CFP264 Brocade 4 Gbit/sec Accelerated BCFP
Instructor-Led Module 4: Installation and Setup
Brocade Education Services, Brocade® Product Training
© 2006 Brocade Communications Systems, Incorporated. Revision CFP264 ILT 0806


Objectives

Following this module and associated lab, an attendee should be able to:
• Perform out-of-box initial configuration
• Perform initial security configuration
• Verify switch status
• Identify the importance of fabric parameters
• Perform other common administrative tasks


“Out of the box” Experience

• Items included
  – Qualified Fabric OS version
  – Command-Line management
  – Generally included: Web Tools and Zoning licenses
  – Power Cables
  – Serial Cables
  – Rubber mounting feet
  – Quick Start Guide
  – Documentation CD
• Optional Items
  – Rack-mount kit
  – Additional licensed Fabric OS features
  – SFPs (may be included, varies by OEM)

Each vendor that ships a Brocade switch will include the version of firmware that the supporting vendor has qualified. Due to qualification cycles, switches shipping from the factory may not have the same Fabric OS version that is currently installed on other switches in your fabric, even if the switches were obtained from the same vendor. Pay close attention to ensure that the firmware on the new switch is compatible with other switches in your environment, per your vendor’s qualification matrix. Use the version command to determine the installed firmware version.

You may also check fabric operation parameters to ensure there are no conflicting settings when any new switch is introduced to a production fabric. Being familiar with the version of Fabric OS currently installed on the SAN and any customized settings will make troubleshooting easier and adding new switches simpler. The SAN Health utility can help you audit your current environment.

Cables and documentation will be enclosed with the switch. A switch may be shipped with a rack mounting kit or enclosed in a 19” rack. If the switch sits on a table top rather than in a rack, it is recommended to attach the four rubber mounting feet, one in each corner, to reduce the chance of slipping.

Each switch has a blank IP address label located on the cable side of the switch that can be used to document the IP address when assigned. The Quick Start Guide and Brocade Documentation CD should be read prior to installing SFPs and powering on the switch.

Brocade Partner Network: http://partner.brocade.com
For Brocade partners.
• Firmware and release notes
• Documentation, how-to-guides
• Sales presentations and collateral
• Sales training courses and sales Webinars
• Scripts, MIBs, and RSH Utilities
• Technical support bulletins, advisory notices, and the Brocade Knowledge Base

Brocade Connect: http://www.brocadeconnect.com
For Brocade end-users.
• User-donated scripts
• SNMP MIBs
• User message boards
• Documentation, how-to guides, and release notes
• Customers that have purchased Brocade support have access to firmware, support bulletins, advisory notices, and the Brocade Knowledge Base

SAN Health: http://www.brocade.com/sanhealth
For Brocade end-users and partners.
• Generates a Visio topology diagram
• Generates a detailed "snapshot" report on your SAN configuration including alerts, performance graphs, and best practices


Steps For Configuring a New Switch

• Physical Preparation
• Customizing the Switch
• Managing Licensed Features
• Configuring and Verifying Fabric Parameters
• Verifying Switch Function
• Attaching Nodes
• Saving Switch Configuration

Prior to installing the switch, a site survey should be made. Brocade recommends separate power sources, one for each of the dual power supplies, and ample airflow for the back-to-front cooling. Details on environmental requirements, including power and cooling, are found in the Hardware Reference Guide for your switch. This document is found on the Documentation CD shipped with the switch, and can be downloaded from Brocade Connect.

When customizing the switch for the SAN and network, it is customary to first assign the switch an IP address by connecting to the external serial port. It is also a good idea to set a timeout value (timeout 10) to ensure you do not end up with hanging administrative sessions. Once the IP address is assigned, log out of the serial connection and connect over IP with Web Tools, telnet or SSH for remaining customization such as the domain number and switch name. During the login process, after the submitted password has been verified, a message will appear asking you to change the default user ID and password from their current values. Responding to this is optional, and changing the default password to a new value will make the switch more secure when performing administration.


Environmental Concerns

• Power
  – Cable dual power switches to dual power circuits
• Air
  – Air flow is from non-cable side (“back”) to cable side (“front”)
• Cable(s)
  – Allow for manageable cable slack to minimize stress
  – Do not mix single-mode (longwave) with multimode (shortwave) in patch panel
  – Secure with Velcro straps
  – Be wary of distances: total can add up quickly with patch panels
  – Create a Cable Table
• Monitor switch environment
  – psshow: Displays power status
  – fanshow: Displays fan status
  – tempshow: Displays temp readings
  – sensorshow: Displays all sensor readings

Air flow for Brocade switches is from the non-cable side to the cable side because the heat-generating components of the switch (ASICs and SFPs) are on the port side.

Improper cable planning can cause problems and may impact performance in the SAN. Although patch panels are helpful in a cable management scenario, attempt to minimize the number of connections as every fiber optic interconnection generates a few dB of signal loss. Keep a manageable slack to minimize cable stress. Use different color Velcro straps for trunk groups.

For more information on power supplies, fans, and temperature readings see the hardware reference manual for the appropriate switch model.


SilkWorm Management Interfaces

• Command Line Interface
  – Serial Communication (HyperTerm or tip)
  – Telnet (Port 23)
  – SSHv2 (Port 22) - v4.1 and later
• Brocade Application Program Interface (API and SMI-S)
• Brocade Fabric Manager
• Brocade Advanced Web Tools
  – HTTP
  – HTTPS requires a Digital Certificate to be installed on the switch (v4.4 and later)
• SNMPv1 (all) and SNMPv3 (Fabric OS v4.4 and later)
  – Brocade MIBs

Brocade switches can be administered using a command line interface (CLI) or through a graphical user interface (GUI).

With Fabric OS v4.1 and higher, SSHv2 (Secure Shell version 2) is enabled by default, allowing the entire command line session to be encrypted.

The Brocade Fabric Access and Storage Management Initiative Specification (SMI-S) APIs give developers and customers programmatic access into the switch, so organizations can easily integrate the intelligence of Brocade SAN fabrics into existing management applications, or quickly develop customized SAN-specific capabilities.

Brocade Fabric Manager is a powerful desktop application that manages multiple Brocade SilkWorm switches and fabrics in real time. In particular, Fabric Manager provides the essential functions for efficiently configuring, monitoring, provisioning, and managing Brocade SAN fabrics on a daily basis.

Brocade Web Tools, an intuitive and easy-to-use interface, enables organizations to monitor and manage Brocade SilkWorm fabrics. Tasks can be performed by using a Java-capable Web browser from standard laptops, desktop PCs, or workstations from any location within the enterprise. Use the httpcfgshow command to determine the Java version the switch expects at the management console.

Brocade offers SNMP MIBs for customers to use to read and set common settings on SilkWorm switches.

For information regarding Secure Shell, read:

SSH, The Secure Shell: The Definitive Guide, by Daniel J. Barrett and Richard E. Silverman. First Edition, February 2001. ISBN: 0-596-00011-1


Command Line Interface Shortcuts

• Recall last command & put CLI into edit mode
  – ESC + K (pre v5.1.0), or UP Arrow key (v5.1.0 and higher)
• Cursor Position - while edit mode active
  – H, J, K, L or UP, DOWN, LEFT, RIGHT
• End of Line - while edit mode active
  – Shift + A or END key
• History of commands
  – h
• Multiple commands issued on one line
  – command1;command2
• Help for commands
  – help <command>

When administering Brocade switches using the command line interface, certain keystrokes can be helpful.


Initial Configuration Log in Through the Serial Port

• Cable: The required serial cable is provided with the switch
• A PC with:
  – HyperTerm
  – An available COM port
• A UNIX® system with:
  – tip
  – An available serial port

When a new switch has arrived for installation into a fabric, it is suggested to use a serial cable to configure the switch with an IP address. After the IP address is configured, the serial connection to the switch may be dropped and an SSH, telnet, or Web Tools session may be used for further switch configuration because of its convenience and speed.

To configure the connection in a Microsoft Windows® environment:
• Bits per second: 9600
• Data bits: 8
• Parity: None
• Stop bits: 1
• Flow control: None

To configure the connection in a UNIX environment:
• # tip hardwire

Installation steps
1. Insert the serial cable provided into an RS-232 serial port on the workstation
2. Verify the switch has power and is past the POST stage
3. Invoke the ipaddrset command to set the IP address, subnet mask and default gateway


Initial Configuration Set the IP Address

• Default IP Address for switches: 10.77.77.77
• Default Netmask: 255.255.255.0
• Obtain addressing information for your network
  – IP Address & netmask
  – Default gateway
• Directors require more than one IP address on the same subnet
  – One IP Address required per Control Processor
  – One IP Address required per logical switch
    2 logical switches in the SilkWorm 12000
    1 or 2 logical switches in the SilkWorm 24000
    1 logical switch in the SilkWorm 48000
  – Default IP Addresses for Directors: 10.77.77.77 (logical switch 0), .76 (logical switch 1), .75 (cp0), .74 (cp1)

RSL1_ST02_B41:admin> ifmodeshow eth0

Link mode: negotiated 100baseTx-FD, link ok

RSL1_ST02_B41:admin> ifmodeset eth0

Exercise care when using this command. Forcing the link to an operating mode not supported by the network equipment to which it is attached may result in an inability to communicate with the system through its Ethernet interface. It is recommended that you only use this command from the serial console port.

Are you sure you really want to do this? (yes, y, no, n): [no] yes

Proceed with caution.

Auto-negotiate (yes, y, no, n): [no]

Force 100 Mbps / Full Duplex (yes, y, no, n): [no]

Force 100 Mbps / Half Duplex (yes, y, no, n): [no]

Force 10 Mbps / Full Duplex (yes, y, no, n): [no]

Force 10 Mbps / Half Duplex (yes, y, no, n): [no]

You must select at least one link operating mode.

RSL1_ST02_B41:admin> ipaddrset

Ethernet IP Address [10.255.248.35]:

Ethernet Subnetmask [255.255.255.192]:

Fibre Channel IP Address [0.0.0.0]:

Fibre Channel Subnetmask [0.0.0.0]:

Gateway IP Address [10.255.248.62]:

Issuing gratuitous ARP...Done.

IP address is being changed...Done.

Committing configuration...Done.


Initial Configuration Log In Through the Ethernet Interface

• Multiple concurrent telnet sessions are allowed on Linux-based switches
  – Two admin and four user logins simultaneously
  – Use killtelnet to terminate a telnet connection
• Login using a standard telnet or SSHv2 client
• Use quietmode to suppress messages to the console
• Telnet may be disabled to force administrators to connect through an encrypted SSHv2 session

RSL1_ST02_B41 login: admin

Password:

Please change your passwords now.

Use Control-C to exit or press 'Enter' key to proceed.

Password was not changed. Will prompt again at next login

until password is changed.

RSL1_ST02_B41:admin> quietmode

[* abbreviated *]

quietMode: Off

RSL1_ST02_B41:admin> quietmode 1

Committing configuration...done

Quiet Mode is now ON

RSL1_ST02_B41:admin> killtelnet

[* abbreviated *]

______________________________________________________________________________

Session No USER TTY IDLE FROM LOGIN@

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

0 admin0 pts/0 1.00s 10.255.248.22 1:47pm

1 admin0 pts/1 9.00s 10.255.248.22 1:52pm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Enter Session Number to terminate (q to quit) 1

Please Ensure (Y/[N]): Y

killing session.... Done!


Initial Configuration Switch Login Accounts

• Open telnet or serial connection to switch
  – Default administrative account: admin
  – Default password: password
  – Other accounts: root, factory, switchadmin and user
• You will be prompted to change the default passwords at every login until they are changed

The default user accounts are factory, root, admin and user. The default password for admin and user is password. Brocade discourages signing on as root/factory except when directed by an OEM support team for advanced troubleshooting.

When signing on to a switch whose current password is the Brocade default value, a prompt will appear asking to change the password for all accounts. Once this process completes, you may rename the default accounts and assign each a new password that meets the password length requirement of 8 characters. New passwords must be different from the current password. The password value is then written to the local switch. Subsequently, when signing on to other switches in the fabric, those switches may have different accounts and passwords. Documenting renamed accounts and their new password values is strongly encouraged. Having the same password for each account is discouraged.

Use the switchAdmin level account for administrative use that does not include security, user management, or zoning configuration.

RSL1_ST02_B41 login: admin
Password:
Please change your passwords now.
Use Control-C to exit or press 'Enter' key to proceed.

Password was not changed. Will prompt again at next login
until password is changed.

There are four accounts that can be used to sign on to a switch. In Fabric OS v3.x and v2.x, only one person can be signed on at a time. FOS v4.x allows for two concurrent admin sessions. For FOS v2.x and v3.x, if an administration session using the RS232 interface is in use and a telnet session using the IP interface is made to the same switch, the telnet session will disconnect the RS232 session.


Initial Configuration Set the Fabric-Wide Clock

• The Principal Switch maintains time for an entire fabric
• Subordinate switches synchronize time from the Principal
• Use the tsclockserver command to instruct the Principal Switch to synchronize time with an NTP server
  – Specify an IP address of an NTP server
  – Specify LOCL to stop NTP synchronization
• Use the date command to manually set the switch date and time
  – date with no arguments displays the current date and time
  – date "mmddhhmmyy" sets the date and time, where
    mm is the month, valid values are 01-12
    dd is the date, valid values are 01-31
    hh is the hour, valid values are 00-23
    mm is minutes, valid values are 00-59
    yy is the year, valid values are 00-99
  – The date command becomes read-only if an NTP server has been specified

RSL1_ST02_B41:admin> date

Tue May 16 15:00:57 UTC 2006

RSL1_ST02_B41:admin> tsclockserver

LOCL

RSL1_ST02_B41:admin> tsclockserver 128.118.25.3

Updating Clock Server configuration...done.

RSL1_ST02_B41:admin> tsclockserver

128.118.25.3

RSL1_ST02_B41:admin> date "0516073406"

External Time Synchronization in place. Cannot execute this command.

RSL1_ST02_B41:admin> tsclockserver LOCL

Updating Clock Server configuration...done.

RSL1_ST02_B41:admin> tsclockserver

LOCL

RSL1_ST02_B41:admin> date "0516073406"

Tue May 16 07:34:00 UTC 2006


Initial Configuration Set Switch Time Zone

• Set on each switch in the fabric
  – Individual switches maintain time zone information independently
• Use the tstimezone command to set the switch time zone in relationship to Greenwich Mean Time (GMT)
• Example: Eastern Time (United States) is GMT-5
  – tstimezone -5

RSL1_ST02_B41:admin> tstimezone -5

Updating Time Zone configuration...done.

System Time Zone change will take effect at next reboot.


Initial Configuration Set Login Banner

• A login banner will appear prior to CLI or Web Tools login
  – Limited to 1022 characters interactively, 116 as a command line argument
  – Viewed from command line or Web Tools
• Set using the bannerset command
• Remove using bannerset ""

RSL1_ST02_B41:admin> bannerset
Please input content of security banner (press "." and RETURN at the beginning of a newline to finish input):
Unauthorized access is prohibited.
Do not log in if you do not have the authorization to do so.
.
RSL1_ST02_B41:admin> login

Unauthorized access is prohibited.
Do not log in if you do not have the authorization to do so.

RSL1_ST02_B41 login: admin
Password:
RSL1_ST02_B41:admin> bannershow
Unauthorized access is prohibited.
Do not log in if you do not have the authorization to do so.

RSL1_ST02_B41:admin> bannerset ""
RSL1_ST02_B41:admin> bannershow


Initial Configuration Activate Licensed Features

• Used to enable Fabric OS features
• Based on the switch WWN
  – licenseidshow
• License string is up to 16 mixed-case, case-sensitive characters
• A single license key may activate one feature or a bundle of features
• License commands
  – licenseshow
  – licenseadd
  – licenseremove

RSL1_ST02_B41:admin> licenseidshow

10:00:00:05:1e:02:ab:21

RSL1_ST02_B41:admin> licenseadd "cbQeQRy9QdsVfRl"

adding license-key "cbQeQRy9QdsVfRl"

RSL1_ST02_B41:admin> licenseshow

bzbzRQQSRQc0c0SQ:

Web license

ezcRecbSef0dSf2:

Zoning license

ReQbbSzdR9SfRcc7:

Fabric license

cbQeQRy9QdsVfRl:

Ports on Demand license - additional 8 port upgrade

Ports on Demand license - additional 8 port upgrade

One feature per license key

Multiple features per license key


Initial Configuration Set the Switch Name

• Switch names should be unique for easier administration
• Naming suggestions
  – Site or building where switch is located
  – Floor or room where switch is located
  – Indicate topology (core switch vs. edge switch)
  – Rack ID
  – Switch Type
  – Fabric ID
  – Domain ID
• Example: RSL1_ST02_B41
  – Remote SAN Lab #1
  – Station #2
  – Brocade 4100
• Switch name is assigned using the switchname command

Having a well thought out switch naming convention enables easy identification of physical switches if a problem arises. Use a switch naming convention that scales across the organization, keeping in mind that the SAN might start small but can be extended enterprise-wide over time. Switch names can be duplicated in the fabric. To see a list of the existing switch names and their IP settings, use the command fabricshow.

Switch name rules in Fabric OS v4.1 and later:
- Up to 15 characters including letters, digits, hyphens, and underscore characters
- Must begin with a letter
- No spaces

switch:admin> switchname "RSL1_ST02_B41"
Committing configuration...Done.

RSL1_ST02_B41:admin> switchname

RSL1_ST02_B41

RSL1_ST02_B41:admin> fabricshow

Switch ID Worldwide Name Enet IP Addr FC IP Addr Name

-------------------------------------------------------------------------

1: fffc01 10:00:00:05:1e:02:12:a5 10.255.248.32 0.0.0.0 "RSL1_ST02_B20"

2: fffc02 10:00:00:05:1e:02:ab:21 10.255.248.35 0.0.0.0 >"RSL1_ST02_B41"

The Fabric has 2 switches


Initial Configuration Set syslog Server

• The system logging daemon (syslogd) on hosts can receive system events and error messages from SilkWorm switches
• If all switches and control processors escalate messages to syslogd, the administrator may view a fabric-wide log of events
• Configuration is simple
  – syslogdipadd
  – syslogdipremove
  – syslogdipshow
• syslog records are tagged as belonging to a facility
  – Fabric OS v4.4 and later support UNIX local1 - local7 facilities
  – The default facility level is 7
  – Change the facility using the syslogdfacility command
• Additional host configuration may be necessary, see server documentation

RSL1_ST02_B41:admin> syslogdipshow

No addresses configured

RSL1_ST02_B41:admin>

RSL1_ST02_B41:admin> syslogdipadd 10.255.248.2

RSL1_ST02_B41:admin> syslogdipadd 10.255.248.3

RSL1_ST02_B41:admin> syslogdipshow

syslog.IP.address.1 10.255.248.2

syslog.IP.address.2 10.255.248.3

RSL1_ST02_B41:admin> syslogdfacility

Syslog facility: LOG_LOCAL7

RSL1_ST02_B41:admin> syslogdfacility -l 6

Syslog facility changed to LOG_LOCAL6

RSL1_ST02_B41:admin> syslogdipremove 10.255.248.3

RSL1_ST02_B41:admin> syslogdipshow

syslog.IP.address.1 10.255.248.2

RSL1_ST02_B41:admin> syslogdipremove 10.255.248.2

RSL1_ST02_B41:admin> syslogdipshow

No addresses configured


Initial Security Configuration Disable Telnet

• Use the configure command to disable telnet
  – May be run on an enabled switch
• If telnet is disabled from within a telnet session, all telnet sessions will be disabled
• To avoid losing your session, disable telnet through an alternate interface
  – Serial port session
  – SSHv2 session
  – Web Tools

RSL1_ST02_B41:admin> configure

Not all options will be available on an enabled switch.

To disable the switch, use the "switchDisable" command.

Configure...

System services (yes, y, no, n): [no] y

rstatd (on, off): [off]

rusersd (on, off): [off]

telnetd (on, off): [on]

ssl attributes (yes, y, no, n): [no]

http attributes (yes, y, no, n): [no]

snmp attributes (yes, y, no, n): [no]

rpcd attributes (yes, y, no, n): [no]

cfgload attributes (yes, y, no, n): [no]

No changes.


Initial Security Configuration Enable Web Tools Upfront Login

• Upfront Login forces administrators to enter an ID and password before they can access any portion of the Web Tools interface
  – Enable Upfront Login using the configure command
  – May be run on an enabled switch

By default Upfront Login is not enabled.

RSL1_ST02_B200E:admin> configure

Not all options will be available on an enabled switch.
To disable the switch, use the "switchDisable" command.

Configure...

System services (yes, y, no, n): [no]
ssl attributes (yes, y, no, n): [no]
http attributes (yes, y, no, n): [no]
snmp attributes (yes, y, no, n): [no]
rpcd attributes (yes, y, no, n): [no]
cfgload attributes (yes, y, no, n): [no]
webtools attributes (yes, y, no, n): [no] yes

Upfront Login Enabled (yes, y, no, n): [no] yes

By default, Upfront Login is not enabled. Anyone with network access to the management port may enter the initial switchExplorer view without an ID and password. However, an ID and password are required to change any switch or fabric parameters. Upfront Login ensures that unauthorized users are not able to gather even basic information regarding the switch.

Web Tools may be disabled using the configure command.


Initial Security Configuration Set Command Line Session Timeout

• Automatically terminate a telnet or SSH session after a period of inactivity
• Timeout value is specified in minutes
  – Setting a timeout value of 0 disables automatic session timeout
  – Valid settings include 0, or a value between 1 and 99,999 minutes
  – To display the current setting, type timeout with no arguments

RSL1_ST02_B41:admin> timeout
Current IDLE Timeout is 0 minutes
RSL1_ST02_B41:admin> timeout 15
IDLE Timeout Changed to 15 minutes
The modified IDLE Timeout will be in effect after NEXT login
RSL1_ST02_B41:admin> login

RSL1_ST02_B41 login: admin
Password:
RSL1_ST02_B41:admin> timeout
Current IDLE Timeout is 15 minutes

Default timeout on Linux-based switches is 10 minutes.
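
An added example, not part of the Brocade course material: a Python sketch that reads a captured CLI session in the format of the transcripts above and reports on the settings this module configures (telnetd, Upfront Login, idle timeout, syslog server, clock server, login banner). The check names, the choice to label LOCL, an empty syslog list and an empty banner as "weak", and the sample session are constructed for illustration.

```python
import re

# Prompt as it appears in the sessions above, e.g. "RSL1_ST02_B41:admin> timeout".
PROMPT = re.compile(r"^[\w-]+:\w+> ?(?P<cmd>.*)$")
# A `configure` question such as "telnetd (on, off): [on]", optionally followed
# by the answer the administrator typed.
SETTING = re.compile(
    r"^(?P<name>.+?) \([^)]*\): \[(?P<current>[^\]]*)\] ?(?P<typed>\S*)$")
TIMEOUT = re.compile(r"Current IDLE Timeout is (\d+) minutes")
YES_NO = {"y": "yes", "n": "no"}
CHECKS = ["telnet disabled", "upfront login", "idle timeout",
          "syslog server", "ntp server", "login banner"]


def split_session(text):
    """Group a captured CLI session into [command, [output lines]] pairs."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        prompt = PROMPT.match(line)
        if prompt:
            blocks.append([prompt["cmd"].strip(), []])
        elif blocks:
            blocks[-1][1].append(line)
    return blocks


def configure_answers(lines):
    """Map each `configure` question to its effective value.

    The bracketed value is the current setting; an answer typed after it
    replaces that setting.
    """
    values = {}
    for line in lines:
        match = SETTING.match(line)
        if match:
            value = (match["typed"] or match["current"]).lower()
            values[match["name"].lower()] = YES_NO.get(value, value)
    return values


def audit(text):
    """Return {check: 'ok' | 'weak' | 'not captured'} for one switch session."""
    result = dict.fromkeys(CHECKS, "not captured")
    for cmd, out in split_session(text):  # later output overrides earlier
        if cmd == "configure":
            answers = configure_answers(out)
            if "telnetd" in answers:
                off = answers["telnetd"] == "off"
                result["telnet disabled"] = "ok" if off else "weak"
            if "upfront login enabled" in answers:
                on = answers["upfront login enabled"] == "yes"
                result["upfront login"] = "ok" if on else "weak"
        elif cmd == "timeout":
            match = TIMEOUT.search(" ".join(out))
            if match:  # 0 disables the automatic session timeout
                result["idle timeout"] = "weak" if match[1] == "0" else "ok"
        elif cmd == "syslogdipshow":
            found = any(l.startswith("syslog.IP.address.") for l in out)
            result["syslog server"] = "ok" if found else "weak"
        elif cmd == "tsclockserver" and out:
            # LOCL means the Principal Switch is not synchronizing with NTP.
            result["ntp server"] = "weak" if out[0] == "LOCL" else "ok"
        elif cmd == "bannershow":
            result["login banner"] = "ok" if out else "weak"
    return result


# Constructed sample session, assembled from the output formats shown above.
SAMPLE = """\
RSL1_ST02_B41:admin> configure
Configure...
System services (yes, y, no, n): [no] y
rstatd (on, off): [off]
rusersd (on, off): [off]
telnetd (on, off): [on]
webtools attributes (yes, y, no, n): [no] yes
Upfront Login Enabled (yes, y, no, n): [no] yes
RSL1_ST02_B41:admin> timeout
Current IDLE Timeout is 0 minutes
RSL1_ST02_B41:admin> syslogdipshow
syslog.IP.address.1 10.255.248.2
RSL1_ST02_B41:admin> tsclockserver
LOCL
"""

if __name__ == "__main__":
    for check, state in audit(SAMPLE).items():
        print(f"{check:16} {state}")
```
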


Initial Security Configuration Change Default Passwords

Open a serial port, telnet, or SSH connection to the switch– Default administrative accounts: admin, user– Default password for both: password– Other default accounts: root, factory

Use of root and factory accounts is not supportedLog in as root or factory only if directed by your support provider

When prompted, change all default passwords– Passwords must be between 8 and 40 characters by default

Use the passwdcfg --showall command to display password rules in Fabric OS v5.1 and higher only

RSL1_ST02_B41 login: admin
Password:
Please change your passwords now.
Use Control-C to exit or press 'Enter' key to proceed.

Password was not changed. Will prompt again at next login
until password is changed.

RSL1_ST02_B41 login: admin
Password:
Please change your passwords now.
Use Control-C to exit or press 'Enter' key to proceed.
Warning: Access to the Root and Factory accounts may be required for
proper support of the switch. Please ensure the Root and Factory
passwords are documented in a secure location. Recovery of a lost Root
or Factory password will result in fabric downtime.
for user - root
Changing password for root
Enter new password:
Re-type new password:
passwd: all authentication tokens updated successfully
Please change your passwords now.
for user - factory
for user - admin
for user - user
passwd: all authentication tokens updated successfully
Saving passwords to stable storage.
Passwords saved to stable storage successfully


Initial Security Configuration Set Password Rules

Fabric OS v5.1 and later only
Password rules are enforced only when defining new passwords
Passwords that have already been defined will not be checked for policy compliance
Set password rules with passwdcfg --set command
Set password strength policy by specifying the minimum number of:
– Lowercase letters -lowercase
– Uppercase letters -uppercase
– Digits (0-9) -digits
– Punctuation characters [1] -punctuation
– Minimum length [2] -minlength

Limit password re-use by setting the password history policy
– Passwords kept in history [3] -history

[1] All printable punctuation characters except colon ":" are allowed
[2] The minimum password length may be set from 8 to 40 characters in length. The password length is the total number of lowercase, uppercase, digits, and punctuation characters. The total number of these characters may not exceed 40. Keep this in mind as you specify the minimum number of each type of character required.
[3] The password history policy is not enforced when an administrator sets a password for another user, but the password set by the administrator is recorded in the user's password history.

swd77:admin> passwdcfg --set -lowercase 3 -uppercase 1 -digits 2 -punctuation 2 -minlength 10 -history 3
swd77:admin> passwd
Changing password for admin
Enter old password:
Enter new password:
Password must be between 10 and 40 characters long.
Enter new password:
Insufficient number of upper case letters
Enter new password:
Insufficient number of lower case letters
[* abbreviated *]
Enter new password:
Insufficient number of digits in password
Enter new password:
Re-type new password:
passwd: all authentication tokens updated successfully
Saving password to stable storage.
Password saved to stable storage successfully.


Initial Security Configuration Set Password Rules (cont.)

Avoid stale passwords by setting a password expiration policy [2]
– Minimum age -minpasswordage
– Maximum age -maxpasswordage
– Expiration warning (days) [1] -warning

Set the account lockout policy [3]
– Password failures allowed -lockoutthreshold
– Set lockout duration (minutes) -lockoutduration

RSL1_ST02_B41:admin> passwdcfg --set -minpasswordage 20 -maxpasswordage 30 -warning 5
RSL1_ST02_B41:admin> passwdcfg --set -lockoutthreshold 5 -lockoutduration 15

[1] The user will begin seeing warning messages when they log in a number of days prior to password expiration. They will be compelled to change their password when it has expired.
[2] The password expiration policy is not enforced for root and factory accounts.
[3] The account lockout policy is not enforced for root, factory, and admin role accounts.

swd77:admin> passwdcfg --set -minpasswordage 20 -maxpasswordage 30 -warning 5
swd77:admin> userconfig --show -a

[* abbreviated *]

Account name: root
Role: root
Description: root
Enabled: Yes
Password Last Change Date: Unknown
Password Expiration Date: Not Applicable
Locked: No

Account name: admin
Role: admin
Description: Administrator
Enabled: Yes
Password Last Change Date: Wed May 24 2006
Password Expiration Date: Fri Jun 23 2006
Locked: No


Initial Security Configuration Set Password Rules (cont.)

Use passwdcfg --setdefault command to restore the factory default password policy

RSL1_ST02_B41:admin> passwdcfg --setdefault
RSL1_ST02_B41:admin> passwdcfg --showall
passwdcfg.minlength: 8
passwdcfg.lowercase: 0
passwdcfg.uppercase: 0
passwdcfg.digits: 0
passwdcfg.punctuation: 0
passwdcfg.history: 1
passwdcfg.minpasswordage: 0
passwdcfg.maxpasswordage: 0
passwdcfg.warning: 0
passwdcfg.lockoutthreshold: 0
passwdcfg.lockoutduration: 30
passwdcfg.status: 0
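The following Python sketch is an added example, not Brocade code: it parses the passwdcfg --showall output shown above, reports which protections the factory defaults leave off, and checks candidate passwords against the strength rules from the Set Password Rules slides. It assumes that a value of 0 for maxpasswordage and lockoutthreshold means the feature is off, and that characters outside the four listed classes are rejected; all function names are hypothetical.

```python
import string

# Factory-default `passwdcfg --showall` output, copied from the slide above.
SHOWALL_DEFAULT = """\
passwdcfg.minlength: 8
passwdcfg.lowercase: 0
passwdcfg.uppercase: 0
passwdcfg.digits: 0
passwdcfg.punctuation: 0
passwdcfg.history: 1
passwdcfg.minpasswordage: 0
passwdcfg.maxpasswordage: 0
passwdcfg.warning: 0
passwdcfg.lockoutthreshold: 0
passwdcfg.lockoutduration: 30
passwdcfg.status: 0
"""

MAX_LENGTH = 40  # slide: passwords are between 8 and 40 characters
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    # slide footnote: all printable punctuation except colon
    "punctuation": set(string.punctuation) - {":"},
}


def parse_showall(text):
    """Turn `passwdcfg.<key>: <int>` lines into a dict; skip anything else."""
    policy = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        value = value.strip()
        if sep and key.startswith("passwdcfg.") and value.isdigit():
            policy[key[len("passwdcfg."):]] = int(value)
    return policy


def policy_errors(policy):
    """Check the policy itself against the limits stated in the footnotes."""
    errors = []
    if not 8 <= policy.get("minlength", 8) <= MAX_LENGTH:
        errors.append("minlength outside 8..40")
    if sum(policy.get(name, 0) for name in CLASSES) > MAX_LENGTH:
        errors.append("per-class minimums add up to more than 40")
    return errors


def password_violations(password, policy):
    """Return the names of the rules that `password` breaks under `policy`."""
    broken = []
    allowed = set().union(*CLASSES.values())
    # Assumption: anything outside the four classes (colon included) is rejected.
    if any(ch not in allowed for ch in password):
        broken.append("charset")
    if not policy.get("minlength", 8) <= len(password) <= MAX_LENGTH:
        broken.append("length")
    for name, members in CLASSES.items():
        if sum(ch in members for ch in password) < policy.get(name, 0):
            broken.append(name)
    return broken


def audit(policy):
    """List protections that the parsed policy leaves switched off."""
    findings = []
    if all(policy.get(name, 0) == 0 for name in CLASSES):
        findings.append("no character-class requirements")
    if policy.get("maxpasswordage", 0) == 0:      # assumption: 0 = never expires
        findings.append("password expiration disabled")
    if policy.get("lockoutthreshold", 0) == 0:    # assumption: 0 = no lockout
        findings.append("account lockout disabled")
    return findings


if __name__ == "__main__":
    default = parse_showall(SHOWALL_DEFAULT)
    print("default policy findings:", audit(default))
    # Values from the `passwdcfg --set` example on the earlier slide.
    strict = dict(default, lowercase=3, uppercase=1, digits=2,
                  punctuation=2, minlength=10)
    for candidate in ("short1!", "abcDEF12!?", "abcDEF12:?x"):  # constructed
        print(candidate, password_violations(candidate, strict))
```

Because the slides state that rules are enforced only when a new password is defined, a clean audit result says nothing about passwords set before the policy was tightened.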


Initial Security Configuration User-Defined Accounts

Up to 15 user-defined accounts may be created
Default accounts admin and user may be disabled
Use the userconfig command to administer accounts
– userconfig --show
– userconfig --change
– userconfig --add
– userconfig --delete

User-defined accounts assist in tracking who did what, when– Enable enhanced change tracking with trackchangesset 1

RSL1_ST02_B41:admin> userconfig --show -a

Account name: root

Role: root

Description: root

Enabled: Yes

Account name: factory

Role: factory

Description: Diagnostics

Enabled: Yes

Account name: admin

Role: admin

Description: Administrator

Enabled: Yes

Account name: user

Role: user

Description: User

Enabled: Yes

RSL1_ST02_B41:admin> userconfig --add jdoe -r admin -d "Jane Doe"
Setting initial password for jdoe
Enter new password:
Re-type new password:
Account jdoe has been successfully added.
RSL1_ST02_B41:admin> login

RSL1_ST02_B41 login: jdoe
Password:
RSL1_ST02_B41:jdoe> userconfig --show jdoe

Account name: jdoe
Role: admin
Description: Jane Doe
Enabled: Yes
RSL1_ST02_B41:jdoe> userconfig --change admin -e no

Broadcast message from root (pts/0) Wed May 17 09:14:48 2006...

Security Policy, Password or Account Attribute Change: admin will be logged out
Attribute for account admin has been successfully changed.
RSL1_ST02_B41:jdoe> userconfig --show admin

Account name: admin
Role: admin
Description: Administrator
Enabled: No
RSL1_ST02_B41:jdoe>

DANGER

Your company policy may require you to disable default accounts or group-access accounts such as the default user and admin accounts. Before you disable the default account admin, be certain you have created at least one user-defined account assigned to the admin role. Without an account with admin privileges, you will not be able to manage your switch.


Initial Security Configuration RADIUS Authentication

To centrally control user logins, Fabric OS supports the open-standard RADIUS protocol

– Provides remote user access authentication, authorization, and accounting

– Client/server model: A Brocade switch running Fabric OS v3.2/4.4 or higher acts as a RADIUS client to a RADIUS server

– Network Security: All RADIUS client/server traffic is authenticated via a shared secret

– Focused on user logins, not FC device logins or switch attachment

When RADIUS is enabled on a switch:

– All logins are authenticated through a RADIUS server (bypasses local database)

– All switch passwords are managed through the RADIUS server - the switch/Director local password database is bypassed

– Monitor user logins on a RADIUS-enabled system through the RADIUS server

• The Remote Authentication Dial-In User Service (or RADIUS) is a protocol for carrying authentication, authorization, and accounting (AAA) information about remote user access between a Network Access Server (which desires to authenticate its links) and a shared Authentication Server. RADIUS is an open standard (IETF RFC 2865 and RFC 2866).
• Client/server: The RADIUS client must pass user information to designated RADIUS servers, and act on the returned response. The RADIUS server receives user connection requests, authenticates the users, and then returns all configuration information needed for the RADIUS client to deliver service. In this case, a SilkWorm switch is configured as a Network Access Server that acts as a RADIUS client.
• Network Security: To ensure that user names and passwords remain private, all client/server communication is encrypted, and authenticated with a shared secret key.
• RADIUS is focused on authenticating, authorizing, and accounting remote user access – in particular, logins and logouts. RADIUS does not perform these roles for devices or switches entering a fabric – these roles continue to be handled by existing Fibre Channel protocols.
• In a fabric with switches running a mix of Fabric OS versions, the way a switch authenticates users depends on whether a RADIUS server is set up for that switch.
   • For a switch with RADIUS support and configuration enabled, authentication bypasses the local password database. On a RADIUS-enabled switch, logins through the console port are not authenticated with the RADIUS server, but through the local switch database.
   • For a switch with RADIUS support or configuration disabled, authentication uses switch local account names and passwords.


Initial Security Configuration RADIUS Authentication (cont.)

Fabric OS v3.2/4.4+ switches have two login authentication databases
The default primary database is Switch Database [1]
– It consists of the default switch login accounts: root, factory, admin, and user
– It can also contain user-defined multiple user accounts (MUAs)
There is no secondary login authentication database available when the primary database is Switch Database; the only option is None
When RADIUS is configured as the primary login authentication database there are two options available for secondary login authentication: None (default) and Switch Database

[1] Web Tools Switch Database is referred to as switchdb at the CLI.

If a denial (incorrect user name / password) is received from the RADIUS server that is authenticating the login, then a login through a secondary RADIUS server or authentication database is not attempted. If a configuration parameter is incorrect in either the RADIUS server or the switch AND the secondary database is Switch Database, then telnet or Web Tools Admin access could be gained, after timeout(s), using a local account that authenticates via the Switch Database.


Initial Security Configuration RADIUS Authentication (cont.)

Management access to a switch with primary database configured to RADIUS will attempt authentication via configured RADIUS server(s)
Possible RADIUS server responses: grant, deny, or time out
If response from all RADIUS servers is “timeout”, serial access can authenticate using switch database; ALL servers can similarly access IF secondary RADIUS server is set to Switch Database

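[Figure: a management server (network) and a serial/console server (serial cable) connect to a Fabric OS v4.4+ switch, which sends authentication requests to RADIUS Server 1 and RADIUS Server 2 and receives a response; callouts 1 to 6 mark the steps described below.]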

In the example above, the primary database is RADIUS, and the RADIUS servers have been properly configured with user names and passwords. When a management station attempts access, the following scenario occurs:
1. The management server attempts to access the switch (RADIUS client) using a user name/password combination configured on the RADIUS servers.
2. The authentication request is sent to the first RADIUS server in the RADIUS configuration (RADIUS Server 1).
3. If the response from RADIUS Server 1 is “accept”, management access is achieved; if the response is “deny”, the management server does not get access.
4. If there is a timeout from RADIUS Server 1, then the authentication request is sent to the second RADIUS server in the RADIUS configuration (RADIUS Server 2).
5. If the response from RADIUS Server 2 is “accept”, management access is achieved; if the response is “deny”, the management server does not get access.
6. If there is a timeout from RADIUS Server 2 AND the switch database is configured as a secondary database, then the user name/password is authenticated on the local switch.

Notes:
• Error messages related to RADIUS access attempts are displayed at the serial port console.
• Up to five RADIUS servers can be configured.
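The decision flow in steps 1 to 6, together with the slide's rule that serial access falls back to the switch database once every server has timed out, can be modelled in a few lines. This Python sketch is an added example, not Fabric OS code; the function names, account names and passwords are constructed, and the local database holds plain text only because it is a model.

```python
from enum import Enum


class Reply(Enum):
    ACCEPT = "accept"
    DENY = "deny"
    TIMEOUT = "timeout"


def authenticate(user, password, *, via_console, servers, secondary, switchdb):
    """Model a login on a switch whose primary database is RADIUS.

    servers   -- ordered list of (name, callable(user, password) -> Reply)
    secondary -- "none" or "switchdb", the two options named on the slide
    switchdb  -- dict of local accounts (constructed, plain text in this model)
    Returns (granted, decided_by).
    """
    for name, ask in servers:
        reply = ask(user, password)
        if reply is Reply.ACCEPT:
            return True, name
        if reply is Reply.DENY:
            # A denial is final: no further server, no secondary database.
            return False, name
        # Reply.TIMEOUT: move on to the next configured server.
    # Every configured server timed out.
    if via_console or secondary == "switchdb":
        granted = user in switchdb and switchdb[user] == password
        return granted, "switchdb"
    return False, "all RADIUS servers timed out"


def radius_server(users):
    """Constructed stand-in for a reachable, correctly configured server."""
    def ask(user, password):
        return Reply.ACCEPT if users.get(user) == password else Reply.DENY
    return ask


def unreachable(user, password):
    """Constructed stand-in for a server that never answers (or whose
    shared secret is wrong, which the slide notes also ends in timeouts)."""
    return Reply.TIMEOUT


def accounts_reachable_on_timeout(secondary, switchdb, *, via_console):
    """Local accounts that still authenticate when every server times out."""
    down = [("RADIUS Server 1", unreachable), ("RADIUS Server 2", unreachable)]
    return sorted(
        user for user, pw in switchdb.items()
        if authenticate(user, pw, via_console=via_console, servers=down,
                        secondary=secondary, switchdb=switchdb)[0]
    )


# Constructed sample data.
RADIUS_USERS = {"jdoe": "constructed-radius-pw"}
SWITCHDB = {"localadmin": "constructed-local-pw"}

if __name__ == "__main__":
    ok = radius_server(RADIUS_USERS)
    cases = {
        "server 1 accepts": [("RADIUS Server 1", ok), ("RADIUS Server 2", ok)],
        "server 1 times out": [("RADIUS Server 1", unreachable),
                               ("RADIUS Server 2", ok)],
    }
    for label, servers in cases.items():
        print(label, authenticate("jdoe", "constructed-radius-pw",
                                  via_console=False, servers=servers,
                                  secondary="none", switchdb=SWITCHDB))
    for secondary in ("none", "switchdb"):
        print("network, secondary =", secondary,
              accounts_reachable_on_timeout(secondary, SWITCHDB,
                                            via_console=False))
```

With the secondary database set to Switch Database, every enabled local account remains a network login path whenever RADIUS is unreachable or misconfigured, so the local password and account hygiene from the earlier slides still applies on a RADIUS-enabled switch.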


Verify Switch Status View Switch Uptime

Use switchuptime or uptime commands to display the amount of time the switch has been operational

RSL1_ST02_B41:admin> switchuptime
8:49pm up for 10 days 5 hrs 21 mins

RSL1_ST02_B41:admin> uptime
8:49pm up 10 days, 5:21, 1 user, load average: 0.01, 0.03, 0.00


Verify Switch Status Check Switch Status Commands

Display overall status of switch with switchstatusshow
Display current policy settings with switchstatuspolicyshow
– Marginal Status
   Yellow color when displayed in Web Tools or Fabric Manager
   Entry in error log, viewed with errshow, flagged as marginal
– Down Status
   Red color when displayed in Web Tools or Fabric Manager
   Entry in error log, viewed with errshow, flagged as faulty

Display temperature, fan, and power supply status with sensorshow

RSL1_ST02_B41:admin> switchstatusshow

Switch Health Report Report time: 05/16/2006 10:59:22 AM

Switch Name: RSL1_ST02_B41

IP address: 10.255.248.35

SwitchState: HEALTHY

Duration: 01:45

Power supplies monitor HEALTHY

Temperatures monitor HEALTHY

Fans monitor HEALTHY

Flash monitor HEALTHY

Marginal ports monitor HEALTHY

Faulty ports monitor HEALTHY

Missing SFPs monitor HEALTHY

Fabric Watch is not licensed

Detailed port information is not included


Verify Switch Status Check Switch Status Commands (cont.)

RSL1_ST02_B41:admin> sensorshow
sensor 1: (Temperature ) is Ok, value is 27 C
sensor 2: (Temperature ) is Ok, value is 30 C
sensor 3: (Temperature ) is Ok, value is 28 C
sensor 4: (Temperature ) is Ok, value is 28 C
sensor 5: (Temperature ) is Ok, value is 29 C
sensor 6: (Fan ) is Ok, speed is 5400 RPM
sensor 7: (Fan ) is Ok, speed is 5273 RPM
sensor 8: (Fan ) is Ok, speed is 5532 RPM
sensor 9: (Power Supply) is Ok
sensor 10: (Power Supply) is Ok

RSL1_ST02_B41:admin> switchstatuspolicyshow
The current overall switch status policy parameters:
                  Down    Marginal
----------------------------------
PowerSupplies     2       1
Temperatures      2       1
Fans              2       1
Flash             0       1
MarginalPorts     2       1
FaultyPorts       2       1
MissingSFPs       0       0

switchstatusshow: This command displays the overall status of the switch, which includes internal switch status, faulty ports, missing SFPs, power supplies, temperatures, fans, portstatus, and ISLStatus. The status may be one of the following: marginal/warning or down/failed.

switchstatuspolicyshow: This command prints the current policy parameters for calculating the overall status of the switch. The tolerances for calculating the status of the switch can be configured with switchstatuspolicyset.

RSL1_ST02_B200E:admin> switchstatusshow

Switch Health Report Report time: 05/21/2006 09:37:31 AM

Switch Name: RSL1_ST02_B200E

IP address: 10.255.248.32

SwitchState: HEALTHY

Duration: 70:56

Power supplies monitor HEALTHY

Temperatures monitor HEALTHY

Fans monitor HEALTHY

Flash monitor HEALTHY

Marginal ports monitor HEALTHY

Faulty ports monitor HEALTHY

Missing SFPs monitor HEALTHY

All ports are healthy


Verify Switch Status switchstatuspolicyset

Seven parameters that determine switch status
– PowerSupplies
– Temperatures
– Fans
– Flash
– MarginalPorts
– FaultyPorts
– MissingSFPs

Marginal triggers
– Yellow status in Web Tools

Down triggers
– Red status in Web Tools

These states are policy based and do not necessarily reflect the operational state of the switch

RSL1_ST02_B41:admin> switchstatuspolicyset
To change the overall switch status policy parameters
The current overall switch status policy parameters:
                  Down    Marginal
----------------------------------
PowerSupplies     1       1
Temperatures      2       1
Fans              2       1
Flash             0       1
MarginalPorts     2       1
FaultyPorts       2       1
MissingSFPs       0       0

Note that the value, 0, for a parameter, means that it is
NOT used in the calculation.
** In addition, if the range of settable values in the prompt is (0..0),
** the policy parameter is NOT applicable to the switch.
** Simply hit the Return key.
The minimum number of
Bad PowerSupplies contributing to DOWN status: (0..1) [1]
Bad PowerSupplies contributing to MARGINAL status: (0..1) [1]
Bad Temperatures contributing to DOWN status: (0..2) [2]
Bad Temperatures contributing to MARGINAL status: (0..2) [1]
Bad Fans contributing to DOWN status: (0..3) [2]
Bad Fans contributing to MARGINAL status: (0..3) [1]
Out of range Flash contributing to DOWN status: (0..1) [0]
Out of range Flash contributing to MARGINAL status: (0..1) [1]
MarginalPorts contributing to DOWN status: (0..16) [2]
MarginalPorts contributing to MARGINAL status: (0..16) [1]
FaultyPorts contributing to DOWN status: (0..16) [2]
FaultyPorts contributing to MARGINAL status: (0..16) [1]
MissingSFPs contributing to DOWN status: (0..16) [0]
MissingSFPs contributing to MARGINAL status: (0..16) [0]

No change
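The slide's point that these states are policy based can be seen by evaluating the same fault counts against the two policy tables shown on these slides. This Python sketch is an added example, not Fabric OS logic: it assumes a component contributes to a state once its bad count reaches the stated minimum, that DOWN takes precedence over MARGINAL, and the function names and fault counts are constructed.

```python
# Policy rows copied from the switchstatuspolicyset output above
# (PowerSupplies: Down 1, Marginal 1).
POLICY_SET_OUTPUT = """\
PowerSupplies 1 1
Temperatures 2 1
Fans 2 1
Flash 0 1
MarginalPorts 2 1
FaultyPorts 2 1
MissingSFPs 0 0
"""

# Policy rows copied from the earlier switchstatuspolicyshow output
# (PowerSupplies: Down 2, Marginal 1).
POLICY_SHOW_OUTPUT = POLICY_SET_OUTPUT.replace("PowerSupplies 1 1",
                                               "PowerSupplies 2 1")


def parse_policy(text):
    """Read `<name> <down> <marginal>` rows; ignore headers and rules."""
    policy = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1].isdigit() and parts[2].isdigit():
            policy[parts[0]] = (int(parts[1]), int(parts[2]))
    return policy


def switch_state(policy, bad_counts):
    """Return (state, contributing parameters) for the given fault counts.

    A threshold of 0 means the parameter is not used in the calculation,
    as the command output states.
    """
    down, marginal = [], []
    for name, (down_at, marginal_at) in policy.items():
        bad = bad_counts.get(name, 0)
        if down_at and bad >= down_at:
            down.append(name)
        elif marginal_at and bad >= marginal_at:
            marginal.append(name)
    if down:
        return "DOWN", down
    if marginal:
        return "MARGINAL", marginal
    return "HEALTHY", []


if __name__ == "__main__":
    one_bad_psu = {"PowerSupplies": 1}          # constructed fault counts
    for label, text in (("policyset", POLICY_SET_OUTPUT),
                        ("policyshow", POLICY_SHOW_OUTPUT)):
        print(label, switch_state(parse_policy(text), one_bad_psu))
    # MissingSFPs is 0/0 in both tables, so it never changes the state.
    print(switch_state(parse_policy(POLICY_SET_OUTPUT), {"MissingSFPs": 5}))
```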


Verify Switch Status Port Status

Port name command
– portname <port> or <slot>/<port>

Port enable/disable commands
– portdisable <port> or <slot>/<port>
– portenable <port> or <slot>/<port>
– portcfgpersistentdisable <port> or <slot>/<port>
– portcfgpersistentenable <port> or <slot>/<port>

Port status command
– portshow <port>

sw2:admin> portshow 2

portName: JBOD PORT

portFlags: 0x23806b portLbMod: 0x0 PRESENT ACTIVE F_PORT L_PORT U_PORT LOGIN NOELP LED ACCEPT

portType: 4.1

portState: 1 Online

portPhys: 6 In_Sync

portScn: 6 F_Port

portRegs: 0x81020000

portData: 0x102de900

portId: 330200

portWwn: 20:02:00:60:69:50:06:67

portWwn of device(s) connected: 21:00:00:20:37:38:60:e5

21:00:00:20:37:38:ab:42

21:00:00:20:37:36:02:4a

21:00:00:20:37:38:89:a9

21:00:00:20:37:59:84:17

21:00:00:20:37:97:02:13

21:00:00:20:37:0c:30:bf

21:00:00:20:37:87:49:7d

21:00:00:20:37:87:49:87

21:00:00:20:37:11:65:ec

Distance: normal

Speed: N1Gbps

Interrupts: 707 Link_failure: 0 Frjt: 0

Unknown: 90 Loss_of_sync: 69 Fbsy: 0

Lli: 191 Loss_of_sig: 0 Lip_in: 0

Proc_rqrd: 488 Protocol_err: 0 Lip_out: 7

Timed_out: 0 Invalid_word: 0 Lip_rx: F7,F7

Rx_flushed: 0 Invalid_crc: 0

Tx_unavail: 0 Delim_err: 0

Free_buffer: 0 Address_err: 47

Overrun: 0 Lr_in: 0

Suspended: 0 Lr_out: 0

Parity_err: 0 Ols_in: 0

Ols_out: 0

[Slide callouts on the portshow output: Port Name; Port initialization from right to left and current port type; Port WWNs of Devices: 10 Devices; Distance: Normal buffering; Port speed]


Verify Switch Status Port Speeds

Individual port speeds can be set by the administrator
   portcfgspeed <port>,<speed_level>

Set the speed level for all ports on a switch
   switchcfgspeed <speed_level>

Valid speeds
   0: auto-negotiated 1, 2, or 4 Gbit/sec
   1: 1 Gbit/sec
   2: 2 Gbit/sec
   4: 4 Gbit/sec

The SFP and hard-coded port speed should match, otherwise a Mod_Inv will display in switchshow output

Some devices prefer hard-coded speeds to auto-negotiation

Setting the port speed is a disruptive event, and can force a device to re-login to the fabric.


Verify Switch Status Port Settings & Port Setting Commands

portcfgshow

RSL1_ST02_B20:admin> portcfgshow
Ports of Slot 0    0  1  2  3    4  5  6  7    8  9 10 11   12 13 14 15
-----------------+--+--+--+--+----+--+--+--+----+--+--+--+----+--+--+--
Speed             1G 2G 4G AN   1G 2G 4G AN   AN AN AN AN   AN AN AN AN
Trunk Port        ON ON ON ON   ON ON ON ON   ON ON ON ON   ON ON ON ON
Long Distance     .. .. .. ..   .. .. .. LE   LE .. .. ..   .. .. .. ..
VC Link Init      .. .. .. ..   .. .. .. ..   ON .. .. ..   .. .. .. ..
Locked L_Port     .. .. .. ..   .. .. .. ..   .. .. .. ..   .. .. ON ..
Locked G_Port     .. .. .. ..   .. .. .. ..   .. .. .. ..   .. ON .. ..
Disabled E_Port   .. .. .. ..   .. .. .. ..   .. .. .. ..   .. .. .. ON
ISL R_RDY Mode    .. .. .. ..   .. .. .. ..   .. .. .. ON   .. .. .. ..
RSCN Suppressed   .. .. .. ..   .. .. .. ..   .. .. ON ..   .. .. .. ..
Persistent Disable.. .. .. ..   .. .. .. ..   .. ON .. ..   .. .. .. ..
NPIV capability   ON ON ON ON   .. ON .. ON   ON .. ON ..   ON ON ON ON

where AN:AutoNegotiate, ..:OFF, ??:INVALID.

portcfgdefault
portcfgeport, portcfglport, portcfggport

• Speed is displayed as 1G, 2G, 4G, or AN (when in Auto Speed Negotiation mode). This value is set by the portcfgspeed command.
• Trunk Port is displayed as ON (when port is set for trunking) or OFF (when trunking is disabled on the port) as set by the portcfgtrunkport command.
• Long Distance setting of the port is shown as blank when long distance mode is L0 (normal) and will display modes depending on the distance mode setting: LE (<= 10km), L0.5 (<= 25km), L1 (<= 50km), L2 (<= 100km), LD (auto), LS (static). This value is set by the portcfglongdistance command.
• VC link init setting of the port is shown as blank when VC link init mode is off or ON when VC link init mode is on. This value is set by the portcfglongdistance command.
• Locked L_Port is displayed as ON when port is locked to L_Port only or blank when L_Port lock mode is disabled (and it behaves as a U_Port). This value is set by the portcfglport command.
• Locked G_Port is displayed as ON when port is locked to G_Port only or blank when G_Port lock mode is disabled (and it behaves as a U_Port). This value is set by the portcfggport command.
• Disabled E_Port is displayed as ON when port is not allowed to be an E_Port. This value is set by the portcfgeport command.
• Persistent disable is displayed as ON when the port is disabled across reboots or power cycles or blank when the port is allowed to function normally. This mode is set by the portcfgpersistentdisable command.
• ISL R_RDY is displayed as ON when the port is set to R_RDY flow control. This mode is set by the portcfgislmode command.
• RSCN Suppressed is displayed as ON when RSCNs have been suppressed on the port. This mode is set by the portcfg rscnsupr command.
• Persistent Disable is displayed as ON when the port has been persistently disabled. This mode is set by the portcfgpersistentdisable command.
• NPIV capability mode is displayed as ON when the port is configured to perform N_port virtualization. This mode is set by the portcfgnpivport command.


SW3850_51:admin> switchshow

switchName: SW3850_51

switchType: 26.1

switchState: Online

switchMode: Native

switchRole: Subordinate

switchDomain: 51

switchId: fffc33

switchWwn: 10:00:00:60:69:50:06:67

switchBeacon: OFF

Zoning: OFF

port 0: id N1 Online F-Port 10:00:00:00:c9:24:76:16

port 1: id N2 Online F-Port 10:00:00:00:c9:29:06:4d

port 2: id N1 Online L-Port 10 public

port 3: id N2 Online Loopback->3

port 4: id N2 Online E-Port (Trunk port, master is port #5)

port 5: id N2 Online E-Port 10:00:00:60:69:90:04:f0 "SWT3850_53" (upstream) (Trunk master)

port 6: id N2 Online E-Port (Trunk port, master is port #5)

port 7: id N2 Online E-Port (Trunk port, master is port #5)

port 8: id N2 No_Light

port 9: id 2G No_Light

port 10: id N2 No_Light

port 11: id N2 No_Light

port 12: id 1G No_Light

port 13: id N2 No_Light

port 14: id N2 No_Light

port 15: -- N2 No_Module

Verify Switch Status Verifying Switch Operation

[Figure: Switch Domain #51 and Switch Domain #53, each drawn with ports 0 to 15; callouts: FC-AL, 10 Devices; No SFP]

The switchshow command can be used to verify the switch is operating correctly and display information about the switch status.

switchName - The switch’s name
switchType - model.motherboard-rev, where the model number is as follows:
   1=SilkWorm 1000
   2=SilkWorm 2800
   3=SilkWorm 2400
   4=SilkWorm 20x0
   5=SilkWorm 22x0
   9=SilkWorm 3800
   10=SilkWorm 12000
   12=SilkWorm 3900
   16=SilkWorm 3200
   21=SilkWorm 24000
   26=SilkWorm 3850
   27=SilkWorm 3250
   32=SilkWorm 4100
   34=SilkWorm 200E
   38=AP 7420
   42=SilkWorm 48000
   44=SilkWorm 4900
   46=SilkWorm 7500
switchState - The state of this switch: Online, Offline, Testing or Faulty
switchMode - The switch mode, Native or InterOp
switchRole - The switch role: Principal, Subordinate or disabled
switchDomain - The domain ID of this switch: 0 to 31 or 1 to 239.
switchID - The 24-bit address of this switch's embedded port: hex fffc00 to fffcef.
switchWwn - The World Wide Name of this switch
switchBeacon - Indicates if the beacon is turned on or not
Zoning - zoning status
Port Number - Each line shows the port number: 0 to 15, the GBIC type, the port state and a comment field
Port module type - The GBIC/SFP or other type follows the port number. The four types include (-- = none; sw = short wave; lw = long wave; cu = copper; id = intelligent)
Port speed - The speed of the port (1G, 2G, N1, N2, AN)
Long distance level - L0 (default), L1, L2, LE
Port state - The possible port states include:
   No_Card - no card present in this switch slot
   No_Module - no SFP module in this port
   No_Light - the module is not receiving light
   No_Sync - the module is receiving light but is out of sync
   In_Sync - the module is receiving light and is in sync (copper displays Sync, fiber, Online)
   Laser_Flt - the module is signaling a laser fault (defective GBIC)
   Port_Flt - the port has been marked faulty (defective GBIC, cable, or device)
   Diag_Flt - the port failed diagnostics (defective G_Port or FL_Port card or motherboard)
   Online - the port is up and running
   Lock_Ref - the port is locking to the reference signal
   Testing - running diagnostics
Comment field - Some possible comments include: Disabled, Loopback


Verify Switch Status Port Status LEDs

Port status LED behavior may vary per switch type
Check the Hardware Reference Guide for your particular switch
Example for the SilkWorm 4100:

Port Status LED State                        Meaning
Flickering Green                             Port is online and frames are passing through the port
Steady Green                                 Port is connected to another device, but has no traffic
Slow Flashing Amber (2 second intervals)     Port is disabled
Fast Flashing Amber (½ second intervals)     Port is faulty
Slow Green (2 second intervals)              Port is online but segmented

Port Speed and Serial Port LEDs

Location of LED: Above each port on right
Purpose of LED: Indicates port speed
Color of LED     Status of Hardware                                  Recommended Action
No light         POST is running, or port is Tx/Rx at 1 Gbit/sec     None
Steady green     Port is Tx/Rx at 2 Gbit/sec                         None
Steady amber     Port is Tx/Rx at 4 Gbit/sec                         None

Location of LED: Below serial port
Purpose of LED: Indicates switch power
Color of LED     Status of Hardware                                  Recommended Action
No light         Boot not complete or failed; switch may be off      Verify boot completed; contact switch vendor
Steady green     Switch on and boot completed                        None
Slow green       One or more ports failed POST                       Check error log

Port Speed LED for 3900/12000: upper LED

Each SilkWorm 4100 port has two LEDs on an LED assembly below the ports. The port-speed LED is on the right and port-status LED is on the left. Top row LEDs are for ports 0-3; 8-11; 16-19; and 24-27. Bottom row LEDs are for ports 4-7; 12-15; 20-23; and 28-31.


Fabric Parameters Configuration Parameters

They dictate the way the switch will behave
Set using the configure command
– Some configure parameters can be changed online

Disable the switch before setting fabric configuration parameters
RSL1_ST02_B41:admin> switchdisable; configure

Reset to factory defaults by using the configdefault command
RSL1_ST02_B41:admin> switchdisable; configdefault

Parameters not reset by a configdefault
– World Wide Name
– Ethernet settings (MAC address, IP address, subnetmask)
– IP gateway address
– SNMP configuration
– Zoning configuration
– Switch name
– License keys

An example of some of the configuration parameters:

RSL1_ST02_B41:admin> switchdisable; configure

Configure...

Fabric parameters (yes, y, no, n): [no] y

Domain: (1..239) [1]

R_A_TOV: (4000..120000) [10000]

E_D_TOV: (1000..5000) [2000]

WAN_TOV: (0..30000) [0]

MAX_HOPS: (7..19) [7]

Data field size: (256..2112) [2112]

Sequence Level Switching: (0..1) [0]

Disable Device Probing: (0..1) [0]

Suppress Class F Traffic: (0..1) [0]

Switch PID Format: (1..2) [1]

Per-frame Route Priority: (0..1) [0]

Long Distance Fabric: (0..1) [0]

BB credit: (1..27) [16]

Fabric Parameters Consistent Fabric Parameters

The configshow command will display parameter settings

RSL1_ST02_B20:admin> configshow fabric.ops
fabric.ops.BBCredit:16
fabric.ops.E_D_TOV:2000
fabric.ops.R_A_TOV:10000
fabric.ops.dataFieldSize:2112
fabric.ops.max_hops:7
fabric.ops.mode.fcpProbeDisable:0
fabric.ops.mode.isolate:0
fabric.ops.mode.longDistance:0
fabric.ops.mode.noClassF:0
fabric.ops.mode.pidFormat:1
fabric.ops.mode.tachyonCompat:0
fabric.ops.mode.unicastOnly:0
fabric.ops.mode.useCsCtl:0
fabric.ops.vc.class.2:2
fabric.ops.vc.class.3:3
fabric.ops.vc.config:0xc0
fabric.ops.vc.linkCtrl:0
fabric.ops.vc.multicast:7
fabric.ops.wan_tov:0

fabric.ops parameters must be consistent on all switches throughout the fabric; otherwise switches cannot join together

fabric.ops.pidFormat is the most commonly changed default setting

– pidFormat = 1 (Core PID) is the default setting for all 4 Gbit/sec switches and some 2 Gbit/sec models

– pidFormat = 0 (Native PID) is the default for all 1 Gbit/sec switches and some 2 Gbit/sec models

Other fabric.ops parameters:

fabric.ops.mode.longDistance: In fabrics with version 2.x switches this command is used in conjunction with the portcfglongdistance command to extend ISL capabilities (Extended Fabrics switch license required).

fabric.ops.mode.noClassF: Class F frames will not be used for inter-switch communications - Class 2 is used. Toggle using Suppress Class F Traffic under Fabric Parameters.

fabric.ops.mode.pidFormat: Used to enable PID and Extended Edge PID formats. The Core PID format is the default on all 4 Gbit/sec SilkWorm switches.

fabric.ops.mode.sync: Used to prevent time out delays in remote Fabrics.

fabric.ops.mode.useCsCtl: Type configure then yes to Fabric parameters and toggle Per-frame Route Priority: (0..1) [0] to change fabric.ops.mode.useCsCtl. Creates additional Virtual Channel ID for per-frame based prioritization, using existing VCs plus frame header information.

fabric.ops.mode.vcEncode: The output relates to Virtual Channel (vc) settings for establishing communication priority over ISLs and are configurable only when VC Encoded Address Mode is set. Like all fabric.ops parameters, they must be the same on all fabric switches.

Other fabric.ops parameters are explained in the Fabric OS Reference Guide.

Fabric operating mode parameters include:

Disable Device Probing      fabric.ops.mode.fcpProbeDisable
Isolated Operation          fabric.ops.mode.isolate
Long Distance Fabric        fabric.ops.mode.longDistance
Suppress Class F Traffic    fabric.ops.mode.noClassF
Switch PID Format           fabric.ops.mode.pidFormat
Sequence Level Switching    fabric.ops.mode.tachyonCompat
Unicast-only Operation      fabric.ops.mode.unicastOnly
Per-frame Route Priority    fabric.ops.mode.useCsCtl

Administrative Tasks Booting a Switch

fastboot boots the switch bypassing POST

reboot boots the switch and includes POST*

switchreboot reboots a logical switch in a dual-domain SilkWorm 24000

* reboot includes POST unless diagdisablepost is configured.

Administrative Tasks Join an Existing Brocade Fabric

Adding a new switch to an existing fabric
– switchdisable
– configure; set the domain ID
– connect one or more ISLs
– switchenable

Verify fabric membership with the fabricshow command

RSL1_ST02_B41:admin> fabricshow
Switch ID   Worldwide Name           Enet IP Addr    FC IP Addr      Name
-------------------------------------------------------------------------
  1: fffc01 10:00:00:05:1e:02:12:a5 10.255.248.32   0.0.0.0        >"RSL1_ST02_B20"
  2: fffc02 10:00:00:05:1e:02:ab:21 10.255.248.35   0.0.0.0         "RSL1_ST02_B41"

The Fabric has 2 switches

The “>” denotes the Principal Switch.
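The two join conditions covered above (identical fabric.ops values on every switch, and a domain ID no other switch holds) can be checked before cabling the ISL. This is an added example, not part of the Brocade course material: it parses configshow and fabricshow text in the format shown on this page, NEW_CFG is constructed sample input, and all function names are hypothetical.

```python
import re
# Subset of the page's `configshow fabric.ops` output (existing fabric switch).
FABRIC_CFG = """\
fabric.ops.E_D_TOV:2000
fabric.ops.mode.pidFormat:1
fabric.ops.vc.config:0xc0
"""
# Constructed sample: a hypothetical new switch still set to Native PID.
NEW_CFG = FABRIC_CFG.replace("pidFormat:1", "pidFormat:0")
# fabricshow rows as shown on the page.
FABRICSHOW = """\
  1: fffc01 10:00:00:05:1e:02:12:a5 10.255.248.32 0.0.0.0 >"RSL1_ST02_B20"
  2: fffc02 10:00:00:05:1e:02:ab:21 10.255.248.35 0.0.0.0 "RSL1_ST02_B41"
"""
# domain, switch ID, WWN, Enet IP, FC IP, optional ">" principal marker, name
ROW = re.compile(r'^\s*(\d+):\s+[0-9a-f]{6}\s+\S+\s+\S+\s+\S+\s+(>?)"([^"]+)"', re.I)

def parse_configshow(text):
    """Return {key: value} for each fabric.ops.* line of configshow output."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key.startswith("fabric.ops."):
            cfg[key] = value.strip()
    return cfg

def fabric_ops_mismatches(fabric_text, new_text):
    """Return {key: (fabric value, new-switch value)} where the two differ."""
    old, new = parse_configshow(fabric_text), parse_configshow(new_text)
    return {k: (old.get(k), new.get(k))
            for k in sorted(old.keys() | new.keys()) if old.get(k) != new.get(k)}

def domains_in_use(fabricshow_text):
    """Return {domain ID: (switch name, is_principal)} from fabricshow rows."""
    rows = (ROW.match(line) for line in fabricshow_text.splitlines())
    return {int(m.group(1)): (m.group(3), m.group(2) == ">") for m in rows if m}

def preflight(fabric_text, new_text, fabricshow_text, new_domain):
    """List reasons the new switch would not join; an empty list means clear."""
    problems = [f"{k}: fabric={a} new={b}"
                for k, (a, b) in fabric_ops_mismatches(fabric_text, new_text).items()]
    if not 1 <= new_domain <= 239:      # range offered by the configure prompt
        problems.append(f"domain ID {new_domain} outside 1..239")
    elif new_domain in domains_in_use(fabricshow_text):
        problems.append(f"domain ID {new_domain} already in use")
    return problems

if __name__ == "__main__":
    for problem in preflight(FABRIC_CFG, NEW_CFG, FABRICSHOW, 2):
        print(problem)
```

A missing key on either side is reported with a value of None, so a parameter present on only one switch also shows up as a mismatch.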

Administrative Tasks Attach Devices

To attach a device to a switch, power it on, wait for it to come up, and then plug it in to the switch port
Optional steps for the conservative administrator
– Issue portdisable prior to plugging in a device to avoid noise
– Once cable is secure, issue portenable to bring the port online

Switch will automatically negotiate the device speed and port type
– Individual switch ports will negotiate speed to 4, 2, or 1 Gbit/sec to match the attached device
– Individual switch ports will determine the proper port type
   F_Port
   FL_Port

Verify device connection using switchshow and nsshow

Administrative Tasks Verify Device Name Server Registration

Did the device log in to the name server as expected?
Verify that an entry exists
Verify Type
– Did you expect N or NL?
– Configurable on most HBAs
– Configurable on switch ports with the portcfgshow command

RSL1_ST02_B41:admin> nsshow
{
 Type Pid    COS     PortName                NodeName                 TTL(sec)
 NL   0200e2;      3;21:00:00:04:cf:92:69:9e;20:00:00:04:cf:92:69:9e; na
    FC4s: FCP [SEAGATE ST318452FC 0004]
<truncated output>
The Local Name Server has 4 entries }

Use the nsshow command to display local Name Server information, including information about devices connected to this switch, and cached information about devices connected to other switches in the fabric. Each line of output shows:

* Indicates a cached entry from another switch.

Type U for unknown, N for N_Port, NL for NL_Port.

PID 24-bit Fibre Channel address.

COS List of classes of service supported by device.

PortName Device port worldwide name.

NodeName Device node worldwide name.

TTL Time-to-live (in seconds) for cached entries, or NA (not applicable) if the entry is local.

There may be additional lines if the device has registered any of the following information (the switch automatically registers SCSI inquiry data for FCP target devices):

– FC4s supported
– IP address
– IPA
– Port and node symbolic names
– Fabric Port Name: This is the WWN of the port to which a device is physically connected.
– Hard address and/or port IP address

-r Lists the State Change Registration
0 – Reserved
1 – (Fabric Detected Registration) Register to receive all RSCN requests issued by the Fabric Controller for events detected by the fabric.
2 – (N_Port Detected Registration) Register to receive all RSCN requests issued by the Fabric Controller for events detected by the affected N_Port or NL_Port.
3 – (Full Registration (1 and 2)) Register to receive all RSCN requests issued by the Fabric Controller for events detected by the affected N_Port ID pages.

Summary

Installation and configuration of Brocade switches includes the following steps:
– Initial Configuration
– Initial Security Configuration
– Verify Switch Status
– Fabric Parameters
– Administrative Tasks

Review Questions

1. What single command displays the current temperature, fan, and power supply status?

2. You are about to add a new switch to an existing fabric. In order for the new switch to join successfully, what parameter must be set to a unique value?

3. When placing a new switch into an existing fabric, what parameters must be set to the same values as the existing fabric?

4. An administrator has plugged a new tape device into a switch port. Name a command to verify the tape device is properly attached to the switch.

5. Name three management interfaces into a Brocade switch.

1. sensorshow

2. Domain ID

3. fabric.ops parameters

4. nsshow

5. Telnet, Serial, SSH, Web Tools, SNMP, Fabric Manager, SMI-S
