone object maintenance
4. Enter the cfgShow command to verify the new zone object is present.
switch:admin> cfgshow "Test*"
cfg:
Test1
Blue_zone
cfg:
Test_cfg Purple_zone; Blue_zone
switch:admin> cfgShow "US_Test1"
cfg:
US_Test1 Blue_zone
5. If you want the change preserved when the switch reboots, use cfgSave to save it to nonvolatile
(flash) memory.
6. Use cfgEnable for the appropriate zone configuration to make the change effective.
Deleting a zone object
The following procedure removes all references to a zone object and then deletes the zone object.
The zone object can be a zone member, a zone alias, or a zone.
Use the following procedure to delete a zone object:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the cfgShow command to view the zone configuration objects you want to delete.
switch:admin> cfgShow
Defined configuration:
cfg: USA_cfg Purple_zone; White_zone;
zone: Blue_zone
1,1; array1; 1,2; array2
zone: Purple_zone
1,0; loop1
zone: White_zone
1,3; 1,4
alias: array1 21:00:00:20:37:0c:76:8c;
alias: array2 21:00:00:20:37:0c:76:22;
alias: loop1
21:00:00:20:37:0c:76:85;
Blue_zone
21:00:00:20:37:0c:71:02
21:00:00:20:37:0c:76:28
21:00:00:20:37:0c:71:df
Effective configuration:
cfg: USA_cfg
zone: Blue_zone
1,1
21:00:00:20:37:0c:76:8c
21:00:00:20:37:0c:71:02
1,2
21:00:00:20:37:0c:76:22
21:00:00:20:37:0c:76:28
zone: Purple_zone
1,0
21:00:00:20:37:0c:76:85
21:00:00:20:37:0c:71:df
3. Use zone --expunge to delete the zone object.
NOTE
Zone configuration names are case-sensitive, blank spaces are ignored and the
zone --expunge command works in any Admin Domain except AD255.
switch:admin> zone --expunge "White_zone"
334
Fabric OS Administrator’s Guide
53-1002745-02
Zone object maintenance
11
You are about to expunge one configuration or member. This action could result
in removing many zoning configurations recursively. [Removing the last member
of a configuration removes the configuration.]
Do you want to expunge the member? (yes, y, no, n): [no] yes
4. Enter yes at the prompt.
5. Use cfgShow to verify the deleted zone object is no longer present.
6. If you want the change preserved when the switch reboots, use cfgSave to save it to nonvolatile
(flash) memory.
7.
Use cfgEnable for the appropriate zone configuration to make the change effective.
Renaming a zone object
Use the following procedure to rename a zone object:
1. Connect to the switch and log in using an account with admin permissions.
2. Use cfgShow to view the zone configuration objects you want to rename.
switch:admin> cfgShow
Defined configuration:
cfg: USA_cfg Purple_zone; White_zone; Blue_zone
zone: Blue_zone
1,1; array1; 1,2; array2
zone: Purple_zone
1,0; loop1
zone: White_zone
1,3; 1,4
alias: array1 21:00:00:20:37:0c:76:8c; 21:00:00:20:37:0c:71:02
alias: array2 21:00:00:20:37:0c:76:22; 21:00:00:20:37:0c:76:28
alias: loop1
21:00:00:20:37:0c:76:85; 21:00:00:20:37:0c:71:df
3. Use zoneObjectRename to rename zone configuration objects.
NOTE
Zone configuration names are case-sensitive, blank spaces are ignored, and the
zoneObjectRename command works in any Admin Domain except AD255.
switch:admin> zoneObjectRename "White_zone", "Purple_zone"
4. Enter the cfgShow command to verify the renamed zone object is present.
5. If you want the change preserved when the switch reboots, enter the cfgSave command to
save it to nonvolatile (flash) memory.
6. Enter the cfgEnable command for the appropriate zone configuration to make the change
effective.
Fabric OS Administrator’s Guide
53-1002745-02
335
11
Zone configuration management
Zone configuration management
You can add, delete, or remove individual elements in an existing zone configuration to create an
appropriate configuration for your SAN environment. After the changes have been made, save the
configuration to ensure the configuration is permanently saved in the switch and that the
configuration is replicated throughout the fabric.
The switch configuration file can also be uploaded to the host for archiving and it can be
downloaded from the host to a switch in the fabric. See “Configuration file backup” on page 244,
“Configuration file restoration” on page 246, or the configUpload and configDownload commands
in the Fabric OS Command Reference for additional information on uploading and downloading the
configuration file.
Security and zoning
Zones provide controlled access to fabric segments and establish barriers between operating
environments. They isolate systems with different uses, protecting individual systems in a
heterogeneous environment; for example, when zoning is in secure mode, no merge operations
occur.
Brocade Advanced Zoning is configured on the primary fabric configuration server (FCS). The
primary FCS switch makes zoning changes and other security-related changes. The primary FCS
switch also distributes zoning to all other switches in the secure fabric. All existing interfaces can
be used to administer zoning.
You must perform zone management operations from the primary FCS switch using a zone
management interface, such as Telnet or Web Tools. You can alter a zone database, provided you
are connected to the primary FCS switch.
When two secure fabrics join, the traditional zone merge does not occur. Instead, a zone database
is downloaded from the primary FCS switch of the merged secure fabric. When E_Ports are active
between two switches, the name of the FCS server and a zoning policy set version identifier are
exchanged between the switches. If the views of the two secure fabrics are the same, the fabric’s
primary FCS server downloads the zone database and security policy sets to each switch in the
fabric. If there is a view conflict, the E_Ports are segmented due to incompatible security data.
All zones should use frame-based hardware enforcement; the best way to do this is to use WWN
identification exclusively for all zoning configurations.
Zone merging
When a new switch is added to the fabric, it automatically takes on the zone configuration
information from the fabric. You can verify the zone configuration on the switch using the procedure
described in “Viewing the configuration in the effective zone database” on page 332.
If you are adding a switch that is already configured for zoning, clear the zone configuration on that
switch before connecting it to the zoned fabric. See “Clearing all zone configurations” on page 333
for instructions.
336
Fabric OS Administrator’s Guide
53-1002745-02
Zone merging
11
Adding a new fabric that has no zone configuration information to an existing fabric is very similar
to adding a new switch. All switches in the new fabric inherit the zone configuration data. If the
existing fabric has an effective zone configuration, then the same configuration becomes the
effective configuration for the new switches.
Before the new fabric can merge successfully, it must pass the following criteria:
• Before merging
To facilitate merging, check the following before merging switches or fabrics:
-
Default Zone: The switches must adhere to the default zone merge rules, as described in
“Zone merging scenarios” on page 339.
-
Effective and defined zone configuration match: Ensure that the effective and defined
zone configurations match. If they do not match, and you merge with another switch, the
merge might be successful, but unpredictable zoning and routing behavior can occur.
• Merging and segmentation
The fabric is checked for segmentation during power-up, when a switch is disabled or enabled,
or when a new switch is added.
The zone configuration database is stored in nonvolatile memory by the cfgSave command. All
switches in the fabric have a copy of this database. When a change is made to the defined
configuration, the switch where the changes were made must close its transaction for the
change to be propagated throughout the fabric.
If you have implemented default zoning you must set the switch you are adding into the fabric
to the same default zone mode setting as the rest of the fabric to avoid segmentation.
• Merging rules
Observe these rules when merging zones:
-
Local and adjacent configurations: If the local and adjacent zone database configurations
are the same, they will remain unchanged after the merge.
-
Effective configurations: If there is an effective configuration between two switches, the
effective zone configurations must match.
-
Zone object naming: If a zoning object has the same name in both the local and adjacent
defined configurations, the object types and member lists must match. When comparing
member lists, the content and order of the members are important.
-
Objects in adjacent configurations: If a zoning object appears in an adjacent defined
configuration, but not in the local defined configuration, the zoning object is added to the
local defined configuration. The modified zone database must fit in the nonvolatile
memory area allotted for the zone database.
-
Local configuration modification: If a local defined configuration is modified because of a
merge, the new zone database is propagated to other the switches within the merge
request.
-
TI zones: If there is an effective configuration between two switches and TI zones are
present on either switch, the TI zones are not automatically activated after the merge.
Check the TI zone enabled status using the zone --show command and if the status does
not match across switches, issue the cfgenable command.
Fabric OS Administrator’s Guide
53-1002745-02
337
11
Zone merging
• Merging two fabrics
Both fabrics have identical zones and configurations enabled, including the default zone
mode. The two fabrics will join to make one larger fabric with the same zone configuration
across the newly created fabric.
If the two fabrics have different zone configurations, they will not be merged. If the two fabrics
cannot join, the ISL between the switches will segment.
• Merge conflicts
When a merge conflict is present, a merge will not take place and the ISL will segment. Use the
switchShow or errDump commands to obtain additional information about possible merge
conflicts, because many non-zone related configuration parameters can cause conflicts. See
the Fabric OS Command Reference for detailed information about these commands.
If the fabrics have different zone configuration data, the system attempts to merge the two
sets of zone configuration data. If the zones cannot merge, the ISL will be segmented.
A merge is not possible if any of the following conditions exist:
-
Configuration mismatch: Zoning is enabled in both fabrics and the zone configurations
that are enabled are different in each fabric.
-
Type mismatch: The name of a zone object in one fabric is used for a different type of zone
object in the other fabric.
-
Content mismatch: The definition of a zone object in one fabric is different from the
definition of zone object with the same name in the other fabric.
-
Zone Database Size: If the zone database size exceeds the maximum limit of another
switch.
NOTE
If the zoneset members on two switches are not listed in the same order, the configuration is
considered a mismatch, resulting in the switches being segmented from the fabric. For
example: cfg1 = z1; z2 is different from cfg1 = z2; z1, even though members of the
configuration are the same. If zoneset members on two switches have the same names
defined in the configuration, make sure zoneset members are listed in the same order.
Fabric segmentation and zoning
If the connections between two fabrics are no longer available, the fabric segments into two
separate fabrics. Each new fabric retains the same zone configuration.
If the connections between two fabrics are replaced and no changes have been made to the zone
configuration in either of the two fabrics, then the two fabrics merge back into one single fabric. If
any changes that cause a conflict have been made to either zone configuration, then the fabrics
might segment.
338
Fabric OS Administrator’s Guide
53-1002745-02
Zone merging
11
Zone merging scenarios
The following tables provide information on merging zones and the expected results.
•
•
•
•
•
•
TABLE 55
Table 55 on page 339: Defined and effective configurations
Table 56 on page 340: Different content
Table 57 on page 340: Different names
Table 58 on page 341: TI zones
Table 59 on page 341: Default access mode
Table 60 on page 342: Mixed Fabric OS versions
Zone merging scenarios: Defined and effective configurations
Description
Switch A
Switch B
Expected results
Switch A has a defined configuration.
Switch B does not have a defined
configuration.
defined:
cfg1:
zone1: ali1; ali2
effective: none
defined: none
effective: none
Configuration from Switch A to propagate
throughout the fabric in an inactive state,
because the configuration is not enabled.
Switch A has a defined and effective
configuration.
Switch B has a defined configuration
but no effective configuration.
defined: cfg1
zone1: ali1; ali2
effective: cfg1:
defined: cfg1
zone1: ali1; ali2
effective: none
Configuration from Switch A to propagate
throughout the fabric. The configuration is
enabled after the merge in the fabric.
Switch A and Switch B have the same
defined configuration. Neither have an
effective configuration.
defined: cfg1
zone1: ali1; ali2
effective: none
defined: cfg1
zone1: ali1; ali2
effective: none
No change (clean merge).
Switch A and Switch B have the same
defined and effective configuration.
defined: cfg1
zone1: ali1; ali2
effective: cfg1:
defined: cfg1
zone1: ali1; ali2
effective: cfg1:
No change (clean merge).
Switch A does not have a defined
configuration.
Switch B has a defined configuration.
defined: none
effective: none
defined:cfg1
zone1: ali1; ali2
effective: none
Switch A will absorb the configuration from the
fabric.
Switch A does not have a defined
configuration.
Switch B has a defined configuration.
defined: none
effective: none
defined:cfg1
zone1: ali1; ali2
effective: cfg1
Switch A will absorb the configuration from the
fabric, with cfg1 as the effective configuration.
Switch A and Switch B have the same
defined configuration. Only Switch B
has an effective configuration.
defined: cfg1
zone1: ali1; ali2
effective: none
defined: cfg1
zone1: ali1; ali2
effective: cfg1
Clean merge, with cfg1 as the effective
configuration.
Switch A and Switch B have different
defined configurations. Neither have an
enabled zone configuration.
defined: cfg2
zone2: ali3; ali4
effective: none
defined: cfg1
zone1: ali1; ali2
effective: none
Clean merge. The new configuration will be a
composite of the two.
defined: cfg1
zone1: ali1; ali2
cfg2:
zone2: ali3; ali4
effective: none
Fabric OS Administrator’s Guide
53-1002745-02
339
11
Zone merging
TABLE 55
Zone merging scenarios: Defined and effective configurations (Continued)
Description
Switch A
Switch B
Expected results
Switch A and Switch B have different
defined configurations. Switch B has an
effective configuration.
defined: cfg2
zone2: ali3; ali4
effective: none
defined: cfg1
zone1: ali1; ali2
effective: cfg1
Clean merge. The new configuration will be a
composite of the two, with cfg1 as the
effective configuration.
Switch A does not have a defined
configuration.
Switch B has a defined configuration
and an effective configuration, but the
effective configuration is different from
the defined configuration.
defined: none
effective: none
defined: cfg1
zone1: ali1; ali2
effective: cfg1
zone1: ali1; ali2
zone2: ali3, ali4
Clean merge. Switch A absorbs the defined
configuration from the fabric, with cfg1 as the
effective configuration.
In this case, however, the effective
configurations for Switch A and Switch B are
different. You should issue a cfgenable from
the switch with the proper effective
configuration.
TABLE 56
Zone merging scenarios: Different content
Description
Switch A
Switch B
Expected results
Effective configuration mismatch.
defined: cfg1
zone1: ali1; ali2
effective: cfg1
zone1: ali1; ali2
defined: cfg2
zone2: ali3; ali4
effective: cfg2
zone2: ali3; ali4
Fabric segments due to: Zone Conflict cfg
mismatch
Configuration content mismatch.
defined: cfg1
zone1: ali1; ali2
effective: irrelevant
defined: cfg1
zone1: ali3; ali4
effective: irrelevant
Fabric segments due to: Zone Conflict content
mismatch
TABLE 57
Zone merging scenarios: Different names
Description
Switch A
Switch B
Expected results
Same content, different effective cfg
name.
defined: cfg1
zone1: ali1; ali2
effective: cfg1
zone1: ali1; ali2
defined:cfg2
zone1: ali1; ali2
effective: cfg2
zone1: ali1; ali2
Fabric segments due to: Zone Conflict cfg
mismatch
Same content, different zone name.
defined: cfg1
zone1: ali1; ali2
effective: irrelevant
defined: cfg1
zone2: ali1; ali2
effective: irrelevant
Fabric segments due to: Zone Conflict content
mismatch
Same content, different alias name.
defined: cfg1
ali1: A; B
effective: irrelevant
defined:cfg1
ali2: A; B
effective: irrelevant
Fabric segments due to: Zone Conflict content
mismatch
Same alias name, same content,
different order.
defined: cfg1
ali1: A; B; C
effective: irrelevant
defined: cfg1
ali1: B; C; A
effective: irrelevant
Fabric segments due to: Zone Conflict content
mismatch
Same name, different types.
effective: zone1:
MARKETING
effective: cfg1:
MARKETING
Fabric segments due to: Zone Conflict type
mismatch
Same name, different types.
effective: zone1:
MARKETING
effective: alias1:
MARKETING
Fabric segments due to: Zone Conflict type
mismatch
Same name, different types.
effective: cfg1:
MARKETING
effective: alias1:
MARKETING
Fabric segments due to: Zone Conflict type
mismatch
340
Fabric OS Administrator’s Guide
53-1002745-02
Zone merging
TABLE 58
11
Zone merging scenarios: TI zones
Description
Switch A
Switch B
Expected results
Switch A does not have Traffic Isolation
(TI) zones.
Switch B has TI zones.
defined: cfg1
effective: cfg1
defined: cfg1
TI_zone1
effective: cfg1
Clean merge. TI zones are not automatically
activated after the merge.
Switch A has TI zones.
Switch B has identical TI zones.
defined: cfg1
TI_zone1
effective: cfg1
defined: cfg1
TI_zone1
effective: cfg1
Clean merge. TI zones are not automatically
activated after the merge.
Switch A has a TI zone.
Switch B has a different TI zone.
defined: cfg1
TI_zone1
defined: cfg1
TI_zone2
Fabric segments due to: Zone Conflict cfg
mismatch. Cannot merge switches with
different TI zone configurations.
Switch A has Enhanced TI zones.
Switch B is running Fabric OS v6.4.0 or
later.
defined: cfg1
TI_zone1
TI_zone2
defined: none
Clean merge. TI zones are not automatically
activated after the merge.
Switch A has Enhanced TI zones.
Switch B is running a Fabric OS version
earlier than v6.4.0.
defined: cfg1
TI_zone1
TI_zone2
defined: none
Fabric segments because all switches in the
fabric must be running Fabric OS v6.4.0 or
later to support Enhanced TI zones.
TABLE 59
Zone merging scenarios: Default access mode
Description
Switch A
Switch B
Expected results
Different default zone access mode
settings.
defzone: allaccess
defzone: noaccess
Clean merge — noaccess takes precedence
and defzone configuration from Switch B
propagates to fabric.
defzone: noaccess
Same default zone access mode
settings.
defzone: allaccess
defzone: allaccess
Clean merge — defzone configuration is
allaccess in the fabric.
Same default zone access mode
settings.
defzone: noaccess
defzone: noaccess
Clean merge — defzone configuration is
noaccess in the fabric.
Effective zone configuration.
No effective
configuration.
defzone = allaccess
effective: cfg2
defzone: allaccess or
noaccess
Clean merge — effective zone configuration
and defzone mode from Switch B propagates
to fabric.
Effective zone configuration.
No effective
configuration.
defzone = noaccess
effective: cfg2
defzone: allaccess
Fabric segments because Switch A has a
hidden zone configuration (no access)
activated and Switch B has an explicit zone
configuration activated.
Effective zone configuration
effective: cfg1
defzone: noaccess
No effective
configuration.
defzone: noaccess
Clean merge — effective zone configuration
from Switch A propagates to fabric.
Effective zone configuration
effective: cfg1
defzone: allaccess
No effective
configuration.
defzone: noaccess
Fabric segments. You can resolve the zone
conflict by changing defzone to noaccess on
Switch 1.
Fabric OS Administrator’s Guide
53-1002745-02
341
11
Concurrent zone transactions
TABLE 60
Zone merging scenarios: Mixed Fabric OS versions
Description
Switch A
Switch B
Expected results
Switch A is running Fabric OS 7.0.0 or
later.
Switch B is running a Fabric OS version
earlier than 7.0.0.
effective: cfg1
defzone = allaccess
No effective
configuration.
defzone - noaccess
Fabric segments due to zone conflict.
Switch A is running Fabric OS 7.0.0 or
later.
Switch B is running a Fabric OS version
earlier than 7.0.0.
No effective
configuration.
defzone = noaccess
effective: cfg2
defzone - allaccess
Fabric segments due to zone conflict.
NOTE
When merging mixed versions of Fabric OS where both sides have default zone mode No Access set,
the merge results vary depending on which switch initiates the merge.
Concurrent zone transactions
While working on zone sets, a special work space is provided to allow you to manipulate the zone
sets of your choice. These changes are not put into effect until they are committed to the database.
Once they are committed, they will replace the existing active zone sets with the new zone sets or
create more zone sets in the defined database. When updates to the zoning database are being
made by multiple users, Fabric OS will warn you about the situation and allows you to choose which
operation will prevail.
Example of how users are warned if there is already a pending zoning transaction in the fabric
u30:FID128:admin> zonecreate z2, "2,3"
WARNING!!
Multiple open transactions are pending in this fabric. Only one
transaction can be saved. Please abort all unwanted transactions
using the cfgtransabort command. Use the cfgtransshow --opentrans
command to display a list of domains with open transactions
If no other transaction is open in this fabric, no message is shown.
Example of what is shown if there is not a pending zoning transaction in the fabric
sw0:FID128:admin> zonecreate z7, "4,5;10,3"
sw0:FID128:admin>
Similarly for cfgSave and cfgEnable:
u30:FID128:admin> cfgenable cfg
You are about to enable a new zoning configuration.
This action will replace the old zoning configuration with the
current configuration selected. If the update includes changes
to one or more traffic isolation zones, the update may result in
localized disruption to traffic on ports associated with
the traffic isolation zone changes
Multiple open transactions are pending in this fabric. Only one
transaction can be saved. Please abort all unwanted transactions
using the cfgtransabort command. Use the cfgtransshow --opentrans
command to display a list of domains with open transactions
Do you want to enable 'cfg' configuration (yes, y, no, n): [no]
342
Fabric OS Administrator’s Guide
53-1002745-02
Concurrent zone transactions
11
u30:FID128:admin> cfgsave
You are about to save the Defined zoning configuration.
This action will only save the changes on Defined configuration.
Multiple open transactions are pending in this fabric. Only one
transaction can be saved. Please abort all unwanted transactions
using the cfgtransabort command. Use the cfgtransshow --opentrans
command to display a list of domains with open transactions
Do you want to save the Defined zoning configuration only?
(yes, y, no, n): [no] n
Viewing zone database transactions
You can use the cfgTransShow command to list all the domains in the fabric with open transactions
Syntax:
cfgTransShow [ |–-opentrans | --help]
Sample output:
switch:admin> cfgtransshow
Current transaction token is 0x571010459
It is abortable
switch:admin> cfgtransshow --help
Usage:
cfgTransShow : Displays local open transaction token details
cfgTransShow --openTrans : Displays list of Domains with Open Transactions
cfgTransShow --help : Help
switch:admin> cfgtransshow --opentrans
Current transaction token is 0x3109
It is abortable
Transactions Detect: Capable
Current Open Transactions
Domain List:
-----------1 2 3 4
Fabric OS Administrator’s Guide
53-1002745-02
343
11
344
Concurrent zone transactions
Fabric OS Administrator’s Guide
53-1002745-02
Chapter
12
Traffic Isolation Zoning
In this chapter
• Traffic Isolation Zoning overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Enhanced TI zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Traffic Isolation Zoning over FC routers . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• General rules for TI zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Supported configurations for Traffic Isolation Zoning. . . . . . . . . . . . . . . . .
• Limitations and restrictions of Traffic Isolation Zoning. . . . . . . . . . . . . . . .
• Admin Domain considerations for Traffic Isolation Zoning. . . . . . . . . . . . .
• Virtual Fabrics considerations for Traffic Isolation Zoning . . . . . . . . . . . . .
• Traffic Isolation Zoning over FC routers with Virtual Fabrics . . . . . . . . . . .
• Creating a TI zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Modifying TI zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Changing the state of a TI zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Deleting a TI zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Displaying TI zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Troubleshooting TI zone routing problems. . . . . . . . . . . . . . . . . . . . . . . . . .
• Setting up TI over FCR (sample procedure) . . . . . . . . . . . . . . . . . . . . . . . . .
345
350
352
356
358
359
360
361
363
364
367
368
369
369
370
371
Traffic Isolation Zoning overview
The Traffic Isolation Zoning feature allows you to control the flow of interswitch traffic by creating a
dedicated path for traffic flowing from a specific set of source ports (N_Ports). For example, you
might use Traffic Isolation Zoning for the following scenarios:
• To dedicate an ISL to high priority, host-to-target traffic.
• To force high volume, low priority traffic onto a given ISL to limit the effect on the fabric of this
high traffic pattern.
• To ensure that requests and responses of FCIP-based applications such as tape pipelining use
the same VE_Port tunnel across a metaSAN.
Traffic Isolation Zoning does not require a license.
Traffic isolation is implemented using a special zone, called a Traffic Isolation zone (TI zone).
A TI zone indicates the set of N_Ports and E_Ports to be used for a specific traffic flow. When a
TI zone is activated, the fabric attempts to isolate all inter-switch traffic entering from a member
of the zone to only those E_Ports that have been included in the zone. The fabric also attempts to
exclude traffic not in the TI zone from using E_Ports within that TI zone.
Fabric OS Administrator’s Guide
53-1002745-02
345
12
Traffic Isolation Zoning overview
Figure 31 shows a fabric with a TI zone consisting of the following:
• N_Ports:
• E_Ports:
“1,7”, “1,8”, “4,5”, and “4,6”
“1,1”, “3,9”, “3,12”, and “4,7”
The dotted line indicates the dedicated path between the initiator in Domain 1 to the target in
Domain 4.
Domain 1
Domain 3
7
8
9
1
9
2
10
12
7
6
5
= Dedicated Path
4
= Ports in the TI zone
Domain 4
FIGURE 31
Traffic Isolation zone creating a dedicated path through the fabric
In Figure 31, all traffic entering Domain 1 from N_Ports 7 and 8 is routed through E_Port 1.
Similarly, traffic entering Domain 3 from E_Port 9 is routed to E_Port 12, and traffic entering
Domain 4 from E_Port 7 is routed to the devices through N_Ports 5 and 6. Traffic coming from
other ports in Domain 1 would not use E_Port 1, but would use E_Port 2 instead.
Use the zone command to create and manage TI zones. Refer to the Fabric OS Command
Reference for details about the zone command.
TI zone failover
A TI zone can have failover enabled or disabled.
Disable failover if you want to guarantee that TI zone traffic uses only the dedicated path, and that
no other traffic can use the dedicated path.
Enable failover if you want traffic to have alternate routes if either the dedicated or non-dedicated
paths cannot be used.
ATTENTION
If failover is disabled, use care when planning your TI zones so that non-TI zone devices are not
isolated. If this feature is not used correctly, it can cause major fabric disruptions that are difficult
to resolve. See “Additional considerations when disabling failover” on page 347 for additional
information about using this feature.
Table 61 compares the behavior of traffic when failover is enabled and disabled.
346
Fabric OS Administrator’s Guide
53-1002745-02
Traffic Isolation Zoning overview
TABLE 61
12
Traffic behavior when failover is enabled or disabled in TI zones
Failover enabled
Failover disabled
If the dedicated path is not the shortest path or if the
dedicated path is broken, the TI zone traffic will use a
non-dedicated path instead.
If the dedicated path is not the shortest path or if the
dedicated path is broken, traffic for that TI zone is
halted until the dedicated path is fixed.
Non-TI zone traffic will use the dedicated path if no
other paths through the fabric exist, or if the
non-dedicated paths are not the shortest paths.
Non-TI zone traffic will never use the dedicated path,
even if the dedicated path is the shortest path or if
there are no other paths through the fabric.
For example, in Figure 31 on page 346, if the dedicated ISL between Domain 1 and Domain 3 goes
offline, then the following occurs, depending on the failover option:
• If failover is disabled for the TI zone, the TI zone traffic is halted until the ISL between
Domain 1 and Domain 3 is back online.
• If failover is enabled for the TI zone, the TI zone traffic is routed from Domain 1 to Domain 3
through E_Ports “1,2” and “3,10”.
NOTE
When TI zone traffic enters the non-TI path, the TI zone traffic continues to flow through that
path. In this example, when the TI zone traffic is routed through E_Ports “1,2” and “3,10”, that
traffic continues through the non-TI path between domains 3 and 4, even though the TI path
between domains 3 and 4 is not broken.
If the non-dedicated ISL between Domain 1 and Domain 3 goes offline, then the following occurs,
depending on the failover option:
• If failover is disabled for the TI zone, non-TI zone traffic is halted until the non-dedicated ISL
between Domain 1 and Domain 3 is back online.
• If failover is enabled for the TI zone, non-TI zone traffic is routed from Domain 1 to Domain 3
through the dedicated ISL.
NOTE
When non-TI zone traffic enters the TI path, the non-TI zone traffic continues to flow through
that path. In this example, when the non-TI zone traffic is routed through E_Ports “1,1” and
“3,9”, that traffic continues through E_Ports “3,12” and “4,7”, even though the non-dedicated
ISL between domains 3 and 4 is not broken.
Additional considerations when disabling failover
If failover is disabled, be aware of the following considerations:
• This feature is intended for use in simple linear fabric configurations, such as that shown in
Figure 31 on page 346.
• Ensure that there are non-dedicated paths through the fabric for all devices that are not in a TI
zone.
• If you create a TI zone with just E_Ports, failover must be enabled. If failover is disabled, the
specified ISLs will not be able to route any traffic.
• If the path between devices in a TI zone is broken, no inter-switch RSCNs are generated. Each
switch that is part of the TI zone generates RSCNs to locally attached devices that are part of
the TI zone and are registered to receive RSCNs.
Fabric OS Administrator’s Guide
53-1002745-02
347
12
Traffic Isolation Zoning overview
• Ensure that there are multiple paths between switches.
Disabling failover locks the specified route so that only TI zone traffic can use it. Non-TI zone
traffic is excluded from using the dedicated path.
• You should enable failover-enabled TI zones before enabling failover-disabled TI zones, to avoid
dropped frames.
When you issue the cfgEnable command to enable the zone configuration, if you have failover
disabled zones, do the following:
1. Temporarily change failover-disabled TI zones to failover-enabled.
2. Enable the zones (cfgEnable).
3. Reset all the zones you changed in step 1 to failover-disabled.
4. Enable the zones again (cfgEnable).
These steps are listed in the procedures in this section.
• It is recommended that TI zone definitions and regular zone definitions match.
• Domain controller frames can use any path between switches. Disabling failover does not
affect Domain Controller connectivity.
For example, in Figure 32, if failover is disabled, Domain 2 can continue to send domain
controller frames to Domain 3 and 4, even though the path between Domain 1 and Domain 3
is a dedicated path. Domain controller frames include zone updates and name server queries.
Domain 1
8
Domain 3
1
9
9
12
3
15
7
6
= Dedicated Path
= Ports in the TI zone
5
Domain 2
FIGURE 32
Domain 4
Fabric incorrectly configured for TI zone with failover disabled
• It is recommended that the insistent Domain ID feature be enabled; if a switch changes its
active domain ID, the route is broken. See the configure command in the Fabric OS Command
Reference for information about setting insistent Domain ID.
348
Fabric OS Administrator’s Guide
53-1002745-02
Traffic Isolation Zoning overview
12
FSPF routing rules and traffic isolation
All traffic must use the lowest cost path. FSPF routing rules take precedence over the TI zones, as
described in the following situations.
If the dedicated ISL is not the lowest cost path ISL, then the following rules apply:
• If failover is enabled, the traffic path for the TI zone is broken, and TI zone traffic uses the
lowest cost path instead.
• If failover is disabled, the TI zone traffic is blocked.
If the dedicated ISL is the only lowest cost path ISL, then the following rules apply:
• If failover is enabled, non-TI zone traffic as well as TI zone traffic uses the dedicated ISL.
• If failover is disabled, non-TI zone traffic is blocked because it cannot use the dedicated ISL,
which is the lowest cost path.
For example, in Figure 33, there is a dedicated path between Domain 1 and Domain 3, and
another, non-dedicated, path that passes through Domain 2. If failover is enabled, all traffic will
use the dedicated path, because the non-dedicated path is not the shortest path. If failover is
disabled, non-TI zone traffic is blocked because the non-dedicated path is not the shortest path.
Domain 1
8
Domain 3
1
9
9
14
12
3
15
7
16
= Dedicated Path
= Ports in the TI zone
6
5
Domain 2
FIGURE 33
Domain 4
Dedicated path is the only shortest path
In Figure 34 on page 350, a dedicated path between Domain 1 and Domain 4 exists, but is not the
shortest path. In this situation, if failover is enabled, the TI zone traffic uses the shortest path, even
though the E_Ports are not in the TI zone. If failover is disabled, the TI zone traffic stops until the
dedicated path is configured to be the shortest path.
Fabric OS Administrator’s Guide
53-1002745-02
349
12
Enhanced TI zones
Domain 1
8
Domain 3
1
9
9
14
12
3
15
7
16
6
= Dedicated Path
= Ports in the TI zone
5
Domain 4
Domain 2
FIGURE 34
Dedicated path is not the shortest path
NOTE
For information about setting or displaying the FSPF cost of a path, see the linkCost and
topologyShow commands in the Fabric OS Command Reference.
Enhanced TI zones
In Fabric OS v6.4.0 and later, ports can be in multiple TI zones at the same time. Zones with
overlapping port members are called enhanced TI zones (ETIZ).
Figure 35 shows an example of two TI zones. Because these TI zones have an overlapping port
(3,8), they are enhanced TI zones.
Domain 1
Host 1
Domain 3
2
1
6
Target
8
7
Host 2
2
1
= ETIZ 1
= ETIZ 2
Domain 2
FIGURE 35
Enhanced TI zones
Enhanced TI zones are especially useful in FICON fabrics. See the FICON Administrator’s Guide for
example topologies using enhanced TI zones.
See “Additional configuration rules for enhanced TI zones” on page 358 for more information about
enhanced TI zones.
350
Fabric OS Administrator’s Guide
53-1002745-02
Enhanced TI zones
12
Illegal configurations with enhanced TI zones
When you create TI zones, ensure that all traffic from a port to all destinations on a remote domain
have the same path. Do not create separate paths from a local port to two or more ports on the
same remote domain.
If the TI zones are configured with failover disabled, some traffic will be dropped. If the TI zones are
configured with failover enabled, all traffic will go through, but half of the traffic will be routed
incorrectly according to the TI zone definitions.
A message is sent to the RASlog if a potential error condition is detected in the TI zone
configuration. You can also display a report of existing and potential problems with TI zone
configurations, as described in “Troubleshooting TI zone routing problems” on page 370.
Illegal ETIZ configuration: separate paths from a port to devices on same domain
Figure 36 shows two enhanced TI zones that are configured incorrectly because there are two
paths from a local port (port 8 on Domain 3) to two or more devices on the same remote domain
(ports 1 and 4 on Domain 1).
The TI zones are enhanced TI zones because they have an overlapping member (3,8). Each zone
describes a different path from the Target to Domain 1. Traffic is routed correctly from Host 1 and
Host 2 to the Target; however, traffic from the Target to the Hosts might not be.
Traffic from (3,8) destined for Domain 1 cannot go through both port 6 and port 7, so only one port
is chosen. If port 6 is chosen, frames destined for (1,4) will be dropped at Domain 1. If port 7 is
chosen, frames destined for (1,1) will be dropped.
Host 1
Domain 1
1
4
Domain 3
2
6
3
7
8
= ETIZ 1
= ETIZ 2
Host 2
FIGURE 36
Target
Illegal ETIZ configuration: two paths from one port to two devices on the same remote domain
Illegal ETIZ configuration: separate paths from a single port to the same domain
Figure 37 shows another example of an illegal ETIZ configuration. In this example, the two hosts
are on separate remote domains, but the path to each host goes through the same domain
(Domain 1).
This example contains two enhanced TI zones, with port (3,8) as the overlapping member:
• ETIZ 1 contains (1,1), (1,2), (3,6), (3,8)
• ETIZ 2 contains (2,1), (2,2), (1,4), (1,3), (3,7), (3,8)
Fabric OS Administrator’s Guide
53-1002745-02
351
12
Traffic Isolation Zoning over FC routers
In this example traffic from the Target to Domain 2 is routed correctly. Only one TI zone describes a
path to Domain 2. However, both TI zones describe different, valid paths from the Target to
Domain 1. Only one path will be able to get to (1,1). Traffic from port (3,8) cannot be routed to
Domain 1 over both (3,6) and (3,7), so one port will be chosen. If (3,7) is chosen, frames destined
for (1,1) will be dropped at Domain 1.
Domain 1
Host 1
1
Domain 3
2
6
3
7
Target
8
4
Host 2
2
1
= ETIZ 1
= ETIZ 2
Domain 2
FIGURE 37
Illegal ETIZ configuration: two paths from one port
Traffic Isolation Zoning over FC routers
This section describes how TI zones work with Fibre Channel routing (TI over FCR). See Chapter 24,
“Using FC-FC Routing to Connect Fabrics,” for information about FC routers, phantom switches, and
the FC-FC Routing Service.
Some VE_Port-based features, such as tape pipelining, require the request and corresponding
response traffic to traverse the same VE_Port tunnel across the metaSAN. To ensure that the
request and response traverse the same VE_Port tunnel, you must set up Traffic Isolation zones in
the edge and backbone fabrics.
• Set up a TI zone in an edge fabric to guarantee that traffic from a specific device in that edge
fabric is routed through a particular EX_Port or VEX_Port.
• Set up a TI zone in the backbone fabric to guarantee that traffic between two devices in
different fabrics is routed through a particular ISL (VE_Ports or E_Ports) in the backbone.
This combination of TI zones in the backbone and edge fabrics ensures that the traffic between
devices in different fabrics traverses the same VE_Port tunnel in a backbone fabric. Figure 38
shows how three TI zones form a dedicated path between devices in different edge fabrics.
The backbone fabric can contain one or more FC routers.
352
Fabric OS Administrator’s Guide
53-1002745-02
Traffic Isolation Zoning over FC routers
Edge fabric 1
Backbone
fabric
12
Edge fabric 2
= Dedicated path set up by TI zone in edge fabric 1
= Dedicated path set up by TI zone in edge fabric 2
= Dedicated path set up by TI zone in backbone fabric
FIGURE 38
Traffic Isolation Zoning over FCR
In addition to setting up TI zones, you must also ensure that the devices are in an LSAN zone so
that they can communicate with each other.
If failover is enabled and the TI path is not available, an alternate path is used. If failover is disabled
and the TI path is not available, then devices are not imported.
NOTE
For TI over FCR, all switches in the backbone fabric and in the edge fabrics must be running
Fabric OS v6.1.0 or later.
Fabric OS Administrator’s Guide
53-1002745-02
353
12
Traffic Isolation Zoning over FC routers
TI zones within an edge fabric
A TI zone within an edge fabric is used to route traffic between a real device and a proxy device
through a particular EX_Port. For example, in Figure 39, you can set up a TI zone to ensure that
traffic between Host 1 and the proxy target is routed through EX_Port 9.
Host 1
Domain 1
8
Front Domain 3
1
9
2
10
9
-1
Host 2
E_Ports
EX_Ports
-1
= Dedicated Path
= Ports in the TI zone
Xlate Domain 4
FIGURE 39
Proxy Target
TI zone in an edge fabric
In the TI zone, when you designate E_Ports between the front and xlate phantom switches,
you must use -1 in place of the “I” in the D,I notation. Both the front and xlate domains must be
included in the TI zone.
Using D,I notation, the members of the TI zone in Figure 39 are:
•
•
•
•
1,8
1,1
3,-1 (E_Port for the front phantom domain)
4,-1 (E_Port for the xlate phantom domain)
NOTE
In this configuration the traffic between the front and xlate domains can go through any path
between these two domains. The -1 does not identify any specific ISL. To guarantee a specific ISL,
you need to set up a TI zone within the backbone fabric.
354
Fabric OS Administrator’s Guide
53-1002745-02
Traffic Isolation Zoning over FC routers
12
TI zones within a backbone fabric
A TI zone within a backbone fabric is used to route traffic within the backbone fabric through a
particular ISL. For example, in Figure 40, a TI zone is set up in the backbone fabric to ensure that
traffic between EX_Ports “1,1” and “2,1” is routed through VE_Ports “1,4” and “2,7”.
Target 1
Target 2
WWN
WWN
Host
WWN
Target 3
Edge fabric 2
Edge fabric 1
Backbone fabric
1
3
1
2
4
VE_Ports
7
5
8
6
9
FC router 1
2
Edge fabric 3
3
FC router 2
= Dedicated Path
= Ports in the TI zone
FIGURE 40
TI zone in a backbone fabric
TI zones within the backbone fabric use the port WWN instead of D,I notation for devices that are to
communicate across fabrics. (You can use the portShow command to obtain the port WWN.)
Port WWNs should be used only in TI zones within a backbone fabric and should not be used in
other TI zones.
Using D,I and port WWN notation, the members of the TI zone in Figure 40 are:
•
•
•
•
•
•
•
1,1 (EX_Port for FC router 1)
1,4 (VE_Port for FC router 1)
2,7 (VE_Port for FC router 2)
2,1 (EX_Port for FC router 2)
10:00:00:00:00:01:00:00 (Port WWN for the host)
10:00:00:00:00:02:00:00 (Port WWN for target 1)
10:00:00:00:00:03:00:00 (Port WWN for target 2)
Fabric OS Administrator’s Guide
53-1002745-02
355
12
General rules for TI zones
Limitations of TI zones over FC routers
Be aware of the following when configuring TI zones over FC routers:
• A TI zone defined within the backbone fabric does not guarantee that edge fabric traffic will
arrive at a particular EX_Port. You must set up a TI zone in the edge fabric to guarantee this.
• TI zones within the backbone fabric cannot contain more than one destination router port
(DRP) per each fabric. This means you cannot define more than one EX_Port to any one edge
fabric unless they are part of a trunk.
• Only one egress E_Port or VE_Port connected to the next hop can be defined within TI zones.
Only one ISL or trunk can be defined between two backbone switches.
• TI over FCR is supported only from edge fabric to edge fabric. Traffic isolation from backbone to
edge is not supported.
• Non-TI data traffic is not restricted from going through the TI path in the backbone fabric.
• For TI over FCR, failover must be enabled in the TI zones in the edge fabrics and in the
backbone fabric.
• TI over FCR is not supported with FC Fast Write.
• For the FC8-16, FC8-32, FC8-48, FC8-64, and FX8-24 blades only: If Virtual Fabrics is disabled,
two or more shared area EX_Ports connected to the same edge fabric should not be configured
in different TI zones. This configuration is not supported.
General rules for TI zones
The following general rules apply to TI zones:
• A TI zone must include E_Ports and N_Ports that form a complete, end-to-end route from
initiator to target.
• When an E_Port is a member of a TI zone that E_Port cannot have its indexed swapped with
another port.
• A given E_Port used in a TI zone should not be a member of more than one TI zone.
If multiple E_Ports are configured that are on the lowest cost route to a domain, the various
source ports for that zone are load-balanced across the specified E_Ports.
• TI zones reside only in the defined configuration and not in the effective configuration. When
you make any changes to TI zones, including creating or modifying them, you must enable the
effective configuration for the changes to take effect, even if the effective configuration is
unchanged.
• A TI zone only provides traffic isolation and is not a “regular” zone.
• Routing rules imposed by TI zones with failover disabled override regular zone definitions.
Regular zone definitions should match TI zone definitions.
• FSPF supports a maximum of 16 paths to a given domain. This includes paths in a TI zone.
• Each TI zone is interpreted by each switch and each switch considers only the routing required
for its local ports. No consideration is given to the overall topology and to whether the TI zones
accurately provide dedicated paths through the whole fabric.
356
Fabric OS Administrator’s Guide
53-1002745-02
General rules for TI zones
12
For example, in Figure 41, the TI zone was configured incorrectly and E_Port “3,9” was
erroneously omitted from the zone. The domain 3 switch assumes that traffic coming from
E_Port 9 is not part of the TI zone and so that traffic is routed to E_Port 11 instead of E_Port
12, if failover is enabled. If failover is disabled, the route is broken and traffic stops.
Domain 1
8
Domain 3
1
9
2
10
9
12
11
8
7
6
= Dedicated path
5
= Ports in the TI zone
Domain 4
FIGURE 41
TI zone misconfiguration
Traffic Isolation Zone violation handling for trunk ports
For any trunk group, all the members of the group need to belong to the TI zone to prevent routing
issues resulting from changes in the members of the trunk group. This applies to any E_Port or
F_Port trunk groups that are included in TI zones using failover disabled mode.
Fabric OS posts a RASlog message (ZONE-1061) if any of the ports part of a trunk group is not
added to the TI zone with failover disabled. Also, a CLI (zone --showTItrunkerrors) is provided to
check if all ports per switch in a TI zone are proper. This will help you identify missing trunk
members and take corrective actions.
Example RASlog message when any port in a trunk group is not in the TI zone
SW82:FID128:admin> zone
[ZONE-1061], 620/181, FID 128, WARNING, sw0, Some trunk members are missing
from failover disabled active TI zones.
The CLI essentially displays the details of the trunk members present in the TI zone and those
not present in the TI zone. These details are displayed per TI Zone basis.
Example RASlog message when --showTItrunkerrors is added to zone command
switch:admin> zone --showTItrunkerrors
TI Zone Name: brackets
E-Port Trunks
Trunk members in TI zone: 16 18
Trunk members not in TI zone: 17
F-Port Trunks
Trunk members in TI zone: 4 5
Trunk members not in TI zone: 6
TI Zone Name: loop
E-Port Trunks
Trunk members in TI zone: 0
Trunk members not in TI zone: 1
TI Zone Name: operand
Fabric OS Administrator’s Guide
53-1002745-02
357
12
Supported configurations for Traffic Isolation Zoning
E-Port Trunks
Trunk members
Trunk members
E-Port Trunks
Trunk members
Trunk members
in TI zone: 8
not in TI zone: 9 10
in TI zone: 16
not in TI zone: 17 18
Supported configurations for Traffic Isolation Zoning
The following configuration rules apply to TI zones:
• Ports in a TI zone must belong to switches that run Fabric OS v6.0.0 or later. For TI over FCR
zones, all switches and FC routers in both edge and backbone fabrics must be running
Fabric OS v6.1.0 or later.
• For the FC8-64 blade in the Brocade DCX and DCX 8510-8, ports 48–63 can be in a TI zone
only if all switches in that TI zone are running Fabric OS v6.4.0 or later. Ports 48–63 can still be
in a failover path for TI traffic.
The Brocade DCX-4S and DCX 8510-4 do not have this limitation.
• VE_Ports are supported in TI zones.
• TI Zoning is not supported in fabrics with switches running firmware versions earlier than
Fabric OS v6.0.0. However, the existence of a TI zone in such a fabric is backward-compatible
and does not disrupt fabric operation in switches running earlier firmware versions.
TI over FCR is not backward compatible with Fabric OS v6.0.x or earlier. The -1 in the
domain,index entries causes issues to legacy switches in a zone merge. Firmware downgrade
is prevented if TI over FCR zones exist.
Additional configuration rules for enhanced TI zones
Enhanced TI zones (ETIZ) have the following additional configuration rules:
• Enhanced TI zones are supported only if every switch in the fabric is ETIZ capable. A switch is
ETIZ capable if it meets the following qualifications:
-
The switch must be one of the supported platforms, as listed in “Supported hardware and
software” on page 34.
-
The switch must be running Fabric OS v6.4.0 or later.
• If the fabric contains a switch running an earlier version of Fabric OS, you cannot create an
enhanced TI zone. You cannot merge a downlevel switch into a fabric containing enhanced TI
zones, and you cannot merge a switch with enhanced TI zones defined into a fabric containing
switches that do not support ETIZ.
• Overlapping TI zones must have the same failover type. That is, both must be either failover
enabled or failover disabled.
NOTE
FC router domains are excluded from the ETIZ platform restrictions. You can create enhanced TI
zones with these switches in the fabric.
358
Fabric OS Administrator’s Guide
53-1002745-02
Limitations and restrictions of Traffic Isolation Zoning
12
Trunking with TI zones
If you implement trunking and TI zones, you should keep the following points in mind:
• To include a trunk group in a TI zone, you must include all ports of the trunk in the TI zone.
• Trunked ISL ports cannot be members of more than one TI zone.
• The zone command includes an option to show TI trunk errors: zone --showTItrunkerrors
Description
This command parameter displays the details of the trunk members in the TI zone, separated
into present and not present, and displayed per TI Zone basis.
Sample output
switch:admin> zone --showTItrunkerrors
TI Zone Name: brackets
E-Port Trunks
Trunk members in TI zone: 16 18
Trunk members not in TI zone: 17
F-Port Trunks
Trunk members in TI zone: 4 5
Trunk members not in TI zone: 6
TI Zone Name: loop
E-Port Trunks
Trunk members in TI zone: 0
Trunk members not in TI zone: 1
TI Zone Name: operand
E-Port Trunks
Trunk members in TI zone: 8
Trunk members not in TI zone: 9 10
E-Port Trunks
Trunk members in TI zone: 16
Trunk members not in TI zone: 17 18
Limitations and restrictions of Traffic Isolation Zoning
The following limitations and restrictions apply to Traffic Isolation Zoning:
• For switches running Fabric OS 6.1.0 or later, a maximum of 255 TI zones can be created in
one fabric. For switches running Fabric OS 6.0.x, no more than 239 TI zones should be
created.
A fabric merge resulting in greater than the maximum allowed TI zones results in merge failure
and the fabrics are segmented.
• A TI zone can be created using D,I (Domain, Index) notation only, except for TI zones in a
backbone fabric, which use port WWNs. See “Traffic Isolation Zoning over FC routers” on
page 352 for information about TI zones in a backbone fabric.
Fabric OS Administrator’s Guide
53-1002745-02
359
12
Admin Domain considerations for Traffic Isolation Zoning
• To include a trunk group in a TI zone, you must include all ports of the trunk in the TI zone.
• If two N_Ports are online and have the same shared area, and one of them is configured in a
TI zone, then they both must be configured in that same TI zone. One of the online shared area
N_Ports should not remain outside the TI zone unless it is offline, then it may remain outside
the TI zone. This limitation does not apply to E_Ports that use the same shared area on FC4-48
and FC8-48 port blades.
• Ports that are in different TI zones cannot communicate with each other if failover is disabled.
• TI zone members that overlap must have the same TI failover policy across all TI zones to which
they belong. That is, if an overlapping member is part of a failover-disabled zone, then it can
belong only to other TI zones where the policy is also failover-disabled; the member cannot
overlap with failover-enabled TI zones.
• TI zones that have members with port index greater than 511 are not supported with Fabric OS
versions earlier than v6.4.0. If such a TI zone and Fabric OS version combination is detected,
a warning is issued. These configurations are not prevented, but their behavior is
unpredictable.
• When you merge two switches, if there is an effective configuration on the switches and
TI zones are present on either switch, the TI zones are not automatically activated after the
merge. Check the TI zone enabled status using the zone --show command, and if the TI Zone
Enabled status does not match across switches, issue the cfgEnable command.
• Use care when creating TI zones on ICL ports in topologies that span more than two switches
connected with ICLs. If a user-defined TI zone breaks the ICL connectivity requirements, a a
FSPF-1009 RASLOG entry and message is generated to notify you of this error condition.
ATTENTION
Removing a core blade when both ICL connections and lossless dynamic load sharing are enabled
may cause frame loss on a number of F_Ports.
Admin Domain considerations for Traffic Isolation Zoning
If you implement Admin Domains and TI zones, you should keep the following points in mind:
• TI zones are applicable only in AD0, and the E_Ports that are members of a TI zone must be in
the AD0 device list. Because TI zones must use D,I notation, the AD0 device list must be
declared using D,I notation for ports that are to be used in TI zones.
• A port used in a TI zone should not be a member of multiple Admin Domains.
• Use care if defining TI zones with ports that are shared across Admin Domains because of the
limitation that a given port can appear in only one TI zone.
Best practice: Do not use ports that are shared across Admin Domains in a TI zone.
360
Fabric OS Administrator’s Guide
53-1002745-02
Virtual Fabrics considerations for Traffic Isolation Zoning
12
Virtual Fabrics considerations for Traffic Isolation Zoning
This section describes how TI zones work with Virtual Fabrics. See Chapter 10, “Managing
Virtual Fabrics,” for information about the Virtual Fabrics feature, including logical switches and
logical fabrics.
TI zones can be created in a logical fabric like in regular fabrics, with the following exceptions:
• The disable failover option is not supported in logical fabrics that use XISLs.
Although logical switches that use XISLs allow the creation of a TI zone with failover disabled,
this is not a supported configuration. Base switches do not allow the creation of a TI zone with
failover disabled.
• To create a TI zone for a logical fabric that uses XISLs, you must create two TI zones: one in the
logical fabric and one in the base fabric. The combination of TI zones in the base fabric and
logical fabric sets the path through the base fabric for logical switches.
The TI zone in the logical fabric includes the extended XISL (XISL) port numbers, as well as the
F_Ports and ISLs in the logical fabric.
The TI zone in the base fabric reserves XISLs for a particular logical fabric. The base fabric TI zone
should also include ISLs that belong to logical switches participating in the logical fabric.
Figure 42 shows an initiator and target in a logical fabric (FID1). The dotted line indicates a
dedicated path between initiator and target. The dedicated path passes through the base fabric
over an XISL. (Figure 42 shows only physical ISLs, not logical ISLs.) To create the TI zones for this
dedicated path, you must create a TI zone in the logical fabric (FID 1) and one in the base fabric.
Host
Domain 8
8
9
1
2
3
4
LS3, FID1
Domain 3
Chassis 1
Target
Domain 9
LS4, FID3
Domain 4
10
XISL
12
11
XISL
13
6
8
7
LS1, FID1
Domain 5
Domain 7
Base switch
Domain 1
5
14
15
XISL
16
XISL
17
LS2, FID3
Domain 6
Chassis 2
Base switch
Domain 2
= Dedicated Path
= Ports in the TI zones
FIGURE 42
Dedicated path with Virtual Fabrics
Figure 43 shows a logical representation of FID1 in Figure 42. To create the dedicated path, you
must create and activate a TI zone in FID1 that includes the circled ports shown in Figure 43.
Fabric OS Administrator’s Guide
53-1002745-02
361
12
Virtual Fabrics considerations for Traffic Isolation Zoning
Domain 8
Host
Domain 3
2
4
Domain 5
Domain 9
11
17
7
6
10
16
8
5
8
Target
9
1
3
= Dedicated Path
= Ports in the TI zones
FIGURE 43
Creating a TI zone in a logical fabric
You must also create and activate a TI zone in the base fabric to reserve the XISLs for the dedicated
path. In Figure 44, the XISLs highlighted (by a dotted line) in the base fabric can be reserved for
FID1 by defining and activating a base fabric TI zone that consists of ports 10, 12, 14, and 16. You
must also include ports 3 and 8, because they belong to logical switches participating in the logical
fabric. For the TI zone, it is as though ports 3 and 8 belong to Domains 1 and 2 respectively.
Domain 1
Domain 7
11
13
4
3
10
12
Domain 2
15
14
17
16
7
8
= Dedicated Path
= Ports in the TI zones
FIGURE 44
Creating a TI zone in a base fabric
Using D,I notation, the port numbers for the TI zones in the logical fabric and base fabric are as
follows:
Port members for the TI zone in logical fabric Port members for the TI zone in base fabric
8,8 F_Port
8,1 E_Port
3,3 E_Port
3,10 E_Port
5,16 E_Port
5,8 E_Port
9,5 E_Port
9,9 F_Port
1,3 E_Port for ISL in logical switch
1,10 E_Port for XISL
7,12 E_Port for XISL
7,14 E_Port for XISL
2,16 E_Port for XISL
2,8 E_Port for ISL in logical switch
Notice that the base fabric zone contains a reference to port 1,3 even though the base switch with
domain 1 does not have a port 3 in the switch. This number refers to the port in the chassis with
port index 3, which actually belongs to LS3 in FID 1.
362
Fabric OS Administrator’s Guide
53-1002745-02
Traffic Isolation Zoning over FC routers with Virtual Fabrics
12
Traffic Isolation Zoning over FC routers with Virtual Fabrics
This section describes how you can set up TI zones over FC routers in logical fabrics. Figure 45
shows two physical chassis configured into logical switches. The initiator in FID 1 communicates
with the target in FID 3 over the EX_Ports in the base switches.
1
10
F
2
F
E
3
E
4
5
EX
11
LS2, FID3
Domain 6
LS3, FID1
Domain 3
E
E
E
Base switch
Domain 1
EX
E
6
15
7
16
E
EX
Base switch
Domain 2
E
12
13
14
EX
= Dedicated Path
= Ports in the TI zones
FIGURE 45
Example configuration for TI zones over FC routers in logical fabrics
Figure 46 shows a logical representation of the configuration in Figure 45. This SAN is similar to
that shown in Figure 38 on page 353 and you would set up the TI zones in the same way as
described in “Traffic Isolation Zoning over FC routers” on page 352.
Edge fabric
Fabric 1
1
SW3
3
10
2
12
4
5
SW1
FIGURE 46
Fabric OS Administrator’s Guide
53-1002745-02
SW6
11
6
15 13
7
Backbone fabric
Edge fabric
Fabric 3
16
SW2
14
Logical representation of TI zones over FC routers in logical fabrics
363
12
Creating a TI zone
Creating a TI zone
You create and modify TI zones using the zone command. Other zoning commands, such as
zoneCreate, aliCreate, and cfgCreate, cannot be used to manage TI zones.
When you create a TI zone, you can set the state of the zone to activated or deactivated. By default
the zone state is set to activated; however, this does not mean that the zone is activated. After you
create the TI zone, you must enable the current effective configuration to enforce the new TI zone,
which is either activated or deactivated.
Virtual Fabric considerations: Because base fabrics do not contain end devices, they normally do
not have an effective zone configuration. To activate a TI zone in a base fabric, you should create a
“dummy” configuration, as described in “Creating a TI zone in a base fabric” on page 366.
When you create a TI zone, you can enable or disable failover mode. By default, failover mode is
enabled. If you want to change the failover mode after you create the zone, see “Modifying TI
zones” on page 367.
If you are creating a TI zone with failover disabled, note the following:
• Ensure that the E_Ports of the TI zone correspond to valid paths; otherwise, the route might be
missing for ports in that TI zone. You can use the topologyShow command to verify the paths.
• Ensure that sufficient non-dedicated paths through the fabric exist for all devices that are not
in a TI zone; otherwise, these devices might become isolated.
See “TI zone failover” on page 346 for information about disabling failover mode.
Use the following procedure to create a TI zone. If you are creating a TI zone in a base fabric, use
the procedure described in “Creating a TI zone in a base fabric” on page 366.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the zone --create command:
zone --create -t objtype [-o optlist] name -p "portlist"
Be aware of the ramifications if you create a TI zone with failover mode disabled. See “TI zone
failover” on page 346 for information about disabling failover mode.
3. Perform the following steps if you have any TI zones with failover disabled. If all of your TI zones
are failover-enabled, skip to step 4.
a.
Change the failover option to failover enabled. This is a temporary change to avoid frame
loss during the transition.
zone --add -o f name
b.
Enable the zones.
cfgenable "current_effective_configuration"
c.
Reset the failover option to failover disabled. Then continue with step 4.
zone --add -o n name
4. Enter the cfgEnable command to reactivate your current effective configuration and enforce
the TI zones.
cfgenable "current_effective_configuration"
364
Fabric OS Administrator’s Guide
53-1002745-02
Creating a TI zone
12
Example TI zone creation
The following examples create a TI zone named “bluezone”, which contains E_Ports 1,1 and 2,4
and N_Ports 1,8 and 2,6.
To create a TI zone with failover enabled and in the activated state (default settings):
switch:admin> zone --create -t ti bluezone -p "1,1; 2,4; 1,8; 2,6"
To create a TI zone with failover enabled (the zone is set to the activated state by default):
switch:admin> zone --create -t ti -o f bluezone -p "1,1; 2,4; 1,8; 2,6"
To create a TI zone with failover disabled and the state set to activated:
switch:admin> zone --create -t ti -o an bluezone -p "1,1; 2,4; 1,8; 2,6"
To create a TI zone and set the state to deactivated (failover is enabled by default):
switch:admin> zone --create -t ti -o d bluezone -p "1,1; 2,4; 1,8; 2,6"
To create a TI zone with failover disabled and the state set to deactivated:
switch:admin> zone --create -t ti -o dn bluezone -p "1,1; 2,4; 1,8; 2,6"
To create a TI zone in the edge fabric with failover enabled and the state set to activated (default
settings):
switch:admin> zone --create -t ti bluezone -p "1,1; 1,8; 2,-1; 3,-1"
To create a TI zone in the backbone fabric with failover enabled and the state set to activated
(default settings):
switch:admin> zone --create -t ti backbonezone -p "10:00:00:04:1f:03:16:f2;
1,1; 1,4; 2,7; 2,1; 10:00:00:04:1f:03:18:f1, 10:00:00:04:1f:04:06:e2"
To create TI zones in a logical fabric, such as the one shown in Figure 43 on page 362:
Log in to the logical switch FID1, Domain 7 and create a TI zone in the logical fabric with FID=1:
LS1> zone --create -t ti -o f "ti_zone1" -p "8,8; 8,1; 3,3; 3,10; 5,16; 5,8;
9,5; 9,9"
Then create a TI zone in the base fabric, as described in “Creating a TI zone in a base fabric”.
Remember that your changes are not enforced until you enter the cfgEnable command, as shown
here:
switch:admin> cfgenable "USA_cfg"
You are about to enable a new zoning configuration.
This action will replace the old zoning configuration with the
current configuration selected.
If the update includes changes to one or more traffic isolation zones, the
update may result in localized disruption to traffic on ports associated with
the traffic isolation zone changes
Do you want to enable 'USA_cfg' configuration (yes, y, no, n): [no] y
zone config "USA_cfg" is in effect
Updating flash ...
Fabric OS Administrator’s Guide
53-1002745-02
365
12
Creating a TI zone
Creating a TI zone in a base fabric
1. Connect to the switch and log in using an account with admin permissions.
2. Create a “dummy” zone configuration in the base fabric. For example:
zone --create "z1", "1,1"
cfgcreate "base_config", z1
3. Enter the zone --create command to create the TI zone in the base fabric:
zone --create -t objtype -o f name -p "portlist"
The disable failover option is not supported in base fabrics.
4. Perform the following steps if you have any TI zones with failover disabled. If all of your TI zones
are failover-enabled, skip to step 5.
a.
Change the failover option to failover enabled. This is a temporary change to avoid frame
loss during the transition.
zone --add -o f name
b.
Enable the zones.
cfgenable "current_effective_configuration"
c.
Reset the failover option to failover disabled. Then continue with step 4.
zone --add -o n name
5. Enter the cfgEnable command to reactivate your current effective configuration and enforce
the TI zones.
cfgenable "base_config"
Example
The following example creates TI zones in the base fabric shown in Figure 44 on page 362:
BS_D1>
BS_D1>
BS_D1>
2,8"
BS_D1>
366
zonecreate "z1", "1,1"
cfgcreate "base_cfg", z1
zone --create -t ti -o f "ti_zone2" -p "1,3; 1,10; 7,12; 7,14; 2,16;
cfgenable "base_config"
Fabric OS Administrator’s Guide
53-1002745-02
Modifying TI zones
12
Modifying TI zones
Using the zone --add command, you can add ports to an existing TI zone, change the failover
option, or both.You can also activate or deactivate the TI zone.
Using the zone --remove command, you can remove ports from existing TI zones. If you remove the
last member of a TI zone, the TI zone is deleted.
After you modify the TI zone, you must enable the current effective configuration to enforce the
changes.
ATTENTION
If failover is disabled, do not allocate all ISLs in TI zones. Make sure sufficient non-dedicated paths
exist through the fabric for all devices that are not in a TI zone. See “TI zone failover” on page 346
for additional information about disabling failover mode.
NOTE
If you have overlapping TI zones and you want to change the failover option on these zones, you must
first remove the overlapping ports from the zones, then change the failover type, and finally re-add
the overlapping members.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter one of the following commands, depending on how you want to modify the TI zone.
• Enter the zone --add command to add ports or change the failover option for an existing TI
zone. You can also activate or deactivate the zone.
zone --add [-o optlist] name -p "portlist"
zone --add -o optlist name [-p "portlist"]
• Enter the zone --remove command to remove ports from an existing TI zone.
zone --remove name -p "portlist"
Be aware of the ramifications if you disable failover mode. See “TI zone failover” on page 346
for information about disabling failover mode.
3. Perform the following steps if you have any TI zones with failover disabled. If all of your TI zones
are failover-enabled, skip to step 4.
a.
Change the failover option to failover enabled. This is a temporary change to avoid frame
loss during the transition.
zone --add -o f name
b.
Enable the zones.
cfgenable "current_effective_configuration"
c.
Reset the failover option to failover disabled. Then continue with step 4.
zone --add -o n name
4. Enter the cfgEnable command to reactivate your current effective configuration and enforce
the TI zones.
cfgenable "current_effective_configuration"
Fabric OS Administrator’s Guide
53-1002745-02
367
12
Changing the state of a TI zone
Example of modifying a TI zone
To add port members to the existing TI zone bluezone:
switch:admin> zone --add bluezone -p "3,4; 3,6"
To add port members to the existing TI zone in a backbone fabric:
switch:admin> zone --add backbonezone -p "3,4; 3,6; 10:00:00:04:1f:03:16:f2;"
To disable failover on the existing TI zone bluezone:
switch:admin> zone --add -o n bluezone
To enable failover and add ports to TI zone greenzone:
switch:admin> zone --add -o f greenzone -p "3,4"
To remove ports from the TI zone bluezone:
switch:admin> zone --remove bluezone -p "3,4; 3,6"
Remember that your changes are not enforced until you enter the cfgEnable command.
Changing the state of a TI zone
You can change the state of a TI zone to activated or deactivated. Changing the state does not
activate or deactivate the zone. After you change the state of the TI zone, you must enable the
current effective configuration to enforce the change.
The TI zone must exist before you can change its state.
1. Connect to the switch and log in using an account with admin permissions.
2. Perform one of the following actions:
• To activate a TI zone, enter the zone --activate command.
zone --activate name
• To deactivate a TI zone, enter the zone --deactivate command.
zone --deactivate name
3. Enter the cfgEnable command to reactivate your current effective configuration and enforce
the TI zones.
cfgenable "current_effective_configuration"
Example of setting the state of a TI zone
To change the state of the existing TI zone bluezone to activated, type:
switch:admin> zone --activate bluezone
To change the state of the existing TI zone greenzone to deactivated, type:
switch:admin> zone --deactivate greenzone
Remember that your changes are not enforced until you enter the cfgEnable command.
368
Fabric OS Administrator’s Guide
53-1002745-02
Deleting a TI zone
12
Deleting a TI zone
Use the zone --delete command to delete a TI zone from the defined configuration. This command
deletes the entire zone; to only remove port members from a TI zone, use the zone --remove
command, as described in “Modifying TI zones” on page 367.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the zone --delete command.
zone --delete name
You can delete multiple zones by separating the zone names with a semicolon and enclosing
them in quotation marks.
3. Enter the cfgEnable command to reactivate your current effective configuration and enforce
the TI zones.
cfgenable "current_effective_configuration"
Example of deleting a TI zone
To delete the TI zone bluezone, type:
switch:admin> zone --delete bluezone
Remember that your changes are not enforced until you enter the cfgEnable command.
Displaying TI zones
Use the zone --show command to display information about TI zones. This command displays the
following information for each zone:
•
•
•
•
•
Zone name
E_Port members
N_Port members
Configured status (the latest status, which may or may not have been activated by cfgEnable)
Enabled status (the status that has been activated by cfgEnable)
If you enter the cfgShow command to display information about all zones, the TI zones appear in
the defined zone configuration only and do not appear in the effective zone configuration.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the zone --show command.
zone --show [ name ] [-ascending]
Example displaying information about the TI zone purplezone
switch:admin> zone --show purplezone
Defined TI zone configuration:
TI Zone Name:
Port List:
redzone:
1,2; 1,3; 3,3; 4,5
Configured Status: Activated / Failover-Enabled
Enabled Status: Activated / Failover-Enabled
Fabric OS Administrator’s Guide
53-1002745-02
369
12
Troubleshooting TI zone routing problems
Example displaying information about all TI zones in the defined configuration in ascending order
switch:admin> zone --show -ascending
Defined TI zone configuration:
TI Zone Name:
Port List:
bluezone:
8,3; 8,5; 9,2; 9,3;
Configured Status: Deactivated / Failover-Disabled
Enabled Status: Activated / Failover-Enabled
TI Zone Name:
Port List:
greenzone:
2,2; 3,3; 4,11; 5,3;
Configured Status: Activated / Failover-Enabled
Enabled Status: Activated / Failover-Enabled
TI Zone Name:
Port List:
purplezone:
1,2; 1,3; 3,3; 4,5;
Configured Status: Activated / Failover-Enabled
Enabled Status: Deactivated / Failover-Enabled
Troubleshooting TI zone routing problems
Use the following procedure to generate a report of existing and potential problems with TI zones.
The report displays an error type.
• “ERROR” indicates a problem currently exists in the fabric.
• “WARNING” indicates that there is not currently a problem, given the current set of online
devices and reachable domains, but given the activated TI zone configuration, parallel
exclusive paths between a shared device and a remote domain have been detected, which
might cause a problem for devices that join the fabric later.
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the zone --showTIerrors command.
zone --showTIerrors
Here is an example report that would be generated for the illegal configuration shown in Figure 36
on page 351.
switch:admin> zone --showTIerrors
My Domain: 3
Error type:
ERROR
Affected Remote Domain: 1
Affected Local Port:
8
Affected TI Zones:
etiz1, etiz2
Affected Remote Ports: 1, 2, 3, 4
370
Fabric OS Administrator’s Guide
53-1002745-02
Setting up TI over FCR (sample procedure)
12
Setting up TI over FCR (sample procedure)
The following example shows how to set up TI zones over FCR to provide a dedicated path shown in
Figure 47. In this example, three TI zones are created: one in each of the edge fabrics and one in
the backbone fabric. The combination of these three TI zones creates a dedicated path for traffic
between Host 1 in edge fabric 1 and Targets 1 and 2 in edge fabric 2.
Host 1 has port WWN 10:00:00:00:00:08:00:00
Target 1 has port WWN 10:00:00:00:00:02:00:00
Target 2 has port WWN 10:00:00:00:00:03:00:00
Host 1
Target 1
Target 2
Domain ID = 1
Domain ID = 2
2
9
8
5
3
6
1
7
4
Edge fabric 1
Domain ID = 4
Backbone
fabric
Edge fabric 2
Domain ID = 9
= Dedicated path set up by TI zone in edge fabric 1
= Dedicated path set up by TI zone in edge fabric 2
= Dedicated path set up by TI zone in backbone fabric
FIGURE 47
TI over FCR example
NOTE
In the following procedure the three TI zones in the edge and backbone fabrics are all given the same
name, TI_Zone1. It is not required that the TI zones have the same name, but this is done to avoid
confusion. If several dedicated paths are set up across the FC router, the TI zones for each path can
have the same name.
1. In each edge fabric, set up an LSAN zone that includes Host 1, Target 1, and Target 2, so these
devices can communicate with each other. See Chapter 24, “Using FC-FC Routing to Connect
Fabrics,” for information about creating LSAN zones.
2. Log in to the edge fabric 1 and set up the TI zone.
a.
Enter the fabricShow command to display the switches in the fabric. From the output, you
can determine the front and translate domains.
E1switch:admin> fabricshow
Switch ID
Worldwide Name
Enet IP Addr
FC IP Addr
Name
------------------------------------------------------------------------1: fffc01 50:00:51:e3:95:36:7e:04 0.0.0.0
0.0.0.0
"fcr_fd_1"
4: fffc04 10:00:00:60:69:80:1d:bc 10.32.72.4
0.0.0.0
>"E1switch"
6: fffc06 50:00:51:e3:95:48:9f:a0 0.0.0.0
0.0.0.0
"fcr_xd_6_9"
Fabric OS Administrator’s Guide
53-1002745-02
371
12
Setting up TI over FCR (sample procedure)
The Fabric has 3 switches
b.
Enter the following commands to create and display a TI zone:
E1switch:admin> zone --create -t ti TI_Zone1 -p "4,8; 4,5, 1,-1; 6,-1"
E1switch:admin> zone --show
Defined TI zone configuration:
TI Zone Name:
Port List:
TI_Zone1
4,8; 4,5; 1,-1; 6,-1
Status: Activated
c.
Failover: Enabled
Enter the following commands to reactivate your current effective configuration and
enforce the TI zones.
E1switch:admin> cfgactvshow
Effective configuration:
cfg:
cfg_TI
zone: lsan_t_i_TI_Zone1
10:00:00:00:00:00:02:00:00
10:00:00:00:00:00:03:00:00
10:00:00:00:00:00:08:00:00
E1switch:admin> cfgenable cfg_TI
You are about to enable a new zoning configuration.
This action will replace the old zoning configuration with the
current configuration selected.
If the update includes changes to one or more traffic isolation zones, the
update may result in localized disruption to traffic on ports associated
with the traffic isolation zone changes
Do you want to enable 'cfg_TI' configuration (yes, y, no, n): [no] y
zone config "cfg_TI" is in effect
Updating flash ...
3. Log in to the edge fabric 2 and set up the TI zone.
a.
Enter the fabricShow command to display the switches in the fabric. From the output, you
can determine the front and translate domains.
E2switch:admin> fabricshow
Switch ID
Worldwide Name
Enet IP Addr
FC IP Addr
Name
------------------------------------------------------------------------1: fffc01 50:00:51:e3:95:36:7e:09 0.0.0.0
0.0.0.0
"fcr_fd_1"
4: fffc04 50:00:51:e3:95:48:9f:a1 0.0.0.0
0.0.0.0
"fcr_xd_6_9"
9: fffc09 10:00:00:05:1e:40:f0:7d 10.32.72.9
0.0.0.0
>"E2switch"
The Fabric has 3 switches
b.
Enter the following commands to create and display a TI zone:
E2switch:admin> zone --create -t ti TI_Zone1 -p "9,2; 9,3; 9,6; 1,-1; 4,-1"
E2switch:admin> zone --show
Defined TI zone configuration:
TI Zone Name:
Port List:
TI_Zone1
9,2; 9,3; 9,6; 1,-1; 4,-1
Status: Activated
372
Failover: Enabled
Fabric OS Administrator’s Guide
53-1002745-02
Setting up TI over FCR (sample procedure)
c.
12
Enter the following commands to reactivate your current effective configuration and
enforce the TI zones.
E2switch:admin> cfgactvshow
Effective configuration:
cfg:
cfg_TI
zone: lsan_t_i_TI_Zone1
10:00:00:00:00:00:02:00:00
10:00:00:00:00:00:03:00:00
10:00:00:00:00:00:08:00:00
E2switch:admin> cfgenable cfg_TI
You are about to enable a new zoning configuration.
This action will replace the old zoning configuration with the
current configuration selected.
If the update includes changes to one or more traffic isolation zones, the
update may result in localized disruption to traffic on ports associated
with the traffic isolation zone changes
Do you want to enable 'cfg_TI' configuration (yes, y, no, n): [no] y
zone config "cfg_TI" is in effect
Updating flash ...
4. Log in to the backbone fabric and set up the TI zone.
a.
Enter the following commands to create and display a TI zone:
BB_DCX_1:admin> zone --create -t ti TI_Zone1 -p "1,9; 1,1; 2,4; 2,7;
10:00:00:00:00:08:00:00; 10:00:00:00:00:02:00:00; 10:00:00:00:00:03:00:00"
BB_DCX_1:admin> zone --show
Defined TI zone configuration:
TI Zone Name:
TI_Zone1
Port List:
1,9; 1,1; 2,4; 2,7; 10:00:00:00:00:08:00:00;
10:00:00:00:00:02:00:00; 10:00:00:00:00:03:00:00
Status: Activated
b.
Failover: Enabled
Enter the following commands to reactivate your current effective configuration and
enforce the TI zones.
BB_DCX_1:admin> cfgactvshow
Effective configuration:
cfg:
cfg_TI
zone: lsan_t_i_TI_Zone1
10:00:00:00:00:00:02:00:00
10:00:00:00:00:00:03:00:00
10:00:00:00:00:00:08:00:00
BB_DCX_1:admin> cfgenable cfg_TI
You are about to enable a new zoning configuration.
This action will replace the old zoning configuration with the
current configuration selected.
If the update includes changes to one or more traffic isolation zones, the
update may result in localized disruption to traffic on ports associated
with the traffic isolation zone changes
Do you want to enable 'cfg_TI' configuration (yes, y, no, n): [no] y
zone config "cfg_TI" is in effect
Updating flash ...
Fabric OS Administrator’s Guide
53-1002745-02
373
12
374
Setting up TI over FCR (sample procedure)
Fabric OS Administrator’s Guide
53-1002745-02
Chapter
13
Bottleneck Detection
In this chapter
• Bottleneck detection overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Supported configurations for bottleneck detection . . . . . . . . . . . . . . . . . .
• Credit Loss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Enabling bottleneck detection on a switch . . . . . . . . . . . . . . . . . . . . . . . . .
• Displaying bottleneck detection configuration details . . . . . . . . . . . . . . . .
• Setting bottleneck detection alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Changing bottleneck detection parameters . . . . . . . . . . . . . . . . . . . . . . . .
• Advanced bottleneck detection settings . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Excluding a port from bottleneck detection. . . . . . . . . . . . . . . . . . . . . . . . .
• Displaying bottleneck statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Disabling bottleneck detection on a switch . . . . . . . . . . . . . . . . . . . . . . . . .
375
377
379
380
381
382
384
388
389
391
392
Bottleneck detection overview
A bottleneck is a port in the fabric where frames cannot get through as fast as they should. In other
words, a bottleneck is a port where the offered load is greater than the achieved egress
throughput. Bottlenecks can cause undesirable degradation in throughput on various links. When a
bottleneck occurs at one place, other points in the fabric can experience bottlenecks as the traffic
backs up.
The bottleneck detection feature enables you to do the following:
• Prevent degradation of throughput in the fabric.
The bottleneck detection feature alerts you to the existence and locations of devices that are
causing latency. If you receive alerts for one or more F_Ports, use the CLI to check whether
these F_Ports have a history of bottlenecks.
• Reduce the time it takes to troubleshoot network problems.
If you notice one or more applications slowing down, you can determine whether any latency
devices are attached to the fabric and where. You can use the CLI to display a history of
bottleneck conditions on a port. If the CLI shows above-threshold bottleneck severity, you can
narrow the problem down to device latency rather than problems in the fabric.
You can use the bottleneck detection feature with other Adaptive Networking features to optimize
the performance of your fabric. For example, you can do the following:
• If the bottleneck detection feature detects a latency bottleneck, you can use TI zones or QoS
SID/DID traffic prioritization to isolate latency device traffic from high priority application
traffic.
Fabric OS Administrator’s Guide
53-1002745-02
375
13
Bottleneck detection overview
• If the bottleneck detection feature detects ISL congestion, you can use ingress rate limiting to
slow down low priority application traffic, if it is contributing to the congestion.
Notes
• Bottleneck detection is configured on a per-switch basis, with optional per-port exclusions.
• Bottleneck detection is disabled by default. Best practice is to enable bottleneck detection on
all switches in the fabric, and leave it on to continuously gather statistics.
• Bottleneck detection does not require a license.
Types of bottlenecks
The bottleneck detection feature detects two types of bottlenecks:
• Latency bottleneck
• Congestion bottleneck
A latency bottleneck is a port where the offered load exceeds the rate at which the other end of the
link can continuously accept traffic, but does not exceed the physical capacity of the link. This
condition can be caused by a device attached to the fabric that is slow to process received frames
and send back credit returns. A latency bottleneck due to such a device can spread through the
fabric and can slow down unrelated flows that share links with the slow flow.
By default, bottleneck detection detects latency bottlenecks that are severe enough that they
cause 98% loss of throughput. This default value can be modified to a different percentage.
A congestion bottleneck is a port that is unable to transmit frames at the offered rate because the
offered rate is greater than the physical data rate of the line. For example, this condition can be
caused by trying to transfer data at 8 Gbps over a 4 Gbps ISL.
You can use the bottleneckMon command to configure separate alert thresholds for congestion
and latency bottlenecks.
Advanced settings allow you to refine the criterion for defining latency bottleneck conditions to
allow for more (or less) sensitive monitoring at the sub-second level. For example, you would use
the advanced settings to change the default value of 98% for loss of throughput. See “Advanced
bottleneck detection settings” on page 388 for specific details.
If a bottleneck is reported, you can investigate and optimize the resource allocation for the fabric.
Using the zone setup and Top Talkers, you can also determine which flows are destined to any
affected F_Ports.
How bottlenecks are reported
Bottleneck detection uses the concept of an affected second when determining whether a
bottleneck exists on a port. Each second is marked as being affected or unaffected by a latency or
congestion bottleneck, based on certain criteria.
The bottleneck detection feature maintains two histories of affected seconds for each port—one
history for latency bottlenecks and another for congestion bottlenecks. A history is maintained for a
maximum of three hours for each port. You can view the history using the bottleneckmon --show
command, as described in “Displaying bottleneck statistics” on page 391.
Bottlenecks are also reported through RASlog alerts and SNMP traps. These two alerting
mechanisms cannot be turned on and off independently.
376
Fabric OS Administrator’s Guide
53-1002745-02
Supported configurations for bottleneck detection
13
You can use the bottleneckMon command to specify alerting parameters for the following:
•
•
•
•
•
Whether alerts are to be sent when a bottleneck condition is detected
The size of the time window to look at when determining whether to alert
How many affected seconds are needed to generate the alert
How long to stay quiet after an alert
If an enabled alert is for congestion, for latency, or for both
NOTE
Changing alerting parameters affects RASlog alerting as well as SNMP traps.
For more detailed information on the bottleneckmon command, consult the Fabric OS Command
Reference.
Supported configurations for bottleneck detection
The following configuration rules apply to bottleneck detection:
• Bottleneck detection is supported only on Fibre Channel ports and FCoE F_Ports.
• Bottleneck detection is supported only on the following port types:
- E_Ports
- EX_Ports
- F_Ports
- FL_Ports
• F_Port and E_Port trunks are supported.
• Long distance E_Ports are supported.
• FCoE F_Ports are supported.
• Bottleneck detection is supported on 4-Gbps, 8-Gbps, and 16-Gbps platforms, including
10-Gbps speeds.
• Bottleneck detection is supported in Access Gateway mode.
• Bottleneck detection is supported whether Virtual Fabrics is enabled or disabled. In VF mode,
bottleneck detection is supported on all fabrics, including the base fabric. See “Virtual Fabrics
considerations for bottleneck detection” on page 378 for additional information on using
bottleneck detection in VF mode.
Limitations of bottleneck detection
The bottleneck detection feature detects latency bottlenecks only at the point of egress, not
ingress. For example, for E_Ports, only the traffic egressing the port is monitored. For FCoE ports at
the FC-DCB (Data Center Bridging) boundary, traffic going from FC to DCB is monitored, but traffic
going from DCB to FC is not monitored.
ATTENTION
Using this feature for latency bottleneck detection is not recommended for link utilizations above 85%.
Fabric OS Administrator’s Guide
53-1002745-02
377
13
Supported configurations for bottleneck detection
High availability considerations for bottleneck detection
The bottleneck detection configuration is maintained across a failover or reboot; however,
bottleneck statistics collected are lost.
Upgrade and downgrade considerations for bottleneck detection
The bottleneck detection configuration is persistent across firmware upgrades and downgrades.
The sub-second latency criterion parameter settings are not preserved on downgrade to firmware
versions earlier than Fabric OS 7.0.0. If you downgrade and then upgrade back to Fabric OS 7.0.0,
the settings revert to their default values.
Trunking considerations for bottleneck detection
A trunk behaves like a single port. Both latency and congestion bottlenecks are reported on the
master port only, but apply to the entire trunk.
For masterless trunking, if the master port goes offline, the new master acquires all the
configurations and bottleneck history of the old master and continues with bottleneck detection on
the trunk.
Virtual Fabrics considerations for bottleneck detection
Bottleneck detection is supported in both VF and non-VF modes.
In VF mode, if a port on which bottleneck detection is enabled is moved out of a logical switch, any
per-port configurations are retained by the logical switch. The per-port configuration does not
propagate outside of the logical switch. If the port is returned to the logical switch, the previous
per-port configurations are automatically set for the port. See “Changing bottleneck detection
parameters” on page 384 for more information about changing per-port configurations.
In logical fabrics, bottleneck detection is not performed on logical ISLs.
Because a base fabric carries traffic from multiple logical fabrics, bottlenecks reported in the base
fabric can be caused by a mixture of traffic from multiple logical fabrics or by traffic from a single
logical fabric. It is not possible to attribute a base fabric bottleneck to the exact logical fabric
causing it. Dedicated ISLs are exclusive to one logical fabric, and any bottleneck on a dedicated ISL
E_Port pertains entirely to the traffic of that logical fabric.
Access Gateway considerations for bottleneck detection
If bottleneck detection is enabled on a logical switch with some F_Ports connected to an Access
Gateway, you do not get information about which device is causing a bottleneck, because devices
are not directly connected to this port. To detect bottlenecks on an Access Gateway, enable
bottleneck detection on the Access Gateway to which the devices are actually connected.
378
Fabric OS Administrator’s Guide
53-1002745-02
Credit Loss
13
Credit Loss
Fabric OS v7.1 and later supports back-end credit loss detection back-end ports and core blades as
well as on the Brocade 5300 and 6520 switches, although the support is slightly different on each
device. See below for details on these switches, and the Fabric OS Troubleshooting and
Diagnostics Guide for more general information.
Back-end credit loss detection and recovery support on Brocade 5300
switches
The following credit loss detection methods are supported for Brocade 5300 back-end ports:
• Per-port polling to detect credit loss. If credit loss is detected using this method, the
RASlog C2-1012 message is displayed and recorded.
• On-demand VC credit loss detection. If credit loss is detected using this method, the
RASlog C2-1027 message is displayed and recorded.
• TX timeout trigger automatic VC credit loss detection. If credit loss is detected using this
method, the RASlog C2-1027 message is displayed and recorded.
The following credit loss recovery methods are supported for Brocade 5300 back-end ports:
• For the first two credit loss methods described above, a link reset will automatically be
performed, assuming that this option was enabled. See “Enabling back-end credit loss
detection and recovery” below for details on enabling this feature.
• For the third credit loss method described above, a link reset will be automatically performed if
complete credit loss on a VC is detected.
• A manual link reset option using the bottleneckmon command is also available. See “Enabling
back-end credit loss detection and recovery” below for instructions.
NOTE
Whenever a link reset is performed on this switch, the RASlog C2-1014 message is displayed
and recorded.
Back-end credit loss detection and recovery support on Brocade 6520
switches
The following credit loss detection methods are supported for Brocade 6520 back-end ports:
• Per-port polling to detect credit loss. If credit loss is detected using this method, the
RASlog C3-1012 message is displayed and recorded.
• Per-VC credit loss detection. If single-credit loss is detected using this method, it will be
automatically recovered and the RASlog C3-1023 message is displayed and recorded.
If multi-credit loss is detected using this method, the RASlog C3-1013 message is displayed
and recorded. There is no automatic recovery for multi-credit loss.
• Complete VC credit loss detection. If credit loss is detected using this method, the
RASlog C2-1011 message is displayed and recorded.
Fabric OS Administrator’s Guide
53-1002745-02
379
13
Enabling bottleneck detection on a switch
The following credit loss recovery methods are supported for Brocade 6520 back-end ports:
• For all the credit loss methods described above, a link reset will automatically be performed,
assuming that this option was enabled. See “Enabling back-end credit loss detection and
recovery” below for details on enabling this feature.
• A manual link reset option using the bottleneckmon command is also available. See “Enabling
back-end credit loss detection and recovery” below for instructions.
NOTE
Whenever a link reset is performed on this switch, the RASlog C3-1014 message is displayed
and recorded.
Enabling back-end credit loss detection and recovery
Credit loss detection and recovery is enabled and disabled through the CLI using the
bottleneckmon --cfgcredittools command.
Notes:
• The execution of this command is subject to Virtual Fabric or Admin Domain restrictions that
may be in place. Refer to the Fabric OS Troubleshooting and Diagnostics Guide for more
information.
• The bottleneck detection commands are supported on F_Ports, FL_Ports, E_Ports, and
EX_Ports.
• The credit recovery commands are supported only on back-end ports of 4G, 8G, and 16G
Capable FC platforms for blades in the Brocade DCX, DCX-4S, DCX 8510-8, and DCX 8510-4
chassis.
Enabling bottleneck detection on a switch
Enabling bottleneck detection permits both latency and congestion detection.
Bottleneck detection is enabled on a switch basis. It is recommended that you enable bottleneck
detection on every switch in the fabric. If you later add additional switches, including logical
switches, to the fabric, be sure to enable bottleneck detection on those switches as well.
When you enable bottleneck detection on a switch, the settings are applied to all eligible ports on
that switch. If ineligible ports later become eligible or, in the case of a logical switch, if ports are
moved to the logical switch, bottleneck detection is automatically applied to those ports.
You can later override these settings on a per-port basis, as described in “Changing bottleneck
detection parameters” on page 384.
Use the following procedure to enable bottleneck detection:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the bottleneckmon --enable command to enable bottleneck detection on all eligible
ports on the switch.
By default, alerts are not sent unless you specify the alert parameter; however, you can view a
history of bottleneck conditions for the port as described in “Displaying bottleneck statistics”
on page 391.
380
Fabric OS Administrator’s Guide
53-1002745-02
Displaying bottleneck detection configuration details
13
3. Repeat step 1 and step 2 on every switch in the fabric.
NOTE
Best practice is to use the default values for the alerting and sub-second latency criterion
parameters.
Example of enabling bottleneck detection
(Recommended use case) The following example enables bottleneck detection on the switch with
alerts using default values for thresholds and time.
switch:admin> bottleneckmon --enable -alert
The following example enables bottleneck detection on the switch without alerts. In this case, even
though alerts are not delivered, you can still view the bottleneck history using either the CLI or BNA.
switch:admin> bottleneckmon --enable
Displaying bottleneck detection configuration details
Use the following procedure to display the bottleneck detection configuration details:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the bottleneckmon --status command to display the details of bottleneck detection
configuration for the switch, which includes the following:
•
•
•
•
Whether the feature is enabled
Switch-wide parameters
Per-port overrides, if any
Excluded ports
The initials in the section “Per-port overrides for alert parameters,” indicate which alerts have been
set. The meanings are as follows:
•
•
•
•
C indicates a congestion alert has been set
L indicates a latency alert has been set
Y indicates both alerts are set
N indicates no alerts are set
The examples below show the status of different bottleneck alerts.
Example of status showing that bottleneck detection is not enabled
switch:admin> bottleneckmon --status
Bottleneck detection - Disabled
switch:admin>
See “Enabling bottleneck detection on a switch” on page 380 for instructions on enabling
bottleneck detection.
Example of status output showing that bottleneck detection is enabled for both congestion and latency
switch:admin> bottleneckmon --status
Bottleneck detection - Enabled
==============================
Fabric OS Administrator’s Guide
53-1002745-02
381
13
Setting bottleneck detection alerts
Switch-wide sub-second latency bottleneck criterion:
====================================================
Time threshold
- 0.800
Severity threshold
- 50.000
Switch-wide alerting parameters:
============================
Alerts
Latency threshold for alert
Congestion threshold for alert Averaging time for alert
Quiet time for alert
-
Yes
0.100
0.800
300 seconds
300 seconds
Example of status output showing that only a congestion alert at the switch level has been set
switch:admin> bottleneckmon --status
Bottleneck detection - Enabled
==============================
Switch-wide sub-second latency bottleneck criterion:
====================================================
Time threshold
- 0.800
Severity threshold
- 50.000
Switch-wide alerting parameters:
============================
Alerts
Congestion threshold for alert Averaging time for alert
Quiet time for alert
-
Congestion only
0.800
300 seconds
300 seconds
Per-port overrides for alert parameters:
========================================
Port
Alerts? LatencyThresh
CongestionThresh
Time (s)
QTime(s)
================================================================================
1
Y
0.100
0.800
300
300
2
C
-0.800
600
600
3
L
0.100
-300
300
4
N
-----
NOTE
If there are no per-port overrides, then that section is not displayed.
Setting bottleneck detection alerts
You can configure Fabric OS to log per-port alerts based on the latency and congestion history of
the port. Alerts are generated based on the number of affected seconds over a specified period of
time. If the number of affected seconds is higher than the threshold, an alert is generated.
This evaluation is done independently for latency and congestion.
The bottleneckmon -alert parameters described below determine whether an alert is generated
and what for.
For example, Figure 48 shows an interval of 12 seconds, in which 6 seconds are affected by a
congestion bottleneck and 3 seconds are affected by a latency bottleneck.
382
Fabric OS Administrator’s Guide
53-1002745-02
Setting bottleneck detection alerts
FIGURE 48
13
Affected seconds for bottleneck detection
The -time parameter specifies the time window. For this example, -time equals 12 seconds.
The -cthresh and -lthresh parameters specify the thresholds on number of affected seconds that
trigger alerts for congestion and latency bottlenecks, respectively. This example uses the default
values for these parameters, where -cthresh = 0.8 (80%) and -lthresh = 0.1 (10%).
For this time window, 50% of the seconds (6 out of 12 seconds) are affected by congestion. This is
below the threshold of 80%, so an alert would not be generated for a congestion bottleneck.
For the same time window, 25% of the seconds (3 out of 12 seconds) are affected by latency.
This exceeds the threshold of 10%, so an alert would be generated for a latency bottleneck.
Setting both a congestion alert and a latency alert
Entering the bottleneckmon --enable -alert command enables both alerts using the default alert
values.
Example of setting an alert for both congestion and latency
This example enables both alerts and shows their values.
switch:admin> bottleneckmon --enable -alert
switch:admin> bottleneckmon --status
Bottleneck detection - Enabled
==============================
Switch-wide sub-second latency bottleneck criterion:
====================================================
Time threshold
- 0.800
Severity threshold
- 50.000
Switch-wide alerting parameters:
================================
Alerts
Latency threshold for alert
Congestion threshold for alert Averaging time for alert
Quiet time for alert
-
Fabric OS Administrator’s Guide
53-1002745-02
Yes
0.100
0.800
300 seconds
300 seconds
383
13
Changing bottleneck detection parameters
Setting a congestion alert only
This example enables a congestion alert and shows its values.
Example of setting an alert for congestion
switch:admin> bottleneckmon --enable -alert=congestion
switch:admin> bottleneckmon --status
Bottleneck detection - Enabled
==============================
Switch-wide sub-second latency bottleneck criterion:
====================================================
Time threshold
- 0.800
Severity threshold
- 50.000
Switch-wide alerting parameters:
================================
Alerts
Congestion threshold for alert Averaging time for alert
Quiet time for alert
-
Congestion only
0.800
300 seconds
300 seconds
Setting a latency alert only
This example enables a latency alert shows its values.
Example of setting an alert for latency
switch:admin> bottleneckmon --enable -alert=latency
switch:admin> bottleneckmon --status
Bottleneck detection - Enabled
==============================
Switch-wide sub-second latency bottleneck criterion:
====================================================
Time threshold
- 0.800
Severity threshold
- 50.000
Switch-wide alerting parameters:
================================
Alerts
Latency threshold for alert
Averaging time for alert
Quiet time for alert
-
Latency only
0.100
300 seconds
300 seconds
Changing bottleneck detection parameters
When you enable bottleneck detection, you can configure switch-wide or port-specific alerting
parameters. The alerting parameters indicate whether alerts are sent, and the threshold, time, and
quiet time options, as well as sub-second latency criterion for ports.
After you enable bottleneck detection, you can change the alerting parameters for the entire switch
or just for individual ports. For example, you can change only the latency threshold for only port 47
without affecting any other port. You can also change the parameters on ports that have been
excluded from bottleneck detection.For a trunk, you can change the parameters only on the master
port.
384
Fabric OS Administrator’s Guide
53-1002745-02
Changing bottleneck detection parameters
13
NOTE
Entering a --config command changes only those settings specified in the command; all others are
left alone. The only exceptions are for the -alert (restores alerts using recorded values) or -noalert
(disables all alerts) switches. This means that if you want alerts, you must specify what you want as
the -alert value for every bottleneckmon - -config -alert command. See “Notes” on page 388 for
information about --config and -alert-related settings.
Use the following procedure to configure the bottleneck detection parameters:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the bottleneckmon --config command to set the alerting and sub-second latency
criterion parameters.
To remove any port-specific alerting and sub-second latency criterion parameters and revert to the
switch-wide parameters, enter the bottleneckMon --configclear command. To remove and erase all
bottleneck alerts and their criteria, enter bottleneckMon --disable. See “Disabling bottleneck
detection on a switch” on page 392 for more details.
Examples of applying and changing bottleneck detection parameters
The following examples show not just how to change various bottleneck detection parameters, but
how the changes made are retained when the next set of changes is made. For each example, after
the configuration command is run, the bottleneckMon --status command is run to show the new
settings, which are bolded just for the examples.
Example 1: Setting time window, quiet time, and threshold values for an entire switch
This example sets the time window to 150 seconds, the quiet time to 150 seconds, the congestion
threshold to 0.7 (70%) and the latency threshold to 0.2 (20%) for the entire switch.
switch:admin> bottleneckmon --config -alert -time 150 -qtime 150 -cthresh 0.7
-lthresh 0.2
switch:admin> bottleneckmon --status
Bottleneck detection - Enabled
==============================
Switch-wide sub-second latency bottleneck criterion:
====================================================
Time threshold
- 0.800
Severity threshold
- 50.000
Switch-wide alerting parameters:
================================
Alerts
Latency threshold for alert
Congestion threshold for alert Averaging time for alert
Quiet time for alert
-
Yes
0.200
0.700
150 seconds
150 seconds
Example 2: Changing time window value for an entire switch
This changes the time window value to 200 seconds for the entire switch.
switch:admin> bottleneckmon --config -alert -time 200
switch:admin> bottleneckmon --status
Bottleneck detection - Enabled
==============================
Fabric OS Administrator’s Guide
53-1002745-02
385
13
Changing bottleneck detection parameters
Switch-wide sub-second latency bottleneck criterion:
====================================================
Time threshold
- 0.800
Severity threshold
- 50.000
Switch-wide alerting parameters:
================================
Alerts
Latency threshold for alert
Congestion threshold for alert Averaging time for alert
Quiet time for alert
-
Yes
0.200
0.700
200 seconds
150 seconds
Example 3: Disabling bottleneck detection alerts for a port
This disables bottleneck detection alerts for port 46 only.
switch:admin> bottleneckmon --config -noalert 46
switch:admin> bottleneckmon --status
Bottleneck detection - Enabled
==============================
Switch-wide sub-second latency bottleneck criterion:
====================================================
Time threshold
- 0.800
Severity threshold
- 50.000
Switch-wide alerting parameters:
================================
Alerts
Latency threshold for alert
Congestion threshold for alert Averaging time for alert
Quiet time for alert
-
Yes
0.200
0.700
200 seconds
150 seconds
Per-port overrides for alert parameters:
========================================
Port
Alerts? LatencyThresh
CongestionThresh
Time (s)
QTime (s)
=================================================================================
46
N
-----
Example 4: Selecting latency-only alerts and changing the latency threshold value for a single port
This changes the alerts to latency-only and the latency threshold value to 0.75, both on port 47
only.
switch:admin> bottleneckmon --config -alert=latency -lthresh 0.75 47
switch:admin> bottleneckmon --status
Bottleneck detection - Enabled
==============================
Switch-wide sub-second latency bottleneck criterion:
====================================================
Time threshold
- 0.800
Severity threshold
- 50.000
Switch-wide alerting parameters:
================================
Alerts
- Yes
Latency threshold for alert
- 0.200
386
Fabric OS Administrator’s Guide
53-1002745-02
Changing bottleneck detection parameters
13
Congestion threshold for alert - 0.700
Averaging time for alert
- 200 seconds
Quiet time for alert
- 150 seconds
Per-port overrides for alert parameters:
========================================
Port
Alerts? LatencyThresh
CongestionThresh
Time (s)
QTime (s)
=================================================================================
46
N
----47
L
0.750
-200
150
Example 5: Changing the latency time value for a single port
This changes the time value to 250 seconds for port 47 only. Notice that the command must
include -alert=latency to preserve the latency-only alerts configured in the previous example.
In general, -alert must be specified (with =latency or =congestion if desired), on every --config
command when alerts are desired.
switch:admin> bottleneckmon --config -alert=latency -time 250 47
switch:admin> bottleneckmon --status
Bottleneck detection - Enabled
==============================
Switch-wide sub-second latency bottleneck criterion:
====================================================
Time threshold
- 0.800
Severity threshold
- 50.000
Switch-wide alerting parameters:
================================
Alerts
Latency threshold for alert
Congestion threshold for alert Averaging time for alert
Quiet time for alert
-
Yes
0.200
0.700
200 seconds
150 seconds
Per-port overrides for alert parameters:
========================================
Port
Alerts? LatencyThresh
CongestionThresh
Time (s)
QTime (s)
=================================================================================
46
N
----47
L
0.750
-250
150
Example 6: Clearing bottleneck detection override values from ports
This removes any changed bottleneck detection parameter values from ports 46 and 47.
Notice that the “Per-port overrides for alert parameters” section is not displayed as there are no
per-port overrides.
switch:admin> bottleneckmon --configclear 46-47
switch:admin> bottleneckmon --status
Bottleneck detection - Enabled
==============================
Switch-wide sub-second latency bottleneck criterion:
====================================================
Time threshold
- 0.800
Severity threshold
- 50.000
Fabric OS Administrator’s Guide
53-1002745-02
387
13
Advanced bottleneck detection settings
Switch-wide alerting parameters:
================================
Alerts
Latency threshold for alert
Congestion threshold for alert Averaging time for alert
Quiet time for alert
-
Yes
0.200
0.700
200 seconds
150 seconds
Adjusting the frequency of bottleneck alerts
Depending on the circumstances, a problematic switch or port might be triggering alerts more
frequently than desired. The -qtime parameter can be used to throttle alerts by specifying the
minimum number of seconds between consecutive alerts. Thresholds are configured separately for
each type of bottleneck and statistical data are collected independently for each condition.
This parameter applies individually to each type of bottleneck detection; so there can be one
latency alert and one congestion alert in one quiet time.
Example of setting quiet time
This example sets a latency threshold of 0.8 for a time window of 30 seconds, and specifies that an
alert should be sent when 80% (0.8) of the one-second samples over any period of 30 seconds
were affected by latency bottleneck conditions; the system then waits 60 seconds before issuing
the next alert (assuming that there is one).
switch:admin> bottleneckmon --enable -lthresh 0.8 -time 30 -qtime 60
-alert=latency
switch:admin>
Notes
• Alert-related parameters can only be specified with --config when -alert is specified.
This is because -noalert is assumed if -alert is not specified, and -noalert cancels all
alert-related parameters. As long as you want alerts, you must include the exact form of alert
(-alert, -alert=congestion, or -alert=latency) in every --config operation, even if alerts are
already enabled.
• The retention of settings applies only to the --config command, not to --enable.
An --enable operation behaves as if there is no preexisting user configuration, so if the --enable
command does not include -alert, but does specify alert-related parameters, that command
will fail.
Advanced bottleneck detection settings
Bottleneck detection uses the concept of an affected second when determining whether a
bottleneck exists on a port. Each second is marked as being affected or unaffected by a latency or
congestion bottleneck, based on certain criteria.
You can use the sub-second latency criterion parameters to refine the criterion for determining
whether a second is marked as affected by latency bottlenecks. For example, you might want to use
the sub-second latency criterion parameters in the following cases:
• You notice an under-performing application, but do not see any latency bottlenecks detected.
You can temporarily increase the sub-second sensitivity of latency bottleneck detection on the
specific F_Ports for this application.
388
Fabric OS Administrator’s Guide
53-1002745-02
Excluding a port from bottleneck detection
13
• You want greater-than-default (sub-second) latency sensitivity on your fabric, so you set
sub-second latency criterion parameters at the time you enable bottleneck detection.
• You want to reduce the number of alerts you are receiving about known latency bottlenecks in
the fabric, so you temporarily decrease the sub-second latency sensitivity on these ports.
• You have a latency bottleneck on an ISL that is not at the edge of the fabric.
The sub-second latency criterion parameters are always applicable. These parameters affect alerts
and, even if alerting is not enabled, they affect the history of bottleneck statistics.
The sub-second latency criterion parameters are the following, with default values in parentheses:
• -lsubsectimethresh (0.8) is similar to the -lthresh alerting parameter, except on a sub-second
level. The default value of 0.8 means that at least 80% of a second must be affected by latency
for the second to be marked as affected.
• -lsubsecsevthresh (50) specifies the factor by which throughput must drop in a second for that
second to be considered affected by latency. The default value of 50 means that the observed
throughput in a second must be no more than 1/50th the capacity of the port for that second
to be counted as an affected second. 1/50th of capacity means 2% of capacity, which means
98% loss of throughput.
Sub-second latency criterion parameters apply only to latency bottlenecks and not congestion
bottlenecks.
When you enable bottleneck detection, you can specify switch-wide sub-second latency criterion
parameters. After you enable bottleneck detection, you can change the sub-second latency
criterion parameters only on a per-port basis. You cannot change them on the entire switch, as you
can with alerting parameters, unless you disable and then re-enable bottleneck detection.
Changing the sub-second latency criterion parameters on specific ports causes an interruption in
the detection of bottlenecks on those ports, which means the history of bottlenecks is lost on these
ports. Also note the following behaviors if you change the sub-second latency criterion parameters:
• Traffic through these ports is not affected.
• History of latency bottlenecks and congestion bottlenecks is lost on these ports. Other ports
are not affected, however.
• The interruption occurs whether you set or clear per-port overrides on the sub-second latency
criterion parameters.
• Because of the interruption, you can never have an alert for a port such that the alert spans
periods of time with different sub-second latency criteria on that port.
Excluding a port from bottleneck detection
When you exclude a port from bottleneck detection, no data is collected from the port and no alerts
are generated for the port. All statistics history for the port is discarded.
Alerting parameters for the port are preserved, so if you later include the port for bottleneck
detection, the alerting parameters are restored.
Per-port exclusions might be needed if, for example, a long-distance port is known to be a
bottleneck because of credit insufficiency. In general, however, per-port exclusions are not
recommended.
Fabric OS Administrator’s Guide
53-1002745-02
389
13
Excluding a port from bottleneck detection
For trunking, if you exclude a slave port from bottleneck detection, the exclusion has no effect as
long as the port is a trunk slave. The exclusion takes effect only if the port becomes a trunk master
or leaves the trunk.
Use the following procedure to exclude a port from bottleneck detection:
1. Connect to the switch to which the target port belongs and log in using an account with admin
permissions.
2. Enter the bottleneckmon --exclude command to exclude the port from bottleneck detection.
To later include the port, enter the bottleneckmon --include command.
Example showing how to exclude a single port from bottleneck detection
This example excludes port 7 only from bottleneck detection. See “Disabling bottleneck detection
on a switch” on page 392 for more information on this command.
NOTE
Excluding the master port excludes the entire trunk, even if individual slave ports are not excluded.
switch:admin> bottleneckmon --exclude 7
switch:admin> bottleneckmon --status
Bottleneck detection - Enabled
==============================
Switch-wide sub-second latency bottleneck criterion:
====================================================
Time threshold
- 0.800
Severity threshold
- 50.000
Switch-wide alerting parameters:
================================
Alerts
Latency threshold for alert
Congestion threshold for alert Averaging time for alert
Quiet time for alert
-
Yes
0.200
0.700
200 seconds
150 seconds
Per-port overrides for alert parameters:
========================================
Port
Alerts? LatencyThresh
CongestionThresh
Time (s)
QTime (s)
=================================================================================
46
N
----47
L
0.750
-250
150
Excluded ports:
===============
Port
====
7
Example showing how to re-include bottleneck detection for a port
This restores bottleneck detection for port 7. Notice that the “Excluded ports” section is not
displayed as there are no excluded ports.
switch:admin> bottleneckmon --include 7
switch:admin> bottleneckmon --status
Bottleneck detection - Enabled
==============================
390
Fabric OS Administrator’s Guide
53-1002745-02
Displaying bottleneck statistics
13
Switch-wide sub-second latency bottleneck criterion:
====================================================
Time threshold
- 0.800
Severity threshold
- 50.000
Switch-wide alerting parameters:
================================
Alerts
Latency threshold for alert
Congestion threshold for alert Averaging time for alert
Quiet time for alert
-
Yes
0.200
0.700
200 seconds
150 seconds
Per-port overrides for alert parameters:
========================================
Port
Alerts? LatencyThresh
CongestionThresh
Time (s)
QTime (s)
=================================================================================
46
N
----47
L
0.750
-250
150
Displaying bottleneck statistics
You can use the bottleneckmon --show command to display a history of bottleneck conditions, for
up to three hours. This command has several display options:
• Display only latency bottlenecks, only congestion bottlenecks, or both combined.
• Display bottleneck statistics for a single port, bottleneck statistics for all ports on the switch, or
a list of ports affected by bottleneck conditions.
• Continuously update the displayed data with fresh data.
Use the following procedure to display the bottleneck statistics:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the bottleneckmon --show command.
Example of displaying the bottleneck history in 5-second windows over a period of 30 seconds
In this example, the definition of bottlenecked ports is any port that had a bottleneck occur during
any second in the corresponding interval.
switch:admin> bottleneckmon --show -interval 5 -span 30
==================================================================
Wed Jan 13 18:54:35 UTC 2010
==================================================================
List of bottlenecked ports in most recent interval:
5
==================================================================
Number of
From
To
bottlenecked ports
==================================================================
Jan 13 18:54:05
Jan 13 18:54:10
1
Jan 13 18:54:10
Jan 13 18:54:15
2
Jan 13 18:54:15
Jan 13 18:54:20
1
Jan 13 18:54:20
Jan 13 18:54:25
1
Jan 13 18:54:25
Jan 13 18:54:30
0
Jan 13 18:54:30
Jan 13 18:54:35
0
Fabric OS Administrator’s Guide
53-1002745-02
391
13
Disabling bottleneck detection on a switch
Disabling bottleneck detection on a switch
When you disable bottleneck detection on a switch, all bottleneck configuration details are
discarded, including the list of excluded ports and non-default values of alerting parameters.
Use the following procedure to disable bottleneck detection:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the bottleneckmon --disable command to disable bottleneck detection on the switch.
switch:admin> bottleneckmon --disable
Example of disabling bottleneck detection on a switch
switch:admin> bottleneckmon --disable
switch:admin> bottleneckmon --status
Bottleneck detection - Disabled
392
Fabric OS Administrator’s Guide
53-1002745-02
Chapter
14
In-flight Encryption and Compression
In this chapter
• In-flight encryption and compression overview . . . . . . . . . . . . . . . . . . . . . .
• Configuring encryption and compression . . . . . . . . . . . . . . . . . . . . . . . . . .
• Encryption and compression examples . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Working with EX_Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
393
399
406
411
In-flight encryption and compression overview
The in-flight encryption and compression features of Fabric OS allow frames to be encrypted or
compressed at the egress point of an ISL between two Brocade switches, and then to be decrypted
or decompressed at the ingress point of the ISL. These features use port-based encryption and
compression. You can enable the encryption and compression feature for both E_Ports and
EX_Ports on a per-port basis. By default this feature is initially disabled for all ports on a switch.
NOTE
The in-flight encryption and compression features are supported for any port speed, but only on
16G-capable E_Ports and EX_Ports on the Brocade 6510 and 6520 switches and the Brocade DCX
8510 Backbone family.
The purpose of encryption is to provide security for frames while they are in flight between two
switches. The purpose of compression is for better bandwidth use on the ISLs, especially over long
distance. An average compression ratio of 2:1 is provided. Frames are never left in an encrypted or
compressed state when delivered to an end device. Both ends of the ISL must terminate in
16G-capable FC ports.
Encryption and compression can be enabled at the same time for an ISL, or you can enable either
encryption or compression selectively. Figure 49 shows an example of 16 Gbps links connecting
three Brocade switches. One link is configured with encryption and compression, one with just
encryption, and one with just compression.
Fabric OS Administrator’s Guide
53-1002745-02
393
14
In-flight encryption and compression overview
En
cr
yp
tio
on
Compression/Encryption
si
es
pr
FIGURE 49
om
16G
C
n
16G
16G
Encryption and compression on 16 Gbps ISLs
The encryption and compression features are designed to work only with E_Ports, EX_Ports, and XISL
ports (in VF mode). Encryption and compression are also compatible with the following features:
•
•
•
•
E_Ports or EX_Ports with trunking, QoS, or long distance features enabled.
Flow control modes: R_RDY, VC_RDY, and EXT_VC_RDY.
XISL ports in VF mode.
FCP data frames and non-FCP data frames except ELS and BLS frames.
FCP data frames are of Type = 0x8. For encryption, R_CTL = 0x1 and R_CTL = 0x4 are
supported. For compression, only R_CTL = 0x1 is supported.
Non FCP data frames are of Type != 0x8.
Non FCP frames with ELS/BLS (R_CTL == 0x2 || R_CTL == 0x8) are not supported.
NOTE
No license is needed to configure and enable in-flight encryption or compression.
Encryption and compression restrictions
• Configuration is dynamic based on port speed. See Table 62 on page 395 for specific details
about the number of ports supported for encryption and compression.
• Ports must be 16 Gbps capable, although port speed can be any configurable value.
• The devices at either end of the ISL must run Fabric OS 7.0.0 or later software.
• Only E_Ports, EX_Ports, and XISL ports (in VF mode) support encryption or compression.
ICL ports do not currently support encryption or compression.
•
394
Encryption is not supported in FIPS mode, as in-flight encryption is not FIPS compliant.
Fabric OS Administrator’s Guide
53-1002745-02
In-flight encryption and compression overview
14
Bandwidth limits
Fabric OS supports up to 32 Gbps of data encryption and 32 Gbps of data compression per
16G-capable FC platform. This limits the number of ports that can have these features enabled at
any one time. Table 62 shows some examples of how port speed affects the number of supported
ports for different implementations.
TABLE 62
Number of ports supported per chip or per trunk
Blades (FC16-32, FC16-48)1
Port speed
Encryption only
Compression only
Encryption and compression
16 Gbps
4 ports
4 ports
4 ports
10 Gbps
6 ports
6 ports
6 ports
8/4/2 Gbps
8 ports
8 ports
8 ports
Auto-negotiate (AN)
4 ports
4 ports
4 ports
6510 Fixed-port switches2
16 Gbps
2 ports
2 ports
2 ports
10 Gbps
3 ports
3 ports
3 ports
8/4/2 Gbps
4 ports
4 ports
4 ports
Auto-negotiate (AN)
2 ports
2 ports
2 ports
6520 Fixed-port switches3
16 Gbps
8 ports
8 ports
8 ports
10 Gbps
12 ports
12 ports
12 ports
8/4/2 Gbps
16 ports
16 ports
16 ports
Auto-negotiate (AN)
8 ports
8 ports
8 ports
1.
For port blades, two ASICs; per ASIC limit = numbers above/two
2.
For Brocade 6510, one ASIC; per ASIC limit = numbers above/one
3.
For Brocade 6520, four edge ASICs; per ASIC limit = numbers above/four
NOTE
Even though this table does not show all the possible combinations of different speeds for the
encryption/compression ports, other combinations are also supported. The number of supported
ports is automatically calculated based on the speeds chosen.
Payload size limits
As the current encryption protocol can support only 560 words (2240 bytes), the payload size of
the frame has to be restricted to 2048 bytes. This is to ensure the frame reception on an
encryption-enabled XISL involving a Base switch works correctly.
Key Entry limitations
The current encryption supports the AES-GCM authenticated encryption block cipher mode. A key,
Initial Vector (IV), segment number and Salt are required to encrypt the data before it is
transmitted, and to decode the data after it is received on the other end of the link.
Fabric OS Administrator’s Guide
53-1002745-02
395
14
In-flight encryption and compression overview
The port level authentication security feature must be enabled before encryption configuration can
be enabled. Pre-shared secret keys should be configured on both ends of the ISL to perform
authentication. Once the link has been authenticated, the port (E_Port or EX_Port) will use the IKE
protocol to generate and exchange the keys, IV and Salt values.
At this time expiry keys are not supported. This means that the keys generated for a port will remain
the same for as long as the port is online. When a port is segmented, disabled, or taken offline,
a new and different set of keys will be generated when the port is enabled.
All members of the trunk group use the same set of keys as that of the master port, and slave ports
do not perform any key exchanges. If there is an E_Port or EX_Port change due to the master port
going offline, the same set of keys used by the trunk will continued to be used.
How encryption and compression are enabled
Encryption and compression capabilities and configurations from each end of the ISL are
exchanged during E_Port or EX_Port initialization. Capabilities and configurations must match,
otherwise port segmentation or disablement occurs. If the port was configured for compression,
then the compression feature is enabled.
If the port was configured for encryption, authentication is performed and the keys needed for
encryption are generated. The encryption feature is enabled if authentication is successful.
If authentication fails, then the ports are segmented.
You can also decommission any port that has in-flight encryption/compression enabled. See “Port
decommissioning” on page 90 for details on decommissioning ports.
Encryption and compression commands
Here are the commands most commonly associated with the encryption/compression feature.
See the Fabric OS Command Reference for more details on these commands.
portEncCompShow
The portEncCompShow command allows you to view the encryption and compression configuration
on any given port and whether it is active or not. It also shows the port speeds.
This command displays the speed of the port as part of the portStatsShow command. If the speed
is configured as AUTO NEG(otiation), the speed of the port is taken as 16G for capacity calculation
and will be displayed accordingly. The same value will be displayed as part of portEncCompShow
even if the link successfully negotiates a speed other than 16G. See also “Configuring encryption
and compression” on page 399 and the Fabric OS Command Reference for more details.
Usage: portEncCompShow [slot/]port
Example output
switch:admin> portStatsShow 16/17
16 16 011000 id N8 Online FC
2" (downstream)
17 17 011100 id N8 Online FC
2"
switch>
User
Port
---0
396
E-Port
10:00:00:05:33:13:71:3e "switch16
E-Port
10:00:00:05:33:13:71:3e "switch16
portenccompshow
Encryption
Compression
configured
Active
configured
-----------------------No
No
No
Config
Active
-----No
Speed
-----
Fabric OS Administrator’s Guide
53-1002745-02
In-flight encryption and compression overview
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
Yes
Yes
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
No
Yes
Yes
No
No
No
No
No
No
14
16G
16G
portCfgCompress
The portCfgCompress command allows you to enable or disable compression on the specified port.
Usage: portCfgCompress action [slot/]port
Example Enabling the compression configuration on port 2
switch:admin> portcfgcompress --enable 2
Example Disabling the compression configuration on port 2
switch:admin> portcfgcompress --disable 2
portCfgEncrypt
The portCfgEncrypt command allows you to enable or disable encryption on the specified port.
Usage: portCfgEncrypt action [slot/]port
Example Enabling the encryption configuration for port 2
switch:admin> portcfgencrypt --enable 2
Example Disabling the encryption configuration for port 2
switch:admin> portcfgencrypt --disable 2
portShow
The portShow command allows you to verify the port flags.
Usage: portShow
or alternatively portShow port to verify the port flags for an individual port.
Example Displaying the current state of a port with encryption enabled
switch:admin> portshow 10/44
portIndex: 348
portName: slot10 port44
Fabric OS Administrator’s Guide
53-1002745-02
397
14
In-flight encryption and compression overview
portHealth: No Fabric Watch License
Authentication: None
portDisableReason: None
portCFlags: 0x1
portFlags: 0x10000103 PRESENT ACTIVE E_PORT T_PORT T_MASTER G_PORT
U_PORT ENCRYPT LOGIN
LocalSwcFlags: 0x0
portType: 24.0
portState: 1
Online
Protocol: FC
portPhys: 6 In_Sync portScn: 1 Online Trunk master port
port generation number:
44
state transition count:
12
Authentication and key generation
The following points apply to authentication and Key generation on the supported devices:
• The Diffie-Hellman - Challenge Handshake Authentication Protocol (DH-CHAP) protocol must be
configured along with the DH group 4 for port level authentication as a prerequisite for in-flight
encryption. Pre-shared secret keys must be configured on the devices at either end of the ISL
to perform authentication. Authentication secrets greater than 32 characters are
recommended for stronger encryption keys. Once the link is authenticated, the keys are
generated and exchanged.
• Authentication and key generation only apply to ports that are configured for encryption.
They do not apply to ports that are only configured for compression.
• In-flight encryption uses DH-CHAP authentication (SHA-1 algorithm) followed by Internet Key
Exchange (IKE) protocol (HMAC-SHA-512 algorithm) to generate the keys.
• These encryption keys never expire. While the port remains online, the keys generated for the
port remain the same. When a port is disabled, segmented, or taken offline, a new set of keys
is generated when the port is enabled again.
• All members of a trunk group use the same set of keys as the master port. Slave ports do not
exchange keys. If the master port goes offline causing an E_Port or EX_Port change, the trunk
continues to use the same set of keys.
Availability considerations
For FC16-32 or FC16-48 blades, if the two ports configured for encryption or compression within
the same ASIC are not configured for trunking, it is recommended to connect each ISL to a different
ASIC on the peer switch. Similarly, configure the two ports on the other ASIC of the blade. If the
ports are configured for trunking, it is recommended to connect each trunk group to different ASICs
of the peer switch. Configuring all 4 ports of the blade with this suggested configuration will
provide redundancy in the event of encryption/compression port failures.
For Brocade 6510 and 6520 switches, if the two ports are not configured for trunking, we
recommend that you connect each ISL to different ASICs on the peer switch.
NOTE
If any port on the ASIC with encryption or compression enabled encounters rare error conditions that
would need error recovery to be performed on the encryption engine within that ASIC, it causes all
encryption or compression-enabled ports on that ASIC to go offline.
398
Fabric OS Administrator’s Guide
53-1002745-02
Configuring encryption and compression
14
Virtual Fabrics considerations
The E_Ports and EX_Ports in the user-created logical switch, base switch, or default switch; and
EX_Ports on base switches can support encryption and compression. You can configure encryption
on XISL ports, but not on LISL ports. However, frames from the LISL ports are implicitly encrypted or
compressed as they pass through encryption/compression enabled XISL ports.
If an encryption or compression enabled port needs to be moved from one logical switch to another
logical switch, the movement of the port is blocked. You must disable the encryption and
compression configurations before moving the port, and then enable encryption and compression
after the port has moved.
Recommendation for compression
When configuring compression on long distance ports, it is recommended to configure the long
distance ports with double the number of buffers. This can be done by configuring the port to use
the long distance LS mode and specifying the number of buffers to allocate to the port. You can see
what the average compression ratio and the average frame size values are and adjust the
allocated credit accordingly using the portEncCompShow and portBufferShow commands. You can
then use the portBufferCalc command to estimate the assigned credit value to optimize
performance. See the Fabric OS Command Reference for details on using these commands.
Configuring encryption and compression
On a given ISL between two 16 Gbps E_Ports or EX_Ports, you can configure each port for encryption,
compression, or both. Your encryption and compression settings must match at either end of the ISL.
Port segmentation will occur during port initialization if these configurations do not match.
Before configuring a port for encryption, you must configure the port for authentication using the
authUtil and secAuthSecret commands:
• Use the authUtil command to enable switch authentication, enable the DH-CHAP
authentication protocol for ports that support encryption, and select the appropriate
DH (Diffie-Hellman) group (4 or “*”).
To enable switch authentication, use the authUtil --policy command with the -sw option to
select either the on mode or the active mode.
To enable the DH-CHAP authentication protocol, use the authUtil --set command with the -a
option and select either dhchap or all. dhchap explicitly specifies the DH-CHAP protocol.
Although all enables both FCAP and DH-CHAP, the active protocol defaults to DH-CHAP for all
ports configured for in-flight encryption.
To select the appropriate DH group, use the authUtil --set command with the -g option and
choose either group 4 or “*”. If “*” is entered, then group 4 is selected from a list.
• Use the secAuthSecret command to configure a pre-shared secret on both sides of the ISL for
all ports configured for in-flight encryption. A secret of at least 32 characters is recommended.
The maximum length for a secret is 40 characters.
ATTENTION
Port segmentation will occur during port initialization if authentication fails.
Fabric OS Administrator’s Guide
53-1002745-02
399
14
Configuring encryption and compression
Notes
• If you need to disable authentication on a port that has encryption or compression configured,
you must first disable encryption or compression on the port, and then disable authentication.
• If you want to enable authentication across a FC router and an edge fabric switch, you must
first bring all EX_Ports online without using authentication. After this, the front wwn of any
online EX_Port connected to the same switch can be used to configure the secret keys in the
edge fabric switch.
Summary
These steps summarize how to enable encryption or compression on a port:
1. Use the portEncCompShow command to determine which ports are available for encryption or
compression.
NOTE
Enabling/disabling encryption/compression is a offline event. Ports must be disabled first, and
then re-enabled after.
2. If you are enabling encryption on the port, configure port level authentication for the port using
the secAuthSecret and authUtil commands. Omit this step if you want to enable only
compression on the port.
3. Use the portCfgEncrypt command to enable encryption on the port. This step fails if you try to
exceed the number of allowable ports available for encryption or compression on the ASIC.
4. Use the portCfgCompress command to enable compression on the port. This step fails if you
try to exceed the number of allowable ports available for encryption or compression on the
ASIC.
Following successful port initialization, the configured features are enabled and active. You can use
the islShow command to check that the E_Port (or fcrEdgeShow for EX_Ports) has come online with
encryption or compression enabled. Alternatively, you can use the portEncCompShow command to
see which ports are active.
If port initialization is not successful, you can check for port segmentation errors with the
switchShow command. This command will tell you if the segmentation was due to mismatched
encryption or compression configurations on the ports at either end of the ISL, if port-level
authentication failed, or if a required resource was not available.
The following topics provide step-by-step instructions for performing encryption and compression
tasks:
•
•
•
•
400
“Viewing the encryption and compression configuration” on page 401
“Configuring and enabling authentication” on page 403
“Configuring encryption” on page 404
“Configuring compression” on page 404
Fabric OS Administrator’s Guide
53-1002745-02
Configuring encryption and compression
14
Viewing the encryption and compression configuration
To determine which ports are available for encryption or compression on each ASIC on the switch,
follow these steps:
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the portEncCompShow command.
Example Using the portEncCompShow command
The following example shows the output for two ASICs. ASIC 1 (below the line of dashes) already
has compression configured and active on user ports 348 and 349. Given the limit of two ports per
ASIC, ASIC 1 has no more ports available for encryption or compression. ASIC 0 (above the dashed
line) has no ports configured for either encryption or compression and therefore has any two ports
available for this purpose. For bladed switches, use the switchShow command to determine the
slot number of a specific user port.
switch:admin> portenccompshow
User
Encryption
Compression
Config
Port
configured
Active
configured
Active
Speed
-----------------------------------17
No
No
No
No
4G
18
No
No
No
No
4G
19
No
No
No
No
4G
20
No
No
No
No
4G
21
No
No
No
No
4G
22
No
No
No
No
4G
23
No
No
No
No
4G
144
No
No
No
No
4G
145
No
No
No
No
4G
146
No
No
No
No
4G
147
No
No
No
No
4G
148
No
No
No
No
4G
149
No
No
No
No
4G
150
No
No
No
No
4G
151
No
No
No
No
4G
---------------------------------------------------------------88
No
No
No
No
4G
89
No
No
No
No
4G
90
No
No
No
No
4G
91
No
No
No
No
4G
[PORT LISTINGS HIDDEN TO SIMPLIFY DISPLAY]
345
No
No
No
No
4G
346
No
No
No
No
4G
347
No
No
No
No
4G
348
No
No
Yes
Yes
4G
349
No
No
Yes
Yes
4G
350
No
No
No
No
4G
351
No
No
No
No
4G
Port speed and encryption/compression enabled ports
The maximum number of ports on a device that can support the encryption and compression
feature depends on the port speeds and the device. Table 62 on page 395 describes how the
number of ports supported per chip is determined.
Fabric OS Administrator’s Guide
53-1002745-02
401
14
Configuring encryption and compression
Changing port speed on encryption/compression enabled ports
The port speed values can be displayed through several commands, including portStatsShow,
portEncCompShow, and portCfgSpeed. However, the port speed can only be changed using the
portCfgSpeed command.
If the port speed is configured as AUTO NEG, the speed of the port is taken as 16G for calculation
purposes. We recommend that you configure to the ports to a specific speed before enabling
encryption/compression. See “Configuring encryption and compression” on page 399 for more
details.
You can change the port speed on any port which has encryption or compression enabled with the
portCfgSpeed command. When you attempt to change speed on a port which has encryption or
compression enabled, a validation alert appears. If the capacity is available, the port will be
allowed to be configured with the new speed. If there is not enough capacity available, an error
message will appear, and you will not be able to change the port speed. See the Fabric OS
Command Reference for more details on this command.
Example Port speed change failure
switch>
User
Port
---0
1
2
3
4
portenccompshow
Encryption
Compression
configured
Active
Configured
-----------------------No
No
Yes
No
No
Yes
No
No
Yes
No
No
Yes
No
No
Yes
Config
Active
Speed
---------No
4G
No
4G
No
8G
No
16G
No
16G
switch> portcfgspeed 1 0
Configuration for port (1) failed as it exceeds current supported capacity.
Compression ratios and encryption/compression enabled ports
The compression ratio value is recalculated every 5 seconds, and is the ratio between the
accumulated original length and the compressed length of the data over the previous 5 seconds.
When a port is configured for compression, entering portStatsShow displays the port’s
compression ratio. See the Fabric OS Command Reference for more details on this command.
Limitations and restrictions
• The ASIC Compression Block can compress data only if there is at least 3 bytes of data.
• The value shown by portStatsShow is a five-second average. Your results will depend on the
pattern of the payload data.
• The average frame size reported by portCfgShow is the configured framesize, that is, what was
input using portCfgLongdistance on the CLI.
• The portBufferShow command shows the average framesize for both received (rx) and
transmitted (tx) frames. The rx values are after compression and the tx values are before
compression.
402
Fabric OS Administrator’s Guide
53-1002745-02
Configuring encryption and compression
14
• Because encryption adds more payload to the port in addition to compression, the
compression ratio calculation is significantly affected on ports configured for both encryption
and compression. This is because the compressed length then also includes the encryption
header. This overhead affects the ratio calculation. To obtain accurate compression ratio data,
we recommend that you enable ports for compression only.
Configuring and enabling authentication
To configure authentication for ports that will later be configured for encryption, follow these steps:
1. Log in to the switch using an account with admin permissions, or an account with OM
permissions for the Authentication RBAC class of commands.
2. Enter the secAuthSecret --set command to establish pre-shared secrets at each end of the ISL.
It is recommended to use a 32-bit secret for an ISL carrying encrypted or compressed traffic.
switch:admin> secauthsecret --set
When prompted, enter the WWN for the local switch and secret strings for the local switch and
the remote switch.
NOTE
When setting a secret key pair, you are entering the shared secrets in plain text. Use a secure
channel, such as SSH or the serial console, to connect to the switch on which you are setting
the secrets.
3. Enter the authUtil command to set the switch policy mode to Active or On:
switch:admin> authutil --policy -sw active
or alternatively:
switch:admin> authutil --policy -sw on
4. Enable the DH-CHAP authentication protocol:
switch:admin> authutil --set -a dhchap
or alternatively:
switch:admin> authutil --set -a all
NOTE
If the DH-CHAP protocol is specified, then all switches in the fabric must enable the DH-CHAP
protocol and establish pre-shared secrets. If the protocol is set to “all”, you will need to establish
pre-shared secrets or certificates based on the encryption method selected (FCAP or DH-CHAP).
5. Enable authentication with DH group 4 or “*”:
switch:admin> authutil --set -g 4
DH Group was set to 4.
or alternatively:
switch:admin> authutil --set -g "*"
DH Group was set to 0,1,2,3,4.
For additional information about establishing DH-CHAP secrets, see “Secret key pairs for DH-CHAP”
on page 213.
Fabric OS Administrator’s Guide
53-1002745-02
403
14
Configuring encryption and compression
For additional information about configuring DH-CHAP authentication for E_Ports and EX_Ports,
see “Authentication policy for fabric elements” on page 207.
Configuring encryption
NOTE
Before performing this procedure, you must authenticate the port as described in “Configuring and
enabling authentication” on page 403. It is also recommended that you check for port availability
using the portEncCompShow command. See “Viewing the encryption and compression
configuration” on page 401 for details.
To configure encryption on a port, follow these steps:
1. Connect to the switch and log in using an account with secure admin permissions, or an
account with OM permissions for the EncryptionConfiguration RBAC class of commands.
2. Use the portDisable command to disable the port on which you want to configure encryption.
3. Enter the portCfgEncrypt --enable command.
The following example enables encryption on port 21 on a Brocade 6510 switch:
switch:admin> portcfgencrypt --enable 21
The following example enables encryption on port 15 of an FC16-32 blade in slot 9 of an
enterprise class platform:
switch:admin> portcfgencrypt --enable 9/15
4. Enable the port with the portEnable command.
After manually enabling the port, the new configuration becomes active.
Configuring compression
NOTE
Before performing this procedure, it is recommended that you check for port availability using the
portEncCompShow command. See “Viewing the encryption and compression configuration” on
page 401 for details.
To configure compression on a port, follow these steps:
1. Connect to the switch and log in using an account with admin permissions, or an account with
OM permissions for the SwitchPortConfiguration RBAC class of commands.
2. Use the portDisable command to disable the port on which you want to configure compression.
3. Enter the portCfgCompress --enable command.
The following example enables compression on port 21 on a Brocade 6510 switch:
switch:admin> portcfgcompress --enable 21
The following example enables compression on port 15 of an FC16-32 blade in slot 9 of an
enterprise class platform:
switch:admin> portcfgcompress --enable 9/15
404
Fabric OS Administrator’s Guide
53-1002745-02
Configuring encryption and compression
14
4. Enable the port with the portEnable command.
After enabling the port, the new configuration becomes active.
Disabling encryption
To disable encryption on a port, follow these steps:
1. Connect to the switch and log in using an account with secure admin permissions, or an
account with OM permissions for the EncryptionConfiguration RBAC class of commands.
2. Use the portDisable command to disable the port on which you want to disable encryption
3. Enter the portCfgEncrypt --disable command.
The following example disables encryption on port 21 on a Brocade 6510 switch:
switch:admin> portcfgencrypt --disable 21
The following example disables encryption on port 15 of an FC16-32 blade in slot 9 of an
enterprise class platform:
switch:admin> portcfgencrypt --disable 9/15
4. Enable the port with the portEnable command.
After enabling the port, the new configuration becomes active.
Disabling compression
To disable compression on a port, follow these steps:
1. Connect to the switch and log in using an account with admin permissions, or an account with
OM permissions for the SwitchPortConfiguration RBAC class of commands.
2. Use the portDisable command to disable the port on which you want to disable compression.
3. Enter the portCfgCompress --disable command.
The following example disables compression on port 21 on a Brocade 6510 switch:
switch:admin> portcfgcompress --disable 21
The following example disables compression on port 15 of an FC16-32 blade in slot 9 of an
enterprise class platform:
switch:admin> portcfgcompress --disable 9/15
4. Enable the port with the portEnable command.
After enabling the port, the new configuration becomes active.
Fabric OS Administrator’s Guide
53-1002745-02
405
14
Encryption and compression examples
Encryption and compression examples
The following examples show configuring and enabling encryption and compression. In this case,
encryption and compression are being applied to the E_Ports at either end of an ISL connecting a
port on a blade in an enterprise class platform named ‘myDCX’ to a port on a Brocade 6510 switch
named ‘myswitch’. Table 63 identifies each end of the ISL connection by device name, device
WWN, and port number.
TABLE 63
Example ISL connections
Enterprise class platform
Brocade 6510
Name
myDCX
myswitch
WWN
10:00:00:05:1e:e5:cb:00
10:00:00:05:33:13:71:3e
port ID
port index: 246
slot number: 12
port number: 22
port number: 0
The examples below include the following procedures:
•
•
•
•
•
•
406
Setting up authentication to permit secret key generation
Generating a secret key
Enabling encryption
Enabling compression
Disabling encryption
Disabling compression
Fabric OS Administrator’s Guide
53-1002745-02
Encryption and compression examples
14
Example of enabling encryption and compression on an E_Port
This example configures and enables encryption and compression on a given port. The commands
in this example are shown entered on the Brocade 6510 named ‘myswitch’. The same commands
must also be entered on the peer switch.
NOTE
Authentication and a secret key must be configured and established before configuring encryption.
Authentication setup
This first part of the example shows a command sequence that sets up authentication in
preparation for in-flight encryption. Specifically, it configures the DH-CHAP protocol for
authentication, sets the DH group to group 4, and activates authentication:
myswitch:admin> authutil --show
AUTH TYPE
HASH TYPE
GROUP TYPE
---------------------------------------fcap,dhchap
sha1,md5
0,1,2,3,4
Switch Authentication Policy: PASSIVE
Device Authentication Policy: OFF
myswitch:admin> authutil --set -a dhchap
Authentication is set to dhchap.
myswitch:admin> authutil --set -g "4"
DH Group was set to 4.
Secret Key setup
Next, you set a secret key. For this you need to get the WWN of the peer switch.
myswitch:admin> secauthsecret --set
This command is used to set up secret keys for the DH-CHAP authentication.
The minimum length of a secret key is 8 characters and maximum 40
characters. Setting up secret keys does not initiate DH-CHAP
authentication. If switch is configured to do DH-CHAP, it is performed
whenever a port or a switch is enabled.
Warning: Please use a secure channel for setting secrets. Using
an insecure channel is not safe and may compromise secrets.
Following inputs should be specified for each entry.
1. WWN for which secret is being set up.
2. Peer secret: The secret of the peer that authenticates to peer.
3. Local secret: The local secret that authenticates peer.
Press enter to start setting up secrets >
Enter peer WWN, Domain, or switch name (Leave blank when done):
10:00:00:05:1e:e5:cb:00
Enter peer secret:
Re-enter peer secret:
Enter local secret:
Re-enter local secret:
Enter peer WWN, Domain, or switch name (Leave blank when done):
Fabric OS Administrator’s Guide
53-1002745-02
407
14
Encryption and compression examples
Are you done? (yes, y, no, n): [no] y
Saving data to key store... Done.
myswitch:admin> secauthsecret --show
WWN
DId
Name
----------------------------------------------10:00:00:05:1e:e5:cb:00
150
dcx_150
myswitch:admin>
Activate authentication
After you set up the DH-CHAP secrets, you activate DH-CHAP authentication.
myswitch:admin> authutil --policy -sw active
Warning: Activating the authentication policy requires either DH-CHAP secrets or
PKI certificates depending on the protocol selected. Otherwise, ISLs will be
segmented during next E-port bring-up.
ARE YOU SURE (yes, y, no, n): [no] y
Auth Policy is set to ON
myswitch:admin> authutil --show
AUTH TYPE
HASH TYPE
GROUP TYPE
-------------------------------------dhchap
md5
4
Switch Authentication Policy: ON
Device Authentication Policy: OFF
myswitch:admin>
Enabling encryption
Next, you enable encryption on port 0. Note that the first attempt fails because the port is currently
enabled. This example uses the portCfgShow command to check the result. Notice that the output
shows encryption to be enabled on the port.
myswitch:admin> portcfgencrypt --enable 0
Please disable port to configure Encryption/Compression.
myswitch:admin> portdisable 0
myswitch:admin> portcfgencrypt --enable 0
Turning ON Encryption on port(246) will cause the port to be disabled during next
LOGIN
myswitch:admin> portenable 0
myswitch:admin> portcfgshow 0
Area Number:
0
Octet Speed Combo:
3(16G,10G)
Speed Level:
AUTO(SW)
AL_PA Offset 13:
OFF
Trunk Port
ON
Long Distance
OFF
VC Link Init
OFF
Locked L_Port
OFF
Locked G_Port
OFF
Disabled E_Port
OFF
Locked E_Port
OFF
ISL R_RDY Mode
OFF
RSCN Suppressed
OFF
Persistent Disable
OFF
LOS TOV enable
OFF
NPIV capability
ON
QOS E_Port
AE
Port Auto Disable:
OFF
408
Fabric OS Administrator’s Guide
53-1002745-02
Encryption and compression examples
Rate Limit
EX Port
Mirror Port
Credit Recovery
F_Port Buffers
Fault Delay:
NPIV PP Limit:
CSCTL mode:
Frame Shooter Port
D-Port mode:
Compression:
Encryption:
FEC:
myswitch:admin>
14
OFF
OFF
OFF
ON
OFF
0(R_A_TOV)
126
OFF
OFF
OFF
OFF
ON
OFF
Enabling compression
Finally, you enable compression on the same port. The subsequent portCfgShow command shows
both encryption and compression to be enabled on the port.
myswitch:admin> portdisable 0
myswitch:admin> portcfgcompress --enable 0
Turning ON Compression on port(0) will cause the port to be disabled during next
LOGIN
myswitch:admin> portenable 0
myswitch:admin> portcfgshow 0
Area Number:
0
Octet Speed Combo:
3(16G,10G)
Speed Level:
AUTO(SW)
AL_PA Offset 13:
OFF
Trunk Port
ON
Long Distance
OFF
VC Link Init
OFF
Locked L_Port
OFF
Locked G_Port
OFF
Disabled E_Port
OFF
Locked E_Port
OFF
ISL R_RDY Mode
OFF
RSCN Suppressed
OFF
Persistent Disable
OFF
LOS TOV enable
OFF
NPIV capability
ON
QOS E_Port
AE
Port Auto Disable:
OFF
Rate Limit
EX Port
Mirror Port
Credit Recovery
F_Port Buffers
Fault Delay:
NPIV PP Limit:
CSCTL mode:
Frame Shooter Port
D-Port mode:
Compression:
Encryption:
FEC:
myswitch:admin>
Fabric OS Administrator’s Guide
53-1002745-02
OFF
OFF
OFF
ON
OFF
0(R_A_TOV)
126
OFF
OFF
OFF
ON
ON
OFF
409
14
Encryption and compression examples
Examples of disabling encryption and compression
This example disables the encryption and compression that were enabled in the previous example.
Example Disabling encryption on port 0
myswitch:admin> portdisable 0
myswitch:admin> portcfgencrypt --disable 0
myswitch:admin> portenable 0
Example Disabling compression on port 0:
myswitch:admin> portdisable 0
myswitch:admin> portcfgcompress --disable 0
myswitch:admin> portenable 0
Example Using the portCfgShow command to check the results:
myswitch:admin> portcfgshow 0
Area Number:
0
Octet Speed Combo:
3(16G,10G)
Speed Level:
AUTO(SW)
AL_PA Offset 13:
OFF
Trunk Port
ON
Long Distance
OFF
VC Link Init
OFF
Locked L_Port
OFF
Locked G_Port
OFF
Disabled E_Port
OFF
Locked E_Port
OFF
ISL R_RDY Mode
OFF
RSCN Suppressed
OFF
Persistent Disable
OFF
LOS TOV enable
OFF
NPIV capability
ON
QOS E_Port
AE
Port Auto Disable:
OFF
Rate Limit
EX Port
Mirror Port
Credit Recovery
F_Port Buffers
Fault Delay:
NPIV PP Limit:
CSCTL mode:
Frame Shooter Port
D-Port mode:
Compression:
Encryption:
FEC:
myswitch:admin>
410
OFF
OFF
OFF
ON
OFF
0(R_A_TOV)
126
OFF
OFF
OFF
OFF
OFF
OFF
Fabric OS Administrator’s Guide
53-1002745-02
Working with EX_Ports
14
Working with EX_Ports
An EX_Port is a type of E_Port (expansion port) that connects a Fibre Channel router to an edge
fabric. From the point of view of a switch in an edge fabric, an EX_Port appears as a normal E_Port;
It follows applicable Fibre Channel standards just line an E_Port. However, a router terminates an
EX_Port rather than allowing the two different fabrics to merge as would happen with an E_Port.
A connection between an EX_Port and an E_Port is called an Inter-Fabric Link (IFL). You cannot
connect two EX_Ports together; also, EX_Ports cannot be used in a FICON environment.
FIGURE 50
EX_Ports, E_Ports, IFLs, and ISLs
In-flight encryption/compression on EX_Ports
In-flight encryption/compression works on EX_Ports with trunking, QoS, and long distance enabled.
It also works with the VC_RDY and EXT_VC_RDY flow control modes.
Encryption and compression capabilities and configurations are exchanged on the IFL during
EX_Port initialization. The FCR enables encryption and compression only if both ends of the IFL
have matching capabilities and configurations.
NOTE
Any mismatch in configuration at either end of the IFL or authentication failure will result in
segmentation or in rare cases the port being disabled.
Reasons for EX_Port segmentation
Here are the most common reasons for EX_Port segmentation:
• Failure to authenticate correctly.
• Encryption or compression configurations do not match at both ends.
Example: If at one end there is a switch that does not support encryption/compression,
the port will be disabled.
• Encryption or compression configuration is enabled but resources are not available, or there
are other failures preventing encryption or compression from being enabled.
• The number of available ports has reached the bandwidth limitation.
Fabric OS Administrator’s Guide
53-1002745-02
411
14
Working with EX_Ports
NOTE
If trunking is enabled, be aware that the ports creating the bandwidth limitation will form a
trunk group, while the rest of the ports will be segmented.
Example of enabling encryption and compression on an EX_Port
This example configures and enables encryption and compression on an EX_Port. The commands
in this example are shown entered on a Brocade 6510 named ‘myswitch’ as Fibre Channel Router
(FCR) and an edge switch as ‘edge’.
Example Displaying port numbers on the FCR and Edge switches using the fcrEdgeShow command
switch:admin> fcredgeshow
FID
EX-port
E-port
Neighbor Switch (PWWN, SWWN )
Flags
-----------------------------------------------------------------------------20
1
1
20:01:00:05:33:13:70:3e
10:00:00:05:33:13:70:3e
NOTE
Authentication and a secret key must be configured and established before configuring encryption.
Example Setting up authentication in preparation for in-flight encryption
This is for a Fibre Channel Router on which the EX_Port is online; it configures the DH-CHAP
protocol for authentication and sets the DH group to group 4.
myswitch:admin> authutil --show
AUTH TYPE HASH TYPE GROUP TYPE
---------------------------------------fcap,dhchap sha1,md5 0,1,2,3,4
Switch Authentication Policy: PASSIVE
Device Authentication Policy: OFF
myswitch:admin> authutil --set -a dhchap
myswitch:admin> authutil --set -g "*"
switch:admin> authutil --show
AUTH TYPE
HASH TYPE
GROUP TYPE
-------------------------------------dhchap
sha1,md5
0,1,2,3,4
Switch Authentication Policy: PASSIVE
Device Authentication Policy: OFF
NOTE
On EX_Port enabled Fibre Channel Router, there is no need to set authentication policy to Active or
On. EX_Port can operate on any switch authentication policy.
Example Setting a secret key
For this you need to get the WWN of the peer Edge fabric switch.
myswitch:admin> secauthsecret
Usage: secAuthSecret <args>
--show: displays the secret key database
--set: sets up (add or modify) secret keys
--remove [wwn | domain | <sw name>]: removes an entry from secret key database
--remove --all: deletes secret key database
myswitch:admin> secauthsecret --set
412
Fabric OS Administrator’s Guide
53-1002745-02
Working with EX_Ports
14
This command is used to set up secret keys for the DH-CHAP authentication.
The minimum length of a secret key is 8 characters and maximum 40 characters.
Setting up secret keys does not initiate DH-CHAP authentication. If switch is
configured to do DH-CHAP, it is performed whenever a port or a switch is enabled.
Warning: Please use a secure channel for setting secrets. Using an insecure
channel is not safe and may compromise secrets.
Following inputs should be specified for each entry.
1. WWN for which secret is being set up.
2. Peer secret: The secret of the peer that authenticates to peer.
3. Local secret: The local secret that authenticates peer.
Press enter to start setting up secrets >
Enter peer WWN, Domain, or switch name (Leave blank when done):
10:00:00:05:33:13:70:3e
Enter peer secret:
Re-enter peer secret:
Enter local secret:
Re-enter local secret:
Enter peer WWN, Domain, or switch name (Leave blank when done):
Are you done? (yes, y, no, n): [no] y
Saving data to key store... Done.
myswitch:admin> secauthsecret --show
WWN
DId
Name
----------------------------------------------10:00:00:05:33:13:70:3e
8
sw0
Example Enabling encryption on port 1 of ‘myswitch’
There are two things to notice here— the first is that the initial attempt fails because the port is
currently enabled. The second is that the output from the second attempt shows encryption to be
enabled on the port, as shown by the portCfgShow command.
myswitch:admin> portcfgencrypt --enable 1
Please disable port to configure Encryption/Compression.
myswitch:admin> portdisable 1
myswitch:admin> portcfgencrypt --enable 1
myswitch:admin> portenable 1
myswitch:admin> portcfgshow 1
Area Number:
1
Octet Speed Combo:
1(16G|8G|4G|2G)
Speed Level:
AUTO(SW)
AL_PA Offset 13:
OFF
Trunk Port
OFF
Long Distance
OFF
VC Link Init
OFF
Locked L_Port
OFF
Locked G_Port
OFF
Disabled E_Port
OFF
Locked E_Port
OFF
ISL R_RDY Mode
OFF
RSCN Suppressed
OFF
Persistent Disable
OFF
LOS TOV enable
OFF
NPIV capability
ON
Fabric OS Administrator’s Guide
53-1002745-02
413
14
Working with EX_Ports
QOS Port
Port Auto Disable:
Rate Limit
EX Port
Mirror Port
Credit Recovery
F_Port Buffers
Fault Delay:
NPIV PP Limit:
CSCTL mode:
D-Port mode:
Compression:
Encryption:
FEC:
myswitch:admin>
AE
OFF
OFF
ON
OFF
ON
OFF
0(R_A_TOV)
255
OFF
OFF
OFF
ON
ON
Example Enabling compression on port 1 of ‘myswitch’
The subsequent portCfgShow command shows both encryption and compression to be enabled on
the port.
myswitch:admin> portdisable 1
myswitch:admin> portcfgcompress --enable 1
myswitch:admin> portenable 1
myswitch:admin> portcfgshow 1
Area Number:
1
Octet Speed Combo:
1(16G|8G|4G|2G)
Speed Level:
AUTO(SW)
AL_PA Offset 13:
OFF
Trunk Port
OFF
Long Distance
OFF
VC Link Init
OFF
Locked L_Port
OFF
Locked G_Port
OFF
Disabled E_Port
OFF
Locked E_Port
OFF
ISL R_RDY Mode
OFF
RSCN Suppressed
OFF
Persistent Disable
OFF
LOS TOV enable
OFF
NPIV capability
ON
QOS Port
AE
Port Auto Disable:
OFF
Rate Limit
OFF
EX Port
ON
Mirror Port
OFF
Credit Recovery
ON
F_Port Buffers
OFF
Fault Delay:
0(R_A_TOV)
NPIV PP Limit:
255
CSCTL mode:
OFF
D-Port mode:
OFF
Compression:
ON
Encryption:
ON
FEC:
ON
myswitch:admin>
Example Setting the secret key for the front phantom wwn projected by the FCR on the ‘edge’ switch
Use portCfgExPort EX_Port# on the remote FCR to learn the front phantom switch wwn value.
414
Fabric OS Administrator’s Guide
53-1002745-02
Working with EX_Ports
FCR:admin> portcfgexport 1
Port 1 info
Admin:
State:
Pid format:
Operate mode:
Edge Fabric ID:
Front Domain ID:
Front WWN:
Principal Switch:
Principal WWN:
Fabric Parameters:
R_A_TOV:
E_D_TOV:
Authentication Type:
DH Group:
Hash Algorithm:
Encryption:
Compression:
Forward Error Correction:
Edge fabric's primary wwn:
Edge fabric's version stamp:
14
enabled
OK
core(N)
Brocade Native
20
160
50:00:53:31:37:43:ee:14
8
10:00:00:05:33:13:70:3e
Auto Negotiate
10000(N)
2000(N)
None
N/A
N/A
OFF
OFF
OFF
N/A
N/A
Example Configuring the ‘edge’ switch to use DH-CHAP protocol for authentication, setting the DH group to
group 4, and activating switch authentication
edge:admin> authutil --show
AUTH TYPE HASH TYPE GROUP TYPE
---------------------------------------fcap,dhchap sha1,md5 0,1,2,3,4
Switch Authentication Policy: PASSIVE
Device Authentication Policy: OFF
edge:admin> authutil --set -a dhchap
edge:admin> authutil --set -g 4
edge:admin> authutil --policy -sw active
Warning: Activating the authentication policy requires either DH-CHAP secrets or
PKI certificates depending on the protocol selected. Otherwise, ISLs will be
segmented during next E-port bring-up.
ARE YOU SURE (yes, y, no, n): [no] y
Auth Policy is set to ON
edge:admin>
edge:admin> authutil --show
AUTH
TYPE HASH TYPE GROUP TYPE
-------------------------------------dhchap md5
4
Switch Authentication Policy: ON
Device Authentication Policy: OFF
edge:admin>
Example Setting a secret key
NOTE
For this you need the WWN of the front phantom switch. Use portCfgExPort EX_Port# on that switch
to learn its wwn value.
edge:admin> secauthsecret --set
This command is used to set up secret keys for the DH-CHAP authentication.
The minimum length of a secret key is 8 characters and maximum 40
Fabric OS Administrator’s Guide
53-1002745-02
415
14
Working with EX_Ports
characters. Setting up secret keys does not initiate DH-CHAP
authentication. If switch is configured to do DH-CHAP, it is performed
whenever a port or a switch is enabled.
Warning: Please use a secure channel for setting secrets. Using
an insecure channel is not safe and may compromise secrets.
Following inputs should be specified for each entry.
1. WWN for which secret is being set up.
2. Peer secret: The secret of the peer that authenticates to peer.
3. Local secret: The local secret that authenticates peer.
Press enter to start setting up secrets >
Enter peer WWN, Domain, or switch name (Leave blank when done):
50:00:53:31:37:43:ee:14
Enter peer secret:
Re-enter peer secret:
Enter local secret:
Re-enter local secret:
Enter peer WWN, Domain, or switch name (Leave blank when done):
Are you done? (yes, y, no, n): [no] y
Saving data to key store... Done.
edge:admin>
Example Enabling encryption on port 1 of the ‘edge’ switch
As with the FCR switch (‘myswitch’) there are two things to notice here— the first is that the initial
attempt fails because the port is currently enabled. The second is that the output from the second
attempt shows encryption to be enabled on the port, as shown by the portCfgShow command.
edge:admin> portcfgencrypt --enable 1
Please disable port to configure Encryption/Compression.
edge:admin> portdisable 1
edge:admin> portcfgencrypt --enable 1
edge:admin> portcfgshow 1
Area Number:
1
Octet Speed Combo:
1(16G|8G|4G|2G)
Speed Level:
AUTO(SW)
AL_PA Offset 13:
OFF
Trunk Port
ON
Long Distance
OFF
VC Link Init
OFF
Locked L_Port
OFF
Locked G_Port
OFF
Disabled E_Port
OFF
Locked E_Port
OFF
ISL R_RDY Mode
OFF
RSCN Suppressed
OFF
Persistent Disable
OFF
LOS TOV enable
OFF
NPIV capability
ON
QOS Port
AE
Port Auto Disable:
OFF
Rate Limit
OFF
EX Port
OFF
Mirror Port
OFF
Credit Recovery
ON
F_Port Buffers
OFF
Fault Delay:
0(R_A_TOV)
416
Fabric OS Administrator’s Guide
53-1002745-02
Working with EX_Ports
NPIV PP Limit:
CSCTL mode:
D-Port mode:
Compression:
Encryption:
FEC:
14
126
OFF
OFF
OFF
ON
ON
Example Enabling compression on the same port.
The portCfgShow command shows that both encryption and compression are now enabled on this
port.
edge:admin> portdisable 1
edge:admin> portcfgcompress --enable 1
edge:admin> portcfgshow 1
Area Number:
1
Octet Speed Combo:
1(16G|8G|4G|2G)
Speed Level:
AUTO(SW)
AL_PA Offset 13:
OFF
Trunk Port
ON
Long Distance
OFF
VC Link Init
OFF
Locked L_Port
OFF
Locked G_Port
OFF
Disabled E_Port
OFF
Locked E_Port
OFF
ISL R_RDY Mode
OFF
RSCN Suppressed
OFF
Persistent Disable
OFF
LOS TOV enable
OFF
NPIV capability
ON
QOS Port
AE
Port Auto Disable:
OFF
Rate Limit
OFF
EX Port
OFF
Mirror Port
OFF
Credit Recovery
ON
F_Port Buffers
OFF
Fault Delay:
0(R_A_TOV)
NPIV PP Limit:
126
CSCTL mode:
OFF
D-Port mode:
OFF
Compression:
ON
Encryption:
ON
FEC:
ON
NOTE
Once an EX_Port is enabled with encryption and compression, you can verify using either the
fcrEdgeShow or portCfgExPort commands. See the following section for details.
Fabric OS Administrator’s Guide
53-1002745-02
417
14
Working with EX_Ports
EX_Port commands
See the Fabric OS Command Reference for more details on these EX_Port -valid commands.
portCfgExPort
The portCfgExPort command sets a port to be an EX_Port, and also sets and displays EX_Port
configuration parameters (including those for encryption and compression).
Usage: portCfgExPort <action> [slot/]port
Example Setting port 47 to be an EX_Port, and displaying the port configuration parameters
switch:admin> portcfgexport 47
Port
47
info
Admin:
enabled
State:
OK
Pid format:
core(N)
Operate mode:
Brocade Native
Edge Fabric ID:
17
Preferred Domain ID:
160
Front WWN:
50:00:53:31:37:03:ee:11
Principal Switch:
8
Principal WWN:
10:00:00:05:33:13:70:3e
Fabric Parameters:
Auto Negotiate
R_A_TOV:
10000(N)
E_D_TOV:
2000(N)
Authentication Type:
DHCAP
DH Group:
4
Hash Algorithm:
SHA1
Encryption:
ON
Compression:
ON
Forward error correction:
ON
Edge fabric's primary wwn:
N/A
Edge fabric's version stamp: N/A
fcrEdgeShow
The fcrEdgeShow command displays the encryption and compression status for a switch.
Usage: fcrEdgeShow
Example Displaying the port configuration parameters for a switch
switch:admin> fcrEdgeShow
FID EX-port E-port Neighbor Switch (PWWN, SWWN)
Flags
-----------------------------------------------------------------------------34
4/12
9
20:09:00:05:33:7e:e8:7c 10:00:00:05:33:7e:e8:7c
ENCRYPTI
ON COMPRESSION
34
4/13
10
20:0a:00:05:33:7e:e8:7c 10:00:00:05:33:7e:e8:7c
ENCRYPTI
ON COMPRESSION
EX_Port downgrade considerations
Firmware downgrading is blocked if one or more EX_Ports has the Encryption/Compression feature
enabled.
418
Fabric OS Administrator’s Guide
53-1002745-02
Chapter
15
NPIV
In this chapter
• NPIV overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Configuring NPIV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Enabling and disabling NPIV. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Viewing NPIV port configuration information. . . . . . . . . . . . . . . . . . . . . . . .
419
421
422
423
NPIV overview
N_Port ID Virtualization (NPIV) enables a single Fibre Channel protocol port to appear as multiple,
distinct ports, providing separate port identification within the fabric for each operating system
image behind the port (as if each operating system image had its own unique physical port). NPIV
assigns a different virtual port ID to each Fibre Channel protocol device. NPIV is designed to enable
you to allocate virtual addresses without affecting your existing hardware implementation. The
virtual port has the same properties as an N_Port, and is therefore capable of registering with all
services of the fabric. This chapter does not discuss the Access Gateway feature. For more
information on the Access Gateway feature, refer to the Access Gateway Administrator’s Guide.
Each NPIV device has a unique device PID, Port WWN, and Node WWN, and behaves the same as
all other physical devices in the fabric. In other words, multiple virtual devices emulated by NPIV
appear no different than regular devices connected to a non-NPIV port.
The same zoning rules apply to NPIV devices as non-NPIV devices. Zones can be defined by
domain,port notation, by WWN zoning, or both. However, to perform zoning to the granularity of the
virtual N_Port IDs, you must use WWN-based zoning.
If you are using domain,port zoning for an NPIV port, and all the virtual PIDs associated with the
port are included in the zone, then a port login (PLOGI) to a non-existent virtual PID is not blocked
by the switch; rather, it is delivered to the device attached to the NPIV port. In cases where the
device is not capable of handling such unexpected PLOGIs, use WWN-based zoning.
The following example shows the number of NPIV devices in the output of the switchShow
command. The number of NPIV devices is equal to the sum of the base port plus the number of
NPIV public devices. The base port is the N_Port listed in the switchShow output. Based on the
formula, index 010000 shows only 1 NPIV device and index 010300 shows a total of 222 NPIV
devices (one N_Port FLOGI device and 221 NPIV devices).
Example of NPIV devices
switch:admin> switchshow
switchName:
5100
switchType:
71.2
switchState:
Online
switchMode:
Access Gateway Mode
switchWwn:
10:00:00:05:1e:41:49:3d
switchBeacon:
OFF
Fabric OS Administrator’s Guide
53-1002745-02
419
15
NPIV overview
Index Port Address Media Speed State Proto
==============================================
0
0
010000 id
N4
Online FC F-Port
1
1
010100 id
N4
Online FC F-Port
2
2
010200 id
N4
Online FC F-Port
3
3
010300 id
N4
Online FC F-Port
20:0c:00:05:1e:05:de:e4 0xa06601
1 N Port + 4 NPIV public
1 N Port + 119 NPIV public
1 N Port + 221 NPIV public
On the Brocade DCX and DCX-4S with the FC8-64 blade, the base port is not included in the NPIV
device count. The following example shows 63 NPIV devices total.
Index Slot Port Address Media Speed State
Proto
==================================================
127
12
15
a07f40 id
N4
Online FC F-Port
(AoQ)
1 N Port + 63 NPIV public
Upgrade considerations
The maximum logins per switch has decreased with Fabric OS v6.4.0. When upgrading from a
release previous to Fabric OS v6.4.0 and later, the configured maximum is carried forward and may
exceed the Fabric OS v6.4.0 limit. It is recommended to reconfigure this parameter to be within the
range permitted in Fabric OS v6.4.0 and later.
Fixed addressing mode
Fixed addressing mode is the default addressing mode used in all platforms that do not have
Virtual Fabrics enabled. When Virtual Fabrics is enabled on the Brocade DCX and DCX-4S, fixed
addressing mode is used only on the default logical switch. The number of NPIV devices supported
on shared area ports (48-port blades) is reduced to 64 from 128 when Virtual Fabrics mode is
enabled.
10-bit addressing mode
The 10-bit addressing mode is the default mode for all the logical switches created in the Brocade
DCX and DCX-4S Backbones. The number of NPIV or loop devices supported on a port is 64.
Table 64 shows the number of NPIV devices supported on the Brocade DCX and DCX-4S
Backbones.
TABLE 64
420
Number of supported NPIV devices
Platform
Virtual Fabrics
Logical switch type
NPIV support
DCX
Disabled
N/A
Yes, 127 virtual device limit.1
DCX
Enabled
Default switch
Yes, 63 virtual device limit.1
DCX
Enabled
Logical switch
Yes, 255 virtual device limit.2, 3
DCX
Enabled
Base switch
No.
DCX-4S
Disabled
N/A
Yes, 255 virtual device limit.
DCX-4S
Enabled
Default switch
Yes, 255 virtual device limit.
Fabric OS Administrator’s Guide
53-1002745-02
Configuring NPIV
TABLE 64
15
Number of supported NPIV devices (Continued)
Platform
Virtual Fabrics
Logical switch type
NPIV support
DCX-4S
Enabled
Logical switch
Yes, 255 virtual device limit.3
DCX-4S
Enabled
Base switch
No.
1. Maximum limit support takes precedence if user-configured maximum limit is greater. This applies to shared
areas on the FC4-48, FC8-48, and FC8-64 port blades.
2. The first 112 physical NPIV-capable devices connected to a logical switch using 10-bit addressing can log in 255
logical devices. The physical NPIV-capable devices after 112, 113, and higher, are limited to 63 logical devices.
3.
Maximum limit of 63 for 10-bit areas connected to third-party (non-Brocade) NPIV HBAs.
Configuring NPIV
The NPIV feature is enabled by default. You can set the number of virtual N_Port_IDs per port to a
value from 1 through 255 per port. The default setting is 126.
The portCfgNpivPort command is used to specify the maximum number of virtual N_port_IDs per
port on a switch. It can also be used to enable or disable NPIV. Once NPIV is enabled on the port,
you can specify the number of logins per port. If the NPIV feature has been disabled, then the NPIV
port configuration does not work.
The addressing mode can limit the maximum number of NPIV logins to 127 or 63 depending on the
mode. The portCfgNPIVPort command can set the maximum number of NPIV logins limit to
anything from 1 through 255, regardless of the addressing mode. Whichever of these two
(addressing mode or the value configured through portCfgNPIVPort) is lower will be the maximum
number that can be logged in.
CAUTION
The portDisable command disables the port and stops all traffic flowing to and from the port.
Perform this command during a scheduled maintenance.
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the portDisable command.
3. Enter the portCfgNPIVPort --setloginlimit command with the port number and the number of
logins per port.
4. Press Enter.
5. Enter the portEnable command to enable the port.
Example of setting the login limit
switch:adnin> portcfgnpivport --setloginlimit 7/0 128
NPIV Limit Set to 128 for Port 128
switch:adnin> portcfgshow
Area Number:
Octet Speed Combo:
Speed Level:
AL_PA Offset 13:
Trunk Port
Long Distance
Fabric OS Administrator’s Guide
53-1002745-02
7/0
128
1(16G|8G|4G|2G)
AUTO(SW)
OFF
ON
OFF
421
15
Enabling and disabling NPIV
VC Link Init
Locked L_Port
Locked G_Port
Disabled E_Port
Locked E_Port
ISL R_RDY Mode
RSCN Suppressed
Persistent Disable
LOS TOV enable
NPIV capability
QOS E_Port
Port Auto Disable:
Rate Limit
EX Port
Mirror Port
Credit Recovery
F_Port Buffers
Fault Delay:
NPIV PP Limit:
CSCTL mode:
Frame Shooter Port
D-Port mode:
Compression:
Encryption:
FEC:
OFF
OFF
OFF
OFF
OFF
OFF
OFF
OFF
OFF
ON
AE
OFF
OFF
OFF
OFF
ON
OFF
0(R_A_TOV)
128
OFF
OFF
OFF
OFF
OFF
ON
Enabling and disabling NPIV
On the Brocade 300, 5100, 5300, 6505, 6510, 6520, 7800, and 8000 switches, the Brocade
5410, 5424, 5430, 5450, 5460, 5470, and 5480 embedded switches, Brocade DCX and DCX
8510 Backbone families, and the FA4-18 blade, NPIV is enabled for every port.
NOTE
NPIV is a requirement for FCoE. The CEE/FCoE ports on the Brocade 8000 have NPIV enabled by
default, but NPIV cannot be enabled or disabled on these ports. The login limit can be set on these
ports provided you disable and enable the ports using the fcoe --disable and fcoe --enable
commands.
1. Connect to the switch and log in using an account assigned to the admin role.
2. To enable or disable NPIV on a port, enter the portCfgNPIVPort command with either the
--enable or --disable option.
The following example shows NPIV being enabled on port 10 of a Brocade 5100:
switch:admin> portCfgNPIVPort --enable 10
NOTE
If the NPIV feature is disabled, the port is toggled if NPIV devices are logged in from that F_Port (a
true NPIV port). Otherwise, the firmware considers that port as an F_Port even though the NPIV
feature was enabled.
422
Fabric OS Administrator’s Guide
53-1002745-02
Viewing NPIV port configuration information
15
Viewing NPIV port configuration information
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the portCfgShow command to view the switch ports information.
The following example shows whether a port is configured for NPIV:
switch:admin> portcfgshow
Ports of Slot 0
0 1 2 3
4 5 6 7
8 9 10 11
12 13 14 15
-----------------+--+--+--+--+----+--+--+--+----+--+--+--+----+--+--+-Speed
AN AN AN AN
AN AN AN AN
AN AN AN AN
AN AN AN AN
Trunk Port
ON ON ON ON
ON ON ON ON
ON ON ON ON
ON ON ON ON
Long Distance
.. .. .. ..
.. .. .. ..
.. .. .. ..
.. .. .. ..
VC Link Init
.. .. .. ..
.. .. .. ..
.. .. .. ..
.. .. .. ..
Locked L_Port
.. .. .. ..
.. .. .. ..
.. .. .. ..
.. .. .. ..
Locked G_Port
.. .. .. ..
.. .. .. ..
.. .. .. ..
.. .. .. ..
Disabled E_Port
.. .. .. ..
.. .. .. ..
.. .. .. ..
.. .. .. ..
ISL R_RDY Mode
.. .. .. ..
.. .. .. ..
.. .. .. ..
.. .. .. ..
RSCN Suppressed
.. .. .. ..
.. .. .. ..
.. .. .. ..
.. .. .. ..
Persistent Disable.. .. .. ..
.. .. .. ..
.. .. .. ..
.. .. .. ..
NPIV capability
ON ON ON ON
ON ON ON ON
ON ON ON ON
ON ON ON ON
3. Use the switchShow and portShow commands to view NPIV information for a given port. If a
port is an F_Port, and you enter the switchShow command, then the port WWN of the N_Port is
returned. For an NPIV F_Port, there are multiple N_Ports, each with a different port WWN. The
switchShow command output indicates whether or not a port is an NPIV F_Port, and identifies
the number of virtual N_Ports behind it. The following example is sample output from the
switchShow command:
switch:admin> switchshow
switchName:switch
switchType:66.1
switchState:Online
switchMode:Native
switchRole:Principal
switchDomain:1
switchId:fffc01
switchWwn:10:00:00:05:1e:82:3c:2a
zoning:OFF
switchBeacon:OFF
FC Router:OFF
FC Router BB Fabric ID:128
Area Port Media Speed State
Proto
=====================================
0
0
id
N1
Online
F-Port
1
1
id
N4
No_Light
2
2
id
N4
Online
F-Port
3
3
id
N4
No_Light
4
4
id
N4
No_Light
...
<output truncated>
1 Nport + 1 NPIV devices.
20:0e:00:05:1e:0a:16:59
4. Use the portShow command to view the NPIV attributes and all the N_Port (physical and
virtual) port WWNs that are listed under portWwn of device(s) connected. The following
example is sample output for the portShow command:
Fabric OS Administrator’s Guide
53-1002745-02
423
15
Viewing NPIV port configuration information
switch:admin> portshow 2
portName: 02
portHealth: HEALTHY
Authentication: None
portDisableReason: None
portCFlags: 0x1
portFlags: 0x24b03 PRESENT ACTIVE F_PORT G_PORT NPIV LOGICAL_ONLINE LOGIN
NOELP LED ACCEPT
portType: 10.0
portState: 1Online
portPhys: 6In_Sync
portScn:
32F_Port
port generation number:
148
portId:
630200
portIfId:
43020005
portWwn:
20:02:00:05:1e:35:37:40
portWwn of device(s) connected:
c0:50:76:ff:fb:00:16:fc
c0:50:76:ff:fb:00:16:f8
...
<output truncated>
...
c0:50:76:ff:fb:00:16:80
50:05:07:64:01:a0:73:b8
Distance: normal
portSpeed: N2Gbps
Interrupts:
Unknown:
Lli:
Proc_rqrd:
Timed_out:
Rx_flushed:
Tx_unavail:
Free_buffer:
Overrun:
Suspended:
Parity_err:
2_parity_err:
CMI_bus_err:
0
0
294803
0
0
0
0
0
0
0
0
0
0
Link_failure: 16
Loss_of_sync: 422
Loss_of_sig: 808
Protocol_err: 0
Invalid_word: 0
Invalid_crc: 0
Delim_err:
0
Address_err: 1458
Lr_in:
15
Lr_out:
17
Ols_in:
16
Ols_out:
15
Frjt:
Fbsy:
0
0
Viewing virtual PID login information
Use the portLoginShow command to display the login information for the virtual PIDs of a port. The
following example is sample output from the portLoginShow command:
switch:admin> portloginshow 2
Type PID
World Wide Name
credit df_sz cos
=====================================================
fe 630240 c0:50:76:ff:fb:00:16:fc
101 2048
c
fe 63023f c0:50:76:ff:fb:00:16:f8
101 2048
c
fe 63023e c0:50:76:ff:fb:00:17:ec
101 2048
c
...
<output truncated>
...
ff 630202 c0:50:76:ff:fb:00:17:70
192 2048
c
ff 630201 c0:50:76:ff:fb:00:16:80
192 2048
c
424
scr=3
scr=3
scr=3
d_id=FFFFFC
d_id=FFFFFC
Fabric OS Administrator’s Guide
53-1002745-02
Chapter
16
Dynamic Fabric Provisioning: Fabric-Assigned PWWN
In this chapter
• Introduction to Dynamic Fabric Provisioning using FA-PWWN . . . . . . . . . .
• User- and auto-assigned FA-PWWN behavior . . . . . . . . . . . . . . . . . . . . . . .
• Configuring FA-PWWNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Supported switches and configurations for FA-PWWN . . . . . . . . . . . . . . . .
• Configuration upload and download considerations for FA-PWWN . . . . . .
• Firmware upgrade and downgrade considerations for FA-PWWN . . . . . . .
• Security considerations for FA-PWWN . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Restrictions of FA-PWWN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Access Gateway N_Port failover with FA-PWWN . . . . . . . . . . . . . . . . . . . . .
425
426
426
429
430
430
430
431
431
Introduction to Dynamic Fabric Provisioning using FA-PWWN
Fabric OS v7.0.0 introduces Dynamic Fabric Provisioning (DFP) to simplify server deployment in
your Fibre Channel SAN (FC SAN) environment.
Server deployment typically requires that multiple administrative teams (for example, server and
storage teams) coordinate with each other to perform configuration tasks such as zone creation in
the fabric and LUN mapping and masking on the storage device. These tasks must be completed
before the server is deployed. Before you can configure WWN zones and LUN masks, you must find
out the physical port world wide name (PWWN) of the server. This means that administrative teams
cannot start their configuration tasks until the physical server arrives (and its physical PWWN is
known). Because the configuration tasks are sequential and interdependent across various
administrative teams, it may take several days before the server gets deployed in an FC SAN.
Dynamic Fabric Provisioning simplifies and accelerates new server deployment and improves
operational efficiency by using a fabric-assigned PWWN (FA-PWWN). An FA-PWWN is a “virtual” port
WWN that can be used instead of the physical PWWN to create zoning and LUN mapping and
masking. When the server is later attached to the SAN, the FA-PWWN is then assigned to the
server.
The FA-PWWN feature allows you to perform the following tasks:
• Replace one server with another server, or replace failed HBAs or adapters within a server,
without having to change any zoning or LUN mapping and masking configurations.
• Easily move servers across ports or Access Gateways by way of reassigning the FA-PWWN to
another port.
• Use the FA-PWWN to represent a server in boot LUN zone configurations so that any physical
server that is mapped to this FA-PWWN can boot from that LUN, thus simplifying boot over SAN
configuration.
Fabric OS Administrator’s Guide
53-1002745-02
425
16
User- and auto-assigned FA-PWWN behavior
NOTE
For the server to use the FA-PWWN feature, it must be using a Brocade HBA or adapter. Refer to the
release notes for the HBA or adapter versions that support this feature.
Some configuration of the HBA must be performed to use the FA-PWWN.
User- and auto-assigned FA-PWWN behavior
An FA-PWWN can be either user-generated or automatically assigned by the fabric. The
automatically assigned FA-PWWN is created by default when you enable the feature without
explicitly providing a virtual PWWN.
Each switch port and Access Gateway port can be assigned up to two WWNs, one assigned
automatically and one assigned by the user. Only one FA-PWWN can be active at any given time.
The user-assigned FA-PWWN takes precedence over the automatically assigned FA-PWWN. This
means the switch will bind the user-assigned FA-PWWN to the port if both a user-assigned and an
automatically assigned FA-PWWN are available. If you want to select the automatically assigned
FA-PWWN over the user-assigned FA-PWWN, you must delete the user-assigned FA-PWWN from the
port to which it has been assigned.
Checking for duplicate FA-PWWNs
The switch ensures that automatically assigned FA-PWWNs are unique in a fabric. However, it is the
responsibility of the administrators to ensure that user-assigned FA-PWWNs are also unique
throughout the fabric.
CAUTION
The administrators should ensure that the same user-assigned FA-PWWN is not used in multiple
chassis. There is no fabric-wide database, and adding the same FA-PWWNs in multiple chassis
causes duplicate PWWNs.
Configuring FA-PWWNs
Use the faPwwn command to create and manage FA-PWWNs. The faPwwn command supports the
following management tasks:
•
•
•
•
•
•
•
Binding an automatically assigned or a user-assigned FA-PWWN to a switch port.
Overriding an automatically assigned FA-PWWN with a user-assigned FA-PWWN.
Binding an Access Gateway port with an automatically assigned or a user-assigned FA-PWWN.
Deleting any existing FA-PWWN bindings.
Moving an FA-PWWN from one port to another port.
Moving an FA-PWWN assigned to an Access Gateway port to another Access Gateway.
Displaying information about configured FA-PWWN bindings.
Refer to the Fabric OS Command Reference for information about using the faPwwn command.
426
Fabric OS Administrator’s Guide
53-1002745-02
Configuring FA-PWWNs
16
This section includes an FA-PWWN configuration procedure for each of the following two topologies:
• An FA-PWWN for an HBA device that is connected to an Access Gateway switch.
• An FA-PWWN for an HBA device that is connected directly to an edge switch.
These topologies are shown in Figure 51.
Access Gateway Switch
Edge Switch
running FOS 7.0.0
running FOS 7.0.0
F-Port
N-Port
NPIV
F-Port
F-Port
HBA
Scenario 1
An FA-PWWN is
configured for an HBA
device connected to an
Access Gateway Switch.
HBA
Scenario 2
Configure an FA-PWWN
for an HBA device connected
directly to an edge switch.
FIGURE 51
Fabric-assigned port world wide name provisioning scenarios
Configuring an FA-PWWN for an HBA connected to an Access Gateway
For this procedure, some of the steps are to be executed on the switch and some are to be
executed on the server.
1. Log in to the edge switch to which the Access Gateway is directly connected.
2. Assign the FA-PWWN.
• If you are manually assigning a WWN, enter the following command:
fapwwn --assign -ag AG_WWN -port AG_port -v Virtual_PWWN
• If you want the WWN to be automatically assigned, enter the following command:
fapwwn --assign -ag AG_WWN -port AG_port
Fabric OS Administrator’s Guide
53-1002745-02
427
16
Configuring FA-PWWNs
3. Enter the fapwwn --show -ag all command:
You should see output similar to the following sample. (In this example, long lines of output are
shown split across two lines, for better readability.)
----------------------------------------------------------AG Port
Port
Device Port WWN
\
----------------------------------------------------------10:00:00:05:1e:65:8a:d5/16 ---:--:--:--:--:--:--:-- \
10:00:00:05:1e:d7:3d:dc/8
20
20:08:00:05:1e:d7:2b:74 \
\
10:00:00:05:1e:d7:3d:dc/9
20
20:09:00:05:1e:d7:2b:73 \
10:00:00:05:1e:d7:3d:dc/16 ---:--:--:--:--:--:--:-- \
-----------------------------------------------------------Virtual Port WWN
PID
Enable MapType
-----------------------------------------------------------52:00:10:00:00:0f:50:30
-Yes
AG/Auto
11:22:33:44:55:66:77:88
11403 Yes
AG/User
52:00:10:00:00:0f:50:32
2:00:10:00:00:0f:50:33
11404 Yes
AG/Auto
52:00:10:00:00:0f:50:38
-Yes
AG/Auto
4. Enable the FA-PWWN on the HBA. The following steps are to be executed on the server and not
the switch.
a.
Log in to the server as root.
b.
Enter the following command:
bcu port -faa port_id --enable
c.
Enter the following command:
bcu port -faa port_id --query
Once the Brocade HBA has been assigned the FA-PWWN, the HBA retains the FA-PWWN until
rebooted. This means you cannot unplug and plug the cable into a different port on the Access
Gateway. You must reboot the HBA before moving the HBA to a different port. If you move an HBA to
a different port on a switch running Fabric OS v7.0.0 or later, the HBA will disable its port. If the HBA
moves to a different port on a switch running a version of Fabric OS earlier than 7.0.0, the HBA will
continue to disable its port.
Configuring an FA-PWWN for an HBA connected to an edge switch
For this procedure, some of the steps are to be executed on the switch and some are to be
executed on the server.
1. Log in to the edge switch to which the device is connected.
2. Assign the FA-PWWN.
• If you are manually assigning a WWN, enter the following command:
fapwwn --assign -port [slot/]port -v Virtual_PWWN
• If you want the WWN to be automatically assigned, enter the following command:
fapwwn --assign -port [slot/]port
428
Fabric OS Administrator’s Guide
53-1002745-02
Supported switches and configurations for FA-PWWN
16
3. Enter the fapwwn --show -port all command:
You should see output similar to the following sample.
----------------------------------------------------------------------Port
PPWWN
VPWWN
PID Enable MapType
----------------------------------------------------------------------0 --:--:--:--:--:--:--:-- 52:00:10:00:00:0f:50:30 10101 Yes Port/Auto
1 --:--:--:--:--:--:--:-- 11:22:33:44:33:22:11:22 -Yes Port/User
52:00:10:00:00:0f:50:44
10 --:--:--:--:--:--:--:-- 52:00:10:00:00:0f:50:45 -Yes Port/Auto
4. Enable the FA-PWWN on the HBA. The following steps are to be executed on the server and not
the switch.
a.
Log in to the server as root.
b.
Enter the following command:
bcu port -faa port_id --enable
c.
Enter the following command:
bcu port -faa port_id --query
Once the Brocade HBA has been assigned the FA-PWWN, the HBA retains the FA-PWWN until it is
rebooted. This means you cannot unplug and plug the cable into a different port on the switch. You
must reboot the HBA before moving the HBA to a different port. If you move an HBA to a different
port on a switch running Fabric OS v7.0.0 or later, the HBA will disable its port. If the HBA moves to
a different port on a switch running a version of Fabric OS earlier than 7.0.0, the HBA will continue
to disable its port.
Supported switches and configurations for FA-PWWN
The FA-PWWN feature is supported on the following platforms:
• Switch platforms running Fabric OS v7.0.0 or later:
- Brocade DCX, DCX-4S, and DCX 8510 family
- Brocade 300
- Brocade 5100
- Brocade 5300
- Brocade 6505
- Brocade 6510
- Brocade 6520
- Brocade 7800
- Brocade VA-40FC
Fabric OS Administrator’s Guide
53-1002745-02
429
16
Configuration upload and download considerations for FA-PWWN
• Access Gateway platforms running Fabric OS v7.0.0 or later:
- Brocade 300
- Brocade 5100
- Brocade 6505
- Brocade 6510
• Brocade HBAs with driver version 3.0.0.0:
- Brocade 415
- Brocade 425
- Brocade 815
- Brocade 825
Configuration upload and download considerations for FA-PWWN
The configuration upload and download utilities can be used to import and export the FA-PWWN
configuration.
ATTENTION
Brocade recommends you delete all FA-PWWNs from the switch with the configuration being
replaced before you upload or download a modified configuration. This is to ensure no duplicate
FA-PWWNs in the fabric.
Firmware upgrade and downgrade considerations for FA-PWWN
Firmware downgrading is blocked if the FA-PWWN feature is enabled on the switch. All FA-PWWN
configurations are lost if firmware is downgraded, even if it is followed by an upgrade back to
Fabric OS v7.0.0. This is done to ensure that the FA-PWWN configurations are not tampered with
when the switch is running an earlier version of the firmware.
You must also consider zone configuration, security configuration, and target ACLs when
downgrading from Fabric OS v7.0.0. If any of these (zone configuration, security configuration, and
target ACLs) have FA-PWWNs configured, the SAN network may not function properly, or at all.
Security considerations for FA-PWWN
The FA-PWWN feature can be enabled only by authorized administrators. Thus, existing user-level
authentication and authorization mechanisms should be used to ensure only authorized users can
configure this feature.
If you are concerned about security for FA-PWWN, you should configure device authentication. You
can use authentication at the device level to ensure security between the switch and the server.
Refer to “Device authentication policy” on page 210 for information about configuring device
authentication.
You can also use the Device Connection Control (DCC) policy to ensure that only an authorized
physical server can connect to a specific switch port.
430
Fabric OS Administrator’s Guide
53-1002745-02
Restrictions of FA-PWWN
16
NOTE
When creating the DCC policy, use the physical device WWN and not the FA-PWWN.
If you use DCC, a policy check is done on the physical PWWN on the servers. In the case of an HBA,
the FA-PWWN is assigned to the HBA only after the DCC check is successful.
Refer to “DCC policy behavior with Fabric-Assigned PWWNs” on page 205 for additional
information.
Restrictions of FA-PWWN
Be aware of the following restrictions when using the FA-PWWN feature:
• FA-PWWN is supported only on Brocade HBAs and adapters. Refer to the release notes for the
supported Brocade HBA or adapter versions.
• FA-PWWN is not supported for the following:
- FCoE devices
- FL_Ports
- Swapped ports (using the portswap command)
- Cascaded Access Gateway topologies
- FICON/FMS mode
- With F_Port trunking on directly attached Brocade HBAs/adapters
NOTE
FA-PWWN is supported with F_Port trunking on the supported Access Gateway platforms.
Access Gateway N_Port failover with FA-PWWN
If an FA-PWWN F_Port on an Access Gateway fails over to an N_Port that is connected to a different
switch, the FA-PWWN of that Access Gateway F_Port must also be configured on that switch. If not,
the FA-PWWN assigned to the Access Gateway F_Port following a failover will be different than it
was before the failover occurred. This situation may require the host to reboot to bring it back
online. Even after the reboot, the host may potentially go into a different zone because the
FA-PWWN is different.
Fabric OS Administrator’s Guide
53-1002745-02
431
16
432
Access Gateway N_Port failover with FA-PWWN
Fabric OS Administrator’s Guide
53-1002745-02
Chapter
Managing Administrative Domains
17
In this chapter
• Administrative Domains overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
• Admin Domain management for physical fabric administrators . . . . . . . . 442
• SAN management with Admin Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
Administrative Domains overview
An Administrative Domain (Admin Domain or AD) is a logical grouping of fabric elements that
defines which switches, ports, and devices you can view and modify. An Admin Domain is a filtered
administrative view of the fabric.
NOTE
If you do not implement Admin Domains, the feature has no impact on users and you can ignore this
chapter.
Admin Domains permit access to a configured set of users. Using Admin Domains, you can
partition the fabric into logical groups and allocate administration of these groups to different user
accounts. These accounts can manage only the Admin Domains assigned to them and cannot
make changes to the rest of the fabric.
For example, you can put all the devices in a particular department in the same Admin Domain for
ease of managing those devices. If you have remote sites, you could put the resources in the
remote site in an Admin Domain and assign the remote site administrator to manage those
resources.
Admin Domains and Virtual Fabrics are mutually exclusive and are not supported at the same time
on a switch.
Do not confuse Admin Domains with zones:
• Zones define which devices and hosts can communicate with each other.
• Admin Domains define which users can manage which devices, hosts, and switches.
You can have up to 256 Admin Domains in a fabric (254 user-defined and 2 system-defined),
numbered from 0 through 255.
Admin Domains are designated by a name and a number. This document refers to specific Admin
Domains using the format “ADn” where n is a number between 0 and 255.
ATTENTION
The Admin Domain administrator can define up to 254 ADs (AD1 through AD254) in the AD
database; however, it is recommended that no more than 16 active Admin Domains run
concurrently. More than 16 active Admin Domains might cause performance degradation and
unpredictable system behavior.
Fabric OS Administrator’s Guide
53-1002745-02
433
17
Administrative Domains overview
NOTE
Do not confuse an Admin Domain number with the domain ID of a switch. They are two different
identifiers. The Admin Domain number identifies the Admin Domain and has a range from 0 through
255. The domain ID identifies a switch in the fabric and has a range from 1 through 239.
Figure 52 shows a fabric with two Admin Domains: AD1 and AD2.
AD1
AD2
FIGURE 52
Fabric with two Admin Domains
Figure 53 shows how users get a filtered view of this fabric, depending on which Admin Domain
they are in. As shown in Figure 53, users can see all switches and E_Ports in the fabric, regardless
of their Admin Domain; however, the switch ports and end devices are filtered based on Admin
Domain membership.
FIGURE 53
434
Filtered fabric views when using Admin Domains
Fabric OS Administrator’s Guide
53-1002745-02
Administrative Domains overview
17
Admin Domain features
Admin Domains allow you to do the following:
• Define the scope of an Admin Domain to encompass ports and devices within a switch or a
fabric.
• Share resources across multiple Admin Domains. For example, you can share array ports and
tape drives between multiple departments. In Figure 52 on page 434, one of the storage
devices is shared between AD1 and AD2.
• Have a separate zone database for each Admin Domain. Refer to “Admin Domains, zones, and
zone databases” on page 458 for more information.
• Move devices from one Admin Domain to another without traffic disruption, cable reconnects,
or discontinuity in zone enforcement.
• Provide strong fault and event isolation between Admin Domains.
• Have visibility of all physical fabric resources. All switches, E_Ports, and FRUs (including blade
information) are visible.
• Continue to run existing third-party management applications. Prior and existing versions of
third-party management applications continue to work with admin IDs and user IDs.
Requirements for Admin Domains
Implementing Admin Domains in a fabric has the following requirements:
• Admin Domains are not supported on the Brocade 8000. The Brocade 8000 can be in AD0
only.
• The default zone mode setting must be set to No Access before you create Admin Domains
(refer to “Setting the default zoning mode for Admin Domains” on page 443 for instructions).
• Virtual Fabrics must be disabled before you create Admin Domains (refer to “Disabling
Virtual Fabrics mode” on page 290 for instructions).
• Gigabit Ethernet (GbE) ports cannot be members of an Admin Domain.
• Traffic Isolation Zoning is supported within Admin Domains, with some restrictions, as
described in “Admin Domain considerations for Traffic Isolation Zoning” on page 360.
• If the fabric includes LSAN zones:
- The LSAN zone names must not end with “_ADn”.
- The LSAN zone names must not be longer than 57 characters.
Refer to Chapter 24, “Using FC-FC Routing to Connect Fabrics,” for information about the FC-FC
Routing Service and LSAN zones.
Admin Domain access levels
Admin Domains offer a hierarchy of administrative access. To manage Admin Domains, you must
be a physical fabric administrator. A physical fabric administrator is a user with admin permissions
and access to all Admin Domains (AD0 through AD255). Only a physical fabric administrator can
perform Admin Domain configuration and management.
Other administrative access is determined by your defined Role-Based Access Control (RBAC) role
and AD membership. Your role determines your access level and permission to perform an
operation. Your AD membership determines the fabric resources on which you can operate.
Fabric OS Administrator’s Guide
53-1002745-02
435
17
Administrative Domains overview
Table 65 lists each Admin Domain user type and describes its administrative access and
capabilities.
TABLE 65
AD user types
User type
Description
Physical fabric
administrator
User account with admin permissions and with access to all Admin Domains (AD0 through
AD255).
Creates and manages all Admin Domains.
Assigns other administrators or users to each Admin Domain.
The default admin account is the first physical fabric administrator.
Only a physical fabric administrator can create other physical fabric administrators.
Administrative
Domain users
Can be assigned to one or more Admin Domains.
Manage the resources within their Admin Domains.
If their role permits, can create user accounts and assign them to Admin Domains in their list.
Cannot view other Admin Domain definitions. They can view only members of their own Admin
Domains.
User-defined Admin Domains
AD1 through AD254 are user-defined Admin Domains. These user-defined Admin Domains can be
created only by a physical fabric administrator (refer to “Admin Domain access levels” on page 435
for more information).
In Figure 52 on page 434, AD1 and AD2 are user-defined Admin Domains.
System-defined Admin Domains
AD0 and AD255 are system-defined Admin Domains. AD0 and AD255 always exist and cannot be
deleted or renamed. They are reserved for use in creation and management of Admin Domains.
AD0
AD0 is a system-defined Admin Domain. Unlike user-defined Admin Domains, AD0 has an implicit
and an explicit membership list. User-defined Admin Domains have only an explicit membership
list.
• The implicit membership list contains all devices, switch ports, and switches that have not
been assigned to any other Admin Domain.
Initially, the AD0 implicit membership list contains all devices, switch ports, and switches in the
fabric. When you create AD1 through AD254, the devices, switch ports, and switches used to
create these user-defined Admin Domains disappear from the AD0 implicit membership list.
• The explicit membership list contains all devices, switch ports, and switches that you explicitly
add to AD0 and can be used to force device and switch sharing between AD0 and other Admin
Domains.
AD0 is managed like any user-defined Admin Domain. The only difference between AD0 and
user-defined Admin Domains is the implicit membership list.
The implicit members of AD0 change dynamically as the membership of other Admin Domains
changes. The explicit members of AD0 are not deleted unless you explicitly remove them.
436
Fabric OS Administrator’s Guide
53-1002745-02
Administrative Domains overview
17
For example, if DeviceA is not a member of any user-defined Admin Domain, then it is an implicit
member of AD0.
If you explicitly add DeviceA to AD0, then DeviceA is both an implicit and an explicit member of AD0.
AD0 implicit members
DeviceA
AD0 explicit members
DeviceA
AD2 members
none
If you add DeviceA to AD2, then DeviceA is deleted from the AD0 implicit membership list, but is not
deleted from the AD0 explicit membership list.
AD0 implicit members
none
AD0 explicit members
DeviceA
AD2 members
DeviceA
If you then remove DeviceA from AD2, DeviceA is added back to the AD0 implicit membership list
(assuming DeviceA is not in any other Admin Domain).
AD0 implicit members
DeviceA
AD0 explicit members
DeviceA
AD2 members
none
When a new device is added to the fabric, it automatically becomes an implicit member of AD0
until it is explicitly added to an Admin Domain.
AD0 is useful when you create Admin Domains because you can see which devices, switch ports,
and switches are not yet assigned to any Admin Domains.
AD0 owns the root zone database (legacy zone database).
AD255
AD255 is a system-defined Admin Domain that is used for Admin Domain management. AD255
always contains all of the devices in the entire physical fabric. You can use AD255 to get an
unfiltered view of the fabric and to view the hierarchical zone databases of AD0 through AD254. All
Admin Domain management is done in the AD255 context.
AD255 does not have a zone database associated with it; you cannot use AD255 to perform any
zoning management tasks (non-read operations such as creating or modifying zones).
Figure 54 on page 438 shows the same fabric from Figure 52 on page 434, but with AD0 and
AD255 shown. AD0 contains the two devices that are not in any of the user-defined Admin
Domains (AD1 and AD2). AD255 always encompasses the entire physical fabric.
Fabric OS Administrator’s Guide
53-1002745-02
437
17
Administrative Domains overview
FIGURE 54
Fabric with AD0 and AD255
Home Admin Domains and login
You are always logged in to an Admin Domain, and you can view and modify only the devices in that
Admin Domain.
If you have access to more than one Admin Domain, one of them is designated as your home
Admin Domain, the one you are automatically logged in to. If your home Admin Domain is deleted
or deactivated, then by default you are logged in to the lowest-numbered active Admin Domain in
your Admin Domain list. The home Admin Domain, like the Admin Domain list, is a configurable
property of a non-default user account. Here is some additional information about AD accounts:
• You can log in to only one Admin Domain at a time. You can later switch to a different Admin
Domain (refer to “Switching to a different Admin Domain context” on page 456 for
instructions).
• For default accounts such as admin and user, the home Admin Domain defaults to AD0 and
cannot be changed.
• The Admin Domain list for the default admin account is 0 through 255, which gives this
account automatic access to any Admin Domain as soon as the domain is created, and makes
this account a physical fabric administrator.
• The Admin Domain list for the default user account is AD0 only.
438
Fabric OS Administrator’s Guide
53-1002745-02
Administrative Domains overview
17
• For user-defined accounts, the home Admin Domain defaults to AD0 but an administrator can
set the home Admin Domain to any Admin Domain to which the account is given access.
• If you are in any Admin Domain context other than AD0, the Admin Domain number is included
in the system prompt displayed during your session. The following are example prompts for
when you are in the AD0, AD1, and AD255 contexts, respectively:
switch:admin>
switch:AD1:admin>
switch:AD255:admin>
Admin Domain member types
You define an Admin Domain by identifying members of that domain. Admin Domain members can
be devices, switch ports, or switches. Defining these member types is similar to defining a
traditional zone member type. An Admin Domain does not require or have a new domain ID or
management IP address linked to it.
Device members
Device members are defined by the device World Wide Name (WWN) and have the following
properties:
• A device member can be either a device port WWN or a device node WWN.
• A device member grants view access to the device and zoning rights. View rights are also
granted to the switch port to which the device is attached.
• A device member provides a pure virtual view. The cabling and switch port diagnostics and
control are done by the physical fabric administrator.
Port control is provided only through switch port membership and is not provided for device
members. When you create an Admin Domain, the end device members do not need to be online,
even though their WWNs are used in the Admin Domain definition.
You can share device members across multiple Admin Domains. You can also zone shared devices
differently in each Admin Domain. A device WWN member does not automatically grant usage of
corresponding domain,index members in the zone configuration. If you specify a device WWN
member in the Admin Domain member list, zone enforcement ignores zones with the
corresponding port (the port to which the device is connected) member usage.
Switch port members
Switch port members are defined by switch domain,index and have the following properties:
• A switch port member grants port control rights and zoning rights for that switch port.
• A switch port member grants view access and zoning rights to the device connected to that
switch port.
• A switch port member allows you to share domain,index members across multiple Admin
Domains. In each Admin Domain, you can also zone shared devices differently.
• A switch port member implicitly includes all devices connected to the specified domain,index
members in the Admin Domain membership.
• A switch port member allows you to specify a range of indices as Admin Domain members, for
example: 100,5-8. The index range arguments are expanded and stored in the Admin Domain
member list.
Fabric OS Administrator’s Guide
53-1002745-02
439
17
Administrative Domains overview
If a device is a member of an Admin Domain, the switch port to which the device is connected
becomes an indirect member of that Admin Domain and the domain,index is removed from the
AD0 implicit membership list.
NOTE
If the switch domain ID changes, the domain,index members are invalid (they are not automatically
changed). You must then reconfigure the Admin Domain with the current domain,index members.
Switch members
Switch members are defined by the switch WWN or domain ID, and have the following properties:
• A switch member grants administrative control to the switch.
• A switch member grants port control for all ports in that switch.
• A switch member allows switch administrative operations such as disabling and enabling a
switch, rebooting, and firmware downloads.
• A switch member does not provide zoning rights for the switch ports or devices.
To allow devices to be zoned within Admin Domains, you must specify the port members using
domain,index or device WWN members.
E_Ports (including VE_Ports, EX_Ports, and VEX_Ports) are implicitly shared across all Admin
Domains. An administrator can perform port control operations only if the domain,index of the
E_Port is part of the Admin Domain.
NOTE
Only the WWN of the switch is saved in the Admin Domain. If you change the domain ID of the switch,
the Admin Domain ownership of the switch is not changed.
Admin Domains and switch WWNs
Admin Domains are treated as fabrics. Because switches cannot belong to more than one fabric,
switch WWNs are converted so that they appear as unique entities in different Admin Domains
(fabrics). This WWN conversion is done only in the AD1 through AD254 context. AD0 and AD255
use unconverted switch WWNs.
The switch WWN has the following format:
10:00:nn:nn:nn:nn:nn:nn
In an Admin Domain context, the switch WWN is converted from NAA=1 to NAA=5 format, with the
Admin Domain number added, using the following syntax:
5n:nn:nn:nn:nn:nn:n9:xx
In the syntax, xx is the Admin Domain number.
For example, the following switch WWN is in NAA=1 format:
10:00:00:60:69:e4:24:e0
The following switch WWN is the converted WWN for the previous example in AD1:
50:06:06:9e:42:4e:09:01
440
Fabric OS Administrator’s Guide
53-1002745-02
Administrative Domains overview
17
Figure 55 on page 441 shows an unfiltered view of a fabric with two switches, three devices, and
two Admin Domains. The devices are labeled with device WWNs and the switches are labeled with
domain IDs and switch WWNs.
FIGURE 55
Fabric showing switch and device WWNs
Figure 56 shows the filtered view of the fabric as seen from AD3 and AD4. The switch WWNs are
converted to the NAA=5 syntax; the device WWNs and domain IDs remain the same.
Fabric Visible to AD3 User
WWN = 10:00:00:00:c2:37:2b:a3
WWN = 10:00:00:00:c7:2b:fd:a3
Domain ID = 1
WWN = 50:00:51:f0:52:36:f9:03
Domain ID = 2
WWN = 50:00:52:e0:63:46:e9:03
WWN = 10:00:00:00:c2:37:2b:a3
Fabric Visible to AD4 User
Domain ID = 1
WWN = 50:00:51:f0:52:36:f9:04
Domain ID = 2
WWN = 50:00:52:e0:63:46:e9:04
WWN = 10:00:00:00:c8:3a:fe:a2
FIGURE 56
Fabric OS Administrator’s Guide
53-1002745-02
Filtered fabric views showing converted switch WWNs
441
17
Admin Domain management for physical fabric administrators
Admin Domain compatibility, availability, and merging
Admin Domains maintain continuity of service for Fabric OS features and operate in mixed-release
Fabric OS environments. High availability is supported with some backward compatibility.
When an E_Port comes online, the adjacent switches merge their AD databases. The receiving
switch accepts an AD database from the neighboring switch only if the local AD database is empty
or if the new AD database exactly matches both the defined and effective configurations of the
local AD database. If the AD database merge fails, the E_Port is segmented with an “AD conflict”
error code.
Admin Domain management for physical fabric administrators
NOTE
This section is for physical fabric administrators who are managing Admin Domains.
The ad command follows a batched-transaction model, which means that changes to the Admin
Domain configuration occur in the transaction buffer.
An Admin Domain configuration can exist in several places:
• Effective configuration — The Admin Domain configuration that is currently in effect.
• Defined configuration — The Admin Domain configuration that is saved in flash memory. There
might be differences between the effective configuration and the defined configuration.
• Transaction buffer — The Admin Domain configuration that is in the current transaction buffer
and has not yet been saved or canceled.
How you end the transaction determines the disposition of the Admin Domain configuration in the
transaction buffer. The following commands end the Admin Domain transaction:
ad --save
Saves the changes in the transaction buffer to the defined configuration in
persistent storage and propagates the defined configuration to all switches
in the fabric. Note that for delete and clear operations, if one or more of the
deleted Admin Domains are in the effective configuration, you cannot use
--save, but must use --apply instead.
ad --apply
Saves the changes to the defined configuration in persistent storage and
enforces the defined configuration on all switches in the fabric, replacing the
effective configuration.
ad --transabort Aborts the transaction and clears the transaction buffer. The effective and
defined configurations remain unchanged.
You can enter the ad --transshow command at any time to display the ID of the current Admin
Domain transaction.
442
Fabric OS Administrator’s Guide
53-1002745-02
Admin Domain management for physical fabric administrators
17
Setting the default zoning mode for Admin Domains
To begin implementing an Admin Domain structure within your SAN, you must first set the default
zoning mode to No Access. You must be in AD0 to change the default zoning mode.
1. Log in to the switch with the appropriate RBAC role.
2. Ensure you are in the AD0 context by entering the ad --show command to determine the
current Admin Domain.
If necessary, switch to the AD0 context by entering the ad --select 0 command.
3. Set the default zoning mode to No Access, as described in “Setting the default zoning mode”
on page 326.
Creating an Admin Domain
To create an Admin Domain, you must specify an Admin Domain name, number, or both:
• If you create an Admin Domain using only a number, the Admin Domain name is automatically
assigned to be “ADn”, where n is the number you specified.
For example, if you specify AD number = 4, then AD name is set to “AD4”.
• If you create an Admin Domain using only a name, the Admin Domain number is automatically
assigned and is the lowest available AD number, except if you specify a name in the format
“ADn”, in which case the Admin Domain number is assigned to be n.
For example, if you specify AD name = “blueAD” and the lowest available AD number is 5, then
AD name is “blueAD” and AD number is 5.
If you specify AD name = “AD15” and the lowest available AD number is 6, then AD name is
“AD15” and AD number is 15. Because the specified name is in the format “ADn”, the AD
number is assigned to be n and not the lowest available AD number.
When you create an Admin Domain, you must specify at least one member (switch, switch port, or
device). You cannot create an empty Admin Domain. For more information about these member
types, refer to “Admin Domain member types” on page 439.
A newly created Admin Domain has no zoning defined and the default access mode is No Access.
This means the devices in the Admin Domain cannot communicate with each other. You must set
up zones in the newly created Admin Domain to allow devices to access each other, even if the
devices were already zoned together prior to your moving them to the Admin Domain. Refer to
“Admin Domains, zones, and zone databases” on page 458 for additional information about how
zones work with Admin Domains.
You create Admin Domains in the transaction buffer. You can either save the newly created Admin
Domain to a defined configuration or make it the effective configuration directly.
The following procedure describes the steps for creating Admin Domains.
1. Log in to the switch as the physical fabric administrator.
2. Disable Virtual Fabrics, if necessary, as described in “Disabling Virtual Fabrics mode” on
page 290. Admin Domains and Virtual Fabrics cannot co-exist.
3. Set the default zone mode to No Access, if you have not already done so. Refer to “Setting the
default zoning mode” on page 326 for instructions.
4. Switch to the AD255 context, if you are not already in that context:
Fabric OS Administrator’s Guide
53-1002745-02
443
17
Admin Domain management for physical fabric administrators
ad --select 255
5. Enter the ad --create command using the -d option to specify device and switch port members
and the -s option to specify switch members:
ad --create ad_id -d "dev_list" -s "switch_list"
6. Enter the appropriate command based on whether you want to save or activate the Admin
Domain definition:
• To save the Admin Domain definition, enter ad --save.
• To save the Admin Domain definition and directly apply the definition to the fabric, enter ad
--apply.
7.
Set up zones in the newly created Admin Domain. Refer to Chapter 11, “Administering
Advanced Zoning,” for instructions.
Example of creating Admin Domains
The following example creates Admin Domain AD1, consisting of two switches, which are
designated by domain ID and switch WWN.
switch:AD255:admin> ad --create AD1 -s "97; 10:00:00:60:69:80:59:13"
The following example creates Admin Domain “blue_ad,” consisting of two switch ports
(designated by domain,index), one device (designated by device WWN), and two switches
(designated by domain ID and switch WWN).
switch:AD255:admin> ad --create blue_ad –d "100,5; 1,3;
21:00:00:e0:8b:05:4d:05" –s "97; 10:00:00:60:69:80:59:13"
User assignments to Admin Domains
After you create an Admin Domain, you can specify one or more user accounts as the valid
accounts that can use that Admin Domain. User accounts have the following characteristics with
regard to Admin Domains:
• A user account can have only a single role.
• You can configure a user account to have access to the physical fabric through AD255 and to a
list of Admin Domains (AD0 through AD254).
• You can configure a user account to have access to only a subset of your own Admin Domain
list. Only a physical fabric administrator can create another physical fabric administrator user
account.
• Users capable of using multiple Admin Domains can designate one of these Admin Domains as
the home Admin Domain, which is the default Admin Domain context after login.
• If you do not specify one, the home Admin Domain is the lowest valid Admin Domain in the
numerically-sorted AD list.
• Users can log in to their Admin Domains and create their own Admin Domain-specific zones
and zone configurations.
444
Fabric OS Administrator’s Guide
53-1002745-02
Admin Domain management for physical fabric administrators
17
Creating a new user account for managing Admin Domains
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the userConfig --add command using the -r option to set the role, the -a option to provide
access to Admin Domains, and the -h option to specify the home Admin Domain.
userconfig --add username -r role -h home_AD -a "AD_list"
Example of creating new user accounts
The following example creates new user account ad1admin with an admin role and assigns
one Admin Domain, blue_ad1, to it. This example also assigns blue_ad1 as the user’s home
Admin Domain.
switch:admin> userconfig --add ad1admin -r admin -h blue_ad1 -a "blue_ad1"
The following example creates new user account ad2admin with an admin role, access to
Admin Domains 1 and 2, an