HP SN3000B Administrator's Manual


Brocade Fabric OS Administrator's Guide - Supporting Fabric OS v7.0.1 (53-1002446-01, March 2012)

53-1002446-01
15 December 2011
Fabric OS Administrator's Guide
Supporting Fabric OS v7.0.1


Summary of Contents for HP SN3000B

  • Page 1 53-1002446-01 ® 15 December 2011 Fabric OS Administrator’s Guide Supporting Fabric OS v7.0.1...
  • Page 2 Copyright © 2011 Brocade Communications Systems, Inc. All Rights Reserved. Brocade, the B-wing symbol, BigIron, DCX, Fabric OS, FastIron, NetIron, SAN Health, ServerIron, and TurboIron are registered trademarks, and Brocade Assurance, Brocade NET Health, Brocade One, CloudPlex, MLX, VCS, VDX, and When the Mission Is Critical, the Network Is Brocade are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries.
  • Page 3: Table Of Contents

    Contents: About This Document; In this chapter (p. xxxiii); How this document is organized
  • Page 4 Device login (p. 10); Principal switch
  • Page 5 Switch and Backbone shutdown (p. 32); Powering off a Brocade switch (p. 32); Powering off a Brocade Backbone
  • Page 6 Track and control switch changes (p. 55); Enabling the track changes feature (p. 56); Displaying the status of the track changes feature
  • Page 7 User accounts overview (p. 81); Role-Based Access Control (p. 82); The management channel
  • Page 8 Simple Network Management Protocol (p. 125); SNMP and Virtual Fabrics (p. 126); The security level
  • Page 9 IP Filter policy (p. 153); Creating an IP Filter policy
  • Page 10 Chapter 9 Installing and Maintaining Firmware; In this chapter (p. 191); Firmware download process overview
  • Page 11 Supported platforms for Virtual Fabrics (p. 222); Supported port configurations in the fixed-port switches (p. 222); Supported port configurations in the Brocade Backbones (p. 222); Virtual Fabrics interaction with other Fabric OS features
  • Page 12 Zone aliases (p. 246); Creating an alias
  • Page 13 Traffic Isolation Zoning over FC routers (p. 276); TI within an edge fabric (p. 277); TI within a backbone fabric
  • Page 14 Disabling bottleneck detection on a switch (p. 308); Chapter 14 In-flight Encryption and Compression; In this chapter (p. 309); In-flight encryption and compression overview
  • Page 15 Configuration upload and download considerations for FA-PWWN (p. 334); Firmware upgrade and downgrade considerations for FA-PWWN (p. 334); Security considerations for FA-PWWN (p. 334); Restrictions of FA-PWWN
  • Page 16 Licensing overview (p. 367); Brocade 7800 Upgrade license
  • Page 17 Virtual Fabrics considerations for ICLs (p. 396); Supported topologies for ICL connections (p. 397); Mesh topology
  • Page 18 Chapter 21 Optimizing Fabric Behavior; In this chapter (p. 417); Adaptive Networking overview
  • Page 19 Supported platforms for trunking (p. 436); Recommendations for trunking groups (p. 437); Configuring trunk groups
  • Page 20 Chapter 24 Using FC-FC Routing to Connect Fabrics; In this chapter (p. 465); FC-FC routing overview
  • Page 21 Appendix A Interoperation of Fabric OS and M-EOS Fabrics Using FC Router; In this appendix (p. 507); Interoperability overview
  • Page 23 Figures: Figure 1 Well-known addresses (p. 3); Figure 2 Identifying the blades
  • Page 24 Figure 36 Illegal ETIZ configuration: two paths from one port to two devices on the same remote domain (p. 275); Figure 37 Illegal ETIZ configuration: two paths from one port
  • Page 25 Figure 77 EX_Port phantom switch topology (p. 474); Figure 78 Example of setting up Speed LSAN tag
  • Page 27 Tables: Table 1 Daemons that are automatically restarted (p. 13); Table 2 Terminal port parameters
  • Page 28 Table 37 Interaction between fabric-wide consistency policy and distribution settings (p. 161); Table 38 Supported policy databases (p. 161); Table 39 Fabric-wide consistency policy settings
  • Page 29 Table 79 Buffer credits (p. 461); Table 80 Configurable distances for Extended Fabrics
  • Page 31: About This Document

    About This Document In this chapter • How this document is organized (p. xxxiii) •...
  • Page 32: Supported Hardware And Software

    • Chapter 11, “Administering Advanced Zoning,” provides procedures for use of the Brocade Advanced Zoning feature. • Chapter 12, “Traffic Isolation Zoning,” provides concepts and procedures for use of Traffic Isolation Zones within a fabric. • Chapter 13, “Bottleneck Detection,” describes how you can detect and configure alert thresholds for latency and congestion bottlenecks in the fabric.
  • Page 33: What's New In This Document

    The following hardware platforms are supported by this release of Fabric OS: • Fixed-port switches: Brocade 300 switch Brocade 5100 switch Brocade 5300 switch Brocade 5410 embedded switch Brocade 5424 embedded switch Brocade 5450 embedded switch Brocade 5460 embedded switch Brocade 5470 embedded switch Brocade 5480 embedded switch Brocade 6505 switch...
  • Page 34: Document Conventions

    Document conventions This section describes text formatting conventions and important notice formats used in this document. Text formatting The narrative-text formatting conventions that are used are as follows: bold text Identifies command names Identifies the names of user-manipulated GUI elements Identifies keywords and operands Identifies text to enter at the GUI or CLI italic text...
  • Page 35: Notice To The Reader

    NOTE A note provides a tip, guidance or advice, emphasizes important information, or provides a reference to related information. ATTENTION An Attention statement indicates potential damage to hardware or data. CAUTION A Caution statement alerts you to situations that can be potentially hazardous to you or cause damage to hardware, firmware, software, or data.
  • Page 36: Additional Information

    Additional information This section lists additional Brocade and industry-specific documentation that you might find helpful. Brocade resources To get up-to-the-minute information, go to http://my.brocade.com and register at no cost for a user ID and password. For practical discussions about SAN design, implementation, and maintenance, you can obtain Building SANs with Brocade Fabric Switches through: http://www.amazon.com For additional Brocade documentation, visit the Brocade SAN Info Center and click the Resource...
  • Page 37: Document Feedback

    • syslog message logs 2. Switch Serial Number The switch serial number and corresponding bar code are provided on the serial number label, as illustrated below: FT00X0054E9 The serial number label is located as follows: • Brocade 5424 — On the bottom of the switch module. •...
  • Page 39: Standard Features

    Section Standard Features This section describes standard Fabric OS features, and includes the following chapters: • Chapter 1, “Understanding Fibre Channel Services” • Chapter 2, “Performing Basic Configuration Tasks” • Chapter 3, “Performing Advanced Configuration Tasks” • Chapter 4, “Routing Traffic” •...
  • Page 41: Understanding Fibre Channel Services

    Chapter Understanding Fibre Channel Services In this chapter • Fibre Channel services overview (p. 3) •...
  • Page 42: Management Server

    Management server Management server — The management server provides a single point for managing the fabric. This is the only service that users can configure. Alias server — The alias server keeps a group of nodes registered as one name to handle multicast groups.
  • Page 43: Platform Services And Virtual Fabrics

    Platform services Platform services and Virtual Fabrics Each logical switch has a separate Platform Database. All platform registrations done to a logical switch are valid only in that particular logical switch’s Virtual Fabric. Activating the platform services on a switch activates the platform services on all logical switches in a Virtual Fabric.
  • Page 44: Management Server Database

    Management server database Management server database You can control access to the management server database. An access control list (ACL) of WWN addresses determines which systems have access to the management server database. The ACL typically contains those WWNs of host systems that are running management applications.
  • Page 45: Deleting A Member From The Acl

    Management server database 6. After verifying that the WWN was added correctly, enter 0 at the prompt to end the session. 7. At the “Update the FLASH?” prompt, enter y. 8. Press Enter to update the nonvolatile memory and end the session. Example of adding a member to the management server ACL switch:admin>...
  • Page 46: Viewing The Contents Of The Management Server Database

    Management server database 4. At the “Port/Node WWN” prompt, enter the WWN of the member to be deleted from the ACL. 5. At the “select” prompt, enter 1 to display the access list so you can verify that the WWN you entered was deleted from the ACL.
  • Page 47: Clearing The Management Server Database

    Topology discovery Number of Associated Node Names: 1 Associated Node Names: 10:00:00:60:69:20:15:75 Clearing the management server database NOTE The command msPlClearDB is allowed only in AD0 and AD255. 1. Connect to the switch and log in using an account assigned to the admin role. 2.
  • Page 48: Disabling Topology Discovery

    Device login Disabling topology discovery Topology discovery is disabled by default. NOTE Disabling discovery of management server topology might erase all node ID entries. If Admin Domains are enabled, you must be in the AD0 or AD255 context. Refer to Chapter 17, “Managing Administrative Domains,”...
  • Page 49: Principal Switch

    Device login Principal switch In a fabric with multiple switches in which one inter-switch link (ISL) exists between any two switches, a principal switch is automatically elected. The principal switch provides the following capabilities: • Maintains time for the entire fabric. Subordinate switches synchronize their time with the principal switch.
  • Page 50: Rscns

    Device login • F_Port — A fabric port is assigned to fabric-capable devices, such as SAN storage devices. • EX_Port — A type of E_Port that connects a Fibre Channel router to an edge fabric. From the point of view of a switch in an edge fabric, an EX_Port appears as a normal E_Port. It follows applicable Fibre Channel standards as other E_Ports.
  • Page 51: Duplicate Port World Wide Name

    High availability of daemon processes Duplicate Port World Wide Name According to Fibre Channel standards, the Port World Wide Name (PWWN) of a device cannot overlap with that of another device, thus having duplicate PWWNs within the same fabric is an illegal configuration.
  • Page 52 High availability of daemon processes TABLE 1 Daemons that are automatically restarted (Continued) Daemon: Description. webd: Webserver daemon used for WebTools (includes httpd as well). weblinkerd: Weblinker daemon provides an HTTP interface to manageability applications for switch management and fabric discovery.
  • Page 53: Performing Basic Configuration Tasks

    Chapter Performing Basic Configuration Tasks In this chapter • Fabric OS overview (p. 15) •...
  • Page 54: Fabric Os Command Line Interface

    Fabric OS command line interface Although many different software and hardware configurations are tested and supported by Brocade Communications Systems, Inc., documenting all possible configurations and scenarios is beyond the scope of this document. In some cases, earlier releases are highlighted to present considerations for interoperating with them.
  • Page 55: Telnet Or Ssh Sessions

    Fabric OS command line interface TABLE 2 Terminal port parameters (Continued) Parameter Value Stop bits Flow control None • In a UNIX environment, enter the following string at the prompt: tip /dev/ttyb -9600 If ttyb is already in use, use ttya instead and enter the following string at the prompt: tip /dev/ttya -9600 Telnet or SSH sessions Connect to the Fabric OS through a Telnet or SSH connection or through a console session on the...
  • Page 56: Getting Help On A Command

    Fabric OS command line interface Switches in the fabric that are not connected through the Ethernet port can be managed through switches that are using IP over Fibre Channel. The embedded port must have an assigned IP address. 3. Log off the switch’s serial port. 4.
  • Page 57: Password Modification

    Password modification Password modification The switch automatically prompts you to change the default account passwords after logging in for the first time. If you do not change the passwords, the switch prompts you after each subsequent login until all the default passwords have been changed. NOTE The default account passwords can be changed from their original values only when prompted immediately following the login;...
  • Page 58: The Ethernet Interface On Your Switch

    The Ethernet interface on your switch The Ethernet interface on your switch The Ethernet (network) interface provides management access, including direct access to the Fabric OS CLI, and allows other tools, such as Web Tools, to interact with the switch. You can use either Dynamic Host Configuration Protocol (DHCP) or static IP addresses for the Ethernet network interface configuration.
  • Page 59: Displaying The Network Interface Settings

    The Ethernet interface on your switch Displaying the network interface settings If an IP address has not been assigned to the network interface (Ethernet), you must connect to the Fabric OS CLI using a console session on the serial port. For more information, see “Console sessions using the serial port”...
  • Page 60: Static Ethernet Addresses

    The Ethernet interface on your switch Static Ethernet addresses Use static Ethernet network interface addresses on Brocade DCX and DCX-4S Backbones, and in environments where DHCP service is not available. To use static addresses for the Ethernet interface, you must first disable DHCP. You can enter static Ethernet information and disable DHCP at the same time.
  • Page 61: Dhcp Activation

    The Ethernet interface on your switch Setting the static addresses for the chassis management IP interface 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the ipAddrSet -chassis command. switch:admin> ipaddrset -chassis Ethernet IP Address [192.168.166.148]: Ethernet Subnetmask [255.255.255.0]: Committing configuration...Done.
  • Page 62: Ipv6 Autoconfiguration

    The Ethernet interface on your switch 4. Enable DHCP by entering on. switch:admin> ipaddrset Ethernet IP Address [10.1.2.3]: Ethernet Subnetmask [255.255.255.0]: Fibre Channel IP Address [220.220.220.2]: Fibre Channel Subnetmask [255.255.0.0]: Gateway IP Address [10.1.2.1]: DHCP [Off]:on Disabling DHCP When you disable DHCP, enter the static Ethernet IP address and subnet mask of the switch and default gateway address.
  • Page 63: Date And Time Settings

    Date and time settings When IPv6 autoconfiguration is enabled, the platform engages in stateless IPv6 autoconfiguration. When IPv6 autoconfiguration is disabled, the platform relinquishes usage of any autoconfigured IPv6 addresses that it may have acquired while it was enabled. This same enable or disable state also enables or disables the usage of a link local address for each managed entity, though a link local address continues to be generated for each nonchassis-based platform and for each CP of a chassis-based platform because those link local addresses are required for router discovery.
  • Page 64: Time Zone Settings

    Date and time settings • yy is the year; valid values are 00 through 37 and 70 through 99 (year values from 70 through 99 are interpreted as 1970 through 1999, and year values from 00 through 37 are interpreted as 2000 through 2037). Example of showing and setting the date switch:admin>...
  • Page 65: Network Time Protocol

    Date and time settings • Use tsTimeZone with no parameters to display the current time zone setting. • Use --interactive to list all of the time zones supported by the firmware. • Use timeZone_fmt to set the time zone by Country/City or by time zone ID, such as Pacific Standard Time (PST).
  • Page 66: Domain Ids

    Domain IDs Synchronizing the local time with an external source The tsClockServer command accepts multiple server addresses in IPv4, IPv6, or Domain Name System (DNS) name formats. When multiple NTP server addresses are passed, tsClockServer sets the first obtainable address as the active NTP server. The rest are stored as backup servers that can take over if the active NTP server fails.
  • Page 67: Displaying The Domain Ids

    Domain IDs Displaying the domain IDs 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the fabricShow command. Example output of fabric information, including the domain ID (D_ID) The principal switch is determined by the arrow ( > ) next to the name of the switch. In this output, the principal switch appears in blue boldface.
  • Page 68: Switch Names

    Switch names 3. Enter the configure command. 4. Enter y after the Fabric Parameters prompt. Fabric parameters (yes, y, no, n): [no] y 5. Enter a unique domain ID at the Domain prompt. Use a domain ID value from 1 through 239 for normal operating mode (FCSW-compatible).
  • Page 69: Fabric Name

    Fabric name Fabric name You can assign an alphanumeric name to identify and manage a logical fabric that formerly could only be identified by a fabric ID. The fabric name does not replace the fabric ID or its usage. The fabric continues to have a fabric ID, in addition to the assigned alphanumeric fabric name.
  • Page 70: Switch Activation And Deactivation

    Switch activation and deactivation Switch activation and deactivation By default, the switch is enabled after power is applied and diagnostics and switch initialization routines have finished. You can disable and re-enable the switch as necessary. Disabling a switch 1. Connect to the switch and log in using an account assigned to the admin role. 2.
  • Page 71: Powering Off A Brocade Backbone

    Basic connections The system is halted flushing ide devices: hda Power down. 5. Power off the switch. Powering off a Brocade Backbone 1. From the active CP in a dual-CP platform, enter the sysShutdown command. NOTE When the sysShutdown command is issued on the active CP, the active CP, the standby CP, and any application blades are all shut down.
  • Page 72: Switch Connection

    Basic connections Switch connection See the hardware reference manual of your specific switch for ISL connection and cable management information. The standard or default ISL mode is L0. ISL mode L0 is a static mode, with the following maximum ISL distances: •...
  • Page 73: Performing Advanced Configuration Tasks

    Chapter Performing Advanced Configuration Tasks In this chapter • PIDs and PID binding overview (p. 35) •...
  • Page 74: Core Pid Addressing Mode

    PIDs and PID binding overview Core PID addressing mode Core PID is the default PID format for Brocade platforms. It uses the entire 24-bit address space of the domain, area ID, and AL_PA to determine an object’s address within the fabric. The Core PID is a 24-bit address built from the following three 8-bit fields: •...
  • Page 75: 256-Area Addressing Mode

    PIDs and PID binding overview • Shared area limitations are removed on 48-port and 64-port blades. • Any port on a 48-port or 64-port blade can support up to 256 NPIV devices (in fixed addressing mode, only 128 NPIV devices are supported in non-VF mode and 64 NPIV devices in VF mode on a 48-port blade).
  • Page 76 PIDs and PID binding overview Virtual Fabrics considerations for WWN-based PID assignment WWN-based PID assignment is disabled by default and is supported in the default switch on the Brocade DCX and DCX 8510 Backbone families. This feature is not supported on application blades such as the FS8-18, FX8-24, and the FCOE10-24.
  • Page 77: Ports

    Ports Clearing PID binding 1. Connect to the switch and log in using an account with admin permissions. 2. Enter the wwnAddress -unbind command to clear the PID binding for the specified WWN. Showing PID assignments 1. Connect to the switch and log in using an account with admin permissions. 2.
  • Page 78: Setting Port Names

    Ports When you have port blades with different port counts in the same Backbone (for example, 16-port blades and 32-port blades, or 16-port blades and 18-port blades with 16 FC ports and 2 GbE ports, or 16-port and 48-port blades), the area IDs no longer match the port numbers. Table 6 on page 45 lists the port numbering schemes for the blades.
  • Page 79: Port Identification By Index

    Ports Port identification by index With the introduction of 48-port blades, indexing was introduced. Unique area IDs are possible for up to 255 areas, but beyond that there needed to be some way to ensure uniqueness. A number of fabric-wide databases supported by Fabric OS (including ZoneDB, the ACL DDC, and Admin Domain) allow a port to be designated by the use of a “D,P”...
  • Page 80: Port Activation And Deactivation

    Ports Port activation and deactivation By default, all licensed ports are enabled. You can disable and re-enable them as necessary. Ports that you activate with the Ports on Demand license must be enabled explicitly, as described in “Ports on Demand” on page 385.
  • Page 81: Port Decommissioning

    Ports Port decommissioning Fabric OS 7.0.0 and later provides an automated mechanism to remove an E_Port or E_Port trunk port from use. This feature identifies the target port and communicates the intention to decommission the port to those systems within the fabric affected by the action. Each affected system can agree or disagree with the action, and these responses are automatically collected before a port is decommissioned.
  • Page 82: Setting Port Speed For A Port Octet

    Blade terminology and compatibility The following example sets the speed for all ports on the switch to autonegotiate: switch:admin> switchcfgspeed 0 Committing configuration...done. Setting port speed for a port octet You can use the portCfgOctetSpeedCombo command to configure the speed for a port octet. Note that in a Virtual Fabrics environment, this command applies chassis-wide and not just to the logical switch.
  • Page 83: Table 6 Port Blade Terminology, Numbering, And Platform Support

    Blade terminology and compatibility TABLE 6 Port blade terminology, numbering, and platform support Supported on: Blade Blade ID DCX 8510 Ports Definition (slotshow) family family FC8-16 8-Gbps port blade supporting 1, 2, 4, and 8 Gbps port speeds. Ports are numbered from 0 through 15 from bottom to top.
  • Page 84 Blade terminology and compatibility TABLE 6 Port blade terminology, numbering, and platform support (Continued) Supported on: Blade Blade ID DCX 8510 Ports Definition (slotshow) family family FC16-48 A 48-port, 16-Gbps port blade supporting 2, 4, 8, 10, and 16 Gbps port speeds. NOTE: 10 Gbps speed for FC16-xx blades requires the 10G license.
  • Page 85: Cp Blades

    Blade terminology and compatibility CP blades The control processor (CP) blade provides redundancy and acts as the main controller on the Brocade Backbone. The Brocade DCX and DCX 8510 Backbone families support the CP8 blades. The CP blades in the Brocade DCX and DCX 8510 Backbone families are hot-swappable. The CP8 blades are fully interchangeable among Brocade DCX, DCX-4S, DCX 8510-4, and DCX 8510-8 Backbones.
  • Page 86: Fx8-24 Compatibility Notes

    Enabling and disabling blades TABLE 7 Blade compatibility within Brocade Backbone families Intelligent blade Fabric OS v6.3.0 Fabric OS v6.4.0 Fabric OS v7.0.0 DCX-4S DCX-4S DCX-4S DCX 8510-8 DCX 8510-4 FR4-18i FS8-18 FCOE10-24 FX8-24 The iSCSI function over FCIP is not supported, but the FCIP link is the same as other FC E_Ports. This is not restricted by software.
  • Page 87: Enabling Blades

    Enabling and disabling blades Enabling blades 1. Connect to the switch and log in using an account with admin permissions. 2. Enter the bladeEnable command with the slot number of the port blade you want to enable. ecp:admin> bladeenable 3 Slot 3 is being enabled FC8-48, FC8-48E, FC8-64, and FC16-48 port blade enabling exceptions Because the area IDs are shared with different port IDs, the FC8-48, FC8-48E, FC8-64, and...
  • Page 88: Disabling Blades

    Blade swapping • When an FR4-18i blade is replaced by an FC8-16, FC8-32, FC8-48, or FC8-64 blade, then the EX_Port configuration is retained, but the ports are persistently disabled. All remaining port configurations are retained. NOTE The FC10-6 blade does not support EX_Ports. Disabling blades 1.
  • Page 89: How Blades Are Swapped

    Blade swapping How blades are swapped The bladeSwap command performs the following operations: 1. Blade selection The selection process includes selecting the switch and the blades to be affected by the swap operation. Figure 2 shows the source and destination blades identified to begin the process. FIGURE 2 Identifying the blades 2.
  • Page 90: Swapping Blades

    Blade swapping FIGURE 3 Blade swap with Virtual Fabrics during the swap 4. Port swapping The swap ports action is effectively an iteration of the portSwap command for each port on the source blade to each corresponding port on the destination blade. Figure 4 shows Virtual Fabrics, where the blades can be carved up into different logical switches as long as they are carved the same way.
  • Page 91: Power Management

    Power management 3. Once the command completes successfully, move the cables from the source blade to the destination blade. 4. Enter the bladeEnable command on the destination blade to enable all user ports. Power management All blades are powered on by default when the switch chassis is powered on. Blades cannot be powered off when POST or AP initialization is in progress.
  • Page 92: Equipment Status

    Equipment status Equipment status You can check the status of switch operation, High Availability features, and fabric connectivity. Checking switch operation 1. Connect to the switch and log in using an account with admin permissions. 2. Enter the switchShow command. This command displays a switch summary and a port summary.
  • Page 93: Verifying Fabric Connectivity

    Track and control switch changes Verifying fabric connectivity 1. Connect to the switch and log in using an account with admin permissions. 2. Enter the fabricShow command. This command displays a summary of all the switches in the fabric. The output of the fabricShow command is discussed in “Domain IDs”...
  • Page 94: Enabling The Track Changes Feature

    Track and control switch changes Enabling the track changes feature 1. Connect to the switch and log in using an account with admin permissions. 2. Enter the trackChangesSet 1 command to enable the track changes feature. A message displays, verifying that the track changes feature is on: switch:admin>...
  • Page 95: Setting The Switch Status Policy Threshold Values

    Track and control switch changes Blade CoreBlade Flash MarginalPorts 0.00%[0] 0.00%[0] FaultyPorts 0.00%[0] 0.00%[0] MissingSFPs 0.00%[0] 0.00%[0] ErrorPorts 0.00%[0] 0.00%[0] Number of ports: 4 Setting the switch status policy threshold values 1. Connect to the switch and log in using an account with admin permissions. 2.
  • Page 96: Audit Log Configuration

    Audit log configuration Bad PowerSupplies contributing to MARGINAL status: (0..2) [1] Bad Temperatures contributing to DOWN status: (0..4) [2]1 Bad Temperatures contributing to MARGINAL status: (0..4) [1]2 Bad Fans contributing to DOWN status: (0..2) [2] Bad Fans contributing to MARGINAL status: (0..2) [1] (output truncated) On the Brocade Backbones, the command output includes parameters related to CP blades.
  • Page 97: Verifying Host Syslog Prior To Configuring The Audit Log

    Audit log configuration NOTE Only the active CP can generate audit messages because event classes being audited occur only on the active CP. Audit messages cannot originate from other blades in a Backbone. Switch names are logged for switch components and Backbone names for Backbone components. For example, a Backbone name may be FWDL or RAS and a switch component name may be zone, name server, or SNMP.
  • Page 98: Configuring Flogi-Time Handling Of Duplicate Pwwn

    Configuring FLOGI-time handling of duplicate PWWN 4. Enter the auditCfg --show command to view the filter configuration and confirm that the correct event classes are being audited, and the correct filter state appears (enabled or disabled). switch:admin> auditcfg --show Audit filter is enabled. 2-SECURITY 4-FIRMWARE 5.
  • Page 99: Setting The Behavior For Handling Duplicate Pwwns

    Configuring FLOGI-time handling of duplicate PWWN TABLE 9 Duplicate PWWN behavior: Second login overrides existing login Input port Duplicate found on Duplicate found on different Duplicate found on Duplicate found on same F_Port F_Port same NPIV port different NPIV port FLOGI Implicit logout.
  • Page 101: Routing Traffic

    Chapter Routing Traffic In this chapter • Routing overview (p. 63) •...
  • Page 102: Paths And Route Selection

    Routing overview Paths and route selection Paths are possible ways to get from one switch to another. Each inter-switch link (ISL) has a metric cost based on bandwidth. The cumulative cost is based on the sum of all costs of all traversed ISLs. Route selection is the path that is chosen.
  • Page 103: Fibre Channel Nat

    Routing overview NOTE FSPF only supports 16 routes in a zone, including Traffic Isolation Zones. FSPF makes minimal use of the ISL bandwidth, leaving virtually all of it available for traffic. In a stable fabric, a switch transmits 64 bytes every 20 seconds in each direction. FSPF frames have the highest priority in the fabric.
  • Page 104: Inter-Switch Links

    Inter-switch links Inter-switch links An inter-switch link (ISL) is a link between two switches, E_Port-to-E_Port. The ports of the two switches automatically come online as E_Ports once the login process finishes successfully. For more information on the login process, refer to Chapter 1, “Understanding Fibre Channel Services”.
  • Page 105: Buffer Credits

    Inter-switch links Buffer credits In order to prevent the dropping of frames in the fabric, a device can never send frames without the receiving device being able to receive them, so an end-to-end flow control is used on the switch. Flow control in Fibre Channel uses buffer-to-buffer credits, which are distributed by the switch.
  • Page 106: Gateway Links

    Gateway links FIGURE 7 Virtual channels on a QoS-enabled ISL Gateway links A gateway merges SANs into a single fabric by establishing point-to-point E_Port connectivity between two Fibre Channel switches that are separated by a network with a protocol such as IP or SONET.
  • Page 107: Configuring A Link Through A Gateway

    Gateway links FIGURE 8 Gateway link merging SANs By default, switch ports initialize links using the Exchange Link Parameters (ELP) mode 1. However, gateways expect initialization with ELP mode 2, also referred to as ISL R_RDY mode. Therefore, to enable two switches to link through a gateway, the ports on both switches must be set for ELP mode 2.
  • Page 108: Routing Policies

    Routing policies Example of enabling a gateway link on slot 2, port 3
    ecp:admin> portcfgislmode 2/3, 1
    Committing configuration...done.
    ISL R_RDY Mode is enabled for port 3. Please make sure the PID formats are consistent across the entire fabric.
    Routing policies By default, all routing protocols place their routes into a routing table.
  • Page 109: Exchange-Based Routing

    Routing policies Exchange-based routing The choice of routing path is based on the Source ID (SID), Destination ID (DID), and Fibre Channel originator exchange ID (OXID) optimizing path utilization for the best performance. Thus, every exchange can take a different path through the fabric. Exchange-based routing requires the use of the Dynamic Load Sharing (DLS) feature;...
  • Page 110: Route Selection

    Route selection Routing in Virtual Fabrics Virtual Fabrics support DPS on all partitions. DPS is limited where multiple paths are available for a logical fabric frame entering a Virtual Fabrics chassis from a base fabric that is sent out using one of the dedicated ISLs in a logical switch.
  • Page 111: Dynamic Load Sharing

    Route selection Dynamic Load Sharing The exchange-based routing policy depends on the Fabric OS Dynamic Load Sharing (DLS) feature for dynamic routing path selection. When using the exchange-based routing policy, DLS is enabled by default and cannot be disabled. In other words, you cannot enable or disable DLS when the exchange-based routing policy is in effect.
  • Page 112: Frame Order Delivery

    Frame order delivery Frame order delivery The order of delivery of frames is maintained within a switch and determined by the routing policy in effect. The frame delivery behaviors for each routing policy are: • Port-based routing All frames received on an incoming port destined for a destination domain are guaranteed to exit the switch in the same order in which they were received.
  • Page 113: Lossless Dynamic Load Sharing On Ports

    Lossless Dynamic Load Sharing on ports Lossless Dynamic Load Sharing on ports Lossless Dynamic Load Sharing (DLS) allows you to rebalance port paths without causing input/output (I/O) failures. For devices where in-order delivery (IOD) of frames is required, you can set IOD separately.
  • Page 114: Lossless Core

    Lossless Dynamic Load Sharing on ports Lossless DLS does the following whenever paths need to be rebalanced: 1. Pauses ingress traffic by not returning credits. Frames that are already in transit are not dropped. 2. Changes the existing path to a more optimal path. 3.
  • Page 115: Configuring Lossless Dynamic Load Sharing

    Enabling forward error correction Configuring Lossless Dynamic Load Sharing You configure Lossless DLS switch- or chassis-wide by using the dlsSet command to specify that no frames are dropped while rebalancing or rerouting traffic. 1. Connect to the switch and log in using an account with admin permissions. 2.
  • Page 116: Frame Redirection

    Frame Redirection FEC is useful when broadcasting data to many destinations simultaneously from a single source, when retransmissions might be costly. Use the portCfgFec command to enable and disable FEC on a port, as shown in the following examples. 1. Connect to the switch and log in using an account with admin permissions. 2.
  • Page 117: Creating A Frame Redirect Zone

    Frame Redirection FIGURE 9 Single host and target Figure 9 demonstrates the flow of Frame Redirection traffic. A frame starts at the host with a destination to the target. The port where the appliance is attached to the host switch acts as the virtual initiator and the port where the appliance is attached to the target switch is the virtual target.
  • Page 118: Viewing Redirect Zones

    Frame Redirection Viewing redirect zones 1. Connect to the switch and log in using an account with admin permissions. 2. Enter the cfgShow command.
  • Page 119: Managing User Accounts

    Chapter Managing User Accounts In this chapter • User accounts overview ......... 81 •...
  • Page 120: Role-Based Access Control

    User accounts overview Fabric OS provides three options for authenticating users—remote RADIUS services, remote LDAP service, and the local switch user database. All options allow users to be centrally managed using the following methods: • Remote RADIUS server: Users are managed in a remote RADIUS server. All switches in the fabric can be configured to authenticate against the centralized remote database.
  • Page 121: The Management Channel

    User accounts overview If some Admin Domains have been defined for the user and all of them are inactive, the user will not be allowed to log in to any switch in the fabric. If no Home Domain is specified for a user, the system provides a default home domain.
  • Page 122: Managing User-Defined Roles

    User accounts overview TABLE 13 Maximum number of simultaneous sessions Role name Maximum sessions Admin BasicSwitchAdmin FabricAdmin Operator SecurityAdmin SwitchAdmin User ZoneAdmin Managing user-defined roles Fabric OS provides an extensive toolset for managing user defined roles: • The roleConfig command is available for defining new roles, deleting created roles, or viewing information about user-defined roles.
  • Page 123: Local Database User Accounts

    Local database user accounts > classConfig --showroles security Roles that have access to RBAC Class ‘security’ are: Role Name Permissions --------- ----------- User Admin Factory Root SwitchAdmin FabricAdmin BasicSwitchAdmin SecurityAdmin mysecurityrole To delete a user-defined role, use the roleConfig delete command. Assigning a user-defined role to a user You can assign a user-defined role to a user using one of the following options of the userConfig command:...
  • Page 124: Table 14 Default Local User Accounts

    Local database user accounts TABLE 14 Default local user accounts Account name Role Admin Domain Logical Fabric Description admin Admin AD0-255 LF1-128 Most commands have home: 0 observe-modify permission. home: 128 factory Factory AD0-255 LF1-128 Reserved. home: 0 home: 128 root Root AD0-255...
  • Page 125: Local Account Passwords

    Local database user accounts Deleting an account This procedure can be performed on local user accounts. 1. Connect to the switch and log in using an account with admin permissions, or an account associated with a user-defined role with permissions for the UserManagement class of commands.
  • Page 126: Local Account Database Distribution

    Local account database distribution Changing the password for a different account 1. Connect to the switch and log in using an account with admin permissions. 2. Enter the passwd command specifying the name of the account for which the password is being changed.
  • Page 127: Rejecting Distributed User Databases On The Local Switch

    Password policies Rejecting distributed user databases on the local switch 1. Connect to the switch and log in using an account with admin permissions. 2. Enter the fddCfg localreject PWD command. Password policies The password policies described in this section apply to the local switch user database only. Configured password policies (and all user account attribute and password state information) are synchronized across CPs and remain unchanged after an HA failover.
  • Page 128: Password History Policy

    Password policies • Punctuation Specifies the minimum number of punctuation characters that must appear in the password. All printable, non-alphanumeric punctuation characters except the colon ( : ) are allowed. The default value is zero. The maximum value must be less than or equal to the MinLength value. •...
  • Page 129: Password Expiration Policy

    Password policies Password expiration policy The password expiration policy forces expiration of a password after a configurable period of time, and is enforced across all user accounts. A warning that password expiration is approaching is displayed when the user logs in. When a user’s password expires, he or she must change the password to complete the authentication process and open a user session.
  • Page 130 Password policies The following commands are used to manage the account lockout policy. • userConfig change account_name -u • passwdCfg disableadminlockout Note that the account-locked state is distinct from the account-disabled state. Use the following attributes to set the account lockout policy: •...
  • Page 131: The Boot Prom Password

    The boot PROM password The boot PROM password The boot PROM password provides an additional layer of security by protecting the boot PROM from unauthorized use. Setting a recovery string for the boot PROM password enables you to recover a lost boot PROM password by contacting your switch service provider.
  • Page 132: Setting The Boot Prom Password For A Backbone With A Recovery String

    The boot PROM password 5. Enter the recovery password (string). The recovery string must be between 8 and 40 alphanumeric characters. A random string that is 15 characters or longer is recommended for higher security. The firmware prompts for this password only once.
  • Page 133: Setting The Boot Prom Password For A Switch Without A Recovery String

    The boot PROM password 6. Enter the recovery password (string). The recovery string must be between 8 and 40 alphanumeric characters. A random string that is 15 characters or longer is recommended for higher security. The firmware only prompts for this password once.
  • Page 134: Setting The Boot Prom Password For A Backbone Without A Recovery String

    The boot PROM password 5. At the shell prompt, enter the passwd command. NOTE The passwd command only applies to the boot PROM password when it is entered from the boot interface. 6. Enter the boot PROM password at the prompt, then re-enter it when prompted. The password must be eight alphanumeric characters (any additional characters are not recorded).
  • Page 135: The Authentication Model Using Radius And Ldap

    The authentication model using RADIUS and LDAP 9. Enter the saveEnv command to save the new password. 10. Reboot the standby CP blade by entering the reset command. 11. Connect to the active CP blade by serial or Telnet and enter the haEnable command to restore high availability;...
  • Page 136: Table 15 Authentication Configuration Options

    The authentication model using RADIUS and LDAP To enable the secure LDAP service, you need to install a certificate from the Microsoft Active Directory server. By default, the LDAP service does not require certificates. The configuration applies to all switches and on a Backbone the configuration replicates itself on a standby CP blade if one is present.
  • Page 137: Setting The Switch Authentication Mode

    The authentication model using RADIUS and LDAP TABLE 15 Authentication configuration options (Continued) aaaConfig options Description Equivalent setting in Fabric OS v5.1.0 and earlier radius switchdb --authspec “ldap” Authenticates management connections against any LDAP databases only. If LDAP service is not available or the credentials do not match, the login fails.
  • Page 138: Fabric Os Users On The Radius Server

    The authentication model using RADIUS and LDAP syntax error in the attributes, the password expiration warning will not be issued. If your RADIUS server maintains its own password expiration attributes, you must set the exact date twice to use this feature, once on your RADIUS server and once in the VSA attribute. If the dates do not match, then the RADIUS server authentication fails.
  • Page 139: Figure 10 Windows 2000 Vsa Configuration

    The authentication model using RADIUS and LDAP FIGURE 10 Windows 2000 VSA configuration Linux FreeRadius server For the configuration on a Linux FreeRadius server, define the values outlined in Table 17 in a vendor dictionary file called dictionary.brocade. TABLE 17 Entries in dictionary.brocade file Include Value...
  • Page 140 The authentication model using RADIUS and LDAP RADIUS configuration with Admin Domains or Virtual Fabrics When configuring users with Admin Domains or Virtual Fabrics, you must also include the Admin Domain or Virtual Fabric member list. This section describes the way that you configure attribute types for this configuration.
  • Page 141: The Radius Server

    The authentication model using RADIUS and LDAP In the next example, on a Linux FreeRadius Server, the user has the “zoneAdmin” permissions, with VFlist 2, 4, 5, 6, 7, 8, 10, 11, 12, 13, 15 17, 19, 22, 23, 24, 25, 29, 31 and HomeLF 1. user300 Auth-Type := Local, User-Password == "password"...
  • Page 142 The authentication model using RADIUS and LDAP
    # attributes
    ATTRIBUTE Brocade-Auth-Role string Brocade
    ATTRIBUTE Brocade-AVPairs1 string Brocade
    ATTRIBUTE Brocade-AVPairs2 string Brocade
    ATTRIBUTE Brocade-AVPairs3 string Brocade
    ATTRIBUTE Brocade-AVPairs4 string Brocade
    ATTRIBUTE Brocade-Passwd-ExpiryDate string Brocade
    ATTRIBUTE Brocade-Passwd-WarnPeriod string Brocade
    This defines the Brocade vendor ID as 1588, the Brocade attribute 1 as Brocade-Auth-Role and 6 as Brocade-Passwd-ExpiryDate; both are string values.
  • Page 143 The authentication model using RADIUS and LDAP Enabling clients Clients are the switches that will use the RADIUS server; each client must be defined. By default, all IP addresses are blocked. The Brocade Backbones send their RADIUS requests using the IP address of the active CP. When adding clients, add both the active and standby CP IP addresses so that, in the event of a failover, users can still log in to the switch.
  • Page 144 The authentication model using RADIUS and LDAP 3. Configuring a user IAS is the Microsoft implementation of a RADIUS server and proxy. IAS uses the Windows native user database to verify user login credentials; it does not list specific users, but instead lists user groups.
  • Page 145 The authentication model using RADIUS and LDAP RSA SecurID with an RSA RADIUS server is used for user authentication. The Brocade switch does not communicate directly with the RSA Authentication Manager, so the RSA RADIUS server is used in conjunction with the switch to facilitate communication. To learn more about how RSA SecurID works, visit www.rsa.com.
  • Page 146: Figure 11 Example Of A Brocade Dct File

    The authentication model using RADIUS and LDAP
    ###########################################################################
    # brocade.dct -- Brocade Dictionary
    # (See readme.dct for more details on the format of this file)
    ###########################################################################
    # Use the Radius specification attributes in lieu of the Brocade one:
    @radius.dct
    MACRO Brocade-VSA(t,s) 26 [vid=1588 type1=%t% len1=+2 data=%s%]
    ATTRIBUTE Brocade-Auth-Role Brocade-VSA(1,string) r...
  • Page 147: Ldap Configuration And Microsoft Active Directory

    The authentication model using RADIUS and LDAP d. Add the Brocade profile. e. In RSA Authentication Manager, edit the user records that will be authenticating using RSA SecurID. LDAP configuration and Microsoft Active Directory LDAP provides user authentication and authorization using the Microsoft Active Directory service in conjunction with LDAP on the switch.
  • Page 148: Creating A Group

    The authentication model using RADIUS and LDAP For instructions on how to create a user, refer to www.microsoft.com or Microsoft documentation to create a user in your Active Directory. 3. Create a group name that uses the switch’s role name so that the Active Directory group’s name is the same as the switch’s role name.
  • Page 149 The authentication model using RADIUS and LDAP Adding an Admin Domain or Virtual Fabric list 1. From the Windows Start menu, select Programs> Administrative Tools> ADSI.msc ADSI is a Microsoft Windows Resource Utility. This will need to be installed to proceed with the rest of the setup.
  • Page 150: Authentication Servers On The Switch

    The authentication model using RADIUS and LDAP Authentication servers on the switch At least one RADIUS or LDAP server must be configured before you can enable RADIUS or LDAP service. You can configure the RADIUS or LDAP service even if it is disabled on the switch. You can configure up to five RADIUS or LDAP servers.
  • Page 151: Configuring Local Authentication As Backup

    The authentication model using RADIUS and LDAP Changing a RADIUS or LDAP server configuration 1. Connect to the switch and log in using an account with admin permissions. 2. Enter the aaaConfig change command. Changing the order in which RADIUS or LDAP servers are contacted for service 1.
  • Page 153: Configuring Protocols

    Chapter Configuring Protocols In this chapter • Security protocols ..........115 •...
  • Page 154: Secure Copy

    Secure Copy TABLE 18 Secure protocol support (Continued) Protocol Description Secure Shell (SSH) is a network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.
  • Page 155: Secure Shell Protocol

    Secure Shell protocol 3. Type y or yes at the cfgload attributes prompt. 4. Type y or yes at the Enforce secure configUpload/Download prompt.
    Example of setting up SCP for configUpload/download
    switch:admin> configure
    Not all options will be available on an enabled switch.
    To disable the switch, use the "switchDisable"...
  • Page 156 Secure Shell protocol DSA, the authentication protocols are based on a pair of specially generated cryptographic keys, called the private key and the public key. The advantage of using these key-based authentication systems is that in many cases, it is possible to establish secure connections without having to depend on passwords for security.
  • Page 157 Secure Shell protocol Configuring outgoing SSH authentication After the allowed-user is configured, the remaining setup steps must be completed by the allowed-user. To configure outgoing authentication, follow these steps: 1. Log in to the switch as the default admin. 2. Change the allowed-user’s permissions to admin, if applicable. switch:admin>...
  • Page 158: Secure Sockets Layer Protocol

    Secure Sockets Layer protocol Deleting private keys on the switch 1. Log in to the switch as the allowed-user. 2. Use the sshUtil delprivkey command to delete the private key. For more information on IP Filter policies, refer to Chapter 7, “Configuring Security Policies”.
  • Page 159: Certificate Authorities

    Secure Sockets Layer protocol Configuring for SSL involves these main steps, which are shown in detail in the next sections. 1. Choose a certificate authority (CA). 2. Generate the following items on each switch: a. A public and private key by using the secCertUtil genkey command. b.
  • Page 160 Secure Sockets Layer protocol 3. Respond to the prompts to continue and select the key size.
    Example of generating a key
    Continue (yes, y, no, n): [no] y
    Select key size [1024 or 2048]: 1024
    Generating new rsa public/private key pair
    Done.
  • Page 161: The Browser

    Secure Sockets Layer protocol Obtaining certificates Check the instructions on the CA website; then, perform this procedure for each switch. 1. Generate and store the CSR as described in “Generating and storing a CSR” on page 122. 2. Open a Web browser window on the management workstation and go to the CA website. Follow the instructions to request a certificate.
  • Page 162: Root Certificates For The Java Plug-In

    Secure Sockets Layer protocol Checking and installing root certificates on Internet Explorer 1. Select Tools > Internet Options. 2. Click the Content tab. 3. Click Certificates. 4. Click the Intermediate or Trusted Root tabs and scroll the list to see if the root certificate is listed.
  • Page 163: Simple Network Management Protocol

    Simple Network Management Protocol Example of installing a root certificate
    C:\Program Files\Java\j2re1.6.0\bin> keytool -import -alias RootCert -file RootCert.crt -keystore ..\lib\security\RootCerts
    Enter keystore password: changeit
    Owner: CN=Brocade, OU=Software, O=Brocade Communications, L=San Jose, ST=California, C=US
    Issuer: CN=Brocade, OU=Software, O=Brocade Communications, L=San Jose, ST=California, C=US
    Serial number: 0
    Valid from: Thu Jan 15 16:27:03 PST 2007 until: Sat Feb 14 16:27:03 PST 2007...
  • Page 164: Snmp And Virtual Fabrics

    Simple Network Management Protocol If you use both SW-MIB and FA-MIB, you may receive duplicate information. You can disable the FA-MIB, but not the SW-MIB. You can also use these additional MIBs and their associated traps: • FICON-MIB (for FICON environments) •...
  • Page 165: The Security Level

    Telnet protocol Attributes that are specific to each logical switch belong to the switch category. These attributes are available in the Virtual Fabrics context and not available in the Chassis context. Attributes that are common across the logical switches belong to the chassis level. These attributes are accessible to users having the chassis-role permission.
  • Page 166 Telnet protocol 5. Add a rule to the policy, by typing the ipFilter addrule command.
    switch:admin> ipfilter --addrule BlockTelnet -rule 1 -sip any -dp 23 -proto tcp -act deny
    ATTENTION The rule number assigned has to precede the default rule number for this protocol. For example, in the defined policy, the Telnet rule number is 2, therefore to effectively block Telnet, the rule number to assign must be 1.
  • Page 167: Unblocking Telnet

    Listener applications Unblocking Telnet 1. Connect to the switch through a serial port or SSH and log in as admin. 2. Type in the ipfilter delete command. Refer to “Deleting a rule to an IP Filter policy” on page 159 for more information on deleting IP filter rules.
  • Page 168: Port Configuration

    Ports and applications used by switches TABLE 23 Access defaults Access default Hosts Any host can access the fabric by SNMP. Any host can Telnet to any switch in the fabric. Any host can establish an HTTP connection to any switch in the fabric. Any host can establish an API connection to any switch in the fabric.
  • Page 169: Configuring Security Policies

    Chapter Configuring Security Policies In this chapter • ACL policies overview ......... . 131 •...
  • Page 170: Policy Members

    ACL policy management Policies with the same state are grouped together in a Policy Set. Each switch has the following two sets: • Active policy set, which contains ACL policies being enforced by the switch. • Defined policy set, which contains a copy of all ACL policies on the switch. When a policy is activated, the defined policy either replaces the policy with the same name in the active set or becomes a new active policy.
  • Page 171: Displaying Acl Policies

    ACL policy management Displaying ACL policies You can view the active and defined policy sets at any time. Additionally, in a defined policy set, policies created in the same login session also appear, but these policies are automatically deleted if you log out without saving them. 1.
  • Page 172: Adding A Member To An Existing Acl Policy

    ACL policy management Example of deleting an ACL policy
    switch:admin> secpolicydelete "DCC_POLICY_010"
    About to delete policy Finance_Policy.
    Are you sure (yes, y, no, n):[no] y
    Finance_Policy has been deleted.
    Adding a member to an existing ACL policy As soon as a policy has been activated, the aspect of the fabric managed by that policy is enforced. 1.
  • Page 173: Fcs Policies

    FCS policies Example of aborting unsaved changes
    switch:admin> secpolicyabort
    Unsaved data has been aborted.
    All changes since the last time the secPolicySave or secPolicyActivate commands were entered are aborted. FCS policies Fabric configuration server (FCS) policy in base Fabric OS may be performed on a local switch basis and may be performed on any switch in the fabric.
  • Page 174: Ensuring Fabric Domains Share Policies

    FCS policies Table 27 shows the commands for switch operations for Primary FCS enforcement. TABLE 27 FCS switch operations Allowed on FCS switches Allowed on all switches secPolicyAdd (Allowed on all switches for SCC and DCC secPolicyShow policies as long as it is not fabric-wide) secPolicyCreate (Allowed on all switches for SCC and fddCfg localaccept or fddCfg --localreject...
  • Page 175: Modifying The Order Of Fcs Switches

    FCS policies 3. To save or activate the new policy, enter either the secPolicySave or the secPolicyActivate command. Once the policy has been activated you can distribute the policy. NOTE FCS policy must be consistent across the fabric. If the policy is inconsistent in the fabric, then you will not be able to perform any fabric-wide configurations from the primary FCS.
  • Page 176: Dcc Policies

    DCC policies Only the Primary FCS switch is allowed to distribute the database. The FCS policy may need to be manually distributed across the fabric using the distribute -p command. Since this policy is distributed manually, the command fddCfg --fabwideset is used to distribute a fabric-wide consistency policy for FCS policy in an environment consisting of only Fabric OS v6.2.0 and later switches.
  • Page 177: Dcc Policy Restrictions

    DCC policies TABLE 29 DCC policy states Policy state Characteristics No policy Any device can connect to any switch port in the fabric. Policy with no entries Any device can connect to any switch port in the fabric. An empty policy is the same as no policy.
  • Page 178: Deleting A Dcc Policy

    DCC policies 1. Connect to the switch and log in using an account with admin permissions, or an account with OM permissions for the Security RBAC class of commands. 2. Enter the secPolicyCreate “DCC_POLICY_nnn” command. DCC_POLICY_nnn is the name of the DCC policy; nnn is a string consisting of up to 19 alphanumeric or underscore characters to differentiate it from any other DCC policies.
  • Page 179: Dcc Policy Behavior With Fabric-Assigned Pwwns

    DCC policies DCC policy behavior with Fabric-Assigned PWWNs A DCC policy check is always performed for the physical port WWN of a device when the HBA has established that the device is attempting a normal FLOGI and has both a fabric-assigned port WWN (FA-PWWN) and a physical port WWN.
  • Page 180: Scc Policies

    SCC Policies TABLE 31 DCC policy behavior when created manually with PWWN Configuration WWN seen on Behavior when DCC policy Behavior on portDisable and DCC policy list activates portEnable • FA-PWWN has logged into the PWWN Traffic will not be disrupted. Ports will come up without switch.
  • Page 181: Creating An Scc Policy

    Authentication policy for fabric elements Creating an SCC policy 1. Connect to the switch and log in using an account with admin permissions, or an account with OM permissions for the Security RBAC class of commands. 2. Enter the secPolicyCreate “SCC_POLICY” command. 3.
  • Page 182: E_Port Authentication

    Authentication policy for fabric elements FIGURE 13 DH-CHAP authentication (figure: Switch A and Switch B each have a key database on the switch holding a local secret and a peer secret) If you use DH-CHAP authentication, then a secret key pair must be installed only in connected fabric elements.
  • Page 183 Authentication policy for fabric elements Virtual Fabrics considerations: The switch authentication policy applies to all E_Ports in a logical switch. This includes ISLs and extended ISLs. Authentication of extended ISLs between two base switches is considered peer-chassis authentication. Authentication between two physical entities is required, so the extended ISL which connects the two chassis needs to be authenticated.
  • Page 184: Device Authentication Policy

    Authentication policy for fabric elements Re-authenticating E_Ports Use the authUtil authinit command to re-initiate the authentication on selected ports. It provides flexibility to initiate authentication for specified E_Ports, a set of E_Ports, or all E_Ports on the switch. This command does not work on loop, NPIV and FICON devices, or on ports configured for in-flight encryption.
  • Page 185: Auth Policy Restrictions

    Authentication policy for fabric elements Virtual Fabrics considerations: Because the device authentication policy has switch and logical switch-based parameters, each logical switch is set when Virtual Fabrics is enabled. Authentication is enforced based on each logical switch’s policy settings. Configuring device authentication 1.
  • Page 186: Authentication Protocols

    Authentication policy for fabric elements Authentication protocols Use the authUtil command to perform the following tasks: • Display the current authentication parameters. • Select the authentication protocol used between switches. • Select the DH (Diffie-Hellman) group for a switch. Run the authUtil command on the switch you want to view or change. Below are the different options to specify which DH group you want to use.
  • Page 187: Secret Key Pairs For Dh-Chap

    Authentication policy for fabric elements Secret key pairs for DH-CHAP When you configure the switches at both ends of a link to use DH-CHAP for authentication, you must also define a secret key pair—one for each end of the link. Use the secAuthSecret command to perform the following tasks: •...
  • Page 188: Fcap Configuration Overview

    Authentication policy for fabric elements Example of setting a secret key pair
    switchA:admin> secauthsecret --set
    This command is used to set up secret keys for the DH-CHAP authentication. The minimum length of a secret key is 8 characters and maximum 40 characters.
  • Page 189: Table 33 Fcap Certificate Files

    Authentication policy for fabric elements You can request a certificate from a CA through a Web browser. After you request a certificate, the CA either sends certificate files by e-mail (public) or gives access to them on a remote host (private).
  • Page 190 Authentication policy for fabric elements
    Enter Login Name: jdoe
    jdoe@10.1.2.3's password: <hidden text>
    Success: exported FCAP CA certificate
    Importing CA for FCAP Once you receive the files back from the Certificate Authority, you will need to install or import them onto the local and remote switches.
  • Page 191: Fabric-Wide Distribution Of The Auth Policy

    IP Filter policy Fabric-wide distribution of the Auth policy The AUTH policy can be manually distributed to the fabric by command; there is no support for automatic distribution. To distribute the AUTH policy, see “Distributing the local ACL policies” on page 162 for instructions. Local Switch configuration parameters are needed to control whether a switch accepts or rejects distributions of the AUTH policy using the distribute command and whether the switch may initiate distribution of the policy.
  • Page 192: Cloning An Ip Filter Policy

    IP Filter policy Cloning an IP Filter policy You can create an IP Filter policy as an exact copy of an existing policy. The policy created is stored in a temporary buffer and has the same type and rules as the existing defined or active policy. 1.
  • Page 193: Deleting An Ip Filter Policy

    IP Filter policy 1. Log in to the switch using an account with admin permissions, or an account associated with the chassis role and having OM permissions for the IPfilter RBAC class of commands. 2. Enter the ipFilter --activate command. Deleting an IP Filter policy You can delete a specified IP Filter policy.
  • Page 194: Table 34 Supported Services

    IP Filter policy For an IP Filter policy rule, you can only select port numbers in the well-known port number range, between 0 and 1023, inclusive. This means that you have the ability to control how to expose the management services hosted on a switch, but not the ability to affect the management traffic that is initiated from a switch.
  • Page 195: Table 35 Implicit Ip Filter Rules

    TABLE 34 Supported services (Continued)
    Service name (port numbers not present): shell, uucp, biff, syslog, route, timed, kerberos4, rpcd, securerpcd
    Protocol
    TCP and UDP protocols are valid protocol selections. Fabric OS v6.2.0 and later do not support configuration to filter other protocols. Implicitly, ICMP type 0 and type 8 packets are always allowed to support ICMP echo request and reply on commands like ping and traceroute.
  • Page 196: Ip Filter Policy Enforcement

    IP Filter policy Default policy rules A switch with Fabric OS v6.2.0 or later will have a default IP Filter policy for IPv4 and IPv6. The default IP Filter policy cannot be deleted or changed. When an alternative IP Filter policy is activated, the default IP Filter policy becomes deactivated.
  • Page 197: Adding A Rule To An Ip Filter Policy

    IP Filter policy Adding a rule to an IP Filter policy There can be a maximum of 256 rules created for an IP Filter policy. The change to the specified IP Filter policy is not saved to the persistent configuration until a save or activate subcommand is run. 1.
  • Page 198: Managing Filter Thresholds

    Policy database distribution Managing filter thresholds Fabric OS v7.0.0 allows you to configure filter thresholds using the fmMonitor command. 1. Connect to the switch and log in using an account with admin permissions, or an account with OM permissions for the FabricWatch RBAC class of commands. 2.
  • Page 199: Database Distribution Settings

    TABLE 37 Interaction between fabric-wide consistency policy and distribution settings
    Distribution setting | Fabric-wide consistency policy: Absent (default) | Tolerant | Strict
    Reject | Database is protected, it cannot be overwritten. May not match other databases in the fabric. | Invalid configuration. | Invalid configuration.
    Accept (default) | Database is not protected, | Database is not protected.
  • Page 200: Acl Policy Distribution To Other Switches

    Example shows the database distribution settings
    switch:admin> fddcfg --showall
    Local Switch Configuration for all Databases:-
    DATABASE Accept/Reject
    ---------------------------------
    accept accept accept accept AUTH accept IPFILTER accept
    Fabric Wide Consistency Policy:- ""
    Enabling local switch protection
    1. Connect to the switch and log in using an account with admin permissions, or an account with OM permissions for the FabricDistribution RBAC class of commands.
  • Page 201: Fabric-Wide Enforcement

    Policy database distribution Fabric-wide enforcement The fabric-wide consistency policy enforcement setting determines the distribution behavior when changes to a policy are activated. Using the tolerant or strict fabric-wide consistency policy ensures that changes to local ACL policy databases are automatically distributed to other switches in the fabric.
  • Page 202: Notes On Joining A Switch To The Fabric

    Setting the fabric-wide consistency policy
    1. Connect to the switch and log in using an account with admin permissions, or an account with OM permissions for the FabricDistribution RBAC class of commands.
    2. Enter the fddCfg --fabwideset command.
    Example shows how to set a strict SCC and tolerant DCC fabric-wide consistency policy.
  • Page 203: Table 40 Merging Fabrics With Matching Fabric-Wide Consistency Policies

    Use the fddCfg --fabwideset command on either this switch or the fabric to set a matching strict SCC, DCC, or FCS fabric-wide consistency policy. Use ACL policy commands to delete the conflicting ACL policy from one side to resolve ACL policy conflict. If neither the fabric nor the joining switch is configured with a fabric-wide consistency policy, there are no ACL merge checks required.
  • Page 204: Management Interface Security

    TABLE 41 Examples of strict fabric merges
    Fabric-wide consistency policy setting Expected behavior Fabric A Fabric B Strict/Tolerant SCC:S;DCC:S SCC;DCC:S Ports connecting switches are disabled. SCC;DCC:S SCC:S;DCC SCC:S;DCC SCC:S Strict/Absent SCC:S;DCC:S SCC:S DCC:S Strict/Strict SCC:S DCC:S
    Table 42 has a matrix of merging fabrics with tolerant and absent policies.
  • Page 205: Configuration Examples

    Management interface security • Automated Key Management—Automates the process, as well as manages the periodic exchange and generation of new keys. Using the ipsecConfig command, you must configure multiple security policies for traffic flows on the Ethernet management interfaces based on IPv4 or IPv6 addresses, a range of IPv4 or IPv6 addresses, the type of application, port numbers, and protocols used (UDP/TCP/ICMP).
  • Page 206: Ipsec Protocols

    Management interface security FIGURE 15 Gateway tunnel configuration Endpoint-to-gateway tunnel In this scenario, a protected endpoint (typically a portable computer) connects back to its corporate network through an IPsec-protected tunnel. It might use this tunnel only to access information on the corporate network, or it might tunnel all of its traffic back through the corporate network in order to take advantage of protection provided by a corporate firewall against Internet-based attacks.
  • Page 207: Security Associations

    IPsec protocols use a sliding window to assist in flow control. The IPsec protocols also use this sliding window to provide protection against replay attacks, in which an attacker attempts a denial of service attack by replaying an old sequence of packets. IPsec protocols assign a sequence number to each packet.
  • Page 208: Ipsec Policies

    Management interface security TABLE 43 Algorithms and associated authentication policies (Continued) Algorithm Encryption Level Policy Description 3des_cbc 168-bit Triple DES is a more secure variant of DES. It uses three different 56-bit keys to encrypt blocks of 64-bit plain text. The algorithm is FIPS-approved for use by Federal agencies.
  • Page 209: Key Management

    Management interface security Key management The IPsec key management supports Internet Key Exchange or Manual key/SA entry. The Internet Key Exchange (IKE) protocol handles key management automatically. SAs require keying material for authentication and encryption. The managing of keying material that SAs require is called key management.
  • Page 210: Creating The Tunnel

    Management interface security Creating the tunnel Each side of the tunnel must be configured in order for the tunnel to come up. Once you are logged into the switch, do not log off as each step requires that you are logged in to the switch. IPsec configuration changes take effect upon execution and are persistent across reboots.
  • Page 211 Management interface security 8. Create an IPsec transform on each switch using the ipSecConfig add command. Example of creating an IPsec transform This example creates an IPsec transform TRANSFORM01 to use the transport mode to protect traffic identified for IPsec protection and use IKE01 as key management policy. switch:admin>...
  • Page 212: Example Of An End-To-End Transport Tunnel Mode

    Example of an End-to-end transport tunnel mode
    This example illustrates securing traffic between two systems using AH protection with MD5 and configuring IKE with pre-shared keys. The two systems are a switch, BROCADE300 (IPv4 address 10.33.74.13), and an external host (10.33.69.132).
    NOTE
    A backslash ( \ ) is used to skip the return character so you can continue the command on the next line without the return character being interpreted by the shell.
  • Page 213 Management interface security
    9. Create traffic selectors to select the outbound and inbound traffic that needs to be protected.
    switch:admin> ipsecconfig --add policy ips selector \
    -t SELECTOR-OUT -d out -l 10.33.74.13 -r 10.33.69.132 \
    -transform TRANSFORM01
    switch:admin> ipsecconfig --add policy ips selector \
    -t SELECTOR-IN -d in -l 10.33.69.132 -r 10.33.74.13 \
    -transform TRANSFORM01
    10.
  • Page 215: Maintaining The Switch Configuration File

    Chapter Maintaining the Switch Configuration File In this chapter • Configuration settings ......... . 177 •...
  • Page 216: Configuration File Format

    Configuration settings If your user account has chassis account permissions, you can use any of the following options when uploading or downloading a configuration file: -fid To upload the specified FID configuration. -all To upload all of the system configuration, including the chassis section and all switch sections for all logical switches.
  • Page 217 Configuration settings [Active Security policies] [cryptoDev] [FICU SAVED FILES] [Banner] [End] [Switch Configuration End : 0] date = Tue Mar 1 21:28:52 2011 [Switch Configuration Begin : 1] SwitchName = switch_2 Fabric ID = 1 [Boot Parameters] [Configuration] [Bottleneck Configuration] [Zoning] [Defined Security policies] [Active Security policies]...
  • Page 218: Configuration File Backup

    Configuration file backup • LicensesLservc – Sentinel License configuration • GE blade mode – GigE Mode Configuration • FWD CHASSIS CFG – Fabric watch configuration • FRAME LOG – Frame log configuration (enable/disable) • DMM_TB – Data migration manager configuration •...
  • Page 219: Uploading A Configuration File In Interactive Mode

    Configuration file restoration Before you upload a configuration file, verify that you can reach the FTP server from the switch. Using a Telnet connection, save a backup copy of the configuration file from a logical switch to a host computer. Secure File Transfer Protocol is now an option when uploading a configuration file.
  • Page 220: Restrictions

    Configuration file restoration CAUTION Make sure that the configuration file you are downloading is compatible with your switch model. Downloading a configuration file from a different switch model or from a different firmware could cause your switch to fail. CAUTION If you have Virtual Fabrics enabled, you must follow the procedure in “Configuration management for Virtual Fabrics”...
  • Page 221: Table 44 Cli Commands To Display Or Modify Switch Configuration Information

    Configuration file restoration -all The number of switches or FIDs defined in the downloaded configuration file must match the number of switches or FIDs currently defined on the switch. The switches must be disabled first. If they are not, the configDownload command will download the configuration for as many switches as possible until a non-disabled switch is found.
  • Page 222: Configuration Download Without Disabling A Switch

    Configuration file restoration Configuration download without disabling a switch You can download configuration files to a switch while the switch is enabled; that is, you do not need to disable the switch for changes in SNMP, Fabric Watch, or ACL parameters. However, if there is any changed parameter that does not belong to SNMP, Fabric Watch, or ACL, then you must disable the switch.
  • Page 223: Configurations Across A Fabric

    Section (all|chassis|FID# [all]): all
    *** CAUTION ***
    This command is used to download a backed-up configuration for a specific switch. If using a file from a different switch, this file's configuration settings will override any current switch settings. Downloading a configuration file, which was uploaded from a different type of switch,...
  • Page 224: Downloading A Configuration File From One Switch To Another Same Model Switch

    Configuration management for Virtual Fabrics Do not download a configuration file from one switch to another switch that is a different model or runs a different firmware version, because it can cause the switch to fail. If you need to reset affected switches, issue the configDefault command after download is completed but before the switch is enabled.
  • Page 225: Restoring Logical Switch Configuration Using Configdownload

    Potentially remote file may get overwritten
    Section (all|chassis|FID# [all]):
    Password: <hidden>
    configUpload complete: All selected config parameters are uploaded
    Example of configUpload of a logical switch configuration
    DCX_80:FID128:admin> configupload -vf
    Protocol (scp, ftp, sftp, local) [ftp]:
    Server Name or IP Address [host]: 10.1.2.3
    User Name [user]: anonymous
    Path/Filename [<home dir>/config.txt]:...
  • Page 226: Restrictions

    Example of configDownload on a switch
    5100:FID128:admin> configdownload -vf
    Protocol (scp, ftp, sftp, local) [ftp]:
    Server Name or IP Address [host]: 10.1.2.3
    User Name [user]: UserFoo
    Path/Filename [<home dir>/config.txt]: 5100_FID89.txt
    *** CAUTION ***
    This command is used to download the VF configuration to the switch.
  • Page 227: Brocade Configuration Form

    Brocade configuration form Brocade configuration form Use the form in Table 45 as a hard copy reference for your configuration information. In the hardware reference manuals for the Brocade DCX and DCX-4S Backbones, there is a guide for FC port setting tables. The tables can be used to record configuration information for the various blades.
  • Page 229: In This Chapter

    Chapter Installing and Maintaining Firmware In this chapter • Firmware download process overview ......191 •...
  • Page 230: Upgrading And Downgrading Firmware

    Firmware download process overview You can download Fabric OS to a Backbone, which is a chassis; and to a nonchassis-based system, also referred to as a fixed-port switch. The difference in the download process is that Backbones have two CPs and fixed-port switches have one CP. Use the firmwareDownload command to download the firmware from either an FTP or SSH server by using either the FTP, SFTP, or SCP protocol to the switch.
  • Page 231: Considerations For Ficon Cup Environments

    Firmware download process overview In most cases, you will be upgrading firmware; that is, installing a newer firmware version than the one you are currently running. However, some circumstances may require installing an older version; that is, downgrading the firmware. The procedures in this section assume that you are upgrading firmware, but they work for downgrading as well, provided the old and new firmware versions are compatible.
  • Page 232: Preparing For A Firmware Download

    TABLE 46 Backbone HA sync states (Continued)
    Active CP Fabric OS version | Standby CP Fabric OS version | HA sync state | Remedy
    v6.3.0 | v6.3.0 | inSync |
    v6.3.0 | v6.4.0 | inSync |
    v6.4.0 | v6.3.0 | inSync | Run firmwareDownload -s on the standby CP and upgrade it to v6.4.0.
  • Page 233: Connected Switches

    Preparing for a firmware download Connected switches Before you upgrade the firmware on your switch, you need to check the connected switches to ensure compatibility and that any older versions are supported. Refer to the Fabric OS Compatibility section of the Brocade Fabric OS Release Notes, for the recommended firmware version. NOTE Go to http://www.brocade.com...
  • Page 234: Firmware Download On Switches

    Firmware download on switches Firmware download on switches Brocade fixed-port switches maintain primary and secondary partitions for firmware. The firmwareDownload command defaults to an autocommit option that automatically copies the firmware from one partition to the other. NOTE This section only applies when upgrading from Fabric OS v6.1.x to v6.2.0, or from different versions of v6.2.0, such as patch releases.
  • Page 235: Firmware Download On A Backbone

    Firmware download on a Backbone 2. Obtain the firmware file from the Brocade website at http://www.brocade.com and store the file on the FTP or SSH server or the USB memory device. 3. Unpack the compressed files preserving directory structures. The firmware is in the form of RPM packages with names defined in a .plist file. The .plist file contains specific firmware information and the names of packages of the firmware to be downloaded.
  • Page 236: Backbone Firmware Download Process Overview

    Firmware download on a Backbone the CPs are not in sync, you can run firmwareDownload -s on each of the CPs to upgrade them. These operations are disruptive. Or if the CPs are not in sync, run the haSyncStart command. If the problem persists, refer to the Fabric OS Troubleshooting and Diagnostics Guide.
  • Page 237 Firmware download on a Backbone Upgrading firmware on Backbones (including blades) There is only one chassis management IP address for the Brocade Backbones. NOTE By default, the firmwareDownload command automatically upgrades both the active and the standby CP and all co-CPs on the CP blades in the Brocade Backbones. It automatically upgrades all AP blades in the Brocade Backbones using auto-leveling.
  • Page 238 Firmware download on a Backbone If an AP blade is present: At the point of the failover an autoleveling process is activated. Autoleveling is triggered when the active CP detects a blade that contains a different version of the firmware, regardless of which version is older. Autoleveling downloads firmware to the AP blade, swaps partitions, reboots the blade, and copies the new firmware from the primary partition to the secondary partition.
  • Page 239: Firmware Download From A Usb Device

    Slot 7 (CP1, active): Firmware has been downloaded to the secondary partition of the switch.
    [5]: Mon Mar 22 04:37:24 2010
    Slot 7 (CP1, standby): The firmware commit operation has started. This may take up to 10 minutes.
    [6]: Mon Mar 22 04:41:59 2010
    Slot 7 (CP1, standby): The commit operation has completed successfully.
  • Page 240: Downloading From Usb Using The Relative Path

    Downloading from USB using the relative path
    1. Log in to the switch as admin.
    2. Enter the firmwareDownload -U command.
    ecp:admin>firmwaredownload -U v7.0.0
    Downloading from USB using the absolute path
    1. Log in to the switch as admin.
    2.
  • Page 241: The Firmwaredownload Command

    FIPS support NOTE If FIPS is enabled, all logins should be done through SSH or direct serial and the transfer protocol should be SCP. Updating the firmware key 1. Log in to the switch as admin. 2. Type the firmwareKeyUpdate command and respond to the prompts. The firmwareDownload command As mentioned previously, the public key file needs to be packaged, installed, and run on your switch before downloading a signed firmware.
  • Page 242: Power-On Firmware Checksum Test

    Test and restore firmware on switches Power-on firmware checksum test FIPS requires the checksums of the executables and libraries on the filesystem to be validated before Fabric OS modules are launched. This is to make sure these files have not been changed after they are installed.
  • Page 243 Test and restore firmware on switches
    User Name: userfoo
    File Name: /home/userfoo/v7.0.0
    Password: <hidden>
    Do Auto-Commit after Reboot [Y]: n
    Reboot system after download [N]: y
    Firmware is being downloaded to the switch. This step may take up to 30 minutes.
  • Page 244: Test And Restore Firmware On Backbones

    Test and restore firmware on Backbones Test and restore firmware on Backbones This procedure enables you to perform a firmware download on each CP and verify that the procedure was successful before committing to the new firmware. The old firmware is saved in the secondary partition of each CP until you enter the firmwareCommit command.
  • Page 245 Test and restore firmware on Backbones
    If an AP blade is present: At the point of the failover an autoleveling process is activated. See “Backbone firmware download process overview” on page 198 for details about autoleveling.
    8. Verify the failover.
    a. Connect to the Backbone on the active CP, which is the former standby CP.
    b.
  • Page 246: Validating A Firmware Download

    Validating a firmware download d. Enter the haShow command to confirm that the HA state is in sync. ATTENTION Stop! If you have completed step 11, then you have committed the firmware on both CPs and you have completed the firmware download procedure. 12.
  • Page 247 Validating a firmware download NOTE When you prepared for the firmware download earlier, you issued either the supportShow or supportSave command. Although you can issue the command again and compare the output from before and after, it may take up to 30 minutes for the command to execute. To save time, it is recommended that you use the commands listed below, which are all subsets of the supportSave output.
  • Page 249: In This Chapter

    Chapter Managing Virtual Fabrics In this chapter • Virtual Fabrics overview ........211 •...
  • Page 250: Logical Switch Overview

    Logical switch overview This chapter describes the logical switch and logical fabric features. For information about device sharing with Virtual Fabrics, refer to “FC-FC routing and Virtual Fabrics” on page 501. For information about supported switches and port types, refer to “Supported platforms for Virtual Fabrics”...
  • Page 251: Logical Switches And Fabric Ids

    Logical switch overview After you enable Virtual Fabrics, you can create up to seven additional logical switches, depending on the switch model. Figure 18 shows a Virtual Fabrics-enabled switch before and after it is divided into logical switches. Before you create logical switches, the chassis appears as a single switch (default logical switch). After you create logical switches, the chassis appears as multiple independent logical switches.
  • Page 252: Port Assignment In Logical Switches

    FIGURE 19 Fabric IDs assigned to logical switches (physical chassis with Logical switch 1, the default logical switch, FID = 128; Logical switch 2, FID = 1; Logical switch 3, FID = 15; Logical switch 4, FID = 8; Logical switch 5, FID = 20)
    Port assignment in logical switches
    Initially, all ports belong to the default logical switch.
  • Page 253: Logical Switches And Connected Devices

    Logical switch overview A given port is always in one (and only one) logical switch. The following scenarios refer to the chassis after port assignment in Figure • If you assign P2 to logical switch 2, you cannot assign P2 to any other logical switch. •...
  • Page 254: Logical Fabric Overview

    FIGURE 21 Logical switches connected to devices and non-Virtual Fabrics switch (physical chassis with Logical switch 1, the default logical switch, Fabric ID 128; Logical switch 2, Fabric ID 1; Logical switch 3, Fabric ID 15; Logical switch 4, Fabric ID 8; and a switch)
    Figure 22 shows a logical representation of the physical chassis and devices in Figure...
  • Page 255: Logical Fabric And Isls

    Logical fabric overview Logical fabric and ISLs Figure 23 shows two physical chassis divided into logical switches. In Figure 23, ISLs are used to connect the logical switches with FID 1 and the logical switches with FID 15. The logical switches with FID 8 are each connected to a non-Virtual Fabrics switch.
  • Page 256: Base Switch And Extended Isls

    Logical fabric overview Base switch and extended ISLs Another way to connect logical switches is to use extended ISLs and base switches. When you divide a chassis into logical switches, you can designate one of the switches to be a base switch.
  • Page 257: Figure 26 Logical Isls Connecting Logical Switches

    Think of the logical switches as being connected with logical ISLs, as shown in Figure 26. In this diagram, the logical ISLs are not connected to ports because they are not physical cables. They are a logical representation of the switch connections that are allowed by the XISL.
  • Page 258 Logical fabric overview By default, the physical ISL path is favored over the logical path (over the XISL) because the physical path has a lower cost. This behavior can be changed by configuring the cost of the dedicated physical ISL to match the cost of the logical ISL. ATTENTION If you disable a base switch, all of the logical ISLs are broken and the logical switches cannot communicate with each other unless they are connected by a physical ISL.
  • Page 259: Management Model For Logical Switches

    Management model for logical switches Management model for logical switches You can use one common IP address for the hardware that is shared by all of the logical switches in the chassis and you can set up individual IPv4 addresses for each Virtual Fabric. For a management host to manage a logical switch using the Internet Protocol over Fibre Channel (IPFC) IP address, it must be physically connected to the Virtual Fabric using a host bus adapter (HBA).
  • Page 260: Supported Platforms For Virtual Fabrics

    Supported platforms for Virtual Fabrics Supported platforms for Virtual Fabrics The following platforms are Virtual Fabrics-capable: • Brocade 5100 • Brocade 5300 • Brocade 6510 • Brocade VA-40FC, in Native mode only • Brocade DCX • Brocade DCX-4S • Brocade DCX 8510 family Some restrictions apply to the ports, depending on the port type and blade type.
  • Page 261: Virtual Fabrics Interaction With Other Fabric Os Features

    Supported platforms for Virtual Fabrics TABLE 47 Blade and port types supported on logical switches (Continued) Blade type Default logical switch User-defined logical switch Base switch FR4-18i: FC ports Yes (F, E) GE ports Yes (VE) Yes (VE) Yes (VE, VEX) ICL ports In the Brocade DCX and DCX 8510-8, ports 56–63 of the FC8-64 blade are not supported as E_Ports on the default logical switch.
  • Page 262: Limitations And Restrictions Of Virtual Fabrics

    Limitations and restrictions of Virtual Fabrics TABLE 48 Virtual Fabrics interaction with Fabric OS features (Continued) Fabric OS feature Virtual Fabrics interaction FC-FC Routing Service All EX_Ports must reside in a base switch. You cannot attach EX_Ports to a logical switch that has XISL use enabled. You must use ISLs to connect the logical switches in an edge fabric.
  • Page 263: Restrictions On Xisls

    Enabling Virtual Fabrics mode Restrictions on XISLs The Allow XISL Use option, available under the configure command, allows a logical switch to use XISLs in the base switch as well as any standard ISLs that are connected to that logical switch. To allow or disallow XISL use for a logical switch, see “Configuring a logical switch to use XISLs”...
  • Page 264: Disabling Virtual Fabrics Mode

    Disabling Virtual Fabrics mode 3. Delete all Admin Domains, as described in “Deleting all user-defined Admin Domains non-disruptively” on page 354. 4. Enter the following command to enable VF mode: fosconfig --enable vf 5. Enter y at the prompt. Example The following example checks whether VF mode is enabled or disabled and then enables it.
  • Page 265: Configuring Logical Switches To Use Basic Configuration Values

    Example
    The following example checks whether VF mode is enabled or disabled and then disables it.
    switchA:FID128:admin> fosconfig --show
    FC Routing service: disabled
    iSCSI service: Service not supported on this Platform
    iSNS client service: Service not supported on this Platform
    Virtual Fabric: enabled...
  • Page 266 Creating a logical switch or base switch NOTE Domain ID conflicts are detected before fabric ID conflicts. If you have both a domain ID conflict and a fabric ID conflict, only the domain ID conflict is reported. 1. Connect to the physical chassis and log in using an account with the chassis-role permission. 2.
  • Page 267: Executing A Command In A Different Logical Switch Context

    Executing a command in a different logical switch context Executing a command in a different logical switch context This procedure describes how to execute a command for a logical switch while you are in the context of a different logical switch. You can also execute a command for all the logical switches in a chassis.
  • Page 268: Deleting A Logical Switch

    "fabricshow" on FID 4:
    Switch ID Worldwide Name Enet IP Addr FC IP Addr Name
    -------------------------------------------------------------------------
    14: fffc0e 10:00:00:05:1e:82:3c:2b 10.32.79.105 0.0.0.0 >"switch_4"
    (output truncated)
    Deleting a logical switch
    You must remove all ports from the logical switch before deleting it. You cannot delete the default logical switch.
  • Page 269: Displaying Logical Switch Configuration

    Displaying logical switch configuration NOTE If you are deploying ICLs in the base switch, all ports associated with those ICLs must be assigned to the base switch. If you are deploying ICLs to connect to default switches (that is, XISL use is not allowed), the ICL ports should be assigned (or left) in the default logical switch.
  • Page 270: Changing The Fabric Id Of A Logical Switch

    Changing the fabric ID of a logical switch Changing the fabric ID of a logical switch The following procedure describes how you can change the fabric ID of an existing logical switch. The fabric ID indicates in which fabric the logical switch participates. By changing the fabric ID, you are moving the logical switch from one fabric to another.
  • Page 271 Changing a logical switch to a base switch
    5. Enable the switch.
    switchenable
    Example of changing the logical switch with FID 7 to a base switch
    sw0:FID128:admin> setcontext 7
    switch_25:FID7:admin> switchshow
    switchName: switch_25
    switchType: 66.1
    switchState: Online
    switchMode: Native
    switchRole: Principal
    switchDomain:
    switchId:...
  • Page 272: Setting Up Ip Addresses For A Virtual Fabric

    Setting up IP addresses for a Virtual Fabric Setting up IP addresses for a Virtual Fabric NOTE IPv6 is not supported when setting the IPFC interface for Virtual Fabrics. 1. Connect to the switch and log in using an account with admin permissions. 2.
  • Page 273: Changing The Context To A Different Logical Fabric

    Changing the context to a different logical fabric Changing the context to a different logical fabric You can change the context to a different logical fabric. Your user account must have permission to access the logical fabric. 1. Connect to the physical chassis and log in using an account with the chassis-role permission. 2.
  • Page 274 Creating a logical fabric using XISLs
    Create a base switch and assign it a fabric ID that will become the FID of the base fabric. See “Creating a logical switch or base switch” on page 227 for instructions on creating a base switch.
  • Page 275: Administering Advanced Zoning

    Chapter Administering Advanced Zoning In this chapter • Special zones..........237 •...
  • Page 276: Zoning Overview

    Zoning overview • QoS zones Assign high or low priority to designated traffic flows. QoS zones are regular zones with additional QoS attributes specified by adding a QOS prefix to the zone name. See “QoS: SID/DID traffic prioritization” on page 419 for more information. •...
  • Page 277: Approaches To Zoning

    FIGURE 29 Zoning example (Blue Zone, Red Zone and Green Zone containing Server 1, Server 2, Server 3, Storage 1, Storage 2, Storage 3 and RAID)
    Approaches to zoning
    Table 50 lists the various approaches you can take when implementing zoning in a fabric.
    TABLE 50 Approaches to fabric-based zoning
    Zoning approach...
  • Page 278: Zone Objects

    Zoning overview TABLE 50 Approaches to fabric-based zoning (Continued) Zoning approach Description Alternative approaches Application Zoning by application typically requires zoning multiple, perhaps incompatible, operating systems into the same zones. This method of zoning creates the possibility that a minor server in the application suite could disrupt a major server (such as a Web server disrupting a data warehouse server).
  • Page 279: Zone Aliases

    Zoning overview
    The types of zone objects used to define a zone can be mixed. For example, a zone defined with the zone objects 2,12; 2,14; 10:00:00:80:33:3f:aa:11 contains the devices connected to domain 2, ports 12 and 14, and a device with the WWN 10:00:00:80:33:3f:aa:11 (either node name or port name) that is connected on the fabric.
  • Page 280: Zoning Enforcement

    Zoning overview
    The different types of zone configurations are:
    • Defined Configuration: The complete set of all zone objects defined in the fabric.
    • Effective Configuration: A single zone configuration that is currently in effect. The effective configuration is built when you enable a specified zone configuration.
  • Page 281: Considerations For Zoning Architecture

    Zoning overview
    Identifying the enforced zone type
    1. Connect to the switch and log in using an account with admin permissions.
    2. Enter the portZoneShow command, using the following syntax:
       portzoneshow
    Considerations for zoning architecture
    Table 51 lists considerations for zoning architecture.
    TABLE 51 Considerations for zoning architecture
    Item...
  • Page 282: Best Practices For Zoning

    Broadcast zones
    Best practices for zoning
    The following are recommendations for using zoning:
    • Always zone using the highest Fabric OS-level switch. Switches with earlier Fabric OS versions do not have the capability to view all the functionality that a newer Fabric OS provides, as functionality is backwards compatible but not forwards compatible.
  • Page 283: Broadcast Zones And Fc-Fc Routing

    Broadcast zones
    Figure 30 illustrates how broadcast zones work with Admin Domains. Figure 30 shows a fabric with five devices and two Admin Domains, AD1 and AD2. Each Admin Domain has two devices and a broadcast zone.
    [Figure 30 labels: "3,1" "1,1" "4,1" "2,1"...]
  • Page 284: High Availability Considerations With Broadcast Zones

    Zone aliases
    High availability considerations with broadcast zones
    If a switch has broadcast zone-capable firmware on the active CP (Fabric OS v5.3.x or later) and broadcast zone-incapable firmware on the standby CP (Fabric OS version earlier than v5.3.0), then you cannot create a broadcast zone because the zoning behavior would not be the same across an HA failover.
  • Page 285: Creating An Alias

    Zone aliases
    Creating an alias
    1. Connect to the switch and log in using an account with admin permissions.
    2. Enter the aliCreate command, using the following syntax:
       alicreate "aliasname", "member[; member...]"
    3. Enter the cfgSave command to save the change to the defined configuration. The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile memory.
  • Page 286: Removing Members From An Alias

    Zone aliases
    Removing members from an alias
    1. Connect to the switch and log in using an account with admin permissions.
    2. Enter the aliRemove command, using the following syntax:
       aliremove "aliasname", "member[; member...]"
    3. Enter the cfgSave command to save the change to the defined configuration. The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile memory.
  • Page 287: Viewing An Alias In The Defined Configuration

    Zone creation and maintenance
    Viewing an alias in the defined configuration
    1. Connect to the switch and log in using an account with admin permissions.
    2. Enter the aliShow command, using the following syntax:
       alishow "pattern"[, mode]
    If no parameters are specified, the entire zone database (both the defined and effective configuration) is displayed.
  • Page 288: Adding Devices (Members) To A Zone

    Zone creation and maintenance
    Adding devices (members) to a zone
    1. Connect to the switch and log in using an account with admin permissions.
    2. Enter the zoneAdd command, using the following syntax:
       zoneadd "zonename", "member[; member...]"
    3. Enter the cfgSave command to save the change to the defined configuration. The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile memory.
  • Page 289: Deleting A Zone

    Zone creation and maintenance
    Deleting a zone
    1. Connect to the switch and log in using an account with admin permissions.
    2. Enter the zoneDelete command, using the following syntax:
       zonedelete "zonename"
    3. Enter the cfgSave command to save the change to the defined configuration. The cfgSave command ends and commits the current zoning transaction buffer to nonvolatile memory.
  • Page 290: Default Zoning Mode

    Default zoning mode
       1,0; loop1
       zone: White_zone
       1,3; 1,4
       alias: array1 21:00:00:20:37:0c:76:8c; 21:00:00:20:37:0c:71:02
       alias: array2 21:00:00:20:37:0c:76:22; 21:00:00:20:37:0c:76:28
       alias: loop1 21:00:00:20:37:0c:76:85; 21:00:00:20:37:0c:71:df
    3. Enter the zone validate command to list all zone members that are not part of the current zone enforcement table. Note that zone configuration names are case-sensitive; blank spaces are ignored.
  • Page 291: Setting The Default Zoning Mode

    Default zoning mode
    Typically, when you disable the zoning configuration in a large fabric with thousands of devices, the name server indicates to all hosts that they can communicate with each other. In fact, each host can receive an enormous list of PIDs, and ultimately cause other hosts to run out of memory or crash.
  • Page 292: Viewing The Current Default Zone Access Mode

    Zone database size
    Viewing the current default zone access mode
    1. Connect to the switch and log in using an account with admin permissions.
    2. Enter the defZone show command.
    NOTE: If you perform a firmware download of an older release, then the current default zone access state will appear as it did prior to the download.
  • Page 293: Creating A Zone Configuration

    Zone configurations
    You can use the cfgSize command to check both the maximum available size and the currently saved size on all switches. If you think you are approaching the maximum, you can save a partially completed zone configuration and use the cfgSize command to determine the remaining space. The cfgSize command reports the maximum available size on the current switch only.
  • Page 294: Removing Zones (Members) From A Zone Configuration

    Zone configurations
    Example
       switch:admin> cfgadd "newcfg", "bluezone"
       switch:admin> cfgsave
       You are about to save the Defined zoning configuration. This action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled. Until the Effective configuration is re-enabled, merging new switches into the fabric is not recommended and may cause unpredictable results with the potential of mismatched Effective Zoning...
  • Page 295: Disabling A Zone Configuration

    Zone configurations
    Example
       switch:admin> cfgenable "USA_cfg"
       You are about to enable a new zoning configuration. This action will replace the old zoning configuration with the current configuration selected. If the update includes changes to one or more traffic isolation zones, the update may result in localized disruption to traffic on ports associated with the traffic isolation zone changes.
  • Page 296: Clearing Changes To A Configuration

    Zone configurations
    Example
       switch:admin> cfgdelete "testcfg"
       switch:admin> cfgsave
       You are about to save the Defined zoning configuration. This action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled. Until the Effective configuration is re-enabled, merging new switches into the fabric is not recommended and may cause unpredictable results with the potential of mismatched Effective Zoning...
  • Page 297: Viewing Selected Zone Configuration Information

    Zone configurations
       21:00:00:20:37:0c:76:22 21:00:00:20:37:0c:76:28
       zone: Purple_zone
       21:00:00:20:37:0c:76:85 21:00:00:20:37:0c:71:df
    Viewing selected zone configuration information
    1. Connect to the switch and log in using an account with admin permissions.
    2. Enter the cfgShow command and specify a pattern.
       cfgshow "pattern"[, mode]
    Example
    The following example displays all zone configurations that start with “Test”:
       switch:admin>...
  • Page 298: Zone Object Maintenance

    Zone object maintenance
       and configurations in the Defined configuration. Run cfgSave to commit the transaction or cfgTransAbort to cancel the transaction.
       Do you really want to clear all configurations? (yes, y, no, n): [no]
    3. Enter one of the following commands, depending on whether an effective zone configuration exists:
    •...
  • Page 299: Deleting A Zone Object

    Zone object maintenance
    Deleting a zone object
    The following procedure removes all references to a zone object and then deletes the zone object. The zone object can be a zone member, a zone alias, or a zone.
    1. Connect to the switch and log in using an account with admin permissions.
    2.
  • Page 300: Renaming A Zone Object

    Zone configuration management
    Renaming a zone object
    1. Connect to the switch and log in using an account with admin permissions.
    2. Enter the cfgShow command to view the zone configuration objects you want to rename.
       switch:admin> cfgShow
       Defined configuration:
       cfg: USA_cfg Purple_zone;...
  • Page 301: Zone Merging

    Zone merging
    Brocade Advanced Zoning is configured on the primary fabric configuration server (FCS). The primary FCS switch makes zoning changes and other security-related changes. The primary FCS switch also distributes zoning to all other switches in the secure fabric. All existing interfaces can be used to administer zoning.
  • Page 302 Zone merging If you have implemented default zoning you must set the switch you are adding into the fabric to the same default zone mode setting as the rest of the fabric to avoid segmentation. • Merging rules Observe these rules when merging zones: Local and adjacent configurations: If the local and adjacent zone database configurations are the same, they will remain unchanged after the merge.
  • Page 303: Fabric Segmentation And Zoning

    Zone merging
    NOTE: If the zoneset members on two switches are not listed in the same order, the configuration is considered a mismatch, resulting in the switches being segmented from the fabric. For example: is different from even though members of the cfg1 = z1;...
  • Page 304 Zone merging TABLE 52 Zone merging scenarios: Defined and effective configurations (Continued) Description Switch A Switch B Expected results Switch A does not have a defined defined: none defined:cfg1 Switch A will absorb the configuration from the configuration. effective: none zone1: ali1;...
  • Page 305: Table 55 Zone Merging Scenarios: Ti Zones

    Zone merging
    TABLE 54 Zone merging scenarios: Different names (Continued)
    Description | Switch A | Switch B | Expected results
    Same content, different alias name. | defined: cfg1 / ali1: A; B / effective: irrelevant | defined:cfg1 / ali2: A; B / effective: irrelevant | Fabric segments due to: Zone Conflict content mismatch
    Same alias name, same content, | defined: cfg1...
  • Page 306: Table 57 Zone Merging Scenarios: Mixed Fabric Os Versions

    Zone merging TABLE 56 Zone merging scenarios: Default access mode (Continued) Description Switch A Switch B Expected results Effective zone configuration. No effective effective: cfg2 Clean merge — effective zone configuration configuration. and defzone mode from Switch B propagates defzone: allaccess or defzone = allaccess to fabric.
  • Page 307: In This Chapter

    Chapter Traffic Isolation Zoning
    In this chapter
    • Traffic Isolation Zoning overview (page 269)
    •...
  • Page 308: Ti Zone Failover

    Traffic Isolation Zoning overview
    Figure 31 shows a fabric with a TI zone consisting of the following:
    • N_Ports: “1,7”, “1,8”, “4,5”, and “4,6”
    • E_Ports: “1,1”, “3,9”, “3,12”, and “4,7”
    The dotted line indicates the dedicated path between the initiator in Domain 1 to the target in Domain 4.
  • Page 309: Table 58 Traffic Behavior When Failover Is Enabled Or Disabled In Ti Zones

    Traffic Isolation Zoning overview
    TABLE 58 Traffic behavior when failover is enabled or disabled in TI zones
    Failover enabled | Failover disabled
    If the dedicated path is not the shortest path or if the dedicated path is broken, the TI zone traffic will use a non-dedicated path instead. | If the dedicated path is not the shortest path or if the dedicated path is broken, traffic for that TI zone is...
  • Page 310: Fspf Routing Rules And Traffic Isolation

    Traffic Isolation Zoning overview
    • Ensure that there are multiple paths between switches. Disabling failover locks the specified route so that only TI zone traffic can use it. Non-TI zone traffic is excluded from using the dedicated path.
    • You should enable failover-enabled TI zones before enabling failover-disabled TI zones, to avoid dropped frames.
  • Page 311: Figure 33 Dedicated Path Is The Only Shortest Path

    Traffic Isolation Zoning overview
    If the dedicated ISL is not the lowest cost path ISL, then the following rules apply:
    • If failover is enabled, the traffic path for the TI zone is broken, and TI zone traffic uses the lowest cost path instead.
  • Page 312: Enhanced Ti Zones

    Enhanced TI zones
    [FIGURE 34 Dedicated path is not the shortest path. Labels: Domain 1, Domain 2, Domain 3, Domain 4. Legend: Dedicated Path; Ports in the TI zone]
    NOTE: For information about setting or displaying the FSPF cost of a path, see the linkCost and topologyShow commands in the Fabric OS Command Reference.
  • Page 313: Illegal Configurations With Enhanced Ti Zones

    Enhanced TI zones
    Illegal configurations with enhanced TI zones
    When you create TI zones, ensure that all traffic from a port to all destinations on a remote domain has the same path. Do not create separate paths from a local port to two or more ports on the same remote domain.
  • Page 314: Traffic Isolation Zoning Over Fc Routers

    Traffic Isolation Zoning over FC routers
    In this example traffic from the Target to Domain 2 is routed correctly. Only one TI zone describes a path to Domain 2. However, both TI zones describe different, valid paths from the Target to Domain 1.
  • Page 315: Ti Within An Edge Fabric

    Traffic Isolation Zoning over FC routers
    [FIGURE 38 Traffic Isolation Zoning over FCR. Labels: Edge fabric 1, Backbone fabric, Edge fabric 2. Legend: Dedicated path set up by TI zone in edge fabric 1; Dedicated path set up by TI zone in edge fabric 2; Dedicated path set up by TI zone in backbone fabric]
    In addition to setting up TI zones, you must also ensure that the devices are in an LSAN zone so...
  • Page 316: Ti Within A Backbone Fabric

    Traffic Isolation Zoning over FC routers
    In the TI zone, when you designate E_Ports between the front and xlate phantom switches, you must use -1 in place of the “I” in the D,I notation. Both the front and xlate domains must be included in the TI zone.
  • Page 317: Limitations Of Ti Zones Over Fc Routers

    General rules for TI zones
    Using D,I and port WWN notation, the members of the TI zone in Figure 40 are:
       (EX_Port for FC router 1)
       (VE_Port for FC router 1)
       (VE_Port for FC router 2)
       (EX_Port for FC router 2)
       10:00:00:00:00:01:00:00 (Port WWN for the host)
       10:00:00:00:00:02:00:00...
  • Page 318: Supported Configurations For Traffic Isolation Zoning

    Supported configurations for Traffic Isolation Zoning
    • Routing rules imposed by TI zones with failover disabled override regular zone definitions. Regular zone definitions should match TI zone definitions.
    • FSPF supports a maximum of 16 paths to a given domain. This includes paths in a TI zone.
    •...
  • Page 319: Additional Configuration Rules For Enhanced Ti Zones

    Limitations and restrictions of Traffic Isolation Zoning
    Additional configuration rules for enhanced TI zones
    Enhanced TI zones (ETIZ) have the following additional configuration rules:
    • Enhanced TI zones are supported only if every switch in the fabric is ETIZ capable. A switch is ETIZ capable if it meets the following qualifications: The switch must be one of the supported platforms, as listed in “Supported hardware and...
  • Page 320: Admin Domain Considerations For Traffic Isolation Zoning

    Admin Domain considerations for Traffic Isolation Zoning
    • TI zones that have members with port index greater than 511 are not supported with Fabric OS versions earlier than v6.4.0. If such a TI zone and Fabric OS version combination is detected, a warning is issued.
  • Page 321: Figure 42 Dedicated Path With Virtual Fabrics

    Virtual Fabric considerations for Traffic Isolation Zoning
    [Figure labels: Target; Host; Domain 8; Domain 9; LS3, FID1; LS1, FID1; Domain 7; Domain 3; Domain 5; Chassis 1; Chassis 2; LS4, FID3; LS2, FID3; Domain 4; Domain 6; Base switch; Base switch; Domain 1; Domain 2. Legend: Dedicated Path; Ports in the TI zones...]
  • Page 322: Traffic Isolation Zoning Over Fc Routers With Virtual Fabrics

    Traffic Isolation Zoning over FC routers with Virtual Fabrics Using D,I notation, the port numbers for the TI zones in the logical fabric and base fabric are as follows: Port members for the TI zone in logical fabric Port members for the TI zone in base fabric F_Port E_Port for ISL in logical switch E_Port...
  • Page 323: Creating A Ti Zone

    Creating a TI zone
    [FIGURE 46 Logical representation of TI zones over FC routers in logical fabrics. Labels: Edge fabric, Fabric 1; Edge fabric, Fabric 3; Backbone fabric]
    Creating a TI zone
    You create and modify TI zones using the zone command. Other zoning commands, such as zoneCreate, aliCreate, and cfgCreate, cannot be used to manage TI zones.
  • Page 324 Creating a TI zone Be aware of the ramifications if you create a TI zone with failover mode disabled. See “TI zone failover” on page 270 for information about disabling failover mode. 3. Perform the following steps if you have any TI zones with failover disabled. If all of your TI zones are failover-enabled, skip to step a.
  • Page 325: Creating A Ti Zone In A Base Fabric

    Creating a TI zone
    To create TI zones in a logical fabric, such as the one shown in Figure 43 on page 283:
    Log in to the logical switch FID1, Domain 7 and create a TI zone in the logical fabric with FID=1:
       LS1>...
  • Page 326: Modifying Ti Zones

    Modifying TI zones
    Example
    The following example creates TI zones in the base fabric shown in Figure 44 on page 283:
       BS_D1> zonecreate "z1", "1,1"
       BS_D1> cfgcreate "base_cfg", z1
       BS_D1> zone --create -t ti -o f "ti_zone2" -p "1,3; 1,10; 7,12; 7,14; 2,16; 2,8"...
  • Page 327: Changing The State Of A Ti Zone

    Changing the state of a TI zone
    Reset the failover option to failover disabled. Then continue with step
       zone --add -o n name
    4. Enter the cfgEnable command to reactivate your current effective configuration and enforce the TI zones.
       cfgenable "current_effective_configuration"
    Example of modifying a TI zone
    To add port members to the existing TI zone bluezone:
       switch:admin>...
  • Page 328: Deleting A Ti Zone

    Deleting a TI zone
    Example of setting the state of a TI zone
    To change the state of the existing TI zone bluezone to activated, type:
       switch:admin> zone --activate bluezone
    To change the state of the existing TI zone greenzone to deactivated, type:
       switch:admin>...
  • Page 329: Troubleshooting Ti Zone Routing Problems

    Troubleshooting TI zone routing problems
    1. Connect to the switch and log in using an account with admin permissions.
    2. Enter the zone show command.
       zone --show [ name ] [-ascending]
    To display information about the TI zone purplezone:
       switch:admin> zone --show purplezone
       Defined TI zone configuration:
       TI Zone Name: redzone:...
  • Page 330: Setting Up Ti Over Fcr (Sample Procedure)

    Setting up TI over FCR (sample procedure)
    Following is an example report that would be generated for the illegal configuration shown in Figure 36 on page 275.
       switch:admin> zone --showTIerrors
       My Domain: 3
       Error type: ERROR
       Affected Remote Domain: 1
       Affected Local Port:
       Affected TI Zones: etiz1, etiz2...
  • Page 331 Setting up TI over FCR (sample procedure) 1. In each edge fabric, set up an LSAN zone that includes Host 1, Target 1, and Target 2, so these devices can communicate with each other. See Chapter 24, “Using FC-FC Routing to Connect Fabrics,”...
  • Page 332 Setting up TI over FCR (sample procedure) 3. Log in to the edge fabric 2 and set up the TI zone. a. Enter the fabricShow command to display the switches in the fabric. From the output, you can determine the front and translate domains. E2switch:admin>...
  • Page 333 Setting up TI over FCR (sample procedure) b. Enter the following commands to reactivate your current effective configuration and enforce the TI zones. BB_DCX_1:admin> cfgactvshow Effective configuration: cfg: cfg_TI zone: lsan_t_i_TI_Zone1 10:00:00:00:00:00:02:00:00 10:00:00:00:00:00:03:00:00 10:00:00:00:00:00:08:00:00 BB_DCX_1:admin> cfgenable cfg_TI You are about to enable a new zoning configuration. This action will replace the old zoning configuration with the current configuration selected.
  • Page 334 Setting up TI over FCR (sample procedure) Fabric OS Administrator’s Guide 53-1002446-01...
  • Page 335: In This Chapter

    Chapter Bottleneck Detection
    In this chapter
    • Bottleneck detection overview (page 297)
    •...
  • Page 336: Types Of Bottlenecks

    Bottleneck detection overview
    You configure bottleneck detection on a per-switch basis, with optional per-port exclusions.
    NOTE: Bottleneck detection is disabled by default. Best practice is to enable bottleneck detection on all switches in the fabric, and leave it on to continuously gather statistics. Bottleneck detection does not require a license.
  • Page 337: Using Alerting Parameters To Determine Whether Alerts Are

    Bottleneck detection overview
    • How many affected seconds are needed to generate the alert.
    • How long to stay quiet after an alert.
    Changing alerting parameters affects RASlog alerting as well as SNMP traps.
    Using alerting parameters to determine whether alerts are generated
    You have the option of receiving per-port alerts based on the latency and congestion history of the port.
  • Page 338: Supported Configurations For Bottleneck Detection

    Supported configurations for bottleneck detection
    Note the following configuration rules for bottleneck detection:
    • Bottleneck detection is supported only on Fibre Channel ports and FCoE F_Ports.
    • Bottleneck detection is supported only on the following port types:
       E_Ports
       EX_Ports
       F_Ports...
  • Page 339: Trunking Considerations For Bottleneck Detection

    Advanced bottleneck detection settings
    Trunking considerations for bottleneck detection
    A trunk behaves like a single port. Both latency and congestion bottlenecks are reported on the master port only, but apply to the entire trunk. For masterless trunking, if the master port goes offline, the new master acquires all the configurations and bottleneck history of the old master and continues with bottleneck detection on the trunk.
  • Page 340: Enabling Bottleneck Detection On A Switch

    Enabling bottleneck detection on a switch
    The sub-second latency criterion parameters are always applicable. These parameters affect alerts and, even if alerting is not enabled, they affect the history of bottleneck statistics. The sub-second latency criterion parameters are the following, with default values in parentheses:
    •...
  • Page 341: Excluding A Port From Bottleneck Detection

    Excluding a port from bottleneck detection
    By default, alerts are not sent unless you specify the alert parameter; however, you can view a history of bottleneck conditions for the port as described in “Displaying bottleneck statistics” on page 307.
    3. Repeat step 1 and step 2 on every switch in the fabric.
  • Page 342: Displaying Bottleneck Detection Configuration Details

    Displaying bottleneck detection configuration details
    1. Connect to the switch and log in using an account with admin permissions.
    2. Enter the bottleneckmon status command to display the details of bottleneck detection configuration for the switch, which includes the following:
    •...
  • Page 343: Changing Bottleneck Parameters

    Changing bottleneck parameters
    When you enable bottleneck detection, you can configure switch-wide alerting and sub-second latency criterion parameters that apply to every port on the switch. After you enable bottleneck detection, you can change the alerting parameters on the entire switch or on individual ports. You can change the sub-second latency criterion parameters on individual ports only.
  • Page 344 Changing bottleneck parameters ==== Example The following example changes alerting parameters for the entire logical switch. switch:admin> bottleneckmon --config -alert -lthresh .97 -cthresh .8 -time 5000 switch:admin> bottleneckmon --status Bottleneck detection - Enabled ============================== Switch-wide sub-second latency bottleneck criterion: ==================================================== Time threshold - 0.800 Severity threshold...
  • Page 345: Displaying Bottleneck Statistics

    Displaying bottleneck statistics
       Alerts - Yes
       Latency threshold for alert - 0.100
       Congestion threshold for alert - 0.800
       Averaging time for alert - 300 seconds
       Quiet time for alert - 300 seconds
       Per-port overrides for sub-second latency bottleneck criterion:
       ===============================================================
       Port TimeThresh SevThresh...
  • Page 346: Disabling Bottleneck Detection On A Switch

    Disabling bottleneck detection on a switch
    When you disable bottleneck detection on a switch, all bottleneck configuration details are discarded, including the list of excluded ports and non-default values of alerting parameters.
    1. Connect to the switch and log in using an account with admin permissions.
    2.
  • Page 347: In-Flight Encryption And Compression

    Chapter In-flight Encryption and Compression
    In this chapter
    • In-flight encryption and compression overview (page 309)
    • Configuring encryption and compression (page 312)
    •...
  • Page 348: Encryption And Compression Restrictions

    In-flight encryption and compression overview
    [FIGURE 49 Encryption and compression on 16 Gbps ISLs. Label: Compression/Encryption]
    The encryption and compression features are designed to work only with E_Ports. Encryption and compression are also compatible with the following features:
    • E_Ports with trunking, QoS, or long distance features enabled.
    •...
  • Page 349: How Encryption And Compression Are Enabled

    In-flight encryption and compression overview
    How encryption and compression are enabled
    This feature provides encryption and decryption or compression and decompression between two E_Ports across an ISL. You can enable encryption or compression or both on an E_Port on a per port basis.
  • Page 350: Virtual Fabrics Considerations

    Configuring encryption and compression
    Virtual Fabrics considerations
    The E_Ports in the user-created logical switch, base switch, or default switch can support encryption and compression. You can configure encryption on XISL ports, but not on LISL ports. However, frames from the LISL ports are implicitly encrypted or compressed as they pass through encryption/compression enabled XISL ports.
  • Page 351: Viewing The Encryption And Compression Configuration

    Configuring encryption and compression
    These steps summarize how to enable encryption or compression on a port:
    1. Use the portEncCompShow command to determine which ports are available for encryption or compression.
    2. If you are enabling encryption on the port, configure port level authentication for the port using the secAuthSecret and authUtil commands.
  • Page 352: Configuring And Enabling Authentication

    Configuring encryption and compression
       -----------------------------------------------------
    Configuring and enabling authentication
    To configure authentication for ports that will later be configured for encryption, follow these steps:
    1. Log in to the switch using an account with admin permissions, or an account with OM permissions for the Authentication RBAC class of commands.
  • Page 353: Configuring Encryption

    Configuring encryption and compression
    3. Enter the authUtil command to set the switch policy mode to Active or On:
       authutil --policy -sw active
       authutil --policy -sw on
    4. Enable the DH-CHAP authentication protocol:
       authutil --set -a dhchap
       authutil --set -a all
    5.
  • Page 354: Configuring Compression

    Configuring encryption and compression
    Configuring compression
    NOTE: Before performing this procedure, it is recommended that you check for port availability using the portEncCompShow command. See “Viewing the encryption and compression configuration” on page 313 for details.
    To configure compression on a port, follow these steps:
    1.
  • Page 355: Disabling Compression

    Encryption and compression example
    Disabling compression
    To disable compression on a port, follow these steps:
    1. Connect to the switch and log in using an account with admin permissions, or an account with OM permissions for the SwitchPortConfiguration RBAC class of commands.
    2.
  • Page 356: Example Of Enabling Encryption And Compression On A Port

    Encryption and compression example
    Example of enabling encryption and compression on a port
    This example configures and enables encryption and compression on a given port. Authentication and secret key must also be configured as these are required before configuring encryption. The commands in this example are shown entered on the Brocade 6510 named myswitch.
  • Page 357 Encryption and compression example 2. Peer secret: The secret of the peer that authenticates to peer. 3. Local secret: The local secret that authenticates peer. Press enter to start setting up secrets >1 Enter peer WWN, Domain, or switch name (Leave blank when done): 10:00:00:05:1e:e5:cb:00 Enter peer secret: Re-enter peer secret:...
  • Page 358: Example Of Disabling Encryption And Compression

    Encryption and compression example
       Frame Shooter Port
       D-Port mode:
       Compression:
       Encryption:
       FEC:
       myswitch:root>
    Finally, you enable compression on the same port. The subsequent portCfgShow command shows both encryption and compression to be enabled on the port.
       myswitch:root> portdisable 0
       myswitch:root> portcfgcompress --enable 0
       Turning ON Compression on port(0) will cause the port to be disabled during next LOGIN
       myswitch:root>...
  • Page 359 Encryption and compression example Next, disable compression: myswitch:root> portdisable 0 myswitch:root> portcfgcompress --disable 0 myswitch:root> portenable 0 Now use the portCfgShow command to check the results: myswitch:root> portcfgshow 0 Area Number: Octet Speed Combo: 3(16G,10G) Speed Level: AUTO(SW) AL_PA Offset 13: Trunk Port Long Distance VC Link Init...
  • Page 360 Encryption and compression example Fabric OS Administrator’s Guide 53-1002446-01...
  • Page 361: Npiv

    Chapter NPIV
    In this chapter
    • NPIV overview (page 323)
    •...
  • Page 362: Upgrade Considerations

    NPIV overview
       Index Port Address Media Speed State Proto
       ==============================================
       010000 Online FC F-Port 20:0c:00:05:1e:05:de:e4 0xa06601
       010100 Online FC F-Port 1 N Port + 4 NPIV public
       010200 Online FC F-Port 1 N Port + 119 NPIV public
       010300 Online FC F-Port 1 N Port + 221 NPIV public
    On the Brocade DCX and DCX-4S with the FC8-64 blade, the base port is not included in the NPIV device count.
  • Page 363: Configuring Npiv

    Configuring NPIV
    TABLE 60 Number of supported NPIV devices (Continued)
    Platform | Virtual Fabrics | Logical switch type | NPIV support
    DCX-4S | Enabled | Logical switch | Yes, 255 virtual device limit.
    DCX-4S | Enabled | Base switch |
    Maximum limit support takes precedence if user-configured maximum limit is greater. This applies to shared areas on the FC4-48, FC8-48 and FC8-64 port blades.
  • Page 364: Enabling And Disabling Npiv

    Enabling and disabling NPIV VC Link Init Locked L_Port Locked G_Port Disabled E_Port Locked E_Port ISL R_RDY Mode RSCN Suppressed Persistent Disable LOS TOV enable NPIV capability QOS E_Port Port Auto Disable: Rate Limit EX Port Mirror Port Credit Recovery F_Port Buffers Fault Delay: 0(R_A_TOV)
  • Page 365: Viewing Npiv Port Configuration Information

    Viewing NPIV port configuration information 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the portCfgShow command to view the switch ports information. The following example shows whether a port is configured for NPIV: switch:admin>...
  • Page 366: Viewing Virtual Pid Login Information

    Viewing NPIV port configuration information portName: 02 portHealth: HEALTHY Authentication: None portDisableReason: None portCFlags: 0x1 portFlags: 0x24b03 PRESENT ACTIVE F_PORT G_PORT NPIV LOGICAL_ONLINE LOGIN NOELP LED ACCEPT portType: 10.0 portState: 1Online portPhys: 6In_Sync portScn: 32F_Port port generation number: portId: 630200 portIfId: 43020005 portWwn:...
  • Page 367: In This Chapter

    Chapter Dynamic Fabric Provisioning: Fabric-Assigned WWN In this chapter • Introduction to Dynamic Fabric Provisioning using FA-PWWN ..329 • User- and auto-assigned FA-PWWN behavior ..... . . 330 •...
  • Page 368: User- And Auto-Assigned Fa-Pwwn Behavior

    User- and auto-assigned FA-PWWN behavior NOTE For the server to use the FA-PWWN feature, it must be using a Brocade HBA or Adapter. Refer to the release notes for the HBA or Adapter versions that support this feature. Some configuration of the HBA must be performed to use the FA-PWWN. User- and auto-assigned FA-PWWN behavior An FA-PWWN can be either user-generated or automatically assigned by the fabric.
  • Page 369: Configuring An Fa-Pwwn For An Hba Connected To An Access Gateway

    Configuring FA-PWWNs This section includes an FA-PWWN configuration procedure for each of the following two topologies: • An FA-PWWN for an HBA device that is connected to an Access Gateway switch. • An FA-PWWN for an HBA device that is connected directly to an edge switch. These topologies are shown in Figure Access Gateway Switch...
  • Page 370: Configuring An Fa-Pwwn For An Hba Connected To An Edge Switch

    Configuring FA-PWWNs 10:00:00:05:1e:d7:3d:dc/9 20:09:00:05:1e:d7:2b:73 10:00:00:05:1e:d7:3d:dc/16 --:--:--:--:--:--:--:-- \ ------------------------------------------------------------ Virtual Port WWN Enable MapType ------------------------------------------------------------ 52:00:10:00:00:0f:50:30 AG/Auto 11:22:33:44:55:66:77:88 11403 AG/User 52:00:10:00:00:0f:50:32 2:00:10:00:00:0f:50:33 11404 AG/Auto 52:00:10:00:00:0f:50:38 AG/Auto 4. Enable the FA-PWWN on the HBA. The following steps are to be executed on the server and not the switch.
  • Page 371: Supported Switches And Configurations For Fa-Pwwn

    Supported switches and configurations for FA-PWWN 4. Enable the FA-PWWN on the HBA. The following steps are to be executed on the server and not the switch. a. Log in to the server as root. b. Enter the following command: bcu port -faa port_id --enable c. Enter the following command: bcu port -faa port_id --query...
  • Page 372: Firmware Upgrade And Downgrade Considerations For Fa-Pwwn

    Configuration upload and download considerations for FA-PWWN The configuration upload and download utilities can be used to import and export the FA-PWWN configuration. ATTENTION Brocade recommends you delete all FA-PWWNs from the switch with the configuration being replaced before you upload or download a modified configuration.
  • Page 373: Restrictions Of Fa-Pwwn

    Restrictions of FA-PWWN Note the following restrictions when using the FA-PWWN feature: • FA-PWWN is supported only on Brocade HBAs and Adapters. Refer to the release notes for the supported Brocade HBA or Adapter versions. • FA-PWWN is not supported for the following: FCoE devices FL_Ports Swapped ports (using the portswap command)
  • Page 375: Managing Administrative Domains

    Chapter Managing Administrative Domains In this chapter • Administrative Domains overview ....... . 337 •...
  • Page 376: Figure 51 Fabric With Two Admin Domains

    Administrative Domains overview NOTE Do not confuse an Admin Domain number with the domain ID of a switch. They are two different identifiers. The Admin Domain number identifies the Admin Domain and has a range from 0 through 255. The domain ID identifies a switch in the fabric and has a range from 1 through 239. Figure 51 shows a fabric with two Admin Domains: AD1 and AD2.
  • Page 377: Admin Domain Features

    Administrative Domains overview Admin Domain features Admin Domains allow you to do the following: • Define the scope of an Admin Domain to encompass ports and devices within a switch or a fabric. • Share resources across multiple Admin Domains. For example, you can share array ports and tape drives between multiple departments.
  • Page 378: User-Defined Admin Domains

    Administrative Domains overview Table 61 lists each Admin Domain user type and describes its administrative access and capabilities. TABLE 61 AD user types User type Description Physical fabric User account with admin permissions and with access to all Admin Domains (AD0 through administrator AD255).
  • Page 379 Administrative Domains overview For example, if DeviceA is not a member of any user-defined Admin Domain, then it is an implicit member of AD0. If you explicitly add DeviceA to AD0, then DeviceA is both an implicit and an explicit member of AD0. AD0 implicit members AD0 explicit members AD2 members...
  • Page 380: Home Admin Domains And Login

    Administrative Domains overview FIGURE 53 Fabric with AD0 and AD255 Home Admin Domains and login You are always logged in to an Admin Domain, and you can view and modify only the devices in that Admin Domain. If you have access to more than one Admin Domain, one of them is designated as your home Admin Domain, the one you are automatically logged in to.
  • Page 381: Admin Domain Member Types

    Administrative Domains overview Admin Domain member types You define an Admin Domain by identifying members of that domain. Admin Domain members can be devices, switch ports, or switches. Defining these member types is similar to defining a traditional zone member type. An Admin Domain does not require or have a new domain ID or management IP address linked to it.
  • Page 382: Admin Domains And Switch Wwns

    Administrative Domains overview Switch members Switch members are defined by the switch WWN or domain ID, and have the following properties: • A switch member grants administrative control to the switch. • A switch member grants port control for all ports in that switch. •...
  • Page 383: Figure 54 Fabric Showing Switch And Device Wwns

    Administrative Domains overview FIGURE 54 Fabric showing switch and device WWNs Figure 55 shows the filtered view of the fabric as seen from AD3 and AD4. The switch WWNs are converted to the NAA=5 syntax; the device WWNs and domain IDs remain the same. Fabric Visible to AD3 User WWN = 10:00:00:00:c2:37:2b:a3 WWN = 10:00:00:00:c7:2b:fd:a3...
  • Page 384: Admin Domain Compatibility, Availability, And Merging

    Admin Domain management for physical fabric administrators Admin Domain compatibility, availability, and merging Admin Domains maintain continuity of service for Fabric OS features and operate in mixed-release Fabric OS environments. High availability is supported with some backward compatibility. When an E_Port comes online, the adjacent switches merge their AD databases. The receiving switch accepts an AD database from the neighboring switch only if the local AD database is empty or if the new AD database exactly matches both the defined and effective configurations of the local AD database.
  • Page 385: Creating An Admin Domain

    Admin Domain management for physical fabric administrators 1. Log in to the switch with the appropriate RBAC role. 2. Ensure you are in the AD0 context by entering the ad show command to determine the current Admin Domain. If necessary, switch to the AD0 context by entering the ad select 0 command.
  • Page 386: User Assignments To Admin Domains

    Admin Domain management for physical fabric administrators 5. Enter the ad create command using the -d option to specify device and switch port members and the -s option to specify switch members: ad --create ad_id -d "dev_list" -s "switch_list" 6. Enter the appropriate command based on whether you want to save or activate the Admin Domain definition: •...
  • Page 387 Admin Domain management for physical fabric administrators Creating a new user account for managing Admin Domains 1. Connect to the switch and log in using an account with admin permissions. 2. Enter the userConfig add command using the -r option to set the role, the -a option to provide access to Admin Domains, and the -h option to specify the home Admin Domain.
  • Page 388: Removing An Admin Domain From A User Account

    Admin Domain management for physical fabric administrators Removing an Admin Domain from a user account When you remove an Admin Domain from an account, all of the currently active sessions for that account are logged out. 1. Connect to the switch and log in using an account with admin permissions. 2.
  • Page 389: Deactivating An Admin Domain

    Admin Domain management for physical fabric administrators Deactivating an Admin Domain If you deactivate an Admin Domain, the members assigned to the Admin Domain can no longer access their hosts or storage unless those members are part of another Admin Domain. You cannot log in to an Admin Domain that has been deactivated.
  • Page 390: Removing Members From An Admin Domain

    Admin Domain management for physical fabric administrators 4. Enter the appropriate command based on whether you want to save or activate the Admin Domain definition: • To save the Admin Domain definition, enter ad save. • To save the Admin Domain definition and directly apply the definition to the fabric, enter ad apply.
  • Page 391: Deleting An Admin Domain

    Admin Domain management for physical fabric administrators 3. Enter the ad rename command with the present name and the new name. ad --rename present_name new_name 4. Enter the appropriate command based on whether you want to save or activate the Admin Domain definition: •...
  • Page 392: Deleting All User-Defined Admin Domains

    Admin Domain management for physical fabric administrators Deleting all user-defined Admin Domains When you clear the Admin Domain configuration, all user-defined Admin Domains are deleted, the explicit membership list of AD0 is cleared, and all fabric resources (switches, ports, and devices) are returned to the implicit membership list of AD0.
  • Page 393 Admin Domain management for physical fabric administrators 3. Enter the zone copy command to copy the zones from all user-defined Admin Domains to AD0. zone --copy source_AD.source_name dest_name In this syntax, source_AD is the name of the user-defined AD from which you are copying the zone, source_name is the name of the zone to be copied, and dest_name is the name to give to the zone after it is copied to AD0.
  • Page 394: Figure 56 Ad0 And Two User-Defined Admin Domains, Ad1 And Ad2

    Admin Domain management for physical fabric administrators FIGURE 56 AD0 and two user-defined Admin Domains, AD1 and AD2 At the conclusion of the procedure, all devices and zones are moved to AD0, and the user-defined Admin Domains are deleted, as shown in Figure FIGURE 57 AD0 with three zones...
  • Page 395 Admin Domain management for physical fabric administrators 10:00:00:00:02:00:00:00; 10:00:00:00:03:00:00:00 Effective configuration: cfg: AD1_cfg zone: AD1_BlueZone 10:00:00:00:02:00:00:00 10:00:00:00:03:00:00:00 Zone CFG Info for AD_ID: 2 (AD Name: AD2, State: Active) : Defined configuration: cfg: AD2_cfg AD2_GreenZone zone: AD2_GreenZone 10:00:00:00:04:00:00:00; 10:00:00:00:05:00:00:00 Effective configuration: cfg: AD2_cfg zone:...
  • Page 396: Validating An Admin Domain Member List

    SAN management with Admin Domains Validating an Admin Domain member list You can validate the device and switch member list. You can list non-existing or offline Admin Domain members. You can also identify misconfigurations of the Admin Domain. The Admin Domain validation process is not applicable for AD0, because AD0 implicitly contains all unassigned online switches and their devices.
  • Page 397: Cli Commands In An Ad Context

    SAN management with Admin Domains CLI commands in an AD context The CLI command input arguments are validated against the AD member list; they do not work with input arguments that specify resources that are not members of the current Admin Domain. All commands present filtered output, showing only the members of the current Admin Domain.
  • Page 398: Switching To A Different Admin Domain Context

    SAN management with Admin Domains • AD0–AD254: The membership of the current Admin Domain is displayed. • AD0: The device and switch list members are categorized into implicit and explicit member lists. 1. Connect to the switch and log in as any user type. 2.
  • Page 399: Admin Domain Interactions With Other Fabric Os Features

    SAN management with Admin Domains Example of switching to a different Admin Domain context The following example switches to the AD12 context and back. Note that the prompt changes to display the Admin Domain. switch:admin> ad --select 12 switch:AD12:admin> logout switch:admin>...
  • Page 400: Admin Domains, Zones, And Zone Databases

    SAN management with Admin Domains TABLE 63 Admin Domain interaction with Fabric OS features (Continued) Fabric OS feature Admin Domain interaction FICON Admin Domains support FICON. However, you must perform additional steps because FICON management requires additional physical control of the ports. You must set up the switch as a physical member of the FICON AD.
  • Page 401: Admin Domains And Lsan Zones

    SAN management with Admin Domains The AD zone database also has the following characteristics: Each zone database has its own name space. For example, you can define a zone name of test_z1 in more than one Admin Domain. There is no zone database linked to the physical fabric (AD255) and no support for zone database updates.
  • Page 402: Configuration Upload And Download In An Ad Context

    SAN management with Admin Domains LSAN zone names in AD0 are never converted for backward-compatibility reasons. The auto-converted LSAN zone names might collide with LSAN zone names in AD0 (in the example, if AD0 contains lsan_for_linux_farm_AD005, this causes a name collision). Fabric OS does not detect or report such name clashes.
  • Page 403: Licensed Features

    Section Licensed Features This section describes optionally licensed Brocade Fabric OS features and includes the following chapters: • Chapter 18, “Administering Licensing” • Chapter 19, “Inter-chassis Links” • Chapter 20, “Monitoring Fabric Performance” • Chapter 21, “Optimizing Fabric Behavior” • Chapter 22, “Managing Trunking Connections”...
  • Page 405: In This Chapter

    Chapter Administering Licensing In this chapter • Licensing overview..........367 •...
  • Page 406: Table 65 Available Brocade Licenses

    Licensing overview Table 65 lists the optionally licensed features that are available in Fabric OS 7.0.1: TABLE 65 Available Brocade licenses License Description • 10 Gigabit FCIP/Fibre Channel Allows 10 Gbps operation of FC ports on the Brocade 6510 (10G license) switch or the FC ports of FC16-32 or FC16-48 port blades installed on a Brocade DCX 8510 Backbone.
  • Page 407 Licensing overview TABLE 65 Available Brocade licenses (Continued) License Description • Brocade Advanced Performance Enables performance monitoring of networked storage Monitoring resources. • Includes the Top Talkers feature. Brocade Extended Fabrics Provides greater than 10 km of switched fabric connectivity at full bandwidth over long distances (depending on the platform, this can be up to 3000 km).
  • Page 408 Licensing overview TABLE 65 Available Brocade licenses (Continued) License Description FCoE Included with the Brocade 8000 switch; enables Fibre Channel over Ethernet (FCoE) functions. FICON Management Server Enables host-control of switches in mainframe environments. (Also known as Control Unit Port or “CUP”) High Performance Extension over FCIP/FC Includes the IPsec capabilities.
  • Page 409 Licensing overview TABLE 66 License requirements and location name by feature Feature License Where license should be installed Adaptive Rate Limiting Advanced Extension Local switch. Administrative Domains No license required. Bottleneck Detection No license required. Configuration No license required. up/download NOTE: The configUpload and configDownload commands are provided automatically with Fabric OS on the switch.
  • Page 410 Licensing overview TABLE 66 License requirements and location name by feature (Continued) Feature License Where license should be installed Full fabric connectivity Full Fabric Local switch. May be required on attached switches. NOTE: Also called the Fabric license (visible in licenseShow output) and the E_Port Upgrade license.
  • Page 411: Table 66 License Requirements And Location Name By Feature

    Licensing overview TABLE 66 License requirements and location name by feature (Continued) Feature License Where license should be installed • Ports Ports on Demand licenses required, Local switch. applicable to a select set of switches only. • 7800 Upgrade license for the 7800 switches to use all ports.
  • Page 412: Brocade 7800 Upgrade License

    Brocade 7800 Upgrade license TABLE 66 License requirements and location name by feature (Continued) Feature License Where license should be installed Virtual Fabrics No license required. Web Tools No license required. Local and any switch you will be managing using Web Tools. Zoning No license required.
  • Page 413: Icl 2Nd Pod License

    ICL licensing On the Brocade DCX 8510-8, this license enables QSFP ports 0–7; QSFP ports 8–15 are disabled. (QSFP ports 0–7 correspond to core blade port numbers 0–31, and QSFP ports 8–15 correspond to core blade port numbers 32–63, as observed in switchShow output.) This license allows you to purchase half the bandwidth of the Brocade DCX 8510-8 ICL ports initially and upgrade with an additional ICL license to use the full ICL bandwidth later.
  • Page 414: 8G Licensing

    8G licensing ATTENTION This license is installed by default and you should not remove it. Port operation may become disrupted, and ports may be prevented from operating at 8 Gbps when the license is removed. The 8 Gbps license applies to the Brocade 300, 5100, 5300, and VA-40FC switches and the 8 Gbps embedded switches;...
  • Page 415: Upgrade And Downgrade Considerations

    10G licensing Once a license is assigned to a slot, whether it has been automatically assigned or manually assigned, the assignment will remain until you manually reassign the license to another slot. This design allows for various maintenance operations to occur without having the license move around to other slots.
  • Page 416: Enabling 10 Gbps Operation On An Fc Port

    10G licensing This 10G license is applied as a slot-based license on the FC16-32 and FC16-48 port blades and on the FX8-24 extension blade; generic rules for adding slot-based licenses apply, as described in “Slot-based licensing” on page 376. When this license is applied to the Brocade 6510 switch, it is applied to the whole chassis.
  • Page 417 10G licensing 1. Connect to the switch and log in using an account with admin permissions, or an account with OM permissions for the license and switchportconfiguration classes of RBAC commands. 2. Use the licenseAdd command to add the 10G license. 3.
  • Page 418: Enabling The 10-Gbe Ports On An Fx8-24 Blade

    10G licensing Enabling the 10-GbE ports on an FX8-24 blade To enable the 10-GbE ports on an FX8-24 blade, follow these steps. 1. Connect to the Brocade Backbone and log in using an account with admin permissions, or an account with OM permissions for the license class of RBAC commands. 2.
  • Page 419: Temporary Licenses

    Temporary licenses A temporary license applies a “try-before-you-buy” approach to certain features so that you can experience the feature and its capabilities prior to buying the license. Once you have installed the license, you are given a time limit to use the feature. A temporary license can be either a regular temporary license or a universal temporary license: •...
  • Page 420: Date Change Restriction

    Temporary licenses Date change restriction Once the temporary license is installed, you cannot change the time of the switch until the temporary license is removed. To change the time, you must remove the license, change the date, and then re-install the license on the switch. However, any other mechanism that changes the time, such as NTP, is not blocked.
  • Page 421: Extending A Universal Temporary License

    Viewing installed licenses Extending a universal temporary license Extending a universal temporary license is done by adding a temporary license with an expiry date after the universal temporary license expiry date, or by adding a permanent license. Re-applying an existing universal temporary license is not allowed. Universal temporary license shelf life All universal temporary licenses are encoded with a “shelf life”...
  • Page 422: Removing A Licensed Feature

    Removing a licensed feature For the Brocade Backbones, licenses are effective on both CP blades, but are valid only when the CP blade is inserted into a Backbone that has an appropriate license ID stored in the WWN card. If a CP is moved from one Backbone to another, the license works in the new Backbone only if the WWN card is the same in the new Backbone.
  • Page 423: Ports On Demand

    Ports on Demand 3. Remove the license key using the licenseRemove command. The license key is case-sensitive and must be entered exactly as given. The quotation marks are optional. After removing a license key, the licensed feature is disabled when the switch is rebooted or when a switch disable and enable is performed.
  • Page 424: Displaying Installed Licenses

    Ports on Demand Table 68 shows the ports that are enabled by default and the ports that can be enabled after you install the first and second Ports on Demand licenses for each switch type. TABLE 68 List of available ports when implementing PODs Platform Available user ports No POD license...
  • Page 425: Activating Ports On Demand

    Ports on Demand 1. Connect to the switch and log in using an account with admin permissions. 2. Enter the licenseshow command. switch:admin> licenseshow SdSSc9SyRSTuTTdz: First Ports on Demand license - additional 16 port upgrade license SdSSc9SyRSTeXTdn: Second Ports on Demand license - additional 16 port upgrade license SdSSc9SyRSTuXTd3: Full Ports on Demand license - additional 32 port upgrade license ATTENTION...
  • Page 426: Displaying The Port License Assignments

    Ports on Demand If the switch detects more active links than allowed by the current POD licenses, then some ports will not be assigned a POD license. Ports that do not receive a POD assignment have a state of No Sync or In Sync;...
  • Page 427: Disabling Dynamic Ports On Demand

    Ports on Demand 12 port assignments are provisioned by a full POD license 8 ports are assigned to installed licenses: 8 ports are assigned to the base switch license 0 ports are assigned to the full POD license Ports assigned to the base switch license: 1, 2, 5, 6, 8*, 21, 22, 23 Ports assigned to the full POD license: None...
  • Page 428: Releasing A Port From A Pod Set

    Ports on Demand 1. Connect to the switch and log in using an account with admin permissions. 2. Enter the licensePort show command to verify there are port reservations available. switch:admin> licenseport --show 24 ports are available in this switch Full POD license is installed Dynamic POD method is in use 24 port assignments are provisioned for use in this switch:...
  • Page 429 Ports on Demand 12 port assignments are provisioned by the base switch license 12 port assignments are provisioned by a full POD license 10 ports are assigned to installed licenses: 10 ports are assigned to the base switch license 0 ports are assigned to the full POD license Ports assigned to the base switch license: 1*, 2*, 3*, 4*, 5*, 6*, 8*, 21, 22, 23 Ports assigned to the full POD license:...
  • Page 431: Inter-Chassis Links

    Chapter Inter-chassis Links In this chapter • Inter-chassis links ..........393 •...
  • Page 432: Icls For The Brocade Dcx 8510 Backbone Family

    ICLs for the Brocade DCX 8510 Backbone family Refer to the hardware reference manuals for additional information about LED status and ICL connections, including instructions on how to cable ICLs. ICLs for the Brocade DCX 8510 Backbone family Each ICL connects the core blades of two Brocade DCX 8510 chassis and provides up to 64 Gbps of throughput within a single cable.
  • Page 433: Icl Trunking On The Brocade Dcx 8510-8 And Dcx 8510-4

    ICLs for the Brocade DCX Backbone family NOTE QSFP ICLs and ISLs in the same switch and connected to the same neighboring switch are not supported. This is a topology restriction with 16 Gbps ICLs and any ISLs that are E_Ports or VE_Ports. ICL trunking on the Brocade DCX 8510-8 and DCX 8510-4 ICL trunks automatically form on the ICLs if the ISL Trunking license is installed on each platform.
  • Page 434: Icl Trunking On The Brocade Dcx And Dcx-4S

    Virtual Fabrics considerations for ICLs FIGURE 59 DCX-4S allowed ICL connections The following ICL connections are not allowed: • ICL0 ports to ICL0 ports • ICL1 ports to ICL1 ports ICL trunking on the Brocade DCX and DCX-4S On the Brocade DCX and DCX-4S, trunks are automatically formed on the ICLs when you install the ISL Trunking license on each platform.
  • Page 435: Supported Topologies For Icl Connections

    Supported topologies for ICL connections You can connect the Brocade Backbones in a mesh topology and a core-edge topology. A brief description of each follows. The illustrations in this section show sample topologies. Refer to the Brocade SAN Scalability Guidelines for details about maximum topology configurations.
  • Page 436: Core-Edge Topology

    Supported topologies for ICL connections Core-edge topology You can also connect the Brocade DCX 8510 Backbones in a core-edge topology. For example, Figure 61 shows six chassis connected in a core-edge topology (four edges and two cores). Although Figure 61 shows only the Brocade DCX 8510-8, each chassis can be either a Brocade DCX 8510-4 or a DCX 8510-8.
  • Page 437: In This Chapter

    Chapter Monitoring Fabric Performance In this chapter • Advanced Performance Monitoring overview ..... . . 399 • End-to-end performance monitoring ......401 •...
  • Page 438: Restrictions For Installing Monitors

    Advanced Performance Monitoring overview Restrictions for installing monitors • Advanced Performance Monitoring is not supported on VE_Ports and EX_Ports. If you issue commands for any Advanced Performance Monitors on VE_Ports or EX_Ports you will receive error messages. • For the Brocade 8000, performance monitoring is supported only on the FC ports and not on the CEE ports.
  • Page 439: Monitoring

    End-to-end performance monitoring Access Gateway considerations for Advanced Performance Monitoring EE monitors and frame monitors are supported on switches in Access Gateway mode. Top Talker monitors are not supported on these switches. EE monitors must be installed on F_Ports. Frame monitors can be installed on F_Ports or N_Ports. See the Access Gateway Administrator’s Guide for additional information.
  • Page 440: Supported Port Configurations For Ee Monitors

    End-to-end performance monitoring Supported port configurations for EE monitors You can configure EE monitors on F_Ports and, depending on the switch model, on E_Ports. The following platforms support EE monitors on E_Ports: • Brocade 6505 • Brocade 6510 • Brocade DCX 8510 family Identical EE monitors cannot be added to the same port.
  • Page 441: Setting A Mask For An Ee Monitor

    End-to-end performance monitoring Example of monitoring the traffic from Dev B to Host A On Domain 2, add a monitor to the F_Port as follows: switch:admin> perfaddeemonitor 2/14 "0x021e00" "0x011200" This monitor (Monitor 4) counts the frames that have an SID of 0x021e00 and a DID of 0x011200. For Monitor 4, RX_COUNT is the number of words from Dev B to Host A, and TX_COUNT is the number of words from Host A to Dev B.
  • Page 442: Deleting Ee Monitors

    End-to-end performance monitoring Figure 63 shows the mask positions in the command. A mask (“ff”) is set on slot 1, port 2 to compare the AL_PA fields on the SID and DID in all frames (transmitted and received) on port 2. The frame SID and DID must match only the AL_PA portion of the specified SID-DID pair.
  • Page 443: Clearing Ee Monitor Counters

    End-to-end performance monitoring Example of displaying an end-to-end monitor on a port at 10-second intervals switch:admin> perfMonitorShow --class EE 4/5 10 Showing EE monitors 4/5 10: Tx/Rx are # of bytes --------- --------- --------- --------- --------- ========= ========= ========= ========= ========= 4.9m 4.9m...
  • Page 444: Frame Monitoring

    Frame monitoring Frame monitoring counts the number of times a frame with a particular pattern is transmitted by a port and generates alerts when thresholds are crossed. Frame monitoring is achieved by defining a filter, or frame type, for a particular purpose. The frame type can be a standard type (for example, a SCSI read command filter that counts the number of SCSI read commands that have been transmitted by the port) or a user-defined frame type customized for your particular use.
  • Page 445: Deleting Frame Types

    Frame monitoring You can specify up to four values to compare against each offset. If more than one offset is required to properly define a filter, the bytes found at each offset must match one of the given values for the filter to increment its counter. If one or more of the given offsets does not match any of the given values, the counter does not increment.
  • Page 446: Adding Frame Monitors To A Port

    Frame monitoring Adding frame monitors to a port If the switch does not have enough resources to add a frame monitor to a port, then other frame monitors on that port might have to be deleted to free resources. 1. Connect to the switch and log in using an account with admin permissions. 2.
  • Page 447: Displaying Frame Monitors

    Frame monitoring Displaying frame monitors 1. Connect to the switch and log in using an account with admin permissions. 2. Enter the fmmonitor show command. Example This example displays the existing frame types and associated bit patterns on the switch: switch:admin>...
  • Page 448: Top Talker Monitors

    Top Talker monitors Example This example clears the counters for the ABTS monitor from ports 7 through 10. switch:admin> fmmonitor --clear ABTS -port 7-10 Top Talker monitors Top Talker monitors determine the flows (SID/DID pairs) that are the major users of bandwidth (after initial stabilization).
  • Page 449: Top Talker Monitors And Fc-Fc Routing

    Top Talker monitors
    How do Top Talker monitors differ from EE monitors?
    EE monitors provide counter statistics for traffic flowing between a given SID-DID pair. Top Talker monitors identify all SID-DID flow combinations that are possible on a given port and provide a sorted output of the top talking flows.
  • Page 450: Limitations Of Top Talker Monitors

    Top Talker monitors
    [FIGURE 64 Fabric mode Top Talker monitors on FC router do not monitor any flows]
    [FIGURE 65 Fabric mode Top Talker monitors on FC router monitor flows over the E_Port]
    Limitations of Top Talker monitors
    Be aware of the following when using Top Talker monitors:
    •...
  • Page 451: Adding A Top Talker Monitor To A Port (Port Mode)

    Top Talker monitors
    Adding a Top Talker monitor to a port (port mode)
    1. Connect to the switch and log in using an account with admin permissions.
    2. Enter the perfTTmon add command.
       perfttmon --add [egress | ingress] [slotnumber/]port
    For example, to monitor the incoming traffic on port 7:
       perfttmon --add ingress 7
    To monitor the outgoing traffic on slot 2, port 4 on a Backbone:
       perfttmon --add egress 2/4...
  • Page 452: Displaying Top Talking Flows For A Given Domain Id (Fabric Mode)

    Top Talker monitors
    The output is sorted based on the data rate of each flow. If you do not specify the number of flows to display, then the command displays the top 8 flows or the total number of flows, whichever is less.
  • Page 453: Deleting All Fabric Mode Top Talker Monitors

    Trunk monitoring
    For example, to delete the monitor on port 7:
       perfttmon --delete 7
    To delete the monitor on slot 2, port 4 on a Backbone:
       perfttmon --delete 2/4
    Deleting all fabric mode Top Talker monitors
    1. Connect to the switch and log in using an account with admin permissions.
    2.
  • Page 454: Performance Data Collection

    Performance data collection
    When there are more than 512 monitors in the system, monitors are saved to flash memory in the following order:
    • The EE monitors for each port (from 0 to MAX_PORT)
    • The frame monitors for each port
    EE monitors get preference saving to flash memory when the total number of monitors in a switch exceeds 512.
  • Page 455: In This Chapter

    Chapter Optimizing Fabric Behavior
    In this chapter
    • Adaptive Networking overview, page 417
    •...
  • Page 456: Ingress Rate Limiting

    Ingress Rate Limiting
    • Ingress Rate Limiting
      Ingress rate limiting restricts the speed of traffic from a particular device to the switch port. Ingress rate limiting requires an Adaptive Networking license. See “Ingress Rate Limiting” on page 418 for more information about this feature.
    •...
  • Page 457: Limiting Traffic From A Particular Device

    QoS: SID/DID traffic prioritization
    Virtual Fabrics considerations: If Virtual Fabrics is enabled, the rate limit configuration on a port is on a per-logical switch basis. That is, if a port is configured to have a certain rate limit value, and the port is then moved to a different logical switch, it would have no rate limit applied to it in the new logical switch.
  • Page 458: License Requirements For Sid/Did Prioritization

    CS_CTL-based frame prioritization
    TABLE 72 Comparison between CS_CTL-based and QoS zone-based prioritization
    CS_CTL-based frame prioritization | QoS zone-based traffic prioritization
    Requires Adaptive Networking license. | Requires Adaptive Networking license.
    Must be manually enabled after you install the license. | Automatically enabled when you install the license.
    No zones are required.
  • Page 459: Prioritization

    Enabling CS_CTL-based frame prioritization
    Supported configurations for CS_CTL-based frame prioritization
    • CS_CTL-based frame prioritization is supported on all 8-Gbps and 16-Gbps platforms.
    • All switches in the fabric should be running Fabric OS v6.0.0 or later.
    NOTE
    If a switch is running a firmware version earlier than Fabric OS v6.0.0, the outgoing frames from that switch lose their priority.
  • Page 460: Networking License

    QoS zone-based traffic prioritization
    High, medium, and low priority flows are allocated to different virtual channels (VCs). High priority flows receive more VCs than medium priority flows, which receive more VCs than low priority flows. The virtual channels are allocated as shown in Table
    TABLE 74 Virtual channels assigned to QoS priority for zone-based prioritization...
  • Page 461

    QoS zone-based traffic prioritization
    3. Identify E_Ports on which QoS should be manually disabled. In the islshow output, these ports have all of the following characteristics:
       • 8 Gbps or 16 Gbps ports
       • Trunking is enabled
       • QoS is disabled
    4.
  • Page 462: Qos Zones

    QoS zones
    NPIV capability
    NPIV PP Limit 126 126 126 126 126 126 126 126 126 126 126 126 126 126 126 126
    QOS E_Port
    EX Port
    Mirror Port
    Rate Limit
    Credit Recovery
    Fport Buffers
    Port Auto Disable
    CSCTL mode
    where AE:QoSAutoEnable, AN:AutoNegotiate, ..:OFF, NA:NotApplicable, ??:INVALID,
    switch:admin>...
  • Page 463: Qos On E_Ports

    QoS zones
    For example, Figure 66 shows a fabric with two hosts (H1, H2) and three targets (S1, S2, S3). The traffic prioritization is as follows:
    • Traffic between H1 and S1 is high priority.
    • Traffic between H1 and S3 and between H2 and S3 is low priority.
    •...
  • Page 464: Qos Over Fc Routers

    QoS zones
    [FIGURE 67 QoS with E_Ports enabled. Labels: Domain 1, Domain 2, Domain 3, Domain 4. Legend: low priority, medium priority, high priority, E_Ports with QoS enabled.]
    You need to enable QoS on the E_Ports on both ISLs between Domain 3 and Domain 4 because either path might be selected to carry the traffic.
  • Page 465: Prioritization

    QoS zones
    • QoS over FC routers is supported for the following configurations:
      Edge-to-edge fabric configuration: supported on all platforms.
      Backbone-to-edge fabric configuration: supported on 16-Gbps-capable platforms only (Brocade 6510 and Brocade DCX 8510 family), and only if the setup contains no other platforms.
  • Page 466: Prioritization

    QoS zones
    High availability considerations for QoS zone-based traffic prioritization
    If the standby CP is running a Fabric OS version earlier than 6.3.0 and is synchronized with the active CP, then QoS zones using D,I notation cannot be created. If the standby CP is not synchronized or if no standby CP exists, then the QoS zone creation succeeds.
  • Page 467: Setting Qos Zone-Based Traffic Prioritization

    Setting QoS zone-based traffic prioritization
    • Traffic prioritization is not supported in McDATA Fabric Mode (interopmode 2) or Open Fabric Mode (interopmode 3).
    • You must be running Fabric OS v6.3.0 or later to create QoS zones using D,I notation.
    •...
  • Page 468

    Setting QoS zone-based traffic prioritization
    NOTE
    QoS is enabled by default on all ports (except long-distance ports). If you use the portCfgQos command to enable QoS on a specific port, the port is toggled to apply this configuration, even though the port already has QoS enabled. The port is toggled because the user configuration changed, even though the actual configuration of the port did not change.
  • Page 469: Setting Qos Zone-Based Traffic Prioritization Over Fc Routers

    Setting QoS zone-based traffic prioritization over FC routers
    1. Connect to the switch in the edge fabric and log in using an account with admin permissions.
    2. Create QoS zones in the edge fabric. The QoS zones must have WWN members only, and not D,I members.
  • Page 471: Managing Trunking Connections

    Chapter Managing Trunking Connections
    In this chapter
    • Trunking overview, page 433
    •...
  • Page 472: Types Of Trunking

    Trunking overview
    Types of trunking
    Trunking can be between two switches, between a switch and an Access Gateway module, or between a switch and a Brocade adapter. The types of trunking are as follows:
    • ISL trunking, or E_Port trunking, is configured on an inter-switch link (ISL) between two Fabric OS switches and is applicable only to E_Ports.
  • Page 473: License Requirements For Trunking

    Requirements for trunk groups
    License requirements for trunking
    All types of trunking require the Trunking license. This license must be installed on each switch that participates in trunking.
    ATTENTION
    After you add the Trunking license, to enable trunking functionality, you must disable and then re-enable each port to be used in trunking, or disable and re-enable the switch.
  • Page 474: Supported Configurations For Trunking

    Supported configurations for trunking
    • Trunking cannot be done if ports are in ISL R_RDY mode. (You can disable this mode using the portCfgIslMode command.)
    • Trunking is supported only on FC ports. Virtual FC ports (VE_ or VEX_Ports) do not support trunking.
  • Page 475: Recommendations For Trunking Groups

    Recommendations for trunking groups
    To identify the most useful trunking groups, consider the following recommendations along with the standard guidelines for SAN design:
    • Evaluate the traffic patterns within the fabric.
    • Place trunking-capable switches adjacent to each other. This maximizes the number of trunking groups that can form.
  • Page 476: Enabling Trunking On A Port Or Switch

    Enabling trunking on a port or switch
    To re-initialize the ports, you can either disable and then re-enable the switch, or disable and then re-enable the affected ports.
    1. Connect to the switch and log in using an account assigned to the admin role.
    2.
  • Page 477: Displaying Trunking Information

    Displaying trunking information
    You can use the trunkShow command to view the following information:
    • All the trunks and members of a trunk.
    • Whether the trunking port connection is the master port connection for the trunking group.
    •...
  • Page 478: Isl Trunking Over Long Distance Fabrics

    ISL trunking over long distance fabrics
    Tx: Bandwidth 16.00Gbps, Throughput 1.67Gbps (12.12%)
    Rx: Bandwidth 16.00Gbps, Throughput 1.66Gbps (12.11%)
    Tx+Rx: Bandwidth 32.00Gbps, Throughput 3.33Gbps (12.11%)
    ISL trunking over long distance fabrics
    In long-distance fabrics, if a port speed is set to autonegotiate, then the maximum speed, which is 16 Gbps, is assumed for reserving buffers for the port.
  • Page 479: Masterless Ex_Port Trunking

    EX_Port trunking The FC router front domain has a higher node WWN—derived from the FC router—than that of the edge fabric. Therefore, the FC router front domain initiates the trunking protocol on the EX_Port. After initiation, the first port from the trunk group that comes online is designated as the master port.
  • Page 480: Configuring Ex_Port Trunking

    F_Port trunking
    Backward compatibility support
    For backward compatibility, an FC router that supports EX_Port trunking can continue to interoperate with older FC routers and all previously supported Brocade switches in the backbone fabric or Brocade edge fabric.
    Configuring EX_Port trunking
    With EX_Port trunking, you use the same CLI commands as you do for E_Port trunking.
  • Page 481: F_Port Trunking For Access Gateway

    F_Port trunking
    F_Port trunking for Access Gateway
    You can configure trunking between the F_Ports on an edge switch and the N_Ports on an Access Gateway module.
    NOTE
    You cannot configure F_Port trunking on the F_Ports of an Access Gateway module.
    F_Port trunking keeps F_Ports from becoming disabled when they are mapped to an N_Port on a switch in Access Gateway mode.
  • Page 482: Requirements For F_Port Trunking On An Access Gateway

    F_Port trunking
    NOTE
    You do not need to manually map the host to the master port because Access Gateway will perform a cold failover to the master port.
    See “Configuring F_Port trunking for Access Gateway” on page 447 for instructions on configuring F_Port trunking.
  • Page 483

    F_Port trunking
    TABLE 76 F_Port masterless considerations (Continued)
    Category | Description
    configdownload | If you issue the configDownload command for a port configuration that is not compatible with F_Port trunking, and the port is Trunk Area-enabled, then the port will be persistently disabled.
  • Page 484: Trunk Area And Admin Domains

    F_Port trunking
    TABLE 76 F_Port masterless considerations (Continued)
    Category | Description
    Port Swap | When you assign a Trunk Area to a trunk group, the Trunk Area cannot be port swapped; if a port is swapped, then you cannot assign a Trunk Area to that port.
    Port Types | Only F_Port trunk ports are allowed on a Trunk Area port.
  • Page 485: F_Port Trunking In Virtual Fabrics

    Configuring F_Port trunking for Access Gateway
    F_Port trunking in Virtual Fabrics
    F_Port trunking functionality performs the same in Virtual Fabrics as it does in non-virtual fabric platforms except for the Brocade DCX and DCX 8510-8. Fabric OS uses a 10-bit addressing model, which is the default mode for all dynamically created logical switches in the DCX platform.
  • Page 486: Configuring F_Port Trunking For Brocade Adapters

    Configuring F_Port trunking for Brocade adapters
    3. Enter the portDisable command for each port to be included in the TA.
    4. Enter the portTrunkArea enable command to enable the trunk area.
       For example, the following command creates a TA for ports 36-39 with index number 37.
       switch:admin>...
  • Page 487: Disabling F_Port Trunking

    Disabling F_Port trunking
    Port Type State Master TI DI
    -------------------------------------
    F-port Master
    F-port Slave
    F-port Slave
    F-port Slave
    • Enter the porttrunkarea --show trunk command to display the trunking information.
      switch:admin> porttrunkarea --show trunk
      Trunk Index 39->0 8.000G bw: 16.000G deskew 15 MASTER
      Tx: Bandwidth 16.00Gbps, Throughput 1.63Gbps (11.84%)
      Rx: Bandwidth 16.00Gbps, Throughput 1.62Gbps (11.76%)
      Tx+Rx: Bandwidth 32.00Gbps, Throughput 3.24Gbps (11.80%)
  • Page 488

    Enabling the DCC policy on a trunk area
    3. Turn on the trunk ports. Trunk ports should be turned on after issuing the secPolicyActivate command to prevent the ports from becoming disabled in the case where there is a DCC security policy violation.
    You can configure authentication on all Brocade trunking configurations.
  • Page 489: Managing Long Distance Fabrics

    Chapter Managing Long Distance Fabrics
    In this chapter
    • Long distance fabrics overview, page 451
    •...
  • Page 490: Extended Fabrics Device Limitations

    Extended Fabrics device limitations
    Note the limitations regarding the following platforms:
    • Brocade 8000 FCoE switch
      Extended Fabrics is not supported on this platform.
    • FC8-64 port blade
      Brocade recommends that you do not use the FC8-64 port blade for long distance, due to limited buffers.
  • Page 491: Configuring An Extended Isl

    Configuring an extended ISL
    • Static Long-Distance Mode (LS) - LS calculates a static number of BB credits based only on a user-defined desired_distance value. LS mode also assumes that all FC payloads are 2112 bytes. Specify LS mode to configure a static long distance link with a fixed buffer allocation greater than 10 km.
  • Page 492: Enabling Long Distance When Connecting To Tdm Devices

    Configuring an extended ISL
    Example
    The following example configures slot 1, port 2 to support a 100 km link in LS mode and be initialized using the extended link initialization sequence. This example is for an 8 Gbps platform.
    switch:admin> portcfgfillword 1/2 3
    switch:admin>...
  • Page 493: Buffer Credit Management

    Buffer credit management
    3. Disable the credit recovery; credit recovery is not compatible with the IDLE mode. If you do not disable the credit recovery, it continues to perform a link reset.
       switch:admin> portcfgcreditrecovery --disable [slot/]port
    4. Configure the port to support long-distance links.
       switch:admin>...
  • Page 494: Optimal Buffer Credit Allocation

    Buffer credit management
    Upon arrival at a receiver, a frame goes through several steps. It is received, deserialized, decoded, and is stored in a receive buffer where it is processed by the receiving port. If another frame arrives while the receiver is processing the first frame, a second receive buffer is needed to hold this new frame.
  • Page 495: Fibre Channel Gigabit Values Reference Definition

    Buffer credit management
    Fibre Channel gigabit values reference definition
    Before you can calculate the buffer requirement, note the following Fibre Channel gigabit values reference definition:
    • 1.0625 for 1 Gbps
    • 2.125 for 2 Gbps
    • 4.25 for 4 Gbps
    •...
  • Page 496

    Buffer credit management
    payloads consistently being 2,112 bytes is not realistic in practice. To gain the proper number of BB credits using the LS mode, there must be enough BB credits available in the pool because Fabric OS will check before accepting a value.
    NOTE
    The portCfgLongDistance command’s desired_distance parameter is the upper limit of the link distance and is used to calculate buffer availability for other ports in the same port group.
  • Page 497: Allocating Buffer Credits Based On Average-Size Frames

    Buffer credit management
    Example
    Consider the Brocade 300, which has a single 24-port port group and a total of 676 buffer credits for that port group. The maximum remaining number of buffer credits for the port group, after each port reserves its eight buffer credits, is:
    676 –...
  • Page 498: Allocating Buffer Credits For F_Ports

    Buffer credit management
    4. Use the following formula to calculate the number of buffer-to-buffer credits to allocate:
       BB credits = roundup [desired_distance * (data_rate / 2.125)]
       Using the values for desired_distance and data_rate from step 1 and step 3, the value for BB credits is calculated as follows:
       BB credits = roundup [(207 * 8.5) / 2.125] = 828
    NOTE...
  • Page 499: Buffer Credits For Each Switch Model

    Buffer credit management
    Buffer credits for each switch model
    Table 79 shows the total ports in a switch or blade, number of user ports in a port group, and the unreserved buffer credits available per port group. The number in the Unreserved buffers column is the number with QoS enabled.
  • Page 500: Maximum Configurable Distances For Extended Fabrics

    Buffer credit management
    Maximum configurable distances for Extended Fabrics
    Table 80 shows the maximum supported extended distances (in kilometers) that can be configured for one port on a specific switch or blade at different speeds.
    TABLE 80 Configurable distances for Extended Fabrics
    Maximum distances (km) that can be configured assuming 2112 Byte Frame Size
    Switch/blade model | 2 Gbps...
  • Page 501: Buffer Credit Recovery

    Buffer credit recovery
    To get an estimated maximum equally distributed distance for n number of ports at a particular ("X") speed, divide the 1-port maximum distance of the switch at X speed by n. For example, for three ports running at 2 Gbps on a 300 switch, the maximum equally distributed distance is calculated as 486 / 3 = 164 km.
  • Page 503: Using Fc-Fc Routing To Connect Fabrics

    Chapter Using FC-FC Routing to Connect Fabrics
    In this chapter
    • FC-FC routing overview, page 465
    •...
  • Page 504: License Requirements For Fc-Fc Routing

    FC-FC routing overview
    For more information about M-EOS connectivity, refer to Appendix A, “Interoperation of Fabric OS and M-EOS Fabrics Using FC Router”.
    A Fibre Channel router (FC router) is a switch running the FC-FC routing service. The FC-FC routing service can be simultaneously used as an FC router and as a SAN extension over wide area networks (WANs) using FCIP.
  • Page 505: Supported Configurations For Fc-Fc Routing

    FC-FC routing overview
    • VEX_Ports are supported on the FR4-18i Router Blade, but EX_Ports are not supported. The FR4-18i blade is not supported in the same chassis as the FX8-24 blade.
    • The Backbones have a limit of 128 EX_Ports for each chassis.
    Refer to the Network OS Administrator’s Guide for supported Network OS platforms.
  • Page 506: Fibre Channel Routing Concepts

    Fibre Channel routing concepts
    Fibre Channel routing introduces the following concepts:
    • Fibre Channel router (FC router)
      A switch running the FC-FC routing service. Refer to “Supported platforms for FC-FC routing” on page 466 for a list of platforms that can be FC routers.
    •...
  • Page 507: Figure 73 A Metasan With Edge-To-Edge And Backbone Fabrics And Lsan Zones

    Fibre Channel routing concepts
    • Logical SANs (LSANs)
      An LSAN is defined by zones in two or more edge or backbone fabrics that contain the same devices. You can create LSANs that span fabrics. These LSANs enable Fibre Channel zones to cross physical SAN boundaries without merging the fabrics while maintaining the access controls of zones.
  • Page 508

    Fibre Channel routing concepts
    • Fabric ID (FID)
      Every EX_Port and VEX_Port uses the fabric ID (FID) to identify the fabric at the opposite end of the inter-fabric link. The FID for every edge fabric must be unique from the perspective of each backbone fabric.
  • Page 509: Proxy Devices

    Fibre Channel routing concepts
    [FIGURE 74 Edge SANs connected through a backbone fabric]
    • Phantom domains
      A phantom domain is a domain emulated by the Fibre Channel router. The FC router can emulate two types of phantom domains: front phantom domains and translate phantom domains.
  • Page 510: Fc-Fc Routing Topologies

    Fibre Channel routing concepts
    [FIGURE 75 MetaSAN with imported devices]
    FC-FC routing topologies
    The FC-FC routing service provides two types of routing:
    •...
  • Page 511: Phantom Domains

    Fibre Channel routing concepts
    Phantom domains
    A phantom domain is a domain created by the Fibre Channel router. The FC router creates two types of phantom domains: front phantom domains and translate phantom domains. A front phantom domain, or front domain, is a domain that is projected from the FC router to the edge fabric.
  • Page 512: Figure 77 Ex_Port Phantom Switch Topology

    Fibre Channel routing concepts
    [FIGURE 77 EX_Port phantom switch topology]
    All EX_Ports or VEX_Ports connected to an edge fabric use the same xlate domain ID for an imported edge fabric;...
  • Page 513: Setting Up Fc-Fc Routing

    Setting up FC-FC routing
    1. Connect to the FC router and log in using an account with admin permissions.
    2. Enter the fcrXlateConfig show command to identify any stale xlate domains.
    3. Enter the fcrXlateConfig del command to delete the stale xlate domains.
    Example
    sw0:root>...
  • Page 514

    Setting up FC-FC routing
    2. If you are configuring a Backbone, enter the slotShow command to verify that either the FR4-18i or FX8-24 blade is present or an 8-Gbps or 16-Gbps port blade is present.
       The following example shows slots 1, 2, 3, 9, 10, and 12 with 8-Gbps port blades enabled.
       switch:admin>...
  • Page 515: Backbone Fabric Ids

    Backbone fabric IDs
    FC-FC routing and fabric mode Top Talker monitors are not concurrently supported on 8-Gbps platforms. FC-FC routing and fabric mode Top Talker monitors are concurrently supported only on the Brocade 6510 and on the Brocade DCX Backbone family with only 16-Gbps-capable ports.
    Backbone fabric IDs
    If your configuration has only one backbone fabric, then you do not need to assign a backbone fabric ID because the backbone fabric ID in this situation defaults to a value of 128.
  • Page 516: Fcip Tunnel Configuration

    FCIP tunnel configuration
    FC Router service is disabled
    switch:admin> fcrconfigure
    FC Router parameter set. <cr> to skip a parameter
    Please make sure new Backbone Fabric ID does not conflict with any configured EX-Port's Fabric ID
    Backbone fabric ID: (1-128)[128]
    switch:admin> fosconfig --enable fcr
    FC Router service is enabled
    switch:admin>...
  • Page 517

    Inter-fabric link configuration
    2. Configure each port that connects to an edge fabric as an EX_Port or VEX_Port. Note the following:
       • portCfgVEXPort works only on VE_Ports.
       • portCfgEXPort (only on the FC ports on the FC router) commands work only on ports that are capable of FC-FC routing.
  • Page 518

    Inter-fabric link configuration
    4. (Optional) Set up ISL or EX_Port trunking. For information on trunking setup, refer to “Configuring EX_Port trunking” on page 442.
    5. Enter the portEnable command to enable the ports that you disabled in step
       switch:admin> portenable 7/10
    6.
  • Page 519

    Inter-fabric link configuration
    State: NOT OK
    Pid format: Not Applicable
    Operate mode: Brocade Native
    Edge Fabric ID:
    Preferred Domain ID:
    Front WWN: 50:06:06:9e:20:38:6e:1e
    Fabric Parameters: Auto Negotiate
    R_A_TOV: Not Applicable
    E_D_TOV: Not Applicable
    Authentication Type: None
    DH Group: N/A
    Hash Algorithm: N/A
    Edge fabric's primary wwn: N/A
    Edge fabric's version stamp: N/A
    switch:admin_06>...
  • Page 520: Fc Router Port Cost Configuration

    FC router port cost configuration
    Overrun:
    Lr_in:
    Suspended:
    Lr_out:
    Parity_err:
    Ols_in:
    2_parity_err:
    Ols_out:
    CMI_bus_err:
    Port part of other ADs: No
    10. Enter the switchShow command to verify the EX_Port (or VEX_Port), edge fabric ID, and name of the edge fabric switch (containing the E_Port or VE_Port) are correct.
    11.
  • Page 521: Port Cost Considerations

    FC router port cost configuration
    Every IFL has a default cost. The default router port cost values are:
    • 1000 for a legacy (v5.1 or XPath FCR) IFL
    • 1000 for an EX_Port IFL
    • 10,000 for a VEX_Port IFL
    The FC router port cost settings are 0, 1000, or 10,000.
  • Page 522: Ex_Port Frame Trunking Configuration

    EX_Port frame trunking configuration
    For details about the use of any of the following commands, refer to the Fabric OS Command Reference.
    1. Enter the portDisable command to disable any port on which you want to set the router port cost.
  • Page 523: Lsan Zone Configuration

    LSAN zone configuration
    After initiation, the first port from the trunk group that comes online is designated as the master port. The other ports that come online on the trunk group are considered the slave ports. Adding or removing a slave port does not cause frame drop; however, removing a slave port causes the loss of frames in transit.
  • Page 524: Lsan Zones And Fabric-To-Fabric Communications

    LSAN zone configuration
    Zones that contain hosts and targets that are shared between the two fabrics must be explicitly coordinated. To share devices between any two fabrics, you must create an LSAN zone in both fabrics containing the port WWNs of the devices to be shared. Although an LSAN is managed using the same tools as any other zone on the edge fabric, two behaviors distinguish an LSAN from a conventional zone:
    •...
  • Page 525

    LSAN zone configuration
    switch:admin> nsshow
    Type Pid PortName NodeName TTL(sec)
    060f00; 2,3; 10:00:00:00:c9:2b:c9:0c; 20:00:00:00:c9:2b:c9:0c; na
    FC4s: FCP
    NodeSymb: [35] "Emulex LP9002 FV3.91A3 DV5-5.20A6 "
    Fabric Port Name: 20:0f:00:05:1e:37:00:44
    Permanent Port Name: 10:00:00:00:c9:2b:c9:0c
    The Local Name Server has 1 entry }
    3.
  • Page 526

    LSAN zone configuration
    zone: lsan_zone_fabric2
    10:00:00:00:c9:2b:c9:0c; 50:05:07:61:00:5b:62:ed; 50:05:07:61:00:49:20:b4
    Effective configuration:
    no configuration in effect
    10. Enter the cfgAdd and cfgEnable commands to create and enable the LSAN configuration.
        switch:admin> cfgadd "zone_cfg", "lsan_zone_fabric2"
        switch:admin> cfgenable "zone_cfg"
        You are about to enable a new zoning configuration.
        This action will replace the old zoning configuration with the current configuration selected.
  • Page 527: Configuring Backbone Fabrics For Interconnectivity

    LSAN zone configuration
    Configuring backbone fabrics for interconnectivity
    If you want devices in backbone fabrics to communicate with devices in edge fabrics, set up the LSANs as described in the section “Controlling device communication with the LSAN” on page 486. However, instead of configuring the LSAN in the second edge fabric, configure the LSAN in the backbone fabric.
  • Page 528: Lsan Zone Policies Using Lsan Tagging

    LSAN zone configuration
    LSAN zone policies using LSAN tagging
    You can create tags for LSAN zones to give them a special meaning. LSAN zones are zones with names that start with the “lsan_” prefix. You can specify a tag to append to this prefix that causes the LSAN zone to be treated differently.
  • Page 529: Figure 78 Example Of Setting Up Speed Lsan Tag

    LSAN zone configuration
    For example, in Figure 78 on page 491, assume that the host, H1, needs fast access to target devices D1 and D2. You could set up the Speed tag as follows:
    1. In FC router 1 and FC router 2, configure the Speed tag as “super”.
    2.
  • Page 530

    LSAN zone configuration
    • The LSAN tags are configured per FC router, not per fabric. If the backbone fabric has multiple FC routers, it is recommended that you configure the LSAN tags on all of the FC routers.
    • The FC router must be disabled before you configure the Enforce tag. Configuring the Speed tag does not require that the FC router be disabled;...
  • Page 531: Lsan Zone Binding

    LSAN zone configuration
    Removing an LSAN tag
    Use the following procedure to remove an LSAN tag. This procedure does not remove the LSAN zone; it deactivates the tag so that LSAN zones with this tag in the name now behave as regular LSAN zones.
  • Page 532: Figure 79 Lsan Zone Binding

    LSAN zone configuration
    Without LSAN zone binding, every FC router in the backbone fabric maintains the entire LSAN zone and device state database. The size of this database limits the number of FC routers and devices you can have.
    With LSAN zone binding, each FC router in the backbone fabric stores only the LSAN zone entries of the remote edge fabrics that can access its local edge fabrics.
  • Page 533

    LSAN zone configuration
    TABLE 81 LSAN information stored in FC routers, with and without LSAN zone binding
    Without LSAN zone binding | With LSAN zone binding
    FC router 1, FC router 2, FC router 3, FC router 4 | FC router 1, FC router 2, FC router 3, FC router 4...
  • Page 534

    LSAN zone configuration
    FC router matrix definition
    Depending on the structure of the backbone fabric, you can specify pairs of FC routers that can access each other. For the metaSAN shown in Figure 79, the following FC routers can access each other:
    •...
  • Page 535

    LSAN zone configuration
    Setting up LSAN zone binding
    1. Log in to the FC router as admin.
    2. Enter the following command to add a pair of FC routers that can access each other:
       FCR:Admin> fcrlsanmatrix --add -fcr wwn1 wwn2
       The variables wwn1 and wwn2 are the WWNs of the FC routers.
  • Page 536: Proxy Pid Configuration

    Proxy PID configuration
    When an FC router is first configured, the PIDs for the proxy devices are automatically assigned. Proxy PIDs (as well as phantom domain IDs) persist across reboots.
    The most common situation in which you would set a proxy PID is when you replace a switch. If you replace the switch and want to continue using the old PID assignments, you can configure it to do so;...
  • Page 537: Inter-Fabric Broadcast Frames

    Inter-fabric broadcast frames
    The FC router can receive and forward broadcast frames between edge fabrics and between the backbone fabric and edge fabrics. Many target devices and HBAs cannot handle broadcast frames. In this case, you can set up broadcast zones to control which devices receive broadcast frames. (Refer to “Broadcast zones”...
  • Page 538: Resource Monitoring

    Resource monitoring It is possible to exhaust resources, such as proxy PIDs. Whenever a resource is exhausted, Fabric OS generates an error message. The messages are described in the Fabric OS Message Reference. You can monitor FC router resources using the fcrResourceShow command. The fcrResourceShow command shows FCR resource limits and usage and includes the following: •...
  • Page 539: Fc-Fc Routing And Virtual Fabrics

    FC-FC routing and Virtual Fabrics If Virtual Fabrics is not enabled, FC-FC routing behavior is unchanged. If Virtual Fabrics is enabled, then in the FC-FC routing context, a base switch is like a backbone switch and a base fabric is like a backbone fabric.
  • Page 540: Logical Switch Configuration For Fc Routing

    FC-FC routing and Virtual Fabrics • Backbone-to-edge routing is not supported in the base switch. Refer to “Backbone-to-edge routing with Virtual Fabrics” on page 503 for information about how to configure legacy FC routers to allow backbone-to-edge routing with Virtual Fabrics. •...
  • Page 541: Backbone-To-Edge Routing With Virtual Fabrics

    FC-FC routing and Virtual Fabrics [FIGURE 81 Logical representation of EX_Ports in a base switch] Backbone-to-edge routing with Virtual Fabrics: Backbone-to-edge routing is not supported in the base switch, unless you use a legacy FC router. A legacy FC router is an FC router configured on a Brocade 7500 switch or an FR4-18i blade.
  • Page 542: Upgrade And Downgrade Considerations For Fc-Fc Routing

    Upgrade and downgrade considerations for FC-FC routing [Figure: Physical chassis 1 and Physical chassis 2 with logical switches 1, 2, 5 and 6; labels include Default logical switch, Fabric ID 128, Fabric ID 1, Edge fabric FID 20, Allows XISL use...]
  • Page 543: Displaying The Range Of Output Ports Connected To Xlate Domains

    Displaying the range of output ports connected to xlate domains The edge fabric detects only one front domain from an FC router connected through multiple output ports. The output port of the front domain is not fixed to 0; the values can be in a range from 129 through 255.
  • Page 545: Interoperation Of Fabric Os And M-Eos Fabrics Using Fc Router

    Appendix Interoperation of Fabric OS and M-EOS Fabrics Using FC Router In this appendix • Interoperability overview •...
  • Page 546: Table 82 Fabric Os And M-Eosc Interoperability Compatibility Matrix

    Interoperability overview TABLE 82 Fabric OS and M-EOSc interoperability compatibility matrix. Columns (versions of M-EOSc): v6.2.0, v7.1.3x, v8.0, v9.2.0, v9.6.2, v9.7, v9.8, v9.9. Rows (Fabric OS): v5.1.0, v5.2.0, v5.3.0, v6.0.0, v6.1.0, v6.1.1, v6.1.1_enc, v6.2.0, v6.3.0, v6.4.0, v7.0.0 and later. Notes: Both Open and McDATA Fabric modes are supported. Fabric OS v5.1.0 and M-EOSc v4.1.1, v5.1.2, 6.2.0 interoperate using FC routing with SilkWorm AP7420 only.
  • Page 547: Features Of Connected Sans

    Establishing interoperability Features of Connected SANs Connected SANs provide additional features not possible with segregated SANs. Some of these features are listed below: • Island consolidation—Uses the Fabric OS v6.0 or later FC router to connect isolated M-EOS and Fabric OS fabrics to share devices. •...
  • Page 548: Fabric Configurations For Interconnectivity

    Fabric configurations for interconnectivity When configuring an EX_Port, you have the option to request a front domain with the portCfgEXPort -d command. If you request a front domain that is not within the valid range for M-EOSc, then the Fibre Channel router will internally request a valid M-EOSc domain ID. For M-EOSc switches, after the port is properly configured and connected, running switchShow on the FC router displays the M-EOSc switch that is connected.
  • Page 549: Configuring The Fc Router

    Fabric configurations for interconnectivity Configuring the FC router When configuring a fabric on which Fabric OS is installed to connect to a Native McDATA fabric, you must configure the FC router in advance. The following procedure shows how to connect an EX_Port of an FC router to a Native McDATA fabric configured in Fabric mode.
  • Page 550: Configuring Lsan Zones In The M-Eos Fabric

    Fabric configurations for interconnectivity 9. Capture a SAN profile of the M-EOS and Fabric OS SANs, identifying the number of devices in each SAN. By projecting the total number of devices and switches expected in each fabric when the LSANs are active, you can quickly determine the status of the SAN by issuing the commands nsAllShow and fabricShow on the Fabric OS fabric.
  • Page 551: Correcting Errors If Lsan Devices Appear In Only One Of The Fabrics

    Fabric configurations for interconnectivity Correcting errors if LSAN devices appear in only one of the fabrics If the LSAN devices appear in only one of the fabrics in a multiple-fabric SAN, use the following procedure to correct the problem. 1. Log in to each fabric and verify that all of the devices are physically logged in. 2.
  • Page 552 Fabric configurations for interconnectivity 3. Physically connect the configured FC router EX_Port to the M-EOS switch, and issue the switchShow command on the Brocade FC router. New domains should be visible for each IFL (front domain) that connects the Fabric OS switch to the FC router and one domain for the xlate domain.
  • Page 553 Fabric configurations for interconnectivity Permanent Port Name: 10:00:00:00:00:03:00:00 Port Index: na Share Area: No Device Shared in Other AD: No All of the devices from both LSANs should appear in the output. If the devices do not appear in the output, issue the cfgShow command to verify your zone configuration. Use the cfgActvShow command to display the zone configuration currently in effect.
  • Page 555: Port Indexing

    Appendix Port Indexing This appendix shows how to use the switchShow command to determine the mapping among the port index, slot/port numbers, and the 24-bit port ID (PID) on any Brocade Backbone. Enter the switchShow command without parameters to show the port index mapping for the entire platform. Enter the switchShow -slot command for port mapping information for the ports on the blade in a specific slot.
  • Page 556 Port Indexing ------ No_Module FC ------ No_Module FC ------ No_Module FC ------ No_Module FC ------ No_Module FC ------ No_Module FC ------ No_Module FC ------ No_Module FC ------ No_Module FC ------ Online FC E-Port 10:00:00:05:1e:39:e4:5a trunkmaster name (Trunk master) ------ Online FC E-Port 10:00:00:05:1e:39:e4:5a trunkmaster name (Trunk master) ------...
  • Page 557 Port Indexing Example of port indexing on an FC8-64 blade on a Brocade DCX-4S Backbone. The Brocade DCX-4S does not need a mapping of ports on port blades because it is a one-to-one mapping. The order is sequential starting at slot 1 port 0 all the way through slot 8 port 255 for the FC8-64 blade.
  • Page 558 Port Indexing Example of port indexing on an FS8-18 blade on a DCX 8510-8 Backbone This example shows the truncated switchShow output for an FS8-18 encryption blade on the Brocade DCX 8510-8 Backbone. The assignment of port index numbers to PIDs will vary depending on blade type, platform type, and slot number.
  • Page 559: Fips Support

    Appendix FIPS Support In this appendix • FIPS overview •...
  • Page 560: Power-On Self Tests

    Zeroization functions TABLE 85 Zeroization behavior (Continued). Keys: FCSP Challenge Handshake Authentication Protocol (CHAP) Secret. Zeroization CLI: secAuthSecret --remove value | --all. Description: The secAuthSecret --remove value command is used to remove the specified keys from the database. When the secAuthSecret command is used with the --remove --all option, then the entire key database is deleted.
  • Page 561: Fips Mode Configuration

    FIPS mode configuration The results of the POST and conditional tests are recorded in the system log or are output to the local console. This action includes logging both passing and failing results. Refer to the Fabric OS Troubleshooting and Diagnostics Guide for instructions on how to recover if your system cannot get out of the conditional test mode.
  • Page 562: Ldap In Fips Mode

    FIPS mode configuration LDAP in FIPS mode You can configure your Microsoft Active Directory server to use the Lightweight Directory Access Protocol (LDAP) while in FIPS mode. There is no option provided on the switch to configure TLS ciphers for LDAP in FIPS mode. However, the LDAP client checks if FIPS mode is set on the switch and uses the FIPS-compliant TLS ciphers for LDAP.
  • Page 563: Table 88 Active Directory Keys To Modify

    FIPS mode configuration Specify the DNS IP address using either IPv4 or IPv6. This address is needed for the switch to resolve the domain name to the IP address because LDAP initiates a TCP session to connect to your Microsoft Active Directory server. A Fully Qualified Domain Name (FQDN) is needed to validate the server identity as mentioned in the common name of the server certificate.
  • Page 564: Ldap Certificates For Fips Mode

    FIPS mode configuration LDAP certificates for FIPS mode To utilize the LDAP services for FIPS between the switch and the host, you must generate a certificate signing request (CSR) on the Active Directory server and import and export the CA certificates.
  • Page 565: Preparing The Switch For Fips

    Preparing the switch for FIPS Deleting an LDAP switch certificate This procedure deletes the LDAP CA certificate from the switch. 1. Connect to the switch and log in using an account with admin permissions, or an account with OM permissions for the PKI RBAC class of commands. 2.
  • Page 566: Enabling Fips Mode

    Preparing the switch for FIPS • Disable in-flight encryption. • Disable IPsec for Ethernet and IPsec for FCIP. • Disable in-band management. • Disable root access. • Enable the KATs and the conditional tests. • Enable FIPS. Enabling FIPS mode 1.
  • Page 567 Preparing the switch for FIPS ipfilter --addrule policyname -rule rule_number -sip source_IP -dp dest_port -proto protocol -act deny • The -sip option can be given as any. • The -dp values (port numbers) for Telnet, HTTP, and RPC are 23, 80, and 898, respectively.
  • Page 568: Zeroizing For Fips

    Preparing the switch for FIPS 11. Enter the portCfgEncrypt disable command to disable in-flight encryption. You must first disable the port. Example myswitch:root> portdisable 0 myswitch:root> portcfgencrypt --disable 0 myswitch:root> portenable 0 12. Enter the ipSecConfig disable command to disable Ethernet IPsec. 13.
  • Page 569: Hexadecimal Conversion

    Appendix Hexadecimal Conversion Hexadecimal overview Hexadecimal, also known as hex, is a numeral system with a base of 16, usually written using unique symbols 0–9 and A–F, or a–f. Its primary purpose is to represent the binary code that computers interpret in a format easier for humans to remember. It acts as a form of shorthand, in which one hexadecimal digit takes the place of four binary bits.
  • Page 570: Table 89 Decimal To Hexadecimal Conversion Table

    Hexadecimal overview TABLE 89 Decimal to hexadecimal conversion table

This manual is also suitable for:

Fabric os v7.0.1
