HP StorageWorks Fabric OS 6.1.x administrator guide

Part number: 5697-7477. Edition: August 2008
Legal and notice information
© Copyright 2008 Hewlett-Packard Development Company, L.P.
© Copyright 2008 Brocade Communications Systems, Incorporated.
This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard. The information is provided “as is” without warranty of any kind and is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Product names mentioned herein may be trademarks of their respective companies.
Microsoft, Windows, Windows NT, and Windows XP are U.S. registered trademarks of Microsoft Corporation.
Fabric OS 6.1.x administrator guide
Contents
About this guide. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Supported Fabric OS 6.1.x HP StorageWorks hardware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Intended audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Related documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Document conventions and symbols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Rack stability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
HP technical support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Customer self repair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Product warranties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Subscription service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
HP websites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Documentation feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
1 Standard features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Connecting to the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Using Telnet or SSH session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Using a console session on the serial port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Changing passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Changing default account passwords at login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Configuring the Ethernet interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Displaying the network interface settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Setting static Ethernet addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Activating DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Enabling DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Disabling DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Setting the date and time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Setting time zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Synchronizing local time using NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Customizing switch names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Working with Domain IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Licensed features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Generating a license key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Activating a license key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Removing a licensed feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Features and required licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Inter-Chassis Link (ICL) licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
8Gb licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Time-based licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
High Availability considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Firmware upgrade and downgrade consideration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Configupload and Configdownload considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Expired licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Ports on Demand (POD) licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Activating POD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Configuring Dynamic Ports on Demand . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
How ports are assigned to licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Displaying the port license assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Activating Dynamic Ports on Demand . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Disabling Dynamic Ports on Demand. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Managing POD licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Reserving a license . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Releasing a port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Disabling and enabling switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Disabling and enabling ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Making basic connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Connecting to devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Connecting to other switches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Linking through a gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Checking switch status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Switch operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
High Availability (HA) features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Fabric connectivity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Device connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Show switches in Access Gateway mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Tracking and controlling switch changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Configuring the audit log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Auditable event classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Shutting down switches and Directors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
High Availability of daemon processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
2 Managing user accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Accessing the management channel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Using Role-Based Access Control (RBAC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Role permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Managing the local database user accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
About the default accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Defining local user accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Recovering accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Changing local account passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Configuring the local user database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Distributing the local user database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Protecting the local user database from distributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Configuring password policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Setting the password strength policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Setting the password history policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Setting the password expiration policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Upgrade and downgrade considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Setting the account lockout policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Denial of service implications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Authentication model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Creating Fabric OS user accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Managing Fabric OS users on the RADIUS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Windows 2000 IAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Linux FreeRadius server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
RADIUS configuration and Admin Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Configuring the RADIUS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Windows 2000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
RSA RADIUS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Setting up the RSA RADIUS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
LDAP configuration and Microsoft’s Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Adding the adlist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Configuring authentication servers on the switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Enabling and disabling local authentication as backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Boot PROM password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Setting the boot PROM password with a recovery string . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
4/256 SAN Director and DC SAN Backbone Director (short name, DC Director). . . . . . . . . . . . . . 83
Setting the boot PROM password without a recovery string. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
4/256 SAN Director and DC SAN Backbone Director (short name, DC Director). . . . . . . . . . . . . . 84
Recovering forgotten passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
3 Configuring standard security features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Security protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
The SSH protocol. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
SSH public key authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Allowed-user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Authentication setup overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Configuring the allowed-user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Generating a key pair for host-to-switch authentication (incoming) . . . . . . . . . . . . . . . . . . . . . . 90
Generating a key pair for switch-to-host authentication (outgoing) . . . . . . . . . . . . . . . . . . . . . . 90
Importing the public key to the switch for host-to-switch authentication (incoming) . . . . . . . . . . . . 90
Exporting the public key for switch-to-host authentication (outgoing) . . . . . . . . . . . . . . . . . . . . . 91
Appending the public key on a remote host. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Testing the setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Deleting keys on the switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Configuring the Telnet protocol. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Blocking Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Unblocking Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Configuring for the SSL protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Browser and Java support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Summary of SSL procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Choosing a CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Generating a public/private key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Generating and storing a CSR. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Obtaining certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Installing a switch certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Activating a switch certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Configuring the browser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Installing a root certificate to the Java plug-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Summary of certificate commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Configuring for SNMP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Setting the security level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Using the snmpConfig command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Secure file copy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Setting up SCP for configuploads and downloads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Listener applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Ports and applications used by switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Port configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
4 Configuring advanced security features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
About access control list (ACL) policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
How the ACL policies are stored . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Identifying policy members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Configuring ACL policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Displaying ACL policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Configuring an FCS policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
FCS policy restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Overview of steps to create and manage the FCS policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Modifying the Primary FCS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Distributing an FCS policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Configuring a DCC policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
DCC policy restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Creating a DCC policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Examples of creating DCC policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Creating an SCC policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Saving changes to ACL policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Activating changes to ACL policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Adding a member to an existing policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Removing a member from an ACL policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Deleting an ACL policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Aborting all uncommitted changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Configuring the authentication policy for fabric elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
E_Port authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Device authentication policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Auth policy restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Supported configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Selecting authentication protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Re-authenticating ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Managing secret key pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Fabric wide distribution of the Auth policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Accept distributions configuration parameter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
IP Filter policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Creating an IP Filter policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Cloning an IP Filter policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Displaying an IP Filter policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Saving an IP Filter policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Activating an IP Filter policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Deleting an IP Filter policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
IP Filter policy rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
IP Filter policy enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Creating IP Filter policy rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Deleting IP Filter policy rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Switch session transactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Aborting a switch session transaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
IP Filter policy distributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
IP Filter policy restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Distributing the policy database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Configuring the database distribution settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Distributing ACL policies to other switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Setting the consistency policy fabric-wide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Notes on joining a switch to the fabric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Matching fabric-wide consistency policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Non-matching fabric-wide consistency policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
FIPS support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Zeroization functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Power-up self tests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Conditional tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
FIPS mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
LDAP in FIPS mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Additional Microsoft Active Directory settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
LDAP certificates for FIPS mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Importing an LDAP switch certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Exporting an LDAP switch certificate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Deleting an LDAP switch certificate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Preparing the switch for FIPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Overview of steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Disabling FIPS mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Zeroizing for FIPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Displaying FIPS configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
5 Maintaining the switch configuration file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Maintaining consistent configuration settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Displaying configuration settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Backing up a configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Restoring a configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Configuration download without disabling a switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Security considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Restoring configurations in a FICON environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Downloading configurations across a fabric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Configuration form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
6 Managing administrative domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Admin Domain features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Requirements for Admin Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Admin Domain access levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
User-defined Administrative Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
System-defined Administrative Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
AD0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
AD255 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Admin Domains and login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Admin Domain member types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Device members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Switch port members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Switch members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Admin Domains and switch WWN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Admin Domain compatibility and availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Admin Domains and merging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Firmware upgrade considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Managing Admin Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Understanding the AD transaction model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Setting the default zone mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Creating an Admin Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Assigning a user to an Admin Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Activating and deactivating Admin Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Adding and removing Admin Domain members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Renaming an Admin Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Deleting an Admin Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Deleting all user-defined Admin Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Validating an Admin Domain member list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
SAN management with Admin Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Using CLI commands in an AD context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Executing a command in a different AD context. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Displaying an Admin Domain configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Switching to a different Admin Domain context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Performing zone validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Admin Domain interactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Admin Domains, zones, and zone databases. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Admin Domains and LSAN zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Configuration upload and download in an AD context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
7 Installing and maintaining firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
About the firmware download process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Upgrading and downgrading firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Effects of firmware changes on accounts and passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Considerations for FICON CUP environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Preparing for firmware downloads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Checking connected switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Finding the firmware version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Obtaining and decompressing firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Performing firmwareDownload on switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Overview of the firmware download process on switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Downloading firmware to a Director . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Overview of the firmware download process on directors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
4/256 SAN Director and DC Director firmwareDownload procedure . . . . . . . . . . . . . . . . . . . . . . . 180
FirmwareDownload from a USB device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Enabling USB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Viewing the USB file system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Downloading the 6.1.0 image using the relative path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Downloading the 6.1.0 image using the absolute path. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Director restrictions for downgrading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
FIPS Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Public and private key management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Updating the firmwarekey. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
The firmwareDownload command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Configuring the switch for signed firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Power-on firmware checksum test. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Testing and restoring firmware on switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Testing a different firmware version on a switch. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Testing and restoring firmware on directors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Validating firmwareDownload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
8 Administering Advanced Zoning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
About zoning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Zone types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Zone objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Zoning schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Zone aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Zone configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Zoning enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Software-enforced zoning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Hardware-enforced zoning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Considerations for zoning architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Best practices for zoning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Broadcast zones. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Supported switches for broadcast zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Broadcast zones and Admin Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Broadcast zones and FC-FC routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Upgrade and downgrade considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
High Availability considerations with broadcast zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Loop devices and broadcast zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Backward compatibility with pre-5.3.0 switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Broadcast zones and default zoning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Creating and managing zone aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Creating and maintaining zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Default zoning mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Setting the default zoning mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Viewing the current default zone access mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Merging zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Creating and modifying zoning configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Maintaining zone objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Managing zoning configurations in a fabric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
New switch or fabric additions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Fabric segmentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Security and zoning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Zone conflict resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
9 Configuring Directors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Identifying ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Director port numbering schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
By slot and port number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
By port area ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
By index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Basic blade management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Changing a Director’s name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Powering port blades off and on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Disabling and enabling port blades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
FR4-18i blade exceptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
FC4-48 and FC8-48 blade exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Conserving power . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Blade terminology and compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
CP blades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Core blades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Port blade compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Setting chassis configuration options for the 4/256 Director . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Displaying slot information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Inter Chassis Link behavior between two HP StorageWorks DC Directors. . . . . . . . . . . . . . . . . . . . . . . . 232
10 Routing traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Data routing and routing policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Static route assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Frame order delivery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Forcing in-order frame delivery across topology changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Restoring out-of-order frame delivery across topology changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Dynamic load sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Setting DLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Viewing routing path information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Viewing routing information along a path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
11 Implementing an interoperable fabric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
12 Configuring the Distributed Management Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Platform services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Enabling platform services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Disabling platform services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Accessing the Management Server database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Displaying the management server ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Adding a member to the ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Deleting a member from the ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Viewing the contents of the management server database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Clearing the management server database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Controlling topology discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
13 iSCSI Gateway services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Overview of iSCSI gateway service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
iSCSI session translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Basic versus advanced LUN mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Basic LUN mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Advanced LUN mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
iSCSI component identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
IQN Prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Changing and displaying the IQN prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Access control with discovery domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Switch-to-iSCSI initiator authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Load balancing through connection redirection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Enabling and disabling connection redirection for load balancing . . . . . . . . . . . . . . . . . . . . . . . 254
Displaying connection redirection status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Supported iSCSI initiators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Checklist for configuring iSCSI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
FC4-16IP Blade Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
FC4-16IP port numbering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Enabling the iSCSI gateway service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Enabling GbE ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Configuring the GbE interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
iSCSI Virtual Target Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Automatic iSCSI VT creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Generating iSCSI VTs for every FC target . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Generating an iSCSI VT for a specific FC target . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Manual iSCSI VT creation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Mapping LUNs on a specific port to an iSCSI VT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Deleting LUNs from an iSCSI VT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Displaying the iSCSI virtual target LUN map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Displaying iSCSI VT state and status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Discovery domain and domain set configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Displaying iSCSI initiator IQNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Creating discovery domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Creating and enabling a discovery domain set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
iSCSI initiator-to-VT authentication configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Setting the user name and shared secret . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Binding user names to an iSCSI VT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Deleting user names from an iSCSI VT binding list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Displaying CHAP configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Committing the iSCSI-related configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Resolving conflicts between iSCSI configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
LUN masking considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
iSCSI FC zoning overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
iSCSI FC zone creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Creating an iSCSI FC zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Zoning configuration creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Creating and enabling a zoning configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
iSNS client service configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Displaying iSNS client service status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Enabling the iSNS client service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Disabling the iSNS client service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Clearing the iSNS client configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
14 Administering NPIV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
About NPIV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Enabling and disabling NPIV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Configuring NPIV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Configuration scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Viewing NPIV port configuration information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Displaying login information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
15 Optimizing fabric behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Introduction to adaptive networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Top Talkers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Traffic Isolation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
TI zone failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
FSPF routing rules and Traffic Isolation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
General rules for TI zones. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Supported configurations for Traffic Isolation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Limitations and restrictions of Traffic Isolation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Admin Domain considerations for Traffic Isolation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Creating a TI zone. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Modifying TI zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Activating and deactivating a TI zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Deleting a TI zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Displaying TI zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
QoS: ingress rate limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
QoS: SID/DID traffic prioritization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
QoS zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
QoS on E_Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Supported configurations for traffic prioritization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Setting traffic prioritization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
16 Using the FC-FC Routing Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Supported platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Supported configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Fibre Channel routing concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Proxy devices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Routing types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Fibre Channel NAT and phantom domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Setting up the FC-FC routing service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Performing verification checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Assigning backbone fabric IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Configuring FCIP tunnels (optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Configuring FC-FC routing to work with Secure Fabric OS (optional) . . . . . . . . . . . . . . . . . . . . . . . . 303
Configuring DH-CHAP secret. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Configuring an interfabric link . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
portCfgExport options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Configuring the FC router port cost (optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Using router port cost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Upgrade, downgrade, and HA considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Port cost considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Setting a proxy PID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Matching fabric parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Configuring EX_Port frame trunking (optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Supported configurations and platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
High Availability support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Backward compatibility support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Using EX_Port frame trunking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Security considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Trunking commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Configuring LSANs and zoning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Use of administrative domains with LSAN zones and FCR. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Defining and naming zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
LSAN zones and fabric-to-fabric communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
LSAN zone binding (optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Dual backbone configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Maximum LSAN count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Configuring backbone fabrics for interconnectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
HA and downgrade considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
IPFC over FCR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Broadcast configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Monitoring resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Routing ECHO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Upgrade and downgrade considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Interoperability with legacy FCR switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Backward compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Front domain consolidation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Using front domain consolidation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Range of output ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
17 Administering Advanced Performance Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
About Advanced Performance Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
End-to-end performance monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
End-to-end monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Setting a mask for end-to-end monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Monitoring AL_PAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Adding end-to-end monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Setting a mask for an end-to-end monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Deleting end-to-end monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Filter-based performance monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Adding standard filter-based monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Adding custom filter-based monitors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Deleting filter-based monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
ISL performance monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Top Talker monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Adding a Top Talker monitor on an F_Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Deleting a Top Talker monitor on an F_Port. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Displaying the top n bandwidth-using flows on an F_Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Using Top Talker monitors in fabric mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Adding Top Talker monitors on all switches in the fabric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Deleting the fabric mode Top Talker monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Displaying top talking flows on the switch for a given Domain ID . . . . . . . . . . . . . . . . . . . . . . . . 340
Limitations of Top Talker monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Trunk monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Displaying monitor counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Clearing monitor counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
Saving and restoring monitor configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Collecting performance data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
18 Administering Extended Fabrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Extended Fabrics licensing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Extended Fibre Channel over distance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Distance levels for extended Inter-Switch Links (ISLs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Buffer-to-Buffer Credits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
FC switch port Buffer Credit requirements for long distance calculations . . . . . . . . . . . . . . . . . . . . . . 349
Determining how many ports can be configured for long distance . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Displaying the remaining buffers in a port group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Buffer credit recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Fabric considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Long distance link initialization activation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Extended Fabrics device limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Configuring an extended ISL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
19 Administering ISL Trunking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
About ISL Trunking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Standard trunking criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Fabric considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Initializing trunking on ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Performance monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Adding a monitor to an F_Port master port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Displaying port throughput performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Enabling and disabling ISL Trunking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Setting port speeds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Setting the same speed for all ports on the switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Displaying trunking information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Trunking over Extended Fabrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Trunking distances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
F_Port masterless trunking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Setting up F_Port trunking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Assigning a Trunk area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Enabling F_Port trunking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Enabling the DCC policy on trunk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Disabling F_Port trunking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
F_Port Trunking Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Configuration management for trunk areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Trunking for Access Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
20 Configuring and monitoring FCIP extension services . . . . . . . . . . . . . . . . . . . . . . . . . 375
FCIP services licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Platforms that support SAN extension over IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
FCIP concepts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Virtual ports and FCIP tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Virtual port types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Compression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Traffic shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
QoS concepts and implementation over FCIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Layer three DiffServ Code Points (DSCP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
VLAN tagging and layer two class of service (L2CoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
When both DSCP and L2CoS are used. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
IPSec concepts and implementation over FCIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Options for enhancing tape write I/O performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
FCIP fastwrite and tape pipelining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Constraints for FCIP fastwrite and tape pipelining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
FCIP fastwrite/tape pipelining configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Unsupported configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
FICON emulation concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
XRC emulation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Tape write pipelining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Tape read pipelining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Device level acknowledgment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
TIN/TIR emulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Read block ID emulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
FTRACE concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
FCIP services configuration guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Checklist for configuring FCIP links. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Configuring IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
IPSec parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
Managing policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Persistently disabling ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Configuring VEX ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Configuring IP interfaces and IP routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Configuring FCIP tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Configuring FICON emulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Configuring FTRACE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Verifying the FCIP tunnel configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Enabling persistently disabled ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Modify and delete command options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Modifying FCIP tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Modifying/deleting QoS Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
FICON emulation modify operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
Deleting an fcip tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Deleting an IP interface (IPIF) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Deleting an IProute. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Deleting an FTRACE configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Maintaining VLAN tag tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Troubleshooting FCIP links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
WAN performance analysis tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
About the ipperf option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Running WAN tool sessions with an FCIP tunnel online . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
FCIP port bandwidth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
WAN tool performance characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Starting WAN tool analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
WAN tool ipPerf syntax. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Using portCmd ping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Using portCmd traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
FCIP tunnel performance characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
21 FICON fabrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Overview of Fabric OS support for FICON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Supported switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Types of FICON configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Control Unit Port (CUP). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
FICON commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
User security considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
Configuring switches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
Preparing a switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Configuring a single switch. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Configuring a high-integrity fabric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Setting a unique Domain ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Displaying information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Link incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Registered listeners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Node identification data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
FRU failures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Swapping ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Clearing the FICON management database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Using FICON CUP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Setup summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Enabling and disabling FICON Management Server mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Setting up CUP when FICON Management Server mode is enabled . . . . . . . . . . . . . . . . . . . . . . . . 424
Displaying the fmsmode setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Displaying mode register bit settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
Setting mode register bits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Persistently enabling/disabling ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Port and switch naming standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Adding and removing FICON CUP licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Zoning and PDCM considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Zoning and link incident reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
Identifying ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
Backing up and restoring FICON configuration files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
Recording configuration information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
Sample IOCP configuration file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
22 Configuring and monitoring FICON Extension Services . . . . . . . . . . . . . . . . . . . . . . . 433
FICON extension products licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Platforms that support FICON extension over IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
FCIP Configuration requirements for FICON extension . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
Configuration requirements for switches and directors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
Ensure sufficient buffer credits are configured . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
High integrity fabric requirements for cascaded configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
FICON emulation requirement for a determinate path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
One Ethernet interface, one IP route and one FCIP tunnel between sites . . . . . . . . . . . . . . . . . . . . 435
Traffic isolation zoning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
Allow/Prohibit for M-series directors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
Cross-coupled configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
FICON emulation concepts and features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
XRC emulation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
Tape Write Pipelining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Tape Read Pipelining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Configuring FICON emulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Displaying FICON emulation configuration values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
FICON emulation modify operations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
FICON performance statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Monitoring FICON emulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
A Configuring the PID format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
About PIDs and PID binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Summary of PID formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Impact of changing the fabric PID format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Host reboots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Static PID mapping errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Changes to configuration data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Selecting a PID format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Evaluating the fabric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Planning the update procedure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
Online update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
Offline update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
Hybrid update. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
Changing to core PID format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
Converting port number to area ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
Performing PID format changes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Basic procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
HP/UX procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
AIX procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
Swapping port area IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
B Understanding legacy password behaviour . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Password management information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Password prompting behaviors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
Password migration during firmware changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
Password recovery options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
C Interoperating with an M-EOS fabric. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
D Migrating from an MP Router to a 400 MP Router . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Configurations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Non-redundant configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Redundant configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
Dual backbone configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
Devices directly connected to router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Configuring a new FC router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
E Using Remote Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
About Remote Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Remote Switch capabilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Using Remote Switch with a gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Zone merging scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Figures
1 Example of a Brocade DCT file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
2 Example of the dictiona.dcm file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
3 DH-CHAP authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
4 Fabric with two Admin Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
5 Filtered fabric views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
6 Fabric with AD0 and AD255 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
7 Fabric showing switch and device WWNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
8 Filtered fabric views showing converted switch WWNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
9 Isolated subfabrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
10 Zoning example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
11 Hardware-enforced nonoverlapping zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
12 Hardware-enforced overlapping zones. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Fabric OS 6.1.x administrator guide 15
13 Zoning with hardware assist (mixed-port and WWN zones) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
14 Session-based hard zoning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
15 iSCSI gateway network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
16 iSCSI gateway service basic implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
17 iSCSI-to-FC translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
18 iSCSI VT basic LUN mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
19 iSCSI VT advanced LUN mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
20 IQN example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
21 Discovery domain set configuration example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
22 FC4-16IP ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
23 iSCSI gateway service in an iSCSI FC zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
24 iSCSI network with iSNS server and clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
25 Traffic Isolation zone creating a dedicated path through the fabric . . . . . . . . . . . . . . . . . . . . . . . . 283
26 Dedicated path (shortest path). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
27 Dedicated path (but not the shortest path) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
28 TI zone misconfiguration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
29 QoS traffic prioritization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
30 QoS with E_Ports enabled . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
31 A metaSAN with interfabric links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
32 A metaSAN with edge-to-edge and backbone fabrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
33 Edge SANs connected through a backbone fabric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
34 MetaSAN with imported devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
35 Setting end-to-end monitors on a port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
36 Proper placement of end-to-end performance monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
37 Mask positions for end-to-end monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
38 Distribution of traffic over ISL Trunking groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
39 Switch in Access Gateway mode without F_Port trunking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
40 Switch in Access Gateway mode with F_Port masterless trunking . . . . . . . . . . . . . . . . . . . . . . . . . . 366
41 Trunk group configuration for the SAN Switch 8/40 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
42 FR4-18i port numbering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
43 400 Multi-protocol Router port numbering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
44 Network using FCIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
45 Single tunnel, fastwrite and tape pipelining enabled . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
46 Multiple tunnels to multiple ports, fastwrite and tape pipelining enabled on a per-tunnel/per-port basis 383
47 Unsupported configurations with fastwrite and tape pipelining . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
48 Cascaded configuration, two switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
49 Cascaded configuration, three switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
50 FR4-18i Port Numbering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
51 MP Router 400 Port Numbering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
52 allow/prohibit example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
53 Cross-coupled configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
54 Non-redundant router configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
55 Configuration during the upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
56 Redundant router configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
57 Dual backbone fabric configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
Tables
1 Switch model naming matrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2 Document conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
3 Default administrative account names and passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
4 License requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
5 AuditCfg event class operands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
6 Daemons that are automatically restarted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54
7 Maximum number of simultaneous sessions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
8 Fabric OS 6.1.x roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
9 Permission types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
10 RBAC permissions matrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
11 Default local user accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
12 Authentication configuration options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
13 Syntax for VSA-based account roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
14 dictionary.brocade file entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
15 Secure protocol support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
16 Items needed to deploy secure protocols. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
17 Main security scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
18 SSL certificate files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
19 Commands for displaying and deleting SSL certificates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
20 Blocked listener applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
21 Access defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
22 Port information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
23 Security database size restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
24 Valid methods for specifying policy members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
25 FCS policy states . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
26 Switch operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
27 Distribution policy states . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
28 DCC policy states . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
29 SCC policy states. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
30 Supported services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
31 Implicit IP Filter rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
32 Default IP policy rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
33 Interaction between fabric-wide consistency policy and distribution settings . . . . . . . . . . . . . . . . . . . 129
34 Supported policy databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
35 ACL policy database distribution behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131
36 Fabric-wide consistency policy settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
37 Merging fabrics with matching fabric-wide consistency policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
38 Examples of strict fabric merges. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
39 Fabric merges with tolerant/absent combinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
40 Zeroization behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
41 FIPS mode restrictions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
42 FIPS mode of operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
43 Active Directory Keys to modify . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
44 CLI commands to display or modifiy switch configuration information. . . . . . . . . . . . . . . . . . . . . . . . 145
45 Backup and restore in a FICON CUP environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
46 Configuration and connection information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
47 AD user types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
48 Ports and devices in CLI output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
49 Admin Domain interaction with Fabric OS features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
50 Configuration upload and download scenarios in an AD context. . . . . . . . . . . . . . . . . . . . . . . . . . . 171
51 Effects of firmware changes on accounts and passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
52 Recommended firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
53 Types of zoning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
54 Approaches to fabric-based zoning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .194
55 Enforcing hardware zoning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
56 Considerations for zoning architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
57 Zoning database limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
58 Resulting database size: 0 to 96K . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
59 Resulting database size: 96K to 128K . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .211
60 Resulting database size: 128K to 256K . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .211
61 Resulting database size: 256K to 1M. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .212
62 Port numbering schemes for the 4/256 Director and DC Director . . . . . . . . . . . . . . . . . . . . . . . . . . 224
63 Default index/area_ID core PID assignment with no port swap . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
64 Director terminology and abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .229
65 Port blades supported by each Director . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .230
66 Supported configuration options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
67 Chassis configuration options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
68 Led behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
69 Supported iSCSI initiators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
70 iSCSI target gateway configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .255
71 Hardware and firmware compatibility for nonsecure fabrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
72 Types of monitors supported on B-Series switch models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
73 Advanced Performance Monitoring commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
74 Commands to add filter-based monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .335
75 Predefined values at offset 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
76 Fibre Channel data frames . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
77 Switch, port speed, and distance with ASIC and buffers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
78 Extended ISL modes: B-Series 2Gb Switches (Bloom and Bloom II ASICs) . . . . . . . . . . . . . . . . . . . . . 355
79 Long-distance mode definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
80 Trunking support for SAN Switch 4/32, 4/32B and 4/64 SAN Switch (Condor ASIC) . . . . . . . . . . . . . . 365
81 Trunking support for 4/256 SAN Director and DC Directors with supported blades (Condor and Condor2 ASIC) . . . 365
82 F_Port masterless trunking considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
83 PWWN format for F_Port and N_Port trunk ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
84 Address identifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
85 Tunnel and virtual port numbering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
86 Default Mapping of DSCP priorities to L2Cos Priorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
87 IPSec terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
88 Using FCIP fastwrite and tape pipelining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .382
89 Command checklist for configuring FCIP links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
90 Fixed policy parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
91 Modifiable policy parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
92 WAN tool performance characteristics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .408
93 Fabric OS commands related to FICON and FICON CUP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
94 FICON CUP mode register bits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
95 FICON configuration worksheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
96 Effects of PID format changes on configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
97 PID format recommendations for adding new switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
98 Account/password characteristics matrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .459
99 Password prompting matrix. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
100 Password migration behavior during firmware upgrade/downgrade . . . . . . . . . . . . . . . . . . . . . . . 461
101 Password recovery options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
102 Zone merging scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
103 Zone merging scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
About this guide
This guide provides information about:
Installing and configuring Fabric OS 6.1.x
Managing user accounts
Using licensed features

Supported Fabric OS 6.1.x HP StorageWorks hardware

Table 1 lists Brocade and HP StorageWorks product models supported by Fabric OS 6.1.x.

Table 1 Switch model naming matrix

Brocade product name          Equivalent HP StorageWorks B-Series product name
Brocade 200E switch           HP StorageWorks 4/8 SAN Switch or HP StorageWorks 4/16 SAN Switch
Brocade 4100 switch           HP StorageWorks SAN Switch 4/32
Brocade 4900 switch           HP StorageWorks 4/64 SAN Switch
Brocade 4/256 SAN Director    HP StorageWorks 4/256 SAN Director
Brocade FC4-16 Blade          HP StorageWorks 16 Port 4Gb Blade
Brocade FC4-32 Blade          HP StorageWorks 32 Port 4Gb Blade
FR4-18i blade                 B-Series Multi-protocol (MP) Router blade
FC4-48 Blade                  HP StorageWorks 4/48 SAN Director Blade
FC4-16IP Blade                HP StorageWorks iSCSI Director Blade (compatible with HP StorageWorks 4/256 SAN Director only)
Brocade 7500                  HP StorageWorks 400 Multi-protocol (MP) Router
Brocade 4012                  Brocade 4Gb SAN Switch for HP p-Class BladeSystem
Brocade 4024                  Brocade 4Gb SAN Switch for HP c-Class BladeSystem
Brocade 5000                  HP StorageWorks SAN Switch 4/32B
Brocade DCX Backbone          HP StorageWorks DC SAN Backbone Director (short name, DC Director)
FC10-6 Blade                  HP StorageWorks SAN Director 6 Port 10Gb FC blade
FC8-16 Blade                  HP StorageWorks SAN Director 16 Port 8Gb FC blade
FC8-32 Blade                  HP StorageWorks SAN Director 32 Port 8Gb FC blade
FC8-48 Blade                  HP StorageWorks SAN Director 48 Port 8Gb FC blade
Brocade 300                   HP StorageWorks 8/8 SAN Switch or HP StorageWorks 8/24 SAN Switch
Brocade 5100                  HP StorageWorks 8/40 SAN Switch
Brocade 5300                  HP StorageWorks 8/80 SAN Switch
Brocade 5410                  HP StorageWorks EVA4400 Embedded Switch Module, 8Gb Brocade
Brocade 5480                  8Gb SAN Switch for HP BladeSystem c-Class

Intended audience

This guide is intended for system administrators with knowledge of:
Storage area networks
HP StorageWorks Fibre Channel SAN switches

Related documentation

The following documents provide related information:
HP StorageWorks Fabric OS 6.1.x release notes
Web Tools administrator’s guide
You can find these documents on the Manuals page of the HP Business Support Center website:
http://www.hp.com/support/manuals
In the Storage section, click Storage Networking and then select your product.

Document conventions and symbols

Table 2 Document conventions

Convention                    Element
Blue text: Table 1            Cross-reference links and e-mail addresses
Blue, underlined text:        Website addresses
http://www.hp.com
Bold text                     Keys that are pressed
                              Text typed into a GUI element, such as into a box
                              GUI elements that are clicked or selected, such as menu and list items, buttons, tabs, and check boxes
Italics text                  Text emphasis
Monospace text                File and directory names
                              System output
                              Code
                              Commands, their arguments, and argument values
Monospace, italic text        Code variables
                              Command variables
Monospace, bold text          Emphasized monospace text

WARNING! Indicates that failure to follow directions could result in bodily harm or death.
CAUTION: Indicates that failure to follow directions could result in damage to equipment or data.
IMPORTANT: Provides clarifying information or specific instructions.
NOTE: Provides additional information.
TIP: Provides helpful hints and shortcuts.

Rack stability

Rack stability protects personnel and equipment.
WARNING!
To reduce the risk of personal injury or damage to equipment:
Extend leveling jacks to the floor.
Ensure that the full weight of the rack rests on the leveling jacks.
Install stabilizing feet on the rack.
In multiple-rack installations, secure racks together.
Extend only one rack component at a time. Racks may become unstable if more than one component is extended.

HP technical support

For worldwide technical support information, see the HP support website:
http://www.hp.com/support/
Before contacting HP, collect the following information:
Product model names and numbers
Technical support registration number (if applicable)
Product serial numbers
Error messages
Operating system type and revision level
Detailed questions

Customer self repair

HP customer self repair (CSR) programs allow you to repair your StorageWorks product. If a CSR part needs replacing, HP ships the part directly to you so that you can install it at your convenience. Some parts do not qualify for CSR. Your HP-authorized service provider will determine whether a repair can be accomplished by CSR.
For more information about CSR, contact your local service provider. For North America, see the CSR website:
http://www.hp.com/go/selfrepair

Product warranties

For information about HP StorageWorks product warranties, see the warranty information website:
http://www.hp.com/go/storagewarranty

Subscription service

HP recommends that you register your product at the Subscriber's Choice for Business website:
http://www.hp.com/go/e-updates
After registering, you will receive e-mail notification of product enhancements, new driver versions, firmware updates, and other product resources.

HP websites

For additional product information, see the following HP websites:
http://www.hp.com
http://www.hp.com/go/storage
http://www.hp.com/support/manuals

Documentation feedback

HP welcomes your feedback.
To make comments and suggestions about product documentation, please send a message to
storagedocs.feedback@hp.com. All submissions become the property of HP.

1 Standard features

This chapter describes how to configure your HP StorageWorks SAN using the Fabric OS Command Line Interface (CLI). Before you can configure a Storage Area Network (SAN), you must power up the Director or switch and blades, and then set the IP addresses of those devices. Although this chapter focuses on configuring a SAN using the CLI, you can also use the following methods to configure a SAN:
Web Tools
For Web Tools procedures, see the Web Tools Administrator’s Guide.
Fabric Manager
For Fabric Manager procedures, see the Fabric Manager Administrator’s Guide.

Overview

As a result of the differences between fixed-port and variable-port devices, procedures sometimes differ among HP switch models. As new models are introduced, new features sometimes apply only to specific switches.
When procedures or parts of procedures apply to some models but not others, this guide identifies the specifics for each model. For example, a number of procedures that apply only to variable-port devices are found in “Configuring Directors” on page 193.
Although many different software and hardware configurations are tested and supported, documenting all possible configurations and scenarios is beyond the scope of this document. In some cases, earlier releases are highlighted to present considerations for interoperating with them.
The hardware reference manuals for HP products describe how to power up devices and set their IP addresses. After the IP address is set, you can use the CLI procedures contained in this guide.
For additional information about the commands used in the procedures, see online help or the Fabric OS Command Reference.

Using the CLI

Fabric OS 6.x uses Role-Based Access Control (RBAC) to control access to all Fabric OS operations. You can display a list of all command help topics for a given login level. For example, if you are logged in as user and enter the help command, a list of all user-level commands that can be executed is displayed. The same rule applies to the admin, securityAdmin, and switchAdmin roles.
NOTE: When command examples in this guide show user input enclosed in quotation marks, the quotation marks are required.
Enter help with no command name to display a list of all commands; help | more (pipe more) displays the list one page at a time. To get help on a specific command, enter help <command>, where command is the name of the command for which you need information.
The following commands provide help for specific topics related to configuring your SAN:
diagHelp          Diagnostic help information
ficonHelp         FICON help information
fwHelp            Fabric Watch help information
iscsiHelp         iSCSI help information
licenseHelp       License help information
perfHelp          Performance Monitoring help information
routeHelp         Routing help information
trackChangesHelp  Track Changes help information
zoneHelp          Zoning help information

Connecting to the CLI

Read this section for procedures.

Using Telnet or SSH session

Connect to the Fabric OS through a Telnet or SSH connection or through a console session on the serial port. The switch must also be physically connected to the network. If the switch network interface is not configured or the switch has been disconnected from the network, use a console session on the serial port as described in the next section.
NOTE: To automatically configure the network interface on a DHCP-enabled switch, plug the switch into the network and power it on. The DHCP client automatically gets the IP and gateway addresses from the DHCP server. The DHCP server must be on the same subnet as the switch. See ”Activating DHCP” on page 29 for more details.
Rules for Telnet connections:
• Never change the IP address of the switch while two Telnet sessions are active; if you do, your next attempt to log in fails. To recover, gain access to the switch by one of these methods:
  • You can use Web Tools to perform a fast boot. When the switch comes up, the Telnet quota is cleared. (For instructions on performing a fast boot with Web Tools, see the Web Tools Administrator’s Guide.)
  • If you have the required privileges, you can connect through the serial port, log in as root, and use operating system commands to identify and kill the Telnet processes without disrupting the fabric.
• For admin level accounts, Fabric OS limits the number of simultaneous Telnet sessions per switch to two. For more details on session limits, see ”Configuring the Telnet protocol” on page 92 and ”Managing user accounts” on page 55.
To connect using Telnet:
1. Verify that the switch’s network interface is configured and that it is connected to the IP network through the RJ-45 Ethernet port. Switches in the fabric that are not connected through the Ethernet can be managed through switches that are using IP over Fibre Channel. The embedded port must have an assigned IP address.
2. Open a Telnet connection using the IP address of the logical switch to which you want to connect. See ”Changing passwords” on page 25 for instructions on how to log in for the first time.
3. Enter the account ID at the login prompt.
4. Enter the password.
If you have not changed the system passwords from the default, you are prompted to change them. Enter the new system passwords, or press Ctrl-C to skip the password prompts. See ”Changing default account passwords at login” on page 26.
5. Verify that the login was successful.
The prompt displays the switch name and user ID to which you are connected.
login: admin
password: xxxxxxx
switch:admin>

Using a console session on the serial port

Note the following behaviors for serial connections:
• Some procedures require that you connect through the serial port; for example, setting the IP address or setting the boot PROM password.
• If you are using a Fabric OS version prior to 6.x, and secure mode is enabled, connect through the serial port of the primary FCS switch.
• 4/256 SAN Director and DC Director: You can connect to CP0 or CP1 using either of the two serial ports.
To connect through the serial port:
1. Connect the serial cable to the serial port on the switch and to an RS-232 serial port on the workstation.
If the serial port on the workstation is RJ-45 instead of RS-232, remove the adapter on the end of the serial cable and insert the exposed RJ-45 connector into the RJ-45 serial port on the workstation.
2. Open a terminal emulator application (such as HyperTerminal on a PC, or TERM, TIP, or Kermit in a UNIX environment), and configure the application as follows:
• In a Windows environment:
Parameter Value
Bits per second 9600
Databits 8
Parity None
Stop bits 1
Flow control None
• In a UNIX environment, enter the following string at the prompt:
tip /dev/ttyb -9600
If ttyb is already in use, use ttya instead and enter the following string at the prompt: tip /dev/ttya -9600

Changing passwords

The switch automatically prompts you to change the default account passwords after logging in for the first time. If you do not change the passwords, the switch prompts you after each subsequent login until all the default passwords have been changed.
NOTE: The default account passwords can be changed from their original value only when prompted immediately following the login; the passwords cannot be changed using the passwd command later in the session. If you skip the prompt, and then later decide to change the passwords, log out and then back in.
The default accounts on the switch are admin, user, root, and factory. Use the default administrative account as shown in Table 3 to log into the switch for the first time and to perform the basic configuration tasks.
Every logical switch (domain) has a set of default accounts. The root and factory default accounts are reserved for development and manufacturing. The user account is primarily used for system monitoring. For more information on default accounts, see ”About the default accounts” on page 59.
Table 3 describes the default administrative accounts for switches by model number.

Table 3 Default administrative account names and passwords

Model | Administrative account | Password
HP StorageWorks 4/8 SAN Switch, 4/16 SAN Switch, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 8/8 SAN Switch, 8/24 SAN Switch, 8/40 SAN Switch, 8/80 SAN Switch, 400 Multi-protocol Router | admin | password
4/256 SAN Director and DC SAN Backbone Director (short name, DC Director) | admin | password

Changing default account passwords at login

The prompt for changing the default account passwords accepts a maximum of eight characters. Any characters beyond the eighth character are ignored. Only the default password is subject to the eight-character limit. User-defined passwords can have 8 to 40 characters. They must begin with an alphabetic character and can include numeric characters, the period (.), and the underscore ( _ ). They are case-sensitive, and they are not displayed when you enter them on the command line.
Record the passwords exactly as entered and store them in a secure place because recovering passwords requires significant effort and fabric downtime. Although the root and factory accounts are not meant for general use, change their passwords if prompted to do so and save the passwords in case they are needed for recovery purposes.
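The following Python code is an added worked example, not part of this guide or of Fabric OS. It encodes the two password rules stated above so that an operator's automation can check a candidate password before it is typed on the switch, and it shows the practical consequence of the eight-character limit at the first-login prompt: the value the switch stores is the first eight characters of whatever was typed, so that is the value that must be recorded and used to log in. The treatment of non-ASCII characters as non-alphabetic is an assumption; the guide does not discuss them.

```python
from typing import List

# Limits stated in the guide for passwords entered on the CLI.
USER_PASSWORD_MIN, USER_PASSWORD_MAX = 8, 40
DEFAULT_PROMPT_MAX = 8          # the change-default-password prompt keeps only eight characters
ALLOWED_PUNCTUATION = "._"      # period and underscore are allowed besides letters and digits


def validate_user_password(pw: str) -> List[str]:
    """Check a user-defined password against the guide's rules.

    Returns the list of violated rules; an empty list means the password is acceptable.
    Passwords are case-sensitive, so nothing here lower-cases the input.
    """
    problems: List[str] = []
    if not USER_PASSWORD_MIN <= len(pw) <= USER_PASSWORD_MAX:
        problems.append(
            f"length {len(pw)} is outside {USER_PASSWORD_MIN}-{USER_PASSWORD_MAX} characters"
        )
    # Assumption: "alphabetic" means an ASCII letter; the guide does not discuss non-ASCII input.
    if not (pw and pw[0].isascii() and pw[0].isalpha()):
        problems.append("must begin with an alphabetic character")
    disallowed = sorted(
        {c for c in pw if not (c.isascii() and (c.isalnum() or c in ALLOWED_PUNCTUATION))}
    )
    if disallowed:
        problems.append("contains disallowed characters: " + repr("".join(disallowed)))
    return problems


def stored_default_password(typed: str) -> str:
    """Return what the switch actually keeps when a default account password is entered at
    the first-login prompt: characters beyond the eighth are silently ignored, so the value
    to record and to log in with is this truncated string, not the full string typed."""
    return typed[:DEFAULT_PROMPT_MAX]


def truncation_warning(typed: str) -> str:
    """Explain what happened if the typed default password was longer than the prompt accepts."""
    kept = stored_default_password(typed)
    if kept == typed:
        return "stored as typed"
    dropped = len(typed) - DEFAULT_PROMPT_MAX
    return (
        f"only the first {DEFAULT_PROMPT_MAX} characters were stored; "
        f"{dropped} trailing characters were ignored"
    )


if __name__ == "__main__":
    for candidate in ("Fabric_2008", "2008Fabric", "short1", "Pass word!"):
        print(candidate, "->", validate_user_password(candidate) or "ok")
    print(truncation_warning("fabricos_2008"))
```

Run the checks on the password you intend to set before logging in; a password that passes validate_user_password but is entered at the default-password prompt is still cut to eight characters, which is exactly the case truncation_warning reports.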
To change the default account passwords at login:
1. Connect to the switch and log in using the default administrative account.
2. At each of the “Enter new password” prompts, either enter a new password or skip the prompt.
To skip a single prompt press Enter. To skip all of the remaining prompts press Ctrl-c.
login: admin
Password:
Please change your passwords now.
Use Control-C to exit or press 'Enter' key to proceed.
for user - root
Changing password for root
Enter new password: ********
Password changed.
Saving password to stable storage.
Password saved to stable storage successfully.
Please change your passwords now.
for user - factory
Changing password for factory
Enter new password: ********
Password changed.
Saving password to stable storage.
Password saved to stable storage successfully.
Please change your passwords now.
for user - admin
Changing password for admin
Enter new password: ********
Password changed.
Saving password to stable storage.
Password saved to stable storage successfully.
Please change your passwords now.
for user - user
Changing password for user
Enter new password: ********
Password changed.
Saving password to stable storage.
Password saved to stable storage successfully.
switch:admin>

Configuring the Ethernet interface

You can use Dynamic Host Configuration Protocol (DHCP) for the Ethernet network interface configuration. The Ethernet (network) interface provides management access, including direct access to the Fabric OS CLI, and allows other tools, such as Web Tools, to interact with the switch.
You can continue to use a static Ethernet addressing system or allow the DHCP client to automatically acquire Ethernet addresses. Configure the Ethernet interface IP, subnet mask, and gateway addresses in one of the following manners:
• ”Setting static Ethernet addresses” on page 28
• ”Activating DHCP” on page 29
When you change the Ethernet interface settings, open connections such as SSH or Telnet may be dropped. Reconnect using the new Ethernet IP information or change the Ethernet settings using a console session through the serial port to maintain your session through the change. You must connect through the serial port to set the Ethernet IP address if the Ethernet network interface is not configured already.

Displaying the network interface settings

If an IP address has not been assigned to the network interface (Ethernet), you must connect to the Fabric OS CLI using a console session on the serial port. For more information, see ”Using a console session on the serial port” on page 25. Otherwise, connect using SSH.
To display the network interface settings:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the ipAddrShow command.
SWITCH
Ethernet IP Address: 102.108.153.238
Ethernet Subnetmask: 255.255.255.0
Fibre Channel IP Address: none
Fibre Channel Subnetmask: 255.255.0.0
Gateway IP Address: 102.108.153.1
DHCP: Off
IPv6 Autoconfiguration Enabled: No
Local IPv6 Addresses:
static 1080::9:800:400c:416a/64
If the Ethernet IP address, subnet mask, and gateway address are displayed, then the network interface is configured. Verify that the information is correct. If DHCP is enabled, the network interface information was acquired from the DHCP server.
NOTE: You can use either IPv4 or IPv6 with a classless inter-domain routing (CIDR) block notation to set up your IP addresses.

Setting static Ethernet addresses

Use static Ethernet network interface addresses on HP StorageWorks 2/128, 4/256 SAN Director, DC Director models, and in environments where DHCP service is not available. To use static addresses for the Ethernet interface, you must first disable DHCP. You may enter static Ethernet information and disable DHCP at the same time. Refer to ”Activating DHCP” on page 29 for more information.
If you choose not to use DHCP or to specify an IP address for your switch Ethernet interface, you can do so by entering none or 0.0.0.0 in the Ethernet IP address field.
IMPORTANT: IP address 0.0.0.0 is not supported in Fabric OS versions earlier than 5.2.0.
On the iSCSI Director (FC4-16IP) and B-Series MP Router (FR4-18i) blades, configure the two external Ethernet interfaces to two different subnets, or if two subnets are not present, configure one of the interfaces and leave the other unconfigured. Otherwise, the following message is displayed, and the blade status may go into a faulty state after a reboot:
Neighbor table overflow.
print: 54 messages suppressed
To set static addresses for the Ethernet network interface:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the following command to set the IPv4 address:
switch:admin> ipaddrset
Ethernet IP Address [192.168.74.102]:
Ethernet Subnetmask [255.255.255.0]:
Fibre Channel IP Address [220.220.220.2]:
Fibre Channel Subnetmask [255.255.0.0]:
Gateway IP Address [192.168.74.1]:
DHCP [OFF]: off
or to set an IPv6 address on a switch:
switch:admin> ipaddrset -ipv6 --add 1080::8:800:200C:417A/64
IP address is being changed...Done.
Example of setting logical switch (sw0)'s IPv6 address on a Director:
director:admin> ipaddrset -ipv6 -sw 0 --add 1080::8:800:200C:417B/64
IP address is being changed...Done.
Enter the network information in dotted decimal notation for the Ethernet IPv4 address and in colon-separated notation for IPv6. Enter the Ethernet Subnetmask and Gateway Address at the prompts. Skip Fibre Channel prompts by pressing Enter. Disable DHCP by entering OFF.
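The following Python code is an added worked example, not part of this guide or of Fabric OS. It parses the ipAddrShow output shown under ”Displaying the network interface settings” (embedded here as a constructed sample) into named fields, applies the checks an administrator would make before relying on the settings (an unconfigured address means the serial console is still needed; the gateway must lie inside the Ethernet subnet; settings shown while DHCP is on came from the DHCP server), and validates an address/prefix operand of the form used with ipaddrset -ipv6 --add. The field names are taken from the sample output; the checks and messages are the example's own.

```python
import ipaddress
import re
from typing import Any, Dict, List, Tuple

# Constructed sample: the ipAddrShow output shown in this guide, one field per line.
SAMPLE_IPADDRSHOW = """\
SWITCH
Ethernet IP Address: 102.108.153.238
Ethernet Subnetmask: 255.255.255.0
Fibre Channel IP Address: none
Fibre Channel Subnetmask: 255.255.0.0
Gateway IP Address: 102.108.153.1
DHCP: Off
IPv6 Autoconfiguration Enabled: No
Local IPv6 Addresses:
static 1080::9:800:400c:416a/64
"""

UNCONFIGURED = ("none", "0.0.0.0")   # the guide uses either value to mean "no address set"
IPV6_LINE_RE = re.compile(r"^\s*(\S+)\s+([0-9A-Fa-f:]+/\d{1,3})\s*$")


def is_unconfigured(addr: str) -> bool:
    return addr.strip().lower() in UNCONFIGURED


def parse_ipaddrshow(text: str) -> Dict[str, Any]:
    """Parse ipAddrShow output into named fields.

    IPv4 fields keep their "Key: value" names; "ipv6" holds (kind, address/prefix) tuples
    from the lines after "Local IPv6 Addresses:"; "dhcp" is True when DHCP is on.
    """
    fields: Dict[str, Any] = {}
    ipv6: List[Tuple[str, str]] = []
    in_ipv6 = False
    for line in text.splitlines():
        if in_ipv6:
            m = IPV6_LINE_RE.match(line)
            if m:
                ipv6.append((m.group(1), m.group(2)))
                continue
            in_ipv6 = False          # first line that is not an address ends the IPv6 block
        if line.strip() == "Local IPv6 Addresses:":
            in_ipv6 = True
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    fields["ipv6"] = ipv6
    fields["dhcp"] = fields.get("DHCP", "").lower() == "on"
    return fields


def check_ethernet_config(fields: Dict[str, Any]) -> List[str]:
    """Sanity checks on the parsed settings; an empty list means nothing to report."""
    findings: List[str] = []
    ip = fields.get("Ethernet IP Address", "")
    mask = fields.get("Ethernet Subnetmask", "")
    gw = fields.get("Gateway IP Address", "")
    if is_unconfigured(ip):
        findings.append("Ethernet IP address not set: use a console session on the serial port to configure it")
        return findings
    try:
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)   # dotted-decimal mask is accepted
    except ValueError as exc:
        findings.append(f"invalid Ethernet address or subnet mask: {exc}")
        return findings
    if is_unconfigured(gw):
        findings.append("no gateway address set: the switch is reachable only from its own subnet")
    elif ipaddress.ip_address(gw) not in net:
        findings.append(f"gateway {gw} is not inside the Ethernet subnet {net}")
    if fields["dhcp"]:
        findings.append("DHCP is on: the Ethernet settings shown were acquired from the DHCP server")
    return findings


def ipv6_add_operand(addr_with_prefix: str) -> str:
    """Validate an address/prefix operand for 'ipaddrset -ipv6 --add' and return it in
    canonical form; a malformed value raises ValueError before it reaches the switch."""
    return str(ipaddress.IPv6Interface(addr_with_prefix))


if __name__ == "__main__":
    cfg = parse_ipaddrshow(SAMPLE_IPADDRSHOW)
    print(cfg)
    print(check_ethernet_config(cfg) or "no findings")
    print(ipv6_add_operand("1080::8:800:200C:417A/64"))
```

Feed the function the captured output of ipAddrShow from an SSH session; the "DHCP is on" finding is the reminder that the values shown will change when the lease does, which matters when firewall rules or management tooling are keyed to the switch address.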

Activating DHCP

By default, some HP switches have DHCP enabled; check the latest Fabric OS 6.x release notes for a complete list of switches. The 4/256 SAN Director and DC SAN Backbone Director (short name, DC Director) do not support DHCP.
The Fabric OS DHCP client supports the following parameters:
• External Ethernet port IP addresses and subnet masks
• Default gateway IP address
The DHCP client uses a DHCP vendor class identifier that allows DHCP servers to determine that the Discovers and Requests are coming from a switch. The vendor class identifier is the string “BROCADE” followed by the SWBD model number of the platform. For example, the vendor class identifier for a request from an HP StorageWorks DC Director is “BROCADESWBD62.”
IMPORTANT: The client conforms to the latest IETF Draft Standard RFCs for IPv4, IPv6, and DHCP.
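The following Python code is an added worked example, not part of this guide or of Fabric OS. It shows how a DHCP server administrator can use the vendor class identifier format described above to pick out switch requests in the server's records (an inventory check) and to flag switch requests that arrived through a relay agent, which, given that the client only works with a server on its own subnet, indicates a switch or server on the wrong segment. The request records and MAC addresses are constructed; only the "BROCADE" + SWBD format and the SWBD62 value come from the guide.

```python
import re
from typing import Dict, List, Optional

# Vendor class identifier format from the guide: the string "BROCADE" followed by the SWBD model number.
VCI_RE = re.compile(r"^BROCADE(SWBD\d+)$")


def switch_model_from_vci(vendor_class: str) -> Optional[str]:
    """Return the SWBD platform identifier from a Fabric OS DHCP client's vendor class
    identifier (DHCP option 60), or None when the request is not from such a switch."""
    m = VCI_RE.match(vendor_class.strip())
    return m.group(1) if m else None


# Constructed request records (not real DHCP server output). Each holds the client hardware
# address, the vendor class it sent, and the relay agent address (giaddr), which is 0.0.0.0
# when the request arrived directly from the client's own subnet. MAC addresses are made up.
SAMPLE_REQUESTS: List[Dict[str, str]] = [
    {"mac": "02:00:00:00:00:01", "vendor_class": "BROCADESWBD62", "giaddr": "0.0.0.0"},
    {"mac": "02:00:00:00:00:02", "vendor_class": "BROCADESWBD62", "giaddr": "10.1.2.1"},
    {"mac": "02:00:00:00:00:03", "vendor_class": "MSFT 5.0", "giaddr": "0.0.0.0"},
    {"mac": "02:00:00:00:00:04", "vendor_class": "", "giaddr": "0.0.0.0"},
]


def triage_dhcp_requests(records: List[Dict[str, str]]) -> Dict[str, list]:
    """Separate Fabric OS switch requests from other clients and flag switch requests that
    came through a relay: the guide states the switch's DHCP client only works with a server
    on the same subnet, so a relayed request points at a misplaced switch or server."""
    switches: List[Dict[str, str]] = []
    others: List[str] = []
    warnings: List[str] = []
    for rec in records:
        model = switch_model_from_vci(rec.get("vendor_class", ""))
        if model is None:
            others.append(rec["mac"])
            continue
        switches.append({"mac": rec["mac"], "model": model})
        if rec.get("giaddr", "0.0.0.0") != "0.0.0.0":
            warnings.append(
                f"{rec['mac']} ({model}) relayed via {rec['giaddr']}: "
                "DHCP server must be on the switch's subnet"
            )
    return {"switches": switches, "others": others, "warnings": warnings}


if __name__ == "__main__":
    result = triage_dhcp_requests(SAMPLE_REQUESTS)
    for entry in result["switches"]:
        print("switch", entry["mac"], entry["model"])
    for warning in result["warnings"]:
        print("warning:", warning)
```

The match is case-sensitive on purpose: the guide quotes the identifier in upper case, and treating variants as switch traffic would only hide clients that merely look similar.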
Enabling DHCP
Connect the DHCP-enabled switch to the network, power on the switch, and the switch automatically obtains the Ethernet IP address, Ethernet subnet mask, and default gateway address from the DHCP server. The DHCP client can only connect to a DHCP server on the same subnet as the switch. Do not enable DHCP if the DHCP server is not on the same subnet as the switch.
Enabling DHCP after the Ethernet information has been configured releases the current Ethernet network interface settings, including Ethernet IP, Ethernet Subnetmask, and Gateway. The Fibre Channel (FC) IP address and subnet mask is static and is not affected by DHCP; see ”Setting static Ethernet addresses” on page 28 for instructions on setting the FC IP address.
To enable DHCP:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the ipaddrset command.
3. If already set up, skip the Ethernet IP address, Ethernet subnet mask, Fibre Channel IP address and subnet mask prompts by pressing Enter.
4. When you are prompted for DHCP[Off], enable it by entering on at the prompt:
switch:admin> ipaddrset
Ethernet IP Address [192.168.74.102]:
Ethernet Subnetmask [255.255.255.0]:
Fibre Channel IP Address [220.220.220.2]:
Fibre Channel Subnetmask [255.255.0.0]:
Gateway IP Address [192.168.74.1]:
DHCP [Off]:on
Disabling DHCP
When you disable DHCP, enter the static Ethernet IP address and subnet mask of the switch and default gateway address. Otherwise, the Ethernet settings may conflict with other addresses assigned by the DHCP server on the network.
To disable DHCP:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the ipaddrset command.
3. Enter the network information in dotted decimal notation for the Ethernet IP address, Ethernet Subnetmask, and Gateway Address at the prompts. If a static Ethernet address is not available when you disable DHCP, enter 0.0.0.0 at the Ethernet IP address prompt. Skip Fibre Channel prompts by pressing Enter.
4. When you are prompted for DHCP[On], disable it by entering off.
switch:admin> ipaddrset
Ethernet IP Address [192.168.74.102]:
Ethernet Subnetmask [255.255.255.0]:
Fibre Channel IP Address [220.220.220.2]:
Fibre Channel Subnetmask [255.255.0.0]:
Gateway IP Address [192.168.74.1]:
DHCP [On]:off

Setting the date and time

Switches maintain the current date and time inside a battery-backed real-time clock (RTC) circuit. Date and time are used for logging events. Switch operation does not depend on the date and time; a switch with an incorrect date and time value still functions properly. However, because the date and time are used for logging, error detection, and troubleshooting, you should set them correctly.
Authorization access to set or change the date and time for a switch is role-based. For an understanding of role-based access, refer to ”Using Role-Based Access Control (RBAC)” on page 56.
IMPORTANT: If you are running a Fabric OS version earlier than 6.x and secure mode is not enabled, a change in date or time to one switch is forwarded to the principal switch and distributed to the fabric. If secure mode is enabled, date or time changes can be made only on the primary FCS switch and distributed to the fabric.
To set the date and time:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the date command, using the following syntax:
date "mmddHHMMyy"
The values represent the following:
• mm is the month; valid values are 01 through 12.
• dd is the date; valid values are 01 through 31.
• HH is the hour; valid values are 00 through 23.
• MM is minutes; valid values are 00 through 59.
• yy is the year; valid values are 00 through 99 (values greater than 69 are interpreted as 1970 through 1999, and values less than 70 are interpreted as 2000 through 2069).
switch:admin> date
Fri Sep 29 17:01:48 UTC 2007
switch:admin> date "0927123007"
Thu Sep 27 12:30:00 UTC 2007
switch:admin>
For details about how to change time zones, see the tsTimeZone command in the Fabric OS Command Reference.
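The following Python code is an added worked example, not part of this guide or of Fabric OS. It implements the "mmddHHMMyy" operand rules given above, including the two-digit year pivot (values above 69 are 1970-1999, values below 70 are 2000-2069), builds the operand from a Python datetime for scripted clock setting, and parses the line the date command prints so a script can confirm the switch accepted the value. The per-field range checks come from the guide; the rejection of impossible dates such as 31 February is what datetime adds on top of them, and the "seconds reset to zero" behaviour is read off the guide's own example output.

```python
import re
from datetime import datetime

DATE_ARG_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})$")
FIELD_RANGES = (("mm", 1, 12), ("dd", 1, 31), ("HH", 0, 23), ("MM", 0, 59))


def expand_year(yy: int) -> int:
    """Apply the guide's two-digit year rule: >69 means 1970-1999, <70 means 2000-2069."""
    if not 0 <= yy <= 99:
        raise ValueError(f"yy must be 00-99, got {yy}")
    return 1900 + yy if yy > 69 else 2000 + yy


def parse_date_arg(arg: str) -> datetime:
    """Validate the "mmddHHMMyy" operand of the date command and return it as a datetime.

    The per-field ranges follow the guide; datetime() then rejects combinations the ranges
    alone allow, such as day 31 in a 30-day month. Seconds become 00, as in the guide's
    example where date "0927123007" yields 12:30:00.
    """
    m = DATE_ARG_RE.match(arg.strip().strip('"'))
    if not m:
        raise ValueError(f"expected ten digits mmddHHMMyy, got {arg!r}")
    values = [int(g) for g in m.groups()]
    for (name, lo, hi), value in zip(FIELD_RANGES, values[:4]):
        if not lo <= value <= hi:
            raise ValueError(f"{name}={value:02d} is outside {lo:02d}-{hi:02d}")
    mm, dd, hh, mi, yy = values
    return datetime(expand_year(yy), mm, dd, hh, mi)


def is_valid_date_arg(arg: str) -> bool:
    """True when the operand would be accepted by parse_date_arg."""
    try:
        parse_date_arg(arg)
        return True
    except ValueError:
        return False


def format_date_arg(when: datetime) -> str:
    """Build the operand that sets the switch clock to `when` (seconds are dropped)."""
    if not 1970 <= when.year <= 2069:
        raise ValueError("the two-digit year form can only express 1970-2069")
    return when.strftime("%m%d%H%M%y")


def parse_date_output(line: str) -> datetime:
    """Parse the line the date command prints, e.g. 'Thu Sep 27 12:30:00 UTC 2007'."""
    return datetime.strptime(line.strip(), "%a %b %d %H:%M:%S %Z %Y")


if __name__ == "__main__":
    wanted = datetime(2007, 9, 27, 12, 30)
    operand = format_date_arg(wanted)
    print(f'date "{operand}"')                      # date "0927123007"
    print(parse_date_arg(operand))                  # 2007-09-27 12:30:00
    print(parse_date_output("Thu Sep 27 12:30:00 UTC 2007") == wanted)
```

A script that sets the clock should compare parse_date_output of the response against the value it intended to set; a mismatch on a switch that is not the principal is the cue to check where the fabric distributes time from.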

Setting time zones

You can set the time zone for a switch by name. You can specify the setting using country and city or time zone parameters. Switch operation does not depend on a date and time setting. However, having an accurate time setting is needed for accurate logging and audit tracking.
If the time zone is not set with the new options, the switch retains the offset time zone settings. The tsTimeZone command includes an option to revert to the prior time zone format. For more information about the --old option, see the Fabric OS Command Reference.
IMPORTANT: If you are downgrading to a Fabric OS version earlier than 6.x, or retaining the offset format, see prior versions of the Fabric OS Administrator’s Guide for detailed information about setting time zones using the offset format. See ”About the firmware download process” on page 163 for time zone downgrading considerations.
You can set the time zone for a switch using the tsTimeZone command. The tsTimeZone command allows you to perform the following tasks:
• Display all of the time zones supported in the firmware
• Set the time zone based on a country and city combination or based on a time zone ID such as PST
The time zone setting has the following characteristics:
• Users can view the time zone settings. However, only those with administrative permissions can set the time zones.
• The tsTimeZone setting automatically adjusts for Daylight Savings Time.
• Changing the time zone on a switch updates the local time zone setup and is reflected in local time calculations.
• By default, all switches are in the GMT time zone (0,0). If all switches in a fabric are in one time zone, it is possible for you to keep the time zone setup at the default setting.
• System services that have already started will reflect the time zone changes only after the next reboot.
• Time zone settings persist across failover for High Availability.
Setting the time zone on a dual domain Director has the following characteristics:
• Updating the time zone on any switch updates the entire Director.
• The time zone of the entire Director is the time zone of switch 0.
The following procedure describes how to set the time zone for a switch. You must perform the procedure on all switches for which the time zone must be set. However, you only need to set the time zone once on each switch, because the value is written to nonvolatile memory.
To set the time zone:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the tsTimeZone command as follows:
switch:admin> tstimezone [--interactive] | [timezone_fmt]
• Use tsTimeZone with no parameters to display the current time zone setting.
• Use --interactive to list all of the time zones supported by the firmware.
• Use timezone_fmt to set the time zone by Country/City or by time zone ID, such as PST.
The following example shows how to display the current time zone setup and how to change the time zone to US/Central.
switch:admin> tstimezone
Time Zone : US/Pacific
switch:admin> tstimezone US/Central
switch:admin> tstimezone
Time Zone : US/Central
The following procedure describes how to set the current time zone using interactive mode to Pacific Standard Time.
To set the time zone interactively:
1. Type the tsTimeZone command as follows:
switch:admin> tstimezone --interactive
2. You are prompted to select a general location.
Please identify a location so that time zone rules can be set correctly.
3. Enter the appropriate number or Ctrl-D to quit.
4. At the prompt, select a country location.
5. At the prompt, enter the appropriate number to specify the time zone region or Ctrl-D to quit.

Synchronizing local time using NTP

You can synchronize the local time of the principal or primary fabric configuration server (FCS) switch to a maximum of eight external network time protocol (NTP) servers. To keep the time in your SAN current, it is recommended that the principal or primary-FCS switch has its time synchronized with at least one external NTP server. The other switches in the fabric will automatically take their time from the principal or primary-FCS switch.
All switches in the fabric maintain the current clock server value in non-volatile memory. By default, this value is the local clock server <LOCL> of the principal or primary FCS switch. Changes to the clock server value on the principal or primary FCS switch are propagated to all switches in the fabric.
When a new switch enters the fabric, the time server daemon of the principal or primary FCS switch sends out the addresses of all existing clock servers and the time to the new switch. A switch running Fabric OS 5.3.0 or later that enters the fabric stores the list and the active server; pre-5.3.0 Fabric OS switches ignore the new list parameter in the payload and update only the active server address.
If the configured active NTP server has an IPv6 address, it cannot be distributed to switches running Fabric OS versions earlier than 5.3.0, because IPv6 is supported only in Fabric OS 5.3.0 and later. Those pre-5.3.0 switches receive the default value LOCL instead.
To synchronize local time with an external source:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the tsClockServer command:
switch:admin> tsclockserver "<ntp1;ntp2>"
where ntp1 is the IP address or DNS name of the first NTP server, which the switch must be able to access. The second ntp2 is the second NTP server and is optional. The operand “<ntp1;ntp2>” is optional; by default, this value is LOCL, which uses the local clock of the principal or primary switch as the clock server.
The tsClockServer command accepts multiple server addresses in either IPv4, IPv6, or DNS name formats. When multiple NTP server addresses are passed, tsClockServer sets the first obtainable address as the active NTP server. The rest will be stored as backup servers that can take over if the active NTP server fails. The principal or primary FCS switch synchronizes its time with the NTP server every 64 seconds.
switch:admin> tsclockserver
LOCL
switch:admin> tsclockserver "132.163.135.131"
switch:admin> tsclockserver
132.163.135.131
switch:admin>
The following example shows how to set up more than one NTP server using a DNS name:
switch:admin> tsclockserver "10.32.170.1;10.32.170.2;ntp.localdomain.net"
Updating Clock Server configuration...done.
Updated with the NTP servers
Changes to the clock server value on the principal or primary FCS switch are propagated to all switches in the fabric.
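The following Python code is an added worked example, not part of this guide or of Fabric OS. It models the behaviour described in this section: the semicolon-separated "<ntp1;ntp2;...>" operand is split and each entry checked to be an IPv4 address, an IPv6 address, or a DNS name (at most eight entries); the first obtainable entry becomes the active server and the rest are backups; and a fabric member running a version earlier than 5.3.0 receives LOCL instead of an IPv6 active server. The reachability test is a constructed stand-in for the switch's own, and the outcome when no server at all is obtainable is an assumption (the guide does not state it). The server addresses in the usage are the ones shown in this section.

```python
import ipaddress
import re
from typing import Callable, List, Optional, Tuple

MAX_NTP_SERVERS = 8          # the guide allows up to eight external NTP servers
LOCAL_CLOCK = "LOCL"         # default: the principal or primary FCS switch's own clock
MIN_IPV6_FOS = (5, 3, 0)     # first Fabric OS version that supports an IPv6 NTP address
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def classify_server(server: str) -> str:
    """Return 'ipv4', 'ipv6' or 'dns' for one clock server entry; ValueError otherwise."""
    try:
        return "ipv4" if ipaddress.ip_address(server).version == 4 else "ipv6"
    except ValueError:
        pass
    if len(server) <= 253 and HOSTNAME_RE.match(server):
        return "dns"
    raise ValueError(f"not an IP address or DNS name: {server!r}")


def parse_clock_server_operand(operand: str) -> List[str]:
    """Turn the quoted "<ntp1;ntp2;...>" operand of tsClockServer into a validated list.
    An empty operand or LOCL means "use the local clock"."""
    body = operand.strip().strip('"')
    if body in ("", LOCAL_CLOCK):
        return [LOCAL_CLOCK]
    servers = [s.strip() for s in body.split(";") if s.strip()]
    if len(servers) > MAX_NTP_SERVERS:
        raise ValueError(f"{len(servers)} servers given, maximum is {MAX_NTP_SERVERS}")
    for server in servers:
        classify_server(server)      # raises on a malformed entry
    return servers


def select_active_server(
    servers: List[str], obtainable: Callable[[str], bool]
) -> Tuple[Optional[str], List[str]]:
    """Model the selection rule: the first obtainable address becomes the active NTP server
    and every other entry is kept as a backup. `obtainable` is a constructed stand-in for
    the switch's own reachability test."""
    if servers == [LOCAL_CLOCK]:
        return LOCAL_CLOCK, []
    active: Optional[str] = None
    backups: List[str] = []
    for server in servers:
        if active is None and obtainable(server):
            active = server
        else:
            backups.append(server)
    return active, backups


def value_distributed_to(active: Optional[str], member_fos_version: Tuple[int, int, int]) -> str:
    """What a fabric member of the given Fabric OS version receives from the principal or
    primary FCS switch: an IPv6 active server cannot be distributed to pre-5.3.0 switches,
    which get LOCL. Assumption: with no obtainable server the member also gets LOCL."""
    if active is None or active == LOCAL_CLOCK:
        return LOCAL_CLOCK
    if member_fos_version < MIN_IPV6_FOS and classify_server(active) == "ipv6":
        return LOCAL_CLOCK
    return active


if __name__ == "__main__":
    servers = parse_clock_server_operand('"10.32.170.1;10.32.170.2;ntp.localdomain.net"')
    # Constructed reachability: pretend the first server does not answer.
    active, backups = select_active_server(servers, lambda s: s != "10.32.170.1")
    print("active:", active, "backups:", backups)
    print("pre-5.3.0 member gets:", value_distributed_to("1080::8:800:200C:417A", (5, 2, 1)))
```

For logging and audit, the check worth automating is value_distributed_to for the oldest switch in the fabric: a member silently falling back to LOCL keeps working, but its event timestamps then follow the principal's local clock rather than the external source.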

Customizing switch names

Switches can be identified by IP address, Domain ID, World Wide Name (WWN), or by customized switch names that are unique and meaningful.
Switch names can be from 1 to 31 characters long, except for the HP StorageWorks DC Director. The DC Director name must be 1 to 15 characters in length. All switch names must begin with a letter, and can contain letters, numbers, or the underscore character. It is not necessary to use quotation marks.
NOTE: Changing the switch name causes a domain address format RSCN (registered state change notification) to be issued and may be disruptive to the fabric.
To customize the switch name:
1. Open a Telnet session for each logical switch and enter the switchName command.
2. Connect to the switch and log in using an admin account.
3. Enter the switchName command, using the following syntax:
switchname "newname"
where newname is the new name for the switch.
4. Record the new switch name for future reference.
5. Record the new switch name for the second domain for future reference.

Working with Domain IDs

Although Domain IDs are assigned dynamically when a switch is enabled, you can reset them manually so that you can control the ID number or resolve a Domain ID conflict when you merge fabrics.
If a switch has a Domain ID when it is enabled, and that Domain ID conflicts with a switch in the fabric, the conflict is automatically resolved. The process can take several seconds, during which time traffic is delayed.
The default Domain ID for HP switches is 1.
NOTE: Do not use Domain ID 0. The use of this Domain ID can cause the switch to reboot continuously.
Avoid changing the Domain ID on the FCS in secure mode. To minimize downtime, change the Domain IDs on the other switches in the fabric.
To display Domain IDs:
1. Connect to a switch and log in as admin.
2. Enter the fabricShow command.
Fabric information is displayed, including the Domain ID (D_ID).
switch:admin> fabricshow
Switch ID   Worldwide Name           Enet IP Addr    FC IP Addr      Name
-------------------------------------------------------------------------
 64: fffc40 10:00:00:60:69:00:06:56 192.168.64.59   192.168.65.59   "sw5"
 65: fffc41 10:00:00:60:69:00:02:0b 192.168.64.180  192.168.65.180  >"sw180"
 66: fffc42 10:00:00:60:69:00:05:91 192.168.64.60   192.168.65.60   "sw60"
 67: fffc43 10:00:00:60:69:10:60:1f 192.168.64.187  0.0.0.0         "sw187"
The Fabric has 4 switches
The fields in the fabricShow display are:
Switch ID — The switch Domain_ID and embedded port D_ID
Worldwide Name — The switch WWN
Enet IP Addr — The switch Ethernet IP address for IPv4 and IPv6 configured switches. For IPv6 switches, only the static IP address displays
FC IP Addr — The switch FC IP address
Name — The switch symbolic name. An arrow (>) indicates the principal switch.
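The following Python code is an added worked example, not part of this guide or of Fabric OS. It serves two passages: the switch naming rules under ”Customizing switch names” (1 to 31 characters, 1 to 15 on the DC Director, beginning with a letter, letters, digits and underscores only) and the fabricShow listing above, which it parses (embedded as a constructed sample) into one record per switch. The audit function then runs the consistency checks an administrator would want over the listing: duplicate or out-of-range Domain IDs, an embedded port D_ID that does not match its Domain ID (in the sample rows the D_ID is fffc followed by the domain in hex), switches with no FC IP address, names that break the naming rules, and a listing with no principal marked. The 1 through 239 Domain ID range is the one given for normal operating mode in the procedure that follows.

```python
import re
from collections import Counter
from typing import Any, Dict, List, Optional

# Constructed sample: the fabricShow output from this guide, one switch per line.
SAMPLE_FABRICSHOW = """\
Switch ID   Worldwide Name           Enet IP Addr    FC IP Addr      Name
-------------------------------------------------------------------------
 64: fffc40 10:00:00:60:69:00:06:56 192.168.64.59   192.168.65.59   "sw5"
 65: fffc41 10:00:00:60:69:00:02:0b 192.168.64.180  192.168.65.180  >"sw180"
 66: fffc42 10:00:00:60:69:00:05:91 192.168.64.60   192.168.65.60   "sw60"
 67: fffc43 10:00:00:60:69:10:60:1f 192.168.64.187  0.0.0.0         "sw187"
The Fabric has 4 switches
"""

ROW_RE = re.compile(r'^\s*(\d+):\s+([0-9a-f]{6})\s+(\S+)\s+(\S+)\s+(\S+)\s+(>?)"([^"]*)"\s*$')
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")
DOMAIN_MIN, DOMAIN_MAX = 1, 239      # normal operating mode range from the configure procedure


def parse_fabricshow(text: str) -> List[Dict[str, Any]]:
    """Turn each switch row of fabricShow output into a dictionary; other lines are skipped."""
    switches: List[Dict[str, Any]] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        domain, port_id, wwn, enet_ip, fc_ip, marker, name = m.groups()
        switches.append({"domain": int(domain), "port_id": port_id, "wwn": wwn,
                         "enet_ip": enet_ip, "fc_ip": fc_ip,
                         "principal": marker == ">", "name": name})
    return switches


def principal_switch(switches: List[Dict[str, Any]]) -> Optional[str]:
    """Name of the switch marked with '>' in the listing, or None."""
    for sw in switches:
        if sw["principal"]:
            return sw["name"]
    return None


def validate_switch_name(name: str, dc_director: bool = False) -> List[str]:
    """Apply the naming rules: 1-31 characters (1-15 on the DC Director), beginning with a
    letter, containing only letters, digits and underscores."""
    limit = 15 if dc_director else 31
    problems: List[str] = []
    if not 1 <= len(name) <= limit:
        problems.append(f"{name!r}: length {len(name)} is outside 1-{limit}")
    if not NAME_RE.match(name):
        problems.append(f"{name!r}: must start with a letter and use only letters, digits and underscores")
    return problems


def audit_fabric(switches: List[Dict[str, Any]]) -> List[str]:
    """Consistency checks over a parsed fabricShow listing; empty list means all clear."""
    findings: List[str] = []
    for domain, count in sorted(Counter(sw["domain"] for sw in switches).items()):
        if count > 1:
            findings.append(f"Domain ID {domain} appears {count} times")
    for sw in switches:
        name, domain = sw["name"], sw["domain"]
        if not DOMAIN_MIN <= domain <= DOMAIN_MAX:
            findings.append(f"{name}: Domain ID {domain} is outside {DOMAIN_MIN}-{DOMAIN_MAX}")
        if sw["port_id"] != f"fffc{domain:02x}":
            findings.append(f"{name}: embedded port D_ID {sw['port_id']} does not match Domain ID {domain}")
        if sw["fc_ip"] == "0.0.0.0":
            findings.append(f"{name}: no FC IP address (0.0.0.0)")
        findings.extend(validate_switch_name(name))
    if principal_switch(switches) is None:
        findings.append("no principal switch marked in the listing")
    return findings


if __name__ == "__main__":
    fabric = parse_fabricshow(SAMPLE_FABRICSHOW)
    print("principal:", principal_switch(fabric))
    for finding in audit_fabric(fabric) or ["no findings"]:
        print(finding)
```

Running the audit before and after a fabric merge gives a quick, repeatable way to confirm that the Domain ID conflict resolution described below produced the expected result and that the principal switch is the one you intended.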
To set the Domain ID:
1. Connect to the switch and log in using an admin account.
2. Enter the switchDisable command to disable the switch.
3. Enter the configure command.
4. Enter y after the Fabric parameters prompt:
Fabric parameters (yes, y, no, n): [no] y
5. Enter a unique Domain ID at the Domain prompt. Use a Domain ID value from 1 through 239 for normal operating mode (FCSW compatible):
Domain: (1..239) [1] 3
6. Respond to the remaining prompts, or press Ctrl-D to accept the other settings and exit.
7. Enter the switchEnable command to re-enable the switch.

Licensed features

You need the following items for each feature that needs to be licensed:
• Transaction key in the paperpack document supplied with the switch software. Or, when you purchased a license, you received a transaction key to use for generating a software license key.
• License ID. To see a switch license ID, issue the licenseIdShow command.
Feature licenses may be part of the licensed paperpack supplied with your switch software; if not, you can purchase licenses separately from HP. License keys are provided on a per-product and per-feature basis. Each switch within a fabric will need its own licensing.
NOTE: To preserve licenses on your switch, perform a configupload prior to upgrading or downgrading your Fabric OS.
If you downgrade your Fabric OS to a version earlier than 6.1.x, some licenses associated with specific features of Fabric OS 6.1.x may not work.
Licenses can be associated with a feature version or a blade type:
• If a feature has a version-based license, that license is valid only for a particular version of the feature. If you want a newer version of the feature, you must purchase a new license. Version upgrade example: a zoning license for Fabric OS version 6.x is added; you can add another zoning license with a version greater than 5.2.0 without removing the zoning license for Fabric OS 5.2.0. Upgrading is allowed, but downgrading is not supported.
• If a license is not version-based, then it is valid for all versions of the feature.
• If a license is associated with a blade type, the licensed feature can be used only with the associated blade; if you want to use the feature on a second blade, you must purchase an additional license.

Generating a license key

To generate a license key:
1. If you already have a license key, go to ”Activating a license key” on page 35 to activate.
If you do not have a license key, launch an Internet browser and go to:
http://webkey.external.hp.com/welcome.asp
The Hewlett-Packard Authorization Center website main menu displays.
2. Click Generate a license key.
The HP StorageWorks Software License Key instruction page opens.
3. Enter the information in the required fields.
4. Follow the onscreen instructions to generate multiple license keys if applicable.
5. Click Next. A verification screen appears.
Verify that the information is correct. Click Submit if the information displayed is correct. If the information is incorrect, click Previous and change the information.
6. Click Submit.
7. An information screen displays the license keys. You also receive an e-mail from the HP licensing company.
8. Activate the license keys. Go to ”Activating a license key” on page 35.

Activating a license key

To activate and verify the license:
1. Connect to the switch and log in using an admin account.
2. Activate the license using the licenseAdd command.
switch:admin> licenseadd "key"
The transaction key is case sensitive, so it must be entered exactly as it appears. To lessen the chance of error, copy and paste the transaction key. The quotation marks are optional.
For 4/256 SAN Director and DC SAN Backbone Director (short name, DC Director) models, licenses are effective on both CP blades, but are valid only when the CP blade is inserted into a Director that has an appropriate license ID stored in the WWN card. If a CP is moved from one Director to another, the license works in the new Director only if the WWN card is the same in the new Director. Otherwise, you must transfer licenses from the old WWN to the new WWN.
For example, if you swap one CP blade at a time, or replace a single CP blade, then the existing CP blade (the active CP blade) propagates the licenses to the new CP blade.
If you move a standby CP from one Director to another, then the active CP will propagate its configuration (including license keys).
3. Verify that the license was added by entering the licenseShow command. The licensed features currently installed on the switch display. If the feature is not listed, enter the licenseAdd command again.
Some features may require additional configuration, or you may need to disable and reenable the switch to make them operational; see the feature documentation for details.
switch:admin> licenseshow
RzdeSee9wVlfTu:
    Web license
    Zoning license
    SES license
    Fabric license
    Remote Switch license
    Extended Fabric license
    Fabric Watch license
    Performance Monitor license
    Trunking license
    Security license
    4 Domain Fabric license
    FICON_CUP license
    N_Port ID Virtualization license
    High-Performance Extension over FCIP/FC license
    Ports on Demand license - additional 16 port upgrade
    2 Domain Fabric license
    Ports on Demand license - additional 16 port upgrade

Removing a licensed feature

1. Connect to the switch and log in using an admin account.
2. Enter the licenseShow command to display the active licenses.
3. Remove the license key using the licenseRemove command.
switch:admin> licenseremove "key"
The license key is case-sensitive and must be entered exactly as given. The quotation marks are optional. After removing a license key, the optionally licensed feature is disabled when the switch is rebooted or when a switch disable and enable is performed.
4. Enter the licenseShow command to verify that the license is disabled.
switch:admin> licenseshow
bQebzbRdScRfc0iK:
    Web license
    Zoning license
switch:admin> licenseremove "bQebzbRdScRfc0iK"
removing license key "bQebzbRdScRfc0iK"
switch:admin>
After a reboot (or switchDisable and switchEnable), only the remaining licenses appear:
switch:admin> licenseshow
SybbzQQ9edTzcc0X:
    Fabric license
switch:admin>
If there are no license keys, licenseShow displays "No licenses."
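The verification step above is easy to get wrong by eye when a key carries many features. The following Python script, an added example for this guide and not Fabric OS code, parses licenseShow output and reports which features disappeared between two listings, and which required features no installed key provides. The sample listings are built from the two examples in this section; the assumed layout is a key on its own line ending in a colon, followed by one feature per line.

```python
import re
from typing import Dict, Iterable, List, Set

# Sample licenseshow output, constructed from the two listings in this section.
BEFORE = """\
switch:admin> licenseshow
bQebzbRdScRfc0iK:
    Web license
    Zoning license
"""

AFTER = """\
switch:admin> licenseshow
SybbzQQ9edTzcc0X:
    Fabric license
"""

NONE = """\
switch:admin> licenseshow
No licenses.
"""

# A license key is a line consisting of the key followed by a colon.
KEY_RE = re.compile(r"^(\S+):\s*$")


def parse_licenseshow(output: str) -> Dict[str, List[str]]:
    """Map each installed license key to the feature names listed under it.

    Assumed layout (it matches the listings in this section): the key on a
    line of its own ending in ':', then one indented feature per line.
    Prompt lines and the 'No licenses' line are skipped.
    """
    licenses: Dict[str, List[str]] = {}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("switch:") or line.startswith("No licenses"):
            continue
        match = KEY_RE.match(line)
        if match:
            current = match.group(1)
            licenses.setdefault(current, [])
        elif current is not None:
            licenses[current].append(line)
    return licenses


def features_of(licenses: Dict[str, List[str]]) -> Set[str]:
    """All feature names provided by any installed key."""
    return {feature for features in licenses.values() for feature in features}


def features_lost(before: str, after: str) -> Set[str]:
    """Features present in the first listing but absent from the second."""
    return features_of(parse_licenseshow(before)) - features_of(parse_licenseshow(after))


def missing_required(output: str, required: Iterable[str]) -> Set[str]:
    """Required features that no installed key provides, e.g. after a removal
    or after a CP swap where a key tied to another WWN card is not honoured."""
    return set(required) - features_of(parse_licenseshow(output))


if __name__ == "__main__":
    print("lost:", sorted(features_lost(BEFORE, AFTER)))
    print("missing:", sorted(missing_required(AFTER, ["Fabric license", "Zoning license"])))
```

Run it against a licenseShow capture taken before and after a change; an empty `features_lost` set after a planned removal means the feature was still being provided by another key.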

Features and required licenses

Table 4 lists the licenses that should be installed on the local switch and any connecting switches for a particular feature.

Table 4 License requirements

Administrative Domains
    License: No license required.
    Where license should be installed: n/a
Configuration up/download
    License: No license required. Configupload and configdownload are commands that come with the OS on the switch.
    Where license should be installed: n/a
Diagnostic tools
    License: No license required.
    Where license should be installed: n/a
Distributed Management Server
    License: No license required.
    Where license should be installed: n/a
EX_Ports
    License: Integrated Routing
    Where license should be installed: Local and attached switches.
FC Fastwrite
    License: FC-IP Services or High Performance Extension over FCIP/FC
    Where license should be installed: Local and attached switches. License is needed on both sides of the connection.
FCIP
    License: FC-IP Services or High Performance Extension over FCIP/FC
    Where license should be installed: Local and attached switches. License is needed on both sides of the tunnel.
FICON
    License: No license required.
    Where license should be installed: n/a
FICON-CUP
    License: FICON Management Server
    Where license should be installed: Local switch.
FIPS
    License: No license required.
    Where license should be installed: n/a
Firmware download
    License: No license required. Firmwaredownload is a command that comes with the OS on the switch.
    Where license should be installed: n/a
Full fabric
    License: Full Fabric
    Where license should be installed: Local switch. May be required on attached switches.
Ingress rate limiting
    License: Adaptive Networking
    Where license should be installed: Local switch and attached switches.
Integrated routing
    License: Integrated Routing
    Where license should be installed: Local and attached switches.
Inter-chassis link (ICL)
    License: ICL
    Where license should be installed: Local and attached ICLs.
IPSec for FCIP tunnels
    License: FC-IP Services or High Performance Extension over FCIP/FC
    Where license should be installed: Local and attached switches. License is needed on both sides of the tunnel.
LDAP
    License: No license required.
    Where license should be installed: n/a
Long distance
    License: Extended Fabrics
    Where license should be installed: Local and attached switches.
NPIV
    License: No license required.
    Where license should be installed: n/a
Performance monitoring
    License: Basic features: no license required. Advanced features: Advanced Performance Monitoring.
    Where license should be installed: Local switch.
Port fencing
    License: Fabric Watch
    Where license should be installed: Local switch.
Ports
    License: Ports on Demand licenses. This license applies to a select set of switches.
    Where license should be installed: Local switch.
QoS
    License: Adaptive Networking
    Where license should be installed: Local switch and attached switches.
RADIUS
    License: No license required.
    Where license should be installed: n/a
RBAC
    License: No license required.
    Where license should be installed: n/a
Routing traffic
    License: No license required. This includes port-based or exchange-based routing, static routes, frame-order delivery, and dynamic routes.
    Where license should be installed: n/a
Security
    License: No license required. Includes the DCC, SCC, FCS, IP Filter, and authentication policies.
    Where license should be installed: n/a
SNMP
    License: No license required.
    Where license should be installed: n/a
SSH public key
    License: No license required.
    Where license should be installed: n/a
Top Talkers
    License: Advanced Performance Monitoring
    Where license should be installed: Local switch and attached switches.
Traffic Isolation
    License: No license required.
    Where license should be installed: n/a
Trunking
    License: ISL Trunking or ISL Trunking Over Extended Fabrics
    Where license should be installed: Local and attached switches.
Two-factor authentication
    License: No license required.
    Where license should be installed: n/a
Two-to-four domains in a fabric
    License: Value Line (Two/Four)
    Where license should be installed: Local switch. May be required on attached switches.
USB usage
    License: No license required.
    Where license should be installed: n/a
Web Tools
    License: No license required.
    Where license should be installed: Local and any switch you want to manage using Web Tools.
Zoning
    License: No license required.
    Where license should be installed: Local and attached switches; or any switch you want to use in a zone.

Inter-Chassis Link (ICL) licensing

ICL ports can be used only with an ICL license. After a license is added or removed, license enforcement on the ICL ports takes place only when the portDisable and portEnable commands are issued on those ports. An ICL license must be installed on both DC Directors forming the ICL connection.

8Gb licensing

IMPORTANT: This license is installed by default. Do not remove it under any circumstances.
The 8 Gbps licensing applies to the 8Gb SAN Switches. The following list describes the basic rules for using, adding, or removing 8Gb licenses.
Without an 8Gb license, even if an 8Gb SFP is plugged into a port on an applicable platform, the port is enabled only to run at a maximum speed of 4Gb.
To obtain an 8Gb license, only the License ID of the switch is required. After you add the 8Gb license, you must perform a portDisable and portEnable on individual ports, or a switchDisable and switchEnable for all ports, to enable the 8 Gbps functionality on the ports.
When you remove the 8Gb license, ports that are online and already running at 8Gb are not disturbed until the port goes offline or the switch is rebooted. The port then returns to its pre-license maximum speed of 4Gb.

Time-based licenses

A time-based license applies a try-before-you-buy approach to certain features so that you can experience the feature and its capabilities prior to buying the license. Once you have installed the license, you are given a time limit to use the feature. The following lists the types of licenses that have this feature:
High Performance Extension over FCIP
Fabric
Extended Fabric
Trunking
Advanced Performance Monitoring
If you downgrade your switch to a version earlier than 6.1.x, the time-based license will no longer be available. The license will remain on the switch, but you will not be able to use it.
Once a time-based license is installed, you cannot change the time of the switch until the time-based license is removed: remove the license, change the date, and then reinstall the license on the switch. Any other mechanism for changing the time, such as NTP, is not blocked. If you are using NTP to synchronize the time between your network devices, including switches or enterprise-class platforms, do not attempt to change the system date and time while a time-based license is installed.

High Availability considerations

Whenever the license database is modified, it is synchronized with the standby CP. When the active CP is running Fabric OS 6.1.x and has time-based licenses installed, and the standby CP is running Fabric OS 6.0.0 or earlier, then upon HA failover the time-based licenses are no longer supported on the director or enterprise-class platform. You will not have access to the time-based licensed features until both CPs are running Fabric OS 6.1.x or later. If both CPs are running Fabric OS 6.1.x or later, there is no change to the time-based licenses or their associated features.

Firmware upgrade and downgrade consideration

When a time-based license is present on the switch, and you downgrade the firmware to Fabric OS 6.0.0 or earlier, then the firmware downgrade will be blocked.

Configupload and Configdownload considerations

The configdownload and configupload commands will download the legacy, enhanced, consumed capacities, and time-based licenses.

Expired licenses

Once a license has expired, the licenseShow command no longer lists it as an active license; the expired entry displays the string License has expired. RASLog warning messages are generated every hour for licenses in the database that have expired or that will expire in the next five days. If your license has expired, you must reboot the switch for the expiry to take effect.

Ports on Demand (POD) licensing

NOTE: See the hardware reference guide for your switch for the specific POD licensing available.
POD licensing is ready to be unlocked in the switch firmware. Its license key may be part of the licensed paperpack supplied with the switch software, or you can purchase the license key separately from HP. You may need to generate a license key from a transaction key supplied with your purchase; see "Generating a license key" on page 35.
Each POD license activates the next group of eight ports in numerical order. For example, the 4/8 SAN Switch or 4/16 SAN Switch activates the first eight ports in four-port increments. Before installing a license key, you must insert transceivers in the ports to be activated. Remember to insert the transceivers in the lowest group of inactive port numbers first.
For example in a SAN Switch 4/32, if only 16 ports are currently active and you are installing one POD license key, make sure to insert the transceivers in ports 16 through 23. If you later install a second license key, insert the transceivers in ports 24 through 31. For details on inserting transceivers, see the switch’s Hardware Reference Manual.
After you install a license key, you must enable the ports to complete their activation. You can do so without disrupting switch operation by issuing the portEnable command on each port. Alternatively, you can disable and reenable the switch to activate ports.
NOTE: If you enable or disable an active port, you will disrupt any traffic and potentially lose data flowing on that port. If the port is connected to another switch, you will segment the switch from the fabric and all traffic flowing between the disabled port and the fabric will be lost.

Activating POD

To activate POD:
1. Connect to the switch and log in on an admin account.
2. Optional: To verify the current states of the ports, use the portShow command.
In the portShow output, the Licensed field indicates whether the port is licensed.
3. Install the Ports on Demand license, as described on page 35.
4. Use the portEnable command to enable the ports.
5. Optional: Use the portShow command to check the newly activated ports.
If you remove a POD license, the licensed ports will become disabled after the next platform reboot or the next port deactivation.

Configuring Dynamic Ports on Demand

The Brocade 4Gb SAN Switch for HP c-Class BladeSystem supports blade modules. This switch supports the Dynamic Ports on Demand (DPOD) feature. The Dynamic POD feature automatically assigns POD licenses from a pool of available licenses based on the server blade installation.

How ports are assigned to licenses

The Dynamic POD feature detects and assigns ports to a POD license only if the server blade is installed with an HBA present. A server blade that does not have a functioning HBA is treated as an inactive link during initial POD port assignment.
The Dynamic POD feature assigns the ports to the POD license as they come online. Typically, assignments are sequential, starting with the lowest port number. However, variations in the equipment attached to the ports can cause the ports to take different amounts of time to come online. This means that the port assignment order is not guaranteed.
If the switch detects more active links than allowed by the current POD licenses, then some ports will not be assigned a POD license. Ports that do not receive a POD assignment show No Sync or In Sync status; these ports are not allowed to progress to the online state. Ports that cannot be brought online because of insufficient POD licenses show a (No POD License) Disabled status. (Use the switchShow command to display the port states.)
To allocate licenses to a specific port instead of automatically assigning them as the ports come online, reserve a license for the port using the licensePort command described in "Managing POD licenses" on page 42. The port receives a POD assignment if any are available.
After a port is assigned to the POD set, the port is licensed until it is manually removed from the POD port set using the licensePort --release command. When a port is released from its POD port set (Base, Single, or Double), it creates a vacancy in that port set.

Displaying the port license assignment

Use the licensePort --show command to display the available licenses, the current port assignment of those licenses, and the POD method state (dynamic or static).
To display the port licenses:
1. Connect to the switch and log in using an admin account.
2. Enter the licensePort --show command.
switch:admin> licenseport --show
24 ports are available in this switch
Full POD license is installed
Static POD method is in use
24 port assignments are provisioned for use in this switch:
    12 port assignments are provisioned by the base switch license
    12 port assignments are provisioned by a full POD license
24 ports are assigned to installed licenses:
    12 ports are assigned to the base switch license
    12 ports are assigned to the full POD license
Ports assigned to the base switch license:
    1, 2, 3, 4, 5, 6, 7, 8, 17, 18, 19, 20
Ports assigned to the full POD license:
    0, 9, 10, 11, 12, 13, 14, 15, 16, 21, 22, 23
The example above shows output from a switch that manually assigned POD licenses.

Activating Dynamic Ports on Demand

If the switch is in the Static POD mode, then activating the Dynamic POD will erase any prior port license assignments the next time the switch is rebooted. The static POD assignments become the initial Dynamic POD assignments. After the Dynamic POD feature is enabled, you can customize the POD license associations.
IMPORTANT: The Dynamic POD feature is supported on the Brocade 4Gb SAN Switch for HP c-Class
BladeSystem only.
To enable Dynamic Ports on Demand:
1. Connect to the switch and log in using an admin account.
2. Enter the licensePort --method command with the dynamic option to change the license assignment method to dynamic.
switch:admin> licenseport --method dynamic
The POD method has been changed to dynamic.
Please reboot the switch now for this change to take effect.
3. Enter the reboot command to restart the switch.
switch:admin> reboot
4. Enter the licensePort --show command to verify that the switch started the Dynamic POD feature.
switch:admin> licenseport --show
24 ports are available in this switch
Full POD license is installed
Dynamic POD method is in use
24 port assignments are provisioned for use in this switch:
    12 port assignments are provisioned by the base switch license
    12 port assignments are provisioned by a full POD license
8 ports are assigned to installed licenses:
    8 ports are assigned to the base switch license
    0 ports are assigned to the full POD license
Ports assigned to the base switch license:
    1, 2, 5, 6, 8*, 21, 22, 23
Ports assigned to the full POD license:
    None
Ports not assigned to a license:
    0, 3, 4, 7, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20
16 license reservations are still available for use by unassigned ports
1 license assignment is held by an offline port (indicated by *)

Disabling Dynamic Ports on Demand

Disabling the Dynamic POD feature (changing the POD method to static), erases any prior port license associations or assignments the next time the switch is rebooted.
To disable Dynamic Ports on Demand:
1. Connect to the switch and log in using an admin account.
2. Enter the licensePort --method command with the static option to change the license assignment method to static.
switch:admin> licenseport --method static
The POD method has been changed to static.
Please reboot the switch now for this change to take effect.
3. Enter the reboot command to restart the switch.
switch:admin> reboot
4. Enter the licensePort --show command to verify that the switch started the Static POD feature.
switch:admin> licenseport --show
24 ports are available in this switch
Full POD license is installed
Static POD method is in use
24 port assignments are provisioned for use in this switch:
    12 port assignments are provisioned by the base switch license
    12 port assignments are provisioned by a full POD license
24 ports are assigned to installed licenses:
    12 ports are assigned to the base switch license
    12 ports are assigned to the full POD license
Ports assigned to the base switch license:
    1, 2, 3, 4, 5, 6, 7, 8, 17, 18, 19, 20
Ports assigned to the full POD license:
    0, 9, 10, 11, 12, 13, 14, 15, 16, 21, 22, 23

Managing POD licenses

This section explains how to allocate licenses by reserving and releasing POD assignments to specific ports. Disabled ports are not candidates for automatic license assignment by the Dynamic POD feature. Persistently disable an otherwise viable port to prevent it from coming online, and thereby preserve a license assignment for another port.
Before you can re-assign a license, you must disable the port and release the license.

Reserving a license

Reserving a license for a port assigns a POD license to that port whether the port is online or offline. That license will not be available to other ports that come online before the specified port.
To reserve a port license:
1. Connect to the switch and log in using an admin account.
2. Enter the licensePort --show command to verify that there are port reservations still available.
switch:admin> licenseport --show
24 ports are available in this switch
Full POD license is installed
Dynamic POD method is in use
24 port assignments are provisioned for use in this switch:
    12 port assignments are provisioned by the base switch license
    12 port assignments are provisioned by a full POD license
10 ports are assigned to installed licenses:
    10 ports are assigned to the base switch license
    0 ports are assigned to the full POD license
Ports assigned to the base switch license:
    1*, 2*, 3*, 4*, 5*, 6*, 8*, 21, 22, 23
Ports assigned to the full POD license:
    None
Ports not assigned to a license:
    0, 7, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20
3. If a port reservation is available, issue the licensePort --reserve command to reserve a license for the port.
switch:admin> licenseport --reserve 0
4. If all port reservations are assigned, select a port to release its POD license. You must disable the port first by entering the portDisable <port num> command.
5. Enter the licensePort --release command to remove the port from the POD license.
switch:admin> licenseport --release 0
6. Enter the licensePort --show command to verify there is an available port reservation.
switch:admin> licenseport --show
24 ports are available in this switch
Full POD license is installed
Dynamic POD method is in use
24 port assignments are provisioned for use in this switch:
    12 port assignments are provisioned by the base switch license
    12 port assignments are provisioned by a full POD license
10 ports are assigned to installed licenses:
    10 ports are assigned to the base switch license
    0 ports are assigned to the full POD license
Ports assigned to the base switch license:
    1*, 2*, 3*, 4*, 5*, 6*, 8*, 21, 22, 23
Ports assigned to the full POD license:
    None
Ports not assigned to a license:
    0, 7, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20
7. Enter the switchEnable command to bring the switch back online.
switch:admin> switchenable

Releasing a port

Releasing a port removes it from the POD set; the port will appear as unassigned until it comes back online. Persistently disabling the port will ensure that the port cannot come back online and be automatically assigned to a POD assignment.
To release a port from a POD set:
1. Connect to the switch and log in using an admin account.
2. Enter the switchDisable command to take the switch offline.
switch:admin> switchdisable
3. Enter the switchShow command to verify the switch state is offline.
4. Enter the licensePort --release command to remove the port from the POD license.
switch:admin> licenseport --release 0
5. Enter the licensePort --show command to verify the port is no longer assigned to a POD set.
switch:admin> licenseport --show
24 ports are available in this switch
Full POD license is installed
Dynamic POD method is in use
24 port assignments are provisioned for use in this switch:
    12 port assignments are provisioned by the base switch license
    12 port assignments are provisioned by a full POD license
10 ports are assigned to installed licenses:
    10 ports are assigned to the base switch license
    0 ports are assigned to the full POD license
Ports assigned to the base switch license:
    1*, 2*, 3*, 4*, 5*, 6*, 8*, 21, 22, 23
Ports assigned to the full POD license:
    None
Ports not assigned to a license:
    0, 7, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20
switch:admin>
6. Enter the switchEnable command to bring the switch back online.
7. Enter the switchShow command to verify the switch state is now online.
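The licensePort --show listings in the procedures above (displaying assignments, reserving a license, releasing a port) are what an operator reads to decide whether a reservation will succeed and which held assignments can be reclaimed. The following Python script, an added example rather than Fabric OS code, parses that listing, recomputes the number of free reservations from the provisioned and assigned figures instead of trusting the summary line, and lists assignments held by offline ports (the entries marked with *). The sample listing is reconstructed from the Dynamic POD example in this section; its exact line layout is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# licenseport --show listing, reconstructed from the Dynamic POD example in
# this section (the figures are the guide's; the line layout is assumed).
DYNAMIC_SHOW = """\
switch:admin> licenseport --show
24 ports are available in this switch
Full POD license is installed
Dynamic POD method is in use
24 port assignments are provisioned for use in this switch:
    12 port assignments are provisioned by the base switch license
    12 port assignments are provisioned by a full POD license
8 ports are assigned to installed licenses:
    8 ports are assigned to the base switch license
    0 ports are assigned to the full POD license
Ports assigned to the base switch license:
    1, 2, 5, 6, 8*, 21, 22, 23
Ports assigned to the full POD license:
    None
Ports not assigned to a license:
    0, 3, 4, 7, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20
16 license reservations are still available for use by unassigned ports
1 license assignment is held by an offline port (indicated by *)
"""


@dataclass
class PodState:
    method: str = "unknown"
    ports_available: int = 0
    provisioned: int = 0
    assigned: Dict[str, List[int]] = field(default_factory=dict)  # license -> ports
    unassigned: List[int] = field(default_factory=list)
    offline_held: Set[int] = field(default_factory=set)           # ports marked '*'

    def reservations_available(self) -> int:
        """Free assignments, recomputed from the counts, not read from the summary line."""
        return self.provisioned - sum(len(p) for p in self.assigned.values())


PORT_LIST_RE = re.compile(
    r"^Ports (?:assigned to the (?P<lic>.+?) license|(?P<un>not assigned to a license)):\s*(?P<rest>.*)$")


def _ports(text: str, offline: Set[int]) -> List[int]:
    """Parse '1, 2, 8*' into [1, 2, 8], recording starred (offline) ports."""
    ports = []
    for token in text.split(","):
        token = token.strip()
        if not token or token.lower() == "none":
            continue
        if token.endswith("*"):
            token = token[:-1]
            offline.add(int(token))
        ports.append(int(token))
    return ports


def parse_licenseport_show(output: str) -> PodState:
    state = PodState()
    lines = [ln.strip() for ln in output.splitlines()
             if ln.strip() and not ln.lstrip().startswith("switch:")]
    i = 0
    while i < len(lines):
        line = lines[i]
        if m := re.match(r"^(\d+) ports are available", line):
            state.ports_available = int(m.group(1))
        elif m := re.match(r"^(\d+) port assignments are provisioned for use", line):
            state.provisioned = int(m.group(1))
        elif m := re.match(r"^(\w+) POD method is in use", line):
            state.method = m.group(1).lower()
        elif m := PORT_LIST_RE.match(line):
            rest = m.group("rest")
            if not rest and i + 1 < len(lines):   # port list wrapped onto the next line
                i += 1
                rest = lines[i]
            ports = _ports(rest, state.offline_held)
            if m.group("un"):
                state.unassigned = ports
            else:
                state.assigned[m.group("lic")] = ports
        i += 1
    return state


def can_reserve(state: PodState, port: int) -> bool:
    """licensePort --reserve succeeds if the port already holds an assignment,
    or if it is unassigned and a provisioned assignment is still unused."""
    if any(port in ports for ports in state.assigned.values()):
        return True
    return port in state.unassigned and state.reservations_available() > 0


def reclaimable(state: PodState) -> List[int]:
    """Assignments held by offline ports: releasing one (portDisable, then
    licensePort --release) frees a reservation without dropping a live link."""
    return sorted(state.offline_held)


if __name__ == "__main__":
    st = parse_licenseport_show(DYNAMIC_SHOW)
    print(st.method, "free reservations:", st.reservations_available())
    print("reclaimable:", reclaimable(st), "can reserve port 0:", can_reserve(st, 0))
```

Recomputing the free count rather than reading the "reservations are still available" line means the script also works on listings from the static method, which do not print that line.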

Disabling and enabling switches

By default, the switch is enabled after power is applied and diagnostics and switch initialization routines have finished. You can disable and reenable it as necessary.
To disable a switch:
1. Connect to the switch and log in using an admin account.
2. Enter the switchDisable command.
All Fibre Channel ports on the switch are taken offline. If the switch was part of a fabric, the fabric is reconfigured.
To enable a switch:
1. Connect to the switch and log in using an admin account.
2. Enter the switchEnable command.
All Fibre Channel ports that passed the POST test are enabled. If the switch has interswitch links (ISLs) to a fabric, it joins the fabric.

Disabling and enabling ports

By default, all licensed ports are enabled. You can disable and reenable them as necessary. Ports that you activate with Ports on Demand must be enabled explicitly, as described in "Activating POD" on page 40.
WARNING! The fabric will be reconfigured if the port you are enabling or disabling is connected to another switch. The switch whose port has been disabled will be segmented from the fabric and all traffic flowing between it and the fabric will be lost.
To disable a port:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the following command:
switch:admin> portdisable portnumber
where portnumber is the port number of the port you want to disable.
For 4/256 SAN Director and DC SAN Backbone Director (short name, DC Director), enter the following command:
switch:admin> portdisable slotnumber/portnumber
where slotnumber and portnumber are the slot and port numbers of the port you want to disable.
To enable a port:
1. Connect to the switch and log in using an admin account.
2. Enter the following command:
switch:admin> portenable portnumber
where portnumber is the port number of the port you want to enable.
For 4/256 SAN Director and DC Director, enter the following command:
switch:admin> portenable slotnumber/portnumber
where slotnumber and portnumber are the slot and port numbers of the port you want to enable. (Slots are numbered 1 through 4 and 7 through 10, counting from left to right.)
If the port is connected to another switch, the fabric may be reconfigured. If the port is connected to one or more devices, these devices become available to the fabric.
If you change port configurations during a switch failover, the ports may become disabled. To bring the ports online, re-issue the portEnable command after the failover is complete.

Making basic connections

You can make basic connections to devices and to other switches.
Before connecting a switch to a fabric that contains switches running different firmware versions, you must first set the same PID format on all switches. The presence of different PID formats in a fabric causes fabric segmentation.
For information on PID formats and related procedures, see "Selecting a PID format" on page 447.
For information on configuring the routing of connections, see "Routing traffic" on page 205.
For information on configuring extended interswitch connections, see "Administering Extended Fabrics" on page 361.

Connecting to devices

To minimize port logins, power off all devices before connecting them to the switch. For devices that cannot be powered off, first use the portDisable command to disable the port on the switch, and then connect the device. When powering the devices back on, wait for each device to complete the fabric login before powering on the next one.

Connecting to other switches

See the hardware reference guide for your specific switch for interswitch link (ISL) connection and cable management information. The standard or default ISL mode is L0. ISL mode L0 is a static mode, with the following maximum ISL distances:
10 km at 1 Gbps
5 km at 2 Gbps
2.5 km at 4 Gbps
1.25 km at 8 Gbps
ISL mode L0 is available on all Fabric OS releases. When you upgrade from Fabric OS 5.3.0 to Fabric OS 6.x or later, all extended ISL ports are set automatically to L0 mode.
For information on extended ISL modes, which enable longer distance interswitch links, see "Administering Extended Fabrics" on page 361.

Linking through a gateway

A gateway merges SANs into a single fabric by establishing point-to-point E_Port connectivity between two Fibre Channel switches that are separated by a network with a protocol such as IP or SONET.
Except for link initialization, gateways are transparent to switches; the gateway simply provides E_Port connectivity from one switch to another.
By default, switch ports initialize links using the Exchange Link Parameters (ELP) mode 1. However, gateways expect initialization with ELP mode 2, also referred to as ISL R_RDY mode. Therefore, to enable two switches to link through a gateway, the ports on both switches must be set for ELP mode 2.
Any number of E_Ports in a fabric can be configured for gateway links, provided the following rules are followed:
All switches in the fabric must be upgraded to Fabric OS 5.2.0 or later.
All switches in the fabric must be using the core PID format.
The switches connected to both sides of the gateway are included when determining switch count maximums.
Extended links (those created using the Extended Fabrics licensed feature) are not supported through gateway links, and neither are the Secure Fabric OS security features if you are running a Fabric OS version earlier than 6.x.
To configure a link through a gateway:
1. If you are not sure whether the PID format is consistent across the entire fabric, enter the configShow command on all switches to check the PID setting. If necessary, change the PID format on any nonconforming switches, as described in "Configuring the PID format" on page 463.
2. Connect to the switch on one end of the gateway and log in using an admin account.
2. Connect to the switch on one end of the gateway and log in using an admin account.
3. Enter the portCfgIslMode command that is appropriate for your hardware model:
4/8 SAN Switch, 4/16 SAN Switch, 8/8 SAN Switch, 8/24 SAN Switch, 8/40 SAN Switch, 8/80 SAN Switch, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, and 400 Multi-protocol Router:
portCfgIslMode <port, mode>
Specify a port number. Valid values for the port number vary depending on the switch type. The mode operand is required: specify 1 to enable ISL R_RDY mode (gateway link) or specify 0 to disable it.
4/256 SAN Director and DC SAN Backbone Director (short name, DC Director):
portCfgIslMode <slot/port, mode>
Specify a slot/port number pair. Valid values for slot and port number vary depending on the switch type. The mode operand is required: specify 1 to enable ISL R_RDY mode (gateway link) or specify 0 to disable it.
In the following example, slot 2, port 3 is enabled for a gateway link:
switch:admin> portcfgislmode 2/3, 1
Committing configuration...done.
ISL R_RDY Mode is enabled for port 3. Please make sure the PID formats are consistent across the entire fabric.
switch:admin>
4. Repeat the steps for any additional ports that will be connected to the gateway.
5. Repeat the procedure on the switch at the other end of the gateway.

Checking switch status

This section describes how to verify:
Switch operation
High availability features
Fabric connectivity
Device connectivity
Display switches in Access Gateway mode

Switch operation

To check switch operation:
1. Connect to the switch and log in using an admin account.
2. Enter the switchShow command. This command displays a switch summary and a port summary.
3. Check that the switch and ports are online.
4. Use the switchStatusShow command to further check the status of the switch.

High Availability (HA) features

NOTE: HA features provide maximum reliability and nondisruptive replacement of key hardware and
software modules.
To verify HA features (Directors only):
1. Connect to the switch and log in using an account with the admin role.
2. Enter the chassisShow command to verify the field replaceable units (FRUs).
3. Enter the haShow command to verify that HA is enabled, the heartbeat is up, and that the HA state is synchronized between the active and standby CP blades.
4. Enter the slotShow command to display the inventory and the current status of each slot in the system.

Fabric connectivity

To verify fabric connectivity:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the fabricShow command. This command displays a summary of all the switches in the fabric.
switch:admin> fabricshow
Switch ID   Worldwide Name           Enet IP Addr     FC IP Addr       Name
-------------------------------------------------------------------------
 64: fffc40 10:00:00:60:69:00:06:56 192.168.64.59    192.168.65.59     "sw5"
 65: fffc41 10:00:00:60:69:00:02:0b 192.168.64.180   192.168.65.180   >"sw180"
 66: fffc42 10:00:00:60:69:00:05:91 192.168.64.60    192.168.65.60     "sw60"
 67: fffc43 10:00:00:60:69:10:60:1f 192.168.64.187   0.0.0.0           "sw187"
The Fabric has 4 switches
The > before a switch name marks the principal switch of the fabric.

Device connectivity

To verify device connectivity:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Optional: Enter the switchShow command to verify that devices, hosts, and storage are connected.
3. Optional: Enter the nsShow command to verify that devices, hosts, and storage have successfully registered with the name server.
4. Enter the nsAllShow command to display the 24-bit Fibre Channel addresses of all devices in the fabric.
switch:admin> nsallshow
{
 010e00 012fe8 012fef 030500 030b04 030b08 030b17 030b18 030b1e 030b1f
 040000 050000 050200 050700 050800 050de8 050def 051700 061c00 071a00
 073c00 090d00 0a0200 0a07ca 0a07cb 0a07cc 0a07cd 0a07ce 0a07d1 0a07d2
 0a07d3 0a07d4 0a07d5 0a07d6 0a07d9 0a07da 0a07dc 0a07e0 0a07e1 0a0f01
 0a0f02 0a0f0f 0a0f10 0a0f1b 0a0f1d 0b2700 0b2e00 0b2fe8 0b2fef 0f0000
 0f0226 0f0233 0f02e4 0f02e8 0f02ef 210e00 211700 211fe8 211fef 2c0000
 2c0300 611000 6114e8 6114ef 611600 620800 621026 621036 6210e4 6210e8
 6210ef 621400 621500 621700 621a00
75 Nx_Ports in the Fabric }
switch:admin>
The number of devices listed should reflect the number of devices that are connected.

Show switches in Access Gateway mode

To show switches in Access Gateway mode:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the agShow command.
switch:admin> agshow
Worldwide Name           Ports  Enet IP Addr   Firmware  Local/Remote  Name
------------------------------------------------------------------------
10:00:00:05:1e:02:1d:b0  16     10.32.53.4     v5.2.1    local         ag_01
10:00:00:05:1e:03:4b:e7  24     10.32.60.95    v5.2.1    local         ag_02
10:00:00:05:1e:35:a2:58  20     10.32.53.180   v5.2.1    remote        ag_03
This command displays all the switches in Access Gateway mode in the fabric.

Tracking and controlling switch changes

The track changes feature allows you to keep a record of specific changes that may not be considered switch events, but may provide useful information. The output from the track changes feature is dumped to the system messages log for the switch. Use the errDump or errShow command to view the log.
Items in the log created from the Track changes feature are labeled TRCK.
Trackable changes are:
Successful login
Unsuccessful login
Logout
Configuration file change from task
Track changes on
Track changes off
An SNMP-TRAP mode can also be enabled (see the trackChangesHelp command in the Fabric OS Command Reference).
For troubleshooting information on the track changes feature, see ”Inaccurate information in the system message log” on page 328.
To enable the track changes feature:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the following command to enable the track changes feature:
trackChangesSet 1
A message displays, verifying that the track changes feature is on:
switch:admin> trackchangesset 1
Committing configuration...done.
switch:admin>
3. Use the errDump or errShow command to view the log. Track changes entries look like this:
2004/08/24-08:45:43, [TRCK-1001], 212,, INFO, ras007, Successful login by user admin.
To display the status of the track changes feature:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the trackChangesShow command.
The status of the track changes feature is displayed as either on or off. The display includes whether or not the track changes feature is configured to send SNMP traps.
switch:admin> trackchangesshow
Track changes status: ON
Track changes generate SNMP-TRAP: NO
switch:admin>
To view the switch status policy threshold values:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the switchStatusPolicyShow command.
Whenever there is a switch change, an error message is logged and an SNMP connUnitStatusChange trap is sent.
The output is similar to the following:
switch:admin> switchstatuspolicyshow
The current overall switch status policy parameters:
                 Down  Marginal
----------------------------------
PowerSupplies    3     0
Temperatures     2     1
Fans             2     1
WWN              0     1
CP               0     1
Blade            0     1
Flash            0     1
MarginalPorts    2     1
FaultyPorts      2     1
MissingSFPs      0     0
The policy parameter determines the number of failed or inoperable units for each contributor that will trigger a status change in the switch.
Each parameter can be adjusted so that a specific threshold must be reached before that parameter changes the overall status of a switch to MARGINAL or DOWN. For example, if the FaultyPorts DOWN parameter is set to 3, the status of the switch will change if 3 ports fail. Only one policy parameter needs to pass the MARGINAL or DOWN threshold to change the overall status of the switch.
For more information about setting policy parameters, see the Fabric Watch Administrator’s Guide.
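The threshold logic described above (a contributor whose failed-unit count reaches its DOWN or MARGINAL threshold changes the overall switch status, a threshold of 0 is not used, and a single contributor past its threshold is enough), as an added Python example that is not code from this guide or from Fabric OS. The threshold table is the sample switchStatusPolicyShow output from this section; the failure counts passed in, and the function and constant names, are constructed for illustration.

```python
"""Overall switch status from switchStatusPolicy thresholds (added example,
not Fabric OS code)."""
from typing import Dict, List, Tuple

# (DOWN, MARGINAL) thresholds per contributor, copied from the sample
# switchStatusPolicyShow output above. A threshold of 0 means that threshold
# is not used in the calculation; (0, 0) takes the contributor out entirely.
SAMPLE_POLICY: Dict[str, Tuple[int, int]] = {
    "PowerSupplies": (3, 0),
    "Temperatures": (2, 1),
    "Fans": (2, 1),
    "WWN": (0, 1),
    "CP": (0, 1),
    "Blade": (0, 1),
    "Flash": (0, 1),
    "MarginalPorts": (2, 1),
    "FaultyPorts": (2, 1),
    "MissingSFPs": (0, 0),
}

RANK = {"HEALTHY": 0, "MARGINAL": 1, "DOWN": 2}


def contributor_status(failed: int, down: int, marginal: int) -> str:
    """Status one contributor votes for, given its failed/inoperable unit count."""
    if down and failed >= down:
        return "DOWN"
    if marginal and failed >= marginal:
        return "MARGINAL"
    return "HEALTHY"


def overall_status(policy: Dict[str, Tuple[int, int]],
                   failures: Dict[str, int]) -> Tuple[str, List[str]]:
    """Worst contributor status wins: one parameter past a threshold is enough
    to change the overall switch status. Returns (status, reasons)."""
    worst = "HEALTHY"
    reasons: List[str] = []
    for name, (down, marginal) in policy.items():
        count = failures.get(name, 0)
        status = contributor_status(count, down, marginal)
        if status != "HEALTHY":
            reasons.append(f"{name}: {count} failed -> {status}")
        if RANK[status] > RANK[worst]:
            worst = status
    return worst, reasons


def parse_policy_show(output: str) -> Dict[str, Tuple[int, int]]:
    """Parse the table part of switchStatusPolicyShow output into thresholds.
    Rows look like 'FaultyPorts 2 1'; header and separator lines are skipped."""
    policy: Dict[str, Tuple[int, int]] = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1].isdigit() and parts[2].isdigit():
            policy[parts[0]] = (int(parts[1]), int(parts[2]))
    return policy


if __name__ == "__main__":
    # Constructed failure counts: one faulty port and three missing SFPs.
    # MissingSFPs is (0, 0) in the sample policy, so only the port counts.
    print(overall_status(SAMPLE_POLICY, {"FaultyPorts": 1, "MissingSFPs": 3}))
```

The parser lets the same evaluation run against thresholds captured from a real switch, so a monitoring job can confirm that its own idea of the status matches what the policy will report before an SNMP connUnitStatusChange trap arrives.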
To set the switch status policy threshold values:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the switchStatusPolicySet command.
The current switch status policy parameter values are displayed. You are prompted to enter values for each DOWN and MARGINAL threshold parameter.
By setting the DOWN and MARGINAL values for a parameter to 0,0 that parameter is no longer used in setting the overall status for the switch.
3. Verify the threshold settings you have configured for each parameter.
Enter the switchStatusPolicyShow command to view your current switch status policy configuration.
HP StorageWorks 4/8 SAN Switch and 4/16 SAN Switch, 8/8 SAN Switch, 8/24 SAN Switch, 8/40 SAN Switch, 8/80 SAN Switch, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 400 Multi-protocol Router:
switch:admin> switchstatuspolicyset
To change the overall switch status policy parameters
The current overall switch status policy parameters:
                 Down  Marginal
----------------------------------
PowerSupplies    2     1
Temperatures     2     1
Fans             2     1
Flash            0     1
MarginalPorts    2     1
FaultyPorts      2     1
MissingSFPs      0     0
Note that the value, 0, for a parameter, means that it is NOT used in the calculation.
** In addition, if the range of settable values in the prompt is (0..0),
** the policy parameter is NOT applicable to the switch.
** Simply hit the Return key.
Bad PowerSupplies contributing to DOWN status: (0..2) [2] 0
Bad PowerSupplies contributing to MARGINAL status: (0..2) [1] 0
Bad Temperatures contributing to DOWN status: (0..6) [2] 0
Bad Temperatures contributing to MARGINAL status: (0..6) [1] 0
Bad Fans contributing to DOWN status: (0..3) [2] 0
Bad Fans contributing to MARGINAL status: (0..3) [1] 0
Out of range Flash contributing to DOWN status: (0..1) [0] 0
Out of range Flash contributing to MARGINAL status: (0..1) [1] 0
MarginalPorts contributing to DOWN status: (0..32) [2] 0
MarginalPorts contributing to MARGINAL status: (0..32) [1] 0
FaultyPorts contributing to DOWN status: (0..32) [2] 0
FaultyPorts contributing to MARGINAL status: (0..32) [1] 0
MissingSFPs contributing to DOWN status: (0..32) [0] 0
MissingSFPs contributing to MARGINAL status: (0..32) [0] 0
Policy parameter set has been changed
rint12:admin>
4/256 SAN Director and DC SAN Backbone Director (short name, DC Director): Command output includes parameters related to CP blades.

Configuring the audit log

When managing SANs, you may want to filter, or audit certain classes of events to ensure that you can view and generate an audit log for what is happening on a switch, particularly for security-related event changes if you are running a Fabric OS version earlier than 6.x. These events include login failures, zone configuration changes, firmware downloads, and other configuration changes—in other words—critical changes that have a serious effect on the operation and security of the switch.
Important information related to event classes is also tracked and made available. For example, you can track changes from an external source by the user name, IP address, or type of management interface used to access the switch.
Auditable events are generated by the switch and streamed to an external host through a configured system message log daemon (syslog). You specify a filter on the output to select the event classes that are sent through the system message log. The filtered events are streamed chronologically and sent to the system message log on an external host in the specified audit message format. This ensures that they can be easily distinguished from other system message log events that occur in the network. Then, at some regular interval of your choosing, you can review the audit events to look for unexpected changes.
Before you configure audit event logging, familiarize yourself with the following audit event log behaviors and limitations:
By default, all event classes are configured for audit; to create an audit event log for specific events, you must explicitly set a filter with the class operand and then enable it.
Audited events are generated specific to a switch and have no negative impact on performance.
If you are running Fabric OS versions earlier than 6.x, all Secure Fabric OS events are audited.
Events are not persistently stored on the switch but are streamed to a system message log.
The audit log depends on the system message log facility and IP network to send messages from the switch to a remote host. Because the audit event log configuration has no control over these facilities, audit events can be lost if the system message log and IP network facilities fail.
If too many events are generated by the switch, the system message log will become a bottleneck and audit events will be dropped by the Fabric OS.
If the user name, IP address, or user interface is not transported, an audit message is logged by adding the message None to each of the respective fields.
For High Availability, the audit event logs exist independently on both active and standby CPs. The configuration changes that occur on the active CP are propagated to the standby CP and take effect.
Audit log configuration is updated through a configuration download.
See the Fabric OS Command Reference for more information about the auditCfg command and command syntax.

Auditable event classes

You configure the audit log using the auditCfg command. Before configuring an audit log, you must select the event classes you want audited. When enabled, the audit log feature audits any RASLog messages (system message log) previously tagged as AUDIT in Fabric OS 6.x. The audit log includes:
SEC-3001 through SEC-3017
SEC-3024 through SEC-3029
ZONE-3001 through ZONE-3012
Table 5 identifies auditable event classes and auditCfg operands used to enable auditing of a specific class.
Table 5 AuditCfg event class operands
Operand  Event class    Description
1        Zone           Audit zone event configuration changes, but not the actual values that
                        were changed. For example, a message may state, “Zone configuration has
                        changed,” but the syslog does not display the actual values that were changed.
2        Security       Audit any user-initiated security events for all management interfaces. For
                        events that have an impact on an entire fabric, an audit is generated only for
                        the switch from which the event was initiated.
3        Configuration  Audit configuration downloads of existing SNMP configuration parameters.
                        Configuration uploads are not audited.
4        Firmware       Audit firmware download start, firmware complete, and any other errors
                        encountered during a firmware download.
5        Fabric         Audit administrative domain-related changes.
NOTE: Only the active CP can generate audit messages because event classes being audited occur only on the active CP. Audit messages cannot originate from other blades in a Director.
Audit events have the following message format:
AUDIT, <Timestamp>, [<Event ID>], <Severity>, <Event Class>, <User ID>/<Role>/<IP address>/<Interface>,<Admin Domain>/<Switch name>,<Reserved>,<Event-specific information>
Switch names are logged for switch components and Director names for Director components. For example, a Director name may be FWDL or RAS and a switch component name may be zone, name server, or SNMP.
Pushed messages contain the administration domain of the entity that generated the event. See the Fabric OS Message Reference for details on message formats. See ”Working with Diagnostic Features” on page 285 for details on setting up the system error log daemon.
Audit logging assumes that your syslog is operational and running. Before configuring an audit log, you must perform the following steps to ensure that the host syslog is operational.
To verify host syslog prior to configuring the audit log:
1. Set up an external host machine with a system message log daemon running to receive the audit events that will be generated.
2. On the switch where the audit configuration is enabled, enter the syslogdipaddrAdd command to add the IP address of the host machine so that it can receive the audit events. You can use IPv4, IPv6, or DNS names for the syslogdipaddrAdd command.
3. Ensure the network is configured with a network connection between the switch and the remote host.
4. Check the host SYSLOG configuration. If all error levels are not configured, you may not see some of the audit messages.
To configure an audit log for specific event classes:
1. Connect to the switch from which you wish to generate an audit log and log in using an account
assigned to the admin role.
2. Enter the auditCfg --class command, which defines the specific event classes to be filtered. The auditCfg event class operands are identified in Table 5.
switch:admin> auditcfg --class 2,4
Audit filter is configured.
3. Enter the auditCfg --enable command, which enables audit event logging based on the classes configured in step 2.
switch:admin> auditcfg --enable
Audit filter is enabled.
To disable an audit event configuration, enter the auditCfg --disable command.
4. Enter the auditCfg --show command to view the filter configuration and confirm that the correct event classes are being audited, and the correct filter state appears (enabled or disabled).
switch:admin> auditcfg --show
Audit filter is enabled.
2-SECURITY
4-FIRMWARE
5. To verify the audit event log setup, make a change affecting an enabled event class, and confirm that the remote host machine receives the audit event messages. The following example shows the SYSLOG (system message log) output for audit logging.
Jun 2 08:33:04 [10.32.220.7.2.2] raslogd: AUDIT, 2006/06/02-15:25:53, [SULB-1003], INFO, FIRMWARE, root/root/NONE/console/CLI, ad_0/ras007_chassis, , Firmwarecommit has started.
Jun 5 06:45:33 [10.32.220.70.2.2] raslogd: AUDIT, 2006/06/05-13:38:17, [CONF-1010], INFO, CONFIGURATION, root/root/NONE/console/CLI, ad_0/ras070, , configDownload failed
Jun 5 08:15:32 [10.32.248.73.2.2] raslogd: AUDIT, 2006/06/05-13:38:17, [SEC-1000], WARNING, SECURITY, JaneDoe/root/192.168.132.19/telnet, Domain A/DoeSwitch, , Incorrect password during login attempt.
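The AUDIT message format given above and the three sample syslog lines, together with the TRCK entry shown under ”Tracking and controlling switch changes”, as an added Python example that is not code from this guide or from Fabric OS. It parses both record types from the text printed in this chapter and counts WARNING-severity SECURITY audit events per source IP, which is the kind of check a syslog host can run over the stream at the review interval the section recommends. The dataclass and function names are my own; the sample records are the ones shown in this chapter.

```python
"""Parse Fabric OS AUDIT syslog lines and TRCK RASLog entries (added example,
not Fabric OS code). Field order follows the AUDIT message format documented
above; the sample records are the ones printed in this chapter."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Sample records copied from this chapter: three AUDIT lines as received by the
# syslog host and one TRCK line as shown by errDump.
SAMPLE_LINES = [
    "Jun 2 08:33:04 [10.32.220.7.2.2] raslogd: AUDIT, 2006/06/02-15:25:53, [SULB-1003], INFO, "
    "FIRMWARE, root/root/NONE/console/CLI, ad_0/ras007_chassis, , Firmwarecommit has started.",
    "Jun 5 06:45:33 [10.32.220.70.2.2] raslogd: AUDIT, 2006/06/05-13:38:17, [CONF-1010], INFO, "
    "CONFIGURATION, root/root/NONE/console/CLI, ad_0/ras070, , configDownload failed",
    "Jun 5 08:15:32 [10.32.248.73.2.2] raslogd: AUDIT, 2006/06/05-13:38:17, [SEC-1000], WARNING, "
    "SECURITY, JaneDoe/root/192.168.132.19/telnet, Domain A/DoeSwitch, , Incorrect password during login attempt.",
    "2004/08/24-08:45:43, [TRCK-1001], 212,, INFO, ras007, Successful login by user admin.",
]

_AUDIT_BODY = re.compile(r"raslogd: AUDIT,\s*(.*)$")
_EVENT_ID = re.compile(r"\[([A-Z]+-\d+)\]")


@dataclass
class AuditEvent:
    timestamp: str
    event_id: str
    severity: str
    event_class: str
    user: str
    role: str
    ip: str
    interface: str
    admin_domain: str
    switch: str
    info: str


@dataclass
class TrackEvent:
    timestamp: str
    event_id: str
    severity: str
    switch: str
    info: str


def parse_audit(line: str) -> Optional[AuditEvent]:
    """AUDIT, <Timestamp>, [<Event ID>], <Severity>, <Event Class>,
    <User ID>/<Role>/<IP address>/<Interface>, <Admin Domain>/<Switch name>,
    <Reserved>, <Event-specific information>. Returns None for other lines."""
    m = _AUDIT_BODY.search(line)
    if not m:
        return None
    fields = [f.strip() for f in m.group(1).split(",", 7)]  # info may contain commas
    if len(fields) != 8:
        return None
    ts, eid, severity, event_class, identity, domain_switch, _reserved, info = fields
    idm = _EVENT_ID.fullmatch(eid)
    parts = identity.split("/", 3)  # interface may itself contain '/', e.g. console/CLI
    if not idm or len(parts) != 4:
        return None
    domain, _, switch = domain_switch.partition("/")
    return AuditEvent(ts, idm.group(1), severity, event_class, *parts, domain, switch, info)


def parse_track(line: str) -> Optional[TrackEvent]:
    """RASLog entry from errDump: <Timestamp>, [TRCK-nnnn], <seq>,, <Severity>, <Switch>, <Message>."""
    fields = [f.strip() for f in line.split(",", 6)]
    if len(fields) != 7:
        return None
    ts, eid, _seq, _unused, severity, switch, info = fields
    idm = _EVENT_ID.fullmatch(eid)
    if not idm or not idm.group(1).startswith("TRCK-"):
        return None
    return TrackEvent(ts, idm.group(1), severity, switch, info)


def security_warnings_by_ip(lines: Iterable[str]) -> Dict[str, int]:
    """Count SECURITY-class AUDIT events at WARNING severity per source IP,
    e.g. the failed login attempt in the sample above."""
    hits: Counter = Counter()
    for line in lines:
        ev = parse_audit(line)
        if ev and ev.event_class == "SECURITY" and ev.severity == "WARNING":
            hits[ev.ip] += 1
    return dict(hits)
```

Because the switch writes None into the user, IP, or interface field when that information is not transported (see the behaviours listed earlier in this section), a report keyed on ip should treat the literal value NONE as unknown rather than as a host.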

Shutting down switches and Directors

To avoid corrupting your file system, HP recommends that you perform graceful shutdowns of switches and Directors. The following procedure describes how to gracefully shut down a switch.
To power off a switch:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the sysShutdown command.
3. At the prompt, enter y.
switch:admin> sysshutdown
This command will shutdown the operating systems on your switch.
You are required to power-cycle the switch in order to restore operation.
Are you sure you want to shutdown the switch [y/n]?y
4. Wait until the following message displays:
Broadcast message from root (ttyS0) Wed Jan 25 16:12:09 2006...
The system is going down for system halt NOW !!
INIT: Switching to runlevel: 0
INIT: Sending processes the TERM signal
Unmounting all filesystems.
The system is halted
flushing ide devices: hda
Power down.
5. Power off the switch.
To power off a Director:
1. From the active CP in a dual CP platform, enter the sysShutdown command.
When the sysShutdown command is issued on the active CP, the active CP, the standby CP, and any AP blades are all shut down.
2. At the prompt, enter y.
3. Wait until you see the following message:
2006/01/25-17:01:40, [FSSM-1003], 194,, WARNING, NANDU, HA State out of sync
HA is disabled
Broadcast message from root (ttyS0) Wed Jan 25 17:01:41 2006...
The system is going down for system halt NOW !!
INIT: Switching to runlevel: 0
INIT: Sending processes the TERM signal
Unmounting all filesystems.
The system is halted
flushing ide devices: hda
Power down.
4. Power off the switch.

High Availability of daemon processes

Fabric OS 6.x supports automatic restart of non-critical daemons. These non-critical daemons are started automatically; you cannot configure the startup process. The following sequence of events occurs when a non-critical daemon fails:
1. When a non-critical daemon fails or dies, a RASLog and AUDIT event message is logged.
2. The daemon is automatically started again.
3. If the restart is successful, then another message is sent to RASLog and AUDIT reporting the successful restart status.
4. If the restart fails, another message is sent to RASLog and no further attempts are made to restart the daemon.
Schedule downtime and reboot the switch at your convenience. Table 6 lists the daemons that are considered non-critical and are automatically restarted on failure.

Table 6 Daemons that are automatically restarted

Daemon   Description
Arrd     Asynchronous Response Router (used to send management data to hosts when the switch is accessed through the APIs (FA API or SMI-S)).
Cald     Common Access Layer Daemon (used by Manageability Applications).
Evmd     Event Monitor Daemon (used by port and switch SCNs, firmwareDownload, and configDownload).
Raslogd  Remote Access Service Log Daemon logs error detection, reporting, handling, and presentation of data into a format readable by management tools and the user.
Rpcd     Remote Procedure Call daemon used by the API (Fabric Access API and SMI-S).
Snmpd    Simple Network Management Protocol Daemon.
Traced   Trace Daemon. Provides trace entry date/time translation to Trace Device at startup and when date/time changed by command. Maintains the trace dump trigger parameters in a Trace Device. Performs the trace Background Dump, trace automatic FTP, and FTP “aliveness check” if auto-FTP is enabled.
Trackd   Track Changes Daemon.
Webd     Webserver daemon used for Web Tools (includes httpd as well).

2 Managing user accounts

This chapter provides information and procedures on managing authentication and user accounts for the switch management channel.

Overview

In addition to the default accounts—root, factory, admin, and user—Fabric OS supports up to 252 additional user-defined accounts in each logical switch (domain). These accounts expand your ability to track account access and audit administrative activities.
Each user-defined account is associated with the following:
Admin Domain list—Specifies what Admin Domains a user account is allowed to log in to.
Home Admin Domain—Specifies the Admin Domain that the user is logged in to by default. The home Admin Domain must be a member of the user’s Admin Domain list.
Role—Determines functional access levels within the bounds of the user’s current Admin Domain.
Fabric OS provides three options for authenticating users—remote RADIUS services, remote LDAP service, and the local switch user database. All options allow users to be centrally managed using the following methods:
Remote RADIUS servers—Users are managed in a remote RADIUS server. All switches in the fabric can be configured to authenticate against the centralized remote database.
Remote LDAP servers—Users are managed in a remote LDAP server. All switches in the fabric can be configured to authenticate against the centralized remote database.
Local user database—Users are managed using the local user database. The local user database is manually synchronized using the distribute command to push a copy of the switch’s local user database to all other Fabric OS 5.3.0 and later switches in the fabric.

Accessing the management channel

The total number of sessions on a switch may not exceed 32. Table 7 shows the number of simultaneous login sessions allowed for each role. The roles are listed in alphabetical order, which does not reflect their importance.
Table 7 Maximum number of simultaneous sessions
Role name Maximum sessions
Admin 2
BasicSwitchAdmin 4
FabricAdmin 4
Operator 4
SecurityAdmin 4
SwitchAdmin 4
User 4
ZoneAdmin 4

Using Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) defines the capabilities that a user account has based on the role the account has been assigned. For each role, there is a set of pre-defined permissions on the jobs and tasks that can be performed on a fabric and its associated fabric elements. Fabric OS 6.1.x uses RBAC to determine which commands a user can issue.
When you log in to a switch, your user account is associated with a pre-defined role. The role that your account is associated with determines the level of access you have on that switch and in the fabric. Table 8 outlines the Fabric OS predefined roles.
Table 8 Fabric OS 6.1.x roles
Role name         Fabric OS version  Duties                            Description
Admin             All                All administration                All administrative commands.
BasicSwitchAdmin  5.2.0 and later    Restricted switch administration  Mostly monitoring with limited switch (local) commands.
FabricAdmin       5.2.0 and later    Fabric and switch administration  All switch and fabric commands, excludes user management and Administrative Domains commands.
Operator          5.2.0 and later    General switch administration     Routine switch maintenance commands.
SecurityAdmin     5.3.0 and later    Restricts security functions      All switch security and user management functions.
SwitchAdmin       5.0.0 and later    Local switch administration       Most switch (local) commands, excludes security, user management, and zoning commands.
User              All                Monitoring only                   Nonadministrative use, such as monitoring system activity.
ZoneAdmin         5.2.0 and later    Zone administration               Zone management commands only.
You can perform these operations only on the primary FCS switch.
For legacy users with no Admin Domain specified, the user will have access to AD 0 through 255 (physical fabric admin) if their current role is Admin; otherwise, the user will have access to AD0 only.
If some Admin Domains have been defined for the user and all of them are inactive, the user will not be allowed to log in to any switch in the fabric.
If no Home Domain is specified for a user, the system provides a default home domain. The default home domain for the predefined account is AD0. For user-defined accounts, the default home domain is the Admin Domain in the user’s Admin Domain list with the lowest ID.

Role permissions

Table 9 describes the types of permissions that are assigned to roles.
Table 9 Permission types
Abbreviation  Definition          Description
O             Observe             The user can run commands using options that display information only, such as running userConfig --show -a to show all users on a switch.
M             Modify              The user can run commands using options that create, change, and delete objects on the system, such as running userconfig --change username -r rolename to change a user’s role.
OM            Observe and modify  The user can run commands using both observe and modify options; if a role has modify permissions, it almost always has observe.
N             None                The user is not allowed to run commands in a given category.
Table 10 shows the permission type for categories of commands that each role is assigned. The permissions apply to all commands within the specified category. For a complete list of commands and role permissions, see the Fabric OS Command Reference.
Table 10 RBAC permissions matrix
Role permission columns, left to right: User, Operator, Switch admin, Zone admin, Fabric admin, Basic switch admin, Admin, Security admin.
Category                            User  Oper  SwAdm  ZnAdm  FabAdm  BscSwAdm  Admin  SecAdm
Admin Domains                       N     N     N      N      N       N         OM     O
Admin Domains—Selection             OM    OM    OM     OM     OM      OM        OM     OM
Access Gateway                      O     OM    OM     O      OM      O         OM     N
APM                                 O     O     OM     N      OM      O         OM     N
Audit                               O     O     O      O      O       O         OM     OM
Authentication                      N     N     N      N      N       N         OM     OM
Blade                               O     OM    OM     N      OM      O         OM     N
Chassis Configuration               O     OM    OM     N      OM      O         OM     N
Configuration Management            N     O     O      O      O       O         OM     O
Data Migration Manager              N     N     N      N      N       N         OM     N
Debug                               N     N     N      N      N       N         N      N
Diagnostics                         O     OM    OM     N      OM      O         OM     N
Ethernet Configuration              O     O     OM     N      OM      O         OM     N
Fabric                              O     O     O      O      OM      O         OM     O
Fabric Distribution                 N     N     N      N      OM      N         OM     OM
Fabric Routing                      O     O     O      O      OM      O         OM     N
Fabric Watch                        O     OM    OM     N      OM      O         OM     N
FICON                               O     OM    OM     N      OM      O         OM     N
Firmware Management                 O     OM    OM     O      OM      O         OM     O
FRU Management                      O     OM    OM     N      OM      O         OM     N
HA (High Availability)              O     O     OM     N      OM      O         OM     O
iSCSI                               O     O     O      O      OM      O         OM     N
License                             O     OM    OM     O      OM      O         OM     O
LDAP                                N     N     N      N      N       N         OM     OM
Local User Environment              OM    OM    OM     OM     OM      OM        OM     OM
Logging                             O     OM    OM     O      OM      O         OM     OM
Management Access Configuration     O     OM    OM     N      OM      O         OM     N
Management Server                   O     OM    OM     O      OM      O         OM     N
Name Server                         O     O     OM     O      OM      O         OM     N
Nx_Port Management                  O     M     OM     N      OM      O         OM     N
Physical Computer System            O     O     O      O      O       O         O      O
PKI                                 O     O     O      N      O       O         OM     OM
Port Mirroring                      N     N     N      N      N       N         OM     N
QOS                                 O     OM    OM     O      OM      OM        OM     O
RADIUS                              N     N     N      N      N       N         OM     OM
Routing—Advanced                    O     O     O      N      OM      O         OM     N
Routing—Basic                       O     OM    OM     O      OM      O         OM     N
Security                            O     N     O      N      OM      O         OM     OM
Session Management                  O     OM    OM     N      OM      OM        OM     OM
SNMP                                O     O     OM     N      OM      O         OM     OM
Statistics                          O     OM    OM     N      OM      O         OM     N
Statistics—Device                   O     OM    OM     N      OM      O         OM     N
Statistics—Port                     O     OM    OM     N      OM      O         OM     N
Switch Configuration                O     OM    OM     N      OM      O         OM     OM
Switch Management                   O     OM    OM     O      OM      O         OM     O
Switch Management—IP Configuration  O     OM    OM     N      OM      O         OM     OM
Switch Port Configuration           O     OM    OM     N      OM      OM        OM     N
Switch Port Management              O     OM    OM     O      OM      OM        OM     O
Topology                            O     O     O      N      OM      O         OM     N
User Management                     N     N     N      N      N       N         OM     OM
WWN Card                            O     OM    OM     N      OM      N         OM     N
Zoning                              O     O     O      OM     OM      O         OM     O
Set the authentication model on each switch. Refer to ”Authentication model” on page 67 for more information.
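Table 10 expressed as a lookup, as an added Python example that is not code from this guide or from Fabric OS. It encodes a subset of the matrix rows shown above (Audit, Authentication, Debug, Firmware Management, LDAP, Port Mirroring, RADIUS, Security, Switch Configuration, User Management, Zoning), answers whether a role may observe or modify in a category, lists the roles that can modify a category, and picks the narrowest predefined role that covers a set of required actions, which is the question to ask before handing out Admin by default. The function names are my own.

```python
"""Least-privilege check against the Fabric OS RBAC matrix (added example,
not Fabric OS code). Rows are copied from Table 10 for a subset of categories."""
from typing import Dict, List, Tuple

ROLES = ("User", "Operator", "SwitchAdmin", "ZoneAdmin", "FabricAdmin",
         "BasicSwitchAdmin", "Admin", "SecurityAdmin")

# Permission per role, in ROLES order: O = observe, M = modify, OM = both, N = none.
MATRIX: Dict[str, Tuple[str, ...]] = {
    "Audit":                ("O", "O", "O", "O", "O", "O", "OM", "OM"),
    "Authentication":       ("N", "N", "N", "N", "N", "N", "OM", "OM"),
    "Debug":                ("N", "N", "N", "N", "N", "N", "N", "N"),
    "Firmware Management":  ("O", "OM", "OM", "O", "OM", "O", "OM", "O"),
    "LDAP":                 ("N", "N", "N", "N", "N", "N", "OM", "OM"),
    "Port Mirroring":       ("N", "N", "N", "N", "N", "N", "OM", "N"),
    "RADIUS":               ("N", "N", "N", "N", "N", "N", "OM", "OM"),
    "Security":             ("O", "N", "O", "N", "OM", "O", "OM", "OM"),
    "Switch Configuration": ("O", "OM", "OM", "N", "OM", "O", "OM", "OM"),
    "User Management":      ("N", "N", "N", "N", "N", "N", "OM", "OM"),
    "Zoning":               ("O", "O", "O", "OM", "OM", "O", "OM", "O"),
}


def permission(role: str, category: str) -> str:
    """Permission abbreviation from Table 10 for a role/category pair."""
    return MATRIX[category][ROLES.index(role)]


def is_allowed(role: str, category: str, action: str) -> bool:
    """True if the role may perform 'observe' or 'modify' in the category."""
    perm = permission(role, category)
    if action == "observe":
        return "O" in perm
    if action == "modify":
        return "M" in perm
    raise ValueError(f"unknown action {action!r}")


def roles_that_can_modify(category: str) -> List[str]:
    """Which roles can change objects in a category; useful when reviewing
    account assignments for least privilege."""
    return [r for r in ROLES if is_allowed(r, category, "modify")]


def least_privileged_role(required: Dict[str, str]) -> str:
    """Pick a role that satisfies every (category -> action) requirement,
    preferring the role that can modify the fewest categories overall."""
    def breadth(role: str) -> int:
        return sum(1 for c in MATRIX if is_allowed(role, c, "modify"))
    candidates = [r for r in ROLES
                  if all(is_allowed(r, c, a) for c, a in required.items())]
    if not candidates:
        raise LookupError("no predefined role satisfies these requirements")
    return min(candidates, key=breadth)


if __name__ == "__main__":
    # A zoning operator needs to change zones and read firmware state.
    print(least_privileged_role({"Zoning": "modify", "Firmware Management": "observe"}))
```

The breadth tie-breaker only counts the categories encoded here; extend MATRIX with the remaining rows of Table 10 before relying on it for a full role review.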

Managing the local database user accounts

User add, change, and delete operations are subject to the subset rule: an admin with ADlist 0-10 cannot perform operations on an admin, user, or any role with an ADlist 11-25. The user account being changed must have an ADlist that is a subset of the account that is making the change.

About the default accounts

Fabric OS provides the following predefined accounts in the local switch user database. The password for all default accounts should be changed during the initial installation and configuration for each switch.
Table 11 lists default local user accounts.
Table 11 Default local user accounts
Account name  Role     Admin domain      Description
admin         Admin    AD0-255, home: 0  Most commands have observe-modify permission.
factory       Factory  AD0-255, home: 0  Reserved.
root          Root     AD0-255, home: 0  Reserved.
user          User     AD0, home: 0      Most commands have observe-only permission.

Defining local user accounts

In addition to the default administrative and user accounts, Fabric OS supports up to 252 user-defined accounts in each logical switch (domain). These accounts expand your ability to track account access and audit administrative activities.
The following procedures can be performed on local user accounts. Administrators can act on other accounts only if that account has an Admin Domain list that is a subset of the administrator’s.
To display account information:
1. Connect to the switch and log in using an admin account.
2. Enter the appropriate show operands for the account information you want to display:
userConfig --show -a to show all account information for a logical switch
userConfig --show -b to show all backup account information for a logical switch
userConfig --show username to show account information for the specified account
userConfig --showad -a admindomain_ID to show all accounts permitted to select the specified admindomain_ID
To create an account:
1. Connect to the switch and log in using an admin account.
2. Enter the following command:
userConfig --add <username> -r <rolename> [-h <admindomain_ID>] [-a <admindomain_ID_list>] [-d <description>] [-x]
username Specifies the account name, which must begin with an alphabetic character. The name can be from 8 to 40 characters long. It is case-sensitive and can contain alphabetic and numeric characters, the period (.) and the underscore ( _ ). It must be different from all other account names on the logical switch. The account name cannot be the same as a role name.
-r rolename Specifies the role: User, SwitchAdmin, ZoneAdmin, FabricAdmin, BasicSwitchAdmin, Operator, or Admin in nonsecure mode; in secure mode you can also use NonfcsAdmin.
-h admindomain_ID Optional: Specifies the home Administrative Domain; if no Administrative Domain is specified, then the lowest numbered Administrative Domain in the list is assigned.
-a admindomain_ID_list Optional: Specifies which Administrative Domains the user may access; if no Administrative Domains are listed, the user is automatically assigned to AD0. Use comma-separated lists, ranges, or both for example -a 0,9,10-15,244.
-d description Optional: Adds a description to the account. The description field can be up to 40 printable ASCII characters long. The following characters are not allowed: asterisk (*), single quotation mark (‘), quotation mark (“), exclamation point (!), semicolon (;), and colon (:).
-x Specifies an expired password that must be changed the first time the user logs in.
3. In response to the prompt, enter a password for the account.
The password is not displayed when you enter it on the command line.
To delete an account:
1. Connect to the switch and log in using an admin account.
2. Enter the following command:
userConfig --delete username
where username specifies the account name. You cannot delete the default accounts. An account cannot delete itself. All active CLI sessions for the deleted account are logged out.
3. At the prompt for confirmation, enter y.
To change account parameters:
When changing account parameters, if you change the ADlist for the user account, all of the currently active sessions for that account will be logged out.
1. Connect to the switch and log in using an admin account.
2. Enter the following command:
userconfig --change username [-r rolename] [-h admindomain_ID] [-a admindomain_ID_list] [-d description] [-e yes | no] -u -x
username Specifies the account for which parameters are being changed.
-r rolename Changes the role to one of the names listed in Table 8 on page 56. In secure mode, the role can also be changed to the nonfcsadmin role. An account cannot change its own role. An account with the Admin role can change the role names of all user-defined accounts except those with Admin roles.
-h admindomain_ID Optional: Changes the home Administrative Domain; if no Administrative Domain is specified, then the lowest numbered Administrative Domain in the list is assigned.
-a admindomain_ID_list Optional: Changes which Administrative Domains the user may access; if no Administrative Domains are listed, the user is automatically assigned to AD0. Use comma-separated lists, ranges, or both, for example -a 0,9,10-15,244.
-d description Optional: Changes the description to the account. The description field can be up to 40 printable ASCII characters long. The following characters are not allowed: asterisk (*), single quotation mark (‘), quotation mark (“), exclamation point (!), semicolon (;), and colon (:).
-e Optional: Enables or disables the account. Enter yes to enable the account or no to disable it. If you disable an account, all active CLI sessions for that account are logged out. You can enable or disable user-defined or default accounts.
-u Unlocks the user account.
-x Specifies an expired password that must be changed the first time the user logs in.
To add an Administrative Domain to the account:
1. Connect to the switch and log in using an admin account.
2. Enter the following command:
userConfig --addad <username> [-h <admindomain_ID>] [-a <admindomain_ID_list>]
where <username> is the account to which the Administrative Domain is being added (the account must already exist), <admindomain_ID> is the home Administrative Domain, and <admindomain_ID_list> is the list of Administrative Domains to add to the existing list.
3. Log in to the switch again to verify access to the newly added Admin Domain.
To remove an Administrative Domain from the account:
When removing an Admin Domain from an account, all of the currently active sessions for that account will be logged out.
1. Connect to the switch and log in using an admin account.
2. Enter the following command:
userConfig --deletead <username> [-h <admindomain_ID>] [-a <admindomain_ID_list>]
where <username> is the account from which the Admin Domain is being removed (the account must already exist), <admindomain_ID> is the home Admin Domain, and <admindomain_ID_list> is the Admin Domain list to be removed from the existing list. If the -h argument is not specified, the home Admin Domain will either remain as it was or will be the lowest Admin Domain ID in the remaining list.
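The userConfig --add operand rules (account name length and character set, forbidden description characters, comma-separated and ranged -a lists, the home domain defaulting to the lowest ID in the list) and the subset rule stated at the start of ”Managing the local database user accounts”, as an added Python example that is not code from this guide or from Fabric OS. It checks a proposed account against those rules before an administrator runs the command, so a request that the switch would reject, or that would hand an account domains the requesting admin does not hold, is caught first. The account names and ADlists it is fed are constructed, and validate_add and the other helper names are my own.

```python
"""Validate userConfig --add parameters and enforce the ADlist subset rule
(added example, not Fabric OS code). Rules are taken from the operand
descriptions and the subset rule in this chapter; sample accounts are constructed."""
import re
from typing import FrozenSet, List, Optional, Set

ROLE_NAMES = {"User", "SwitchAdmin", "ZoneAdmin", "FabricAdmin",
              "BasicSwitchAdmin", "Operator", "Admin", "SecurityAdmin"}
# Begins with a letter; 8 to 40 characters of letters, digits, '.' or '_'.
_USERNAME = re.compile(r"^[A-Za-z][A-Za-z0-9._]{7,39}$")
# Characters the -d description operand does not allow.
_FORBIDDEN_DESC = set("*'\"!;:")


def parse_adlist(spec: str) -> Set[int]:
    """Expand an Admin Domain list such as '0,9,10-15,244' into a set of IDs."""
    ids: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, sep, hi = item.partition("-")
        start = int(lo)
        end = int(hi) if sep else start
        if not (0 <= start <= end <= 255):
            raise ValueError(f"bad Admin Domain range: {item!r}")
        ids.update(range(start, end + 1))
    return ids


def username_error(name: str, existing: FrozenSet[str]) -> Optional[str]:
    if not _USERNAME.match(name):
        return "name must start with a letter and be 8-40 letters, digits, '.' or '_'"
    if name in ROLE_NAMES:
        return "name must not be the same as a role name"
    if name in existing:
        return "name is already used on this logical switch"
    return None


def description_error(desc: str) -> Optional[str]:
    if len(desc) > 40 or not (desc.isascii() and desc.isprintable()):
        return "description must be at most 40 printable ASCII characters"
    bad = _FORBIDDEN_DESC & set(desc)
    if bad:
        return "description contains forbidden characters: " + "".join(sorted(bad))
    return None


def may_administer(actor_adlist: Set[int], target_adlist: Set[int]) -> bool:
    """Subset rule: the account being acted on must have an ADlist that is a
    subset of the ADlist of the account making the change."""
    return target_adlist <= actor_adlist


def validate_add(actor_adlist: Set[int], username: str, role: str,
                 adlist: str = "0", home: Optional[int] = None,
                 description: str = "",
                 existing: FrozenSet[str] = frozenset()) -> List[str]:
    """Return the problems with a proposed userConfig --add; an empty list means OK."""
    errors: List[str] = []
    err = username_error(username, existing)
    if err:
        errors.append(err)
    if role not in ROLE_NAMES:
        errors.append(f"unknown role {role!r}")
    err = description_error(description)
    if err:
        errors.append(err)
    try:
        ids = parse_adlist(adlist)
    except ValueError as exc:
        return errors + [str(exc)]
    if not ids:
        return errors + ["ADlist must contain at least one Admin Domain"]
    home_id = min(ids) if home is None else home  # default home is the lowest ID
    if home_id not in ids:
        errors.append("home Admin Domain must be a member of the account's ADlist")
    if not may_administer(actor_adlist, ids):
        errors.append("ADlist is not a subset of the administering account's ADlist")
    return errors
```

The same may_administer check applies to --change, --delete and passwd on another account, since the chapter states the subset rule for all of them.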

Recovering accounts

The following conditions apply to recovering user accounts:
The attributes in the backup database replace the attributes in the current account database.
An event is stored in the system message log, indicating that accounts have been recovered.
To recover an account:
1. Connect to the switch and log in using an admin account.
2. If a backup database exists, enter the following command.
userConfig --recover
The AD list for a user account is not recovered; recovered accounts are given access only to AD0, regardless of previous AD assignments.

Changing local account passwords

The following rules apply to changing passwords:
Users can change their own passwords.
Only users with Admin roles can change the password for other accounts. When changing an Admin account password, you must provide the current password.
An admin with ADlist 0-10 cannot change the password on an admin, user, or any role with an ADlist 11-25. The user account being changed must have an ADlist that is a subset of the account that is making the change.
A new password must have at least one character different from the old password.
You cannot change passwords using SNMP.
NOTE: Starting with Fabric OS 4.4.0, accounts with the Admin role can use Web Tools to change passwords. Starting with Fabric OS 3.2.0, you cannot change default account names. Starting with Fabric OS 5.1.0, password policies apply.
For information on password behavior when you upgrade (or downgrade) firmware, see ”Upgrading and downgrading firmware” on page 174.
To change the password for the current login account:
1. Connect to the switch and log in using an admin account.
2. Enter the following command:
passwd
3. Enter the requested information at the prompts.
To change the password for a different account:
1. Connect to the switch and log in using an admin account.
2. Enter the following command:
passwd "name"
where name is the name of the account for which the password is being changed.
3. Enter the requested information at the prompts.

Configuring the local user database

This section covers the following topics:
”Distributing the local user database” on page 63
”Protecting the local user database from distributions” on page 63
”Configuring password policies” on page 64

Distributing the local user database

Distributing the local switch user database and passwords to other switches in the fabric causes the distributed database to replace (overwrite) the database on the target switch. The ‘Locked’ status of a user account is not distributed as part of local user database distribution.
When distributing the user database, the database may be rejected for one of the following reasons:
One of the target switches does not have Fabric OS 5.3.0 or later.
The user database of one of the target switches is protected.
Distribute the user database and password policies only to Fabric OS 5.2.0 or later switches; the distribution command fails if any of the target switches are an earlier version.
To distribute the local user database:
When distributing the local user database, all user-defined accounts residing in the receiving switches will be logged out of any active sessions.
1. Connect to the switch and log in using an admin account.
2. Enter the following command:
distribute -p PWD -d <switch_list>
where <switch_list> is a semicolon-separated list of switch Domain IDs, switch names, or switch WWN addresses. You can also specify -d “*” to send the local user database only to Fabric OS 5.2.0 or later switches in the fabric.

Protecting the local user database from distributions

Fabric OS 5.2.0 and later allows you to distribute the user database and passwords to other switches in the fabric. When the switch accepts a distributed user database, it replaces the local user database with the user database it receives.
By default, Fabric OS 6.1.x switches accept the user databases and passwords distributed from other switches. This section explains how to protect the local user database from being overwritten.
To accept distribution of user databases on the local switch:
1. Connect to the switch and log in using an admin account.
2. Enter the following command:
fddCfg --localaccept PWD
where PWD is the user database policy. Other supported policy databases are SCC, DCC, AUTH, FCS, and IPFILTER.
To reject distributed user databases on the local switch:
1. Connect to the switch and log in using an admin account.
2. Enter the following command:
fddCfg --localreject PWD

Configuring password policies

The password policies described in this section apply to the local switch user database only. Configured password policies (and all user account attribute and password state information) are synchronized across CPs and remain unchanged after an HA failover. Password policies can also be manually distributed across the fabric (see ”Distributing the local user database” on page 63). Following is a list of the configurable password policies:
Password strength
Password history
Password expiration
Account lockout
All password policies are enforced during logins to the standby CP. However, you may observe that the password enforcement behavior on the standby CP is inconsistent with prior login activity because password state information from the active CP is automatically synchronized with the standby CP, thereby overwriting any password state information that was previously stored there. Also, password changes are not permitted on the standby CP.
Password authentication policies configured using the passwdCfg command are not enforced during initial prompts to change default passwords.
Setting the password strength policy
The password strength policy is enforced across all user accounts, and enforces a set of format rules to which new passwords must adhere. The password strength policy is enforced only when a new password is defined. The total of the other password strength policy parameters (lowercase, uppercase, digits, and punctuation) must be less than or equal to the value of the MinLength parameter.
Use the following attributes to set the password strength policy:
Lowercase
Specifies the minimum number of lowercase alphabetic characters that must appear in the password. The default value is zero. The maximum value must be less than or equal to the MinLength value.
Uppercase
Specifies the minimum number of uppercase alphabetic characters that must appear in the password. The default value is zero. The maximum value must be less than or equal to the MinLength value.
Digits
Specifies the minimum number of numeric digits that must appear in the password. The default value is zero. The maximum value must be less than or equal to the MinLength value.
Punctuation
Specifies the minimum number of punctuation characters that must appear in the password. All printable, non-alphanumeric punctuation characters except colon ( : ) are allowed. The colon character is not allowed because it is incompatible with Web Tools. The default value is zero. The maximum value must be less than or equal to the MinLength value.
MinLength
Specifies the minimum length of the password. The minimum can be from 8 to 40 characters. New passwords must be between the minimum length specified and 40 characters. The default value is 8. The maximum value must be greater than or equal to the MinLength value.
Repeat
Specifies the length of repeated character sequences that will be disallowed. For example, if the “repeat” value is set to 3, a password “passAAAword” is disallowed because it contains the repeated sequence “AAA”. A password of “passAAword” would be allowed because no repeated character sequence exceeds two characters. The range of allowed values is 1 – 40. The default value is 1.
Sequence
Specifies the length of sequential character sequences that will be disallowed. A sequential character sequence is defined as a character sequence in which the ASCII value of each contiguous character differs by one. The ASCII value for the characters in the sequence must all be increasing or decreasing. For example, if the “sequence” value is set to 3, a password “passABCword” is disallowed because it contains the sequence “ABC”. A password of “passABword” would be allowed because it contains no sequential character sequence exceeding two characters. The range of allowed values is 1 – 40. The default value is 1.
The following example shows a password strength policy that requires passwords to contain at least three uppercase characters, four lowercase characters and two numeric digits; the minimum length of the password is nine characters.
passwdcfg --set -uppercase 3 -lowercase 4 -digits 2 -minlength 9
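Added example (not from the guide, and not Fabric OS code): a checker that applies the password strength parameters described above to a candidate password, using the policy from the passwdcfg command just shown. Function names are this example's own; the comment in check_password states how the Repeat and Sequence defaults are treated, which is an assumption.

```python
import string

# Punctuation the policy accepts: printable, non-alphanumeric characters
# except the colon, which the guide says is incompatible with Web Tools.
ALLOWED_PUNCT = set(string.punctuation) - {":"}
MAX_LENGTH = 40  # passwords are at most 40 characters

# Defaults as listed in the guide; the key names are this example's own.
DEFAULT_POLICY = {"lowercase": 0, "uppercase": 0, "digits": 0,
                  "punctuation": 0, "minlength": 8, "repeat": 1, "sequence": 1}

# The policy from the guide's passwdcfg example: 3 upper, 4 lower, 2 digits, min 9.
EXAMPLE_POLICY = dict(DEFAULT_POLICY, uppercase=3, lowercase=4, digits=2, minlength=9)


def policy_is_consistent(policy):
    """MinLength must be 8..40 and the per-class minimums must not add up
    to more than MinLength (the guide says the total must be <= MinLength)."""
    total = sum(policy[k] for k in ("lowercase", "uppercase", "digits", "punctuation"))
    return 8 <= policy["minlength"] <= MAX_LENGTH and total <= policy["minlength"]


def longest_repeat(pw):
    """Length of the longest run of one repeated character ('passAAAword' -> 3)."""
    best = run = 1 if pw else 0
    for a, b in zip(pw, pw[1:]):
        run = run + 1 if a == b else 1
        best = max(best, run)
    return best


def longest_sequence(pw):
    """Length of the longest run in which each character's ASCII value differs
    from the previous one by exactly 1, all increasing or all decreasing
    ('passABCword' -> 3, 'passABword' -> 2)."""
    best = run = 1 if pw else 0
    direction = 0
    for a, b in zip(pw, pw[1:]):
        step = ord(b) - ord(a)
        if step not in (1, -1):
            run, direction = 1, 0
        elif step == direction:
            run += 1
        else:
            run, direction = 2, step
        best = max(best, run)
    return best


def check_password(pw, policy=DEFAULT_POLICY):
    """Return the list of policy rules the candidate password violates
    (an empty list means the password would be accepted)."""
    violations = []
    if not policy["minlength"] <= len(pw) <= MAX_LENGTH:
        violations.append("length")
    present = {
        "lowercase": sum(c.islower() for c in pw),
        "uppercase": sum(c.isupper() for c in pw),
        "digits": sum(c.isdigit() for c in pw),
        "punctuation": sum(c in ALLOWED_PUNCT for c in pw),
    }
    for name, count in present.items():
        if count < policy[name]:
            violations.append(name)
    if ":" in pw:
        violations.append("colon")
    # The guide's examples fix the comparison: a value of 3 rejects 'AAA' but
    # allows 'AA', i.e. reject when the run length >= the value. How the
    # default of 1 behaves is not spelled out; treating 1 as "no restriction"
    # is an assumption made here.
    if policy["repeat"] > 1 and longest_repeat(pw) >= policy["repeat"]:
        violations.append("repeat")
    if policy["sequence"] > 1 and longest_sequence(pw) >= policy["sequence"]:
        violations.append("sequence")
    return violations
```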
Setting the password history policy
The password history policy prevents users from recycling recently used passwords, and is enforced across all user accounts when users are setting their own passwords. The password history policy is enforced only when a new password is defined.
Specify the number of past password values that are disallowed when setting a new password. Allowable password history values range between 1 and 24. The default value is 2, which means the current password cannot be reused. The value 2 indicates that the current and the two previous passwords cannot be used (and so on, up to 24 passwords).
This policy does not verify that a new password meets a minimal standard of difference from prior passwords; rather, it only determines whether or not a newly-specified password is identical to one of the specified number (1-24) of previously used passwords.
The password history policy is not enforced when an administrator sets a password for another user; instead, the user’s password history is preserved and the password set by the administrator is recorded in the user’s password history.
Setting the password expiration policy
The password expiration policy forces expiration of a password after a configurable period of time, and is enforced across all user accounts. A warning that password expiration is approaching is displayed when the user logs in. When a user’s password expires, he or she must change the password to complete the authentication process and open a user session. You can specify the number of days prior to password expiration during which warnings will commence. Password expiration does not disable or lock out the account.
Use the following attributes to set the password expiration policy:
MinPasswordAge
Specifies the minimum number of days that must elapse before a user can change a password. MinPasswordAge values range from 0 to 999. The default value is zero. Setting this parameter to a non-zero value discourages users from rapidly changing a password in order to circumvent the password history setting to select a recently-used password. The MinPasswordAge policy is not enforced when an administrator changes the password for another user.
MaxPasswordAge
Specifies the maximum number of days that can elapse before a password must be changed, and is also known as the password expiration period. MaxPasswordAge values range from 0 to 999. The default value is zero. Setting this parameter to zero disables password expiration.
Warning
Specifies the number of days prior to password expiration that a warning about password expiration is displayed. Warning values range from 0 to 999. The default value is 0 days.
When MaxPasswordAge is set to a non-zero value, MinPasswordAge and Warning must be set to a value that is less than or equal to MaxPasswordAge.
Upgrade and downgrade considerations
If you are upgrading from a 5.3.x environment to 6.x, the existing password databases do not contain the state information that implements password expiration. So, when the password expiration policy is first set after an upgrade to 6.x, any user who has not changed their password will have their password expiration period set to the maximum password expiration period. You must explicitly define the password expiration for users who have not performed a password change subsequent to the upgrade.
TIP: You cannot upgrade your switch from Fabric OS 5.3.0 directly to 6.1.x. You first have to upgrade to Fabric OS 6.x and then to 6.1.x.
For example:
March 1st—Using a 5.3.x Fabric OS release. User A changes their password.
April 1—Upgrade to 6.x
May 1—User B changes his password.
June 1—The password configuration parameter MaxPasswordAge is set to 90 days.
User A’s password will expire on September 1. User B’s password will expire on August 1.
Setting the account lockout policy
The account lockout policy disables a user account when that user exceeds a specified number of failed login attempts, and is enforced across all user accounts. You can configure this policy to keep the account locked until explicit administrative action is taken to unlock it, or the locked account can be automatically unlocked after a specified period. Administrators can unlock a locked account at any time.
A failed login attempt counter is maintained for each user on each switch instance. The counters for all user accounts are reset to zero when the account lockout policy is enabled. The counter for an individual account is reset to zero when the account is unlocked after a LockoutDuration period expires.
The admin account can also have the lockout policy enabled on it. The admin account lockout policy is disabled by default and uses the same lockout threshold as the other roles. The admin account can be unlocked automatically after the lockout duration passes, or manually by a user account that has the securityAdmin or Admin role, using the following command:
userConfig --change <account_name> -u
To disable the admin account lockout policy, use the following command:
passwdCfg --disableadminlockout
Note that the account-locked state is distinct from the account-disabled state.
Use the following attributes to set the account lockout policy:
LockoutThreshold
Specifies the number of times a user can attempt to log in using an incorrect password before the account is locked. The number of failed login attempts is counted from the last successful login. LockoutThreshold values range from 0 to 999, and the default value is 0. Setting the value to 0 disables the lockout mechanism.
LockoutDuration
Specifies the time, in minutes, after which a previously locked account is automatically unlocked. LockoutDuration values range from 0 to 99999, and the default value is 30. Setting the value to 0 disables lockout duration, and would require a user to seek administrative action to unlock the account. The lockout duration begins with the first login attempt after the LockoutThreshold has been reached. Subsequent failed login attempts do not extend the lockout period.
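Added example (not from the guide, and not Fabric OS code): a model of the per-switch failed-login counter and lockout clock described above, including the rule that the duration starts with the first attempt after the threshold is reached and that the admin account is exempt unless admin lockout is enabled. Time is supplied by the caller as whole minutes, and the walk-through scenario is constructed.

```python
class AccountLockout:
    """Per-switch failed-login bookkeeping under LockoutThreshold and
    LockoutDuration. Minutes are passed in by the caller (constructed for
    this example; the real switch uses its own clock)."""

    def __init__(self, threshold, duration, admin_lockout=False):
        self.threshold = threshold          # 0 disables the lockout mechanism
        self.duration = duration            # minutes; 0 = locked until an admin unlocks
        self.admin_lockout = admin_lockout  # admin is exempt unless enabled
        self.failures = {}                  # account -> failures since last success
        self.lock_started = {}              # locked account -> minute the clock started (None: not yet)

    def enable(self):
        """Enabling the policy resets the counters of all accounts."""
        self.failures.clear()
        self.lock_started.clear()

    def _exempt(self, account):
        return self.threshold == 0 or (account == "admin" and not self.admin_lockout)

    def is_locked(self, account, now):
        """True while the account is locked; auto-unlocks (and resets the
        counter) once LockoutDuration has elapsed since the clock started."""
        if account not in self.lock_started:
            return False
        started = self.lock_started[account]
        if started is None or self.duration == 0:
            return True
        if now - started >= self.duration:
            del self.lock_started[account]
            self.failures[account] = 0
            return False
        return True

    def attempt(self, account, password_ok, now):
        """One login attempt at minute `now`; returns "ok", "rejected" or "locked"."""
        if self._exempt(account):
            return "ok" if password_ok else "rejected"
        if account in self.lock_started:
            if self.lock_started[account] is None:
                # The duration begins with the first attempt after the
                # threshold was reached; later failed attempts do not extend it.
                self.lock_started[account] = now
            if self.is_locked(account, now):
                return "locked"
        if password_ok:
            self.failures[account] = 0      # failures are counted from the last success
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.threshold:
            self.lock_started[account] = None   # locked, clock not started yet
        return "rejected"

    def admin_unlock(self, account):
        """What userConfig --change <account> -u does: clear the lock and the counter."""
        self.lock_started.pop(account, None)
        self.failures[account] = 0


def scenario():
    """Constructed walk-through with LockoutThreshold 3 and LockoutDuration 30."""
    policy = AccountLockout(threshold=3, duration=30)
    policy.enable()
    return [policy.attempt("jsmith", False, 0),   # rejected
            policy.attempt("jsmith", False, 1),   # rejected
            policy.attempt("jsmith", False, 2),   # rejected; threshold reached
            policy.attempt("jsmith", True, 5),    # locked; the 30-minute clock starts at minute 5
            policy.attempt("jsmith", False, 20),  # locked; does not extend the period
            policy.attempt("jsmith", True, 34),   # still locked (29 of 30 minutes)
            policy.attempt("jsmith", True, 35)]   # auto-unlocked and accepted
```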
To enable the admin lockout policy:
1. Log in to the switch using an admin or securityAdmin account.
2. Type passwdCfg --enableadminlockout.
The policy is now enabled.
To unlock an account:
1. Log in to the switch using an admin or securityAdmin account.
2. Type userConfig --change <account_name> -u.
where <account_name> is the name of the user account that is locked out.
To disable the admin lockout policy:
1. Log in to the switch using an admin or securityAdmin account.
2. Type passwdCfg --disableadminlockout.
The policy is now disabled.
Denial of service implications
The account lockout mechanism may be used to create a denial of service condition by repeatedly attempting to log in to an account using an incorrect password. Selected privileged accounts are exempted from the account lockout policy to prevent them from being locked out by a denial of service attack. However, these privileged accounts may then become the target of password guessing attacks. Audit logs may be examined to monitor whether such attacks are attempted.

Authentication model

This section discusses the authentication model of the switch management channel connections using the aaaConfig command. Fabric OS 6.x and later supports the use of both the local user database and the RADIUS service at the same time, and the local user database and LDAP using Microsoft’s Active Directory in Windows at the same time. Table 12 on page 68 outlines the available command options.
When configured to use RADIUS or LDAP, the switch acts as a network access server (NAS) and RADIUS or LDAP client. The switch sends all authentication, authorization, and accounting (AAA) service requests to the RADIUS or LDAP server. The RADIUS or LDAP server receives the request, validates the request, and sends its response back to the switch.
The supported management access channels that integrate with RADIUS and LDAP include serial port, Telnet, SSH, Web Tools, and API. All of these require the switch IP address or name to connect. The RADIUS server accepts both IPv4 and IPv6 address formats, while the LDAP server accepts only an IPv4 address.
A switch can be configured to try both RADIUS or LDAP and local switch authentication.
For systems such as the HP 4/256 SAN Director and DC SAN Backbone Director (DC Director), the switch IP addresses are aliases of the physical Ethernet interfaces on the CP blades. When specifying client IP addresses for the logical switches in such systems, make sure the CP IP addresses are used. For accessing both the active and standby CP, and for the purpose of HA failover, both CP IP addresses of a Director should be included in the RADIUS or LDAP server configuration.
When configured for RADIUS or LDAP, a switch becomes a RADIUS or LDAP client. In either of these configurations, authentication records are stored in the RADIUS or LDAP host server database. Login and logout account name, assigned role, and time-accounting records are also stored on the RADIUS or LDAP server for each user.
By default, the RADIUS and LDAP services are disabled, so AAA services default to the switch local database.
To enable RADIUS or LDAP service, it is strongly recommended that you access the CLI through an SSH connection so that the shared secret is protected. Multiple login sessions can change the configuration simultaneously; the last session to apply a change leaves its configuration in effect. After a configuration is applied, it persists after a reboot or an HA failover.
To enable LDAP service, you will need to install a certificate on the Microsoft Active Directory server.
The configuration applies to all switches; on a Director, the configuration replicates itself to the standby CP blade if one is present. It is saved in a configuration upload and applied in a configuration download.
You should configure at least two RADIUS servers so that if one fails, the other will assume service.
You can set the configuration with both RADIUS or LDAP service and local authentication enabled so that if the RADIUS or LDAP servers do not respond due to power failure or network problems, the switch uses local authentication.
Consider the following effects of the use of RADIUS or LDAP service on other Fabric OS features:
When RADIUS or LDAP service is enabled, all account passwords must be managed on the RADIUS or LDAP server. The Fabric OS mechanisms for changing switch passwords remain functional; however, such changes affect only the involved switches locally. They do not propagate to the RADIUS or LDAP server, nor do they affect any account on the RADIUS or LDAP server.
When RADIUS or LDAP is set up for a fabric that contains a mix of switches with and without RADIUS or LDAP support, the way a switch authenticates users depends on whether or not a RADIUS or LDAP server is set up for that switch. For a switch with RADIUS or LDAP support and configuration, authentication bypasses the local password database. For a switch without RADIUS or LDAP support or configuration, authentication uses the switch’s local account names and passwords.
The following behaviors apply to Web Tools:
• Web Tools client and server keep a session open after a user is authenticated. A password change on a switch invalidates an open session and requires the user to log in again. When integrated with RADIUS or LDAP, a switch password change on the RADIUS or LDAP server does not invalidate an existing open session, although a password change on the local switch does.
• If you cannot log in because of a RADIUS or LDAP server connection problem, Web Tools displays a message indicating server outage.
Table 12 lists authentication configuration options.
Table 12 Authentication configuration options
aaaConfig options | Description | Equivalent setting in Fabric OS 5.1.0 and earlier (--radius | --switchdb 1)
--authspec “local” | Replaces --localonly. Default setting. Authenticates management connections against the local database only. If the password does not match or the user is not defined, the login fails. | Off | On
--authspec “radius” | Replaces --radiusonly. Authenticates management connections against the RADIUS database(s) only. If the RADIUS service is not available or the credentials do not match, the login fails. | On | Off
--authspec “radius;local” | Replaces --radiuslocal. Authenticates management connections against any RADIUS databases first. If RADIUS fails for any reason, authenticates against the local user database. | not supported
--authspec “radius;local” --backup | Replaces --radiuslocalbackup. Authenticates management connections against any RADIUS databases. If RADIUS fails because the service is not available, authenticates against the local user database. | On | On
--authspec “ldap” | Authenticates management connections against any LDAP database(s) only. If the LDAP service is not available or the credentials do not match, the login fails. | n/a | n/a
--authspec “ldap;local” | Authenticates management connections against any LDAP database first. If LDAP fails for any reason, authenticates against the local user database. | n/a | On
1. Fabric OS 5.1.0 and earlier aaaConfig --switchdb <on | off> setting.
To set the switch authentication mode:
1. Connect to the switch and log in using an admin account.
2. Enter this command:
switch:admin> aaaConfig --authspec "radius" | "ldap" | "radius;local" | "ldap;local" [--backup]
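The difference between “radius;local” and “radius;local” --backup in Table 12 is the condition under which the switch consults its local database. The following added example (not from the guide, and not Fabric OS code) models that decision together with the try-the-next-server behaviour behind the recommendation to configure two servers; the outcome names and server results are constructed, and the assumption that a reject from a reachable server is final is noted in the code.

```python
ACCEPT, REJECT, UNAVAILABLE = "accept", "reject", "unavailable"


def query_servers(results):
    """Outcome of asking the configured servers in order: a server that does
    not answer is skipped (hence the guide's advice to configure at least
    two); the first accept or reject is final. Assumption: a reject from a
    reachable server is not retried on the next server."""
    for result in results:
        if result != UNAVAILABLE:
            return result
    return UNAVAILABLE


def authenticate(authspec, server_results, local_match, backup=False):
    """Decide a management login under one --authspec setting from Table 12.

    authspec        "local", "radius", "ldap", "radius;local" or "ldap;local"
    server_results  per-server outcomes for these credentials, in order
    local_match     whether the credentials match the switch's local database
    backup          True for --backup (fall back only when the service is down)
    Returns ("ok", <database used>) or ("fail", <reason>)."""
    parts = authspec.split(";")
    service = parts[0]
    if service == "local":
        return ("ok", "local") if local_match else ("fail", "local mismatch")
    if service not in ("radius", "ldap"):
        raise ValueError("unknown authspec %r" % authspec)
    outcome = query_servers(server_results)
    if outcome == ACCEPT:
        return ("ok", service)
    if parts[1:] != ["local"]:
        return ("fail", "%s %s" % (service, outcome))    # no local fallback configured
    # "radius;local" falls back on any failure, including an explicit reject,
    # so credentials that only match a stale local password still open a
    # session. With --backup the local database is consulted only when no
    # server could be reached.
    if backup and outcome == REJECT:
        return ("fail", "%s reject, local fallback not allowed" % service)
    if local_match:
        return ("ok", "local")
    return ("fail", "%s %s, local mismatch" % (service, outcome))
```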

Creating Fabric OS user accounts

RADIUS and LDAP servers allow you to set up user accounts by their true network-wide identity rather than by the account names created on a Fabric OS switch. With each account name, assign the appropriate switch access roles.
RADIUS and LDAP support all the defined RBAC roles described in Table 8 on page 56.
Users must enter their assigned RADIUS or LDAP account name and password when logging in to a switch that has been configured with RADIUS or LDAP. After the RADIUS or LDAP server authenticates a user, it responds with the assigned switch role in a Brocade Vendor-Specific Attribute (VSA). If the response does not have a VSA role assignment, the User role is assigned. If no Administrative Domain is assigned, then the user is assigned to the default Admin Domain AD0.
The syntax used for assigning VSA-based account switch roles on a RADIUS server is described in Table 13.
Table 13 Syntax for VSA-based account roles
Item | Value | Description
Type | 26 | 1 octet
Length | 7 or higher | 1 octet, calculated by the server
Vendor ID | 1588 | 4 octet, Brocade's SMI Private Enterprise Code
Vendor type | 1 | 1 octet, Brocade-Auth-Role; valid attributes for the Brocade-Auth-Role are: SwitchAdmin, ZoneAdmin, FabricAdmin, BasicSwitchAdmin, Operator, User, Admin
Vendor type | 2 | Brocade-AVPairs1. Optional: Specifies the Admin Domain member list. For more information, see ”RADIUS configuration and Admin Domains” on page 71.
Vendor type | 3 | Brocade-AVPairs2
Vendor type | 4 | Brocade-AVPairs3
Vendor type | 5 | Brocade-AVPairs4
Vendor length | 2 or higher | 1 octet, calculated by server, including vendor-type and vendor-length
Attribute-specific data | ASCII string | Multiple octet, maximum 253, indicating the name of the assigned role and other supported attribute values such as Admin Domain member list.
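Added example (not from the guide, and not Brocade code): an encoder and decoder for the Brocade Vendor-Specific Attribute laid out in Table 13, plus the role default from the previous section. Function names and the sample Access-Accept attribute list are constructed; the decoder assumes one vendor sub-attribute per VSA, as the table describes it.

```python
import struct

VSA_TYPE = 26               # RADIUS Vendor-Specific attribute type
BROCADE_VENDOR_ID = 1588    # Brocade SMI Private Enterprise Code
VENDOR_TYPE_NAMES = {1: "Brocade-Auth-Role", 2: "Brocade-AVPairs1",
                     3: "Brocade-AVPairs2", 4: "Brocade-AVPairs3",
                     5: "Brocade-AVPairs4"}
MAX_DATA = 253              # attribute-specific data: at most 253 octets


def encode_brocade_vsa(vendor_type, value):
    """Return the wire bytes of one Brocade VSA carrying an ASCII string:
    Type(1) Length(1) Vendor-ID(4) Vendor-Type(1) Vendor-Length(1) data."""
    if vendor_type not in VENDOR_TYPE_NAMES:
        raise ValueError("unknown Brocade vendor type %d" % vendor_type)
    data = value.encode("ascii")
    if not 1 <= len(data) <= MAX_DATA:
        raise ValueError("attribute data must be 1..%d octets" % MAX_DATA)
    vendor_len = 2 + len(data)                    # vendor-type + vendor-length + data
    body = struct.pack("!IBB", BROCADE_VENDOR_ID, vendor_type, vendor_len) + data
    length = 2 + len(body)                        # type + length + body
    if length > 255:                              # Length is a single octet
        raise ValueError("VSA too long for one attribute")
    return struct.pack("!BB", VSA_TYPE, length) + body


def decode_brocade_vsas(attrs):
    """Walk a RADIUS attribute list and return {attribute name: string} for
    every Brocade VSA in it. Other attributes and other vendors are skipped;
    a length field that does not add up raises ValueError."""
    found = {}
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length at offset %d" % pos)
        if atype == VSA_TYPE and alen >= 8:
            vendor_id, vtype, vlen = struct.unpack("!IBB", attrs[pos + 2:pos + 8])
            if vendor_id == BROCADE_VENDOR_ID:
                # Vendor-Length covers vendor-type, vendor-length and the data,
                # so it must fill exactly what remains of the attribute.
                if vlen < 2 or 6 + vlen != alen:
                    raise ValueError("bad vendor length at offset %d" % pos)
                if vtype in VENDOR_TYPE_NAMES:
                    found[VENDOR_TYPE_NAMES[vtype]] = attrs[pos + 8:pos + alen].decode("ascii")
        pos += alen
    return found


def assigned_role(vsas):
    """Role the switch assigns from a decoded reply: the Brocade-Auth-Role
    value, or User when the reply carries no role VSA."""
    return vsas.get("Brocade-Auth-Role", "User")


def sample_access_accept():
    """Constructed attribute list of an Access-Accept: a role VSA, an
    unrelated Reply-Message (type 18) and an Admin Domain VSA."""
    reply_message = bytes([18, 2 + 5]) + b"hello"
    return (encode_brocade_vsa(1, "admin") + reply_message
            + encode_brocade_vsa(2, "ADList=1,2;HomeAD=2"))
```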

Managing Fabric OS users on the RADIUS server

All existing Fabric OS mechanisms for managing local switch user accounts and passwords remain functional when the switch is configured to use the remote authentication dial-in user service (RADIUS). Changes made to the local switch database do not propagate to the RADIUS server, nor do the changes affect any account on the RADIUS server.
Windows 2000 IAS
For example, to configure a Windows 2000 internet authentication service (IAS) server to use VSA to pass the Admin role to the switch in the dial-in profile, the configuration specifies the Vendor code (1588), Vendor-assigned attribute number (1), and attribute value (admin), as shown in the following:
Linux FreeRadius server
For the configuration on a Linux FreeRadius server, define the following in a vendor dictionary file called dictionary.brocade. Include the values outlined in Table 14.
Table 14 dictionary.brocade file entries
Include | Key | Value
VENDOR | Brocade | 1588
ATTRIBUTE | Brocade-Auth-Role | 1 string Brocade
AdminDomain
After you have completed the dictionary file, define the role for the user in a configuration file. For example, to grant the user jsmith the Admin role, you would add the following statement to the configuration file:
jsmith Auth-Type := Local, User-Password == "jspassword"
    Brocade-Auth-Role = "admin"
RADIUS configuration and Admin Domains
When configuring users with Admin Domains, you must also include the Admin Domain member list. This section describes the way that you configure attribute types for this configuration.
The values for the new attribute types use the syntax key=val[;key=val], where key is a text description of the attribute, val is the attribute value for the given key, the equal sign (=) separates key and value, and the semicolon (;) is an optional separator between multiple key-value pairs.
Multiple key-value pairs can appear for one Vendor-Type code. Key-value pairs with the same key name may be concatenated across multiple Vendor-Type codes. You can use any combination of the Vendor-Type codes to specify key-value pairs. Note that a switch always parses these attributes from Vendor-Type code 2 to Vendor-Type code 4.
Only two kinds of keys are accepted; all other keys are ignored. The following keys are accepted:
HomeAD is the designated home Admin Domain for the account. The valid value is between 0 and 255, inclusive. The first valid HomeAD key-value pair is accepted by the switch, and any additional HomeAD key-value pairs are ignored.
ADList is a comma-separated list of Administrative Domain numbers of which this account is a member. Valid numbers range from 0 to 255, inclusive. A dash between two numbers specifies a range. Multiple ADList key-value pairs within the same or across different Vendor-Type codes are concatenated. Multiple occurrences of the same AD number are ignored.
RADIUS authentication requires that the account have a valid role through the attribute type Brocade-Auth-Role. The additional attribute values ADList and HomeAD are optional. If they are unspecified, the account can log in with AD0 as its member list and home Admin Domain. If there is an error in ADList or HomeAD specification, the account cannot log in until the AD list is corrected; an error message is displayed.
For example, on a Linux FreeRadius Server, the user (user-za) with the following settings takes the “ZoneAdmin” role, with AD member list: 1, 2, 4, 5, 6, 7, 8, 9, 12; the Home Admin Domain will be 1.
user-za Auth-Type := Local, User-Password == "password"
    Brocade-Auth-Role = "ZoneAdmin",
    Brocade-AVPairs1 = "ADList=1,2,6",
    Brocade-AVPairs2 = "ADList=4-8;ADList=7,9,12"
In the next example, on a Linux FreeRadius Server, the user takes the “Operator” role, with ADList 1, 2, 4, 5, 6, 7, 8, 9, 12, 20 and homeAD 2.
user-opr Auth-Type := Local, User-Password == "password"
    Brocade-Auth-Role = "operator",
    Brocade-AVPairs1 = "ADList=1,2;HomeAD=2",
    Brocade-AVPairs2 = "ADList=4-8,20;ADList=7,9,12"
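Added example (not from the guide, and not switch code): a parser for the ADList and HomeAD key-value pairs described in this section, applying the rules stated above (pairs separated by semicolons, dash ranges, concatenation across Brocade-AVPairs1 to 4 in order, first HomeAD wins, unknown keys ignored, malformed input treated as a login-blocking error). Function names are this example's own; picking the lowest member AD when HomeAD is omitted matches the user-za example, and rejecting a HomeAD that is not a member is an assumption.

```python
AVPAIR_NAMES = ("Brocade-AVPairs1", "Brocade-AVPairs2",
                "Brocade-AVPairs3", "Brocade-AVPairs4")   # vendor types 2..5, parsed in order
AD_MIN, AD_MAX = 0, 255


def _parse_ad_number(text):
    """Parse one Admin Domain number and check that it lies in 0..255."""
    ad = int(text.strip())          # non-numeric text raises ValueError
    if not AD_MIN <= ad <= AD_MAX:
        raise ValueError("Admin Domain %d out of range" % ad)
    return ad


def _parse_adlist(value):
    """'1,2,6' or '4-8,20' -> set of AD numbers; a dash between two numbers is a range."""
    ads = set()
    for item in value.split(","):
        if "-" in item:
            low, high = item.split("-", 1)   # a typo such as '-4-8' yields '' and fails below
            low, high = _parse_ad_number(low), _parse_ad_number(high)
            if low > high:
                raise ValueError("descending range %s" % item)
            ads.update(range(low, high + 1))
        else:
            ads.add(_parse_ad_number(item))  # repeated numbers are simply ignored
    return ads


def parse_admin_domains(avpairs):
    """avpairs maps the Brocade-AVPairs1..4 names to the strings the RADIUS
    server returned. Returns (sorted AD member list, home AD). Raises
    ValueError for a malformed specification, which the guide says blocks
    the login until the list is corrected."""
    ads, home = set(), None
    for name in AVPAIR_NAMES:
        value = avpairs.get(name)
        if value is None:
            continue
        for pair in value.split(";"):
            if not pair.strip():
                continue
            if "=" not in pair:
                raise ValueError("malformed key-value pair %r" % pair)
            key, val = (part.strip() for part in pair.split("=", 1))
            if key == "ADList":
                ads |= _parse_adlist(val)          # lists concatenate across vendor types
            elif key == "HomeAD":
                ad = _parse_ad_number(val)
                if home is None:                   # first valid HomeAD wins
                    home = ad
            # any other key is ignored
    if not ads and home is None:
        return [0], 0                              # neither given: AD0 only
    if home is None:
        home = min(ads)      # as in the user-za example, where no HomeAD gives home AD 1
    if home not in ads:
        # Assumption: the home AD must be one of the member ADs.
        raise ValueError("HomeAD %d is not in the AD list" % home)
    return sorted(ads), home
```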

Configuring the RADIUS server

You must know the switch IP address, in either IPv4 or IPv6 notation, or name to connect to switches. Use the ipAddrShow command to display a switch IP address.
For Directors (chassis-based systems), the switch IP addresses are aliases of the physical Ethernet interfaces on the CP blades. When specifying client IP addresses for the logical switches in such systems, make sure the CP blade IP addresses are used. For accessing both the active and standby CP blade, and for the purpose of HA failover, both of the CP blade IP addresses should be included in the RADIUS server configuration.
User accounts should be set up by their true network-wide identity, rather than by the account names created on a Fabric OS switch. Along with each account name, the administrator should assign appropriate switch access roles. To manage a fabric, these roles can be User, Admin, and SecurityAdmin.
When they log in to a switch configured with RADIUS, users enter their assigned RADIUS account names and passwords at the prompt. After the RADIUS server authenticates a user, it responds with the assigned switch role in a Brocade Vendor-Specific Attribute (VSA), as defined in the RFC. An Authentication-Accept response without such VSA role assignment automatically assigns the user role.
The following sections describe how to configure a RADIUS server to support clients under different operating systems.
Linux
The following procedures work for FreeRADIUS on Solaris and Red Hat Linux. FreeRADIUS is a freeware RADIUS server that you can find at the following website:
www.freeradius.org
Follow the installation instructions at the website. FreeRADIUS runs on Linux (all versions), FreeBSD, NetBSD, and Solaris. If you make a change to any of the files used in this configuration, you must stop the server and restart it for the changes to take effect.
FreeRADIUS installation places the configuration files in $PREFIX/etc/raddb. By default, the PREFIX is /usr/local.
Configuring RADIUS service on Linux consists of the following tasks:
Adding the Brocade attribute to the server
Creating the user
Enabling clients
To add the Brocade attribute to the server:
1. Create and save the file $PREFIX/etc/raddb/dictionary.brocade with the following information:
#
# Brocade FabricOS 5.0.1 dictionary
#
VENDOR Brocade 1588
#
# attribute 1 defined to be Brocade-Auth-Role
# string defined in user configuration
#
ATTRIBUTE Brocade-Auth-Role 1 string Brocade
This defines the Brocade vendor ID as 1588, the Brocade attribute 1 as Brocade-Auth-Role, and it is a string value.
2. Open the file $PREFIX/etc/raddb/dictionary in a text editor and add the line:
$INCLUDE dictionary.brocade
As a result, the file dictionary.brocade is located in the RADIUS configuration directory and loaded for use by the RADIUS server.
To create the user:
Open the $PREFIX/etc/raddb/user file in a text editor and add user names and roles for users who will be accessing the switch and authenticating through RADIUS. The user will log in using the role specified with Brocade-Auth-Role. The valid roles include Root, Admin, SwitchAdmin, ZoneAdmin, SecurityAdmin, BasicSwitchAdmin, FabricAdmin, Operator and User. You must use quotation marks around “password” and “role”.
For example, to set up an account called JohnDoe with the Admin role:
JohnDoe Auth-Type := Local, User-Password == "johnPassword"
    Brocade-Auth-Role = "admin"
The next example uses the local system password file to authenticate users.
JohnDoe Auth-Type := System
    Brocade-Auth-Role = "admin"
When you use Network Information Service (NIS) for authentication, the only way to enable authentication with the password file is to force the switch to authenticate using Password Authentication Protocol (PAP); this requires the -a pap option with the aaaConfig command.
Clients are the switches that will use the RADIUS server; each client must be defined. By default, all IP addresses are blocked.
4/256 SAN Director and DC SAN Backbone Director (short name, DC Director) models send their RADIUS requests using the IP address of the active CP. When adding clients, add both the active and standby CP IP addresses so that, in the event of a failover, users can still log in to the switch.
To enable clients:
1. Open the $PREFIX/etc/raddb/client.config file in a text editor and add the switches that are to be
configured as RADIUS clients. For example, to configure the switch at IP address 10.32.170.59 as a client:
client 10.32.170.59
In this example, shortname is an alias used to easily identify the client. Secret is the shared secret between the client and server. Make sure the shared secret matches that configured on the switch (see ”To add a RADIUS server to the switch configuration:” on page 79).
Save the file $PREFIX/etc/raddb/client.config then start the RADIUS server as follows:
$PREFIX/sbin/radiusd
Windows 2000
The instructions for setting up RADIUS on a Windows 2000 server are listed here for your convenience but are not guaranteed to be accurate for your network environment. Always check with your system administrator before proceeding with setup.
Configuring RADIUS service on Windows 2000 consists of the following tasks:
Installing internet authentication service (IAS)
For more information and instructions on installing IAS, refer to the Microsoft website.
Enabling the Challenge Handshake Authentication Protocol (CHAP)
If CHAP authentication is required, then Windows must be configured to store passwords with reversible encryption. Reversible encryption is not the default behavior; it must be enabled. Because it makes the stored password recoverable, enable it only for the accounts that must authenticate with CHAP.
If a user is configured before reversible encryption is enabled, the user’s password is stored in a form that cannot be used for CHAP. To use CHAP, the password must be re-entered after reversible encryption is enabled. If the password is not re-entered, CHAP authentication will not work and the user will be unable to authenticate from the switch.
Configuring a user
IAS is the Microsoft implementation of a RADIUS server and proxy. IAS uses the Windows native user database to verify user login credentials; it does not list specific users, but instead lists user groups.
Fabric OS 6.1.x administrator guide 73
Each user group should be associated with a specific switch login role. For example, you should configure a user group for root, admin, factory, switchadmin, and user, and then add any users whose logins you want to associate to the appropriate group.
Configuring the server
For more information and instructions on configuring the server, refer to the Microsoft website. Below is the information you will need to configure the RADIUS server for a HP StorageWorks switch. A client is the device that uses the RADIUS server; in this case, it is the switch.
a. In the Add RADIUS Client window, provide the following:
Client address (IP or DNS): Enter the IP address of the switch.
Client-Vendor: Select RADIUS Standard.
Shared secret: Provide a password. The shared secret is a password used between the client device and server to prevent IP address spoofing by unwanted clients. Keep your shared secret in a safe place. You will need to enter it in the switch configuration.
After clicking Finish, add a new client for all switches on which RADIUS authentication will be used.
b. In the Internet Authentication Service window, right-click the Remote Access Policies folder, then select New Remote Access Policy from the pop-up window. A remote access policy must be created for each login role (Root, Admin, Factory, SwitchAdmin, and User) for which you want to use RADIUS. Apply this policy to the user groups that you already created.
c. In the Vendor-Specific Attribute Information window, enter the vendor code value 1588 (the Brocade vendor ID). Click Yes, then click Configure Attribute...
d. In the Configure VSA (RFC compliant) window, enter the following values and click OK.
Vendor-assigned attribute number: Enter the value 1.
Attribute format: Enter String.
Attribute value: Enter the login role (Root, Admin, SwitchAdmin, User, etc.) the user group must use to log in to the switch.
e. After returning to the Internet Authentication Service window, add additional policies for all login types for which you want to use the RADIUS server. After this is done, you can configure the switch.
RSA RADIUS server
Traditional password-based authentication methods are one-factor: you confirm your identity using a memorized password alone. Two-factor authentication increases security by using a second factor to corroborate identification. The first factor is a PIN or password and the second factor is the code generated by the RSA SecurID token.
RSA SecurID with an RSA RADIUS server is used for user authentication. The switch does not communicate directly with the RSA Authentication Manager, so the RSA RADIUS server is used in conjunction with the switch to facilitate communication.
To learn more about how RSA SecurID works, visit www.rsa.com for more information.
Setting up the RSA RADIUS server
For more information on how to install and configure the RSA Authentication Manager and the RSA RADIUS server, refer to your documentation or visit www.rsa.com
1. Create user records in the RSA Authentication Manager.
2. Configure the RSA Authentication Manager.
3. Add an agent host in RSA Authentication Manager.
4. Configure the RSA RADIUS server.
Setting up the RSA RADIUS server involves adding RADIUS clients, users, and vendor specific attributes to the RSA RADIUS server.
a. Add the following data to the vendor.ini file:
vendor-product = Brocade
dictionary = brocade
ignore-ports = no
port-number-usage = per-port-type
help-id = 2000
b. Create a brocade.dct file and add it to the dictiona.dcm file located in the following path: C:\Program Files\RSA Security\RSA RADIUS\Service. The dictionary files for RSA RADIUS Server must remain in the installation directory. Do not move the files to other locations on your computer. Add the Brocade-VSA macro and define the attributes as follows:
• vid (Vendor-ID): 1588
• type1 (Vendor-Type): 1
• len1 (Vendor-Length): >=2
###########################################################################
# brocade.dct -- Brocade Dictionary
#
# (See readme.dct for more details on the format of this file)
###########################################################################
#
# Use the Radius specification attributes in lieu of the Brocade one:
#
@radius.dct
MACRO Brocade-VSA(t,s) 26 [vid=1588 type1=%t% len1=+2 data=%s%]
ATTRIBUTE Brocade-Auth-Role Brocade-VSA(1,string) r
###########################################################################
# brocade.dct -- Brocade Dictionary
###########################################################################
Figure 1 Example of a Brocade DCT file
#######################################################################
# dictiona.dcm
#######################################################################
# Generic Radius
@radius.dct
#
# Specific Implementations (vendor specific)
#
@3comsw.dct
@aat.dct
@acc.dct
@accessbd.dct
@agere.dct
@agns.dct
@airespace.dct
@alcatel.dct
@altiga.dct
@annex.dct
@aptis.dct
@ascend.dct
@ascndvsa.dct
@axc.dct
@bandwagn.dct
@brocade.dct <------- (line added for the Brocade dictionary)
Figure 2 Example of the dictiona.dcm file
c. When selecting items from the Add Return List Attribute, select Brocade-Auth-Role and type the string Admin. The string will equal the role on the switch.
d. Add the Brocade profile.
5. In RSA Authentication Manager, edit the user records that will be authenticating using RSA SecurID.
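The Brocade-Auth-Role attribute that the users entries earlier in this section and the brocade.dct macro above define is an ordinary RADIUS Vendor-Specific Attribute: attribute 26, vendor ID 1588, vendor type 1, string value. The following Python script is an added example and is not code from this guide, from HP or from Brocade. It builds the PAP Access-Request the switch sends (hiding User-Password as RFC 2865 section 5.2 requires), builds the Access-Accept that carries the role, and performs the two checks the switch side must make before trusting the role: the Response Authenticator against the shared secret, and the role string against the switch's role list. The shared secret, user name, password and packet identifier are constructed sample values.

```python
"""RADIUS exchange for a Fabric OS login, built from RFC 2865 wire formats.
Added example; secret, user, password and identifier are constructed samples."""
import hashlib
import os
import struct

BROCADE_VENDOR_ID = 1588        # vid in brocade.dct / vendor code entered in IAS
BROCADE_AUTH_ROLE = 1           # vendor-type of Brocade-Auth-Role
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VSA = 1, 2, 26
VALID_ROLES = {"root", "admin", "switchadmin", "zoneadmin", "securityadmin",
               "basicswitchadmin", "fabricadmin", "operator", "user"}

def pap_hide(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_unhide(hidden, secret, request_auth):
    """Server side of pap_hide; the chained key uses the received cipher blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def brocade_role_vsa(role):
    """Vendor-Specific (26): vendor-id 1588, then type=1, len=+2, string value."""
    data = role.encode()
    inner = struct.pack("!BB", BROCADE_AUTH_ROLE, len(data) + 2) + data
    return attr(ATTR_VSA, struct.pack("!I", BROCADE_VENDOR_ID) + inner)

def access_request(user, password, secret, ident, request_auth):
    attrs = attr(ATTR_USER_NAME, user.encode())
    attrs += attr(ATTR_USER_PASSWORD, pap_hide(password.encode(), secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def access_accept(role, secret, ident, request_auth):
    attrs = brocade_role_vsa(role)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def parse_attrs(blob):
    pos = 0
    while pos < len(blob):
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("malformed attribute")
        yield atype, blob[pos + 2:pos + alen]
        pos += alen

def role_from_accept(reply, secret, request_auth):
    """Switch side: verify the reply is authentic, then extract Brocade-Auth-Role."""
    code, _ident, length = struct.unpack("!BBH", reply[:4])
    if code != ACCESS_ACCEPT or length != len(reply):
        raise ValueError("not a well-formed Access-Accept")
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    if expected != reply[4:20]:
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    for atype, value in parse_attrs(reply[20:]):
        if atype != ATTR_VSA or struct.unpack("!I", value[:4])[0] != BROCADE_VENDOR_ID:
            continue
        vtype, vlen = value[4], value[5]
        if vtype == BROCADE_AUTH_ROLE and vlen == len(value) - 4:
            role = value[6:].decode().lower()
            if role not in VALID_ROLES:
                raise ValueError(f"server returned unknown role {role!r}")
            return role
    raise ValueError("Access-Accept carried no Brocade-Auth-Role")

def accept_is_authentic(reply, secret, request_auth):
    try:
        role_from_accept(reply, secret, request_auth)
        return True
    except ValueError:
        return False

def demo(secret=b"Testing1234", user="JohnDoe", password="johnPassword",
         stored="johnPassword", role="Admin"):
    """Round trip: switch request -> server checks the password -> accept with role."""
    ident, request_auth = 7, os.urandom(16)
    req = access_request(user, password, secret, ident, request_auth)
    got = dict(parse_attrs(req[20:]))
    if pap_unhide(got[ATTR_USER_PASSWORD], secret, request_auth) != stored.encode():
        return None                       # the server would send Access-Reject instead
    reply = access_accept(role, secret, ident, request_auth)
    return role_from_accept(reply, secret, request_auth)
```

Running demo() returns "admin". Note that nothing in this exchange authenticates the server beyond the shared secret, which is why the guide insists the secret must match on both sides and why a guessable secret lets anyone on the path return an Access-Accept with Brocade-Auth-Role = "root".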
LDAP configuration and Microsoft’s Active Directory
LDAP provides user authentication and authorization using Microsoft's Active Directory service in conjunction with LDAP on the switch. There are two modes of operation in LDAP authentication, FIPS mode and non-FIPS mode. This section discusses LDAP authentication in non-FIPS mode. For more information on LDAP in FIPS mode, refer to ”Configuring advanced security features” on page 105. The following are restrictions when using LDAP:
In Fabric OS 6.1.x and later there is no password change through Active Directory.
There is no automatic migration of newly created users from the local switch database to Active Directory. This is a manual process explained later.
LDAP authentication is used on the local switch only and not for the entire fabric.
Roles for users can be added through the Microsoft Management Console. Groups created in Active Directory must correspond directly to the RBAC user roles on the switch. Role assignments are made by including the user in the respective group. A user can be assigned to multiple groups, such as Switch Admin and Security Admin. For LDAP servers, you can use ldapCfg --maprole <ldap_role_name> <switch_role> to map an LDAP server role to one of the default roles available on a switch. For more information on RBAC roles, see ”Using Role-Based Access Control (RBAC)” on page 56.
NOTE: All instructions involving Microsoft’s Active Directory can be obtained from www.microsoft.com or Microsoft documentation. Confer with your network administrator prior to configuration for any special needs your network environment may have.
To set up LDAP:
1. Install a Certificate Authority (CA) certificate on the Windows Active Directory server for LDAP.
Follow Microsoft’s instructions for generating and installing CA certificates on a Windows server.
2. Create a user in Microsoft Active Directory server.
For instructions on how to create a user, refer to Microsoft documentation to create a user in your Active Directory.
3. Create a group whose name is the switch’s role name, so that the Active Directory group name is the same as the switch role name, or use the ldapCfg --maprole <ldap_role_name> <switch_role> command to map an LDAP server role to one of the default roles available on the switch.
4. Associate the user to the group by adding the user to the group.
For instructions on how to add a user to a group, refer to Microsoft documentation.
5. Add the user’s Administrative Domains to the CN_list by editing the adminDescription value. This will map the admin domains to the user name. Multiple admin domains can be added as a string value separated by the underscore character ( _ ).
To create a user:
To create a user in Active Directory, refer to www.microsoft.com or Microsoft documentation. There are no special attributes.
To create a group:
To create a group in Active Directory, refer to www.microsoft.com or Microsoft documentation. You will need to verify that the group uses the following attributes:
The name of the group has to match the RBAC role.
The Group Type must be Security.
The Group Scope must be Global.
To assign the group (role) to the user:
To assign the user to a group in the Active Directory, refer to www.microsoft.com or Microsoft documentation. You will need to verify that the user has the following attributes:
Update the memberOf field with the login role (Root, Admin, SwitchAdmin, User, etc.) that the user must use to log in to the switch, or
If you have a user-defined group, then use the ldapCfg --maprole <ldap_role_name> <switch_role> command to map an LDAP server role to one of the default roles available on a switch.
Adding the adlist
1. From the Windows Start menu, select Programs > Administrative Tools > ADSI.msc.
ADSI Edit is a Microsoft Windows Resource Kit utility. It must be installed to proceed with the rest of the setup. For Windows 2003, this utility comes with Service Pack 1, or you can download it from the Microsoft website.
2. Go to CN=Users.
3. Right-click the user and select Properties. Click the Attribute Editor tab.
4. Double-click the adminDescription attribute.
This opens the String Attribute Editor dialog box.
5. Enter the value for the admin domains separated by an underscore ( _ ) into the Value field.
Example
adlist_0_10_200_endAd
Home Admin Domain (homeAD) for the user will be the first value in the adlist (Admin Domain list). If a user has no values assigned in the adlist attribute, then the homeAD ‘0’ will be the default administrative domain for the user.
NOTE: You can perform batch operations using the Ldifde.exe utility. For more information on importing
and exporting schemas, refer to your Microsoft documentation or visit www.microsoft.com
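The adlist format above (adlist_<ad>_<ad>..._endAd, first entry is the home AD, no list means home AD 0) and the Ldifde batch note lend themselves to a small tool. The following Python script is an added example, not code from this guide or from HP, Brocade or Microsoft: it parses and validates an adminDescription value, computes the home AD, and emits ldifde -i input that creates a role group with the required Security type and Global scope and assigns a user's adlist and group membership. The distinguished names, the DC= components and the account names are constructed sample values; the upper bound of 255 on admin domain numbers is an assumption and not stated on this page.

```python
"""Admin Domain list (adlist) handling for LDAP users on a Fabric OS switch.
Added example; DNs, domain components and account names are constructed."""
import re

ADLIST_RE = re.compile(r"^adlist(?:_\d+)*_endAd$")
MAX_AD = 255  # assumption: admin domains are numbered 0..255 (not stated in the guide)
GROUP_TYPE_GLOBAL_SECURITY = -2147483646   # 0x80000002 = GLOBAL | SECURITY_ENABLED

def parse_adlist(value):
    """Admin domains in an adminDescription value, in stored order.
    An empty or absent attribute yields [], which the switch treats as home AD 0."""
    if not value:
        return []
    if not ADLIST_RE.match(value):
        raise ValueError(f"not an adlist string: {value!r}")
    ads = [int(tok) for tok in value.split("_")[1:-1]]
    bad = [ad for ad in ads if ad > MAX_AD]
    if bad:
        raise ValueError(f"admin domain(s) out of range: {bad}")
    if len(set(ads)) != len(ads):
        raise ValueError("adlist repeats an admin domain")
    return ads

def home_ad(value):
    """First entry of the adlist, or 0 when no list is assigned."""
    ads = parse_adlist(value)
    return ads[0] if ads else 0

def format_adlist(ads):
    if not ads:
        raise ValueError("adlist needs at least one admin domain")
    return "adlist_" + "_".join(str(ad) for ad in ads) + "_endAd"

def ldif_role_group(role, base_dn):
    """ldifde -i input creating a Security/Global group named after a switch role."""
    return "\n".join([
        f"dn: CN={role},CN=Users,{base_dn}",
        "changetype: add",
        "objectClass: group",
        f"cn: {role}",
        f"sAMAccountName: {role}",
        f"groupType: {GROUP_TYPE_GLOBAL_SECURITY}",
        "",
    ])

def ldif_assign_user(user_dn, ads, group_dns):
    """ldifde -i input: set the user's adlist and add the user to each role group.
    Membership is written to the group's member attribute; memberOf on the user is
    a back-link that Active Directory maintains and cannot be set directly."""
    records = ["\n".join([f"dn: {user_dn}", "changetype: modify",
                          "replace: adminDescription",
                          f"adminDescription: {format_adlist(ads)}", "-", ""])]
    for group_dn in group_dns:
        records.append("\n".join([f"dn: {group_dn}", "changetype: modify",
                                  "add: member", f"member: {user_dn}", "-", ""]))
    return "\n".join(records)
```

For example, ldif_assign_user("CN=JohnDoe,CN=Users,DC=example,DC=test", [0, 10, 200], ["CN=admin,CN=Users,DC=example,DC=test"]) produces the two modify records that ldifde -i -f file.ldf would import, and parse_adlist rejects a malformed value before it reaches the directory, where the switch would otherwise silently fall back to home AD 0.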

Configuring authentication servers on the switch

RADIUS and LDAP configuration of the switch is controlled by the aaaConfig command.
At least one RADIUS or LDAP server must be configured before you can enable RADIUS or LDAP service. You can configure the RADIUS or LDAP service even if it is disabled on the switch. You can configure up to five RADIUS or LDAP servers. You must be logged in as admin or switchadmin to configure the RADIUS service.
NOTE: On dual-CP switches (the 4/256 SAN Director and the DC Director), the switch sends its RADIUS or LDAP request using the IP address of the active CP. When adding clients, add both the active and standby CP IP addresses so that users can still log in to the switch in the event of a failover.
RADIUS or LDAP configuration is chassis-based configuration data. On platforms containing multiple switch instances, the configuration applies to all instances. The configuration is persistent across reboot and firmwareDownload. On a chassis-based system, the command must replicate the configuration to the standby CP.
Multiple login sessions can invoke the command simultaneously. The last session that applies the change will be the one whose configuration is in effect. This configuration is persistent after an HA failover.
The RADIUS or LDAP servers are contacted in the order they are listed, starting from the top of the list and moving to the bottom.
The following procedures show how to use the aaaConfig command to set up a switch for RADIUS or LDAP service.
To display the current RADIUS configuration:
1. Connect to the switch and log in using an admin account.
2. Enter this command:
switch:admin> aaaConfig --show
If a configuration exists, its parameters are displayed. If RADIUS or LDAP service is not configured, only the parameter heading line is displayed. Parameters include:
Position        The order in which servers are contacted to provide service.
Server          The server names or IPv4 or IPv6 addresses.
Port            The server ports.
Secret          The shared secrets.
Timeouts        The length of time servers have to respond before the next server is contacted.
Authentication  The type of authentication being used on servers.
To add a RADIUS server to the switch configuration:
1. Connect to the switch and log in using an admin account.
2. Enter this command:
switch:admin> aaaConfig --add <server> [-p port] [-s secret] [-t timeout] [-a pap | chap | peap-mschapv2]
server          Enter either a server name or IPv4 or IPv6 address. Avoid duplicating server listings (that is, listing the same server once by name and again by IP address). Up to five servers can be added to the configuration.
-p port         Optional: Enter a server port. The default is port 1812.
-s secret       Optional: Enter a shared secret. The default is “sharedsecret”. Secrets can be from 8 to 40 alphanumeric characters long. Make sure that the secret matches that configured on the server. Because the default value is published, always set a secret of your own; a server that still accepts the default will accept requests from any device that knows it.
-t timeout      Optional: Enter the length of time (in seconds) that the server has to respond before the next server is contacted. The default is three seconds. Time-out values can range from 1 to 30 seconds.
-a pap|chap|peap-mschapv2
                Specify PAP, CHAP or PEAP-MSCHAPv2 as the authentication protocol. Use peap-mschapv2 to provide an encrypted authentication channel between the switch and server.
To add an LDAP server to the switch configuration:
1. Connect to the switch and log in using an admin account.
2. Enter this command:
switch:admin> aaaConfig --add <server> [-p port] [-t timeout] [-d domain_name]
server          Enter either a server name or IPv4 address. Microsoft’s Active Directory does not support IPv6 addresses. Avoid duplicating server listings (that is, listing the same server once by name and again by IP address). Up to five servers can be added to the configuration.
-p port         Optional: Enter a server port. The default is port 389.
-t timeout      Optional: Enter the length of time (in seconds) that the server has to respond before the next server is contacted. The default is three seconds. Time-out values can range from 1 to 30 seconds.
-d domain_name  Enter the name of the Windows domain.
At least one RADIUS or LDAP server must be configured before you can enable the RADIUS or LDAP service.
If no RADIUS or LDAP configuration exists, turning it on triggers an error message. When the command succeeds, the event log indicates that the configuration is enabled or disabled.
NOTE: When the RADIUS authentication mode is set to radius;local, you cannot downgrade the Fabric OS to any version earlier than 5.2.0. Previous versions do not support the radius;local mode. When the LDAP authentication mode is set to ldap;local, you cannot downgrade the Fabric OS to any version earlier than 6.x. Previous versions do not support the ldap;local mode.
To enable and disable a RADIUS or LDAP server:
1. Connect to the switch and log in using an admin account.
2. Enter this command to enable RADIUS or LDAP using the local database:
switch:admin> aaaconfig --authspec "<radius | ldap>;local"
where you specify the type of server as either RADIUS or LDAP, but not both. Local is used for local authentication if the user authentication fails on the RADIUS or LDAP server.
Example
switch:admin> aaaconfig --authspec "radius;local" --backup
To delete a RADIUS or LDAP server from the configuration:
1. Connect to the switch and log in using an admin account.
2. Enter this command:
switch:admin> aaaConfig --remove server | all
server Enter either the name or IP address of the server to be removed.
When the command succeeds, the event log indicates that the server is removed.
To change a RADIUS server configuration
1. Connect to the switch and log in using an admin account.
2. Enter this command:
switch:admin> aaaConfig --change server [-p port] [-s shared secret] [-t timeout] [-a pap|chap|peap-mschapv2]
server          Enter either the name or IP address of the server to be changed.
-p port         Optional: Enter a server port. The default is 1812.
-s shared secret
                Optional: Enter a shared secret.
-t timeout      Optional: Enter the length of time (in seconds) the server has to respond before the next server is contacted.
-a pap|chap|peap-mschapv2
                Specify PAP, CHAP or PEAP-MSCHAPv2 as the authentication protocol. Use peap-mschapv2 to provide an encrypted authentication channel between the switch and server.
NOTE: Protected Extensible Authentication Protocol (PEAP) is used to authenticate users and clients. It is based on Extensible Authentication Protocol (EAP) and Transport Layer Security (TLS). When PEAP is configured on the switch, clients running Fabric Manager cannot authenticate.
To change an LDAP server configuration:
1. Connect to the switch and log in using an admin account.
2. Enter this command:
switch:admin> aaaConfig --change server [-p port] [-t timeout] [-d domain_name]
server          Enter either a server name or IPv4 address. Microsoft’s Active Directory does not support IPv6 addresses. Avoid duplicating server listings (that is, listing the same server once by name and again by IP address). Up to five servers can be added to the configuration.
-p port         Optional: Enter a server port. The default is port 389.
-t timeout      Optional: Enter the length of time (in seconds) that the server has to respond before the next server is contacted. The default is three seconds. Time-out values can range from 1 to 30 seconds.
-d domain_name  Enter the name of the Windows domain.
To change the order in which RADIUS or LDAP servers are contacted for service:
1. Connect to the switch and log in using an admin account.
2. Enter this command:
switch:admin> aaaConfig --move server to_position
server          Enter either the name or IP address of the server whose position is to be changed.
to_position     Enter the position number to which the server is to be moved.
When the command succeeds, the event log indicates that a server configuration is changed.

Enabling and disabling local authentication as backup

It is useful to enable local authentication so that the switch can take over authentication locally if the RADIUS or LDAP servers fail to respond because of power outage or network problems. To enable or disable local authentication, enter the following command for RADIUS:
switch:admin> aaaconfig --authspec "radius;local" --backup
or for LDAP,
switch:admin> aaaconfig --authspec "ldap;local" --backup
For details about this command see Table 12 on page 68.
When local authentication is enabled and the RADIUS or LDAP servers fail to respond, you can log in to the default switch accounts (admin and user) or any user-defined account. You must know the passwords of these accounts.
When the command succeeds, the event log indicates that local database authentication is disabled or enabled.
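The rules spread across the aaaConfig procedures above (servers contacted in list order, at most five, time-outs of 1 to 30 seconds, an 8 to 40 character alphanumeric RADIUS secret defaulting to “sharedsecret”, --move and --remove, and local fallback with --backup) together determine how long a login can hang and when the local database is consulted. The following Python model is an added example, not code from this guide or from Fabric OS; it applies those rules and lets you see, for a given server list, the worst-case login delay when all servers are down and which servers still carry the published default secret. Server names and credentials are constructed. One assumption is built in: a server that answers with a rejection ends the attempt, and the local database is consulted only when no server responds, which is the behaviour the backup section describes; the page does not say how an explicit rejection interacts with local fallback.

```python
"""Model of the aaaConfig server list and the login path it produces.
Added example; server names and the sample credentials are constructed."""
from dataclasses import dataclass

DEFAULT_PORT = {"radius": 1812, "ldap": 389}
MAX_SERVERS, DEFAULT_TIMEOUT = 5, 3
DEFAULT_RADIUS_SECRET = "sharedsecret"      # factory default; never leave it in place
RADIUS_AUTH = ("pap", "chap", "peap-mschapv2")

@dataclass
class Server:
    name: str
    port: int
    timeout: int
    secret: str = ""
    auth: str = ""

class AaaConfig:
    """Applies the --add, --move, --remove and --authspec rules stated in the guide."""

    def __init__(self, kind):
        if kind not in DEFAULT_PORT:
            raise ValueError("kind must be 'radius' or 'ldap'")
        self.kind, self.servers = kind, []
        self.enabled = False    # set by --authspec "<kind>;local"
        self.backup = False     # set by --backup

    def _index(self, name):
        for i, s in enumerate(self.servers):
            if s.name == name:
                return i
        raise ValueError(f"{name} is not configured")

    def add(self, name, port=None, secret=None, timeout=DEFAULT_TIMEOUT, auth="chap"):
        if any(s.name == name for s in self.servers):
            raise ValueError("server already listed; do not list a server by name and by IP")
        if len(self.servers) >= MAX_SERVERS:
            raise ValueError("up to five servers can be configured")
        if not 1 <= timeout <= 30:
            raise ValueError("timeout must be 1..30 seconds")
        if self.kind == "radius":
            secret = DEFAULT_RADIUS_SECRET if secret is None else secret
            if not (8 <= len(secret) <= 40 and secret.isalnum()):
                raise ValueError("secret must be 8..40 alphanumeric characters")
            if auth not in RADIUS_AUTH:
                raise ValueError("auth must be pap, chap or peap-mschapv2")
        else:
            secret, auth = "", ""            # LDAP entries carry no secret or -a option
        self.servers.append(Server(name, port or DEFAULT_PORT[self.kind], timeout, secret, auth))
        return self

    def move(self, name, to_position):
        if not 1 <= to_position <= len(self.servers):
            raise ValueError("position out of range")
        self.servers.insert(to_position - 1, self.servers.pop(self._index(name)))
        return self

    def remove(self, name):
        if name == "all":
            self.servers.clear()
        else:
            self.servers.pop(self._index(name))
        return self

    def authspec(self, spec, backup=False):
        if spec == "local":
            self.enabled = False
        elif spec == f"{self.kind};local":
            if not self.servers:
                raise ValueError("configure at least one server before enabling")
            self.enabled = True
        else:
            raise ValueError(f"unsupported authspec {spec!r}")
        self.backup = backup
        return self

    def weak_secrets(self):
        """Servers still using the published default secret."""
        return [s.name for s in self.servers if s.secret == DEFAULT_RADIUS_SECRET]

    def worst_case_delay(self):
        """Seconds a login waits when every listed server is down."""
        return sum(s.timeout for s in self.servers)

    def login(self, user, password, responders, local_db):
        """responders: {server name: fn(user, password) -> role or None}; a server
        missing from it never answers. Returns (role or None, seconds spent waiting)."""
        waited = 0
        if self.enabled:
            for s in self.servers:                       # contacted top to bottom
                if s.name in responders:
                    return responders[s.name](user, password), waited
                waited += s.timeout                      # no answer: try the next one
            if not self.backup:
                return None, waited                      # no local fallback configured
        return local_db.get((user, password)), waited
```

A list of five servers each left at a 30 second time-out gives worst_case_delay() of 150 seconds before the local database is even tried, which is the practical reason to keep time-outs short and the list ordered by expected availability.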

Boot PROM password

The boot PROM password provides an additional layer of security by protecting the boot PROM from unauthorized use. Setting a recovery string for the boot PROM password enables you to recover a lost boot PROM password by contacting HP. Without the recovery string, a lost boot PROM password cannot be recovered.
You should set the boot PROM password and the recovery string on all switches, as described in ”Setting the boot PROM password with a recovery string” on page 82. If your site procedures dictate that you set the boot PROM password without the recovery string, see ”Setting the boot PROM password without a recovery string” on page 84.

Setting the boot PROM password with a recovery string

To set the boot PROM password with a recovery string, refer to the section that applies to your switch model.
NOTE: Setting the boot PROM password requires accessing the boot prompt, which stops traffic flow through the switch until the switch is rebooted. You should perform this procedure during a planned down time.
HP StorageWorks 4/8 or 4/16, 8/8 SAN Switch, 8/24 SAN Switch, 8/40 SAN Switch, 8/80 SAN Switch, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 400 Multi-protocol (MP) Router
The instructions contained within this section are only for the switches listed in the title. If your switch is not listed, please contact HP for instructions.
To set the boot PROM password for a switch with a recovery string:
1. Connect to the serial port interface.
2. Reboot the switch.
3. Press ESC within four seconds after the message “Press escape within 4 seconds...” displays.
The following options are available:
Option Description
1 Start system. Continues the system boot process.
2 Recovery password. Lets you set the recovery string and the boot PROM password.
3 Enter command shell. Provides access to boot parameters.
4. Enter 2.
If no password was previously set, the following message displays:
Recovery password is NOT set. Please set it now.
If a password was previously set, the following messages display:
Send the following string to Customer Support for password recovery: afHTpyLsDo1Pz0Pk5GzhIw==
Enter the supplied recovery password.
Recovery Password:
5. Enter the recovery password (string).
The recovery string must be between 8 and 40 alphanumeric characters. A random string that is 15 characters or longer is recommended for higher security. The firmware prompts for this password only once. It is not necessary to remember the recovery string because it is displayed the next time you enter the command shell.
The following prompt displays:
New password:
6. Enter the boot PROM password, then re-enter it when prompted. The password must be eight alphanumeric characters (any additional characters are not recorded). Record this password for future use.
The new password is automatically saved.
7. Type reset at the prompt to reboot the switch.
4/256 SAN Director and DC SAN Backbone Director (short name, DC Director)
The boot PROM and recovery passwords must be set for each CP blade on the 4/256 SAN Director or DC Director.
To set the boot PROM password for a Director with a recovery string:
1. Connect to the serial port interface on the standby CP blade.
2. Connect to the active CP blade by serial or Telnet and enter the haDisable command to prevent failover during the remaining steps.
3. Reboot the standby CP blade by sliding the On/Off switch on the ejector handle of the standby CP blade to Off, and then back to On.
4. Press ESC within four seconds after the message “Press escape within 4 seconds...” displays.
The following options are available:
Option Description
1 Start system. Continues the system boot process.
2 Recovery password. Lets you set the recovery string and the boot PROM password.
3 Enter command shell. Provides access to boot parameters.
5. Enter 2.
If no password was previously set, the following message displays:
Recovery password is NOT set. Please set it now.
If a password was previously set, the following messages display:
Send the following string to Customer Support for password recovery: afHTpyLsDo1Pz0Pk5GzhIw==
Enter the supplied recovery password.
Recovery Password:
6. Enter the recovery password (string).
The recovery string must be between 8 and 40 alphanumeric characters. A random string that is 15 characters or longer is recommended for higher security. The firmware only prompts for this password once. It is not necessary to remember the recovery string because it is displayed the next time you enter the command shell.
The following prompt displays:
New password:
7. Enter the boot PROM password, then re-enter it when prompted. The password must be eight alphanumeric characters (any additional characters are not recorded). Record this password for future use.
The new password is automatically saved (the saveEnv command is not required).
8. Connect to the active CP blade using serial or Telnet and enter the haEnable command to restore High Availability; then fail over the active CP blade by entering the haFailover command. Traffic flow through the active CP blade resumes when the failover is complete.
9. Connect the serial cable to the serial port on the new standby CP blade (previously the active CP blade).
10. Repeat step 2 through step 7 for the new standby CP blade (each CP blade has a separate boot PROM password).
11. Connect to the active CP blade by serial or Telnet and enter the haEnable command to restore High Availability.

Setting the boot PROM password without a recovery string

Although you can set the boot PROM password without also setting the recovery string, it is strongly recommended that you set both the password and the string as described in ”Setting the boot PROM password with a recovery string” on page 82. If your site procedures dictate that you must set the boot PROM password without the string, follow the procedure that applies to your switch model.
Setting the boot PROM password requires accessing the boot prompt, which stops traffic flow through the switch until the switch is rebooted. You should perform this procedure during a planned down time.
HP StorageWorks 4/8 or 4/16, 8/8 SAN Switch, 8/24 SAN Switch, 8/40 SAN Switch, 8/80 SAN Switch, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 400 Multi-protocol (MP) Router
The password recovery instructions contained within this section are only for the switches listed in the title. If your switch is not listed, contact HP for instructions.
To set the boot PROM password for a switch without a recovery string:
1. Create a serial connection to the switch.
2. Enter the reboot command to reset the switch.
3. Press ESC within four seconds after the message “Press escape within 4 seconds...” displays.
The following options are available:
Option Description
1 Start system. Continues the system boot process.
2 Recovery password. Lets you set the recovery string and the boot PROM password.
3 Enter command shell. Provides access to boot parameters.
4. Enter 3.
5. At the shell prompt, enter the passwd command.
NOTE: The passwd command only applies to the boot PROM password when it is entered from the boot interface.
6. Enter your boot PROM password at the prompt, then re-enter it when prompted. The password must be eight alphanumeric characters (any additional characters are not recorded). Record this password for future use.
7. Enter the saveEnv command to save the new password.
8. Enter the reboot command to reset the switch.
4/256 SAN Director and DC SAN Backbone Director (short name, DC Director)
On 4/256 SAN Director and DC Director models, set the password on the standby CP blade, fail over, and then set the password on the previously active (now standby) CP blade to minimize disruption to the fabric.
To set the boot PROM password for a Director without a recovery string:
1. Determine the active CP blade by opening a Telnet session to either CP blade, connecting as admin, and entering the haShow command.
2. Connect to the active CP blade by serial or Telnet and enter the haDisable command to prevent failover during the remaining steps.
3. Create a serial connection to the standby CP blade.
4. Reboot the standby CP blade by sliding the On/Off switch on the ejector handle of the standby CP blade to Off, and then back to On. This causes the blade to reset.
5. Press ESC within four seconds after the message “Press escape within 4 seconds...” displays.
The following options are available:
Option Description
1 Start system. Continues the system boot process.
2 Recovery password. Lets you set the recovery string and the boot PROM password.
3 Enter command shell. Provides access to boot parameters.
6. Enter 3.
7. Enter the passwd command at the shell prompt.
NOTE: The passwd command only applies to the boot PROM password when it is entered from the boot interface.
8. Enter your boot PROM password at the prompt, then re-enter it when prompted. The password must be eight alphanumeric characters (any additional characters are not recorded). Record this password for future use.
9. Enter the saveEnv command to save the new password.
10. Reboot the standby CP blade by entering the reset command.
11. Connect to the active CP blade by serial or Telnet and enter the haEnable command to restore High Availability; then fail over the active CP blade by entering the haFailover command. Traffic resumes flowing through the newly active CP blade after it has completed rebooting.
12. Connect the serial cable to the serial port on the new standby CP blade (previously the active CP blade).
13. Repeat step 3 through step 10 for the new standby CP blade.
14. Connect to the active CP blade by serial or Telnet and enter the haEnable command to restore High Availability.

Recovering forgotten passwords

If you know the root password, you can use this procedure to recover the password for the default accounts of user, admin, and factory.
To recover passwords:
1. Open a CLI connection (serial or Telnet) to the switch, or connect to the primary FCS switch, if one exists in your fabric.
2. Log in as root.
3. Enter the command for the type of password that was lost:
passwd user
passwd admin
passwd factory
4. Enter the requested information at the prompts.
NOTE: Contact HP to recover a lost root password or boot PROM password. You must have previously set a recovery string to recover the boot PROM password.

3 Configuring standard security features

This chapter provides information and procedures for configuring standard Fabric OS security features such as protocol and certificate management.
IMPORTANT: Secure Fabric OS is no longer supported in Fabric OS 6.x. However, all features of Secure
Fabric OS are included in the base Fabric OS 6.x.

Security protocols

Security protocols provide endpoint authentication and communications privacy using cryptography. Typically, only the switch is authenticated (by its certificate) while the client remains unauthenticated at the protocol level; this means that you can be sure what you are communicating with. The next level of security, in which both ends of the conversation are sure with whom they are communicating, is mutual (two-way) authentication. Mutual authentication requires public key infrastructure (PKI) deployment to clients.
Fabric OS supports the secure protocols shown in Table 15.

Table 15 Secure protocol support

Protocol  Description
HTTPS     HTTPS is a Uniform Resource Identifier scheme used to indicate a secure HTTP connection. Web Tools supports the use of hypertext transfer protocol over Secure Sockets Layer (HTTPS).
LDAPS     Lightweight Directory Access Protocol over SSL that uses a certificate authority (CA). By default, LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology in conjunction with LDAP.
SCP       Secure Copy (SCP) is a means of securely transferring computer files between a local and a remote host or between two remote hosts, using the Secure Shell (SSH) protocol. Configuration upload and download support the use of SCP.
SNMP      Supports SNMPv1, v2, and v3. SNMP is used in network management systems to monitor network-attached devices for conditions that warrant administrative attention.
SSH       Secure Shell (SSH) is a network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.
SSL       Supports SSLv3, 128-bit encryption by default. Fabric OS uses Secure Sockets Layer (SSL) to support HTTPS. A certificate must be generated and installed on each switch to enable SSL.
Simple Network Management Protocol (SNMP) is a standard method for monitoring and managing network devices. Using SNMP components, you can program tools to view, browse, and manipulate switch variables and set up enterprise-level management processes.
Every switch carries an SNMP agent and Management Information Base (MIB). The agent accesses MIB information about a device and makes it available to a network manager station. You can manipulate information of your choice by trapping MIB elements using the Fabric OS CLI, Web Tools, or Fabric Manager.
The SNMP Access Control List (ACL) provides a way for the administrator to restrict SNMP get and set operations to certain hosts and IP addresses. This is used for enhanced management security in the storage area network.
For details on Brocade MIB files, naming conventions, loading instructions, and information about using Brocade's SNMP agent, see the Fabric OS MIB Reference.
Table 16 describes additional software or certificates that you must obtain to deploy secure protocols.

Table 16 Items needed to deploy secure protocols

Protocol                Host side                                                          Switch side
SSH                     SSH client                                                         None
HTTPS                   No requirement on host side except a browser that supports HTTPS  Switch IP certificate for SSL
Secure File Copy (scp)  SSH daemon, scp server                                             None
SNMPv1, SNMPv2, SNMPv3  None                                                               None
The security protocols are designed with the four main usage cases described in Table 17.

Table 17 Main security scenarios

Fabric     Management interfaces  Comments
Nonsecure  Nonsecure              No special setup is needed to use Telnet or HTTP.
Nonsecure  Secure                 Secure protocols may be used. An SSL switch certificate must be installed if HTTPS is used.
Secure     Secure                 Secure protocols are supported on Fabric OS v4.1.0 and later switches. Switches running earlier Fabric OS versions can be part of the secure fabric, but they do not support secure management. Secure management protocols must be configured for each participating switch. Nonsecure protocols may be disabled on nonparticipating switches. If SSL is used, then certificates must be installed.
Secure     Nonsecure              You must use SSH because Telnet is not allowed with some features, such as RADIUS. Nonsecure management protocols are necessary under these circumstances: the fabric contains switches running Fabric OS v3.2.0; software tools that do not support secure protocols are present (for example, Fabric Manager v4.0.0); or the fabric contains switches running Fabric OS versions earlier than v4.4.0. Nonsecure management is enabled by default.

The SSH protocol

To ensure security, Fabric OS supports secure shell (SSH) encrypted sessions in 4.1.x and later. SSH encrypts all messages, including the client's transmission of the password during login. The SSH package contains a daemon (sshd), which runs on the switch. The daemon supports a wide variety of encryption algorithms, such as Blowfish-CBC and AES.
NOTE: To maintain a secure network, you should avoid using Telnet or any other unprotected application when you are working on the switch.
The FTP protocol is also not secure. When you use FTP to copy files to or from the switch, the contents are in clear text. This includes the remote FTP server's login and password. This limitation affects the following commands: saveCore, configUpload, configDownload, and firmwareDownload.
Commands that require a secure login channel must originate from an SSH session. If you start an SSH session, and then use the login command to start a nested SSH session, commands that require a secure channel will be rejected.
Fabric OS 6.1.x and later supports SSH protocol version 2.0 (ssh2). For more information on SSH, refer to the SSH IETF website:
http://www.ietf.org/ids.by.wg/secsh.html
For more information, refer to SSH, The Secure Shell: The Definitive Guide by Daniel J. Barrett, Richard Silverman and Robert G. Byrnes.

SSH public key authentication

OpenSSH public key authentication provides password-less logins: instead of a password, a pair of specially generated cryptographic keys, a private key and a public key, authenticates incoming and outgoing connections. Fabric OS allows only one user, the allowed-user, to be configured for OpenSSH public key authentication. Fabric OS supports OpenSSH RSA and DSA keys; both asymmetric algorithms are FIPS-compliant. The advantage of key-based authentication is that in many cases a secure connection can be established without having to type in a password.
Allowed-user
The default admin user sets up the allowed-user, who must have the admin role. By default, admin is the configured allowed-user. When creating a key pair, the allowed-user can choose a passphrase with which the private key is encrypted; that passphrase must then be entered every time the key pair is used to authenticate. The allowed-user can perform OpenSSH public key authentication, import and export keys, generate a key pair for outgoing connections, and delete public and private keys. When the allowed-user is changed, all public keys associated with the old allowed-user are lost.
Authentication
Incoming authentication is used when the remote host needs to authenticate to the switch. Outgoing authentication is used when the switch needs to authenticate to a server or remote host, more commonly used for the configUpload command. Both password and public key authentication can coexist on the switch.
Authentication setup overview
1. Configure the allowed-user.
Once the allowed-user is configured, the remaining setup steps must be completed by the allowed-user.
2. Generate the key pair for incoming or outgoing authentication.
3. Import the host's public key into the switch (for incoming authentication).
4. Export the switch's public key to a directory on the remote host (for outgoing authentication).
5. Append the exported public key to the authorized_keys file on the host (for outgoing authentication).
6. Test the setup.
Configuring the allowed-user
1. Log in to the switch as the default admin.
2. Change the allowed-user’s role to admin, if applicable.
switch:admin> userconfig --change <username> -r admin
Where <username> is the name of the user you want to perform SSH public key authentication, import, export, and delete keys.
3. Set up the allowed-user by typing the following command:
switch:admin> sshutil allowuser <username>
Where <username> is the name of the user you want to perform SSH public key authentication, import, export, and delete keys.
Generating a key pair for host-to-switch authentication (incoming)
1. Log in to your host as admin.
2. Verify that SSH v2 is installed and working.
Refer to your host’s documentation.
3. Type the following command:
ssh-keygen -t dsa
Example of RSA/DSA key pair generation
alloweduser@mymachine: ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/users/alloweduser/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /users/alloweduser/.ssh/id_dsa.
Your public key has been saved in /users/alloweduser/.ssh/id_dsa.pub.
The key fingerprint is:
32:9f:ae:b6:7f:7e:56:e4:b5:7a:21:f0:95:42:5c:d1 alloweduser@mymachine
Generating a key pair for switch-to-host authentication (outgoing)
1. Log in to the switch as the allowed user.
2. Use the sshUtil genkey command to generate a key pair.
3. Enter a passphrase for additional security.
Example of generating a key pair on the switch
switch:alloweduser> sshutil genkey
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Key pair generated successfully.
Importing the public key to the switch for host-to-switch authentication (incoming)
1. Log in to the switch as the allowed-user.
2. Use the sshUtil importpubkey command to import the public key.
3. Respond to the prompts as follows:
IP Address        Enter the IP address of the host that holds the public key. IPv6 is supported by sshUtil.
Remote directory  Enter the path to the remote directory where the public key is stored.
Public key name   Enter the name of the public key.
Login name        Enter the name of the user granted access to the host.
Password          Enter the password for the host.
Example of adding the public key to the switch
switch:alloweduser> sshutil importpubkey
Enter IP address:192.168.38.244
Enter remote directory:~auser/.ssh
Enter public key name(must have .pub suffix):id_dsa.pub
Enter login name:auser
Password:
Public key is imported successfully.
Exporting the public key for switch-to-host authentication (outgoing)
1. Log in to the switch as the allowed-user.
2. Use the sshUtil exportpubkey command to export the public key.
3. Respond to the prompts as follows:
IP Address        Enter the IP address of the remote host. IPv6 is supported by sshUtil.
Remote directory  Enter the path to the remote directory where the public key will be stored.
Login name        Enter the name of the user granted access to the remote host.
Password          Enter the password for the remote host.
Example of exporting a public key from the switch
pulsar067:kghanta> sshutil exportpubkey
Enter IP address:192.168.38.244
Enter remote directory:~auser/.ssh
Enter login name:auser
Password:
public key out_going.pub is exported successfully.
Appending the public key on a remote host
1. Log in to the remote host.
2. Locate the directory where authorized keys are stored.
You may need to refer to the hosts documentation to locate where the authorized keys are stored.
3. Append the public key to the file.
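The host-side part of this procedure, as an added Python example (not Fabric OS or OpenSSH code): it validates a public-key line the way sshd does before trusting it (known type, valid base64, embedded type matching the prefix), computes the colon-separated MD5 fingerprint that ssh-keygen printed at generation time so you can compare it before importing a key, and appends the key to authorized_keys only once and with the 0700/0600 permissions that sshd's StrictModes requires. The sample key is constructed from toy numbers (e = 65537, a 64-bit modulus) and is not a usable key; in practice you would pass the real id_dsa.pub line. Function names are this example's own.

```python
import base64
import hashlib
import os
import struct
import tempfile

# Added example for this guide, not Fabric OS or OpenSSH code. It handles the two
# key types the guide names (ssh-rsa, ssh-dss); the sample key in demo() is built
# from toy numbers and is not a usable key.

ACCEPTED_TYPES = ("ssh-rsa", "ssh-dss")


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length, then the bytes (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH wire 'mpint': two's-complement big-endian, minimal length."""
    if value == 0:
        return _ssh_string(b"")
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _read_string(blob: bytes, offset: int):
    if len(blob) < offset + 4:
        raise ValueError("truncated SSH key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated SSH key blob")
    return blob[offset + 4:end], end


def build_ssh_rsa_line(e: int, n: int, comment: str) -> str:
    """Assemble an id_rsa.pub style line: 'ssh-rsa <base64 blob> <comment>'."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode('ascii')} {comment}"


def parse_public_key_line(line: str) -> dict:
    """Validate one public-key line before trusting it: known type, valid base64,
    and a blob whose embedded type string matches the textual prefix."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, encoded = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type not in ACCEPTED_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    try:
        blob = base64.b64decode(encoded, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key blob is not valid base64") from exc
    embedded, _ = _read_string(blob, 0)
    if embedded != key_type.encode("ascii"):
        raise ValueError(f"prefix {key_type} but blob says {embedded!r}")
    return {"type": key_type, "blob": blob, "comment": comment}


def fingerprint_md5(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the form ssh-keygen printed in this era."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(blob: bytes) -> str:
    """Current OpenSSH form: 'SHA256:' plus unpadded base64 of the digest."""
    raw = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii")
    return "SHA256:" + raw.rstrip("=")


def append_authorized_key(path: str, line: str) -> bool:
    """Append a validated key to authorized_keys once, with the permissions sshd's
    StrictModes expects. Returns False if the same key (ignoring comment) is present."""
    key = parse_public_key_line(line)  # refuse malformed input before touching the file
    ssh_dir = os.path.dirname(path) or "."
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            for old in fh:
                old = old.strip()
                if not old or old.startswith("#"):
                    continue
                try:
                    if parse_public_key_line(old)["blob"] == key["blob"]:
                        return False
                except ValueError:
                    continue  # lines of other key types are left alone
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(line.strip() + "\n")
    os.chmod(path, 0o600)  # group/world-writable files are rejected by sshd
    return True


def demo() -> tuple:
    """Build a toy key and append it twice, the second time with another comment."""
    line = build_ssh_rsa_line(65537, 0xC0FFEE1234567891, "alloweduser@mymachine")
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".ssh", "authorized_keys")
        first = append_authorized_key(path, line)
        second = append_authorized_key(path, line + "-copy")
        with open(path, encoding="utf-8") as fh:
            entries = [entry for entry in fh if entry.strip()]
    return first, second, len(entries)
```

Comparison is on the decoded key blob rather than on the whole line, so re-importing the same key under a different comment does not create a second entry; the fingerprint functions take that same blob, which is what ssh-keygen -l hashes.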
Testing the setup
Test your setup by using a command that uses SCP and authentication, such as firmwareDownload or a configUpload.
Deleting keys on the switch
1. Log in to the switch as the allowed-user.
2. Use the sshUtil delprivkey command to delete the private key.
or Use the sshUtil delpubkeys command to delete all public keys.

Configuring the Telnet protocol

Telnet is enabled by default. To prevent users from passing clear text passwords over the network when they connect to the switch, you can block the Telnet protocol using an IP Filter policy.
NOTE: Before blocking Telnet, make sure you have an alternate method of establishing a connection with the switch.

Blocking Telnet

To block Telnet:
1. Connect to the switch and log in as admin.
Connect through some means other than Telnet: for example, through SSH.
2. Create a policy:
ipfilter --create <policyname> -type <ipv4 | ipv6>
where <policyname> is the name of the new policy and -type specifies whether the policy applies to IPv4 or IPv6 addresses.
Example
ipfilter --create block_telnet_v4 -type ipv4
3. Add a rule to the policy, by typing the following command:
ipfilter --addrule <policyname> -rule <rule_number> -sip <source_IP> -dp <dest_port> -proto <protocol> -act deny
where -sip any matches every source address, -dp is the Telnet port (23), -proto is tcp, and -act deny drops the matching connections.
Example
ipfilter --addrule block_telnet_v4 -rule 2 -sip any -dp 23 -proto tcp -act deny
4. Save the new ipfilter policy by typing the following command:
ipfilter --save [policyname]
where [policyname] is the name of the policy and is optional.
Example
ipfilter --save block_telnet_v4
5. Activate the new ipfilter policy by typing the following command:
ipfilter --activate <policyname>
where <policyname> is the name of the policy you created in step 2.
Example
ipfilter --activate block_telnet_v4

Unblocking Telnet

To unblock Telnet:
1. Connect to the switch through a means other than Telnet (for example, SSH) and log in as admin.
2. Type in the following command:
ipfilter --delete <telnet_policyname>
where <telnet_policyname> is the name of the Telnet policy.
3. To permanently delete the policy, type the following command:
ipfilter --save
For more information on IP Filter policies, refer to "Configuring advanced security features" on page 105.

Configuring for the SSL protocol

Fabric OS supports the Secure Sockets Layer (SSL) protocol, which provides secure access to a fabric through Web-based management tools such as Web Tools. SSL support is a standard Fabric OS feature.
Switches configured for SSL grant access to management tools through secure HTTP links (which begin with https://) instead of standard links (which begin with http://).
SSL uses public key infrastructure (PKI) to authenticate the switch and to protect data transferred over SSL connections. PKI is based on digital certificates obtained from a Certificate Authority (CA), which acts as the trusted key agent.
Certificates are based on the switch IP address or fully qualified domain name (FQDN), depending on the issuing CA. If you change a switch IP address or FQDN after activating an associated certificate, you may have to obtain and install a new certificate. Check with the CA to verify this possibility, and plan these types of changes accordingly.

Browser and Java support

Fabric OS supports the following Web browsers for SSL connections:
Internet Explorer (Microsoft Windows)
Mozilla (Solaris and Red Hat Linux)
In countries that allow the use of 128-bit encryption, you should use the latest version of your browser. For example, Internet Explorer 6.0 and later supports 128-bit encryption by default. You can display the encryption support (called "cipher strength") using the Internet Explorer Help:About menu option. If you are running an earlier version of Internet Explorer, you may be able to download an encryption patch from the Microsoft website at http://www.microsoft.com.
You should upgrade to the Java 1.5.0_06 Plug-in on your management workstation. To find the Java version that is currently running, open the Java console and look at the first line of the window.
For more details on levels of browser and Java support, see the Web Tools Administrator’s Guide.

Summary of SSL procedures

You configure for SSL by obtaining, installing, and activating digital certificates for SSL support. Certificates are required on all switches that are to be accessed through SSL.
You also need to install a certificate in the Java Plug-in on the management workstation, and you may need to add a certificate to your Web browser.
Configuring for SSL involves these major steps, which are shown in detail in the next sections.
1. Choose a Certificate Authority (CA).
2. Generate the following items on each switch:
a. A public/private key (secCertUtil genkey command).
b. A certificate signing request (CSR) (secCertUtil gencsr command); store the CSR on an FTP server (secCertUtil export command).
3. Obtain the certificates from the CA.
You can request a certificate from a CA through a Web browser. After you request a certificate, the CA either sends certificate files by e-mail (public) or gives access to them on a remote host (private). Typically, the CA provides the certificate files listed in Table 18.
Table 18 SSL certificate files
Certificate file  Description
name.crt          The switch certificate.
nameRoot.crt      The root certificate. Typically, this certificate is already installed in the browser, but if not, you must install it.
nameCA.crt        The CA certificate. It needs to be installed in the browser to verify the validity of the server certificate or server validation fails.
4. On each switch, install and then activate the certificate.
5. If necessary, install the root certificate to the browser on the management workstation.
6. Add the root certificate to the Java Plug-in keystore on the management workstation.

Choosing a CA

To ease maintenance and allow secure out-of-band communication between switches, consider using one CA to sign all management certificates for a fabric. If you use different CAs, management services operate correctly, but the Web Tools Fabric Events button is unable to retrieve events for the entire fabric.
Each CA (for example, Verisign or GeoTrust) has slightly different requirements; for example, some generate certificates based on IP address, while others require an FQDN, and most require a 1024-bit public/private key while some may accept a 2048-bit key. Consider your fabric configuration, check CA websites for requirements, and gather all the information that the CA requires.

Generating a public/private key

Perform this procedure on each switch.
1. Connect to the switch and log in as admin.
2. Enter this command to generate a public/private key pair:
switch:admin> seccertutil genkey
The system reports that this process will disable secure protocols, delete any existing CSR, and delete any existing certificates.
3. Respond to the prompts to continue and select the key size:
Continue (yes, y, no, n): [no] y
Select key size [1024 or 2048]: 1024
Generating new rsa public/private key pair
Done.
IMPORTANT: HP recommends selecting 1024 in most cases. CA support for the 2048-bit key size is limited.

Generating and storing a CSR

After generating a public/private key, perform this procedure on each switch.
1. Connect to the switch and log in as admin.
2. Enter this command:
switch:admin> seccertutil gencsr
3. Enter the requested information:
Country Name (2 letter code, eg, US):US
State or Province Name (full name, eg, California):California
Locality Name (eg, city name):San Jose
Organization Name (eg, company name):Brocade
Organizational Unit Name (eg, department name):Eng
Common Name (Fully qualified Domain Name, or IP address): 192.1.2.3
Generating CSR, file name is: 192.1.2.3.csr
Done.
Your CA may require specific codes for Country, State or Province, Locality, Organization, and Organizational Unit names. Make sure that your spelling is correct and matches the CA requirements. If the CA requires that the Common Name be specified as an FQDN, make sure that the fully qualified domain name is set on the domain name server.
4. Enter this command to store the CSR:
switch:admin> seccertutil export
5. Enter the requested information:
Select protocol [ftp or scp]: ftp
Enter IP address:
Enter remote directory: path_to_remote_directory
Enter Login Name: your account
Enter Password: your password
Success: exported CSR.
If you are set up for secure file copy protocol, select scp so that your server credentials are not sent in clear text; otherwise, select ftp. Enter the IP address of the FTP or SCP server to which the CSR is to be sent, the name of the remote directory on that server, and your account name and password on the server.

Obtaining certificates

Check the instructions on the CA website; then, perform this procedure for each switch.
1. Generate and store the CSR as described in ”Generating and storing a CSR” on page 89.
2. Open a Web browser window on the management workstation and go to the CA website. Follow the
instructions to request a certificate. Locate the area in the request form into which you are to paste the CSR.
3. Through a Telnet window, connect to the switch and log in as admin.
4. Enter this command:
switch:admin> seccertutil showcsr
192.1.2.3
The contents of the CSR are displayed.
5. Locate the section that begins with "BEGIN CERTIFICATE REQUEST" and ends with "END CERTIFICATE REQUEST".
6. Copy and paste this section (including the BEGIN and END lines) into the area provided in the request form; then, follow the instructions to complete and send the request.
It may take several days to receive the certificates. If the certificates arrive by e-mail, save them to an FTP server. If the CA provides access to the certificates on an FTP server, make note of the path name and make sure you have a login name and password on the server.

Installing a switch certificate

Perform this procedure on each switch.
1. Connect to the switch and log in as admin.
2. Enter this command:
switch:admin> seccertutil import
3. Select a protocol, enter the IP address of the host on which the switch certificate is saved, the remote directory and certificate name, and your login name and password:
Select protocol [ftp or scp]: ftp
Enter IP address: 192.10.11.12
Enter remote directory: path_to_remote_directory
Enter certificate name (must have ".crt" suffix): 192.1.2.3.crt
Enter Login Name: your_account
Enter Password: *****
Success: imported certificate [192.1.2.3.crt].
The certificate is downloaded to the switch. To use this certificate, run the configure command to activate it.

Activating a switch certificate

1. Enter the configure command.
2. When the ssl attributes prompt appears, type y.
3. Respond to the prompts that apply to SSL certificates:
SSL attributes               Enter y or yes.
Certificate File             Enter the name of the switch certificate file: for example, 192.1.2.3.crt.
CA Certificate File          If you want the CA name to be displayed in the browser window, enter the name of the CA certificate file; otherwise, skip this prompt.
Select length of crypto key  Enter the encryption key length (40, 56, or 128).
HTTP attributes              Enter yes.
Secure HTTP enabled          Enter yes.
For example:
Configure...
System services (yes, y, no, n): [no]
ssl attributes (yes, y, no, n): [no] yes
Certificate File. (filename or none): [10.33.13.182.crt] 192.1.2.3.crt
CA Certificate File. (filename or none): [none]
Select length of crypto key. (Valid values are 40, 56, and 128.): (40..128) [128]
http attributes (yes, y, no, n): [no] yes
HTTP Enabled (yes, y, no, n): [yes] no
Secure HTTP Enabled (yes, y, no, n): [no] yes
In this example the default key length of 128 (the strongest offered) is kept, and plain HTTP is disabled (HTTP Enabled: no) so that the switch answers management requests only over HTTPS.
After you exit the configure command, the HTTP daemon restarts automatically to handle HTTPS requests.

Configuring the browser

The root certificate may already be installed on your browser, but if not, you must install it. To see whether it is already installed, check the certificate store on your browser.
The next procedures are guides for installing root certificates to Internet Explorer and Mozilla browsers. For more detailed instructions, refer to the documentation that came with the certificate.
To check and install root certificates on Internet Explorer:
1. From the browser Tools menu, select Internet Options.
2. Click the Content tab.
3. Click Certificates.
4. Click the Intermediate certification authorities or Trusted Root certification authorities tab and scroll the list to see if the root certificate is listed. If it is listed, you do not need to install it; forgo the remainder of this procedure.
5. If the certificate is not listed, click Import.
6. Follow the instructions in the Certificate Import wizard to import the certificate.
To check and install root certificates on Mozilla:
1. From the browser Edit menu, select Preferences.
2. In the left pane of the Preferences window, expand the Privacy & Security list and select
Certificates.
3. In the right pane, click Manage Certificates.
4. In the next window, click the Authorities tab.
5. Scroll the authorities list to see if the root certificate is listed. (For example, its name may have the form
nameRoot.crt.) If it is listed, you do not need to install it; forgo the remainder of this procedure.
6. If the certificate is not listed, click Import.
7. Browse to the certificate location and select the certificate. (For example, select nameRoot.crt.)
8. Click Open and follow the instructions to import the certificate.

Installing a root certificate to the Java plug-in

For information on Java requirements, see "Browser and Java support" on page 93.
This procedure is a guide for installing a root certificate to the Java Plug-in on the management workstation. If the root certificate is not already installed to the plug-in, you should install it. For more detailed instructions, refer to the documentation that came with the certificate and to the Sun Microsystems website, www.sun.com
1. Copy the root certificate file from its location on the FTP server to the Java Plug-in bin. For example, the bin location may be:
C:\Program Files\Java\j2re1.5.0_06\bin
2. Open a command prompt window and change directory to the Java Plug-in bin.
3. Enter the keytool command and respond to the prompts:
C:\Program Files\Java\j2re1.5.0_06\bin> keytool -import -alias RootCert -file RootCert.crt -keystore ..\lib\security\RootCerts
Enter keystore password: changeit
Owner: CN=Brocade, OU=Software, O=Brocade Communications, L=San Jose, ST=California, C=US
Issuer: CN=Brocade, OU=Software, O=Brocade Communications, L=San Jose, ST=California, C=US
Serial number: 0
Valid from: Thu Jan 15 16:27:03 PST 2007 until: Sat Feb 14 16:27:03 PST 2007
Certificate fingerprints:
MD5: 71:E9:27:44:01:30:48:CC:09:4D:11:80:9D:DE:A5:E3
SHA1: 06:46:C5:A5:C8:6C:93:9C:FE:6A:C0:EC:66:E9:51:C2:DB:E6:4F:A1
Trust this certificate? [no]: yes
Certificate was added to keystore
In the example, changeit is the default password and RootCert is an example root certificate name. Before answering yes, compare the displayed fingerprint with the one published by the CA; keytool trusts whatever you import, and anything signed by that root is then accepted by the plug-in.

Summary of certificate commands

Table 19 summarizes the commands for displaying and deleting certificates. For details on the commands, see the Fabric OS Command Reference.
Table 19 Commands for displaying and deleting SSL certificates
Command                      Description
secCertUtil show             Displays the state of the SSL key and a list of installed certificates
secCertUtil show filename    Displays the contents of a specific certificate
secCertUtil showcsr          Displays the contents of a CSR
secCertUtil delete filename  Deletes a specified certificate
secCertUtil delcsr           Deletes a CSR

Configuring for SNMP

You can configure for the automatic transmission of SNMP information to management stations. SNMPv3 and SNMPv1 are supported.
The configuration process involves configuring the SNMP agent and configuring SNMP traps. The following commands are used in the process:
Use the configure command to set the security level. You can specify no security, authentication only, or authentication and privacy.
Use the snmpConfig command to configure the SNMP agent and traps for SNMPv3 or SNMPv1 configurations.
If necessary for backward compatibility, you can use these legacy commands to configure for SNMPv1:
• Use the agtCfgShow, agtCfgSet, and agtCfgDefault commands to configure the SNMPv1 agent.
• Use the snmpMibCapSet command to filter at the trap level.
The SNMP trap configuration specifies the MIB trap elements to be used to send information to the SNMP management station. There are two main MIB trap choices:
Brocade-specific MIB trap
Associated with the Brocade-specific MIB (SW-MIB), this MIB monitors Brocade (HP) switches specifically.
FibreAlliance MIB trap
Associated with the FibreAlliance MIB (FA-MIB), this MIB manages SAN switches and devices from any company that complies with FibreAlliance specifications.
If you use both SW-MIB and FA-MIB, you may receive duplicate information. You can disable the FA-MIB, but not the SW-MIB.
You can also use these additional MIBs and their associated traps:
FICON-MIB (for FICON environments)
SW-EXTTRAP
Includes the swSsn (Software Serial Number) as a part of Brocade SW traps.
For information on Brocade MIBs, see the Fabric OS MIB Reference.
For information on the specific commands used in these procedures, see online help or the Fabric OS
Command Reference.

Setting the security level

Use the configure command to set the security level (called “SNMP attributes”). You can specify no security, authentication only, or authentication and privacy. For example, to configure for authentication and privacy:
Stealth200E:admin> configure
Not all options will be available on an enabled switch. To disable the switch, use the "switchDisable" command.
Configure...
System services (yes, y, no, n): [no]
ssl attributes (yes, y, no, n): [no]
rpcd attributes (yes, y, no, n): [no]
cfgload attributes (yes, y, no, n): [no] y
Enforce secure config Upload/Download (yes, y, no, n): [no]
Enforce signature validation for firmware (yes, y, no, n): [no]
webtools attributes (yes, y, no, n): [no]
System (yes, y, no, n): [no]
No changes.

Using the snmpConfig command

Use the snmpConfig --set command to change either the SNMPv3 or SNMPv1 configuration. You can also change access control, MIB capability, and system group.
Sample SNMPv3 configuration
switch:admin> snmpconfig --set snmpv3
SNMPv3 user configuration:
User (rw): [snmpadmin1] adminuser
Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..3) [3] 1
New Auth Passwd:
Verify Auth Passwd:
Priv Protocol [DES(1)/noPriv(2)/3DES(3)/AES128(4)/AES192(5)/AES256(6)]): (1..2) [2] 1
New Priv Passwd:
Verify Priv Passwd:
User (rw): [snmpadmin2] shauser
Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..3) [3] 2
New Auth Passwd:
Verify Auth Passwd:
Priv Protocol [DES(1)/noPriv[2]): (1..2) [2] 1
New Priv Passwd:
Verify Priv Passwd:
User (rw): [snmpadmin3] nosec
Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..3) [3]
Priv Protocol [DES(1)/noPriv[2]): (2..2) [2]
User (ro): [snmpuser1]
Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (3..3) [3]
Priv Protocol [DES(1)/noPriv[2]): (2..2) [2]
User (ro): [snmpuser2]
Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (3..3) [3]
Priv Protocol [DES(1)/noPriv[2]): (2..2) [2]
User (ro): [snmpuser3]
Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (3..3) [3]
Priv Protocol [DES(1)/noPriv[2]): (2..2) [2]
SNMPv3 trap recipient configuration:
Trap Recipient's IP address in dot notation: [0.0.0.0] 192.168.45.90
UserIndex: (1..6) [1]
Trap recipient Severity level : (0..5) [0] 4
Trap Recipient's IP address in dot notation: [0.0.0.0] 192.168.45.92
UserIndex: (1..6) [2]
Trap recipient Severity level : (0..5) [0] 2
Trap Recipient's IP address in dot notation: [0.0.0.0]
Trap Recipient's IP address in dot notation: [0.0.0.0]
Trap Recipient's IP address in dot notation: [0.0.0.0]
Trap Recipient's IP address in dot notation: [0.0.0.0]
Committing configuration...done.
Sample SNMPv1 configuration
switch:admin> snmpconfig --set snmpv1
SNMP community and trap recipient configuration:
Community (rw): [Secret C0de] admin
Trap Recipient's IP address in dot notation: [0.0.0.0] 10.32.225.1
Trap recipient Severity level : (0..5) [0] 1
Community (rw): [OrigEquipMfr]
Trap Recipient's IP address in dot notation: [10.32.225.2]
Trap recipient Severity level : (0..5) [1]
Community (rw): [private]
Trap Recipient's IP address in dot notation: [10.32.225.3]
Trap recipient Severity level : (0..5) [2]
Community (ro): [public]
Trap Recipient's IP address in dot notation: [10.32.225.4]
Trap recipient Severity level : (0..5) [3]
Community (ro): [common]
Trap Recipient's IP address in dot notation: [10.32.225.5]
Trap recipient Severity level : (0..5) [4]
Community (ro): [FibreChannel]
Trap Recipient's IP address in dot notation: [10.32.225.6]
Trap recipient Severity level : (0..5) [5]
Committing configuration...done.
Sample accessControl configuration
switch:admin> snmpconfig --set accessControl
SNMP access list configuration:
Access host subnet area in dot notation: [0.0.0.0] 192.168.0.0
Read/Write? (true, t, false, f): [true]
Access host subnet area in dot notation: [0.0.0.0] 10.32.148.0
Read/Write? (true, t, false, f): [true] f
Access host subnet area in dot notation: [0.0.0.0]
Read/Write? (true, t, false, f): [true]
Access host subnet area in dot notation: [0.0.0.0] 10.33.0.0
Read/Write? (true, t, false, f): [true] f
Access host subnet area in dot notation: [0.0.0.0]
Read/Write? (true, t, false, f): [true]
Access host subnet area in dot notation: [0.0.0.0]
Read/Write? (true, t, false, f): [true]
Committing configuration...done.
Sample mibCapability configuration
supp_dcx_218:admin> snmpconfig --show mibcapability
FE-MIB: YES
SW-MIB: YES
FA-MIB: YES
FICON-MIB: YES
HA-MIB: YES
FCIP-MIB: YES
ISCSI-MIB: NO
SW-TRAP: YES
swFCPortScn: YES
swEventTrap: YES
swFabricWatchTrap: YES
swTrackChangesTrap: YES
FA-TRAP: YES