Brocade Communications Systems A7533A - Brocade 4Gb SAN Switch Base, AE370A - Brocade 4Gb SAN Switch 4/12 Administrator's Manual

53-1000605-02 12 Mar 2008
Access Gateway
Administrator’s Guide
Supporting Fabric OS v6.1.0
Copyright © 2007-2008 Brocade Communications Systems, Inc. All Rights Reserved.
Brocade, Fabric OS, File Lifecycle Manager, MyView, and StorageX are registered trademarks and the Brocade B-wing symbol, DCX, and SAN Health are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. All other brands, products, or service names are or may be trademarks or service marks of, and are used to identify, products or services of their respective owners.
Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government.
The authors and Brocade Communications Systems, Inc. shall have no liability or responsibility to any person or entity with respect to any loss, cost, liability, or damages arising from the information contained in this book or the computer programs that accompany it.
The product described by this document may contain “open source” software covered by the GNU General Public License or other open source license agreements. To find out which open source software is included in Brocade products, view the licensing terms applicable to the open source software, and obtain a copy of the programming source code, please visit http://www.brocade.com/support/oscd.
Brocade Communications Systems, Incorporated
Corporate Headquarters Brocade Communications Systems, Inc. 1745 Technology Drive San Jose, CA 95110 Tel: 1-408-333-8000 Fax: 1-408-333-8101 Email: info@brocade.com
European and Latin American Headquarters Brocade Communications Switzerland Sàrl Centre Swissair Tour A - 2ème étage 29, Route de l'Aéroport Case Postale 105 CH-1215 Genève 15 Switzerland Tel: +41 22 799 56 40 Fax: +41 22 799 56 41 Email: emea-info@brocade.com
Asia-Pacific Headquarters Brocade Communications Singapore Pte. Ltd. 9 Raffles Place #59-02 Republic Plaza 1 Singapore 048619 Tel: +65-6538-4700 Fax: +65-6538-0302 Email: apac-info@brocade.com
Document History
The following table lists all versions of the Access Gateway Administrator’s Guide.
Document Title Publication Number Summary of Changes Publication Date
Access Gateway Administrator’s Guide 53-1000430-01 First version January 2007
Access Gateway Administrator’s Guide 53-1000633-01 Added support for the 200E 15 Jun 2007
Access Gateway Administrator’s Guide 53-1000605-01 Added support for new policies and changes to N_Port mappings. 19 Oct 2007
Access Gateway Administrator’s Guide 53-1000605-02 Added support for new platforms: 300 and the 4424. Added support for new features: Masterless Trunking, Direct Target Connectivity, Advance Device Security policy, 16-bit routing. 12 Mar 2008
Contents
About This Document
How this document is organized
Supported hardware and software
What’s new in this document
Document conventions
Text formatting
Notes, cautions, and warnings
Key terms
Additional information
Brocade resources
Other industry resources
Optional Brocade features
Getting technical help
Document feedback
Chapter 1 Getting Started
In this chapter
Brocade Access Gateway
Fabric OS features in Access Gateway mode
Access Gateway port types
Comparison of Access Gateway ports to standard switch ports
How Access Gateway maps ports
Upgrade and downgrade considerations
Considerations with policies enabled
Advance Device Security policy
Automatic Port Configuration policy
Port Grouping policy
Chapter 2 Enabling Policies on Switches in Access Gateway Mode
In this chapter
Access Gateway policies
Showing current policies
Advance Device Security policy
Enabling the Advance Device Security policy
Disabling the Advance Device Security policy
Setting which devices can log in if ADS policy is enabled
Setting which devices cannot log in if ADS policy is enabled
Removing devices from the list of devices allowed at login
Adding new devices to the list of devices allowed at login
Displaying the list of devices on the switch
Automatic Port Configuration policy
Enabling the Automatic Port Configuration policy
Disabling the Automatic Port Configuration policy
Rebalancing F_Ports with APC policy enabled
Failover Policy
Enabling the Failover policy
Disabling the Failover policy
Failback policy
Enabling the Failback policy
Cold Failover policy
Port Grouping policy
Creating a port group
Adding an N_Port to a port group
Deleting an N_Port from a port group
Removing a port group
Renaming a port group
Disabling the Port Group policy
Access Gateway policy enforcement matrix
Access Gateway N_Port trunking
Access Gateway trunking considerations
Trunk group creation
Setting up F_Port trunking
Assigning a Trunk Area
Enabling the DCC policy on trunk
Configuration management for trunk areas
Enabling Access Gateway trunking
Disabling F_Port trunking
F_Port Trunking monitoring
Chapter 3 Connecting Devices Using Access Gateway
In this chapter
Configuring the fabric and edge switch
Verifying the switch mode
Setting the Fabric OS switch to Native Mode
Enabling NPIV on the M-EOS switch
Connectivity to Cisco Fabrics
Access Gateway routing requirements with Cisco fabrics
Enabling NPIV on a Cisco switch
Workaround for QLogic-based devices
Editing Company ID List if no FC target devices on switch
Adding or deleting an OUI from the Company ID List
Enabling Flat FCID mode if no FC target devices on switch
Editing Company ID list if target devices on switch
Access Gateway mode
Enabling Access Gateway mode
Port States
Disabling Access Gateway mode
Re-joining switches to a fabric
Reverting to a previous configuration
Chapter 4 Configuring Ports in Access Gateway mode
In this chapter
Port Initialization in Access Gateway mode
N_Ports
Unlocking N_Ports
Displaying N_Port configurations
Verifying port mapping and status
Displaying N_Port mapping
Displaying port status
Port configurations
Adding F_Ports to an N_Port
Removing F_Ports from an N_Port
Adding a preferred secondary N_Port
Deleting F_Ports from a preferred secondary N_Port
Appendix A Troubleshooting
Index
About This Document
This document is a procedural guide to help SAN administrators configure and manage Brocade Access Gateway.
This preface contains the following sections:
How this document is organized
Supported hardware and software
What’s new in this document
Document conventions
Key terms
Additional information
Getting technical help
Document feedback
How this document is organized
The document contains the following topics:
Chapter 1, “Getting Started” describes how to use Access Gateway to create seamless connectivity to any Storage Area Network (SAN) fabric.
Chapter 2, “Enabling Policies on Switches in Access Gateway Mode” describes how to enable policies on a switch in Access Gateway mode.
Chapter 3, “Connecting Devices Using Access Gateway” describes how to connect multiple devices using Access Gateway.
Chapter 4, “Configuring Ports in Access Gateway mode” describes how to configure ports in Access Gateway mode.
Appendix A, “Troubleshooting” provides symptoms and troubleshooting tips to resolve issues.
Supported hardware and software
Although many different software and hardware configurations are tested and supported by Brocade Communications Systems, Inc. for v6.1.0, documenting all possible configurations and scenarios is beyond the scope of this document. All Fabric OS switches must be running v5.1 or later; all M-EOS switches must be running M-EOSc 9.1 or later, M-EOSn must be running 9.6.2 or later, and Cisco switches with SAN OS must be running 3.0 (1) and 3.1 (1) or later. Access Gateway supports 4 and 8 Gbit bladed servers and blades.
What’s new in this document
The following changes have been made since this document was last released:
Information that was added
Platforms
Brocade 300 and 4424
16-bit routing (8 Gbps platforms only)
Performance
Access Gateway masterless trunking
Seamless failover
Configuration
Direct Target Attach
Security
Advance Device Security policy
Enhanced routing
For further information, refer to the release notes.
Document conventions
This section describes text formatting conventions and important notice formats.
Text formatting
The narrative-text formatting conventions that are used in this document are as follows:
bold text
    Identifies command names
    Identifies the names of user-manipulated GUI elements
    Identifies keywords and operands
    Identifies text to enter at the GUI or CLI
italic text
    Provides emphasis
    Identifies variables
    Identifies paths and Internet addresses
    Identifies document titles
code text
    Identifies CLI output
    Identifies syntax examples
For readability, command names in the narrative portions of this guide are presented in mixed lettercase: for example, switchShow. In actual examples, command lettercase is often all lowercase. Otherwise, this manual specifically notes those cases in which a command is case sensitive. The ficonCupSet and ficonCupShow commands are an exception to this convention.
Notes, cautions, and warnings
The following notices appear in this document.
NOTE
A note provides a tip, emphasizes important information, or provides a reference to related information.
ATTENTION
An Attention statement indicates potential damage to hardware or data.
CAUTION
A Caution statement alerts you to situations that can be potentially hazardous to you.
DANGER
A Danger statement indicates conditions or situations that can be potentially lethal or extremely hazardous to you. Safety labels are also attached directly to products to warn of these conditions or situations.
Key terms
For definitions of SAN-specific terms, visit the Storage Networking Industry Association online dictionary at: http://www.snia.org/education/dictionary.
For definitions specific to Brocade and Fibre Channel, see the Brocade Glossary.
The following terms are used in this manual to describe Access Gateway mode and its components.
Access Gateway (AG)
Fabric OS mode for embedded switches that reduces SAN (storage area network) deployment complexity by leveraging NPIV (N_Port ID virtualization).
E_Port
An ISL (Interswitch link) port. A switch port that connects switches together to form a fabric.
Edge switch
A fabric switch that connects host, storage, or other devices, such as Brocade Access Gateway, to the fabric.
F_Port
A fabric port. A switch port that connects a host, HBA (host bus adaptor), or storage device to the SAN. On Brocade Access Gateway, the F_Port connects to hosts and targets.
Mapping
On the Brocade Access Gateway, the configuration of F_Port to N_Port routes.
N_Port
A node port. A Fibre Channel host or storage port in a fabric or point-to-point connection. On Brocade Access Gateway, the N_Port connects to the edge switch.
NPIV
N_Port ID virtualization. Allows a single Fibre Channel port to appear as multiple, distinct ports providing separate port identification and security zoning within the fabric for each operating system image as if each operating system image had its own unique physical port.
Preferred Secondary N_Port
On the Brocade Access Gateway, the preferred secondary N_Port refers to the secondary path that an F_Port fails over to if the primary N_Port goes offline.
Additional information
This section lists additional Brocade and industry-specific documentation that you might find helpful.
Brocade resources
To get up-to-the-minute information, join Brocade Connect. It’s free! Go to http://www.brocade.com and click Brocade Connect to register at no cost for a user ID and password.
For practical discussions about SAN design, implementation, and maintenance, you can obtain Building SANs with Brocade Fabric Switches through:
http://www.amazon.com
For additional Brocade documentation, visit the Brocade SAN Info Center and click the Resource Library location:
http://www.brocade.com
Release notes are available on the Brocade Connect Web site and are also bundled with the Fabric OS firmware.
Other industry resources
White papers, online demos, and data sheets are available through the Brocade Web site at http://www.brocade.com/products/software.jhtml.
Best practice guides, white papers, data sheets, and other documentation are available through the Brocade Partner Web site.
For additional resource information, visit the Technical Committee T11 Web site. This Web site provides interface standards for high-performance and mass storage applications for Fibre Channel, storage management, and other applications:
http://www.t11.org
For information about the Fibre Channel industry, visit the Fibre Channel Industry Association Web site:
http://www.fibrechannel.org
Optional Brocade features
For a list of optional Brocade features and descriptions, see the Fabric OS Administrator’s Guide.
Getting technical help
Contact your switch support supplier for hardware, firmware, and software support, including product repairs and part ordering. To expedite your call, have the following information available:
1. General Information
Technical Support contract number, if applicable
Switch model
Switch operating system version
Error numbers and messages received
supportSave command output
Detailed description of the problem, including the switch or fabric behavior immediately following the problem, and specific questions
Description of any troubleshooting steps already performed and the results
Serial console and Telnet session logs
Syslog message logs
2. Switch Serial Number
The switch serial number and corresponding bar code are provided on the serial number label, as shown here:
FT00X0054E9
The serial number label is located as follows:
Brocade 200E—On the nonport side of the chassis
Brocade 300—On the nonport side of the chassis
Brocade 4100, 4900, and 7500—On the switch ID pull-out tab located inside the chassis on the port side on the left
Brocade 5000—On the switch ID pull-out tab located on the bottom of the port side of the switch
Brocade 7600—On the bottom of the chassis
Brocade 48000—Inside the chassis next to the power supply bays
Brocade DCX—On the bottom right on the port side of the chassis
3. World Wide Name (WWN)
Use the wwn command to display the switch WWN.
If you cannot use the wwn command because the switch is inoperable, you can get the WWN from the same place as the serial number.
Document feedback
Quality is our first concern at Brocade and we have made every effort to ensure the accuracy and completeness of this document. However, if you find an error or an omission, or you think that a topic needs further development, we want to hear from you. Forward your feedback to:
documentation@brocade.com
Provide the title and version number of the document and as much detail as possible about your comment, including the topic heading and page number and your suggestions for improvement.
Chapter 1
Getting Started
This chapter describes how to create seamless connectivity to any Storage Area Network (SAN) fabric using Access Gateway (AG). It provides information on how to set the port types, port mappings, and the policies to ensure a stable fabric.
AG is compatible with Fabric OS, M-EOS, and Cisco-based fabrics. Enabling and disabling AG mode on a switch can be performed from the command line interface (CLI) or using Web Tools, Fabric Manager (5.3) or EFCM (9.6). This document describes configurations using the CLI commands.
In this chapter
Brocade Access Gateway
Fabric OS features in Access Gateway mode
Comparison of Access Gateway ports to standard switch ports
Access Gateway port types
How Access Gateway maps ports
Upgrade and downgrade considerations
Considerations with policies enabled
Advance Device Security policy
Automatic Port Configuration policy
Port Grouping policy
Brocade Access Gateway
Brocade Access Gateway is a Fabric OS feature that lets you configure your Enterprise fabric to handle additional N_Ports instead of domains. You do this by configuring F_Ports to connect to the fabric as N_Ports, which increases the number of device ports you can connect to a single fabric. Multiple AGs can connect to the DCX enterprise-class platform, directors, and switches.
After you set a Fabric OS switch to AG mode, the F_Ports connect to the Enterprise fabric as N_Ports rather than as E_Ports. They connect as E_Ports if the Fabric OS switch is in Native mode.
Figure 1 shows a comparison of a configuration that connects eight hosts to a fabric using AG to the same configuration with Fabric OS switches in Native mode.
Switches in AG mode are logically transparent to the host and the fabric. You can increase the number of hosts that have access to the fabric without increasing the number of switches. This simplifies configuration and management in a large fabric by reducing the number of domain IDs and ports.
FIGURE 1 Access Gateway and fabric switch comparison
The following points summarize the differences between a Fabric OS switch in Native mode and a Fabric OS switch in AG mode:
The Fabric OS switch in Native mode is a part of the fabric; it requires two to four times as many physical ports, consumes fabric resources, and can connect to a Fabric OS fabric only.
AG is outside the fabric; it reduces the number of switches in the fabric and the number of required physical ports. You can connect AG to either a Fabric OS, M-EOS, or Cisco-based fabric.
Fabric OS features in Access Gateway mode
When a switch is behaving as an Access Gateway, RBAC features in Fabric OS and direct connection to SAN target devices are available, but Admin Domains, Advanced Performance Monitoring, Fibre Channel Arbitrated Loop support, Fabric Manager, FICON, IP over FC, ISL trunking, extended fabrics, management platform services, name services (SNS), port mirroring, SMI-S, and zoning are not available. For more information on AG supported features, see “Access Gateway trunking considerations” on page 23. You must have the role of securityadmin, admin, or user to configure AG.
All security enforcement is done in the Enterprise fabric using the Advanced Device Security policy (ADS), which secures virtual connections in the case where the physical connection to the SAN is lost. When you enable the ADS policy, by default, every port is configured to allow all devices to log in or be a part of the Access List. The Allow list restricts the number of devices that can log in to a specified F_Port. Because all WWNs are a part of the Access List, you can identify which devices are allowed to log in on a per F_Port basis by specifying the device’s port WWN (PWWN). Using the ag --adsset command, you can set the “Allow List” to All Access or No Access.
For example, the Allow List can include the N_Port WWN and the PWWNs of all the HBAs connected to the F_Ports that are mapped to an N_Port, which is connected to a switch in AG mode. If there is an ADS policy violation, the AG connection is disabled and all of the N_Ports to which the F_Ports are connected are also disabled. For information on how to specify which devices to include or exclude at login, see “Setting which devices can log in if ADS policy is enabled” on page 9 or “Setting which devices cannot log in if ADS policy is enabled” on page 10.
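The following is an added example, not part of the Brocade guide: a Python sketch of the per-F_Port Allow List semantics described above (All Access by default, No Access as an empty list, PWWN match otherwise), used to audit a planned policy against an HBA inventory. The port numbers, WWNs, function names and the `*` marker are constructed for illustration and are not Fabric OS syntax or output.

```python
import re

ALL_ACCESS = "*"  # this sketch's marker for the "All Access" state (assumption)
_WWN_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){7}$")


def normalize_wwn(wwn):
    """Lower-case a port WWN and require the 8-byte colon-separated form."""
    w = wwn.strip().lower()
    if not _WWN_RE.match(w):
        raise ValueError(f"not a valid port WWN: {wwn!r}")
    return w


def default_policy(f_ports):
    """ADS just enabled: every F_Port allows all devices to log in."""
    return {port: ALL_ACCESS for port in f_ports}


def set_allow_list(policy, port, wwns):
    """Replace one port's Allow List; an empty list means No Access."""
    if port not in policy:
        raise KeyError(f"F_Port {port} is not covered by the policy")
    if wwns == ALL_ACCESS:
        policy[port] = ALL_ACCESS
    else:
        policy[port] = frozenset(normalize_wwn(w) for w in wwns)


def login_permitted(policy, port, pwwn):
    """True if the device's PWWN may log in on this F_Port."""
    allowed = policy[port]
    return allowed == ALL_ACCESS or normalize_wwn(pwwn) in allowed


def audit(policy, inventory, observed):
    """Compare a policy with the known HBA inventory and observed logins.

    open_ports       F_Ports still at All Access
    stale_entries    allowed PWWNs that no inventoried HBA on that port owns
    denied           observed logins the Allow List rejects
    unknown_admitted observed logins that pass only because the port is open
    """
    known = {p: {normalize_wwn(w) for w in ws} for p, ws in inventory.items()}
    report = {"open_ports": [], "stale_entries": [],
              "denied": [], "unknown_admitted": []}
    for port in sorted(policy):
        allowed = policy[port]
        if allowed == ALL_ACCESS:
            report["open_ports"].append(port)
        else:
            for w in sorted(allowed - known.get(port, set())):
                report["stale_entries"].append((port, w))
    for port, pwwn in observed:
        w = normalize_wwn(pwwn)
        if not login_permitted(policy, port, w):
            report["denied"].append((port, w))
        elif w not in known.get(port, set()):
            report["unknown_admitted"].append((port, w))
    return report


# Constructed sample data: HBA inventory per F_Port and observed logins.
INVENTORY = {
    1: ["10:00:00:00:C9:AA:00:01"],
    2: ["10:00:00:00:c9:aa:00:02"],
    3: ["10:00:00:00:c9:aa:00:03"],
}
OBSERVED = [
    (1, "10:00:00:00:c9:aa:00:01"),  # expected HBA on F_Port 1
    (2, "10:00:00:00:c9:bb:00:99"),  # unknown device on a restricted port
    (3, "10:00:00:00:c9:bb:00:77"),  # unknown device on a port left open
]


def build_sample_policy():
    policy = default_policy([1, 2, 3, 4])
    set_allow_list(policy, 1, INVENTORY[1])
    # A decommissioned HBA's PWWN left behind in the list for F_Port 2.
    set_allow_list(policy, 2, INVENTORY[2] + ["10:00:00:00:c9:aa:00:0f"])
    set_allow_list(policy, 4, [])  # unused port: No Access
    return policy  # F_Port 3 is left at the All Access default


if __name__ == "__main__":
    for finding, items in audit(build_sample_policy(), INVENTORY, OBSERVED).items():
        print(finding, items)
```

The `unknown_admitted` finding is the one the default hides: on a port left at All Access, an uninventoried PWWN logs in without any policy violation being raised.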
Access Gateway port types
Access Gateway differs from a typical fabric switch because it is not a switch; instead, it is a mode that you enable on a switch using the ag command. After a switch is set in AG mode, it can connect to the fabric using node ports (N_Ports). Typically, fabric switches connect to the Enterprise fabric using ISL (InterSwitch Link) ports, such as E_Ports.
Following are the Fibre Channel (FC) ports that AG uses:
F_Port - fabric port that connects a host, HBA, or storage device to a switch in AG mode.
N_Port - node port that connects a switch in AG mode to the F_Port of the fabric switch.
Comparison of Access Gateway ports to standard switch ports
Access Gateway multiplexes host connections to the fabric. It presents an F_Port to the host and an N_Port to an edge fabric switch. Using N_Port ID virtualization (NPIV), AG allows multiple FC initiators to access the SAN on the same physical port. This reduces the hardware requirements and management overhead of host-to-SAN connections.
A fabric switch presents F_Ports (or FL_Ports) and storage devices to the host and presents E_Ports, VE_Ports, or EX_Ports to other switches in the fabric. A fabric switch consumes SAN resources, such as domain IDs, and participates in fabric management and zoning distribution. A fabric switch requires more physical ports than AG to connect the same number of hosts.
Figure 2 shows a comparison of the types of ports a switch in AG mode uses to the type of ports that a standard fabric switch uses.
FIGURE 2 Port usage comparison
Table 1 shows a comparison of port configurations with AG to a standard fabric switch.
TABLE 1 Port configurations
Port Type   Access Gateway                                        Fabric switch
F_Port      Yes. Connects hosts and targets to Access Gateway.    Yes. Connects devices, such as hosts, HBAs, and storage to the fabric.
N_Port      Yes. Connects Access Gateway to a fabric switch.      NA. N_Ports are not supported.
E_Port      NA. ISL is not supported. (1)                         Yes. Connects the switch to other switches to form a fabric.
1. The switch is logically transparent to the fabric, therefore it does not participate in the SAN as a fabric switch.
How Access Gateway maps ports
Access Gateway uses mapping (that is, pre-provisioned routes) to direct traffic from the hosts to the fabric. When you first enable a switch to AG mode, by default, the F_Ports are mapped to a set of predefined N_Ports. For the default F_Port-to-N_Port mapping, see Table 9 on page 51. If required, you can manually change the default mapping. Figure 3 shows a mapping with eight F_Ports evenly mapped to four N_Ports on a switch in AG mode. The N_Ports connect to the same fabric through different edge switches.
FIGURE 3 Example F_Port-to-N_Port mapping
TABLE 2 Description of F_Port-to-N_Port mapping
Access Gateway Fabric
F_Port N_Port Edge switch F_Port
F_1, F_2 N_1 Switch_A F_A1
F_3, F_4 N_2 Switch_A F_A2
F_5, F_6 N_3 Switch_B F_B1
F_7, F_8 N_4 Switch_B F_B2
Upgrade and downgrade considerations
Downgrading to Fabric OS v6.0.0 or earlier is supported; however, you must first disable the switch from AG mode. Note the following considerations when upgrading and downgrading from Fabric OS v6.1.0 to Fabric OS v6.0.0 and earlier:
Downgrading is not allowed if any F_Port trunk is active.
Trunking must be disabled before downgrading.
When a switch is set in AG mode, if you downgrade to v6.0.0x, all preferred settings are lost.
Considerations with policies enabled
Note the following upgrade and downgrade considerations when the Brocade policies are enabled.
Advance Device Security policy
If ADS is enabled, downgrading to v6.0 is allowed; however, the ADS policy is not supported in v6.0.0.
Automatic Port Configuration policy
If you upgrade from Fabric OS v6.0.x to Fabric OS v6.1.0, by default, the APC policy is disabled. If the APC is enabled, you can downgrade from Fabric OS v6.1.0 to Fabric OS v6.0.0.
Port Grouping policy
If you upgrade from v6.0.0 to v6.1.0, then the PG policy is enabled with the default port group pg0 containing all the N_Ports. If the PG policy is enabled, you can downgrade from Fabric OS v6.1.0 to Fabric OS v6.0.0.
Chapter 2
Enabling Policies on Switches in Access Gateway Mode
This chapter provides information and procedures for enabling policies on switches in Access Gateway mode.
In this chapter
Access Gateway policies
Showing current policies
Advance Device Security policy
Enabling the Advance Device Security policy
Disabling the Advance Device Security policy
Setting which devices can log in if ADS policy is enabled
Setting which devices cannot log in if ADS policy is enabled
Removing devices from the list of devices allowed at login
Adding new devices to the list of devices allowed at login
Displaying the list of devices on the switch
Automatic Port Configuration policy
Enabling the Automatic Port Configuration policy
Disabling the Automatic Port Configuration policy
Rebalancing F_Ports with APC policy enabled
Failover Policy
Enabling the Failover policy
Disabling the Failover policy
Failback policy
Enabling the Failback policy
Cold Failover policy
Port Grouping policy
Creating a port group
Adding an N_Port to a port group
Deleting an N_Port from a port group
Removing a port group
Renaming a port group
Disabling the Port Group policy
Access Gateway policy enforcement matrix
Access Gateway trunking considerations
Trunk group creation
Setting up F_Port trunking
Assigning a Trunk Area
Enabling Access Gateway trunking
Enabling the DCC policy on trunk
Disabling F_Port trunking
F_Port Trunking monitoring
Access Gateway policies
The Brocade policy-based approach lets you restrict or filter traffic on standard Fabric OS switches and switches in Access Gateway mode. You can enable the following policies on a switch in Access Gateway mode:
Advance Device Security policy (ADS)
Automatic Port Configuration policy (APC)
Port Grouping policy (PG)
Showing current policies
You can run the following command to see which policies are enabled or disabled on a switch.
1. Connect to the switch and log in as admin.
2. Enter the ag --policyshow command.

switch:admin> ag --policyshow
Policy_Description          Policy_Name   State
--------------------------------------------------
Port Grouping               pg            Enabled
Auto Port Configuration     auto          Disabled
Advanced Device Security    ads           Enabled
Advance Device Security policy
The Advance Device Security (ADS) policy is supported on AG F_Ports. Fabric OS v6.1.0 extends the DCC policy to switches in AG mode to provide an additional level of security. It does this by extending the DCC policy to the physical F_Ports and the NPIV logins on F_Ports. As more physical servers become virtual, virtual servers can become vulnerable and security becomes an integral part of server IO virtualization. This security policy is a mechanism that restricts fabric connectivity to a set of devices that you can specify or allow to log in to the fabric connected through a switch in AG mode. By default, the ADS policy is not enabled. After you set a switch in AG mode, you can enable the ADS policy, and then specify which devices to allow at login on a per F_Port basis.
Security enforcement can also be done in the enterprise fabric; the DCC policy in the enterprise fabric takes precedence over the ADS policy. When you enable the ADS policy, it applies to all the ports on the switch. By default, all devices have access to the fabric on all ports.
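The following is an added example, not part of the Brocade guide: a Python check that parses captured ag --policyshow output in the layout shown under "Showing current policies" and reports the ADS state, using only the behavior this guide states (ADS is disabled by default; ADS is not supported in v6.0.0). The function names, the finding wording, and the embedded sample output are constructed for illustration.

```python
import re

# Constructed sample: `ag --policyshow` output in the layout this guide shows.
SAMPLE = """\
switch:admin> ag --policyshow
Policy_Description          Policy_Name   State
--------------------------------------------------
Port Grouping               pg            Enabled
Auto Port Configuration     auto          Disabled
Advanced Device Security    ads           Enabled
"""

# A data row is: free-text description, short policy name, then the state.
# The description contains spaces, so the name and state are taken from the
# right-hand end of the line.
ROW = re.compile(r"^(?P<desc>.+?)\s+(?P<name>\S+)\s+(?P<state>Enabled|Disabled)\s*$")


def parse_policyshow(text):
    """Return {policy_name: True/False} from captured `ag --policyshow` output."""
    policies = {}
    for line in text.splitlines():
        # The prompt echo, column header and dashed rule do not end in a
        # state keyword, so they fail the row pattern and are ignored.
        m = ROW.match(line.strip())
        if m:
            policies[m.group("name")] = m.group("state") == "Enabled"
    return policies


def audit(policies):
    """Return findings about the ADS policy on a switch in AG mode."""
    if "ads" not in policies:
        return ["ads: policy not listed in the captured output"]
    if not policies["ads"]:
        # Default state per the guide: no per-F_Port device restriction on the AG switch.
        return ["ads: disabled; no per-F_Port device restriction is enforced by this switch"]
    return ["ads: enabled; the ADS policy is not supported after a downgrade to v6.0.0"]


if __name__ == "__main__":
    for finding in audit(parse_policyshow(SAMPLE)):
        print(finding)
```

Because the DCC policy in the enterprise fabric takes precedence over ADS, a result from this check describes only the AG switch, not the effective access control in the fabric.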