Brocade Communications Systems 53-1003126-02 User Manual

53-1003126-02 15 August 2014

Access Gateway

Administrator's Guide

Supporting Fabric OS v7.3.0

Brocade, the B-wing symbol, Brocade Assurance, ADX, AnyIO, DCX, Fabric OS, FastIron, HyperEdge, ICX, MLX, MyBrocade, NetIron, OpenScript, VCS, VDX, and Vyatta are registered trademarks, and The Effortless Network and the On-Demand Data Center are trademarks of Brocade Communications Systems, Inc., in the United States and in other countries. Other brands and product names mentioned may be trademarks of others.

Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government.

The authors and Brocade Communications Systems, Inc. assume no liability or responsibility to any person or entity with respect to the accuracy of this document or any loss, cost, liability, or damages arising from the information contained herein or the computer programs that accompany it.

The product described by this document may contain open source software covered by the GNU General Public License or other open source license agreements. To find out which open source software is included in Brocade products, view the licensing terms applicable to the open source software, and obtain a copy of the programming source code, please visit http://www.brocade.com/support/oscd.

Contents

Preface.....................................................................................................................................7

Document conventions......................................................................................7

Text formatting conventions.................................................................. 7

Command syntax conventions.............................................................. 7

Notes, cautions, and warnings.............................................................. 8

Brocade resources............................................................................................ 9

Contacting Brocade Technical Support.............................................................9

Document feedback........................................................................................ 10

About This Document.............................................................................................................. 11

Supported hardware and software.................................................................. 11

What’s new in this document.......................................................................... 11

Key terms for Access Gateway....................................................................... 12

Access Gateway Basic Concepts..............................................................................................15

Brocade Access Gateway overview ...............................................................15

Comparing Native Fabric and Access Gateway modes......................15

Fabric OS features in Access Gateway mode................................................ 17

Buffer credit recovery support............................................................. 20

Forward error correction support.........................................................20

Virtual Fabrics support........................................................................ 21

Device authentication support.............................................................21

AG mode without all POD licenses..................................................... 23

Password distribution support............................................................. 23

FDMI support...................................................................................... 24

Access Gateway port types.............................................................................24

Comparison of Access Gateway ports to standard switch ports ........ 24

Access Gateway hardware considerations..................................................... 26

Configuring Ports in Access Gateway Mode..............................................................................27

Managing Policies and Features in Access Gateway Mode....................................................... 51

Access Gateway Administrator's Guide 53-1003126-02

Enabling and disabling Access Gateway mode.............................................. 27

Port state description.......................................................................... 28

Access Gateway mapping...............................................................................29

Port mapping.......................................................................................29

F_Port Static Mapping.........................................................................36

Device mapping.................................................................................. 37

Considerations for Access Gateway mapping.................................... 44

N_Port configurations......................................................................................46

Displaying N_Port configurations........................................................ 47

Unlocking N_Ports ............................................................................. 47

Persisting port online state .................................................................47

D_Port support................................................................................................ 48

Limitations and considerations............................................................48

Saving port mappings ........................................................................ 49

Access Gateway policies overview............................................................... 51

Displaying current policies ............................................................... 51

Access Gateway policy enforcement matrix .................................... 51

Advanced Device Security policy .................................................................52

How the ADS policy works................................................................52

Enabling and disabling the ADS policy............................................. 52

Allow lists.......................................................................................... 53

ADS policy considerations................................................................ 55

Upgrade and downgrade considerations for the ADS policy............ 55

Automatic Port Configuration policy .............................................................55

How the APC policy works................................................................55

Enabling and disabling the APC policy............................................. 55

APC policy considerations................................................................ 56

Upgrade and downgrade considerations for the APC policy............ 56

Port Grouping policy......................................................................................56

How port groups work....................................................................... 57

Adding an N_Port to a port group..................................................... 58

Deleting an N_Port from a port group............................................... 58

Removing a port group .....................................................................58

Renaming a port group..................................................................... 59

Disabling the Port Grouping policy....................................................59

Port Grouping policy modes..............................................................59

Creating a port group and enabling Automatic Login Balancing

mode............................................................................................60

Enabling MFNM mode...................................................................... 61

Disabling MFNM mode......................................................................61

Displaying the current MFNM mode timeout value........................... 61

Setting the current MFNM mode timeout value.................................61

Port Grouping policy considerations................................................. 61

Upgrade and downgrade considerations for the Port Grouping

policy........................................................................................... 62

Device Load Balancing policy....................................................................... 62

Enabling the Device Load Balancing policy...................................... 62

Disabling the Device Load Balancing policy..................................... 63

Device Load Balancing policy considerations...................................63

Persistent ALPA policy..................................................................................63

Enabling the Persistent ALPA policy.................................................64

Disabling the Persistent ALPA policy................................................64

Persistent ALPA device data.............................................................64

Clearing ALPA values....................................................................... 65

Persistent ALPA policy considerations..............................................65

Failover policy............................................................................................... 65

Failover with port mapping................................................................66

Failover with device mapping ...........................................................69

Enabling and disabling the Failover policy on an N_Port..................70

Enabling and disabling the Failover policy for a port group.............. 71

Upgrade and downgrade considerations for the Failover policy....... 71

Failback policy...............................................................................................71

Failback policy configurations in Access Gateway............................72

Enabling and disabling the Failback policy on an N_Port ................ 73

Enabling and disabling the Failback policy for a port group..............74

Upgrade and downgrade considerations for the Failback policy...... 74

Failback policy disabled on unreliable links (N_Port monitoring)......74

Trunking in Access Gateway mode...............................................................75

How trunking works...........................................................................75

Configuring trunking on the Edge switch.......................................... 75

Configuration management for trunk areas...................................... 76

Enabling trunking ............................................................................. 77

Access Gateway Administrator's Guide

53-1003126-02

Disabling F_Port trunking....................................................................78

Monitoring trunking .............................................................................78

AG trunking considerations for the Edge switch................................. 78

Trunking considerations for Access Gateway mode........................... 81

Upgrade and downgrade considerations for trunking in Access

Gateway mode.............................................................................. 81

Adaptive Networking on Access Gateway...................................................... 82

QoS: Ingress rate limiting ...................................................................82

QoS: SID/DID traffic prioritization .......................................................82

Upgrade and downgrade considerations for Adaptive Networking

in AG mode....................................................................................83

Adaptive Networking on Access Gateway considerations.................. 83

Per-Port NPIV login limit................................................................................. 84

Setting the login limit........................................................................... 84

Duplicate PWWN handling during device login...............................................84

Performance Monitoring..................................................................................85

Flow Monitor........................................................................................85

Legacy performance monitoring features............................................86

Considerations for the Brocade 6505 and 6510..............................................88

SAN Configuration with Access Gateway..................................................................................89

Connectivity of multiple devices overview.......................................................89

Considerations for connecting multiple devices.................................. 89

Direct target attachment..................................................................................89

Considerations for direct target attachment........................................ 90

Target aggregation..........................................................................................91

Access Gateway cascading............................................................................ 92

Access Gateway cascading considerations........................................ 92

Fabric and Edge switch configuration............................................................. 93

Verifying the switch mode................................................................... 93

Enabling NPIV on M-EOS switches.................................................... 94

Connectivity to Cisco fabrics........................................................................... 94

Enabling NPIV on a Cisco switch........................................................94

Rejoining Fabric OS switches to a fabric........................................................ 95

Reverting to a previous configuration..................................................95

Troubleshooting......................................................................................................................97

Index...................................................................................................................................... 99

Access Gateway Administrator's Guide 53-1003126-02

6 Access Gateway Administrator's Guide

53-1003126-02

Preface

● Document conventions......................................................................................................7

● Brocade resources............................................................................................................ 9

● Contacting Brocade Technical Support.............................................................................9

● Document feedback........................................................................................................ 10

Document conventions

The document conventions describe text formatting conventions, command syntax conventions, and important notice formats used in Brocade technical documentation.

Text formatting conventions

Text formatting conventions such as boldface, italic, or Courier font may be used in the flow of the text to highlight specific words or phrases.

Format

bold text

italic text

Courier font

Description

Identifies command names

Identifies keywords and operands

Identifies the names of user-manipulated GUI elements

Identifies text to enter at the GUI

Identifies emphasis

Identifies variables and modifiers

Identifies paths and Internet addresses

Identifies document titles

Identifies CLI output

Identifies command syntax examples

Command syntax conventions

Bold and italic text identify command syntax components. Delimiters and operators define groupings of parameters and their logical relationships.

Convention

bold text Identifies command names, keywords, and command options.

italic text Identifies a variable.

Description

Access Gateway Administrator's Guide 7 53-1003126-02

Notes, cautions, and warnings

Convention Description

value In Fibre Channel products, a fixed value provided as input to a command

[ ] Syntax components displayed within square brackets are optional.

option is printed in plain text, for example, --show WWN.

Default responses to system prompts are enclosed in square brackets.

{ x | y | z } A choice of required parameters is enclosed in curly brackets separated by

x | y A vertical bar separates mutually exclusive elements.

< > Nonprinting characters, for example, passwords, are enclosed in angle

...

vertical bars. You must select one of the options.

In Fibre Channel products, square brackets may be used instead for this purpose.

brackets.

Repeat the previous element, for example, member[member...].

Indicates a “soft” line break in command examples. If a backslash separates two lines of a command input, enter the entire command at the prompt without the backslash.

Notes, cautions, and warnings

Notes, cautions, and warning statements may be used in this document. They are listed in the order of increasing severity of potential hazards.

NOTE

A Note provides a tip, guidance, or advice, emphasizes important information, or provides a reference to related information.

ATTENTION

An Attention statement indicates a stronger note, for example, to alert you when traffic might be interrupted or the device might reboot.

CAUTION

A Caution statement alerts you to situations that can be potentially hazardous to you or cause damage to hardware, firmware, software, or data.

DANGER

A Danger statement indicates conditions or situations that can be potentially lethal or extremely hazardous to you. Safety labels are also attached directly to products to warn of these conditions or situations.

8 Access Gateway Administrator's Guide

53-1003126-02

Brocade resources

Visit the Brocade website to locate related documentation for your product and additional Brocade resources.

You can download additional publications supporting your product at www.brocade.com. Select the Brocade Products tab to locate your product, then click the Brocade product name or image to open the individual product page. The user manuals are available in the resources module at the bottom of the page under the Documentation category.

To get up-to-the-minute information on Brocade products and resources, go to MyBrocade. You can register at no cost to obtain a user ID and password.

Release notes are available on MyBrocade under Product Downloads.

White papers, online demonstrations, and data sheets are available through the Brocade website.

Contacting Brocade Technical Support

Brocade resources

As a Brocade customer, you can contact Brocade Technical Support 24x7 online, by telephone, or by email. Brocade OEM customers contact their OEM/Solutions provider.

Brocade customers

For product support information and the latest information on contacting the Technical Assistance Center, go to http://www.brocade.com/services-support/index.html.

If you have purchased Brocade product support directly from Brocade, use one of the following methods to contact the Brocade Technical Assistance Center 24x7.

Online Telephone E-mail

Preferred method of contact for nonurgent issues:

• My Cases through MyBrocade

• Software downloads and licensing tools

• Knowledge Base

Required for Sev 1-Critical and Sev 2-High issues:

• Continental US: 1-800-752-8061

• Europe, Middle East, Africa, and Asia Pacific: +800-AT FIBREE (+800 28 34 27 33)

• For areas unable to access toll free number: +1-408-333-6061

• Toll-free numbers are available in many countries.

support@brocade.com

Please include:

• Problem summary

• Serial number

• Installation details

• Environment description

Brocade OEM customers

If you have purchased Brocade product support from a Brocade OEM/Solution Provider, contact your OEM/Solution Provider for all of your product support needs.

• OEM/Solution Providers are trained and certified by Brocade to support Brocade® products.

• Brocade provides backline support for issues that cannot be resolved by the OEM/Solution Provider.

Access Gateway Administrator's Guide 9 53-1003126-02

Document feedback

• Brocade Supplemental Support augments your existing OEM support contract, providing direct access to Brocade expertise. For more information, contact Brocade or your OEM.

• For questions regarding service levels and response times, contact your OEM/Solution Provider.

Document feedback

To send feedback and report errors in the documentation you can use the feedback form posted with the document or you can e-mail the documentation team.

Quality is our first concern at Brocade and we have made every effort to ensure the accuracy and completeness of this document. However, if you find an error or an omission, or you think that a topic needs further development, we want to hear from you. You can provide feedback in two ways:

• Through the online feedback form in the HTML documents posted on www.brocade.com.

• By sending your feedback to documentation@brocade.com.

Provide the publication title, part number, and as much detail as possible, including the topic heading and page number if applicable, as well as your suggestions for improvement.

10 Access Gateway Administrator's Guide

53-1003126-02

About This Document

● Supported hardware and software.................................................................................. 11

● What’s new in this document.......................................................................................... 11

● Key terms for Access Gateway....................................................................................... 12

Supported hardware and software

In those instances in which procedures or parts of procedures documented here apply to some switches but not to others, this guide identifies which switches are supported and which are not.

Although many different software and hardware configurations are tested and supported by Brocade Communications Systems, Inc., for Fabric OS, documenting all possible configurations and scenarios is beyond the scope of this document.

All Fabric OS switches must be running Fabric OS v7.0.0 or later; all M-EOS switches must be running M-EOSc 9.1 or later, M-EOSn must be running 9.6.2 or later, and Cisco switches with NX OS must be running 5.x or later.

Fabric OS version 7.3.0 supports the following Brocade hardware platforms for Access Gateway:

• Brocade 300

• Brocade 5100

• Brocade M5424

• Brocade 5430

• Brocade 5431

• Brocade 5450

• Brocade 5460

• Brocade 5470

• Brocade 5480

• Brocade 6505

• Brocade M6505

• Brocade 6510

• Brocade 6547

• Brocade VA-40FC

What’s new in this document

The following information has been added since this document was last released:

• AG mode is supported without all POD licenses.

• Password distribution is supported.

• Dynamic D_Port is supported.

• FDMI is supported.

Access Gateway Administrator's Guide 53-1003126-02

Key terms for Access Gateway

Changes made for Fabric OS 7.3.0a

The following content is new or significantly revised from 53-1003126-01 for this release of this document:

• Updated Key terms for Access Gateway on page 12.

Key terms for Access Gateway

For definitions of SAN-specific terms, visit the Storage Networking Industry Association online dictionary at:

http://www.snia.org/education/dictionary

For definitions specific to Brocade and Fibre Channel, refer to the Brocade Glossary .

The following terms are used in this manual to describe Access Gateway mode and its components.

Access Gateway (AG) Advanced Device Security (ADS) policy Device Any host or target device with a distinct WWN. Devices may be physical or

Fabric OS mode for switches that reduces storage area network (SAN) deployment complexity by leveraging N_Port ID Virtualization (NPIV).

Advanced Device Security (ADS) is a security policy that restricts access to the fabric at the AG level to a set of authorized devices.

virtual.

D_Port A port configured as a diagnostic port on an AG switch, connected fabric

E_Port An interswitch link (ISL) port. A switch port that connects switches together

Edge switch A fabric switch that connects host, storage, or other devices, such as

Fabric system

F_Port A fabric port. A switch port that connects a host, host bus adapter (HBA), or

FCoE Fibre Channel over Ethernet (FCoE) refers to a network technology that

Mapping In Access Gateway, mapping defines the routes between devices or

N_Port A node port. A Fibre Channel host or storage port in a fabric or point-to-point

switch, or connected cascaded AG switch to run diagnostic tests between the ports and test the link.

to form a fabric.

Brocade Access Gateway, to the fabric.

A fabric system consists of interconnected nodes that look like a single logical unit when viewed collectively. This refers to a consolidated highperformance network system consisting of coupled storage devices, networking devices and parallel processing high bandwidth interconnects such as 4-Gbps, 8-Gbps, 10-Gbps, and 16-Gbps Fibre channel ports.

storage device to the SAN. On Brocade Access Gateway, the F_Port connects to a host or a target.

encapsulates Fibre Channel frames over Ethernet networks. This allows Fibre Channel to use 10-Gigabit Ethernet or higher speed networks while preserving the Fibre Channel protocol.

F_Ports to the fabric facing ports (N_Ports).

connection. On Brocade Access Gateway, the N_Port connects to the Edge switch.

12 Access Gateway Administrator's Guide

53-1003126-02

About This Document

NPIV N_Port ID Virtualization. This is a Fibre Channel facility allowing multiple

Port Grouping (PG) policy

N_Port IDs to share a single physical N_Port. This allows multiple Fibre Channel initiators to occupy a single physical port, easing hardware requirements in storage area network design, especially for virtual SANs.

Port Grouping (PG) policy is used to partition the fabric, host, or target ports within an AG-enabled module into independently operated groups.

Access Gateway Administrator's Guide 13 53-1003126-02

Key terms for Access Gateway

14 Access Gateway Administrator's Guide

53-1003126-02

Access Gateway Basic Concepts

● Brocade Access Gateway overview ...............................................................................15

● Fabric OS features in Access Gateway mode................................................................ 17

● Access Gateway port types.............................................................................................24

● Access Gateway hardware considerations..................................................................... 26

Brocade Access Gateway overview

Brocade Access Gateway (AG) is a Fabric OS feature that you can use to configure your Enterprise fabric to handle additional devices instead of domains. You do this by configuring F_Ports to connect to the fabric as N_Ports, which increases the number of device ports you can connect to a single fabric. Multiple AGs can connect to the DCX enterprise-class platform, directors, and switches.

Access Gateway is compatible with M-EOS v9.1 or v9.6 or later, and Cisco-based fabrics that support standards-based NPIV. You can use the command line interface (CLI), Web Tools, or Brocade Network Advisor (BNA) to enable and disable AG mode and configure AG features on a switch. This document describes configurations using the CLI commands. Refer to the Fabric OS Command Reference , the Web Tools Administrator’s Guide, or the Brocade Network Advisor User Guide for more information about AG support in those tools.

After you set a Fabric OS switch to AG mode, the F_Ports connect to the Enterprise fabric as N_Ports rather than as E_Ports.

Comparing Native Fabric and Access Gateway modes on page 15 shows a comparison of a

configuration that connects eight hosts to a fabric using AG to the same configuration with Fabric OS switches in Native mode.

Switches in AG mode are logically transparent to the host and the fabric. Therefore, you can increase the number of hosts that have access to the fabric without increasing the number of switch domains. This simplifies configuration and management in a large fabric by reducing the number of domain IDs and ports.

Comparing Native Fabric and Access Gateway modes

The following points summarize the differences between a Fabric OS switch functioning in Native operating mode and a Fabric OS switch functioning in AG operating mode:

• The Fabric OS switch in Native mode is a part of the fabric; it requires two to four times as many physical ports, consumes fabric resources, and can connect to a Fabric OS fabric only.

• A switch in AG mode is outside of the fabric; it reduces the number of switches in the fabric and the number of required physical ports. You can connect an AG switch to a Fabric OS, M-EOS, or Ciscobased fabric.

Refer to the figures below for a comparison between switch function in Native mode and switch function in AG mode.

Access Gateway Administrator's Guide 53-1003126-02

Access Gateway Basic Concepts

FIGURE 1 Switch function in Native mode

16 Access Gateway Administrator's Guide

53-1003126-02

FIGURE 2 Switch function in Access Gateway mode

Fabric OS features in Access Gateway mode

In the table below, "Yes" indicates that the feature is supported in Access Gateway mode. "No" indicates that the feature is not provided in AG mode. "NA" indicates the feature is not applicable in Access Gateway mode. A single asterisk (*) indicates the feature is transparent to AG; that is, AG forwards the request to the Enterprise fabric. Two asterisks (**) indicates that the feature may not be available if the Enterprise fabric is not a Brocade fabric. For more information on these features, refer to the Fabric OS Administrator's Guide and Fabric OS Command Reference.

Fabric OS components supported on Access Gateway TABLE 1

Feature Support

Access Control Yes (limited roles)

Adaptive Networking Yes

When a switch is behaving as an AG, RBAC features in Fabric OS are available, but there are some limitations. For more information on the limitations, refer to Access Gateway hardware considerations on page 26.

Access Gateway Administrator's Guide 17 53-1003126-02

Access Gateway Basic Concepts

Feature Support

Admin Domains No

Audit Yes

Beaconing Yes

Bottleneck Detection Yes

Buffer Credit Recovery (CR) Yes -

Config Download/Upload Yes

Device Authentication Yes

Fabric OS components supported on Access Gateway (Continued)TABLE 1

Refer to Buffer credit recovery support on page 20 .

Refer to Device authentication support on page 21.

DHCP Yes

Diagnostic Port (D_Port) Yes

Refer to D_Port support on page 48.

Duplicate PWWN handling during device login Yes

Refer to Duplicate PWWN handling during device login on page 84.

Encryption Configuration and Management No

Environmental Monitor Yes

Error Event Management Yes

Extended Fabrics No

Fabric Assigned PWWN (FA-PWWN) Yes

Fabric Device Management Interface (FDMI) Yes*

Fabric Manager Yes**

Fabric Provisioning No

Fabric Services No

Fabric Watch Yes

Refer to the Fabric Watch Administrator's Guide for applicable support details.

Fibre Channel Routing (FCR) services No

18 Access Gateway Administrator's Guide

53-1003126-02

Fabric OS components supported on Access Gateway (Continued)TABLE 1

Feature Support

FICON (includes CUP) No

Forward Error Correction (FEC) Yes

Refer to Forward error correction support on page 20.

High Availability Yes

Hot Code Load Yes

License Yes**

Lightweight Directory Access Protocol (LDAP) Yes

Log Tracking Yes

Management Server NA

Access Gateway Basic Concepts

Manufacturing Diagnostics Yes

N_Port ID Virtualization (NPIV) Yes

Name Server NA

Native Interoperability Mode NA

Network Time Protocol (NTP) No (no relevance from fabric perspective)

Open E_Port NA

Performance Monitor Yes

Persistent ALPA Yes

Port Decommission No

Port Mirroring No

QuickLoop, QuickLoop Fabric Assist No

Remote Authentication Dial-In User Service (RADIUS) Yes

Resource Monitor Yes

Security Yes (ADS/DCC Policy)

SNMP Yes

Speed Negotiation Yes

In embedded switches, time should be updated by the server management utility.

Access Gateway Administrator's Guide 19 53-1003126-02

Buffer credit recovery support

Feature Support

Syslog Daemon Yes

Track Changes Yes

Trunking Yes**

User-Defined Roles Yes

Value Line Options (Static POD, DPOD) Yes

Virtual Fabrics No

Web Tools Yes

Zoning NA

Fabric OS components supported on Access Gateway (Continued)TABLE 1

Refer to Virtual Fabrics support on page 21 .

Buffer credit recovery support

This Fabric OS feature is supported on 8 Gbps and 16 Gbps platforms in the following configurations:

• Between AG switch F_Port and Brocade HBA port using Adapter v3.2 or greater firmware or any device supporting credit recovery, This feature only works at the maximum supported speed of the HBA port (8 Gbps or 16 Gbps).

• Between AG switch N_Port and Brocade fabric switch or cascaded AG switch F_Port.

It is highly recommended that you disable this feature on the AG switch before connecting to a switch running Fabric OS earlier than 7.1. Enable and disable credit recovery using the portcfgcreditrecovery command. Refer to the Fabric OS Command Reference for more information on this command.

Specific switch platforms support this feature either in R_RDY or VC_RDY mode. In VC_RDY mode, the buffer credit recovery is supported with fabric assigned PWWN (FA-PWWN), FEC, QoS, and trunking Fabric OS features. In R_RDY mode, this feature is supported without FA-PWWN and QoS Fabric OS features.

Forward error correction support

Forward error correction (FEC) is a Fabric OS feature supported in the following configurations:

• Between the AG switch F_Port and a Brocade 16 Gbps HBA port running version 3.2 or greater firmware.

• Between the AG switch N_Port and F_Port on Brocade 16 Gbps fabric switch or cascaded AG switch.

Following are limitations and considerations for FEC:

• Supported on Brocade 16 Gbps platforms only.

• Supported by Fabric OS 7.1.0 and later.

• Enabled by default.

20 Access Gateway Administrator's Guide

53-1003126-02

Virtual Fabrics support

• A Fabric OS downgrade requires FEC to be disabled.

• Specific switch platforms support this feature either in R_RDY or VC_RDY mode.

Virtual Fabrics support

Although you cannot enable AG mode on a switch enabled for Virtual Fabrics or enable Virtual Fabrics on an AG switch, you can connect ports on an AG switch to Virtual Fabrics.

Device authentication support

Devices use authentication as a mechanism to log in into switches only after exchanging DH_CHAP authorization keys. This prevents any unauthorized device from logging into switch and fabric by default.

Authentication policy is supported in the following configurations for Access Gateway switches. Regardless of the enabled policy, the AG port disables if the DH-CHAP or FCAP fails to authenticate each other.

• Access Gateway switch N_Port connected to Brocade fabric switch F_Port. The N_Port should enable authentication when authentication is enabled on the connected switch. This can be done by enabling switch policy on the AG switch and device policy on the fabric switch.

• Access Gateway switch F_Port connected to an HBA. The F_Port also should enable authentication when the connected device is sending login request with authentication enabled. This is done by enabling device policy on the AG switch.

By default, Brocade switches use DH-CHAP or FCAP authentication protocols. For authentication between fabric switches and AG switches, FCAP and DH-CHAP are used. If an FCAP certificate is present on the AG switch and fabric switch, FCAP has precedence over DHCAP. For authentication between AG switches and HBAs, DH-CHAP is used because the HBA only supports DH-CHAP.

For details on installing FCAP certificates and creating DHCAP secrets on the switch in AG or native mode, refer to the Fabric OS Administrator’s Guide or Fabric OS Command Reference.

For general information on authentication, refer to the section on authentication policy for fabric elements in the "Configuring Security Policies" chapter of the Fabric OS Administrator’s Guide.

Supported policy modes

The following switch and device policy modes are supported by Access Gateway:

• On - Strict authentication will be enforced on all ports. The ports on the AG connected to the switch or device will disable if the connecting switch or device does not support authentication or the policy mode is set to off. During AG initialization, authentication initiates on all ports automatically.

• Off - The AG switch does not support authentication and rejects any authentication negotiation request from the connected fabric switch or HBA. A fabric switch with the policy mode set to off should not be connected to an AG switch with policy mode set to on since the on policy is strict. This will disable the port if any switch rejects the authentication. You must configure DH-CHAP shared secrets or install FCAP certificates on the AG and connected fabric switch before switching from a policy "off" mode to policy "on" mode. Off is the default mode for both switch and device policy.

• Passive - The AG does not initiate authentication when connected to a device, but participates in authentication if the connecting device initiates authentication. The AG will not initiate authentication on ports, but accepts incoming authentication requests. Authentication will not disable AG F_Ports if the connecting device does not support authentication or the policy mode is set to off. Passive mode is the safest mode to use for devices connected to an AG switch if the devices do not support authentication.

Access Gateway Administrator's Guide 21 53-1003126-02

Supported Fabric OS commands

To perform authentication with switch policy, the on and off policy modes are supported on the AG switch. To perform authentication with device policy, the on, off, and passive modes are supported on the AG switch.

Behavior of sending AG switch and receiving fabric switch with different policies configuredTABLE 2

AG switch with switch policy mode on

AG switch with switch policy off

TABLE 3

Behavior of sending device (HBA) and receiving AG switch with different policies

Fabric switch with device policy mode ON

Authorization negotiation accept

DH-CHAP/FCAP:

Success - N_Port

Failure - disable

No negotiation

No light

Fabric switch with device policy mode PASSIVE

Authorization negotiation accept

DH-CHAP/FCAP:

Success - N_Port

Failure - disable

No Negotiation

N_Port without authenctication.

configured

AG switch with device policy mode ON

HBA authentication enabled Authorization negotiation

- accept

DH-CHAP

Success - F_Port

Failure - disable

AG switch with device policy mode PASSIVE

Authorization negotiation accept

DH-CHAP

Success - F_Port

Failure - disable

Fabric switch with device policy mode OFF

Authorization negotiation reject

N_Port without authentication

No negotiation

N_Port without authentication

AG switch with device policy mode OFF

Authorization negotiation

- reject

F_Port without authentication

HBA authenticationdisabled No negotiation

No light

No negotiation

F_Port without authentication

No negotiation

F_Port without authentication

Supported Fabric OS commands

All Fabric OS commands for authentication policy apply to AG switches, including the following:

• authutil -- policy

• authutil --show

• authutil --set

• secauthsecret --set

• secauthsecret --show

NOTE

Although authutil --authinit is not supported in AG mode, it is supported in native mode.

22 Access Gateway Administrator's Guide

53-1003126-02

Limitations and considerations

For more information, refer to the Fabric OS Command Reference .

Limitations and considerations

• Authentication policy is not supported on cascaded AG switch configurations.

• Authentication is not supported between an AG switch running Fabric OS v7.1.0 or later and a fabric running Fabric OS earlier than v7.1.0. If the AG switch is connected to fabric switch running Fabric OS earlier than v7.1.0, the AG switch N_Ports will disable if authentication is enabled on both switches. Devices mapped to N_Ports connected to fabrics operating with Fabric OS before v7.1.0 will also disable.

• If authentication is disabled on the Fabric Switch, the AG switch N_Port will come online without authentication policy.

• Device and switch policies must be disabled on the AG before converting the switch to Native mode.

• Device and switch policies must be disabled on the switch in Native mode before converting it to AG mode.

• Authentication policy is disabled by default on all ports in AG mode.

• High availability (HA) reboots are supported.

AG mode without all POD licenses

Prior to Fabric OS 7.3.0, the Brocade non-embedded switches (Brocade 300, 5100, 6505, and 6510) require all POD licenses to run in Access Gateway mode. However, starting with Fabric OS release

7.3.0, all POD licenses are not required to run these switches in AG mode.

The following points need to be considered while running the switches in AG mode without all POD licenses:

• By default, configured N_Ports will come up as disabled because a POD license is not installed for those ports.

• All F_Ports mapped to the default N-port will come up as disabled with the following reason N-Port

Offline for F-Port

• You must manually configure N_Ports in the switch using the portcfgnport command, and move the cable connections accordingly.

• You can update the N_Port-to-F_Port mapping using the mapdel and mapadd commands.

• You must install all POD licenses to downgrade from Fabric OS 7.3.0 to any previous release.

Password distribution support

Prior to Fabric OS 7.3.0, user account and password database can only be managed locally on the switches in AG mode. You had to either manually populate the password database in the AG mode or change the switch to native mode and then back to AG mode to populate the password database. Starting with Fabric OS 7.3.0, running the distribute command on any of the switches in native mode, will distribute the password database to all AGs and switches connected to the same fabric. You can distribute using the AG name or use *.* to distribute to all switches and AGs.

Consider the following points regarding password distribution:

• The fddCfg command in the AG can only be used to configure to either accept or reject the password database coming from any of the switches in the same fabric.

• To accept the password database from any switch, the AG must be loaded with Fabric OS 7.3.0, and at least one of the switches in native mode within the same fabric must be loaded with Fabric OS

7.3.0.

• Other databases supported by fddCfg are not supported on AGs.

Access Gateway Administrator's Guide 23 53-1003126-02

FDMI support

• VF mode distribution is not applicable to an AG.

• The distribute command is not supported in AG mode. Hence, an AG cannot distribute its password database to any of the switches in native mode.

FDMI support

Starting with Fabric OS 7.3.0, AG can register its N_Port with FDMI devices, and the fdmishow command is supported to display the device details in AG as well. The fdmishow command in an AG will display only the local devices, and the remote device details are blocked.

Access Gateway port types

Access Gateway differs from a typical fabric switch because it is not a switch; instead, it is a mode that you enable on a switch using the ag command. After a switch is set in Access Gateway mode, it can connect to the fabric using node ports (N_Ports). Typically, fabric switches connect to the Enterprise fabric using interswitch link (ISL) ports, such as E_Ports.

AG uses the following Fibre Channel (FC) ports:

• F_Port - Fabric port that connects a host, HBA, or storage device to a switch in AG mode.

• N_Port - Node port that connects a switch in AG mode to the F_Port of the fabric switch.

• D_Port - Port configured in diagnostic mode so that various tests can run between it and connected D_Port on another switch or HBA across a link.

NOTE

Initiate the portcfgpersisentenable command on all external or outward facing ports to ensure that these ports come back online after a switch reboot or power failure. For an embedded switch, execute this command through the chassis management console and not the switch CLI or the command may not persist. Refer to Persisting port online state on page 47 for more information.

Comparison of Access Gateway ports to standard switch ports

Access Gateway multiplexes host connections to the fabric. It presents an F_Port to the host and an N_Port to an Edge fabric switch. Using N_Port ID Virtualization (NPIV), AG allows multiple FC initiators to access the SAN on the same physical port. This reduces the hardware requirements and management overhead of hosts to the SAN connections.

A fabric switch presents F_Ports (or FL_Ports) and storage devices to the host and presents E_Ports, VE_Ports, or EX_Ports to other switches in the fabric. A fabric switch consumes SAN resources, such as domain IDs, and participates in fabric management and zoning distribution. A fabric switch requires more physical ports than AG to connect the same number of hosts.

The figure below shows a comparison of the types of ports a switch in AG mode uses to the type of ports that a switch uses in standard mode.

24 Access Gateway Administrator's Guide

53-1003126-02

FIGURE 3 Port usage comparison

Access Gateway Basic Concepts

You can convert a Fibre Channel port into a D_Port on AG switch and a connected fabric switch, another AG switch (cascaded configuration), or an HBA to test the link between the ports. When you configure the ports on each end of the link as D_Ports, diagnostic tests automatically initiate on the link when the D_Ports go online. Results can be viewed using Fabric OS commands, such as portDPortTest, during or after testing. Once in D_Port mode, the port does not participate in fabric operations, login to a remote device, or run data traffic.

Access Gateway Administrator's Guide 25 53-1003126-02

Access Gateway hardware considerations

FIGURE 4 Diagnostic port configurations

The table below shows a comparison of port configurations between AG and a standard fabric switch.

Port configurationsTABLE 4

Port type Available on Access Gateway? Available on Fabric switch?

F_Port Yes Connects hosts and targets to Access

Gateway.

N_Port Yes Connects Access Gateway to a fabric

switch.

E_Port N/A ISL is not supported. Yes Connects the switch to other switches to

D_Port Yes Allows diagnostic testing across link to

connected AG switch, fabric switch, or HBA.

Access Gateway hardware considerations

Hardware considerations for Access Gateway are as follows:

• Access Gateway is supported on the switch platforms and embedded switch platforms listed in

Supported hardware and software on page 11.

• Loop devices are not supported.

• Direct connections to SAN target devices are only supported if the AG-enabled module is connected to a fabric.

Yes Connects devices, such as hosts, HBAs, and

storage to the fabric.

N/A N_Ports are not supported.

form a fabric.

Yes Allows diagnostic testing across link to

connected AG switch.

The switch is logically transparent to the fabric, therefore it does not participate in the SAN as a fabric switch.

26 Access Gateway Administrator's Guide

53-1003126-02

Configuring Ports in Access Gateway Mode

● Enabling and disabling Access Gateway mode.............................................................. 27

● Access Gateway mapping...............................................................................................29

● N_Port configurations......................................................................................................46

● D_Port support................................................................................................................ 48

Enabling and disabling Access Gateway mode

Use the following steps to enable and disable Access Gateway mode. After you enable AG mode, some fabric information is erased, such as the zone and security databases. Enabling AG mode is disruptive because the switch is disabled and rebooted. For more information on the ag commands used in these steps, refer to the Fabric OS Command Reference.

1. Connect to the switch and log in using an account assigned to the admin role.

2. Before enabling or disabling a switch to AG mode, save the current configuration file using the configUpload command in case you might need this configuration again.

3. Ensure that no zoning or Admin Domain (AD) transaction buffers are active. If any transaction buffer is active, enabling AG mode will fail with the error, "Failed to clear Zoning/Admin Domain configuration".

4. Verify that the switch is set to Native mode.

a) Issue the switchShow command to verify the switch mode. b) If the switch mode is anything other than 0, issue the interopmode 0 command to set the

switch to Native mode.

For more information on setting switches to Native mode, refer to the Fabric OS Administrator’s Guide.

5. Enter the switchDisable command.

switch:admin> switchdisable

This command disables all user ports on a switch. All Fibre Channel ports are taken offline. If the switch is part of a fabric, the remaining switches reconfigure. You must disable the switch before making configuration changes.

6. Enter the ag - -modeenable command.

switch:admin> ag --modeenable

The switch automatically reboots and comes back online in AG mode using a factory default port mapping. For more information on AG default port mapping, refer to Table 7 on page 31.

7. Enter the ag --modeshow command to verify that AG mode is enabled.

switch:admin> ag --modeshow Access Gateway mode is enabled.

You can display the port mappings and status of the host connections to the fabric on Access Gateway.

8. Enter the ag --mapshow command to display all the mapped ports.

The ag --mapshow command shows all enabled N_Ports, even if those N_Ports are not connected.

Access Gateway Administrator's Guide 53-1003126-02

Port state description

9. Enter the switchShow command to display the status and port state of all ports. Refer to the Fabric OS Command Reference for examples of output. For a description of the port state, refer to Table 5

on page 28.

When you disable AG mode, the switch automatically reboots and comes back online using the fabric switch configuration; the AG parameters, such as port mapping, and Failover and Failback, are automatically removed. When the switch reboots, it starts in Fabric OS Native mode. To rejoin the switch to the core fabric, refer to Rejoining Fabric OS switches to a fabric on page 95.

10.Enter the switchDisable command to disable the switch.

switch:admin> switchdisable

11.Enter the ag command with the --modedisable option to disable AG mode.

switch:admin> ag --modedisable

12.Enter the ag --modeshow command to verify that AG mode is disabled.

switch:admin> ag --modeshow Access Gateway mode is NOT enabled

Port state description

Refer to the following table to know the port state.

Port state description TABLE 5

State Description

No _Card No interface card present

No _Module No module (GBIC or other) present

Mod_Val Module validation in process

Mod_Inv Invalid module

No_Light Module is not receiving light

No_Sync Receiving light but out of sync

In_Sync Receiving light and in sync

Laser_Flt Module is signaling a laser fault

Port_Flt Port marked faulty

Diag_Flt Port failed diagnostics

Lock_Ref Locking to the reference signal

Testing Running diagnostics

Offline Connection not established (only for virtual ports)

Online Port is up and running

28 Access Gateway Administrator's Guide

53-1003126-02

Access Gateway mapping

When operating in AG mode, you must specify pre-provisioned routes that AG will use to direct traffic from the devices (hosts or targets) on its F_Ports to the ports connected to the fabric using its N_Ports. This is unlike Native switch mode where the switch itself determines the best path between its F_Ports. This process of pre-provisioning routes in AG mode is called "mapping."

During mapping, device World Wide Names (WWNs) or F_Ports are assigned to N_Ports and N_Port groups on the switch running in AG mode. Mapping ensures that a device logging in to the switch will always connect to the fabric through a specific N_Port or N_Port group. Two types of mapping are available:

• Port mapping

A specific F_Port is mapped to a specific N_Port. This ensures that all traffic from a specific F_Port always goes through the same N_Port. To map an F_Port to an N_Port group, simply map the port to an N_Port that belongs to that port group. All F_Ports mapped to that N_Port will be part of that N_Port group.

• Device mapping (optional)

A specific device WWN is mapped to N_Port groups (preferred method) or to specific N_Ports. Device mapping allows a virtual port to access its destination device regardless of the F_Port where the device resides. Device mapping also allows multiple virtual ports on a single physical machine to access multiple destinations residing in different fabrics.

Device mapping is optional and should be added on top of existing port maps. Port mapping must exist at all times.

Access Gateway mapping

Port mapping

F_Ports must be mapped to N_Ports before the F_Ports can come online. The figure below shows an example in which eight F_Ports are mapped evenly to four N_Ports on a switch in AG mode. The N_Ports connect to the same fabric through different Edge switches.

Access Gateway Administrator's Guide 29 53-1003126-02

Default port mapping

FIGURE 5 Port mapping example

The following table describes the port mapping details for the above example.

Description of port mapping TABLE 6

Access Gateway Fabric

F_Port N_Port Edge switch F_Port

F_1, F_2 N_1 Switch_A F_A1

F_3, F_4 N_2 Switch_A F_A2

F_5, F_6 N_3 Switch_B F_B1

F_7, F_8 N_4 Switch_B F_B2

Default port mapping

When you first enable a switch for AG mode, the F_Ports are mapped to a set of predefined N_Ports by default. The table below describes the default port mapping for all supported hardware platforms. By default, Failover and Failback policies are enabled on all N_Ports.

If you want to change the default mapping, refer to Adding F_Ports to an N_Port on page 35. Note that all F_Ports must be mapped to an N_Port before the F_Port can come online.

30 Access Gateway Administrator's Guide

53-1003126-02

+ 74 hidden pages

Brocade Communications Systems 53-1003126-02 User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual