© 2006 Brocade Communications Systems, Incorporated.Revision CFP264 ILT 0806
Brocade Education Services
Brocade®
Product Training
CFP264 Brocade 4 Gbit/sec Accelerated BCFP
Instructor-Led Module 4 Installation and Setup
Objectives
Following this module and associated lab, an attendee should be able to:
– Perform out-of-box initial configuration
– Perform initial security configuration
– Verify switch status
– Identify the importance of fabric parameters
– Perform other common administrative tasks
“Out of the box” Experience
Items included
– Qualified Fabric OS version
– Command-Line management
– Generally included: Web Tools and Zoning licenses
– Power Cables
– Serial Cables
– Rubber mounting feet
– Quick Start Guide
– Documentation CD
Optional Items
– Rack-mount kit
– Additional licensed Fabric OS features
– SFPs (may be included, varies by OEM)
Each vendor that ships a Brocade switch will include the version of firmware that the supporting vendor has qualified.
Due to qualification cycles, switches shipping from the factory may not have the same Fabric OS version that is currently installed on other switches in your fabric, even if the switches were obtained from the same vendor. Take care to ensure the firmware on the new switch is compatible with other switches in your environment, per your vendor’s qualification matrix. Use the version command to determine the installed firmware version.
You may also check fabric operation parameters to ensure there are no conflicting settings when any new switch is introduced to a production fabric. Being familiar with the version of Fabric OS currently installed on the SAN and any customized settings will make troubleshooting easier and adding new switches simpler. The SAN Health utility can help you audit your current environment.
Cables and documentation will be enclosed with the switch. A switch may be shipped with a rack mounting kit or enclosed in a 19” rack. If the switch sits on a table top rather than in a rack, it is recommended to attach the four rubber mounting feet, one in each corner, to reduce the chance of slipping.
Each switch has a blank IP address label located on the cable side of the switch that can be used to document the IP address when assigned. The Quick Start Guide and Brocade Documentation CD should be read prior to installing SFPs and powering on the switch.
Brocade Partner Network: http://partner.brocade.com
For Brocade partners.
• Firmware and release notes
• Documentation, how-to guides
• Sales presentations and collateral
• Sales training courses and sales Webinars
• Scripts, MIBs, and RSH Utilities
• Technical support bulletins, advisory notices, and the Brocade Knowledge Base
Brocade Connect: http://www.brocadeconnect.com
For Brocade end-users.
• User-donated scripts
• SNMP MIBs
• User message boards
• Documentation, how-to guides, and release notes
• Customers that have purchased Brocade support have access to firmware, support bulletins, advisory notices, and the Brocade Knowledge Base
SAN Health: http://www.brocade.com/sanhealth
For Brocade end-users and partners.
• Generates a Visio topology diagram
• Generates a detailed "snapshot" report on your SAN configuration including alerts, performance graphs, and best practices
Steps For Configuring a New Switch
– Physical Preparation
– Customizing the Switch
– Managing Licensed Features
– Configuring and Verifying Fabric Parameters
– Verifying Switch Function
– Attaching Nodes
– Saving Switch Configuration
Prior to installing the switch, a site survey should be made. Brocade recommends separate power sources, one for each of the dual power supplies, and ample airflow for the back-to-front cooling. Details on environmental requirements, including power and cooling, are found in the Hardware Reference Guide for your switch. This document is found on the Documentation CD shipped with the switch, and can be downloaded from Brocade Connect.
When customizing the switch for the SAN and network, it is customary to first assign the switch an IP address by connecting to the external serial port. It is also a good idea to set a timeout value (timeout 10) to ensure you do not end up with hanging administrative sessions. Once the IP address is assigned, log out of the serial connection and connect over IP with Web Tools, telnet or SSH for the remaining customization, such as the domain number and switch name. During the login process, after the submitted password has been verified, a message will appear asking you to change the default user ID and password from their current values. Responding to this is optional, but changing the default password to a new value will make the switch more secure when performing administration.
Environmental Concerns
Power
– Cable dual power switches to dual power circuits
Air
– Air flow is from non-cable side (“back”) to cable side (“front”)
Cable(s)
– Allow for manageable cable slack to minimize stress
– Do not mix single-mode (longwave) with multimode (shortwave) in patch panel
– Secure with Velcro straps
– Be wary of distances: the total can add up quickly with patch panels
– Create a Cable Table
Monitor switch environment
– psshow: Displays power status
– fanshow: Displays fan status
– tempshow: Displays temp readings
– sensorshow: Displays all sensor readings
Air flow for Brocade switches is from the non-cable side to the cable side because the heat-generating components of the switch (ASICs and SFPs) are on the port side.
Improper cable planning can cause problems and may impact performance in the SAN. Although patch panels are helpful in a cable management scenario, attempt to minimize the number of connections as every fiber optic interconnection generates a few dB of signal loss. Keep a manageable slack to minimize cable stress. Use different color Velcro straps for trunk groups.
For more information on power supplies, fans, and temperature readings see the hardware reference manual for the appropriate switch model.
SilkWorm Management Interfaces
Command Line Interface
– Serial Communication (HyperTerm or tip)
– Telnet (Port 23)
– SSHv2 (Port 22) - v4.1 and later
Brocade Application Program Interface (API and SMI-S)
Brocade Fabric Manager
Brocade Advanced Web Tools
– HTTP
– HTTPS requires a Digital Certificate to be installed on the switch (v4.4 and later)
SNMPv1 (all) and SNMPv3 (Fabric OS v4.4 and later)
– Brocade MIBs
Brocade switches can be administered using a command line interface (CLI) or through a graphical user interface (GUI).
With Fabric OS v4.1 and higher, SSHv2 (Secure Shell version 2) is enabled by default, allowing the entire remote CLI session to be encrypted.
The Brocade Fabric Access and Storage Management Initiative Specification (SMI-S) APIs give developers and customers programmatic access into the switch, so organizations can easily integrate the intelligence of Brocade SAN fabrics into existing management applications, or quickly develop customized SAN-specific capabilities.
Brocade Fabric Manager is a powerful desktop application that manages multiple Brocade SilkWorm switches and fabrics in real time. In particular, Fabric Manager provides the essential functions for efficiently configuring, monitoring, provisioning, and managing Brocade SAN fabrics on a daily basis.
Brocade Web Tools, an intuitive and easy-to-use interface, enables organizations to monitor and manage Brocade SilkWorm fabrics. Tasks can be performed by using a Java-capable Web browser from standard laptops, desktop PCs, or workstations from any location within the enterprise. Use the httpcfgshow command to determine the Java version the switch expects at the management console.
Brocade offers SNMP MIBs for customers to use to read and set common settings on SilkWorm switches.
For information regarding Secure Shell, read:
SSH, The Secure Shell: The Definitive Guide, by Daniel J. Barrett and Richard E. Silverman, First Edition, February 2001, ISBN: 0-596-00011-1
Command Line Interface Shortcuts
Recall last command & put CLI into edit mode
– ESC + K (pre v5.1.0), or UP Arrow key (v5.1.0 and higher)
Cursor Position - while edit mode active
– H, J, K, L or UP, DOWN, LEFT, RIGHT
End of Line - while edit mode active
– Shift + A or END key
History of commands
– h
Multiple commands issued on one line
– command1;command2
Help for commands
– help <command>
When administering Brocade switches using the command line interface, certain keystrokes can be helpful.
Initial Configuration Log in Through the Serial Port
Cable: The required serial cable is provided with the switch
A PC with:
– HyperTerm
– An available COM port
A UNIX® system with:
– tip
– An available serial port
When a new switch has arrived for installation into a fabric, it is suggested to use a serial cable to configure the switch with an IP address. After the IP address is configured, the serial connection to the switch may be dropped and an SSH, telnet, or Web Tools session may be used for further switch configuration because of its convenience and speed.
To configure the connection in a Microsoft Windows® environment:
• Bits per second: 9600
• Data bits: 8
• Parity: None
• Stop bits: 1
• Flow control: None
To configure the connection in a UNIX environment:
• # tip hardwire
Installation steps
1. Insert the serial cable provided into an RS-232 serial port on the workstation
2. Verify the switch has power and is past the POST stage
3. Invoke the ipaddrset command to set the IP address, subnet mask, and default gateway
Initial Configuration Set the IP Address
Default IP Address for switches: 10.77.77.77
Default Netmask: 255.255.255.0
Obtain addressing information for your network
– IP Address & netmask
– Default gateway
Directors require more than one IP address on the same subnet
– One IP Address required per Control Processor
– One IP Address required per logical switch
  2 logical switches in the SilkWorm 12000
  1 or 2 logical switches in the SilkWorm 24000
  1 logical switch in the SilkWorm 48000
– Default IP Addresses for Directors: 10.77.77.77 (logical switch 0), .76 (logical switch 1), .75 (cp0), .74 (cp1)
RSL1_ST02_B41:admin> ifmodeshow eth0
Link mode: negotiated 100baseTx-FD, link ok
RSL1_ST02_B41:admin> ifmodeset eth0
Exercise care when using this command. Forcing the link to an operating mode not supported by the network equipment to which it is attached may result in an inability to communicate with the system through its Ethernet interface. It is recommended that you only use this command from the serial console port.
Are you sure you really want to do this? (yes, y, no, n): [no] yes
Proceed with caution.
Auto-negotiate (yes, y, no, n): [no]
Force 100 Mbps / Full Duplex (yes, y, no, n): [no]
Force 100 Mbps / Half Duplex (yes, y, no, n): [no]
Force 10 Mbps / Full Duplex (yes, y, no, n): [no]
Force 10 Mbps / Half Duplex (yes, y, no, n): [no]
You must select at least one link operating mode.
RSL1_ST02_B41:admin> ipaddrset
Ethernet IP Address [10.255.248.35]:
Ethernet Subnetmask [255.255.255.192]:
Fibre Channel IP Address [0.0.0.0]:
Fibre Channel Subnetmask [0.0.0.0]:
Gateway IP Address [10.255.248.62]:
Issuing gratuitous ARP...Done.
IP address is being changed...Done.
Committing configuration...Done.
Initial Configuration Log In Through the Ethernet Interface
Multiple concurrent telnet sessions are allowed on Linux-based switches
– Two admin and four user logins simultaneously
– Use killtelnet to terminate a telnet connection
Log in using a standard telnet or SSHv2 client
Use quietmode to suppress messages to the console
Telnet may be disabled to force administrators to connect through an encrypted SSHv2 session
RSL1_ST02_B41 login: admin
Password:
Please change your passwords now.
Use Control-C to exit or press 'Enter' key to proceed.
Password was not changed. Will prompt again at next login
until password is changed.
RSL1_ST02_B41:admin> quietmode
[* abbreviated *]
quietMode: Off
RSL1_ST02_B41:admin> quietmode 1
Committing configuration...done
Quiet Mode is now ON
RSL1_ST02_B41:admin> killtelnet
[* abbreviated *]
______________________________________________________________________________
Session No USER TTY IDLE FROM LOGIN@
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
0 admin0 pts/0 1.00s 10.255.248.22 1:47pm
1 admin0 pts/1 9.00s 10.255.248.22 1:52pm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Enter Session Number to terminate (q to quit) 1
Please Ensure (Y/[N]): Y
killing session.... Done!
Initial Configuration Switch Login Accounts
Open telnet or serial connection to switch
– Default administrative account: admin
– Default password: password
– Other accounts: root, factory, switchadmin and user
You will be prompted to change the default passwords at every login until they are changed
The default user accounts are factory, root, admin and user. The default password for admin and user is password. Brocade discourages signing on as root/factory except when directed by an OEM support team for advanced troubleshooting reasons.
When you sign on to a switch and the current password is the Brocade default value, a password prompt will appear asking you to change the password for all accounts. Once this process completes, you may rename the default accounts and assign a new password that meets the password requirement of 8 characters long. New passwords must be different from the current password. The password value is then written to the local switch. Subsequently, when signing on to other switches in the fabric, other switches may have different accounts and passwords. Documenting renamed accounts and their new password values is strongly encouraged. Having the same password for each account is discouraged.
Use the switchAdmin level account for administrative use that does not include security, user management, or zoning configuration.
RSL1_ST02_B41 login: admin
Password:
Please change your passwords now.
Use Control-C to exit or press 'Enter' key to proceed.
Password was not changed. Will prompt again at next login
until password is changed.
While there are four accounts that can be used to sign on to a switch, in Fabric OS v3.x and v2.x only one person can be signed on at a time. FOS v4.x allows for two concurrent admin sessions. For FOS v2.x and v3.x, if an administration session using the RS232 interface is in use and a telnet session using the IP interface is made to the same switch, the telnet session will disconnect the RS232 session.
Initial Configuration Set the Fabric-Wide Clock
The Principal Switch maintains time for an entire fabric
Subordinate switches synchronize time from the Principal
Use the tsclockserver command to instruct the Principal Switch to synchronize time with an NTP server
– Specify an IP address of an NTP server
– Specify LOCL to stop NTP synchronization
Use the date command to manually set the switch date and time
– date with no arguments displays the current date and time
– date "mmddhhmmyy" sets the date and time, where
  mm is the month, valid values are 01-12
  dd is the date, valid values are 01-31
  hh is the hour, valid values are 00-23
  mm is minutes, valid values are 00-59
  yy is the year, valid values are 00-99
– The date command becomes read-only if an NTP server has been specified
RSL1_ST02_B41:admin> date
Tue May 16 15:00:57 UTC 2006
RSL1_ST02_B41:admin> tsclockserver
LOCL
RSL1_ST02_B41:admin> tsclockserver 128.118.25.3
Updating Clock Server configuration...done.
RSL1_ST02_B41:admin> tsclockserver
128.118.25.3
RSL1_ST02_B41:admin> date "0516073406"
External Time Synchronization in place. Cannot execute this command.
RSL1_ST02_B41:admin> tsclockserver LOCL
Updating Clock Server configuration...done.
RSL1_ST02_B41:admin> tsclockserver
LOCL
RSL1_ST02_B41:admin> date "0516073406"
Tue May 16 07:34:00 UTC 2006
Initial Configuration Set Switch Time Zone
Set on each switch in the fabric
– Individual switches maintain time zone information independently
Use the tstimezone command to set the switch time zone in relationship to Greenwich Mean Time (GMT)
Example: Eastern Time (United States) is GMT-5
– tstimezone -5
RSL1_ST02_B41:admin> tstimezone -5
Updating Time Zone configuration...done.
System Time Zone change will take effect at next reboot.
Initial Configuration Set Login Banner
A login banner will appear prior to CLI or Web Tools login
– Limited to 1022 characters interactively, 116 as a command line argument
– Viewed from command line or Web Tools
Set using the bannerset command
Remove using bannerset ""
RSL1_ST02_B41:admin> bannerset
Please input content of security banner (press "." and RETURN at the beginning of a newline to finish input):
Unauthorized access is prohibited.
Do not log in if you do not have the authorization to do so.
.
RSL1_ST02_B41:admin> login
Unauthorized access is prohibited.
Do not log in if you do not have the authorization to do so.
RSL1_ST02_B41 login: admin
Password:
RSL1_ST02_B41:admin> bannershow
Unauthorized access is prohibited.
Do not log in if you do not have the authorization to do so.
RSL1_ST02_B41:admin> bannerset ""
RSL1_ST02_B41:admin> bannershow
Initial Configuration Activate Licensed Features
Used to enable Fabric OS features
Based on the switch WWN
– licenseidshow
License string is up to 16 mixed-case, case-sensitive characters
A single license key may activate one feature or a bundle of features
License commands
– licenseshow
– licenseadd
– licenseremove
RSL1_ST02_B41:admin> licenseidshow
10:00:00:05:1e:02:ab:21
RSL1_ST02_B41:admin> licenseadd "cbQeQRy9QdsVfRl"
adding license-key "cbQeQRy9QdsVfRl"
RSL1_ST02_B41:admin> licenseshow
bzbzRQQSRQc0c0SQ:
Web license
ezcRecbSef0dSf2:
Zoning license
ReQbbSzdR9SfRcc7:
Fabric license
cbQeQRy9QdsVfRl:
Ports on Demand license - additional 8 port upgrade
Ports on Demand license - additional 8 port upgrade
One feature per license key
Multiple features per license key
Initial Configuration Set the Switch Name
Switch names should be unique for easier administration
Naming suggestions
– Site or building where switch is located
– Floor or room where switch is located
– Indicate topology (core switch vs. edge switch)
– Rack ID
– Switch Type
– Fabric ID
– Domain ID
Example: RSL1_ST02_B41
– Remote SAN Lab #1
– Station #2
– Brocade 4100
Switch name is assigned using the switchname command
Having a well thought out switch naming convention enables easy identification of physical switches if a problem arises. Use a switch naming convention that scales across the organization, keeping in mind that the SAN might start small but can be extended enterprise-wide over time. Switch names can be duplicated in the fabric. To see a list of the existing switch names and their IP settings, use the command fabricshow.
Switch Name rules in Fabric OS v4.1 and later
- Up to 15 characters including letters, digits, hyphens, and underscore characters
- Must begin with a letter
- No spaces
switch:admin> switchname "RSL1_ST02_B41"
Committing configuration...Done.
RSL1_ST02_B41:admin> switchname
RSL1_ST02_B41
RSL1_ST02_B41:admin> fabricshow
Switch ID Worldwide Name Enet IP Addr FC IP Addr Name
-------------------------------------------------------------------------
1: fffc01 10:00:00:05:1e:02:12:a5 10.255.248.32 0.0.0.0 "RSL1_ST02_B20"
2: fffc02 10:00:00:05:1e:02:ab:21 10.255.248.35 0.0.0.0 >"RSL1_ST02_B41"
The Fabric has 2 switches
Initial Configuration Set syslog Server
The system logging daemon (syslogd) on hosts can receive system events and error messages from SilkWorm switches
If all switches and control processors escalate messages to syslogd, the administrator may view a fabric-wide log of events
Configuration is simple
– syslogdipadd
– syslogdipremove
– syslogdipshow
syslog records are tagged as belonging to a facility
– Fabric OS v4.4 and later support UNIX local1 - local7 facilities
– The default facility level is 7
– Change the facility using the syslogdfacility command
Additional host configuration may be necessary, see server documentation
RSL1_ST02_B41:admin> syslogdipshow
No addresses configured
RSL1_ST02_B41:admin>
RSL1_ST02_B41:admin> syslogdipadd 10.255.248.2
RSL1_ST02_B41:admin> syslogdipadd 10.255.248.3
RSL1_ST02_B41:admin> syslogdipshow
syslog.IP.address.1 10.255.248.2
syslog.IP.address.2 10.255.248.3
RSL1_ST02_B41:admin> syslogdfacility
Syslog facility: LOG_LOCAL7
RSL1_ST02_B41:admin> syslogdfacility -l 6
Syslog facility changed to LOG_LOCAL6
RSL1_ST02_B41:admin> syslogdipremove 10.255.248.3
RSL1_ST02_B41:admin> syslogdipshow
syslog.IP.address.1 10.255.248.2
RSL1_ST02_B41:admin> syslogdipremove 10.255.248.2
RSL1_ST02_B41:admin> syslogdipshow
No addresses configured
Initial Security Configuration Disable Telnet
Use the configure command to disable telnet
– May be run on an enabled switch
If telnet is disabled from within a telnet session, all telnet sessions will be disabled
To avoid losing your session, disable telnet through an alternate interface
– Serial port session
– SSHv2 session
– Web Tools
RSL1_ST02_B41:admin> configure
Not all options will be available on an enabled switch.
To disable the switch, use the "switchDisable" command.
Configure...
System services (yes, y, no, n): [no] y
rstatd (on, off): [off]
rusersd (on, off): [off]
telnetd (on, off): [on]
ssl attributes (yes, y, no, n): [no]
http attributes (yes, y, no, n): [no]
snmp attributes (yes, y, no, n): [no]
rpcd attributes (yes, y, no, n): [no]
cfgload attributes (yes, y, no, n): [no]
No changes.
Initial Security Configuration Enable Web Tools Upfront Login
Upfront Login forces administrators to enter an ID and password before they can access any portion of the Web Tools interface
– Enable Upfront Login using the configure command
– May be run on an enabled switch
By default Upfront Login is not enabled.
RSL1_ST02_B200E:admin> configure
Not all options will be available on an enabled switch.
To disable the switch, use the "switchDisable" command.
Configure...
System services (yes, y, no, n): [no]
ssl attributes (yes, y, no, n): [no]
http attributes (yes, y, no, n): [no]
snmp attributes (yes, y, no, n): [no]
rpcd attributes (yes, y, no, n): [no]
cfgload attributes (yes, y, no, n): [no]
webtools attributes (yes, y, no, n): [no] yes
Upfront Login Enabled (yes, y, no, n): [no] yes
By default, Upfront Login is not enabled. Anyone with network access to the management port may enter the initial switchExplorer view without an ID and password. However, an ID and password are required to change any switch or fabric parameters. Upfront Login ensures that unauthorized users are not able to gather even basic information regarding the switch.
Web Tools may be disabled using the configure command.
Initial Security Configuration Set Command Line Session Timeout
Automatically terminate a telnet or SSH session after a period of inactivity
Timeout value is specified in minutes
– Setting a timeout value of 0 disables automatic session timeout
– Valid settings include 0, or a value between 1 and 99,999 minutes
– To display the current setting, type timeout with no arguments
RSL1_ST02_B41:admin> timeout
Current IDLE Timeout is 0 minutes
RSL1_ST02_B41:admin> timeout 15
IDLE Timeout Changed to 15 minutes
The modified IDLE Timeout will be in effect after NEXT login
RSL1_ST02_B41:admin> login
RSL1_ST02_B41 login: admin
Password:
RSL1_ST02_B41:admin> timeout
Current IDLE Timeout is 15 minutes
Default timeout on Linux-based switches is 10 minutes.
Initial Security Configuration Change Default Passwords
Open a serial port, telnet, or SSH connection to the switch
– Default administrative accounts: admin, user
– Default password for both: password
– Other default accounts: root, factory
  Use of root and factory accounts is not supported
  Log in as root or factory only if directed by your support provider
When prompted, change all default passwords
– Passwords must be between 8 and 40 characters by default
  Use the passwdcfg --showall command to display password rules in Fabric OS v5.1 and higher only
RSL1_ST02_B41 login: admin
Password:
Please change your passwords now.
Use Control-C to exit or press 'Enter' key to proceed.
Password was not changed. Will prompt again at next login
until password is changed.
RSL1_ST02_B41 login: admin
Password:
Please change your passwords now.
Use Control-C to exit or press 'Enter' key to proceed.
Warning: Access to the Root and Factory accounts may be required for
proper support of the switch. Please ensure the Root and Factory
passwords are documented in a secure location. Recovery of a lost Root
or Factory password will result in fabric downtime.
for user - root
Changing password for root
Enter new password:
Re-type new password:
passwd: all authentication tokens updated successfully
Please change your passwords now.
for user - factory
…
for user - admin
…
for user - user
…
passwd: all authentication tokens updated successfully
Saving passwords to stable storage.
Passwords saved to stable storage successfully
Initial Security Configuration Set Password Rules
Fabric OS v5.1 and later only
Password rules are enforced only when defining new passwords
Passwords that have already been defined will not be checked for policy compliance
Set password rules with passwdcfg --set command
Set password strength policy by specifying the minimum number of:
– Lowercase letters: -lowercase
– Uppercase letters: -uppercase
– Digits (0-9): -digits
– Punctuation characters [1]: -punctuation
– Minimum length [2]: -minlength
Limit password re-use by setting the password history policy
– Passwords kept in history [3]: -history
[1] All printable punctuation characters except colon ":" are allowed
[2] The minimum password length may be set from 8 to 40 characters in length. The password length is the total number of lowercase, uppercase, digits, and punctuation characters. The total number of these characters may not exceed 40. Keep this in mind as you specify the minimum number of each type of character required.
[3] The password history policy is not enforced when an administrator sets a password for another user, but the password set by the administrator is recorded in the user's password history.
swd77:admin> passwdcfg --set -lowercase 3 -uppercase 1 -digits 2 -punctuation 2 -minlength 10 -history 3
swd77:admin> passwd
Changing password for admin
Enter old password:
Enter new password:
Password must be between 10 and 40 characters long.
Enter new password:
Insufficient number of upper case letters
Enter new password:
Insufficient number of lower case letters
[* abbreviated *]
Enter new password:
Insufficient number of digits in password
Enter new password:
Re-type new password:
passwd: all authentication tokens updated successfully
Saving password to stable storage.
Password saved to stable storage successfully.
Initial Security Configuration Set Password Rules (cont.)
Avoid stale passwords by setting a password expiration policy [2]
– Minimum age: -minpasswordage
– Maximum age: -maxpasswordage
– Expiration warning (days) [1]: -warning
Set the account lockout policy [3]
– Password failures allowed: -lockoutthreshold
– Set lockout duration (minutes): -lockoutduration
RSL1_ST02_B41:admin> passwdcfg --set -minpasswordage 20 -maxpasswordage 30 -warning 5
RSL1_ST02_B41:admin> passwdcfg --set -lockoutthreshold 5 -lockoutduration 15
[1] The user will begin seeing warning messages when they log in a number of days prior to password expiration. They will be compelled to change their password when it has expired.
[2] The password expiration policy is not enforced for root and factory accounts.
[3] The account lockout policy is not enforced for root, factory, and admin role accounts.
swd77:admin> passwdcfg --set -minpasswordage 20 -maxpasswordage 30 -warning 5
swd77:admin> userconfig --show -a
[* abbreviated *]
Account name: root
Role: root
Description: root
Enabled: Yes
Password Last Change Date: Unknown
Password Expiration Date: Not Applicable
Locked: No
Account name: admin
Role: admin
Description: Administrator
Enabled: Yes
Password Last Change Date: Wed May 24 2006
Password Expiration Date: Fri Jun 23 2006
Locked: No
Initial Security Configuration Set Password Rules (cont.)
Use passwdcfg --setdefault command to restore the factory default password policy
RSL1_ST02_B41:admin> passwdcfg --setdefault
RSL1_ST02_B41:admin> passwdcfg --showall
passwdcfg.minlength: 8
passwdcfg.lowercase: 0
passwdcfg.uppercase: 0
passwdcfg.digits: 0
passwdcfg.punctuation: 0
passwdcfg.history: 1
passwdcfg.minpasswordage: 0
passwdcfg.maxpasswordage: 0
passwdcfg.warning: 0
passwdcfg.lockoutthreshold: 0
passwdcfg.lockoutduration: 30
passwdcfg.status: 0
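
An added example, not part of the Brocade courseware or Fabric OS: it parses passwdcfg --showall output, reports settings left at weak values, and checks a candidate password against the strength rules from the Set Password Rules slides. The function names are hypothetical, and reading a value of 0 for maxpasswordage and lockoutthreshold as "control switched off" is an assumption.

```python
import re
import string

# Constructed sample input: the factory-default values shown on the slide above.
SHOWALL_DEFAULT = """\
RSL1_ST02_B41:admin> passwdcfg --showall
passwdcfg.minlength: 8
passwdcfg.lowercase: 0
passwdcfg.uppercase: 0
passwdcfg.digits: 0
passwdcfg.punctuation: 0
passwdcfg.history: 1
passwdcfg.minpasswordage: 0
passwdcfg.maxpasswordage: 0
passwdcfg.warning: 0
passwdcfg.lockoutthreshold: 0
passwdcfg.lockoutduration: 30
passwdcfg.status: 0
"""

MAX_LEN = 40  # upper bound on password length stated on the slides
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digits": string.digits,
    # The slides allow all printable punctuation except the colon.
    "punctuation": string.punctuation.replace(":", ""),
}


def parse_showall(text):
    """Return {'minlength': 8, ...} from 'passwdcfg.<key>: <int>' lines; skip everything else."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"\s*passwdcfg\.(\w+):\s*(\d+)\s*$", line)
        if m:
            policy[m.group(1)] = int(m.group(2))
    return policy


def audit_policy(policy):
    """List the settings an administrator would want to tighten."""
    findings = []
    if sum(policy.get(k, 0) for k in CLASSES) > MAX_LEN:
        findings.append("required character counts exceed the 40-character limit")
    if not any(policy.get(k, 0) for k in CLASSES):
        findings.append("no character-class minimums are set")
    if policy.get("history", 1) <= 1:
        findings.append("history keeps only one password")
    # Assumption: 0 means the control is off, as in the factory defaults.
    if policy.get("maxpasswordage", 0) == 0:
        findings.append("maxpasswordage is 0: passwords do not expire")
    if policy.get("lockoutthreshold", 0) == 0:
        findings.append("lockoutthreshold is 0: no account lockout")
    return findings


def check_password(candidate, policy):
    """Return the reasons a new password would fail the strength policy (empty list = passes)."""
    problems = []
    minlen = policy.get("minlength", 8)
    if not minlen <= len(candidate) <= MAX_LEN:
        problems.append(f"length must be between {minlen} and {MAX_LEN}")
    if ":" in candidate:
        problems.append("colon is not an allowed punctuation character")
    for name, alphabet in CLASSES.items():
        have = sum(ch in alphabet for ch in candidate)
        need = policy.get(name, 0)
        if have < need:
            problems.append(f"needs at least {need} {name} characters, has {have}")
    return problems


def slide_policy():
    """Factory defaults overlaid with the values the slides set via passwdcfg --set."""
    policy = parse_showall(SHOWALL_DEFAULT)
    policy.update(lowercase=3, uppercase=1, digits=2, punctuation=2,
                  minlength=10, history=3, minpasswordage=20,
                  maxpasswordage=30, warning=5,
                  lockoutthreshold=5, lockoutduration=15)
    return policy


if __name__ == "__main__":
    for finding in audit_policy(parse_showall(SHOWALL_DEFAULT)):
        print("default policy:", finding)
    for pw in ("abcdefghij", "abcD12!:xy", "abcD12!?xy"):  # constructed candidates
        print(repr(pw), check_password(pw, slide_policy()) or "accepted")
```
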
Initial Security Configuration User-Defined Accounts
Up to 15 user-defined accounts may be created
Default accounts admin and user may be disabled
Use the userconfig command to administer accounts
– userconfig --show
– userconfig --change
– userconfig --add
– userconfig --delete
User-defined accounts assist in tracking who did what, when
– Enable enhanced change tracking with trackchangesset 1
RSL1_ST02_B41:admin> userconfig --show -a
Account name: root
Role: root
Description: root
Enabled: Yes
Account name: factory
Role: factory
Description: Diagnostics
Enabled: Yes
Account name: admin
Role: admin
Description: Administrator
Enabled: Yes
Account name: user
Role: user
Description: User
Enabled: Yes
RSL1_ST02_B41:admin> userconfig --add jdoe -r admin -d "Jane Doe"
Setting initial password for jdoe
Enter new password:
Re-type new password:
Account jdoe has been successfully added.
RSL1_ST02_B41:admin> login
RSL1_ST02_B41 login: jdoe
Password:
RSL1_ST02_B41:jdoe> userconfig --show jdoe
Account name: jdoe
Role: admin
Description: Jane Doe
Enabled: Yes
RSL1_ST02_B41:jdoe> userconfig --change admin -e no
Broadcast message from root (pts/0) Wed May 17 09:14:48 2006...
Security Policy, Password or Account Attribute Change: admin will be logged out
Attribute for account admin has been successfully changed.
RSL1_ST02_B41:jdoe> userconfig --show admin
Account name: admin
Role: admin
Description: Administrator
Enabled: No
RSL1_ST02_B41:jdoe>

DANGER
Your company policy may require you to disable default accounts or group-access accounts such as the default user and admin accounts. Before you disable the default account admin, be certain you have created at least one user-defined account assigned to the admin role. Without an account with admin privileges, you will not be able to manage your switch.
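The check in the DANGER note can be run against captured userconfig --show -a output before anyone issues userconfig --change admin -e no. This is an added example, not Brocade code: it parses the account records, lists the default accounts that are still enabled, and answers whether another usable admin-role account would remain. The sample text is constructed from the slide output; the function names are assumptions.

```python
import re

# Constructed input: `userconfig --show -a` as on the slide (four default accounts).
SHOW_ALL_BEFORE = """\
RSL1_ST02_B41:admin> userconfig --show -a
Account name: root
Role: root
Description: root
Enabled: Yes
Account name: factory
Role: factory
Description: Diagnostics
Enabled: Yes
Account name: admin
Role: admin
Description: Administrator
Enabled: Yes
Account name: user
Role: user
Description: User
Enabled: Yes
"""

# Constructed input: the record created by the `userconfig --add jdoe` walkthrough.
JDOE_RECORD = """\
Account name: jdoe
Role: admin
Description: Jane Doe
Enabled: Yes
"""

DEFAULT_ACCOUNTS = ("root", "factory", "admin", "user")

# "Field name: value" lines; CLI prompts and broadcast messages do not match
# because the field name may contain only letters and spaces.
FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$")


def parse_accounts(text):
    """Return a list of dicts, one per 'Account name:' record, keys lower-cased."""
    accounts = []
    for line in text.splitlines():
        match = FIELD.match(line)
        if not match:
            continue
        key, value = match.group(1).lower(), match.group(2)
        if key == "account name":
            accounts.append({"name": value})
        elif accounts:
            accounts[-1][key] = value
    return accounts


def is_usable_admin(account):
    """An admin-role account that is enabled and not shown as locked."""
    return (account.get("role") == "admin"
            and account.get("enabled", "").lower() == "yes"
            and account.get("locked", "no").lower() != "yes")


def safe_to_disable(accounts, target):
    """True when a usable admin-role account other than `target` remains."""
    return any(is_usable_admin(a) for a in accounts if a["name"] != target)


def enabled_defaults(accounts):
    """Names of factory-default accounts that are still enabled."""
    return [a["name"] for a in accounts
            if a["name"] in DEFAULT_ACCOUNTS
            and a.get("enabled", "").lower() == "yes"]


if __name__ == "__main__":
    for label, text in (("before jdoe", SHOW_ALL_BEFORE),
                        ("after jdoe", SHOW_ALL_BEFORE + JDOE_RECORD)):
        accounts = parse_accounts(text)
        print(label, "| enabled defaults:", enabled_defaults(accounts),
              "| safe to disable admin:", safe_to_disable(accounts, "admin"))
```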
Initial Security Configuration RADIUS Authentication
To centrally control user logins, Fabric OS supports the open-standard RADIUS protocol
– Provides remote user access authentication, authorization, and accounting
– Client/server model: A Brocade switch running Fabric OS v3.2/4.4 or higher acts as a RADIUS client to a RADIUS server
– Network Security: All RADIUS client/server traffic is authenticated via a shared secret
– Focused on user logins, not FC device logins or switch attachment
When RADIUS is enabled on a switch:
– All logins are authenticated through a RADIUS server (bypasses local database)
– All switch passwords are managed through the RADIUS server - the switch/Director local password database is bypassed
– Monitor user logins on a RADIUS-enabled system through the RADIUS server
• The Remote Authentication Dial-In User Service (or RADIUS) is a protocol for carrying authentication, authorization, and accounting (AAA) information about remote user access between a Network Access Server (which desires to authenticate its links) and a shared Authentication Server. RADIUS is an open standard (IETF RFC 2865 and RFC 2866).
• Client/server: The RADIUS client must pass user information to designated RADIUS servers, and act on the returned response. The RADIUS server receives user connection requests, authenticates the users, and then returns all configuration information needed for the RADIUS client to deliver service. In this case, a SilkWorm switch is configured as a Network Access Server that acts as a RADIUS client.
• Network Security: To ensure that user names and passwords remain private, all client/server communication is encrypted, and authenticated with a shared secret key.
• RADIUS is focused on authenticating, authorizing, and accounting remote user access – in particular, logins and logouts. RADIUS does not perform these roles for devices or switches entering a fabric – these roles continue to be handled by existing Fibre Channel protocols.
• In a fabric with switches running a mix of Fabric OS versions, the way a switch authenticates users depends on whether a RADIUS server is set up for that switch.
  • For a switch with RADIUS support and configuration enabled, authentication bypasses the local password database. On a RADIUS-enabled switch, logins through the console port are not authenticated with the RADIUS server, but through the local switch database.
  • For a switch with RADIUS support or configuration disabled, authentication uses switch local account names and passwords.
Initial Security Configuration RADIUS Authentication (cont.)
Fabric OS v3.2/4.4+ switches have two login authentication databases
The default primary database is Switch Database (1)
– It consists of the default switch login accounts: root, factory, admin, and user
– It can also contain user-defined multiple user accounts (MUAs)
There is no secondary login authentication database available when the primary database is Switch Database; the only option is None
When RADIUS is configured as the primary login authentication database there are two options available for secondary login authentication: None (default) and Switch Database

Footnote 1: The Web Tools Switch Database is referred to as switchdb at the CLI.

If a denial (incorrect user name / password) is received from the RADIUS server that is authenticating the login, then a secondary RADIUS server or authentication database login is not attempted. If a configuration parameter is incorrect in either the RADIUS server or the switch AND the secondary database is Switch Database, then telnet or Web Tools Admin access could be gained, after timeout(s), using a local account that authenticates via the Switch Database.
Initial Security Configuration RADIUS Authentication (cont.)
Management access to a switch with primary database configured to RADIUS will attempt authentication via configured RADIUS server(s)
Possible RADIUS server responses: grant, deny, or time out
If response from all RADIUS servers is “timeout”, serial access can authenticate using switch database; ALL servers can similarly access IF secondary RADIUS server is set to Switch Database

[Diagram: a Management Server (over the network) and a Serial/Console Server (over a serial cable) access a Fabric OS v4.4+ switch, which sends requests to RADIUS Server 1 and RADIUS Server 2 and receives a Response; the numbers 1 through 6 mark the steps listed below.]

In the example above, the primary database is RADIUS, and the RADIUS servers have been properly configured with user names and passwords. When a management station attempts access, the following scenario occurs:
1. The management server attempts to access the switch (RADIUS client) using a user name/password combination configured on the RADIUS servers.
2. The authentication request is sent to the first RADIUS server in the RADIUS configuration (RADIUS Server 1).
3. If the response from RADIUS Server 1 is “accept”, management access is achieved; if the response is “deny”, the management server does not get access.
4. If there is a timeout from RADIUS Server 1, then the authentication request is sent to the second RADIUS server in the RADIUS configuration (RADIUS Server 2).
5. If the response from RADIUS Server 2 is “accept”, management access is achieved; if the response is “deny”, the management server does not get access.
6. If there is a timeout from RADIUS Server 2 AND the switch database is configured as a secondary database, then the user name/password is authenticated on the local switch.
Notes:
• Error messages related to RADIUS access attempts are displayed at the serial port console.
• Up to five RADIUS servers can be configured.
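The six steps above, together with the serial-access rule on the slide, form a small decision procedure that shows when local switch passwords remain live credentials on a RADIUS-enabled switch. The following is an added example, not Fabric OS code: a model of that procedure in which the function names, the "none"/"switchdb" labels for the secondary database, and the local_ok flag (whether the supplied credentials match the switch database) are assumptions.

```python
ACCEPT, DENY, TIMEOUT = "accept", "deny", "timeout"
MAX_SERVERS = 5  # "Up to five RADIUS servers can be configured"


def authenticate(responses, secondary="none", local_ok=False, serial=False):
    """Model one login attempt on a switch whose primary database is RADIUS.

    responses : responses of the configured RADIUS servers, in configured order
    secondary : "none" (default) or "switchdb"
    local_ok  : True if the credentials match an account in the switch database
    serial    : True for a serial/console login, False for network management
    Returns (granted, decided_by).
    """
    if not 1 <= len(responses) <= MAX_SERVERS:
        raise ValueError("expected between 1 and 5 RADIUS server responses")
    if secondary not in ("none", "switchdb"):
        raise ValueError("secondary must be 'none' or 'switchdb'")

    for index, response in enumerate(responses, start=1):
        if response == ACCEPT:
            return True, "RADIUS server %d" % index
        if response == DENY:
            # A denial is final: no further server and no local database is tried.
            return False, "RADIUS server %d" % index
        if response != TIMEOUT:
            raise ValueError("unknown response: %r" % (response,))
        # Timeout: fall through to the next configured server.

    # Every configured server timed out.
    if serial or secondary == "switchdb":
        return local_ok, "switch database"
    return False, "no RADIUS response"


def fallback_matrix(server_count=2):
    """Who gets in with valid LOCAL credentials when every server times out."""
    matrix = {}
    for secondary in ("none", "switchdb"):
        for serial in (False, True):
            granted, _ = authenticate([TIMEOUT] * server_count,
                                      secondary, local_ok=True, serial=serial)
            matrix[(secondary, "serial" if serial else "network")] = granted
    return matrix


if __name__ == "__main__":
    cases = [
        ([ACCEPT], "none", False, False),
        ([TIMEOUT, ACCEPT], "none", False, False),
        ([TIMEOUT, DENY], "switchdb", True, False),
        ([TIMEOUT, TIMEOUT], "switchdb", True, False),
        ([TIMEOUT, TIMEOUT], "none", True, False),
        ([TIMEOUT, TIMEOUT], "none", True, True),
    ]
    for responses, secondary, local_ok, serial in cases:
        print(responses, secondary, "serial" if serial else "network",
              "->", authenticate(responses, secondary, local_ok, serial))
    print(fallback_matrix())
```

With the secondary database set to switchdb, an unreachable or misconfigured RADIUS server leaves every enabled local account usable over the network, so the local password policy and default-account handling earlier in this module still apply.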
Verify Switch Status View Switch Uptime
Use switchuptime or uptime commands to display the amount of time the switch has been operational
RSL1_ST02_B41:admin> switchuptime
8:49pm up for 10 days 5 hrs 21 mins
RSL1_ST02_B41:admin> uptime
8:49pm up 10 days, 5:21, 1 user, load average: 0.01, 0.03, 0.00
Verify Switch Status Check Switch Status Commands
Display overall status of switch with switchstatusshow
Display current policy settings with switchstatuspolicyshow
– Marginal Status
  Yellow color when displayed in Web Tools or Fabric Manager
  Entry in error log, viewed with errshow, flagged as marginal
– Down Status
  Red color when displayed in Web Tools or Fabric Manager
  Entry in error log, viewed with errshow, flagged as faulty
Display temperature, fan, and power supply status with sensorshow
RSL1_ST02_B41:admin> switchstatusshow
Switch Health Report Report time: 05/16/2006 10:59:22 AM
Switch Name: RSL1_ST02_B41
IP address: 10.255.248.35
SwitchState: HEALTHY
Duration: 01:45
Power supplies monitor HEALTHY
Temperatures monitor HEALTHY
Fans monitor HEALTHY
Flash monitor HEALTHY
Marginal ports monitor HEALTHY
Faulty ports monitor HEALTHY
Missing SFPs monitor HEALTHY
Fabric Watch is not licensed
Detailed port information is not included
Verify Switch Status Check Switch Status Commands (cont.)
RSL1_ST02_B41:admin> sensorshow
sensor 1: (Temperature ) is Ok, value is 27 C
sensor 2: (Temperature ) is Ok, value is 30 C
sensor 3: (Temperature ) is Ok, value is 28 C
sensor 4: (Temperature ) is Ok, value is 28 C
sensor 5: (Temperature ) is Ok, value is 29 C
sensor 6: (Fan ) is Ok, speed is 5400 RPM
sensor 7: (Fan ) is Ok, speed is 5273 RPM
sensor 8: (Fan ) is Ok, speed is 5532 RPM
sensor 9: (Power Supply) is Ok
sensor 10: (Power Supply) is Ok

RSL1_ST02_B41:admin> switchstatuspolicyshow
The current overall switch status policy parameters:
                 Down    Marginal
----------------------------------
PowerSupplies    2       1
Temperatures     2       1
Fans             2       1
Flash            0       1
MarginalPorts    2       1
FaultyPorts      2       1
MissingSFPs      0       0

switchstatusshow displays the overall status of the switch, which includes internal switch status, faulty ports, missing SFPs, power supplies, temperatures, fans, portstatus, and ISLStatus. The status may be one of the following: marginal/warning or down/failed.
switchstatuspolicyshow prints the current policy parameters for calculating the overall status of the switch. The tolerances for calculating the status of the switch can be configured with switchstatuspolicyset.
RSL1_ST02_B200E:admin> switchstatusshow
Switch Health Report Report time: 05/21/2006 09:37:31 AM
Switch Name: RSL1_ST02_B200E
IP address: 10.255.248.32
SwitchState: HEALTHY
Duration: 70:56
Power supplies monitor HEALTHY
Temperatures monitor HEALTHY
Fans monitor HEALTHY
Flash monitor HEALTHY
Marginal ports monitor HEALTHY
Faulty ports monitor HEALTHY
Missing SFPs monitor HEALTHY
All ports are healthy
Verify Switch Status switchstatuspolicyset
Seven parameters that determine switch status
– PowerSupplies
– Temperatures
– Fans
– Flash
– MarginalPorts
– FaultyPorts
– MissingSFPs
Marginal triggers
– Yellow status in Web Tools
Down triggers
– Red status in Web Tools
These states are policy based and do not necessarily reflect the operational state of the switch

RSL1_ST02_B41:admin> switchstatuspolicyset
To change the overall switch status policy parameters
The current overall switch status policy parameters:
                 Down    Marginal
----------------------------------
PowerSupplies    1       1
Temperatures     2       1
Fans             2       1
Flash            0       1
MarginalPorts    2       1
FaultyPorts      2       1
MissingSFPs      0       0

Note that the value, 0, for a parameter, means that it is
NOT used in the calculation.
** In addition, if the range of settable values in the prompt is (0..0),
** the policy parameter is NOT applicable to the switch.
** Simply hit the Return key.

The minimum number of
  Bad PowerSupplies contributing to DOWN status: (0..1) [1]
  Bad PowerSupplies contributing to MARGINAL status: (0..1) [1]
  Bad Temperatures contributing to DOWN status: (0..2) [2]
  Bad Temperatures contributing to MARGINAL status: (0..2) [1]
  Bad Fans contributing to DOWN status: (0..3) [2]
  Bad Fans contributing to MARGINAL status: (0..3) [1]
  Out of range Flash contributing to DOWN status: (0..1) [0]
  Out of range Flash contributing to MARGINAL status: (0..1) [1]
  MarginalPorts contributing to DOWN status: (0..16) [2]
  MarginalPorts contributing to MARGINAL status: (0..16) [1]
  FaultyPorts contributing to DOWN status: (0..16) [2]
  FaultyPorts contributing to MARGINAL status: (0..16) [1]
  MissingSFPs contributing to DOWN status: (0..16) [0]
  MissingSFPs contributing to MARGINAL status: (0..16) [0]
No change
Verify Switch Status Port Status
Port name command
– portname <port> or <slot>/<port>
Port enable/disable commands
– portdisable <port> or <slot>/<port>
– portenable <port> or <slot>/<port>
– portcfgpersistentdisable <port> or <slot>/<port>
– portcfgpersistentenable <port> or <slot>/<port>
Port status command
– portshow <port>
sw2:admin> portshow 2
portName: JBOD PORT
portFlags: 0x23806b portLbMod: 0x0 PRESENT ACTIVE F_PORT L_PORT U_PORT LOGIN NOELP LED ACCEPT
portType: 4.1
portState: 1 Online
portPhys: 6 In_Sync
portScn: 6 F_Port
portRegs: 0x81020000
portData: 0x102de900
portId: 330200
portWwn: 20:02:00:60:69:50:06:67
portWwn of device(s) connected: 21:00:00:20:37:38:60:e5
21:00:00:20:37:38:ab:42
21:00:00:20:37:36:02:4a
21:00:00:20:37:38:89:a9
21:00:00:20:37:59:84:17
21:00:00:20:37:97:02:13
21:00:00:20:37:0c:30:bf
21:00:00:20:37:87:49:7d
21:00:00:20:37:87:49:87
21:00:00:20:37:11:65:ec
Distance: normal
Speed: N1Gbps
Interrupts: 707 Link_failure: 0 Frjt: 0
Unknown: 90 Loss_of_sync: 69 Fbsy: 0
Lli: 191 Loss_of_sig: 0 Lip_in: 0
Proc_rqrd: 488 Protocol_err: 0 Lip_out: 7
Timed_out: 0 Invalid_word: 0 Lip_rx: F7,F7
Rx_flushed: 0 Invalid_crc: 0
Tx_unavail: 0 Delim_err: 0
Free_buffer: 0 Address_err: 47
Overrun: 0 Lr_in: 0
Suspended: 0 Lr_out: 0
Parity_err: 0 Ols_in: 0
Ols_out: 0
Slide callouts for the output above:
– Port Name
– Port initialization from right to left and current port type
– Port WWNs of Devices: 10 Devices
– Distance: Normal buffering
– Port speed
Verify Switch Status Port Speeds
Individual port speeds can be set by the administrator
portcfgspeed <port>,<speed_level>
Set the speed level for all ports on a switch
switchcfgspeed <speed_level>
Valid speeds
0: auto-negotiated 1, 2, or 4 Gbit/sec
1: 1 Gbit/sec
2: 2 Gbit/sec
4: 4 Gbit/sec
The SFP and hard-coded port speed should match, otherwise a Mod_Inv will display in switchshow output
Some devices prefer hard-coded speeds to auto-negotiation
Setting the port speed is a disruptive event, and can force a device to re-login to the fabric.
Verify Switch Status Port Settings & Port Setting Commands
portcfgshow
RSL1_ST02_B20:admin> portcfgshow
Ports of Slot 0     0  1  2  3    4  5  6  7    8  9 10 11   12 13 14 15
-----------------+--+--+--+--+----+--+--+--+----+--+--+--+----+--+--+--
Speed              1G 2G 4G AN   1G 2G 4G AN   AN AN AN AN   AN AN AN AN
Trunk Port         ON ON ON ON   ON ON ON ON   ON ON ON ON   ON ON ON ON
Long Distance      .. .. .. ..   .. .. .. LE   LE .. .. ..   .. .. .. ..
VC Link Init       .. .. .. ..   .. .. .. ..   ON .. .. ..   .. .. .. ..
Locked L_Port      .. .. .. ..   .. .. .. ..   .. .. .. ..   .. .. ON ..
Locked G_Port      .. .. .. ..   .. .. .. ..   .. .. .. ..   .. ON .. ..
Disabled E_Port    .. .. .. ..   .. .. .. ..   .. .. .. ..   .. .. .. ON
ISL R_RDY Mode     .. .. .. ..   .. .. .. ..   .. .. .. ON   .. .. .. ..
RSCN Suppressed    .. .. .. ..   .. .. .. ..   .. .. ON ..   .. .. .. ..
Persistent Disable .. .. .. ..   .. .. .. ..   .. ON .. ..   .. .. .. ..
NPIV capability    ON ON ON ON   .. ON .. ON   ON .. ON ..   ON ON ON ON

where AN:AutoNegotiate, ..:OFF, ??:INVALID.

portcfgdefault
portcfgeport, portcfglport, portcfggport

• Speed is displayed as 1G, 2G, 4G, or AN (when in Auto Speed Negotiation mode). This value is set by the portcfgspeed command.
• Trunk Port is displayed as ON (when port is set for trunking) or OFF (when trunking is disabled on the port) as set by the portcfgtrunkport command.
• Long Distance setting of the port is shown as blank when long distance mode is L0 (normal) and will display modes depending on the distance mode setting: LE (<= 10km), L0.5 (<= 25km), L1 (<= 50km), L2 (<= 100km), LD (auto), LS (static). This value is set by the portcfglongdistance command.
• VC link init setting of the port is shown as blank when VC link init mode is off or ON when VC link init mode is on. This value is set by the portcfglongdistance command.
• Locked L_Port is displayed as ON when port is locked to L_Port only or blank when L_Port lock mode is disabled (and it behaves as a U_Port). This value is set by the portcfglport command.
• Locked G_Port is displayed as ON when port is locked to G_Port only or blank when G_Port lock mode is disabled (and it behaves as a U_Port). This value is set by the portcfggport command.
• Disabled E_Port is displayed as ON when port is not allowed to be an E_Port. This value is set by the portcfgeport command.
• Persistent disable is displayed as ON when the port is disabled across reboots or power cycles or blank when the port is allowed to function normally. This mode is set by the portcfgpersistentdisable command.
• ISL R_RDY is displayed as ON when the port is set to R_RDY flow control. This mode is set by the portcfgislmode command.
• RSCN Suppressed is displayed as ON when RSCNs have been suppressed on the port. This mode is set by the portcfg rscnsupr command.
• Persistent Disable is displayed as ON when the port has been persistently disabled. This mode is set by the portcfgpersistentdisable command.
• NPIV capability mode is displayed as ON when the port is configured to perform N_Port virtualization. This mode is set by the portcfgnpivport command.
SW3850_51:admin> switchshow
switchName: SW3850_51
switchType: 26.1
switchState: Online
switchMode: Native
switchRole: Subordinate
switchDomain: 51
switchId: fffc33
switchWwn: 10:00:00:60:69:50:06:67
switchBeacon: OFF
Zoning: OFF
port 0: id N1 Online F-Port 10:00:00:00:c9:24:76:16
port 1: id N2 Online F-Port 10:00:00:00:c9:29:06:4d
port 2: id N1 Online L-Port 10 public
port 3: id N2 Online Loopback->3
port 4: id N2 Online E-Port (Trunk port, master is port #5)
port 5: id N2 Online E-Port 10:00:00:60:69:90:04:f0 "SWT3850_53" (upstream) (Trunk master)
port 6: id N2 Online E-Port (Trunk port, master is port #5)
port 7: id N2 Online E-Port (Trunk port, master is port #5)
port 8: id N2 No_Light
port 9: id 2G No_Light
port 10: id N2 No_Light
port 11: id N2 No_Light
port 12: id 1G No_Light
port 13: id N2 No_Light
port 14: id N2 No_Light
port 15: -- N2 No_Module
Verify Switch Status Verifying Switch Operation
[Diagram: Switch Domain #51 and Switch Domain #53, each drawn with ports 0 through 15; callouts: FC-AL, 10 Devices; No SFP.]
The switchshow command can be used to verify the switch is operating correctly and display information about the switch status.
switchName - The switch’s name
switchType - model.motherboard-rev, where the model number is as follows:
  1 = SilkWorm 1000
  2 = SilkWorm 2800
  3 = SilkWorm 2400
  4 = SilkWorm 20x0
  5 = SilkWorm 22x0
  9 = SilkWorm 3800
  10 = SilkWorm 12000
  12 = SilkWorm 3900
  16 = SilkWorm 3200
  21 = SilkWorm 24000
  26 = SilkWorm 3850
  27 = SilkWorm 3250
  32 = SilkWorm 4100
  34 = SilkWorm 200E
  38 = AP 7420
  42 = SilkWorm 48000
  44 = SilkWorm 4900
  46 = SilkWorm 7500
switchState - The state of this switch: Online, Offline, Testing or Faulty
switchMode - The switch mode, Native or InterOp
switchRole - The switch role: Principal, Subordinate or disabled
switchDomain - The domain ID of this switch: 0 to 31 or 1 to 239.
switchID - The 24-bit address of this switch's embedded port: hex fffc00 to fffcef.
switchWwn - The World Wide Name of this switch
switchBeacon - Indicates if the beacon is turned on or not
Zoning - zoning status
Port Number - Each line shows the port number: 0 to 15, the GBIC type, the port state and a comment field
Port module type - The GBIC/SFP or other type follows the port number. The four types include (-- = none; sw = short wave; lw = long wave; cu = copper; id = intelligent)
Port speed - The speed of the port (1G, 2G, N1, N2, AN)
Long distance level - L0 (default), L1, L2, LE
Port state - The possible port states include:
  No_Card - no card present in this switch slot
  No_Module - no SFP module in this port
  No_Light - the module is not receiving light
  No_Sync - the module is receiving light but is out of sync
  In_Sync - the module is receiving light and is in sync (copper displays Sync, fiber, Online)
  Laser_Flt - the module is signaling a laser fault (defective GBIC)
  Port_Flt - the port has been marked faulty (defective GBIC, cable, or device)
  Diag_Flt - the port failed diagnostics (defective G_Port or FL_Port card or motherboard)
  Online - the port is up and running
  Lock_Ref - the port is locking to the reference signal
  Testing - running diagnostics
Comment field - Some possible comments include: Disabled, Loopback
Verify Switch Status Port Status LEDs
Port status LED behavior may vary per switch type
Check the Hardware Reference Guide for your particular switch
Example for the SilkWorm 4100:

Port Status LED State | Meaning
Flickering Green | Port is online and frames are passing through the port
Steady Green | Port is connected to another device, but has no traffic
Slow Flashing Amber (2 second intervals) | Port is disabled
Fast Flashing Amber (½ second intervals) | Port is faulty
Slow Green (2 second intervals) | Port is online but segmented

Port Speed and Serial Port LEDs

Purpose of LED | Location of LED | Color of LED | Status of Hardware | Recommended Action
Indicates switch power | Below serial port | No light | Boot not complete or failed; switch may be off | Verify boot completed; contact switch vendor
Indicates switch power | Below serial port | Steady green | Switch on and boot completed | None
Indicates switch power | Below serial port | Slow green | One or more ports failed POST | Check error log
Indicates port speed | Above each port on right | No light | POST is running, or port is Tx/Rx at 1 Gbit/sec | None
Indicates port speed | Above each port on right | Steady green | Port is Tx/Rx at 2 Gbit/sec | None
Indicates port speed | Above each port on right | Steady amber | Port is Tx/Rx at 4 Gbit/sec | None

Port Speed LED for 3900/12000: upper LED
Each SilkWorm 4100 port has two LEDs on an LED assembly below the ports. The port-speed LED is on the right and port-status LED is on the left. Top row LEDs are for ports 0-3; 8-11; 16-19; and 24-27. Bottom row LEDs are for ports 4-7; 12-15; 20-23; and 28-31.
Fabric Parameters Configuration Parameters
They dictate the way the switch will behave
Set using the configure command
– Some configure parameters can be changed online
Disable the switch before setting fabric configuration parameters
RSL1_ST02_B41:admin> switchdisable; configure
Reset to factory defaults by using the configdefault command
RSL1_ST02_B41:admin> switchdisable; configdefault
Parameters not reset by a configdefault
– World Wide Name
– Ethernet settings (MAC address, IP address, subnetmask)
– IP gateway address
– SNMP configuration
– Zoning configuration
– Switch name
– License keys
An example of some of the configuration parameters:
RSL1_ST02_B41:admin> switchdisable; configure
Configure...
Fabric parameters (yes, y, no, n): [no] y
Domain: (1..239) [1]
R_A_TOV: (4000..120000) [10000]
E_D_TOV: (1000..5000) [2000]
WAN_TOV: (0..30000) [0]
MAX_HOPS: (7..19) [7]
Data field size: (256..2112) [2112]
Sequence Level Switching: (0..1) [0]
Disable Device Probing: (0..1) [0]
Suppress Class F Traffic: (0..1) [0]
Switch PID Format: (1..2) [1]
Per-frame Route Priority: (0..1) [0]
Long Distance Fabric: (0..1) [0]
BB credit: (1..27) [16]
Fabric Parameters Consistent Fabric Parameters
The configshow command will display parameter settings
RSL1_ST02_B20:admin> configshow fabric.ops
fabric.ops.BBCredit:16
fabric.ops.E_D_TOV:2000
fabric.ops.R_A_TOV:10000
fabric.ops.dataFieldSize:2112
fabric.ops.max_hops:7
fabric.ops.mode.fcpProbeDisable:0
fabric.ops.mode.isolate:0
fabric.ops.mode.longDistance:0
fabric.ops.mode.noClassF:0
fabric.ops.mode.pidFormat:1
fabric.ops.mode.tachyonCompat:0
fabric.ops.mode.unicastOnly:0
fabric.ops.mode.useCsCtl:0
fabric.ops.vc.class.2:2
fabric.ops.vc.class.3:3
fabric.ops.vc.config:0xc0
fabric.ops.vc.linkCtrl:0
fabric.ops.vc.multicast:7
fabric.ops.wan_tov:0

fabric.ops parameters must be consistent on all switches throughout the fabric otherwise switches cannot join together
fabric.ops.pidFormat is the most commonly changed default setting
– pidFormat = 1 (Core PID) is the default setting for all 4 Gbit/sec switches and some 2 Gbit/sec models
– pidFormat = 0 (Native PID) is the default for all 1 Gbit/sec switches and some 2 Gbit/sec models
Other fabric.ops parameters:
fabric.ops.mode.longDistance: In fabrics with version 2.x switches this command is used in conjunction with the portcfglongdistance command to extend ISL capabilities (Extended Fabrics switch license required).
fabric.ops.mode.noClassF: Class F frames will not be used for inter-switch communications - Class 2 is used. Toggle using Suppress Class F Traffic under Fabric Parameters.
fabric.ops.mode.pidFormat: Used to enable PID and Extended Edge PID formats. The Core PID format is the default on all 4 Gbit/sec SilkWorm switches.
fabric.ops.mode.sync: Used to prevent time out delays in remote Fabrics.
fabric.ops.mode.useCsCtl: Type configure then yes to Fabric parameters and toggle Per-frame Route Priority: (0..1) [0] to change fabric.ops.mode.useCsCtl. Creates additional Virtual Channel ID for per-frame based prioritization, using existing VCs plus frame header information.
fabric.ops.mode.vcEncode: The output relates to Virtual Channel (vc) settings for establishing communication priority over ISLs and are configurable only when VC Encoded Address Mode is set. Like all fabric.ops parameters, they must be the same on all fabric switches.
Other fabric.ops parameters are explained in the Fabric OS Reference Guide.
Fabric operating mode parameters include:
Disable Device Probing      fabric.ops.mode.fcpProbeDisable
Isolated Operation          fabric.ops.mode.isolate
Long Distance Fabric        fabric.ops.mode.longDistance
Suppress Class F Traffic    fabric.ops.mode.noClassF
Switch PID Format           fabric.ops.mode.pidFormat
Sequence Level Switching    fabric.ops.mode.tachyonCompat
Unicast-only Operation      fabric.ops.mode.unicastOnly
Per-frame Route Priority    fabric.ops.mode.useCsCtl
Administrative Tasks Booting a Switch
fastboot boots the switch bypassing POST
reboot boots the switch and includes POST*
switchreboot reboots a logical switch in a dual-domain SilkWorm 24000
* reboot includes POST unless diagdisablepost is configured.
Administrative Tasks Join an Existing Brocade Fabric
Adding a new switch to an existing fabric
– switchdisable
– configure; set the domain ID
– connect one or more ISLs
– switchenable
Verify fabric membership with the fabricshow command

RSL1_ST02_B41:admin> fabricshow
Switch ID   Worldwide Name           Enet IP Addr    FC IP Addr   Name
-------------------------------------------------------------------------
  1: fffc01 10:00:00:05:1e:02:12:a5 10.255.248.32   0.0.0.0     >"RSL1_ST02_B20"
  2: fffc02 10:00:00:05:1e:02:ab:21 10.255.248.35   0.0.0.0      "RSL1_ST02_B41"
The Fabric has 2 switches
The “>” denotes the Principal Switch.
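Before the ISL is connected, the two join conditions in this module (a domain ID not already in the fabric, and identical fabric.ops parameters) can be checked from captured output. The following is an added example, not Brocade code: it parses fabricshow and configshow fabric.ops text and lists what would keep the new switch from joining. The fabric-side text is constructed from the slides, the new switch's values (domain 1, pidFormat 0) are constructed for illustration, and the function names are assumptions.

```python
import re

# Constructed input: the fabricshow output from the slide above.
FABRICSHOW = """\
Switch ID   Worldwide Name           Enet IP Addr    FC IP Addr   Name
-------------------------------------------------------------------------
  1: fffc01 10:00:00:05:1e:02:12:a5 10.255.248.32   0.0.0.0     >"RSL1_ST02_B20"
  2: fffc02 10:00:00:05:1e:02:ab:21 10.255.248.35   0.0.0.0      "RSL1_ST02_B41"
The Fabric has 2 switches
"""

# Constructed input: `configshow fabric.ops` from a switch already in the fabric.
FABRIC_OPS = """\
fabric.ops.BBCredit:16
fabric.ops.E_D_TOV:2000
fabric.ops.R_A_TOV:10000
fabric.ops.dataFieldSize:2112
fabric.ops.max_hops:7
fabric.ops.mode.fcpProbeDisable:0
fabric.ops.mode.isolate:0
fabric.ops.mode.longDistance:0
fabric.ops.mode.noClassF:0
fabric.ops.mode.pidFormat:1
fabric.ops.mode.tachyonCompat:0
fabric.ops.mode.unicastOnly:0
fabric.ops.mode.useCsCtl:0
fabric.ops.vc.class.2:2
fabric.ops.vc.class.3:3
fabric.ops.vc.config:0xc0
fabric.ops.vc.linkCtrl:0
fabric.ops.vc.multicast:7
fabric.ops.wan_tov:0
"""

# Constructed: a new switch that differs only in PID format.
NEW_SWITCH_OPS = FABRIC_OPS.replace("pidFormat:1", "pidFormat:0")

FABRIC_ROW = re.compile(
    r'\s*(\d+):\s+[0-9a-f]{6}\s+(?:[0-9a-f]{2}:){7}[0-9a-f]{2}'
    r'\s+\S+\s+\S+\s+(>?)"([^"]*)"')


def parse_fabricshow(text):
    """Return {domain_id: (switch_name, is_principal)} from fabricshow output."""
    domains = {}
    for line in text.splitlines():
        match = FABRIC_ROW.match(line)
        if match:
            domains[int(match.group(1))] = (match.group(3), match.group(2) == ">")
    return domains


def parse_fabric_ops(text):
    """Return {parameter: value} for the fabric.ops lines of configshow output."""
    params = {}
    for line in text.splitlines():
        match = re.match(r"\s*(fabric\.ops\.[\w.]+):\s*(\S+)", line)
        if match:
            params[match.group(1)] = match.group(2)
    return params


def prejoin_check(fabricshow_text, fabric_ops_text, new_domain, new_ops_text):
    """Return a list of problems that would keep the new switch out of the fabric."""
    problems = []
    domains = parse_fabricshow(fabricshow_text)
    if new_domain in domains:
        problems.append("domain %d already used by %s"
                        % (new_domain, domains[new_domain][0]))
    fabric, new = parse_fabric_ops(fabric_ops_text), parse_fabric_ops(new_ops_text)
    for name in sorted(set(fabric) | set(new)):
        if fabric.get(name) != new.get(name):
            problems.append("%s: fabric=%s new=%s"
                            % (name, fabric.get(name), new.get(name)))
    return problems


if __name__ == "__main__":
    for problem in prejoin_check(FABRICSHOW, FABRIC_OPS, 1, NEW_SWITCH_OPS):
        print("BLOCKER:", problem)
```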
Administrative Tasks Attach Devices
To attach a device to a switch, power it on, wait for it to come up, and then plug it in to the switch port
Optional steps for the conservative administrator
– Issue portdisable prior to plugging in a device to avoid noise
– Once cable is secure, issue portenable to bring the port online
Switch will automatically negotiate the device speed and port type
– Individual switch ports will negotiate speed to 4, 2, or 1 Gbit/sec to match the attached device
– Individual switch ports will determine the proper port type
  F_Port
  FL_Port
Verify device connection using switchshow and nsshow
Administrative Tasks Verify Device Name Server Registration
Did the device log in to the name server as expected?
Verify that an entry exists
Verify Type
– Did you expect N or NL?
– Configurable on most HBAs
– Configurable on switch ports with the portcfgshow command

RSL1_ST02_B41:admin> nsshow
{
 Type Pid    COS     PortName                NodeName                 TTL(sec)
 NL   0200e2;      3;21:00:00:04:cf:92:69:9e;20:00:00:04:cf:92:69:9e; na
    FC4s: FCP [SEAGATE ST318452FC 0004]
<truncated output>
The Local Name Server has 4 entries }
Use the nsshow command to display local Name Server information, including information about devices connected to this switch, and cached information about devices connected to other switches in the fabric. Each line of output shows:
* Indicates a cached entry from another switch.
Type U for unknown, N for N_Port, NL for NL_Port.
PID 24-bit Fibre Channel address.
COS List of classes of service supported by device.
PortName Device port worldwide name.
NodeName Device node worldwide name.
TTL Time-to-live (in seconds) for cached entries, or NA (not applicable) if the entry is local.
There may be additional lines if the device has registered any of the following information (the switch automatically registers SCSI inquiry data for FCP target devices):
– FC4s supported
– IP address
– IPA
– Port and node symbolic names
– Fabric Port Name: This is the WWN of the port to which a device is physically connected.
– Hard address and/or port IP address

-r Lists the State Change Registration
0 – Reserved
1 – (Fabric Detected Registration) Register to receive all RSCN requests issued by the Fabric Controller for events detected by the fabric.
2 – (N_Port Detected Registration) Register to receive all RSCN requests issued by the Fabric Controller for events detected by the affected N_Port or NL_Port.
3 – (Full Registration (1 and 2)) Register to receive all RSCN requests issued by the Fabric Controller for events detected by the affected N_Port ID pages.
Summary
Installation and configuration of Brocade switches includes the following steps:
– Initial Configuration
– Initial Security Configuration
– Verify Switch Status
– Fabric Parameters
– Administrative Tasks
Review Questions
1. What single command displays the current temperature, fan, and power supply status?
2. You are about to add a new switch to an existing fabric. In order for the new switch to join successfully, what parameter must be set to a unique value?
3. When placing a new switch into an existing fabric, what parameters must be set to the same values as the existing fabric?
4. An administrator has plugged a new tape device into a switch port. Name a command to verify the tape device is properly attached to the switch.
5. Name three management interfaces into a Brocade switch.

1. sensorshow
2. Domain ID
3. fabric.ops parameters
4. nsshow
5. Telnet, Serial, SSH, Web Tools, SNMP, Fabric Manager, SMI-S
End of Instructor-Led Module 4: Installation and Setup