HP Brocade 4Gb SAN Switch for HP BladeSystem p-Class User Manual

HP StorageWorks
Fabric OS 5.0.0 procedures
user guide
Part number: AA–RW1PA–TE
First edition: May 2005
Legal and notice information
© Copyright 2005 Hewlett-Packard Development Company, L.P.
© Copyright 2005, Brocade Communications Systems, Incorporated.
This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard. The information is provided “as is” without warranty of any kind and is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Windows is a U.S. registered trademark of Microsoft Corporation.
UNIX® is a registered trademark of The Open Group.
Linux® is a U.S. registered trademark of Linus Torvalds.
Java™ is a U.S. trademark of Sun Microsystems, Inc.

Contents

About this guide
Intended audience
Related documentation
Document conventions and symbols
HP technical support
HP Storage web site
HP authorized reseller
1 Introducing Fabric OS CLI procedures
Changes to this guide for OS v5.0.0
Brocade 4Gb SAN Switch for HP p-Class BladeSystem
About procedural differences
Scope and references
About the CLI
Help information
Displaying command help
Displaying additional help topics
2 Performing basic configuration tasks
Connecting to the CLI
Setting the IP address
Setting the default account passwords
Setting the date and time
Maintaining licensed features
Customizing the switch name
Customizing the chassis name
Disabling and enabling a switch
Disabling and enabling a port
Activating Ports on Demand
Making basic connections
Connecting to devices
Connecting to other switches
Working with domain IDs
Linking through a gateway
Checking status
Tracking and controlling switch changes
3 Configuring standard security features
Ensuring network security
Configuring the telnet interface
Blocking listeners
Accessing switches and fabrics
Creating and maintaining user-defined accounts
To display account information
To create a user-defined account
To delete a user-defined account
To change account parameters
To recover user-defined accounts
Changing an account password
Setting up RADIUS AAA service
Configuring the RADIUS server
Windows 2000
Linux
Configuring the switch
Enabling and disabling local authentication
Configuring for the SSL protocol
Browser and Java™ support
Summary of SSL procedures
Choosing a CA
Generating a public/private key
Generating and storing a CSR
Obtaining certificates
Installing a switch certificate
Activating a switch certificate
Configuring the browser
Installing a root certificate to the Java Plug-in
Displaying and deleting certificates
Troubleshooting certificates
Configuring for SNMP
Setting the security level
Using the snmpconfig command
Using legacy commands for SNMPv1
Configuring secure file copy
Setting the boot PROM password
With a recovery string
Without a recovery string
Recovering forgotten passwords
4 Maintaining configurations and firmware
Maintaining configurations
Displaying configuration settings
Backing up a configuration
Restoring a configuration
Downloading configurations across a fabric
Editing configuration files
Printing hard copies of switch information
Maintaining firmware
Obtaining and unzipping firmware
Checking connected switches
About the download process
Effects of firmware changes on accounts and passwords
Considerations for downgrading firmware
Upgrading HP StorageWorks SAN switches
Summary of the upgrade process
SAN Switch upgrade procedure
Upgrading the Core Switch 2/64 and the SAN Director 2/128
Summary of the upgrade process
Core Switch 2/64 and SAN Director 2/128 upgrade procedure
Troubleshooting firmware downloads
5 Configuring the Core Switch 2/64 and the SAN Director 2/128
Identifying ports
By slot and port number
By port area ID
Basic card management
Powering port cards on and off
Disabling and enabling cards
Conserving power
Setting chassis configurations
Obtaining slot information
Configuring a new SAN Director 2/128 with two domains
Converting an installed SAN Director 2/128 to support two domains
Combining Core Switch 2/64 and SAN Director 2/128 cards in one chassis
Setting the card beacon mode
6 Routing traffic
About routing policies
Specifying the routing policy
Assigning a static route
Specifying frame order delivery
Using dynamic load sharing
Viewing routing path information
Viewing routing information along a path
7 Administering extended fabrics
About extended link buffer allocation
SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, Core Switch 2/64, and SAN Director 2/128
SAN Switch 4/32
Fabric considerations
Choosing an extended ISL mode
Configuring an extended ISL
Trunking over distance
8 Administering ISL trunking
Standard trunking criteria
Fabric considerations
Initializing trunking on ports
Monitoring traffic
Enabling and disabling ISL trunking
Setting port speeds
Displaying trunking information
Trunking over extended fabrics
Troubleshooting trunking problems
Listing link characteristics
Recognizing buffer underallocation
9 Administering advanced zoning
Zoning terminology
Zoning concepts
Zone types
Zone objects
Zone aliases
Zone configurations
Zoning enforcement
Software-enforced zoning
Hardware-enforced zoning
Rules for configuring zones
Creating and managing zone aliases
Creating and maintaining zones
Creating and modifying zoning configurations
Managing zoning configurations in a fabric
Adding a new switch or fabric
Splitting a fabric
Using zoning to administer security
Resolving zone conflicts
10 Administering advanced performance monitoring
Displaying and clearing the CRC error count
Monitoring end-to-end performance
Adding end-to-end monitors
Setting a mask for end-to-end monitors
Deleting end-to-end monitors
Monitoring filter-based performance
Adding standard filter-based monitors
Adding custom filter-based monitors
Deleting filter-based monitors
Monitoring ISL performance
Monitoring trunks
Displaying monitor counters
Clearing monitor counters
Saving and restoring monitor configurations
Collecting performance data
11 Configuring the distributed management server
Enabling and disabling the platform services
Controlling access
Configuring the server database
Controlling topology discovery
12 Working with diagnostic features
Viewing power-on self test
Viewing switch status
Viewing port information
Viewing equipment status
Viewing the system message log
Viewing the port log
Configuring for syslogd
Configuring the Host
Configuring the switch
Viewing and saving diagnostic information
Setting up automatic trace dump transfers
13 Troubleshooting
Most common problem areas
Gathering information for technical support
Analyzing connection problems
Restoring a segmented fabric
Correcting zoning setup issues
Recognizing MQ-WRITE errors
Correcting I2C bus errors
Correcting device login issues
Identifying media-related issues
Correcting link failures
Correcting marginal links
Inaccurate information in the system message log
Recognizing the port initialization and FCP auto discovery process
A Configuring the PID format
About PIDs and PID binding
Summary of PID formats
Impact of changing the fabric PID format
Host reboots
Static PID mapping errors
Changes to configuration data
Selecting a PID format
Evaluating the fabric
Planning the update procedure
Online update
Offline update
Hybrid update
Changing to core PID format
Changing to extended edge PID format
Performing PID format changes
Basic procedure
HP–UX procedure
AIX procedure
Swapping port area IDs
B Configuring interoperability mode
Vendor switch requirements
HP StorageWorks switch requirements
Supported HP StorageWorks features
Unsupported HP StorageWorks features
Configuration recommendations
Configuration restrictions
Zoning restrictions
Zone name restrictions
Enabling and disabling interoperability mode
C Using Remote Switch
D Understanding legacy password behavior
Password management information
Password prompting behaviors
Password migration during firmware changes
Password recovery options
E Zone merging scenarios
F Upgrading firmware in single mode
Glossary
Index
Figures
1 Hardware-enforced non-overlapping zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
2 Hardware-enforced overlapping zones. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
3 Zoning with hardware assist (mixed port and WWN zones) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
4 Overlapping hardware-enforced zoning with soft porting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
5 Setting end-to-end monitors on a port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
6 Proper placement of end-to-end performance monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
7 Mask positions for end-to-end monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
8 Configure command on a switch running Fabric OS 3.1.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
9 Configure command on a switch running Fabric OS 4.2.0 and later . . . . . . . . . . . . . . . . . . . . . . . 213
Tables
1 Document conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2 Brocade 4Gb SAN Switch for HP p-Class BladeSystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
3 Conversion from UTC to local time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
4 Standard ISL modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
5 Blocked listener applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
6 Access details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
7 SSL certificate files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
8 Recommended CAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
9 Commands for displaying and deleting SSL certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
10 SSL messages and actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
11 Recommended firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
12 Effect of firmware on accounts and passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
13 Supported options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
14 Header fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
15 Extended ISL modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
16 SAN Switch 2/8V, 2/16V, 2/32, Core Switch 2/64, and SAN Director 2/128 . . . . . . . . . . . . . . . 109
17 SAN Switch 4/32 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
18 Types of zoning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
19 Approaches to fabric-based zoning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .125
20 Enforcing hardware zoning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
21 Zoning database limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
22 Considerations for zoning architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
23 Advanced performance monitoring commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
24 Commands to add filter-based monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .150
25 Predefined values at offset 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
26 Error summary description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
27 Commands for port log management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
28 Fabric OS to UNIX message severities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .176
29 Common troubleshooting problems and tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
30 Types of zone discrepancies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
31 Commands for debugging zoning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
32 Component test descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
33 Switch component tests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
34 SwitchShow output and suggested action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
35 Effects of PID format changes on configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
36 PID format recommendations for adding new switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
37 PID format and management interface names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
38 Earliest Fabric OS versions for extended edge PID format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
39 Account and password characteristics matrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
40 Password prompting matrix. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
41 Password migration behavior during firmware upgrade and downgrade . . . . . . . . . . . . . . . . . . . . . 233
42 Password recovery options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
43 Zone merging scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

About this guide

This document provides information to assist fabric administrators in using the web-based graphical user interface to monitor and modify their HP StorageWorks switch fabrics.
This preface discusses the following topics:
Intended audience, page 9
Related documentation, page 9
Document conventions and symbols, page 10
HP technical support, page 11

Intended audience

This book is intended for use by those responsible for monitoring and modifying their HP StorageWorks switch fabric.

Related documentation

Documentation, including white papers and best practices documents, is available via the HP website. Please go to:
http://www.hp.com/country/us/eng/prodserv/storage.html
To access 4.x related documents:
1. Locate the Networked storage section of the web page.
2. Under Networked storage, go to the By type subsection.
3. Click SAN infrastructure. The SAN infrastructure page displays.
4. Locate the Fibre Channel Switches section.
Locate the B-Series Fabric subsection, and then go to the appropriate subsection, such as Enterprise Class for the SAN Director 2/128.
To access 4.x documents (such as this document), select the appropriate product, for example SAN Director 2/128 & 2/128 Power Pack or Core Switch 2/64 & Core Switch 2/64 Power Pack.
The switch overview page displays.
5. Go to the Product information section, located on the far right side of the web page.
6. Click Technical documents.
7. Follow the onscreen instructions to download the applicable documents.

Document conventions and symbols

Table 1 Document conventions

Convention                                          Element
Medium blue text: Figure 1                          Cross-reference links and e-mail addresses
Medium blue, underlined text (http://www.hp.com)    Web site addresses
Bold font                                           Key names; text typed into a GUI element, such as into a box; GUI elements that are clicked or selected, such as menu and list items, buttons, and check boxes
Italics font                                        Text emphasis
Monospace font                                      File and directory names; system output; code; text typed at the command-line
Monospace italic font                               Code variables; command-line variables
Monospace, bold font                                Emphasis of file and directory names, system output, code, and text typed at the command-line
WARNING! Indicates that failure to follow directions could result in bodily harm or death.
CAUTION: Indicates that failure to follow directions could result in damage to equipment or data.
IMPORTANT: Provides clarifying information or specific instructions.
NOTE: Provides additional information.
TIP: Provides helpful hints and shortcuts.

HP technical support

Telephone numbers for worldwide technical support are listed on the following HP web site:
http://www.hp.com/support/
From this web site, select the country of origin.
NOTE: For continuous quality improvement, calls may be recorded or monitored.
Obtain the following information before calling:
Technical support registration number (if applicable)
Product serial numbers
Product model names and numbers
Applicable error messages
Operating system type and revision level
Detailed, specific questions

HP Storage web site

The HP web site has the latest information on this product, as well as the latest drivers. Access storage at:
http://www.hp.com/country/us/eng/prodserv/storage.html
From this web site, select the appropriate product or solution.

HP authorized reseller

For the name of your nearest HP authorized reseller:
In the United States, call 1-800-345-1518.
Elsewhere, visit http://www.hp.com and click Contact HP to find locations and telephone numbers.

1 Introducing Fabric OS CLI procedures

This guide contains procedures for configuring and managing an HP StorageWorks Storage Area Network (SAN) using the Fabric OS Command Line Interface (CLI). This chapter consists of the following sections:
Changes to this guide for OS v5.0.0, page 13
About procedural differences, page 15
Scope and references, page 16
About the CLI, page 16
Help information, page 17
The guide applies to the following HP products:
HP StorageWorks Switches: 1-GB switches, SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, and SAN Switch 4/32.
These switches contain a fixed number of ports (they are called fixed-port switches). The SAN Switch 4/32 allows you to license and activate extra fixed ports with the Ports on Demand feature.
Core Switch 2/64 and SAN Director 2/128.
These switches can contain a variable number of ports, which you install by plugging port cards into the director chassis.

Changes to this guide for OS v5.0.0

The following changes are new to v5.0.0 and are not included elsewhere in this guide.
Add “Brocade 4Gb SAN Switch for HP p-Class BladeSystem” everywhere that the HP StorageWorks SAN Switch 4/32 is mentioned, except as specified in the following sections.
• On page 43, in the section “Creating and maintaining a user-defined account,” change the following definition item:
-r rolename Specifies the role: either admin or user in nonsecure mode; admin, user, or nonfcsadmin in secure mode.
to:
-r rolename Specifies the role: either admin or user in nonsecure mode or admin, user, switchAdmin, or nonfcsadmin in secure mode.
• On page 44, in the section “To change account parameters,” change the following definition item:
-r rolename Specifies the role: either admin or user in nonsecure mode; admin, user, or nonfcsadmin in secure mode.
to:
-r rolename Specifies the role: either admin or user in nonsecure mode; admin, user, switchAdmin, or nonfcsadmin in secure mode.
• On page 107, in the section “SAN Switch 4/32” add the following:
For the Brocade 4Gb SAN Switch for HP p-Class BladeSystem, each port group contains four ports and buffer credits are shared among all ports on the switch.
• On page 108, in the section “Choosing an extended ISL mode,” add the following:

Brocade 4Gb SAN Switch for HP p-Class BladeSystem

The number of ports that can be configured at various distances is summarized in Table 2.
Table 2 Brocade 4Gb SAN Switch for HP p-Class BladeSystem
Speed (Gbit/sec)    Number of ports allowed at distance (km)
                    1       2       3       4
1                   286     154     110     88
2                   143     77      55      44
4                   71.5    38.5    27.5    22
• On page 146, in the section “Adding end-to-end monitors,” change the following paragraph:
The HP StorageWorks SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, Core Switch 2/64, SAN Director 2/128, allow up to eight end-to-end monitors.
to:
The HP StorageWorks SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, Core Switch 2/64, SAN Director 2/128, and Brocade 4Gb SAN Switch for HP p-Class BladeSystem allow up to eight end-to-end monitors.
• On page 149, in the section “Monitoring filter-based performance,” change the following paragraph:
For HP StorageWorks SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, Core Switch 2/64, and SAN Director 2/128, the maximum number of filters is eight per port, in any combination of standard filters and user-defined filters.
to:
For HP StorageWorks SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, Core Switch 2/64, SAN Director 2/128, and Brocade 4Gb SAN Switch for HP p-Class BladeSystem, the maximum number of filters is eight per port, in any combination of standard filters and user-defined filters.
• On page 219, in the section “HP StorageWorks switch requirements,” add the following:
Brocade 4Gb SAN Switch for HP p-Class BladeSystem running Fabric OS 5.0.0 or later.

About procedural differences

As a result of the differences between fixed-port and variable-port devices, procedures sometimes differ between HP StorageWorks switch models. Also, because the domain architecture of the Core Switch 2/64 differs from that of the SAN Director 2/128, there are sometimes procedural differences between these two.
When procedures or parts of procedures apply to some models but not others, this guide identifies the specifics for each model. For example, a number of procedures that apply only to variable-port devices are found in “Configuring the Core Switch 2/64 and the SAN Director 2/128” on page 89. Procedures that apply only to the SAN Switch 4/32 are labeled as such.
NOTE: When command examples in this guide show user input enclosed in quotation marks, the quotation marks are required for versions earlier than v4.0.0. They are optional in later versions, unless specifically called for in the procedures.

Scope and references

Although many different software and hardware configurations are tested and supported by HP, documenting all possible configurations and scenarios is beyond the scope of this document. In some cases, earlier releases are highlighted to present considerations for interoperating with them.
The hardware reference manuals for HP StorageWorks products describe how to power up devices and set their IP addresses. After the IP address is set, you can use the CLI procedures contained in this guide.
This guide provides only the level of detail required to perform the procedures. If you need more information about the commands used in the procedures, refer to online help or to the HP StorageWorks Fabric OS 4.x command reference guide.
There are several access methods that you can use to configure a switch. These are listed with their respective documents:
For Advanced Web Tools procedures, refer to the HP StorageWorks Fabric OS 4.x Advanced Web Tools user guide.
For Fabric Manager procedures, refer to the HP StorageWorks Fabric OS 4.4.x Fabric Manager user guide.
For third-party application procedures, refer to the third-party API documentation.

About the CLI

Fabric OS CLI is the complete fabric management tool for HP SANs that enables you to:
Access the full range of Fabric OS features, based on license keys.
Configure, monitor, dynamically provision, and manage every aspect of the SAN.
Configure and manage the HP fabric on multiple efficient levels.
Identify, isolate, and manage SAN events across every switch in the fabric.
Manage switch licenses.
Perform fabric stamping.
To manage a switch using telnet, SNMP, and HP Advanced Web Tools, the switch must be connected to a network through the switch Ethernet port (out of band) or from the Fibre Channel (in band). The switch must be configured with an IP address to allow for the network connection. Refer to the hardware manual for your switch for information on physically connecting to the switch.
You can access switches from different connections, such as Advanced Web Tools, CLI, and API. When these connections are simultaneous, changes from one connection may not be updated to the other, and some modifications may be lost. When simultaneous connections are used, make sure that you do not overwrite the work of another connection.
In a mixed fabric containing switches running various Fabric OS versions, you should use the latest-model switches running the most recent release for the primary management tasks. The principal management access should be set to the core switches in the fabric. For example, to run Secure Fabric OS, use the latest-model switch as the primary FCS, the location to perform zoning tasks, and the time server.
A number of management tasks are designed to make fabric-level changes; for example, zoning commands make changes that affect the entire fabric. When executing fabric-level configuration tasks, allow time for the changes to propagate across the fabric before executing any subsequent tasks. For a large fabric, this may take a few minutes.

Help information

Each Fabric OS command provides Help information that explains the command function, its possible operands, its level in the command hierarchy, and additional pertinent information.

Displaying command help

To display help information:
1. Connect to the switch and log in as admin.
2. To display a list of all command help topics, issue the help command with no arguments.
3. To display help for a specific command, enter help command, where command is the name of the command for which you need information, as shown in the following example:
switch:admin> help configure
Administrative Commands configure(1m)
NAME
configure - change system configuration settings
SYNOPSIS
configure
AVAILABILITY
admin
DESCRIPTION
This command changes some system configuration settings,
including:
o Arbitrated loop settings
o Switch fabric settings
o System services settings
o Virtual channel settings
(output truncated)

Displaying additional help topics

The following commands provide help files for specific topics:
diagHelp Diagnostic help information
fwHelp Fabric Watch help information
licenseHelp License help information
perfHelp Performance Monitoring help information
routeHelp Routing help information
trackChangesHelp Track Changes help information
zoneHelp Zoning help information

2 Performing basic configuration tasks

This chapter contains procedures for performing basic switch configuration tasks using the Fabric OS CLI and contains the following sections:
Connecting to the CLI, page 19
Setting the IP address, page 21
Setting the default account passwords, page 21
Setting the date and time, page 22
Maintaining licensed features, page 25
Customizing the switch name, page 27
Customizing the chassis name, page 28
Disabling and enabling a switch, page 28
Disabling and enabling a port, page 29
Activating Ports on Demand, page 30
Making basic connections, page 30
Working with domain IDs, page 31
Linking through a gateway, page 32
Checking status, page 33
Tracking and controlling switch changes, page 35

Connecting to the CLI

You can connect to the CLI either through a telnet connection or through the serial port. To connect with telnet:
1. Verify that the switch is connected to the IP network through the RJ-45 Ethernet port.
Switches in the fabric that are not connected via Ethernet can be managed through switches that are using IP over Fibre Channel. The embedded port must have an assigned IP address.
2. Open a telnet connection to the switch.
The login prompt is displayed when the telnet connection finds the switch in the network.
For the Core Switch 2/64 and SAN Director 2/128, enter the logical switch name (sw0 or sw1).
3. Enter the account ID (defaults are user or admin) at the login prompt.
4. Enter the password. The default password is password.
If you have not changed the system passwords from the default, you are prompted to change them.
5. Enter the new system passwords, or press Ctrl+c to skip the password prompts.
6. Verify that the login was successful. The prompt displays the switch name and user ID to which you are connected:
login: admin
password: xxxxxxx
switch:admin>
Consider the following for telnet connections:
Never change the IP address of the switch while two telnet sessions are active; if you do, your next attempt to log in fails. To recover, gain access to the switch by one of these methods:
• Use Advanced Web Tools and perform a fast boot. When the switch comes up, the telnet quota is cleared. For instructions on performing a fast boot with Advanced Web Tools, refer to the HP StorageWorks Fabric OS 4.x Advanced Web Tools user guide.
• If you have the required privileges, you can connect through the serial port, log in as root, and use operating system commands to identify and kill the telnet processes without disrupting the fabric.
For admin level accounts, Fabric OS limits the number of simultaneous telnet sessions per switch to two. For more details on session limits, see “Configuring the telnet interface” on page 40 and “Creating and maintaining user-defined accounts” on page 43.

To connect through the serial port:

1. Connect the serial cable to the serial port on the switch and to an RS-232 serial port on the workstation.
If the serial port on the workstation is RJ-45 instead of RS-232, remove the adapter on the end of the serial cable and insert the exposed RJ-45 connector into the RJ-45 serial port on the workstation.
2. Open a terminal emulator application (such as HyperTerminal on a PC, or TERM, TIP, or Kermit in a UNIX® environment), and configure the application as follows:
• In a Windows® environment:
Parameter          Value
Bits per second    9600
Databits           8
Parity             None
Stop bits          1
Flow control       None
• In a UNIX environment, enter the following string at the prompt: tip /dev/ttyb -9600
If ttyb is already in use, you can use ttya (enter tip /dev/ttya -9600).
Consider the following for serial connections:
Some procedures require that you connect through the serial port; for example, setting the IP address or setting the boot PROM password.
If secure mode is enabled, connect through the serial port of the primary FCS switch.
For the Core Switch 2/64 and SAN Director 2/128, you can connect to CP0 or CP1 using either of the two serial ports.

Setting the IP address

You must connect through the serial port to set the IP address (see “To connect through the serial port:” on page 20). After connecting, use the ipaddrset command to set the IP address.
CAUTION: The use of IP address 0.0.0.0 is not supported. Do not use this address.
Fabric OS v2.6.0, v3.1.0, and v4.0.0 support Classless Inter-Domain Routing (CIDR).

Setting the default account passwords

For each logical switch (domain), there are admin and user default access accounts. These accounts designate different levels of authorization—called roles—for using the system:
The admin level is for administrative use.
The user level is for nonadministrative use, such as monitoring system activity.
Two accounts—factory and root—are reserved for development and manufacturing. You can change their passwords, which is optional, but you should not use these accounts under normal circumstances.
For the SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, SAN Switch 4/32, and SAN Director 2/128 (default configuration with one domain), there is one set of default access accounts.
For the Core Switch 2/64 and SAN Director 2/128, configured with two domains, each logical switch has its own set of default access accounts. The default account names and passwords are the same for both of the logical switches.
You can also create up to 15 additional accounts per logical switch and designate their roles as either admin or user. See the procedures in “Creating and maintaining user-defined accounts” on page 43.
For large enterprises, Fabric OS supports RADIUS services, as described in “Setting up RADIUS AAA service” on page 46.
In addition to the account access passwords, each switch can set a boot PROM password. For greater security, HP recommends that you set this password to protect system boot parameters from unauthorized access. See “Setting the boot PROM password” on page 70.
Each of the default access accounts has an associated password. The first time you connect to a Fabric OS switch you are prompted to change these default account passwords.
If you do not change the default passwords, you are prompted to do so at each subsequent login until all system passwords have been changed from the default values. Thereafter, use the passwd command to change passwords.
For more background information on passwords, see “Changing an account password” on page 45.
To change the default passwords at login:
1. Connect to the switch and log in as admin.
2. At each of the Enter new password prompts, either enter a new password or skip the prompt.
Skip a prompt by pressing Enter. You can bypass all further prompts by pressing Ctrl+c.
Although the root and factory accounts are not meant for general use, you should change their passwords if prompted to do so and save the passwords in case they are needed for recovery purposes.
Passwords can be from 8 to 40 characters long and must begin with an alphabetic character. They can include numerals, the dot (.), and the underscore (_). They are case sensitive, and they are not displayed when you enter them on the command line. You cannot reuse the default passwords.
NOTE: Record the passwords exactly as entered and store them in a secure place; recovering passwords requires significant effort and fabric downtime.
Example:
login: admin
Password:
Please change your passwords now.
Use Control-C to exit or press 'Enter' key to proceed.
for user - root
Changing password for root
Enter new password: *****
Password changed.
Saving password to stable storage.
Password saved to stable storage successfully.
Please change your passwords now.
for user - factory
Changing password for factory
Enter new password: *****
Password changed.
Saving password to stable storage.
Password saved to stable storage successfully.
Please change your passwords now.
for user - admin
Changing password for admin
Enter new password: *****
Password changed.
Saving password to stable storage.
Password saved to stable storage successfully.
Please change your passwords now.
for user - user
Changing password for user
Enter new password: *****
Password changed.
Saving password to stable storage.
Password saved to stable storage successfully.
switch:admin>
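The password rules above can be checked on a management workstation before you reach the login prompts. The following is an added example, not code from HP or Brocade: it validates a candidate against the stated rules and generates one distinct random password for each of the four default accounts. It assumes the allowed alphabet is exactly ASCII letters, digits, the dot, and the underscore; the names violations, generate, and rotation_plan are hypothetical.

```python
import secrets
import string

# Rules stated in this guide for account passwords.
MIN_LEN, MAX_LEN = 8, 40
# Assumption: only ASCII letters, digits, dot and underscore are accepted.
ALLOWED = string.ascii_letters + string.digits + "._"
# The guide gives "password" as the default; defaults cannot be reused.
# Passwords are case sensitive, so the comparison is exact.
DEFAULT_PASSWORDS = {"password"}
# Order in which the login prompts ask for new passwords.
ACCOUNTS = ("root", "factory", "admin", "user")


def violations(candidate):
    """Return the list of rules a candidate breaks; empty means acceptable."""
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append("length must be 8 to 40 characters")
    if not candidate or candidate[0] not in string.ascii_letters:
        problems.append("must begin with an alphabetic character")
    bad = sorted({c for c in candidate if c not in ALLOWED})
    if bad:
        problems.append("characters not allowed: " + "".join(bad))
    if candidate in DEFAULT_PASSWORDS:
        problems.append("default password cannot be reused")
    return problems


def generate(length=20):
    """Generate a random password that satisfies the rules above."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("length must be 8 to 40")
    first = secrets.choice(string.ascii_letters)
    rest = "".join(secrets.choice(ALLOWED) for _ in range(length - 1))
    return first + rest


def rotation_plan(length=20):
    """Return one distinct, validated password per default account."""
    plan = {}
    for account in ACCOUNTS:
        candidate = generate(length)
        # Regenerate on the (unlikely) chance of a default or a duplicate.
        while violations(candidate) or candidate in plan.values():
            candidate = generate(length)
        plan[account] = candidate
    return plan


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for sample in ("password", "9switches", "Fabric!Admin1", "Sw1tch.fabric_01"):
        print(sample, "->", violations(sample) or "ok")
```
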

Setting the date and time

Switches maintain the current date and time in nonvolatile memory. Date and time are used for logging events. Switch operation does not depend on the date and time; a switch with an incorrect date and time value still functions properly. However, because the date and time are used for logging, you should set them correctly.
NOTE: The date and tsclockserver commands are disabled when the security feature is enabled. With security enabled you can view the current date setting only on the primary FCS switch.
To set the date and time:
1. Connect to the switch and log in as admin.
2. Enter the date command at the command line using the following syntax:
date MMDDhhmmYY
The values represent the following:
MM is the month; valid values are 01 through 12.
DD is the date; valid values are 01 through 31.
hh is the hour; valid values are 00 through 23.
mm is minutes; valid values are 00 through 59.
YY is the year; valid values are 00 through 99 (values greater than 69 are interpreted as 1970 through 1999, and values less than 70 are interpreted as 2000 through 2069).
NOTE: The date function does not support daylight savings time or time zones, so such changes must be reset manually.
Example:
switch:admin> date
Fri May 5 21:50:00 UTC 1989
switch:admin>
switch:admin> date "0624165203"
Tue Jun 24 16:52:30 UTC 2003
switch:admin>
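Because the switch clock stamps every logged event, it helps to build the date operand programmatically and to measure how far a switch has drifted from a reference clock before correlating its logs with other sources. The following is an added example, not code from the guide: it encodes and decodes the MMDDhhmmYY operand using the year rule stated above and parses the date output format shown in the example. It assumes the switch is at its default UTC time zone; the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
# Matches output such as "Tue Jun 24 16:52:30 UTC 2003".
DATE_OUTPUT = re.compile(
    r"^[A-Z][a-z]{2} ([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) UTC (\d{4})$"
)


def decode_date_arg(arg):
    """Decode an MMDDhhmmYY operand into a UTC datetime."""
    if len(arg) != 10 or not (arg.isascii() and arg.isdigit()):
        raise ValueError("operand must be exactly 10 digits: MMDDhhmmYY")
    mm, dd, hh, mi, yy = (int(arg[i:i + 2]) for i in range(0, 10, 2))
    # Year rule from the guide: >69 means 19YY, <70 means 20YY.
    # Python's strptime("%y") maps 69 to 1969, so it is not used here.
    year = 1900 + yy if yy > 69 else 2000 + yy
    # datetime() rejects impossible values such as month 13 or 30 February.
    return datetime(year, mm, dd, hh, mi, tzinfo=timezone.utc)


def encode_date_arg(when):
    """Build the MMDDhhmmYY operand from a timezone-aware datetime."""
    if when.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime")
    utc = when.astimezone(timezone.utc)
    if not 1970 <= utc.year <= 2069:
        raise ValueError("year outside the representable range 1970-2069")
    # Seconds are dropped: the operand carries minute resolution only.
    return utc.strftime("%m%d%H%M%y")


def parse_date_output(line):
    """Parse the line printed by the date command into a UTC datetime."""
    match = DATE_OUTPUT.match(line.strip())
    if not match or match.group(1) not in MONTHS:
        raise ValueError("unrecognized date output: %r" % line)
    mon, day, hh, mi, ss, year = match.groups()
    return datetime(int(year), MONTHS.index(mon) + 1, int(day),
                    int(hh), int(mi), int(ss), tzinfo=timezone.utc)


def clock_drift_seconds(switch_date_output, reference):
    """Seconds by which the switch clock is ahead of the reference clock."""
    return (parse_date_output(switch_date_output) - reference).total_seconds()


if __name__ == "__main__":
    print("date", '"%s"' % encode_date_arg(datetime.now(timezone.utc)))
    # Output line taken from the example in this section.
    reference = datetime(2003, 6, 24, 16, 52, tzinfo=timezone.utc)
    print(clock_drift_seconds("Tue Jun 24 16:52:30 UTC 2003", reference))
```
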
You can synchronize the local time of the principal or primary Fabric Configuration Server (FCS) switch to an external NTP server.
To synchronize local time with an external source:
1. Connect to the switch and log in as admin.
2. Issue the following command:
tsclockserver ipaddr
where ipaddr is the IP address of the NTP server, which the switch must be able to access. This operand is optional; by default this value is LOCL, which uses the local clock of the principal or primary switch as the clock server.
Example:
switch:admin> tsclockserver
LOCL
switch:admin> tsclockserver "132.163.135.131"
switch:admin> tsclockserver
132.163.135.131
switch:admin>
HP recommends that you synchronize time with an external NTP server, as described on page 23. If you cannot do so, use the next procedure.
To set the time zone:
1. Connect to the switch and log in as admin.
2. Issue the tstimezone command as follows:
tstimezone [houroffset [, minuteoffset]]
• For Pacific Standard Time enter tsTimeZone -8,0
• For Central Standard Time enter tsTimeZone -6,0
• For Eastern Standard Time enter tsTimeZone -5,0
The default time zone for switches is Coordinated Universal Time (UTC), which is 8 hours ahead of (later than) Pacific Standard Time (PST). For additional time zone conversions, see Table 3.
The parameters do not apply if the time zone of the switch has already been changed from the default (8 hours ahead of PST).
Refer to the tstimezone command in the HP StorageWorks Fabric OS 4.x command reference guide for more detailed information about the command parameters.
3. Repeat the procedure on all switches for which the Time Zone needs to be set. This needs to be done only once, because the value is written to nonvolatile memory.
For U.S. time zones, use Table 3 to determine the correct parameter for the tstimezone command.

Table 3 Conversion from UTC to local time

Local time            tstimezone conversion parameter
Atlantic Standard     -4,0
Atlantic Daylight     -3,0
Eastern Standard      -5,0
Eastern Daylight      -4,0
Central Standard      -6,0
Central Daylight      -5,0
Mountain Standard     -7,0
Mountain Daylight     -6,0
Pacific Standard      -8,0
Pacific Daylight      -7,0
Alaskan Standard      -9,0
Alaskan Daylight      -8,0
Hawaiian Standard     -10,0

Maintaining licensed features

Feature licenses might be part of the licensed Paper Pack supplied with switch software, or you can purchase licenses separately from your switch vendor, who will provide you with keys to unlock the features. License keys are provided on a per-chassis basis, so for products that support multiple logical switches (domains), a license key applies to all domains within the chassis.
To unlock a licensed feature, you can either use the license key in the Paper Pack supplied with switch software, or launch an Internet browser and go to the HP licensing web site at http://webkey.external.hp.com/welcome.asp. Click Generate a license key and follow the instructions to generate the key.
NOTE: You need the following items for each chassis to be licensed:
• Transaction key, which is in the Paper Pack supplied with switch software. Or, when you purchase a license, your switch vendor gives you a transaction key to be used for obtaining a license key.
• License ID; to see a switch License ID, use the licenseIDShow command.
To unlock a licensed feature:
1. If you already have a license key, go to step 10.
If you do not have a key, launch an Internet browser and go to the HP web site:
http://www.hp.com/country/us/eng/prodserv/storage.html
2. Click products.
3. Click Software Products.
4. In the Related Links panel on the right side of the page, select Software License Keys.
The Software License Keys instruction page appears.
5. If you want to generate a single license key, select Generate 1 license key.
If you want to generate multiple license keys, select Batch Generation of Licenses.
The Software License Key instruction page appears.
6. Enter the requested information in the required fields.
When generating multiple license keys, enter the worldwide names and transaction keys in the table at the bottom of the screen. If you need additional rows in the table, select Add More Rows.
7. Click Next.
A verification screen appears.
8. Verify that the information appears correctly.
Click Submit if the information displayed is correct. If the information is incorrect, click Previous and change the information.
9. After the information is corrected, click Submit.
An information screen displays the license keys.
You also receive an e-mail with the keys and installation instructions.
10. Activate and verify the license as follows:
a. Connect to the switch and log in as admin.
b. Activate the license using the licenseadd command. For example:
switch:admin> licenseadd "key"
The license key is case sensitive and must be entered exactly as given. The quotation marks are optional.
For the Core Switch 2/64 and SAN Director 2/128, the licenses are effective on both CPs and on all logical switches.
c. Verify that the license was added by issuing the licenseshow command. The licensed features currently installed on the switch are listed. If the feature is not listed, issue the licenseadd command again.
d. Some features may require additional configuration, or you might need to disable and reenable the switch to make them operational; see the feature documentation for details.
Example
switch:admin> licenseshow
SbeSdQdQySyriTeJ:
    Web license
    Zoning license
    Fabric license
    Remote Switch license
    Extended Fabric license
    Fabric Watch license
    Performance Monitor license
    Trunking license
    Security license
SbbebdQS9QTscfcB:
    Ports on Demand license - additional 8 port upgrade
SbbebdQS9QTcgfcz:
    Ports on Demand license - additional 8 port upgrade
To remove a licensed feature:
1. Connect to the switch and log in as admin.
2. Issue the licenseshow command to display the active licenses.
3. Remove the license key using the licenseremove command. For example:
switch:admin> licenseremove "key"
The license key is case sensitive and must be entered exactly as given. The quotation marks are optional.
After removing a license key, the optionally licensed feature is disabled when the switch is rebooted or when a switch disable or enable is performed. For the Core Switch 2/64 and SAN Director 2/128, reboot both the primary and the secondary CP cards to ensure that HA features remain synchronized.
4. Issue the licenseshow command to verify that the license is disabled.
Example:
switch:admin> licenseshow
bQebzbRdScRfc0iK:
    Web license
    Zoning license
SybbzQQ9edTzcc0X:
    Fabric license
switch:admin> licenseremove "bQebzbRdScRfc0iK"
removing license key "bQebzbRdScRfc0iK"
switch:admin>
After a reboot (or switchdisable and switchenable):
Example:
switch:admin> licenseshow
SybbzQQ9edTzcc0X:
    Fabric license
switch:admin>
If there are no license keys, licenseshow displays No licenses.

Customizing the switch name

Switches can be identified by IP address, Domain ID, World Wide Name (WWN), or by customized switch names that are unique and meaningful.
In version 4.0.0 and later, switch names can be from 1 to 15 characters; they must begin with a letter and can contain letters, numbers, and the underscore character. It is not necessary to use quotation marks.
The default names are:
• swd77 for the SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, and SAN Switch 4/32.
• For the Core Switch 2/64, the two logical switches have different default names. The name swd77 is used for the logical switch containing the port cards in slots 1 through 4; swd76 is used for the logical switch containing the port cards in slots 7 through 10.
• swd77 for the SAN Director 2/128
NOTE: Changing the switch name causes a domain address format RSCN to be issued.
To customize the switch name:
1. For the SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, and SAN Switch 4/32, proceed to the next step.
For the Core Switch 2/64 and the SAN Director 2/128, identify the serial console for the active CP. You can do so by issuing the hashow command from any Core Switch 2/64 and SAN Director 2/128 serial console, or by looking for the blue Active LED on the SAN Director 2/128.
2. Connect to the switch and log in as admin.
3. For the Core Switch 2/64 and the SAN Director 2/128, proceed to the next step.
For the SAN Director 2/128, if configured for one domain (the default) proceed to the next step. If configured with two domains, proceed as for the Core Switch 2/64.
For the Core Switch 2/64, choose the logical switch that you want to change. Enter the value that corresponds to that logical region:
• Enter 0 to configure logical switch 0 (slot 1 through 4).
• Enter 1 to configure logical switch 1 (slot 7 through 10).
4. Issue the switchname command at the command line with the following syntax:
switchname "newname"
where newname is the new name for the switch.
5. Record the new switch name for future reference.
6. For the Core Switch 2/64 and the SAN Director 2/128 configured with two domains, disconnect from the session and repeat the procedure for the second logical switch.
Example:
switch:admin> switchname "switch62"
Committing configuration...
Done.
switch62:admin>

Customizing the chassis name

Beginning with Fabric OS v4.4.0, HP recommends that you customize the chassis name for each switch. Some system logs identify switches by chassis names, so if you assign meaningful chassis names in addition to meaningful switch names, logs are more useful.
To change the chassis name:
1. Connect to the switch and log in as admin.
2. Issue the chassisname command at the command line with the following syntax:
chassisname "newname"
where newname is the new name for the chassis.
Chassis names can be from 1 to 15 characters, must begin with a letter, and can contain letters, numbers, and the underscore character. It is not necessary to use the quotation marks.
3. Record the new chassis name for future reference.

Disabling and enabling a switch

By default, the switch is enabled after power is applied and diagnostics and switch initialization routines have finished. You can disable and reenable it as necessary.
To disable a switch:
1. Connect to the switch and log in as admin.
2. Issue the switchdisable command at the command line.
All Fibre Channel ports on the switch are taken offline. If the switch was part of a fabric, the fabric reconfigures.
To enable a switch:
1. Connect to the switch and log in as admin.
2. Issue the switchenable command at the command line.
All Fibre Channel ports that passed the POST test are enabled. If the switch has interswitch links to a fabric, it joins the fabric.

Disabling and enabling a port

All licensed ports are enabled by default. You can disable and reenable them as necessary. Ports that you activate with Ports on Demand must be enabled explicitly, as described in "Activating Ports on Demand" on page 30.
To disable a port:
1. Connect to the switch and log in as admin.
2. For the SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, and SAN Switch 4/32, issue the following command:
portdisable portnumber
where portnumber is the port number of the port you want to disable.
For the Core Switch 2/64 and the SAN Director 2/128, issue the following command:
portdisable slotnumber/portnumber
where slotnumber and portnumber are the slot and port numbers of the port you want to disable.
If the port is connected to another switch, the fabric might reconfigure.
To enable a port:
1. Connect to the switch and log in as admin.
2. For the SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, and SAN Switch 4/32, issue the following command:
portenable portnumber
The portnumber is the port number of the port you want to enable.
For the Core Switch 2/64 and the SAN Director 2/128, issue the following command:
portenable slotnumber/portnumber
The slotnumber and portnumber are the slot and port numbers of the port you want to enable. (Slots are numbered 1 through 4 and 7 through 10, counting from left to right.)
If the port is connected to another switch, the fabric might reconfigure. If the port is connected to one or more devices, these devices become available to the fabric.
If you change port configurations during a switch failover, the ports might become disabled. Reissue the portenable command after the failover is complete to bring the ports online.

Activating Ports on Demand

The Core Switch 4/32 can be purchased with 16 or 32 licensed ports. As your needs increase, you can activate the remaining ports by purchasing and installing the optional HP StorageWorks 8-port upgrade license.
Ports on Demand is ready to be unlocked in the switch firmware. Its license might be part of the licensed Paper Pack supplied with switch software, or you can purchase the license separately from your switch vendor, who will provide you with a key to unlock it.
By default, ports 0 through 15 are enabled on the SAN Switch 4/32. To enable ports 16 through 23, purchase and install an 8-port upgrade license. To enable ports 24 through 31, purchase and install another 8-port upgrade license. The first license key must be already installed before you can use the second license.
You must enable the ports after you have installed the license keys. You can do so without disrupting switch operation using the portenable command on each port. Alternatively, you can disable and reenable the switch to activate all ports.
To enable an 8-port upgrade license, you can either use the supplied license key or generate a license key. If you need to generate a key, launch an Internet browser and go to the HP licensing web site at http://webkey.external.hp.com/welcome.asp. Click Generate a license key and follow the instructions to generate the key.
To enable Ports on Demand:
1. Connect to the switch and log in as admin.
2. Optional: to verify the states of the ports, use the portshow command.
In the portshow output, the Licensed field shows whether the port is licensed.
3. Install the HP Ports on Demand licensed product.
For instructions, see "Maintaining licensed features" on page 25.
4. Use the portenable command to enable the ports.
5. Optional: use the portshow command to check the newly activated ports.
If you remove an 8-port upgrade license, the licensed ports become disabled after the next platform reboot or the next port deactivation.

Making basic connections

You can make basic connections to devices and to other switches.
Before connecting a v4.0.0 or later switch to a fabric that contains switches running earlier firmware versions, you must first set the same PID format on all the switches. The presence of different PID formats in a fabric causes fabric segmentation.
For information on PID formats and related procedures, see "Selecting a PID format" on page 206.
For information on configuring the routing of connections, see "Routing traffic" on page 99.
For information on configuring extended interswitch connections, see "Administering extended fabrics" on page 107.

Connecting to devices

To minimize port logins, power off all devices before connecting them to the switch. For devices that cannot be powered off, first use the portdisable command to disable the port on the switch, and then connect the device. When powering the devices back on, wait for each device to complete the fabric login before powering on the next one.

Connecting to other switches

Refer to the hardware user’s guide of your specific switch for interswitch link (ISL) connection and cable management information. Table 4 summarizes the standard ISL modes, which you can configure with the portcfglongdistance command. For information on extended ISL modes, which enable longer distance interswitch links, see ”Administering extended fabrics” on page 107.
Table 4 Standard ISL modes
Mode          Description                                           Maximum ISL distance (km)                            Earliest fabric OS release
L0 (note 1)   Level 0 static mode, the default.                     10 km at 1 Gbps; 5 km at 2 Gbps; 2.5 km at 4 Gbps    All
LE            Level E static mode, supports links beyond 5 km.      10 km at 1, 2, or 4 Gbps                             v3.0.0, v4.0.0
1. When you upgrade from Fabric OS v4.0.0 to Fabric OS v4.1.0 or later, all extended ISL ports are set automatically to L0 mode.

Working with domain IDs

Although domain IDs are assigned dynamically when a switch is enabled, you can reset them manually so that you can control the ID number or to resolve a domain ID conflict when you merge fabrics.
If a switch already has a domain ID when it is enabled, and that domain ID conflicts with a switch already in the fabric, the conflict is automatically resolved. The process can take several seconds, during which time traffic is delayed.
The default domain ID for HP StorageWorks switches is 1.
The default domain ID applies to both of the logical switches in Core Switch 2/64 and SAN Director 2/128 switches that are configured for two domains. To prevent domain conflict, you can either disable one of the switches until both are connected to the fabric, then reenable the switches so that unique domain IDs are automatically assigned; or use the procedure ”To set the domain ID:” on page 32 to make the domain IDs unique before connecting the logical switches to the fabric.
CAUTION: On switches running Fabric OS v4.0.0 and later, do not use domain ID 0, which is reserved for another purpose. Using this domain ID can cause the switch to reboot continuously. Avoid changing the domain ID on the FCS in secure mode. To minimize down time, change the domain IDs on the other switches in the secure fabric.
To display domain IDs:
1. Connect to a switch and log in as admin.
2. Issue the fabricshow command.
Fabric information is displayed, including the domain ID (D_ID).
Example:
switch:admin> fabricshow
Switch ID   Worldwide Name           Enet IP Addr    FC IP Addr      Name
-------------------------------------------------------------------------
  3: fffc43 10:00:00:60:69:10:60:1f 192.168.64.187  0.0.0.0         "sw187"
  2: fffc42 10:00:00:60:69:00:05:91 192.168.64.60   192.168.65.60   "sw60"
  1: fffc41 10:00:00:60:69:00:02:0b 192.168.64.180  192.168.65.180 > "sw180"
The Fabric has 3 switches
Group ID  Token
-----------------
  0: fffb01 40:05:00:00:10:00:00:60:69:00:00:15
The fields in the fabricshow display are:
Switch ID        The switch Domain_ID and embedded port D_ID.
Worldwide Name   The switch WWN.
Enet IP Addr     The switch Ethernet IP address.
FC IP Addr       The switch FC IP address.
Name             The switch symbolic name. An arrow (>) indicates the principal switch.

To set the domain ID:

1. Connect to the switch and log in as admin.
2. Issue the switchdisable command to disable the switch.
3. Issue the configure command.
4. Enter y after the Fabric Parameters prompt:
Fabric parameters (yes, y, no, n): [no] y
5. Enter a unique domain ID at the Domain prompt. Use a domain ID value from 1 through 239 for normal operating mode (FCSW compatible). For example:
Domain: (1..239) [1] 3
6. Respond to the remaining prompts (or press Ctrl+d to accept the other settings and exit).
7. Issue the switchenable command to reenable the switch.

Linking through a gateway

A gateway merges SANs into a single fabric by establishing point-to-point E_Port connectivity between two Fibre Channel switches that are separated by a network, using a protocol such as IP or SONET.
Except for link initialization, gateways are transparent to switches; the gateway simply provides E_Port connectivity from one switch to another.
By default, switch ports initialize links using the Exchange Link Parameters (ELP) mode 1. However, gateways expect initialization with ELP mode 2. Therefore, to enable two switches to link through a gateway, the ports on both switches must be set for ELP mode 2.
Any number of E_Ports in a fabric can be configured for gateway links, if these rules are followed:
• All switches in the fabric must be upgraded to Fabric OS v3.1.0 (or later) or v4.1.0 (or later).
• To prevent fabric segmentation, make sure that all switches in the fabric use the core PID format, as described in "To configure a link through a gateway:" on page 33.
• When determining switch count maximums, include the switches connected to both sides of the gateway.
• Extended links (those created using the Extended Fabrics licensed feature) and the security features in Secure Fabric OS are not supported through gateway links.

To configure a link through a gateway:

1. If you are not sure that the PID format is consistent across the entire fabric, issue the configshow command on all switches to check the PID setting. If necessary, change the PID format on any nonconforming switches as described in "Configuring the PID format" on page 203.
2. Connect to the switch on one end of the gateway and log in as admin.
3. Issue the portcfgislmode command:
SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, and SAN Switch 4/32:
portcfgislmode port mode
Specify a port number. Valid values for port number vary, depending on the switch type. The mode operand is required: specify 1 to enable ISL R_RDY mode (gateway link) or specify 0 to disable it.
Core Switch 2/64 and SAN Director 2/128:
portcfgislmode slot/port, mode
Specify a slot/port number pair. Valid values for slot and port number vary depending on the switch type. The mode operand is required: specify 1 to enable ISL R_RDY mode (gateway link) or specify 0 to disable it.
In the following example, slot 2, port 3 is enabled for a gateway link:
switch:admin> portcfgislmode 2/3, 1
Committing configuration...done.
ISL R_RDY Mode is enabled for port 3. Please make sure the PID
formats are consistent across the entire fabric.
switch:admin>
4. Repeat the previous steps for any additional ports to be connected to the gateway.
5. Repeat the procedure on the switch at the other end of the gateway.
Refer to the HP StorageWorks Fabric OS 4.x command reference guide for more information about the portcfgislmode command.

Checking status

You can check the status of switch operation, HA features, and fabric connectivity:
1. Connect to the switch and log in as admin.
2. Issue the switchshow command at the command line.
This command displays a switch summary and a port summary.
3. Verify that the switch and ports are online.
4. Issue the switchstatusshow command to further check the status of the switch.
To verify HA features:
HA features provide maximum reliability and nondisruptive replacement of key hardware and software modules. To verify these features, connect to the switch as admin and use any of the following commands:
chassisshow verifies the Field Replaceable Units (FRUs).
For the Core Switch 2/64 and the SAN Director 2/128:
hashow verifies that HA is enabled, that the heartbeat is up, and that the HA state is synchronized between the active and standby CP cards.
slotshow inventories and displays the current status of each slot in the system.
To verify fabric connectivity:
1. Connect to the switch and log in as admin.
2. Issue the fabricshow command, which displays a summary of all the switches in the fabric.
Example:
switch:admin> fabricshow
Switch ID   Worldwide Name           Enet IP Addr    FC IP Addr      Name
-------------------------------------------------------------------------
  1: fffc01 10:00:00:60:69:80:04:5a 192.168.186.61  192.168.68.193  "switch61"
  3: fffc03 10:00:00:60:69:10:9c:29 192.168.186.175 0.0.0.0         "switch175"
  4: fffc04 10:00:00:60:69:12:14:b7 192.168.174.70  0.0.0.0         "switch70"
  5: fffc05 10:00:00:60:69:45:68:04 192.168.144.121 0.0.0.0         "switch121"
  6: fffc06 10:00:00:60:69:00:54:ea 192.168.174.79  192.168.68.197  "switch79"
  7: fffc07 10:00:00:60:69:80:04:5b 192.168.186.62  192.168.68.194  "switch62"
  8: fffc08 10:00:00:60:69:04:11:22 192.168.186.195 0.0.0.0         "switch195"
  9: fffc09 10:00:00:60:69:10:92:04 192.168.189.197 192.168.68.198  "switch197"
 10: fffc0a 10:00:00:60:69:50:05:47 192.168.189.181 192.168.68.181  "switch181"
 11: fffc0b 10:00:00:60:69:00:54:e9 192.168.174.78  192.168.68.196  "switch78"
 15: fffc0f 10:00:00:60:69:30:1e:16 192.168.174.73  0.0.0.0         "switch73"
 33: fffc21 10:00:00:60:69:90:02:5e 192.168.144.120 0.0.0.0         "switch120"
 44: fffc2c 10:00:00:60:69:c0:06:8d 192.168.144.121 0.0.0.0         "switch121"
 97: fffc61 10:00:00:60:69:90:02:ed 192.168.144.123 0.0.0.0         "switch123"
 98: fffc62 10:00:00:60:69:90:03:32 192.168.144.122 0.0.0.0         "switch122"
The Fabric has 15 switches
switch:admin>
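The fabric summary above can be checked against an inventory of approved switches. The following Python code is an added example, not part of the HP guide: it parses fabricshow output in the layout shown in this section and reports switches whose WWN is not approved, approved switches that are absent, and duplicated Ethernet addresses or names. The approved-WWN list and the function names are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Rows copied from the fabricshow example in this guide (quotes normalised to ASCII).
FABRICSHOW = '''\
Switch ID   Worldwide Name           Enet IP Addr    FC IP Addr      Name
-------------------------------------------------------------------------
  1: fffc01 10:00:00:60:69:80:04:5a 192.168.186.61  192.168.68.193  "switch61"
  3: fffc03 10:00:00:60:69:10:9c:29 192.168.186.175 0.0.0.0         "switch175"
  4: fffc04 10:00:00:60:69:12:14:b7 192.168.174.70  0.0.0.0         "switch70"
  5: fffc05 10:00:00:60:69:45:68:04 192.168.144.121 0.0.0.0         "switch121"
  6: fffc06 10:00:00:60:69:00:54:ea 192.168.174.79  192.168.68.197  "switch79"
  7: fffc07 10:00:00:60:69:80:04:5b 192.168.186.62  192.168.68.194  "switch62"
  8: fffc08 10:00:00:60:69:04:11:22 192.168.186.195 0.0.0.0         "switch195"
  9: fffc09 10:00:00:60:69:10:92:04 192.168.189.197 192.168.68.198  "switch197"
 10: fffc0a 10:00:00:60:69:50:05:47 192.168.189.181 192.168.68.181  "switch181"
 11: fffc0b 10:00:00:60:69:00:54:e9 192.168.174.78  192.168.68.196  "switch78"
 15: fffc0f 10:00:00:60:69:30:1e:16 192.168.174.73  0.0.0.0         "switch73"
 33: fffc21 10:00:00:60:69:90:02:5e 192.168.144.120 0.0.0.0         "switch120"
 44: fffc2c 10:00:00:60:69:c0:06:8d 192.168.144.121 0.0.0.0         "switch121"
 97: fffc61 10:00:00:60:69:90:02:ed 192.168.144.123 0.0.0.0         "switch123"
 98: fffc62 10:00:00:60:69:90:03:32 192.168.144.122 0.0.0.0         "switch122"
The Fabric has 15 switches
'''

# One switch row: domain, switch ID, WWN, two IP addresses, optional ">" and quoted name.
ROW = re.compile(
    r'^\s*(?P<domain>\d+):\s*(?P<sid>[0-9a-f]{6})\s+'
    r'(?P<wwn>(?:[0-9a-f]{2}:){7}[0-9a-f]{2})\s+'
    r'(?P<enet>\d+(?:\.\d+){3})\s+(?P<fcip>\d+(?:\.\d+){3})\s+'
    r'(?P<principal>>?)\s*"(?P<name>[^"]*)"\s*$',
    re.IGNORECASE)
COUNT = re.compile(r'The Fabric has (\d+) switch')


def parse_fabricshow(text):
    """Return (list of switch dicts, switch count declared by the summary line)."""
    switches, declared = [], None
    for line in text.splitlines():
        # Output pasted from documents often carries typographic quotes.
        line = line.replace('\u201c', '"').replace('\u201d', '"')
        m = ROW.match(line)
        if m:
            row = m.groupdict()
            row['domain'] = int(row['domain'])
            row['wwn'] = row['wwn'].lower()
            row['principal'] = row['principal'] == '>'
            switches.append(row)
            continue
        c = COUNT.search(line)
        if c:
            declared = int(c.group(1))
    return switches, declared


def audit_fabric(switches, declared, approved_wwns):
    """Compare parsed fabric membership with an approved inventory (assumed input)."""
    findings = []
    approved = {w.lower() for w in approved_wwns}
    if declared is not None and declared != len(switches):
        findings.append(
            f'count mismatch: parsed {len(switches)} rows, switch reports {declared}')
    for s in switches:
        if s['wwn'] not in approved:
            findings.append(
                f"unapproved switch: domain {s['domain']} wwn {s['wwn']} ({s['name']})")
    for wwn in sorted(approved - {s['wwn'] for s in switches}):
        findings.append(f'approved switch missing from fabric: {wwn}')
    for field in ('enet', 'name'):
        groups = defaultdict(list)
        for s in switches:
            groups[s[field]].append(s['domain'])
        for value, domains in groups.items():
            if len(domains) > 1:
                findings.append(f'duplicate {field} {value}: domains {domains}')
    return findings


if __name__ == '__main__':
    parsed, count = parse_fabricshow(FABRICSHOW)
    # Constructed inventory: everything in the sample except domain 98,
    # plus one placeholder WWN that is not in the fabric.
    inventory = [s['wwn'] for s in parsed if s['domain'] != 98]
    inventory.append('10:00:00:60:69:ff:ff:01')
    for finding in audit_fabric(parsed, count, inventory):
        print(finding)
```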
To verify device connectivity:
1. Connect to the switch and log in as admin.
2. Optional: Issue the switchshow command to verify that devices, hosts, and storage are connected.
3. Optional: Issue the nsshow command to verify that devices, hosts, and storage have successfully registered with the Name Server.
4. Issue the nsallshow command, which displays 24-bit Fibre Channel addresses of all devices in the fabric.
Example:
switch:admin> nsallshow
{
010e00 012fe8 012fef 030500 030b04 030b08 030b17 030b18
030b1e 030b1f 040000 050000 050200 050700 050800 050de8
050def 051700 061c00 071a00 073c00 090d00 0a0200 0a07ca
0a07cb 0a07cc 0a07cd 0a07ce 0a07d1 0a07d2 0a07d3 0a07d4
0a07d5 0a07d6 0a07d9 0a07da 0a07dc 0a07e0 0a07e1 0a0f01
0a0f02 0a0f0f 0a0f10 0a0f1b 0a0f1d 0b2700 0b2e00 0b2fe8
0b2fef 0f0000 0f0226 0f0233 0f02e4 0f02e8 0f02ef 210e00
211700 211fe8 211fef 2c0000 2c0300 611000 6114e8 6114ef
611600 620800 621026 621036 6210e4 6210e8 6210ef 621400
621500 621700 621a00
75 Nx_Ports in the Fabric }
switch:admin>
The number of devices listed should reflect the number of devices that are connected.

Tracking and controlling switch changes

The Track Changes feature allows you to keep a record of specific changes that may not be considered switch events, but can provide useful information. The output from the Track Changes feature is dumped to the system messages log for the switch. Use the errdump or errshow command to view the log.
Items in the log created from the Track Changes feature are labeled TRACK.
Trackable changes are:
Successful login
Unsuccessful login
Logout
Configuration file change from task
Track Changes on
Track Changes off
An SNMP-TRAP mode can also be enabled; refer to the trackchangeshelp command in the HP StorageWorks Fabric OS 4.x command reference guide.
For troubleshooting information on the Track Changes feature, see "Inaccurate information in the system message log" on page 200.
To enable the Track Changes feature:
1. Connect to the switch and log in as admin.
2. Issue the following command to enable the Track Changes feature:
trackchangesset 1
A message appears, verifying that the Track Changes feature is on:
switch:admin> trackchangesset 1
Committing configuration...done.
switch:admin>
The output from the Track Changes feature is dumped to the system message log for the switch. Use the errdump or errshow command to view the log.
Items in the system message log created from the Track Changes feature are labeled TRCK; for example:
2004/08/24-08:45:43, [TRCK-1001], 212,, INFO, ras007, Successful login by user admin.
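Track Changes entries are most useful when something reviews them. The following Python code is an added example, not part of the HP guide: it parses TRCK lines in the format shown above (as copied from errdump or errshow output) and flags bursts of unsuccessful logins, a successful login that follows such a burst, and the Track Changes feature being turned off. Apart from the first sample line, the log lines are constructed, and their message IDs and exact wording are assumptions; the classifier keys on the message text, following the list of trackable changes in this section.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# First line is the example from this guide; the rest are constructed for the demo.
# Message IDs other than TRCK-1001 and the exact message wording are assumptions.
SAMPLE_LOG = """\
2004/08/24-08:45:43, [TRCK-1001], 212,, INFO, ras007, Successful login by user admin.
2004/08/24-08:50:00, [TRCK-1002], 213,, INFO, ras007, Unsuccessful login by user user.
2004/08/24-09:10:02, [TRCK-1002], 214,, INFO, ras007, Unsuccessful login by user admin.
2004/08/24-09:10:09, [TRCK-1002], 215,, INFO, ras007, Unsuccessful login by user admin.
2004/08/24-09:10:21, [TRCK-1002], 216,, INFO, ras007, Unsuccessful login by user admin.
2004/08/24-09:11:40, [TRCK-1001], 217,, INFO, ras007, Successful login by user admin.
2004/08/24-09:12:05, [TRCK-1006], 218,, INFO, ras007, Track-changes off
"""

# timestamp, [message ID], sequence number, flags, severity, switch name, message
LINE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}),\s*\[(?P<id>TRCK-\d+)\],\s*'
    r'(?P<seq>\d+),(?P<flags>[^,]*),\s*(?P<sev>\w+),\s*(?P<switch>[^,]+),\s*(?P<msg>.*)$')

# Classification by message text, one pattern per trackable change.
KINDS = [
    ('login_fail', re.compile(r'^Unsuccessful login by user (?P<user>\S+?)\.?$', re.I)),
    ('login_ok', re.compile(r'^Successful login by user (?P<user>\S+?)\.?$', re.I)),
    ('logout', re.compile(r'^Logout by user (?P<user>\S+?)\.?$', re.I)),
    ('audit_off', re.compile(r'^Track[- ]changes off', re.I)),
    ('audit_on', re.compile(r'^Track[- ]changes on', re.I)),
    ('config', re.compile(r'^Config(uration)? file change', re.I)),
]


def parse_trck(text):
    """Return one event dict per TRCK line; other log lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        kind, user = 'other', None
        for name, pattern in KINDS:
            k = pattern.match(m['msg'].strip())
            if k:
                kind, user = name, k.groupdict().get('user')
                break
        events.append({'ts': datetime.strptime(m['ts'], '%Y/%m/%d-%H:%M:%S'),
                       'switch': m['switch'].strip(), 'kind': kind, 'user': user})
    return events


def detect(events, threshold=3, window=timedelta(minutes=5)):
    """Return alert tuples (rule, switch, user, timestamp) in time order."""
    alerts = []
    failures = defaultdict(deque)      # (switch, user) -> recent failure times
    for ev in sorted(events, key=lambda e: e['ts']):
        key = (ev['switch'], ev['user'])
        if ev['kind'] == 'login_fail':
            q = failures[key]
            q.append(ev['ts'])
            while ev['ts'] - q[0] > window:
                q.popleft()            # drop failures older than the window
            if len(q) == threshold:
                alerts.append(('failed_login_burst', ev['switch'], ev['user'], ev['ts']))
        elif ev['kind'] == 'login_ok':
            q = failures.pop(key, deque())
            recent = sum(1 for t in q if ev['ts'] - t <= window)
            if recent >= threshold:
                alerts.append(('login_after_burst', ev['switch'], ev['user'], ev['ts']))
        elif ev['kind'] == 'audit_off':
            # Logging of further changes stops here, so always report it.
            alerts.append(('track_changes_disabled', ev['switch'], None, ev['ts']))
    return alerts


if __name__ == '__main__':
    for rule, switch, user, ts in detect(parse_trck(SAMPLE_LOG)):
        print(ts.isoformat(), switch, rule, user or '-')
```

The timestamps are only as reliable as the switch clock, which is why the date and time procedures earlier in this chapter matter for log review.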
To display the status of the Track Changes feature:
1. Connect to the switch and log in as admin.
2. Issue the trackchangesshow command.
The status of the Track Changes feature is displayed as either on or off. The display specifies whether the Track Changes feature is configured to send SNMP traps:
switch:admin> trackchangesshow
Track Changes status: ON
Track Changes generate SNMP-TRAP: NO
switch:admin>
To view the switch status policy threshold values:
1. Connect to the switch and log in as admin.
2. Issue the switchstatuspolicyshow command at the command line.
Whenever there is a switch change, an error message is logged and an SNMP connUnitStatusChange trap is sent.
For the SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, and SAN Switch 4/32, the output is similar to the following:
switch:admin> switchstatuspolicyshow
The current overall switch status policy parameters:
Down Marginal
----------------------------------
PowerSupplies 2 1
Temperatures 2 1
Fans 2 1
Flash 0 1
MarginalPorts 5 2
FaultyPorts 2 1
MissingSFPs 2 1
switch:admin>
For the Core Switch 2/64 and the SAN Director 2/128, the output is similar to the following:
switch:admin> switchstatuspolicyshow
The current overall switch status policy parameters:
Down Marginal
----------------------------------
PowerSupplies 3 0
Temperatures 2 1
Fans 2 1
WWN 0 1
CP 0 1
Blade 0 1
Flash 0 1
MarginalPorts 2 1
FaultyPorts 2 1
MissingSFPs 0 0
switch:admin>
The policy parameter determines the number of failed or inoperable units for each contributor that triggers a status change in the switch.
Each parameter can be adjusted so that a specific threshold must be reached before that parameter changes the overall status of a switch to MARGINAL or DOWN. For example, if the FaultyPorts DOWN parameter is set to 3, the status of the switch changes if 3 ports fail. Only one policy parameter needs to pass the MARGINAL or DOWN threshold to change the overall status of the switch.
These parameters determine the status of a switch:
Number of faulty ports
Missing GBICs
Power supply status
Temperature in enclosure
Fan speed
Port status
ISL status
For detailed information about setting policy parameters, refer to the HP StorageWorks Fabric OS 4.x Fabric Watch user guide.
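The threshold rules described above can be exercised offline. The following Python code is an added example, not part of the HP guide: it parses switchstatuspolicyshow output in the layout shown in this section and evaluates a set of failure counts against it, treating a threshold of 0 as unused. The status name HEALTHY, the precedence of DOWN over MARGINAL, and the function names are assumptions made for the illustration.

```python
import re

# Output copied from the switchstatuspolicyshow example in this guide.
POLICY_OUTPUT = """\
The current overall switch status policy parameters:
                Down    Marginal
----------------------------------
PowerSupplies   2       1
Temperatures    2       1
Fans            2       1
Flash           0       1
MarginalPorts   5       2
FaultyPorts     2       1
MissingSFPs     2       1
"""

# A policy row is a contributor name followed by the DOWN and MARGINAL thresholds.
ROW = re.compile(r'^\s*([A-Za-z]+)\s+(\d+)\s+(\d+)\s*$')


def parse_policy(text):
    """Return {contributor: (down_threshold, marginal_threshold)}."""
    policy = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            policy[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return policy


def evaluate(policy, bad_counts):
    """Return (status, contributors that triggered it) for the given failure counts."""
    down, marginal = [], []
    for name, (down_at, marginal_at) in policy.items():
        count = bad_counts.get(name, 0)
        # A threshold of 0 means the value is not used in the calculation.
        if down_at and count >= down_at:
            down.append(name)
        elif marginal_at and count >= marginal_at:
            marginal.append(name)
    # One contributor past a threshold is enough; DOWN is assumed to outrank MARGINAL.
    if down:
        return 'DOWN', down
    if marginal:
        return 'MARGINAL', marginal
    return 'HEALTHY', []


def ignored_contributors(policy):
    """Contributors set to 0,0, which no longer affect the overall status."""
    return [name for name, (d, m) in policy.items() if d == 0 and m == 0]


if __name__ == '__main__':
    policy = parse_policy(POLICY_OUTPUT)
    print(evaluate(policy, {'FaultyPorts': 1}))
    print(evaluate(policy, {'FaultyPorts': 2, 'Fans': 1}))
    print(ignored_contributors(policy))
```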
To set the switch status policy threshold values:
1. Connect to the switch and log in as admin.
2. Issue the switchstatuspolicyset command.
First, the current switch status policy parameter values are displayed. Then, you are prompted to enter values for each DOWN and MARGINAL threshold parameter:
3. Verify the threshold settings you have configured for each parameter.
4. Issue the switchstatuspolicyshow command to view your current switch status policy configuration.
NOTE: By setting the DOWN and MARGINAL value for a parameter to 0,0 that parameter is no longer used in setting the overall status for the switch.
For the SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, and SAN Switch 4/32, the following example shows the command as executed on a SAN Switch 2/32. The output is similar on the SAN Switch 2/8V, SAN Switch 2/16V, and SAN Switch 4/32:
switch:admin> switchstatuspolicyset
To change the overall switch status policy parameters
The current overall switch status policy parameters:
                Down    Marginal
----------------------------------
FaultyPorts     2       1
MissingSFPs     0       0
PowerSupplies   2       1
Temperatures    2       1
Fans            2       1
PortStatus      0       0
ISLStatus       0       0
Note that the value, 0, for a parameter, means that it is
NOT used in the calculation.
** In addition, if the range of settable values in the prompt is (0..0),
** the policy parameter is NOT applicable to the switch.
** Simply hit the Return key.
The minimum number of
FaultyPorts contributing to DOWN status: (0..32) [2] 3
FaultyPorts contributing to MARGINAL status: (0..32) [1] 2
MissingSFPs contributing to DOWN status: (0..32) [0]
MissingSFPs contributing to MARGINAL status: (0..32) [0]
Bad PowerSupplies contributing to DOWN status: (0..2) [2]
Bad PowerSupplies contributing to MARGINAL status: (0..2) [1]
Bad Temperatures contributing to DOWN status: (0..5) [2]
Bad Temperatures contributing to MARGINAL status: (0..5) [1]
Bad Fans contributing to DOWN status: (0..6) [2]
Bad Fans contributing to MARGINAL status: (0..6) [1]
Down PortStatus contributing to DOWN status: (0..32) [0]
Down PortStatus contributing to MARGINAL status: (0..32) [0]
down ISLStatus contributing to DOWN status: (0..32) [0]
down ISLStatus contributing to MARGINAL status: (0..32) [0]
Policy parameter set has been changed
For the Core Switch 2/64 and the SAN Director 2/128, the command output includes parameters related to CP cards.

3 Configuring standard security features

This chapter provides information and procedures for standard Fabric OS security features. Standard Fabric OS features include account and password management. Additional security is available when secure mode is enabled. For information about licensed security features available in Secure Fabric OS, refer to the HP StorageWorks Secure Fabric OS user guide.
This chapter contains the following sections:
Ensuring network security
Configuring the telnet interface
Blocking listeners
Accessing switches and fabrics
Creating and maintaining user-defined accounts
Changing an account password
Setting up RADIUS AAA service
Configuring for the SSL protocol
Configuring for SNMP
Configuring secure file copy
Setting the boot PROM password
Recovering forgotten passwords

Ensuring network security

To ensure security, Fabric OS supports secure shell (SSH) encrypted sessions. SSH encrypts all messages, including the client’s transmission of the password during login. The SSH package contains a daemon (sshd), which runs on the switch. The daemon supports a wide variety of encryption algorithms such as Blowfish-CBC and AES.
NOTE: To maintain a secure network, you should avoid using telnet or any other unprotected application when you are working on the switch. For example, if you use telnet to connect to a machine, then start an SSH or secure telnet session from that machine to the switch, the communication to the switch is in clear text, and therefore is not secure.
The FTP protocol is also not secure. When you use FTP to copy files to or from the switch, the contents are in clear text. This includes the remote FTP server's login and password. This limitation affects the following commands: savecore, configupload, configdownload, and firmwaredownload.
Commands that require a secure login channel must be issued from an original SSH session. If you start an SSH session and then use the login command to start a nested SSH session, commands that require a secure channel are rejected.
Fabric OS v4.4.0 and later supports SSH protocol v2.0 (ssh2). For more information on SSH, see the SSH IETF web site: http://www.ietf.org/ids.by.wg/secsh.html
Refer to SSH, The Secure Shell: The Definitive Guide, by Daniel J. Barrett and Richard Silverman, published by O’Reilly.
Fabric OS v4.4.0 comes with the SSH server preinstalled; however, you must select and install the SSH client. For information on installing and configuring the F-Secure SSH client, see the web site:
http://www.f-secure.com

Configuring the telnet interface

Telnet is enabled by default. To prevent users from passing clear text passwords over the network when they connect to the switch, you can disable the telnet interface.
NOTE: Before disabling the telnet interface, make sure that you have installed SSH, or some other secure means of establishing a connection with the switch.

To disable telnet:

1. Connect to the switch and log in as admin.
HP recommends that you connect through some other means than telnet; for example, through SSH.
2. Enter the following command:
configure telnetd
3. In response to the System Services prompt, enter y.
4. In response to the telnetd prompt, enter off.
The telnet interface is disabled. If you entered the command during a standard telnet session, the session terminates.
Example:
switch:admin> configure telnetd
Not all options will be available on an enabled switch.
To disable the switch, use the “switchDisable” command.
Configure...
  ssl attributes (yes, y, no, n): [no]
  http attributes (yes, y, no, n): [no]
  snmp attributes (yes, y, no, n): [no]
  rpcd attributes (yes, y, no, n): [no]
  cfgload attributes (yes, y, no, n): [no]
[31454]: Read 1 license entries for generation 1.
[31454]: Read 1 license records.
  System services (yes, y, no, n): [no] y
    rstatd (on, off): [off]
    rusersd (on, off): [off]
    telnetd (on, off): [on] off

To enable telnet:

1. Connect to the switch through a means other than telnet (for example, SSH) and log in as admin.
2. Issue the following command:
configure telnetd
3. In response to the System Services prompt, enter y.
4. In response to the telnetd prompt, enter on.
The telnet interface is enabled.

Blocking listeners

HP StorageWorks switches block Linux® subsystem listener applications that are not used to implement supported features and capabilities. Table 5 lists the listener applications that HP StorageWorks switches either block or do not start.

Table 5 Blocked listener applications

Listener application   Core Switch 2/64 and SAN Director 2/128   SAN switches 2/8V, 2/16V, 2/32, 4/32
chargen                Do not start                              Do not start
echo                   Do not start                              Do not start
daytime                Do not start                              Do not start
discard                Do not start                              Do not start
ftp                    Do not start                              Do not start
rexec                  Block with packet filter                  Do not start
rsh                    Block with packet filter                  Do not start
rlogin                 Block with packet filter                  Do not start
time                   Block with packet filter                  Do not start
rstats                 Do not start                              Do not start
rusers                 Do not start                              Do not start

Accessing switches and fabrics

Table 6 lists the defaults for accessing hosts, devices, switches, and zones.

Table 6 Access details

Area            Description
Hosts           Any host can access the fabric by SNMP.
                Any host can telnet to any switch in the fabric.
                Any host can establish an HTTP connection to any switch in the fabric.
                Any host can establish an API connection to any switch in the fabric.
Devices         All devices can access the management server.
                Any device can connect to any FC port in the fabric.
Switch Access   Any switch can join the fabric.
                All switches in the fabric can be accessed through serial port.
Zoning          Node WWNs can be used for WWN-based zoning.

Creating and maintaining user-defined accounts

In addition to the default administrative and user accounts, Fabric OS supports up to 15 user-defined accounts in each logical switch (domain). These accounts expand your ability to track account access and audit administrative activities.
User-defined accounts can be specified as either admin or user level. Admin-level accounts allow up to two simultaneous login sessions. User-level accounts allow up to four simultaneous login sessions. The total number of simultaneous login sessions allowed per logical switch is 15.
You can change passwords on user-defined accounts as described in “Changing an account password” on page 45.
If the Track Changes feature is enabled, the system keeps track of account names and login attempts. (See “Tracking and controlling switch changes” on page 35 for details on enabling the Track Changes feature.)
For large enterprises, Fabric OS also supports RADIUS services, as described in “Setting up RADIUS AAA service” on page 46.
The following procedures are for operations you can perform on user-defined accounts.
The default administrative account is called admin.
NOTE: If you are operating in secure mode, you can perform these operations only on the primary FCS switch.

To display account information

1. Connect to the switch and log in as admin.
2. Issue one of the following commands:
userConfig --show -a to show all account information for a logical switch.
userConfig --show -b to show all backup account information for a logical switch.
userConfig --show name to show account information for the specified account name.
Accounts with the admin role can display information about all accounts on the logical switch. Accounts with the user role can display only information about themselves.

To create a user-defined account

1. Connect to the switch and log in as admin.
2. Issue the following command:
userConfig --add username -r rolename [-d description]
where:
username         Specifies the account name, which must begin with an alphabetic character. The name can be from 8 to 40 characters. It is case sensitive and can contain alphabetic and numeric characters, the dot (.), and the underscore ( _ ). It must be different from all other account names on the logical switch.
-r rolename      Specifies the role: either admin or user in nonsecure mode; admin, user, or nonfcsadmin in secure mode.
-d description   Optionally, adds a description to the account. The description field can be up to 40 printable ASCII characters long. The following characters are not allowed: asterisk (*), quotation mark ("), exclamation point (!), semi-colon (;), and colon (:).
3. In response to the prompt, enter a password for the account.
The password is not displayed when you enter it on the command line.
Accounts with the admin role can create accounts. Accounts with the user role cannot.

To delete a user-defined account

1. Connect to the switch and log in as admin.
2. Issue the following command:
userConfig --delete username
where:
username         Specifies the account name. You cannot delete the default accounts. An account cannot delete itself. All active CLI sessions for the deleted account are logged out.
3. At the prompt for confirmation, enter y.
Accounts with the admin role can delete user-defined accounts on the logical switch. Accounts with the user role cannot.

To change account parameters

1. Connect to the switch and log in as admin.
2. Enter the following command:
userConfig --change username [-r rolename] [-d description] [-e yes | no]
where:
username         An option that changes the account attribute for username. The account must already exist.
-r rolename      An option that changes the role: either admin or user in nonsecure mode; admin, user, or nonfcsadmin in secure mode.
                 An account cannot change its own role.
                 You can only change the role name of a user-defined account with a lower level of authorization.
-d description   An option: the account description. The description field can be up to 40 printable ASCII characters long. The following characters are not allowed: asterisk (*), quotation mark ("), exclamation point (!), semi-colon (;), and colon (:).
                 You can only change the description of a user-defined account with a lower level of authorization.
-e               Optionally, enter yes to enable the account or enter no to disable it. If you disable an account, all active CLI sessions for that account are logged out. You can enable or disable user-defined or default accounts.
Accounts with the admin role can change information for accounts that have lesser permissions. Accounts with the user role cannot.

To recover user-defined accounts

If a backup account exists (in secure mode), you can recover it with the following command:
userConfig --recover
The following conditions apply to recovering user accounts:
Only accounts with admin or higher roles can recover accounts.
The attributes in the backup database replace the attributes in the current account database.
An event is stored in the system message log indicating that accounts have been recovered.

Changing an account password

At each level of account access, you can change passwords for that account and accounts that have lesser privileges.
If you log in to a user account, you can only change that account’s password.
If you log in to an admin account, you can change admin and user passwords. You must provide the old password when the account being changed has the same or higher privileges than the current login account. For example, when logged in as admin, you need admin passwords to change passwords for admin accounts (except when you change the default user account password at login), but you do not need user passwords to change passwords for user accounts.
A new password must have at least one character different than the old password. The following rules also apply to passwords:
You cannot change passwords using SNMP.
Password prompting is disabled when security mode is enabled.
Starting with Fabric OS v4.4.0, admin level accounts can use Web Tools to change passwords.
Starting with Fabric OS v3.2.0, you cannot change default account names.
For information on password behavior when you upgrade (or downgrade) firmware, see “Effects of firmware changes on accounts and passwords” on page 80.

To change the password for the current login account:

1. Connect to the switch and log in as either admin or user.
2. Issue the following command:
passwd
3. Enter the requested information at the prompts.

To change the password for a different account:

1. Connect to the switch and log in as admin.
2. Issue the following command:
passwd name
where name is the name of the account.
3. Enter the requested information at the prompts.
If the named account has lesser privileges than the current account, the old password is not required. If the named account has equal or higher privileges than the current account, you are prompted to enter the old password.

Setting up RADIUS AAA service

Fabric OS v3.2 and v4.4 support Remote Authentication Dial-in User Service (RADIUS) authentication, authorization, and accounting (AAA). When it is configured for RADIUS, the switch becomes a RADIUS client. In this configuration, authentication records are stored in the RADIUS host server database.
The RADIUS service supports accounting request and response packets so that accounting records can be centralized on the RADIUS server. The login account name, assigned role, password, and time accounting records are stored on the RADIUS server for each user.
By default, RADIUS service is disabled, so AAA services default to the switch local database.
To enable RADIUS service, access the CLI through an SSH connection so that the shared secret is protected. Multiple login sessions can change the configuration simultaneously, and the last session to apply a change leaves its configuration in effect. After a configuration is applied, it persists after a reboot or an HA failover.
The configuration is chassis-based, so it applies to all logical switches (domains) on the switch and replicates itself on a standby CP card, if one is present. It is saved in a configuration upload and applied in a configuration download.
Configure at least two RADIUS servers so that if one fails, the other assumes service. You can set the configuration with both RADIUS service and local authentication enabled so that if none of the RADIUS servers respond (because of power failure or network problems), the switch uses local authentication.
Consider the following effects of the use of RADIUS service on other Fabric OS features:
When RADIUS service is enabled, all account passwords must be managed on the RADIUS server. The Fabric OS mechanisms for changing switch passwords remain functional; however, such changes affect only the involved switches locally. They do not propagate to the RADIUS server, nor do they affect any account on the RADIUS server.
When RADIUS is set up for a fabric that contains a mix of switches running v4.4.0 and v3.2.0 or earlier, the way a switch authenticates users depends on whether a RADIUS server is set up for that switch. For a switch with RADIUS support and configuration, authentication bypasses the local password database. For a switch without RADIUS support or configuration, authentication uses the switch’s local account names and passwords.
When Secure Fabric OS secure mode is enabled, the following items apply:
• Account passwords are distributed among all switches in the same fabric. An account that resides on several switches has the same password on all of them. This model applies with RADIUS integration; however, such distribution affects only the switch’s local password database.
• There are separate admin and nonfcsadmin roles in secure mode. A nonfcsadmin account on a RADIUS server cannot access FCS switches, even if the account is properly authenticated.
• If a nonfcsadmin account on a RADIUS server logs in to a switch in nonsecure mode, the switch treats the role like the admin role, and grants the access.
The following items apply to Advanced Web Tools:
• Advanced Web Tools client and server keep a session open after a user is authenticated. A password change on a switch invalidates an open session and requires the user to log in again. When integrated with RADIUS, a switch password change on the RADIUS server does not invalidate an existing open session, although a password change on the local switch does.
• If you cannot log in because of a RADIUS server connection problem, Advanced Web Tools displays a message indicating server outage.
The following items apply to API:
• When an older version of the API host library authenticates against a switch with RADIUS support, the host performs the login. However, the old host library does not recognize the role returned from the switch, which can result in the host displaying an incorrect read or write attribute for an account. The switch library performs the permission check again for individual API function calls.
• API provides functions for RADIUS configuration that share the behavior of the aaaConfig CLI command.
The following items apply to both Advanced Web Tools and API:
• Users can log in using account names and passwords configured on the RADIUS server and gain access with the switch roles defined there.
• Users can log in through API using account names and passwords configured on the RADIUS server and gain access with the switch roles defined there.
• When a proxy switch is used, the switch-side component performs authentication on the proxy switch, rather than on the destination switch. Therefore, to use RADIUS in this environment, you must configure RADIUS on the proxy switch.

Configuring the RADIUS server

You must know the switch IP address or name to connect to switches. Use the ipaddrshow command to display a switch IP address.
For the Core Switch 2/64 and the SAN Director 2/128 (chassis-based systems), the switch IP addresses are aliases of the physical Ethernet interfaces on the CP cards. When specifying client IP addresses for the logical switches in such systems, make sure that the CP card IP addresses are used. For accessing both the active and standby CP card, and for the purpose of HA failover, both of the CP card IP addresses should be included in the RADIUS server configuration.
User accounts should be set up by their true network-wide identity, rather than by the account names created on a Fabric OS switch. Along with each account name, the administrator should assign appropriate switch access roles. To manage a nonsecure fabric, these roles can be user or admin. To manage a secure fabric, these roles can be user, admin, or nonfcsadmin.
When they log in to a switch configured with RADIUS, users enter their assigned RADIUS account names and passwords at the prompt. After the RADIUS server authenticates a user, it responds with the assigned switch role in an HP Vendor-Specific Attribute (VSA), as defined in the RFC. An Authentication-Accept response without such a VSA role assignment automatically assigns the user role.
The following sections describe how to configure a RADIUS server to support HP clients under different operating systems.
Windows 2000
Use these procedures to add a client to the RADIUS server and create remote access policies for Fabric OS user and admin roles.
To add a RADIUS client:
1. From the Windows Start menu, select Programs > Administrative Tools > Internet Authentication Service to bring up the Internet Authentication Service window.
2. In the Internet Authentication Service window, right-click the RADIUS Clients folder and select New RADIUS Client.
3. In the New RADIUS Client window:
• In the Friendly name space, enter a name for the switch that allows you to identify it easily.
• In the Client Address (IP or DNS) space, enter the IP address of the switch.
4. Click Next.
5. In the next window, enter and confirm the shared secret in the spaces provided. Make sure the shared secret matches that configured on the switch (as described in “To add a RADIUS server to the switch configuration:” on page 52).
6. Click Finish.
The new client friendly name appears in the list of clients. Should you need to change the shared secret, right-click the client, select Properties, and change the secret in the properties window.
To create user and admin remote access policies:
1. From the Windows Start menu, select Programs > Administrative Tools > Internet Authentication Service to bring up the Internet Authentication Service window.
2. If you do not already have Windows groups set up, use standard Windows procedures to set up a Windows group of login names assigned to the user role and another Windows group of login names assigned to the admin role.
3. Right-click the Remote Access Policies icon folder and select New Remote Access Policy.
4. In the New Remote Access Policy Wizard window, click Next.
5. In the Set Up a Custom Policy window:
a. Select the Custom policy radio button.
b. Enter a policy name for the user role (for example, HP User) in the space provided.
c. Click Next.
6. In the Select Attribute window, select Windows-Groups and click Add.
7. In the Select Groups window:
a. Enter the name of the Windows group that contains login names assigned to the user role.
b. Click Check Names.
When the system finds the Windows group, it underlines the name.
8. Click OK.
9. In the Group window, check that the Windows group is listed, and click OK.
10. In the Policy Conditions window, check that the policy name is listed (for example, HP User) and click Next.
11. In the Permissions window, select the Grant remote access permission radio button, and click Next.
12. In the Profile window, click Edit Profile.
13. In the Edit Dial-in Profile window, click the Authentication tab.
14. In the Authentication tab:
• Uncheck these check boxes:
• Microsoft Encryption (MSCHAPv2)
• Microsoft Encryption (MSCHAP)
• Check these check boxes:
• Encrypted Authentication (CHAP)
• Unencrypted Authentication (PAP, SPAP)
15. Select the Advanced tab.
16. In the Advanced tab, click Add.
17. In the Add Attributes window, select Vendor-specific and click Add.
18. In the Multivalued Attribute Information window, click Add.
19. In the Vendor-Specific Attribute Information window:
a. Select the Enter Vendor Code radio button and enter 1588 in the space provided.
b. Select the Yes. It conforms. radio button.
c. Click Configure Attribute.
20. In the Configure VSA (RFC Compliant) window, enter the following information in the spaces provided:
a. Vendor-Assigned Attribute Number: 1
b. Attribute Format: string
c. Attribute Value: user
21. Click OK.
22. Click OK or Close in each window until you reach the New Remote Access Policy Wizard.
23. Click Next.
24. Click Finish.
25. Repeat the procedure to set the admin remote access policy, with these differences:
• In step 5, enter a policy name for the admin role (for example, HP Admin) in the space provided.
• In step 7, enter the name of the Windows group that contains login names assigned to the admin role.
• In step 20, enter admin in the Attribute Value space.
Linux
Use the following procedure on a Linux FreeRADIUS server to:
Set up a vendor dictionary file and include it in the system dictionary file.
Identify a switch as a RADIUS client.
Set up user accounts and roles.
Test the configuration.
1. Log in to the server and change directory to the RADIUS configuration file directory. Typically, this directory is located at /usr/local/etc/raddb.
2. Use a text editor to create a vendor dictionary file called dictionary.brocade and enter the following lines into the file:
#
# dictionary.brocade
#
VENDOR Brocade 1588
#
# attributes
#
ATTRIBUTE Brocade-Auth-Role 1 string Brocade
3. Save dictionary.brocade.
4. Open the system dictionary file in a text editor and add this line:
$INCLUDE dictionary.brocade
The dictionary file is located in the RADIUS configuration directory.
5. Save the dictionary file.
6. Open the client.config file in a text editor and add the switches that are to be configured as RADIUS clients. For example, to configure the switch at IP address 10.32.170.59 as a client:
client 10.32.170.59
    secret = Secret
    shortname = Testing Switch
    nastype = other
The client.config file is located in the RADIUS configuration directory.
In this example, the switch name is Testing Switch and its shared secret is Secret. Make sure that the shared secret matches that configured on the switch (see “To add a RADIUS server to the switch configuration:” on page 52).
7. Save client.config.
8. Open the user file in a text editor and add user names and roles for users who will be accessing the switch. For example, to set up an account called JohnDoe with the admin role:
JohnDoe Auth-Type := Local, User-Password == "johnPassword"
        Brocade-Auth-Role = "admin"
The user file is located in the RADIUS configuration directory.
9. Save the user file.
10. Enter this command to start the RADIUS server:
/usr/local/sbin/radiusd
11. Log in to a client switch and use the aaaconfig command to configure it as a client and enable RADIUS service, as described in “To add a RADIUS server to the switch configuration:” on page 52 and “To enable or disable RADIUS service:” on page 52.
12. Log out.
When you log in to the switch again, RADIUS service is in force.
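The following Python sketch is an added example, not code from HP, Brocade, or FreeRADIUS. It shows how the role string configured in the procedures above (vendor code 1588, vendor-assigned attribute number 1) is laid out inside a RADIUS Vendor-Specific Attribute (type 26, RFC 2865) and how it can be read back, with the fallback to the user role when no role VSA is present. The function names and the sample attribute bytes are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26       # RADIUS attribute type that carries VSAs (RFC 2865)
BROCADE_VENDOR_ID = 1588   # vendor code entered in the procedures above
AUTH_ROLE_SUBTYPE = 1      # vendor-assigned attribute number from the procedures
DEFAULT_ROLE = "user"      # role assigned when the accept carries no role VSA


def encode_attr(attr_type, value):
    """Encode one attribute as type, length (header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def encode_role_vsa(role, vendor_id=BROCADE_VENDOR_ID):
    """Build the RFC-format VSA: 4-byte vendor id, then sub-type/length/string."""
    text = role.encode("ascii")
    sub = bytes([AUTH_ROLE_SUBTYPE, len(text) + 2]) + text
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def iter_attrs(blob):
    """Yield (type, value) pairs; reject truncated or malformed attributes."""
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("bad attribute length")
        yield attr_type, blob[pos + 2:pos + length]
        pos += length


def role_from_access_accept(attrs):
    """Return the switch role carried in an accept's attribute block."""
    for attr_type, value in iter_attrs(attrs):
        if attr_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        (vendor_id,) = struct.unpack("!I", value[:4])
        if vendor_id != BROCADE_VENDOR_ID:
            continue  # another vendor's VSA says nothing about the switch role
        # Sub-attributes inside the VSA use the same type/length/value layout.
        for sub_type, sub_value in iter_attrs(value[4:]):
            if sub_type == AUTH_ROLE_SUBTYPE:
                return sub_value.decode("ascii")
    return DEFAULT_ROLE


# Constructed sample attribute blocks (not captured traffic).
REPLY_MESSAGE = encode_attr(18, b"welcome")                 # unrelated attribute
OTHER_VENDOR = encode_role_vsa("admin", vendor_id=99999)    # made-up vendor id
ACCEPT_ADMIN = REPLY_MESSAGE + encode_role_vsa("admin")
ACCEPT_NO_ROLE = REPLY_MESSAGE + OTHER_VENDOR

if __name__ == "__main__":
    for label, blob in (("admin VSA", ACCEPT_ADMIN), ("no role VSA", ACCEPT_NO_ROLE)):
        print(label, blob.hex(), "->", role_from_access_accept(blob))
```

The second sample shows why a missing or misnumbered VSA on the server is easy to overlook: the login still succeeds, but with the user role.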

Configuring the switch

The following procedures show how to use the aaaconfig command to set up a switch for RADIUS service.
To display the current RADIUS configuration
1. Connect to the switch and log in as admin.
2. Enter this command:
switch:admin> aaaConfig --show
If a configuration exists, its parameters are displayed. If RADIUS service is not configured, only the parameter heading line is displayed. Parameters include:
Position         The order in which servers are contacted to provide service
Server           The server names or IP addresses
Port             The server ports
Secret           The shared secrets
Timeouts         The length of time servers have to respond before the next server is contacted
Authentication   The type of authentication being used on servers
To add a RADIUS server to the switch configuration:
1. Connect to the switch and log in as admin.
2. Enter this command:
switch:admin> aaaConfig --add server [-p port] [-s secret] [-t timeout] [-a pap | chap]
where:
server          Enter either a server name or IP address. Avoid duplicating server listings (that is, listing the same server once by name and again by IP address). Up to five servers can be added to the configuration.
-p port         Optional: enter a server port. The default is port 1812.
-s secret       Optional: enter a shared secret. The default is sharedsecret. Secrets can be from 8 to 40 alphanumeric characters long. Make sure that the secret matches that configured on the server.
-t timeout      Optional: enter the time (in seconds) the server has to respond before the next server is contacted. The default is three seconds. Timeout values can range from 1 to 30 seconds.
-a pap | chap   Optional: specify that the PAP protocol be used instead of the CHAP protocol for packets traveling between the switch and the server.
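Why the -s secret matters when PAP is selected, as an added example (not HP or Brocade code) that assumes the standard RFC 2865 User-Password encoding: the password in the request is masked only with MD5 over the shared secret and the request authenticator, so any party holding the secret can reverse it. The check_secret helper applies the length and character rules stated above and flags the documented default; all function names and sample values are constructed.

```python
import hashlib

DEFAULT_SECRET = "sharedsecret"   # documented default for -s


def check_secret(secret):
    """Return findings for a candidate shared secret, per the rules above."""
    findings = []
    if secret == DEFAULT_SECRET:
        findings.append("default secret")
    if not 8 <= len(secret) <= 40:
        findings.append("length outside 8-40")
    if not (secret.isascii() and secret.isalnum()):
        findings.append("non-alphanumeric character")
    return findings


def _mask(secret, prev):
    """One 16-byte mask: MD5 over the shared secret and the previous block."""
    return hashlib.md5(secret + prev).digest()


def hide_password(password, secret, authenticator):
    """Client side: RFC 2865 section 5.2 hiding of the PAP User-Password."""
    if len(authenticator) != 16:
        raise ValueError("request authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = _mask(secret, prev)
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block   # each mask chains on the previous hidden block
    return hidden


def unhide_password(hidden, secret, authenticator):
    """Server side: reverse the hiding with the server's copy of the secret."""
    if not hidden or len(hidden) % 16 or len(authenticator) != 16:
        raise ValueError("malformed User-Password or authenticator")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += bytes(c ^ m for c, m in zip(block, _mask(secret, prev)))
        prev = block
    return clear.rstrip(b"\x00")


# Constructed sample values; the authenticator is random per request in practice.
SAMPLE_AUTHENTICATOR = bytes(range(16))
SAMPLE_PASSWORD = b"johnPassword"

if __name__ == "__main__":
    for secret in ("sharedsecret", "Secret", "Fabric0sRadius2005"):
        print(secret, "->", check_secret(secret) or "ok")
    hidden = hide_password(SAMPLE_PASSWORD, b"Fabric0sRadius2005", SAMPLE_AUTHENTICATOR)
    print(hidden.hex())
    print(unhide_password(hidden, b"Fabric0sRadius2005", SAMPLE_AUTHENTICATOR))
```

Note that the six-character value Secret used in the FreeRADIUS example falls below the 8-character minimum stated for -s, so a production secret has to be chosen to satisfy both sides.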
To enable or disable RADIUS service:
1. Connect to the switch and log in as admin.
2. Issue the following command:
switch:admin> aaaConfig --radius on | off
Specifying on enables the service; specifying off disables it.
At least one RADIUS server must be configured before you can enable RADIUS service.
If no RADIUS configuration exists, turning it on triggers an error message. When the command succeeds, the event log indicates that the configuration is enabled or disabled.
To delete a RADIUS server from the configuration:
1. Connect to the switch and log in as admin.
2. Issue the following command:
switch:admin> aaaConfig --remove server | all
where:
server   Servers are listed by either name or IP address. Enter either the name or IP address of the server to be removed.
all      Enter this keyword to remove all servers. If RADIUS service is enabled, this removes all but the server in the first position. If RADIUS service is disabled, all servers are removed.
3. At the prompt, enter y to complete the command.
When the command succeeds, the event log indicates that the server is removed.
To change a RADIUS server configuration:
1. Connect to the switch and log in as admin.
2. Issue the following command:
switch:admin> aaaConfig --change server [-p port] [-s secret] [-t timeout] [-a pap | chap]
where:
server          Servers are listed by either name or IP address. Enter either the name or IP address of the server to be changed.
-p port         Optional: enter a server port.
-s secret       Optional: enter a shared secret.
-t timeout      Optional: enter the length of time (in seconds) the server has to respond before the next server is contacted.
-a pap | chap   Optional: specify that the PAP protocol be used instead of the CHAP protocol for packets traveling between the switch and the server.
To change the order in which RADIUS servers are contacted for service:
1. Connect to the switch and log in as admin.
2. Issue the following command:
switch:admin> aaaConfig --move server to_position
where:
server        Servers are listed by either name or IP address. Enter either the name or IP address of the server whose position is to be changed.
to_position   Enter the position number to which the server is to be moved.
When the command succeeds, the event log indicates that a server configuration changed.

Enabling and disabling local authentication

It is useful to enable local authentication so that the switch can take over authentication locally if the RADIUS servers fail to respond because of power outage or network problems. To enable or disable local authentication, issue the following command:
switch:admin> aaaConfig --switchdb on | off
Specifying on enables local authentication; specifying off disables it.
When local authentication is enabled and RADIUS servers fail to respond, you can log in to the default switch accounts (admin and user) or any user-defined account. You must know the passwords of these accounts.
RADIUS authentication must be enabled when local database authentication is turned off from the on state; otherwise, an error is returned.
Because local database authentication may be automatically disabled or enabled when enabling or disabling RADIUS authentication, you should set the local database authentication explicitly to enabled or disabled after setting the desired RADIUS authentication configuration.
When the command succeeds, the event log indicates that local database authentication is disabled or enabled.

Configuring for the SSL protocol

Fabric OS v4.4.0 and later supports secure sockets layer (SSL) protocol, which provides secure access to a fabric through web-based management tools like Advanced Web Tools. SSL support is a standard Fabric OS feature; it is independent of Secure Fabric OS, which requires a license and separate certification.
Switches configured for SSL grant access to management tools through hypertext transfer protocol-secure links (which begin with https://) instead of standard links (which begin with http://).
SSL uses public key infrastructure (PKI) encryption to protect data transferred over SSL connections. PKI is based on digital certificates obtained from an Internet Certificate Authority (CA), which acts as the trusted key agent.
Certificates are based on the switch IP address or fully qualified domain name (FQDN), depending on the issuing CA. If you change a switch IP address or FQDN after activating an associated certificate, you might have to obtain and install a new certificate. Check with the CA to verify this possibility, and plan these types of changes accordingly.

Browser and Java™ support

Fabric OS supports the following Web browsers for SSL connections:
Internet Explorer (Microsoft Windows)
Mozilla (Solaris and Redhat Linux)
In countries that allow the use of 128-bit encryption, you should use the latest version of your browser. For example, Internet Explorer 6.0 and later supports 128-bit encryption by default. You can display the encryption support (called “cipher strength”) using the Internet Explorer Help:About menu option. If you are running an earlier version of Internet Explorer, you might be able to download an encryption patch from the Microsoft Web site at http://www.microsoft.com.
You should upgrade to the Java 1.4.2_03 Plug-in on your management workstation. To find the Java version that is currently running, open the Java console and look at the first line of the window.
For more details on levels of browser and Java support, refer to the HP StorageWorks Fabric OS 4.x Advanced Web Tools user guide.

Summary of SSL procedures

You configure for SSL by obtaining, installing, and activating digital certificates for SSL support. Certificates are required on all switches that are to be accessed through SSL.
You also need to install a certificate to the Java Plug-in on the management workstation, and you might need to add a certificate to your Web browser.
Configuring for SSL involves these major steps, which are shown in detail in the next sections:
1. Choose a CA.
2. On each switch:
a. Generate a public/private key (seccertutil genkey command).
b. Generate a certificate signing request (CSR) (seccertutil gencsr command) and store the CSR on an FTP server (seccertutil export command).
3. Obtain the certificates from the CA.
You can request a certificate from a CA through a Web browser. After you request a certificate, the CA either sends certificate files by e-mail (public) or gives access to them on a remote host (private). Typically, the CA provides the certificate files listed in Table 7.
Table 7 SSL certificate files
Certificate file | Description
name.crt | The switch certificate.
nameRoot.crt | The root certificate. Typically, this certificate is already installed in the browser, but if not, you must install it.
nameCA.crt | The CA certificate. It is not necessary to install this, but you can if you want the CA name to be displayed in the browser window.
4. On each switch:
a. Install the certificate.
b. Activate the certificate.
5. If necessary, install the root certificate to the browser on the management workstation.
6. Add the root certificate to the Java Plug-in keystore on the management workstation.

Choosing a CA

To ease maintenance and allow secure out-of-band communication between switches, consider using one CA to sign all management certificates for a fabric. If you use different CAs, management services operate correctly, but the Web Tools Fabric Events button is unable to retrieve events for the entire fabric.
Table 8 lists recommended Certificate Authorities. Each CA has slightly different requirements; for example, some generate certificates based on IP address, while others require an FQDN, and most require a 1024-bit public/private key while some might accept a 2048-bit key. Consider your fabric configuration, check CA Web sites for requirements, and gather all the information that the CA requires.
Table 8 Recommended CAs
Certificate authority | Web site
Verisign | www.verisign.com
Entrust | www.entrust.com
InstantSSL | www.instantssl.com
GeoTrust | www.geotrust.com

Generating a public/private key

Perform this procedure on each switch:
1. Connect to the switch and log in as admin.
2. Issue the following command to generate a public/private key pair:
switch:admin> seccertutil genkey
The system reports that this process disables secure protocols, deletes any existing CSR, and deletes any existing certificates.
3. Respond to the prompts to continue and select the key size:
Continue (yes, y, no, n): [no] y
Select key size [1024 or 2048]: 1024
Generating new rsa public/private key pair
Done.
Because CA support for the 2048-bit key size is limited, you should select 1024 in most cases.

Generating and storing a CSR

After generating a public/private key (see “Generating a public/private key” on page 55), perform this procedure on each switch:
1. Connect to the switch and log in as admin.
2. Issue the following command:
switch:admin> seccertutil gencsr
3. Enter the requested information:
Country Name (2 letter code, eg, US):US
State or Province Name (full name, eg, California):California
Locality Name (eg, city name):San Jose
Organization Name (eg, company name):HP
Organizational Unit Name (eg, department name):Eng
Common Name (Fully qualified Domain Name, or IP address): 192.1.2.3
Generating CSR, file name is: 192.1.2.3.csr
Done.
Your CA might require specific codes for Country, State or Province, Locality, Organization, and Organizational Unit names. Make sure that your spelling is correct and matches the CA requirements. If the CA requires that the Common Name be specified as an FQDN, make sure that the fully qualified domain name is set on the domain Name Server.
4. Issue the following command to store the CSR:
switch:admin> seccertutil export
5. Enter the requested information:
Select protocol [ftp or scp]: ftp
Enter IP address: 192.1.2.3
Enter remote directory: path_to_remote_directory
Enter Login Name: your account
Enter Password: your password
Success: exported CSR.
If you are set up for secure file copy protocol, you can select it; otherwise, select ftp. Enter the IP address of the switch on which you generated the CSR. Enter the remote directory name of the FTP server to which the CSR is to be sent. Enter your account name and password on the server.

Obtaining certificates

Check the instructions on the CA web site; then, perform this procedure for each switch:
1. Generate and store the CSR as described in ”Generating and storing a CSR” on page 56.
2. Open a Web browser window on the management workstation and go to the CA web site. Follow the instructions to request a certificate. Locate the area in the request form that is provided for you to paste the CSR.
3. Through a telnet window, connect to the switch and log in as admin.
4. Issue the following command:
switch:admin> seccertutil showcsr
The contents of the CSR are displayed.
5. Locate the section that begins with BEGIN CERTIFICATE REQUEST and ends with END CERTIFICATE REQUEST.
6. Copy and paste this section (including the BEGIN and END lines) into the area provided in the request form; then, follow the instructions to complete and send the request.
It may take several days to receive the certificates. If the certificates arrive by e-mail, save them to an FTP server. If the CA provides access to the certificates on an FTP server, make note of the path name and make sure you have a login name and password on the server.

Installing a switch certificate

Perform this procedure on each switch:
1. Connect to the switch and log in as admin.
2. Issue the following command:
switch:admin> seccertutil import
3. Select a protocol, enter the IP address of the host on which the switch certificate is saved, and enter your login name and password:
Select protocol [ftp or scp]: ftp
Enter IP address: 192.10.11.12
Enter remote directory: path_to_remote_directory
Enter certificate name (must have “.crt” suffix):192.1.2.3.crt
Enter Login Name: your_account
Enter Password: *****
Success: imported certificate [192.1.2.3.crt].
To use this certificate, run the configure command to activate it
The certificate downloads to the switch.

Activating a switch certificate

Enter the configure command and respond to the prompts that apply to SSL certificates:
Prompt | Response
SSL attributes | Enter yes.
Certificate File | Enter the name of the switch certificate file: for example, 192.1.2.3.crt.
CA Certificate File | If you want the CA name to be displayed in the browser window, enter the name of the CA certificate file; otherwise, skip this prompt.
Select length of crypto key | Enter the encryption key length (40, 56, or 128).
HTTP attributes | Enter yes.
Secure HTTP enabled | Enter yes.
Example
Configure...
System services (yes, y, no, n): [no]
ssl attributes (yes, y, no, n): [no] yes
Certificate File. (filename or none): [10.33.13.182.crt] 192.1.2.3.crt
CA Certificate File. (filename or none): [none]
Select length of crypto key. (Valid values are 40, 56, and 128.): (40..128) [128]
http attributes (yes, y, no, n): [no] yes
HTTP Enabled (yes, y, no, n): [yes] no
Secure HTTP Enabled (yes, y, no, n): [no] yes
After you exit the configure command, the HTTP daemon restarts automatically to handle HTTPS requests.

Configuring the browser

The root certificate might already be installed on your browser, but if not, you must install it. To see whether it is already installed, check the certificate store on your browser.
The next procedures are guides for installing root certificates to Internet Explorer and Mozilla browsers. For more detailed instructions, refer to the documentation that came with the certificate.
To check and install root certificates on Internet Explorer:
1. From the browser Tools menu, select Internet Options.
2. Select the Content tab.
3. Click Certificates.
4. Click the various tabs and scroll the lists to see if the root certificate is listed. If it is listed, you do not need to install it.
5. If the certificate is not listed, click Import.
6. Follow the instructions in the Certificate Import wizard to import the certificate.
To check and install root certificates on Mozilla:
1. From the browser Edit menu, select Preferences.
2. In the left pane of the Preferences window, expand the Privacy & Security list and select Certificates.
3. In the right pane, click Manage Certificates.
4. In the next window, click the Authorities tab.
5. Scroll the authorities list to see if the root certificate is listed. (For example, its name may have the form nameRoot.crt.) If it is listed, you do not need to install it; forgo the remainder of this procedure.
6. If the certificate is not listed, click Import.
7. Browse to the certificate location and select the certificate. (For example, select nameRoot.crt.)
8. Click Open and follow the instructions to import the certificate.

Installing a root certificate to the Java Plug-in

For information on Java requirements, see “Browser and Java™ support” on page 54.
This procedure is a guide for installing a root certificate to the Java Plug-in on the management workstation. If the root certificate is not already installed to the plug-in, you should install it. For more detailed instructions, refer to the documentation that came with the certificate and to the Sun Microsystems Web site (www.sun.com).
1. Copy the root certificate file from its location on the FTP server to the Java Plug-in bin. For example, the bin location might be:
C:\program files\java\j2re1.4.2_03\bin
2. Open a Command Prompt window and change directory to the Java Plug-in bin.
3. Issue the keytool command and respond to the prompts:
C:\Program Files\Java\j2re1.4.2_03\bin> keytool -import -alias RootCert -file RootCert.crt -keystore ..\lib\security\RootCerts
Enter keystore password: changeit
Owner: CN=HP, OU=Software, O=HP Communications, L=San Jose, ST=California, C=US
Issuer: CN=HP, OU=Software, O=HP Communications, L=San Jose, ST=California, C=US
Serial number: 0
Valid from: Thu Jan 15 16:27:03 PST 2004 until: Sat Feb 14 16:27:03 PST 2004
Certificate fingerprints:
MD5: 71:E9:27:44:01:30:48:CC:09:4D:11:80:9D:DE:A5:E3
SHA1: 06:46:C5:A5:C8:6C:93:9C:FE:6A:C0:EC:66:E9:51:C2:DB:E6:4F:A1
Trust this certificate? [no]: yes
Certificate was added to keystore
In the example, changeit is the default password and RootCert is an example root certificate name.
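A check to run before answering yes at the keytool "Trust this certificate?" prompt, as an added example that is not part of the HP guide: it compares the SHA1 fingerprint keytool displays with a reference fingerprint and tests the validity period, the two conditions behind the untrusted and expired messages in Table 10. The function names and result codes are this example's own, and the reference fingerprint is assumed to come from the CA through a separate channel.

```python
import hashlib
import re
from datetime import datetime

# Sample input: the keytool import prompt shown on this page.
SAMPLE_PROMPT = """\
Owner: CN=HP, OU=Software, O=HP Communications, L=San Jose, ST=California, C=US
Issuer: CN=HP, OU=Software, O=HP Communications, L=San Jose, ST=California, C=US
Serial number: 0
Valid from: Thu Jan 15 16:27:03 PST 2004 until: Sat Feb 14 16:27:03 PST 2004
Certificate fingerprints:
MD5: 71:E9:27:44:01:30:48:CC:09:4D:11:80:9D:DE:A5:E3
SHA1: 06:46:C5:A5:C8:6C:93:9C:FE:6A:C0:EC:66:E9:51:C2:DB:E6:4F:A1
Trust this certificate? [no]:
"""

FP_RE = re.compile(r"\b(MD5|SHA1):\s*((?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2})")
VALID_RE = re.compile(r"Valid from: (.+?) until: (.+)")


def normalize(fp):
    """Reduce a fingerprint to bare upper-case hex so formats compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def file_fingerprint(der_bytes, algo="sha1"):
    """Fingerprint of DER certificate bytes, formatted like keytool's output."""
    digest = hashlib.new(algo, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_keytool_time(stamp):
    """Parse 'Thu Jan 15 16:27:03 PST 2004'; the zone abbreviation is ignored,
    so the result can be off by the zone offset (hours, not days)."""
    parts = stamp.split()
    return datetime.strptime(" ".join(parts[:4] + parts[5:]),
                             "%a %b %d %H:%M:%S %Y")


def review_prompt(prompt_text, reference_sha1, now):
    """Return reasons not to answer yes; an empty list means both checks pass."""
    problems = []
    shown = dict(FP_RE.findall(prompt_text))
    reference = normalize(reference_sha1)
    # A missing reference is treated as a mismatch, never as a match.
    if not reference or normalize(shown.get("SHA1", "")) != reference:
        problems.append("fingerprint-mismatch")
    m = VALID_RE.search(prompt_text)
    if m is None:
        problems.append("no-validity-period")
    else:
        not_before, not_after = (parse_keytool_time(s) for s in m.groups())
        if now < not_before:
            problems.append("not-yet-valid")
        elif now > not_after:
            problems.append("expired")
    return problems


if __name__ == "__main__":
    ref = "06:46:C5:A5:C8:6C:93:9C:FE:6A:C0:EC:66:E9:51:C2:DB:E6:4F:A1"
    print(review_prompt(SAMPLE_PROMPT, ref, datetime.now()))
```

file_fingerprint lets you compute the same value from the certificate file on a second machine, so the comparison does not depend only on what the workstation running keytool displays.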

Displaying and deleting certificates

Table 9 summarizes the commands for displaying and deleting certificates. For details on the commands, refer to the HP StorageWorks Fabric OS 4.x command reference guide.
Table 9 Commands for displaying and deleting SSL certificates
Command | Description
seccertutil show | Displays the state of the SSL key and a list of installed certificates.
seccertutil show filename | Displays the contents of a specific certificate.
seccertutil showcsr | Displays the contents of a CSR.
seccertutil delete filename | Deletes a specified certificate.
seccertutil delcsr | Deletes a CSR.

Troubleshooting certificates

If you receive messages in the browser or in a pop-up window when logging in to the target switch using HTTPS, see Table 10.
Table 10 SSL messages and actions
Message | Action
The page cannot be displayed | The SSL certificate is not installed correctly or HTTPS is not enabled correctly. Make sure that the certificate has not expired, that HTTPS is enabled, and that certificate file names are configured correctly.
The security certificate was issued by a company you have not chosen to trust…. | The certificate is not installed in the browser. Install it as described in “Configuring the browser” on page 58.
The security certificate has expired or is not yet valid | Either the certificate file is corrupted or it needs to be updated. Click View Certificate to verify the certificate content. If it is corrupted or out of date, obtain and install a new certificate.
The name on the security certificate is invalid or does not match the name of the site file | The certificate is not installed correctly in the Java Plug-in. Install it as described in “Installing a root certificate to the Java Plug-in” on page 59.
This page contains both secure and nonsecure items. Do you want to display the nonsecure items? | Click No in this pop-up window. The session opens with a closed lock on the lower-right corner of the browser, indicating an encrypted connection.

Configuring for SNMP

You can configure for the automatic transmission of Simple Network Management Protocol (SNMP) information to management stations. SNMPv3 and SNMPv1 are supported.
The configuration process involves configuring the SNMP agent and configuring SNMP traps. The following commands are used in the process:
• Use the configure command to set the security level. You can specify no security, authentication only, or authentication and privacy.
• Use the snmpconfig command to configure the SNMP agent and traps for SNMPv3 or SNMPv1 configurations.
• If necessary for backward compatibility, you can use these legacy commands to configure for SNMPv1:
  • Use the agtcfgshow, agtcfgset, and agtcfgdefault commands to configure the SNMPv1 agent.
  • Use the snmpmibcapset command to filter at the trap level and the snmpmibcapshow command to display the trap filter values.
Associated with the HP-specific StorageWorks MIB (SW-MIB), this Management Information Base (MIB) monitors HP StorageWorks switches specifically.
Fibre Alliance MIB trap
Associated with the Fibre Alliance MIB (FA-MIB), this MIB manages SAN switches and devices from any company that complies with Fibre Alliance specifications.
If you use both SW-MIB and FA-MIB, you may receive duplicate information. You can disable the FA-MIB, but the SW-MIB cannot be disabled.
You can also use these additional MIBs and their associated traps:
• HA-MIB (for the Core Switch 2/64 and SAN Director 2/128)
• SW-EXTTRAP includes the swSsn (Software Serial Number) as a part of HP SW traps. It is also used with the legacy SAN Switched Integrated/64 to provide detailed group information for a particular trap.
For more information on HP support for SNMP, refer to the HP StorageWorks Fabric OS 4.x features overview guide.
For information on HP MIBs, refer to the HP StorageWorks Fabric OS 4.x Management Information Base reference guide.
For information on the specific commands used in these procedures, refer to online help or to the HP StorageWorks Fabric OS 4.x command reference guide.

Setting the security level

Use the configure command to set the security level (called SNMP attributes). You can specify no security, authentication only, or authentication and privacy. For example, to configure for authentication and privacy:
switch:admin> configure
Not all options will be available on an enabled switch. To disable the switch, use the “switchDisable” command.
Configure...
System services (yes, y, no, n): [no]
ssl attributes (yes, y, no, n): [no]
http attributes (yes, y, no, n): [no]
snmp attributes (yes, y, no, n): [no] y
Select SNMP Security Level: (0 = No security, 1 = Authentication only, 2 = Authentication and Privacy): (0..2) [0] 2

Using the snmpconfig command

Use the snmpconfig --set command to change either the SNMPv3 or SNMPv1 configuration. You can also change access control, MIB capability, and system group.
To change the SNMPv3 configuration, use the following as an example:
switch:admin> snmpconfig --set snmpv3
SNMPv3 user configuration:
User (rw): [snmpadmin1] adminuser
Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..3) [3] 1
New Auth Passwd:
Verify Auth Passwd:
Priv Protocol [DES(1)/noPriv[2]): (1..2) [2] 1
New Priv Passwd:
Verify Priv Passwd:
User (rw): [snmpadmin2] shauser
Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..3) [3] 2
New Auth Passwd:
Verify Auth Passwd:
Priv Protocol [DES(1)/noPriv[2]): (1..2) [2] 1
New Priv Passwd:
Verify Priv Passwd:
User (rw): [snmpadmin3] nosec
Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..3) [3]
Priv Protocol [DES(1)/noPriv[2]): (2..2) [2]
User (ro): [snmpuser1]
Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (3..3) [3]
Priv Protocol [DES(1)/noPriv[2]): (2..2) [2]
User (ro): [snmpuser2]
Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (3..3) [3]
Priv Protocol [DES(1)/noPriv[2]): (2..2) [2]
User (ro): [snmpuser3]
Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (3..3) [3]
Priv Protocol [DES(1)/noPriv[2]): (2..2) [2]
SNMPv3 trap recipient configuration:
Trap Recipient's IP address in dot notation: [0.0.0.0] 192.168.45.90
UserIndex: (1..6) [1]
Trap recipient Severity level : (0..5) [0] 4
Trap Recipient's IP address in dot notation: [0.0.0.0] 192.168.45.92
UserIndex: (1..6) [2]
Trap recipient Severity level : (0..5) [0] 2
Trap Recipient's IP address in dot notation: [0.0.0.0]
Trap Recipient's IP address in dot notation: [0.0.0.0]
Trap Recipient's IP address in dot notation: [0.0.0.0]
Trap Recipient's IP address in dot notation: [0.0.0.0]
Committing configuration...done.
To change the SNMPv1 configuration, use the following as an example:
switch:admin> snmpconfig --set snmpv1
SNMP community and trap recipient configuration:
Community (rw): [Secret C0de] admin
Trap Recipient's IP address in dot notation: [0.0.0.0] 10.32.225.1
Trap recipient Severity level : (0..5) [0] 1
Community (rw): [OrigEquipMfr]
Trap Recipient's IP address in dot notation: [10.32.225.2]
Trap recipient Severity level : (0..5) [1]
Community (rw): [private]
Trap Recipient's IP address in dot notation: [10.32.225.3]
Trap recipient Severity level : (0..5) [2]
Community (ro): [public]
Trap Recipient's IP address in dot notation: [10.32.225.4]
Trap recipient Severity level : (0..5) [3]
Community (ro): [common]
Trap Recipient's IP address in dot notation: [10.32.225.5]
Trap recipient Severity level : (0..5) [4]
Community (ro): [FibreChannel]
Trap Recipient's IP address in dot notation: [10.32.225.6]
Trap recipient Severity level : (0..5) [5]
Committing configuration...done.
To change the accessControl configuration, use the following as an example:
switch:admin> snmpconfig --set accessControl
SNMP access list configuration:
Access host subnet area in dot notation: [0.0.0.0] 192.168.0.0
Read/Write? (true, t, false, f): [true]
Access host subnet area in dot notation: [0.0.0.0] 10.32.148.0
Read/Write? (true, t, false, f): [true] f
Access host subnet area in dot notation: [0.0.0.0]
Read/Write? (true, t, false, f): [true]
Access host subnet area in dot notation: [0.0.0.0] 10.33.0.0
Read/Write? (true, t, false, f): [true] f
Access host subnet area in dot notation: [0.0.0.0]
Read/Write? (true, t, false, f): [true]
Access host subnet area in dot notation: [0.0.0.0]
Read/Write? (true, t, false, f): [true]
Committing configuration...done.
To display the mibCapability configuration, use the following as an example:
switch:admin> snmpconfig --show mibCapability
FA-MIB: YES
FICON-MIB: YES
HA-MIB: YES
SW-TRAP: YES
swFCPortScn: YES
swEventTrap: YES
swFabricWatchTrap: YES
swTrackChangesTrap: NO
FA-TRAP: YES
connUnitStatusChange: YES
connUnitEventTrap: NO
connUnitSensorStatusChange: YES
connUnitPortStatusChange: YES
SW-EXTTRAP: NO
FICON-TRAP: NO
HA-TRAP: YES
fruStatusChanged: YES
cpStatusChanged: YES
fruHistoryTrap: NO
To change the systemGroup configuration to default, use the following as an example:
switch:admin> snmpconfig --default systemGroup
***** This command will reset the agent's system group configuration back to factory default *****
sysDescr = Fibre Channel Switch
sysLocation = End User Premise
sysContact = Field Support
authTraps = 0 (OFF)
***** Are you sure? (yes, y, no, n): [no] y

Using legacy commands for SNMPv1

Use the snmpconfig command to configure the SNMPv1 agent and traps (see “Using the snmpconfig command” on page 61). However, if necessary for backward compatibility, you can choose to use legacy commands.
Use the agtcfgshow command to display SNMP agent configuration information. For example:
switch:admin> agtcfgshow
Current SNMP Agent Configuration
Customizable MIB-II system variables:
sysDescr = FC Switch
sysLocation = End User Premise
sysContact = Field Support.
authTraps = 1 (ON)
SNMPv1 community and trap recipient configuration:
Community 1: Secret C0de (rw)
Trap recipient: 192.168.1.51
Trap recipient Severity level: 4
Community 2: OrigEquipMfr (rw)
Trap recipient: 192.168.1.26
Trap recipient Severity level: 0
Community 3: private (rw)
No trap recipient configured yet
Community 4: public (ro)
No trap recipient configured yet
Community 5: common (ro)
No trap recipient configured yet
Community 6: FibreChannel (ro)
No trap recipient configured yet
SNMP access list configuration:
Entry 0: Access host subnet area 192.168.64.0 (rw)]
Entry 1: No access host configured yet
Entry 2: No access host configured yet
Entry 3: No access host configured yet
Entry 4: No access host configured yet
Entry 5: No access host configured yet
Use the agtcfgset command to modify the SNMP configuration values. For example:
switch:admin> agtcfgset
Customizing MIB-II system variables ...
At each prompt, do one of the followings:
o <Return> to accept current value,
o enter the appropriate new value,
o <Control-D> to skip the rest of configuration, or
o <Control-C> to cancel any change.
To correct any input mistake:
<Backspace> erases the previous character,
<Control-U> erases the whole line,
sysDescr: [FC Switch]
sysLocation: [End User Premise]
sysContact: [Field Support.]
authTrapsEnabled (true, t, false, f): [true]
SNMP community and trap recipient configuration:
Community (rw): [Secret C0de]
Trap Recipient's IP address in dot notation: [192.168.1.51]
Trap recipient Severity level : (0..5) [0] 3
Community (rw): [OrigEquipMfr]
Trap Recipient's IP address in dot notation: [192.168.1.26]
Trap recipient Severity level : (0..5) [0]
Community (rw): [private]
Trap Recipient's IP address in dot notation: [0.0.0.0] 192.168.64.88
Trap recipient Severity level : (0..5) [0] 1
Community (ro): [public]
Trap Recipient's IP address in dot notation: [0.0.0.0]
Community (ro): [common]
Trap Recipient's IP address in dot notation: [0.0.0.0]
Community (ro): [FibreChannel]
Trap Recipient's IP address in dot notation: [0.0.0.0]
SNMP access list configuration:
Access host subnet area in dot notation: [0.0.0.0] 192.168.64.0
Read/Write? (true, t, false, f): [true]
Access host subnet area in dot notation: [0.0.0.0]
Read/Write? (true, t, false, f): [true]
Access host subnet area in dot notation: [0.0.0.0]
Read/Write? (true, t, false, f): [true]
Access host subnet area in dot notation: [0.0.0.0]
Read/Write? (true, t, false, f): [true]
Access host subnet area in dot notation: [0.0.0.0]
Read/Write? (true, t, false, f): [true]
Access host subnet area in dot notation: [0.0.0.0]
Read/Write? (true, t, false, f): [true]
Committing configuration...done.
value = 1 = 0x1
Use the agtcfgdefault command to reset the SNMP agent configuration to default values. For example:
switch:admin> agtcfgdefault
***** This command will reset the agent's configuration back to factory default *****
Current SNMP Agent Configuration
Customizable MIB-II system variables:
sysDescr = Fibre Channel Switch.
sysLocation = End User Premise
sysContact = sweng
authTraps = 0 (OFF)
SNMPv1 community and trap recipient configuration:
Community 1: Secret C0de (rw)
Trap recipient: 192.168.15.41
Trap recipient Severity level: 4
Community 2: OrigEquipMfr (rw)
No trap recipient configured yet
Community 3: private (rw)
No trap recipient configured yet
Community 4: public (ro)
No trap recipient configured yet
Community 5: common (ro)
No trap recipient configured yet
Community 6: FibreChannel (ro)
No trap recipient configured yet
SNMP access list configuration:
Entry 0: Access host subnet area 192.168.64.0 (rw)]
Entry 1: No access host configured yet
Entry 2: No access host configured yet
Entry 3: No access host configured yet
Entry 4: No access host configured yet
Entry 5: No access host configured yet
***** Are you sure? (yes, y, no, n): [no] y
Committing configuration...done.
agent configuration reset to factory default
Current SNMP Agent Configuration
Customizable MIB-II system variables:
sysDescr = Fibre Channel Switch.
sysLocation = End User Premise
sysContact = Field Support.
authTraps = 0 (OFF)
SNMPv1 community and trap recipient configuration:
Community 1: Secret C0de (rw)
No trap recipient configured yet
Community 2: OrigEquipMfr (rw)
No trap recipient configured yet
Community 3: private (rw)
No trap recipient configured yet
Community 4: public (ro)
No trap recipient configured yet
Community 5: common (ro)
No trap recipient configured yet
Community 6: FibreChannel (ro)
No trap recipient configured yet
(output truncated)
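An audit of agtcfgshow output, as an added example that is not part of the HP guide: it parses the listing format shown above and flags communities that still carry the names this page shows after agtcfgdefault, read/write access-list entries, and disabled authTraps. The function names and finding codes are this example's own, and treating an empty access list as unrestricted is an assumption.

```python
import re

# Community names this page shows after agtcfgdefault resets the agent.
FACTORY_COMMUNITIES = {"Secret C0de", "OrigEquipMfr", "private",
                       "public", "common", "FibreChannel"}

COMMUNITY_RE = re.compile(r"Community (\d+): (.+) \((rw|ro)\)$")
RECIPIENT_RE = re.compile(r"Trap recipient: (\S+)$")
SEVERITY_RE = re.compile(r"Trap recipient Severity level: (\d+)$")
# The page's listing prints a stray "]" after the access mode; accept it.
ACCESS_RE = re.compile(r"Entry \d+: Access host subnet area (\S+) \((rw|ro)\)\]?$")
AUTHTRAPS_RE = re.compile(r"authTraps = (\d+)")

# Sample input: the agtcfgshow listing shown on this page.
SAMPLE_AGTCFGSHOW = """\
Current SNMP Agent Configuration
Customizable MIB-II system variables:
sysDescr = FC Switch
sysLocation = End User Premise
sysContact = Field Support.
authTraps = 1 (ON)
SNMPv1 community and trap recipient configuration:
Community 1: Secret C0de (rw)
Trap recipient: 192.168.1.51
Trap recipient Severity level: 4
Community 2: OrigEquipMfr (rw)
Trap recipient: 192.168.1.26
Trap recipient Severity level: 0
Community 3: private (rw)
No trap recipient configured yet
Community 4: public (ro)
No trap recipient configured yet
Community 5: common (ro)
No trap recipient configured yet
Community 6: FibreChannel (ro)
No trap recipient configured yet
SNMP access list configuration:
Entry 0: Access host subnet area 192.168.64.0 (rw)]
Entry 1: No access host configured yet
Entry 2: No access host configured yet
Entry 3: No access host configured yet
Entry 4: No access host configured yet
Entry 5: No access host configured yet
"""


def parse_agtcfgshow(text):
    """Parse agtcfgshow output into communities, access hosts and authTraps."""
    cfg = {"auth_traps": None, "communities": [], "access_hosts": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := AUTHTRAPS_RE.match(line):
            cfg["auth_traps"] = m.group(1) != "0"
        elif m := COMMUNITY_RE.match(line):
            cfg["communities"].append({
                "index": int(m.group(1)), "name": m.group(2),
                "access": m.group(3), "recipient": None, "severity": None,
            })
        elif (m := RECIPIENT_RE.match(line)) and cfg["communities"]:
            cfg["communities"][-1]["recipient"] = m.group(1)
        elif (m := SEVERITY_RE.match(line)) and cfg["communities"]:
            cfg["communities"][-1]["severity"] = int(m.group(1))
        elif m := ACCESS_RE.match(line):
            cfg["access_hosts"].append((m.group(1), m.group(2)))
    return cfg


def audit(cfg):
    """Return (code, detail) findings for a parsed agent configuration."""
    findings = []
    for c in cfg["communities"]:
        if c["name"] in FACTORY_COMMUNITIES:
            code = f"default-{c['access']}-community"
            findings.append(
                (code, f"Community {c['index']} keeps factory name {c['name']!r}"))
    # Assumption (not stated on the page): with no access host configured,
    # the agent does not restrict which hosts may send SNMP requests.
    if not cfg["access_hosts"]:
        findings.append(("no-access-list", "No access host subnet configured"))
    for subnet, access in cfg["access_hosts"]:
        if access == "rw":
            findings.append(("rw-access-host", f"{subnet} has read/write access"))
    # Assumption: authTraps controls MIB-II authentication-failure traps, so
    # OFF means rejected SNMP requests are not reported to a trap recipient.
    if cfg["auth_traps"] is False:
        findings.append(("auth-traps-off", "authTraps is OFF"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(parse_agtcfgshow(SAMPLE_AGTCFGSHOW)):
        print(f"{code}: {detail}")
```

Run against the page's listing, every one of the six communities is reported, because the names a switch shows after a factory reset are printed in this guide.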
Use the snmpmibcapset command to modify the options for configuring SNMP MIB traps. For example:
switch:admin> snmpmibcapset
The SNMP Mib/Trap Capability has been set to support FE-MIB SW-MIB FA-MIB FA-TRAP
FA-MIB (yes, y, no, n): [yes]
FICON-MIB (yes, y, no, n): [no] y
HA-MIB (yes, y, no, n): [no] y
SW-TRAP (yes, y, no, n): [no] y
swFCPortScn (yes, y, no, n): [no]
swEventTrap (yes, y, no, n): [no]
swFabricWatchTrap (yes, y, no, n): [no]
swTrackChangesTrap (yes, y, no, n): [no]
FA-TRAP (yes, y, no, n): [yes]
connUnitStatusChange (yes, y, no, n): [no]
connUnitEventTrap (yes, y, no, n): [no]
connUnitSensorStatusChange (yes, y, no, n): [no]
connUnitPortStatusChange (yes, y, no, n): [no]
SW-EXTTRAP (yes, y, no, n): [no] y
FICON-TRAP (yes, y, no, n): [no] y
linkRNIDDeviceRegistration (yes, y, no, n): [no]
linkRNIDDeviceDeRegistration (yes, y, no, n): [no]
linkLIRRListenerAdded (yes, y, no, n): [no]
linkLIRRListenerRemoved (yes, y, no, n): [no]
linkRLIRFailureIncident (yes, y, no, n): [no]
HA-TRAP (yes, y, no, n): [no] y
fruStatusChanged (yes, y, no, n): [no]
cpStatusChanged (yes, y, no, n): [no]
fruHistoryTrap (yes, y, no, n): [no]
Avoid-Duplicate-TRAP (yes, y, no, n): [no] y
switch:admin>
These notes apply to snmpmibcapset parameters for the FA-TRAP:
• connUnitStatusChange indicates that the overall status of the connectivity unit has changed. Its variables are:
  • connUnitStatus is the status of the connection unit
  • connUnitState is the state of the connection unit
• connUnitEventTrap indicates that the connectivity unit has generated an event. Its variables are:
  • connUnitEventId is the internal event ID
  • connUnitEventType is the type of this event
  • connUnitEventObject is used with the connUnitEventType to identify the object to which the event refers.
  • connUnitEventDescr is the description of the event.
• connUnitSensorStatusChange indicates that the status of the sensor associated with the connectivity unit has changed.
  • connUnitSensorStatus is the status indicated by the sensor.
• connUnitPortStatusChange indicates that the status of the sensor associated with the connectivity unit has changed.
  • connUnitPortStatus shows overall protocol status for the port.
  • connUnitPortState shows the user-specified state of the port hardware.
Use the snmpmibcapshow command to view the SNMP MIB trap setup. For example:
switch:admin> snmpmibcapshow
FA-MIB: YES
FICON-MIB: YES
HA-MIB: YES
SW-TRAP: YES
swFCPortScn: YES
swEventTrap: YES
swFabricWatchTrap: YES
swTrackChangesTrap: YES
FA-TRAP: YES
SW-EXTTRAP: YES
HA-TRAP: YES
fruStatusChanged: YES
cpStatusChanged: YES
fruHistoryTrap: YES

Configuring secure file copy

Use the configure command to specify that secure file copy (scp) be used for configuration uploads and downloads. For example:
switch:admin> configure
Not all options will be available on an enabled switch. To disable the switch, use the “switchDisable” command.
Configure...
System services (yes, y, no, n): [no] n
ssl attributes (yes, y, no, n): [no] n
http attributes (yes, y, no, n): [no] n
snmp attributes (yes, y, no, n): [no] n
rpcd attributes (yes, y, no, n): [no] n
cfgload attributes (yes, y, no, n): [no] y
Enforce secure config Upload/Download (yes, y, no, n): [no] y
switch:admin>

Setting the boot PROM password

The boot PROM password provides an additional layer of security by protecting the boot PROM from unauthorized use. Setting a recovery string for the boot PROM password enables you to recover a lost boot PROM password by contacting your switch service provider. Without the recovery string, a lost boot PROM password cannot be recovered.
You should set the boot PROM password and the recovery string on all switches, as described in “With a recovery string” on page 70. If your site procedures dictate that you set the boot PROM password without the recovery string, refer to “Without a recovery string” on page 72.

With a recovery string

To set the boot PROM password with a recovery string, refer to the section that applies to your switch model.
NOTE: Setting the boot PROM password requires accessing the boot prompt, which stops traffic flow through the switch until the switch is rebooted. You should perform this procedure during a planned down time.
For the SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, and SAN Switch 4/32, follow this procedure to set the boot PROM password with a recovery string:
1. Connect to the serial port interface as described in ”To connect through the serial port:” on page 20.
2. Reboot the switch.
3. Press ESC within four seconds after the message Press escape within 4 seconds appears.
The following options are available:
• 1 Start system: Continues the system boot process.
• 2 Recovery password: Lets you set the recovery string and the boot PROM password.
• 3 Enter command shell: Provides access to boot parameters.
4. Enter 2.
If no password was previously set, the following message appears:
Recovery password is NOT set. Please set it now.
If a password was previously set, the following messages appear:
Send the following string to Customer Support for password recovery:
afHTpyLsDo1Pz0Pk5GzhIw==
Enter the supplied recovery password.
Recovery Password:
5. Enter the recovery password (string).
The recovery string must be between 8 and 40 alphanumeric characters. HP recommends a random string that is 15 characters or longer for higher security. The firmware prompts for this password only once. It is not necessary to remember the recovery string because it is displayed the next time you enter the command shell.
The following prompt appears:
New password:
6. Enter the boot PROM password and then reenter it when prompted. The password must be 8 alphanumeric characters (any additional characters are not recorded). Record this password for future use.
The new password is automatically saved (the saveenv command is not required).
7. Reboot the switch.
For the Core Switch 2/64 and the SAN Director 2/128, the boot PROM and recovery passwords must be set for each CP card on those switches:
1. Connect to the serial port interface on the standby CP card, as described in “To connect through the serial port:” on page 20.
2. Connect to the active CP card by serial or telnet and enter the hadisable command to prevent failover during the remaining steps.
3. For the Core Switch 2/64, reboot the standby CP card by pressing the yellow ejector buttons at top and bottom of the CP card and then pressing both ejector handles back towards the switch to lock the card back into the slot.
For the SAN Director 2/128, reboot the standby CP card by sliding the On/Off switch on the ejector handle of the standby CP card to Off, and then back to On.
4. Press ESC within four seconds after the message Press escape within 4 seconds appears.
The following options are available:
• 1 Start system: Continues the system boot process.
• 2 Recovery password: Lets you set the recovery string and the boot PROM password.
• 3 Enter command shell: Provides access to boot parameters.
5. Enter 2.
If no password was previously set, the following message appears:
Recovery password is NOT set. Please set it now.
If a password was previously set, the following messages appear:
Send the following string to Customer Support for password recovery:
afHTpyLsDo1Pz0Pk5GzhIw==
Enter the supplied recovery password.
Recovery Password:
6. Enter the recovery password (string).
The recovery string must be between 8 and 40 alphanumeric characters. HP recommends a random string that is 15 characters or longer for higher security. The firmware prompts for this password only once. It is not necessary to remember the recovery string because it is displayed the next time you enter the command shell.
The following prompt appears:
New password:
7. Enter the boot PROM password and then reenter it when prompted. The password must be 8 alphanumeric characters (any additional characters are not recorded). Record this password for future use.
The new password is automatically saved (the saveenv command is not required).
8. Connect to the active CP card by serial or telnet and enter the haenable command to restore HA, and then fail over the active CP card by entering the hafailover command.
Traffic flow through the active CP card resumes when the failover is complete.
9. Connect the serial cable to the serial port on the new standby CP card (previously the active CP card).
10. Repeat step 2 through step 7 for the new standby CP card (each CP card has a separate boot PROM password).
11. Connect to the active CP card by serial or telnet and enter the haenable command to restore high availability.
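The length and character rules in the two procedures above can be checked before the maintenance window. The following Python sketch is an added example, not part of the HP guide: it generates a recovery string and a boot PROM password from the operating system's random source and validates operator-chosen values against the stated limits, including the fact that only the first 8 characters of the boot PROM password are recorded. All function names are illustrative.

```python
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits  # the guide allows alphanumerics only
BOOT_PROM_LEN = 8            # characters the boot PROM actually records
RECOVERY_MIN, RECOVERY_MAX = 8, 40
RECOVERY_RECOMMENDED = 15    # recommended minimum for a random recovery string


def new_recovery_string(length=20):
    """Random recovery string drawn from the OS CSPRNG."""
    if not RECOVERY_MIN <= length <= RECOVERY_MAX:
        raise ValueError("recovery string must be 8 to 40 characters")
    return "".join(secrets.choice(ALNUM) for _ in range(length))


def new_boot_prom_password():
    """Random password of exactly the length the boot PROM records."""
    return "".join(secrets.choice(ALNUM) for _ in range(BOOT_PROM_LEN))


def entropy_bits(length):
    """Upper bound on the entropy of a uniformly random alphanumeric string."""
    return length * math.log2(len(ALNUM))


def check_recovery_string(value):
    """Return a list of findings; an empty list means the value is acceptable."""
    findings = []
    if any(c not in ALNUM for c in value):
        findings.append("contains non-alphanumeric characters")
    if not RECOVERY_MIN <= len(value) <= RECOVERY_MAX:
        findings.append("length must be between 8 and 40")
    elif len(value) < RECOVERY_RECOMMENDED:
        findings.append("shorter than the recommended 15 characters")
    return findings


def check_boot_prom_password(value):
    """Return a list of findings for a candidate boot PROM password."""
    findings = []
    if any(c not in ALNUM for c in value):
        findings.append("contains non-alphanumeric characters")
    if len(value) < BOOT_PROM_LEN:
        findings.append("shorter than 8 characters")
    elif len(value) > BOOT_PROM_LEN:
        findings.append("characters after the 8th are not recorded")
    return findings


def recorded_equal(a, b):
    """True when two candidates are the same password as far as the boot PROM records."""
    return secrets.compare_digest(a[:BOOT_PROM_LEN].encode(), b[:BOOT_PROM_LEN].encode())


if __name__ == "__main__":
    # Constructed candidates, for illustration only.
    print(check_boot_prom_password("Winter2005Switch"))
    print(recorded_equal("Winter2005Switch", "Winter2099Other"))
    print(round(entropy_bits(BOOT_PROM_LEN), 1), "bits at most for 8 random characters")
```

Because each CP card has its own boot PROM password, run the check once per card and record each result separately.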

Without a recovery string

Although you can set the boot PROM password without also setting the recovery string, HP recommends that you set both the password and the string as described in ”With a recovery string” on page 70. If your site procedures dictate that you must set the boot PROM password without the string, follow the procedure that applies to your switch model.
NOTE: Setting the boot PROM password requires accessing the boot prompt, which stops traffic flow through the switch until the switch is rebooted. You should perform this procedure during a planned down time.
For the SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, and SAN Switch 4/32, follow this procedure to set the boot PROM password without a recovery string.
1. Create a serial connection to the switch as described in ”To connect through the serial port:” on page 20.
2. Reboot the switch by issuing the reboot command.
3. Press ESC within four seconds after the message Press escape within 4 seconds appears.
The following options are available:
• 1 Start system: Continues the system boot process.
• 2 Recovery password: Lets you set the recovery string and the boot PROM password.
• 3 Enter command shell: Provides access to boot parameters.
4. Enter 3.
5. Enter the passwd command at the shell prompt.
NOTE: The passwd command applies to the boot PROM password only when it is entered from the boot interface.
6. Enter the boot PROM password at the prompt and then reenter it when prompted. The password must be 8 alphanumeric characters (any additional characters are not recorded). Record this password for future use.
7. Issue the saveenv command to save the new password.
8. Reboot the switch by issuing the reset command.
For the Core Switch 2/64 and the SAN Director 2/128, set the password on the standby CP card, fail over, and then set the password on the previously active (now standby) CP card to minimize disruption to the fabric:
1. Determine the active CP card by opening a telnet session to either CP card, connecting as admin, and entering the hashow command.
2. Connect to the active CP card by serial or telnet and enter the hadisable command to prevent failover during the remaining steps.
3. Create a serial connection to the standby CP card as described in ”To connect through the serial port:” on page 20.
4. For the Core Switch 2/64, reboot the standby CP card by pressing the yellow ejector buttons at top and bottom of the CP card and then pressing both ejector handles back towards the switch to lock the card back into the slot.
For the SAN Director 2/128, reboot the standby CP card by sliding the On/Off switch on the ejector handle of the standby CP card to Off, and then back to On.
This causes the card to reset.
5. Press ESC within four seconds after the message Press escape within 4 seconds appears.
The following options are available:
• 1 Start system: Continues the system boot process.
• 2 Recovery password: Lets you set the recovery string and the boot PROM password.
• 3 Enter command shell: Provides access to boot parameters.
6. Enter 3.
7. Issue the passwd command at the shell prompt.
NOTE: The passwd command only applies to the boot PROM password when it is entered from the boot interface.
8. Enter the boot PROM password at the prompt and then reenter it when prompted. The password must be 8 alphanumeric characters (any additional characters are not recorded). Record this password for future use.
9. Enter the saveenv command to save the new password.
10. Reboot the standby CP card by entering the reset command.
11. Connect to the active CP card by serial or telnet, enter the haenable command to restore HA, and then fail over the active CP card by entering the hafailover command.
Traffic resumes flowing through the newly active CP card after it has completed rebooting.
12. Connect the serial cable to the serial port on the new standby CP card (previously the active CP card).
13. Repeat step 3 through step 10 for the new standby CP card.
14. Connect to the active CP card by serial or telnet and enter the haenable command to restore HA.

Recovering forgotten passwords

If you know the root password, you can use this procedure to recover the user, admin, and factory passwords:
1. Open a CLI connection (serial or telnet) to the switch. If secure mode is enabled, connect to the primary FCS switch.
2. Log in as root.
3. Enter the command for the type of password that was lost:
passwd user
passwd admin
passwd factory
4. Enter the requested information at the prompts.
To recover a lost root password, contact your switch service provider.
To recover a lost boot PROM password, contact your switch service provider. You must have previously set a recovery string to recover the boot PROM password.
4 Maintaining configurations and firmware
This chapter contains procedures for maintaining switch configurations and installing firmware and consists of the following sections:
Maintaining configurations, page 75
Maintaining firmware, page 78
Troubleshooting firmware downloads, page 86

Maintaining configurations

It is important to maintain consistent configuration settings on all switches in the same fabric, because inconsistent parameters (such as inconsistent PID formats) can cause fabric segmentation. As part of standard configuration maintenance procedures, HP recommends that you back up all important configuration data for every switch on a host computer server for emergency reference.
The following sections contain procedures for basic switch configuration maintenance.

Displaying configuration settings

The switch configuration file comprises four sections, and is organized as follows:
• The Boot Parameters section contains variables such as the switch's name and IP address.
• The Licenses section lists the licenses that are active on the switch.
• The Chassis Configuration section contains configuration variables such as diagnostic settings, fabric configuration settings, and SNMP settings.
• The Configuration section contains licensed option configuration parameters.
To display configuration settings, connect to the switch, log in as admin, and enter the configshow command at the command line. The configuration settings vary depending on switch model and configuration.

Backing up a configuration

Keep a backup copy of the configuration file in case the configuration is lost or unintentional changes are made. You should keep individual backup files for all switches in the fabric. You should avoid copying configurations from one switch to another.
The following information is not saved in a backup:
• dnsconfig information
• passwords
You must have a valid account on the FTP server where the backup file is to be stored.
You can specify the use of secure file copy (scp) during the procedure. For instructions on configuring the use of scp by default, see ”Configuring secure file copy” on page 69.
Before beginning, verify that you can reach the FTP server from the switch. Using a telnet connection, save a backup copy of the configuration file to a host computer as follows:
1. Verify that the FTP service is running on the host computer.
2. Connect to the switch and log in as admin.
3. Enter the configupload command.
The command becomes interactive and you are prompted for the required information.
4. Respond to the prompts as follows:
Protocol (scp or ftp): If your site requires the use of Secure Copy, specify scp. Otherwise, specify ftp.
Server Name or IP Address: Enter the name or IP address of the server where the file is to be stored; for example, 192.1.2.3. You can enter a server name if DNS is enabled.
User name: Enter the user name of your account on the server; for example, JohnDoe.
File name: Specify a file name for the backup file; for example, config.txt. Use the forward slash (/) to specify absolute path names. Relative path names create the file in the user’s home directory on UNIX servers, and in the directory where the FTP server is running on Windows servers.
Password: Enter your account password for the server.
Example:
switch:admin> configupload
Protocol (scp or ftp) [ftp]: ftp
Server Name or IP Address [host]: 192.1.2.3
User Name [user]: JohnDoe
File Name [config.txt]: /pub/configurations/config.txt
Password: xxxxx
Upload complete
switch:admin>

Restoring a configuration

Restoring a configuration involves overwriting the configuration on the switch by downloading a previously saved backup configuration file. Perform this procedure during a planned down time.
Make sure that the configuration file you are downloading is compatible with your switch model, because configuration files from other model switches might cause your switch to fail.
You must have a user ID on the FTP server where the backup file is stored.
Use the following procedure:
1. Verify that the FTP service is running on the server where the backup configuration file is located.
2. Connect to the switch and log in as admin.
3. Disable the switch by entering the switchdisable command.
4. Enter the configdownload command.
The command becomes interactive and you are prompted for the required information.
5. Respond to the prompts as follows:
Protocol (scp or ftp): If your site requires the use of Secure Copy, specify scp. Otherwise, specify ftp.
Server Name or IP Address: Enter the name or IP address of the server where the file is stored; for example, 192.1.2.3. You can enter a server name if DNS is enabled.
User name: Enter the user name of your account on the server; for example, JohnDoe.
File name: Specify the full path name of the backup file; for example, /pub/configurations/config.txt.
Password: Enter your account password for the server.
6. At the Do you want to continue [y/n] prompt, enter y.
7. Wait for the configuration to be restored.
8. When the process is finished, enter the switchenable command:
Example:
switch:admin> configdownload
Protocol (scp or ftp) [ftp]: ftp
Server Name or IP Address [host]: 192.1.2.3
User Name [user]: JohnDoe
File Name [config.txt]: /pub/configurations/config.txt
Password: xxxxx
*** CAUTION ***
This command is used to download a backed-up configuration for a specific switch. If using a file from a different switch, this file's configuration settings will override any current switch settings. Downloading a configuration file, which was uploaded from a different type of switch, may cause this switch to fail.
Do you want to continue [y/n]: y
download complete..
switch:admin> switchenable
NOTE: Because some configuration parameters require a reboot to take effect, after you download a configuration file you must reboot to be sure that the parameters are enabled. Before the reboot, this type of parameter is listed in the configuration file, but it is not effective until after the reboot.

Downloading configurations across a fabric

To save time when configuring fabric parameters and software features, you can save a configuration file from one switch and download it to other switches of the same model type, as described in the following procedure. Avoid downloading configuration files to different model switches, because that can cause the switches to fail.
1. Configure one switch first.
2. Use the configupload command to save the configuration information. See ”Backing up a configuration” on page 75.
3. Use the configdownload command to download the configuration to each of the remaining switches. See ”Restoring a configuration” on page 76.

Editing configuration files

Beginning with Fabric OS v4.2.0, the portcfg line in the configuration file for a brand new switch contains 256 entries, regardless of the number of ports on the switch. This line length exceeds the capacity of the vi editor. If you must edit a new configuration file, use the vim editor instead, or perform a portcfg operation before attempting to edit the file: after a portcfg operation, the portcfg line in the configuration file contains only as many entries as the maximum number of ports on the switch.

Printing hard copies of switch information

HP recommends that you print a hard copy of all key configuration data, including license key information for every switch, and store it in a safe and secure place for emergency reference. Print out the information from the following commands, and store the printouts in a secure location:
• configshow displays configuration parameters and setup information, including license information.
• ipaddrshow displays the IP address.
• licenseshow displays the license keys you have installed and provides better detail than the license information from the configshow command.
Depending on the security procedures of your company, you might also want to keep a record of the user levels and passwords for all switches in the fabric. Access to this sensitive information should be limited.

Maintaining firmware

This section explains how to obtain and install firmware. Fabric OS v4.4.0 provides nondisruptive firmware installation.
In most cases, you will upgrade firmware; that is, install a newer firmware version than the one you are currently running. However, some circumstances may require installing an older version; that is, downgrading the firmware. The procedures in this section assume that you are upgrading firmware, but they work for downgrading as well, provided the old and new firmware versions are compatible.
Using the CLI (or HP Advanced Web Tools), you can upgrade the firmware on one switch at a time. You can use the optionally licensed HP Fabric Manager software tool to upgrade firmware simultaneously on multiple switches. For more details on Fabric Manager and other licensed software tools, go to the HP StorageWorks web site: http://www.hp.com/country/us/eng/prodserv/storage.html

Obtaining and unzipping firmware

Firmware upgrades are available for customers with support service contracts and partners on the HP StorageWorks web site: http://www.hp.com/country/us/eng/prodserv/storage.html
The firmware is delivered in a compressed file that contains RPM packages with names defined in a pfile, a binary file that contains specific firmware information (timestamp, platform code, version, and so forth) and the names of the packages of firmware to be downloaded. You must unzip the firmware (using the UNIX tar or gzip command, or a Windows unzip program) before you can use the firmwaredownload command to update the firmware on your equipment.
When you unpack the downloaded firmware it expands into a directory that is named according to the version of Fabric OS it contains. For example, if you download and unpack Fabric OS v4.4.0.zip, it expands into a directory called v4.4.0. When you use the firmwaredownload command, you specify the path to the v4.4.0 directory and append the keyword release.plist to the path.

Checking connected switches

If the switch to be upgraded is running v4.1.0 firmware (or later), HP recommends that all switches directly connected to it be running versions no earlier than v2.6.1, v3.1.0, or v4.1.0. If some connected switches are running older firmware, upgrade them to at least the earliest recommended version (shown in Table 11) before upgrading firmware on your switch.
Table 11 Recommended firmware
HP StorageWorks switch (1)                                  Earliest recommended Fabric OS version
1 GB                                                        v2.6.1
SAN Switch 2/8-EL, SAN Switch 2/16-EL, SAN Switch 2/16      v3.1.0
SAN Switch 2/8V, SAN Switch 2/16V                           v4.2.0
SAN Switch 2/32                                             v4.1.0
SAN Switch 4/32                                             v4.4.0
Core Switch 2/64                                            v4.1.0
SAN Director 2/128                                          v4.2.0
1. During code activation on 2 GB switches, SAN Switch 2/8V, SAN Switch 2/16V, or SAN Switch 2/32 running Fabric OS v4.1.0 or later, data continues to flow between hosts and storage devices; however, fabric services are unavailable for a period of approximately 50-55 seconds. Possible disruption of the fabric can be minimized by ensuring that switches logically adjacent to these models (directly connected via an ISL) are running at the minimum Fabric OS v2.6.1 or later, v3.1.0 or later, or v4.1.0 or later. If 2 GB switches, SAN Switch 2/8V, SAN Switch 2/16V, or SAN Switch 2/32 are adjacent and you start firmware downloads on them at the same time, I/O might be disrupted.
To determine whether you need to upgrade connected switches before upgrading your switch, use the following procedure on each connected switch to display firmware information and build dates.
1. Connect to the switch and log in as admin.
2. Issue the version command.
The following information is displayed:
• Kernel: Displays the version of switch kernel operating system
• Fabric OS: Displays the version of switch Fabric OS
• Made on: Displays the build date of firmware running in switch
• Flash: Displays the install date of firmware stored in nonvolatile memory
• BootProm: Displays the version of the firmware stored in the boot PROM
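When there are several connected switches, the check described above can be run over saved version output. The following Python sketch is an added example, not part of the HP guide: it extracts the Fabric OS field and applies the per-family minimums stated at the start of this section (v2.6.1, v3.1.0, v4.1.0). The field labels are those listed above; the sample values, the function names, and the assumption that version strings have the form vN.N.N with an optional letter suffix are illustrative.

```python
import re

# Field labels follow the list in the guide; the values are constructed.
SAMPLE_VERSION_OUTPUT = """\
Kernel:     2.4.19
Fabric OS:  v4.0.0c
Made on:    Fri Mar 14 18:21:07 2003
Flash:      Mon Apr 7 09:12:44 2003
BootProm:   3.2.4
"""

# Earliest recommended release for each firmware family on connected switches.
EARLIEST = {2: (2, 6, 1, ""), 3: (3, 1, 0, ""), 4: (4, 1, 0, "")}


def parse_version_output(output):
    """Split 'Label: value' lines into a dict keyed by label."""
    fields = {}
    for line in output.splitlines():
        label, sep, value = line.partition(":")  # first colon only, so times survive
        if sep:
            fields[label.strip()] = value.strip()
    return fields


def parse_fos_version(text):
    """'v4.0.0c' -> (4, 0, 0, 'c'); raises ValueError on any other shape."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)([a-z]?)", text.strip())
    if not m:
        raise ValueError("unrecognized Fabric OS version: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def needs_upgrade(version_text):
    """True when the release is earlier than the minimum for its family."""
    version = parse_fos_version(version_text)
    minimum = EARLIEST.get(version[0])
    if minimum is None:
        # Families older than v2 are below every minimum; newer than v4 are above.
        return version[0] < min(EARLIEST)
    return version < minimum


def review_neighbors(outputs):
    """outputs maps switch name -> saved version output; returns names to upgrade."""
    flagged = []
    for name, output in outputs.items():
        fos = parse_version_output(output).get("Fabric OS")
        if fos is None or needs_upgrade(fos):
            flagged.append(name)  # missing field is treated as needing review
    return sorted(flagged)


if __name__ == "__main__":
    fleet = {
        "edge1": SAMPLE_VERSION_OUTPUT,
        "edge2": SAMPLE_VERSION_OUTPUT.replace("v4.0.0c", "v4.4.0"),
    }
    print(review_neighbors(fleet))
```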

About the download process

The firmwaredownload command downloads unzipped switch firmware from an FTP server to the switch’s nonvolatile storage area.
In the Core Switch 2/64 and SAN Director 2/128, this command by default downloads the firmware image to the two CP cards in rollover mode, to prevent disruption to application services. This operation depends on HA support. If HA is not available, experienced technicians can upgrade the CPs one at a time, using the -s option.
HP StorageWorks fixed-port switches and each CP card of the Core Switch 2/64 and SAN Director 2/128 have two partitions of nonvolatile storage areas (a primary and a secondary) to store two firmware images. The firmwaredownload command always loads the new image into the secondary partition and swaps the secondary partition to be the primary. It then reboots the partition and activates the new image. Finally, it performs the firmwarecommit procedure automatically, to copy the new image to the other partition.
Effects of firmware changes on accounts and passwords
Table 12 describes what happens to accounts and passwords when you replace the switch firmware with a different version. Upgrading means installing a newer version of firmware. Downgrading means installing an older version of firmware.
Table 12 Effect of firmware on accounts and passwords
Change: Upgrading
First time: Default accounts and their passwords are preserved.
Subsequent times (after upgrade, then downgrade, then upgrade): User-defined and default accounts and their passwords are preserved.
Change: Downgrading
First time: User-defined accounts are no longer valid. Default accounts and their passwords are preserved. If a default account was disabled, it is reenabled after the downgrade.
Subsequent times (after upgrade, then downgrade, then upgrade): User-defined and default accounts and their passwords are preserved, including accounts added after the first upgrade.
Change: Upgrading to v3.2.0 (You may upgrade a switch in the fabric as part of ”Checking connected switches” on page 79.)
Earlier versions allowed you to change the default account names. You cannot add user-defined accounts until you change the names back to default with the passwdDefault command.
For more details on older releases of Fabric OS, see ”Understanding legacy password behavior” on page 229.
Considerations for downgrading firmware
The following items must be considered before attempting to downgrade to an earlier version of Fabric OS:
• If your fabric is set to the extended edge PID format and you want to downgrade to an older Fabric OS version that does not support extended edge, you must change the PID to a supported format. For more information, see ”Configuring the PID format” on page 203.
• Downgrading a SAN Director 2/128 that is configured for two domains from Fabric OS v4.4.0 to Fabric OS v4.2.0 is not supported.
• If you are running v4.0.2 firmware on a SAN Switch 2/32, you cannot downgrade to earlier versions.

Upgrading HP StorageWorks SAN switches

The HP StorageWorks SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, and SAN Switch 4/32 maintain primary and secondary partitions for firmware. The firmwaredownload command defaults to an Auto Commit option that automatically copies the firmware from one partition to the other.
Do not override Auto Commit under normal circumstances; use the default. If you override the Auto Commit option (that is, use the single mode -s option with the firmwaredownload command and then specify no to the Auto Commit prompt), and then reboot with the hareboot command, you must execute the firmwarecommit command.
As an option, before starting a firmware download, HP suggests that you connect the switch with a console cable to a computer that is running a session capture. The information collected may be useful if needed for troubleshooting.
Summary of the upgrade process
The following summary describes the default behavior of the firmwaredownload command (without options) on the SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, and SAN Switch 4/32.
Issue the firmwaredownload command.
Fabric OS downloads firmware to the secondary partition.
The system performs an HA reboot (hareboot). After the hareboot, the former secondary partition is now the primary partition. The system replicates the firmware from the primary to the secondary partition.
Issue the firmwaredownloadstatus command to view the firmware process.
SAN Switch upgrade procedure
For the SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, and SAN Switch 4/32, the upgrade process first downloads and then commits the firmware to the switch. While the upgrade is proceeding, you can start another telnet session on the switch and observe the upgrade progress if you wish.
NOTE: After you start the process, do not enter any disruptive commands (such as reboot) that interrupt the process. The firmware download and commit process takes approximately 15 minutes. If there is a problem, wait for the time-out (30 minutes for network problems; 10 minutes for incorrect IP address). Disrupting the process can render the switch inoperable and require you to seek help from Customer Support.
Do not disconnect the switch from power during the process; the switch could become inoperable upon reboot.
Use the following procedure to upgrade firmware for the SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, and SAN Switch 4/32:
1. Verify that the FTP service is running on the host server and that you have a user ID on that server.
2. Obtain the firmware file from the HP StorageWorks web site at http://www.hp.com/country/us/eng/prodserv/storage.html and store the file on the FTP server. Verify that the FTP service is running.
3. Issue the firmwareshow command to check the current firmware version on connected switches. Upgrade their firmware if necessary before proceeding with upgrading this switch. See ”Checking connected switches” on page 79.
4. Connect to the switch and log in as admin.
5. Issue the firmwareshow command to check the current firmware version of the switch to verify compatibility with the version of firmware you are going to download.
NOTE: For the SAN Switch 2/32, if you are running Fabric OS v4.0.2, you cannot downgrade to earlier versions.
For the SAN Switches 2/8V and 2/16V, if you are running Fabric OS v4.2.0, you cannot downgrade to earlier versions.
6. Issue the firmwaredownload command.
7. At the Do you want to continue [y/n] prompt, enter y.
8. Respond to the prompts as follows:
Server Name or IP Address: Enter the name or IP address of the server where the firmware file is stored; for example, 192.1.2.3. You can enter a server name if DNS is enabled.
User name: Enter the user name of your account on the server; for example, JohnDoe.
File name: Specify the full path name of the firmware directory, appended by release.plist; for example, /pub/v4.4.0/release.plist.
Password: Enter your account password for the server.
After the firmware is downloaded, the switch reboots and starts the firmware commit.
9. After the reboot, connect to the switch and log in again as admin.
10. If you want to watch the upgrade progress, issue the firmwaredownloadstatus command to monitor the status of the firmware download.
11. After the firmware commit finishes, issue the firmwareshow command to display the firmware level for both partitions.
Example:
switch:admin> firmwaredownload
You can run firmwareDownloadStatus to get the status of this
command.
This command will cause the switch to reset and will require that
existing telnet, secure telnet or SSH sessions be restarted.
Do you want to continue [Y]: y
Server Name or IP Address: 192.1.2.3
User Name: JohnDoe
File Name: /pub/v4.4.0/release.plist
Password: xxxxx
Firmwaredownload has started.
0x8fd (Fabric OS): Switch: 0, Warning SULIB-FWDL_START, 3, Firmwaredownload command has started.
. . .
Log in again to view the upgrade progress; for example:
switch:admin> firmwaredownloadstatus
[0]: Tue Apr 20 10:32:34 2004 cp0: Firmwaredownload has started.
[1]: Tue Apr 20 10:36:07 2004 cp0: Firmwaredownload has completed successfully.
[2]: Tue Apr 20 10:57:09 2004 cp0: Firmwarecommit has started.
[3]: Tue Apr 20 10:36:07 2004 cp0: Firmwarecommit has completed successfully.
[4]: Tue Apr 20 11:03:28 2004 cp0: Firmwaredownload command has completed successfully.
switch:admin> firmwareshow
Primary partition: v4.4.0
Secondary Partition: v4.4.0
switch:admin>
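The firmwaredownloadstatus output above can be checked mechanically when it is captured in a session log. The following Python sketch is an added example, not part of the HP guide: it parses the entries, confirms that the five milestones shown in the fixed-port example appear in order, lists any messages outside that set for operator review, and reports entries whose timestamp is earlier than a preceding entry, as entry [3] in the guide's sample is. The milestone list is taken from that sample only; function and field names are illustrative.

```python
import re
from datetime import datetime
from typing import NamedTuple

# Entries copied from the firmwaredownloadstatus example in the guide.
SAMPLE = """\
[0]: Tue Apr 20 10:32:34 2004 cp0: Firmwaredownload has started.
[1]: Tue Apr 20 10:36:07 2004 cp0: Firmwaredownload has completed successfully.
[2]: Tue Apr 20 10:57:09 2004 cp0: Firmwarecommit has started.
[3]: Tue Apr 20 10:36:07 2004 cp0: Firmwarecommit has completed successfully.
[4]: Tue Apr 20 11:03:28 2004 cp0: Firmwaredownload command has completed successfully.
"""

# Messages of a completed upgrade, in the order the guide's sample shows them.
MILESTONES = [
    "Firmwaredownload has started.",
    "Firmwaredownload has completed successfully.",
    "Firmwarecommit has started.",
    "Firmwarecommit has completed successfully.",
    "Firmwaredownload command has completed successfully.",
]


class Entry(NamedTuple):
    index: int
    when: datetime
    slot: str
    message: str


LINE = re.compile(
    r"^\[(\d+)\]:\s+(\w{3}\s+\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})"
    r"\s+(\w+):\s+(.*\S)\s*$",
    re.MULTILINE,
)


def parse_status(text):
    """Return the status entries found in captured output, in listed order."""
    entries = []
    for m in LINE.finditer(text):
        stamp = " ".join(m.group(2).split())  # collapse padding before single-digit days
        when = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
        entries.append(Entry(int(m.group(1)), when, m.group(3), m.group(4)))
    return entries


def audit(entries):
    """Check milestone order and timestamp monotonicity of parsed entries."""
    messages = [e.message for e in entries]
    missing, pos = [], 0
    for milestone in MILESTONES:
        try:
            pos = messages.index(milestone, pos) + 1  # must appear after the previous one
        except ValueError:
            missing.append(milestone)
    out_of_order, latest = [], None
    for e in entries:
        if latest is not None and e.when < latest:
            out_of_order.append(e.index)
        else:
            latest = e.when
    unexpected = [e.message for e in entries if e.message not in MILESTONES]
    return {
        "complete": not missing,
        "missing": missing,
        "out_of_order": out_of_order,
        "unexpected": unexpected,
    }


if __name__ == "__main__":
    print(audit(parse_status(SAMPLE)))
```

An out-of-order timestamp does not by itself indicate a failed upgrade, but it is worth noting when the captured log is later used to reconstruct a timeline.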

Upgrading the Core Switch 2/64 and the SAN Director 2/128

You can download firmware to the Core Switch 2/64 and SAN Director 2/128 without disrupting the overall fabric if the two CP cards are installed and fully synchronized. Use the hashow command to confirm synchronization. If only one CP card is powered on, the switch must reboot to activate firmware, which is disruptive to the overall fabric.
If there is an error during the firmware download, the system ensures that the two partitions of a CP card contain the same version of firmware. However, the two CP cards might contain different versions of firmware; in that event, repeat the firmware download process.
During the upgrade process the director fails over to its standby CP card and the IP addresses for the two logical switches move to that CP card's Ethernet port. This might cause informational ARP address reassignment messages to appear on other switches in the fabric. This is normal behavior, because the association between the IP addresses and MAC addresses has changed.
Summary of the upgrade process
The following summary describes the default behavior of the firmwaredownload command (without options) on the Core Switch 2/64 and SAN Director 2/128.
Issue the firmwaredownload command on the active CP card.
The standby CP card downloads firmware.
The standby CP card reboots and comes up with the new Fabric OS.
The active CP card synchronizes its state with the standby CP card.
The active CP card forces a failover and reboots to become the standby CP card.
The new standby CP card (the active CP card before the failover) downloads firmware.
The new standby CP card reboots and comes up with the new Fabric OS.
The new active CP card synchronizes its state with the new standby CP card.
The firmwarecommit command runs automatically on both CP cards.
NOTE: After you start the process, do not enter any disruptive commands (such as reboot) that interrupt the process. The entire firmware download and commit process takes approximately 15 minutes. If there is a problem, wait for the time-out (30 minutes for network problems; 10 minutes for incorrect IP address). Disrupting the process can render the switch inoperable and require you to seek help from Customer Support.
Do not disconnect the switch from power during the process, because the switch could become inoperable upon reboot.
Core Switch 2/64 and SAN Director 2/128 upgrade procedure
The Core Switch 2/64 has four IP addresses: one for each of the two logical switches (switch 0 and switch 1) and one for each of the two CP cards (CP0 in slot 5 and CP1 in slot 6). The SAN Director 2/128 in its default configuration has three IP addresses, but it can be configured for four.
NOTE: By default, the firmwaredownload command automatically upgrades both the active CP card and the standby CP card. When upgrading a Core Switch 2/64 that is running v4.0.0c or earlier, you must upgrade each CP card separately, as described in ”To upgrade a single Core Switch 2/64 or SAN Director 2/128 CP card:” on page 240. You should not use this procedure under normal circumstances.
Follow this procedure to upgrade the firmware on the Core Switch 2/64 and the SAN Director 2/128:
1. Verify that the FTP service is running on the host server and that you have a user ID on that server.
2. Obtain the firmware file from the HP StorageWorks web site at http://www.hp.com/country/us/eng/prodserv/storage.html and store the file on the FTP server. Verify that the FTP service is running.
3. Use the firmwareshow command to check the current firmware version on connected switches. Upgrade their firmware if necessary before proceeding with upgrading this switch. See ”Checking connected switches” on page 79.
4. Using a telnet session, connect to the switch and log in as admin.
5. For the Core Switch 2/64, issue the firmwareshow command to check the current firmware version of the switch.
If the switch is running v4.0.0c or earlier, and you want to downgrade to an earlier version, you must load firmware to each CP card separately using the procedure in ”To upgrade a single Core Switch 2/64 or SAN Director 2/128 CP card:” on page 240.
6. Issue the hashow command to confirm that the two CP cards are synchronized. CP cards must be synchronized and running Fabric OS v4.1.0 or later to provide a nondisruptive download. If the two CP cards are not synchronized, and the current firmware version is 4.1.0 or later, issue the hasyncstart command to synchronize the two CP cards. In the following example, the active CP card is CP1 and the standby CP card is CP0.
Example:
switch:admin> hashow Local CP (Slot 6, CP1): Active Remote CP (Slot 5, CP0): Standby HA Enabled, Heartbeat up, HA State is in Sync switch:admin>
7. Log in to either of the logical switches.
8. Issue the firmwaredownload command.
9. At the Do you want to continue [y/n] prompt enter: y
10. Respond to the prompts as follows:
Server Name or IP Address: Enter the name or IP address of the server where the firmware file is stored; for example, 192.1.2.3. You can enter a server name if DNS is enabled.
User name: Enter the user name of your account on the server; for example, JohnDoe.
File name: Specify the full path name of the firmware directory, appended by release.plist; for example, /pub/v4.4.0/release.plist.
Password: Enter your account password for the server.
The firmware is downloaded to one CP card at a time, beginning with the standby CP card. During the process, the active CP card is failed over. After the firmware is downloaded, a firmware commit starts on both CP cards.
11. Optionally, after the failover, connect to the switch and log in again as admin.
12. Issue the firmwaredownloadstatus command to monitor the firmwaredownload status.
13. Issue the firmwareshow command to display the new firmware versions.
Example:
switch:admin> firmwaredownload
This command will upgrade both CPs in the switch. If you what to upgrade a single CP only, please use -s option.
You can run firmwareDownloadStatus to get the status of this command.
This command will cause the active CP to reset and will require that existing telnet, secure telnet, or SSH sessions be restarted.
Do you want to continue [Y]: y
Server Name or IP Address: 192.1.2.3
User Name: JohnDoe
File Name: /pub/v4.4.0/release.plist
Password:*****
FirmwareDownload has started on Standby CP. It may take up to 30 minutes.
Firmwaredownload has completed successfully on Standby CP.
. . .
Standby CP reboots.
Standby CP booted up.
Standby CP booted up with new firmware.
cp1: Firmwarecommit has started on both Active and Standby CPs.
cp1: Firmwarecommit has completed successfully on Active CP.
cp1: Firmwaredownload command has completed successfully.
switch:admin>
Start a new session to view the upgrade progress:
switch:admin> firmwaredownloadstatus
[0]: Tue Apr 20 15:18:56 2003
cp0: Firmwaredownload has started on Standby CP. It may take up to 10 minutes.
[1]: Tue Apr 20 15:24:17 2003
cp0: Firmwaredownload has completed successfully on Standby CP.
[2]: Tue Apr 20 15:24:19 2003
cp0: Standby CP reboots.
[3]: Tue Apr 20 15:27:06 2003
cp0: Standby CP booted up.
[4]: Tue Apr 20 15:29:01 2003
cp1: Active CP forced failover succeeded. Now this CP becomes Active.
[5]: Tue Apr 20 15:29:05 2003
cp1: Firmwaredownload has started on Standby CP. It may take up to 30 minutes.
[6]: Tue Apr 20 15:34:16 2003
cp1: Firmwaredownload has completed successfully on Standby CP.
[7]: Tue Apr 20 15:34:19 2003
cp1: Standby CP reboots.
[8]: Tue Apr 20 15:36:59 2003
cp1: Standby CP booted up with new firmware.
[9]: Tue Apr 20 15:37:04 2003
cp1: Firmwarecommit has started on both Active and Standby CPs.
[10]: Tue Apr 20 15:42:48 2003
cp1: Firmwarecommit has completed successfully on Active CP.
[11]: Tue Apr 20 15:42:49 2003
cp1: Firmwaredownload command has completed successfully.
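A scripted check of the firmwaredownloadstatus log shown above, added here as an example and not part of the original guide: it parses the entries, confirms that every download phase and the firmware commit finished, and reports any gap longer than the 30-minute network time-out. The function names are hypothetical, and the stalled log is constructed by truncating the guide's sample.

```python
import re
from datetime import datetime, timedelta

# firmwaredownloadstatus output as printed in this guide.
COMPLETE_LOG = """\
[0]: Tue Apr 20 15:18:56 2003
cp0: Firmwaredownload has started on Standby CP. It may take up to 10 minutes.
[1]: Tue Apr 20 15:24:17 2003
cp0: Firmwaredownload has completed successfully on Standby CP.
[2]: Tue Apr 20 15:24:19 2003
cp0: Standby CP reboots.
[3]: Tue Apr 20 15:27:06 2003
cp0: Standby CP booted up.
[4]: Tue Apr 20 15:29:01 2003
cp1: Active CP forced failover succeeded. Now this CP becomes Active.
[5]: Tue Apr 20 15:29:05 2003
cp1: Firmwaredownload has started on Standby CP. It may take up to 30 minutes.
[6]: Tue Apr 20 15:34:16 2003
cp1: Firmwaredownload has completed successfully on Standby CP.
[7]: Tue Apr 20 15:34:19 2003
cp1: Standby CP reboots.
[8]: Tue Apr 20 15:36:59 2003
cp1: Standby CP booted up with new firmware.
[9]: Tue Apr 20 15:37:04 2003
cp1: Firmwarecommit has started on both Active and Standby CPs.
[10]: Tue Apr 20 15:42:48 2003
cp1: Firmwarecommit has completed successfully on Active CP.
[11]: Tue Apr 20 15:42:49 2003
cp1: Firmwaredownload command has completed successfully.
"""

# Constructed sample: the same log cut off after entry [5], as if the
# second download never finished.
STALLED_LOG = "\n".join(COMPLETE_LOG.splitlines()[:12])

# One entry: "[n]: <weekday> <month day time year> cpN: <message>".
# Works whether entries are on separate lines or run together on one line.
ENTRY_RE = re.compile(
    r"\[(\d+)\]:\s+\w{3}\s+(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4})\s+"
    r"(cp\d+):\s+(.*?)(?=\s*\[\d+\]:|\s*\Z)",
    re.S,
)

# Time-out this guide quotes for network problems during a download.
NETWORK_TIMEOUT = timedelta(minutes=30)


def parse_status(text):
    """Return a list of (index, timestamp, cp, message) tuples."""
    entries = []
    for idx, stamp, cp, msg in ENTRY_RE.findall(text):
        when = datetime.strptime(" ".join(stamp.split()), "%b %d %H:%M:%S %Y")
        entries.append((int(idx), when, cp, " ".join(msg.split())))
    return entries


def check_upgrade(entries, max_gap=NETWORK_TIMEOUT):
    """Return (elapsed, findings); an empty findings list means a clean run."""
    if not entries:
        return timedelta(0), ["no status entries found"]
    findings = []
    messages = [msg for _, _, _, msg in entries]
    if [i for i, *_ in entries] != list(range(len(entries))):
        findings.append("entry numbers are not contiguous; log may be incomplete")
    started = sum(m.startswith("Firmwaredownload has started") for m in messages)
    finished = sum(
        m.startswith("Firmwaredownload has completed successfully on") for m in messages
    )
    if started != finished:
        findings.append(f"{started} download(s) started but {finished} completed")
    if not any(m.startswith("Firmwarecommit has completed successfully") for m in messages):
        findings.append("firmware commit did not complete")
    if messages[-1] != "Firmwaredownload command has completed successfully.":
        findings.append("final success message missing")
    for (i, t0, _, _), (j, t1, _, _) in zip(entries, entries[1:]):
        if t1 - t0 > max_gap:
            findings.append(f"gap of {t1 - t0} between entries [{i}] and [{j}]")
    return entries[-1][1] - entries[0][1], findings


if __name__ == "__main__":
    for name, log in (("complete", COMPLETE_LOG), ("stalled", STALLED_LOG)):
        elapsed, findings = check_upgrade(parse_status(log))
        print(name, elapsed, findings or "OK")
```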

Troubleshooting firmware downloads

A firmware download can fail for many reasons, such as a power failure, a failed network connection, a failed FTP server, or an incorrect path to unpacked firmware files. In most cases, the firmware is not affected. You can make necessary corrections (for example, check the Ethernet cables and check the file path names) and then run the firmwaredownload command again.
NOTE: Under firmware versions earlier than v4.1.0, do not perform a firmware download while the switch is running POST. If a firmware download is attempted on a Core Switch 2/64 while POST is running, it might fail because the CP cards cannot synchronize with each other.
Issue the firmwareshow command to see whether both CP cards have the same firmware. In this example, the active CP card has the old version of firmware and the standby CP card has the new version:
switch:admin> firmwareshow
Local CP (Slot 5, CP0): Active
Primary partition: v4.2.0
Secondary Partition: v4.2.0
Remote CP (Slot 6, CP1): Standby
Primary partition: v4.4.0
Secondary Partition: v4.4.0
switch:admin>
Decide which firmware version you want to be applied to both CP cards. Then repeat the download procedure.

5 Configuring the Core Switch 2/64 and the SAN Director 2/128

This chapter contains procedures that are specific to the Core Switch 2/64 and the SAN Director 2/128 and consists of the following sections:
• Identifying ports
• Basic card management
• Setting chassis configurations
• Setting the card beacon mode
Because these switches contain interchangeable 16-port cards (the software calls them blades), their procedures differ from those for the SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, and the SAN Switch 4/32 fixed-port switches. For example, fixed-port models identify ports by domain, port number, while director models identify ports by slot/port number.
Also, because the Core Switch 2/64 comprises two logical switches (domains) and the SAN Director 2/128 in its default configuration has only one domain, procedures for the two directors sometimes differ from one another.
For detailed information about the Core Switch 2/64 and the SAN Director 2/128, refer to their hardware reference manuals.

Identifying ports

The Core Switch 2/64 and the SAN Director 2/128 have slots and can have a variable number of ports within a given domain. Ports are identified by their combined slot number and port number.
There are a total of 10 slots that contain cards:
• Slot numbers 5 and 6 contain control processor cards (CPs).
• Slot numbers 1 through 4 and 7 through 10 contain port cards.
On each port card, there are 16 ports (counted from the bottom, 0 to 15). A particular port must be represented by both slot number (1 through 4 and 7 through 10) and port number (0 through 15).
The Core Switch 2/64 is divided into two logical switches, where slots 1 through 4 are logical switch 0 (sw0) and slots 7 through 10 are logical switch 1 (sw1). You must be connected to the logical switch that represents the slot where you want to execute a command.
In the SAN Director 2/128 default configuration, all the ports are part of a single logical switch. With Fabric OS v4.4.0 and later, you can configure the SAN Director 2/128 as two logical switches (domains).
The following sections tell how to identify ports on the Core Switch 2/64 and the SAN Director 2/128, and how to identify ports for zoning commands.

By slot and port number

To select a specific port in the Core Switch 2/64 and the SAN Director 2/128, you must identify both the slot number and the port number using the format slot number/port number. No spaces are allowed between the slot number, the slash (/), and the port number.
The following example shows how to enable port 4 on a card in slot 2:
switch:admin> portenable 2/4

By port area ID

Zoning commands require that you specify ports using the area ID method. In Fabric OS v4.0.0 and later, each port on a particular domain is given a unique area ID. How the port number is related to the area ID depends upon the PID format used in the fabric:
• When Core PID mode is in effect, the area ID for port 0 is 0, for port 1, it is 1, and so forth. When using Core PID mode on the Core Switch 2/64 (two logical 64-port switches) and the SAN Director 2/128 configured with two domains, the area IDs for both logical switches (domains) range from 0 to 63. This means that both logical switch 0 and logical switch 1 have a port that is referenced with area ID 0.
• When Extended Edge PID mode is in effect, the area ID is the port number plus 16 for ports 0 to 111. For port numbers higher than 111, the area ID wraps around so that port 112 has an area ID of 0, and so on. Each 64-port logical switch (domain) has area IDs ranging from 16 to 79.
To determine the area ID of a particular port, enter the switchshow command. This command displays all ports on the current (logical) switch and their corresponding area IDs.
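The two area ID mappings described above, added here as an example and not part of the original guide: it converts port numbers to area IDs in either PID format, inverts the mapping, and remaps the area IDs of (domain, area) zone members when the PID format changes. The mode labels "core" and "extended_edge" and all function names are hypothetical names chosen for this example.

```python
MAX_PORTS = 128            # largest domain in this guide: one 128-port switch
EXTENDED_EDGE_OFFSET = 16  # "port number plus 16" in Extended Edge PID mode
MODES = ("core", "extended_edge")


def _check(value, mode, what):
    if mode not in MODES:
        raise ValueError(f"unknown PID mode {mode!r}")
    if not 0 <= value < MAX_PORTS:
        raise ValueError(f"{what} {value} outside 0-{MAX_PORTS - 1}")


def area_id(port, mode):
    """Area ID of a port number within its domain."""
    _check(port, mode, "port")
    if mode == "core":
        return port
    # Ports 0-111 map to 16-127; ports 112-127 wrap around to 0-15.
    return (port + EXTENDED_EDGE_OFFSET) % MAX_PORTS


def port_number(area, mode):
    """Inverse of area_id(): port number that carries a given area ID."""
    _check(area, mode, "area ID")
    if mode == "core":
        return area
    return (area - EXTENDED_EDGE_OFFSET) % MAX_PORTS


def area_range(port_count, mode):
    """(lowest, highest) area ID on a domain with ports 0..port_count-1."""
    areas = [area_id(p, mode) for p in range(port_count)]
    return min(areas), max(areas)


def remap_members(members, old_mode, new_mode):
    """Translate (domain, area) zone members from one PID format to another.

    The domain is kept as-is: in Core PID mode both logical switches of a
    two-domain chassis use area IDs 0-63, so the area ID alone is ambiguous.
    """
    return [
        (domain, area_id(port_number(area, old_mode), new_mode))
        for domain, area in members
    ]


if __name__ == "__main__":
    print(area_range(64, "core"), area_range(64, "extended_edge"))
    print(remap_members([(1, 0), (2, 0), (1, 63)], "core", "extended_edge"))
```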

Basic card management

The following sections provide procedures for powering a card on and off and for disabling and enabling a card.

Powering port cards on and off

Port cards are powered on by default.
To power off a port card:
1. Connect to the switch and log in as admin.
2. Issue the slotpoweroff command with the slot number of the card you want to power off.
The slot must exist in the logical switch where you are logged in.
Example:
switch:admin> slotpoweroff 3
Slot 3 is being powered off
switch:admin>
To provide power to a port card:
1. Connect to the switch and log in as admin.
2. Issue the slotpoweron command with the slot number of the card you want to power on.
The slot must exist in the logical switch where you are logged in.
Example:
switch:admin> slotpoweron 3
Powering on slot 3
switch:admin>

Disabling and enabling cards

Cards are enabled by default.
You might need to disable a card to perform diagnostics. When diagnostics are executed manually (from the Fabric OS command line), many commands require the card to be disabled. This ensures that diagnostic activity does not interfere or disturb normal fabric traffic.
To disable a card:
1. Connect to the switch and log in as admin.
2. Issue the slotoff command with the slot number of the card you want to disable.
Example:
switch:admin> slotoff 3
Slot 3 is being disabled
switch:admin>
To enable a card:
1. Connect to the switch and log in as admin.
2. Issue the sloton command with the slot number of the card you want to enable.
Example:
switch:admin> sloton 3
Slot 3 is being enabled
switch:admin>

Conserving power

To conserve power and ensure that more critical components are the least affected by a power fluctuation, you can power off components in a specified order using the powerofflistset command.
The available power is compared to the power demand to determine if there is enough power to operate. If there is less power available than the demand, the power-off list is processed until there is enough power for operation. By default, the processing proceeds from slot 1 to the last slot in the chassis. As power becomes available, slots are powered up in the reverse order.
NOTE: Some FRUs in the chassis may use significant power, yet cannot be powered off through software. For example, a missing blower FRU may change the power computation enough to affect how many slots can be powered up.
The powerofflistshow command displays the power-off order.

Setting chassis configurations

The chassisconfig command allows you to set the chassis configuration for products that support both single-switch (one domain) and dual-switch (two domains) operation.
Table 13 lists the supported options for Fabric OS v4.4.0 or later. In the table, Blade ID 4 indicates a SAN Director 2/128 card, and Blade ID 2 indicates a Core Switch 2/64 card.

Table 13 Supported options

Option Result
1 One 128-port switch (Blade ID 4 on slots 1–4, 7–10)
2 Two 64-port switches (Blade ID 4 on slots 1–4, 7–10)
3 Two 64-port switches (Blade ID 4 on slots 1–4, ID 2 on slots 7–10)
4 Two 64-port switches (Blade ID 2 on slots 1–4, ID 4 on slots 7–10)
The following sections contain procedures for obtaining chassis information, and for configuring director domains using the chassisconfig command.

Obtaining slot information

For a Core Switch 2/64 or a SAN Director 2/128 configured as two logical switches, the chassis-wide commands display or control both logical switches. In the default configuration, the SAN Director 2/128 is configured as one logical switch, so the chassis-wide commands display and control the single logical switch.
To display the status of all slots in the chassis:
1. Connect to the switch and log in as user or admin.
2. Issue the slotshow command to display the current status of each slot in the system.
The format of the display includes a header and four fields for each slot. The fields and their possible values are:
Table 14 Header fields
Field        Value
Slot         Displays the physical slot number.
Blade type   Displays the card type:
             • SW BLADE: The card is a switch.
             • CP BLADE: The card is a control processor.
             • UNKNOWN: The card is not present or its type is not recognized.
ID           Displays the hardware ID of the card type.
Status       Displays the status of the card:
             • VACANT: The slot is empty.
             • INSERTED, NOT POWERED ON: The card is present in the slot, but is turned off.
             • DIAG RUNNING POST1: The card is present, powered on, and running the post initialization power on self tests.
             • DIAG RUNNING POST2: The card is present, powered on, and running the power-on self test.
             • ENABLED: The card is on and enabled.
             • ENABLED (User Ports Disabled): The card is on, but external ports have been disabled with the bladedisable command.
             • DISABLED: The card is powered on, but disabled.
             • FAULTY: The card is faulty because an error has been detected. The reason code numbers displayed are for use in debugging.
             • UNKNOWN: The card is inserted but its state cannot be determined.

Configuring a new SAN Director 2/128 with two domains

By default, the SAN Director 2/128 is configured as one 128-port switch (one domain). Use the following procedure to add a new SAN Director 2/128 to a fabric and configure it as two 64-port switches (two domains). The procedure assumes that the new director:
• Has been installed and connected to power, but is not yet attached to the fabric.
• Has been given an IP address, but is otherwise running factory defaults. If this is not the case, back up the current configuration before starting, so that you can restore it later if necessary.
• Is running Fabric OS v4.4.0 or later.
1. Connect to the switch and log in as admin.
2. Issue the chassisconfig command without options to verify that the switch is configured with one domain. For example:
chassisconfig
Current Option: 1
3. Issue the chassisconfig command to configure two domains. Use the -f option to suppress prompting for uploading the configuration. This command reboots the system.
chassisconfig -f 2
Current Option changed to 2
Restoring switch 0 configuration to factory defaults...
All account passwords have been successfully set to factory default.
Restoring switch 1 configuration to factory defaults...
All account passwords have been successfully set to factory default.
4. After the system reboots, log in again to the first logical switch (sw0) as admin.
5. Use the configure command to configure sw0 to match your fabric specifications.
If the director is to be merged into an existing fabric, do not configure zoning parameters; these are propagated automatically when you merge the director into the fabric.
6. Log in to the second logical switch (sw1) as admin.
7. Use the configure command to configure sw1 to match your fabric specifications.
If the director is to be merged into an existing fabric, do not configure zoning parameters; these are propagated automatically when you merge the director into the fabric.
8. If the fabric is in secure mode, perform the following steps; otherwise, proceed to step 9. (Refer to the HP StorageWorks Secure Fabric OS user guide for specific instructions.)
a. Optionally, to configure sw0 and sw1 in one operation, connect them with an ISL link to form a temporary fabric.
b. If you want sw0 and sw1 to be fabric configuration servers, update the overall fabric’s FCS policy to include them. If not, skip this step.
c. On sw0, enable security mode and use the secmodeenable command to create an FCS list that matches your overall fabric’s FCS policy.
d. Reset the version stamp on sw0.
e. If you connected sw0 and sw1 in step 8a and you do not want them connected, disconnect the ISL link between them. If you did not connect them, repeat step 8b through step 8d on sw1.
9. Optional: Connect the new two-domain SAN Director 2/128 to the fabric.
10. Issue the fabricshow command to verify that sw0 and sw1 have been merged with the fabric.
11. Issue the cfgshow command to verify that zoning parameters were propagated.

Converting an installed SAN Director 2/128 to support two domains

Fabric OS versions earlier than v4.4.0 supported only one domain for the SAN Director 2/128 (one 128-port logical switch). When you upgrade a SAN Director 2/128 to Fabric OS v4.4.0 or later, you can use the chassisconfig command to specify two domains for the director (two 64-port logical switches, sw0 and sw1).
NOTE: This procedure restores most configuration parameters to factory defaults. After performing this procedure, you must check the new configuration and reconfigure those parameters that you customized in the old configuration.
During this procedure, power is reset and the CP cards are rebooted, so traffic on the fabric is disrupted. If the fabric is in secure mode, enabling security on the new domains is a complicated task. You should avoid converting existing core switches.
1. Connect to the switch and log in as admin.
2. If the director is already in a fabric, minimize disruption by removing the director from the fabric using one of the following methods:
• Physically disconnect the director.
• Use the portcfgpersistentdisable command on all connected remote switches to persistently disable ports that are connected to the director.
3. Issue the chassisconfig command to change the configuration from the default (one domain) to two domains. This command reboots the system.
chassisconfig 2
During the conversion, you are prompted to save the configuration of sw0. Follow the prompts to save the configuration file.
4. After the system reboots, log in again as admin to each logical switch.
5. Using the configuration file saved in step 3 as a guide, manually reconfigure sw0 and sw1.
Do not configure zoning parameters; these are propagated automatically when you merge the director into the fabric.
6. If the fabric is in secure mode, perform the following steps; otherwise, proceed to step 7.
a. Optionally, to configure sw0 and sw1 in one operation, connect them with an ISL link to form a temporary fabric.
b. If you want sw0 and sw1 to be fabric configuration servers, update the overall fabric’s FCS policy to include them. If not, skip this step.
c. On sw0, enable security mode and use the secmodeenable command to create an FCS list that matches your overall fabric’s FCS policy.
d. Reset the version stamp on sw0.
e. If you connected sw0 and sw1 in step 6a and you do not want them connected, disconnect the ISL link between them. If you did not connect them, repeat step 6b through step 6d on sw1.
7. If you physically disconnected the switch in step 2, reconnect it to the fabric.
If you used the portcfgpersistentdisable command in step 2, use the portcfgpersistentenable command to persistently enable all ports that connect the switch to other switches in the fabric.
8. Use the fabricshow command to verify that sw0 and sw1 have been merged with the fabric.
9. Use the configshow command to verify that zoning parameters were propagated.

Combining Core Switch 2/64 and SAN Director 2/128 cards in one chassis

You can preserve your investment in legacy equipment by combining Core Switch 2/64 cards and SAN Director 2/128 cards in one chassis.
The following procedure assumes that:
• The Core Switch 2/64 has one logical switch (sw0, slots 1 through 4) populated with port cards. (You can perform the same procedure on sw1 slots 7–10.) The other side of the chassis is empty.
• Fabric OS firmware v4.4.0 or later is already installed on the new SAN Director 2/128 CP cards.
The result of the procedure is a system populated with four Core Switch 2/64 port cards in slots 1 through 4, two SAN Director 2/128 CP cards in slots 5 and 6, and four SAN Director 2/128 port cards in slots 7 through 10 and configured with two domains.
Consider the following rules and guidelines:
• Because this procedure requires power reset and rebooting, traffic on the fabric is disrupted.
• You should be familiar with the standard procedures for shutting down the equipment. Refer to the HP StorageWorks Core Switch 2/64 and SAN Director 2/128 installation guide, which contains more details on disconnecting an HP StorageWorks model from the network and fabric.
• The result of this procedure is two 64-port logical switches (domains) that communicate through external ISLs.
• Only similar port cards can be inserted in the same logical switch (slots 1 through 4 or slots 7 through 10); you cannot install Core Switch 2/64 and SAN Director 2/128 port cards in the same logical switch.
• Before installing Core Switch 2/64 cards in a SAN Director 2/128 chassis, review the power supply requirements in the Core Switch 2/64 hardware reference manual and make sure you meet the higher power requirements of the Core Switch 2/64 cards. You need enough power supplies in the SAN Director 2/128 chassis to ensure uninterrupted performance if a power supply fails.
• You must replace both of the Core Switch 2/64 CP cards with SAN Director 2/128 CP cards running Fabric OS v4.4.0 or later. Using dissimilar CP cards in the same chassis is not allowed.
To combine Core Switch 2/64 and SAN Director 2/128 cards in one chassis:
1. Connect to the switch and log in as admin.
2. Use the configupload command to back up the configuration of sw0 (slots 1 through 4).
3. Issue the switchshutdown command to ensure a graceful shutdown of sw0. Wait until the command finishes and displays the message:
Cleaning up kernel modules . . . . .Done
The following is a sample output from the command:
SW0:admin> switchshutdown
Stopping all switch daemons...Done.
Powering off slot 1...Done.
Powering off slot 4...Done.
Checking all slots are powered off...Done.
Cleaning up kernel modules.....Done
SW0:admin>
4. Shut down the power to the switch.
For details on the switchshutdown command, refer to the HP StorageWorks Fabric OS 4.x command reference guide or to the online help. For details on shutdown procedures, refer to the HP StorageWorks Core Switch 2/64 and SAN Director 2/128 installation guide.
5. Remove the Core Switch 2/64 CP cards from slots 5 and 6 of the chassis.
6. Insert the SAN Director 2/128 CP cards into slots 5 and 6 of the chassis.
7. Insert the SAN Director 2/128 port cards into the empty side of the chassis (slots 7 through 10).
8. Restore power to the switch.
By default, the switch starts up in single domain mode (one 128-port switch) with slots 1 through 4 set to faulty.
9. Connect to the switch and log in as admin.
10. Issue the slotshow command to view the status of the cards in each slot. The Core Switch 2/64 cards (ID = 2) show FAULTY status. For example:
slotshow
Slot  Blade Type  ID  Status
1     SW BLADE    2   FAULTY (9)
2     SW BLADE    2   FAULTY (9)
3     SW BLADE    2   FAULTY (9)
4     SW BLADE    2   FAULTY (9)
5     CP BLADE    5   ENABLED
6     CP BLADE    5   ENABLED
7     SW BLADE    4   ENABLED
8     SW BLADE    4   ENABLED
9     SW BLADE    4   ENABLED
10    SW BLADE    4   ENABLED
11. Issue the chassisconfig command to configure two domains. Use the -f option to suppress prompting for uploading the configuration and the 4 option to specify two 64-port switches (Blade ID 2 on slots 1–4, ID 4 on slots 7–10). This command reboots the system.
chassisconfig -f 4
Current Option changed to 4
Restoring switch 0 configuration to factory defaults...
All account passwords have been successfully set to factory default.
Restoring switch 1 configuration to factory defaults...
All account passwords have been successfully set to factory default.
12. After the system reboots, log in again as admin to each logical switch.
Passwords have been changed to the defaults. You can either change the account passwords or press Ctrl+c to bypass prompts.
13. Issue the chassisconfig command without options to verify the change to two domains.
For example:
chassisconfig
Current Option: 4
14. Issue the slotshow command to verify that there are no faulty cards. If POST diagnostics are running, allow them to finish, which takes several minutes.
slotshow
Slot  Blade Type  ID  Status
1     SW BLADE    2   DIAG RUNNING POST1
2     SW BLADE    2   DIAG RUNNING POST1
3     SW BLADE    2   DIAG RUNNING POST1
4     SW BLADE    2   DIAG RUNNING POST1
5     CP BLADE    5   DIAG RUNNING POST1
6     CP BLADE    5   DIAG RUNNING POST1
7     SW BLADE    4   DIAG RUNNING POST1
8     SW BLADE    4   DIAG RUNNING POST1
9     SW BLADE    4   DIAG RUNNING POST1
10    SW BLADE    4   DIAG RUNNING POST1
15. Reissue the slotshow command until you see that POST diagnostics are finished and the status of all cards is Enabled. For example:
slotshow
Slot  Blade Type  ID  Status
1     SW BLADE    2   ENABLED
2     SW BLADE    2   ENABLED
3     SW BLADE    2   ENABLED
4     SW BLADE    2   ENABLED
5     CP BLADE    5   ENABLED
6     CP BLADE    5   ENABLED
7     SW BLADE    4   ENABLED
8     SW BLADE    4   ENABLED
9     SW BLADE    4   ENABLED
10    SW BLADE    4   ENABLED
16. Issue the switchshow command to verify that port initialization is complete (no ports are shown as Testing and all E_Ports, F_Ports, and L_Ports are Online).
17. Use the configdownload command to restore the configuration of sw0 (saved in step 2).
18. Manually configure sw1 as desired.
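A check that ties the slotshow output to the chassisconfig options in Table 13, added here as an example and not part of the original guide: it parses slotshow, flags FAULTY cards and port cards whose blade ID does not fit the selected option, and reports whether POST is still running. The function names are hypothetical; the sample outputs are the ones shown in steps 10, 14, and 15.

```python
import re

# Table 13: blade ID expected in slots 1-4 and in slots 7-10 per option.
EXPECTED_BLADE_ID = {1: (4, 4), 2: (4, 4), 3: (4, 2), 4: (2, 4)}
CP_SLOTS = (5, 6)

# slotshow output from step 10 (default option 1, Core Switch 2/64 cards faulty).
SLOTSHOW_STEP10 = """\
Slot  Blade Type  ID  Status
1     SW BLADE    2   FAULTY (9)
2     SW BLADE    2   FAULTY (9)
3     SW BLADE    2   FAULTY (9)
4     SW BLADE    2   FAULTY (9)
5     CP BLADE    5   ENABLED
6     CP BLADE    5   ENABLED
7     SW BLADE    4   ENABLED
8     SW BLADE    4   ENABLED
9     SW BLADE    4   ENABLED
10    SW BLADE    4   ENABLED
"""
# Steps 14 and 15 show the same rows with a different Status column.
SLOTSHOW_STEP14 = re.sub(r"FAULTY \(9\)|ENABLED", "DIAG RUNNING POST1", SLOTSHOW_STEP10)
SLOTSHOW_STEP15 = SLOTSHOW_STEP10.replace("FAULTY (9)", "ENABLED")

# The ID column is treated as optional (an assumption of this example) so
# that a row without an ID still parses.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(SW BLADE|CP BLADE|UNKNOWN)\s+(?:(\d+)\s+)?(\S.*?)\s*$"
)


def parse_slotshow(text):
    """Return {slot: (blade_type, blade_id or None, status)}."""
    slots = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            slot, btype, bid, status = m.groups()
            slots[int(slot)] = (btype, int(bid) if bid else None, status)
    return slots


def check_chassis(option, slotshow_text):
    """Compare slotshow output with the card layout of a chassisconfig option."""
    low_id, high_id = EXPECTED_BLADE_ID[option]
    slots = parse_slotshow(slotshow_text)
    report = {"faulty": [], "mismatch": [], "pending": []}
    for slot, (btype, bid, status) in sorted(slots.items()):
        if status.startswith("FAULTY"):
            report["faulty"].append(slot)
        elif status.startswith("DIAG RUNNING"):
            report["pending"].append(slot)       # POST has not finished yet
        if slot in CP_SLOTS:
            if btype != "CP BLADE":
                report["mismatch"].append(slot)
        elif btype == "SW BLADE" and bid != (low_id if slot <= 4 else high_id):
            report["mismatch"].append(slot)      # card type not valid for option
    present = [st for _, _, st in slots.values() if st != "VACANT"]
    problems = any(report[k] for k in ("faulty", "mismatch", "pending"))
    report["ready"] = bool(present) and not problems and all(
        st == "ENABLED" for st in present
    )
    return report


if __name__ == "__main__":
    print(check_chassis(1, SLOTSHOW_STEP10))
    print(check_chassis(4, SLOTSHOW_STEP14))
    print(check_chassis(4, SLOTSHOW_STEP15))
```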

Setting the card beacon mode

When beaconing mode is enabled, the port LEDs flash amber in a running pattern from port 0 through port 15 and back again. The pattern continues until you turn it off. This can be used to locate a particular card.

To set the card beacon mode on:

1. Connect to the switch and log in as admin.
2. Issue the bladebeacon command with the following syntax at the command line:
bladebeacon slotnumber, mode
where slotnumber is the slot of the card for which you want to set beacon mode (this slot number must exist on the logical switch), and mode is 1 to turn beaconing mode on or 0 to turn beaconing mode off.
Example:
switch:admin> bladebeacon 3, 1
switch:admin>

6 Routing traffic

This chapter contains procedures for configuring HP StorageWorks switch routing features. For details on the commands used in the procedures, refer to the HP StorageWorks Fabric OS 4.x command reference guide.
This chapter contains the following sections:
• About routing policies
• Specifying the routing policy
• Assigning a static route
• Specifying frame order delivery
• Using dynamic load sharing
• Viewing routing path information
• Viewing routing information along a path

About routing policies

All HP StorageWorks switches support port-based routing, in which the routing path chosen for an incoming frame is based only on the incoming port and the destination domain. To optimize port-based routing, enable the Dynamic Load Sharing feature (DLS) to balance the load across the available output ports within a domain.
The SAN Switch 4/32 allows you to tune routing performance with these additional routing policies:
• Device-based routing, in which the choice of routing path is based on the Fibre Channel addresses of the source device (SID) and the destination device (DID), improving path utilization for better performance
• Exchange-based routing, in which the choice of routing path is based on the SID, DID, and Fibre Channel originator exchange ID (OXID), optimizing path utilization for the best performance
Device-based and exchange-based routing require the use of DLS; when these policies are in effect, you cannot disable the DLS feature.
Using port-based routing, you can assign a static route, in which the path chosen for traffic never changes. In contrast, device-based and exchange-based routing policies always employ dynamic path selection.

Specifying the routing policy

In addition to port-based routing, which all HP StorageWorks switches support, the SAN Switch 4/32 supports additional routing policies and allows you to specify the active routing policy using the aptpolicy command.
The following routing policies are supported:
• 1: Port-based path selection, which is the default on the SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, Core Switch 2/64, and SAN Director 2/128
• 2: Device-based path selection on the SAN Switch 4/32 only
• 3: Exchange-based path selection, which is the default on the SAN Switch 4/32 only
The default policy usually provides the best performance. You should change the policy only if there is a performance problem that you cannot resolve in other ways.
You must disable the switch before changing the routing policy, and reenable it afterward.
In this example, the routing policy is changed from exchange-based to device-based:
switch:admin> aptpolicy
Current Policy: 3
3: Default Policy
1: Port Based Routing Policy
2: Device Based Routing Policy
3: Exchange Based Routing Policy
switch:admin> switchdisable
switch:admin> aptpolicy 2
Policy updated successfully.
switch:admin> switchenable
switch:admin> aptpolicy
Current Policy: 2

Assigning a static route

Assign a static route only when the active routing policy is port-based. When device-based or exchange-based routing is active you cannot assign static routes.
To assign a static route, use the urouteconfig command. To remove a static route, use the urouteremove command.
NOTE: For the SAN Switch 2/32, Core Switch 2/64, and SAN Director 2/128, when you issue the urouteconfig command, two similar warning messages may be displayed if a platform conflict condition occurs. The first message appears when the static routing feature detects the condition. The second message appears when the dynamic load sharing feature detects the condition as it tries to rebalance the route.
A platform conflict occurs if a static route was configured with a destination port that is currently down. The static route is ignored in this case, in favor of a normal dynamic route. When the configured destination port comes back up, the system attempts to reestablish the static route, and the conflict can occur then.

Specifying frame order delivery

In a stable fabric, frames are always delivered in order, even when the traffic between switches is shared among multiple paths. However, when topology changes occur in the fabric (for example, if a link goes down), traffic is rerouted around the failure, and some frames could be delivered out of order. Most destination devices tolerate out-of-order delivery, but some do not.
By default, out of order frame-based delivery is allowed to improve speed. You should force in-order frame delivery across topology changes only if the fabric contains destination devices that cannot tolerate occasional out-of-order frame delivery.