Brocade Communications Systems 53-1001763-02 D

Fabric OS Administrator’s Guide 521

53-1001763-02

Appendix

D

FIPS Support

In this appendix

•FIPS overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521

•Zeroization functions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521

•FIPS mode configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523

•Preparing the switch for FIPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527

FIPS overview

Federal information processing standards (FIPS) specify the security standards to be satisfied by a

cryptographic module utilized in Fabric OS v6.0.0 and later to protect sensitive information in the

switch. As part of FIPS 140-2 level 2 compliance passwords, shared secrets, and the private keys

used in SSL, TLS, and system login need to be cleared out or zeroized. Power-up self tests are

executed when the switch is powered on to check for the consistency of the algorithms

implemented in the switch. Known-answer-tests (KATs) are used to exercise various features of the

algorithm and their results are displayed on the console for your reference. Conditional tests are

performed whenever an RSA key pair is generated. These tests verify the randomness of the

deterministic and non-deterministic random number generator (DRNG and non-DRNG). They also

verify the consistency of RSA keys with regard to signing and verification and encryption and

decryption.

ATTENTION

When FIPS mode is enabled, this is a chassis-wide setting and affects all logical switches.

Zeroization functions

Explicit zeroization can be done at the discretion of the security administrator. These functions

clear the passwords and the shared secrets. Table 102 lists the various keys used in the system

that will be zeroized in a FIPS-compliant Fabric OS module.

TABLE 102 Zeroization behavior

Keys Zeroization CLI Description

DH private keys No CLI required Keys will be zeroized within code before they are

released from memory.

FCAP private key pkiRemove The pkiCreate command creates the keys, and

'pkiremove' removes/zeroizes the keys.

Contents

Main Brocade Communications Systems, Incorporated Document History Title Publication number Summary of changes Date Page Contents About This Document Section I Standard Features Chapter 1 Understanding Fibre Channel Services Chapter 2 Performing Basic Configuration Tasks Chapter 3 Performing Advanced Configuration Tasks Chapter 4 Routing Traffic Chapter 5 Managing User Accounts Chapter 6 Configuring Protocols Chapter 7 Configuring Security Policies Chapter 8 Maintaining the Switch Configuration File Chapter 9 Installing and Maintaining Firmware Chapter 10 Managing Virtual Fabrics Chapter 11 Administering Advanced Zoning Chapter 12 Traffic Isolation Zoning Chapter 13 Administering NPIV Chapter 14 Interoperability for Merged SANs Chapter 15 Managing Administrative Domains Section II Licensed Features Chapter 16 Administering Licensing Chapter 17 Monitoring Fabric Performance Chapter 18 Optimizing Fabric Behavior Chapter 19 Managing Trunking Connections Chapter 20 Managing Long Distance Fabrics Chapter 21 Using the FC-FC Routing Service Appendix A M-EOS Migration Path to Fabric OS Appendix B Inband Management Appendix C Port Indexing Appendix D FIPS Support Page Page Figures Page Page Page Tables Page Page Page About This Document How this document is organized Supported hardware and software Whats new in this document Document conventions Text formatting Command syntax conventions Notes, cautions, and warnings Key terms Notice to the reader Additional information Brocade resources Other industry resources Getting technical help Document feedback Page Section I Standard Features Page Understanding Fibre Channel Services Fibre Channel services overview FIGURE 1 The Management Server Platform services Platform services in a Virtual Fabric Enabling platform services Management server database Displaying the management server ACL Adding a member to the ACL Deleting a member from the ACL Management server database Viewing the contents of the management server database 2. Enter the msPlatShow command. Example of viewing the contents of the management server platform database Clearing the management server database The command msPlClearDB is allowed only in AD0 and AD255. Topology discovery Displaying topology discovery status Enabling topology discovery Disabling topology discovery Device login Principal switch E_Port login Fabric login Port login process RSCN causes High availability of daemon processes TA B L E 1 Page Performing Basic Configuration Tasks Fabric OS overview Fabric OS command line interface Console sessions using the serial port Connecting to Fabric OS through the serial port Telnet or SSH sessions Rules for Telnet connections - Connecting to Fabric OS using Telnet Getting help on a command Password modification Default account passwords Changing the default account passwords at login TA B L E 2 The Ethernet interface on your switch Virtual Fabrics and the Ethernet interface Displaying the network interface settings Static Ethernet addresses Setting the static addresses for the Ethernet network interface Setting the static addresses for the chassis IP management interface DHCP activation Enabling DHCP Disabling DHCP IPv6 autoconfiguration Setting IPv6 autoconfiguration Date and time settings Setting the date and time Time zone settings Setting the time zone Setting the time zone interactively Network time protocol Synchronizing the local time with an external source Domain IDs Displaying the domain IDs Setting the domain ID Switch names Customizing the switch name Chassis names Customizing chassis names Switch activation and deactivation Disabling a switch Enabling a switch Powering off a Brocade switch Powering off a Brocade enterprise-class platform Basic connections Device connection Switch connection Page Performing Advanced Configuration Tasks PIDs and PID binding overview Core PID addressing mode Fixed addressing mode 10-bit addressing mode 256-area addressing mode WWN-based PID assignment Virtual Fabric considerations NPIV Enabling automatic PID assignment Assigning a static PID Clearing PID binding Ports TA B L E 3 Setting port names Port identification by slot and port number Port identification by port area ID Port identification by index Swapping port area IDs Port activation and deactivation Enabling a port Disabling a port Setting port speeds Setting the same speed for all ports on the switch Blade terminology and compatibility TA B L E 4 Blade terminology and compatibility 3 TA B L E 4 Definition Term Abbreviation Blade ID (slotshow) CP blades Core blades Port and application blade compatibility TA B L E 5 TA B L E 6 TA B L E 5 FX8-24 compatibility notes Enabling and disabling blades Enabling blades FA4-18 application blade enabling exceptions FC4-48 and FC8-48 port blade enabling exceptions FR4-18i application blade enabling exceptions Disabling blades Blade swapping Swapping blades FIGURE 2 FIGURE 3 FIGURE 4 Power management Powering off a port blade Powering on a port blade Equipment status Checking switch operation Verifying High Availability features (directors and enterprise-class platforms only) Verifying fabric connectivity Verifying device connectivity Track and control switch changes Enabling the track changes feature Displaying the status of the track changes feature Viewing the switch status policy threshold values Setting the switch status policy threshold values Page Audit log configuration Auditable event classes Verifying host syslog prior to configuring the audit log TA B L E 7 Configuring an audit log for specific event classes Page Routing Traffic About this chapter Routing overview Path versus route selection FSPF FIGURE 5 Fibre Channel NAT Inter-switch links Buffer credits Virtual Channels FIGURE 7 FIGURE 8 Gateway links FIGURE 9 Configuring a link through a gateway Inter-chassis links FIGURE 1 0 Supported topologies TA B L E 8 FIGURE 1 1 Chassis 1 Chassis 3 Routing policies ICL 3 ICL 1 ICL 2 Chassis 2 Displaying the current routing policy Exchange-based routing Port-based routing AP route policy Routing in Virtual Fabrics Setting the routing policy Setting up the AP route policy Route selection Dynamic Load Sharing Setting DLS Static route assignment Assigning a static route Removing a static route Frame order delivery Forcing in-order frame delivery across topology changes Restoring out-of-order frame delivery across topology changes Lossless Dynamic Load Sharing on ports TA B L E 9 Lossless core ICL Limitations Traffic flow limitations Configuring Lossless Dynamic Load Sharing Frame Redirection FIGURE 12 Creating a frame redirect zone Deleting a frame redirect zone Viewing redirect zones Managing User Accounts User accounts overview Role-Based Access Control (RBAC) TA B L E 1 0 Role permissions Table 11 describes the types of permissions that are assigned to roles. TA B L E 11 TA B L E 1 2 User accounts overview TA B L E 1 2 User accounts overview 5 The management channel TA B L E 13 TA B L E 1 2 Local database user accounts Default accounts Displaying account information Creating an account Local account passwords Changing the password for the current login account Changing the password for a different account Local account database distribution Distributing the local user database Accepting distribution of user databases on the local switch Rejecting distributed user databases on the local switch Password policies Password strength policy Password history policy Password expiration policy Account lockout policy Enabling the admin lockout policy Unlocking an account Disabling the admin lockout policy Denial of service implications The boot PROM password Setting the boot PROM password for a switch with a recovery string Setting the boot PROM password for a director with a recovery string Setting the boot PROM password for a switch without a recovery string Setting the boot PROM password for a director without a recovery string The authentication model using RADIUS and LDAP TA B L E 15 Setting the switch authentication mode Fabric OS user accounts TA B L E 1 5 Fabric OS users on the RADIUS server TA B L E 16 Windows 2000 IAS FIGURE 13 Linux FreeRadius server TA B L E 1 7 RADIUS configuration with Admin Domains or Virtual Fabrics The RADIUS server Configuring RADIUS server support with Linux Page Configuring RADIUS server support with Windows 2000 RSA RADIUS server The authentication model using RADIUS and LDAP FIGURE 1 4 FIGURE 15 LDAP configuration and Microsoft Active Directory Creating a user Creating a group Assigning the group (role) to the user Adding an Admin Domain or Virtual Fabric list Adding attributes to the Active Directory Schema Authentication servers on the switch Adding a RADIUS or LDAP server to the switch configuration Enabling and disabling a RADIUS or LDAP server Deleting a RADIUS or LDAP server from the configuration Changing a RADIUS or LDAP server configuration Configuring local authentication as backup Page Configuring Protocols Security protocols TA B L E 1 8 Secure Copy TA B L E 19 TA B L E 2 0 TA B L E 1 8 Setting up SCP for configUploads and downloads Secure Shell protocol SSH public key authentication Allowed-user Configuring SSH authentication Page Deleting keys on the switch Secure Sockets Layer protocol Browser and Java support SSL configuration overview Certificate authorities TA B L E 21 Generating a public and private key Generating and storing a CSR Obtaining certificates Installing a switch certificate The browser Checking and installing root certificates on Internet Explorer Checking and installing root certificates on Mozilla Firefox Root certificates for the Java Plug-in Installing a root certificate to the Java Plug-in Simple Network Management Protocol SNMP and Virtual Fabrics Filtering ports Switch and Chassis context enforcement The security level Telnet protocol Blocking Telnet Unblocking Telnet Listener applications Ports and applications used by switches TA B L E 2 2 TA B L E 2 3 Port configuration TA B L E 24 TA B L E 2 3 Configuring Security Policies ACL policies overview How the ACL policies are stored Policy members ACL policy management TA B L E 2 5 Displaying ACL policies Saving changes without activating the policies Activating policy changes Deleting an ACL policy Adding a member to an existing ACL policy Removing a member from an ACL policy Aborting unsaved policy changes FCS policies FCS policy restrictions TA B L E 2 6 Ensuring fabric domains share policies Creating an FCS policy TA B L E 27 Modifying the order of FCS switches FCS policy distribution DCC policies TA B L E 2 8 DCC policy restrictions Creating a DCC policy TA B L E 2 9 Deleting a DCC policy SCC policies Creating an SCC policy TA B L E 3 0 Authentication policy for fabric elements FIGURE 1 6 Switch A Switch B Key database on switch Local secret A Peer secret B Key database on switch Local secret B Peer secret A E_Port authentication Configuring E_Port authentication Re-authenticating E_Ports Device authentication policy Configuring device authentication AUTH policy restrictions Supported HBAs Authentication protocols Viewing the current authentication parameter settings for a switch Setting the authentication protocol Secret key pairs for DH-CHAP Viewing the list of secret key pairs in the current switch database Setting a secret key pair FCAP configuration overview Generating the key and CSR for FCAP Exporting the CSR for FCAP TA B L E 31 Import CA for FCAP Importing the FCAP switch certificate Updating the switch database for FCAP authentication Starting FCAP authentication Fabric-wide distribution of the Auth policy IP Filter policy Creating an IP Filter policy Cloning an IP Filter policy Displaying an IP Filter policy Saving an IP Filter policy Activating an IP Filter policy Deleting an IP Filter policy IP Filter policy rules TA B L E 3 2 TA B L E 3 3 TA B L E 3 4 TA B L E 3 2 IP Filter policy enforcement Adding a rule to an IP Filter policy Deleting a rule to an IP Filter policy Aborting an IP Filter transaction IP Filter policy distribution Policy database distribution Policy database distribution 7 Database distribution settings Displaying the database distribution settings 2. Enter the fddcfg --showall command. Example shows the database distribution settings TA B L E 3 5 ACL policy distribution to other switches Distributing the local ACL policies Fabric-wide enforcement Displaying the fabric-wide consistency policy Setting the fabric-wide consistency policy TA B L E 37 Notes on joining a switch to the fabric Matching fabric-wide consistency policies Non-matching fabric-wide consistency policies TA B L E 3 8 Management interface security TA B L E 3 9 TA B L E 4 0 Configuration examples Endpoint-to-Endpoint Transport or Tunnel FIGURE 1 7 Gateway-to-Gateway Tunnel FIGURE 18 IPsec protocols Security associations IPsec proposal Authentication and encryption algorithms IPsec policies IPsec traffic selector IPsec transform TA B L E 41 IKE policies Key management Pre-shared keys Security certificates Static Security Associations Creating the tunnel Page Example of an End-to-End Transport Tunnel mode Page Page Maintaining the Switch Configuration File Configuration settings Configuration file format Configuration settings 8 Chassis section Switch section Configuration file backup Uploading a configuration file in interactive mode Configuration file restoration Restrictions TA B L E 4 2 Configuration download without disabling a switch Restoring a configuration Configuration file restoration 8 Example of configDownload without Admin Domains Example of configDownload with Admin Domains Example of a non-interactive download of all configurations (chassis + switches) Configurations across a fabric Downloading a configuration file from one switch to another same model switch Security considerations Configuration management for Virtual Fabrics Uploading a configuration file from a switch with Virtual Fabrics enabled Restoring logical switch configuration using configDownload Restrictions Brocade configuration form TA B L E 4 3 Page Installing and Maintaining Firmware Firmware download process overview Upgrading and downgrading firmware Considerations for FICON CUP environments HA sync state TA B L E 4 4 Preparing for a firmware download Connected switches Finding the switch firmware version Obtain and decompress firmware Firmware download on switches Switch firmware download process overview Page Firmware download on an enterprise-class platform Enterprise-class platform firmware download process overview Upgrading firmware on enterprise-class platforms (including blades) Page Firmware download on an enterprise-class platform 9 Firmware download from a USB device Enabling USB Viewing the USB file system Downloading from USB using the relative path Downloading from USB using the absolute path FIPS Support Public and Private Key Management Updating the firmwarekey The firmwareDownload Command Configuring the switch for signed firmware Power-on Firmware Checksum Test Test and restore firmware on switches Testing a different firmware version on a switch Test and restore firmware on enterprise-class platforms Testing different firmware versions on enterprise-class platforms Page Validating a firmware download Validating a firmware download Managing Virtual Fabrics Virtual Fabrics overview Logical switch overview Default logical switch Fabric OS Administrators Guide 211 53-1001763-02 Logical switch overview 10 FIGURE 20 FIGURE 2 1 Before enabling Virtual Fabrics After enabling Virtual Fabrics Before logical switch creation After logical switch creation Logical switches and fabric IDs FIGURE 22 Port assignment in logical switches FIGURE 23 Logical switches and connected devices FIGURE 24 FIGURE 25 Logical fabric overview Logical fabric and ISLs FIGURE 26 FIGURE 2 7 Logical fabric and ISL sharing FIGURE 28 FIGURE 29 FIGURE 30 Logical ports Logical fabric formation Management model for logical switches - - - - Account management and Virtual Fabrics Supported platforms for Virtual Fabrics Supported port configurations in the Brocade 5100, 5300, and VA-40FC Supported port configurations in the Brocade DCX and DCX-4S Virtual Fabrics interaction with other Fabric OS features TA B L E 45 Limitations and restrictions of Virtual Fabrics TA B L E 4 6 Fabric OS feature Virtual Fabrics interaction TA B L E 47 Platform Maximum number of logical switches Enabling Virtual Fabrics mode Disabling Virtual Fabrics mode Configuring logical switches to use basic configuration values Creating a logical switch or base switch Page Executing a command in a different logical fabric context Deleting a logical switch Adding and removing ports on a logical switch Displaying logical switch configuration Changing the fabric ID of a logical switch Changing a logical switch to a base switch Setting up IP addresses for a Virtual Fabric Removing an IP address for a Virtual Fabric Configuring a logical switch to use XISLs Changing the context to a different logical fabric Creating a logical fabric using XISLs FIGURE 3 1 Page Page Administering Advanced Zoning Special zones Zoning overview FIGURE 32 Zone types TA B L E 4 8 Zoning overview Zone objects A zone object is any device in a zone, such as: TA B L E 4 9 Zoning approach Description Recommended approach Zone aliases Zone configurations Zoning enforcement Identifying the enforced zone type Considerations for zoning architecture TA B L E 5 0 Best practices for zoning Broadcast zones Broadcast zones and Admin Domains FIGURE 33 Broadcast zones and FC-FC routing High availability considerations with broadcast zones Loop devices and broadcast zones Broadcast zones and default zoning Zone aliases Creating an alias Adding members to an alias Removing members from an alias Deleting an alias Viewing an alias in the defined configuration Zone creation and maintenance Creating a zone Adding devices (members) to a zone Removing devices (members) from a zone Deleting a zone Viewing a zone in the defined configuration Validating a zone Default zoning mode Setting the default zoning mode Viewing the current default zone access mode Zoning database size Zoning configurations Creating a zoning configuration Adding zones (members) to a zoning configuration Removing zones (members) from a zone configuration Enabling a zone configuration Disabling a zone configuration Deleting a zone configuration Clearing changes to a configuration Viewing all zone configuration information Viewing selected zone configuration information Viewing the configuration in the effective zone database Clearing all zone configurations Zone object maintenance Copying a zone object Deleting a zone object Renaming a zone object Zoning configuration management New switch or fabric additions - - - - Security and zoning Zone merging scenarios Table 51 provides information on merging zones and the expected results. TA B L E 51 Zone merging scenarios 11 TA B L E 51 Traffic Isolation Zoning Traffic Isolation Zoning overview FIGURE 34 TI zone failover Additional considerations when disabling failover TA B L E 5 2 FIGURE 35 FSPF routing rules and traffic isolation FIGURE 36 FIGURE 3 7 Enhanced TI zones FIGURE 38 FIGURE 39 Traffic Isolation Zoning over FC routers FIGURE 40 TI within an edge fabric FIGURE 4 1 TI within a backbone fabric FIGURE 42 Limitations of TI zones over FC routers General rules for TI zones FIGURE 43 Supported configurations for Traffic Isolation Zoning - Additional configuration rules for enhanced TI zones Trunking with TI zones Limitations and restrictions of Traffic Isolation Zoning Admin Domain considerations for Traffic Isolation Zoning Virtual Fabric considerations for Traffic Isolation Zoning Virtual Fabric considerations for Traffic Isolation Zoning FIGURE 44 FIGURE 45 FIGURE 46 Traffic Isolation Zoning over FC routers with Virtual Fabrics FIGURE 4 7 FIGURE 48 Creating a TI zone Page Creating a TI zone in a base fabric Modifying TI zones Changing the state of a TI zone Deleting a TI zone Displaying TI zones Setting up TI over FCR (sample procedure) FIGURE 49 Page b. Enter the following commands to create and display a TI zone: Setting up TI over FCR (sample procedure) Administering NPIV NPIV overview Upgrade considerations Fixed addressing mode 10-bit addressing mode TA B L E 5 3 Configuring NPIV TA B L E 5 3 Enabling and disabling NPIV Viewing NPIV port configuration information Viewing NPIV port configuration information 13 Viewing NPIV port configuration information Viewing virtual PID login information Interoperability for Merged SANs Interoperability overview Connectivity solutions FIGURE 50 Domain ID offset modes TA B L E 5 4 TA B L E 5 5 Configuring the Domain_ID offset McDATA Fabric mode configuration restrictions McDATA Open Fabric mode configuration restrictions Interoperability support for logical switches Switch configurations for interoperability Enabling McDATA Open Fabric mode Enabling McDATA Fabric mode Enabling Brocade Native mode Zone management in interoperable fabrics Zoning restrictions Zone name restrictions Zoning modes Default zoning mode Safe zoning mode Setting the safe zone mode on a stand-alone switch Setting the safe zone mode fabric-wide Disabling safe zone mode Effective zone configuration Saving the effective zone configuration to the Defined Database Frame Redirection in interoperable fabrics Traffic Isolation zones in interoperable fabrics Brocade SANtegrity implementation in mixed fabric SANS Fabric OS Layer 2 Fabric Binding E_Port authentication between Fabric OS and M-EOS switches TA B L E 5 6 TA B L E 5 7 TA B L E 5 8 Table 59 describes the device authentication mode. Switch authentication policy Switch authentication policy when the switch secrets are correct TA B L E 5 9 Fabric OS authentication mode M-EOS support M-EOS switch explanation Authentication policy when the secrets are not correct TA B L E 61 Fabric OS Passive Active On Off TA B L E 6 2 Dumb switch authentication TA B L E 6 3 Authentication of EX_Port, VE_Port, and VEX_Port connections Authentication of VE_Port-to-VE_Port connections TA B L E 6 4 Fabric OS switch VE_ to VE_Port Passive Active On Off TA B L E 6 4 Passive Active On Off Fabric OS switch VE_ to VE_Port TA B L E 6 5 Authentication of VEX_Port-to-VE_Port connections TA B L E 6 5 FCR SANtegrity 14 TA B L E 6 6 TA B L E 6 7 FCR SANtegrity Fabric Binding behavior in a mixed fabric Configuring the preferred domain ID and the insistent domain ID FICON implementation in a mixed fabric Fabric OS version change restrictions in an interoperable environment Coordinated Hot Code Load Bypassing the Coordinated HCL check on firmware download Coordinated HCL on switches firmware downloads Upgrade and downgrade considerations for HCL for interoperability McDATA-aware features TA B L E 6 8 McDATA-unaware features Table 70 describes a comprehensive matrix of feature support. McDATA-unaware features TA B L E 6 8 Feature Behavior TA B L E 6 9 Feature Support TA B L E 7 0 Feature Support Notes M-EOS feature limitations in mixed fabrics TA B L E 7 0 - - Supported hardware in an interoperable environment Supported hardware in an interoperable environment TA B L E 71 McDATA Open Fabric and Fabric mode Supported features in an interoperable environment 14 Supported features in an interoperable environment Table 72 shows the interoperability features supported in Fabric OS v6.2.0, v6.3.0, and v6.4.0. TA B L E 71 Supported features in an interoperable environment TA B L E 7 2 Supported features in an interoperable environment 14 TA B L E 7 2 Unsupported features in an interoperable environment Managing Administrative Domains Administrative Domains overview Page Admin Domain features Requirements for Admin Domains Admin Domain access levels User-defined Administrative Domains System-defined Administrative Domains AD0 TA B L E 7 3 AD255 FIGURE 53 Admin Domains and login Admin Domain member types Device members Switch port members Admin Domains and switch WWN FIGURE 54 FIGURE 55 Fabric Visible to AD3 User Fabric Visible to AD4 User Admin Domain compatibility, availability, and merging Admin Domain management for physical fabric administrators Setting the default zoning mode for Admin Domains Creating an Admin Domain User assignments to Admin Domains Creating a new user account for managing Admin Domains Assigning Admin Domains to an existing user account Creating a physical fabric administrator user account Removing an Admin Domain from a user account Activating an Admin Domain Deactivating an Admin Domain Adding members to an existing Admin Domain Removing members from an Admin Domain Renaming an Admin Domain Deleting an Admin Domain Deleting all user-defined Admin Domains Deleting all user-defined Admin Domains non-disruptively Admin Domain management for physical fabric administrators FIGURE 56 FIGURE 5 7 Admin Domain management for physical fabric administrators 15 Validating an Admin Domain member list SAN management with Admin Domains CLI commands in an AD context Executing a command in a different AD context TA B L E 7 4 Displaying an Admin Domain configuration Switching to a different Admin Domain context Admin Domain interactions with other Fabric OS features TA B L E 7 5 SAN management with Admin Domains Admin Domains, zones, and zone databases TA B L E 7 5 Fabric OS feature Admin Domain interaction - - - - Admin Domains and LSAN zones Configuration upload and download in an AD context TA B L E 76 Sectiona II Licensed Features Page Administering Licensing Licensing overview TA B L E 77 Licensing overview 16 TA B L E 7 7 TA B L E 7 8 TA B L E 77 Licensing overview 16 TA B L E 7 8 The Brocade 7800 Upgrade license ICL licensing ICL 16-link license ICL 8-link license TA B L E 7 9 8G licensing Slot-based licensing Upgrade/downgrade considerations Adding a license to a slot Removing a license from a slot Time-based licenses Configupload and download considerations Expired licenses Removing an expired license Universal Time-based licenses Universal Time-based license expiration date Extending a license Deleting a license Date change restriction Viewing installed licenses Activating a license Adding a licensed feature Removing a licensed feature Ports on Demand TA B L E 8 0 Activating Ports on Demand Dynamic Ports on Demand Displaying the port license assignments Enabling Dynamic Ports on Demand Disabling Dynamic Ports on Demand Reserving a port license Releasing a port from a POD set Monitoring Fabric Performance Advanced Performance Monitoring overview Types of monitors Virtual Fabrics considerations for Advanced Performance Monitoring TA B L E 81 TA B L E 8 2 End-to-end performance monitoring End-to-end monitors Adding end-to-end monitors FIGURE 58 FIGURE 59 Setting a mask for an end-to-end monitor FIGURE 60 Deleting end-to-end monitors Frame monitoring TA B L E 8 3 Creating frame types to be monitored TA B LE 8 4 Deleting frame types Adding frame monitors to a port Removing frame monitors from a port Saving frame monitor configuration Displaying frame monitors Clearing frame monitor counters ISL performance monitoring Top Talker monitors Adding a Top Talker monitor on an F_Port Adding Top Talker monitors on all switches in the fabric (fabric mode) n Displaying the top bandwidth-using flows on an F_Port Displaying top talking flows for a given domain ID (fabric mode) Deleting a Top Talker monitor on an F_Port Deleting the fabric mode Top Talker monitors Limitations of Top Talker monitors Trunk monitoring Displaying end-to-end and ISL monitor counters Clearing end-to-end and ISL monitor counters Example of displaying EE monitors on a port Example of displaying ISL monitor information on a port Clearing end-to-end and ISL monitor counters 3. Enter the perfmonitorclear command. The following example clears statistics counters for an end-to-end monitor: The following example clears statistics counters for an ISL monitor: Saving and restoring monitor configurations Performance data collection Page Optimizing Fabric Behavior Adaptive Networking overview Ingress Rate Limiting Limiting traffic from a particular device Disabling ingress rate limiting QoS: SID/DID traffic prioritization TA B L E 85 License requirements for traffic prioritization Trunking considerations before you install the Adaptive Networking license Manually disabling QoS on 8 Gbps ports QoS zones FIGURE 6 1 QoS on E_Ports FIGURE 62 QoS over FC routers Virtual Fabric considerations for traffic prioritization FIGURE 63 High availability considerations for traffic prioritization Supported configurations for traffic prioritization Upgrade considerations for traffic prioritization Manually enabling QoS on 4 Gbps ports and long-distance 8 Gbps ports after upgrade Page Limitations and restrictions for traffic prioritization Setting traffic prioritization Setting traffic prioritization over FC routers Disabling QoS Bottleneck detection Supported configurations for bottleneck detection How bottlenecks are reported Limitations of bottleneck detection High availability considerations for bottleneck detection Upgrade and downgrade considerations for bottleneck detection Trunking considerations for bottleneck detection Virtual Fabrics considerations for bottleneck detection Access Gateway considerations for bottleneck detection Enabling bottleneck detection on a switch Excluding a port from bottleneck detection Displaying bottleneck detection configuration details Changing bottleneck alert parameters Page Displaying bottleneck statistics Disabling bottleneck detection on a switch Page Managing Trunking Connections Trunking overview FIGURE 64 Criteria for managing trunking connections Supported hardware Recommendations for trunking groups Basic trunk group configuration Re-initializing ports for trunking Enabling Trunking on a port Enabling Trunking on a switch Displaying trunking information Trunking over long distance fabrics TA B L E 8 6 F_Port trunking FIGURE 65 Prerequisites for F_Port trunking TA B L E 87 Enabling F_Port trunking Disabling F_Port trunking F_Port trunking in Virtual Fabrics F_Port trunking considerations for Virtual Fabrics F_Port masterless trunking FIGURE 66 FIGURE 67 TA B L E 8 8 F_Port masterless trunking considerations TA B L E 8 9 F_Port masterless trunking TA B L E 8 9 Category Description F_Port masterless trunking 19 Assigning a Trunk Area TA B L E 8 9 Category Description TA B LE 9 0 Enabling the DCC policy on a Trunk Area Page Managing Long Distance Fabrics Long distance fabrics overview Extended Fabrics device limitations Long distance link modes Configuring an extended ISL Enabling long distance when connecting to TDM devices Buffer credit management Buffer-to-Buffer flow control Optimal buffer credit allocation Considerations for calculating buffer credits - - - Fibre Channel gigabit values reference definition Allocating buffer credits based on full-size frames TA B L E 91 Allocating buffer credits based on average-size frames Allocating buffer credits for F_Ports Displaying the remaining buffers in a port group Buffer credits for each switch model TA B L E 9 2 Buffer credit management Maximum configurable distances for Extended Fabrics TA B L E 9 3 Buffer credit recovery Page Using the FC-FC Routing Service FC-FC routing service overview Supported platforms for Fibre Channel routing Supported configurations Integrated Routing Fibre Channel routing concepts FIGURE 68 FIGURE 69 Proxy devices FIGURE 7 1 Routing types Phantom domains FIGURE 72 FIGURE 73 Setting up the FC-FC routing service Verifying the setup for FC-FC routing Page Backbone fabric IDs Assigning backbone fabric IDs FCIP tunnel configuration Inter-fabric link configuration Configuring an IFL for both edge and backbone connections Page Inter-fabric link configuration FC Router port cost configuration 21 FC Router port cost configuration Port cost considerations Setting router port cost for an EX_Port EX_Port frame trunking configuration Masterless EX_Port trunking Supported configurations and platforms TA B L E 9 4 High availability support Backward compatibility support Configuring EX_Port frame trunking Displaying EX_Port trunking information LSAN zone configuration Use of Admin Domains with LSAN zones and FCR Zone definition and naming LSAN zones and fabric-to-fabric communications Controlling device communication with the LSAN Page Setting the maximum LSAN count Configuring backbone fabrics for interconnectivity HA and downgrade considerations for LSAN zones LSAN zone policies using LSAN tagging Speed tag FIGURE 7 4 Rules for LSAN tagging Configuring an Enforce LSAN tag Configuring a Speed LSAN tag Removing an LSAN tag Displaying the LSAN tag configuration LSAN zone binding FIGURE 75 TA B L E 9 5 How LSAN zone binding works FC router matrix definition LSAN fabric matrix definition Setting up LSAN zone binding Viewing the LSAN zone binding matrixes Proxy PID configuration Fabric parameter considerations Inter-fabric broadcast frames Displaying the current broadcast configuration Enabling broadcast frame forwarding Disabling broadcast frame forwarding Resource monitoring FC-FC Routing and Virtual Fabrics Logical switch configuration for FC routing FC-FC Routing and Virtual Fabrics FIGURE 7 6 FIGURE 77 Backbone-to-edge routing with Virtual Fabrics FIGURE 78 Upgrade and downgrade considerations for FC-FC routing How replacing port blades affects EX_Port configuration A B C Displaying the range of output ports connected to xlate domains A M-EOS Migration Path to Fabric OS M-EOS fabrics overview TA B L E 9 6 McDATA Mi10K interoperability Fabric configurations for interconnectivity Connectivity modes Configuring the FC router TA B LE 9 8 Configuring LSAN zones in the M-EOS fabric Correcting errors if LSAN devices appear in only one of the fabrics Completing the configuration Fabric configurations for interconnectivity B Inband Management Inband Management overview Internal Ethernet devices FIGURE 79 IP address and routing management Setting the IP address for the 7500s Setting the IP address for the CP Inband Management interface Setting the IP address for the GE Inband Management interface Adding an Inband Management route on the CP Deleting an Inband Management route Viewing Inband Management IP addresses and routes Viewing Inband Management IP routes FIPS Examples of supported configurations Configuring a Management Station on the same subnet FIGURE 80 Configuring a Management Station on different subnets FIGURE 8 1 Page C Port Indexing Port indexing on the Brocade 48000 director TA B L E 9 9 TA B L E 9 9 Port indexing on the Brocade DCX backbone C Port indexing on the Brocade DCX backbone TA B L E 10 0 Port indexing on the Brocade DCX backbone TA B L E 10 0 Port indexing on the Brocade DCX-4S backbone C Port indexing on the Brocade DCX-4S backbone TA B L E 10 0 Port indexing on the Brocade DCX-4S backbone TA B L E 101 Port on blade Slot 1 Index/PID Slot 2 Index/PID Slot 7 Index/PID Slot 8 Index/PID Port indexing on the Brocade DCX-4S backbone C TA B L E 101 Port on blade Slot 1 Index/PID Slot 2 Index/PID Slot 7 Index/PID Slot 8 Index/PID Page D FIPS Support FIPS overview Zeroization functions Power-up self tests Conditional tests TA B L E 10 2 FIPS mode configuration TA B L E 10 3 FIPS mode configuration LDAP in FIPS mode Setting up LDAP for FIPS mode Example of setting up LDAP for FIPS mode TA B L E 1 0 4 FIPS mode non-FIPS mode LDAP certificates for FIPS mode Importing an LDAP switch certificate Exporting an LDAP switch certificate Deleting an LDAP switch certificate Preparing the switch for FIPS Overview of steps Enabling FIPS mode Disabling FIPS mode Page E Hexadecimal Hexadecimal overview Example conversion of the hexadecimal triplet Ox616000 Hexadecimal overview TA B L E 10 6 Hexadecimal overview E Page Index Numerics Page Page Page F G H I J L M N P Q R S T U V W X Z