Implementing an IBM/Cisco SAN
Learn about the latest additions to the IBM/Cisco product family
Jon Tate
Michael Engelbrecht
Jacek Koman
ibm.com/redbooks
International Technical Support Organization
March 2009
SG24-7545-01
Note: Before using this information and the product it supports, read the information in
“Notices” on page vii.
This edition applies to Version 4.1.n of the Cisco Fabric Manager and Device Manager and the
NX-OS operating system.
© Copyright International Business Machines Corporation 2009. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP
Schedule Contract with IBM Corp.
Contents
Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
The team that wrote this book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Become a published author . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Comments welcome. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
8.1.3 Fabric Configuration Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
8.1.4 End-to-end connectivity analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . 342
8.1.5 FC Ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
8.1.6 FC Traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
8.1.7 Show tech support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
8.1.8 Cisco Fabric Analyzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
8.1.9 Monitoring network traffic using SPAN . . . . . . . . . . . . . . . . . . . . . . 371
8.1.10 Cisco Traffic Analyzer and Performance Manager . . . . . . . . . . . . 380
8.1.11 Traffic Analyzer in Fabric Manager Web Server . . . . . . . . . . . . . . 382
8.1.12 System message logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
8.1.13 Call Home . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
8.2 Performance Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
IBM may not offer the products, services, or features discussed in this document in other countries. Consult
your local IBM representative for information about the products and services currently available in your
area. Any reference to an IBM product, program, or service is not intended to state or imply that only that
IBM product, program, or service may be used. Any functionally equivalent product, program, or service that
does not infringe any IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document.
The furnishing of this document does not give you any license to these patents. You can send license
inquiries, in writing, to:
IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A.
The following paragraph does not apply to the United Kingdom or any other country where such
provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION
PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer
of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made
to the information herein; these changes will be incorporated in new editions of the publication. IBM may
make improvements and/or changes in the product(s) and/or the program(s) described in this publication at
any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any
manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the
materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without
incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products and cannot confirm
the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on
the capabilities of non-IBM products should be addressed to the suppliers of those products.
This information contains examples of data and reports used in daily business operations. To illustrate them
as completely as possible, the examples include the names of individuals, companies, brands, and products.
All of these names are fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrate programming
techniques on various operating platforms. You may copy, modify, and distribute these sample programs in
any form without payment to IBM, for the purposes of developing, using, marketing or distributing application
programs conforming to the application programming interface for the operating platform for which the
sample programs are written. These examples have not been thoroughly tested under all conditions. IBM,
therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.
IBM®
AIX®
BladeCenter®
ESCON®
eServer™
FICON®
HACMP™
PowerPC®
PR/SM™
pSeries®
Redbooks®
Redbooks (logo)®
S/360™
S/370™
S/390®
Storage Tank™
System Storage™
System/360™
System/370™
TotalStorage®
TotalStorage Proven™
z/Architecture®
zSeries®
Oracle, JD Edwards, PeopleSoft, Siebel, and TopLink are registered trademarks of Oracle Corporation
and/or its affiliates.
These materials have been reproduced by IBM with the permission of Cisco Systems Inc. COPYRIGHT 2003 - 2007 CISCO SYSTEMS INC. ALL RIGHTS RESERVED.
Java, JDK, JRE, Solaris, Sun, Ultra, and all Java-based trademarks are trademarks of Sun Microsystems,
Inc. in the United States, other countries, or both.
Excel, Internet Explorer, Microsoft, Visio, Windows Vista, Windows, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Linux is a trademark of Linus Torvalds in the United States, other countries, or both.
Other company, product, or service names may be trademarks or service marks of others.
Summary of Changes
for SG24-7545-01
for Implementing an IBM/Cisco SAN
as created or updated on March 9, 2009.
New information
New products added
Fabric Manager and Device Manager 4.1.x
NX-OS operating system
Changed information
All figures updated
Removed FICON® chapter
Each of the products described has much more functionality than we could cover
in just one book. The IBM SAN portfolio is rich in quality products that bring a
vast amount of technicality and vitality to the SAN world. Their inclusion and
selection are based on a thorough understanding of the storage networking
environment, which puts IBM, and therefore its customers and partners, in an
ideal position to take advantage of their deployment.
We discuss the latest additions to the IBM/Cisco SAN family and we show how
they can be implemented in an open systems environment, focusing on the Fibre
Channel protocol (FCP) environment. We address some of the key concepts that
they bring to the market, and in each case, we give an overview of those
functions that are essential to building a robust SAN environment.
In other Redbooks publications we explore in greater depth the IBM SAN product
family, Fibre Channel basics, and SAN design concepts. More information can be
found in these Redbooks publications:
Introduction to Storage Area Networks, SG24-5470
IBM TotalStorage: SAN Product, Design, and Optimization Guide, SG24-6384
IBM/Cisco Multiprotocol Routing: An Introduction and Implementation,
SG24-7543
Jon Tate is a Project Manager for IBM System Storage™ SAN Solutions at the
International Technical Support Organization, San Jose Center. Before joining
the ITSO in 1999, he worked in the IBM Technical Support Center, providing
Level 2 support for IBM storage products. Jon has 23 years of experience in
storage software and management, services, and support, and is both an IBM
Certified IT Specialist and an IBM SAN Certified Specialist. Jon also serves as
the UK Chair of the Storage Networking Industry Association.
Marci Nagel
IBM Storage Systems Group
Khalid Ansari
George DeBiasi
Brian Cartwright
Kerry Edwards
Sven Eichelbaum
Michael Engelbrecht
Steve Garraway
Joe Hew
Cameron Hildebran
Uwe Hofmann
Thomas Jahn
Jin Su Kim
Mark Kornakiewicz
Andy McManus
Jeannie Ostdiek
Pauli Ramo
Simon Richardson
Glen Routley
Marcus Thordal
Ricardo Trentin
Eric Wong
The previous authors of this book
John McKibben
Darshak Patel
Hui Chen
Cisco Systems
Your efforts will help increase product acceptance and customer satisfaction. As
a bonus, you will develop a network of contacts in IBM development labs, and
increase your productivity and marketability.
Find out more about the residency program, browse the residency index, and
apply online at:
ibm.com/redbooks/residencies.html
Comments welcome
Your comments are important to us!
MDS model   IBM machine type-model
9120        2061-020
9140        2061-040
9020        2061-420
9124        2053-424
9134        2053-434
9216        2062-D01
9216A       2062-D1A/2054-D1A
9216i       2062-D1H/2054-D1H
9222i       2054-E01
9506        2062-D04/2062-T04/2054-E04
9509        2062-D07/2062-T07/2054-E07
9513        2062-E11/2054-E11
Note: All the 2061 and 2062 products have been withdrawn from marketing
but are shown here for reference only.
This switch is configured with dual redundant power supplies, either of which can
supply power for the entire switch, and shares a common firmware architecture
with the MDS 9500 Series of Multilayer Directors, making it an intelligent and
flexible fabric switch. Figure 1-3 shows the MDS 9120 Multilayer Fabric Switch.
This switch is configured with dual redundant power supplies, either of which can
supply power for the entire switch, and shares a common firmware architecture
with the MDS 9500 Series of Multilayer Directors, making it an intelligent and
flexible fabric switch. Figure 1-4 shows the MDS 9140 Multilayer Fabric Switch.
Note: The MDS 9124 Multilayer switch supports N-Port identifier virtualization
(NPV) to reduce the number of Fibre Channel domain IDs in SANs.
Note: The MDS 9134 Multilayer Switch supports N-Port identifier virtualization
(NPV) to reduce the number of Fibre Channel domain IDs in SANs.
The MDS 9216A switch is a three RU, 2-slot fabric switch that can support from
16 to 64 shortwave or long-wave SFP fiber optic transceivers. The chassis
consists of two slots. The first slot contains the supervisor module. This provides
the control and management functions for the MDS 9216A and includes 16 full
capability 2 Gbps target-optimized Fibre Channel ports. It contains 2 GB of
DRAM and has one internal CompactFlash card that provides 256 MB of storage
for the firmware images. Figure 1-7 shows the MDS 9216A Multilayer Fabric
Switch.
The MDS 9216i uses the same backplane as the MDS 9216A. However, the
MDS 9216i includes a fixed 14+2 supervisor module to provide 14 full capability
2 Gbps target-optimized Fibre Channel ports and two Gigabit Ethernet
interfaces. The Gigabit Ethernet interfaces support iSCSI initiators connecting to
Fibre Channel disk systems. The FCIP and IVR features are bundled with the
MDS 9216i switch and do not require the Enterprise package. Figure 1-8 shows
the MDS 9216i Multilayer Fabric Switch.
MDS 9222i   1   1   66 (includes 18 FC ports + 4 GigE)   (66 + 4 GigE)
Note: Throughout this chapter the term switch is used interchangeably for
both Cisco MDS switches and directors.
The chassis has six slots, two of which are reserved for dual, redundant
Supervisor Modules. This director supports Supervisor-1 and Supervisor-2
modules. A Supervisor-2 Module combines an intelligent control module and a
high-performance crossbar switch fabric in a single unit.
Figure 1-10 MDS 9506 Multilayer Director (IBM 2062-D04/T04 or IBM 2054-E04)
The chassis has nine slots, two of which are reserved for dual, redundant
Supervisor Modules, and this director supports Supervisor-1 and Supervisor-2
modules. The Supervisor-2 module combines an intelligent control module and a
high-performance crossbar switch fabric in a single unit.
The MDS 9509 Multilayer Director requires a minimum of one and allows a
maximum of seven switching modules. Third-generation modules are available in
24-port and 48-port, 1, 2, 4, and 8 Gbps configurations. Second-generation
modules are available in 12-port, 24-port, and 48-port, 1, 2, and 4 Gbps
configurations.
Figure 1-11 MDS 9509 Multilayer Director (IBM 2062-D07/T07 or IBM 2054-E07)
Figure 1-12 MDS 9513 Multilayer Director (IBM 2062-E11 or IBM 2054-E11)
Table 1-3 compares the hardware features within the MDS 95xx Series of
Multilayer Directors.
Feature           MDS 9506   MDS 9509   MDS 9513
Available slots   6          9          13
Rack units        7          14         14
Table 1-4 MDS 9000 Modules and Platform Compatibility Matrix (generation line cards)
Module (platform columns: 9513, 9509, 9506, 9222i, 9216A, 9216i)
Supervisor-2 module: X X X
Supervisor-1 module: X X
48-port 4 Gbps Fibre Channel switching module: X X X X X X
32-port 1 Gbps/2 Gbps Fibre Channel Storage Services Module (SSM): X X X X X X
32-port Fibre Channel Advanced Services Module (ASM): X X X X
18-port Fibre Channel and 4-port Gigabit Ethernet IP Services module (MSFM-18/4): X X X X X X
14-port Fibre Channel/2-port Gigabit Ethernet Multiprotocol Services (MPS-14/2) module: X X X X X
The 32-port Switching Module also supports optional CWDM SFPs to provide
aggregation of multiple links onto a single optical fiber through a passive optical
mux.
The two IP storage interfaces are similar to the IP Services Module, including
hardware compression and security.
Note: Two Ethernet ports on the IPS modules can be combined into a single
EtherChannel, but only between ports that share the same application-specific
integrated circuit (ASIC). However, PortChannel can be used.
To use FCIP an activation for the FCIP 8-port IP Services Line Card feature is
required for every 8-port IP line card that needs to support FCIP.
The Fabric Manager is used to discover and display iSCSI hosts. These iSCSI
hosts are bound to assigned worldwide names (WWNs) and create a static
relationship that enables:
Zoning of iSCSI initiators
Accounting against iSCSI initiators
Topology mapping of iSCSI initiators
Five thousand simultaneous connections per switch/director
FC-WA can help improve the performance of remote mirroring applications over
extended distances by reducing the effect of transport latency when completing a
SCSI operation over distance. This supports longer distances between primary
and secondary data centers and can help improve disk replication performance.
The optional Storage Systems Enabler package bundle can enable independent
software vendors (ISVs) to develop intelligent fabric applications that can be
hosted on the SSM through an application programming interface (API).
Note: IBM support for these ISV applications is limited to IBM TotalStorage®
Proven™ solutions. For the most current IBM TotalStorage Proven
information, go to:
http://www.ibm.com/storage/proven
The Advanced Services Module incorporates all the capabilities of the Cisco
MDS 9000 family 32-Port Fibre Channel Switching Module and also provides
scalable, in-band storage virtualization services. Combining a highly distributed
processing architecture and integrated VERITAS Storage Foundation for
Networks software, the Cisco Advanced Services Module delivers virtualization
performance, which can be scaled by simply adding modules anywhere in the
fabric to meet the performance needs of even the largest enterprises.
The Cisco Advanced Services Module is available in a 32-port configuration and
accepts 2Gbps Fibre Channel small form-factor pluggable (SFP) optical
modules as MDS 9000 family Fibre Channel switching modules. Figure 1-18
shows the 32-port Advanced Services Module.
Each target-optimized port supports 255 buffer credits, and host-optimized ports
support 12 buffer credits per port. On the 14+2 line card, up to 3,500 buffer
credits can be assigned to a single port if you are willing to sacrifice buffers on
other ports and shut down three ports on the quad controlled by that ASIC. A
maximum of 1500 buffer credits can be configured if the additional three ports
are left enabled.
Note: Generation 3 cards can work only with Supervisor-2 modules, and the
NX-OS firmware version 4.x is required.
New Gen3 cards work with all MDS 9500 Multilayer Directors and with MDS
9222i switches, as shown in Table 1-5.
For switch and fabric management of the MDS 9000 family, both a command-line
interface (CLI) and a graphical user interface (GUI) are available. The CLI uses
Telnet, SSH, or a serial console, while the GUI-based Fabric Manager toolset
uses SNMP when accessing the switches.
Table 1-6 shows the new and changed features of Fabric Manager for SAN-OS
3.x and NX-OS 4.x.
Table 1-6 Features of the Fabric Manager 4.x for SAN-OS 3.x and NX-OS 4.x (Feature: Description; Changed in release)
Supported platforms information and FM Express Install: The server platforms supported for Cisco Fabric Manager have been revised. Changed in 4.1.(X)
Inventory Report enhancements: The FMS inventory switch detail report has been enhanced to include a number of summary statistics useful for creating a more comprehensive SAN health report. Changed in 4.1.(X)
Flex Attach configuration by server administrators: Procedures to use the Flex Attach wizards for pre-configuring all or selected ports, moving a server to a different port or switch, and replacing a server in the same or a different port or switch. Changed in 4.1.(X)
Generation 3 48-port, 24-port, and 4/44-port 8 Gbps Fibre Channel modules configuration: Added configuration guidelines that include port groups, port rate modes, BB_credit buffer allocation, port speed configuration, oversubscription ratio restrictions, combining with earlier generation modules, upgrade and downgrade considerations, crossbar management, port channel interface configuration, example configurations, and default settings. Changed in 4.1.(X)
Performance Manager: Added the flow creation wizard for Performance Manager. Changed in 4.1.(X)
Cisco Fabric Manager 4.x has been tested with the following software:
Operating systems
– Windows 2003 SP2, Windows XP SP2, Windows XP SP3, Windows
Vista® SP1 (Enterprise edition)
– Red Hat Enterprise Linux AS Release 4
– Solaris (SPARC) 8, 9 and 10
– VMWare ESX Server 3.5
Java
– Sun™ JRE™ and JDK™ 1.5(x) and 1.6(x) supported
– Java Web Start 1.5 and 1.6
Browsers
– Internet Explorer® 6.x and 7.0
– Firefox 1.5 and 2.0
– Mozilla 1.7 (packaged with Solaris 9)
Databases
– Oracle® Database 10g Express, Oracle Enterprise Edition 10g
– PostgreSQL 8.2 (Windows and Red Hat Enterprise Linux AS Release 4)
– PostgreSQL 8.1 (Solaris 8, 9 and 10)
CLI
From the CLI we can perform fabric and switch management. The CLI parser
provides both command help and command completion, and a history buffer stores
previously used commands so that they can be recalled from the keyboard.
Performing ongoing fabric and switch management using the GUI is somewhat
more intuitive, and most switch commands are available there, but when it comes
to troubleshooting the CLI is the more powerful interface.
Licensing
The licensing model for the MDS 9000 family consists of two options:
Feature-based licensing, which implies a per-switch cost, for features that
apply to the entire switch
Module-based licensing for features that require a specific hardware module
such as the IPS module
Note: For a complete list of features within each license package, see the
respective license package fact sheets:
http://www.cisco.com/en/US/products/hw/ps4159/ps4358/products_data_sheets_list.html
When buying the MDS 9000 family switch, the standard license package is
always included. To see which other licenses are available with a specific switch
type, refer to Table 1-7.
Figure 1-26 Support matrix for SAN-OS 3.x and NX-OS 4.x code
Contrary to other switch manufacturers, with the Cisco MDS 9000 family there is
no fixed correlation between physical Fibre Channel ports and Fibre Channel IDs
(FCID). This is necessary to allow intermixing of line cards with different numbers
of ports, while being able to utilize all port addresses, to allow both fabric and
loop devices to coexist, and also to allow switches larger than 256 ports.
The primary reason for persistent FCIDs is to enable customers to move devices
within a switch without having to rebind the disk. This could be used in the case
of a linecard or SFP failure, for example.
The following considerations apply to the FCID assignment for any VSAN:
When an N_Port or NL_Port logs into the switch, it is assigned an FCID.
N_Ports receive the same FCID if disconnected and reconnected to any port
within the same switch, and within the same VSAN.
NL_Ports receive the same FCID only if reconnected to the same port within
the same switch where the port was originally connected.
If the persistent FCIDs feature is not enabled for a VSAN, the following
considerations apply:
The WWN of the N_Port or NL_Port and the assigned FCID are stored in a
volatile cache, and are not saved across switch reboots.
The switch preserves the binding of FCID to WWN on a best-effort basis.
The volatile cache has room for a maximum of 4,000 entries, and if the cache
gets full, the oldest entries are overwritten.
Note: If you attach AIX or HP-UX hosts to a VSAN, you must have persistent
FCIDs enabled for that VSAN. This is because these operating systems use
the FCIDs in device addressing. If the FCID of a device changes, the
operating system considers it to be a new device, and gives it a new name.
In general, we recommend enabling persistent FCIDs for your VSANs unless
you have specific requirements that do not comply with persistent FCIDs.
Example 2-1 shows persistent FCID enabled for VSAN 10.
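The rules above (N_Port versus NL_Port rebinding, the volatile cache of 4,000 entries, and why an FCID change makes AIX or HP-UX see a new device) can be made concrete with a small model. The following Python is an added illustration, not code from the Redbook or from Cisco (the switch performs this allocation internally); the domain ID 0x0A, the sequential area/port allocator, and the WWNs are constructed for the example.

```python
"""Model of FCID assignment in an MDS VSAN, with and without persistent FCIDs.

Added illustration; not code from the Redbook or from Cisco. It encodes the
rules the text states: an N_Port keeps its FCID when reconnected to any port of
the same switch and VSAN, an NL_Port keeps it only when reconnected to the same
port, and without persistent FCIDs the WWN-to-FCID binding lives in a volatile
cache of at most 4,000 entries whose oldest entries are overwritten and which is
lost on reboot. The allocator (domain ID, sequential indices) is constructed.
"""
from collections import OrderedDict

CACHE_LIMIT = 4000  # volatile cache size given in the text


class Vsan:
    """FCID assignment for one VSAN on one switch."""

    def __init__(self, vsan_id, persistent=False, domain=0x0A):
        self.vsan_id = vsan_id
        self.persistent = persistent
        self.domain = domain           # constructed domain ID for this VSAN
        self.bindings = OrderedDict()  # binding key -> FCID, oldest first
        self.next_index = 0            # constructed allocator: next free area/port

    @staticmethod
    def _key(wwn, port, port_type):
        # N_Ports are bound by WWN only (any port on the switch qualifies);
        # NL_Ports are bound to the physical port they first logged in on.
        return (wwn,) if port_type == "N" else (wwn, port)

    def _allocate(self):
        fcid = (self.domain << 16) | self.next_index
        self.next_index += 1
        return fcid

    def login(self, wwn, port, port_type="N"):
        """Return the FCID assigned to `wwn` logging in on `port`."""
        key = self._key(wwn, port, port_type)
        if key in self.bindings:
            return self.bindings[key]
        if not self.persistent and len(self.bindings) >= CACHE_LIMIT:
            self.bindings.popitem(last=False)  # overwrite the oldest entry
        fcid = self._allocate()
        self.bindings[key] = fcid
        return fcid

    def reboot(self):
        """Persistent bindings survive a reboot; the volatile cache does not."""
        if not self.persistent:
            self.bindings.clear()
            self.next_index = 0  # constructed: allocation starts over in login order


def fcid_str(fcid):
    """Format an FCID the way show commands print it, for example 0x0a0000."""
    return f"0x{fcid:06x}"


def device_name_changes_after_reboot(persistent):
    """Would a host that keys devices by FCID (AIX, HP-UX) see a new device
    after a switch reboot when two devices come back in a different order?"""
    vsan = Vsan(10, persistent=persistent)
    vsan.login("10:00:00:00:c9:aa:aa:aa", "fc1/1")  # constructed WWNs
    before = vsan.login("10:00:00:00:c9:bb:bb:bb", "fc1/2")
    vsan.reboot()
    after = vsan.login("10:00:00:00:c9:bb:bb:bb", "fc1/2")  # logs in first now
    return before != after


if __name__ == "__main__":
    for mode in (False, True):
        print("persistent" if mode else "volatile",
              "FCID changed" if device_name_changes_after_reboot(mode) else "FCID kept")
```

With the volatile cache the second device comes back with the FCID its neighbour held before the reboot, which is exactly the case the AIX and HP-UX note warns about; with persistent FCIDs enabled the binding is retained.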
FL_Port A fabric loop port (FL_Port) connects the switch to a public FC-AL
loop. Only one FL_Port can be operational in a single FC-AL loop at
any given time.
B_Port A bridge port (B_Port) is used to connect some SAN extender devices
to the switch, instead of E_Port.
ST_Port In the SPAN tunnel port (ST port) mode, an interface functions as an
entry point port in the source switch for the RSPAN Fibre Channel
tunnel. The ST port mode and the remote SPAN (RSPAN) feature are
specific to switches in the Cisco MDS 9000 family. When configured
in ST port mode, the interface cannot be attached to any device, and
thus cannot be used for normal Fibre Channel traffic.
Example 2-2 shows port mode configuration from the command-line interface.
Figure 2-3 Device Manager port configuration window for the 8 Gbps port
Figure 2-5 Device Manager port configuration window for the Gen 2 line card
Figure 2-7 Configuration tasks for the MDS 9000 Gen 3 line card
Figure 2-10 Checking the oversubscription status from the Device Manager
A specific auto option can be used to set the port speed. For example, an
8 Gbps port can be set to autoMax2G or autoMax4G mode. The 8 Gbps port then
negotiates the best allowed speed automatically, but no faster than 2 Gbps or
4 Gbps respectively. These options are valuable when using oversubscription and
sharing modes.
There are three Gen 3 line cards available at the time of writing and all of them
follow the same rules with respect to the ports and modules configuration and
administration.
Chapter 3.
Operating system
In this chapter we discuss the Cisco SAN-OS and NX-OS operating systems.
MDS 9500 supervisors also have an external bootflash memory slot called Slot0:
that is used for transferring image files between switches.
The system RAM memory is used by the Linux operating system and a Volatile:
file system for storing temporary files. Any changes made to the switch operating
parameters or configuration are instantly active and held in the running
configuration.
All data stored in RAM will be lost when the MDS is rebooted, so an area of
non-volatile RAM (NVRAM) is used for the storage of critical data. The most
critical of these would be the running configuration for the switch. The running
configuration should be saved to the Startup-Configuration in NVRAM using the
CLI command copy run start so that the configuration can be preserved during
a switch reboot.
The MDS Cisco 9000 family switches have three main memory areas, as shown
in Figure 3-1.
The kickstart and system images must be available for the switch to boot, and
therefore they are placed in the bootflash. It is possible to boot from an external
Total Power Available 119.70 W
-------------
Connectivity
Verify that you have connectivity to the server from which you are
downloading the software images.
Images
Verify that the specified system and kickstart images are compatible. If no
kickstart image is specified, the running kickstart image is used. If a different
system image is specified, you must verify that it is compatible with the
running kickstart image.
When upgrading the SAN-OS or NX-OS on any Cisco MDS 9000 family switch
running in production, we strongly recommend that you use the install all
command, which provides a nondisruptive upgrade process.
Important: If you issue the install all command on a switch that only has a
single supervisor system with kickstart and system image changes, or on a
dual supervisor system with incompatible system software images, then the
process is disruptive.
For switches not running in production, you can alternatively perform the quick
upgrade procedure using the reload command. This process is disruptive: the
switch is rebooted on completion, which is why it is recommended only for
switches not in production. The process is to copy the kickstart and system
image to the switch, set the boot variables, and issue the reload command.
We upgrade the NX-OS to the latest released level. This can be done using
either the CLI or the graphical user interface (GUI) (FM or DM). For
completeness we show how to perform the upgrade using both the CLI and the
GUI.
Note: For this book we used NX-OS Version 4.1(0.182) and NX-OS Version
4.1(1).
Software
BIOS: version 1.0.15
loader: version N/A
kickstart: version 4.1(1) [build 4.1(0.182)] [gdb]
system: version 4.1(1) [build 4.1(0.182)] [gdb]
BIOS compile time: 07/16/08
kickstart image file is: bootflash:/m9200-s2ek9-kickstart-mzg.4.1.0.182.bin
kickstart compile time: 10/12/2020 25:00:00 [08/15/2008 18:42:09]
system image file is: bootflash:/m9200-s2ek9-mzg.4.1.0.182.bin
system compile time: 12/25/2010 12:00:00 [08/15/2008 20:03:21]
Hardware
cisco MDS 9222i ("4x1GE IPS, 18x1/2/4Gbps FC/Sup2")
Motorola, e500v2 with 1036512 kB of memory.
Processor Board ID JAE12088ZMT
After we have done that we verify that there is sufficient space on the supervisor
bootflash, as shown in Example 3-5.
Next we copy the NX-OS code from an FTP server to the bootflash: on the
switch, as shown in Example 3-6.
Note: Ensure that the FTP server is reachable in order to copy the required
files. Firewalls may prevent you from reaching the FTP server.
Prior to starting the actual upgrade process we back up the running configuration
to our FTP server, as shown in Example 3-7.
After backing up the configuration, start the upgrade using the install all
command, as shown in Example 3-8.
Example 3-8 Upgrading the switch using the install all command
mds9222i-1# install all system bootflash:m9200-s2ek9-mz.4.1.1.bin kickstart bootflash:m9200-s2ek9-kickstart-mz.4.1.1.bin
Extracting "system" version from image bootflash:/m9200-s2ek9-mz.4.1.1.bin.
[####################] 100% -- SUCCESS
After the upgrade has completed, verify the version using the show version
command, as shown in Example 3-9.
Software
  BIOS: version 1.0.15
  loader: version N/A
  kickstart: version 4.1(1)
  system: version 4.1(1)
  BIOS compile time: 07/16/08
  kickstart image file is: bootflash:/m9200-s2ek9-kickstart-mz.4.1.1.bin
  kickstart compile time: 10/12/2020 25:00:00 [09/09/2008 06:55:47]
  system image file is: bootflash:/m9200-s2ek9-mz.4.1.1.bin
  system compile time: 8/22/2008 0:00:00 [09/09/2008 08:15:09]
Hardware
  cisco MDS 9222i ("4x1GE IPS, 18x1/2/4Gbps FC/Sup2")
  Motorola, e500v2 with 1036316 kB of memory.
  Processor Board ID JAE12088ZMT
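The "Images" prerequisite earlier in the chapter (kickstart and system images must be a compatible pair) and the show version check after the upgrade are easy to script across a fabric. The following Python parser is an added example, not the Redbook's or Cisco's code. It is fed the post-upgrade show version text from this chapter as a constructed sample, and it treats "compatible" as identical version strings, the same image train in both file names, and file-name versions that match the running versions. That approximation is an assumption of the example; Cisco's actual compatibility rules are in the release notes.

```python
"""Parse NX-OS 'show version' output and check the kickstart/system image pair.

Added example; not code from the Redbook or from Cisco. "Compatible" is
approximated as: identical version strings, identical image train in the file
names, and file-name versions matching the running versions (an assumption of
this example).
"""
import re

# Constructed sample, copied from the post-upgrade 'show version' in the text.
SAMPLE_SHOW_VERSION = """\
Software
  BIOS: version 1.0.15
  loader: version N/A
  kickstart: version 4.1(1)
  system: version 4.1(1)
  BIOS compile time: 07/16/08
  kickstart image file is: bootflash:/m9200-s2ek9-kickstart-mz.4.1.1.bin
  kickstart compile time: 10/12/2020 25:00:00 [09/09/2008 06:55:47]
  system image file is: bootflash:/m9200-s2ek9-mz.4.1.1.bin
  system compile time: 8/22/2008 0:00:00 [09/09/2008 08:15:09]

Hardware
  cisco MDS 9222i ("4x1GE IPS, 18x1/2/4Gbps FC/Sup2")
"""

VERSION_RE = re.compile(r"^\s*(kickstart|system):\s+version\s+(\S+)", re.M)
IMAGE_RE = re.compile(r"^\s*(kickstart|system) image file is:\s+(\S+)", re.M)
# Image names look like m9200-s2ek9[-kickstart]-mz[g].4.1.1.bin:
# <train>[-kickstart]-mz<suffix>.<version>.bin
IMAGE_NAME_RE = re.compile(
    r"^(?P<train>m\d+-[a-z0-9]+)(?:-kickstart)?-mz[a-z]*\.(?P<ver>\d+(?:\.\d+)*)\.bin$"
)


def parse_show_version(text):
    """Return {'kickstart': {'version', 'image'}, 'system': {...}} from the output."""
    info = {"kickstart": {}, "system": {}}
    for component, version in VERSION_RE.findall(text):
        info[component]["version"] = version
    for component, image in IMAGE_RE.findall(text):
        info[component]["image"] = image
    return info


def normalise(version):
    """'4.1(1)' -> '4.1.1' so a running version can be compared with a file name."""
    return version.replace("(", ".").replace(")", "")


def image_parts(path):
    """Split 'bootflash:/m9200-s2ek9-mz.4.1.1.bin' into ('m9200-s2ek9', '4.1.1')."""
    name = re.split(r"[:/]", path)[-1]
    match = IMAGE_NAME_RE.match(name)
    if not match:
        raise ValueError(f"unrecognised image name: {name}")
    return match.group("train"), match.group("ver")


def check_images(text):
    """Return a list of problems found in show version output (empty means OK)."""
    info = parse_show_version(text)
    problems = [f"{c}: version or image file missing from output"
                for c in ("kickstart", "system")
                if "version" not in info[c] or "image" not in info[c]]
    if problems:
        return problems
    kick, sys_ = info["kickstart"], info["system"]
    if kick["version"] != sys_["version"]:
        problems.append(f"kickstart {kick['version']} and system {sys_['version']} versions differ")
    kick_train, kick_ver = image_parts(kick["image"])
    sys_train, sys_ver = image_parts(sys_["image"])
    if kick_train != sys_train:
        problems.append(f"image trains differ: {kick_train} vs {sys_train}")
    for component, running, file_ver in (("kickstart", kick["version"], kick_ver),
                                         ("system", sys_["version"], sys_ver)):
        if normalise(running) != file_ver:
            problems.append(f"{component}: running {running} does not match image file version {file_ver}")
    return problems


def fabric_report(outputs):
    """Run check_images over {switch_name: show_version_text} for a whole fabric."""
    return {name: check_images(text) for name, text in outputs.items()}


if __name__ == "__main__":
    for switch, problems in fabric_report({"mds9222i-1": SAMPLE_SHOW_VERSION}).items():
        print(switch, "OK" if not problems else problems)
```

Note that the pre-upgrade output in this chapter, where the running version is 4.1(1) [build 4.1(0.182)] but the image file is named 4.1.0.182, would be reported as a mismatch: that is the intended behaviour, since it flags a switch still booting an interim build rather than the released image.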
Figure 3-3 Checking the firmware versions for all devices in the fabric in the GUI
Note: The complete path to the file location must be specified for this step to
complete successfully.
The wizard does not verify automatically whether the images match the
specified size, but the value is used to verify whether the amount of
corresponding free space is available on the bootflash prior to initiating the
download.
Tip: Click Verify Remote Server and Path to ensure that you can reach the
source server.
When you do not have enough free space to copy the files, just delete the
previous version of files stored on the bootflash, as shown in Figure 3-8.
Figure 3-8 Delete files from bootflash using Software Install Wizard
Figure 3-11 Starting the installation for the MDS 9000 family switch
Note: If you want to perform the upgrade unattended, so that you are not
prompted to start the upgrade, you can check Ignore versions check results, as
shown in Figure 3-11 on page 69. In this case you must be sure that the new
firmware version is correct and that all conditions are met.
Figure 3-12 Compatibility checks and synchronization before the upgrade process starts
Figure 3-13 Verification after compatibility checks before running an upgrade process
As shown in Figure 3-14, we are prompted to confirm that we want to start the
upgrade process.
Previously, the Cisco Fabric Manager and Cisco Device Manager software was
embedded in every Cisco MDS 9000 family switch. This software was
downloaded and installed automatically through Java Web Start when you
accessed a switch through a supported Java-enabled Web browser, such as
Windows Internet Explorer or Netscape Navigator.
SAN-OS Release 3.2(1) brought about a major change in how Fabric Manager
software is installed and upgraded. Fabric Manager is no longer packaged with a
Cisco MDS 9000 family switch: you install it from installation media such as a
compact disc read-only memory (CD-ROM), or you download Fabric Manager from
the Cisco Web site.
You can access the MDS 9000 family of switches for configuration, status, or
management through the console port and initiate a Telnet session through the
OOB Ethernet management port or through the in-band IP over FC management
feature.
The console port is an asynchronous port with a default configuration of
9600 bps, 8 data bits, no parity, and 1 stop bit. This port is the only means of
accessing the switch after the initial power up until an IP address is configured for
the management port.
In-band IP over FC is used to manage remote switches through the local Mgmt0
interface.
The CLI enables you to configure every feature of the switch. More than 1,700
combinations of commands are available and are structurally consistent with the
style of Cisco IOS software CLI.
The CLI help facility provides:
Context-sensitive help: Provides a list of commands and associated
arguments. Type a question mark (?) at any time or type part of a command
and type ?.
Command completion: The Tab key completes the keyword that you have
started typing.
Console error messages: Identify problems with any switch commands that
are incorrectly entered so that they may be corrected or modified.
Command history buffer: Allows recalling of long or complex commands or
entries for reentry, renewing, or correction.
MDS Command Scheduler: Provides a UNIX® cron-like facility in the
SAN-OS that allows the user to schedule a job at a particular time or
periodically.
The commands available to you depend on the mode that you are in. To obtain a
list of available commands, type a question mark (?) at the system prompt.
Exec mode
From the EXEC mode, you can perform basic tests and display system
information. This includes operations other than configuration such as show and
debug. Show commands display system configuration and information. Debug
commands enable printing of debug messages for various system components.
Changes made in EXEC mode are generally not saved across system resets
(that is, they are not saved to the startup config).
By default, you enter the user EXEC mode when logging on to a switch using the
CLI. When in EXEC mode, the prompt is SwitchName#.
Configuration mode
Use the config or config terminal command from EXEC mode to go into the
configuration mode. The configuration mode has a set of configuration
commands that can be entered after a config terminal command in order to set
up the switch. The configuration mode enables you to configure features that
affect the system as a whole. Changes made in this mode are saved across
system resets if you save your configuration (save to startup configuration).
To return to EXEC mode when in config mode, use the command end or press
Ctrl+z.
The CLI commands are organized hierarchically, with commands that perform
similar functions grouped under the same level. For example, all commands that
display information about the system, configuration, or hardware are grouped
under the show command, and all commands that allow you to configure the
switch are grouped under the config terminal command, which includes switch
sub-parameters at the configuration submode level. The CLI hierarchy is shown
in Figure 4-1 on page 78.
To execute a command, you enter the command by starting at the top level of the
hierarchy. For example, to configure a Fibre Channel interface, use the config
terminal command. Once you are in configuration mode, issue the interface
command. When you are in the interface submode, you can query the available
commands there.
Apart from invoking the CLI from the Device Manager or GUI interfaces, we can
connect to the switch using either Telnet, SSH, or a serial connection physically
connected to the switch. In Example 4-1 we connect to the switch via Telnet.
Password:
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2008, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
mds9222i-1#
The CLI also lets you perform management tasks from scripts that drive the
switch through the CLI.
Note: The Cisco MDS 9000 family CLI command structure is very similar to
that of the Cisco Internetwork Operating System (IOS) commands.
Command aliases
Some commands require a lot of typing. A single keyword such as gigabit
Ethernet can sometimes be shortened to gig, but it is also useful to group
several commands and subcommands together. This can be done using command
aliases.
Command aliases are saved in NVRAM and so can persist across reboots.
When creating an alias, the individual commands must be typed in fully without
abbreviation.
If you define an alias, it will take precedence over CLI keywords starting with the
same letters, so be careful when using abbreviations. An example of creating an
alias is shown in Example 4-2.
Command Scheduler
The Cisco MDS SAN-OS provides a UNIX cron-like facility called the Command
Scheduler.
Jobs can be defined listing several commands that are to be executed in order.
Jobs can be scheduled to run at the same time every day, week, month or at a
user-configurable frequency (delta).
All jobs are executed non-interactively, without administrator response.
Be aware that a job may fail if a command that is issued is disabled or no longer
supported, because a license may have expired. The job will fail at the point of
error, and all subsequent commands will be ignored.
For more detailed information, Performance Manager, which is included with the
Fabric Manager Server license, provides detailed traffic analysis by capturing
data with the Cisco Port Analyzer Adapter. This data is compiled into various
graphs and charts that can be viewed with any Web browser.
Table 4-1 shows the new and changed features of Fabric Manager for SAN-OS
3.x and NX-OS 4.x.
Table 4-1 Features of the Fabric Manager 4.x for SAN-OS 3.x and NX-OS 4.x
Feature | Description | Changed in Release
Supported platforms Information and FM Express Install | The server platforms supported for Cisco Fabric Manager have been revised. | 4.1(1)
Inventory Report Enhancements | The FMS inventory switch detail report has been enhanced to include a number of summary statistics useful for creating a more comprehensive SAN health report. | 4.1(1)
Server Admin Tool | The Server Admin perspective view limits the scope of Fabric Manager to Flex Attach configuration and relevant data. | 4.1(1)
Flex Attach Configuration by Server Administrators | Procedures to use the Flex Attach wizards for preconfiguring all or selected ports, moving a server to a different port or switch, and replacing a server in the same or a different port or switch. | 4.1(1)
IP Static Peers for CFS over IP | Added IP static peers configuration steps for CFS distribution over IP. | 4.1(1)
Generation 3 48-Port, 24-Port, and 4/44-Port 8-Gbps Fibre Channel modules configuration | Added configuration guidelines that include port groups, port rate modes, BB_credit buffer allocation, port speed configuration, over subscription ratio restrictions, combining with earlier generation modules, upgrade and downgrade considerations, cross bar management, port channel interface configuration, example configurations, and default settings. | 4.1(1)
Performance Manager | Added the flow creation wizard for performance manager. | 4.1(1)
Cisco Fabric Manager 4.x has been tested with the following software:
Operating systems
– Windows 2003 SP2, Windows XP SP2, Windows XP SP3, Windows Vista
SP1 (Enterprise edition)
– Red Hat Enterprise Linux AS Release 4
– Solaris (SPARC) 8, 9, and 10
– VMWare ESX Server 3.5
Java
– Sun JRE and JDK 1.5(x) and 1.6(x) are supported
– Java Web Start 1.5 and 1.6
Browsers
– Internet Explorer 6.x and 7.0
– Firefox 1.5 and 2.0
– Mozilla 1.7 (packaged with Solaris 9)
Databases
– Oracle Database 10g Express, Oracle Enterprise Edition 10g
– PostgreSQL 8.2 (Windows and Red Hat Enterprise Linux AS Release 4)
– PostgreSQL 8.1 (Solaris 8, 9 and 10)
Security
– Cisco ACS 3.1 and 4.0
– PIX Firewall
– IP Tables
– SSH v2
– Global Enforce SNMP Privacy Encryption
– HTTPS
Install Cisco Fabric Manager Server on a computer on which you want to provide
centralized MDS management services and performance monitoring. SNMP
operations are used to efficiently collect fabric information. Fabric Manager
software, including the server components, requires about 60 MB of hard disk
space on your workstation. Fabric Manager Server runs on Windows 2000,
Windows 2003, Windows XP, Solaris 8 and 10, and Red Hat Enterprise Linux AS
Release 4.
Note: The unlicensed Fabric Manager Server can only monitor and configure
one fabric at a time. You must use the Admin tab and the Configure option to
switch to a new fabric, which causes the application to stop monitoring the
previous one and to rediscover the new fabric, as shown in Figure 4-2 on
page 86. When you have the unlicensed Fabric Manager Server you must
remove the currently monitored fabric before you add a new one.
Figure 4-2 Adding a new fabric to monitor in the Fabric Manager Web Client
Fabric Manager Release 4.1(1) and later provides a multi-level security system
by adding a server admin role that allows access to limited features. The
configuration capabilities of a server admin are limited to FlexAttach and
relevant data. FlexAttach is a new feature in Fabric Manager 4.x and has been
described in 4.1.3, “System management using the GUI management tools” on
page 81.
Fabric Manager Client and Device Manager use SNMP to communicate with the
Fabric Manager Server. In typical configurations, the Fabric Manager Server may
be installed behind a firewall. The SNMP proxy service available in Fabric
Manager Release 2.1(1a) or later provides a TCP-based transport proxy for
these SNMP requests.
The SNMP proxy service allows you to block all UDP traffic at the firewall and
configure Fabric Manager Client to communicate over a configured TCP port.
Fabric Manager uses the CLI for managing some features on the switches.
These management tasks are used by Fabric Manager and do not use the proxy
services. Your firewall must remain open for CLI access for the following:
External and internal loopback test
Flash files
Create CLI user
Security: ISCSI users
Show image version
Show tech
Switch resident reports (syslog, accounting)
Zone migration
Show cores
If you are using the SNMP proxy service and another application on your server
is using port 9198, you must modify your workstation settings.
Performance Manager can collect statistics for Inter-Switch Links (ISLs), hosts,
storage elements, and configured flows. Flows are defined based on a
host-to-storage (or storage-to-host) link.
Fabric Manager Web Server allows operators to monitor and obtain reports for
MDS events, performance, and inventory from a remote location using a Web
browser.
Using Fabric Manager Web Server, you can monitor MDS switch events,
performance, and inventory, and perform minor administrative tasks.
Figure 4-3 Configure performance collection in the Cisco Fabric Manager Web Client
Be aware that if you try to install as you used to previously by pointing your Web
browser to the switch name or IP address, you will get a message similar to the
one shown in Figure 4-4.
Figure 4-4 Cisco Device Manager for MDS 9000 family Installation Web page
Once we load the CD-ROM, we see the initial MDS 9000 family Product
CD-ROM Web page, as shown in Figure 4-5.
Note: The contents of the CD-ROM were copied to the server’s internal disk in
our example. Also, the CD-ROM is a source of documentation, and it contains
other tools such as Java, PostgreSQL, and Ethereal.
Note: We recommend that you install the latest version of Fabric Manager
applications. Fabric Manager is backward-compatible with the Cisco MDS
SAN-OS and NX-OS. Upgrade Fabric Manager software first and then
upgrade the Cisco MDS SAN-OS or NX-OS.
Note: Fabric Manager requires Java 1.5 or 1.6, and the CD-ROM contains
the installation binary if necessary.
4. Click Next and then check the selection box, as shown in Figure 4-10.
Note: You can use an existing Postgres installation, but before installing FM
you must create a database with the name dcmd, and define a user and a
password. After that you must choose an existing database option in the FM
installation panel and specify a database URL, DB user name, and password,
as shown in Figure 4-12 on page 97.
Next we must choose the authentication and authorization mode. All MDS 9000
family switches can perform local authentication and authorization, using the
local database stored on the MDS 9000 family switch, director, or management
workstation, or remote authentication and authorization using AAA servers. The
authentication, authorization, and accounting (AAA) feature verifies the identity
of, grants access to, and tracks the actions of users managing a switch.
Note: When the MDS radio button is selected, the FM authentication uses the
user database in the switch for authentication.
At the end of the installation process we can elect to have Fabric Manager create
desktop icons and launch Fabric Manager or Desktop Manager, as shown in
Figure 4-17. We select only to create icons and click Finish.
Figure 4-17 Cisco Fabric Manager Installer Installation completed successfully panel
You can start Fabric Manager from the icon on your desktop or the Windows
Start menu. Enter the IP address or host name of your switch, the user name and
password, and click Discover, as shown in Figure 4-18.
If you have more than one fabric to manage, repeat the above process until you
have all your fabrics discovered. Select which fabric you want to manage and
click Open (Figure 4-19).
The Fabric Manager window shows a graphical presentation of our switch fabric
on the bottom right, an information area on the top, and a navigation window on
the left, which is divided into a logical menu at the top and a physical menu at the
bottom. The content of the information area changes accordingly to represent the
selection chosen in the navigation menu, showing the current selection at the
top.
Depending on your network, either the request packet or the response packet
might end up being dropped. This results in a SNMP time-out message. If you
Click Yes to save changes to the copy configuration table. After the copy process
is finished you can close Fabric Manager.
Upon successful login, the Device Manager application is started and we are
presented with a graphical representation of the physical switch, as shown in
Figure 4-25.
Figure 4-26 shows the Device Manager port summary window. It shows port
mode for all ports and the WWNs of connected devices. There are statistics for
transmission, errors, and discards. Above the list are current CPU, memory, and
flash utilization information and thresholds. This view can be filtered for any
particular VSAN.
To launch the Fabric Manager Web Client, use a Web browser and point to the IP
address of the Fabric Manager Web Server (FMS) and a port number, as shown
in Figure 4-27.
Note: To be able to use the Performance Manager, you must acquire and
install the Cisco Fabric Manager Server Package (FMSERVER_PKG), if not
already present on the switch. The Fabric Manager Server Package License
installed on the MDS 9222i is shown in Example 4-3 on page 108.
Another way to display the licenses is to use the CLI. In Example 4-3 we use the
CLI to display the licenses that are installed on the switch.
Example 4-3 Fabric Manager Server license installed on the MDS switch
mds9222i-1# show license usage
Feature Ins Lic Status Expiry Date Comments Count
-------------------------------------------------------------------------------
DMM_184_PKG No 0 Unused Grace 120D 0H
DMM_9222i_PKG No 0 Unused Grace 120D 0H
Figure 4-28 Inventory Summary tab in the CISCO Fabric Manager Web Client
Figure 4-29 VSAN’s Inventory tab in the Cisco Fabric Manager Web Server
Figure 4-30 Switches Inventory tab in the Cisco Fabric Manager Web Client
Figure 4-31 License Inventory tab in the Cisco Fabric Manager Web Client
Figure 4-32 Modules Inventory tab in the Cisco Fabric Manager Web Client
Figure 4-33 End Devices inventory tab in the Cisco Fabric Manager Web Client
To view inventory information regarding ISLs in our SAN, click the ISLs tab in
the Inventory section, as shown in Figure 4-34.
Figure 4-34 ISLs inventory tab in the Cisco Fabric Manager Web Client
Figure 4-35 Zones inventory tab in the Cisco Fabric Manager Web Client
The Fabric Manager Web Server allows you to create customized reports based
on historical performance, events, and inventory information gathered by the
Fabric Manager Server. You can create aggregate reports with summary and
detailed views. You can also view previously saved reports.
You can create custom reports from all or any subset of information gathered by
Fabric Manager Server. You create a report template by selecting events,
performance, and inventory statistics that you want in your report and set the
desired SAN, fabric, or VSAN to limit the scope of the template.
You can generate and schedule a report of your fabric based on this template
immediately or at a later time. Fabric Manager Web Server saves each report
based on the report template used and the time at which you generate the report.
Figure 4-36 Create a custom report in the Cisco Fabric Manager Web Client
2. Choose the Generate button and get the report from the SAN network, as
shown in Figure 4-37 and Figure 4-38 on page 116.
Figure 4-37 Generate the report from the SAN in the Cisco Fabric Manager Web Client
Figure 4-39 Visio Drawing of the SAN network created by the reporting tool
You can use the Fabric Manager Web Client to collect and analyze performance
data from a monitored SAN. Before doing that it is necessary to configure a
performance monitoring environment.
Note: If you are managing your fabrics with Performance Manager, you need
to set up an initial set of flows and collections on the fabric. You can use the
Fabric Manager Web server to add and remove performance collections. See
Creating Performance Collections under the Help panel.
Note: Performance data is available for display once data collection has
progressed for a time period.
Figure 4-44 Graphical performance reports from the Cisco Fabric Manager Web Client
Figure 4-50 Traffic prediction for ISLs in a one week period of time
You can use the Fabric Manager Web Client to gather and present data
regarding the health status of monitored SAN networks. There are a few options
available to gather valuable information regarding your SAN:
Summary report: Shows a summary of events and problems for all SANs, or a
selected SAN, fabric, or switch. You can click any blue link for more
information about that item.
Fabric Events: Shows a detailed list of events and hardware, or accounting.
You can filter these events by severity, date, and type of event.
SysLog: Shows a detailed list of system messages. You can filter these
events by severity, date, and type of event.
Analysis: Enables you to schedule or run analysis reports and compile results
to analyze the Fabric Manager Server database statistics.
If you experience problems with an unapproved code release, IBM might ask
you to install an approved release before continuing with problem resolution.
Chapter 5.
Security
Before the existence of storage area networks (SANs), and during the initial
migration to SANs, the storage environment was fairly secure due to its physical
isolation from the remainder of the communication network. SANs were typically
entirely contained in the data center, and explicit procedural and physical
controls governed access to the data center. However, with the advent of
optical and FCIP solutions designed to improve high availability and disaster
recovery, this is no longer the case. SANs that span more than a single data
center are now commonplace.
The concepts of who will manage the SAN and how will they manage the SAN
are also areas that need to be considered. Effective security management
strategies can only be implemented once these procedural questions have been
discussed and finalized.
The SSH Client in the MDS also supports a secured method when copying files
(configuration files, log files, SAN-OS and NX-OS images) to and from the
switch.
SSH provides secure communications to the Cisco SAN-OS and NX-OS CLI.
You can use SSH keys for the following SSH options:
SSH2,
SSH1 using RSA
Be sure to have an SSH server key pair with the appropriate version before
enabling the SSH service. Generate the SSH server key pair according to the
SSH client version used. The number of bits specified for each key pair ranges
from 768 to 2048.
Note: If you delete all of the SSH keys, you cannot start a new SSH session.
In the Create SSH Key dialog box select the MDS switches, define the SSH
protocol, and specify the number of bits used to generate the key pairs in the
NumBits drop-down menu, as shown in Figure 5-3.
To transfer files to and from MDS 9000 family switches we recommend using
SCP (secure copy) and SFTP (secure FTP) instead of FTP or TFTP.
The CLI and SNMP user ID and password are maintained separately, so it is
possible for the same ID to have a different password for both the SNMP and the
CLI. However, we do not recommend this.
SNMPv3 provides for both security models and security levels. A security model
is an authentication strategy that is set up for a user and the role in which the
user resides. A security level is the permitted level of security within a security
model. A combination of a security model and a security level determines which
security mechanism is employed when handling an SNMP packet.
Any configuration changes made to the user group, role, or password results in
database synchronization for both SNMP and AAA.
IP access control lists (IPv4-ACLs and IPv6-ACLs) provide basic network
security to all switches in the MDS 9000 Multilayer Switch family. IPv4-ACLs and
IPv6-ACLs restrict IP-related traffic based on the configured IP filters. A filter
contains the rules to match an IP packet, and if the packet matches, the rule also
stipulates whether the packet should be permitted or denied.
Each switch in the MDS 9000 Multilayer Switch family can have a maximum of
128 IPv4-ACLs or 128 IPv6-ACLs, and each IPv4-ACL or IPv6-ACL can have a
maximum of 256 filters.
An ACL is a sequential collection of permit and deny conditions that apply to IP
addresses. The MDS SAN-OS software tests addresses against the conditions in
an access list one by one. The first match determines whether the software
accepts or rejects the address. Because the software stops testing conditions
after the first match, the order of the conditions is critical. If no conditions match,
the software rejects the address.
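The first-match rule just described, as an added example in Python (not SAN-OS code): filters are tested in order, the first match decides, an unmatched packet is denied, and a helper flags a filter that an earlier filter shadows. The networks, hosts, filters and packets are constructed for illustration.

```python
"""First-match evaluation of an IP access list, following the rule in the
text: filters are tested in sequence, the first match decides whether the
packet is permitted or denied, and a packet that matches no filter is denied.

Added example, not the SAN-OS implementation. Networks, hosts and packets are
constructed (RFC 5737 documentation ranges) for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Filter:
    action: str                      # "permit" or "deny"
    src: str                         # source network in CIDR form, or "any"
    dst: str                         # destination network in CIDR form, or "any"
    protocol: str = "ip"             # "ip" matches every protocol
    dst_port: Optional[int] = None   # None matches any destination port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    dst_port: Optional[int] = None


def _net(spec: str):
    return ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


def matches(f: Filter, p: Packet) -> bool:
    """True when every field of the filter covers the packet."""
    return (ip_address(p.src) in _net(f.src)
            and ip_address(p.dst) in _net(f.dst)
            and f.protocol in ("ip", p.protocol)
            and f.dst_port in (None, p.dst_port))


def evaluate(acl: List[Filter], p: Packet) -> str:
    """Return "permit" or "deny". Testing stops at the first matching filter;
    the implicit rule at the end of every list is deny."""
    for f in acl:
        if matches(f, p):
            return f.action
    return "deny"


def first_shadowed(acl: List[Filter]) -> Optional[int]:
    """Index of the first filter that can never be reached because an earlier
    filter already covers all of its addresses, protocol and port. A shadowed
    deny is the classic symptom of filters in the wrong order."""
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if (_net(later.src).subnet_of(_net(earlier.src))
                    and _net(later.dst).subnet_of(_net(earlier.dst))
                    and earlier.protocol in ("ip", later.protocol)
                    and earlier.dst_port in (None, later.dst_port)):
                return i
    return None


# Constructed policy: the management subnet 192.0.2.0/24 may reach the switch
# management address 198.51.100.10 over SSH, except for the host 192.0.2.99.
SWITCH_MGMT = "198.51.100.10/32"
ACL_WRONG_ORDER = [
    Filter("permit", "192.0.2.0/24", SWITCH_MGMT, "tcp", 22),
    Filter("deny", "192.0.2.99/32", SWITCH_MGMT, "tcp", 22),  # never reached
]
ACL_RIGHT_ORDER = [
    Filter("deny", "192.0.2.99/32", SWITCH_MGMT, "tcp", 22),
    Filter("permit", "192.0.2.0/24", SWITCH_MGMT, "tcp", 22),
]

if __name__ == "__main__":
    blocked_host_ssh = Packet("192.0.2.99", "198.51.100.10", "tcp", 22)
    print(evaluate(ACL_WRONG_ORDER, blocked_host_ssh))   # permit (wrong)
    print(evaluate(ACL_RIGHT_ORDER, blocked_host_ssh))   # deny
    print(first_shadowed(ACL_WRONG_ORDER))                # 1
```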
Crypto IPv4-ACLs
IP access control lists (IPv4-ACLs) provide basic network security to all switches
in the Cisco MDS 9000 family. IPv4 IP-ACLs restrict IP-related traffic based on
the configured IP filters.
In the context of crypto maps, IPv4-ACLs are different from regular IPv4-ACLs.
Regular IPv4-ACLs determine what traffic to forward or block at an interface. For
example, IPv4-ACLs can be created to protect all IP traffic between subnet A and
subnet Y or Telnet traffic between host A and host B.
Crypto IPv4-ACLs associated with IPsec crypto map entries have four primary
functions:
Select outbound traffic to be protected by IPsec (permit = protect).
Indicate the data flow to be protected by the new SAs (specified by a single
permit entry) when initiating negotiations for IPsec SAs.
Process inbound traffic to filter out and discard traffic that should have been
protected by IPsec.
Determine whether to accept requests for IPsec SAs on behalf of the
requested data flows when processing IKE negotiation from the IPsec peer.
Note: If you want some traffic to receive one type of IPsec protection (for
example, encryption only) and other traffic to receive a different type of IPsec
protection (for example, both authentication and encryption), create two
IPv4-ACLs. Use both IPv4-ACLs in different crypto maps to specify different
IPsec policies.
Note: Each role can contain multiple users, and each user can be part of
multiple roles. For example, if role 1 users are only allowed access to
configuration commands, and role 2 users are only allowed access to debug
commands, then a user who belongs to both role 1 and role 2 can access
configuration as well as debug commands.
Note: If a user only belongs to one of the newly created roles and that role is
subsequently deleted, then the user immediately defaults to the
network-operator role.
You can use SNMP to modify a role that was created using CLI and vice versa.
Each role in SNMP is the same as a role created or modified through the CLI.
Common roles allow you to use a set of rules to set the scope of VSAN security.
Each role can be restricted to one or more VSANs as required.
Note: If you belong to multiple roles, you can execute a union of all the
commands permitted by these roles. Access to a command takes priority over
being denied access to a command. For example, suppose that you belong to
a group called STG and you were denied access to configuration commands.
However, you also belong to the ITSO group and are permitted access to
configuration commands. In this case, you will have access to configuration
commands.
You can add a new role by selecting the create row icon in Fabric Manager, as
shown in Figure 5-6.
Role configuration tasks can also be done from the CLI, as shown in
Example 5-1.
Role: server-admin
Description: Predefined system role for server administrators. This role
cannot be modified.
Vsan policy: permit (default)
-------------------------------------------------
Rule Type Command-type Feature
-------------------------------------------------
1 permit show *
2 permit exec install
Role: default-role
Description: This is a system defined role and applies to all users.
Vsan policy: permit (default)
-------------------------------------------------
Rule Type Command-type Feature
-------------------------------------------------
1 permit show system
2 permit show snmp
3 permit show module
4 permit show hardware
5 permit show environment
Role: ITSO_Admins
Description: Admins from ITSO in San Jose
Vsan policy: deny
Permitted vsans: 1-4093
-------------------------------------------------
Rule Type Command-type Feature
-------------------------------------------------
1 permit show *
2 permit config *
3 permit exec *
Role: SAN_monitor
Description: SAN Monitoring
Vsan policy: deny
Permitted vsans: 10,20,30
-------------------------------------------------
Rule Type Command-type Feature
-------------------------------------------------
1 permit show system
2 permit show module
3 permit show hardware
4 permit show environment
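The union-of-roles rule from the note above and the VSAN-scoped roles of Example 5-1, as an added Python model (not the switch's own authorization code): the four roles are transcribed from Example 5-1, while the STG role, the evaluation order inside a role, and the requirement that the permitting role also cover the VSAN are assumptions for illustration.

```python
"""Role-based command authorization as described in the text: a user holding
several roles may run the union of the commands those roles permit, a permit
in one role outweighs a denial in another, and a role can be restricted to a
set of VSANs. The roles below copy Example 5-1; the STG role and the
evaluation order within a role are assumptions for illustration, not the
switch's own logic."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import List, Optional, Set


@dataclass(frozen=True)
class Rule:
    number: int
    action: str        # "permit" or "deny"
    command_type: str  # "show", "config" or "exec"
    feature: str       # feature name, or "*" for every feature


@dataclass
class Role:
    name: str
    rules: List[Rule]
    vsan_policy: str = "permit"                             # "permit" = every VSAN
    permitted_vsans: Set[int] = field(default_factory=set)  # used when "deny"


def parse_vsan_list(spec: str) -> Set[int]:
    """Expand a 'Permitted vsans' field such as '1-4093' or '10,20,30'."""
    vsans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vsans.update(range(int(lo), int(hi or lo) + 1))
    return vsans


def role_permits(role: Role, command_type: str, feature: str) -> bool:
    """Assumption: within one role a command is permitted when some permit
    rule matches it and no deny rule matches it (Example 5-1 has no deny
    rules, so this choice does not change the result for those roles)."""
    hits = [r for r in role.rules
            if r.command_type == command_type and fnmatch(feature, r.feature)]
    return (any(r.action == "permit" for r in hits)
            and not any(r.action == "deny" for r in hits))


def role_covers_vsan(role: Role, vsan: int) -> bool:
    return role.vsan_policy == "permit" or vsan in role.permitted_vsans


def authorized(roles: List[Role], command_type: str, feature: str,
               vsan: Optional[int] = None) -> bool:
    """Union across roles: the command is allowed if any role permits it and,
    when the command acts on a VSAN, that same role also covers the VSAN."""
    return any(role_permits(r, command_type, feature)
               and (vsan is None or role_covers_vsan(r, vsan))
               for r in roles)


# Roles transcribed from Example 5-1.
SERVER_ADMIN = Role("server-admin", [Rule(1, "permit", "show", "*"),
                                     Rule(2, "permit", "exec", "install")])
DEFAULT_ROLE = Role("default-role", [
    Rule(n, "permit", "show", f) for n, f in
    enumerate(["system", "snmp", "module", "hardware", "environment"], 1)])
ITSO_ADMINS = Role("ITSO_Admins", [Rule(1, "permit", "show", "*"),
                                   Rule(2, "permit", "config", "*"),
                                   Rule(3, "permit", "exec", "*")],
                   vsan_policy="deny", permitted_vsans=parse_vsan_list("1-4093"))
SAN_MONITOR = Role("SAN_monitor", [
    Rule(n, "permit", "show", f) for n, f in
    enumerate(["system", "module", "hardware", "environment"], 1)],
    vsan_policy="deny", permitted_vsans=parse_vsan_list("10,20,30"))
# Constructed role mirroring the STG group in the note: denied config commands.
STG = Role("STG", [Rule(1, "permit", "show", "*"),
                   Rule(2, "deny", "config", "*")])

if __name__ == "__main__":
    # A user in STG and ITSO_Admins: the ITSO permit wins over the STG denial.
    print(authorized([STG, ITSO_ADMINS], "config", "zone"))        # True
    # SAN_monitor may show hardware in VSAN 20 but not in VSAN 40.
    print(authorized([SAN_MONITOR], "show", "hardware", vsan=20))  # True
    print(authorized([SAN_MONITOR], "show", "hardware", vsan=40))  # False
```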
Accounting refers to the log that is kept for tracking each management session in
a switch. This log provides accountability and can be an invaluable tool for
troubleshooting.
RADIUS is a fully open protocol, distributed in source code format, that can be
modified to work with any security system currently available on the market.
You can set the RADIUS server address, the RADIUS preshared key, the
RADIUS server time-out interval, and iterations of the RADIUS server; define
vendor-specific attributes; and display RADIUS server details.
You must configure the RADIUS preshared key to authenticate the switch to the
RADIUS server. The length of the key is restricted to 64 characters and can
include any printable ASCII characters (white spaces are not allowed). You can
configure a global key to be used for all RADIUS server configurations on the
switch. You can override this global key assignment by explicitly using the key
option when configuring an individual RADIUS server.
As shown in Figure 5-10 on page 146, in the Create RADIUS Server dialog box
you are required to specify parameters to configure the RADIUS server:
Select the switches that you want to assign as RADIUS servers.
Assign an index number to identify the RADIUS server.
Select the IP address type for the RADIUS server.
Fill in the IP address or name for the RADIUS server.
Optionally, modify the authentication and accounting ports used by this
RADIUS server.
Select the appropriate key type for the RADIUS server.
Select the TimeOut value in seconds. The valid range is 0 to 60 seconds.
Select the number of times the switch tries to connect to RADIUS servers
before reverting to local authentication.
Enter the test idle time interval value in minutes. The valid range is 1 to 1440
minutes.
Enter the test user with the default password. The default username is test.
You can verify the RADIUS server configuration from the CLI, as shown in
Example 5-2.
9.43.86.12:
        available for authentication on port:1812
        available for accounting on port:1813
        RADIUS shared secret:********
A Cisco MDS switch uses the Terminal Access Controller Access Control System
Plus (TACACS+) protocol to communicate with remote AAA servers. You can
configure multiple TACACS+ servers and set timeout values.
TACACS+ is a client/server protocol that uses TCP (TCP port 49) for transport
requirements. All switches in the Cisco MDS 9000 family provide centralized
authentication using the TACACS+ protocol. TACACS+ has the following
advantages over RADIUS authentication:
Provides independent, modular AAA facilities. Authorization can be done
without authentication.
Uses the TCP transport protocol to send data between the AAA client and
server, making reliable transfers with a connection-oriented protocol.
Encrypts the entire protocol payload between the switch and the AAA server
to ensure higher data confidentiality. The RADIUS protocol only encrypts
passwords.
Fabric Manager allows you to set up a default configuration that can be used for
any TACACS+ server that you configure the switch to communicate with. The
default configuration includes:
Encryption type
Preshared key
Timeout value
Number of retransmission attempts
Allowing the user to specify a TACACS+ server at login
For high-availability purposes you can specify multiple remote AAA servers to
authenticate users using server groups. If you had multiple servers you would
enter the index ID of each server sequentially, separated by commas. All
members of a group must use the same protocol, either RADIUS or TACACS+.
You need to configure the TACACS+ preshared key to authenticate the switch to
the TACACS+ server. The length of the key is restricted to 64 characters and can
Note: You can override this global key assignment by explicitly using the key
option when configuring an individual TACACS+ server.
FIPS specifies certain crypto algorithms as secure, and it also identifies which
algorithms should be used if a cryptographic module is to be called FIPS
compliant.
5.2.1 VSANs
You can achieve higher security and greater stability in Fibre Channel fabrics by
using virtual SANs (VSANs). VSANs provide isolation among devices that are
physically connected to the same fabric. With VSANs you can create multiple
logical SANs over a common physical infrastructure. Each VSAN can contain up
to 239 switches and has an independent address space that allows identical
Fibre Channel IDs (FC IDs) to be used simultaneously in different VSANs.
VSANs are a very effective tool for securing access to the fabric and preventing
intentional or accidental wrongdoing. Fibre Channel services are replicated
across VSANs, and no communication occurs between VSANs unless
configured to do so using Inter-VSAN Routing (IVR).
There are two VSANs created on the switch by default. They are VSANs 1 and
4094. VSAN 4094 is referred to as the isolated VSAN. When a VSAN is deleted
that has active ports, the ports are subsequently moved to the isolated VSAN.
Ports in the isolated VSAN are unable to communicate with any other ports,
including other ports that are in the isolated VSAN. Because of this behavior,
moving all ports into the isolated VSAN at initial configuration would be a very
By default all ports are in VSAN 1. We do not recommend using VSAN 1 as your
production VSAN. By creating a separate VSAN for your production traffic you
effectively isolate your production devices from any device that is later connected
to the switch. Again, a manual configuration change would be required to move a
port from VSAN 1 to an active production VSAN. Creating separate VSANs also
allows zoning granularity such that a misconfiguration of the zone in one VSAN
does not cause a problem for any of the other VSANs. Extra precautions need to
be considered in IVR environments.
The use of VSANs does not preclude the use of zoning. The two features are
complementary.
5.2.2 Zoning
Zoning is the mechanism in FC fabrics that controls what ports are allowed to
inter-communicate. Zoning is done on a per-fabric basis, or in the case of MDS
switches on a per-VSAN/fabric basis. There can only be one active zoneset per
fabric. There can be multiple zonesets, but only one can be active at a time.
Zoning enables you to set up access control between storage devices or user
groups. If you have administrator privileges in your fabric, you can create zones
to increase network security and to prevent data loss or corruption. Zoning is
enforced by examining the source-destination ID field.
By default all devices are initially placed into a default zone. When devices are
moved to a user-defined zone they are removed from this default zone. On an
MDS switch the default zone is set to deny by default.
All switches in the MDS 9000 Multilayer Fabric Switch family support
switch-to-switch and host-to-switch authentication, and the authentication can be
performed either locally or remotely. Configuring this feature requires the
Enterprise package license. Use of the DHCHAP authentication protocol helps to
prevent either accidental or intentional fabric disruption by preventing
unauthorized switches or devices from connecting to the fabric.
The impact of configuring the DHCHAP feature along with existing MDS features
is identified below:
PortChannel interfaces: If DHCHAP is enabled for ports belonging to a
PortChannel, DHCHAP authentication is performed at the physical interface
level, not at the PortChannel level.
FCIP interfaces: The DHCHAP protocol works with the FCIP interface just as
it would with a physical interface.
Port security or fabric binding: Fabric binding policies are enforced based on
identities authenticated by DHCHAP.
VSANs: DHCHAP authentication is not done on a per-VSAN basis.
High availability: DHCHAP authentication works transparently with existing
HA features.
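The switch-to-switch exchange described above, as an added Python model that is not code from this book or from NX-OS: it uses the NULL DH group (where DH-CHAP reduces to plain CHAP over a shared secret) with MD5 or SHA-1, the two hash algorithms MDS DHCHAP supports; the sWWNs and passwords are constructed, and the message layout (transaction ID, challenge, hash) is this example's simplification, not the FC-SP wire format.

```python
"""Simplified bidirectional DH-CHAP (NULL DH group) between two switches.
Added example; sWWNs, passwords and message layout are constructed."""
import hashlib
import secrets
from typing import Dict, NamedTuple


class DhchapSwitch(NamedTuple):
    swwn: str
    password: str             # this switch's own DHCHAP password
    peers: Dict[str, str]     # password stored per remote sWWN
    hash_alg: str = "sha1"    # "md5" or "sha1", as on MDS


def response(hash_alg: str, txid: int, secret: str, challenge: bytes) -> bytes:
    """H(T || K || C): proof of the secret, bound to this transaction's challenge."""
    h = hashlib.new(hash_alg)
    h.update(txid.to_bytes(4, "big"))
    h.update(secret.encode())
    h.update(challenge)
    return h.digest()


def authenticate(initiator: DhchapSwitch, responder: DhchapSwitch,
                 txid: int = 1) -> Dict[str, bool]:
    """Exchange on a new ISL. Each side proves its own password against a
    challenge from the other side; each side verifies with the password it has
    stored for the peer's sWWN. Unknown sWWN or wrong secret: link rejected."""
    alg = initiator.hash_alg
    # 1. initiator -> responder: challenge C1 for transaction txid
    c1 = secrets.token_bytes(16)
    # 2. responder -> initiator: R1 over its own password, plus its challenge C2
    r1 = response(alg, txid, responder.password, c1)
    c2 = secrets.token_bytes(16)
    # 3. initiator checks R1 with the password it holds for responder.swwn
    stored = initiator.peers.get(responder.swwn)
    responder_ok = stored is not None and secrets.compare_digest(
        r1, response(alg, txid, stored, c1))
    # 4. initiator -> responder: R2 over the initiator's own password
    r2 = response(alg, txid, initiator.password, c2)
    stored = responder.peers.get(initiator.swwn)
    initiator_ok = stored is not None and secrets.compare_digest(
        r2, response(alg, txid, stored, c2))
    return {"responder_authenticated": responder_ok,
            "initiator_authenticated": initiator_ok,
            "link_allowed": responder_ok and initiator_ok}


# Constructed switches: two legitimate peers, one switch claiming a known sWWN
# with the wrong password, and one whose sWWN has no password stored anywhere.
SW_A = DhchapSwitch("20:00:00:0d:ec:00:00:01", "pw-a",
                    {"20:00:00:0d:ec:00:00:02": "pw-b"})
SW_B = DhchapSwitch("20:00:00:0d:ec:00:00:02", "pw-b",
                    {"20:00:00:0d:ec:00:00:01": "pw-a"})
SW_IMPOSTOR = DhchapSwitch("20:00:00:0d:ec:00:00:02", "guess",
                           {"20:00:00:0d:ec:00:00:01": "pw-a"})
SW_UNKNOWN = DhchapSwitch("20:00:00:0d:ec:00:00:99", "pw-x", {})
```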
When port security is enabled, all FLOGI and initialization requests from
unauthorized devices (Nx ports) and switches (xE ports) are rejected, and the
intrusion attempts are logged.
To enforce port security, you need to configure the devices and switch port
interfaces through which each device or switch is connected. You can use either
the port world wide name (pWWN) or the node world wide name (nWWN) to
specify the Nx port connection for each device. For switches, you use the switch
world wide name (sWWN) to specify the xE port connection. Each Nx and xE
port can be configured to restrict a single port or a range of ports.
Enforcement of port security policies is done on every activation and when the
port tries to initialize.
Use the port world wide name or the node world wide name to specify the Nx
port connection for each device.
Use the switch world wide name to specify the xE port connection for each
switch.
The port security feature uses two databases and implements configuration
changes:
Configuration database: All configuration changes are stored in the
configuration database.
Active database: The database currently enforced by the fabric. The port
security feature requires all devices connecting to a switch to be part of the
port security active database. The software uses this active database to
enforce authorization.
You can instruct the switch to automatically learn (auto-learn) the port security
configurations. The auto-learn option allows any switch in the MDS 9000
Multilayer Fabric Switch family to automatically learn about devices and switches
that connect to it. Using this feature to implement port security saves tedious
manual configuration for each port. Auto-learn is configured on a per-VSAN
Learned entries on a port are cleaned up after that port is shut down if
auto-learning is still enabled. Learning does not override the existing configured
port security policies. So, for example, if an interface is configured to allow a
specific pWWN, then auto-learning does not add a new entry to allow any other
pWWN to that interface. All other pWWNs will be blocked even in auto-learning
mode. No entries are learned for a port in the shutdown state.
Note: If you enable auto-learning before activating port security, you cannot
activate until auto-learning is disabled.
By default, the port security feature is not activated. When you activate the port
security feature, the auto-learn option is also automatically enabled. You can
choose to activate the port security feature and disable auto-learn. In this case,
you need to manually configure the port security database by individually adding
each port.
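The port security rules described above (configuration and active databases, activation enabling auto-learn, learning that never overrides a configured entry, cleanup on shutdown), as an added Python model that is not code from this book or from NX-OS; the interface names and host WWNs are constructed, the SVC pWWN is one this book uses.

```python
"""Model of MDS port security with auto-learn. Added example; interface names
and the 21:00:00:e0:8b:... host WWNs are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


def activation_allowed(ps: "PortSecurity") -> bool:
    """Auto-learn enabled before activation blocks activation (see the note above)."""
    return not (ps.auto_learn and not ps.activated)


@dataclass
class PortSecurity:
    configured: Dict[str, Set[str]] = field(default_factory=dict)  # configuration database
    active: Dict[str, Set[str]] = field(default_factory=dict)      # database the fabric enforces
    learned: Dict[str, Set[str]] = field(default_factory=dict)     # auto-learned part of `active`
    activated: bool = False
    auto_learn: bool = False
    shut: Set[str] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def configure(self, iface: str, wwn: str) -> None:
        """Manually allow a pWWN/nWWN (Nx port) or sWWN (xE port) on an interface."""
        self.configured.setdefault(iface, set()).add(wwn)

    def activate(self) -> None:
        """Activation copies the config DB to the active DB and turns auto-learn on."""
        if not activation_allowed(self):
            raise RuntimeError("disable auto-learn before activating port security")
        self.active = {i: set(w) for i, w in self.configured.items()}
        self.activated = True
        self.auto_learn = True

    def login(self, iface: str, wwn: str) -> bool:
        """FLOGI or switch initialization from `wwn` on `iface`: enforce, then maybe learn."""
        if iface in self.shut:
            return False                          # nothing is learned for a shut port
        if not self.activated:
            return True                           # feature not active: nothing enforced
        if wwn in self.active.get(iface, set()):
            return True
        if self.auto_learn and iface not in self.configured:
            # Learning never overrides an explicit policy: an interface configured
            # for a specific WWN keeps blocking every other WWN.
            self.active.setdefault(iface, set()).add(wwn)
            self.learned.setdefault(iface, set()).add(wwn)
            self.log.append(f"{iface}: learned {wwn}")
            return True
        self.log.append(f"{iface}: rejected {wwn} (port security)")  # intrusion logged
        return False

    def shutdown(self, iface: str) -> None:
        """Learned entries are cleaned up when the port is shut while auto-learn is on."""
        self.shut.add(iface)
        if self.auto_learn:
            for wwn in self.learned.pop(iface, set()):
                self.active.get(iface, set()).discard(wwn)

    def no_shutdown(self, iface: str) -> None:
        self.shut.discard(iface)


def run_scenario() -> List[bool]:
    """Constructed sequence of logins; returns the accept/reject decisions."""
    ps = PortSecurity()
    ps.configure("fc1/5", "50:05:07:68:01:10:37:e5")     # pin the SVC port to fc1/5
    ps.activate()                                          # auto-learn is now on
    results = [
        ps.login("fc1/5", "50:05:07:68:01:10:37:e5"),      # True: configured entry
        ps.login("fc1/5", "21:00:00:e0:8b:aa:aa:aa"),      # False: fc1/5 is pinned
        ps.login("fc1/6", "21:00:00:e0:8b:bb:bb:bb"),      # True: learned on fc1/6
    ]
    ps.shutdown("fc1/6")                                   # learned entry removed
    ps.no_shutdown("fc1/6")
    ps.auto_learn = False                                  # manual mode from here on
    results.append(ps.login("fc1/6", "21:00:00:e0:8b:bb:bb:bb"))  # False: not configured
    ps.configure("fc1/6", "21:00:00:e0:8b:bb:bb:bb")
    ps.activate()                                          # push config DB to active DB
    results.append(ps.login("fc1/6", "21:00:00:e0:8b:bb:bb:bb"))  # True
    return results
```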
A principal switch is elected based upon switch priority (MDS switches default to
128) and switch WWN (sWWN). The lower the switch priority value, the higher
the switch priority. When two switches have the same priority the switch with the
lower sWWN becomes the principal switch.
To avoid a potential problem with principal switch selection and the subsequent
domain ID distribution, each switch in the MDS 9000 Multilayer Fabric Switch
family has the ability to set the switch priority.
If the domain ID of a switch changes, this is a disruptive event for devices that are
logged into the local switch. Remember that the first byte of the FCID contains
the domain ID of the switch that the device is connected to, so if this changes,
locally attached devices need to log out and back into the fabric in order to be
assigned a new FCID.
When the assigned and requested domain IDs are different, the following cases
apply:
If the configured type is static, the assigned domain ID is discarded, all local
interfaces are isolated, and the local switch assigns itself the configured
domain ID, which becomes the running domain ID.
If the configured type is preferred, the local switch accepts the domain ID
assigned by the principal switch and the assigned domain ID becomes the
running domain ID.
Note: Configuring domain IDs on each switch in the fabric and setting the type
to static can help to prevent accidental or intentional disruption caused by
domain ID distribution. This is also beneficial when troubleshooting
switch-to-switch type of problems.
Example 5-4 shows how to configure and verify static domain IDs.
Remember that the first byte of the FCID is the domain ID of the switch, so static
switch domain IDs should be configured when using persistent FCIDs.
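The election and domain ID rules in this section (lower priority value wins, ties go to the lower sWWN; static versus preferred handling when the assigned ID differs; the first byte of the FCID being the domain ID), as an added Python model that is not code from this book or from NX-OS; the switch names and sWWNs are constructed, the FCIDs 0x0b000a and 0x9c0100 are ones this book's examples show.

```python
"""Principal-switch election, domain ID assignment and FCID decoding.
Added example; switch names and sWWNs below are constructed."""
from typing import Dict, List, NamedTuple, Optional, Tuple


class Switch(NamedTuple):
    name: str
    swwn: str                        # switch WWN
    priority: int = 128              # MDS default
    domain_id: Optional[int] = None  # configured domain ID, if any
    domain_type: str = "preferred"   # "preferred" or "static"


def wwn_to_int(wwn: str) -> int:
    return int(wwn.replace(":", ""), 16)


def elect_principal(switches: List[Switch]) -> Switch:
    """Lower priority value wins; equal priority falls back to the lower sWWN."""
    return min(switches, key=lambda s: (s.priority, wwn_to_int(s.swwn)))


def assign_domains(switches: List[Switch]) -> Dict[str, Tuple[int, bool]]:
    """The principal hands out domain IDs (1..239 per VSAN).
    Returns name -> (running domain ID, local interfaces isolated?)."""
    principal = elect_principal(switches)
    taken: set = set()
    out: Dict[str, Tuple[int, bool]] = {}
    for sw in sorted(switches, key=lambda s: s != principal):   # principal first
        requested = sw.domain_id
        if requested is not None and requested not in taken:
            assigned = requested
        else:
            assigned = next(d for d in range(1, 240) if d not in taken)
        if requested is not None and assigned != requested and sw.domain_type == "static":
            out[sw.name] = (requested, True)   # discards the assigned ID, isolates itself
            continue
        taken.add(assigned)
        out[sw.name] = (assigned, False)       # preferred: accepts the assigned ID
    return out


def fcid_domain(fcid: int) -> int:
    """First byte of the 24-bit FCID is the domain ID of the switch the device is on."""
    return (fcid >> 16) & 0xFF


def relogin_needed(old_fcid: int, new_domain: int) -> bool:
    """A domain ID change invalidates the FCIDs of locally attached devices."""
    return fcid_domain(old_fcid) != new_domain


# Constructed fabric: three switches all configured for domain 11.
SW_A = Switch("mds-a", "20:00:00:0d:ec:00:00:01", domain_id=11, domain_type="static")
SW_B = Switch("mds-b", "20:00:00:0d:ec:00:00:02", domain_id=11, domain_type="static")
SW_C = Switch("mds-c", "20:00:00:0d:ec:00:00:03", domain_id=11, domain_type="preferred")
```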
MDS switches also provide the ability to statically assign FCIDs. For the most
part this is not necessary except in high security situations or migration scenarios
where AIX or HP-UX servers are being migrated.
As shown in Figure 5-13, you can change FCIDs from dynamic to static from the
Domain Manager by selecting the Persistent FcIDs tab.
Chapter 6.
Implementation
In this chapter we describe the steps necessary to implement and set up the
Cisco MDS 9000 family switches.
Before you configure the switch for the first time, gather the following information:
New administrator password
Switch name
IP address for the management Ethernet
Subnet mask for the management Ethernet
Default gateway IP address (optional)
DNS server IP address (optional)
NTP server IP address (optional)
SNMP v3 secret key (optional)
We assume that you are already connected to the console serial port of the
switch, but that the switch is still powered off. In Example 6-1 we connect to an
MDS 9222i and power on the switch. The basic system configuration dialog
starts.
Note: The steps shown in our example might differ, depending on which
features you want to activate and configure. However, the prompts in the basic
system configuration dialog are somewhat self-explanatory.
This setup utility will guide you through the basic configuration of
the system. Setup configures only enough connectivity for management
of the system.
Would you like to enter the basic configuration dialog (yes/no): yes
Do you want to enforce secure password standard (yes/no) [y]:
Create another login account (yes/no) [n]:
Note: If you confirm to save the configuration in the last step, none of your
changes are updated until the next time that the switch is rebooted. Ensure
that you type yes here to save the new configuration.
The basic configuration is now finished, and we can proceed to upgrade the
SAN-OS or NX-OS to the latest available level.
Figure 6-3 Second method to start a command-line interface from a Device Manager
Software
BIOS: version 1.0.15
loader: version N/A
kickstart: version 4.1(1) [build 4.1(0.182)] [gdb]
system: version 4.1(1) [build 4.1(0.182)] [gdb]
BIOS compile time: 07/16/08
kickstart image file is:
bootflash:/m9200-s2ek9-kickstart-mzg.4.1.0.182.bin
kickstart compile time: 10/12/2020 25:00:00 [08/15/2008 18:42:09]
system image file is: bootflash:/m9200-s2ek9-mzg.4.1.0.182.bin
system compile time: 12/25/2010 12:00:00 [08/15/2008 20:03:21]
Hardware
cisco MDS 9222i ("4x1GE IPS, 18x1/2/4Gbps FC/Sup2")
Motorola, e500v2 with 1036512 kB of memory.
Processor Board ID JAE12088ZMT
If needed, you may list the remote supervisor bootflash space as in an MDS 9513,
which has dual supervisors. List the bootflash space as shown in Example 6-4.
Ensure that the FTP server is reachable in order to copy the required files.
Firewalls may prevent you from reaching the FTP server.
Example 6-5 Copy files to a remote server
Prior to starting the actual upgrade process, back up the running configuration to
an FTP server, as shown in Example 6-6.
After backing up the configuration, start the upgrade using the install all
command, as shown in Example 6-7.
Example 6-7 Upgrading the director using the install all command
Extracting "system" version from image bootflash:/m9200-s2ek9-mz.4.1.1.bin.
[####################] 100% -- SUCCESS
After the upgrade has completed, we verify the version using the show version
command, as shown in Example 6-8.
Software
BIOS: version 1.0.15
loader: version N/A
kickstart: version 4.1(1)
system: version 4.1(1)
BIOS compile time: 07/16/08
Hardware
cisco MDS 9222i ("4x1GE IPS, 18x1/2/4Gbps FC/Sup2")
Motorola, e500v2 with 1036316 kB of memory.
Processor Board ID JAE12088ZMT
The CLI can be used to delete old NX-OS files to free up bootflash space on the
active supervisor if needed, as shown in Example 6-9.
Example 6-9 Freeing up bootflash space
mds9513# dir bootflash://sup-remote
mds9513# delete bootflash://sup-remote/m9200-s2ek9-mzg.4.1.0.182.bin
mds9513# delete bootflash://sup-remote/m9200-s2ek9-kickstart-mzg.4.1.0.182.bin
Note: When deleting files from the bootflash make sure that they will no longer
be needed.
Figure 6-4 Upgrade the SAN-OS or the NX-OS using Fabric Manager
Note: The complete path to the file location must be specified for this step to
complete successfully. Ensure that the firewall does not prevent access to the
FTP server.
The wizard does not verify whether the images match the specified size, but
the value is used to verify whether the amount of corresponding free space is
available on the bootflash, prior to initiating the download.
Should you encounter an insufficient amount of bootflash space you may take
recovery action by clicking the Edit button, as suggested in Figure 6-8, or you
may use the Device Manager option to delete bootflash files, as shown in
Figure 6-9 on page 179 and Figure 6-10 on page 179.
If you want to perform the upgrade unattended, then in order to avoid being
prompted to start the upgrade, you can check Ignore Versions Check Results,
as shown in Figure 6-12.
The license key file is sent to you by e-mail. The license key file is digitally signed
to only authorize use on the switch for which it was requested. The requested
features are also enabled once the NX-OS or SAN-OS software on the specified
switch accesses the license key file.
When selecting the Copy option, when prompted, define the transfer protocol,
server address, login credentials, and the source and target file names, and once
done, click Apply to start the copy, as in Figure 6-22.
Copy status notification is displayed in the bottom left of the Copy Files window,
and upon completion we are notified that the file transfer was successful, as
shown in Figure 6-23.
We have now transferred the license file to the bootflash, and we can proceed
with installation of the license feature.
2. On the Install tab, click the pull-down icon to display available license files (in
the bootflash), as shown in Figure 6-25.
4. Upon completion of the license file installation, click Refresh on the Feature
tab, and verify that the desired feature has been activated, as shown in
Figure 6-27.
Example 6-12 Copy license file to the bootflash and list files on the bootflash
mds9222i-2# show license host-id
License hostid: VDH=FOX111504SL
mds9222i-2# copy ftp://9.43.86.49/root/Lic/FOX111504SL.lic bootflash:
Subsequently, install the received license on the switch and then display the
installed licenses, as shown in Example 6-13.
Authentication
User authentication can be configured to be performed locally on the switch (in
the lookup database) or remotely using one or more RADIUS, TACACS+ servers,
or MDS.
In the following section we authenticate using local authentication. For detailed
information about how to set up remote authentication (RADIUS, TACACS+,
MDS) consult the MDS config-guide:
http://www.cisco.com/en/US/products/ps5989/products_installation_and_configuration_guides_list.html
Authorization
By default the two roles, network-operator and network-admin, exist in all Cisco
MDS 9000 family switches and cannot be changed or deleted, although you can
create other roles:
Network-operator
Has permission to view the configuration only and cannot make any
configuration changes.
Network-admin
Has permission to execute all commands and configuration changes. The
administrator has the permission to create up to 64 additional roles.
Creating roles
To create a role, we define the name of the role and the profile, which specifies
the permissions for the role. In Example 6-14 we create the ITSO_role role and
give this administrator access only to VSANs 10 and 20.
Role: network-admin
Description: Predefined Network Admin group. This role cannot be
modified
Access to all the switch commands
Role: network-operator
Description: Predefined Network Operator group. This role cannot be
modified
Access to Show commands and selected Exec commands
Role: server-admin
Description: Predefined system role for server administrators.
This role cannot be modified.
Vsan policy: permit (default)
-------------------------------------------------
Rule Type Command-type Feature
-------------------------------------------------
1 permit show *
2 permit exec install
Role: default-role
Description: This is a system defined role and applies to all users.
Vsan policy: permit (default)
-------------------------------------------------
Rule Type Command-type Feature
-------------------------------------------------
1 permit show system
2 permit show snmp
3 permit show module
4 permit show hardware
5 permit show environment
Role: ITSO_role
Description: Admin for VSAN10_VSAN20
Vsan policy: deny
2. Select the Roles tab and click the create row icon, as shown in Figure 6-29.
After closing the role creation window, see that the created role is now listed,
as shown in Figure 6-31.
As you can see, we have the option to define an expiry date for the user that we
create. To delete a user, we simply delete the row of the user to be deleted.
For further details on user and host creation, consult the MDS Cisco
Configuration Guide:
http://www.cisco.com/en/US/products/ps5989/products_installation_and_configuration_guides_list.html
6.1.7 VSAN
A Virtual Storage Area Network (VSAN) is a unique feature of the Cisco MDS
9000 family that enables dividing the physical Fibre Channel fabric into virtual
SAN fabrics. Each VSAN is a completely separate SAN fabric, with its own set of
domain IDs, fabric services, zones, namespace, and interoperability mode.
Up to 256 VSANs can be configured in a single switch. The VSAN numbers can
range from 1 to 4094. VSAN number 1 is called the default VSAN and is the
VSAN that initially contains all of the ports in the switch. If you do not have to
divide the fabric into VSANs, you can leave all ports in the default VSAN.
The VSAN number 4094 is called the isolated VSAN, and any port configured
into that VSAN is isolated from all other ports. If you delete a VSAN, all ports in it
are moved to the isolated VSAN to avoid implicit transfer of the ports to the
default VSAN.
Note: A best practice for a large SAN environment is not to use VSAN1 while
disallowing communication between ports that are not defined in a zone (at
setup this is defined as default zone policy deny) and additionally not define
any zones in VSAN1. Doing this prevents any accidental communication of
new devices or hosts attached to the fabric since they by default belong to
VSAN1.
vsan 10 information
         name:ITSO_VSAN_10  state:active
         interoperability mode:default
         loadbalancing:src-id/dst-id/oxid
vsan 20 information
         name:ITSO_VSAN_20  state:active
         interoperability mode:default
         loadbalancing:src-id/dst-id/oxid
         operational state:up
vsan 30 information
         name:ITSO_VSAN_30  state:active
         interoperability mode:default
         loadbalancing:src-id/dst-id/oxid
         operational state:up
vsan 10 interfaces:
vsan 20 interfaces:
    fc1/5    fc1/6    fc1/7    fc1/8
    fc1/16
vsan 30 interfaces:
    fc1/9    fc1/10    fc1/11    fc1/12
    fc1/17
Note: When assigning port membership to a VSAN, the port is removed from
its previous membership, since a port can only be part of one VSAN at a time.
The VSAN has now been created and appears in Fabric Manager. As shown in
Figure 6-37, the VSAN is down, since we have not yet assigned any ports to the
VSAN. Thus, there are no active ports in the VSAN.
2. Double-click the Port VSAN cell and change the VSAN ID to the ID of the
VSAN to which the port should be assigned, and subsequently click the
apply changes icon to save the changes, as shown in Figure 6-39.
Figure 6-39 Changing the VSAN ID for a port to assign it to the VSAN
4. When this is completed, list the ports in our VSAN, as shown in Figure 6-41,
and the VSAN is now up, since active ports are present in the VSAN.
Dynamic VSANs
Port VSAN membership on the switch is assigned on a port-by-port basis. By
default each port belongs to the default VSAN.
About DPVM
DPVM configurations are based on port world wide name (pWWN) and node
world wide name (nWWN) assignments. A DPVM database contains mapping
information for each device pWWN/nWWN assignment and the corresponding
VSAN. The Cisco SAN-OS and NX-OS software checks the database during a
device FLOGI and obtains the required VSAN details.
The pWWN identifies the host or device and the nWWN identifies a node
consisting of multiple devices. You can assign any one of these identifiers or any
combination of these identifiers to configure DPVM mapping. If you assign a
combination, then preference is given to the pWWN. DPVM uses the Cisco
Fabric Services (CFS) infrastructure to allow efficient database management and
distribution. DPVM uses the application-driven, coordinated distribution mode
and the fabric-wide distribution scope.
DPVM requirements
To use the DPVM feature as designed, be sure to verify the following
requirements:
The interface through which the dynamic device connects to the Cisco MDS
9000 family switch must be configured as an F port.
The static port VSAN of the F port should be valid (not isolated, not
suspended, and in existence).
The dynamic VSAN configured for the device in the DPVM database should
be valid (not isolated, not suspended, and in existence).
Note: The DPVM feature overrides any existing static port VSAN membership
configuration. If the VSAN corresponding to the dynamic port is deleted or
suspended, the port is shut down.
Enabling DPVM
To begin configuring the DPVM feature, you must explicitly enable DPVM on the
required switches in the fabric. By default, this feature is disabled in all switches
in the Cisco MDS 9000 family. The configuration and verification commands for
the DPVM feature are only available when DPVM is enabled on a switch. When
you disable this feature, all related configurations are automatically discarded.
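The DPVM behaviour described in this section (pWWN preferred over nWWN, F port and valid static VSAN required, the dynamic VSAN overriding the static one, port shut down when that VSAN is deleted or suspended, configuration discarded when the feature is disabled), as an added Python model that is not code from this book or from NX-OS; the WWNs, interface names and VSAN numbers are constructed.

```python
"""DPVM lookup model at FLOGI time. Added example; WWNs, interface names and
VSAN numbers are constructed."""
from typing import Dict, NamedTuple, Optional, Set

ISOLATED_VSAN = 4094


class Port(NamedTuple):
    name: str
    mode: str            # "F", "E", "TE", ...
    static_vsan: int     # port VSAN from the static configuration


class Flogi(NamedTuple):
    pwwn: str
    nwwn: str


class Placement(NamedTuple):
    vsan: Optional[int]  # VSAN the port ends up in; None means the port is shut down
    source: str          # "dpvm-pwwn", "dpvm-nwwn", "static" or "shut"


class Dpvm:
    """DPVM database: pWWN and nWWN to VSAN mappings, usable only when enabled."""

    def __init__(self) -> None:
        self.enabled = False            # disabled by default on every MDS switch
        self.by_pwwn: Dict[str, int] = {}
        self.by_nwwn: Dict[str, int] = {}

    def enable(self) -> None:
        self.enabled = True

    def disable(self) -> None:
        """Disabling the feature discards all related configuration."""
        self.enabled = False
        self.by_pwwn.clear()
        self.by_nwwn.clear()

    def map_pwwn(self, pwwn: str, vsan: int) -> None:
        if not self.enabled:
            raise RuntimeError("DPVM configuration commands need the feature enabled")
        self.by_pwwn[pwwn] = vsan

    def map_nwwn(self, nwwn: str, vsan: int) -> None:
        if not self.enabled:
            raise RuntimeError("DPVM configuration commands need the feature enabled")
        self.by_nwwn[nwwn] = vsan


def vsan_valid(vsan: int, existing: Set[int], suspended: Set[int]) -> bool:
    """In existence, not suspended and not the isolated VSAN."""
    return vsan in existing and vsan not in suspended and vsan != ISOLATED_VSAN


def place_port(port: Port, flogi: Flogi, dpvm: Dpvm,
               existing: Set[int], suspended: Set[int]) -> Placement:
    """DPVM applies only to F ports whose static VSAN is valid; a pWWN mapping
    wins over an nWWN mapping; a dynamic VSAN that is deleted or suspended shuts
    the port down rather than falling back to the static VSAN."""
    if (dpvm.enabled and port.mode == "F"
            and vsan_valid(port.static_vsan, existing, suspended)):
        if flogi.pwwn in dpvm.by_pwwn:
            dyn, src = dpvm.by_pwwn[flogi.pwwn], "dpvm-pwwn"
        elif flogi.nwwn in dpvm.by_nwwn:
            dyn, src = dpvm.by_nwwn[flogi.nwwn], "dpvm-nwwn"
        else:
            dyn, src = None, ""
        if dyn is not None:
            if vsan_valid(dyn, existing, suspended):
                return Placement(dyn, src)        # overrides the static port VSAN
            return Placement(None, "shut")
    return Placement(port.static_vsan, "static")


# Constructed sample state: three hosts, one F port in VSAN 1, VSANs 1/10/20/30.
EXISTING = {1, 10, 20, 30}
F_PORT = Port("fc1/20", "F", 1)
E_PORT = Port("fc1/21", "E", 1)
HOST_A = Flogi("21:00:00:e0:8b:aa:aa:aa", "20:00:00:e0:8b:aa:aa:aa")  # pWWN and nWWN mapped
HOST_B = Flogi("21:00:00:e0:8b:bb:bb:bb", "20:00:00:e0:8b:bb:bb:bb")  # only nWWN mapped
HOST_C = Flogi("21:00:00:e0:8b:cc:cc:cc", "20:00:00:e0:8b:cc:cc:cc")  # not in the database


def sample_dpvm() -> Dpvm:
    dp = Dpvm()
    dp.enable()
    dp.map_pwwn(HOST_A.pwwn, 20)
    dp.map_nwwn(HOST_A.nwwn, 30)
    dp.map_nwwn(HOST_B.nwwn, 30)
    return dp
```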
2. Select the switch that is required to be the master DPVM switch and click
Next, as shown in Figure 6-43.
6.1.8 Zoning
The Cisco MDS 9000 family zoning can be administrated from any switch in the
fabric, and all changes are automatically distributed to all of the switches.
The Cisco MDS 9000 family supports zoning by the following criteria:
World Wide Port Name (WWPN): The WWN of the Nx_Port (device) attached
to the switch.
Fabric Port WWN (fWWN): The WWN of the fabric port (port-based zoning).
FCID: The FCID of the N_Port attached to the switch.
FC alias: The alias used.
Domain ID: Where the domain ID is the domain ID of a switch.
To make zone management easier, the Cisco MDS 9000 family supports alias
names for practically all of the elements above.
The Cisco MDS 9000 family supports a default zone. All ports and WWNs not
assigned to any zone belong to the default zone. If zoning is not activated, all
devices belong to the default zone. You can control access between default zone
members by default zone policy. This is both a per-switch (defined at setup) and
a per-VSAN setting. The default is deny, but can be changed using the config
command zone default-zone permit. In Example 6-18 we set the default zone
policy to permit for VSAN20.
The Cisco MDS 9000 family supports both soft and hard zoning. The difference
between soft and hard zone enforcement is described below.
Soft zoning
In soft zoning, zoning restrictions are applied during the interaction between the
name server and the end device.
Hard zoning
In hard zoning, the zoning is enforced for each frame sent by an Nx_Port as the
frame enters the switch. This prevents any unauthorized access at all times. The
enforcement is done by the switch hardware at wire speed.
Alias
Alias members can be assigned to an alias based on FC ID, fabric port WWN, or
WWPN.
VSAN 20:
--------------------------------------------------------------------------
FCID        TYPE  PWWN                    (VENDOR)        FC4-TYPE:FEATURE
--------------------------------------------------------------------------
0x9c0001    N     50:05:07:68:01:30:1d:21 (IBM)           scsi-fcp:target
0x9c0003    N     50:05:07:68:01:30:1d:22 (IBM)           scsi-fcp:target
0x9c0004    N     50:05:07:68:01:10:1d:22 (IBM)           scsi-fcp:target
0x9c000e    N     50:05:07:68:01:10:1d:21 (IBM)           scsi-fcp:target
0x9c0100    N     21:00:00:e0:8b:05:4c:aa (Qlogic)        scsi-fcp:init
Zones
When creating a zone, we recommend zones based on aliases, and in the
following coding, we create a zone called SVC2_NODE1_FCS0_PALAU_FCS0
for PALAU to access SVC2_NODE1_FCS0. As shown in Example 6-20, we
create the zone and subsequently list defined zones.
For the zone to become active, we must then assign the zone to a zoneset and
activate the zoneset.
Zoneset
Whereas a zone is used to specify access control, confining the specified
members in a zone, zonesets are used to group zones and to enforce the access
control defined by each zone when the zoneset is activated.
To create a zoneset specify the name, VSAN, and members of the zoneset. In
Example 6-21 we create the zoneset ZonesetActive2 and add the zone
SVC2_NODE1_FCS0_PALAU_FCS0, and subsequently list the zoneset.
When working with zonesets, it is crucial to understand that while you can create
multiple zonesets (and zones can be members of multiple zonesets), only one
zoneset can be active at any given time (for each VSAN).
When creating a zoneset, the zoneset becomes part of the full zoneset, and
when activating a zoneset, a copy of the zoneset from the full zoneset is
activated and the member zones become active.
Although the active zoneset cannot be modified, we can modify the full zoneset,
and even a zoneset with the same name. However, modifications only take effect
when reactivated.
Alias
Alias members can be assigned to an alias based on FC ID, fabric port WWN, or
WWPN.
3. In the Create Alias window, name the alias and assign the WWPN (selected
from the drop-down menu) and click OK, as shown in Figure 6-48.
5. Name the new alias SVC3_NODE1_FCS0 and click OK to create the empty alias,
as shown in Figure 6-50.
8. Highlight the desired end device and click OK, as shown in Figure 6-53.
10. Finally, we list the defined aliases and verify that they are created as we
intended, as shown in Figure 6-55 and Figure 6-56 on page 222.
2. Name the new zone and apply specific properties for the zone such as Read
Only, QoS, and broadcast frame restrictions, as shown in Figure 6-58. We
name the zone SVC3_NODE1_FCS0_SIAM_FCS0 with default zone properties and
click OK.
5. Select the two newly created FC-Aliases to be members of the zone and click
OK, as shown in Figure 6-61.
You can create zones using the CLI, as shown in Example 6-24.
Zoneset
Whereas a zone is used to specify access control, confining the specified
members in a zone, zonesets are used to group zones and to enforce the access
control defined by each zone when the zoneset is activated.
To create a zoneset, specify the name, VSAN, and members of the zoneset. In
the following example we go through the steps to create the zoneset
ZonesetActive3 in VSAN 30 and add the zone
SVC3_NODE1_FCS0_SIAM_FCS0.
1. Right-click Zonesets and select Insert to create a new zoneset, as shown in
Figure 6-64.
At the next step, right-click the newly created zoneset ZonesetActive3 and
select Insert to define members for the zoneset, as shown in Figure 6-66.
You can create and configure zonesets using the CLI, as shown in Example 6-25.
1.
mds9222i-1# show zoneset vsan 10
zoneset name ActiveZoneset1 vsan 10
zone name SVC1_NODE1_FCS0_NILE_FCS0 vsan 10
fcalias name SVC1_NODE1_FCS0 vsan 10
pwwn 50:05:07:68:01:10:37:e5
2.
mds9222i-1# show zoneset active vsan 10
zoneset name ActiveZoneset1 vsan 10
zone name SVC1_NODE1_FCS0_NILE_FCS0 vsan 10
* fcid 0x0b000a [pwwn 50:05:07:68:01:10:37:e5]
* fcid 0x0b0100 [pwwn 21:00:00:e0:8b:89:2b:cd]
3.
mds9222i-1# configure terminal
mds9222i-1(config)# zone name SVC1_NODE2_FCS0_NILE_FCS0 vsan 10
mds9222i-1(config-zone)# member fcalias NILE_FCS0
mds9222i-1(config-zone)# member fcalias SVC1_NODE2_FCS0
Alias not present
mds9222i-1(config-zone)# exit
When comparing step 5 with step 7, notice that the newly created zone has
become a part of the active zoneset due to the reactivation of ZonesetActive1 in
step 7.
In Figure 6-72 a new zone has been dragged and dropped into the zoneset.
Figure 6-72 Dragging and dropping a new zone into the zoneset
Fabric Manager will prompt you to review the changes that have been
implemented, as shown in Figure 6-74 and Figure 6-75.
Verify the zoneset after reactivation and saving the configuration, as shown in
Figure 6-77.
Zone distribution
While all Cisco MDS 9000 family switches distribute the active zonesets when
new E_Port links (ISL) appear, or when a new zone is activated in a VSAN, the
full zoneset is not distributed automatically.
Config mode
The zoneset distribute VSAN command in config mode is used on a per-VSAN
basis to distribute the specified VSANs to all switches along with the active
zoneset.
To configure distribution of the full zoneset database of a VSAN along with the
active zoneset, use the config command zoneset distribute full, as shown in
Example 6-27.
EXEC mode
The zoneset distribute VSAN command in EXEC mode is used to perform a
one-time distribution of all inactive, unmodified zonesets to all switches in the
fabric.
To distribute the full zoneset database of a VSAN, use the command zoneset
distribute. As shown in Example 6-28, the full zoneset for VSAN 10 has been
distributed, and this is verified using the command show zone status, as shown
in Example 6-28.
Fabric Manager will prompt us to confirm zoneset distribution since this will
overwrite the current full zone configuration on all switches in VSAN 30, as
shown in Figure 6-79.
Note: When removing only a few zones from a zoneset, the full zoneset
database for the VSAN is only distributed across the fabric and is not saved to
the startup configuration on the other switches (regardless of whether you use
the CLI or GUI). Therefore, you subsequently must perform this task on the
other switches in the fabric.
For details on how to configure LUN masking, consult the MDS Cisco
Configuration Guide:
http://www.cisco.com/en/US/products/ps5989/products_installation_and_configuration_guides_list.html
Figure 6-82 Merge analysis for VSAN 1, VSAN10, VSAN20 and VSAN30
After successful merge analysis we are now ready to establish ISLs between the
two switches. In this case we will establish EISL links using TE ports.
Trunking and PortChannel features are available for both Fibre Channel and
gigabit Ethernet interfaces on the Cisco MDS 9000 family. Since the
configuration rules for these features are different, we describe both of them
separately.
6.2.4 FC PortChannel
The PortChannel feature can be used to aggregate up to 16 ISL or EISL links into
a single logical link. The Fibre Channel ports can be any Fibre Channel ports in
any 16-port Fibre Channel line card.
Since PortChannel can be built on EISL links, both trunking and PortChannel are
supported simultaneously.
mds9222i-2(config-if)# no shutdown
mds9222i-1(config-if)# no shutdown
Tip: Using the force option when adding a port to a PortChannel forces the
configuration of the ports in the PortChannel onto the added port to achieve
compatibility.
Fabric Manager will warn us that the process of converting ports into a
PortChannel may be disruptive, as shown in Figure 6-90.
Verify the PortChannel configuration and the status of the connection, as shown
in Figure 6-91.
To understand how IVR works, we first clarify the following IVR definitions:
Inter VSAN Zone (IVZ): A set of end devices that are allowed to communicate
across VSANs within their interconnected SAN fabric. This definition is based
on their port World Wide Names (pWWNs) and their native VSAN
associations. You can configure up to 200 IVZs and 2,000 IVZ members on
any switch in the Cisco MDS 9000 family.
Inter VSAN zonesets (IVZS): One or more IVZs make up an IVZS. You can
configure up to 32 IVZSs on any switch in the Cisco MDS 9000 family. Only
one IVZS can be active at any time.
Inter VSAN Path (IVR Path): An IVR path is a set of switches and Inter-Switch
Links through which a frame from one end device in one VSAN can reach
another end device in some other VSAN. Multiple paths can exist between
two such end devices.
Edge and Transit VSANs: A VSAN that initiates (source edge-VSAN) or
terminates (destination edge-VSAN) an IVR path. Edge VSANs might be
adjacent to each other or they might be connected by one or more transit
VSANs.
Note: Unique domain IDs are not a requirement when using IVR-NAT. A
common domain ID (10, for example) could be in VSAN 5 and VSAN 6 and
you could still route between devices in these VSANs attached to the
switches with domain ID 10.
The first step is to locate the IVR Wizard. This is the same wizard that we use for
normal zoning operations, and is found by starting with the Fabric Manager IVR
Wizard icon, as seen in Figure 6-92.
As we want to use IVR NAT, we select the IVR NAT option, as shown in
Figure 6-93.
We continue setting up our IVR by proceeding to the next panel, where we have
to move the VSANs that we are working with to the appropriate window, as seen
in Figure 6-95.
Note: Cisco MDS SAN-OS Release 2.1(1a) introduced IVR NAT, which allows
you to set up IVR in a fabric without requiring unique domain IDs on every
switch in the IVR path. When IVR NAT is enabled, the virtualized end device
that appears in the native VSAN uses a virtual domain ID that is unique to the
native VSAN.
Now we can review our actions and the progress, as seen in Figure 6-99.
Example 6-31 IVR zone and zoneset configuration from the CLI
mds9222i-2# show flogi database
--------------------------------------------------------------------------------
INTERFACE  VSAN  FCID      PORT NAME                NODE NAME
--------------------------------------------------------------------------------
fc1/5      20    0x15000e  50:05:07:68:01:20:1d:22  50:05:07:68:01:00:1d:22
fc1/6      20    0x150003  50:05:07:68:01:40:1d:22  50:05:07:68:01:00:1d:22
fc1/7      20    0x150000  50:05:07:68:01:20:1d:21  50:05:07:68:01:00:1d:21
fc1/8      20    0x150001  50:05:07:68:01:40:1d:21  50:05:07:68:01:00:1d:21
fc1/9      30    0x1f0006  50:05:07:68:01:20:1d:1c  50:05:07:68:01:00:1d:1c
fc1/10     30    0x1f000a  50:05:07:68:01:40:1d:1c  50:05:07:68:01:00:1d:1c
fc1/11     30    0x1f0001  50:05:07:68:01:20:27:e2  50:05:07:68:01:00:27:e2
fc1/14     20    0x150100  21:00:00:e0:8b:89:b8:c0  20:00:00:e0:8b:89:b8:c0
fc1/15     50    0x6e0000  21:00:00:e0:8b:05:41:bc  20:00:00:e0:8b:05:41:bc
                           [Diomede_1]
fc1/16     20    0x150200  21:00:00:e0:8b:89:c1:cd  20:00:00:e0:8b:89:c1:cd
fc1/17     10    0x0b0100  21:00:00:e0:8b:18:d4:8f  20:00:00:e0:8b:18:d4:8f
fc2/2      20    0x150300  20:05:00:a0:b8:17:44:33  20:04:00:a0:b8:17:44:31
                           [Nile_1]
fc1/15     20    0x140400  21:00:00:e0:8b:05:48:bc  20:00:00:e0:8b:05:48:bc
fc1/16     20    0x140200  21:00:00:e0:8b:05:4c:aa  20:00:00:e0:8b:05:4c:aa
                           [Palau_1]
fc1/17     50    0x640000  21:00:00:e0:8b:18:ff:8a  20:00:00:e0:8b:18:ff:8a
fc2/2      20    0x140300  20:04:00:a0:b8:17:44:32  20:04:00:a0:b8:17:44:31
fc2/17     20    0x140000  50:03:08:c1:40:46:70:06  50:03:08:c1:40:06:70:06

mds9222i-2# show ivr zoneset
zoneset name IVR_Zoneset_SVC
  zone name IvrZone_SIAM_SVC_1
    pwwn 50:05:07:68:01:10:37:dc vsan 10 autonomous-fabric-id 1
    pwwn 50:05:07:68:01:10:37:e5 vsan 10 autonomous-fabric-id 1
    pwwn 21:00:00:e0:8b:18:ff:8a vsan 30 autonomous-fabric-id 1
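An IVR zone only routes what it says it routes: a member is identified by pWWN plus native VSAN, so a pWWN that is logged in on a different VSAN than the zone declares simply never matches. The following is an added example, not code from the Redbook or from Cisco, that cross-checks the text of show flogi database against show ivr zoneset and reports members that are not logged in or are logged in on the wrong VSAN. The sample output is constructed in the shape of Example 6-31; in it the HBA pWWN is declared in VSAN 30 but logged in on VSAN 50, which is the kind of mismatch the check reports.

```python
"""Cross-check IVR zone members against the FLOGI database.

Added example; it is not code from the Redbook or from Cisco. It parses
the text of 'show flogi database' and 'show ivr zoneset' and reports
zone members whose pWWN is not logged in, or is logged in on a VSAN
other than the one the zone declares. The sample output is constructed.
"""
import re

WWN = r"(?:[0-9a-f]{2}:){7}[0-9a-f]{2}"
FLOGI_RE = re.compile(rf"^(\S+)\s+(\d+)\s+(0x[0-9a-f]{{6}})\s+({WWN})\s+({WWN})", re.I)
ZONE_RE = re.compile(r"^\s*zone name\s+(\S+)")
MEMBER_RE = re.compile(rf"^\s*pwwn\s+({WWN})\s+vsan\s+(\d+)", re.I)

# Constructed 'show flogi database' text: two SVC ports in VSAN 10 and one
# HBA that is logged in on VSAN 50.
FLOGI_DB = """\
INTERFACE  VSAN  FCID      PORT NAME                NODE NAME
fc1/1      10    0x0b0000  50:05:07:68:01:10:37:dc  50:05:07:68:01:00:37:dc
fc1/3      10    0x0b0001  50:05:07:68:01:10:37:e5  50:05:07:68:01:00:37:e5
fc1/17     50    0x640000  21:00:00:e0:8b:18:ff:8a  20:00:00:e0:8b:18:ff:8a
                           [Palau_1]
"""

# Constructed 'show ivr zoneset' text: the HBA is declared in VSAN 30.
IVR_ZONESET = """\
zoneset name IVR_Zoneset_SVC
  zone name IvrZone_SIAM_SVC_1
    pwwn 50:05:07:68:01:10:37:dc vsan 10 autonomous-fabric-id 1
    pwwn 50:05:07:68:01:10:37:e5 vsan 10 autonomous-fabric-id 1
    pwwn 21:00:00:e0:8b:18:ff:8a vsan 30 autonomous-fabric-id 1
"""


def parse_flogi(text):
    """Map pWWN -> (interface, vsan, fcid) for every FLOGI row."""
    logins = {}
    for line in text.splitlines():
        m = FLOGI_RE.match(line.strip())
        if m:
            iface, vsan, fcid, pwwn, _node = m.groups()
            logins[pwwn.lower()] = (iface, int(vsan), fcid.lower())
    return logins


def parse_ivr_zoneset(text):
    """Map zone name -> list of (pwwn, declared vsan)."""
    zones, current = {}, None
    for line in text.splitlines():
        z = ZONE_RE.match(line)
        if z:
            current = z.group(1)
            zones[current] = []
            continue
        m = MEMBER_RE.match(line)
        if m and current is not None:
            zones[current].append((m.group(1).lower(), int(m.group(2))))
    return zones


def check_ivr_members(zones, logins):
    """Return (zone, pwwn, declared_vsan, problem) for each inconsistency."""
    findings = []
    for zone, members in zones.items():
        if len({v for _, v in members}) < 2:
            findings.append((zone, None, None,
                             "members are all in one VSAN; IVR has nothing to route"))
        for pwwn, vsan in members:
            login = logins.get(pwwn)
            if login is None:
                findings.append((zone, pwwn, vsan, "pWWN is not logged in to the fabric"))
            elif login[1] != vsan:
                findings.append((zone, pwwn, vsan,
                                 f"logged in on VSAN {login[1]} via {login[0]}, not VSAN {vsan}"))
    return findings


def report(flogi_text=FLOGI_DB, zoneset_text=IVR_ZONESET):
    """Run both parsers and the check over the supplied command output."""
    return check_ivr_members(parse_ivr_zoneset(zoneset_text), parse_flogi(flogi_text))


if __name__ == "__main__":
    for finding in report():
        print(*finding)
```

Feed it the real output of the two commands from the switch that holds the active IVR zoneset; members that are logged in on another switch in the same VSAN will show as "not logged in" unless you concatenate the FLOGI databases of all switches first.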
Typically, Fibre Channel networks are deployed using a core-edge model with a
large number of fabric switches connected to edge devices. Such a model is
cost-effective because the per-port cost for director class switches is much
higher than that of fabric switches. However, as the number of ports in the fabric
increases, the number of switches deployed also increases, and you can end up
with a dramatic increase in the number of domain IDs (the maximum number
supported is 239). This challenge becomes even more difficult when additional
blade chassis are deployed in Fibre Channel networks.
NPV addresses the increase in the number of domain IDs needed to deploy a
large number of the ports by making a fabric or blade switch appear as a host to
the core Fibre Channel switch, and as a Fibre Channel switch to the servers in
the fabric or blade switch. NPV aggregates multiple locally connected N-ports
into one or more external NP links, thereby sharing the domain ID of the NPV
core switch among multiple NPV switches. NPV also allows multiple devices to
attach to the same port on the NPV core switch, thereby reducing the need for
more ports on the core.
The NP ports can be considered as passthru ports. If you add more NP ports
after a configuration has been running you must disable/enable all F ports or NP
ports on the edge switch in order to load balance over all the NP ports.
6.4.2 Enable or disable NPV via the CLI on supported edge switches
Using the CLI, at the prompt enter these commands:
1. Enter config t to get into config mode.
2. Enter npv enable to put the switch into NPV mode, or no npv enable to
take it out of NPV mode.
3. End config mode by entering the command end.
Note: Switching NPV mode on or off erases the switch configuration and
reloads the switch, so save anything you still need before you do it.
6.4.3 Enable or disable NPIV via the CLI on supported core switches
The core switch does not run NPV itself. It must accept multiple fabric
logins on the F port that faces the NPV edge switch, which is NPIV. Using the
CLI, at the prompt enter these commands:
1. Enter config t to get into config mode.
2. Enter npiv enable to enable NPIV, or no npiv enable to disable it.
3. End config mode by entering the command end.
Chapter 7. IP services
FCIP provides the capability to extend a SAN over existing IP networks. For short
distances, SANs can be extended using traditional FC ISLs and multimode fiber.
For longer distances, extend SANs using single-mode fiber with Coarse Wave
Division Multiplexing (CWDM) or Dense Wave Division Multiplexing (DWDM)
equipment. FCIP provides a third alternative for extending SANs over IP
networks where IP is the most viable transport option, either due to cost or
distance.
When implementing any MDS 9000 family IP services module (as well as the
MDS 9216i and MDS 9222i), the traffic can be routed between any IP storage
port and any other port on the MDS 9000 family switches in the fabric. It is
configurable on a per-port basis, providing either Fibre Channel over IP (FCIP) or
iSCSI on the defined port.
To enable FCIP in a MDS switch equipped with the IP module you need a SAN
Extension over IP package license. This package is licensed on a per-module
basis. The number of licenses is equal to the number of IP Storage Services and
Multiprotocol Services modules in a switch.
Note: For SAN-OS 2.0 and later, the SAN Extension licence also includes:
IVR
Tape acceleration
The 9216i and 9222i are shipped with the required licences for FCIP. The
included licence is SAN Extension over IP package for integrated IP ports and
includes all of the protocols that are in the SAN_EXTN_OVER_IP licence.
The licenses are, however, needed on a per-module basis. For example, if you
have two 18/4-port MSM modules running FCIP in a switch, you need two
SAN_EXTN_OVER_IP licenses. If you added an 18/4-port MSM module to your
MDS9216i or 9222i, you still need the SAN_EXTN_OVER_IP license for that
module.
FCIP and VE_Ports describe the internal model of FCIP with respect to Fibre
Channel Inter-Switch Links (ISLs) and Cisco's enhanced ISLs (EISLs).
FCIP links consist of one or more TCP connections between two FCIP link end
points. Each link carries encapsulated Fibre Channel frames. When the FCIP link
comes up, the VE_Ports at both ends of the FCIP link create a virtual Fibre
Channel (E)ISL and initiate the E_Port protocol to bring up the (E)ISL. By default,
the FCIP feature on any Cisco MDS 9000 family switch creates two TCP
connections for each FCIP link.
One connection is used for data frames.
The second connection is used only for Fibre Channel control frames, that is,
switch-to-switch protocol frames (all Class F) frames. This arrangement is
used to provide low latency for all control frames.
To enable FCIP on the IPS module, an FCIP profile and FCIP interface (interface
FCIP) must be configured. The FCIP link is established between two peers. The
VE_Port initialization behavior is identical to a normal E_Port. This behavior is
independent of the link being FCIP or pure Fibre Channel, and is based on the
E_Port discovery process (ELP, ESC). When the FCIP link is established, the
VE_Port behavior is identical to E_Port behavior for all inter-switch
communication (including domain management, zones, and VSANs). At the
Fibre Channel layer, all VE and E_Port operations are identical.
The FCIP profile’s local IP address determines the Gigabit Ethernet port where
the FCIP links terminate.
The FCIP interface is the local endpoint of the FCIP link and a VE_Port interface.
All the FCIP and E_Port parameters are configured in context with the FCIP
interface.
The FCIP profile determines which Gigabit Ethernet port initiates the FCIP links
and defines the TCP connection behavior.
The FCIP parameters consist of the following data:
Peer information
Number of TCP connections for the FCIP link
E_Port parameters: Trunking mode and trunk-allowed VSAN list
7.2.1 Configuring FCIP using the CLI
Setting up FCIP is a step-by-step process, and in the following sections we
perform each of the following steps to set up FCIP using the CLI:
1. Enable FCIP.
2. Configure the GigE interface.
3. Create an FCIP profile and assign the GigE interface IP address.
4. Create an FCIP interface and assign the FCIP profile.
5. Configure the peer IP address for the FCIP interface.
6. Enable the FCIP interface.
Note: Prior to setting up FCIP we must enable the FCIP feature on the
switches, as it is disabled by default on all switches.
When enabling FCIP there is a check to see whether you have a current
SAN_EXTN_OVER_IP license installed. The 9222i and 9216i have this
licence pre-installed for their integrated IP services module.
mds9222i-1# config t
Enter configuration commands, one per line. End with CNTL/Z.
mds9222i-1(config)# interface fcip 2
mds9222i-1(config-if)# use-profile 1
mds9222i-1(config-if)# peer-info ipaddr 10.1.1.2
mds9222i-1(config-if)# no shutdown
mds9222i-2# config t
Enter configuration commands, one per line. End with CNTL/Z.
mds9222i-2(config)# interface fcip 2
mds9222i-2(config-if)# use-profile 1
mds9222i-2(config-if)# peer-info ipaddr 10.1.1.1
mds9222i-2(config-if)# no shutdown
Each side's peer address is the GigE address bound to the other side's FCIP
profile: mds9222i-1 (10.1.1.1 on gigE1/1) points at 10.1.1.2, and mds9222i-2
points back at 10.1.1.1. If both sides name the same address, the link stays
down.
Tip: Before starting the FCIP tunnel wizard, ensure that you select SAN in the
Logical Domains pane on the left side of FM, as shown in Figure 7-5 on
page 277. This enables you to select your switches from the drop-down
menus in the wizard. Also, ensure that you have the physical gigE interfaces
cabled to your LAN.
3. If IPsec is to be used, check the Enforce IPSEC Security check box and
set the IKE Auth Key. For further information refer to the Configuring
IPsec Network Security chapter in the Cisco MDS 9000 Family Fabric
Manager Configuration Guide, Release MDS NX-OS 4.1(x).
4. In this panel you can check the Use Large MTU Size (Jumbo Frames) option
to use jumbo frames with an MTU of 2300. Since a Fibre Channel frame carries
up to 2112 bytes of payload, which with its header and the FCIP, TCP and IP
encapsulation does not fit in a 1500-byte Ethernet frame, we recommend that
you use this option. If you leave the box unchecked the FCIP Wizard does not
set the MTU size, and the default value of 1500 remains in effect.
5. Click Next. In this example, we connect interface gigE1/1 on mds9222i-1 to
the interface gigE2/1 on mds9222i-2 by clicking the ports.
Note: In Cisco MDS 9000 NX-OS, Release 4.1(1), by default the Use
Large MTU Size (Jumbo Frames) option is not selected.
8. On this frame we can also check the Write Acceleration check box to enable
FCIP write acceleration, as well as check the Enable Optimum Compression
check box to enable IP compression on this FCIP link. Take note of the
Measure button, as we refer to it later.
Important: Although we leave the default settings in this example, in a
production link do not leave the min, max, and RTT at their defaults. You
must configure real values, and ensure that the min is greater than 1/20 of
the max.
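The six CLI steps in 7.2.1, the jumbo-frame MTU choice in step 4 of the wizard and the min/max bandwidth rule in the Important note above all come together when a link is planned. The following is an added example, not code from the Redbook or from Cisco: it renders the configuration for both peers from one description of the link and checks the three constraints. Assumptions: the CLI forms fcip enable, ip address with a dotted mask on the GigE interface, switchport mtu and peer-info ipaddr are the SAN-OS/NX-OS syntax as we understand it; the header sizes used for the MTU check (2148-byte FC frame, 28-byte FCIP encapsulation, 20-byte TCP and IPv4 headers) are stated in the code; the addresses are the ones used in this chapter.

```python
"""Plan and sanity-check an FCIP link between two MDS switches.

Added example, not from the Redbook or from Cisco. It renders the
six-step CLI for both peers and checks that the peer-info addresses
point at each other, that the GigE MTU carries a full Fibre Channel
frame, and that TCP min bandwidth exceeds 1/20 of the max.
"""
import re
from dataclasses import dataclass

# Assumed sizes (bytes): a full FC frame is 2112 bytes of payload plus a
# 24-byte header, 4-byte CRC and 8 bytes of SOF/EOF; the FCIP encapsulation
# header (RFC 3643) is 28 bytes; TCP and IPv4 headers are 20 bytes each.
FC_MAX_FRAME = 2112 + 24 + 4 + 8      # 2148
FCIP_ENCAP, TCP_HDR, IPV4_HDR = 28, 20, 20


@dataclass
class FcipEnd:
    hostname: str
    gige: str       # GigE interface, e.g. "1/1"
    ip: str         # GigE address, e.g. "10.1.1.1"
    mask: str       # GigE mask, e.g. "255.255.255.0"
    fcip_if: int    # FCIP interface number
    profile: int    # FCIP profile number


def required_mtu(extra_overhead: int = 0) -> int:
    """Smallest GigE MTU that carries a full FC frame in one TCP segment.

    extra_overhead covers anything else on the path, such as IPsec ESP.
    """
    return FC_MAX_FRAME + FCIP_ENCAP + TCP_HDR + IPV4_HDR + extra_overhead


def check_tcp_bandwidth(min_kbps: int, max_kbps: int) -> list:
    """Chapter rule: real values, and min greater than max/20."""
    problems = []
    if min_kbps <= 0 or max_kbps <= 0:
        problems.append("min and max bandwidth must be real, non-zero values")
    elif min_kbps > max_kbps:
        problems.append("min bandwidth exceeds max bandwidth")
    elif min_kbps <= max_kbps / 20:
        problems.append(f"min {min_kbps} kbps is not greater than max/20 "
                        f"({max_kbps / 20:.0f} kbps)")
    return problems


def render_config(local: FcipEnd, peer: FcipEnd, mtu: int) -> str:
    """CLI for one side, in the order of steps 1 to 6 (syntax is assumed)."""
    lines = [
        f"{local.hostname}# config t",
        "fcip enable",                                    # 1. enable FCIP
        f"interface gigabitethernet {local.gige}",        # 2. GigE interface
        f"  ip address {local.ip} {local.mask}",
        f"  switchport mtu {mtu}",
        "  no shutdown",
        f"fcip profile {local.profile}",                  # 3. profile bound to local IP
        f"  ip address {local.ip}",
        f"interface fcip {local.fcip_if}",                # 4. FCIP interface
        f"  use-profile {local.profile}",
        f"  peer-info ipaddr {peer.ip}",                  # 5. peer address
        "  no shutdown",                                  # 6. bring the link up
        "end",
    ]
    return "\n".join(lines)


PROFILE_IP = re.compile(r"^fcip profile \d+\n\s*ip address (\S+)", re.M)
PEER_IP = re.compile(r"peer-info ipaddr (\S+)")


def check_peering(cfg_a: str, cfg_b: str) -> list:
    """Each side's peer-info must equal the other side's profile address."""
    found = [PROFILE_IP.search(cfg_a), PEER_IP.search(cfg_a),
             PROFILE_IP.search(cfg_b), PEER_IP.search(cfg_b)]
    if not all(found):
        return ["profile address or peer-info missing on one side"]
    a_local, a_peer, b_local, b_peer = (m.group(1) for m in found)
    problems = []
    if a_peer != b_local:
        problems.append(f"side A peers with {a_peer} but side B listens on {b_local}")
    if b_peer != a_local:
        problems.append(f"side B peers with {b_peer} but side A listens on {a_local}")
    return problems


# Constructed link using the chapter's addressing: gigE1/1 on mds9222i-1
# (10.1.1.1) to gigE2/1 on mds9222i-2 (10.1.1.2), FCIP interface 2, profile 1.
SIDE_A = FcipEnd("mds9222i-1", "1/1", "10.1.1.1", "255.255.255.0", 2, 1)
SIDE_B = FcipEnd("mds9222i-2", "2/1", "10.1.1.2", "255.255.255.0", 2, 1)


def plan_link(a=SIDE_A, b=SIDE_B, mtu=2300, min_kbps=500000, max_kbps=1000000):
    """Render both sides and collect any problems found."""
    cfg_a, cfg_b = render_config(a, b, mtu), render_config(b, a, mtu)
    problems = check_peering(cfg_a, cfg_b) + check_tcp_bandwidth(min_kbps, max_kbps)
    if mtu < required_mtu():
        problems.append(f"MTU {mtu} below {required_mtu()} needed for a full FC frame")
    return cfg_a, cfg_b, problems


if __name__ == "__main__":
    cfg_a, cfg_b, problems = plan_link()
    print(cfg_a, cfg_b, sep="\n\n")
    print("problems:", problems or "none")
```

check_peering can also be pointed at two existing running configurations, which is how a copy-and-paste slip that leaves both sides pointing at the same address gets caught before the link is brought up.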
Example 7-6 shows an example of the ping procedure and the results.
Figure 7-10 shows an example using the Measure button (see Figure 7-9 on
page 281 for the Measure button).
Table 7-1 explains the trunk behavior based on individual switch trunk
configurations.
Table 7-1 Trunk behavior
Switch 1 trunk mode   Switch 2 trunk mode   Resulting trunk state
On                    On                    On
Off                   On                    Off
Auto                  On                    On
If FCIP has not previously been enabled then the FM wizard asks for
confirmation to enable FCIP on the switches that are not enabled, as shown in
Figure 7-13.
The following characteristics set Fibre Channel PortChannel solutions apart from
other solutions:
The entire bundle is one logical (E)ISL link.
All FCIP links in the PortChannel should be across the same two switches.
The Fibre Channel traffic is load balanced across the FCIP links in the
PortChannel.
You can set up IPsec for your link in this panel and set your Ethernet frame size.
We select the default VSAN for this interface and configure the trunking behavior
for trunk and click Finish.
Note: The maximum number of Fibre Channel ports that can be put into a
Fibre Channel PortChannel is 16.
Note: Allow sufficient time after creating FCIP tunnel links before creating
a channel so that Fabric Manager can discover all the new links. You can
press Ctrl+R in FM to manually force a rediscovery of the fabric.
Tip: Select the Dynamically form Port Channel Group from selected
ISLs check box if you want to dynamically create the PortChannel and
make the ISL properties identical for the admin, trunk, speed, and VSAN
attributes.
5. In the pop-up shown in Figure 7-25 we confirm that we want to create the
PortChannel.
The IBM storage and SVC interoperability sites are useful references for
ensuring that you have a supported configuration:
http://www-03.ibm.com/systems/support/storage/config/ssic/displayesssearchwithoutjs.wss?start_over=yes
http://www-03.ibm.com/systems/storage/software/virtualization/svc/interop.html
Also check the Cisco Interoperability site for compatibility:
http://www.cisco.com/en/US/docs/storage/san_switches/mds9000/interoperability/matrix/Matrix.pdf
Licences
Depending on which module is installed, we need to activate this on a
module-by-module basis:
SAN extension over IP package for IPS-8 modules (SAN_EXTN_OVER_IP)
SAN extension over IP package for IPS-4 modules
(SAN_EXTN_OVER_IP_IPS4)
SAN extension over IP package for MPS-14/2 modules
(SAN_EXTN_OVER_IP_IPS2)
Important: If the licence is not installed, you will have a grace period of 120
days to purchase and install the licence.
We go to the iSCSI feature and click Enable in the drop-down menu, as shown in
Figure 7-29. Then we click Apply at the lower end of the Feature Control panel.
First we check to see whether iSCSI is already enabled by displaying the iSCSI
port that we are going to use. In Example 7-8 we use iSCSI interface iSCSI 1/4.
We can see that this interface does not exist. If the port does exist then iSCSI is
already enabled on this module.
If it is not already enabled, we need to enable our module for iSCSI and then
perform the same command as before to make sure that it is ready
(Example 7-9).
4. Enter the IP address in the fields provided (Figure 7-33). The format is IP
Address/Netmask.
6. Select the check box Admin up and apply our changes (Figure 7-35).
It is a good idea to check whether the interface has come up. If you want to be
sure that it is working, you can ping the server where you installed the
initiator, as shown in Example 7-10.
Example 7-10 ping to our iSCSI initiator
mds9222i-1# ping 10.43.86.10
PING 10.43.86.10 (10.43.86.10) 56(84) bytes of data.
7. Select the iSCSI tab. On this tab we select the Admin up check box, VSAN
200, passThrough, and ipaddress options, as shown in Figure 7-36.
8. The Device Manager panel (Figure 7-37) shows that interface 4 in the MSM
module is up (shows as green) and that iSCSI is enabled in this interface
(small mark inside the interface).
Our Windows 2003 server used for this example, Senegal, has 10.43.86.10
configured as its interface that is connected to the storage LAN network.
VSAN200 is the VSAN where we have our SVC ports.
At this point our initiators and targets are created. We are ready to zone targets
and initiators as we do for FC. After zoning, we must load the client portion of the
code into the server and configure it before we are able to map disks from the
SVC to the server.
As such, it is inappropriate for the SVC to present the VDisk at multiple ports in
the Fibre Channel SAN, and to prevent this the user must select a single SVC
port in each SVC I/O group that is to be associated with each iSCSI host. Zoning
is then applied in the MDS switch so that each iSCSI host can see only one SVC
port in each SVC I/O group. If multiple iSCSI hosts are in use, the hosts should
be evenly spread across the ports in each SVC I/O group. The SVC svctask
mkvdiskhostmap command should then be used to ensure that each SVC VDisk
is mapped to a single NIC in the server.
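The rule above is easy to break as hosts are added: a zone that includes a second SVC port in the same I/O group, or a host that is left without a port in one I/O group, is not flagged by the switch. The following is an added example, not code from the Redbook, IBM or Cisco, that checks a zone database against the rule and reports how evenly hosts are spread over the ports of each I/O group. The SVC port inventory, the host pWWNs and the zones are constructed (the port WWN style follows the chapter's SVC WWNs); in a real fabric you would build the same dictionaries from the active zoneset and the SVC node and port listing.

```python
"""Check iSCSI-host zoning against the SVC rule stated above.

Added example, not code from the Redbook, IBM or Cisco. Each iSCSI host
must be zoned to exactly one SVC port in each SVC I/O group, and hosts
should be spread evenly over the ports of each I/O group. All inputs
below are constructed.
"""
from collections import Counter, defaultdict

# Constructed SVC port inventory: pWWN -> I/O group.
SVC_PORTS = {
    "50:05:07:68:01:10:37:dc": 0, "50:05:07:68:01:20:37:dc": 0,
    "50:05:07:68:01:10:37:e5": 0, "50:05:07:68:01:20:37:e5": 0,
    "50:05:07:68:01:10:1d:21": 1, "50:05:07:68:01:20:1d:21": 1,
    "50:05:07:68:01:10:1d:22": 1, "50:05:07:68:01:20:1d:22": 1,
}
# Constructed iSCSI hosts: the pWWN the MDS presents for each initiator.
ISCSI_HOSTS = {
    "10:00:00:00:c9:00:00:01": "Senegal",
    "10:00:00:00:c9:00:00:02": "Tanzania",
    "10:00:00:00:c9:00:00:03": "Kenya",
}
# Constructed zones: zone name -> members. Senegal follows the rule,
# Tanzania sees two ports in I/O group 0, Kenya sees none in I/O group 1.
ZONES = {
    "Senegal_SVC": {"10:00:00:00:c9:00:00:01", "50:05:07:68:01:10:37:dc",
                    "50:05:07:68:01:10:1d:21"},
    "Tanzania_SVC": {"10:00:00:00:c9:00:00:02", "50:05:07:68:01:10:37:dc",
                     "50:05:07:68:01:20:37:dc", "50:05:07:68:01:10:1d:22"},
    "Kenya_SVC": {"10:00:00:00:c9:00:00:03", "50:05:07:68:01:10:37:e5"},
}


def svc_ports_seen(zones, hosts, svc_ports):
    """host name -> {io_group -> set of SVC ports} across all its zones."""
    seen = defaultdict(lambda: defaultdict(set))
    for members in zones.values():
        for member in members:
            if member not in hosts:
                continue
            for other in members:
                if other in svc_ports:
                    seen[hosts[member]][svc_ports[other]].add(other)
    return seen


def check_one_port_per_io_group(seen, svc_ports):
    """(host, io_group, ports_seen) for every pair where the count is not 1."""
    violations = []
    for host, per_group in seen.items():
        for group in sorted(set(svc_ports.values())):
            count = len(per_group.get(group, ()))
            if count != 1:
                violations.append((host, group, count))
    return violations


def port_load(seen):
    """Number of iSCSI hosts each SVC port serves."""
    return Counter(p for per_group in seen.values()
                   for ports in per_group.values() for p in ports)


def spread_imbalance(seen, svc_ports):
    """Per I/O group, busiest port minus idlest port; 0 or 1 is evenly spread."""
    load = port_load(seen)
    result = {}
    for group in set(svc_ports.values()):
        counts = [load[p] for p, g in svc_ports.items() if g == group]
        result[group] = max(counts) - min(counts)
    return result


if __name__ == "__main__":
    seen = svc_ports_seen(ZONES, ISCSI_HOSTS, SVC_PORTS)
    for host, group, count in check_one_port_per_io_group(seen, SVC_PORTS):
        print(f"violation: host {host} sees {count} SVC port(s) in I/O group {group}")
    print("imbalance per I/O group:", spread_imbalance(seen, SVC_PORTS))
```

Run the single-port check before activating a new zoneset, and look at the imbalance figure when you pick the SVC port for the next host: the port with the lowest load in each I/O group is the one to zone it to.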
In our example we configured the SVC and the DS4500 into a zone called
SVC_BACKEND. We now configure the host to SVC using the wizard.
At this point we are ready to load the client code and initiator into the server.
Once we have the code loaded and we have the initiator driver configured, we
can assign volumes from the SVC to the server.
The Microsoft iSCSI Software Initiator supported hardware list is found at:
http://www.microsoft.com/windowsserver2003/technologies/storage/iscsi/default.mspx
Note: At the time of this writing, Microsoft iSCSI Software Initiator Version
2.07 was released, but we used Microsoft iSCSI Software Initiator Version
1.06 for our implementation due to its compatibility with IBM SVC 4.3.0.
Notice: Microsoft product images are reprinted with permission from Microsoft
Corporation.
Figure 7-52 Microsoft iSCSI Software Initiator Version 1.06 Web page
Figure 7-53 Microsoft iSCSI Software Initiator Version 1.06 download Web page
To install the iSCSI Initiator package, we run the appropriate MSI installer
package by double-clicking the file icon (Figure 7-54) from an Explorer window.
You must be logged in as an administrator to install the Microsoft iSCSI Software
Initiator package.
From there:
1. Choose the install location. We use the default value, as shown in
Figure 7-56. This operation is conducted by the superuser (in this case,
administrator). We do not want anyone else to have access to this software,
so we leave Just me checked and select Next.
2. After reading the software license agreement, check the I agree box and then
click Next, as shown in Figure 7-58.
4. The End User License Agreement (EULA) appears. After reading it, click
Agree (Figure 7-60).
Figure 7-62 shows a panel that contains information about how to solve a
possible installation problem.
Note: Before proceeding, make sure that you have the iSCSI target
gateway IP address and your host zoned to the targets.
3. Once the Target Portal is established, click Refresh under the Available
Targets tab. After a short period of time, all the available iSCSI targets are
listed. Highlight the target and click Log on, as shown in Figure 7-67.
5. Repeat the same process for each target. The final result is shown in
Figure 7-69.
Figure 8-1 Start Switch Health Analysis from the Fabric Manager Tools menu
When performing health analysis you can change the default configuration of
health analysis by selecting the following options, and as shown in Figure 8-3:
Ignore Interface Link Failures.
Ignore vsanMatchIsolation Trunk Failures.
An in-depth switch health analysis using Fabric Manager will verify the status of
all critical Cisco MDS switches, modules, ports, and Fibre Channel services.
Over 40 conditions are checked. This tool provides a very fast, simple, and
thorough way to assess Cisco MDS switch health.
Note: We strongly recommend that you conduct zone merge analysis before
merging or connecting two or more switches and initiating the zone merge
process. This tool allows us to avoid problems caused by, for example,
duplicate zone names, duplicate aliases, zone membership conflicts, and so
on.
We will perform analysis of all switches, and as our policy switch we choose the
mds9222i-2 switch.
Figure 8-9 shows that you might be able to resolve some of the errors (indicated
by the check mark). Click the Resolve Issues button to attempt to solve the
selected problems.
Figure 8-13 Select End-to-End Connectivity analysis from Fabric Manager menu
8.1.5 FC Ping
Fabric Manager also provides an FC Ping tool that allows you to check
connectivity to end devices. The ping consists of a Port Login (PLOGI), followed
by an ECHO extended link service command sourced with the switch FCID
FF.FC.XX, where XX is the domain ID of the switch for that VSAN.
As shown in Figure 8-17, you are prompted to select a source mds switch, a
VSAN to use, and a target device to ping it.
When all the required information is provided you can start FC ping, as shown in
Figure 8-19. In this case the FC ping was successful.
As you see in Figure 8-22, our traceroute test has completed successfully and
we have obtained the possible routes to the specified target.
You can issue a show tech support command from Fabric Manager for one or
more switches in a fabric. The results of each command are written to a text file,
one file per switch, in a directory that you specify. You can then view these files
using Fabric Manager.
You can also save the Fabric Manager map as a JPG file. The file is saved with
the name of the seed switch or fabric.
You can zip up all the files (the show tech support output and the map file image)
and send the resulting zipped file to technical support.
show tech support displays the output of several show commands at once. The
output varies depending on the configuration that you have.
Note: Use the show tech-support command in EXEC mode to display general
information about the switch when reporting a problem.
Software
  BIOS:      version 1.0.15
  loader:    version N/A
  kickstart: version 4.1(1)
  system:    version 4.1(1)
  BIOS compile time:       07/16/08
Hardware
  cisco MDS 9222i ("4x1GE IPS, 18x1/2/4Gbps FC/Sup2")
  Motorola, e500v2 with 1036316 kB of memory.
  Processor Board ID JAE12088ZMT
  Device name: mds9222i-1
  bootflash:    1000440 kB
Fan:
------------------------------------------------------
Fan Model Hw Status
------------------------------------------------------
ChassisFan1 DS-2SLOT-FAN 4.0 Ok
Fan_in_PS1 -- -- Absent
Fan_in_PS2 -- -- Ok
Fan Air Filter : NotSupported
Temperature:
--------------------------------------------------------------------
Module Sensor MajorThresh MinorThres CurTemp Status
(Celsius) (Celsius) (Celsius)
Power Supply:
Voltage: 42 Volts
-----------------------------------------------------
PS Model Power Power Status
(Watts) (Amp)
-----------------------------------------------------
1 ------------ 0.00 0.00 Absent
2 DS-CAC-845W 800.10 19.05 Ok
-------------
Total Power Available 119.70 W
-------------
Software
  BIOS:      version 1.0.15
  loader:    version N/A
  kickstart: version 4.1(1)
  system:    version 4.1(1)
  BIOS compile time:       07/16/08
Hardware
  cisco MDS 9222i ("4x1GE IPS, 18x1/2/4Gbps FC/Sup2")
  Motorola, e500v2 with 1036316 kB of memory.
  Processor Board ID JAE12088ZMT
Switch is booted up
--------------------------------
Chassis has 2 Module slots
--------------------------------
Module1 ok
Module type is : 4x1GE IPS, 18x1/2/4Gbps FC/Sup2
0 submodules are present
Model number is DS-X9222I-K9
H/W version is 1.1
Part Number is 73-11018-06
Part Revision is B0
Manufacture Date is Year 12 Week 8
Serial number is JAE12088ZMT
CLEI code is COUIAMCCAA
Module2 ok
Module type is : 1/2/4/8 Gbps 4/44-Port FC Module
0 submodules are present
Model number is DS-X9248-48K9
H/W version is 0.35
Part Number is 73-11289-03
Part Revision is 03
Manufacture Date is Year 12 Week 16
Serial number is JAE1216EXLB
CLEI code is 0000000000
---------------------------------------
Chassis has 2 PowerSupply Slots
---------------------------------------
PS1 absent
PS2 ok
Power supply type is: 800.10W 110v AC
Model number is DS-CAC-845W
H/W version is 1.2
Part Number is 341-0052-03
Part Revision is B0
Manufacture Date is Year 12 Week 15
Serial number is QCS1215109K
CLEI code is CNUPAA8AAA
----------------------------------
Chassis has 1 Fan slots
----------------------------------
-----------------------------------------
Chassis has 1 Interface slot
-----------------------------------------
Interface module ok
Model number is DS-X9222-MGT
H/W version is 1.0
Part Number is 73-11488-02
Part Revision is A0
Manufacture Date is Year 12 Week 6
Serial number is JAE12067IIM
CLEI code is 0
feature dpvm
role name default-role
description This is a system defined role and applies to all users.
rule 5 permit show feature environment
--- truncated ---
rule 1 permit show feature system
vsan policy deny
permit vsan 10-10
username admin password 5 $1$w.fBQFNO$FLQdKnS2V65A39FbZjQwd1 role network-admin
feature telnet
ntp server 10.1.1.1
ip domain-lookup
ip host mds9222i-1 9.43.86.147
kernel core target 0.0.0.0
kernel core limit 1
aaa group server radius radius
snmp-server contact Jaco
snmp-server user admin network-admin auth md5 0x5f504840456bd68853696954ecfa9f0b priv
--- truncated ---
snmp-server host 9.43.86.81 traps version 2c public udp-port 2162
callhome
contract-id ABC12345
--- truncated ---
fcip profile 1
-------------------------------------------------------------------------------
Interface Vsan Admin Admin Status SFP Oper Oper Port
Mode Trunk Mode Speed Channel
Mode (Gbps)
-------------------------------------------------------------------------------
fc1/1 10 FX -- up swl F 4 --
fc1/2 200 FX -- up swl F 4 --
fc1/3 10 FX -- up swl F 4 --
fc1/4 10 FX -- up swl F 4 --
fc1/5 20 FX -- up swl F 4 --
fc1/6 20 FX -- up swl F 4 --
fc1/7 20 FX -- up swl F 4 --
fc1/8 20 FX -- up swl F 4 --
fc1/9 4094 FX -- down swl -- --
fc1/10 4094 FX -- down swl -- --
fc1/11 20 FX -- down swl -- --
fc1/12 30 FX -- notConnected swl -- --
fc1/13 1 E on notConnected swl -- --
fc1/14 30 FX -- up swl F 2 --
fc1/15 20 FX -- up swl F 2 --
fc1/16 20 FX -- up swl F 2 --
fc1/17 50 FX -- up swl F 2 --
fc1/18 20 FX -- notConnected swl -- --
fc2/1 1 E on down swl -- --
fc2/2 20 FX -- up swl F 2 --
fc2/3 40 FX -- sfpAbsent -- -- --
--- truncated ---
fc2/12 1 FX -- sfpAbsent -- -- --
-------------------------------------------------------------------------------
Interface Status Oper Mode Oper Speed
(Gbps)
-------------------------------------------------------------------------------
iscsi1/1 down --
iscsi1/2 down --
iscsi1/3 down --
iscsi1/4 up ISCSI 1
-------------------------------------------------------------------------------
Interface Status Speed
(Gbps)
-------------------------------------------------------------------------------
sup-fc0 up 1
--------------------------------------------------------------------------------
Interface Status IP Address Speed MTU Port
Channel
--------------------------------------------------------------------------------
GigabitEthernet1/1 up 10.1.1.1/24 1 Gbps 2300 --
GigabitEthernet1/2 up 10.2.2.1/24 1 Gbps 2300 --
GigabitEthernet1/3 up 10.3.3.1/24 1 Gbps 2300 --
GigabitEthernet1/4 up 10.43.86.1/24 1 Gbps 1500 --
-------------------------------------------------------------------------------
Interface Vsan Admin Admin Status Oper Profile Eth Int Port-channel
Mode Trunk Mode
Mode
-------------------------------------------------------------------------------
fcip1 1 auto on srcUnbound -- -- --
fcip2 1 E on trunking TE 1 GigabitEthernet1/1 port-channel 20
fcip3 1 E on trunking TE 2 GigabitEthernet1/2 port-channel 20
-------------------------------------------------------------------------------
Interface Status IP Address Speed MTU
-------------------------------------------------------------------------------
mgmt0 up 9.43.86.147/22 100 Mbps 1500
Example 8-12 Show process log details output from the CLI
mds9222i-1# show processes log details
======================================================
Service: installer
Description: Installer
PID: 23639
SAP: 0
UUID: 0
======================================================
show tech-support (brief) (Example 8-13)
Example 8-13 Show tech-support output from the CLI (brief version)
mds9222i-1# show tech-support brief
Switch Name      : mds9222i-1
Switch Type      :
IP Address/Mask  : 9.43.86.147/22
Kickstart Image  : 4.1(1) bootflash:///m9200-s2ek9-kickstart-mz.4.1.1.bin
System Image     : 4.1(1) bootflash:/m9200-s2ek9-mz.4.1.1.bin
20 FX -- up swl F 4 --
20 FX -- up swl F 4 --
20 FX -- up swl F 4 --
10 FX -- up swl F 4 --
20 FX -- up swl F 4 --
20 FX -- up swl F 4 --
20 FX -- up swl F 4 --
20 FX -- up swl F 4 --
fc1/14 30 FX -- up swl F 2 --
fc1/15 20 FX -- up swl F 2 --
fc1/16 20 FX -- up swl F 2 --
fc1/17 50 FX -- up swl F 2 --
fc2/2 20 FX -- up swl F 2 --
fc2/3 40 FX -- sfpAbsent -- -- --
-------------------------------------------------------------------------------
Interface Status Oper Mode Oper Speed
(Gbps)
-------------------------------------------------------------------------------
iscsi1/1 down --
iscsi1/2 down --
iscsi1/3 down --
iscsi1/4 up ISCSI 1
-------------------------------------------------------------------------------
Interface Vsan Admin Admin Status Oper Profile Eth Int Port-channel
Mode Trunk Mode
Mode
-------------------------------------------------------------------------------
fcip1 1 auto on srcUnbound -- -- --
fcip2 1 E on trunking TE 1 GigabitEthernet1/1 port-channel 20
fcip3 1 E on trunking TE 2 GigabitEthernet1/2 port-channel 20
-------------------------------------------------------------------------------
Interface Status IP Address Speed MTU
-------------------------------------------------------------------------------
mgmt0 up 9.43.86.147/22 100 Mbps 1500
-------------------------------------------------------------------------------
Interface Vsan Admin Status Oper Oper IP
Trunk Mode Speed Address
Mode (Gbps)
-------------------------------------------------------------------------------
port-channel 20 1 on trunking TE 2 --
Note: The examples above were truncated for brevity, or the brief versions of
the commands have been used. For technical support, the full versions of the
commands are used to collect all relevant data from your fabric for support
and analysis. Bear in mind that the full output includes the running
configuration, and with it the administrator password hash, the SNMPv3 user
keys and the SNMP community strings seen in the excerpt above, so treat the
collected files as sensitive and share them only with the support
organization that needs them.
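Because the capture is zipped and sent to a third party (see the show tech support description above), it is worth stripping the secrets before it leaves the site while keeping every other line intact. The following is an added example, not code from the Redbook or from Cisco: a line-oriented redactor driven by a small table of patterns for the secret-bearing lines visible in the chapter's running-config excerpt. The sample text is constructed in the shape of that excerpt; the priv key value, the RADIUS line and the IKE preshared-key line are assumptions about the configuration syntax and are not from the page.

```python
"""Redact secrets from show tech-support output before it leaves the site.

Added example, not code from the Redbook or from Cisco. Each rule keeps
group 1 of its pattern and replaces group 2 (the secret) with a marker;
the rest of the line is left untouched so the file stays useful.
"""
import re
from collections import Counter

REDACTED = "<redacted>"

# (label, pattern). Group 1 is kept, group 2 is the secret to replace.
# The RADIUS/TACACS and IKE key forms are assumed syntax, not from the page.
RULES = [
    ("username password hash",
     re.compile(r"^(username \S+ password \d+ )(\S+)")),
    ("snmp user auth key",
     re.compile(r"(auth (?:md5|sha) )(0x[0-9a-fA-F]+)")),
    ("snmp user priv key",
     re.compile(r"(priv (?:aes-128 )?)(0x[0-9a-fA-F]+)")),
    ("snmp community",
     re.compile(r"^(snmp-server community )(\S+)")),
    ("snmp trap host community",
     re.compile(r"^(snmp-server host \S+ (?:traps|informs) version \S+ )(\S+)")),
    ("radius/tacacs key",
     re.compile(r"^((?:radius|tacacs)-server (?:host \S+ )?key(?: \d)? )(\S+)")),
    ("ike preshared key",
     re.compile(r"^(\s*key )(\S+)")),
]


def redact_line(line):
    """Return the line with secrets replaced, and the labels that fired."""
    fired = []
    for label, pattern in RULES:
        line, n = pattern.subn(lambda m: m.group(1) + REDACTED, line)
        if n:
            fired.append(label)
    return line, fired


def redact(text):
    """Redact a whole capture; returns (clean text, {label: count})."""
    out, hits = [], Counter()
    for line in text.splitlines():
        clean, fired = redact_line(line)
        out.append(clean)
        hits.update(fired)
    return "\n".join(out) + "\n", dict(hits)


# Constructed sample in the shape of the chapter's running-config excerpt.
SAMPLE = """\
username admin password 5 $1$w.fBQFNO$FLQdKnS2V65A39FbZjQwd1 role network-admin
snmp-server user admin network-admin auth md5 0x5f504840456bd68853696954ecfa9f0b priv 0x0123456789abcdef0123456789abcdef
snmp-server host 9.43.86.81 traps version 2c public udp-port 2162
snmp-server community public group network-operator
radius-server host 10.1.1.5 key 7 "WaWtLAb3"
crypto ike domain ipsec
  key ikepsk123 address 10.1.1.2
ntp server 10.1.1.1
"""

if __name__ == "__main__":
    clean, hits = redact(SAMPLE)
    print(clean)
    print(hits)
```

The hit counts are the control: if a capture from a switch that you know uses SNMPv3 comes back with zero "snmp user auth key" hits, the rule table has not kept up with the configuration and the file should not be sent yet.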
Figure 8-23 Launching Show Tech Support from Fabric Manager menu
Figure 8-24 shows the switches for which we want to capture tech support
data, along with all the parameters that we need to set.
When you start the process of tech support data collection, in the Status column
next to each switch you will see a highlighted status. A yellow highlight, as shown
in Figure 8-25 on page 368, indicates that the show tech support command is
currently running on that switch. A red highlight indicates an error. A green
Figure 8-25 shows the progress of the tech support data collection process.
As shown in Figure 8-27, all tech support data from all mds switches in the fabric
have been saved to a zip file along with images of the fabric map in the JPG and
VXD format.
The control connection is used to remotely control the captures (start or stop the
capture, or specify capture filters). Remote capture can only be performed to
explicitly configured hosts. This technique prevents an unauthorized machine in
the network from snooping on the control traffic in the network.
GUI-based client
The Wireshark software (formerly Ethereal) runs on a host, such as a PC or
workstation, and communicates with the remote capture daemon. It is free, open
source software available from:
http://www.wireshark.org
The Ethereal GUI front end supports a rich interface, including a colorized
display, graphical assistance in defining filters, and specific frame searches.
These features are documented on the Wireshark Web site. While remote capture
through Ethereal supports capturing and decoding Fibre Channel frames from a
Cisco MDS 9000 family switch, the host running Ethereal does not require a
Fibre Channel connection to the switch. The remote capture daemon running on
the switch sends the captured frames over the out-of-band Ethernet management
port. This capability allows you to capture and decode Fibre Channel frames
from your desktop or mobile computer. Note that while a capture runs, the
management LAN is carrying copies of SAN frames, so restrict it accordingly.
Traffic through any Fibre Channel interface can be replicated to a special port
called the SPAN destination port. Any Fibre Channel port in a switch can be
configured as an SD_Port. When an interface is in SD_Port mode, it cannot be
used for normal data traffic. You can attach a Fibre Channel analyzer to the
SD_Port to monitor SPAN traffic.
The traffic for each RSPAN session is carried over a user-specified RSPAN
VLAN that is dedicated for that RSPAN session in all participating switches.
The SPAN traffic from the sources, which cannot be in the RSPAN VLAN, is
switched to the RSPAN VLAN and then forwarded to destination ports
configured in the RSPAN VLAN.
The traffic type for sources (ingress, egress, or both) in an RSPAN session can
be different in different source switches, but is the same for all sources in each
source switch for each RSPAN session. Do not configure any ports in an
RSPAN VLAN except those selected to carry RSPAN traffic. Learning is
disabled on the RSPAN VLAN.
SD_Ports do not receive frames. They only transmit a copy of the SPAN source
traffic. The SPAN feature is non-intrusive and does not affect switching of
network traffic for any SPAN source port.
SPAN sessions
Each SPAN session represents an association of one destination with a set of
sources along with various other parameters that you specify to monitor the
network traffic. One destination can be used by one or more SPAN sessions. You
can configure up to 16 SPAN sessions in a switch. Each session can have
several source ports and one destination port.
To activate a SPAN session, at least one source and the SD_Port must be up and
functioning. Otherwise, traffic is not directed to the SD_Port.
SD_Port characteristics
An SD_Port has the following characteristics:
It ignores buffer-to-buffer credits.
It allows data traffic only in the egress (tx) direction.
It does not require a device or an analyzer to be physically connected.
It supports only 1 Gbps or 2 Gbps speeds. The auto speed option is not
allowed.
Multiple sessions can share the same destination ports.
If the SD_Port is shut down, all shared sessions stop generating SPAN traffic.
You can configure an SD port from the CLI, as shown in Example 8-14.
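As an added example (not the book's Example 8-14, which is not reproduced here), the NX-OS CLI sequence below puts a port into SD mode and builds a SPAN session that copies ingress frames from one source port to it; interface fc1/8, source fc1/1, VSAN 10 and session number 1 are assumed values.

```text
! Added example, not from the book. Interface, VSAN and session numbers are assumed.
switch# configure terminal
switch(config)# interface fc1/8
! SD mode takes the port out of normal data service: it only transmits
! copies of the SPAN source traffic and ignores buffer-to-buffer credits
switch(config-if)# switchport mode SD
! auto speed is not allowed on an SD_Port, so fix it at 1 or 2 Gbps
switch(config-if)# switchport speed 2000
switch(config-if)# no shutdown
switch(config-if)# exit
! one SPAN session: one destination, one or more sources
switch(config)# span session 1
switch(config-span)# destination interface fc1/8
! copy only frames received (rx) on fc1/1; use tx or both for other directions
switch(config-span)# source interface fc1/1 rx
! limit the copy to frames belonging to VSAN 10
switch(config-span)# source vsan 10
! the session generates traffic only when it is not suspended and both
! the source and the SD_Port are up
switch(config-span)# no suspend
switch(config-span)# end
! verify the session state and that the destination port is in SD mode
switch# show span session 1
switch# show interface fc1/8
```

Because the SD_Port is shared by every session that names it, shutting fc1/8 stops SPAN output for all of them, so check show span session after any change to the destination interface.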
The PAA-2 allows you to examine Fibre Channel frames of various sizes. Fibre
Channel frames from layers 2, 3, and 4 may be examined without network
disruption.
Round-trip response times, SCSI I/Os per second, SCSI read or traffic
throughput and frame counts, SCSI session status, and management task
information are monitored. Additional statistics are also available on Fibre
Channel frame sizes and network management protocols.
Cisco Traffic Analyzer software is available under the Port Analyzer Adapter link.
Fabric Manager Web Server supports the following Traffic Analyzer integration
features:
SCSI I/O Traffic Analyzer pages can be viewed within the Web client.
Traffic Analyzer can reside on a different server from Performance Manager.
Performance Manager integrates with multiple servers running Traffic
Analyzer.
Instances of Traffic Analyzer servers can be discovered by Fabric Manager
Server.
The Web client report lists SPAN destination ports and associations with
Traffic Analyzers.
By default, the switch logs normal but significant system messages to a log file
and sends these messages to the system console. You can specify which system
messages should be saved based on the type of facility and the severity level.
Messages are time-stamped to enhance real-time debugging and management.
You can access logged system messages using the CLI or by saving them to a
properly configured system message logging server. The switch software saves
system messages in a file that can be configured to save up to 4 MB. You can
monitor system messages remotely by accessing the switch through Telnet,
SSH, or the console port, or by viewing the logs on a system message logging
server.
show logging last 2 Displays the last two lines of a log file
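An added example, not from the book, of the logging settings the paragraph describes: the local log file kept at its 4 MB maximum for informational (severity 6) and more severe messages, the same messages forwarded to a system message logging server, and the console limited to errors. The server address 192.0.2.10 and the facility local7 are placeholder values.

```text
! Added example, not from the book. Server address and facility are placeholders.
switch# configure terminal
! local log file "messages": keep severity 0-6, 4194304 bytes is the 4 MB maximum
switch(config)# logging logfile messages 6 size 4194304
! forward severity 0-6 to a remote syslog server, tagged with facility local7,
! so a copy of the log survives if the switch itself is wiped or replaced
switch(config)# logging server 192.0.2.10 6 facility local7
! keep the console quiet: errors (severity 3) and more severe only
switch(config)# logging console 3
switch(config)# end
! confirm the server entry took effect, then read the newest entries
switch# show logging server
switch# show logging last 2
```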
Common uses of this feature can include direct paging of a network support
engineer, e-mail notification to a network operations center, and utilization of
Cisco AutoNotify services for direct case generation with the technical assistance
center.
Performance Manager can collect statistics for ISLs, hosts, storage elements,
and configured flows. Flows are defined based on a host-to-storage (or
storage-to-host) link. Performance Manager gathers statistics from across the
fabric based on collection configuration files. These files determine which SAN
elements and SAN links Performance Manager gathers statistics for. Based on
this configuration, Performance Manager communicates with the appropriate
devices (switches, hosts, or storage elements) and collects the appropriate
information at fixed five-minute intervals.
Data interpolation
One of the unique features of Performance Manager is its ability to interpolate
data when statistical polling results are missing or delayed. Other performance
tools may store the missing data point as zero, but this can distort historical
trending. Performance Manager interpolates the missing data point by comparing
the data point that preceded the missing data and the data point stored in the
polling interval after the missing data. This maintains the continuity of the
performance information.
A 1000-port SAN requires 110 MB for a year’s worth of historical data that
includes errors and discards. If there were 20 switches in this SAN with equal
distribution of fabric ports, about two to three SNMP packets per switch would be
sent every 5 minutes for a total of about 100 request or response SNMP packets
required to monitor the data.
Because flows have variable counter requests, their storage space requirements
are more difficult to predict. As a rule of thumb, each extra flow adds another
76 kB.
Performance thresholds
The Performance Manager Configuration Wizard allows you to set up two
thresholds that will trigger events when the monitored traffic exceeds the percent
utilization configured. These event triggers can be set as either critical or warning
events that are reported on the Fabric Manager Web client Events browser page.
Baseline thresholds create a threshold that adapts to the typical traffic pattern for
each link for the same time window each day, week, or every two weeks.
Baseline thresholds are set as a percent of the average (110% to 500%), where
100% equals the calculated weighted average.
Flow definition
The Performance Manager Flow and Performance Manager Setup wizards
greatly simplify configuration. All you need to do is select the categories of
statistics to capture and the wizards provide a list of flows and links to monitor.
2. Specify a VSAN to define a flow and specify the type of traffic to capture data,
as shown in Figure 8-37.
AIT See Advanced Intelligent Tape. Automated Tape Library (ATL) Large-scale tape
storage system that uses multiple tape drives and
AL See arbitrated loop. mechanisms to address 50 or more cassettes.
bridge A component used to attach more than one channel to channel See CTC.
I/O unit to a port. Also a data communications device
that connects two or more networks and forwards channel to converter See CVC.
packets between them. The bridge may use similar
or dissimilar media and signaling systems. It channel-attached Devices attached directly by
operates at the data link level of the OSI model. data channels (I/O channels) to a computer. Also
Bridges read and filter data packets and frames. refers to devices attached to a controlling unit by
cables rather than by telecommunication lines.
bridge/router A device that can provide the
functions of a bridge, router, or both, concurrently. A channel I/O A form of I/O where request and
bridge/router can route one or more protocols, such response correlation is maintained through a form of
as TCP/IP, and bridge all other traffic. See also source, destination, and request identification.
bridge and router.
channel path (CHP) A single interface between a
broadcast To send a transmission to all N_Ports central processor and one or more control units
on a fabric. along which signals and data can be sent to perform
I/O requests.
byte 1) In Fibre Channel, an 8-bit entity prior to
encoding or after decoding, with its least significant channel path identifier (CHPID) In a channel
bit denoted as bit 0 and most significant bit as bit 7. subsystem, a value assigned to each installed
The most significant bit is shown on the left side in channel path of the system that uniquely identifies
FC-FS unless otherwise shown. 2) In S/390 that path to the system.
architecture or z/Architecture® for zSeries (and
FICON), an 8-bit entity prior to encoding or after channel subsystem (CSS) Relieves the
decoding, with its least significant bit denoted as bit processor of direct I/O communication tasks and
7 and most significant bit as bit 0. The most performs path management functions. Uses a
significant bit is shown on the left side in S/390 collection of subchannels to direct a channel to
architecture and z/Architecture for zSeries. control the flow of information between I/O devices
and main storage.
cascaded switches The connecting of one Fibre
Channel switch to another Fibre Channel switch, CHP See channel path.
creating a cascaded switch route between two
N_Nodes connected to a Fibre Channel fabric. CHPID See channel path identifier.
Glossary 395
coupler In an ESCON environment, link hardware established or removed only as a result of actions
used to join optical fiber connectors of the same performed by a host control program or at the ESCD
type. Contrast with adapter. console. Contrast with dynamic connection.
CRC See Cyclic Redundancy Check. Note: The two links having a dedicated
connection appear as one continuous link.
CSS See channel subsystem.
data sharing A SAN solution in which files on a device number 1) In ESA/390 and z/Architecture
storage device are shared between multiple hosts. for zSeries, a four-hexadecimal character identifier
(for example, 19A0) that you associate with a device
to facilitate communication between the program
datagram Refers to the Class 3 Fibre Channel
Service that allows data to be sent rapidly to multiple and the host operator. 2) The device number that
you associate with a subchannel that uniquely
devices attached to the fabric, with no confirmation
of delivery. identifies an I/O device.
Digital Linear Tape (DLT) A magnetic tape duplex receptacle In an ESCON environment, a
technology originally developed by Digital fixed or stationary optical fiber component that
Equipment Corporation (DEC) and now sold by provides a keyed attachment method for a duplex
Quantum. DLT cartridges provide storage capacities connector.
from 10 GB to 35 GB.
DWDM See Dense Wavelength Division
direct access storage device (DASD) A mass Multiplexing.
storage medium on which a computer stores data.
any online storage device: a disc, drive or CD-ROM. dynamic connection In an ESCON Director, a
connection between two ports, established or
disconnected In an ESCON Director, the attribute removed by the ESCD and that, when active,
that, when set, removes a dedicated connection. appears as one continuous link. The duration of the
Contrast with connected. connection depends on the protocol defined for the
frames transmitted through the ports and on the
disk A mass storage medium on which a computer state of the ports. Contrast with dedicated
stores data. connection.
disk drive module (DDM) A disk storage medium dynamic connectivity In an ESCON Director, the
that you use for any host data that is stored within a capability that allows connections to be established
disk subsystem. and removed at any time.
disk mirroring A fault-tolerant technique that Dynamic I/O Reconfiguration An S/390 and
writes data simultaneously to two hard disks using z/Architecture function that allows I/O configuration
the same hard disk controller. changes to be made nondisruptively to the current
operating I/O configuration.
diskpooling A SAN solution in which disk storage
resources are pooled across multiple hosts rather ECL See Emitter Coupled Logic.
than dedicated to a specific host.
ELS See Extended Link Services.
distribution panel In an ESCON and FICON
environment, a panel that provides a central location EMIF See ESCON Multiple Image Facility.
for the attachment of trunk and jumper cables and
can be mounted in a rack, wiring closet, or on a wall. Emitter Coupled Logic (ECL) The type of
transmitter used to drive copper media such as
DLT See Digital Linear Tape. Twinax, Shielded Twisted Pair, or Coax.
Glossary 397
Enterprise System Connection (ESCON) 1) An exchange A group of sequences which share a
ESA/390 computer peripheral interface. The I/O unique identifier. All sequences within a given
interface uses ESA/390 logical protocols over a exchange use the same protocol. Frames from
serial interface that configures attached units to a multiple sequences can be multiplexed to prevent a
communication fabric. 2) A set of IBM products and single exchange from consuming all the bandwidth.
services that provide a dynamically connected See also sequence.
environment within an enterprise.
Extended Link Services (ELS) Via a command
entity In general, a real or existing object from the request, solicits a destination port (N_Port or
Latin ens, or being, which makes the distinction F_Port) to perform a function or service. Each ELS
between an object’s existence and its qualities. In request consists of an Link Service (LS) command;
programming, engineering and probably many other the N_Port ELS commands are defined in the FC-FS
contexts, the word is used to identify units, whether architecture.
concrete items or abstract ideas, that have no ready
name or label. fabric Fibre Channel employs a fabric to connect
devices. A fabric can be as simple as a single cable
E_Port Expansion Port. A port on a switch used to connecting two devices. The term is most often used
link multiple switches together into a Fibre Channel to describe a more complex network using hubs,
switch fabric. switches, and gateways.
ESCON channel A channel having an Enterprise FC 1) A short form when referring to something
Systems Connection channel-to-control-unit I/O that is part of the Fibre Channel standard. Used by
interface that uses optical cables as a transmission the IBM I/O definition process when defining a
medium. May operate in CBY, CNC, CTC or CVC FICON channel (using IOCP of HCD) that will be
mode. Contrast with parallel channel. used in FICON native mode (using the FC-SB-2
communication protocol. See also Fibre Channel.
ESCON Director An I/O interface switch that
provides the interconnection capability of multiple FC-0 Lowest level of the Fibre Channel Physical
ESCON interfaces (or FICON Bridge (FCV) mode - standard, covering the physical characteristics of the
9032-5) in a distributed-star topology. interface and media.
ESCON Multiple Image Facility (EMIF) In the FC-1 Middle level of the Fibre Channel Physical
ESA/390 architecture and z/Architecture for zSeries, standard, defining the 8b/10b encoding and
a function that allows logical partitions (LPARs) to decoding and transmission protocol.
share an ESCON and FICON channel path (and
other channel types) by providing each LPAR with its
own channel-subsystem image.
FC-GS See Fibre Channel Generic Services. Fibre Channel-Framing and Signaling
(FC-FS) The term used to describe the FC-FS
FCLC See Fibre Channel Loop Association. architecture.
FC-LE See Fibre Channel Link Encapsulation. Fibre Channel Generic Services (FC-GS) A
reference to the document (ANSIX3.289-1996) that
FCP See Fibre Channel Protocol. describes a common transport protocol used to
communicate with the server functions, a full
FC-PH See Fibre Channel Physical and Signaling. X500-based directory service, mapping of the
SNMP directly to the Fibre Channel, a time server,
FC-PLDA Fibre Channel Private Loop Direct and an alias server.
Attach. See Private Loop Direct Attach.
Fibre Channel HIPPI Framing Protocol
FCS See Fibre Channel standard. (FCFP) A reference to the document (ANSI
X3.254-1994) that defines how the HIPPI framing
FC-SB See Fibre Channel Single Byte Command protocol is transported via the Fibre Channel.
Code Set.
Fibre Channel Link Encapsulation (FC-LE) A
FC Storage Director SAN Storage Director. reference to the document (ANSIX3.287-1996)
which defines how IEEE 802.2 Logical Link Control
FC-SW See Fibre Channel Switch Fabric. (LLC) information is transported via the Fibre
Channel.
fiber See optical fiber.
Glossary 399
Fibre Channel Loop Association (FCLC) An
independent working group of the FCA focused on Note: Telecommunication applications of fiber
the marketing aspects of the Fibre Channel loop optics use optical fibers. Either a single discrete
technology. fiber or a non-spatially aligned fiber bundle can be
used for each information channel. Such fibers
Fibre Channel Physical and Signaling are often called “optical fibers” to differentiate
(FC-PH) A reference to the ANSIX3.230 standard, them from fibers used in non-communication
that contains the definition of the three lower levels applications.
(FC-0, FC-1, and FC-2) of the Fibre Channel.
Fibre Channel Protocol (FCP) The mapping of FICON 1) An ESA/390 and zSeries computer
SCSI-3 operations to Fibre Channel. peripheral interface. The I/O interface uses ESA/390
and zSeries FICON protocols (FC-FS and FC-SB-2)
Fibre Channel Service Protocol (FSP) The over a Fibre Channel serial interface that configures
attached units to a FICON supported Fibre Channel
common FC-4 level protocol for all services,
communication fabric. 2) An FC4 proposed standard
transparent to the fabric type or topology.
that defines an effective mechanism for the export of
the SBCCS-2 (FC-SB-2) command protocol via
Fibre Channel Single Byte Command Code Set
(FC-SB) A reference to the document (ANSI Fibre Channels.
X.271-1996) which defines how the ESCON
command set protocol is transported using the Fibre FICON channel A channel having a Fibre Channel
connection (FICON) channel-to-control-unit I/O
Channel.
interface that uses optical cables as a transmission
Fibre Channel standard (FCS) An ANSI standard medium. May operate in either FC or FCV mode.
for a computer peripheral interface. The I/O interface
defines a protocol for communication over a serial FICON Director A Fibre Channel switch that
supports the ESCON-like “control unit port” (CUP
interface that configures attached units to a
function) that is assigned a 24-bit Fibre Channel port
communication fabric. The protocol has four layers.
The lower of the four layers defines the physical address to allow FC-SB-2 addressing of the CUP
media and interface, the upper of the four layers function to perform command and data transfer. (In
defines one or more Upper Layer Protocols (ULP), the Fibre Channel world, it is a means of in-band
for example, FCP for SCSI command protocols and management using a FC-4 ULP.)
FC-SB-2 for FICON protocol supported by ESA/390
field replaceable unit (FRU) An assembly that is
and z/Architecture. Refer to ANSI X3.230.1999x.
replaced in its entirety when any one of its required
Fibre Channel Switch Fabric (FC-SW) A components fails.
reference to the ANSI standard under development
F_Node Fabric Node. A fabric attached node.
that further defines the fabric behavior described in
FC-FG and defines the communications between
different fabric elements required for those elements FLOGI See Fabric Login.
to coordinate their operations and management
address assignment. F_Port Fabric Port. A port used to attach a Node
Port (N_Port) to a switch fabric.
fiber optic cable See optical cable.
frame A linear set of transmitted bits that define the
basic transport unit. The frame is the most basic
fiber optics The branch of optical technology
element of a message in Fibre Channel
concerned with the transmission of radiant power
communications, consisting of a 24-byte header and
through fibers made of transparent materials such
as glass, fused silica, and plastic. zero to 2112 bytes of data. See also sequence.
full duplex A mode of communications allowing hardware The mechanical, magnetic, and
simultaneous transmission and reception of frames. electronic components of a system, such as
computers, telephone switches, and terminals.
gateway A node on a network that interconnects
two otherwise incompatible networks. HBA Host bus adapter.
Gbps Gigabits per second. Also sometimes HCD Hardware configuration dialog.
referred to as Gbps. In computing terms, it is
approximately 1000000000 bits per second. Most HDA See head and disk assembly.
precisely it is 1073741824 (1024x1024x1024) bits
per second. HDD See hard disk drive.
Gbps Gigabytes per second. Also sometimes head and disk assembly (HDA) The portion of an
referred to as Gbps. In computing terms, it is HDD associated with the medium and the read/write
approximately 1000000000 bytes per second. Most head.
precisely it is 1073741824 (1024 x 1024 x 1024)
bytes per second. hierarchical storage management (HSM) A
software and hardware system that moves files from
GBIC See Gigabit Interface Converter. disk to slower, less expensive storage media based
on rules and observation of file activity. Modern HSM
Gigabit One billion bits or one thousand megabits. systems move files from magnetic disk to optical
disk to magnetic tape.
Gigabit Interface Converter (GBIC) Industry
standard transceivers for connection of Fibre High Performance Parallel Interface (HPPI) An
Channel nodes to arbitrated loop hubs and fabric ANSI standard that defines a channel that transfers
switches. data between CPUs and from a CPU to disk arrays
and other peripherals.
Gigabit Link Module (GLM) A generic Fibre
Channel transceiver unit that integrates the key HIPPI See High Performance Parallel Interface.
functions necessary for the installation of a Fibre
channel media interface on most systems. HMMP HyperMedia Management Protocol.
GLM See Gigabit Link Module. HMMS See HyperMedia Management Schema.
G_Port Generic Port. A generic switch port that is hop An Fibre Channel frame may travel from a
either an F_Port or E_Port. The function is switch to a director, a switch to a switch, or a director
automatically determined during login. to a director, which in this case is one hop.
half duplex In data communication, pertaining to HSM See Hierarchical Storage Management.
transmission in only one direction at a time. Contrast
with duplex. hub A Fibre Channel device that connects nodes
into a logical loop by using a physical star topology.
Hubs will automatically recognize an active node
Glossary 401
and insert the node into the loop. A node that fails or process, output process, or both, concurrently or
is powered off is automatically removed from the not, and to the data involved in such a process. (3)
loop. Pertaining to input, output, or both.
isochronous transmission Data transmission light emitting diode (LED) A semiconductor chip
which supports network-wide timing requirements. that gives off visible or infrared light when activated.
A typical application for isochronous transmission is Contrast with laser.
a broadcast environment which needs information to
be delivered at a predictable time. link 1) In an ESCON environment or FICON
environment (Fibre Channel environment), the
JBOD Just a bunch of disks. physical connection and transmission medium used
between an optical transmitter and an optical
jukebox A device that holds multiple optical disks receiver. A link consists of two conductors, one used
and one or more disk drives, and can swap disks in for sending and the other for receiving, thereby
and out of the drive as needed. providing a duplex communication path. 2) In an
ESCON I/O interface, the physical connection and
jumper cable In an ESCON and FICON transmission medium used between a channel and
environment, an optical cable having two conductors a control unit, a channel and an ESCD, a control unit
that provide physical attachment between a channel and an ESCD, or at times between two ESCDs. 3) In
and a distribution panel or an ESCON/FICON a FICON I/O interface, the physical connection and
Director port or a control unit/device, between an transmission medium used between a channel and
ESCON/FICON Director port and a distribution a control unit, a channel and a FICON Director, a
panel or a control unit/device, or between a control control unit and a Fibre Channel FICON Director, or
unit/device and a distribution panel. Contrast with at times between two Fibre Channels switches.
trunk cable.
link address 1) On an ESCON interface, the
LAN See local area network. portion of a source or destination address in a frame
that ESCON uses to route a frame through an
laser A device that produces optical radiation ESCON director. ESCON associates the link
using a population inversion to provide light address with a specific switch port that is on the
amplification by stimulated emission of radiation and ESCON director. 2) On a FICON interface, the port
(generally) an optical resonant cavity to provide address (1-byte link address), or domain and port
positive feedback. Laser radiation can be highly address (2-byte link address) portion of a source
coherent temporally, spatially, or both. (S_ID) or destination address (D_ID) in a Fibre
Channel frame that the Fibre Channel switch uses to
latency Ameasurement of the time it takes to send route a frame through a Fibre Channel switch or
a frame between two locations. Fibre Channel switch fabric. See also port address.
Glossary 403
Link_Control_Facility A termination card that using the PR/SM™ facility, that allows an operator to
handles the logical and physical control of the Fibre allocate processor hardware resources among
Channel link for each mode of use. LPARs. Contrast with basic mode.
LIP See loop initialization primitive sequence. login server An entity within the Fibre Channel
fabric that receives and responds to login requests.
local area network (LAN) A computer network
located in a user’s premises within a limited loop circuit A temporary point-to-point like path
geographic area, usually not larger than a floor or that allows bidirectional communications between
small building. Transmissions within a LAN are loop-capable ports.
mostly digital, carrying data among stations at rates
usually above one Mbps. loop initialization primitive (LIP) sequence A
special Fibre Channel sequence that is used to start
logical control unit (LCU) A separately loop initialization. Allows ports to establish their port
addressable control unit function within a physical addresses.
control unit. Usually a physical control unit that
supports several LCUs. For ESCON, the maximum loop topology An interconnection structure in
number of LCUs that can be in a control unit (and which each point has physical links to two neighbors
addressed from the same ESCON fiber link) is 16. resulting in a closed circuit. In a loop topology, the
They are addressed from x’0’ to x’F’. For FICON available bandwidth is shared.
architecture, the maximum number of LCUs that can
be in a control unit (and addressed from the same LPAR See logical partition.
FICON fibre link) is 256. They are addressed from
x’00’ to x’FF’. For both ESCON and FICON, the L_Port Loop Port. A node or fabric port capable of
actual number supported, and the LCU address performing arbitrated loop functions and protocols.
value, is both processor- and control unit NL_Ports and FL_Ports are loop-capable ports.
implementation-dependent.
LSN See logical switch number.
logical partition (LPAR) A set of functions that
create a programming environment that is defined Lucent Connector (LC) A registered trademark of
by the ESA/390 architecture or z/Architecture for Lucent Technologies
zSeries. The ESA/390 architecture or z/Architecture
for zSeries uses the term LPAR when more than one LVD Low Voltage Differential.
LPAR is established on a processor. An LPAR is
conceptually similar to a virtual machine management agent A process that exchanges a
environment except that the LPAR is a function of managed node's information with a management
the processor. Also, LPAR does not depend on an station.
operating system to create the virtual machine
environment. managed node A computer, a storage system, a
gateway, a media device such as a switch or hub, a
logical switch number (LSN) A two-digit number control instrument, a software product such as an
used by the IOCP to identify a specific ESCON or operating system or an accounting package, or a
FICON Director. This number is separate from the machine on a factory floor, such as a robot.
director’s “switch device number” and, for FICON, it
is separate from the director’s “Fibre Channel switch managed object A variable of a managed node.
address”. This variable contains one piece of information
about the node. Each node can have several
logically partitioned mode A central processor objects.
mode, available on the configuration frame when
Mbps Megabits per second. Also sometimes Multi-Mode Fiber (MMF) In optical fiber
referred to as MBps. In computing terms, it is technology, an optical fiber that is designed to carry
approximately 1000000 bits per second. Most multiple light rays or modes concurrently, each at a
precisely it is 1048576 (1024 x 1024) bits per slightly different reflection angle within the optical
second. core. Multi-Mode fiber transmission is used for
relatively short distances because the modes tend
MBps Megabytes per second. Also sometimes to disperse over longer distances. See also
referred to as MBps. In computing terms, it is Single-Mode Fiber.
approximately 1000000 bytes per second. Most
precisely it is 1048576 (1024 x 1024) bytes per multiplex The ability to intersperse data from
second. multiple sources and destinations onto a single
transmission medium. Refers to delivering a single
media Plural of medium. The physical environment transmission to multiple destination N_Ports.
through which transmission signals pass. Common
media include copper and fiber optic cable. name server Provides translation from a given
node name to one or more associated N_Port
Media Access Rules (MAR) Enable systems to identifiers.
self-configure themselves is a SAN environment.
NAS See Network Attached Storage.
Media Interface Adapter (MIA) Enables
optic-based adapters to interface with copper-based ND See node descriptor.
devices, including adapters, hubs, and switches.
NDMP Network Data Management Protocol
metadata server In Storage Tank™, servers that
maintain information (metadata) about the data files NED See node-element descriptor.
and grant permission for application servers to
communicate directly with disk systems. network An aggregation of interconnected nodes,
workstations, file servers, and peripherals, with its
meter Equal to 39.37 inches, or just slightly larger own protocol that supports interaction.
than a yard (36 inches)
Network Attached Storage (NAS) A term used to
MIA See Media Interface Adapter. describe a technology where an integrated storage
system is attached to a messaging network that
MIB See Management Information Block. uses common communications protocols, such as
TCP/IP.
Glossary 405
Network File System (NFS) A distributed file system in UNIX developed by Sun Microsystems. It allows a set of computers to cooperatively access each other's files in a transparent manner.

Network Management System (NMS) A system responsible for managing at least part of a network. NMSs communicate with agents to help keep track of network statistics and resources.

network topology Physical arrangement of nodes and interconnecting communications links in networks based on application requirements and geographical distribution of users.

NFS See Network File System.

NL_Port Node Loop Port. A node port that supports arbitrated loop devices.

NMS See Network Management System. A system responsible for managing at least part of a network. NMSs communicate with agents to help keep track of network statistics and resources.

node An entity with one or more N_Ports or NL_Ports.

node descriptor (ND) In an ESCON and FICON environment, a 32-byte field that describes a node, channel, ESCON Director or FICON Director port, or a control unit.

node-element descriptor (NED) In an ESCON and FICON environment, a 32-byte field that describes a node element, such as a disk (DASD) device.

non-blocking Indicates that the capabilities of a switch are such that the total number of available transmission paths is equal to the number of ports. Therefore, all ports can have simultaneous access through the switch.

Non-L_Port A Node or Fabric port that is not capable of performing the arbitrated loop functions and protocols. N_Ports and F_Ports are not loop-capable ports.

N_Port Node Port. A Fibre Channel-defined hardware entity at the end of a link which provides the mechanisms necessary to transport information units to or from another node.

N_Port Login (PLOGI) Allows two N_Ports to establish a session and exchange identities and service parameters. It is performed following completion of the FLOGI process and prior to the FC-4 level operations with the destination port. May be either explicit or implicit.

OEMI See original equipment manufacturer information.

open system A system whose characteristics comply with standards made available throughout the industry and that can be connected to other systems that comply with the same standards.

operation A term defined in FC-2 that refers to one of the Fibre Channel building blocks composed of one or more, possibly concurrent, exchanges.

optical cable A fiber, multiple fibers, or a fiber bundle in a structure built to meet optical, mechanical, and environmental specifications. See also jumper cable, optical cable assembly, and trunk cable.

optical cable assembly An optical cable that is connector-terminated. Generally, an optical cable that has been connector-terminated by a manufacturer and is ready for installation. See also jumper cable and optical cable.

optical fiber Any filament made of dielectric materials that guides light, regardless of its ability to send signals. See also fiber optics and optical waveguide.

optical fiber connector A hardware component that transfers optical power between two optical fibers or bundles and is designed to be repeatedly connected and disconnected.
path In a channel or communication network, any route between any two nodes. For ESCON and FICON, this is the route between the channel and the control unit/device, or sometimes from the operating system control block for the device and the device itself.

path group The ESA/390 and zSeries architecture (z/Architecture) term for a set of channel paths that are defined to a controller as being associated with

port bypass circuit A circuit used in hubs and disk enclosures to automatically open or close the loop to add or remove nodes on the loop.

port card In an ESCON and FICON environment, a field-replaceable hardware component that provides the optomechanical attachment method for jumper cables and performs specific device-dependent logic functions.

port name In an ESCON or FICON Director, a user-defined symbolic name of 24 characters or less that identifies a particular port.

Private Loop Direct Attach (PLDA) A technical report which defines a subset of the relevant standards suitable for the operation of peripheral devices such as disks and tapes on a private loop.

Private NL_Port An NL_Port which does not attempt login with the fabric and only communicates with other NL_Ports on the same loop.

processor complex A system configuration that consists of all the machines required for operation; for example, a processor unit, a processor controller, a system display, a service support display, and a power and coolant distribution unit.

program temporary fix (PTF) A temporary solution or bypass of a problem diagnosed by IBM in a current unaltered release of a program.

prohibited In an ESCON or FICON Director, the attribute that, when set, removes dynamic connectivity capability. Contrast with allowed.

protocol 1) A set of semantic and syntactic rules that determine the behavior of functional units in achieving communication. 2) In Fibre Channel, the meaning of, and sequencing rules for, requests and responses used for managing the switch or switch fabric, transferring data, and synchronizing states of Fibre Channel fabric components. 3) A specification for the format and relative timing of information exchanged between communicating parties.

port An access point for data entry or exit. A receptacle on a device to which a cable for another device is attached. See also duplex receptacle.

port address In an ESCON Director, an address used to specify port connectivity parameters and to assign link addresses for attached channels and control units. In a FICON director or Fibre Channel switch, it is the middle 8 bits of the full 24-bit Fibre Channel port address. This field is also referred to as the area field in the 24-bit Fibre Channel port address. See also link address.

PTF See program temporary fix.

Public NL_Port An NL_Port that attempts login with the fabric and can observe the rules of either public or private loop behavior. A public NL_Port may communicate with both private and public NL_Ports.

QoS See Quality of Service.

Quality of Service (QoS) A set of communications characteristics required by an application. Each QoS defines a specific transmission priority, level of route reliability, and security level.

Quick Loop A unique Fibre Channel topology that combines arbitrated loop and fabric topologies. It is an optional licensed product that allows arbitrated loops with private devices to be attached to a fabric.

RAID See Redundant Array of Inexpensive or Independent Disks.

RAID 0 Level 0 RAID support. Striping, no redundancy.

RAID 1 Level 1 RAID support. Mirroring, complete redundancy.

RAID 5 Level 5 RAID support. Striping with parity.

Redundant Array of Inexpensive or Independent Disks (RAID) A method of configuring multiple disk drives in a storage subsystem for high availability and high performance.

repeater A device that receives a signal on an electromagnetic or optical transmission medium, amplifies the signal, and then retransmits it along the next leg of the medium.

responder A Fibre Channel term referring to the answering device.

route The path that an ESCON frame takes from a channel through an ESCD to a control unit/device.
SAN See System Area Network.

SANSymphony In-band block-level virtualization software made by DataCore Software Corporation and resold by IBM.

saved configuration In an ESCON or FICON Director environment, a stored set of connectivity attributes whose values determine a configuration that can be used to replace all or part of the ESCD's or FICON's active configuration. Contrast with active configuration.

SC connector A fiber optic connector standardized by ANSI TIA/EIA-568A for use in structured wiring installations.

scalability The ability of a computer application or product (hardware or software) to continue to function after a change in size or volume. For example, the ability to retain performance levels when adding additional processors, memory, and storage.

SCSI See Small Computer System Interface.

SCSI-3 SCSI-3 consists of a set of primary commands and additional specialized command sets to meet the needs of specific device types. The SCSI-3 command sets are used not only for the SCSI-3 parallel interface but for additional parallel and serial protocols, including Fibre Channel, Serial Bus Protocol (used with IEEE 1394 Firewire physical protocol), and the Serial Storage Protocol (SSP).

sequence A series of frames strung together in numbered order which can be transmitted over a Fibre Channel connection as a single operation. See also exchange.

SERDES Serializer Deserializer.

Serial Storage Architecture (SSA) A high speed serial loop-based interface developed as a high speed point-to-point connection for peripherals, particularly high speed storage arrays, RAID, and CD-ROM storage by IBM.

server A computer which is dedicated to one task.

service element (SE) A dedicated service processing unit used to service a S/390 machine (processor).

SES See SCSI Enclosure Services.

Simple Network Management Protocol (SNMP) The Internet network management protocol that provides a means to monitor and set network configuration and run-time parameters.

Single-Mode Fiber (SMF) In optical fiber technology, an optical fiber that is designed for the transmission of a single ray or mode of light as a carrier. It is a single light path used for long-distance signal transmission. See also Multi-Mode Fiber.

Small Computer System Interface (SCSI) 1) A set of evolving ANSI standard electronic interfaces that allow personal computers to communicate with peripheral hardware such as disk drives, tape drives, CD-ROM drives, printers, and scanners faster and more flexibly than previous interfaces. The interface uses a SCSI logical protocol over an I/O interface that configures attached targets and initiators in a multidrop bus topology. The following table identifies the major characteristics of the different SCSI versions.

SCSI version       Bus speed (MHz)   Data bus width (bits)   Maximum throughput (MBps)   Maximum devices   Maximum cable length (m)
SCSI-1             5                 8                       5                           7                 6
SCSI-2             5                 8                       5                           7                 6
Wide SCSI-2        5                 16                      10                          15                6
Fast SCSI-2        10                8                       10                          7                 6
Fast Wide SCSI-2   10                16                      20                          15                6
Ultra SCSI         20                8                       20                          7                 1.5

SMART Self Monitoring and Reporting Technology.

SMF See Single-Mode Fiber.

SNIA See Storage Networking Industry Association.

SN storage network. See also SAN.

SNMP See Simple Network Management Protocol.

SNMWG See Storage Network Management Working Group.

star The physical configuration used with hubs in which each user is connected by communications links radiating out of a central hub that handles all communications.

storage area network (SAN) A dedicated, centrally managed, secure information infrastructure, which enables any-to-any interconnection of servers and storage systems.

storage media The physical device onto which data is recorded. Magnetic tape, optical disks, and floppy disks are all storage media.

Storage Network Management Working Group (SNMWG) Chartered to identify, define, and support open standards needed to address the increased management requirements imposed by storage area network environments.

Storage Networking Industry Association (SNIA) A non-profit organization comprised of more than 77 companies and individuals in the storage industry.

StorWatch Expert StorWatch applications that employ a three-tiered architecture that includes a management interface, a StorWatch manager and agents that run on the storage resource or resources being managed. Products employ a StorWatch database that can be used for saving key management data, such as capacity or performance metrics. Products also use the agents and analysis of storage data saved in the database to perform higher value functions including the reporting of capacity and performance over time (trends), configuration of multiple devices based on policies, monitoring of capacity and performance, automated responses to events or conditions, and storage related data mining.
SWCH In ESCON Manager, the mnemonic used to represent an ESCON Director.

switch A component with multiple entry and exit points (ports) that provides dynamic connection between any two of these points.

switch topology An interconnection structure in which any entry point can be dynamically connected to any exit point. The available bandwidth is scalable.

system area network (SAN) Term originally used to describe a particular symmetric multiprocessing (SMP) architecture in which a switched interconnect is used in place of a shared bus. Server area network refers to a switched interconnect between multiple SMPs.

T11 A technical committee of the National Committee for Information Technology Standards, titled T11 I/O Interfaces. Develops standards for moving data into and out of computers.

T_Port An ISL port more commonly known as an E_Port, referred to as a Trunk port and used by INRANGE.

Transmission Control Protocol (TCP) A reliable, full duplex, connection-oriented end-to-end transport protocol running on top of IP.

Transmission Control Protocol/Internet Protocol (TCP/IP) A set of communications protocols that support peer-to-peer connectivity functions for both LANs and WANs.

trunk cable In an ESCON and FICON environment, a cable consisting of multiple fiber pairs that do not directly attach to an active device. This cable usually exists between distribution panels (or sometimes between a set of processor channels and a distribution panel) and can be located within, or external to, a building. Contrast with jumper cable.

twinax A transmission media (cable) consisting of two insulated central conducting leads of coaxial cable.

twisted pair The most common type of transmission media (cable), that consists of two insulated copper wires twisted around each other to reduce the induction (interference) from one wire to another. The twists, or lays, are varied in length to reduce the potential for signal interference between pairs. Several sets of twisted pair wires may be enclosed in a single cable.

ULP Upper Level Protocols.

unblocked In an ESCON and FICON Director, the attribute that, when set, establishes communication capability for a specific port. Contrast with blocked.

unit address The ESA/390 and zSeries term for the address associated with a device on a given controller. On ESCON and FICON interfaces, the unit address is the same as the device address. On OEMI interfaces, the unit address specifies a controller and device pair on the interface.

UTC See Under-The-Covers.

UTP Unshielded Twisted Pair.

virtual circuit A unidirectional path between two communicating N_Ports that permits fractional bandwidth.

Wave Division Multiplexing (WDM) A technology that puts data from different sources together on an optical fiber, with each signal carried on its own separate light wavelength. Using WDM, up to 80 (and theoretically more) separate wavelengths or channels of data can be multiplexed into a stream of light transmitted on a single optical fiber.

WDM See Wave Division Multiplexing.

Web-Based Enterprise Management (WBEM) A consortium working on the development of a series of standards to enable active management and monitoring of network-based elements.

z/Architecture An IBM architecture for mainframe computers and peripherals. Processors that follow this architecture include the zSeries family of processors.

zoning In Fibre Channel environments, the grouping together of multiple ports to form a virtual private storage network. Ports that are members of a group or zone can communicate with each other but are isolated from ports in other zones.

zSeries A family of IBM mainframe servers that support high performance, availability, connectivity, security, and integrity.
Redbooks

These Redbooks publications are relevant as further information sources:

Introduction to Storage Area Networks, SG24-5470
IBM TotalStorage: SAN Product, Design, and Optimization Guide, SG24-6384
IBM/Cisco Multiprotocol Routing: An Introduction and Implementation, SG24-7543

http://www.storage.ibm.com/snetwork/index.html
Cisco: http://www.cisco.com
Tivoli: http://www.tivoli.com
IEEE: http://www.ieee.org
Storage Networking Industry Association: http://www.snia.org
SCSI Trade Association: http://www.scsita.org
Internet Engineering Task Force: http://www.ietf.org
Index

Fibre Channel interface 39, 372
Fibre Channel Line Card 13, 245
Fibre Channel-to-Ethernet adapter 382
FICON 7, 11, 13, 31, 153
filter 137, 378
filtering 378
filters 137, 371–372, 378
FIPS 149
FIPS 140-2 149
FIPS compliant 149
firewall 87, 177
firewall restrictions 371
firmware 4, 6, 129
FL/NL 388
FL_Port 38
FL_Ports 376
Flash Files 188
flash utilization 107
FlexAttach 84, 87
flexibility 5, 23, 208
FLOGI 155, 160, 208
flow 143, 389
flow control 162
Flow Definition 388
flows 119, 388, 390, 392
FMS 108
FMSERVER_PKG 31, 108
Force Admin 297
frame 13, 212, 223, 372
frame counts 383
frame decoding 370
frame size 289
frame sizes 383
frames 39, 135–136, 212, 245, 272, 370–373, 379
FSPF 10
FTP 59, 66, 132, 170, 177
FTP server 60, 66, 168, 170, 177
fWWN 211
FX_Port 38

G
gateway 19, 162
gig 80
Gigabit Ethernet
    ports 18
GigE interface 273–274
global key 149
global key assignment 149
graphical presentation 28, 103, 107, 244
green highlight 367
group 16, 23, 148, 214, 379
group names 136

H
hard zoning 212
Hardware 354
hardware 13, 15, 18, 30–31, 56, 212
hardware enforced zoning 152
hash 154
health 332–333
High Availability 245
high availability 131, 148, 154
historical data 387
historical performance 31
historically 386
host ID 183
hot-swappable 21
HyperTerminal 162–163

I
ICMP 137
identify 143, 152
IKE Auth Key 279
Images 57, 177
images 6, 54–55, 57, 66, 132, 177
implementation process 129
Implementing iSCSI 298
in-band 137
in-band IP 76
infrastructure simplification 4
ingress 373, 375–378
Ingress source 376
initial configuration 150
initialization 38, 155, 272
initiator 19
initiators 6, 19, 253
Install all 57, 61, 170
intelligent storage services 20
inter switch link 241
inter switch links 271
Inter VSAN Path 253
Inter VSAN Routing 253
Inter VSAN Zone 253
Inter VSAN Zone Sets 253
Internet Control Message Protocol 137
Internet Explorer 76

54–55, 57–58, 76, 80, 131–132, 161–162, 194–195, 200, 208, 211–212, 237, 244, 253, 267, 269, 272, 371–372
MDS 9216 162–163, 268
MDS 9506 9, 14, 162
MDS 9509 10, 14, 162
Measure 281
member 152, 212–213
membership 155, 202–203, 207–208, 220
memory 76, 107, 159
merge 241
merge analysis 241
merging 253
minimum available bandwidth 275
Mode 38, 78, 200, 208, 238, 240, 248, 264, 267, 273, 372, 379
mode 16
modular
    chassis 17
monitor 232, 332, 372, 377–378, 384–385, 388
monitor traffic 382
monitored 375, 378
monitored fabrics 121
monitored traffic 388
monitoring 27, 31, 39, 372–373, 377, 384
monitors 39
MTU size 279
Multiple switch environment 241
multiple zone sets 215
multiplex 38, 201, 244

N
N_Ports 36
name server 212–213
names 19, 189, 212, 253
Netscape 76
network traffic probe 383
network-admin 139, 195
network-operator 139, 195
new zone 223, 228, 235
new zone set 229
NL_Ports 36
node World Wide Name 208
nondisruptively 152
non-intrusive 39, 373
nontrunking 297
ntop 382
NVRM log 385
nWWN 155, 208
NX-OS 349

O
OOB 76
Open Systems 153
Operating system 53, 80
operational modes 38
Operator 139
OS 53, 76, 132, 137, 166–167, 269
outbound traffic 138
Out-of-Band 76
overwrite 239

P
PAA-2 381–382
packets 104
PAK 184
parameters 162–163, 248, 273, 377
Passive mode 371
passive optical mux 16–17, 19
passthru ports 263
password 106, 135, 162
peak throughput 89
peer IP address 273
percent utilization 388
Performance 382
performance 4, 7, 16, 28, 31, 89, 118, 332
performance data 121
performance information 387
Performance Manager 28, 88, 108, 118, 381, 386
performance monitoring 120
performance statistics 382
Performance Thresholds 388
permissions 195, 199
permit 137, 153
persistent 36–37, 150, 159–160, 215
Persistent FCIDs 36
Persistent FcIds 36, 159
ping 332, 345
PLOGI 345
policies 154–155
policy 136
polling 387
polling interval 88, 387
port 16, 18–19, 26
    density 16
    groups 16

SCSI 160
SCSI I/O statistics 382
SCSI session status 383
SD port 39, 379–380
SD_Port 39, 372, 375–379
secure 131–132, 137, 151, 154
Secure Shell 76
Security 31, 135, 150
security 8–9, 18, 131–132, 137, 139, 143, 150–152, 154–155, 159
security level 135
security mechanism 135
security model 135
security policies 155–156
Security Requirements for Cryptographic Modules 149
segmentation 241
serial cable 162
serial console 27, 76
serial number 183–184
serial port 162–163
serverless backup 20
Setting up FCIP 273
setup 153, 162–163, 287, 371
setup program 162–163
SFP 6, 8, 36
sharing 16, 253, 263
show processes log 362
Show Tech Support 351, 366
show tech-support 362
Simple Network Management Protocol (SNMP) 82
slot number 36
slots 6, 8, 14
SNMP 27, 76, 103, 132, 135, 162
SNMP (Simple Network Management Protocol) 82
SNMP packet 135
SNMP PDUs 136
SNMP protocol 103
SNMP proxy service 87
SNMP timeout 103
SNMPv3 27, 132, 135
soft zoning 212
Solaris 27
source files 129
source interface types 376
source/source-wildcard 137
source-destination ID 152
Space 55, 60, 66–67, 169, 177–178
SPAN 39, 131, 372–373, 375–379, 381
Span Destination 39, 372
SPAN port 374
SPAN session 377
SPAN source 39, 375
SPAN traffic 375
Speed 297
speed 4–5, 212, 370–371, 378–379
speeds 378
SSH 27, 76, 79, 132, 384
SSM (Storage Services Module) 20
startup configuration 61, 78, 104, 170, 231–232, 237, 240, 259
startup configuration file 54
startup-config 215
stateless protocol 103
static 158
static domain ids 204–205
static routes 290
statistical data 88, 387
statistics 28, 31, 88, 107, 387, 389
status notification 190
Storage Services Module (SSM) 20
subordinate switch 158
supervisor 6, 8, 55, 57, 60, 136, 169, 376
supervisor bootflash 169
supervisor module 162, 169, 371, 376–377
suspended 204, 208
switch
    requirements 3
switch configuration 269
switch events 89
switch fabric 8, 10, 103, 158, 201, 375–377
Switch Health 332
Switch Health Analysis 333
switch name 162
switch pair 278
switch ports 155, 263, 372
switch priority 156
switch world wide name 155
switch WWN 156
Switched Port Analyzer 381
system 13–14, 37, 51, 53–55, 57–58, 80, 143, 384–385
system image 53, 55, 57
system message logging 384

T
TACACS+ 147

Y
yellow highlight 367

Z
Zone distribution 237
zone members 152, 212, 229
zone name 233
zone set 214–217, 228
zone set database 233, 238–240
zone set distribution 238–240
zone sets 151, 214–215, 228, 233
zones 31, 152, 200–201, 213–215, 223, 228, 272
zoning 19, 31, 150–151, 153, 211–212, 215, 254
zoning capabilities 152
Implementing an IBM/Cisco SAN

"Do everything that is necessary and absolutely nothing that is not."

Learn about the latest editions to the IBM/Cisco product family

Increase your skills with this easy-to-follow format

Advance your IBM/Cisco skill set

In this IBM Redbooks publication, which is an update and major revision of the previous version, we consolidate as much critical information as possible while covering procedures and tasks that are likely to be encountered on a daily basis.

Each of the products described has much more functionality than can be covered in just one book. The IBM SAN portfolio is rich in quality products that bring a vast amount of technicality and vitality to the SAN world. Their inclusion and selection is based on a thorough understanding of the storage networking environment that positions IBM, and therefore its customers and partners, in an ideal position to take advantage by their deployment.

We discuss the latest additions to the IBM/Cisco SAN family and we show how they can be implemented in an open systems environment, focusing on the Fibre Channel protocol (FCP) environment. We address some of the key concepts that they bring to the market, and in each case we provide an overview of the functions that are essential to building a robust SAN environment.

INTERNATIONAL TECHNICAL SUPPORT ORGANIZATION

BUILDING TECHNICAL INFORMATION BASED ON PRACTICAL EXPERIENCE

IBM Redbooks are developed by the IBM International Technical Support Organization. Experts from IBM, Customers and Partners from around the world create timely technical information based on realistic scenarios. Specific recommendations are provided to help you implement IT solutions more effectively in your environment.